homelab/lxc-base.nix

{ config, pkgs, modulesPath, lib, ... }:

{
  imports = [
    (modulesPath + "/virtualisation/proxmox-lxc.nix")
  ];

  options.my.vm = {
    name = lib.mkOption {
      type = lib.types.nonEmptyStr;
      example = "hello01";
      description = "Used for vm name and hostname";
    };

    iface = lib.mkOption {
      type = lib.types.nonEmptyStr;
      default = "ens18";
      example = "ens18";
      description = "Interface on which static IP is bound";
    };

    ip4 = lib.mkOption {
      type = lib.types.nonEmptyStr;
      example = "192.168.0.42";
      description = "Static IP for this VM";
    };
  };

  config = let cfg = config.my.vm; in {
    proxmoxLXC = {
      enable = true;
    };

    # Allow remote updates with flakes and non-root users
    nix.settings.trusted-users = [ "root" "@wheel" ];
    nix.settings.experimental-features = [ "nix-command" "flakes" ];

    # Enable mDNS for `hostname.local` addresses
    services.avahi.enable = true;
    services.avahi.nssmdns4 = true;
    services.avahi.publish = {
      enable = true;
      addresses = true;
    };

    # Some sane packages we need on every system
    environment.systemPackages = with pkgs; [
      vim
      git  # for pulling nix flakes
    ];

    # doing it here opens udp port _and_ installs package
    programs.mosh.enable = true;

    # Don't ask for passwords
    security.sudo.wheelNeedsPassword = false;

    # Don't use cloud-init
    services.cloud-init.network.enable = lib.mkForce false;
    networking = {
      hostName = cfg.name;
      nameservers = ["192.168.0.1"];
      interfaces.${cfg.iface} = {
        ipv4.addresses = [{
          address = cfg.ip4;
          prefixLength = 24;
        }];
      };
      defaultGateway = {
        address = "192.168.0.1";
        interface = "${cfg.iface}";
      };
      defaultGateway6 = {
        address = "fe80::1";
        interface = "${cfg.iface}";
      };
    };

    # Enable ssh
    services.openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
    };
    programs.ssh.startAgent = true;

    # Enable prometheus metrics export
    networking.firewall.allowedTCPPorts = [ 9100 ];
    services.prometheus.exporters.node = {
      enable = true;
      port = 9100;
      enabledCollectors = ["systemd"];
    };

    # Add an admin user
    users.users.admin = {
      isNormalUser = true;
      description = "Robert Perce";
      extraGroups = [ "wheel" ];
    };

    users.users.admin.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFTDd1G3ufe8lCEWMbMN+q83WrrS92+qrI2tOaMtit+q robert@aether"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdReqMvpgCuez7dTeSaMnHU/7gDal6/HH7c8m17M1hb rob@ereshkigal"
    ];

    # Default filesystem
    fileSystems."/" = lib.mkDefault {
      device = "/dev/disk/by-label/nixos";
      autoResize = true;
      fsType = "ext4";
    };

    system.stateVersion = lib.mkDefault "24.11";
  };
}