server/flake.nix
2025-08-20 11:14:28 +02:00


{
# Free-text description of this flake.
description = "jana's server infrastructure";
# Flake inputs. None of these URLs names a fixed commit, so the refs move over time;
# the revisions actually built are whatever flake.lock records (not shown here).
# Review lock-file updates with the same care as edits to this file, since several
# inputs below contribute NixOS modules or packages that run on the deployed host.
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
colmena.url = "github:zhaofengli/colmena";
flake-utils.url = "github:numtide/flake-utils";
# NOTE(review): this points at a personal-namespace repository rather than the upstream
# sops-nix project (presumably a fork; confirm what it changes). Its NixOS module is
# imported into the host configuration and handles secrets, so track its divergence.
sops-nix.url = "github:jdonszelmann/sops-nix";
# Third-party module source; its NixOS module is imported into the host configuration.
vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
# websites
homepage.url = "github:jdonszelmann/homepage";
totpal.url = "github:jdonszelmann/totpal";
# The two git+ssh inputs are fetched over SSH, so evaluating or updating this flake
# needs an SSH credential with read access to them (presumably private repos; confirm).
harmonica.url = "git+ssh://git@github.com/jdonszelmann/harmonica-tabs";
mapf.url = "git+ssh://git@github.com/jdonszelmann/mapf-server";
reviewqueue.url = "github:jdonszelmann/review-queue";
};
outputs =
  # Produces the Colmena hive describing the host `fili`, plus a per-system
  # development shell and formatter.
  inputs@{
    self,
    nixpkgs,
    colmena,
    flake-utils,
    sops-nix,
    vpn-confinement,
    mapf,
    ...
  }:
  let
    # Instantiate nixpkgs for one platform.
    # allowUnfree permits packages with non-free licences; the overlay list is
    # given explicitly as empty, so no overlays are applied from this file.
    nixpkgsFor =
      platform:
      import nixpkgs {
        system = platform;
        config = {
          allowUnfree = true;
        };
        overlays = [ ];
      };

    # Outputs consumed by Colmena for deployment.
    hiveOutputs = {
      colmenaHive = colmena.lib.makeHive self.outputs.colmena;
      colmena = {
        meta.nixpkgs = nixpkgsFor "x86_64-linux";
        # Every flake input is handed to the NixOS modules as the `flakes`
        # argument, so any imported module can reach any input.
        meta.specialArgs.flakes = inputs;

        fili = {
          # Modules making up the host: local configuration first, then the
          # secret-management and VPN-confinement modules from flake inputs.
          imports = [
            ./fili/configuration.nix
            ./users/users.nix
            ./default-machine-config.nix
            sops-nix.nixosModules.sops
            vpn-confinement.nixosModules.default
          ];

          # Deployment happens over SSH to donsz.nl:22 as the user `jana`.
          # NOTE(review): the deploy user is not root, so activation presumably
          # relies on privilege escalation on the host; confirm how that
          # account's sudo rights are scoped.
          deployment = {
            targetHost = "donsz.nl";
            targetPort = 22;
            targetUser = "jana";
            tags = [ "server" ];
            # Do not replace a system profile on the host that this hive does
            # not know about.
            replaceUnknownProfiles = false;
            # buildOnTarget = true;  (left commented out, so Colmena's default applies)
          };
        };
      };
    };

    # Developer tooling, generated for each of flake-utils' default systems.
    toolingOutputs = flake-utils.lib.eachDefaultSystem (
      system:
      let
        pkgs = nixpkgsFor system;

        # `apply` wrapper around Colmena. It passes --no-substitute, which
        # (per Colmena's CLI help; confirm against the pinned version) disables
        # substituters when copying closures to the target host.
        applyScript = pkgs.writeShellScriptBin "apply" ''
          colmena apply --no-substitute
        '';
      in
      {
        devShells.default = pkgs.mkShell {
          buildInputs = [
            pkgs.lix
            # Colmena comes from the flake input, not from nixpkgs.
            colmena.packages.${system}.colmena
            applyScript
          ];
          # Replaces the dev-shell process with whatever $NIX_BUILD_SHELL names.
          # NOTE(review): the variable is expanded unquoted and is assumed to be
          # set by the environment that enters the shell.
          shellHook = "exec $NIX_BUILD_SHELL";
        };
        formatter = pkgs.nixfmt-rfc-style;
      }
    );
  in
  hiveOutputs // toolingOutputs;
# Nix settings proposed by this flake. Nix asks for confirmation before applying
# flake-supplied settings unless accept-flake-config is enabled for the user.
# Trust implication: once the key below is accepted, store paths signed with it are
# used as-is instead of being built locally, so whoever holds that cache's signing key
# can supply binaries to every machine that accepts this configuration.
# NOTE(review): confirm who controls the signing key and that the value matches the
# one published for the cache; treat any change to either line as security-relevant.
nixConfig = {
extra-substituters = [ "https://jana.cachix.org" ];
extra-trusted-public-keys = [
"jana.cachix.org-1:LN0lzHx7QH1RBoDn3+psi4HOEAXW3EqRa/u0ncQ1XBE="
];
};
}