Updated new config for use on servers

flake.nix

@@ -87,6 +87,10 @@
           modules = [ ./hosts/display ];
           specialArgs = { inherit inputs outputs; };
         };
+        fred = lib.nixosSystem {
+          modules = [ ./hosts/fred ];
+          specialArgs = { inherit inputs outputs; };
+        };
         harper2 = lib.nixosSystem {
           modules = [ ./hosts/harper2 ];
           specialArgs = { inherit inputs outputs; };

hosts/fred/default.nix

@@ -4,6 +4,7 @@
   imports =
     [
       ./hardware-configuration.nix
+      ../server
       ./podman.nix
     ];
   networking.hostName = "fred";

hosts/server/default.nix

@@ -3,7 +3,7 @@
 let
   my-python-packages = python-packages: with python-packages; [
     pip
-    pipx
+    # pipx
     python-dateutil
     setuptools
     requests
@@ -31,18 +31,31 @@ in
       ./upgrade-diff.nix
     ];
 
+  # Enable networking
   networking.networkmanager.enable = true;
   networking.enableIPv6 = true;
   networking.useDHCP = false;
 
+  # Set your time zone.
   time = {
     timeZone = "America/Chicago";
     hardwareClockInLocalTime = false;
   };
 
-  i18n.defaultLocale = "en_US.utf8";
 
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.utf8";
+  i18n.inputMethod = {
+    enabled = "fcitx5";
+    fcitx5.addons = with pkgs; [
+      fcitx5-mozc
+      fcitx5-gtk
+    ];
+  };
+
+  # Bootloader.
   boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
     kernelParams = [ "consoleblank=60" ];
     loader = {
       systemd-boot = {
@@ -63,6 +76,9 @@ in
   };
 
   security = {
+    polkit = {
+      enable = true;
+    };
     sudo.enable = false;
     doas = {
       enable = true;
@@ -78,6 +94,13 @@ in
     pcscd = {
       enable = true;
     };
+    avahi = {
+      enable = true;
+      nssmdns4 = true;
+    };
+    printing = {
+      enable = true;
+    };
     udisks2 = {
       enable = true;
     };
@@ -168,15 +191,35 @@ in
 
   # Open ports in the firewall.
   networking.firewall = {
-    enable = false;
+    enable = true;
+    # always allow traffic from your Tailscale network
     trustedInterfaces = [ "tailscale0" ];
     checkReversePath = "loose";
+
+    # allow the Tailscale UDP port through the firewall
     allowedUDPPorts = [ config.services.tailscale.port ];
+    allowedTCPPortRanges = [ { from = 1714 ; to = 1764; } ];
+    allowedUDPPortRanges = [ { from = 1714 ; to = 1764; } ];
+
+    # allow you to SSH in over the public internet
     allowedTCPPorts = [ 22 ];
+    interfaces = {
+      "tailscale0" = {
+        allowedTCPPorts = [ 22 8080 8443 ];
+        allowedTCPPortRanges = [ { from = 1714 ; to = 1764; } ];
+        allowedUDPPortRanges = [ { from = 1714 ; to = 1764; } ];
+      };
+    };
   };
 
 
-  system.stateVersion = "23.11";
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leavecatenate(variables, "bootdev", bootdev)
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
   programs.msmtp = {
     enable = true;
     accounts = {

hosts/workstation/default.nix

@@ -218,6 +218,7 @@ in
     isync
     libsForQt5.qtkeychain
     lsb-release
+    lsof
     pkg-config
     playerctl
     poppler_utils