Merge pull request #409 from genebean/new-hetznix01

Prep for reinstall

modules/hosts/nixos/hetznix01/default.nix

@@ -1,11 +1,7 @@
-{ inputs, config, disko, hostname, pkgs, sops-nix, username,  ... }: let
-  http_port = 80;
-  https_port = 443;
-in {
+{ config, username,  ... }: {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
-    ../../../system/common/linux/lets-encrypt.nix
   ];
 
   system.stateVersion = "23.11";
@@ -38,59 +34,6 @@ in {
 
   services = {
     fail2ban.enable = true;
-    nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      appendHttpConfig = ''
-        # Add HSTS header with preloading to HTTPS requests.
-        # Adding this header to HTTP requests is discouraged
-        map $scheme $hsts_header {
-            https   "max-age=31536000 always;";
-        }
-        add_header Strict-Transport-Security $hsts_header;
-      '';
-      virtualHosts = {
-        "hetznix01.technicalissues.us" = {
-          default = true;
-          listen = [
-            { port = http_port; addr = "0.0.0.0"; }
-            { port = https_port; addr = "0.0.0.0"; ssl = true; }
-          ];
-          enableACME = true;
-          acmeRoot = null;
-          addSSL = true;
-          forceSSL = false;
-          locations."/" = {
-            return = "200 '<h1>Hello world ;)</h1>'";
-            extraConfig = ''
-              add_header Content-Type text/html;
-            '';
-          };
-        };
-        "utk-eu.technicalissues.us" = {
-          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
-          enableACME = true;
-          acmeRoot = null;
-          forceSSL = true;
-          locations."/".proxyWebsockets = true;
-          locations."/".proxyPass = "http://127.0.0.1:3001";
-        };
-      }; # end virtualHosts
-    }; # end nginx
-    tailscale = {
-      enable = true;
-      authKeyFile = config.sops.secrets.tailscale_key.path;
-      extraUpFlags = [
-        "--advertise-exit-node"
-        "--operator"
-        "${username}"
-        "--ssh"
-      ];
-      useRoutingFeatures = "both";
-    };
     uptime-kuma = {
       enable = true;
       settings = {
@@ -100,31 +43,13 @@ in {
     };
   };
 
-  sops = {
-    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
-    defaultSopsFile = ./secrets.yaml;
-    secrets = {
-      local_git_config = {
-        owner = "${username}";
-        path = "/home/${username}/.gitconfig-local";
-      };
-      local_private_env = {
-        owner = "${username}";
-        path = "/home/${username}/.private-env";
-      };
-      tailscale_key = {
-        restartUnits = [ "tailscaled-autoconnect.service" ];
-      };
-    };
-  };
-
   systemd.network = {
     enable = true;
     networks."10-wan" = {
       matchConfig.Name = "enp1s0";
       address = [
-        "167.235.18.32/32"
-        "2a01:4f8:c2c:2e49::1/64"
+        "5.161.244.95/32"
+        "2a01:4ff:f0:977c::1/64"
       ];
       dns = [
         "185.12.64.1"
@@ -148,7 +73,6 @@ in {
     extraGroups = [ "networkmanager" "wheel" ];
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N bluerock"
     ];
   };
 }

modules/hosts/nixos/hetznix01/nginx.nix

@@ -0,0 +1,50 @@
+{ ... }: let 
+  http_port = 80;
+  https_port = 443;
+in {
+  imports = [
+    ../../../system/common/linux/lets-encrypt.nix
+  ];
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000 always;";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+    '';
+    virtualHosts = {
+      "hetznix01.technicalissues.us" = {
+        default = true;
+        listen = [
+          { port = http_port; addr = "0.0.0.0"; }
+          { port = https_port; addr = "0.0.0.0"; ssl = true; }
+        ];
+        enableACME = true;
+        acmeRoot = null;
+        addSSL = true;
+        forceSSL = false;
+        locations."/" = {
+          return = "200 '<h1>Hello world ;)</h1>'";
+          extraConfig = ''
+            add_header Content-Type text/html;
+          '';
+        };
+      };
+      "utk-eu.technicalissues.us" = {
+        listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        locations."/".proxyWebsockets = true;
+        locations."/".proxyPass = "http://127.0.0.1:3001";
+      };
+    }; # end virtualHosts
+  }; # end nginx
+}

modules/hosts/nixos/hetznix01/sops.nix

@@ -0,0 +1,20 @@
+{ username, ... }: {
+  sops = {
+    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "/home/${username}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "/home/${username}/.private-env";
+      };
+      tailscale_key = {
+        restartUnits = [ "tailscaled-autoconnect.service" ];
+      };
+    };
+  };
+}
+

modules/hosts/nixos/hetznix01/tailscale.nix

@@ -0,0 +1,14 @@
+{ config, username, ... }: {
+  tailscale = {
+    enable = true;
+    authKeyFile = config.sops.secrets.tailscale_key.path;
+    extraUpFlags = [
+      "--advertise-exit-node"
+      "--operator"
+      "${username}"
+      "--ssh"
+    ];
+    useRoutingFeatures = "both";
+  };
+}
+