diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix
index a673a66..9ee5c90 100644
--- a/modules/hosts/nixos/hetznix01/default.nix
+++ b/modules/hosts/nixos/hetznix01/default.nix
@@ -1,11 +1,7 @@
-{ inputs, config, disko, hostname, pkgs, sops-nix, username, ... }: let
- http_port = 80;
- https_port = 443;
-in {
+{ config, username, ... }: {
imports = [
./hardware-configuration.nix
./disk-config.nix
- ../../../system/common/linux/lets-encrypt.nix
];
system.stateVersion = "23.11";
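Review bot: The imports list drops `../../../system/common/linux/lets-encrypt.nix` but does not add the three new host modules, so unless `./nginx.nix`, `./sops.nix` and `./tailscale.nix` are pulled in from somewhere outside this diff, the nginx, tailscale and sops configuration removed in the second and third hunks of this file no longer applies to hetznix01 at all. That would silently drop the ACME/lets-encrypt setup, the secrets wiring and the tailscale auth key alongside it. Add them next to the existing entries: `./nginx.nix` `./sops.nix` `./tailscale.nix`. The hunk's trailing context line appears cut off in this view.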
@@ -38,59 +34,6 @@ in {
services = {
fail2ban.enable = true;
- nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- appendHttpConfig = ''
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- map $scheme $hsts_header {
- https "max-age=31536000 always;";
- }
- add_header Strict-Transport-Security $hsts_header;
- '';
- virtualHosts = {
- "hetznix01.technicalissues.us" = {
- default = true;
- listen = [
- { port = http_port; addr = "0.0.0.0"; }
- { port = https_port; addr = "0.0.0.0"; ssl = true; }
- ];
- enableACME = true;
- acmeRoot = null;
- addSSL = true;
- forceSSL = false;
- locations."/" = {
- return = "200 '
Hello world ;)
'";
- extraConfig = ''
- add_header Content-Type text/html;
- '';
- };
- };
- "utk-eu.technicalissues.us" = {
- listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
- locations."/".proxyWebsockets = true;
- locations."/".proxyPass = "http://127.0.0.1:3001";
- };
- }; # end virtualHosts
- }; # end nginx
- tailscale = {
- enable = true;
- authKeyFile = config.sops.secrets.tailscale_key.path;
- extraUpFlags = [
- "--advertise-exit-node"
- "--operator"
- "${username}"
- "--ssh"
- ];
- useRoutingFeatures = "both";
- };
uptime-kuma = {
enable = true;
settings = {
@@ -100,31 +43,13 @@ in {
};
};
- sops = {
- age.keyFile = /home/${username}/.config/sops/age/keys.txt;
- defaultSopsFile = ./secrets.yaml;
- secrets = {
- local_git_config = {
- owner = "${username}";
- path = "/home/${username}/.gitconfig-local";
- };
- local_private_env = {
- owner = "${username}";
- path = "/home/${username}/.private-env";
- };
- tailscale_key = {
- restartUnits = [ "tailscaled-autoconnect.service" ];
- };
- };
- };
-
systemd.network = {
enable = true;
networks."10-wan" = {
matchConfig.Name = "enp1s0";
address = [
- "167.235.18.32/32"
- "2a01:4f8:c2c:2e49::1/64"
+ "5.161.244.95/32"
+ "2a01:4ff:f0:977c::1/64"
];
dns = [
"185.12.64.1"
@@ -148,7 +73,6 @@ in {
extraGroups = [ "networkmanager" "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N bluerock"
];
};
}
diff --git a/modules/hosts/nixos/hetznix01/nginx.nix b/modules/hosts/nixos/hetznix01/nginx.nix
new file mode 100644
index 0000000..ceece66
--- /dev/null
+++ b/modules/hosts/nixos/hetznix01/nginx.nix
@@ -0,0 +1,50 @@
+{ ... }: let
+ http_port = 80;
+ https_port = 443;
+in {
+ imports = [
+ ../../../system/common/linux/lets-encrypt.nix
+ ];
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000 always;";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ '';
+ virtualHosts = {
+ "hetznix01.technicalissues.us" = {
+ default = true;
+ listen = [
+ { port = http_port; addr = "0.0.0.0"; }
+ { port = https_port; addr = "0.0.0.0"; ssl = true; }
+ ];
+ enableACME = true;
+ acmeRoot = null;
+ addSSL = true;
+ forceSSL = false;
+ locations."/" = {
+ return = "200 'Hello world ;)
'";
+ extraConfig = ''
+ add_header Content-Type text/html;
+ '';
+ };
+ };
+ "utk-eu.technicalissues.us" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://127.0.0.1:3001";
+ };
+ }; # end virtualHosts
+ }; # end nginx
+}
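Review bot: The HSTS map value `https "max-age=31536000 always;";` puts nginx's `always` keyword and a trailing semicolon inside the header value, so clients receive `Strict-Transport-Security: max-age=31536000 always;`, which is not a well-formed max-age directive and is likely ignored by browsers; the header also lacks the `preload` (and `includeSubDomains`) directives the comment above it promises. `always` belongs on the add_header line if the header is wanted on error responses too. Change the two lines to `https "max-age=31536000; includeSubDomains";` and `add_header Strict-Transport-Security $hsts_header always;`, and either append `; preload` or drop "with preloading" from the comment, since preload enrollment is hard to reverse.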
diff --git a/modules/hosts/nixos/hetznix01/sops.nix b/modules/hosts/nixos/hetznix01/sops.nix
new file mode 100644
index 0000000..abd4db0
--- /dev/null
+++ b/modules/hosts/nixos/hetznix01/sops.nix
@@ -0,0 +1,20 @@
+{ username, ... }: {
+ sops = {
+ age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ local_git_config = {
+ owner = "${username}";
+ path = "/home/${username}/.gitconfig-local";
+ };
+ local_private_env = {
+ owner = "${username}";
+ path = "/home/${username}/.private-env";
+ };
+ tailscale_key = {
+ restartUnits = [ "tailscaled-autoconnect.service" ];
+ };
+ };
+ };
+}
+
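Review bot: `age.keyFile` points the host's decryption key at `/home/${username}/.config/sops/age/keys.txt`, so anything able to read that user's home can decrypt every secret in `secrets.yaml`, including the root-owned `tailscale_key`; the per-secret `owner` settings below protect only the decrypted files, not the key. If that placement is deliberate it deserves a comment such as `# NOTE: host decryption key lives in the user's home; access to that account implies access to all secrets here.`, otherwise a root-only location such as `/var/lib/sops-nix/key.txt` or the host SSH key via `age.sshKeyPaths` keeps the key out of the user account's reach.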
diff --git a/modules/hosts/nixos/hetznix01/tailscale.nix b/modules/hosts/nixos/hetznix01/tailscale.nix
new file mode 100644
index 0000000..0b95751
--- /dev/null
+++ b/modules/hosts/nixos/hetznix01/tailscale.nix
@@ -0,0 +1,14 @@
+{ config, username, ... }: {
+ tailscale = {
+ enable = true;
+ authKeyFile = config.sops.secrets.tailscale_key.path;
+ extraUpFlags = [
+ "--advertise-exit-node"
+ "--operator"
+ "${username}"
+ "--ssh"
+ ];
+ useRoutingFeatures = "both";
+ };
+}
+
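Review bot: `tailscale = { … }` is declared at the top level of the module, whereas in the old default.nix it sat inside `services = { … }`; NixOS has no top-level `tailscale` option, so evaluation should fail with an undefined-option error once this file is imported, and the exit-node, `--ssh` and auth-key settings would never be applied. Change the opening line to `services.tailscale = {`. The `config.sops.secrets.tailscale_key.path` reference also requires sops.nix to be imported by the same host, which this diff does not show.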