genebean/dots
1
0
Fork 0
mirror of https://github.com/genebean/dots.git synced 2026-03-28 01:47:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #409 from genebean/new-hetznix01

Browse source 
Prep for reinstall
This commit is contained in:
Gene Liverman 2024-06-15 15:14:58 -04:00 committed by GitHub
commit 6d1390c885
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 87 additions and 79 deletions
Download patch file Download diff file Expand all files Collapse all files

82
modules/hosts/nixos/hetznix01/default.nix
View file

@ -1,11 +1,7 @@
{ inputs, config, disko, hostname, pkgs, sops-nix, username, ... }: let { config, username, ... }: {
http_port = 80;
https_port = 443;
in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./disk-config.nix ./disk-config.nix
../../../system/common/linux/lets-encrypt.nix
]; ];
system.stateVersion = "23.11"; system.stateVersion = "23.11";
@ -38,59 +34,6 @@ in {
services = { services = {
fail2ban.enable = true; fail2ban.enable = true;
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000 always;";
}
add_header Strict-Transport-Security $hsts_header;
'';
virtualHosts = {
"hetznix01.technicalissues.us" = {
default = true;
listen = [
{ port = http_port; addr = "0.0.0.0"; }
{ port = https_port; addr = "0.0.0.0"; ssl = true; }
];
enableACME = true;
acmeRoot = null;
addSSL = true;
forceSSL = false;
locations."/" = {
return = "200 '<h1>Hello world ;)</h1>'";
extraConfig = ''
add_header Content-Type text/html;
'';
};
};
"utk-eu.technicalissues.us" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
}; # end virtualHosts
}; # end nginx
tailscale = {
enable = true;
authKeyFile = config.sops.secrets.tailscale_key.path;
extraUpFlags = [
"--advertise-exit-node"
"--operator"
"${username}"
"--ssh"
];
useRoutingFeatures = "both";
};
uptime-kuma = { uptime-kuma = {
enable = true; enable = true;
settings = { settings = {
@ -100,31 +43,13 @@ in {
}; };
}; };
sops = {
age.keyFile = /home/${username}/.config/sops/age/keys.txt;
defaultSopsFile = ./secrets.yaml;
secrets = {
local_git_config = {
owner = "${username}";
path = "/home/${username}/.gitconfig-local";
};
local_private_env = {
owner = "${username}";
path = "/home/${username}/.private-env";
};
tailscale_key = {
restartUnits = [ "tailscaled-autoconnect.service" ];
};
};
};
systemd.network = { systemd.network = {
enable = true; enable = true;
networks."10-wan" = { networks."10-wan" = {
matchConfig.Name = "enp1s0"; matchConfig.Name = "enp1s0";
address = [ address = [
"167.235.18.32/32" "5.161.244.95/32"
"2a01:4f8:c2c:2e49::1/64" "2a01:4ff:f0:977c::1/64"
]; ];
dns = [ dns = [
"185.12.64.1" "185.12.64.1"
@ -148,7 +73,6 @@ in {
extraGroups = [ "networkmanager" "wheel" ]; extraGroups = [ "networkmanager" "wheel" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N bluerock"
]; ];
}; };
} }

50
modules/hosts/nixos/hetznix01/nginx.nix Normal file
View file

@ -0,0 +1,50 @@
{ ... }: let
http_port = 80;
https_port = 443;
in {
imports = [
../../../system/common/linux/lets-encrypt.nix
];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000 always;";
}
add_header Strict-Transport-Security $hsts_header;
'';
virtualHosts = {
"hetznix01.technicalissues.us" = {
default = true;
listen = [
{ port = http_port; addr = "0.0.0.0"; }
{ port = https_port; addr = "0.0.0.0"; ssl = true; }
];
enableACME = true;
acmeRoot = null;
addSSL = true;
forceSSL = false;
locations."/" = {
return = "200 '<h1>Hello world ;)</h1>'";
extraConfig = ''
add_header Content-Type text/html;
'';
};
};
"utk-eu.technicalissues.us" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
}; # end virtualHosts
}; # end nginx
}

20
modules/hosts/nixos/hetznix01/sops.nix Normal file
View file

@ -0,0 +1,20 @@
{ username, ... }: {
sops = {
age.keyFile = /home/${username}/.config/sops/age/keys.txt;
defaultSopsFile = ./secrets.yaml;
secrets = {
local_git_config = {
owner = "${username}";
path = "/home/${username}/.gitconfig-local";
};
local_private_env = {
owner = "${username}";
path = "/home/${username}/.private-env";
};
tailscale_key = {
restartUnits = [ "tailscaled-autoconnect.service" ];
};
};
};
}

14
modules/hosts/nixos/hetznix01/tailscale.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, username, ... }: {
tailscale = {
enable = true;
authKeyFile = config.sops.secrets.tailscale_key.path;
extraUpFlags = [
"--advertise-exit-node"
"--operator"
"${username}"
"--ssh"
];
useRoutingFeatures = "both";
};
}