Prep for reinstall

Bits that require SOPS to be working have been pulled out into other
files. Once the install is complete, these will be included in the base
config.

modules/hosts/nixos/hetznix01/default.nix

@@ -1,11 +1,7 @@
-{ inputs, config, disko, hostname, pkgs, sops-nix, username,  ... }: let
-  http_port = 80;
-  https_port = 443;
-in {
+{ config, username,  ... }: {
   imports = [
     ./hardware-configuration.nix
     ./disk-config.nix
-    ../../../system/common/linux/lets-encrypt.nix
   ];
 
   system.stateVersion = "23.11";
@@ -38,59 +34,6 @@ in {
 
   services = {
     fail2ban.enable = true;
-    nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      appendHttpConfig = ''
-        # Add HSTS header with preloading to HTTPS requests.
-        # Adding this header to HTTP requests is discouraged
-        map $scheme $hsts_header {
-            https   "max-age=31536000 always;";
-        }
-        add_header Strict-Transport-Security $hsts_header;
-      '';
-      virtualHosts = {
-        "hetznix01.technicalissues.us" = {
-          default = true;
-          listen = [
-            { port = http_port; addr = "0.0.0.0"; }
-            { port = https_port; addr = "0.0.0.0"; ssl = true; }
-          ];
-          enableACME = true;
-          acmeRoot = null;
-          addSSL = true;
-          forceSSL = false;
-          locations."/" = {
-            return = "200 '<h1>Hello world ;)</h1>'";
-            extraConfig = ''
-              add_header Content-Type text/html;
-            '';
-          };
-        };
-        "utk-eu.technicalissues.us" = {
-          listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
-          enableACME = true;
-          acmeRoot = null;
-          forceSSL = true;
-          locations."/".proxyWebsockets = true;
-          locations."/".proxyPass = "http://127.0.0.1:3001";
-        };
-      }; # end virtualHosts
-    }; # end nginx
-    tailscale = {
-      enable = true;
-      authKeyFile = config.sops.secrets.tailscale_key.path;
-      extraUpFlags = [
-        "--advertise-exit-node"
-        "--operator"
-        "${username}"
-        "--ssh"
-      ];
-      useRoutingFeatures = "both";
-    };
     uptime-kuma = {
       enable = true;
       settings = {
@@ -100,31 +43,13 @@ in {
     };
   };
 
-  sops = {
-    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
-    defaultSopsFile = ./secrets.yaml;
-    secrets = {
-      local_git_config = {
-        owner = "${username}";
-        path = "/home/${username}/.gitconfig-local";
-      };
-      local_private_env = {
-        owner = "${username}";
-        path = "/home/${username}/.private-env";
-      };
-      tailscale_key = {
-        restartUnits = [ "tailscaled-autoconnect.service" ];
-      };
-    };
-  };
-
   systemd.network = {
     enable = true;
     networks."10-wan" = {
       matchConfig.Name = "enp1s0";
       address = [
-        "167.235.18.32/32"
-        "2a01:4f8:c2c:2e49::1/64"
+        "5.161.244.95/32"
+        "2a01:4ff:f0:977c::1/64"
       ];
       dns = [
         "185.12.64.1"
@@ -148,7 +73,6 @@ in {
     extraGroups = [ "networkmanager" "wheel" ];
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N bluerock"
     ];
   };
 }

modules/hosts/nixos/hetznix01/nginx.nix

@@ -0,0 +1,50 @@
+{ ... }: let 
+  http_port = 80;
+  https_port = 443;
+in {
+  imports = [
+    ../../../system/common/linux/lets-encrypt.nix
+  ];
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000 always;";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+    '';
+    virtualHosts = {
+      "hetznix01.technicalissues.us" = {
+        default = true;
+        listen = [
+          { port = http_port; addr = "0.0.0.0"; }
+          { port = https_port; addr = "0.0.0.0"; ssl = true; }
+        ];
+        enableACME = true;
+        acmeRoot = null;
+        addSSL = true;
+        forceSSL = false;
+        locations."/" = {
+          return = "200 '<h1>Hello world ;)</h1>'";
+          extraConfig = ''
+            add_header Content-Type text/html;
+          '';
+        };
+      };
+      "utk-eu.technicalissues.us" = {
+        listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        locations."/".proxyWebsockets = true;
+        locations."/".proxyPass = "http://127.0.0.1:3001";
+      };
+    }; # end virtualHosts
+  }; # end nginx
+}

modules/hosts/nixos/hetznix01/sops.nix

@@ -0,0 +1,20 @@
+{ username, ... }: {
+  sops = {
+    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "/home/${username}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "/home/${username}/.private-env";
+      };
+      tailscale_key = {
+        restartUnits = [ "tailscaled-autoconnect.service" ];
+      };
+    };
+  };
+}
+

modules/hosts/nixos/hetznix01/tailscale.nix

@@ -0,0 +1,14 @@
+{ config, username, ... }: {
+  tailscale = {
+    enable = true;
+    authKeyFile = config.sops.secrets.tailscale_key.path;
+    extraUpFlags = [
+      "--advertise-exit-node"
+      "--operator"
+      "${username}"
+      "--ssh"
+    ];
+    useRoutingFeatures = "both";
+  };
+}
+