diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix
index 787d56d..35946b0 100644
--- a/modules/hosts/nixos/hetznix01/default.nix
+++ b/modules/hosts/nixos/hetznix01/default.nix
@@ -2,11 +2,9 @@
imports = [
./hardware-configuration.nix
./disk-config.nix
- # Added post-install
- ./sops.nix
- ./nginx.nix
- ./restic.nix
- ./tailscale.nix
+ ./owntracks.nix
+ ./post-install-general.nix
+ ./post-install-nginx.nix
];
system.stateVersion = "24.05";
diff --git a/modules/hosts/nixos/hetznix01/nginx.nix b/modules/hosts/nixos/hetznix01/nginx.nix
deleted file mode 100644
index 641f63d..0000000
--- a/modules/hosts/nixos/hetznix01/nginx.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ ... }: let
- http_port = 80;
- https_port = 443;
-in {
- imports = [
- ../../../system/common/linux/lets-encrypt.nix
- ];
- services.nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- appendHttpConfig = ''
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- map $scheme $hsts_header {
- https "max-age=31536000 always;";
- }
- add_header Strict-Transport-Security $hsts_header;
- '';
- virtualHosts = {
- "hetznix01.technicalissues.us" = {
- default = true;
- listen = [
- { port = http_port; addr = "0.0.0.0"; }
- { port = https_port; addr = "0.0.0.0"; ssl = true; }
- ];
- enableACME = true;
- acmeRoot = null;
- addSSL = true;
- forceSSL = false;
- locations."/" = {
- return = "200 '
Hello world ;)
'";
- extraConfig = ''
- add_header Content-Type text/html;
- '';
- };
- };
- "utk.technicalissues.us" = {
- listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
- locations."/".proxyWebsockets = true;
- locations."/".proxyPass = "http://127.0.0.1:3001";
- };
- }; # end virtualHosts
- }; # end nginx
-}
diff --git a/modules/hosts/nixos/hetznix01/owntracks.nix b/modules/hosts/nixos/hetznix01/owntracks.nix
new file mode 100644
index 0000000..3c6fd49
--- /dev/null
+++ b/modules/hosts/nixos/hetznix01/owntracks.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }: let
+ frontend_port = "8082";
+in {
+ environment.systemPackages = with pkgs; [
+ owntracks-recorder
+ ];
+
+ virtualisation.oci-containers.containers = {
+ "owntracks-frontend" = {
+ autoStart = true;
+ image = "docker.io/owntracks/frontend:2.15.3";
+ environment = {
+ LISTEN = frontend_port;
+ SERVER_HOST = config.networking.hostName;
+ SERVER_PORT = "8083";
+ };
+ ports = [ "${frontend_port}:${frontend_port}" ];
+ };
+ };
+}
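Review bot: `ports = [ "${frontend_port}:${frontend_port}" ]` publishes the frontend container on every host interface, so unless the host firewall blocks 8082 (not visible here) the frontend is reachable directly, bypassing whatever authentication the reverse proxy puts in front of it; binding to loopback, `ports = [ "127.0.0.1:${frontend_port}:${frontend_port}" ];`, keeps it reachable only through nginx. The image is pinned by tag (`2.15.3`) rather than by digest, so the content pulled under that tag can change; an `@sha256:` pin would make the deployment reproducible. `SERVER_HOST`/`SERVER_PORT = "8083"` point the frontend at a recorder that this hunk does not start — `owntracks-recorder` is only added to `environment.systemPackages` — so confirm the recorder service is configured elsewhere, and a comment saying where would help.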
diff --git a/modules/hosts/nixos/hetznix01/sops.nix b/modules/hosts/nixos/hetznix01/post-install-general.nix
similarity index 51%
rename from modules/hosts/nixos/hetznix01/sops.nix
rename to modules/hosts/nixos/hetznix01/post-install-general.nix
index abd4db0..a40721f 100644
--- a/modules/hosts/nixos/hetznix01/sops.nix
+++ b/modules/hosts/nixos/hetznix01/post-install-general.nix
@@ -1,4 +1,25 @@
-{ username, ... }: {
+{ config, username, ... }: {
+ imports = [
+ ../../../system/common/linux/restic.nix
+ ];
+
+ services = {
+ restic.backups.daily.paths = [
+ "/var/lib/uptime-kuma"
+ ];
+ tailscale = {
+ enable = true;
+ authKeyFile = config.sops.secrets.tailscale_key.path;
+ extraUpFlags = [
+ "--advertise-exit-node"
+ "--operator"
+ "${username}"
+ "--ssh"
+ ];
+ useRoutingFeatures = "both";
+ };
+ };
+
sops = {
age.keyFile = /home/${username}/.config/sops/age/keys.txt;
defaultSopsFile = ./secrets.yaml;
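Review bot: `--ssh` combined with `--operator ${username}` means login to this host over Tailscale SSH is decided by the tailnet ACL rather than sshd, and the non-root user can reconfigure tailscaled (including the exit-node advertisement) without sudo; that is a deliberate trust decision worth stating in the file, e.g. `# Tailscale SSH: host access is governed by the tailnet ACL; ${username} may reconfigure tailscaled (--operator)`. The surrounding `sops` attribute set continues past the end of this hunk.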
@@ -16,5 +37,4 @@
};
};
};
-}
-
+}
\ No newline at end of file
diff --git a/modules/hosts/nixos/hetznix01/post-install-nginx.nix b/modules/hosts/nixos/hetznix01/post-install-nginx.nix
new file mode 100644
index 0000000..b155366
--- /dev/null
+++ b/modules/hosts/nixos/hetznix01/post-install-nginx.nix
@@ -0,0 +1,93 @@
+{ config, ... }: let
+ domain = "technicalissues.us";
+ http_port = 80;
+ https_port = 443;
+in {
+ imports = [
+ ../../../system/common/linux/lets-encrypt.nix
+ ];
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000 always;";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ '';
+ virtualHosts = {
+ "hetznix01.${domain}" = {
+ default = true;
+ listen = [
+ { port = http_port; addr = "0.0.0.0"; }
+ { port = https_port; addr = "0.0.0.0"; ssl = true; }
+ ];
+ enableACME = true;
+ acmeRoot = null;
+ addSSL = true;
+ forceSSL = false;
+ locations."/" = {
+ return = "200 'Hello world ;)
'";
+ extraConfig = ''
+ add_header Content-Type text/html;
+ '';
+ };
+ };
+ "ot.${domain}}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ basicAuthFile = config.sops.secrets.owntracks_basic_auth.path;
+ locations = {
+ # OwnTracks Frontend container
+ "/" = {
+ proxypass = "http://127.0.0.1:8082";
+ recommendedproxysettings = true;
+ };
+ # OwnTracks Recorder
+ "/owntracks/" = {
+ proxypass = "http://127.0.0.1:8083";
+ recommendedproxysettings = true;
+ };
+ "/owntracks/pub" = { # Client apps need to point to this path
+ extraConfig = "proxy_set_header X-Limit-U $remote_user;";
+ proxypass = "http://127.0.0.1:8083/pub";
+ recommendedproxysettings = true;
+ };
+ "/owntracks/static/" = {
+ proxypass = "http://127.0.0.1:8083/static/";
+ recommendedproxysettings = true;
+ };
+ "/owntracks/utils/" = {
+ proxypass = "http://127.0.0.1:8083/utils/";
+ recommendedproxysettings = true;
+ };
+ "/owntracks/view/" = {
+ extraConfig = "proxy_buffering off;";
+ proxypass = "http://127.0.0.1:8083/view/";
+ recommendedproxysettings = true;
+ };
+ "/owntracks/ws" = {
+ extraConfig = "rewrite ^/owntracks/(.*) /$1 break;";
+ proxyPass = "http://127.0.0.1:8083";
+ recommendedProxySettings = true;
+ };
+ };
+ };
+ "utk.${domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://127.0.0.1:3001";
+ };
+ }; # end virtualHosts
+ }; # end nginx
+}
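Review bot: The `ot.` vhost attribute name `"ot.${domain}}"` has a stray closing brace, so the server_name (and the ACME certificate request) becomes `ot.technicalissues.us}` and never matches the intended host; it should read `"ot.${domain}" = {`. The locations under that vhost use `proxypass` and `recommendedproxysettings` in lowercase (only `/owntracks/ws` spells them `proxyPass`/`recommendedProxySettings`), and the NixOS `locations` submodule options are case-sensitive, so evaluation will fail on unknown options — correct the casing on each location. The `/owntracks/ws` location proxies a WebSocket endpoint but does not set `proxyWebsockets = true`, so the Upgrade/Connection headers are likely not forwarded; confirm against the recorder. Separately, the HSTS map value `"max-age=31536000 always;"` puts the literal `always;` into the header value rather than using `always` as an `add_header` flag, which presumably was the intent: `https "max-age=31536000; includeSubDomains";` with `add_header Strict-Transport-Security $hsts_header always;`.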
diff --git a/modules/hosts/nixos/hetznix01/restic.nix b/modules/hosts/nixos/hetznix01/restic.nix
deleted file mode 100644
index 5acd1b2..0000000
--- a/modules/hosts/nixos/hetznix01/restic.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ... }: {
- imports = [
- ../../../system/common/linux/restic.nix
- ];
-
- services.restic.backups.daily.paths = [
- "/var/lib/uptime-kuma"
- ];
-}
-
diff --git a/modules/hosts/nixos/hetznix01/tailscale.nix b/modules/hosts/nixos/hetznix01/tailscale.nix
deleted file mode 100644
index d6f3278..0000000
--- a/modules/hosts/nixos/hetznix01/tailscale.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ config, username, ... }: {
- services.tailscale = {
- enable = true;
- authKeyFile = config.sops.secrets.tailscale_key.path;
- extraUpFlags = [
- "--advertise-exit-node"
- "--operator"
- "${username}"
- "--ssh"
- ];
- useRoutingFeatures = "both";
- };
-}
-