Organize bits better, add OwnTracks

2026-03-27 01:17:42 -04:00 · 2024-06-15 20:42:25 -04:00 · 2024-06-15 20:42:25 -04:00 · c68680eff4
commit c68680eff4
parent eb53309c33
7 changed files with 139 additions and 82 deletions
--- a/modules/hosts/nixos/hetznix01/default.nix
+++ b/modules/hosts/nixos/hetznix01/default.nix
@ -2,11 +2,9 @@
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
-    # Added post-install
-    ./sops.nix
-    ./nginx.nix
-    ./restic.nix
-    ./tailscale.nix
+    ./owntracks.nix
+    ./post-install-general.nix
+    ./post-install-nginx.nix
  ];

  system.stateVersion = "24.05";
--- a/modules/hosts/nixos/hetznix01/nginx.nix
+++ b/modules/hosts/nixos/hetznix01/nginx.nix
@ -1,50 +0,0 @@
-{ ... }: let 
-  http_port = 80;
-  https_port = 443;
-in {
-  imports = [
-    ../../../system/common/linux/lets-encrypt.nix
-  ];
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    appendHttpConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
-      map $scheme $hsts_header {
-          https   "max-age=31536000 always;";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-    '';
-    virtualHosts = {
-      "hetznix01.technicalissues.us" = {
-        default = true;
-        listen = [
-          { port = http_port; addr = "0.0.0.0"; }
-          { port = https_port; addr = "0.0.0.0"; ssl = true; }
-        ];
-        enableACME = true;
-        acmeRoot = null;
-        addSSL = true;
-        forceSSL = false;
-        locations."/" = {
-          return = "200 '<h1>Hello world ;)</h1>'";
-          extraConfig = ''
-            add_header Content-Type text/html;
-          '';
-        };
-      };
-      "utk.technicalissues.us" = {
-        listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
-        enableACME = true;
-        acmeRoot = null;
-        forceSSL = true;
-        locations."/".proxyWebsockets = true;
-        locations."/".proxyPass = "http://127.0.0.1:3001";
-      };
-    }; # end virtualHosts
-  }; # end nginx
-}
--- a/modules/hosts/nixos/hetznix01/owntracks.nix
+++ b/modules/hosts/nixos/hetznix01/owntracks.nix
@ -0,0 +1,20 @@
+{ config, pkgs, ... }: let
+  frontend_port = "8082";
+in {
+  environment.systemPackages = with pkgs; [
+    owntracks-recorder
+  ];
+
+  virtualisation.oci-containers.containers = {
+    "owntracks-frontend" = {
+      autoStart = true;
+      image = "docker.io/owntracks/frontend:2.15.3";
+      environment = {
+        LISTEN = frontend_port;
+        SERVER_HOST = config.networking.hostName;
+        SERVER_PORT = "8083";
+      };
+      ports = [ "${frontend_port}:${frontend_port}" ];
+    };
+  };
+}
--- a/modules/hosts/nixos/hetznix01/post-install-general.nix
+++ b/modules/hosts/nixos/hetznix01/post-install-general.nix
@ -1,4 +1,25 @@
-{ username, ... }: {
+{ config, username, ... }: {
+  imports = [
+    ../../../system/common/linux/restic.nix
+  ];
+
+  services = {
+    restic.backups.daily.paths = [
+      "/var/lib/uptime-kuma"
+    ];
+    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets.tailscale_key.path;
+      extraUpFlags = [
+        "--advertise-exit-node"
+        "--operator"
+        "${username}"
+        "--ssh"
+      ];
+      useRoutingFeatures = "both";
+    };
+  };
+
  sops = {
    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
    defaultSopsFile = ./secrets.yaml;
@ -17,4 +38,3 @@
    };
  };
 }
-
--- a/modules/hosts/nixos/hetznix01/post-install-nginx.nix
+++ b/modules/hosts/nixos/hetznix01/post-install-nginx.nix
@ -0,0 +1,93 @@
+{ config, ... }: let 
+  domain = "technicalissues.us";
+  http_port = 80;
+  https_port = 443;
+in {
+  imports = [
+    ../../../system/common/linux/lets-encrypt.nix
+  ];
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    appendHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000 always;";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+    '';
+    virtualHosts = {
+      "hetznix01.${domain}" = {
+        default = true;
+        listen = [
+          { port = http_port; addr = "0.0.0.0"; }
+          { port = https_port; addr = "0.0.0.0"; ssl = true; }
+        ];
+        enableACME = true;
+        acmeRoot = null;
+        addSSL = true;
+        forceSSL = false;
+        locations."/" = {
+          return = "200 '<h1>Hello world ;)</h1>'";
+          extraConfig = ''
+            add_header Content-Type text/html;
+          '';
+        };
+      };
+      "ot.${domain}}" = {
+        listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        basicAuthFile = config.sops.secrets.owntracks_basic_auth.path;
+        locations = {
+          # OwnTracks Frontend container
+          "/" = {
+            proxypass = "http://127.0.0.1:8082";
+            recommendedproxysettings = true;
+          };
+          # OwnTracks Recorder
+          "/owntracks/" = {
+            proxypass = "http://127.0.0.1:8083";
+            recommendedproxysettings = true;
+          };
+          "/owntracks/pub" = { # Client apps need to point to this path
+            extraConfig = "proxy_set_header X-Limit-U $remote_user;";
+            proxypass = "http://127.0.0.1:8083/pub";
+            recommendedproxysettings = true;
+          };
+          "/owntracks/static/" = {
+            proxypass = "http://127.0.0.1:8083/static/";
+            recommendedproxysettings = true;
+          };
+          "/owntracks/utils/" = {
+            proxypass = "http://127.0.0.1:8083/utils/";
+            recommendedproxysettings = true;
+          };
+          "/owntracks/view/" = {
+            extraConfig = "proxy_buffering off;";
+            proxypass = "http://127.0.0.1:8083/view/";
+            recommendedproxysettings = true;
+          };
+          "/owntracks/ws" = {
+            extraConfig = "rewrite ^/owntracks/(.*) /$1 break;";
+            proxyPass = "http://127.0.0.1:8083";
+            recommendedProxySettings = true;
+          };
+        };
+      };
+      "utk.${domain}" = {
+        listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        locations."/".proxyWebsockets = true;
+        locations."/".proxyPass = "http://127.0.0.1:3001";
+      };
+    }; # end virtualHosts
+  }; # end nginx
+}
--- a/modules/hosts/nixos/hetznix01/restic.nix
+++ b/modules/hosts/nixos/hetznix01/restic.nix
@ -1,10 +0,0 @@
-{ ... }: {
-  imports = [
-    ../../../system/common/linux/restic.nix
-  ];
-
-  services.restic.backups.daily.paths = [
-    "/var/lib/uptime-kuma"
-  ];
-}
-
--- a/modules/hosts/nixos/hetznix01/tailscale.nix
+++ b/modules/hosts/nixos/hetznix01/tailscale.nix
@ -1,14 +0,0 @@
-{ config, username, ... }: {
-  services.tailscale = {
-    enable = true;
-    authKeyFile = config.sops.secrets.tailscale_key.path;
-    extraUpFlags = [
-      "--advertise-exit-node"
-      "--operator"
-      "${username}"
-      "--ssh"
-    ];
-    useRoutingFeatures = "both";
-  };
-}
-