172 lines
3.9 KiB
Nix
172 lines
3.9 KiB
Nix
{
|
|
self,
|
|
lib,
|
|
config,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
|
|
in
|
|
{
|
|
imports = [
|
|
self.nixosModules.hcloud
|
|
];
|
|
|
|
users.users.root = {
|
|
openssh.authorizedKeys.keys = nixosVars.ssh_keys;
|
|
initialPassword = "nixos";
|
|
};
|
|
|
|
system.stateVersion = "23.11";
|
|
|
|
networking = {
|
|
hostName = nixosVars.hostname;
|
|
domain = nixosVars.domain_netname;
|
|
|
|
firewall = {
|
|
allowedUDPPorts = [3478];
|
|
allowedTCPPorts = [80 443];
|
|
checkReversePath = "loose";
|
|
};
|
|
};
|
|
|
|
sops = {
|
|
#secrets = {
|
|
# cloudflare-api-token = {};
|
|
#};
|
|
templates."caddy-env.conf".content = ''
|
|
CLOUDFLARE_API_TOKEN=${config.sops.placeholder.cloudflare-api-token}
|
|
'';
|
|
defaultSopsFile = ./secrets/secrets.yaml;
|
|
age = {
|
|
keyFile = "/var/lib/secrets/age";
|
|
generateKey = true;
|
|
};
|
|
};
|
|
|
|
services = {
|
|
openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
AllowTcpForwarding = "yes";
|
|
AllowAgentForwarding = "yes";
|
|
};
|
|
};
|
|
|
|
cloud-init.enable = lib.mkForce false;
|
|
|
|
headscale = {
|
|
enable = true;
|
|
address = "[::]";
|
|
port = 8080;
|
|
settings = {
|
|
server_url = "https://${nixosVars.hostname}.${nixosVars.domain_netname}";
|
|
logtail.enabled = false;
|
|
dns = {
|
|
base_domain = "ts.${nixosVars.domain_netname}";
|
|
magic_dns = true;
|
|
search_domains = ["${nixosVars.domain_netname}"];
|
|
nameservers.global = [
|
|
"9.9.9.9"
|
|
"149.112.112.112"
|
|
"2620:fe::fe"
|
|
"2620:fe::9"
|
|
];
|
|
};
|
|
ip_prefixes = [
|
|
"100.64.0.0/10"
|
|
"fd7a:115c:a1e0::/48"
|
|
];
|
|
};
|
|
};
|
|
|
|
tailscale = {
|
|
enable = true;
|
|
};
|
|
|
|
caddy = {
|
|
enable = true;
|
|
package = pkgs.caddy.withPlugins {
|
|
plugins = [ "github.com/caddy-dns/cloudflare@v0.0.0-20250214163716-188b4850c0f2" ];
|
|
hash = "sha256-izuQXvxIq3ycxcUuMErz7MbP9RwLkj+bhliK9H6Heqc=";
|
|
};
|
|
globalConfig = ''
|
|
acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
|
cert_issuer acme {
|
|
resolvers 1.1.1.1
|
|
}
|
|
'';
|
|
virtualHosts = {
|
|
"${nixosVars.hostname}.${nixosVars.domain_netname}".extraConfig = ''
|
|
reverse_proxy localhost:8080
|
|
'';
|
|
"ts.${nixosVars.domain_netname}".extraConfig = ''
|
|
respond "Access Denied" 403
|
|
'';
|
|
"*.ts.${nixosVars.domain_netname}".extraConfig = ''
|
|
respond "Access Denied" 403
|
|
'';
|
|
"${nixosVars.domain_realname}".extraConfig = ''
|
|
reverse_proxy http://docker
|
|
'';
|
|
"${nixosVars.domain_netname}".extraConfig = ''
|
|
reverse_proxy http://docker
|
|
'';
|
|
"*.${nixosVars.domain_realname}".extraConfig = ''
|
|
reverse_proxy http://docker
|
|
'';
|
|
"*.${nixosVars.domain_netname}".extraConfig = ''
|
|
reverse_proxy http://docker
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd = {
|
|
services = {
|
|
caddy = {
|
|
unitConfig = {
|
|
After = [ "sops-nix.service" ];
|
|
};
|
|
serviceConfig = {
|
|
EnvironmentFile = lib.mkForce [config.sops.templates."caddy-env.conf".path];
|
|
};
|
|
};
|
|
};
|
|
network.networks."10-wan" = {
|
|
matchConfig.MACAddress = "96:00:04:16:ed:c5";
|
|
address = [
|
|
"${nixosVars.ipv4_address}/32"
|
|
"${nixosVars.ipv6_address}/64"
|
|
];
|
|
routes = [
|
|
{ Gateway = "fe80::1"; }
|
|
{
|
|
Gateway = "172.31.1.1";
|
|
GatewayOnLink = true;
|
|
}
|
|
];
|
|
linkConfig.RequiredForOnline = "routable";
|
|
};
|
|
};
|
|
|
|
boot.supportedFilesystems = ["btrfs"];
|
|
environment.systemPackages = [
|
|
pkgs.btrfs-progs
|
|
pkgs.shadow
|
|
pkgs.vim
|
|
pkgs.speedtest-cli
|
|
pkgs.git
|
|
pkgs.hcloud
|
|
pkgs.dhcpcd
|
|
pkgs.age
|
|
];
|
|
|
|
boot.kernel.sysctl = {
|
|
"net.ipv4.ip_forward" = 1;
|
|
"net.ipv6.conf.all.forwarding" = 1;
|
|
};
|
|
}
|
|
|