Configuration using OpenTofu and Nix
Latest commit: Ethan Reece, 6e0d7506e8, "Add reverse proxy to existing docker host", 2025-02-22 23:53:45 -06:00
Files: modules/, targets/, terraform/, .env.example, .gitignore, .sops.yaml, README.md, flake.lock, flake.nix


VPN server configuration

This is an experimental configuration that runs a VPN on my Hetzner VPS, with DNS in Cloudflare, using OpenTofu and Nix. It is based on NixOS/nixos-wiki-infra on GitHub.

Configure ssh

Add your SSH public keys to targets/admin/terraform.tf.

Configure .env

Copy .env.example to .env and fill in the values.

Hetzner

In the Hetzner Cloud dashboard, go to the project and click Security -> API Tokens. Create a token with Read & Write permission (OpenTofu has to create the server) and copy it into .env; the dashboard shows the token only once.

Cloudflare

In the Cloudflare user settings, generate an API token with write access to DNS zones (the Zone / DNS / Edit permission) and put it in .env. Scope the token to the one zone this configuration manages rather than to all zones, so a leaked .env cannot rewrite DNS elsewhere.

Configure sops

On the Terraform client, run:

nix develop
cd targets/vpn/secrets
just generate-key
cp secrets.yaml.example secrets.yaml

Populate secrets.yaml with the desired values. Run age-keygen a second time to create a key that is specific to the server and put it in secrets.yaml as well (note that this only takes effect during installation). Then run just encrypt to encrypt secrets.yaml and just decrypt to decrypt it. Put the public keys of both the VPN server and the OpenTofu client in .sops.yaml in the project root directory: sops wraps the file's data key for each recipient listed there, so a recipient that is missing from .sops.yaml at encryption time cannot decrypt the file.

If you have already installed the server without a key, then run on the server:

sudo mkdir -p /var/lib/secrets
sudo chmod 700 /var/lib/secrets
sudo chown root:root /var/lib/secrets
umask 0177                                               # files created from here on are 0600
age-keygen | sudo tee /var/lib/secrets/age >/dev/null   # the private key goes straight into the root-owned file
sudo chmod 600 /var/lib/secrets/age
sudo chown root:root /var/lib/secrets/age
umask 0022                                               # restore the default umask
sudo grep 'public key' /var/lib/secrets/age              # print only the "# public key:" line

The last command needs sudo because the file is readable by root only, and it deliberately shows just the public key; the private key stays on the server and is never pasted anywhere.

Or run on the client: nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age' to derive an age public key from the server's ed25519 SSH host key. Two caveats: ssh-keyscan trusts whatever key the network returns, so compare the scanned key with the fingerprint already in your known_hosts before using it; and this route only works if the server's sops configuration decrypts with that SSH host key rather than with the key file in /var/lib/secrets/age.

Then add the resulting public key to .sops.yaml as described above.
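Once both recipients are in .sops.yaml, the two things worth checking before a commit are that secrets.yaml is actually encrypted (no plaintext slipped in after a just decrypt) and that it was encrypted for both the OpenTofu client and the VPN server. The following pre-commit guard is an added example, not the repository's own code or one of its just recipes; the key strings, file contents and paths in its demo are constructed placeholders, and it assumes sops' default YAML output, in which each scalar is replaced in place by an ENC[...] token and the recipients are listed under sops.age.

```sh
#!/bin/sh
# Added example, not part of the repository: a pre-commit guard for the sops
# secrets file. It checks that no value in secrets.yaml is plaintext and that
# the file was encrypted for every recipient that must read it (the OpenTofu
# client and the VPN server). Key strings, file contents and paths in the demo
# below are constructed placeholders.

# sops_is_encrypted FILE
# Exit 0 when every "key: value" line outside the trailing "sops:" metadata
# block carries an ENC[...] ciphertext. Keys ending in _unencrypted are sops'
# convention for deliberately plaintext values and are skipped. Prints only
# the offending key names, never the values.
sops_is_encrypted() {
  awk '
    /^sops:/   { in_meta = 1 }             # everything from here is metadata
    in_meta    { next }
    /^[ \t]*#/ { next }                    # comment lines
    /^[ \t]*-?[ \t]*[A-Za-z_][A-Za-z0-9_.-]*:[ \t]+[^ \t]/ {
      key = $0; sub(/:.*/, "", key); sub(/^[ \t-]*/, "", key)
      if (key ~ /_unencrypted$/) next
      val = $0; sub(/^[^:]*:[ \t]+/, "", val)
      if (val !~ /^ENC\[/) { print "plaintext value under key: " key; bad = 1 }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# sops_has_recipient FILE AGE_PUBLIC_KEY
# Exit 0 when the file's metadata lists the recipient, i.e. sops wrapped the
# data key for it and the holder of that private key can decrypt the file.
# The match is anchored so that a key that is a prefix of another cannot pass.
sops_has_recipient() {
  grep -Eq "^[[:space:]]*-[[:space:]]*recipient:[[:space:]]*$2[[:space:]]*\$" "$1"
}

# sops_check FILE RECIPIENT...
# Combined guard: encrypted, and wrapped for every expected recipient.
sops_check() {
  file=$1
  shift
  rc=0
  sops_is_encrypted "$file" || rc=1
  for r in "$@"; do
    sops_has_recipient "$file" "$r" || { echo "missing recipient $r in $file"; rc=1; }
  done
  return "$rc"
}

# ---- demo on constructed files (no real secrets) ----
CLIENT_KEY=age1clientexample000   # placeholder for the OpenTofu client's public key
VPN_KEY=age1vpnexample000         # placeholder for the VPN server's public key
demo=$(mktemp -d)

# Shape of the file sops produces when it is encrypted for both recipients.
cat > "$demo/good.yaml" <<EOF
headscale_oidc_secret: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
site_name_unencrypted: vpn.example.org
sops:
    age:
        - recipient: $CLIENT_KEY
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            (wrapped data key)
            -----END AGE ENCRYPTED FILE-----
        - recipient: $VPN_KEY
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            (wrapped data key)
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-02-22T12:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.9.4
EOF

# A stale file: one value left in plaintext, and encrypted before the
# server's key was added to .sops.yaml.
cat > "$demo/bad.yaml" <<EOF
headscale_oidc_secret: hunter2
sops:
    age:
        - recipient: $CLIENT_KEY
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            (wrapped data key)
            -----END AGE ENCRYPTED FILE-----
    version: 3.9.4
EOF

for f in good.yaml bad.yaml; do
  if sops_check "$demo/$f" "$CLIENT_KEY" "$VPN_KEY"; then
    echo "$f: ok"
  else
    echo "$f: rejected"
  fi
done
rm -rf "$demo"
```

If the guard reports a missing recipient on a file that was encrypted before .sops.yaml changed, re-encrypt it (just encrypt from the decrypted copy) or run sops updatekeys on it; editing .sops.yaml alone never touches files that are already encrypted.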

Apply configuration

For cross-compiling on different architectures, you will need to add a builder by visiting the following resources:

Run nix develop at the root of the project directory to access a shell where OpenTofu is accessible.

In the targets directory, run just to update the configurations.

VPN

To set up the VPN, on the VPS run:

headscale users create default
headscale preauthkeys create --user default --reusable

A reusable pre-auth key enrols any machine that presents it, so treat it like a password: keep its expiration short (headscale defaults to one hour; pass --expiration to change it) and expire it with headscale preauthkeys expire once the clients have joined.

On the client run:

tailscale up --login-server <HEADSCALE_URL> --auth-key <KEY>

Troubleshooting

Hetzner VPN

Some settings may need to be fixed by hand. For instance, the network settings may change with a new installation and then need to be updated in targets/vpn/configuration.nix; if the mismatch leaves the server without networking, boot a NixOS recovery image, mount the installed system, use nixos-enter to correct the networking and rebuild the system from there.

It may also complain about a hostname change. Changing the name of the VPN in terraform/nixos-vpn from nixos-vpn to vpn might help but I haven't tested it out yet. Otherwise you may need to clone the repo inside of the VM and do nixos-rebuild there.