server-configuration/targets/vpn/configuration.nix
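# NixOS configuration for the "vpn" target: a headscale control server
# fronted by caddy, which terminates TLS on 80/443 and proxies to
# headscale on loopback. Host-specific values (SSH keys, hostname,
# domain, IPv4 address) come from ./nixos-vars.json next to this file.
{
  self,
  lib,
  config,
  pkgs,
  ...
}:
let
  # Keys read below: ssh_keys, hostname, domain_netname, ipv4_address.
  # The JSON is evaluated at build time, so a missing key fails evaluation
  # rather than surfacing on the running host.
  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);

  # Public name of this host; used for server_url and the caddy vhost.
  fqdn = "${nixosVars.hostname}.${nixosVars.domain_netname}";

  # Loopback port headscale listens on; caddy proxies to the same value,
  # so keep the two in sync through this single binding.
  headscalePort = 8080;
in
{
  imports = [
    # presumably the Hetzner Cloud base module from the flake — see `self`
    self.nixosModules.hcloud
  ];

  users.users.root = {
    openssh.authorizedKeys.keys = nixosVars.ssh_keys;
    # NOTE(review): well-known initial password on root. SSH password
    # login is disabled below, so this only matters for console access,
    # but a hashed password (or none) would be preferable — confirm with
    # the provisioning flow before changing.
    initialPassword = "nixos";
  };

  system.stateVersion = "23.11";

  networking = {
    hostName = nixosVars.hostname;
    domain = nixosVars.domain_netname;
    firewall = {
      # 3478/udp — presumably STUN for headscale's embedded DERP; confirm
      allowedUDPPorts = [ 3478 ];
      # caddy only; headscale's own port is not opened to the outside
      allowedTCPPorts = [ 80 443 ];
    };
  };

  services = {
    openssh = {
      enable = true;
      # Keys only; the root account above is reachable solely via authorizedKeys.
      settings.PasswordAuthentication = false;
    };

    # Addressing is set statically in systemd.network below, so cloud-init
    # is forced off (mkForce overrides whatever the imported module sets).
    cloud-init.enable = lib.mkForce false;

    headscale = {
      enable = true;
      # Only caddy on this host talks to headscale's HTTP listener, and the
      # firewall never exposes the port, so bind to loopback rather than
      # 0.0.0.0. Clients reach headscale through server_url via caddy.
      address = "127.0.0.1";
      port = headscalePort;
      settings = {
        server_url = "https://${fqdn}";
        logtail.enabled = false;
        dns = {
          base_domain = "ts.${nixosVars.domain_netname}";
          magic_dns = true;
          search_domains = [ nixosVars.domain_netname ];
          nameservers.global = [
            "1.1.1.1"
            "9.9.9.9"
          ];
        };
        ip_prefixes = [ "100.64.0.0/10" ];
      };
    };

    caddy = {
      enable = true;
      # caddy handles TLS for the FQDN and forwards every request to headscale.
      virtualHosts.${fqdn}.extraConfig = ''
        reverse_proxy * 127.0.0.1:${toString headscalePort}
      '';
    };
  };

  # Static WAN configuration; the interface is matched by MAC address.
  systemd.network.networks."10-wan" = {
    matchConfig.MACAddress = "96:00:04:16:ed:c5";
    address = [ "${nixosVars.ipv4_address}/32" ];
    routes = [
      {
        Gateway = "172.31.1.1";
        # The address is a /32, so the gateway is not on-link from the
        # kernel's point of view; this tells networkd to add the route anyway.
        GatewayOnLink = true;
      }
    ];
    linkConfig.RequiredForOnline = "routable";
  };

  boot.supportedFilesystems = [ "btrfs" ];

  environment.systemPackages = [
    pkgs.btrfs-progs
    pkgs.shadow
    pkgs.vim
    pkgs.speedtest-cli
    pkgs.git
    pkgs.hcloud
    pkgs.dhcpcd
  ];
}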