mv hosts nixosConfigurations

nixosConfigurations/hetzner-vpn2/configuration.nix

@@ -0,0 +1,21 @@
+{ ... }:
+{
+  # uncomment for build check on non arm system (requires --impure)
+  # nixpkgs.buildPlatform = builtins.currentSystem;
+
+  services.tailscale.useRoutingFeatures = "both";
+
+  users.users = {
+    root.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
+    ];
+    #ronja.openssh.authorizedKeys.keys = [
+    #  ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ronja-ssh-host-key''
+    #];
+  };
+
+  system.autoUpgrade.allowReboot = true;
+}

nixosConfigurations/hetzner-vpn2/hardware.nix

@@ -0,0 +1,63 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  config = {
+    nixpkgs = {
+      hostPlatform = "aarch64-linux";
+      system = "aarch64-linux";
+    };
+
+    boot = {
+      tmp.cleanOnBoot = true;
+      kernelParams = [ "console=tty" ];
+      loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+      };
+      initrd = {
+        availableKernelModules = [
+          "xhci_pci"
+          "virtio_scsi"
+          "sr_mod"
+          "virtio_gpu"
+        ];
+        kernelModules = [ ];
+      };
+    };
+
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-uuid/3263489d-9819-433c-b198-9d2e732a94e4";
+        fsType = "ext4";
+      };
+      "/boot" = {
+        device = "/dev/disk/by-uuid/6C25-6BDC";
+        fsType = "vfat";
+        options = [
+          "fmask=0077"
+          "dmask=0077"
+        ];
+      };
+    };
+
+    swapDevices = [
+      { device = "/dev/disk/by-uuid/e147721d-86b5-40d7-a231-c6ea391c563d"; }
+    ];
+
+    networking.useNetworkd = true;
+    systemd.network = {
+      enable = true;
+      networks."10-wan" = {
+        matchConfig.Name = "enp1s0";
+        networkConfig.DHCP = "ipv4";
+        address = [
+          "2a01:4f8:c013:65dd::1/64"
+        ];
+        routes = [
+          { Gateway = "fe80::1"; }
+        ];
+      };
+    };
+  };
+}

nixosConfigurations/hetzner-vpn2/imports.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./nginx.nix
+  ];
+}

nixosConfigurations/hetzner-vpn2/nginx.nix

@@ -0,0 +1,104 @@
+{ pkgs, ... }:
+let
+  blog-domain-socket = "/run/nginx/blog.sock";
+  anubis-domain-socket = "/run/anubis/anubis-blog.sock";
+in
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@zerforschen.plus";
+  };
+
+  security.pam.services.nginx.setEnvironment = false;
+  systemd.services = {
+    nginx.serviceConfig = {
+      SupplementaryGroups = [
+        "shadow"
+        "anubis"
+      ];
+    };
+    anubis-main.serviceConfig = {
+      SupplementaryGroups = [ "nginx" ];
+    };
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      additionalModules = [ pkgs.nginxModules.pam ];
+
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+
+      virtualHosts =
+        #let
+        #  servicesDomain = "services.zerforschen.plus";
+        #  mkServiceConfig =
+        #    { host, port }:
+        #    {
+        #      addSSL = true;
+        #      enableACME = true;
+        #      locations."/" = {
+        #        proxyPass = "http://${host}:${toString port}/";
+        #        extraConfig = ''
+        #          # bind to tailscale ip
+        #          proxy_bind 100.88.118.60;
+        #          # pam auth
+        #          limit_except OPTIONS {
+        #            auth_pam  "Password Required";
+        #            auth_pam_service_name "nginx";
+        #          }
+        #        '';
+        #      };
+        #    };
+        #  pc2 = "vinzenz-pc2.donkey-pentatonic.ts.net";
+        #in
+        {
+          #"code.${servicesDomain}" = lib.mkMerge [
+          #  (mkServiceConfig {
+          #    host = pc2;
+          #    port = 8542;
+          #  })
+          #  { locations."/".proxyWebsockets = true; }
+          #];
+          #"view.${servicesDomain}" = mkServiceConfig {
+          #  host = pc2;
+          #  port = 1313;
+          #};
+
+          "zerforschen.plus" = {
+            addSSL = true;
+            enableACME = true;
+            locations."/" = {
+              proxyPass = ("http://unix:" + anubis-domain-socket);
+            };
+          };
+
+          "blog-in-anubis" = {
+            root = pkgs.zerforschen-plus-content;
+            listen = [
+              {
+                addr = ("unix:" + blog-domain-socket);
+              }
+            ];
+          };
+        };
+    };
+
+    anubis.instances.main = {
+      enable = true;
+      settings = {
+        BIND = anubis-domain-socket;
+        TARGET = "unix://" + blog-domain-socket;
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+    5201
+  ];
+}