From b41bfc935c62e6cdbd0db0582a363f85b3c02224 Mon Sep 17 00:00:00 2001
From: Vinzenz Schroeter
Date: Sun, 1 Dec 2024 12:06:11 +0100
Subject: [PATCH] wip add hetzner-vpn2
---
hosts/hetzner-vpn2/default.nix | 34 ++++++++++++
hosts/hetzner-vpn2/hardware.nix | 94 +++++++++++++++++++++++++++++++++
hosts/hetzner-vpn2/nginx.nix | 57 ++++++++++++++++++++
3 files changed, 185 insertions(+)
create mode 100644 hosts/hetzner-vpn2/default.nix
create mode 100644 hosts/hetzner-vpn2/hardware.nix
create mode 100644 hosts/hetzner-vpn2/nginx.nix
diff --git a/hosts/hetzner-vpn2/default.nix b/hosts/hetzner-vpn2/default.nix
new file mode 100644
index 0000000..f808faa
--- /dev/null
+++ b/hosts/hetzner-vpn2/default.nix
@@ -0,0 +1,34 @@
+{ nixpkgs, common-modules, ... }:
+nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = common-modules ++ [
+ ./hardware.nix
+ ./nginx.nix
+ ../../users/vinzenz.nix
+ ../../users/ronja.nix
+ { networking.hostName = "hetzner-vpn2"; }
+ {
+ # uncomment for build check on non arm system (requires --impure)
+ # nixpkgs.buildPlatform = builtins.currentSystem;
+ }
+ {
+ users.users = {
+ root.openssh.authorizedKeys.keys = [
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
+ ];
+ vinzenz.openssh.authorizedKeys.keys = [
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
+ ];
+ ronja.openssh.authorizedKeys.keys = [
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ronja-ssh-host-key''
+ ];
+ };
+ }
+ ];
+}
diff --git a/hosts/hetzner-vpn2/hardware.nix b/hosts/hetzner-vpn2/hardware.nix
new file mode 100644
index 0000000..e3f308b
--- /dev/null
+++ b/hosts/hetzner-vpn2/hardware.nix
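Review bot: The root account is given the same four authorized keys as the vinzenz user (`root.openssh.authorizedKeys.keys = [ … ]`), so every one of those devices lands directly in a root shell with no personal account or sudo step in between. Unless a deployment tool that needs root over SSH is in use, I would drop the root key list and pin `services.openssh.settings.PermitRootLogin = "no";` (or `"prohibit-password"` if root deploys are required); sshd settings may already come from common-modules, which is not visible here. The two identical key lists should be one `let vinzenzKeys = [ … ]; in` binding so they cannot drift apart when a device is added or revoked. The label `ronja-ssh-host-key` suggests this is a machine's host key rather than a user key; if so its private half lives in /etc/ssh on that machine, readable by root there, which is not a good authorized user key — worth confirming with the owner.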
@@ -0,0 +1,94 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ config = {
+ nixpkgs = {
+ hostPlatform = "aarch64-linux";
+ system = "aarch64-linux";
+ };
+
+ boot = {
+ tmp.cleanOnBoot = true;
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "virtio_scsi"
+ "sr_mod"
+ ];
+ kernelModules = [ ];
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/24c2f986-1e88-4c26-87eb-0f92aecd6f56";
+ fsType = "ext4";
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/AZ0B-81C3";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
+ ];
+ };
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/2531d357-dea5-4212-97e3-d727f7bdbd16"; }
+ ];
+
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ useDHCP = true;
+ domain = "";
+ nameservers = [ "8.8.8.8" ];
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "enp1s0";
+ };
+ interfaces = {
+ enp1s0 = {
+ #ipv4 = {
+ # addresses = [
+ # {
+ # address = "157.90.146.125";
+ # prefixLength = 32;
+ # }
+ # ];
+ # routes = [
+ # {
+ # address = "172.31.1.1";
+ # prefixLength = 32;
+ # }
+ # ];
+ #};
+ ipv6 = {
+ addresses = [
+ {
+ address = "2a01:4f8:c013:65dd::";
+ prefixLength = 64;
+ }
+ ];
+ routes = [
+ {
+ address = "fe80::1";
+ prefixLength = 128;
+ }
+ ];
+ };
+ };
+ };
+ };
+
+ #services.udev.extraRules = ''
+ # ATTR{address}=="96:00:02:87:7f:c9", NAME="eth0"
+ #'';
+ };
+}
diff --git a/hosts/hetzner-vpn2/nginx.nix b/hosts/hetzner-vpn2/nginx.nix
new file mode 100644
index 0000000..f49ff6f
--- /dev/null
+++ b/hosts/hetzner-vpn2/nginx.nix
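Review bot: The swap partition in `swapDevices` is plain, so whatever the kernel pages out — passwords passing through PAM, TLS private keys nginx holds in memory, session state — is written to the VPS disk in clear; on a guest that never hibernates, `{ device = "/dev/disk/by-uuid/2531d357-dea5-4212-97e3-d727f7bdbd16"; randomEncryption.enable = true; }` removes that residue at no cost. The root filesystem is unencrypted too, so this only narrows the exposure rather than closing it, but swap is the usual place such secrets end up. The commented-out `ipv4` block and the udev rename rule are dead config that will rot against the live system; either delete them or replace them with a one-line comment stating that IPv4 comes from DHCP (`useDHCP = true`). `nameservers = [ "8.8.8.8" ]` sends all resolver traffic to Google unencrypted and overrides whatever DHCP hands out; if that is intentional, a short comment saying why would help the next reader.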
@@ -0,0 +1,57 @@
+{ pkgs, lib, ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@zerforschen.plus";
+ };
+
+ security.pam.services.nginx.setEnvironment = false;
+ systemd.services.nginx.serviceConfig = {
+ SupplementaryGroups = [ "shadow" ];
+ };
+
+ services.nginx = {
+ enable = true;
+ additionalModules = [ pkgs.nginxModules.pam ];
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+
+ virtualHosts =
+ let
+ servicesDomain = "services.zerforschen.plus";
+ mkServiceConfig = host: port: {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${host}:${toString port}/";
+ extraConfig = ''
+ # bind to tailscale ip
+ proxy_bind 100.88.118.60;
+ # pam auth
+ limit_except OPTIONS {
+ auth_pam "Password Required";
+ auth_pam_service_name "nginx";
+ }
+ '';
+ };
+ };
+ pc2 = "vinzenz-pc2.donkey-pentatonic.ts.net";
+ in
+ {
+ "vscode.${servicesDomain}" = lib.mkMerge [
+ (mkServiceConfig pc2 8542)
+ { locations."/".proxyWebsockets = true; }
+ ];
+ "preon-app.${servicesDomain}" = mkServiceConfig pc2 8543;
+ "preon-api.${servicesDomain}" = mkServiceConfig pc2 8544;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+}
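Review bot: `addSSL = true` in `mkServiceConfig` keeps every vhost reachable over plain HTTP on port 80, which the firewall opens, and the `auth_pam` module challenges with HTTP Basic, so a client that hits http:// first sends a system-account password in clear before any redirect; change it to `forceSSL = true;` so only the ACME challenge path is served without TLS. The gate is also unthrottled: the `nginx` PAM service presumably resolves to local Unix accounts, so an attacker can brute-force vinzenz's or ronja's login password over HTTPS at line rate — add a `limit_req` zone on these locations or a `pam_faillock` line to the nginx PAM service. `SupplementaryGroups = [ "shadow" ]` additionally lets the nginx workers read /etc/shadow, so any nginx file-read or RCE bug now yields every password hash on the box; for two users a dedicated `basicAuthFile` would provide the same gate without tying web logins to system credentials. Unauthenticated `OPTIONS` requests are still proxied upstream, which is fine for CORS preflight but deserves a comment saying so.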