nixos-config/vps-configuration.nix

{  config, modulesPath, lib, pkgs, ... }:
{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./vps-disk-config.nix
  ];
  boot.loader.grub = {
    # no need to set devices, disko will add all devices that have a EF02 partition to the list already
    # devices = [ ];
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  environment.systemPackages = with pkgs; [
    curl
  ];

  networking.hostName = "tien";
  # do not use DHCP, as dashserv provisions IPs using cloud-init (see service below)
  networking.useDHCP = pkgs.lib.mkForce false;
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
    trustedInterfaces = [ "tailscale0" ];
  };

  services.authelia.instances.main = {
    enable = true;
    secrets = {
      jwtSecretFile = "${pkgs.writeText "jwtSecretFile" "supersecretkeyissupersecret"}";
      storageEncryptionKeyFile = "${pkgs.writeText "storageEncryptionKeyFile" "supersecretkeyissupersecret"}";
      sessionSecretFile = "${pkgs.writeText "sessionSecretFile" "supersecretkeyissupersecret"}";
    };
    settings = {
      theme = "auto";
      default_redirection_url = "https://auth.johannes-rothe.de";

      server = {
        host = "127.0.0.1";
        port = 9091;
      };

      log = {
        level = "debug";
        format = "text";
      };

      authentication_backend = {
        #file = {
        #  path = "/var/lib/authelia-main/users_database.yml";
        #};
      };

      access_control = {
        default_policy = "one_factor";
        rules = [
          #{
          #  domain = ["auth.example.com"];
          #  policy = "bypass";
          #}
          #{
          #  domain = ["*.example.com"];
          #  policy = "one_factor";
          #}
        ];
      };

      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me_duration = "1M";
        domain = "example.com";
        redis.host = "/run/redis-authelia-main/redis.sock";
      };

      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };

      storage = {
        local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };

      notifier = {
        disable_startup_check = false;
        filesystem = {
          filename = "/var/lib/authelia-main/notification.txt";
        };
      };
    };
  };

  services.redis.servers.authelia-main = {
    enable = true;
    user = "authelia-main";
    port = 0;
    unixSocket = "/run/redis-authelia-main/redis.sock";
    unixSocketPerm = 600;
  };

  services.headscale = {
      enable = true;
      address = "0.0.0.0";
      port = 8080;
      settings = {
        dns_config.base_domain= "johannes-rothe.de";
        server_url = "https://headscale.johannes-rothe.de";
      };
  };


  services.caddy = {
    enable = true;
    email = lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"];
    virtualHosts = {
      "johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      "www.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      "auth.johannes-rothe.de".extraConfig = ''
        reverse_proxy localhost:9091
      '';
      "cloud.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5002
      '';
      "feeds.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:1990
      '';
      "git.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:3001
      '';
      "headscale.johannes-rothe.de".extraConfig = ''
        reverse_proxy localhost:8080
      '';
      "radicale.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5232
      '';
    };
  };

  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      hostname = "tien";
    };
  };

  services.searx = {
    enable = true;
    redisCreateLocally = true;
    settings.server = {
      bind_address = "0.0.0.0";
      port = 8888;
      secret_key = "localonly";
    };
  };


  services.tailscale.enable = true;

  system.stateVersion = "24.05";
}
Take over a VPS with nixos-anywhere 2024-11-13 22:10:09 +01:00			`{ config, modulesPath, lib, pkgs, ... }:`
			`{`
			`imports = [`
			`(modulesPath + "/installer/scan/not-detected.nix")`
			`(modulesPath + "/profiles/qemu-guest.nix")`
			`./vps-disk-config.nix`
			`];`
			`boot.loader.grub = {`
			`# no need to set devices, disko will add all devices that have a EF02 partition to the list already`
			`# devices = [ ];`
			`efiSupport = true;`
			`efiInstallAsRemovable = true;`
			`};`

Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`environment.systemPackages = with pkgs; [`
			`curl`
			`];`
Take over a VPS with nixos-anywhere 2024-11-13 22:10:09 +01:00
Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`networking.hostName = "tien";`
			`# do not use DHCP, as dashserv provisions IPs using cloud-init (see service below)`
Take over a VPS with nixos-anywhere 2024-11-13 22:10:09 +01:00			`networking.useDHCP = pkgs.lib.mkForce false;`
Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`networking.firewall = {`
Take over a VPS with nixos-anywhere 2024-11-13 22:10:09 +01:00			`enable = true;`
Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`allowedTCPPorts = [ 80 443 ];`
			`trustedInterfaces = [ "tailscale0" ];`
Take over a VPS with nixos-anywhere 2024-11-13 22:10:09 +01:00			`};`

Add Authelia 2024-11-19 21:00:51 +01:00			`services.authelia.instances.main = {`
			`enable = true;`
			`secrets = {`
			`jwtSecretFile = "${pkgs.writeText "jwtSecretFile" "supersecretkeyissupersecret"}";`
			`storageEncryptionKeyFile = "${pkgs.writeText "storageEncryptionKeyFile" "supersecretkeyissupersecret"}";`
			`sessionSecretFile = "${pkgs.writeText "sessionSecretFile" "supersecretkeyissupersecret"}";`
			`};`
			`settings = {`
			`theme = "auto";`
			`default_redirection_url = "https://auth.johannes-rothe.de";`

			`server = {`
			`host = "127.0.0.1";`
			`port = 9091;`
			`};`

			`log = {`
			`level = "debug";`
			`format = "text";`
			`};`

			`authentication_backend = {`
			`#file = {`
			`# path = "/var/lib/authelia-main/users_database.yml";`
			`#};`
			`};`

			`access_control = {`
			`default_policy = "one_factor";`
			`rules = [`
			`#{`
			`# domain = ["auth.example.com"];`
			`# policy = "bypass";`
			`#}`
			`#{`
			`# domain = ["*.example.com"];`
			`# policy = "one_factor";`
			`#}`
			`];`
			`};`

			`session = {`
			`name = "authelia_session";`
			`expiration = "12h";`
			`inactivity = "45m";`
			`remember_me_duration = "1M";`
			`domain = "example.com";`
			`redis.host = "/run/redis-authelia-main/redis.sock";`
			`};`

			`regulation = {`
			`max_retries = 3;`
			`find_time = "5m";`
			`ban_time = "15m";`
			`};`

			`storage = {`
			`local = {`
			`path = "/var/lib/authelia-main/db.sqlite3";`
			`};`
			`};`

			`notifier = {`
			`disable_startup_check = false;`
			`filesystem = {`
			`filename = "/var/lib/authelia-main/notification.txt";`
			`};`
			`};`
			`};`
			`};`

			`services.redis.servers.authelia-main = {`
			`enable = true;`
			`user = "authelia-main";`
			`port = 0;`
			`unixSocket = "/run/redis-authelia-main/redis.sock";`
			`unixSocketPerm = 600;`
			`};`

Configure headscale on VPS 2024-11-17 23:03:54 +01:00			`services.headscale = {`
			`enable = true;`
			`address = "0.0.0.0";`
			`port = 8080;`
			`settings = {`
			`dns_config.base_domain= "johannes-rothe.de";`
			`server_url = "https://headscale.johannes-rothe.de";`
			`};`
			`};`


Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`services.caddy = {`
Take over a VPS with nixos-anywhere 2024-11-13 22:10:09 +01:00			`enable = true;`
Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`email = lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"];`
			`virtualHosts = {`
			`"johannes-rothe.de".extraConfig = ''`
			`reverse_proxy base:11112`
			`'';`
			`"www.johannes-rothe.de".extraConfig = ''`
			`reverse_proxy base:11112`
			`'';`
Add Authelia 2024-11-19 21:00:51 +01:00			`"auth.johannes-rothe.de".extraConfig = ''`
			`reverse_proxy localhost:9091`
			`'';`
Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`"cloud.johannes-rothe.de".extraConfig = ''`
			`reverse_proxy base:5002`
			`'';`
			`"feeds.johannes-rothe.de".extraConfig = ''`
			`reverse_proxy base:1990`
			`'';`
			`"git.johannes-rothe.de".extraConfig = ''`
			`reverse_proxy base:3001`
			`'';`
Add Authelia 2024-11-19 21:00:51 +01:00			`"headscale.johannes-rothe.de".extraConfig = ''`
			`reverse_proxy localhost:8080`
			`'';`
Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`"radicale.johannes-rothe.de".extraConfig = ''`
			`reverse_proxy base:5232`
			`'';`
			`};`
Take over a VPS with nixos-anywhere 2024-11-13 22:10:09 +01:00			`};`

Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`services.cloud-init = {`
			`enable = true;`
			`network.enable = true;`
Set the VPS hostname via cloud-init as well 2024-11-15 22:50:18 +01:00			`settings = {`
			`hostname = "tien";`
			`};`
Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`};`
Take over a VPS with nixos-anywhere 2024-11-13 22:10:09 +01:00
Enable searxng on tien 2024-11-16 20:47:59 +01:00			`services.searx = {`
			`enable = true;`
			`redisCreateLocally = true;`
			`settings.server = {`
			`bind_address = "0.0.0.0";`
			`port = 8888;`
			`secret_key = "localonly";`
			`};`
			`};`


Setup caddy server on VPS 2024-11-14 22:38:24 +01:00			`services.tailscale.enable = true;`
Take over a VPS with nixos-anywhere 2024-11-13 22:10:09 +01:00
			`system.stateVersion = "24.05";`
			`}`