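# NixOS host configuration for "tien" (QEMU guest at dashserv, disks via disko).
# Runs Authelia (SSO) behind Caddy, headscale, searx and tailscale; most
# virtual hosts are reverse-proxied to another machine called "base".
{ config, modulesPath, lib, pkgs, ... }:

{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./vps-disk-config.nix
  ];

  boot.loader.grub = {
    # no need to set devices, disko will add all devices that have a EF02 partition to the list already
    # devices = [ ];
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  environment.systemPackages = with pkgs; [ curl ];

  networking.hostName = "tien";
  # do not use DHCP, as dashserv provisions IPs using cloud-init (see service below)
  networking.useDHCP = lib.mkForce false;

  networking.firewall = {
    enable = true;
    # Only 80/443 are reachable from the public side (Caddy). tailscale0 is
    # trusted, so every listening service (headscale 8080, searx 8888, ...)
    # is reachable from any node on the tailnet.
    allowedTCPPorts = [ 80 443 ];
    trustedInterfaces = [ "tailscale0" ];
  };

  services.authelia.instances.main = {
    enable = true;
    secrets = {
      # TODO(review): pkgs.writeText stores the secret content in /nix/store,
      # which is world-readable on the host, and the literal lives in this
      # (version-controlled) file. All three secrets are also the same string.
      # These should be distinct, randomly generated files provisioned outside
      # the store and readable only by the authelia-main user.
      jwtSecretFile = "${pkgs.writeText "jwtSecretFile" "supersecretkeyissupersecret"}";
      storageEncryptionKeyFile = "${pkgs.writeText "storageEncryptionKeyFile" "supersecretkeyissupersecret"}";
      sessionSecretFile = "${pkgs.writeText "sessionSecretFile" "supersecretkeyissupersecret"}";
    };
    settings = {
      theme = "auto";
      default_redirection_url = "https://auth.johannes-rothe.de";
      # Bound to loopback; Caddy's auth.johannes-rothe.de vhost proxies to it.
      server = {
        host = "127.0.0.1";
        port = 9091;
      };
      log = {
        # TODO(review): "debug" is very verbose for a production authentication
        # service; consider "info" once the setup is working.
        level = "debug";
        format = "text";
      };
      # TODO(review): no authentication backend is configured here; Authelia
      # needs one (the commented-out file backend below, or LDAP) to start.
      authentication_backend = {
        #file = {
        #  path = "/var/lib/authelia-main/users_database.yml";
        #};
      };
      access_control = {
        # With no rules, every protected domain requires one factor.
        default_policy = "one_factor";
        rules = [
          #{
          #  domain = ["auth.example.com"];
          #  policy = "bypass";
          #}
          #{
          #  domain = ["*.example.com"];
          #  policy = "one_factor";
          #}
        ];
      };
      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me_duration = "1M";
        # Must be the parent domain of default_redirection_url and of every
        # protected host; the template value "example.com" did not match and
        # would have kept the session cookie from applying to *.johannes-rothe.de.
        domain = "johannes-rothe.de";
        redis.host = "/run/redis-authelia-main/redis.sock";
      };
      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };
      storage = {
        local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };
      notifier = {
        disable_startup_check = false;
        # Notifications (e.g. identity verification mails) are written to a
        # file instead of being sent; fine for testing, not for real users.
        filesystem = {
          filename = "/var/lib/authelia-main/notification.txt";
        };
      };
    };
  };

  # Dedicated redis instance for Authelia sessions, reachable only over a
  # unix socket owned by the authelia-main user (no TCP port).
  services.redis.servers.authelia-main = {
    enable = true;
    user = "authelia-main";
    port = 0;
    unixSocket = "/run/redis-authelia-main/redis.sock";
    unixSocketPerm = 600;
  };

  services.headscale = {
    enable = true;
    # TODO(review): Caddy proxies to localhost:8080, so "127.0.0.1" would do;
    # on 0.0.0.0 the plain HTTP listener is also exposed on the trusted
    # tailscale0 interface.
    address = "0.0.0.0";
    port = 8080;
    settings = {
      dns_config.base_domain = "johannes-rothe.de";
      server_url = "https://headscale.johannes-rothe.de";
    };
  };

  services.caddy = {
    enable = true;
    # ACME contact address, assembled at eval time rather than written as a literal.
    email = lib.strings.concatStrings [ "mail" "@" "johannes-rothe.de" ];
    virtualHosts = {
      "johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      "www.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      "auth.johannes-rothe.de".extraConfig = ''
        reverse_proxy localhost:9091
      '';
      "cloud.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5002
      '';
      "feeds.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:1990
      '';
      "git.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:3001
      '';
      "headscale.johannes-rothe.de".extraConfig = ''
        reverse_proxy localhost:8080
      '';
      "radicale.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5232
      '';
    };
  };

  # Network addressing comes from the provider's cloud-init metadata.
  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      hostname = "tien";
    };
  };

  services.searx = {
    enable = true;
    redisCreateLocally = true;
    settings.server = {
      # Not behind Caddy: listens on all interfaces, so it is reachable from
      # the tailnet (firewall blocks 8888 elsewhere).
      bind_address = "0.0.0.0";
      port = 8888;
      # TODO(review): hard-coded session-signing key ends up in the Nix store
      # and in git; the module's environmentFile option (if available in this
      # NixOS release) lets it be substituted from a file outside the store.
      secret_key = "localonly";
    };
  };

  services.tailscale.enable = true;

  system.stateVersion = "24.05";
}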