diff --git a/flake.nix b/flake.nix
index 314b3ba..d0d795f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -48,6 +48,18 @@
 ./modules/common/tty.nix
 ];
 };
+
+ # reverse-proxy - VPS edge server with Nginx reverse proxy
+ reverse-proxy = nixpkgs.lib.nixosSystem {
+ inherit system specialArgs;
+ modules = [
+ ./machines/reverse-proxy/configuration.nix
+ ./machines/reverse-proxy/gandicloud.nix
+ ./modules/common/nix.nix
+ ./modules/common/base.nix
+ ./modules/common/tty.nix
+ ];
+ };
 };
 
 # Custom packages for the home lab
@@ -70,6 +82,7 @@
 echo "Available configurations:"
 echo " - congenital-optimist (Threadripper workstation)"
 echo " - sleeper-service (Xeon file server)"
+ echo " - reverse-proxy (VPS edge server)"
 echo ""
 echo "Build with: nixos-rebuild build --flake .#"
 echo "Switch with: nixos-rebuild switch --flake .#"
diff --git a/machines/reverse-proxy/configuration.nix b/machines/reverse-proxy/configuration.nix
new file mode 100644
index 0000000..d8a8fa2
--- /dev/null
+++ b/machines/reverse-proxy/configuration.nix
@@ -0,0 +1,80 @@
+{ pkgs, configs, lib, ... }:
+let
+ Host = "vps1.tail807ea.ts.net";
+in
+{
+ imports = [
+ ../../modules/common/base.nix
+ ../../modules/network/common.nix
+ ../../modules/users/sma.nix
+ ../../modules/security/ssh-keys.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ neovim curl htop bottom fastfetch
+ tailscale git
+ ];
+
+ # Override common.nix firewall settings for security
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ]; # Only HTTP/HTTPS externally
+ allowedUDPPorts = [ ];
+ # SSH only allowed on Tailscale interface
+ interfaces.tailscale0.allowedTCPPorts = [ 22 ];
+ };
+
+ # Security services
+ services.fail2ban.enable = true;
+
+ # tailscale
+ services.tailscale.enable = true;
+
+ # Hostname configuration
+ networking.hostName = "reverse-proxy";
+
+ # SSH configuration - only accessible via Tailscale
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = lib.mkForce "no";
+ PasswordAuthentication = false;
+ };
+ listenAddresses = [
+ {
+ addr = "100.96.189.104"; # Tailscale IP from About.org
+ port = 22;
+ }
+ ];
+ };
+
+ # nginx reverse proxy
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "git.geokkjer.eu" = {
+ addSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://apps:3000";
+ };
+ #"geokkjer.eu" = {
+ # default = true;
+ # forceSSL = true;
+ # enableACME = true;
+ # locations."/".proxyPass = "/var/wwww/homepage/";
+ #};
+ };
+ };
+ # acme let's encrypt
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "geir@geokkjer.eu";
+ };
+ };
+}
\ No newline at end of file
diff --git a/machines/reverse-proxy/gandicloud.nix b/machines/reverse-proxy/gandicloud.nix
new file mode 100644
index 0000000..226ba6d
--- /dev/null
+++ b/machines/reverse-proxy/gandicloud.nix
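Review bot: The `services.openssh` block leaves `openFirewall` at its default of true, so the NixOS module still adds port 22 to `networking.firewall.allowedTCPPorts` on every interface, which contradicts the "SSH only allowed on Tailscale interface" comment and the `interfaces.tailscale0` rule; add `openFirewall = false;` next to `enable = true;` (and note that assigning `allowedTCPPorts` merges with, rather than overrides, whatever `../../modules/network/common.nix` opens unless it is wrapped in `lib.mkForce`). At present only the hard-coded `listenAddresses` entry keeps sshd off the public address, and binding to the literal Tailscale IP `100.96.189.104` also means sshd cannot bind if that address is not yet assigned when the unit starts, so consider ordering it after tailscaled or dropping the fixed address in favour of the interface rule. `git.geokkjer.eu` uses `addSSL = true;`, which keeps serving the forge over plain HTTP on port 80 alongside HTTPS; for a site that takes logins, `forceSSL = true;` (as in the commented-out block below it) redirects to TLS instead. The `Host` binding in the `let` and the `configs` argument are never used and can be dropped.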
@@ -0,0 +1,44 @@
+# This is the configuration required to run NixOS on GandiCloud.
+{ lib, modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/virtualisation/openstack-config.nix")
+ ];
+ config = {
+ boot.initrd.kernelModules = [
+ "xen-blkfront" "xen-tpmfront" "xen-kbdfront" "xen-fbfront"
+ "xen-netfront" "xen-pcifront" "xen-scsifront"
+ ];
+
+ # Show debug kernel message on boot then reduce loglevel once booted
+ boot.consoleLogLevel = 7;
+ boot.kernel.sysctl."kernel.printk" = "4 4 1 7";
+
+ # For "openstack console log show"
+ boot.kernelParams = [ "console=ttyS0" ];
+ systemd.services."serial-getty@ttyS0" = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Restart = "always";
+ };
+
+ # The device exposed by Xen
+ boot.loader.grub.device = lib.mkForce "/dev/xvda";
+
+ # This is to get a prompt via the "openstack console url show" command
+ systemd.services."getty@tty1" = {
+ enable = lib.mkForce true;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Restart = "always";
+ };
+
+ # This is required to get an IPv6 address on our infrastructure
+ networking.tempAddresses = "disabled";
+
+ nix.extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+
+ system.stateVersion = "23.05";
+ };
+}
\ No newline at end of file