home-lab/flake.nix
Geir Okkenhaug Jerstad 304e868e09 Add reverse-proxy configuration with DMZ-specific security
- Create reverse-proxy machine configuration for VPS edge server
- Configure SSH access only via Tailscale (100.96.189.104)
- Implement strict DMZ firewall rules (HTTP/HTTPS only externally)
- Add enhanced fail2ban settings for DMZ environment
- Include sma user with SSH key management
- Configure Nginx reverse proxy with Let's Encrypt SSL
- Add reverse-proxy to flake.nix nixosConfigurations

Security features:
- SSH only accessible through Tailscale interface
- Aggressive fail2ban settings (24h ban, 3 max retries)
- Firewall rejects all non-essential traffic
- No common network config to avoid security conflicts
2025-06-05 16:47:52 +02:00


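{
  # Three machines are defined below; the description used to name only two.
  description = "Home Lab NixOS Configuration - congenital-optimist, sleeper-service & reverse-proxy";

  inputs = {
    # Stable channel: every nixosConfiguration, package, devShell and app
    # below is built from this input.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
    # Unstable channel: only reaches machines through specialArgs.unstable.
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
  };

  outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs:
    let
      system = "x86_64-linux";

      # Stable package set; bound once so the outputs below don't repeat
      # `nixpkgs.legacyPackages.${system}` at every use site.
      pkgs = nixpkgs.legacyPackages.${system};

      # Unstable package set, evaluated with unfree packages permitted.
      # NOTE(review): allowUnfree here applies to everything any machine pulls
      # from `unstable`; narrow it with allowUnfreePredicate if only a few
      # unfree packages are actually needed.
      unstable = import nixpkgs-unstable {
        inherit system;
        config.allowUnfree = true;
      };

      # Shared special arguments for all machines (inputs + unstable set).
      specialArgs = {
        inherit inputs unstable;
      };

      # Modules every machine imports, in this order, after its own modules.
      commonModules = [
        ./modules/common/nix.nix
        ./modules/common/base.nix
        ./modules/common/tty.nix
      ];

      # Build one nixosSystem: machine-specific modules first, then the
      # common modules, with the shared system and specialArgs.
      mkMachine = machineModules:
        nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = machineModules ++ commonModules;
        };
    in {
      # NixOS system configurations
      nixosConfigurations = {
        # congenital-optimist - AMD Threadripper workstation
        congenital-optimist = mkMachine [
          ./machines/congenital-optimist/configuration.nix
          ./machines/congenital-optimist/hardware-configuration.nix
        ];

        # sleeper-service - Intel Xeon file server
        sleeper-service = mkMachine [
          ./machines/sleeper-service/configuration.nix
          ./machines/sleeper-service/hardware-configuration.nix
        ];

        # reverse-proxy - VPS edge server with Nginx reverse proxy.
        # Uses a provider module (gandicloud.nix) instead of a generated
        # hardware-configuration.nix.
        reverse-proxy = mkMachine [
          ./machines/reverse-proxy/configuration.nix
          ./machines/reverse-proxy/gandicloud.nix
        ];
      };

      # Custom packages for the home lab
      packages.${system} = import ./packages {
        inherit pkgs;
      };

      # Development shells for different projects
      devShells.${system} = {
        default = pkgs.mkShell {
          buildInputs = with pkgs; [
            nixd
            alejandra
            nixpkgs-fmt
            git
            emacs
          ];
          shellHook = ''
            echo "Home-lab development environment"
            echo "Available configurations:"
            echo " - congenital-optimist (Threadripper workstation)"
            echo " - sleeper-service (Xeon file server)"
            echo " - reverse-proxy (VPS edge server)"
            echo ""
            echo "Build with: nixos-rebuild build --flake .#<config>"
            echo "Switch with: nixos-rebuild switch --flake .#<config>"
          '';
        };

        # Dotfiles development shell
        dotfiles = pkgs.mkShell {
          buildInputs = with pkgs; [
            emacs
            pandoc
            starship
            nixpkgs-fmt
            alejandra
          ];
          shellHook = ''
            echo "Literate dotfiles development environment"
            echo "Tangle dotfiles with: emacs --batch -l org --eval \"(org-babel-tangle-file \\\"README.org\\\")\""
          '';
        };
      };

      # Overlays for package customizations
      overlays.default = import ./overlays;

      # Applications that can be run directly.
      # writeShellScript does not enable errexit, so each script sets it
      # explicitly; otherwise the trailing "success" message is printed even
      # when the command before it failed.
      apps.${system} = {
        # Tangle all user dotfiles.
        # The cd is relative: run this from the repository root.
        tangle-dotfiles = {
          type = "app";
          program = "${pkgs.writeShellScript "tangle-dotfiles" ''
            set -euo pipefail
            # With errexit, a failed cd aborts here instead of tangling
            # whatever README.org the current directory happens to hold.
            cd users/geir/dotfiles
            ${pkgs.emacs}/bin/emacs --batch -l org --eval "(org-babel-tangle-file \"README.org\")"
            echo "Dotfiles tangled successfully!"
          ''}";
        };

        # Check flake configuration
        check-config = {
          type = "app";
          program = "${pkgs.writeShellScript "check-config" ''
            set -euo pipefail
            echo "Checking flake configuration..."
            # A failing check now exits non-zero before the completion message.
            nix flake check
            echo "Configuration check complete!"
          ''}";
        };
      };

      # Formatter for Nix files
      formatter.${system} = pkgs.alejandra;
    };
}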