hosts/vps2: init

hosts/vps1: delete outline
hosts/vps1: disable outline
2025-07-31 21:59:59 +01:00 · 2025-07-31 19:54:59 +01:00 · 2025-07-31 19:17:35 +01:00
8 changed files with 130 additions and 57 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -1000,11 +1000,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1752936308,
-        "narHash": "sha256-OAlj8oJpcKo9cCIwxzMolnwdfczlovvC1y1MeIpDPYM=",
+        "lastModified": 1753994653,
+        "narHash": "sha256-kVd17w6oo9dbZfgZXMMPEssspp8vAr32G5U8VnfuIFc=",
        "ref": "refs/heads/master",
-        "rev": "eddee7a0b83063ba60c0dd49fc18399b6564559d",
-        "revCount": 36,
+        "rev": "e0cb8c5b8de3f61fbef13c80219715f2e3e5ffb5",
+        "revCount": 39,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -163,6 +163,7 @@
          "pi"
          "skycam"
          "vps1"
+          "vps2"
        ] mkDeployNode;
      };
    };
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -11,7 +11,6 @@
    ./kanidm.nix
    ./matrix.nix
    ./nginx.nix
-    ./outline.nix
    ./photoprism.nix
    ../server.nix
  ];
--- a/hosts/vps1/outline.nix
+++ b/hosts/vps1/outline.nix
@@ -1,51 +0,0 @@
-{
-  inputs,
-  config,
-  ...
-}:
-let
-  domain = "outline.vimium.com";
-in
-{
-  services.nginx.virtualHosts = {
-    "${domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:3000";
-        extraConfig = ''
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "Upgrade";
-          proxy_set_header Host $host;
-
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Scheme $scheme;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_redirect off;
-        '';
-      };
-    };
-  };
-
-  age.secrets."passwords/services/outline/oidc-client-secret" = {
-    file = "${inputs.secrets}/passwords/services/outline/oidc-client-secret.age";
-    owner = "outline";
-    group = "outline";
-  };
-
-  services.outline = {
-    enable = true;
-    forceHttps = false;
-    oidcAuthentication = {
-      clientId = "outline";
-      clientSecretFile = config.age.secrets."passwords/services/outline/oidc-client-secret".path;
-      displayName = "Vimium";
-      authUrl = "https://auth.vimium.com/ui/oauth2";
-      tokenUrl = "https://auth.vimium.com/oauth2/token";
-      userinfoUrl = "https://auth.vimium.com/oauth2/openid/outline/userinfo";
-    };
-    publicUrl = "https://${domain}";
-    storage.storageType = "local";
-  };
-}
--- a/hosts/vps2/default.nix
+++ b/hosts/vps2/default.nix
@@ -0,0 +1,31 @@
+{
+  inputs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+    ./hardware-configuration.nix
+    ./disko-config.nix
+    ../server.nix
+  ];
+
+  nixpkgs = {
+    hostPlatform = "x86_64-linux";
+  };
+
+  networking = {
+    hostId = "60de4af8";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22 # SSH
+      ];
+    };
+  };
+
+  modules.services.tailscale.isExitNode = true;
+
+  system.stateVersion = "25.05";
+}
--- a/hosts/vps2/disko-config.nix
+++ b/hosts/vps2/disko-config.nix
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "2M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "300M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/vps2/hardware-configuration.nix
+++ b/hosts/vps2/hardware-configuration.nix
@@ -0,0 +1,29 @@
+{
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "xen_blkfront"
+        "vmw_pvscsi"
+      ];
+      kernelModules = [ "nvme" ];
+    };
+    loader.grub = {
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+    };
+    tmp.cleanOnBoot = true;
+  };
+
+  zramSwap.enable = true;
+}
--- a/modules/nixos/services/tailscale.nix
+++ b/modules/nixos/services/tailscale.nix
@@ -17,6 +17,14 @@ in
      default = false;
      example = true;
    };
+    isExitNode = lib.mkOption {
+      default = false;
+      example = true;
+    };
+    useExitNode = lib.mkOption {
+      default = false;
+      example = true;
+    };
    restrictSSH = lib.mkOption {
      default = true;
      example = true;
@@ -37,7 +45,8 @@ in
      extraUpFlags = [
        "--login-server"
        headscale
-      ];
+      ]
+      ++ (if cfg.isExitNode then [ "--advertise-exit-node" ] else [ ]);
    };

    services.openssh.openFirewall = !cfg.restrictSSH;
Author	SHA1	Message	Date
Jordan Holt	c36dfec8ac	hosts/vps2: init All checks were successful Check flake / build-amd64-linux (push) Successful in 1m26s Details	2025-07-31 21:59:59 +01:00
Jordan Holt	595f0cc35d	hosts/vps1: delete outline	2025-07-31 19:54:59 +01:00
Jordan Holt	8d4689e8c7	hosts/vps1: disable outline	2025-07-31 19:17:35 +01:00