dannydannydanny/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
dotfiles/nixos/hosts/vps-relay.nix
DannyDannyDanny 47fc658523 feat(clan): add vps-relay + strip bbbot cloudflared 🚢 
Stage 4.5: declare a Hetzner-hosted reverse-proxy VPS as a clan machine.

- nixos/hosts/vps-relay.nix: Debian→NixOS cx23 in hel1. Caddy at public
  80/443 reverse-proxies navidrome.dannydannydanny.me and
  bbbot.dannydannydanny.me over ZT to sunken-ship.
- nixos/disko-cloud.nix: simple GPT + ext4 root, no LUKS — cloud provider
  has physical disk anyway and there's no operator at boot.
- flake-modules/clan.nix: register vps-relay as an inventory machine,
  zerotier peer, internet networking target at its clan-generated ZT
  IPv6, and add vps-relay.clan to clanHostsModule /etc/hosts.
- sunken-ship fitness-bot: drop pkgs.cloudflared from PATH + set
  WEBAPP_URL=https://bbbot.dannydannydanny.me. Paired with the bbbot
  upstream patch (start.py honors env WEBAPP_URL and skips cloudflared
  when set) — once the 15-min fitness-bot-pull timer pulls that change,
  bbbot will stop churning trycloudflare.com URLs.

Vars (zerotier identity/ip + sops machine key) generated on sunken-ship
because clan's hermetic sandbox on macOS fails to run the zerotier
identity generator (same workaround as for data-mesher earlier).

VPS install flow: Hetzner-created Debian box, then `clan machines
install vps-relay --target-host root@<public-ipv4>` reinstalls to
NixOS; subsequent updates go over ZT.
2026-04-24 13:43:21 +02:00

77 lines
2.6 KiB
Nix
Raw Blame History

# Hetzner Cloud VPS — public reverse proxy into the clan.
#
# Role: terminates public TLS via Caddy + Let's Encrypt, reverse-proxies
# each declared subdomain over ZeroTier to the appropriate homelab host.
# No navidrome/bbbot data ever hits disk here; this box is a relay.
{ config, lib, pkgs, ... }:
{
imports = [ ../disko-cloud.nix ];
nixpkgs.hostPlatform = "x86_64-linux";
# Hetzner Cloud boots EFI with systemd-boot.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Cloud provisioners add the initial root SSH key via cloud-init or
# equivalent; we don't run cloud-init. All config is baked at install.
networking.hostName = "vps-relay";
networking.useDHCP = lib.mkDefault true;
time.timeZone = "Europe/Copenhagen";
# --- User + SSH ------------------------------------------------------
users.users.danny = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
# Same pubkey used to reach sunken-ship; set at install via clan.
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship"
];
};
users.users.root.openssh.authorizedKeys.keys =
config.users.users.danny.openssh.authorizedKeys.keys;
security.sudo.wheelNeedsPassword = false;
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
# --- Firewall --------------------------------------------------------
# Public: 22 (SSH), 80 + 443 (Caddy).
# ZT interface: trusted (set in the clan ZT module).
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# --- Caddy reverse proxy --------------------------------------------
# Subdomains → clan backends over ZeroTier. IPs are sunken-ship's /
# phantom-ship's ZT IPv6; brackets required in URLs.
services.caddy = {
enable = true;
email = "powerhouseplayer@gmail.com";
# Tell ACME to use Let's Encrypt's production endpoint (Caddy default).
virtualHosts = {
"navidrome.dannydannydanny.me".extraConfig = ''
reverse_proxy http://[fdd5:53a2:de33:d269:6499:93d5:53a2:de33]:4533
'';
"bbbot.dannydannydanny.me".extraConfig = ''
reverse_proxy http://[fdd5:53a2:de33:d269:6499:93d5:53a2:de33]:8080
'';
};
};
# --- Basic tooling ---------------------------------------------------
environment.systemPackages = with pkgs; [
git
htop
tcpdump
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "25.11";
}
Reference in a new issue View git blame Copy permalink