1c28db5f8e
feat(headscale): add self-hosted Tailscale control server
New module: modules/headscale.nix
- Headscale service listening on localhost with Nginx reverse proxy
- SQLite database (appropriate for personal use)
- Tailscale public DERP relays for NAT traversal fallback
- MagicDNS enabled with Mullvad/Quad9 upstream resolvers
- Optional OIDC authentication (Google, GitHub, etc.)
- Default auth: pre-shared API keys (headscale apikeys create)
- Added to backup paths (SQLite DB)
- headscale CLI tool added to system packages
Configuration:
- Domain: vpn.ashisgreat.xyz
- OIDC disabled by default (documented how to enable in configuration.nix)
To register a device after deploying:
sudo headscale apikeys create
tailscale up --login-server=https://vpn.ashisgreat.xyz --authkey=<key>
DNS record needed: vpn.ashisgreat.xyz → VPS IP
2026-03-19 15:39:56 +00:00
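The layout the commit describes (headscale on loopback behind an Nginx TLS proxy, SQLite, Tailscale's public DERP map, MagicDNS with Mullvad/Quad9 upstreams), written out as an added example. This is not the repository's modules/headscale.nix; the loopback port, the MagicDNS base domain and the state path are assumptions, and the `settings` keys follow headscale's config.yaml layout as of 0.23, so check them against the headscale version actually deployed.

```nix
{ config, lib, pkgs, ... }:

let
  domain = "vpn.ashisgreat.xyz";
  port = 8080;                 # assumption: any free loopback port works
  stateDir = "/var/lib/headscale";
in
{
  services.headscale = {
    enable = true;
    address = "127.0.0.1";     # reachable only through the Nginx proxy below
    inherit port;

    # Keys follow headscale's config.yaml (0.23+); verify against the deployed version.
    settings = {
      server_url = "https://${domain}";
      database = {
        type = "sqlite";
        sqlite.path = "${stateDir}/db.sqlite";   # single-file DB: easy to back up
      };
      # Tailscale's public DERP map: relays are only a fallback when direct
      # NAT traversal fails, and traffic stays end-to-end encrypted through them.
      derp.urls = [ "https://controlplane.tailscale.com/derpmap/default" ];
      dns = {
        magic_dns = true;
        base_domain = "ts.example.internal";   # assumption; must not equal the server_url host
        nameservers.global = [ "194.242.2.2" "9.9.9.9" ];  # Mullvad, Quad9
      };
    };
  };

  # TLS terminates at Nginx. headscale's control channel is an upgraded HTTP
  # connection, so websocket proxying must be on or clients will not register.
  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      proxyWebsockets = true;
    };
  };

  environment.systemPackages = [ pkgs.headscale ];
}
```

Two checks before the first `nixos-rebuild switch`: the A/AAAA record for the domain must already point at the VPS, because `enableACME` uses an HTTP-01 challenge on port 80, and `${stateDir}` (the SQLite file plus headscale's private keys) has to be in the backup set, since losing it means re-registering every node.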
9092d6ec58
fix(openclaw): remove --network=host, use bridge network
- Drops --network=host from OpenClaw container
- Container now runs on Podman's default bridge network
- Gateway port already mapped via ports config (127.0.0.1:18789:8080)
- Container retains outbound internet access for Discord API, model providers, etc.
- Cannot reach other host services (Forgejo, Vaultwarden, etc.) — principle of least privilege
Note: If OpenClaw needs to reach local services in the future, add explicit
extraOptions like --network=bridge or create a shared Podman network.
2026-03-19 15:09:05 +00:00
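The before and after of this change as an added NixOS oci-containers definition, not the repository's own OpenClaw module. The image reference and volume name are assumptions; the port mapping is the one the commit quotes.

```nix
{ config, lib, ... }:

{
  virtualisation.oci-containers.backend = "podman";

  virtualisation.oci-containers.containers.openclaw = {
    image = "openclaw:latest";             # assumption: image reference

    # Before the fix. With --network=host the container shares the host's
    # network namespace: it can open Forgejo, Vaultwarden, PostgreSQL and any
    # other loopback-only service directly, and `ports` mappings are ignored.
    # extraOptions = [ "--network=host" ];

    # After the fix: no network flag, so Podman attaches the container to its
    # default bridge network. Only the gateway port is published, and only on
    # the host's loopback address, so Nginx can proxy to it and nothing
    # off-host can reach it.
    ports = [ "127.0.0.1:18789:8080" ];

    # Outbound connections (Discord API, model providers) still work through
    # the bridge's NAT; the container has no path to 127.0.0.1 on the host.
    volumes = [ "openclaw-data:/data" ];   # assumption: named volume
  };
}
```

After deploying, `podman inspect -f '{{.HostConfig.NetworkMode}}' openclaw` should no longer print `host`. One caveat on the "cannot reach other host services" claim: bridge isolation only covers services bound to loopback. Anything listening on 0.0.0.0 is still reachable from the container via the host's bridge gateway address, so keep those services loopback-bound or firewall the bridge interface.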
790501d290
feat(nginx): add rate limiting with per-domain overrides
- Global rate limit: 10 req/s with burst of 20
- Connection limit: 30 concurrent per IP
- Per-domain override support (requests, burst, enable/disable)
- SearXNG gets higher limits (20/40) to tolerate bot traffic
- Returns 429 when rate limited
2026-03-19 15:08:34 +00:00
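An added example of the scheme this commit describes (global 10 req/s with burst 20, 30 concurrent connections per IP, 429 on rejection, per-domain overrides), written as a NixOS Nginx fragment. It is not the repository's nginx module; the host names, the opt-out entry and the zone sizes are assumptions.

```nix
{ config, lib, ... }:

let
  defaults = { rate = 10; burst = 20; enable = true; };

  # Per-domain overrides: requests/s, burst, or enable = false to opt out.
  overrides = {
    "search.example.org" = { rate = 20; burst = 40; };   # SearXNG: tolerate bot traffic
    "vault.example.org"  = { enable = false; };          # assumption: an opted-out vhost
  };

  settingsFor = host: defaults // (overrides.${host} or { });

  # One limit_req zone per distinct rate; vhosts with the same rate share a
  # bucket keyed by client address.
  zoneFor = rate: "req_${toString rate}rps";
  rates = lib.unique (map (o: (defaults // o).rate)
    ([ defaults ] ++ builtins.attrValues overrides));

  limitFor = host:
    let s = settingsFor host; in
    lib.optionalString s.enable ''
      limit_req zone=${zoneFor s.rate} burst=${toString s.burst} nodelay;
      limit_conn perip 30;
    '';
in
{
  # Zones live in the http block; the status directives make nginx answer
  # 429 instead of its default 503 so clients and CrowdSec see the real cause.
  services.nginx.commonHttpConfig = ''
    ${lib.concatMapStringsSep "\n"
        (r: "limit_req_zone $binary_remote_addr zone=${zoneFor r}:10m rate=${toString r}r/s;")
        rates}
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_req_status 429;
    limit_conn_status 429;
  '';

  services.nginx.virtualHosts = {
    "search.example.org".extraConfig = limitFor "search.example.org";  # 20/40
    "git.example.org".extraConfig    = limitFor "git.example.org";     # defaults, 10/20
    "vault.example.org".extraConfig  = limitFor "vault.example.org";   # opted out: empty
  };
}
```

`nodelay` serves requests inside the burst immediately and rejects anything beyond it rather than queueing, which is what you want in front of an API. If the VPS sits behind a CDN or another proxy, `$binary_remote_addr` is the proxy's address and the whole upstream shares one bucket; key the zones on the client address from `real_ip` handling instead.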
2bc375ab86
Merge pull request 'fix(backup): correct backup paths and add missing services' (#2) from franz-kafka/nixos-vps:fix/backup-paths into main
Reviewed-on: ashie/nixos-vps#2
2026-03-19 14:52:00 +00:00
9a0900c81a
fix(backup): correct backup paths and add missing services
- Replace stale /var/lib/bitwarden_rs with /var/lib/vaultwarden (correct DB path)
- Add /var/lib/private/AdGuardHome (DNS config, filters, query logs)
- Add /var/lib/sops-nix (age decryption key — critical for secret recovery)
- Add /var/lib/crowdsec (security engine state and decisions)
- Keep /var/backup/vaultwarden (built-in sqlite backup snapshots)
Note: Forgejo data path is still added dynamically by the forgejo module.
Note: OpenClaw Podman volume needs separate handling (named volume path on host).
2026-03-19 14:50:24 +00:00
88905eb4e4
Merge pull request 'feat(nginx): add security headers with per-domain CSP' (#1) from franz-kafka/nixos-vps:feat/security-headers into main
Reviewed-on: ashie/nixos-vps#1
2026-03-19 14:04:45 +00:00
fbea02867e
feat(nginx): add security headers with per-domain CSP
- Add HSTS (6 months, includeSubDomains, preload-ready)
- Add X-Content-Type-Options: nosniff
- Add Permissions-Policy (disable camera/mic/geolocation)
- Add Cross-Origin-Resource-Policy: same-origin
- Add Cross-Origin-Opener-Policy: same-origin
- Add configurable Content-Security-Policy per domain
Per-service CSP tuning:
- SearXNG: null (handles its own CSP in settings.yml)
- Forgejo: relaxed (unsafe-inline/eval for code highlighting)
- Vaultwarden: relaxed (unsafe-eval for WebCrypto vault)
Fixes: missing CSP, HSTS, X-Content-Type-Options headers
2026-03-19 13:42:41 +00:00
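The header set the commit lists, with a per-domain CSP table in which `null` means "emit no CSP header, the upstream sets its own", as an added example. This is not the repository's nginx module: the host names and the exact CSP strings for the Forgejo and Vaultwarden entries are assumptions chosen to match the "relaxed" descriptions above.

```nix
{ config, lib, ... }:

let
  # Six months in seconds, includeSubDomains, and no "preload" token: the value
  # is preload-ready, but submitting the domain to the preload list is a
  # separate, hard-to-reverse step.
  hsts = "max-age=15768000; includeSubDomains";

  strictCsp = "default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'";

  # Per-domain CSP. null: the service ships its own (SearXNG via settings.yml).
  cspFor = {
    "search.example.org" = null;
    "git.example.org"    = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'";
    "vault.example.org"  = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'";
  };

  # `always` makes nginx add the headers on error responses too, so a 429 or
  # a 502 from the proxy is not an unprotected page.
  securityHeaders = host:
    let csp = cspFor.${host} or strictCsp; in
    ''
      add_header Strict-Transport-Security "${hsts}" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
      add_header Cross-Origin-Resource-Policy "same-origin" always;
      add_header Cross-Origin-Opener-Policy "same-origin" always;
    '' + lib.optionalString (csp != null) ''
      add_header Content-Security-Policy "${csp}" always;
    '';
in
{
  services.nginx.virtualHosts = lib.genAttrs (builtins.attrNames cspFor) (host: {
    forceSSL = true;
    enableACME = true;
    extraConfig = securityHeaders host;
  });
}
```

Two nginx behaviours to check against after applying this. First, `add_header` appends rather than replaces: if the upstream already sends a Content-Security-Policy (Vaultwarden does), the browser enforces the intersection of both, so add `proxy_hide_header Content-Security-Policy;` where the proxy's policy is meant to win. Second, any `add_header` inside a `location` block discards every header inherited from the server level, so a location-specific header must repeat the whole set. Verify with `curl -sI https://<host>/` and confirm the six headers appear on a 404 as well as on a 200.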
6354a030f0
feat(openclaw): add Forgejo integration secrets to SOPS template
2026-03-19 14:32:05 +01:00
837e71b69d
Add Forgejo Actions Runner with sops secrets
2026-03-19 14:05:51 +01:00
b6abc4a1cf
Configure zram swap with zstd and 50% memory limit
2026-03-19 00:22:48 +01:00
f646c091cc
Harden SSH and enable post-quantum key exchange (sntrup761x25519-sha512) for system and Forgejo
2026-03-19 00:05:12 +01:00
abf2080f91
Add auto-update and maintenance options to system module
2026-03-19 00:03:58 +01:00
99c23a1aa5
chore: update flake.lock
2026-03-18 22:52:33 +00:00
748ccc6fc8
Enable Forgejo built-in SSH server on port 2222
2026-03-18 23:49:02 +01:00
6e9de4c189
Add Forgejo self-hosted Git service with Nginx, PostgreSQL, and Restic backups
2026-03-18 23:32:01 +01:00
c51c7183c1
Allow AdGuard Home to read ACME certificates via ReadOnlyPaths
2026-03-18 22:12:28 +01:00
deedd00762
Automate certificate path injection in AdGuard Home config
2026-03-18 22:11:08 +01:00
223f716b85
Remove explicit filter IDs from AdGuard config to avoid unmarshalling errors
2026-03-18 22:06:47 +01:00
8a9c513fde
Fix AdGuard filter ID type (string to integer)
2026-03-18 22:02:44 +01:00
7ea9246d74
Manage AdGuard Home blocklists via NixOS using yq-go injection
2026-03-18 22:01:38 +01:00
4790078ff9
Fix CrowdSec GeoIP filter syntax
2026-03-18 21:54:34 +01:00
c3adfa7e25
Restrict incoming connections to DE via CrowdSec GeoIP
2026-03-18 21:53:05 +01:00
8f44273faf
Cleanup
2026-03-18 21:33:42 +01:00
01b19c9fa0
Cleanup
2026-03-18 21:31:19 +01:00
ecf4fe59af
Cleanup
2026-03-18 21:29:58 +01:00
e9652aaaa6
Cleanup
2026-03-18 21:27:41 +01:00
ac36befbd7
Cleanup
2026-03-18 21:26:19 +01:00
e82bbec626
Cleanup
2026-03-18 21:23:53 +01:00
1c56d477fa
Cleanup
2026-03-18 21:23:37 +01:00
e1d18c18be
Cleanup
2026-03-18 21:22:19 +01:00
1792180144
Cleanup
2026-03-18 21:20:42 +01:00
1942425605
feat(adguard): enable DoT and fix ClientID injection
- Enable DNS-over-TLS (DoT) on port 853 using Nginx's ACME certificates
- Fix an issue where the native NixOS module dropped SOPS client IDs
- Use sops.templates and yq to inject ClientIDs dynamically before start
- Enable allow_unencrypted_doh to fix Nginx proxying DoH correctly
2026-03-18 21:12:31 +01:00
5dd91f74b1
fix(adguard): resolve port 53 conflict
Change AdGuard Home DNS listener to bind to 127.0.0.1:5353 to avoid conflicting with existing services on port 53, since we only expose DoH via Nginx.
2026-03-18 20:58:07 +01:00
219391bc85
refactor(adguard): migrate to native nixos service
Replace the Podman container and manual YAML templating with the native NixOS module for better system integration and simpler declarative configuration.
2026-03-18 20:56:30 +01:00
7a505055f8
fix(adguard): fix string interpolation syntax error
Fix a broken string concatenation that was causing a syntax error during NixOS evaluation.
Co-Authored-By: Gemini CLI <noreply@google.com>
2026-03-18 20:49:31 +01:00
93bef3b301
fix(adguard): rewrite with correct lib.length syntax
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:51:53 +01:00
7bdbe767b6
fix(adguard): use lib.length instead of == for empty check
Nix doesn't support == operator.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:27:47 +01:00
51e937c02f
fix(adguard): add empty clients list when no clients configured
AdGuard Home fails with empty persistent list.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:27:21 +01:00
7b9b1e1909
fix(adguard): add newline before filtering section
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:26:40 +01:00
a5d1f3e136
fix(adguard): fix YAML structure - clients at correct level
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:24:37 +01:00
ce152ba2b3
fix(adguard): fix template string concatenation
Properly concatenate optionalString with content.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:23:51 +01:00
294b556542
fix(adguard): handle empty clients list
Only render clients section when clients are configured.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:22:58 +01:00
23696e7e79
fix(adguard): remove --cap-drop=ALL flag
AdGuard Home needs capabilities to run.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:20:41 +01:00
9b1d5ede54
fix(adguard): remove --read-only flag
AdGuard Home needs write access to working directory.
Config file remains read-only via :ro mount.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:19:30 +01:00
8b3df01823
chore(secrets): add AdGuard ClientID secrets
2026-03-18 18:14:48 +00:00
9189a9c49d
feat(config): enable AdGuard Home module with two clients
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:09:59 +01:00
d413d5ec1b
feat(modules): register adguard module in default.nix
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:09:04 +01:00
1ed9acdcda
feat(modules): add AdGuard Home module with DoH and ClientID support
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:07:59 +01:00
30d5ce8134
docs: add AdGuard Home implementation plan
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:06:42 +01:00
4eeeef121e
docs: add explicit podman dependency in implementation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 19:03:57 +01:00