New module: modules/headscale.nix
- Headscale service listening on localhost with Nginx reverse proxy
- SQLite database (appropriate for personal use)
- Tailscale public DERP relays for NAT traversal fallback
- MagicDNS enabled with Mullvad/Quad9 upstream resolvers
- Optional OIDC authentication (Google, GitHub, etc.)
- Default auth: pre-shared API keys (headscale apikeys create)
- Added to backup paths (SQLite DB)
- headscale CLI tool added to system packages
Configuration:
- Domain: vpn.ashisgreat.xyz
- OIDC disabled by default (documented how to enable in configuration.nix)
To register a device after deploying:
sudo headscale apikeys create
tailscale up --login-server=https://vpn.ashisgreat.xyz --authkey=<key>
DNS record needed: vpn.ashisgreat.xyz → VPS IP
- Global rate limit: 10 req/s with burst of 20
- Connection limit: 30 concurrent per IP
- Per-domain override support (requests, burst, enable/disable)
- SearXNG gets higher limits (20/40) to tolerate bot traffic
- Returns 429 when rate limited
Remove LAPI server config causing null coercion error.
Detection-only mode for now; bouncer can be added later.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove redundant vaultwarden_admin_token from configuration.nix
(already declared in module)
- Remove unused pkgs parameter from vaultwarden module
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Enable web_search tool with Brave provider
- Add openclaw_brave_api_key secret to SOPS configuration
- Add BRAVE_API_KEY to openclaw.env template
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Move openclaw config to separate json file
- Reference file directly in podman module
- Remove problematic builtins.toJSON with nested arrays
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use official ghcr.io/openclaw/openclaw image
- configure via JSON config file
- containerized for better isolation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Systemd service running OpenClaw gateway
- Configurable via sops secrets
- Runs on localhost:18789
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Create modules/ directory with reusable NixOS modules
- Add system module for main user configuration
- Add podman module for rootless container support
- Add nginx module with automatic Let's Encrypt SSL
- Add searxng module with Anubis AI firewall protection
- Configure SearXNG at search.ashisgreat.xyz
- Enable nginx reverse proxy with HTTPS
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add flake.nix with sops-nix input
- Configure sops with age key encryption
- Add .sops.yaml template for age key configuration
- Create secrets/ directory for encrypted secrets
- Add .gitignore for age keys and nix result symlinks
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
