nixos-vps

Author	SHA1	Message	Date
ashie	9803eebb1d	Merge branch 'main' into feat/headscale	2026-03-19 20:18:10 +00:00
Franz Kafka	1c28db5f8e	feat(headscale): add self-hosted Tailscale control server New module: modules/headscale.nix - Headscale service listening on localhost with Nginx reverse proxy - SQLite database (appropriate for personal use) - Tailscale public DERP relays for NAT traversal fallback - MagicDNS enabled with Mullvad/Quad9 upstream resolvers - Optional OIDC authentication (Google, GitHub, etc.) - Default auth: pre-shared API keys (headscale apikeys create) - Added to backup paths (SQLite DB) - headscale CLI tool added to system packages Configuration: - Domain: vpn.ashisgreat.xyz - OIDC disabled by default (documented how to enable in configuration.nix) To register a device after deploying: sudo headscale apikeys create tailscale up --login-server=https://vpn.ashisgreat.xyz --authkey=<key> DNS record needed: vpn.ashisgreat.xyz → VPS IP	2026-03-19 15:39:56 +00:00
Franz Kafka	790501d290	feat(nginx): add rate limiting with per-domain overrides - Global rate limit: 10 req/s with burst of 20 - Connection limit: 30 concurrent per IP - Per-domain override support (requests, burst, enable/disable) - SearXNG gets higher limits (20/40) to tolerate bot traffic - Returns 429 when rate limited	2026-03-19 15:08:34 +00:00
Franz Kafka	fbea02867e	feat(nginx): add security headers with per-domain CSP - Add HSTS (6 months, includeSubDomains, preload-ready) - Add X-Content-Type-Options: nosniff - Add Permissions-Policy (disable camera/mic/geolocation) - Add Cross-Origin-Resource-Policy: same-origin - Add Cross-Origin-Opener-Policy: same-origin - Add configurable Content-Security-Policy per domain Per-service CSP tuning: - SearXNG: null (handles its own CSP in settings.yml) - Forgejo: relaxed (unsafe-inline/eval for code highlighting) - Vaultwarden: relaxed (unsafe-eval for WebCrypto vault) Fixes: missing CSP, HSTS, X-Content-Type-Options headers	2026-03-19 13:42:41 +00:00
ashisgreat22	837e71b69d	Add Forgejo Actions Runner with sops secrets	2026-03-19 14:05:51 +01:00
ashisgreat22	f646c091cc	Harden SSH and enable post-quantum key exchange (sntrup761x25519-sha512) for system and Forgejo	2026-03-19 00:05:12 +01:00
ashisgreat22	abf2080f91	Add auto-update and maintenance options to system module	2026-03-19 00:03:58 +01:00
ashisgreat22	748ccc6fc8	Enable Forgejo built-in SSH server on port 2222	2026-03-18 23:49:02 +01:00
ashisgreat22	6e9de4c189	Add Forgejo self-hosted Git service with Nginx, PostgreSQL, and Restic backups	2026-03-18 23:32:01 +01:00
ashisgreat22	c51c7183c1	Allow AdGuard Home to read ACME certificates via ReadOnlyPaths	2026-03-18 22:12:28 +01:00
ashisgreat22	deedd00762	Automate certificate path injection in AdGuard Home config	2026-03-18 22:11:08 +01:00
ashisgreat22	223f716b85	Remove explicit filter IDs from AdGuard config to avoid unmarshalling errors	2026-03-18 22:06:47 +01:00
ashisgreat22	8a9c513fde	Fix AdGuard filter ID type (string to integer)	2026-03-18 22:02:44 +01:00
ashisgreat22	7ea9246d74	Manage AdGuard Home blocklists via NixOS using yq-go injection	2026-03-18 22:01:38 +01:00
ashisgreat22	4790078ff9	Fix CrowdSec GeoIP filter syntax	2026-03-18 21:54:34 +01:00
ashisgreat22	c3adfa7e25	Restrict incoming connections to DE via CrowdSec GeoIP	2026-03-18 21:53:05 +01:00
ashisgreat22	8f44273faf	Cleanup	2026-03-18 21:33:42 +01:00
ashisgreat22	01b19c9fa0	Cleanup	2026-03-18 21:31:19 +01:00
ashisgreat22	ecf4fe59af	Cleanup	2026-03-18 21:29:58 +01:00
ashisgreat22	e9652aaaa6	Cleanup	2026-03-18 21:27:41 +01:00
ashisgreat22	ac36befbd7	Cleanup	2026-03-18 21:26:19 +01:00
ashisgreat22	e82bbec626	Cleanup	2026-03-18 21:23:53 +01:00
ashisgreat22	1c56d477fa	Cleanup	2026-03-18 21:23:37 +01:00
ashisgreat22	e1d18c18be	Cleanup	2026-03-18 21:22:19 +01:00
ashisgreat22	1792180144	Cleanup	2026-03-18 21:20:42 +01:00
ashisgreat22	1942425605	feat(adguard): enable DoT and fix ClientID injection - Enable DNS-over-TLS (DoT) on port 853 using Nginx's ACME certificates - Fix an issue where the native NixOS module dropped SOPS client IDs - Use sops.templates and yq to inject ClientIDs dynamically before start - Enable allow_unencrypted_doh to fix Nginx proxying DoH correctly	2026-03-18 21:12:31 +01:00
ashisgreat22	5dd91f74b1	fix(adguard): resolve port 53 conflict Change AdGuard Home DNS listener to bind to 127.0.0.1:5353 to avoid conflicting with existing services on port 53, since we only expose DoH via Nginx.	2026-03-18 20:58:07 +01:00
ashisgreat22	219391bc85	refactor(adguard): migrate to native nixos service Replace the Podman container and manual YAML templating with the native NixOS module for better system integration and simpler declarative configuration.	2026-03-18 20:56:30 +01:00
ashisgreat22	7a505055f8	fix(adguard): fix string interpolation syntax error Fix a broken string concatenation that was causing a syntax error during NixOS evaluation. Co-Authored-By: Gemini CLI <noreply@google.com>	2026-03-18 20:49:31 +01:00
ashisgreat22	93bef3b301	fix(adguard): rewrite with correct lib.length syntax Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:51:53 +01:00
ashisgreat22	7bdbe767b6	fix(adguard): use lib.length instead of == for empty check Nix doesn't support == operator. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:27:47 +01:00
ashisgreat22	51e937c02f	fix(adguard): add empty clients list when no clients configured AdGuard Home fails with empty persistent list. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:27:21 +01:00
ashisgreat22	7b9b1e1909	fix(adguard): add newline before filtering section Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:26:40 +01:00
ashisgreat22	a5d1f3e136	fix(adguard): fix YAML structure - clients at correct level Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:24:37 +01:00
ashisgreat22	ce152ba2b3	fix(adguard): fix template string concatenation Properly concatenate optionalString with content. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:23:51 +01:00
ashisgreat22	294b556542	fix(adguard): handle empty clients list Only render clients section when clients are configured. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:22:58 +01:00
ashisgreat22	23696e7e79	fix(adguard): remove --cap-drop=ALL flag AdGuard Home needs capabilities to run. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:20:41 +01:00
ashisgreat22	9b1d5ede54	fix(adguard): remove --read-only flag AdGuard Home needs write access to working directory. Config file remains read-only via :ro mount. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:19:30 +01:00
ashisgreat22	d413d5ec1b	feat(modules): register adguard module in default.nix Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:09:04 +01:00
ashisgreat22	1ed9acdcda	feat(modules): add AdGuard Home module with DoH and ClientID support Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 19:07:59 +01:00
ashisgreat22	fd056367d2	feat: add backup module with Restic + Backblaze B2 - Encrypted backups to B2 - Configurable retention (daily/weekly/monthly) - SOPS-managed credentials - Automatic pruning Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 14:11:11 +01:00
ashisgreat22	f82b822d16	feat: add firewall bouncer to CrowdSec module - Enable crowdsec-firewall-bouncer by default - Auto-registers bouncer with local CrowdSec API - Blocks malicious IPs at iptables/nftables level Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 13:58:13 +01:00
ashisgreat22	8a933fd9de	fix: enable CrowdSec Local API for cscli Add LAPI server configuration with credentials file path. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 13:53:15 +01:00
ashisgreat22	e0de37b15f	fix: simplify CrowdSec module Remove LAPI server config causing null coercion error. Detection-only mode for now; bouncer can be added later. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 13:50:44 +01:00
ashisgreat22	211693ef3b	feat: add CrowdSec security module - Wraps native NixOS CrowdSec service - Configures SSH and nginx log acquisition - Installs linux/nginx/sshd hub collections - Supports IP whitelisting and ban duration config - Optional nginx bouncer integration (requires manual API key setup) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 13:44:36 +01:00
ashisgreat22	db4f0f8f61	fix: remove duplicate SOPS declaration, clean up unused param - Remove redundant vaultwarden_admin_token from configuration.nix (already declared in module) - Remove unused pkgs parameter from vaultwarden module Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 12:37:09 +01:00
ashisgreat22	e2facd1fa9	feat: add Vaultwarden module - Add native NixOS Vaultwarden service module - Supports WebSocket for real-time sync notifications - Integrates with nginx via extraLocations for /notifications/hub - Configurable signup, invitations, and SMTP settings - Uses SOPS for admin token secret management Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 12:07:26 +01:00
ashisgreat22	cbce4aa228	feat(nginx): add extraLocations option for WebSocket support Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 03:19:31 +01:00
ashisgreat22	a87fd37489	Add Brave Search web search to OpenClaw - Enable web_search tool with Brave provider - Add openclaw_brave_api_key secret to SOPS configuration - Add BRAVE_API_KEY to openclaw.env template Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 02:50:09 +01:00
ashisgreat22	4d9c61da10	Fix exec config: use valid options (security: full, ask: off) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-18 02:36:59 +01:00

1 2

77 commits