- Add `internalOnly` option to nginx module to block public access.
- Apply `internalOnly` flag to Forgejo and Vaultwarden to ensure they are only accessible over the VPN or localhost.
- Configure Headscale to use the VPS Tailscale IP (100.64.0.3) as the global DNS server instead of external providers.
- Add firewall rules to allow DNS requests over the `tailscale0` interface.
- Add iptables PREROUTING rules to redirect standard DNS (port 53) from Tailscale clients to AdGuard Home (port 5353) to resolve port conflicts with `aardvark-dns`.
New module: modules/headscale.nix
- Headscale service listening on localhost with Nginx reverse proxy
- SQLite database (appropriate for personal use)
- Tailscale public DERP relays for NAT traversal fallback
- MagicDNS enabled with Mullvad/Quad9 upstream resolvers
- Optional OIDC authentication (Google, GitHub, etc.)
- Default auth: pre-shared API keys (headscale apikeys create)
- Added to backup paths (SQLite DB)
- headscale CLI tool added to system packages
Configuration:
- Domain: vpn.ashisgreat.xyz
- OIDC disabled by default (documented how to enable in configuration.nix)
To register a device after deploying:
sudo headscale apikeys create
tailscale up --login-server=https://vpn.ashisgreat.xyz --authkey=<key>
DNS record needed: vpn.ashisgreat.xyz → VPS IP
- Drops --network=host from OpenClaw container
- Container now runs on Podman's default bridge network
- Gateway port already mapped via ports config (127.0.0.1:18789:8080)
- Container retains outbound internet access for Discord API, model providers, etc.
- Cannot reach other host services (Forgejo, Vaultwarden, etc.) — principle of least privilege
Note: If OpenClaw needs to reach local services in the future, add explicit
extraOptions like --network=bridge or create a shared Podman network.
- Global rate limit: 10 req/s with burst of 20
- Connection limit: 30 concurrent per IP
- Per-domain override support (requests, burst, enable/disable)
- SearXNG gets higher limits (20/40) to tolerate bot traffic
- Returns 429 when rate limited
- Enable DNS-over-TLS (DoT) on port 853 using Nginx's ACME certificates
- Fix an issue where the native NixOS module dropped SOPS client IDs
- Use sops.templates and yq to inject ClientIDs dynamically before start
- Enable allow_unencrypted_doh to fix Nginx proxying DoH correctly
Replace the Podman container and manual YAML templating with the native NixOS module for better system integration and simpler declarative configuration.
AdGuard Home needs write access to working directory.
Config file remains read-only via :ro mount.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Enable crowdsec-firewall-bouncer by default
- Auto-registers bouncer with local CrowdSec API
- Blocks malicious IPs at iptables/nftables level
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
