{ config, pkgs, lib, ... }: { aa = { nix.enable = true; nix.useSelfhostedCache = true; security.acme = { enable = true; domainName = "proxy.kilonull.com"; isWildcard = false; # TODO: Use a different cert with more targetted permissions (this one # can make wildcard certs) # TODO: Add machine public key in secrets/secrets.nix dnsCredentialsFile = "/var/acme/creds"; }; services = { openssh.enable = true; # NOTE: Need to run `tailscale login` on first boot tailscale = { enable = true; configureClientRouting = true; }; }; tools.zsh.enable = true; }; # Workaround for broken digital ocean image builds # See: https://github.com/NixOS/nixpkgs/issues/308404 boot.loader.grub.devices = lib.mkForce ["/dev/vda"]; boot.loader.grub.device = "/dev/vda"; services.nginx = { enable = true; appendHttpConfig = '' log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time'; access_log /var/log/nginx/access.log upstreamlog; ''; virtualHosts."proxy.kilonull.com" = let commonConfig = pkgs.writeText "common_config.conf" '' proxy_redirect off; proxy_set_header Host "hydra.kilonull.com"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; allow 127.0.0.1; allow 100.0.0.0/8; allow 192.168.113.0/24; ''; in { forceSSL = true; useACMEHost = "proxy.kilonull.com"; locations = { "/" = { extraConfig = '' deny all; ''; }; "/hydra" = { proxyPass = "https://hydra.kilonull.com"; extraConfig = '' rewrite /hydra(.*) /$1 break; include ${commonConfig}; deny all; ''; }; "/hydra/api/push-github" = { proxyPass = "https://hydra.kilonull.com/api/push-github"; extraConfig = '' include ${commonConfig}; # GitHub webhook IPs allow 192.30.252.0/22; allow 185.199.108.0/22; allow 140.82.112.0/20; allow 143.55.64.0/20; allow 2a0a:a440::/29; allow 2606:50c0::/3; deny all; ''; }; }; }; }; users.users.${config.aa.user.name} = { initialHashedPassword = "$y$j9T$/AuWXo5argOeEi1hwlu161$bvB.V5tfB.acWAvr6mV9lVucdGzQc16UVffMdPbqWD0"; }; networking.firewall.allowedTCPPorts = [ # SSH 22 # HTTP(S) 80 443 ]; virtualisation.digitalOcean = { setRootPassword = true; setSshKeys = true; }; system.stateVersion = "24.05"; }