authorpolwex <polwex@sortug.com>2025-05-17 07:22:02 +0000
committerpolwex <polwex@sortug.com>2025-05-17 07:22:02 +0000
commitbb5002c60d57600ecb812720106a88df80d07362 (patch)
tree94a9800ffcd46da579a784ace3dc5ac0c7e574f8 /hosts/cloud/hetzner
parent6dcb4af2623174c4c52202c7ea064f40a35091ed (diff)
parentf56280c419a9f6c3571739f615d31f7cdae95869 (diff)
Merge branch 'hetzner'
hi
Diffstat (limited to 'hosts/cloud/hetzner')
-rw-r--r--hosts/cloud/hetzner/configuration.nix53
-rw-r--r--hosts/cloud/hetzner/default.nix4
-rw-r--r--hosts/cloud/hetzner/disk-config.nix55
-rw-r--r--hosts/cloud/hetzner/nginx.nix29
4 files changed, 141 insertions, 0 deletions
diff --git a/hosts/cloud/hetzner/configuration.nix b/hosts/cloud/hetzner/configuration.nix
new file mode 100644
index 0000000..73ca07e
--- /dev/null
+++ b/hosts/cloud/hetzner/configuration.nix
@@ -0,0 +1,53 @@
+{
+ modulesPath,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # ./hardware-configuration.nix
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./nginx.nix
+ ./disk-config.nix
+ ../../base.nix
+ ../users.nix
+ ../packages.nix
+ ../../server.nix
+ ];
+ boot = {
+ loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+ };
+
+ networking = {
+ hostName = "yn-hel";
+ };
+ networking.firewall = {
+ enable = false;
+ # allowedTCPPorts = [ 993 465 40308 80 443 53 51820 5522 ];
+ # allowedUDPPorts = [ 993 465 40308 80 443 53 50000 50001 50002 50003 50004 50005 50006 50007 50008 50009 50010 51820 5522 ];
+ };
+ # services.ntfy-sh = {
+ # enable = true;
+ # settings = {
+ # base-url = "https://n.urbit.men";
+ # listen-http = ":8090";
+ # };
+ # };
+
+ # services.headscale = {
+ # enable = true;
+ # address = "0.0.0.0";
+ # port = 8001;
+ # settings = {
+ # server_url = "https://head.urbit.men";
+ # dns.baseDomain = "urbit.men";
+ # logtail.enabled = false;
+ # };
+ # };
+
+ system.stateVersion = "24.11"; # Did you read the comment?
+}
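Review bot: `networking.firewall.enable = false;` leaves every listening socket on this public cloud host reachable. That includes the plain-HTTP backend that nginx.nix proxies to on port 8080, if that service binds to all interfaces rather than loopback (its bind address is not visible here). The commented-out port lists suggest an allow-list was intended; I would set `enable = true;` and `allowedTCPPorts = [ 80 443 ];`, adding further ports only as services are turned on. If SSH comes from `services.openssh` in one of the imported files, that module opens its own port by default, but confirm this before deploying so the host is not locked out. The commented headscale block binds `0.0.0.0`, so it would also be exposed directly if re-enabled with the firewall off.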
diff --git a/hosts/cloud/hetzner/default.nix b/hosts/cloud/hetzner/default.nix
new file mode 100644
index 0000000..3669483
--- /dev/null
+++ b/hosts/cloud/hetzner/default.nix
@@ -0,0 +1,4 @@
+inputs: [
+ inputs.disko.nixosModules.disko
+ ./configuration.nix
+]
diff --git a/hosts/cloud/hetzner/disk-config.nix b/hosts/cloud/hetzner/disk-config.nix
new file mode 100644
index 0000000..c72a8d4
--- /dev/null
+++ b/hosts/cloud/hetzner/disk-config.nix
@@ -0,0 +1,55 @@
+# Example to create a bios compatible gpt partition
+{lib, ...}: {
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
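Review bot: The `esp` partition is mounted at `/boot` as vfat with no `mountOptions`, so its files get the default vfat permissions and are typically readable by every local user. Because the bootloader files, kernels and initrds land there, anything embedded in an initrd would be readable too. Adding `mountOptions = [ "umask=0077" ];` to the `esp.content` block restricts the mount to root. The header comment `# Example to create a bios compatible gpt partition` looks left over from a template; a comment describing the actual layout (1M BIOS boot, 500M ESP at /boot, the rest as the LVM PV for `pool` with one ext4 root LV) would be more useful. It could also state that the root volume is deliberately unencrypted, if that is the intent.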
diff --git a/hosts/cloud/hetzner/nginx.nix b/hosts/cloud/hetzner/nginx.nix
new file mode 100644
index 0000000..4a6d708
--- /dev/null
+++ b/hosts/cloud/hetzner/nginx.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@urbit.cam";
+ services.nginx = {
+ enable = true;
+ virtualHosts."u.urbit.cloud" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ # proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header Forwarded $proxy_add_x_forwarded_for;
+ '';
+ };
+ extraConfig = ''
+ chunked_transfer_encoding off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ };
+}
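Review bot: In `locations."/".extraConfig`, `proxy_set_header Forwarded $proxy_add_x_forwarded_for;` puts an X-Forwarded-For style address list into the RFC 7239 `Forwarded` header. That header expects `for=...;proto=...` pairs, so a backend that parses it will not recover the client address, and one that reads `X-Forwarded-For` sees only what the client sent. I would change the line to `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and add `proxy_set_header X-Real-IP $remote_addr;`, or drop both hand-written headers and set `services.nginx.recommendedProxySettings = true;`. `$proxy_add_x_forwarded_for` appends to whatever the client supplied, so the service on 127.0.0.1:8080 should trust only the last entry when it uses the value for logging, rate limiting or access decisions.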