commit 6c4d073b7b049c2b44c130ed04dd016e2b442e79
parent 423441f22a3928b5af301efdfbcbeed1443348bc
Author: Toni Brown <me@tb148.net>
Date: Sun, 26 Apr 2026 18:22:32 +0800
add hetzner remote configuration
Diffstat:
15 files changed, 280 insertions(+), 24 deletions(-)
diff --git a/flake.nix b/flake.nix
@@ -46,29 +46,40 @@
run0-sudo-shim,
...
} @ inputs: {
- nixosConfigurations.nixosion =
- nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = {inherit inputs;};
- modules = [
- ./local/.
- nur.modules.nixos.default
- lix-module.nixosModules.default
- catppuccin.nixosModules.catppuccin
- home-manager.nixosModules.home-manager
- run0-sudo-shim.nixosModules.default
- {
- home-manager.useGlobalPkgs = true;
- home-manager.useUserPackages = true;
- home-manager.users.tb148 = {
- imports = [
- ./home/.
- betterfox.homeModules.betterfox
- catppuccin.homeModules.catppuccin
- ];
- };
- }
- ];
- };
+ nixosConfigurations = {
+ nixosion =
+ nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {inherit inputs;};
+ modules = [
+ ./local/.
+ nur.modules.nixos.default
+ lix-module.nixosModules.default
+ catppuccin.nixosModules.catppuccin
+ home-manager.nixosModules.home-manager
+ run0-sudo-shim.nixosModules.default
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.tb148 = {
+ imports = [
+ ./home/.
+ betterfox.homeModules.betterfox
+ catppuccin.homeModules.catppuccin
+ ];
+ };
+ }
+ ];
+ };
+ hetznerion =
+ nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {inherit inputs;};
+ modules = [
+ ./remote/.
+ lix-module.nixosModules.default
+ ];
+ };
+ };
};
}
diff --git a/remote/boot/default.nix b/remote/boot/default.nix
@@ -0,0 +1,7 @@
+{...}: {
+ boot.loader.grub.enable = true;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.device = "/dev/sda";
+ boot.loader.grub.configurationLimit = 16;
+}
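Review bot: `boot.loader.grub.device = "/dev/sda"` on L80 is the one place in this commit that addresses the disk by kernel name rather than by UUID (the filesystems in hardware-configuration.nix all use `/dev/disk/by-uuid/...`), and combined with `efiSupport = true` it installs a BIOS boot sector in addition to the EFI image. If the VM is meant to boot via UEFI only, the NixOS-documented value is `boot.loader.grub.device = "nodev";`, which skips the MBR install entirely; if the hybrid install is deliberate (e.g. Hetzner's default BIOS boot), a one-line comment saying so would stop the next reader from "fixing" it. Either way, `/dev/sda` presumably stays stable on a single virtio-scsi disk, but that assumption is worth stating next to the setting.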
diff --git a/remote/btrbk/default.nix b/remote/btrbk/default.nix
@@ -0,0 +1,12 @@
+{pkgs, ...}: {
+ services.btrbk.sshAccess = [
+ {
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL18Wkgat+pFy2FFrta8ryH57X36uCCSGv1P7gYFn0Jp btrbk@nixosion";
+ roles = ["source" "info" "delete"];
+ }
+ ];
+ systemd.tmpfiles.rules = [
+ "d /var/lib/btrbk/snapshots 0750 btrbk btrbk"
+ ];
+ environment.systemPackages = [pkgs.zstd];
+}
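Review bot: The `delete` role granted to the `btrbk@nixosion` key on L89 means whoever holds that workstation's private key can remove snapshots on this server, so a compromised workstation can erase the server-side snapshot history rather than just read it; if retention can be enforced from the server side, consider narrowing to `roles = ["source" "info"];`. Separately, the NixOS btrbk module implements `sshAccess` by giving the `btrbk` user restricted sudo rules for `btrfs`, and this same commit disables `security.sudo` in favour of sudo-rs (remote/security/default.nix); confirm the module emits matching `security.sudo-rs` rules on the nixpkgs revision in use, otherwise the over-SSH `btrfs send` will fail with a permission error rather than degrade gracefully. A comment above `sshAccess` recording which host pulls from here and why `delete` is needed would make the trust relationship explicit.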
diff --git a/remote/cloudflared/default.nix b/remote/cloudflared/default.nix
@@ -0,0 +1,10 @@
+{...}: {
+ services.cloudflared = {
+ enable = true;
+ tunnels."9fa561dc-d9b5-4b26-a351-d8248b10e6f9" = {
+ credentialsFile = "/home/admin/.cloudflared/9fa561dc-d9b5-4b26-a351-d8248b10e6f9.json";
+ edgeIPVersion = "6";
+ default = "http_status:404";
+ };
+ };
+}
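Review bot: `credentialsFile` on L103 points the tunnel credentials at `/home/admin/.cloudflared/...json`, but the NixOS cloudflared module runs the tunnel as its own service user, so for this to work the JSON must be readable across the `admin` home directory (a permissive home mode or an ACL), which exposes a long-lived Cloudflare secret to anything that can read admin's files. Move the credentials to a path owned by the service user with mode 0400, e.g. `credentialsFile = "/var/lib/cloudflared/9fa561dc-d9b5-4b26-a351-d8248b10e6f9.json";`, or provision it through a secrets manager the way the vaultwarden module's comment already suggests. The tunnel UUID itself is an identifier, not a secret, so committing it is fine. No `ingress` rules appear in this hunk, so whether 404 is the only reachable response is presumably settled elsewhere.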
diff --git a/remote/default.nix b/remote/default.nix
@@ -0,0 +1,40 @@
+{...}: {
+ imports = [
+ ./boot/.
+ ./btrbk/.
+ ./cloudflared/.
+ ./filesystem/.
+ ./matrix-continuwuity/.
+ ./networking/.
+ ./nix/.
+ ./openssh/.
+ ./security/.
+ ./user/.
+ ./vaultwarden/.
+ ./hardware-configuration.nix
+ ];
+
+ time.timeZone = "Etc/UTC";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ programs.git.enable = true;
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
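Review bot: Nothing in this top-level module (or in the imported networking/openssh modules visible in this commit) sets `networking.firewall`, so the host relies on the NixOS default of an enabled firewall with only the sshd port opened by the openssh module. That is the right posture for a box whose services bind to loopback behind a tunnel, but it is implicit, and a later import could open ports without anyone noticing. Make the intent visible with `networking.firewall.enable = true; # only sshd is exposed; everything else goes through cloudflared` so the default is a documented decision rather than an accident.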
diff --git a/remote/filesystem/default.nix b/remote/filesystem/default.nix
@@ -0,0 +1,12 @@
+{...}: {
+ fileSystems."/".options = ["compress=zstd"];
+ fileSystems."/nix".options = ["compress=zstd" "noatime"];
+ fileSystems."/var/lib".options = ["compress=zstd"];
+ fileSystems."/swap".options = ["noatime"];
+ swapDevices = [
+ {
+ device = "/swap/swapfile";
+ size = 4 * 1024;
+ }
+ ];
+}
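Review bot: The 4 GiB swapfile on L160–L161 is unencrypted, and this host runs vaultwarden and a Matrix homeserver whose process memory (session keys, decrypted vault data in flight) can be paged out to it and persist on disk across reboots. NixOS offers `randomEncryption = true;` on a swap entry to wrap it with a per-boot random key, but I believe that path expects a block device rather than a file on btrfs, so it would need either a dedicated swap partition or a check that it works for swapfiles on the 25.05 module before relying on it; if neither is practical, a comment stating that swap is intentionally plaintext is better than silence. Also worth noting in a comment that NixOS's `size`-based swapfile creation handles the btrfs no-COW requirement itself, since a reader seeing only `noatime` on L157 may expect `nodatacow` to be missing.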
diff --git a/remote/hardware-configuration.nix b/remote/hardware-configuration.nix
@@ -0,0 +1,53 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/429b4a0d-e3a3-4843-babb-3c709e0aca85";
+ fsType = "btrfs";
+ options = ["subvol=root"];
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/429b4a0d-e3a3-4843-babb-3c709e0aca85";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ fileSystems."/var/lib" = {
+ device = "/dev/disk/by-uuid/429b4a0d-e3a3-4843-babb-3c709e0aca85";
+ fsType = "btrfs";
+ options = ["subvol=data"];
+ };
+
+ fileSystems."/swap" = {
+ device = "/dev/disk/by-uuid/429b4a0d-e3a3-4843-babb-3c709e0aca85";
+ fsType = "btrfs";
+ options = ["subvol=swap"];
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/352C-FCAB";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
+
+ swapDevices = [];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/remote/matrix-continuwuity/default.nix b/remote/matrix-continuwuity/default.nix
@@ -0,0 +1,28 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ services.matrix-continuwuity = {
+ enable = true;
+ package =
+ pkgs.matrix-continuwuity.override {
+ rocksdb =
+ pkgs.rocksdb.overrideAttrs (prev: {
+ # needed on btrfs: otherwise rocksdb preallocates too much space and can't free them
+ cmakeFlags =
+ lib.subtractLists [(lib.cmakeBool "WITH_FALLOCATE" true)] prev.cmakeFlags
+ ++ [(lib.cmakeBool "WITH_FALLOCATE" false)];
+ });
+ };
+ settings.global = {
+ server_name = "tb148.net";
+ allow_registration = false;
+ allow_encryption = true;
+ allow_federation = true;
+ trusted_servers = ["matrix.org" "tchncs.de" "envs.net"];
+ ip_lookup_strategy = 2;
+ database_backup_path = "/var/lib/continuwuity/backups";
+ };
+ };
+}
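Review bot: `trusted_servers` on L244 lists three notary servers; in continuwuity these are the servers whose answers about other homeservers' signing keys are accepted when verifying federation traffic, so each entry is a party that can vouch for any remote server's keys. `matrix.org` alone is the usual choice; if `tchncs.de` and `envs.net` were added for a specific reason (reachability over the IPv6-only network this commit configures, say), record it in a comment, otherwise shrink the list to `trusted_servers = ["matrix.org"];`. The `ip_lookup_strategy = 2` on L245 appears to select IPv6-only lookups, which matches the networkd configuration in this commit but means federation with IPv4-only homeservers will fail — a one-line comment tying the two settings together would help. The `rocksdb` override on L230–L237 is a deliberate rebuild of a database engine; the comment explains the why, which is good.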
diff --git a/remote/networking/default.nix b/remote/networking/default.nix
@@ -0,0 +1,7 @@
+{...}: {
+ imports = [./networkd/.];
+
+ networking.hostName = "hetznerion";
+ networking.useDHCP = false;
+ services.resolved.enable = true;
+}
diff --git a/remote/networking/networkd/default.nix b/remote/networking/networkd/default.nix
@@ -0,0 +1,22 @@
+{...}: {
+ systemd.network.enable = true;
+ systemd.network.networks."30-wan" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig = {
+ DNS = [
+ "2a00:1098:2b::1"
+ "2a00:1098:2c::1"
+ "2a01:4f8:c2c:123f::1"
+ "2a01:4f9:c010:3f02::1"
+ ];
+ DHCP = "no";
+ IPv6AcceptRA = false;
+ };
+ address = [
+ "2a01:4f8:1c19:8cba::1/64"
+ ];
+ routes = [
+ {Gateway = "fe80::1";}
+ ];
+ };
+}
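Review bot: The four resolvers on L266–L271 are reached over plain, unauthenticated DNS, and this host's federation and outbound TLS connections (Matrix, Cloudflare tunnel) all start with those lookups. If the provider resolvers support DNS-over-TLS, enabling it in the resolved module that this commit turns on (`services.resolved.dnsovertls = "opportunistic";`) costs nothing and removes an on-path tampering vector; if they do not, a comment saying the resolvers are provider-supplied and plaintext by necessity documents the accepted risk. The `IPv6AcceptRA = false` plus static `fe80::1` gateway is consistent with a provider-assigned /64, but note the host has no IPv4 address at all, which is presumably intentional and deserves a comment given the Matrix settings elsewhere in this commit.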
diff --git a/remote/nix/default.nix b/remote/nix/default.nix
@@ -0,0 +1,15 @@
+{...}: {
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+ nix.settings = {
+ auto-optimise-store = true;
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ trusted-users = ["admin"];
+ };
+}
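Review bot: `trusted-users = ["admin"]` on L297 is a root-equivalent grant — a trusted Nix user can add substituters, import unsigned store paths and disable the build sandbox, so anyone who can run commands as `admin` can plant arbitrary content in `/nix/store`. That is consistent with `admin` already being in `wheel` in this commit, but it is not obvious from the line itself; add `# root-equivalent: admin is the deploy user and already has wheel` so the implication is recorded. If deployments are pushed from the workstation rather than built on the server, `trusted-users` could be dropped entirely and the push done as root over SSH, which keeps the set of root-equivalent identities to one.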
diff --git a/remote/openssh/default.nix b/remote/openssh/default.nix
@@ -0,0 +1,10 @@
+{...}: {
+ services.openssh = {
+ enable = true;
+ settings = {
+ KbdInteractiveAuthentication = false;
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+}
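Review bot: Password and keyboard-interactive authentication are off and root login is denied, which is the right baseline, but the daemon still accepts public-key logins for every account on the system. This commit creates exactly two accounts that need SSH — `admin` (remote/user) and the `btrbk` service user whose authorized key and forced command come from the btrbk module — so pinning that with `settings.AllowUsers = ["admin" "btrbk"];` turns any future stray account with an authorized key into a non-issue. Confirm the btrbk module's user is indeed named `btrbk` on this nixpkgs revision before adding it to the list.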
diff --git a/remote/security/default.nix b/remote/security/default.nix
@@ -0,0 +1,4 @@
+{...}: {
+ security.sudo.enable = false;
+ security.sudo-rs.enable = true;
+}
diff --git a/remote/user/default.nix b/remote/user/default.nix
@@ -0,0 +1,7 @@
+{...}: {
+ users.users.admin = {
+ isNormalUser = true;
+ extraGroups = ["wheel"]; # Enable ‘sudo’ for the user.
+ openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2TIXbQnwXj+V+wCm381+noJLNa9VPFToIsP446SRnA openpgp:0x86122D5D"];
+ };
+}
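Review bot: `users.users.admin` sets an SSH key but no `hashedPassword`/`hashedPasswordFile`, and the sudo-rs module enabled in this commit keeps its default of requiring a password for `wheel`, so as declared `admin` can log in but cannot escalate — unless a password was set imperatively via `passwd`, which `users.mutableUsers` (left at its default) permits but which then lives outside the configuration. Decide which one is intended and make it explicit: either `hashedPasswordFile = "/path/from/secrets-manager";` next to the key, or `security.sudo-rs.wheelNeedsPassword = false;` with a comment acknowledging that the SSH key then becomes the sole gate to root. The `# Enable ‘sudo’ for the user.` comment on L323 is also slightly misleading now that plain sudo is disabled; `# wheel: root via sudo-rs (see security/)` would match what the commit actually configures.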
diff --git a/remote/vaultwarden/default.nix b/remote/vaultwarden/default.nix
@@ -0,0 +1,18 @@
+{...}: {
+ services.vaultwarden = {
+ enable = true;
+ domain = "vault.tb148.net";
+ # in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
+ # be aware that this file must be created by hand (or via secrets management like sops)
+ # environmentFile = "/home/admin/vaultwarden.env";
+ config = {
+ # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
+ SIGNUPS_ALLOWED = false;
+ INVITATIONS_ALLOWED = false;
+
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ ROCKET_LOG = "critical";
+ };
+ };
+}
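Review bot: vaultwarden records the client address for failed logins, admin-panel lockouts and rate limiting from the header named by `IP_HEADER`, which defaults to `X-Real-IP`; the service binds to loopback on L341–L342 and, as far as this commit shows, is reached only through the cloudflared tunnel, which sets `CF-Connecting-IP` rather than `X-Real-IP`. Without `IP_HEADER = "CF-Connecting-IP";` every login attempt appears to come from 127.0.0.1, so per-IP throttling collapses into a single global bucket and the logs are useless for incident response — this assumes the tunnel ingress targets port 8222 directly, which is not visible here. Leaving `environmentFile` commented out means no `ADMIN_TOKEN` is set and the `/admin` panel stays disabled, which is a safe default worth stating in the comment; note that with signups and invitations both off, the first account will have to be created by briefly flipping `SIGNUPS_ALLOWED`, so a comment on the intended bootstrap procedure would help the next operator.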