add gateway-nixos + hetzner machine config (#413)

* add nixos gateway device + hetzner config

* harden ssh config

* move 1pw config out of shared server

* limit resources to avoid throttling hetzner machines

* fix nftables rules, drop ffmpeg-full

* monkeypatch hetzner ipv6 detection

Author: kclejeune

flake.nix

@@ -196,7 +196,20 @@
                     ./modules/hardware/phil.nix
                     inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t460s
                   ];
-                  extraModules = [ ./profiles/personal ];
+                  extraModules = [
+                    ./modules/nixos/desktop.nix
+                    ./profiles/personal
+                  ];
+                };
+                gateway = mkNixosConfig {
+                  system = "x86_64-linux";
+                  hardwareModules = [
+                    ./modules/nixos/hetzner.nix
+                  ];
+                  extraModules = [
+                    ./modules/nixos/gateway.nix
+                    ./profiles/personal
+                  ];
                 };
               }
             ];

modules/common.nix

@@ -32,7 +32,6 @@
   hm = {
     imports = [
       ./home-manager
-      ./home-manager/1password.nix
     ];
   };
 

modules/darwin/default.nix

@@ -38,6 +38,8 @@
     };
   };
 
+  hm.imports = [ ../home-manager/1password.nix ];
+
   hm.home.sessionVariables = {
     SDKROOT = "$(xcrun --show-sdk-path)";
   };

modules/home-manager/default.nix

@@ -19,7 +19,6 @@
     ./tldr.nix
     ./tmux.nix
     ./yazi
-    ./gnome.nix
     ./nixpkgs.nix
   ];
 
@@ -66,7 +65,7 @@
         doxx
         dust
         fd
-        ffmpeg-full
+        ffmpeg
         findutils
         flamegraph
         flamelens

modules/nixos/default.nix

@@ -6,7 +6,6 @@
 {
   # bundles essential nixos modules
   imports = [
-    ./keybase.nix
     ../common.nix
   ];
 
@@ -22,116 +21,17 @@
     keep-derivations = true;
   };
 
-  services.syncthing = {
-    enable = true;
-    user = config.user.name;
-    group = "users";
-    openDefaultPorts = true;
-    dataDir = config.user.home;
-  };
-
-  environment.systemPackages = with pkgs; [
-    vscode
-    brave
-    gnome-tweaks
-  ];
-
-  hm =
-    { ... }:
-    {
-      imports = [ ../home-manager/gnome.nix ];
-    };
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
   users = {
     defaultUserShell = pkgs.zsh;
-    mutableUsers = false;
-    users = {
-      "${config.user.name}" = {
-        isNormalUser = true;
-        extraGroups = [
-          "sudo"
-          "wheel"
-          "networkmanager"
-        ]; # Enable ‘sudo’ for the user.
-        hashedPassword = "$6$1kR9R2U/NA0.$thN8N2sTo7odYaoLhipeuu5Ic4CS7hKDt1Q6ClP9y0I3eVMaFmo.dZNpPfdwNitkElkaLwDVsGpDuM2SO2GqP/";
-      };
-    };
   };
 
-  networking.hostName = "Phil"; # Define your hostname.
-  networking.networkmanager.enable = true;
-
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  # Define on which hard drive you want to install Grub.
-  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
-  # boot.loader.grub.efiSupport = true;
-  # boot.loader.grub.efiInstallAsRemovable = true;
-  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
-
-  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-  # Per-interface useDHCP will be mandatory in the future, so this generated config
-  # replicates the default behaviour.
-  networking.useDHCP = false;
-  networking.interfaces.enp0s31f6.useDHCP = true;
-  networking.interfaces.wlp4s0.useDHCP = true;
-
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
-  # Select internationalisation properties.
   i18n.defaultLocale = "en_US.UTF-8";
-  # console = {
-  #   font = pkgs.jetbrains-mono;
-  #   keyMap = "us";
-  # };
-
-  # Set your time zone.
-  # time.timeZone = "EST";
-  services.geoclue2.enable = true;
-  services.localtimed.enable = true;
 
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
   programs.gnupg.agent = {
     enable = true;
     enableSSHSupport = true;
-    pinentryPackage = pkgs.pinentry-gnome3;
   };
 
-  # List services that you want to enable:
-
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # Enable CUPS to print documents.
-  services.printing.enable = true;
-
-  services.pulseaudio.enable = false;
-
-  # Enable touchpad support.
-  services.libinput.enable = true;
-
-  # Enable the X11 windowing system.
-  services.xserver.enable = true;
-  services.xserver.xkb.layout = "us";
-  services.desktopManager.gnome.enable = true;
-  services.displayManager.gdm.enable = true;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11";
 }

modules/nixos/desktop.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+{
+  imports = [ ./keybase.nix ];
+
+  services.syncthing = {
+    enable = true;
+    user = config.user.name;
+    group = "users";
+    openDefaultPorts = true;
+    dataDir = config.user.home;
+  };
+
+  environment.systemPackages = with pkgs; [
+    vscode
+    brave
+    gnome-tweaks
+  ];
+
+  hm =
+    { ... }:
+    {
+      imports = [
+        ../home-manager/gnome.nix
+        ../home-manager/1password.nix
+      ];
+    };
+
+  # Define a user account. Don't forget to set a password with 'passwd'.
+  users = {
+    mutableUsers = false;
+    users = {
+      "${config.user.name}" = {
+        isNormalUser = true;
+        extraGroups = [
+          "sudo"
+          "wheel"
+          "networkmanager"
+        ];
+        hashedPassword = "$6$1kR9R2U/NA0.$thN8N2sTo7odYaoLhipeuu5Ic4CS7hKDt1Q6ClP9y0I3eVMaFmo.dZNpPfdwNitkElkaLwDVsGpDuM2SO2GqP/";
+      };
+    };
+  };
+
+  networking.hostName = "Phil";
+  networking.networkmanager.enable = true;
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  networking.useDHCP = false;
+  networking.interfaces.enp0s31f6.useDHCP = true;
+  networking.interfaces.wlp4s0.useDHCP = true;
+
+  services.geoclue2.enable = true;
+  services.localtimed.enable = true;
+
+  programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
+
+  services.printing.enable = true;
+  services.pulseaudio.enable = false;
+  services.libinput.enable = true;
+
+  services.xserver.enable = true;
+  services.xserver.xkb.layout = "us";
+  services.desktopManager.gnome.enable = true;
+  services.displayManager.gdm.enable = true;
+
+  system.stateVersion = "24.11";
+}

modules/nixos/gateway.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  ...
+}:
+{
+  networking.hostName = "gateway";
+  networking.domain = "";
+
+  # Open additional ports beyond the SSH default from hetzner.nix
+  networking.firewall = {
+    allowedTCPPorts = [
+      80 # HTTP
+      443 # HTTPS
+    ];
+    allowedUDPPorts = [
+      443 # QUIC / HTTP/3
+    ];
+  };
+
+  # User account
+  users.users = {
+    root.openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM48VQYrCQErK9QdC/mZ61Yzjh/4xKpgZ2WU5G19FpBG"
+    ];
+    "${config.user.name}" = {
+      isNormalUser = true;
+      extraGroups = [
+        "wheel"
+      ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM48VQYrCQErK9QdC/mZ61Yzjh/4xKpgZ2WU5G19FpBG"
+      ];
+    };
+  };
+
+  # TODO: Authelia - authentication server (disabled until secrets/domains are configured)
+  # services.authelia.instances.main = {
+  #   enable = true;
+  #   settings = { ... };
+  #   secrets = { ... };
+  # };
+
+  # Passwordless sudo via SSH agent forwarding
+  security.pam.rssh.enable = true;
+  security.pam.services.sudo.rssh = true;
+
+  # Netbird - mesh VPN
+  services.netbird.enable = true;
+
+  system.stateVersion = "25.11";
+}