add vpsfree.cz box

flake.nix

@@ -54,6 +54,7 @@
         thinky = mkWorkstation nixpkgs-stable "x86_64-linux" "thinky";
         bolty = mkServer nixpkgs-stable "x86_64-linux" "bolty";
         vultr1 = mkServer nixpkgs-stable "x86_64-linux" "vultr1";
+        vpsfree1 = mkServer nixpkgs-stable "x86_64-linux" "vpsfree1";
         rpi4_8 = mkRaspi nixpkgs-stable "rpi4-8";
 
         bootstrap = nixpkgs-stable.lib.nixosSystem rec {

nixos/boxes/vpsfree1/default.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, inputs, lib, ... }:
+{
+  networking.hostName = "vpsfree1";
+
+  imports = [
+    ./vpsfree1-vpsadminos.nix
+    ./tailscale-vpsfree1.nix
+    ../cli.nix
+    ../../server-security.nix
+    ../../tailscale.nix
+  ];
+
+  systemd.extraConfig = ''
+    DefaultTimeoutStartSec=900s
+  '';
+
+  time.timeZone = "Europe/London";
+}
+

nixos/boxes/vpsfree1/tailscale-vpsfree1.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, inputs, lib, ... }:
+let
+  tailscale = inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux".tailscale;
+in
+{
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey tskey-ketJA57CNTRL-d8cMQZK6jjgtSDgXiarET1
+    '';
+  };
+}

nixos/boxes/vpsfree1/vpsfree1-vpsadminos.nix

@@ -0,0 +1,56 @@
+# This file provides compatibility for NixOS to run in a container on vpsAdminOS
+# hosts.
+#
+# If you're experiencing issues, try updating this file to the latest version
+# from vpsAdminOS repository:
+#
+#   https://github.com/vpsfreecz/vpsadminos/blob/staging/os/lib/nixos-container/vpsadminos.nix
+
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  nameservers = [
+    "1.1.1.1"
+    "2606:4700:4700::1111"
+  ];
+in
+{
+  networking.nameservers = lib.mkDefault nameservers;
+  services.resolved = lib.mkDefault { fallbackDns = nameservers; };
+  networking.dhcpcd.extraConfig = "noipv4ll";
+
+  systemd.services.systemd-sysctl.enable = false;
+  systemd.sockets."systemd-journald-audit".enable = false;
+  systemd.mounts = [{ where = "/sys/kernel/debug"; enable = false; }];
+  systemd.services.systemd-udev-trigger.enable = false;
+  systemd.services.rpc-gssd.enable = false;
+
+  boot.isContainer = true;
+  boot.enableContainers = mkDefault true;
+  boot.loader.initScript.enable = true;
+  boot.specialFileSystems."/run/keys".fsType = lib.mkForce "tmpfs";
+  boot.systemdExecutable = mkDefault "systemd systemd.unified_cgroup_hierarchy=0";
+
+  # Overrides for <nixpkgs/nixos/modules/virtualisation/container-config.nix>
+  documentation.enable = mkOverride 500 true;
+  documentation.nixos.enable = mkOverride 500 true;
+  networking.useHostResolvConf = mkOverride 500 false;
+  services.openssh.startWhenNeeded = mkOverride 500 false;
+
+  # Bring up the network, /ifcfg.{add,del} are supplied by the vpsAdminOS host
+  systemd.services.networking-setup = {
+    description = "Load network configuration provided by the vpsAdminOS host";
+    before = [ "network.target" ];
+    wantedBy = [ "network.target" ];
+    after = [ "network-pre.target" ];
+    path = [ pkgs.iproute ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.bash}/bin/bash /ifcfg.add";
+      ExecStop = "${pkgs.bash}/bin/bash /ifcfg.del";
+    };
+    unitConfig.ConditionPathExists = "/ifcfg.add";
+  };
+}
+