nixos-config/machines/NixOS-VPS/services/xtls.nix

{ config, pkgs, inputs, modulesPath, ... }:
let
  inherit (pkgs.hostPlatform) system;
  cert-key = config.sops.secrets."cert.key".path;
  cert-pem = config.sops.secrets."cert.pem".path;
  nginx-conf = config.sops.secrets."nginx.conf".path;
  marzban-env = config.sops.secrets.marzban.path;
  fqdn = "wg.ataraxiadev.com";
in {
  disabledModules = [ "${modulesPath}/services/web-apps/ocis.nix" ];
  imports = [ inputs.ataraxiasjel-nur.nixosModules.ocis ];
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  sops.secrets = let
    nginx = {
      sopsFile = inputs.self.secretsDir + /nixos-vps/nginx.yaml;
      restartUnits = [ "podman-nginx.service" ];
    };
    marzban = {
      format = "dotenv";
      sopsFile = inputs.self.secretsDir + /nixos-vps/marzban.env;
      restartUnits = [ "podman-marzban.service" ];
    };
    cf-dns-api = {
      sopsFile = inputs.self.secretsDir + /misc.yaml;
      owner = "acme";
    };
  in {
    "cert.key" = nginx;
    "cert.pem" = nginx;
    "nginx.conf" = nginx;
    inherit cf-dns-api marzban;
  };

  virtualisation.oci-containers.containers = {
    marzban = {
      autoStart = true;
      image = "ghcr.io/gozargah/marzban:v0.7.0";
      environmentFiles = [ marzban-env ];
      extraOptions = [ "--network=host" ];
      volumes = [
        "/srv/marzban:/var/lib/marzban"
      ];
    };
    nginx = {
      autoStart = true;
      image = "docker.io/nginx:latest";
      extraOptions = [ "--network=host" ];
      volumes = [
        "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
        "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
        "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem:/etc/ssl/certs/cert.pem:ro"
        "${config.security.acme.certs.${fqdn}.directory}/key.pem:/etc/ssl/certs/cert.key:ro"
        "${nginx-conf}:/etc/nginx/nginx.conf:ro"
      ];
    };
  };

  services.ocis = {
    enable = true;
    package = inputs.ataraxiasjel-nur.packages.${system}.ocis-bin;
    configDir = "/srv/ocis/config";
    baseDataPath = "/srv/ocis/data";
    environment = {
      OCIS_INSECURE = "false";
      OCIS_URL = "https://cloud.ataraxiadev.com";
      PROXY_HTTP_ADDR = "127.0.0.1:9200";
      PROXY_TLS = "false";
    };
  };

  systemd.tmpfiles.rules = [
    "d /srv/marzban 0755 root root -"
  ];

  # OpenConnect
  security.acme = {
    acceptTerms = true;
    defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
    defaults.email = "admin@ataraxiadev.com";
    defaults.renewInterval = "weekly";
    certs = {
      ${fqdn} = {
        extraDomainNames = [
          "auth.ataraxiadev.com"
          "doh.ataraxiadev.com"
        ];
        dnsResolver = "1.1.1.1:53";
        dnsProvider = "cloudflare";
        credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;
        reloadServices = [ "podman-nginx.service" ];
      };
    };
  };
  persist.state.directories = [ "/var/lib/acme" ];
}
update NixOS-VPS machine 2024-06-30 13:47:03 +03:00			`{ config, pkgs, inputs, modulesPath, ... }:`
update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`let`
change nextcloud to ocis on nixos-vps 2024-02-01 22:50:21 +03:00			`inherit (pkgs.hostPlatform) system;`
update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`cert-key = config.sops.secrets."cert.key".path;`
			`cert-pem = config.sops.secrets."cert.pem".path;`
			`nginx-conf = config.sops.secrets."nginx.conf".path;`
			`marzban-env = config.sops.secrets.marzban.path;`
disable cloudflare proxy 2024-11-20 03:49:52 +03:00			`fqdn = "wg.ataraxiadev.com";`
update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`in {`
update NixOS-VPS machine 2024-06-30 13:47:03 +03:00			`disabledModules = [ "${modulesPath}/services/web-apps/ocis.nix" ];`
minor fixes 2024-02-06 20:23:25 +03:00			`imports = [ inputs.ataraxiasjel-nur.nixosModules.ocis ];`
update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`networking.firewall.allowedTCPPorts = [ 80 443 ];`

			`sops.secrets = let`
			`nginx = {`
			`sopsFile = inputs.self.secretsDir + /nixos-vps/nginx.yaml;`
			`restartUnits = [ "podman-nginx.service" ];`
			`};`
			`marzban = {`
			`format = "dotenv";`
			`sopsFile = inputs.self.secretsDir + /nixos-vps/marzban.env;`
			`restartUnits = [ "podman-marzban.service" ];`
			`};`
disable cloudflare proxy 2024-11-20 03:49:52 +03:00			`cf-dns-api = {`
			`sopsFile = inputs.self.secretsDir + /misc.yaml;`
			`owner = "acme";`
			`};`
update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`in {`
			`"cert.key" = nginx;`
			`"cert.pem" = nginx;`
			`"nginx.conf" = nginx;`
disable cloudflare proxy 2024-11-20 03:49:52 +03:00			`inherit cf-dns-api marzban;`
update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`};`

			`virtualisation.oci-containers.containers = {`
			`marzban = {`
			`autoStart = true;`
disable cloudflare proxy 2024-11-20 03:49:52 +03:00			`image = "ghcr.io/gozargah/marzban:v0.7.0";`
update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`environmentFiles = [ marzban-env ];`
			`extraOptions = [ "--network=host" ];`
			`volumes = [`
			`"/srv/marzban:/var/lib/marzban"`
			`];`
			`};`
			`nginx = {`
			`autoStart = true;`
			`image = "docker.io/nginx:latest";`
			`extraOptions = [ "--network=host" ];`
			`volumes = [`
disable cloudflare proxy 2024-11-20 03:49:52 +03:00			`"${cert-key}:/etc/ssl/certs/cf-cert.key:ro"`
			`"${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"`
			`"${config.security.acme.certs.${fqdn}.directory}/fullchain.pem:/etc/ssl/certs/cert.pem:ro"`
			`"${config.security.acme.certs.${fqdn}.directory}/key.pem:/etc/ssl/certs/cert.key:ro"`
update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`"${nginx-conf}:/etc/nginx/nginx.conf:ro"`
			`];`
			`};`
			`};`

change nextcloud to ocis on nixos-vps 2024-02-01 22:50:21 +03:00			`services.ocis = {`
			`enable = true;`
			`package = inputs.ataraxiasjel-nur.packages.${system}.ocis-bin;`
			`configDir = "/srv/ocis/config";`
			`baseDataPath = "/srv/ocis/data";`
			`environment = {`
			`OCIS_INSECURE = "false";`
			`OCIS_URL = "https://cloud.ataraxiadev.com";`
			`PROXY_HTTP_ADDR = "127.0.0.1:9200";`
			`PROXY_TLS = "false";`
			`};`
			`};`

update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`systemd.tmpfiles.rules = [`
			`"d /srv/marzban 0755 root root -"`
			`];`
disable cloudflare proxy 2024-11-20 03:49:52 +03:00
			`# OpenConnect`
			`security.acme = {`
			`acceptTerms = true;`
			`defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production`
			`defaults.email = "admin@ataraxiadev.com";`
			`defaults.renewInterval = "weekly";`
			`certs = {`
			`${fqdn} = {`
			`extraDomainNames = [`
			`"auth.ataraxiadev.com"`
			`"doh.ataraxiadev.com"`
			`];`
			`dnsResolver = "1.1.1.1:53";`
			`dnsProvider = "cloudflare";`
			`credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;`
			`reloadServices = [ "podman-nginx.service" ];`
			`};`
			`};`
			`};`
			`persist.state.directories = [ "/var/lib/acme" ];`
update flake, move to new vps... again 2023-12-23 01:26:18 +03:00			`}`