diff --git a/machines/AMD-Workstation/default.nix b/machines/AMD-Workstation/default.nix index d31887f..abe8066 100644 --- a/machines/AMD-Workstation/default.nix +++ b/machines/AMD-Workstation/default.nix @@ -103,5 +103,12 @@ system.stateVersion = "23.05"; secrets.wg-ataraxia.services = [ "wg-quick-wg0.service" ]; - networking.wg-quick.interfaces.wg0.configFile = config.secrets.wg-ataraxia.decrypted; + networking.wg-quick.interfaces.wg0 = { + autostart = false; + configFile = config.secrets.wg-ataraxia.decrypted; + }; + + services.tailscale.enable = true; + services.tailscale.useRoutingFeatures = "client"; + persist.state.directories = [ "/var/lib/tailscale" ]; } diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix index 5b3c5ab..13dfbac 100644 --- a/machines/Home-Hypervisor/default.nix +++ b/machines/Home-Hypervisor/default.nix @@ -10,7 +10,7 @@ in { nixosRoles.hypervisor nixosProfiles.acme - nixosProfiles.authentik + # nixosProfiles.authentik nixosProfiles.battery-historian nixosProfiles.duplicacy nixosProfiles.fail2ban @@ -73,11 +73,16 @@ in { memoryPercent = 150; }; + services.tailscale.enable = true; + services.tailscale.useRoutingFeatures = "client"; # Impermanence persist = { enable = true; cache.clean.enable = true; - state.files = [ "/etc/machine-id" ]; + state = { + files = [ "/etc/machine-id" ]; + directories = [ "/var/lib/tailscale" ]; + }; }; fileSystems."/home".neededForBoot = true; fileSystems.${persistRoot}.neededForBoot = true; diff --git a/machines/Home-Hypervisor/dns-mapping.nix b/machines/Home-Hypervisor/dns-mapping.nix index 269cd33..9600aa7 100644 --- a/machines/Home-Hypervisor/dns-mapping.nix +++ b/machines/Home-Hypervisor/dns-mapping.nix @@ -2,6 +2,8 @@ dns-mapping = { customDNS = { mapping = { + "anime.ataraxiadev.com" = "193.219.97.142"; + "auth.ataraxiadev.com" = "193.219.97.142"; "coturn.pve" = "192.168.0.20"; "matrix.pve" = "192.168.0.11"; "monero.pve" = "192.168.0.13"; 
@@ -19,7 +21,6 @@ rewrite = { "api.ataraxiadev.com" = "ataraxiadev.com"; "ataraxiadev.com" = "nginx.pve"; - "auth.ataraxiadev.com" = "ataraxiadev.com"; "bathist.ataraxiadev.com" = "bathist.ataraxiadev.com"; "browser.ataraxiadev.com" = "ataraxiadev.com"; "cache.ataraxiadev.com" = "ataraxiadev.com"; diff --git a/machines/NixOS-VPS/default.nix b/machines/NixOS-VPS/default.nix index db45f97..8171c89 100644 --- a/machines/NixOS-VPS/default.nix +++ b/machines/NixOS-VPS/default.nix @@ -7,12 +7,19 @@ ./hardware ./network.nix ./nix.nix + ./services/authentik.nix ./services/backups.nix ./services/dns.nix + ./services/nginx.nix ./services/tor-bridge.nix ./services/wireguard.nix ./services/xtls.nix + (import ./services/headscale.nix { + inherit config lib pkgs; + inherit (import ./hardware/dns-mapping.nix) dns-mapping; + }) + customModules.devices customModules.users @@ -24,9 +31,8 @@ # Misc boot = { - # TODO: hardened kernel with bcachefs patches supportedFilesystems = [ "vfat" "btrfs" ]; - kernelModules = [ "tcp_bbr" ]; + kernelModules = [ "tcp_bbr" "veth" "x_tables" ]; kernelParams = [ "scsi_mod.use_blk_mq=1" "kvm.ignore_msrs=1" @@ -144,6 +150,24 @@ }]; }]; + # Podman + virtualisation = { + oci-containers.backend = lib.mkForce "podman"; + podman.enable = true; + podman.dockerSocket.enable = true; + containers.registries.search = [ + "docker.io" "gcr.io" "quay.io" + ]; + containers.storage.settings = { + storage = { + driver = "overlay"; + graphroot = "/var/lib/podman/storage"; + runroot = "/run/containers/storage"; + }; + }; + }; + security.unprivilegedUsernsClone = true; + # Directory for some state files (like wireguard keys) systemd.tmpfiles.rules = [ "d /srv 0755 root root -" diff --git a/machines/NixOS-VPS/hardware/dns-mapping.nix b/machines/NixOS-VPS/hardware/dns-mapping.nix new file mode 100644 index 0000000..489878a --- /dev/null +++ b/machines/NixOS-VPS/hardware/dns-mapping.nix 
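Review bot: `podman.dockerSocket.enable = true` in the Podman hunk of machines/NixOS-VPS/default.nix publishes the Podman API as a Docker-compatible socket, and on NixOS that socket is open to members of the `podman` group, which the option itself documents as root-equivalent; nothing in this commit consumes it (the only socket mount in the new authentik.nix is commented out). Unless a tool on the VPS actually needs the Docker API, leave it disabled, or record the consumer next to it, e.g. `# docker.sock compatibility for <consumer>; members of `podman` are root-equivalent`. `security.unprivilegedUsernsClone = true;` in the same hunk also merits a one-line why-comment, especially as the `TODO: hardened kernel` note is removed two hunks earlier.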
@@ -0,0 +1,85 @@ +{ + dns-mapping = [ + { name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "bathist.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "browser.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "cinny.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "cocalc.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "dimension.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "fb.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "fsync.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "goneb.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "jitsi.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "mail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "microbin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "nzbhydra.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "organizr.ataraxiadev.com"; type = "A"; value = 
"100.64.0.3"; } + { name = "prowlarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "shoko.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "sonarrtv.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "startpage.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + { name = "webmail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } + + { name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "bathist.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "browser.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "cinny.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "cocalc.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "dimension.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "fb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "fsync.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "goneb.ataraxiadev.com"; type = 
"AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "jitsi.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "mail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "microbin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "nzbhydra.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "organizr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "prowlarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "shoko.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "sonarrtv.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "startpage.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "tools.ataraxiadev.com"; type = 
"AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + { name = "webmail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } + ]; +} diff --git a/machines/NixOS-VPS/hardware/networks.nix b/machines/NixOS-VPS/hardware/networks.nix index 17de91e..ca06f9d 100644 --- a/machines/NixOS-VPS/hardware/networks.nix +++ b/machines/NixOS-VPS/hardware/networks.nix @@ -1,5 +1,6 @@ rec { privateIPv6Prefix = "fd3a:900e:8e74:ffff"; + domain = "wg.ataraxiadev.com"; interfaces = { # This is the public-facing interface. Any interface name with a prime diff --git a/machines/NixOS-VPS/network.nix b/machines/NixOS-VPS/network.nix index 8319b36..1e7fa04 100644 --- a/machines/NixOS-VPS/network.nix +++ b/machines/NixOS-VPS/network.nix @@ -1,6 +1,6 @@ { config, ... }: let - inherit (import ./hardware/networks.nix) interfaces; + inherit (import ./hardware/networks.nix) interfaces domain; in { services.resolved.enable = true; networking = { @@ -8,8 +8,8 @@ in { usePredictableInterfaceNames = true; useDHCP = false; dhcpcd.enable = false; - nftables.enable = true; - domain = "wg.ataraxiadev.com"; + nftables.enable = false; # incompatible with tailscale and docker/podman + domain = domain; }; systemd.network = with interfaces.main'; { enable = true; diff --git a/machines/NixOS-VPS/services/authentik.nix b/machines/NixOS-VPS/services/authentik.nix new file mode 100644 index 0000000..2ef7acb --- /dev/null +++ b/machines/NixOS-VPS/services/authentik.nix 
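Review bot: The new hardware/dns-mapping.nix spells out the same 40 hostnames twice, once for A and once for AAAA, so adding or removing a host takes two edits and the two sets can silently drift apart. Deriving both lists from a single host list keeps them in lock-step; the file takes no arguments, so builtins suffice, as in the rewrite below.
```nix
let
  hosts = [
    "api" "bathist" "browser" "cache" "cinny" "cocalc" "code" "dimension"
    "element" "fb" "file" "fsync" "goneb" "home" "jackett" "jellyfin" "jitsi"
    "joplin" "kavita" "ldap" "mail" "matrix" "medusa" "microbin" "nzbhydra"
    "openbooks" "organizr" "prowlarr" "qbit" "radarr" "restic" "shoko" "sonarr"
    "sonarrtv" "startpage" "stats" "tools" "turn" "vw" "webmail"
  ];
  # One extra_records entry for headscale: <host>.ataraxiadev.com -> value.
  record = type: value: host: {
    name = "${host}.ataraxiadev.com";
    inherit type value;
  };
in {
  dns-mapping = map (record "A" "100.64.0.3") hosts
    ++ map (record "AAAA" "fd7a:115c:a1e0::3") hosts;
}
```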
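Review bot: `nftables.enable = false` in network.nix moves the NixOS firewall back to the iptables backend, and as far as I recall the nftables module is gated on that option, so any rulesets declared under `networking.nftables.*` elsewhere in this host's configuration would stop being loaded without an evaluation error; none are visible here, but it is worth checking the other imported files. The trailing comment giving the reason is good; `domain = domain;` in the same hunk can simply be `inherit domain;`.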
@@ -0,0 +1,133 @@ +{ config, pkgs, lib, inputs, ... }: +let + backend = config.virtualisation.oci-containers.backend; + data-dir = "/srv/authentik"; + pod-name = "authentik-pod"; + open-ports = [ + # authentik + "127.0.0.1:9000:9000/tcp" "127.0.0.1:9443:9443/tcp" + # ldap + "127.0.0.1:389:3389/tcp" "127.0.0.1:636:6636/tcp" + ]; + owner = "1000"; + authentik-version = "2023.5.4"; +in { + services.nginx.virtualHosts."auth.ataraxiadev.com" = { + forceSSL = true; + enableACME = false; + useACMEHost = "wg.ataraxiadev.com"; + locations."/" = { + proxyPass = "http://127.0.0.1:9000"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + ''; + }; + }; + + + virtualisation.oci-containers.containers = { + authentik-postgresql = { + autoStart = true; + image = "docker.io/library/postgres:12-alpine"; + extraOptions = [ "--pod=${pod-name}" ]; + environmentFiles = [ "${data-dir}/env" ]; + volumes = [ + "${data-dir}/db:/var/lib/postgresql/data" + ]; + }; + authentik-redis = { + autoStart = true; + image = "docker.io/library/redis:alpine"; + cmd = [ "--save" "60" "1" "--loglevel" "warning" ]; + extraOptions = [ "--pod=${pod-name}" ]; + volumes = [ + "${data-dir}/redis:/data" + ]; + }; + authentik-server = { + autoStart = true; + dependsOn = [ "authentik-postgresql" "authentik-redis" ]; + image = "ghcr.io/goauthentik/server:${authentik-version}"; + cmd = [ "server" ]; + extraOptions = [ "--pod=${pod-name}" ]; + environment = { + AUTHENTIK_REDIS__HOST = "authentik-redis"; + AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql"; + }; + environmentFiles = [ "${data-dir}/env" ]; + volumes = [ + "${data-dir}/media:/media" + "${data-dir}/custom-templates:/templates" + ]; + }; + authentik-worker = { + autoStart = true; + dependsOn = 
[ "authentik-server" ]; + image = "ghcr.io/goauthentik/server:${authentik-version}"; + cmd = [ "worker" ]; + extraOptions = [ "--pod=${pod-name}" ]; + environment = { + AUTHENTIK_REDIS__HOST = "authentik-redis"; + AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql"; + }; + environmentFiles = [ "${data-dir}/env" ]; + # user = "root"; + volumes = [ + # "/var/run/${backend}/${backend}.sock" + "${data-dir}/media:/media" + "${data-dir}/certs:/certs" + "${data-dir}/custom-templates:/templates" + ]; + }; + authentik-ldap = { + autoStart = true; + dependsOn = [ "authentik-server" ]; + image = "ghcr.io/goauthentik/ldap:${authentik-version}"; + extraOptions = [ "--pod=${pod-name}" ]; + environment = { + AUTHENTIK_HOST = "https://auth.ataraxiadev.com"; + AUTHENTIK_INSECURE = "false"; + }; + environmentFiles = [ "${data-dir}/ldap" ]; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${data-dir}/db 0700 70 root -" + "d ${data-dir}/redis 0755 999 root -" + "d ${data-dir}/media 0755 ${owner} ${owner} -" + "d ${data-dir}/certs 0755 ${owner} ${owner} -" + "d ${data-dir}/custom-templates 0755 ${owner} ${owner} -" + ]; + + systemd.services."podman-create-${pod-name}" = let + portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports; + start = pkgs.writeShellScript "create-pod" '' + podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping} + ''; + stop = "podman pod rm -i -f ${pod-name}"; + in rec { + path = [ pkgs.coreutils config.virtualisation.podman.package ]; + before = [ + "${backend}-authentik-postgresql.service" + "${backend}-authentik-redis.service" + "${backend}-authentik-server.service" + "${backend}-authentik-worker.service" + "${backend}-authentik-ldap.service" + ]; + requiredBy = before; + partOf = before; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = start; + ExecStop = stop; + }; + }; +} \ No newline at end of file 
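Review bot: The images in the new authentik.nix are pulled by mutable tag only: `docker.io/library/redis:alpine` floats across major releases and `postgres:12-alpine` across patch releases, while the authentik images are at least pinned to `2023.5.4`. Pinning each by digest, e.g. `image = "docker.io/library/redis:alpine@sha256:<digest recorded at deploy time>";`, makes rebuilds reproducible and stops a tag repoint from landing unnoticed in the identity provider that headscale, the LDAP outpost and the reverse proxies all rely on. The credential files these containers read, `${data-dir}/env` and `${data-dir}/ldap`, are not created by the tmpfiles rules here, so confirm they are provisioned mode 0600 and root-owned wherever that happens. A comment beside `"d ${data-dir}/db 0700 70 root -"` and the redis rule naming which in-image uids 70 and 999 are would spare the next reader a lookup.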
diff --git a/machines/NixOS-VPS/services/headscale.nix b/machines/NixOS-VPS/services/headscale.nix new file mode 100644 index 0000000..c6d02b4 --- /dev/null +++ b/machines/NixOS-VPS/services/headscale.nix 
@@ -0,0 +1,65 @@ +{ config, pkgs, lib, dns-mapping ? {}, ... }: +let + domain = (import ../hardware/networks.nix).domain; + bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName; + tailscalePort = config.services.tailscale.port; + tailscaleIfname = config.services.tailscale.interfaceName; +in { + networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ]; + networking.firewall.trustedInterfaces = [ tailscaleIfname ]; + + systemd.network.networks."50-tailscale" = { + matchConfig.Name = tailscaleIfname; + linkConfig.Unmanaged = true; + linkConfig.ActivationPolicy = "manual"; + }; + environment.systemPackages = [ config.services.headscale.package ]; + + services.headscale = { + enable = true; + address = "0.0.0.0"; + port = 8080; + settings = { + logtail.enabled = false; + server_url = "https://${domain}"; + ip_prefixes = [ + "fd7a:115c:a1e0::/64" "100.64.0.0/16" + ]; + dns_config = { + base_domain = domain; + nameservers = [ "127.0.0.1" ]; + extra_records = dns-mapping; + }; + oidc = { + only_start_if_oidc_is_available = true; + issuer = "https://auth.ataraxiadev.com/application/o/headscale/"; + client_id = "n6UBhK8PahexLPb7GkU1xzoFLcYxQX0HWDytpUoi"; + scope = [ "openid" "profile" "email" "groups" ]; + allowed_groups = [ "headscale" ]; + strip_email_domain = true; + }; + }; + }; + systemd.services.headscale = { + serviceConfig.TimeoutStopSec = 10; + serviceConfig.EnvironmentFile = "/srv/headscale-oidc"; + serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" '' + until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done + ''); + }; + + services.tailscale = { + enable = true; + port = 18491; + useRoutingFeatures = "both"; + }; + services.nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = false; + useACMEHost = "wg.ataraxiadev.com"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}"; + proxyWebsockets = true; + }; + }; +} \ No newline 
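Review bot: `address = "0.0.0.0"` puts headscale's plain-HTTP listener on port 8080 on every interface, and the same file adds `networking.firewall.trustedInterfaces = [ tailscaleIfname ]`, so every tailnet node gets unfiltered access to that listener (and to anything else bound to all interfaces) without passing through the TLS vhost nginx fronts it with. Because nginx proxies to `http://127.0.0.1:${toString config.services.headscale.port}`, `address = "127.0.0.1";` closes that path; if peers do need direct access to specific services, `networking.firewall.interfaces.${tailscaleIfname}.allowedTCPPorts` is narrower than trusting the whole interface. The `wait-dns.sh` ExecStartPre loop has no bound of its own and relies on systemd's start timeout; a comment such as `# block until the OIDC issuer resolves: only_start_if_oidc_is_available makes headscale exit otherwise` would explain it. `strip_email_domain = true` merges identical local parts from different mail domains into one headscale user; `allowed_groups` limits the exposure, but that trade-off deserves a why-comment too.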
at end of file diff --git a/machines/NixOS-VPS/services/nginx.nix b/machines/NixOS-VPS/services/nginx.nix new file mode 100644 index 0000000..6e5c7da --- /dev/null +++ b/machines/NixOS-VPS/services/nginx.nix 
@@ -0,0 +1,48 @@ +{ config, pkgs, lib, ... }: { + security.acme = { + acceptTerms = true; + # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + defaults.email = "admin@ataraxiadev.com"; + defaults.renewInterval = "weekly"; + certs = { + "wg.ataraxiadev.com" = { + webroot = "/var/lib/acme/acme-challenge"; + extraDomainNames = [ + "anime.ataraxiadev.com" + "auth.ataraxiadev.com" + ]; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.nginx = { + enable = true; + group = "acme"; + recommendedBrotliSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + # recommendedProxySettings = true; + recommendedTlsSettings = true; + # recommendedZstdSettings = true; # forcing nginx rebuild + appendConfig = '' + worker_processes auto; + ''; + appendHttpConfig = '' + map $proxy_protocol_addr $proxy_forwarded_elem { + ~^[0-9.]+$ "for=$proxy_protocol_addr"; + ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\""; + default "for=unknown"; + } + map $http_forwarded $proxy_add_forwarded { + "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; + default "$proxy_forwarded_elem"; + } + ''; + eventsConfig = '' + worker_connections 1024; + ''; + + }; +} \ No newline at end of file 
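Review bot: The nginx settings moved here from xtls.nix lost `sslProtocols = "TLSv1.3";` — the removed block in xtls.nix had it and the new `services.nginx` block does not — so the server falls back to the module default, which also offers TLS 1.2, and that now applies to the auth and headscale vhosts sharing this instance. If that loosening was not intended, add `sslProtocols = "TLSv1.3";` next to `recommendedTlsSettings = true;`. The commented `defaults.server = ...staging...` line reads like a leftover; if it is kept deliberately, a comment such as `# uncomment to test renewals against the staging CA without hitting rate limits` makes that explicit.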
diff --git a/machines/NixOS-VPS/services/wireguard.nix b/machines/NixOS-VPS/services/wireguard.nix index 333c464..b11ba4e 100644 --- a/machines/NixOS-VPS/services/wireguard.nix +++ b/machines/NixOS-VPS/services/wireguard.nix @@ -7,7 +7,7 @@ in { networking.firewall = { allowedUDPPorts = [ wireguardPort ]; - checkReversePath = false; + checkReversePath = lib.mkForce false; }; boot.kernelModules = [ "wireguard" ]; diff --git a/machines/NixOS-VPS/services/xtls.nix b/machines/NixOS-VPS/services/xtls.nix index 4f99e41..99a6580 100644 --- a/machines/NixOS-VPS/services/xtls.nix +++ b/machines/NixOS-VPS/services/xtls.nix 
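Review bot: `checkReversePath = lib.mkForce false` resolves the option conflict by turning reverse-path filtering off for the whole host, whereas the definition it overrides (the tailscale module sets "loose" when `useRoutingFeatures` is "client" or "both", which headscale.nix selects) keeps a loose check in place. `checkReversePath` accepts "loose", so `checkReversePath = lib.mkForce "loose";` covers the asymmetric routes a WireGuard endpoint typically produces without disabling the anti-spoofing check entirely; confirm this wg setup does not genuinely need it off. In either case the `mkForce` deserves a comment naming the conflicting definition it overrides.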
@@ -1,56 +1,30 @@ { config, pkgs, lib, ... }: { - security.acme = { - acceptTerms = true; - defaults.email = "admin@ataraxiadev.com"; - defaults.renewInterval = "weekly"; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - services.nginx = { - enable = true; - group = "acme"; - recommendedBrotliSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - # recommendedProxySettings = true; - recommendedTlsSettings = true; - # recommendedZstdSettings = true; # forcing nginx rebuild - sslProtocols = "TLSv1.3"; - appendConfig = '' - worker_processes auto; - ''; - appendHttpConfig = '' - map $proxy_protocol_addr $proxy_forwarded_elem { - ~^[0-9.]+$ "for=$proxy_protocol_addr"; - ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\""; - default "for=unknown"; - } - map $http_forwarded $proxy_add_forwarded { - "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; - default "$proxy_forwarded_elem"; - } - ''; - eventsConfig = '' - worker_connections 1024; - ''; - virtualHosts."wg.ataraxiadev.com" = { - enableACME = true; + services.nginx.virtualHosts = { + "anime.ataraxiadev.com" = { forceSSL = true; + enableACME = false; + useACMEHost = "wg.ataraxiadev.com"; + locations."/" = { + extraConfig = '' + proxy_pass http://127.0.0.1:5443; + ''; + }; + }; + "xtls:8001" = { + enableACME = false; + forceSSL = false; listen = [{ addr = "127.0.0.1"; 
port = 8001; - ssl = true; - extraParameters = [ "proxy_protocol" ]; + ssl = false; + extraParameters = [ "http2" "proxy_protocol" ]; }]; - extraConfig = '' - set_real_ip_from 127.0.0.1; - ''; + serverAliases = [ "anime.ataraxiadev.com" ]; locations."/" = { extraConfig = '' sub_filter $proxy_host $host; sub_filter_once off; - proxy_pass https://www.lovelive-anime.jp; + proxy_pass https://www.crunchyroll.com; proxy_set_header Host $proxy_host; proxy_cache_bypass $http_upgrade; proxy_ssl_server_name on; @@ -65,7 +39,6 @@ proxy_read_timeout 60s; resolver 127.0.0.1; ''; - proxyWebsockets = true; }; }; }; diff --git a/profiles/servers/authentik.nix b/profiles/servers/authentik.nix index 5350788..d8b20d8 100644 --- a/profiles/servers/authentik.nix +++ b/profiles/servers/authentik.nix @@ -84,7 +84,7 @@ in { systemd.tmpfiles.rules = [ "d ${data-dir}/db 0700 70 root -" - "d ${data-dir}/redis 0755 dhcpcd root -" + "d ${data-dir}/redis 0755 999 root -" "d ${data-dir}/media 0755 ${owner} ${owner} -" "d ${data-dir}/certs 0755 ${owner} ${owner} -" "d ${data-dir}/custom-templates 0755 ${owner} ${owner} -" diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix index 481db90..53aa2a8 100644 --- a/profiles/servers/nginx.nix +++ b/profiles/servers/nginx.nix @@ -25,7 +25,8 @@ let } // root; "/outpost.goauthentik.io" = { extraConfig = '' - proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io; + # proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io; + proxy_pass https://auth.ataraxiadev.com/outpost.goauthentik.io; proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; @@ -65,7 +66,7 @@ in { "joplin.ataraxiadev.com" "api.ataraxiadev.com" "fsync.ataraxiadev.com" - "auth.ataraxiadev.com" + # "auth.ataraxiadev.com" "sonarr.ataraxiadev.com" "radarr.ataraxiadev.com" "file.ataraxiadev.com" 
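Review bot: The `/outpost.goauthentik.io` location in profiles/servers/nginx.nix now sends the access-control subrequest to `https://auth.ataraxiadev.com/...`, which the LAN resolver change in this commit points at the public VPS address, yet no `proxy_ssl_verify on;` is set and nginx does not verify upstream certificates by default, so the allow/deny decision for every protected vhost rests on an unauthenticated TLS connection across the internet. Add to the same extraConfig `proxy_ssl_verify on; proxy_ssl_name auth.ataraxiadev.com; proxy_ssl_server_name on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (or whichever CA bundle the host provides). The commented-out old `proxy_pass` line can be dropped; git history keeps it. The enclosing `locations` attribute set starts before this hunk.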
@@ -169,7 +170,7 @@ in { ''; }; } // default; - "matrix:8448" = with config.security.acme; { + "matrix:8448" = { serverAliases = [ "matrix.ataraxiadev.com" ]; listen = [{ addr = "0.0.0.0"; @@ -323,13 +324,13 @@ in { extraConfig = proxySettings; }; } // default; - "auth.ataraxiadev.com" = { - locations."/" = { - proxyPass = "http://127.0.0.1:9000"; - proxyWebsockets = true; - extraConfig = proxySettings; - }; - } // default; + # "auth.ataraxiadev.com" = { + # locations."/" = { + # proxyPass = "http://127.0.0.1:9000"; + # proxyWebsockets = true; + # extraConfig = proxySettings; + # }; + # } // default; "ldap.ataraxiadev.com" = default; "api.ataraxiadev.com" = { locations."~ (\\.py|\\.sh)$" = with config.services; {
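Review bot: The `auth.ataraxiadev.com` vhost is commented out rather than removed, and the same pattern appears in this file's `-65,7` hunk (`# "auth.ataraxiadev.com"`) and in machines/Home-Hypervisor/default.nix (`# nixosProfiles.authentik`); commented-out Nix is never evaluated, so nothing keeps it in step with the live definition, and the move of authentik to the VPS is recorded in git history anyway. Delete the seven commented lines, or if the hypervisor copy is meant to be switchable back, replace them at the first of these sites with a comment such as `# authentik now runs on NixOS-VPS (services/authentik.nix); auth.ataraxiadev.com is served from there`. In the `matrix:8448` hunk, dropping the unused `with config.security.acme;` is a clean tidy-up.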