AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

authentik + headscale, and change some settings

Browse Source
This commit is contained in:
Dmitriy Kholkin 2023-06-29 23:21:54 +03:00
parent cd687b02b8
commit 1898a3f751
14 changed files with 408 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
machines/AMD-Workstation/default.nix
View File

@ -103,5 +103,12 @@
system.stateVersion = "23.05"; system.stateVersion = "23.05";
secrets.wg-ataraxia.services = [ "wg-quick-wg0.service" ]; secrets.wg-ataraxia.services = [ "wg-quick-wg0.service" ];
networking.wg-quick.interfaces.wg0.configFile = config.secrets.wg-ataraxia.decrypted; networking.wg-quick.interfaces.wg0 = {
autostart = false;
configFile = config.secrets.wg-ataraxia.decrypted;
};
services.tailscale.enable = true;
services.tailscale.useRoutingFeatures = "client";
persist.state.directories = [ "/var/lib/tailscale" ];
} }

9
machines/Home-Hypervisor/default.nix
View File

@ -10,7 +10,7 @@ in {
nixosRoles.hypervisor nixosRoles.hypervisor
nixosProfiles.acme nixosProfiles.acme
nixosProfiles.authentik # nixosProfiles.authentik
nixosProfiles.battery-historian nixosProfiles.battery-historian
nixosProfiles.duplicacy nixosProfiles.duplicacy
nixosProfiles.fail2ban nixosProfiles.fail2ban
@ -73,11 +73,16 @@ in {
memoryPercent = 150; memoryPercent = 150;
}; };
services.tailscale.enable = true;
services.tailscale.useRoutingFeatures = "client";
# Impermanence # Impermanence
persist = { persist = {
enable = true; enable = true;
cache.clean.enable = true; cache.clean.enable = true;
state.files = [ "/etc/machine-id" ]; state = {
files = [ "/etc/machine-id" ];
directories = [ "/var/lib/tailscale" ];
};
}; };
fileSystems."/home".neededForBoot = true; fileSystems."/home".neededForBoot = true;
fileSystems.${persistRoot}.neededForBoot = true; fileSystems.${persistRoot}.neededForBoot = true;

3
machines/Home-Hypervisor/dns-mapping.nix
View File

@ -2,6 +2,8 @@
dns-mapping = { dns-mapping = {
customDNS = { customDNS = {
mapping = { mapping = {
"anime.ataraxiadev.com" = "193.219.97.142";
"auth.ataraxiadev.com" = "193.219.97.142";
"coturn.pve" = "192.168.0.20"; "coturn.pve" = "192.168.0.20";
"matrix.pve" = "192.168.0.11"; "matrix.pve" = "192.168.0.11";
"monero.pve" = "192.168.0.13"; "monero.pve" = "192.168.0.13";
@ -19,7 +21,6 @@
rewrite = { rewrite = {
"api.ataraxiadev.com" = "ataraxiadev.com"; "api.ataraxiadev.com" = "ataraxiadev.com";
"ataraxiadev.com" = "nginx.pve"; "ataraxiadev.com" = "nginx.pve";
"auth.ataraxiadev.com" = "ataraxiadev.com";
"bathist.ataraxiadev.com" = "bathist.ataraxiadev.com"; "bathist.ataraxiadev.com" = "bathist.ataraxiadev.com";
"browser.ataraxiadev.com" = "ataraxiadev.com"; "browser.ataraxiadev.com" = "ataraxiadev.com";
"cache.ataraxiadev.com" = "ataraxiadev.com"; "cache.ataraxiadev.com" = "ataraxiadev.com";

28
machines/NixOS-VPS/default.nix
View File

@ -7,12 +7,19 @@
./hardware ./hardware
./network.nix ./network.nix
./nix.nix ./nix.nix
./services/authentik.nix
./services/backups.nix ./services/backups.nix
./services/dns.nix ./services/dns.nix
./services/nginx.nix
./services/tor-bridge.nix ./services/tor-bridge.nix
./services/wireguard.nix ./services/wireguard.nix
./services/xtls.nix ./services/xtls.nix
(import ./services/headscale.nix {
inherit config lib pkgs;
inherit (import ./hardware/dns-mapping.nix) dns-mapping;
})
customModules.devices customModules.devices
customModules.users customModules.users
@ -24,9 +31,8 @@
# Misc # Misc
boot = { boot = {
# TODO: hardened kernel with bcachefs patches
supportedFilesystems = [ "vfat" "btrfs" ]; supportedFilesystems = [ "vfat" "btrfs" ];
kernelModules = [ "tcp_bbr" ]; kernelModules = [ "tcp_bbr" "veth" "x_tables" ];
kernelParams = [ kernelParams = [
"scsi_mod.use_blk_mq=1" "scsi_mod.use_blk_mq=1"
"kvm.ignore_msrs=1" "kvm.ignore_msrs=1"
@ -144,6 +150,24 @@
}]; }];
}]; }];
# Podman
virtualisation = {
oci-containers.backend = lib.mkForce "podman";
podman.enable = true;
podman.dockerSocket.enable = true;
containers.registries.search = [
"docker.io" "gcr.io" "quay.io"
];
containers.storage.settings = {
storage = {
driver = "overlay";
graphroot = "/var/lib/podman/storage";
runroot = "/run/containers/storage";
};
};
};
security.unprivilegedUsernsClone = true;
# Directory for some state files (like wireguard keys) # Directory for some state files (like wireguard keys)
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /srv 0755 root root -" "d /srv 0755 root root -"

85
machines/NixOS-VPS/hardware/dns-mapping.nix Normal file
View File

@ -0,0 +1,85 @@
{
dns-mapping = [
{ name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "bathist.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "browser.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "cinny.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "cocalc.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "dimension.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "fb.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "fsync.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "goneb.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "jitsi.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "mail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "microbin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "nzbhydra.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "organizr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "prowlarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "shoko.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "sonarrtv.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "startpage.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "webmail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "bathist.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "browser.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "cinny.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "cocalc.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "dimension.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "fb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "fsync.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "goneb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "jitsi.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "mail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "microbin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "nzbhydra.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "organizr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "prowlarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "shoko.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "sonarrtv.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "startpage.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "webmail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
];
}

1
machines/NixOS-VPS/hardware/networks.nix
View File

@ -1,5 +1,6 @@
rec { rec {
privateIPv6Prefix = "fd3a:900e:8e74:ffff"; privateIPv6Prefix = "fd3a:900e:8e74:ffff";
domain = "wg.ataraxiadev.com";
interfaces = { interfaces = {
# This is the public-facing interface. Any interface name with a prime # This is the public-facing interface. Any interface name with a prime

6
machines/NixOS-VPS/network.nix
View File

@ -1,6 +1,6 @@
{ config, ... }: { config, ... }:
let let
inherit (import ./hardware/networks.nix) interfaces; inherit (import ./hardware/networks.nix) interfaces domain;
in { in {
services.resolved.enable = true; services.resolved.enable = true;
networking = { networking = {
@ -8,8 +8,8 @@ in {
usePredictableInterfaceNames = true; usePredictableInterfaceNames = true;
useDHCP = false; useDHCP = false;
dhcpcd.enable = false; dhcpcd.enable = false;
nftables.enable = true; nftables.enable = false; # incompatible with tailscale and docker/podman
domain = "wg.ataraxiadev.com"; domain = domain;
}; };
systemd.network = with interfaces.main'; { systemd.network = with interfaces.main'; {
enable = true; enable = true;

133
machines/NixOS-VPS/services/authentik.nix Normal file
View File

@ -0,0 +1,133 @@
{ config, pkgs, lib, inputs, ... }:
let
backend = config.virtualisation.oci-containers.backend;
data-dir = "/srv/authentik";
pod-name = "authentik-pod";
open-ports = [
# authentik
"127.0.0.1:9000:9000/tcp" "127.0.0.1:9443:9443/tcp"
# ldap
"127.0.0.1:389:3389/tcp" "127.0.0.1:636:6636/tcp"
];
owner = "1000";
authentik-version = "2023.5.4";
in {
services.nginx.virtualHosts."auth.ataraxiadev.com" = {
forceSSL = true;
enableACME = false;
useACMEHost = "wg.ataraxiadev.com";
locations."/" = {
proxyPass = "http://127.0.0.1:9000";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
'';
};
};
virtualisation.oci-containers.containers = {
authentik-postgresql = {
autoStart = true;
image = "docker.io/library/postgres:12-alpine";
extraOptions = [ "--pod=${pod-name}" ];
environmentFiles = [ "${data-dir}/env" ];
volumes = [
"${data-dir}/db:/var/lib/postgresql/data"
];
};
authentik-redis = {
autoStart = true;
image = "docker.io/library/redis:alpine";
cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
extraOptions = [ "--pod=${pod-name}" ];
volumes = [
"${data-dir}/redis:/data"
];
};
authentik-server = {
autoStart = true;
dependsOn = [ "authentik-postgresql" "authentik-redis" ];
image = "ghcr.io/goauthentik/server:${authentik-version}";
cmd = [ "server" ];
extraOptions = [ "--pod=${pod-name}" ];
environment = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
};
environmentFiles = [ "${data-dir}/env" ];
volumes = [
"${data-dir}/media:/media"
"${data-dir}/custom-templates:/templates"
];
};
authentik-worker = {
autoStart = true;
dependsOn = [ "authentik-server" ];
image = "ghcr.io/goauthentik/server:${authentik-version}";
cmd = [ "worker" ];
extraOptions = [ "--pod=${pod-name}" ];
environment = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
};
environmentFiles = [ "${data-dir}/env" ];
# user = "root";
volumes = [
# "/var/run/${backend}/${backend}.sock"
"${data-dir}/media:/media"
"${data-dir}/certs:/certs"
"${data-dir}/custom-templates:/templates"
];
};
authentik-ldap = {
autoStart = true;
dependsOn = [ "authentik-server" ];
image = "ghcr.io/goauthentik/ldap:${authentik-version}";
extraOptions = [ "--pod=${pod-name}" ];
environment = {
AUTHENTIK_HOST = "https://auth.ataraxiadev.com";
AUTHENTIK_INSECURE = "false";
};
environmentFiles = [ "${data-dir}/ldap" ];
};
};
systemd.tmpfiles.rules = [
"d ${data-dir}/db 0700 70 root -"
"d ${data-dir}/redis 0755 999 root -"
"d ${data-dir}/media 0755 ${owner} ${owner} -"
"d ${data-dir}/certs 0755 ${owner} ${owner} -"
"d ${data-dir}/custom-templates 0755 ${owner} ${owner} -"
];
systemd.services."podman-create-${pod-name}" = let
portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
start = pkgs.writeShellScript "create-pod" ''
podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping}
'';
stop = "podman pod rm -i -f ${pod-name}";
in rec {
path = [ pkgs.coreutils config.virtualisation.podman.package ];
before = [
"${backend}-authentik-postgresql.service"
"${backend}-authentik-redis.service"
"${backend}-authentik-server.service"
"${backend}-authentik-worker.service"
"${backend}-authentik-ldap.service"
];
requiredBy = before;
partOf = before;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = start;
ExecStop = stop;
};
};
}

65
machines/NixOS-VPS/services/headscale.nix Normal file
View File

@ -0,0 +1,65 @@
{ config, pkgs, lib, dns-mapping ? {}, ... }:
let
domain = (import ../hardware/networks.nix).domain;
bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
tailscalePort = config.services.tailscale.port;
tailscaleIfname = config.services.tailscale.interfaceName;
in {
networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
networking.firewall.trustedInterfaces = [ tailscaleIfname ];
systemd.network.networks."50-tailscale" = {
matchConfig.Name = tailscaleIfname;
linkConfig.Unmanaged = true;
linkConfig.ActivationPolicy = "manual";
};
environment.systemPackages = [ config.services.headscale.package ];
services.headscale = {
enable = true;
address = "0.0.0.0";
port = 8080;
settings = {
logtail.enabled = false;
server_url = "https://${domain}";
ip_prefixes = [
"fd7a:115c:a1e0::/64" "100.64.0.0/16"
];
dns_config = {
base_domain = domain;
nameservers = [ "127.0.0.1" ];
extra_records = dns-mapping;
};
oidc = {
only_start_if_oidc_is_available = true;
issuer = "https://auth.ataraxiadev.com/application/o/headscale/";
client_id = "n6UBhK8PahexLPb7GkU1xzoFLcYxQX0HWDytpUoi";
scope = [ "openid" "profile" "email" "groups" ];
allowed_groups = [ "headscale" ];
strip_email_domain = true;
};
};
};
systemd.services.headscale = {
serviceConfig.TimeoutStopSec = 10;
serviceConfig.EnvironmentFile = "/srv/headscale-oidc";
serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" ''
until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done
'');
};
services.tailscale = {
enable = true;
port = 18491;
useRoutingFeatures = "both";
};
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = false;
useACMEHost = "wg.ataraxiadev.com";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
}

48
machines/NixOS-VPS/services/nginx.nix Normal file
View File

@ -0,0 +1,48 @@
{ config, pkgs, lib, ... }: {
security.acme = {
acceptTerms = true;
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
defaults.email = "admin@ataraxiadev.com";
defaults.renewInterval = "weekly";
certs = {
"wg.ataraxiadev.com" = {
webroot = "/var/lib/acme/acme-challenge";
extraDomainNames = [
"anime.ataraxiadev.com"
"auth.ataraxiadev.com"
];
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
group = "acme";
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
# recommendedProxySettings = true;
recommendedTlsSettings = true;
# recommendedZstdSettings = true; # forcing nginx rebuild
appendConfig = ''
worker_processes auto;
'';
appendHttpConfig = ''
map $proxy_protocol_addr $proxy_forwarded_elem {
~^[0-9.]+$ "for=$proxy_protocol_addr";
~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
default "$proxy_forwarded_elem";
}
'';
eventsConfig = ''
worker_connections 1024;
'';
};
}

2
machines/NixOS-VPS/services/wireguard.nix
View File

@ -7,7 +7,7 @@ in {
networking.firewall = { networking.firewall = {
allowedUDPPorts = [ wireguardPort ]; allowedUDPPorts = [ wireguardPort ];
checkReversePath = false; checkReversePath = lib.mkForce false;
}; };
boot.kernelModules = [ "wireguard" ]; boot.kernelModules = [ "wireguard" ];

61
machines/NixOS-VPS/services/xtls.nix
View File

@ -1,56 +1,30 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
security.acme = { services.nginx.virtualHosts = {
acceptTerms = true; "anime.ataraxiadev.com" = {
defaults.email = "admin@ataraxiadev.com";
defaults.renewInterval = "weekly";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
group = "acme";
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
# recommendedProxySettings = true;
recommendedTlsSettings = true;
# recommendedZstdSettings = true; # forcing nginx rebuild
sslProtocols = "TLSv1.3";
appendConfig = ''
worker_processes auto;
'';
appendHttpConfig = ''
map $proxy_protocol_addr $proxy_forwarded_elem {
~^[0-9.]+$ "for=$proxy_protocol_addr";
~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
default "$proxy_forwarded_elem";
}
'';
eventsConfig = ''
worker_connections 1024;
'';
virtualHosts."wg.ataraxiadev.com" = {
enableACME = true;
forceSSL = true; forceSSL = true;
enableACME = false;
useACMEHost = "wg.ataraxiadev.com";
locations."/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:5443;
'';
};
};
"xtls:8001" = {
enableACME = false;
forceSSL = false;
listen = [{ listen = [{
addr = "127.0.0.1"; addr = "127.0.0.1";
port = 8001; port = 8001;
ssl = true; ssl = false;
extraParameters = [ "proxy_protocol" ]; extraParameters = [ "http2" "proxy_protocol" ];
}]; }];
extraConfig = '' serverAliases = [ "anime.ataraxiadev.com" ];
set_real_ip_from 127.0.0.1;
'';
locations."/" = { locations."/" = {
extraConfig = '' extraConfig = ''
sub_filter $proxy_host $host; sub_filter $proxy_host $host;
sub_filter_once off; sub_filter_once off;
proxy_pass https://www.lovelive-anime.jp; proxy_pass https://www.crunchyroll.com;
proxy_set_header Host $proxy_host; proxy_set_header Host $proxy_host;
proxy_cache_bypass $http_upgrade; proxy_cache_bypass $http_upgrade;
proxy_ssl_server_name on; proxy_ssl_server_name on;
@ -65,7 +39,6 @@
proxy_read_timeout 60s; proxy_read_timeout 60s;
resolver 127.0.0.1; resolver 127.0.0.1;
''; '';
proxyWebsockets = true;
}; };
}; };
}; };

2
profiles/servers/authentik.nix
View File

@ -84,7 +84,7 @@ in {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${data-dir}/db 0700 70 root -" "d ${data-dir}/db 0700 70 root -"
"d ${data-dir}/redis 0755 dhcpcd root -" "d ${data-dir}/redis 0755 999 root -"
"d ${data-dir}/media 0755 ${owner} ${owner} -" "d ${data-dir}/media 0755 ${owner} ${owner} -"
"d ${data-dir}/certs 0755 ${owner} ${owner} -" "d ${data-dir}/certs 0755 ${owner} ${owner} -"
"d ${data-dir}/custom-templates 0755 ${owner} ${owner} -" "d ${data-dir}/custom-templates 0755 ${owner} ${owner} -"

21
profiles/servers/nginx.nix
View File

@ -25,7 +25,8 @@ let
} // root; } // root;
"/outpost.goauthentik.io" = { "/outpost.goauthentik.io" = {
extraConfig = '' extraConfig = ''
proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io; # proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io;
proxy_pass https://auth.ataraxiadev.com/outpost.goauthentik.io;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
@ -65,7 +66,7 @@ in {
"joplin.ataraxiadev.com" "joplin.ataraxiadev.com"
"api.ataraxiadev.com" "api.ataraxiadev.com"
"fsync.ataraxiadev.com" "fsync.ataraxiadev.com"
"auth.ataraxiadev.com" # "auth.ataraxiadev.com"
"sonarr.ataraxiadev.com" "sonarr.ataraxiadev.com"
"radarr.ataraxiadev.com" "radarr.ataraxiadev.com"
"file.ataraxiadev.com" "file.ataraxiadev.com"
@ -169,7 +170,7 @@ in {
''; '';
}; };
} // default; } // default;
"matrix:8448" = with config.security.acme; { "matrix:8448" = {
serverAliases = [ "matrix.ataraxiadev.com" ]; serverAliases = [ "matrix.ataraxiadev.com" ];
listen = [{ listen = [{
addr = "0.0.0.0"; addr = "0.0.0.0";
@ -323,13 +324,13 @@ in {
extraConfig = proxySettings; extraConfig = proxySettings;
}; };
} // default; } // default;
"auth.ataraxiadev.com" = { # "auth.ataraxiadev.com" = {
locations."/" = { # locations."/" = {
proxyPass = "http://127.0.0.1:9000"; # proxyPass = "http://127.0.0.1:9000";
proxyWebsockets = true; # proxyWebsockets = true;
extraConfig = proxySettings; # extraConfig = proxySettings;
}; # };
} // default; # } // default;
"ldap.ataraxiadev.com" = default; "ldap.ataraxiadev.com" = default;
"api.ataraxiadev.com" = { "api.ataraxiadev.com" = {
locations."~ (\\.py|\\.sh)$" = with config.services; { locations."~ (\\.py|\\.sh)$" = with config.services; {