From 3da51481c24fa07360cd9eb6d6c8b049c7128a4f Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Sun, 16 Feb 2025 22:17:53 +0300
Subject: [PATCH] remove NixOS-VPS
---
 machines/NixOS-VPS/default.nix | 283 ---------------------
 machines/NixOS-VPS/disk-config.nix | 100 --------
 machines/NixOS-VPS/dns-mapping.nix | 101 --------
 machines/NixOS-VPS/hardware/networks.nix | 97 -------
 machines/NixOS-VPS/network.nix | 67 -----
 machines/NixOS-VPS/services/backups.nix | 65 -----
 machines/NixOS-VPS/services/dns.nix | 239 -----------------
 machines/NixOS-VPS/services/tailscale.nix | 38 ---
 machines/NixOS-VPS/services/tor-bridge.nix | 46 ----
 machines/NixOS-VPS/services/wireguard.nix | 132 ----------
 machines/NixOS-VPS/services/xtls.nix | 96 -------
 machines/NixOS-VPS/system | 1 -
 12 files changed, 1265 deletions(-)
 delete mode 100644 machines/NixOS-VPS/default.nix
 delete mode 100644 machines/NixOS-VPS/disk-config.nix
 delete mode 100644 machines/NixOS-VPS/dns-mapping.nix
 delete mode 100644 machines/NixOS-VPS/hardware/networks.nix
 delete mode 100644 machines/NixOS-VPS/network.nix
 delete mode 100644 machines/NixOS-VPS/services/backups.nix
 delete mode 100644 machines/NixOS-VPS/services/dns.nix
 delete mode 100644 machines/NixOS-VPS/services/tailscale.nix
 delete mode 100644 machines/NixOS-VPS/services/tor-bridge.nix
 delete mode 100644 machines/NixOS-VPS/services/wireguard.nix
 delete mode 100644 machines/NixOS-VPS/services/xtls.nix
 delete mode 100644 machines/NixOS-VPS/system
diff --git a/machines/NixOS-VPS/default.nix b/machines/NixOS-VPS/default.nix
deleted file mode 100644
index f57d056..0000000
--- a/machines/NixOS-VPS/default.nix
+++ /dev/null
@@ -1,283 +0,0 @@ -{ modulesPath, self, inputs, lib, pkgs, config, ... }: { - disabledModules = [ "${self}/modules/pass-store.nix" ]; - imports = with inputs.self; [ - (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/profiles/minimal.nix") - inputs.disko.nixosModules.disko - - ./disk-config.nix - ./network.nix - customModules.devices - customModules.libvirt-guests - customModules.persist - customModules.users - - # customProfiles.hardened - customProfiles.nix - ./services/backups.nix - ./services/dns.nix - ./services/tailscale.nix - ./services/tor-bridge.nix - # ./services/wireguard.nix - ./services/xtls.nix - - customProfiles.authentik - customProfiles.hoyolab - # customProfiles.radicale - # customProfiles.vaultwarden - (import customProfiles.headscale { - inherit (import ./dns-mapping.nix) headscale-list; - }) - ]; - - boot.kernelPackages = pkgs.linuxPackages_latest; - services.qemuGuest.enable = lib.mkForce true; - - # Impermanence - boot.initrd = { - # hardware - availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; - # reset rootfs on reboot - postDeviceCommands = pkgs.lib.mkBefore '' - mkdir -p /mnt - mount -o subvol=/ /dev/sda4 /mnt - - btrfs subvolume list -o /mnt/rootfs | - cut -f9 -d' ' | - while read subvolume; do - echo "deleting /$subvolume subvolume..." - btrfs subvolume delete "/mnt/$subvolume" - done && - - echo "deleting /root subvolume..." - btrfs subvolume delete /mnt/rootfs - echo "restoring blank /root subvolume..." 
- btrfs subvolume snapshot /mnt/snapshots/rootfs-blank /mnt/rootfs - umount /mnt - ''; - }; - fileSystems."/home".neededForBoot = true; - fileSystems."/persist".neededForBoot = true; - persist = { - enable = true; - cache.clean.enable = true; - state = { - files = [ - "/etc/machine-id" - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - ]; - directories = [ - "/var/lib/nixos" - "/var/lib/systemd" - "/var/lib/postgresql" - ]; - }; - }; - - # TODO: write all needed modules in boot.kernelModules - security.lockKernelModules = lib.mkForce false; - # Misc - boot = { - supportedFilesystems = [ "vfat" "btrfs" ]; - kernelModules = [ - "kvm-intel" "tcp_bbr" "veth" - # podman - "nft_chain_nat" "xt_addrtype" "xt_comment" "xt_mark" "xt_MASQUERADE" - ]; - kernelParams = [ - "scsi_mod.use_blk_mq=1" - "kvm.ignore_msrs=1" - "kvm.report_ignored_msrs=0" - ]; - kernel.sysctl = { - "vm.swappiness" = 50; - "vm.vfs_cache_pressure" = 200; - "vm.dirty_background_ratio" = 1; - "vm.dirty_ratio" = 40; - "vm.page-cluster" = 0; - # proxy tuning - "net.ipv4.tcp_congestion_control" = "bbr"; - "net.ipv4.tcp_slow_start_after_idle" = 0; - "net.core.default_qdisc" = "cake"; - "net.core.rmem_max" = 67108864; - "net.core.wmem_max" = 67108864; - "net.core.netdev_max_backlog" = 10000; - "net.core.somaxconn" = 4096; - "net.ipv4.tcp_syncookies" = 1; - "net.ipv4.tcp_tw_reuse" = 1; - "net.ipv4.tcp_fin_timeout" = 30; - "net.ipv4.tcp_keepalive_time" = 1200; - "net.ipv4.tcp_keepalive_probes" = 5; - "net.ipv4.tcp_keepalive_intvl" = 30; - "net.ipv4.tcp_max_syn_backlog" = 8192; - "net.ipv4.tcp_max_tw_buckets" = 5000; - "net.ipv4.tcp_fastopen" = 3; - "net.ipv4.tcp_mem" = "25600 51200 102400"; - "net.ipv4.udp_mem" = "25600 51200 102400"; - "net.ipv4.tcp_rmem" = "4096 87380 67108864"; - "net.ipv4.tcp_wmem" = "4096 65536 67108864"; - "net.ipv4.tcp_mtu_probing" = 1; - }; - loader.grub = { - enable = true; - efiSupport = true; - 
efiInstallAsRemovable = true; - }; - }; - zramSwap = { - enable = true; - algorithm = "zstd"; - memoryPercent = 100; - }; - - environment.memoryAllocator.provider = lib.mkForce "libc"; - deviceSpecific.isServer = true; - services.journald.extraConfig = "Compress=false"; - nix.optimise.automatic = false; - nix.distributedBuilds = lib.mkForce false; - fonts.enableDefaultPackages = lib.mkForce false; - security.polkit.enable = true; - # security.pam.enableSSHAgentAuth = true; - environment.systemPackages = with pkgs; [ - bat - bottom - comma - git - kitty - micro - pwgen - inputs.nix-alien.packages.${pkgs.hostPlatform.system}.nix-index-update - rsync - ]; - - # Locale - i18n.defaultLocale = "en_IE.UTF-8"; - i18n.extraLocaleSettings = { - LANGUAGE = "en_IE:en_US:en:C:ru_RU"; - LC_TIME = "en_DK.UTF-8"; - LC_ADDRESS = "ru_RU.UTF-8"; - LC_MONETARY = "ru_RU.UTF-8"; - LC_NUMERIC = "ru_RU.UTF-8"; - LC_PAPER = "ru_RU.UTF-8"; - LC_TELEPHONE = "ru_RU.UTF-8"; - }; - i18n.supportedLocales = [ - "C.UTF-8/UTF-8" - "en_DK.UTF-8/UTF-8" - "en_GB.UTF-8/UTF-8" - "en_IE.UTF-8/UTF-8" - "en_US.UTF-8/UTF-8" - "ru_RU.UTF-8/UTF-8" - ]; - time.timeZone = "Etc/UTC"; - environment.sessionVariables = { - XKB_DEFAULT_LAYOUT = "us,ru"; - XKB_DEFAULT_OPTIONS = "grp:win_space_toggle"; - }; - - # Hardened - networking.firewall = { - enable = true; - allowPing = false; - allowedTCPPorts = lib.mkDefault [ ]; - allowedUDPPorts = lib.mkDefault [ ]; - }; - systemd.coredump.enable = false; - - # Users - services.openssh = { - enable = true; - settings.PasswordAuthentication = false; - settings.PermitRootLogin = lib.mkForce "prohibit-password"; - settings.X11Forwarding = false; - extraConfig = "StreamLocalBindUnlink yes"; - ports = [ 22 ]; - }; - users.mutableUsers = false; - users.users = { - ${config.mainuser} = { - isNormalUser = true; - extraGroups = [ "disk" "systemd-journal" "wheel" "qemu-libvirtd" "libvirtd" ]; - uid = 1000; - hashedPassword = - 
"$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6"; - shell = pkgs.bash; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+xd8ClJPvJuAdYC9HlNnjiubEtYfvnKjYr9ROV+UmPVvI3ZITF24OaMI+fxgR0EqGfcUzSGom8528IB53Q3aFMIAaA0vKjW+jrByyB2l/k/+ttpLbH75c9WyOpAcUDTen8BhHKPyXOHoJ1jLu7GFmtPZ+mZo8thFB/VIRrwECHd8DnF0drsSCorkRp1bZC7bAHgztaYHNBUoAVGgJ7nLwW7DotlgbUEDiPJHXOxd/c/ZlXIB/cfUUqF+L5ThbMPhMcwRMspLy+nQdmHhih9k6SkvYqJoNqHT5/XeShb0RkIzvUWT2CYTPop5kAY5mMnatVTOY1FZPhHzk3G8MhOQ3r/elM/ecZxmjL8uozMN9kRGf1IL4DgQZfVqQRILdNSQGb0tfeiyirNZe1RlDw9UvMnZJOw0EkiC9lSSRhBWXXxAmxRrbNFTPQSp+/kiIGDmp2AsGhD11CfTDEU3wcLEUPBUqp1FYSzHncJyEKGy2Dpa5xaUJ0cuyGL4W3WHDXa4sTfY+AIXbQTD88Ujdsbfzyd6lrikG4D/crCurXissrh7q9DuYKWRI24cp5bw9lG33U1EXisnZqFyZNwMAmSj2QEGsHCwSevn0FgyRa2WYXgpZ9hfgY4le+ZSMo2JTosQ6DjGyxMDyQAHJ/ismTTzL67Q2p6U+73toYm62Qqdspw== (none)" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP0/DReYSAfkucroMTdELzTORsGhhbEa+W0FDFBnwViHuoqoKvetCOkW657icexc5v/j6Ghy3+Li9twbHnEDzUJVtNtauhGMjOcUYt6pTbeJ09CGSAh+orxzeY4vXp7ANb91xW8yRn/EE4ALxqbLsc/D7TUMl11fmf0UW+kLgU5TcUYVSLMjQqBpD1Lo7lXLrImloDxe5fwoBDT09E59r9tq6+/3aHz8mpKRLsIQIV0Av00BRJ+/OVmZuBd9WS35rfkpUYmpEVInSJy3G4O6kCvY/zc9Bnh67l4kALZZ0+6W23kBGrzaRfaOtCEcscwfIu+6GXiHOL33rrMNNinF0T2942jGc18feL6P/LZCzqz8bGdFNxT43jAGPeDDcrJEWAJZFO3vVTP65dTRTHQG2KlQMzS7tcif6YUlY2JLJIb61ZfLoShH/ini/tqsGT0Be1f3ndOFt48h4XMW1oIF+EXaHYeO2UJ6855m8Wpxs4bP/jX6vMV38IvvnHy4tWD50= alukard@AMD-Workstation" - ]; - }; - deploy = { - description = "The administrator account for the servers."; - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = - config.users.users.${config.mainuser}.openssh.authorizedKeys.keys; - }; - root.openssh.authorizedKeys.keys = - config.users.users.${config.mainuser}.openssh.authorizedKeys.keys; - }; - # Passwordless sudo for deploy user - security.sudo = { - extraRules = [{ - users = [ "deploy" ]; - commands = [{ - command = "ALL"; - options = [ "NOPASSWD" ]; - }]; - }]; - extraConfig = '' - 
Defaults lecture = never - ''; - }; - - # Podman - virtualisation = { - oci-containers.backend = lib.mkForce "podman"; - podman.enable = true; - podman.dockerSocket.enable = true; - containers.registries.search = [ - "docker.io" "gcr.io" "quay.io" - ]; - containers.storage.settings = { - storage = { - driver = "overlay"; - graphroot = "/var/lib/podman/storage"; - runroot = "/run/containers/storage"; - }; - }; - libvirtd = { - enable = true; - qemu = { - ovmf.enable = true; - ovmf.packages = [ pkgs.OVMFFull.fd ]; - runAsRoot = false; - }; - onBoot = "ignore"; - onShutdown = "shutdown"; - }; - }; - programs.virt-manager.enable = true; - networking.firewall.trustedInterfaces = [ "podman*" "vnet*" "virbr*" ]; - networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ]; - security.unprivilegedUsernsClone = true; - - nixpkgs.overlays = let - unstable = import self.unstable-nixpkgs { - config = config.nixpkgs.config; - localSystem = { system = pkgs.hostPlatform.system; }; - }; - in [ - inputs.ataraxiasjel-nur.overlays.default - (final: prev: { - authentik = unstable.authentik; - authentik-outposts = unstable.authentik-outposts; - }) - ]; - - system.stateVersion = "24.05"; - nixpkgs.hostPlatform = lib.mkForce "x86_64-linux"; -} diff --git a/machines/NixOS-VPS/disk-config.nix b/machines/NixOS-VPS/disk-config.nix deleted file mode 100644 index 23c20a0..0000000 --- a/machines/NixOS-VPS/disk-config.nix +++ /dev/null 
@@ -1,100 +0,0 @@ -{ lib, ... }: { - disko.devices.disk.disk1 = { - device = lib.mkDefault "/dev/sda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - name = "boot"; - size = "1M"; - type = "EF02"; - }; - esp = { - name = "ESP"; - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - swap = { - name = "swap"; - size = "2G"; - content = { - type = "swap"; - randomEncryption = true; - }; - }; - root = { - name = "root"; - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - postCreateHook = '' - mount -t btrfs /dev/sda4 /mnt - btrfs subvolume snapshot -r /mnt/rootfs /mnt/snapshots/rootfs-blank - btrfs subvolume snapshot -r /mnt/persistent/home /mnt/snapshots/home-blank - btrfs subvolume snapshot -r /mnt/persistent/docker /mnt/snapshots/docker-blank - btrfs subvolume snapshot -r /mnt/persistent/podman /mnt/snapshots/podman-blank - btrfs subvolume snapshot -r /mnt/persistent/containers /mnt/snapshots/containers-blank - btrfs subvolume snapshot -r /mnt/persistent/libvirt /mnt/snapshots/libvirt-blank - btrfs subvolume snapshot -r /mnt/persistent/log /mnt/snapshots/log-blank - btrfs subvolume snapshot -r /mnt/persistent/impermanence /mnt/snapshots/impermanence-blank - btrfs subvolume snapshot -r /mnt/persistent/srv /mnt/snapshots/srv-blank - umount /mnt - ''; - subvolumes = { - "/snapshots" = { }; - "/rootfs" = { - mountpoint = "/"; - mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - "/persistent" = { }; - "/persistent/nix" = { - mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - "/persistent/home" = { - mountpoint = "/home"; - mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - "/persistent/srv" = { - mountpoint = "/srv"; - mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - "/persistent/docker" = { - mountpoint = "/var/lib/docker"; - mountOptions = 
[ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - "/persistent/podman" = { - mountpoint = "/var/lib/podman"; - mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - "/persistent/containers" = { - mountpoint = "/var/lib/containers"; - mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - "/persistent/libvirt" = { - mountpoint = "/var/lib/libvirt"; - mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - "/persistent/log" = { - mountpoint = "/var/log"; - mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - "/persistent/impermanence" = { - mountpoint = "/persist"; - mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ]; - }; - }; - }; - }; - - }; - }; - }; -} diff --git a/machines/NixOS-VPS/dns-mapping.nix b/machines/NixOS-VPS/dns-mapping.nix deleted file mode 100644 index 694cf14..0000000 --- a/machines/NixOS-VPS/dns-mapping.nix +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - headscale-list = [ - { name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - # { name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; } - { name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "net.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "pdf.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "s3.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = 
"tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "vault.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - - { name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - # { name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; } - { name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "net.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = 
"pdf.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "s3.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "vault.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - ]; - dnsmasq-list = [ - "/api.ataraxiadev.com/10.10.10.10" - "/cache.ataraxiadev.com/10.10.10.10" - "/cal.ataraxiadev.com/10.10.10.10" - "/code.ataraxiadev.com/10.10.10.10" - "/docs.ataraxiadev.com/10.10.10.10" - "/element.ataraxiadev.com/10.10.10.10" - "/file.ataraxiadev.com/10.10.10.10" - "/home.ataraxiadev.com/10.10.10.10" - "/jackett.ataraxiadev.com/10.10.10.10" - "/jellyfin.ataraxiadev.com/10.10.10.10" - "/joplin.ataraxiadev.com/10.10.10.10" - "/kavita.ataraxiadev.com/10.10.10.10" - "/ldap.ataraxiadev.com/10.10.10.10" - "/lib.ataraxiadev.com/10.10.10.10" - "/matrix.ataraxiadev.com/10.10.10.10" - "/medusa.ataraxiadev.com/10.10.10.10" - "/net.ataraxiadev.com/10.10.10.10" - "/openbooks.ataraxiadev.com/10.10.10.10" - "/pdf.ataraxiadev.com/10.10.10.10" - "/qbit.ataraxiadev.com/10.10.10.10" - "/radarr.ataraxiadev.com/10.10.10.10" - "/restic.ataraxiadev.com/10.10.10.10" - "/s3.ataraxiadev.com/10.10.10.10" - "/sonarr.ataraxiadev.com/10.10.10.10" - "/stats.ataraxiadev.com/10.10.10.10" - 
"/tools.ataraxiadev.com/10.10.10.10" - "/turn.ataraxiadev.com/10.10.10.10" - "/vault.ataraxiadev.com/10.10.10.10" - "/vw.ataraxiadev.com/10.10.10.10" - "/wiki.ataraxiadev.com/10.10.10.10" - ]; -} \ No newline at end of file diff --git a/machines/NixOS-VPS/hardware/networks.nix b/machines/NixOS-VPS/hardware/networks.nix deleted file mode 100644 index 667d304..0000000 --- a/machines/NixOS-VPS/hardware/networks.nix +++ /dev/null 
@@ -1,97 +0,0 @@ -rec { - privateIPv6Prefix = "fd3a:900e:8e74:ffff"; - domain = "wg.ataraxiadev.com"; - hasIPv6 = false; - - interfaces = { - # This is the public-facing interface. Any interface name with a prime - # symbol means it's a public-facing interface. - main' = { - mac = "bc:24:11:79:81:d7"; - bridgeName = "br0"; - ifname = "enp0s18"; - IPv4 = { - address = "45.135.180.193/32"; - gateway = "45.135.180.1"; - dns = [ "9.9.9.9" "149.112.112.112" ]; - }; - IPv6 = { - address = ""; - gateway = ""; - dns = [ ]; - }; - }; - - wireguard0 = { - ifname = "wg0"; - dns = [ "${privateIPv6Prefix}::0:53" ]; - IPv4 = { - address = "10.100.0.1"; - subnet = "10.100.0.0/16"; - }; - IPv6 = { - address = "${privateIPv6Prefix}::1"; - subnet = "${privateIPv6Prefix}::0/64"; - }; - }; - }; - - # Wireguard-related things. - wireguardPort = 40820; - wireguardIPv4Prefix = "10.100.0"; - wireguardIPv6Prefix = "${privateIPv6Prefix}::0"; - wireguardPeers = { - server = with interfaces.wireguard0; { - IPv4 = IPv4.address; - IPv6 = IPv6.address; - }; - ataraxia = { - IPv4 = "${wireguardIPv4Prefix}.2"; - IPv6 = "${wireguardIPv6Prefix}:2"; - }; - hypervisor = { - IPv4 = "${wireguardIPv4Prefix}.3"; - IPv6 = "${wireguardIPv6Prefix}:3"; - }; - mikrotik = { - IPv4 = "${wireguardIPv4Prefix}.4"; - IPv6 = "${wireguardIPv6Prefix}:4"; - }; - poco = { - IPv4 = "${wireguardIPv4Prefix}.5"; - IPv6 = "${wireguardIPv6Prefix}:5"; - }; - kpoxa = { - IPv4 = "${wireguardIPv4Prefix}.6"; - IPv6 = "${wireguardIPv6Prefix}:6"; - }; - kpoxa2 = { - IPv4 = "${wireguardIPv4Prefix}.7"; - IPv6 = "${wireguardIPv6Prefix}:7"; - }; - faysss = { - IPv4 = "${wireguardIPv4Prefix}.8"; - IPv6 = "${wireguardIPv6Prefix}:8"; - }; - faysss2 = { - IPv4 = "${wireguardIPv4Prefix}.9"; - IPv6 = "${wireguardIPv6Prefix}:9"; - }; - faysss3 = { - IPv4 = "${wireguardIPv4Prefix}.10"; - IPv6 = "${wireguardIPv6Prefix}:a"; - }; - doste = { - IPv4 = "${wireguardIPv4Prefix}.11"; - IPv6 = "${wireguardIPv6Prefix}:b"; - }; - dell = { - IPv4 = 
"${wireguardIPv4Prefix}.12"; - IPv6 = "${wireguardIPv6Prefix}:c"; - }; - hypervisor-dns = { - IPv4 = "${wireguardIPv4Prefix}.13"; - IPv6 = "${wireguardIPv6Prefix}:d"; - }; - }; -} diff --git a/machines/NixOS-VPS/network.nix b/machines/NixOS-VPS/network.nix deleted file mode 100644 index 5e83bec..0000000 --- a/machines/NixOS-VPS/network.nix +++ /dev/null 
@@ -1,67 +0,0 @@ -{ config, lib, pkgs, ... }: -let - inherit (import ./hardware/networks.nix) interfaces domain hasIPv6; -in { - services.resolved.enable = true; - networking = { - enableIPv6 = lib.mkForce hasIPv6; - usePredictableInterfaceNames = lib.mkForce true; - useDHCP = false; - dhcpcd.enable = false; - nftables.enable = false; # incompatible with tailscale and docker - hostName = config.device; - domain = domain; - nameservers = with interfaces.main'; IPv4.dns ++ lib.optionals hasIPv6 IPv6.dns; - }; - - systemd.network = with interfaces.main'; { - enable = true; - wait-online.ignoredInterfaces = [ "lo" ]; - networks = { - "40-${ifname}" = { - matchConfig.Name = ifname; - linkConfig.RequiredForOnline = "enslaved"; - networkConfig.Bridge = bridgeName; - networkConfig.DHCP = "no"; - }; - "60-${bridgeName}" = { - matchConfig.Name = bridgeName; - address = [ - IPv4.address - "192.168.0.1/24" - ] ++ lib.optionals hasIPv6 [ - IPv6.address - "fc00::1/64" - ]; - linkConfig.RequiredForOnline = "routable"; - routes = [{ - routeConfig.Gateway = IPv4.gateway; - routeConfig.GatewayOnLink = true; - }] ++ lib.optionals hasIPv6 [{ - routeConfig.Gateway = IPv6.gateway; - routeConfig.GatewayOnLink = true; - }]; - dhcpServerConfig = { - ServerAddress = "192.168.0.1/24"; - PoolOffset = 100; - PoolSize = 100; - }; - }; - }; - netdevs = { - "60-${bridgeName}" = { - netdevConfig = { - Kind = "bridge"; - Name = bridgeName; - MACAddress = mac; - }; - }; - }; - }; - - system.activationScripts.udp-gro-forwarding = { - text = with interfaces.main'; '' - ${pkgs.ethtool}/bin/ethtool -K ${bridgeName} rx-udp-gro-forwarding on rx-gro-list off - ''; - }; -} \ No newline at end of file diff --git a/machines/NixOS-VPS/services/backups.nix b/machines/NixOS-VPS/services/backups.nix deleted file mode 100644 index 98ee83e..0000000 --- a/machines/NixOS-VPS/services/backups.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -{ config, lib, inputs, ... }: { - imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ]; - backups.postgresql.authentik.proxyAddress = lib.mkForce null; - - sops.secrets.rustic-vps-pass.sopsFile = inputs.self.secretsDir + /rustic.yaml; - sops.secrets.rustic-backups-s3-env.sopsFile = inputs.self.secretsDir + /rustic.yaml; - services.rustic.backups = rec { - vps-backup = { - backup = true; - prune = false; - initialize = false; - pruneOpts = [ "--repack-cacheable-only=false" ]; - environmentFile = config.sops.secrets.rustic-backups-s3-env.path; - timerConfig = { - OnCalendar = "01:00"; - Persistent = true; - }; - settings = let - label = "vps-containers"; - in { - repository = { - repository = "opendal:s3"; - password-file = config.sops.secrets.rustic-vps-pass.path; - options = { - root = label; - bucket = "ataraxia-rustic-backups"; - region = "eu-central-003"; - endpoint = "https://s3.eu-central-003.backblazeb2.com"; - }; - }; - repository.options = { - timeout = "5min"; - retry = "10"; - }; - backup = { - host = config.device; - label = label; - ignore-devid = true; - group-by = "label"; - skip-identical-parent = true; - snapshots = [{ - sources = [ "/srv/marzban" ]; - }]; - }; - forget = { - filter-labels = [ label ]; - group-by = "label"; - prune = true; - keep-daily = 4; - keep-weekly = 2; - keep-monthly = 1; - }; - }; - }; - vps-prune = vps-backup // { - backup = false; - prune = true; - createWrapper = false; - timerConfig = { - OnCalendar = "Mon, 02:00"; - Persistent = true; - }; - }; - }; -} \ No newline at end of file diff --git a/machines/NixOS-VPS/services/dns.nix b/machines/NixOS-VPS/services/dns.nix deleted file mode 100644 index 16e56de..0000000 --- a/machines/NixOS-VPS/services/dns.nix +++ /dev/null 
@@ -1,239 +0,0 @@ -{ config, lib, pkgs, ... }: -let - inherit (import ../hardware/networks.nix) interfaces; - wg = interfaces.wireguard0; - wgIfname = wg.ifname; - brIfname = interfaces.main'.bridgeName; - tailscaleIfname = config.services.tailscale.interfaceName; -in { - networking.extraHosts = '' - 192.0.46.9 www.internic.net - ''; - # For debugging purposes - environment.systemPackages = with pkgs; [ tcpdump dnsutils ]; - services.resolved.extraConfig = '' - DNSStubListener=off - ''; - systemd.network.networks."20-${brIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1"; - systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1"; - - networking.firewall.interfaces = let - ports = { - allowedTCPPorts = [ - config.services.blocky.settings.ports.dns - # config.services.grafana.settings.server.http_port - ]; - allowedUDPPorts = [ - config.services.blocky.settings.ports.dns - ]; - }; - in { - ${wgIfname} = ports; - ${tailscaleIfname} = ports; - }; - - # TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html) - services.unbound = { - enable = true; - package = pkgs.unbound-full; - settings = { - server = { - root-hints = "${config.services.unbound.stateDir}/root.hints"; - port = "553"; - interface = [ - "127.0.0.1" - "::1" - ]; - access-control = [ - "0.0.0.0/0 refuse" - "127.0.0.0/8 allow" - "::0/0 refuse" - "::1 allow" - ]; - private-address = [ - "127.0.0.0/8" - "::1" - ]; - hide-version = "yes"; - aggressive-nsec = "yes"; - cache-max-ttl = "86400"; - cache-min-ttl = "600"; - deny-any = "yes"; - do-ip4 = "yes"; - do-ip6 = "yes"; - do-tcp = "yes"; - do-udp = "yes"; - harden-algo-downgrade = "yes"; - harden-dnssec-stripped = "yes"; - harden-glue = "yes"; - harden-large-queries = "yes"; - harden-referral-path = "yes"; - harden-short-bufsize = "yes"; - hide-identity = "yes"; - minimal-responses = "yes"; - msg-cache-size = "128m"; - neg-cache-size = "4m"; - prefer-ip6 = "no"; - prefetch = "yes"; - 
prefetch-key = "yes"; - qname-minimisation = "yes"; - rrset-cache-size = "256m"; - rrset-roundrobin = "yes"; - serve-expired = "yes"; - so-rcvbuf = "4m"; - so-reuseport = "yes"; - so-sndbuf = "4m"; - unwanted-reply-threshold = "100000"; - use-caps-for-id = "yes"; - }; - cachedb = { - backend = "redis"; - redis-server-host = "127.0.0.1"; - redis-server-port = toString config.services.redis.servers.unbound.port; - redis-timeout = "300"; - redis-expire-records = "no"; - }; - }; - }; - services.redis.vmOverCommit = true; - services.redis.servers.unbound = { - enable = true; - port = 7379; - databases = 1; - save = [ [ 3600 1 ] [ 1800 10 ] [ 600 100 ] ]; - settings = { - maxmemory = "16mb"; - protected-mode = true; - rdbchecksum = false; - stop-writes-on-bgsave-error = false; - tcp-keepalive = 300; - timeout = 0; - }; - }; - # TODO: maybe set internic ip address to hosts? - systemd.services.root-hints = { - script = '' - ${pkgs.wget}/bin/wget -O ${config.services.unbound.stateDir}/root.hints https://www.internic.net/domain/named.root - ''; - serviceConfig.Type = "oneshot"; - startAt = "weekly"; - }; - # systemd.services.unbound = { - # after = [ "root-hints.service" ]; - # }; - # Blocky + prometheus + grafana - services.blocky = { - enable = true; - settings = { - upstream.default = [ "127.0.0.1:553" "[::1]:553" ]; - upstreamTimeout = "10s"; - bootstrapDns = [{ - upstream = "https://dns.quad9.net/dns-query"; - ips = [ "9.9.9.9" "149.112.112.112" ]; - }]; - blocking = { - blackLists = { - ads = [ - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" - "https://github.com/RPiList/specials/raw/master/Blocklisten/malware" - ]; - telemetry = [ - "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt" - "https://github.com/RPiList/specials/raw/master/Blocklisten/MS-Office-Telemetry" - "https://github.com/RPiList/specials/raw/master/Blocklisten/Win10Telemetry" - ../../../misc/telemetry.hosts - ]; - }; - clientGroupsBlock.default 
= [ "ads" "telemetry" ]; - }; - # disable caching (use unbound) - caching = { - minTime = -1; - maxTime = -1; - cacheTimeNegative = -1; - prefetching = false; - }; - ports = { - dns = 53; - http = "127.0.0.1:4000"; - }; - prometheus.enable = true; - queryLog = { - type = "console"; - }; - }; - }; - # services.prometheus = { - # enable = true; - # listenAddress = "127.0.0.1"; - # globalConfig.scrape_interval = "15s"; - # globalConfig.evaluation_interval = "15s"; - # scrapeConfigs = [{ - # job_name = "blocky"; - # static_configs = [{ - # targets = [ config.services.blocky.settings.ports.http ]; - # }]; - # }]; - # }; - # services.grafana = { - # enable = true; - # settings = { - # analytics.reporting_enabled = false; - # server = { - # enable_gzip = true; - # domain = "localhost"; - # http_addr = "0.0.0.0"; - # http_port = 3000; - # }; - # # Grafana can be accessed only through wireguard, so it's secure enough - # security = { - # admin_user = "admin"; - # admin_password = "admin"; - # }; - # panels.disable_sanitize_html = true; - # }; - # provision = { - # enable = true; - # datasources.settings = { - # datasources = [{ - # name = "Prometheus"; - # type = "prometheus"; - # access = "proxy"; - # orgId = 1; - # uid = "Y4SSG429DWCGDQ3R"; - # url = "http://127.0.0.1:${toString config.services.prometheus.port}"; - # isDefault = true; - # jsonData = { - # graphiteVersion = "1.1"; - # tlsAuth = false; - # tlsAuthWithCACert = false; - # }; - # version = 1; - # editable = true; - # }]; - # }; - # dashboards = { - # settings = { - # providers = [{ - # name = "My Dashboards"; - # options.path = "/etc/grafana-dashboards"; - # }]; - # }; - # }; - # }; - # }; - # environment.etc = { - # "grafana-dashboards/blocky_rev3.json" = { - # source = ../../../misc/grafana_blocky_rev3.json; - # group = "grafana"; - # user = "grafana"; - # }; - # }; - - persist.state.directories = [ - "/var/lib/grafana" - "/var/lib/prometheus2" - "/var/lib/redis-unbound" - "/var/lib/unbound" - ]; -} \ No 
newline at end of file diff --git a/machines/NixOS-VPS/services/tailscale.nix b/machines/NixOS-VPS/services/tailscale.nix deleted file mode 100644 index 86a7c74..0000000 --- a/machines/NixOS-VPS/services/tailscale.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ config, inputs, ... }: -let - bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName; - tailscalePort = config.services.tailscale.port; - tailscaleIfname = config.services.tailscale.interfaceName; - ssPort1 = 2234; - ssPort2 = 2235; -in { - imports = [ inputs.ataraxiasjel-nur.nixosModules.rinetd ]; - - networking.firewall.trustedInterfaces = [ tailscaleIfname ]; - networking.firewall.interfaces.${bridgeName} = { - allowedUDPPorts = [ tailscalePort ]; - allowedTCPPorts = [ ssPort1 ssPort2 ]; - }; - - systemd.network.networks."50-tailscale" = { - matchConfig.Name = tailscaleIfname; - linkConfig.Unmanaged = true; - linkConfig.ActivationPolicy = "manual"; - }; - - services.tailscale = { - enable = true; - port = 18491; - useRoutingFeatures = "both"; - }; - - persist.state.directories = [ "/var/lib/tailscale" ]; - - services.rinetd = { - enable = true; - settings = '' - 0.0.0.0 ${toString ssPort1} 100.64.0.2 ${toString ssPort1} - 0.0.0.0 ${toString ssPort2} 100.64.0.3 ${toString ssPort2} - ''; - }; -} \ No newline at end of file diff --git a/machines/NixOS-VPS/services/tor-bridge.nix b/machines/NixOS-VPS/services/tor-bridge.nix deleted file mode 100644 index 8d3d04a..0000000 --- a/machines/NixOS-VPS/services/tor-bridge.nix +++ /dev/null 
@@ -1,46 +0,0 @@ -{ pkgs, ... }: -let - inherit (import ../hardware/networks.nix) interfaces; - bridgeName = interfaces.main'.bridgeName; - obfs4Port = 18371; - orPort = 17429; -in { - networking.firewall.interfaces.${bridgeName} = { - allowedTCPPorts = [ obfs4Port orPort ]; - }; - - # We can get bridge cert from file: /var/lib/tor/pt_state/obfs4_bridgeline.txt - # Fingerprint can be obtained from tor.service logs - services.tor = { - enable = true; - enableGeoIP = true; - client.enable = false; - relay.enable = true; - relay.role = "private-bridge"; - settings = { - BridgeDistribution = "none"; - BridgeRelay = true; - ContactInfo = "admin@ataraxiadev.com"; - ORPort = [ orPort ]; - ServerTransportListenAddr = "obfs4 0.0.0.0:${toString obfs4Port}"; - Nickname = "Ataraxia"; - }; - }; - - services.networkd-dispatcher = { - enable = true; - rules."restart-tor" = { - onState = [ "routable" "off" ]; - script = '' - #!${pkgs.runtimeShell} - if [[ $IFACE == "${bridgeName}" && $AdministrativeState == "configured" ]]; then - echo "Restarting Tor ..." - systemctl restart tor - fi - exit 0 - ''; - }; - }; - - persist.state.directories = [ "/var/lib/tor" ]; -} \ No newline at end of file diff --git a/machines/NixOS-VPS/services/wireguard.nix b/machines/NixOS-VPS/services/wireguard.nix deleted file mode 100644 index 6b8cb87..0000000 --- a/machines/NixOS-VPS/services/wireguard.nix +++ /dev/null 
@@ -1,132 +0,0 @@ -{ lib, pkgs, ... }: -let - inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers hasIPv6; - wireguardIFName = interfaces.wireguard0.ifname; -in { - # Sometimes we need to disable checksum validation - # ethtool -K br0 tx off rx off - # ethtool -K enp0s1 tx off rx off - environment.systemPackages = [ pkgs.wireguard-tools ]; - - networking.firewall = { - allowedUDPPorts = [ wireguardPort ]; - checkReversePath = lib.mkForce false; - }; - - boot.kernelModules = [ "wireguard" ]; - systemd.network = { - wait-online.ignoredInterfaces = [ wireguardIFName ]; - - networks."90-${wireguardIFName}" = with interfaces.wireguard0; { - matchConfig.Name = wireguardIFName; - address = [ - "${IPv4.address}/16" - ] ++ lib.optionals hasIPv6 [ - "${IPv6.address}/64" - ]; - DHCP = "no"; - networkConfig = { - IPForward = true; - IPMasquerade = "both"; - DNS = interfaces.main'.IPv4.dns ++ lib.optionals hasIPv6 interfaces.main'.IPv6.dns; - }; - }; - - netdevs."90-${wireguardIFName}" = { - netdevConfig = { - Name = wireguardIFName; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = "/srv/wireguard/private"; - ListenPort = wireguardPort; - }; - wireguardPeers = [ - { - wireguardPeerConfig = with wireguardPeers.ataraxia; { - PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o="; - PresharedKeyFile = "/srv/wireguard/ataraxia/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.hypervisor; { - PublicKey = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o="; - PresharedKeyFile = "/srv/wireguard/hypervisor/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.mikrotik; { - PublicKey = "amReLTZgu6pwtKCnk1q8EG5uZSgUNxRoh5m3w1D3rQo="; - PresharedKeyFile = "/srv/wireguard/mikrotik/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.poco; { - PublicKey = 
"ZbBJziuMjyHJNcgrLYIQtio7l3fEOJ4GXW4ST+N9V34="; - PresharedKeyFile = "/srv/wireguard/poco/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.kpoxa; { - PublicKey = "U1wtbS8/yQGkBnBQUZs7KxxmvAajKb9jh83dDd2LdgE="; - PresharedKeyFile = "/srv/wireguard/kpoxa/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.kpoxa2; { - PublicKey = "ghU3Puwz5PeXmnDlxyh+IeuwFK44V3rXlMiFGs5YnwI="; - PresharedKeyFile = "/srv/wireguard/kpoxa2/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.faysss; { - PublicKey = "JLvKyFwI7b9MsiZsnNAt3qs5ob18b3mrOZKR5HZCORY="; - PresharedKeyFile = "/srv/wireguard/faysss/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.faysss2; { - PublicKey = "S6k9l0K5/YmO5BPETQludC1CBHsKLsk9+n6kwSjx4n8="; - PresharedKeyFile = "/srv/wireguard/faysss2/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.faysss3; { - PublicKey = "ka42gE67gShu88Ko7iQ/pK8zusod6bNIrIN8fkxVkC4="; - PresharedKeyFile = "/srv/wireguard/faysss3/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.doste; { - PublicKey = "KVbEaO4DSpTb941zxOPQLWq2Glm9CDgK/9MwW95WuC0="; - PresharedKeyFile = "/srv/wireguard/doste/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.dell; { - PublicKey = "//ss9UEHRFEZL4LbZaA1HiRUrMrn97kc7CmblUORXTc="; - PresharedKeyFile = "/srv/wireguard/dell/preshared"; - AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ]; - }; - } - { - wireguardPeerConfig = with wireguardPeers.hypervisor-dns; { - PublicKey = "x4uavQEEfhdqNC4FCOPfKlEDRJiwOz4dy2W1KhJtnwc="; - PresharedKeyFile = "/srv/wireguard/hypervisor-dns/preshared"; - AllowedIPs = [ "${IPv4}/32" 
"${IPv6}/128" ]; - }; - } - ]; - }; - }; -} diff --git a/machines/NixOS-VPS/services/xtls.nix b/machines/NixOS-VPS/services/xtls.nix deleted file mode 100644 index fa2b33d..0000000 --- a/machines/NixOS-VPS/services/xtls.nix +++ /dev/null 
@@ -1,96 +0,0 @@ -{ config, pkgs, inputs, modulesPath, ... }: -let - inherit (pkgs.hostPlatform) system; - cert-key = config.sops.secrets."cert.key".path; - cert-pem = config.sops.secrets."cert.pem".path; - nginx-conf = config.sops.secrets."nginx.conf".path; - marzban-env = config.sops.secrets.marzban.path; - fqdn = "wg.ataraxiadev.com"; -in { - disabledModules = [ "${modulesPath}/services/web-apps/ocis.nix" ]; - imports = [ inputs.ataraxiasjel-nur.nixosModules.ocis ]; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - sops.secrets = let - nginx = { - sopsFile = inputs.self.secretsDir + /nixos-vps/nginx.yaml; - restartUnits = [ "podman-nginx.service" ]; - }; - marzban = { - format = "dotenv"; - sopsFile = inputs.self.secretsDir + /nixos-vps/marzban.env; - restartUnits = [ "podman-marzban.service" ]; - }; - cf-dns-api = { - sopsFile = inputs.self.secretsDir + /misc.yaml; - owner = "acme"; - }; - in { - "cert.key" = nginx; - "cert.pem" = nginx; - "nginx.conf" = nginx; - inherit cf-dns-api marzban; - }; - - virtualisation.oci-containers.containers = { - marzban = { - autoStart = true; - image = "ghcr.io/gozargah/marzban:v0.7.0"; - environmentFiles = [ marzban-env ]; - extraOptions = [ "--network=host" ]; - volumes = [ - "/srv/marzban:/var/lib/marzban" - ]; - }; - nginx = { - autoStart = true; - image = "docker.io/nginx:latest"; - extraOptions = [ "--network=host" ]; - volumes = [ - "${cert-key}:/etc/ssl/certs/cf-cert.key:ro" - "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro" - "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem:/etc/ssl/certs/cert.pem:ro" - "${config.security.acme.certs.${fqdn}.directory}/key.pem:/etc/ssl/certs/cert.key:ro" - "${nginx-conf}:/etc/nginx/nginx.conf:ro" - ]; - }; - }; - - services.ocis = { - enable = true; - package = inputs.ataraxiasjel-nur.packages.${system}.ocis-bin; - configDir = "/srv/ocis/config"; - baseDataPath = "/srv/ocis/data"; - environment = { - OCIS_INSECURE = "false"; - OCIS_URL = "https://cloud.ataraxiadev.com"; 
- PROXY_HTTP_ADDR = "127.0.0.1:9200"; - PROXY_TLS = "false"; - }; - }; - - systemd.tmpfiles.rules = [ - "d /srv/marzban 0755 root root -" - ]; - - # OpenConnect - security.acme = { - acceptTerms = true; - defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production - defaults.email = "admin@ataraxiadev.com"; - defaults.renewInterval = "weekly"; - certs = { - ${fqdn} = { - extraDomainNames = [ - "auth.ataraxiadev.com" - "doh.ataraxiadev.com" - ]; - dnsResolver = "1.1.1.1:53"; - dnsProvider = "cloudflare"; - credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path; - reloadServices = [ "podman-nginx.service" ]; - }; - }; - }; - persist.state.directories = [ "/var/lib/acme" ]; -} \ No newline at end of file diff --git a/machines/NixOS-VPS/system b/machines/NixOS-VPS/system deleted file mode 100644 index 9bdfd5f..0000000 --- a/machines/NixOS-VPS/system +++ /dev/null @@ -1 +0,0 @@ -x86_64-linux \ No newline at end of file