AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

remove NixOS-VPS

Browse Source
This commit is contained in:
Dmitriy Kholkin 2025-02-16 22:17:53 +03:00
parent 9f2f82a214
commit 3da51481c2
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
12 changed files with 0 additions and 1265 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

283
machines/NixOS-VPS/default.nix
View File

@ -1,283 +0,0 @@
{ modulesPath, self, inputs, lib, pkgs, config, ... }: {
disabledModules = [ "${self}/modules/pass-store.nix" ];
imports = with inputs.self; [
(modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/profiles/minimal.nix")
inputs.disko.nixosModules.disko
./disk-config.nix
./network.nix
customModules.devices
customModules.libvirt-guests
customModules.persist
customModules.users
# customProfiles.hardened
customProfiles.nix
./services/backups.nix
./services/dns.nix
./services/tailscale.nix
./services/tor-bridge.nix
# ./services/wireguard.nix
./services/xtls.nix
customProfiles.authentik
customProfiles.hoyolab
# customProfiles.radicale
# customProfiles.vaultwarden
(import customProfiles.headscale {
inherit (import ./dns-mapping.nix) headscale-list;
})
];
boot.kernelPackages = pkgs.linuxPackages_latest;
services.qemuGuest.enable = lib.mkForce true;
# Impermanence
boot.initrd = {
# hardware
availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
# reset rootfs on reboot
postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -p /mnt
mount -o subvol=/ /dev/sda4 /mnt
btrfs subvolume list -o /mnt/rootfs |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..."
btrfs subvolume delete /mnt/rootfs
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/snapshots/rootfs-blank /mnt/rootfs
umount /mnt
'';
};
fileSystems."/home".neededForBoot = true;
fileSystems."/persist".neededForBoot = true;
persist = {
enable = true;
cache.clean.enable = true;
state = {
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
directories = [
"/var/lib/nixos"
"/var/lib/systemd"
"/var/lib/postgresql"
];
};
};
# TODO: write all needed modules in boot.kernelModules
security.lockKernelModules = lib.mkForce false;
# Misc
boot = {
supportedFilesystems = [ "vfat" "btrfs" ];
kernelModules = [
"kvm-intel" "tcp_bbr" "veth"
# podman
"nft_chain_nat" "xt_addrtype" "xt_comment" "xt_mark" "xt_MASQUERADE"
];
kernelParams = [
"scsi_mod.use_blk_mq=1"
"kvm.ignore_msrs=1"
"kvm.report_ignored_msrs=0"
];
kernel.sysctl = {
"vm.swappiness" = 50;
"vm.vfs_cache_pressure" = 200;
"vm.dirty_background_ratio" = 1;
"vm.dirty_ratio" = 40;
"vm.page-cluster" = 0;
# proxy tuning
"net.ipv4.tcp_congestion_control" = "bbr";
"net.ipv4.tcp_slow_start_after_idle" = 0;
"net.core.default_qdisc" = "cake";
"net.core.rmem_max" = 67108864;
"net.core.wmem_max" = 67108864;
"net.core.netdev_max_backlog" = 10000;
"net.core.somaxconn" = 4096;
"net.ipv4.tcp_syncookies" = 1;
"net.ipv4.tcp_tw_reuse" = 1;
"net.ipv4.tcp_fin_timeout" = 30;
"net.ipv4.tcp_keepalive_time" = 1200;
"net.ipv4.tcp_keepalive_probes" = 5;
"net.ipv4.tcp_keepalive_intvl" = 30;
"net.ipv4.tcp_max_syn_backlog" = 8192;
"net.ipv4.tcp_max_tw_buckets" = 5000;
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_mem" = "25600 51200 102400";
"net.ipv4.udp_mem" = "25600 51200 102400";
"net.ipv4.tcp_rmem" = "4096 87380 67108864";
"net.ipv4.tcp_wmem" = "4096 65536 67108864";
"net.ipv4.tcp_mtu_probing" = 1;
};
loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
};
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 100;
};
environment.memoryAllocator.provider = lib.mkForce "libc";
deviceSpecific.isServer = true;
services.journald.extraConfig = "Compress=false";
nix.optimise.automatic = false;
nix.distributedBuilds = lib.mkForce false;
fonts.enableDefaultPackages = lib.mkForce false;
security.polkit.enable = true;
# security.pam.enableSSHAgentAuth = true;
environment.systemPackages = with pkgs; [
bat
bottom
comma
git
kitty
micro
pwgen
inputs.nix-alien.packages.${pkgs.hostPlatform.system}.nix-index-update
rsync
];
# Locale
i18n.defaultLocale = "en_IE.UTF-8";
i18n.extraLocaleSettings = {
LANGUAGE = "en_IE:en_US:en:C:ru_RU";
LC_TIME = "en_DK.UTF-8";
LC_ADDRESS = "ru_RU.UTF-8";
LC_MONETARY = "ru_RU.UTF-8";
LC_NUMERIC = "ru_RU.UTF-8";
LC_PAPER = "ru_RU.UTF-8";
LC_TELEPHONE = "ru_RU.UTF-8";
};
i18n.supportedLocales = [
"C.UTF-8/UTF-8"
"en_DK.UTF-8/UTF-8"
"en_GB.UTF-8/UTF-8"
"en_IE.UTF-8/UTF-8"
"en_US.UTF-8/UTF-8"
"ru_RU.UTF-8/UTF-8"
];
time.timeZone = "Etc/UTC";
environment.sessionVariables = {
XKB_DEFAULT_LAYOUT = "us,ru";
XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
};
# Hardened
networking.firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = lib.mkDefault [ ];
allowedUDPPorts = lib.mkDefault [ ];
};
systemd.coredump.enable = false;
# Users
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.PermitRootLogin = lib.mkForce "prohibit-password";
settings.X11Forwarding = false;
extraConfig = "StreamLocalBindUnlink yes";
ports = [ 22 ];
};
users.mutableUsers = false;
users.users = {
${config.mainuser} = {
isNormalUser = true;
extraGroups = [ "disk" "systemd-journal" "wheel" "qemu-libvirtd" "libvirtd" ];
uid = 1000;
hashedPassword =
"$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.bash;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+xd8ClJPvJuAdYC9HlNnjiubEtYfvnKjYr9ROV+UmPVvI3ZITF24OaMI+fxgR0EqGfcUzSGom8528IB53Q3aFMIAaA0vKjW+jrByyB2l/k/+ttpLbH75c9WyOpAcUDTen8BhHKPyXOHoJ1jLu7GFmtPZ+mZo8thFB/VIRrwECHd8DnF0drsSCorkRp1bZC7bAHgztaYHNBUoAVGgJ7nLwW7DotlgbUEDiPJHXOxd/c/ZlXIB/cfUUqF+L5ThbMPhMcwRMspLy+nQdmHhih9k6SkvYqJoNqHT5/XeShb0RkIzvUWT2CYTPop5kAY5mMnatVTOY1FZPhHzk3G8MhOQ3r/elM/ecZxmjL8uozMN9kRGf1IL4DgQZfVqQRILdNSQGb0tfeiyirNZe1RlDw9UvMnZJOw0EkiC9lSSRhBWXXxAmxRrbNFTPQSp+/kiIGDmp2AsGhD11CfTDEU3wcLEUPBUqp1FYSzHncJyEKGy2Dpa5xaUJ0cuyGL4W3WHDXa4sTfY+AIXbQTD88Ujdsbfzyd6lrikG4D/crCurXissrh7q9DuYKWRI24cp5bw9lG33U1EXisnZqFyZNwMAmSj2QEGsHCwSevn0FgyRa2WYXgpZ9hfgY4le+ZSMo2JTosQ6DjGyxMDyQAHJ/ismTTzL67Q2p6U+73toYm62Qqdspw== (none)"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP0/DReYSAfkucroMTdELzTORsGhhbEa+W0FDFBnwViHuoqoKvetCOkW657icexc5v/j6Ghy3+Li9twbHnEDzUJVtNtauhGMjOcUYt6pTbeJ09CGSAh+orxzeY4vXp7ANb91xW8yRn/EE4ALxqbLsc/D7TUMl11fmf0UW+kLgU5TcUYVSLMjQqBpD1Lo7lXLrImloDxe5fwoBDT09E59r9tq6+/3aHz8mpKRLsIQIV0Av00BRJ+/OVmZuBd9WS35rfkpUYmpEVInSJy3G4O6kCvY/zc9Bnh67l4kALZZ0+6W23kBGrzaRfaOtCEcscwfIu+6GXiHOL33rrMNNinF0T2942jGc18feL6P/LZCzqz8bGdFNxT43jAGPeDDcrJEWAJZFO3vVTP65dTRTHQG2KlQMzS7tcif6YUlY2JLJIb61ZfLoShH/ini/tqsGT0Be1f3ndOFt48h4XMW1oIF+EXaHYeO2UJ6855m8Wpxs4bP/jX6vMV38IvvnHy4tWD50= alukard@AMD-Workstation"
];
};
deploy = {
description = "The administrator account for the servers.";
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys =
config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
};
root.openssh.authorizedKeys.keys =
config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
};
# Passwordless sudo for deploy user
security.sudo = {
extraRules = [{
users = [ "deploy" ];
commands = [{
command = "ALL";
options = [ "NOPASSWD" ];
}];
}];
extraConfig = ''
Defaults lecture = never
'';
};
# Podman
virtualisation = {
oci-containers.backend = lib.mkForce "podman";
podman.enable = true;
podman.dockerSocket.enable = true;
containers.registries.search = [
"docker.io" "gcr.io" "quay.io"
];
containers.storage.settings = {
storage = {
driver = "overlay";
graphroot = "/var/lib/podman/storage";
runroot = "/run/containers/storage";
};
};
libvirtd = {
enable = true;
qemu = {
ovmf.enable = true;
ovmf.packages = [ pkgs.OVMFFull.fd ];
runAsRoot = false;
};
onBoot = "ignore";
onShutdown = "shutdown";
};
};
programs.virt-manager.enable = true;
networking.firewall.trustedInterfaces = [ "podman*" "vnet*" "virbr*" ];
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ];
security.unprivilegedUsernsClone = true;
nixpkgs.overlays = let
unstable = import self.unstable-nixpkgs {
config = config.nixpkgs.config;
localSystem = { system = pkgs.hostPlatform.system; };
};
in [
inputs.ataraxiasjel-nur.overlays.default
(final: prev: {
authentik = unstable.authentik;
authentik-outposts = unstable.authentik-outposts;
})
];
system.stateVersion = "24.05";
nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
}

100
machines/NixOS-VPS/disk-config.nix
View File

@ -1,100 +0,0 @@
{ lib, ... }: {
disko.devices.disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
swap = {
name = "swap";
size = "2G";
content = {
type = "swap";
randomEncryption = true;
};
};
root = {
name = "root";
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
postCreateHook = ''
mount -t btrfs /dev/sda4 /mnt
btrfs subvolume snapshot -r /mnt/rootfs /mnt/snapshots/rootfs-blank
btrfs subvolume snapshot -r /mnt/persistent/home /mnt/snapshots/home-blank
btrfs subvolume snapshot -r /mnt/persistent/docker /mnt/snapshots/docker-blank
btrfs subvolume snapshot -r /mnt/persistent/podman /mnt/snapshots/podman-blank
btrfs subvolume snapshot -r /mnt/persistent/containers /mnt/snapshots/containers-blank
btrfs subvolume snapshot -r /mnt/persistent/libvirt /mnt/snapshots/libvirt-blank
btrfs subvolume snapshot -r /mnt/persistent/log /mnt/snapshots/log-blank
btrfs subvolume snapshot -r /mnt/persistent/impermanence /mnt/snapshots/impermanence-blank
btrfs subvolume snapshot -r /mnt/persistent/srv /mnt/snapshots/srv-blank
umount /mnt
'';
subvolumes = {
"/snapshots" = { };
"/rootfs" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent" = { };
"/persistent/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/srv" = {
mountpoint = "/srv";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/docker" = {
mountpoint = "/var/lib/docker";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/podman" = {
mountpoint = "/var/lib/podman";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/containers" = {
mountpoint = "/var/lib/containers";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/libvirt" = {
mountpoint = "/var/lib/libvirt";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/log" = {
mountpoint = "/var/log";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/impermanence" = {
mountpoint = "/persist";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
};
};
};
};
};
};
}

101
machines/NixOS-VPS/dns-mapping.nix
View File

@ -1,101 +0,0 @@
{
headscale-list = [
{ name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
# { name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
{ name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "net.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "pdf.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "radarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "restic.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "s3.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "vault.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
# { name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
{ name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "net.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "pdf.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "radarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "restic.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "s3.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "vault.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
];
dnsmasq-list = [
"/api.ataraxiadev.com/10.10.10.10"
"/cache.ataraxiadev.com/10.10.10.10"
"/cal.ataraxiadev.com/10.10.10.10"
"/code.ataraxiadev.com/10.10.10.10"
"/docs.ataraxiadev.com/10.10.10.10"
"/element.ataraxiadev.com/10.10.10.10"
"/file.ataraxiadev.com/10.10.10.10"
"/home.ataraxiadev.com/10.10.10.10"
"/jackett.ataraxiadev.com/10.10.10.10"
"/jellyfin.ataraxiadev.com/10.10.10.10"
"/joplin.ataraxiadev.com/10.10.10.10"
"/kavita.ataraxiadev.com/10.10.10.10"
"/ldap.ataraxiadev.com/10.10.10.10"
"/lib.ataraxiadev.com/10.10.10.10"
"/matrix.ataraxiadev.com/10.10.10.10"
"/medusa.ataraxiadev.com/10.10.10.10"
"/net.ataraxiadev.com/10.10.10.10"
"/openbooks.ataraxiadev.com/10.10.10.10"
"/pdf.ataraxiadev.com/10.10.10.10"
"/qbit.ataraxiadev.com/10.10.10.10"
"/radarr.ataraxiadev.com/10.10.10.10"
"/restic.ataraxiadev.com/10.10.10.10"
"/s3.ataraxiadev.com/10.10.10.10"
"/sonarr.ataraxiadev.com/10.10.10.10"
"/stats.ataraxiadev.com/10.10.10.10"
"/tools.ataraxiadev.com/10.10.10.10"
"/turn.ataraxiadev.com/10.10.10.10"
"/vault.ataraxiadev.com/10.10.10.10"
"/vw.ataraxiadev.com/10.10.10.10"
"/wiki.ataraxiadev.com/10.10.10.10"
];
}

97
machines/NixOS-VPS/hardware/networks.nix
View File

@ -1,97 +0,0 @@
rec {
privateIPv6Prefix = "fd3a:900e:8e74:ffff";
domain = "wg.ataraxiadev.com";
hasIPv6 = false;
interfaces = {
# This is the public-facing interface. Any interface name with a prime
# symbol means it's a public-facing interface.
main' = {
mac = "bc:24:11:79:81:d7";
bridgeName = "br0";
ifname = "enp0s18";
IPv4 = {
address = "45.135.180.193/32";
gateway = "45.135.180.1";
dns = [ "9.9.9.9" "149.112.112.112" ];
};
IPv6 = {
address = "";
gateway = "";
dns = [ ];
};
};
wireguard0 = {
ifname = "wg0";
dns = [ "${privateIPv6Prefix}::0:53" ];
IPv4 = {
address = "10.100.0.1";
subnet = "10.100.0.0/16";
};
IPv6 = {
address = "${privateIPv6Prefix}::1";
subnet = "${privateIPv6Prefix}::0/64";
};
};
};
# Wireguard-related things.
wireguardPort = 40820;
wireguardIPv4Prefix = "10.100.0";
wireguardIPv6Prefix = "${privateIPv6Prefix}::0";
wireguardPeers = {
server = with interfaces.wireguard0; {
IPv4 = IPv4.address;
IPv6 = IPv6.address;
};
ataraxia = {
IPv4 = "${wireguardIPv4Prefix}.2";
IPv6 = "${wireguardIPv6Prefix}:2";
};
hypervisor = {
IPv4 = "${wireguardIPv4Prefix}.3";
IPv6 = "${wireguardIPv6Prefix}:3";
};
mikrotik = {
IPv4 = "${wireguardIPv4Prefix}.4";
IPv6 = "${wireguardIPv6Prefix}:4";
};
poco = {
IPv4 = "${wireguardIPv4Prefix}.5";
IPv6 = "${wireguardIPv6Prefix}:5";
};
kpoxa = {
IPv4 = "${wireguardIPv4Prefix}.6";
IPv6 = "${wireguardIPv6Prefix}:6";
};
kpoxa2 = {
IPv4 = "${wireguardIPv4Prefix}.7";
IPv6 = "${wireguardIPv6Prefix}:7";
};
faysss = {
IPv4 = "${wireguardIPv4Prefix}.8";
IPv6 = "${wireguardIPv6Prefix}:8";
};
faysss2 = {
IPv4 = "${wireguardIPv4Prefix}.9";
IPv6 = "${wireguardIPv6Prefix}:9";
};
faysss3 = {
IPv4 = "${wireguardIPv4Prefix}.10";
IPv6 = "${wireguardIPv6Prefix}:a";
};
doste = {
IPv4 = "${wireguardIPv4Prefix}.11";
IPv6 = "${wireguardIPv6Prefix}:b";
};
dell = {
IPv4 = "${wireguardIPv4Prefix}.12";
IPv6 = "${wireguardIPv6Prefix}:c";
};
hypervisor-dns = {
IPv4 = "${wireguardIPv4Prefix}.13";
IPv6 = "${wireguardIPv6Prefix}:d";
};
};
}

67
machines/NixOS-VPS/network.nix
View File

@ -1,67 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (import ./hardware/networks.nix) interfaces domain hasIPv6;
in {
services.resolved.enable = true;
networking = {
enableIPv6 = lib.mkForce hasIPv6;
usePredictableInterfaceNames = lib.mkForce true;
useDHCP = false;
dhcpcd.enable = false;
nftables.enable = false; # incompatible with tailscale and docker
hostName = config.device;
domain = domain;
nameservers = with interfaces.main'; IPv4.dns ++ lib.optionals hasIPv6 IPv6.dns;
};
systemd.network = with interfaces.main'; {
enable = true;
wait-online.ignoredInterfaces = [ "lo" ];
networks = {
"40-${ifname}" = {
matchConfig.Name = ifname;
linkConfig.RequiredForOnline = "enslaved";
networkConfig.Bridge = bridgeName;
networkConfig.DHCP = "no";
};
"60-${bridgeName}" = {
matchConfig.Name = bridgeName;
address = [
IPv4.address
"192.168.0.1/24"
] ++ lib.optionals hasIPv6 [
IPv6.address
"fc00::1/64"
];
linkConfig.RequiredForOnline = "routable";
routes = [{
routeConfig.Gateway = IPv4.gateway;
routeConfig.GatewayOnLink = true;
}] ++ lib.optionals hasIPv6 [{
routeConfig.Gateway = IPv6.gateway;
routeConfig.GatewayOnLink = true;
}];
dhcpServerConfig = {
ServerAddress = "192.168.0.1/24";
PoolOffset = 100;
PoolSize = 100;
};
};
};
netdevs = {
"60-${bridgeName}" = {
netdevConfig = {
Kind = "bridge";
Name = bridgeName;
MACAddress = mac;
};
};
};
};
system.activationScripts.udp-gro-forwarding = {
text = with interfaces.main'; ''
${pkgs.ethtool}/bin/ethtool -K ${bridgeName} rx-udp-gro-forwarding on rx-gro-list off
'';
};
}

65
machines/NixOS-VPS/services/backups.nix
View File

@ -1,65 +0,0 @@
{ config, lib, inputs, ... }: {
imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ];
backups.postgresql.authentik.proxyAddress = lib.mkForce null;
sops.secrets.rustic-vps-pass.sopsFile = inputs.self.secretsDir + /rustic.yaml;
sops.secrets.rustic-backups-s3-env.sopsFile = inputs.self.secretsDir + /rustic.yaml;
services.rustic.backups = rec {
vps-backup = {
backup = true;
prune = false;
initialize = false;
pruneOpts = [ "--repack-cacheable-only=false" ];
environmentFile = config.sops.secrets.rustic-backups-s3-env.path;
timerConfig = {
OnCalendar = "01:00";
Persistent = true;
};
settings = let
label = "vps-containers";
in {
repository = {
repository = "opendal:s3";
password-file = config.sops.secrets.rustic-vps-pass.path;
options = {
root = label;
bucket = "ataraxia-rustic-backups";
region = "eu-central-003";
endpoint = "https://s3.eu-central-003.backblazeb2.com";
};
};
repository.options = {
timeout = "5min";
retry = "10";
};
backup = {
host = config.device;
label = label;
ignore-devid = true;
group-by = "label";
skip-identical-parent = true;
snapshots = [{
sources = [ "/srv/marzban" ];
}];
};
forget = {
filter-labels = [ label ];
group-by = "label";
prune = true;
keep-daily = 4;
keep-weekly = 2;
keep-monthly = 1;
};
};
};
vps-prune = vps-backup // {
backup = false;
prune = true;
createWrapper = false;
timerConfig = {
OnCalendar = "Mon, 02:00";
Persistent = true;
};
};
};
}

239
machines/NixOS-VPS/services/dns.nix
View File

@ -1,239 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (import ../hardware/networks.nix) interfaces;
wg = interfaces.wireguard0;
wgIfname = wg.ifname;
brIfname = interfaces.main'.bridgeName;
tailscaleIfname = config.services.tailscale.interfaceName;
in {
networking.extraHosts = ''
192.0.46.9 www.internic.net
'';
# For debugging purposes
environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
services.resolved.extraConfig = ''
DNSStubListener=off
'';
systemd.network.networks."20-${brIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
networking.firewall.interfaces = let
ports = {
allowedTCPPorts = [
config.services.blocky.settings.ports.dns
# config.services.grafana.settings.server.http_port
];
allowedUDPPorts = [
config.services.blocky.settings.ports.dns
];
};
in {
${wgIfname} = ports;
${tailscaleIfname} = ports;
};
# TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
services.unbound = {
enable = true;
package = pkgs.unbound-full;
settings = {
server = {
root-hints = "${config.services.unbound.stateDir}/root.hints";
port = "553";
interface = [
"127.0.0.1"
"::1"
];
access-control = [
"0.0.0.0/0 refuse"
"127.0.0.0/8 allow"
"::0/0 refuse"
"::1 allow"
];
private-address = [
"127.0.0.0/8"
"::1"
];
hide-version = "yes";
aggressive-nsec = "yes";
cache-max-ttl = "86400";
cache-min-ttl = "600";
deny-any = "yes";
do-ip4 = "yes";
do-ip6 = "yes";
do-tcp = "yes";
do-udp = "yes";
harden-algo-downgrade = "yes";
harden-dnssec-stripped = "yes";
harden-glue = "yes";
harden-large-queries = "yes";
harden-referral-path = "yes";
harden-short-bufsize = "yes";
hide-identity = "yes";
minimal-responses = "yes";
msg-cache-size = "128m";
neg-cache-size = "4m";
prefer-ip6 = "no";
prefetch = "yes";
prefetch-key = "yes";
qname-minimisation = "yes";
rrset-cache-size = "256m";
rrset-roundrobin = "yes";
serve-expired = "yes";
so-rcvbuf = "4m";
so-reuseport = "yes";
so-sndbuf = "4m";
unwanted-reply-threshold = "100000";
use-caps-for-id = "yes";
};
cachedb = {
backend = "redis";
redis-server-host = "127.0.0.1";
redis-server-port = toString config.services.redis.servers.unbound.port;
redis-timeout = "300";
redis-expire-records = "no";
};
};
};
services.redis.vmOverCommit = true;
services.redis.servers.unbound = {
enable = true;
port = 7379;
databases = 1;
save = [ [ 3600 1 ] [ 1800 10 ] [ 600 100 ] ];
settings = {
maxmemory = "16mb";
protected-mode = true;
rdbchecksum = false;
stop-writes-on-bgsave-error = false;
tcp-keepalive = 300;
timeout = 0;
};
};
# TODO: maybe set internic ip address to hosts?
systemd.services.root-hints = {
script = ''
${pkgs.wget}/bin/wget -O ${config.services.unbound.stateDir}/root.hints https://www.internic.net/domain/named.root
'';
serviceConfig.Type = "oneshot";
startAt = "weekly";
};
# systemd.services.unbound = {
# after = [ "root-hints.service" ];
# };
# Blocky + prometheus + grafana
services.blocky = {
enable = true;
settings = {
upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
upstreamTimeout = "10s";
bootstrapDns = [{
upstream = "https://dns.quad9.net/dns-query";
ips = [ "9.9.9.9" "149.112.112.112" ];
}];
blocking = {
blackLists = {
ads = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
"https://github.com/RPiList/specials/raw/master/Blocklisten/malware"
];
telemetry = [
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
"https://github.com/RPiList/specials/raw/master/Blocklisten/MS-Office-Telemetry"
"https://github.com/RPiList/specials/raw/master/Blocklisten/Win10Telemetry"
../../../misc/telemetry.hosts
];
};
clientGroupsBlock.default = [ "ads" "telemetry" ];
};
# disable caching (use unbound)
caching = {
minTime = -1;
maxTime = -1;
cacheTimeNegative = -1;
prefetching = false;
};
ports = {
dns = 53;
http = "127.0.0.1:4000";
};
prometheus.enable = true;
queryLog = {
type = "console";
};
};
};
# services.prometheus = {
# enable = true;
# listenAddress = "127.0.0.1";
# globalConfig.scrape_interval = "15s";
# globalConfig.evaluation_interval = "15s";
# scrapeConfigs = [{
# job_name = "blocky";
# static_configs = [{
# targets = [ config.services.blocky.settings.ports.http ];
# }];
# }];
# };
# services.grafana = {
# enable = true;
# settings = {
# analytics.reporting_enabled = false;
# server = {
# enable_gzip = true;
# domain = "localhost";
# http_addr = "0.0.0.0";
# http_port = 3000;
# };
# # Grafana can be accessed only through wireguard, so it's secure enough
# security = {
# admin_user = "admin";
# admin_password = "admin";
# };
# panels.disable_sanitize_html = true;
# };
# provision = {
# enable = true;
# datasources.settings = {
# datasources = [{
# name = "Prometheus";
# type = "prometheus";
# access = "proxy";
# orgId = 1;
# uid = "Y4SSG429DWCGDQ3R";
# url = "http://127.0.0.1:${toString config.services.prometheus.port}";
# isDefault = true;
# jsonData = {
# graphiteVersion = "1.1";
# tlsAuth = false;
# tlsAuthWithCACert = false;
# };
# version = 1;
# editable = true;
# }];
# };
# dashboards = {
# settings = {
# providers = [{
# name = "My Dashboards";
# options.path = "/etc/grafana-dashboards";
# }];
# };
# };
# };
# };
# environment.etc = {
# "grafana-dashboards/blocky_rev3.json" = {
# source = ../../../misc/grafana_blocky_rev3.json;
# group = "grafana";
# user = "grafana";
# };
# };
persist.state.directories = [
"/var/lib/grafana"
"/var/lib/prometheus2"
"/var/lib/redis-unbound"
"/var/lib/unbound"
];
}

38
machines/NixOS-VPS/services/tailscale.nix
View File

@ -1,38 +0,0 @@
{ config, inputs, ... }:
let
bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
tailscalePort = config.services.tailscale.port;
tailscaleIfname = config.services.tailscale.interfaceName;
ssPort1 = 2234;
ssPort2 = 2235;
in {
imports = [ inputs.ataraxiasjel-nur.nixosModules.rinetd ];
networking.firewall.trustedInterfaces = [ tailscaleIfname ];
networking.firewall.interfaces.${bridgeName} = {
allowedUDPPorts = [ tailscalePort ];
allowedTCPPorts = [ ssPort1 ssPort2 ];
};
systemd.network.networks."50-tailscale" = {
matchConfig.Name = tailscaleIfname;
linkConfig.Unmanaged = true;
linkConfig.ActivationPolicy = "manual";
};
services.tailscale = {
enable = true;
port = 18491;
useRoutingFeatures = "both";
};
persist.state.directories = [ "/var/lib/tailscale" ];
services.rinetd = {
enable = true;
settings = ''
0.0.0.0 ${toString ssPort1} 100.64.0.2 ${toString ssPort1}
0.0.0.0 ${toString ssPort2} 100.64.0.3 ${toString ssPort2}
'';
};
}

46
machines/NixOS-VPS/services/tor-bridge.nix
View File

@ -1,46 +0,0 @@
{ pkgs, ... }:
let
inherit (import ../hardware/networks.nix) interfaces;
bridgeName = interfaces.main'.bridgeName;
obfs4Port = 18371;
orPort = 17429;
in {
networking.firewall.interfaces.${bridgeName} = {
allowedTCPPorts = [ obfs4Port orPort ];
};
# We can get bridge cert from file: /var/lib/tor/pt_state/obfs4_bridgeline.txt
# Fingerprint can be obtained from tor.service logs
services.tor = {
enable = true;
enableGeoIP = true;
client.enable = false;
relay.enable = true;
relay.role = "private-bridge";
settings = {
BridgeDistribution = "none";
BridgeRelay = true;
ContactInfo = "admin@ataraxiadev.com";
ORPort = [ orPort ];
ServerTransportListenAddr = "obfs4 0.0.0.0:${toString obfs4Port}";
Nickname = "Ataraxia";
};
};
services.networkd-dispatcher = {
enable = true;
rules."restart-tor" = {
onState = [ "routable" "off" ];
script = ''
#!${pkgs.runtimeShell}
if [[ $IFACE == "${bridgeName}" && $AdministrativeState == "configured" ]]; then
echo "Restarting Tor ..."
systemctl restart tor
fi
exit 0
'';
};
};
persist.state.directories = [ "/var/lib/tor" ];
}

132
machines/NixOS-VPS/services/wireguard.nix
View File

@ -1,132 +0,0 @@
{ lib, pkgs, ... }:
let
inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers hasIPv6;
wireguardIFName = interfaces.wireguard0.ifname;
in {
# Sometimes we need to disable checksum validation
# ethtool -K br0 tx off rx off
# ethtool -K enp0s1 tx off rx off
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.firewall = {
allowedUDPPorts = [ wireguardPort ];
checkReversePath = lib.mkForce false;
};
boot.kernelModules = [ "wireguard" ];
systemd.network = {
wait-online.ignoredInterfaces = [ wireguardIFName ];
networks."90-${wireguardIFName}" = with interfaces.wireguard0; {
matchConfig.Name = wireguardIFName;
address = [
"${IPv4.address}/16"
] ++ lib.optionals hasIPv6 [
"${IPv6.address}/64"
];
DHCP = "no";
networkConfig = {
IPForward = true;
IPMasquerade = "both";
DNS = interfaces.main'.IPv4.dns ++ lib.optionals hasIPv6 interfaces.main'.IPv6.dns;
};
};
netdevs."90-${wireguardIFName}" = {
netdevConfig = {
Name = wireguardIFName;
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = "/srv/wireguard/private";
ListenPort = wireguardPort;
};
wireguardPeers = [
{
wireguardPeerConfig = with wireguardPeers.ataraxia; {
PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
PresharedKeyFile = "/srv/wireguard/ataraxia/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.hypervisor; {
PublicKey = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o=";
PresharedKeyFile = "/srv/wireguard/hypervisor/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.mikrotik; {
PublicKey = "amReLTZgu6pwtKCnk1q8EG5uZSgUNxRoh5m3w1D3rQo=";
PresharedKeyFile = "/srv/wireguard/mikrotik/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.poco; {
PublicKey = "ZbBJziuMjyHJNcgrLYIQtio7l3fEOJ4GXW4ST+N9V34=";
PresharedKeyFile = "/srv/wireguard/poco/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.kpoxa; {
PublicKey = "U1wtbS8/yQGkBnBQUZs7KxxmvAajKb9jh83dDd2LdgE=";
PresharedKeyFile = "/srv/wireguard/kpoxa/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.kpoxa2; {
PublicKey = "ghU3Puwz5PeXmnDlxyh+IeuwFK44V3rXlMiFGs5YnwI=";
PresharedKeyFile = "/srv/wireguard/kpoxa2/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.faysss; {
PublicKey = "JLvKyFwI7b9MsiZsnNAt3qs5ob18b3mrOZKR5HZCORY=";
PresharedKeyFile = "/srv/wireguard/faysss/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.faysss2; {
PublicKey = "S6k9l0K5/YmO5BPETQludC1CBHsKLsk9+n6kwSjx4n8=";
PresharedKeyFile = "/srv/wireguard/faysss2/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.faysss3; {
PublicKey = "ka42gE67gShu88Ko7iQ/pK8zusod6bNIrIN8fkxVkC4=";
PresharedKeyFile = "/srv/wireguard/faysss3/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.doste; {
PublicKey = "KVbEaO4DSpTb941zxOPQLWq2Glm9CDgK/9MwW95WuC0=";
PresharedKeyFile = "/srv/wireguard/doste/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.dell; {
PublicKey = "//ss9UEHRFEZL4LbZaA1HiRUrMrn97kc7CmblUORXTc=";
PresharedKeyFile = "/srv/wireguard/dell/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.hypervisor-dns; {
PublicKey = "x4uavQEEfhdqNC4FCOPfKlEDRJiwOz4dy2W1KhJtnwc=";
PresharedKeyFile = "/srv/wireguard/hypervisor-dns/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
];
};
};
}

96
machines/NixOS-VPS/services/xtls.nix
View File

@ -1,96 +0,0 @@
{ config, pkgs, inputs, modulesPath, ... }:
let
inherit (pkgs.hostPlatform) system;
cert-key = config.sops.secrets."cert.key".path;
cert-pem = config.sops.secrets."cert.pem".path;
nginx-conf = config.sops.secrets."nginx.conf".path;
marzban-env = config.sops.secrets.marzban.path;
fqdn = "wg.ataraxiadev.com";
in {
disabledModules = [ "${modulesPath}/services/web-apps/ocis.nix" ];
imports = [ inputs.ataraxiasjel-nur.nixosModules.ocis ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
sops.secrets = let
nginx = {
sopsFile = inputs.self.secretsDir + /nixos-vps/nginx.yaml;
restartUnits = [ "podman-nginx.service" ];
};
marzban = {
format = "dotenv";
sopsFile = inputs.self.secretsDir + /nixos-vps/marzban.env;
restartUnits = [ "podman-marzban.service" ];
};
cf-dns-api = {
sopsFile = inputs.self.secretsDir + /misc.yaml;
owner = "acme";
};
in {
"cert.key" = nginx;
"cert.pem" = nginx;
"nginx.conf" = nginx;
inherit cf-dns-api marzban;
};
virtualisation.oci-containers.containers = {
marzban = {
autoStart = true;
image = "ghcr.io/gozargah/marzban:v0.7.0";
environmentFiles = [ marzban-env ];
extraOptions = [ "--network=host" ];
volumes = [
"/srv/marzban:/var/lib/marzban"
];
};
nginx = {
autoStart = true;
image = "docker.io/nginx:latest";
extraOptions = [ "--network=host" ];
volumes = [
"${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
"${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
"${config.security.acme.certs.${fqdn}.directory}/fullchain.pem:/etc/ssl/certs/cert.pem:ro"
"${config.security.acme.certs.${fqdn}.directory}/key.pem:/etc/ssl/certs/cert.key:ro"
"${nginx-conf}:/etc/nginx/nginx.conf:ro"
];
};
};
services.ocis = {
enable = true;
package = inputs.ataraxiasjel-nur.packages.${system}.ocis-bin;
configDir = "/srv/ocis/config";
baseDataPath = "/srv/ocis/data";
environment = {
OCIS_INSECURE = "false";
OCIS_URL = "https://cloud.ataraxiadev.com";
PROXY_HTTP_ADDR = "127.0.0.1:9200";
PROXY_TLS = "false";
};
};
systemd.tmpfiles.rules = [
"d /srv/marzban 0755 root root -"
];
# OpenConnect
security.acme = {
acceptTerms = true;
defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
defaults.email = "admin@ataraxiadev.com";
defaults.renewInterval = "weekly";
certs = {
${fqdn} = {
extraDomainNames = [
"auth.ataraxiadev.com"
"doh.ataraxiadev.com"
];
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;
reloadServices = [ "podman-nginx.service" ];
};
};
};
persist.state.directories = [ "/var/lib/acme" ];
}

1
machines/NixOS-VPS/system
View File

@ -1 +0,0 @@
x86_64-linux