feat: add marzban, nginx, ocis with secrets for redshift

2025-03-10 20:01:44 +03:00 · 2025-03-10 20:01:44 +03:00 · 3f16fdab87
commit 3f16fdab87
parent bf9584b0f1
4 changed files with 131 additions and 0 deletions
--- a/hosts/redshift/default.nix
+++ b/hosts/redshift/default.nix
@ -9,6 +9,7 @@
    (modulesPath + "/profiles/qemu-guest.nix")

    ./disk-config.nix
+    ./services.nix
  ];

  ataraxia.defaults.role = "server";
--- a/hosts/redshift/services.nix
+++ b/hosts/redshift/services.nix
@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  pkgs,
+  secretsDir,
+  ...
+}:
+let
+  cert-key = config.sops.secrets."cert.key".path;
+  cert-pem = config.sops.secrets."cert.pem".path;
+  nginx-conf = config.sops.secrets."nginx.conf".path;
+  marzban-env = config.sops.secrets.marzban.path;
+  cfgOcis = config.services.ocis;
+in
+{
+  # Tailscale exit-node
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "both";
+  };
+
+  # Empty ocis in front
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+  services.ocis.enable = true;
+  services.ocis.url = "https://cloud.ataraxiadev.com";
+  services.ocis.configDir = "/var/lib/ocis/config";
+  systemd.services.ocis.serviceConfig.ReadOnlyPaths = lib.mkForce [ ];
+  systemd.services.ocis.serviceConfig.ExecStartPre = pkgs.writeShellScript "ocis-init" ''
+    ${lib.getExe cfgOcis.package} init --force-overwrite --insecure true --config-path ${config.services.ocis.configDir}
+  '';
+
+  # Marzban
+  sops.secrets =
+    let
+      nginx = {
+        sopsFile = secretsDir + /redshift/nginx.yaml;
+        restartUnits = [ "podman-nginx.service" ];
+      };
+      marzban = {
+        format = "dotenv";
+        sopsFile = secretsDir + /redshift/marzban.env;
+        restartUnits = [ "podman-marzban.service" ];
+      };
+    in
+    {
+      "cert.key" = nginx;
+      "cert.pem" = nginx;
+      "nginx.conf" = nginx;
+      inherit marzban;
+    };
+
+  virtualisation.oci-containers.containers = {
+    marzban = {
+      autoStart = true;
+      # Tags: v0.8.4
+      image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
+      environmentFiles = [ marzban-env ];
+      extraOptions = [ "--network=host" ];
+      volumes = [
+        "/srv/marzban:/var/lib/marzban"
+      ];
+    };
+    nginx = {
+      autoStart = true;
+      # Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
+      image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
+      extraOptions = [ "--network=host" ];
+      volumes = [
+        "${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
+        "${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
+        "${nginx-conf}:/etc/nginx/nginx.conf:ro"
+      ];
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${cfgOcis.configDir} 0700 ${cfgOcis.user} ${cfgOcis.group} -"
+    "d /srv/marzban 0755 root root -"
+  ];
+}
--- a/secrets/redshift/marzban.env
+++ b/secrets/redshift/marzban.env
@ -0,0 +1,14 @@
+SUDO_USERNAME=ENC[AES256_GCM,data:4QMSmmaPB10=,iv:KveMQ+EdfltGzQRRA+cm1MaRlsLypOhlWHdCumHLQS4=,tag:v30WjSutCxO9LDv3wFZHMA==,type:str]
+SUDO_PASSWORD=ENC[AES256_GCM,data:IPJGUQiB6jMObUsUdw==,iv:N9cw9aGkmgIYmmrNkQYQ5PFdrmYKC8Tdgr4yb/96U5A=,tag:/yYIC/rKCttSgBBGvjCe2A==,type:str]
+#ENC[AES256_GCM,data:P0rsl7K5MZceskgE/JrUlB7vTlKh0kP5Al1lH1CBUZKeVVGdbfW/VOy6CkNo8QuOUQqkzWocH0TNKzSEBw8et6s=,iv:uxHc50I95zeI/jkC60HOfzgftDBxdQM1/wqb8emrTSc=,tag:JaeHm9KAbh/KS+TIRrfWlw==,type:comment]
+#ENC[AES256_GCM,data:u8NnWvULwXIg0mqTlPoOlpBgWn6LU+zsrd4P,iv:MxUYe7rI7u98wnKD1ichiYeTw/o5+E2c+22qTXRZTSI=,tag:DgkxQNi6EItuRl+av6rH3Q==,type:comment]
+SQLALCHEMY_DATABASE_URL=ENC[AES256_GCM,data:bQJGB/c/pTuAPev2zxcLu1cNg2TmlHH9iY2kQH4qfqRwh/Fcjg==,iv:CeQZ8qcNLiVgtGI/4Egod6VaXamCfAKHi4jrgzXKl9Q=,tag:VX0J3r6RjnS5utJ/UDK1hQ==,type:str]
+XRAY_JSON=ENC[AES256_GCM,data:28Wkv4CG4hpG9h51d2ge3AUO2MdVuRBjPuw1bxFwYqhT,iv:MooWqI5QCmk0JXWdKxA40UIFaaIxG3EakMQ1jBH8TVI=,tag:Fmnqdg9mvRVvm/0O7VNFGw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxV1VPQ2V5WjltK0JDUXhU\nWENHRUxFS0M1RjJjekNYeHlSSlhmNmE4eEUwCnpMWStLd1B6Q29DWTJLbURGdTJk\ndHY0RHFRRmFEaFNpOUxROTVWK0V6UmsKLS0tIEI0blZ1SlhBV3lpdGlGTWtWd3F1\nK0hNQjFDMG1sTWJCNFp1OE1kdlpydHcKzjus65hl6IVKdgS18xY20dgG+Blm15NE\nwf31QfHahDdY4r8DviX2/algiELvbTWNBicDOjvoiyhItPRX+9nN3Q==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1n0prg9vynuwc56gn0xfe5qde8wqcd4uzg5ghhhetu2024ckvjyvqxf49el
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUbmlBd3FJcjMyVldhL3BG\nc2s3YnlCenRNdXJ2VVlnU0lTZUU3MUh1TVZFClArSlM5Ylhya2JHT3RQQkZFRXVH\nblgwR0dJdmdOTUxsZERBc3pYbld0NncKLS0tIGc3bTdxbGg5cGdYYThwMkR2RlRF\ndTlNWGhoeXBueVZtbjdYS2JCVVpwSmsKzujU4pXFhI3Sa4TSYZRgkMpOqdKN7+jT\nTi8zqO0oRQAMnIAq+AYiMDIgi/ngiAxo5HeTIM2wZ7oRX6XsPZKH/w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1d4mqql020mpne9r3vtt4l9ywfzfq7zpa3mad33syxln2kldkjsxqgju90f
+sops_lastmodified=2024-02-27T16:26:33Z
+sops_mac=ENC[AES256_GCM,data:bWpVRMOaYvvOFMWksVXSPWmG5l/XDCSnnLovuf1cgn98yabzbYheBchhb3sgM3PWG2P/NwnxM3krVPdUMJ7vQVMp5uAph53rVRdmgUDXAEaRGkRzR4nAIi8eDKc1C/a+ifxNjsi2VOS0+rSdWOtUa1jdQx23tvACz1NXGw3G7SI=,iv:s6vfppM8PRA+ryzMvDSklH7HwgbDjCyK0/QHp+/2UNs=,tag:OwtdXGrP9XAREPbvbxqWUw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1
--- a/secrets/redshift/nginx.yaml
+++ b/secrets/redshift/nginx.yaml