diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix index 32d2bfc..c06d8ab 100644 --- a/machines/Home-Hypervisor/default.nix +++ b/machines/Home-Hypervisor/default.nix @@ -48,6 +48,11 @@ in { inherit config; inherit (import ./dns-mapping.nix) dns-mapping; }) + + (import customProfiles.headscale { + inherit config pkgs; + inherit (import ./dns-headscale.nix) dns-mapping; + }) ]; deviceSpecific.devInfo = { diff --git a/machines/NixOS-VPS/hardware/dns-mapping.nix b/machines/Home-Hypervisor/dns-headscale.nix similarity index 99% rename from machines/NixOS-VPS/hardware/dns-mapping.nix rename to machines/Home-Hypervisor/dns-headscale.nix index 16d6135..04f98ee 100644 --- a/machines/NixOS-VPS/hardware/dns-mapping.nix +++ b/machines/Home-Hypervisor/dns-headscale.nix @@ -2,7 +2,7 @@ dns-mapping = [ { name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } { name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } - { name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; } + { name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } { name = "bathist.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } { name = "browser.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } { name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } @@ -47,7 +47,7 @@ { name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } { name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } - { name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; } + { name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } { name = "bathist.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } { name = "browser.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } { name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } 
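Review bot: Both `auth.ataraxiadev.com` records in this file now point at the same tailnet node as the rest of the zone (`100.64.0.3` / `fd7a:115c:a1e0::3`), and that name is also the OIDC issuer that `profiles/servers/headscale.nix` waits on before starting, so for tailnet clients the identity provider is only reachable through the overlay it gates. A device that has not registered yet has no tailnet DNS and resolves the OIDC redirect publicly, so the public `auth.` record must keep pointing at something that serves it — nothing in this diff shows where that is once the VPS vhost is gone. If this list is what headscale serves as extra DNS records (presumably; the consuming option is outside the hunk), a header comment such as `# Split-horizon records pushed to tailnet clients; 100.64.0.3 is the home reverse proxy, public DNS stays authoritative for everything else` would make the next single-IP edit a deliberate one.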
diff --git a/machines/Home-Hypervisor/dns-mapping.nix b/machines/Home-Hypervisor/dns-mapping.nix index 5cddf98..631a4fe 100644 --- a/machines/Home-Hypervisor/dns-mapping.nix +++ b/machines/Home-Hypervisor/dns-mapping.nix @@ -2,8 +2,6 @@ dns-mapping = { customDNS = { mapping = { - "anime.ataraxiadev.com" = "193.219.97.142"; - "auth.ataraxiadev.com" = "193.219.97.142"; "coturn.pve" = "192.168.0.20"; "matrix.pve" = "192.168.0.11"; "monero.pve" = "192.168.0.13"; @@ -13,7 +11,6 @@ "sd.ataraxiadev.com" = "192.168.0.100"; "static.powernet.com.ru" = "10.200.201.167"; "tinyproxy.pve" = "192.168.0.9"; - "wg.ataraxiadev.com" = "193.219.97.142"; }; }; conditional = { @@ -21,6 +18,7 @@ rewrite = { "api.ataraxiadev.com" = "ataraxiadev.com"; "ataraxiadev.com" = "nginx.pve"; + "auth.ataraxiadev.com" = "ataraxiadev.com"; "bathist.ataraxiadev.com" = "bathist.ataraxiadev.com"; "browser.ataraxiadev.com" = "ataraxiadev.com"; "cache.ataraxiadev.com" = "ataraxiadev.com"; @@ -61,6 +59,7 @@ "turn.ataraxiadev.com" = "coturn.pve"; "vw.ataraxiadev.com" = "ataraxiadev.com"; "webmail.ataraxiadev.com" = "ataraxiadev.com"; + "wg.ataraxiadev.com" = "ataraxiadev.com"; "wiki.ataraxiadev.com" = "ataraxiadev.com"; "www.ataraxiadev.com" = "ataraxiadev.com"; }; diff --git a/machines/NixOS-VPS/default.nix b/machines/NixOS-VPS/default.nix index ad0a9fc..3478910 100644 --- a/machines/NixOS-VPS/default.nix +++ b/machines/NixOS-VPS/default.nix @@ -7,19 +7,13 @@ ./hardware ./network.nix ./nix.nix - ./services/authentik.nix ./services/backups.nix ./services/dns.nix - ./services/nginx.nix + ./services/tailscale.nix ./services/tor-bridge.nix ./services/wireguard.nix ./services/xtls.nix - (import ./services/headscale.nix { - inherit config lib pkgs; - inherit (import ./hardware/dns-mapping.nix) dns-mapping; - }) - customModules.devices customModules.users 
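Review bot: `./services/xtls.nix` stays in the import list, but after this commit that file no longer configures xray or XTLS at all — its hunk further down replaces the xray service with Nextcloud, 3x-ui and nginx containers — so the module name now hides what the VPS actually runs. Rename it to match its contents (for example `./services/containers.nix`, or one file per service) so that a reader scanning this list can tell where the public-facing containers are defined.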
@@ -45,6 +39,7 @@ "vm.dirty_ratio" = 40; "vm.page-cluster" = 0; "net.ipv4.tcp_congestion_control" = "bbr"; + "net.ipv4.tcp_slow_start_after_idle" = 0; "net.core.default_qdisc" = "cake"; # "net.core.default_qdisc" = "fq"; }; diff --git a/machines/NixOS-VPS/services/authentik.nix b/machines/NixOS-VPS/services/authentik.nix deleted file mode 100644 index 294525d..0000000 --- a/machines/NixOS-VPS/services/authentik.nix +++ /dev/null 
@@ -1,133 +0,0 @@ -{ config, pkgs, lib, inputs, ... }: -let - backend = config.virtualisation.oci-containers.backend; - data-dir = "/srv/authentik"; - pod-name = "authentik-pod"; - open-ports = [ - # authentik - "127.0.0.1:9000:9000/tcp" "127.0.0.1:9443:9443/tcp" - # ldap - "127.0.0.1:389:3389/tcp" "127.0.0.1:636:6636/tcp" - ]; - owner = "1000"; - authentik-version = "2023.8.3"; -in { - services.nginx.virtualHosts."auth.ataraxiadev.com" = { - forceSSL = true; - enableACME = false; - useACMEHost = "wg.ataraxiadev.com"; - locations."/" = { - proxyPass = "http://127.0.0.1:9000"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - ''; - }; - }; - - - virtualisation.oci-containers.containers = { - authentik-postgresql = { - autoStart = true; - image = "docker.io/library/postgres:12-alpine"; - extraOptions = [ "--pod=${pod-name}" ]; - environmentFiles = [ "${data-dir}/env" ]; - volumes = [ - "${data-dir}/db:/var/lib/postgresql/data" - ]; - }; - authentik-redis = { - autoStart = true; - image = "docker.io/library/redis:alpine"; - cmd = [ "--save" "60" "1" "--loglevel" "warning" ]; - extraOptions = [ "--pod=${pod-name}" ]; - volumes = [ - "${data-dir}/redis:/data" - ]; - }; - authentik-server = { - autoStart = true; - dependsOn = [ "authentik-postgresql" "authentik-redis" ]; - image = "ghcr.io/goauthentik/server:${authentik-version}"; - cmd = [ "server" ]; - extraOptions = [ "--pod=${pod-name}" ]; - environment = { - AUTHENTIK_REDIS__HOST = "authentik-redis"; - AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql"; - }; - environmentFiles = [ "${data-dir}/env" ]; - volumes = [ - "${data-dir}/media:/media" - "${data-dir}/custom-templates:/templates" - ]; - }; - authentik-worker = { - autoStart = true; - dependsOn = 
[ "authentik-server" ]; - image = "ghcr.io/goauthentik/server:${authentik-version}"; - cmd = [ "worker" ]; - extraOptions = [ "--pod=${pod-name}" ]; - environment = { - AUTHENTIK_REDIS__HOST = "authentik-redis"; - AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql"; - }; - environmentFiles = [ "${data-dir}/env" ]; - # user = "root"; - volumes = [ - # "/var/run/${backend}/${backend}.sock" - "${data-dir}/media:/media" - "${data-dir}/certs:/certs" - "${data-dir}/custom-templates:/templates" - ]; - }; - authentik-ldap = { - autoStart = true; - dependsOn = [ "authentik-server" ]; - image = "ghcr.io/goauthentik/ldap:${authentik-version}"; - extraOptions = [ "--pod=${pod-name}" ]; - environment = { - AUTHENTIK_HOST = "https://auth.ataraxiadev.com"; - AUTHENTIK_INSECURE = "false"; - }; - environmentFiles = [ "${data-dir}/ldap" ]; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${data-dir}/db 0700 70 root -" - "d ${data-dir}/redis 0755 999 root -" - "d ${data-dir}/media 0755 ${owner} ${owner} -" - "d ${data-dir}/certs 0755 ${owner} ${owner} -" - "d ${data-dir}/custom-templates 0755 ${owner} ${owner} -" - ]; - - systemd.services."podman-create-${pod-name}" = let - portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports; - start = pkgs.writeShellScript "create-pod" '' - podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping} - ''; - stop = "podman pod rm -i -f ${pod-name}"; - in rec { - path = [ pkgs.coreutils config.virtualisation.podman.package ]; - before = [ - "${backend}-authentik-postgresql.service" - "${backend}-authentik-redis.service" - "${backend}-authentik-server.service" - "${backend}-authentik-worker.service" - "${backend}-authentik-ldap.service" - ]; - requiredBy = before; - partOf = before; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - ExecStart = start; - ExecStop = stop; - }; - }; -} \ No newline at end of file 
diff --git a/machines/NixOS-VPS/services/backups.nix b/machines/NixOS-VPS/services/backups.nix index a04ea4a..28cdc69 100644 --- a/machines/NixOS-VPS/services/backups.nix +++ b/machines/NixOS-VPS/services/backups.nix @@ -6,7 +6,7 @@ paths = [ "/srv" "/var/lib/acme" - "/var/lib/headscale" + # "/var/lib/headscale" "/var/lib/redis-unbound" "/var/lib/tailscale" "/var/lib/tor" diff --git a/machines/NixOS-VPS/services/dns.nix b/machines/NixOS-VPS/services/dns.nix index 9d1148c..91528ef 100644 --- a/machines/NixOS-VPS/services/dns.nix +++ b/machines/NixOS-VPS/services/dns.nix @@ -29,7 +29,6 @@ in { services.unbound = { enable = true; package = pkgs.unbound-full; - # package = (pkgs.unbound-with-systemd.override { withRedis = true; }); settings = { server = { root-hints = "${config.services.unbound.stateDir}/root.hints"; diff --git a/machines/NixOS-VPS/services/nginx.nix b/machines/NixOS-VPS/services/nginx.nix deleted file mode 100644 index 2e072ee..0000000 --- a/machines/NixOS-VPS/services/nginx.nix +++ /dev/null 
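Review bot: Commenting out `/var/lib/headscale` removes the headscale state from this host's backup set while nothing in the diff adds it to a backup on the new host — `profiles/servers/headscale.nix` only lists it under `persist.state.directories`, which as far as this diff shows persists but does not back up. That directory holds the control plane's private noise key and the node and pre-auth-key database, so losing it forces every tailnet device to re-register. The old copy on the VPS is also not removed by this change; since it contains that same key material, it should be wiped (`rm -rf /var/lib/headscale` once the migration is confirmed) rather than left on the public host. If the path is gone for good, delete the line instead of commenting it so the list keeps describing what is actually backed up.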
@@ -1,88 +0,0 @@ -{ config, pkgs, lib, ... }: { - security.acme = { - acceptTerms = true; - # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; - defaults.email = "admin@ataraxiadev.com"; - defaults.renewInterval = "weekly"; - certs = { - "wg.ataraxiadev.com" = { - webroot = "/var/lib/acme/acme-challenge"; - extraDomainNames = [ - "anime.ataraxiadev.com" - "auth.ataraxiadev.com" - ]; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - services.nginx = { - enable = true; - group = "acme"; - recommendedBrotliSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - # recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedZstdSettings = true; - appendConfig = '' - worker_processes auto; - ''; - appendHttpConfig = '' - map $proxy_protocol_addr $proxy_forwarded_elem { - ~^[0-9.]+$ "for=$proxy_protocol_addr"; - ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\""; - default "for=unknown"; - } - map $http_forwarded $proxy_add_forwarded { - "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; - default "$proxy_forwarded_elem"; - } - server { - listen 80; - listen [::]:80; - return 301 https://$host$request_uri; - } - ''; - eventsConfig = '' - worker_connections 1024; - ''; - streamConfig = '' - map $ssl_preread_server_name $name { - auth.ataraxiadev.com auth_backend; - 
wg.ataraxiadev.com wg_backend;
- anime.ataraxiadev.com anime_backend;
- default default_backend;
- }
- upstream auth_backend {
- server 127.0.0.1:8010;
- }
- upstream wg_backend {
- server 127.0.0.1:8011;
- }
- upstream anime_backend {
- server 127.0.0.1:8001;
- }
- upstream default_backend {
- server 127.0.0.1:8020;
- }
- server {
- listen 443 reuseport;
- listen [::]:443 reuseport;
- proxy_pass $name;
- ssl_preread on;
- proxy_protocol on;
- }
- '';
- virtualHosts."reject" = {
- listen = [{
- addr = "127.0.0.1";
- port = 8020;
- ssl = true;
- extraParameters = [ "proxy_protocol" ];
- }];
- rejectSSL = true;
- };
- };
-}
\ No newline at end of file
diff --git a/machines/NixOS-VPS/services/tailscale.nix b/machines/NixOS-VPS/services/tailscale.nix
new file mode 100644
index 0000000..b0d6ef5
--- /dev/null
+++ b/machines/NixOS-VPS/services/tailscale.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+let
+ bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
+ tailscalePort = config.services.tailscale.port;
+ tailscaleIfname = config.services.tailscale.interfaceName;
+in {
+ networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
+ networking.firewall.trustedInterfaces = [ tailscaleIfname ];
+
+ systemd.network.networks."50-tailscale" = {
+ matchConfig.Name = tailscaleIfname;
+ linkConfig.Unmanaged = true;
+ linkConfig.ActivationPolicy = "manual";
+ };
+
+ services.tailscale = {
+ enable = true;
+ port = 18491;
+ useRoutingFeatures = "both";
+ };
+}
\ No newline at end of file
diff --git a/machines/NixOS-VPS/services/xtls.nix b/machines/NixOS-VPS/services/xtls.nix
index eb710be..0a161de 100644
--- a/machines/NixOS-VPS/services/xtls.nix
+++ b/machines/NixOS-VPS/services/xtls.nix
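Review bot: `networking.firewall.trustedInterfaces = [ tailscaleIfname ]` turns off filtering for everything arriving over the tailnet, which on this VPS now includes the host-networked containers added in `xtls.nix` (the 3x-ui panel and the nginx container), not only tailscale's own traffic. That is acceptable only if the headscale ACL policy — not part of this diff — already restricts which peers may reach this node; otherwise every registered device gets every listening port. A narrower default is `networking.firewall.interfaces.${tailscaleIfname}.allowedTCPPorts = [ … ]` listing just the services meant for peers, while keeping `useRoutingFeatures = "both"` for forwarding. A one-line comment above the setting naming which peers are expected to reach this host would make the trust decision explicit for the next reader.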
@@ -1,60 +1,45 @@ { config, pkgs, lib, ... }: { - services.nginx.virtualHosts."anime.ataraxiadev.com" = { - onlySSL = true; - enableACME = false; - useACMEHost = "wg.ataraxiadev.com"; - listen = [{ - addr = "127.0.0.1"; - port = 8002; - ssl = true; - extraParameters = [ "proxy_protocol" ]; - }]; - extraConfig = '' - set_real_ip_from 127.0.0.1; - real_ip_header proxy_protocol; - ssl_early_data on; - resolver 127.0.0.1 valid=60s; - resolver_timeout 2s; - ''; - locations."/" = { - proxyPass = "https://monster-siren.hypergryph.com"; - proxyWebsockets = true; - extraConfig = '' - sub_filter $proxy_host $host; - sub_filter_once off; - proxy_set_header Host $proxy_host; - proxy_cache_bypass $http_upgrade; - proxy_ssl_server_name on; - proxy_set_header X-Real-IP $proxy_protocol_addr; - proxy_set_header Forwarded $proxy_add_forwarded; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - proxy_set_header Early-Data $ssl_early_data; - ''; - }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + virtualisation.oci-containers.containers = { + nextcloud = { + autoStart = true; + image = "docker.io/nextcloud:stable"; + ports = [ "9765:80" ]; + volumes = [ + "/srv/nextcloud/html:/var/www/html" + "/srv/nextcloud/config:/var/www/html/config" + "/srv/nextcloud/data:/var/www/html/data" + ]; }; + x-ui = { + autoStart = true; + image = "ghcr.io/mhsanaei/3x-ui:v1.7.8"; + environment = { + XRAY_VMESS_AEAD_FORCED = "false"; + }; + extraOptions = [ "--network=host" ]; + volumes = [ + "/srv/x-ui/db:/etc/x-ui" + "/srv/x-ui/certs:/root/cert" + ]; + }; + nginx = { + autoStart = true; + image = "docker.io/nginx:latest"; + extraOptions = [ "--network=host" ]; + volumes = [ + "/srv/nginx/certs:/etc/ssl/certs:ro" + "/srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro" + 
]; + }; + }; systemd.tmpfiles.rules = [ - "d /srv/xray 0755 root root -" + "d /srv/x-ui/db 0755 root root -" + "d /srv/x-ui/certs 0755 root root -" + "d /srv/nextcloud/html 0755 33 33 -" + "d /srv/nextcloud/config 0755 33 33 -" + "d /srv/nextcloud/data 0755 33 33 -" ]; - - services.xray.enable = true; - services.xray.settingsFile = "/srv/xray/config.json"; - systemd.services.xray.serviceConfig = { - Group = "acme"; - User = "xray"; - DynamicUser = lib.mkForce false; - CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ]; - AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ]; - }; - - users.users.xray = { - isSystemUser = true; - group = "acme"; - }; } \ No newline at end of file diff --git a/machines/NixOS-VPS/services/headscale.nix b/profiles/servers/headscale.nix similarity index 50% rename from machines/NixOS-VPS/services/headscale.nix rename to profiles/servers/headscale.nix index c6d02b4..7bb3b18 100644 --- a/machines/NixOS-VPS/services/headscale.nix +++ b/profiles/servers/headscale.nix @@ -1,24 +1,13 @@ -{ config, pkgs, lib, dns-mapping ? {}, ... }: +{ config, pkgs, dns-mapping ? {}, ... }: let - domain = (import ../hardware/networks.nix).domain; - bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName; - tailscalePort = config.services.tailscale.port; - tailscaleIfname = config.services.tailscale.interfaceName; + domain = "wg.ataraxiadev.com"; in { - networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ]; - networking.firewall.trustedInterfaces = [ tailscaleIfname ]; - - systemd.network.networks."50-tailscale" = { - matchConfig.Name = tailscaleIfname; - linkConfig.Unmanaged = true; - linkConfig.ActivationPolicy = "manual"; - }; environment.systemPackages = [ config.services.headscale.package ]; services.headscale = { enable = true; address = "0.0.0.0"; - port = 8080; + port = 8005; settings = { logtail.enabled = false; server_url = "https://${domain}"; 
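Review bot: `ports = [ "9765:80" ]` publishes Nextcloud on every interface, and rootful podman implements port publishing with NAT rules evaluated before the NixOS `networking.firewall` INPUT chain, so this plain-HTTP instance is presumably reachable on the public address even though only 80/443 are opened (depends on the netavark/CNI backend in use); bind it to loopback, `ports = [ "127.0.0.1:9765:80" ];`, and let the nginx container front it. `XRAY_VMESS_AEAD_FORCED = "false"` re-enables the legacy non-AEAD VMess handshake that upstream deprecated for its weak authentication and replay properties; unless a specific old client needs it, drop the variable. `docker.io/nginx:latest` and `docker.io/nextcloud:stable` are floating tags, so a `podman pull` changes what runs without a commit; pin them by digest (`image@sha256:…`) the way `3x-ui` is at least pinned to `v1.7.8`. The cert directories are created `0755 root root` and bind-mounted into root-in-container, host-networked processes; `0700` for `/srv/x-ui/certs` and `/srv/nginx/certs` is the safer default, especially since the `security.acme` configuration that used to provision certificates on this host is removed in the same commit and it is unclear what writes those files now.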
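Review bot: `address = "0.0.0.0"` with `port = 8005` makes the plaintext headscale API listen on every interface of the hypervisor while `server_url` promises `https://wg.ataraxiadev.com`; the nginx vhost and stream backend for that name are deleted elsewhere in this commit and nothing here adds a replacement, so whether anything terminates TLS in front of this port cannot be checked from the diff. If the reverse proxy runs on the same host, bind to `address = "127.0.0.1"`; if it is another VM on the bridge, bind to the bridge address and open the port only via `networking.firewall.interfaces.<bridge>.allowedTCPPorts` instead of listening globally. Hard-coding `domain = "wg.ataraxiadev.com"` in a file under `profiles/` also ties the profile to one deployment; since it already takes `dns-mapping ? {}`, a `domain ? "wg.ataraxiadev.com"` parameter would preserve current behaviour and keep the profile reusable. The enclosing `services.headscale.settings` set continues past the end of this hunk.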
@@ -40,26 +29,19 @@ in { }; }; }; + + secrets.headscale-oidc = { + owner = "headscale"; + services = [ "headscale.service" ]; + }; systemd.services.headscale = { serviceConfig.TimeoutStopSec = 10; - serviceConfig.EnvironmentFile = "/srv/headscale-oidc"; + serviceConfig.TimeoutStartSec = 300; + serviceConfig.EnvironmentFile = config.secrets.headscale-oidc.decrypted; serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" '' until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done ''); }; - services.tailscale = { - enable = true; - port = 18491; - useRoutingFeatures = "both"; - }; - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = false; - useACMEHost = "wg.ataraxiadev.com"; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}"; - proxyWebsockets = true; - }; - }; + persist.state.directories = [ "/var/lib/headscale" ]; } \ No newline at end of file
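Review bot: The `wait-dns.sh` `ExecStartPre` loops until `host auth.ataraxiadev.com` succeeds with no bound of its own, so the new `TimeoutStartSec = 300` converts a persistently failing resolver into a start failure, and with no `Restart=` visible the control plane then stays down until someone intervenes. Consider bounding the loop (`for i in $(seq 60); do host auth.ataraxiadev.com >/dev/null && exit 0; sleep 1; done; exit 1`) and adding `serviceConfig.Restart = "on-failure"` with a `RestartSec`, so transient DNS outages on the hypervisor self-heal. The check only proves the issuer name resolves — it says nothing about the OIDC endpoint answering or presenting a valid certificate — so a comment above the script such as `# Only waits for name resolution; OIDC reachability is first tested at login` would set expectations. Switching `EnvironmentFile` to `config.secrets.headscale-oidc.decrypted` owned by `headscale` is the right direction, but the `secrets.*` module is project-defined and outside this diff, so its file mode defaults cannot be verified here.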