AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

move headscale and authentik to home-hypervisor

Browse Source
This commit is contained in:
Dmitriy Kholkin 2023-10-13 19:44:48 +03:00
parent 447ad74b1c
commit 9f0892d904
11 changed files with 83 additions and 318 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
machines/Home-Hypervisor/default.nix
View File

@ -48,6 +48,11 @@ in {
inherit config; inherit config;
inherit (import ./dns-mapping.nix) dns-mapping; inherit (import ./dns-mapping.nix) dns-mapping;
}) })
(import customProfiles.headscale {
inherit config pkgs;
inherit (import ./dns-headscale.nix) dns-mapping;
})
]; ];
deviceSpecific.devInfo = { deviceSpecific.devInfo = {

4
machines/NixOS-VPS/hardware/dns-mapping.nix → machines/Home-Hypervisor/dns-headscale.nix
View File

@ -2,7 +2,7 @@
dns-mapping = [ dns-mapping = [
{ name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } { name = "ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } { name = "api.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; } { name = "auth.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "bathist.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } { name = "bathist.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "browser.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } { name = "browser.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; } { name = "cache.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@ -47,7 +47,7 @@
{ name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } { name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } { name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; } { name = "auth.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "bathist.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } { name = "bathist.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "browser.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } { name = "browser.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; } { name = "cache.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }

5
machines/Home-Hypervisor/dns-mapping.nix
View File

@ -2,8 +2,6 @@
dns-mapping = { dns-mapping = {
customDNS = { customDNS = {
mapping = { mapping = {
"anime.ataraxiadev.com" = "193.219.97.142";
"auth.ataraxiadev.com" = "193.219.97.142";
"coturn.pve" = "192.168.0.20"; "coturn.pve" = "192.168.0.20";
"matrix.pve" = "192.168.0.11"; "matrix.pve" = "192.168.0.11";
"monero.pve" = "192.168.0.13"; "monero.pve" = "192.168.0.13";
@ -13,7 +11,6 @@
"sd.ataraxiadev.com" = "192.168.0.100"; "sd.ataraxiadev.com" = "192.168.0.100";
"static.powernet.com.ru" = "10.200.201.167"; "static.powernet.com.ru" = "10.200.201.167";
"tinyproxy.pve" = "192.168.0.9"; "tinyproxy.pve" = "192.168.0.9";
"wg.ataraxiadev.com" = "193.219.97.142";
}; };
}; };
conditional = { conditional = {
@ -21,6 +18,7 @@
rewrite = { rewrite = {
"api.ataraxiadev.com" = "ataraxiadev.com"; "api.ataraxiadev.com" = "ataraxiadev.com";
"ataraxiadev.com" = "nginx.pve"; "ataraxiadev.com" = "nginx.pve";
"auth.ataraxiadev.com" = "ataraxiadev.com";
"bathist.ataraxiadev.com" = "bathist.ataraxiadev.com"; "bathist.ataraxiadev.com" = "bathist.ataraxiadev.com";
"browser.ataraxiadev.com" = "ataraxiadev.com"; "browser.ataraxiadev.com" = "ataraxiadev.com";
"cache.ataraxiadev.com" = "ataraxiadev.com"; "cache.ataraxiadev.com" = "ataraxiadev.com";
@ -61,6 +59,7 @@
"turn.ataraxiadev.com" = "coturn.pve"; "turn.ataraxiadev.com" = "coturn.pve";
"vw.ataraxiadev.com" = "ataraxiadev.com"; "vw.ataraxiadev.com" = "ataraxiadev.com";
"webmail.ataraxiadev.com" = "ataraxiadev.com"; "webmail.ataraxiadev.com" = "ataraxiadev.com";
"wg.ataraxiadev.com" = "ataraxiadev.com";
"wiki.ataraxiadev.com" = "ataraxiadev.com"; "wiki.ataraxiadev.com" = "ataraxiadev.com";
"www.ataraxiadev.com" = "ataraxiadev.com"; "www.ataraxiadev.com" = "ataraxiadev.com";
}; };

9
machines/NixOS-VPS/default.nix
View File

@ -7,19 +7,13 @@
./hardware ./hardware
./network.nix ./network.nix
./nix.nix ./nix.nix
./services/authentik.nix
./services/backups.nix ./services/backups.nix
./services/dns.nix ./services/dns.nix
./services/nginx.nix ./services/tailscale.nix
./services/tor-bridge.nix ./services/tor-bridge.nix
./services/wireguard.nix ./services/wireguard.nix
./services/xtls.nix ./services/xtls.nix
(import ./services/headscale.nix {
inherit config lib pkgs;
inherit (import ./hardware/dns-mapping.nix) dns-mapping;
})
customModules.devices customModules.devices
customModules.users customModules.users
@ -45,6 +39,7 @@
"vm.dirty_ratio" = 40; "vm.dirty_ratio" = 40;
"vm.page-cluster" = 0; "vm.page-cluster" = 0;
"net.ipv4.tcp_congestion_control" = "bbr"; "net.ipv4.tcp_congestion_control" = "bbr";
"net.ipv4.tcp_slow_start_after_idle" = 0;
"net.core.default_qdisc" = "cake"; "net.core.default_qdisc" = "cake";
# "net.core.default_qdisc" = "fq"; # "net.core.default_qdisc" = "fq";
}; };

133
machines/NixOS-VPS/services/authentik.nix
View File

@ -1,133 +0,0 @@
{ config, pkgs, lib, inputs, ... }:
let
backend = config.virtualisation.oci-containers.backend;
data-dir = "/srv/authentik";
pod-name = "authentik-pod";
open-ports = [
# authentik
"127.0.0.1:9000:9000/tcp" "127.0.0.1:9443:9443/tcp"
# ldap
"127.0.0.1:389:3389/tcp" "127.0.0.1:636:6636/tcp"
];
owner = "1000";
authentik-version = "2023.8.3";
in {
services.nginx.virtualHosts."auth.ataraxiadev.com" = {
forceSSL = true;
enableACME = false;
useACMEHost = "wg.ataraxiadev.com";
locations."/" = {
proxyPass = "http://127.0.0.1:9000";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
'';
};
};
virtualisation.oci-containers.containers = {
authentik-postgresql = {
autoStart = true;
image = "docker.io/library/postgres:12-alpine";
extraOptions = [ "--pod=${pod-name}" ];
environmentFiles = [ "${data-dir}/env" ];
volumes = [
"${data-dir}/db:/var/lib/postgresql/data"
];
};
authentik-redis = {
autoStart = true;
image = "docker.io/library/redis:alpine";
cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
extraOptions = [ "--pod=${pod-name}" ];
volumes = [
"${data-dir}/redis:/data"
];
};
authentik-server = {
autoStart = true;
dependsOn = [ "authentik-postgresql" "authentik-redis" ];
image = "ghcr.io/goauthentik/server:${authentik-version}";
cmd = [ "server" ];
extraOptions = [ "--pod=${pod-name}" ];
environment = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
};
environmentFiles = [ "${data-dir}/env" ];
volumes = [
"${data-dir}/media:/media"
"${data-dir}/custom-templates:/templates"
];
};
authentik-worker = {
autoStart = true;
dependsOn = [ "authentik-server" ];
image = "ghcr.io/goauthentik/server:${authentik-version}";
cmd = [ "worker" ];
extraOptions = [ "--pod=${pod-name}" ];
environment = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "authentik-postgresql";
};
environmentFiles = [ "${data-dir}/env" ];
# user = "root";
volumes = [
# "/var/run/${backend}/${backend}.sock"
"${data-dir}/media:/media"
"${data-dir}/certs:/certs"
"${data-dir}/custom-templates:/templates"
];
};
authentik-ldap = {
autoStart = true;
dependsOn = [ "authentik-server" ];
image = "ghcr.io/goauthentik/ldap:${authentik-version}";
extraOptions = [ "--pod=${pod-name}" ];
environment = {
AUTHENTIK_HOST = "https://auth.ataraxiadev.com";
AUTHENTIK_INSECURE = "false";
};
environmentFiles = [ "${data-dir}/ldap" ];
};
};
systemd.tmpfiles.rules = [
"d ${data-dir}/db 0700 70 root -"
"d ${data-dir}/redis 0755 999 root -"
"d ${data-dir}/media 0755 ${owner} ${owner} -"
"d ${data-dir}/certs 0755 ${owner} ${owner} -"
"d ${data-dir}/custom-templates 0755 ${owner} ${owner} -"
];
systemd.services."podman-create-${pod-name}" = let
portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
start = pkgs.writeShellScript "create-pod" ''
podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping}
'';
stop = "podman pod rm -i -f ${pod-name}";
in rec {
path = [ pkgs.coreutils config.virtualisation.podman.package ];
before = [
"${backend}-authentik-postgresql.service"
"${backend}-authentik-redis.service"
"${backend}-authentik-server.service"
"${backend}-authentik-worker.service"
"${backend}-authentik-ldap.service"
];
requiredBy = before;
partOf = before;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = start;
ExecStop = stop;
};
};
}

2
machines/NixOS-VPS/services/backups.nix
View File

@ -6,7 +6,7 @@
paths = [ paths = [
"/srv" "/srv"
"/var/lib/acme" "/var/lib/acme"
"/var/lib/headscale" # "/var/lib/headscale"
"/var/lib/redis-unbound" "/var/lib/redis-unbound"
"/var/lib/tailscale" "/var/lib/tailscale"
"/var/lib/tor" "/var/lib/tor"

1
machines/NixOS-VPS/services/dns.nix
View File

@ -29,7 +29,6 @@ in {
services.unbound = { services.unbound = {
enable = true; enable = true;
package = pkgs.unbound-full; package = pkgs.unbound-full;
# package = (pkgs.unbound-with-systemd.override { withRedis = true; });
settings = { settings = {
server = { server = {
root-hints = "${config.services.unbound.stateDir}/root.hints"; root-hints = "${config.services.unbound.stateDir}/root.hints";

88
machines/NixOS-VPS/services/nginx.nix
View File

@ -1,88 +0,0 @@
{ config, pkgs, lib, ... }: {
security.acme = {
acceptTerms = true;
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
defaults.email = "admin@ataraxiadev.com";
defaults.renewInterval = "weekly";
certs = {
"wg.ataraxiadev.com" = {
webroot = "/var/lib/acme/acme-challenge";
extraDomainNames = [
"anime.ataraxiadev.com"
"auth.ataraxiadev.com"
];
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
group = "acme";
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
# recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
appendConfig = ''
worker_processes auto;
'';
appendHttpConfig = ''
map $proxy_protocol_addr $proxy_forwarded_elem {
~^[0-9.]+$ "for=$proxy_protocol_addr";
~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
default "$proxy_forwarded_elem";
}
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
'';
eventsConfig = ''
worker_connections 1024;
'';
streamConfig = ''
map $ssl_preread_server_name $name {
auth.ataraxiadev.com auth_backend;
wg.ataraxiadev.com wg_backend;
anime.ataraxiadev.com anime_backend;
default default_backend;
}
upstream auth_backend {
server 127.0.0.1:8010;
}
upstream wg_backend {
server 127.0.0.1:8011;
}
upstream anime_backend {
server 127.0.0.1:8001;
}
upstream default_backend {
server 127.0.0.1:8020;
}
server {
listen 443 reuseport;
listen [::]:443 reuseport;
proxy_pass $name;
ssl_preread on;
proxy_protocol on;
}
'';
virtualHosts."reject" = {
listen = [{
addr = "127.0.0.1";
port = 8020;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}];
rejectSSL = true;
};
};
}

21
machines/NixOS-VPS/services/tailscale.nix Normal file
View File

@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
let
bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
tailscalePort = config.services.tailscale.port;
tailscaleIfname = config.services.tailscale.interfaceName;
in {
networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
networking.firewall.trustedInterfaces = [ tailscaleIfname ];
systemd.network.networks."50-tailscale" = {
matchConfig.Name = tailscaleIfname;
linkConfig.Unmanaged = true;
linkConfig.ActivationPolicy = "manual";
};
services.tailscale = {
enable = true;
port = 18491;
useRoutingFeatures = "both";
};
}

93
machines/NixOS-VPS/services/xtls.nix
View File

@ -1,60 +1,45 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
services.nginx.virtualHosts."anime.ataraxiadev.com" = { networking.firewall.allowedTCPPorts = [ 80 443 ];
onlySSL = true;
enableACME = false; virtualisation.oci-containers.containers = {
useACMEHost = "wg.ataraxiadev.com"; nextcloud = {
listen = [{ autoStart = true;
addr = "127.0.0.1"; image = "docker.io/nextcloud:stable";
port = 8002; ports = [ "9765:80" ];
ssl = true; volumes = [
extraParameters = [ "proxy_protocol" ]; "/srv/nextcloud/html:/var/www/html"
}]; "/srv/nextcloud/config:/var/www/html/config"
extraConfig = '' "/srv/nextcloud/data:/var/www/html/data"
set_real_ip_from 127.0.0.1; ];
real_ip_header proxy_protocol;
ssl_early_data on;
resolver 127.0.0.1 valid=60s;
resolver_timeout 2s;
'';
locations."/" = {
proxyPass = "https://monster-siren.hypergryph.com";
proxyWebsockets = true;
extraConfig = ''
sub_filter $proxy_host $host;
sub_filter_once off;
proxy_set_header Host $proxy_host;
proxy_cache_bypass $http_upgrade;
proxy_ssl_server_name on;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_set_header Early-Data $ssl_early_data;
'';
};
}; };
x-ui = {
autoStart = true;
image = "ghcr.io/mhsanaei/3x-ui:v1.7.8";
environment = {
XRAY_VMESS_AEAD_FORCED = "false";
};
extraOptions = [ "--network=host" ];
volumes = [
"/srv/x-ui/db:/etc/x-ui"
"/srv/x-ui/certs:/root/cert"
];
};
nginx = {
autoStart = true;
image = "docker.io/nginx:latest";
extraOptions = [ "--network=host" ];
volumes = [
"/srv/nginx/certs:/etc/ssl/certs:ro"
"/srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
];
};
};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /srv/xray 0755 root root -" "d /srv/x-ui/db 0755 root root -"
"d /srv/x-ui/certs 0755 root root -"
"d /srv/nextcloud/html 0755 33 33 -"
"d /srv/nextcloud/config 0755 33 33 -"
"d /srv/nextcloud/data 0755 33 33 -"
]; ];
services.xray.enable = true;
services.xray.settingsFile = "/srv/xray/config.json";
systemd.services.xray.serviceConfig = {
Group = "acme";
User = "xray";
DynamicUser = lib.mkForce false;
CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];
};
users.users.xray = {
isSystemUser = true;
group = "acme";
};
} }

40
machines/NixOS-VPS/services/headscale.nix → profiles/servers/headscale.nix
View File

@ -1,24 +1,13 @@
{ config, pkgs, lib, dns-mapping ? {}, ... }: { config, pkgs, dns-mapping ? {}, ... }:
let let
domain = (import ../hardware/networks.nix).domain; domain = "wg.ataraxiadev.com";
bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
tailscalePort = config.services.tailscale.port;
tailscaleIfname = config.services.tailscale.interfaceName;
in { in {
networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
networking.firewall.trustedInterfaces = [ tailscaleIfname ];
systemd.network.networks."50-tailscale" = {
matchConfig.Name = tailscaleIfname;
linkConfig.Unmanaged = true;
linkConfig.ActivationPolicy = "manual";
};
environment.systemPackages = [ config.services.headscale.package ]; environment.systemPackages = [ config.services.headscale.package ];
services.headscale = { services.headscale = {
enable = true; enable = true;
address = "0.0.0.0"; address = "0.0.0.0";
port = 8080; port = 8005;
settings = { settings = {
logtail.enabled = false; logtail.enabled = false;
server_url = "https://${domain}"; server_url = "https://${domain}";
@ -40,26 +29,19 @@ in {
}; };
}; };
}; };
secrets.headscale-oidc = {
owner = "headscale";
services = [ "headscale.service" ];
};
systemd.services.headscale = { systemd.services.headscale = {
serviceConfig.TimeoutStopSec = 10; serviceConfig.TimeoutStopSec = 10;
serviceConfig.EnvironmentFile = "/srv/headscale-oidc"; serviceConfig.TimeoutStartSec = 300;
serviceConfig.EnvironmentFile = config.secrets.headscale-oidc.decrypted;
serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" '' serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" ''
until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done
''); '');
}; };
services.tailscale = { persist.state.directories = [ "/var/lib/headscale" ];
enable = true;
port = 18491;
useRoutingFeatures = "both";
};
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = false;
useACMEHost = "wg.ataraxiadev.com";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
} }