AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

remove suomi-vps

Browse Source
This commit is contained in:
Dmitriy Kholkin 2024-01-13 00:05:18 +03:00
parent d204f871af
commit b2e065a75c
13 changed files with 0 additions and 1096 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
flake.nix
View File

@ -161,15 +161,6 @@
specialArgs = { inherit inputs; };
channelName = "unstable";
};
Suomi-VPS = {
system = builtins.readFile (./machines/Suomi-VPS/system);
modules = [
(import (./machines/Suomi-VPS))
{ device = "Suomi-VPS"; mainuser = "ataraxia"; }
];
specialArgs = { inherit inputs; };
channelName = "vps";
};
NixOS-VPS = {
system = builtins.readFile (./machines/NixOS-VPS/system);
modules = [

240
machines/Suomi-VPS/default.nix
View File

@ -1,240 +0,0 @@
{ modulesPath, inputs, lib, pkgs, config, ... }: {
imports = with inputs.self; [
(modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/profiles/minimal.nix")
inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
./disk-config.nix
./network.nix
./nix.nix
customModules.devices
customModules.persist
customModules.rustic
customModules.users
customProfiles.hardened
./services/backups.nix
./services/dns.nix
./services/tailscale.nix
./services/tor-bridge.nix
./services/wireguard.nix
./services/xtls.nix
];
# Impermanence
boot.initrd = {
# hardware
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
# reset rootfs on reboot
postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -p /mnt
mount -o subvol=/ /dev/sda4 /mnt
btrfs subvolume list -o /mnt/rootfs |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..."
btrfs subvolume delete /mnt/rootfs
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/snapshots/rootfs-blank /mnt/rootfs
umount /mnt
'';
};
fileSystems."/home".neededForBoot = true;
fileSystems."/persist".neededForBoot = true;
persist = {
enable = true;
cache.clean.enable = true;
state = {
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
directories = [
"/var/lib/nixos"
"/var/lib/systemd"
];
};
};
# TODO: write all needed modules in boot.kernelModules
security.lockKernelModules = lib.mkForce false;
# Misc
boot = {
supportedFilesystems = [ "vfat" "btrfs" ];
kernelModules = [
"tcp_bbr" "veth"
# podman
"nft_chain_nat" "xt_addrtype" "xt_comment" "xt_mark" "xt_MASQUERADE"
];
kernelParams = [
"scsi_mod.use_blk_mq=1"
"kvm.ignore_msrs=1"
"kvm.report_ignored_msrs=0"
];
kernel.sysctl = {
"vm.swappiness" = 50;
"vm.vfs_cache_pressure" = 200;
"vm.dirty_background_ratio" = 1;
"vm.dirty_ratio" = 40;
"vm.page-cluster" = 0;
# proxy tuning
"net.ipv4.tcp_congestion_control" = "bbr";
"net.ipv4.tcp_slow_start_after_idle" = 0;
"net.core.default_qdisc" = "cake";
# "net.core.default_qdisc" = "fq";
"net.core.rmem_max" = 67108864;
"net.core.wmem_max" = 67108864;
"net.core.netdev_max_backlog" = 10000;
"net.core.somaxconn" = 4096;
"net.ipv4.tcp_syncookies" = 1;
"net.ipv4.tcp_tw_reuse" = 1;
"net.ipv4.tcp_fin_timeout" = 30;
"net.ipv4.tcp_keepalive_time" = 1200;
"net.ipv4.tcp_keepalive_probes" = 5;
"net.ipv4.tcp_keepalive_intvl" = 30;
"net.ipv4.tcp_max_syn_backlog" = 8192;
"net.ipv4.tcp_max_tw_buckets" = 5000;
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_mem" = "25600 51200 102400";
"net.ipv4.udp_mem" = "25600 51200 102400";
"net.ipv4.tcp_rmem" = "4096 87380 67108864";
"net.ipv4.tcp_wmem" = "4096 65536 67108864";
"net.ipv4.tcp_mtu_probing" = 1;
};
loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
};
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 100;
};
deviceSpecific.isServer = true;
services.journald.extraConfig = "Compress=false";
nix.optimise.automatic = false;
nix.distributedBuilds = lib.mkForce false;
environment.noXlibs = lib.mkForce false;
fonts.enableDefaultPackages = lib.mkForce false;
security.polkit.enable = true;
# security.pam.enableSSHAgentAuth = true;
environment.systemPackages = with pkgs; [
bat
bottom
comma
git
kitty
micro
pwgen
inputs.nix-alien.packages."aarch64-linux".nix-index-update
rsync
];
# Locale
i18n.defaultLocale = "en_GB.UTF-8";
i18n.extraLocaleSettings = {
LANGUAGE = "en_GB.UTF-8";
LC_ALL = "en_GB.UTF-8";
LC_TIME = "en_GB.UTF-8";
LC_ADDRESS = "ru_RU.UTF-8";
LC_MONETARY = "ru_RU.UTF-8";
LC_PAPER = "ru_RU.UTF-8";
};
time.timeZone = "Europe/Helsinki";
environment.sessionVariables = {
XKB_DEFAULT_LAYOUT = "us,ru";
XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
LANGUAGE = "en_GB.UTF-8";
LC_ALL = "en_GB.UTF-8";
};
# Hardened
networking.firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = lib.mkDefault [ ];
allowedUDPPorts = lib.mkDefault [ ];
};
systemd.coredump.enable = false;
# Users
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.PermitRootLogin = lib.mkForce "prohibit-password";
settings.X11Forwarding = false;
extraConfig = "StreamLocalBindUnlink yes";
ports = [ 22 ];
};
users.mutableUsers = false;
users.users = {
${config.mainuser} = {
isNormalUser = true;
extraGroups = [ "disk" "systemd-journal" "wheel" ];
uid = 1000;
hashedPassword =
"$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.bash;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+xd8ClJPvJuAdYC9HlNnjiubEtYfvnKjYr9ROV+UmPVvI3ZITF24OaMI+fxgR0EqGfcUzSGom8528IB53Q3aFMIAaA0vKjW+jrByyB2l/k/+ttpLbH75c9WyOpAcUDTen8BhHKPyXOHoJ1jLu7GFmtPZ+mZo8thFB/VIRrwECHd8DnF0drsSCorkRp1bZC7bAHgztaYHNBUoAVGgJ7nLwW7DotlgbUEDiPJHXOxd/c/ZlXIB/cfUUqF+L5ThbMPhMcwRMspLy+nQdmHhih9k6SkvYqJoNqHT5/XeShb0RkIzvUWT2CYTPop5kAY5mMnatVTOY1FZPhHzk3G8MhOQ3r/elM/ecZxmjL8uozMN9kRGf1IL4DgQZfVqQRILdNSQGb0tfeiyirNZe1RlDw9UvMnZJOw0EkiC9lSSRhBWXXxAmxRrbNFTPQSp+/kiIGDmp2AsGhD11CfTDEU3wcLEUPBUqp1FYSzHncJyEKGy2Dpa5xaUJ0cuyGL4W3WHDXa4sTfY+AIXbQTD88Ujdsbfzyd6lrikG4D/crCurXissrh7q9DuYKWRI24cp5bw9lG33U1EXisnZqFyZNwMAmSj2QEGsHCwSevn0FgyRa2WYXgpZ9hfgY4le+ZSMo2JTosQ6DjGyxMDyQAHJ/ismTTzL67Q2p6U+73toYm62Qqdspw== (none)"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP0/DReYSAfkucroMTdELzTORsGhhbEa+W0FDFBnwViHuoqoKvetCOkW657icexc5v/j6Ghy3+Li9twbHnEDzUJVtNtauhGMjOcUYt6pTbeJ09CGSAh+orxzeY4vXp7ANb91xW8yRn/EE4ALxqbLsc/D7TUMl11fmf0UW+kLgU5TcUYVSLMjQqBpD1Lo7lXLrImloDxe5fwoBDT09E59r9tq6+/3aHz8mpKRLsIQIV0Av00BRJ+/OVmZuBd9WS35rfkpUYmpEVInSJy3G4O6kCvY/zc9Bnh67l4kALZZ0+6W23kBGrzaRfaOtCEcscwfIu+6GXiHOL33rrMNNinF0T2942jGc18feL6P/LZCzqz8bGdFNxT43jAGPeDDcrJEWAJZFO3vVTP65dTRTHQG2KlQMzS7tcif6YUlY2JLJIb61ZfLoShH/ini/tqsGT0Be1f3ndOFt48h4XMW1oIF+EXaHYeO2UJ6855m8Wpxs4bP/jX6vMV38IvvnHy4tWD50= alukard@AMD-Workstation"
];
};
deploy = {
description = "The administrator account for the servers.";
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys =
config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
};
root.openssh.authorizedKeys.keys =
config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
};
# Passwordless sudo for deploy user
security.sudo = {
extraRules = [{
users = [ "deploy" ];
commands = [{
command = "ALL";
options = [ "NOPASSWD" ];
}];
}];
extraConfig = ''
Defaults lecture = never
'';
};
# Podman
virtualisation = {
oci-containers.backend = lib.mkForce "podman";
podman.enable = true;
podman.dockerSocket.enable = true;
containers.registries.search = [
"docker.io" "gcr.io" "quay.io"
];
containers.storage.settings = {
storage = {
driver = "overlay";
graphroot = "/var/lib/podman/storage";
runroot = "/run/containers/storage";
};
};
};
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
security.unprivilegedUsernsClone = true;
system.stateVersion = "23.05";
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}

100
machines/Suomi-VPS/disk-config.nix
View File

@ -1,100 +0,0 @@
{ lib, ... }: {
disko.devices.disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
swap = {
name = "swap";
size = "4G";
content = {
type = "swap";
randomEncryption = true;
};
};
root = {
name = "root";
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
postCreateHook = ''
mount -t btrfs /dev/sda4 /mnt
btrfs subvolume snapshot -r /mnt/rootfs /mnt/snapshots/rootfs-blank
btrfs subvolume snapshot -r /mnt/persistent/home /mnt/snapshots/home-blank
btrfs subvolume snapshot -r /mnt/persistent/docker /mnt/snapshots/docker-blank
btrfs subvolume snapshot -r /mnt/persistent/podman /mnt/snapshots/podman-blank
btrfs subvolume snapshot -r /mnt/persistent/containers /mnt/snapshots/containers-blank
btrfs subvolume snapshot -r /mnt/persistent/libvirt /mnt/snapshots/libvirt-blank
btrfs subvolume snapshot -r /mnt/persistent/log /mnt/snapshots/log-blank
btrfs subvolume snapshot -r /mnt/persistent/impermanence /mnt/snapshots/impermanence-blank
btrfs subvolume snapshot -r /mnt/persistent/srv /mnt/snapshots/srv-blank
umount /mnt
'';
subvolumes = {
"/snapshots" = { };
"/rootfs" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent" = { };
"/persistent/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/srv" = {
mountpoint = "/srv";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/docker" = {
mountpoint = "/var/lib/docker";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/podman" = {
mountpoint = "/var/lib/podman";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/containers" = {
mountpoint = "/var/lib/containers";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/libvirt" = {
mountpoint = "/var/lib/libvirt";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/log" = {
mountpoint = "/var/log";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/impermanence" = {
mountpoint = "/persist";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
};
};
};
};
};
};
}

96
machines/Suomi-VPS/hardware/networks.nix
View File

@ -1,96 +0,0 @@
rec {
privateIPv6Prefix = "fd3a:900e:8e74:ffff";
domain = "vps.ataraxiadev.com";
interfaces = {
# This is the public-facing interface. Any interface name with a prime
# symbol means it's a public-facing interface.
main' = {
bridgeName = "br0";
ifname = "enp1s0";
IPv4 = {
address = "65.21.2.254/32";
gateway = "172.31.1.1";
dns = [ "185.12.64.1" "185.12.64.2" ];
};
IPv6 = {
address = "2a01:4f9:c012:859e::1/64";
gateway = "fe80::1";
# dns = [ "2a0d:f302:99::99" "2a0d:f302:100::100" ];
dns = [ ];
};
};
wireguard0 = {
ifname = "wg0";
dns = [ "${privateIPv6Prefix}::0:53" ];
IPv4 = {
address = "10.100.0.1";
subnet = "10.100.0.0/16";
};
IPv6 = {
address = "${privateIPv6Prefix}::1";
subnet = "${privateIPv6Prefix}::0/64";
};
};
};
# Wireguard-related things.
wireguardPort = 40820;
wireguardIPv4Prefix = "10.100.0";
wireguardIPv6Prefix = "${privateIPv6Prefix}::0";
wireguardPeers = {
server = with interfaces.wireguard0; {
IPv4 = IPv4.address;
IPv6 = IPv6.address;
};
ataraxia = {
IPv4 = "${wireguardIPv4Prefix}.2";
IPv6 = "${wireguardIPv6Prefix}:2";
};
hypervisor = {
IPv4 = "${wireguardIPv4Prefix}.3";
IPv6 = "${wireguardIPv6Prefix}:3";
};
mikrotik = {
IPv4 = "${wireguardIPv4Prefix}.4";
IPv6 = "${wireguardIPv6Prefix}:4";
};
poco = {
IPv4 = "${wireguardIPv4Prefix}.5";
IPv6 = "${wireguardIPv6Prefix}:5";
};
kpoxa = {
IPv4 = "${wireguardIPv4Prefix}.6";
IPv6 = "${wireguardIPv6Prefix}:6";
};
kpoxa2 = {
IPv4 = "${wireguardIPv4Prefix}.7";
IPv6 = "${wireguardIPv6Prefix}:7";
};
faysss = {
IPv4 = "${wireguardIPv4Prefix}.8";
IPv6 = "${wireguardIPv6Prefix}:8";
};
faysss2 = {
IPv4 = "${wireguardIPv4Prefix}.9";
IPv6 = "${wireguardIPv6Prefix}:9";
};
faysss3 = {
IPv4 = "${wireguardIPv4Prefix}.10";
IPv6 = "${wireguardIPv6Prefix}:a";
};
doste = {
IPv4 = "${wireguardIPv4Prefix}.11";
IPv6 = "${wireguardIPv6Prefix}:b";
};
dell = {
IPv4 = "${wireguardIPv4Prefix}.12";
IPv6 = "${wireguardIPv6Prefix}:c";
};
hypervisor-dns = {
IPv4 = "${wireguardIPv4Prefix}.13";
IPv6 = "${wireguardIPv6Prefix}:d";
};
};
}

66
machines/Suomi-VPS/network.nix
View File

@ -1,66 +0,0 @@
{ config, ... }:
let
inherit (import ./hardware/networks.nix) interfaces domain;
in {
services.resolved.enable = true;
networking = {
enableIPv6 = true;
usePredictableInterfaceNames = true;
useDHCP = false;
dhcpcd.enable = false;
nftables.enable = false; # incompatible with tailscale and docker/podman
hostName = config.device;
domain = domain;
};
systemd.network = with interfaces.main'; {
enable = true;
wait-online.ignoredInterfaces = [ "lo" ];
networks = {
"10-wan" = {
matchConfig.Name = ifname;
linkConfig.RequiredForOnline = "enslaved";
networkConfig.Bridge = bridgeName;
networkConfig.DHCP = "no";
networkConfig.LinkLocalAddressing = "no";
networkConfig.IPv6AcceptRA = false;
};
"20-${bridgeName}" = {
matchConfig.Name = bridgeName;
address = [
IPv4.address IPv6.address
"192.168.0.1/24" "fc00::1/64"
];
linkConfig.RequiredForOnline = "routable";
domains = [ config.networking.domain ];
networkConfig = {
DHCP = "no";
IPForward = true;
IPv6PrivacyExtensions = true;
LinkLocalAddressing = "no";
IPv6AcceptRA = false;
DNS = IPv4.dns ++ IPv6.dns;
};
routes = [
{
routeConfig.Gateway = IPv4.gateway;
routeConfig.GatewayOnLink = true;
}
{
routeConfig.Gateway = IPv6.gateway;
routeConfig.GatewayOnLink = true;
}
];
};
};
netdevs = {
"20-${bridgeName}" = {
netdevConfig = {
Kind = "bridge";
Name = bridgeName;
MACAddress = "e6:95:b5:a6:28:c0";
};
};
};
};
}

38
machines/Suomi-VPS/nix.nix
View File

@ -1,38 +0,0 @@
{ config, lib, inputs, ... }: {
nix = {
nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
registry.self.flake = inputs.self;
registry.nixpkgs.flake = inputs.nixpkgs;
optimise.automatic = lib.mkDefault true;
extraOptions = ''
builders-use-substitutes = true
experimental-features = nix-command flakes
flake-registry = ${inputs.flake-registry}/flake-registry.json
'';
settings = {
auto-optimise-store = false;
require-sigs = true;
substituters = [
"https://cache.nixos.org"
"https://nix-community.cachix.org"
"https://ataraxiadev-foss.cachix.org"
"https://cache.ataraxiadev.com/ataraxiadev"
"https://numtide.cachix.org"
"https://devenv.cachix.org"
"https://ezkea.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"ataraxiadev-foss.cachix.org-1:ws/jmPRUF5R8TkirnV1b525lP9F/uTBsz2KraV61058="
"ataraxiadev:/V5bNjSzHVGx6r2XA2fjkgUYgqoz9VnrAHq45+2FJAs="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
"ezkea.cachix.org-1:ioBmUbJTZIKsHmWWXPe1FSFbeVe+afhfgqgTSNd34eI="
];
trusted-users = [ "root" config.mainuser "@wheel" ];
};
};
environment.etc.nixpkgs.source = inputs.nixpkgs;
environment.etc.self.source = inputs.self;
}

50
machines/Suomi-VPS/services/backups.nix
View File

@ -1,50 +0,0 @@
{ config, inputs, ... }: {
sops.secrets.rustic-repo-pass.sopsFile = inputs.self.secretsDir + /rustic-b2.yaml;
sops.secrets.rclone-backup-config.sopsFile = inputs.self.secretsDir + /rustic-b2.yaml;
services.rustic.backups = let
label = "vps-containers";
in rec {
vps-backup = {
backup = true;
prune = false;
rcloneConfigFile = config.sops.secrets.rclone-backup-config.path;
timerConfig = {
OnCalendar = "01:00";
Persistent = true;
};
settings = {
repository = {
repository = "rclone:rustic-b2:ataraxia-nas-backup";
password-file = config.sops.secrets.rustic-repo-pass.path;
};
repository.options = {
timeout = "10min";
};
backup = {
label = label;
ignore-devid = true;
sources = [{
source = "/srv/marzban /srv/nextcloud/config /srv/nextcloud/data";
}];
};
forget = {
filter-label = [ label ];
prune = true;
keep-daily = 7;
keep-weekly = 5;
keep-monthly = 2;
};
};
};
vps-prune = vps-backup // {
backup = false;
prune = true;
createWrapper = false;
timerConfig = {
OnCalendar = "Tue, 02:00";
Persistent = true;
};
};
};
}

232
machines/Suomi-VPS/services/dns.nix
View File

@ -1,232 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (import ../hardware/networks.nix) interfaces;
wg = interfaces.wireguard0;
wgIfname = wg.ifname;
brIfname = interfaces.main'.bridgeName;
tailscaleIfname = config.services.tailscale.interfaceName;
in {
# For debugging purposes
environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
services.resolved.extraConfig = ''
DNSStubListener=off
'';
systemd.network.networks."20-${brIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
networking.firewall.interfaces = let
ports = {
allowedTCPPorts = [
config.services.blocky.settings.ports.dns
config.services.grafana.settings.server.http_port
];
allowedUDPPorts = [
config.services.blocky.settings.ports.dns
];
};
in {
${wgIfname} = ports;
${tailscaleIfname} = ports;
};
# TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
services.unbound = {
enable = true;
package = pkgs.unbound-full;
settings = {
server = {
root-hints = "${config.services.unbound.stateDir}/root.hints";
port = "553";
interface = [
"127.0.0.1"
"::1"
];
access-control = [
"0.0.0.0/0 refuse"
"127.0.0.0/8 allow"
"::0/0 refuse"
"::1 allow"
];
private-address = [
"127.0.0.0/8"
"::1"
];
hide-version = "yes";
aggressive-nsec = "yes";
cache-max-ttl = "86400";
cache-min-ttl = "600";
deny-any = "yes";
do-ip4 = "yes";
do-ip6 = "yes";
do-tcp = "yes";
do-udp = "yes";
harden-algo-downgrade = "yes";
harden-dnssec-stripped = "yes";
harden-glue = "yes";
harden-large-queries = "yes";
harden-referral-path = "yes";
harden-short-bufsize = "yes";
hide-identity = "yes";
minimal-responses = "yes";
msg-cache-size = "128m";
neg-cache-size = "4m";
prefer-ip6 = "no";
prefetch = "yes";
prefetch-key = "yes";
qname-minimisation = "yes";
rrset-cache-size = "256m";
rrset-roundrobin = "yes";
serve-expired = "yes";
so-rcvbuf = "4m";
so-reuseport = "yes";
so-sndbuf = "4m";
unwanted-reply-threshold = "100000";
use-caps-for-id = "yes";
};
cachedb = {
backend = "redis";
redis-server-host = "127.0.0.1";
redis-server-port = toString config.services.redis.servers.unbound.port;
redis-timeout = "300";
redis-expire-records = "no";
};
};
};
services.redis.vmOverCommit = true;
services.redis.servers.unbound = {
enable = true;
port = 7379;
databases = 1;
save = [ [ 3600 1 ] [ 1800 10 ] [ 600 100 ] ];
settings = {
maxmemory = "16mb";
protected-mode = true;
rdbchecksum = false;
stop-writes-on-bgsave-error = false;
tcp-keepalive = 300;
timeout = 0;
};
};
# TODO: maybe set internic ip address to hosts?
systemd.services.root-hints = {
script = ''
${pkgs.wget}/bin/wget -O ${config.services.unbound.stateDir}/root.hints https://www.internic.net/domain/named.root
'';
serviceConfig.Type = "oneshot";
startAt = "1 0 1 */1 *";
};
# Blocky + prometheus + grafana
services.blocky = {
enable = true;
settings = {
upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
upstreamTimeout = "10s";
bootstrapDns = [{
upstream = "https://dns.quad9.net/dns-query";
ips = [ "9.9.9.9" "149.112.112.112" ];
}];
blocking = {
blackLists = {
ads = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
"https://github.com/RPiList/specials/raw/master/Blocklisten/malware"
];
telemetry = [
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
"https://github.com/RPiList/specials/raw/master/Blocklisten/MS-Office-Telemetry"
"https://github.com/RPiList/specials/raw/master/Blocklisten/Win10Telemetry"
];
};
clientGroupsBlock.default = [ "ads" "telemetry" ];
};
# disable caching (use unbound)
caching = {
minTime = -1;
maxTime = -1;
cacheTimeNegative = -1;
prefetching = false;
};
ports = {
dns = 53;
http = "127.0.0.1:4000";
};
prometheus.enable = true;
queryLog = {
type = "console";
};
};
};
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
globalConfig.scrape_interval = "15s";
globalConfig.evaluation_interval = "15s";
scrapeConfigs = [{
job_name = "blocky";
static_configs = [{
targets = [ config.services.blocky.settings.ports.http ];
}];
}];
};
services.grafana = {
enable = true;
settings = {
analytics.reporting_enabled = false;
server = {
enable_gzip = true;
domain = "localhost";
http_addr = "0.0.0.0";
http_port = 3000;
};
# Grafana can be accessed only through wireguard, so it's secure enough
security = {
admin_user = "admin";
admin_password = "admin";
};
panels.disable_sanitize_html = true;
};
provision = {
enable = true;
datasources.settings = {
datasources = [{
name = "Prometheus";
type = "prometheus";
access = "proxy";
orgId = 1;
uid = "Y4SSG429DWCGDQ3R";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
jsonData = {
graphiteVersion = "1.1";
tlsAuth = false;
tlsAuthWithCACert = false;
};
version = 1;
editable = true;
}];
};
dashboards = {
settings = {
providers = [{
name = "My Dashboards";
options.path = "/etc/grafana-dashboards";
}];
};
};
};
};
environment.etc = {
"grafana-dashboards/blocky_rev3.json" = {
source = ../../../misc/grafana_blocky_rev3.json;
group = "grafana";
user = "grafana";
};
};
persist.state.directories = [
"/var/lib/grafana"
"/var/lib/prometheus2"
"/var/lib/redis-unbound"
"/var/lib/unbound"
];
}

23
machines/Suomi-VPS/services/tailscale.nix
View File

@ -1,23 +0,0 @@
{ config, pkgs, lib, ... }:
let
bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
tailscalePort = config.services.tailscale.port;
tailscaleIfname = config.services.tailscale.interfaceName;
in {
networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
networking.firewall.trustedInterfaces = [ tailscaleIfname ];
systemd.network.networks."50-tailscale" = {
matchConfig.Name = tailscaleIfname;
linkConfig.Unmanaged = true;
linkConfig.ActivationPolicy = "manual";
};
services.tailscale = {
enable = true;
port = 18491;
useRoutingFeatures = "both";
};
persist.state.directories = [ "/var/lib/tailscale" ];
}

45
machines/Suomi-VPS/services/tor-bridge.nix
View File

@ -1,45 +0,0 @@
{ config, pkgs, lib, ... }:
let
inherit (import ../hardware/networks.nix) interfaces;
bridgeName = interfaces.main'.bridgeName;
obfs4Port = 18371;
in {
networking.firewall.interfaces.${bridgeName} = {
allowedTCPPorts = [ obfs4Port ];
};
# We can get bridge cert from file: /var/lib/tor/pt_state/obfs4_bridgeline.txt
# Fingerprint can be obtained from tor.service logs
services.tor = {
enable = true;
enableGeoIP = true;
client.enable = false;
relay.enable = true;
relay.role = "private-bridge";
settings = {
BridgeDistribution = "none";
BridgeRelay = true;
ContactInfo = "admin@ataraxiadev.com";
ORPort = [ 17429 ];
ServerTransportListenAddr = "obfs4 0.0.0.0:${toString obfs4Port}";
Nickname = "Ataraxia";
};
};
services.networkd-dispatcher = {
enable = true;
rules."restart-tor" = {
onState = [ "routable" "off" ];
script = ''
#!${pkgs.runtimeShell}
if [[ $IFACE == "${bridgeName}" && $AdministrativeState == "configured" ]]; then
echo "Restarting Tor ..."
systemctl restart tor
fi
exit 0
'';
};
};
persist.state.directories = [ "/var/lib/tor" ];
}

131
machines/Suomi-VPS/services/wireguard.nix
View File

@ -1,131 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
wireguardIFName = interfaces.wireguard0.ifname;
in {
# Sometimes we need to disable checksum validation
# ethtool -K br0 tx off rx off
# ethtool -K enp0s1 tx off rx off
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.firewall = {
allowedUDPPorts = [ wireguardPort ];
checkReversePath = lib.mkForce false;
};
boot.kernelModules = [ "wireguard" ];
systemd.network = {
wait-online.ignoredInterfaces = [ wireguardIFName ];
networks."90-${wireguardIFName}" = with interfaces.wireguard0; {
matchConfig.Name = wireguardIFName;
address = [
"${IPv4.address}/16"
"${IPv6.address}/64"
];
DHCP = "no";
networkConfig = {
IPForward = true;
IPMasquerade = "both";
DNS = interfaces.main'.IPv4.dns ++ interfaces.main'.IPv6.dns;
};
};
netdevs."90-${wireguardIFName}" = {
netdevConfig = {
Name = wireguardIFName;
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = "/srv/wireguard/private";
ListenPort = wireguardPort;
};
wireguardPeers = [
{
wireguardPeerConfig = with wireguardPeers.ataraxia; {
PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
PresharedKeyFile = "/srv/wireguard/ataraxia/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.hypervisor; {
PublicKey = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o=";
PresharedKeyFile = "/srv/wireguard/hypervisor/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.mikrotik; {
PublicKey = "amReLTZgu6pwtKCnk1q8EG5uZSgUNxRoh5m3w1D3rQo=";
PresharedKeyFile = "/srv/wireguard/mikrotik/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.poco; {
PublicKey = "ZbBJziuMjyHJNcgrLYIQtio7l3fEOJ4GXW4ST+N9V34=";
PresharedKeyFile = "/srv/wireguard/poco/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.kpoxa; {
PublicKey = "U1wtbS8/yQGkBnBQUZs7KxxmvAajKb9jh83dDd2LdgE=";
PresharedKeyFile = "/srv/wireguard/kpoxa/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.kpoxa2; {
PublicKey = "ghU3Puwz5PeXmnDlxyh+IeuwFK44V3rXlMiFGs5YnwI=";
PresharedKeyFile = "/srv/wireguard/kpoxa2/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.faysss; {
PublicKey = "JLvKyFwI7b9MsiZsnNAt3qs5ob18b3mrOZKR5HZCORY=";
PresharedKeyFile = "/srv/wireguard/faysss/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.faysss2; {
PublicKey = "S6k9l0K5/YmO5BPETQludC1CBHsKLsk9+n6kwSjx4n8=";
PresharedKeyFile = "/srv/wireguard/faysss2/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.faysss3; {
PublicKey = "ka42gE67gShu88Ko7iQ/pK8zusod6bNIrIN8fkxVkC4=";
PresharedKeyFile = "/srv/wireguard/faysss3/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.doste; {
PublicKey = "KVbEaO4DSpTb941zxOPQLWq2Glm9CDgK/9MwW95WuC0=";
PresharedKeyFile = "/srv/wireguard/doste/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.dell; {
PublicKey = "//ss9UEHRFEZL4LbZaA1HiRUrMrn97kc7CmblUORXTc=";
PresharedKeyFile = "/srv/wireguard/dell/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.hypervisor-dns; {
PublicKey = "x4uavQEEfhdqNC4FCOPfKlEDRJiwOz4dy2W1KhJtnwc=";
PresharedKeyFile = "/srv/wireguard/hypervisor-dns/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
];
};
};
}

65
machines/Suomi-VPS/services/xtls.nix
View File

@ -1,65 +0,0 @@
{ config, pkgs, lib, inputs, ... }:
let
cert-key = config.sops.secrets."cert.key".path;
cert-pem = config.sops.secrets."cert.pem".path;
nginx-conf = config.sops.secrets."nginx.conf".path;
marzban-env = config.sops.secrets.marzban.path;
in {
networking.firewall.allowedTCPPorts = [ 80 443 ];
sops.secrets = let
nginx = {
sopsFile = inputs.self.secretsDir + /suomi-vps/nginx.yaml;
restartUnits = [ "podman-nginx.service" ];
};
marzban = {
format = "dotenv";
sopsFile = inputs.self.secretsDir + /suomi-vps/marzban.env;
restartUnits = [ "podman-marzban.service" ];
};
in {
"cert.key" = nginx;
"cert.pem" = nginx;
"nginx.conf" = nginx;
marzban = marzban;
};
virtualisation.oci-containers.containers = {
nextcloud = {
autoStart = true;
image = "docker.io/nextcloud:stable";
ports = [ "9765:80" ];
volumes = [
"/srv/nextcloud/html:/var/www/html"
"/srv/nextcloud/config:/var/www/html/config"
"/srv/nextcloud/data:/var/www/html/data"
];
};
marzban = {
autoStart = true;
image = "ghcr.io/gozargah/marzban:v0.4.1";
environmentFiles = [ marzban-env ];
extraOptions = [ "--network=host" ];
volumes = [
"/srv/marzban:/var/lib/marzban"
];
};
nginx = {
autoStart = true;
image = "docker.io/nginx:latest";
extraOptions = [ "--network=host" ];
volumes = [
"${cert-key}:/etc/ssl/certs/cert.key:ro"
"${cert-pem}:/etc/ssl/certs/cert.pem:ro"
"${nginx-conf}:/etc/nginx/nginx.conf:ro"
];
};
};
systemd.tmpfiles.rules = [
"d /srv/marzban 0755 root root -"
"d /srv/nextcloud/html 0755 33 33 -"
"d /srv/nextcloud/config 0755 33 33 -"
"d /srv/nextcloud/data 0755 33 33 -"
];
}

1
machines/Suomi-VPS/system
View File

@ -1 +0,0 @@
aarch64-linux