Diffstat (limited to 'modules/hosts/ltrr-cloud')
| -rw-r--r-- | modules/hosts/ltrr-cloud/age.nix | 10 | ||||
| -rw-r--r-- | modules/hosts/ltrr-cloud/configuration.nix | 345 | ||||
| -rw-r--r-- | modules/hosts/ltrr-cloud/disk-config.nix | 56 | ||||
| -rw-r--r-- | modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age | bin | 0 -> 473 bytes | |||
| -rw-r--r-- | modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age | bin | 0 -> 464 bytes | |||
| -rw-r--r-- | modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age | 8 | ||||
| -rw-r--r-- | modules/hosts/ltrr-cloud/secrets/rekeyed/98c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age | 7 | ||||
| -rw-r--r-- | modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age | 8 | ||||
| -rw-r--r-- | modules/hosts/ltrr-cloud/secrets/wg-priv.key.age | bin | 0 -> 392 bytes |
9 files changed, 434 insertions, 0 deletions
diff --git a/modules/hosts/ltrr-cloud/age.nix b/modules/hosts/ltrr-cloud/age.nix
new file mode 100644
index 0000000..80232d7
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/age.nix
@@ -0,0 +1,10 @@
+{inputs, ...}: {
+ flake.nixosModules.ltrr-cloud = {
+ age.rekey = {
+ hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGkmaIw2J4H6lWDVnopnUKQuQMJuQf5VMoC1/YwCuhAb";
+ masterIdentities = ["/home/jerpo/.config/age/keys.txt"];
+ storageMode = "local";
+ localStorageDir = ./. + "/secrets/rekeyed";
+ };
+ };
+}
diff --git a/modules/hosts/ltrr-cloud/configuration.nix b/modules/hosts/ltrr-cloud/configuration.nix
new file mode 100644
index 0000000..34a74e0
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/configuration.nix
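Review bot: `masterIdentities` pins rekeying to an absolute path inside one person's home directory (`/home/jerpo/.config/age/keys.txt`), so any other operator or a CI runner evaluating `agenix rekey` for this host fails, and nothing in the repo says where the master key is supposed to come from. If agenix-rekey's attrset form works as I recall, `masterIdentities = [{ identity = "/home/jerpo/.config/age/keys.txt"; pubkey = "age1…"; }];` lets new or rekeyed secrets be encrypted with only the public half present, so the private identity never has to leave the machine that holds it. The `hostPubkey` itself is public material and is fine to commit.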
@@ -0,0 +1,345 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ flake.nixosConfigurations.ltrr-cloud = inputs.nixpkgs-stable.lib.nixosSystem {
+ modules = [
+ self.nixosModules.ltrr-cloud
+ ];
+ };
+
+ flake.nixosModules.ltrr-cloud = {
+ modulesPath,
+ config,
+ lib,
+ pkgs,
+ ...
+ }: let
+ domain = "kcu.su";
+ in {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ "${inputs.nixpkgs}/nixos/modules/services/networking/headscale.nix"
+
+ self.nixosModules.nginxProxy
+ self.nixosModules.directories
+
+ inputs.disko.nixosModules.disko
+ self.diskoConfigurations.ltrr-cloud
+
+ inputs.agenix.nixosModules.default
+ inputs.agenix-rekey.nixosModules.default
+ ];
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ disabledModules = ["services/networking/headscale.nix"];
+
+ nixpkgs.overlays = [
+ self.overlays.unstable-packages
+ ];
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ networking = {
+ interfaces.ens3 = {
+ ipv4.addresses = [
+ {
+ address = "194.156.117.206";
+ prefixLength = 32;
+ }
+ ];
+ };
+ defaultGateway = {
+ address = "100.100.1.1";
+ interface = "ens3";
+ };
+ };
+
+ networking.nameservers = ["8.8.8.8" "1.1.1.1"];
+
+ networking.useDHCP = lib.mkDefault false;
+
+ networking.hostName = "ltrr-cloud";
+
+ services.openssh = {
+ enable = true;
+ };
+
+ environment.systemPackages = map lib.lowPrio [
+ pkgs.curl
+ pkgs.gitMinimal
+ ];
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJ8UW1BXDGDmlaiARO3a9boTG8wknUyITMz0Z0OJpHx spleefer6@yandex.ru"
+ ];
+ };
+ };
+
+ swapDevices = [
+ {
+ device = "/var/lib/swapfile";
+ size = 2 * 1024;
+ }
+ ];
+
+ networking.nat = {
+ enable = true;
+ externalInterface = "ens3";
+ internalInterfaces = ["wg0"];
+ };
+
+ age.secrets.wg-priv-key = {
+ rekeyFile = ./secrets/wg-priv.key.age;
+ };
+ networking.wg-quick = {
+ interfaces.wg0 = {
+ address = ["10.1.1.1/32"];
+ listenPort = 51820;
+
+ privateKeyFile = config.age.secrets.wg-priv-key.path;
+
+ preUp = ''
+ sysctl -w net.ipv4.ip_forward=1
+ # 16261
+ iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261
+ iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT
+ iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE
+
+ # 16262
+ iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262
+ iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT
+ iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE
+ '';
+ postDown = ''
+ # 16261
+ iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261
+ iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT
+ iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE
+
+ # 16262
+ iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262
+ iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT
+ iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE
+ '';
+
+ peers = [
+ {
+ allowedIPs = ["10.1.1.2/32"];
+ publicKey = "kzXzxJu1AdcRI5UwtGOrN6WuTZYqJo++PYRrXdOu/lY=";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443 25565];
+ networking.firewall.allowedUDPPorts = [51820 16261 16262];
+
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "10.0.0.0/8"
+ ];
+ bantime = "24h";
+ bantime-increment = {
+ enable = true;
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h";
+ overalljails = true;
+ };
+
+ jails = {
+ nginx-http-auth.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/*.log";
+ backend = "auto";
+ };
+ nginx-botsearch.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/*.log";
+ backend = "auto";
+ };
+ nginx-bad-request.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/*.log";
+ backend = "auto";
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "notspl3g+acme@duck.com";
+ };
+
+ nginxProxy = {
+ enable = true;
+ acme.enable = true;
+
+ inherit domain;
+ subdomains = {
+ "headscale" = {
+ proxyPass = "http://127.0.0.1:8768";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "uptime" = {
+ proxyPass = "http://127.0.0.1:8762";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "monitor" = {
+ proxyPass = "http://127.0.0.1:8090";
+ };
+ "auth".proxyPass = "http://127.0.0.1:9091";
+ };
+
+ extraVirtualHosts = {
+ "kcu.su" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/apple" = {
+ root = "/var/www";
+ };
+ locations."/" = {
+ return = 444;
+ };
+ };
+
+ "_".locations = {
+ "/" = {
+ return = 444;
+ };
+ };
+ };
+
+ home = let
+ homeConfig = self.nixosConfigurations.ltrr-block.config;
+ in {
+ subdomains = homeConfig.nginxProxy.subdomains;
+ url = "http://10.1.1.2";
+ };
+ };
+
+ age.secrets.authelia-jwt = {
+ rekeyFile = ./secrets/authelia-jwt.key.age;
+ owner = "authelia-kcu";
+ group = "authelia-kcu";
+ };
+ age.secrets.authelia-storage = {
+ rekeyFile = ./secrets/authelia-storage.key.age;
+ owner = "authelia-kcu";
+ group = "authelia-kcu";
+ };
+ services.authelia.instances.kcu = {
+ enable = true;
+ secrets = {
+ jwtSecretFile = config.age.secrets.authelia-jwt.path;
+ storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+ };
+ settings = {
+ authentication_backend = {
+ file = {
+ path = "/var/lib/authelia-kcu/users_database.yml";
+ };
+ };
+
+ storage = {
+ local = {};
+ };
+
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = ["auth.${domain}"];
+ policy = "bypass";
+ }
+ {
+ domain = ["*.${domain}"];
+ policy = "one_factor";
+ }
+ ];
+ };
+
+ session = {
+ name = "authelia_session";
+ expiration = "12h";
+ inactivity = "45m";
+ cookies = [
+ {
+ inherit domain;
+ authelia_url = "https://auth.kcu.su";
+ }
+ ];
+ };
+
+ storage = {
+ local = {
+ path = "/var/lib/authelia-kcu/db.sqlite3";
+ };
+ };
+
+ notifier = {
+ disable_startup_check = false;
+ filesystem = {
+ filename = "/var/lib/authelia-kcu/notification.txt";
+ };
+ };
+ };
+ };
+
+ services.headscale = {
+ enable = true;
+ package = pkgs.headscale;
+ port = 8768;
+ settings = {
+ server_url = "https://headscale.${domain}:443";
+ dns = {
+ base_domain = "ts.net";
+ nameservers.global = ["8.8.8.8"];
+ magicdns = true;
+ };
+ };
+ };
+
+ createPaths = {
+ "/var/lib/uptime-kuma" = {
+ owner = "root";
+ group = "root";
+ };
+ };
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers = {
+ "uptime-kuma" = {
+ image = "louislam/uptime-kuma:2";
+ volumes = [
+ "/var/lib/uptime-kuma:/app/data"
+ ];
+ ports = [
+ "127.0.0.1:8762:3001"
+ ];
+ capabilities = {
+ NET_RAW = true;
+ };
+ };
+ };
+
+ services.beszel.hub = {
+ enable = true;
+ };
+
+ system.stateVersion = "24.05";
+ };
+}
diff --git a/modules/hosts/ltrr-cloud/disk-config.nix b/modules/hosts/ltrr-cloud/disk-config.nix
new file mode 100644
index 0000000..f7abadd
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/disk-config.nix
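Review bot: The `preUp`/`postDown` iptables rules under `networking.wg-quick.interfaces.wg0` hand-roll a port forward that NixOS already manages declaratively through `networking.nat`, which this same file enables a few lines earlier; a `networking.nat.forwardPorts` entry such as `{ sourcePort = 16261; destination = "10.1.1.2:16261"; proto = "udp"; }` (one per port) keeps the DNAT/FORWARD rules in the chains the firewall module owns and reconciles, instead of rules that only exist between wg-quick up and down, and it makes the `sysctl -w net.ipv4.ip_forward=1` line redundant, since as far as I know the NAT module sets forwarding itself. Note also that the `-o wg0 … -j MASQUERADE` rules rewrite every game client's source to 10.1.1.1, so the host at 10.1.1.2 never sees real peer addresses for its own logging or banning; if the home peer routes replies back through the tunnel, those rules can go. Separately, `settings.storage` in the Authelia instance is defined twice (`storage = { local = {}; }` and again with the sqlite `path`); as I read Nix, a second definition of `storage.local` is rejected at parse time, so keep only the one carrying the path. Finally, `allowedTCPPorts` opens 25565 but nothing in this file listens on or forwards that port; drop it or add the forward it is meant for.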
@@ -0,0 +1,56 @@
+{
+ flake.diskoConfigurations.ltrr-cloud = {
+ disko.devices = {
+ disk.disk1 = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age b/modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age
Binary files differ
new file mode 100644
index 0000000..ecad260
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age
diff --git a/modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age b/modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age
Binary files differ
new file mode 100644
index 0000000..22e9eb5
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age
diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age
new file mode 100644
index 0000000..3fdbf7c
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age
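Review bot: The root LV is plain ext4 with no dm-crypt layer, so everything this host writes at runtime — the Authelia user database and sqlite session store under `/var/lib/authelia-kcu`, the uptime-kuma data directory, and the 2 GiB `/var/lib/swapfile` configured in configuration.nix — sits in cleartext on the provider's disk and in every snapshot the provider takes. A LUKS root on an unattended VPS may be impractical, but the trade-off should at least be recorded where the next reader will see it, e.g. a comment above `disk.disk1`: `# NOTE: no disk encryption; provider snapshots contain Authelia state and swap`, and swap in particular is worth moving to a random-key-encrypted device so swapped-out secrets are not recoverable from an image. `mountOptions = [ "defaults" ]` is a no-op and can be dropped.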
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 +W/xBg sJTHHtkYrmAQbKR8ZOdR9K/reO0qeKTL4gsx34pysiY +iTmPnK/LRYZIgEuq/xtLiQyDMML6hFPO262OdIq8UD8 +-> orB|s|Kd-grease K7 l7hC&yL A^ 6, +MoHcwp57sM2RWYOYAk8LihPGhPSrmZkUpd3X4eJODfsqfEuJys9ZhKVyr4l4FwzN +NsQJcBuH1//fXe/P +--- gku/aoba9gRLFf1wD6rrwogur0EYGovRAybhyr3CLco +ĩ,y yLۘXP1d(5Xvst6D}S 8ҹ03.XDLQsUEgK4<w[u3BxN'9}z $wF Ŧ^z!lg ńØ $qjP
\ No newline at end of file diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/98c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/98c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age new file mode 100644 index 0000000..5605e81 --- /dev/null +++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/98c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 +W/xBg HvzCOTiwRSUSNLxgsyBbhWOU7JdVeA0OLMTnHTAXlgE +v4G1Z3E2H0zzbamMppALx25HeS5rSfM+bJmrbUM+jgs +-> 6hkBDp}-grease ^w s#u_m8> 1?':qM +IAyx+VQq7VnSNf2SfqusH0eXFffH +--- L9C8w8DV9hstoTBd39/zve9OJt4v/vFpIDbRcxUWIeI +W:l{2u%:Vy/> .H u+AtLȲN 뺃
\ No newline at end of file diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age new file mode 100644 index 0000000..ff31a34 --- /dev/null +++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 +W/xBg vxOWjAe9E2wVCDSYjJ4FzTb6OJof4BME/a0B2/m7zl8 +2jTCWcg7koRgIOUi2QDKFimbE/Gq+F0CAYmkaBmT51g +-> eI}jc#W-grease $l&5 718 6%B>X +miZ+OEV0SD7oYl1tqYpVFzxGhQIvMjDTQ4xRwA8Cu8BNghAwbv2vROant8sjWSsv +WKkljj4/RH2EU1f0y0b2fIbhF8I +--- X06G5WHTNau24I+ZT20SebQvbxP7S9zrjbk0FFIPyOE +L\_@DD=*o>YEak",ś2،Iwb(p4Y'
Paj&4-J!lkLV[X"2mqVᷩPNëz"9'I۲*5Z2~zYܸ2
\ No newline at end of file diff --git a/modules/hosts/ltrr-cloud/secrets/wg-priv.key.age b/modules/hosts/ltrr-cloud/secrets/wg-priv.key.age Binary files differnew file mode 100644 index 0000000..cd52bb3 --- /dev/null +++ b/modules/hosts/ltrr-cloud/secrets/wg-priv.key.age |
