From 03648b3d9f177227df40129bed22558f6924b91c Mon Sep 17 00:00:00 2001 
From: spl3g Date: Wed, 18 Mar 2026 18:01:41 +0300 Subject: so.. v2 i guess --- modules/hosts/ltrr-block/age.nix | 10 + modules/hosts/ltrr-block/configuration.nix | 467 +++++++++++++++++++++ modules/hosts/ltrr-block/disk-config.nix | 39 ++ .../hosts/ltrr-block/hardware-configuration.nix | 32 ++ modules/hosts/ltrr-block/secrets/cwa.env.age | Bin 0 -> 821 bytes modules/hosts/ltrr-block/secrets/explo.env.age | Bin 0 -> 3721 bytes modules/hosts/ltrr-block/secrets/navidrome.env.age | Bin 0 -> 351 bytes ...22a2f185737c765ae9a5ce0d3879-soularr-config.age | Bin 0 -> 2790 bytes ...50a141b44c76106807b541c1987996b-wg-priv-key.age | 8 + .../9288d02fd4269798567444d076247538-explo-env.age | Bin 0 -> 3760 bytes ...39083f61f3167ef5aff27bdba700e8e-xray-config.age | Bin 0 -> 1750 bytes ...4d0c5c7b3217d008be68e8ad757e8-navidrome-env.age | 7 + .../e9669da1b38fb37ba09edf8fdeafc4de-slskd-env.age | Bin 0 -> 507 bytes modules/hosts/ltrr-block/secrets/slskd.env.age | Bin 0 -> 491 bytes modules/hosts/ltrr-block/secrets/soularr.conf.age | Bin 0 -> 2711 bytes .../secrets/transmission-settings.json.age | 8 + modules/hosts/ltrr-block/secrets/wg-priv.key.age | Bin 0 -> 294 bytes modules/hosts/ltrr-block/secrets/xray.json.age | Bin 0 -> 1752 bytes modules/hosts/ltrr-cloud/age.nix | 10 + modules/hosts/ltrr-cloud/configuration.nix | 345 +++++++++++++++ modules/hosts/ltrr-cloud/disk-config.nix | 56 +++ .../hosts/ltrr-cloud/secrets/authelia-jwt.key.age | Bin 0 -> 473 bytes .../ltrr-cloud/secrets/authelia-storage.key.age | Bin 0 -> 464 bytes ...c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age | 8 + ...8c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age | 7 + ...e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age | 8 + modules/hosts/ltrr-cloud/secrets/wg-priv.key.age | Bin 0 -> 392 bytes modules/hosts/ltrr-mask/configuration.nix | 125 ++++++ modules/hosts/ltrr-mask/disk-config.nix | 56 +++ 29 files changed, 1186 insertions(+) create mode 100644 modules/hosts/ltrr-block/age.nix create mode 100644 
modules/hosts/ltrr-block/configuration.nix create mode 100644 modules/hosts/ltrr-block/disk-config.nix create mode 100644 modules/hosts/ltrr-block/hardware-configuration.nix create mode 100644 modules/hosts/ltrr-block/secrets/cwa.env.age create mode 100644 modules/hosts/ltrr-block/secrets/explo.env.age create mode 100644 modules/hosts/ltrr-block/secrets/navidrome.env.age create mode 100644 modules/hosts/ltrr-block/secrets/rekeyed/1c8822a2f185737c765ae9a5ce0d3879-soularr-config.age create mode 100644 modules/hosts/ltrr-block/secrets/rekeyed/550a141b44c76106807b541c1987996b-wg-priv-key.age create mode 100644 modules/hosts/ltrr-block/secrets/rekeyed/9288d02fd4269798567444d076247538-explo-env.age create mode 100644 modules/hosts/ltrr-block/secrets/rekeyed/939083f61f3167ef5aff27bdba700e8e-xray-config.age create mode 100644 modules/hosts/ltrr-block/secrets/rekeyed/d5f4d0c5c7b3217d008be68e8ad757e8-navidrome-env.age create mode 100644 modules/hosts/ltrr-block/secrets/rekeyed/e9669da1b38fb37ba09edf8fdeafc4de-slskd-env.age create mode 100644 modules/hosts/ltrr-block/secrets/slskd.env.age create mode 100644 modules/hosts/ltrr-block/secrets/soularr.conf.age create mode 100644 modules/hosts/ltrr-block/secrets/transmission-settings.json.age create mode 100644 modules/hosts/ltrr-block/secrets/wg-priv.key.age create mode 100644 modules/hosts/ltrr-block/secrets/xray.json.age create mode 100644 modules/hosts/ltrr-cloud/age.nix create mode 100644 modules/hosts/ltrr-cloud/configuration.nix create mode 100644 modules/hosts/ltrr-cloud/disk-config.nix create mode 100644 modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age create mode 100644 modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age create mode 100644 modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age create mode 100644 modules/hosts/ltrr-cloud/secrets/rekeyed/98c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age create mode 100644 
modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age create mode 100644 modules/hosts/ltrr-cloud/secrets/wg-priv.key.age create mode 100644 modules/hosts/ltrr-mask/configuration.nix create mode 100644 modules/hosts/ltrr-mask/disk-config.nix (limited to 'modules/hosts')
diff --git a/modules/hosts/ltrr-block/age.nix b/modules/hosts/ltrr-block/age.nix
new file mode 100644
index 0000000..e22263b
--- /dev/null
+++ b/modules/hosts/ltrr-block/age.nix
@@ -0,0 +1,10 @@
+{inputs, ...}: {
+ flake.nixosModules.ltrr-block = {
+ age.rekey = {
+ hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINe2bfzslwh9DwNXopmaiRKVNQMIQNuMlP/jJCDrwSbc";
+ masterIdentities = ["/home/jerpo/.config/age/keys.txt"];
+ storageMode = "local";
+ localStorageDir = ./. + "/secrets/rekeyed";
+ };
+ };
+}
diff --git a/modules/hosts/ltrr-block/configuration.nix b/modules/hosts/ltrr-block/configuration.nix
new file mode 100644
index 0000000..5ee4711
--- /dev/null
+++ b/modules/hosts/ltrr-block/configuration.nix
@@ -0,0 +1,467 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ flake.nixosConfigurations.ltrr-block = inputs.nixpkgs-stable.lib.nixosSystem {
+ modules = [
+ self.nixosModules.ltrr-block
+ ];
+ };
+
+ flake.nixosModules.ltrr-block = {
+ modulesPath,
+ pkgs,
+ config,
+ ...
+ }: let
+ domain = "kcu.su";
+ in {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+
+ self.nixosModules.nginxProxy
+ self.nixosModules.directories
+ self.nixosModules.booklore
+ self.nixosModules.watcharr
+
+ inputs.disko.nixosModules.disko
+ self.diskoConfigurations.ltrr-block
+
+ inputs.agenix.nixosModules.default
+ inputs.agenix-rekey.nixosModules.default
+ ];
+
+ nixpkgs = {
+ config.allowUnfree = true;
+ overlays = [
+ self.overlays.unstable-packages
+ ];
+ };
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ environment.systemPackages = with pkgs; [
+ curl
+ gitMinimal
+ ];
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJ8UW1BXDGDmlaiARO3a9boTG8wknUyITMz0Z0OJpHx spleefer6@yandex.ru"
+ ];
+ };
+ };
+
+ users.users.mc = {
+ isNormalUser = true;
+ packages = with pkgs; [
+ steamcmd
+ tmux
+ steam-run
+ ];
+ };
+
+ users.users.files = {
+ isNormalUser = true;
+ group = "files";
+ uid = 1000;
+ linger = true;
+ extraGroups = [
+ "music"
+ "images"
+ ];
+ };
+
+ users.groups.music = {
+ gid = 991;
+ };
+
+ createPaths."/srv/files" = {
+ owner = "files";
+ permissions = "0770";
+ group = "files";
+ subPaths = {
+ "music".group = "music";
+ "images".group = "images";
+ };
+ };
+
+ networking.hostName = "ltrr-block";
+ networking.firewall = {
+ allowedTCPPorts = [80 5030 2049 25565];
+ allowedUDPPorts = [51820 16261 16262];
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "notspl3g+acme@duck.com";
+ };
+
+ nginxProxy = {
+ enable = true;
+ domain = domain;
+
+ recommendedProxySettings = false;
+ subdomains = {
+ "slskd" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.slskd.settings.web.port}";
+ proxyWebsockets = true;
+ };
+ "immich" = {
+ proxyPass = "http://localhost:${toString config.services.immich.port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+
+ "music".proxyPass = "http://127.0.0.1:5692";
+ "navidrome".proxyPass = "http://127.0.0.1:4533";
+ "files".proxyPass = "http://127.0.0.1:${toString config.services.filebrowser.settings.port}";
+ "track".proxyPass = "http://127.0.0.1:7093";
+ "tube".proxyPass = "http://127.0.0.1:5410";
+ "torrents".proxyPass = "http://127.0.0.1:7317";
+ "jellyfin".proxyPass = "http://127.0.0.1:8096";
+ "lidarr" = {
+ proxyPass = "http://127.0.0.1:8686";
+ proxyWebsockets = true;
+ };
+
+ "prowlarr".proxyPass = "http://127.0.0.1:9696";
+ "shelfmark".proxyPass = "http://127.0.0.1:8084";
+ };
+ };
+
+ age.secrets.wg-priv-key = {
+ rekeyFile = ./secrets/wg-priv.key.age;
+ };
+
+ networking.wg-quick = {
+ interfaces.wg0 = {
+ address = ["10.1.1.2/32"];
+ listenPort = 51820;
+
+ privateKeyFile = config.age.secrets.wg-priv-key.path;
+
+ peers = [
+ {
+ endpoint = "${domain}:51820";
+ publicKey = "1RwEOL8br97Mujhz3fkfYKcxUFNHYAmt5JbWTbR3ihE=";
+ allowedIPs = ["10.1.1.1/32"];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ services.tailscale.enable = true;
+
+ users.users.filebrowser.extraGroups = ["music" "images"];
+ systemd.services.filebrowser.serviceConfig.SupplementaryGroups = ["music" "images"];
+ services.filebrowser = {
+ enable = true;
+ group = "files";
+ settings = {
+ root = "/srv/files";
+ port = 9337;
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /srv/files/slskd 0770 slskd music"
+ "d /opt/traggo/data"
+ "d /var/lib/traggo"
+ ];
+ users.users.slskd.extraGroups = ["files"];
+ age.secrets.slskd-env = {
+ rekeyFile = ./secrets/slskd.env.age;
+ };
+ systemd.services.slskd.serviceConfig.UMask = 0002;
+ services.slskd = {
+ enable = true;
+ environmentFile = config.age.secrets.slskd-env.path;
+ group = "music";
+ settings = {
+ shares = {
+ directories = ["/srv/files/music"];
+ filters = ["explo"];
+ };
+ directories.downloads = "/srv/files/slskd";
+ permissions.file.mode = 770;
+ web.authentication.api_keys = {
+ arr = {
+ key = "mahChufaeweipemeeheexaoDahchohZi";
+ cidr = "127.0.0.1/32";
+ };
+ };
+ };
+ openFirewall = true;
+ domain = null;
+ };
+
+ users.users.jellyfin.extraGroups = ["files"];
+ services.jellyfin = {
+ enable = true;
+ };
+
+ createPaths."/srv/files/torrents" = {
+ owner = "files";
+ group = "files";
+ permissions = "0770";
+ subPaths = {
+ "incomplete" = {};
+ "completed" = {};
+ };
+ };
+
+ users.users.lidarr.extraGroups = ["files"];
+ services.lidarr = {
+ enable = true;
+ group = "music";
+ };
+
+ services.prowlarr = {
+ enable = true;
+ };
+
+ services.qbittorrent = {
+ enable = true;
+ user = "files";
+ group = "files";
+ webuiPort = 7317;
+ serverConfig = {
+ Preferences = {
+ WebUI = {
+ Enabled = "true";
+ Username = "spl3g";
+ Password_PBKDF2 = "@ByteArray(drq4VxxcJLLK0Bma9mxUeg==:47J+BVdVlmpJt0Hb9LqiAj6rTK3ZlFPvy00PdGPtmeXO7SslNg/4Uej7Vmwn3+oFPuE1q/9tm1z1UogfopREUQ==)";
+ };
+ Downloads = {
+ SavePath = "/srv/files/torrents/complete/";
+ TempPathEnabled = "true";
+ TempPath = "/srv/files/torrents/incomplete/";
+ };
+ };
+ };
+ };
+
+ createPaths."/var/lib/soularr" = {
+ owner = "slskd";
+ group = "slskd";
+ permissions = "0770";
+ };
+ age.secrets.soularr-config = {
+ rekeyFile = ./secrets/soularr.conf.age;
+ owner = "slskd";
+ group = "music";
+ };
+ virtualisation.oci-containers.containers.soularr = {
+ image = "mrusse08/soularr:latest";
+ environment = {
+ TZ = "Asia/Yekaterinburg";
+ SCRIPT_INTERVAL = "300";
+ };
+ # slskd:music
+ user = "991:991";
+ volumes = [
+ "/srv/files/slskd:/downloads"
+ "/var/lib/soularr:/data"
+ "${config.age.secrets.soularr-config.path}:/data/config.ini"
+ ];
+ networks = [
+ "host"
+ ];
+ };
+
+ createPaths."/srv/files/explo" = {
+ owner = "files";
+ group = "music";
+ permissions = "0770";
+ };
+ age.secrets.explo-env = {
+ rekeyFile = ./secrets/explo.env.age;
+ owner = "files";
+ group = "music";
+ };
+ # TODO: write a module for explo
+ virtualisation.oci-containers.containers.explo = {
+ image = "ghcr.io/lumepart/explo:latest";
+ volumes = [
+ "${config.age.secrets.explo-env.path}:/opt/explo/.env"
+ "/srv/files/explo:/data/"
+ "/srv/files/slskd:/slskd/"
+ ];
+ environment = {
+ EXECUTE_ON_START = "true";
+ };
+ networks = [
+ "host"
+ ];
+ # files:music
+ extraOptions = [
+ "--uidmap=0:1000:1"
+ "--gidmap=0:991:1"
+ "--uidmap=1:100000:65535"
+ "--gidmap=1:100000:65535"
+ ];
+ };
+
+ age.secrets.navidrome-env = {
+ rekeyFile = ./secrets/navidrome.env.age;
+ };
+ users.users.navidrome.extraGroups = ["files" "music"];
+ systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/srv/files/explo"];
+ services.navidrome = {
+ enable = true;
+ package = pkgs.unstable.navidrome;
+ settings = {
+ BaseUrl = "https://navidrome.${domain}";
+ MusicFolder = "/srv/files/music";
+ PlaylistsPath = "playlists";
+ Scanner.PurgeMissing = "always";
+ EnableSharing = true;
+ };
+ environmentFile = config.age.secrets.navidrome-env.path;
+ };
+
+ age.secrets.xray-config = {
+ rekeyFile = ./secrets/xray.json.age;
+ };
+ services.xray = {
+ enable = true;
+ settingsFile = config.age.secrets.xray-config.path;
+ };
+
+ services.invidious = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 5410;
+ domain = "tube.${domain}";
+ settings = {
+ http_proxy = {
+ host = "127.0.0.1";
+ port = 10801;
+ user = "";
+ password = "";
+ };
+ };
+ };
+
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers.aonsoku = {
+ image = "ghcr.io/victoralvesf/aonsoku:latest";
+ ports = [
+ "127.0.0.1:5692:8080"
+ ];
+ environment = {
+ SERVER_URL = "https://navidrome.${domain}";
+ HIDE_SERVER = "true";
+ };
+ };
+
+ users.groups.books = {
+ gid = 1001;
+ };
+ createPaths."/srv/files/books" = {
+ owner = "files";
+ group = "books";
+ permissions = "0770";
+ subPaths = {
+ "/library" = {};
+ "/bookdrop" = {};
+ };
+ };
+
+ createPaths."/var/lib/cwa" = {
+ owner = "files";
+ group = "books";
+ permissions = "0750";
+ };
+
+ # age.secrets.cwa-env = {
+ # rekeyFile = ./secrets/cwa.env.age;
+ # };
+ # virtualisation.oci-containers.containers.cwa = {
+ # image = "ghcr.io/crocodilestick/calibre-web-automated:latest";
+ # environmentFiles = [
+ # config.age.secrets.cwa-env.path
+ # ];
+ # environment = {
+ # TZ = "Europe/Moscow";
+ # PUID = "1000";
+ # PGID = "1001";
+ # };
+ # ports = [
+ # "127.0.0.1:8083:8083"
+ # ];
+ # volumes = [
+ # "/srv/files/books:/calibre-library"
+ # "/srv/files/books/injest:/cwa-book-ingest"
+ # "/var/lib/cwa:/config"
+ # ];
+ # };
+
+ createPaths."/var/lib/shelfmark" = {
+ owner = "files";
+ group = "books";
+ permissions = "0750";
+ };
+
+ virtualisation.oci-containers.containers.shelfmark = {
+ image = "ghcr.io/calibrain/shelfmark:latest";
+ environment = {
+ PUID = "1000";
+ PGID = "1001";
+ };
+
+ ports = [
+ "127.0.0.1:8084:8084"
+ ];
+
+ volumes = [
+ "/srv/files/books/injest:/books"
+ "/var/lib/shelfmark:/config"
+ ];
+ networks = [
+ "host"
+ ];
+ };
+ services.booklore = {
+ enable = true;
+ subdomain = "books";
+ uid = "1000";
+ gid = "1001";
+ settings = {
+ timezone = "Europe/Yekaterinburg";
+ booksDir = "/srv/files/books/library";
+ bookdropDir = "/srv/files/books/injest";
+ };
+ };
+
+ services.watcharr = {
+ enable = true;
+ subdomain = "watched";
+ };
+
+ services.immich = {
+ enable = true;
+ };
+
+ system.stateVersion = "24.05";
+ };
+}
diff --git a/modules/hosts/ltrr-block/disk-config.nix b/modules/hosts/ltrr-block/disk-config.nix
new file mode 100644
index 0000000..52c5070
--- /dev/null
+++ b/modules/hosts/ltrr-block/disk-config.nix
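Review bot: Two credentials in this hunk end up as plaintext in the world-readable Nix store — the slskd API key under `web.authentication.api_keys.arr.key` and the qBittorrent WebUI `Username`/`Password_PBKDF2` pair — even though the same module already routes slskd's other secrets through `config.age.secrets.slskd-env.path`; the API key belongs in that age-managed env file (or its own age secret), and a PBKDF2 hash committed to the repo and the store is available for offline guessing to anyone with a shell on the host. The qBittorrent `SavePath = "/srv/files/torrents/complete/"` does not match the `"completed"` directory that `createPaths."/srv/files/torrents"` creates, so finished downloads land in an unmanaged directory; `SavePath = "/srv/files/torrents/completed/";` fixes it. Likewise booklore's `bookdropDir` and the shelfmark volume point at `/srv/files/books/injest`, while `createPaths."/srv/files/books"` only creates `/library` and `/bookdrop` (with a leading slash, which looks unintended for a subPath) and never creates `injest`. `slskd.openFirewall = true` together with 5030 in `allowedTCPPorts` publishes the slskd web UI directly on the host, bypassing the nginx vhost defined for it, and 2049 is opened although no NFS service appears in this hunk. The `"images"` group is used by three users and a subPath but, unlike `music`, is never declared in `users.groups` here — presumably it comes from another module; worth confirming.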
@@ -0,0 +1,39 @@
+{
+ flake.diskoConfigurations.ltrr-block = {
+ disko.devices = {
+ disk = {
+ main = {
+ device = "/dev/sdb";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = ["umask=0077"];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/hosts/ltrr-block/hardware-configuration.nix b/modules/hosts/ltrr-block/hardware-configuration.nix
new file mode 100644
index 0000000..ed72c61
--- /dev/null
+++ b/modules/hosts/ltrr-block/hardware-configuration.nix
@@ -0,0 +1,32 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ flake.nixosModules.ltrr-block = {
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+ }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ehci_pci" "ata_piix" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s29u1u3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ };
+}
diff --git a/modules/hosts/ltrr-block/secrets/cwa.env.age b/modules/hosts/ltrr-block/secrets/cwa.env.age
new file mode 100644
index 0000000..25e9486
Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/cwa.env.age differ
diff --git a/modules/hosts/ltrr-block/secrets/explo.env.age b/modules/hosts/ltrr-block/secrets/explo.env.age
new file mode 100644
index 0000000..1c0f605
Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/explo.env.age differ
diff --git a/modules/hosts/ltrr-block/secrets/navidrome.env.age b/modules/hosts/ltrr-block/secrets/navidrome.env.age
new file mode 100644
index 0000000..5a6b99d
Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/navidrome.env.age differ
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/1c8822a2f185737c765ae9a5ce0d3879-soularr-config.age b/modules/hosts/ltrr-block/secrets/rekeyed/1c8822a2f185737c765ae9a5ce0d3879-soularr-config.age new file mode 100644 index 0000000..608846d Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/rekeyed/1c8822a2f185737c765ae9a5ce0d3879-soularr-config.age differ diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/550a141b44c76106807b541c1987996b-wg-priv-key.age b/modules/hosts/ltrr-block/secrets/rekeyed/550a141b44c76106807b541c1987996b-wg-priv-key.age new file mode 100644 index 0000000..52a14bd --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/rekeyed/550a141b44c76106807b541c1987996b-wg-priv-key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptoveQ ulI09UBOLtapH3caDEteDd52zftMg/7xb9XT2N643A4 +JxzMCCqoLhPIuF7uas7xs1FhX3oqwm11a4r7mV56aiw +-> pXy7_[-grease H=# dQnNDe%G ] o +bT0nTM57IpqunS1CNyc/DXpM3f5L3n1887I++YtmrFZQEiU5liKv8Kr+aUD6lK7N +S44U1Z0Y3VmTeWbN1iV0f5KMk2ZIFXtdjf1kw5JGfFWWVoGXJAxQuQ +--- 522Kc0bJO1nPQ7bKfYj2+dNqArZpWbwGHRQCLnjbspI +vν1PʾPMqkI6!vj/)/OZhGxnUš9cL \ No newline at end of file diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/9288d02fd4269798567444d076247538-explo-env.age b/modules/hosts/ltrr-block/secrets/rekeyed/9288d02fd4269798567444d076247538-explo-env.age new file mode 100644 index 0000000..c11aa4a Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/rekeyed/9288d02fd4269798567444d076247538-explo-env.age differ diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/939083f61f3167ef5aff27bdba700e8e-xray-config.age b/modules/hosts/ltrr-block/secrets/rekeyed/939083f61f3167ef5aff27bdba700e8e-xray-config.age new file mode 100644 index 0000000..7cba65e Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/rekeyed/939083f61f3167ef5aff27bdba700e8e-xray-config.age differ 
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/d5f4d0c5c7b3217d008be68e8ad757e8-navidrome-env.age b/modules/hosts/ltrr-block/secrets/rekeyed/d5f4d0c5c7b3217d008be68e8ad757e8-navidrome-env.age new file mode 100644 index 0000000..954c2bb --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/rekeyed/d5f4d0c5c7b3217d008be68e8ad757e8-navidrome-env.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptoveQ OduiFfXpTXdPiFhmwROVjOSFSPSE8ViVFKpDKbkU4GA +SOtXYB7vqxYAdiZ81YkQJPU+EBljy8q/5xfUwkQE9FA +-> GPDe-grease +tK3q1L/lU2oMO9AzA2cfa5OE36z3x2YCGAu5SVyajQ +--- Y//hhULEy1uzl/p289AiDRGKFuR4GufSVa48rrgD8Ck +&o$)ʓ\StkಚJ+J=}a8~ҪCY*O@%: X25519 OUnJLswhrEjV/CylaDqKGX/VqhxhepjCt458Gk0wBgE +AN2//RRPB5aF+UMSF7ezSXza3t1dr6AGuTGhVzkDitM +-> 2f#v;H-grease dJa +ErP6N46d+W72CKSHEbgxzWSiCjN7VM0unjwAE/LWLXt+GNUGEN3I+DaPTWf46v05 +EA +--- URehB3fPuN8jXQoFfe2YZTyT6gZVs44slp/F7pXBYXM +=T̈` AMwƗ{ #荂w֬5Ԫ@A܇91{,k{B͆HfSn^;Lew`W41K>hfY \ No newline at end of file diff --git a/modules/hosts/ltrr-block/secrets/wg-priv.key.age b/modules/hosts/ltrr-block/secrets/wg-priv.key.age new file mode 100644 index 0000000..7ea39e9 Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/wg-priv.key.age differ diff --git a/modules/hosts/ltrr-block/secrets/xray.json.age b/modules/hosts/ltrr-block/secrets/xray.json.age new file mode 100644 index 0000000..f50d67b Binary files /dev/null and b/modules/hosts/ltrr-block/secrets/xray.json.age differ diff --git a/modules/hosts/ltrr-cloud/age.nix b/modules/hosts/ltrr-cloud/age.nix new file mode 100644 index 0000000..80232d7 --- /dev/null +++ b/modules/hosts/ltrr-cloud/age.nix @@ -0,0 +1,10 @@ +{inputs, ...}: { + flake.nixosModules.ltrr-cloud = { + age.rekey = { + hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGkmaIw2J4H6lWDVnopnUKQuQMJuQf5VMoC1/YwCuhAb"; + masterIdentities = ["/home/jerpo/.config/age/keys.txt"]; + storageMode = "local"; + localStorageDir = ./. + "/secrets/rekeyed"; + }; + }; +} 
diff --git a/modules/hosts/ltrr-cloud/configuration.nix b/modules/hosts/ltrr-cloud/configuration.nix
new file mode 100644
index 0000000..34a74e0
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/configuration.nix
@@ -0,0 +1,345 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ flake.nixosConfigurations.ltrr-cloud = inputs.nixpkgs-stable.lib.nixosSystem {
+ modules = [
+ self.nixosModules.ltrr-cloud
+ ];
+ };
+
+ flake.nixosModules.ltrr-cloud = {
+ modulesPath,
+ config,
+ lib,
+ pkgs,
+ ...
+ }: let
+ domain = "kcu.su";
+ in {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ "${inputs.nixpkgs}/nixos/modules/services/networking/headscale.nix"
+
+ self.nixosModules.nginxProxy
+ self.nixosModules.directories
+
+ inputs.disko.nixosModules.disko
+ self.diskoConfigurations.ltrr-cloud
+
+ inputs.agenix.nixosModules.default
+ inputs.agenix-rekey.nixosModules.default
+ ];
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ disabledModules = ["services/networking/headscale.nix"];
+
+ nixpkgs.overlays = [
+ self.overlays.unstable-packages
+ ];
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ networking = {
+ interfaces.ens3 = {
+ ipv4.addresses = [
+ {
+ address = "194.156.117.206";
+ prefixLength = 32;
+ }
+ ];
+ };
+ defaultGateway = {
+ address = "100.100.1.1";
+ interface = "ens3";
+ };
+ };
+
+ networking.nameservers = ["8.8.8.8" "1.1.1.1"];
+
+ networking.useDHCP = lib.mkDefault false;
+
+ networking.hostName = "ltrr-cloud";
+
+ services.openssh = {
+ enable = true;
+ };
+
+ environment.systemPackages = map lib.lowPrio [
+ pkgs.curl
+ pkgs.gitMinimal
+ ];
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJ8UW1BXDGDmlaiARO3a9boTG8wknUyITMz0Z0OJpHx spleefer6@yandex.ru"
+ ];
+ };
+ };
+
+ swapDevices = [
+ {
+ device = "/var/lib/swapfile";
+ size = 2 * 1024;
+ }
+ ];
+
+ networking.nat = {
+ enable = true;
+ externalInterface = "ens3";
+ internalInterfaces = ["wg0"];
+ };
+
+ age.secrets.wg-priv-key = {
+ rekeyFile = ./secrets/wg-priv.key.age;
+ };
+ networking.wg-quick = {
+ interfaces.wg0 = {
+ address = ["10.1.1.1/32"];
+ listenPort = 51820;
+
+ privateKeyFile = config.age.secrets.wg-priv-key.path;
+
+ preUp = ''
+ sysctl -w net.ipv4.ip_forward=1
+ # 16261
+ iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261
+ iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT
+ iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE
+
+ # 16262
+ iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262
+ iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT
+ iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE
+ '';
+ postDown = ''
+ # 16261
+ iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261
+ iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT
+ iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE
+
+ # 16262
+ iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262
+ iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT
+ iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE
+ '';
+
+ peers = [
+ {
+ allowedIPs = ["10.1.1.2/32"];
+ publicKey = "kzXzxJu1AdcRI5UwtGOrN6WuTZYqJo++PYRrXdOu/lY=";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443 25565];
+ networking.firewall.allowedUDPPorts = [51820 16261 16262];
+
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "10.0.0.0/8"
+ ];
+ bantime = "24h";
+ bantime-increment = {
+ enable = true;
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h";
+ overalljails = true;
+ };
+
+ jails = {
+ nginx-http-auth.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/*.log";
+ backend = "auto";
+ };
+ nginx-botsearch.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/*.log";
+ backend = "auto";
+ };
+ nginx-bad-request.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/*.log";
+ backend = "auto";
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "notspl3g+acme@duck.com";
+ };
+
+ nginxProxy = {
+ enable = true;
+ acme.enable = true;
+
+ inherit domain;
+ subdomains = {
+ "headscale" = {
+ proxyPass = "http://127.0.0.1:8768";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "uptime" = {
+ proxyPass = "http://127.0.0.1:8762";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "monitor" = {
+ proxyPass = "http://127.0.0.1:8090";
+ };
+ "auth".proxyPass = "http://127.0.0.1:9091";
+ };
+
+ extraVirtualHosts = {
+ "kcu.su" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/apple" = {
+ root = "/var/www";
+ };
+ locations."/" = {
+ return = 444;
+ };
+ };
+
+ "_".locations = {
+ "/" = {
+ return = 444;
+ };
+ };
+ };
+
+ home = let
+ homeConfig = self.nixosConfigurations.ltrr-block.config;
+ in {
+ subdomains = homeConfig.nginxProxy.subdomains;
+ url = "http://10.1.1.2";
+ };
+ };
+
+ age.secrets.authelia-jwt = {
+ rekeyFile = ./secrets/authelia-jwt.key.age;
+ owner = "authelia-kcu";
+ group = "authelia-kcu";
+ };
+ age.secrets.authelia-storage = {
+ rekeyFile = ./secrets/authelia-storage.key.age;
+ owner = "authelia-kcu";
+ group = "authelia-kcu";
+ };
+ services.authelia.instances.kcu = {
+ enable = true;
+ secrets = {
+ jwtSecretFile = config.age.secrets.authelia-jwt.path;
+ storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+ };
+ settings = {
+ authentication_backend = {
+ file = {
+ path = "/var/lib/authelia-kcu/users_database.yml";
+ };
+ };
+
+ storage = {
+ local = {};
+ };
+
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = ["auth.${domain}"];
+ policy = "bypass";
+ }
+ {
+ domain = ["*.${domain}"];
+ policy = "one_factor";
+ }
+ ];
+ };
+
+ session = {
+ name = "authelia_session";
+ expiration = "12h";
+ inactivity = "45m";
+ cookies = [
+ {
+ inherit domain;
+ authelia_url = "https://auth.kcu.su";
+ }
+ ];
+ };
+
+ storage = {
+ local = {
+ path = "/var/lib/authelia-kcu/db.sqlite3";
+ };
+ };
+
+ notifier = {
+ disable_startup_check = false;
+ filesystem = {
+ filename = "/var/lib/authelia-kcu/notification.txt";
+ };
+ };
+ };
+ };
+
+ services.headscale = {
+ enable = true;
+ package = pkgs.headscale;
+ port = 8768;
+ settings = {
+ server_url = "https://headscale.${domain}:443";
+ dns = {
+ base_domain = "ts.net";
+ nameservers.global = ["8.8.8.8"];
+ magicdns = true;
+ };
+ };
+ };
+
+ createPaths = {
+ "/var/lib/uptime-kuma" = {
+ owner = "root";
+ group = "root";
+ };
+ };
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers = {
+ "uptime-kuma" = {
+ image = "louislam/uptime-kuma:2";
+ volumes = [
+ "/var/lib/uptime-kuma:/app/data"
+ ];
+ ports = [
+ "127.0.0.1:8762:3001"
+ ];
+ capabilities = {
+ NET_RAW = true;
+ };
+ };
+ };
+
+ services.beszel.hub = {
+ enable = true;
+ };
+
+ system.stateVersion = "24.05";
+ };
+}
diff --git a/modules/hosts/ltrr-cloud/disk-config.nix b/modules/hosts/ltrr-cloud/disk-config.nix
new file mode 100644
index 0000000..f7abadd
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/disk-config.nix
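Review bot: `services.openssh` on this internet-facing host (194.156.117.206) enables sshd without the `settings.PasswordAuthentication = false;` that ltrr-block and ltrr-mask both set, so root password guessing is held back only by fail2ban; add that line to the openssh block. Inside `services.authelia.instances.kcu.settings` the `storage` attribute is defined twice (`storage = { local = {}; }` above access_control and again with the sqlite path below session), which Nix should reject as an already-defined attribute unless I misread the collapsed hunk — drop the first one. The wg0 `preUp`/`postDown` scripts repeat the same three iptables rules for 16261 and 16262 and also run `sysctl -w net.ipv4.ip_forward=1`, which `networking.nat.enable = true` already turns on declaratively; building both scripts from one port list (`lib.concatMapStringsSep "\n" (p: "...") [16261 16262]`) keeps the add and delete sides from drifting, and the sysctl line can go. `authelia_url = "https://auth.kcu.su"` hard-codes the domain that the rest of the module reads from `domain`; `authelia_url = "https://auth.${domain}";` keeps it in one place.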
@@ -0,0 +1,56 @@
+{
+ flake.diskoConfigurations.ltrr-cloud = {
+ disko.devices = {
+ disk.disk1 = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age b/modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age
new file mode 100644
index 0000000..ecad260
Binary files /dev/null and b/modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age differ
diff --git a/modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age b/modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age
new file mode 100644
index 0000000..22e9eb5
Binary files /dev/null and b/modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age differ
diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age
new file mode 100644
index 0000000..3fdbf7c
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age
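Review bot: The ESP is mounted at /boot without the `mountOptions = ["umask=0077"];` that ltrr-block/disk-config.nix applies to its ESP, so the vfat partition holding the kernels and initrds copied there by grub is readable by every local account; ltrr-mask/disk-config.nix has the same omission. Add `mountOptions = ["umask=0077"];` next to `mountpoint = "/boot";` in both files. Apart from `device = lib.mkDefault "/dev/vda";` versus the hard-coded `device = "/dev/vda";` here, the two LVM layouts are line-for-line identical and could be one shared definition.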
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 +W/xBg sJTHHtkYrmAQbKR8ZOdR9K/reO0qeKTL4gsx34pysiY +iTmPnK/LRYZIgEuq/xtLiQyDMML6hFPO262OdIq8UD8 +-> orB|s|Kd-grease K7 l7hC&yL A^ 6, +MoHcwp57sM2RWYOYAk8LihPGhPSrmZkUpd3X4eJODfsqfEuJys9ZhKVyr4l4FwzN +NsQJcBuH1//fXe/P +--- gku/aoba9gRLFf1wD6rrwogur0EYGovRAybhyr3CLco +ĩ,y yLۘXP1d(5Xvst6D}S 8ҹ03.XDLQsUEgK4 ssh-ed25519 +W/xBg HvzCOTiwRSUSNLxgsyBbhWOU7JdVeA0OLMTnHTAXlgE +v4G1Z3E2H0zzbamMppALx25HeS5rSfM+bJmrbUM+jgs +-> 6hkBDp}-grease ^w s#u_m8> 1?':qM +IAyx+VQq7VnSNf2SfqusH0eXFffH +--- L9C8w8DV9hstoTBd39/zve9OJt4v/vFpIDbRcxUWIeI +W:l{2u%:Vy/> .H u+AtLȲN ޼뺃 \ No newline at end of file diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age new file mode 100644 index 0000000..ff31a34 --- /dev/null +++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 +W/xBg vxOWjAe9E2wVCDSYjJ4FzTb6OJof4BME/a0B2/m7zl8 +2jTCWcg7koRgIOUi2QDKFimbE/Gq+F0CAYmkaBmT51g +-> eI}jc#W-grease $l&5 718 6%B>X +miZ+OEV0SD7oYl1tqYpVFzxGhQIvMjDTQ4xRwA8Cu8BNghAwbv2vROant8sjWSsv +WKkljj4/RH2EU1f0y0b2fIbhF8I +--- X06G5WHTNau24I+ZT20SebQvbxP7S9zrjbk0FFIPyOE +L\_@DD=*o>YEak",ś2،Iwb(p4Y' Paj&4-J!lkLV[X"2mqVᷩPNëz"9'I۲*5Z2~zYܸ2 \ No newline at end of file diff --git a/modules/hosts/ltrr-cloud/secrets/wg-priv.key.age b/modules/hosts/ltrr-cloud/secrets/wg-priv.key.age new file mode 100644 index 0000000..cd52bb3 Binary files /dev/null and b/modules/hosts/ltrr-cloud/secrets/wg-priv.key.age differ diff --git a/modules/hosts/ltrr-mask/configuration.nix b/modules/hosts/ltrr-mask/configuration.nix new file mode 100644 index 0000000..3656016 --- /dev/null +++ b/modules/hosts/ltrr-mask/configuration.nix 
@@ -0,0 +1,125 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ flake.nixosConfigurations.ltrr-mask = inputs.nixpkgs-stable.lib.nixosSystem {
+ modules = [
+ self.nixosModules.ltrr-mask
+ ];
+ };
+
+ flake.nixosModules.ltrr-mask = {
+ modulesPath,
+ config,
+ lib,
+ pkgs,
+ ...
+ }: let
+ domain = "kcu.su";
+ in {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+
+ inputs.disko.nixosModules.disko
+ self.diskoConfigurations.ltrr-mask
+
+ self.nixosModules.nginxProxy
+ ];
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ # http
+ # 80
+ # 443
+
+ # xray
+ 4876
+ 57625
+ 39701
+ 39482
+ ];
+
+ networking.domain = domain;
+ networking.hostName = "ltrr-vpn";
+ networking = {
+ interfaces.ens3 = {
+ ipv4.addresses = [
+ {
+ address = "64.188.126.186";
+ prefixLength = 32;
+ }
+ ];
+ };
+ defaultGateway = {
+ address = "100.64.0.1";
+ interface = "ens3";
+ };
+ };
+
+ networking.useDHCP = lib.mkDefault false;
+
+ networking.nameservers = ["8.8.8.8" "1.1.1.1"];
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ environment.systemPackages = map lib.lowPrio [
+ pkgs.curl
+ pkgs.gitMinimal
+ ];
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJ8UW1BXDGDmlaiARO3a9boTG8wknUyITMz0Z0OJpHx spleefer6@yandex.ru"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPuQVHIGm2bfvhW16ZI/4hDK2X8W+ADbPLXwzKZIYXZL user@LAPTOP-72FMD6D0"
+ ];
+ };
+ };
+
+ nginxProxy = {
+ enable = false;
+ acme.enable = true;
+
+ inherit domain;
+ subdomains = {
+ "xray" = {
+ proxyPass = "http://127.0.0.1:2053";
+
+ extraConfig = "
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Range $http_range;
+ proxy_set_header If-Range $http_if_range;
+ proxy_redirect off;
+ ";
+ recommendedProxySettings = false;
+ };
+ };
+ };
+
+ virtualisation.oci-containers = {
+ backend = "docker";
+ containers.xui = {
+ image = "ghcr.io/mhsanaei/3x-ui:latest";
+ ports = ["4876:2053" "57625:57625" "39701:39701"];
+ volumes = [
+ "/root/x-ui:/etc/x-ui"
+ ];
+ };
+ };
+
+ system.stateVersion = "24.05";
+ };
+}
diff --git a/modules/hosts/ltrr-mask/disk-config.nix b/modules/hosts/ltrr-mask/disk-config.nix
new file mode 100644
index 0000000..e772466
--- /dev/null
+++ b/modules/hosts/ltrr-mask/disk-config.nix
@@ -0,0 +1,56 @@
+{lib, ...}: {
+ flake.diskoConfigurations.ltrr-mask = {
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
-- cgit v1.2.3
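Review bot: The 3x-ui container publishes its admin panel with `ports = ["4876:2053" ...]` on every interface and 4876 is opened in `allowedTCPPorts`, while `nginxProxy.enable = false` switches off the TLS vhost that was written to front it, so unless 3x-ui has been given its own certificate the panel login is reachable over plain HTTP on the public address; either re-enable the proxy and bind the mapping to `"127.0.0.1:4876:2053"`, or at least take 4876 out of the firewall list. `networking.hostName = "ltrr-vpn"` does not match the `ltrr-mask` name under `flake.nixosConfigurations`, which defeats the hostname-based lookup `nixos-rebuild` does by default and makes `networking.domain` yield ltrr-vpn.kcu.su. 39482 is allowed through the firewall but is not in the container's `ports`, and 57625/39701 are published without a host address, so the port set is out of sync in both directions. The image is pulled as `:latest` with `backend = "docker"` while every other host in this commit uses podman, and the panel database lives in `/root/x-ui`; pinning a tag or digest would make what runs on this host reproducible.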