From a1191f016220c46c358788b2f30192d35e60d0a0 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Sat, 13 Jan 2024 00:05:18 +0300
Subject: [PATCH] remove suomi-vps
---
 flake.nix | 9 -
 machines/Suomi-VPS/default.nix | 240 ---------------------
 machines/Suomi-VPS/disk-config.nix | 100 ---------
 machines/Suomi-VPS/hardware/networks.nix | 96 --------
 machines/Suomi-VPS/network.nix | 66 ------
 machines/Suomi-VPS/nix.nix | 38 ----
 machines/Suomi-VPS/services/backups.nix | 50 -----
 machines/Suomi-VPS/services/dns.nix | 232 --------------------
 machines/Suomi-VPS/services/tailscale.nix | 23 --
 machines/Suomi-VPS/services/tor-bridge.nix | 45 ----
 machines/Suomi-VPS/services/wireguard.nix | 131 ----------
 machines/Suomi-VPS/services/xtls.nix | 65 ------
 machines/Suomi-VPS/system | 1 -
 13 files changed, 1096 deletions(-)
 delete mode 100644 machines/Suomi-VPS/default.nix
 delete mode 100644 machines/Suomi-VPS/disk-config.nix
 delete mode 100644 machines/Suomi-VPS/hardware/networks.nix
 delete mode 100644 machines/Suomi-VPS/network.nix
 delete mode 100644 machines/Suomi-VPS/nix.nix
 delete mode 100644 machines/Suomi-VPS/services/backups.nix
 delete mode 100644 machines/Suomi-VPS/services/dns.nix
 delete mode 100644 machines/Suomi-VPS/services/tailscale.nix
 delete mode 100644 machines/Suomi-VPS/services/tor-bridge.nix
 delete mode 100644 machines/Suomi-VPS/services/wireguard.nix
 delete mode 100644 machines/Suomi-VPS/services/xtls.nix
 delete mode 100644 machines/Suomi-VPS/system
diff --git a/flake.nix b/flake.nix
index 861a5956..7a7c4130 100644
--- a/flake.nix
+++ b/flake.nix
@@ -161,15 +161,6 @@
 specialArgs = { inherit inputs; };
 channelName = "unstable";
 };
- Suomi-VPS = {
- system = builtins.readFile (./machines/Suomi-VPS/system);
- modules = [
- (import (./machines/Suomi-VPS))
- { device = "Suomi-VPS"; mainuser = "ataraxia"; }
- ];
- specialArgs = { inherit inputs; };
- channelName = "vps";
- };
 NixOS-VPS = {
 system = builtins.readFile (./machines/NixOS-VPS/system);
 modules = [
diff --git a/machines/Suomi-VPS/default.nix b/machines/Suomi-VPS/default.nix
deleted file mode 100644
index 40ddceaf..00000000
--- a/machines/Suomi-VPS/default.nix
+++ /dev/null
@@ -1,240 +0,0 @@
-{ modulesPath, inputs, lib, pkgs, config, ... }: {
- imports = with inputs.self; [
- (modulesPath + "/profiles/qemu-guest.nix")
- (modulesPath + "/profiles/minimal.nix")
- inputs.disko.nixosModules.disko
- inputs.sops-nix.nixosModules.sops
-
- ./disk-config.nix
- ./network.nix
- ./nix.nix
- customModules.devices
- customModules.persist
- customModules.rustic
- customModules.users
-
- customProfiles.hardened
- ./services/backups.nix
- ./services/dns.nix
- ./services/tailscale.nix
- ./services/tor-bridge.nix
- ./services/wireguard.nix
- ./services/xtls.nix
- ];
-
- # Impermanence
- boot.initrd = {
- # hardware
- availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
- # reset rootfs on reboot
- postDeviceCommands = pkgs.lib.mkBefore ''
- mkdir -p /mnt
- mount -o subvol=/ /dev/sda4 /mnt
-
- btrfs subvolume list -o /mnt/rootfs |
- cut -f9 -d' ' |
- while read subvolume; do
- echo "deleting /$subvolume subvolume..."
- btrfs subvolume delete "/mnt/$subvolume"
- done &&
-
- echo "deleting /root subvolume..."
- btrfs subvolume delete /mnt/rootfs
- echo "restoring blank /root subvolume..."
- btrfs subvolume snapshot /mnt/snapshots/rootfs-blank /mnt/rootfs
- umount /mnt
- '';
- };
- fileSystems."/home".neededForBoot = true;
- fileSystems."/persist".neededForBoot = true;
- persist = {
- enable = true;
- cache.clean.enable = true;
- state = {
- files = [
- "/etc/machine-id"
- "/etc/ssh/ssh_host_ed25519_key"
- "/etc/ssh/ssh_host_ed25519_key.pub"
- "/etc/ssh/ssh_host_rsa_key"
- "/etc/ssh/ssh_host_rsa_key.pub"
- ];
- directories = [
- "/var/lib/nixos"
- "/var/lib/systemd"
- ];
- };
- };
-
- # TODO: write all needed modules in boot.kernelModules
- security.lockKernelModules = lib.mkForce false;
- # Misc
- boot = {
- supportedFilesystems = [ "vfat" "btrfs" ];
- kernelModules = [
- "tcp_bbr" "veth"
- # podman
- "nft_chain_nat" "xt_addrtype" "xt_comment" "xt_mark" "xt_MASQUERADE"
- ];
- kernelParams = [
- "scsi_mod.use_blk_mq=1"
- "kvm.ignore_msrs=1"
- "kvm.report_ignored_msrs=0"
- ];
- kernel.sysctl = {
- "vm.swappiness" = 50;
- "vm.vfs_cache_pressure" = 200;
- "vm.dirty_background_ratio" = 1;
- "vm.dirty_ratio" = 40;
- "vm.page-cluster" = 0;
- # proxy tuning
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.ipv4.tcp_slow_start_after_idle" = 0;
- "net.core.default_qdisc" = "cake";
- # "net.core.default_qdisc" = "fq";
- "net.core.rmem_max" = 67108864;
- "net.core.wmem_max" = 67108864;
- "net.core.netdev_max_backlog" = 10000;
- "net.core.somaxconn" = 4096;
- "net.ipv4.tcp_syncookies" = 1;
- "net.ipv4.tcp_tw_reuse" = 1;
- "net.ipv4.tcp_fin_timeout" = 30;
- "net.ipv4.tcp_keepalive_time" = 1200;
- "net.ipv4.tcp_keepalive_probes" = 5;
- "net.ipv4.tcp_keepalive_intvl" = 30;
- "net.ipv4.tcp_max_syn_backlog" = 8192;
- "net.ipv4.tcp_max_tw_buckets" = 5000;
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_mem" = "25600 51200 102400";
- "net.ipv4.udp_mem" = "25600 51200 102400";
- "net.ipv4.tcp_rmem" = "4096 87380 67108864";
- "net.ipv4.tcp_wmem" = "4096 65536 67108864";
- "net.ipv4.tcp_mtu_probing" = 1;
- };
- loader.grub = {
- enable = true;
- efiSupport = true;
- efiInstallAsRemovable = true;
- };
- };
- zramSwap = {
- enable = true;
- algorithm = "zstd";
- memoryPercent = 100;
- };
-
- deviceSpecific.isServer = true;
- services.journald.extraConfig = "Compress=false";
- nix.optimise.automatic = false;
- nix.distributedBuilds = lib.mkForce false;
- environment.noXlibs = lib.mkForce false;
- fonts.enableDefaultPackages = lib.mkForce false;
- security.polkit.enable = true;
- # security.pam.enableSSHAgentAuth = true;
- environment.systemPackages = with pkgs; [
- bat
- bottom
- comma
- git
- kitty
- micro
- pwgen
- inputs.nix-alien.packages."aarch64-linux".nix-index-update
- rsync
- ];
-
- # Locale
- i18n.defaultLocale = "en_GB.UTF-8";
- i18n.extraLocaleSettings = {
- LANGUAGE = "en_GB.UTF-8";
- LC_ALL = "en_GB.UTF-8";
- LC_TIME = "en_GB.UTF-8";
- LC_ADDRESS = "ru_RU.UTF-8";
- LC_MONETARY = "ru_RU.UTF-8";
- LC_PAPER = "ru_RU.UTF-8";
- };
- time.timeZone = "Europe/Helsinki";
- environment.sessionVariables = {
- XKB_DEFAULT_LAYOUT = "us,ru";
- XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
- LANGUAGE = "en_GB.UTF-8";
- LC_ALL = "en_GB.UTF-8";
- };
-
- # Hardened
- networking.firewall = {
- enable = true;
- allowPing = false;
- allowedTCPPorts = lib.mkDefault [ ];
- allowedUDPPorts = lib.mkDefault [ ];
- };
- systemd.coredump.enable = false;
-
- # Users
- services.openssh = {
- enable = true;
- settings.PasswordAuthentication = false;
- settings.PermitRootLogin = lib.mkForce "prohibit-password";
- settings.X11Forwarding = false;
- extraConfig = "StreamLocalBindUnlink yes";
- ports = [ 22 ];
- };
- users.mutableUsers = false;
- users.users = {
- ${config.mainuser} = {
- isNormalUser = true;
- extraGroups = [ "disk" "systemd-journal" "wheel" ];
- uid = 1000;
- hashedPassword =
- "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
- shell = pkgs.bash;
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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 (none)"
- "ssh-rsa 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 alukard@AMD-Workstation"
- ];
- };
- deploy = {
- description = "The administrator account for the servers.";
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys =
- config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
- };
- root.openssh.authorizedKeys.keys =
- config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
- };
- # Passwordless sudo for deploy user
- security.sudo = {
- extraRules = [{
- users = [ "deploy" ];
- commands = [{
- command = "ALL";
- options = [ "NOPASSWD" ];
- }];
- }];
- extraConfig = ''
- Defaults lecture = never
- '';
- };
-
- # Podman
- virtualisation = {
- oci-containers.backend = lib.mkForce "podman";
- podman.enable = true;
- podman.dockerSocket.enable = true;
- containers.registries.search = [
- "docker.io" "gcr.io" "quay.io"
- ];
- containers.storage.settings = {
- storage = {
- driver = "overlay";
- graphroot = "/var/lib/podman/storage";
- runroot = "/run/containers/storage";
- };
- };
- };
- networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
- security.unprivilegedUsernsClone = true;
-
- system.stateVersion = "23.05";
- nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
-}
diff --git a/machines/Suomi-VPS/disk-config.nix b/machines/Suomi-VPS/disk-config.nix
deleted file mode 100644
index 1293b493..00000000
--- a/machines/Suomi-VPS/disk-config.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{ lib, ... }: {
- disko.devices.disk.disk1 = {
- device = lib.mkDefault "/dev/sda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- name = "boot";
- size = "1M";
- type = "EF02";
- };
- esp = {
- name = "ESP";
- size = "512M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
- swap = {
- name = "swap";
- size = "4G";
- content = {
- type = "swap";
- randomEncryption = true;
- };
- };
- root = {
- name = "root";
- size = "100%";
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ];
- postCreateHook = ''
- mount -t btrfs /dev/sda4 /mnt
- btrfs subvolume snapshot -r /mnt/rootfs /mnt/snapshots/rootfs-blank
- btrfs subvolume snapshot -r /mnt/persistent/home /mnt/snapshots/home-blank
- btrfs subvolume snapshot -r /mnt/persistent/docker /mnt/snapshots/docker-blank
- btrfs subvolume snapshot -r /mnt/persistent/podman /mnt/snapshots/podman-blank
- btrfs subvolume snapshot -r /mnt/persistent/containers /mnt/snapshots/containers-blank
- btrfs subvolume snapshot -r /mnt/persistent/libvirt /mnt/snapshots/libvirt-blank
- btrfs subvolume snapshot -r /mnt/persistent/log /mnt/snapshots/log-blank
- btrfs subvolume snapshot -r /mnt/persistent/impermanence /mnt/snapshots/impermanence-blank
- btrfs subvolume snapshot -r /mnt/persistent/srv /mnt/snapshots/srv-blank
- umount /mnt
- '';
- subvolumes = {
- "/snapshots" = { };
- "/rootfs" = {
- mountpoint = "/";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/persistent" = { };
- "/persistent/nix" = {
- mountpoint = "/nix";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/persistent/home" = {
- mountpoint = "/home";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/persistent/srv" = {
- mountpoint = "/srv";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/persistent/docker" = {
- mountpoint = "/var/lib/docker";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/persistent/podman" = {
- mountpoint = "/var/lib/podman";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/persistent/containers" = {
- mountpoint = "/var/lib/containers";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/persistent/libvirt" = {
- mountpoint = "/var/lib/libvirt";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/persistent/log" = {
- mountpoint = "/var/log";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/persistent/impermanence" = {
- mountpoint = "/persist";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- };
- };
- };
-
- };
- };
- };
-}
diff --git a/machines/Suomi-VPS/hardware/networks.nix b/machines/Suomi-VPS/hardware/networks.nix
deleted file mode 100644
index e46af205..00000000
--- a/machines/Suomi-VPS/hardware/networks.nix
+++ /dev/null
@@ -1,96 +0,0 @@
-rec {
- privateIPv6Prefix = "fd3a:900e:8e74:ffff";
- domain = "vps.ataraxiadev.com";
-
- interfaces = {
- # This is the public-facing interface. Any interface name with a prime
- # symbol means it's a public-facing interface.
- main' = {
- bridgeName = "br0";
- ifname = "enp1s0";
- IPv4 = {
- address = "65.21.2.254/32";
- gateway = "172.31.1.1";
- dns = [ "185.12.64.1" "185.12.64.2" ];
- };
- IPv6 = {
- address = "2a01:4f9:c012:859e::1/64";
- gateway = "fe80::1";
- # dns = [ "2a0d:f302:99::99" "2a0d:f302:100::100" ];
- dns = [ ];
- };
- };
-
- wireguard0 = {
- ifname = "wg0";
- dns = [ "${privateIPv6Prefix}::0:53" ];
- IPv4 = {
- address = "10.100.0.1";
- subnet = "10.100.0.0/16";
- };
- IPv6 = {
- address = "${privateIPv6Prefix}::1";
- subnet = "${privateIPv6Prefix}::0/64";
- };
- };
- };
-
- # Wireguard-related things.
- wireguardPort = 40820;
- wireguardIPv4Prefix = "10.100.0";
- wireguardIPv6Prefix = "${privateIPv6Prefix}::0";
- wireguardPeers = {
- server = with interfaces.wireguard0; {
- IPv4 = IPv4.address;
- IPv6 = IPv6.address;
- };
- ataraxia = {
- IPv4 = "${wireguardIPv4Prefix}.2";
- IPv6 = "${wireguardIPv6Prefix}:2";
- };
- hypervisor = {
- IPv4 = "${wireguardIPv4Prefix}.3";
- IPv6 = "${wireguardIPv6Prefix}:3";
- };
- mikrotik = {
- IPv4 = "${wireguardIPv4Prefix}.4";
- IPv6 = "${wireguardIPv6Prefix}:4";
- };
- poco = {
- IPv4 = "${wireguardIPv4Prefix}.5";
- IPv6 = "${wireguardIPv6Prefix}:5";
- };
- kpoxa = {
- IPv4 = "${wireguardIPv4Prefix}.6";
- IPv6 = "${wireguardIPv6Prefix}:6";
- };
- kpoxa2 = {
- IPv4 = "${wireguardIPv4Prefix}.7";
- IPv6 = "${wireguardIPv6Prefix}:7";
- };
- faysss = {
- IPv4 = "${wireguardIPv4Prefix}.8";
- IPv6 = "${wireguardIPv6Prefix}:8";
- };
- faysss2 = {
- IPv4 = "${wireguardIPv4Prefix}.9";
- IPv6 = "${wireguardIPv6Prefix}:9";
- };
- faysss3 = {
- IPv4 = "${wireguardIPv4Prefix}.10";
- IPv6 = "${wireguardIPv6Prefix}:a";
- };
- doste = {
- IPv4 = "${wireguardIPv4Prefix}.11";
- IPv6 = "${wireguardIPv6Prefix}:b";
- };
- dell = {
- IPv4 = "${wireguardIPv4Prefix}.12";
- IPv6 = "${wireguardIPv6Prefix}:c";
- };
- hypervisor-dns = {
- IPv4 = "${wireguardIPv4Prefix}.13";
- IPv6 = "${wireguardIPv6Prefix}:d";
- };
- };
-}
diff --git a/machines/Suomi-VPS/network.nix b/machines/Suomi-VPS/network.nix
deleted file mode 100644
index 0f0c30b6..00000000
--- a/machines/Suomi-VPS/network.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{ config, ... }:
-let
- inherit (import ./hardware/networks.nix) interfaces domain;
-in {
- services.resolved.enable = true;
- networking = {
- enableIPv6 = true;
- usePredictableInterfaceNames = true;
- useDHCP = false;
- dhcpcd.enable = false;
- nftables.enable = false; # incompatible with tailscale and docker/podman
- hostName = config.device;
- domain = domain;
- };
- systemd.network = with interfaces.main'; {
- enable = true;
- wait-online.ignoredInterfaces = [ "lo" ];
- networks = {
- "10-wan" = {
- matchConfig.Name = ifname;
- linkConfig.RequiredForOnline = "enslaved";
- networkConfig.Bridge = bridgeName;
- networkConfig.DHCP = "no";
- networkConfig.LinkLocalAddressing = "no";
- networkConfig.IPv6AcceptRA = false;
- };
- "20-${bridgeName}" = {
- matchConfig.Name = bridgeName;
- address = [
- IPv4.address IPv6.address
- "192.168.0.1/24" "fc00::1/64"
- ];
- linkConfig.RequiredForOnline = "routable";
-
- domains = [ config.networking.domain ];
- networkConfig = {
- DHCP = "no";
- IPForward = true;
- IPv6PrivacyExtensions = true;
- LinkLocalAddressing = "no";
- IPv6AcceptRA = false;
- DNS = IPv4.dns ++ IPv6.dns;
- };
- routes = [
- {
- routeConfig.Gateway = IPv4.gateway;
- routeConfig.GatewayOnLink = true;
- }
- {
- routeConfig.Gateway = IPv6.gateway;
- routeConfig.GatewayOnLink = true;
- }
- ];
- };
- };
- netdevs = {
- "20-${bridgeName}" = {
- netdevConfig = {
- Kind = "bridge";
- Name = bridgeName;
- MACAddress = "e6:95:b5:a6:28:c0";
- };
- };
- };
- };
-}
\ No newline at end of file
diff --git a/machines/Suomi-VPS/nix.nix b/machines/Suomi-VPS/nix.nix
deleted file mode 100644
index 9708c3c4..00000000
--- a/machines/Suomi-VPS/nix.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ config, lib, inputs, ... }: {
- nix = {
- nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
- registry.self.flake = inputs.self;
- registry.nixpkgs.flake = inputs.nixpkgs;
- optimise.automatic = lib.mkDefault true;
- extraOptions = ''
- builders-use-substitutes = true
- experimental-features = nix-command flakes
- flake-registry = ${inputs.flake-registry}/flake-registry.json
- '';
- settings = {
- auto-optimise-store = false;
- require-sigs = true;
- substituters = [
- "https://cache.nixos.org"
- "https://nix-community.cachix.org"
- "https://ataraxiadev-foss.cachix.org"
- "https://cache.ataraxiadev.com/ataraxiadev"
- "https://numtide.cachix.org"
- "https://devenv.cachix.org"
- "https://ezkea.cachix.org"
- ];
- trusted-public-keys = [
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "ataraxiadev-foss.cachix.org-1:ws/jmPRUF5R8TkirnV1b525lP9F/uTBsz2KraV61058="
- "ataraxiadev:/V5bNjSzHVGx6r2XA2fjkgUYgqoz9VnrAHq45+2FJAs="
- "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
- "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
- "ezkea.cachix.org-1:ioBmUbJTZIKsHmWWXPe1FSFbeVe+afhfgqgTSNd34eI="
- ];
- trusted-users = [ "root" config.mainuser "@wheel" ];
- };
- };
- environment.etc.nixpkgs.source = inputs.nixpkgs;
- environment.etc.self.source = inputs.self;
-}
diff --git a/machines/Suomi-VPS/services/backups.nix b/machines/Suomi-VPS/services/backups.nix
deleted file mode 100644
index 3ab0a6ab..00000000
--- a/machines/Suomi-VPS/services/backups.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ config, inputs, ... }: {
- sops.secrets.rustic-repo-pass.sopsFile = inputs.self.secretsDir + /rustic-b2.yaml;
- sops.secrets.rclone-backup-config.sopsFile = inputs.self.secretsDir + /rustic-b2.yaml;
-
- services.rustic.backups = let
- label = "vps-containers";
- in rec {
- vps-backup = {
- backup = true;
- prune = false;
- rcloneConfigFile = config.sops.secrets.rclone-backup-config.path;
- timerConfig = {
- OnCalendar = "01:00";
- Persistent = true;
- };
- settings = {
- repository = {
- repository = "rclone:rustic-b2:ataraxia-nas-backup";
- password-file = config.sops.secrets.rustic-repo-pass.path;
- };
- repository.options = {
- timeout = "10min";
- };
- backup = {
- label = label;
- ignore-devid = true;
- sources = [{
- source = "/srv/marzban /srv/nextcloud/config /srv/nextcloud/data";
- }];
- };
- forget = {
- filter-label = [ label ];
- prune = true;
- keep-daily = 7;
- keep-weekly = 5;
- keep-monthly = 2;
- };
- };
- };
- vps-prune = vps-backup // {
- backup = false;
- prune = true;
- createWrapper = false;
- timerConfig = {
- OnCalendar = "Tue, 02:00";
- Persistent = true;
- };
- };
- };
-}
\ No newline at end of file
diff --git a/machines/Suomi-VPS/services/dns.nix b/machines/Suomi-VPS/services/dns.nix
deleted file mode 100644
index 8ef80a79..00000000
--- a/machines/Suomi-VPS/services/dns.nix
+++ /dev/null
@@ -1,232 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- inherit (import ../hardware/networks.nix) interfaces;
- wg = interfaces.wireguard0;
- wgIfname = wg.ifname;
- brIfname = interfaces.main'.bridgeName;
- tailscaleIfname = config.services.tailscale.interfaceName;
-in {
- # For debugging purposes
- environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
- services.resolved.extraConfig = ''
- DNSStubListener=off
- '';
- systemd.network.networks."20-${brIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
- systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
-
- networking.firewall.interfaces = let
- ports = {
- allowedTCPPorts = [
- config.services.blocky.settings.ports.dns
- config.services.grafana.settings.server.http_port
- ];
- allowedUDPPorts = [
- config.services.blocky.settings.ports.dns
- ];
- };
- in {
- ${wgIfname} = ports;
- ${tailscaleIfname} = ports;
- };
-
- # TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
- services.unbound = {
- enable = true;
- package = pkgs.unbound-full;
- settings = {
- server = {
- root-hints = "${config.services.unbound.stateDir}/root.hints";
- port = "553";
- interface = [
- "127.0.0.1"
- "::1"
- ];
- access-control = [
- "0.0.0.0/0 refuse"
- "127.0.0.0/8 allow"
- "::0/0 refuse"
- "::1 allow"
- ];
- private-address = [
- "127.0.0.0/8"
- "::1"
- ];
- hide-version = "yes";
- aggressive-nsec = "yes";
- cache-max-ttl = "86400";
- cache-min-ttl = "600";
- deny-any = "yes";
- do-ip4 = "yes";
- do-ip6 = "yes";
- do-tcp = "yes";
- do-udp = "yes";
- harden-algo-downgrade = "yes";
- harden-dnssec-stripped = "yes";
- harden-glue = "yes";
- harden-large-queries = "yes";
- harden-referral-path = "yes";
- harden-short-bufsize = "yes";
- hide-identity = "yes";
- minimal-responses = "yes";
- msg-cache-size = "128m";
- neg-cache-size = "4m";
- prefer-ip6 = "no";
- prefetch = "yes";
- prefetch-key = "yes";
- qname-minimisation = "yes";
- rrset-cache-size = "256m";
- rrset-roundrobin = "yes";
- serve-expired = "yes";
- so-rcvbuf = "4m";
- so-reuseport = "yes";
- so-sndbuf = "4m";
- unwanted-reply-threshold = "100000";
- use-caps-for-id = "yes";
- };
- cachedb = {
- backend = "redis";
- redis-server-host = "127.0.0.1";
- redis-server-port = toString config.services.redis.servers.unbound.port;
- redis-timeout = "300";
- redis-expire-records = "no";
- };
- };
- };
- services.redis.vmOverCommit = true;
- services.redis.servers.unbound = {
- enable = true;
- port = 7379;
- databases = 1;
- save = [ [ 3600 1 ] [ 1800 10 ] [ 600 100 ] ];
- settings = {
- maxmemory = "16mb";
- protected-mode = true;
- rdbchecksum = false;
- stop-writes-on-bgsave-error = false;
- tcp-keepalive = 300;
- timeout = 0;
- };
- };
- # TODO: maybe set internic ip address to hosts?
- systemd.services.root-hints = {
- script = ''
- ${pkgs.wget}/bin/wget -O ${config.services.unbound.stateDir}/root.hints https://www.internic.net/domain/named.root
- '';
- serviceConfig.Type = "oneshot";
- startAt = "1 0 1 */1 *";
- };
- # Blocky + prometheus + grafana
- services.blocky = {
- enable = true;
- settings = {
- upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
- upstreamTimeout = "10s";
- bootstrapDns = [{
- upstream = "https://dns.quad9.net/dns-query";
- ips = [ "9.9.9.9" "149.112.112.112" ];
- }];
- blocking = {
- blackLists = {
- ads = [
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
- "https://github.com/RPiList/specials/raw/master/Blocklisten/malware"
- ];
- telemetry = [
- "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
- "https://github.com/RPiList/specials/raw/master/Blocklisten/MS-Office-Telemetry"
- "https://github.com/RPiList/specials/raw/master/Blocklisten/Win10Telemetry"
- ];
- };
- clientGroupsBlock.default = [ "ads" "telemetry" ];
- };
- # disable caching (use unbound)
- caching = {
- minTime = -1;
- maxTime = -1;
- cacheTimeNegative = -1;
- prefetching = false;
- };
- ports = {
- dns = 53;
- http = "127.0.0.1:4000";
- };
- prometheus.enable = true;
- queryLog = {
- type = "console";
- };
- };
- };
- services.prometheus = {
- enable = true;
- listenAddress = "127.0.0.1";
- globalConfig.scrape_interval = "15s";
- globalConfig.evaluation_interval = "15s";
- scrapeConfigs = [{
- job_name = "blocky";
- static_configs = [{
- targets = [ config.services.blocky.settings.ports.http ];
- }];
- }];
- };
- services.grafana = {
- enable = true;
- settings = {
- analytics.reporting_enabled = false;
- server = {
- enable_gzip = true;
- domain = "localhost";
- http_addr = "0.0.0.0";
- http_port = 3000;
- };
- # Grafana can be accessed only through wireguard, so it's secure enough
- security = {
- admin_user = "admin";
- admin_password = "admin";
- };
- panels.disable_sanitize_html = true;
- };
- provision = {
- enable = true;
- datasources.settings = {
- datasources = [{
- name = "Prometheus";
- type = "prometheus";
- access = "proxy";
- orgId = 1;
- uid = "Y4SSG429DWCGDQ3R";
- url = "http://127.0.0.1:${toString config.services.prometheus.port}";
- isDefault = true;
- jsonData = {
- graphiteVersion = "1.1";
- tlsAuth = false;
- tlsAuthWithCACert = false;
- };
- version = 1;
- editable = true;
- }];
- };
- dashboards = {
- settings = {
- providers = [{
- name = "My Dashboards";
- options.path = "/etc/grafana-dashboards";
- }];
- };
- };
- };
- };
- environment.etc = {
- "grafana-dashboards/blocky_rev3.json" = {
- source = ../../../misc/grafana_blocky_rev3.json;
- group = "grafana";
- user = "grafana";
- };
- };
-
- persist.state.directories = [
- "/var/lib/grafana"
- "/var/lib/prometheus2"
- "/var/lib/redis-unbound"
- "/var/lib/unbound"
- ];
-}
\ No newline at end of file
diff --git a/machines/Suomi-VPS/services/tailscale.nix b/machines/Suomi-VPS/services/tailscale.nix
deleted file mode 100644
index c87f8ff3..00000000
--- a/machines/Suomi-VPS/services/tailscale.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
- tailscalePort = config.services.tailscale.port;
- tailscaleIfname = config.services.tailscale.interfaceName;
-in {
- networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
- networking.firewall.trustedInterfaces = [ tailscaleIfname ];
-
- systemd.network.networks."50-tailscale" = {
- matchConfig.Name = tailscaleIfname;
- linkConfig.Unmanaged = true;
- linkConfig.ActivationPolicy = "manual";
- };
-
- services.tailscale = {
- enable = true;
- port = 18491;
- useRoutingFeatures = "both";
- };
-
- persist.state.directories = [ "/var/lib/tailscale" ];
-}
\ No newline at end of file
diff --git a/machines/Suomi-VPS/services/tor-bridge.nix b/machines/Suomi-VPS/services/tor-bridge.nix
deleted file mode 100644
index f312543d..00000000
--- a/machines/Suomi-VPS/services/tor-bridge.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- inherit (import ../hardware/networks.nix) interfaces;
- bridgeName = interfaces.main'.bridgeName;
- obfs4Port = 18371;
-in {
- networking.firewall.interfaces.${bridgeName} = {
- allowedTCPPorts = [ obfs4Port ];
- };
-
- # We can get bridge cert from file: /var/lib/tor/pt_state/obfs4_bridgeline.txt
- # Fingerprint can be obtained from tor.service logs
- services.tor = {
- enable = true;
- enableGeoIP = true;
- client.enable = false;
- relay.enable = true;
- relay.role = "private-bridge";
- settings = {
- BridgeDistribution = "none";
- BridgeRelay = true;
- ContactInfo = "admin@ataraxiadev.com";
- ORPort = [ 17429 ];
- ServerTransportListenAddr = "obfs4 0.0.0.0:${toString obfs4Port}";
- Nickname = "Ataraxia";
- };
- };
-
- services.networkd-dispatcher = {
- enable = true;
- rules."restart-tor" = {
- onState = [ "routable" "off" ];
- script = ''
- #!${pkgs.runtimeShell}
- if [[ $IFACE == "${bridgeName}" && $AdministrativeState == "configured" ]]; then
- echo "Restarting Tor ..."
- systemctl restart tor
- fi
- exit 0
- '';
- };
- };
-
- persist.state.directories = [ "/var/lib/tor" ];
-}
\ No newline at end of file
diff --git a/machines/Suomi-VPS/services/wireguard.nix b/machines/Suomi-VPS/services/wireguard.nix
deleted file mode 100644
index 93197bc4..00000000
--- a/machines/Suomi-VPS/services/wireguard.nix
+++ /dev/null
@@ -1,131 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
- wireguardIFName = interfaces.wireguard0.ifname;
-in {
- # Sometimes we need to disable checksum validation
- # ethtool -K br0 tx off rx off
- # ethtool -K enp0s1 tx off rx off
- environment.systemPackages = [ pkgs.wireguard-tools ];
-
- networking.firewall = {
- allowedUDPPorts = [ wireguardPort ];
- checkReversePath = lib.mkForce false;
- };
-
- boot.kernelModules = [ "wireguard" ];
- systemd.network = {
- wait-online.ignoredInterfaces = [ wireguardIFName ];
-
- networks."90-${wireguardIFName}" = with interfaces.wireguard0; {
- matchConfig.Name = wireguardIFName;
- address = [
- "${IPv4.address}/16"
- "${IPv6.address}/64"
- ];
- DHCP = "no";
- networkConfig = {
- IPForward = true;
- IPMasquerade = "both";
- DNS = interfaces.main'.IPv4.dns ++ interfaces.main'.IPv6.dns;
- };
- };
-
- netdevs."90-${wireguardIFName}" = {
- netdevConfig = {
- Name = wireguardIFName;
- Kind = "wireguard";
- };
- wireguardConfig = {
- PrivateKeyFile = "/srv/wireguard/private";
- ListenPort = wireguardPort;
- };
- wireguardPeers = [
- {
- wireguardPeerConfig = with wireguardPeers.ataraxia; {
- PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
- PresharedKeyFile = "/srv/wireguard/ataraxia/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.hypervisor; {
- PublicKey = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o=";
- PresharedKeyFile = "/srv/wireguard/hypervisor/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.mikrotik; {
- PublicKey = "amReLTZgu6pwtKCnk1q8EG5uZSgUNxRoh5m3w1D3rQo=";
- PresharedKeyFile = "/srv/wireguard/mikrotik/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.poco; {
- PublicKey = "ZbBJziuMjyHJNcgrLYIQtio7l3fEOJ4GXW4ST+N9V34=";
- PresharedKeyFile = "/srv/wireguard/poco/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.kpoxa; {
- PublicKey = "U1wtbS8/yQGkBnBQUZs7KxxmvAajKb9jh83dDd2LdgE=";
- PresharedKeyFile = "/srv/wireguard/kpoxa/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.kpoxa2; {
- PublicKey = "ghU3Puwz5PeXmnDlxyh+IeuwFK44V3rXlMiFGs5YnwI=";
- PresharedKeyFile = "/srv/wireguard/kpoxa2/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.faysss; {
- PublicKey = "JLvKyFwI7b9MsiZsnNAt3qs5ob18b3mrOZKR5HZCORY=";
- PresharedKeyFile = "/srv/wireguard/faysss/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.faysss2; {
- PublicKey = "S6k9l0K5/YmO5BPETQludC1CBHsKLsk9+n6kwSjx4n8=";
- PresharedKeyFile = "/srv/wireguard/faysss2/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.faysss3; {
- PublicKey = "ka42gE67gShu88Ko7iQ/pK8zusod6bNIrIN8fkxVkC4=";
- PresharedKeyFile = "/srv/wireguard/faysss3/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.doste; {
- PublicKey = "KVbEaO4DSpTb941zxOPQLWq2Glm9CDgK/9MwW95WuC0=";
- PresharedKeyFile = "/srv/wireguard/doste/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.dell; {
- PublicKey = "//ss9UEHRFEZL4LbZaA1HiRUrMrn97kc7CmblUORXTc=";
- PresharedKeyFile = "/srv/wireguard/dell/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.hypervisor-dns; {
- PublicKey = "x4uavQEEfhdqNC4FCOPfKlEDRJiwOz4dy2W1KhJtnwc=";
- PresharedKeyFile = "/srv/wireguard/hypervisor-dns/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- ];
- };
- };
-}
diff --git a/machines/Suomi-VPS/services/xtls.nix b/machines/Suomi-VPS/services/xtls.nix
deleted file mode 100644
index 4f8e8027..00000000
--- a/machines/Suomi-VPS/services/xtls.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ config, pkgs, lib, inputs, ... }:
-let
- cert-key = config.sops.secrets."cert.key".path;
- cert-pem = config.sops.secrets."cert.pem".path;
- nginx-conf = config.sops.secrets."nginx.conf".path;
- marzban-env = config.sops.secrets.marzban.path;
-in {
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- sops.secrets = let
- nginx = {
- sopsFile = inputs.self.secretsDir + /suomi-vps/nginx.yaml;
- restartUnits = [ "podman-nginx.service" ];
- };
- marzban = {
- format = "dotenv";
- sopsFile = inputs.self.secretsDir + /suomi-vps/marzban.env;
- restartUnits = [ "podman-marzban.service" ];
- };
- in {
- "cert.key" = nginx;
- "cert.pem" = nginx;
- "nginx.conf" = nginx;
- marzban = marzban;
- };
-
- virtualisation.oci-containers.containers = {
- nextcloud = {
- autoStart = true;
- image = "docker.io/nextcloud:stable";
- ports = [ "9765:80" ];
- volumes = [
- "/srv/nextcloud/html:/var/www/html"
- "/srv/nextcloud/config:/var/www/html/config"
- "/srv/nextcloud/data:/var/www/html/data"
- ];
- };
- marzban = {
- autoStart = true;
- image = "ghcr.io/gozargah/marzban:v0.4.1";
- environmentFiles = [ marzban-env ];
- extraOptions = [ "--network=host" ];
- volumes = [
- "/srv/marzban:/var/lib/marzban"
- ];
- };
- nginx = {
- autoStart = true;
- image = "docker.io/nginx:latest";
- extraOptions = [ "--network=host" ];
- volumes = [
- "${cert-key}:/etc/ssl/certs/cert.key:ro"
- "${cert-pem}:/etc/ssl/certs/cert.pem:ro"
- "${nginx-conf}:/etc/nginx/nginx.conf:ro"
- ];
- };
- };
-
- systemd.tmpfiles.rules = [
- "d /srv/marzban 0755 root root -"
- "d /srv/nextcloud/html 0755 33 33 -"
- "d /srv/nextcloud/config 0755 33 33 -"
- "d /srv/nextcloud/data 0755 33 33 -"
- ];
-}
\ No newline at end of file
diff --git a/machines/Suomi-VPS/system b/machines/Suomi-VPS/system
deleted file mode 100644
index ab65297e..00000000
--- a/machines/Suomi-VPS/system
+++ /dev/null
@@ -1 +0,0 @@
-aarch64-linux
\ No newline at end of file