BeiNacht/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vps-2024-05-31-13-02-21

Browse Source
This commit is contained in:
Alexander Szczepanski
2024-05-31 13:02:21 +02:00
parent 5aa1fedfaf
commit 315784fc98
5 changed files with 255 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
configs/common.nix
View File

@ -16,30 +16,50 @@ in {
openFirewall = true; openFirewall = true;
extraConfig = "StreamLocalBindUnlink yes"; extraConfig = "StreamLocalBindUnlink yes";
}; };
nextdns = { # nextdns = {
# enable = true;
# arguments = [
# "-config"
# secrets.nextdnshash
# "-cache-size"
# "10MB"
# "-listen"
# "127.0.0.1:53"
# "-report-client-info"
# ];
# };
dnscrypt-proxy2 = {
enable = true; enable = true;
arguments = [ settings = {
"-config" ipv6_servers = true;
secrets.nextdnshash require_dnssec = true;
"-cache-size"
"10MB" sources.public-resolvers = {
"-listen" urls = [
"127.0.0.1:53" "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"-report-client-info" "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
]; ];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
}; };
fwupd.enable = true;
# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
# server_names = [ ... ];
};
};
journald = { extraConfig = "SystemMaxUse=500M"; }; journald = { extraConfig = "SystemMaxUse=500M"; };
}; };
networking = { networking = {
nameservers = [ "127.0.0.1" "::1" ]; nameservers = [ "127.0.0.1" "::1" ];
hosts = { # hosts = {
"207.180.220.97" = [ "szczepan.ski" ]; # "207.180.220.97" = [ "szczepan.ski" ];
"10.100.0.1" = [ "vps.wg" ]; # "10.100.0.1" = [ "vps.wg" ];
"10.100.0.2" = [ "desktop.wg" ]; # "10.100.0.2" = [ "desktop.wg" ];
"10.100.0.3" = [ "mini.wg" ]; # "10.100.0.3" = [ "mini.wg" ];
}; # };
# If using dhcpcd: # If using dhcpcd:
dhcpcd.extraConfig = "nohook resolv.conf"; dhcpcd.extraConfig = "nohook resolv.conf";
# If using NetworkManager: # If using NetworkManager:
@ -53,6 +73,7 @@ in {
btrfs-progs btrfs-progs
cargo cargo
dog dog
doggo # DNS Resolver
du-dust du-dust
duf duf
gnupg gnupg
@ -82,8 +103,6 @@ in {
wget wget
]; ];
documentation.enable = false;
nix.settings = { auto-optimise-store = true; }; nix.settings = { auto-optimise-store = true; };
boot = { boot = {
@ -96,6 +115,6 @@ in {
nix.gc = { nix.gc = {
automatic = true; automatic = true;
dates = "weekly"; dates = "weekly";
options = "--delete-older-than 30d"; options = "--delete-older-than 14d";
}; };
} }

1
configs/docker.nix
View File

@ -12,7 +12,6 @@
docker-compose docker-compose
lazydocker lazydocker
minikube minikube
lazydocker
dive dive
]; ];
} }

6
configs/hardware.nix Normal file
View File

@ -0,0 +1,6 @@
{ config, pkgs, lib, ... }:
{
services = {
fwupd.enable = true;
};
}

124
home/bin/wg Executable file
View File

@ -0,0 +1,124 @@
#!/usr/bin/env zsh
PEERFILE=/home/alex/.wgpeers
WGCOMMAND="wg"
# Make sure peer file exists
if [[ ! -f "$PEERFILE" ]]; then
touch "$PEERFILE" 2>/dev/null
if [[ "$?" != "0" ]]; then
echo "Peer file $PEERFILE is not accesible by your user"
exit 0
fi
fi
function updatePeerFile() {
local NEWPEERS=()
# Loop config, extract peers, check peers file, add if not present
while read LINE ; do
# Check if its a peer line
if [[ $LINE == *"peer"* ]]; then
# Isolate peer public key, cut peer: (hardcoded)
PEERPK=$(printf '%s' "$LINE" | cut -c7-)
# See if we can find peer in peers file
PEERCOUNT=$(grep $PEERPK "$PEERFILE" | wc -l)
if [[ $PEERCOUNT -eq 0 ]]; then
# Peer not found in peers file, add for later processing
NEWPEERS+=("$PEERPK")
fi
fi
done <<< $("$WGCOMMAND")
for PEERPK in "${NEWPEERS[@]}"; do
echo -n "Enter friendly name for peer "
tput setaf 7; tput bold
echo -n $PEERPK
tput setaf 9; tput sgr0
read -r -p " : " PEERNAME
if [[ "$PEERNAME" == "" ]]; then
PEERNAME="Unnamed peer"
fi
echo "$PEERPK:$PEERNAME" >> "$PEERFILE"
done
}
function showConfiguration() {
# Determine if we are using rich (colorful) output or not
local RICHOUTPUT=1;
if [[ ! -t 1 ]]; then
RICHOUTPUT=0
fi
# Run wg through script to preserve color coding
script --flush --quiet /dev/null --command "$WGCOMMAND" | while read LINE ; do
# Check if its a peer line
if [[ $LINE == *"peer"* ]]; then
# Isolate peer public key, cut peer: (incl colors) hardcoded, then cut until first ESC character
PEERPK=$(printf '%s' "$LINE" | cut -c25- | cut -d $(echo -e '\033') -f1)
# Output peer line
echoLine "$LINE" $RICHOUTPUT 1
# See if we can find peer in peers file
PEER=$(grep $PEERPK "$PEERFILE" | cut -d ':' -f2)
# If we found a friendly name, print that
if [[ "$PEER" != "" ]]; then
# Pretty print friendly name
echoLine "$(printf '%s' "$(tput bold)$(tput setaf 7) friendly name$(tput setaf 9)$(tput sgr0)")" $RICHOUTPUT 0
echoLine "$(printf '%s' ": $PEER")" $RICHOUTPUT 1
fi
else
# Non-peer line, just output, but remember indentation
if [[ "$LINE" == *"interface"* ]]; then
echoLine "$LINE" $RICHOUTPUT 1
else
echoLine " $LINE" $RICHOUTPUT 1
fi
fi
done
}
# $1: text, $2 richoutput, $3 print linebreak
function echoLine() {
# Strip any newline characters
local OUTPUTLINE=$(printf '%s' "$1" | sed '$ s/\[\r\n]$//')
# If not rich output, strip ANSI control codes
if [[ $2 -eq 0 ]]; then
OUTPUTLINE=$(printf '%s' "$OUTPUTLINE" | sed 's/\x1b\[[0-9]\{0,\}m\{0,1\}\x0f\{0,1\}//g')
fi
# Handle newline printing
if [[ $3 -eq 0 ]]; then
printf '%s' "$OUTPUTLINE"
else
printf '%s\r\n' "$OUTPUTLINE"
fi
}
# What are we doing?
if [[ $# -gt 0 ]]; then
while getopts :u OPTION; do
case ${OPTION} in
u) updatePeerFile
exit
;;
esac
done
echo Usage: wgg.sh [-u]
echo -e " -u\tAdd missing peers to $PEERFILE"
echo ""
echo If no arguments are given, shows wg configuration with friendly peernames added
else
# Show the peer-enriched configuration overview
showConfiguration
fi

90
machine/vps.nix
View File

@ -6,7 +6,10 @@ let
in in
{ {
imports = imports =
[ /etc/nixos/hardware-configuration.nix ../configs/common-server.nix ]; [
/etc/nixos/hardware-configuration.nix
../configs/common-server.nix
];
boot.loader.grub = { boot.loader.grub = {
enable = true; enable = true;
@ -22,6 +25,10 @@ in
# "address" = "gw.contabo.net"; # "address" = "gw.contabo.net";
# "interface" = "ens18"; # "interface" = "ens18";
# }; # };
defaultGateway6 = {
address = "fe80::1";
interface = "ens18";
};
interfaces.ens18 = { interfaces.ens18 = {
useDHCP = true; useDHCP = true;
# ipv4.addresses = [ { # ipv4.addresses = [ {
@ -107,10 +114,12 @@ in
allowPing = true; allowPing = true;
allowedTCPPorts = [ allowedTCPPorts = [
80 # web 80 # web
222 # SSH for gitea
443 # web 443 # web
9898 # i2p 9898 # i2p
9899 9899
18080 18080
21114 #Rustdesk
21115 #Rustdesk 21115 #Rustdesk
21116 #Rustdesk 21116 #Rustdesk
21117 #Rustdesk 21117 #Rustdesk
@ -121,6 +130,7 @@ in
allowedUDPPorts = [ allowedUDPPorts = [
80 # web 80 # web
443 # web 443 # web
3478 # headscale
9898 # i2p 9898 # i2p
21116 # Rustdesk 21116 # Rustdesk
51820 # wireguard 51820 # wireguard
@ -147,15 +157,19 @@ in
nyx nyx
mkp224o mkp224o
progress progress
headscale
]; ];
programs = { programs = {
mtr.enable = true; mtr.enable = true;
fuse.userAllowOther = true; fuse.userAllowOther = true;
nix-ld.enable = true;
}; };
security.acme.defaults.email = "webmaster@szczepan.ski"; security.acme = {
security.acme.acceptTerms = true; defaults.email = "webmaster@szczepan.ski";
acceptTerms = true;
};
services = { services = {
nginx = { nginx = {
@ -181,6 +195,11 @@ in
enableACME = true; enableACME = true;
globalRedirect = "alexander.szczepan.ski"; globalRedirect = "alexander.szczepan.ski";
}; };
"ipv6.szczepan.ski" = {
forceSSL = true;
enableACME = true;
globalRedirect = "alexander.szczepan.ski";
};
"alexander.szczepan.ski" = { "alexander.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -204,6 +223,11 @@ in
}; };
}; };
}; };
# "nextcloud.ipv6.szczepan.ski" = {
# forceSSL = true;
# enableACME = true;
# globalRedirect = "nextcloud.szczepan.ski";
# };
"firefly.szczepan.ski" = { "firefly.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -244,11 +268,26 @@ in
enableACME = true; enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8091/"; }; }; locations = { "/" = { proxyPass = "http://127.0.0.1:8091/"; }; };
}; };
"git.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8084/"; }; };
};
"torrents.szczepan.ski" = { "torrents.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:9091/"; }; }; locations = { "/" = { proxyPass = "http://127.0.0.1:9091/"; }; };
}; };
"headscale.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8088/";
proxyWebsockets = true;
};
};
};
"syncthing.szczepan.ski" = { "syncthing.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -312,6 +351,31 @@ in
}; };
}; };
headscale = {
enable = true;
address = "127.0.0.1";
port = 8088;
# dns = { baseDomain = "example.com"; };
settings = {
logtail.enabled = false;
server_url = "https://headscale.szczepan.ski";
ip_prefixes = [
"100.64.0.0/10"
];
dns_config = {
base_domain = "szczepan.ski";
magic_dns = true;
domains = [ "headscale.szczepan.ski" ];
nameservers = [
"1.1.1.1"
"9.9.9.9"
];
};
};
};
tailscale.enable = true;
webdav = { webdav = {
enable = true; enable = true;
user = "alex"; user = "alex";
@ -353,7 +417,7 @@ in
}; };
i2pd = { i2pd = {
enable = true; enable = false;
ifname = "ens18"; ifname = "ens18";
address = "207.180.220.97"; address = "207.180.220.97";
# TCP & UDP # TCP & UDP
@ -412,7 +476,7 @@ in
}; };
icecast = { icecast = {
enable = true; enable = false;
hostname = "254ryojirydttsaealusydhwyjfe2rpschdaduok4czhg45of6ua.b32.i2p"; hostname = "254ryojirydttsaealusydhwyjfe2rpschdaduok4czhg45of6ua.b32.i2p";
listen = { listen = {
port = 13337; port = 13337;
@ -514,6 +578,7 @@ in
}; };
extraPruneArgs = "--save-space --stats"; extraPruneArgs = "--save-space --stats";
exclude = [ exclude = [
"/home/alex/storage"
"/home/alex/storagebox" "/home/alex/storagebox"
"/home/alex/docker/jellyfin/data" "/home/alex/docker/jellyfin/data"
"/home/alex/.cache" "/home/alex/.cache"
@ -536,8 +601,21 @@ in
}; };
systemd.services = {
# Limit stack size to reduce memory usage # Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024; fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
goaccess = {
description = "GoAccess real-time web log analysis";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess - -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"";
# serviceConfig = {
# ExecStart = "${pkgs.bash}/bin/bash -c "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"'";
# # ExecStop = "/bin/kill -9 ${MAINPID}";
# };
};
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }