diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..93d64e3
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
+keys:
+ - &snuff age1w4hw2ntxrtfqhht63s9lf7nhjxjmdcc927hndn5ygcqqj532qssq4m2m6p
+ - &yukkop age1r25zdeqq8nac6dgca9en28r57ffyz9u9d8z5yc25gc8xqz747vaqmdtk0h
+ - &bfs-server age15yzgmsvl3ku2w863h6gw2vpmw37m9aruv6xrj4fue6n2jpm7pyuqk9xjmj
+
+creation_rules:
+ - path_regex: sus/home.xray.yaml$
+ key_groups:
+ - age:
+ - *yukkop
+
+ - path_regex: sus/bfs.xray.yaml$
+ key_groups:
+ - age:
+ - *snuff
+ - *yukkop
+ - *bfs-server
diff --git a/flake.lock b/flake.lock
index 207721c..75595b9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -736,7 +736,8 @@
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
 "nixvim": "nixvim",
- "rust-overlay": "rust-overlay"
+ "rust-overlay": "rust-overlay",
+ "sops-nix": "sops-nix"
 }
 },
 "rust-overlay": {
@@ -759,6 +760,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1764483358,
+ "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index f10524d..15d7023 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,6 +38,10 @@
 url = "github:nix-community/nixos-anywhere";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
 outputs = {
diff --git a/nixos/module/hectic/hardware/geo-hosting.nix b/nixos/module/hectic/hardware/geo-hosting.nix
new file mode 100644
index 0000000..d6c8aa9
--- /dev/null
+++ b/nixos/module/hectic/hardware/geo-hosting.nix
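Review bot: The three `keys` anchors are bare age public keys with nothing saying which person or host each belongs to, which makes a later key rotation or `sops updatekeys` run error-prone; presumably `bfs-server` is the age identity derived from the xray host's `/etc/ssh/ssh_host_ed25519_key`, since that is what `xray.nix` configures in `sops.age.sshKeyPaths`. A comment above each anchor would pin that down, e.g. `# bfs-server: age recipient of the xray host's SSH host key; re-encrypt (sops updatekeys) after a reinstall or host-key rotation`. It is also worth a one-line comment that `sus/home.xray.yaml` is deliberately readable only by `yukkop` and therefore cannot be decrypted by any host at activation time, if that is the intent.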
@@ -0,0 +1,102 @@
+{
+ inputs,
+ flake,
+ self,
+}:
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.hectic.hardware.geo-hosting;
+in {
+ options.hectic.hardware.geo-hosting = {
+ enable = lib.mkEnableOption "Enable geo-hosting hardware configurations";
+ ipv4Gateway = lib.mkOption {
+ type = lib.types.strMatching "^([0-9]{1,3}\\.){3}[0-9]{1,3}$";
+ example = "188.243.124.1";
+ description = ''
+
+ '';
+ };
+ ipv4 = lib.mkOption {
+ type = lib.types.strMatching "^([0-9]{1,3}\\.){3}[0-9]{1,3}$";
+ example = "188.243.124.246";
+ description = ''
+
+ '';
+ };
+ device = lib.mkOption {
+ type = lib.types.str;
+ default = "/dev/vda";
+ example = "/dev/disk/by-uuid/f184a16b-6eca-41cb-b48a-ff37cdce1d79";
+ description = ''
+ boot device uuid
+ if it is null then will use "/dev/vda"
+ /dev/sva - default geo hosting device
+ !! But can changes on reboot if server have volumes
+ !! So use IDs
+ '';
+ };
+ networkMatchConfigName = lib.mkOption {
+ type = lib.types.strMatching "^(enp1s0|ens3)$";
+ example = "ens3";
+ description = ''
+ type of network conection
+
+ you can use `networkctl list` on server to know it
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.efi.canTouchEfiVariables = false;
+
+ boot.loader.grub = {
+ enable = true;
+ device = cfg.device;
+ efiSupport = false;
+ forceInstall = true;
+ };
+
+ disko.devices.disk.vda = {
+ device = cfg.device;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+
+
+ networking.useDHCP = false;
+ networking.interfaces.${cfg.networkMatchConfigName} = {
+ ipv4.addresses = [
+ { address = cfg.ipv4; prefixLength = 24; }
+ ];
+ };
+ networking.defaultGateway = cfg.ipv4Gateway;
+ networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+ };
+}
diff --git a/nixos/system/xray/xray.nix b/nixos/system/xray/xray.nix
index 0c9ef91..2e39e9d 100644
--- a/nixos/system/xray/xray.nix
+++ b/nixos/system/xray/xray.nix
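Review bot: `ipv4Gateway` and `ipv4` ship with an empty `description = '' '';`, and the `device` description contradicts the option it documents: the type is `lib.types.str` with a default, so it can never be null, and `/dev/sva` reads like a typo for `/dev/vda`. Suggested texts: `description = "IPv4 default gateway for the VM's public interface";`, `description = "Static public IPv4 address assigned to this VM";`, and for `device` something like "Boot/root disk; defaults to /dev/vda, but that name can change across reboots once extra volumes are attached, so prefer a stable /dev/disk/by-id path" (also `conection` → `connection` in the `networkMatchConfigName` description). Separately, the address is configured with a hard-coded `prefixLength = 24` while gateway and address are options; if the provider's subnet is ever not a /24 the default route silently breaks, so consider an `ipv4PrefixLength = lib.mkOption { type = lib.types.ints.between 0 32; default = 24; };` option and use it in place of the literal.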
@@ -11,54 +11,72 @@ }: let xrayPort = 10086; in { + # TODO: + # white list + # torent + # rate limit + # ping - game and speak + imports = [ self.nixosModules.hectic + inputs.sops-nix.nixosModules.sops ]; services.xray = { enable = true; - settings = { - "inbounds" = [ - { - "port" = xrayPort; - "protocol" = "vmess"; - "settings" = { - "clients" = [ - { - "id" = "04ad600a-0e94-4ba6-af93-74e03fd3f58d"; - } - ]; - }; - } - ]; - "log" = { - "loglevel" = "warning"; - }; - "outbounds" = [ - { - "protocol" = "freedom"; - } - ]; - }; + settingsFile = config.sops.secrets."config".path; }; users.users.root.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPChQvpyOrPjRjp8pS5Yw+oJVmywDzefzZCXh1d44EY'' - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP3HjFoJNGHqHoEw9XLzh766QWknfaN07GGi8lsC2Tv'' + ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOn1KflaIX1RU9YS/qLb0GInmndYxx2vTLZC9OA+eXZl'' ]; + boot.loader.grub.device = "/dev/vda"; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "xen_blkfront" + ] ++ (if pkgs.system != "aarch64-linux" then [ "vmw_pvscsi" ] else []); + boot.initrd.kernelModules = ["nvme"]; + + disko.devices = { + disk.vda = { + device = lib.mkDefault "/dev/vda"; + content = { + type = "table"; + format = "msdos"; + partitions = [ + { + name = "root"; + part-type = "primary"; + fs-type = "ext4"; + bootable = true; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + } + ]; + }; + }; + }; + hectic = { archetype.base.enable = true; archetype.dev.enable = true; - hardware.hetzner-cloud = { - enable = true; - networkMatchConfigName = "enp1s0"; - ipv4 = "77.42.45.173"; - ipv6 = "2a01:4f9:c013:7230"; - }; }; + sops = { + gnupg.sshKeyPaths = [ ]; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = ../../../sus/bfs.xray.yaml; + + secrets."config" = {}; + }; + + networking.firewall = { enable = true; allowedTCPPorts = [ 
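Review bot: `secrets."config" = {};` leaves the decrypted xray configuration at sops-nix's default ownership (root:root, mode 0400), while the upstream `services.xray` module, as far as I recall, runs the daemon under `DynamicUser`, so the unit may be unable to open `config.sops.secrets."config".path` at all; please verify on the host (unit status/journal) before relying on it. If that is the case, prefer giving the secret an owner/group the service actually runs as, or handing it to the unit through systemd's `LoadCredential`, rather than relaxing `mode` to world-readable, since this file now carries the client UUIDs the commit rightly moves out of the world-readable Nix store. The disko layout is also declared inline with `type = "table"`, which I believe disko has deprecated in favour of `gpt`, instead of enabling the new `hectic.hardware.geo-hosting` module this same commit introduces; if that is intentional a short comment saying why would save the next reader a detour. The `networking.firewall` block continues past the end of the hunk.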
diff --git a/sus/bfs.xray.yaml b/sus/bfs.xray.yaml
new file mode 100644
index 0000000..7a25386
--- /dev/null
+++ b/sus/bfs.xray.yaml
@@ -0,0 +1,34 @@
+config: ENC[AES256_GCM,data:IL0jhVCw2YcZW/LkOrKXYrVAzq6jC65gAzOhfD8P8DL8GKQUHY/GlzJBNw+Vnk+EO8vYdcwpjWou+lhyL9aG7HKqK4rVo8nhxVyCmcaoAPjz4gmHer0teAloI5xCtifbDzzE4VAvpxmZbMPg6d5kSV3elqIFzCBVSsM1KM7ku/0+NEm2VuJuZEsta5UqHDGAPPBqy1TkQXDtabyLfP4q4GimKBI4t7uusE0oMRB5WuSljTpW9eBd5pRrKBZZ+oFDn5Lx2GK4DpVX92VKtbEWewRpcU3/2KhSXSc+Nx+Vw0ULc1P1AMtl8v8SBbYLZZF9Ebsl2/XTRvEZO+HuZ4op2zTrLTElFBx4UKoq4tJGru6XeEKRECgIi7jPq0e1NmY+jyjTa8xyUCG2h//+jffMFCvOvN1xy/NYALnaf6dl+NfCYIlRYuPXEA==,iv:v8AKjCMUDcCBDkbp2AxQddTCPmIXpTkgecO5PPQ1Ljs=,tag:fbrMrlRc7tsTr6pppeHbuA==,type:str]
+sops:
+ age:
+ - recipient: age1w4hw2ntxrtfqhht63s9lf7nhjxjmdcc927hndn5ygcqqj532qssq4m2m6p
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWEhFQ3JlTS9wT3U4RjNq
+ OFRkQ21pR0xobHF5OGFzWGpJdFBLYkp1dEdvCmcvQnVySWxCWm5VSWwvNS91UzBI
+ N2lJNHdiODd2c1U2cEd4cnhzeSs4YXMKLS0tIFpHUTVjT0hHelYwc2ZrK25MZVJF
+ TG55eWlWOE04UmFsd09tWWR3cWpVQTQKPEyBrE8ml16SAmDsB2quA2BqB4dUb19l
+ wrv2raWhqTyQ+C6YbF4Xysa6lT8FA05As+9ssJ6a4arw6wcRYHQ67g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1r25zdeqq8nac6dgca9en28r57ffyz9u9d8z5yc25gc8xqz747vaqmdtk0h
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyd0hmNFRVVzZOa3gwZE95
+ RHA3dHpPbEd0KzAySlU0YnF4dlVZdGppNTMwCjlHR3d1Y1ltMmphUk5kYnYzd0Y2
+ SXhKa21abXBobTdpUUJPUmtaMGEyTE0KLS0tIE5yWm5Odk1GSnRKRWFvSy9vMXBq
+ WnpMcHpta0FXTHIyY20rTVhBdmFFa3MKYNK6hE369CE7ZCeCJouC3glK9Me/T4Ft
+ QHlNAFR65t9sx1EBjWKwkeM+PFVqifRitC9MbdTzSm1hRyXfQhtQEg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15yzgmsvl3ku2w863h6gw2vpmw37m9aruv6xrj4fue6n2jpm7pyuqk9xjmj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZEQ1UG1EckFSRHpkbjRC
+ QTFrVWZDOTk0KzFmOGVWSFY3WTRhTy9pb0dzCkRoc1lwR3plZ1lvdTZGdmZkUlp0
+ NTB6cDEyaGZ4bGVBZVFtanQ2a2QrTzgKLS0tIEYrQUpJejZ4QkRKWWRGL2VXZTh1
+ dFh2anpQTTBpVDdCd3hIYmJLMmpVM0kKvuWuryBpHTpsn9eq6MosafVH0m2KTmql
+ xzxUibPr2BmeR4QAB+pYLqTBH1+N9atGYdLe5qe7GqEmcjq8IfJnBw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-05T00:29:42Z"
+ mac: ENC[AES256_GCM,data:7Aq8HPrJNohcjvIp6FZdNVtjXIg4tviJ7dLXO4NQo5H70l35el1+PusKX+tTjaSx4lVNlosDVQAhT44k8giKkiOivt0Uonn5c8MPSwVB+MOT6kLTwdDIG0mvW8vEl7EXVMNgI2gK1FPGpBEIgK5kJ0wmyM4fwVyfQfJMQqwZhk4=,iv:cpEA6krRGT3tAgT8PqF2wh9zYQ59Bpls3iYZpguRHjI=,tag:izeoirVSJ5phVDJ+xPuePA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2