feat(nixos): netherlands xray

2025-12-05 00:56:08 +00:00
parent 3e6bf6ce7f
commit 9d914ed863
6 changed files with 228 additions and 32 deletions

17
.sops.yaml Normal file

@@ -0,0 +1,17 @@
keys:
- &snuff age1w4hw2ntxrtfqhht63s9lf7nhjxjmdcc927hndn5ygcqqj532qssq4m2m6p
- &yukkop age1r25zdeqq8nac6dgca9en28r57ffyz9u9d8z5yc25gc8xqz747vaqmdtk0h
- &bfs-server age15yzgmsvl3ku2w863h6gw2vpmw37m9aruv6xrj4fue6n2jpm7pyuqk9xjmj
creation_rules:
- path_regex: sus/home.xray.yaml$
key_groups:
- age:
- *yukkop
- path_regex: sus/bfs.xray.yaml$
key_groups:
- age:
- *snuff
- *yukkop
- *bfs-server
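Review bot: Both `path_regex` values are unanchored at the start and use unescaped dots, so `sus/bfs.xray.yaml$` also matches paths such as `other/sus/bfsXxray.yaml`; tighten them to `^sus/bfs\.xray\.yaml$` and `^sus/home\.xray\.yaml$`. A strict pattern is the safer failure mode here, because sops refuses to encrypt a file that matches no creation rule, whereas a loose one can silently pick the wrong recipient set. The `home.xray.yaml` rule lists only `yukkop` and no host key, so no host can decrypt that file with its SSH host key via `age.sshKeyPaths`; if that is intended, a one-line comment such as `# operator-only secret, never deployed to a host` above the rule would make it explicit. As far as the diff shows, `sus/home.xray.yaml` itself is not part of this commit.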

23
flake.lock generated

@@ -736,7 +736,8 @@
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixvim": "nixvim", "nixvim": "nixvim",
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay",
"sops-nix": "sops-nix"
} }
}, },
"rust-overlay": { "rust-overlay": {
@@ -759,6 +760,26 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1764483358,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,


@@ -38,6 +38,10 @@
url = "github:nix-community/nixos-anywhere"; url = "github:nix-community/nixos-anywhere";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { outputs = {


@@ -0,0 +1,102 @@
{
inputs,
flake,
self,
}:
{
pkgs,
lib,
config,
...
}: let
cfg = config.hectic.hardware.geo-hosting;
in {
options.hectic.hardware.geo-hosting = {
enable = lib.mkEnableOption "Enable geo-hosting hardware configurations";
ipv4Gateway = lib.mkOption {
type = lib.types.strMatching "^([0-9]{1,3}\\.){3}[0-9]{1,3}$";
example = "188.243.124.1";
description = ''
'';
};
ipv4 = lib.mkOption {
type = lib.types.strMatching "^([0-9]{1,3}\\.){3}[0-9]{1,3}$";
example = "188.243.124.246";
description = ''
'';
};
device = lib.mkOption {
type = lib.types.str;
default = "/dev/vda";
example = "/dev/disk/by-uuid/f184a16b-6eca-41cb-b48a-ff37cdce1d79";
description = ''
boot device uuid
if it is null then will use "/dev/vda"
/dev/sva - default geo hosting device
!! But can changes on reboot if server have volumes
!! So use IDs
'';
};
networkMatchConfigName = lib.mkOption {
type = lib.types.strMatching "^(enp1s0|ens3)$";
example = "ens3";
description = ''
type of network conection
you can use `networkctl list` on server to know it
'';
};
};
config = lib.mkIf cfg.enable {
boot.loader.systemd-boot.enable = false;
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.grub = {
enable = true;
device = cfg.device;
efiSupport = false;
forceInstall = true;
};
disko.devices.disk.vda = {
device = cfg.device;
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
networking.useDHCP = false;
networking.interfaces.${cfg.networkMatchConfigName} = {
ipv4.addresses = [
{ address = cfg.ipv4; prefixLength = 24; }
];
};
networking.defaultGateway = cfg.ipv4Gateway;
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
};
}
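Review bot: The `device` option's description contradicts its definition: the type is `lib.types.str` with `default = "/dev/vda"`, so it can never be null, and `/dev/sva` looks like a typo for `/dev/vda`; the text should say the default is `/dev/vda` and recommend a `/dev/disk/by-id/...` path, without the null clause. The `ipv4Gateway` and `ipv4` options ship with empty `description` strings while `prefixLength = 24` is fixed below with no assertion that the gateway lies in that network; document it, e.g. `description = "Primary IPv4 address of the host; it is assigned with a fixed /24 prefix, so ipv4Gateway must be inside the same /24.";`. The `strMatching` pattern accepts octets above 255, so a malformed address is only caught when networking fails on the deployed host; a tighter regex (or a `check`) would fail at evaluation time instead. `networkMatchConfigName` is used as an interface name in `networking.interfaces.${...}`, not as a systemd-networkd match name, so the option name is misleading and its description should at least say it is the interface name.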


@@ -11,54 +11,72 @@
}: let }: let
xrayPort = 10086; xrayPort = 10086;
in { in {
# TODO:
# white list
# torent
# rate limit
# ping - game and speak
imports = [ imports = [
self.nixosModules.hectic self.nixosModules.hectic
inputs.sops-nix.nixosModules.sops
]; ];
services.xray = { services.xray = {
enable = true; enable = true;
settings = { settingsFile = config.sops.secrets."config".path;
"inbounds" = [
{
"port" = xrayPort;
"protocol" = "vmess";
"settings" = {
"clients" = [
{
"id" = "04ad600a-0e94-4ba6-af93-74e03fd3f58d";
}
];
};
}
];
"log" = {
"loglevel" = "warning";
};
"outbounds" = [
{
"protocol" = "freedom";
}
];
};
}; };
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPChQvpyOrPjRjp8pS5Yw+oJVmywDzefzZCXh1d44EY'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOn1KflaIX1RU9YS/qLb0GInmndYxx2vTLZC9OA+eXZl''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP3HjFoJNGHqHoEw9XLzh766QWknfaN07GGi8lsC2Tv''
]; ];
boot.loader.grub.device = "/dev/vda";
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
] ++ (if pkgs.system != "aarch64-linux" then [ "vmw_pvscsi" ] else []);
boot.initrd.kernelModules = ["nvme"];
disko.devices = {
disk.vda = {
device = lib.mkDefault "/dev/vda";
content = {
type = "table";
format = "msdos";
partitions = [
{
name = "root";
part-type = "primary";
fs-type = "ext4";
bootable = true;
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
}
];
};
};
};
hectic = { hectic = {
archetype.base.enable = true; archetype.base.enable = true;
archetype.dev.enable = true; archetype.dev.enable = true;
hardware.hetzner-cloud = {
enable = true;
networkMatchConfigName = "enp1s0";
ipv4 = "77.42.45.173";
ipv6 = "2a01:4f9:c013:7230";
};
}; };
sops = {
gnupg.sshKeyPaths = [ ];
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ../../../sus/bfs.xray.yaml;
secrets."config" = {};
};
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
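Review bot: `secrets."config" = {};` keeps the sops-nix defaults (owner root, mode 0400, no unit restarts), so a re-encrypted `sus/bfs.xray.yaml` will not restart xray on switch, and if the nixpkgs xray unit runs as a non-root or DynamicUser service — which I believe it does, worth checking — the path handed to `settingsFile` is unreadable by it at all; at minimum change it to `secrets."config".restartUnits = [ "xray.service" ];` and give the secret an owner or group the service can read rather than a world-readable mode. Since `settingsFile` now carries the whole xray configuration, `xrayPort = 10086;` in the `let` no longer governs the listening port and only feeds the firewall rule that continues past the end of the hunk; note that with `# must match the inbound port inside sus/bfs.xray.yaml` or the two will drift. The client id that the removed plaintext `settings` block carried stays in git history, so the encrypted config should not reuse it. The enclosing module starts before this hunk and `networking.firewall` continues after it.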

34
sus/bfs.xray.yaml Normal file

@@ -0,0 +1,34 @@
config: ENC[AES256_GCM,data:IL0jhVCw2YcZW/LkOrKXYrVAzq6jC65gAzOhfD8P8DL8GKQUHY/GlzJBNw+Vnk+EO8vYdcwpjWou+lhyL9aG7HKqK4rVo8nhxVyCmcaoAPjz4gmHer0teAloI5xCtifbDzzE4VAvpxmZbMPg6d5kSV3elqIFzCBVSsM1KM7ku/0+NEm2VuJuZEsta5UqHDGAPPBqy1TkQXDtabyLfP4q4GimKBI4t7uusE0oMRB5WuSljTpW9eBd5pRrKBZZ+oFDn5Lx2GK4DpVX92VKtbEWewRpcU3/2KhSXSc+Nx+Vw0ULc1P1AMtl8v8SBbYLZZF9Ebsl2/XTRvEZO+HuZ4op2zTrLTElFBx4UKoq4tJGru6XeEKRECgIi7jPq0e1NmY+jyjTa8xyUCG2h//+jffMFCvOvN1xy/NYALnaf6dl+NfCYIlRYuPXEA==,iv:v8AKjCMUDcCBDkbp2AxQddTCPmIXpTkgecO5PPQ1Ljs=,tag:fbrMrlRc7tsTr6pppeHbuA==,type:str]
sops:
age:
- recipient: age1w4hw2ntxrtfqhht63s9lf7nhjxjmdcc927hndn5ygcqqj532qssq4m2m6p
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWEhFQ3JlTS9wT3U4RjNq
OFRkQ21pR0xobHF5OGFzWGpJdFBLYkp1dEdvCmcvQnVySWxCWm5VSWwvNS91UzBI
N2lJNHdiODd2c1U2cEd4cnhzeSs4YXMKLS0tIFpHUTVjT0hHelYwc2ZrK25MZVJF
TG55eWlWOE04UmFsd09tWWR3cWpVQTQKPEyBrE8ml16SAmDsB2quA2BqB4dUb19l
wrv2raWhqTyQ+C6YbF4Xysa6lT8FA05As+9ssJ6a4arw6wcRYHQ67g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1r25zdeqq8nac6dgca9en28r57ffyz9u9d8z5yc25gc8xqz747vaqmdtk0h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyd0hmNFRVVzZOa3gwZE95
RHA3dHpPbEd0KzAySlU0YnF4dlVZdGppNTMwCjlHR3d1Y1ltMmphUk5kYnYzd0Y2
SXhKa21abXBobTdpUUJPUmtaMGEyTE0KLS0tIE5yWm5Odk1GSnRKRWFvSy9vMXBq
WnpMcHpta0FXTHIyY20rTVhBdmFFa3MKYNK6hE369CE7ZCeCJouC3glK9Me/T4Ft
QHlNAFR65t9sx1EBjWKwkeM+PFVqifRitC9MbdTzSm1hRyXfQhtQEg==
-----END AGE ENCRYPTED FILE-----
- recipient: age15yzgmsvl3ku2w863h6gw2vpmw37m9aruv6xrj4fue6n2jpm7pyuqk9xjmj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZEQ1UG1EckFSRHpkbjRC
QTFrVWZDOTk0KzFmOGVWSFY3WTRhTy9pb0dzCkRoc1lwR3plZ1lvdTZGdmZkUlp0
NTB6cDEyaGZ4bGVBZVFtanQ2a2QrTzgKLS0tIEYrQUpJejZ4QkRKWWRGL2VXZTh1
dFh2anpQTTBpVDdCd3hIYmJLMmpVM0kKvuWuryBpHTpsn9eq6MosafVH0m2KTmql
xzxUibPr2BmeR4QAB+pYLqTBH1+N9atGYdLe5qe7GqEmcjq8IfJnBw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-05T00:29:42Z"
mac: ENC[AES256_GCM,data:7Aq8HPrJNohcjvIp6FZdNVtjXIg4tviJ7dLXO4NQo5H70l35el1+PusKX+tTjaSx4lVNlosDVQAhT44k8giKkiOivt0Uonn5c8MPSwVB+MOT6kLTwdDIG0mvW8vEl7EXVMNgI2gK1FPGpBEIgK5kJ0wmyM4fwVyfQfJMQqwZhk4=,iv:cpEA6krRGT3tAgT8PqF2wh9zYQ59Bpls3iYZpguRHjI=,tag:izeoirVSJ5phVDJ+xPuePA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2