chore: devide xrays systems

2026-05-23 18:27:02 +00:00
parent bce720fcff
commit fb6ee3cb54
8 changed files with 197 additions and 130 deletions
--- a/nixos/module/generic/xray-system.nix
+++ b/nixos/module/generic/xray-system.nix
@@ -0,0 +1,101 @@
+{
+  inputs,
+  flake,
+  self,
+}: {
+  lib,
+  pkgs,
+  modulesPath,
+  config,
+  ...
+}: let
+  cfg = config.hectic.generic.xray-system;
+  xrayPort = 10086;
+in {
+  imports = [
+    self.nixosModules.hectic
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  options.hectic.generic.xray-system = {
+    enable = lib.mkEnableOption "generic xray VPN server system configuration";
+
+    defaultSopsFile = lib.mkOption {
+      type        = lib.types.path;
+      description = ''
+        SOPS-encrypted secrets file used as `sops.defaultSopsFile`.
+        Must define the `config` and `init-postgresql` secrets.
+      '';
+      example     = lib.literalExpression "../../../sus/bfs.xray.yaml";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.xray = {
+      enable       = true;
+      settingsFile = config.sops.secrets."config".path;
+    };
+
+    users.users.root.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOn1KflaIX1RU9YS/qLb0GInmndYxx2vTLZC9OA+eXZl''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKPbIJATVyAw7F7vBZbHkCODXFo5gvDyqhuU0gnNUNH''
+    ];
+
+    boot.initrd.availableKernelModules = [
+      "ata_piix"
+      "uhci_hcd"
+      "xen_blkfront"
+    ] ++ (if pkgs.stdenv.hostPlatform.system != "aarch64-linux" then [ "vmw_pvscsi" ] else []);
+    boot.initrd.kernelModules = ["nvme"];
+
+    disko.devices = {
+      disk.vda = {
+        device  = lib.mkDefault "/dev/vda";
+        content = {
+          type       = "gpt";
+          partitions = {
+            boot = {
+              size     = "1M";
+              type     = "EF02";
+              priority = 1;
+            };
+            root = {
+              size    = "100%";
+              content = {
+                type       = "filesystem";
+                format     = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    hectic = {
+      archetype.base.enable = true;
+      archetype.dev.enable  = true;
+    };
+
+    sops = {
+      gnupg.sshKeyPaths = [ ];
+      age.sshKeyPaths   = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      defaultSopsFile   = cfg.defaultSopsFile;
+
+      secrets."config"          = {};
+      secrets."init-postgresql" = {};
+    };
+
+    networking.firewall = {
+      enable          = true;
+      allowedTCPPorts = [
+        xrayPort 8443
+        80 443 # for acme
+      ];
+    };
+
+    environment.systemPackages = with pkgs; [
+      xray
+    ];
+  };
+}