chore: devide xrays systems

2026-05-23 18:27:02 +00:00
parent bce720fcff
commit fb6ee3cb54
8 changed files with 197 additions and 130 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -98,7 +98,8 @@
    nixosConfigurations = {
      # NOTE(yukkop): in bfs one of dependencies is shadow-4.17.4 that
      # unsupported on aarch64-darwin
-      "bfs|x86_64-linux"        = import ./nixos/system/bfs        { inherit flake self inputs; system = "x86_64-linux"; };
+      "bfs.netherland.xray|x86_64-linux" = import ./nixos/system/bfs.netherland.xray { inherit flake self inputs; system = "x86_64-linux"; };
+      "bfs.poland.xray|x86_64-linux"     = import ./nixos/system/bfs.poland.xray     { inherit flake self inputs; system = "x86_64-linux"; };
      # FIXME(yukkop): some why I cannot merge nixosConfigurations from `forAllSystemsWithPkgs` with this 
      "neuro|x86_64-linux"     = import ./nixos/system/neuro       { inherit flake self inputs; system = "x86_64-linux"; };
      "games|x86_64-linux"     = import ./nixos/system/games       { inherit flake self inputs; system = "x86_64-linux"; };
--- a/nixos/module/generic/xray-system.nix
+++ b/nixos/module/generic/xray-system.nix
@@ -0,0 +1,101 @@
+{
+  inputs,
+  flake,
+  self,
+}: {
+  lib,
+  pkgs,
+  modulesPath,
+  config,
+  ...
+}: let
+  cfg = config.hectic.generic.xray-system;
+  xrayPort = 10086;
+in {
+  imports = [
+    self.nixosModules.hectic
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  options.hectic.generic.xray-system = {
+    enable = lib.mkEnableOption "generic xray VPN server system configuration";
+
+    defaultSopsFile = lib.mkOption {
+      type        = lib.types.path;
+      description = ''
+        SOPS-encrypted secrets file used as `sops.defaultSopsFile`.
+        Must define the `config` and `init-postgresql` secrets.
+      '';
+      example     = lib.literalExpression "../../../sus/bfs.xray.yaml";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.xray = {
+      enable       = true;
+      settingsFile = config.sops.secrets."config".path;
+    };
+
+    users.users.root.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOn1KflaIX1RU9YS/qLb0GInmndYxx2vTLZC9OA+eXZl''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKPbIJATVyAw7F7vBZbHkCODXFo5gvDyqhuU0gnNUNH''
+    ];
+
+    boot.initrd.availableKernelModules = [
+      "ata_piix"
+      "uhci_hcd"
+      "xen_blkfront"
+    ] ++ (if pkgs.stdenv.hostPlatform.system != "aarch64-linux" then [ "vmw_pvscsi" ] else []);
+    boot.initrd.kernelModules = ["nvme"];
+
+    disko.devices = {
+      disk.vda = {
+        device  = lib.mkDefault "/dev/vda";
+        content = {
+          type       = "gpt";
+          partitions = {
+            boot = {
+              size     = "1M";
+              type     = "EF02";
+              priority = 1;
+            };
+            root = {
+              size    = "100%";
+              content = {
+                type       = "filesystem";
+                format     = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    hectic = {
+      archetype.base.enable = true;
+      archetype.dev.enable  = true;
+    };
+
+    sops = {
+      gnupg.sshKeyPaths = [ ];
+      age.sshKeyPaths   = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      defaultSopsFile   = cfg.defaultSopsFile;
+
+      secrets."config"          = {};
+      secrets."init-postgresql" = {};
+    };
+
+    networking.firewall = {
+      enable          = true;
+      allowedTCPPorts = [
+        xrayPort 8443
+        80 443 # for acme
+      ];
+    };
+
+    environment.systemPackages = with pkgs; [
+      xray
+    ];
+  };
+}
--- a/nixos/system/bfs.netherland.xray/bfs.netherland.xray.nix
+++ b/nixos/system/bfs.netherland.xray/bfs.netherland.xray.nix
@@ -0,0 +1,26 @@
+{
+  inputs,
+  flake,
+  self,
+}: {
+  lib,
+  pkgs,
+  modulesPath,
+  config,
+  ...
+}: {
+  # TODO:
+  # white list
+  # torent
+  # rate limit
+  # ping - game and speak
+
+  imports = [
+    self.nixosModules.xray-system
+  ];
+
+  hectic.generic.xray-system = {
+    enable          = true;
+    defaultSopsFile = ../../../sus/bfs.xray.yaml;
+  };
+}
--- a/nixos/system/bfs.netherland.xray/default.nix
+++ b/nixos/system/bfs.netherland.xray/default.nix
@@ -0,0 +1,21 @@
+{
+  flake,
+  self,
+  inputs,
+  system,
+  ...
+}: let
+  # Use folder name as name of this system; sanitize for hostName (no dots)
+  name     = builtins.baseNameOf ./.;
+  hostName = builtins.replaceStrings ["."] ["-"] name;
+
+in self.lib.nixpkgs-lib.nixosSystem {
+  pkgs = import inputs.nixpkgs {
+    inherit system;
+    overlays = [ self.overlays.default ];
+  };
+  modules = [
+    { networking.hostName = hostName; }
+    (import ./${name}.nix { inherit flake self inputs; })
+  ];
+}
--- a/nixos/system/bfs.poland.xray/bfs.poland.xray.nix
+++ b/nixos/system/bfs.poland.xray/bfs.poland.xray.nix
@@ -0,0 +1,26 @@
+{
+  inputs,
+  flake,
+  self,
+}: {
+  lib,
+  pkgs,
+  modulesPath,
+  config,
+  ...
+}: {
+  # TODO:
+  # white list
+  # torent
+  # rate limit
+  # ping - game and speak
+
+  imports = [
+    self.nixosModules.xray-system
+  ];
+
+  hectic.generic.xray-system = {
+    enable          = true;
+    defaultSopsFile = ../../../sus/bfs.xray.yaml;
+  };
+}
--- a/nixos/system/bfs.poland.xray/default.nix
+++ b/nixos/system/bfs.poland.xray/default.nix
@@ -0,0 +1,21 @@
+{
+  flake,
+  self,
+  inputs,
+  system,
+  ...
+}: let
+  # Use folder name as name of this system; sanitize for hostName (no dots)
+  name     = builtins.baseNameOf ./.;
+  hostName = builtins.replaceStrings ["."] ["-"] name;
+
+in self.lib.nixpkgs-lib.nixosSystem {
+  pkgs = import inputs.nixpkgs {
+    inherit system;
+    overlays = [ self.overlays.default ];
+  };
+  modules = [
+    { networking.hostName = hostName; }
+    (import ./${name}.nix { inherit flake self inputs; })
+  ];
+}
--- a/nixos/system/bfs/bfs.nix
+++ b/nixos/system/bfs/bfs.nix
@@ -1,109 +0,0 @@
-{
-  inputs,
-  flake,
-  self,
-}: {
-  lib,
-  pkgs,
-  modulesPath,
-  config,
-  ...
-}: let
-  xrayPort = 10086;
-in {
-  # TODO:
-  # white list
-  # torent
-  # rate limit
-  # ping - game and speak
- 
-  imports = [
-    self.nixosModules.hectic
-    inputs.sops-nix.nixosModules.sops
-  ];
-
-  #hectic.services.matrix = {
-  #  enable           = true;
-  #  secretsFile      = config.sops.secrets."matrix/secrets".path;
-  #  turnSecretFile   = config.sops.secrets."matrix/turn-secret".path;
-  #  publicIp         = "188.137.254.58";
-  #  postgresql = {
-  #    port           = 5432;
-  #    initialEnvFile = config.sops.secrets."init-postgresql".path;
-  #  };
-  #  matrixDomain     = "accord.tube";
-  #};
-
-  services.xray = {
-    enable  = true;
-    settingsFile = config.sops.secrets."config".path;
-  };
-
-  users.users.root.openssh.authorizedKeys.keys = [
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOn1KflaIX1RU9YS/qLb0GInmndYxx2vTLZC9OA+eXZl''
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKPbIJATVyAw7F7vBZbHkCODXFo5gvDyqhuU0gnNUNH''
-  ];
-
-  boot.initrd.availableKernelModules = [
-    "ata_piix"
-    "uhci_hcd"
-    "xen_blkfront"
-  ] ++ (if pkgs.stdenv.hostPlatform.system != "aarch64-linux" then [ "vmw_pvscsi" ] else []);
-  boot.initrd.kernelModules = ["nvme"];
-
-  disko.devices = {
-    disk.vda = {
-      device = lib.mkDefault "/dev/vda";
-      content = {
-        type = "gpt";
-        partitions = {
-          boot = {
-            size     = "1M";
-            type     = "EF02";
-            priority = 1;
-          };
-          root = {
-            size    = "100%";
-            content = {
-              type       = "filesystem";
-              format     = "ext4";
-              mountpoint = "/";
-            };
-          };
-        };
-      };
-    };
-  };
-
-  hectic = {
-    archetype.base.enable = true;
-    archetype.dev.enable  = true;
-  };
-
-  sops = {
-    gnupg.sshKeyPaths         = [ ];
-    age.sshKeyPaths           = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    defaultSopsFile           = ../../../sus/bfs.xray.yaml;
-
-    secrets."config"              = {};
-    secrets."init-postgresql"     = {};
-    #secrets."matrix/secrets"      = {};
-    #secrets."matrix/turn-secret"  = {
-    #  owner = "turnserver";
-    #  group = "turnserver";
-    #  mode = "0400";
-    #};
-  };
-
-  networking.firewall = {
-    enable = true;
-    allowedTCPPorts = [
-      xrayPort 8443
-      80 443 # for acme
-    ];
-  };
-
-  environment.systemPackages = with pkgs; [
-    xray
-  ];
-}
--- a/nixos/system/bfs/default.nix
+++ b/nixos/system/bfs/default.nix
@@ -1,20 +0,0 @@
-{
-  flake,
-  self,
-  inputs,
-  system,
-  ...
-}: let
-  # Use folder name as name of this system
-  name = builtins.baseNameOf ./.;
-
-in self.lib.nixpkgs-lib.nixosSystem {
-  pkgs = import inputs.nixpkgs { 
-    inherit system;
-    overlays = [ self.overlays.default ];
-  };
-  modules = [
-    { networking.hostName = name; }
-    (import ./${name}.nix { inherit flake self inputs; })
-  ];
-}