pub add

nixosConfigurations/default.nix

@@ -6,5 +6,7 @@
     otreca = import ./hosts/vds.nix flakeContext; # vds
     sapphira = import ./hosts/server.nix flakeContext; # sapphira
     wsl = import ./hosts/wsl.nix flakeContext; # wsl
+
+    pub-vds = import ./hosts/pub-vds.nix flakeContext;
   };
 }

nixosConfigurations/hosts/disko/pub-vds.nix

@@ -0,0 +1,33 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/vda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              type = "EF02";
+              size = "1M";
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+            swap = {
+              size = "256M";
+              content = {
+                type = "swap";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixosConfigurations/hosts/hardware/pub-vds.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
+  fileSystems = {
+    "/" = {
+      device = lib.mkForce "/dev/disk/by-partlabel/disk-main-root"; # "/dev/disk/by-partlabel/disk-main-root";
+      fsType = "ext4";
+    };
+  };
+
+  # swapDevices = [
+  #   { device = "/dev/disk/by-partlabel/disk-main-swap"; }
+  # ];
+
+  networking.useDHCP = lib.mkDefault true;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nixosConfigurations/hosts/hardware/vds.nix

@@ -6,10 +6,6 @@
   ...
 }:
 {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
   fileSystems = {
     "/" = {
       device = lib.mkForce "/dev/disk/by-partlabel/disk-main-root"; # "/dev/disk/by-partlabel/disk-main-root";
@@ -21,15 +17,7 @@
   #   { device = "/dev/disk/by-partlabel/disk-main-swap"; }
   # ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

nixosConfigurations/hosts/pub-vds.nix

@@ -0,0 +1,138 @@
+{ inputs, ... }@flakeContext:
+let
+  nixosModule =
+    {
+      config,
+      lib,
+      modulesPath,
+      pkgs,
+      xlib,
+      ...
+    }:
+    {
+      xlib.device = {
+        type = "pub-vds";
+        hostname = "pub-vds";
+      };
+
+      imports = [
+        (modulesPath + "/installer/scan/not-detected.nix")
+        (modulesPath + "/profiles/qemu-guest.nix")
+
+        ./disko/pub-vds.nix
+        ./hardware/pub-vds.nix
+
+        inputs.self.nixosModules.default
+      ];
+
+      boot = {
+        kernelPackages = pkgs.linuxPackages_xanmod_stable;
+        hardwareScan = true;
+        loader = {
+          grub = {
+            enable = true;
+            device = "nodev";
+            useOSProber = false;
+            efiSupport = false;
+          };
+          systemd-boot.enable = lib.mkDefault false;
+        };
+      };
+
+      services = {
+        earlyoom.enable = true;
+        preload.enable = true;
+        journald = {
+          extraConfig = ''
+            SystemMaxUse=512M
+          '';
+        };
+        samba = {
+          enable = true;
+          openFirewall = true;
+          settings = {
+            global = {
+              "invalid users" = [ ];
+              "passwd program" = "/run/wrappers/bin/passwd %u";
+              security = "user";
+            };
+            nixos = {
+              "path" = "/etc/nixos";
+              "browseable" = "yes";
+              "read only" = "no";
+              "valid users" = "${xlib.device.username}";
+              "guest ok" = "no";
+              "writable" = "yes";
+              "create mask" = 755;
+              "directory mask" = 755;
+              "force user" = "${xlib.device.username}";
+              "force group" = "users";
+            };
+            root = {
+              "path" = "/";
+              "browseable" = "yes";
+              "read only" = "no";
+              "valid users" = "${xlib.device.username}";
+              "guest ok" = "no";
+              "writable" = "yes";
+              #"create mask" = 0644;
+              #"directory mask" = 0644;
+              "force user" = "root";
+              "force group" = "root";
+            };
+            "${xlib.device.username}" = {
+              "path" = "/home/${xlib.device.username}";
+              "browseable" = "yes";
+              "read only" = "no";
+              "valid users" = "${xlib.device.username}";
+              "guest ok" = "no";
+              "writable" = "yes";
+              "create mask" = 700;
+              "directory mask" = 700;
+              "force user" = "${xlib.device.username}";
+              "force group" = "users";
+            };
+          };
+        };
+        openssh = {
+          enable = true;
+          allowSFTP = true;
+          openFirewall = true;
+          hostKeys = [
+            {
+              path = "/etc/ssh/id_ed25519";
+              type = "ed25519";
+            }
+          ];
+          settings = {
+            PasswordAuthentication = false;
+            PermitRootLogin = "yes";
+            UsePAM = true;
+          };
+        };
+        tailscale = {
+          enable = true;
+          openFirewall = true;
+        };
+      };
+
+      networking = {
+        hostName = "${xlib.device.hostname}";
+        networkmanager.enable = true;
+        firewall.enable = true;
+      };
+
+      system = {
+        stateVersion = "25.05";
+      };
+    };
+in
+inputs.nixpkgs.lib.nixosSystem {
+  modules = [
+    nixosModule
+  ];
+  system = "x86_64-linux";
+  specialArgs = {
+    deviceType = "pub-vds";
+  };
+}

nixosModules/options.nix

@@ -14,6 +14,7 @@
             "server"
             "vds"
             "wsl"
+            "pub-vds"
           ];
           default = "minimal";
           description = "Type of device for this host.";

nixosModules/pub-vds/default.nix

@@ -0,0 +1,9 @@
+{
+  lib,
+  ...
+}:
+{
+  imports = [
+    ./xray.nix
+  ];
+}

nixosModules/pub-vds/xray.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+{
+  services.xray = {
+    enable = true;
+    settings = inputs.zeroq-credentials.public.services.xray;
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 443 ];
+    allowedUDPPorts = [ 443 ];
+  };
+
+  environment.systemPackages = [ pkgs.xray ];
+}

nixosModules/vds/xray.nix

@@ -13,7 +13,6 @@
   networking.firewall = {
     allowedTCPPorts = [ 8443 ];
     allowedUDPPorts = [ 8443 ];
-    #trustedInterfaces = [ "tailscale0" ];
   };
 
   environment.systemPackages = [ pkgs.xray ];