From c3f8acad128edffcc0e5b15940cc959bee0cd0ea Mon Sep 17 00:00:00 2001
From: oqyude <oqyude@gmail.com>
Date: Sat, 4 Apr 2026 11:34:44 +0300
Subject: [PATCH] remnawave init

---
 configurations/disko/server.nix           |   2 +-
 configurations/disko/vds.nix              |   2 +-
 configurations/hardware/mini-laptop.nix   |  10 +-
 configurations/hardware/server.nix        |  10 +-
 configurations/hardware/vds.nix           |  10 +-
 configurations/server.nix                 |   2 +-
 configurations/vds.nix                    |   2 +-
 modules/containers/remnawave.nix          | 187 ++++++++++++++++++++++
 modules/containers/secrets/remnawave.yaml |  20 +++
 modules/server/default.nix                |   4 +-
 modules/server/netdata.nix                |  10 +-
 11 files changed, 237 insertions(+), 22 deletions(-)
 create mode 100644 modules/containers/secrets/remnawave.yaml

diff --git a/configurations/disko/server.nix b/configurations/disko/server.nix
index 0e73e05..981057f 100644
--- a/configurations/disko/server.nix
+++ b/configurations/disko/server.nix
@@ -18,7 +18,7 @@
               };
             };
             swap = {
-              size = "2G";
+              size = "6G";
               content = {
                 type = "swap";
               };
diff --git a/configurations/disko/vds.nix b/configurations/disko/vds.nix
index c8210e5..bcc69ce 100644
--- a/configurations/disko/vds.nix
+++ b/configurations/disko/vds.nix
@@ -20,7 +20,7 @@
               };
             };
             swap = {
-              size = "1G";
+              size = "4G";
               content = {
                 type = "swap";
               };
diff --git a/configurations/hardware/mini-laptop.nix b/configurations/hardware/mini-laptop.nix
index 096a51d..b83f334 100644
--- a/configurations/hardware/mini-laptop.nix
+++ b/configurations/hardware/mini-laptop.nix
@@ -14,11 +14,11 @@
 
   boot = {
     initrd = {
-      supportedFilesystems = [
-        "nfs"
-        "nfsv4"
-        "overlay"
-      ];
+      # supportedFilesystems = [
+      #   "nfs"
+      #   "nfsv4"
+      #   "overlay"
+      # ];
       availableKernelModules = [
         "nvme"
         "xhci_pci"
diff --git a/configurations/hardware/server.nix b/configurations/hardware/server.nix
index a4c066f..4823fcf 100644
--- a/configurations/hardware/server.nix
+++ b/configurations/hardware/server.nix
@@ -51,9 +51,13 @@
     };
   };
 
-  # swapDevices = [
-  #   { device = "/dev/disk/by-partlabel/disk-main-swap"; }
-  # ];
+  zramSwap = {
+    enable = true;
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-partlabel/disk-main-swap"; }
+  ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/configurations/hardware/vds.nix b/configurations/hardware/vds.nix
index cdbee5a..dc81641 100644
--- a/configurations/hardware/vds.nix
+++ b/configurations/hardware/vds.nix
@@ -13,9 +13,13 @@
     };
   };
 
-  # swapDevices = [
-  #   { device = "/dev/disk/by-partlabel/disk-main-swap"; }
-  # ];
+  swapDevices = [
+    { device = "/dev/disk/by-partlabel/disk-main-swap"; }
+  ];
+
+  zramSwap = {
+    enable = true;
+  };
 
   networking.useDHCP = lib.mkDefault true;
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
diff --git a/configurations/server.nix b/configurations/server.nix
index 1ca6125..4be2e1d 100644
--- a/configurations/server.nix
+++ b/configurations/server.nix
@@ -20,7 +20,7 @@ let
       ];
 
       boot = {
-        kernelPackages = pkgs.linuxPackages_xanmod_stable;
+        # kernelPackages = pkgs.linuxPackages_xanmod_stable;
         hardwareScan = true;
         loader = {
           systemd-boot.enable = lib.mkDefault true;
diff --git a/configurations/vds.nix b/configurations/vds.nix
index 7a9cf9c..6f873ed 100644
--- a/configurations/vds.nix
+++ b/configurations/vds.nix
@@ -26,7 +26,7 @@ let
       ];
 
       boot = {
-        kernelPackages = pkgs.linuxPackages_xanmod_stable;
+        # kernelPackages = pkgs.linuxPackages_xanmod_stable;
         hardwareScan = true;
         loader = {
           grub = {
diff --git a/modules/containers/remnawave.nix b/modules/containers/remnawave.nix
index 9496e74..6498398 100644
--- a/modules/containers/remnawave.nix
+++ b/modules/containers/remnawave.nix
@@ -7,6 +7,193 @@
   ...
 }:
 {
+  # Runtime
+  virtualisation.podman = {
+    enable = true;
+    autoPrune.enable = true;
+    dockerCompat = true;
+  };
+
+  # Enable container name DNS for all Podman networks.
+  networking.firewall.interfaces = let
+    matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
+  in {
+    "${matchAll}".allowedUDPPorts = [ 53 ];
+  };
+
+  virtualisation.oci-containers.backend = "podman";
+
+  # Containers
+  virtualisation.oci-containers.containers."remnawave-panel-1" = {
+    image = "ghcr.io/remnawave/backend:latest";
+    environment = {
+      "API_INSTANCES" = "1";
+      "APP_PORT" = "3000";
+      "BANDWIDTH_USAGE_NOTIFICATIONS_ENABLED" = "false";
+      "BANDWIDTH_USAGE_NOTIFICATIONS_THRESHOLD" = "[60, 80]";
+      "FRONT_END_DOMAIN" = "*";
+      "IS_DOCS_ENABLED" = "false";
+      "IS_TELEGRAM_NOTIFICATIONS_ENABLED" = "false";
+      "METRICS_PASS" = "admin";
+      "METRICS_PORT" = "3001";
+      "METRICS_USER" = "admin";
+      "NOT_CONNECTED_USERS_NOTIFICATIONS_AFTER_HOURS" = "[6, 24, 48]";
+      "NOT_CONNECTED_USERS_NOTIFICATIONS_ENABLED" = "false";
+      "PANEL_DOMAIN" = "rw.zeroq.ru";
+      "POSTGRES_DB" = "remnawave";
+      "POSTGRES_USER" = "remnawave";
+      "REDIS_SOCKET" = "/var/run/valkey/valkey.sock";
+      "SCALAR_PATH" = "/scalar";
+      "SUB_PUBLIC_DOMAIN" = "rw.zeroq.ru/api/sub";
+      "SWAGGER_PATH" = "/docs";
+      # "TELEGRAM_BOT_TOKEN" = "change_me";
+      # "TELEGRAM_NOTIFY_CRM" = "change_me";
+      # "TELEGRAM_NOTIFY_NODES" = "change_me";
+      # "TELEGRAM_NOTIFY_SERVICE" = "change_me";
+      # "TELEGRAM_NOTIFY_TBLOCKER" = "change_me";
+      # "TELEGRAM_NOTIFY_USERS" = "change_me";
+      "WEBHOOK_ENABLED" = "false";
+      # "WEBHOOK_URL" = "https://your-webhook-url.com/endpoint";
+    };
+    environmentFiles = [
+      "/run/secrets/remnawave-env"
+    ];
+    ports = [
+      "3003:3003/tcp"
+    ];
+    log-driver = "journald";
+    extraOptions = [
+      "--network-alias=remnawave-panel-1"
+      "--network=host" # "--network=remnawavebackend_default"
+    ];
+  };
+  systemd.services."podman-remnawave-panel-1" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 90 "always";
+    };
+    partOf = [
+      "podman-compose-remnawave-root.target"
+    ];
+    wantedBy = [
+      "podman-compose-remnawave-root.target"
+    ];
+  };
+
+  # Builds
+  # systemd.services."podman-build-remnawave-panel-1" = {
+  #   path = [ pkgs.podman pkgs.git ];
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     TimeoutSec = 300;
+  #   };
+  #   script = ''
+  #     cd /mnt/s/Deploy/remnawave-backend
+  #     podman build -t compose2nix/remnawave-panel-1 .
+  #   '';
+  # };
+
+  # Root service
+  # When started, this will automatically create all resources and start
+  # the containers. When stopped, this will teardown all resources.
+  systemd.targets."podman-compose-remnawave-root" = {
+    unitConfig = {
+      Description = "Root target generated by compose2nix.";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  services = {
+    postgresql = {
+      ensureDatabases = [ "remnawave" ];
+      ensureUsers = [
+        {
+          name = "remnawave";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+  };
+  
+  systemd.services = {
+    remnawave-env = {
+      description = "Generate remnawave env file";
+      requiredBy = [ "podman-remnawave-panel-1.service" ];
+      before = [ "podman-remnawave-panel-1.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+      };
+      script = ''
+        cat > /run/secrets/remnawave-env <<EOF
+          DATABASE_URL=$(cat ${config.sops.secrets.DATABASE_URL.path})
+          DATABASE_PASSWORD=$(cat ${config.sops.secrets.DATABASE_PASSWORD.path})
+          JWT_AUTH_SECRET=$(cat ${config.sops.secrets.JWT_AUTH_SECRET.path})
+          JWT_API_TOKENS_SECRET=$(cat ${config.sops.secrets.JWT_API_TOKENS_SECRET.path})
+          CLOUDFLARE_TOKEN=$(cat ${config.sops.secrets.CLOUDFLARE_TOKEN.path})
+          WEBHOOK_SECRET_HEADER=$(cat ${config.sops.secrets.WEBHOOK_SECRET_HEADER.path})
+          EOF
+        chmod 600 /run/secrets/remnawave-env
+      '';
+      wantedBy = [ "multi-user.target" ];
+    };
+    remnawave-db-init = {
+      description = "Initialize Remnawave DB user";
+      after = [ "postgresql.service" ];
+      requires = [ "postgresql.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "postgres";
+      };
+      script = ''
+        PASSWORD=$(cat ${config.sops.secrets.DATABASE_PASSWORD.path})
+        ${pkgs.postgresql}/bin/psql -v ON_ERROR_STOP=1 <<EOF
+        DO \$\$
+        BEGIN
+          IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname='remnawave') THEN
+              EXECUTE format('ALTER ROLE remnawave WITH PASSWORD %L', '$PASSWORD');
+          END IF;
+        END
+        \$\$ LANGUAGE plpgsql;
+        EOF
+      '';
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+
+  sops.secrets = {
+    DATABASE_PASSWORD = {
+      key = "DATABASE_PASSWORD";
+      sopsFile = ./secrets/remnawave.yaml;
+      owner = "postgres";
+      group = "postgres";
+      mode = "0400";
+    };
+    WEBHOOK_SECRET_HEADER = {
+      key = "WEBHOOK_SECRET_HEADER";
+      sopsFile = ./secrets/remnawave.yaml;
+      mode = "0400";
+    };
+    DATABASE_URL = {
+      key = "DATABASE_URL";
+      sopsFile = ./secrets/remnawave.yaml;
+      mode = "0400";
+    };
+    JWT_AUTH_SECRET = {
+      key = "JWT_AUTH_SECRET";
+      sopsFile = ./secrets/remnawave.yaml;
+      mode = "0400";
+    };
+    JWT_API_TOKENS_SECRET = {
+      key = "JWT_API_TOKENS_SECRET";
+      sopsFile = ./secrets/remnawave.yaml;
+      mode = "0400";
+    };
+    CLOUDFLARE_TOKEN = {
+      key = "CLOUDFLARE_TOKEN";
+      sopsFile = ./secrets/remnawave.yaml;
+      mode = "0400";
+    };
+  };
   systemd.tmpfiles.rules = [
     "d ${xlib.dirs.services-mnt-folder} 0755 root root -"
     "d ${xlib.dirs.services-mnt-folder}/containers 0755 root root -"
diff --git a/modules/containers/secrets/remnawave.yaml b/modules/containers/secrets/remnawave.yaml
new file mode 100644
index 0000000..f3b41d2
--- /dev/null
+++ b/modules/containers/secrets/remnawave.yaml
@@ -0,0 +1,20 @@
+DATABASE_PASSWORD: ENC[AES256_GCM,data:DRactR3j13q9zHFO0puGhBv09CX9YJc9KtFSLuOUVV/U7O/Nmh5Hb4ID0+A=,iv:5ErptccuQIVxfZKIcpfO5yVtcM0zE7kPn4v7kHctTP8=,tag:e3w8Rz+wGLTrxDSNftmkLw==,type:str]
+WEBHOOK_SECRET_HEADER: ENC[AES256_GCM,data:ZJYKwG1a8JH0ODeRnrv395plPN7PA18+gi3R/ueGd/r8OrtbVGL8UnZ/6HgW9M+/jCGWNclD5mZfyRg3He6hDg==,iv:PIYCD2n5ED5T24JfG6xhrvStd6jySCoBHhA8hUFIEMk=,tag:WWpfI1q9l9R44FRNaqIiaA==,type:str]
+DATABASE_URL: ENC[AES256_GCM,data:6plSDBUKyZVAO/djw3bPTthtS11yljwCGfQcIUqQetxROk5hwwVEGNMd1e6nGgS7eTtqJHW6uStkw58=,iv:RDjCVPDgPhMEbCriW0xjrxzcAolmyD55fbkD95LZMlE=,tag:ovH2D3eTXtHFmZba6u+IZg==,type:str]
+JWT_AUTH_SECRET: ENC[AES256_GCM,data:rzsOoIwJwwzCd+QbelcWYjfe1Bt7Y1ihrEn9tsxNyZnfmVVIkpFC948ne3YhUZ0CXYEDJYen/SFQgyyWsPwTwZgcy11mIZnROh4vlOJvPWILB1IlVQF/JDDts3fvXfe9HQ7ujBwkw5uR/33Rm+yxeLHMWTsn644DZSyKFi53QqY=,iv:aB3meC8BeEsLmiF0UMjQ60xipjGTJ0Qg1XqRHNujPFE=,tag:s/YcehFUrArknqHlXo3MYw==,type:str]
+JWT_API_TOKENS_SECRET: ENC[AES256_GCM,data:m6EtsdMNDRJk99LEYRgTk5rFNUYux4I2UWo/8AWy+2HJI8tRiOrBO284T3W/N+2/3fbty96sVB/SD8bjIIsxHij51sZTYi4+hdU7VxANGPdiMckKAXtvj3FMsVwrtW4MgRbH0j7taiDtnxVp6F3Cl7Sb0GamKFJjgAZnA3weN/8=,iv:rnNB1AzosstyF3c2pUcvYVTyUWcmo8Du+/b09OgcN9w=,tag:O81gnP2nXJ3JvgkivzVgkw==,type:str]
+sops:
+    age:
+        - recipient: age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dWxEUDdhV2Z4V3JpNzNL
+            T0ZkYjlLWTNFV2c0Vm5Vb05xK09sQ0RxU0ZVCjhaSVhsSmoyZCtLYlNOVlNnTGFv
+            TTU1Y3I5U3UrcXhOOGt6U0hoSGw0YlUKLS0tIEJIbnJwNUk4Z0ZGNTRQRVFjWFhv
+            d0sreEpsMjV5M2JoRHFnVkpqeGhMM1EKX7K3Q2yj8EZuzCIxWIc+6Xeo+0lidPse
+            wstbeHV8ygWvOjIxjRGPOETQ17GLLl3eNEsk6P2gytZchmLkLYKKsA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-04T23:08:05Z"
+    mac: ENC[AES256_GCM,data:vWNFqNiWleqvRItVB0X5W/7e/F+LEWmfIKtnjbV5xwgyZ1jkP2N2wkw8CpzDNN5xwrkTdKfziGt+Psg8p72uMfvqns1lgQzvSbT3W8Di7bbIxgvwyBV8qCCpYn95ra/KRmV+oefhhr/1RlBN8wNb3oZI/m7sH8lv9d0sKw5SrE8=,iv:UAOifm4itrG6M3VKi7zelxL73lcpQkGXLSa/dk/hbvM=,tag:rzCK7Id3zQVF8VSDJV3nhg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2
diff --git a/modules/server/default.nix b/modules/server/default.nix
index adc4bfe..d19fe93 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -9,6 +9,8 @@
     ./calibre-web.nix
     ./immich.nix
     ./miniflux.nix
+    ./n8n.nix
+    ./netdata.nix
     ./nextcloud.nix
     ./nginx.nix
     ./open-webui.nix
@@ -19,8 +21,6 @@
     ./systemd.nix
     ./transmission.nix
     ./uptime-kuma.nix
-    ./netdata.nix
-    ./n8n.nix
     # ./mealie.nix
     # ./memos.nix
     # ./nfs.nix
diff --git a/modules/server/netdata.nix b/modules/server/netdata.nix
index 26e396c..395b6c7 100644
--- a/modules/server/netdata.nix
+++ b/modules/server/netdata.nix
@@ -8,7 +8,7 @@
 {
   services = {
     netdata = {
-      enable = true;
+      enable = false;
       package = pkgs.netdata.override {
         withCloudUi = true;
       };
@@ -19,10 +19,10 @@
           "bind to" = "0.0.0.0";
         };
       };
-      python = {
-        enable = true;
-        recommendedPythonPackages = true;
-      };
+      # python = {
+      #   enable = true;
+      #   recommendedPythonPackages = true;
+      # };
     };
   };