From d00e298dc5d7c3ea5168298c987d65a0c4edba84 Mon Sep 17 00:00:00 2001
From: oqyude
Date: Sun, 1 Mar 2026 16:02:34 +0300
Subject: [PATCH] test

---
 configurations/default.nix | 1 +
 configurations/hardware/vds-new.nix | 23 +++
 configurations/vds-new.nix | 177 ++++++++++++++++++++++
 home/vds-new.nix | 27 ++++
 modules/options.nix | 1 +
 modules/vds-new/containers/3x-ui.nix | 108 ++++++++++++++
 modules/vds-new/containers/default.nix | 16 ++
 modules/vds-new/default.nix | 10 ++
 modules/vds-new/netbird.nix | 40 +++++
 modules/vds-new/nginx.nix | 198 +++++++++++++++++++++++++
 10 files changed, 601 insertions(+)
 create mode 100644 configurations/hardware/vds-new.nix
 create mode 100644 configurations/vds-new.nix
 create mode 100644 home/vds-new.nix
 create mode 100644 modules/vds-new/containers/3x-ui.nix
 create mode 100644 modules/vds-new/containers/default.nix
 create mode 100644 modules/vds-new/default.nix
 create mode 100644 modules/vds-new/netbird.nix
 create mode 100644 modules/vds-new/nginx.nix
diff --git a/configurations/default.nix b/configurations/default.nix
index 4f53f1b..3d07a04 100644
--- a/configurations/default.nix
+++ b/configurations/default.nix
@@ -5,6 +5,7 @@
 atoridu = import ./mini-pc.nix flakeContext; # atoridu
 rydiwo = import ./mini-laptop.nix flakeContext; # rydiwo
 otreca = import ./vds.nix flakeContext; # vds
+ otreca-new = import ./vds.nix flakeContext; # vds-new
 sapphira = import ./server.nix flakeContext; # sapphira
 wsl = import ./wsl.nix flakeContext; # wsl
 };
diff --git a/configurations/hardware/vds-new.nix b/configurations/hardware/vds-new.nix
new file mode 100644
index 0000000..cdbee5a
--- /dev/null
+++ b/configurations/hardware/vds-new.nix
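Review bot: The added line `otreca-new = import ./vds.nix flakeContext; # vds-new` points at the existing vds.nix, so the configurations/vds-new.nix file this commit creates is never reachable from the flake and the otreca-new output is just a second copy of otreca. It should read `otreca-new = import ./vds-new.nix flakeContext; # vds-new`. The same slip recurs inside configurations/vds-new.nix, whose imports list `./disko/vds.nix` and `./hardware/vds.nix` rather than the new hardware/vds-new.nix, which therefore also ends up unused.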
@@ -0,0 +1,23 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+{
+ fileSystems = {
+ "/" = {
+ device = lib.mkForce "/dev/disk/by-partlabel/disk-main-root"; # "/dev/disk/by-partlabel/disk-main-root";
+ fsType = "ext4";
+ };
+ };
+
+ # swapDevices = [
+ # { device = "/dev/disk/by-partlabel/disk-main-swap"; }
+ # ];
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/configurations/vds-new.nix b/configurations/vds-new.nix
new file mode 100644
index 0000000..b84ebca
--- /dev/null
+++ b/configurations/vds-new.nix
@@ -0,0 +1,177 @@ +{ inputs, ... }@flakeContext: +let + nixosModule = + { + config, + lib, + modulesPath, + pkgs, + xlib, + ... + }: + { + xlib.device = { + type = "vds-new"; + hostname = "otreca"; + }; + + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/profiles/qemu-guest.nix") + + ./disko/vds.nix + ./hardware/vds.nix + + inputs.self.nixosModules.default + ]; + + boot = { + kernelPackages = pkgs.linuxPackages_xanmod_stable; + hardwareScan = true; + loader = { + grub = { + enable = true; + device = "nodev"; + useOSProber = false; + efiSupport = false; + }; + systemd-boot.enable = lib.mkDefault false; + }; + }; + + services = { + earlyoom.enable = true; + journald = { + extraConfig = '' + SystemMaxUse=512M + ''; + }; + samba = { + enable = true; + openFirewall = true; + settings = { + global = { + "invalid users" = [ ]; + "passwd program" = "/run/wrappers/bin/passwd %u"; + security = "user"; + }; + nixos = { + "path" = "/etc/nixos"; + "browseable" = "yes"; + "read only" = "no"; + "valid users" = "${xlib.device.username}"; + "guest ok" = "no"; + "writable" = "yes"; + "create mask" = 755; + "directory mask" = 755; + "force user" = "${xlib.device.username}"; + "force group" = "users"; + }; + root = { + "path" = "/"; + "browseable" = "yes"; + "read only" = "no"; + "valid users" = "${xlib.device.username}"; + "guest ok" = "no"; + "writable" = "yes"; + #"create mask" = 0644; + #"directory mask" = 0644; + "force user" = "root"; + "force group" = "root"; + }; + "${xlib.device.username}" = { + "path" = "/home/${xlib.device.username}"; + "browseable" = "yes"; + "read only" = "no"; + "valid users" = "${xlib.device.username}"; + "guest ok" = "no"; + "writable" = "yes"; + "create mask" = 700; + "directory mask" = 700; + "force user" = "${xlib.device.username}"; + "force group" = "users"; + }; + }; + }; + openssh = { + enable = true; + allowSFTP = true; + openFirewall = true; + hostKeys = [ + { + path = "/etc/ssh/id_ed25519"; + type = 
"ed25519"; + } + ]; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "yes"; + UsePAM = true; + }; + }; + tailscale = { + enable = true; + openFirewall = true; + }; + }; + + networking = { + nameservers = [ + "1.1.1.1" + "8.8.8.8" + "2001:4860:4860::8844" + "2001:4860:4860::8888" + "2606:4700:4700::1111" + "2606:4700:4700::1001" + ]; + hostName = "${xlib.device.hostname}"; + networkmanager.enable = true; + tempAddresses = "disabled"; + dhcpcd = { + enable = true; + IPv6rs = true; + }; + firewall = { + enable = true; + allowPing = true; + }; + enableIPv6 = true; + interfaces.ens3 = { + useDHCP = true; + # ipv4.addresses = [ + # { + # address = "31.57.158.109"; + # prefixLength = 24; + # } + # ]; + # ipv6.addresses = [ + # { + # address = "2a13:7c00:6:102:f816:3eff:fe91:6b9e"; + # prefixLength = 64; + # } + # ]; + }; + # defaultGateway = { + # address = "31.57.158.1"; + # interface = "ens3"; + # }; + # defaultGateway6 = { + # address = "2a13:7c00:6:102::1"; + # interface = "ens3"; + # }; + }; + + system = { + stateVersion = "25.05"; + }; + }; +in +inputs.nixpkgs.lib.nixosSystem { + modules = [ + nixosModule + ]; + system = "x86_64-linux"; + specialArgs = { + deviceType = "vds-new"; + }; +} diff --git a/home/vds-new.nix b/home/vds-new.nix new file mode 100644 index 0000000..15d68db --- /dev/null +++ b/home/vds-new.nix @@ -0,0 +1,27 @@ +{ + config, + pkgs, + xlib, + ... +}: +{ + imports = [ + ./minimal.nix + ]; + xdg = { + enable = true; + autostart.enable = true; + userDirs = { + enable = true; + createDirectories = false; + desktop = null; + documents = null; + download = null; + music = null; + pictures = null; + publicShare = null; + templates = null; + videos = null; + }; + }; +} diff --git a/modules/options.nix b/modules/options.nix index 1aac5bf..91ded17 100644 --- a/modules/options.nix +++ b/modules/options.nix @@ -14,6 +14,7 @@ "secondary" "server" "vds" + "vds-new" "wsl" ]; default = "minimal"; 
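Review bot: The samba `root` share exports `/` writable with `"force user" = "root"` and `"force group" = "root"`, and `openFirewall = true` publishes SMB on every interface of an internet-facing VDS, so the share user's Samba password effectively becomes a root credential for the whole filesystem. Drop the `root` share (or at minimum make it read-only), and instead of opening SMB globally bind it to the VPN, e.g. `settings.global."interfaces" = "lo tailscale0"; settings.global."bind interfaces only" = "yes";` together with `openFirewall = false;`. In the openssh settings `PermitRootLogin = "yes"` should be `"prohibit-password"`, and since `UsePAM = true` keeps keyboard-interactive available, add `KbdInteractiveAuthentication = false;` so that `PasswordAuthentication = false` actually rules out password logins. The hunk also sets `hostname = "otreca"` and imports ./disko/vds.nix and ./hardware/vds.nix, i.e. the same identity and disk layout as the existing vds host, which is presumably not intended for a "new" machine.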
diff --git a/modules/vds-new/containers/3x-ui.nix b/modules/vds-new/containers/3x-ui.nix
new file mode 100644
index 0000000..1eefd7d
--- /dev/null
+++ b/modules/vds-new/containers/3x-ui.nix
@@ -0,0 +1,108 @@ +# Auto-generated using compose2nix v0.3.3-pre. +{ + pkgs, + lib, + config, + ... +}: + +{ + # Runtime + virtualisation.podman = { + enable = true; + autoPrune = { + enable = true; + flags = [ "--all" ]; + }; + dockerCompat = true; + }; + + # Enable container name DNS for all Podman networks. + networking.firewall.interfaces = + let + matchAll = if !config.networking.nftables.enable then "podman+" else "podman*"; + in + { + "${matchAll}".allowedUDPPorts = [ 53 ]; + }; + + networking.firewall = { + allowedUDPPortRanges = [ + { + from = 14380; + to = 15380; + } + ]; + allowedTCPPortRanges = [ + { + from = 14380; + to = 15380; + } + ]; + allowedTCPPorts = [ + 8443 + 9443 + 13380 + ]; + allowedUDPPorts = [ + 8443 + 9443 + 13380 + ]; + }; + virtualisation.oci-containers.backend = "podman"; + + # Containers + virtualisation.oci-containers.containers."3xui_app" = { + image = "ghcr.io/mhsanaei/3x-ui:latest"; + environment = { + "XRAY_VMESS_AEAD_FORCED" = "false"; + "XUI_ENABLE_FAIL2BAN" = "true"; + }; + volumes = [ + "/mnt/containers/3x-ui/cert/:/root/cert:rw" + "/mnt/containers/3x-ui/db/:/etc/x-ui:rw" + ]; + log-driver = "journald"; + extraOptions = [ + "--network=host" + ]; + }; + systemd.services."podman-3xui_app" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + partOf = [ + "podman-compose-3x-ui-root.target" + ]; + wantedBy = [ + "podman-compose-3x-ui-root.target" + ]; + }; + + # Builds + systemd.services."podman-build-3xui_app" = { + path = [ + pkgs.podman + pkgs.git + ]; + serviceConfig = { + Type = "oneshot"; + TimeoutSec = 300; + }; + script = '' + cd /mnt/containers/3x-ui + podman build -t compose2nix/3xui_app -f ./Dockerfile . + ''; + }; + + # Root service + # When started, this will automatically create all resources and start + # the containers. When stopped, this will teardown all resources. 
+ systemd.targets."podman-compose-3x-ui-root" = {
+ unitConfig = {
+ Description = "Root target generated by compose2nix.";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+}
diff --git a/modules/vds-new/containers/default.nix b/modules/vds-new/containers/default.nix
new file mode 100644
index 0000000..494db3a
--- /dev/null
+++ b/modules/vds-new/containers/default.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ pkgs,
+ inputs,
+ ...
+}:
+{
+ imports = [
+ ./3x-ui.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ compose2nix
+ podman-tui
+ ];
+}
diff --git a/modules/vds-new/default.nix b/modules/vds-new/default.nix
new file mode 100644
index 0000000..5f3ed7a
--- /dev/null
+++ b/modules/vds-new/default.nix
@@ -0,0 +1,10 @@
+{
+ lib,
+ ...
+}:
+{
+ imports = [
+ ./containers
+ ./nginx.nix
+ ];
+}
diff --git a/modules/vds-new/netbird.nix b/modules/vds-new/netbird.nix
new file mode 100644
index 0000000..ec6ba1f
--- /dev/null
+++ b/modules/vds-new/netbird.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+{
+ services.netbird.server = {
+ enable = false;
+ enableNginx = true;
+ domain = "netbird.zeroq.ru";
+ dashboard = {
+ enable = false;
+ domain = "netbird.zeroq.ru";
+ settings = {
+ #AUTH_AUTHORITY = "nbp_ufe0v5mbb5H1lQWL8eJfuzJ5ItPmlM46Mik0";
+ };
+ };
+ management = {
+ enable = false;
+ domain = "netbird.zeroq.ru";
+ };
+ };
+
+ # networking.firewall = {
+ # allowedTCPPorts = [
+ # 80
+ # 443
+ # 33073
+ # 10000
+ # 33080
+ # ];
+ # allowedUDPPorts = [ 3478 ];
+ # allowedUDPPortRanges = [
+ # {
+ # from = 49152;
+ # to = 65535;
+ # }
+ # ];
+ # };
+}
diff --git a/modules/vds-new/nginx.nix b/modules/vds-new/nginx.nix
new file mode 100644
index 0000000..641ae76
--- /dev/null
+++ b/modules/vds-new/nginx.nix
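Review bot: `"XRAY_VMESS_AEAD_FORCED" = "false"` in the 3xui_app environment switches off Xray's enforcement of AEAD-authenticated VMess and re-admits the legacy alterId handshake, which is the weaker, deprecated mode; unless a specific client still needs it, set it to `"true"` or drop the variable to keep the secure default. The container runs with `--network=host` from the unpinned `ghcr.io/mhsanaei/3x-ui:latest`, so whatever is pulled next executes with full host networking — pin by digest, `image = "ghcr.io/mhsanaei/3x-ui@sha256:<DIGEST>";`, so the deployed image is reproducible and auditable. The firewall block opens TCP and UDP 8443, 9443, 13380 and the whole 14380–15380 range on all interfaces; presumably these are inbound proxy listeners, but the panel UI is presumably the localhost:2049 backend that nginx.nix proxies, so confirm none of these ports belongs to the admin interface before leaving them open. `/mnt/containers/3x-ui` (volumes and the `podman-build-3xui_app` Dockerfile path) is not provisioned anywhere in the commit, so the unit depends on state outside the repo; a comment saying where it comes from would help.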
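Review bot: The commented-out `AUTH_AUTHORITY` line in `dashboard.settings` of netbird.nix carries what appears to be a NetBird access token (the `nbp_` prefix); committing it, even inside a comment, leaves it in repository history, so it should be revoked/rotated and, if needed, supplied through the `inputs.zeroq-credentials` flake input this commit already uses in nginx.nix rather than inlined. The file is also not imported by modules/vds-new/default.nix, which lists only `./containers` and `./nginx.nix`, and every `enable` in it is `false`, so nothing here is active; either import it or leave it out until it is.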
@@ -0,0 +1,198 @@ +{ + config, + inputs, + pkgs, + ... +}: +let + server = "100.64.0.0"; +in +{ + environment.etc."nginx/pubray".text = inputs.zeroq-credentials.services.xray.auth; + users.users.nginx.extraGroups = [ "acme" ]; + services = { + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + appendHttpConfig = inputs.zeroq-credentials.services.xray.maps; + virtualHosts = { + "pubray.zeroq.ru" = { + enableACME = true; + forceSSL = true; + root = "${inputs.zeroq-credentials.services.xray.subs}"; + locations."/" = { + extraConfig = '' + auth_basic "Restricted"; + auth_basic_user_file /etc/nginx/pubray; + + if ($subfile = "") { return 403; } + rewrite ^/$ $subfile break; + ''; + }; + }; + "x.new.zeroq.ru" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://localhost:2049"; + proxyWebsockets = true; + }; + "/subs/" = { + proxyPass = "http://localhost:2096"; + proxyWebsockets = true; + }; + }; + }; + "kuma.new.zeroq.ru" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${server}:4001"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 5G; + ''; + }; + # "node-red.zeroq.ru" = { + # forceSSL = true; + # enableACME = true; + # kTLS = true; + # locations."/" = { + # proxyPass = "http://${server}:1880"; + # proxyWebsockets = true; + # }; + # extraConfig = '' + # client_max_body_size 5G; + # ''; + # }; + # "new.zeroq.ru" = { + # forceSSL = true; + # enableACME = true; + # root = pkgs.writeTextDir "index.html" '' + # + # + # + #
What are you doing here?
+ # + # + # ''; + # locations = { + # "/guest/" = { + # proxyPass = "http://${server}:80"; + # proxyWebsockets = true; + # }; + # # "/.well-known/discord" = { + # # extraConfig = '' + # # default_type text/plain; + # # return 200 "dh=c2d103553a4cfdaa1b7952a87a7d8120a1e167cc"; + # # ''; + # # }; + # }; + # }; + "flux.new.zeroq.ru" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${server}:6061"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 5G; + ''; + }; + "office.new.zeroq.ru" = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://${server}:9980"; # API и coauthoring + proxyWebsockets = true; + }; + }; + extraConfig = '' + client_max_body_size 5G; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; # absolute_redirect off; + }; + "immich.new.zeroq.ru" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${server}:2283"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 5G; + ''; + }; + "nextcloud.new.zeroq.ru" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://${server}:10000"; + proxyWebsockets = true; + }; + "/whiteboard" = { + proxyPass = "http://${server}:3002"; + proxyWebsockets = true; + }; + }; + extraConfig = '' + client_max_body_size 5G; + ''; + }; + "calibre.new.zeroq.ru" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${server}:8083"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 5G; + ''; + }; + # "pdf.new.zeroq.ru" = { + # forceSSL = true; + # enableACME = true; + # locations."/" = { + # proxyPass = "http://${server}:6060"; + # proxyWebsockets = true; + # }; + # extraConfig = '' + # client_max_body_size 5G; + # ''; + # }; + # "ai.zeroq.ru" = { + # forceSSL = true; + # enableACME = true; + 
# locations."/" = { + # proxyPass = "http://${server}:11112"; + # proxyWebsockets = true; + # }; + # extraConfig = '' + # client_max_body_size 5G; + # ''; + # }; + }; + }; + }; + security.acme = { + acceptTerms = true; + defaults = { + email = "go.bin043120@gmail.com"; + }; + }; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; +}
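Review bot: `environment.etc."nginx/pubray".text = inputs.zeroq-credentials.services.xray.auth;` materialises the basic-auth user file in the Nix store, which is world-readable on the host, so the credential hashes are exposed to every local user; deploy it with a secrets tool (sops-nix/agenix) to a mode-0400 file owned by nginx and point `auth_basic_user_file` at that path instead. `server = "100.64.0.0"` is the network address of the 100.64.0.0/10 shared range rather than a host, so every `proxyPass = "http://${server}:…"` will fail until it holds a real backend address — presumably a placeholder that was left in. In the office.new.zeroq.ru vhost the three `proxy_set_header` lines in `extraConfig` sit at server level while `recommendedProxySettings` already emits equivalent headers inside each proxied location, and nginx does not inherit server-level `proxy_set_header` into a location that defines its own, so they are likely no-ops and can be removed. The `pubray.zeroq.ru` location depends on `$subfile` coming from the credentials-provided `appendHttpConfig` maps; a one-line comment such as `# $subfile is set by the xray maps in appendHttpConfig; empty means unknown user` would make that dependency visible.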