diff --git a/devices/server.nix b/devices/server.nix
index 37230d4..0b5b0a0 100755
--- a/devices/server.nix
+++ b/devices/server.nix
@@ -13,7 +13,7 @@ let
 self.nixosModules.default
 #self.nixosModules.desktop
- self.nixosModules.server.cloudflared
+ #self.nixosModules.server.cloudflared
 self.nixosModules.server.immich
 self.nixosModules.server.nextcloud
 self.nixosModules.server.nginx
@@ -113,8 +113,8 @@ let
 "valid users" = "${inputs.zeroq.devices.admin}";
 "guest ok" = "no";
 "writable" = "yes";
- "create mask" = 644;
- "directory mask" = 644;
+ "create mask" = 755;
+ "directory mask" = 755;
 "force user" = "${inputs.zeroq.devices.admin}";
 "force group" = "users";
 };
diff --git a/devices/vds.nix b/devices/vds.nix
index 98b2c1b..2824b3a 100644
--- a/devices/vds.nix
+++ b/devices/vds.nix
@@ -17,15 +17,9 @@ let
 ./hardware/vds.nix
 disko.nixosModules.disko
-
- #nixos-facter-modules.nixosModules.facter
- self.nixosModules.default
- self.nixosModules.server.xray
- #self.homeConfigurations.server.nixosModule # home-manager configuration module
- ];
-
- #facter.reportPath = ./report/facter.json;
+ ]
+ ++ builtins.attrValues inputs.self.nixosModules.vds;
 environment.systemPackages = map lib.lowPrio [
 pkgs.curl
@@ -33,12 +27,6 @@ let
 pkgs.lazygit
 ];
- # boot.loader.grub = {
- # # no need to set devices, disko will add all devices that have a EF02 partition to the list already
- # # devices = [ ];
- # efiSupport = true;
- # efiInstallAsRemovable = true;
- # };
 boot = {
 kernelPackages = pkgs.linuxPackages_xanmod_stable;
 hardwareScan = true;
@@ -48,10 +36,8 @@ let
 device = "nodev";
 useOSProber = false;
 efiSupport = false;
- #efiInstallAsRemovable = true;
 };
 systemd-boot.enable = lib.mkDefault false;
- #efi.canTouchEfiVariables = lib.mkDefault true;
 };
 };
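Review bot: Raising `"create mask"` to 755 (the devices/server.nix -113 hunk, repeated in the devices/vds.nix -96 hunk) lets the execute bit survive on every file written through the share: with Samba's default `map archive = yes`, the DOS archive attribute that Windows sets on new files is mapped onto the owner execute bit, and a 755 mask no longer strips it, so uploads land as executables. Only `directory mask` needed the change, since a 644 directory cannot be traversed; keep `"create mask" = 644;` and change just `"directory mask" = 755;`. If file execute bits are genuinely wanted, a comment on the `create mask` line should say why. Both hunks sit inside a share definition that opens before the hunk.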
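Review bot: The rewritten module list in the devices/vds.nix -17 hunk drops `self.nixosModules.default`, and `++ builtins.attrValues inputs.self.nixosModules.vds` only brings in the `vds` set (cloudflared, nginx, xray per the flake.nix hunk later in this diff), so the vds host no longer imports the default module unless it reaches it some other way not visible here. If that is unintended, keep `self.nixosModules.default` in the list ahead of the `]`. Importing every attribute of the set also means any module added to `vds` later is silently enabled on this host; an explicit list such as `[ vds.cloudflared vds.xray ]` documents what the host is meant to run. The list this hunk closes opens before the hunk.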
@@ -61,7 +47,6 @@ let
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKduJia+unaQQdN6X5syaHvnpIutO+yZwvfiCP4qKQ/P"
 ];
- #++ (args.extraPublicKeys or [ ]); # this is used for unit-testing this module and can be removed if not needed
 };
 "${inputs.zeroq.devices.admin}" = {
 openssh.authorizedKeys.keys = [
@@ -96,8 +81,8 @@ let
 "valid users" = "${inputs.zeroq.devices.admin}";
 "guest ok" = "no";
 "writable" = "yes";
- "create mask" = 644;
- "directory mask" = 644;
+ "create mask" = 755;
+ "directory mask" = 755;
 "force user" = "${inputs.zeroq.devices.admin}";
 "force group" = "users";
 };
diff --git a/flake.nix b/flake.nix
index f0718c0..07e54f2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -120,7 +120,11 @@
 nextcloud = import ./modules/server/nextcloud.nix flakeContext;
 nginx = import ./modules/server/cloudflared.nix flakeContext;
 zerotier = import ./modules/server/zerotier.nix flakeContext;
- xray = import ./modules/server/xray.nix flakeContext;
+ };
+ vds = {
+ cloudflared = import ./modules/vds/cloudflared.nix flakeContext;
+ nginx = import ./modules/vds/cloudflared.nix flakeContext;
+ xray = import ./modules/vds/xray.nix flakeContext;
 };
 };
diff --git a/modules/vds/cloudflared.nix b/modules/vds/cloudflared.nix
new file mode 100644
index 0000000..20e2835
--- /dev/null
+++ b/modules/vds/cloudflared.nix
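Review bot: In the flake.nix hunk the new `nginx = import ./modules/vds/cloudflared.nix flakeContext;` points the nginx attribute at the cloudflared module, while `modules/vds/nginx.nix`, added in this same commit, is referenced nowhere; it mirrors the pre-existing `nginx = import ./modules/server/cloudflared.nix` context line above it, so both look like copy-paste slips. Because devices/vds.nix now imports `builtins.attrValues` of the `vds` set, the cloudflared module is evaluated twice on that host; the two definitions are identical so the module system may tolerate it, but that is incidental. The fix is `nginx = import ./modules/vds/nginx.nix flakeContext;`, and the server line presumably wants the same treatment. The `nixosModules` set this hunk edits opens before the hunk.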
@@ -0,0 +1,72 @@
+{ inputs, ... }@flakeContext:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ services = {
+ cloudflared = {
+ enable = true;
+ certificateFile = "${inputs.zeroq-credentials}/services/cloudflared/cert.pem";
+ tunnels = {
+ "58b340ee-e98a-4af9-b786-74600c71f49e" = {
+ credentialsFile = "${inputs.zeroq-credentials}/services/cloudflared/server.json";
+ warp-routing.enabled = true;
+ ingress = {
+ "immich.zeroq.ru" = {
+ service = "http://sapphira.latxa-platy.ts.net:2283";
+ };
+ "nextcloud.zeroq.ru" = {
+ service = "http://sapphira.latxa-platy.ts.net";
+ };
+ };
+ default = "http_status:404";
+ };
+ # "58b340ee-e98a-4af9-b786-74600c71f49e" = {
+ # credentialsFile = "${inputs.zeroq.dirs.server-credentials}/cloudflared/server.json";
+ # warp-routing.enabled = true;
+ # ingress = {
+ # "nextcloud.zeroq.ru" = {
+ # service = "http://localhost:10000";
+ # };
+ # };
+ # default = "http_status:404";
+ # };
+ };
+ };
+ };
+
+ # users.users = {
+ # cloudflared = {
+ # group = "cloudflared";
+ # isSystemUser = true;
+ # };
+ # };
+ # users.groups.cloudflared = { };
+ #
+ # systemd.services.cloudflared = {
+ # after = [
+ # "network.target"
+ # "network-online.target"
+ # ];
+ # wants = [
+ # "network.target"
+ # "network-online.target"
+ # ];
+ # wantedBy = [ "multi-user.target" ];
+ # serviceConfig = {
+ # ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate --config=${inputs.zeroq.dirs.server-credentials}/cloudflared/config.yaml --origincert=${inputs.zeroq.dirs.server-credentials}/cloudflared/cert.pem --credentials-file=${inputs.zeroq.dirs.server-credentials}/cloudflared/server.json run";
+ # Group = "root";
+ # User = "root";
+ # Restart = "on-failure";
+ # };
+ # };
+
+ environment = {
+ systemPackages = with pkgs; [
+ cloudflared
+ ];
+ };
+}
diff --git a/modules/vds/nginx.nix b/modules/vds/nginx.nix
new file mode 100644
index 0000000..bb45bdb
--- /dev/null
+++ b/modules/vds/nginx.nix
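Review bot: `certificateFile` and `credentialsFile` are built from `${inputs.zeroq-credentials}`; if that is a flake input, interpolating it copies the whole credentials tree, including the origin certificate and the tunnel's `server.json`, into the world-readable Nix store, and the store path then becomes part of the system closure and of any cache it is pushed to. The options take plain paths, so point them at a file provisioned at runtime outside the store rather than at an interpolated input, and add a comment on `certificateFile` noting that the path must not resolve into `/nix/store`. The commented-out second tunnel definition and the commented-out `users`/`systemd.services.cloudflared` block still carry credential paths from the previous layout and are better deleted than kept as dead text, and `config` and `lib` in the module arguments are unused.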
@@ -0,0 +1,34 @@
+{ inputs, ... }@flakeContext:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ services = {
+ nginx = {
+ enable = false;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "localhost:10000" = {
+ forceSSL = false;
+ enableACME = false;
+ listen = [
+ {
+ addr = "100.64.0.0";
+ port = 10000;
+ }
+ {
+ addr = "192.168.1.20";
+ port = 10000;
+ }
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/modules/server/xray.nix b/modules/vds/xray.nix
similarity index 100%
rename from modules/server/xray.nix
rename to modules/vds/xray.nix
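Review bot: `enable = false;` leaves this whole module inert, so none of the settings below it take effect, and the listen entry `addr = "100.64.0.0"` is the network address of the 100.64.0.0/10 block rather than a host address, which nginx would refuse to bind to on a host that does not own it; it reads as a placeholder for the host's real address in that range. If the module is meant to be wired in later, say so in a comment above `enable` (for example `# kept disabled until the reverse proxy moves off the server host`) and fill in the real address; otherwise drop the file. Note also that flake.nix in this commit never imports this file (its `vds.nginx` entry points at cloudflared.nix), and the vhost defines no `locations`, so what it is meant to proxy is not visible here.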