staging(no atomic commits thanks to git-hooks)

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
This commit is contained in:
s0me1newithhand7s 2026-03-25 17:56:18 +03:00
parent db3b60a846
commit c5f949506a
117 changed files with 2520 additions and 999 deletions


@ -1,57 +0,0 @@
{self, ...}: {
imports = [
"${self}/kyra/disko/disk.nix"
"${self}/kyra/disko/lvm_vg.nix"
"${self}/kyra/boot/initrd/availableKernelModules.nix"
"${self}/kyra/boot/initrd/kernelModules.nix"
"${self}/kyra/boot/loader/grub.nix"
"${self}/kyra/boot/kernel.nix"
"${self}/kyra/boot/tmp.nix"
"${self}/kyra/environment/systemPackages.nix"
"${self}/kyra/hardware/zram.nix"
"${self}/kyra/home-manager/users.nix"
"${self}/kyra/networking/interfaces/ens3.nix"
"${self}/kyra/networking/firewall/ens3.nix"
"${self}/kyra/networking/firewall.nix"
"${self}/kyra/networking/dns.nix"
"${self}/kyra/networking/wireguard.nix"
"${self}/kyra/networking/defaultGateway.nix"
"${self}/kyra/nix/settings/allowed-users.nix"
"${self}/kyra/nix/settings/experimental-features.nix"
"${self}/kyra/nix/settings/substituters.nix"
"${self}/kyra/nix/settings/trusted-public-keys.nix"
"${self}/kyra/nix/settings/trusted-users.nix"
"${self}/kyra/nix/settings/auto-optimise-store.nix"
"${self}/kyra/nixpkgs/config.nix"
"${self}/kyra/nixpkgs/platform.nix"
"${self}/kyra/programs/nh.nix"
"${self}/kyra/services/openssh.nix"
"${self}/kyra/services/fail2ban.nix"
"${self}/kyra/services/netbird.nix"
"${self}/kyra/services/qemuGuest.nix"
"${self}/kyra/services/caddy.nix"
"${self}/kyra/services/sing-box.nix"
"${self}/kyra/sops/age.nix"
"${self}/kyra/sops/defaults.nix"
"${self}/kyra/sops/secrets.nix"
"${self}/kyra/system/stateVersion.nix"
"${self}/kyra/users/users.nix"
"${self}/kyra/users/users/alep0u.nix"
"${self}/kyra/users/users/hand7s.nix"
"${self}/kyra/users/users/root.nix"
"${self}/kyra/virtualisation/docker.nix"
];
}


@ -1,9 +1,14 @@
{
{name, ...}: {
disko = {
devices = {
disk = {
virt_main = {
device = "/dev/sda";
"virt_main" = {
device =
{
"yara" = "/dev/vda";
}.${
name
} or "/dev/sda";
type = "disk";
content = {
type = "gpt";


@ -4,12 +4,10 @@
"hand7s" = {
imports = [
"${self}/hand7s/"
self.inputs.agenix.homeManagerModules.default
self.inputs.spicetify-nix.homeManagerModules.default
self.inputs.hyprland.homeManagerModules.default
self.inputs.chaotic.homeManagerModules.default
self.inputs.sops-nix.homeManagerModules.sops
self.inputs.nix-index-database.homeModules.nix-index
self.inputs.noctalia.homeModules.default
];


@ -1,17 +0,0 @@
{
lib,
config,
...
}: {
networking = {
defaultGateway = lib.mkIf (config.networking.hostName == "mel") {
address = "45.11.229.1";
interface = "ens3";
};
defaultGateway6 = lib.mkIf (config.networking.hostName == "mel") {
address = "2a0e:97c0:3e3:2Oa::1";
interface = "ens3";
};
};
}


@ -1,11 +1,8 @@
_: {
networking = {
firewall = {
enable = true;
allowPing = true;
checkReversePath = false;
enable = false;
};
useNetworkd = true;
};
}
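Review bot: Disabling `networking.firewall` here is only safe because the same commit adds kyra/services/firewalld.nix and a `networking.nftables.enable = true` module, but nothing in this file records that dependency, so a later reader sees a host with its firewall switched off. Add `# packet filtering is delegated to firewalld (kyra/services/firewalld.nix); the NixOS firewall must stay off to avoid two rulesets on nftables` above `enable = false;`. Note also that the dropped `checkReversePath = false` no longer matters once the NixOS firewall is off, since the rpfilter rule is part of that module; if reverse-path filtering is still wanted it has to come from firewalld or a sysctl now.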


@ -1,57 +0,0 @@
{
config,
lib,
...
}: {
networking = {
firewall = {
interfaces = {
ens3 = {
allowedUDPPorts =
[
53580
53590
]
++ lib.optionals (config.networking.hostName == "hazel") [
443
25565
24
25
110
143
465
587
993
995
4190
53570
];
allowedTCPPorts =
[
53580
53590
]
++ lib.optionals (config.networking.hostName == "hazel") [
443
25565
24
25
110
143
465
587
993
995
4190
53570
];
};
};
};
};
}


@ -1,5 +1,5 @@
_: {
{name, ...}: {
networking = {
hostName = "kyra";
hostName = name;
};
}


@ -1,36 +0,0 @@
{
config,
lib,
...
}: {
networking = {
interfaces = {
ens3 = {
ipv4 = {
addresses = lib.optionals (config.networking.hostName == "mel") [
{
address = "45.11.229.254";
prefixLength = 24;
}
];
};
ipv6 = {
addresses =
lib.optionals (config.networking.hostName == "hazel") [
{
address = "2a03:6f01:1:2::cb1e";
prefixLength = 64;
}
]
++ lib.optionals (config.networking.hostName == "mel") [
{
address = "2a0e:97c0:3e3:2Oa::1";
prefixLength = 64;
}
];
};
};
};
};
}


@ -0,0 +1,7 @@
_: {
networking = {
nftables = {
enable = true;
};
};
}

kyra/security/acme.nix Normal file

@ -0,0 +1,18 @@
{config, ...}: {
security = {
acme = {
acceptTerms = true;
defaults = {
email = "litvinovb0@gmail.com";
};
certs = {
"hand7s.org" = {
dnsProvider = "cloudflare";
credentialsFile = config.sops.templates."acme.env".path;
group = "sing-box";
};
};
};
};
}
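Review bot: `group = "sing-box";` hands the private key of the hand7s.org certificate to every process in the sing-box group, which is what the sing-box inbound at `/var/lib/acme/hand7s.org/key.pem` needs, but that intent is not recorded anywhere in the file; add `# sing-box reads cert.pem/key.pem directly, hence the group` next to it. The same domain is also issued a second time by Traefik's own `cloudflare` certResolver in kyra/services/traefik.nix, so if both services run on one host there are two ACME accounts and two copies of the key for one name, and Let's Encrypt per-domain issuance limits are consumed twice; consider pointing one consumer at the other's certificate. `credentialsFile` coming from a sops template rather than an inline token is the right shape.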

kyra/services/alloy.nix Normal file

@ -0,0 +1,99 @@
{
config,
pkgs,
...
}: {
services = {
alloy = {
enable = true;
configPath = pkgs.writeText "alloy-config.alloy" ''
loki.source.journal "system" {
max_age = "24h"
forward_to = [loki.process.production.receiver]
labels = {
host = "${config.networking.hostName}",
job = "journalctl",
}
}
loki.process "production" {
forward_to = [loki.write.viola.receiver]
stage.labels {
values = {
unit = "__journal_systemd_unit__",
}
}
stage.label_keep {
values = ["unit"]
}
stage.match {
selector = `{unit=~"(traefik|sing-box|crowdsec|alloy|netbird).*\\.service"}`
action = "drop"
}
}
prometheus.exporter.unix "node" {
enable_collectors = [
"cpu", "diskstats", "filesystem",
"loadavg", "meminfo", "netdev",
"time", "uname",
]
}
prometheus.scrape "node" {
targets = prometheus.exporter.unix.node.targets
forward_to = [prometheus.remote_write.viola.receiver]
scrape_interval = "30s"
job_name = "node"
}
prometheus.scrape "alloy" {
targets = [{"__address__" = "127.0.0.1:12345"}]
forward_to = [prometheus.remote_write.viola.receiver]
job_name = "alloy"
}
loki.write "viola" {
endpoint {
url = "http://100.109.123.164:3100/loki/api/v1/push"
}
}
prometheus.remote_write "viola" {
endpoint {
url = "http://100.109.123.164:9009/api/v1/push"
}
}
otelcol.receiver.otlp "default" {
grpc {
endpoint = "0.0.0.0:4317"
}
http {
endpoint = "0.0.0.0:4318"
}
output {
traces = [otelcol.exporter.otlp.tempo.input]
}
}
otelcol.exporter.otlp "tempo" {
client {
endpoint = "http://100.109.123.164:4317"
tls {
insecure = true
}
}
}
'';
};
};
}
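Review bot: The OTLP receiver listens on `0.0.0.0:4317` and `0.0.0.0:4318` without any authentication, while the only producer visible in this commit is Traefik's tracing endpoint at `127.0.0.1:4317` in kyra/services/traefik.nix; bind both to loopback, `endpoint = "127.0.0.1:4317"` and `endpoint = "127.0.0.1:4318"`, so the collector is not reachable on interfaces that firewalld does not place in the `wan` zone (the netbird tunnel interface, presumably, lands in firewalld's default zone). The `stage.match` drop rule discards the journal of traefik, sing-box, crowdsec, alloy and netbird, which are exactly the units whose logs a defender wants in Loki for detection and incident review; a level-based filter would cut volume without blinding those services. The Loki, Mimir and Tempo endpoints are plain HTTP with `insecure = true`, which is acceptable only if 100.109.123.164 is reached over the overlay network, and that assumption deserves a comment on the `url` lines.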


@ -1,60 +0,0 @@
{
config,
pkgs,
lib,
...
}: {
services = {
caddy = {
enable =
lib.mkIf (
config.networking.hostName == "hazel"
)
true;
package = pkgs.caddy.withPlugins {
plugins = [
"github.com/mholt/caddy-l4@v0.0.0-20250902102621-4a517a98d7fa"
"github.com/caddy-dns/cloudflare@v0.2.1"
];
hash = "sha256-1/jRWotKCvx7QncjVSVGYXb2gAmIiokC/ZbCUelG5Rc=";
};
globalConfig = ''
debug
email me@hand7s.org
acme_ca https://acme-v02.api.letsencrypt.org/directory
'';
# acme_ca https://api.zerossl.com/directory
virtualHosts = {
"hand7s.org" = {
extraConfig = ''
respond "hi! :D WIP btw"
'';
};
"git.hand7s.org" = {
extraConfig = ''
reverse_proxy ${homeIP}:53350
'';
};
"bin.hand7s.org" = {
extraConfig = ''
reverse_proxy ${homeIP}:80
'';
};
"zitadel.hand7s.org" = {
extraConfig = ''
reverse_proxy ${homeIP}:8443
'';
};
};
};
};
}

kyra/services/firewalld.nix Normal file

@ -0,0 +1,154 @@
{
name,
lib,
...
}: {
services = {
firewalld = {
enable = true;
services = {
"ssh" = {
short = "openssh";
ports = [
{
port = 60009;
protocol = "tcp";
}
];
};
"stalwart" = {
short = "Stalwart-mail";
ports =
lib.forEach [
25
110
143
465
993
995
4190
] (
port: {
protocol = "tcp";
inherit
port
;
}
);
};
"consul" = {
short = "Consul";
ports =
lib.forEach [
8300
8301
8302
8500
8600
] (
port: {
protocol = "tcp";
inherit
port
;
}
)
++ lib.forEach [
8301
8302
8600
] (
port: {
protocol = "udp";
inherit
port
;
}
);
};
};
zones = {
"trusted" = {
services = [
"consul"
];
};
"wan" = {
ports = [
{
port = 2053;
protocol = "udp";
}
{
port = 8443;
protocol = "tcp";
}
{
port = 51820;
protocol = "udp";
}
];
icmpBlockInversion = true;
icmpBlocks = [
"echo-request"
"destination-unreachable"
"parameter-problem"
"time-exceeded"
];
interfaces = lib.concatLists [
(
lib.optionals (
lib.elem name [
"hazel"
"lynn"
"yara"
"ivy"
]
) [
"ens3"
]
)
(
lib.optionals (
name == "mel"
) [
"eth0"
]
)
];
services = lib.concatLists [
[
"ssh"
"http"
"https"
]
(
lib.optionals (
lib.elem name [
"hazel"
"lynn"
"mel"
]
) [
"minecraft"
"stalwart"
]
)
];
};
};
};
};
}
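Review bot: The `stalwart` service opens 25, 110, 143, 465, 993, 995 and 4190 but not 587, while kyra/services/traefik.nix in this same commit adds a `submission` entryPoint on `:587` and the deleted networking/firewall/ens3.nix did allow 587; add `587` to the `lib.forEach` port list or the submission router is unreachable from the WAN zone. The ssh port 60009 is duplicated between this file and kyra/services/openssh.nix; deriving it from `config.services.openssh.ports` (after adding `config` to the module arguments) removes one way for the two to drift. Interfaces that do not match the `wan` list, including the netbird tunnel, fall into firewalld's default zone, which this file never sets; an explicit default zone would make the policy for unlisted interfaces deliberate rather than inherited.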


@ -1,7 +1,17 @@
{...}: {
{config, ...}: {
services = {
netbird = {
enable = true;
clients = {
"wt0" = {
port = 51820;
login = {
enable = true;
setupKeyFile = config.sops.secrets."nbKey".path;
};
};
};
};
};
}


@ -3,7 +3,14 @@ _: {
openssh = {
enable = true;
ports = [
58693
60009
];
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
settings = {


@ -0,0 +1,39 @@
_: {
services = {
resolved = {
enable = true;
dnsovertls = toString true;
dnssec = toString true;
llmnr = toString true;
domains = [
"~."
];
fallbackDns = [
# cf dns
"1.1.1.1"
"1.0.0.1"
"2606:4700:4700::1111"
"2606:4700:4700::1001"
# google dns
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
# q9 dns
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
# open dns
"208.67.222.222"
"208.67.220.220"
"2620:119:35::35"
"2620:119:53::53"
];
};
};
}
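Review bot: `dnsovertls = toString true` selects strict DNS-over-TLS, but every entry in `fallbackDns` is a bare IP, so resolved can only validate the upstream certificate against the IP address; the `ip#hostname` form, e.g. `"1.1.1.1#cloudflare-dns.com"`, lets it verify the server name as well and is the documented way to pin strict mode to a provider. `llmnr = toString true` enables multicast name resolution on every link, which has no use on these WAN-facing VPS hosts and is a classic spoofing surface on any shared segment; `llmnr = toString false` is the safer default here. No primary `dns` list is set, so these hosts depend entirely on fallback servers unless networkd supplies DNS per link, which kyra/systemd/networkd.nix in this commit does not; a comment stating that this is intended would help.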


@ -1,26 +1,33 @@
{...}: {
{lib, ...}: {
services = {
sing-box = {
enable = true;
settings = {
log = {
level = "debug";
level = "error";
};
dns = {
servers = [
{
type = "local";
tag = "cloudflare";
type = "quic";
server = "1.1.1.1";
}
{
tag = "local";
type = "local";
}
];
final = "local";
strategy = "prefer_ipv6";
final = "cloudflare";
strategy = "prefer_ipv4";
};
route = {
final = "direct-out";
default_domain_resolver = "cloudflare";
auto_detect_interface = true;
};
@ -32,54 +39,69 @@
];
inbounds = [
{
type = "hysteria2";
tag = "hy2-in";
listen = "::";
listen_port = 2053;
masquerade = "https://hand7s.org";
up_mbps = 100;
down_mbps = 100;
obfs = {
type = "salamander";
password = lib.hashString "sha512" "randomstring"; # not a real string
};
users = [
{
name = "hand7s";
password = lib.hashString "sha512" "userstring"; # not a real string
}
];
tls = {
enabled = true;
server_name = "hand7s.org";
certificate_path = "/var/lib/acme/hand7s.org/cert.pem";
key_path = "/var/lib/acme/hand7s.org/key.pem";
};
}
{
type = "vless";
tag = "vless-inbound";
listen = "::";
listen_port = 53570;
listen_port = 8443;
sniff = true;
users = [
{
name = "hand7s_1";
uuid = "${singboxUUID2}";
flow = "xtls-rprx-vision";
}
{
name = "hand7s_2";
uuid = "${singboxUUID2}";
name = "hand7s";
uuid = lib.hashString "sha512" "uuidstring"; # not a real string
flow = "xtls-rprx-vision";
}
];
tls = rec {
tls = {
enabled = true;
server_name = "vk.com";
server_name = "hand7s.org";
reality = {
enabled = true;
max_time_difference = "5m";
handshake = {
server = server_name;
server = "127.0.0.1";
server_port = 443;
};
private_key = "${singboxKey}";
private_key = lib.hashString "sha512" "uuidstring"; # not a real string
short_id = [
"${singboxId}"
"shortie"
];
};
};
transport = {
type = "httpupgrade";
};
multiplex = {
enabled = true;
padding = false;
};
}
];
};
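Review bot: The hysteria2 obfs password, the user password, the vless `uuid` and the reality `private_key` are all computed inline with `lib.hashString "sha512"` over placeholder literals, and `short_id` is `"shortie"`; whatever real values eventually replace the placeholders become part of the rendered sing-box config in the world-readable Nix store, whereas netbird and acme in this same commit already take their secrets through sops. Independently of secrecy, a sha512 hex digest is not an RFC 4122 UUID and `"shortie"` is not a hex string of at most eight characters, so sing-box config validation will most likely reject this inbound as written; the reality private key must also be an X25519 key, not a digest. Route these fields through a `config.sops.templates` file, as the other services do, and leave the hysteria2 `tls` block pointing at the ACME paths as it already is. This `};` closes `settings` only; the module continues past the hunk.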

kyra/services/traefik.nix Normal file

@ -0,0 +1,459 @@
{config, ...}: {
services = {
traefik = {
enable = true;
environmentFiles = [
config.sops.templates."traefik.env".path
];
dynamicConfigOptions = {
http = {
routers = {
"site" = {
rule = "Host(`hand7s.org`)";
service = "site-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = "*.hand7s.org";
}
];
};
entryPoints = [
"websecure"
];
};
"git" = {
rule = "Host(`git.hand7s.org`)";
service = "git-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"cicd" = {
rule = "Host(`woodpecker.hand7s.org`)";
service = "cicd-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"oidc" = {
rule = "Host(`zitadel.hand7s.org`)";
service = "oidc-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"bin" = {
rule = "Host(`bin.hand7s.org`)";
service = "bin-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"lgtm" = {
rule = "Host(`grafana.hand7s.org`)";
service = "lgtm-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
};
services = {
"site-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:8180";
}
];
};
};
"git-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53350";
}
];
};
};
"oidc-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:8443";
}
];
};
};
"bin-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53352";
}
];
};
};
"cicd-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53351";
}
];
};
};
"lgtm-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:3030";
}
];
};
};
};
};
tcp = {
routers = {
"minecraft" = {
rule = "HostSNI(`*`)";
service = "mc-svc";
entryPoints = [
"minecraft"
];
};
"smtp" = {
rule = "HostSNI(`*`)";
service = "smtp-svc";
entryPoints = [
"smtp"
];
};
"pop3" = {
rule = "HostSNI(`*`)";
service = "pop-svc";
entryPoints = [
"pop3"
];
};
"submissions" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "submissions-svc";
entryPoints = [
"submissions"
];
};
"submission" = {
rule = "HostSNI(`*`)";
service = "submission-svc";
entryPoints = [
"submission"
];
};
"imaptls" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "imaptls-svc";
entryPoints = [
"imaptls"
];
};
"pop3s" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "pop3s-svc";
entryPoints = [
"pop3s"
];
};
"managesieve" = {
rule = "HostSNI(`*`)";
service = "managesieve-svc";
entryPoints = [
"managesieve"
];
};
};
};
services = {
"mc-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:25565";
}
];
};
};
"smtp-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:25";
}
];
};
};
"pop3-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:110";
}
];
};
};
"imap-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:143";
}
];
};
};
"submissions-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:465";
}
];
};
};
"submission-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:587";
}
];
};
};
"imaptls-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:993";
}
];
};
};
"pop3s-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:995";
}
];
};
};
"managesieve-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:4190";
}
];
};
};
};
};
staticConfigOptions = {
api = {
dashboard = true;
};
tracing = {
otlp = {
grpc = {
endpoint = "127.0.0.1:4317";
insecure = true;
};
};
};
certificatesResolvers = {
"cloudflare" = {
acme = {
email = "litvinovb0@gmail.com";
storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
};
};
};
};
log = {
level = "DEBUG";
};
entryPoints = {
"web" = {
address = ":80";
http = {
redirections = {
entryPoint = {
to = "websecure";
scheme = "https";
};
};
};
};
"websecure" = {
address = ":443";
http = {
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
};
};
"minecraft" = {
address = ":25565";
};
"smtp" = {
address = ":25";
};
"pop3" = {
address = ":110";
};
"imap" = {
address = ":143";
};
"submissions" = {
address = ":465";
};
"submission" = {
address = ":587";
};
"imaptls" = {
address = ":993";
};
"pop3s" = {
address = ":995";
};
"managesieve" = {
address = ":4190";
};
};
};
};
};
}
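Review bot: The `pop3` TCP router points at `service = "pop-svc"`, but the service is declared as `pop3-svc`, so that router never loads; the `imap` entryPoint on `:143` and `imap-svc` exist without any router, so port 143 is accepted and dropped. The `submissions`, `imaptls` and `pop3s` routers use a concrete `HostSNI` without a `tls` block, and Traefik only evaluates a non-wildcard SNI on TLS-enabled routers; since 465, 993 and 995 are implicit-TLS ports terminated by the backend, `tls.passthrough = true` appears to be the intent. The `site` router's `sans = "*.hand7s.org"` is a string where every other router passes a list, which the decoder for `[]string` is unlikely to accept. The following excerpt shows the corrected routers; `log.level = "DEBUG"` on a production edge proxy is also worth a comment or a downgrade once staging is over.
```nix
# … unchanged: http routers ("site" keeps `sans = [ "*.hand7s.org" ];` like the others) …
"pop3" = {
  rule = "HostSNI(`*`)";
  service = "pop3-svc";
  # … unchanged: entryPoints …
};
"submissions" = {
  rule = "HostSNI(`mail.hand7s.org`)";
  service = "submissions-svc";
  tls = {
    passthrough = true;
  };
  # … unchanged: entryPoints …
};
# … same `tls = { passthrough = true; };` added to "imaptls" and "pop3s" …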

kyra/systemd/networkd.nix Normal file

@ -0,0 +1,120 @@
{
name,
lib,
...
}: {
systemd = {
network = {
enable = true;
networks = lib.mkMerge [
(
lib.mkIf (
name == "mel"
)
{
"10-eth0" = {
matchConfig.Name = "eth0";
networkConfig = {
IPv6AcceptRA = false;
Address = [
"45.11.229.245/24"
"2a0e:97c0:3e3:20a::1/64"
];
};
routes = [
{
routeConfig = {
Gateway = "45.11.229.1";
};
}
{
routeConfig = {
Gateway = "fe80::1";
GatewayOnLink = true;
};
}
];
};
}
)
(
lib.mkIf (
name == "yara"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
networkConfig = {
IPv6AcceptRA = false;
Address = [
"138.124.240.75/32"
"2a0d:d940:1a:1500::2/56"
];
};
routes = [
{
routeConfig = {
Gateway = "10.0.0.1";
GatewayOnLink = true;
};
}
{
routeConfig = {
Gateway = "2a0d:d940:1a:1500::1";
GatewayOnLink = true;
};
}
];
};
}
)
(
lib.mkIf (
name == "hazel"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
networkConfig = {
Address = "90.156.226.152/24";
Gateway = "90.156.226.1";
IPv6AcceptRA = false;
};
};
}
)
(
lib.mkIf (
name == "lynn"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
networkConfig = {
Address = "138.124.72.244/24";
Gateway = "138.124.72.1";
IPv6AcceptRA = false;
};
};
}
)
];
};
};
}
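Review bot: The mel IPv4 address is `45.11.229.245/24` here but was `45.11.229.254` in the networking/interfaces/ens3.nix deleted by this commit, and the two differ only by transposed digits; confirm which one the provider assigned before this replaces the old config, since a wrong static address takes the host offline with no console path back. The IPv6 address does fix the old `2Oa` (letter O) typo to `20a`, which is worth a line in the commit message. Depending on the nixpkgs pin, the `routeConfig` wrapper under `routes` has been removed from the systemd-networkd module in favour of placing `Gateway` and `GatewayOnLink` directly in each route entry, so this file may not evaluate on a recent channel.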


@ -4,7 +4,6 @@ _: {
"alep0u" = {
description = "alep0u";
isNormalUser = true;
password = "alep0u";
extraGroups = [
"wheel"
"docker"
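Review bot: Removing the plaintext `password = "alep0u"` is correct, but the visible hunk leaves the account with no password at all while it stays in `wheel`, so sudo will prompt for a password that cannot be entered unless `hashedPasswordFile` is set elsewhere or `security.sudo.wheelNeedsPassword = false` is configured. If key-only login with passwordless sudo is the intent, say so with a comment such as `# no password on purpose: SSH key login, sudo via wheel` so the next reader does not reintroduce one. The user definition continues outside the hunk; the same consideration applies to the `hand7s` hunk below.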


@ -4,7 +4,6 @@ _: {
"hand7s" = {
description = "hands";
isNormalUser = true;
hashedPassword = "$y$j9T$eHfq328GBp7Ga8xsbOTV/0$kcihv7zWLqSkj2jKAhI1pdbTSwvaf2RY5Rokm69XTL/";
extraGroups = [
"wheel"
"docker"
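Review bot: Dropping the `hashedPassword` line from this file does not remove the yescrypt hash from history; the parent commit db3b60a846 still carries it, so the underlying password should be rotated rather than only untracked. If a password is still needed, keep the hash out of the repository by pointing `users.users.hand7s.hashedPasswordFile` at a sops secret, consistent with how netbird and acme obtain their material in this commit. The user definition continues outside the hunk.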


@ -1,14 +0,0 @@
_: {
virtualisation = {
oci-containers = {
backend = "docker";
};
docker = {
enable = true;
rootless = {
enable = true;
};
};
};
}


@ -0,0 +1,11 @@
_: {
virtualisation = {
vmVariant = {
virtualisation = {
cores = 2;
memorySize = 2048;
diskSize = 20480;
};
};
};
}