staging(no atomic commits thank to git-hooks)

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
This commit is contained in:
s0me1newithhand7s 2026-03-25 17:56:18 +03:00
parent db3b60a846
commit c5f949506a
117 changed files with 2520 additions and 999 deletions

99
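--- a/kyra/services/alloy.nix
+++ b/kyra/services/alloy.nix
@@ -0,0 +1,99 @@
+{
+config,
+pkgs,
+...
+}: {
+services = {
+alloy = {
+enable = true;
+configPath = pkgs.writeText "alloy-config.alloy" ''
+loki.source.journal "system" {
+max_age = "24h"
+forward_to = [loki.process.production.receiver]
+labels = {
+host = "${config.networking.hostName}",
+job = "journalctl",
+}
+}
+loki.process "production" {
+forward_to = [loki.write.viola.receiver]
+stage.labels {
+values = {
+unit = "__journal_systemd_unit__",
+}
+}
+stage.label_keep {
+values = ["unit"]
+}
+stage.match {
+selector = `{unit=~"(traefik|sing-box|crowdsec|alloy|netbird).*\\.service"}`
+action = "drop"
+}
+}
+prometheus.exporter.unix "node" {
+enable_collectors = [
+"cpu", "diskstats", "filesystem",
+"loadavg", "meminfo", "netdev",
+"time", "uname",
+]
+}
+prometheus.scrape "node" {
+targets = prometheus.exporter.unix.node.targets
+forward_to = [prometheus.remote_write.viola.receiver]
+scrape_interval = "30s"
+job_name = "node"
+}
+prometheus.scrape "alloy" {
+targets = [{"__address__" = "127.0.0.1:12345"}]
+forward_to = [prometheus.remote_write.viola.receiver]
+job_name = "alloy"
+}
+loki.write "viola" {
+endpoint {
+url = "http://100.109.123.164:3100/loki/api/v1/push"
+}
+}
+prometheus.remote_write "viola" {
+endpoint {
+url = "http://100.109.123.164:9009/api/v1/push"
+}
+}
+otelcol.receiver.otlp "default" {
+grpc {
+endpoint = "0.0.0.0:4317"
+}
+http {
+endpoint = "0.0.0.0:4318"
+}
+output {
+traces = [otelcol.exporter.otlp.tempo.input]
+}
+}
+otelcol.exporter.otlp "tempo" {
+client {
+endpoint = "http://100.109.123.164:4317"
+tls {
+insecure = true
+}
+}
+}
+'';
+};
+};
+}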
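Review bot: The drop rule in `stage.match` most likely never fires: the selector is an Alloy backtick raw string and Nix `''` indented strings do not process backslashes, so the regex reaches the matcher as `.*\\.service`, which demands a literal backslash before "service" that no systemd unit name contains; the value inside the backticks should read `{unit=~"(traefik|sing-box|crowdsec|alloy|netbird).*\.service"}`. Separately, `otelcol.receiver.otlp` binds `0.0.0.0:4317` and `0.0.0.0:4318` while the only producer visible in this commit (traefik's tracing block) sends to `127.0.0.1:4317`, so binding both listeners to `127.0.0.1` avoids exposing an unauthenticated OTLP receiver on every interface. The Loki, Prometheus and Tempo exporters also push over plain HTTP / `insecure = true` to 100.109.123.164; if that address is an overlay-network peer this may be acceptable, but a one-line comment saying so would help, since nothing here encrypts or authenticates those pushes.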


@ -1,60 +0,0 @@
{
config,
pkgs,
lib,
...
}: {
services = {
caddy = {
enable =
lib.mkIf (
config.networking.hostName == "hazel"
)
true;
package = pkgs.caddy.withPlugins {
plugins = [
"github.com/mholt/caddy-l4@v0.0.0-20250902102621-4a517a98d7fa"
"github.com/caddy-dns/cloudflare@v0.2.1"
];
hash = "sha256-1/jRWotKCvx7QncjVSVGYXb2gAmIiokC/ZbCUelG5Rc=";
};
globalConfig = ''
debug
email me@hand7s.org
acme_ca https://acme-v02.api.letsencrypt.org/directory
'';
# acme_ca https://api.zerossl.com/directory
virtualHosts = {
"hand7s.org" = {
extraConfig = ''
respond "hi! :D WIP btw"
'';
};
"git.hand7s.org" = {
extraConfig = ''
reverse_proxy ${homeIP}:53350
'';
};
"bin.hand7s.org" = {
extraConfig = ''
reverse_proxy ${homeIP}:80
'';
};
"zitadel.hand7s.org" = {
extraConfig = ''
reverse_proxy ${homeIP}:8443
'';
};
};
};
};
}

154
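--- a/kyra/services/firewalld.nix
+++ b/kyra/services/firewalld.nix
@@ -0,0 +1,154 @@
+{
+name,
+lib,
+...
+}: {
+services = {
+firewalld = {
+enable = true;
+services = {
+"ssh" = {
+short = "openssh";
+ports = [
+{
+port = 60009;
+protocol = "tcp";
+}
+];
+};
+"stalwart" = {
+short = "Stalwart-mail";
+ports =
+lib.forEach [
+25
+110
+143
+465
+993
+995
+4190
+] (
+port: {
+protocol = "tcp";
+inherit
+port
+;
+}
+);
+};
+"consul" = {
+short = "Consul";
+ports =
+lib.forEach [
+8300
+8301
+8302
+8500
+8600
+] (
+port: {
+protocol = "tcp";
+inherit
+port
+;
+}
+)
+++ lib.forEach [
+8301
+8302
+8600
+] (
+port: {
+protocol = "udp";
+inherit
+port
+;
+}
+);
+};
+};
+zones = {
+"trusted" = {
+services = [
+"consul"
+];
+};
+"wan" = {
+ports = [
+{
+port = 2053;
+protocol = "udp";
+}
+{
+port = 8443;
+protocol = "tcp";
+}
+{
+port = 51820;
+protocol = "udp";
+}
+];
+icmpBlockInversion = true;
+icmpBlocks = [
+"echo-request"
+"destination-unreachable"
+"parameter-problem"
+"time-exceeded"
+];
+interfaces = lib.concatLists [
+(
+lib.optionals (
+lib.elem name [
+"hazel"
+"lynn"
+"yara"
+"ivy"
+]
+) [
+"ens3"
+]
+)
+(
+lib.optionals (
+name == "mel"
+) [
+"eth0"
+]
+)
+];
+services = lib.concatLists [
+[
+"ssh"
+"http"
+"https"
+]
+(
+lib.optionals (
+lib.elem name [
+"hazel"
+"lynn"
+"mel"
+]
+) [
+"minecraft"
+"stalwart"
+]
+)
+];
+};
+};
+};
+};
+}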
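Review bot: `icmpBlockInversion = true` in the `wan` zone turns `icmpBlocks` into an allow-list, so every ICMP type not named there is dropped, including the ICMPv6 types this host appears to rely on (sing-box listens on `::` and resolved gets IPv6 fallback servers elsewhere in this commit): `packet-too-big` for path-MTU discovery and the neighbour-discovery types. Adding at least `"packet-too-big"` to the list, and confirming that firewalld's backend still passes neighbour solicitation/advertisement with inversion enabled, avoids silently breaking IPv6 on the wan interfaces. The `ssh` service definition on port 60009 mirrors the openssh port change in this commit; a comment such as `# custom sshd port, keep in sync with the openssh ports list` would make that coupling visible to the next reader.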


@ -1,7 +1,17 @@
{...}: {
{config, ...}: {
services = {
netbird = {
enable = true;
clients = {
"wt0" = {
port = 51820;
login = {
enable = true;
setupKeyFile = config.sops.secrets."nbKey".path;
};
};
};
};
};
}


@ -3,7 +3,14 @@ _: {
openssh = {
enable = true;
ports = [
58693
60009
];
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
settings = {


@ -0,0 +1,39 @@
_: {
services = {
resolved = {
enable = true;
dnsovertls = toString true;
dnssec = toString true;
llmnr = toString true;
domains = [
"~."
];
fallbackDns = [
# cf dns
"1.1.1.1"
"1.0.0.1"
"2606:4700:4700::1111"
"2606:4700:4700::1001"
# google dns
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
# q9 dns
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
# open dns
"208.67.222.222"
"208.67.220.220"
"2620:119:35::35"
"2620:119:53::53"
];
};
};
}
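Review bot: `dnsovertls = toString true` puts systemd-resolved in strict DNS-over-TLS mode, but every `fallbackDns` entry is a bare address, and per resolved.conf(5) the server certificate is only validated against a name given after `#`; without it the session is encrypted but the upstream is not authenticated. Writing the entries as `"1.1.1.1#cloudflare-dns.com"`, `"8.8.8.8#dns.google"`, `"9.9.9.9#dns.quad9.net"` and `"208.67.222.222#dns.opendns.com"` (and likewise for the IPv6 and secondary addresses) closes that gap. Note that `fallbackDns` is only consulted when no per-link or global DNS servers are configured, so whether these servers are ever used depends on network setup not visible here. The `toString true` idiom for the three enum options is indirect; the literal `"true"` reads more clearly.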


@ -1,26 +1,33 @@
{...}: {
{lib, ...}: {
services = {
sing-box = {
enable = true;
settings = {
log = {
level = "debug";
level = "error";
};
dns = {
servers = [
{
type = "local";
tag = "cloudflare";
type = "quic";
server = "1.1.1.1";
}
{
tag = "local";
type = "local";
}
];
final = "local";
strategy = "prefer_ipv6";
final = "cloudflare";
strategy = "prefer_ipv4";
};
route = {
final = "direct-out";
default_domain_resolver = "cloudflare";
auto_detect_interface = true;
};
@ -32,54 +39,69 @@
];
inbounds = [
{
type = "hysteria2";
tag = "hy2-in";
listen = "::";
listen_port = 2053;
masquerade = "https://hand7s.org";
up_mbps = 100;
down_mbps = 100;
obfs = {
type = "salamander";
password = lib.hashString "sha512" "randomstring"; # not a real string
};
users = [
{
name = "hand7s";
password = lib.hashString "sha512" "userstring"; # not a real string
}
];
tls = {
enabled = true;
server_name = "hand7s.org";
certificate_path = "/var/lib/acme/hand7s.org/cert.pem";
key_path = "/var/lib/acme/hand7s.org/key.pem";
};
}
{
type = "vless";
tag = "vless-inbound";
listen = "::";
listen_port = 53570;
listen_port = 8443;
sniff = true;
users = [
{
name = "hand7s_1";
uuid = "${singboxUUID2}";
flow = "xtls-rprx-vision";
}
{
name = "hand7s_2";
uuid = "${singboxUUID2}";
name = "hand7s";
uuid = lib.hashString "sha512" "uuidstring"; # not a real string
flow = "xtls-rprx-vision";
}
];
tls = rec {
tls = {
enabled = true;
server_name = "vk.com";
server_name = "hand7s.org";
reality = {
enabled = true;
max_time_difference = "5m";
handshake = {
server = server_name;
server = "127.0.0.1";
server_port = 443;
};
private_key = "${singboxKey}";
private_key = lib.hashString "sha512" "uuidstring"; # not a real string
short_id = [
"${singboxId}"
"shortie"
];
};
};
transport = {
type = "httpupgrade";
};
multiplex = {
enabled = true;
padding = false;
};
}
];
};
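Review bot: Every secret in the second hunk (`obfs.password`, the user passwords, `users[].uuid`, `reality.private_key`, `short_id`) is now a `lib.hashString` of a string literal, and anything produced this way ends up in the world-readable Nix store and the rendered config, so real values must never be substituted in place of these placeholders. The netbird hunk in this same commit already reads its setup key through `config.sops.secrets`, and the NixOS sing-box module accepts `{ _secret = "/path"; }` for settings that hold secret data, which keeps the key, passwords and UUID out of the store. The placeholder shapes also will not validate when sing-box loads them: a SHA-512 hex digest is neither a UUID for `users[].uuid` nor an X25519 `private_key`, and Reality `short_id` entries must be hexadecimal, which `"shortie"` is not. A comment such as `# secrets: read via sops (_secret), never inline` on the inbound would document the intended source. The `inbounds` list and the enclosing `settings` attribute start outside this hunk.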

459
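--- a/kyra/services/traefik.nix
+++ b/kyra/services/traefik.nix
@@ -0,0 +1,459 @@
+{config, ...}: {
+services = {
+traefik = {
+enable = true;
+environmentFiles = [
+config.sops.templates."traefik.env".path
+];
+dynamicConfigOptions = {
+http = {
+routers = {
+"site" = {
+rule = "Host(`hand7s.org`)";
+service = "site-svc";
+tls = {
+certResolver = "cloudflare";
+domains = [
+{
+main = "hand7s.org";
+sans = "*.hand7s.org";
+}
+];
+};
+entryPoints = [
+"websecure"
+];
+};
+"git" = {
+rule = "Host(`git.hand7s.org`)";
+service = "git-svc";
+tls = {
+certResolver = "cloudflare";
+domains = [
+{
+main = "hand7s.org";
+sans = [
+"*.hand7s.org"
+];
+}
+];
+};
+entryPoints = [
+"websecure"
+];
+};
+"cicd" = {
+rule = "Host(`woodpecker.hand7s.org`)";
+service = "cicd-svc";
+tls = {
+certResolver = "cloudflare";
+domains = [
+{
+main = "hand7s.org";
+sans = [
+"*.hand7s.org"
+];
+}
+];
+};
+entryPoints = [
+"websecure"
+];
+};
+"oidc" = {
+rule = "Host(`zitadel.hand7s.org`)";
+service = "oidc-svc";
+tls = {
+certResolver = "cloudflare";
+domains = [
+{
+main = "hand7s.org";
+sans = [
+"*.hand7s.org"
+];
+}
+];
+};
+entryPoints = [
+"websecure"
+];
+};
+"bin" = {
+rule = "Host(`bin.hand7s.org`)";
+service = "bin-svc";
+tls = {
+certResolver = "cloudflare";
+domains = [
+{
+main = "hand7s.org";
+sans = [
+"*.hand7s.org"
+];
+}
+];
+};
+entryPoints = [
+"websecure"
+];
+};
+"lgtm" = {
+rule = "Host(`grafana.hand7s.org`)";
+service = "lgtm-svc";
+tls = {
+certResolver = "cloudflare";
+domains = [
+{
+main = "hand7s.org";
+sans = [
+"*.hand7s.org"
+];
+}
+];
+};
+entryPoints = [
+"websecure"
+];
+};
+};
+services = {
+"site-svc" = {
+loadBalancer = {
+servers = [
+{
+url = "http://100.109.123.164:8180";
+}
+];
+};
+};
+"git-svc" = {
+loadBalancer = {
+servers = [
+{
+url = "http://100.109.123.164:53350";
+}
+];
+};
+};
+"oidc-svc" = {
+loadBalancer = {
+servers = [
+{
+url = "http://100.109.123.164:8443";
+}
+];
+};
+};
+"bin-svc" = {
+loadBalancer = {
+servers = [
+{
+url = "http://100.109.123.164:53352";
+}
+];
+};
+};
+"cicd-svc" = {
+loadBalancer = {
+servers = [
+{
+url = "http://100.109.123.164:53351";
+}
+];
+};
+};
+"lgtm-svc" = {
+loadBalancer = {
+servers = [
+{
+url = "http://100.109.123.164:3030";
+}
+];
+};
+};
+};
+};
+tcp = {
+routers = {
+"minecraft" = {
+rule = "HostSNI(`*`)";
+service = "mc-svc";
+entryPoints = [
+"minecraft"
+];
+};
+"smtp" = {
+rule = "HostSNI(`*`)";
+service = "smtp-svc";
+entryPoints = [
+"smtp"
+];
+};
+"pop3" = {
+rule = "HostSNI(`*`)";
+service = "pop-svc";
+entryPoints = [
+"pop3"
+];
+};
+"submissions" = {
+rule = "HostSNI(`mail.hand7s.org`)";
+service = "submissions-svc";
+entryPoints = [
+"submissions"
+];
+};
+"submission" = {
+rule = "HostSNI(`*`)";
+service = "submission-svc";
+entryPoints = [
+"submission"
+];
+};
+"imaptls" = {
+rule = "HostSNI(`mail.hand7s.org`)";
+service = "imaptls-svc";
+entryPoints = [
+"imaptls"
+];
+};
+"pop3s" = {
+rule = "HostSNI(`mail.hand7s.org`)";
+service = "pop3s-svc";
+entryPoints = [
+"pop3s"
+];
+};
+"managesieve" = {
+rule = "HostSNI(`*`)";
+service = "managesieve-svc";
+entryPoints = [
+"managesieve"
+];
+};
+};
+};
+services = {
+"mc-svc" = {
+loadBalancer = {
+servers = [
+{
+address = "100.109.123.164:25565";
+}
+];
+};
+};
+"smtp-svc" = {
+loadBalancer = {
+servers = [
+{
+address = "100.109.123.164:25";
+}
+];
+};
+};
+"pop3-svc" = {
+loadBalancer = {
+servers = [
+{
+address = "100.109.123.164:110";
+}
+];
+};
+};
+"imap-svc" = {
+loadBalancer = {
+servers = [
+{
+address = "100.109.123.164:143";
+}
+];
+};
+};
+"submissions-svc" = {
+loadBalancer = {
+servers = [
+{
+address = "100.109.123.164:465";
+}
+];
+};
+};
+"submission-svc" = {
+loadBalancer = {
+servers = [
+{
+address = "100.109.123.164:587";
+}
+];
+};
+};
+"imaptls-svc" = {
+loadBalancer = {
+servers = [
+{
+address = "100.109.123.164:993";
+}
+];
+};
+};
+"pop3s-svc" = {
+loadBalancer = {
+servers = [
+{
+address = "100.109.123.164:995";
+}
+];
+};
+};
+"managesieve-svc" = {
+loadBalancer = {
+servers = [
+{
+address = "100.109.123.164:4190";
+}
+];
+};
+};
+};
+};
+staticConfigOptions = {
+api = {
+dashboard = true;
+};
+tracing = {
+otlp = {
+grpc = {
+endpoint = "127.0.0.1:4317";
+insecure = true;
+};
+};
+};
+certificatesResolvers = {
+"cloudflare" = {
+acme = {
+email = "litvinovb0@gmail.com";
+storage = "${config.services.traefik.dataDir}/acme.json";
+dnsChallenge = {
+provider = "cloudflare";
+resolvers = [
+"1.1.1.1:53"
+"8.8.8.8:53"
+];
+};
+};
+};
+};
+log = {
+level = "DEBUG";
+};
+entryPoints = {
+"web" = {
+address = ":80";
+http = {
+redirections = {
+entryPoint = {
+to = "websecure";
+scheme = "https";
+};
+};
+};
+};
+"websecure" = {
+address = ":443";
+http = {
+tls = {
+certResolver = "cloudflare";
+domains = [
+{
+main = "hand7s.org";
+sans = [
+"*.hand7s.org"
+];
+}
+];
+};
+};
+};
+"minecraft" = {
+address = ":25565";
+};
+"smtp" = {
+address = ":25";
+};
+"pop3" = {
+address = ":110";
+};
+"imap" = {
+address = ":143";
+};
+"submissions" = {
+address = ":465";
+};
+"submission" = {
+address = ":587";
+};
+"imaptls" = {
+address = ":993";
+};
+"pop3s" = {
+address = ":995";
+};
+"managesieve" = {
+address = ":4190";
+};
+};
+};
+};
+};
+}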
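Review bot: The `pop3` TCP router references `service = "pop-svc"`, but the service defined below is `"pop3-svc"`, so that router cannot resolve its backend when the dynamic config loads; the line should read `service = "pop3-svc";`. In the `site` HTTP router, `sans = "*.hand7s.org";` is a bare string while every other router and the `websecure` entryPoint give `sans` as a list, and Traefik's `domains[].sans` is list-valued, so it should be `sans = [ "*.hand7s.org" ];`. An `imap` entryPoint on `:143` and an `imap-svc` service are both declared but no TCP router joins them, so the port is listened on but never routed; either add the router or drop both. `log.level = "DEBUG"` on a proxy that also fronts the mail-protocol TCP streams is noisy and, if it is meant to be temporary, deserves a comment saying so.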