vps: add zapret; configure wiretuard ui. up

This commit is contained in:
jmarkin 2025-10-27 00:43:20 +03:00
parent 1e14909950
commit 1127eac829
13 changed files with 123520 additions and 40 deletions


@ -50,11 +50,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1757108414,
"narHash": "sha256-0S8/MQLpnYmwEIqWCU6TBr/NibagfaWkqMOTv7He2Zg=",
"lastModified": 1761172885,
"narHash": "sha256-oV313qlvIissxZdbjKwymnkmhLOnCUn8ckNxF33gWMM=",
"owner": "Saghen",
"repo": "blink.pairs",
"rev": "c2d4030c10e6628de159cbac79a32a70ad746290",
"rev": "66e22e00b2f6ed6217abfceb53f6675f75fafe12",
"type": "github"
},
"original": {
@ -412,11 +412,11 @@
]
},
"locked": {
"lastModified": 1758022363,
"narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=",
"lastModified": 1761230615,
"narHash": "sha256-pLE7U5gOtlA/2wbKCsVRYf5DqMQ5TWBCrCfZGytDDeo=",
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"rev": "1a3667d33e247ad35ca250698d63f49a5453d824",
"rev": "7db2b867219a26781437d840ce457b75b7645154",
"type": "github"
},
"original": {
@ -448,11 +448,11 @@
]
},
"locked": {
"lastModified": 1761066098,
"narHash": "sha256-Fd65ryxzMRsNQ0MqaiT/b3TdinUOKUJ4PyCwnoKcvF0=",
"lastModified": 1761513701,
"narHash": "sha256-w7qOcQb1FSMZASvWe01r99QqZ5LnHO0k3rgs5ryyig0=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "13b2744e117993dc5066c1710585dcb99877684f",
"rev": "255b6a0ef2f488a2fad051361699cc67db57338c",
"type": "github"
},
"original": {
@ -462,6 +462,47 @@
"type": "github"
}
},
"kulala-fmt": {
"inputs": {
"flake-parts": [
"mynvim",
"flake-parts"
],
"nixpkgs": [
"mynvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1760780358,
"narHash": "sha256-5H61ktwMRsLbfPl5Zd2ZWVROXk8srXqC7DxhNv80Bq0=",
"owner": "mistweaverco",
"repo": "kulala-fmt",
"rev": "b4838b018d9e931b8f02e480d8c79161dc1b500e",
"type": "github"
},
"original": {
"owner": "mistweaverco",
"repo": "kulala-fmt",
"type": "github"
}
},
"kulala-nvim": {
"flake": false,
"locked": {
"lastModified": 1761409896,
"narHash": "sha256-fChsMhTgne97vHvJzKAxBbM3OO1AZLE4b2TCrY2xL+4=",
"owner": "mistweaverco",
"repo": "kulala.nvim",
"rev": "9a9308b664f71159f1c150e8cfb18541b143a9e9",
"type": "github"
},
"original": {
"owner": "mistweaverco",
"repo": "kulala.nvim",
"type": "github"
}
},
"local-highlight-nvim": {
"flake": false,
"locked": {
@ -529,6 +570,8 @@
"gen-luarc": "gen-luarc",
"gentags-lua": "gentags-lua",
"hlargs-nvim": "hlargs-nvim",
"kulala-fmt": "kulala-fmt",
"kulala-nvim": "kulala-nvim",
"local-highlight-nvim": "local-highlight-nvim",
"namu-nvim": "namu-nvim",
"neovim-nightly-overlay": [
@ -545,11 +588,11 @@
"yaml-nvim": "yaml-nvim"
},
"locked": {
"lastModified": 1761079883,
"narHash": "sha256-geAsZA0BPI9UMR2vw1VppaYUcCLf6qTnE/pBfFjH92Q=",
"lastModified": 1761514859,
"narHash": "sha256-GPmBM926UOptzdrSUzY7dbcGXog4lH1gcTIV8KCV6wI=",
"ref": "refs/heads/master",
"rev": "790b4e8ec02a21dfb9e539e79cc967a92faacaa6",
"revCount": 39,
"rev": "30da584e2a06b80093b2a73a1702faa9d3c385ad",
"revCount": 40,
"type": "git",
"url": "https://git.jmarkin.ru/jmarkin/nvim-nix"
},
@ -587,11 +630,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1761005134,
"narHash": "sha256-9bSlfRleXFl50M6AnurWr1oKDTk3uF5DaTVHxeds0CY=",
"lastModified": 1761437965,
"narHash": "sha256-X4SNeOXdFkE7Gt+waO5ck3TqfqWskqJHxt1WIu3nnUQ=",
"owner": "nix-community",
"repo": "neovim-nightly-overlay",
"rev": "3a6201e41d13f1a73b2e2c734dbd36b4c42584b0",
"rev": "21595d9f79b5da0eef177dcfdd84ca981ac253a9",
"type": "github"
},
"original": {
@ -603,11 +646,11 @@
"neovim-src": {
"flake": false,
"locked": {
"lastModified": 1761000337,
"narHash": "sha256-fBz9U/k/YWoS4QgcoQ54NKDEopTdL2zI0gzLlWv/xR8=",
"lastModified": 1761434579,
"narHash": "sha256-S+YmbP/bPETjKk6B/tlh+jwIH7K7iPoXyHLLwTqVOhk=",
"owner": "neovim",
"repo": "neovim",
"rev": "b67eff38fe19876ab228007897224ec04b58aa40",
"rev": "a121ede1bfee2704c26159124f8f61f96c6aa136",
"type": "github"
},
"original": {
@ -618,11 +661,11 @@
},
"nixos": {
"locked": {
"lastModified": 1760862643,
"narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=",
"lastModified": 1761173472,
"narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c",
"rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb",
"type": "github"
},
"original": {
@ -711,11 +754,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1760965567,
"narHash": "sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg=",
"lastModified": 1761349956,
"narHash": "sha256-tH3wHnOJms+U4k/rK2Nn1RfBrhffX92jLP/2VndSn0w=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cb82756ecc37fa623f8cf3e88854f9bf7f64af93",
"rev": "02f2cb8e0feb4596d20cc52fda73ccee960e3538",
"type": "github"
},
"original": {
@ -867,11 +910,11 @@
]
},
"locked": {
"lastModified": 1760945191,
"narHash": "sha256-ZRVs8UqikBa4Ki3X4KCnMBtBW0ux1DaT35tgsnB1jM4=",
"lastModified": 1761311587,
"narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "f56b1934f5f8fcab8deb5d38d42fd692632b47c2",
"rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
"type": "github"
},
"original": {


@ -47,6 +47,7 @@
neovim-nightly-overlay.inputs.nixpkgs.follows = "nixpkgs";
mynvim.url = "git+https://git.jmarkin.ru/jmarkin/nvim-nix";
# mynvim.url = "path:/home/kron/nvim-nix";
mynvim.inputs.nixpkgs.follows = "nixpkgs";
mynvim.inputs.flake-parts.follows = "flake-parts";
mynvim.inputs.neovim-nightly-overlay.follows = "neovim-nightly-overlay";
@ -226,7 +227,7 @@
};
/*
nixos-rebuild switch --flake .#egyptian-almandite \
--target-host ru-vps --verbose --use-remote-sudo
--target-host ruvps.jmarkin.ru --verbose --use-remote-sudo
*/
egyptian-almandite = nixos.lib.nixosSystem {
system = "x86_64-linux";


@ -29,6 +29,9 @@
bind '"\e[A": history-search-backward'
bind '"\e[B": history-search-forward'
bind '"\e[1;5C":forward-word'
bind '"\e[1;5D":backward-word'
source ~/.local/scripts/funcs.sh
source ~/.local/scripts/ssh_agent.sh


@ -2,6 +2,15 @@
{
imports = [
../programs/git
../programs/bash.nix
../programs/tmux.nix
../programs/bat.nix
../programs/gpg.nix
../programs/starship.nix
];
programs.home-manager.enable = true;
home.activation.report-changes = config.lib.dag.entryAnywhere ''
${pkgs.nvd}/bin/nvd --nix-bin-dir=${pkgs.nix}/bin diff $oldGenPath $newGenPath
@ -52,14 +61,6 @@
};
imports = [
../programs/git
../programs/bash.nix
../programs/tmux.nix
../programs/bat.nix
../programs/gpg.nix
../programs/starship.nix
];
home.sessionPath = [


@ -30,7 +30,6 @@
# utils
jaq
docker-compose
dust
tree-sitter
createnv
dotenv-linter


@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }:
# https://vms.hosting-vds.com/projects/4901/servers/8762
/*
nixos-rebuild switch --flake .#egyptian-almandite \
--target-host ruvps.jmarkin.ru --verbose --use-remote-sudo
*/
{
imports =
[
@ -9,6 +13,10 @@
./modules/adguard.nix
./modules/nginx.nix
./modules/ssh.nix
./modules/zapret
./modules/fail2ban.nix
./modules/wireguard/ui.nix
./modules/wireguard/helper.nix
];
boot.kernelParams = [
@ -16,6 +24,7 @@
"console=tty1"
];
_module.args.iface = "ens3";
networking = {
interfaces.ens3 = {
ipv6.addresses = [{
@ -75,14 +84,15 @@
environment.systemPackages = with pkgs; [
tmux
amnezia-vpn
cfspeedtest
];
networking = {
dhcpcd.enable = false;
hostName = "egyptian-almandite";
firewall = {
checkReversePath = false;
enable = true;
allowedTCPPorts = [ 80 443 324 853 ];
allowedUDPPorts = [ 51820 ];
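Review bot: `_module.args.iface = "ens3";` exists only so that modules/wireguard/helper.nix can key its masquerade/forward rules on that NIC, but nothing at the call site says so; a comment such as `# consumed by ./modules/wireguard/helper.nix (NAT/forward rules are keyed on this NIC)` would keep the two files in step when the interface is ever renamed. The firewall hunk leaves 5000 out of `allowedTCPPorts`, which is the right call for the new wireguard-ui listener on 0.0.0.0:5000, but reachability of the UI then rests entirely on the helper script's `-i wg0 -j ACCEPT` rule, so a comment on the port list recording that the UI is deliberately reached only over wg0 (or via nginx) would stop someone "fixing" it later. `checkReversePath = false;` disables the reverse-path filter for the whole host; I cannot tell from the rendered hunk whether it is new, but if it was added for the tunnel, NixOS also accepts the narrower `checkReversePath = "loose";`.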


@ -8,6 +8,8 @@
environment.systemPackages = with pkgs; [
wireguard-tools
nix-search-cli
mosh
dust
];
services.avahi = {
enable = true;


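--- /dev/null
+++ b/nixos/modules/fail2ban.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+services.fail2ban.enable = true;
+services.fail2ban.jails.sshd.settings = {
+enable = true;
+maxretry = 5;
+findtime = 10 * 60;
+bantime = 3600;
+mode = "aggressive";
+publickey = "invalid";
+};
+}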
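Review bot: The sshd jail bans by source address but the module sets no `services.fail2ban.ignoreIP`, so a few mistyped logins from the admin's own path — including the `10.252.1.0/24` tunnel that the new helper scripts masquerade — lock that path out for `bantime` seconds; consider `services.fail2ban.ignoreIP = [ "10.252.1.0/24" ];` next to the jail, plus any fixed admin address. `mode = "aggressive"` and `publickey = "invalid"` are sshd filter parameters rather than jail options; they appear to be accepted here by interpolation into the filter, but they widen what counts as a failure (aggressive presumably also matches pre-auth disconnects; invalid presumably counts rejected public keys, which an agent offering several keys can produce on a legitimate login), so a one-line comment stating that intent, e.g. `# sshd filter knobs: also count pre-auth disconnects and rejected keys as failures`, would save the next reader a trip to filter.d/sshd.conf.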


@ -31,7 +31,6 @@
auto-optimise-store = true;
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="


@ -0,0 +1,57 @@
{ pkgs, iface, ... }:
{
environment.etc."wireguard/helper/add-nat-routing.sh" = {
mode = "0755";
text = ''
#!${pkgs.bash}/bin/bash
IPT="${pkgs.iptables}/bin/iptables"
IPT6="${pkgs.iptables}/bin/ip6tables"
IN_FACE="${iface}" # NIC connected to the internet
WG_FACE="wg0" # WG NIC
SUB_NET="10.252.1.0/24" # WG IPv4 sub/net aka CIDR
WG_PORT="51820" # WG udp port
SUB_NET_6="fd42:42:42:42::/112" # WG IPv6 sub/net
## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
## IPv6 (Uncomment) ##
## $IPT6 -t nat -I POSTROUTING 1 -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
## $IPT6 -I INPUT 1 -i $WG_FACE -j ACCEPT
## $IPT6 -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
## $IPT6 -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
'';
};
environment.etc."wireguard/helper/remove-nat-routing.sh" = {
mode = "0755";
text = ''
#!${pkgs.bash}/bin/bash
IPT="${pkgs.iptables}/bin/iptables"
IPT6="${pkgs.iptables}/bin/ip6tables"
IN_FACE="${iface}" # NIC connected to the internet
WG_FACE="wg0" # WG NIC
SUB_NET="10.252.1.0/24" # WG IPv4 sub/net aka CIDR
WG_PORT="51820" # WG udp port
SUB_NET_6="fd42:42:42:42::/112" # WG IPv6 sub/net
# IPv4 rules #
$IPT -t nat -D POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -D INPUT -i $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
# IPv6 rules (uncomment) #
## $IPT6 -t nat -D POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
## $IPT6 -D INPUT -i $WG_FACE -j ACCEPT
## $IPT6 -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
## $IPT6 -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
'';
};
}
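Review bot: Both scripts insert with `-I ... 1` and delete with a single `-D`, so if add-nat-routing.sh runs twice (a second wg-quick up, or a restart from the new `wgui` path unit while the rules are still present) every rule is duplicated and one remove leaves a copy behind; guard each insert with the check flag, e.g. `$IPT -C INPUT -i $WG_FACE -j ACCEPT 2>/dev/null || $IPT -I INPUT 1 -i $WG_FACE -j ACCEPT`, and apply the same pattern to the other four rules. Note also that `-I INPUT 1 -i $WG_FACE -j ACCEPT` admits every tunnel peer to every local service, the wireguard-ui listener on :5000 included, and it is the only thing that exposes that UI since the host firewall in configuration.nix does not open 5000 — worth a comment on that line if it is intentional, or a `-p tcp --dport` list if it is not. Nothing on the page invokes these scripts, so presumably they are wired in as PostUp/PostDown from the UI-generated wg0.conf; a header comment naming the caller would help. The `--dport $WG_PORT` rule on `$IN_FACE` duplicates `allowedUDPPorts = [ 51820 ]` in configuration.nix; harmless, but one of the two can go.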


@ -0,0 +1,51 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
systemd.services.wireguard-ui = {
description = "WireGuard Web UI";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = {
User = "wireguard-ui";
Group = "wireguard-ui";
WorkingDirectory = "/etc/wireguard_ui";
ExecStart = "${pkgs.wireguard-ui}/bin/wireguard-ui";
Environment = [
"WGUI_SERVER_LISTEN_ADDRESS=0.0.0.0:5000"
"WGUI_MANAGE_RESTART=true"
"WGUI_MANAGE_START=true"
];
};
};
users.users.wireguard-ui = {
isSystemUser = true;
group = "wireguard-ui";
};
users.groups.wireguard-ui = { };
systemd.services.wgui = {
description = "Restart WireGuard";
after = [ "network.target" ];
path = [ pkgs.systemd ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart wg-quick@wg0.service";
};
requiredBy = [ "wgui.path" ];
};
systemd.paths.wgui = {
description = "Watch for changes to WireGuard files";
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathChanged = "/etc/wireguard";
};
};
}
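Review bot: `WGUI_SERVER_LISTEN_ADDRESS=0.0.0.0:5000` binds the management UI on every interface; the host firewall in configuration.nix does not list 5000 in allowedTCPPorts, so reachability currently rests on the helper script's blanket `-i wg0 -j ACCEPT` rule, and if the UI is meant to sit behind the nginx module it should bind `127.0.0.1:5000` instead. The unit sets neither `WGUI_USERNAME` nor `WGUI_PASSWORD_FILE`, so on first start the UI presumably initialises its database with its built-in default login; supplying the password through `serviceConfig.LoadCredential` and pointing `WGUI_PASSWORD_FILE` into the credentials directory keeps it out of the Nix store. `requiredBy = [ "wgui.path" ]` on the oneshot makes the path unit require the restart service itself, so `wg-quick@wg0` is restarted whenever the watcher starts (every boot) rather than only on a change under /etc/wireguard; the path unit already triggers the service of the same name, so that line can be dropped. Neither `/etc/wireguard_ui` nor write access for the `wireguard-ui` user to `/etc/wireguard` is provisioned here, which `WGUI_MANAGE_*` and the watcher both depend on — if that lives elsewhere, a pointer comment would help.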


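--- /dev/null
+++ b/nixos/modules/zapret/default.nix
@@ -0,0 +1,16 @@
+{ lib, ... }:
+let
+filePath = ./zapret.txt;
+fileContent = builtins.readFile filePath;
+lines = lib.strings.splitString "\n" fileContent;
+cleanLines = lib.lists.filter (s: s != "") lines;
+in
+{
+services.zapret.enable = true;
+services.zapret.whitelist = cleanLines;
+services.zapret.params = [
+"--dpi-desync=fake,disorder2"
+"--dpi-desync-ttl=1"
+"--dpi-desync-autottl=2"
+];
+}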
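Review bot: `cleanLines` discards only exactly-empty strings, so if zapret.txt (123286 lines, not shown in the diff) is ever saved with CRLF endings or trailing spaces the whitelist entries carry a stray `\r` and silently stop matching; strip before filtering, e.g. `cleanLines = lib.lists.filter (s: s != "") (map (lib.strings.removeSuffix "\r") lines);`. A header comment stating what the list is and where it comes from (`# zapret.txt: one host per line; presumably the domains services.zapret applies desync to`) would also help, since the file itself is too large to review here. A short why-comment on the chosen `--dpi-desync*` values would round it off, as they are not self-explanatory.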

123286
nixos/modules/zapret/zapret.txt Normal file
