From 2363adccc0d1a0ab774865fc7366caabb50614e0 Mon Sep 17 00:00:00 2001 From: Crony Akatsuki Date: Sat, 31 Jan 2026 13:54:42 +0100 Subject: [PATCH] feat: setup termix and wireproxy for sock5 proxy. --- flake.lock | 48 +++++++++--------- modules/servers/per-server/tyr/secrets.nix | 12 +++++ .../servers/per-server/tyr/services/dns.nix | 1 + .../per-server/tyr/services/termix.nix | 39 ++++++++++++++ .../per-server/tyr/services/wireproxy.nix | 34 +++++++++++++ secrets/secrets.nix | 2 + secrets/wg-heimdall.age | Bin 1756 -> 1848 bytes secrets/wg-wireproxy.age | Bin 0 -> 1556 bytes secrets/wireproxy.age | 23 +++++++++ 9 files changed, 135 insertions(+), 24 deletions(-) create mode 100644 modules/servers/per-server/tyr/services/termix.nix create mode 100644 modules/servers/per-server/tyr/services/wireproxy.nix create mode 100644 secrets/wg-wireproxy.age create mode 100644 secrets/wireproxy.age diff --git a/flake.lock b/flake.lock index e3013e9..9fda96d 100644 --- a/flake.lock +++ b/flake.lock @@ -169,11 +169,11 @@ "cachyos-kernel": { "flake": false, "locked": { - "lastModified": 1769435645, - "narHash": "sha256-xxIqw5x8U+13ya2BUcwmAW6BdpCpMhrMTn6Pd0bzocE=", + "lastModified": 1769780135, + "narHash": "sha256-4U/BvhiP1PJcI3bRYkIeNVio71BnkzVrUdTUqzBxjXo=", "owner": "CachyOS", "repo": "linux-cachyos", - "rev": "e8675eeb9b48a23167b3e43f84e3be76e321935e", + "rev": "1acd46cdeb2598f0300b6d7141d47edbf63772cc", "type": "github" }, "original": { @@ -185,11 +185,11 @@ "cachyos-kernel-patches": { "flake": false, "locked": { - "lastModified": 1769587384, - "narHash": "sha256-fPOlnH9arzQLmkbaZ6p+otwLuH9YEf/t8Q2o9/Yq/YA=", + "lastModified": 1769777717, + "narHash": "sha256-+9N64QIaxCEfsA/CtqQjrjV8pmlm8Wcgb+4JWARp3Lc=", "owner": "CachyOS", "repo": "kernel-patches", - "rev": "5f061ab9733ad15eccf6b9995e9d56f572e67266", + "rev": "23d3863f8e3b1f96c1b12042096cc525b6a68738", "type": "github" }, "original": { 
@@ -285,11 +285,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1769765113, - "narHash": "sha256-XwTDilFuTxc+2TaOKDlSxL+XjbokJNrzm7fW+ZVC6jc=", + "lastModified": 1769852053, + "narHash": "sha256-vWIDVl7JRI3z4nSSVjGVQJwpU4buhXUM9ibTi/G+bDk=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "d4cbce95a61e14274512f6f83f06c15beb4e6a00", + "rev": "64978459ab46ee2aa8d6db02b7c3dc3cb53cc055", "type": "github" }, "original": { @@ -952,11 +952,11 @@ ] }, "locked": { - "lastModified": 1769776025, - "narHash": "sha256-70a1kVC08AMTvPc7iqQsJbbD4Y1fukakMVudz4oY9SM=", + "lastModified": 1769813945, + "narHash": "sha256-9ABv9Lo9t6MrFjlnRnU8Zw1C6LVj2+R8PipQ/rxGLHk=", "owner": "nix-community", "repo": "home-manager", - "rev": "0fba737f8d5571d41467f3d99a878e11b8c0f0f0", + "rev": "475921375def3eb930e1f8883f619ff8609accb6", "type": "github" }, "original": { @@ -1090,11 +1090,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1769782457, - "narHash": "sha256-ZXyT+qjqELGZWipc/P727hd1weTRQnv9pM+YilNy8Go=", + "lastModified": 1769802121, + "narHash": "sha256-P2KVccrXznyha83gPQeVJ3k+3+/hYXIPQ91DwuRmFF4=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "b8fc0def97a5b6279b8d0e8e13972575a84c310a", + "rev": "ec120d57328e5ae4bfc93a7e809ace47d98f2dc3", "type": "github" }, "original": { @@ -1551,11 +1551,11 @@ "nixpkgs": "nixpkgs_7" }, "locked": { - "lastModified": 1769709954, - "narHash": "sha256-giMeVSEYM80pRrpB95wwgvcGODbkKT3LKVnTpVTj8TA=", + "lastModified": 1769796227, + "narHash": "sha256-v4GMU24wyowYBEUoVTyNq4mIlz+fpyNJhrmd/8HrSdU=", "owner": "xddxdd", "repo": "nix-cachyos-kernel", - "rev": "856b12c3db3cb7a2531d4f26eac6f2129284f7e1", + "rev": "0ebc34bb07ad7025fe0167a97115344f0c895474", "type": "github" }, "original": { 
@@ -1863,11 +1863,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1769694244, - "narHash": "sha256-y9iLxICVcfG0IS7neuCS+K/qtM1DexpRi4Dd5naIc5g=", + "lastModified": 1769770707, + "narHash": "sha256-pZilzGn9G1FCxqow3T6q4XvdH4g3opVqr/l3HhQbOSM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e9dd4a0a603081bc77beda88510f873671d38859", + "rev": "e522e49851239164443baaef4432890c831e4e71", "type": "github" }, "original": { @@ -2265,11 +2265,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1769782950, - "narHash": "sha256-bMJPPDyG/BV7Qx0r5JuO9oQG/o/VlnEOFnC8zKhJsBQ=", + "lastModified": 1769819994, + "narHash": "sha256-AJB2hcg1OgocLGuVdot9HyCD+Kv+a6znhY2i3XqcZYU=", "owner": "danth", "repo": "stylix", - "rev": "aad90ca763be126c0ed67c29826bbb9b5ca665d8", + "rev": "8b14679c0e1570b0e137f0f7997717be0fdf2cf2", "type": "github" }, "original": { diff --git a/modules/servers/per-server/tyr/secrets.nix b/modules/servers/per-server/tyr/secrets.nix index d8230f9..cac16b2 100644 --- a/modules/servers/per-server/tyr/secrets.nix +++ b/modules/servers/per-server/tyr/secrets.nix @@ -43,6 +43,18 @@ paperless-ngx = { file = ../../../../secrets/paperless-ngx.age; }; + wg-wireproxy = { + file = ../../../../secrets/wg-wireproxy.age; + owner = "wireproxy"; + group = "wireproxy"; + }; + wireproxy = { + file = ../../../../secrets/wireproxy.age; + path = "/etc/wireproxy/wireproxy.conf"; + owner = "wireproxy"; + group = "wireproxy"; + symlink = false; + }; }; }; } diff --git a/modules/servers/per-server/tyr/services/dns.nix b/modules/servers/per-server/tyr/services/dns.nix index dd7eb79..f9b90eb 100644 --- a/modules/servers/per-server/tyr/services/dns.nix +++ b/modules/servers/per-server/tyr/services/dns.nix @@ -85,6 +85,7 @@ ''"linkwarden.home.cronyakatsuki.xyz IN A 192.168.0.5"'' ''"paperless.home.cronyakatsuki.xyz IN A 192.168.0.5"'' ''"komga.home.cronyakatsuki.xyz IN A 192.168.0.5"'' + ''"termix.home.cronyakatsuki.xyz IN A 192.168.0.5"'' ]; }; }; 
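Review bot: In modules/servers/per-server/tyr/secrets.nix the new `wireproxy` secret combines `path = "/etc/wireproxy/wireproxy.conf"` with `symlink = false`, which, as far as I can tell from agenix's behaviour, writes the decrypted file straight to /etc on the root filesystem instead of keeping the plaintext on the /run/agenix ramfs. If that config holds the SOCKS5 credentials or WireGuard key material, the plaintext persists on disk and can end up in backups or disk images. Dropping `symlink = false;` leaves a symlink at the same path that points into /run/agenix; alternatively drop `path` as well and start the service with `-c ${config.age.secrets.wireproxy.path}`. An explicit `mode = "0400";` on both new entries would also document the intended permissions.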
diff --git a/modules/servers/per-server/tyr/services/termix.nix b/modules/servers/per-server/tyr/services/termix.nix
new file mode 100644
index 0000000..e87f328
--- /dev/null
+++ b/modules/servers/per-server/tyr/services/termix.nix
@@ -0,0 +1,39 @@
+{
+ virtualisation.oci-containers.containers.termix = {
+ image = "ghcr.io/lukegus/termix:latest";
+ autoStart = true;
+ ports = [
+ "8484:8484"
+ ];
+ labels = {
+ "io.containers.autoupdate" = "registry";
+ };
+ volumes = [
+ "/var/lib/termix:/app/data:U"
+ ];
+ extraOptions = ["--network=host"];
+ environment.PORT = "8484";
+ };
+
+ services.restic.backups = {
+ local.paths = ["/var/lib/termix"];
+ server.paths = ["/var/lib/termix"];
+ };
+
+ services.traefik.dynamicConfigOptions.http = {
+ services.termix.loadBalancer.servers = [
+ {
+ url = "http://localhost:8484";
+ }
+ ];
+
+ routers.termix = {
+ rule = "Host(`termix.home.cronyakatsuki.xyz`)";
+ tls = {
+ certResolver = "porkbun";
+ };
+ service = "termix";
+ entrypoints = "websecure";
+ };
+ };
+}
diff --git a/modules/servers/per-server/tyr/services/wireproxy.nix b/modules/servers/per-server/tyr/services/wireproxy.nix
new file mode 100644
index 0000000..76e9030
--- /dev/null
+++ b/modules/servers/per-server/tyr/services/wireproxy.nix
@@ -0,0 +1,34 @@
+{pkgs, ...}: {
+ systemd.services.wireproxy = {
+ enable = true;
+ description = "Wireproxy";
+ after = ["network.target"];
+ wants = ["network.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ RestartSec = 3;
+ User = "wireproxy";
+ Group = "wireproxy";
+ WorkingDirectory = "/var/lib/wireproxy";
+ StateDirectory = "wireproxy";
+ };
+
+ script = "${pkgs.wireproxy}/bin/wireproxy";
+
+ wantedBy = ["multi-user.target"];
+ };
+
+ users = {
+ users.wireproxy = {
+ isSystemUser = true;
+ home = "/var/lib/wireproxy";
+ createHome = true;
+ group = "wireproxy";
+ };
+ groups.wireproxy = {};
+ };
+
+ networking.firewall.allowedTCPPorts = [25344];
+}
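Review bot: In termix.nix the container runs `ghcr.io/lukegus/termix:latest` with the `"io.containers.autoupdate" = "registry"` label, so whatever is pushed to that tag is pulled and started unattended; for what appears to be a web SSH console running with `--network=host`, a bad or tampered upstream push lands directly on the host network. Pinning by digest, e.g. `image = "ghcr.io/lukegus/termix@sha256:<digest>";`, and bumping it deliberately keeps the deployed content reviewable. Separately, `ports = ["8484:8484"]` has no effect next to `--network=host` because the runtime discards published ports in host mode, so the app listens on every host interface and only the firewall keeps 8484 from being reached without Traefik's TLS. If host networking is not actually required, drop `extraOptions` and publish `"127.0.0.1:8484:8484"` so that only Traefik can reach the backend.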
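Review bot: In wireproxy.nix, `networking.firewall.allowedTCPPorts = [25344];` opens the proxy port on every interface, while the bind address and any SOCKS5 `Username`/`Password` settings live in the encrypted wireproxy.age and cannot be checked from this diff. If the proxy is meant for the LAN only, scope the rule to that interface, e.g. `networking.firewall.interfaces."<lan-iface>".allowedTCPPorts = [25344];`, and confirm the config requires authentication so the host does not act as an open relay. The unit also runs a network-facing daemon without any sandboxing; `NoNewPrivileges = true;`, `ProtectSystem = "strict";` and `PrivateTmp = true;` in `serviceConfig` are cheap additions, since it appears to need only its state directory and the config file. A one-line comment above the firewall rule naming what listens on 25344 would help the next reader.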
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3226494..39582c4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -48,4 +48,6 @@ in {
 "paperless-ngx.age".publicKeys = systems ++ users;
 "forgejo-runner-token.age".publicKeys = systems ++ users;
 "attic-env.age".publicKeys = systems ++ users;
+ "wg-wireproxy.age".publicKeys = systems ++ users;
+ "wireproxy.age".publicKeys = systems ++ users;
 }
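Review bot: Both new entries in secrets/secrets.nix use `systems ++ users`, so every host key in `systems` can decrypt the WireGuard and proxy secrets even though only tyr consumes them in this commit. Narrowing the recipients to tyr's key plus the admin keys, along the lines of `"wireproxy.age".publicKeys = [<tyr-host-key>] ++ users;`, keeps a compromise of another machine from exposing them. The `let` bindings sit outside the hunk, so the real name of tyr's key has to be taken from there. The existing entries follow the same pattern and may deserve the same treatment.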
diff --git a/secrets/wg-heimdall.age b/secrets/wg-heimdall.age index 96b135365ca4b72576bd7e920181f059bfe0fdc5..d33d2652a053a52a0f5fecc329e6ad24e5917c2a 100644 GIT binary patch delta 1767 zcmcb^yMu3nPJN`gshg*{v5!%DYJP!_Wt3l`vAel(vO$uCfumV^p1GlslaXg~U}lP; z0asvXv38KLms5IHct&PXO1YbBMn!6nS$beVxUXeMm8*wyPKC3#rFTSzk!41?p?9d` z#E;_Po+*W;X1SSBmc9mQVL1`W#rh@XPC1q3S&li`ML}tP=_P&!1tl&f<$=CjiMbh3 zE>332C59nhY2InBVPytEc?ND4p22BF5&02?`W88n&XGptMPA91;~B-n%Y%%ab6m_L z{Y;W`a+|4aYT#~AMBMLl|BEs^$igR5I6I~*?s*DVheN7U*O1z5mgFG^w z3{wLw6N5riOjC`DtGojIbCR5k$~?_Wjq=MUpJf!U&q)aia?j6lDYb|S40WnV^f4$7 zGq4B^s0dE+Dlzjm&aNoRu1fMYNDK<)aw@6Fsq(hS&-5z{O7qC_GWONatT4}T*DnYO z3Ng%0HVmpXF|4vEbt;HNkAcD@U+6Z%d}*RRJYu6N3JjrOS9YvPxnH<)UdL!LgT!o0H?x;%!+)+vaG7qd?&;3 z&VHIy}gX; z1H7HJU0l-)lexkI%k@ozJl%7vvco)+9D@vv5{=B#ywZ&wle3HxJ)O1n4SZ6{ql!#D z9MOH}?iUpql&)Z8ke6i^R$iLvn-mgmV(J{^T$$|Sl#}RF7#vn!6=+lukYnjy5bjn{ zUd-j5nc-|+5muj{R8VZ17aCG!?okjLUTJPw7?Ne2SZSVHT>0G+Hx(aUIA($i?nNh}h z86{P|1yN20c}c!$sab|afd(c9mf88)0iKB^>0BQp97~Q1^frbcXJ6H595vxq{q4Pv zY!-d_bK>6ZZzeOLU||Pirs3rW zrIUDi&A-1cE99!<_$gtb7(XFM?RsSQ2~TF0ZTF-dOTPZ7o0z?K+w9`=P5bprM4x@o zcgfzGzhRz#Mbd0JiSI`H1ynTVF-`bg;&7gA>%D#^ci~IX&h;YPx!WF|IrsJ27RT3y z8Dg(4N&VjZchaTf@1DI5Uc2+iwYtgSUuP|}yYzV4V*c>PZ?lsHrPinhKD6^Z_h7DL zZkkk>+Ete+y(j*!d8m?mbDGm)aTD{tJs)dc^T`M`OxQE;M7yFOZC$EG;5IZX9wD=lLbN@n$VI=wvYW3%^<-JgkU-!Clr zB^}eIQ$DRF{K{WZ%fE+Y*Y-@xF>|$4x^dp#vi$b$dE4)ueW0nCvrfl6p#7AG2V2;e zS%JQ;tJex0nizk*aNER?nTjrk-^3f8q_<9EYpDFoyJ7uZU&Uo9(z7po>c>8Jc|0UMN*lpHtzN=K5E3N59Ql&#?zJ$K~R+^9{7^YtEgKA7igIww3)tpv^RS-wEB5HDh1Zq@B`NKmI%^;Qx9?6ZF4_{O=I;zYc+pnO$l{~V bGuBnM>Sk8uZ|`#cQCY3GCxUlNw@4fS|dVHOtbk zatSx{OApO2PS1$Ub2G}#@Yhe$4)F`|NDmH(j4TQ>Hp!?6G2k+-()MskDsT)oa&wCC z$_oxHa*oW&Da@@*&j^h)Nwg^RtE|khC<*Y2azwW+N8jHi+)*LYrNTSUyV%J%+clsd z#Vyr1DXhFIFHyU~Hy|joDmyGUCo|Q;!?H9#BA=@wCD7Qv$kDRU#K|ZlzaX_J!zLBxA42FlU2YXH);= z;?%I*e0@uIzr-9%uZrTxeB*SJbWg5gAKyarEF+_$0O!y&k8Gc0f1j#i7k3NuLZ5&j zW21Z*U$1=sNVi~5i*j_^{L2kO+{+b`gH5uG(hA)2+ zqAXm)D*OXNe1jvi3|+a34D+g@(i4M9z5H@RBU7qO&GJm5+zO06{WCIx{EEvXa!Oo6 
zT+)Ja^Fq;WOLq12^L11x3{FoC@wRmJ3=459@-MUS(@&|)@`}tiPID;^4l~d6EeSHu zb1SIy4fEuRDEG-X&UA83EprJCj!1Pc&G5@}a?i8yuMA2va}Ny6_X|iXtIGBW)3-pk ztuV>gyC_h>*w`e|+sM-=+_NCqyR@`8LR-JMAUVn{-6_bdtfImrJEf$;sM5=|$jOr{ zyx1emr6e>hKd;coyCOBCvLHv>E6ULz#lND!IM=t*Im9h3rz{}ctsEmHqYQE#tI8GJ z^{af%%DfZZOilBul2e>Y!VH~D0zxZH0!)HUopQ1Y4I)Y-A`(sgjeNPP(mkqj%FLqD zT%9T-3cYhf0^Ce9oD4%Oy$k}3o$|FabKJ|)3(_nL3$xMv=I$328I-P2ndTngp6HWb zJ?y|5@qgP;+yX7o9)S^?VMHV>QNBpYp5NO9cFA6 zSXioWmRS_+TpAo)9u$!uR8W*#Y+jt0?TZnTX({?qK7k5_B_UD%;fVpk`6k*yX-URr zu2GJa9~Ci+!Hso~Dq9)6a|E@tJqY1(<|?&0C( zxdl!|AsI%QMSewYCXR+Bo+jvis|s|=j4D?s2nhEr%?T?_EX{Pv$aV9m3~+YO@e57M zHOwtb%Y=x)-STC5>#cqVjsq8y^GPd#Pv^R;?@P{PVs-r zUKM!kw$RF~OTuldFU?3>b*;X2i}6L>htI|TEZ#o()AkR3yPwL|OmvHX6t8k7>|v6d z`-QVg8+NZ-ocQ?twTP|Ln|0)MBtq5G)_qC)_~gv0u+y>sCch|W+#Wok>~3)1fnP6J zJ4FrU|3;Tx_1d0(y=+~M&QFt{+dE>+d^e<=wcc94@J@wasMyB-x}<^UNIc^l4SioHTNPugbAK$Bgd1-x3JIYkdQWe zvo#4m;H+Bg%je+W*Ykn@J?myczlX7_mzsb47-|1_#jPzJ+~0X@xA*DMXJmM>^OYk`DZD^`wJdza96Zl(!`zn-%Uzs zjscgvqC@hQl+#!LSWjx*FZ)p|hkId;;u>+M#NF4p`kZ>Bxx(9)IA2tqAu_vs;*+kp zwFb54SEv-8U7+L3zW9&kfnBT*6w~VC*D^j-I`93X;9cpvH&*+r7+8N+o`1DnxrrnE G{uuz~gP&gj 
diff --git a/secrets/wg-wireproxy.age b/secrets/wg-wireproxy.age new file mode 100644 index 0000000000000000000000000000000000000000..adf1cf0475a8e6459eee213d82f7cb02f27de347 GIT binary patch literal 1556 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP3NXp@E?3AbcJfZj z^@_;MF!wd^^2!d2Dlg2;)HVvqc5#YItMbkFu5t3Ftwm8-POFxD6lBBBuPKQ#1q{%b8S;^<3I(^)O0U{Qj7GYP)9cpmq53wh+Jbs zM?b@i@W_m`kl>(@Ku=>MeZ%~q&}6O%3uoUP|Dfyl@ya(h&G&POun3Aw_6w*i*AGRv ztuV>gyC_hhq%h0CuRJs>S>LhDC8WgEqO!sxJG|1s)4bdxJ5t-!JhRX*t1Kw9B*>M^ zy~Hy;Ti+%FH9vl)9mF;Ad z=8+R@X;@t592Dl{>f{%Z8Jt!b?w21Bg%NLQDf&@9feM+X1(EuuIhF2a!4YYG&K?0y zS^nV#zK+gCrrGAn-bEpnp&3P9t_5is$y`C<8IidGrm6Y)fth9&K@k;2NscK_?xq&W zNol1nu33?3<_3`kjxGUFj_C1L73h>1Rj!b1Vv?EUo?RH=Y*B8UlA2QK8RnP~>FJkl znH-kk?_2EZ>>gq6Yf|a%ZouX4ooN#6=v?69=o{=9QtnmeW1?SfY?7Yl;#p=HR*;(K z7Fb?oo~)l{>B^<6tE*64P+nY|m|W;#7#5aNl3S5oo>S(bZyD(3SrnR8ndqNbSXvoY z>=#<@n$2}0zjv*~L-BQT5py2!OuDo5%chKW6Sf3{xGwf54<@Fcu)PrAEzPaf$1ZgH z@TbDvTCZ=txoSOACUdFUsx!&Wzv3c_H0C{t{ki_{!XIVb-d{82>ca2axrcgmZf~fZ zu;*;|jn@Vfez`sq-q3g8;IG&6S4!nIy=3G5b!Ha5ZJFNkPyBDn#|w8>ua4JN-tY5M zJl~*f-CUm|H~;DLKQ|D5YSX>@VD-=MGq}$`(~-AQ*;?1+_xXt7LW65J+=I+*Z+abn z(ICuzr(8*E(bDhNbIyJ1_P-|}r&z+;QJryA*y_yo{l9Kyi>z|Gb;M@f;mo7QL~Sftqgh`bqcf}Wr{q>^rlj9C>zEeVv;W1d-gQR- DXfr(| literal 0 HcmV?d00001 diff --git a/secrets/wireproxy.age b/secrets/wireproxy.age new file mode 100644 index 0000000..5c70004 --- /dev/null +++ b/secrets/wireproxy.age 
@@ -0,0 +1,23 @@ +age-encryption.org/v1 +-> ssh-ed25519 2P4nKw NCoqAJ+IdYnRedKv23voGjEeXJ2IKnn1ru8rEegSCmM +RAf5hshay9kyTUBSFhEerpaEdJquufIn61mj4G+2VU8 +-> ssh-ed25519 l/ODWA jZhbqHZpw4UYbmKcVaNLhmXHSkqQhYKDYOV+hiLydlI +mentg+0q55+4gwLFbzveXzPyGEmcFyQhaGdWBHrNPDk +-> ssh-ed25519 7+5K3Q MZA2Dc28X17/JQf01DuONHHttL9mfINFUpi6Ei4osTM +q/vfUr0H1grVFm/7lnwDCAD7athyXZTrwzZ7WLGMlOk +-> ssh-ed25519 Ow0TGw EMNg0QgRrIWtortkoHV5y3W8G2luAszGdJP6J5WFCQI +L8vDx4lkA9KP8wx1ycrmjdiU7cOyJMUzmBhJGJsqg1U +-> ssh-ed25519 cEINMA MxmgQmJQrjuzrpf6U3CCsu/ZHWlnItCs8PiuIt6SQ3k +ina1R2HbexQfWe/zpWGrpVa5dP6ZpTWyjztKtfV8YXw +-> ssh-ed25519 qbMKrQ fMOzVMLvy4tKtITfAiWwnPVnCMCH5Ocv7P7yVK3+0zM +S3MMdVcyL66pTEjTN9iYwW6QBMlZuvzKVa7TlS6Q/kA +-> ssh-ed25519 Z0mAzw y6INKLu8L3pwLdPRk1ukRGIoJksmUJkxXcZsA/h8BWc +p3mItFuMW+t2vQPfvhd6mlalJNad40+0+zVOm6TzJuE +-> ssh-ed25519 GNZYRg pEPVDnyXksxjYfJL/TzwxaMhU6V+/BbzUmhdlNRMHyE +yyZjjlPH5PwHnnnlAW186DwPbvPccQrFHkoN5m/rKn8 +-> ssh-ed25519 fd/ZLQ H5dx53Qv3Vi9d1LBQwrgCVpGDPw67xmq0yVpNyeYY0E +V2XZTH0gzAHvWBtm2njsj2LHu41i0MMv3pvqajgDU1w +-> ssh-ed25519 zQBiZw ejAkmQMJfIHOn04Wd3wB2HE/VvhUnBHhyOrDXlE11ig +cDSDnV2wSMnhIgwMrFnHhfrmL8D38NlCmyJ8QEyBG2E +--- 2jtmzQVCWGlDs+u3BYILcsEs6TSPCuA3A65pb8j8MDA +B^ MW݄[yb@ [p&W:B>$q:HwIFZ,.*gשgVbC0t6݌Z}F߬^`0M7Bi \ No newline at end of file