diff --git a/modules/servers/general/beszel-agent.nix b/modules/servers/general/beszel-agent.nix
new file mode 100644
index 0000000..4fbbd0f
--- /dev/null
+++ b/modules/servers/general/beszel-agent.nix
@@ -0,0 +1,51 @@
+{pkgs, ...}: {
+ systemd.services.beszel-agent = {
+ enable = true;
+ description = "Beszel Agent";
+ after = ["network.target"];
+ wants = ["network.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ RestartSec = 3;
+ User = "beszel";
+ Group = "beszel";
+ WorkingDirectory = "/var/lib/beszel";
+ StateDirectory = "beszel-agent";
+
+ KeyringMode = "private";
+ LockPersonality = "yes";
+ NoNewPrivileges = "yes";
+ ProtectClock = "yes";
+ ProtectHome = "read-only";
+ ProtectHostname = "yes";
+ ProtectKernelLogs = "yes";
+ ProtectSystem = "strict";
+ RemoveIPC = "yes";
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ };
+
+ script = "${pkgs.beszel}/bin/beszel-agent -listen '45876' --key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+T3fFx+Sv8jBGr2gNUHfuwUCbGhj8Mr/h4pmkI2Zjn'";
+
+ wantedBy = ["multi-user.target"];
+ };
+
+ users = {
+ users.beszel = {
+ isSystemUser = true;
+ home = "/var/lib/beszel";
+ createHome = true;
+ group = "beszel";
+ };
+ groups.beszel = {};
+ };
+
+ networking.firewall.extraCommands = ''
+ iptables -N beszel # create a new chain named beszel
+ iptables -A beszel --src 65.21.241.194 -j ACCEPT # allow 65.21.241.194
+ iptables -A beszel -j DROP # drop everyone else
+ iptables -I INPUT -m tcp -p tcp --dport 45876 -j beszel # use chain beszel for packets coming to TCP port 45876
+ '';
+}
diff --git a/modules/servers/general/default.nix b/modules/servers/general/default.nix
index f6005fe..7645c87 100644
--- a/modules/servers/general/default.nix
+++ b/modules/servers/general/default.nix
@@ -7,5 +7,6 @@
./podman.nix
./additional-pkgs.nix
./root.nix
+ ./beszel-agent.nix
];
}
diff --git a/modules/servers/heimdall/beszel-hub.nix b/modules/servers/heimdall/beszel-hub.nix
new file mode 100644
index 0000000..0504331
--- /dev/null
+++ b/modules/servers/heimdall/beszel-hub.nix
@@ -0,0 +1,47 @@
+{pkgs, ...}: {
+ systemd.services.beszel-hub = {
+ enable = true;
+ description = "Beszel agent";
+ after = ["network.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ RestartSec = 3;
+ User = "beszel";
+ Group = "beszel";
+ WorkingDirectory = "/var/lib/beszel";
+ };
+
+ script = "${pkgs.beszel}/bin/beszel-hub serve --http '127.0.0.1:6789'";
+
+ wantedBy = ["multi-user.target"];
+ };
+
+ users = {
+ users.beszel = {
+ isSystemUser = true;
+ home = "/var/lib/beszel";
+ createHome = true;
+ group = "beszel";
+ };
+ groups.beszel = {};
+ };
+
+ services.traefik.dynamicConfigOptions.http = {
+ services.beszel.loadBalancer.servers = [
+ {
+ url = "http://localhost:6789";
+ }
+ ];
+
+ routers.beszel = {
+ rule = "Host(`beszel.cronyakatsuki.xyz`)";
+ tls = {
+ certResolver = "porkbun";
+ };
+ service = "beszel";
+ entrypoints = "websecure";
+ };
+ };
+}
diff --git a/modules/servers/heimdall/default.nix b/modules/servers/heimdall/default.nix
index d140b92..bf6c3e7 100644
--- a/modules/servers/heimdall/default.nix
+++ b/modules/servers/heimdall/default.nix
@@ -5,5 +5,6 @@
./wireguard.nix
./secrets.nix
./redlib.nix
+ ./beszel-hub.nix
];
}