From cb6af5e7c4cbdc6eac2f1ebdd416fbe8cd7e4783 Mon Sep 17 00:00:00 2001
From: tulg
Date: Mon, 11 May 2026 18:19:58 +0300
Subject: [PATCH] pain

---
 flake.nix | 1 -
 hosts/kittykat/configuration.nix | 7 +-
 hosts/overlord/configuration.nix | 4 +-
 hosts/virgil/home.nix | 1 -
 modules/home-manager/home.nix | 2 +-
 modules/home-manager/pkgs.nix | 6 +-
 modules/home-manager/stylix.nix | 2 +
 modules/nixos/services.nix | 14 ---
 modules/servers/per-host/kittykat/default.nix | 8 ++
 .../servers/per-host}/kittykat/traefik.nix | 14 ++-
 modules/servers/per-host/kittykat/tunnel.nix | 107 ++++++++++++++++++
 modules/servers/per-host/overlord/default.nix | 9 ++
 modules/servers/per-host/overlord/pz.nix | 33 ++++++
 modules/servers/per-host/overlord/share.nix | 2 +-
 .../servers/per-host}/overlord/slopfarms.nix | 0
 modules/servers/per-host/overlord/tunnel.nix | 107 ++++++++++++++++++
 16 files changed, 288 insertions(+), 29 deletions(-)
 create mode 100644 modules/servers/per-host/kittykat/default.nix
 rename {hosts => modules/servers/per-host}/kittykat/traefik.nix (90%)
 create mode 100644 modules/servers/per-host/kittykat/tunnel.nix
 create mode 100644 modules/servers/per-host/overlord/default.nix
 create mode 100644 modules/servers/per-host/overlord/pz.nix
 rename {hosts => modules/servers/per-host}/overlord/slopfarms.nix (100%)
 create mode 100644 modules/servers/per-host/overlord/tunnel.nix

diff --git a/flake.nix b/flake.nix
index cecdeca..09c136a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -59,7 +59,6 @@
     system = "x86_64-linux";
     pkgs = import nixpkgs {
       inherit system;
-      config.allowUnfree = true;
     };
   in {
     nixosConfigurations.virgil = nixpkgs.lib.nixosSystem {
diff --git a/hosts/kittykat/configuration.nix b/hosts/kittykat/configuration.nix
index dc2519f..f45da6b 100644
--- a/hosts/kittykat/configuration.nix
+++ b/hosts/kittykat/configuration.nix
@@ -9,11 +9,9 @@
     ./disko.nix
     ../../modules/nixos/networking/ssh.nix
     ../../modules/nixos/users/tulg.nix
-    ./traefik.nix
     ./home.nix
-    ../../modules/servers/per-host/kittykat/vaultwarden.nix
-
-    ../../modules/servers/per-host/kittykat/xray.nix
+    ../../modules/servers/per-host/kittykat
+    ../../modules/servers/common.nix
   ];
   networking.hostName = "kittykat";
@@ -27,6 +25,7 @@
       AllowTcpForwarding = true;
       X11Forwarding = true;
       GatewayPorts = "yes";
+      PermitTunnel = "yes";
     };
   };
   programs.bash.interactiveShellInit = ''
diff --git a/hosts/overlord/configuration.nix b/hosts/overlord/configuration.nix
index e8fd5d0..6eb1554 100644
--- a/hosts/overlord/configuration.nix
+++ b/hosts/overlord/configuration.nix
@@ -11,9 +11,7 @@
     ../../modules/nixos/networking/ssh.nix
     ../../modules/nixos/users/tulg.nix
     ../../modules/servers/common.nix
-    ../../modules/servers/per-host/overlord/nixarr.nix
-    ../../modules/servers/per-host/overlord/share.nix
-    ./slopfarms.nix
+    ../../modules/servers/per-host/overlord
   ];
   programs.tmux = {
     enable = true;
diff --git a/hosts/virgil/home.nix b/hosts/virgil/home.nix
index 6da56b6..c582a35 100644
--- a/hosts/virgil/home.nix
+++ b/hosts/virgil/home.nix
@@ -4,7 +4,6 @@
   useUserPackages = true;
   extraSpecialArgs = {inherit inputs;};
   backupFileExtension = "backup";
-
   users.tulg = {
     imports = [
       ../../modules/home-manager/home.nix
diff --git a/modules/home-manager/home.nix b/modules/home-manager/home.nix
index 9198578..7f8acd2 100644
--- a/modules/home-manager/home.nix
+++ b/modules/home-manager/home.nix
@@ -11,7 +11,7 @@
     ./stylix.nix
   ];
   # Home Manager settings
-  nix.nixPath = ["nixpkgs=${inputs.nixpkgs}"];
+  #nix.nixPath = ["nixpkgs=${inputs.nixpkgs}"];
   home.username = "tulg";
   home.homeDirectory = "/home/tulg";
   home.stateVersion = "25.05";
diff --git a/modules/home-manager/pkgs.nix b/modules/home-manager/pkgs.nix
index 629388e..3f7bc80 100644
--- a/modules/home-manager/pkgs.nix
+++ b/modules/home-manager/pkgs.nix
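Review bot: `PermitTunnel = "yes"` in the second kittykat hunk applies to every SSH login on kittykat, while only the root key that overlord's tunnel service uses needs it; the same setting is also defined in the new `modules/servers/per-host/kittykat/tunnel.nix`, so one of the two definitions is redundant (equal values should merge, but keeping a single source of truth avoids a conflict later if one side changes). Scoping it to the tunnel account with a `Match User root` block in `services.openssh.extraConfig` carrying `PermitTunnel yes`, or restricting that key's `authorized_keys` entry with `tunnel="0",restrict`, keeps layer-3 tunnel creation out of reach of other accounts; which accounts exist on kittykat is not visible here. The enclosing `services.openssh.settings` block starts outside the hunk.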
@@ -18,7 +18,7 @@
     swappy
     mpv
     vulkan-tools
-    pkgs.looking-glass-client
+    looking-glass-client
     fastfetch
     btop
     nicotine-plus
@@ -30,8 +30,8 @@
     file-roller
     hyprpaper
     hyprpolkitagent
-    pkgs.nixd
-    swww
+    nixd
+    awww
     grim
     slurp
     inxi
diff --git a/modules/home-manager/stylix.nix b/modules/home-manager/stylix.nix
index 654dcc2..c1ef8e0 100644
--- a/modules/home-manager/stylix.nix
+++ b/modules/home-manager/stylix.nix
@@ -13,6 +13,8 @@
     targets.zellij.enable = false;
     targets.tmux.enable = false;
     targets.kitty.enable = false;
+    targets.gnome-text-editor.enable = false;
+
     base16Scheme = "${pkgs.base16-schemes}/share/themes/rose-pine.yaml";
     fonts = {
diff --git a/modules/nixos/services.nix b/modules/nixos/services.nix
index 3476e20..bcefafd 100644
--- a/modules/nixos/services.nix
+++ b/modules/nixos/services.nix
@@ -19,21 +19,7 @@
       workstation = true;
     };
   };
-  services.tailscale = {
-    enable = true;
-    openFirewall = true;
-    extraSetFlags = [
-      "--accept-routes=false"
-      "--accept-dns=false"
-    ];
-    useRoutingFeatures = "client";
-    # interfaceName = "userspace-networking";
-  };
-  services.mullvad-vpn = {
-    enable = true;
-    package = pkgs.mullvad-vpn;
-  };
   services.v2raya.enable = true;
   programs.thunar.plugins = with pkgs; [
     thunar-archive-plugin
diff --git a/modules/servers/per-host/kittykat/default.nix b/modules/servers/per-host/kittykat/default.nix
new file mode 100644
index 0000000..a1e8bdb
--- /dev/null
+++ b/modules/servers/per-host/kittykat/default.nix
@@ -0,0 +1,8 @@
+{...}: {
+  imports = [
+    ./xray.nix
+    ./vaultwarden.nix
+    ./tunnel.nix
+    ./traefik.nix
+  ];
+}
diff --git a/hosts/kittykat/traefik.nix b/modules/servers/per-host/kittykat/traefik.nix
similarity index 90%
rename from hosts/kittykat/traefik.nix
rename to modules/servers/per-host/kittykat/traefik.nix
index a70b0e4..6b1017f 100644
--- a/hosts/kittykat/traefik.nix
+++ b/modules/servers/per-host/kittykat/traefik.nix
@@ -1,10 +1,22 @@
 {config, ...}: {
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [80 443 25565 25567];
+    allowedTCPPorts = [
+      80
+      443
+      25565
+      25567
+      16261
+      16262
+    ];
     extraInputRules = ''
       tcp dport 2053 drop
     '';
+
+    allowedUDPPorts = [
+      16261
+      16262
+    ];
   };
   services.static-web-server = {
diff --git a/modules/servers/per-host/kittykat/tunnel.nix b/modules/servers/per-host/kittykat/tunnel.nix
new file mode 100644
index 0000000..c4563a4
--- /dev/null
+++ b/modules/servers/per-host/kittykat/tunnel.nix
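Review bot: The new `16261` and `16262` entries in `allowedTCPPorts` open TCP listeners on kittykat itself, but the Zomboid redirect added in `modules/servers/per-host/kittykat/tunnel.nix` only DNATs UDP, so TCP to these ports terminates on kittykat, where nothing in this diff listens on them; unless a kittykat-local service needs them, drop the two TCP entries. The new `allowedUDPPorts = [ 16261 16262 ]` list is likewise already covered by `allowedUDPPorts = zomboidUdpPorts` in tunnel.nix (the lists are merged), so keeping the Zomboid ports in one module avoids the two drifting apart. A short comment on the remaining entries, e.g. `# 25565/25567: Minecraft; 80/443: traefik`, would make the purpose of each port reviewable — I am inferring those uses from the port numbers, so confirm before writing it.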
@@ -0,0 +1,107 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  # kittykat public NIC
+  publicInterface = "enp1s0";
+
+  # SSH tunnel IPs
+  overlordTunIp = "10.0.0.1";
+  kittykatTunIp = "10.0.0.2";
+
+  # Zomboid ports:
+  # 16261 = main game port
+  # 16262+ = player ports, using 16262-16272 as a sane test range
+  # 52015 = extra UDP port your server is listening on
+  zomboidUdpPorts = [
+    16261
+    16262
+    16263
+    16264
+    16265
+    16266
+    16267
+    16268
+    16269
+    16270
+    16271
+    16272
+    52015
+  ];
+in {
+  boot.kernelModules = ["tun"];
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitTunnel = "yes";
+
+      # Strongly prefer key-only root login if you're using root for the tunnel.
+      PasswordAuthentication = false;
+    };
+  };
+
+  # Declaratively create kittykat's tun0.
+  networking.interfaces.tun0 = {
+    virtual = true;
+    virtualType = "tun";
+    ipv4.addresses = [
+      {
+        address = kittykatTunIp;
+        prefixLength = 30;
+      }
+    ];
+  };
+
+  networking.firewall = {
+    enable = true;
+
+    # Public Zomboid UDP ports on kittykat.
+    allowedUDPPorts = zomboidUdpPorts;
+
+    # Allow tunnel-side packets too.
+    interfaces.tun0.allowedUDPPorts = zomboidUdpPorts;
+  };
+
+  networking.nftables = {
+    enable = true;
+
+    ruleset = ''
+      table ip zomboid_tunnel {
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept;
+
+          # Public players -> kittykat public IP -> overlord over tun0
+          iifname "${publicInterface}" udp dport 16261-16272 dnat to ${overlordTunIp}
+          iifname "${publicInterface}" udp dport 52015 dnat to ${overlordTunIp}:52015
+        }
+
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+
+          # Important:
+          # Make overlord see traffic as coming from kittykat's tun IP,
+          # so replies go back through the tunnel instead of overlord's normal internet route.
+          oifname "tun0" ip daddr ${overlordTunIp} udp dport 16261-16272 snat to ${kittykatTunIp}
+          oifname "tun0" ip daddr ${overlordTunIp} udp dport 52015 snat to ${kittykatTunIp}
+        }
+
+        chain forward {
+          type filter hook forward priority filter; policy accept;
+
+          # Public -> tunnel
+          iifname "${publicInterface}" oifname "tun0" ip daddr ${overlordTunIp} udp dport 16261-16272 accept
+          iifname "${publicInterface}" oifname "tun0" ip daddr ${overlordTunIp} udp dport 52015 accept
+
+          # Tunnel replies -> public
+          iifname "tun0" oifname "${publicInterface}" ip saddr ${overlordTunIp} accept
+        }
+      }
+    '';
+  };
+}
diff --git a/modules/servers/per-host/overlord/default.nix b/modules/servers/per-host/overlord/default.nix
new file mode 100644
index 0000000..434e964
--- /dev/null
+++ b/modules/servers/per-host/overlord/default.nix
@@ -0,0 +1,9 @@
+{...}: {
+  imports = [
+    ./nixarr.nix
+    ./share.nix
+    ./tunnel.nix
+    ./pz.nix
+    ./slopfarms.nix
+  ];
+}
diff --git a/modules/servers/per-host/overlord/pz.nix b/modules/servers/per-host/overlord/pz.nix
new file mode 100644
index 0000000..2cebbd5
--- /dev/null
+++ b/modules/servers/per-host/overlord/pz.nix
@@ -0,0 +1,33 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    steamcmd
+    jdk17
+    steam-run
+  ];
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      16261
+      16262
+    ];
+
+    allowedUDPPorts = [
+      16261
+      16262
+    ];
+  };
+
+  users.users.pzserver = {
+    isSystemUser = true;
+    group = "pzserver";
+    home = "/srv/pzserver-home";
+    createHome = true;
+  };
+
+  users.groups.pzserver = {};
+
+  systemd.tmpfiles.rules = [
+    "d /srv/pzserver 0755 pzserver pzserver -"
+    "d /srv/pzserver-home 0755 pzserver pzserver -"
+  ];
+}
diff --git a/modules/servers/per-host/overlord/share.nix b/modules/servers/per-host/overlord/share.nix
index 0ac9318..f4195b2 100644
--- a/modules/servers/per-host/overlord/share.nix
+++ b/modules/servers/per-host/overlord/share.nix
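Review bot: The `chain forward` in the kittykat tunnel.nix ruleset is declared with `policy accept`, so its three explicit `accept` rules change nothing, and since the same file sets `"net.ipv4.ip_forward" = 1`, kittykat will forward any packet routed through it — not only the DNATed Zomboid UDP — toward tun0 or the public NIC; nothing else in this diff filters the forward hook (as far as I recall the NixOS nftables firewall leaves it unfiltered unless `networking.firewall.filterForward` is enabled). Change the chain header to `type filter hook forward priority filter; policy drop;` and keep the existing accept rules, which already cover public→tunnel game traffic and tunnel→public replies. One operational caveat worth a comment next to the `snat to ${kittykatTunIp}` rules: every player reaches overlord from 10.0.0.2, so per-IP bans or connection logs on the game server see a single address; the comment explains why the SNAT exists but not this consequence.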
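Review bot: `allowedTCPPorts` and `allowedUDPPorts` in pz.nix open 16261/16262 on every interface of overlord, while the new `overlord/tunnel.nix` already opens the whole Zomboid UDP range on `tun0` only; if players are meant to reach the server exclusively through kittykat's tunnel, these global lists expose the game server on overlord's other interfaces too, so either drop them or move them under `interfaces.tun0` (and the TCP entries appear unused, since the kittykat side only redirects UDP). The file creates the `pzserver` user and `/srv/pzserver` directories but no unit that runs the server, so whether the server actually runs as `pzserver` (rather than interactively as root via `steam-run`) cannot be checked here; a comment naming the launch mechanism, e.g. `# server started by <unit or procedure>, runs as pzserver`, would close that gap.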
@@ -24,7 +24,7 @@
   services.samba = {
     enable = true;
-    shares.share = {
+    settings.share = {
       path = "/mnt/2tbhdd/nfs";
       browseable = "yes";
       writable = "yes";
diff --git a/hosts/overlord/slopfarms.nix b/modules/servers/per-host/overlord/slopfarms.nix
similarity index 100%
rename from hosts/overlord/slopfarms.nix
rename to modules/servers/per-host/overlord/slopfarms.nix
diff --git a/modules/servers/per-host/overlord/tunnel.nix b/modules/servers/per-host/overlord/tunnel.nix
new file mode 100644
index 0000000..756fb30
--- /dev/null
+++ b/modules/servers/per-host/overlord/tunnel.nix
@@ -0,0 +1,107 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  kittykatHost = "49.13.170.223";
+  sshKeyPath = "/root/.ssh/id_rsa";
+
+  overlordTunIp = "10.0.0.1";
+  kittykatTunIp = "10.0.0.2";
+
+  zomboidUdpPorts = [
+    16261
+    16262
+    16263
+    16264
+    16265
+    16266
+    16267
+    16268
+    16269
+    16270
+    16271
+    16272
+    52015
+  ];
+in {
+  boot.kernelModules = ["tun"];
+
+  networking.interfaces.tun0 = {
+    virtual = true;
+    virtualType = "tun";
+    ipv4.addresses = [
+      {
+        address = overlordTunIp;
+        prefixLength = 30;
+      }
+    ];
+  };
+
+  networking.firewall = {
+    enable = true;
+    interfaces.tun0.allowedUDPPorts = zomboidUdpPorts;
+  };
+
+  systemd.services.ssh-tun-kittykat = {
+    description = "Persistent SSH TUN tunnel to kittykat";
+
+    after = [
+      "network-online.target"
+      "systemd-networkd-wait-online.service"
+      "NetworkManager-wait-online.service"
+      "systemd-modules-load.service"
+      "network-addresses-tun0.service"
+    ];
+
+    wants = ["network-online.target"];
+    wantedBy = ["multi-user.target"];
+
+    path = [
+      pkgs.openssh
+      pkgs.iproute2
+      pkgs.coreutils
+      pkgs.kmod
+      pkgs.bash
+    ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "root";
+      Restart = "always";
+      RestartSec = "5s";
+      StartLimitIntervalSec = 0;
+    };
+
+    preStart = ''
+      modprobe tun || true
+
+      ip addr replace ${overlordTunIp}/30 dev tun0 || true
+      ip link set dev tun0 up || true
+
+      for i in $(seq 1 60); do
+        if ip route get ${kittykatHost} >/dev/null 2>&1; then
+          exit 0
+        fi
+        sleep 2
+      done
+
+      echo "No route to ${kittykatHost} after waiting."
+      exit 1
+    '';
+
+    script = ''
+      exec ssh \
+        -i ${sshKeyPath} \
+        -o BatchMode=yes \
+        -o StrictHostKeyChecking=accept-new \
+        -o ServerAliveInterval=15 \
+        -o ServerAliveCountMax=3 \
+        -o ExitOnForwardFailure=yes \
+        -o Tunnel=point-to-point \
+        -w 0:0 \
+        root@${kittykatHost} \
+        "ip addr replace ${kittykatTunIp}/30 dev tun0 && ip link set dev tun0 up && exec sleep infinity"
+    '';
+  };
+}
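Review bot: `-o StrictHostKeyChecking=accept-new` in the `script` block pins kittykat's host key only on first contact, so whoever answers on `49.13.170.223` the first time this unit runs (or after root's `known_hosts` is lost on a rebuild) receives overlord's root-authenticated session and the tunnel endpoint; since kittykat is a host you administer, its key is known and can be declared, e.g. `programs.ssh.knownHosts."49.13.170.223".publicKey = "<kittykat host key, from the page this is unknown>";` together with `-o StrictHostKeyChecking=yes`. The key at `/root/.ssh/id_rsa` is root's general-purpose key; a dedicated tunnel key whose `authorized_keys` entry on kittykat carries `tunnel="0",restrict,command="..."` limits what a compromised overlord could do there, since the remote command on the last `script` line runs as root. Minor: systemd documents `StartLimitIntervalSec` under `[Unit]`, so in NixOS it belongs in `unitConfig.StartLimitIntervalSec = 0;` rather than `serviceConfig` (the `[Service]` spelling is accepted only for compatibility, as far as I recall).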