pain

2026-05-11 18:19:58 +03:00 · 2026-05-11 18:19:58 +03:00 · cb6af5e7c4
commit cb6af5e7c4
parent 5acdaed42a
16 changed files with 288 additions and 29 deletions
--- a/modules/home-manager/home.nix
+++ b/modules/home-manager/home.nix
@ -11,7 +11,7 @@
    ./stylix.nix
  ];
  # Home Manager settings
-  nix.nixPath = ["nixpkgs=${inputs.nixpkgs}"];
+  #nix.nixPath = ["nixpkgs=${inputs.nixpkgs}"];
  home.username = "tulg";
  home.homeDirectory = "/home/tulg";
  home.stateVersion = "25.05";
--- a/modules/home-manager/pkgs.nix
+++ b/modules/home-manager/pkgs.nix
@ -18,7 +18,7 @@
    swappy
    mpv
    vulkan-tools
-    pkgs.looking-glass-client
+    looking-glass-client
    fastfetch
    btop
    nicotine-plus
@ -30,8 +30,8 @@
    file-roller
    hyprpaper
    hyprpolkitagent
-    pkgs.nixd
-    swww
+    nixd
+    awww
    grim
    slurp
    inxi
--- a/modules/home-manager/stylix.nix
+++ b/modules/home-manager/stylix.nix
@ -13,6 +13,8 @@
    targets.zellij.enable = false;
    targets.tmux.enable = false;
    targets.kitty.enable = false;
+    targets.gnome-text-editor.enable = false;
+
    base16Scheme = "${pkgs.base16-schemes}/share/themes/rose-pine.yaml";

    fonts = {
--- a/modules/nixos/services.nix
+++ b/modules/nixos/services.nix
@ -19,21 +19,7 @@
      workstation = true;
    };
  };
-  services.tailscale = {
-    enable = true;
-    openFirewall = true;
-    extraSetFlags = [
-      "--accept-routes=false"
-      "--accept-dns=false"
-    ];
-    useRoutingFeatures = "client";

-    # interfaceName = "userspace-networking";
-  };
-  services.mullvad-vpn = {
-    enable = true;
-    package = pkgs.mullvad-vpn;
-  };
  services.v2raya.enable = true;
  programs.thunar.plugins = with pkgs; [
    thunar-archive-plugin
--- a/modules/servers/per-host/kittykat/default.nix
+++ b/modules/servers/per-host/kittykat/default.nix
@ -0,0 +1,8 @@
+{...}: {
+  imports = [
+    ./xray.nix
+    ./vaultwarden.nix
+    ./tunnel.nix
+    ./traefik.nix
+  ];
+}
--- a/modules/servers/per-host/kittykat/traefik.nix
+++ b/modules/servers/per-host/kittykat/traefik.nix
@ -0,0 +1,79 @@
+{config, ...}: {
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+      25565
+      25567
+      16261
+      16262
+    ];
+    extraInputRules = ''
+      tcp dport 2053 drop
+    '';
+
+    allowedUDPPorts = [
+      16261
+      16262
+    ];
+  };
+
+  services.static-web-server = {
+    enable = true;
+    listen = "127.0.0.1:8080";
+    root = "/var/www/kittykat";
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/www/kittykat 0755 root root -"
+  ];
+
+  services.traefik = {
+    enable = true;
+
+    staticConfigOptions = {
+      entryPoints = {
+        web = {
+          address = ":80";
+          http.redirections.entryPoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+
+        websecure = {
+          address = ":443";
+          http.tls.certResolver = "letsencrypt";
+        };
+      };
+
+      log = {
+        level = "INFO";
+        filePath = "${config.services.traefik.dataDir}/traefik.log";
+        format = "json";
+      };
+
+      certificatesResolvers.letsencrypt.acme = {
+        email = "tulg@protonmail.ch";
+        storage = "${config.services.traefik.dataDir}/acme.json";
+        httpChallenge.entryPoint = "web";
+      };
+
+      api.dashboard = true;
+    };
+
+    dynamicConfigOptions.http = {
+      routers.plain-html = {
+        rule = "Host(`poggerer.xyz`)";
+        entryPoints = ["websecure"];
+        service = "plain-html";
+        tls.certResolver = "letsencrypt";
+      };
+
+      services.plain-html.loadBalancer.servers = [
+        {url = "http://127.0.0.1:8080";}
+      ];
+    };
+  };
+}
--- a/modules/servers/per-host/kittykat/tunnel.nix
+++ b/modules/servers/per-host/kittykat/tunnel.nix
@ -0,0 +1,107 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  # kittykat public NIC
+  publicInterface = "enp1s0";
+
+  # SSH tunnel IPs
+  overlordTunIp = "10.0.0.1";
+  kittykatTunIp = "10.0.0.2";
+
+  # Zomboid ports:
+  # 16261 = main game port
+  # 16262+ = player ports, using 16262-16272 as a sane test range
+  # 52015 = extra UDP port your server is listening on
+  zomboidUdpPorts = [
+    16261
+    16262
+    16263
+    16264
+    16265
+    16266
+    16267
+    16268
+    16269
+    16270
+    16271
+    16272
+    52015
+  ];
+in {
+  boot.kernelModules = ["tun"];
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitTunnel = "yes";
+
+      # Strongly prefer key-only root login if you're using root for the tunnel.
+      PasswordAuthentication = false;
+    };
+  };
+
+  # Declaratively create kittykat's tun0.
+  networking.interfaces.tun0 = {
+    virtual = true;
+    virtualType = "tun";
+    ipv4.addresses = [
+      {
+        address = kittykatTunIp;
+        prefixLength = 30;
+      }
+    ];
+  };
+
+  networking.firewall = {
+    enable = true;
+
+    # Public Zomboid UDP ports on kittykat.
+    allowedUDPPorts = zomboidUdpPorts;
+
+    # Allow tunnel-side packets too.
+    interfaces.tun0.allowedUDPPorts = zomboidUdpPorts;
+  };
+
+  networking.nftables = {
+    enable = true;
+
+    ruleset = ''
+      table ip zomboid_tunnel {
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept;
+
+          # Public players -> kittykat public IP -> overlord over tun0
+          iifname "${publicInterface}" udp dport 16261-16272 dnat to ${overlordTunIp}
+          iifname "${publicInterface}" udp dport 52015 dnat to ${overlordTunIp}:52015
+        }
+
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+
+          # Important:
+          # Make overlord see traffic as coming from kittykat's tun IP,
+          # so replies go back through the tunnel instead of overlord's normal internet route.
+          oifname "tun0" ip daddr ${overlordTunIp} udp dport 16261-16272 snat to ${kittykatTunIp}
+          oifname "tun0" ip daddr ${overlordTunIp} udp dport 52015 snat to ${kittykatTunIp}
+        }
+
+        chain forward {
+          type filter hook forward priority filter; policy accept;
+
+          # Public -> tunnel
+          iifname "${publicInterface}" oifname "tun0" ip daddr ${overlordTunIp} udp dport 16261-16272 accept
+          iifname "${publicInterface}" oifname "tun0" ip daddr ${overlordTunIp} udp dport 52015 accept
+
+          # Tunnel replies -> public
+          iifname "tun0" oifname "${publicInterface}" ip saddr ${overlordTunIp} accept
+        }
+      }
+    '';
+  };
+}
--- a/modules/servers/per-host/overlord/default.nix
+++ b/modules/servers/per-host/overlord/default.nix
@ -0,0 +1,9 @@
+{...}: {
+  imports = [
+    ./nixarr.nix
+    ./share.nix
+    ./tunnel.nix
+    ./pz.nix
+    ./slopfarms.nix
+  ];
+}
--- a/modules/servers/per-host/overlord/pz.nix
+++ b/modules/servers/per-host/overlord/pz.nix
@ -0,0 +1,33 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    steamcmd
+    jdk17
+    steam-run
+  ];
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      16261
+      16262
+    ];
+
+    allowedUDPPorts = [
+      16261
+      16262
+    ];
+  };
+
+  users.users.pzserver = {
+    isSystemUser = true;
+    group = "pzserver";
+    home = "/srv/pzserver-home";
+    createHome = true;
+  };
+
+  users.groups.pzserver = {};
+
+  systemd.tmpfiles.rules = [
+    "d /srv/pzserver 0755 pzserver pzserver -"
+    "d /srv/pzserver-home 0755 pzserver pzserver -"
+  ];
+}
--- a/modules/servers/per-host/overlord/share.nix
+++ b/modules/servers/per-host/overlord/share.nix
@ -24,7 +24,7 @@
  services.samba = {
    enable = true;

-    shares.share = {
+    settings.share = {
      path = "/mnt/2tbhdd/nfs";
      browseable = "yes";
      writable = "yes";
--- a/modules/servers/per-host/overlord/slopfarms.nix
+++ b/modules/servers/per-host/overlord/slopfarms.nix
@ -0,0 +1,92 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  services.n8n = {
+    enable = true;
+    openFirewall = true;
+
+    environment = {
+      host = "0.0.0.0";
+      port = 5678;
+      protocol = "http";
+    };
+
+    environment = {
+      N8N_SECURE_COOKIE = "false";
+
+      N8N_EXECUTE_COMMAND_ENABLED = "true";
+      N8N_ENABLE_EXECUTE_COMMAND = "true";
+      NODES_EXCLUDE = "[]";
+      N8N_NODES_INCLUDE = "n8n-nodes-base.executeCommand";
+
+      N8N_BINARY_DATA_STORAGE_PATH = "/srv/slopfarm";
+    };
+  };
+
+  systemd.services.n8n.serviceConfig = {
+    ReadWritePaths = ["/srv/slopfarm"];
+
+    SupplementaryGroups = ["video" "render"];
+
+    PrivateDevices = lib.mkForce false;
+    DevicePolicy = lib.mkForce "auto";
+    DeviceAllow = [
+      "/dev/nvidiactl rw"
+      "/dev/nvidia0 rw"
+      "/dev/nvidia-uvm rw"
+      "/dev/nvidia-uvm-tools rw"
+      "/dev/nvidia-modeset rw"
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    ffmpeg
+    piper-tts
+    git
+    yt-dlp
+    cudaPackages.cudatoolkit
+
+    (python3.withPackages (ps:
+      with ps; [
+        requests
+        aiohttp
+        praw
+
+        torch
+        torchvision
+        transformers
+        accelerate
+        sentencepiece
+        safetensors
+
+        soundfile
+        librosa
+        pydub
+        scipy
+
+        pillow
+        moviepy
+        imageio
+        imageio-ffmpeg
+        opencv4
+
+        numpy
+        tqdm
+        regex
+        python-dotenv
+        pysrt
+        flask
+      ]))
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d /srv/slopfarm 0755 n8n n8n -"
+    "d /srv/slopfarm/input 0755 n8n n8n -"
+    "d /srv/slopfarm/output 0755 n8n n8n -"
+    "d /srv/slopfarm/scripts 0755 n8n n8n -"
+    "d /srv/slopfarm/backgrounds 0755 n8n n8n -"
+    "d /srv/slopfarm/voices 0755 n8n n8n -"
+  ];
+}
--- a/modules/servers/per-host/overlord/tunnel.nix
+++ b/modules/servers/per-host/overlord/tunnel.nix
@ -0,0 +1,107 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  kittykatHost = "49.13.170.223";
+  sshKeyPath = "/root/.ssh/id_rsa";
+
+  overlordTunIp = "10.0.0.1";
+  kittykatTunIp = "10.0.0.2";
+
+  zomboidUdpPorts = [
+    16261
+    16262
+    16263
+    16264
+    16265
+    16266
+    16267
+    16268
+    16269
+    16270
+    16271
+    16272
+    52015
+  ];
+in {
+  boot.kernelModules = ["tun"];
+
+  networking.interfaces.tun0 = {
+    virtual = true;
+    virtualType = "tun";
+    ipv4.addresses = [
+      {
+        address = overlordTunIp;
+        prefixLength = 30;
+      }
+    ];
+  };
+
+  networking.firewall = {
+    enable = true;
+    interfaces.tun0.allowedUDPPorts = zomboidUdpPorts;
+  };
+
+  systemd.services.ssh-tun-kittykat = {
+    description = "Persistent SSH TUN tunnel to kittykat";
+
+    after = [
+      "network-online.target"
+      "systemd-networkd-wait-online.service"
+      "NetworkManager-wait-online.service"
+      "systemd-modules-load.service"
+      "network-addresses-tun0.service"
+    ];
+
+    wants = ["network-online.target"];
+    wantedBy = ["multi-user.target"];
+
+    path = [
+      pkgs.openssh
+      pkgs.iproute2
+      pkgs.coreutils
+      pkgs.kmod
+      pkgs.bash
+    ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "root";
+      Restart = "always";
+      RestartSec = "5s";
+      StartLimitIntervalSec = 0;
+    };
+
+    preStart = ''
+      modprobe tun || true
+
+      ip addr replace ${overlordTunIp}/30 dev tun0 || true
+      ip link set dev tun0 up || true
+
+      for i in $(seq 1 60); do
+        if ip route get ${kittykatHost} >/dev/null 2>&1; then
+          exit 0
+        fi
+        sleep 2
+      done
+
+      echo "No route to ${kittykatHost} after waiting."
+      exit 1
+    '';
+
+    script = ''
+      exec ssh \
+        -i ${sshKeyPath} \
+        -o BatchMode=yes \
+        -o StrictHostKeyChecking=accept-new \
+        -o ServerAliveInterval=15 \
+        -o ServerAliveCountMax=3 \
+        -o ExitOnForwardFailure=yes \
+        -o Tunnel=point-to-point \
+        -w 0:0 \
+        root@${kittykatHost} \
+        "ip addr replace ${kittykatTunIp}/30 dev tun0 && ip link set dev tun0 up && exec sleep infinity"
+    '';
+  };
+}