This commit is contained in:
tulg 2026-05-11 18:19:58 +03:00
parent 5acdaed42a
commit cb6af5e7c4
16 changed files with 288 additions and 29 deletions


@ -59,7 +59,6 @@
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
config.allowUnfree = true;
}; };
in { in {
nixosConfigurations.virgil = nixpkgs.lib.nixosSystem { nixosConfigurations.virgil = nixpkgs.lib.nixosSystem {


@ -9,11 +9,9 @@
./disko.nix ./disko.nix
../../modules/nixos/networking/ssh.nix ../../modules/nixos/networking/ssh.nix
../../modules/nixos/users/tulg.nix ../../modules/nixos/users/tulg.nix
./traefik.nix
./home.nix ./home.nix
../../modules/servers/per-host/kittykat/vaultwarden.nix ../../modules/servers/per-host/kittykat
../../modules/servers/common.nix
../../modules/servers/per-host/kittykat/xray.nix
]; ];
networking.hostName = "kittykat"; networking.hostName = "kittykat";
@ -27,6 +25,7 @@
AllowTcpForwarding = true; AllowTcpForwarding = true;
X11Forwarding = true; X11Forwarding = true;
GatewayPorts = "yes"; GatewayPorts = "yes";
PermitTunnel = "yes";
}; };
}; };
programs.bash.interactiveShellInit = '' programs.bash.interactiveShellInit = ''
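Review bot: `PermitTunnel = "yes"` on L35 permits both layer-2 and layer-3 tunnels, while the client side in this commit only ever requests `-o Tunnel=point-to-point`, so `PermitTunnel = "point-to-point";` is the narrower setting that still works. The same option is set a second time in the new kittykat tunnel module (its `services.openssh.settings` block), so one copy is redundant; keeping it only in the tunnel module puts the tunnel's prerequisites in one place. Because the tunnel logs in as root, limiting the option to that account with a `Match User root` block (via `extraConfig`) is tighter than enabling it for every SSH user; whether root login is permitted at all is not visible in this hunk.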


@ -11,9 +11,7 @@
../../modules/nixos/networking/ssh.nix ../../modules/nixos/networking/ssh.nix
../../modules/nixos/users/tulg.nix ../../modules/nixos/users/tulg.nix
../../modules/servers/common.nix ../../modules/servers/common.nix
../../modules/servers/per-host/overlord/nixarr.nix ../../modules/servers/per-host/overlord
../../modules/servers/per-host/overlord/share.nix
./slopfarms.nix
]; ];
programs.tmux = { programs.tmux = {
enable = true; enable = true;


@ -4,7 +4,6 @@
useUserPackages = true; useUserPackages = true;
extraSpecialArgs = {inherit inputs;}; extraSpecialArgs = {inherit inputs;};
backupFileExtension = "backup"; backupFileExtension = "backup";
users.tulg = { users.tulg = {
imports = [ imports = [
../../modules/home-manager/home.nix ../../modules/home-manager/home.nix


@ -11,7 +11,7 @@
./stylix.nix ./stylix.nix
]; ];
# Home Manager settings # Home Manager settings
nix.nixPath = ["nixpkgs=${inputs.nixpkgs}"]; #nix.nixPath = ["nixpkgs=${inputs.nixpkgs}"];
home.username = "tulg"; home.username = "tulg";
home.homeDirectory = "/home/tulg"; home.homeDirectory = "/home/tulg";
home.stateVersion = "25.05"; home.stateVersion = "25.05";


@ -18,7 +18,7 @@
swappy swappy
mpv mpv
vulkan-tools vulkan-tools
pkgs.looking-glass-client looking-glass-client
fastfetch fastfetch
btop btop
nicotine-plus nicotine-plus
@ -30,8 +30,8 @@
file-roller file-roller
hyprpaper hyprpaper
hyprpolkitagent hyprpolkitagent
pkgs.nixd nixd
swww awww
grim grim
slurp slurp
inxi inxi


@ -13,6 +13,8 @@
targets.zellij.enable = false; targets.zellij.enable = false;
targets.tmux.enable = false; targets.tmux.enable = false;
targets.kitty.enable = false; targets.kitty.enable = false;
targets.gnome-text-editor.enable = false;
base16Scheme = "${pkgs.base16-schemes}/share/themes/rose-pine.yaml"; base16Scheme = "${pkgs.base16-schemes}/share/themes/rose-pine.yaml";
fonts = { fonts = {


@ -19,21 +19,7 @@
workstation = true; workstation = true;
}; };
}; };
services.tailscale = {
enable = true;
openFirewall = true;
extraSetFlags = [
"--accept-routes=false"
"--accept-dns=false"
];
useRoutingFeatures = "client";
# interfaceName = "userspace-networking";
};
services.mullvad-vpn = {
enable = true;
package = pkgs.mullvad-vpn;
};
services.v2raya.enable = true; services.v2raya.enable = true;
programs.thunar.plugins = with pkgs; [ programs.thunar.plugins = with pkgs; [
thunar-archive-plugin thunar-archive-plugin


@ -0,0 +1,8 @@
{...}: {
imports = [
./xray.nix
./vaultwarden.nix
./tunnel.nix
./traefik.nix
];
}


@ -1,10 +1,22 @@
{config, ...}: { {config, ...}: {
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [80 443 25565 25567]; allowedTCPPorts = [
80
443
25565
25567
16261
16262
];
extraInputRules = '' extraInputRules = ''
tcp dport 2053 drop tcp dport 2053 drop
''; '';
allowedUDPPorts = [
16261
16262
];
}; };
services.static-web-server = { services.static-web-server = {
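Review bot: TCP 16261 and 16262 are opened on L146-L153, but the only forwarding of game traffic in this commit (the `zomboid_tunnel` nftables ruleset) rewrites UDP only, and nothing in the visible files listens on those TCP ports on this host, so the TCP entries expose ports with no handler. If Zomboid needs TCP as well, the DNAT, SNAT and forward rules need matching `tcp dport` lines; otherwise drop the two TCP entries. Assuming this fragment belongs to kittykat (the 80/443 and traefik move suggests so), the UDP entries on L157-L160 overlap with the tunnel module's `allowedUDPPorts = zomboidUdpPorts;` — NixOS merges the lists — and the two port sets already differ, this one stopping at 16262 while the tunnel opens 16261-16272 and 52015; one shared definition of the port set would keep them from drifting.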


@ -0,0 +1,107 @@
{
config,
pkgs,
...
}: let
# kittykat public NIC
publicInterface = "enp1s0";
# SSH tunnel IPs
overlordTunIp = "10.0.0.1";
kittykatTunIp = "10.0.0.2";
# Zomboid ports:
# 16261 = main game port
# 16262+ = player ports, using 16262-16272 as a sane test range
# 52015 = extra UDP port your server is listening on
zomboidUdpPorts = [
16261
16262
16263
16264
16265
16266
16267
16268
16269
16270
16271
16272
52015
];
in {
boot.kernelModules = ["tun"];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
};
services.openssh = {
enable = true;
settings = {
PermitTunnel = "yes";
# Strongly prefer key-only root login if you're using root for the tunnel.
PasswordAuthentication = false;
};
};
# Declaratively create kittykat's tun0.
networking.interfaces.tun0 = {
virtual = true;
virtualType = "tun";
ipv4.addresses = [
{
address = kittykatTunIp;
prefixLength = 30;
}
];
};
networking.firewall = {
enable = true;
# Public Zomboid UDP ports on kittykat.
allowedUDPPorts = zomboidUdpPorts;
# Allow tunnel-side packets too.
interfaces.tun0.allowedUDPPorts = zomboidUdpPorts;
};
networking.nftables = {
enable = true;
ruleset = ''
table ip zomboid_tunnel {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
# Public players -> kittykat public IP -> overlord over tun0
iifname "${publicInterface}" udp dport 16261-16272 dnat to ${overlordTunIp}
iifname "${publicInterface}" udp dport 52015 dnat to ${overlordTunIp}:52015
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
# Important:
# Make overlord see traffic as coming from kittykat's tun IP,
# so replies go back through the tunnel instead of overlord's normal internet route.
oifname "tun0" ip daddr ${overlordTunIp} udp dport 16261-16272 snat to ${kittykatTunIp}
oifname "tun0" ip daddr ${overlordTunIp} udp dport 52015 snat to ${kittykatTunIp}
}
chain forward {
type filter hook forward priority filter; policy accept;
# Public -> tunnel
iifname "${publicInterface}" oifname "tun0" ip daddr ${overlordTunIp} udp dport 16261-16272 accept
iifname "${publicInterface}" oifname "tun0" ip daddr ${overlordTunIp} udp dport 52015 accept
# Tunnel replies -> public
iifname "tun0" oifname "${publicInterface}" ip saddr ${overlordTunIp} accept
}
}
'';
};
}
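Review bot: The `forward` chain on L245-L252 is declared with `policy accept`, so its three `accept` rules never change the outcome and, with `net.ipv4.ip_forward = 1` on L199, kittykat will forward any packet between enp1s0 and tun0; NixOS's own nftables firewall does not filter the forward hook unless `networking.firewall.filterForward` is set. Use `type filter hook forward priority filter; policy drop;` and add `ct state established,related accept` as the first rule so that only the DNAT'd game traffic and its replies pass. The reply rule on L251 also accepts any protocol from the tunnel peer; limiting it to `ct state established,related` (or to the same UDP ports) keeps the host from relaying arbitrary traffic from overlord to the internet. The comment on L180 (`extra UDP port your server is listening on`) reads as pasted text; state what 52015 is for in this deployment.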


@ -0,0 +1,9 @@
{...}: {
imports = [
./nixarr.nix
./share.nix
./tunnel.nix
./pz.nix
./slopfarms.nix
];
}


@ -0,0 +1,33 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
steamcmd
jdk17
steam-run
];
networking.firewall = {
allowedTCPPorts = [
16261
16262
];
allowedUDPPorts = [
16261
16262
];
};
users.users.pzserver = {
isSystemUser = true;
group = "pzserver";
home = "/srv/pzserver-home";
createHome = true;
};
users.groups.pzserver = {};
systemd.tmpfiles.rules = [
"d /srv/pzserver 0755 pzserver pzserver -"
"d /srv/pzserver-home 0755 pzserver pzserver -"
];
}
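Review bot: The firewall block on L280-L289 opens 16261/16262 over TCP and UDP on every interface of overlord, while the tunnel design has players reach the server only through kittykat and tun0 (the tunnel module already opens the UDP ports with `interfaces.tun0.allowedUDPPorts`), so these host-wide openings widen exposure beyond the intended single entry point; scoping them under `networking.firewall.interfaces.tun0` or removing them preserves that design. The port list here (16261-16262) also differs from the one the tunnel forwards (16261-16272 and 52015); a shared binding for `zomboidUdpPorts` imported by both modules would prevent drift. The `pzserver` user and `/srv/pzserver` directories are created on L290-L300, but no service unit is visible in this commit, so it is unclear what launches the server and under which user; a comment in this file stating how it is started would help the next reader.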


@ -24,7 +24,7 @@
services.samba = { services.samba = {
enable = true; enable = true;
shares.share = { settings.share = {
path = "/mnt/2tbhdd/nfs"; path = "/mnt/2tbhdd/nfs";
browseable = "yes"; browseable = "yes";
writable = "yes"; writable = "yes";


@ -0,0 +1,107 @@
{
config,
pkgs,
...
}: let
kittykatHost = "49.13.170.223";
sshKeyPath = "/root/.ssh/id_rsa";
overlordTunIp = "10.0.0.1";
kittykatTunIp = "10.0.0.2";
zomboidUdpPorts = [
16261
16262
16263
16264
16265
16266
16267
16268
16269
16270
16271
16272
52015
];
in {
boot.kernelModules = ["tun"];
networking.interfaces.tun0 = {
virtual = true;
virtualType = "tun";
ipv4.addresses = [
{
address = overlordTunIp;
prefixLength = 30;
}
];
};
networking.firewall = {
enable = true;
interfaces.tun0.allowedUDPPorts = zomboidUdpPorts;
};
systemd.services.ssh-tun-kittykat = {
description = "Persistent SSH TUN tunnel to kittykat";
after = [
"network-online.target"
"systemd-networkd-wait-online.service"
"NetworkManager-wait-online.service"
"systemd-modules-load.service"
"network-addresses-tun0.service"
];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
path = [
pkgs.openssh
pkgs.iproute2
pkgs.coreutils
pkgs.kmod
pkgs.bash
];
serviceConfig = {
Type = "simple";
User = "root";
Restart = "always";
RestartSec = "5s";
StartLimitIntervalSec = 0;
};
preStart = ''
modprobe tun || true
ip addr replace ${overlordTunIp}/30 dev tun0 || true
ip link set dev tun0 up || true
for i in $(seq 1 60); do
if ip route get ${kittykatHost} >/dev/null 2>&1; then
exit 0
fi
sleep 2
done
echo "No route to ${kittykatHost} after waiting."
exit 1
'';
script = ''
exec ssh \
-i ${sshKeyPath} \
-o BatchMode=yes \
-o StrictHostKeyChecking=accept-new \
-o ServerAliveInterval=15 \
-o ServerAliveCountMax=3 \
-o ExitOnForwardFailure=yes \
-o Tunnel=point-to-point \
-w 0:0 \
root@${kittykatHost} \
"ip addr replace ${kittykatTunIp}/30 dev tun0 && ip link set dev tun0 up && exec sleep infinity"
'';
};
}
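Review bot: `StrictHostKeyChecking=accept-new` on L398 trusts whatever host key kittykat presents the first time this unit runs, and the session then runs root-level `ip` commands on the remote, so pin the key instead with `programs.ssh.knownHosts` (or `-o UserKnownHostsFile=` pointing at a managed file) and use `StrictHostKeyChecking=yes`. The key at `/root/.ssh/id_rsa` also grants unrestricted root on kittykat; the matching `authorized_keys` entry there can carry `restrict,tunnel="0",command="<the ip addr/link commands>"` so that a compromise of overlord yields only the tunnel. `StartLimitIntervalSec = 0` on L379 sits in `serviceConfig`, but it is a `[Unit]` setting and systemd may ignore it under `[Service]`; move it to `unitConfig.StartLimitIntervalSec = 0;` if the intent is unlimited restarts. Every `ip` step in `preStart` (L382-L384) ends in `|| true`, which hides a failure to bring up tun0 until the ssh command fails later; dropping `|| true` from the address and link lines surfaces the real cause in the journal.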