update: system update & refactor

# Breaking Changes - sops location movod to "system/dev/<dev-name>/sops/sops-conf.nix" - flake devices declaration changes - whole flake update
2025-10-14 16:49:03 +08:00 · 2025-10-14 16:49:03 +08:00 · 6a71b601f5
commit 6a71b601f5
parent 321f740af0
116 changed files with 2576 additions and 3634 deletions
--- a/system/dev/dn-server/network/default.nix
+++ b/system/dev/dn-server/network/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./nginx.nix
+    ./services.nix
+    ./step-ca.nix
+  ];
+}
--- a/system/dev/dn-server/network/nginx.nix
+++ b/system/dev/dn-server/network/nginx.nix
@ -0,0 +1,77 @@
+{
+  config,
+  ...
+}:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      validMinDays = 2;
+      server = "https://10.0.0.1:${toString config.services.step-ca.port}/acme/acme/directory";
+      renewInterval = "daily";
+      email = "danny@net.dn";
+      dnsProvider = "pdns";
+      dnsPropagationCheck = false;
+      environmentFile = config.sops.secrets."acme/env".path;
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+      "files.${config.networking.domain}" = {
+        enableACME = true;
+        forceSSL = true;
+
+        root = "/var/www/files";
+        locations."/" = {
+          extraConfig = ''
+            autoindex on;
+            autoindex_exact_size off;
+            autoindex_localtime on;
+          '';
+        };
+
+        extraConfig = ''
+          types {
+            image/png png;
+            image/jpeg jpg jpeg;
+            image/gif gif;
+          }
+        '';
+      };
+
+      "webcam.net.dn" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."/ws/" = {
+          proxyPass = "http://10.0.0.130:8080/";
+          extraConfig = ''
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+          '';
+        };
+
+        locations."/".proxyPass = "http://10.0.0.130:8001/phone.html";
+      };
+
+      "ca.net.dn" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "https://10.0.0.1:8443/";
+        };
+      };
+    };
+  };
+}
--- a/system/dev/dn-server/network/services.nix
+++ b/system/dev/dn-server/network/services.nix
@ -0,0 +1,431 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.systemConf) username;
+
+  ethInterface = "enp0s31f6";
+  sshPorts = [ 30072 ];
+  sshPortsString = builtins.concatStringsSep ", " (builtins.map (p: builtins.toString p) sshPorts);
+
+  personal = {
+    inherit (config.networking) domain;
+    ip = "10.0.0.1/24";
+    interface = "wg0";
+    port = 51820;
+    range = "10.0.0.0/24";
+    full = "10.0.0.1/25";
+    restrict = "10.0.0.128/25";
+  };
+
+  kube = {
+    ip = "10.10.0.1/24";
+    range = "10.10.0.0/24";
+    interface = "wg1";
+    port = 51821;
+    masterIP = "10.10.0.1";
+    masterHostname = "api-kube.${config.networking.domain}";
+    masterAPIServerPort = 6443;
+  };
+
+  allowedSSHIPs = builtins.concatStringsSep ", " [
+    "122.117.215.55"
+    "192.168.100.1/24"
+    personal.range
+  ];
+
+  fullRoute = [
+    {
+      # Jonly
+      dns = "jonly";
+      publicKey = "GAayY6p8ST3I66kFSGY3seaHhfkrc6atcrFu2C9BDDs=";
+      allowedIPs = [ "10.0.0.5/32" ];
+    }
+    {
+      dns = "jonly-mac";
+      publicKey = "jPmeA0WH3vQw/PDNdJwYLfE7Ibl5oZGuta9UkZNEyTk=";
+      allowedIPs = [ "10.0.0.9/32" ];
+    }
+    {
+      # YC
+      dns = "yc";
+      publicKey = "5LfmjAg07ixmBCcsEn319UHqMRO3AdusXsoibGUqfQE=";
+      allowedIPs = [ "10.0.0.7/32" ];
+    }
+    {
+      # Tommy
+      dns = "tommy";
+      publicKey = "AxujfkiHLj09LoAXZl7yUf3fzyjorKOg8CfcJJvr2HQ=";
+      allowedIPs = [ "10.0.0.8/32" ];
+    }
+  ];
+
+  meshRoute = [
+    {
+      # pre7780.dn
+      dns = "pre7780";
+      publicKey = "WvvBRGbWUMUhSgodZNlhglacsWhMOTdHhJxcf81kTmQ=";
+      allowedIPs = [ "10.0.0.130/32" ];
+    }
+    {
+      # Skydrive
+      dns = "skydrive";
+      publicKey = "GceSQwI7XqYQw2oPmquuKdPqmt6KsYnoGuFoiaKRb0E=";
+      allowedIPs = [ "10.0.0.132/32" ];
+    }
+    {
+      # ken
+      dns = "phone.ken";
+      publicKey = "knRpD7qb2JejioJBP5HZgWCrDEOWUq27+ueWPYwnWws=";
+      allowedIPs = [ "10.0.0.134/32" ];
+    }
+    {
+      # lap.dn
+      dns = "lap";
+      publicKey = "Cm2AZU+zlv+ThMqah6WiLVxgPNvMHm9DEGd4PfywNWU=";
+      allowedIPs = [ "10.0.0.135/32" ];
+    }
+    {
+      # justin03
+      dns = "justin";
+      publicKey = "WOze/PPilBPqQudk1D4Se34zWV3UghKXWTG6M/f7bEM=";
+      allowedIPs = [ "10.0.0.136/32" ];
+    }
+    {
+      # ahhaha
+      dns = "ahhaha";
+      publicKey = "PGBqCPLxaFd/+KqwrjF6B6lqxvpPKos0sst5gk8p8Bo=";
+      allowedIPs = [ "10.0.0.137/32" ];
+    }
+    {
+      # oreo
+      dns = "oreo";
+      publicKey = "GXHRZ9DmVg7VtuJdvcHOGFCuFqH2Kd/c+3unrq7e5SE=";
+      allowedIPs = [ "10.0.0.139/32" ];
+    }
+    {
+      # phone.dn
+      dns = "phone";
+      publicKey = "XiR4NZLdHyOvzt+fdYoFDW2s/Su8nlz8UgrVPLISdBY=";
+      allowedIPs = [ "10.0.0.140/32" ];
+    }
+    {
+      # kavic
+      dns = "kavic";
+      publicKey = "VVzGcHjSo6QkvN6raS9g/NYLIrZ1xzxdnEronQaTIHs=";
+      allowedIPs = [ "10.0.0.141/32" ];
+    }
+    {
+      dns = "yc-mesh";
+      publicKey = "dKcEjRq9eYA8rXVfispNoKEbrs9R3ZIVlQi5AXfFch8=";
+      allowedIPs = [ "10.0.0.142/32" ];
+    }
+    {
+      dns = "jonly-mesh";
+      publicKey = "EyRL+iyKZJaqz9DXVsH2Ne/wVInx5hg9oQARrXP3/k0=";
+      allowedIPs = [ "10.0.0.143/32" ];
+    }
+    {
+      dns = "tommy-mesh";
+      publicKey = "oCRNCyg0bw6W6W87XQ4pIUW+WFi/bx9MG4cIwE23GxI=";
+      allowedIPs = [ "10.0.0.144/32" ];
+    }
+    {
+      # ken
+      dns = "pc.ken";
+      publicKey = "ERLMpSbSIYRN5HoKmvsk2852/aAvzjvMV7tOs0oupxI=";
+      allowedIPs = [ "10.0.0.145/32" ];
+    }
+    {
+      # Skydrive Lap
+      dns = "skydrive-mesh";
+      publicKey = "MK6UX8WadSbDXI3919F5EarYlZHjFNbHwYJH8Ub/YXk=";
+      allowedIPs = [ "10.0.0.146/32" ];
+    }
+    {
+      # Skydrive Phone
+      dns = "skydrive-mesh-phone";
+      publicKey = "K6Pd69/Hfu4ceCAp/JbeEL2QQ+/4ohugW1lAOxHFKDA=";
+      allowedIPs = [ "10.0.0.147/32" ];
+    }
+    {
+      # GCP
+      dns = "gcp";
+      publicKey = "5th0G9c7vHrhcByvPJAbrn2LXjLPqDEMsHzda0FGUTQ=";
+      allowedIPs = [ "10.0.0.148/32" ];
+    }
+  ];
+in
+{
+  networking = {
+    nat = {
+      enable = true;
+      enableIPv6 = true;
+      externalInterface = ethInterface;
+      internalInterfaces = [
+        personal.interface
+        kube.interface
+      ];
+    };
+
+    firewall = {
+      allowedUDPPorts = [
+        53
+        personal.port
+        kube.port
+        25565
+        kube.masterAPIServerPort
+        5359
+      ];
+      allowedTCPPorts = sshPorts ++ [
+        53
+        25565
+        kube.masterAPIServerPort
+        5359
+      ];
+    };
+
+    nftables = {
+      enable = true;
+      ruleset = ''
+        table inet wg-filter {
+          chain input {
+            type filter hook input priority 0; policy drop;
+
+            iif lo accept
+
+            meta nftrace set 1
+            meta l4proto { icmp, ipv6-icmp } accept
+
+            ct state vmap { invalid : drop, established : accept, related : accept }
+
+            udp dport 53 accept
+            tcp dport 53 accept
+
+            tcp dport { ${sshPortsString} } jump ssh-filter
+
+            iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${builtins.toString personal.port}, ${builtins.toString kube.port} } accept
+            iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
+            iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
+
+            counter reject
+          }
+
+          chain ssh-filter {
+            ip saddr { ${allowedSSHIPs} } accept
+            counter reject
+          }
+
+          chain forward {
+            type filter hook forward priority 0; policy drop;
+
+            meta l4proto { icmp, ipv6-icmp } accept
+
+            iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
+            iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
+
+            counter
+          }
+
+          chain kube-filter {
+            ip saddr ${kube.ip} ip daddr ${kube.ip} accept
+            counter drop
+          }
+
+          chain wg-subnet {
+            ip saddr ${personal.full} accept
+            ip saddr ${personal.restrict} ip daddr ${personal.range} accept
+            counter drop
+          }
+
+          chain postrouting {
+            type nat hook postrouting priority 100; policy accept;
+            oifname ${ethInterface} masquerade
+          }
+        }
+      '';
+    };
+
+    wireguard = {
+      enable = true;
+      interfaces = {
+        ${personal.interface} = {
+          ips = [ personal.ip ];
+          listenPort = personal.port;
+          privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
+          peers = builtins.map (r: {
+            inherit (r) publicKey allowedIPs;
+          }) (fullRoute ++ meshRoute);
+        };
+
+        ${kube.interface} = {
+          ips = [ kube.ip ];
+          listenPort = kube.port;
+          privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
+          peers = [ ];
+        };
+      };
+    };
+
+    extraHosts = "${kube.masterIP} ${kube.masterHostname}";
+  };
+
+  services = {
+    dbus.enable = true;
+    blueman.enable = true;
+
+    postgresql = {
+      enable = lib.mkDefault true;
+      authentication = ''
+        host  powerdnsadmin powerdnsadmin 127.0.0.1/32    trust
+      '';
+      ensureUsers = [
+        {
+          name = "powerdnsadmin";
+          ensureDBOwnership = true;
+        }
+        {
+          name = "pdns";
+          ensureDBOwnership = true;
+        }
+      ];
+      ensureDatabases = [
+        "powerdnsadmin"
+        "pdns"
+      ];
+    };
+
+    openssh = {
+      enable = true;
+      ports = sshPorts;
+      settings = {
+        PasswordAuthentication = false;
+        UseDns = false;
+        PermitRootLogin = "yes";
+      };
+    };
+
+    powerdns = {
+      enable = true;
+      extraConfig = ''
+        launch=gpgsql
+        loglevel=6
+        webserver-password=$WEB_PASSWORD
+        api=yes
+        api-key=$WEB_PASSWORD
+        gpgsql-host=/var/run/postgresql
+        gpgsql-dbname=pdns
+        gpgsql-user=pdns
+        gpgsql-dnssec=yes
+        webserver=yes
+        webserver-port=8081
+        local-port=5359
+        dnsupdate=yes
+        allow-dnsupdate-from=10.0.0.0/24
+      '';
+      secretFile = config.sops.secrets.powerdns.path;
+    };
+
+    pdns-recursor = {
+      enable = true;
+      forwardZones = {
+        "${config.networking.domain}." = "127.0.0.1:5359";
+        "pre7780.dn." = "127.0.0.1:5359";
+      };
+      forwardZonesRecurse = {
+        "." = "8.8.8.8";
+      };
+      dnssecValidation = "off";
+      dns.allowFrom = [
+        "127.0.0.0/8"
+        "10.0.0.0/24"
+        "192.168.100.0/24"
+        "::1/128"
+        "fc00::/7"
+        "fe80::/10"
+      ];
+      yaml-settings = {
+        webservice.webserver = true;
+      };
+    };
+
+    powerdns-admin = {
+      enable = true;
+      secretKeyFile = config.sops.secrets."powerdns-admin/secret".path;
+      saltFile = config.sops.secrets."powerdns-admin/salt".path;
+      config =
+        # python
+        ''
+          import cachelib
+
+          SESSION_TYPE = 'cachelib'
+          SESSION_CACHELIB = cachelib.simple.SimpleCache()
+          SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'
+        '';
+    };
+
+    xserver = {
+      enable = false;
+      xkb.layout = "us";
+    };
+  };
+
+  systemd.services.pdns-recursor.before = [ "acme-setup.service" ];
+  systemd.services.pdns.before = [ "acme-setup.service" ];
+
+  users.users = {
+    root.openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
+    ];
+
+    "${username}".openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
+    ];
+  };
+
+  virtualisation = {
+    oci-containers = {
+      backend = "docker";
+      containers = {
+        uptime-kuma = {
+          extraOptions = [ "--network=host" ];
+          image = "louislam/uptime-kuma:1";
+          volumes = [
+            "/var/lib/uptime-kuma:/app/data"
+            "${config.security.pki.caBundle}:/etc/ca.crt:ro"
+          ];
+          environment = {
+            NODE_EXTRA_CA_CERTS = "/etc/ca.crt";
+          };
+        };
+      };
+    };
+  };
+
+  systemd.services.raspamd-trainer = {
+    after = [ "pdns-recursor.service" ];
+  };
+
+  services.nginx.virtualHosts = {
+    "powerdns.${config.networking.domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/api".proxyPass = "http://127.0.0.1:8081";
+      locations."/".proxyPass = "http://127.0.0.1:8000";
+    };
+
+    "uptime.${config.networking.domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://localhost:3001";
+    };
+  };
+
+  nix.settings.trusted-users = [
+    username
+  ];
+}
--- a/system/dev/dn-server/network/step-ca.nix
+++ b/system/dev/dn-server/network/step-ca.nix
@ -0,0 +1,83 @@
+{ pkgs, config, ... }:
+{
+  environment.systemPackages = with pkgs; [ step-cli ];
+
+  users.users.step-ca = {
+    isSystemUser = true;
+    group = "step-ca";
+  };
+
+  users.groups.step-ca = { };
+
+  networking.firewall.allowedTCPPorts = [ 8443 ];
+
+  services.step-ca = {
+    enable = true;
+    address = "0.0.0.0";
+    settings = {
+      address = ":443";
+      authority = {
+        provisioners = [
+          {
+            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiUTZYbDJOdkFabGZZSTZ5QnBrZWp6dyJ9.z
+Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB1ezz4NvpSDe9GIweBlTLH4DpZ7As65QftJf-32vFeSjw_8So8ugpS2BmfWaMcL6rHxJG369zf-Ninecy3yg4AvQ0WvzUWCYnR2m5-B2YYFJ0SlTv-FXOf_412ZaGdIK9FQo
+8LszKMGzw0e3YkBuAAfEsqYaCTd27trDDPUelTVnC20zblVDEkBlusvoNeYEiy7nphjqy2OPW6bxLKdQMg-b9zVgZqkImRqojBBqnV85sBHaSyQWA9rP2PPJM8AVjVBtrVLG3YIVObbjiLAa21WMaFe1bW4LK7BNj7KwQ2JJzlBfkDkdmo3gZvYag--9AarieKeIumQ.Vxj5NwzSurT
+47yHhoiCOug";
+            key = {
+              alg = "ES256";
+              crv = "P-256";
+              kid = "ywqnDBi0j1wjIx4i8xOBhqd6sCqsI_Z7aGQ6QifKFtM";
+              kty = "EC";
+              use = "sig";
+              x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI";
+              y = "y5OFjciRMVg8ePaEsjSPWbKp_NjQ6U4CtbplRx7z3Bw";
+            };
+            name = "danny@net.dn";
+            type = "JWK";
+          }
+          {
+            claims = {
+              minTLSCertDuration = "32h";
+              maxTLSCertDuration = "72h";
+              defaultTLSCertDuration = "72h";
+            };
+            name = "acme";
+            options = {
+              enableRenewal = true;
+            };
+            type = "ACME";
+          }
+        ];
+      };
+      crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
+      db = {
+        badgerFileLoadingMode = "";
+        dataSource = "/var/lib/step-ca/db";
+        type = "badgerv2";
+      };
+      dnsNames = [
+        "10.0.0.1"
+        "ca.net.dn"
+      ];
+      federatedRoots = null;
+      insecureAddress = "";
+      key = "/var/lib/step-ca/secrets/intermediate_ca_key";
+      logger = {
+        format = "text";
+      };
+      root = "/var/lib/step-ca/certs/root_ca.crt";
+      tls = {
+        cipherSuites = [
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ];
+        maxVersion = 1.3;
+        minVersion = 1.2;
+        renegotiation = false;
+      };
+    };
+    port = 8443;
+    openFirewall = true;
+    intermediatePasswordFile = config.sops.secrets."step_ca/password".path;
+  };
+}