first commit

servers/common/firewall.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+	networking.firewall = {
+		enable = true;
+		allowedTCPPorts = [ 80 443 1004 666 ];
+		allowedUDPPorts = [ 80 443 1004 666 ];
+	};
+}

servers/common/main.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, pkgs-unstable, ... }:
+
+{
+	imports = [
+		./ssh.nix
+		./users.nix
+		./yggdrasil.nix
+		./firewall.nix
+		./sudo.nix
+		./packages.nix
+	];
+	programs.fish.enable = true;
+
+	nix.settings.experimental-features = [ "nix-command" "flakes" ];
+	nix.settings.trusted-users = [ "root" "@wheel"  ];
+}

servers/common/packages.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, pkgs-unstable, ... }: 
+
+{
+	environment.systemPackages = 
+  	(with pkgs; [ # STABLE PACKAGES
+    	btop
+    	screen
+  	])
+  	++
+  	(with pkgs-unstable; [ # UNSTABLE PACKAGES
+    	bun
+  	]);
+}

servers/common/ssh.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+	services.openssh = {
+		enable = true;
+		ports = [ 1004 ];
+		settings = {
+			AllowGroups = [ "remote" ];
+			PasswordAuthentication = false;
+		};
+	};
+}

servers/common/sudo.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+	security.sudo.extraRules = [
+		{
+			groups = [ "wheel" ];
+    		commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
+  		}
+	];
+}

servers/common/users.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+	users = {
+		groups = {
+			remote = {};
+		};
+		users = {
+			in5ar = {
+				isNormalUser = true;
+				description = "IN5-AR";
+				extraGroups = [ "wheel" "docker" "remote"];
+				shell = pkgs.fish;
+				openssh.authorizedKeys.keys = [
+					''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg2GEI2xcR0E1LzJWDvF5eHNt93TcYy7W/qEI3XoVWr almiriqi@aqore-nix''
+				];
+				initialPassword = "ra5ni";
+			};
+		};
+	};
+}

servers/common/xray.nix

@@ -0,0 +1,62 @@
+{ server-domain, port, dest, privateKey, shortId, spiderX }:
+
+{
+	log.loglevel = "warning";
+	dns = {
+		servers = [ "1.1.1.1" ];
+		queryStrategy = "UseIPv4";
+	};
+	routing = {
+		rules = [
+			{
+				ip = [ "geoip:private" ];
+				outboundTag = "BLOCK";
+				type = "field";
+			}
+		];
+	};
+	inbounds = [
+		{
+			tag = "VLESS TCP REALITY";
+			listen = "0.0.0.0";
+			port = port;
+			protocol = "vless";
+			settings = {
+				clients = [];
+				decryption = "none";
+			};
+			streamSettings = {
+				network = "tcp";
+				tcpSettings = {};
+				security = "reality";
+				realitySettings = {
+					show = false;
+					dest = dest;
+					xver = 0;
+					serverNames = [
+						server-domain
+					];
+					privateKey = privateKey;
+					SpiderX = spiderX;
+					shortIds = [
+						shortId
+					];
+				};
+			};
+			sniffing = {
+        		enabled = true;
+        		destOverride = [ "http" "tls" "quic" ];
+			};
+		}
+	];
+	outbounds = [
+		{
+			protocol = "freedom";
+			tag = "DIRECT";
+		}
+		{
+			protocol = "blackhole";
+			tag = "BLOCK";
+		}
+	];
+}

servers/common/yggdrasil.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+
+{
+	services.yggdrasil = {
+		enable = true;
+		settings = {
+			Peers = [
+				"tls://kuber.project-a.space:666"
+				"tls://arti.project-a.space:666"
+				"tls://reine.project-a.space:666"
+			];
+			Listen = [
+				"tls://0.0.0.0:666"
+			];
+			IfName = "ygg0";
+		};
+	};
+}