first commit

2025-09-17 16:39:03 +07:00 · 2025-09-17 16:39:03 +07:00 · 21737592da
commit 21737592da
27 changed files with 744 additions and 0 deletions
--- a/servers/vanessa/hardware-configuration.nix
+++ b/servers/vanessa/hardware-configuration.nix
@ -0,0 +1,31 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/vda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/vda2"; fsType = "ext4"; };
+  
+  networking = {
+    hostName = "vanessa";
+    interfaces.ens3 = {
+      useDHCP = false;
+      ipv4 = {
+        addresses = [{
+          address = "138.124.112.127";
+          prefixLength = 32;
+        }];
+        routes = [{
+          address = "10.0.0.1";
+          prefixLength = 32;
+        }];
+      };
+    };
+    defaultGateway = "10.0.0.1";
+    nameservers = ["1.1.1.1"];
+  };
+  
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+  system.stateVersion = "25.05";
+}
--- a/servers/vanessa/main.nix
+++ b/servers/vanessa/main.nix
@ -0,0 +1,31 @@
+{ config, pkgs, secret, ... }:
+
+{
+	imports = [
+		./hardware-configuration.nix
+		./nginx.nix
+	];
+	
+	services.yggdrasil.persistentKeys = true;
+	marzban = {
+		env = {
+			UVICORN_HOST = "vanessa.project-a.space";
+			UVICORN_PORT = secret.marzban.port;
+			SUDO_USERNAME = secret.marzban.sudo-username;
+			SUDO_PASSWORD = secret.marzban.sudo-password;
+			DOCS = true;
+		};
+		cert = true;
+		domain = "vanessa.project-a.space";
+		xray = import ../common/xray.nix {
+			server-domain = "vanessa.project-a.space";
+			port = secret.marzban.vless-port;
+			dest = secret.marzban.dest;
+			privateKey = secret.marzban.privateKey;
+			shortId = secret.marzban.shortId;
+			spiderX = secret.marzban.spiderX;
+		};
+	};
+
+	networking.firewall.allowedTCPPorts = [ secret.marzban.port secret.marzban.vless-port ];
+}
--- a/servers/vanessa/nginx.nix
+++ b/servers/vanessa/nginx.nix
@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+{
+	security.acme.defaults.email = "porject-a@project-a.space";
+	security.acme.acceptTerms = true;
+
+	services.nginx = {
+		enable = true;
+		recommendedTlsSettings = true;
+		recommendedOptimisation = true;
+		defaultSSLListenPort = 444;
+
+		streamConfig = ''
+			map $ssl_preread_server_name $name {
+				default                marzban;
+			}
+
+			upstream git {
+				server 127.0.0.1:444;
+			}
+
+			upstream marzban {
+				server 127.0.0.1:1080;
+			}
+
+			server {
+				listen 0.0.0.0:443;
+				listen [::0]:443;
+				proxy_pass $name;
+				ssl_preread on;
+				proxy_connect_timeout 1s;
+				proxy_timeout 1h;
+				proxy_buffer_size 16k;
+			}
+		'';
+	};
+}