Skip to content
This repository has been archived by the owner on Sep 15, 2024. It is now read-only.
/ nixos-vps Public archive

NixOS config for the VPSs hosting https://cynosure.red - ARCHIVE, merged with main config

git.cynosure.red/romner-set/nixos

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

romner-set/nixos-vps

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

130 Commits
.github/workflows
.github/workflows
 
 
common
common
 
 
hosts
hosts
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
flake.lock
flake.lock
 
 
flake.nix
flake.nix
 
 

Repository files navigation

Each VPS hosts (so far):

It's also worth noting that the VPSs are considered completely untrusted, so they only proxy already encrypted web traffic at the TCP level and publish records DNSSEC-signed by the trusted main server (to whose hardware I have physical access to).

Deploying a new VPS

Mostly a personal guide for convenience, should work for anyone trying to use this config though.

  1. Boot into an installer using kexec (https://github.com/nix-community/nixos-images), make sure an SSH key is set in /root/.ssh/authorized_keys. This only works for ARM machines, use the one in the linked README for x86

    curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-noninteractive-aarch64-linux.tar.gz | tar -xzf- -C /root
/root/kexec/run

    SSH into the new system afterwards.

  2. Format & mount persistent storage, install system

    hostname=REPLACEME
repo="romner-set/nixos-vps"

nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko --flake "github:$repo#$hostname"
nixos-install --no-root-passwd --flake "github:$repo#$hostname"

  3. Manually create /mnt/data/rathole.toml according to this template:

    [server]
bind_addr = "[::]:444"

[server.transport]
type = "noise"
[server.transport.noise]
pattern = "Noise_KK_25519_ChaChaPoly_BLAKE2s"
local_private_key = "REPLACEME" # created with `rathole --genkey`
remote_public_key = "kAucMFPz3+2RP+LTQ6X/LjBcIlmjQ+r8/vBtKe9NfWM=" # main server's pubkey

[server.services.doq]
type = "udp"
token = "REPLACEME"
bind_addr = "[::1]:853"
[server.services.http]
token = "REPLACEME"
bind_addr = "[::]:80"
[server.services.https]
token = "REPLACEME"
bind_addr = "[::]:443"
[server.services.http3]
type = "udp"
token = "REPLACEME"
bind_addr = "[::]:443"

  4. Setup /data & reboot

    cd /mnt/data
chmod 600 rathole.toml # see 3.
mkdir knot && chown 999:999 knot
reboot

  5. Update main server, i.e.

    1. Create new rathole keys & client config
    2. Authorize the VPS' knotc status cert-key

  6. Do something productive (or not) with the time you've just saved

About

NixOS config for the VPSs hosting https://cynosure.red - ARCHIVE, merged with main config

git.cynosure.red/romner-set/nixos

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages