From 8fa4b314b071bf5eca04d0dce76177d112ab34fa Mon Sep 17 00:00:00 2001
From: Atridad Lahiji
Date: Fri, 6 Feb 2026 18:30:57 -0700
Subject: [PATCH] Try this
---
configuration.nix | 18 ++
flake.nix | 21 +++
modules/boot.nix | 18 ++
modules/hardware.nix | 5 +
modules/locale.nix | 9 +
modules/networking.nix | 16 ++
modules/nginx.nix | 363 +++++++++++++++++++++++++++++++++++++++++
modules/services.nix | 13 ++
modules/users.nix | 17 ++
settings.nix | 8 +
10 files changed, 488 insertions(+)
create mode 100644 configuration.nix
create mode 100644 flake.nix
create mode 100644 modules/boot.nix
create mode 100644 modules/hardware.nix
create mode 100644 modules/locale.nix
create mode 100644 modules/networking.nix
create mode 100644 modules/nginx.nix
create mode 100644 modules/services.nix
create mode 100644 modules/users.nix
create mode 100644 settings.nix
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..04265ae
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./modules/boot.nix
+ ./modules/networking.nix
+ ./modules/locale.nix
+ ./modules/users.nix
+ ./modules/hardware.nix
+ ./modules/services.nix
+ ./modules/nginx.nix
+ ];
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ system.stateVersion = "25.11";
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..c17b5c8
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,21 @@
+{
+ description = "Haschel Proxy Server";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
+ };
+
+ outputs = { self, nixpkgs, ... }@inputs:
+ let
+ settings = import ./settings.nix;
+ system = "x86_64-linux";
+ in {
+ nixosConfigurations."${settings.hostname}" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = { inherit inputs; };
+ modules = [
+ ./configuration.nix
+ ];
+ };
+ };
+}
diff --git a/modules/boot.nix b/modules/boot.nix
new file mode 100644
index 0000000..0057436
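Review bot: `./hardware-configuration.nix` is the first entry of the `imports` list in configuration.nix, but it is not among the ten files this patch creates. If it is intentionally left untracked (it is normally machine-generated), evaluation of this flake will fail, because a flake only sees files tracked by git. Either commit the generated file or add a comment above the import such as `# generated per host with nixos-generate-config; must be git-added before building`.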
--- /dev/null
+++ b/modules/boot.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+
+{
+ boot.loader.systemd-boot = {
+ enable = true;
+ editor = false;
+ configurationLimit = 10;
+ };
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.kernelModules = [ "tcp_bbr" ];
+
+ boot.kernel.sysctl = {
+ "net.core.default_qdisc" = "fq";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+}
diff --git a/modules/hardware.nix b/modules/hardware.nix
new file mode 100644
index 0000000..a4b2d44
--- /dev/null
+++ b/modules/hardware.nix
@@ -0,0 +1,5 @@
+{ config, pkgs, ... }:
+
+{
+ hardware.enableRedistributableFirmware = true;
+}
diff --git a/modules/locale.nix b/modules/locale.nix
new file mode 100644
index 0000000..d75cedc
--- /dev/null
+++ b/modules/locale.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+let
+ settings = import ../settings.nix;
+in
+{
+ time.timeZone = settings.timezone;
+ i18n.defaultLocale = settings.locale;
+}
diff --git a/modules/networking.nix b/modules/networking.nix
new file mode 100644
index 0000000..91732d6
--- /dev/null
+++ b/modules/networking.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+let
+ settings = import ../settings.nix;
+in
+{
+ networking.hostName = settings.hostname;
+
+ networking.networkmanager.enable = true;
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 80 443 ];
+ allowedUDPPorts = [ ];
+ };
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
new file mode 100644
index 0000000..8a6e4d4
--- /dev/null
+++ b/modules/nginx.nix
@@ -0,0 +1,363 @@
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Fuck AI
+ commonHttpConfig = ''
+ more_clear_headers Server;
+ more_clear_headers X-Powered-By;
+
+ map $http_user_agent $fuckai {
+ default 0;
+
+ "~*GPTBot" 1;
+ "~*ChatGPT-User" 1;
+ "~*OAI-SearchBot" 1;
+ "~*ChatGPT-Browser" 1;
+ "~*ClaudeBot" 1;
+ "~*Claude-Web" 1;
+ "~*anthropic-ai" 1;
+ "~*Anthropic-Claude" 1;
+ "~*xAI-Bot" 1;
+ "~*DeepseekBot" 1;
+ "~*Google-Extended" 1;
+ "~*Gemini-Ai" 1;
+ "~*Gemini-Deep-Research" 1;
+ "~*Google-CloudVertexBot" 1;
+ "~*Google-NotebookLM" 1;
+ "~*GoogleAgent-Mariner" 1;
+ "~*Bard-Ai" 1;
+ "~*FacebookBot" 1;
+ "~*Meta-ExternalAgent" 1;
+ "~*meta-webindexer" 1;
+ "~*Applebot-Extended" 1;
+ "~*bingbot" 1;
+ "~*CCBot" 1;
+ "~*PerplexityBot" 1;
+ "~*Perplexity-User" 1;
+ "~*Bytespider" 1;
+ "~*Diffbot" 1;
+ "~*Amazonbot" 1;
+ "~*cohere-ai" 1;
+ "~*Cohere-Command" 1;
+ "~*YouBot" 1;
+ "~*Omgilibot" 1;
+ "~*ImagesiftBot" 1;
+ "~*AI2Bot" 1;
+ "~*Andibot" 1;
+ "~*bigsur.ai" 1;
+ "~*Brightbot" 1;
+ "~*TerraCotta" 1;
+ "~*Character-AI" 1;
+ "~*Devin" 1;
+ "~*Crawlspace" 1;
+ "~*DuckAssistBot" 1;
+ "~*FirecrawlAgent" 1;
+ "~*Groq-Bot" 1;
+ "~*HuggingFace-Bot" 1;
+ "~*IbouBot" 1;
+ "~*MistralAI-User" 1;
+ "~*Replicate-Bot" 1;
+ "~*RunPod-Bot" 1;
+ "~*TimpiBot" 1;
+ "~*Together-Bot" 1;
+ "~*Kangaroo Bot" 1;
+ "~*PanguBot" 1;
+ "~*Cotoyogi" 1;
+ "~*Webzio-Extended" 1;
+ }
+ '';
+
+ # Stream Hosts
+ streamConfig = ''
+ # Port 69
+ server {
+ listen 69;
+ listen 69 udp;
+ proxy_pass lloyd.tadpole-pain.ts.net:69;
+ }
+
+ # Port 420
+ server {
+ listen 420;
+ listen 420 udp;
+ proxy_pass lloyd.tadpole-pain.ts.net:420;
+ }
+
+ # Minecraft / Game Ports
+ server {
+ listen 25565;
+ listen 25565 udp;
+ proxy_pass lloyd.tadpole-pain.ts.net:25565;
+ }
+ server {
+ listen 25566;
+ listen 25566 udp;
+ proxy_pass
lloyd.tadpole-pain.ts.net:25566;
+ }
+ server {
+ listen 25567;
+ listen 25567 udp;
+ proxy_pass lloyd.tadpole-pain.ts.net:25567;
+ }
+ '';
+
+ # Proxy Hosts
+ virtualHosts = {
+ # atri.dad hosts
+ "atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:3000";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "analytics.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30060";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "archive.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30288";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "ascently.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:8838";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "bsky.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:31173";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "chef.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30111";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "democlimb.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:8008";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "fedi.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:8181";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "gist.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:1227";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "git.atri.dad" = {
+
enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30010";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "links.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30243";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "media.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30013";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "memos.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30311";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "mermaid.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:8280";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "msrc.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:3311";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "n8n.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30109";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "ocr.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30070";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "openclimb.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:1337";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "photos.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30041";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "pods.atri.dad" = {
+ enableACME = true;
+ forceSSL =
true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:8828";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "requests.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30042";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "ripkyle.org" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:4321";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "s3.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30188";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "search.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30053";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "sync.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:20910";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "travel.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30251";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "travelapi.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30250";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "vault.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:30032";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+
+ # atash.dev hosts
+ "atash.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:6969";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ "chronus.atash.dev" = {
+ enableACME = true;
+ forceSSL = true;
+
locations."/" = {
+ proxyPass = "http://lloyd.tadpole-pain.ts.net:7337";
+ extraConfig = "if ($fuckai) { return 444; }";
+ };
+ };
+ };
+ };
+
+ # Open Ports
+ networking.firewall.allowedTCPPorts = [ 80 443 69 420 25565 25566 25567 ];
+ networking.firewall.allowedUDPPorts = [ 69 420 25565 25566 25567 ];
+}
diff --git a/modules/services.nix b/modules/services.nix
new file mode 100644
index 0000000..33e7fb9
--- /dev/null
+++ b/modules/services.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = false;
+ };
+ };
+
+ services.tailscale.enable = true;
+}
diff --git a/modules/users.nix b/modules/users.nix
new file mode 100644
index 0000000..6827db2
--- /dev/null
+++ b/modules/users.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+let
+ settings = import ../settings.nix;
+in
+{
+ users.users.${settings.username} = {
+ isNormalUser = true;
+ description = settings.userDescription;
+ extraGroups = settings.userGroups;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" ];
+ };
+
+ users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" ];
+
+ security.sudo.execWheelOnly = true;
+}
diff --git a/settings.nix b/settings.nix
new file mode 100644
index 0000000..4542d54
--- /dev/null
+++ b/settings.nix
@@ -0,0 +1,8 @@
+{
+ hostname = "haschel";
+ username = "atridad";
+ userDescription = "Atridad Lahiji";
+ timezone = "America/Edmonton";
+ locale = "en_CA.UTF-8";
+ userGroups = [ "networkmanager" "wheel" "docker" ];
+}
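Review bot: `more_clear_headers` in `commonHttpConfig` belongs to the headers-more module, which the stock NixOS nginx does not load, so nginx will reject the generated config with an unknown-directive error unless `additionalModules = [ pkgs.nginxModules.moreheaders ];` is added to `services.nginx`. The `enableACME = true` on every virtual host also requires `security.acme.acceptTerms = true;` plus a contact such as `security.acme.defaults.email = "<ADMIN_EMAIL — placeholder>";`, and neither appears in any file of this patch, so evaluation fails on the ACME module's assertion. The stream servers on 69, 420 and 25565–25567 (TCP and UDP) are opened to every source by the firewall lines at the end of the hunk with no `allow`/`deny` rules in the `server` blocks; if they are meant for known peers only, add access rules or bind `listen` to a specific address. Those same firewall lines repeat 80 and 443, which `modules/networking.nix` already opens; NixOS merges the lists so it works, but one place to audit is easier to keep correct. Finally, the thirty near-identical virtual-host blocks could be generated from a small helper (`mkProxy = port: { enableACME = true; forceSSL = true; locations."/" = { ... }; }`) so the `return 444` guard cannot drift between hosts.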
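Review bot: `PermitRootLogin = "prohibit-password"` together with the root authorized key added in `modules/users.nix` keeps a direct root login path open over SSH, even though the same key is already granted to the wheel user in that file, who can `sudo`. `PermitRootLogin = "no";` removes that path without losing access. Separately, `PasswordAuthentication = false` does not disable PAM keyboard-interactive logins, which NixOS leaves enabled by default; add `KbdInteractiveAuthentication = false;` next to it so key-only really means key-only.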
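Review bot: The same ed25519 public key literal appears twice in users.nix, on the normal user's `openssh.authorizedKeys.keys` and on root's; a single binding such as `let sshKeys = [ "ssh-ed25519 <KEY — placeholder>" ]; in` referenced from both (or an `sshKeys` entry in `settings.nix` next to `username`) keeps them from diverging when the key is rotated. `userGroups` from `settings.nix` includes `docker`, but no module in this patch enables `virtualisation.docker`, so that membership appears unused here; because the docker group is root-equivalent once the daemon runs, it is worth dropping until docker is actually configured.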