{
  modulesPath,
  lib,
  config,
  inputs,
  pkgs,
  ...
}: {
# Module arguments used below: `modulesPath` locates the upstream
# amazon-image module, `lib` is used for mkForce, `config` for the sops
# secret/template paths, `inputs` (presumably the flake inputs) for
# nixos-sensible, `pkgs` for packages. Host-local pieces live next to this
# file (./anti-feature.nix, ./Caddyfile, ./secrets.yaml, ...).
imports = [
  "${modulesPath}/virtualisation/amazon-image.nix"
  inputs.nixos-sensible.nixosModules.zram
  ../../nixos/profiles/server
  ./anti-feature.nix
];
time.timeZone = "Asia/Tokyo";

# mkForce wins over whatever the imported amazon-image module sets for this
# option (presumably the reason it is needed here).
# NOTE(review): the disk name is hard-coded; confirm it still matches the
# instance type's device naming before changing instance families.
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";

# Release this host was first installed with; leave it alone unless the
# stateful services' migration notes for a newer release have been followed.
system.stateVersion = "23.11";
# File-backed swap on the root filesystem; `size` is in MiB (hence the
# 4 * 1024 for 4 GiB).
swapDevices = [
  {
    device = "/var/lib/swapfile";
    size = 4 * 1024; # 4 GiB
  }
];
# WORKAROUND:
# NOTE(review): the reason is not recorded. print-host-key presumably comes
# from the amazon-image module (it prints the SSH host key to the console
# log — verify); write down why it is disabled here before anyone removes
# this line.
systemd.services."print-host-key".enable = false;
### Secrets
# All secrets below come from ./secrets.yaml (sops-encrypted); mapAttrs
# stamps `sopsFile` onto each entry so it is not repeated per secret.
# Per sops-nix, `restartUnits` restarts the consuming unit when the
# decrypted value changes, so a rotated secret takes effect on the next
# activation without a manual restart.
sops = {
  secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
    "hysteria/auth" = {
      restartUnits = ["hysteria.service"];
    };
    "pixivfe/environment" = {
      restartUnits = ["pixivfe.service"];
    };
    "searx/environment" = {
      restartUnits = ["searx.service"];
    };
  };

  # Rendered by sops-nix with the placeholder replaced by the decrypted
  # "hysteria/auth" value (presumably the `auth:` section of the hysteria
  # config); the hysteria service reads the result through
  # config.sops.templates."hysteria.yaml".path, so the secret never enters
  # the Nix store. The cert/key paths are systemd's per-service credential
  # directory, matching services.hysteria.credentials below.
  # NOTE(review): the YAML nesting below is reconstructed from a flattened
  # listing — confirm it against the checked-in file.
  templates = {
    "hysteria.yaml".content = ''
      tls:
        cert: /run/credentials/hysteria.service/cert
        key: /run/credentials/hysteria.service/key
      masquerade:
        type: proxy
        proxy:
          url: https://ny4.dev/
      ${config.sops.placeholder."hysteria/auth"}
    '';
  };
};
### Services
# Only hysteria (QUIC on UDP 443) and caddy (HTTP/HTTPS) are opened here;
# murmur adds its own rule via services.murmur.openFirewall. Everything else
# in this file listens on a unix socket or a TCP port that is not in this
# allow-list, so — as long as the firewall stays enabled — it is reachable
# only through caddy.
networking.firewall.allowedUDPPorts = [443]; # hysteria
networking.firewall.allowedTCPPorts = [80 443]; # caddy
# Static files (presumably served by caddy): robots.txt and the Matrix
# .well-known client/server documents. tmpfiles type `C` copies the argument
# into place; `toString ./file` first puts the source into the world-readable
# Nix store, which is fine for these public files but must not be reused for
# anything sensitive.
systemd.tmpfiles.settings = {
  "10-www" = {
    "/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
    "/var/www/matrix/client".C.argument = toString ./matrix-client.json;
    "/var/www/matrix/server".C.argument = toString ./matrix-server.json;
  };
};
services.caddy = {
  enable = true;
  # ./Caddyfile is a template: substituteAll replaces `@element@` and
  # `@mastodon@` with the store paths of the packages named below.
  # NOTE(review): confirm those two placeholders are what the Caddyfile uses.
  configFile = pkgs.substituteAll {
    src = ./Caddyfile;

    "element" = pkgs.element-web.override {
      # Pins element-web to a specific upstream release (a release candidate).
      # Both outputHashes belong to exactly this version: bumping `version`
      # without refreshing them fails the fixed-output builds — by design,
      # that is what keeps the pin reproducible. Update all three together.
      element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
        version = "1.11.70-rc.0";
        src = oldAttrs.src.overrideAttrs {
          outputHash = "sha256-LnPqwXczECH7XnVvGnoUQpZct2jmGEFVpJ1nTewAHC8=";
        };
        offlineCache = oldAttrs.offlineCache.overrideAttrs {
          outputHash = "sha256-yAAZXnxrBGuTWUJcL6Su0F5H2D5MNg9PUU7Uj8XT8N8=";
        };
      });

      # Default homeserver the Element web client offers at login.
      conf.default_server_config."m.homeserver" = {
        base_url = "https://matrix.ny4.dev";
        server_name = "ny4.dev";
      };
    };

    "mastodon" = pkgs.mastodon;
  };
};
services.hysteria = {
  enable = true;
  # Rendered sops template (see sops.templates."hysteria.yaml").
  configFile = config.sops.templates."hysteria.yaml".path;
  # Cert and key are passed to the unit as credentials (presumably systemd
  # LoadCredential), which is why the template reads them from
  # /run/credentials/hysteria.service/{cert,key} and the service itself
  # needs no access to caddy's state directory.
  credentials = [
    # FIXME: remove hardcoded path
    # NOTE(review): these reach into caddy's ACME storage, so they depend on
    # caddy's internal layout and on the certificate being named ny4.dev.
    # Credentials are presumably read at unit start, so a renewed certificate
    # only reaches hysteria after a restart — confirm, and consider a renewal
    # hook or a timer-driven restart so the served cert does not expire.
    "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ny4.dev/ny4.dev.crt"
    "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ny4.dev/ny4.dev.key"
  ];
};
# Per the author's note the SuperUser password is only available from the
# journal: `journalctl -u murmur.service | grep Password`
# NOTE(review): anyone with journal read access can recover it; change it
# after first login (or set it explicitly) so the journal copy is stale.
services.murmur = {
  enable = true;
  # murmur manages its own firewall rule; clients connect on 64738
  # (see the "Mumble" dashboard entry below).
  openFirewall = true;
  bandwidth = 256 * 1024; # 256 Kbit/s
};
services.searx = {
  enable = true;
  package = pkgs.searxng;
  # Decrypted by sops at activation; presumably defines SEARX_SECRET. Per the
  # NixOS searx module, `@NAME@` tokens in `settings` are replaced from this
  # file at service start, so the real secret never lands in the Nix store
  # (verify against the module version in use).
  environmentFile = config.sops.secrets."searx/environment".path;
  settings = {
    general.contact_url = "mailto:guanran928@outlook.com";
    # Autocomplete forwards partial queries to the named engine while typing;
    # a privacy trade-off worth knowing about on an instance like this.
    search.autocomplete = "google";
    server = {
      # Not in the firewall allow-list, so reachable only through caddy.
      port = 8100;
      secret_key = "@SEARX_SECRET@"; # placeholder, substituted from environmentFile
    };
  };
};
services.wastebin = {
  enable = true;
  # Loopback only; published as pb.ny4.dev through caddy (see the dashboard).
  settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
};
services.uptime-kuma = {
  enable = true;
  # NOTE(review): only the port is pinned. Unlike wastebin/keycloak no bind
  # address is set, so keeping this off the internet relies on the firewall
  # (8300 is not in the allow-list) rather than a loopback bind — consider
  # pinning the listen address as well.
  settings.PORT = "8300";
};
services.ntfy-sh = {
  enable = true;
  settings = {
    base-url = "https://ntfy.ny4.dev";
    # Empty listen-http disables the TCP listener (per ntfy docs); the unix
    # socket below is then the only way in, via caddy.
    listen-http = "";
    listen-unix = "/run/ntfy-sh/ntfy.sock";
    # NOTE(review): 0777 makes the socket world-writable, so any local user
    # or service can publish and subscribe without going through caddy (and
    # its access rules). Only the reverse proxy needs to connect — prefer a
    # group mode (e.g. 0660 with a group caddy belongs to) once that is known.
    listen-unix-mode = 511; # 0777
    # Per ntfy docs: trust the proxy's forwarded client address (used for
    # rate limiting) instead of the socket peer.
    behind-proxy = true;
  };
};

# /run/ntfy-sh, which listen-unix lives in, is created and cleaned up by
# systemd for the unit; the listen-unix option alone does not create it.
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
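services.pixivfe = {
  enable = true;
  # Decrypted by sops at activation (presumably the Pixiv session token);
  # keep secrets here and not in `settings`, which ends up in the Nix store.
  EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
  settings = {
    PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
    PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
  };
};

systemd.services.pixivfe.serviceConfig = {
  # Creates /run/pixivfe for the socket named in PIXIVFE_UNIXSOCKET.
  RuntimeDirectory = ["pixivfe"];
  # pixivfe creates its socket some time after start-up, so the mode is fixed
  # from ExecStartPost. Poll for the socket (up to ~5 s) instead of sleeping
  # a fixed 5 s: a slow start no longer races the chmod and a fast start is
  # not delayed. If the socket never appears chmod still fails the unit, as
  # the original fixed sleep did.
  # NOTE(review): 777 makes the socket world-writable; only caddy needs to
  # connect. Tighten to a group mode once the proxy's group is settled.
  ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
    for _ in $(${pkgs.coreutils}/bin/seq 1 50); do
      [ -S /run/pixivfe/pixiv.sock ] && break
      ${pkgs.coreutils}/bin/sleep 0.1
    done
    ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
  '';
};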
services.keycloak = {
  enable = true;
  settings = {
    cache = "local"; # single node, no cluster cache (presumably why)
    hostname = "id.ny4.dev";
    http-host = "127.0.0.1"; # loopback only; TLS is terminated by caddy
    http-port = 8800;
    proxy = "edge"; # Keycloak sits behind a TLS-terminating proxy
    # proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
  };
  # NOTE(review): writeText puts the literal password "keycloak" into the
  # world-readable Nix store, so every local user can read the database
  # credential. Move it to a sops secret and point passwordFile at
  # config.sops.secrets.<name>.path; at minimum confirm the database is
  # local and not reachable from anything but this unit.
  database.passwordFile = toString (pkgs.writeText "password" "keycloak");
};
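services.homepage-dashboard = {
  enable = true;
  # Not in the firewall allow-list, so reachable only through caddy.
  # NOTE(review): nothing here restricts who can view the page; if the
  # "Private stuff" group is meant to stay private, gate it at the proxy.
  listenPort = 9200;

  settings = {
    useEqualHeights = true;
    cardBlur = "sm";
    layout."Services" = {
      style = "row";
      columns = "4";
    };
  };

  # Dashboard tiles. Descriptions come from each package's meta.description
  # so they track nixpkgs instead of being retyped here.
  services = let
    getDesc = pkg: pkg.meta.description;
  in [
    {
      "Services" = [
        {
          "SearXNG" = {
            description = getDesc pkgs.searxng;
            href = "https://searx.ny4.dev";
          };
        }
        {
          "Wastebin" = {
            description = getDesc pkgs.wastebin;
            href = "https://pb.ny4.dev";
          };
        }
        {
          "Ntfy" = {
            description = getDesc pkgs.ntfy;
            href = "https://ntfy.ny4.dev/";
          };
        }
        {
          # No href: Mumble is reached with a client, not a browser.
          "Mumble" = {
            description = "${getDesc pkgs.mumble} (Connect with tyo0.ny4.dev:64738)";
          };
        }
      ];
    }
    {
      "Private stuff" = [
        {
          # `rec` so widget.url can reuse href.
          "Mastodon" = rec {
            description = getDesc pkgs.mastodon;
            href = "https://mastodon.ny4.dev/";
            widget.type = "mastodon";
            widget.url = href;
          };
        }
        {
          "Matrix" = {
            description = getDesc pkgs.element-web;
            href = "https://element.ny4.dev/";
          };
        }
        {
          "PixivFE" = {
            description = "A privacy respecting frontend for Pixiv.";
            href = "https://pixiv.ny4.dev";
          };
        }
        {
          "Uptime Kuma" = {
            description = getDesc pkgs.uptime-kuma;
            href = "https://uptime.ny4.dev/";
          };
        }
        {
          "Forgejo" = {
            description = getDesc pkgs.forgejo;
            href = "https://git.ny4.dev/";
          };
        }
      ];
    }
    {
      "Links" = [
        {"Blog".href = "https://blog.ny4.dev/";}
        {"GitHub".href = "https://github.com/Guanran928";}
        # Was `herf` (typo), so this tile presumably rendered without a link.
        {"Mastodon".href = "https://mastodon.ny4.dev/@nyancat";}
        {"Matrix".href = "https://matrix.to/#/@root:ny4.dev";}
        {"Forgejo".href = "https://git.ny4.dev/nyancat";}
      ];
    }
  ];
};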
services.forgejo = {
  enable = true;
  database.type = "postgres";
  settings = {
    server = {
      # TODO: whats the difference between this and fcgi+unix
      DOMAIN = "git.ny4.dev";
      # Serve over a unix socket; caddy proxies to it, so Forgejo itself
      # never listens on TCP.
      PROTOCOL = "http+unix";
      ROOT_URL = "https://git.ny4.dev/";
    };

    service = {
      # Disables the local sign-up form; accounts can only be created through
      # an external auth source (presumably the keycloak instance above —
      # confirm the OIDC source is actually configured on the Forgejo side,
      # otherwise nobody can register at all).
      ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
    };
  };
};
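### Prevents me from going bankrupt
# https://fmk.im/p/shutdown-aws/
# vnstat keeps the per-interface traffic counters the check below reads.
services.vnstat.enable = true;
# Hourly check: once the month's traffic passes TRAFF_TOTAL, shut the
# instance down rather than keep paying for egress.
systemd.services."no-bankrupt" = {
  serviceConfig.Type = "oneshot";
  path = with pkgs; [coreutils gawk vnstat systemd];
  script = ''
    # Allowance in GiB (the comparison below divides bytes by 2^30).
    TRAFF_TOTAL=1900
    # Field 11 of `vnstat --oneline b` is the current month's total in bytes
    # (NOTE(review): confirm against the installed vnstat's oneline layout).
    TRAFF_USED=$(vnstat --oneline b | awk -F ';' '{print $11}')

    # Fail loudly on unexpected vnstat output. Previously an empty value
    # aborted the arithmetic and a non-numeric one silently evaluated to 0,
    # i.e. the guard quietly stopped guarding; a failed unit shows in the
    # journal instead.
    if ! [[ "$TRAFF_USED" =~ ^[0-9]+$ ]]; then
      echo "no-bankrupt: unexpected vnstat output: '$TRAFF_USED'" >&2
      exit 1
    fi
    CHANGE_TO_GB=$(( TRAFF_USED / 1073741824 ))

    if [ "$CHANGE_TO_GB" -gt "$TRAFF_TOTAL" ]; then
      shutdown -h now
    fi
  '';
};
systemd.timers."no-bankrupt" = {
  # Without wantedBy the timer unit is generated but never started at boot,
  # so the check above would not run at all.
  wantedBy = ["timers.target"];
  timerConfig.OnCalendar = "*:0:0"; # Check every hour
};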
}