2024-04-22 18:35:50 +00:00
|
|
|
{
|
|
|
|
lib,
|
2024-08-29 17:42:37 +00:00
|
|
|
config,
|
2024-07-11 15:50:43 +00:00
|
|
|
modulesPath,
|
2024-05-02 23:43:48 +00:00
|
|
|
pkgs,
|
2024-04-22 18:35:50 +00:00
|
|
|
...
|
2024-08-25 15:02:35 +00:00
|
|
|
}:
|
|
|
|
{
|
2024-04-22 18:35:50 +00:00
|
|
|
imports = [
|
|
|
|
"${modulesPath}/virtualisation/amazon-image.nix"
|
|
|
|
./anti-feature.nix
|
2024-09-06 12:19:44 +00:00
|
|
|
./ports.nix
|
2024-08-11 10:13:36 +00:00
|
|
|
|
|
|
|
./services/forgejo.nix
|
|
|
|
./services/keycloak.nix
|
|
|
|
./services/miniflux.nix
|
|
|
|
./services/murmur.nix
|
|
|
|
./services/ntfy.nix
|
2024-08-29 17:42:37 +00:00
|
|
|
./services/prometheus.nix
|
2024-08-12 13:23:46 +00:00
|
|
|
./services/vaultwarden.nix
|
2024-08-27 09:08:53 +00:00
|
|
|
./services/wastebin.nix
|
2024-09-21 20:19:03 +00:00
|
|
|
|
2024-09-27 16:03:31 +00:00
|
|
|
../../../nixos/profiles/sing-box-server
|
2024-04-22 18:35:50 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
|
2024-08-12 07:25:36 +00:00
|
|
|
system.stateVersion = "24.05";
|
2024-04-22 21:01:38 +00:00
|
|
|
|
2024-08-29 18:17:30 +00:00
|
|
|
swapDevices = lib.singleton {
|
|
|
|
device = "/var/lib/swapfile";
|
|
|
|
size = 4 * 1024; # 4 GiB
|
|
|
|
};
|
2024-05-23 16:15:10 +00:00
|
|
|
|
2024-05-02 23:43:48 +00:00
|
|
|
# WORKAROUND:
|
|
|
|
systemd.services."print-host-key".enable = false;
|
|
|
|
|
2024-09-21 16:21:30 +00:00
|
|
|
# FIXME: error: builder for '/nix/store/...-ena-2.12.3-6.11.drv' failed with exit code 2
|
|
|
|
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_6_10;
|
|
|
|
|
2024-05-02 23:43:48 +00:00
|
|
|
### Secrets
|
2024-08-25 15:02:35 +00:00
|
|
|
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
2024-08-29 17:42:37 +00:00
|
|
|
"prometheus/auth" = {
|
|
|
|
owner = config.systemd.services.prometheus.serviceConfig.User;
|
|
|
|
restartUnits = [ "prometheus.service" ];
|
|
|
|
};
|
2024-07-21 10:09:21 +00:00
|
|
|
"miniflux/environment" = {
|
2024-08-25 15:02:35 +00:00
|
|
|
restartUnits = [ "miniflux.service" ];
|
2024-05-23 16:15:10 +00:00
|
|
|
};
|
2024-08-12 13:23:46 +00:00
|
|
|
"vaultwarden/environment" = {
|
2024-08-25 15:02:35 +00:00
|
|
|
restartUnits = [ "vaultwarden.service" ];
|
2024-08-12 13:23:46 +00:00
|
|
|
};
|
2024-05-23 16:15:10 +00:00
|
|
|
};
|
2024-04-22 21:01:38 +00:00
|
|
|
|
2024-05-02 23:43:48 +00:00
|
|
|
### Services
|
2024-08-27 21:02:01 +00:00
|
|
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
2024-08-25 15:02:35 +00:00
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
80
|
|
|
|
443
|
2024-08-27 21:02:01 +00:00
|
|
|
];
|
2024-05-02 23:43:48 +00:00
|
|
|
|
2024-08-31 02:15:09 +00:00
|
|
|
services.caddy.enable = true;
|
|
|
|
services.caddy.settings.apps.http.servers.srv0 = {
|
|
|
|
listen = [ ":443" ];
|
2024-05-04 08:12:36 +00:00
|
|
|
};
|
|
|
|
|
2024-09-20 17:38:01 +00:00
|
|
|
systemd.services."caddy".serviceConfig.SupplementaryGroups = [ "forgejo" ];
|
2024-09-07 07:24:37 +00:00
|
|
|
|
2024-08-31 02:15:09 +00:00
|
|
|
services.caddy.settings.apps.http.servers.srv0.routes = [
|
|
|
|
{
|
|
|
|
match = lib.singleton {
|
|
|
|
host = [ "ny4.dev" ];
|
|
|
|
path = [ "/.well-known/matrix/server" ];
|
|
|
|
};
|
|
|
|
handle = lib.singleton {
|
|
|
|
handler = "static_response";
|
|
|
|
status_code = 200;
|
|
|
|
headers = {
|
|
|
|
Access-Control-Allow-Origin = [ "*" ];
|
|
|
|
Content-Type = [ "application/json" ];
|
|
|
|
};
|
2024-09-20 17:38:01 +00:00
|
|
|
body = builtins.toJSON { "m.server" = "matrix.ny4.dev:443"; };
|
2024-05-23 16:15:10 +00:00
|
|
|
};
|
2024-08-31 02:15:09 +00:00
|
|
|
}
|
|
|
|
{
|
|
|
|
match = lib.singleton {
|
|
|
|
host = [ "ny4.dev" ];
|
|
|
|
path = [ "/.well-known/matrix/client" ];
|
|
|
|
};
|
|
|
|
handle = lib.singleton {
|
|
|
|
handler = "static_response";
|
|
|
|
status_code = 200;
|
|
|
|
headers = {
|
|
|
|
Access-Control-Allow-Origin = [ "*" ];
|
|
|
|
Content-Type = [ "application/json" ];
|
|
|
|
};
|
|
|
|
body = builtins.toJSON {
|
|
|
|
"m.homeserver" = {
|
|
|
|
"base_url" = "https://matrix.ny4.dev";
|
|
|
|
};
|
2024-07-31 13:34:24 +00:00
|
|
|
};
|
|
|
|
};
|
2024-08-31 02:15:09 +00:00
|
|
|
}
|
|
|
|
{
|
|
|
|
match = lib.singleton {
|
|
|
|
host = [ "ny4.dev" ];
|
|
|
|
path = [ "/.well-known/webfinger" ];
|
|
|
|
};
|
|
|
|
handle = lib.singleton {
|
|
|
|
handler = "static_response";
|
|
|
|
status_code = 301;
|
|
|
|
headers = {
|
|
|
|
Access-Control-Allow-Origin = [ "*" ];
|
|
|
|
Location = [ "https://mastodon.ny4.dev{http.request.uri}" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
|
|
|
{
|
2024-09-20 17:38:01 +00:00
|
|
|
match = lib.singleton { host = [ "ny4.dev" ]; };
|
2024-08-31 02:15:09 +00:00
|
|
|
handle = lib.singleton {
|
|
|
|
handler = "static_response";
|
|
|
|
status_code = 302;
|
|
|
|
headers = {
|
|
|
|
Location = [ "https://blog.ny4.dev" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
|
|
|
{
|
2024-09-20 17:38:01 +00:00
|
|
|
match = lib.singleton { host = [ "element.ny4.dev" ]; };
|
2024-08-31 02:15:09 +00:00
|
|
|
handle = [
|
|
|
|
{
|
|
|
|
handler = "headers";
|
|
|
|
response.set = {
|
|
|
|
X-Frame-Options = [ "SAMEORIGIN" ];
|
|
|
|
X-Content-Type-Options = [ "nosniff" ];
|
|
|
|
X-XSS-Protection = [ "1; mode=block" ];
|
|
|
|
Content-Security-Policy = [ "frame-ancestors 'self'" ];
|
|
|
|
};
|
|
|
|
}
|
|
|
|
{
|
|
|
|
handler = "file_server";
|
|
|
|
root = pkgs.element-web.override {
|
|
|
|
conf.default_server_config."m.homeserver" = {
|
|
|
|
base_url = "https://matrix.ny4.dev";
|
|
|
|
server_name = "ny4.dev";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
}
|
|
|
|
{
|
2024-09-20 17:38:01 +00:00
|
|
|
match = lib.singleton { host = [ "cinny.ny4.dev" ]; };
|
2024-08-31 02:15:09 +00:00
|
|
|
handle = lib.singleton {
|
|
|
|
handler = "subroute";
|
|
|
|
routes = [
|
|
|
|
{
|
|
|
|
match = [ { "path" = [ "/*/olm.wasm" ]; } ];
|
|
|
|
handle = lib.singleton {
|
|
|
|
handler = "rewrite";
|
|
|
|
uri = "/olm.wasm";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
{
|
|
|
|
match = lib.singleton {
|
|
|
|
not = [
|
|
|
|
{ path = [ "/index.html" ]; }
|
|
|
|
{ path = [ "/public/*" ]; }
|
|
|
|
{ path = [ "/assets/*" ]; }
|
|
|
|
{ path = [ "/config.json" ]; }
|
|
|
|
{ path = [ "/manifest.json" ]; }
|
|
|
|
{ path = [ "/pdf.worker.min.js" ]; }
|
|
|
|
{ path = [ "/olm.wasm" ]; }
|
|
|
|
];
|
|
|
|
path = [ "/*" ];
|
|
|
|
};
|
|
|
|
handle = lib.singleton {
|
|
|
|
handler = "rewrite";
|
|
|
|
uri = "/index.html";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
{
|
|
|
|
handle = lib.singleton {
|
|
|
|
handler = "file_server";
|
|
|
|
root = pkgs.cinny.override {
|
|
|
|
conf = {
|
|
|
|
defaultHomeserver = 0;
|
|
|
|
homeserverList = [ "ny4.dev" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
2024-04-22 21:01:38 +00:00
|
|
|
|
2024-08-11 11:02:04 +00:00
|
|
|
services.postgresql = {
|
|
|
|
package = pkgs.postgresql_16;
|
|
|
|
settings = {
|
|
|
|
max_connections = 200;
|
|
|
|
shared_buffers = "256MB";
|
|
|
|
effective_cache_size = "768MB";
|
|
|
|
maintenance_work_mem = "64MB";
|
|
|
|
checkpoint_completion_target = 0.9;
|
|
|
|
wal_buffers = "7864kB";
|
|
|
|
default_statistics_target = 100;
|
|
|
|
random_page_cost = 1.1;
|
|
|
|
effective_io_concurrency = 200;
|
|
|
|
work_mem = "655kB";
|
|
|
|
huge_pages = "off";
|
|
|
|
min_wal_size = "1GB";
|
|
|
|
max_wal_size = "4GB";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-05-02 23:43:48 +00:00
|
|
|
### Prevents me from bankrupt
|
|
|
|
# https://fmk.im/p/shutdown-aws/
|
|
|
|
services.vnstat.enable = true;
|
|
|
|
systemd.services."no-bankrupt" = {
|
|
|
|
serviceConfig.Type = "oneshot";
|
2024-08-25 15:02:35 +00:00
|
|
|
path = with pkgs; [
|
|
|
|
coreutils
|
|
|
|
gawk
|
|
|
|
vnstat
|
|
|
|
systemd
|
|
|
|
];
|
2024-05-02 23:43:48 +00:00
|
|
|
script = ''
|
|
|
|
TRAFF_TOTAL=1900
|
|
|
|
TRAFF_USED=$(vnstat --oneline b | awk -F ';' '{print $11}')
|
|
|
|
CHANGE_TO_GB=$(($TRAFF_USED / 1073741824))
|
|
|
|
|
|
|
|
if [ $CHANGE_TO_GB -gt $TRAFF_TOTAL ]; then
|
|
|
|
shutdown -h now
|
|
|
|
fi
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
systemd.timers."no-bankrupt" = {
|
|
|
|
timerConfig.OnCalendar = "*:0:0"; # Check every hour
|
|
|
|
};
|
2024-04-22 18:35:50 +00:00
|
|
|
}
|