diff --git a/hosts/tyo0/Caddyfile b/hosts/tyo0/Caddyfile
index c7cc633..dcbd0b3 100644
--- a/hosts/tyo0/Caddyfile
+++ b/hosts/tyo0/Caddyfile
@@ -51,14 +51,6 @@ ntfy.ny4.dev {
 reverse_proxy unix//run/ntfy-sh/ntfy.sock
 }
 
-pixiv.ny4.dev {
- import default
- basicauth {
- Guanran928 $2a$14$aI977hGZCX6H9IiyG7avdOFxXFGtlt7DcIahTkInPhEx9Sfhk7bri
- }
- reverse_proxy unix//run/pixivfe/pixiv.sock
-}
-
 id.ny4.dev {
 import default
 reverse_proxy localhost:8800
diff --git a/hosts/tyo0/default.nix b/hosts/tyo0/default.nix
index 63a2287..47b6ada 100644
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@@ -14,7 +14,6 @@
 ./services/miniflux.nix
 ./services/murmur.nix
 ./services/ntfy.nix
- ./services/pixivfe.nix
 ./services/redlib.nix
 ./services/sing-box.nix
 ./services/vaultwarden.nix
@@ -39,9 +38,6 @@
 "sing-box/auth" = {
 restartUnits = [ "sing-box.service" ];
 };
- "pixivfe/environment" = {
- restartUnits = [ "pixivfe.service" ];
- };
 "miniflux/environment" = {
 restartUnits = [ "miniflux.service" ];
 };
diff --git a/hosts/tyo0/secrets.yaml b/hosts/tyo0/secrets.yaml
index 22778bc..820dbda 100644
--- a/hosts/tyo0/secrets.yaml
+++ b/hosts/tyo0/secrets.yaml
@@ -1,7 +1,5 @@
 sing-box:
 auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str]
-pixivfe:
- environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
 miniflux:
 environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
 vaultwarden:
@@ -30,8 +28,8 @@ sops:
 UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
 n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-29T15:18:59Z"
- mac: ENC[AES256_GCM,data:XZMya28H5W4C2iBOAOvQ7tze2ooC4P4hy/VMJne7FQQu+fOlKtNUq5rWOOWIxttKriD00kkSjsE29KrVKVcreI1PeaxQ2a+QRhGONtQlLDrTQXVTBaHaHzBmu7VzQOWzSvs8d4KsLv5uaHfe5bwTGnHprjbZ9E9tH7oPNNhwOGo=,iv:69TabzusnSmiCLz/QG91IjoA4TRSfb80p0yKloBSiig=,tag:NjSOWau/aYp9KHwHjwOL9A==,type:str]
+ lastmodified: "2024-08-29T15:22:29Z"
+ mac: ENC[AES256_GCM,data:wZzk/3ZdCXpMhMfIKbT0ZVm9k+c50MxWwZ88zZv0s44jYgWarzR92W09bTcOxw+SIfakdKt9y4aQENES1+JkGor3JpzxyVO4SGPaiZRFgNjjwAJJ2mAGTI3E69giirQipVHWOaPChZrpfCD2xa5Xrgm+as4fQpQrkgcv9ebyjrQ=,iv:GYsml4JuZ13OCMYcZiynaIlSU2V5lhsJd1GfSrOK/Oc=,tag:QodmEPuhmKA+/nuhP2Cufg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/hosts/tyo0/services/pixivfe.nix b/hosts/tyo0/services/pixivfe.nix
deleted file mode 100644
index 8673408..0000000
--- a/hosts/tyo0/services/pixivfe.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- pkgs,
- config,
- ...
-}:
-{
- services.pixivfe = {
- enable = true;
- EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
- settings = {
- PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
- PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
- };
- };
-
- systemd.services.pixivfe.serviceConfig = {
- RuntimeDirectory = [ "pixivfe" ];
- ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
- ${pkgs.coreutils}/bin/sleep 5
- ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
- '';
- };
-}
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 1b20ddf..7437af2 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -1,7 +1,4 @@
 { ... }:
 {
- imports = [
- ./services/hysteria.nix
- ./services/pixivfe.nix
- ];
+ imports = [ ];
 }
diff --git a/nixos/modules/services/hysteria.nix b/nixos/modules/services/hysteria.nix
deleted file mode 100644
index 02a3d96..0000000
--- a/nixos/modules/services/hysteria.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-{
- config,
- lib,
- pkgs,
- utils,
- ...
-}:
-let
- cfg = config.services.hysteria;
- settingsFormat = pkgs.formats.json { };
-in
-{
- options.services.hysteria = {
- enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
-
- package = lib.mkPackageOption pkgs "hysteria" { };
-
- mode = lib.mkOption {
- type = lib.types.enum [
- "server"
- "client"
- ];
- default = "server";
- description = "Whether to use Hysteria as a client or a server.";
- };
-
- settings = lib.mkOption {
- type = lib.types.submodule {
- freeformType = settingsFormat.type;
- };
- default = { };
- description = ''
- The Hysteria configuration, see https://hysteria.network/ for documentation.
-
- Options containing secret data should be set to an attribute set
- containing the attribute `_secret` - a string pointing to a file
- containing the value the option should be set to.
-
- Ignored when `services.hysteria.configFile` is set.
- '';
- };
- };
- config = lib.mkIf cfg.enable {
- systemd.services."hysteria" = {
- description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
- documentation = [ "https://hysteria.network/" ];
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json";
- serviceConfig = {
- ExecStart = lib.concatStringsSep " " [
- (lib.getExe cfg.package)
- cfg.mode
- "--config /var/lib/private/hysteria/config.json"
- ];
-
- DynamicUser = true;
- StateDirectory = "hysteria";
-
- ### Hardening
- AmbientCapabilities = [
- "CAP_NET_ADMIN"
- "CAP_NET_BIND_SERVICE"
- "CAP_NET_RAW"
- ];
- CapabilityBoundingSet = [
- "CAP_NET_ADMIN"
- "CAP_NET_BIND_SERVICE"
- "CAP_NET_RAW"
- ];
- NoNewPrivileges = true;
- PrivateMounts = true;
- PrivateTmp = true;
- ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- RestrictNamespaces = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = "@system-service";
- UMask = "0077";
- };
- };
- };
-}
diff --git a/nixos/modules/services/pixivfe.nix b/nixos/modules/services/pixivfe.nix
deleted file mode 100644
index b781574..0000000
--- a/nixos/modules/services/pixivfe.nix
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- lib,
- config,
- inputs,
- pkgs,
- ...
-}:
-let
- cfg = config.services.pixivfe;
-in
-{
- options.services.pixivfe = {
- enable = lib.mkEnableOption "PixivFE, a privacy respecting frontend for Pixiv";
-
- package =
- lib.mkPackageOption inputs.self.legacyPackages.${pkgs.stdenv.hostPlatform.system} "pixivfe"
- { };
-
- openFirewall = lib.mkEnableOption "open ports in the firewall needed for the daemon to function";
-
- settings = lib.mkOption {
- type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
- default = null;
- example = lib.literalExpression ''
- {
- PIXIVFE_PORT = "8282";
- PIXIVFE_TOKEN = "123456_AaBbccDDeeFFggHHIiJjkkllmMnnooPP";
- };
- '';
- description = ''
- Additional configuration for PixivFE, see
- for supported values.
- For secrets use `EnvironmentFile` option instead.
- '';
- };
-
- EnvironmentFile = lib.mkOption {
- type = lib.types.nullOr lib.types.str;
- default = null;
- example = lib.literalExpression ''
- /run/secrets/environment
- '';
- description = ''
- File containing environment variables to be passed to the PixivFE service.
-
- See `systemd.exec(5)` for more information.
- '';
- };
- };
- config = lib.mkIf cfg.enable {
- assertions = [
- {
- assertion = if cfg.openFirewall then (cfg.settings ? PIXIVFE_PORT) else true;
- message = ''
- PIXIVFE_PORT must be specified for NixOS to open a port.
-
- See https://pixivfe.pages.dev/environment-variables/ for more information.
- '';
- }
- {
- assertion =
- if (cfg.EnvironmentFile == null) then
- (cfg.settings ? PIXIVFE_UNIXSOCKET) || (cfg.settings ? PIXIVFE_PORT)
- else
- true;
- message = ''
- PIXIVFE_PORT or PIXIVFE_UNIXSOCKET must be set for PixivFE to run.
-
- See https://pixivfe.pages.dev/environment-variables/ for more information.
- '';
- }
- {
- assertion = if (cfg.EnvironmentFile == null) then cfg.settings ? PIXIVFE_TOKEN else true;
- message = ''
- PIXIVFE_TOKEN must be set for PixivFE to run.
-
- See https://pixivfe.pages.dev/environment-variables/ for more information.
- '';
- }
- ];
-
- systemd.services."pixivfe" = {
- description = "PixivFE, a privacy respecting frontend for Pixiv.";
- documentation = [ "https://pixivfe.pages.dev/" ];
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- environment = lib.mkIf (cfg.settings != null) (
- lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings
- );
- serviceConfig = {
- inherit (cfg) EnvironmentFile;
- ExecStart = lib.getExe cfg.package;
- DynamicUser = true;
-
- ### Hardening
- AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; # For ports <= 1024
- CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
- NoNewPrivileges = true;
- PrivateMounts = true;
- PrivateTmp = true;
- ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = "@system-service";
- UMask = "0077";
- };
- };
-
- networking.firewall = lib.mkIf cfg.openFirewall {
- allowedTCPPorts = [ cfg.settings.PIXIVFE_PORT ];
- };
- };
-}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index dbc4dc3..58e074b 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -1,12 +1,5 @@
 # NOTE: 301: All packages are migrated to `github:Guanran928/nur-packages`,
 # only keeping some packages that only fits for personal use.
-pkgs:
-let
- inherit (pkgs) callPackage;
-in
-{
- # https://github.com/NixOS/nixpkgs/pull/308720
- pixivfe = callPackage ./pixivfe.nix { };
-
+pkgs: {
 background = pkgs.nixos-artwork.wallpapers.nineish-dark-gray.src;
 }
diff --git a/pkgs/pixivfe.nix b/pkgs/pixivfe.nix
deleted file mode 100644
index 3bcc531..0000000
--- a/pkgs/pixivfe.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- lib,
- buildGoModule,
- fetchFromGitea,
- makeBinaryWrapper,
-}:
-buildGoModule rec {
- pname = "pixivfe";
- version = "2.6";
-
- src = fetchFromGitea {
- domain = "codeberg.org";
- owner = "VnPower";
- repo = "PixivFE";
- rev = "v${version}";
- hash = "sha256-pusyCXy2tsdvOSUR6LfSYHv8YT1tiCErqUEkUgKYbZ4=";
- };
-
- vendorHash = "sha256-QapDR964Tn+RxXdkGqCQXacdmlSapF841Y84n4d/6VI=";
-
- ldflags = [
- "-s"
- "-w"
- ];
-
- nativeBuildInputs = [ makeBinaryWrapper ];
-
- postInstall = ''
- mkdir -p $out/share/pixivfe
- cp -r ./views/ $out/share/pixivfe/views
- wrapProgram $out/bin/pixivfe \
- --chdir $out/share/pixivfe
- '';
-
- meta = {
- description = "Privacy respecting frontend for Pixiv";
- homepage = "https://codeberg.org/VnPower/PixivFE";
- license = lib.licenses.agpl3Only;
- mainProgram = "pixivfe";
- maintainers = with lib.maintainers; [ Guanran928 ];
- platforms = lib.platforms.linux;
- };
-}