From 340f42cf17e267253b884d22cd30305c3a19b824 Mon Sep 17 00:00:00 2001 From: Guanran Wang Date: Fri, 24 May 2024 00:15:10 +0800 Subject: [PATCH] treewide: update I honestly have no idea how to commit this pile of stuff one by one... --- .sops.yaml | 5 + flake.lock | 153 ++++++----- flake.nix | 7 +- hosts/aristotle/default.nix | 15 ++ hosts/blacksteel/README.md | 4 +- hosts/blacksteel/anti-feature.nix | 8 +- hosts/blacksteel/default.nix | 242 +++++++++++++++++- hosts/blacksteel/hardware-configuration.nix | 1 - hosts/blacksteel/secrets.yaml | 36 +++ hosts/lightsail-tokyo/Caddyfile | 82 +++++- hosts/lightsail-tokyo/anti-feature.nix | 2 + hosts/lightsail-tokyo/default.nix | 130 ++++++++-- hosts/lightsail-tokyo/matrix-client.json | 8 + hosts/lightsail-tokyo/matrix-server.json | 3 + hosts/lightsail-tokyo/robots.txt | 30 +-- hosts/lightsail-tokyo/secrets.yaml | 6 +- hosts/socrates/robotnix/flake.nix | 33 +-- nixos/modules/default.nix | 2 + nixos/modules/services/pixivfe-pkg.nix | 37 +++ nixos/modules/services/pixivfe.nix | 130 ++++++++++ nixos/modules/services/rathole.nix | 50 ++++ nixos/profiles/common/core/default.nix | 34 +-- nixos/profiles/common/graphical/default.nix | 3 +- .../profiles/common/graphical/home/theme.nix | 4 +- .../graphical/home/wallpapers/default.nix | 17 ++ overlays/nautilus.nix | 4 +- 26 files changed, 880 insertions(+), 166 deletions(-) create mode 100644 hosts/blacksteel/secrets.yaml create mode 100644 hosts/lightsail-tokyo/matrix-client.json create mode 100644 hosts/lightsail-tokyo/matrix-server.json create mode 100644 nixos/modules/services/pixivfe-pkg.nix create mode 100644 nixos/modules/services/pixivfe.nix create mode 100644 nixos/modules/services/rathole.nix diff --git a/.sops.yaml b/.sops.yaml index 4c59d5f..f431b68 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -8,6 +8,11 @@ keys: - &blacksteel age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk - &lightsail-tokyo age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa creation_rules: + - path_regex: hosts/blacksteel/secrets.yaml$ + key_groups: + - age: + - *guanranwang + - *blacksteel - path_regex: hosts/lightsail-tokyo/secrets.yaml$ key_groups: - age: diff --git a/flake.lock b/flake.lock index d9f570c..c9df819 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "aagl": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716425853, + "narHash": "sha256-PSd1jStP3SfJB3JvHRVjHpGwy3eKjni06VciEly0rHQ=", + "owner": "ezKEa", + "repo": "aagl-gtk-on-nix", + "rev": "fa6201a1cfcaa84d442c9c9b17c2e79df99f444b", + "type": "github" + }, + "original": { + "owner": "ezKEa", + "repo": "aagl-gtk-on-nix", + "type": "github" + } + }, "berberman": { "inputs": { "nixpkgs": [ @@ -10,11 +31,11 @@ ] }, "locked": { - "lastModified": 1714155185, - "narHash": "sha256-/waEN3vHOgWHqRi4p3lbndS8C3iFl1ZQA60dR0CrJco=", + "lastModified": 1716307996, + "narHash": "sha256-yuyK5HpOIbzkptgvuL+jqi+/Jy1XYzjsNUN2AUIq+Wc=", "owner": "berberman", "repo": "flakes", - "rev": "8609046ac57e6b32e601c6577562c3eb75ae95f6", + "rev": "09f7b705563c36221e89d0e9bc156b29c0a5d6f2", "type": "github" }, "original": { @@ -30,11 +51,11 @@ ] }, "locked": { - "lastModified": 1714536327, - "narHash": "sha256-zu4+LcygJwdyFHunTMeDFltBZ9+hoWvR/1A7IEy7ChA=", + "lastModified": 1716156051, + "narHash": "sha256-TjUX7WWRcrhuUxDHsR8pDR2N7jitqZehgCVSy3kBeS8=", "owner": "ipetkov", "repo": "crane", - "rev": "3124551aebd8db15d4560716d4f903bd44c64e4a", + "rev": "7443df1c478947bf96a2e699209f53b2db26209d", "type": "github" }, "original": { 
@@ -50,11 +71,11 @@ ] }, "locked": { - "lastModified": 1714612856, - "narHash": "sha256-W7+rtMzRmdovzndN2NYUv5xzkbMudtQ3jbyFuGk0O1E=", + "lastModified": 1716431128, + "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=", "owner": "nix-community", "repo": "disko", - "rev": "d57058eb09dd5ec00c746df34fe0a603ea744370", + "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606", "type": "github" }, "original": { @@ -64,6 +85,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "locked": { "lastModified": 1696426674, "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", @@ -85,11 +122,11 @@ ] }, "locked": { - "lastModified": 1714641030, - "narHash": "sha256-yzcRNDoyVP7+SCNX0wmuDju1NUCt8Dz9+lyUXEI0dbI=", + "lastModified": 1715865404, + "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "e5d10a24b66c3ea8f150e47dfdb0416ab7c3390e", + "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9", "type": "github" }, "original": { @@ -145,11 +182,11 @@ ] }, "locked": { - "lastModified": 1714679908, - "narHash": "sha256-KzcXzDvDJjX34en8f3Zimm396x6idbt+cu4tWDVS2FI=", + "lastModified": 1716457508, + "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=", "owner": "nix-community", "repo": "home-manager", - "rev": "9036fe9ef8e15a819fa76f47a8b1f287903fb848", + "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05", "type": "github" }, "original": { 
@@ -247,11 +284,11 @@ ] }, "locked": { - "lastModified": 1713946171, - "narHash": "sha256-lc75rgRQLdp4Dzogv5cfqOg6qYc5Rp83oedF2t0kDp8=", + "lastModified": 1716329735, + "narHash": "sha256-ap51w+VqG21vuzyQ04WrhI2YbWHd3UGz0e7dc/QQmoA=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "230a197063de9287128e2c68a7a4b0cd7d0b50a7", + "rev": "eac4f25028c1975a939c8f8fba95c12f8a25e01c", "type": "github" }, "original": { @@ -273,11 +310,11 @@ ] }, "locked": { - "lastModified": 1713988078, - "narHash": "sha256-scRrzQQyJAT0iPAd8AZvolgiq7npatsfytwnduESndI=", + "lastModified": 1715807870, + "narHash": "sha256-lutvG1LFGSpXsGA7U4TWfdfq6p71WdSlhw3vM4W/Opk=", "owner": "Gerschtli", "repo": "nix-formatter-pack", - "rev": "08d0135dbe95992b5f8d54c351ce62be2177f0b4", + "rev": "ab5feb867e5d074918852de6134500a82a09dc48", "type": "github" }, "original": { @@ -296,11 +333,11 @@ ] }, "locked": { - "lastModified": 1714303849, - "narHash": "sha256-o/IgiwA0ZS/nMh5YB0bt+ae3Lt+tlbQouY/xL7tB5h0=", + "lastModified": 1716409168, + "narHash": "sha256-EhfEm11GRKDJVWeCRZ9uH6PZC6I0rAKTTEOedOlEfEI=", "owner": "fufexan", "repo": "nix-gaming", - "rev": "dbb96ae98e723128cf5a612480ba6187113f5e49", + "rev": "72a38144721f978979d09f01e0929457c347d1f3", "type": "github" }, "original": { @@ -350,11 +387,11 @@ ] }, "locked": { - "lastModified": 1714685946, - "narHash": "sha256-09YdG9ExCFj9Ngrc1qXZBtn6LRyzFG2KcVVcl295tmU=", + "lastModified": 1716413945, + "narHash": "sha256-BND2qR3ijnT1pS0vonpzlloeJqcnkLsz863JVl4Hb48=", "owner": "jacekszymanski", "repo": "nixcasks", - "rev": "a0bc85d5d4d3c3e83c637cfb8b0830ed55020bf2", + "rev": "8d9c80f1ffd737aa1a2660bcf8fecbd3176dc71e", "type": "github" }, "original": { 
@@ -365,11 +402,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1714465198, - "narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=", + "lastModified": 1716173274, + "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4", + "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191", "type": "github" }, "original": { @@ -395,16 +432,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1714750568, - "narHash": "sha256-HHx3NGN7gHZdfnyXF961sxr9FcxM5bg4gweeHEnRxXQ=", + "lastModified": 1716358718, + "narHash": "sha256-NQbegJb2ZZnAqp2EJhWwTf6DrZXSpA6xZCEq+RGV1r0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e96601ecf084d9d6a366a4f0da7f36479f67f81e", + "rev": "3f316d2a50699a78afe5e77ca486ad553169061e", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable-small", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } @@ -427,11 +464,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1714531828, - "narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=", + "lastModified": 1716361217, + "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1", + "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f", "type": "github" }, "original": { @@ -482,11 +519,11 @@ }, "nur": { "locked": { - "lastModified": 1714681542, - "narHash": "sha256-7WQo+TMORkw/Bo1AADX7IuYu28rWVJN7qMTq3QDWU9E=", + "lastModified": 1716479105, + "narHash": "sha256-O5vAr3D1Kxo+BCzL25bR6H3IwLZISj/B29OVGon216k=", "owner": "nix-community", "repo": "NUR", - "rev": "6132349be4a6cfe62cfe744d622a645e4981d458", + "rev": "b3d163c563387c70d9a4ee1055e6c9def436f529", "type": "github" }, "original": { @@ -526,9 +563,6 @@ "flake-compat": [ "flake-compat" ], - "flake-utils": [ - "flake-utils" - ], "gitignore": [ "gitignore" ], 
@@ -540,11 +574,11 @@ ] }, "locked": { - "lastModified": 1714478972, - "narHash": "sha256-q//cgb52vv81uOuwz1LaXElp3XAe1TqrABXODAEF6Sk=", + "lastModified": 1716213921, + "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "2849da033884f54822af194400f8dff435ada242", + "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0", "type": "github" }, "original": { @@ -555,10 +589,11 @@ }, "root": { "inputs": { + "aagl": "aagl", "berberman": "berberman", "crane": "crane", "disko": "disko", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-parts": "flake-parts", "flake-utils": "flake-utils", "gitignore": "gitignore", @@ -599,11 +634,11 @@ ] }, "locked": { - "lastModified": 1714616033, - "narHash": "sha256-JcWAjIDl3h0bE/pII0emeHwokTeBl+SWrzwrjoRu7a0=", + "lastModified": 1716430594, + "narHash": "sha256-vdVzaGD5p+KG7XHepIeX5rUPmdzEcF2w6rhqfr0SNkI=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "3e416d5067ba31ff8ac31eeb763e4388bdf45089", + "rev": "ee0db3aeebafeaada2b98d076de6d314b4c8682e", "type": "github" }, "original": { @@ -638,11 +673,11 @@ ] }, "locked": { - "lastModified": 1713892811, - "narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=", + "lastModified": 1716400300, + "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd", + "rev": "b549832718b8946e875c016a4785d204fcfc2e53", "type": "github" }, "original": { @@ -681,11 +716,11 @@ ] }, "locked": { - "lastModified": 1714611022, - "narHash": "sha256-Cneh2G54TO1eVQBxLZp0JlW8LWbTE/N1WjcE2W+F3pI=", + "lastModified": 1716425501, + "narHash": "sha256-BSLhmGYY1khyyBAjraR+N0Pa9Nha/et5yQQlEZxcfkU=", "owner": "nix-community", "repo": "srvos", - "rev": "1fa90a0a81fec38c117397fde79733cc78f12815", + "rev": "1122cd50a23647e09c3e7a679d37ec02113bc412", "type": "github" }, "original": { 
@@ -716,11 +751,11 @@ ] }, "locked": { - "lastModified": 1714058656, - "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=", + "lastModified": 1715940852, + "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f", + "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index e854ed1..74fffe1 100644 --- a/flake.nix +++ b/flake.nix @@ -7,9 +7,13 @@ # `nixpkgs-unstable` contains less(?) jobs, and usually updates faster. # # REFERENCE: https://discourse.nixos.org/t/differences-between-nix-channels/13998/5 - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11"; + aagl = { + url = "github:ezKEa/aagl-gtk-on-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; berberman = { url = "github:berberman/flakes"; inputs.nixpkgs.follows = "nixpkgs"; @@ -140,7 +144,6 @@ inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs-stable.follows = "nixpkgs-stable"; inputs.flake-compat.follows = "flake-compat"; - inputs.flake-utils.follows = "flake-utils"; inputs.gitignore.follows = "gitignore"; }; rust-overlay = { diff --git a/hosts/aristotle/default.nix b/hosts/aristotle/default.nix index dbede4a..0f6c525 100644 --- a/hosts/aristotle/default.nix +++ b/hosts/aristotle/default.nix @@ -1,6 +1,8 @@ { pkgs, inputs, + config, + lib, ... }: { imports = [ 
@@ -53,4 +55,17 @@ # for udev rules programs.adb.enable = true; + + # fucking hell + programs.anime-game-launcher.enable = true; + + # FIXME: + hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.mkDriver { + version = "555.42.02"; + sha256_64bit = "sha256-k7cI3ZDlKp4mT46jMkLaIrc2YUx1lh1wj/J4SVSHWyk="; + sha256_aarch64 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA="; + openSha256 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA="; + settingsSha256 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA="; + persistencedSha256 = lib.fakeSha256; + }; } diff --git a/hosts/blacksteel/README.md b/hosts/blacksteel/README.md index 3859cb0..5365ebe 100644 --- a/hosts/blacksteel/README.md +++ b/hosts/blacksteel/README.md @@ -10,7 +10,7 @@ MacBookPro11,3 ### Description -Homelab, hosting random stuff through tailscale. +Homelab, hosting random stuff through tailscale and rathole. ### TODOs: @@ -20,4 +20,4 @@ Homelab, hosting random stuff through tailscale. - [ ] luks1 -> luks2 - [ ] tpm luks unlocking - [ ] nouveau -> nvidia -- [x] networkmanager - > iwd +- [x] networkmanager -> iwd diff --git a/hosts/blacksteel/anti-feature.nix b/hosts/blacksteel/anti-feature.nix index 282a39d..1561131 100644 --- a/hosts/blacksteel/anti-feature.nix +++ b/hosts/blacksteel/anti-feature.nix @@ -9,22 +9,22 @@ "adoptopenjdk-hotspot-bin" "cargo-bootstrap" "cef-binary" + "minecraft-server" "rustc-bootstrap" "rustc-bootstrap-wrapper" "sof-firmware" "spotify" - "vscodium" - "papermc" "temurin-bin" + "vscodium" ]; allowUnfree = false; allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ + "broadcom-sta" + "minecraft-server" "nvidia-x11" "spotify" - "broadcom-sta" - "papermc" ]; }; } diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix index d7520a1..e4af79f 100644 --- a/hosts/blacksteel/default.nix +++ b/hosts/blacksteel/default.nix 
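Review bot: In the `hardware.nvidia.package` override, `sha256_aarch64`, `openSha256` and `settingsSha256` carry the identical value `sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=`, which cannot be correct for three different artifacts, and `persistencedSha256` is `lib.fakeSha256`. Nix rejects a fixed-output derivation whose hash does not match rather than accepting the download, so whichever of these the build fetches (on x86_64 with the closed driver that is at least the settings tarball) will fail at build time; this is a correctness problem, not a silent integrity gap. The bare `# FIXME:` should say which hashes are real, e.g. `# FIXME: only sha256_64bit is verified; the remaining hashes are placeholders and will fail to fetch`, so nobody reads the duplicated value as trustworthy.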
@@ -1,11 +1,15 @@ { pkgs, lib, + config, ... }: { imports = [ # OS - ../../nixos/profiles/laptop + # FIXME: + ../../nixos/profiles/common/core + ../../nixos/profiles/common/physical + ../../nixos/profiles/common/mobile ../../nixos/profiles/common/opt-in/clash-meta-client # Hardware 
@@ -19,26 +23,148 @@ time.timeZone = "Asia/Shanghai"; system.stateVersion = "23.11"; + ######## Secrets + sops = { + secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) { + "synapse/secret" = { + restartUnits = ["matrix-synapse.service"]; + owner = config.systemd.services.matrix-synapse.serviceConfig.User; + }; + "synapse/oidc" = { + restartUnits = ["matrix-synapse.service"]; + owner = config.systemd.services.matrix-synapse.serviceConfig.User; + }; + "syncv3/environment" = { + restartUnits = ["matrix-sliding-sync.service"]; + }; + "mastodon/environment" = { + restartUnits = ["mastodon-web.service"]; + }; + }; + }; + ######## Services + environment.systemPackages = with pkgs; [qbittorrent]; + services.tailscale = { enable = true; openFirewall = true; }; - # Minecraft + services.frp = { + enable = true; + role = "client"; + settings = { + serverAddr = "18.177.132.61"; # TODO: can I use a domain name? + serverPort = 7000; + auth.method = "token"; + auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret! 
+ proxies = [ + { + name = "synapse"; + type = "tcp"; + localIP = "127.0.0.1"; + localPort = 8100; + remotePort = 8600; + } + { + name = "syncv3"; + type = "tcp"; + localIP = "127.0.0.1"; + remotePort = 8700; + plugin = { + type = "unix_domain_socket"; + unixPath = "/run/matrix-sliding-sync/sync.sock"; + }; + } + { + name = "mastodon-web"; + type = "tcp"; + localIP = "127.0.0.1"; + remotePort = 8900; + plugin = { + type = "unix_domain_socket"; + unixPath = "/run/mastodon-web/web.socket"; + }; + } + { + name = "mastodon-streaming"; + type = "tcp"; + localIP = "127.0.0.1"; + remotePort = 9000; + plugin = { + type = "unix_domain_socket"; + unixPath = "/run/mastodon-streaming/streaming-1.socket"; + }; + } + { + name = "mastodon-system"; + type = "tcp"; + localIP = "127.0.0.1"; + remotePort = 9100; + plugin = { + type = "static_file"; + localPath = "/var/lib/mastodon/public-system"; + }; + } + ]; + }; + }; + + systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon"]; + + services.postgresql = { + enable = true; + settings = { + # Generated by pgTune + # https://pgtune.leopard.in.ua/#/ + # + # DB Version: 15 + # OS Type: linux + # DB Type: web + # Total Memory (RAM): 16 GB + # CPUs num: 8 + # Data Storage: ssd + + max_connections = 200; + shared_buffers = "4GB"; + effective_cache_size = "12GB"; + maintenance_work_mem = "1GB"; + checkpoint_completion_target = 0.9; + wal_buffers = "16MB"; + default_statistics_target = 100; + random_page_cost = "1.1"; + effective_io_concurrency = 200; + work_mem = "5242kB"; + huge_pages = "off"; + min_wal_size = "1GB"; + max_wal_size = "4GB"; + max_worker_processes = 8; + max_parallel_workers_per_gather = 4; + max_parallel_workers = 8; + max_parallel_maintenance_workers = 4; + }; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + + 
services.postgresqlBackup = { + enable = true; + location = "/var/lib/backup/postgresql"; + compression = "zstd"; + startAt = "weekly"; + }; + services.minecraft-server = { enable = true; eula = true; openFirewall = true; - # I should switch to vanilla/fabric one day... - package = pkgs.papermc.overrideAttrs { - version = "1.20.4-485"; - hash = "sha256-8bhlv/MU7KDmdL8Ngvg/zLMlGiO4Fswoyn/1diFE65k="; - }; - # TODO: not working for some reason - #.override {jre = pkgs.temurin-bin;}; - # Aikar's flag # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/ # https://docs.papermc.io/paper/aikars-flags @@ -82,7 +208,6 @@ }; }; - # Samba services.samba = { enable = true; openFirewall = true; 
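Review bot: `services.frp.settings.auth.token` embeds the shared frp token as a string literal, so it lands in the world-readable Nix store on blacksteel and, with this commit, in git history; the same literal appears again in the server-side `services.frp` hunk of hosts/lightsail-tokyo/default.nix, and the `# FIXME: secret!` acknowledges it. frp expands `{{ .Envs.NAME }}` in its configuration, so the token can be supplied the way `mastodon/environment` is handled later in this file: `auth.token = "{{ .Envs.FRP_TOKEN }}";` together with `systemd.services.frp.serviceConfig.EnvironmentFile = config.sops.secrets."frp/environment".path;` (secret name constructed, choose your own) on both hosts, after which the committed value should be rotated. The Postgres `initialScript` in this hunk likewise bakes `PASSWORD 'synapse'` into the store; that is probably harmless if Synapse reaches Postgres over the local socket with peer auth, but a comment stating that assumption would save the next reader from wondering. `serverAddr` is a bare IP with a `# TODO`; frp accepts a hostname there, which would let the Lightsail address change without a rebuild.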
@@ -91,14 +216,105 @@ "read only" = "no"; }; }; + services.samba-wsdd = { enable = true; openFirewall = true; }; + systemd.tmpfiles.rules = [ "d /srv/samba/share 0700 guanranwang root" ]; - # qBitTorrent - environment.systemPackages = with pkgs; [qbittorrent]; + services.matrix-synapse = { + enable = true; + withJemalloc = true; + extraConfigFiles = [config.sops.secrets."synapse/secret".path]; + settings = { + server_name = "ny4.dev"; + public_baseurl = "https://matrix.ny4.dev"; + presence.enabled = false; # tradeoff + listeners = [ + { + port = 8100; + bind_addresses = ["127.0.0.1"]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = ["client" "federation"]; + compress = true; + } + ]; + } + ]; + + # https://element-hq.github.io/synapse/latest/openid.html#keycloak + oidc_providers = [ + { + idp_id = "keycloak"; + idp_name = "id.ny4.dev"; + issuer = "https://id.ny4.dev/realms/master"; + client_id = "synapse"; + client_secret_path = config.sops.secrets."synapse/oidc".path; + scopes = ["openid" "profile"]; + user_mapping_provider.config = { + localpart_template = "{{ user.preferred_username }}"; + display_name_template = "{{ user.name }}"; + }; + backchannel_logout_enabled = true; + allow_existing_users = true; + } + ]; + }; + }; + + systemd.services.matrix-synapse.environment = config.networking.proxy.envVars; + + services.matrix-sliding-sync = { + enable = true; + environmentFile = config.sops.secrets."syncv3/environment".path; + settings = { + SYNCV3_SERVER = "http://127.0.0.1:8100"; + SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock"; + }; + }; + + systemd.services.matrix-sliding-sync.serviceConfig.RuntimeDirectory = ["matrix-sliding-sync"]; + + services.mastodon = { + enable = true; + localDomain = "ny4.dev"; + streamingProcesses = 1; + # FIXME: this doesn't exist + smtp = { + createLocally = false; + fromAddress = "mastodon@ny4.dev"; + }; + extraConfig = rec { + SINGLE_USER_MODE = "true"; + WEB_DOMAIN = "mastodon.ny4.dev"; 
+ + # keycloak + OMNIAUTH_ONLY = "true"; + OIDC_ENABLED = "true"; + OIDC_CLIENT_ID = "mastodon"; + # OIDC_CLIENT_SECRET # EnvironmentFile + OIDC_DISCOVERY = "true"; + OIDC_DISPLAY_NAME = "id.ny4.dev"; + OIDC_ISSUER = "https://id.ny4.dev/realms/master"; + OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback"; + OIDC_SCOPE = "openid,profile,email"; + OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"; + OIDC_UID_FIELD = "preferred_username"; + }; + }; + + systemd.services.mastodon-web = { + environment = config.networking.proxy.envVars; + serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path]; + }; + + systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars; } diff --git a/hosts/blacksteel/hardware-configuration.nix b/hosts/blacksteel/hardware-configuration.nix index 36f06c5..204721a 100644 --- a/hosts/blacksteel/hardware-configuration.nix +++ b/hosts/blacksteel/hardware-configuration.nix @@ -7,7 +7,6 @@ inputs.nixpkgs.nixosModules.notDetected inputs.nixos-hardware.nixosModules.apple-macbook-pro inputs.nixos-hardware.nixosModules.common-cpu-intel - inputs.nixos-hardware.nixosModules.common-gpu-intel #inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime inputs.nixos-hardware.nixosModules.common-hidpi inputs.nixos-hardware.nixosModules.common-pc-laptop diff --git a/hosts/blacksteel/secrets.yaml b/hosts/blacksteel/secrets.yaml new file mode 100644 index 0000000..da7a6c3 --- /dev/null +++ b/hosts/blacksteel/secrets.yaml 
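Review bot: Both identity mappings in this hunk take the IdP's claims on trust: Synapse's `allow_existing_users = true` lets an OIDC login attach to an existing local account whose localpart equals `preferred_username`, and Mastodon's `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"` links accounts by e-mail with no verification step. That is defensible only because `id.ny4.dev` is the sole provider (`OMNIAUTH_ONLY`) and its usernames and e-mails are admin-controlled; adding a second provider or opening registration on Keycloak later would turn both settings into account-linking risks. A comment above `oidc_providers`, such as `# allow_existing_users / assume-email-verified are safe only while Keycloak is the single, admin-managed IdP`, would record that assumption where it matters. The `# FIXME: this doesn't exist` above `smtp` is ambiguous about whether it means the NixOS option or the mailbox `mastodon@ny4.dev`; saying which would keep it actionable.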
@@ -0,0 +1,36 @@ +synapse: + secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str] + oidc: ENC[AES256_GCM,data:vGQcPcUfbv6II6buEMKELc1+xZ5XccpEeCy3vZx4fdk=,iv:ORok/FXZ9SA54zD1+OhyFnZAPhGpMpTetWYgge2QSwQ=,tag:7DxrruTbenUfI/V6hGYBaw==,type:str] +syncv3: + environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str] +mastodon: + environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdjRrUkJXd3Z2VlhRRDEz + YS9DZVlQYmNXeW9qQWtZZlUrZHQrSXFJYWtRCk54Z3NEck51dTR3ZDh3SnEwNXhu + ZEI4S1ZEQklDd0ZwTWJwdHNEVlFERWsKLS0tIGRSVjVGR3daR0k2dVVHUmVwMHlL + dWtkdkQvMjZqbHp0STA3cnZPYkIzOWMKNGH8hQI4oKrjCAEE5onH9sa2AhdjeUsl + PSd1/z0ka0Y2wlPGuGOqIXYg8O1WqFxn/uS6O2YZSpAtw7JulOs8aQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMHRrOGJ6RkxrZndoZkEy + V1NtbEw0SExiaWE1bGtPYXROSFVZNmVTR0RVCkM0OHhxMzhvUzVUMThTc3VyZUFq + c3FyVUNpM09WUURnSzY4dW4zS0U3T0EKLS0tIFJQL3BlY1N1bkorYlVqRkVaUmdi + bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ + hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-21T10:09:01Z" + mac: 
ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/hosts/lightsail-tokyo/Caddyfile b/hosts/lightsail-tokyo/Caddyfile index fa4ecd3..f3c3a6f 100644 --- a/hosts/lightsail-tokyo/Caddyfile +++ b/hosts/lightsail-tokyo/Caddyfile @@ -12,11 +12,11 @@ # https://infosec.mozilla.org/guidelines/web_security # https://caddyserver.com/docs/caddyfile/directives/header#examples - Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'" - Permissions-Policy interest-Hpcohort=() - Strict-Transport-Security max-age=31536000; - X-Content-Type-Options nosniff - X-Frame-Options DENY + ?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'" + ?Permissions-Policy interest-Hpcohort=() + ?Strict-Transport-Security max-age=31536000; + ?X-Content-Type-Options nosniff + ?X-Frame-Options DENY } } @@ -45,7 +45,19 @@ www.ny4.dev { ny4.dev { import default - respond "Hello, world!" + + # Synapse + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + handle_path /.well-known/matrix/* { + file_server * { + root /var/www/matrix + } + } + + # Mastodon + header /.well-known/webfinger Access-Control-Allow-Origin * + redir /.well-known/webfinger https://mastodon.ny4.dev{uri} permanent } searx.ny4.dev { 
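Review bot: `?Permissions-Policy interest-Hpcohort=()` carries over what looks like a typo from the old line: the FLoC opt-out directive is `interest-cohort=()`, and browsers ignore unknown tokens, so the header as written has no effect. Since this hunk already rewrites all five header lines, the fix belongs here: `?Permissions-Policy interest-cohort=()`. The new `?` prefix is sensible so that Synapse, Keycloak and Mastodon can emit their own headers, but it also means an upstream that sets a weaker `Content-Security-Policy` now wins over the default; a one-line comment above the block, e.g. `# ? = set only when the upstream did not send the header`, would make that trade-off explicit.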
@@ -65,5 +77,61 @@ uptime.ny4.dev { ntfy.ny4.dev { import default - reverse_proxy localhost:8400 + reverse_proxy unix//run/ntfy-sh/ntfy.sock +} + +pixiv.ny4.dev { + import default + basicauth { + Guanran928 $2a$14$aI977hGZCX6H9IiyG7avdOFxXFGtlt7DcIahTkInPhEx9Sfhk7bri + } + reverse_proxy unix//run/pixivfe/pixiv.sock +} + +matrix.ny4.dev { + import default + reverse_proxy /_matrix/* localhost:8600 + reverse_proxy /_synapse/client/* localhost:8600 + reverse_proxy /health localhost:8600 +} + +syncv3.ny4.dev { + import default + reverse_proxy localhost:8700 +} + +id.ny4.dev { + import default + reverse_proxy localhost:8800 +} + +element.ny4.dev { + import default + root * @element@ + file_server +} + +mastodon.ny4.dev { + import default + handle_path /system/* { + reverse_proxy localhost:9100 + } + + handle /api/v1/streaming/* { + reverse_proxy localhost:9000 + } + + route * { + file_server * { + root @mastodon@/public + pass_thru + } + reverse_proxy * localhost:8900 + } + + handle_errors { + root * @mastodon@/public + rewrite 500.html + file_server + } } diff --git a/hosts/lightsail-tokyo/anti-feature.nix b/hosts/lightsail-tokyo/anti-feature.nix index 026b59f..7d6725d 100644 --- a/hosts/lightsail-tokyo/anti-feature.nix +++ b/hosts/lightsail-tokyo/anti-feature.nix @@ -7,6 +7,8 @@ "cargo-bootstrap" "rustc-bootstrap" "rustc-bootstrap-wrapper" + "keycloak" + "temurin-bin" ]; allowUnfree = false; diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix index ff33572..0d55836 100644 --- a/hosts/lightsail-tokyo/default.nix +++ b/hosts/lightsail-tokyo/default.nix 
@@ -17,41 +17,84 @@ boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; system.stateVersion = "23.11"; + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 4 * 1024; # 4 GiB + } + ]; + # WORKAROUND: systemd.services."print-host-key".enable = false; ### Secrets - sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) { - "hysteria/auth".restartUnits = ["hysteria.service"]; - "searx/environment".restartUnits = ["searx.service"]; + sops = { + secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) { + "hysteria/auth" = { + restartUnits = ["hysteria.service"]; + }; + "pixivfe/environment" = { + restartUnits = ["pixivfe.service"]; + }; + "searx/environment" = { + restartUnits = ["searx.service"]; + }; + }; + + templates = { + "hysteria.yaml".content = '' + tls: + cert: /run/credentials/hysteria.service/cert + key: /run/credentials/hysteria.service/key + + masquerade: + type: proxy + proxy: + url: http://localhost/ + + ${config.sops.placeholder."hysteria/auth"} + ''; + }; }; - sops.templates."hysteria.yaml".content = '' - tls: - cert: /run/credentials/hysteria.service/cert - key: /run/credentials/hysteria.service/key - - masquerade: - type: proxy - proxy: - url: http://localhost/ - - ${config.sops.placeholder."hysteria/auth"} - ''; - ### Services - networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy - networking.firewall.allowedTCPPorts = [80 443]; # caddy + networking.firewall.allowedUDPPorts = [ + # hysteria + 443 + ]; + networking.firewall.allowedTCPPorts = [ + # caddy + 80 + 443 + + # frp + 7000 + ]; systemd.tmpfiles.settings = { "10-www" = { "/var/www/robots/robots.txt".C.argument = toString ./robots.txt; + "/var/www/matrix/client".C.argument = toString ./matrix-client.json; + "/var/www/matrix/server".C.argument = toString ./matrix-server.json; }; }; services.caddy = { enable = true; - configFile = ./Caddyfile; + configFile = pkgs.substituteAll { + src = ./Caddyfile; + + "element" 
= pkgs.element-web.override { + conf.default_server_config."m.homeserver" = let + inherit (config.services.matrix-synapse) settings; + in { + base_url = "https://matrix.ny4.dev"; + inherit (settings) server_name; + }; + }; + + "mastodon" = pkgs.mastodon; + }; }; services.hysteria = { @@ -64,11 +107,21 @@ ]; }; + services.frp = { + enable = true; + role = "server"; + settings = { + bindPort = 7000; + auth.method = "token"; + auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; + }; + }; + # `journalctl -u murmur.service | grep Password` services.murmur = { enable = true; openFirewall = true; - bandwidth = 128000; + bandwidth = 256 * 1024; # 256 Kbit/s }; services.searx = { @@ -99,10 +152,45 @@ enable = true; settings = { base-url = "https://ntfy.ny4.dev"; - listen-http = "127.0.0.1:8400"; + listen-http = ""; + listen-unix = "/run/ntfy-sh/ntfy.sock"; + listen-unix-mode = 511; # 0777 + behind-proxy = true; }; }; + systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"]; + + services.pixivfe = { + enable = true; + EnvironmentFile = config.sops.secrets."pixivfe/environment".path; + settings = { + PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock"; + PIXIVFE_IMAGEPROXY = "https://i.pixiv.re"; + }; + }; + + systemd.services.pixivfe.serviceConfig = { + RuntimeDirectory = ["pixivfe"]; + ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" '' + ${pkgs.coreutils}/bin/sleep 5 + ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock + ''; + }; + + services.keycloak = { + enable = true; + settings = { + http-host = "127.0.0.1"; + http-port = 8800; + proxy = "edge"; + hostname-strict-backchannel = true; + hostname = "id.ny4.dev"; + cache = "local"; + }; + database.passwordFile = toString (pkgs.writeText "password" "keycloak"); + }; + ### Prevents me from bankrupt # https://fmk.im/p/shutdown-aws/ services.vnstat.enable = true; 
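Review bot: With `role = "server"`, frp by default binds each client proxy's `remotePort` (8600, 8700, 8900, 9000, 9100 in the blacksteel hunk) on all interfaces, so the only thing keeping Synapse, sliding-sync and Mastodon from being reached without Caddy's TLS and headers is the NixOS firewall, which this commit opens for 80, 443 and 7000 only. Adding `proxyBindAddr = "127.0.0.1";` to `settings` makes the proxies loopback-only regardless of firewall state, which is what the `reverse_proxy localhost:…` lines in the Caddyfile assume. The `auth.token` literal is the same secret raised at the blacksteel hunk, and the environment-file fix there applies here as well. A comment on `bindPort = 7000` noting that the token is the only gate on an internet-facing port would help the next reader judge the exposure.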
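Review bot: `database.passwordFile = toString (pkgs.writeText "password" "keycloak")` stores the Keycloak database password in a world-readable store path, and the value itself is a guessable default; it should read `database.passwordFile = config.sops.secrets."keycloak/db-password".path;` (secret name constructed) with a matching entry in secrets.yaml, consistent with how `pixivfe/environment` is handled a few lines above. The pixivfe `ExecStartPost` runs `sleep 5` then `chmod 777` on the socket, which is both a race (the socket may not exist yet, or is recreated on restart) and wider than needed; if the new pixivfe module (defined outside this chunk) runs under a dedicated group, a `UMask` on the service plus the caddy user in that group lets the listener come up with a group-readable mode instead. The ntfy socket gets the same `0777` through `listen-unix-mode = 511`, and the same group-based narrowing applies there. Either way a comment such as `# socket must be reachable by caddy (reverse proxy)` would state why the permissions exist.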
diff --git a/hosts/lightsail-tokyo/matrix-client.json b/hosts/lightsail-tokyo/matrix-client.json new file mode 100644 index 0000000..6cb0dd7 --- /dev/null +++ b/hosts/lightsail-tokyo/matrix-client.json @@ -0,0 +1,8 @@ +{ + "m.homeserver": { + "base_url": "https://matrix.ny4.dev" + }, + "org.matrix.msc3575.proxy": { + "url": "https://syncv3.ny4.dev" + } +} diff --git a/hosts/lightsail-tokyo/matrix-server.json b/hosts/lightsail-tokyo/matrix-server.json new file mode 100644 index 0000000..938e84e --- /dev/null +++ b/hosts/lightsail-tokyo/matrix-server.json @@ -0,0 +1,3 @@ +{ + "m.server": "matrix.ny4.dev:443" +} diff --git a/hosts/lightsail-tokyo/robots.txt b/hosts/lightsail-tokyo/robots.txt index 7d1ecef..457cc89 100644 --- a/hosts/lightsail-tokyo/robots.txt +++ b/hosts/lightsail-tokyo/robots.txt @@ -1,33 +1,33 @@ -User-agent: GPTBot -Disallow: / - -User-agent: ChatGPT-User -Disallow: / - -User-agent: Google-Extended +User-agent: Amazonbot Disallow: / User-agent: CCBot Disallow: / -User-agent: Amazonbot -Disallow: / - -User-agent: FacebookBot -Disallow: / - -User-agent: anthopic-ai +User-agent: ChatGPT-User Disallow: / User-agent: Claude-Web Disallow: / -User-agent: cohere-ai +User-agent: FacebookBot +Disallow: / + +User-agent: GPTBot +Disallow: / + +User-agent: Google-Extended Disallow: / User-agent: Omgilibot Disallow: / +User-agent: anthopic-ai +Disallow: / + +User-agent: cohere-ai +Disallow: / + User-Agent: * Disallow: /harming/humans Disallow: /ignoring/human/orders diff --git a/hosts/lightsail-tokyo/secrets.yaml b/hosts/lightsail-tokyo/secrets.yaml index 1839725..d7a07f5 100644 --- a/hosts/lightsail-tokyo/secrets.yaml +++ b/hosts/lightsail-tokyo/secrets.yaml 
@@ -2,6 +2,8 @@ hysteria: auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str] searx: environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str] +pixivfe: + environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str] sops: kms: [] gcp_kms: [] @@ -26,8 +28,8 @@ sops: R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3 3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-01T11:58:36Z" - mac: ENC[AES256_GCM,data:dC1Q+u26euRWBsbduJC9bI79wZ0HG278Zgiijw65FAaSV6cemtwEul9PYBAOyz81MVSJCS2L7IkV6oUJWRr+nCbMMR19llWFsQNryC4TmthVXpfPkA5KeOHNR0Cz9acaQGdST+4zARYk/8VKYWO+2dX0V/BUN22C1FBu67w21H4=,iv:9CYnuGfW0Ax/rvqRXv+t9DJYF8KmWzeHjI+L6xnhf10=,tag:SQwukFLU9zzOkDGXTbOF4A==,type:str] + lastmodified: "2024-05-15T07:19:59Z" + mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/hosts/socrates/robotnix/flake.nix b/hosts/socrates/robotnix/flake.nix index bc724d4..472b9f8 100644 --- a/hosts/socrates/robotnix/flake.nix +++ b/hosts/socrates/robotnix/flake.nix 
@@ -6,15 +6,10 @@ outputs = inputs: { packages.x86_64-linux.default = inputs.self.robotnixConfigurations."socrates".img; - # FIXME: it doesn't build - # hardware/qcom-caf/sm8550/audio/pal/test/PalTest_main.c:56:32: error: unused parameter 'sig' [-Werror,-Wunused-parameter] - # static void sigint_handler(int sig) - # ^ - # 1 error generated. robotnixConfigurations."socrates" = inputs.robotnix.lib.robotnixSystem ({pkgs, ...}: { device = "socrates"; flavor = "lineageos"; - androidVersion = 13; + androidVersion = 14; apps.chromium.enable = false; webview.chromium.enable = false; 
@@ -22,32 +17,32 @@ ccache.enable = true; source.dirs."device/xiaomi/socrates".src = pkgs.fetchFromGitHub { - owner = "kmiit"; + owner = "danielml3"; repo = "android_device_xiaomi_socrates"; - rev = "6548361fe50743d6fe752f5848f63f9965d12d23"; - hash = "sha256-traXLuq74MTfUStOqyX3QBBbYAQEtXWTP9PpBjVfK/o="; + rev = "8b48a7a18b8db76d7122ca6e1b5bde8765d16665"; # lineage-21 + hash = "sha256-pQIbxpZhaxc7nI8Pl8sjG3kmvD3ComFDowjcKb9eZRo="; }; - source.dirs."device/xiaomi/socrates".patches = [./disable-gapps.patch]; source.dirs."device/xiaomi/socrates-kernel".src = pkgs.fetchFromGitHub { - owner = "xiaomi-socrates"; - repo = "android_device_xiaomi_socrates-kernel"; - rev = "f13d073698b678442a694b2b2e3eecc997bb5227"; - hash = "sha256-Ln7rhdJNbj8imUUaitnUhXMj36Wjuf5IB8UmD6Y1o4c"; + owner = "danielml3"; + repo = "android_device_xiaomi_socrates"; + rev = "60cd3aebf59cdf96366e8e4a8a1e2887f7d4d063"; # lineage-21-kernel + hash = "sha256-i5QtxvApvGk24WeH6i6nC6jhS2jL2BolRUr/M02y6lc="; }; source.dirs."hardware/xiaomi".src = pkgs.fetchFromGitHub { - owner = "cupid-development"; + owner = "LineageOS"; repo = "android_hardware_xiaomi"; - rev = "b5167f21ba268a029461bded3f12205e5600b9f0"; - hash = "sha256-69nyWSjFrTjVsZdX92NZ5lv1H14mtC9dGepaD+nwvhY="; + rev = "4453055456bb452830144d9526342b032289495e"; # lineage-21 + hash = "sha256-kQoHGKsa5L+usIChTMm63P85N8ZGofcllE4Hybf7itA="; }; + # TODO: source.dirs."vendor/xiaomi/socrates".src = pkgs.fetchFromGitHub { owner = "kmiit"; repo = "android_vendor_xiaomi_socrates"; - rev = "8808c2f06a7645eaccb4992193f24c188b908418"; - hash = "sha256-jPZxWtTpj5a+EoIVmkU4L0dQD4926HyeM6BE2/1swDw="; + rev = ""; + hash = ""; }; }); }; diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index 1ce856b..8326a5e 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -11,5 +11,7 @@ # nixpkgs styled options ./services/hysteria.nix + ./services/pixivfe.nix + ./services/rathole.nix ]; } 
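Review bot: The `# TODO:` above `source.dirs."vendor/xiaomi/socrates"` says nothing about what is pending, while the `rev = ""; hash = "";` beneath it mean that fetch cannot succeed until both are filled in, so the flake's default package is presumably unbuildable as committed. A comment stating this saves the next reader a failed build, e.g. `# TODO: no usable vendor tree pinned yet; rev/hash are intentionally empty and the image will not build until they are set`. The hunk also drops the `./disable-gapps.patch` entry, but the diffstat does not delete the patch file, so it looks orphaned unless it is still referenced elsewhere.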
diff --git a/nixos/modules/services/pixivfe-pkg.nix b/nixos/modules/services/pixivfe-pkg.nix new file mode 100644 index 0000000..f4117c2 --- /dev/null +++ b/nixos/modules/services/pixivfe-pkg.nix @@ -0,0 +1,37 @@ +{ + lib, + buildGoModule, + fetchFromGitea, + makeBinaryWrapper, +}: +buildGoModule rec { + pname = "pixivfe"; + version = "2.5.1"; + + src = fetchFromGitea { + domain = "codeberg.org"; + owner = "VnPower"; + repo = "PixivFE"; + rev = "v${version}"; + hash = "sha256-G2pSPpemMFAbQ9QkI4XAHobv+Em9ZoDUJiO/cwEy4Tc="; + }; + + vendorHash = "sha256-QapDR964Tn+RxXdkGqCQXacdmlSapF841Y84n4d/6VI="; + + nativeBuildInputs = [makeBinaryWrapper]; + + # PixivFE require files from source code + postInstall = '' + wrapProgram $out/bin/pixivfe \ + --chdir ${src} + ''; + + meta = { + description = "A privacy respecting frontend for Pixiv"; + homepage = "https://codeberg.org/VnPower/PixivFE"; + license = lib.licenses.agpl3Only; + mainProgram = "pixivfe"; + maintainers = with lib.maintainers; [Guanran928]; + platforms = lib.platforms.linux; + }; +} diff --git a/nixos/modules/services/pixivfe.nix b/nixos/modules/services/pixivfe.nix new file mode 100644 index 0000000..a88e280 --- /dev/null +++ b/nixos/modules/services/pixivfe.nix 
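Review bot: The comment `# PixivFE require files from source code` above `postInstall` does not say which files are needed or why `--chdir ${src}` addresses it, and it leaves unstated that the wrapper keeps the whole unpacked source tree (Go sources included) in the runtime closure. Suggested wording: `# PixivFE reads files relative to its working directory (presumably templates/assets), so the wrapper starts it inside the source tree; this keeps all of ${src} in the runtime closure`.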
@@ -0,0 +1,130 @@ +{ + pkgs, + config, + lib, + ... +}: let + cfg = config.services.pixivfe; +in { + options.services.pixivfe = { + enable = lib.mkEnableOption "PixivFE, a privacy respecting frontend for Pixiv"; + + # package = lib.mkPackageOption pkgs "pixivfe" {}; + package = lib.mkOption { + default = pkgs.callPackage ./pixivfe-pkg.nix {}; + }; + + openFirewall = lib.mkEnableOption "open ports in the firewall needed for the daemon to function"; + + settings = lib.mkOption { + type = lib.types.nullOr (lib.types.attrsOf lib.types.anything); + default = null; + example = lib.literalExpression '' + { + PIXIVFE_PORT = "8282"; + PIXIVFE_TOKEN = "123456_AaBbccDDeeFFggHHIiJjkkllmMnnooPP"; + }; + ''; + description = '' + Additional configuration for PixivFE, see + for supported values. + For secrets use `EnvironmentFile` option instead. + ''; + }; + + EnvironmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = lib.literalExpression '' + /run/secrets/environment + ''; + description = '' + File containing environment variables to be passed to the PixivFE service. + + See `systemd.exec(5)` for more information. + ''; + }; + }; + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = + if cfg.openFirewall + then (cfg.settings ? PIXIVFE_PORT) + else true; + message = '' + PIXIVFE_PORT must be specified for NixOS to open a port. + + See https://pixivfe.pages.dev/environment-variables/ for more information. + ''; + } + { + assertion = + if (cfg.EnvironmentFile == null) + then (cfg.settings ? PIXIVFE_UNIXSOCKET) || (cfg.settings ? PIXIVFE_PORT) + else true; + message = '' + PIXIVFE_PORT or PIXIVFE_UNIXSOCKET must be set for PixivFE to run. + + See https://pixivfe.pages.dev/environment-variables/ for more information. + ''; + } + { + assertion = + if (cfg.EnvironmentFile == null) + then cfg.settings ? PIXIVFE_TOKEN + else true; + message = '' + PIXIVFE_TOKEN must be set for PixivFE to run. 
+ + See https://pixivfe.pages.dev/environment-variables/ for more information. + ''; + } + ]; + + systemd.services."pixivfe" = { + description = "PixivFE, a privacy respecting frontend for Pixiv."; + documentation = ["https://pixivfe.pages.dev/"]; + wantedBy = ["multi-user.target"]; + after = ["network-online.target"]; + wants = ["network-online.target"]; + environment = lib.mkIf (cfg.settings != null) (lib.mapAttrs (_: v: + if lib.isBool v + then lib.boolToString v + else toString v) + cfg.settings); + serviceConfig = { + inherit (cfg) EnvironmentFile; + ExecStart = lib.getExe cfg.package; + DynamicUser = true; + + ### Hardening + AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; # For ports <= 1024 + CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]; + NoNewPrivileges = true; + PrivateMounts = true; + PrivateTmp = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + UMask = "0077"; + }; + }; + + networking.firewall = lib.mkIf cfg.openFirewall { + allowedTCPPorts = [cfg.settings.PIXIVFE_PORT]; + }; + }; +} diff --git a/nixos/modules/services/rathole.nix b/nixos/modules/services/rathole.nix new file mode 100644 index 0000000..f922cb4 --- /dev/null +++ b/nixos/modules/services/rathole.nix 
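Review bot: `allowedTCPPorts = [cfg.settings.PIXIVFE_PORT]` at the end of the module fails type checking whenever `PIXIVFE_PORT` is given as the option's own example shows it (`"8282"`, a string, since every value here becomes an environment variable), because `allowedTCPPorts` expects integers; `allowedTCPPorts = [(lib.toInt (toString cfg.settings.PIXIVFE_PORT))];` accepts both spellings. The `package` option is declared with `lib.mkOption` but no `type`, so `type = lib.types.package;` should sit next to its default. In the `settings` description the sentence `Additional configuration for PixivFE, see for supported values.` has lost its link; the URL already used in the assertion messages, https://pixivfe.pages.dev/environment-variables/, is the obvious candidate. Finally, the hardening comment `# For ports <= 1024` is off by one — `CAP_NET_BIND_SERVICE` is needed for ports below 1024 — and `RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];` would round out the otherwise thorough sandbox.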
@@ -0,0 +1,50 @@ +{ + pkgs, + config, + lib, + ... +}: let + cfg = config.services.rathole; +in { + options.services.rathole = { + enable = lib.mkEnableOption "Rathole, a lightweight and high-performance reverse proxy for NAT traversal"; + + package = lib.mkPackageOption pkgs "rathole" {}; + + configFile = lib.mkOption { + default = null; + type = lib.types.nullOr lib.types.path; + description = "Configuration file to use."; + }; + + credentials = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = []; + example = lib.literalExpression '' + [ + "cert:/tmp/certificate.crt" + "key:/tmp/private-key.key" + ]; + ''; + description = '' + Extra credentials loaded by systemd, you can access them by `/run/credentials/rathole.service/foobar`. + + See `systemd.exec(5)` for more information. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.rathole = { + description = "Rathole daemon, a lightweight and high-performance reverse proxy for NAT traversal."; + wantedBy = ["multi-user.target"]; + after = ["network-online.target"]; + wants = ["network-online.target"]; + serviceConfig = { + ExecStart = "${lib.getExe cfg.package} $\{CREDENTIALS_DIRECTORY}/rathole.toml"; + LoadCredential = ["rathole.toml:${cfg.configFile}"] ++ cfg.credentials; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/profiles/common/core/default.nix b/nixos/profiles/common/core/default.nix index d0bedce..00fc093 100644 --- a/nixos/profiles/common/core/default.nix +++ b/nixos/profiles/common/core/default.nix 
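Review bot: `configFile` defaults to `null` but is interpolated unconditionally in `LoadCredential = ["rathole.toml:${cfg.configFile}"]`, so enabling the service without setting it fails with a generic coercion error instead of naming the option; either drop the default so the option is required, or add `assertions = [{ assertion = cfg.configFile != null; message = "services.rathole.configFile must be set"; }];` to the `config` block. The unit runs with only `DynamicUser = true`, whereas the sibling `pixivfe.nix` module in this commit ships a full sandboxing block (`NoNewPrivileges`, `ProtectSystem = "strict"`, `ProtectHome`, `RestrictNamespaces`, …); those settings apply equally to a reverse-proxy daemon and would keep the two modules consistent. Style: `$\{CREDENTIALS_DIRECTORY}` relies on Nix treating `\{` as a literal brace; the conventional escape for a literal `${` in a Nix string is `\${CREDENTIALS_DIRECTORY}`.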
@@ -5,22 +5,24 @@ pkgs, ... }: { - imports = [ - ./hardening - ./networking - ./nix - - # Flake modules - inputs.disko.nixosModules.disko - inputs.home-manager.nixosModules.home-manager - inputs.impermanence.nixosModules.impermanence - inputs.lanzaboote.nixosModules.lanzaboote - inputs.nix-gaming.nixosModules.pipewireLowLatency - inputs.nur.nixosModules.nur - inputs.self.nixosModules.default - inputs.sops-nix.nixosModules.sops - inputs.nixos-sensible.nixosModules.default - ]; + imports = + [ + ./hardening + ./networking + ./nix + ] + ++ (with inputs; [ + aagl.nixosModules.default + disko.nixosModules.disko + home-manager.nixosModules.home-manager + impermanence.nixosModules.impermanence + lanzaboote.nixosModules.lanzaboote + nix-gaming.nixosModules.pipewireLowLatency + nixos-sensible.nixosModules.default + nur.nixosModules.nur + self.nixosModules.default + sops-nix.nixosModules.sops + ]); nixpkgs.overlays = [ inputs.self.overlays.patches diff --git a/nixos/profiles/common/graphical/default.nix b/nixos/profiles/common/graphical/default.nix index c9b0eca..48c0da0 100644 --- a/nixos/profiles/common/graphical/default.nix +++ b/nixos/profiles/common/graphical/default.nix @@ -52,6 +52,7 @@ default = "gtk"; "org.freedesktop.impl.portal.ScreenCast" = "wlr"; "org.freedesktop.impl.portal.Screenshot" = "wlr"; + "org.freedesktop.impl.portal.Inhibit" = "none"; }; }; }; @@ -70,7 +71,7 @@ package = pkgs.valent; }; }; - services.xserver.libinput = { + services.libinput = { touchpad = { accelProfile = "flat"; naturalScrolling = true; diff --git a/nixos/profiles/common/graphical/home/theme.nix b/nixos/profiles/common/graphical/home/theme.nix index 8283464..c80cf60 100644 --- a/nixos/profiles/common/graphical/home/theme.nix +++ b/nixos/profiles/common/graphical/home/theme.nix @@ -30,8 +30,8 @@ }; theme = { - name = "adw-gtk3-dark"; - package = pkgs.adw-gtk3; + name = "Adwaita-dark"; + package = pkgs.gnome-themes-extra; }; }; 
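Review bot: `aagl.nixosModules.default` is added to the core profile that every host imports, next to host-agnostic modules such as sops and disko, even though it is a desktop launcher module; if, as its upstream README describes, that module also registers the project's binary cache and signing key in `nix.settings`, every host in the flake now trusts an additional third-party substituter. Importing it from the graphical profile instead, or only on the hosts that enable it, keeps that trust decision local; a comment beside the entry stating the intent would do if the placement is deliberate.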
diff --git a/nixos/profiles/common/graphical/home/wallpapers/default.nix b/nixos/profiles/common/graphical/home/wallpapers/default.nix index e165e13..d796141 100644 --- a/nixos/profiles/common/graphical/home/wallpapers/default.nix +++ b/nixos/profiles/common/graphical/home/wallpapers/default.nix @@ -18,6 +18,23 @@ in { url = "https://i.pximg.net/img-original/img/2023/03/29/01/29/52/106654974_p0.jpg"; # https://www.pixiv.net/en/artworks/106654974 hash = "sha256-mB/D46JCddOlMUtFQu7R0OtRMIoApbT1nnRv0VyzEb8="; }; + "backgrounds/genshin1.jpg".source = pkgs.fetchurl { + inherit curlOptsList; + url = "https://i.pximg.net/img-original/img/2022/09/29/00/00/15/101553430_p0.jpg"; # https://www.pixiv.net/artworks/101553430 + hash = "sha256-VMUxBExuA5LDNQVeBBf4btyWsETN0B7pr0bTrBiJHaI="; + }; + + "backgrounds/genshin2.jpg".source = pkgs.fetchurl { + url = "https://imglf3.lf127.net/img/7196a1c5f06b5e38/T0FlK2VJTUI4Q1ZGbkhrc0ZWMlpiT3RJU1RQOXdJcGhrS3ZMOTBKdmR3OD0.jpeg"; # https://57friend.lofter.com/post/1d7a55da_2b5bc7172 + hash = "sha256-jO8S+WNWfel74+CtMbfd9F78CuyXFK5ka72Br9b10P4="; + }; + + "backgrounds/genshin3.jpg".source = pkgs.fetchurl { + inherit curlOptsList; + url = "https://i.pximg.net/img-original/img/2022/06/21/20/00/28/99170653_p0.jpg"; # https://www.pixiv.net/artworks/99170653 + hash = "sha256-7DmmJRZyJKU06j89X3x5NlOElFhdilIhzQMs3ynZKh4="; + }; + "backgrounds/summer.jpg".source = let image = pkgs.fetchurl { inherit curlOptsList; diff --git a/overlays/nautilus.nix b/overlays/nautilus.nix index e24405d..3b9e000 100644 --- a/overlays/nautilus.nix +++ b/overlays/nautilus.nix @@ -3,7 +3,7 @@ prev.gnome // { # https://aur.archlinux.org/pkgbase/nautilus-typeahead - nautilus = prev.gnome.nautilus.overrideAttrs (old: { + nautilus = prev.gnome.nautilus.overrideAttrs { src = prev.fetchFromGitLab { domain = "gitlab.gnome.org"; owner = "albertvaka"; 
@@ -16,6 +16,6 @@ postPatch = '' awk -i inplace '/type-ahead-search/{c++;} c==1 && /true/{sub("true", "false"); c++;} 1' data/org.gnome.nautilus.gschema.xml ''; - }); + }; }; }