treewide: update
I honestly have no idea how to commit this pile of stuff one by one...
parent
fca24d8bb6
commit
340f42cf17
26 changed files with 880 additions and 166 deletions
|
@ -8,6 +8,11 @@ keys:
|
||||||
- &blacksteel age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
|
- &blacksteel age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
|
||||||
- &lightsail-tokyo age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
|
- &lightsail-tokyo age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
|
||||||
creation_rules:
|
creation_rules:
|
||||||
|
- path_regex: hosts/blacksteel/secrets.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *guanranwang
|
||||||
|
- *blacksteel
|
||||||
- path_regex: hosts/lightsail-tokyo/secrets.yaml$
|
- path_regex: hosts/lightsail-tokyo/secrets.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
|
|
153
flake.lock
|
@ -1,5 +1,26 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"aagl": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-compat": "flake-compat",
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1716425853,
|
||||||
|
"narHash": "sha256-PSd1jStP3SfJB3JvHRVjHpGwy3eKjni06VciEly0rHQ=",
|
||||||
|
"owner": "ezKEa",
|
||||||
|
"repo": "aagl-gtk-on-nix",
|
||||||
|
"rev": "fa6201a1cfcaa84d442c9c9b17c2e79df99f444b",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ezKEa",
|
||||||
|
"repo": "aagl-gtk-on-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"berberman": {
|
"berberman": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -10,11 +31,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714155185,
|
"lastModified": 1716307996,
|
||||||
"narHash": "sha256-/waEN3vHOgWHqRi4p3lbndS8C3iFl1ZQA60dR0CrJco=",
|
"narHash": "sha256-yuyK5HpOIbzkptgvuL+jqi+/Jy1XYzjsNUN2AUIq+Wc=",
|
||||||
"owner": "berberman",
|
"owner": "berberman",
|
||||||
"repo": "flakes",
|
"repo": "flakes",
|
||||||
"rev": "8609046ac57e6b32e601c6577562c3eb75ae95f6",
|
"rev": "09f7b705563c36221e89d0e9bc156b29c0a5d6f2",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -30,11 +51,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714536327,
|
"lastModified": 1716156051,
|
||||||
"narHash": "sha256-zu4+LcygJwdyFHunTMeDFltBZ9+hoWvR/1A7IEy7ChA=",
|
"narHash": "sha256-TjUX7WWRcrhuUxDHsR8pDR2N7jitqZehgCVSy3kBeS8=",
|
||||||
"owner": "ipetkov",
|
"owner": "ipetkov",
|
||||||
"repo": "crane",
|
"repo": "crane",
|
||||||
"rev": "3124551aebd8db15d4560716d4f903bd44c64e4a",
|
"rev": "7443df1c478947bf96a2e699209f53b2db26209d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -50,11 +71,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714612856,
|
"lastModified": 1716431128,
|
||||||
"narHash": "sha256-W7+rtMzRmdovzndN2NYUv5xzkbMudtQ3jbyFuGk0O1E=",
|
"narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "disko",
|
"repo": "disko",
|
||||||
"rev": "d57058eb09dd5ec00c746df34fe0a603ea744370",
|
"rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -64,6 +85,22 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1696426674,
|
||||||
|
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-compat_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1696426674,
|
"lastModified": 1696426674,
|
||||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||||
|
@ -85,11 +122,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714641030,
|
"lastModified": 1715865404,
|
||||||
"narHash": "sha256-yzcRNDoyVP7+SCNX0wmuDju1NUCt8Dz9+lyUXEI0dbI=",
|
"narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
|
||||||
"owner": "hercules-ci",
|
"owner": "hercules-ci",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-parts",
|
||||||
"rev": "e5d10a24b66c3ea8f150e47dfdb0416ab7c3390e",
|
"rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -145,11 +182,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714679908,
|
"lastModified": 1716457508,
|
||||||
"narHash": "sha256-KzcXzDvDJjX34en8f3Zimm396x6idbt+cu4tWDVS2FI=",
|
"narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "9036fe9ef8e15a819fa76f47a8b1f287903fb848",
|
"rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -247,11 +284,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1713946171,
|
"lastModified": 1716329735,
|
||||||
"narHash": "sha256-lc75rgRQLdp4Dzogv5cfqOg6qYc5Rp83oedF2t0kDp8=",
|
"narHash": "sha256-ap51w+VqG21vuzyQ04WrhI2YbWHd3UGz0e7dc/QQmoA=",
|
||||||
"owner": "LnL7",
|
"owner": "LnL7",
|
||||||
"repo": "nix-darwin",
|
"repo": "nix-darwin",
|
||||||
"rev": "230a197063de9287128e2c68a7a4b0cd7d0b50a7",
|
"rev": "eac4f25028c1975a939c8f8fba95c12f8a25e01c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -273,11 +310,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1713988078,
|
"lastModified": 1715807870,
|
||||||
"narHash": "sha256-scRrzQQyJAT0iPAd8AZvolgiq7npatsfytwnduESndI=",
|
"narHash": "sha256-lutvG1LFGSpXsGA7U4TWfdfq6p71WdSlhw3vM4W/Opk=",
|
||||||
"owner": "Gerschtli",
|
"owner": "Gerschtli",
|
||||||
"repo": "nix-formatter-pack",
|
"repo": "nix-formatter-pack",
|
||||||
"rev": "08d0135dbe95992b5f8d54c351ce62be2177f0b4",
|
"rev": "ab5feb867e5d074918852de6134500a82a09dc48",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -296,11 +333,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714303849,
|
"lastModified": 1716409168,
|
||||||
"narHash": "sha256-o/IgiwA0ZS/nMh5YB0bt+ae3Lt+tlbQouY/xL7tB5h0=",
|
"narHash": "sha256-EhfEm11GRKDJVWeCRZ9uH6PZC6I0rAKTTEOedOlEfEI=",
|
||||||
"owner": "fufexan",
|
"owner": "fufexan",
|
||||||
"repo": "nix-gaming",
|
"repo": "nix-gaming",
|
||||||
"rev": "dbb96ae98e723128cf5a612480ba6187113f5e49",
|
"rev": "72a38144721f978979d09f01e0929457c347d1f3",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -350,11 +387,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714685946,
|
"lastModified": 1716413945,
|
||||||
"narHash": "sha256-09YdG9ExCFj9Ngrc1qXZBtn6LRyzFG2KcVVcl295tmU=",
|
"narHash": "sha256-BND2qR3ijnT1pS0vonpzlloeJqcnkLsz863JVl4Hb48=",
|
||||||
"owner": "jacekszymanski",
|
"owner": "jacekszymanski",
|
||||||
"repo": "nixcasks",
|
"repo": "nixcasks",
|
||||||
"rev": "a0bc85d5d4d3c3e83c637cfb8b0830ed55020bf2",
|
"rev": "8d9c80f1ffd737aa1a2660bcf8fecbd3176dc71e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -365,11 +402,11 @@
|
||||||
},
|
},
|
||||||
"nixos-hardware": {
|
"nixos-hardware": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714465198,
|
"lastModified": 1716173274,
|
||||||
"narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=",
|
"narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4",
|
"rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -395,16 +432,16 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714750568,
|
"lastModified": 1716358718,
|
||||||
"narHash": "sha256-HHx3NGN7gHZdfnyXF961sxr9FcxM5bg4gweeHEnRxXQ=",
|
"narHash": "sha256-NQbegJb2ZZnAqp2EJhWwTf6DrZXSpA6xZCEq+RGV1r0=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "e96601ecf084d9d6a366a4f0da7f36479f67f81e",
|
"rev": "3f316d2a50699a78afe5e77ca486ad553169061e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "nixos-unstable-small",
|
"ref": "nixpkgs-unstable",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
@ -427,11 +464,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714531828,
|
"lastModified": 1716361217,
|
||||||
"narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
|
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
|
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -482,11 +519,11 @@
|
||||||
},
|
},
|
||||||
"nur": {
|
"nur": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714681542,
|
"lastModified": 1716479105,
|
||||||
"narHash": "sha256-7WQo+TMORkw/Bo1AADX7IuYu28rWVJN7qMTq3QDWU9E=",
|
"narHash": "sha256-O5vAr3D1Kxo+BCzL25bR6H3IwLZISj/B29OVGon216k=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "NUR",
|
"repo": "NUR",
|
||||||
"rev": "6132349be4a6cfe62cfe744d622a645e4981d458",
|
"rev": "b3d163c563387c70d9a4ee1055e6c9def436f529",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -526,9 +563,6 @@
|
||||||
"flake-compat": [
|
"flake-compat": [
|
||||||
"flake-compat"
|
"flake-compat"
|
||||||
],
|
],
|
||||||
"flake-utils": [
|
|
||||||
"flake-utils"
|
|
||||||
],
|
|
||||||
"gitignore": [
|
"gitignore": [
|
||||||
"gitignore"
|
"gitignore"
|
||||||
],
|
],
|
||||||
|
@ -540,11 +574,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714478972,
|
"lastModified": 1716213921,
|
||||||
"narHash": "sha256-q//cgb52vv81uOuwz1LaXElp3XAe1TqrABXODAEF6Sk=",
|
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "pre-commit-hooks.nix",
|
"repo": "pre-commit-hooks.nix",
|
||||||
"rev": "2849da033884f54822af194400f8dff435ada242",
|
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -555,10 +589,11 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"aagl": "aagl",
|
||||||
"berberman": "berberman",
|
"berberman": "berberman",
|
||||||
"crane": "crane",
|
"crane": "crane",
|
||||||
"disko": "disko",
|
"disko": "disko",
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat_2",
|
||||||
"flake-parts": "flake-parts",
|
"flake-parts": "flake-parts",
|
||||||
"flake-utils": "flake-utils",
|
"flake-utils": "flake-utils",
|
||||||
"gitignore": "gitignore",
|
"gitignore": "gitignore",
|
||||||
|
@ -599,11 +634,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714616033,
|
"lastModified": 1716430594,
|
||||||
"narHash": "sha256-JcWAjIDl3h0bE/pII0emeHwokTeBl+SWrzwrjoRu7a0=",
|
"narHash": "sha256-vdVzaGD5p+KG7XHepIeX5rUPmdzEcF2w6rhqfr0SNkI=",
|
||||||
"owner": "oxalica",
|
"owner": "oxalica",
|
||||||
"repo": "rust-overlay",
|
"repo": "rust-overlay",
|
||||||
"rev": "3e416d5067ba31ff8ac31eeb763e4388bdf45089",
|
"rev": "ee0db3aeebafeaada2b98d076de6d314b4c8682e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -638,11 +673,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1713892811,
|
"lastModified": 1716400300,
|
||||||
"narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
|
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
|
"rev": "b549832718b8946e875c016a4785d204fcfc2e53",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -681,11 +716,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714611022,
|
"lastModified": 1716425501,
|
||||||
"narHash": "sha256-Cneh2G54TO1eVQBxLZp0JlW8LWbTE/N1WjcE2W+F3pI=",
|
"narHash": "sha256-BSLhmGYY1khyyBAjraR+N0Pa9Nha/et5yQQlEZxcfkU=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "srvos",
|
"repo": "srvos",
|
||||||
"rev": "1fa90a0a81fec38c117397fde79733cc78f12815",
|
"rev": "1122cd50a23647e09c3e7a679d37ec02113bc412",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -716,11 +751,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1714058656,
|
"lastModified": 1715940852,
|
||||||
"narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=",
|
"narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "treefmt-nix",
|
"repo": "treefmt-nix",
|
||||||
"rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f",
|
"rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -7,9 +7,13 @@
|
||||||
# `nixpkgs-unstable` contains less(?) jobs, and usually updates faster.
|
# `nixpkgs-unstable` contains less(?) jobs, and usually updates faster.
|
||||||
#
|
#
|
||||||
# REFERENCE: https://discourse.nixos.org/t/differences-between-nix-channels/13998/5
|
# REFERENCE: https://discourse.nixos.org/t/differences-between-nix-channels/13998/5
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||||
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
|
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
|
||||||
|
|
||||||
|
aagl = {
|
||||||
|
url = "github:ezKEa/aagl-gtk-on-nix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
berberman = {
|
berberman = {
|
||||||
url = "github:berberman/flakes";
|
url = "github:berberman/flakes";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
@ -140,7 +144,6 @@
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
inputs.nixpkgs-stable.follows = "nixpkgs-stable";
|
inputs.nixpkgs-stable.follows = "nixpkgs-stable";
|
||||||
inputs.flake-compat.follows = "flake-compat";
|
inputs.flake-compat.follows = "flake-compat";
|
||||||
inputs.flake-utils.follows = "flake-utils";
|
|
||||||
inputs.gitignore.follows = "gitignore";
|
inputs.gitignore.follows = "gitignore";
|
||||||
};
|
};
|
||||||
rust-overlay = {
|
rust-overlay = {
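Review bot: The new `aagl` input in the first hunk makes `nixpkgs` follow the root input but leaves its `flake-compat` input unpinned, which is why the lock file gains a second `flake-compat` node and the root's own entry becomes `flake-compat_2`. The block visible in the second hunk already uses `inputs.flake-compat.follows = "flake-compat";`, and adding the same line inside `aagl = { … }` would keep a single locked copy of that dependency to audit and update. The inputs attrset itself starts and ends outside both hunks, so this assumes the root `flake-compat` input is declared in the part that is not shown.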
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
inputs,
|
inputs,
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -53,4 +55,17 @@
|
||||||
|
|
||||||
# for udev rules
|
# for udev rules
|
||||||
programs.adb.enable = true;
|
programs.adb.enable = true;
|
||||||
|
|
||||||
|
# fucking hell
|
||||||
|
programs.anime-game-launcher.enable = true;
|
||||||
|
|
||||||
|
# FIXME:
|
||||||
|
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
|
||||||
|
version = "555.42.02";
|
||||||
|
sha256_64bit = "sha256-k7cI3ZDlKp4mT46jMkLaIrc2YUx1lh1wj/J4SVSHWyk=";
|
||||||
|
sha256_aarch64 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
|
||||||
|
openSha256 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
|
||||||
|
settingsSha256 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
|
||||||
|
persistencedSha256 = lib.fakeSha256;
|
||||||
|
};
|
||||||
}
|
}
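Review bot: The `mkDriver` call under the empty `# FIXME:` mixes what looks like one real hash with placeholders: `sha256_aarch64`, `openSha256` and `settingsSha256` all carry the same value, and `persistencedSha256` is `lib.fakeSha256`. Different sources cannot share one hash, so any build that needs the open kernel module, nvidia-settings or nvidia-persistenced should stop on a hash mismatch; that fails closed, but nothing tells the next reader which values were actually checked. I would say so in the comment, for example `# FIXME: openSha256, settingsSha256, sha256_aarch64 and persistencedSha256 are placeholders; fill in before those components are built`, and replace them with the real hashes for 555.42.02 once they are needed. The module body between the two hunks is not shown.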
|
||||||
|
|
|
@ -10,7 +10,7 @@ MacBookPro11,3
|
||||||
|
|
||||||
### Description
|
### Description
|
||||||
|
|
||||||
Homelab, hosting random stuff through tailscale.
|
Homelab, hosting random stuff through tailscale and rathole.
|
||||||
|
|
||||||
### TODOs:
|
### TODOs:
|
||||||
|
|
||||||
|
|
|
@ -9,22 +9,22 @@
|
||||||
"adoptopenjdk-hotspot-bin"
|
"adoptopenjdk-hotspot-bin"
|
||||||
"cargo-bootstrap"
|
"cargo-bootstrap"
|
||||||
"cef-binary"
|
"cef-binary"
|
||||||
|
"minecraft-server"
|
||||||
"rustc-bootstrap"
|
"rustc-bootstrap"
|
||||||
"rustc-bootstrap-wrapper"
|
"rustc-bootstrap-wrapper"
|
||||||
"sof-firmware"
|
"sof-firmware"
|
||||||
"spotify"
|
"spotify"
|
||||||
"vscodium"
|
|
||||||
"papermc"
|
|
||||||
"temurin-bin"
|
"temurin-bin"
|
||||||
|
"vscodium"
|
||||||
];
|
];
|
||||||
|
|
||||||
allowUnfree = false;
|
allowUnfree = false;
|
||||||
allowUnfreePredicate = pkg:
|
allowUnfreePredicate = pkg:
|
||||||
builtins.elem (lib.getName pkg) [
|
builtins.elem (lib.getName pkg) [
|
||||||
|
"broadcom-sta"
|
||||||
|
"minecraft-server"
|
||||||
"nvidia-x11"
|
"nvidia-x11"
|
||||||
"spotify"
|
"spotify"
|
||||||
"broadcom-sta"
|
|
||||||
"papermc"
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
config,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
# OS
|
# OS
|
||||||
../../nixos/profiles/laptop
|
# FIXME:
|
||||||
|
../../nixos/profiles/common/core
|
||||||
|
../../nixos/profiles/common/physical
|
||||||
|
../../nixos/profiles/common/mobile
|
||||||
../../nixos/profiles/common/opt-in/clash-meta-client
|
../../nixos/profiles/common/opt-in/clash-meta-client
|
||||||
|
|
||||||
# Hardware
|
# Hardware
|
||||||
|
@ -19,26 +23,148 @@
|
||||||
time.timeZone = "Asia/Shanghai";
|
time.timeZone = "Asia/Shanghai";
|
||||||
system.stateVersion = "23.11";
|
system.stateVersion = "23.11";
|
||||||
|
|
||||||
|
######## Secrets
|
||||||
|
sops = {
|
||||||
|
secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
|
||||||
|
"synapse/secret" = {
|
||||||
|
restartUnits = ["matrix-synapse.service"];
|
||||||
|
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
||||||
|
};
|
||||||
|
"synapse/oidc" = {
|
||||||
|
restartUnits = ["matrix-synapse.service"];
|
||||||
|
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
||||||
|
};
|
||||||
|
"syncv3/environment" = {
|
||||||
|
restartUnits = ["matrix-sliding-sync.service"];
|
||||||
|
};
|
||||||
|
"mastodon/environment" = {
|
||||||
|
restartUnits = ["mastodon-web.service"];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
######## Services
|
######## Services
|
||||||
|
environment.systemPackages = with pkgs; [qbittorrent];
|
||||||
|
|
||||||
services.tailscale = {
|
services.tailscale = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Minecraft
|
services.frp = {
|
||||||
|
enable = true;
|
||||||
|
role = "client";
|
||||||
|
settings = {
|
||||||
|
serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
|
||||||
|
serverPort = 7000;
|
||||||
|
auth.method = "token";
|
||||||
|
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret!
|
||||||
|
proxies = [
|
||||||
|
{
|
||||||
|
name = "synapse";
|
||||||
|
type = "tcp";
|
||||||
|
localIP = "127.0.0.1";
|
||||||
|
localPort = 8100;
|
||||||
|
remotePort = 8600;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "syncv3";
|
||||||
|
type = "tcp";
|
||||||
|
localIP = "127.0.0.1";
|
||||||
|
remotePort = 8700;
|
||||||
|
plugin = {
|
||||||
|
type = "unix_domain_socket";
|
||||||
|
unixPath = "/run/matrix-sliding-sync/sync.sock";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "mastodon-web";
|
||||||
|
type = "tcp";
|
||||||
|
localIP = "127.0.0.1";
|
||||||
|
remotePort = 8900;
|
||||||
|
plugin = {
|
||||||
|
type = "unix_domain_socket";
|
||||||
|
unixPath = "/run/mastodon-web/web.socket";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "mastodon-streaming";
|
||||||
|
type = "tcp";
|
||||||
|
localIP = "127.0.0.1";
|
||||||
|
remotePort = 9000;
|
||||||
|
plugin = {
|
||||||
|
type = "unix_domain_socket";
|
||||||
|
unixPath = "/run/mastodon-streaming/streaming-1.socket";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "mastodon-system";
|
||||||
|
type = "tcp";
|
||||||
|
localIP = "127.0.0.1";
|
||||||
|
remotePort = 9100;
|
||||||
|
plugin = {
|
||||||
|
type = "static_file";
|
||||||
|
localPath = "/var/lib/mastodon/public-system";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon"];
|
||||||
|
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
# Generated by pgTune
|
||||||
|
# https://pgtune.leopard.in.ua/#/
|
||||||
|
#
|
||||||
|
# DB Version: 15
|
||||||
|
# OS Type: linux
|
||||||
|
# DB Type: web
|
||||||
|
# Total Memory (RAM): 16 GB
|
||||||
|
# CPUs num: 8
|
||||||
|
# Data Storage: ssd
|
||||||
|
|
||||||
|
max_connections = 200;
|
||||||
|
shared_buffers = "4GB";
|
||||||
|
effective_cache_size = "12GB";
|
||||||
|
maintenance_work_mem = "1GB";
|
||||||
|
checkpoint_completion_target = 0.9;
|
||||||
|
wal_buffers = "16MB";
|
||||||
|
default_statistics_target = 100;
|
||||||
|
random_page_cost = "1.1";
|
||||||
|
effective_io_concurrency = 200;
|
||||||
|
work_mem = "5242kB";
|
||||||
|
huge_pages = "off";
|
||||||
|
min_wal_size = "1GB";
|
||||||
|
max_wal_size = "4GB";
|
||||||
|
max_worker_processes = 8;
|
||||||
|
max_parallel_workers_per_gather = 4;
|
||||||
|
max_parallel_workers = 8;
|
||||||
|
max_parallel_maintenance_workers = 4;
|
||||||
|
};
|
||||||
|
initialScript = pkgs.writeText "synapse-init.sql" ''
|
||||||
|
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
|
||||||
|
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
||||||
|
TEMPLATE template0
|
||||||
|
LC_COLLATE = "C"
|
||||||
|
LC_CTYPE = "C";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.postgresqlBackup = {
|
||||||
|
enable = true;
|
||||||
|
location = "/var/lib/backup/postgresql";
|
||||||
|
compression = "zstd";
|
||||||
|
startAt = "weekly";
|
||||||
|
};
|
||||||
|
|
||||||
services.minecraft-server = {
|
services.minecraft-server = {
|
||||||
enable = true;
|
enable = true;
|
||||||
eula = true;
|
eula = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
|
|
||||||
# I should switch to vanilla/fabric one day...
|
|
||||||
package = pkgs.papermc.overrideAttrs {
|
|
||||||
version = "1.20.4-485";
|
|
||||||
hash = "sha256-8bhlv/MU7KDmdL8Ngvg/zLMlGiO4Fswoyn/1diFE65k=";
|
|
||||||
};
|
|
||||||
# TODO: not working for some reason
|
|
||||||
#.override {jre = pkgs.temurin-bin;};
|
|
||||||
|
|
||||||
# Aikar's flag
|
# Aikar's flag
|
||||||
# https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
|
# https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
|
||||||
# https://docs.papermc.io/paper/aikars-flags
|
# https://docs.papermc.io/paper/aikars-flags
|
||||||
|
@ -82,7 +208,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Samba
|
|
||||||
services.samba = {
|
services.samba = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
|
@ -91,14 +216,105 @@
|
||||||
"read only" = "no";
|
"read only" = "no";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.samba-wsdd = {
|
services.samba-wsdd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d /srv/samba/share 0700 guanranwang root"
|
"d /srv/samba/share 0700 guanranwang root"
|
||||||
];
|
];
|
||||||
|
|
||||||
# qBitTorrent
|
services.matrix-synapse = {
|
||||||
environment.systemPackages = with pkgs; [qbittorrent];
|
enable = true;
|
||||||
|
withJemalloc = true;
|
||||||
|
extraConfigFiles = [config.sops.secrets."synapse/secret".path];
|
||||||
|
settings = {
|
||||||
|
server_name = "ny4.dev";
|
||||||
|
public_baseurl = "https://matrix.ny4.dev";
|
||||||
|
presence.enabled = false; # tradeoff
|
||||||
|
listeners = [
|
||||||
|
{
|
||||||
|
port = 8100;
|
||||||
|
bind_addresses = ["127.0.0.1"];
|
||||||
|
type = "http";
|
||||||
|
tls = false;
|
||||||
|
x_forwarded = true;
|
||||||
|
resources = [
|
||||||
|
{
|
||||||
|
names = ["client" "federation"];
|
||||||
|
compress = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
# https://element-hq.github.io/synapse/latest/openid.html#keycloak
|
||||||
|
oidc_providers = [
|
||||||
|
{
|
||||||
|
idp_id = "keycloak";
|
||||||
|
idp_name = "id.ny4.dev";
|
||||||
|
issuer = "https://id.ny4.dev/realms/master";
|
||||||
|
client_id = "synapse";
|
||||||
|
client_secret_path = config.sops.secrets."synapse/oidc".path;
|
||||||
|
scopes = ["openid" "profile"];
|
||||||
|
user_mapping_provider.config = {
|
||||||
|
localpart_template = "{{ user.preferred_username }}";
|
||||||
|
display_name_template = "{{ user.name }}";
|
||||||
|
};
|
||||||
|
backchannel_logout_enabled = true;
|
||||||
|
allow_existing_users = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.matrix-synapse.environment = config.networking.proxy.envVars;
|
||||||
|
|
||||||
|
services.matrix-sliding-sync = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = config.sops.secrets."syncv3/environment".path;
|
||||||
|
settings = {
|
||||||
|
SYNCV3_SERVER = "http://127.0.0.1:8100";
|
||||||
|
SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.matrix-sliding-sync.serviceConfig.RuntimeDirectory = ["matrix-sliding-sync"];
|
||||||
|
|
||||||
|
services.mastodon = {
|
||||||
|
enable = true;
|
||||||
|
localDomain = "ny4.dev";
|
||||||
|
streamingProcesses = 1;
|
||||||
|
# FIXME: this doesn't exist
|
||||||
|
smtp = {
|
||||||
|
createLocally = false;
|
||||||
|
fromAddress = "mastodon@ny4.dev";
|
||||||
|
};
|
||||||
|
extraConfig = rec {
|
||||||
|
SINGLE_USER_MODE = "true";
|
||||||
|
WEB_DOMAIN = "mastodon.ny4.dev";
|
||||||
|
|
||||||
|
# keycloak
|
||||||
|
OMNIAUTH_ONLY = "true";
|
||||||
|
OIDC_ENABLED = "true";
|
||||||
|
OIDC_CLIENT_ID = "mastodon";
|
||||||
|
# OIDC_CLIENT_SECRET # EnvironmentFile
|
||||||
|
OIDC_DISCOVERY = "true";
|
||||||
|
OIDC_DISPLAY_NAME = "id.ny4.dev";
|
||||||
|
OIDC_ISSUER = "https://id.ny4.dev/realms/master";
|
||||||
|
OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
|
||||||
|
OIDC_SCOPE = "openid,profile,email";
|
||||||
|
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
|
||||||
|
OIDC_UID_FIELD = "preferred_username";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.mastodon-web = {
|
||||||
|
environment = config.networking.proxy.envVars;
|
||||||
|
serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
|
||||||
}
|
}
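Review bot: `services.frp.settings.auth.token` is a plaintext literal (the line marked `# FIXME: secret!`), so the token is now in git history and will also be rendered into the world-readable Nix store; it should be treated as exposed and rotated on the frp server, not just moved. This file already wires sops secrets for Synapse and Mastodon, and frp configuration supports environment templating, so the token can follow the same pattern with `auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";` plus `systemd.services.frp.serviceConfig.EnvironmentFile = [config.sops.secrets."<frp-secret>".path];` (variable and secret names are placeholders; confirm the NixOS module passes the template through unchanged). The `initialScript` has a related problem: `PASSWORD 'synapse'` is a guessable role password that also lands in the Nix store, and dropping it in favour of local peer authentication would avoid that if Synapse connects over the Unix socket. `OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"` is only safe while the Keycloak realm enforces e-mail verification, which deserves a comment next to the setting.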
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
inputs.nixpkgs.nixosModules.notDetected
|
inputs.nixpkgs.nixosModules.notDetected
|
||||||
inputs.nixos-hardware.nixosModules.apple-macbook-pro
|
inputs.nixos-hardware.nixosModules.apple-macbook-pro
|
||||||
inputs.nixos-hardware.nixosModules.common-cpu-intel
|
inputs.nixos-hardware.nixosModules.common-cpu-intel
|
||||||
inputs.nixos-hardware.nixosModules.common-gpu-intel
|
|
||||||
#inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
|
#inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
|
||||||
inputs.nixos-hardware.nixosModules.common-hidpi
|
inputs.nixos-hardware.nixosModules.common-hidpi
|
||||||
inputs.nixos-hardware.nixosModules.common-pc-laptop
|
inputs.nixos-hardware.nixosModules.common-pc-laptop
|
||||||
|
|
36
hosts/blacksteel/secrets.yaml
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
synapse:
|
||||||
|
secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
|
||||||
|
oidc: ENC[AES256_GCM,data:vGQcPcUfbv6II6buEMKELc1+xZ5XccpEeCy3vZx4fdk=,iv:ORok/FXZ9SA54zD1+OhyFnZAPhGpMpTetWYgge2QSwQ=,tag:7DxrruTbenUfI/V6hGYBaw==,type:str]
|
||||||
|
syncv3:
|
||||||
|
environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
|
||||||
|
mastodon:
|
||||||
|
environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdjRrUkJXd3Z2VlhRRDEz
|
||||||
|
YS9DZVlQYmNXeW9qQWtZZlUrZHQrSXFJYWtRCk54Z3NEck51dTR3ZDh3SnEwNXhu
|
||||||
|
ZEI4S1ZEQklDd0ZwTWJwdHNEVlFERWsKLS0tIGRSVjVGR3daR0k2dVVHUmVwMHlL
|
||||||
|
dWtkdkQvMjZqbHp0STA3cnZPYkIzOWMKNGH8hQI4oKrjCAEE5onH9sa2AhdjeUsl
|
||||||
|
PSd1/z0ka0Y2wlPGuGOqIXYg8O1WqFxn/uS6O2YZSpAtw7JulOs8aQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMHRrOGJ6RkxrZndoZkEy
|
||||||
|
V1NtbEw0SExiaWE1bGtPYXROSFVZNmVTR0RVCkM0OHhxMzhvUzVUMThTc3VyZUFq
|
||||||
|
c3FyVUNpM09WUURnSzY4dW4zS0U3T0EKLS0tIFJQL3BlY1N1bkorYlVqRkVaUmdi
|
||||||
|
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
|
||||||
|
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-05-21T10:09:01Z"
|
||||||
|
mac: ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -12,11 +12,11 @@
|
||||||
# https://infosec.mozilla.org/guidelines/web_security
|
# https://infosec.mozilla.org/guidelines/web_security
|
||||||
# https://caddyserver.com/docs/caddyfile/directives/header#examples
|
# https://caddyserver.com/docs/caddyfile/directives/header#examples
|
||||||
|
|
||||||
Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
|
?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
|
||||||
Permissions-Policy interest-Hpcohort=()
|
?Permissions-Policy interest-Hpcohort=()
|
||||||
Strict-Transport-Security max-age=31536000;
|
?Strict-Transport-Security max-age=31536000;
|
||||||
X-Content-Type-Options nosniff
|
?X-Content-Type-Options nosniff
|
||||||
X-Frame-Options DENY
|
?X-Frame-Options DENY
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -45,7 +45,19 @@ www.ny4.dev {
|
||||||
|
|
||||||
ny4.dev {
|
ny4.dev {
|
||||||
import default
|
import default
|
||||||
respond "Hello, world!"
|
|
||||||
|
# Synapse
|
||||||
|
header /.well-known/matrix/* Content-Type application/json
|
||||||
|
header /.well-known/matrix/* Access-Control-Allow-Origin *
|
||||||
|
handle_path /.well-known/matrix/* {
|
||||||
|
file_server * {
|
||||||
|
root /var/www/matrix
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Mastodon
|
||||||
|
header /.well-known/webfinger Access-Control-Allow-Origin *
|
||||||
|
redir /.well-known/webfinger https://mastodon.ny4.dev{uri} permanent
|
||||||
}
|
}
|
||||||
|
|
||||||
searx.ny4.dev {
|
searx.ny4.dev {
|
||||||
|
@ -65,5 +77,61 @@ uptime.ny4.dev {
|
||||||
|
|
||||||
ntfy.ny4.dev {
|
ntfy.ny4.dev {
|
||||||
import default
|
import default
|
||||||
reverse_proxy localhost:8400
|
reverse_proxy unix//run/ntfy-sh/ntfy.sock
|
||||||
|
}
|
||||||
|
|
||||||
|
pixiv.ny4.dev {
|
||||||
|
import default
|
||||||
|
basicauth {
|
||||||
|
Guanran928 $2a$14$aI977hGZCX6H9IiyG7avdOFxXFGtlt7DcIahTkInPhEx9Sfhk7bri
|
||||||
|
}
|
||||||
|
reverse_proxy unix//run/pixivfe/pixiv.sock
|
||||||
|
}
|
||||||
|
|
||||||
|
matrix.ny4.dev {
|
||||||
|
import default
|
||||||
|
reverse_proxy /_matrix/* localhost:8600
|
||||||
|
reverse_proxy /_synapse/client/* localhost:8600
|
||||||
|
reverse_proxy /health localhost:8600
|
||||||
|
}
|
||||||
|
|
||||||
|
syncv3.ny4.dev {
|
||||||
|
import default
|
||||||
|
reverse_proxy localhost:8700
|
||||||
|
}
|
||||||
|
|
||||||
|
id.ny4.dev {
|
||||||
|
import default
|
||||||
|
reverse_proxy localhost:8800
|
||||||
|
}
|
||||||
|
|
||||||
|
element.ny4.dev {
|
||||||
|
import default
|
||||||
|
root * @element@
|
||||||
|
file_server
|
||||||
|
}
|
||||||
|
|
||||||
|
mastodon.ny4.dev {
|
||||||
|
import default
|
||||||
|
handle_path /system/* {
|
||||||
|
reverse_proxy localhost:9100
|
||||||
|
}
|
||||||
|
|
||||||
|
handle /api/v1/streaming/* {
|
||||||
|
reverse_proxy localhost:9000
|
||||||
|
}
|
||||||
|
|
||||||
|
route * {
|
||||||
|
file_server * {
|
||||||
|
root @mastodon@/public
|
||||||
|
pass_thru
|
||||||
|
}
|
||||||
|
reverse_proxy * localhost:8900
|
||||||
|
}
|
||||||
|
|
||||||
|
handle_errors {
|
||||||
|
root * @mastodon@/public
|
||||||
|
rewrite 500.html
|
||||||
|
file_server
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
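Review bot: In the `header` block at the top of this section the right-hand column prefixes every field with `?`, which in Caddy turns a forced header into a default that an upstream response can replace with a weaker value. That is reasonable for `Content-Security-Policy` and `X-Frame-Options`, which the newly proxied applications may set themselves, but `Strict-Transport-Security max-age=31536000;` and `X-Content-Type-Options nosniff` should stay unconditional, written without the `?`. The default CSP still allows `'unsafe-eval' 'unsafe-inline'`, and now `blob:`, for every site that does `import default`, so sites that do not need it would be better served by a stricter per-site policy. The snippet's opening lies outside the hunk.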
|
@ -7,6 +7,8 @@
|
||||||
"cargo-bootstrap"
|
"cargo-bootstrap"
|
||||||
"rustc-bootstrap"
|
"rustc-bootstrap"
|
||||||
"rustc-bootstrap-wrapper"
|
"rustc-bootstrap-wrapper"
|
||||||
|
"keycloak"
|
||||||
|
"temurin-bin"
|
||||||
];
|
];
|
||||||
|
|
||||||
allowUnfree = false;
|
allowUnfree = false;
|
||||||
|
|
|
@ -17,16 +17,32 @@
|
||||||
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
|
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
|
||||||
system.stateVersion = "23.11";
|
system.stateVersion = "23.11";
|
||||||
|
|
||||||
|
swapDevices = [
|
||||||
|
{
|
||||||
|
device = "/var/lib/swapfile";
|
||||||
|
size = 4 * 1024; # 4 GiB
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
# WORKAROUND:
|
# WORKAROUND:
|
||||||
systemd.services."print-host-key".enable = false;
|
systemd.services."print-host-key".enable = false;
|
||||||
|
|
||||||
### Secrets
|
### Secrets
|
||||||
sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
|
sops = {
|
||||||
"hysteria/auth".restartUnits = ["hysteria.service"];
|
secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
|
||||||
"searx/environment".restartUnits = ["searx.service"];
|
"hysteria/auth" = {
|
||||||
|
restartUnits = ["hysteria.service"];
|
||||||
|
};
|
||||||
|
"pixivfe/environment" = {
|
||||||
|
restartUnits = ["pixivfe.service"];
|
||||||
|
};
|
||||||
|
"searx/environment" = {
|
||||||
|
restartUnits = ["searx.service"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.templates."hysteria.yaml".content = ''
|
templates = {
|
||||||
|
"hysteria.yaml".content = ''
|
||||||
tls:
|
tls:
|
||||||
cert: /run/credentials/hysteria.service/cert
|
cert: /run/credentials/hysteria.service/cert
|
||||||
key: /run/credentials/hysteria.service/key
|
key: /run/credentials/hysteria.service/key
|
||||||
|
@ -38,20 +54,47 @@
|
||||||
|
|
||||||
${config.sops.placeholder."hysteria/auth"}
|
${config.sops.placeholder."hysteria/auth"}
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
### Services
|
### Services
|
||||||
networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy
|
networking.firewall.allowedUDPPorts = [
|
||||||
networking.firewall.allowedTCPPorts = [80 443]; # caddy
|
# hysteria
|
||||||
|
443
|
||||||
|
];
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
# caddy
|
||||||
|
80
|
||||||
|
443
|
||||||
|
|
||||||
|
# frp
|
||||||
|
7000
|
||||||
|
];
|
||||||
|
|
||||||
systemd.tmpfiles.settings = {
|
systemd.tmpfiles.settings = {
|
||||||
"10-www" = {
|
"10-www" = {
|
||||||
"/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
|
"/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
|
||||||
|
"/var/www/matrix/client".C.argument = toString ./matrix-client.json;
|
||||||
|
"/var/www/matrix/server".C.argument = toString ./matrix-server.json;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
configFile = ./Caddyfile;
|
configFile = pkgs.substituteAll {
|
||||||
|
src = ./Caddyfile;
|
||||||
|
|
||||||
|
"element" = pkgs.element-web.override {
|
||||||
|
conf.default_server_config."m.homeserver" = let
|
||||||
|
inherit (config.services.matrix-synapse) settings;
|
||||||
|
in {
|
||||||
|
base_url = "https://matrix.ny4.dev";
|
||||||
|
inherit (settings) server_name;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
"mastodon" = pkgs.mastodon;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.hysteria = {
|
services.hysteria = {
|
||||||
|
@ -64,11 +107,21 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.frp = {
|
||||||
|
enable = true;
|
||||||
|
role = "server";
|
||||||
|
settings = {
|
||||||
|
bindPort = 7000;
|
||||||
|
auth.method = "token";
|
||||||
|
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# `journalctl -u murmur.service | grep Password`
|
# `journalctl -u murmur.service | grep Password`
|
||||||
services.murmur = {
|
services.murmur = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
bandwidth = 128000;
|
bandwidth = 256 * 1024; # 256 Kbit/s
|
||||||
};
|
};
|
||||||
|
|
||||||
services.searx = {
|
services.searx = {
|
||||||
|
@ -99,10 +152,45 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
base-url = "https://ntfy.ny4.dev";
|
base-url = "https://ntfy.ny4.dev";
|
||||||
listen-http = "127.0.0.1:8400";
|
listen-http = "";
|
||||||
|
listen-unix = "/run/ntfy-sh/ntfy.sock";
|
||||||
|
listen-unix-mode = 511; # 0777
|
||||||
|
behind-proxy = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
|
||||||
|
|
||||||
|
services.pixivfe = {
|
||||||
|
enable = true;
|
||||||
|
EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
|
||||||
|
settings = {
|
||||||
|
PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
|
||||||
|
PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.pixivfe.serviceConfig = {
|
||||||
|
RuntimeDirectory = ["pixivfe"];
|
||||||
|
ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
|
||||||
|
${pkgs.coreutils}/bin/sleep 5
|
||||||
|
${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.keycloak = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
http-host = "127.0.0.1";
|
||||||
|
http-port = 8800;
|
||||||
|
proxy = "edge";
|
||||||
|
hostname-strict-backchannel = true;
|
||||||
|
hostname = "id.ny4.dev";
|
||||||
|
cache = "local";
|
||||||
|
};
|
||||||
|
database.passwordFile = toString (pkgs.writeText "password" "keycloak");
|
||||||
|
};
|
||||||
|
|
||||||
### Prevents me from bankrupt
|
### Prevents me from bankrupt
|
||||||
# https://fmk.im/p/shutdown-aws/
|
# https://fmk.im/p/shutdown-aws/
|
||||||
services.vnstat.enable = true;
|
services.vnstat.enable = true;
|
||||||
|
|
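Review bot: `auth.token` in `services.frp.settings` is a string literal, so the frps token ends up in the world-readable Nix store and in this repository's history while the same change opens TCP 7000 in the firewall; `services.keycloak.database.passwordFile` has the same defect through `pkgs.writeText "password" "keycloak"`, with a guessable value on top. Both belong in sops next to the hysteria, pixivfe and searx secrets, and the token committed here should be treated as disclosed and replaced. frp expands `{{ .Envs.NAME }}` in its configuration file, so the token can arrive through an `EnvironmentFile`; the secret names in the sketch are placeholders, and it is worth checking that the module hands the rendered file to frps unchanged. Separately, `listen-unix-mode = 511` for ntfy and the `chmod 777` in pixivfe's `ExecStartPost` let any local user connect to those sockets, which bypasses the Caddy `basicauth` in front of pixivfe; mode 0660 with a group shared with caddy would be tighter.

```nix
# … unchanged: sops.secrets entries for hysteria, pixivfe, searx …
"frp/environment" = {
  # placeholder name; the file holds FRP_AUTH_TOKEN=<new token>
  restartUnits = ["frp.service"];
};
"keycloak/database" = {
  # placeholder name
  restartUnits = ["keycloak.service"];
};

# … unchanged: services.frp enable / role / bindPort / auth.method …
auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";

systemd.services.frp.serviceConfig.EnvironmentFile = config.sops.secrets."frp/environment".path;

# … unchanged: services.keycloak settings …
database.passwordFile = config.sops.secrets."keycloak/database".path;
```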
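--- a/hosts/lightsail-tokyo/matrix-client.json
+++ b/hosts/lightsail-tokyo/matrix-client.json
@@ -0,0 +1,8 @@
+{
+"m.homeserver": {
+"base_url": "https://matrix.ny4.dev"
+},
+"org.matrix.msc3575.proxy": {
+"url": "https://syncv3.ny4.dev"
+}
+}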
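--- a/hosts/lightsail-tokyo/matrix-server.json
+++ b/hosts/lightsail-tokyo/matrix-server.json
@@ -0,0 +1,3 @@
+{
+"m.server": "matrix.ny4.dev:443"
+}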
|
@ -1,33 +1,33 @@
|
||||||
User-agent: GPTBot
|
User-agent: Amazonbot
|
||||||
Disallow: /
|
|
||||||
|
|
||||||
User-agent: ChatGPT-User
|
|
||||||
Disallow: /
|
|
||||||
|
|
||||||
User-agent: Google-Extended
|
|
||||||
Disallow: /
|
Disallow: /
|
||||||
|
|
||||||
User-agent: CCBot
|
User-agent: CCBot
|
||||||
Disallow: /
|
Disallow: /
|
||||||
|
|
||||||
User-agent: Amazonbot
|
User-agent: ChatGPT-User
|
||||||
Disallow: /
|
|
||||||
|
|
||||||
User-agent: FacebookBot
|
|
||||||
Disallow: /
|
|
||||||
|
|
||||||
User-agent: anthopic-ai
|
|
||||||
Disallow: /
|
Disallow: /
|
||||||
|
|
||||||
User-agent: Claude-Web
|
User-agent: Claude-Web
|
||||||
Disallow: /
|
Disallow: /
|
||||||
|
|
||||||
User-agent: cohere-ai
|
User-agent: FacebookBot
|
||||||
|
Disallow: /
|
||||||
|
|
||||||
|
User-agent: GPTBot
|
||||||
|
Disallow: /
|
||||||
|
|
||||||
|
User-agent: Google-Extended
|
||||||
Disallow: /
|
Disallow: /
|
||||||
|
|
||||||
User-agent: Omgilibot
|
User-agent: Omgilibot
|
||||||
Disallow: /
|
Disallow: /
|
||||||
|
|
||||||
|
User-agent: anthopic-ai
|
||||||
|
Disallow: /
|
||||||
|
|
||||||
|
User-agent: cohere-ai
|
||||||
|
Disallow: /
|
||||||
|
|
||||||
User-Agent: *
|
User-Agent: *
|
||||||
Disallow: /harming/humans
|
Disallow: /harming/humans
|
||||||
Disallow: /ignoring/human/orders
|
Disallow: /ignoring/human/orders
|
||||||
|
|
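Review bot: The reordered list still carries `User-agent: anthopic-ai`, which looks like a misspelling of `anthropic-ai`; a robots.txt group applies only to crawlers whose token matches, so as written this entry matches nothing. If the spelling is the file's own and not an artefact of this page, change the line to `User-agent: anthropic-ai`.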
|
@ -2,6 +2,8 @@ hysteria:
|
||||||
auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
|
auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
|
||||||
searx:
|
searx:
|
||||||
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
||||||
|
pixivfe:
|
||||||
|
environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -26,8 +28,8 @@ sops:
|
||||||
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
|
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
|
||||||
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
|
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-05-01T11:58:36Z"
|
lastmodified: "2024-05-15T07:19:59Z"
|
||||||
mac: ENC[AES256_GCM,data:dC1Q+u26euRWBsbduJC9bI79wZ0HG278Zgiijw65FAaSV6cemtwEul9PYBAOyz81MVSJCS2L7IkV6oUJWRr+nCbMMR19llWFsQNryC4TmthVXpfPkA5KeOHNR0Cz9acaQGdST+4zARYk/8VKYWO+2dX0V/BUN22C1FBu67w21H4=,iv:9CYnuGfW0Ax/rvqRXv+t9DJYF8KmWzeHjI+L6xnhf10=,tag:SQwukFLU9zzOkDGXTbOF4A==,type:str]
|
mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
|
@ -6,15 +6,10 @@
|
||||||
outputs = inputs: {
|
outputs = inputs: {
|
||||||
packages.x86_64-linux.default = inputs.self.robotnixConfigurations."socrates".img;
|
packages.x86_64-linux.default = inputs.self.robotnixConfigurations."socrates".img;
|
||||||
|
|
||||||
# FIXME: it doesn't build
|
|
||||||
# hardware/qcom-caf/sm8550/audio/pal/test/PalTest_main.c:56:32: error: unused parameter 'sig' [-Werror,-Wunused-parameter]
|
|
||||||
# static void sigint_handler(int sig)
|
|
||||||
# ^
|
|
||||||
# 1 error generated.
|
|
||||||
robotnixConfigurations."socrates" = inputs.robotnix.lib.robotnixSystem ({pkgs, ...}: {
|
robotnixConfigurations."socrates" = inputs.robotnix.lib.robotnixSystem ({pkgs, ...}: {
|
||||||
device = "socrates";
|
device = "socrates";
|
||||||
flavor = "lineageos";
|
flavor = "lineageos";
|
||||||
androidVersion = 13;
|
androidVersion = 14;
|
||||||
|
|
||||||
apps.chromium.enable = false;
|
apps.chromium.enable = false;
|
||||||
webview.chromium.enable = false;
|
webview.chromium.enable = false;
|
||||||
|
@ -22,32 +17,32 @@
|
||||||
ccache.enable = true;
|
ccache.enable = true;
|
||||||
|
|
||||||
source.dirs."device/xiaomi/socrates".src = pkgs.fetchFromGitHub {
|
source.dirs."device/xiaomi/socrates".src = pkgs.fetchFromGitHub {
|
||||||
owner = "kmiit";
|
owner = "danielml3";
|
||||||
repo = "android_device_xiaomi_socrates";
|
repo = "android_device_xiaomi_socrates";
|
||||||
rev = "6548361fe50743d6fe752f5848f63f9965d12d23";
|
rev = "8b48a7a18b8db76d7122ca6e1b5bde8765d16665"; # lineage-21
|
||||||
hash = "sha256-traXLuq74MTfUStOqyX3QBBbYAQEtXWTP9PpBjVfK/o=";
|
hash = "sha256-pQIbxpZhaxc7nI8Pl8sjG3kmvD3ComFDowjcKb9eZRo=";
|
||||||
};
|
};
|
||||||
source.dirs."device/xiaomi/socrates".patches = [./disable-gapps.patch];
|
|
||||||
|
|
||||||
source.dirs."device/xiaomi/socrates-kernel".src = pkgs.fetchFromGitHub {
|
source.dirs."device/xiaomi/socrates-kernel".src = pkgs.fetchFromGitHub {
|
||||||
owner = "xiaomi-socrates";
|
owner = "danielml3";
|
||||||
repo = "android_device_xiaomi_socrates-kernel";
|
repo = "android_device_xiaomi_socrates";
|
||||||
rev = "f13d073698b678442a694b2b2e3eecc997bb5227";
|
rev = "60cd3aebf59cdf96366e8e4a8a1e2887f7d4d063"; # lineage-21-kernel
|
||||||
hash = "sha256-Ln7rhdJNbj8imUUaitnUhXMj36Wjuf5IB8UmD6Y1o4c";
|
hash = "sha256-i5QtxvApvGk24WeH6i6nC6jhS2jL2BolRUr/M02y6lc=";
|
||||||
};
|
};
|
||||||
|
|
||||||
source.dirs."hardware/xiaomi".src = pkgs.fetchFromGitHub {
|
source.dirs."hardware/xiaomi".src = pkgs.fetchFromGitHub {
|
||||||
owner = "cupid-development";
|
owner = "LineageOS";
|
||||||
repo = "android_hardware_xiaomi";
|
repo = "android_hardware_xiaomi";
|
||||||
rev = "b5167f21ba268a029461bded3f12205e5600b9f0";
|
rev = "4453055456bb452830144d9526342b032289495e"; # lineage-21
|
||||||
hash = "sha256-69nyWSjFrTjVsZdX92NZ5lv1H14mtC9dGepaD+nwvhY=";
|
hash = "sha256-kQoHGKsa5L+usIChTMm63P85N8ZGofcllE4Hybf7itA=";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# TODO:
|
||||||
source.dirs."vendor/xiaomi/socrates".src = pkgs.fetchFromGitHub {
|
source.dirs."vendor/xiaomi/socrates".src = pkgs.fetchFromGitHub {
|
||||||
owner = "kmiit";
|
owner = "kmiit";
|
||||||
repo = "android_vendor_xiaomi_socrates";
|
repo = "android_vendor_xiaomi_socrates";
|
||||||
rev = "8808c2f06a7645eaccb4992193f24c188b908418";
|
rev = "";
|
||||||
hash = "sha256-jPZxWtTpj5a+EoIVmkU4L0dQD4926HyeM6BE2/1swDw=";
|
hash = "";
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
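Review bot: `source.dirs."vendor/xiaomi/socrates"` is committed with `rev = "";` and `hash = "";` under a bare `# TODO:`, which makes the vendor blob tree the one input in this section that is not pinned to a commit and a content hash. An empty hash cannot verify anything, so the image should not be buildable as committed, and the pin has to be chosen deliberately, not copied from a fetch error. Either keep the previous `rev`/`hash` until the new revision has been reviewed, or make the marker say what is missing, e.g. `# TODO: pin the lineage-21 vendor tree (rev + hash) after reviewing it`. The kernel entry now names the same repository as the device tree; the `# lineage-21-kernel` comment suggests a branch of that repository, which is worth confirming.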
|
@ -11,5 +11,7 @@
|
||||||
|
|
||||||
# nixpkgs styled options
|
# nixpkgs styled options
|
||||||
./services/hysteria.nix
|
./services/hysteria.nix
|
||||||
|
./services/pixivfe.nix
|
||||||
|
./services/rathole.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
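--- a/nixos/modules/services/pixivfe-pkg.nix
+++ b/nixos/modules/services/pixivfe-pkg.nix
@@ -0,0 +1,37 @@
+{
+lib,
+buildGoModule,
+fetchFromGitea,
+makeBinaryWrapper,
+}:
+buildGoModule rec {
+pname = "pixivfe";
+version = "2.5.1";
+
+src = fetchFromGitea {
+domain = "codeberg.org";
+owner = "VnPower";
+repo = "PixivFE";
+rev = "v${version}";
+hash = "sha256-G2pSPpemMFAbQ9QkI4XAHobv+Em9ZoDUJiO/cwEy4Tc=";
+};
+
+vendorHash = "sha256-QapDR964Tn+RxXdkGqCQXacdmlSapF841Y84n4d/6VI=";
+
+nativeBuildInputs = [makeBinaryWrapper];
+
+# PixivFE require files from source code
+postInstall = ''
+wrapProgram $out/bin/pixivfe \
+--chdir ${src}
+'';
+
+meta = {
+description = "A privacy respecting frontend for Pixiv";
+homepage = "https://codeberg.org/VnPower/PixivFE";
+license = lib.licenses.agpl3Only;
+mainProgram = "pixivfe";
+maintainers = with lib.maintainers; [Guanran928];
+platforms = lib.platforms.linux;
+};
+}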
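--- a/nixos/modules/services/pixivfe.nix
+++ b/nixos/modules/services/pixivfe.nix
@@ -0,0 +1,130 @@
+{
+pkgs,
+config,
+lib,
+...
+}: let
+cfg = config.services.pixivfe;
+in {
+options.services.pixivfe = {
+enable = lib.mkEnableOption "PixivFE, a privacy respecting frontend for Pixiv";
+
+# package = lib.mkPackageOption pkgs "pixivfe" {};
+package = lib.mkOption {
+default = pkgs.callPackage ./pixivfe-pkg.nix {};
+};
+
+openFirewall = lib.mkEnableOption "open ports in the firewall needed for the daemon to function";
+
+settings = lib.mkOption {
+type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
+default = null;
+example = lib.literalExpression ''
+{
+PIXIVFE_PORT = "8282";
+PIXIVFE_TOKEN = "123456_AaBbccDDeeFFggHHIiJjkkllmMnnooPP";
+};
+'';
+description = ''
+Additional configuration for PixivFE, see
+<https://pixivfe.pages.dev/environment-variables/> for supported values.
+For secrets use `EnvironmentFile` option instead.
+'';
+};
+
+EnvironmentFile = lib.mkOption {
+type = lib.types.nullOr lib.types.str;
+default = null;
+example = lib.literalExpression ''
+/run/secrets/environment
+'';
+description = ''
+File containing environment variables to be passed to the PixivFE service.
+
+See `systemd.exec(5)` for more information.
+'';
+};
+};
+config = lib.mkIf cfg.enable {
+assertions = [
+{
+assertion =
+if cfg.openFirewall
+then (cfg.settings ? PIXIVFE_PORT)
+else true;
+message = ''
+PIXIVFE_PORT must be specified for NixOS to open a port.
+
+See https://pixivfe.pages.dev/environment-variables/ for more information.
+'';
+}
+{
+assertion =
+if (cfg.EnvironmentFile == null)
+then (cfg.settings ? PIXIVFE_UNIXSOCKET) || (cfg.settings ? PIXIVFE_PORT)
+else true;
+message = ''
+PIXIVFE_PORT or PIXIVFE_UNIXSOCKET must be set for PixivFE to run.
+
+See https://pixivfe.pages.dev/environment-variables/ for more information.
+'';
+}
+{
+assertion =
+if (cfg.EnvironmentFile == null)
+then cfg.settings ? PIXIVFE_TOKEN
+else true;
+message = ''
+PIXIVFE_TOKEN must be set for PixivFE to run.
+
+See https://pixivfe.pages.dev/environment-variables/ for more information.
+'';
+}
+];
+
+systemd.services."pixivfe" = {
+description = "PixivFE, a privacy respecting frontend for Pixiv.";
+documentation = ["https://pixivfe.pages.dev/"];
+wantedBy = ["multi-user.target"];
+after = ["network-online.target"];
+wants = ["network-online.target"];
+environment = lib.mkIf (cfg.settings != null) (lib.mapAttrs (_: v:
+if lib.isBool v
+then lib.boolToString v
+else toString v)
+cfg.settings);
+serviceConfig = {
+inherit (cfg) EnvironmentFile;
+ExecStart = lib.getExe cfg.package;
+DynamicUser = true;
+
+### Hardening
+AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; # For ports <= 1024
+CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
+NoNewPrivileges = true;
+PrivateMounts = true;
+PrivateTmp = true;
+ProcSubset = "pid";
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = "@system-service";
+UMask = "0077";
+};
+};
+
+networking.firewall = lib.mkIf cfg.openFirewall {
+allowedTCPPorts = [cfg.settings.PIXIVFE_PORT];
+};
+};
+}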
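Review bot: The `settings` example places `PIXIVFE_TOKEN` in `settings`, and the third assertion demands it there whenever `EnvironmentFile` is null, yet every `settings` entry becomes the unit's `environment`, which is written to the world-readable Nix store. The example should drop the token and the description should say so outright, e.g. `PIXIVFE_TOKEN is a secret: pass it through EnvironmentFile, never through settings`, with the assertion message pointing at `EnvironmentFile` as well. `allowedTCPPorts = [cfg.settings.PIXIVFE_PORT]` receives the string form shown in the example where the firewall option expects an integer port, so `lib.toInt` or a typed port option is needed. `CAP_NET_BIND_SERVICE` is granted unconditionally although a Unix-socket setup does not need it, and `package` has no `type`.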
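--- a/nixos/modules/services/rathole.nix
+++ b/nixos/modules/services/rathole.nix
@@ -0,0 +1,50 @@
+{
+pkgs,
+config,
+lib,
+...
+}: let
+cfg = config.services.rathole;
+in {
+options.services.rathole = {
+enable = lib.mkEnableOption "Rathole, a lightweight and high-performance reverse proxy for NAT traversal";
+
+package = lib.mkPackageOption pkgs "rathole" {};
+
+configFile = lib.mkOption {
+default = null;
+type = lib.types.nullOr lib.types.path;
+description = "Configuration file to use.";
+};
+
+credentials = lib.mkOption {
+type = lib.types.listOf lib.types.str;
+default = [];
+example = lib.literalExpression ''
+[
+"cert:/tmp/certificate.crt"
+"key:/tmp/private-key.key"
+];
+'';
+description = ''
+Extra credentials loaded by systemd, you can access them by `/run/credentials/rathole.service/foobar`.
+
+See `systemd.exec(5)` for more information.
+'';
+};
+};
+
+config = lib.mkIf cfg.enable {
+systemd.services.rathole = {
+description = "Rathole daemon, a lightweight and high-performance reverse proxy for NAT traversal.";
+wantedBy = ["multi-user.target"];
+after = ["network-online.target"];
+wants = ["network-online.target"];
+serviceConfig = {
+ExecStart = "${lib.getExe cfg.package} $\{CREDENTIALS_DIRECTORY}/rathole.toml";
+LoadCredential = ["rathole.toml:${cfg.configFile}"] ++ cfg.credentials;
+DynamicUser = true;
+};
+};
+};
+}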
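Review bot: `configFile` is typed `lib.types.path` and interpolated as `"rathole.toml:${cfg.configFile}"`, so a Nix path literal such as `./rathole.toml` is copied into the world-readable store before `LoadCredential` ever sees it, which undoes the point of loading a config that normally carries the tunnel tokens as a credential. Typing it as `lib.types.str` and describing it as `Absolute runtime path to the config (for example a sops-nix secret path); do not pass a Nix path literal` avoids that. The `null` default fails at the same interpolation once the service is enabled, so an assertion on `cfg.configFile != null` with a readable message would help. Unlike the pixivfe module added in this commit, the unit has no sandboxing options beyond `DynamicUser = true;`.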
|
@ -5,22 +5,24 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports =
|
||||||
|
[
|
||||||
./hardening
|
./hardening
|
||||||
./networking
|
./networking
|
||||||
./nix
|
./nix
|
||||||
|
]
|
||||||
# Flake modules
|
++ (with inputs; [
|
||||||
inputs.disko.nixosModules.disko
|
aagl.nixosModules.default
|
||||||
inputs.home-manager.nixosModules.home-manager
|
disko.nixosModules.disko
|
||||||
inputs.impermanence.nixosModules.impermanence
|
home-manager.nixosModules.home-manager
|
||||||
inputs.lanzaboote.nixosModules.lanzaboote
|
impermanence.nixosModules.impermanence
|
||||||
inputs.nix-gaming.nixosModules.pipewireLowLatency
|
lanzaboote.nixosModules.lanzaboote
|
||||||
inputs.nur.nixosModules.nur
|
nix-gaming.nixosModules.pipewireLowLatency
|
||||||
inputs.self.nixosModules.default
|
nixos-sensible.nixosModules.default
|
||||||
inputs.sops-nix.nixosModules.sops
|
nur.nixosModules.nur
|
||||||
inputs.nixos-sensible.nixosModules.default
|
self.nixosModules.default
|
||||||
];
|
sops-nix.nixosModules.sops
|
||||||
|
]);
|
||||||
|
|
||||||
nixpkgs.overlays = [
|
nixpkgs.overlays = [
|
||||||
inputs.self.overlays.patches
|
inputs.self.overlays.patches
|
||||||
|
|
|
@ -52,6 +52,7 @@
|
||||||
default = "gtk";
|
default = "gtk";
|
||||||
"org.freedesktop.impl.portal.ScreenCast" = "wlr";
|
"org.freedesktop.impl.portal.ScreenCast" = "wlr";
|
||||||
"org.freedesktop.impl.portal.Screenshot" = "wlr";
|
"org.freedesktop.impl.portal.Screenshot" = "wlr";
|
||||||
|
"org.freedesktop.impl.portal.Inhibit" = "none";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -70,7 +71,7 @@
|
||||||
package = pkgs.valent;
|
package = pkgs.valent;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.xserver.libinput = {
|
services.libinput = {
|
||||||
touchpad = {
|
touchpad = {
|
||||||
accelProfile = "flat";
|
accelProfile = "flat";
|
||||||
naturalScrolling = true;
|
naturalScrolling = true;
|
||||||
|
|
|
@ -30,8 +30,8 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
theme = {
|
theme = {
|
||||||
name = "adw-gtk3-dark";
|
name = "Adwaita-dark";
|
||||||
package = pkgs.adw-gtk3;
|
package = pkgs.gnome-themes-extra;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -18,6 +18,23 @@ in {
|
||||||
url = "https://i.pximg.net/img-original/img/2023/03/29/01/29/52/106654974_p0.jpg"; # https://www.pixiv.net/en/artworks/106654974
|
url = "https://i.pximg.net/img-original/img/2023/03/29/01/29/52/106654974_p0.jpg"; # https://www.pixiv.net/en/artworks/106654974
|
||||||
hash = "sha256-mB/D46JCddOlMUtFQu7R0OtRMIoApbT1nnRv0VyzEb8=";
|
hash = "sha256-mB/D46JCddOlMUtFQu7R0OtRMIoApbT1nnRv0VyzEb8=";
|
||||||
};
|
};
|
||||||
|
"backgrounds/genshin1.jpg".source = pkgs.fetchurl {
|
||||||
|
inherit curlOptsList;
|
||||||
|
url = "https://i.pximg.net/img-original/img/2022/09/29/00/00/15/101553430_p0.jpg"; # https://www.pixiv.net/artworks/101553430
|
||||||
|
hash = "sha256-VMUxBExuA5LDNQVeBBf4btyWsETN0B7pr0bTrBiJHaI=";
|
||||||
|
};
|
||||||
|
|
||||||
|
"backgrounds/genshin2.jpg".source = pkgs.fetchurl {
|
||||||
|
url = "https://imglf3.lf127.net/img/7196a1c5f06b5e38/T0FlK2VJTUI4Q1ZGbkhrc0ZWMlpiT3RJU1RQOXdJcGhrS3ZMOTBKdmR3OD0.jpeg"; # https://57friend.lofter.com/post/1d7a55da_2b5bc7172
|
||||||
|
hash = "sha256-jO8S+WNWfel74+CtMbfd9F78CuyXFK5ka72Br9b10P4=";
|
||||||
|
};
|
||||||
|
|
||||||
|
"backgrounds/genshin3.jpg".source = pkgs.fetchurl {
|
||||||
|
inherit curlOptsList;
|
||||||
|
url = "https://i.pximg.net/img-original/img/2022/06/21/20/00/28/99170653_p0.jpg"; # https://www.pixiv.net/artworks/99170653
|
||||||
|
hash = "sha256-7DmmJRZyJKU06j89X3x5NlOElFhdilIhzQMs3ynZKh4=";
|
||||||
|
};
|
||||||
|
|
||||||
"backgrounds/summer.jpg".source = let
|
"backgrounds/summer.jpg".source = let
|
||||||
image = pkgs.fetchurl {
|
image = pkgs.fetchurl {
|
||||||
inherit curlOptsList;
|
inherit curlOptsList;
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
prev.gnome
|
prev.gnome
|
||||||
// {
|
// {
|
||||||
# https://aur.archlinux.org/pkgbase/nautilus-typeahead
|
# https://aur.archlinux.org/pkgbase/nautilus-typeahead
|
||||||
nautilus = prev.gnome.nautilus.overrideAttrs (old: {
|
nautilus = prev.gnome.nautilus.overrideAttrs {
|
||||||
src = prev.fetchFromGitLab {
|
src = prev.fetchFromGitLab {
|
||||||
domain = "gitlab.gnome.org";
|
domain = "gitlab.gnome.org";
|
||||||
owner = "albertvaka";
|
owner = "albertvaka";
|
||||||
|
@ -16,6 +16,6 @@
|
||||||
postPatch = ''
|
postPatch = ''
|
||||||
awk -i inplace '/type-ahead-search/{c++;} c==1 && /true/{sub("true", "false"); c++;} 1' data/org.gnome.nautilus.gschema.xml
|
awk -i inplace '/type-ahead-search/{c++;} c==1 && /true/{sub("true", "false"); c++;} 1' data/org.gnome.nautilus.gschema.xml
|
||||||
'';
|
'';
|
||||||
});
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|