treewide: update

I honestly have no idea how to commit this pile of stuff one by one...
This commit is contained in:
Guanran Wang 2024-05-24 00:15:10 +08:00
parent fca24d8bb6
commit 340f42cf17
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
26 changed files with 880 additions and 166 deletions


@ -8,6 +8,11 @@ keys:
- &blacksteel age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
- &lightsail-tokyo age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
creation_rules:
- path_regex: hosts/blacksteel/secrets.yaml$
key_groups:
- age:
- *guanranwang
- *blacksteel
- path_regex: hosts/lightsail-tokyo/secrets.yaml$
key_groups:
- age:


@ -1,5 +1,26 @@
{
"nodes": {
"aagl": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1716425853,
"narHash": "sha256-PSd1jStP3SfJB3JvHRVjHpGwy3eKjni06VciEly0rHQ=",
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "fa6201a1cfcaa84d442c9c9b17c2e79df99f444b",
"type": "github"
},
"original": {
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"type": "github"
}
},
"berberman": {
"inputs": {
"nixpkgs": [
@ -10,11 +31,11 @@
]
},
"locked": {
"lastModified": 1714155185,
"narHash": "sha256-/waEN3vHOgWHqRi4p3lbndS8C3iFl1ZQA60dR0CrJco=",
"lastModified": 1716307996,
"narHash": "sha256-yuyK5HpOIbzkptgvuL+jqi+/Jy1XYzjsNUN2AUIq+Wc=",
"owner": "berberman",
"repo": "flakes",
"rev": "8609046ac57e6b32e601c6577562c3eb75ae95f6",
"rev": "09f7b705563c36221e89d0e9bc156b29c0a5d6f2",
"type": "github"
},
"original": {
@ -30,11 +51,11 @@
]
},
"locked": {
"lastModified": 1714536327,
"narHash": "sha256-zu4+LcygJwdyFHunTMeDFltBZ9+hoWvR/1A7IEy7ChA=",
"lastModified": 1716156051,
"narHash": "sha256-TjUX7WWRcrhuUxDHsR8pDR2N7jitqZehgCVSy3kBeS8=",
"owner": "ipetkov",
"repo": "crane",
"rev": "3124551aebd8db15d4560716d4f903bd44c64e4a",
"rev": "7443df1c478947bf96a2e699209f53b2db26209d",
"type": "github"
},
"original": {
@ -50,11 +71,11 @@
]
},
"locked": {
"lastModified": 1714612856,
"narHash": "sha256-W7+rtMzRmdovzndN2NYUv5xzkbMudtQ3jbyFuGk0O1E=",
"lastModified": 1716431128,
"narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
"owner": "nix-community",
"repo": "disko",
"rev": "d57058eb09dd5ec00c746df34fe0a603ea744370",
"rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
"type": "github"
},
"original": {
@ -64,6 +85,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@ -85,11 +122,11 @@
]
},
"locked": {
"lastModified": 1714641030,
"narHash": "sha256-yzcRNDoyVP7+SCNX0wmuDju1NUCt8Dz9+lyUXEI0dbI=",
"lastModified": 1715865404,
"narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "e5d10a24b66c3ea8f150e47dfdb0416ab7c3390e",
"rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
"type": "github"
},
"original": {
@ -145,11 +182,11 @@
]
},
"locked": {
"lastModified": 1714679908,
"narHash": "sha256-KzcXzDvDJjX34en8f3Zimm396x6idbt+cu4tWDVS2FI=",
"lastModified": 1716457508,
"narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9036fe9ef8e15a819fa76f47a8b1f287903fb848",
"rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
"type": "github"
},
"original": {
@ -247,11 +284,11 @@
]
},
"locked": {
"lastModified": 1713946171,
"narHash": "sha256-lc75rgRQLdp4Dzogv5cfqOg6qYc5Rp83oedF2t0kDp8=",
"lastModified": 1716329735,
"narHash": "sha256-ap51w+VqG21vuzyQ04WrhI2YbWHd3UGz0e7dc/QQmoA=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "230a197063de9287128e2c68a7a4b0cd7d0b50a7",
"rev": "eac4f25028c1975a939c8f8fba95c12f8a25e01c",
"type": "github"
},
"original": {
@ -273,11 +310,11 @@
]
},
"locked": {
"lastModified": 1713988078,
"narHash": "sha256-scRrzQQyJAT0iPAd8AZvolgiq7npatsfytwnduESndI=",
"lastModified": 1715807870,
"narHash": "sha256-lutvG1LFGSpXsGA7U4TWfdfq6p71WdSlhw3vM4W/Opk=",
"owner": "Gerschtli",
"repo": "nix-formatter-pack",
"rev": "08d0135dbe95992b5f8d54c351ce62be2177f0b4",
"rev": "ab5feb867e5d074918852de6134500a82a09dc48",
"type": "github"
},
"original": {
@ -296,11 +333,11 @@
]
},
"locked": {
"lastModified": 1714303849,
"narHash": "sha256-o/IgiwA0ZS/nMh5YB0bt+ae3Lt+tlbQouY/xL7tB5h0=",
"lastModified": 1716409168,
"narHash": "sha256-EhfEm11GRKDJVWeCRZ9uH6PZC6I0rAKTTEOedOlEfEI=",
"owner": "fufexan",
"repo": "nix-gaming",
"rev": "dbb96ae98e723128cf5a612480ba6187113f5e49",
"rev": "72a38144721f978979d09f01e0929457c347d1f3",
"type": "github"
},
"original": {
@ -350,11 +387,11 @@
]
},
"locked": {
"lastModified": 1714685946,
"narHash": "sha256-09YdG9ExCFj9Ngrc1qXZBtn6LRyzFG2KcVVcl295tmU=",
"lastModified": 1716413945,
"narHash": "sha256-BND2qR3ijnT1pS0vonpzlloeJqcnkLsz863JVl4Hb48=",
"owner": "jacekszymanski",
"repo": "nixcasks",
"rev": "a0bc85d5d4d3c3e83c637cfb8b0830ed55020bf2",
"rev": "8d9c80f1ffd737aa1a2660bcf8fecbd3176dc71e",
"type": "github"
},
"original": {
@ -365,11 +402,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1714465198,
"narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=",
"lastModified": 1716173274,
"narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4",
"rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
"type": "github"
},
"original": {
@ -395,16 +432,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1714750568,
"narHash": "sha256-HHx3NGN7gHZdfnyXF961sxr9FcxM5bg4gweeHEnRxXQ=",
"lastModified": 1716358718,
"narHash": "sha256-NQbegJb2ZZnAqp2EJhWwTf6DrZXSpA6xZCEq+RGV1r0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e96601ecf084d9d6a366a4f0da7f36479f67f81e",
"rev": "3f316d2a50699a78afe5e77ca486ad553169061e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -427,11 +464,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1714531828,
"narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
"lastModified": 1716361217,
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
"type": "github"
},
"original": {
@ -482,11 +519,11 @@
},
"nur": {
"locked": {
"lastModified": 1714681542,
"narHash": "sha256-7WQo+TMORkw/Bo1AADX7IuYu28rWVJN7qMTq3QDWU9E=",
"lastModified": 1716479105,
"narHash": "sha256-O5vAr3D1Kxo+BCzL25bR6H3IwLZISj/B29OVGon216k=",
"owner": "nix-community",
"repo": "NUR",
"rev": "6132349be4a6cfe62cfe744d622a645e4981d458",
"rev": "b3d163c563387c70d9a4ee1055e6c9def436f529",
"type": "github"
},
"original": {
@ -526,9 +563,6 @@
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"gitignore": [
"gitignore"
],
@ -540,11 +574,11 @@
]
},
"locked": {
"lastModified": 1714478972,
"narHash": "sha256-q//cgb52vv81uOuwz1LaXElp3XAe1TqrABXODAEF6Sk=",
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "2849da033884f54822af194400f8dff435ada242",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
@ -555,10 +589,11 @@
},
"root": {
"inputs": {
"aagl": "aagl",
"berberman": "berberman",
"crane": "crane",
"disko": "disko",
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"gitignore": "gitignore",
@ -599,11 +634,11 @@
]
},
"locked": {
"lastModified": 1714616033,
"narHash": "sha256-JcWAjIDl3h0bE/pII0emeHwokTeBl+SWrzwrjoRu7a0=",
"lastModified": 1716430594,
"narHash": "sha256-vdVzaGD5p+KG7XHepIeX5rUPmdzEcF2w6rhqfr0SNkI=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "3e416d5067ba31ff8ac31eeb763e4388bdf45089",
"rev": "ee0db3aeebafeaada2b98d076de6d314b4c8682e",
"type": "github"
},
"original": {
@ -638,11 +673,11 @@
]
},
"locked": {
"lastModified": 1713892811,
"narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
"lastModified": 1716400300,
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
"rev": "b549832718b8946e875c016a4785d204fcfc2e53",
"type": "github"
},
"original": {
@ -681,11 +716,11 @@
]
},
"locked": {
"lastModified": 1714611022,
"narHash": "sha256-Cneh2G54TO1eVQBxLZp0JlW8LWbTE/N1WjcE2W+F3pI=",
"lastModified": 1716425501,
"narHash": "sha256-BSLhmGYY1khyyBAjraR+N0Pa9Nha/et5yQQlEZxcfkU=",
"owner": "nix-community",
"repo": "srvos",
"rev": "1fa90a0a81fec38c117397fde79733cc78f12815",
"rev": "1122cd50a23647e09c3e7a679d37ec02113bc412",
"type": "github"
},
"original": {
@ -716,11 +751,11 @@
]
},
"locked": {
"lastModified": 1714058656,
"narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=",
"lastModified": 1715940852,
"narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f",
"rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
"type": "github"
},
"original": {


@ -7,9 +7,13 @@
# `nixpkgs-unstable` contains less(?) jobs, and usually updates faster.
#
# REFERENCE: https://discourse.nixos.org/t/differences-between-nix-channels/13998/5
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
aagl = {
url = "github:ezKEa/aagl-gtk-on-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
berberman = {
url = "github:berberman/flakes";
inputs.nixpkgs.follows = "nixpkgs";
@ -140,7 +144,6 @@
inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs-stable.follows = "nixpkgs-stable";
inputs.flake-compat.follows = "flake-compat";
inputs.flake-utils.follows = "flake-utils";
inputs.gitignore.follows = "gitignore";
};
rust-overlay = {


@ -1,6 +1,8 @@
{
pkgs,
inputs,
config,
lib,
...
}: {
imports = [
@ -53,4 +55,17 @@
# for udev rules
programs.adb.enable = true;
# fucking hell
programs.anime-game-launcher.enable = true;
# FIXME:
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
version = "555.42.02";
sha256_64bit = "sha256-k7cI3ZDlKp4mT46jMkLaIrc2YUx1lh1wj/J4SVSHWyk=";
sha256_aarch64 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
openSha256 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
settingsSha256 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
persistencedSha256 = lib.fakeSha256;
};
}
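Review bot: `sha256_aarch64`, `openSha256` and `settingsSha256` are all given the same hash even though they pin three different artifacts, and `persistencedSha256 = lib.fakeSha256` makes any evaluation that needs persistenced fail by design, so the bare `# FIXME:` above the mkDriver call should say which of the five hashes were actually verified. A wrong hash fails closed, so this is a build break rather than an integrity problem, but nothing in the hunk shows the 555.42.02 pin was ever built. Suggest replacing `# FIXME:` with `# FIXME: openSha256/settingsSha256/sha256_aarch64 are copies of one another and persistenced uses a fake hash; fill in the real values before relying on this driver`.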


@ -10,7 +10,7 @@ MacBookPro11,3
### Description
Homelab, hosting random stuff through tailscale.
Homelab, hosting random stuff through tailscale and rathole.
### TODOs:


@ -9,22 +9,22 @@
"adoptopenjdk-hotspot-bin"
"cargo-bootstrap"
"cef-binary"
"minecraft-server"
"rustc-bootstrap"
"rustc-bootstrap-wrapper"
"sof-firmware"
"spotify"
"vscodium"
"papermc"
"temurin-bin"
"vscodium"
];
allowUnfree = false;
allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"broadcom-sta"
"minecraft-server"
"nvidia-x11"
"spotify"
"broadcom-sta"
"papermc"
];
};
}


@ -1,11 +1,15 @@
{
pkgs,
lib,
config,
...
}: {
imports = [
# OS
../../nixos/profiles/laptop
# FIXME:
../../nixos/profiles/common/core
../../nixos/profiles/common/physical
../../nixos/profiles/common/mobile
../../nixos/profiles/common/opt-in/clash-meta-client
# Hardware
@ -19,26 +23,148 @@
time.timeZone = "Asia/Shanghai";
system.stateVersion = "23.11";
######## Secrets
sops = {
secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
"synapse/secret" = {
restartUnits = ["matrix-synapse.service"];
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
};
"synapse/oidc" = {
restartUnits = ["matrix-synapse.service"];
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
};
"syncv3/environment" = {
restartUnits = ["matrix-sliding-sync.service"];
};
"mastodon/environment" = {
restartUnits = ["mastodon-web.service"];
};
};
};
######## Services
environment.systemPackages = with pkgs; [qbittorrent];
services.tailscale = {
enable = true;
openFirewall = true;
};
# Minecraft
services.frp = {
enable = true;
role = "client";
settings = {
serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
serverPort = 7000;
auth.method = "token";
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret!
proxies = [
{
name = "synapse";
type = "tcp";
localIP = "127.0.0.1";
localPort = 8100;
remotePort = 8600;
}
{
name = "syncv3";
type = "tcp";
localIP = "127.0.0.1";
remotePort = 8700;
plugin = {
type = "unix_domain_socket";
unixPath = "/run/matrix-sliding-sync/sync.sock";
};
}
{
name = "mastodon-web";
type = "tcp";
localIP = "127.0.0.1";
remotePort = 8900;
plugin = {
type = "unix_domain_socket";
unixPath = "/run/mastodon-web/web.socket";
};
}
{
name = "mastodon-streaming";
type = "tcp";
localIP = "127.0.0.1";
remotePort = 9000;
plugin = {
type = "unix_domain_socket";
unixPath = "/run/mastodon-streaming/streaming-1.socket";
};
}
{
name = "mastodon-system";
type = "tcp";
localIP = "127.0.0.1";
remotePort = 9100;
plugin = {
type = "static_file";
localPath = "/var/lib/mastodon/public-system";
};
}
];
};
};
systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon"];
services.postgresql = {
enable = true;
settings = {
# Generated by pgTune
# https://pgtune.leopard.in.ua/#/
#
# DB Version: 15
# OS Type: linux
# DB Type: web
# Total Memory (RAM): 16 GB
# CPUs num: 8
# Data Storage: ssd
max_connections = 200;
shared_buffers = "4GB";
effective_cache_size = "12GB";
maintenance_work_mem = "1GB";
checkpoint_completion_target = 0.9;
wal_buffers = "16MB";
default_statistics_target = 100;
random_page_cost = "1.1";
effective_io_concurrency = 200;
work_mem = "5242kB";
huge_pages = "off";
min_wal_size = "1GB";
max_wal_size = "4GB";
max_worker_processes = 8;
max_parallel_workers_per_gather = 4;
max_parallel_workers = 8;
max_parallel_maintenance_workers = 4;
};
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.postgresqlBackup = {
enable = true;
location = "/var/lib/backup/postgresql";
compression = "zstd";
startAt = "weekly";
};
services.minecraft-server = {
enable = true;
eula = true;
openFirewall = true;
# I should switch to vanilla/fabric one day...
package = pkgs.papermc.overrideAttrs {
version = "1.20.4-485";
hash = "sha256-8bhlv/MU7KDmdL8Ngvg/zLMlGiO4Fswoyn/1diFE65k=";
};
# TODO: not working for some reason
#.override {jre = pkgs.temurin-bin;};
# Aikar's flag
# https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
# https://docs.papermc.io/paper/aikars-flags
@ -82,7 +208,6 @@
};
};
# Samba
services.samba = {
enable = true;
openFirewall = true;
@ -91,14 +216,105 @@
"read only" = "no";
};
};
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
systemd.tmpfiles.rules = [
"d /srv/samba/share 0700 guanranwang root"
];
# qBitTorrent
environment.systemPackages = with pkgs; [qbittorrent];
services.matrix-synapse = {
enable = true;
withJemalloc = true;
extraConfigFiles = [config.sops.secrets."synapse/secret".path];
settings = {
server_name = "ny4.dev";
public_baseurl = "https://matrix.ny4.dev";
presence.enabled = false; # tradeoff
listeners = [
{
port = 8100;
bind_addresses = ["127.0.0.1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation"];
compress = true;
}
];
}
];
# https://element-hq.github.io/synapse/latest/openid.html#keycloak
oidc_providers = [
{
idp_id = "keycloak";
idp_name = "id.ny4.dev";
issuer = "https://id.ny4.dev/realms/master";
client_id = "synapse";
client_secret_path = config.sops.secrets."synapse/oidc".path;
scopes = ["openid" "profile"];
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
backchannel_logout_enabled = true;
allow_existing_users = true;
}
];
};
};
systemd.services.matrix-synapse.environment = config.networking.proxy.envVars;
services.matrix-sliding-sync = {
enable = true;
environmentFile = config.sops.secrets."syncv3/environment".path;
settings = {
SYNCV3_SERVER = "http://127.0.0.1:8100";
SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
};
};
systemd.services.matrix-sliding-sync.serviceConfig.RuntimeDirectory = ["matrix-sliding-sync"];
services.mastodon = {
enable = true;
localDomain = "ny4.dev";
streamingProcesses = 1;
# FIXME: this doesn't exist
smtp = {
createLocally = false;
fromAddress = "mastodon@ny4.dev";
};
extraConfig = rec {
SINGLE_USER_MODE = "true";
WEB_DOMAIN = "mastodon.ny4.dev";
# keycloak
OMNIAUTH_ONLY = "true";
OIDC_ENABLED = "true";
OIDC_CLIENT_ID = "mastodon";
# OIDC_CLIENT_SECRET # EnvironmentFile
OIDC_DISCOVERY = "true";
OIDC_DISPLAY_NAME = "id.ny4.dev";
OIDC_ISSUER = "https://id.ny4.dev/realms/master";
OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
OIDC_SCOPE = "openid,profile,email";
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
OIDC_UID_FIELD = "preferred_username";
};
};
systemd.services.mastodon-web = {
environment = config.networking.proxy.envVars;
serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path];
};
systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
}
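Review bot: The frp auth token on the `auth.token = "…"; # FIXME: secret!` line is a plaintext credential committed to the repository, and because it sits in a NixOS module it also lands in the world-readable Nix store on the host; the same literal is on the server side in the lightsail-tokyo `services.frp` block of this commit, so one fix covers both. This file already routes secrets through sops with `restartUnits`, so the token can live in secrets.yaml and reach frp via `systemd.services.frp.serviceConfig.EnvironmentFile = [config.sops.secrets."frp/environment".path];` (secret name illustrative) with the config line changed to `auth.token = "{{ .Envs.FRP_TOKEN }}";`, which frp expands from the service environment. The Nix-store exposure also applies to `initialScript`, where `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'` fixes a guessable database password; it is only reachable locally as configured here, but a generated value from the same secrets file would be the consistent choice. Once the token is removed from both hosts it should be rotated, since the current value is already in git history.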


@ -7,7 +7,6 @@
inputs.nixpkgs.nixosModules.notDetected
inputs.nixos-hardware.nixosModules.apple-macbook-pro
inputs.nixos-hardware.nixosModules.common-cpu-intel
inputs.nixos-hardware.nixosModules.common-gpu-intel
#inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
inputs.nixos-hardware.nixosModules.common-hidpi
inputs.nixos-hardware.nixosModules.common-pc-laptop


@ -0,0 +1,36 @@
synapse:
secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
oidc: ENC[AES256_GCM,data:vGQcPcUfbv6II6buEMKELc1+xZ5XccpEeCy3vZx4fdk=,iv:ORok/FXZ9SA54zD1+OhyFnZAPhGpMpTetWYgge2QSwQ=,tag:7DxrruTbenUfI/V6hGYBaw==,type:str]
syncv3:
environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
mastodon:
environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdjRrUkJXd3Z2VlhRRDEz
YS9DZVlQYmNXeW9qQWtZZlUrZHQrSXFJYWtRCk54Z3NEck51dTR3ZDh3SnEwNXhu
ZEI4S1ZEQklDd0ZwTWJwdHNEVlFERWsKLS0tIGRSVjVGR3daR0k2dVVHUmVwMHlL
dWtkdkQvMjZqbHp0STA3cnZPYkIzOWMKNGH8hQI4oKrjCAEE5onH9sa2AhdjeUsl
PSd1/z0ka0Y2wlPGuGOqIXYg8O1WqFxn/uS6O2YZSpAtw7JulOs8aQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMHRrOGJ6RkxrZndoZkEy
V1NtbEw0SExiaWE1bGtPYXROSFVZNmVTR0RVCkM0OHhxMzhvUzVUMThTc3VyZUFq
c3FyVUNpM09WUURnSzY4dW4zS0U3T0EKLS0tIFJQL3BlY1N1bkorYlVqRkVaUmdi
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-21T10:09:01Z"
mac: ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -12,11 +12,11 @@
# https://infosec.mozilla.org/guidelines/web_security
# https://caddyserver.com/docs/caddyfile/directives/header#examples
Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
Permissions-Policy interest-Hpcohort=()
Strict-Transport-Security max-age=31536000;
X-Content-Type-Options nosniff
X-Frame-Options DENY
?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
?Permissions-Policy interest-Hpcohort=()
?Strict-Transport-Security max-age=31536000;
?X-Content-Type-Options nosniff
?X-Frame-Options DENY
}
}
@ -45,7 +45,19 @@ www.ny4.dev {
ny4.dev {
import default
respond "Hello, world!"
# Synapse
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/matrix/* {
file_server * {
root /var/www/matrix
}
}
# Mastodon
header /.well-known/webfinger Access-Control-Allow-Origin *
redir /.well-known/webfinger https://mastodon.ny4.dev{uri} permanent
}
searx.ny4.dev {
@ -65,5 +77,61 @@ uptime.ny4.dev {
ntfy.ny4.dev {
import default
reverse_proxy localhost:8400
reverse_proxy unix//run/ntfy-sh/ntfy.sock
}
pixiv.ny4.dev {
import default
basicauth {
Guanran928 $2a$14$aI977hGZCX6H9IiyG7avdOFxXFGtlt7DcIahTkInPhEx9Sfhk7bri
}
reverse_proxy unix//run/pixivfe/pixiv.sock
}
matrix.ny4.dev {
import default
reverse_proxy /_matrix/* localhost:8600
reverse_proxy /_synapse/client/* localhost:8600
reverse_proxy /health localhost:8600
}
syncv3.ny4.dev {
import default
reverse_proxy localhost:8700
}
id.ny4.dev {
import default
reverse_proxy localhost:8800
}
element.ny4.dev {
import default
root * @element@
file_server
}
mastodon.ny4.dev {
import default
handle_path /system/* {
reverse_proxy localhost:9100
}
handle /api/v1/streaming/* {
reverse_proxy localhost:9000
}
route * {
file_server * {
root @mastodon@/public
pass_thru
}
reverse_proxy * localhost:8900
}
handle_errors {
root * @mastodon@/public
rewrite 500.html
file_server
}
}
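Review bot: `Permissions-Policy interest-Hpcohort=()` (in both the old line and the new `?`-prefixed one) is not a recognised Permissions-Policy directive, so the header has no effect; unless this is a rendering artifact of the page, the intended value is `?Permissions-Policy interest-cohort=()`. The switch to the `?` prefix makes these headers defaults that an upstream response may override, which is presumably what lets the proxied applications ship their own `Content-Security-Policy`, but it also means a backend that emits a weaker policy now wins — a one-line comment above the block such as `# '?' = set only if the upstream response did not already set the header` would keep the next editor from "fixing" it back. The `basicauth` entry for pixiv.ny4.dev commits a bcrypt hash rather than a password, which is the right form; if it should stay out of the repo anyway, the `pkgs.substituteAll` mechanism this commit already uses for `@element@` can inject it.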


@ -7,6 +7,8 @@
"cargo-bootstrap"
"rustc-bootstrap"
"rustc-bootstrap-wrapper"
"keycloak"
"temurin-bin"
];
allowUnfree = false;


@ -17,16 +17,32 @@
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
system.stateVersion = "23.11";
swapDevices = [
{
device = "/var/lib/swapfile";
size = 4 * 1024; # 4 GiB
}
];
# WORKAROUND:
systemd.services."print-host-key".enable = false;
### Secrets
sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
"hysteria/auth".restartUnits = ["hysteria.service"];
"searx/environment".restartUnits = ["searx.service"];
sops = {
secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
"hysteria/auth" = {
restartUnits = ["hysteria.service"];
};
"pixivfe/environment" = {
restartUnits = ["pixivfe.service"];
};
"searx/environment" = {
restartUnits = ["searx.service"];
};
};
sops.templates."hysteria.yaml".content = ''
templates = {
"hysteria.yaml".content = ''
tls:
cert: /run/credentials/hysteria.service/cert
key: /run/credentials/hysteria.service/key
@ -38,20 +54,47 @@
${config.sops.placeholder."hysteria/auth"}
'';
};
};
### Services
networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy
networking.firewall.allowedTCPPorts = [80 443]; # caddy
networking.firewall.allowedUDPPorts = [
# hysteria
443
];
networking.firewall.allowedTCPPorts = [
# caddy
80
443
# frp
7000
];
systemd.tmpfiles.settings = {
"10-www" = {
"/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
"/var/www/matrix/client".C.argument = toString ./matrix-client.json;
"/var/www/matrix/server".C.argument = toString ./matrix-server.json;
};
};
services.caddy = {
enable = true;
configFile = ./Caddyfile;
configFile = pkgs.substituteAll {
src = ./Caddyfile;
"element" = pkgs.element-web.override {
conf.default_server_config."m.homeserver" = let
inherit (config.services.matrix-synapse) settings;
in {
base_url = "https://matrix.ny4.dev";
inherit (settings) server_name;
};
};
"mastodon" = pkgs.mastodon;
};
};
services.hysteria = {
@ -64,11 +107,21 @@
];
};
services.frp = {
enable = true;
role = "server";
settings = {
bindPort = 7000;
auth.method = "token";
auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE";
};
};
# `journalctl -u murmur.service | grep Password`
services.murmur = {
enable = true;
openFirewall = true;
bandwidth = 128000;
bandwidth = 256 * 1024; # 256 Kbit/s
};
services.searx = {
@ -99,10 +152,45 @@
enable = true;
settings = {
base-url = "https://ntfy.ny4.dev";
listen-http = "127.0.0.1:8400";
listen-http = "";
listen-unix = "/run/ntfy-sh/ntfy.sock";
listen-unix-mode = 511; # 0777
behind-proxy = true;
};
};
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
services.pixivfe = {
enable = true;
EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
settings = {
PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
};
};
systemd.services.pixivfe.serviceConfig = {
RuntimeDirectory = ["pixivfe"];
ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
${pkgs.coreutils}/bin/sleep 5
${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
'';
};
services.keycloak = {
enable = true;
settings = {
http-host = "127.0.0.1";
http-port = 8800;
proxy = "edge";
hostname-strict-backchannel = true;
hostname = "id.ny4.dev";
cache = "local";
};
database.passwordFile = toString (pkgs.writeText "password" "keycloak");
};
### Prevents me from bankrupt
# https://fmk.im/p/shutdown-aws/
services.vnstat.enable = true;
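Review bot: `database.passwordFile = toString (pkgs.writeText "password" "keycloak")` stores the Keycloak database password in the world-readable Nix store, and the value is a guessable default; this file already manages `"pixivfe/environment"` and `"searx/environment"` through `sops.secrets`, so `database.passwordFile` should point at a sops secret path with its owner set to the Keycloak service user. In the same section, the pixivfe `ExecStartPost` runs `chmod 777 /run/pixivfe/pixiv.sock` after a fixed `sleep 5`, and ntfy is given `listen-unix-mode = 511; # 0777`: both make the sockets connectable by any local account, and the sleep is a race if the socket appears later than five seconds — a group shared with the proxy user (`SupplementaryGroups`, as the blacksteel side of this commit does for frp) avoids both. The `auth.token` literal in `services.frp` here is the same plaintext token as on blacksteel and is covered by the note there; since 7000 is added to `allowedTCPPorts`, that token is the only thing gating the frp server.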


@ -0,0 +1,8 @@
{
"m.homeserver": {
"base_url": "https://matrix.ny4.dev"
},
"org.matrix.msc3575.proxy": {
"url": "https://syncv3.ny4.dev"
}
}


@ -0,0 +1,3 @@
{
"m.server": "matrix.ny4.dev:443"
}


@ -1,33 +1,33 @@
User-agent: GPTBot
Disallow: /
User-agent: ChatGPT-User
Disallow: /
User-agent: Google-Extended
User-agent: Amazonbot
Disallow: /
User-agent: CCBot
Disallow: /
User-agent: Amazonbot
Disallow: /
User-agent: FacebookBot
Disallow: /
User-agent: anthopic-ai
User-agent: ChatGPT-User
Disallow: /
User-agent: Claude-Web
Disallow: /
User-agent: cohere-ai
User-agent: FacebookBot
Disallow: /
User-agent: GPTBot
Disallow: /
User-agent: Google-Extended
Disallow: /
User-agent: Omgilibot
Disallow: /
User-agent: anthopic-ai
Disallow: /
User-agent: cohere-ai
Disallow: /
User-Agent: *
Disallow: /harming/humans
Disallow: /ignoring/human/orders
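Review bot: `User-agent: anthopic-ai` is misspelled in both the old and the new ordering, so that rule never matches the crawler it is meant for; the documented token is `anthropic-ai`. The rest of the hunk is a reorder and needs no change.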


@ -2,6 +2,8 @@ hysteria:
auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
searx:
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
pixivfe:
environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
sops:
kms: []
gcp_kms: []
@ -26,8 +28,8 @@ sops:
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-01T11:58:36Z"
mac: ENC[AES256_GCM,data:dC1Q+u26euRWBsbduJC9bI79wZ0HG278Zgiijw65FAaSV6cemtwEul9PYBAOyz81MVSJCS2L7IkV6oUJWRr+nCbMMR19llWFsQNryC4TmthVXpfPkA5KeOHNR0Cz9acaQGdST+4zARYk/8VKYWO+2dX0V/BUN22C1FBu67w21H4=,iv:9CYnuGfW0Ax/rvqRXv+t9DJYF8KmWzeHjI+L6xnhf10=,tag:SQwukFLU9zzOkDGXTbOF4A==,type:str]
lastmodified: "2024-05-15T07:19:59Z"
mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -6,15 +6,10 @@
outputs = inputs: {
packages.x86_64-linux.default = inputs.self.robotnixConfigurations."socrates".img;
# FIXME: it doesn't build
# hardware/qcom-caf/sm8550/audio/pal/test/PalTest_main.c:56:32: error: unused parameter 'sig' [-Werror,-Wunused-parameter]
# static void sigint_handler(int sig)
# ^
# 1 error generated.
robotnixConfigurations."socrates" = inputs.robotnix.lib.robotnixSystem ({pkgs, ...}: {
device = "socrates";
flavor = "lineageos";
androidVersion = 13;
androidVersion = 14;
apps.chromium.enable = false;
webview.chromium.enable = false;
@ -22,32 +17,32 @@
ccache.enable = true;
source.dirs."device/xiaomi/socrates".src = pkgs.fetchFromGitHub {
owner = "kmiit";
owner = "danielml3";
repo = "android_device_xiaomi_socrates";
rev = "6548361fe50743d6fe752f5848f63f9965d12d23";
hash = "sha256-traXLuq74MTfUStOqyX3QBBbYAQEtXWTP9PpBjVfK/o=";
rev = "8b48a7a18b8db76d7122ca6e1b5bde8765d16665"; # lineage-21
hash = "sha256-pQIbxpZhaxc7nI8Pl8sjG3kmvD3ComFDowjcKb9eZRo=";
};
source.dirs."device/xiaomi/socrates".patches = [./disable-gapps.patch];
source.dirs."device/xiaomi/socrates-kernel".src = pkgs.fetchFromGitHub {
owner = "xiaomi-socrates";
repo = "android_device_xiaomi_socrates-kernel";
rev = "f13d073698b678442a694b2b2e3eecc997bb5227";
hash = "sha256-Ln7rhdJNbj8imUUaitnUhXMj36Wjuf5IB8UmD6Y1o4c";
owner = "danielml3";
repo = "android_device_xiaomi_socrates";
rev = "60cd3aebf59cdf96366e8e4a8a1e2887f7d4d063"; # lineage-21-kernel
hash = "sha256-i5QtxvApvGk24WeH6i6nC6jhS2jL2BolRUr/M02y6lc=";
};
source.dirs."hardware/xiaomi".src = pkgs.fetchFromGitHub {
owner = "cupid-development";
owner = "LineageOS";
repo = "android_hardware_xiaomi";
rev = "b5167f21ba268a029461bded3f12205e5600b9f0";
hash = "sha256-69nyWSjFrTjVsZdX92NZ5lv1H14mtC9dGepaD+nwvhY=";
rev = "4453055456bb452830144d9526342b032289495e"; # lineage-21
hash = "sha256-kQoHGKsa5L+usIChTMm63P85N8ZGofcllE4Hybf7itA=";
};
# TODO:
source.dirs."vendor/xiaomi/socrates".src = pkgs.fetchFromGitHub {
owner = "kmiit";
repo = "android_vendor_xiaomi_socrates";
rev = "8808c2f06a7645eaccb4992193f24c188b908418";
hash = "sha256-jPZxWtTpj5a+EoIVmkU4L0dQD4926HyeM6BE2/1swDw=";
rev = "";
hash = "";
};
});
};
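Review bot: `rev = ""; hash = "";` on the `vendor/xiaomi/socrates` fetchFromGitHub leaves the vendor tree unfetchable, so `packages.x86_64-linux.default` cannot build until a pinned revision replaces the empty strings; the bare `# TODO:` above it should say which branch is expected, as the other trees in this hunk do with `# lineage-21`. The kernel tree now points at repo `android_device_xiaomi_socrates` rather than a `-kernel` repository; the `# lineage-21-kernel` comment suggests that is a branch of the same repo, but it is worth confirming it is not a paste error. Suggest `# TODO: pin a lineage-21 vendor tree; the empty rev/hash fail at fetch time` in place of `# TODO:`.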


@ -11,5 +11,7 @@
# nixpkgs styled options
./services/hysteria.nix
./services/pixivfe.nix
./services/rathole.nix
];
}


@ -0,0 +1,37 @@
{
lib,
buildGoModule,
fetchFromGitea,
makeBinaryWrapper,
}:
buildGoModule rec {
pname = "pixivfe";
version = "2.5.1";
src = fetchFromGitea {
domain = "codeberg.org";
owner = "VnPower";
repo = "PixivFE";
rev = "v${version}";
hash = "sha256-G2pSPpemMFAbQ9QkI4XAHobv+Em9ZoDUJiO/cwEy4Tc=";
};
vendorHash = "sha256-QapDR964Tn+RxXdkGqCQXacdmlSapF841Y84n4d/6VI=";
nativeBuildInputs = [makeBinaryWrapper];
# PixivFE require files from source code
postInstall = ''
wrapProgram $out/bin/pixivfe \
--chdir ${src}
'';
meta = {
description = "A privacy respecting frontend for Pixiv";
homepage = "https://codeberg.org/VnPower/PixivFE";
license = lib.licenses.agpl3Only;
mainProgram = "pixivfe";
maintainers = with lib.maintainers; [Guanran928];
platforms = lib.platforms.linux;
};
}


@ -0,0 +1,130 @@
{
pkgs,
config,
lib,
...
}: let
cfg = config.services.pixivfe;
in {
options.services.pixivfe = {
enable = lib.mkEnableOption "PixivFE, a privacy respecting frontend for Pixiv";
# package = lib.mkPackageOption pkgs "pixivfe" {};
package = lib.mkOption {
default = pkgs.callPackage ./pixivfe-pkg.nix {};
};
openFirewall = lib.mkEnableOption "open ports in the firewall needed for the daemon to function";
settings = lib.mkOption {
type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
default = null;
example = lib.literalExpression ''
{
PIXIVFE_PORT = "8282";
PIXIVFE_TOKEN = "123456_AaBbccDDeeFFggHHIiJjkkllmMnnooPP";
};
'';
description = ''
Additional configuration for PixivFE, see
<https://pixivfe.pages.dev/environment-variables/> for supported values.
For secrets use `EnvironmentFile` option instead.
'';
};
EnvironmentFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = lib.literalExpression ''
/run/secrets/environment
'';
description = ''
File containing environment variables to be passed to the PixivFE service.
See `systemd.exec(5)` for more information.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion =
if cfg.openFirewall
then (cfg.settings ? PIXIVFE_PORT)
else true;
message = ''
PIXIVFE_PORT must be specified for NixOS to open a port.
See https://pixivfe.pages.dev/environment-variables/ for more information.
'';
}
{
assertion =
if (cfg.EnvironmentFile == null)
then (cfg.settings ? PIXIVFE_UNIXSOCKET) || (cfg.settings ? PIXIVFE_PORT)
else true;
message = ''
PIXIVFE_PORT or PIXIVFE_UNIXSOCKET must be set for PixivFE to run.
See https://pixivfe.pages.dev/environment-variables/ for more information.
'';
}
{
assertion =
if (cfg.EnvironmentFile == null)
then cfg.settings ? PIXIVFE_TOKEN
else true;
message = ''
PIXIVFE_TOKEN must be set for PixivFE to run.
See https://pixivfe.pages.dev/environment-variables/ for more information.
'';
}
];
systemd.services."pixivfe" = {
description = "PixivFE, a privacy respecting frontend for Pixiv.";
documentation = ["https://pixivfe.pages.dev/"];
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = ["network-online.target"];
environment = lib.mkIf (cfg.settings != null) (lib.mapAttrs (_: v:
if lib.isBool v
then lib.boolToString v
else toString v)
cfg.settings);
serviceConfig = {
inherit (cfg) EnvironmentFile;
ExecStart = lib.getExe cfg.package;
DynamicUser = true;
### Hardening
AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; # For ports <= 1024
CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
NoNewPrivileges = true;
PrivateMounts = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
UMask = "0077";
};
};
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [cfg.settings.PIXIVFE_PORT];
};
};
}
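Review bot: `allowedTCPPorts = [cfg.settings.PIXIVFE_PORT]` on line 1333 will fail the `port` type check whenever the port is given as a string, which is exactly what the option's own example does (`PIXIVFE_PORT = "8282"` on line 1238); either document that the value must be an integer or convert it, `allowedTCPPorts = [(lib.toInt (toString cfg.settings.PIXIVFE_PORT))];`. The same example also places `PIXIVFE_TOKEN` in `settings`, which the description a few lines below tells users not to do because `settings` is rendered into the unit's `environment` and so ends up in the generated, world-readable unit file; drop the token from the example or move it to the `EnvironmentFile` example. `package` on line 1229 has neither `type` nor `description`, and the commented-out `mkPackageOption` above it suggests the intent was the standard helper with a local default, so at least `type = lib.types.package;` should be set. The hardening comment `# For ports <= 1024` is off by one: the privileged range is ports below 1024.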


@ -0,0 +1,50 @@
{
pkgs,
config,
lib,
...
}: let
cfg = config.services.rathole;
in {
options.services.rathole = {
enable = lib.mkEnableOption "Rathole, a lightweight and high-performance reverse proxy for NAT traversal";
package = lib.mkPackageOption pkgs "rathole" {};
configFile = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.path;
description = "Configuration file to use.";
};
credentials = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
example = lib.literalExpression ''
[
"cert:/tmp/certificate.crt"
"key:/tmp/private-key.key"
];
'';
description = ''
Extra credentials loaded by systemd, you can access them by `/run/credentials/rathole.service/foobar`.
See `systemd.exec(5)` for more information.
'';
};
};
config = lib.mkIf cfg.enable {
systemd.services.rathole = {
description = "Rathole daemon, a lightweight and high-performance reverse proxy for NAT traversal.";
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = ["network-online.target"];
serviceConfig = {
ExecStart = "${lib.getExe cfg.package} $\{CREDENTIALS_DIRECTORY}/rathole.toml";
LoadCredential = ["rathole.toml:${cfg.configFile}"] ++ cfg.credentials;
DynamicUser = true;
};
};
};
}
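Review bot: `LoadCredential = ["rathole.toml:${cfg.configFile}"]` on line 1380 interpolates `configFile`, whose default is `null` (line 1353), so enabling the service without setting it fails at evaluation with a coercion error instead of a readable message; add `assertions = [{ assertion = cfg.configFile != null; message = "services.rathole.configFile must be set when services.rathole.enable is true."; }];` inside the `config` block. Because the option is typed `path`, a Nix path literal such as `./rathole.toml` is copied into the world-readable store before systemd ever loads it, which defeats the purpose of routing the file through `LoadCredential`; the description should tell users to pass an absolute string path (a `/run/secrets/...` location or similar) when the file carries tokens. `$\{CREDENTIALS_DIRECTORY}` on line 1379 does evaluate to the intended literal, but the conventional escape is `\${CREDENTIALS_DIRECTORY}` (or systemd's `%d` specifier), which reads less like a typo.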


@ -5,22 +5,24 @@
pkgs,
...
}: {
imports = [
imports =
[
./hardening
./networking
./nix
# Flake modules
inputs.disko.nixosModules.disko
inputs.home-manager.nixosModules.home-manager
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.nix-gaming.nixosModules.pipewireLowLatency
inputs.nur.nixosModules.nur
inputs.self.nixosModules.default
inputs.sops-nix.nixosModules.sops
inputs.nixos-sensible.nixosModules.default
];
]
++ (with inputs; [
aagl.nixosModules.default
disko.nixosModules.disko
home-manager.nixosModules.home-manager
impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote
nix-gaming.nixosModules.pipewireLowLatency
nixos-sensible.nixosModules.default
nur.nixosModules.nur
self.nixosModules.default
sops-nix.nixosModules.sops
]);
nixpkgs.overlays = [
inputs.self.overlays.patches


@ -52,6 +52,7 @@
default = "gtk";
"org.freedesktop.impl.portal.ScreenCast" = "wlr";
"org.freedesktop.impl.portal.Screenshot" = "wlr";
"org.freedesktop.impl.portal.Inhibit" = "none";
};
};
};
@ -70,7 +71,7 @@
package = pkgs.valent;
};
};
services.xserver.libinput = {
services.libinput = {
touchpad = {
accelProfile = "flat";
naturalScrolling = true;


@ -30,8 +30,8 @@
};
theme = {
name = "adw-gtk3-dark";
package = pkgs.adw-gtk3;
name = "Adwaita-dark";
package = pkgs.gnome-themes-extra;
};
};


@ -18,6 +18,23 @@ in {
url = "https://i.pximg.net/img-original/img/2023/03/29/01/29/52/106654974_p0.jpg"; # https://www.pixiv.net/en/artworks/106654974
hash = "sha256-mB/D46JCddOlMUtFQu7R0OtRMIoApbT1nnRv0VyzEb8=";
};
"backgrounds/genshin1.jpg".source = pkgs.fetchurl {
inherit curlOptsList;
url = "https://i.pximg.net/img-original/img/2022/09/29/00/00/15/101553430_p0.jpg"; # https://www.pixiv.net/artworks/101553430
hash = "sha256-VMUxBExuA5LDNQVeBBf4btyWsETN0B7pr0bTrBiJHaI=";
};
"backgrounds/genshin2.jpg".source = pkgs.fetchurl {
url = "https://imglf3.lf127.net/img/7196a1c5f06b5e38/T0FlK2VJTUI4Q1ZGbkhrc0ZWMlpiT3RJU1RQOXdJcGhrS3ZMOTBKdmR3OD0.jpeg"; # https://57friend.lofter.com/post/1d7a55da_2b5bc7172
hash = "sha256-jO8S+WNWfel74+CtMbfd9F78CuyXFK5ka72Br9b10P4=";
};
"backgrounds/genshin3.jpg".source = pkgs.fetchurl {
inherit curlOptsList;
url = "https://i.pximg.net/img-original/img/2022/06/21/20/00/28/99170653_p0.jpg"; # https://www.pixiv.net/artworks/99170653
hash = "sha256-7DmmJRZyJKU06j89X3x5NlOElFhdilIhzQMs3ynZKh4=";
};
"backgrounds/summer.jpg".source = let
image = pkgs.fetchurl {
inherit curlOptsList;
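Review bot: The `genshin2.jpg` entry on lines 1469-1472 omits `inherit curlOptsList;` while the two neighbouring new entries carry it; if that is deliberate because the lofter host does not need whatever options the pximg fetches require, a one-line comment such as `# not a pximg URL: the pixiv curl options are not needed here` would keep the next reader from "fixing" it, and if it is an oversight the fetch may fail or differ from the others. The enclosing attribute set starts before this hunk and continues after it.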


@ -3,7 +3,7 @@
prev.gnome
// {
# https://aur.archlinux.org/pkgbase/nautilus-typeahead
nautilus = prev.gnome.nautilus.overrideAttrs (old: {
nautilus = prev.gnome.nautilus.overrideAttrs {
src = prev.fetchFromGitLab {
domain = "gitlab.gnome.org";
owner = "albertvaka";
@ -16,6 +16,6 @@
postPatch = ''
awk -i inplace '/type-ahead-search/{c++;} c==1 && /true/{sub("true", "false"); c++;} 1' data/org.gnome.nautilus.gschema.xml
'';
});
};
};
}