From 61ebc16a439e9741229b3c7a89977083260709e2 Mon Sep 17 00:00:00 2001 From: Guanran Wang Date: Fri, 3 May 2024 07:43:48 +0800 Subject: [PATCH] lightsail-tokyo: add domain and bunch of services --- .sops.yaml | 1 + flake.nix | 2 +- hosts/aristotle/default.nix | 6 +- hosts/lightsail-tokyo/default.nix | 132 +++++++++++++++++++++++++---- hosts/lightsail-tokyo/secrets.yaml | 27 ++++-- secrets.yaml | 6 +- 6 files changed, 144 insertions(+), 30 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 696eb67..4c59d5f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,6 +11,7 @@ creation_rules: - path_regex: hosts/lightsail-tokyo/secrets.yaml$ key_groups: - age: + - *guanranwang - *lightsail-tokyo - path_regex: secrets.yaml$ key_groups: diff --git a/flake.nix b/flake.nix index 79ced40..10465ae 100755 --- a/flake.nix +++ b/flake.nix @@ -221,7 +221,7 @@ "lightsail-tokyo" = { imports = [./hosts/lightsail-tokyo]; - deployment.targetHost = "18.177.132.61"; + deployment.targetHost = "ny4.dev"; }; }; }); diff --git a/hosts/aristotle/default.nix b/hosts/aristotle/default.nix index 959acfd..997b47b 100644 --- a/hosts/aristotle/default.nix +++ b/hosts/aristotle/default.nix @@ -1,4 +1,8 @@ -{pkgs, inputs, ...}: { +{ + pkgs, + inputs, + ... +}: { imports = [ # OS ../../nixos/profiles/laptop diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix index 310c9aa..ef1ab75 100644 --- a/hosts/lightsail-tokyo/default.nix +++ b/hosts/lightsail-tokyo/default.nix @@ -3,6 +3,7 @@ lib, config, inputs, + pkgs, ... }: { imports = [ 
@@ -16,16 +17,13 @@ boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; system.stateVersion = "23.11"; - ### Services - sops.secrets = builtins.mapAttrs (_name: value: - value - // { - sopsFile = ./secrets.yaml; - restartUnits = ["hysteria.service"]; - }) { - "hysteria/certificate" = {}; - "hysteria/private-key" = {}; - "hysteria/auth" = {}; + # WORKAROUND: + systemd.services."print-host-key".enable = false; + + ### Secrets + sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) { + "hysteria/auth".restartUnits = ["hysteria.service"]; + "searx/environment".restartUnits = ["searx.service"]; }; sops.templates."hysteria.yaml".content = '' 
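Review bot: The `# WORKAROUND:` comment above `systemd.services."print-host-key".enable = false;` gives no reason, so the next reader cannot tell what fails with the unit enabled or when it is safe to re-enable it; write the reason and a reference into the comment, e.g. `# WORKAROUND: print-host-key fails on this host (<describe failure / issue URL>); remove once fixed upstream`. The `sops.secrets` rewrite drops `hysteria/certificate` and `hysteria/private-key`, which matches the secrets.yaml change in this commit, so nothing else in the hunk needs a change. The enclosing attribute set opens and closes outside this hunk.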
@@ -36,21 +34,123 @@ masquerade: type: proxy proxy: - url: https://news.ycombinator.com/ - rewriteHost: true + url: http://localhost/ ${config.sops.placeholder."hysteria/auth"} ''; - networking.firewall.allowedUDPPorts = [80 443]; - networking.firewall.allowedTCPPorts = [80 443]; + ### Services + networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy + networking.firewall.allowedTCPPorts = [80 443]; # caddy + + services.caddy = { + enable = true; + configFile = pkgs.writeText "Caddyfile" '' + { + # Disables HTTP/3 for Hysteria + # https://github.com/apernet/hysteria/issues/768 + servers :443 { + protocols h1 h2 h2c + } + } + + www.ny4.dev { + redir https://ny4.dev + } + + ny4.dev { + encode zstd gzip + respond "Hello, world!" + } + + searx.ny4.dev { + encode zstd gzip + reverse_proxy localhost:8100 + } + + pb.ny4.dev { + encode zstd gzip + reverse_proxy localhost:8200 + } + + uptime.ny4.dev { + encode zstd gzip + reverse_proxy localhost:8300 + } + + ntfy.ny4.dev { + encode zstd gzip + reverse_proxy localhost:8400 + } + ''; + }; services.hysteria = { enable = true; configFile = config.sops.templates."hysteria.yaml".path; credentials = [ - "cert:${config.sops.secrets."hysteria/certificate".path}" - "key:${config.sops.secrets."hysteria/private-key".path}" + # FIXME: remove hardcoded path + "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ny4.dev/ny4.dev.crt" + "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ny4.dev/ny4.dev.key" ]; }; + + # `journalctl -u murmur.service | grep Password` + services.murmur = { + enable = true; + openFirewall = true; + bandwidth = 128000; + }; + + services.searx = { + enable = true; + package = pkgs.searxng; + environmentFile = config.sops.secrets."searx/environment".path; + settings = { + general.contact_url = "mailto:guanran928@outlook.com"; + search.autocomplete = "google"; + server = { + port = 8100; + secret_key = "@SEARX_SECRET@"; + }; 
+ }; + }; + + services.wastebin = { + enable = true; + settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200"; + }; + + services.uptime-kuma = { + enable = true; + settings.PORT = "8300"; + }; + + services.ntfy-sh = { + enable = true; + settings = { + base-url = "https://ntfy.ny4.dev"; + listen-http = "127.0.0.1:8400"; + }; + }; + + ### Prevents me from bankrupt + # https://fmk.im/p/shutdown-aws/ + services.vnstat.enable = true; + systemd.services."no-bankrupt" = { + serviceConfig.Type = "oneshot"; + path = with pkgs; [coreutils gawk vnstat systemd]; + script = '' + TRAFF_TOTAL=1900 + TRAFF_USED=$(vnstat --oneline b | awk -F ';' '{print $11}') + CHANGE_TO_GB=$(($TRAFF_USED / 1073741824)) + + if [ $CHANGE_TO_GB -gt $TRAFF_TOTAL ]; then + shutdown -h now + fi + ''; + }; + systemd.timers."no-bankrupt" = { + timerConfig.OnCalendar = "*:0:0"; # Check every hour + }; } diff --git a/hosts/lightsail-tokyo/secrets.yaml b/hosts/lightsail-tokyo/secrets.yaml index bfa69b2..1839725 100644 --- a/hosts/lightsail-tokyo/secrets.yaml +++ b/hosts/lightsail-tokyo/secrets.yaml 
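Review bot: `systemd.timers."no-bankrupt"` sets only `timerConfig.OnCalendar` and has no `wantedBy = ["timers.target"];`, so on NixOS the timer unit is generated but never enabled or started, and the hourly quota check that is supposed to shut the host down before the bandwidth allowance is exceeded will never run; add `wantedBy = ["timers.target"];` next to `timerConfig.OnCalendar`. In the script, an empty `TRAFF_USED` (vnstat with no database yet, or an interface not yet tracked) makes `$(($TRAFF_USED / 1073741824))` a shell syntax error instead of a skipped check; `TRAFF_USED=${TRAFF_USED:-0}` before the division avoids that. Separately, the hysteria `credentials` entries marked FIXME point at Caddy's on-disk ACME files, and if `credentials` maps to systemd `LoadCredential` as the `cert:/path` form suggests, the files are copied at unit start, so after Caddy renews the certificate hysteria keeps serving the old one until restarted, and the path also changes if Caddy ever falls back to an issuer other than Let's Encrypt; at minimum order hysteria after caddy (`systemd.services.hysteria.after = ["caddy.service"];`) and arrange a restart on renewal. The enclosing attribute set opens outside this hunk.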
@@ -1,24 +1,33 @@ hysteria: - certificate: ENC[AES256_GCM,data:g1/uRZbhH+EJ5s/Zu3QRUT+cEyj5n+SAEUgdsqvoOF0nKGEjTE8NhCnvFy4kpB97VuOEfFrIPlgQ9cAnUC64t3oExmIz8DhVTrDgCS1PGKkbOSix8k2sDMA6/3KeTzG3R70kN2IyeSz5fQSUTnj3TjcufAs5H4JvTB/M/JoAgyUHpPTPWbgINwoSGtTgO845I/sv68sf66KE/nk7m1UcKzwXLNXDJB2lpGf3xd/X0TNJWMtopHN9VbUnFvBM22Lfl4yjb+C58IM7KApkPU8V1tZI6H2tCtZw5V1PqFVgwirQRB53NjKrTxnizaPbg0appVOxjZVQ95cV9STIj4uArudaXGv+E4bA92SNyUL12x22Y5/F8HvsWZ7xObZC0ABYdZd61+RHJ/Iy88ZS7egAq11lvtQnwuDuBUlDR25TF99YLebReon/bWaJZ9CEXJUCLaw0ibk4u0J6Lb/FuDHdlr1y37Py8KJZ3fD/7CMgzm0zbpMGdw2tl73CSONsSfaA3MNTLhIS81ON2/mMjP3XEYsznRKNum3hJIyKfzKOdCgqtcaGzYVeE7ApKSwR4PTO2pTzSe+72GI/ODfDkR+0Df1ex0gEtvVLDcgrRc+VyTsuDPA55mJtu9njwOx0DEAUWH2+dGw23/+p2HWnNbi1pUgzTWVyE9Hz1Dkmplrgj/bPgqBgYkae8u3ZRLucxRlIw7UysLhsp+HlP5HDE5nfnZpQDCbhh2zLgjsS6LRBzibopkpjrEE7IGfnsmAW0XXzBsS2iEV9f1pNGDgBa9vt,iv:933c5DHeoOmFf2mmEquIRLo8pST91qe7OO2RGV8c2Zo=,tag:9LiJrZryyR68wMKPIK5qkg==,type:str] - private-key: ENC[AES256_GCM,data:00lUMy2Is//XkYYRCnqvQG8xw3oFWr5ApG6ZGlkiiTgveC4uCETH8+KAsfU+AxLE1DBuN7EhLjd8Zh50vxldjB9yXZ5vU0ARgLC5RtuUVOx7BcltoWU2p+hms/PNiIKf1mgriHLun8UoyvkxAQKzQ8UN9eDvv0SdBTU9S6GhS3nkfdSHHOCzy6ekTZCjaLtMrMpelkZEWbkYW2kOd7spLmpagyEHhsTeggesxQo1zgQM7vmlN3l4bDrskoUcCsSCV9fkvaxYCuNfWYQjyfkQcl/OUMWPTVm2NFrXdhis1g9HyqRQy0vUQ1clJSfohSd5W5RZmeiGXqtWc+ep3KvVbBA/X5ybbPsdFtmgOIteIg2jygCW9blTWr2zLHAizmw58dzZt2eq6xfDetpDf6M=,iv:oZN+aj/cIGnUseIr1T6W+9WsRD54+5ifXQabtX6ZWTw=,tag:SdMEludXw9aMaBnvuev33w==,type:str] auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str] +searx: + environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str] sops: kms: [] 
gcp_kms: [] azure_kv: [] hc_vault: [] age: + - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3c05VWWV6RHVJckQ4R0VS + aWVCbHhjYTdwK0ZSMHc3am9MMTVoeTZ5SFdnCmtrWGc1QjBGWVJneVBqbi8rSzZj + RlBpY3dLVzFDbnFvNlZUS1B6ejdZQTgKLS0tIFpvRnR0K1FMcytpZTZ5UFhnNmR3 + eEhvYmk2SytiS1JVdlZZTFdPZEUrS1kKFbh4IBm6yekqsQgivyQVFgOcsmGdlV5H + fCbsVtNwTS5xvd9FXykSbiy5d6KElQTrUTAYOp+3p8A09dziJc1u2g== + -----END AGE ENCRYPTED FILE----- - recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdzMxRkVvMm1xbXByanUv - eXNKb2lLSi83ME1jajVVZ2x4dnV1SjBjeHlRCnVVVnFEK24zcTB1SnZ5WWYwRDlk - RHJSWlFqMklVU0hOYU1LeXl4THZRK00KLS0tIDEzTzhHUlhqWXRLSENMajJvM3Iw - b1lSK3l0U25BYW4wRmlIYzAweTZEK3cKk8sK1Wky0sRKKMrK5gnp7wWx7qu04Wpg - Bc5OPhqAZkNVOG0Mt2C2XynsDVOyzq4RcOZQGeI0xaJGFQ+wlZG37g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcU9JbVlTR2dUUEtaeXVp + NXJRVGJjdUtBaVdzNFNIa1h4Vk9adGRJSDFvClV1QTdCSUpETmxucmlwL0U2S3Yy + OU4zRjY2YkZXSDhHZjZ5bEJuU3Rsck0KLS0tIGVFZDVCdG1pdFFWUVhjSEpGUjE5 + R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3 + 3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-22T19:40:45Z" - mac: ENC[AES256_GCM,data:K3SkQQYgdpRBByNVPJVPLbAlwTD8U6knrdFvVm6rrMhWAsVN6zFvalDZTd9kLqC4pmd2eg6czarUK+IfnOvF4qqWeEO9QlBFfD8GDfdgRG28A1wb2aCNYAPMox6X1ZI5uo2QR7oODfS2u1r8tVtY6VSevusH7u16KwjR17IXA8I=,iv:PFtREBhYZJDDQjRBn3kG13hKBsN87jML01kjpdsWsTA=,tag:E1CBiUv0KrrdzZW6/TZk1Q==,type:str] + lastmodified: "2024-05-01T11:58:36Z" + mac: ENC[AES256_GCM,data:dC1Q+u26euRWBsbduJC9bI79wZ0HG278Zgiijw65FAaSV6cemtwEul9PYBAOyz81MVSJCS2L7IkV6oUJWRr+nCbMMR19llWFsQNryC4TmthVXpfPkA5KeOHNR0Cz9acaQGdST+4zARYk/8VKYWO+2dX0V/BUN22C1FBu67w21H4=,iv:9CYnuGfW0Ax/rvqRXv+t9DJYF8KmWzeHjI+L6xnhf10=,tag:SQwukFLU9zzOkDGXTbOF4A==,type:str] pgp: [] 
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/secrets.yaml b/secrets.yaml
index 0c7cdb3..230c821 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -6,7 +6,7 @@ wireless:
 clash:
 secret: ENC[AES256_GCM,data:eCq/pDlSOw==,iv:QGNKxqmkj9BWFBJGj/O4fUL8Ey8zGEHMsWX02DrM82U=,tag:z2vVCBSt6mw47ca2xoxg9A==,type:str]
 proxies:
- lightsail: ENC[AES256_GCM,data:aoZhIKOLZK6TK3dXWZBZ637OPgN+BBNu0AX0sGdOg4GZAf6H2MVMBST2/SBgdJ6w/bsF8+QFbyd/D9TctonJwxNyKguhfUR8bkRdtpkzKVBHe6Aem/5sSPybWjKNkewUE0rPqU5NwFKfDDngJgnQeulv5ulBcylLyCk30Y1E6Cah7R7NroD7rFFzId+VzQM4adUObcGT3XdtT78XPcS2uEOZUXKbhlB/9133rFI0glEBEm+K3WwN8ukHQ9wW5QkBP2paB4o6iAaDuBLlrQo3U7XLqN/5SBwhyxccEkq24qTxdH8iRpBoJ31Iv9XWSUWyNpzFpvu0ffBVHvCDPIij16BR79fXlzSt6fRob87Gud/DAru7Y7tUMd0=,iv:UQrYqosgI1RI83ZSF09YJXA52MHUpsjmARC4/fJwDxY=,tag:p239REW5qP/UzNjh0xVkzQ==,type:str]
+ lightsail: ENC[AES256_GCM,data:0lbXCE21o8FrQonV1AElDxGG+eTrFIabch/QnE0tZ5QoioDRstMs1oiXN/XQHJqQdHLY+blgyEyyBjJMc8rjRcGEgAy081xzlcD2VKDoXOBcnMgBNtMz1i8aG+DqfjadDWBt0v0KK2GgiZ9K+A8=,iv:wDo0S4XlFN6kRlApAIePYdJgGMwz/TJuxInZ8vGTUeQ=,tag:8oBxnC3qTQQ7ofGmNmi/Ew==,type:str]
 proxy-providers:
 flyairport: ENC[AES256_GCM,data:akHdU/2o8D65sG2b/mcj76HASwhg3WvoEcrpgkXPyh7kuc+Ci42hmmmmBk9I29vuvZjTtCTs8mMzaLK1wm8TS/K1A1zeAGULxSsqhpV4cA19Q4vAtQ2+FyuGiaFszuaHK6BSlZAosfmCGoM1nZRYuOnsdeR0vnHBIHhJFNhaLw==,iv:VeVT3cEaOO/90gcqpm2yOacThbEyaXuBRhp4buX/XOY=,tag:kojJbqwYk/DNFBcJMY2eXg==,type:str]
 efcloud: ENC[AES256_GCM,data:GvKNMscPknhlBy9Qp8iuYoxF10oX2ZIOKo+XKRH2NOGGDiMk/GwdGfA5+gf3ZcEEGFGw/8CrBddjJCivyxqwF+oAEHJyjdcFhGyyOopsx9s3waq8Hge/KzE=,iv:WXAd3yA5cTZp+ttKHXPf6cbsk6pRXq5/xMysNUAs1Rk=,tag:HygexRSW8ICa+RIFmrRKRQ==,type:str]
@@ -54,8 +54,8 @@ sops:
 SC9YMFk4dUNOUDJYMXErck8yTmJmZmcKp66bHZTD6VitAOfzIr8VJr02+R9f5mxH
 c5n2CWurDsZsNTKk7pgxQo78ySyAG3rzvOqgK0NFesyHy9dRl8xHCQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-22T20:38:52Z"
- mac: ENC[AES256_GCM,data:A+8o7hkJI43ufArv5baN7SkauWg3sh9rcTWJy/8h8tD7UPcK8NIvsggtcT2vWCsXQ+SywdCRQMXBwXuA5qSdXs5HJys+aY2BB1rylMScXLYFYA6KXTIeur8l592lU9TOwPp/RALpEQfg7eu2Ps2xdBEgeVbrnn040+3oTqA/Dpo=,iv:1ZRkJDr3Bbx2fRPmLFZAWi6g2QBO5ZEIiFuPgDueRLI=,tag:lkljJXaa7VoUSH6NKQKJ6Q==,type:str]
+ lastmodified: "2024-05-01T11:58:20Z"
+ mac: ENC[AES256_GCM,data:mlOkAorzLzSGFDhFlZ1Kx3AYWSeJGJbk8JFaidWIk1Bp5/4ttO4sFskfRl4SqXCcAcqvgGDhzit5x/i9cCzlrE004f0t4hsupxQOkZ8yZ5+8uT4Q4NFdPf+WPU6/LwG8qrv2i7qbjRb2bnTVKqzyjvrKjx2ZIScAlzWm87bAjuk=,iv:xshvSgZ1P+z6NwrrlouyO8lYL/4ohedKZmbkewS7w3k=,tag:AFBnvs55Ws8ShVFRie1Rew==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1