lightsail-tokyo: add domain and bunch of services

2024-05-03 07:43:48 +08:00 · 2024-05-03 07:43:48 +08:00 · 61ebc16a43
commit 61ebc16a43
parent 035afa11fe
6 changed files with 144 additions and 30 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -11,6 +11,7 @@ creation_rules:
  - path_regex: hosts/lightsail-tokyo/secrets.yaml$
    key_groups:
      - age:
+          - *guanranwang
          - *lightsail-tokyo
  - path_regex: secrets.yaml$
    key_groups:
--- a/flake.nix
+++ b/flake.nix
@ -221,7 +221,7 @@

        "lightsail-tokyo" = {
          imports = [./hosts/lightsail-tokyo];
-          deployment.targetHost = "18.177.132.61";
+          deployment.targetHost = "ny4.dev";
        };
      };
    });
--- a/hosts/aristotle/default.nix
+++ b/hosts/aristotle/default.nix
@ -1,4 +1,8 @@
-{pkgs, inputs, ...}: {
+{
+  pkgs,
+  inputs,
+  ...
+}: {
  imports = [
    # OS
    ../../nixos/profiles/laptop
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@ -3,6 +3,7 @@
  lib,
  config,
  inputs,
+  pkgs,
  ...
 }: {
  imports = [
@ -16,16 +17,13 @@
  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
  system.stateVersion = "23.11";

-  ### Services
-  sops.secrets = builtins.mapAttrs (_name: value:
-    value
-    // {
-      sopsFile = ./secrets.yaml;
-      restartUnits = ["hysteria.service"];
-    }) {
-    "hysteria/certificate" = {};
-    "hysteria/private-key" = {};
-    "hysteria/auth" = {};
+  # WORKAROUND:
+  systemd.services."print-host-key".enable = false;
+
+  ### Secrets
+  sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
+    "hysteria/auth".restartUnits = ["hysteria.service"];
+    "searx/environment".restartUnits = ["searx.service"];
  };

  sops.templates."hysteria.yaml".content = ''
@ -36,21 +34,123 @@
    masquerade:
      type: proxy
      proxy:
-        url: https://news.ycombinator.com/
-        rewriteHost: true
+        url: http://localhost/

    ${config.sops.placeholder."hysteria/auth"}
  '';

-  networking.firewall.allowedUDPPorts = [80 443];
-  networking.firewall.allowedTCPPorts = [80 443];
+  ### Services
+  networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy
+  networking.firewall.allowedTCPPorts = [80 443]; # caddy
+
+  services.caddy = {
+    enable = true;
+    configFile = pkgs.writeText "Caddyfile" ''
+      {
+        # Disables HTTP/3 for Hysteria
+        # https://github.com/apernet/hysteria/issues/768
+        servers :443 {
+          protocols h1 h2 h2c
+        }
+      }
+
+      www.ny4.dev {
+        redir https://ny4.dev
+      }
+
+      ny4.dev {
+        encode zstd gzip
+        respond "Hello, world!"
+      }
+
+      searx.ny4.dev {
+        encode zstd gzip
+        reverse_proxy localhost:8100
+      }
+
+      pb.ny4.dev {
+        encode zstd gzip
+        reverse_proxy localhost:8200
+      }
+
+      uptime.ny4.dev {
+        encode zstd gzip
+        reverse_proxy localhost:8300
+      }
+
+      ntfy.ny4.dev {
+        encode zstd gzip
+        reverse_proxy localhost:8400
+      }
+    '';
+  };

  services.hysteria = {
    enable = true;
    configFile = config.sops.templates."hysteria.yaml".path;
    credentials = [
-      "cert:${config.sops.secrets."hysteria/certificate".path}"
-      "key:${config.sops.secrets."hysteria/private-key".path}"
+      # FIXME: remove hardcoded path
+      "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ny4.dev/ny4.dev.crt"
+      "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ny4.dev/ny4.dev.key"
    ];
  };
+
+  # `journalctl -u murmur.service | grep Password`
+  services.murmur = {
+    enable = true;
+    openFirewall = true;
+    bandwidth = 128000;
+  };
+
+  services.searx = {
+    enable = true;
+    package = pkgs.searxng;
+    environmentFile = config.sops.secrets."searx/environment".path;
+    settings = {
+      general.contact_url = "mailto:guanran928@outlook.com";
+      search.autocomplete = "google";
+      server = {
+        port = 8100;
+        secret_key = "@SEARX_SECRET@";
+      };
+    };
+  };
+
+  services.wastebin = {
+    enable = true;
+    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
+  };
+
+  services.uptime-kuma = {
+    enable = true;
+    settings.PORT = "8300";
+  };
+
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      base-url = "https://ntfy.ny4.dev";
+      listen-http = "127.0.0.1:8400";
+    };
+  };
+
+  ### Prevents me from bankrupt
+  # https://fmk.im/p/shutdown-aws/
+  services.vnstat.enable = true;
+  systemd.services."no-bankrupt" = {
+    serviceConfig.Type = "oneshot";
+    path = with pkgs; [coreutils gawk vnstat systemd];
+    script = ''
+      TRAFF_TOTAL=1900
+      TRAFF_USED=$(vnstat --oneline b | awk -F ';' '{print $11}')
+      CHANGE_TO_GB=$(($TRAFF_USED / 1073741824))
+
+      if [ $CHANGE_TO_GB -gt $TRAFF_TOTAL ]; then
+          shutdown -h now
+      fi
+    '';
+  };
+  systemd.timers."no-bankrupt" = {
+    timerConfig.OnCalendar = "*:0:0"; # Check every hour
+  };
 }
--- a/hosts/lightsail-tokyo/secrets.yaml
+++ b/hosts/lightsail-tokyo/secrets.yaml
@ -1,24 +1,33 @@
 hysteria:
-    certificate: ENC[AES256_GCM,data:g1/uRZbhH+EJ5s/Zu3QRUT+cEyj5n+SAEUgdsqvoOF0nKGEjTE8NhCnvFy4kpB97VuOEfFrIPlgQ9cAnUC64t3oExmIz8DhVTrDgCS1PGKkbOSix8k2sDMA6/3KeTzG3R70kN2IyeSz5fQSUTnj3TjcufAs5H4JvTB/M/JoAgyUHpPTPWbgINwoSGtTgO845I/sv68sf66KE/nk7m1UcKzwXLNXDJB2lpGf3xd/X0TNJWMtopHN9VbUnFvBM22Lfl4yjb+C58IM7KApkPU8V1tZI6H2tCtZw5V1PqFVgwirQRB53NjKrTxnizaPbg0appVOxjZVQ95cV9STIj4uArudaXGv+E4bA92SNyUL12x22Y5/F8HvsWZ7xObZC0ABYdZd61+RHJ/Iy88ZS7egAq11lvtQnwuDuBUlDR25TF99YLebReon/bWaJZ9CEXJUCLaw0ibk4u0J6Lb/FuDHdlr1y37Py8KJZ3fD/7CMgzm0zbpMGdw2tl73CSONsSfaA3MNTLhIS81ON2/mMjP3XEYsznRKNum3hJIyKfzKOdCgqtcaGzYVeE7ApKSwR4PTO2pTzSe+72GI/ODfDkR+0Df1ex0gEtvVLDcgrRc+VyTsuDPA55mJtu9njwOx0DEAUWH2+dGw23/+p2HWnNbi1pUgzTWVyE9Hz1Dkmplrgj/bPgqBgYkae8u3ZRLucxRlIw7UysLhsp+HlP5HDE5nfnZpQDCbhh2zLgjsS6LRBzibopkpjrEE7IGfnsmAW0XXzBsS2iEV9f1pNGDgBa9vt,iv:933c5DHeoOmFf2mmEquIRLo8pST91qe7OO2RGV8c2Zo=,tag:9LiJrZryyR68wMKPIK5qkg==,type:str]
-    private-key: ENC[AES256_GCM,data:00lUMy2Is//XkYYRCnqvQG8xw3oFWr5ApG6ZGlkiiTgveC4uCETH8+KAsfU+AxLE1DBuN7EhLjd8Zh50vxldjB9yXZ5vU0ARgLC5RtuUVOx7BcltoWU2p+hms/PNiIKf1mgriHLun8UoyvkxAQKzQ8UN9eDvv0SdBTU9S6GhS3nkfdSHHOCzy6ekTZCjaLtMrMpelkZEWbkYW2kOd7spLmpagyEHhsTeggesxQo1zgQM7vmlN3l4bDrskoUcCsSCV9fkvaxYCuNfWYQjyfkQcl/OUMWPTVm2NFrXdhis1g9HyqRQy0vUQ1clJSfohSd5W5RZmeiGXqtWc+ep3KvVbBA/X5ybbPsdFtmgOIteIg2jygCW9blTWr2zLHAizmw58dzZt2eq6xfDetpDf6M=,iv:oZN+aj/cIGnUseIr1T6W+9WsRD54+5ifXQabtX6ZWTw=,tag:SdMEludXw9aMaBnvuev33w==,type:str]
    auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
+searx:
+    environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
+        - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3c05VWWV6RHVJckQ4R0VS
+            aWVCbHhjYTdwK0ZSMHc3am9MMTVoeTZ5SFdnCmtrWGc1QjBGWVJneVBqbi8rSzZj
+            RlBpY3dLVzFDbnFvNlZUS1B6ejdZQTgKLS0tIFpvRnR0K1FMcytpZTZ5UFhnNmR3
+            eEhvYmk2SytiS1JVdlZZTFdPZEUrS1kKFbh4IBm6yekqsQgivyQVFgOcsmGdlV5H
+            fCbsVtNwTS5xvd9FXykSbiy5d6KElQTrUTAYOp+3p8A09dziJc1u2g==
+            -----END AGE ENCRYPTED FILE-----
        - recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdzMxRkVvMm1xbXByanUv
-            eXNKb2lLSi83ME1jajVVZ2x4dnV1SjBjeHlRCnVVVnFEK24zcTB1SnZ5WWYwRDlk
-            RHJSWlFqMklVU0hOYU1LeXl4THZRK00KLS0tIDEzTzhHUlhqWXRLSENMajJvM3Iw
-            b1lSK3l0U25BYW4wRmlIYzAweTZEK3cKk8sK1Wky0sRKKMrK5gnp7wWx7qu04Wpg
-            Bc5OPhqAZkNVOG0Mt2C2XynsDVOyzq4RcOZQGeI0xaJGFQ+wlZG37g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcU9JbVlTR2dUUEtaeXVp
+            NXJRVGJjdUtBaVdzNFNIa1h4Vk9adGRJSDFvClV1QTdCSUpETmxucmlwL0U2S3Yy
+            OU4zRjY2YkZXSDhHZjZ5bEJuU3Rsck0KLS0tIGVFZDVCdG1pdFFWUVhjSEpGUjE5
+            R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
+            3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-22T19:40:45Z"
-    mac: ENC[AES256_GCM,data:K3SkQQYgdpRBByNVPJVPLbAlwTD8U6knrdFvVm6rrMhWAsVN6zFvalDZTd9kLqC4pmd2eg6czarUK+IfnOvF4qqWeEO9QlBFfD8GDfdgRG28A1wb2aCNYAPMox6X1ZI5uo2QR7oODfS2u1r8tVtY6VSevusH7u16KwjR17IXA8I=,iv:PFtREBhYZJDDQjRBn3kG13hKBsN87jML01kjpdsWsTA=,tag:E1CBiUv0KrrdzZW6/TZk1Q==,type:str]
+    lastmodified: "2024-05-01T11:58:36Z"
+    mac: ENC[AES256_GCM,data:dC1Q+u26euRWBsbduJC9bI79wZ0HG278Zgiijw65FAaSV6cemtwEul9PYBAOyz81MVSJCS2L7IkV6oUJWRr+nCbMMR19llWFsQNryC4TmthVXpfPkA5KeOHNR0Cz9acaQGdST+4zARYk/8VKYWO+2dX0V/BUN22C1FBu67w21H4=,iv:9CYnuGfW0Ax/rvqRXv+t9DJYF8KmWzeHjI+L6xnhf10=,tag:SQwukFLU9zzOkDGXTbOF4A==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/secrets.yaml
+++ b/secrets.yaml
@ -6,7 +6,7 @@ wireless:
 clash:
    secret: ENC[AES256_GCM,data:eCq/pDlSOw==,iv:QGNKxqmkj9BWFBJGj/O4fUL8Ey8zGEHMsWX02DrM82U=,tag:z2vVCBSt6mw47ca2xoxg9A==,type:str]
    proxies:
-        lightsail: ENC[AES256_GCM,data:aoZhIKOLZK6TK3dXWZBZ637OPgN+BBNu0AX0sGdOg4GZAf6H2MVMBST2/SBgdJ6w/bsF8+QFbyd/D9TctonJwxNyKguhfUR8bkRdtpkzKVBHe6Aem/5sSPybWjKNkewUE0rPqU5NwFKfDDngJgnQeulv5ulBcylLyCk30Y1E6Cah7R7NroD7rFFzId+VzQM4adUObcGT3XdtT78XPcS2uEOZUXKbhlB/9133rFI0glEBEm+K3WwN8ukHQ9wW5QkBP2paB4o6iAaDuBLlrQo3U7XLqN/5SBwhyxccEkq24qTxdH8iRpBoJ31Iv9XWSUWyNpzFpvu0ffBVHvCDPIij16BR79fXlzSt6fRob87Gud/DAru7Y7tUMd0=,iv:UQrYqosgI1RI83ZSF09YJXA52MHUpsjmARC4/fJwDxY=,tag:p239REW5qP/UzNjh0xVkzQ==,type:str]
+        lightsail: ENC[AES256_GCM,data:0lbXCE21o8FrQonV1AElDxGG+eTrFIabch/QnE0tZ5QoioDRstMs1oiXN/XQHJqQdHLY+blgyEyyBjJMc8rjRcGEgAy081xzlcD2VKDoXOBcnMgBNtMz1i8aG+DqfjadDWBt0v0KK2GgiZ9K+A8=,iv:wDo0S4XlFN6kRlApAIePYdJgGMwz/TJuxInZ8vGTUeQ=,tag:8oBxnC3qTQQ7ofGmNmi/Ew==,type:str]
    proxy-providers:
        flyairport: ENC[AES256_GCM,data:akHdU/2o8D65sG2b/mcj76HASwhg3WvoEcrpgkXPyh7kuc+Ci42hmmmmBk9I29vuvZjTtCTs8mMzaLK1wm8TS/K1A1zeAGULxSsqhpV4cA19Q4vAtQ2+FyuGiaFszuaHK6BSlZAosfmCGoM1nZRYuOnsdeR0vnHBIHhJFNhaLw==,iv:VeVT3cEaOO/90gcqpm2yOacThbEyaXuBRhp4buX/XOY=,tag:kojJbqwYk/DNFBcJMY2eXg==,type:str]
        efcloud: ENC[AES256_GCM,data:GvKNMscPknhlBy9Qp8iuYoxF10oX2ZIOKo+XKRH2NOGGDiMk/GwdGfA5+gf3ZcEEGFGw/8CrBddjJCivyxqwF+oAEHJyjdcFhGyyOopsx9s3waq8Hge/KzE=,iv:WXAd3yA5cTZp+ttKHXPf6cbsk6pRXq5/xMysNUAs1Rk=,tag:HygexRSW8ICa+RIFmrRKRQ==,type:str]
@ -54,8 +54,8 @@ sops:
            SC9YMFk4dUNOUDJYMXErck8yTmJmZmcKp66bHZTD6VitAOfzIr8VJr02+R9f5mxH
            c5n2CWurDsZsNTKk7pgxQo78ySyAG3rzvOqgK0NFesyHy9dRl8xHCQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-22T20:38:52Z"
-    mac: ENC[AES256_GCM,data:A+8o7hkJI43ufArv5baN7SkauWg3sh9rcTWJy/8h8tD7UPcK8NIvsggtcT2vWCsXQ+SywdCRQMXBwXuA5qSdXs5HJys+aY2BB1rylMScXLYFYA6KXTIeur8l592lU9TOwPp/RALpEQfg7eu2Ps2xdBEgeVbrnn040+3oTqA/Dpo=,iv:1ZRkJDr3Bbx2fRPmLFZAWi6g2QBO5ZEIiFuPgDueRLI=,tag:lkljJXaa7VoUSH6NKQKJ6Q==,type:str]
+    lastmodified: "2024-05-01T11:58:20Z"
+    mac: ENC[AES256_GCM,data:mlOkAorzLzSGFDhFlZ1Kx3AYWSeJGJbk8JFaidWIk1Bp5/4ttO4sFskfRl4SqXCcAcqvgGDhzit5x/i9cCzlrE004f0t4hsupxQOkZ8yZ5+8uT4Q4NFdPf+WPU6/LwG8qrv2i7qbjRb2bnTVKqzyjvrKjx2ZIScAlzWm87bAjuk=,iv:xshvSgZ1P+z6NwrrlouyO8lYL/4ohedKZmbkewS7w3k=,tag:AFBnvs55Ws8ShVFRie1Rew==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1