fixup! nixos: dont use keycloak master realm

flake: add devShells
nixos: dont use keycloak master realm
2024-06-20 22:28:46 +08:00 · 2024-06-20 22:04:34 +08:00 · 2024-06-20 22:03:59 +08:00 · 2024-06-20 18:09:02 +08:00 · 2024-06-20 17:33:55 +08:00 · 2024-06-20 16:38:40 +08:00
13 changed files with 198 additions and 140 deletions
--- a/home/applications/common/wayland.nix
+++ b/home/applications/common/wayland.nix
@ -0,0 +1,9 @@
 {pkgs, ...}: {
  home.sessionVariables = {
    NIXOS_OZONE_WL = "1"; # let electron applications use wayland
  };
  home.packages = with pkgs; [
    wl-clipboard
  ];
 }
--- a/home/applications/common/wm.nix
+++ b/home/applications/common/wm.nix
@ -0,0 +1,8 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [pwvucontrol];
  # remove csd window buttons
  # https://github.com/localsend/localsend/blob/2457acd8a7412723b174672d174e4853dccd7d99/app/linux/my_application.cc#L45
  home.sessionVariables.GTK_CSD = 0;
  dconf.settings."org/gnome/desktop/wm/preferences"."button-layout" = "icon,appmenu:";
 }
--- a/home/applications/firefox/default.nix
+++ b/home/applications/firefox/default.nix
@ -1,12 +1,19 @@
 {pkgs, ...}: {
  programs.firefox = {
    enable = true;
-    package = pkgs.firefox.overrides {
+    profiles."default" = {
-      extraPrefsFiles = [
+      extraConfig = ''
-        "${pkgs.arkenfox-userjs}/user.cfg"
+        ${builtins.readFile (pkgs.fetchurl {
-        ./user-overrides.js
+          # FIXME: IFD
-      ];
+          url = "https://raw.githubusercontent.com/arkenfox/user.js/126.1/user.js";
          hash = "sha256-XRtG0iLKh8uqbeX7Rc2H6VJwZYJoNZPBlAfZEfrSCP4=";
        })}
        ${builtins.readFile ./user-overrides.js}
      '';
    };
-    profiles."default" = {};
+  };
  home.sessionVariables = {
    MOZ_USE_XINPUT2 = "1";
  };
 }
--- a/home/applications/mpv/default.nix
+++ b/home/applications/mpv/default.nix
@ -17,14 +17,18 @@
      slang = "eng,en";
    };
-    scripts =
+    # FIXME: https://github.com/nix-community/home-manager/pull/5524
-      (with pkgs.mpvScripts; [
+    package = pkgs.mpv-unwrapped.wrapper {
-        thumbfast
+      mpv = pkgs.mpv-unwrapped;
-        sponsorblock
+      scripts =
-        modernx-zydezu
+        (with pkgs.mpvScripts; [
-      ])
+          thumbfast
-      ++ lib.optionals pkgs.stdenv.hostPlatform.isLinux (with pkgs.mpvScripts; [
+          sponsorblock
-        mpris
+          modernx-zydezu
-      ]);
+        ])
        ++ lib.optionals pkgs.stdenv.hostPlatform.isLinux (with pkgs.mpvScripts; [
          mpris
        ]);
    };
  };
 }
--- a/home/applications/starship/default.nix
+++ b/home/applications/starship/default.nix
@ -1,9 +1,11 @@
-{pkgs, ...}: {
+{
  pkgs,
  lib,
  ...
 }: {
  programs.starship = {
    enable = true;
-  };
+    # FIXME: IFD
-
+    settings = lib.importTOML "${pkgs.starship}/share/starship/presets/nerd-font-symbols.toml";
  home.sessionVariables = {
    "STARSHIP_CONFIG" = "${pkgs.starship}/share/starship/presets/nerd-font-symbols.toml";
  };
 }
--- a/home/applications/thunderbird/default.nix
+++ b/home/applications/thunderbird/default.nix
@ -1,15 +1,16 @@
 {pkgs, ...}: {
  programs.thunderbird = {
    enable = true;
-    package = pkgs.thunderbird.override {
+    profiles.default = {
-      extraPrefsFiles = [
+      isDefault = true;
-        (pkgs.fetchurl {
+      extraConfig = ''
        ${builtins.readFile (pkgs.fetchurl {
          # FIXME: IFD
          url = "https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/d6b18302e46349d9924c8a76951bae6efca51501/user.js";
          hash = "sha256-66B1yLQkQnydAUXD7KGt32OhWSYcdWX+BUozrgW9uAg=";
-        })
+        })}
-        ./user-overrides.js
+        ${builtins.readFile ./user-overrides.js}
-      ];
+      '';
    };
    profiles.default.isDefault = true;
  };
 }
--- a/hosts/blacksteel/Caddyfile
+++ b/hosts/blacksteel/Caddyfile
@ -1,64 +0,0 @@
 (default) {
 	encode zstd gzip
 	header {
 		# https://observatory.mozilla.org/analyze/ny4.dev
 		# https://infosec.mozilla.org/guidelines/web_security
 		# https://caddyserver.com/docs/caddyfile/directives/header#examples
 		?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
 		?Permissions-Policy interest-Hpcohort=()
 		?Strict-Transport-Security max-age=31536000;
 		?X-Content-Type-Options nosniff
 		?X-Frame-Options DENY
 	}
 	handle_path /robots.txt {
 		file_server * {
 			root /var/www/robots/robots.txt
 		}
 	}
 }
 http://mastodon.ny4.dev:80 {
 	import default
 	handle_path /system/* {
 		file_server * {
 			root /var/lib/mastodon/public-system
 		}
 	}
 	handle /api/v1/streaming/* {
 		reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
 			header_up X-Forwarded-Proto "https"
 		}
 	}
 	route * {
 		file_server * {
 			root @mastodon@/public
 			pass_thru
 		}
 		reverse_proxy * unix//run/mastodon-web/web.socket {
 			header_up X-Forwarded-Proto "https"
 		}
 	}
 	handle_errors {
 		root * @mastodon@/public
 		rewrite 500.html
 		file_server
 	}
 }
 http://matrix.ny4.dev:80 {
 	import default
 	reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock
 	reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock
 	reverse_proxy /health unix//run/matrix-synapse/synapse.sock
 }
 http://syncv3.ny4.dev:80 {
 	import default
 	reverse_proxy unix//run/matrix-sliding-sync/sync.sock
 }
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
@ -2,6 +2,7 @@
  pkgs,
  lib,
  config,
  inputs,
  ...
 }: {
  imports = [
@ -42,9 +43,8 @@
      "mastodon/environment" = {
        restartUnits = ["mastodon-web.service"];
      };
-      "cloudflared/secret" = {
+      "frp/environment" = {
-        restartUnits = ["cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service"];
+        restartUnits = ["frp.service"];
        owner = config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
      };
    };
  };
@ -57,42 +57,70 @@
    openFirewall = true;
  };
-  services.cloudflared = {
+  services.frp = {
    enable = true;
-    tunnels = {
+    role = "client";
-      "6222a3e0-98da-4325-be19-0f86a7318a41" = {
+    settings = {
-        credentialsFile = config.sops.secrets."cloudflared/secret".path;
+      serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
-        default = "http_status:404";
+      serverPort = 7000;
-        ingress = {
+      auth.method = "token";
-          # TODO: is this safe?
+      auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
-          # browser <-> cloudflare cdn <-> cloudflared <-> caddy <-> mastodon
+      proxies = [
-          #                                             ^ no tls in this part?
+        {
-          "mastodon.ny4.dev" = "http://localhost:80";
+          name = "synapse";
-          "matrix.ny4.dev" = "http://localhost:80";
+          type = "tcp";
-          "syncv3.ny4.dev" = "http://localhost:80";
+          remotePort = 8600;
-        };
+          plugin = {
-      };
+            type = "unix_domain_socket";
            unixPath = "/run/matrix-synapse/synapse.sock";
          };
        }
        {
          name = "syncv3";
          type = "tcp";
          remotePort = 8700;
          plugin = {
            type = "unix_domain_socket";
            unixPath = "/run/matrix-sliding-sync/sync.sock";
          };
        }
        {
          name = "mastodon-web";
          type = "tcp";
          remotePort = 8900;
          plugin = {
            type = "unix_domain_socket";
            unixPath = "/run/mastodon-web/web.socket";
          };
        }
        {
          name = "mastodon-streaming";
          type = "tcp";
          remotePort = 9000;
          plugin = {
            type = "unix_domain_socket";
            unixPath = "/run/mastodon-streaming/streaming-1.socket";
          };
        }
        {
          name = "mastodon-system";
          type = "tcp";
          remotePort = 9100;
          plugin = {
            # FIXME:
            type = "static_file";
            localPath = "/var/lib/mastodon/public-system";
          };
        }
      ];
    };
  };
-  services.caddy = {
+  systemd.services.frp.serviceConfig = {
-    enable = true;
+    EnvironmentFile = [config.sops.secrets."frp/environment".path];
    configFile = pkgs.substituteAll {
      src = ./Caddyfile;
      inherit (pkgs) mastodon;
    };
  };
  systemd.services.caddy.serviceConfig = {
    SupplementaryGroups = ["mastodon" "matrix-synapse"];
  };
  systemd.tmpfiles.settings = {
    "10-www" = {
      "/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt;
    };
  };
  services.postgresql = {
    enable = true;
    settings = {
--- a/hosts/blacksteel/secrets.yaml
+++ b/hosts/blacksteel/secrets.yaml
@ -5,8 +5,8 @@ syncv3:
    environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
 mastodon:
    environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
-cloudflared:
+frp:
-    secret: ENC[AES256_GCM,data:QXIl0MqreqPH4LP7IQdA5qQCQdizjFixbOHjqQi/3RjYDt9zt0OejW9rIYnkIRyVj4hnkJBqd1ov/VgdSoNmy/iafIgwqwgsMH0e4R9J6n255p3JG3XBmiYry89xXvQ1SXyzWdUF6p3qgevwzjZnKYyYHT9TbLWc/BkTyyA8g1EGg0O1WfDXhq7u9kOPV4CaU1UX1MMpvZQnsV389PJEWYuK,iv:ASGw5dGOuukRREZ8vMLw5hgZmJhDZSJxDqvfWaxXKJk=,tag:75jf48BEDd4uHkb+2LV5Tg==,type:str]
+    environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -31,8 +31,8 @@ sops:
            bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
            hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-21T07:19:43Z"
+    lastmodified: "2024-06-20T14:23:30Z"
-    mac: ENC[AES256_GCM,data:pKWUM3uhmtrwTOlR2jZauWsGSY1d//z+cojpWLFAAKedGjotLB6cmektyAVRHhw3waiM4WR5+BNZ6ghp7qBrM0z2WanJCdSmXqdyxJEydUC9CCFXZG+7SmIZS+7+/LsqejzdYSAMf9DijN74E1EJVS5F0mHhw8QuRmDy3wU789M=,iv:IrOm1Maz8os9Q/ez+TbOxOTr1zwB1loDVHcPbN8kMvg=,tag:AAKp3OH/s2c7u8lp6vkLVg==,type:str]
+    mac: ENC[AES256_GCM,data:cgDwV6lXR+eTOFcfytKDc2cCs+w/PGDS3fASoKw5VQ95StbmvVNt0go4yAt1D86LXa5p1ReW8dVaciDovuhCFd/jZ+zJpA7sNwKBNrlye7sURW6zDiVM7ITyslPd31bSeIL5/qtiwyT+1tdnthSTjtJPrnPu9NfsRrkUsITT7WA=,iv:ComILTHFTb8lHooVemIg+Nx9ZDWr6SyweZTtmsjWALQ=,tag:7Bj38htDNkoHZdVDMgEiBA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/hosts/lightsail-tokyo/Caddyfile
+++ b/hosts/lightsail-tokyo/Caddyfile
@ -6,9 +6,7 @@
 	}
 }
-(default) {
+(header) {
 	encode zstd gzip
 	header {
 		# https://observatory.mozilla.org/analyze/ny4.dev
 		# https://infosec.mozilla.org/guidelines/web_security
@ -20,7 +18,13 @@
 		?X-Content-Type-Options nosniff
 		?X-Frame-Options DENY
 	}
 }
 (compression) {
 	encode zstd gzip
 }
 (robots) {
 	handle_path /robots.txt {
 		file_server * {
 			root /var/www/robots/robots.txt
@ -28,6 +32,12 @@
 	}
 }
 (default) {
 	import header
 	import compression
 	import robots
 }
 www.ny4.dev {
 	import default
 	redir https://ny4.dev
@ -81,6 +91,13 @@ pixiv.ny4.dev {
 	reverse_proxy unix//run/pixivfe/pixiv.sock
 }
 matrix.ny4.dev {
 	import default
 	reverse_proxy /_matrix/* localhost:8600
 	reverse_proxy /_synapse/client/* localhost:8600
 	reverse_proxy /health localhost:8600
 }
 syncv3.ny4.dev {
 	import default
 	reverse_proxy localhost:8700
@ -97,6 +114,31 @@ element.ny4.dev {
 	file_server
 }
 mastodon.ny4.dev {
 	import default
 	handle_path /system/* {
 		reverse_proxy localhost:9100
 	}
 	handle /api/v1/streaming/* {
 		reverse_proxy localhost:9000
 	}
 	route * {
 		file_server * {
 			root @mastodon@/public
 			pass_thru
 		}
 		reverse_proxy * localhost:8900
 	}
 	handle_errors {
 		root * @mastodon@/public
 		rewrite 500.html
 		file_server
 	}
 }
 git.ny4.dev {
 	import default
 	reverse_proxy unix//run/forgejo/forgejo.sock
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@ -39,6 +39,9 @@
      "searx/environment" = {
        restartUnits = ["searx.service"];
      };
      "frp/environment" = {
        restartUnits = ["frp.service"];
      };
    };
    templates = {
@ -66,6 +69,9 @@
    # caddy
    80
    443
    # frp
    7000
  ];
  systemd.tmpfiles.settings = {
@ -112,6 +118,20 @@
    ];
  };
  services.frp = {
    enable = true;
    role = "server";
    settings = {
      bindPort = 7000;
      auth.method = "token";
      auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
    };
  };
  systemd.services.frp.serviceConfig = {
    EnvironmentFile = [config.sops.secrets."frp/environment".path];
  };
  # `journalctl -u murmur.service | grep Password`
  services.murmur = {
    enable = true;
--- a/hosts/lightsail-tokyo/secrets.yaml
+++ b/hosts/lightsail-tokyo/secrets.yaml
@ -4,6 +4,8 @@ searx:
    environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
 pixivfe:
    environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
 frp:
    environment: ENC[AES256_GCM,data:6XWjUPuJt6fPiIO7mrMjIoR0VHsiy77GqJu/CXVqMEi+EEmXgUN2l6m5vTkttmZICXb5M9ANpdTYOB3nEwCYBJvmFe8kFIZ77rYRVt3C4l0=,iv:5UHJQTanNvk5BsZzH0JeGKP8sDFjTIuc7sGRcReF1+4=,tag:sBYa9RFaMGrh6HZudqZVVA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -28,8 +30,8 @@ sops:
            R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
            3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-21T07:19:35Z"
+    lastmodified: "2024-06-20T08:14:22Z"
-    mac: ENC[AES256_GCM,data:1zG5at1zfjbnnHcZ1Vy7aJxMjaZpE9aL3QlAaxyQ7GYle05z/4PqIdampd7p1WrMWNWqkxkUFazTCpQF9faR0qbnZ2zyOWk45ZtBGZSEhvHRFke6JjwPv4fi35ozHL4JiuP76kGivegvR2OgQ7NH6HJBoZgEqduu+YISJlrvJVs=,iv:p/v8BnUmOCYsaXtUeaVq5MKLk69as3XkQsG688tYkiE=,tag:if6U/qbzrNdYaqLcQbGe6Q==,type:str]
+    mac: ENC[AES256_GCM,data:hqCsHztVoTvRoJ+HyODPrYJKwCWusLzap0tVRxnQlAaqIp1ln9AyxLRuQetDkF5nN97S0BW1z1Uf910wlAe5VxsENrIDMYeUq1PnbQ2ijLttGOnLJVS0aJgcFqNOir2tbflH3fbzDCiSmrT+xQ8ytgX+MEtXpxH7OlVFohjXBCo=,iv:ztALlEtd9cGBY0Sx9yzSngNMaHX3kgkRMTruXDXXVHQ=,tag:hztHafyj4nu3npWyBPhxGw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -1,14 +1,13 @@
 # NOTE: 301: All packages are migrated to `github:Guanran928/nur-packages`,
 #       only keeping some packages that only fits for personal use.
-pkgs: let
+pkgs: {
-  inherit (pkgs) lib;
+  scripts = rec {
 in {
  scripts = lib.makeScope pkgs.newScope (self: {
    # util
-    makeScript = self.callPackage ./scripts/makeScript.nix {};
+    makeScript = pkgs.callPackage ./scripts/makeScript.nix {};
    # scripts
-    lofi = self.callPackage ./scripts/lofi.nix {};
+    # TODO: Do I really have to inherit `makeScript` for every script?
-    screenshot = self.callPackage ./scripts/screenshot.nix {};
+    lofi = pkgs.callPackage ./scripts/lofi.nix {inherit makeScript;};
-  });
+    screenshot = pkgs.callPackage ./scripts/screenshot.nix {inherit makeScript;};
  };
 }
Author	SHA1	Message	Date
Guanran Wang	aaae00ec5d	fixup! nixos: dont use keycloak master realm	2024-06-20 22:28:46 +08:00
Guanran Wang	e0b167fc03	flake: add devShells	2024-06-20 22:04:34 +08:00
Guanran Wang	832cd5205d	nixos: dont use keycloak master realm	2024-06-20 22:03:59 +08:00
Guanran Wang	6b7c45aeda	home: remove colorschemes	2024-06-20 18:09:02 +08:00
Guanran Wang	f3cd62b226	flake: update lock file	2024-06-20 17:33:55 +08:00
Guanran Wang	abc9c9aaf0	fixup! blacksteel/matrix-synapse: use unix socket	2024-06-20 16:38:40 +08:00
Guanran Wang	13f0d66914	fixup! nixos: mark ifd as fixme	2024-06-20 16:36:12 +08:00
Guanran Wang	41cc9217c8	nixos/frp: don't expose secrets	2024-06-20 16:35:49 +08:00
Guanran Wang	1e51748533	blacksteel/matrix-synapse: use unix socket	2024-06-20 14:06:01 +08:00