nixos: use prometheus

flake: bump
blacksteel: drop matrix-sliding-sync
2024-08-30 01:42:37 +08:00 · 2024-08-29 23:37:29 +08:00 · 2024-08-29 23:24:08 +08:00 · 2024-08-29 23:22:46 +08:00 · 2024-08-29 23:20:29 +08:00 · 2024-08-29 23:15:13 +08:00
36 changed files with 432 additions and 604 deletions
--- a/flake.lock
+++ b/flake.lock
@ -27,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724349583,
-        "narHash": "sha256-zgB1Cfk46irIsto8666yLdKjqKdBrjR48Dd3lhQ0CnQ=",
+        "lastModified": 1724895876,
+        "narHash": "sha256-GSqAwa00+vRuHbq9O/yRv7Ov7W/pcMLis3HmeHv8a+Q=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "435737144be0259559ca3b43f7d72252b1fdcc1b",
+        "rev": "511388d837178979de66d14ca4a2ebd5f7991cd3",
        "type": "github"
      },
      "original": {
@ -216,11 +216,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1724575805,
-        "narHash": "sha256-OB/kEL3GAhUZmUfkbPfsPhKs0pRqJKs0EEBiLfyKZw8=",
+        "lastModified": 1724878143,
+        "narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "9fc19be21f0807d6be092d70bf0b1de0c00ac895",
+        "rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef",
        "type": "github"
      },
      "original": {
@ -231,11 +231,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1724395761,
-        "narHash": "sha256-zRkDV/nbrnp3Y8oCADf5ETl1sDrdmAW6/bBVJ8EbIdQ=",
+        "lastModified": 1724748588,
+        "narHash": "sha256-NlpGA4+AIf1dKNq76ps90rxowlFXUsV9x7vK/mN37JM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ae815cee91b417be55d43781eb4b73ae1ecc396c",
+        "rev": "a6292e34000dc93d43bccf78338770c1c5ec8a99",
        "type": "github"
      },
      "original": {
@ -261,11 +261,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724440431,
-        "narHash": "sha256-9etXEOUtzeMgqg1u0wp+EdwG7RpmrAZ2yX516bMj2aE=",
+        "lastModified": 1724857454,
+        "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "c8a54057aae480c56e28ef3e14e4960628ac495b",
+        "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6",
        "type": "github"
      },
      "original": {
@ -302,11 +302,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724552650,
-        "narHash": "sha256-u1xzgrdRTL0DQhjXMgmEvl75IrL8zGf0RS34IQJXxeU=",
+        "lastModified": 1724898214,
+        "narHash": "sha256-4yMO9+Lsr3zqTf4clAGGag/bfNTmc/ITOXbJQcOEok4=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "19fda552b69513df7b6aa5fcfd1412c0221467b1",
+        "rev": "0bc2c784e3a6ce30a2ab1b9f47325ccbed13039f",
        "type": "github"
      },
      "original": {
@ -360,11 +360,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724338379,
-        "narHash": "sha256-kKJtaiU5Ou+e/0Qs7SICXF22DLx4V/WhG1P6+k4yeOE=",
+        "lastModified": 1724833132,
+        "narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "070f834771efa715f3e74cd8ab93ecc96fabc951",
+        "rev": "3ffd842a5f50f435d3e603312eefa4790db46af5",
        "type": "github"
      },
      "original": {
--- a/home/applications/fish/default.nix
+++ b/home/applications/fish/default.nix
@ -1,10 +1,12 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
  programs.fish = {
    enable = true;
+
    interactiveShellInit = ''
      set fish_greeting
    '';
+
    plugins = [
      {
        name = "autopair";
@ -19,5 +21,24 @@
        inherit (pkgs.fishPlugins.puffer) src;
      }
    ];
+
+    functions =
+      let
+        jq = lib.getExe pkgs.jq;
+        nix = lib.getExe pkgs.nix;
+        curl = lib.getExe pkgs.curl;
+      in
+      {
+        "pb" = ''
+          ${jq} -Rns '{text: inputs}' | \
+            ${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
+            ${jq} -r '. | "https://pb.ny4.dev\(.path)"'
+        '';
+
+        "getmnter" = ''
+          ${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
+            ${jq} '.[].github | "@" + .' -r
+        '';
+      };
  };
 }
--- a/home/applications/mpv/default.nix
+++ b/home/applications/mpv/default.nix
@ -10,7 +10,7 @@
      ao = "pipewire";
      vo = "gpu-next";
      hwdec = "auto-safe";
-      profile = "gpu-hq";
+      profile = "high-quality";

      alang = "jpn,ja";
      slang = "eng,en";
--- a/home/applications/ssh/default.nix
+++ b/home/applications/ssh/default.nix
@ -5,10 +5,14 @@
    matchBlocks =
      let
        inherit (config.home) homeDirectory;
+        serverConfig = {
+          identityFile = "${homeDirectory}/.ssh/id_github_signing";
+          user = "root";
+        };
      in
      {
-        "blacksteel".identityFile = "${homeDirectory}/.ssh/id_github_signing";
-        "tyo0.ny4.dev".identityFile = "${homeDirectory}/.ssh/id_github_signing";
+        "blacksteel" = serverConfig;
+        "tyo0.ny4.dev" = serverConfig;
      };
  };
 }
--- a/home/default.nix
+++ b/home/default.nix
@ -1,5 +1,4 @@
 {
-  lib,
  pkgs,
  ...
 }:
@ -10,46 +9,52 @@
    stateVersion = "23.05";
  };

-  imports = [
-    ./applications/atuin
-    ./applications/bash
-    ./applications/bat
-    ./applications/eza
-    ./applications/fish
-    ./applications/git
-    ./applications/gpg
-    ./applications/neovim
-    ./applications/ssh
-    ./applications/starship
-    ./applications/tealdeer
-    ./applications/tmux
-  ];
+  imports =
+    [
+      ./theme.nix
+      ./xdg-mime.nix
+    ]
+    ++ map (n: ./applications/${n}) [
+      "atuin"
+      "bash"
+      "bat"
+      "eza"
+      "fcitx5"
+      "firefox"
+      "fish"
+      "foot"
+      "git"
+      "go"
+      "gpg"
+      "mpv"
+      "nautilus"
+      "neovim"
+      "nix"
+      "ssh"
+      "starship"
+      "sway"
+      "tealdeer"
+      "thunderbird"
+      "tmux"
+      "ydict"
+    ];

  programs.jq.enable = true;
+  programs.obs-studio.enable = true;
  programs.ripgrep.enable = true;
  programs.skim.enable = true;
  programs.zoxide.enable = true;
+
  home.packages = with pkgs; [
    fastfetch
    fd
+    dconf-editor
+    file-roller
+    fractal
+    gnome-calculator
+    hyperfine
+    loupe
+    seahorse
  ];

-  programs.fish.functions =
-    let
-      jq = lib.getExe pkgs.jq;
-      nix = lib.getExe pkgs.nix;
-      curl = lib.getExe pkgs.curl;
-    in
-    {
-      "pb" = ''
-        ${jq} -Rns '{text: inputs}' | \
-          ${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
-          ${jq} -r '. | "https://pb.ny4.dev\(.path)"'
-      '';
-
-      "getmnter" = ''
-        ${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
-          ${jq} '.[].github | "@" + .' -r
-      '';
-    };
 }
--- a/hosts/dust/home/theme.nix
+++ b/hosts/dust/home/theme.nix
--- a/hosts/dust/home/xdg-mime.nix
+++ b/hosts/dust/home/xdg-mime.nix
--- a/hosts/blacksteel/Caddyfile
+++ b/hosts/blacksteel/Caddyfile
@ -14,6 +14,14 @@
 	}
 }

+http://pek0.ny4.dev:80 {
+	import default
+	basicauth {
+		prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
+	}
+	reverse_proxy localhost:9091
+}
+
 http://mastodon.ny4.dev:80 {
 	import default
 	handle_path /system/* {
@ -57,10 +65,3 @@ http://matrix.ny4.dev:80 {
 		header_up X-Forwarded-Proto "https"
 	}
 }
-
-http://syncv3.ny4.dev:80 {
-	import default
-	reverse_proxy unix//run/matrix-sliding-sync/sync.sock {
-		header_up X-Forwarded-Proto "https"
-	}
-}
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
@ -37,9 +37,6 @@
      restartUnits = [ "matrix-synapse.service" ];
      owner = config.systemd.services.matrix-synapse.serviceConfig.User;
    };
-    "syncv3/environment" = {
-      restartUnits = [ "matrix-sliding-sync.service" ];
-    };
    "mastodon/environment" = {
      restartUnits = [ "mastodon-web.service" ];
    };
@ -64,7 +61,7 @@
        ingress = lib.genAttrs [
          "mastodon.ny4.dev"
          "matrix.ny4.dev"
-          "syncv3.ny4.dev"
+          "pek0.ny4.dev"
        ] (_: "http://localhost");
      };
    };
--- a/hosts/blacksteel/secrets.yaml
+++ b/hosts/blacksteel/secrets.yaml
@ -1,8 +1,6 @@
 synapse:
    secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
    oidc: ENC[AES256_GCM,data:ihiMcrrYvPrNDJ13p6/FbINgh5wxv2vyOYxg0sthipM=,iv:+aESWZLI7/4HWjV7QT94py+zGLbTl+VoSsWdiGNHkjU=,tag:yxxZeDOtzFegCQGQT2HCgA==,type:str]
-syncv3:
-    environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
 mastodon:
    environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
 cloudflared:
@ -31,8 +29,8 @@ sops:
            bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
            hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-21T07:19:43Z"
-    mac: ENC[AES256_GCM,data:pKWUM3uhmtrwTOlR2jZauWsGSY1d//z+cojpWLFAAKedGjotLB6cmektyAVRHhw3waiM4WR5+BNZ6ghp7qBrM0z2WanJCdSmXqdyxJEydUC9CCFXZG+7SmIZS+7+/LsqejzdYSAMf9DijN74E1EJVS5F0mHhw8QuRmDy3wU789M=,iv:IrOm1Maz8os9Q/ez+TbOxOTr1zwB1loDVHcPbN8kMvg=,tag:AAKp3OH/s2c7u8lp6vkLVg==,type:str]
+    lastmodified: "2024-08-29T15:23:52Z"
+    mac: ENC[AES256_GCM,data:32DW8e/ojxJzL8UOAQ3x8jg5fbUC+m+mwom00gXBaBsu/C2CLkOC2xyiZragBjbp/OWy3xoZC3GG7dngXpBT8pSo7T/F8KDnP2fKacvrKJRNBTT+JFjxZ0VkPy82MIi2JBkXqYRF248ofdXHFTHp/71s15R97xVtHEZdtGbEly0=,iv:sMgk1pTVWdgjSlXNvX4EAraw4tNwP1mxzihCv/dSfuI=,tag:FhfSoy5w2WezE++2QGjFrg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/hosts/blacksteel/services/matrix.nix
+++ b/hosts/blacksteel/services/matrix.nix
@ -58,18 +58,4 @@
    environment = config.networking.proxy.envVars;
    serviceConfig.RuntimeDirectory = [ "matrix-synapse" ];
  };
-
-  services.matrix-sliding-sync = {
-    enable = true;
-    environmentFile = config.sops.secrets."syncv3/environment".path;
-    settings = {
-      SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
-      SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
-    };
-  };
-
-  systemd.services.matrix-sliding-sync.serviceConfig = {
-    RuntimeDirectory = [ "matrix-sliding-sync" ];
-    SupplementaryGroups = [ "matrix-synapse" ];
-  };
 }
--- a/hosts/dust/default.nix
+++ b/hosts/dust/default.nix
@ -1,6 +1,8 @@
 {
  lib,
+  config,
  pkgs,
+  inputs,
  ...
 }:
 {
@ -19,7 +21,27 @@
  time.timeZone = "Asia/Shanghai";
  system.stateVersion = "24.05";

-  home-manager.users.guanranwang = import ./home;
+  users.users = {
+    "guanranwang" = {
+      isNormalUser = true;
+      description = "Guanran Wang";
+      hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
+      shell = pkgs.fish;
+      extraGroups = [
+        "wheel"
+        "nix-access-tokens"
+      ];
+    };
+  };
+
+  home-manager = {
+    users.guanranwang = import ../../home;
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = {
+      inherit inputs;
+    };
+  };

  boot.tmp.useTmpfs = true;

@ -36,6 +58,8 @@
  networking.firewall.allowedUDPPorts = [ 53317 ];

  programs.adb.enable = true;
+  programs.dconf.enable = true;
+  programs.fish.enable = true;
  programs.localsend.enable = true;
  programs.seahorse.enable = true;
  programs.ssh = {
@ -165,4 +189,30 @@
      "org.freedesktop.impl.portal.Inhibit" = "none";
    };
  };
+
+  services.sing-box.settings = {
+    outbounds = [
+      {
+        type = "selector";
+        tag = "select";
+        outbounds = [
+          "tyo0"
+          "direct"
+        ];
+        default = "tyo0";
+      }
+    ];
+
+    route = {
+      final = "select";
+    };
+
+    experimental = {
+      clash_api = {
+        external_controller = "127.0.0.1:9090";
+        external_ui = pkgs.metacubexd;
+        secret = "hunter2";
+      };
+    };
+  };
 }
--- a/hosts/dust/hardware-configuration.nix
+++ b/hosts/dust/hardware-configuration.nix
@ -5,6 +5,9 @@
    inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-12th-gen
  ];

+  services.fwupd.enable = true;
+  services.fprintd.enable = true;
+
  security.rtkit.enable = true;
  hardware.pulseaudio.enable = false;
  services.pipewire = {
@ -17,8 +20,6 @@
    settings.General.FastConnectable = true;
  };

-  services.fprintd.enable = true;
-
  boot.loader.timeout = 0;
  boot.loader.efi.canTouchEfiVariables = true;

--- a/hosts/dust/home/default.nix
+++ b/hosts/dust/home/default.nix
@ -1,32 +0,0 @@
-{ pkgs, ... }:
-{
-  imports =
-    [
-      ./theme.nix
-      ./xdg-mime.nix
-    ]
-    ++ map (n: ../../../home/applications/${n}) [
-      "fcitx5"
-      "firefox"
-      "foot"
-      "go"
-      "mpv"
-      "nautilus"
-      "nix"
-      "sway"
-      "thunderbird"
-      "ydict"
-    ];
-
-  home.packages = with pkgs; [
-    dconf-editor
-    file-roller
-    fractal
-    gnome-calculator
-    hyperfine
-    loupe
-    seahorse
-  ];
-
-  programs.obs-studio.enable = true;
-}
--- a/hosts/tyo0/Caddyfile
+++ b/hosts/tyo0/Caddyfile
@ -1,11 +1,3 @@
-{
-	# Disables HTTP/3 for Hysteria
-	# https://github.com/apernet/hysteria/issues/768
-	servers :443 {
-		protocols h1 h2 h2c
-	}
-}
-
 (default) {
 	encode zstd gzip
 	handle_path /robots.txt {
@ -23,7 +15,10 @@ www.ny4.dev {
 # get the certificate for hysteria
 tyo0.ny4.dev {
 	import default
-	redir https://blog.ny4.dev
+	basicauth {
+		prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
+	}
+	reverse_proxy localhost:9091
 }

 ny4.dev {
@ -49,34 +44,16 @@ ny4.dev {
 	}
 }

-searx.ny4.dev {
-	import default
-	reverse_proxy localhost:8100
-}
-
 pb.ny4.dev {
 	import default
 	reverse_proxy localhost:8200
 }

-uptime.ny4.dev {
-	import default
-	reverse_proxy localhost:8300
-}
-
 ntfy.ny4.dev {
 	import default
 	reverse_proxy unix//run/ntfy-sh/ntfy.sock
 }

-pixiv.ny4.dev {
-	import default
-	basicauth {
-		Guanran928 $2a$14$aI977hGZCX6H9IiyG7avdOFxXFGtlt7DcIahTkInPhEx9Sfhk7bri
-	}
-	reverse_proxy unix//run/pixivfe/pixiv.sock
-}
-
 id.ny4.dev {
 	import default
 	reverse_proxy localhost:8800
@ -131,3 +108,8 @@ vault.ny4.dev {
 	import default
 	reverse_proxy localhost:9500
 }
+
+prom.ny4.dev {
+	import default
+	reverse_proxy localhost:9090
+}
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@ -1,5 +1,6 @@
 {
  lib,
+  config,
  modulesPath,
  pkgs,
  ...
@ -10,14 +11,15 @@
    ./anti-feature.nix

    ./services/forgejo.nix
-    ./services/hysteria.nix
    ./services/keycloak.nix
    ./services/miniflux.nix
    ./services/murmur.nix
    ./services/ntfy.nix
-    ./services/pixivfe.nix
-    ./services/searx.nix
+    ./services/prometheus.nix
+    ./services/redlib.nix
+    ./services/sing-box.nix
    ./services/vaultwarden.nix
+    ./services/wastebin.nix
  ];

  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
@ -35,14 +37,12 @@

  ### Secrets
  sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
-    "hysteria/auth" = {
-      restartUnits = [ "hysteria.service" ];
+    "sing-box/auth" = {
+      restartUnits = [ "sing-box.service" ];
    };
-    "pixivfe/environment" = {
-      restartUnits = [ "pixivfe.service" ];
-    };
-    "searx/environment" = {
-      restartUnits = [ "searx.service" ];
+    "prometheus/auth" = {
+      owner = config.systemd.services.prometheus.serviceConfig.User;
+      restartUnits = [ "prometheus.service" ];
    };
    "miniflux/environment" = {
      restartUnits = [ "miniflux.service" ];
@ -53,11 +53,11 @@
  };

  ### Services
-  networking.firewall.allowedUDPPorts = [ 443 ]; # hysteria
+  networking.firewall.allowedUDPPorts = [ 443 ];
  networking.firewall.allowedTCPPorts = [
    80
    443
-  ]; # caddy
+  ];

  systemd.tmpfiles.settings = {
    "10-www" = {
@ -105,22 +105,6 @@
    };
  };

-  services.wastebin = {
-    enable = true;
-    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
-  };
-
-  services.uptime-kuma = {
-    enable = true;
-    settings.PORT = "8300";
-  };
-
-  services.redlib = {
-    enable = true;
-    address = "127.0.0.1";
-    port = 9400;
-  };
-
  ### Prevents me from bankrupt
  # https://fmk.im/p/shutdown-aws/
  services.vnstat.enable = true;
--- a/hosts/tyo0/matrix-client.json
+++ b/hosts/tyo0/matrix-client.json
@ -2,7 +2,4 @@
  "m.homeserver": {
    "base_url": "https://matrix.ny4.dev"
  },
-  "org.matrix.msc3575.proxy": {
-    "url": "https://syncv3.ny4.dev"
-  }
 }
--- a/hosts/tyo0/secrets.yaml
+++ b/hosts/tyo0/secrets.yaml
@ -1,13 +1,11 @@
-hysteria:
-    auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
-searx:
-    environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
-pixivfe:
-    environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
+sing-box:
+    auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str]
 miniflux:
    environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
 vaultwarden:
    environment: ENC[AES256_GCM,data:+pcUVL7yVXKVp57/feHHWmSuH/2B0hLtADxZWCQOOMG+M3UQh+4dHA5debiv,iv:Zy6xn4Z4VwVXfWWjVeCYY/gRnDp//7yUPLbtLuABFPY=,tag:LxEc31YhgyjEhDrqoJxCJw==,type:str]
+prometheus:
+    auth: ENC[AES256_GCM,data:sQ7oEL2gGz2nnn+QGcmmI3IwNEWbZ13s2/3QLj0O0BZp,iv:r7F70DzMNrcuxq2LISwm4tXjiR8m9eyt8GQyiuWxvhM=,tag:LfpxK3wcuMFCmFQn/iPZsw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -32,8 +30,8 @@ sops:
            UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
            n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-12T12:55:54Z"
-    mac: ENC[AES256_GCM,data:H1zm+Rk9F9SkRbANU4GYjhZpys3e5qQNBBsdIbgXD3AZTAKZVyemT6Vb8k0ufkfzQ98L0Xrm/S1JQFvcyaZqRHv+C2GW3F34FlSS4IOtaJz9IgVIdvaM4WvaOTtpC5B+5CKnA/oBPOmhEBCdi2LIjzrUltEzKpemWHkIIT2eHQA=,iv:1RCjLEz0W+tHQep4EguweYKSfePXa1VE3+gzlcFsAug=,tag:Oonqihfe83l5SNOmLjOPYg==,type:str]
+    lastmodified: "2024-08-29T16:26:25Z"
+    mac: ENC[AES256_GCM,data:jpm+TBCtdFcgfRvzg+mTgWtu20/rm6nF/OdxUGbufkC1Y0Z8+eb8nIBe1TJhodt6kT/NdPRVI0N1JLD5XOwduvqL/QoZGzGkBfEVqFvnTxQYVVXp4sWdqji26XPb1sn+gbmobR4qlZPxdmvKZWEQxO2VJpKA3Bfalwa9fy0ajHE=,iv:XDRDEP/+rs2DLLkrftSxlxDMbdz7W9nHBEs0QWIDK88=,tag:UVmyD5FOev9LPRBvMcmJyw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/hosts/tyo0/services/forgejo.nix
+++ b/hosts/tyo0/services/forgejo.nix
@ -5,6 +5,10 @@
    package = pkgs.forgejo;
    database.type = "postgres";
    settings = {
+      DEFAULT = {
+        APP_NAME = "git.ny4.dev";
+      };
+
      server = {
        DOMAIN = "git.ny4.dev";
        PROTOCOL = "http+unix";
@ -15,6 +19,11 @@
      service = {
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
      };
+
+      repository = {
+        DISABLE_STARS = true;
+        DEFAULT_BRANCH = "master";
+      };
    };
  };
 }
--- a/hosts/tyo0/services/hysteria.nix
+++ b/hosts/tyo0/services/hysteria.nix
@ -1,30 +0,0 @@
-{ config, ... }:
-{
-  services.hysteria = {
-    enable = true;
-    settings = {
-      auth = {
-        type = "userpass";
-        userpass = {
-          _secret = "/run/credentials/hysteria.service/auth";
-          quote = false;
-        };
-      };
-      masquerade = {
-        type = "proxy";
-        proxy.url = "https://ny4.dev/";
-      };
-      tls = {
-        cert = "/run/credentials/hysteria.service/cert";
-        key = "/run/credentials/hysteria.service/key";
-      };
-    };
-  };
-
-  systemd.services."hysteria".serviceConfig.LoadCredential = [
-    # FIXME: remove hardcoded path
-    "auth:${config.sops.secrets."hysteria/auth".path}"
-    "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
-    "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
-  ];
-}
--- a/hosts/tyo0/services/pixivfe.nix
+++ b/hosts/tyo0/services/pixivfe.nix
@ -1,23 +0,0 @@
-{
-  pkgs,
-  config,
-  ...
-}:
-{
-  services.pixivfe = {
-    enable = true;
-    EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
-    settings = {
-      PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
-      PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
-    };
-  };
-
-  systemd.services.pixivfe.serviceConfig = {
-    RuntimeDirectory = [ "pixivfe" ];
-    ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
-      ${pkgs.coreutils}/bin/sleep 5
-      ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
-    '';
-  };
-}
--- a/hosts/tyo0/services/prometheus.nix
+++ b/hosts/tyo0/services/prometheus.nix
@ -0,0 +1,140 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  services.prometheus = {
+    enable = true;
+    listenAddress = "127.0.0.1";
+    port = 9090;
+
+    exporters.blackbox = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      port = 9093;
+      configFile = (pkgs.formats.yaml { }).generate "config.yaml" {
+        modules = {
+          http_2xx = {
+            prober = "http";
+          };
+        };
+      };
+    };
+
+    scrapeConfigs = [
+      {
+        job_name = "metrics";
+        scheme = "https";
+        basic_auth = {
+          username = "prometheus";
+          password_file = config.sops.secrets."prometheus/auth".path;
+        };
+        static_configs = lib.singleton {
+          targets = [
+            "tyo0.ny4.dev"
+            "pek0.ny4.dev"
+          ];
+        };
+      }
+      {
+        job_name = "http";
+        scheme = "http";
+        metrics_path = "/probe";
+        params = {
+          module = [ "http_2xx" ];
+        };
+        static_configs = lib.singleton {
+          targets = [
+            "https://blog.ny4.dev"
+            "https://cinny.ny4.dev"
+            "https://element.ny4.dev"
+            "https://git.ny4.dev"
+            "https://id.ny4.dev"
+            "https://mastodon.ny4.dev"
+            "https://matrix.ny4.dev"
+            "https://ntfy.ny4.dev"
+            "https://pb.ny4.dev"
+            "https://reddit.ny4.dev"
+            "https://rss.ny4.dev"
+            "https://vault.ny4.dev"
+          ];
+        };
+        relabel_configs = [
+          {
+            source_labels = [ "__address__" ];
+            target_label = "__param_target";
+          }
+          {
+            source_labels = [ "__param_target" ];
+            target_label = "instance";
+          }
+          {
+            target_label = "__address__";
+            replacement = "127.0.0.1:9093";
+          }
+        ];
+      }
+
+    ];
+
+    rules = lib.singleton (
+      builtins.toJSON {
+        groups = lib.singleton {
+          name = "metrics";
+          rules = [
+            {
+              alert = "NodeDown";
+              expr = ''up == 0'';
+              for = "5m";
+            }
+            {
+              alert = "HTTPDown";
+              expr = ''probe_http_status_code < 200 or probe_http_status_code > 299'';
+              for = "5m";
+            }
+            {
+              alert = "MemoryFull";
+              expr = ''node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes < 0.1'';
+            }
+            {
+              alert = "DiskFull";
+              expr = ''node_filesystem_avail_bytes{mountpoint=~"/|/mnt"} / node_filesystem_size_bytes < 0.1'';
+            }
+            {
+              alert = "UnitFailed";
+              expr = ''node_systemd_unit_state{state="failed"} == 1'';
+            }
+          ];
+        };
+      }
+    );
+
+    alertmanagers = lib.singleton {
+      static_configs = lib.singleton {
+        targets = [
+          "127.0.0.1:9092"
+        ];
+      };
+    };
+
+    alertmanager = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      port = 9092;
+
+      configuration = {
+        receivers = lib.singleton {
+          name = "ntfy";
+          webhook_configs = lib.singleton {
+            url = "https://ntfy.ny4.dev/alert";
+          };
+        };
+        route = {
+          receiver = "ntfy";
+        };
+      };
+    };
+  };
+}
--- a/hosts/tyo0/services/redlib.nix
+++ b/hosts/tyo0/services/redlib.nix
@ -0,0 +1,7 @@
+{
+  services.redlib = {
+    enable = true;
+    address = "127.0.0.1";
+    port = 9400;
+  };
+}
--- a/hosts/tyo0/services/searx.nix
+++ b/hosts/tyo0/services/searx.nix
@ -1,20 +0,0 @@
-{
-  pkgs,
-  config,
-  ...
-}:
-{
-  services.searx = {
-    enable = true;
-    package = pkgs.searxng;
-    environmentFile = config.sops.secrets."searx/environment".path;
-    settings = {
-      general.contact_url = "mailto:guanran928@outlook.com";
-      search.autocomplete = "google";
-      server = {
-        port = 8100;
-        secret_key = "@SEARX_SECRET@";
-      };
-    };
-  };
-}
--- a/hosts/tyo0/services/sing-box.nix
+++ b/hosts/tyo0/services/sing-box.nix
@ -0,0 +1,56 @@
+{ config, ... }:
+{
+  networking.firewall.allowedTCPPorts = [
+    27253
+  ];
+
+  services.sing-box = {
+    enable = true;
+    settings = {
+      log = {
+        level = "info";
+      };
+
+      inbounds = [
+        {
+          type = "vless";
+          tag = "inbound";
+          listen = "0.0.0.0";
+          listen_port = 27253;
+          users = {
+            _secret = "/run/credentials/sing-box.service/auth";
+            quote = false;
+          };
+          tls = {
+            enabled = true;
+            server_name = "tyo0.ny4.dev";
+            certificate_path = "/run/credentials/sing-box.service/cert";
+            key_path = "/run/credentials/sing-box.service/key";
+          };
+        }
+      ];
+
+      outbounds = [
+        {
+          type = "direct";
+          tag = "direct";
+        }
+      ];
+
+      route = {
+        final = "direct";
+      };
+    };
+  };
+
+  systemd.services."sing-box".serviceConfig.LoadCredential =
+    let
+      # FIXME: remove hardcoded path
+      path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
+    in
+    [
+      "auth:${config.sops.secrets."sing-box/auth".path}"
+      "cert:${path}/tyo0.ny4.dev.crt"
+      "key:${path}/tyo0.ny4.dev.key"
+    ];
+}
--- a/hosts/tyo0/services/wastebin.nix
+++ b/hosts/tyo0/services/wastebin.nix
@ -0,0 +1,6 @@
+{
+  services.wastebin = {
+    enable = true;
+    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
+  };
+}
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -1,7 +1,4 @@
 { ... }:
 {
-  imports = [
-    ./services/hysteria.nix
-    ./services/pixivfe.nix
-  ];
+  imports = [ ];
 }
--- a/nixos/modules/services/hysteria.nix
+++ b/nixos/modules/services/hysteria.nix
@ -1,94 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  utils,
-  ...
-}:
-let
-  cfg = config.services.hysteria;
-  settingsFormat = pkgs.formats.json { };
-in
-{
-  options.services.hysteria = {
-    enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
-
-    package = lib.mkPackageOption pkgs "hysteria" { };
-
-    mode = lib.mkOption {
-      type = lib.types.enum [
-        "server"
-        "client"
-      ];
-      default = "server";
-      description = "Whether to use Hysteria as a client or a server.";
-    };
-
-    settings = lib.mkOption {
-      type = lib.types.submodule {
-        freeformType = settingsFormat.type;
-      };
-      default = { };
-      description = ''
-        The Hysteria configuration, see https://hysteria.network/ for documentation.
-
-        Options containing secret data should be set to an attribute set
-        containing the attribute `_secret` - a string pointing to a file
-        containing the value the option should be set to.
-
-        Ignored when `services.hysteria.configFile` is set.
-      '';
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    systemd.services."hysteria" = {
-      description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
-      documentation = [ "https://hysteria.network/" ];
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network-online.target" ];
-      wants = [ "network-online.target" ];
-      preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json";
-      serviceConfig = {
-        ExecStart = lib.concatStringsSep " " [
-          (lib.getExe cfg.package)
-          cfg.mode
-          "--config /var/lib/private/hysteria/config.json"
-        ];
-
-        DynamicUser = true;
-        StateDirectory = "hysteria";
-
-        ### Hardening
-        AmbientCapabilities = [
-          "CAP_NET_ADMIN"
-          "CAP_NET_BIND_SERVICE"
-          "CAP_NET_RAW"
-        ];
-        CapabilityBoundingSet = [
-          "CAP_NET_ADMIN"
-          "CAP_NET_BIND_SERVICE"
-          "CAP_NET_RAW"
-        ];
-        NoNewPrivileges = true;
-        PrivateMounts = true;
-        PrivateTmp = true;
-        ProcSubset = "pid";
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        RestrictNamespaces = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = "@system-service";
-        UMask = "0077";
-      };
-    };
-  };
-}
--- a/nixos/modules/services/pixivfe.nix
+++ b/nixos/modules/services/pixivfe.nix
@ -1,125 +0,0 @@
-{
-  lib,
-  config,
-  inputs,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.services.pixivfe;
-in
-{
-  options.services.pixivfe = {
-    enable = lib.mkEnableOption "PixivFE, a privacy respecting frontend for Pixiv";
-
-    package =
-      lib.mkPackageOption inputs.self.legacyPackages.${pkgs.stdenv.hostPlatform.system} "pixivfe"
-        { };
-
-    openFirewall = lib.mkEnableOption "open ports in the firewall needed for the daemon to function";
-
-    settings = lib.mkOption {
-      type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
-      default = null;
-      example = lib.literalExpression ''
-        {
-          PIXIVFE_PORT = "8282";
-          PIXIVFE_TOKEN = "123456_AaBbccDDeeFFggHHIiJjkkllmMnnooPP";
-        };
-      '';
-      description = ''
-        Additional configuration for PixivFE, see
-        <https://pixivfe.pages.dev/environment-variables/> for supported values.
-        For secrets use `EnvironmentFile` option instead.
-      '';
-    };
-
-    EnvironmentFile = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-      example = lib.literalExpression ''
-        /run/secrets/environment
-      '';
-      description = ''
-        File containing environment variables to be passed to the PixivFE service.
-
-        See `systemd.exec(5)` for more information.
-      '';
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = if cfg.openFirewall then (cfg.settings ? PIXIVFE_PORT) else true;
-        message = ''
-          PIXIVFE_PORT must be specified for NixOS to open a port.
-
-          See https://pixivfe.pages.dev/environment-variables/ for more information.
-        '';
-      }
-      {
-        assertion =
-          if (cfg.EnvironmentFile == null) then
-            (cfg.settings ? PIXIVFE_UNIXSOCKET) || (cfg.settings ? PIXIVFE_PORT)
-          else
-            true;
-        message = ''
-          PIXIVFE_PORT or PIXIVFE_UNIXSOCKET must be set for PixivFE to run.
-
-          See https://pixivfe.pages.dev/environment-variables/ for more information.
-        '';
-      }
-      {
-        assertion = if (cfg.EnvironmentFile == null) then cfg.settings ? PIXIVFE_TOKEN else true;
-        message = ''
-          PIXIVFE_TOKEN must be set for PixivFE to run.
-
-          See https://pixivfe.pages.dev/environment-variables/ for more information.
-        '';
-      }
-    ];
-
-    systemd.services."pixivfe" = {
-      description = "PixivFE, a privacy respecting frontend for Pixiv.";
-      documentation = [ "https://pixivfe.pages.dev/" ];
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network-online.target" ];
-      wants = [ "network-online.target" ];
-      environment = lib.mkIf (cfg.settings != null) (
-        lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings
-      );
-      serviceConfig = {
-        inherit (cfg) EnvironmentFile;
-        ExecStart = lib.getExe cfg.package;
-        DynamicUser = true;
-
-        ### Hardening
-        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; # For ports <= 1024
-        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-        NoNewPrivileges = true;
-        PrivateMounts = true;
-        PrivateTmp = true;
-        ProcSubset = "pid";
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = "@system-service";
-        UMask = "0077";
-      };
-    };
-
-    networking.firewall = lib.mkIf cfg.openFirewall {
-      allowedTCPPorts = [ cfg.settings.PIXIVFE_PORT ];
-    };
-  };
-}
--- a/nixos/profiles/core/default.nix
+++ b/nixos/profiles/core/default.nix
@ -1,5 +1,4 @@
 {
-  config,
  lib,
  inputs,
  pkgs,
@ -26,15 +25,6 @@
    inputs.self.overlays.patches
  ];

-  home-manager = {
-    users.guanranwang = import ../../../home;
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    extraSpecialArgs = {
-      inherit inputs;
-    };
-  };
-
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;

  environment.systemPackages = with pkgs; [
@ -53,55 +43,19 @@
  ];

  users.mutableUsers = false;
-  users.users = {
-    "guanranwang" = {
-      isNormalUser = true;
-      description = "Guanran Wang";
-      hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
-      shell = pkgs.fish;
-      extraGroups = [
-        "wheel"
-        "nix-access-tokens"
-      ];
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
-      ];
-    };
-  };
-
  boot.initrd.systemd.enable = true;
  environment.stub-ld.enable = false;

  programs.command-not-found.enable = false;
-  programs.dconf.enable = true;
-  programs.fish.enable = true;
  programs.nano.enable = false;
  programs.vim = {
    enable = true;
    defaultEditor = true;
  };

-  # Avoid TOFU MITM with github by providing their public key here.
-  programs.ssh.knownHosts = {
-    "github.com".hostNames = [ "github.com" ];
-    "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-
-    "gitlab.com".hostNames = [ "gitlab.com" ];
-    "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-
-    "git.sr.ht".hostNames = [ "git.sr.ht" ];
-    "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
-  };
-
  # https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
  services.dbus.implementation = lib.mkDefault "broker";

-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
-    settings.PasswordAuthentication = false;
-  };
-
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
--- a/nixos/profiles/prometheus/default.nix
+++ b/nixos/profiles/prometheus/default.nix
@ -0,0 +1,10 @@
+{ config, lib, ... }:
+
+{
+  services.prometheus.exporters.node = {
+    enable = true;
+    listenAddress = "127.0.0.1";
+    port = 9091;
+    enabledCollectors = [ "systemd" ];
+  };
+}
--- a/nixos/profiles/server/default.nix
+++ b/nixos/profiles/server/default.nix
@ -1,17 +1,22 @@
+{ pkgs, ... }:
 {
-  pkgs,
-  config,
-  ...
-}:
-{
+  imports = [
+    ../prometheus
+  ];
+
  environment.systemPackages = with pkgs; [
    foot.terminfo
  ];

-  # TODO: colmena
-  services.openssh.settings.PermitRootLogin = "prohibit-password";
-  users.users."root".openssh.authorizedKeys.keys =
-    config.users.users.guanranwang.openssh.authorizedKeys.keys;
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "prohibit-password";
+    settings.PasswordAuthentication = false;
+  };
+
+  users.users."root".openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
+  ];

  time.timeZone = "UTC";
 }
--- a/nixos/profiles/sing-box/default.nix
+++ b/nixos/profiles/sing-box/default.nix
@ -1,4 +1,5 @@
 {
+  lib,
  pkgs,
  config,
  ...
@ -24,11 +25,12 @@

      outbounds = [
        {
-          type = "hysteria2";
+          type = "vless";
          tag = "tyo0";
          server = "tyo0.ny4.dev";
-          server_port = 443;
-          password._secret = config.sops.secrets."sing-box/tyo0".path;
+          server_port = 27253;
+          uuid = "29e54ee5-43f5-4891-b750-ca73c7e3b2b3";
+          flow = "xtls-rprx-vision";
          tls.enabled = true;
        }
        {
@ -76,15 +78,7 @@
          }
        ];

-        final = "tyo0";
-      };
-
-      experimental = {
-        clash_api = {
-          external_controller = "127.0.0.1:9090";
-          external_ui = pkgs.metacubexd;
-          secret = "hunter2";
-        };
+        final = lib.mkDefault "tyo0";
      };
    };
  };
@ -95,7 +89,7 @@
    httpsProxy = "http://127.0.0.1:1080/";
  };

-  environment.shellAliases =
+  programs.fish.shellAliases =
    let
      inherit (config.networking.proxy) httpProxy httpsProxy;
    in
--- a/nixos/profiles/sing-box/secrets.yaml
+++ b/nixos/profiles/sing-box/secrets.yaml
@ -1,5 +1,5 @@
 sing-box:
-    tyo0: ENC[AES256_GCM,data:c1WIyaAXyiir4VRcggvJ0drgxOi24+s=,iv:1CufURfG6PL+iv54LOkh6kdjjf6Pa8uvyWsRX4rBTls=,tag:M5PzRvKJzQzhpv3z6XlG9A==,type:str]
+    tyo0: ENC[AES256_GCM,data:IIUqglE+FqlD1LlRkpCuRqaOysEe4BxUIlGBEhUwgw/dDGBK,iv:ojryKlJgA9R7dTlcqKZ9BmGSHdZQ4BDMYRYLlJwbCXc=,tag:MDhlfxgQQ84UUdZ+ZWvaWQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -33,8 +33,8 @@ sops:
            NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6
            JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-24T07:58:00Z"
-    mac: ENC[AES256_GCM,data:gbgaZ6fGr8sIaEPMTJeTr4nHEkfWDMwNPstEjfn580go8Ogg3cIW0Lca1nPERCI7XimswjT9V6FnxV8HtTZ+VH3jZsuB/Zu0lYpCsTx//wY0meWWHtOINFZ6Qn9dl6CTRi/QgmNJPKjPPYcHg0ECGY/Iv8s44Mj0aXthVN61huk=,iv:8y+vjDSWaVt7kQkvu499+bK3lYB3moVtAQJ4UvfLYv4=,tag:XAhiF7cw8i8ilj3Dp/zoDw==,type:str]
+    lastmodified: "2024-08-27T20:29:35Z"
+    mac: ENC[AES256_GCM,data:RA8pX6oMrKz4f7aX0UwTAa3P/QYt1IX8FO9yl/ViaUoPYQ5WD3o5Zh7FX40QDUdLZkfFJqO+P+gr5ZqRJ+lZRSNRXmO0vx9C7KMPEMweNz+0hmE15OKXcfEjTbEu+GW9vgoj6TyQ8OahJZ4pF7DNtg0+/B7LzmhgrRaKq7zLdng=,iv:x1zD7US6VmLfeY1tH3/+fHL4ECM4UyYCzv5qxD1ikEw=,tag:kA+AFntpC+sKpCa9/Q1Bjw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -1,12 +1,5 @@
 # NOTE: 301: All packages are migrated to `github:Guanran928/nur-packages`,
 #       only keeping some packages that only fits for personal use.
-pkgs:
-let
-  inherit (pkgs) callPackage;
-in
-{
-  # https://github.com/NixOS/nixpkgs/pull/308720
-  pixivfe = callPackage ./pixivfe.nix { };
-
+pkgs: {
  background = pkgs.nixos-artwork.wallpapers.nineish-dark-gray.src;
 }
--- a/pkgs/pixivfe.nix
+++ b/pkgs/pixivfe.nix
@ -1,43 +0,0 @@
-{
-  lib,
-  buildGoModule,
-  fetchFromGitea,
-  makeBinaryWrapper,
-}:
-buildGoModule rec {
-  pname = "pixivfe";
-  version = "2.6";
-
-  src = fetchFromGitea {
-    domain = "codeberg.org";
-    owner = "VnPower";
-    repo = "PixivFE";
-    rev = "v${version}";
-    hash = "sha256-pusyCXy2tsdvOSUR6LfSYHv8YT1tiCErqUEkUgKYbZ4=";
-  };
-
-  vendorHash = "sha256-QapDR964Tn+RxXdkGqCQXacdmlSapF841Y84n4d/6VI=";
-
-  ldflags = [
-    "-s"
-    "-w"
-  ];
-
-  nativeBuildInputs = [ makeBinaryWrapper ];
-
-  postInstall = ''
-    mkdir -p $out/share/pixivfe
-    cp -r ./views/ $out/share/pixivfe/views
-    wrapProgram $out/bin/pixivfe \
-      --chdir $out/share/pixivfe
-  '';
-
-  meta = {
-    description = "Privacy respecting frontend for Pixiv";
-    homepage = "https://codeberg.org/VnPower/PixivFE";
-    license = lib.licenses.agpl3Only;
-    mainProgram = "pixivfe";
-    maintainers = with lib.maintainers; [ Guanran928 ];
-    platforms = lib.platforms.linux;
-  };
-}
Author	SHA1	Message	Date
Guanran Wang	4af6d5e6c8	nixos: use prometheus	2024-08-30 01:42:37 +08:00
Guanran Wang	6e2f18af2c	flake: bump	2024-08-29 23:37:29 +08:00
Guanran Wang	d3004d3833	blacksteel: drop matrix-sliding-sync	2024-08-29 23:24:08 +08:00
Guanran Wang	012dd00ed4	tyo0: drop pixivfe	2024-08-29 23:22:46 +08:00
Guanran Wang	16777141b3	tyo0: drop searxng	2024-08-29 23:20:29 +08:00
Guanran Wang	a9f846b242	dust: enable fwupd	2024-08-29 23:15:13 +08:00
Guanran Wang	7c339b95b4	tyo0: drop uptime-kuma	2024-08-29 23:14:13 +08:00
Guanran Wang	a6c6003033	nixos/servers: dont use home-manager	2024-08-28 05:44:22 +08:00
Guanran Wang	de39160e63	nixos: hysteria2 -> vless	2024-08-28 05:02:01 +08:00
Guanran Wang	38125607f8	home/mpv: remove deprecated alias `938938a985/etc/builtin.conf (L60)`	2024-08-28 00:18:08 +08:00
Guanran Wang	d9ba3826aa	tyo0/forgejo: customize	2024-08-27 17:08:53 +08:00