No commits in common. "4af6d5e6c82e1427bae268d1f4bc5a6af980aa16" and "2280df2d04f5eb3770c68d1fa35c8ed81bc81bf8" have entirely different histories.
4af6d5e6c8
...
2280df2d04
36 changed files with 604 additions and 432 deletions
36
flake.lock
36
flake.lock
|
@ -27,11 +27,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724895876,
|
"lastModified": 1724349583,
|
||||||
"narHash": "sha256-GSqAwa00+vRuHbq9O/yRv7Ov7W/pcMLis3HmeHv8a+Q=",
|
"narHash": "sha256-zgB1Cfk46irIsto8666yLdKjqKdBrjR48Dd3lhQ0CnQ=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "disko",
|
"repo": "disko",
|
||||||
"rev": "511388d837178979de66d14ca4a2ebd5f7991cd3",
|
"rev": "435737144be0259559ca3b43f7d72252b1fdcc1b",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -216,11 +216,11 @@
|
||||||
},
|
},
|
||||||
"nixos-hardware": {
|
"nixos-hardware": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724878143,
|
"lastModified": 1724575805,
|
||||||
"narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=",
|
"narHash": "sha256-OB/kEL3GAhUZmUfkbPfsPhKs0pRqJKs0EEBiLfyKZw8=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef",
|
"rev": "9fc19be21f0807d6be092d70bf0b1de0c00ac895",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -231,11 +231,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724748588,
|
"lastModified": 1724395761,
|
||||||
"narHash": "sha256-NlpGA4+AIf1dKNq76ps90rxowlFXUsV9x7vK/mN37JM=",
|
"narHash": "sha256-zRkDV/nbrnp3Y8oCADf5ETl1sDrdmAW6/bBVJ8EbIdQ=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "a6292e34000dc93d43bccf78338770c1c5ec8a99",
|
"rev": "ae815cee91b417be55d43781eb4b73ae1ecc396c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -261,11 +261,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724857454,
|
"lastModified": 1724440431,
|
||||||
"narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=",
|
"narHash": "sha256-9etXEOUtzeMgqg1u0wp+EdwG7RpmrAZ2yX516bMj2aE=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "pre-commit-hooks.nix",
|
"repo": "pre-commit-hooks.nix",
|
||||||
"rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6",
|
"rev": "c8a54057aae480c56e28ef3e14e4960628ac495b",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -302,11 +302,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724898214,
|
"lastModified": 1724552650,
|
||||||
"narHash": "sha256-4yMO9+Lsr3zqTf4clAGGag/bfNTmc/ITOXbJQcOEok4=",
|
"narHash": "sha256-u1xzgrdRTL0DQhjXMgmEvl75IrL8zGf0RS34IQJXxeU=",
|
||||||
"owner": "oxalica",
|
"owner": "oxalica",
|
||||||
"repo": "rust-overlay",
|
"repo": "rust-overlay",
|
||||||
"rev": "0bc2c784e3a6ce30a2ab1b9f47325ccbed13039f",
|
"rev": "19fda552b69513df7b6aa5fcfd1412c0221467b1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -360,11 +360,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724833132,
|
"lastModified": 1724338379,
|
||||||
"narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=",
|
"narHash": "sha256-kKJtaiU5Ou+e/0Qs7SICXF22DLx4V/WhG1P6+k4yeOE=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "treefmt-nix",
|
"repo": "treefmt-nix",
|
||||||
"rev": "3ffd842a5f50f435d3e603312eefa4790db46af5",
|
"rev": "070f834771efa715f3e74cd8ab93ecc96fabc951",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -1,12 +1,10 @@
|
||||||
{ lib, pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
programs.fish = {
|
programs.fish = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
interactiveShellInit = ''
|
interactiveShellInit = ''
|
||||||
set fish_greeting
|
set fish_greeting
|
||||||
'';
|
'';
|
||||||
|
|
||||||
plugins = [
|
plugins = [
|
||||||
{
|
{
|
||||||
name = "autopair";
|
name = "autopair";
|
||||||
|
@ -21,24 +19,5 @@
|
||||||
inherit (pkgs.fishPlugins.puffer) src;
|
inherit (pkgs.fishPlugins.puffer) src;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
functions =
|
|
||||||
let
|
|
||||||
jq = lib.getExe pkgs.jq;
|
|
||||||
nix = lib.getExe pkgs.nix;
|
|
||||||
curl = lib.getExe pkgs.curl;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
"pb" = ''
|
|
||||||
${jq} -Rns '{text: inputs}' | \
|
|
||||||
${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
|
|
||||||
${jq} -r '. | "https://pb.ny4.dev\(.path)"'
|
|
||||||
'';
|
|
||||||
|
|
||||||
"getmnter" = ''
|
|
||||||
${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
|
|
||||||
${jq} '.[].github | "@" + .' -r
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
ao = "pipewire";
|
ao = "pipewire";
|
||||||
vo = "gpu-next";
|
vo = "gpu-next";
|
||||||
hwdec = "auto-safe";
|
hwdec = "auto-safe";
|
||||||
profile = "high-quality";
|
profile = "gpu-hq";
|
||||||
|
|
||||||
alang = "jpn,ja";
|
alang = "jpn,ja";
|
||||||
slang = "eng,en";
|
slang = "eng,en";
|
||||||
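Review bot: `profile = "gpu-hq"` on the new side selects the legacy profile name; as far as I recall, mpv 0.36 renamed it to `high-quality` and keeps `gpu-hq` only as a deprecated alias that logs a warning at startup, so this line will stop working once the alias is dropped. If the intent is to track the current name, `profile = "high-quality";` is the spelling to use; if this is a deliberate downgrade for an older mpv, a comment stating the mpv version it targets would save the next reader a check. The enclosing `programs.mpv` attribute set starts outside the hunk.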
|
|
|
@ -5,14 +5,10 @@
|
||||||
matchBlocks =
|
matchBlocks =
|
||||||
let
|
let
|
||||||
inherit (config.home) homeDirectory;
|
inherit (config.home) homeDirectory;
|
||||||
serverConfig = {
|
|
||||||
identityFile = "${homeDirectory}/.ssh/id_github_signing";
|
|
||||||
user = "root";
|
|
||||||
};
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
"blacksteel" = serverConfig;
|
"blacksteel".identityFile = "${homeDirectory}/.ssh/id_github_signing";
|
||||||
"tyo0.ny4.dev" = serverConfig;
|
"tyo0.ny4.dev".identityFile = "${homeDirectory}/.ssh/id_github_signing";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
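Review bot: Both match blocks point `identityFile` at `id_github_signing`, whose name suggests it is the commit-signing key; reusing one key for signing and for interactive login to two servers means a single key compromise covers all three uses, so a dedicated server-login key (or one per host) would limit the blast radius. Since `identityFile` is set explicitly, adding `identitiesOnly = true;` to each block would also stop ssh from offering every agent key before the intended one, which avoids lockouts on servers with a low `MaxAuthTries`. The first point is inferred from the file name; if the key is in fact login-only, only the second applies. The enclosing `programs.ssh` block starts and ends outside the hunk.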
|
|
|
@ -1,4 +1,5 @@
|
||||||
{
|
{
|
||||||
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
@ -9,52 +10,46 @@
|
||||||
stateVersion = "23.05";
|
stateVersion = "23.05";
|
||||||
};
|
};
|
||||||
|
|
||||||
imports =
|
imports = [
|
||||||
[
|
./applications/atuin
|
||||||
./theme.nix
|
./applications/bash
|
||||||
./xdg-mime.nix
|
./applications/bat
|
||||||
]
|
./applications/eza
|
||||||
++ map (n: ./applications/${n}) [
|
./applications/fish
|
||||||
"atuin"
|
./applications/git
|
||||||
"bash"
|
./applications/gpg
|
||||||
"bat"
|
./applications/neovim
|
||||||
"eza"
|
./applications/ssh
|
||||||
"fcitx5"
|
./applications/starship
|
||||||
"firefox"
|
./applications/tealdeer
|
||||||
"fish"
|
./applications/tmux
|
||||||
"foot"
|
|
||||||
"git"
|
|
||||||
"go"
|
|
||||||
"gpg"
|
|
||||||
"mpv"
|
|
||||||
"nautilus"
|
|
||||||
"neovim"
|
|
||||||
"nix"
|
|
||||||
"ssh"
|
|
||||||
"starship"
|
|
||||||
"sway"
|
|
||||||
"tealdeer"
|
|
||||||
"thunderbird"
|
|
||||||
"tmux"
|
|
||||||
"ydict"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
programs.jq.enable = true;
|
programs.jq.enable = true;
|
||||||
programs.obs-studio.enable = true;
|
|
||||||
programs.ripgrep.enable = true;
|
programs.ripgrep.enable = true;
|
||||||
programs.skim.enable = true;
|
programs.skim.enable = true;
|
||||||
programs.zoxide.enable = true;
|
programs.zoxide.enable = true;
|
||||||
|
|
||||||
home.packages = with pkgs; [
|
home.packages = with pkgs; [
|
||||||
fastfetch
|
fastfetch
|
||||||
fd
|
fd
|
||||||
dconf-editor
|
|
||||||
file-roller
|
|
||||||
fractal
|
|
||||||
gnome-calculator
|
|
||||||
hyperfine
|
|
||||||
loupe
|
|
||||||
seahorse
|
|
||||||
];
|
];
|
||||||
|
|
||||||
|
programs.fish.functions =
|
||||||
|
let
|
||||||
|
jq = lib.getExe pkgs.jq;
|
||||||
|
nix = lib.getExe pkgs.nix;
|
||||||
|
curl = lib.getExe pkgs.curl;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"pb" = ''
|
||||||
|
${jq} -Rns '{text: inputs}' | \
|
||||||
|
${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
|
||||||
|
${jq} -r '. | "https://pb.ny4.dev\(.path)"'
|
||||||
|
'';
|
||||||
|
|
||||||
|
"getmnter" = ''
|
||||||
|
${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
|
||||||
|
${jq} '.[].github | "@" + .' -r
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
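Review bot: The `pb` function pipes curl's output straight into jq without `--fail`, so an HTTP error page from the paste service is parsed as JSON and the function prints a misleading `https://pb.ny4.devnull` (jq renders a null `.path` as the text `null`) with exit status 0; `${curl} -sSf -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \` makes the pipeline fail loudly instead. Likewise `getmnter` interpolates `{$argv}` with no argument check, so calling it with no argument evaluates `nixpkgs#.meta.maintainers` and surfaces a nix parse error rather than a usage message; a guard such as `test (count $argv) -eq 1; or return 1` as the first line of the function body gives a clear failure. A one-line comment above `programs.fish.functions` saying that `pb` uploads stdin to the personal paste service and prints the resulting URL would also help, since the name does not say so.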
|
|
|
@ -14,14 +14,6 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
http://pek0.ny4.dev:80 {
|
|
||||||
import default
|
|
||||||
basicauth {
|
|
||||||
prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
|
|
||||||
}
|
|
||||||
reverse_proxy localhost:9091
|
|
||||||
}
|
|
||||||
|
|
||||||
http://mastodon.ny4.dev:80 {
|
http://mastodon.ny4.dev:80 {
|
||||||
import default
|
import default
|
||||||
handle_path /system/* {
|
handle_path /system/* {
|
||||||
|
@ -65,3 +57,10 @@ http://matrix.ny4.dev:80 {
|
||||||
header_up X-Forwarded-Proto "https"
|
header_up X-Forwarded-Proto "https"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
http://syncv3.ny4.dev:80 {
|
||||||
|
import default
|
||||||
|
reverse_proxy unix//run/matrix-sliding-sync/sync.sock {
|
||||||
|
header_up X-Forwarded-Proto "https"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -37,6 +37,9 @@
|
||||||
restartUnits = [ "matrix-synapse.service" ];
|
restartUnits = [ "matrix-synapse.service" ];
|
||||||
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
||||||
};
|
};
|
||||||
|
"syncv3/environment" = {
|
||||||
|
restartUnits = [ "matrix-sliding-sync.service" ];
|
||||||
|
};
|
||||||
"mastodon/environment" = {
|
"mastodon/environment" = {
|
||||||
restartUnits = [ "mastodon-web.service" ];
|
restartUnits = [ "mastodon-web.service" ];
|
||||||
};
|
};
|
||||||
|
@ -61,7 +64,7 @@
|
||||||
ingress = lib.genAttrs [
|
ingress = lib.genAttrs [
|
||||||
"mastodon.ny4.dev"
|
"mastodon.ny4.dev"
|
||||||
"matrix.ny4.dev"
|
"matrix.ny4.dev"
|
||||||
"pek0.ny4.dev"
|
"syncv3.ny4.dev"
|
||||||
] (_: "http://localhost");
|
] (_: "http://localhost");
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
synapse:
|
synapse:
|
||||||
secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
|
secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
|
||||||
oidc: ENC[AES256_GCM,data:ihiMcrrYvPrNDJ13p6/FbINgh5wxv2vyOYxg0sthipM=,iv:+aESWZLI7/4HWjV7QT94py+zGLbTl+VoSsWdiGNHkjU=,tag:yxxZeDOtzFegCQGQT2HCgA==,type:str]
|
oidc: ENC[AES256_GCM,data:ihiMcrrYvPrNDJ13p6/FbINgh5wxv2vyOYxg0sthipM=,iv:+aESWZLI7/4HWjV7QT94py+zGLbTl+VoSsWdiGNHkjU=,tag:yxxZeDOtzFegCQGQT2HCgA==,type:str]
|
||||||
|
syncv3:
|
||||||
|
environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
|
||||||
mastodon:
|
mastodon:
|
||||||
environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
|
environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
|
||||||
cloudflared:
|
cloudflared:
|
||||||
|
@ -29,8 +31,8 @@ sops:
|
||||||
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
|
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
|
||||||
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
|
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-08-29T15:23:52Z"
|
lastmodified: "2024-06-21T07:19:43Z"
|
||||||
mac: ENC[AES256_GCM,data:32DW8e/ojxJzL8UOAQ3x8jg5fbUC+m+mwom00gXBaBsu/C2CLkOC2xyiZragBjbp/OWy3xoZC3GG7dngXpBT8pSo7T/F8KDnP2fKacvrKJRNBTT+JFjxZ0VkPy82MIi2JBkXqYRF248ofdXHFTHp/71s15R97xVtHEZdtGbEly0=,iv:sMgk1pTVWdgjSlXNvX4EAraw4tNwP1mxzihCv/dSfuI=,tag:FhfSoy5w2WezE++2QGjFrg==,type:str]
|
mac: ENC[AES256_GCM,data:pKWUM3uhmtrwTOlR2jZauWsGSY1d//z+cojpWLFAAKedGjotLB6cmektyAVRHhw3waiM4WR5+BNZ6ghp7qBrM0z2WanJCdSmXqdyxJEydUC9CCFXZG+7SmIZS+7+/LsqejzdYSAMf9DijN74E1EJVS5F0mHhw8QuRmDy3wU789M=,iv:IrOm1Maz8os9Q/ez+TbOxOTr1zwB1loDVHcPbN8kMvg=,tag:AAKp3OH/s2c7u8lp6vkLVg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.8.1
|
||||||
|
|
|
@ -58,4 +58,18 @@
|
||||||
environment = config.networking.proxy.envVars;
|
environment = config.networking.proxy.envVars;
|
||||||
serviceConfig.RuntimeDirectory = [ "matrix-synapse" ];
|
serviceConfig.RuntimeDirectory = [ "matrix-synapse" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.matrix-sliding-sync = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = config.sops.secrets."syncv3/environment".path;
|
||||||
|
settings = {
|
||||||
|
SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
|
||||||
|
SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.matrix-sliding-sync.serviceConfig = {
|
||||||
|
RuntimeDirectory = [ "matrix-sliding-sync" ];
|
||||||
|
SupplementaryGroups = [ "matrix-synapse" ];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
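Review bot: `SYNCV3_BINDADDR` creates a unix socket inside `RuntimeDirectory = [ "matrix-sliding-sync" ]`, but nothing here sets the socket's mode or group, and `SupplementaryGroups = [ "matrix-synapse" ]` only lets sliding-sync reach Synapse's socket, not the reverse; unless the daemon creates the socket world-writable, the `reverse_proxy unix//run/matrix-sliding-sync/sync.sock` block added to the Caddyfile in this same change will be refused. A `serviceConfig.UMask` that leaves the socket group-writable, together with group membership for the caddy user, would make the permission explicit — confirm the mode the daemon uses before relying on it. Separately, `SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock"` repeats the path implied by the `serviceConfig.RuntimeDirectory = [ "matrix-synapse" ]` line above it; a comment tying the two together (or deriving one from the other) avoids silent drift if either is renamed.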
|
|
|
@ -1,8 +1,6 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
config,
|
|
||||||
pkgs,
|
pkgs,
|
||||||
inputs,
|
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
|
@ -21,27 +19,7 @@
|
||||||
time.timeZone = "Asia/Shanghai";
|
time.timeZone = "Asia/Shanghai";
|
||||||
system.stateVersion = "24.05";
|
system.stateVersion = "24.05";
|
||||||
|
|
||||||
users.users = {
|
home-manager.users.guanranwang = import ./home;
|
||||||
"guanranwang" = {
|
|
||||||
isNormalUser = true;
|
|
||||||
description = "Guanran Wang";
|
|
||||||
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
|
|
||||||
shell = pkgs.fish;
|
|
||||||
extraGroups = [
|
|
||||||
"wheel"
|
|
||||||
"nix-access-tokens"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
home-manager = {
|
|
||||||
users.guanranwang = import ../../home;
|
|
||||||
useGlobalPkgs = true;
|
|
||||||
useUserPackages = true;
|
|
||||||
extraSpecialArgs = {
|
|
||||||
inherit inputs;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
boot.tmp.useTmpfs = true;
|
boot.tmp.useTmpfs = true;
|
||||||
|
|
||||||
|
@ -58,8 +36,6 @@
|
||||||
networking.firewall.allowedUDPPorts = [ 53317 ];
|
networking.firewall.allowedUDPPorts = [ 53317 ];
|
||||||
|
|
||||||
programs.adb.enable = true;
|
programs.adb.enable = true;
|
||||||
programs.dconf.enable = true;
|
|
||||||
programs.fish.enable = true;
|
|
||||||
programs.localsend.enable = true;
|
programs.localsend.enable = true;
|
||||||
programs.seahorse.enable = true;
|
programs.seahorse.enable = true;
|
||||||
programs.ssh = {
|
programs.ssh = {
|
||||||
|
@ -189,30 +165,4 @@
|
||||||
"org.freedesktop.impl.portal.Inhibit" = "none";
|
"org.freedesktop.impl.portal.Inhibit" = "none";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.sing-box.settings = {
|
|
||||||
outbounds = [
|
|
||||||
{
|
|
||||||
type = "selector";
|
|
||||||
tag = "select";
|
|
||||||
outbounds = [
|
|
||||||
"tyo0"
|
|
||||||
"direct"
|
|
||||||
];
|
|
||||||
default = "tyo0";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
route = {
|
|
||||||
final = "select";
|
|
||||||
};
|
|
||||||
|
|
||||||
experimental = {
|
|
||||||
clash_api = {
|
|
||||||
external_controller = "127.0.0.1:9090";
|
|
||||||
external_ui = pkgs.metacubexd;
|
|
||||||
secret = "hunter2";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
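Review bot: On the new side this file no longer declares `users.users.guanranwang` or `programs.fish.enable`, yet it still attaches `home-manager.users.guanranwang = import ./home;`, and the home side of this same change enables fish; if the account and the system-level fish enablement are not provided by another module, home-manager has no user to target and fish is not registered in `/etc/shells` as a login shell. The `home-manager` block also lost `useGlobalPkgs`, `useUserPackages` and the `inherit inputs` specialArg, so any module under ./home that still reads `inputs` would fail to evaluate unless that argument now comes from elsewhere. A one-line comment here naming where the user account is defined would settle both questions for the next reader.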
|
|
|
@ -5,9 +5,6 @@
|
||||||
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-12th-gen
|
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-12th-gen
|
||||||
];
|
];
|
||||||
|
|
||||||
services.fwupd.enable = true;
|
|
||||||
services.fprintd.enable = true;
|
|
||||||
|
|
||||||
security.rtkit.enable = true;
|
security.rtkit.enable = true;
|
||||||
hardware.pulseaudio.enable = false;
|
hardware.pulseaudio.enable = false;
|
||||||
services.pipewire = {
|
services.pipewire = {
|
||||||
|
@ -20,6 +17,8 @@
|
||||||
settings.General.FastConnectable = true;
|
settings.General.FastConnectable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.fprintd.enable = true;
|
||||||
|
|
||||||
boot.loader.timeout = 0;
|
boot.loader.timeout = 0;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
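Review bot: `services.fwupd.enable = true;` is gone on the new side while the host still imports `lenovo-thinkpad-x1-12th-gen`, so firmware updates via fwupd/LVFS are no longer available from this machine. If that is intentional, a short comment next to `services.fprintd.enable = true;` saying where firmware updates now come from would stop a later reader from re-adding it; if not, the line should return alongside it.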
|
|
||||||
|
|
32
hosts/dust/home/default.nix
Normal file
32
hosts/dust/home/default.nix
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[
|
||||||
|
./theme.nix
|
||||||
|
./xdg-mime.nix
|
||||||
|
]
|
||||||
|
++ map (n: ../../../home/applications/${n}) [
|
||||||
|
"fcitx5"
|
||||||
|
"firefox"
|
||||||
|
"foot"
|
||||||
|
"go"
|
||||||
|
"mpv"
|
||||||
|
"nautilus"
|
||||||
|
"nix"
|
||||||
|
"sway"
|
||||||
|
"thunderbird"
|
||||||
|
"ydict"
|
||||||
|
];
|
||||||
|
|
||||||
|
home.packages = with pkgs; [
|
||||||
|
dconf-editor
|
||||||
|
file-roller
|
||||||
|
fractal
|
||||||
|
gnome-calculator
|
||||||
|
hyperfine
|
||||||
|
loupe
|
||||||
|
seahorse
|
||||||
|
];
|
||||||
|
|
||||||
|
programs.obs-studio.enable = true;
|
||||||
|
}
|
|
@ -1,3 +1,11 @@
|
||||||
|
{
|
||||||
|
# Disables HTTP/3 for Hysteria
|
||||||
|
# https://github.com/apernet/hysteria/issues/768
|
||||||
|
servers :443 {
|
||||||
|
protocols h1 h2 h2c
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
(default) {
|
(default) {
|
||||||
encode zstd gzip
|
encode zstd gzip
|
||||||
handle_path /robots.txt {
|
handle_path /robots.txt {
|
||||||
|
@ -15,10 +23,7 @@ www.ny4.dev {
|
||||||
# get the certificate for hysteria
|
# get the certificate for hysteria
|
||||||
tyo0.ny4.dev {
|
tyo0.ny4.dev {
|
||||||
import default
|
import default
|
||||||
basicauth {
|
redir https://blog.ny4.dev
|
||||||
prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
|
|
||||||
}
|
|
||||||
reverse_proxy localhost:9091
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ny4.dev {
|
ny4.dev {
|
||||||
|
@ -44,16 +49,34 @@ ny4.dev {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
searx.ny4.dev {
|
||||||
|
import default
|
||||||
|
reverse_proxy localhost:8100
|
||||||
|
}
|
||||||
|
|
||||||
pb.ny4.dev {
|
pb.ny4.dev {
|
||||||
import default
|
import default
|
||||||
reverse_proxy localhost:8200
|
reverse_proxy localhost:8200
|
||||||
}
|
}
|
||||||
|
|
||||||
|
uptime.ny4.dev {
|
||||||
|
import default
|
||||||
|
reverse_proxy localhost:8300
|
||||||
|
}
|
||||||
|
|
||||||
ntfy.ny4.dev {
|
ntfy.ny4.dev {
|
||||||
import default
|
import default
|
||||||
reverse_proxy unix//run/ntfy-sh/ntfy.sock
|
reverse_proxy unix//run/ntfy-sh/ntfy.sock
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pixiv.ny4.dev {
|
||||||
|
import default
|
||||||
|
basicauth {
|
||||||
|
Guanran928 $2a$14$aI977hGZCX6H9IiyG7avdOFxXFGtlt7DcIahTkInPhEx9Sfhk7bri
|
||||||
|
}
|
||||||
|
reverse_proxy unix//run/pixivfe/pixiv.sock
|
||||||
|
}
|
||||||
|
|
||||||
id.ny4.dev {
|
id.ny4.dev {
|
||||||
import default
|
import default
|
||||||
reverse_proxy localhost:8800
|
reverse_proxy localhost:8800
|
||||||
|
@ -108,8 +131,3 @@ vault.ny4.dev {
|
||||||
import default
|
import default
|
||||||
reverse_proxy localhost:9500
|
reverse_proxy localhost:9500
|
||||||
}
|
}
|
||||||
|
|
||||||
prom.ny4.dev {
|
|
||||||
import default
|
|
||||||
reverse_proxy localhost:9090
|
|
||||||
}
|
|
||||||
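Review bot: The `pixiv.ny4.dev` block embeds the bcrypt hash for `Guanran928` directly in the Caddyfile, while the rest of this host keeps credentials in sops (`hysteria/auth`, `pixivfe/environment`); a bcrypt hash is not a password, but committing it lets anyone with repository access crack it offline, so `basicauth { Guanran928 {$PIXIV_BASICAUTH_HASH} }` with the variable supplied through an `EnvironmentFile` on the caddy unit keeps it out of git (the variable name is a placeholder). Recent Caddy also spells the directive `basic_auth`; the old spelling still parses but is worth updating while the block is being touched. In the new global block, `protocols h1 h2 h2c` on `:443` lists `h2c`, which is cleartext HTTP/2 and only relevant to a plaintext listener; `protocols h1 h2` states the intent (no HTTP/3, per the comment) without the dead entry.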
|
|
|
@ -1,6 +1,5 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
config,
|
|
||||||
modulesPath,
|
modulesPath,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
|
@ -11,15 +10,14 @@
|
||||||
./anti-feature.nix
|
./anti-feature.nix
|
||||||
|
|
||||||
./services/forgejo.nix
|
./services/forgejo.nix
|
||||||
|
./services/hysteria.nix
|
||||||
./services/keycloak.nix
|
./services/keycloak.nix
|
||||||
./services/miniflux.nix
|
./services/miniflux.nix
|
||||||
./services/murmur.nix
|
./services/murmur.nix
|
||||||
./services/ntfy.nix
|
./services/ntfy.nix
|
||||||
./services/prometheus.nix
|
./services/pixivfe.nix
|
||||||
./services/redlib.nix
|
./services/searx.nix
|
||||||
./services/sing-box.nix
|
|
||||||
./services/vaultwarden.nix
|
./services/vaultwarden.nix
|
||||||
./services/wastebin.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
|
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
|
||||||
|
@ -37,12 +35,14 @@
|
||||||
|
|
||||||
### Secrets
|
### Secrets
|
||||||
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
||||||
"sing-box/auth" = {
|
"hysteria/auth" = {
|
||||||
restartUnits = [ "sing-box.service" ];
|
restartUnits = [ "hysteria.service" ];
|
||||||
};
|
};
|
||||||
"prometheus/auth" = {
|
"pixivfe/environment" = {
|
||||||
owner = config.systemd.services.prometheus.serviceConfig.User;
|
restartUnits = [ "pixivfe.service" ];
|
||||||
restartUnits = [ "prometheus.service" ];
|
};
|
||||||
|
"searx/environment" = {
|
||||||
|
restartUnits = [ "searx.service" ];
|
||||||
};
|
};
|
||||||
"miniflux/environment" = {
|
"miniflux/environment" = {
|
||||||
restartUnits = [ "miniflux.service" ];
|
restartUnits = [ "miniflux.service" ];
|
||||||
|
@ -53,11 +53,11 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
### Services
|
### Services
|
||||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
networking.firewall.allowedUDPPorts = [ 443 ]; # hysteria
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
80
|
80
|
||||||
443
|
443
|
||||||
];
|
]; # caddy
|
||||||
|
|
||||||
systemd.tmpfiles.settings = {
|
systemd.tmpfiles.settings = {
|
||||||
"10-www" = {
|
"10-www" = {
|
||||||
|
@ -105,6 +105,22 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.wastebin = {
|
||||||
|
enable = true;
|
||||||
|
settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.uptime-kuma = {
|
||||||
|
enable = true;
|
||||||
|
settings.PORT = "8300";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.redlib = {
|
||||||
|
enable = true;
|
||||||
|
address = "127.0.0.1";
|
||||||
|
port = 9400;
|
||||||
|
};
|
||||||
|
|
||||||
### Prevents me from bankrupt
|
### Prevents me from bankrupt
|
||||||
# https://fmk.im/p/shutdown-aws/
|
# https://fmk.im/p/shutdown-aws/
|
||||||
services.vnstat.enable = true;
|
services.vnstat.enable = true;
|
||||||
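Review bot: The three new service blocks pin their listen address inconsistently: `services.wastebin` sets `WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200"` and `services.redlib` sets `address = "127.0.0.1"`, but `services.uptime-kuma` sets only `settings.PORT = "8300"`. The `uptime.ny4.dev` Caddy block in this same change proxies to `localhost:8300` and the firewall only opens 80/443, so nothing is exposed today, but an explicit `settings.HOST = "127.0.0.1";` (Uptime Kuma reads `HOST` the same way it reads `PORT`, as far as I know) makes the loopback-only intent visible instead of relying on the module default. The `# hysteria` and `# caddy` comments on the firewall lines are a good addition; the same one-word comment on each port block (`# pb.ny4.dev`, `# uptime.ny4.dev`) would tie the numbers to the Caddy vhosts.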
|
|
|
@ -2,4 +2,7 @@
|
||||||
"m.homeserver": {
|
"m.homeserver": {
|
||||||
"base_url": "https://matrix.ny4.dev"
|
"base_url": "https://matrix.ny4.dev"
|
||||||
},
|
},
|
||||||
|
"org.matrix.msc3575.proxy": {
|
||||||
|
"url": "https://syncv3.ny4.dev"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,11 +1,13 @@
|
||||||
sing-box:
|
hysteria:
|
||||||
auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str]
|
auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
|
||||||
|
searx:
|
||||||
|
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
||||||
|
pixivfe:
|
||||||
|
environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
|
||||||
miniflux:
|
miniflux:
|
||||||
environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
|
environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
|
||||||
vaultwarden:
|
vaultwarden:
|
||||||
environment: ENC[AES256_GCM,data:+pcUVL7yVXKVp57/feHHWmSuH/2B0hLtADxZWCQOOMG+M3UQh+4dHA5debiv,iv:Zy6xn4Z4VwVXfWWjVeCYY/gRnDp//7yUPLbtLuABFPY=,tag:LxEc31YhgyjEhDrqoJxCJw==,type:str]
|
environment: ENC[AES256_GCM,data:+pcUVL7yVXKVp57/feHHWmSuH/2B0hLtADxZWCQOOMG+M3UQh+4dHA5debiv,iv:Zy6xn4Z4VwVXfWWjVeCYY/gRnDp//7yUPLbtLuABFPY=,tag:LxEc31YhgyjEhDrqoJxCJw==,type:str]
|
||||||
prometheus:
|
|
||||||
auth: ENC[AES256_GCM,data:sQ7oEL2gGz2nnn+QGcmmI3IwNEWbZ13s2/3QLj0O0BZp,iv:r7F70DzMNrcuxq2LISwm4tXjiR8m9eyt8GQyiuWxvhM=,tag:LfpxK3wcuMFCmFQn/iPZsw==,type:str]
|
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -30,8 +32,8 @@ sops:
|
||||||
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
|
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
|
||||||
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
|
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-08-29T16:26:25Z"
|
lastmodified: "2024-08-12T12:55:54Z"
|
||||||
mac: ENC[AES256_GCM,data:jpm+TBCtdFcgfRvzg+mTgWtu20/rm6nF/OdxUGbufkC1Y0Z8+eb8nIBe1TJhodt6kT/NdPRVI0N1JLD5XOwduvqL/QoZGzGkBfEVqFvnTxQYVVXp4sWdqji26XPb1sn+gbmobR4qlZPxdmvKZWEQxO2VJpKA3Bfalwa9fy0ajHE=,iv:XDRDEP/+rs2DLLkrftSxlxDMbdz7W9nHBEs0QWIDK88=,tag:UVmyD5FOev9LPRBvMcmJyw==,type:str]
|
mac: ENC[AES256_GCM,data:H1zm+Rk9F9SkRbANU4GYjhZpys3e5qQNBBsdIbgXD3AZTAKZVyemT6Vb8k0ufkfzQ98L0Xrm/S1JQFvcyaZqRHv+C2GW3F34FlSS4IOtaJz9IgVIdvaM4WvaOTtpC5B+5CKnA/oBPOmhEBCdi2LIjzrUltEzKpemWHkIIT2eHQA=,iv:1RCjLEz0W+tHQep4EguweYKSfePXa1VE3+gzlcFsAug=,tag:Oonqihfe83l5SNOmLjOPYg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||
|
|
|
@ -5,10 +5,6 @@
|
||||||
package = pkgs.forgejo;
|
package = pkgs.forgejo;
|
||||||
database.type = "postgres";
|
database.type = "postgres";
|
||||||
settings = {
|
settings = {
|
||||||
DEFAULT = {
|
|
||||||
APP_NAME = "git.ny4.dev";
|
|
||||||
};
|
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
DOMAIN = "git.ny4.dev";
|
DOMAIN = "git.ny4.dev";
|
||||||
PROTOCOL = "http+unix";
|
PROTOCOL = "http+unix";
|
||||||
|
@ -19,11 +15,6 @@
|
||||||
service = {
|
service = {
|
||||||
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
|
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
repository = {
|
|
||||||
DISABLE_STARS = true;
|
|
||||||
DEFAULT_BRANCH = "master";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
30
hosts/tyo0/services/hysteria.nix
Normal file
30
hosts/tyo0/services/hysteria.nix
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
services.hysteria = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
auth = {
|
||||||
|
type = "userpass";
|
||||||
|
userpass = {
|
||||||
|
_secret = "/run/credentials/hysteria.service/auth";
|
||||||
|
quote = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
masquerade = {
|
||||||
|
type = "proxy";
|
||||||
|
proxy.url = "https://ny4.dev/";
|
||||||
|
};
|
||||||
|
tls = {
|
||||||
|
cert = "/run/credentials/hysteria.service/cert";
|
||||||
|
key = "/run/credentials/hysteria.service/key";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services."hysteria".serviceConfig.LoadCredential = [
|
||||||
|
# FIXME: remove hardcoded path
|
||||||
|
"auth:${config.sops.secrets."hysteria/auth".path}"
|
||||||
|
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
|
||||||
|
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
|
||||||
|
];
|
||||||
|
}
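Review bot: `LoadCredential` copies the three files into `/run/credentials/hysteria.service/` once, when the unit starts, so the `cert` and `key` entries are a snapshot of Caddy's ACME storage; when Caddy renews `tyo0.ny4.dev` the running Hysteria keeps serving the old certificate until something restarts it, and nothing here does (the `FIXME` covers the hardcoded path, not the staleness). A `systemd.paths` unit whose `pathConfig.PathChanged` points at the `.crt` file and whose service runs `systemctl restart hysteria.service` closes that gap; please extend the FIXME comment to mention it. The `_secret` / `quote = false` pair is module-specific and undocumented here — a one-line comment saying that `_secret` is replaced at runtime with the contents of the credential file would help the next reader.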
|
23
hosts/tyo0/services/pixivfe.nix
Normal file
23
hosts/tyo0/services/pixivfe.nix
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
{
|
||||||
|
pkgs,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
|
services.pixivfe = {
|
||||||
|
enable = true;
|
||||||
|
EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
|
||||||
|
settings = {
|
||||||
|
PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
|
||||||
|
PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.pixivfe.serviceConfig = {
|
||||||
|
RuntimeDirectory = [ "pixivfe" ];
|
||||||
|
ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
|
||||||
|
${pkgs.coreutils}/bin/sleep 5
|
||||||
|
${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
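Review bot: `ExecStartPost` sleeps 5 s and then runs `chmod 777 /run/pixivfe/pixiv.sock`, which is both a race (if pixivfe takes longer to bind, chmod fails and, as an `ExecStartPost` failure, takes the unit down) and broader than needed (any local user can talk to the socket). This same change already solves the consumer-side problem for `matrix-sliding-sync` with `SupplementaryGroups = [ "matrix-synapse" ]`; mirroring that here — `serviceConfig.UMask = "0007";` so the socket is created group-writable, plus `SupplementaryGroups` for the caddy unit naming pixivfe's group — removes both the sleep and the world-writable mode. Confirm which user and group the pixivfe module runs the service under before wiring it up.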
|
|
@ -1,140 +0,0 @@
|
||||||
{
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
config,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
|
||||||
services.prometheus = {
|
|
||||||
enable = true;
|
|
||||||
listenAddress = "127.0.0.1";
|
|
||||||
port = 9090;
|
|
||||||
|
|
||||||
exporters.blackbox = {
|
|
||||||
enable = true;
|
|
||||||
listenAddress = "127.0.0.1";
|
|
||||||
port = 9093;
|
|
||||||
configFile = (pkgs.formats.yaml { }).generate "config.yaml" {
|
|
||||||
modules = {
|
|
||||||
http_2xx = {
|
|
||||||
prober = "http";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
scrapeConfigs = [
|
|
||||||
{
|
|
||||||
job_name = "metrics";
|
|
||||||
scheme = "https";
|
|
||||||
basic_auth = {
|
|
||||||
username = "prometheus";
|
|
||||||
password_file = config.sops.secrets."prometheus/auth".path;
|
|
||||||
};
|
|
||||||
static_configs = lib.singleton {
|
|
||||||
targets = [
|
|
||||||
"tyo0.ny4.dev"
|
|
||||||
"pek0.ny4.dev"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{
|
|
||||||
job_name = "http";
|
|
||||||
scheme = "http";
|
|
||||||
metrics_path = "/probe";
|
|
||||||
params = {
|
|
||||||
module = [ "http_2xx" ];
|
|
||||||
};
|
|
||||||
static_configs = lib.singleton {
|
|
||||||
targets = [
|
|
||||||
"https://blog.ny4.dev"
|
|
||||||
"https://cinny.ny4.dev"
|
|
||||||
"https://element.ny4.dev"
|
|
||||||
"https://git.ny4.dev"
|
|
||||||
"https://id.ny4.dev"
|
|
||||||
"https://mastodon.ny4.dev"
|
|
||||||
"https://matrix.ny4.dev"
|
|
||||||
"https://ntfy.ny4.dev"
|
|
||||||
"https://pb.ny4.dev"
|
|
||||||
"https://reddit.ny4.dev"
|
|
||||||
"https://rss.ny4.dev"
|
|
||||||
"https://vault.ny4.dev"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
relabel_configs = [
|
|
||||||
{
|
|
||||||
source_labels = [ "__address__" ];
|
|
||||||
target_label = "__param_target";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
source_labels = [ "__param_target" ];
|
|
||||||
target_label = "instance";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
target_label = "__address__";
|
|
||||||
replacement = "127.0.0.1:9093";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
|
|
||||||
];
|
|
||||||
|
|
||||||
rules = lib.singleton (
|
|
||||||
builtins.toJSON {
|
|
||||||
groups = lib.singleton {
|
|
||||||
name = "metrics";
|
|
||||||
rules = [
|
|
||||||
{
|
|
||||||
alert = "NodeDown";
|
|
||||||
expr = ''up == 0'';
|
|
||||||
for = "5m";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
alert = "HTTPDown";
|
|
||||||
expr = ''probe_http_status_code < 200 or probe_http_status_code > 299'';
|
|
||||||
for = "5m";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
alert = "MemoryFull";
|
|
||||||
expr = ''node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes < 0.1'';
|
|
||||||
}
|
|
||||||
{
|
|
||||||
alert = "DiskFull";
|
|
||||||
expr = ''node_filesystem_avail_bytes{mountpoint=~"/|/mnt"} / node_filesystem_size_bytes < 0.1'';
|
|
||||||
}
|
|
||||||
{
|
|
||||||
alert = "UnitFailed";
|
|
||||||
expr = ''node_systemd_unit_state{state="failed"} == 1'';
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
||||||
);
|
|
||||||
|
|
||||||
alertmanagers = lib.singleton {
|
|
||||||
static_configs = lib.singleton {
|
|
||||||
targets = [
|
|
||||||
"127.0.0.1:9092"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
alertmanager = {
|
|
||||||
enable = true;
|
|
||||||
listenAddress = "127.0.0.1";
|
|
||||||
port = 9092;
|
|
||||||
|
|
||||||
configuration = {
|
|
||||||
receivers = lib.singleton {
|
|
||||||
name = "ntfy";
|
|
||||||
webhook_configs = lib.singleton {
|
|
||||||
url = "https://ntfy.ny4.dev/alert";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
route = {
|
|
||||||
receiver = "ntfy";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,7 +0,0 @@
|
||||||
{
|
|
||||||
services.redlib = {
|
|
||||||
enable = true;
|
|
||||||
address = "127.0.0.1";
|
|
||||||
port = 9400;
|
|
||||||
};
|
|
||||||
}
|
|
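--- a/hosts/tyo0/services/searx.nix
+++ b/hosts/tyo0/services/searx.nix
@@ -0,0 +1,20 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+{
+  services.searx = {
+    enable = true;
+    package = pkgs.searxng;
+    environmentFile = config.sops.secrets."searx/environment".path;
+    settings = {
+      general.contact_url = "mailto:guanran928@outlook.com";
+      search.autocomplete = "google";
+      server = {
+        port = 8100;
+        secret_key = "@SEARX_SECRET@";
+      };
+    };
+  };
+}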
|
@ -1,56 +0,0 @@
|
||||||
{ config, ... }:
|
|
||||||
{
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
|
||||||
27253
|
|
||||||
];
|
|
||||||
|
|
||||||
services.sing-box = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
log = {
|
|
||||||
level = "info";
|
|
||||||
};
|
|
||||||
|
|
||||||
inbounds = [
|
|
||||||
{
|
|
||||||
type = "vless";
|
|
||||||
tag = "inbound";
|
|
||||||
listen = "0.0.0.0";
|
|
||||||
listen_port = 27253;
|
|
||||||
users = {
|
|
||||||
_secret = "/run/credentials/sing-box.service/auth";
|
|
||||||
quote = false;
|
|
||||||
};
|
|
||||||
tls = {
|
|
||||||
enabled = true;
|
|
||||||
server_name = "tyo0.ny4.dev";
|
|
||||||
certificate_path = "/run/credentials/sing-box.service/cert";
|
|
||||||
key_path = "/run/credentials/sing-box.service/key";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
outbounds = [
|
|
||||||
{
|
|
||||||
type = "direct";
|
|
||||||
tag = "direct";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
route = {
|
|
||||||
final = "direct";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services."sing-box".serviceConfig.LoadCredential =
|
|
||||||
let
|
|
||||||
# FIXME: remove hardcoded path
|
|
||||||
path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
|
|
||||||
in
|
|
||||||
[
|
|
||||||
"auth:${config.sops.secrets."sing-box/auth".path}"
|
|
||||||
"cert:${path}/tyo0.ny4.dev.crt"
|
|
||||||
"key:${path}/tyo0.ny4.dev.key"
|
|
||||||
];
|
|
||||||
}
|
|
|
@ -1,6 +0,0 @@
|
||||||
{
|
|
||||||
services.wastebin = {
|
|
||||||
enable = true;
|
|
||||||
settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,4 +1,7 @@
|
||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
imports = [ ];
|
imports = [
|
||||||
|
./services/hysteria.nix
|
||||||
|
./services/pixivfe.nix
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
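--- a/nixos/modules/services/hysteria.nix
+++ b/nixos/modules/services/hysteria.nix
@@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  ...
+}:
+let
+  cfg = config.services.hysteria;
+  settingsFormat = pkgs.formats.json { };
+in
+{
+  options.services.hysteria = {
+    enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
+
+    package = lib.mkPackageOption pkgs "hysteria" { };
+
+    mode = lib.mkOption {
+      type = lib.types.enum [
+        "server"
+        "client"
+      ];
+      default = "server";
+      description = "Whether to use Hysteria as a client or a server.";
+    };
+
+    settings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+      };
+      default = { };
+      description = ''
+        The Hysteria configuration, see https://hysteria.network/ for documentation.
+
+        Options containing secret data should be set to an attribute set
+        containing the attribute `_secret` - a string pointing to a file
+        containing the value the option should be set to.
+
+        Ignored when `services.hysteria.configFile` is set.
+      '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    systemd.services."hysteria" = {
+      description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
+      documentation = [ "https://hysteria.network/" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json";
+      serviceConfig = {
+        ExecStart = lib.concatStringsSep " " [
+          (lib.getExe cfg.package)
+          cfg.mode
+          "--config /var/lib/private/hysteria/config.json"
+        ];
+
+        DynamicUser = true;
+        StateDirectory = "hysteria";
+
+        ### Hardening
+        AmbientCapabilities = [
+          "CAP_NET_ADMIN"
+          "CAP_NET_BIND_SERVICE"
+          "CAP_NET_RAW"
+        ];
+        CapabilityBoundingSet = [
+          "CAP_NET_ADMIN"
+          "CAP_NET_BIND_SERVICE"
+          "CAP_NET_RAW"
+        ];
+        NoNewPrivileges = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RestrictNamespaces = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        UMask = "0077";
+      };
+    };
+  };
+}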
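Review bot: The `settings` description ends with "Ignored when `services.hysteria.configFile` is set", but no `configFile` option is declared anywhere in this module, so the sentence documents behaviour that does not exist; drop it, or add the option and have `preStart`/`ExecStart` honour it. The service is granted `CAP_NET_ADMIN` and `CAP_NET_RAW` regardless of `cfg.mode`; if those are only needed for the client's TUN mode, as seems likely, wrapping them in `lib.optionals (cfg.mode == "client")` in both capability lists leaves the server with `CAP_NET_BIND_SERVICE` alone. A short comment above the two lists naming which mode needs which capability would make that intent visible to the next reader.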
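--- a/nixos/modules/services/pixivfe.nix
+++ b/nixos/modules/services/pixivfe.nix
@@ -0,0 +1,125 @@
+{
+  lib,
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.pixivfe;
+in
+{
+  options.services.pixivfe = {
+    enable = lib.mkEnableOption "PixivFE, a privacy respecting frontend for Pixiv";
+
+    package =
+      lib.mkPackageOption inputs.self.legacyPackages.${pkgs.stdenv.hostPlatform.system} "pixivfe"
+        { };
+
+    openFirewall = lib.mkEnableOption "open ports in the firewall needed for the daemon to function";
+
+    settings = lib.mkOption {
+      type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
+      default = null;
+      example = lib.literalExpression ''
+        {
+          PIXIVFE_PORT = "8282";
+          PIXIVFE_TOKEN = "123456_AaBbccDDeeFFggHHIiJjkkllmMnnooPP";
+        };
+      '';
+      description = ''
+        Additional configuration for PixivFE, see
+        <https://pixivfe.pages.dev/environment-variables/> for supported values.
+        For secrets use `EnvironmentFile` option instead.
+      '';
+    };
+
+    EnvironmentFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      example = lib.literalExpression ''
+        /run/secrets/environment
+      '';
+      description = ''
+        File containing environment variables to be passed to the PixivFE service.
+
+        See `systemd.exec(5)` for more information.
+      '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = if cfg.openFirewall then (cfg.settings ? PIXIVFE_PORT) else true;
+        message = ''
+          PIXIVFE_PORT must be specified for NixOS to open a port.
+
+          See https://pixivfe.pages.dev/environment-variables/ for more information.
+        '';
+      }
+      {
+        assertion =
+          if (cfg.EnvironmentFile == null) then
+            (cfg.settings ? PIXIVFE_UNIXSOCKET) || (cfg.settings ? PIXIVFE_PORT)
+          else
+            true;
+        message = ''
+          PIXIVFE_PORT or PIXIVFE_UNIXSOCKET must be set for PixivFE to run.
+
+          See https://pixivfe.pages.dev/environment-variables/ for more information.
+        '';
+      }
+      {
+        assertion = if (cfg.EnvironmentFile == null) then cfg.settings ? PIXIVFE_TOKEN else true;
+        message = ''
+          PIXIVFE_TOKEN must be set for PixivFE to run.
+
+          See https://pixivfe.pages.dev/environment-variables/ for more information.
+        '';
+      }
+    ];
+
+    systemd.services."pixivfe" = {
+      description = "PixivFE, a privacy respecting frontend for Pixiv.";
+      documentation = [ "https://pixivfe.pages.dev/" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      environment = lib.mkIf (cfg.settings != null) (
+        lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings
+      );
+      serviceConfig = {
+        inherit (cfg) EnvironmentFile;
+        ExecStart = lib.getExe cfg.package;
+        DynamicUser = true;
+
+        ### Hardening
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; # For ports <= 1024
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        NoNewPrivileges = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        UMask = "0077";
+      };
+    };
+
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.settings.PIXIVFE_PORT ];
+    };
+  };
+}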
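Review bot: The `settings` example places `PIXIVFE_TOKEN` inline, yet every `settings` value is copied into `systemd.services.pixivfe.environment` and therefore into the world-readable Nix store and unit file, which is exactly what the description's "For secrets use `EnvironmentFile`" line warns against; the example should show only `PIXIVFE_PORT`, with the token left to `EnvironmentFile`. `allowedTCPPorts = [ cfg.settings.PIXIVFE_PORT ]` expects a list of port numbers while the example (and the `toString` rendering into the environment) treats the value as a string like `"8282"`, so `openFirewall` fails the option type check for that form; `allowedTCPPorts = [ (lib.toInt (toString cfg.settings.PIXIVFE_PORT)) ];` accepts both. The `# For ports <= 1024` comment is off by one: the privileged range is ports below 1024.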
|
@ -1,4 +1,5 @@
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
lib,
|
lib,
|
||||||
inputs,
|
inputs,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
@ -25,6 +26,15 @@
|
||||||
inputs.self.overlays.patches
|
inputs.self.overlays.patches
|
||||||
];
|
];
|
||||||
|
|
||||||
|
home-manager = {
|
||||||
|
users.guanranwang = import ../../../home;
|
||||||
|
useGlobalPkgs = true;
|
||||||
|
useUserPackages = true;
|
||||||
|
extraSpecialArgs = {
|
||||||
|
inherit inputs;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
@ -43,19 +53,55 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
users.mutableUsers = false;
|
users.mutableUsers = false;
|
||||||
|
users.users = {
|
||||||
|
"guanranwang" = {
|
||||||
|
isNormalUser = true;
|
||||||
|
description = "Guanran Wang";
|
||||||
|
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
|
||||||
|
shell = pkgs.fish;
|
||||||
|
extraGroups = [
|
||||||
|
"wheel"
|
||||||
|
"nix-access-tokens"
|
||||||
|
];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
boot.initrd.systemd.enable = true;
|
boot.initrd.systemd.enable = true;
|
||||||
environment.stub-ld.enable = false;
|
environment.stub-ld.enable = false;
|
||||||
|
|
||||||
programs.command-not-found.enable = false;
|
programs.command-not-found.enable = false;
|
||||||
|
programs.dconf.enable = true;
|
||||||
|
programs.fish.enable = true;
|
||||||
programs.nano.enable = false;
|
programs.nano.enable = false;
|
||||||
programs.vim = {
|
programs.vim = {
|
||||||
enable = true;
|
enable = true;
|
||||||
defaultEditor = true;
|
defaultEditor = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Avoid TOFU MITM with github by providing their public key here.
|
||||||
|
programs.ssh.knownHosts = {
|
||||||
|
"github.com".hostNames = [ "github.com" ];
|
||||||
|
"github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
|
||||||
|
|
||||||
|
"gitlab.com".hostNames = [ "gitlab.com" ];
|
||||||
|
"gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
|
||||||
|
|
||||||
|
"git.sr.ht".hostNames = [ "git.sr.ht" ];
|
||||||
|
"git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
|
||||||
|
};
|
||||||
|
|
||||||
# https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
|
# https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
|
||||||
services.dbus.implementation = lib.mkDefault "broker";
|
services.dbus.implementation = lib.mkDefault "broker";
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
|
||||||
|
settings.PasswordAuthentication = false;
|
||||||
|
};
|
||||||
|
|
||||||
security.sudo.execWheelOnly = true;
|
security.sudo.execWheelOnly = true;
|
||||||
security.sudo.extraConfig = ''
|
security.sudo.extraConfig = ''
|
||||||
Defaults lecture = never
|
Defaults lecture = never
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
{ config, lib, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
services.prometheus.exporters.node = {
|
|
||||||
enable = true;
|
|
||||||
listenAddress = "127.0.0.1";
|
|
||||||
port = 9091;
|
|
||||||
enabledCollectors = [ "systemd" ];
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,22 +1,17 @@
|
||||||
{ pkgs, ... }:
|
|
||||||
{
|
{
|
||||||
imports = [
|
pkgs,
|
||||||
../prometheus
|
config,
|
||||||
];
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
foot.terminfo
|
foot.terminfo
|
||||||
];
|
];
|
||||||
|
|
||||||
services.openssh = {
|
# TODO: colmena
|
||||||
enable = true;
|
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
||||||
settings.PermitRootLogin = "prohibit-password";
|
users.users."root".openssh.authorizedKeys.keys =
|
||||||
settings.PasswordAuthentication = false;
|
config.users.users.guanranwang.openssh.authorizedKeys.keys;
|
||||||
};
|
|
||||||
|
|
||||||
users.users."root".openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
|
|
||||||
];
|
|
||||||
|
|
||||||
time.timeZone = "UTC";
|
time.timeZone = "UTC";
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
{
|
{
|
||||||
lib,
|
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
|
@ -25,12 +24,11 @@
|
||||||
|
|
||||||
outbounds = [
|
outbounds = [
|
||||||
{
|
{
|
||||||
type = "vless";
|
type = "hysteria2";
|
||||||
tag = "tyo0";
|
tag = "tyo0";
|
||||||
server = "tyo0.ny4.dev";
|
server = "tyo0.ny4.dev";
|
||||||
server_port = 27253;
|
server_port = 443;
|
||||||
uuid = "29e54ee5-43f5-4891-b750-ca73c7e3b2b3";
|
password._secret = config.sops.secrets."sing-box/tyo0".path;
|
||||||
flow = "xtls-rprx-vision";
|
|
||||||
tls.enabled = true;
|
tls.enabled = true;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
@ -78,7 +76,15 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
final = lib.mkDefault "tyo0";
|
final = "tyo0";
|
||||||
|
};
|
||||||
|
|
||||||
|
experimental = {
|
||||||
|
clash_api = {
|
||||||
|
external_controller = "127.0.0.1:9090";
|
||||||
|
external_ui = pkgs.metacubexd;
|
||||||
|
secret = "hunter2";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -89,7 +95,7 @@
|
||||||
httpsProxy = "http://127.0.0.1:1080/";
|
httpsProxy = "http://127.0.0.1:1080/";
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.fish.shellAliases =
|
environment.shellAliases =
|
||||||
let
|
let
|
||||||
inherit (config.networking.proxy) httpProxy httpsProxy;
|
inherit (config.networking.proxy) httpProxy httpsProxy;
|
||||||
in
|
in
|
||||||
|
|
|
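Review bot: `secret = "hunter2";` is stored in plain text in the world-readable Nix store and is what protects the clash API `external_controller` on `127.0.0.1:9090`, so any local user can read it and drive the proxy's control interface. The same hunk already loads `password._secret` from sops, so the API secret can take the same route, `secret._secret = config.sops.secrets."<sops-key-for-clash-api>".path;` (placeholder key name). The enclosing `settings` attrset starts outside the hunk.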
@ -1,5 +1,5 @@
|
||||||
sing-box:
|
sing-box:
|
||||||
tyo0: ENC[AES256_GCM,data:IIUqglE+FqlD1LlRkpCuRqaOysEe4BxUIlGBEhUwgw/dDGBK,iv:ojryKlJgA9R7dTlcqKZ9BmGSHdZQ4BDMYRYLlJwbCXc=,tag:MDhlfxgQQ84UUdZ+ZWvaWQ==,type:str]
|
tyo0: ENC[AES256_GCM,data:c1WIyaAXyiir4VRcggvJ0drgxOi24+s=,iv:1CufURfG6PL+iv54LOkh6kdjjf6Pa8uvyWsRX4rBTls=,tag:M5PzRvKJzQzhpv3z6XlG9A==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -33,8 +33,8 @@ sops:
|
||||||
NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6
|
NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6
|
||||||
JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA==
|
JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-08-27T20:29:35Z"
|
lastmodified: "2024-08-24T07:58:00Z"
|
||||||
mac: ENC[AES256_GCM,data:RA8pX6oMrKz4f7aX0UwTAa3P/QYt1IX8FO9yl/ViaUoPYQ5WD3o5Zh7FX40QDUdLZkfFJqO+P+gr5ZqRJ+lZRSNRXmO0vx9C7KMPEMweNz+0hmE15OKXcfEjTbEu+GW9vgoj6TyQ8OahJZ4pF7DNtg0+/B7LzmhgrRaKq7zLdng=,iv:x1zD7US6VmLfeY1tH3/+fHL4ECM4UyYCzv5qxD1ikEw=,tag:kA+AFntpC+sKpCa9/Q1Bjw==,type:str]
|
mac: ENC[AES256_GCM,data:gbgaZ6fGr8sIaEPMTJeTr4nHEkfWDMwNPstEjfn580go8Ogg3cIW0Lca1nPERCI7XimswjT9V6FnxV8HtTZ+VH3jZsuB/Zu0lYpCsTx//wY0meWWHtOINFZ6Qn9dl6CTRi/QgmNJPKjPPYcHg0ECGY/Iv8s44Mj0aXthVN61huk=,iv:8y+vjDSWaVt7kQkvu499+bK3lYB3moVtAQJ4UvfLYv4=,tag:XAhiF7cw8i8ilj3Dp/zoDw==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||
|
|
|
@ -1,5 +1,12 @@
|
||||||
# NOTE: 301: All packages are migrated to `github:Guanran928/nur-packages`,
|
# NOTE: 301: All packages are migrated to `github:Guanran928/nur-packages`,
|
||||||
# only keeping some packages that only fits for personal use.
|
# only keeping some packages that only fits for personal use.
|
||||||
pkgs: {
|
pkgs:
|
||||||
|
let
|
||||||
|
inherit (pkgs) callPackage;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
# https://github.com/NixOS/nixpkgs/pull/308720
|
||||||
|
pixivfe = callPackage ./pixivfe.nix { };
|
||||||
|
|
||||||
background = pkgs.nixos-artwork.wallpapers.nineish-dark-gray.src;
|
background = pkgs.nixos-artwork.wallpapers.nineish-dark-gray.src;
|
||||||
}
|
}
|
||||||
|
|
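--- a/pkgs/pixivfe.nix
+++ b/pkgs/pixivfe.nix
@@ -0,0 +1,43 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitea,
+  makeBinaryWrapper,
+}:
+buildGoModule rec {
+  pname = "pixivfe";
+  version = "2.6";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "VnPower";
+    repo = "PixivFE";
+    rev = "v${version}";
+    hash = "sha256-pusyCXy2tsdvOSUR6LfSYHv8YT1tiCErqUEkUgKYbZ4=";
+  };
+
+  vendorHash = "sha256-QapDR964Tn+RxXdkGqCQXacdmlSapF841Y84n4d/6VI=";
+
+  ldflags = [
+    "-s"
+    "-w"
+  ];
+
+  nativeBuildInputs = [ makeBinaryWrapper ];
+
+  postInstall = ''
+    mkdir -p $out/share/pixivfe
+    cp -r ./views/ $out/share/pixivfe/views
+    wrapProgram $out/bin/pixivfe \
+      --chdir $out/share/pixivfe
+  '';
+
+  meta = {
+    description = "Privacy respecting frontend for Pixiv";
+    homepage = "https://codeberg.org/VnPower/PixivFE";
+    license = lib.licenses.agpl3Only;
+    mainProgram = "pixivfe";
+    maintainers = with lib.maintainers; [ Guanran928 ];
+    platforms = lib.platforms.linux;
+  };
+}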