Compare commits


3 commits

32 changed files with 449 additions and 277 deletions


@ -151,8 +151,8 @@
deployment.targetHost = "tyo0.ny4.dev";
};
"blacksteel" = {
imports = [ ./hosts/blacksteel ];
"pek0" = {
imports = [ ./hosts/pek0 ];
deployment.targetHost = "blacksteel"; # thru tailscale
};
};


@ -11,8 +11,10 @@
};
in
{
"blacksteel" = serverConfig;
"tyo0.ny4.dev" = serverConfig;
"pek0.ny4.dev" = serverConfig // {
hostname = "blacksteel";
};
};
};
}


@ -1,67 +0,0 @@
{
servers {
trusted_proxies static private_ranges
trusted_proxies_strict
}
}
(default) {
encode zstd gzip
handle_path /robots.txt {
file_server * {
root @robots@
}
}
}
http://pek0.ny4.dev:80 {
import default
basicauth {
prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
}
reverse_proxy localhost:9091
}
http://mastodon.ny4.dev:80 {
import default
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
}
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
header_up X-Forwarded-Proto "https"
}
}
route * {
file_server * {
root @mastodon@/public
pass_thru
}
reverse_proxy * unix//run/mastodon-web/web.socket {
header_up X-Forwarded-Proto "https"
}
}
handle_errors {
root * @mastodon@/public
rewrite 500.html
file_server
}
}
http://matrix.ny4.dev:80 {
import default
reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock {
header_up X-Forwarded-Proto "https"
}
reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock {
header_up X-Forwarded-Proto "https"
}
reverse_proxy /health unix//run/matrix-synapse/synapse.sock {
header_up X-Forwarded-Proto "https"
}
}


@ -1,38 +0,0 @@
{ config, ... }:
{
services.mastodon = {
enable = true;
localDomain = "ny4.dev";
streamingProcesses = 1;
mediaAutoRemove.olderThanDays = 14;
# FIXME: this doesn't exist
smtp = {
createLocally = false;
fromAddress = "mastodon@ny4.dev";
};
extraConfig = rec {
SINGLE_USER_MODE = "true";
WEB_DOMAIN = "mastodon.ny4.dev";
# keycloak
OMNIAUTH_ONLY = "true";
OIDC_ENABLED = "true";
OIDC_CLIENT_ID = "mastodon";
# OIDC_CLIENT_SECRET # EnvironmentFile
OIDC_DISCOVERY = "true";
OIDC_DISPLAY_NAME = "id.ny4.dev";
OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
OIDC_SCOPE = "openid,profile,email";
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
OIDC_UID_FIELD = "preferred_username";
};
};
systemd.services.mastodon-web = {
environment = config.networking.proxy.envVars;
serviceConfig.EnvironmentFile = [ config.sops.secrets."mastodon/environment".path ];
};
systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
}


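--- a/<path-not-shown>
+++ /dev/null
@@ -1,8 +0,0 @@
-{ pkgs, ... }:
-{
-# TODO: https://github.com/NixOS/nixpkgs/pull/287923
-# currently running qbittorrent-nox with tmux :c
-environment.systemPackages = with pkgs; [
-qbittorrent-nox
-];
-}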


@ -18,13 +18,13 @@
./services/mastodon.nix
./services/matrix.nix
./services/minecraft.nix
./services/qbittorrent.nix
./services/samba.nix
./services/transmission.nix
];
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.enable = true;
networking.hostName = "blacksteel";
networking.hostName = "pek0";
system.stateVersion = "24.05";
######## Secrets
@ -67,12 +67,21 @@
};
};
services.caddy = {
enable = true;
configFile = pkgs.replaceVars ./Caddyfile {
robots = toString ../tyo0/robots.txt;
inherit (pkgs) mastodon;
services.caddy.enable = true;
services.caddy.settings.apps.http.servers.srv0 = {
listen = [ ":80" ];
trusted_proxies = {
ranges = [
"192.168.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"127.0.0.1/8"
"fd00::/8"
"::1"
];
source = "static";
};
trusted_proxies_strict = 1;
};
systemd.services.caddy.serviceConfig = {
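Review bot: The six entries in `trusted_proxies.ranges` are the expansion of the `private_ranges` keyword the removed Caddyfile used, but nothing in the new block says so, and a reader seeing a server that only listens on `:80` trusting `X-Forwarded-*` from every RFC1918 block and loopback will assume it is accidental. Suggest above `ranges`: `# same set as the Caddyfile's "trusted_proxies static private_ranges"; presumably only the TLS-terminating front end reaches :80 from these` — with the assumption confirmed. If that front end has one known address, listing just it is a tighter control than `trusted_proxies_strict`. The enclosing `services.caddy` definitions continue past the end of this hunk.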


@ -0,0 +1,121 @@
{
lib,
pkgs,
config,
...
}:
{
services.mastodon = {
enable = true;
localDomain = "ny4.dev";
streamingProcesses = 1;
mediaAutoRemove.olderThanDays = 14;
# FIXME: this doesn't exist
smtp = {
createLocally = false;
fromAddress = "mastodon@ny4.dev";
};
extraConfig = rec {
SINGLE_USER_MODE = "true";
WEB_DOMAIN = "mastodon.ny4.dev";
# keycloak
OMNIAUTH_ONLY = "true";
OIDC_ENABLED = "true";
OIDC_CLIENT_ID = "mastodon";
# OIDC_CLIENT_SECRET # EnvironmentFile
OIDC_DISCOVERY = "true";
OIDC_DISPLAY_NAME = "id.ny4.dev";
OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
OIDC_SCOPE = "openid,profile,email";
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
OIDC_UID_FIELD = "preferred_username";
};
};
systemd.services.mastodon-web = {
environment = config.networking.proxy.envVars;
serviceConfig.EnvironmentFile = [ config.sops.secrets."mastodon/environment".path ];
};
systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "mastodon.ny4.dev" ];
};
handle = lib.singleton {
handler = "subroute";
routes = [
{
match = lib.singleton {
path = [ "/api/v1/streaming/*" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
headers.request.set."X-Forwarded-Proto" = [ "https" ];
upstreams = lib.singleton {
dial = "unix//run/mastodon-streaming/streaming-1.socket";
};
};
}
{
match = lib.singleton {
path = [ "/system/*" ];
};
handle = [
{
handler = "rewrite";
strip_path_prefix = "/system";
}
{
handler = "file_server";
root = "/var/lib/mastodon/public-system";
}
];
}
{
handle = [
{
handler = "file_server";
root = "${pkgs.mastodon}/public";
pass_thru = true;
}
{
handler = "reverse_proxy";
headers.request.set."X-Forwarded-Proto" = [ "https" ];
upstreams = lib.singleton {
dial = "unix//run/mastodon-web/web.socket";
};
}
];
}
];
};
};
services.caddy.settings.apps.http.servers.srv0.errors.routes = lib.singleton {
match = lib.singleton {
host = [ "mastodon.ny4.dev" ];
};
handle = lib.singleton {
handler = "subroute";
routes = [
{
handle = lib.singleton {
handler = "rewrite";
uri = "500.html";
};
}
{
handle = lib.singleton {
handler = "file_server";
root = "${pkgs.mastodon}/public";
};
}
];
};
};
}
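Review bot: Both `reverse_proxy` handlers pin `headers.request.set."X-Forwarded-Proto" = [ "https" ]` although srv0 on this host only listens on `:80` (pek0 hunk), so Mastodon is told every request was secure regardless of how it arrived; as I read Caddy's reverse_proxy behaviour, with `trusted_proxies` now configured on srv0 an `X-Forwarded-Proto` from a trusted upstream is passed through and otherwise set from the actual scheme, so the override only buys something if the TLS-terminating front end does not send the header. Either drop the two `set` lines and rely on the trusted-proxy path, or keep them with `# front end terminates TLS but does not send X-Forwarded-Proto` so the assumption is recorded. `# FIXME: this doesn't exist` above `smtp` does not say what is missing; `# FIXME: services.mastodon.smtp has no option for <what is missing>` with the gap named would be actionable.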


@ -54,4 +54,29 @@
environment = config.networking.proxy.envVars;
serviceConfig.RuntimeDirectory = [ "matrix-synapse" ];
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "matrix.ny4.dev" ];
};
handle = lib.singleton {
handler = "subroute";
routes = lib.singleton {
match = lib.singleton {
path = [
"/_matrix/*"
"/_synapse/*"
"/health"
];
};
handle = lib.singleton {
handler = "reverse_proxy";
headers.request.set."X-Forwarded-Proto" = [ "https" ];
upstreams = lib.singleton {
dial = "unix//run/matrix-synapse/synapse.sock";
};
};
};
};
};
}
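Review bot: The path matcher `"/_synapse/*"` is wider than the `/_synapse/client/*` prefix the removed Caddyfile proxied, so the Synapse Admin API under `/_synapse/admin/` becomes reachable through matrix.ny4.dev; Synapse's reverse-proxy guidance is to keep that prefix off public listeners even though it still requires an admin access token. Unless exposing it is intended, restore the narrower prefix: `"/_synapse/client/*"`. The enclosing file continues above this hunk, so any other matcher for the same host is not visible here.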


@ -1,3 +1,4 @@
{ config, ... }:
{
services.samba = {
enable = true;
@ -12,4 +13,12 @@
enable = true;
openFirewall = true;
};
users.users."guanranwang" = {
uid = 1000;
isNormalUser = true;
createHome = false;
useDefaultShell = false;
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
};
}
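Review bot: The new `guanranwang` account carries a `hashedPasswordFile` yet sets `useDefaultShell = false`, which — if I read the NixOS defaults right — leaves the `pkgs.shadow` nologin shell, and Samba authenticates against its own passdb rather than the Unix hash, so nothing in this hunk says what the hash is for. A one-line comment above the block, e.g. `# Unix identity backing the Samba share; no interactive login (nologin shell), Samba password is set separately`, would record the intent once confirmed. `isNormalUser = true` also puts the account in the `users` group, which may or may not be wanted for a service-only identity.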


@ -0,0 +1,27 @@
{ pkgs, ... }:
{
services.transmission = {
enable = true;
openRPCPort = true;
webHome = pkgs.flood-for-transmission;
settings = {
rpc-bind-address = "0.0.0.0";
rpc-port = 9080;
# tailscale
rpc-whitelist = "100.*.*.*";
rpc-host-whitelist = "blacksteel";
incomplete-dir = "/mnt/torrent/downloading";
download-dir = "/mnt/torrent";
speed-limit-up-enabled = true;
speed-limit-up = 1000;
speed-limit-down-enabled = true;
speed-limit-down = 4000;
ratio-limit-enabled = true;
ratio-limit = 2;
};
};
}
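Review bot: The RPC listener is bound to `0.0.0.0`, `openRPCPort = true` opens port 9080 on every interface, and the only gate is `rpc-whitelist = "100.*.*.*"`, which Transmission evaluates as a per-octet wildcard — all of 100.0.0.0/8, far wider than Tailscale's 100.64.0.0/10 and including publicly routed space — while `rpc-authentication-required` is left unset, so any matching source gets full control of the client and the paths under /mnt/torrent. Prefer scoping the firewall opening to the tailnet interface instead of `openRPCPort` (`networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 9080 ];`, assuming the default interface name) and enabling `rpc-authentication-required = true;` with the username and password supplied via `services.transmission.credentialsFile` rather than in this file. A comment such as `# rpc-whitelist is an octet wildcard, not CIDR: 100.*.*.* is wider than 100.64.0.0/10` would stop the next reader from taking it for a CIDR match.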


@ -1,115 +0,0 @@
(default) {
encode zstd gzip
handle_path /robots.txt {
file_server * {
root /var/www/robots/robots.txt
}
}
}
www.ny4.dev {
import default
redir https://blog.ny4.dev
}
# get the certificate for hysteria
tyo0.ny4.dev {
import default
basicauth {
prometheus $2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.
}
reverse_proxy localhost:9091
}
ny4.dev {
import default
# Synapse
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/matrix/* {
file_server * {
root /var/www/matrix
}
}
# Mastodon
header /.well-known/webfinger Access-Control-Allow-Origin *
redir /.well-known/webfinger https://mastodon.ny4.dev{uri} permanent
# TODO: Build Hugo blog with Nix
# How do I use hugo modules without using FOD?
route * {
redir https://blog.ny4.dev
}
}
pb.ny4.dev {
import default
reverse_proxy localhost:8200
}
ntfy.ny4.dev {
import default
reverse_proxy unix//run/ntfy-sh/ntfy.sock
}
id.ny4.dev {
import default
reverse_proxy localhost:8800
}
element.ny4.dev {
import default
root * @element@
header X-Frame-Options SAMEORIGIN;
header X-Content-Type-Options nosniff;
header X-XSS-Protection "1; mode=block";
header Content-Security-Policy "frame-ancestors 'self'";
file_server
}
cinny.ny4.dev {
import default
@index {
not path /index.html
not path /public/*
not path /assets/*
not path /config.json
not path /manifest.json
not path /pdf.worker.min.js
not path /olm.wasm
path /*
}
root * @cinny@
rewrite /*/olm.wasm /olm.wasm
rewrite @index /index.html
file_server
}
git.ny4.dev {
import default
reverse_proxy unix//run/forgejo/forgejo.sock
}
rss.ny4.dev {
import default
reverse_proxy localhost:9300
}
reddit.ny4.dev {
import default
reverse_proxy localhost:9400
}
vault.ny4.dev {
import default
reverse_proxy localhost:9500
}
prom.ny4.dev {
import default
reverse_proxy localhost:9090
}


@ -23,6 +23,7 @@
];
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
networking.hostName = "tyo0";
system.stateVersion = "24.05";
swapDevices = lib.singleton {
@ -57,32 +58,146 @@
443
];
systemd.tmpfiles.settings = {
"10-www" = {
"/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
"/var/www/matrix/client".C.argument = toString ./matrix-client.json;
"/var/www/matrix/server".C.argument = toString ./matrix-server.json;
};
services.caddy.enable = true;
services.caddy.settings.apps.http.servers.srv0 = {
listen = [ ":443" ];
};
services.caddy = {
enable = true;
configFile = pkgs.replaceVars ./Caddyfile {
"element" = pkgs.element-web.override {
conf.default_server_config."m.homeserver" = {
base_url = "https://matrix.ny4.dev";
server_name = "ny4.dev";
services.caddy.settings.apps.http.servers.srv0.routes = [
{
match = lib.singleton {
host = [ "ny4.dev" ];
path = [ "/.well-known/matrix/server" ];
};
handle = lib.singleton {
handler = "static_response";
status_code = 200;
headers = {
Access-Control-Allow-Origin = [ "*" ];
Content-Type = [ "application/json" ];
};
body = builtins.toJSON {
"m.server" = "matrix.ny4.dev:443";
};
};
"cinny" = pkgs.cinny.override {
conf = {
defaultHomeserver = 0;
homeserverList = [ "ny4.dev" ];
}
{
match = lib.singleton {
host = [ "ny4.dev" ];
path = [ "/.well-known/matrix/client" ];
};
handle = lib.singleton {
handler = "static_response";
status_code = 200;
headers = {
Access-Control-Allow-Origin = [ "*" ];
Content-Type = [ "application/json" ];
};
body = builtins.toJSON {
"m.homeserver" = {
"base_url" = "https://matrix.ny4.dev";
};
};
};
};
};
}
{
match = lib.singleton {
host = [ "ny4.dev" ];
path = [ "/.well-known/webfinger" ];
};
handle = lib.singleton {
handler = "static_response";
status_code = 301;
headers = {
Access-Control-Allow-Origin = [ "*" ];
Location = [ "https://mastodon.ny4.dev{http.request.uri}" ];
};
};
}
{
match = lib.singleton {
host = [ "ny4.dev" ];
};
handle = lib.singleton {
handler = "static_response";
status_code = 302;
headers = {
Location = [ "https://blog.ny4.dev" ];
};
};
}
{
match = lib.singleton {
host = [ "element.ny4.dev" ];
};
handle = [
{
handler = "headers";
response.set = {
X-Frame-Options = [ "SAMEORIGIN" ];
X-Content-Type-Options = [ "nosniff" ];
X-XSS-Protection = [ "1; mode=block" ];
Content-Security-Policy = [ "frame-ancestors 'self'" ];
};
}
{
handler = "file_server";
root = pkgs.element-web.override {
conf.default_server_config."m.homeserver" = {
base_url = "https://matrix.ny4.dev";
server_name = "ny4.dev";
};
};
}
];
}
{
match = lib.singleton {
host = [ "cinny.ny4.dev" ];
};
handle = lib.singleton {
handler = "subroute";
routes = [
{
match = [ { "path" = [ "/*/olm.wasm" ]; } ];
handle = lib.singleton {
handler = "rewrite";
uri = "/olm.wasm";
};
}
{
match = lib.singleton {
not = [
{ path = [ "/index.html" ]; }
{ path = [ "/public/*" ]; }
{ path = [ "/assets/*" ]; }
{ path = [ "/config.json" ]; }
{ path = [ "/manifest.json" ]; }
{ path = [ "/pdf.worker.min.js" ]; }
{ path = [ "/olm.wasm" ]; }
];
path = [ "/*" ];
};
handle = lib.singleton {
handler = "rewrite";
uri = "/index.html";
};
}
{
handle = lib.singleton {
handler = "file_server";
root = pkgs.cinny.override {
conf = {
defaultHomeserver = 0;
homeserverList = [ "ny4.dev" ];
};
};
};
}
];
};
}
];
services.postgresql = {
package = pkgs.postgresql_16;
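Review bot: The `ny4.dev` catch-all redirect (the fourth route) only works because it is listed after the three `/.well-known` routes in this file, and routes contributed by other modules through the same `srv0.routes` list are concatenated in module-evaluation order, which nothing here pins; today every other module matches on its own host, so it is safe by convention only. Suggest a comment above the list: `# Order matters: the ny4.dev catch-all must stay after the /.well-known routes; routes merged from services/*.nix are only safe because each matches a distinct host.` Separately, `match = [ { "path" = [ "/*/olm.wasm" ]; } ];` in the cinny subroute is the one matcher not written as `lib.singleton { path = [ ... ]; }`. The second hunk ends inside `services.postgresql`, which continues past it.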


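--- a/<path-not-shown>
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-"m.homeserver": {
-"base_url": "https://matrix.ny4.dev"
-}
-}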


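--- a/<path-not-shown>
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-"m.server": "matrix.ny4.dev:443"
-}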


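--- a/<path-not-shown>
+++ /dev/null
@@ -1,4 +0,0 @@
-User-Agent: *
-Disallow: /harming/humans
-Disallow: /ignoring/human/orders
-Disallow: /harm/to/self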


@ -1,4 +1,4 @@
{ pkgs, ... }:
{ lib, pkgs, ... }:
{
services.forgejo = {
enable = true;
@ -26,4 +26,14 @@
};
};
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "git.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "unix//run/forgejo/forgejo.sock"; } ];
};
};
}
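Review bot: None of the new per-service routes carries an `encode` handler, so the `encode zstd gzip` that the removed Caddyfile's `(default)` snippet applied to every site is gone unless it is configured somewhere outside this diff; the same holds for the keycloak, miniflux, ntfy, prometheus, redlib, vaultwarden, wastebin, mastodon and matrix sections. If compression is still wanted, one matcher-less route `{ handle = lib.singleton { handler = "encode"; encodings = { gzip = { }; zstd = { }; }; }; }` placed ahead of the host routes on srv0 restores it once rather than per service. The forgejo module continues above this hunk.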


@ -1,4 +1,4 @@
{ pkgs, ... }:
{ lib, pkgs, ... }:
{
services.keycloak = {
enable = true;
@ -8,8 +8,17 @@
http-host = "127.0.0.1";
http-port = 8800;
proxy = "edge";
# proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
};
database.passwordFile = toString (pkgs.writeText "password" "keycloak");
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "id.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:8800"; } ];
};
};
}
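Review bot: `database.passwordFile = toString (pkgs.writeText "password" "keycloak")` stores the database password as a literal in the world-readable Nix store; the line is context rather than part of this commit, but it now sits beside the route that makes this Keycloak the identity provider behind `id.ny4.dev` for the other services in the diff. The mastodon module already reads secrets through `config.sops.secrets.<name>.path`, so the same pattern — `database.passwordFile = config.sops.secrets."keycloak/db-password".path;` (secret name illustrative) after adding `config` to the module arguments — would keep it out of the store. The `proxy-headers` FIXME just above is also still open.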


@ -1,4 +1,4 @@
{ config, ... }:
{ lib, config, ... }:
{
services.miniflux = {
enable = true;
@ -14,4 +14,14 @@
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
};
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "rss.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:9300"; } ];
};
};
}


@ -1,3 +1,4 @@
{ lib, ... }:
{
services.ntfy-sh = {
enable = true;
@ -11,4 +12,14 @@
};
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = [ "ntfy-sh" ];
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "ntfy.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "unix//run/ntfy-sh/ntfy.sock"; } ];
};
};
}


@ -139,4 +139,14 @@
};
};
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "prom.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "127.0.0.1:9090"; } ];
};
};
}
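Review bot: The new `prom.ny4.dev` route publishes the Prometheus UI and query API on 127.0.0.1:9090 with no `authentication` handler, while the node-exporter route in this same diff does put basic auth in front of `/metrics`; Prometheus has no login of its own unless a `--web.config.file` with `basic_auth_users` is configured, and the lines above this hunk are not visible here, so that may already be in place. If it is not, reuse the same `authentication` / `http_basic` handler ahead of this `reverse_proxy`, or confine the host to the tailnet. A comment naming which of the two protects this endpoint would settle it for the next reader.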


@ -1,7 +1,18 @@
{ lib, ... }:
{
services.redlib = {
enable = true;
address = "127.0.0.1";
port = 9400;
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "reddit.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:9400"; } ];
};
};
}


@ -1,4 +1,4 @@
{ config, ... }:
{ lib, config, ... }:
{
services.vaultwarden = {
enable = true;
@ -15,4 +15,14 @@
ORG_CREATION_USERS = "none";
};
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "vault.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:9500"; } ];
};
};
}


@ -1,6 +1,17 @@
{ lib, ... }:
{
services.wastebin = {
enable = true;
settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ "pb.ny4.dev" ];
};
handle = lib.singleton {
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:8200"; } ];
};
};
}


@ -1,5 +1,4 @@
{
lib,
inputs,
pkgs,
...


@ -1,3 +1,4 @@
{ config, lib, ... }:
{
services.prometheus.exporters.node = {
enable = true;
@ -5,4 +6,24 @@
port = 9091;
enabledCollectors = [ "systemd" ];
};
services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
match = lib.singleton {
host = [ config.networking.fqdn ];
path = [ "/metrics" ];
};
handle = [
{
handler = "authentication";
providers.http_basic.accounts = lib.singleton {
username = "prometheus";
password = "$2a$14$2Phk4tobM04H4XiGegB3TuEXkyORCKMKW8TptYPTPXUWmZgtGBj/.";
};
}
{
handler = "reverse_proxy";
upstreams = lib.singleton { dial = "127.0.0.1:9091"; };
}
];
};
}
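Review bot: The `password` in the `http_basic` account is the raw bcrypt string lifted from the removed Caddyfile `basicauth` block, and in some Caddy releases the JSON `password` field expected a base64-encoded hash (the Caddyfile adapter did the encoding); verify on the Caddy release deployed here that the unencoded `$2a$` form is accepted, otherwise every scrape of `/metrics` gets a 401. On pek0 the server this route attaches to listens on `:80` (pek0 hunk), so the credential travels in clear unless scraping stays inside the tailnet. Suggest above `accounts`: `# bcrypt hash of the scrape password; some Caddy releases require it base64-encoded in JSON config — verified on <version>`.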


@ -19,4 +19,6 @@
];
time.timeZone = "UTC";
networking.domain = "ny4.dev";
}


@ -9,7 +9,7 @@
### misc
programs.prettier.enable = true;
settings.formatter.prettier.excludes = [
"hosts/blacksteel/secrets.yaml"
"hosts/pek0/secrets.yaml"
"hosts/tyo0/secrets.yaml"
"nixos/profiles/sing-box/secrets.yaml"
"nixos/profiles/wireless/secrets.yaml"