fixup! nixos: frp -> cloudflared

flake.lock

@@ -10,11 +10,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1717970544,
+        "lastModified": 1718735045,
-        "narHash": "sha256-YX43aaegfqjXaZ3S+z0JI7SKOEE1Afqm/I9FBIezJ7A=",
+        "narHash": "sha256-5PaPrMjQu0ojps12ecRO6qFntCU+pkUCrJIjDUFJknE=",
         "owner": "ezKEa",
         "repo": "aagl-gtk-on-nix",
-        "rev": "85c380e4e80fbc21d25165626ad2897cbb11af4d",
+        "rev": "2d4d6c0f286bd6901c8eab5e2d08593ca3394d6c",
         "type": "github"
       },
       "original": {
@@ -33,11 +33,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718252558,
+        "lastModified": 1718403459,
-        "narHash": "sha256-Yph5ocpdI3a1Ib+V9BQ4/0YyO4UVn8J0WeAvOLYGaGk=",
+        "narHash": "sha256-6d+nrN/L8DUCCEioQkdXy71+lYs09sP4nExSMjEkw30=",
         "owner": "berberman",
         "repo": "flakes",
-        "rev": "73949fb5964f243ff9c28887bfc99c2fe12407c3",
+        "rev": "de292d23437ff2a6c41b32f3449fae83deb88cfb",
         "type": "github"
       },
       "original": {
@@ -53,11 +53,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718078026,
+        "lastModified": 1718730147,
-        "narHash": "sha256-LbQabH6h86ZzTvDnaZHmMwedRZNB2jYtUQzmoqWQoJ8=",
+        "narHash": "sha256-QmD6B6FYpuoCqu6ZuPJH896ItNquDkn0ulQlOn4ykN8=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "a3f0c63eed74a516298932b9b1627dd80b9c3892",
+        "rev": "32c21c29b034d0a93fdb2379d6fabc40fc3d0e6c",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718242063,
+        "lastModified": 1718846788,
-        "narHash": "sha256-n3AWItJ4a94GT0cray/eUV7tt3mulQ52L+lWJN9d1E8=",
+        "narHash": "sha256-9dtXYtEkmXoUJV+PGLqscqF7qTn4AIhAKpFWRFU2NYs=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "832a9f2c81ff3485404bd63952eadc17bf7ccef2",
+        "rev": "e1174d991944a01eaaa04bc59c6281edca4c0e6e",
         "type": "github"
       },
       "original": {
@@ -168,11 +168,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718243258,
+        "lastModified": 1718788307,
-        "narHash": "sha256-abBpj2VU8p6qlRzTU8o22q68MmOaZ4v8zZ4UlYl5YRU=",
+        "narHash": "sha256-SqiOz0sljM0GjyQEVinPXQxaGcbOXw5OgpCWGPgh/vo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "8d5e27b4807d25308dfe369d5a923d87e7dbfda3",
+        "rev": "d7830d05421d0ced83a0f007900898bdcaf2a2ca",
         "type": "github"
       },
       "original": {
@@ -221,11 +221,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718218065,
+        "lastModified": 1718782018,
-        "narHash": "sha256-fKC7Ryg3AYykDrS2ilS1VqA8/9B2m3yFZcshK+7tIEc=",
+        "narHash": "sha256-8SBmf7Sx5xMLzL4VGEU0fe8cuq0yMumdkXgOPXXD3Bo=",
         "owner": "nix-community",
         "repo": "lanzaboote",
-        "rev": "7cb05fab896bd542c0ca4260d74d9d664cd7b56e",
+        "rev": "6fa7bc0522f71d3906a3788bbd80c344cd9c4523",
         "type": "github"
       },
       "original": {
@@ -250,11 +250,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712745718,
+        "lastModified": 1718491861,
-        "narHash": "sha256-pAPGjjPEC5Y3DeuqSlDgFRPAZStA1doWowOvmPY7jvk=",
+        "narHash": "sha256-nnKZRkwXoCtGN8Rgv6FcHttX1JOPWQt2y7yY4Bz/hWk=",
         "owner": "Guanran928",
         "repo": "nvim",
-        "rev": "3fbc02368d9d554ac2918e48112fbc25957fb03a",
+        "rev": "49f55400d06fa113e4b4ae5a6fa97a6d83c59983",
         "type": "github"
       },
       "original": {
@@ -270,11 +270,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718345812,
+        "lastModified": 1718662658,
-        "narHash": "sha256-FJhA+YFsOFrAYe6EaiTEfomNf7jeURaPiG5/+a3DRSc=",
+        "narHash": "sha256-AKG7BsqtVWDlefgzyKz7vjaKTLi4+bmTSBhowbQoZtM=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "ff988d78f2f55641efacdf9a585d2937f7e32a9b",
+        "rev": "29b3096a6e283d7e6779187244cb2a3942239fdf",
         "type": "github"
       },
       "original": {
@@ -352,11 +352,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718401149,
+        "lastModified": 1718833139,
-        "narHash": "sha256-THXbbmhDZjEnc+372GYl3JpXKkkuo7nhShv66Reklsk=",
+        "narHash": "sha256-m+7obxxZ6Fgjz/Cs3mkax8xec+0cDwnxb4Ti6jAP/ik=",
         "owner": "jacekszymanski",
         "repo": "nixcasks",
-        "rev": "d35924a6bd7c8a34f31e885754a5564ea06ab833",
+        "rev": "592abedb3df4d8d10107065c12632ce08d972d71",
         "type": "github"
       },
       "original": {
@@ -367,11 +367,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1718349360,
+        "lastModified": 1718806950,
-        "narHash": "sha256-SuPne4BMqh9/IkKIAG47Cu5qfmntAaqlHdX1yuFoDO0=",
+        "narHash": "sha256-E+W/kbedZAiOuPtT+KQRposLaXGDLd7lyK7oL3IH/5U=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "ae5c8dcc4d0182d07d75df2dc97112de822cb9d6",
+        "rev": "acb4f0e9bfa8ca2d6fca5e692307b5c994e7dbda",
         "type": "github"
       },
       "original": {
@@ -397,11 +397,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1718276985,
+        "lastModified": 1718710757,
-        "narHash": "sha256-u1fA0DYQYdeG+5kDm1bOoGcHtX0rtC7qs2YA2N1X++I=",
+        "narHash": "sha256-zzHTI7iQByeuGDto16eRwPflCf3xfVOJJSB0/cnEd2s=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3f84a279f1a6290ce154c5531378acc827836fbb",
+        "rev": "56fc115880db6498245adecda277ccdb33025bc2",
         "type": "github"
       },
       "original": {
@@ -413,11 +413,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1718229064,
+        "lastModified": 1718447546,
-        "narHash": "sha256-ZFav8A9zPNfjZg/wrxh1uZeMJHELRfRgFP+meq01XYk=",
+        "narHash": "sha256-JHuXsrC9pr4kA4n7LuuPfWFJUVlDBVJ1TXDVpHEuUgM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5c2ec3a5c2ee9909904f860dadc19bc12cd9cc44",
+        "rev": "842253bf992c3a7157b67600c2857193f126563a",
         "type": "github"
       },
       "original": {
@@ -468,11 +468,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1718400242,
+        "lastModified": 1718873190,
-        "narHash": "sha256-gLX2eyWb8lVxwI5Uv0F5WKb+YwvlDYnI+sSQB2xMqhw=",
+        "narHash": "sha256-puGZxr3LWT5DuHbpesgb8Hi2w0D07S7iJD92InUPU7c=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "d50ea2706590f0edce9f49d8990dbcf82cdb66ec",
+        "rev": "57f88b637d41f8f1f7c4a6d827ead6d9c4347e50",
         "type": "github"
       },
       "original": {
@@ -523,11 +523,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1717664902,
+        "lastModified": 1718872830,
-        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
+        "narHash": "sha256-1EIYImP6ROTu2IuQtTG1aVcbXli+CgIXP7NpHqt7EXY=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
+        "rev": "e4ea49a8c0c35b5bea2d033263c6c6b4b2a19a41",
         "type": "github"
       },
       "original": {
@@ -573,19 +573,16 @@
     },
     "rust-overlay": {
       "inputs": {
-        "flake-utils": [
-          "flake-utils"
-        ],
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1718331519,
+        "lastModified": 1718849885,
-        "narHash": "sha256-6Ru37wS8uec626nHVIh6hSpCYB7eNc3RPFa2U//bhw4=",
+        "narHash": "sha256-Qfc5HKpQvGhWXox0WJVzLqrAcFm3uy6xtWRvVmrkLYc=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "419e7fae2731f41dd9b3e34dfe8802be68558b92",
+        "rev": "bc1a236757cd5f6622f73838e551fb2035afa44a",
         "type": "github"
       },
       "original": {
@@ -620,11 +617,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718137936,
+        "lastModified": 1718506969,
-        "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+        "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+        "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251",
         "type": "github"
       },
       "original": {
@@ -640,11 +637,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718239576,
+        "lastModified": 1718844164,
-        "narHash": "sha256-Afdz9oCQf8VCGXUhI8KxdJg9gc+fepZK//mYsijfhFw=",
+        "narHash": "sha256-QUXWv6llKIQ5To2N24d9dRI78Hqfm9iFyhvmvlOICNo=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "d6280e5c12c4ddb26f0807387777786c66e4c552",
+        "rev": "557ff94aa1b48a723f8fa16eb9e7a2e6de991682",
         "type": "github"
       },
       "original": {
@@ -675,11 +672,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718271476,
+        "lastModified": 1718522839,
-        "narHash": "sha256-35hUMmFesmchb+u7heKHLG5B6c8fBOcSYo0jj0CHLes=",
+        "narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "e75ba0a6bb562d2ce275db28f6a36a2e4fd81391",
+        "rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81",
         "type": "github"
       },
       "original": {

flake.nix

@@ -141,7 +141,6 @@
     rust-overlay = {
       url = "github:oxalica/rust-overlay";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
     };
     scss-reset = {
       url = "github:andreymatin/scss-reset";
@@ -162,6 +161,16 @@
 
       ### nix {run,shell,build}
       packages = import ./pkgs pkgs;
+
+      ### nix develop
+      devShells.default = pkgs.mkShell {
+        packages = with pkgs; [
+          alejandra
+          colmena
+          git
+          sops
+        ];
+      };
     })
     // (let
       mkNixOS = system: modules:

home/applications/alacritty/default.nix

@@ -6,10 +6,6 @@
   programs.alacritty = {
     enable = true;
     settings = {
-      import = [
-        "${pkgs.vimPlugins.tokyonight-nvim}/extras/alacritty/tokyonight_night.toml"
-      ];
-
       cursor.style = "beam";
       font.size = 10;
 

home/applications/common/wayland.nix

@@ -1,9 +0,0 @@
-{pkgs, ...}: {
-  home.sessionVariables = {
-    NIXOS_OZONE_WL = "1"; # let electron applications use wayland
-  };
-
-  home.packages = with pkgs; [
-    wl-clipboard
-  ];
-}

home/applications/common/wm.nix

@@ -1,8 +0,0 @@
-{pkgs, ...}: {
-  home.packages = with pkgs; [pwvucontrol];
-
-  # remove csd window buttons
-  # https://github.com/localsend/localsend/blob/2457acd8a7412723b174672d174e4853dccd7d99/app/linux/my_application.cc#L45
-  home.sessionVariables.GTK_CSD = 0;
-  dconf.settings."org/gnome/desktop/wm/preferences"."button-layout" = "icon,appmenu:";
-}

home/applications/fcitx5/default.nix

@@ -8,7 +8,6 @@
     fcitx5.addons =
       (with pkgs; [
         libsForQt5.fcitx5-chinese-addons
-        fcitx5-tokyonight
       ])
       ++ (with inputs.berberman.packages.${pkgs.stdenv.hostPlatform.system}; [
         fcitx5-pinyin-moegirl
@@ -17,7 +16,6 @@
   };
 
   xdg.configFile."fcitx5/conf/classicui.conf".text = ''
-    Theme=Tokyonight-Storm
     Vertical Candidate List=True
     PreferTextIcon=True
   '';

home/applications/firefox/default.nix

@@ -1,19 +1,12 @@
 {pkgs, ...}: {
   programs.firefox = {
     enable = true;
-    profiles."default" = {
+    package = pkgs.firefox.overrides {
-      extraConfig = ''
+      extraPrefsFiles = [
-        ${builtins.readFile (pkgs.fetchurl {
+        "${pkgs.arkenfox-userjs}/user.cfg"
-          # FIXME: IFD
+        ./user-overrides.js
-          url = "https://raw.githubusercontent.com/arkenfox/user.js/126.1/user.js";
+      ];
-          hash = "sha256-XRtG0iLKh8uqbeX7Rc2H6VJwZYJoNZPBlAfZEfrSCP4=";
-        })}
-        ${builtins.readFile ./user-overrides.js}
-      '';
     };
-  };
+    profiles."default" = {};
-
-  home.sessionVariables = {
-    MOZ_USE_XINPUT2 = "1";
   };
 }

home/applications/fish/default.nix

@@ -3,7 +3,6 @@
     enable = true;
     interactiveShellInit = ''
       set fish_greeting
-      source ${pkgs.vimPlugins.tokyonight-nvim}/extras/fish/tokyonight_night.fish
     '';
     plugins = [
       {

home/applications/mpv/default.nix

@@ -17,18 +17,14 @@
       slang = "eng,en";
     };
 
-    # FIXME: https://github.com/nix-community/home-manager/pull/5524
+    scripts =
-    package = pkgs.mpv-unwrapped.wrapper {
+      (with pkgs.mpvScripts; [
-      mpv = pkgs.mpv-unwrapped;
+        thumbfast
-      scripts =
+        sponsorblock
-        (with pkgs.mpvScripts; [
+        modernx-zydezu
-          thumbfast
+      ])
-          sponsorblock
+      ++ lib.optionals pkgs.stdenv.hostPlatform.isLinux (with pkgs.mpvScripts; [
-          modernx-zydezu
+        mpris
-        ])
+      ]);
-        ++ lib.optionals pkgs.stdenv.hostPlatform.isLinux (with pkgs.mpvScripts; [
-          mpris
-        ]);
-    };
   };
 }

home/applications/starship/default.nix

@@ -1,11 +1,9 @@
-{
+{pkgs, ...}: {
-  pkgs,
-  lib,
-  ...
-}: {
   programs.starship = {
     enable = true;
-    # FIXME: IFD
+  };
-    settings = lib.importTOML "${pkgs.starship}/share/starship/presets/nerd-font-symbols.toml";
+
+  home.sessionVariables = {
+    "STARSHIP_CONFIG" = "${pkgs.starship}/share/starship/presets/nerd-font-symbols.toml";
   };
 }

home/applications/thunderbird/default.nix

@@ -1,16 +1,15 @@
 {pkgs, ...}: {
   programs.thunderbird = {
     enable = true;
-    profiles.default = {
+    package = pkgs.thunderbird.override {
-      isDefault = true;
+      extraPrefsFiles = [
-      extraConfig = ''
+        (pkgs.fetchurl {
-        ${builtins.readFile (pkgs.fetchurl {
-          # FIXME: IFD
           url = "https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/d6b18302e46349d9924c8a76951bae6efca51501/user.js";
           hash = "sha256-66B1yLQkQnydAUXD7KGt32OhWSYcdWX+BUozrgW9uAg=";
-        })}
+        })
-        ${builtins.readFile ./user-overrides.js}
+        ./user-overrides.js
-      '';
+      ];
     };
+    profiles.default.isDefault = true;
   };
 }

home/applications/zellij/default.nix

@@ -6,9 +6,6 @@
 
   # Unsure about the syntax for defining keybindings in Nix (refer to line 16)
   xdg.configFile."zellij/config.kdl".text = lib.mkForce ''
-    // TODO: Text selection is not displayed due to the use of the same color as
-    //       my terminal background.
-    theme "tokyo-night-dark"
     simplified_ui true
     pane_frames false
     default_layout "compact"

hosts/blacksteel/Caddyfile

@@ -0,0 +1,64 @@
+(default) {
+	encode zstd gzip
+
+	header {
+		# https://observatory.mozilla.org/analyze/ny4.dev
+		# https://infosec.mozilla.org/guidelines/web_security
+		# https://caddyserver.com/docs/caddyfile/directives/header#examples
+
+		?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
+		?Permissions-Policy interest-Hpcohort=()
+		?Strict-Transport-Security max-age=31536000;
+		?X-Content-Type-Options nosniff
+		?X-Frame-Options DENY
+	}
+
+	handle_path /robots.txt {
+		file_server * {
+			root /var/www/robots/robots.txt
+		}
+	}
+}
+
+http://mastodon.ny4.dev:80 {
+	import default
+	handle_path /system/* {
+		file_server * {
+			root /var/lib/mastodon/public-system
+		}
+	}
+
+	handle /api/v1/streaming/* {
+		reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
+			header_up X-Forwarded-Proto "https"
+		}
+	}
+
+	route * {
+		file_server * {
+			root @mastodon@/public
+			pass_thru
+		}
+		reverse_proxy * unix//run/mastodon-web/web.socket {
+			header_up X-Forwarded-Proto "https"
+		}
+	}
+
+	handle_errors {
+		root * @mastodon@/public
+		rewrite 500.html
+		file_server
+	}
+}
+
+http://matrix.ny4.dev:80 {
+	import default
+	reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock
+	reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock
+	reverse_proxy /health unix//run/matrix-synapse/synapse.sock
+}
+
+http://syncv3.ny4.dev:80 {
+	import default
+	reverse_proxy unix//run/matrix-sliding-sync/sync.sock
+}

hosts/blacksteel/default.nix

@@ -2,7 +2,6 @@
   pkgs,
   lib,
   config,
-  inputs,
   ...
 }: {
   imports = [
@@ -43,6 +42,10 @@
       "mastodon/environment" = {
         restartUnits = ["mastodon-web.service"];
       };
+      "cloudflared/secret" = {
+        restartUnits = ["cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service"];
+        owner = config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
+      };
     };
   };
 
@@ -54,67 +57,41 @@
     openFirewall = true;
   };
 
-  services.frp = {
+  services.cloudflared = {
     enable = true;
-    role = "client";
+    tunnels = {
-    settings = {
+      "6222a3e0-98da-4325-be19-0f86a7318a41" = {
-      serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
+        credentialsFile = config.sops.secrets."cloudflared/secret".path;
-      serverPort = 7000;
+        default = "http_status:404";
-      auth.method = "token";
+        ingress = {
-      auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret!
+          # TODO: is this safe?
-      proxies = [
+          # browser <-> cloudflare cdn <-> cloudflared <-> caddy <-> mastodon
-        {
+          #                                             ^ no tls in this part?
-          name = "synapse";
+          "mastodon.ny4.dev" = "http://localhost:80";
-          type = "tcp";
+          "matrix.ny4.dev" = "http://localhost:80";
-          localIP = "127.0.0.1";
+          "syncv3.ny4.dev" = "http://localhost:80";
-          localPort = 8100;
+        };
-          remotePort = 8600;
+      };
-        }
-        {
-          name = "syncv3";
-          type = "tcp";
-          localIP = "127.0.0.1";
-          remotePort = 8700;
-          plugin = {
-            type = "unix_domain_socket";
-            unixPath = "/run/matrix-sliding-sync/sync.sock";
-          };
-        }
-        {
-          name = "mastodon-web";
-          type = "tcp";
-          localIP = "127.0.0.1";
-          remotePort = 8900;
-          plugin = {
-            type = "unix_domain_socket";
-            unixPath = "/run/mastodon-web/web.socket";
-          };
-        }
-        {
-          name = "mastodon-streaming";
-          type = "tcp";
-          localIP = "127.0.0.1";
-          remotePort = 9000;
-          plugin = {
-            type = "unix_domain_socket";
-            unixPath = "/run/mastodon-streaming/streaming-1.socket";
-          };
-        }
-        {
-          name = "mastodon-system";
-          type = "tcp";
-          localIP = "127.0.0.1";
-          remotePort = 9100;
-          plugin = {
-            type = "static_file";
-            localPath = "/var/lib/mastodon/public-system";
-          };
-        }
-      ];
     };
   };
 
-  systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon"];
+  services.caddy = {
+    enable = true;
+    configFile = pkgs.substituteAll {
+      src = ./Caddyfile;
+      inherit (pkgs) mastodon;
+    };
+  };
+
+  systemd.services.caddy.serviceConfig = {
+    SupplementaryGroups = ["mastodon" "matrix-synapse"];
+  };
+
+  systemd.tmpfiles.settings = {
+    "10-www" = {
+      "/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt;
+    };
+  };
 
   services.postgresql = {
     enable = true;
@@ -168,12 +145,7 @@
     eula = true;
     openFirewall = true;
 
-    package = pkgs.callPackage "${inputs.nixpkgs}/pkgs/games/minecraft-servers/derivation.nix" {
+    package = pkgs.minecraftServers.vanilla-1-21;
-      version = "1.21";
-      sha1 = "450698d1863ab5180c25d7c804ef0fe6369dd1ba";
-      url = "https://piston-data.mojang.com/v1/objects/450698d1863ab5180c25d7c804ef0fe6369dd1ba/server.jar";
-      jre_headless = pkgs.javaPackages.compiler.openjdk21.headless;
-    };
 
     # Aikar's flag
     # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
@@ -239,6 +211,7 @@
   services.matrix-synapse = {
     enable = true;
     withJemalloc = true;
+    enableRegistrationScript = false;
     extraConfigFiles = [config.sops.secrets."synapse/secret".path];
     settings = {
       server_name = "ny4.dev";
@@ -246,11 +219,8 @@
       presence.enabled = false; # tradeoff
       listeners = [
         {
-          port = 8100;
+          path = "/run/matrix-synapse/synapse.sock";
-          bind_addresses = ["127.0.0.1"];
           type = "http";
-          tls = false;
-          x_forwarded = true;
           resources = [
             {
               names = ["client" "federation"];
@@ -265,7 +235,7 @@
         {
           idp_id = "keycloak";
           idp_name = "id.ny4.dev";
-          issuer = "https://id.ny4.dev/realms/master";
+          issuer = "https://id.ny4.dev/realms/ny4";
           client_id = "synapse";
           client_secret_path = config.sops.secrets."synapse/oidc".path;
           scopes = ["openid" "profile"];
@@ -280,18 +250,24 @@
     };
   };
 
-  systemd.services.matrix-synapse.environment = config.networking.proxy.envVars;
+  systemd.services.matrix-synapse = {
+    environment = config.networking.proxy.envVars;
+    serviceConfig.RuntimeDirectory = ["matrix-synapse"];
+  };
 
   services.matrix-sliding-sync = {
     enable = true;
     environmentFile = config.sops.secrets."syncv3/environment".path;
     settings = {
-      SYNCV3_SERVER = "http://127.0.0.1:8100";
+      SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
       SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
     };
   };
 
-  systemd.services.matrix-sliding-sync.serviceConfig.RuntimeDirectory = ["matrix-sliding-sync"];
+  systemd.services.matrix-sliding-sync.serviceConfig = {
+    RuntimeDirectory = ["matrix-sliding-sync"];
+    SupplementaryGroups = ["matrix-synapse"];
+  };
 
   services.mastodon = {
     enable = true;
@@ -314,7 +290,7 @@
       # OIDC_CLIENT_SECRET # EnvironmentFile
       OIDC_DISCOVERY = "true";
       OIDC_DISPLAY_NAME = "id.ny4.dev";
-      OIDC_ISSUER = "https://id.ny4.dev/realms/master";
+      OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
       OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
       OIDC_SCOPE = "openid,profile,email";
       OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";

hosts/blacksteel/secrets.yaml

@@ -1,10 +1,12 @@
 synapse:
     secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
-    oidc: ENC[AES256_GCM,data:vGQcPcUfbv6II6buEMKELc1+xZ5XccpEeCy3vZx4fdk=,iv:ORok/FXZ9SA54zD1+OhyFnZAPhGpMpTetWYgge2QSwQ=,tag:7DxrruTbenUfI/V6hGYBaw==,type:str]
+    oidc: ENC[AES256_GCM,data:ihiMcrrYvPrNDJ13p6/FbINgh5wxv2vyOYxg0sthipM=,iv:+aESWZLI7/4HWjV7QT94py+zGLbTl+VoSsWdiGNHkjU=,tag:yxxZeDOtzFegCQGQT2HCgA==,type:str]
 syncv3:
     environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
 mastodon:
-    environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str]
+    environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
+cloudflared:
+    secret: ENC[AES256_GCM,data:QXIl0MqreqPH4LP7IQdA5qQCQdizjFixbOHjqQi/3RjYDt9zt0OejW9rIYnkIRyVj4hnkJBqd1ov/VgdSoNmy/iafIgwqwgsMH0e4R9J6n255p3JG3XBmiYry89xXvQ1SXyzWdUF6p3qgevwzjZnKYyYHT9TbLWc/BkTyyA8g1EGg0O1WfDXhq7u9kOPV4CaU1UX1MMpvZQnsV389PJEWYuK,iv:ASGw5dGOuukRREZ8vMLw5hgZmJhDZSJxDqvfWaxXKJk=,tag:75jf48BEDd4uHkb+2LV5Tg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -29,8 +31,8 @@ sops:
             bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
             hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-21T10:09:01Z"
+    lastmodified: "2024-06-21T07:19:43Z"
-    mac: ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str]
+    mac: ENC[AES256_GCM,data:pKWUM3uhmtrwTOlR2jZauWsGSY1d//z+cojpWLFAAKedGjotLB6cmektyAVRHhw3waiM4WR5+BNZ6ghp7qBrM0z2WanJCdSmXqdyxJEydUC9CCFXZG+7SmIZS+7+/LsqejzdYSAMf9DijN74E1EJVS5F0mHhw8QuRmDy3wU789M=,iv:IrOm1Maz8os9Q/ez+TbOxOTr1zwB1loDVHcPbN8kMvg=,tag:AAKp3OH/s2c7u8lp6vkLVg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

hosts/lightsail-tokyo/Caddyfile

@@ -6,7 +6,9 @@
 	}
 }
 
-(header) {
+(default) {
+	encode zstd gzip
+
 	header {
 		# https://observatory.mozilla.org/analyze/ny4.dev
 		# https://infosec.mozilla.org/guidelines/web_security
@@ -18,13 +20,7 @@
 		?X-Content-Type-Options nosniff
 		?X-Frame-Options DENY
 	}
-}
 
-(compression) {
-	encode zstd gzip
-}
-
-(robots) {
 	handle_path /robots.txt {
 		file_server * {
 			root /var/www/robots/robots.txt
@@ -32,12 +28,6 @@
 	}
 }
 
-(default) {
-	import header
-	import compression
-	import robots
-}
-
 www.ny4.dev {
 	import default
 	redir https://ny4.dev
@@ -91,13 +81,6 @@ pixiv.ny4.dev {
 	reverse_proxy unix//run/pixivfe/pixiv.sock
 }
 
-matrix.ny4.dev {
-	import default
-	reverse_proxy /_matrix/* localhost:8600
-	reverse_proxy /_synapse/client/* localhost:8600
-	reverse_proxy /health localhost:8600
-}
-
 syncv3.ny4.dev {
 	import default
 	reverse_proxy localhost:8700
@@ -114,31 +97,6 @@ element.ny4.dev {
 	file_server
 }
 
-mastodon.ny4.dev {
-	import default
-	handle_path /system/* {
-		reverse_proxy localhost:9100
-	}
-
-	handle /api/v1/streaming/* {
-		reverse_proxy localhost:9000
-	}
-
-	route * {
-		file_server * {
-			root @mastodon@/public
-			pass_thru
-		}
-		reverse_proxy * localhost:8900
-	}
-
-	handle_errors {
-		root * @mastodon@/public
-		rewrite 500.html
-		file_server
-	}
-}
-
 git.ny4.dev {
 	import default
 	reverse_proxy unix//run/forgejo/forgejo.sock

hosts/lightsail-tokyo/default.nix

@@ -66,9 +66,6 @@
     # caddy
     80
     443
-
-    # frp
-    7000
   ];
 
   systemd.tmpfiles.settings = {
@@ -86,12 +83,12 @@
 
       "element" = pkgs.element-web.override {
         element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
-          version = "1.11.69-rc.1";
+          version = "1.11.69";
           src = oldAttrs.src.overrideAttrs {
-            outputHash = "sha256-vL21wTI9qeIhrFdbI0WsehVy0ZLBj9rayuQnTPC7k8g=";
+            outputHash = "sha256-oFSaKtig1z3jepLpwJW4i5VskMBhKUIbPsCfLQuCgMY=";
           };
           offlineCache = oldAttrs.offlineCache.overrideAttrs {
-            outputHash = "sha256-nZWclW2tEq7vPRPG5zzhYfExVnmPxYDm8DxME5w5ORI=";
+            outputHash = "sha256-ClpD/PIW3P1+d7KqDTl6gWNbqKaUi6JypE/yaVsB+Oc=";
           };
         });
 
@@ -115,16 +112,6 @@
     ];
   };
 
-  services.frp = {
-    enable = true;
-    role = "server";
-    settings = {
-      bindPort = 7000;
-      auth.method = "token";
-      auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE";
-    };
-  };
-
   # `journalctl -u murmur.service | grep Password`
   services.murmur = {
     enable = true;

hosts/lightsail-tokyo/secrets.yaml

@@ -28,8 +28,8 @@ sops:
             R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
             3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-15T07:19:59Z"
+    lastmodified: "2024-06-21T07:19:35Z"
-    mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str]
+    mac: ENC[AES256_GCM,data:1zG5at1zfjbnnHcZ1Vy7aJxMjaZpE9aL3QlAaxyQ7GYle05z/4PqIdampd7p1WrMWNWqkxkUFazTCpQF9faR0qbnZ2zyOWk45ZtBGZSEhvHRFke6JjwPv4fi35ozHL4JiuP76kGivegvR2OgQ7NH6HJBoZgEqduu+YISJlrvJVs=,iv:p/v8BnUmOCYsaXtUeaVq5MKLk69as3XkQsG688tYkiE=,tag:if6U/qbzrNdYaqLcQbGe6Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

pkgs/default.nix

@@ -1,13 +1,14 @@
 # NOTE: 301: All packages are migrated to `github:Guanran928/nur-packages`,
 #       only keeping some packages that only fits for personal use.
-pkgs: {
+pkgs: let
-  scripts = rec {
+  inherit (pkgs) lib;
+in {
+  scripts = lib.makeScope pkgs.newScope (self: {
     # util
-    makeScript = pkgs.callPackage ./scripts/makeScript.nix {};
+    makeScript = self.callPackage ./scripts/makeScript.nix {};
 
     # scripts
-    # TODO: Do I really have to inherit `makeScript` for every script?
+    lofi = self.callPackage ./scripts/lofi.nix {};
-    lofi = pkgs.callPackage ./scripts/lofi.nix {inherit makeScript;};
+    screenshot = self.callPackage ./scripts/screenshot.nix {};
-    screenshot = pkgs.callPackage ./scripts/screenshot.nix {inherit makeScript;};
+  });
-  };
 }

pkgs/scripts/makeScript.nix

@@ -1,7 +1,6 @@
 {
   lib,
   runtimeShell,
-  writeScriptBin,
   runCommandNoCCLocal,
   makeBinaryWrapper,
 }: {