fixup! nixos: frp -> cloudflared

home/applications/common/wayland.nix

@@ -1,9 +0,0 @@
-{pkgs, ...}: {
-  home.sessionVariables = {
-    NIXOS_OZONE_WL = "1"; # let electron applications use wayland
-  };
-
-  home.packages = with pkgs; [
-    wl-clipboard
-  ];
-}

home/applications/common/wm.nix

@@ -1,8 +0,0 @@
-{pkgs, ...}: {
-  home.packages = with pkgs; [pwvucontrol];
-
-  # remove csd window buttons
-  # https://github.com/localsend/localsend/blob/2457acd8a7412723b174672d174e4853dccd7d99/app/linux/my_application.cc#L45
-  home.sessionVariables.GTK_CSD = 0;
-  dconf.settings."org/gnome/desktop/wm/preferences"."button-layout" = "icon,appmenu:";
-}

home/applications/firefox/default.nix

@@ -1,19 +1,12 @@
 {pkgs, ...}: {
   programs.firefox = {
     enable = true;
-    profiles."default" = {
+    package = pkgs.firefox.overrides {
-      extraConfig = ''
+      extraPrefsFiles = [
-        ${builtins.readFile (pkgs.fetchurl {
+        "${pkgs.arkenfox-userjs}/user.cfg"
-          # FIXME: IFD
+        ./user-overrides.js
-          url = "https://raw.githubusercontent.com/arkenfox/user.js/126.1/user.js";
+      ];
-          hash = "sha256-XRtG0iLKh8uqbeX7Rc2H6VJwZYJoNZPBlAfZEfrSCP4=";
-        })}
-        ${builtins.readFile ./user-overrides.js}
-      '';
     };
-  };
+    profiles."default" = {};
-
-  home.sessionVariables = {
-    MOZ_USE_XINPUT2 = "1";
   };
 }

home/applications/mpv/default.nix

@@ -17,9 +17,6 @@
       slang = "eng,en";
     };
 
-    # FIXME: https://github.com/nix-community/home-manager/pull/5524
-    package = pkgs.mpv-unwrapped.wrapper {
-      mpv = pkgs.mpv-unwrapped;
     scripts =
       (with pkgs.mpvScripts; [
         thumbfast
@@ -30,5 +27,4 @@
         mpris
       ]);
   };
-  };
 }

home/applications/starship/default.nix

@@ -1,11 +1,9 @@
-{
+{pkgs, ...}: {
-  pkgs,
-  lib,
-  ...
-}: {
   programs.starship = {
     enable = true;
-    # FIXME: IFD
+  };
-    settings = lib.importTOML "${pkgs.starship}/share/starship/presets/nerd-font-symbols.toml";
+
+  home.sessionVariables = {
+    "STARSHIP_CONFIG" = "${pkgs.starship}/share/starship/presets/nerd-font-symbols.toml";
   };
 }

home/applications/thunderbird/default.nix

@@ -1,16 +1,15 @@
 {pkgs, ...}: {
   programs.thunderbird = {
     enable = true;
-    profiles.default = {
+    package = pkgs.thunderbird.override {
-      isDefault = true;
+      extraPrefsFiles = [
-      extraConfig = ''
+        (pkgs.fetchurl {
-        ${builtins.readFile (pkgs.fetchurl {
-          # FIXME: IFD
           url = "https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/d6b18302e46349d9924c8a76951bae6efca51501/user.js";
           hash = "sha256-66B1yLQkQnydAUXD7KGt32OhWSYcdWX+BUozrgW9uAg=";
-        })}
+        })
-        ${builtins.readFile ./user-overrides.js}
+        ./user-overrides.js
-      '';
+      ];
     };
+    profiles.default.isDefault = true;
   };
 }

hosts/blacksteel/Caddyfile

@@ -0,0 +1,64 @@
+(default) {
+	encode zstd gzip
+
+	header {
+		# https://observatory.mozilla.org/analyze/ny4.dev
+		# https://infosec.mozilla.org/guidelines/web_security
+		# https://caddyserver.com/docs/caddyfile/directives/header#examples
+
+		?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
+		?Permissions-Policy interest-Hpcohort=()
+		?Strict-Transport-Security max-age=31536000;
+		?X-Content-Type-Options nosniff
+		?X-Frame-Options DENY
+	}
+
+	handle_path /robots.txt {
+		file_server * {
+			root /var/www/robots/robots.txt
+		}
+	}
+}
+
+http://mastodon.ny4.dev:80 {
+	import default
+	handle_path /system/* {
+		file_server * {
+			root /var/lib/mastodon/public-system
+		}
+	}
+
+	handle /api/v1/streaming/* {
+		reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
+			header_up X-Forwarded-Proto "https"
+		}
+	}
+
+	route * {
+		file_server * {
+			root @mastodon@/public
+			pass_thru
+		}
+		reverse_proxy * unix//run/mastodon-web/web.socket {
+			header_up X-Forwarded-Proto "https"
+		}
+	}
+
+	handle_errors {
+		root * @mastodon@/public
+		rewrite 500.html
+		file_server
+	}
+}
+
+http://matrix.ny4.dev:80 {
+	import default
+	reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock
+	reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock
+	reverse_proxy /health unix//run/matrix-synapse/synapse.sock
+}
+
+http://syncv3.ny4.dev:80 {
+	import default
+	reverse_proxy unix//run/matrix-sliding-sync/sync.sock
+}

hosts/blacksteel/default.nix

@@ -2,7 +2,6 @@
   pkgs,
   lib,
   config,
-  inputs,
   ...
 }: {
   imports = [
@@ -43,8 +42,9 @@
       "mastodon/environment" = {
         restartUnits = ["mastodon-web.service"];
       };
-      "frp/environment" = {
+      "cloudflared/secret" = {
-        restartUnits = ["frp.service"];
+        restartUnits = ["cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service"];
+        owner = config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
       };
     };
   };
@@ -57,70 +57,42 @@
     openFirewall = true;
   };
 
-  services.frp = {
+  services.cloudflared = {
     enable = true;
-    role = "client";
+    tunnels = {
-    settings = {
+      "6222a3e0-98da-4325-be19-0f86a7318a41" = {
-      serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
+        credentialsFile = config.sops.secrets."cloudflared/secret".path;
-      serverPort = 7000;
+        default = "http_status:404";
-      auth.method = "token";
+        ingress = {
-      auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
+          # TODO: is this safe?
-      proxies = [
+          # browser <-> cloudflare cdn <-> cloudflared <-> caddy <-> mastodon
-        {
+          #                                             ^ no tls in this part?
-          name = "synapse";
+          "mastodon.ny4.dev" = "http://localhost:80";
-          type = "tcp";
+          "matrix.ny4.dev" = "http://localhost:80";
-          remotePort = 8600;
+          "syncv3.ny4.dev" = "http://localhost:80";
-          plugin = {
-            type = "unix_domain_socket";
-            unixPath = "/run/matrix-synapse/synapse.sock";
         };
-        }
-        {
-          name = "syncv3";
-          type = "tcp";
-          remotePort = 8700;
-          plugin = {
-            type = "unix_domain_socket";
-            unixPath = "/run/matrix-sliding-sync/sync.sock";
       };
-        }
-        {
-          name = "mastodon-web";
-          type = "tcp";
-          remotePort = 8900;
-          plugin = {
-            type = "unix_domain_socket";
-            unixPath = "/run/mastodon-web/web.socket";
-          };
-        }
-        {
-          name = "mastodon-streaming";
-          type = "tcp";
-          remotePort = 9000;
-          plugin = {
-            type = "unix_domain_socket";
-            unixPath = "/run/mastodon-streaming/streaming-1.socket";
-          };
-        }
-        {
-          name = "mastodon-system";
-          type = "tcp";
-          remotePort = 9100;
-          plugin = {
-            # FIXME:
-            type = "static_file";
-            localPath = "/var/lib/mastodon/public-system";
-          };
-        }
-      ];
     };
   };
 
-  systemd.services.frp.serviceConfig = {
+  services.caddy = {
-    EnvironmentFile = [config.sops.secrets."frp/environment".path];
+    enable = true;
+    configFile = pkgs.substituteAll {
+      src = ./Caddyfile;
+      inherit (pkgs) mastodon;
+    };
+  };
+
+  systemd.services.caddy.serviceConfig = {
     SupplementaryGroups = ["mastodon" "matrix-synapse"];
   };
 
+  systemd.tmpfiles.settings = {
+    "10-www" = {
+      "/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt;
+    };
+  };
+
   services.postgresql = {
     enable = true;
     settings = {

hosts/blacksteel/secrets.yaml

@@ -5,8 +5,8 @@ syncv3:
     environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
 mastodon:
     environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
-frp:
+cloudflared:
-    environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str]
+    secret: ENC[AES256_GCM,data:QXIl0MqreqPH4LP7IQdA5qQCQdizjFixbOHjqQi/3RjYDt9zt0OejW9rIYnkIRyVj4hnkJBqd1ov/VgdSoNmy/iafIgwqwgsMH0e4R9J6n255p3JG3XBmiYry89xXvQ1SXyzWdUF6p3qgevwzjZnKYyYHT9TbLWc/BkTyyA8g1EGg0O1WfDXhq7u9kOPV4CaU1UX1MMpvZQnsV389PJEWYuK,iv:ASGw5dGOuukRREZ8vMLw5hgZmJhDZSJxDqvfWaxXKJk=,tag:75jf48BEDd4uHkb+2LV5Tg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -31,8 +31,8 @@ sops:
             bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
             hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-20T14:23:30Z"
+    lastmodified: "2024-06-21T07:19:43Z"
-    mac: ENC[AES256_GCM,data:cgDwV6lXR+eTOFcfytKDc2cCs+w/PGDS3fASoKw5VQ95StbmvVNt0go4yAt1D86LXa5p1ReW8dVaciDovuhCFd/jZ+zJpA7sNwKBNrlye7sURW6zDiVM7ITyslPd31bSeIL5/qtiwyT+1tdnthSTjtJPrnPu9NfsRrkUsITT7WA=,iv:ComILTHFTb8lHooVemIg+Nx9ZDWr6SyweZTtmsjWALQ=,tag:7Bj38htDNkoHZdVDMgEiBA==,type:str]
+    mac: ENC[AES256_GCM,data:pKWUM3uhmtrwTOlR2jZauWsGSY1d//z+cojpWLFAAKedGjotLB6cmektyAVRHhw3waiM4WR5+BNZ6ghp7qBrM0z2WanJCdSmXqdyxJEydUC9CCFXZG+7SmIZS+7+/LsqejzdYSAMf9DijN74E1EJVS5F0mHhw8QuRmDy3wU789M=,iv:IrOm1Maz8os9Q/ez+TbOxOTr1zwB1loDVHcPbN8kMvg=,tag:AAKp3OH/s2c7u8lp6vkLVg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

hosts/lightsail-tokyo/Caddyfile

@@ -6,7 +6,9 @@
 	}
 }
 
-(header) {
+(default) {
+	encode zstd gzip
+
 	header {
 		# https://observatory.mozilla.org/analyze/ny4.dev
 		# https://infosec.mozilla.org/guidelines/web_security
@@ -18,13 +20,7 @@
 		?X-Content-Type-Options nosniff
 		?X-Frame-Options DENY
 	}
-}
 
-(compression) {
-	encode zstd gzip
-}
-
-(robots) {
 	handle_path /robots.txt {
 		file_server * {
 			root /var/www/robots/robots.txt
@@ -32,12 +28,6 @@
 	}
 }
 
-(default) {
-	import header
-	import compression
-	import robots
-}
-
 www.ny4.dev {
 	import default
 	redir https://ny4.dev
@@ -91,13 +81,6 @@ pixiv.ny4.dev {
 	reverse_proxy unix//run/pixivfe/pixiv.sock
 }
 
-matrix.ny4.dev {
-	import default
-	reverse_proxy /_matrix/* localhost:8600
-	reverse_proxy /_synapse/client/* localhost:8600
-	reverse_proxy /health localhost:8600
-}
-
 syncv3.ny4.dev {
 	import default
 	reverse_proxy localhost:8700
@@ -114,31 +97,6 @@ element.ny4.dev {
 	file_server
 }
 
-mastodon.ny4.dev {
-	import default
-	handle_path /system/* {
-		reverse_proxy localhost:9100
-	}
-
-	handle /api/v1/streaming/* {
-		reverse_proxy localhost:9000
-	}
-
-	route * {
-		file_server * {
-			root @mastodon@/public
-			pass_thru
-		}
-		reverse_proxy * localhost:8900
-	}
-
-	handle_errors {
-		root * @mastodon@/public
-		rewrite 500.html
-		file_server
-	}
-}
-
 git.ny4.dev {
 	import default
 	reverse_proxy unix//run/forgejo/forgejo.sock

hosts/lightsail-tokyo/default.nix

@@ -39,9 +39,6 @@
       "searx/environment" = {
         restartUnits = ["searx.service"];
       };
-      "frp/environment" = {
-        restartUnits = ["frp.service"];
-      };
     };
 
     templates = {
@@ -69,9 +66,6 @@
     # caddy
     80
     443
-
-    # frp
-    7000
   ];
 
   systemd.tmpfiles.settings = {
@@ -118,20 +112,6 @@
     ];
   };
 
-  services.frp = {
-    enable = true;
-    role = "server";
-    settings = {
-      bindPort = 7000;
-      auth.method = "token";
-      auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}";
-    };
-  };
-
-  systemd.services.frp.serviceConfig = {
-    EnvironmentFile = [config.sops.secrets."frp/environment".path];
-  };
-
   # `journalctl -u murmur.service | grep Password`
   services.murmur = {
     enable = true;

hosts/lightsail-tokyo/secrets.yaml

@@ -4,8 +4,6 @@ searx:
     environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
 pixivfe:
     environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
-frp:
-    environment: ENC[AES256_GCM,data:6XWjUPuJt6fPiIO7mrMjIoR0VHsiy77GqJu/CXVqMEi+EEmXgUN2l6m5vTkttmZICXb5M9ANpdTYOB3nEwCYBJvmFe8kFIZ77rYRVt3C4l0=,iv:5UHJQTanNvk5BsZzH0JeGKP8sDFjTIuc7sGRcReF1+4=,tag:sBYa9RFaMGrh6HZudqZVVA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -30,8 +28,8 @@ sops:
             R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
             3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-20T08:14:22Z"
+    lastmodified: "2024-06-21T07:19:35Z"
-    mac: ENC[AES256_GCM,data:hqCsHztVoTvRoJ+HyODPrYJKwCWusLzap0tVRxnQlAaqIp1ln9AyxLRuQetDkF5nN97S0BW1z1Uf910wlAe5VxsENrIDMYeUq1PnbQ2ijLttGOnLJVS0aJgcFqNOir2tbflH3fbzDCiSmrT+xQ8ytgX+MEtXpxH7OlVFohjXBCo=,iv:ztALlEtd9cGBY0Sx9yzSngNMaHX3kgkRMTruXDXXVHQ=,tag:hztHafyj4nu3npWyBPhxGw==,type:str]
+    mac: ENC[AES256_GCM,data:1zG5at1zfjbnnHcZ1Vy7aJxMjaZpE9aL3QlAaxyQ7GYle05z/4PqIdampd7p1WrMWNWqkxkUFazTCpQF9faR0qbnZ2zyOWk45ZtBGZSEhvHRFke6JjwPv4fi35ozHL4JiuP76kGivegvR2OgQ7NH6HJBoZgEqduu+YISJlrvJVs=,iv:p/v8BnUmOCYsaXtUeaVq5MKLk69as3XkQsG688tYkiE=,tag:if6U/qbzrNdYaqLcQbGe6Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

pkgs/default.nix

@@ -1,13 +1,14 @@
 # NOTE: 301: All packages are migrated to `github:Guanran928/nur-packages`,
 #       only keeping some packages that only fits for personal use.
-pkgs: {
+pkgs: let
-  scripts = rec {
+  inherit (pkgs) lib;
+in {
+  scripts = lib.makeScope pkgs.newScope (self: {
     # util
-    makeScript = pkgs.callPackage ./scripts/makeScript.nix {};
+    makeScript = self.callPackage ./scripts/makeScript.nix {};
 
     # scripts
-    # TODO: Do I really have to inherit `makeScript` for every script?
+    lofi = self.callPackage ./scripts/lofi.nix {};
-    lofi = pkgs.callPackage ./scripts/lofi.nix {inherit makeScript;};
+    screenshot = self.callPackage ./scripts/screenshot.nix {};
-    screenshot = pkgs.callPackage ./scripts/screenshot.nix {inherit makeScript;};
+  });
-  };
 }