From 318fbd3cec3fc00aa91c3dfa8efd61cbd658cfd5 Mon Sep 17 00:00:00 2001 From: oluceps Date: Thu, 22 Feb 2024 00:57:49 +0800 Subject: [PATCH] ~ --- hosts/hastur/spec.nix | 22 ++++++++--------- hosts/lib.nix | 2 +- hosts/nodens/caddy.nix | 52 +++++++++++++++++++++++++++++++++-------- hosts/nodens/spec.nix | 2 +- justfile | 2 +- sec/ssh-cfg.age | Bin 2696 -> 2674 bytes 6 files changed, 56 insertions(+), 24 deletions(-) diff --git a/hosts/hastur/spec.nix b/hosts/hastur/spec.nix index e7aba518d..6861f7241 100644 --- a/hosts/hastur/spec.nix +++ b/hosts/hastur/spec.nix @@ -118,17 +118,17 @@ dae.enable = true; sing-box.enable = true; - beesd.filesystems = { - os = { - spec = "LABEL=nixos"; - hashTableSizeMB = 1024; # 256 *2 *2 - verbosity = "crit"; - extraOptions = [ - "--loadavg-target" - "5.0" - ]; - }; - }; + # beesd.filesystems = { + # os = { + # spec = "LABEL=nixos"; + # hashTableSizeMB = 1024; # 256 *2 *2 + # verbosity = "crit"; + # extraOptions = [ + # "--loadavg-target" + # "5.0" + # ]; + # }; + # }; restic.backups.solid = { passwordFile = config.age.secrets.wg.path; repositoryFile = config.age.secrets.restic-repo.path; diff --git a/hosts/lib.nix b/hosts/lib.nix index 27a3030ab..e12c9f543 100644 --- a/hosts/lib.nix +++ b/hosts/lib.nix @@ -61,7 +61,7 @@ in toString (pkgs.lib.getExe (pkgs.nuenv.writeScriptBin { name = "post-ntfy-msg"; - script = "cat /run/agenix/ntfy-token | str trim | http post --password $in --headers [${header}] https://ntfy.nyaw.xyz/${level} ${body}"; + script = "http post --password $in --headers [${header}] https://ntfy.nyaw.xyz/${level} ${body}"; })); base = diff --git a/hosts/nodens/caddy.nix b/hosts/nodens/caddy.nix index 4091d3e50..82d627630 100644 --- a/hosts/nodens/caddy.nix +++ b/hosts/nodens/caddy.nix 
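Review bot: In hosts/lib.nix the new `script` still passes `--password $in`, but the `cat /run/agenix/ntfy-token | str trim |` stage that supplied `$in` has been removed, so the command now starts the pipeline with no input. Presumably `$in` is empty at that point, so the request either fails on the flag or goes out without a usable credential. If unauthenticated publishing is intended, drop the flag: `script = "http post --headers [${header}] https://ntfy.nyaw.xyz/${level} ${body}";`. If publishing should stay authenticated, keep reading the token from the agenix path. The enclosing `let` binding starts and ends outside the hunk.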
@@ -12,17 +12,49 @@ { handle = [{ handler = "subroute"; - routes = [{ - handle = [{ - handler = "reverse_proxy"; - upstreams = [{ - dial = "10.0.1.2:6167"; + routes = [ + { + handle = [{ + handler = "reverse_proxy"; + upstreams = [{ + dial = "10.0.1.2:6167"; + }]; }]; - }]; - match = [{ - path = [ "/_matrix/*" ]; - }]; - }]; + match = [{ + path = [ "/_matrix/*" ]; + }]; + } + { + handle = [ + { + handler = "headers"; + response.set = { + X-Frame-Options = [ "SAMEORIGIN" ]; + X-Content-Type-Options = [ "nosniff" ]; + X-XSS-Protection = [ "1; mode=block" ]; + Content-Security-Policy = [ "frame-ancestors 'self'" ]; + }; + } + ( + let + conf = { + default_server_config = { + "m.homeserver" = { + base_url = "https://matrix.nyaw.xyz"; + server_name = "nyaw.xyz"; + }; + }; + show_labs_settings = true; + }; + in + { + handler = "file_server"; + root = "${pkgs.element-web.override { inherit conf; }}"; + } + ) + ]; + } + ]; }]; match = [{ host = [ "matrix.nyaw.xyz" ]; diff --git a/hosts/nodens/spec.nix b/hosts/nodens/spec.nix index 32ebc5898..3833d890d 100644 --- a/hosts/nodens/spec.nix +++ b/hosts/nodens/spec.nix @@ -45,7 +45,7 @@ settings = { listen-http = ":2586"; behind-proxy = true; - auth-default-access = "deny-all"; + auth-default-access = "read-write"; base-url = "http://ntfy.nyaw.xyz"; }; }; diff --git a/justfile b/justfile index 4e2e94ed8..1aa14715a 100644 --- a/justfile +++ b/justfile @@ -81,7 +81,7 @@ rekey: overwrite-s3: mc mirror --overwrite --remove /home/{{ me }}/Sec/ r2/sec/Sec - mc mirror --overwrite --remove /etc/nixos/sec/ r2/sec/credentials + mc mirror --overwrite --remove {{loc}}/sec/ r2/sec/credentials overwrite-local: mc mirror --overwrite --remove r2/sec/Sec /home/{{ me }}/Sec/ 
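Review bot: The `headers` handler in the new route sets `X-XSS-Protection = [ "1; mode=block" ]`, which current browsers no longer act on; consider dropping it or sending `X-XSS-Protection = [ "0" ];`. The `Content-Security-Policy` value only carries `frame-ancestors 'self'`, so it repeats the framing restriction from `X-Frame-Options` and places no limits on scripts or other content for the served client. The new route also has no `match`, so every path on matrix.nyaw.xyz other than `/_matrix/*` is answered by `file_server`; a short comment such as `# catch-all: serves element-web for everything except /_matrix/*` would make that explicit. The surrounding route list continues outside the hunk.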
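Review bot: `auth-default-access = "read-write"` in hosts/nodens/spec.nix lets any unauthenticated client publish to and subscribe on every topic of this ntfy instance, where the previous `deny-all` required an explicit grant. If the instance is reachable at the `base-url` shown in the same block, anyone who knows or guesses a topic name can read the host notifications or inject their own. If the aim is only to let hosts post without a token, `auth-default-access = "write-only";` keeps anonymous reads closed. Otherwise keep `deny-all` and grant access per user or topic. The `settings` attribute set continues outside the hunk.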
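Review bot: `mc mirror --overwrite --remove {{loc}}/sec/ r2/sec/credentials` in the `overwrite-s3` recipe now decides what to delete from the bucket based on whatever `loc` resolves to, and `loc` is defined outside this hunk. With `--remove`, pointing `loc` at a different or partial checkout would delete credentials from `r2/sec/credentials` that are missing locally. A comment above the recipe, e.g. `# loc must be the repo root containing the full sec/ tree; --remove deletes remote objects missing locally`, would document the assumption. Quoting the path as `"{{loc}}/sec/"` guards against a value containing spaces.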
diff --git a/sec/ssh-cfg.age b/sec/ssh-cfg.age index cb74baed27dc6e9ceff16571344a51007f3aa285..e3d1cc6613494cc351b278609152e150b972a233 100644 GIT binary patch delta 2669 zcmV-z3X=7R74j62Ab&JfQh8A`S6VPrNNagHYiL4ZHdIzMPHk{2R4;WxFLFdsPghcL zd2(`SSqf-5b4N;cIB;oJGD~k&MR!kgXlhwObZ%o*bTLI|GD~AQP*g}vOh#CBcM2^& zAaH4REpRe5HXvqJF;-DQAVD~DGeI*&b2mjXcvEO$T31+cIDd3XHEB?HPGee8OmAdb zNmXxGGj4f$Q#1-MfTB!7vbglxl{Ro=yt>R0?mwufCh5N4L^+HJwuI0|sfK~wnu#jZ#=1>_54iAI)Z zzFns8aF9qaf)xGQJt^9oAA-!}yU|#Y|2u7h%=3T4h`x@74!S{Um6E)gG}KefhNRse za;}GK;!XfA=Rl}&>?|O!=WC4{Exu+=Hm5McNPiMoAk~*aL7CS=-^T?n+04`YoMGN@ zmQ9BenD?$dwl;RnRkj`jC9x`~&aEP7!xkT&L~WM^<( zIe(?+(fV~W(~n%$q8!`BicB~SWAkK zT|`Fv`9$ch-z)2}G*!$6RVfPRX2HH3ajEFNC0%2`m1&$9J&NE_g< zUt=gPsHJDS{1^C97RqJ|UKqhbO;YmP+7Q=gs_MQSp#L%MZSe}AFv ziR*ppa}af0w#p~-TW=PWH&OTy8$O1}8e^n6vK558zvqGUL#xKiFNHHupude@-cc7^ z{h6au8Mb)a!Do})Z(&NYWur_cZe?@qweYbV!f1%OQ;kx1zKo(we|CURM$se2-R!Rx z1}AnAUONW~#SPs{Q>XoCuw%9L8GoZ9Jqn5iX|cm07H_yN&d*u`L#I!Nkn*5Cq^=+i zN(?3&!XUD6Z-231{OdJrQu|CL4$>GjGZ;;{UastjyZ#Jc*zd;flOs^&YhET4T=aEg z%$|(MNAD`S-$Ase8sl;hqe#tuB7D9NInMovbx=Gnt$!DI(>ei!vy!DQOn>(>Vl`g+ z>OW)$ba3y16tUra*=pXy;mU(3;r^Q~;U(cBo0tuIX^s_kBpZWUuN{qXN(EYj9G2L$ z-Ib(Ve^pKL7Hz=L@slR=xD(7bpeP=rdsx_fvvr2e&Ox*OaUFmg5khTo0tK_waJI&r z(8qDS>JXjl9$3nCveRh#i+?Tke%`VYDi}x31IM&y8SjD-H+M0XUPM_Gy7m2hKbLXY z!*+@S@+z|`;CJan6pQc_s{DxOj4g4ON}a{f(Z6=O-fzFezukA*^9%@Xpah=$o(OUS4nF`%Z=>wl@Rg_iFPL>8^L*n@t}zcg&L(3fr> z%B9CMzwZ>02Wv1K01u&S%N*UYR#ibwdkhbhqp(eluUc-eAMr9#3v0_Meik?Br#AqX zVB{--^A=mmF{|Cjh$i_~N>GOzgvO|2mAXixSif_{A9yhNkAIDJk>Yjq8##L$dg|gz z&v*nbH>+$KCkxM2bf!K2T8P@dY*-xYuqlU(mM!9LM>rc>_;m!;$Ha`+KQ3&}v454l z>H3leJN73h%RxdbG@KyZ4m^uzDJ5*6x)7v9$n!C?{nM3@EXdkv*P0*p+_v_ON#sMm zE5v7Sv~lCy$S2AS$uDRdb|vAB88${Rte<^Zsja9mdj5^{TVtBy7GhCD)wUzfF!c7W7C4 z?tZcxo`1_@)AxpRBZDmO!KO-s8bRsv>Br=s`PN8>I@WHTNN^25WkKf>Z)A3PchTFE zg?VgUsPpRq*7HVA!%lt_Vg*zoOdA4&8&ww~!W{M}bi*mBI!OlEtBz;{|LvrEk17x^ zEyWPI00-q>J_kW@jCr@M9*mP^^q;HTzXDWh*njeJ#~Ycd-Qzf_rxJT}qpknul%jsb 
z0;qGlYPhXy(vqn@r2Ua^F6Fj$mPE})qQz@uxURg1SvS9@^7A7^3-^a#&pSNxs;LLKp zV;f2BiamN-eY#jpwqE3KX1sXrMHEHZNoH3uO&W#Z=dt|`Cw#?W5JACf<1%GEZwu$&sBOIAl(-EXvQ|+KfxoK5mpB|-$eax delta 2691 zcmV-}3VikQ6o?g&Ab&x2Ml(%TFE(Q@RaHrNO;syIYC~FZVsCXhYEm>>SWP)MLsoBL zY)3L^X9`e8SYk&sMNxNHV_IQqMKV$`b#!S=PhnAZPFY8Kd2Df7N<>R%aYR*bcM2^& zAaH4REpRe5HXvqJF;-DQAVF_3D{5F&H9=ZtZ%A=YD{(bOP=88lT1!+?N>eXoO)yqO zVpLI8dQ~(*ZAS`Ibx}tvHbPKCb67`NO-o^QRZmnzFlu#aVs11D=~UyZdYM%Ls4jJH!)ImYeaENS6Mi3PisqM zc5QNYSVKVybHaYX%J0JBJf>EdkYDk{1JQ_<=F`^vwaeBVS(1NMYE$m)z4EpucqQ*a zV*oMHz>Sc zlB|Kxv)5oDE{;~}k=6dCR6cUj0^ZKxhiwvV(T1rcXhaMyH_mkO$E)M;t{VI=fsSEon)VsZ7X#e9kw$p-+aD0_Hu z(O(EF+9ro^M3LuJL9ei08s+nukxYNnN?xP+)-tP4va0!}7X!F3Ok%C&} z4iXY7PTkAcljx1j;@zYAal&=m1W$bTa%j28z)snkcBRk1fv3WwAzX^YF7&zTg*UdL z+hkgw97pv%)LqFC)58_k0WS#jm4Xcmy?+WBNh`Wpi|P4PVQ)JvHfM4koe1J7S2wlO zz8s=!IY7zsSGb$1O|f%CPWRTjAHaU-FpZpc>e>XDV9XBW@cCuHv6&qbfEZiaxhhA4 z7erxkt1N}+mrxFrbhH!B&~?P*4YRr}qrcO>?^3yKBtXeGYZZYP8lme8-x^>P%YQ9d zaQ=@efVT>V`35XK8r|h^W5i-pNszl#9HDVxJaew85=B6n!;aTdDO%#U?S&HpQcE_|*J~7dz|0e$K zs15r&*Rm8qGjwCuoDhQV1XsPPiYhkZOD5}BhTl)S&@ne&Pz_1-)XZ-4A{Ejr^KUA* z0f>et)C=WF7Bqu%y5=y{v&ZaR?t6>11k9A!75d?DV(G$8pTDl~i#73}>VHm~0%abe zw|}l+I%Qf4*MU3CZFsna=Hluv^6$%0Y1+A$Jvt|(5L-ahJbMHhrsWKt8}iUgObzkO zX>f55XM@CXoerLz%bz_7AY}4}d=lU`=;-~J9unp#SY3k~&ZUWp{pTq(mboYLLyXsz zT-=WR%lHfLF`)C*rt-QH_kUpyYYoFp<1!pTLUkCP?vt3;X{uKkRheXNgCbz1&P&)g z6Jv*SubmDabS_lTf~D2jS4upppIR}$OV?h!*XD&*U!e`WzVNj*C~7y$*&KvWx+ z0Xw;W`e>LY9pTO?2UDobzsY~lEKdmLkSrZy&Ylmm)otlGM63dP-hV;hR3E}SqB%N4 zG{`0hST2YMfw8XHg&INQLam+Rq1ulY9w8Ap&X&r*a)4!bwPLcvU8oo5vdk#Csy91% zO{c=FdBn)6NWG}OfQt2^6V1oL$=&9huVGZ70!j0;gxr#)E_HIf{fAJDU-ZM$qb3Awa4gv1TR62vJ1wrjleW~p@r z<;3oEU)Ab`HjGoh{rw>Ko*?*MIx$DFQn{9Iw%*5)Qg=_@*2rp9fpMrEY`0zvOQ67< za}Ly4lU^k%;ep8qSl=1dVW7W+a(EoGY}KhH(|6D-CC_mv112IC3hz=E`j#5Mwgiq* zT0kKQY=mo;+kdR?Ha&RSi=x$$m~*c6k(y0P!+hL19ycg6JAv@SiP05P)% zl|jixVG^h=Yt6xAMAq}@;d|+RZDxmzU~oUvSM@Bv+UjYEO;n2N4WdzQ4Q9Dwlw;1O 
zSl;4OhJS}JZm*hREylPlRgjnlR#yz>Xb{M`JL!<^$P%40MkoT+zoWvI>{p2;)cFVygM>6oolxq;1MEq#{xR0~o{0|$O6s38~acIngjR4H_%9(TwB z2^`h+KQ`)~Jhvlwpe^T*s2H~d&@A7e#BP%W(tpc2qABERI%YBwa=_RMlT_{AEv)9l zK`+{0cz}>fJ;Im`;9w}bfkKONi`&uALCM7;3sV$UoT1{PYk}N(ky(~ zrzzwZ7Qz2F)y2y=hitMvyw;vycMiw``~MRHshY7`yAz{=rk0HcI3mIoB~18=qOtBe zB7clY)S#A`GqaZ_PeZ=4aQ{)uu-dYDRUUmO0aDEj!C8XHC4cJ1mLMWCSP|6agY0_< zt=Nljq4qzu*cJdtWDmO=JZpa0XWu1#00Q2iW{VyBOgf@8`J>*W34F$U@Gy{)i&D6U zzF(&BHW}Nm^tnHUrqsZ^VRM4_&S_%a34G92TFXw)H7#vJN3d)6+!e6>7ly0o4G$lT zTOSEW7&4`YYqO^OzB(RRHn>HDcl2durbl}F)SkCtgu|?>CQbFYVvrGvS*ibf1?QQi x1%ZL^mA`+aUWOW_!8Z}G#r|!>NMhWnhs4!B5OxAf+^!9Ft1Sx5mV^Jg&yIA@6KDVc