diff --git a/flake.nix b/flake.nix index 20cdb83f1..449d29391 100755 --- a/flake.nix +++ b/flake.nix @@ -141,9 +141,12 @@ nixosModules = let shadowedModules = [ "sundial" ]; - modules = extraLibs.genFilteredDirAttrsV2 ./modules shadowedModules ( - n: import (./modules + "/${n}.nix") - ); + modules = + let + genModule = + dir: extraLibs.genFilteredDirAttrsV2 dir shadowedModules (n: import (dir + "/${n}.nix")); + in + (genModule ./modules) // { repack = ./repack; }; default = { ... }: diff --git a/hosts/abhoth/default.nix b/hosts/abhoth/default.nix index 4a74b6fc4..1eb435f8a 100644 --- a/hosts/abhoth/default.nix +++ b/hosts/abhoth/default.nix @@ -44,7 +44,6 @@ withSystem "x86_64-linux" ( user = "elen"; }; modules = lib.sharedModules ++ [ - ../../srv ../sysvars.nix ./hardware.nix ./network.nix diff --git a/hosts/abhoth/spec.nix b/hosts/abhoth/spec.nix index 11e5b934a..b17ec926a 100644 --- a/hosts/abhoth/spec.nix +++ b/hosts/abhoth/spec.nix @@ -26,31 +26,29 @@ "nyaw.key" ]; - srv = { + repack = { openssh.enable = true; fail2ban.enable = true; dnsproxy = { enable = true; - override = { - settings = { - bootstrap = [ - "1.1.1.1" - "8.8.8.8" - ]; - listen-addrs = [ "0.0.0.0" ]; - listen-ports = [ 53 ]; - upstream-mode = "load_balance"; - upstream = [ - "1.1.1.1" - "8.8.8.8" - "https://dns.google/dns-query" - ]; - }; - }; }; # rustypaste.enable = true; }; services = { + dnsproxy.settings = lib.mkForce { + bootstrap = [ + "1.1.1.1" + "8.8.8.8" + ]; + listen-addrs = [ "0.0.0.0" ]; + listen-ports = [ 53 ]; + upstream-mode = "load_balance"; + upstream = [ + "1.1.1.1" + "8.8.8.8" + "https://dns.google/dns-query" + ]; + }; metrics.enable = true; trojan-server.enable = true; hysteria.instances = [ diff --git a/hosts/azasos/default.nix b/hosts/azasos/default.nix index abbe9acea..d91c40fd7 100644 --- a/hosts/azasos/default.nix +++ b/hosts/azasos/default.nix 
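Review bot: The forced `services.dnsproxy.settings` keeps `listen-addrs = [ "0.0.0.0" ]` on port 53 with public upstreams, so dnsproxy on abhoth answers recursive queries from any source that can reach the host unless 53/udp and 53/tcp are filtered, which is an open resolver usable for amplification. Nothing in this block restricts client addresses, so bind to the internal address the clients actually use, or pair the setting with a `networking.firewall` rule limited to the internal ranges. `lib.mkForce` also replaces the whole settings set defined in `repack/dnsproxy.nix`, so any key added there later is silently dropped on this host; forcing only `upstream` and `upstream-mode` (the keys that differ) keeps the override minimal.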
@@ -43,7 +43,6 @@ withSystem "x86_64-linux" ( user = "elen"; }; modules = lib.sharedModules ++ [ - ../../srv inputs.disko.nixosModules.default ./hardware.nix ./network.nix diff --git a/hosts/azasos/spec.nix b/hosts/azasos/spec.nix index 170649797..8467e2575 100644 --- a/hosts/azasos/spec.nix +++ b/hosts/azasos/spec.nix @@ -26,7 +26,7 @@ supportedFilesystems = [ "tcp_bbr" ]; inherit ((import ../sysctl.nix { inherit lib; }).boot) kernel; }; - srv = { + repack = { openssh.enable = true; fail2ban.enable = true; dae.enable = false; diff --git a/hosts/colour/default.nix b/hosts/colour/default.nix index 72eec61af..c462d0c65 100644 --- a/hosts/colour/default.nix +++ b/hosts/colour/default.nix @@ -43,7 +43,6 @@ withSystem "x86_64-linux" ( user = "elen"; }; modules = lib.sharedModules ++ [ - ../../srv ./hardware.nix ./network.nix ./rekey.nix diff --git a/hosts/eihort/default.nix b/hosts/eihort/default.nix index ea0b33ac5..9428775a7 100644 --- a/hosts/eihort/default.nix +++ b/hosts/eihort/default.nix @@ -45,7 +45,6 @@ withSystem "x86_64-linux" ( ./spec.nix ./sysctl.nix ../persist.nix - ../../srv ../../age.nix ../../packages.nix ../../misc.nix diff --git a/hosts/eihort/spec.nix b/hosts/eihort/spec.nix index a07396b73..12f9b4c5d 100644 --- a/hosts/eihort/spec.nix +++ b/hosts/eihort/spec.nix @@ -58,7 +58,7 @@ supportedFilesystems = [ "tcp_bbr" ]; }; # environment.systemPackages = with pkgs;[ zfs ]; - srv = { + repack = { openssh.enable = true; fail2ban.enable = true; phantomsocks.enable = true; diff --git a/hosts/hastur/default.nix b/hosts/hastur/default.nix index ca7df98db..1fada468b 100644 --- a/hosts/hastur/default.nix +++ b/hosts/hastur/default.nix @@ -46,14 +46,12 @@ withSystem "x86_64-linux" ( modules = lib.sharedModules ++ [ - ../../srv ./hardware.nix ./network.nix ./rekey.nix ./spec.nix ./caddy.nix - # ./nginx.nix - # ../graphBase.nix + ./restic.nix ../persist.nix ../secureboot.nix 
@@ -69,7 +67,6 @@ withSystem "x86_64-linux" ( inputs.niri.nixosModules.niri ../../users.nix - ./misskey.nix ../dev.nix ] ++ (with inputs; [ diff --git a/hosts/hastur/nginx.nix b/hosts/hastur/nginx.nix index b2ffb6364..948fb0d5e 100644 --- a/hosts/hastur/nginx.nix +++ b/hosts/hastur/nginx.nix @@ -6,5 +6,5 @@ "nyaw.key" ]; - srv.nginx.enable = true; + repack.nginx.enable = true; } diff --git a/hosts/hastur/restic.nix b/hosts/hastur/restic.nix new file mode 100644 index 000000000..0b44f9581 --- /dev/null +++ b/hosts/hastur/restic.nix 
@@ -0,0 +1,63 @@ +{ config, lib, ... }: +{ + systemd.services = lib.listToAttrs ( + map (name: { + name = "restic-backups-${name}"; + value = { + serviceConfig.Environment = [ "GOGC=20" ]; + }; + }) (lib.attrNames config.services.restic.backups) + ); + + services.restic = { + backups = { + # solid = { + # passwordFile = config.age.secrets.wg.path; + # repositoryFile = config.age.secrets.restic-repo.path; + # environmentFile = config.age.secrets.restic-envs.path; + # paths = [ + # "/persist" + # "/var" + # ]; + # extraBackupArgs = [ + # "--one-file-system" + # "--exclude-caches" + # "--no-scan" + # "--retry-lock 2h" + # ]; + # timerConfig = { + # OnCalendar = "daily"; + # RandomizedDelaySec = "4h"; + # FixedRandomDelay = true; + # Persistent = true; + # }; + # }; + critic = { + #### CLOUDFLARE R2 but connectivity bad + # passwordFile = config.age.secrets.wg.path; + # repositoryFile = config.age.secrets.restic-repo-crit.path; + # environmentFile = config.age.secrets.restic-envs-crit.path; + passwordFile = config.age.secrets.wg.path; + repository = "s3:http://10.0.1.3:3900/crit"; + environmentFile = config.age.secrets.restic-envs-dc3.path; + #### + paths = [ + "/var/.snapshots/latest/lib/backup" + "/var/.snapshots/latest/lib/private/matrix-conduit" + ]; + extraBackupArgs = [ + "--exclude-caches" + "--no-scan" + "--retry-lock 2h" + ]; + pruneOpts = [ "--keep-daily 3" ]; + timerConfig = { + OnCalendar = "daily"; + RandomizedDelaySec = "4h"; + FixedRandomDelay = true; + Persistent = true; + }; + }; + }; + }; +} diff --git a/hosts/hastur/spec.nix b/hosts/hastur/spec.nix index b71550fb3..bcdf4ec4e 100644 --- a/hosts/hastur/spec.nix +++ b/hosts/hastur/spec.nix 
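Review bot: `passwordFile = config.age.secrets.wg.path;` reuses what its name suggests is the WireGuard secret as the restic repository password, so the VPN key and the backup encryption password are the same secret and a leak or rotation of one forces the other. Use a dedicated secret for restic; the commented-out R2 variant already keeps separate `restic-repo-crit`/`restic-envs-crit` entries, and a password secret of the same kind would need to be declared in the age configuration, which is not part of this diff. Because `pruneOpts = [ "--keep-daily 3" ]` makes the same job run forget/prune with the same S3 credentials from `restic-envs-dc3`, a compromised hastur can delete its own backup history; a write-only key for the backup job and pruning from another host would close that. `repository = "s3:http://10.0.1.3:3900/crit"` is plain HTTP, which is acceptable only if 10.0.1.3 is reached over the VPN; restic encrypts content client-side, but the endpoint and object layout are otherwise exposed.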
@@ -32,20 +32,7 @@ ${pkgs.openssh}/bin/ssh-add ${config.age.secrets.id.path} ''; systemd = { - services = { - alertmanager.serviceConfig.LoadCredential = [ - "notifychan:${config.age.secrets.notifychan.path}" - ]; - - atuin.serviceConfig.Environment = [ "RUST_LOG=debug" ]; - - prometheus.serviceConfig.LoadCredential = (map (lib.genCredPath config)) [ - "prom" - ]; - }; - enableEmergencyMode = false; - watchdog = { runtimeTime = "20s"; rebootTime = "30s"; @@ -65,7 +52,7 @@ ] ++ [ config.services.photoprism.port ]; services.smartd.notifications.systembus-notify.enable = true; - srv = { + repack = { openssh.enable = true; fail2ban.enable = true; dae.enable = true; @@ -80,44 +67,12 @@ vaultwarden.enable = true; matrix-conduit.enable = true; # coredns.enable = true; + misskey.enable = true; dnsproxy.enable = true; srs.enable = true; grafana.enable = true; meilisearch.enable = true; radicle.enable = true; - - phantomsocks = { - enable = false; - override = { - settings.interfaces = [ - { - device = "bond0"; - dns = "tcp://208.67.220.220:5353"; - hint = "w-seq,https,w-md5"; - name = "default"; - } - { - device = "bond0"; - dns = "tcp://208.67.220.220:443"; - hint = "ipv6,w-seq,w-md5"; - name = "v6"; - } - { - device = "bond0"; - dns = "tcp://208.67.220.220:443"; - hint = "df"; - name = "df"; - } - { - device = "bond0"; - dns = "tcp://208.67.220.220:5353"; - hint = "http,ttl"; - name = "http"; - ttl = 15; - } - ]; - }; - }; }; services = { # ktistec.enable = true; 
@@ -174,57 +129,7 @@ }; sing-box.enable = true; - restic = { - backups = { - # solid = { - # passwordFile = config.age.secrets.wg.path; - # repositoryFile = config.age.secrets.restic-repo.path; - # environmentFile = config.age.secrets.restic-envs.path; - # paths = [ - # "/persist" - # "/var" - # ]; - # extraBackupArgs = [ - # "--one-file-system" - # "--exclude-caches" - # "--no-scan" - # "--retry-lock 2h" - # ]; - # timerConfig = { - # OnCalendar = "daily"; - # RandomizedDelaySec = "4h"; - # FixedRandomDelay = true; - # Persistent = true; - # }; - # }; - critic = { - #### CLOUDFLARE R2 but connectivity bad - # passwordFile = config.age.secrets.wg.path; - # repositoryFile = config.age.secrets.restic-repo-crit.path; - # environmentFile = config.age.secrets.restic-envs-crit.path; - passwordFile = config.age.secrets.wg.path; - repository = "s3:http://10.0.1.3:3900/crit"; - environmentFile = config.age.secrets.restic-envs-dc3.path; - #### - paths = [ - "/var/.snapshots/latest/lib/backup" - "/var/.snapshots/latest/lib/private/matrix-conduit" - ]; - extraBackupArgs = [ - "--exclude-caches" - "--no-scan" - "--retry-lock 2h" - ]; - pruneOpts = [ "--keep-daily 3" ]; - timerConfig = { - OnCalendar = "daily"; - RandomizedDelaySec = "4h"; - FixedRandomDelay = true; - Persistent = true; - }; - }; - }; - }; + hysteria.instances = [ { name = "nodens"; diff --git a/hosts/kaambl/default.nix b/hosts/kaambl/default.nix index 4de015ee5..a2606d66b 100644 --- a/hosts/kaambl/default.nix +++ b/hosts/kaambl/default.nix @@ -43,13 +43,13 @@ withSystem "x86_64-linux" ( user = "elen"; }; modules = lib.sharedModules ++ [ - ../../srv ./hardware.nix ./network.nix ./rekey.nix ./spec.nix ../persist.nix ../secureboot.nix + ./restic.nix # inputs.home-manager.nixosModules.default # ../../home ../sysctl.nix diff --git a/hosts/kaambl/restic.nix b/hosts/kaambl/restic.nix new file mode 100644 index 000000000..6ea2247e7 --- /dev/null +++ b/hosts/kaambl/restic.nix 
@@ -0,0 +1,29 @@ +{ config, ... }: +{ + restic = { + backups = { + # critic = { + # passwordFile = config.age.secrets.wg.path; + # repository = "rclone:sec:crit"; + # rcloneConfigFile = config.age.secrets.rclone-conf.path; + # paths = map (n: "/home/${user}/${n}") [ + # "Books" + # "Pictures" + # "Music" + # ]; + # extraBackupArgs = [ + # "--exclude-caches" + # "--no-scan" + # "--retry-lock 2h" + # ]; + # pruneOpts = [ "--keep-daily 3" ]; + # timerConfig = { + # OnCalendar = "daily"; + # RandomizedDelaySec = "4h"; + # FixedRandomDelay = true; + # Persistent = true; + # }; + # }; + }; + }; +} diff --git a/hosts/kaambl/spec.nix b/hosts/kaambl/spec.nix index 3a5c2a940..27c07c2e6 100644 --- a/hosts/kaambl/spec.nix +++ b/hosts/kaambl/spec.nix @@ -57,17 +57,13 @@ wantedBy = [ "default.target" ]; }; - srv = { + repack = { openssh.enable = true; fail2ban.enable = true; phantomsocks.enable = true; garage.enable = true; - # srs.enable = true; - # coredns.enable = true; - # mosproxy.enable = true; - dnsproxy.enable = true; dae.enable = true; - # smartdns.enable = true; + dnsproxy.enable = true; }; services = { @@ -75,32 +71,6 @@ sing-box.enable = true; - restic = { - backups = { - # critic = { - # passwordFile = config.age.secrets.wg.path; - # repository = "rclone:sec:crit"; - # rcloneConfigFile = config.age.secrets.rclone-conf.path; - # paths = map (n: "/home/${user}/${n}") [ - # "Books" - # "Pictures" - # "Music" - # ]; - # extraBackupArgs = [ - # "--exclude-caches" - # "--no-scan" - # "--retry-lock 2h" - # ]; - # pruneOpts = [ "--keep-daily 3" ]; - # timerConfig = { - # OnCalendar = "daily"; - # RandomizedDelaySec = "4h"; - # FixedRandomDelay = true; - # Persistent = true; - # }; - # }; - }; - }; snapy.instances = [ { name = "persist"; diff --git a/hosts/lib.nix b/hosts/lib.nix index 34449cfcb..299cfdbd3 100644 --- a/hosts/lib.nix +++ b/hosts/lib.nix 
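Review bot: The new file sets `restic = { backups = { ... }; };` at the top level of the module, but the option is `services.restic.backups` (the block it was cut from in `hosts/kaambl/spec.nix` lived under `services = { ... }`), so evaluation will fail on an undefined option `restic` even though every backup inside is commented out. Change the first attribute to `services.restic = {`. The commented `critic` job also references `user`, which the module's argument set `{ config, ... }` does not bind, so `user` has to be added to the arguments before that block is uncommented.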
@@ -36,7 +36,7 @@ in genOverlays = map (i: inputs.${i}.overlays.default); sharedModules = - [ ] + [ inputs.self.nixosModules.repack ] ++ (genModules [ "agenix-rekey" "ragenix" diff --git a/hosts/nodens/default.nix b/hosts/nodens/default.nix index 02a1ce24e..67a40e60d 100644 --- a/hosts/nodens/default.nix +++ b/hosts/nodens/default.nix @@ -38,7 +38,6 @@ withSystem "x86_64-linux" ( user = "elen"; }; modules = lib.sharedModules ++ [ - ../../srv ../sysvars.nix ./hardware.nix ./network.nix diff --git a/hosts/nodens/spec.nix b/hosts/nodens/spec.nix index 13c065295..a4ab89976 100644 --- a/hosts/nodens/spec.nix +++ b/hosts/nodens/spec.nix @@ -1,9 +1,7 @@ { - inputs, pkgs, config, lib, - user, ... }: { @@ -24,40 +22,32 @@ supportedFilesystems = [ "tcp_bbr" ]; inherit ((import ../sysctl.nix { inherit lib; }).boot) kernel; }; - - systemd.services.matrix-sliding-sync.serviceConfig.RuntimeDirectory = [ "matrix-sliding-sync" ]; - systemd.services.trojan-server.serviceConfig.LoadCredential = (map (lib.genCredPath config)) [ - "nyaw.cert" - "nyaw.key" - ]; - - srv = { + repack = { openssh.enable = true; fail2ban.enable = true; rustypaste.enable = true; matrix-sliding-sync.enable = true; - + trojan-server.enable = true; dnsproxy = { enable = true; - override = { - settings = { - bootstrap = [ - "1.1.1.1" - "8.8.8.8" - ]; - listen-addrs = [ "0.0.0.0" ]; - listen-ports = [ 53 ]; - upstream-mode = "parallel"; - upstream = [ - "1.1.1.1" - "8.8.8.8" - "https://dns.google/dns-query" - ]; - }; - }; }; }; services = { + # override repack + dnsproxy.settings = lib.mkForce { + bootstrap = [ + "1.1.1.1" + "8.8.8.8" + ]; + listen-addrs = [ "0.0.0.0" ]; + listen-ports = [ 53 ]; + upstream-mode = "parallel"; + upstream = [ + "1.1.1.1" + "8.8.8.8" + "https://dns.google/dns-query" + ]; + }; realm = { enable = true; settings = { @@ -75,7 +65,6 @@ }; }; metrics.enable = true; - trojan-server.enable = true; do-agent.enable = true; # copilot-gpt4.enable = true; factorio-manager = { 
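Review bot: The removed `systemd.services.trojan-server.serviceConfig.LoadCredential` lines (`nyaw.cert`, `nyaw.key`) have no visible replacement in the `repack/` tree in this diff, while `trojan-server.enable = true` now goes through `repack`; unless `repack/trojan-server.nix` (not shown) sets the same `LoadCredential`, trojan-server on nodens loses its certificate and key at the next switch. The `matrix-sliding-sync` `RuntimeDirectory` line was carried into `repack/matrix-sliding-sync.nix`, and trojan-server should get the same treatment, e.g. `systemd.services.trojan-server.serviceConfig.LoadCredential = (map (lib.genCredPath config)) [ "nyaw.cert" "nyaw.key" ];` inside that module. The forced `listen-addrs = [ "0.0.0.0" ]` on port 53 with public upstreams also makes nodens an open resolver unless 53 is filtered by the firewall.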
diff --git a/hosts/yidhra/default.nix b/hosts/yidhra/default.nix index ab37dd8bc..04f6480c3 100644 --- a/hosts/yidhra/default.nix +++ b/hosts/yidhra/default.nix @@ -50,7 +50,6 @@ withSystem "x86_64-linux" ( ./network.nix ./rekey.nix ./spec.nix - ../../srv ../../age.nix ../../packages.nix ../../misc.nix diff --git a/hosts/yidhra/spec.nix b/hosts/yidhra/spec.nix index b2f25674a..6516e5a88 100644 --- a/hosts/yidhra/spec.nix +++ b/hosts/yidhra/spec.nix @@ -21,7 +21,7 @@ inherit ((import ../sysctl.nix { inherit lib; }).boot) kernel; }; - srv = { + repack = { openssh.enable = true; fail2ban.enable = true; }; diff --git a/repack/atuin.nix b/repack/atuin.nix new file mode 100644 index 000000000..775cfe84c --- /dev/null +++ b/repack/atuin.nix @@ -0,0 +1,18 @@ +{ + reIf, + ... +}: +reIf { + services.atuin = { + enable = true; + host = "0.0.0.0"; + port = 8888; + openFirewall = true; + openRegistration = false; + maxHistoryLength = 65536; + database.uri = "postgresql://atuin@127.0.0.1:5432/atuin"; + }; + systemd.services = { + atuin.serviceConfig.Environment = [ "RUST_LOG=debug" ]; + }; +} diff --git a/modules/caddy.nix b/repack/caddy.nix similarity index 97% rename from modules/caddy.nix rename to repack/caddy.nix index 10ec8fb63..5adc78ce6 100644 --- a/modules/caddy.nix +++ b/repack/caddy.nix @@ -14,7 +14,8 @@ in options = { repack.caddy = { - enable = lib.mkEnableOption "caddy api gateway"; + # moved to upper module + # enable = lib.mkEnableOption "caddy api gateway"; package = lib.mkPackageOption pkgs "caddy-lim" { }; settings = lib.mkOption { type = lib.types.submodule { freeformType = format.type; }; diff --git a/repack/coredns.nix b/repack/coredns.nix new file mode 100644 index 000000000..2ceb03801 --- /dev/null +++ b/repack/coredns.nix 
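Review bot: `host = "0.0.0.0"` together with `openFirewall = true` publishes the atuin sync server on plain HTTP port 8888 on every interface, so session tokens (and the client-encrypted history blobs) travel unencrypted unless a TLS reverse proxy is the only path in; bind to `127.0.0.1` and drop `openFirewall` if caddy/nginx fronts it, or restrict the firewall rule to the VPN range. `RUST_LOG=debug` in `systemd.services.atuin` is a debugging setting moved into a shared default; debug output from an HTTP service tends to include request details, so `info` is the safer value to ship. `database.uri = "postgresql://atuin@127.0.0.1:5432/atuin"` carries no password and therefore depends on the `host all all 127.0.0.1/32 trust` line in `repack/postgresql.nix`; if that is tightened, this URI needs a password or a unix-socket path.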
@@ -0,0 +1,40 @@ +{ reIf, ... }: +reIf { + services.coredns = { + enable = true; + # package = pkgs.coredns.override { + # externalPlugins = [ + # { + # name = "alternate"; + # repo = "github.com/coredns/alternate"; + # version = "d2ebc97c57b7878dd269c9a8783c50622f23c6cf"; + # } + # ]; + # vendorHash = "sha256-hWmB7B3mdexfndUi5u/129PB/RqeHxMk+d2ExFPxOIQ="; + # }; + config = '' + .:53 { + forward . tls://223.6.6.6 { + tls_servername dns.alidns.com + expire 20s + max_fails 1 + policy sequential + health_check 1s + } + forward . tls://8.8.8.8 tls://8.8.4.4 { + tls_servername dns.google + expire 20s + max_fails 1 + policy sequential + health_check 1s + } + forward . tls://1.1.1.1 tls://1.0.0.1 { + expire 20s + max_fails 1 + policy sequential + health_check 1s + } + } + ''; + }; +} diff --git a/repack/dae.nix b/repack/dae.nix new file mode 100644 index 000000000..4dca745a5 --- /dev/null +++ b/repack/dae.nix @@ -0,0 +1,29 @@ +{ + pkgs, + config, + inputs, + reIf, + ... +}: +reIf { + services.dae = { + enable = true; + disableTxChecksumIpGeneric = false; + configFile = config.age.secrets.dae.path; + # package = pkgs.dae-unstable; + assetsPath = toString ( + pkgs.symlinkJoin { + name = "dae-assets-nixy"; + paths = [ + "${inputs.nixyDomains}/assets" + "${pkgs.v2ray-geoip}/share/v2ray" + ]; + } + ); + + openFirewall = { + enable = true; + port = 12345; + }; + }; +} diff --git a/repack/ddns-go.nix b/repack/ddns-go.nix new file mode 100644 index 000000000..eb7f52e26 --- /dev/null +++ b/repack/ddns-go.nix @@ -0,0 +1,6 @@ +{ reIf, ... }: +reIf { + services.ddns-go = { + enable = true; + }; +} diff --git a/repack/default.nix b/repack/default.nix new file mode 100644 index 000000000..7a41dd4d2 --- /dev/null +++ b/repack/default.nix 
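Review bot: The `.:53 { ... }` server block binds port 53 on every interface (there is no `bind` directive) and forwards any name, so a host that enables `repack.coredns` becomes an open recursive resolver unless the firewall drops external 53/udp and 53/tcp; add `bind <internal address>` to the block or a matching firewall rule. The `tls://1.1.1.1 tls://1.0.0.1` forward has no `tls_servername` while the other two forwards pin one; confirm that the upstream certificate is still verified for that block, otherwise follow the pattern of the first two with `tls_servername cloudflare-dns.com`.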
@@ -0,0 +1,29 @@ +{ + lib, + config, + pkgs, + ... +}@args: +let + repackNames = ( + map (lib.removeSuffix ".nix") ( + lib.attrNames (lib.filterAttrs (n: v: n != "default.nix") (builtins.readDir ./.)) + ) + ); + genReIf = name: lib.mkIf config.repack.${name}.enable; +in +{ + options.repack = lib.genAttrs repackNames (n: { + enable = lib.mkEnableOption "enable repacked ${n} module"; + }); + imports = map ( + n: + import ./${n}.nix ( + args + // { + inherit pkgs; + reIf = genReIf n; + } + ) + ) repackNames; +} diff --git a/repack/dnsproxy.nix b/repack/dnsproxy.nix new file mode 100644 index 000000000..9348f7e11 --- /dev/null +++ b/repack/dnsproxy.nix @@ -0,0 +1,26 @@ +{ reIf, ... }: +reIf { + services.dnsproxy = { + enable = true; + flags = [ + "--cache" + "--edns" + "--http3" + ]; + settings = { + bootstrap = [ + "119.29.29.29" + "tcp://223.6.6.6:53" + ]; + listen-addrs = [ "0.0.0.0" ]; + listen-ports = [ 53 ]; + upstream-mode = "parallel"; + upstream = [ + "quic://dns.alidns.com" + "1.1.1.1" + "h3://dns.alidns.com/dns-query" + "tls://dot.pub" + ]; + }; + }; +} diff --git a/repack/earlyoom.nix b/repack/earlyoom.nix new file mode 100644 index 000000000..c2611902c --- /dev/null +++ b/repack/earlyoom.nix @@ -0,0 +1,7 @@ +{ reIf, ... }: +reIf { + services.earlyoom = { + enable = true; + enableNotifications = true; + }; +} diff --git a/repack/fail2ban.nix b/repack/fail2ban.nix new file mode 100644 index 000000000..16331272a --- /dev/null +++ b/repack/fail2ban.nix @@ -0,0 +1,13 @@ +{ reIf, ... }: +reIf { + services.fail2ban = { + enable = true; + maxretry = 5; + ignoreIP = [ + "127.0.0.0/8" + "10.0.0.0/16" + "172.16.0.0/12" + "192.168.0.0/16" + ]; + }; +} diff --git a/repack/garage.nix b/repack/garage.nix new file mode 100644 index 000000000..f17bcc418 --- /dev/null +++ b/repack/garage.nix 
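Review bot: `repackNames` is derived from every entry of `builtins.readDir ./.` except `default.nix`, so any non-`.nix` file or subdirectory that lands in `repack/` (an editor backup, a README) becomes a name that `import ./${n}.nix` then fails to find, because `lib.removeSuffix ".nix"` leaves such names untouched; restrict the list to regular `.nix` files with `lib.filterAttrs (n: v: v == "regular" && lib.hasSuffix ".nix" n && n != "default.nix")`. Note also that `genReIf` wraps a module's entire return value in `lib.mkIf`, which only works for modules that return a plain config set; `caddy.nix` (renamed in this change) declares `options`, so it must not use `reIf`, and a comment on `genReIf` saying so would stop the next module author from tripping over it.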
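Review bot: `listen-addrs = [ "0.0.0.0" ]` with `listen-ports = [ 53 ]` makes every host that enables `repack.dnsproxy` a recursive resolver for any source address, and nothing in this module restricts clients or interfaces; for a default shared by public hosts (nodens, abhoth) a loopback/VPN bind, or a `networking.firewall` rule limited to the internal ranges, should live next to this setting. The hosts that override this with `lib.mkForce` repeat the `0.0.0.0` bind, so tightening it here has to be mirrored in `hosts/abhoth/spec.nix` and `hosts/nodens/spec.nix`.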
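Review bot: `ignoreIP` exempts the whole of `172.16.0.0/12` and `192.168.0.0/16` in a module shared by VPS hosts; on providers whose private network is shared between tenants that exempts other customers' machines from being banned, so the list should only contain the ranges these hosts actually use (the `10.0.0.0/16` entry is already scoped that way). No `bantime` or `bantime-increment` is configured, so the module default applies to a set of hosts that all expose SSH; `bantime-increment.enable = true;` makes repeat offenders progressively more expensive.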
@@ -0,0 +1,31 @@
+{
+ reIf,
+ pkgs,
+ config,
+ ...
+}:
+reIf {
+ services.garage = {
+ enable = true;
+ environmentFile = config.age.secrets.garage.path;
+ package = pkgs.garage;
+ settings = {
+ replication_factor = 1;
+ db_engine = "lmdb";
+ rpc_bind_addr = "[::]:3901";
+ rpc_public_addr = "127.0.0.1:3901";
+ s3_api = {
+ s3_region = "garage";
+ api_bind_addr = "[::]:3900";
+ root_domain = ".s3.garage.localhost";
+ };
+ s3_web = {
+ bind_addr = "[::]:3902";
+ root_domain = ".web.garage.localhost";
+ index = "index.html";
+ };
+ k2v_api.api_bind_addr = "[::]:3904";
+ admin.api_bind_addr = "[::]:3903";
+ };
+ };
+}
diff --git a/repack/grafana.nix b/repack/grafana.nix
new file mode 100644
index 000000000..0f45ac3b9
--- /dev/null
+++ b/repack/grafana.nix
@@ -0,0 +1,15 @@
+{ reIf, config, ... }:
+reIf {
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ http_addr = "0.0.0.0";
+ http_port = 3002;
+ domain = config.networking.fqdn;
+ root_url = "https://${config.networking.fqdn}/grafana";
+ serve_from_sub_path = true;
+ };
+ };
+ };
+}
diff --git a/repack/matrix-conduit.nix b/repack/matrix-conduit.nix
new file mode 100644
index 000000000..aae5f08ea
--- /dev/null
+++ b/repack/matrix-conduit.nix
@@ -0,0 +1,21 @@
+{
+ reIf,
+ inputs,
+ pkgs,
+ ...
+}:
+reIf {
+ services.matrix-conduit = {
+ enable = true;
+
+ package = inputs.conduit.packages.${pkgs.system}.default;
+
+ settings.global = {
+ server_name = "nyaw.xyz";
+ database_backend = "rocksdb";
+ port = 6167;
+ address = "0.0.0.0";
+ # allow_registration = true;
+ };
+ };
+}
diff --git a/repack/matrix-sliding-sync.nix b/repack/matrix-sliding-sync.nix
new file mode 100644
index 000000000..4282e9a72
--- /dev/null
+++ b/repack/matrix-sliding-sync.nix
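Review bot: `admin.api_bind_addr = "[::]:3903"` (and likewise `k2v_api` and `rpc_bind_addr`) bind to all interfaces, so the admin API, which can mint keys and buckets, is reachable from every network the host sits on, gated only by the admin token in `environmentFile`. With `replication_factor = 1` and `rpc_public_addr = "127.0.0.1:3901"` this is a single node that never talks to peers, so `rpc_bind_addr = "127.0.0.1:3901";` and `admin.api_bind_addr = "127.0.0.1:3903";` lose nothing. The S3 API on `[::]:3900` is presumably what hastur reaches as `http://10.0.1.3:3900` in `hosts/hastur/restic.nix`, so it needs the VPN address rather than a wildcard, or a firewall rule scoped to that peer.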
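Review bot: `http_addr = "0.0.0.0"` with `root_url = "https://${config.networking.fqdn}/grafana"` and `serve_from_sub_path = true` shows grafana is meant to be reached through a TLS proxy, yet it also listens directly on plain HTTP :3002 on every interface, so logins can bypass the proxy and TLS. `repack/prometheus.nix` in this same change uses `listenAddress = "127.0.0.1"` for the equivalent case and grafana should match: `http_addr = "127.0.0.1";`. The same consideration applies to `address = "0.0.0.0"` in the `matrix-conduit` hunk below, though federation may justify it there.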
@@ -0,0 +1,13 @@ +{ config, reIf, ... }: +reIf { + systemd.services.matrix-sliding-sync.serviceConfig.RuntimeDirectory = [ "matrix-sliding-sync" ]; + services.matrix-sliding-sync = { + enable = true; + environmentFile = config.age.secrets.syncv3.path; + settings = { + SYNCV3_SERVER = "https://matrix.nyaw.xyz"; + SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock"; + SYNCV3_LOG_LEVEL = "info"; + }; + }; +} diff --git a/repack/meilisearch.nix b/repack/meilisearch.nix new file mode 100644 index 000000000..3dacc5969 --- /dev/null +++ b/repack/meilisearch.nix @@ -0,0 +1,9 @@ +{ reIf, config, ... }: +reIf { + services.meilisearch = { + enable = true; + listenAddress = "0.0.0.0"; + environment = "production"; + masterKeyEnvironmentFile = config.age.secrets.meilisearch.path; + }; +} diff --git a/hosts/hastur/misskey.nix b/repack/misskey.nix similarity index 96% rename from hosts/hastur/misskey.nix rename to repack/misskey.nix index 57f4064b2..9324b565a 100644 --- a/hosts/hastur/misskey.nix +++ b/repack/misskey.nix @@ -1,5 +1,10 @@ -{ config, pkgs, ... }: { + reIf, + config, + pkgs, + ... +}: +reIf { services.redis.servers.misskey = { enable = true; port = 6379; diff --git a/repack/mosdns.nix b/repack/mosdns.nix new file mode 100644 index 000000000..dc7c0c0b5 --- /dev/null +++ b/repack/mosdns.nix 
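Review bot: `listenAddress = "0.0.0.0"` exposes Meilisearch on all interfaces; `environment = "production"` with `masterKeyEnvironmentFile` does require a key on every route, but the only consumer visible in this change is misskey on the same host (hastur enables `repack.misskey` and `repack.meilisearch` together), so `listenAddress = "127.0.0.1";` removes the exposure without losing anything. If a remote consumer exists, a firewall rule scoped to it is preferable to the wildcard bind.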
@@ -0,0 +1,192 @@ +{ + reIf, + inputs, + config, + ... +}: +reIf { + services.mosdns = { + enable = true; + config = { + log = { + level = "debug"; + production = false; + }; + api.http = "localhost:9092"; + plugins = + let + src = "${inputs.nixyDomains}/assets"; + in + [ + { + args = { + files = [ "${src}/accelerated-domains.china.txt" ]; + }; + tag = "direct_domain"; + type = "domain_set"; + } + { + args = { + files = [ "${src}/all_cn.txt" ]; + }; + tag = "direct_ip"; + type = "ip_set"; + } + { + args = { + dump_file = "./cache.dump"; + lazy_cache_ttl = 86400; + size = 65536; + dump_interval = 600; + }; + tag = "cache"; + type = "cache"; + } + { + args = { + concurrent = 2; + upstreams = [ + { addr = "https://1.0.0.1/dns-query"; } + { + addr = "tls://8.8.4.4:853"; + enable_pipeline = true; + } + ]; + }; + tag = "remote_forward"; + type = "forward"; + } + { + args = { + concurrent = 2; + upstreams = [ + { + addr = "quic://dns.alidns.com"; + dial_addr = "223.6.6.6"; + } + { + addr = "tls://dot.pub"; + dial_addr = "1.12.12.12"; + enable_pipeline = true; + } + ]; + }; + tag = "local_forward"; + type = "forward"; + } + { + args = { + concurrent = 2; + upstreams = [ { addr = "udp://192.168.1.1"; } ]; + }; + tag = "local_domain_forward"; + type = "forward"; + } + { + args = [ + { exec = "ttl 600-3600"; } + { exec = "accept"; } + ]; + tag = "ttl_sequence"; + type = "sequence"; + } + { + args = [ + { exec = "query_summary local_forward"; } + { exec = "$local_forward"; } + { exec = "goto ttl_sequence"; } + ]; + tag = "local_sequence"; + type = "sequence"; + } + { + args = [ + { exec = "query_summary local_area"; } + { exec = "$local_domain_forward"; } + { exec = "goto ttl_sequence"; } + ]; + tag = "local_area"; + type = "sequence"; + } + { + args = [ + { exec = "query_summary remote_forward"; } + { exec = "$remote_forward"; } + { + exec = "goto local_sequence"; + matches = "resp_ip $direct_ip"; + } + { exec = "goto ttl_sequence"; } + ]; + tag = "remote_sequence"; + type = 
"sequence"; + } + { + args = { + always_standby = false; + primary = "remote_sequence"; + secondary = "local_sequence"; + threshold = 500; + }; + tag = "final"; + type = "fallback"; + } + { + args = [ + { exec = "prefer_ipv4"; } + { exec = "$cache"; } + { + exec = "accept"; + matches = "has_resp"; + } + { + exec = "$local_domain_forward"; + matches = "qname ${ + with builtins; + (concatStringsSep " " (map (n: "full:" + n + ".") (attrNames inputs.self.nixosConfigurations))) + }"; + } + { + exec = "accept"; + matches = "has_resp"; + } + { + exec = "goto local_sequence"; + matches = "qname $direct_domain"; + } + { exec = "$final"; } + ]; + tag = "main_sequence"; + type = "sequence"; + } + { + args = { + entry = "main_sequence"; + listen = ":53"; + }; + tag = "udp_server"; + type = "udp_server"; + } + { + args = { + entry = "main_sequence"; + listen = ":53"; + }; + tag = "tcp_server"; + type = "tcp_server"; + } + { + tag = "quic_server"; + type = "quic_server"; + args = { + entry = "main_sequence"; + listen = "127.0.0.1:853"; + cert = config.age.secrets."nyaw.cert".path; + key = config.age.secrets."nyaw.key".path; + idle_timeout = 30; + }; + } + ]; + }; + }; +} diff --git a/repack/mosproxy.nix b/repack/mosproxy.nix new file mode 100644 index 000000000..da5320ff7 --- /dev/null +++ b/repack/mosproxy.nix 
@@ -0,0 +1,68 @@ +{ reIf, ... }: +let + redisPort = 6380; +in +reIf { + services.mosproxy = { + enable = true; + inherit redisPort; + config = { + cache = { + maximum_ttl = 3600; + mem_size = 1048576; + redis = "unix:///run/redis-mosproxy/redis.sock"; + }; + api = { + addr = "127.0.0.1:9092"; + }; + ecs = { + enabled = true; + }; + log = { + queries = true; + }; + + rules = [ + { + forward = "ali"; + reject = 0; + } + { + forward = "dot"; + reject = 0; + } + ]; + servers = [ + { + listen = ":53"; + protocol = "udp"; + quic = { + max_streams = 100; + }; + udp = { + multi_routes = false; + }; + } + { + listen = ":53"; + protocol = "gnet"; + tcp = { + max_concurrent_queries = 100; + }; + } + ]; + upstreams = [ + { + addr = "quic://dns.alidns.com"; + dial_addr = "223.6.6.6"; + tag = "ali"; + } + { + addr = "tls+pipeline://dot.pub"; + dial_addr = "1.12.12.12"; + tag = "dot"; + } + ]; + }; + }; +} diff --git a/repack/mysql.nix b/repack/mysql.nix new file mode 100644 index 000000000..5935d5554 --- /dev/null +++ b/repack/mysql.nix @@ -0,0 +1,23 @@ +{ reIf, pkgs, ... }: +reIf { + services.mysql = { + enable = true; + package = pkgs.mariadb_1011; + dataDir = "/var/lib/mysql"; + ensureDatabases = [ "photoprism" ]; + ensureUsers = [ + { + name = "riro"; + ensurePermissions = { + "*.*" = "ALL PRIVILEGES"; + }; + } + { + name = "photoprism"; + ensurePermissions = { + "photoprism.*" = "ALL PRIVILEGES"; + }; + } + ]; + }; +} diff --git a/repack/nginx.nix b/repack/nginx.nix new file mode 100644 index 000000000..6295416c8 --- /dev/null +++ b/repack/nginx.nix 
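Review bot: Both `servers` entries use `listen = ":53"`, so mosproxy answers any source on every interface while the `rules` forward everything (`reject = 0`), i.e. an open resolver unless the firewall limits 53; bind to loopback or the VPN address the way `api.addr = "127.0.0.1:9092"` already does. `log.queries = true` records every client query, which is useful while debugging but should not be the shared default. `api.addr` also reuses port `9092`, the same port `repack/mosdns.nix` uses for its API, so enabling both on one host will conflict.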
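Review bot: `ensureUsers` grants `riro` `ALL PRIVILEGES` on `*.*`, a full-administrator account created on every host that enables `repack.mysql`; as far as I recall the NixOS `ensureUsers` option authenticates such accounts over the unix socket as the matching OS user, so this amounts to letting the local `riro` login administer every database, which should be deliberate and documented, e.g. `# riro: interactive DBA access over the unix socket only; no remote login`. If that user only needs photoprism, narrow it to `"photoprism.*" = "ALL PRIVILEGES"` like the second entry.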
@@ -0,0 +1,42 @@
+{ reIf, ... }:
+reIf {
+ services.nginx = {
+ enable = true;
+ clientMaxBodySize = "4G";
+ virtualHosts = {
+ "attic.nyaw.xyz" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/nyaw.cert";
+ sslCertificateKey = "/run/credentials/nginx.service/nyaw.key";
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:8083";
+ };
+ };
+ };
+
+ "s3.nyaw.xyz" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/nyaw.cert";
+ sslCertificateKey = "/run/credentials/nginx.service/nyaw.key";
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:9000";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_connect_timeout 300;
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ chunked_transfer_encoding off;
+ '';
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/repack/openssh.nix b/repack/openssh.nix
new file mode 100644
index 000000000..21a5db535
--- /dev/null
+++ b/repack/openssh.nix
@@ -0,0 +1,17 @@
+{ reIf, lib, ... }:
+reIf {
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = lib.mkForce false;
+ PermitRootLogin = lib.mkForce "prohibit-password";
+ UseDns = false;
+ X11Forwarding = false;
+ };
+ authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
+ extraConfig = ''
+ ClientAliveInterval 60
+ ClientAliveCountMax 720
+ '';
+ };
+}
diff --git a/repack/phantomsocks.nix b/repack/phantomsocks.nix
new file mode 100644
index 000000000..8da3ee25a
--- /dev/null
+++ b/repack/phantomsocks.nix
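Review bot: Both virtual hosts read their TLS material from `/run/credentials/nginx.service/nyaw.cert` and `nyaw.key`, paths that only exist when `systemd.services.nginx.serviceConfig.LoadCredential` is set; that line stays in `hosts/hastur/nginx.nix` (visible earlier in this diff) rather than in this shared module, so any other host that sets `repack.nginx.enable = true` gets an nginx that fails to start on missing certificate files. Move the credential next to the paths that depend on it, the way `repack/matrix-sliding-sync.nix` carries its `RuntimeDirectory`, e.g. `systemd.services.nginx.serviceConfig.LoadCredential = (map (lib.genCredPath config)) [ "nyaw.cert" "nyaw.key" ];` with `lib` and `config` added to the module arguments. `recommendedTlsSettings = true;` and `recommendedProxySettings = true;` would also replace the hand-written header block on the `s3.nyaw.xyz` location with the module-maintained set.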
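Review bot: `ClientAliveInterval 60` with `ClientAliveCountMax 720` keeps an unresponsive session open for twelve hours before the server drops it, which defeats the purpose of server-side keepalives on a daemon that is public on every host; `ClientAliveCountMax 3` is the conventional value, and sessions that must survive long idle periods should use client-side `ServerAliveInterval` instead. The rest of the hardening (`PasswordAuthentication` forced off, `PermitRootLogin prohibit-password`, `authorizedKeysFiles` forced to `/etc/ssh/authorized_keys.d/%u`) is sound, but forcing `authorizedKeysFiles` means a user's `~/.ssh/authorized_keys` is ignored, which deserves a comment so nobody debugs it later, e.g. `# only the system-managed keys directory is honoured; ~/.ssh/authorized_keys is ignored on purpose`.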
@@ -0,0 +1,84 @@ +{ reIf, pkgs, ... }: +reIf { + services.phantomsocks = { + enable = true; + settings = { + interfaces = [ + { + device = "wlan0"; + dns = "tcp://208.67.220.220:5353"; + hint = "mode2"; + name = "default"; + } + { + device = "wlan0"; + dns = "tcp://208.67.220.220:443"; + hint = "ipv6,w-seq,w-md5"; + name = "v6"; + } + { + device = "wlan0"; + dns = "tcp://208.67.220.220:443"; + hint = "df"; + name = "df"; + } + { + device = "wlan0"; + dns = "tcp://208.67.220.220:5353"; + hint = "http,ttl"; + name = "http"; + ttl = 15; + } + ]; + profiles = [ + (pkgs.writeText "default.conf" '' + [default] + google.com=108.177.111.90,108.177.126.90,108.177.127.90,108.177.97.100,142.250.1.90,142.250.112.90,142.250.13.90,142.250.142.90,142.250.145.90,142.250.148.90,142.250.149.90,142.250.152.90,142.250.153.90,142.250.158.90,142.250.176.64,142.250.176.95,142.250.178.160,142.250.178.186,142.250.180.167,142.250.193.216,142.250.27.90,142.251.0.90,142.251.1.90,142.251.111.90,142.251.112.90,142.251.117.90,142.251.12.90,142.251.120.90,142.251.160.90,142.251.161.90,142.251.162.90,142.251.166.90,142.251.167.90,142.251.169.90,142.251.170.90,142.251.18.90,172.217.218.90,172.253.117.90,172.253.63.90,192.178.49.10,192.178.49.174,192.178.49.178,192.178.49.213,192.178.49.24,192.178.50.32,192.178.50.43,192.178.50.64,192.178.50.85,216.239.32.40,64.233.189.191,74.125.137.90,74.125.196.113,142.251.42.228 + ajax.googleapis.com=[google.com] + .google.com=[google.com] + .google.com.hk=[google.com] + .googleusercontent.com=[google.com] + .ytimg.com=[google.com] + .youtube.com=[google.com] + youtube.com=[google.com] + .youtube-nocookie.com=[google.com] + youtu.be=[google.com] + .ggpht.com=[google.com] + .gstatic.com=[google.com] + .translate.goog=[google.com] + blogspot.com=[google.com] + .blogspot.com=[google.com] + blogger.com=[google.com] + .blogger.com=[google.com] + fonts.googleapis.com=120.253.250.225 + .googleapis.com=[google.com] + .googleusercontent.com=[google.com] + + [df] + 
.mega.nz + .mega.co.nz + .mega.io + mega.nz + mega.co.nz + mega.io + + # [v6] + # .googlevideo.com + + [http] + ocsp.int-x3.letsencrypt.org + captive.apple.com + neverssl.com + www.msftconnecttest.com + '') + ]; + services = [ + { + address = "127.0.0.1:1681"; + name = "socks"; + protocol = "socks"; + } + ]; + }; + }; +} diff --git a/repack/photoprism.nix b/repack/photoprism.nix new file mode 100644 index 000000000..1a8d0d30b --- /dev/null +++ b/repack/photoprism.nix @@ -0,0 +1,23 @@ +{ + reIf, + config, + user, + ... +}: +reIf { + services.photoprism = { + enable = true; + originalsPath = "/var/lib/private/photoprism/originals"; + address = "[::]"; + passwordFile = config.age.secrets.prism.path; + settings = { + PHOTOPRISM_ADMIN_USER = "${user}"; + PHOTOPRISM_DEFAULT_LOCALE = "en"; + PHOTOPRISM_DATABASE_NAME = "photoprism"; + PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; + PHOTOPRISM_DATABASE_USER = "photoprism"; + PHOTOPRISM_DATABASE_DRIVER = "mysql"; + }; + port = 20800; + }; +} diff --git a/repack/pleroma.nix b/repack/pleroma.nix new file mode 100644 index 000000000..3fa6fdb95 --- /dev/null +++ b/repack/pleroma.nix 
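Review bot: Every `interfaces` entry hard-codes `device = "wlan0"`, yet the module is now enabled on eihort and kaambl, and the hastur-specific `bond0` override was deleted in this same change, so on any host whose uplink is not `wlan0` the profiles presumably bind to a device that does not exist and the service silently does nothing useful; make the device a single binding (`let dev = "wlan0"; in` at the top) or, better, a `repack.phantomsocks.device` option that hosts override. The `dns = "tcp://208.67.220.220:5353"` and `:443` resolvers are plaintext TCP by design of the tool, but the large inline IP list for `google.com` is static data that will rot; a comment with the capture date and source would help whoever refreshes it.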
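Review bot: `address = "[::]"` on `port = 20800` serves PhotoPrism over plain HTTP on every interface, and `hosts/hastur/spec.nix` (context in this diff) appends `config.services.photoprism.port` to what looks like the firewall's allowed-port list, so the admin login for `${user}` with the password from `config.age.secrets.prism.path` would be submitted in clear unless a TLS proxy is the only external path; bind to `127.0.0.1` (or the VPN address) and proxy through caddy. `PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"` with user `photoprism` relies on the `ensureUsers` entry in `repack/mysql.nix`, so `repack.photoprism` effectively requires `repack.mysql` on the same host; an `assertions` entry or a comment stating that dependency would avoid a confusing startup failure.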
@@ -0,0 +1,46 @@ +{ reIf, ... }: +reIf { + services.pleroma = { + # bcz of hard 2 use + enable = false; + secretConfigFile = "/run/credentials/pleroma.service/config.exs"; + configs = [ + '' + # Pleroma instance configuration + + # NOTE: This file should not be committed to a repo or otherwise made public + # without removing sensitive information. + + import Config + + config :pleroma, Pleroma.Web.Endpoint, + url: [host: "nyaw.xyz", scheme: "https", port: 443], + http: [ip: {0, 0, 0, 0}, port: 3000] + + config :pleroma, :instance, + name: "nyaw.xyz", + email: "pleroma@oluceps.uk", + notify_email: "pleroma@oluceps.uk", + limit: 5000, + registrations_open: false + + config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + #base_url: "https://cache.pleroma.social" + + config :pleroma, :database, rum_enabled: false + config :pleroma, :instance, static_dir: "/var/lib/pleroma/static" + config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" + + # Enable Strict-Transport-Security once SSL is working: + # config :pleroma, :http_security, + # sts: true + + config :pleroma, configurable_from_database: true + + config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Dedupe] + '' + ]; + }; +} diff --git a/repack/postgresql.nix b/repack/postgresql.nix new file mode 100644 index 000000000..ce28a0873 --- /dev/null +++ b/repack/postgresql.nix 
@@ -0,0 +1,51 @@
+{ reIf, pkgs, ... }:
+reIf {
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_16_jit;
+ enableTCPIP = true;
+ settings = {
+ port = 5432;
+ max_connections = 100;
+ shared_buffers = "2GB";
+ effective_cache_size = "6GB";
+ maintenance_work_mem = "512MB";
+ checkpoint_completion_target = 0.9;
+ wal_buffers = "16MB";
+ default_statistics_target = 100;
+ random_page_cost = 1.1;
+ effective_io_concurrency = 200;
+ work_mem = "5242kB";
+ min_wal_size = "1GB";
+ max_wal_size = "4GB";
+ max_worker_processes = 4;
+ max_parallel_workers_per_gather = 2;
+ max_parallel_workers = 4;
+ max_parallel_maintenance_workers = 2;
+ };
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ local misskey misskey peer map=misskey
+
+ #type database DBuser origin-address auth-method
+ # ipv4
+ host all all 127.0.0.1/32 trust
+ host all all 10.0.1.1/24 trust
+ host all all 10.0.0.1/24 trust
+ # ipv6
+ host all all ::1/128 trust
+ '';
+
+ ensureDatabases = [ "misskey" ];
+ ensureUsers = [
+ {
+ name = "misskey";
+ ensureDBOwnership = true;
+ }
+ ];
+ identMap = ''
+ misskey misskey misskey
+ '';
+ };
+}
diff --git a/repack/prometheus.nix b/repack/prometheus.nix
new file mode 100644
index 000000000..1c61f2162
--- /dev/null
+++ b/repack/prometheus.nix
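Review bot: In `authentication`, `local all all trust` precedes `local misskey misskey peer map=misskey`; pg_hba.conf stops at the first matching record, so the peer line and the `identMap` below it are never consulted and every Unix-socket connection is accepted as any role without a credential. The `host all all 10.0.1.1/24 trust` and `10.0.0.1/24 trust` records, together with `enableTCPIP = true`, extend that to every host on both subnets, including as `postgres`; unless those networks are fully trusted I'd switch them to password auth, e.g. `host all all 10.0.1.0/24 scram-sha-256`, and write the prefixes in network form (`10.0.1.0/24`, `10.0.0.0/24`) so the intended range is unambiguous. If the map is meant to apply to misskey, its `local` line has to come before the catch-all `local all all` record.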
@@ -0,0 +1,184 @@
+{
+ reIf,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ targets = map (n: "${n}.nyaw.xyz") [
+ "nodens"
+ "abhoth" # single point
+ "kaambl"
+ "azasos"
+ "hastur"
+ ];
+ relabel_configs = [
+ {
+ source_labels = [ "__address__" ];
+ target_label = "__param_target";
+ }
+ {
+ source_labels = [ "__param_target" ];
+ target_label = "instance";
+ }
+ {
+ target_label = "__address__";
+ replacement =
+ with config.services.prometheus.exporters.blackbox;
+ "${listenAddress}:${toString port}";
+ }
+ ];
+
+in
+reIf {
+ systemd.services = {
+ alertmanager.serviceConfig.LoadCredential = [
+ "notifychan:${config.age.secrets.notifychan.path}"
+ ];
+ prometheus.serviceConfig.LoadCredential = (map (lib.genCredPath config)) [
+ "prom"
+ ];
+ };
+ services.prometheus = {
+ enable = true;
+ webExternalUrl = "https://${config.networking.fqdn}/prom";
+ listenAddress = "127.0.0.1";
+ webConfigFile = (pkgs.formats.yaml { }).generate "web.yaml" {
+ basic_auth_users = {
+ prometheus = "$2b$05$bKuO7ehC6wKR28/pfhJZOuNyQFUtF7FwhkPFLwcbCMhfLRNUV54vm";
+ };
+ };
+ port = 9090;
+ retentionTime = "7d";
+ globalConfig = {
+ scrape_interval = "1m";
+ evaluation_interval = "1m";
+ };
+ # prometheus not exit when credentials could not be load.
+ scrapeConfigs =
+ let
+ secPath = "/run/credentials/prometheus.service/prom";
+ in
+ [
+ {
+ job_name = "caddy";
+ scheme = "https";
+ basic_auth = {
+ username = "prometheus";
+ password_file = secPath;
+ };
+ metrics_path = "/caddy";
+ static_configs = [ { inherit targets; } ];
+ }
+ {
+ job_name = "metrics";
+ scheme = "https";
+ basic_auth = {
+ username = "prometheus";
+ password_file = secPath;
+ };
+ static_configs = [ { inherit targets; } ];
+ }
+ {
+ job_name = "http";
+ scheme = "http";
+ metrics_path = "/probe";
+ params = {
+ module = [ "http_2xx" ];
+ };
+ static_configs = [
+ {
+ targets = [
+ "https://nyaw.xyz"
+ "https://matrix.nyaw.xyz"
+ "https://pb.nyaw.xyz"
+ "https://vault.nyaw.xyz"
+ ];
+ }
+ ];
+ inherit relabel_configs;
+ }
+ # {
+ # job_name = "metrics-notls";
+ # scheme = "http";
+ # static_configs = [
+ # { targets = [ "10.0.2.1:9100" ]; }
+ # { targets = [ "10.0.2.2:9100" ]; }
+ # ];
+ # }
+ ];
+ rules = lib.singleton (
+ builtins.toJSON {
+ groups = [
+ {
+ name = "metrics";
+ rules = [
+ {
+ alert = "NodeDown";
+ expr = ''up == 0'';
+ }
+ {
+ alert = "OOM";
+ expr = ''node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes < 0.1'';
+ }
+ {
+ alert = "DiskFull";
+ expr = ''node_filesystem_avail_bytes{mountpoint=~"/persist"} / node_filesystem_size_bytes < 0.1'';
+ }
+ {
+ alert = "UnitFailed";
+ expr = ''node_systemd_unit_state{state="failed"} == 1'';
+ }
+ ];
+ }
+ ];
+ }
+ );
+ alertmanagers = [
+ {
+ path_prefix = "/alert";
+ static_configs = [
+ {
+ targets = (
+ let
+ cfg = config.services.prometheus;
+ in
+ [ "${cfg.alertmanager.listenAddress}:${builtins.toString cfg.alertmanager.port}" ]
+ );
+ }
+ ];
+ }
+ ];
+ alertmanager = {
+ enable = true;
+ webExternalUrl = "https://${config.networking.fqdn}/alert";
+ listenAddress = "127.0.0.1";
+ port = 9093;
+ logLevel = "info";
+ extraFlags = [ ''--cluster.listen-address=""'' ];
+ configuration = {
+ receivers = [
+ {
+ name = "telegram";
+ telegram_configs = [
+ {
+ bot_token_file = "/run/credentials/alertmanager.service/notifychan";
+ chat_id = -1002215131569;
+ http_config = {
+ proxy_url = "http://127.0.0.1:1900";
+ };
+ }
+ ];
+ }
+ ];
+ route = {
+ receiver = "telegram";
+ group_wait = "30s";
+ group_interval = "2m";
+ repeat_interval = "10m";
+ };
+ };
+ };
+ };
+}
diff --git a/repack/radicle.nix b/repack/radicle.nix
new file mode 100644
index 000000000..002bdcb3b
--- /dev/null
+++ b/repack/radicle.nix
@@ -0,0 +1,70 @@
+{
+ lib,
+ reIf,
+ config,
+ ...
+}:
+reIf {
+ services.radicle = {
+ enable = true;
+ httpd = {
+ enable = true;
+ listenPort = 8084;
+ listenAddress = "10.0.1.2";
+ };
+ node.openFirewall = true;
+ privateKeyFile = config.age.secrets.id.path;
+ publicKey = lib.data.keys.sshPubKey;
+ settings = {
+ cli = {
+ hints = true;
+ };
+ node = {
+ alias = "nodens";
+ connect = [ ];
+ externalAddresses = [ "seed.nyaw.xyz:8776" ];
+ limits = {
+ connection = {
+ inbound = 128;
+ outbound = 16;
+ };
+ fetchConcurrency = 1;
+ gossipMaxAge = 1209600;
+ maxOpenFiles = 4096;
+ rate = {
+ inbound = {
+ capacity = 32;
+ fillRate = 0.2;
+ };
+ outbound = {
+ capacity = 64;
+ fillRate = 1;
+ };
+ };
+ routingMaxAge = 604800;
+ routingMaxSize = 1000;
+ };
+ listen = [ ];
+ network = "main";
+ peers = {
+ target = 8;
+ type = "dynamic";
+ };
+ policy = "block";
+ relay = true;
+ scope = "all";
+ workers = 8;
+ };
+ preferredSeeds = [
+ "z6MkrLMMsiPWUcNPHcRajuMi9mDfYckSoJyPwwnknocNYPm7@seed.radicle.garden:8776"
+ "z6Mkmqogy2qEM2ummccUthFEaaHvyYmYBYh3dbe9W4ebScxo@ash.radicle.garden:8776"
+ ];
+ publicExplorer = "https://app.radicle.xyz/nodes/$host/$rid$path";
+ # web = {
+ # pinned = {
+ # repositories = [ "z2BAxuSMWoD3JujdWKCS3FoYEXE6V" ];
+ # };
+ # };
+ };
+ };
+}
diff --git a/repack/rustypaste.nix b/repack/rustypaste.nix
new file mode 100644
index 000000000..c36549c33
--- /dev/null
+++ b/repack/rustypaste.nix
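Review bot: The `basic_auth_users` entry in `webConfigFile` is a bcrypt hash with cost factor 05 (`$2b$05$…`), and because `pkgs.formats.yaml` renders web.yaml into the Nix store the hash is readable by every local user as well as by anyone holding the repository; at that cost offline guessing of the password is cheap. I'd regenerate it with a higher work factor (the Prometheus basic-auth guide generates its example with `htpasswd -nBC 12`) and, if the module accepts a non-store path for `webConfigFile`, deliver web.yaml through `LoadCredential` the way `prom` and `notifychan` already are in `systemd.services`. If this is also the password that `password_file = secPath` presents to the `caddy` and `metrics` targets, rotating it means updating both sides at once.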
@@ -0,0 +1,90 @@ +{ reIf, ... }: +reIf { + services.rustypaste = { + enable = true; + settings = { + config = { + refresh_rate = "3s"; + }; + landing_page = { + content_type = "text/plain; charset=utf-8"; + text = '' + |\__/,| (`\ + _.|o o |_ ) ) + -(((---(((-------- + Submit files via HTTP POST here: + curl -F 'file=@example.txt' + This will return the URL of the uploaded file nya. + The server administrator might remove any pastes that they do not personally + want to host. + If you are the server administrator and want to change this page, just go + into your config file and change it! If you change the expiry time, it is + recommended that you do. + By default, pastes expire every hour. The server admin may or may not have + changed this. + Check out the GitHub repository at https://github.com/orhun/rustypaste + Command line tool is available at https://github.com/orhun/rustypaste-cli + ''; + }; + paste = { + default_expiry = "128h"; + default_extension = "txt"; + delete_expired_files = { + enabled = true; + interval = "1h"; + }; + duplicate_files = true; + mime_blacklist = [ + "application/x-dosexec" + "application/java-archive" + "application/java-vm" + ]; + mime_override = [ + { + mime = "image/jpeg"; + regex = "^.*\\.jpg$"; + } + { + mime = "image/png"; + regex = "^.*\\.png$"; + } + { + mime = "image/svg+xml"; + regex = "^.*\\.svg$"; + } + { + mime = "video/webm"; + regex = "^.*\\.webm$"; + } + { + mime = "video/x-matroska"; + regex = "^.*\\.mkv$"; + } + { + mime = "application/octet-stream"; + regex = "^.*\\.bin$"; + } + { + mime = "text/plain"; + regex = "^.*\\.(log|txt|diff|sh|rs|toml)$"; + } + ]; + random_url = { + separator = "-"; + type = "petname"; + words = 2; + }; + }; + server = { + address = "127.0.0.1:3999"; + expose_list = false; + expose_version = false; + handle_spaces = "replace"; + max_content_length = "10MB"; + timeout = "30s"; + upload_path = "./upload"; + url = "https://pb.nyaw.xyz"; + }; + }; + }; +} 
diff --git a/repack/scrutiny.nix b/repack/scrutiny.nix
new file mode 100644
index 000000000..4325f02f0
--- /dev/null
+++ b/repack/scrutiny.nix
@@ -0,0 +1,23 @@
+{ reIf, ... }:
+reIf {
+ services.scrutiny = {
+ enable = true;
+ collector = {
+ enable = true;
+ settings.api.endpoint = "http://localhost:8080";
+ };
+
+ settings = {
+ web.listen = {
+ port = 8080;
+ host = "0.0.0.0";
+ };
+
+ openFirewall = true;
+
+ notify = {
+ urls = [ "ntfy://ntfy.nyaw.xyz/crit?auth=QmVhcmVyIHRrXzFkZTlmYXdic3g1NGFweWVmbDZ3OWFtOGg5Mmpn" ];
+ };
+ };
+ };
+}
diff --git a/repack/smartdns.nix b/repack/smartdns.nix
new file mode 100644
index 000000000..5e56f59ac
--- /dev/null
+++ b/repack/smartdns.nix
@@ -0,0 +1,15 @@
+{ reIf, ... }:
+reIf {
+ services.smartdns = {
+ enable = true;
+ config = ''
+ bind 127.0.0.1:53
+
+ server-quic 223.5.5.5 -bootstrap-dns -exclude-default-group
+ server-quic 223.5.5.5
+ server-quic 223.6.6.6
+ server tls://dot.pub
+ server tls://dns.google
+ '';
+ };
+}
diff --git a/repack/srs.nix b/repack/srs.nix
new file mode 100644
index 000000000..e092d9c9a
--- /dev/null
+++ b/repack/srs.nix
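Review bot: `notify.urls` carries an ntfy bearer token in its `auth=` query parameter as a plain string in the Nix expression, so it is in git history and, once the module renders `settings` to a config file, most likely in the world-readable Nix store; it should be treated as exposed and rotated, with the replacement read at runtime from an agenix secret (`config.age.secrets.<name>.path`, as the other repack modules do) instead of being written here. `openFirewall = true` sits inside `settings` (the braces close `web.listen`, then `settings`, then `services.scrutiny`), where it is not a `services.scrutiny` option; if `services.scrutiny.openFirewall` was intended it is one level too deep and is presumably just emitted into the YAML. Either way `web.listen.host = "0.0.0.0"` exposes the Scrutiny UI on every interface with no authentication configured in this file, so if the firewall is meant to be opened it should be fronted by a reverse proxy that adds some.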
@@ -0,0 +1,52 @@
+{ reIf, ... }:
+reIf {
+ services.srs = {
+ enable = true;
+ config = ''
+ # main config for srs.
+ # @see full.conf for detail config.
+
+ listen 1935;
+ max_connections 1000;
+ srs_log_tank console;
+ daemon off;
+ pid /run/srs.pid;
+
+ http_api {
+ enabled on;
+ listen 1985;
+ }
+ http_server {
+ enabled on;
+ listen 8083;
+ dir ./objs/nginx/html;
+ }
+ rtc_server {
+ enabled on;
+ listen 8000; # UDP port
+ # @see https://ossrs.net/lts/zh-cn/docs/v4/doc/webrtc#config-candidate
+ candidate $CANDIDATE;
+ }
+ vhost __defaultVhost__ {
+ hls {
+ enabled on;
+ }
+ http_remux {
+ enabled on;
+ mount [vhost]/[app]/[stream].flv;
+ }
+ rtc {
+ enabled on;
+ # @see https://ossrs.net/lts/zh-cn/docs/v4/doc/webrtc#rtmp-to-rtc
+ rtmp_to_rtc off;
+ # @see https://ossrs.net/lts/zh-cn/docs/v4/doc/webrtc#rtc-to-rtmp
+ rtc_to_rtmp off;
+ }
+
+ play{
+ gop_cache_max_frames 2500;
+ }
+ }
+ '';
+ };
+}
diff --git a/repack/trojan-server.nix b/repack/trojan-server.nix
new file mode 100644
index 000000000..26cdc01b4
--- /dev/null
+++ b/repack/trojan-server.nix
@@ -0,0 +1,13 @@
+{
+ reIf,
+ lib,
+ config,
+ ...
+}:
+reIf {
+ services.trojan-server.enable = true;
+ systemd.services.trojan-server.serviceConfig.LoadCredential = (map (lib.genCredPath config)) [
+ "nyaw.cert"
+ "nyaw.key"
+ ];
+}
diff --git a/repack/vaultwarden.nix b/repack/vaultwarden.nix
new file mode 100644
index 000000000..6ee7ae50e
--- /dev/null
+++ b/repack/vaultwarden.nix
@@ -0,0 +1,22 @@
+{
+ config,
+ reIf,
+ ...
+}:
+reIf {
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ config = {
+ signupsAllowed = false;
+ sendsAllowed = false;
+ emergencyAccessAllowed = false;
+ orgCreationUsers = "none";
+ domain = "https://vault.nyaw.xyz";
+ rocketAddress = "0.0.0.0";
+ rocketPort = 8003;
+ };
+ # backupDir = "/var/lib/bitwarden_rs/backup";
+ environmentFile = config.age.secrets.vault.path;
+ };
+}
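Review bot: `http_api { listen 1985; }` and `http_server { listen 8083; }` give a port only, which SRS binds on all addresses, and nothing in this config restricts who may call the API; if only a local reverse proxy needs them, `listen 127.0.0.1:1985;` (and the same for 8083) limits the exposure, otherwise a comment naming the firewall rule that covers them would help the next reader. `dir ./objs/nginx/html;` and `candidate $CANDIDATE;` depend on the service's working directory and environment, neither of which this file sets, so a comment stating where `CANDIDATE` is supplied from — or an `Environment=` entry beside this module — would make the unit self-describing.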
diff --git a/repack/xmrig.nix b/repack/xmrig.nix new file mode 100644 index 000000000..06f5594a7 --- /dev/null +++ b/repack/xmrig.nix @@ -0,0 +1,29 @@ +{ + reIf, + data, + config, + ... +}: +reIf { + services.xmrig = { + enable = true; + settings = { + autosave = true; + opencl = false; + cuda = false; + cpu = { + enable = true; + max-threads-hint = 85; + }; + pools = [ + { + url = "pool.supportxmr.com:443"; + user = data.xmrAddr; + keepalive = true; + tls = true; + pass = config.networking.hostName; + } + ]; + }; + }; +} diff --git a/srv/atticd.nix b/srv/atticd.nix deleted file mode 100644 index 1cee91a3e..000000000 --- a/srv/atticd.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ config, ... }: -{ - - enable = true; - - # Replace with absolute path to your credentials file - credentialsFile = config.age.secrets.attic.path; - - settings = { - listen = "[::]:8083"; - database.url = "postgresql://attic:attic@localhost:5432/attic"; - api-endpoint = "https://attic.nyaw.xyz/"; - storage = { - type = "s3"; - region = "ap-east-1"; - bucket = "attic"; - endpoint = "https://s3.nyaw.xyz"; - }; - - # Data chunking - # - # Warning: If you change any of the values here, it will be - # difficult to reuse existing chunks for newly-uploaded NARs - # since the cutpoints will be different. As a result, the - # deduplication ratio will suffer for a while after the change. - chunking = { - # The minimum NAR size to trigger chunking - # - # If 0, chunking is disabled entirely for newly-uploaded NARs. - # If 1, all NARs are chunked. - nar-size-threshold = 64 * 1024; # 64 KiB - - # The preferred minimum size of a chunk, in bytes - min-size = 16 * 1024; # 16 KiB - - # The preferred average size of a chunk, in bytes - avg-size = 64 * 1024; # 64 KiB - - # The preferred maximum size of a chunk, in bytes - max-size = 256 * 1024; # 256 KiB - }; - garbage-collection = { - interval = "1 days"; - default-retention-period = "7 days"; - }; - }; -} 
diff --git a/srv/atuin.nix b/srv/atuin.nix deleted file mode 100644 index 3dd473549..000000000 --- a/srv/atuin.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: -{ - enable = true; - host = "0.0.0.0"; - port = 8888; - openFirewall = true; - openRegistration = false; - maxHistoryLength = 65536; - database.uri = "postgresql://atuin@127.0.0.1:5432/atuin"; -} diff --git a/srv/coredns.nix b/srv/coredns.nix deleted file mode 100644 index fd1f46687..000000000 --- a/srv/coredns.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ pkgs, ... }: -{ - enable = true; - # package = pkgs.coredns.override { - # externalPlugins = [ - # { - # name = "alternate"; - # repo = "github.com/coredns/alternate"; - # version = "d2ebc97c57b7878dd269c9a8783c50622f23c6cf"; - # } - # ]; - # vendorHash = "sha256-hWmB7B3mdexfndUi5u/129PB/RqeHxMk+d2ExFPxOIQ="; - # }; - config = '' - .:53 { - forward . tls://223.6.6.6 { - tls_servername dns.alidns.com - expire 20s - max_fails 1 - policy sequential - health_check 1s - } - forward . tls://8.8.8.8 tls://8.8.4.4 { - tls_servername dns.google - expire 20s - max_fails 1 - policy sequential - health_check 1s - } - forward . tls://1.1.1.1 tls://1.0.0.1 { - expire 20s - max_fails 1 - policy sequential - health_check 1s - } - } - ''; -} diff --git a/srv/dae.nix b/srv/dae.nix deleted file mode 100644 index 79da90158..000000000 --- a/srv/dae.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - pkgs, - config, - inputs, - ... -}: -{ - enable = true; - disableTxChecksumIpGeneric = false; - configFile = config.age.secrets.dae.path; - # package = pkgs.dae-unstable; - assetsPath = toString ( - pkgs.symlinkJoin { - name = "dae-assets-nixy"; - paths = [ - "${inputs.nixyDomains}/assets" - "${pkgs.v2ray-geoip}/share/v2ray" - ]; - } - ); - - openFirewall = { - enable = true; - port = 12345; - }; -} diff --git a/srv/ddns-go.nix b/srv/ddns-go.nix deleted file mode 100644 index cb27de110..000000000 --- a/srv/ddns-go.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ inputs, config, ... }: -{ - enable = true; -} 
diff --git a/srv/default.nix b/srv/default.nix deleted file mode 100644 index 4e2b1edeb..000000000 --- a/srv/default.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ lib, pkgs, ... }@args: - -let - inherit (lib) - types - subtractLists - removeSuffix - filter - genAttrs - mkEnableOption - mkOption - mkIf - ; - - inherit (types) lazyAttrsOf unspecified; - - allSrvPath = (subtractLists [ "default.nix" ] (with builtins; attrNames (readDir ./.))); - - allSrvName = map (removeSuffix ".nix") allSrvPath; - - existSrvName = filter (n: args.config.services ? ${n}) allSrvName; -in -{ - options.srv = genAttrs allSrvName (sn: { - enable = mkEnableOption "${sn} service"; - override = mkOption { - type = lazyAttrsOf unspecified; - default = { }; - }; - }); - - config.services = genAttrs existSrvName ( - n: - ( - let - perSrv = args.config.srv.${n}; - in - (mkIf (perSrv.enable) ((removeAttrs (import ./${n}.nix args) [ "attach" ]) // perSrv.override)) - ) - ); -} diff --git a/srv/dnsproxy.nix b/srv/dnsproxy.nix deleted file mode 100644 index b2d60204b..000000000 --- a/srv/dnsproxy.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ ... }: -{ - enable = true; - flags = [ - "--cache" - "--edns" - "--http3" - ]; - settings = { - bootstrap = [ - "119.29.29.29" - "tcp://223.6.6.6:53" - ]; - listen-addrs = [ "0.0.0.0" ]; - listen-ports = [ 53 ]; - upstream-mode = "parallel"; - upstream = [ - "quic://dns.alidns.com" - "1.1.1.1" - "h3://dns.alidns.com/dns-query" - "tls://dot.pub" - ]; - }; -} diff --git a/srv/earlyoom.nix b/srv/earlyoom.nix deleted file mode 100644 index 137e5190e..000000000 --- a/srv/earlyoom.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ lib, ... }: -{ - enable = true; - enableNotifications = true; -} diff --git a/srv/fail2ban.nix b/srv/fail2ban.nix deleted file mode 100644 index 4759287b0..000000000 --- a/srv/fail2ban.nix +++ /dev/null 
@@ -1,11 +0,0 @@ -_: { - enable = true; - maxretry = 5; - ignoreIP = [ - "127.0.0.0/8" - "10.0.0.0/16" - "172.16.0.0/12" - "192.168.0.0/16" - ]; - attach.services.nginx.enable = true; -} diff --git a/srv/garage.nix b/srv/garage.nix deleted file mode 100644 index 3e3c97e08..000000000 --- a/srv/garage.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, config, ... }: -{ - enable = true; - environmentFile = config.age.secrets.garage.path; - package = pkgs.garage; - settings = { - replication_factor = 1; - db_engine = "lmdb"; - rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "127.0.0.1:3901"; - s3_api = { - s3_region = "garage"; - api_bind_addr = "[::]:3900"; - root_domain = ".s3.garage.localhost"; - }; - s3_web = { - bind_addr = "[::]:3902"; - root_domain = ".web.garage.localhost"; - index = "index.html"; - }; - k2v_api.api_bind_addr = "[::]:3904"; - admin.api_bind_addr = "[::]:3903"; - }; -} diff --git a/srv/grafana.nix b/srv/grafana.nix deleted file mode 100644 index 807dc6fbe..000000000 --- a/srv/grafana.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ pkgs, config, ... }: -{ - enable = true; - settings = { - server = { - http_addr = "0.0.0.0"; - http_port = 3002; - domain = config.networking.fqdn; - root_url = "https://${config.networking.fqdn}/grafana"; - serve_from_sub_path = true; - }; - }; -} diff --git a/srv/matrix-conduit.nix b/srv/matrix-conduit.nix deleted file mode 100644 index 58d20c4c6..000000000 --- a/srv/matrix-conduit.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ inputs, pkgs, ... }: -{ - enable = true; - - package = inputs.conduit.packages.${pkgs.system}.default; - - settings.global = { - server_name = "nyaw.xyz"; - database_backend = "rocksdb"; - port = 6167; - address = "0.0.0.0"; - # allow_registration = true; - }; -} diff --git a/srv/matrix-sliding-sync.nix b/srv/matrix-sliding-sync.nix deleted file mode 100644 index 022e42261..000000000 --- a/srv/matrix-sliding-sync.nix +++ /dev/null 
@@ -1,10 +0,0 @@ -{ config, pkgs, ... }: -{ - enable = true; - environmentFile = config.age.secrets.syncv3.path; - settings = { - SYNCV3_SERVER = "https://matrix.nyaw.xyz"; - SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock"; - SYNCV3_LOG_LEVEL = "info"; - }; -} diff --git a/srv/meilisearch.nix b/srv/meilisearch.nix deleted file mode 100644 index 76bf6f662..000000000 --- a/srv/meilisearch.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, config, ... }: -{ - enable = true; - listenAddress = "0.0.0.0"; - environment = "production"; - masterKeyEnvironmentFile = config.age.secrets.meilisearch.path; -} diff --git a/srv/mosdns.nix b/srv/mosdns.nix deleted file mode 100644 index 5b2c38f0d..000000000 --- a/srv/mosdns.nix +++ /dev/null 
@@ -1,185 +0,0 @@ -{ inputs, config, ... }: -{ - enable = true; - config = { - log = { - level = "debug"; - production = false; - }; - api.http = "localhost:9092"; - plugins = - let - src = "${inputs.nixyDomains}/assets"; - in - [ - { - args = { - files = [ "${src}/accelerated-domains.china.txt" ]; - }; - tag = "direct_domain"; - type = "domain_set"; - } - { - args = { - files = [ "${src}/all_cn.txt" ]; - }; - tag = "direct_ip"; - type = "ip_set"; - } - { - args = { - dump_file = "./cache.dump"; - lazy_cache_ttl = 86400; - size = 65536; - dump_interval = 600; - }; - tag = "cache"; - type = "cache"; - } - { - args = { - concurrent = 2; - upstreams = [ - { addr = "https://1.0.0.1/dns-query"; } - { - addr = "tls://8.8.4.4:853"; - enable_pipeline = true; - } - ]; - }; - tag = "remote_forward"; - type = "forward"; - } - { - args = { - concurrent = 2; - upstreams = [ - { - addr = "quic://dns.alidns.com"; - dial_addr = "223.6.6.6"; - } - { - addr = "tls://dot.pub"; - dial_addr = "1.12.12.12"; - enable_pipeline = true; - } - ]; - }; - tag = "local_forward"; - type = "forward"; - } - { - args = { - concurrent = 2; - upstreams = [ { addr = "udp://192.168.1.1"; } ]; - }; - tag = "local_domain_forward"; - type = "forward"; - } - { - args = [ - { exec = "ttl 600-3600"; } - { exec = "accept"; } - ]; - tag = "ttl_sequence"; - type = "sequence"; - } - { - args = [ - { exec = "query_summary local_forward"; } - { exec = "$local_forward"; } - { exec = "goto ttl_sequence"; } - ]; - tag = "local_sequence"; - type = "sequence"; - } - { - args = [ - { exec = "query_summary local_area"; } - { exec = "$local_domain_forward"; } - { exec = "goto ttl_sequence"; } - ]; - tag = "local_area"; - type = "sequence"; - } - { - args = [ - { exec = "query_summary remote_forward"; } - { exec = "$remote_forward"; } - { - exec = "goto local_sequence"; - matches = "resp_ip $direct_ip"; - } - { exec = "goto ttl_sequence"; } - ]; - tag = "remote_sequence"; - type = "sequence"; - } - { - args = { - 
always_standby = false; - primary = "remote_sequence"; - secondary = "local_sequence"; - threshold = 500; - }; - tag = "final"; - type = "fallback"; - } - { - args = [ - { exec = "prefer_ipv4"; } - { exec = "$cache"; } - { - exec = "accept"; - matches = "has_resp"; - } - { - exec = "$local_domain_forward"; - matches = "qname ${ - with builtins; - (concatStringsSep " " (map (n: "full:" + n + ".") (attrNames inputs.self.nixosConfigurations))) - }"; - } - { - exec = "accept"; - matches = "has_resp"; - } - { - exec = "goto local_sequence"; - matches = "qname $direct_domain"; - } - { exec = "$final"; } - ]; - tag = "main_sequence"; - type = "sequence"; - } - { - args = { - entry = "main_sequence"; - listen = ":53"; - }; - tag = "udp_server"; - type = "udp_server"; - } - { - args = { - entry = "main_sequence"; - listen = ":53"; - }; - tag = "tcp_server"; - type = "tcp_server"; - } - { - tag = "quic_server"; - type = "quic_server"; - args = { - entry = "main_sequence"; - listen = "127.0.0.1:853"; - cert = config.age.secrets."nyaw.cert".path; - key = config.age.secrets."nyaw.key".path; - idle_timeout = 30; - }; - } - ]; - }; -} diff --git a/srv/mosproxy.nix b/srv/mosproxy.nix deleted file mode 100644 index c66c14d8e..000000000 --- a/srv/mosproxy.nix +++ /dev/null 
@@ -1,66 +0,0 @@ -{ ... }: -let - redisPort = 6380; -in -{ - enable = true; - inherit redisPort; - config = { - cache = { - maximum_ttl = 3600; - mem_size = 1048576; - redis = "unix:///run/redis-mosproxy/redis.sock"; - }; - api = { - addr = "127.0.0.1:9092"; - }; - ecs = { - enabled = true; - }; - log = { - queries = true; - }; - - rules = [ - { - forward = "ali"; - reject = 0; - } - { - forward = "dot"; - reject = 0; - } - ]; - servers = [ - { - listen = ":53"; - protocol = "udp"; - quic = { - max_streams = 100; - }; - udp = { - multi_routes = false; - }; - } - { - listen = ":53"; - protocol = "gnet"; - tcp = { - max_concurrent_queries = 100; - }; - } - ]; - upstreams = [ - { - addr = "quic://dns.alidns.com"; - dial_addr = "223.6.6.6"; - tag = "ali"; - } - { - addr = "tls+pipeline://dot.pub"; - dial_addr = "1.12.12.12"; - tag = "dot"; - } - ]; - }; -} diff --git a/srv/mysql.nix b/srv/mysql.nix deleted file mode 100644 index 96166f01e..000000000 --- a/srv/mysql.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ pkgs, ... }: -{ - enable = true; - package = pkgs.mariadb_1011; - dataDir = "/var/lib/mysql"; - ensureDatabases = [ "photoprism" ]; - ensureUsers = [ - { - name = "riro"; - ensurePermissions = { - "*.*" = "ALL PRIVILEGES"; - }; - } - { - name = "photoprism"; - ensurePermissions = { - "photoprism.*" = "ALL PRIVILEGES"; - }; - } - ]; -} diff --git a/srv/nginx.nix b/srv/nginx.nix deleted file mode 100644 index 2a2b8f13a..000000000 --- a/srv/nginx.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ ... }: -{ - enable = true; - clientMaxBodySize = "4G"; - virtualHosts = { - "attic.nyaw.xyz" = { - forceSSL = true; - sslCertificate = "/run/credentials/nginx.service/nyaw.cert"; - sslCertificateKey = "/run/credentials/nginx.service/nyaw.key"; - locations = { - "/" = { - proxyPass = "http://localhost:8083"; - }; - }; - }; - - "s3.nyaw.xyz" = { - forceSSL = true; - sslCertificate = "/run/credentials/nginx.service/nyaw.cert"; - sslCertificateKey = "/run/credentials/nginx.service/nyaw.key"; - locations = { - "/" = { - proxyPass = "http://localhost:9000"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_connect_timeout 300; - # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 - proxy_http_version 1.1; - proxy_set_header Connection ""; - chunked_transfer_encoding off; - ''; - }; - }; - }; - }; -} diff --git a/srv/openssh.nix b/srv/openssh.nix deleted file mode 100644 index 69764deb9..000000000 --- a/srv/openssh.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ lib, ... }: -{ - enable = true; - settings = { - PasswordAuthentication = lib.mkForce false; - PermitRootLogin = lib.mkForce "prohibit-password"; - UseDns = false; - X11Forwarding = false; - }; - authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ]; - extraConfig = '' - ClientAliveInterval 60 - ClientAliveCountMax 720 - ''; -} diff --git a/srv/phantomsocks.nix b/srv/phantomsocks.nix deleted file mode 100644 index 1730f9859..000000000 --- a/srv/phantomsocks.nix +++ /dev/null 
@@ -1,82 +0,0 @@ -{ pkgs, ... }: -{ - enable = true; - settings = { - interfaces = [ - { - device = "wlan0"; - dns = "tcp://208.67.220.220:5353"; - hint = "mode2"; - name = "default"; - } - { - device = "wlan0"; - dns = "tcp://208.67.220.220:443"; - hint = "ipv6,w-seq,w-md5"; - name = "v6"; - } - { - device = "wlan0"; - dns = "tcp://208.67.220.220:443"; - hint = "df"; - name = "df"; - } - { - device = "wlan0"; - dns = "tcp://208.67.220.220:5353"; - hint = "http,ttl"; - name = "http"; - ttl = 15; - } - ]; - profiles = [ - (pkgs.writeText "default.conf" '' - [default] - google.com=108.177.111.90,108.177.126.90,108.177.127.90,108.177.97.100,142.250.1.90,142.250.112.90,142.250.13.90,142.250.142.90,142.250.145.90,142.250.148.90,142.250.149.90,142.250.152.90,142.250.153.90,142.250.158.90,142.250.176.64,142.250.176.95,142.250.178.160,142.250.178.186,142.250.180.167,142.250.193.216,142.250.27.90,142.251.0.90,142.251.1.90,142.251.111.90,142.251.112.90,142.251.117.90,142.251.12.90,142.251.120.90,142.251.160.90,142.251.161.90,142.251.162.90,142.251.166.90,142.251.167.90,142.251.169.90,142.251.170.90,142.251.18.90,172.217.218.90,172.253.117.90,172.253.63.90,192.178.49.10,192.178.49.174,192.178.49.178,192.178.49.213,192.178.49.24,192.178.50.32,192.178.50.43,192.178.50.64,192.178.50.85,216.239.32.40,64.233.189.191,74.125.137.90,74.125.196.113,142.251.42.228 - ajax.googleapis.com=[google.com] - .google.com=[google.com] - .google.com.hk=[google.com] - .googleusercontent.com=[google.com] - .ytimg.com=[google.com] - .youtube.com=[google.com] - youtube.com=[google.com] - .youtube-nocookie.com=[google.com] - youtu.be=[google.com] - .ggpht.com=[google.com] - .gstatic.com=[google.com] - .translate.goog=[google.com] - blogspot.com=[google.com] - .blogspot.com=[google.com] - blogger.com=[google.com] - .blogger.com=[google.com] - fonts.googleapis.com=120.253.250.225 - .googleapis.com=[google.com] - .googleusercontent.com=[google.com] - - [df] - .mega.nz - .mega.co.nz - .mega.io - mega.nz - 
mega.co.nz - mega.io - - # [v6] - # .googlevideo.com - - [http] - ocsp.int-x3.letsencrypt.org - captive.apple.com - neverssl.com - www.msftconnecttest.com - '') - ]; - services = [ - { - address = "127.0.0.1:1681"; - name = "socks"; - protocol = "socks"; - } - ]; - }; -} diff --git a/srv/photoprism.nix b/srv/photoprism.nix deleted file mode 100644 index 58d5a4382..000000000 --- a/srv/photoprism.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, user, ... }: -{ - enable = true; - originalsPath = "/var/lib/private/photoprism/originals"; - address = "[::]"; - passwordFile = config.age.secrets.prism.path; - settings = { - PHOTOPRISM_ADMIN_USER = "${user}"; - PHOTOPRISM_DEFAULT_LOCALE = "en"; - PHOTOPRISM_DATABASE_NAME = "photoprism"; - PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; - PHOTOPRISM_DATABASE_USER = "photoprism"; - PHOTOPRISM_DATABASE_DRIVER = "mysql"; - }; - port = 20800; -} diff --git a/srv/pleroma.nix b/srv/pleroma.nix deleted file mode 100644 index 935c64d0d..000000000 --- a/srv/pleroma.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{ pkgs, ... }: -{ - # bcz of hard 2 use - enable = false; - secretConfigFile = "/run/credentials/pleroma.service/config.exs"; - configs = [ - '' - # Pleroma instance configuration - - # NOTE: This file should not be committed to a repo or otherwise made public - # without removing sensitive information. - - import Config - - config :pleroma, Pleroma.Web.Endpoint, - url: [host: "nyaw.xyz", scheme: "https", port: 443], - http: [ip: {0, 0, 0, 0}, port: 3000] - - config :pleroma, :instance, - name: "nyaw.xyz", - email: "pleroma@oluceps.uk", - notify_email: "pleroma@oluceps.uk", - limit: 5000, - registrations_open: false - - config :pleroma, :media_proxy, - enabled: false, - redirect_on_failure: true - #base_url: "https://cache.pleroma.social" - - config :pleroma, :database, rum_enabled: false - config :pleroma, :instance, static_dir: "/var/lib/pleroma/static" - config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" - - # Enable Strict-Transport-Security once SSL is working: - # config :pleroma, :http_security, - # sts: true - - config :pleroma, configurable_from_database: true - - config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Dedupe] - '' - ]; -} diff --git a/srv/postgresql.nix b/srv/postgresql.nix deleted file mode 100644 index e4e893f43..000000000 --- a/srv/postgresql.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{ pkgs, ... }: -{ - enable = true; - package = pkgs.postgresql_16_jit; - enableTCPIP = true; - settings = { - port = 5432; - max_connections = 100; - shared_buffers = "2GB"; - effective_cache_size = "6GB"; - maintenance_work_mem = "512MB"; - checkpoint_completion_target = 0.9; - wal_buffers = "16MB"; - default_statistics_target = 100; - random_page_cost = 1.1; - effective_io_concurrency = 200; - work_mem = "5242kB"; - min_wal_size = "1GB"; - max_wal_size = "4GB"; - max_worker_processes = 4; - max_parallel_workers_per_gather = 2; - max_parallel_workers = 4; - max_parallel_maintenance_workers = 2; - }; - authentication = pkgs.lib.mkOverride 10 '' - #type database DBuser auth-method - local all all trust - local misskey misskey peer map=misskey - - #type database DBuser origin-address auth-method - # ipv4 - host all all 127.0.0.1/32 trust - host all all 10.0.1.1/24 trust - host all all 10.0.0.1/24 trust - # ipv6 - host all all ::1/128 trust - ''; - - ensureDatabases = [ "misskey" ]; - ensureUsers = [ - { - name = "misskey"; - ensureDBOwnership = true; - } - ]; - identMap = '' - misskey misskey misskey - ''; -} diff --git a/srv/prometheus.nix b/srv/prometheus.nix deleted file mode 100644 index 1c2c98a35..000000000 --- a/srv/prometheus.nix +++ /dev/null 
@@ -1,173 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-let
- targets = map (n: "${n}.nyaw.xyz") [
- "nodens"
- "abhoth" # single point
- "kaambl"
- "azasos"
- "hastur"
- ];
- relabel_configs = [
- {
- source_labels = [ "__address__" ];
- target_label = "__param_target";
- }
- {
- source_labels = [ "__param_target" ];
- target_label = "instance";
- }
- {
- target_label = "__address__";
- replacement =
- with config.services.prometheus.exporters.blackbox;
- "${listenAddress}:${toString port}";
- }
- ];
-
-in
-{
- enable = true;
- webExternalUrl = "https://${config.networking.fqdn}/prom";
- listenAddress = "127.0.0.1";
- webConfigFile = (pkgs.formats.yaml { }).generate "web.yaml" {
- basic_auth_users = {
- prometheus = "$2b$05$bKuO7ehC6wKR28/pfhJZOuNyQFUtF7FwhkPFLwcbCMhfLRNUV54vm";
- };
- };
- port = 9090;
- retentionTime = "7d";
- globalConfig = {
- scrape_interval = "1m";
- evaluation_interval = "1m";
- };
- # prometheus not exit when credentials could not be load.
- scrapeConfigs =
- let
- secPath = "/run/credentials/prometheus.service/prom";
- in
- [
- {
- job_name = "caddy";
- scheme = "https";
- basic_auth = {
- username = "prometheus";
- password_file = secPath;
- };
- metrics_path = "/caddy";
- static_configs = [ { inherit targets; } ];
- }
- {
- job_name = "metrics";
- scheme = "https";
- basic_auth = {
- username = "prometheus";
- password_file = secPath;
- };
- static_configs = [ { inherit targets; } ];
- }
- {
- job_name = "http";
- scheme = "http";
- metrics_path = "/probe";
- params = {
- module = [ "http_2xx" ];
- };
- static_configs = [
- {
- targets = [
- "https://nyaw.xyz"
- "https://matrix.nyaw.xyz"
- "https://pb.nyaw.xyz"
- "https://vault.nyaw.xyz"
- ];
- }
- ];
- inherit relabel_configs;
- }
- # {
- # job_name = "metrics-notls";
- # scheme = "http";
- # static_configs = [
- # { targets = [ "10.0.2.1:9100" ]; }
- # { targets = [ "10.0.2.2:9100" ]; }
- # ];
- # }
- ];
- rules = lib.singleton (
- builtins.toJSON {
- groups = [
- {
- name = "metrics";
- rules = [
- {
- alert = "NodeDown";
- expr = ''up == 0'';
- }
- {
- alert = "OOM";
- expr = ''node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes < 0.1'';
- }
- {
- alert = "DiskFull";
- expr = ''node_filesystem_avail_bytes{mountpoint=~"/persist"} / node_filesystem_size_bytes < 0.1'';
- }
- {
- alert = "UnitFailed";
- expr = ''node_systemd_unit_state{state="failed"} == 1'';
- }
- ];
- }
- ];
- }
- );
- alertmanagers = [
- {
- path_prefix = "/alert";
- static_configs = [
- {
- targets = (
- let
- cfg = config.services.prometheus;
- in
- [ "${cfg.alertmanager.listenAddress}:${builtins.toString cfg.alertmanager.port}" ]
- );
- }
- ];
- }
- ];
- alertmanager = {
- enable = true;
- webExternalUrl = "https://${config.networking.fqdn}/alert";
- listenAddress = "127.0.0.1";
- port = 9093;
- logLevel = "info";
- extraFlags = [ ''--cluster.listen-address=""'' ];
- configuration = {
- receivers = [
- {
- name = "telegram";
- telegram_configs = [
- {
- bot_token_file = "/run/credentials/alertmanager.service/notifychan";
- chat_id = -1002215131569;
- http_config = {
- proxy_url = "http://127.0.0.1:1900";
- };
- }
- ];
- }
- ];
- route = {
- receiver = "telegram";
- group_wait = "30s";
- group_interval = "2m";
- repeat_interval = "10m";
- };
- };
- };
-}
diff --git a/srv/radicle.nix b/srv/radicle.nix
deleted file mode 100644
index 5ec419a3b..000000000
--- a/srv/radicle.nix
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- lib,
- pkgs,
- config,
- ...
-}:
-{
- enable = true;
- httpd = {
- enable = true;
- listenPort = 8084;
- listenAddress = "10.0.1.2";
- };
- node.openFirewall = true;
- privateKeyFile = config.age.secrets.id.path;
- publicKey = lib.data.keys.sshPubKey;
- settings = {
- cli = {
- hints = true;
- };
- node = {
- alias = "nodens";
- connect = [ ];
- externalAddresses = [ "seed.nyaw.xyz:8776" ];
- limits = {
- connection = {
- inbound = 128;
- outbound = 16;
- };
- fetchConcurrency = 1;
- gossipMaxAge = 1209600;
- maxOpenFiles = 4096;
- rate = {
- inbound = {
- capacity = 32;
- fillRate = 0.2;
- };
- outbound = {
- capacity = 64;
- fillRate = 1;
- };
- };
- routingMaxAge = 604800;
- routingMaxSize = 1000;
- };
- listen = [ ];
- network = "main";
- peers = {
- target = 8;
- type = "dynamic";
- };
- policy = "block";
- relay = true;
- scope = "all";
- workers = 8;
- };
- preferredSeeds = [
- "z6MkrLMMsiPWUcNPHcRajuMi9mDfYckSoJyPwwnknocNYPm7@seed.radicle.garden:8776"
- "z6Mkmqogy2qEM2ummccUthFEaaHvyYmYBYh3dbe9W4ebScxo@ash.radicle.garden:8776"
- ];
- publicExplorer = "https://app.radicle.xyz/nodes/$host/$rid$path";
- # web = {
- # pinned = {
- # repositories = [ "z2BAxuSMWoD3JujdWKCS3FoYEXE6V" ];
- # };
- # };
- };
-}
diff --git a/srv/rustypaste.nix b/srv/rustypaste.nix
deleted file mode 100644
index 8b049c49e..000000000
--- a/srv/rustypaste.nix
+++ /dev/null
@@ -1,88 +0,0 @@
-{ ... }:
-{
- enable = true;
- settings = {
- config = {
- refresh_rate = "3s";
- };
- landing_page = {
- content_type = "text/plain; charset=utf-8";
- text = ''
- |\__/,| (`\
- _.|o o |_ ) )
- -(((---(((--------
- Submit files via HTTP POST here:
- curl -F 'file=@example.txt'
- This will return the URL of the uploaded file nya.
- The server administrator might remove any pastes that they do not personally
- want to host.
- If you are the server administrator and want to change this page, just go
- into your config file and change it! If you change the expiry time, it is
- recommended that you do.
- By default, pastes expire every hour. The server admin may or may not have
- changed this.
- Check out the GitHub repository at https://github.com/orhun/rustypaste
- Command line tool is available at https://github.com/orhun/rustypaste-cli
- '';
- };
- paste = {
- default_expiry = "128h";
- default_extension = "txt";
- delete_expired_files = {
- enabled = true;
- interval = "1h";
- };
- duplicate_files = true;
- mime_blacklist = [
- "application/x-dosexec"
- "application/java-archive"
- "application/java-vm"
- ];
- mime_override = [
- {
- mime = "image/jpeg";
- regex = "^.*\\.jpg$";
- }
- {
- mime = "image/png";
- regex = "^.*\\.png$";
- }
- {
- mime = "image/svg+xml";
- regex = "^.*\\.svg$";
- }
- {
- mime = "video/webm";
- regex = "^.*\\.webm$";
- }
- {
- mime = "video/x-matroska";
- regex = "^.*\\.mkv$";
- }
- {
- mime = "application/octet-stream";
- regex = "^.*\\.bin$";
- }
- {
- mime = "text/plain";
- regex = "^.*\\.(log|txt|diff|sh|rs|toml)$";
- }
- ];
- random_url = {
- separator = "-";
- type = "petname";
- words = 2;
- };
- };
- server = {
- address = "127.0.0.1:3999";
- expose_list = false;
- expose_version = false;
- handle_spaces = "replace";
- max_content_length = "10MB";
- timeout = "30s";
- upload_path = "./upload";
- url = "https://pb.nyaw.xyz";
- };
- };
-}
diff --git a/srv/scrutiny.nix b/srv/scrutiny.nix
deleted file mode 100644
index d71a85e5b..000000000
--- a/srv/scrutiny.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ ... }:
-{
- enable = true;
- collector = {
- enable = true;
- settings.api.endpoint = "http://localhost:8080";
- };
-
- settings = {
- web.listen = {
- port = 8080;
- host = "0.0.0.0";
- };
-
- openFirewall = true;
-
- notify = {
- urls = [ "ntfy://ntfy.nyaw.xyz/crit?auth=QmVhcmVyIHRrXzFkZTlmYXdic3g1NGFweWVmbDZ3OWFtOGg5Mmpn" ];
- };
- };
-}
diff --git a/srv/smartdns.nix b/srv/smartdns.nix
deleted file mode 100644
index 944d36692..000000000
--- a/srv/smartdns.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ lib, pkgs, ... }:
-{
- enable = true;
- config = ''
- bind 127.0.0.1:53
-
- server-quic 223.5.5.5 -bootstrap-dns -exclude-default-group
- server-quic 223.5.5.5
- server-quic 223.6.6.6
- server tls://dot.pub
- server tls://dns.google
- '';
-}
diff --git a/srv/srs.nix b/srv/srs.nix
deleted file mode 100644
index 5fc298281..000000000
--- a/srv/srs.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ ... }:
-{
- enable = true;
- config = ''
- # main config for srs.
- # @see full.conf for detail config.
-
- listen 1935;
- max_connections 1000;
- srs_log_tank console;
- daemon off;
- pid /run/srs.pid;
-
- http_api {
- enabled on;
- listen 1985;
- }
- http_server {
- enabled on;
- listen 8083;
- dir ./objs/nginx/html;
- }
- rtc_server {
- enabled on;
- listen 8000; # UDP port
- # @see https://ossrs.net/lts/zh-cn/docs/v4/doc/webrtc#config-candidate
- candidate $CANDIDATE;
- }
- vhost __defaultVhost__ {
- hls {
- enabled on;
- }
- http_remux {
- enabled on;
- mount [vhost]/[app]/[stream].flv;
- }
- rtc {
- enabled on;
- # @see https://ossrs.net/lts/zh-cn/docs/v4/doc/webrtc#rtmp-to-rtc
- rtmp_to_rtc off;
- # @see https://ossrs.net/lts/zh-cn/docs/v4/doc/webrtc#rtc-to-rtmp
- rtc_to_rtmp off;
- }
-
- play{
- gop_cache_max_frames 2500;
- }
- }
- '';
-}
diff --git a/srv/vaultwarden.nix b/srv/vaultwarden.nix
deleted file mode 100644
index ad1deca58..000000000
--- a/srv/vaultwarden.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- config,
- lib,
- pkgs,
- inputs,
- ...
-}:
-{
- enable = true;
- dbBackend = "postgresql";
- config = {
- signupsAllowed = false;
- sendsAllowed = false;
- emergencyAccessAllowed = false;
- orgCreationUsers = "none";
- domain = "https://vault.nyaw.xyz";
- rocketAddress = "0.0.0.0";
- rocketPort = 8003;
- };
- # backupDir = "/var/lib/bitwarden_rs/backup";
- environmentFile = config.age.secrets.vault.path;
-}
diff --git a/srv/xmrig.nix b/srv/xmrig.nix
deleted file mode 100644
index 3cc39d757..000000000
--- a/srv/xmrig.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ data, config, ... }:
-{
- enable = true;
- settings = {
- autosave = true;
- opencl = false;
- cuda = false;
- cpu = {
- enable = true;
- max-threads-hint = 85;
- };
- pools = [
- {
- url = "pool.supportxmr.com:443";
- user = data.xmrAddr;
- keepalive = true;
- tls = true;
- pass = config.networking.hostName;
- }
- ];
- };
-}