enable 铜锣湾实验室

2023-08-25 22:55:33 +08:00
parent b7c890a206
commit d60a991eac
5 changed files with 129 additions and 107 deletions


@@ -192,6 +192,7 @@
nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
smartd.enable = true;
nginx = { enable = true; transparentProxy.enable = false; };
misskey = { enable = true; hostname = "xn--qbtm095lrg0bfka60z.chn.moe"; };
};
bugs =
[
@@ -243,9 +244,11 @@
"ng01.mirism.one" = 7411;
"beta.mirism.one" = 9114;
"nix-store.chn.moe" = 7676;
"xn--qbtm095lrg0bfka60z.chn.moe" = 7676;
};
};
};
misskey-proxy = { enable = true; hostname = "xn--qbtm095lrg0bfka60z.chn.moe"; };
};
boot =
{
@@ -332,11 +335,6 @@
rsshub.enable = true;
nginx = { enable = true; transparentProxy.externalIp = "207.180.253.54"; };
wallabag.enable = true;
misskey =
{
enable = true;
hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
};
};
boot =
{
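Review bot: The same hostname is registered twice in what appears to be one host's `services` block: once in the name-to-port map as `"xn--qbtm095lrg0bfka60z.chn.moe" = 7676` (the port already used for `nix-store.chn.moe`) and once as `misskey-proxy.hostname`. Which of the two ends up handling requests for that name is not visible from these hunks; if the map entry forwards the connection before the `misskey-proxy` vhost sees it, the auth-adding proxy would not be on the path. A short comment on the map entry would settle it, for example `# forwarded to <backend>; misskey-proxy below serves <which listener>`. The punycode literal is also repeated by hand in three places, so a typo in one copy would silently detach the vhost from its auth secret key. The enclosing attribute sets start and end outside the hunks.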


@@ -1,112 +1,133 @@
inputs:
{
options.nixos.services.misskey = let inherit (inputs.lib) mkOption types; in
options.nixos.services = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
port = mkOption { type = types.ints.unsigned; default = 9726; };
hostname = mkOption { type = types.str; default = "misskey.chn.moe"; };
misskey =
{
enable = mkOption { type = types.bool; default = false; };
port = mkOption { type = types.ints.unsigned; default = 9726; };
hostname = mkOption { type = types.str; default = "misskey.chn.moe"; };
};
misskey-proxy =
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "misskey.chn.moe"; };
};
};
config =
let
inherit (inputs.config.nixos.services) misskey;
inherit (inputs.config.nixos.services) misskey misskey-proxy;
inherit (inputs.localLib) stripeTabs;
inherit (inputs.lib) mkIf;
inherit (inputs.lib) mkIf mkMerge;
inherit (builtins) map listToAttrs toString replaceStrings;
in mkIf misskey.enable
{
systemd =
in mkMerge
[
(mkIf misskey.enable
{
services.misskey =
systemd =
{
description = "misskey";
after = [ "network.target" "redis-misskey.service" "postgresql.service" ];
requires = [ "network.target" "redis-misskey.service" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/default.yml".path;
serviceConfig = rec
services.misskey =
{
User = inputs.config.users.users.misskey.name;
Group = inputs.config.users.users.misskey.group;
WorkingDirectory = "/var/lib/misskey/work";
ExecStart = "${WorkingDirectory}/bin/misskey";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
};
tmpfiles.rules = [ "d /var/lib/misskey/files 0700 misskey misskey" ];
};
fileSystems =
{
"/var/lib/misskey/work" =
{
device = "${inputs.pkgs.localPackages.misskey}";
options = [ "bind" ];
};
"/var/lib/misskey/work/files" =
{
device = "/var/lib/misskey/files";
options = [ "bind" ];
};
};
sops.templates."misskey/default.yml" =
{
content =
let
placeholder = inputs.config.sops.placeholder;
misskey = inputs.config.nixos.services.misskey;
redis = inputs.config.nixos.services.redis.instances.misskey;
in replaceStrings ["\t"] [" "] (stripeTabs
''
url: https://${misskey.hostname}/
port: ${toString misskey.port}
db:
host: 127.0.0.1
port: 5432
db: misskey
user: misskey
pass: ${placeholder."postgresql/misskey"}
dbReplications: false
redis:
host: 127.0.0.1
port: ${toString redis.port}
pass: ${placeholder."redis/misskey"}
id: 'aid'
proxyBypassHosts:
- api.deepl.com
- api-free.deepl.com
- www.recaptcha.net
- hcaptcha.com
- challenges.cloudflare.com
proxyRemoteFiles: true
signToActivityPubGet: true
maxFileSize: 1073741824
'');
owner = inputs.config.users.users.misskey.name;
};
users =
{
users.misskey = { isSystemUser = true; group = "misskey"; home = "/var/lib/misskey"; createHome = true; };
groups.misskey = {};
};
nixos.services =
{
redis.instances.misskey.port = 3545;
nginx =
{
enable = true;
httpProxy =
{
"${misskey.hostname}" = { upstream = "http://127.0.0.1:${toString misskey.port}"; websocket = true; };
"direct.${misskey.hostname}" =
description = "misskey";
after = [ "network.target" "redis-misskey.service" "postgresql.service" ];
requires = [ "network.target" "redis-misskey.service" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/default.yml".path;
serviceConfig = rec
{
upstream = "http://127.0.0.1:${toString misskey.port}";
websocket = true;
setHeaders.Host = "direct.${misskey.hostname}";
detectAuth = true;
User = inputs.config.users.users.misskey.name;
Group = inputs.config.users.users.misskey.group;
WorkingDirectory = "/var/lib/misskey/work";
ExecStart = "${WorkingDirectory}/bin/misskey";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
};
tmpfiles.rules = [ "d /var/lib/misskey/files 0700 misskey misskey" ];
};
postgresql = { enable = true; instances.misskey = {}; };
};
};
fileSystems =
{
"/var/lib/misskey/work" =
{
device = "${inputs.pkgs.localPackages.misskey}";
options = [ "bind" ];
};
"/var/lib/misskey/work/files" =
{
device = "/var/lib/misskey/files";
options = [ "bind" ];
};
};
sops.templates."misskey/default.yml" =
{
content =
let
placeholder = inputs.config.sops.placeholder;
misskey = inputs.config.nixos.services.misskey;
redis = inputs.config.nixos.services.redis.instances.misskey;
in replaceStrings ["\t"] [" "] (stripeTabs
''
url: https://${misskey.hostname}/
port: ${toString misskey.port}
db:
host: 127.0.0.1
port: 5432
db: misskey
user: misskey
pass: ${placeholder."postgresql/misskey"}
dbReplications: false
redis:
host: 127.0.0.1
port: ${toString redis.port}
pass: ${placeholder."redis/misskey"}
id: 'aid'
proxyBypassHosts:
- api.deepl.com
- api-free.deepl.com
- www.recaptcha.net
- hcaptcha.com
- challenges.cloudflare.com
proxyRemoteFiles: true
signToActivityPubGet: true
maxFileSize: 1073741824
'');
owner = inputs.config.users.users.misskey.name;
};
users =
{
users.misskey = { isSystemUser = true; group = "misskey"; home = "/var/lib/misskey"; createHome = true; };
groups.misskey = {};
};
nixos.services =
{
redis.instances.misskey.port = 3545;
nginx =
{
enable = true;
httpProxy =
{
"${misskey.hostname}" = { upstream = "http://127.0.0.1:${toString misskey.port}"; websocket = true; };
"direct.${misskey.hostname}" =
{
upstream = "http://127.0.0.1:${toString misskey.port}";
websocket = true;
setHeaders.Host = "${misskey.hostname}";
detectAuth = true;
};
};
};
postgresql = { enable = true; instances.misskey = {}; };
};
})
(mkIf misskey-proxy.enable
{
nixos.services.nginx.httpProxy."${misskey-proxy.hostname}" =
{
upstream = "https://direct.${misskey.hostname}";
websocket = true;
setHeaders.Host = "direct.${misskey.hostname}";
addAuth = true;
};
})
];
}
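Review bot: The new `misskey-proxy` branch builds its upstream and Host header from `misskey.hostname`, not from `misskey-proxy.hostname`. On a host that enables only `misskey-proxy` (as the host configuration in this commit appears to do), `misskey.hostname` falls back to its default `misskey.chn.moe`. The vhost with `addAuth = true` would then forward requests, together with whatever `addAuth` attaches, to `direct.misskey.chn.moe` instead of the `direct.` vhost of the configured site. Unless that coupling is intended, use `upstream = "https://direct.${misskey-proxy.hostname}";` and `setHeaders.Host = "direct.${misskey-proxy.hostname}";`. Both options also default to the same `misskey.chn.moe`, which would hide this mismatch in any deployment that keeps the defaults.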


@@ -137,7 +137,7 @@ inputs:
templates = listToAttrs (map
(site:
{
name = "nginx/addAuth/${site.name}";
name = "nginx/addAuth/${site.name}-template";
value =
{
content =
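Review bot: Renaming the template to `nginx/addAuth/${site.name}-template` changes the key every consumer has to use, and this hunk shows only the definition. Any reference of the form `sops.templates."nginx/addAuth/${site.name}".path` left elsewhere in the file would fail at evaluation, so confirm those were renamed in the same commit. The reason for the suffix is not visible here; a one-line comment above `name =` such as `# "-template" suffix: <reason, e.g. the name it must not clash with>` would save the next reader the search. Since this template presumably renders credentials, it is also worth confirming its owner and mode are restricted to the nginx user. The enclosing `map` lambda starts and ends outside the hunk.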


@@ -9,7 +9,7 @@ store:
nginx:
detectAuth:
#ENC[AES256_GCM,data:3JlL83PuobpUYTsgAIT6Fw7EUf42hjhdREqiRB3yJq8SLd8mQEgS3bI=,iv:ujECnaWT2enQUwtjLCbaD2EF1dgbVoxk6aLm9ydmtGk=,tag:3JXn9NB1yWJPJlWRWW4/AA==,type:comment]
direct.misskey.chn.moe: ENC[AES256_GCM,data:lomcsh/Q0OcNIB0xX0AC02dwhTs24Dg6JTBjSTXO1flPERojGbyXFrXCcj43,iv:eqYQcMoIOa+9ncrdec0SbvNpTy3qhZxV8AVUtTrrJF8=,tag:uqPfeKTWuwU4HNNkXAn+NQ==,type:str]
direct.xn--qbtm095lrg0bfka60z.chn.moe: ENC[AES256_GCM,data:QbUQ9tK9sBpdNKRqCVlr2X38gOM0GCgXwpoYQcaRtb03o7gPNyPiOn/1w408,iv:uhetRhYDL01mbm/LUwUpQlQTm2cObSTvILv+kihLFZY=,tag:oz2Ns0YzQXjzcJMjOy7wog==,type:str]
maxmind-license: ENC[AES256_GCM,data:PVV4VAvB22KoA8EM8Honb+KWYhydXdmTAVlDw/XnTcbaIY+5Km2gGA==,iv:7PfytRbpW4G2iDNqysvZnB0YsQFVUL5Kr1DNsBzuhCA=,tag:z2J14fdD7AUNabN+6kUojA==,type:str]
postgresql:
misskey: ENC[AES256_GCM,data:KiJ2smpRwJ1pzauCgVsmFH4aCiw4sEkCQ9JSTao5NdI=,iv:jIc0a797dokfByN2vJcYcAFfPC8MP7wCV5qsxoCDxcE=,tag:L5n1/xszwB0lhqYcbLqp2Q==,type:str]
@@ -39,8 +39,8 @@ sops:
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-25T14:11:58Z"
mac: ENC[AES256_GCM,data:4mBu1XHiiw4oWBAI/cVbsdst8BH+aVFLIHMjR+YXrmHCxwu5fWgLtKGyJVR3udvLw/WbHa5Ce8AYialPhaWmgy0Jp0pWW4VNaTA0u//9Vv5Vs5A3pp74kzcd5aZwtCMAk1Gsf9t0jIGUkc7E+TPCfOSNp4AVVbqh14HErzLsa1E=,iv:SUNbJX61ZuR4MrwsHqm7wFyI978qovFiUz8UTTl7G/4=,tag:f5jG3opgTUCckSChv9RBhA==,type:str]
lastmodified: "2023-08-25T14:54:50Z"
mac: ENC[AES256_GCM,data:nFGQleqylBnUSY+pu2Z4xtz0wpUJhKpwtAKZa85yImHMSnWfy/zijASC12yi5ekzZkAJg9ZFFgalXtVuLjdrJ6d4d49Hs0XAjt5DC5GzUvJGDY+dLEMatFNXe5pFJ01xh7jrq51YnYYgNbPjFKjzSMQgeKPdZg4anwgYapenWAQ=,iv:mVBTyjOfjN3BZ9kFGmySx9XSCmvu4uIsBA3sNTDnTLs=,tag:5q401/ySjOJ05idzYWc7ug==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@@ -48,6 +48,9 @@ xray-server:
chat: ENC[AES256_GCM,data:X1JxFQw0bPCu,iv:hf+TOSH2p9RdnXDFKxTpSRzxDLdJyzNHVV8MfOQuGWY=,tag:iiWw9IFiBGOOyOSl9Jj2wQ==,type:str]
private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
nginx:
addAuth:
#ENC[AES256_GCM,data:0f7P/+sx7C8AQUK+q7TucsEhiYQpGG6axuSTYx+c/BtSbZvrC6UKHa4=,iv:lv9PsQLziNmK1y9pw8TDxNdmq0rARxGomBb7sRgH0cA=,tag:Vk004NA74XjT7pqIWD34jw==,type:comment]
xn--qbtm095lrg0bfka60z.chn.moe: ENC[AES256_GCM,data:6alYFNVOAk0Yp0l4K6G4t6iIptkpsqDxWLRjfSo9UsewNFrbsMqw8JWNAYIqEhitcCb0cMZIBgI=,iv:xZzGMCOJU9Ja9XhDE/4gjsLb7FEjzhfCUtiS7ORvnp4=,tag:pfJr5+GstP9BoKa/bI+t2g==,type:str]
maxmind-license: ENC[AES256_GCM,data:sESU6uK9EYLido9/0sXO2Zw1SjuKmxPh4r3giJcaG7068gn1kByjsA==,iv:htnFgnLrH35zSvmlRAdoRDLFIpKroKO5dW9TNK9soUc=,tag:6pJuc54SrKP5n0kJJ7fGyA==,type:str]
send:
redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
@@ -75,8 +78,8 @@ sops:
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-23T12:20:06Z"
mac: ENC[AES256_GCM,data:CWVcA+ssnLBvYnX+spddvKe8hbaugaLSVXqUNDYEVaVfLCJkXaHzTOM3Kgp6DNlXCTV40lYqtW4XMvK6CbbJpuxxsy5AlgA0lsVgPGT4JZFmrXFcsN3WUVA6L5trjVaJ044NwSWBDYUsHrkgnck6nWWyIUxzMUerCinCtuMaXHI=,iv:U2ZTD1g0d6COnShHvBOHugqYPpeO8Sba/FVPH1sgHsU=,tag:EfZcb69v+qVG6P+rcXVIyA==,type:str]
lastmodified: "2023-08-25T14:54:22Z"
mac: ENC[AES256_GCM,data:WcsA+0Y23DsZX1QjxOSX3xh3AXDQKcjN+dggW9aiS3yuSgpjaYfJ+Ro8TlBkgIZb7ehYftYRUAu1z4HSjSilqGTchR+krmXed7GT1ucLU2lcVng0/Q4SjqAit67X8Rh+CdMAaJOLXP+14i3ARYtoltUb3NFinQ4nxV4NXCeSuoA=,iv:+Y1KL8X9ls5RulpSnzzLZcnqm3CvAdhCND+oS3Niakw=,tag:AQTeCbJ0JhXFISP2PD9gcQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3