chn/nixos
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixos.git synced 2026-01-12 04:39:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: chn:native
Branches Tags
chn:production chn:next chn:legacy-2505 chn:archive chn:edge chn:a30 chn:hpcstat chn:rocm chn:nas-alderlake chn:one-fprint chn:rog-x chn:sbatch-add-fdtd chn:r2s chn:steamdeck chn:biu chn:sbatch-tui chn:sops chn:srv1 chn:srv1-archive chn:srv1-add-zgq chn:switch-srv2 chn:xray-debug chn:srv2-debug chn:srv2-notice chn:temp chn:staging chn:debug chn:wannier-tools chn:next-pc chn:fix-libvirt chn:add-pen chn:libvirt-cow chn:test-nfs chn:wg-stage chn:hdf5-slurm chn:vasp-debug chn:container chn:debug-nfs chn:test-impermanence chn:xmuserver chn:pc chn:test-motd chn:nvhpc chn:root chn:srv-archive chn:xmuserver-archive chn:python chn:test-bindmount chn:test-keyd chn:srv chn:vasp chn:ufo chn:ip-debug chn:nex chn:blog chn:fcitx5 chn:winjob chn:winjob-old-design chn:ollama chn:server chn:vps6 chn:chn-bsub chn:test-nvidia chn:bug chn:next-debug chn:krfb chn:xray chn:split-desktop-server chn:pi chn:envfs chn:main chn:dae chn:xmupc2 chn:xrdp chn:ipfs chn:xmupc1 chn:mumax chn:slurm chn:blas chn:firefox chn:color chn:gpu chn:nvidia chn:xanmod chn:rsshub chn:ttyd chn:fix-efishell chn:device chn:misskey chn:power chn:native chn:meilisearch-migration chn:nixos-23.05 chn:nginx chn:ua chn:vps7-freshrss chn:nvme-bug chn:yoga chn:kernel-lts chn:nas-beesd chn:vps7-beesd chn:vps6-beesd chn:phonopy chn:tested chn:docker chn:test-nebula chn:test-nebula-nas chn:stable chn:benchmark chn:ccache-bug-report
chn:try-to-fix-rtkit-pipewire
...
compare: chn:29fef229d86eea21e4228bfed6f8b10b18241294
Branches Tags
chn:production chn:next chn:legacy-2505 chn:archive chn:edge chn:a30 chn:hpcstat chn:rocm chn:nas-alderlake chn:one-fprint chn:rog-x chn:sbatch-add-fdtd chn:r2s chn:steamdeck chn:biu chn:sbatch-tui chn:sops chn:srv1 chn:srv1-archive chn:srv1-add-zgq chn:switch-srv2 chn:xray-debug chn:srv2-debug chn:srv2-notice chn:temp chn:staging chn:debug chn:wannier-tools chn:next-pc chn:fix-libvirt chn:add-pen chn:libvirt-cow chn:test-nfs chn:wg-stage chn:hdf5-slurm chn:vasp-debug chn:container chn:debug-nfs chn:test-impermanence chn:xmuserver chn:pc chn:test-motd chn:nvhpc chn:root chn:srv-archive chn:xmuserver-archive chn:python chn:test-bindmount chn:test-keyd chn:srv chn:vasp chn:ufo chn:ip-debug chn:nex chn:blog chn:fcitx5 chn:winjob chn:winjob-old-design chn:ollama chn:server chn:vps6 chn:chn-bsub chn:test-nvidia chn:bug chn:next-debug chn:krfb chn:xray chn:split-desktop-server chn:pi chn:envfs chn:main chn:dae chn:xmupc2 chn:xrdp chn:ipfs chn:xmupc1 chn:mumax chn:slurm chn:blas chn:firefox chn:color chn:gpu chn:nvidia chn:xanmod chn:rsshub chn:ttyd chn:fix-efishell chn:device chn:misskey chn:power chn:native chn:meilisearch-migration chn:nixos-23.05 chn:nginx chn:ua chn:vps7-freshrss chn:nvme-bug chn:yoga chn:kernel-lts chn:nas-beesd chn:vps7-beesd chn:vps6-beesd chn:phonopy chn:tested chn:docker chn:test-nebula chn:test-nebula-nas chn:stable chn:benchmark chn:ccache-bug-report
chn:try-to-fix-rtkit-pipewire

67 Commits
native ... 29fef229d8

Author SHA1 Message Date
chn
29fef229d8 Revert "system: try to fix ipv6" 
This reverts commit 303d67ca06.
 2023-12-23 15:31:44 +08:00
chn
303d67ca06 system: try to fix ipv6 2023-12-23 10:03:09 +08:00
chn
3732d19de0 packages.server.ssh: auto cd in jykang 2023-12-22 11:39:10 +08:00
chn
26eec4d375 packages.server: split zsh 2023-12-22 11:38:56 +08:00
chn
ac362289de services.synapse: fix 2023-12-20 16:20:23 +08:00
chn
3bb5e840e7 services.synapse: fix 2023-12-20 15:26:35 +08:00
chn
8b3ef05d3b services.nginx.applications.main: fix alias 2023-12-20 15:14:51 +08:00
chn
0fd63c01f7 services.synapse: fix 2023-12-20 14:39:23 +08:00
chn
61c644a4b1 services.synapse: enable sliding sync 2023-12-20 14:33:14 +08:00
chn
788709aac9 services.synapse: fix 2023-12-20 12:33:17 +08:00
chn
f5053ae284 services.postgresql: add initializeFlags 2023-12-20 12:23:05 +08:00
chn
6a6625d585 system.kernel: port some change from xddxdd/nur-packages 2023-12-20 11:31:12 +08:00
chn
69c528a03d switch back to xanmod 2023-12-20 11:04:40 +08:00
chn
6c496b7b8e services.postgresql: fix locale setting 2023-12-19 22:09:35 +08:00
chn
13652e7c0e services.synapse: correct locale 2023-12-19 22:07:27 +08:00
chn
2160e453eb services.postgresql: allow set locale 2023-12-19 22:06:41 +08:00
chn
71acf32da3 vps7: enable second synapse instance 2023-12-19 21:43:48 +08:00
chn
aac7bad20a packages.workstation: add nheko 2023-12-19 21:19:27 +08:00
chn
1d9a3ad2c0 enable laptop-mode 2023-12-19 18:56:08 +08:00
chn
f55576883c system.kernel: switch to zen 2023-12-19 18:36:45 +08:00
chn
e71a08586d Revert "Revert "drop acpi workaround"" 
This reverts commit 8c2b6530a6.
 2023-12-19 13:43:28 +08:00
chn
8c2b6530a6 Revert "drop acpi workaround" 
This reverts commit 72e1e0140a.
 2023-12-19 13:29:17 +08:00
chn
38d3d8c7df update kernel 2023-12-19 12:56:24 +08:00
chn
72e1e0140a drop acpi workaround 2023-12-19 12:51:43 +08:00
chn
59dbfaa70f add acpi workaround 2023-12-18 21:04:42 +08:00
chn
75e2b84c4c Revert "nvidia: do not add modules to initrd" 
This reverts commit 45ec3e74b7.
 2023-12-18 20:25:35 +08:00
chn
9cfd30db6a Revert "hardware: gpu drivers should not be in initrd" 
This reverts commit 02a2d399d6.
 2023-12-18 20:24:40 +08:00
chn
02a2d399d6 hardware: gpu drivers should not be in initrd 2023-12-18 20:08:24 +08:00
chn
eb25e31c70 always apply embree patch 2023-12-18 14:04:39 +08:00
chn
6265e41ca7 revert some nvidia config 2023-12-17 22:46:58 +08:00
chn
6f36cfe007 services.akkoma: init 2023-12-17 22:43:54 +08:00
chn
b8abc4a326 services.nginx.https: allow custom TLS certificate 2023-12-17 21:42:57 +08:00
chn
59b053886b services.synapse: enable redis 2023-12-17 19:52:12 +08:00
chn
1769069057 synapse 支持多实例 2023-12-17 19:44:40 +08:00
chn
9801e53230 services.gitea: fix ssh 2023-12-17 14:41:00 +08:00
chn
9ea81dfe9e services.gitea: fix ssh 2023-12-17 14:10:16 +08:00
chn
c6c9bbafae services.gitea: fix 2023-12-17 13:46:29 +08:00
chn
f906e9d556 services.gitea: init 2023-12-17 13:37:15 +08:00
chn
4ffd5aebd5 move wireguard peer config to top level 2023-12-17 12:10:45 +08:00
chn
8724c23fde fix watchfiles 2023-12-17 11:50:40 +08:00
chn
808058596f xmupc1: do not build firefox 2023-12-17 11:44:32 +08:00
chn
36b37daf2e packages.desktop.vscode: remove copilot-labs 2023-12-17 10:50:42 +08:00
chn
45ec3e74b7 nvidia: do not add modules to initrd 2023-12-17 10:49:22 +08:00
chn
f5724e10a4 pc: fix power down on load graphic driver 2023-12-17 01:10:00 +08:00
chn
183d805a8f services.gitlab: currently disable ssh 2023-12-16 22:29:02 +08:00
chn
ca7668cbd5 services.gitlab: change hostname, enable ssh and lfs 2023-12-16 21:16:56 +08:00
chn
2462e85b70 pc: disable XHCI wakeup 2023-12-16 20:34:30 +08:00
chn
a6b4077114 packages.desktop-fat: add fluffychat 2023-12-16 13:42:19 +08:00
chn
e5b13ace75 add chn.moe 2023-12-15 21:01:29 +08:00
chn
b861d7bfb9 fix tmpfiles permission 2023-12-15 20:26:04 +08:00
chn
2d8c36d108 fix wireguard port 2023-12-15 12:40:28 +08:00
chn
9ec9597421 services.fz-new-order: fix permission 2023-12-15 12:38:39 +08:00
chn
469919c75a services.wireguard: auto deduce port 2023-12-14 23:34:03 +08:00
chn
9e14036e57 system.gui: default coincide with packages._packageSets 2023-12-14 23:28:30 +08:00
chn
839e56e52c init xmupc1 2023-12-14 23:24:20 +08:00
chn
087b4f0a7f yoga: try to fix touch keyboard in initrd 2023-12-13 22:20:29 +08:00
chn
99b891a4cb packages.server.ssh: remove internal hostnames 2023-12-13 12:33:56 +08:00
chn
73d6b46a4b vps7: fix wireguard private key 2023-12-13 12:01:16 +08:00
chn
d15794e7b1 yoga: prefer gui 2023-12-12 23:40:10 +08:00
chn
417e924b04 add yogabook module to initrd 2023-12-12 23:30:43 +08:00
chn
f4d12652c2 fix 2023-12-12 00:18:03 +08:00
chn
219d3fbb20 整理 flake.nix 2023-12-11 19:19:36 +08:00
chn
d44a9c4ddb add ventoy-full 2023-12-11 17:29:51 +08:00
chn
266692c74a remove pe 2023-12-11 17:27:26 +08:00
chn
c1a8043322 install pe 2023-12-11 17:05:29 +08:00
chn
d330f60909 add exfatprogs 2023-12-11 13:48:47 +08:00
chn
2b16dde96d move some packages to workstation 2023-12-10 15:20:04 +08:00
49 changed files with 950 additions and 610 deletions
Expand all files Collapse all files

6
.sops.yaml
View File

@@ -4,8 +4,8 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
- &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
- &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
- &yoga age1qrea4twxdhd7fnvlq5v45528c90qy6hp2wa55kghsxzgut6n6fxs7w6u42
- &pe age1cahahn9hp265dkhduaec65vugk8fct2vt9ur6y54m4mgmyx4v4fq0etjhv
- &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
- &xmupc1 age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
creation_rules:
- path_regex: secrets/pc/.*$
key_groups:
@@ -36,8 +36,8 @@ creation_rules:
- age:
- *chn
- *yoga
- path_regex: secrets/pe/.*$
- path_regex: secrets/xmupc1/.*$
key_groups:
- age:
- *chn
- *pe
- *xmupc1

12
flake.lock generated
View File

@@ -1124,11 +1124,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1702086307,
"narHash": "sha256-VYrU2OTc6SjB0DHzgn0ai0JEyIBfu11luQZdthO481M=",
"lastModified": 1702961405,
"narHash": "sha256-H7TRw7SHZhC07K+E8YpDrDv19SMmA4sThQQPIrQ3vxg=",
"owner": "CHN-beta",
"repo": "nixpkgs",
"rev": "bfee670bc80b86734e5cd3bc608f2f42ac511491",
"rev": "530eea7ffc7a0c010557714f6d48981085d9b932",
"type": "github"
},
"original": {
@@ -1140,11 +1140,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1702086283,
"narHash": "sha256-vmRkfUdggvt0NIayUHpqpnUESwkp+3f7OQ7qabnDyWc=",
"lastModified": 1702980585,
"narHash": "sha256-GvjQ462NjjmA2OXGT5ZjHJGA7BrqfsrUpMx4Iq6xkrI=",
"owner": "CHN-beta",
"repo": "nixpkgs",
"rev": "6f15ecd7a9192cee53136682da672bee7b466987",
"rev": "8439a9c91674ecef22fd1e5ab8643b813fb5229d",
"type": "github"
},
"original": {

221
flake.nix
View File

@@ -50,7 +50,7 @@
default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems"
(builtins.concatStringsSep "\n" (builtins.map
(system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel)
[ "pc" "vps6" "vps7" "nas" "yoga" "pe" ]));
[ "pc" "vps6" "vps7" "nas" "yoga" ]));
}
// (
builtins.listToAttrs (builtins.map
@@ -59,32 +59,16 @@
name = system;
value = inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel;
})
[ "pc" "vps6" "vps7" "nas" "yoga" "pe" ])
[ "pc" "vps6" "vps7" "nas" "yoga" "xmupc1" ])
);
nixosConfigurations = builtins.listToAttrs (builtins.map
(system:
{
name = system.name;
value = inputs.nixpkgs.lib.nixosSystem
# ssh-keygen -t rsa -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_rsa_key
# ssh-keygen -t ed25519 -C root@pe -f /mnt/nix/persistent/etc/ssh/ssh_host_ed25519_key
# systemd-machine-id-setup --root=/mnt/nix/persistent
nixosConfigurations =
let
system =
{
system = "x86_64-linux";
specialArgs = { topInputs = inputs; inherit localLib; };
modules = localLib.mkModules
(
[
(inputs: { config.nixpkgs.overlays = [(final: prev:
{ localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); })]; })
./modules
]
++ system.value
);
};
})
(localLib.attrsToList
{
pc =
[
(inputs: { config.nixos =
pc =
{
system =
{
@@ -132,10 +116,10 @@
};
nixpkgs =
{ march = "alderlake"; cuda = { enable = true; capabilities = [ "8.6" ]; forwardCompat = false; }; };
gui = { enable = true; preferred = true; };
kernel.patches = [ "cjktty" ];
kernel.patches = [ "cjktty" "lantian" ];
impermanence.enable = true;
networking.hostname = "pc";
sysctl.laptop-mode = 5;
};
hardware =
{
@@ -208,18 +192,21 @@
smartd.enable = true;
misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
wireguard = { enable = true; peers = [ "vps6" ]; };
wireguard =
{
enable = true;
peers = [ "vps6" ];
publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
wireguardIp = "192.168.83.3";
};
};
bugs =
[
"intel-hdmi" "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet"
"suspend-hibernate-waydroid" "embree"
"suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet"
"suspend-hibernate-waydroid"
];
};})
];
vps6 =
[
(inputs: { config.nixos =
};
vps6 =
{
system =
{
@@ -269,26 +256,35 @@
[ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
// (builtins.listToAttrs (builtins.map
(site: { name = "${site}.chn.moe"; value.upstream.address = "wireguard.vps7.chn.moe"; })
[ "xn--s8w913fdga" "misskey" "synapse" "send" "kkmeeting" "api" "gitlab" "grafana" ]));
[
"xn--s8w913fdga" "misskey" "synapse" "syncv3.synapse" "matrix" "syncv3.matrix"
"send" "kkmeeting" "api" "git" "grafana"
]));
applications =
{
element.instances."element.chn.moe" = {};
synapse-admin.instances."synapse-admin.chn.moe" = {};
catalog.enable = true;
blog.enable = true;
main.enable = true;
};
};
coturn.enable = true;
httpua.enable = true;
mirism.enable = true;
fail2ban.enable = true;
wireguard = { enable = true; peers = [ "pc" "nas" "vps7" ]; };
wireguard =
{
enable = true;
peers = [ "pc" "nas" "vps7" ];
publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
wireguardIp = "192.168.83.1";
externalIp = "74.211.99.69";
lighthouse = true;
};
};
};})
];
vps7 =
[
(inputs: { config.nixos =
};
vps7 =
{
system =
{
@@ -317,7 +313,7 @@
initrd.sshd.enable = true;
impermanence.enable = true;
networking.hostname = "vps7";
gui.enable = true;
gui.preferred = false;
};
packages.packageSet = "desktop";
services =
@@ -332,7 +328,11 @@
misskey.hostname = "xn--s8w913fdga.chn.moe";
misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; };
};
synapse.enable = true;
synapse.instances =
{
synapse.matrixHostname = "synapse.chn.moe";
matrix = { port = 8009; redisPort = 6380; slidingSyncPort = 9001; };
};
xrdp = { enable = true; hostname = [ "vps7.chn.moe" ]; };
vaultwarden.enable = true;
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
@@ -345,16 +345,20 @@
nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
httpapi.enable = true;
mastodon.enable = true;
gitlab.enable = true;
gitea.enable = true;
grafana.enable = true;
fail2ban.enable = true;
wireguard = { enable = true; peers = [ "vps6" ]; };
wireguard =
{
enable = true;
peers = [ "vps6" ];
publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
wireguardIp = "192.168.83.2";
externalIp = "95.111.228.40";
};
};
};})
];
nas =
[
(inputs: { config.nixos =
};
nas =
{
system =
{
@@ -398,7 +402,7 @@
kernel.patches = [ "cjktty" ];
impermanence.enable = true;
networking.hostname = "nas";
gui.enable = true;
gui.preferred = false;
};
hardware = { cpus = [ "intel" ]; gpus = [ "intel" ]; };
packages.packageSet = "desktop";
@@ -440,14 +444,17 @@
stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; };
};
nginx = { enable = true; applications.webdav.instances."local.webdav.chn.moe" = {}; };
wireguard = { enable = true; peers = [ "vps6" ]; };
wireguard =
{
enable = true;
peers = [ "vps6" ];
publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
wireguardIp = "192.168.83.4";
};
};
users.users = [ "chn" "xll" "zem" "yjq" "yxy" ];
};})
];
yoga =
[
(inputs: { config.nixos =
};
yoga =
{
system =
{
@@ -468,7 +475,6 @@
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
};
nixpkgs.march = "silvermont";
gui.enable = true;
grub.installDevice = "efi";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
kernel.patches = [ "cjktty" ];
@@ -502,11 +508,8 @@
firewall.trustedInterfaces = [ "virbr0" ];
};
bugs = [ "xmunet" ];
};})
];
pe =
[
(inputs: { config.nixos =
};
xmupc1 =
{
system =
{
@@ -514,36 +517,70 @@
{
mount =
{
vfat."/dev/disk/by-uuid/86B8-CF80" = "/boot/efi";
vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
btrfs =
{
"/dev/disk/by-uuid/e252f81d-b4b3-479f-8664-380a9b73cf83"."/boot" = "/boot";
"/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
};
};
swap = [ "/nix/swap/swap" ];
swap = [ "/dev/mapper/swap" ];
resume = "/dev/mapper/swap";
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
};
gui.enable = true;
grub.installDevice = "efiRemovable";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
grub.installDevice = "efi";
nixpkgs =
{
march = "znver3";
cuda =
{
enable = true;
capabilities =
[
# 2080 Ti
"7.5"
# 3090
"8.6"
# 4090
"8.9"
];
forwardCompat = false;
};
};
gui.preferred = false;
kernel.patches = [ "cjktty" ];
impermanence.enable = true;
networking.hostname = "pe";
networking.hostname = "xmupc1";
};
hardware =
{
cpus = [ "intel" "amd" ];
gpus = [ "intel" "amd" "nvidia" ];
cpus = [ "amd" ];
gpus = [ "nvidia" ];
bluetooth.enable = true;
joystick.enable = true;
printer.enable = true;
sound.enable = true;
gamemode.drmDevice = 1;
};
packages.packageSet = "desktop";
packages.packageSet = "workstation";
virtualization = { docker.enable = true; kvmHost = { enable = true; gui = true; }; };
services =
{
snapper.enable = true;
fontconfig.enable = true;
samba =
{
enable = true;
private = true;
hostsAllowed = "192.168. 127.";
shares =
{
media.path = "/run/media/chn";
home.path = "/home/chn";
mnt.path = "/mnt";
share.path = "/home/chn/share";
};
};
sshd.enable = true;
xrayClient =
{
@@ -552,11 +589,39 @@
serverName = "vps6.xserver.chn.moe";
dns.extraInterfaces = [ "docker0" ];
};
firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
acme = { enable = true; cert."debug.mirism.one" = {}; };
smartd.enable = true;
beesd = { enable = true; instances.root = { device = "/nix/persistent"; hashTableSizeMB = 2048; }; };
wireguard =
{
enable = true;
peers = [ "vps6" ];
publicKey = "JEY7D4ANfTpevjXNvGDYO6aGwtBGRXsf/iwNwjwDRQk=";
wireguardIp = "192.168.83.5";
};
};
bugs = [ "xmunet" ];
};})
];
}));
bugs = [ "xmunet" "firefox" ];
};
};
in builtins.listToAttrs (builtins.map
(system:
{
name = system.name;
value = inputs.nixpkgs.lib.nixosSystem
{
system = "x86_64-linux";
specialArgs = { topInputs = inputs; inherit localLib; };
modules = localLib.mkModules
[
(inputs: { config.nixpkgs.overlays = [(final: prev:
{ localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); })]; })
./modules
{ config.nixos = system.value; }
];
};
})
(localLib.attrsToList system));
# sudo HTTPS_PROXY=socks5://127.0.0.1:10884 nixos-install --flake .#bootstrap --option substituters http://127.0.0.1:5000 --option require-sigs false --option system-features gccarch-silvermont
# nix-serve -p 5000
# nix copy --substitute-on-destination --to ssh://server /run/current-system

8
modules/bugs/default.nix
View File

@@ -5,8 +5,6 @@ inputs:
inherit (inputs.lib) mkMerge mkIf mkOption types;
bugs =
{
# intel i915 hdmi
intel-hdmi.boot.kernelPatches = [{ name = "intel-hdmi"; patch = ./intel-hdmi.patch; }];
# suspend & hibernate do not use platform
suspend-hibernate-no-platform.systemd.sleep.extraConfig =
''
@@ -47,6 +45,10 @@ inputs:
then
echo LID0 > /proc/acpi/wakeup
fi
if ${cat} /proc/acpi/wakeup | ${grep} XHCI | ${grep} -q enabled
then
echo XHCI > /proc/acpi/wakeup
fi
'';
wantedBy = [ "multi-user.target" ];
};
@@ -76,8 +78,6 @@ inputs:
};
};
firefox.programs.firefox.enable = inputs.lib.mkForce false;
embree.nixpkgs.overlays =
[(final: prev: { embree = prev.embree.override { stdenv = final.genericPackages.stdenv; }; })];
};
in
{

14
modules/bugs/intel-hdmi.patch
View File

@@ -1,14 +0,0 @@
diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
index 55544d484318..d6f257f8fd14 100644
--- a/drivers/gpu/drm/i915/display/intel_bios.c
+++ b/drivers/gpu/drm/i915/display/intel_bios.c
@@ -2708,7 +2708,7 @@ static void parse_ddi_port(struct intel_bios_encoder_data *devdata)
if (i915->display.vbt.ports[port]) {
drm_dbg_kms(&i915->drm,
"More than one child device for port %c in VBT, using the first.\n",
port_name(port));
- return;
+ // return;
}
sanitize_device_type(devdata, port);

50
modules/hardware/default.nix
View File

@@ -163,23 +163,13 @@ inputs:
{
Type = "simple";
WorkingDirectory = "/etc/touch_keyboard";
# ExecStartPre = let sh = "${inputs.pkgs.bash}/bin/sh"; in
# [
# ''-${sh} -c "echo 0 > /sys/class/pwm/pwmchip1/export"''
# ''${sh} -c "echo 0 > /sys/class/pwm/pwmchip1/pwm0/enable"''
# ''${sh} -c "echo 1 > /sys/class/pwm/pwmchip1/pwm0/enable"''
# ];
ExecStart = "${keyboard}/bin/touch_keyboard_handler";
};
yogabook-modes-handler =
yogabook-modes-handler.serviceConfig =
{
wantedBy = [ "default.target" ];
serviceConfig =
{
Type = "simple";
ExecStart = "${support}/bin/yogabook-modes-handler";
StandardOutput = "journal";
};
Type = "simple";
ExecStart = "${support}/bin/yogabook-modes-handler";
StandardOutput = "journal";
};
monitor-sensor =
{
@@ -192,6 +182,38 @@ inputs:
};
};
environment.etc."touch_keyboard".source = "${keyboard}/etc/touch_keyboard";
boot.initrd =
{
services.udev.packages = [ keyboard support ];
systemd =
{
extraBin =
{
touch_keyboard_handler = "${keyboard}/bin/touch_keyboard_handler";
yogabook-modes-handler = "${support}/bin/yogabook-modes-handler";
};
services =
{
touch-keyboard-handler =
{
serviceConfig =
{
Type = "simple";
WorkingDirectory = "/etc/touch_keyboard";
ExecStart = "${keyboard}/bin/touch_keyboard_handler";
};
};
yogabook-modes-handler.serviceConfig =
{
Type = "simple";
ExecStart = "${support}/bin/yogabook-modes-handler";
StandardOutput = "journal";
};
};
};
extraFiles."/etc/touch_keyboard".source = "${keyboard}/etc/touch_keyboard";
};
}
))
];

28
modules/packages/desktop-fat/default.nix
View File

@@ -16,9 +16,9 @@ inputs:
_packages =
[
# system management
etcher btrfs-assistant
etcher btrfs-assistant snapper-gui libsForQt5.qtstyleplugin-kvantum
# password and key management
yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui electrum jabref
yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden
# download
qbittorrent nur-xddxdd.baidupcs-go wgetpaste
# development
@@ -26,33 +26,21 @@ inputs:
# media
spotify yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc
# editor
localPackages.typora hdfview
localPackages.typora
# themes
orchis-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme arc-kde-theme materia-theme
# news
fluent-reader rssguard newsflash newsboat
fluent-reader
# nix tools
deploy-rs.deploy-rs nixpkgs-fmt
# instant messager
element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
cinny-desktop # nur-xddxdd.wine-wechat thunder
element-desktop telegram-desktop discord fluffychat
# browser
google-chrome microsoft-edge
google-chrome
# office
crow-translate zotero pandoc ydict
] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
};
users.sharedModules =
[{
config.programs =
{
obs-studio =
{
enable = true;
plugins = with inputs.pkgs.obs-studio-plugins;
[ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
};
doom-emacs = { enable = true; doomPrivateDir = ./doom.d; };
};
}];
};
programs = { steam.enable = true; kdeconnect.enable = true; };
};

9
modules/packages/desktop/default.nix
View File

@@ -11,14 +11,10 @@ inputs:
packages._packages = with inputs.pkgs;
[
# system management
gparted snapper-gui libsForQt5.qtstyleplugin-kvantum wl-clipboard-x11 kio-fuse wl-mirror
wayland-utils clinfo glxinfo vulkan-tools dracut
gparted wl-clipboard-x11 kio-fuse
wayland-utils clinfo glxinfo vulkan-tools dracut
# networking
remmina putty mtr-gui
# password and key management
bitwarden
# office
crow-translate zotero pandoc ydict logseq
# media
mpv nomacs
# themes
@@ -35,6 +31,7 @@ inputs:
};
programs =
{
adb.enable = true;
wireshark = { enable = true; package = inputs.pkgs.wireshark; };
firefox = { enable = true; languagePacks = [ "zh-CN" "en-US" ]; };
vim.package = inputs.pkgs.vim-full;

2
modules/packages/desktop/vscode.nix
View File

@@ -13,7 +13,7 @@ inputs:
{
vscodeExtensions = with nix-vscode-extensions.vscode-marketplace;
(with equinusocio; [ vsc-community-material-theme vsc-material-theme-icons ])
++ (with github; [ copilot copilot-chat copilot-labs github-vscode-theme ])
++ (with github; [ copilot copilot-chat github-vscode-theme ])
++ (with intellsmi; [ comment-translate deepl-translate ])
++ (with ms-python; [ isort python vscode-pylance ])
++ (with ms-toolsai;

79
modules/packages/server/default.nix
View File

@@ -3,6 +3,7 @@ inputs:
imports = inputs.localLib.mkModules
[
./ssh
./zsh
];
config =
let
@@ -35,7 +36,7 @@ inputs:
# compress
pigz rar upx unzip zip lzip p7zip
# file system management
sshfs e2fsprogs adb-sync duperemove compsize
sshfs e2fsprogs adb-sync duperemove compsize exfatprogs
# disk management
smartmontools hdparm
# encryption and authentication
@@ -49,73 +50,11 @@ inputs:
# development
gdb try inputs.topInputs.plasma-manager.packages.x86_64-linux.rc2nix
] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
_pythonPackages = [(pythonPackages: with pythonPackages;
[
inquirerpy requests python-telegram-bot tqdm fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
certifi charset-normalizer idna orjson psycopg2 localPackages.eigengdb
])];
};
users.sharedModules = [(home-inputs:
{
config.programs =
{
zsh =
{
enable = true;
initExtraBeforeCompInit =
''
# p10k instant prompt
P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
[[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
HYPHEN_INSENSITIVE="true"
export PATH=~/bin:$PATH
function br
{
local cmd cmd_file code
cmd_file=$(mktemp)
if broot --outcmd "$cmd_file" "$@"; then
cmd=$(<"$cmd_file")
command rm -f "$cmd_file"
eval "$cmd"
else
code=$?
command rm -f "$cmd_file"
return "$code"
fi
}
alias todo="todo.sh"
'';
plugins =
[
{
file = "powerlevel10k.zsh-theme";
name = "powerlevel10k";
src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
}
{
file = "p10k.zsh";
name = "powerlevel10k-config";
src = ./p10k-config;
}
{
name = "zsh-lsd";
src = inputs.pkgs.fetchFromGitHub
{
owner = "z-shell";
repo = "zsh-lsd";
rev = "029a9cb0a9b39c9eb6c5b5100dd9182813332250";
sha256 = "sha256-oWjWnhiimlGBMaZlZB+OM47jd9hporKlPNwCx6524Rk=";
};
}
];
history =
{
path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
extended = true;
save = 100000000;
size = 100000000;
};
};
direnv = { enable = true; nix-direnv.enable = true; };
git =
{
@@ -168,21 +107,7 @@ inputs:
{
nix-index-database.comma.enable = true;
nix-index.enable = true;
zsh =
{
enable = true;
syntaxHighlighting.enable = true;
autosuggestions.enable = true;
enableCompletion = true;
ohMyZsh =
{
enable = true;
plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
customPkgs = with inputs.pkgs; [ zsh-nix-shell ];
};
};
command-not-found.enable = false;
adb.enable = true;
gnupg.agent = { enable = true; enableSSHSupport = true; };
autojump.enable = true;
git =

47
modules/packages/server/ssh/default.nix
View File

@@ -14,11 +14,7 @@ inputs:
vps6 =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
hostnames =
[
"vps6.chn.moe" "internal.vps6.chn.moe" "wireguard.vps6.chn.moe"
"74.211.99.69" "192.168.82.1" "192.168.83.1"
];
hostnames = [ "vps6.chn.moe" "wireguard.vps6.chn.moe" "74.211.99.69" "192.168.83.1" ];
};
"initrd.vps6" =
{
@@ -28,11 +24,7 @@ inputs:
vps7 =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
hostnames =
[
"vps7.chn.moe" "internal.vps7.chn.moe" "wireguard.vps7.chn.moe"
"95.111.228.40" "192.168.82.2" "192.168.83.2"
];
hostnames = [ "vps7.chn.moe" "wireguard.vps7.chn.moe" "ssh.git.chn.moe" "95.111.228.40" "192.168.83.2" ];
};
"initrd.vps7" =
{
@@ -42,11 +34,7 @@ inputs:
nas =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
hostnames =
[
"internal.nas.chn.moe" "wireguard.nas.chn.moe" "[office.chn.moe]:5440"
"192.168.1.185" "192.168.82.4" "192.168.83.4"
];
hostnames = [ "wireguard.nas.chn.moe" "[office.chn.moe]:5440" "192.168.1.185" "192.168.83.4" ];
};
"initrd.nas" =
{
@@ -56,7 +44,7 @@ inputs:
pc =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
hostnames = [ "internal.pc.chn.moe" "wireguard.pc.chn.moe" "192.168.82.3" "192.168.83.3" ];
hostnames = [ "wireguard.pc.chn.moe" "192.168.83.3" ];
};
hpc =
{
@@ -109,7 +97,7 @@ inputs:
))
(attrsToList servers)));
nixos.users.sharedModules =
[{
[(hmInputs: {
config.programs.ssh =
{
enable = true;
@@ -120,10 +108,7 @@ inputs:
(
(builtins.map
(host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; }; })
[
"vps6" "internal.vps6" "wireguard.vps6" "vps7" "internal.vps7" "wireguard.vps7"
"internal.pc" "wireguard.pc" "internal.nas" "wireguard.nas"
])
[ "vps6" "wireguard.vps6" "vps7" "wireguard.vps7" "wireguard.pc" "wireguard.nas" ])
++ (builtins.map
(host:
{
@@ -137,12 +122,27 @@ inputs:
{
PubkeyAcceptedAlgorithms = "+ssh-rsa";
HostkeyAlgorithms = "+ssh-rsa";
SetEnv = "TERM=chn_unset_ls_colors:xterm-256color";
SetEnv =
let
usernameMap =
{
chn = "linwei/chn";
};
cdString =
if host == "jykang" && (usernameMap ? ${hmInputs.config.home.username}) then
":chn_cd:${usernameMap.${hmInputs.config.home.username}}"
else "";
in "TERM=chn_unset_ls_colors${cdString}:xterm-256color";
# in .bash_profile:
# if [[ $TERM == chn_unset_ls_colors* ]]; then
# export TERM=${TERM#*:}
# export CHN_LS_USE_COLOR=1
# fi
# if [[ $TERM == chn_cd* ]]; then
# export TERM=${TERM#*:}
# cd ~/${TERM%%:*}
# export TERM=${TERM#*:}
# fi
# in .bashrc
# [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"
};
@@ -153,8 +153,9 @@ inputs:
// {
xmupc1 = { host = "xmupc1"; hostname = "office.chn.moe"; port = 6007; };
nas = { host = "nas"; hostname = "office.chn.moe"; port = 5440; };
gitea = { host = "gitea"; hostname = "ssh.git.chn.moe"; };
};
};
}];
})];
};
}

79
modules/packages/server/zsh/default.nix Normal file
View File

@@ -0,0 +1,79 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "server" inputs.config.nixos.packages._packageSets)
{
nixos.users.sharedModules = [(home-inputs: { config.programs.zsh =
{
enable = true;
initExtraBeforeCompInit =
''
# p10k instant prompt
P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
[[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
HYPHEN_INSENSITIVE="true"
export PATH=~/bin:$PATH
function br
{
local cmd cmd_file code
cmd_file=$(mktemp)
if broot --outcmd "$cmd_file" "$@"; then
cmd=$(<"$cmd_file")
command rm -f "$cmd_file"
eval "$cmd"
else
code=$?
command rm -f "$cmd_file"
return "$code"
fi
}
alias todo="todo.sh"
'';
plugins =
[
{
file = "powerlevel10k.zsh-theme";
name = "powerlevel10k";
src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
}
{
file = "p10k.zsh";
name = "powerlevel10k-config";
src = ./p10k-config;
}
{
name = "zsh-lsd";
src = inputs.pkgs.fetchFromGitHub
{
owner = "z-shell";
repo = "zsh-lsd";
rev = "029a9cb0a9b39c9eb6c5b5100dd9182813332250";
sha256 = "sha256-oWjWnhiimlGBMaZlZB+OM47jd9hporKlPNwCx6524Rk=";
};
}
];
history =
{
path = "${home-inputs.config.xdg.dataHome}/zsh/zsh_history";
extended = true;
save = 100000000;
size = 100000000;
};
};})];
programs.zsh =
{
enable = true;
syntaxHighlighting.enable = true;
autosuggestions.enable = true;
enableCompletion = true;
ohMyZsh =
{
enable = true;
plugins = [ "git" "colored-man-pages" "extract" "history-substring-search" "autojump" ];
customPkgs = with inputs.pkgs; [ zsh-nix-shell ];
};
};
};
}

0
modules/packages/server/p10k-config/p10k.zsh → modules/packages/server/zsh/p10k-config/p10k.zsh
View File

101
modules/packages/workstation/default.nix
View File

@@ -5,44 +5,71 @@ inputs:
inherit (inputs.lib) mkIf;
in mkIf (builtins.elem "workstation" inputs.config.nixos.packages._packageSets)
{
nixos.packages = with inputs.pkgs;
nixos =
{
_packages =
[
# nix tools
nix-template appimage-run nil nixd nix-alien nix-serve node2nix nix-prefetch-github prefetch-npm-deps
nix-prefetch-docker pnpm-lock-export bundix
# instant messager
zoom-us signal-desktop qq nur-xddxdd.wechat-uos slack # jail
# office
libreoffice-qt texstudio poppler_utils pdftk gnuplot pdfchain
(texlive.combine { inherit (texlive) scheme-full; inherit (localPackages) citation-style-language; })
# development
jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify aircrack-ng
# media
nur-xddxdd.svp obs-studio waifu2x-converter-cpp inkscape blender
# virtualization
wineWowPackages.stagingFull virt-viewer bottles # wine64
# text editor
appflowy notion-app-enhanced joplin-desktop standardnotes
# math, physics and chemistry
mathematica octaveFull root ovito paraview localPackages.vesta qchem.quantum-espresso
localPackages.vasp localPackages.vaspkit jmol localPackages.v_sim
# encryption and password management
john crunch hashcat
# container and vm
genymotion # davinci-resolve playonlinux
];
_pythonPackages = [(pythonPackages: with pythonPackages;
[
phonopy tensorflow keras openai scipy scikit-learn jupyterlab autograd
# localPackages.pix2tex
])];
_prebuildPackages =
[
httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2
gcc13Stdenv
];
packages = with inputs.pkgs;
{
_packages =
[
# password and key management
electrum jabref
# system management
wl-mirror ventoy-full
# nix tools
nix-template appimage-run nil nixd nix-alien nix-serve node2nix nix-prefetch-github prefetch-npm-deps
nix-prefetch-docker pnpm-lock-export bundix
# instant messager
zoom-us signal-desktop qq nur-xddxdd.wechat-uos slack inputs.config.nur.repos.linyinfeng.wemeet
cinny-desktop nheko
# office
libreoffice-qt texstudio poppler_utils pdftk gnuplot pdfchain hdfview
(texlive.combine { inherit (texlive) scheme-full; inherit (localPackages) citation-style-language; })
# development
jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify aircrack-ng
# media
nur-xddxdd.svp obs-studio waifu2x-converter-cpp inkscape blender
# virtualization
wineWowPackages.stagingFull virt-viewer bottles # wine64
# text editor
appflowy notion-app-enhanced joplin-desktop standardnotes logseq
# math, physics and chemistry
mathematica octaveFull root ovito paraview localPackages.vesta qchem.quantum-espresso
localPackages.vasp localPackages.vaspkit jmol localPackages.v_sim
# encryption and password management
john crunch hashcat
# container and vm
genymotion # davinci-resolve playonlinux
# browser
microsoft-edge
# news
rssguard newsflash newsboat
];
_pythonPackages = [(pythonPackages: with pythonPackages;
[
phonopy tensorflow keras openai scipy scikit-learn jupyterlab autograd
# localPackages.pix2tex
inquirerpy requests python-telegram-bot tqdm fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
certifi charset-normalizer idna orjson psycopg2 localPackages.eigengdb
])];
_prebuildPackages =
[
httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2
gcc13Stdenv
];
};
users.sharedModules =
[{
config.programs =
{
obs-studio =
{
enable = true;
plugins = with inputs.pkgs.obs-studio-plugins;
[ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
};
doom-emacs = { enable = true; doomPrivateDir = ./doom.d; };
};
}];
};
programs =
{

0
modules/packages/desktop-fat/doom.d/config.el → modules/packages/workstation/doom.d/config.el
View File

0
modules/packages/desktop-fat/doom.d/init.el → modules/packages/workstation/doom.d/init.el
View File

0
modules/packages/desktop-fat/doom.d/packages.el → modules/packages/workstation/doom.d/packages.el
View File

51
modules/services/akkoma.nix Normal file
View File

@@ -0,0 +1,51 @@
inputs:
{
options.nixos.services.akkoma = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "akkoma.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) akkoma;
inherit (inputs.lib) mkIf;
in mkIf akkoma.enable
{
services.akkoma =
{
enable = true;
config.":pleroma" =
{
"Pleroma.Web.Endpoint".url.host = akkoma.hostname;
"Pleroma.Repo" =
{
adapter = (inputs.pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
hostname = "127.0.0.1";
username = "akkoma";
password._secret = inputs.config.sops.secrets."akkoma/db".path;
database = "akkoma";
};
":instance" =
{
name = "";
email = "grass@grass.squre";
description = "";
};
};
};
nixos.services =
{
nginx =
{
enable = true;
https."${akkoma.hostname}" =
{
global.tlsCert = "/var/lib/akkoma";
location."/".proxy = { upstream = "http://127.0.0.1:4000"; websocket = true; };
};
};
postgresql.instances.akkoma = {};
};
sops.secrets."akkoma/db" = { owner = "akkoma"; key = "postgresql/akkoma"; };
};
}

3
modules/services/default.nix
View File

@@ -35,10 +35,11 @@ inputs:
./httpapi.nix
./mirism.nix
./mastodon.nix
./gitlab.nix
./gitea.nix
./grafana.nix
./fail2ban.nix
./wireguard.nix
./akkoma.nix
];
options.nixos.services = let inherit (inputs.lib) mkOption types; in
{

5
modules/services/fz-new-order/default.nix
View File

@@ -76,6 +76,11 @@ inputs:
in "${binary}/bin/fz-new-order";
};
};
tmpfiles.rules =
[
"d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
"Z /var/lib/fz-new-order - fz-new-order fz-new-order"
];
};
sops = let userNum = 6; configNum = 2; in
{

54
modules/services/gitea.nix Normal file
View File

@@ -0,0 +1,54 @@
inputs:
{
options.nixos.services.gitea = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "git.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) gitea;
inherit (inputs.lib) mkIf;
in mkIf gitea.enable
{
services.gitea =
{
enable = true;
lfs.enable = true;
mailerPasswordFile = inputs.config.sops.secrets."gitea/mail".path;
database =
{ createDatabase = false; type = "postgres"; passwordFile = inputs.config.sops.secrets."gitea/db".path; };
settings =
{
session.COOKIE_SECURE = true;
server =
{
ROOT_URL = "https://${gitea.hostname}";
DOMAIN = gitea.hostname;
HTTP_PORT = 3002;
SSH_DOMAIN = "ssh.${gitea.hostname}";
};
mailer =
{
ENABLED = true;
FROM = "bot@chn.moe";
PROTOCOL = "smtps";
SMTP_ADDR = "mail.chn.moe";
SMTP_PORT = 465;
USER = "bot@chn.moe";
};
};
};
nixos.services =
{
nginx = { enable = true; https."${gitea.hostname}".location."/".proxy.upstream = "http://127.0.0.1:3002"; };
postgresql.instances.gitea = {};
};
sops.secrets =
{
"gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
"gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
"mail/bot" = {};
};
};
}

72
modules/services/gitlab.nix
View File

@@ -1,72 +0,0 @@
inputs:
{
options.nixos.services.gitlab = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "gitlab.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) gitlab;
inherit (inputs.lib) mkIf;
in mkIf gitlab.enable
{
services.gitlab =
{
enable = true;
host = gitlab.hostname;
port = 443;
https = true;
smtp =
{
enable = true;
address = "mail.chn.moe";
username = "bot@chn.moe";
passwordFile = inputs.config.sops.secrets."gitlab/mail".path;
tls = true;
enableStartTLSAuto = false;
port = 465;
domain = gitlab.hostname;
authentication = "login";
};
extraConfig.gitlab.email_from = "bot@chn.moe";
secrets =
{
secretFile = inputs.config.sops.secrets."gitlab/secret".path;
otpFile = inputs.config.sops.secrets."gitlab/otp".path;
jwsFile = inputs.config.sops.secrets."gitlab/jws".path;
dbFile = inputs.config.sops.secrets."gitlab/dbFile".path;
};
initialRootPasswordFile = inputs.config.sops.secrets."gitlab/root".path;
initialRootEmail = "bot@chn.moe";
databasePasswordFile = inputs.config.sops.secrets."gitlab/db".path;
databaseHost = "127.0.0.1";
};
nixos.services =
{
nginx =
{
enable = true;
https."${gitlab.hostname}".location."/".proxy.upstream = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
postgresql.instances.gitlab = {};
};
sops.secrets = let owner = inputs.config.services.gitlab.user; in
{
"gitlab/mail" = { owner = owner; key = "mail/bot"; };
"gitlab/secret".owner = owner;
"gitlab/otp".owner = owner;
"gitlab/jws" =
{
owner = owner;
sopsFile =
"${inputs.topInputs.self}/secrets/${inputs.config.nixos.system.networking.hostname}/gitlab/jws.bin";
format = "binary";
};
"gitlab/dbFile".owner = owner;
"gitlab/root".owner = owner;
"gitlab/db" = { owner = owner; key = "postgresql/gitlab"; };
"mail/bot" = {};
};
};
}

2
modules/services/groupshare.nix
View File

@@ -20,7 +20,7 @@ inputs:
(user:
[
"d /var/lib/groupshare/${user} 2750 ${user} groupshare"
"Z /var/lib/groupshare/${user} 2750 ${user} groupshare"
"Z /var/lib/groupshare/${user} - ${user} groupshare"
("A /var/lib/groupshare/${user} - - - - "
# d 指 default, 即目录下新创建的文件和目录的权限
# 大写 X 指仅给目录执行权限

2
modules/services/httpapi.nix
View File

@@ -40,6 +40,6 @@ inputs:
};
secrets."httpapi/token" = {};
};
systemd.tmpfiles.rules = let perm = "/srv/api 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
};
}

4
modules/services/meilisearch.nix
View File

@@ -78,9 +78,9 @@ inputs:
let
user = instance.value.user;
group = inputs.config.users.users.${instance.value.user}.group;
perm = "/var/lib/meilisearch/${instance.name} 0700 ${user} ${group}";
dir = "/var/lib/meilisearch/${instance.name}";
in
[ "d ${perm}" "Z ${perm}" ])
[ "d ${dir} 0700 ${user} ${group}" "Z ${dir} - ${user} ${group}" ])
(attrsToList meilisearch.instances));
};
sops =

4
modules/services/mirism.nix
View File

@@ -37,8 +37,8 @@ inputs:
})
[ "ng01" "beta" ]);
tmpfiles.rules = concatLists (map
(perm: [ "d ${perm}" "Z ${perm}" ])
(map (dir: "/srv/${dir}mirism 0700 nginx nginx") [ "" "entry." ]));
(dir: [ "d /srv/${dir}mirism 0700 nginx nginx" "Z /srv/${dir}mirism - nginx nginx" ])
[ "" "entry." ]);
};
nixos.services =
{

5
modules/services/misskey.nix
View File

@@ -48,9 +48,8 @@ inputs:
Restart = "always";
};
};
tmpfiles.rules =
let perm = "/var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}";
in [ "d ${perm}" "Z ${perm}" ];
tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
[ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
})
(attrsToList misskey.instances));
fileSystems = mkMerge (map

2
modules/services/nginx/applications/blog.nix
View File

@@ -12,6 +12,6 @@ inputs:
{
nixos.services.nginx.https."blog.chn.moe".location."/".static =
{ root = "/srv/blog"; index = [ "index.html" ]; };
systemd.tmpfiles.rules = let perm = "/srv/blog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
systemd.tmpfiles.rules = [ "d /srv/blog 0700 nginx nginx" "Z /srv/blog - nginx nginx" ];
};
}

2
modules/services/nginx/applications/catalog.nix
View File

@@ -12,6 +12,6 @@ inputs:
{
nixos.services.nginx.https."catalog.chn.moe".location."/".static =
{ root = "/srv/catalog"; index = [ "index.html" ]; };
systemd.tmpfiles.rules = let perm = "/srv/catalog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
systemd.tmpfiles.rules = [ "d /srv/catalog 0700 nginx nginx" "Z /srv/catalog - nginx nginx" ];
};
}

1
modules/services/nginx/applications/default.nix
View File

@@ -8,5 +8,6 @@ inputs:
./webdav.nix
./blog.nix
./catalog.nix
./main.nix
];
}

2
modules/services/nginx/applications/element.nix
View File

@@ -5,7 +5,7 @@ inputs:
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
defaultServer = mkOption { type = types.nullOr types.nonEmptyStr; default = "element.chn.moe"; };
defaultServer = mkOption { type = types.nullOr types.nonEmptyStr; default = "matrix.chn.moe"; };
};}));
default = {};
};

2
modules/services/nginx/applications/kkmeeting.nix
View File

@@ -13,6 +13,6 @@ inputs:
{
nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static =
{ root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
systemd.tmpfiles.rules = let perm = "/srv/kkmeeting 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" "Z /srv/kkmeeting - nginx nginx" ];
};
}

22
modules/services/nginx/applications/main.nix Normal file
View File

@@ -0,0 +1,22 @@
inputs:
{
options.nixos.services.nginx.applications.main = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) main;
in
{
nixos.services.nginx.https."chn.moe".location =
{
"/".return.return = "302 https://xn--s8w913fdga.chn.moe/@chn";
"/.well-known/matrix/server".proxy =
{
setHeaders.Host = "matrix.chn.moe";
upstream = "https://matrix.chn.moe";
};
};
};
}

2
modules/services/nginx/applications/webdav.nix
View File

@@ -28,7 +28,7 @@ inputs:
systemd = mkMerge (map
(site:
{
tmpfiles.rules = let perm = "${site.path} 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
tmpfiles.rules = [ "d ${site.path} 0700 nginx nginx" "Z ${site.path} - nginx nginx" ];
services.nginx.serviceConfig.ReadWritePaths = [ site.path ];
})
(attrValues instances));

7
modules/services/nginx/default.nix
View File

@@ -94,6 +94,7 @@ inputs:
default = null;
};
rewriteHttps = mkOption { type = types.bool; default = true; };
tlsCert = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
};
listen = mkOption
{
@@ -547,7 +548,11 @@ inputs:
# do not automatically add http2 listen
http2 = false;
onlySSL = true;
useACMEHost = site.name;
useACMEHost = mkIf (site.value.global.tlsCert == null) site.name;
sslCertificate = mkIf (site.value.global.tlsCert != null)
"${site.value.global.tlsCert}/fullchain.pem";
sslCertificateKey = mkIf (site.value.global.tlsCert != null)
"${site.value.global.tlsCert}/privkey.pem";
locations = listToAttrs (map
(location:
{

31
modules/services/postgresql.nix
View File

@@ -10,6 +10,7 @@ inputs:
database = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
user = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
passwordFile = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
initializeFlags = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
};}));
default = {};
};
@@ -51,7 +52,6 @@ inputs:
# chattr +C /path/to/dir
# cp -a --reflink=never /path/to/dir_old/. /path/to/dir
# rm -rf /path/to/dir_old
ensureDatabases = map (db: db.value.database) (attrsToList postgresql.instances);
ensureUsers = map (db: { name = db.value.user; }) (attrsToList postgresql.instances);
};
postgresqlBackup =
@@ -68,15 +68,26 @@ inputs:
passwordFile =
if db.value.passwordFile or null != null then db.value.passwordFile
else inputs.config.sops.secrets."postgresql/${db.value.user}".path;
in
# set user password
"$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
# set db owner
+ "\n"
+ "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"
+ " WHERE d.datname = '${db.value.database}' ORDER BY 1\""
+ " | grep -E '^${db.value.user}$' -q"
+ " || $PSQL -tAc \"ALTER DATABASE ${db.value.database} OWNER TO ${db.value.user}\"")
initializeFlag =
if db.value.initializeFlags != {} then
" WITH "
+ (concatStringsSep " " (map
(flag: ''${flag.name} = "${flag.value}"'')
(attrsToList db.value.initializeFlags)))
else "";
in
# create database if not exist
"$PSQL -tAc \"SELECT 1 FROM pg_database WHERE datname = '${db.value.database}'\" | grep -q 1"
+ " || $PSQL -tAc 'CREATE DATABASE \"${db.value.database}\"${initializeFlag}'"
# set user password
+ "\n"
+ "$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
# set db owner
+ "\n"
+ "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"
+ " WHERE d.datname = '${db.value.database}' ORDER BY 1\""
+ " | grep -E '^${db.value.user}$' -q"
+ " || $PSQL -tAc \"ALTER DATABASE ${db.value.database} OWNER TO ${db.value.user}\"")
(attrsToList postgresql.instances)));
sops.secrets = listToAttrs (map
(db: { name = "postgresql/${db.value.user}"; value.owner = inputs.config.users.users.postgres.name; })

377
modules/services/synapse.nix
View File

@@ -1,111 +1,316 @@
# port from nixpkgs#70dc536a
inputs:
{
options.nixos.services.synapse = let inherit (inputs.lib) mkOption types; in
options.nixos.services.synapse.instances = let inherit (inputs.lib) mkOption types; in mkOption
{
enable = mkOption { type = types.bool; default = false; };
autoStart = mkOption { type = types.bool; default = true; };
port = mkOption { type = types.ints.unsigned; default = 8008; };
hostname = mkOption { type = types.nonEmptyStr; default = "synapse.chn.moe"; };
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
autoStart = mkOption { type = types.bool; default = true; };
port = mkOption { type = types.ints.unsigned; default = 8008; };
redisPort = mkOption { type = types.ints.unsigned; default = 6379; };
slidingSyncPort = mkOption { type = types.ints.unsigned; default = 9000; };
hostname = mkOption
{
type = types.nonEmptyStr;
default = "${submoduleInputs.config._module.args.name}.chn.moe";
};
matrixHostname = mkOption { type = types.nonEmptyStr; default = "chn.moe"; };
slidingSyncHostname = mkOption
{
type = types.nonEmptyStr;
default = "syncv3.${submoduleInputs.config.hostname}";
};
# , synapse_homeserver --config-path homeserver.yaml --generate-config --report-stats=yes --server-name xxx
};}));
default = {};
};
config =
let
inherit (inputs.config.nixos.services) synapse;
inherit (inputs.lib) mkIf;
inherit (builtins) map listToAttrs;
in mkIf synapse.enable
inherit (inputs.lib) mkIf mkMerge;
inherit (builtins) map listToAttrs replaceStrings concatLists;
inherit (inputs.localLib) attrsToList;
in
{
services.matrix-synapse =
{
enable = true;
settings =
users = mkMerge (map
(instance:
{
server_name = synapse.hostname;
listeners =
[{
bind_addresses = [ "0.0.0.0" ];
port = 8008;
resources = [{ names = [ "client" "federation" ]; compress = false; }];
tls = false;
type = "http";
x_forwarded = true;
}];
database.name = "psycopg2";
admin_contact = "mailto:chn@chn.moe";
enable_registration = true;
registrations_require_3pid = [ "email" ];
turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
max_upload_size = "1024M";
web_client_location = "https://element.chn.moe/";
serve_server_wellknown = true;
report_stats = true;
trusted_key_servers = [{ server_name = "matrix.org"; }];
suppress_key_server_warning = true;
log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
users."synapse-${instance.name}" =
{
version = 1;
formatters.precise.format =
"%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; };
root = { level = "INFO"; handlers = [ "console" ]; };
disable_existing_loggers = true;
uid = inputs.config.nixos.system.user.user."synapse-${instance.name}";
group = "synapse-${instance.name}";
home = "/var/lib/synapse/${instance.name}";
createHome = true;
isSystemUser = true;
shell = "${inputs.pkgs.bash}/bin/bash";
};
};
extraConfigFiles = [ inputs.config.sops.templates."synapse/password.yaml".path ];
};
sops =
{
templates."synapse/password.yaml" =
groups."synapse-${instance.name}".gid = inputs.config.nixos.system.user.group."synapse-${instance.name}";
})
(attrsToList synapse.instances));
systemd = mkMerge (map
(instance: let workdir = "/var/lib/synapse/${instance.name}"; in
{
owner = inputs.config.systemd.services.matrix-synapse.serviceConfig.User;
group = inputs.config.systemd.services.matrix-synapse.serviceConfig.Group;
content = builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "password.yaml"
services =
{
database =
{
name = "psycopg2";
args =
"synapse-${instance.name}" =
let
package = inputs.pkgs.matrix-synapse.override
{ extras = [ "url-preview" "postgres" "redis" ]; plugins = []; };
config = inputs.config.sops.templates."synapse/${instance.name}/config.yaml".path;
homeserver = "${package}/bin/synapse_homeserver";
in
{
user = "synapse";
password = inputs.config.sops.placeholder."postgresql/synapse";
database = "synapse";
host = "127.0.0.1";
port = "5432";
description = "synapse-${instance.name}";
enable = instance.value.autoStart;
after = [ "network-online.target" "postgresql.service" ];
requires = [ "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
{
ExecStart = "${homeserver} --config-path ${config} --keys-directory ${workdir}";
Type = "notify";
User = "synapse-${instance.name}";
Group = "synapse-${instance.name}";
WorkingDirectory = workdir;
ExecReload = "${inputs.pkgs.util-linux}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
UMask = "0077";
CapabilityBoundingSet = [ "" ];
# hardening
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workdir ];
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
};
};
allow_unsafe_locale = true;
};
turn_shared_secret = inputs.config.sops.placeholder."synapse/coturn";
registration_shared_secret = inputs.config.sops.placeholder."synapse/registration";
macaroon_secret_key = inputs.config.sops.placeholder."synapse/macaroon";
form_secret = inputs.config.sops.placeholder."synapse/form";
signing_key_path = inputs.config.sops.secrets."synapse/signing-key".path;
email =
"synapse-sliding-sync-${instance.name}" =
{
smtp_host = "mail.chn.moe";
smtp_port = 25;
smtp_user = "bot@chn.moe";
smtp_pass = inputs.config.sops.placeholder."mail/bot";
require_transport_security = true;
notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>";
app_name = "Haonan Chen's synapse";
after = [ "synapse-${instance.name}.service" ];
wants = [ "synapse-${instance.name}.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
{
User = "synapse-${instance.name}";
Group = "synapse-${instance.name}";
EnvironmentFile = inputs.config.sops.templates."synapse/${instance.name}-sliding-sync/env".path;
ExecStart = inputs.lib.getExe inputs.pkgs.matrix-sliding-sync;
WorkingDirectory = workdir + "-sliding-sync";
Restart = "on-failure";
RestartSec = "1s";
};
};
});
};
secrets = (listToAttrs (map
(secret: { name = "synapse/${secret}"; value = {}; })
[ "coturn" "registration" "macaroon" "form" ]))
// { "synapse/signing-key".owner = inputs.config.systemd.services.matrix-synapse.serviceConfig.User; }
// { "mail/bot" = {}; };
};
};
tmpfiles.rules =
[
"d /var/lib/synapse 0755 root root"
"d ${workdir} 0700 synapse-${instance.name} synapse-${instance.name}"
"Z ${workdir} - synapse-${instance.name} synapse-${instance.name}"
"d ${workdir}-sliding-sync 0700 synapse-${instance.name} synapse-${instance.name}"
"Z ${workdir}-sliding-sync - synapse-${instance.name} synapse-${instance.name}"
];
})
(attrsToList synapse.instances));
sops = mkMerge (map
(instance:
{
templates =
{
"synapse/${instance.name}/config.yaml" =
{
owner = "synapse-${instance.name}";
group = "synapse-${instance.name}";
content =
let
inherit (inputs.config.sops) placeholder;
in builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "${instance.name}.yaml"
{
server_name = instance.value.matrixHostname;
public_baseurl = "https://${instance.value.hostname}/";
listeners =
[{
bind_addresses = [ "127.0.0.1" ];
inherit (instance.value) port;
resources = [{ names = [ "client" "federation" ]; compress = false; }];
tls = false;
type = "http";
x_forwarded = true;
}];
database =
{
name = "psycopg2";
args =
{
user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
password = placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
database = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
host = "127.0.0.1";
port = "5432";
};
allow_unsafe_locale = true;
};
redis =
{
enabled = true;
port = instance.value.redisPort;
password = placeholder."redis/synapse-${instance.name}";
};
turn_shared_secret = placeholder."synapse/${instance.name}/coturn";
registration_shared_secret = placeholder."synapse/${instance.name}/registration";
macaroon_secret_key = placeholder."synapse/${instance.name}/macaroon";
form_secret = placeholder."synapse/${instance.name}/form";
signing_key_path = inputs.config.sops.secrets."synapse/${instance.name}/signing-key".path;
email =
{
smtp_host = "mail.chn.moe";
smtp_port = 25;
smtp_user = "bot@chn.moe";
smtp_pass = placeholder."mail/bot";
require_transport_security = true;
notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>";
app_name = "Haonan Chen's synapse";
};
admin_contact = "mailto:chn@chn.moe";
enable_registration = true;
registrations_require_3pid = [ "email" ];
turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
max_upload_size = "1024M";
web_client_location = "https://element.chn.moe/";
extra_well_known_client_content."org.matrix.msc3575.proxy".url =
"https://${instance.value.slidingSyncHostname}";
report_stats = true;
trusted_key_servers =
[{
server_name = "matrix.org";
verify_keys."ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
}];
suppress_key_server_warning = true;
log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
{
version = 1;
formatters.precise.format =
"%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; };
root = { level = "INFO"; handlers = [ "console" ]; };
disable_existing_loggers = true;
};
pid_file = "/run/synapse-${instance.name}.pid";
media_store_path = "/var/lib/synapse/${instance.name}/media_store";
presence.enabled = true;
url_preview_enabled = true;
url_preview_ip_range_blacklist =
[
"10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24"
"192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24" "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32"
"203.0.113.0/24" "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
];
max_image_pixels = "32M";
dynamic_thumbnails = false;
});
};
"synapse/${instance.name}-sliding-sync/env" =
{
owner = "synapse-${instance.name}";
group = "synapse-${instance.name}";
content =
let
inherit (inputs.config.sops) placeholder;
pgString = "postgresql://"
+ "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"
+ ":${placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"}"
+ "@127.0.0.1:5432"
+ "/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync"
+ "?sslmode=disable";
in
''
SYNCV3_SERVER=https://${instance.value.hostname}
SYNCV3_DB=${pgString}
SYNCV3_SECRET=${placeholder."synapse/${instance.name}/sliding-sync"}
SYNCV3_BINDADDR=127.0.0.1:${toString instance.value.slidingSyncPort}
'';
};
};
secrets = (listToAttrs (map
(secret: { name = "synapse/${instance.name}/${secret}"; value = {}; })
[ "coturn" "registration" "macaroon" "form" "sliding-sync" ]))
// { "synapse/${instance.name}/signing-key".owner = "synapse-${instance.name}"; }
// { "mail/bot" = {}; };
})
(attrsToList synapse.instances));
nixos.services =
{
postgresql = { enable = true; instances.synapse = {}; };
postgresql =
{
enable = mkIf (synapse.instances != {}) true;
instances = listToAttrs (concatLists (map
(instance:
[
{
name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
value.initializeFlags = { TEMPLATE = "template0"; LC_CTYPE = "C"; LC_COLLATE = "C"; };
}
{
name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync";
value.user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
}
])
(attrsToList synapse.instances)));
};
redis.instances = listToAttrs (map
(instance: { name = "synapse-${instance.name}"; value.port = instance.value.redisPort; })
(attrsToList synapse.instances));
nginx =
{
enable = true;
https.${synapse.hostname}.location."/".proxy =
{ upstream = "http://127.0.0.1:${toString synapse.port}"; websocket = true; };
enable = mkIf (synapse.instances != {}) true;
https = listToAttrs (concatLists (map
(instance: with instance.value;
[
{
name = hostname;
value.location =
{
"/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
"/.well-known/matrix/server".static =
{
root = builtins.toString (inputs.pkgs.writeTextFile
{
name = "server";
text = builtins.toJSON
{
"m.server" = "${hostname}:443";
};
destination = "/.well-known/matrix/server";
});
};
};
}
{
name = slidingSyncHostname;
value.location."/".proxy =
{ upstream = "http://127.0.0.1:${toString slidingSyncPort}"; websocket = true; };
}
])
(attrsToList synapse.instances)));
};
};
systemd.services.matrix-synapse.enable = synapse.autoStart;
};
}

86
modules/services/wireguard.nix
View File

@@ -4,47 +4,11 @@ inputs:
{
enable = mkOption { type = types.bool; default = false; };
peers = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; default = []; };
_peer = mkOption
{
type = types.attrsOf (types.submodule { options =
{
publicKey = mkOption { type = types.nonEmptyStr; };
wireguardIp = mkOption { type = types.nonEmptyStr; };
externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
lighthouse = mkOption { type = types.bool; default = false; };
# if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
bindPort = mkOption { type = types.ints.unsigned; default = 51820; };
};});
readOnly = true;
default = # wg genkey | wg pubkey
{
vps6 =
{
publicKey = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
wireguardIp = "192.168.83.1";
externalIp = "74.211.99.69";
lighthouse = true;
};
vps7 =
{
publicKey = "n056ppNxC9oECcW7wEbALnw8GeW7nrMImtexKWYVUBk=";
wireguardIp = "192.168.83.2";
externalIp = "95.111.228.40";
};
pc =
{
publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
wireguardIp = "192.168.83.3";
bindPort = 51821;
};
nas =
{
publicKey = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
wireguardIp = "192.168.83.4";
bindPort = 51821;
};
};
};
# wg genkey | wg pubkey
publicKey = mkOption { type = types.nonEmptyStr; };
wireguardIp = mkOption { type = types.nonEmptyStr; };
externalIp = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
lighthouse = mkOption { type = types.bool; default = false; };
};
config =
let
@@ -53,25 +17,31 @@ inputs:
inherit (builtins) map toString;
in mkIf wireguard.enable
{
networking = let self = wireguard._peer.${inputs.config.nixos.system.networking.hostname}; in
{
firewall = { allowedUDPPorts = [ self.bindPort ]; trustedInterfaces = [ "wireguard" ]; };
wireguard.interfaces.wireguard =
networking =
let
# if the host is behind xray, it should listen on another port, to make xray succeffully listen on 51820
port = 51820 + (if inputs.config.nixos.services.xrayClient.enable then 1 else 0);
in
{
ips = [ "${self.wireguardIp}/24" ];
listenPort = self.bindPort;
privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
peers = map
(peer:
{
publicKey = peer.publicKey;
allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:${toString peer.bindPort}";
persistentKeepalive = 3;
})
(map (peer: wireguard._peer.${peer}) wireguard.peers);
firewall = { allowedUDPPorts = [ port ]; trustedInterfaces = [ "wireguard" ]; };
wireguard.interfaces.wireguard =
{
ips = [ "${wireguard.wireguardIp}/24" ];
listenPort = port;
privateKeyFile = inputs.config.sops.secrets."wireguard/privateKey".path;
peers = map
(peer:
{
publicKey = peer.publicKey;
allowedIPs = [ (if peer.lighthouse then "192.168.83.0/24" else "${peer.wireguardIp}/32") ];
endpoint = mkIf (peer.externalIp != null) "${peer.externalIp}:51820";
persistentKeepalive = 3;
})
(map
(peer: inputs.topInputs.self.nixosConfigurations.${peer}.config.nixos.services.wireguard)
wireguard.peers);
};
};
};
sops.secrets."wireguard/privateKey" = {};
};
}

8
modules/system/default.nix
View File

@@ -15,6 +15,7 @@ inputs:
./security.nix
./sops.nix
./user.nix
./sysctl.nix
];
config =
{
@@ -22,13 +23,6 @@ inputs:
time.timeZone = "Asia/Shanghai";
boot =
{
kernel.sysctl =
{
"vm.oom_kill_allocating_task" = true;
"vm.oom_dump_tasks" = false;
"vm.overcommit_memory" = 1;
"kernel.sysrq" = 438;
};
supportedFilesystems = [ "ntfs" ];
consoleLogLevel = 7;
};

5
modules/system/gui.nix
View File

@@ -2,8 +2,9 @@ inputs:
{
options.nixos.system.gui = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
preferred = mkOption { type = types.bool; default = false; };
enable = mkOption
{ type = types.bool; default = builtins.elem "desktop" inputs.config.nixos.packages._packageSets; };
preferred = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.enable; };
autoStart = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
};
config =

2
modules/system/impermanence.nix
View File

@@ -20,7 +20,7 @@ inputs:
hideMounts = true;
directories =
[
"/etc/NetworkManager/system-connections"
{ directory = "/etc/NetworkManager/system-connections"; mode = "0700"; }
"/home"
"/root"
"/var/db"

24
modules/system/kernel.nix
View File

@@ -2,8 +2,7 @@ inputs:
{
options.nixos.system.kernel = let inherit (inputs.lib) mkOption types; in
{
useLts = mkOption { type = types.bool; default = false; };
patches = mkOption { type = types.listOf (types.enum [ "cjktty" ]); default = []; };
patches = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
modules =
{
install = mkOption { type = types.listOf types.str; default = []; };
@@ -28,11 +27,13 @@ inputs:
"virtio_net" "virtio_pci" "xhci_pci" "virtio_ring" "virtio_scsi" "cryptd" "crypto_simd" "libaes"
# networking for nas
"igb"
] ++ kernel.modules.initrd ++ (if (!kernel.useLts) then [ "lenovo-yogabook" ] else []);
# yoga
"lenovo_yogabook"
];
extraModulePackages = (with inputs.config.boot.kernelPackages; [ v4l2loopback ]) ++ kernel.modules.install;
extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
kernelParams = [ "delayacct" "acpi_osi=Linux" ];
kernelPackages = inputs.pkgs."linuxPackages_xanmod${if kernel.useLts then "" else "_latest"}";
kernelPackages = inputs.pkgs.linuxPackages_xanmod_latest;
kernelPatches =
let
patches =
@@ -53,13 +54,26 @@ inputs:
hashes =
{
"6.1" = "11ddiammvjxx2m9v32p25l1ai759a1d6xhdpszgnihv7g2fzigf5";
"6.5" = "0ckmbx53js04lrcvcsf8qk935v2pl9w0af2v1mqghfs0krakfgfh";
"6.6" = "19ib0syj3207ifr315gdrnpv6nhh435fmgl05c7k715nng40i827";
};
in hashes."${major}.${minor}";
};
extraStructuredConfig =
{ FONT_CJK_16x16 = inputs.lib.kernel.yes; FONT_CJK_32x32 = inputs.lib.kernel.yes; };
};
lantian =
{
patch = null;
# pick from xddxdd/nur-packages dce93a
extraStructuredConfig = with inputs.lib.kernel;
{
ACPI_PCI_SLOT = yes;
ENERGY_MODEL = yes;
PARAVIRT_TIME_ACCOUNTING = yes;
PM_AUTOSLEEP = yes;
WQ_POWER_EFFICIENT_DEFAULT = yes;
};
};
};
in
builtins.map (name: { inherit name; } // patches.${name}) kernel.patches;

5
modules/system/nixpkgs.nix
View File

@@ -103,6 +103,11 @@ inputs:
replacedPackages)
else {}
)
// (
if nixpkgs.march != null then
{ embree = prev.embree.override { stdenv = final.genericPackages.stdenv; }; }
else {}
)
// (
if nixpkgs.replaceTensorflow then
{

24
modules/system/sysctl.nix Normal file
View File

@@ -0,0 +1,24 @@
inputs:
{
options.nixos.system.sysctl = let inherit (inputs.lib) mkOption types; in
{
laptop-mode = mkOption { type = types.nullOr types.int; default = null; };
};
config =
let
inherit (inputs.lib) mkIf mkMerge;
inherit (inputs.config.nixos.system) sysctl;
in mkMerge
[
{
boot.kernel.sysctl =
{
"vm.oom_kill_allocating_task" = true;
"vm.oom_dump_tasks" = false;
"vm.overcommit_memory" = 1;
"kernel.sysrq" = 438;
};
}
(mkIf (sysctl.laptop-mode != null) { boot.kernel.sysctl."vm.laptop_mode" = sysctl.laptop-mode; })
];
}

2
modules/system/user.nix
View File

@@ -22,6 +22,8 @@ inputs:
rsshub = 2006;
v2ray = 2007;
fz-new-order = 2008;
synapse-synapse = 2009;
synapse-matrix = 2010;
};
};
group = mkOption

31
secrets/pe/default.yaml
View File

@@ -1,31 +0,0 @@
xray-client:
uuid: ENC[AES256_GCM,data:oWBCrslSr59qmoGPdyDorwVlgmS4LeP1EVgfxBz21/s/14M2,iv:OmhMp8D+CjRq/6EcJsspKvTLTfXiwaikhqoTxMDb4Nk=,tag:K1A+QqVoQnusUbyy71v26Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Q0xRZFNTdGovWUUwY0dG
TXZzTElxK0FzU0dmZjhHUjhhOVJrdlJZM2d3CnpYS3Y0emYwZGhWeWM5blVwSlBz
SW82UU1BTXNkU1lpdjRnNzVsc2FlUjgKLS0tIGJiM0dNZ1RGTHJqaVhHNTVEMVp2
S3JoL2ZzZXo1SllnS08yTW53bFhQdG8KS1W8aDpXR2tvk94cynn0CVy+/dQeF1r1
daZmmEhxEn5PhLsY9ESnmkyMBahILtS4aVZHhPAjbExYevd4olLA4A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cahahn9hp265dkhduaec65vugk8fct2vt9ur6y54m4mgmyx4v4fq0etjhv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGT2d2TnJKckRNWGx3QlFh
eW40OENNc2huVjdvVmk1SFByOXp1VngwbldBCjc1dXZhZk5RUnhhVFNNRnAvaUMx
cEtRSEVsTy9UMU95a21EVlV6YlpVNnMKLS0tIDNXZnFXWlN3MkQrVW9NWmdZNFJ6
SThRUGRvbHVaemNnWDQ1OVErdThYdncKNRjXQ4pOOX7FbItLJT4ALwd/SBcNyIgV
xtLKnNqh9zIV1SwJEre01MKRRkSZ51MLAmnzK/4ZYX3UBdw7xqv5Ag==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-22T06:50:20Z"
mac: ENC[AES256_GCM,data:fSopSz5q80h4lESJEyrkRVsDzW/JlzIsFFgEYMs7BMO2i5PKP3riEBNW9auPADvxmmcT0i7GghZ18ConbSHuIP5eqVBBYrfyIyVy1yMTY/I8HpC8AoZKCHca5Xx//5rBBJL/9n5px1KTex2mbw5LkvdFhCzX49NobV54VagNsB8=,iv:Lf6EcaBmYGF+Fbo+YPSE8y+E/X+4EV+k7389JSspDAQ=,tag:oF4AbdW1jKmPcWGSnEW5CA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

33
secrets/vps7/default.yaml
View File

@@ -13,16 +13,20 @@ redis:
nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
mastodon: ENC[AES256_GCM,data:E5aMRzqd1dqcw66uZwWoT+LDH30mg1vZjk3lhKIXKPd36MANE6z04aBPcAHyHT71jEYsect9JXagC4MUJBuSSQ==,iv:4IjTTNSTraL33fInlTkB2ZylcEaaKi5pgvugZIk24e0=,tag:32JSTNpF2cxYh/NEAS6jZQ==,type:str]
synapse-synapse: ENC[AES256_GCM,data:8CVbcN2FG4mRT4PnlOGsS7tDfS+6ojIJFvq2EwItxn1gg2Ghd/Bmx+5tS/Do2FrYp/Xiv1EqucomM50r5bXnmg==,iv:TT7zBKQ4M10XYVCn5aeSu9IqjrIEHHazPUCOTmgRAU0=,tag:0+Q9hZMBVDj1TnHj3xoTBA==,type:str]
synapse-matrix: ENC[AES256_GCM,data:eJ9GXDVLPg1C+Zjpj3NnWUyZxDbOZ61f+gs/bkZgdWjeu61MEMtU/Hh+p/ceAn3y0aPi0ZTcd+zSgIPIkcj+qg==,iv:uTdS4uguNJErc+DDW4H6dsRFkqlkHtaCfR8LR/d9nvY=,tag:UhY9xbe1r7FUpyid2nSt5Q==,type:str]
postgresql:
wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
misskey_misskey_old: ENC[AES256_GCM,data:Wwtd+hKI0s7m3PbEPHbnSyTsCkW0x8SYHUiCYuNSNCG8i4RAmiAbONNFfWN2hXnmTmRK79Tx/3GR+L0KMzmNGQ==,iv:BekTELToPQXUdZHyNtkuqKyZeez+moI6k907P7NhA3Q=,tag:A5YB0WIa1RkDCtzeBhiuyA==,type:str]
synapse: ENC[AES256_GCM,data:Orfse2arRGMujA8MloqOp+iVr0+uCVtlMZJNAA36J3UCog5ExE8HE6G5wIvvoP0o/PNToYc9Jgn8T7iWdU6FIA==,iv:XQ6/bDfIRmvZ3VdTqH5Gaiu2emd5kV+q6RjNXDQEtkc=,tag:Yq+w9oxv2yhpsQfMRp4HaQ==,type:str]
synapse_synapse: ENC[AES256_GCM,data:lzaggyuXM1XwsRxFHslsP89r8wEcgi6LNfbcm+pFWj6WLO8y8WaQIdOkiF3D2ToKDwcw5XgSGSt/VAk6lv+GeA==,iv:8WOL3jze797Wz9kSRq7YpY8OS1TBMqHYhfgZlluJlic=,tag:utNhs1AMbGthp6M2c0x67g==,type:str]
vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str]
mastodon: ENC[AES256_GCM,data:IQxoNjZILazu5cxkEzFAqqmGSsOffMQHoRB7AC2NqI/+CJSVsfdwiSVfxN+Jc9dmrqCjscUSxaWCMHnrZj/JyQ==,iv:d6tyj/w0uH2E3qHjEcopVhnmE/Pq0qN9PHthSArryyw=,tag:kfJsxqkErFcG11B0CmiIKw==,type:str]
gitlab: ENC[AES256_GCM,data:YC1Ubpc9zWK8rb5FvZAEYjNWqVF8tZL6Nxqa18Wyq7KAh2Rv2tjl0iVlVzhtaBf28gF++nJVu9LcATaOuHH9sw==,iv:j+t4PwizJNkWZkhzdqU01/P5MeS2nSk6XNlvxJ17hC0=,tag:0gtBn9has+xrtJCn6MAyyA==,type:str]
gitea: ENC[AES256_GCM,data:EAuFPlUFvtARh4wbevoIUwZ886nS+3O9Jy7q/SkaTDx7PkQKGhZcPPxY45AG0QQrjSaI3cGLzDBMutFMXP0BMA==,iv:0cLOsopAfyMLHJDowyZirVR5nqLrjSLHYtnPC8GXReE=,tag:BwG5UibGLS16rwJbH/0ZyQ==,type:str]
grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str]
akkoma: ENC[AES256_GCM,data:6piRt7BbMBLVGdot+VyoJN3/S8DoPNTYHFh/1coHSLNmiA6kU/6sca4Bts1Up/Vu164oTsFAr1JsKx6tzNzAPg==,iv:qplA1GXHwzVrmjm7eagCk3PFa7DRdwaf+p7N1HLb6mw=,tag:W6WedSK3R1IgZVo/0Hr9vA==,type:str]
synapse_matrix: ENC[AES256_GCM,data:5j+TYJ3vYUqu6CdRDYAT558DsTWbX4Rh+HuukPog5HGXlhneL3RnxVeGBR9CV1rlCP1NY99Nm8roBG+BcyPYHQ==,iv:CboB6lzqxAE/8ZlzaTU3bxw94N6OAhrq8pZ0AfxQiUc=,tag:z6cM3ufgbMn5n5PzgqdRjw==,type:str]
meilisearch:
misskey-misskey: ENC[AES256_GCM,data:4s+qqd6mmstioC0XmG/vA6ED9mzu1vRJVPFFalRiqnnsFy0dYEU87H+y12eOp/KDSLdTNvpp6Z6jCNvxnpDXzQ==,iv:x6L9OPu/dwVsD9pYb4dqavw9NesMbo7LB+rwz6veAR4=,tag:/BBqV2sHIgPas7XsZydh2g==,type:str]
rsshub:
@@ -35,11 +39,20 @@ mail:
bot-encoded: ENC[AES256_GCM,data:HstqDfhKoLqDip9O+mwYGbNlNQ==,iv:CZSTfxJHhI6nG7501cQdJiZ9l3uKS7d5YsA8iVTUuoE=,tag:Rj3rvXJzDp8XzODV/gABog==,type:str]
bot: ENC[AES256_GCM,data:j4Y5oYeVt0sd2z2Qwuqisw==,iv:wasQCTqEMAyttbn1zm9oKck6QiByom+F7ZIMDUse9Gc=,tag:92O4ka6f0I9qnlnVy2dltA==,type:str]
synapse:
coturn: ENC[AES256_GCM,data:d0slDodWSVCMMgYXeLYcESuS3q2OkRI0fGTPAn1Ho+WLc/g8IHwSDtLt6W8j9UiBn1TpLVHnI71M6SZLwZK2XQ==,iv:nF89F/ezZFgCrS1WLLTgdV6pksSSgntJUdJ8Q2hVME4=,tag:Z0bJFFRdZCinrFDH9gyGwg==,type:str]
registration: ENC[AES256_GCM,data:bvDx/RaGLd7wkQIGz6+GKNHzuwjaoC2IOIY5Nu+/UAAjlwtTv5fhjlxq1ylTctvaeto=,iv:2mcSGeocXboBcY3SHkio8tnj+7rM1o5gOHZGYBP5x+Q=,tag:3vcVHR03NyIq6DvbPApFkg==,type:str]
macaroon: ENC[AES256_GCM,data:SUJe+4q7QlWBceL/cyJxrjl9OV9o2//YEu3k4rzRRg3eSgiDphyL8MWzoO/WH8MzaH8=,iv:2tTQVj9kHa3Lb3ZqnxwSfpyWEDq77gtxS+iBqKuTLpY=,tag:XnKKMg8sxw3WQtJvfcyXcA==,type:str]
form: ENC[AES256_GCM,data:N/5El9TMbVL0zKTiTgtjdhk3PeRmWV7grckZ6NrroaXqt0I1HCCUGJQA+Qd7fp5SKV0=,iv:AfP6PrsyU6cCQa3LEUivN3k5pv/JARVzEigHJLopasU=,tag:CT0/7czF+VNnlb5yN8EZXg==,type:str]
signing-key: ENC[AES256_GCM,data:ZCayvU2lElUnuyVDL05XjO3v2P78ha9i9PEcLvpBLgNeYkh7nH9Z4kIAP6Pmbw39ufaSJuo5tZZPmA==,iv:CfxqL7dJbmG/jEcdDe+Su8uxsA4dkOq/CCOGlb3EDIk=,tag:9728QS3GLnTcerzDgtQEWw==,type:str]
synapse:
coturn: ENC[AES256_GCM,data:9MDq0eXLHjJ8Cd2d1iogS1lnjI0A2+0ZK8OtLKRLqT16BVzQQJyhbkAYwkn1+9ppfrazsHFGrk7DVsA7PWjdmA==,iv:SOjwZIyzkMK9Q1fGkmBSr6nSIarNe/WeD91GPJRuZjg=,tag:1GljmXdK80NKTPSg6xJz0A==,type:str]
registration: ENC[AES256_GCM,data:MmRJ3el59XaTwFImuCsiAm2zXeGhgvyUyw9AIv7FvxR4N3YWnHKALcQJtG52N4bmLXU=,iv:vm2R7XGzGET0eTcD2trl3xD2I09NzYmx5NPIY4KK4xM=,tag:exm8/ehPufeqtp6j61ap0Q==,type:str]
macaroon: ENC[AES256_GCM,data:2/8GuF/a+ocVtLN0PU17JDvXw/RoXX/CXFHPlI9THl5bY8lBm6tEawijnOKVoFLovfU=,iv:GPAr3ZjqLf9ixevsZoQgs4cPkv0VL4WJoFfQZOdThlw=,tag:HRt/igDEfUJ3K39mG7b9Fg==,type:str]
form: ENC[AES256_GCM,data:Z9cYL9ibRWmOhAYtB269n0cWZSvL4zGgc03ZRag0m8cz2j0god/Fn/w6kx3cyGK1C70=,iv:Yst6WSV63IvbMF5nnicIoBj77eSwVMnAHtHrKo2UcDk=,tag:4qf6F2rdctcCf4J9vECvYg==,type:str]
signing-key: ENC[AES256_GCM,data:BbPJiNcVTqMAL2XG3K3CIbsb8EM4r8ct/WxPK10FHRwAnqChKy3CAviYU9gewO/tNZXHvUYUAUbPww==,iv:IZB/40EE3DIxAqagdH/a4kcSmiec5l24XLCQKCQNaRo=,tag:/1t0WAPBYmYrPTx4V4wgkw==,type:str]
sliding-sync: ENC[AES256_GCM,data:POXExkTRRhXin4lD4MA61xsuzYXCT6U7QtQWtNnEb6kUWRrAvS9mqk+JTBn3onCzf2Azhi3WQOY/t+OiQFXI1w==,iv:GJfJSGb6t/q9KdVCr0dVVcD+e0yZUQzrJrtuhOlYJIE=,tag:ovd1ZXRkk7VoNo8KoYDViA==,type:str]
matrix:
coturn: ENC[AES256_GCM,data:MwZKkYMefshuk46Cne4wn9ooFH8RCDbrxp+MbLJWli9iPHuzJJzUuQNU9EDL0aNbzyYEMt/7DErw42z6KrpGww==,iv:u/SVVTgfJO2FakiYU+uLHXjA4tHU/W6ASsR3S31+pWs=,tag:VTeKNOKwm2bsiZAOVXeBOQ==,type:str]
registration: ENC[AES256_GCM,data:+pA61vTg12lYUyXjLrHSY7y/ExfTQffLlGUI4HBOSFFPTck7bu68FrCaHOIBTtEMfjU=,iv:Ex/phkBZxglG8HiRz+m7h2HNanpq2Pxwbm08vdM3xFc=,tag:mM3YEa70FnCeYIUthK4TeA==,type:str]
macaroon: ENC[AES256_GCM,data:/+RaayKiPPpVV7OWWdaSkSSRHMjb8d58lZcpvltN9cYkN1btvMViEgdLSlfqzRRlPUE=,iv:pg9GXgNsrVWKlUAiCKZ2pYXugRH6MsBIMpHKoYWYLik=,tag:/mj5Ak7XAX/FH7sNPEVALw==,type:str]
form: ENC[AES256_GCM,data:7HF7HMUH1BTJgXXP6cpUiVj0jCwGW57bx9wKTJu7PnRsNuAam/+nKX7Zfg7WD+gSBlA=,iv:SYeUsuFVgAA6U6STCtKT5c5E8Kglh3x7hy6+Op4n0W8=,tag:eICmHTwwn0KcgNhdDGnusA==,type:str]
signing-key: ENC[AES256_GCM,data:hzxxDbGp1L09O7+ueUSa5lJOY/QvF2zvHdpueEHjaPQEToQt9mr2loeTQHC7ObTegfLb9UHrI1jn4A==,iv:KngfahwYZZmDQ5LeOUPWptTMGAC8TZm1G0FWcrwCwsw=,tag:U9pW6/boBIpiswn67Ezrfw==,type:str]
sliding-sync: ENC[AES256_GCM,data:BeA6g98IWDP6hnLFI77QqG6esDwB6j3OPzAv3eJxWoTajAsByHSgSYP1vHN5Iok6IgvSSmkf0/HiOJy1Ca8IIA==,iv:ca+t/rYwc/fAVUcz0JTmrRQCOcbDNscbnE8BpHkx/OE=,tag:eEfhUChUt4kRnO82XqRY4g==,type:str]
nebula:
key: ENC[AES256_GCM,data:9o6EkfTWOU0KwnJsgHML4E7VOfzo3LHnlOkV8ubhi6aayXImC3lAaoPrqUI=,iv:KHprijN7z+4FIIW+D5klDM9a9VzMJ5xawPc7jJtbHmk=,tag:0DAmxoz8D5f38ndPbkNW+g==,type:str]
vaultwarden:
@@ -91,7 +104,7 @@ grafana:
secret: ENC[AES256_GCM,data:QYhopqGcHGr+24qYlfaTdMtnyzmIZYG4PcvS9KYqC24W3M+HmloCkPHh7Y3ZTVg8MnrDGOcbA9YPLdY7eh/u4g==,iv:dh7egVIem2bgDbmWJ1sqH9fLdIYbAIQjnjNvyuEjVq0=,tag:DbIRVHbCcpKGcNc6sDTasA==,type:str]
chn: ENC[AES256_GCM,data:0bbjggWS1MdcUIQiQyPlBTULm+faKDpJbmZmV6vSw8k=,iv:am65WQzUE+AvQrQV+NSF5u6RCWn7EetyPsdy4Cuvyyw=,tag:lxNUM1cIYVSXVgwEnS1Hdw==,type:str]
wireguard:
privateKey: ENC[AES256_GCM,data:uMJ6TQOZrWEkeSWLF1KnN5/x2eQFIiaCDrr6Xt1bNfRAzY4l/ljYXBwzkann,iv:IY6lPxT4359QGeTDBENIOWaRZx1bMHh6xSu8/GvVsUY=,tag:3W+vU8jpQHle8/3eyAsfUQ==,type:str]
privateKey: ENC[AES256_GCM,data:TS+toaJRgAvC78XVwTciXe2IG8++vaqXVCi/u/8Aej6qq1B9Cb6f20cp5K0=,iv:T/NkLvcYiWzIDG3jWtuhe/sH2GT4z5f0xdUGbSL901I=,tag:qN7YokFBj3Kbbx4ijHTRnw==,type:str]
sops:
kms: []
gcp_kms: []
@@ -116,8 +129,8 @@ sops:
SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-07T08:53:58Z"
mac: ENC[AES256_GCM,data:aon0ssJEEFBN7XEdvtFgVFVv5mPSeGxJdBCTIxj3eAUbFIuUKvjAz8jbIiMEZNHw7SQxNRbWO57zQmxwnHswWYtMYEgQO4nvZl7gOMvKqErh4rtltUHxmmG0Uv/ORZjqbebkiUN/UdiPPubICqrSAmdL1V/Irj1m7wD4KGcjF64=,iv:FV2YYKchx3qudpARV74P255i3L/sI/TnLqN6mlEC2ts=,tag:mqRLRvJyoRDcS5Heogx85A==,type:str]
lastmodified: "2023-12-20T06:27:19Z"
mac: ENC[AES256_GCM,data:i7AN+Sd4C61GSzT409mYd6D2tQzDyONIUsto52b1mV8hIJ4Q/U9VT5wumRjm4dGUWqrq9oFdD0/iUL1CmEdasBN7VFwNEpSYl6yhzU7zX3Re3N/0mffeW0Fx/38LdvywusJAHC9yWvsNMblKDnYxGm/UI2W/7QRMDyr8jnU6La0=,iv:Ua+K1m27GkkrUn+wcylkwrdWnq1yzFG1NMVzYAiW/6k=,tag:Gqqk5zOU3Ax2Al5CvXEV7g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

24
secrets/vps7/gitlab/jws.bin
View File

@@ -1,24 +0,0 @@
{
"data": "ENC[AES256_GCM,data:Al5NNNTib+gGITYXCC7y2eBnbMtDEg12PPIKhu5aYsX1y5hEzf8plZAQUpjipwW+MRGP8y13kjtvgmYEW+2hjPKkvB1V0wVWwyVlJW9z4c/8+XZQ6iHTbdczxKbSj9swXO+pbnt6n20ofKSB5eCJbaHWG6Fd1ln7S0sataprlccwSF/WoJuwL5Hk654ldN4EA6i/2QHcUZFeVCc7cx+j9kBp6optwydV+V/skp88sJ9mecLXDrfFnNqzEFK4U6s2lMnhSfDtYGCC6RlC63hslSS6aqYrVn7KJqoI1v2pMBWbTSjO4ZJZkjy4RBjcnbYotfEji8zJ1QEJ/49IjrMkDxxT/shdmk5G8F2Zf1f9bo6Ge6yBJffw3oBAnjZe7z4QgHQzbQmuEMmgZ6C+XMyvtFNXbCcBIjFPIiaMujj4aT7S1HBGyVIoYUTRiLsTF8cilsazIid65ps7ydkHJjDZigigcuunogBJ7WtOs1wU2j/O8LDwStMnJ33aib4M4dVAn896KyIltN2lber4zQcshce+Ld2Y5UPU9wUD6dcx+Ezmma0OCgvoAB8TmZ1L+6heBWf27hb+Z2eHQlatLDhnZrQ7OrO76eL3aBHDXbDHv5IDMRTntb4strUqDD6JPAN+L8HS8D3rhVK54OHVMMPyIWzkWJRpLjyrI2m0bgxlpNPDz97ACu1Mlu0ebbhWTYMOYeBZjNvyyvf2W0Bp01sgnImQkFbfoxwZchvtDAhfCeW4GtlF2GI2iwCCtbe09hCO+hf9ulQQsoPcS875n3QlLv8SiFh24MEmj2JwfbrfeCb4QZxh6d+A63PBZxurhk1eDfVHjWa/e23A7hdv8NJ9Qfd5ah5jDgEHwLzu0HOE+afsJieYYHLhEUmv0/+HIyLG3soWfDLjy+i73p3avtaFv0GHXZx8D5NQB7Gy3445Px9Yd75xOI2kasI1sHbJuDgtLzNImNhfnA3L9EwTNyHMVpPH+1dUOV3qw+UH34tD8iJfSdV1WYp3ewxnrPFWuuLnZp0Z8LhtXW/FHlBQGAOoth0gdixy9wxEfxN93bXYMDHLzwxLA8vQ3b5inWMEptKXWKGjfASa8N63K0+r0SAbLMYNp7QvJycaswiust2dYhxbwFE30eQKrf07IWoYEKSKOBJD6mgO2O89W9Zn0KXvcYB4gU+emHRUAURZVQ2JMKT17L7h/y2FJj7nQV9M9iCp+Z4svwl6ur4FwIJ6NjkNqiyL9e6fAeWwi/8ip3WIjSosk4H8et/D757D9Kd9TxBAijfyMdDEwNi7ign7WIa2dkKjZIt3TS2ZxdE8zlc9MYUqc04ncqfuw3LolBlnwVscQgO3zf99yaMBA0KL4fm+Wps7Yqx+SVWz/W614AqJDqPYmdqs4T7LQYGmRYAsb3T6SRHDAU/v7Z9moAXvxc5t20fChm6p6nJc8kpG0kYhyoh7EbVefMqhwxVL97QKgoqzMjH+cXUEGdFS07bKETCuMep9wL2wH1DqAU3jwzrhmJebjuvtr7Q1Y7Ea0CTx+mCkWp6puX7xwHMFoSkMVvc1Kw5Bao1uI+ENIMKcSB2JST5fvYkzFNfl21ellJo4sqpLl30LNrjAi7Mv2oxw7hERZCvMewEyqOX4jplQyGtg3rv9hZnZZ+vy0T/Dn0gRruF5+lc32rkPaYWN8KEsOilXnoP+1014ScfnDD0gK/I/pLkTrxZYXjpSFU2J+qwif8NtcYghbMT5u3B6nv5rdmhF0RPUG2qgVvQDG5e6inzPidyGLGMxzPVFGDNg25tQTnG9YO833FNTV0DS6ThZOHjW6AntDcxvtSc6GqKCOomBPD0vmsGAOEVxLCWTQ6j422obThFZu6QQSjoyPKWwukeHWA1MEMdNY79bf1qACxoBJvSh+Xg/M9POvySHxVbFItvvRPTQYii9i4Cr0DpDhmK8pH27AqIc1tyaFfb2n0q/OGqjsvExFhA0mDn8x6D9spt9j7hRixHFFmqMSAins8NolbOPeY/uVq2WqaU4w3sPSIM/on20eadpsC5O22xt5UQXGQYn3d7TtpvInJ7r3gU5pp/Sjoe4Qw68sl4BZ3u8jYUOuVUqVztcilqqcqMUf96qDVnGjetLtL1c+BTDqcefZmSaEUIDe8gyKbvuY5rB0OqkxZ6F6shXiJRKGLQOfGL7mhh9GCgUTa/VhXaZmcOuc9jS0hCl4cZbEaIJr+SdChqHvwCnvFLyh3DpUwEh8S1E8MK3v6J3pQRPEgWSji3ntJxakGbW6tHb,iv:w+4KWqVK5p9UrAulfCwq1naoJoBmLYxWhRlYeG3x08c=,tag:hMDB+QP1AXRU0iBd3ZSxGg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbDRxK0taVzlwWEJPNFNk\nWVVtS09Jb1AzaUhkeGlTNlJBOXUyTEs1MEVjCnEwOGMyV0tJVDNwTzhQb25Fb1lz\nRkJqbFZMa1VkWVBFOWc0NVIwU2E1SEEKLS0tIExqOEZFUThmYThnbzBpZC9TcGc2\nSFNRQmNmdGlPZnE1cXlMT1VKNTU4NkUK19Xik2Nc2UB6hREBiClAx8fQQd0/lhma\nq0e0KEOIlJfH9Yowc/oT+zZust/i7O69mIK8cS3XWF8eUqFzj4aG8w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGxNN2xIOFYvYWxuQTJy\ndktHSjU3cnJWN1diQTJKaVRPVU52MG1XUVUwCk9nVTZIbkllQjhGK0JweE1EbGFp\nTXZoakZpODRTM3BzUkp3Wk1WRmtwbnMKLS0tIGhkdmIzTXJwUHc3dHlHV3phTVVr\nQS9kalRPdkRZM0FBbXF6SDh6YzA0QVkKGTVwOIO6JgEKSb78s8erh+McXjtfuQQm\nlhX1NRb8Uk/SYhvrnfjMTUIQ9i2yqPn1cBuhp/MNgSsSS49q5anRNA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-11-20T06:57:24Z",
"mac": "ENC[AES256_GCM,data:QiRf8cKJeTkEQOK3qJCi2uise8RDyg0zcZOVX0XE6YSE6mDivg2LC8mKuSBFVPw1vX+99l7aOBDEqKALD0sQIOQjd0lySJTLp4TDbSP43QoVQ5KmUtUUzeByDkH6DUBnFuXWlvyD5kOokqGvxkYXvyihdji8yDQz8rlw6xlwNPU=,iv:C3Wd+I2yal/tFpURBRvPygOtPedJ4kLsVNmOip9CUio=,tag:NIq54bGg863j+/k15npz8A==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

10
secrets/xmupc1/default.yaml
View File

@@ -2,10 +2,10 @@ acme:
cloudflare.ini: ENC[AES256_GCM,data:k7ojGrQQN81OGh391ISD0vfmQF7P3Iiuyx4ck7FxB9h3hFyl6HsiJxp3tIKsFBirbHzePEtXZOYmYUkqqw2i8dY=,iv:RX1BpzeznkrXhLVoI1YwrlRDnkQqGYNw/xwQvN8P9JM=,tag:TOfGt4QwxAY2j/c1deKFoA==,type:str]
nginx:
maxmind-license: ENC[AES256_GCM,data:VmOiT6FYFEkMYTstz+4+4MSZSeOgHQh437j6Ccd/EhYVEa8iKI1PfA==,iv:C90KL+tv3ZpbnHqsKv0hLUprM1RKagCdU2ne3Z9Hor4=,tag:QVlJZL+bnVpjEzy4VF31vA==,type:str]
frp:
token: ENC[AES256_GCM,data:lo/To0asGgHnajc6GD6zh+e9onIwQ6XdfTA5wg7g+fvslzxH6eXhV+14Wkb86E2fn7AAlru+,iv:d2MHOCwc5E8nAcqjWxdzONPpjdFfJ01f01Q7a7C2CT4=,tag:5zzciq12PqWT29G+BaT1XQ==,type:str]
xray-client:
uuid: ENC[AES256_GCM,data:+UJjAWH31CbeQjWoFNeBW5Sqt/RoBTbgouelDYGKfK5G6uY+,iv:AzIpLV7NYeqZUmZ6PZNYFbml9TUPRLTFPeiRQm8S7X0=,tag:/lDbaFCUHmVYDHtmrMisGA==,type:str]
wireguard:
privateKey: ENC[AES256_GCM,data:49BPDoNzzTJFRpIXw3wMRStwd66aG848Z5EUMPwMMZdWeFPBdDB6cHm9zQM=,iv:R6zsmALbV3YMFlIQlGpLqL5mNXeQXn6MbhAFB7T+nLI=,tag:WOrebshoF1V0u2+GnBMTXw==,type:str]
sops:
kms: []
gcp_kms: []
@@ -21,8 +21,8 @@ sops:
UDRVZ3luNkRQNFdtYUF4bm4vd05mdkEKlX67g6DrurDVrSG2+5lj4wZ+8xfEpu9K
jAZ8pt1pCsrbkGOWOBD5PqbWn0X1Dms6F4qiyefcQlmIjhXc9/PPLQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-23T12:19:57Z"
mac: ENC[AES256_GCM,data:beF84oGJhqGwl7E7jan9oZMlJmPZrQdC0ZAif/zpCYwdy53v9J4R5RM7pKZ0CFQA+ubwW4GZXrv2qTLayV2FgRtu+TBWLeRF5t34AcfyMHmChiIuAjHljVv3Y0Cus3Ctt2quMpyvmYEGvq+bGPzi5BY+cu4PSQZUsUUDImjw7/g=,iv:pUEJKfzZ5loUJvzpCRHNpUK4aM2OiCQ8RLFZRr2iiVU=,tag:ibGL5Wb1PJhMck5RnPtobA==,type:str]
lastmodified: "2023-12-14T15:20:08Z"
mac: ENC[AES256_GCM,data:jPdmavg3atcQZoQwKCJf8f5TQ5L8l3snCSCv6MYJpbV3qjSCDKAxpJduXBlbSxWgUXv5dwuPbhCKnTIJhoWAEh+pE4BR+c5+nk9fL89IxaHZftlxj1hhPBoZRUyQLPe5ZaFyXFcwWNc93PZxOQ/g4z97C2v358puY3fDyOxOyqI=,iv:YvaCLaeYXMnJW0WL4TxUBqh8acXHOHuRXxJr1qH3VLM=,tag:AJH7q9zySk899IEuPo94UA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
version: 3.8.1