chn
0447b56167 revert meilisearch to old version 2023-12-05 12:00:13 +08:00
chn
6fd53808e6 remove trace 2023-12-05 11:43:08 +08:00
chn
e372278343 fix gdal 2023-12-05 10:55:37 +08:00
chn
d13364fa42 fix latex 2023-12-05 10:53:11 +08:00
chn
666990c1a9 替换更多包 2023-12-05 10:27:12 +08:00
chn
13363f42a1 缩减行数 2023-12-04 21:41:23 +08:00
chn
f642e11739 update flake.lock 2023-12-04 21:39:19 +08:00
chn
ed6b68eb89 vim use optimized version 2023-12-04 21:38:27 +08:00
chn
396ee9fc73 use localPackages.esbonio instead of esbonio 2023-12-04 21:38:08 +08:00
chn
44ae89efee nixpkgs: allow to replace tensorflow 2023-12-04 21:20:32 +08:00
chn
36e1faee0c fix eval 2023-12-04 18:26:27 +08:00
chn
1080a2dacf 整理 nixpkgs 2023-12-04 17:27:47 +08:00
chn
f9e35b8837 do not build with ccache 2023-12-04 11:41:29 +08:00
chn
dfad8c1df7 add logseq 2023-12-03 14:43:19 +08:00
chn
6444e76b49 fix pygls 2023-12-02 22:20:58 +08:00
chn
c2864ad7a0 fix pygls 2023-12-02 21:55:14 +08:00
chn
136d02b0eb packages: add autograd 2023-12-02 17:04:47 +08:00
chn
97158555e4 packages.vscode: add restrucuredtext 2023-12-02 15:34:50 +08:00
chn
3deeb55dbd fix nextcloud
update everything
2023-12-02 10:52:42 +08:00
chn
2184dfa34f disable ccache for tensorflow 2023-11-30 23:18:11 +08:00
chn
94d74eac46 enable ccache for multiple packages 2023-11-30 22:44:06 +08:00
chn
2bf0d49e52 ccache: move cache to /var/lib/ccache 2023-11-30 20:21:06 +08:00
chn
73ddbd00a9 fix chromium build with ccache 2023-11-30 20:14:49 +08:00
chn
1deffccf00 enable ccache for chromium 2023-11-30 14:47:38 +08:00
chn
bac20eae3e upate everything 2023-11-30 14:15:26 +08:00
chn
6057c5079f remove touchix 2023-11-29 02:19:41 +08:00
chn
2ab7119ea9 fix nextcloud twofactor_webauthn url 2023-11-29 01:30:41 +08:00
chn
56a34a9f73 update everything 2023-11-29 01:07:20 +08:00
chn
693967cf49 system.kernel: remove preempt patch 2023-11-27 02:22:08 +08:00
chn
d273fd6046 update rsshub 2023-11-26 01:07:32 +08:00
chn
73a509b1ba remove unused packages 2023-11-26 01:07:18 +08:00
chn
df7ff0516c Merge branch 'main' into next 2023-11-25 23:05:24 +08:00
chn
2b3c0e61c5 add emacs 2023-11-25 22:33:21 +08:00
chn
47406cd0a5 update 2023-11-24 11:12:05 +08:00
chn
36a702a9a2 Merge branch 'main' into next 2023-11-24 11:08:10 +08:00
chn
b42024378b add aircrack-ng 2023-11-23 23:53:13 +08:00
chn
7f68855c7d users: fix 2023-11-23 02:04:47 +08:00
chn
38c7491640 services.mastodon: fix 2023-11-22 22:00:58 +08:00
chn
18ca4d7a00 services.nextcloud: update apps 2023-11-22 21:48:23 +08:00
chn
d52d0e3139 services.mastodon: fix 2023-11-22 21:35:47 +08:00
chn
fecf4816dc packages: move some packages from desktop to desktop-fat 2023-11-22 20:54:03 +08:00
chn
3d92e9e593 localPackages.mirism: fix 2023-11-22 20:48:12 +08:00
chn
d54d37b8f2 minor fixes 2023-11-22 20:12:41 +08:00
chn
44e843ae5f exa -> eza 2023-11-22 16:42:31 +08:00
chn
ec07725983 fix pnpm2nix 2023-11-22 16:40:38 +08:00
chn
bc40195d0f yoga: add to default 2023-11-22 13:49:45 +08:00
chn
7561442593 done some todo 2023-11-22 11:58:58 +08:00
chn
b240f8d04c update meilisearch 2023-11-22 11:48:39 +08:00
chn
10691aa076 remove unnecessary unstablePackages 2023-11-22 11:41:36 +08:00
chn
8599296ff5 update inputs 2023-11-22 11:39:30 +08:00
chn
86e89c7310 use archived branch 2023-11-22 10:57:38 +08:00
chn
367c78abd7 move some packages 2023-11-22 10:48:00 +08:00
chn
50025a78a1 hardware.cpu: add some intel modules 2023-11-22 01:48:09 +08:00
chn
7c08aa5b05 system.impermanence: fix /srv mount 2023-11-21 22:03:47 +08:00
chn
24727ea5f0 services.fail2ban: add ignoreIP 2023-11-21 20:52:46 +08:00
chn
04d411d16f services.fail2ban: init 2023-11-21 20:44:31 +08:00
chn
84a2bc2eac system.impermanence: write journal to nodatacow 2023-11-21 20:06:48 +08:00
chn
616a366221 services.grafana: init 2023-11-21 00:05:26 +08:00
chn
757f0f63bf services.gitlab: add email_from option 2023-11-20 22:25:47 +08:00
chn
083cf9524c services.gitlab: fix port number 2023-11-20 22:23:45 +08:00
chn
19729fb334 services.gitlab: fix smtp 2023-11-20 22:09:41 +08:00
chn
da4a7e33ff typo 2023-11-20 20:53:34 +08:00
chn
ff5780ca42 services.gitlab: fix nginx 2023-11-20 20:51:57 +08:00
chn
9bdb9c8293 services.nextcloud: run nextcloud-setup after postgresql 2023-11-20 20:46:29 +08:00
chn
f51f9c9992 services.gitlab: init 2023-11-20 20:15:53 +08:00
chn
f5777bc89d services.gitlab: prepare 2023-11-20 15:03:02 +08:00
chn
54f2458f69 services.mastodon: add package to system 2023-11-19 22:52:06 +08:00
chn
d0ff526f82 fix mastodon 2023-11-19 22:44:06 +08:00
chn
e7708c5647 services.gitlab: preprare 2023-11-19 22:01:36 +08:00
chn
c38d84a1b1 services.mastodon: init 2023-11-19 20:47:52 +08:00
chn
4e44953e75 typo 2023-11-19 17:44:07 +08:00
chn
be8cf779c9 change some default settings 2023-11-19 17:33:38 +08:00
chn
3209e0aa60 users: 分离各个用户的配置 2023-11-19 17:15:44 +08:00
chn
7bba7613a2 add plasma-manager 2023-11-19 16:38:21 +08:00
chn
e78c263248 system.fileSystems: set delay to 2 day 2023-11-19 08:29:15 +08:00
chn
3ab09c31bb mastodon: prepare 2023-11-19 06:38:05 +08:00
chn
ae468cb654 fix 2023-11-19 02:35:06 +08:00
chn
2615d82fea nginx.applications.webdav: allow multiple instances 2023-11-19 02:32:07 +08:00
chn
3d2ad2e800 update misskey 2023-11-17 22:35:15 +08:00
chn
15e9cf917e nas: add webdav 2023-11-17 22:11:36 +08:00
chn
b0619ec108 fix xray error 2023-11-16 16:10:46 +08:00
chn
3c29b08a08 add blog catalog 2023-11-16 16:06:52 +08:00
chn
ed794ac95f 缩减行数 2023-11-16 15:51:47 +08:00
chn
17a462ad04 fix mirism path 2023-11-16 14:45:53 +08:00
chn
994360d473 dnsmasq: fix dns 2023-11-16 14:43:16 +08:00
chn
c32cff7349 nginx: fix path 2023-11-16 14:09:23 +08:00
chn
97468b121b add mirism 2023-11-16 13:58:59 +08:00
chn
8cbad5dc58 add httpapi 2023-11-16 13:18:21 +08:00
chn
790aa5fa2e add crunch hashcat 2023-11-16 12:09:11 +08:00
chn
3cfedc26c9 add john 2023-11-16 12:06:53 +08:00
chn
d2479b229e nginx.webdav: restrict write path 2023-11-16 11:57:02 +08:00
chn
87684a981d packages.ssh: add some hostname 2023-11-16 11:35:03 +08:00
chn
3386b3bd2b nginx: fix permission 2023-11-15 22:09:44 +08:00
chn
86cb0a4d85 add webdav 2023-11-15 21:37:20 +08:00
chn
7c96745618 nginx: add charset 2023-11-15 20:59:27 +08:00
chn
2a515f2a9b add kkmeeting 2023-11-15 20:42:42 +08:00
chn
5f4fea3df6 Merge branch 'nginx' 2023-11-15 19:48:38 +08:00
chn
d53c5493e1 port change from main 2023-11-15 19:29:14 +08:00
chn
8750ee1b8b 修正 addAuth 2023-11-15 19:24:03 +08:00
chn
d9c956bca1 init fz-new-order 2023-11-15 14:20:56 +08:00
chn
1f529b55e1 nginx https support cgi 2023-11-12 23:35:08 +08:00
chn
888f438031 add fcgiwrap 2023-11-12 22:13:01 +08:00
chn
7aadd673cd 打包 mirism 2023-11-12 21:59:03 +08:00
chn
f227925d38 fix php user group 2023-11-12 20:47:29 +08:00
chn
90839e445d Merge branch 'ua' 2023-11-12 20:29:27 +08:00
chn
57d07fc326 add ua 2023-11-12 20:29:16 +08:00
chn
91228c3053 allow disable sddm autostart 2023-11-12 20:15:44 +08:00
chn
3e8237286d docker only persist volumes
rollRootfs chattr +C
2023-11-12 19:35:09 +08:00
chn
3f670636e8 huginn: do not create database 2023-11-12 19:28:07 +08:00
chn
8191eec21e mariadb uses password auth only 2023-11-12 19:15:29 +08:00
chn
fed092c67c mariadb: fix user creation 2023-11-12 17:59:49 +08:00
chn
44ee17f2ff init huginn 2023-11-12 16:56:58 +08:00
chn
a898902f9e fix frp tls config 2023-11-11 20:27:12 +08:00
chn
00dd5ae7ad update frp 2023-11-11 20:14:37 +08:00
chn
d274730437 pc: frp add stcp 2023-11-11 19:13:16 +08:00
chn
333ed600ef xray 使用 nginx 的设置 2023-11-11 01:33:46 +08:00
chn
05cd6dd1c8 enable proxyProtocol as default 2023-11-11 00:57:49 +08:00
chn
b1e2497054 allow send to be forwarded 2023-11-10 23:57:13 +08:00
chn
0e56ee4293 fix send websocket 2023-11-10 23:52:43 +08:00
chn
0294805326 add send 2023-11-10 23:37:16 +08:00
chn
218b6c6140 暂存 localPackages.send 2023-11-10 20:47:05 +08:00
chn
f908883f18 fix nextcloud config 2023-11-10 19:30:37 +08:00
chn
4d81aa8ca7 fix nginx listen 2023-11-10 19:16:55 +08:00
chn
98fafdd331 add two xray user 2023-11-10 18:24:43 +08:00
chn
2549be1e55 所有机器都可以编译通过 2023-11-10 12:39:55 +08:00
chn
3d261febd2 Merge branch 'main' into nginx 2023-11-09 23:04:41 +08:00
chn
12cdc43f17 可以编译通过 2023-11-09 23:04:28 +08:00
chn
fd799befd3 全部修改完成 2023-11-09 22:19:37 +08:00
chn
69cb43e6f5 整理 vaultwarden 2023-11-09 21:02:08 +08:00
chn
7122474023 整理 synapse 2023-11-09 20:52:15 +08:00
chn
ebc8f80476 整理 photoprism 2023-11-09 20:43:25 +08:00
chn
855d24c1ea 整理 nextcloud 2023-11-09 20:32:13 +08:00
chn
aa74e0911c 修正misskey 2023-11-09 12:41:25 +08:00
chn
ad4f316339 packages: add jabref 2023-11-09 12:02:39 +08:00
chn
f8c0295bd5 修正 element 2023-11-09 12:02:05 +08:00
chn
72801ad14c minor fixes 2023-11-09 00:51:45 +08:00
chn
c975bcba51 重写nginx模块 2023-11-08 23:44:19 +08:00
chn
967f7f155e acme可以直接设置组 2023-11-08 23:18:19 +08:00
chn
bc351ff0d4 fix nginx type check 2023-11-07 16:16:04 +08:00
chn
35c183f9dc fix freshrss 2023-11-07 15:14:06 +08:00
chn
90a3604ac7 vps7: enable freshrss 2023-11-07 13:48:38 +08:00
chn
dd1ac653a3 fix synapse-admin 2023-11-07 13:40:22 +08:00
chn
8a88c8f6a7 mariadb: backup using singleTransaction 2023-11-07 13:34:14 +08:00
chn
ad6e94ec09 vps6: add synapse-admin service 2023-11-07 13:27:47 +08:00
chn
6b384443e2 confix xray for xmupc1 2023-11-06 20:11:18 +08:00
chn
21080d7d61 fix frp 2023-11-06 19:47:00 +08:00
chn
8a3b3313f7 fix freshrss 2023-11-06 19:41:31 +08:00
chn
7b3a23d19f frp: add stcp support 2023-11-06 19:41:05 +08:00
chn
dea55cdc70 freshrss do not auto enable nginx 2023-11-06 18:49:20 +08:00
chn
1216a2c674 Merge branch 'vps7-freshrss' 2023-11-06 18:30:00 +08:00
chn
3de91db3fd add freshrss 2023-11-06 18:29:46 +08:00
chn
297fcee5df vps6: disable beesd, enable autoOptimiseStore 2023-11-06 13:48:29 +08:00
chn
95e42f969c localPackages.misskey: update 2023-11-06 09:21:10 +08:00
chn
2ae484fcc9 packages.zsh: try to workaround bug 2023-11-05 23:08:32 +08:00
chn
4d0cc3e30c pc: use single swap partition 2023-11-05 12:45:09 +08:00
chn
09a687f65a change disk 2023-11-04 21:08:30 +08:00
chn
8f7c6db841 packages.ssh: add nas ip 2023-11-04 16:47:51 +08:00
chn
d225de887d packages: add reptyr 2023-11-04 12:43:30 +08:00
102 changed files with 5436 additions and 1901 deletions


@@ -45,3 +45,8 @@ creation_rules:
- age:
- *chn
- *pe
- path_regex: secrets/gitlab/jws\.bin$
key_groups:
- age:
- *chn
- *vps7
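Review bot: The new rule's `path_regex` is anchored only at the end, so it also matches any deeper path that happens to end in `secrets/gitlab/jws.bin`; sops tests the regex against the file path relative to this config with an unanchored match, so `path_regex: ^secrets/gitlab/jws\.bin$` pins the rule to the one file it is meant for. Limiting this secret (presumably GitLab's JWS signing key) to `*chn` and `*vps7` is the right scope, but a creation rule only applies when a file is first created: if `jws.bin` was already encrypted before this rule existed, its recipient set stays as it was until `sops updatekeys secrets/gitlab/jws.bin` is run. The `creation_rules` list begins before this hunk.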

flake.lock generated


flake.nix

@@ -3,26 +3,26 @@
inputs =
{
nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-23.05";
nixpkgs.url = "github:CHN-beta/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:CHN-beta/nixpkgs/nixos-unstable";
home-manager = { url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; };
nixpkgs-2305.url = "github:CHN-beta/nixpkgs/nixos-23.05";
home-manager = { url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; };
sops-nix =
{
url = "github:Mic92/sops-nix";
inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; };
};
touchix = { url = "github:CHN-beta/touchix"; inputs.nixpkgs.follows = "nixpkgs"; };
aagl = { url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
nur.url = "github:nix-community/NUR";
nixos-cn = { url = "github:nixos-cn/flakes"; inputs.nixpkgs.follows = "nixpkgs"; };
nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
nix-vscode-extensions =
nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
nix-alien =
{
url = "github:nix-community/nix-vscode-extensions?rev=50c4bce16b93e7ca8565d51fafabc05e9f0515da";
inputs.nixpkgs.follows = "nixpkgs";
url = "github:thiagokokada/nix-alien";
inputs = { nixpkgs.follows = "nixpkgs"; nix-index-database.follows = "nix-index-database"; };
};
nix-alien = { url = "github:thiagokokada/nix-alien"; inputs.nix-index-database.follows = "nix-index-database"; };
impermanence.url = "github:nix-community/impermanence";
qchem = { url = "github:Nix-QChem/NixOS-QChem"; inputs.nixpkgs.follows = "nixpkgs"; };
nixd = { url = "github:nix-community/nixd"; inputs.nixpkgs.follows = "nixpkgs"; };
@@ -32,6 +32,13 @@
pnpm2nix-nzbr = { url = "github:CHN-beta/pnpm2nix-nzbr"; inputs.nixpkgs.follows = "nixpkgs"; };
lmix = { url = "github:CHN-beta/lmix"; inputs.nixpkgs.follows = "nixpkgs"; };
dguibert-nur-packages = { url = "github:CHN-beta/dguibert-nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
plasma-manager =
{
url = "github:pjones/plasma-manager";
inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
};
nix-doom-emacs = { url = "github:nix-community/nix-doom-emacs"; inputs.nixpkgs.follows = "nixpkgs"; };
nixos-2305.url = "github:CHN-beta/nixos/nixos-23.05";
};
outputs = inputs:
@@ -44,7 +51,7 @@
default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems"
(builtins.concatStringsSep "\n" (builtins.map
(system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel)
[ "pc" "vps6" "vps7" "nas" ]));
[ "pc" "vps6" "vps7" "nas" "yoga" ]));
}
// (
builtins.listToAttrs (builtins.map
@@ -76,7 +83,7 @@
})
(localLib.attrsToList
{
"pc" =
pc =
[
(inputs: { config.nixos =
{
@@ -96,10 +103,9 @@
decrypt.auto =
{
"/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
"/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
"/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
{ mapper = "swap"; ssd = true; before = [ "root" ]; };
};
mdadm =
"ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
swap = [ "/dev/mapper/swap" ];
resume = "/dev/mapper/swap";
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
@@ -125,13 +131,12 @@
];
keepOutputs = true;
};
nixpkgs = { march = "alderlake"; cudaSupport = true; };
nixpkgs = { march = "alderlake"; cudaSupport = true; replaceTensorflow = true; };
gui = { enable = true; preferred = true; };
kernel.patches = [ "cjktty" "preempt" ];
kernel.patches = [ "cjktty" ];
impermanence.enable = true;
networking =
{ hostname = "pc"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
{
@@ -141,17 +146,10 @@
joystick.enable = true;
printer.enable = true;
sound.enable = true;
prime =
{ enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
prime = { enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; }; };
gamemode.drmDevice = 1;
};
packages =
{
packageSet = "workstation";
extraPrebuildPackages = with inputs.pkgs; [ llvmPackages_git.stdenv ];
extraPythonPackages = [(pythonPackages:
[ inputs.pkgs.localPackages.upho inputs.pkgs.localPackages.spectral ])];
};
packages.packageSet = "workstation";
virtualization =
{
waydroid.enable = true;
@@ -162,7 +160,7 @@
};
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
snapper.enable = true;
fontconfig.enable = true;
samba =
{
@@ -188,9 +186,9 @@
extraInterfaces = [ "docker0" ];
hosts =
{
"mirism.one" = "216.24.188.24";
"beta.mirism.one" = "216.24.188.24";
"ng01.mirism.one" = "216.24.188.24";
"mirism.one" = "74.211.99.69";
"beta.mirism.one" = "74.211.99.69";
"ng01.mirism.one" = "74.211.99.69";
"debug.mirism.one" = "127.0.0.1";
"initrd.vps6.chn.moe" = "74.211.99.69";
"nix-store.chn.moe" = "127.0.0.1";
@@ -199,22 +197,17 @@
};
};
firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
acme = { enable = true; certs = [ "debug.mirism.one" ]; };
acme = { enable = true; cert."debug.mirism.one" = {}; };
frpClient =
{
enable = true;
serverName = "frp.chn.moe";
user = "pc";
tcp.store = { localPort = 443; remotePort = 7676; };
stcpVisitor."yy.vnc".localPort = 6187;
};
nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
smartd.enable = true;
nginx =
{
enable = true;
transparentProxy.externalIp = [ "192.168.82.3" ];
applications.misskey.instances."xn--qbtm095lrg0bfka60z.chn.moe" = {};
};
nginx.transparentProxy.externalIp = [ "192.168.82.3" ];
misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
};
@@ -225,7 +218,7 @@
];
};})
];
"vps6" =
vps6 =
[
(inputs: { config.nixos =
{
@@ -252,68 +245,53 @@
};
grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
nixpkgs.march = "sandybridge";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
initrd =
nix =
{
network.enable = true;
sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
autoOptimiseStore = true;
};
kernel.patches = [ "preempt" ];
initrd.sshd.enable = true;
impermanence.enable = true;
networking = { hostname = "vps6"; nebula.enable = true; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
packages.packageSet = "server";
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
snapper.enable = true;
sshd.enable = true;
xrayServer = { enable = true; serverName = "vps6.xserver.chn.moe"; };
frpServer = { enable = true; serverName = "frp.chn.moe"; };
nginx =
{
enable = true;
transparentProxy =
transparentProxy.externalIp = [ "74.211.99.69" "192.168.82.1" ];
streamProxy.map =
{
externalIp = [ "74.211.99.69" "192.168.82.1" ];
map =
{
"ng01.mirism.one" = 7411;
"beta.mirism.one" = 9114;
};
};
streamProxy =
{
enable = true;
map =
{
"nix-store.chn.moe" = { upstream = "internal.pc.chn.moe:443"; rewriteHttps = true; };
"anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; };
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; rewriteHttps = true; };
"xlog.chn.moe" = { upstream = "cname.xlog.app:443"; rewriteHttps = true; };
};
};
"anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; };
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; };
"xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
}
// (builtins.listToAttrs (builtins.map
(site: { name = "${site}.chn.moe"; value.upstream.address = "internal.pc.chn.moe"; })
[ "nix-store" "xn--qbtm095lrg0bfka60z" ]))
// (builtins.listToAttrs (builtins.map
(site: { name = "${site}.chn.moe"; value.upstream.address = "internal.vps7.chn.moe"; })
[ "xn--s8w913fdga" "misskey" "synapse" "send" "kkmeeting" "api" "gitlab" "grafana" ]));
applications =
{
misskey.instances =
{
"xn--qbtm095lrg0bfka60z.chn.moe".upstream.address = "internal.pc.chn.moe";
"xn--s8w913fdga.chn.moe".upstream.address = "internal.vps7.chn.moe";
"misskey.chn.moe".upstream = "internal.vps7.chn.moe:9727";
};
synapse.instances."synapse.chn.moe".upstream.address = "internal.vps7.chn.moe";
vaultwarden = { enable = true; upstream.address = "internal.vps7.chn.moe"; };
element.instances."element.chn.moe" = {};
photoprism.instances."photoprism.chn.moe".upstream.address = "internal.vps7.chn.moe";
nextcloud.proxy = { enable = true; upstream = "internal.vps7.chn.moe"; };
synapse-admin.instances."synapse-admin.chn.moe" = {};
catalog.enable = true;
blog.enable = true;
};
};
coturn.enable = true;
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 16; }; };
httpua.enable = true;
mirism.enable = true;
fail2ban.enable = true;
};
};})
];
"vps7" =
vps7 =
[
(inputs: { config.nixos =
{
@@ -341,44 +319,19 @@
grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
nixpkgs.march = "broadwell";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
initrd =
{
network.enable = true;
sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
};
kernel.patches = [ "preempt" ];
initrd.sshd.enable = true;
impermanence.enable = true;
networking = { hostname = "vps7"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; }; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
gui.enable = true;
};
packages =
{
packageSet = "desktop";
};
packages.packageSet = "desktop";
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
snapper.enable = true;
fontconfig.enable = true;
sshd.enable = true;
rsshub.enable = true;
nginx =
{
enable = true;
transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
applications =
{
misskey.instances =
{
"xn--s8w913fdga.chn.moe" = {};
"misskey.chn.moe".upstream.port = 9727;
};
synapse.instances."synapse.chn.moe" = {};
vaultwarden.enable = true;
photoprism.instances."photoprism.chn.moe" = {};
nextcloud.instance.enable = true;
};
};
nginx.transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
wallabag.enable = true;
misskey.instances =
{
@@ -386,15 +339,25 @@
misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; };
};
synapse.enable = true;
xrdp = { enable = true; hostname = "vps7.chn.moe"; };
xrdp = { enable = true; hostname = [ "vps7.chn.moe" ]; };
vaultwarden.enable = true;
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
photoprism.enable = true;
nextcloud.enable = true;
freshrss.enable = true;
send.enable = true;
huginn.enable = true;
fz-new-order.enable = true;
nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
httpapi.enable = true;
mastodon.enable = true;
gitlab.enable = true;
grafana.enable = true;
fail2ban.enable = true;
};
};})
];
"nas" =
nas =
[
(inputs: { config.nixos =
{
@@ -433,40 +396,27 @@
swap = [ "/nix/swap/swap" ];
rollingRootfs = { device = "/dev/mapper/root1"; path = "/nix/rootfs"; };
};
initrd =
{
network.enable = true;
sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
};
initrd.sshd.enable = true;
grub.installDevice = "efi";
nixpkgs.march = "silvermont";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
kernel.patches = [ "cjktty" "preempt" ];
kernel.patches = [ "cjktty" ];
impermanence.enable = true;
networking =
{ hostname = "nas"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
gui.enable = true;
};
hardware =
{
cpus = [ "intel" ];
gpus = [ "intel" ];
};
hardware = { cpus = [ "intel" ]; gpus = [ "intel" ]; };
packages.packageSet = "desktop";
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
snapper.enable = true;
fontconfig.enable = true;
samba =
{
enable = true;
hostsAllowed = "192.168. 127.";
shares =
{
home.path = "/home";
root.path = "/";
};
shares = { home.path = "/home"; root.path = "/"; };
};
sshd = { enable = true; passwordAuthentication = true; };
xrayClient =
@@ -488,130 +438,24 @@
nix = { device = "/nix"; hashTableSizeMB = 128; };
};
};
};
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
};})
];
"xmupc1" =
[
(inputs: { config.nixos =
{
system =
{
fileSystems =
{
mount =
{
vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
btrfs =
{
"/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
};
};
decrypt.auto =
{
"/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
"/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
};
mdadm =
"ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
swap = [ "/dev/mapper/swap" ];
resume = "/dev/mapper/swap";
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
};
grub.installDevice = "efi";
nixpkgs = { march = "znver3"; cudaSupport = true; };
nix =
{
marches =
[
"znver3" "znver2"
# PREFETCHW RDRND XSAVE XSAVEOPT PTWRITE SGX GFNI-SSE MOVDIRI MOVDIR64B CLDEMOTE WAITPKG LZCNT
# PCONFIG SERIALIZE HRESET KL WIDEKL AVX-VNNI
"alderlake"
# SAHF FXSR XSAVE
"sandybridge"
# SAHF FXSR PREFETCHW RDRND
"silvermont"
];
substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
};
gui.enable = true;
kernel.patches = [ "cjktty" "preempt" ];
impermanence.enable = true;
networking.hostname = "xmupc1";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
{
cpus = [ "intel" ];
gpus = [ "intel" "nvidia" ];
bluetooth.enable = true;
joystick.enable = true;
printer.enable = true;
sound.enable = true;
prime =
{ enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
};
packages.packageSet = "workstation";
virtualization =
{
docker.enable = true;
kvmHost = { enable = true; gui = true; };
};
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
fontconfig.enable = true;
samba =
{
enable = true;
hostsAllowed = "192.168. 127.";
shares =
{
media.path = "/run/media/chn";
home.path = "/home/chn";
mnt.path = "/mnt";
share.path = "/home/chn/share";
};
};
sshd.enable = true;
xrayClient =
{
enable = true;
serverAddress = "74.211.99.69";
serverName = "vps6.xserver.chn.moe";
dns =
{
extraInterfaces = [ "docker0" ];
hosts =
{
"mirism.one" = "216.24.188.24";
"beta.mirism.one" = "216.24.188.24";
"ng01.mirism.one" = "216.24.188.24";
"debug.mirism.one" = "127.0.0.1";
"initrd.vps6.chn.moe" = "74.211.99.69";
"nix-store.chn.moe" = "127.0.0.1";
};
};
};
firewall.trustedInterfaces = [ "virbr0" ];
frpClient =
{
enable = true;
serverName = "frp.chn.moe";
user = "xmupc1";
tcp.store = { localPort = 443; remotePort = 7676; };
user = "nas";
stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; };
};
nginx =
{
enable = true;
transparentProxy.externalIp = [ "192.168.82.4" "192.168.1.185" ];
applications.webdav.instances."local.webdav.chn.moe" = {};
};
smartd.enable = true;
nginx = { enable = true; transparentProxy.enable = false; };
postgresql.enable = true;
};
bugs = [ "xmunet" "firefox" "embree" ];
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
};})
];
"yoga" =
yoga =
[
(inputs: { config.nixos =
{
@@ -637,10 +481,9 @@
gui.enable = true;
grub.installDevice = "efi";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
kernel.patches = [ "cjktty" "preempt" ];
kernel.patches = [ "cjktty" ];
impermanence.enable = true;
networking.hostname = "yoga";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
{
@@ -652,11 +495,11 @@
sound.enable = true;
halo-keyboard.enable = true;
};
packages.packageSet = "desktop";
packages.packageSet = "desktop-fat";
virtualization.docker.enable = true;
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
snapper.enable = true;
fontconfig.enable = true;
sshd.enable = true;
xrayClient =
@@ -668,7 +511,7 @@
};
firewall.trustedInterfaces = [ "virbr0" ];
};
bugs = [ "xmunet" "firmware-unstable" ];
bugs = [ "xmunet" ];
};})
];
}));
@@ -704,7 +547,7 @@
{
hostname = node;
profiles.system.path = inputs.self.nixosConfigurations.${node}.pkgs.deploy-rs.lib.activate.nixos
inputs.self.nixosConfigurations.${node};
inputs.self.nixosConfigurations.${node};
};
})
[ "vps6" "vps7" "nas" "yoga" ]);
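Review bot: The rewritten `nix-vscode-extensions` input drops the `?rev=50c4bce1…` pin the old form carried and follows the branch head instead; `flake.lock` still fixes the revision today (its diff is suppressed above), but the next `nix flake update` will take whatever that repository's default branch holds, and this input supplies editor extensions that run with the user's privileges. If the pin was a deliberate freeze, keep it as `url = "github:nix-community/nix-vscode-extensions?rev=50c4bce16b93e7ca8565d51fafabc05e9f0515da";`; if it was only a stopgap, a comment saying so stops the next reader from re-adding it. Separately, vps6, vps7 and nas collapse `initrd.sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; }` to `initrd.sshd.enable = true;`, which is only safe if the `initrd.sshd` module now supplies a persistent host key by itself — worth confirming, since an initrd that generates a fresh key on each boot would leave the unlock-over-SSH hosts unverifiable to the client. The `outputs` set runs past both ends of these hunks.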


@@ -1,29 +0,0 @@
{
lib, stdenv, fetchsvn, xorg, libdrm
}:
stdenv.mkDerivation rec
{
pname = "12to11";
version = "193";
src = fetchsvn
{
url = "svn://svn.code.sf.net/p/twelveto11/code";
rev = version;
sha256 = "12csy55f2xxj03c5b60dvip68mz8cggic6751y3hvj22ar4ncaaj";
};
postPatch =
''
for i in *.c
do
sed -i -e "s|#include <drm_fourcc.h>|#include <libdrm/drm_fourcc.h>|" $i
done
for i in tests/*.c
do
sed -i -e "s|#include <drm/drm_fourcc.h>|#include <libdrm/drm_fourcc.h>|" $i
done
'';
nativeBuildInputs = [ ];
buildInputs = [ xorg.imake libdrm.dev ];
}


@@ -1,6 +1,6 @@
{ stdenvNoCC, texlive, fetchFromGitHub }: stdenvNoCC.mkDerivation (finalAttrs: rec
{
pname = "latex-citation-style-language";
pname = "citation-style-language";
version = "0.4.5";
passthru = {
pkgs = [ finalAttrs.finalPackage ];


@@ -0,0 +1,12 @@
diff --git a/lib/static_thread_pool.cpp b/lib/static_thread_pool.cpp
index 989a6a9..0b91b9c 100644
--- a/lib/static_thread_pool.cpp
+++ b/lib/static_thread_pool.cpp
@@ -12,6 +12,7 @@
#include <cassert>
#include <mutex>
#include <chrono>
+#include <utility>
namespace
{


@@ -0,0 +1,13 @@
{ stdenv, fetchFromGitHub, cmake }: stdenv.mkDerivation
{
name = "cppcoro";
src = fetchFromGitHub
{
owner = "Garcia6l20";
repo = "cppcoro";
rev = "e1d53e620b0eee828915ada179cd7ca8e66ca855";
sha256 = "luBkf1x5kqXaVbQM01yWRmA5QvrQNZkFVCjRctJdnXc=";
};
nativeBuildInputs = [ cmake ];
patches = [ ./cppcoro-include-utility.patch ];
}
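Review bot: The derivation pins `Garcia6l20/cppcoro` by commit and content hash, which is the right shape for a third-party fork, but nothing records why this fork is used rather than the original project (presumably for its CMake build, which `nativeBuildInputs = [ cmake ]` relies on) or what point in its history the revision corresponds to, so the next update has no anchor; a one-line comment above `src`, e.g. `# CMake-buildable fork of cppcoro; pinned to master as of <date>`, filled in with the real reason, would fix that. Using `pname = "cppcoro"; version = "unstable-YYYY-MM-DD";` instead of a bare `name` also lets nix tooling tell snapshots apart.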


@@ -0,0 +1,18 @@
{ stdenv, fetchFromGitHub }: stdenv.mkDerivation
{
name = "date";
src = fetchFromGitHub
{
owner = "HowardHinnant";
repo = "date";
rev = "cc4685a21e4a4fdae707ad1233c61bbaff241f93";
sha256 = "KilhBEeLMvHtS76Gu0UhzE8lhS1+sCwQ1UL4pswKXTs=";
};
phases = [ "installPhase" ];
installPhase =
''
runHook preInstall
mkdir -p $out
cp -r $src/{include,src} $out
'';
}
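Review bot: `phases = [ "installPhase" ];` bypasses every stdenv hook, including `fixupPhase`, which is the form nixpkgs discourages; the current-style equivalent is `dontUnpack = true; dontConfigure = true; dontBuild = true;`, which keeps fixup so permissions and store references under `$out` are normalised. `installPhase` also calls `runHook preInstall` but never `runHook postInstall`, unlike the mirism derivation in the same change — add `runHook postInstall` after the `cp`. Since `$out` ends up holding headers plus unbuilt `src` rather than a library, a comment stating that consumers are expected to compile the sources themselves (if that is the intent) would spare the next reader a surprise.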


@@ -1,15 +1,11 @@
{ lib, pkgs }: with pkgs; rec
{
typora = callPackage ./typora {};
upho = python3Packages.callPackage ./upho {};
spectral = python3Packages.callPackage ./spectral {};
vesta = callPackage ./vesta {};
oneapi = callPackage ./oneapi {};
send = callPackage ./send {};
rsshub = callPackage ./rsshub {};
misskey = callPackage ./misskey {};
mk-meili-mgn = callPackage ./mk-meili-mgn {};
phonon-unfolding = callPackage ./phonon-unfolding {};
# vasp = callPackage ./vasp
# {
# stdenv = pkgs.lmix-pkgs.intel21Stdenv;
@@ -22,8 +18,6 @@
openmpi = pkgs.openmpi.override { cudaSupport = false; };
};
vaspkit = callPackage ./vaspkit { attrsToList = (import ../lib lib).attrsToList; };
# "12to11" = callPackage ./12to11 {};
huginn = callPackage ./huginn {};
v_sim = callPackage ./v_sim {};
concurrencpp = callPackage ./concurrencpp { stdenv = gcc13Stdenv; };
eigengdb = python3Packages.callPackage ./eigengdb {};
@@ -38,5 +32,13 @@
yoga-support = callPackage ./yoga-support {};
tgbot-cpp = callPackage ./tgbot-cpp {};
biu = callPackage ./biu { inherit concurrencpp tgbot-cpp nameof; stdenv = gcc13Stdenv; };
latex-citation-style-language = callPackage ./latex-citation-style-language {};
citation-style-language = callPackage ./citation-style-language {};
mirism = callPackage ./mirism
{
inherit cppcoro nameof tgbot-cpp date;
nghttp2 = nghttp2-2305.override { enableAsioLib = true; };
};
cppcoro = callPackage ./cppcoro {};
date = callPackage ./date {};
esbonio = python3Packages.callPackage ./esbonio {};
}
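Review bot: `mirism` links against `nghttp2-2305.override { enableAsioLib = true; }`, i.e. an nghttp2 that by its name comes from the separate `nixos-2305` input rather than the 23.11 `nixpkgs` the rest of this set uses, and mirism appears to be the binary serving `ng01.mirism.one` and `beta.mirism.one` on the public interface. An HTTP/2 library pinned to a frozen channel only receives security fixes for as long as that channel is maintained, so a comment recording why the 23.05 build is required (presumably the asio library is no longer available from the 23.11 package) and what would let it be dropped belongs next to that line, e.g. `# 23.11 nghttp2 no longer ships the asio lib; revisit once mirism moves off nghttp2_asio`. The `rec` set continues past both ends of these hunks.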


@@ -0,0 +1,11 @@
{ lib, fetchPypi, buildPythonPackage }: buildPythonPackage rec
{
pname = "esbonio";
version = "0.16.3";
src = fetchPypi
{
inherit pname version;
sha256 = "1ggxdzl95fy0zxpyd1pcylhif1x604wk4wy7sv9322hc84b708zx";
};
doCheck = false;
}
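Review bot: `doCheck = false;` silences the test suite with no reason recorded, and the derivation declares no Python dependencies at all, so whether the resulting package imports at runtime depends entirely on what the consumer installs next to it; a comment such as `# tests need a sphinx fixture — disabled` (with the real reason) is the minimum, and listing esbonio's runtime requirements in `propagatedBuildInputs` would let nix catch a missing `pygls` — the commit log above shows two `fix pygls` commits — at build time rather than at first use. `pythonImportsCheck = [ "esbonio" ];` is a one-line smoke test that does not need the suite.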


@@ -1,29 +0,0 @@
{ lib, stdenv, bundlerEnv, fetchFromGitHub }:
let
pname = "huginn";
version = "20230723";
src = fetchFromGitHub
{
owner = "CHN-beta";
repo = "huginn";
rev = "a02977ad420a01b6460634af19f714db4a8f8f36";
hash = "sha256-Ty2EDCIjbvcf3PzPupcV4s7ZfAFTuYEjSfy0m+Yt3j4=";
};
gems = bundlerEnv
{
name = "${pname}-${version}-gems";
gemdir = "${src}";
gemfile = "${src}/Gemfile";
lockfile = "${src}/Gemfile.lock";
gemset = "${src}/gemset.nix";
copyGemFiles = true;
};
in stdenv.mkDerivation
{
inherit pname version src;
buildInputs = [ gems gems.wrappedRuby ];
installPhase =
''
false
'';
}


@@ -0,0 +1,29 @@
{
lib, stdenv, requireFile,
boost, nghttp2, brotli, nameof, cppcoro, tgbot-cpp, libbacktrace, fmt, date
}: stdenv.mkDerivation rec
{
name = "mirism";
# nix-store --query --hash $(nix store add-path . --name 'mirism')
src = requireFile
{
inherit name;
sha256 = "10r40j4d6nnj930c8rw925akpim8f8sixh1lqrwdyp561nw774s4";
hashMode = "recursive";
message = "Source file not found.";
};
buildInputs = [ boost nghttp2.dev brotli nameof cppcoro tgbot-cpp libbacktrace fmt date ];
buildPhase =
''
runHook preBuild
make ng01 beta
runHook postBuild
'';
installPhase =
''
runHook preInstall
mkdir -p $out/bin
cp build/{ng01,beta} $out/bin
runHook postInstall
'';
}
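Review bot: `requireFile` fails with `message = "Source file not found."`, which is exactly the moment the reader needs the recipe that only the comment above `src` hints at; put the instruction in the message itself, e.g. `message = "mirism source missing: run 'nix store add-path . --name mirism' in the mirism checkout, then update sha256 here if it changed";`. It is also worth a sentence in that comment that, because the hash is fixed, any local change to the source silently keeps building the old tree until the hash here is bumped — the opposite of what someone debugging a server build expects.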


@@ -4,13 +4,13 @@
}:
let
pname = "misskey";
version = "2023.10.2";
version = "2023.11.1";
src = fetchFromGitHub
{
owner = "CHN-beta";
repo = "misskey";
rev = "3f813d9808ebc1774457e02add8fe9c7a6937ff7";
sha256 = "63ZIil28jcMiL+c9FMj7m1OeCrLwsQZNHib+j8ar66s=";
rev = "1e5134816cc23600a0448a62b34aadfe573c3bbc";
sha256 = "ihkFVTpwEELmxAw4Lw01pWr8j6u2oLpfcw3laVUFCO4=";
fetchSubmodules = true;
};
originalPnpmPackage = mkPnpmPackage
@@ -29,38 +29,38 @@ let
re2 = stdenv.mkDerivation rec
{
pname = "re2";
version = "1.20.3";
version = "1.20.8";
srcs =
[
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.br";
sha256 = "0g2k0bki0zm0vaqpz25ww119qcs1flv63h6s5ib3103arpnzmb6d";
url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-120.br";
sha256 = "0f2l658xxc2112mbqpkyfic3vhjgdyafbfi14b6n40skyd6lijcq";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.gz";
sha256 = "1dr9zzzm67jknzvla1l5178lzmj6cfh8i1vsp5r4gkwdwbfh3ip0";
url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-120.gz";
sha256 = "1v5n8i16188xpwx1jr8gcc1a99v83hlbh5hldl4i376vh0lwsxlq";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.br";
sha256 = "0wby987byhshb20np1gglj6y9ji7m7jza5jwa4hyxfxs1pkkmg1n";
url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-115.br";
sha256 = "0cyqmgqk5cwik27wh4ynaf94v4w6p1fsavm07xh8xfmdim2sr9kd";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.gz";
sha256 = "0q3dyxm63d2x0wxx23gdwym7r2gmaw4ahvmd35dgrj179ik290pi";
url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-115.gz";
sha256 = "0i3iykw13d5qfd5s6pq6kx6cbd64vfb3w65f9bnj87qz44la84ic";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.br";
sha256 = "1wjmdni24353ppwfiyrv1zl9ci4g2habk0g2nz6b0sijagcy7bv3";
url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-108.br";
sha256 = "1467frfapqhi839r2v0p0wh76si3lihwzwgl9098mj7mwhjfl4lx";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.gz";
sha256 = "0rgkryjh412g2m7rfrl2krsb9137prkk2y9ga8akn7qp1bqsbq1i";
url = "https://github.com/uhop/node-re2/releases/download/1.20.8/linux-x64-108.gz";
sha256 = "0hykpqdrn55x83v1kzz6bdvrp24hgz3rwmwbdfl2saz576krzg1c";
})
];
phases = [ "installPhase" ];
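Review bot: The release version `1.20.8` is repeated in all six download URLs (L1174, L1181, L1188, L1195, L1202, L1209) even though the derivation is `rec` and already defines `version = "1.20.8"` at L1167, so the next bump has to edit seven places and a URL left on the old version would still be accepted as long as its hash is updated alongside it. Use the attribute instead, e.g. `url = "https://github.com/uhop/node-re2/releases/download/${version}/linux-x64-120.br";`. These are prebuilt native binaries pinned only by hash, so a one-line comment stating which Node ABI numbers (120/115/108) this misskey build actually needs would make the list easier to audit when nodejs changes.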


@@ -1,28 +0,0 @@
{
stdenv, fetchFromGitHub, gfortran, blas
}:
stdenv.mkDerivation
{
pname = "phonon-unfolding";
version = "0";
src = fetchFromGitHub
{
owner = "CHN-beta";
repo = "phonon_unfolding";
rev = "ec363ef2bad0ee18a0839a1681ea9915c0b72e1d";
hash = "sha256-zDTbtYk5OXf//6eS4gEF7IvrpWcRAz18ue48IDZnfSk=";
};
buildInputs = [ blas ];
nativeBuildInputs = [ gfortran ];
buildPhase =
''
gfortran PhononUnfoldingModule.f90 -o PhononUnfoldingModule.mod -c
gfortran PhononUnfolding.f90 -c -o PhononUnfolding.mod
gfortran PhononUnfolding.mod PhononUnfoldingModule.mod -o PhononUnfolding -lblas
'';
installPhase =
''
mkdir -p $out/bin
cp PhononUnfolding $out/bin
'';
}


@@ -8,8 +8,8 @@ let
{
owner = "DIYgod";
repo = "RSSHub";
rev = "4356fad91a268c81b8dacd2e3d9d07dbdce231a0";
sha256 = "rUfXHtePIkBGF1U/tqrXHEsYC5jah2A7hoJZfEAnCoQ=";
rev = "2cfde2ce5e8bd3591feb85543bb4e0df940aad46";
sha256 = "dSq774Qnnpn4y5ky8tHC8ceEx92lXl9G0S5z/XRcoEk=";
};
originalPnpmPackage = mkPnpmPackage { inherit name src nodejs; };
nodeModules = originalPnpmPackage.nodeModules.overrideAttrs { PUPPETEER_SKIP_DOWNLOAD = true; };


@@ -1,15 +0,0 @@
{ buildNpmPackage, fetchFromGitHub, nodejs-16_x }:
buildNpmPackage.override { nodejs = nodejs-16_x; }
{
pname = "send";
version = "3.4.23";
src = fetchFromGitHub
{
owner = "timvisee";
repo = "send";
rev = "6ad2885a168148fb996d3983457bc39527c7c8e5";
hash = "sha256-/w9KhktDVSAmp6EVIRHFM63mppsIzYSm5F7CQQd/2+E=";
};
npmDepsHash = "sha256-r1iaurKuhpP0sevB5pFdtv9j1ikM1fKL7Jgakh4FzTI=";
makeCacheWritable = true;
}


@@ -1,15 +0,0 @@
{
lib, fetchPypi, buildPythonPackage,
numpy, pillow, wxPython_4_2, matplotlib, ipython, pyopengl
}: buildPythonPackage rec
{
pname = "spectral";
version = "0.23.1";
src = fetchPypi
{
inherit pname version;
sha256 = "sha256-4YIic1Je81g7J6lmIm1Vr+CefSmnI2z82LwN+x+Wj8I=";
};
doCheck = false;
propagatedBuildInputs = [ numpy pillow wxPython_4_2 matplotlib ipython pyopengl ];
}


@@ -1,14 +0,0 @@
{ lib, fetchFromGitHub, buildPythonPackage, numpy, h5py, phonopy }: buildPythonPackage rec
{
pname = "upho";
version = "0.6.6";
src = fetchFromGitHub
{
owner = "CHN-beta";
repo = "upho";
rev = "0f27ac6918e8972c70692816438e4ac37ec6b348";
sha256 = "sha256-NvoV+AUH9MmGT4ohrLAAvpLs8APP2DOKYlZVliHrVRM=";
};
doCheck = false;
propagatedBuildInputs = [ numpy h5py phonopy ];
}


@@ -78,8 +78,6 @@ inputs:
firefox.programs.firefox.enable = inputs.lib.mkForce false;
embree.nixpkgs.overlays =
[(final: prev: { embree = prev.embree.override { stdenv = final.genericPackages.stdenv; }; })];
firmware-unstable.nixpkgs.overlays =
[ (final: prev: { linux-firmware = final.unstablePackages.linux-firmware; }) ];
};
in
{


@@ -13,24 +13,38 @@ inputs:
topInputs.nur.nixosModules.nur
topInputs.nur-xddxdd.nixosModules.setupOverlay
topInputs.impermanence.nixosModules.impermanence
(inputs: { config.nixpkgs.overlays =
[
topInputs.qchem.overlays.default
topInputs.nixd.overlays.default
topInputs.nix-alien.overlays.default
topInputs.napalm.overlays.default
topInputs.pnpm2nix-nzbr.overlays.default
topInputs.lmix.overlays.default
(final: prev: topInputs.aagl.overlays.default {} final.unstablePackages)
(import "${topInputs.dguibert-nur-packages}/overlays/nvhpc-overlay")
(final: prev:
(inputs:
{
config =
{
touchix = topInputs.touchix.packages."${prev.system}";
nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev;
deploy-rs = { inherit (prev) deploy-rs; inherit ((topInputs.deploy-rs.overlay final prev).deploy-rs) lib; };
})
];})
nixpkgs.overlays =
[
topInputs.qchem.overlays.default
topInputs.nixd.overlays.default
topInputs.nix-alien.overlays.default
topInputs.napalm.overlays.default
topInputs.pnpm2nix-nzbr.overlays.default
topInputs.lmix.overlays.default
topInputs.aagl.overlays.default
(import "${topInputs.dguibert-nur-packages}/overlays/nvhpc-overlay")
(final: prev:
{
nix-vscode-extensions = topInputs.nix-vscode-extensions.extensions."${prev.system}";
nur-xddxdd = topInputs.nur-xddxdd.overlays.default final prev;
deploy-rs =
{ inherit (prev) deploy-rs; inherit ((topInputs.deploy-rs.overlay final prev).deploy-rs) lib; };
# needed by mirism
nghttp2-2305 =
inputs.pkgs.callPackage "${inputs.topInputs.nixpkgs-2305}/pkgs/development/libraries/nghttp2" {};
})
];
home-manager.sharedModules =
[
topInputs.plasma-manager.homeManagerModules.plasma-manager
topInputs.nix-doom-emacs.hmModule
];
};
})
./hardware ./packages ./system ./virtualization ./services ./bugs ./users
];
}
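Review bot: `nghttp2-2305` at L1373-L1374 pins a network-facing HTTP/2 library to the 23.05 nixpkgs tree, so it only receives security fixes for as long as the `nixpkgs-2305` input is updated and that branch is maintained, and the server binaries built against it (L1127 links `nghttp2.dev`) will silently fall behind afterwards. The comment `# needed by mirism` should record the actual reason, which from L1055 appears to be the asio library: `# mirism needs nghttp2 built with enableAsioLib, dropped after 23.05 — revisit when mirism no longer needs it`. Calling `inputs.pkgs.callPackage` from inside an overlay also reaches back into the module system's `pkgs` rather than the overlay's own fixed point; `final.callPackage` would be the conventional form here, assuming it evaluates the same in this setup.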


@@ -71,7 +71,10 @@ inputs:
let
modules =
{
intel = [ "intel_cstate" "aesni_intel" ];
intel =
[
"intel_cstate" "aesni_intel" "intel_cstate" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp"
];
amd = [];
};
in
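Review bot: `"intel_cstate"` appears twice in the new list at L1397, once at the start and again after `"aesni_intel"`. Whether this is harmless depends on how `modules.intel` is consumed outside the hunk (a duplicate in `boot.kernelModules` is usually deduplicated, but a duplicate in a generated config file may not be); either way it reads like a copy-paste slip, so `"intel_cstate" "aesni_intel" "intel_uncore" "intel_uncore_frequency" "intel_powerclamp"` is the intended line.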


@@ -10,6 +10,7 @@ inputs:
"server"
# gui, for daily use, but not install large programs such as matlab
"desktop"
"desktop-fat"
# nearly everything
"workstation"
];
@@ -44,7 +45,7 @@ inputs:
ksh
# basic tools
beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij neofetch ipfetch localPackages.pslist
unstablePackages.fastfetch
fastfetch reptyr
# lsxx
pciutils usbutils lshw util-linux lsof
# top
@@ -52,9 +53,9 @@ inputs:
# editor
nano bat
# downloader
wget aria2 curl
wget aria2 curl yt-dlp
# file manager
tree exa trash-cli lsd broot file xdg-ninja mlocate
tree eza trash-cli lsd broot file xdg-ninja mlocate
# compress
pigz rar upx unzip zip lzip p7zip
# file system management
@@ -66,11 +67,11 @@ inputs:
# networking
ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils
# nix tools
nix-output-monitor nix-tree
nix-output-monitor nix-tree ssh-to-age
# office
todo-txt-cli
# development
gdb unstablePackages.try
gdb try inputs.topInputs.plasma-manager.packages.x86_64-linux.rc2nix
] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
_pythonPackages = [(pythonPackages: with pythonPackages;
[
@@ -137,7 +138,6 @@ inputs:
extended = true;
save = 100000000;
size = 100000000;
share = true;
};
};
direnv = { enable = true; nix-direnv.enable = true; };
@@ -212,7 +212,6 @@ inputs:
customPkgs = with inputs.pkgs; [ zsh-nix-shell ];
};
};
ccache.enable = true;
command-not-found.enable = false;
adb.enable = true;
gnupg.agent = { enable = true; enableSSHSupport = true; };
@@ -228,6 +227,7 @@ inputs:
core = { quotepath = false; editor = "vim"; };
};
};
# yazi.enable = true;
};
services =
{
@@ -240,7 +240,7 @@ inputs:
vps6 =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5ZcvyRyOnUCuRtqrM/Qf+AdUe3a5bhbnfyhw2FSLDZ";
hostnames = [ "vps6.chn.moe" "74.211.99.69" "192.168.82.1" ];
hostnames = [ "internal.vps6.chn.moe" "vps6.chn.moe" "74.211.99.69" "192.168.82.1" ];
};
"initrd.vps6" =
{
@@ -250,7 +250,7 @@ inputs:
vps7 =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5XkdilejDAlg5hZZD0oq69k8fQpe9hIJylTo/aLRgY";
hostnames = [ "vps7.chn.moe" "95.111.228.40" "192.168.82.2" ];
hostnames = [ "internal.vps7.chn.moe" "vps7.chn.moe" "95.111.228.40" "192.168.82.2" ];
};
"initrd.vps7" =
{
@@ -260,17 +260,17 @@ inputs:
nas =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
hostnames = [ "[office.chn.moe]:5440" "192.168.82.4" ];
hostnames = [ "internal.nas.chn.moe" "[office.chn.moe]:5440" "192.168.82.4" "192.168.1.185" ];
};
"initrd.nas" =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
hostnames = [ "[office.chn.moe]:5440" ];
hostnames = [ "[office.chn.moe]:5440" "192.168.1.185" ];
};
pc =
{
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
hostnames = [ "192.168.8.2.3" ];
hostnames = [ "internal.pc.chn.moe" "192.168.8.2.3" ];
};
hpc =
{
@@ -323,25 +323,11 @@ inputs:
))
(attrsToList servers)));
};
nix.settings.extra-sandbox-paths = [ inputs.config.programs.ccache.cacheDir ];
nixpkgs.config =
{
permittedInsecurePackages = with inputs.pkgs;
[
openssl_1_1.name electron_19.name nodejs-16_x.name python2.name electron_12.name electron_24.name
zotero.name
];
allowUnfree = true;
};
home-manager =
{
useGlobalPkgs = true;
useUserPackages = true;
};
home-manager = { useGlobalPkgs = true; useUserPackages = true; };
}
# >= desktop
(
mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop" "workstation" ] )
mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop" "desktop-fat" "workstation" ] )
{
nixos =
{
@@ -351,36 +337,17 @@ inputs:
[
# system management
gparted snapper-gui libsForQt5.qtstyleplugin-kvantum wl-clipboard-x11 kio-fuse wl-mirror
wayland-utils clinfo glxinfo vulkan-tools dracut etcher unstablePackages.btrfs-assistant
# nix tools
ssh-to-age deploy-rs.deploy-rs nixpkgs-fmt
# instant messager
element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
cinny-desktop # nur-xddxdd.wine-wechat thunder
# browser
google-chrome
wayland-utils clinfo glxinfo vulkan-tools dracut
# networking
remmina putty mtr-gui
# password and key management
bitwarden yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui
# download
qbittorrent yt-dlp nur-xddxdd.baidupcs-go wgetpaste
bitwarden
# office
unstablePackages.crow-translate zotero pandoc ydict
# development
scrcpy
crow-translate zotero pandoc ydict logseq
# media
spotify yesplaymusic mpv nomacs simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc
# text editor
localPackages.typora
mpv nomacs
# themes
orchis-theme tela-circle-icon-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme
arc-kde-theme materia-theme
# news
fluent-reader rssguard
# davinci-resolve playonlinux
weston cage openbox krita
genymotion hdfview electrum
tela-circle-icon-theme
(
vscode-with-extensions.override
{
@@ -413,69 +380,32 @@ inputs:
feiskyer.chatgpt-copilot yukiuuh2936.vscode-modern-fortran-formatter wolframresearch.wolfram
njpipeorgan.wolfram-language-notebook brettm12345.nixfmt-vscode webfreak.debug
gruntfuggly.todo-tree
# restrctured text
lextudio.restructuredtext trond-snekvik.simple-rst
];
}
)
] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
];
_pythonPackages = [(pythonPackages: with pythonPackages;
[
# required by vscode extensions restrucuredtext
localPackages.esbonio
])];
};
users.sharedModules =
[{
config =
{
programs =
{
chromium =
{
enable = true;
extensions =
[
{ id = "mpkodccbngfoacfalldjimigbofkhgjn"; } # Aria2 Explorer
{ id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
{ id = "kbfnbcaeplbcioakkpcpgfkobkghlhen"; } # Grammarly
{ id = "ihnfpdchjnmlehnoeffgcbakfmdjcckn"; } # Pixiv Fanbox Downloader
{ id = "cimiefiiaegbelhefglklhhakcgmhkai"; } # Plasma Integration
{ id = "dkndmhgdcmjdmkdonmbgjpijejdcilfh"; } # Powerful Pixiv Downloader
{ id = "padekgcemlokbadohgkifijomclgjgif"; } # Proxy SwitchyOmega
{ id = "kefjpfngnndepjbopdmoebkipbgkggaa"; } # RSSHub Radar
{ id = "abpdnfjocnmdomablahdcfnoggeeiedb"; } # Save All Resources
{ id = "nbokbjkabcmbfdlbddjidfmibcpneigj"; } # SmoothScroll
{ id = "onepmapfbjohnegdmfhndpefjkppbjkm"; } # SuperCopy 超级复制
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
{ id = "gppongmhjkpfnbhagpmjfkannfbllamg"; } # Wappalyzer
{ id = "hkbdddpiemdeibjoknnofflfgbgnebcm"; } # YouTube™ 双字幕
{ id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
{ id = "ikhdkkncnoglghljlkmcimlnlhkeamad"; } # 划词翻译
{ id = "dhdgffkkebhmkfjojejmpbldmpobfkfo"; } # 篡改猴
{ id = "hipekcciheckooncpjeljhnekcoolahp"; } # Tabliss
{ id = "nkbihfbeogaeaoehlefnkodbefgpgknn"; } # MetaMask
];
};
obs-studio =
{
enable = true;
plugins = with inputs.pkgs.obs-studio-plugins;
[ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
};
};
home.file.".config/baloofilerc".text =
''
[Basic Settings]
Indexing-Enabled=false
'';
};
config.home.file.".config/baloofilerc".text =
''
[Basic Settings]
Indexing-Enabled=false
'';
}];
};
programs =
{
steam.enable = true;
kdeconnect.enable = true;
wireshark = { enable = true; package = inputs.pkgs.wireshark; };
firefox =
{
enable = true;
languagePacks = [ "zh-CN" "en-US" ];
};
vim.package = inputs.pkgs.genericPackages.vim-full;
firefox = { enable = true; languagePacks = [ "zh-CN" "en-US" ]; };
vim.package = inputs.pkgs.vim-full;
};
nixpkgs.config.packageOverrides = pkgs:
{
@@ -487,6 +417,84 @@ inputs:
services.pcscd.enable = true;
}
)
# >= desktop-fat
(
mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop-fat" "workstation" ] )
{
nixos =
{
packages = with inputs.pkgs;
{
_packages =
[
# system management
etcher btrfs-assistant
# password and key management
yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui electrum jabref
# download
qbittorrent nur-xddxdd.baidupcs-go wgetpaste
# development
scrcpy weston cage openbox krita
# media
spotify yesplaymusic simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc
# editor
localPackages.typora hdfview
# themes
orchis-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme arc-kde-theme materia-theme
# news
fluent-reader rssguard newsflash newsboat
# nix tools
deploy-rs.deploy-rs nixpkgs-fmt
# instant messager
element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
cinny-desktop # nur-xddxdd.wine-wechat thunder
# browser
google-chrome microsoft-edge
] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
};
users.sharedModules =
[{
config.programs =
{
chromium =
{
enable = true;
extensions =
[
{ id = "mpkodccbngfoacfalldjimigbofkhgjn"; } # Aria2 Explorer
{ id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
{ id = "kbfnbcaeplbcioakkpcpgfkobkghlhen"; } # Grammarly
{ id = "ihnfpdchjnmlehnoeffgcbakfmdjcckn"; } # Pixiv Fanbox Downloader
{ id = "cimiefiiaegbelhefglklhhakcgmhkai"; } # Plasma Integration
{ id = "dkndmhgdcmjdmkdonmbgjpijejdcilfh"; } # Powerful Pixiv Downloader
{ id = "padekgcemlokbadohgkifijomclgjgif"; } # Proxy SwitchyOmega
{ id = "kefjpfngnndepjbopdmoebkipbgkggaa"; } # RSSHub Radar
{ id = "abpdnfjocnmdomablahdcfnoggeeiedb"; } # Save All Resources
{ id = "nbokbjkabcmbfdlbddjidfmibcpneigj"; } # SmoothScroll
{ id = "onepmapfbjohnegdmfhndpefjkppbjkm"; } # SuperCopy 超级复制
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
{ id = "gppongmhjkpfnbhagpmjfkannfbllamg"; } # Wappalyzer
{ id = "hkbdddpiemdeibjoknnofflfgbgnebcm"; } # YouTube™ 双字幕
{ id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
{ id = "ikhdkkncnoglghljlkmcimlnlhkeamad"; } # 划词翻译
{ id = "dhdgffkkebhmkfjojejmpbldmpobfkfo"; } # 篡改猴
{ id = "hipekcciheckooncpjeljhnekcoolahp"; } # Tabliss
{ id = "nkbihfbeogaeaoehlefnkodbefgpgknn"; } # MetaMask
];
};
obs-studio =
{
enable = true;
plugins = with inputs.pkgs.obs-studio-plugins;
[ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
};
doom-emacs = { enable = true; doomPrivateDir = ./doom.d; };
};
}];
};
programs = { steam.enable = true; kdeconnect.enable = true; };
}
)
# >= workstation
(
mkIf (inputs.config.nixos.packages.packageSet == "workstation")
@@ -502,13 +510,9 @@ inputs:
zoom-us signal-desktop qq nur-xddxdd.wechat-uos slack # jail
# office
libreoffice-qt texstudio poppler_utils pdftk gnuplot pdfchain
(texlive.combine
{
inherit (texlive) scheme-full;
inherit (localPackages) latex-citation-style-language;
})
(texlive.combine { inherit (texlive) scheme-full; inherit (localPackages) citation-style-language; })
# development
jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify
jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify aircrack-ng
# media
nur-xddxdd.svp obs-studio waifu2x-converter-cpp inkscape blender
# virtualization
@@ -517,19 +521,20 @@ inputs:
appflowy notion-app-enhanced joplin-desktop standardnotes
# math, physics and chemistry
mathematica octaveFull root ovito paraview localPackages.vesta qchem.quantum-espresso
localPackages.vasp localPackages.phonon-unfolding localPackages.vaspkit jmol localPackages.v_sim
# news
newsflash newsboat
microsoft-edge
localPackages.vasp localPackages.vaspkit jmol localPackages.v_sim
# encryption and password management
john crunch hashcat
# container and vm
genymotion # davinci-resolve playonlinux
];
_pythonPackages = [(pythonPackages: with pythonPackages;
[
phonopy tensorflow keras openai scipy scikit-learn jupyterlab
phonopy tensorflow keras openai scipy scikit-learn jupyterlab autograd
])];
_prebuildPackages =
[
httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2
unstablePackages.gcc13Stdenv
gcc13Stdenv
];
};
programs =
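Review bot: The known-host entry for `pc` at L1507 keeps `"192.168.8.2.3"`, which is not a valid IPv4 address (five octets), so host-key pinning for that machine never matches when it is reached by IP and only the new `internal.pc.chn.moe` name is covered; the neighbouring hosts use `192.168.82.1`, `.2` and `.4`, so `.3` is presumably what was meant, but confirm against the host before changing it. The hunk at L1490-L1510 is the only place this appears. Separately, the comments `# restrctured text` (L1585) and `# required by vscode extensions restrucuredtext` (L1594) both misspell "restructuredtext".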



@@ -0,0 +1,191 @@
;;; init.el -*- lexical-binding: t; -*-
;; This file controls what Doom modules are enabled and what order they load
;; in. Remember to run 'doom sync' after modifying it!
;; NOTE Press 'SPC h d h' (or 'C-h d h' for non-vim users) to access Doom's
;; documentation. There you'll find a "Module Index" link where you'll find
;; a comprehensive list of Doom's modules and what flags they support.
;; NOTE Move your cursor over a module's name (or its flags) and press 'K' (or
;; 'C-c c k' for non-vim users) to view its documentation. This works on
;; flags as well (those symbols that start with a plus).
;;
;; Alternatively, press 'gd' (or 'C-c c d') on a module to browse its
;; directory (for easy access to its source code).
(doom! :input
;;chinese
;;japanese
;;layout ; auie,ctsrnm is the superior home row
:completion
company ; the ultimate code completion backend
;;helm ; the *other* search engine for love and life
;;ido ; the other *other* search engine...
;;ivy ; a search engine for love and life
vertico ; the search engine of the future
:ui
;;deft ; notational velocity for Emacs
doom ; what makes DOOM look the way it does
doom-dashboard ; a nifty splash screen for Emacs
doom-quit ; DOOM quit-message prompts when you quit Emacs
;;(emoji +unicode) ; 🙂
hl-todo ; highlight TODO/FIXME/NOTE/DEPRECATED/HACK/REVIEW
;;hydra
;;indent-guides ; highlighted indent columns
;;ligatures ; ligatures and symbols to make your code pretty again
;;minimap ; show a map of the code on the side
modeline ; snazzy, Atom-inspired modeline, plus API
;;nav-flash ; blink cursor line after big motions
;;neotree ; a project drawer, like NERDTree for vim
ophints ; highlight the region an operation acts on
(popup +defaults) ; tame sudden yet inevitable temporary windows
;;tabs ; a tab bar for Emacs
;;treemacs ; a project drawer, like neotree but cooler
;;unicode ; extended unicode support for various languages
vc-gutter ; vcs diff in the fringe
vi-tilde-fringe ; fringe tildes to mark beyond EOB
;;window-select ; visually switch windows
workspaces ; tab emulation, persistence & separate workspaces
;;zen ; distraction-free coding or writing
:editor
(evil +everywhere); come to the dark side, we have cookies
file-templates ; auto-snippets for empty files
fold ; (nigh) universal code folding
;;(format +onsave) ; automated prettiness
;;god ; run Emacs commands without modifier keys
;;lispy ; vim for lisp, for people who don't like vim
;;multiple-cursors ; editing in many places at once
;;objed ; text object editing for the innocent
;;parinfer ; turn lisp into python, sort of
;;rotate-text ; cycle region at point between text candidates
snippets ; my elves. They type so I don't have to
;;word-wrap ; soft wrapping with language-aware indent
:emacs
dired ; making dired pretty [functional]
electric ; smarter, keyword-based electric-indent
;;ibuffer ; interactive buffer management
undo ; persistent, smarter undo for your inevitable mistakes
vc ; version-control and Emacs, sitting in a tree
:term
;;eshell ; the elisp shell that works everywhere
;;shell ; simple shell REPL for Emacs
;;term ; basic terminal emulator for Emacs
;;vterm ; the best terminal emulation in Emacs
:checkers
syntax ; tasing you for every semicolon you forget
;;(spell +flyspell) ; tasing you for misspelling mispelling
;;grammar ; tasing grammar mistake every you make
:tools
;;ansible
;;biblio ; Writes a PhD for you (citation needed)
;;debugger ; FIXME stepping through code, to help you add bugs
;;direnv
;;docker
;;editorconfig ; let someone else argue about tabs vs spaces
;;ein ; tame Jupyter notebooks with emacs
(eval +overlay) ; run code, run (also, repls)
;;gist ; interacting with github gists
lookup ; navigate your code and its documentation
;;lsp ; M-x vscode
magit ; a git porcelain for Emacs
;;make ; run make tasks from Emacs
;;pass ; password manager for nerds
;;pdf ; pdf enhancements
;;prodigy ; FIXME managing external services & code builders
;;rgb ; creating color strings
;;taskrunner ; taskrunner for all your projects
;;terraform ; infrastructure as code
;;tmux ; an API for interacting with tmux
;;upload ; map local to remote projects via ssh/ftp
:os
(:if IS-MAC macos) ; improve compatibility with macOS
;;tty ; improve the terminal Emacs experience
:lang
;;agda ; types of types of types of types...
;;beancount ; mind the GAAP
;;cc ; C > C++ == 1
;;clojure ; java with a lisp
;;common-lisp ; if you've seen one lisp, you've seen them all
;;coq ; proofs-as-programs
;;crystal ; ruby at the speed of c
;;csharp ; unity, .NET, and mono shenanigans
;;data ; config/data formats
;;(dart +flutter) ; paint ui and not much else
;;dhall
;;elixir ; erlang done right
;;elm ; care for a cup of TEA?
emacs-lisp ; drown in parentheses
;;erlang ; an elegant language for a more civilized age
;;ess ; emacs speaks statistics
;;factor
;;faust ; dsp, but you get to keep your soul
;;fortran ; in FORTRAN, GOD is REAL (unless declared INTEGER)
;;fsharp ; ML stands for Microsoft's Language
;;fstar ; (dependent) types and (monadic) effects and Z3
;;gdscript ; the language you waited for
;;(go +lsp) ; the hipster dialect
;;(haskell +lsp) ; a language that's lazier than I am
;;hy ; readability of scheme w/ speed of python
;;idris ; a language you can depend on
;;json ; At least it ain't XML
;;(java +meghanada) ; the poster child for carpal tunnel syndrome
;;javascript ; all(hope(abandon(ye(who(enter(here))))))
;;julia ; a better, faster MATLAB
;;kotlin ; a better, slicker Java(Script)
;;latex ; writing papers in Emacs has never been so fun
;;lean ; for folks with too much to prove
;;ledger ; be audit you can be
;;lua ; one-based indices? one-based indices
markdown ; writing docs for people to ignore
;;nim ; python + lisp at the speed of c
;;nix ; I hereby declare "nix geht mehr!"
;;ocaml ; an objective camel
org ; organize your plain life in plain text
;;php ; perl's insecure younger brother
;;plantuml ; diagrams for confusing people more
;;purescript ; javascript, but functional
;;python ; beautiful is better than ugly
;;qt ; the 'cutest' gui framework ever
;;racket ; a DSL for DSLs
;;raku ; the artist formerly known as perl6
;;rest ; Emacs as a REST client
;;rst ; ReST in peace
;;(ruby +rails) ; 1.step {|i| p "Ruby is #{i.even? ? 'love' : 'life'}"}
;;rust ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
;;scala ; java, but good
;;(scheme +guile) ; a fully conniving family of lisps
sh ; she sells {ba,z,fi}sh shells on the C xor
;;sml
;;solidity ; do you need a blockchain? No.
;;swift ; who asked for emoji variables?
;;terra ; Earth and Moon in alignment for performance.
;;web ; the tubes
;;yaml ; JSON, but readable
;;zig ; C, but simpler
:email
;;(mu4e +org +gmail)
;;notmuch
;;(wanderlust +gmail)
:app
;;calendar
;;emms
;;everywhere ; *leave* Emacs!? You must be joking
;;irc ; how neckbeards socialize
;;(rss +org) ; emacs as an RSS reader
;;twitter ; twitter client https://twitter.com/vnought
:config
;;literate
(default +bindings +smartparens))



@@ -855,7 +855,7 @@
#
# These variables correspond to the last line of the output of `todo.sh -p ls`:
#
# TODO: 24 of 42 tasks shown
# TO DO: 24 of 42 tasks shown
#
# Here 24 is P9K_TODO_FILTERED_TASK_COUNT and 42 is P9K_TODO_TOTAL_TASK_COUNT.
#


@@ -3,10 +3,15 @@ inputs:
options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
certs = mkOption
cert = mkOption
{
type = types.listOf (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
default = [];
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
domains = mkOption
{ type = types.nonEmptyListOf types.nonEmptyStr; default = [ submoduleInputs.config._module.args.name ]; };
group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
};}));
default = {};
};
};
config =
@@ -14,6 +19,7 @@ inputs:
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) acme;
inherit (builtins) map listToAttrs;
inherit (inputs.localLib) attrsToList;
in mkIf acme.enable
{
security.acme =
@@ -23,16 +29,17 @@ inputs:
certs = listToAttrs (map
(cert:
{
name = if builtins.typeOf cert == "string" then cert else builtins.elemAt cert 0;
name = builtins.elemAt cert.value.domains 0;
value =
{
dnsResolver = "8.8.8.8";
dnsProvider = "cloudflare";
credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
extraDomainNames = if builtins.typeOf cert == "string" then [] else builtins.tail cert;
extraDomainNames = builtins.tail cert.value.domains;
group = mkIf (cert.value.group != null) cert.value.group;
};
})
acme.certs);
(attrsToList acme.cert));
};
sops.secrets."acme/cloudflare.ini" = {};
};
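Review bot: `name = builtins.elemAt cert.value.domains 0;` at L2024 discards the attribute name the user chose under `nixos.services.acme.cert` and keys `security.acme.certs` by the first domain instead, so as soon as a module sets `domains` to a list that does not start with the attribute name, consumers that look the certificate up by attribute name (the coturn module does so via `security.acme.certs.${coturn.hostname}.directory`) will fail to find it. Keeping the key stable and passing the domain explicitly avoids that: `name = cert.name;` together with `domain = builtins.elemAt cert.value.domains 0;` inside `value`. The hard-coded `dnsResolver = "8.8.8.8"` at L2027 is pre-existing context, but a one-line comment on why an external resolver is forced for the DNS-01 challenge would help the next reader.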


@@ -9,10 +9,7 @@ inputs:
[
types.nonEmptyStr
(types.submodule { options =
{
device = mkOption { type = types.nonEmptyStr; };
hashTableSizeMB = mkOption { type = types.int; };
};})
{ device = mkOption { type = types.nonEmptyStr; }; hashTableSizeMB = mkOption { type = types.int; }; };})
]);
default = {};
};


@@ -11,22 +11,22 @@ inputs:
inherit (inputs.lib) mkIf;
in mkIf coturn.enable
{
services.coturn =
let
keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory;
in
{
enable = true;
use-auth-secret = true;
static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
realm = coturn.hostname;
cert = "${keydir}/full.pem";
pkey = "${keydir}/key.pem";
no-cli = true;
};
services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
{
enable = true;
use-auth-secret = true;
static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
realm = coturn.hostname;
cert = "${keydir}/full.pem";
pkey = "${keydir}/key.pem";
no-cli = true;
};
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
nixos.services.acme = { enable = true; certs = [ coturn.hostname ]; };
security.acme.certs.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
nixos.services.acme =
{
enable = true;
cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
};
networking.firewall = with inputs.config.services.coturn;
{
allowedUDPPorts = [ listening-port tls-listening-port ];
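Review bot: coturn reads `cert` and `pkey` (L2081-L2082) from the ACME directory at start-up, and nothing in this hunk or in the acme module hunk arranges for the service to be reloaded when the certificate is renewed, so unless it is configured elsewhere the TURN server keeps serving the old certificate until its next restart. `security.acme.certs.${coturn.hostname}.reloadServices = [ "coturn.service" ];` closes that gap. The new `cert.${coturn.hostname}.group` option at L2091 makes the private key group-readable by coturn's group, which is the minimal grant here; a short comment saying so would save the next reader from checking.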


@@ -24,19 +24,25 @@ inputs:
./mariadb.nix
./photoprism.nix
./nextcloud.nix
./freshrss.nix
./kmscon.nix
./fontconfig.nix
./nix-serve.nix
./send.nix
./huginn.nix
./httpua
./fz-new-order
./httpapi.nix
./mirism.nix
./mastodon.nix
./gitlab.nix
./grafana.nix
./fail2ban.nix
];
options.nixos.services = let inherit (inputs.lib) mkOption types; in
{
kmscon.enable = mkOption { type = types.bool; default = false; };
fontconfig.enable = mkOption { type = types.bool; default = false; };
firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
nix-serve =
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; };
};
smartd.enable = mkOption { type = types.bool; default = false; };
fileshelter.enable = mkOption { type = types.bool; default = false; };
wallabag.enable = mkOption { type = types.bool; default = false; };
noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
};
@@ -48,49 +54,7 @@ inputs:
inherit (builtins) map listToAttrs toString;
in mkMerge
[
(
mkIf services.kmscon.enable
{
services.kmscon =
{
enable = true;
fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
};
}
)
(
mkIf services.fontconfig.enable
{
fonts =
{
fontDir.enable = true;
fonts = with inputs.pkgs;
[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
fontconfig.defaultFonts =
{
emoji = [ "Noto Color Emoji" ];
monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
};
};
}
)
{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
(
mkIf services.nix-serve.enable
{
services.nix-serve =
{
enable = true;
openFirewall = true;
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
};
sops.secrets."store/signingKey" = {};
nixos.services.nginx.http.${services.nix-serve.hostname} =
{ rewriteHttps = true; locations."/".proxy.upstream = "http://127.0.0.1:5000"; };
}
)
(mkIf services.smartd.enable { services.smartd.enable = true; })
(
mkIf services.wallabag.enable
@@ -110,11 +74,6 @@ inputs:
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ];
};
# systemd.services.docker-wallabag.serviceConfig =
# {
# User = "wallabag";
# Group = "wallabag";
# };
sops =
{
templates."wallabag/env".content =
@@ -138,33 +97,7 @@ inputs:
# SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe
# SYMFONY__ENV__FROM_EMAIL=bot@chn.moe
# SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe
secrets =
{
"redis/wallabag".owner = inputs.config.users.users.redis-wallabag.name;
"postgresql/wallabag" = {};
"mail/bot-encoded" = {};
};
};
services =
{
redis.servers.wallabag =
{
enable = true;
bind = null;
port = 8790;
requirePassFile = inputs.config.sops.secrets."redis/wallabag".path;
};
postgresql =
{
ensureDatabases = [ "wallabag" ];
ensureUsers =
[{
name = "wallabag";
ensurePermissions."DATABASE \"wallabag\"" = "ALL PRIVILEGES";
}];
# ALTER DATABASE db_name OWNER TO new_owner_name
# sudo docker exec -t wallabag /var/www/wallabag/bin/console wallabag:install --env=prod --no-interaction
};
secrets."mail/bot-encoded" = {};
};
nixos =
{
@@ -173,21 +106,13 @@ inputs:
nginx =
{
enable = true;
http."wallabag.chn.moe" =
{
rewriteHttps = true;
locations."/".proxy = { upstream = "http://127.0.0.1:4398"; setHeaders.Host = "wallabag.chn.moe"; };
};
https."wallabag.chn.moe".location."/".proxy.upstream = "http://127.0.0.1:4398";
};
postgresql.enable = true;
postgresql = { enable = true; instances.wallabag = {}; };
redis.instances.wallabag = { user = "root"; port = 8790; };
};
virtualization.docker.enable = true;
};
# users =
# {
# users.wallabag = { isSystemUser = true; group = "wallabag"; autoSubUidGidRange = true; };
# groups.wallabag = {};
# };
}
)
(mkIf services.noisetorch.enable { programs.noisetorch.enable = true; })


@@ -0,0 +1,19 @@
inputs:
{
options.nixos.services.fail2ban = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services) fail2ban;
inherit (inputs.lib) mkIf;
in mkIf fail2ban.enable
{
services.fail2ban =
{
enable = true;
ignoreIP = [ "127.0.0.0/8" "192.168.0.0/16" "vps6.chn.moe" ];
};
};
}
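Review bot: `ignoreIP` in the `services.fail2ban` block exempts a DNS name, `vps6.chn.moe`, which fail2ban has to resolve when the jail starts, so the exemption silently follows whatever that record points to (including a spoofed answer), and the whole `192.168.0.0/16` is exempted rather than the subnet actually in use. If the VPS address is static, pin it as an address or CIDR instead, e.g. `ignoreIP = [ "127.0.0.0/8" "<lan subnet>/24" "<vps6 address>/32" ];`, and make `bantime`/`maxretry` explicit so the module defaults are not silently relied on. Only `enable` is set here, so presumably just the default sshd jail is active; if the nginx-fronted services are meant to be covered, their jails are still missing.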


@@ -0,0 +1,27 @@
inputs:
{
options.nixos.services.fontconfig = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) fontconfig;
in mkIf fontconfig.enable
{
fonts =
{
fontDir.enable = true;
packages = with inputs.pkgs;
[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
fontconfig.defaultFonts =
{
emoji = [ "Noto Color Emoji" ];
monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
};
};
};
}


@@ -0,0 +1,52 @@
inputs:
{
options.nixos.services.freshrss = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "freshrss.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) freshrss;
inherit (inputs.lib) mkIf;
in mkIf freshrss.enable
{
services.freshrss =
{
enable = true;
baseUrl = "https://${freshrss.hostname}";
defaultUser = "chn";
passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
virtualHost = null;
};
sops.secrets =
{
"freshrss/chn".owner = inputs.config.users.users.freshrss.name;
"freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
};
systemd.services.freshrss-config.after = [ "mysql.service" ];
nixos.services =
{
mariadb = { enable = true; instances.freshrss = {}; };
nginx.https.${freshrss.hostname} =
{
location =
{
"/".static =
{
root = "${inputs.pkgs.freshrss}/p";
index = [ "index.php" ];
tryFiles = [ "$uri" "$uri/" "$uri/index.php" ];
};
"~ ^.+?\.php(/.*)?$".php =
{
root = "${inputs.pkgs.freshrss}/p";
fastcgiPass =
"unix:${inputs.config.services.phpfpm.pools.${inputs.config.services.freshrss.pool}.socket}";
};
};
};
};
};
}
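Review bot: In the PHP location key `"~ ^.+?\.php(/.*)?$"` Nix reads `\.` inside a double-quoted string as a plain `.`, so the regex nginx actually receives is `^.+?.php(/.*)?$` and matches any character before `php`; write it as `"~ ^.+?\\.php(/.*)?$"`. The `(/.*)?` suffix also admits PATH_INFO-style URIs such as `/x.png/anything.php`, which is only safe if the `php` location helper sets `fastcgi_split_path_info` and refuses scripts that do not exist on disk (`try_files $fastcgi_script_name =404`); that helper is outside this diff, so confirm it does. Owning `freshrss/chn` and `freshrss/db` by the freshrss user is right; `"freshrss/db"` re-keys `mariadb/freshrss`, which the mariadb instance helper presumably also declares, so there are two copies of the same password on disk.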


@@ -21,6 +21,30 @@ inputs:
}));
default = {};
};
stcp = mkOption
{
type = types.attrsOf (types.submodule (inputs:
{
options =
{
localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
localPort = mkOption { type = types.ints.unsigned; };
};
}));
default = {};
};
stcpVisitor = mkOption
{
type = types.attrsOf (types.submodule (inputs:
{
options =
{
localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
localPort = mkOption { type = types.ints.unsigned; };
};
}));
default = {};
};
};
frpServer =
{
@@ -31,6 +55,7 @@ inputs:
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.lib.strings) splitString;
inherit (inputs.localLib) attrsToList;
inherit (inputs.config.nixos.services) frpClient frpServer;
inherit (builtins) map listToAttrs;
@@ -42,7 +67,7 @@ inputs:
systemd.services.frpc =
let
frpc = "${inputs.pkgs.frp}/bin/frpc";
config = inputs.config.sops.templates."frpc.ini";
config = inputs.config.sops.templates."frpc.json";
in
{
description = "Frp Client Service";
@@ -61,40 +86,58 @@ inputs:
};
sops =
{
templates."frpc.ini" =
templates."frpc.json" =
{
owner = inputs.config.users.users.frp.name;
group = inputs.config.users.users.frp.group;
content = inputs.lib.generators.toINI {}
(
{
common =
{
server_addr = frpClient.serverName;
server_port = 7000;
token = inputs.config.sops.placeholder."frp/token";
user = frpClient.user;
tls_enable = true;
};
}
// (listToAttrs (map
content = builtins.toJSON
{
auth.token = inputs.config.sops.placeholder."frp/token";
user = frpClient.user;
serverAddr = frpClient.serverName;
serverPort = 7000;
proxies =
(map
(tcp:
{
name = tcp.name;
value =
{
type = "tcp";
local_ip = tcp.value.localIp;
local_port = tcp.value.localPort;
remote_port = tcp.value.remotePort;
use_compression = true;
};
type = "tcp";
transport.useCompression = true;
inherit (tcp.value) localIp localPort remotePort;
})
(attrsToList frpClient.tcp))
)
);
++ (map
(stcp:
{
name = stcp.name;
type = "stcp";
transport.useCompression = true;
secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
inherit (stcp.value) localIp localPort;
})
(attrsToList frpClient.stcp));
visitors = map
(stcp:
{
name = stcp.name;
type = "stcp";
transport = { useCompression = true; tls.enable = true; };
secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
serverUser = builtins.elemAt (splitString "." stcp.name) 0;
serverName = builtins.elemAt (splitString "." stcp.name) 1;
bindAddr = stcp.value.localIp;
bindPort = stcp.value.localPort;
})
(attrsToList frpClient.stcpVisitor);
};
};
secrets."frp/token" = {};
secrets = listToAttrs
(
[{ name = "frp/token"; value = {}; }]
++ (map
(stcp: { name = "frp/stcp/${stcp.name}"; value = {}; })
(attrsToList (with frpClient; stcp // stcpVisitor)))
);
};
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
}
@@ -105,7 +148,7 @@ inputs:
systemd.services.frps =
let
frps = "${inputs.pkgs.frp}/bin/frps";
config = inputs.config.sops.templates."frps.ini";
config = inputs.config.sops.templates."frps.json";
in
{
description = "Frp Server Service";
@@ -124,28 +167,25 @@ inputs:
};
sops =
{
templates."frps.ini" =
templates."frps.json" =
{
owner = inputs.config.users.users.frp.name;
group = inputs.config.users.users.frp.group;
content = inputs.lib.generators.toINI {}
content = builtins.toJSON
{
common = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
auth.token = inputs.config.sops.placeholder."frp/token";
transport.tls = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
{
bind_port = 7000;
bind_udp_port = 7000;
token = inputs.config.sops.placeholder."frp/token";
tls_cert_file = "${cert}/full.pem";
tls_key_file = "${cert}/key.pem";
tls_only = true;
user_conn_timeout = 30;
force = true;
certFile = "${cert}/full.pem";
keyFile = "${cert}/key.pem";
serverName = frpServer.serverName;
};
};
};
secrets."frp/token" = {};
};
nixos.services.acme = { enable = true; certs = [ frpServer.serverName ]; };
security.acme.certs.${frpServer.serverName}.group = "frp";
nixos.services.acme = { enable = true; cert.${frpServer.serverName}.group = "frp"; };
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
networking.firewall.allowedTCPPorts = [ 7000 ];
}
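Review bot: The client `transport` in the new `frpc.json` template drops the explicit `tls_enable = true` the INI version had (only the stcp visitors set `transport.tls.enable = true`), so client-to-server TLS now rests on frp's default, and nothing pins the server identity: with no `transport.tls.serverName`/`trustedCaFile`, frpc presumably accepts any certificate frps presents, which undoes part of what `transport.tls.force = true` on the server buys. Since frps serves a publicly trusted ACME certificate for `frpServer.serverName`, the client can verify it: `transport.tls = { enable = true; serverName = frpClient.serverName; trustedCaFile = "${inputs.pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; };`. The visitor `serverUser`/`serverName` are derived with `elemAt (splitString "." stcp.name) 1`, which is an evaluation error for a visitor name without a dot; a `types.strMatching` on the `stcpVisitor` key or an assertion would surface that at build time instead. On the frps side `transport.tls.serverName` is a client-side field and is presumably ignored.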


@@ -0,0 +1,104 @@
inputs:
{
options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services) fz-new-order;
inherit (inputs.localLib) attrsToList;
inherit (inputs.lib) mkIf;
inherit (builtins) map listToAttrs toString concatLists;
in mkIf fz-new-order.enable
{
users =
{
users.fz-new-order =
{ isSystemUser = true; group = "fz-new-order"; home = "/var/lib/fz-new-order"; createHome = true; };
groups.fz-new-order = {};
};
systemd =
{
timers.fz-new-order =
{
wantedBy = [ "timers.target" ];
timerConfig =
{
OnBootSec = "10m";
OnUnitActiveSec = "10m";
Unit = "fz-new-order.service";
};
};
services.fz-new-order = rec
{
description = "fz-new-order";
after = [ "network.target" ];
requires = after;
serviceConfig =
{
User = inputs.config.users.users."fz-new-order".name;
Group = inputs.config.users.users."fz-new-order".group;
WorkingDirectory = "/var/lib/fz-new-order";
ExecStart =
let
src = inputs.pkgs.substituteAll
{
src = ./main.cpp;
config_file = inputs.config.sops.templates."fz-new-order/config.json".path;
};
binary = inputs.pkgs.stdenv.mkDerivation
{
name = "fz-new-order";
inherit src;
buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
dontUnpack = true;
buildPhase =
''
runHook preBuild
g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
runHook postBuild
'';
installPhase =
''
runHook preInstall
mkdir -p $out/bin
cp fz-new-order $out/bin/fz-new-order
runHook postInstall
'';
};
in "${binary}/bin/fz-new-order";
};
};
};
sops = let userNum = 6; configNum = 2; in
{
templates."fz-new-order/config.json" =
{
owner = inputs.config.users.users."fz-new-order".name;
group = inputs.config.users.users."fz-new-order".group;
content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
{
manager = placeholder."fz-new-order/manager";
token = placeholder."fz-new-order/token";
uids = map (j: placeholder."fz-new-order/uids/user${toString j}") (builtins.genList (n: n) userNum);
config = map
(i: listToAttrs (map
(attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
[ "username" "password" "comment" ]))
(builtins.genList (n: n) configNum);
};
};
secrets =
{ "fz-new-order/manager" = {}; "fz-new-order/token" = {}; }
// (listToAttrs (map
(i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
(builtins.genList (n: n) userNum)))
// (listToAttrs (concatLists (map
(i: map
(attrName: { name = "fz-new-order/config${toString i}/${attrName}"; value = {}; })
[ "username" "password" "comment" ])
(builtins.genList (n: n) configNum))));
};
};
}
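Review bot: The `fz-new-order` unit is a pure network client, yet it is ordered `after = [ "network.target" ]`, which does not wait for connectivity, so the first timer run after boot can fail before a route exists (the binary aborts on a failed request); use `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` and keep `requires = after` only if a hard dependency is really wanted for a timer-driven job. The unit handles third-party credentials from `config.json` but carries no sandboxing; with the state directory already fixed, `ProtectSystem = "strict"; ProtectHome = true; ReadWritePaths = [ "/var/lib/fz-new-order" ];` plus `PrivateTmp = true;` costs nothing here. The `ExecStart` derivation calls `g++` directly rather than `$CXX`, which means the build ignores the stdenv's chosen compiler and hardening flags.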


@@ -0,0 +1,254 @@
# include <iostream>
# include <set>
# include <sstream>
# include <filesystem>
# include <cereal/types/set.hpp>
# include <cereal/archives/json.hpp>
# include <fmt/format.h>
# include <fmt/ranges.h>
# include <httplib.h>
# include <json/json.h>
std::string urlencode(std::string s)
{
auto hexchar = [](unsigned char c, unsigned char &hex1, unsigned char &hex2)
{
hex1 = c / 16;
hex2 = c % 16;
hex1 += hex1 <= 9 ? '0' : 'a' - 10;
hex2 += hex2 <= 9 ? '0' : 'a' - 10;
};
const char *str = s.c_str();
std::vector<char> v(s.size());
v.clear();
for (std::size_t i = 0, l = s.size(); i < l; i++)
{
char c = str[i];
if
(
(c >= '0' && c <= '9')
|| (c >= 'a' && c <= 'z')
|| (c >= 'A' && c <= 'Z')
|| c == '-' || c == '_' || c == '.' || c == '!' || c == '~'
|| c == '*' || c == '\'' || c == '(' || c == ')'
)
v.push_back(c);
else
{
v.push_back('%');
unsigned char d1, d2;
hexchar(c, d1, d2);
v.push_back(d1);
v.push_back(d2);
}
}
return std::string(v.cbegin(), v.cend());
}
void oneshot
(
const std::string& username, const std::string& password, const std::string& comment,
const std::set<std::string>& wxuser, const std::set<std::string>& manager, const std::string& token
)
{
httplib::Client fzclient("http://scmv9.fengzhansy.com:8882");
httplib::Client wxclient("http://wxpusher.zjiecode.com");
auto& log = std::clog;
try
{
// get JSESSIONID
auto cookie_jsessionid = [&]() -> std::string
{
log << "get /scmv9/login.jsp\n";
auto result = fzclient.Get("/scmv9/login.jsp");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
auto it = result.value().headers.find("Set-Cookie");
if (it == result.value().headers.end() || it->first != "Set-Cookie")
throw std::runtime_error("find cookie failed");
log << fmt::format("set_cookie JSESSIONID {}\n", it->second.substr(0, it->second.find(';')));
return it->second.substr(0, it->second.find(';'));
}();
// login
auto cookie_pppp = [&]() -> std::string
{
auto body = fmt::format("method=dologinajax&rand=1234&userc={}&mdid=P&passw={}", username, password);
httplib::Headers headers =
{
{ "X-Requested-With", "XMLHttpRequest" },
{
"User-Agent",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
},
{ "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
{ "Origin", "http://scmv9.fengzhansy.com:8882" },
{ "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/login.jsp" },
{ "Cookie", cookie_jsessionid }
};
log << "post /scmv9/data.jsp\n";
auto result = fzclient.Post("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
log << fmt::format("set_cookie pppp {}\n", fmt::format("pppp={}%40{}", username, password));
return fmt::format("pppp={}%40{}", username, password);
}();
// get order list
auto order_list = [&]() -> std::map<std::string, std::pair<std::string, std::string>>
{
auto body = fmt::format("method=dgate&rand=1234&op=scmmgr_pcggl&nv%5B%5D=opmode&nv%5B%5D=dd_qry&nv%5B%5D=bill&nv%5B%5D=&nv%5B%5D=storeid&nv%5B%5D=&nv%5B%5D=vendorid&nv%5B%5D={}&nv%5B%5D=qr_status&nv%5B%5D=&nv%5B%5D=ddprt&nv%5B%5D=%25&nv%5B%5D=fdate&nv%5B%5D=&nv%5B%5D=tdate&nv%5B%5D=&nv%5B%5D=shfdate&nv%5B%5D=&nv%5B%5D=shtdate&nv%5B%5D=&nv%5B%5D=fy_pno&nv%5B%5D=1&nv%5B%5D=fy_psize&nv%5B%5D=10", username);
httplib::Headers headers =
{
{ "X-Requested-With", "XMLHttpRequest" },
{
"User-Agent",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
},
{ "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
{ "Origin", "http://scmv9.fengzhansy.com:8882"
},
{ "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/SCM/cggl_po_qry.jsp" },
{ "Cookie", fmt::format("{}; {}", cookie_jsessionid, cookie_pppp) }
};
log << "post /scmv9/data.jsp\n";
auto result = fzclient.Post("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
log << fmt::format("get result {}\n", result.value().body);
std::stringstream result_body(result.value().body);
Json::Value root;
result_body >> root;
std::map<std::string, std::pair<std::string, std::string>> orders;
for (unsigned i = 0; i < root["dt"][1].size(); i++)
{
log << fmt::format
(
"insert order {} {} {}\n", root["dt"][1][i].asString(), root["dt"][2][i].asString(),
root["dt"][4][i].asString()
);
orders.insert({root["dt"][1][i].asString(), {root["dt"][2][i].asString(), root["dt"][4][i].asString()}});
}
return orders;
}();
// read order old
auto order_old = [&]() -> std::set<std::string>
{
if (!std::filesystem::exists("orders.json"))
return {};
else
{
std::ifstream ins("orders.json");
cereal::JSONInputArchive ina(ins);
std::set<std::string> data;
cereal::load(ina, data);
return data;
}
}();
// push new order info
for (const auto& order : order_list)
if (!order_old.contains(order.first))
{
for (const auto& user : manager)
{
auto path = fmt::format
(
"/api/send/message/?appToken={}&content={}&uid={}",
token, urlencode(fmt::format("push {}", order.first)), user
);
auto wxresult = wxclient.Get(path.c_str());
}
auto body = fmt::format
(
"method=dgate&rand=1234&op=scmmgr_pcggl&nv%5B%5D=opmode&nv%5B%5D=ddsp_qry&nv%5B%5D=bill&nv%5B%5D={}",
order.first
);
httplib::Headers headers =
{
{ "X-Requested-With", "XMLHttpRequest" },
{
"User-Agent",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
},
{ "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
{ "Origin", "http://scmv9.fengzhansy.com:8882" },
{ "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/SCM/cggl_po_qry.jsp" },
{ "Cookie", fmt::format("{}; {}", cookie_jsessionid, cookie_pppp) }
};
log << "post /scmv9/data.jsp\n";
auto result = fzclient.Post
("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
log << fmt::format("get result {}\n", result.value().body);
std::stringstream result_body(result.value().body);
Json::Value root;
result_body >> root;
std::stringstream push_body;
double all_cost = 0;
push_body << fmt::format
(
"{} {} {}店\n", comment, order.second.second.substr(order.second.second.find('-') + 1),
order.second.first.substr(1, 2)
);
for (unsigned i = 0; i < root["dt"][6].size(); i++)
{
push_body << fmt::format
(
"{} {}{}\n", root["dt"][6][i].asString().substr(root["dt"][6][i].asString().length() - 4),
root["dt"][7][i].asString(), root["dt"][5][i].asString()
);
// 订货金额 maybe empty ???
if (root["dt"][10][i].asString() != "")
all_cost += std::stod(root["dt"][10][i].asString());
}
push_body << fmt::format("共{:.2f}元\n", all_cost);
log << fmt::format("push to wx {}\n", push_body.str());
auto encoded = urlencode(push_body.str());
for (const auto& wxu : wxuser)
{
auto path = fmt::format
("/api/send/message/?appToken={}&content={}&uid={}", token, encoded, wxu);
auto wxresult = wxclient.Get(path.c_str());
}
}
// save data
{
for (const auto& order : order_list)
if (!order_old.contains(order.first))
order_old.insert(order.first);
std::ofstream os("orders.json");
cereal::JSONOutputArchive oa(os);
cereal::save(oa, order_old);
}
}
catch (const std::exception& ex)
{
log << ex.what() << "\n" << std::flush;
std::terminate();
}
}
int main(int argc, char** argv)
{
Json::Value configs;
std::ifstream("@config_file@") >> configs;
auto config_uids = configs["uids"];
std::set<std::string> uids;
for (auto& uid : config_uids)
uids.insert(uid.asString());
for (auto& config : configs["config"])
oneshot
(
config["username"].asString(), config["password"].asString(), config["comment"].asString(),
uids, { configs["manager"].asString() }, configs["token"].asString()
);
}
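Review bot: `oneshot` logs the vendor credentials in clear at the `set_cookie pppp` line (`log << fmt::format("set_cookie pppp {}\n", fmt::format("pppp={}%40{}", username, password));`), and also the session cookie and every raw response body, all of which go to stderr and hence the journal; drop the password from that line (`log << "set_cookie pppp <redacted>\n";`) and log response bodies only on error. The login body and the `pppp` cookie interpolate `username`/`password` without encoding, so a password containing `&`, `%` or `;` yields a malformed request or cookie; route both through the file's own `urlencode`, e.g. `auto body = fmt::format("method=dologinajax&rand=1234&userc={}&mdid=P&passw={}", urlencode(username), urlencode(password));`. Both upstreams are plain `http://`, so the credentials and the wxpusher `appToken` (sent as a query parameter) travel in clear; wxpusher at least is reachable over HTTPS, which needs `CPPHTTPLIB_OPENSSL_SUPPORT` and `-lssl -lcrypto` in the Nix build. The login response is never inspected for success before the cookie is assumed valid, and the catch block ends in `std::terminate()` rather than a non-zero `return`, turning every transient HTTP error into an abort.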


@@ -0,0 +1,67 @@
inputs:
{
options.nixos.services.gitlab = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "gitlab.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) gitlab;
inherit (inputs.lib) mkIf;
in mkIf gitlab.enable
{
services.gitlab =
{
enable = true;
host = gitlab.hostname;
port = 443;
https = true;
smtp =
{
enable = true;
address = "mail.chn.moe";
username = "bot@chn.moe";
passwordFile = inputs.config.sops.secrets."gitlab/mail".path;
tls = true;
enableStartTLSAuto = false;
port = 465;
domain = gitlab.hostname;
authentication = "login";
};
extraConfig.gitlab.email_from = "bot@chn.moe";
secrets =
{
secretFile = inputs.config.sops.secrets."gitlab/secret".path;
otpFile = inputs.config.sops.secrets."gitlab/otp".path;
jwsFile = inputs.config.sops.secrets."gitlab/jws".path;
dbFile = inputs.config.sops.secrets."gitlab/dbFile".path;
};
initialRootPasswordFile = inputs.config.sops.secrets."gitlab/root".path;
initialRootEmail = "bot@chn.moe";
databasePasswordFile = inputs.config.sops.secrets."gitlab/db".path;
databaseHost = "127.0.0.1";
};
nixos.services =
{
nginx =
{
enable = true;
https."${gitlab.hostname}".location."/".proxy.upstream = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
postgresql.instances.gitlab = {};
};
sops.secrets = let owner = inputs.config.services.gitlab.user; in
{
"gitlab/mail" = { owner = owner; key = "mail/bot"; };
"gitlab/secret".owner = owner;
"gitlab/otp".owner = owner;
"gitlab/jws" =
{ owner = owner; sopsFile = "${inputs.topInputs.self}/secrets/gitlab/jws.bin"; format = "binary"; };
"gitlab/dbFile".owner = owner;
"gitlab/root".owner = owner;
"gitlab/db" = { owner = owner; key = "postgresql/gitlab"; };
"mail/bot" = {};
};
};
}
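Review bot: `sops.secrets."mail/bot" = {}` materialises a second, root-owned copy of the bot mail password next to the `gitlab/mail` entry that already re-keys `mail/bot` for the gitlab user; nothing in this module reads the plain `mail/bot` path, so unless another enabled module depends on it the line can go. The workhorse upstream `http://unix:/run/gitlab/gitlab-workhorse.socket` requires the nginx user to be able to open that socket; the group grant is not in this diff, so presumably the nginx helper handles it — worth confirming. `databaseHost = "127.0.0.1"` moves the DB connection from the peer-authenticated socket to TCP with a password, which is fine as long as the postgresql instance helper restricts `pg_hba` for that role to localhost.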


@@ -0,0 +1,67 @@
inputs:
{
options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) grafana;
inherit (inputs.lib) mkIf;
in mkIf grafana.enable
{
services.grafana =
{
enable = true;
declarativePlugins = with inputs.pkgs.grafanaPlugins; [];
settings =
{
users = { verify_email_enabled = true; default_language = "zh-CN"; allow_sign_up = true; };
smtp =
{
enabled = true;
host = "mail.chn.moe";
user = "bot@chn.moe";
password = "$__file{${inputs.config.sops.secrets."grafana/mail".path}}";
from_address = "bot@chn.moe";
ehlo_identity = grafana.hostname;
startTLS_policy = "MandatoryStartTLS";
};
server = { root_url = "https://${grafana.hostname}"; http_port = 3001; enable_gzip = true; };
security =
{
secret_key = "$__file{${inputs.config.sops.secrets."grafana/secret".path}}";
admin_user = "chn";
admin_password = "$__file{${inputs.config.sops.secrets."grafana/chn".path}}";
admin_email = "chn@chn.moe";
};
database =
{
type = "postgres";
host = "127.0.0.1:5432";
user = "grafana";
password = "$__file{${inputs.config.sops.secrets."grafana/db".path}}";
};
};
};
nixos.services =
{
nginx =
{
enable = true;
https."${grafana.hostname}".location."/".proxy =
{ upstream = "http://127.0.0.1:3001"; websocket = true; };
};
postgresql.instances.grafana = {};
};
sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
{
"grafana/mail" = { owner = owner; key = "mail/bot"; };
"grafana/secret".owner = owner;
"grafana/chn".owner = owner;
"grafana/db" = { owner = owner; key = "postgresql/grafana"; };
"mail/bot" = {};
};
};
}
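Review bot: `users.allow_sign_up = true` leaves self-registration open on a public Grafana (`root_url = "https://${grafana.hostname}"`); `verify_email_enabled` only proves the address is real, anyone can still create an account and land in the main org. Unless open sign-up is intended, set `users.allow_sign_up = false;`, and if it is intended, pin what new accounts get with `users.auto_assign_org_role = "Viewer"; users.allow_org_create = false;`. The `$__file{...}` indirections for the secrets are the right pattern; the only oddity is the extra root-owned `"mail/bot" = {}` copy that nothing in this module reads.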


@@ -20,10 +20,9 @@ inputs:
(user:
[
"d /var/lib/groupshare/${user} 2750 ${user} groupshare"
# systemd 253 does not support 'X' bit, it should be manually set
# sudo setfacl -m 'xxx' dir
# ("a /var/lib/groupshare/${user} - - - - "
# + "d:u:${user}:rwX,u:${user}:rwX,d:g:groupshare:r-X,g:groupshare:r-X,d:o::---,o::---,d:m::r-x,m::r-x")
("a /var/lib/groupshare/${user} - - - - "
+ "d:u:${user}:rwX,u:${user}:rwX,d:g:groupshare:r-X,g:groupshare:r-X,d:o::---,o::---,d:m::r-x,m::r-x")
])
users));
fileSystems = listToAttrs (map


@@ -0,0 +1,46 @@
inputs:
{
options.nixos.services.httpapi = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "api.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) httpapi;
inherit (inputs.lib) mkIf;
inherit (builtins) toString;
in mkIf httpapi.enable
{
nixos.services =
{
phpfpm.instances.httpapi = {};
nginx.https.${httpapi.hostname}.location =
{
"/files".static.root = "/srv/api";
"/led".static = { root = "/srv/api"; detectAuth.users = [ "led" ]; };
"/notify.php".php =
{
root = builtins.dirOf inputs.config.sops.templates."httpapi/notify.php".path;
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
};
};
phpfpm.instances.httpapi = {};
};
sops =
{
templates."httpapi/notify.php" =
{
owner = inputs.config.users.users.httpapi.name;
group = inputs.config.users.users.httpapi.group;
content =
let
placeholder = inputs.config.sops.placeholder;
request = "https://api.telegram.org/${placeholder."httpapi/token"}/sendMessage?chat_id=861886506&text=";
in ''<?php print file_get_contents("${request}".urlencode($_GET["message"])); ?>'';
};
secrets."httpapi/token" = {};
};
systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" ];
};
}
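Review bot: `/notify.php` is an unauthenticated relay: anyone who can reach `${httpapi.hostname}/notify.php?message=...` makes the bot post arbitrary text to the hard-coded chat, and `print` echoes Telegram's JSON reply (including any error detail) back to the caller, whereas the neighbouring `/led` location is behind `detectAuth`. Gate it the same way if the `php` location type accepts `detectAuth`, or check a shared secret in the script, e.g. `if (!hash_equals("${placeholder."httpapi/notifySecret"}", $_GET["key"] ?? "")) { http_response_code(403); exit; }` with a new sops secret, and replace `print` by a bare status code. `$_GET["message"]` is read without `isset`/`??`, which emits a PHP warning on a bare request, and `phpfpm.instances.httpapi = {}` is declared twice in the same attribute set.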


@@ -0,0 +1,25 @@
inputs:
{
options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) httpua;
inherit (inputs.lib) mkIf;
inherit (builtins) toString;
in mkIf httpua.enable
{
nixos.services =
{
phpfpm.instances.httpua = {};
nginx.http.${httpua.hostname}.php =
{
root = toString ./.;
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi;
};
};
};
}


@@ -0,0 +1 @@
<?php echo $_SERVER['HTTP_USER_AGENT']; ?>
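Review bot: The script echoes `HTTP_USER_AGENT` unescaped and without declaring a content type, so PHP-FPM's default `text/html` lets markup in the User-Agent be rendered (only the sender is affected, but it is still reflected output). Declare the type and guard the missing-header case: `<?php header('Content-Type: text/plain; charset=utf-8'); echo $_SERVER['HTTP_USER_AGENT'] ?? ''; ?>`.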


@@ -0,0 +1,66 @@
inputs:
{
options.nixos.services.huginn = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "huginn.chn.moe"; };
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) huginn;
in mkIf huginn.enable
{
virtualisation.oci-containers.containers.huginn =
{
image = "huginn/huginn:2d5fcafc507da3e8c115c3479e9116a0758c5375";
imageFile = inputs.pkgs.dockerTools.pullImage
{
imageName = "ghcr.io/huginn/huginn";
imageDigest = "sha256:aa694519b196485c6c31582dde007859fc8b8bbe9b1d4d94c6db8558843d0458";
sha256 = "0471v20d7ilwx81kyrxjcb90nnmqyyi9mwazbpy3z4rhnzv7pz76";
finalImageName = "huginn/huginn";
finalImageTag = "2d5fcafc507da3e8c115c3479e9116a0758c5375";
};
ports = [ "127.0.0.1:3000:3000/tcp" ];
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
environmentFiles = [ inputs.config.sops.templates."huginn/env".path ];
};
sops =
{
templates."huginn/env".content = let placeholder = inputs.config.sops.placeholder; in
''
MYSQL_PORT_3306_TCP_ADDR=host.docker.internal
HUGINN_DATABASE_NAME=huginn
HUGINN_DATABASE_USERNAME=huginn
HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
DOMAIN=${huginn.hostname}
RAILS_ENV=production
FORCE_SSL=true
INVITATION_CODE=${placeholder."huginn/invitationCode"}
SMTP_DOMAIN=mail.chn.moe
SMTP_USER_NAME=bot@chn.moe
SMTP_PASSWORD="${placeholder."mail/bot"}"
SMTP_SERVER=mail.chn.moe
SMTP_SSL=true
EMAIL_FROM_ADDRESS=bot@chn.moe
TIMEZONE=Beijing
DO_NOT_CREATE_DATABASE=true
'';
secrets = { "huginn/invitationCode" = {}; "mail/bot" = {}; };
};
nixos =
{
services =
{
nginx =
{
enable = true;
https."${huginn.hostname}".location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
};
mariadb.instances.huginn = {};
};
virtualization.docker.enable = true;
};
};
}
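Review bot: `SMTP_PASSWORD="${placeholder."mail/bot"}"` in the `huginn/env` template is wrapped in double quotes, but this file reaches the container through `environmentFiles`, i.e. docker's `--env-file`, which does not strip quotes; Huginn will therefore try to authenticate with a password that literally starts and ends with `"`. Drop the quotes as every other line does: `SMTP_PASSWORD=${placeholder."mail/bot"}`. The `mariadb/huginn` placeholder is used but not declared in this module's `sops.secrets`, so it relies on the mariadb instance helper declaring it; and since the database is reached via `host.docker.internal`, a `'huginn'@'localhost'` account will not cover the container's bridge address — confirm the grant is created for that source.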


@@ -0,0 +1,19 @@
inputs:
{
options.nixos.services.kmscon = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) kmscon;
in mkIf kmscon.enable
{
services.kmscon =
{
enable = true;
fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
};
};
}


@@ -28,18 +28,16 @@ inputs:
{
enable = true;
package = inputs.pkgs.mariadb;
settings.mysqld.skip_name_resolve = true;
ensureDatabases = map (db: db.value.database) (attrsToList mariadb.instances);
ensureUsers = map
(db:
{
name = db.value.user;
ensurePermissions."${db.value.database}.*" = "ALL PRIVILEGES";
})
(db: { name = db.value.user; ensurePermissions."${db.value.database}.*" = "ALL PRIVILEGES"; })
(attrsToList mariadb.instances);
};
mysqlBackup =
{
enable = true;
singleTransaction = true;
databases = map (db: db.value.database) (attrsToList mariadb.instances);
};
};
@@ -51,9 +49,8 @@ inputs:
else inputs.config.sops.secrets."mariadb/${db.value.user}".path;
mysql = "${inputs.config.services.mysql.package}/bin/mysql";
in
# set user password
''echo "ALTER USER '${db.value.user}'@'localhost' IDENTIFIED VIA unix_socket OR mysql_native_password ''
+ ''USING PASSWORD('$(cat ${passwordFile})');" | ${mysql} -N'')
# force user use password auth
''echo "ALTER USER '${db.value.user}' IDENTIFIED BY '$(cat ${passwordFile})';" | ${mysql} -N'')
(attrsToList mariadb.instances)));
sops.secrets = listToAttrs (map
(db: { name = "mariadb/${db.value.user}"; value.owner = inputs.config.users.users.mysql.name; })
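Review bot: The new `ALTER USER '${db.value.user}' IDENTIFIED BY '$(cat ${passwordFile})'` names the account without a host part, which MariaDB resolves as `'user'@'%'`, while `ensureUsers` above presumably creates `'user'@'localhost'`; if that is the only account the statement fails and the password is never set, so spell the host out to match whichever account is meant. The secret is also interpolated verbatim into a SQL string literal inside a shell `echo`, so a `'` or `\` in the password breaks the statement (or changes its meaning); either constrain the secret alphabet or escape those two characters before interpolation. Adding `skip_name_resolve = true` is a good move, since it stops host-based grants from depending on reverse DNS. Both hunks sit inside expressions that start outside this diff.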


@@ -0,0 +1,83 @@
inputs:
{
options.nixos.services.mastodon = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "dudu.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) mastodon;
inherit (inputs.lib) mkIf;
inherit (builtins) toString;
in mkIf mastodon.enable
{
services.mastodon =
{
enable = true;
streamingProcesses = 1;
enableUnixSocket = false;
localDomain = mastodon.hostname;
database =
{
createLocally = false;
host = "127.0.0.1";
passwordFile = inputs.config.sops.secrets."mastodon/postgresql".path;
};
redis.createLocally = false;
smtp =
{
createLocally = false;
user = "bot@chn.moe";
port = 465;
passwordFile = inputs.config.sops.secrets."mastodon/mail".path;
host = "mail.chn.moe";
fromAddress = "bot@chn.moe";
authenticate = true;
};
extraEnvFiles = [ inputs.config.sops.templates."mastodon/env".path ];
};
nixos.services =
{
postgresql = { enable = true; instances.mastodon = {}; };
redis.instances.mastodon.port = inputs.config.services.mastodon.redis.port;
nginx =
{
enable = true;
https."${mastodon.hostname}".location =
{
"/system/".alias.path = "/var/lib/mastodon/public-system/";
"/".static =
{ root = "${inputs.config.services.mastodon.package}/public"; tryFiles = [ "$uri" "@proxy" ]; };
"@proxy".proxy =
{ upstream = "http://127.0.0.1:${toString inputs.config.services.mastodon.webPort}"; websocket = true; };
"/api/v1/streaming/".proxy =
{
upstream = "http://unix:/run/mastodon-streaming/streaming-1.socket";
websocket = true;
};
};
};
};
sops =
{
secrets =
{
"mastodon/mail" = { owner = "mastodon"; key = "mail/bot"; };
"mastodon/postgresql" = { owner = "mastodon"; key = "postgresql/mastodon"; };
};
templates."mastodon/env" =
{
owner = "mastodon";
content =
''
REDIS_PASSWORD=${inputs.config.sops.placeholder."redis/mastodon"}
SMTP_SSL=true
SMTP_AUTH_METHOD=plain
'';
};
};
environment.systemPackages = [ inputs.config.services.mastodon.package ];
# sudo -u mastodon mastodon-tootctl accounts modify chn --role Owner
};
}


@@ -36,19 +36,7 @@ inputs:
{
User = instance.value.user;
Group = inputs.config.users.users.${instance.value.user}.group;
ExecStart =
let
meilisearch = inputs.pkgs.unstablePackages.meilisearch.overrideAttrs (prev:
{
RUSTFLAGS = prev.RUSTFLAGS or [] ++ [ "-Clto=true" "-Cpanic=abort" "-Cembed-bitcode=yes"]
++ (
let inherit (inputs.config.nixos.system.nixpkgs) march;
in (if march != null then [ "-Ctarget-cpu=${march}" ] else [])
);
});
config = inputs.config.sops.templates."meilisearch-${instance.name}.toml".path;
in
"${meilisearch}/bin/meilisearch --config-file-path ${config}";
ExecStart = inputs.topInputs.nixos-2305.nixosConfigurations.pc.config.systemd.services."meilisearch-misskey-misskey".serviceConfig.ExecStart;
Restart = "always";
StartLimitBurst = 3;
LimitNOFILE = "infinity";


@@ -0,0 +1,67 @@
inputs:
{
options.nixos.services.mirism = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services) mirism;
inherit (inputs.lib) mkIf;
inherit (builtins) map listToAttrs toString concatLists;
in mkIf mirism.enable
{
users = { users.mirism = { isSystemUser = true; group = "mirism"; }; groups.mirism = {}; };
systemd =
{
services = listToAttrs (map
(instance:
{
name = "mirism-${instance}";
value =
{
description = "mirism ${instance}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
{
User = inputs.config.users.users.mirism.name;
Group = inputs.config.users.users.mirism.group;
ExecStart = "${inputs.pkgs.localPackages.mirism}/bin/${instance}";
};
};
})
[ "ng01" "beta" ]);
tmpfiles.rules = [ "d /srv/entry.mirism 0700 nginx nginx" "d /srv/mirism 0700 nginx nginx" ];
};
nixos.services =
{
nginx =
{
enable = true;
transparentProxy.map = { "ng01.mirism.one" = 7411; "beta.mirism.one" = 9114; };
https = listToAttrs (map
(instance:
{
name = "${instance}mirism.one";
value.location."/".static = { root = "/srv/${instance}mirism"; index = [ "index.html" ]; };
})
[ "entry." "" ]);
};
acme = { enable = true; cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; }; };
};
environment.etc = listToAttrs (concatLists (map
(instance:
[
{
name = "letsencrypt/live/${instance}.mirism.one/fullchain.pem";
value.source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/fullchain.pem";
}
{
name = "letsencrypt/live/${instance}.mirism.one/privkey.pem";
value.source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/key.pem";
}
])
[ "ng01" "beta" ]));
};
}
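Review bot: The two `mirism-*` units run a TLS-terminating service as user `mirism` with only `User`/`Group` set and `after = [ "network.target" ]`, while the private key they read is exposed through the `environment.etc` symlinks into the ACME directory; nothing orders them after certificate issuance, so on a fresh host they may start before `key.pem` exists. Consider adding `after`/`wants` on the matching ACME completion target (e.g. `acme-finished-ng01.mirism.one.target`, if that name matches this NixOS version) and a minimal sandbox such as `NoNewPrivileges = true; ProtectSystem = "strict"; PrivateTmp = true;` (with `ReadWritePaths` if the binaries write anywhere). The ports in `transparentProxy.map` (7411, 9114) appear nowhere else in this file, so a comment recording that the `ng01`/`beta` binaries listen on them would help the next reader.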


@@ -7,7 +7,7 @@ inputs:
autoStart = mkOption { type = types.bool; default = true; };
port = mkOption { type = types.ints.unsigned; default = 9726; };
redis.port = mkOption { type = types.ints.unsigned; default = 3545; };
hostname = mkOption { type = types.str; default = "misskey.chn.moe"; };
hostname = mkOption { type = types.nonEmptyStr; default = "misskey.chn.moe"; };
meilisearch =
{
enable = mkOption { type = types.bool; default = true; };
@@ -136,11 +136,7 @@ inputs:
nixos.services =
{
redis.instances = listToAttrs (map
(instance:
{
name = "misskey-${instance.name}";
value.port = instance.value.redis.port;
})
(instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
(attrsToList misskey.instances));
postgresql =
{
@@ -160,6 +156,17 @@ inputs:
};
})
(filter (instance: instance.value.meilisearch.enable) (attrsToList misskey.instances)));
nginx =
{
enable = mkIf (misskey.instances != {}) true;
https = listToAttrs (map
(instance: with instance.value;
{
name = hostname;
value.location."/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
})
(attrsToList misskey.instances));
};
};
};
}
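Review bot: The new `nginx.https` block keys vhosts by each instance's `hostname`, and since every instance shares the default `misskey.chn.moe`, two instances would presumably collapse into a single vhost without any error (`listToAttrs` keeps the first occurrence of a duplicate name rather than rejecting it), leaving one instance unreachable. Either derive the default hostname from the instance name, as the other modules in this commit do with `submoduleInputs.config._module.args.name`, or add an assertion that instance hostnames are unique. The first hunk only tightens the `hostname` type to `nonEmptyStr`, which is fine.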


@@ -3,7 +3,7 @@ inputs:
options.nixos.services.nextcloud = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "nextcloud.chn.moe"; };
hostname = mkOption { type = types.nonEmptyStr; default = "nextcloud.chn.moe"; };
};
config =
let
@@ -45,28 +45,36 @@ inputs:
};
secretFile = inputs.config.sops.templates."nextcloud/secret".path;
extraApps =
{
maps = inputs.pkgs.fetchNextcloudApp
let
githubRelease = repo: file: "https://github.com/${repo}/releases/download/${file}";
in
{
url = "https://github.com/nextcloud/maps/releases/download/v1.1.1/maps-1.1.1.tar.gz";
sha256 = "1rcmqnm5364h5gaq1yy6b6d7k17napgn0yc9ymrnn75bps9s71v9";
};
phonetrack = inputs.pkgs.fetchNextcloudApp
{
url = "https://github.com/julien-nc/phonetrack/releases/download/v0.7.6/phonetrack-0.7.6.tar.gz";
sha256 = "1p15vw7c5c1h08czyxi1r6svjd5hjmnc0i6is4vl3xq2kfjmcyyx";
};
twofactor_webauthn = inputs.pkgs.fetchNextcloudApp
{
url = "https://github.com/nextcloud-releases/twofactor_webauthn/releases/download/v1.2.0/twofactor_webauthn-v1.2.0.tar.gz";
sha256 = "1lqcw74rsnl8c4sirw9208ra3c8zl8zp93scs7y8fv2n4n60l465";
# nix-prefetch-url --unpack
maps = inputs.pkgs.fetchNextcloudApp
{
url = githubRelease "nextcloud/maps" "v1.1.1/maps-1.1.1.tar.gz";
sha256 = "1rcmqnm5364h5gaq1yy6b6d7k17napgn0yc9ymrnn75bps9s71v9";
license = "agpl3";
};
phonetrack = inputs.pkgs.fetchNextcloudApp
{
url = githubRelease "julien-nc/phonetrack" "v0.7.6/phonetrack-0.7.6.tar.gz";
sha256 = "1p15vw7c5c1h08czyxi1r6svjd5hjmnc0i6is4vl3xq2kfjmcyyx";
license = "agpl3";
};
twofactor_webauthn = inputs.pkgs.fetchNextcloudApp
{
url = githubRelease "nextcloud-releases/twofactor_webauthn" "v1.3.0/twofactor_webauthn-v1.3.0.tar.gz";
sha256 = "0z6m2chq5kxc8f10g6n1lh51yi10svy2qp5gp0v8xs71apqcc2wx";
license = "agpl3";
};
};
};
};
nixos.services =
{
postgresql = { enable = true; instances.nextcloud = {}; };
redis.instances.nextcloud.port = 3499;
nginx = { enable = true; https.${nextcloud.hostname}.global.configName = nextcloud.hostname; };
};
sops =
{
@@ -85,5 +93,6 @@ inputs:
"nextcloud/admin".owner = inputs.config.users.users.nextcloud.name;
};
};
systemd.services.nextcloud-setup = rec { requires = [ "postgresql.service" ]; after = requires; };
};
}
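Review bot: The added `https.${nextcloud.hostname}.global.configName = nextcloud.hostname` is the non-obvious line of this section and deserves a comment, e.g. `# name the nginx virtualHost after the hostname so the upstream nextcloud module's own vhost settings merge into this https entry` — presumably that is the intent, since the NixOS nextcloud module configures `services.nginx.virtualHosts.<hostname>` itself; confirm before wording it as fact. The `githubRelease` helper keeps every app pinned to a fixed tag plus a `sha256`, which is the right supply-chain posture, and the `twofactor_webauthn` bump to v1.3.0 updates the hash accordingly. The `nextcloud-setup` ordering uses `rec` so `after` tracks `requires`; fine.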


@@ -0,0 +1,17 @@
inputs:
{
options.nixos.services.nginx.applications.blog = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) blog;
inherit (inputs.lib) mkIf;
in mkIf blog.enable
{
nixos.services.nginx.https."blog.chn.moe".location."/".static =
{ root = "/srv/blog"; index = [ "index.html" ]; };
systemd.tmpfiles.rules = [ "d /srv/blog 0700 nginx nginx" ];
};
}
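Review bot: `systemd.tmpfiles.rules = [ "d /srv/blog 0700 nginx nginx" ]` makes the static web root owned and writable by the worker user, which read-only serving does not require; a root owned by someone else but readable by nginx (e.g. `d /srv/blog 0750 root nginx`) keeps a compromised worker from rewriting the site, and deploy tooling can write as root or a dedicated deploy user. If nginx ownership is deliberate because content is pushed by the nginx user itself, a one-line comment saying so would settle the question. The nginx unit presumably runs under a filesystem sandbox (the webdav module in this commit adds `ReadWritePaths` for its writes), which mitigates but does not replace the least-privilege ownership.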


@@ -0,0 +1,17 @@
inputs:
{
options.nixos.services.nginx.applications.catalog = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) catalog;
inherit (inputs.lib) mkIf;
in mkIf catalog.enable
{
nixos.services.nginx.https."catalog.chn.moe".location."/".static =
{ root = "/srv/catalog"; index = [ "index.html" ]; };
systemd.tmpfiles.rules = [ "d /srv/catalog 0700 nginx nginx" ];
};
}
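Review bot: `"d /srv/catalog 0700 nginx nginx"` gives the worker user ownership and write access to a web root that is only ever read by the `static` location; `d /srv/catalog 0750 root nginx` (or another non-nginx owner) would let nginx serve the files without being able to alter them. If the nginx ownership is intentional, a short comment explaining how content gets there would avoid the question on review.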


@@ -2,11 +2,11 @@ inputs:
{
imports = inputs.localLib.mkModules
[
./misskey.nix
./synapse.nix
./vaultwarden.nix
./element.nix
./photoprism.nix
./nextcloud.nix
./synapse-admin.nix
./kkmeeting.nix
./webdav.nix
./blog.nix
./catalog.nix
];
}


@@ -16,24 +16,21 @@ inputs:
inherit (builtins) map listToAttrs toString;
in
{
nixos.services.nginx.http = listToAttrs (map
nixos.services.nginx.https = listToAttrs (map
(instance: with instance.value;
{
name = hostname;
value =
value.location."/".static =
{
rewriteHttps = true;
locations."/".static.root =
root =
if defaultServer == null then toString inputs.pkgs.element-web
else toString (inputs.pkgs.element-web.override { conf =
{
default_server_config."m.homeserver" =
{
base_url = "https://${defaultServer}";
server_name = defaultServer;
};
{ base_url = "https://${defaultServer}"; server_name = defaultServer; };
disable_guests = false;
};});
index = [ "index.html" ];
};
})
(attrsToList instances));
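Review bot: The migrated `static` location serves Element with no way to emit response headers, and Element's own hosting guidance asks for anti-framing headers (`X-Frame-Options: SAMEORIGIN`, `Content-Security-Policy: frame-ancestors 'self'`) plus `X-Content-Type-Options: nosniff`; the `location."/".static` options visible in this commit have no header hook, so either add one to the nginx module or record the gap in a comment here. `disable_guests = false` is carried over unchanged; a one-line comment on why guest access is enabled for `defaultServer` would help. The drop of `rewriteHttps = true` looks behaviour-preserving, since the nginx module's `global.rewriteHttps` defaults to true.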


@@ -0,0 +1,18 @@
inputs:
{
options.nixos.services.nginx.applications.kkmeeting = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "kkmeeting.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) kkmeeting;
inherit (inputs.lib) mkIf;
in mkIf kkmeeting.enable
{
nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static =
{ root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" ];
};
}
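Review bot: `index = "auto"` enables directory listing (`autoindex on;` in the nginx module) for `/srv/kkmeeting` with no `detectAuth`, so the whole tree under that root is browsable by anyone who can reach `kkmeeting.chn.moe`. If a public listing is the intent, say so in a comment; otherwise set `detectAuth.users = [ … ];` on the location as the webdav module does. The `0700 nginx nginx` tmpfiles rule also makes the root writable by the worker user, which read-only serving does not need.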


@@ -1,45 +0,0 @@
inputs:
{
options.nixos.services.nginx.applications.misskey.instances = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
upstream = mkOption
{
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
{
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
port = mkOption { type = types.ints.unsigned; default = 9726; };
};})];
default = "127.0.0.1:9726";
};
};}));
default = {};
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications.misskey) instances;
inherit (inputs.localLib) attrsToList;
inherit (builtins) map listToAttrs toString;
in
{
nixos.services.nginx.http = listToAttrs (map
(proxy: with proxy.value;
{
name = hostname;
value =
{
rewriteHttps = true;
locations."/".proxy =
{
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
};
};
})
(attrsToList instances));
};
}


@@ -1,48 +0,0 @@
inputs:
{
options.nixos.services.nginx.applications.nextcloud = let inherit (inputs.lib) mkOption types; in
{
instance.enable = mkOption
{
type = types.addCheck types.bool (value: value -> inputs.config.nixos.services.nextcloud.enable);
default = false;
};
proxy =
{
enable = mkOption
{
type = types.addCheck types.bool
(value: value -> !inputs.config.nixos.services.nginx.applications.nextcloud.instance.enable);
default = false;
};
upstream = mkOption { type = types.nonEmptyStr; };
};
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) nextcloud;
inherit (inputs.lib) mkIf mkMerge;
inherit (inputs.localLib) attrsToList;
inherit (builtins) map listToAttrs;
in mkMerge
[
(mkIf (nextcloud.instance.enable)
{
nixos.services.nginx.http.${inputs.config.nixos.services.nextcloud.hostname}.rewriteHttps = true;
services.nginx.virtualHosts.${inputs.config.nixos.services.nextcloud.hostname} = mkMerge
[
(inputs.config.services.nextcloud.nginx.recommendedConfig { upstream = "127.0.0.1"; })
{ listen = [ { addr = "0.0.0.0"; port = 8417; ssl = true; extraParameters = [ "proxy_protocol" ]; } ]; }
];
})
(mkIf (nextcloud.proxy.enable)
{
nixos.services.nginx.streamProxy.map.${inputs.config.nixos.services.nextcloud.hostname} =
{
upstream = "${nextcloud.proxy.upstream}:8417";
rewriteHttps = true;
proxyProtocol = true;
};
})
];
}


@@ -1,45 +0,0 @@
inputs:
{
options.nixos.services.nginx.applications.photoprism.instances = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
upstream = mkOption
{
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
{
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
port = mkOption { type = types.ints.unsigned; default = 2342; };
};})];
default = "127.0.0.1:2342";
};
};}));
default = {};
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications.photoprism) instances;
inherit (inputs.localLib) attrsToList;
inherit (builtins) map listToAttrs toString;
in
{
nixos.services.nginx.http = listToAttrs (map
(proxy: with proxy.value;
{
name = hostname;
value =
{
rewriteHttps = true;
locations."/".proxy =
{
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
};
};
})
(attrsToList instances));
};
}


@@ -0,0 +1,26 @@
inputs:
{
options.nixos.services.nginx.applications.synapse-admin.instances =
let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{ hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; }; };}));
default = {};
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications.synapse-admin) instances;
inherit (inputs.localLib) attrsToList;
inherit (builtins) map listToAttrs;
in
{
nixos.services.nginx.https = listToAttrs (map
(site: with site.value;
{
name = hostname;
value.location."/".static =
{ root = "${inputs.pkgs.synapse-admin}"; index = [ "index.html" ]; };
})
(attrsToList instances));
};
}
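Review bot: synapse-admin is an administration UI that takes a homeserver admin access token in the browser, and the new `static` location publishes it on every configured hostname with no `detectAuth` and no visible restriction on which homeserver it may talk to. Consider gating it with `detectAuth.users` (the option exists on `static` locations in this commit's nginx module) or at least a comment stating that exposing the UI publicly is intentional. If the packaged build supports pinning the homeserver base URL, doing so would also narrow misuse — confirm against `inputs.pkgs.synapse-admin` before relying on it.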


@@ -1,46 +0,0 @@
inputs:
{
options.nixos.services.nginx.applications.synapse.instances = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
upstream = mkOption
{
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
{
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
port = mkOption { type = types.ints.unsigned; default = 8008; };
};})];
default = "127.0.0.1:8008";
};
};}));
default = {};
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications.synapse) instances;
inherit (inputs.localLib) attrsToList;
inherit (inputs.lib) mkIf mkMerge;
inherit (builtins) map listToAttrs;
in
{
nixos.services.nginx.http = listToAttrs (map
(proxy: with proxy.value;
{
name = hostname;
value =
{
rewriteHttps = true;
locations."/".proxy =
{
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
};
};
})
(attrsToList instances));
};
}


@@ -1,44 +0,0 @@
inputs:
{
options.nixos.services.nginx.applications.vaultwarden = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "vaultwarden.chn.moe"; };
upstream = mkOption
{
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
{
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
port = mkOption { type = types.ints.unsigned; default = 8000; };
websocketPort = mkOption { type = types.ints.unsigned; default = 3012; };
};})];
default = {};
};
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications) vaultwarden;
inherit (builtins) listToAttrs;
inherit (inputs.lib) mkIf;
in mkIf vaultwarden.enable
{
nixos.services.nginx.http."${vaultwarden.hostname}" =
{
rewriteHttps = true;
locations = let upstream = vaultwarden.upstream; in (listToAttrs (map
(location: { name = location; value.proxy =
{
upstream = "http://${upstream.address or upstream}:${builtins.toString upstream.port or 8000}";
setHeaders = { Host = vaultwarden.hostname; Connection = ""; };
};})
[ "/" "/notifications/hub/negotiate" ]))
// { "/notifications/hub".proxy =
{
upstream =
"http://${upstream.address or upstream}:${builtins.toString upstream.websocketPort or 3012}";
websocket = true;
setHeaders.Host = vaultwarden.hostname;
};};
};
};
}


@@ -0,0 +1,36 @@
inputs:
{
options.nixos.services.nginx.applications.webdav.instances = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
path = mkOption { type = types.nonEmptyStr; default = "/srv/webdav"; };
users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; default = [ "chn" ]; };
};}));
default = {};
};
config =
let
inherit (inputs.config.nixos.services.nginx.applications.webdav) instances;
inherit (builtins) map listToAttrs attrValues;
inherit (inputs.lib) mkMerge;
in
{
nixos.services.nginx.https = listToAttrs (map
(site:
{
name = site.hostname;
value.location."/".static =
{ root = site.path; index = "auto"; charset = "utf-8"; webdav = true; detectAuth.users = site.users; };
})
(attrValues instances));
systemd = mkMerge (map
(site:
{
tmpfiles.rules = [ "d ${site.path} 0700 nginx nginx" ];
services.nginx.serviceConfig.ReadWritePaths = [ site.path ];
})
(attrValues instances));
};
}
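Review bot: `services.nginx.serviceConfig.ReadWritePaths = [ site.path ];` is the line a reader will trip over; add a comment such as `# the nginx unit runs with a read-only filesystem sandbox; WebDAV PUT/MKCOL/DELETE need the data directory writable` — presumably why it is here, confirm against the nginx unit's hardening. `users` defaults to `[ "chn" ]`, so an instance declared without an explicit list silently reuses that account's credentials; dropping the default and forcing callers to list users would be safer. Basic auth is only acceptable here because the `https` module serves ssl-only listeners, which is worth stating next to the `detectAuth` line.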


@@ -7,32 +7,141 @@ inputs:
options.nixos.services.nginx = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
# transparentProxy -> https(with proxyProtocol) or transparentProxy -> streamProxy -> https(with proxyProtocol)
# https without proxyProtocol listen on private ip, with proxyProtocol listen on all ip
# streamProxy listen on private ip
# transparentProxy listen on public ip
global = mkOption
{
type = types.anything;
readOnly = true;
default =
{
httpsPort = 3065;
httpsPortShift = { http2 = 1; proxyProtocol = 2; };
httpsLocationTypes = [ "proxy" "static" "php" "return" "cgi" "alias" ];
httpTypes = [ "rewriteHttps" "php" ];
streamPort = 5575;
streamPortShift = { proxyProtocol = 1; };
};
};
transparentProxy =
{
# only disable in some rare cases
enable = mkOption { type = types.bool; default = true; };
externalIp = mkOption { type = types.listOf types.nonEmptyStr; };
map = mkOption { type = types.attrsOf types.ints.unsigned; default = {};};
# proxy to 127.0.0.1:${specified port}
map = mkOption { type = types.attrsOf types.ints.unsigned; default = {}; };
};
http = mkOption
streamProxy =
{
type = types.attrsOf (types.submodule { options =
map = mkOption
{
rewriteHttps = mkOption { type = types.bool; default = false; };
http2 = mkOption { type = types.bool; default = true; };
addAuth = mkOption { type = types.bool; default = false; };
detectAuth = mkOption { type = types.bool; default = false; };
locations = mkOption
{
type = types.attrsOf (types.addCheck
(types.submodule { options =
type = types.attrsOf (types.oneOf
[
# proxy to specified ip:port without proxyProtocol
types.nonEmptyStr
(types.submodule { options =
{
upstream = mkOption
{
type = types.oneOf
[
# proxy to specified ip:port with or without proxyProtocol
types.nonEmptyStr
(types.submodule { options =
{
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
# if port not specified, guess from proxyProtocol enabled or not, assume http2 enabled
port = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
};})
];
default = {};
};
proxyProtocol = mkOption { type = types.bool; default = true; };
addToTransparentProxy = mkOption { type = types.bool; default = true; };
rewriteHttps = mkOption { type = types.bool; default = true; };
};})
]);
default = {};
};
};
https = mkOption
{
type = types.attrsOf (types.submodule (siteSubmoduleInputs: { options =
{
global =
{
configName = mkOption
{
type = types.nonEmptyStr;
default = "https:${siteSubmoduleInputs.config._module.args.name}";
};
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
index = mkOption
{
type = types.nullOr (types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
default = null;
};
charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
detectAuth = mkOption
{
type = types.nullOr (types.submodule { options =
{
text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
};});
default = null;
};
rewriteHttps = mkOption { type = types.bool; default = true; };
};
listen = mkOption
{
type = types.attrsOf (types.submodule { options =
{
http2 = mkOption { type = types.bool; default = true; };
proxyProtocol = mkOption { type = types.bool; default = true; };
# if proxyProtocol not enabled, add to transparentProxy only
# if proxyProtocol enabled, add to transparentProxy and streamProxy
addToTransparentProxy = mkOption { type = types.bool; default = true; };
};});
default.main = {};
};
location = mkOption
{
type = types.attrsOf (types.submodule { options =
let
genericOptions =
{
# should be set to non null value if global root is null
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
detectAuth = mkOption
{
type = types.nullOr (types.submodule { options =
{
text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
};});
default = null;
};
};
in
{
# only one should be specified
proxy = mkOption
{
type = types.nullOr (types.submodule { options =
{
inherit (genericOptions) detectAuth;
upstream = mkOption { type = types.nonEmptyStr; };
websocket = mkOption { type = types.bool; default = false; };
setHeaders = mkOption { type = types.attrsOf types.str; default = {}; };
setHeaders = mkOption
{
type = types.attrsOf types.str;
default.Host = siteSubmoduleInputs.config._module.args.name;
};
# echo -n "username:password" | base64
addAuth = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
};});
default = null;
};
@@ -40,48 +149,83 @@ inputs:
{
type = types.nullOr (types.submodule { options =
{
root = mkOption { type = types.nonEmptyStr; };
index = mkOption { type = types.nonEmptyStr; default = "index.html"; };
inherit (genericOptions) detectAuth root;
index = mkOption
{
type = types.nullOr
(types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
default = null;
};
charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
tryFiles = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
webdav = mkOption { type = types.bool; default = false; };
};});
default = null;
};
};})
(value: (inputs.lib.count (value: value != null) (builtins.attrValues value)) == 1));
php = mkOption
{
type = types.nullOr (types.submodule { options =
{ inherit (genericOptions) detectAuth root; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
default = null;
};
return = mkOption
{
type = types.nullOr (types.submodule { options =
{ return = mkOption { type = types.nonEmptyStr; }; };});
default = null;
};
cgi = mkOption
{
type = types.nullOr (types.submodule { options = { inherit (genericOptions) detectAuth root; };});
default = null;
};
alias = mkOption
{
type = types.nullOr (types.submodule { options =
{
path = mkOption { type = types.nonEmptyStr; };
};});
default = null;
};
};});
default = {};
};
};});
};}));
default = {};
};
streamProxy =
http = mkOption
{
enable = mkOption { type = types.bool; default = false; };
port = mkOption { type = types.ints.unsigned; default = 5575; };
portWithProxyProtocol = mkOption { type = types.ints.unsigned; default = 5576; };
map = mkOption
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
type = types.attrsOf (types.oneOf
[
types.nonEmptyStr
(types.submodule { options =
rewriteHttps = mkOption
{
type = types.nullOr (types.submodule { options =
{
upstream = mkOption { type = types.nonEmptyStr; };
rewriteHttps = mkOption { type = types.bool; default = false; };
proxyProtocol = mkOption { type = types.bool; default = false; };
};})
]);
default = {};
};
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
};});
default = null;
};
php = mkOption
{
type = types.nullOr (types.submodule { options =
{ root = mkOption { type = types.nonEmptyStr; }; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
default = null;
};
};}));
default = {};
};
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) stripeTabs attrsToList;
inherit (inputs.lib) mkMerge mkIf mkDefault;
inherit (inputs.lib.strings) escapeURL;
inherit (inputs.localLib) attrsToList;
inherit (inputs.config.nixos.services) nginx;
inherit (builtins) map listToAttrs concatStringsSep toString filter attrValues;
in mkMerge
inherit (builtins) map listToAttrs concatStringsSep toString filter attrValues concatLists;
concatAttrs = list: listToAttrs (concatLists (map (attrs: attrsToList attrs) list));
in mkIf nginx.enable (mkMerge
[
(mkIf nginx.enable
# generic config
{
services =
{
@@ -107,55 +251,6 @@ inputs:
send_timeout 10m;
'';
proxyTimeout = "10m";
virtualHosts = listToAttrs (map
(site:
{
inherit (site) name;
value =
{
serverName = site.name;
listen = [ { addr = "127.0.0.1"; port = (if site.value.http2 then 443 else 3065); ssl = true; } ]
++ (if site.value.rewriteHttps then [ { addr = "0.0.0.0"; port = 80; } ] else []);
useACMEHost = site.name;
locations = listToAttrs (map
(location:
{
inherit (location) name;
value =
if (location.value.proxy != null) then
{
proxyPass = location.value.proxy.upstream;
proxyWebsockets = location.value.proxy.websocket;
recommendedProxySettings = false;
recommendedProxySettingsNoHost = true;
extraConfig = concatStringsSep "\n"
(
(map
(header: ''proxy_set_header ${header.name} "${header.value}";'')
(attrsToList location.value.proxy.setHeaders))
++ (if site.value.detectAuth then ["proxy_hide_header Authorization;"] else [])
++ (
if site.value.addAuth then
["include ${inputs.config.sops.templates."nginx/addAuth/${site.name}-template".path};"]
else [])
);
}
else if (location.value.static != null) then
{
root = location.value.static.root;
index = location.value.static.index;
}
else {};
})
(attrsToList site.value.locations));
forceSSL = site.value.rewriteHttps;
http2 = site.value.http2;
basicAuthFile =
if site.value.detectAuth then inputs.config.sops.secrets."nginx/detectAuth/${site.name}".path
else null;
};
})
(attrsToList nginx.http));
recommendedZstdSettings = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
@@ -182,8 +277,7 @@ inputs:
.overrideAttrs (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
streamConfig =
''
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb
{
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
$geoip2_data_country_code country iso_code;
}
resolver 8.8.8.8;
@@ -202,29 +296,8 @@ inputs:
};
};
};
sops =
{
templates = listToAttrs (map
(site:
{
name = "nginx/addAuth/${site.name}-template";
value =
{
content =
let placeholder = inputs.config.sops.placeholder."nginx/addAuth/${site.name}";
in ''proxy_set_header Authorization "Basic ${placeholder}";'';
owner = inputs.config.users.users.nginx.name;
};
})
(filter (site: site.value.addAuth) (attrsToList nginx.http)));
secrets = { "nginx/maxmind-license".owner = inputs.config.users.users.nginx.name; }
// (listToAttrs (map
(site: { name = "nginx/detectAuth/${site.name}"; value.owner = inputs.config.users.users.nginx.name; })
(filter (site: site.value.detectAuth) (attrsToList nginx.http))))
// (listToAttrs (map
(site: { name = "nginx/addAuth/${site.name}"; value = {}; })
(filter (site: site.value.addAuth) (attrsToList nginx.http))));
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
sops.secrets = { "nginx/maxmind-license".owner = inputs.config.users.users.nginx.name; };
systemd.services.nginx.serviceConfig =
{
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
@@ -232,37 +305,22 @@ inputs:
LimitNPROC = 65536;
LimitNOFILE = 524288;
};
nixos.services.acme =
{
enable = true;
certs = map (cert: cert.name) (attrsToList nginx.http);
};
security.acme.certs = listToAttrs (map
(cert: { inherit (cert) name; value.group = inputs.config.services.nginx.group; })
(attrsToList nginx.http));
})
}
# transparentProxy
(mkIf nginx.transparentProxy.enable
{
services.nginx.streamConfig =
''
log_format transparent_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
'"$ssl_preread_server_name"->$transparent_proxy_backend $bytes_sent $bytes_received';
map $ssl_preread_server_name $transparent_proxy_backend
{
${concatStringsSep "\n" (map
(x: '' "${x.name}" 127.0.0.1:${toString x.value};'')
(
(attrsToList nginx.transparentProxy.map)
++ (map
(site: { name = site.name; value = (if site.value.http2 then 443 else 3065); })
(attrsToList nginx.http)
)
))}
default 127.0.0.1:443;
map $ssl_preread_server_name $transparent_proxy_backend {
${concatStringsSep "\n " (map
(x: ''"${x.name}" 127.0.0.1:${toString x.value};'')
(attrsToList nginx.transparentProxy.map))}
default 127.0.0.1:${toString (with nginx.global; (httpsPort + httpsPortShift.http2))};
}
server
{
${concatStringsSep "\n " (map (ip: "listen ${ip}:443;") nginx.transparentProxy.externalIp)}
server {
${concatStringsSep "\n " (map (ip: "listen ${ip}:443;") nginx.transparentProxy.externalIp)}
ssl_preread on;
proxy_bind $remote_addr transparent;
proxy_pass $transparent_proxy_backend;
@@ -272,7 +330,6 @@ inputs:
access_log syslog:server=unix:/dev/log transparent_proxy;
}
'';
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx-proxy =
let
ipset = "${inputs.pkgs.ipset}/bin/ipset";
@@ -293,9 +350,9 @@ inputs:
${ip} rule add fwmark 2/2 table 200
${ip} route add local 0.0.0.0/0 dev lo table 200
''
+ concatStringsSep "\n" (map
+ concatStringsSep "\n " (map
(port: ''${ipset} add nginx_proxy_port ${toString port}'')
(inputs.lib.unique ((attrValues nginx.transparentProxy.map) ++ [ 443 3065 ])))
(inputs.lib.unique (attrValues nginx.transparentProxy.map)))
);
stop = inputs.pkgs.writeShellScript "nginx-proxy.stop"
''
@@ -324,64 +381,403 @@ inputs:
wantedBy= [ "multi-user.target" ];
};
})
(mkIf nginx.streamProxy.enable
# streamProxy
{
services.nginx =
services.nginx.streamConfig =
''
log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
'"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
map $ssl_preread_server_name $stream_proxy_backend {
${concatStringsSep "\n " (map
(x:
let
upstream =
if (builtins.typeOf x.value.upstream == "string") then
x.value.upstream
else
let
port = with nginx.global;
if x.value.upstream.port == null then
httpsPort + httpsPortShift.http2
+ (if x.value.proxyProtocol then httpsPortShift.proxyProtocol else 0)
else x.value.upstream.port;
in "${x.value.upstream.address}:${toString port}";
in ''"${x.name}" "${upstream}";'')
(attrsToList nginx.streamProxy.map))}
}
server {
listen 127.0.0.1:${toString nginx.global.streamPort};
ssl_preread on;
proxy_pass $stream_proxy_backend;
proxy_connect_timeout 10s;
proxy_socket_keepalive on;
proxy_buffer_size 128k;
access_log syslog:server=unix:/dev/log stream_proxy;
}
server {
listen 127.0.0.1:${toString (with nginx.global; (streamPort + streamPortShift.proxyProtocol))};
proxy_protocol on;
ssl_preread on;
proxy_pass $stream_proxy_backend;
proxy_connect_timeout 10s;
proxy_socket_keepalive on;
proxy_buffer_size 128k;
access_log syslog:server=unix:/dev/log stream_proxy;
}
'';
nixos.services.nginx =
{
streamConfig =
''
log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
'"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
map $ssl_preread_server_name $stream_proxy_backend
transparentProxy.map = listToAttrs
(
(map
(site: { inherit (site) name; value = nginx.global.streamPort; })
(filter
(site: (!(site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
(attrsToList nginx.streamProxy.map)))
++ (map
(site: { inherit (site) name; value = with nginx.global; streamPort + streamPortShift.proxyProtocol; })
(filter
(site: ((site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
(attrsToList nginx.streamProxy.map)))
);
http = listToAttrs (map
(site: { inherit (site) name; value.rewriteHttps = {}; })
(filter (site: site.value.rewriteHttps or false) (attrsToList nginx.streamProxy.map)));
};
}
# https assertions
{
# only one type should be specified in each location
assertions =
(
(map
(location:
{
${concatStringsSep "\n" (map
(x: '' "${x.name}" "${x.value.upstream or x.value}";'')
(attrsToList nginx.streamProxy.map))}
}
server
assertion = (inputs.lib.count
(x: x != null)
(map (type: location.value.${type}) nginx.global.httpsLocationTypes)) <= 1;
message = "Only one type shuold be specified in ${location.name}";
})
(concatLists (map
(site: (map
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
(attrsToList site.value.location)))
(attrsToList nginx.https))))
# root should be specified either in global or in each location
++ (map
(location:
{
listen 127.0.0.1:${toString nginx.streamProxy.port};
ssl_preread on;
proxy_pass $stream_proxy_backend;
proxy_connect_timeout 10s;
proxy_socket_keepalive on;
proxy_buffer_size 128k;
access_log syslog:server=unix:/dev/log stream_proxy;
}
server
{
listen 127.0.0.1:${toString nginx.streamProxy.portWithProxyProtocol};
proxy_protocol on;
ssl_preread on;
proxy_pass $stream_proxy_backend;
proxy_connect_timeout 10s;
proxy_socket_keepalive on;
proxy_buffer_size 128k;
access_log syslog:server=unix:/dev/log stream_proxy;
}
'';
virtualHosts = listToAttrs (map
assertion = (location.value.root or "") != null;
message = "Root should be specified in ${location.name}";
})
(concatLists (map
(site: (map
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
(attrsToList site.value.location)))
(filter (site: site.value.global.root == null) (attrsToList nginx.https)))))
);
}
# https
(
let
# merge different types of locations
sites = map
(site:
{
inherit (site) name;
value =
{
serverName = site.name;
listen = [ { addr = "0.0.0.0"; port = 80; } ];
locations."/".return = "301 https://${site.name}$request_uri";
inherit (site.value) global;
listens = attrValues site.value.listen;
locations = map
(location:
{
inherit (location) name;
value =
let _ = builtins.head (filter (type: type.value != null) (attrsToList location.value));
in _.value // { type = _.name; };
})
(attrsToList site.value.location);
};
})
(filter (site: site.value.rewriteHttps or false) (attrsToList nginx.streamProxy.map)));
};
nixos.services.nginx.transparentProxy.map = listToAttrs
(
(map
(site: { name = site.name; value = nginx.streamProxy.port; })
(filter (site: !(site.value.proxyProtocol or false)) (attrsToList nginx.streamProxy.map)))
++ (map
(site: { name = site.name; value = nginx.streamProxy.portWithProxyProtocol; })
(filter (site: site.value.proxyProtocol or false) (attrsToList nginx.streamProxy.map)))
);
})
];
(attrsToList nginx.https);
in
{
services =
{
nginx.virtualHosts = listToAttrs (map
(site:
{
name = site.value.global.configName;
value =
{
serverName = site.name;
root = mkIf (site.value.global.root != null) site.value.global.root;
basicAuthFile = mkIf (site.value.global.detectAuth != null)
inputs.config.sops.templates."nginx/templates/detectAuth/${escapeURL site.name}-global".path;
extraConfig = concatStringsSep "\n"
(
(
let inherit (site.value.global) index; in
if (builtins.typeOf index == "list") then [ "index ${concatStringsSep " " index};" ]
else if (index == "auto") then [ "autoindex on;" ]
else []
)
++ (
let inherit (site.value.global) detectAuth; in
if (detectAuth != null) then [ ''auth_basic "${detectAuth.text}"'' ] else []
)
++ (
let inherit (site.value.global) charset; in
if (charset != null) then [ "charset ${charset};" ] else []
)
);
listen = map
(listen:
{
addr = if listen.proxyProtocol then "0.0.0.0" else "127.0.0.1";
port = with nginx.global; httpsPort
+ (if listen.http2 then httpsPortShift.http2 else 0)
+ (if listen.proxyProtocol then httpsPortShift.proxyProtocol else 0);
ssl = true;
proxyProtocol = listen.proxyProtocol;
extraParameters = mkIf listen.http2 [ "http2" ];
})
site.value.listens;
# do not automatically add http2 listen
http2 = false;
onlySSL = true;
useACMEHost = site.name;
locations = listToAttrs (map
(location:
{
inherit (location) name;
value =
{
basicAuthFile = mkIf (location.value.detectAuth or null != null)
inputs.config.sops.templates
."nginx/templates/detectAuth/${escapeURL site.name}/${escapeURL location.name}".path;
root = mkIf (location.value.root or null != null) location.value.root;
}
// {
proxy =
{
proxyPass = location.value.upstream;
proxyWebsockets = location.value.websocket;
recommendedProxySettings = false;
recommendedProxySettingsNoHost = true;
extraConfig = concatStringsSep "\n"
(
(map
(header: ''proxy_set_header ${header.name} "${header.value}";'')
(attrsToList location.value.setHeaders))
++ (
if location.value.detectAuth != null || site.value.global.detectAuth != null
then [ "proxy_hide_header Authorization;" ]
else []
)
++ (
if location.value.addAuth != null then
let authFile = "nginx/templates/addAuth/${location.value.addAuth}";
in [ "include ${inputs.config.sops.templates.${authFile}.path};" ]
else [])
);
};
static =
{
index = mkIf (builtins.typeOf location.value.index == "list")
(concatStringsSep " " location.value.index);
tryFiles = mkIf (location.value.tryFiles != null)
(concatStringsSep " " location.value.tryFiles);
extraConfig = mkMerge
[
(mkIf (location.value.index == "auto") "autoindex on;")
(mkIf (location.value.charset != null) "charset ${location.value.charset};")
(mkIf location.value.webdav
''
dav_access user:rw group:rw;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
create_full_put_path on;
'')
];
};
php.extraConfig =
''
fastcgi_pass ${location.value.fastcgiPass};
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
'';
return.return = location.value.return;
cgi.extraConfig =
''
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_pass unix:${inputs.config.services.fcgiwrap.socketAddress};
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
'';
alias.alias = location.value.path;
}.${location.value.type};
})
site.value.locations);
};
})
sites);
fcgiwrap = mkIf
(
filter (site: site != []) (map
(site: filter (location: location.value.type == "cgi") site.value.locations)
sites)
!= []
)
(with inputs.config.users.users.nginx; { enable = true; user = name; inherit group; });
};
nixos.services =
{
nginx =
let
# { name = domain; value = listen = { http2 = xxx, proxyProtocol = xxx }; }
listens = filter
(listen: listen.value.addToTransparentProxy)
(concatLists (map
(site: map (listen: { inherit (site) name; value = listen; }) site.value.listens)
sites));
in
{
transparentProxy.map = listToAttrs (map
(site:
{
inherit (site) name;
value = with nginx.global; httpsPort + (if site.value.http2 then httpsPortShift.http2 else 0);
})
(filter (listen: !listen.value.proxyProtocol) listens));
streamProxy.map = listToAttrs (map
(site:
{
inherit (site) name;
value =
{
upstream.port = with nginx.global; httpsPort + httpsPortShift.proxyProtocol
+ (if site.value.http2 then httpsPortShift.http2 else 0);
proxyProtocol = true;
rewriteHttps = mkDefault false;
};
})
(filter (listen: listen.value.proxyProtocol) listens));
http = listToAttrs (map
(site: { inherit (site) name; value.rewriteHttps = {}; })
(filter (site: site.value.global.rewriteHttps) sites));
};
acme =
{
enable = true;
cert = listToAttrs (map
(site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
sites);
};
};
sops =
let
detectAuthUsers = concatLists (map
(site:
(
(map
(location:
{
name = "${escapeURL site.name}/${escapeURL location.name}";
value = location.value.detectAuth.users;
})
(filter (location: location.value.detectAuth or null != null) site.value.locations))
++ (if site.value.global.detectAuth != null then
[ { name = "${escapeURL site.name}-global"; value = site.value.global.detectAuth.users; } ]
else [])
))
sites);
addAuth = concatLists (map
(site: map
(location:
{
name = "${escapeURL site.name}/${escapeURL location.name}";
value = location.value.addAuth;
})
(filter (location: location.value.addAuth or null != null) site.value.locations)
)
sites);
in
{
templates = listToAttrs
(
(map
(detectAuth:
{
name = "nginx/templates/detectAuth/${detectAuth.name}";
value =
{
owner = inputs.config.users.users.nginx.name;
content = concatStringsSep "\n" (map
(user: "${user}:{PLAIN}${inputs.config.sops.placeholder."nginx/detectAuth/${user}"}")
detectAuth.value);
};
})
detectAuthUsers)
++ (map
(addAuth:
{
name = "nginx/templates/addAuth/${addAuth.name}";
value =
{
owner = inputs.config.users.users.nginx.name;
content =
let placeholder = inputs.config.sops.placeholder."nginx/addAuth/${addAuth.value}";
in ''proxy_set_header Authorization "Basic ${placeholder}";'';
};
})
addAuth)
);
secrets = listToAttrs
(
(map
(secret: { name = "nginx/detectAuth/${secret}"; value = {}; })
(inputs.lib.unique (concatLists (map (detectAuth: detectAuth.value) detectAuthUsers))))
++ (map
(secret: { name = "nginx/addAuth/${secret}"; value = {}; })
(inputs.lib.unique (map (addAuth: addAuth.value) addAuth)))
);
};
}
)
# http
{
assertions = map
(site:
{
assertion = (inputs.lib.count (x: x != null) (map (type: site.value.${type}) nginx.global.httpTypes)) <= 1;
message = "Only one type shuold be specified in ${site.name}";
})
(attrsToList nginx.http);
services.nginx.virtualHosts = listToAttrs (map
(site:
{
name = "http.${site.name}";
value = { serverName = site.name; listen = [ { addr = "0.0.0.0"; port = 80; } ]; }
// (if site.value.rewriteHttps != null then
{ locations."/".return = "301 https://${site.value.rewriteHttps.hostname}$request_uri"; }
else {})
// (if site.value.php != null then
{
extraConfig = "index index.php;";
root = site.value.php.root;
locations."~ ^.+?.php(/.*)?$".extraConfig =
''
fastcgi_pass ${site.value.php.fastcgiPass};
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
'';
}
else {});
})
(attrsToList nginx.http));
}
]);
}


@@ -0,0 +1,26 @@
inputs:
{
options.nixos.services.nix-serve = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; };
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) stripeTabs attrsToList;
inherit (inputs.config.nixos.services) nix-serve;
inherit (builtins) map listToAttrs toString;
in mkIf nix-serve.enable
{
services.nix-serve =
{
enable = true;
openFirewall = true;
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
};
sops.secrets."store/signingKey" = {};
nixos.services.nginx =
{ enable = true; https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000"; };
};
}
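Review bot: `openFirewall = true;` in the `services.nix-serve` block opens the unauthenticated plain-HTTP nix-serve listener (port 5000 by default) to the network, even though the same module fronts it with nginx at `https.${nix-serve.hostname}` proxying to `http://127.0.0.1:5000`. Unless a client must reach the cache without TLS, set `openFirewall = false;` (or drop the line) so the binary cache is only reachable through the nginx vhost; the signing key is still served either way, but TLS is what protects clients from a tampered upstream between them and the cache. Separately, the `let` binds `mkMerge`, `stripeTabs`, `attrsToList`, `map`, `listToAttrs` and `toString` which nothing in the module uses; `inherit (inputs.lib) mkIf;` plus the `nix-serve` inherit is all it needs.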


@@ -3,7 +3,7 @@ inputs:
options.nixos.services.photoprism = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "photoprism.chn.moe"; };
hostname = mkOption { type = types.nonEmptyStr; default = "photoprism.chn.moe"; };
port = mkOption { type = types.ints.unsigned; default = 2342; };
};
config =
@@ -42,6 +42,15 @@ inputs:
'';
secrets."photoprism/adminPassword" = {};
};
nixos.services.mariadb = { enable = true; instances.photoprism = {}; };
nixos.services =
{
mariadb = { enable = true; instances.photoprism = {}; };
nginx =
{
enable = true;
https.${photoprism.hostname}.location."/".proxy =
{ upstream = "http://127.0.0.1:${toString photoprism.port}"; websocket = true; };
};
};
};
}


@@ -8,7 +8,13 @@ inputs:
{
user = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
package = mkOption { type = types.nullOr types.package; default = null; };
package = mkOption { type = types.nullOr types.package; default = inputs.pkgs.php; };
fastcgi = mkOption
{
type = types.nonEmptyStr;
readOnly = true;
default = "unix:${inputs.config.services.phpfpm.pools.${submoduleInputs.config._module.args.name}.socket}";
};
};}));
default = {};
};
@@ -28,13 +34,15 @@ inputs:
{
user = if pool.value.user == null then pool.name else pool.value.user;
group = if pool.value.group == null then inputs.config.users.users.${user}.group else pool.value.group;
phpPackage = if pool.value.package == null then inputs.pkgs.php else pool.value.package;
phpPackage = pool.value.package;
settings =
{
"pm" = "ondemand";
"pm.max_children" = 4;
"pm.process_idle_timeout" = "60s";
"pm.max_requests" = 128;
"listen.owner" = inputs.config.services.nginx.user;
"listen.group" = inputs.config.services.nginx.group;
};
};
})
@@ -42,18 +50,10 @@ inputs:
users =
{
users = listToAttrs (map
(pool:
{
inherit (pool) name;
value = { isSystemUser = true; group = pool.name; };
})
(pool: { inherit (pool) name; value = { isSystemUser = true; group = pool.name; extraGroups = [ "nginx" ]; }; })
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
groups = listToAttrs (map
(pool:
{
inherit (pool) name;
value = {};
})
(pool: { inherit (pool) name; value = {}; })
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
};
};
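Review bot: `extraGroups = [ "nginx" ];` on every auto-created php-fpm pool user gives each PHP application's worker uid read access to everything that is group-readable by nginx, and elsewhere in this compare the ACME certificates are handed to that same group (`cert.<name>.group = inputs.config.services.nginx.group`), so a compromised PHP app could plausibly read TLS private keys; I cannot see the cert directory modes from here, so treat that as something to confirm. If the goal is the socket handshake, the `listen.owner`/`listen.group` settings added in the hunk above already let nginx open the socket without the pool users joining nginx's group. If the goal is letting PHP read a document root owned by the nginx group, a dedicated group shared only by nginx and the pools (e.g. `extraGroups = [ "phpfpm-www" ];` with nginx also in it) is the narrower grant. A one-line comment stating which of the two the membership is for, e.g. `# nginx group: pools must read the nginx-owned document roots`, would stop the next reader from guessing.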


@@ -39,7 +39,7 @@ inputs:
})
(attrsToList redis.instances));
sops.secrets = listToAttrs (map
(server: { name = "redis/${server.name}"; value.owner = inputs.config.users.users.${server.name}.name; })
(server: { name = "redis/${server.name}"; value.owner = inputs.config.users.users.${server.value.user}.name; })
(filter (server: server.value.passwordFile == null) (attrsToList redis.instances)));
};
}


@@ -4,12 +4,11 @@ inputs:
{
enable = mkOption { type = types.bool; default = false; };
port = mkOption { type = types.ints.unsigned; default = 5221; };
hostname = mkOption { type = types.str; default = "rsshub.chn.moe"; };
hostname = mkOption { type = types.nonEmptyStr; default = "rsshub.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) rsshub;
inherit (inputs.localLib) stripeTabs;
inherit (inputs.lib) mkIf;
inherit (builtins) map listToAttrs toString;
in mkIf rsshub.enable
@@ -60,12 +59,7 @@ inputs:
nginx =
{
enable = true;
http.${rsshub.hostname} =
{
rewriteHttps = true;
locations."/".proxy =
{ upstream = "http://127.0.0.1:${toString rsshub.port}"; setHeaders.Host = rsshub.hostname; };
};
https.${rsshub.hostname}.location."/".proxy.upstream = "http://127.0.0.1:${toString rsshub.port}";
};
};
};

55
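--- /dev/null
+++ b/modules/services/send.nix
@@ -0,0 +1,55 @@
+inputs:
+{
+options.nixos.services.send = let inherit (inputs.lib) mkOption types; in
+{
+enable = mkOption { type = types.bool; default = false; };
+hostname = mkOption { type = types.nonEmptyStr; default = "send.chn.moe"; };
+};
+config =
+let
+inherit (inputs.lib) mkIf;
+inherit (inputs.config.nixos.services) send;
+in mkIf send.enable
+{
+virtualisation.oci-containers.containers.send =
+{
+image = "timvisee/send:1ee4951";
+imageFile = inputs.pkgs.dockerTools.pullImage
+{
+imageName = "registry.gitlab.com/timvisee/send";
+imageDigest = "sha256:1ee495161f176946e6e4077e17be2b8f8634c2d502172cc530a8cd5affd7078f";
+sha256 = "1dimqga35c2ka4advhv3v60xcsdrhc6c4hh21x36fbyhk90n2vzs";
+finalImageName = "timvisee/send";
+finalImageTag = "1ee4951";
+};
+ports = [ "127.0.0.1:1443:1443/tcp" ];
+volumes = [ "send:/uploads" ];
+extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
+environmentFiles = [ inputs.config.sops.templates."send/env".path ];
+};
+sops =
+{
+templates."send/env".content =
+''
+BASE_URL=https://${send.hostname}
+MAX_FILE_SIZE=17179869184
+REDIS_HOST=host.docker.internal
+REDIS_PORT=9184
+REDIS_PASSWORD=${inputs.config.sops.placeholder."redis/send"}
+'';
+};
+nixos =
+{
+services =
+{
+nginx =
+{
+enable = true;
+https."${send.hostname}".location."/".proxy = { upstream = "http://127.0.0.1:1443"; websocket = true; };
+};
+redis.instances.send = { user = "root"; port = 9184; };
+};
+virtualization.docker.enable = true;
+};
+};
+}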
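Review bot: `redis.instances.send = { user = "root"; port = 9184; };` runs this Redis instance as root, which a cache for Send does not need and which turns any Redis compromise into a root compromise; with the redis.nix change in this compare the `redis/send` secret also becomes root-owned. Unless the redis module genuinely needs root here (nothing visible suggests it), a dedicated unprivileged user, e.g. `redis.instances.send = { user = "send"; port = 9184; };` with a matching system user, is the safer default. Because the container reaches Redis through `host.docker.internal`, the instance must listen on more than loopback, so it is worth confirming it binds only the docker bridge address and that `REDIS_PASSWORD` is enforced server-side, not just passed to the client. `MAX_FILE_SIZE=17179869184` (16 GiB per upload) on the persisted `send:/uploads` volume is a disk-exhaustion lever for anonymous uploaders; if that figure is intentional, a comment such as `# 16 GiB per upload; relies on disk quota / snapper cleanup` would make the trade-off explicit.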


@@ -3,7 +3,7 @@ inputs:
options.nixos.services.snapper = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
configs = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
configs = mkOption { type = types.attrsOf types.nonEmptyStr; default.persistent = "/nix/persistent"; };
};
config =
let


@@ -5,7 +5,7 @@ inputs:
enable = mkOption { type = types.bool; default = false; };
autoStart = mkOption { type = types.bool; default = true; };
port = mkOption { type = types.ints.unsigned; default = 8008; };
hostname = mkOption { type = types.str; default = "synapse.chn.moe"; };
hostname = mkOption { type = types.nonEmptyStr; default = "synapse.chn.moe"; };
};
config =
let
@@ -96,7 +96,16 @@ inputs:
// { "synapse/signing-key".owner = inputs.config.systemd.services.matrix-synapse.serviceConfig.User; }
// { "mail/bot" = {}; };
};
nixos.services.postgresql = { enable = true; instances.synapse = {}; };
nixos.services =
{
postgresql = { enable = true; instances.synapse = {}; };
nginx =
{
enable = true;
https.${synapse.hostname}.location."/".proxy =
{ upstream = "http://127.0.0.1:${toString synapse.port}"; websocket = true; };
};
};
systemd.services.matrix-synapse.enable = synapse.autoStart;
};
}


@@ -6,12 +6,12 @@ inputs:
autoStart = mkOption { type = types.bool; default = true; };
port = mkOption { type = types.ints.unsigned; default = 8000; };
websocketPort = mkOption { type = types.ints.unsigned; default = 3012; };
hostname = mkOption { type = types.str; default = "vaultwarden.chn.moe"; };
hostname = mkOption { type = types.nonEmptyStr; default = "vaultwarden.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) vaultwarden;
inherit (builtins) listToAttrs;
inherit (builtins) listToAttrs toString;
inherit (inputs.lib) mkIf;
in mkIf vaultwarden.enable
{
@@ -53,15 +53,41 @@ inputs:
SMTP_PASSWORD=${placeholder."mail/bot"}
'';
};
secrets = listToAttrs (map
(secret: { name = secret; value = {}; })
[ "vaultwarden/admin_token" "mail/bot" ]);
secrets = listToAttrs (map (secret: { name = secret; value = {}; }) [ "vaultwarden/admin_token" "mail/bot" ]);
};
systemd.services.vaultwarden =
systemd.services.vaultwarden = { enable = vaultwarden.autoStart; after = [ "postgresql.service" ]; };
nixos.services =
{
enable = vaultwarden.autoStart;
after = [ "postgresql.service" ];
postgresql = { enable = true; instances.vaultwarden = {}; };
nginx =
{
enable = true;
https.${vaultwarden.hostname} =
{
location = listToAttrs
(
(map
(location:
{
name = location;
value.proxy =
{
upstream = "http://127.0.0.1:${toString vaultwarden.port}";
setHeaders = { Host = vaultwarden.hostname; Connection = ""; };
};
})
[ "/" "/notifications/hub/negotiate" ])
++ (map
(location:
{
name = location;
value.proxy =
{ upstream = "http://127.0.0.1:${toString vaultwarden.websocketPort}"; websocket = true; };
})
[ "/notifications/hub" ])
);
};
};
};
nixos.services.postgresql = { enable = true; instances.vaultwarden = {}; };
};
}


@@ -24,7 +24,7 @@ inputs:
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) stripeTabs attrsToList;
inherit (inputs.config.nixos.services) xrayClient xrayServer;
inherit (builtins) map listToAttrs toString genList length;
inherit (builtins) map listToAttrs toString genList length concatStringsSep;
in mkMerge
[
(
@@ -220,95 +220,82 @@ inputs:
{
Type = "simple";
RemainAfterExit = true;
ExecStart = inputs.pkgs.writeShellScript "v2ray-forwarder.start"
''
${ipset} create lo_net hash:net
${ipset} add lo_net 0.0.0.0/8
${ipset} add lo_net 10.0.0.0/8
${ipset} add lo_net 100.64.0.0/10
${ipset} add lo_net 127.0.0.0/8
${ipset} add lo_net 169.254.0.0/16
${ipset} add lo_net 172.16.0.0/12
${ipset} add lo_net 192.0.0.0/24
${ipset} add lo_net 192.88.99.0/24
${ipset} add lo_net 192.168.0.0/16
${ipset} add lo_net 59.77.0.143
${ipset} add lo_net 198.18.0.0/15
${ipset} add lo_net 198.51.100.0/24
${ipset} add lo_net 203.0.113.0/24
${ipset} add lo_net 224.0.0.0/4
${ipset} add lo_net 240.0.0.0/4
${ipset} add lo_net 255.255.255.255/32
${ipset} create xmu_net hash:net
${ipset} create noproxy_net hash:net
${ipset} add noproxy_net 223.5.5.5
${ipset} create noproxy_src_net hash:net
${ipset} create proxy_net hash:net
${ipset} add proxy_net 8.8.8.8
${iptables} -t mangle -N v2ray -w
${iptables} -t mangle -A PREROUTING -j v2ray -w
${iptables} -t mangle -A v2ray -m set --match-set noproxy_src_net src -j RETURN -w
${iptables} -t mangle -A v2ray -m set --match-set xmu_net dst -p tcp \
-j TPROXY --on-port ${xmuPort} --tproxy-mark 1/1 -w
${iptables} -t mangle -A v2ray -m set --match-set xmu_net dst -p udp \
-j TPROXY --on-port ${xmuPort} --tproxy-mark 1/1 -w
${iptables} -t mangle -A v2ray -m set --match-set noproxy_net dst -j RETURN -w
${iptables} -t mangle -A v2ray -m set --match-set proxy_net dst -p tcp \
-j TPROXY --on-port ${proxyPort} --tproxy-mark 1/1 -w
${iptables} -t mangle -A v2ray -m set --match-set proxy_net dst -p udp \
-j TPROXY --on-port ${proxyPort} --tproxy-mark 1/1 -w
${iptables} -t mangle -A v2ray -m set --match-set lo_net dst -j RETURN -w
${iptables} -t mangle -A v2ray -p tcp -j TPROXY --on-port ${autoPort} --tproxy-mark 1/1 -w
${iptables} -t mangle -A v2ray -p udp -j TPROXY --on-port ${autoPort} --tproxy-mark 1/1 -w
${iptables} -t mangle -N v2ray_mark -w
${iptables} -t mangle -A OUTPUT -j v2ray_mark -w
${iptables} -t mangle -A v2ray_mark -m owner --uid-owner $(id -u v2ray) -j RETURN -w
${
if inputs.config.nixos.system.networking.nebula.enable then
let user = inputs.config.systemd.services."nebula@nebula".serviceConfig.User; in
"${iptables} -t mangle -A v2ray_mark -m owner --uid-owner $(id -u ${user}) -j RETURN -w"
else ""
}
${iptables} -t mangle -A v2ray_mark -m set --match-set noproxy_src_net src -j RETURN -w
${iptables} -t mangle -A v2ray_mark -m set --match-set xmu_net dst -p tcp -j MARK --set-mark 1/1 -w
${iptables} -t mangle -A v2ray_mark -m set --match-set xmu_net dst -p udp -j MARK --set-mark 1/1 -w
${iptables} -t mangle -A v2ray_mark -m set --match-set noproxy_net dst -j RETURN -w
${iptables} -t mangle -A v2ray_mark -m set --match-set proxy_net dst -p tcp \
-j MARK --set-mark 1/1 -w
${iptables} -t mangle -A v2ray_mark -m set --match-set proxy_net dst -p udp \
-j MARK --set-mark 1/1 -w
${iptables} -t mangle -A v2ray_mark -m set --match-set lo_net dst -j RETURN -w
${iptables} -t mangle -A v2ray_mark -p tcp -j MARK --set-mark 1/1 -w
${iptables} -t mangle -A v2ray_mark -p udp -j MARK --set-mark 1/1 -w
${ip} rule add fwmark 1/1 table 100
${ip} route add local 0.0.0.0/0 dev lo table 100
'';
ExecStop = inputs.pkgs.writeShellScript "v2ray-forwarder.stop"
''
${iptables} -t mangle -F v2ray -w
${iptables} -t mangle -D PREROUTING -j v2ray -w
${iptables} -t mangle -X v2ray -w
${iptables} -t mangle -F v2ray_mark -w
${iptables} -t mangle -D OUTPUT -j v2ray_mark -w
${iptables} -t mangle -X v2ray_mark -w
${ip} rule del fwmark 1/1 table 100
${ip} route del local 0.0.0.0/0 dev lo table 100
${ipset} destroy lo_net
${ipset} destroy xmu_net
${ipset} destroy noproxy_net
${ipset} destroy noproxy_src_net
${ipset} destroy proxy_net
'';
ExecStart = inputs.pkgs.writeShellScript "v2ray-forwarder.start" (concatStringsSep "\n"
(
[ "${ipset} create lo_net hash:net" ]
++ (map (host: "${ipset} add lo_net ${host}")
[
"0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12"
"192.0.0.0/24" "192.88.99.0/24" "192.168.0.0/16" "59.77.0.143" "198.18.0.0/15"
"198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4" "255.255.255.255/32"
])
++ [
"${ipset} create xmu_net hash:net"
"${ipset} create noproxy_net hash:net"
"${ipset} add noproxy_net 223.5.5.5"
"${ipset} create noproxy_src_net hash:net"
"${ipset} create proxy_net hash:net"
"${ipset} add proxy_net 8.8.8.8"
]
++ [
"${iptables} -t mangle -N v2ray -w"
"${iptables} -t mangle -A PREROUTING -j v2ray -w"
]
++ (map (action: "${iptables} -t mangle -A v2ray ${action} -w")
[
"-m set --match-set noproxy_src_net src -j RETURN"
"-m set --match-set xmu_net dst -p tcp -j TPROXY --on-port ${xmuPort} --tproxy-mark 1/1"
"-m set --match-set xmu_net dst -p udp -j TPROXY --on-port ${xmuPort} --tproxy-mark 1/1"
"-m set --match-set noproxy_net dst -j RETURN"
"-m set --match-set proxy_net dst -p tcp -j TPROXY --on-port ${proxyPort} --tproxy-mark 1/1"
"-m set --match-set proxy_net dst -p udp -j TPROXY --on-port ${proxyPort} --tproxy-mark 1/1"
"-m set --match-set lo_net dst -j RETURN"
"-p tcp -j TPROXY --on-port ${autoPort} --tproxy-mark 1/1"
"-p udp -j TPROXY --on-port ${autoPort} --tproxy-mark 1/1"
])
++ [
"${iptables} -t mangle -N v2ray_mark -w"
"${iptables} -t mangle -A OUTPUT -j v2ray_mark -w"
]
++ (map (action: "${iptables} -t mangle -A v2ray_mark ${action} -w")
(
(if inputs.config.nixos.system.networking.nebula.enable then
let user = inputs.config.systemd.services."nebula@nebula".serviceConfig.User;
in [ "-m owner --uid-owner $(id -u ${user}) -j RETURN" ]
else [])
++ [
"-m owner --uid-owner $(id -u v2ray) -j RETURN"
"-m set --match-set noproxy_src_net src -j RETURN"
"-m set --match-set xmu_net dst -p tcp -j MARK --set-mark 1/1"
"-m set --match-set xmu_net dst -p udp -j MARK --set-mark 1/1"
"-m set --match-set noproxy_net dst -j RETURN"
"-m set --match-set proxy_net dst -p tcp -j MARK --set-mark 1/1"
"-m set --match-set proxy_net dst -p udp -j MARK --set-mark 1/1"
"-m set --match-set lo_net dst -j RETURN"
"-p tcp -j MARK --set-mark 1/1"
"-p udp -j MARK --set-mark 1/1"
]
))
++ [
"${ip} rule add fwmark 1/1 table 100"
"${ip} route add local 0.0.0.0/0 dev lo table 100"
]
));
ExecStop = inputs.pkgs.writeShellScript "v2ray-forwarder.stop" (concatStringsSep "\n"
(
[
"${iptables} -t mangle -F v2ray -w"
"${iptables} -t mangle -D PREROUTING -j v2ray -w"
"${iptables} -t mangle -X v2ray -w"
"${iptables} -t mangle -F v2ray_mark -w"
"${iptables} -t mangle -D OUTPUT -j v2ray_mark -w"
"${iptables} -t mangle -X v2ray_mark -w"
"${ip} rule del fwmark 1/1 table 100"
"${ip} route del local 0.0.0.0/0 dev lo table 100"
]
++ (map (set: "${ipset} destroy ${set}")
[ "lo_net" "xmu_net" "noproxy_net" "noproxy_src_net" "proxy_net" ])
));
};
};
};
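Review bot: The start script assembled with `concatStringsSep "\n"` has no `set -e`, so if an early `ipset create` or `iptables -t mangle -N v2ray` fails (for example a set or chain left behind by an aborted stop) the later rules still install against a half-built chain and the unit, being `RemainAfterExit = true`, reports success with traffic either unproxied or partially TPROXY'd; as far as I recall `writeShellScript` only adds a shebang and a syntax check, not `set -e`. Prepending `"set -euo pipefail"` as the first element of the list makes a partial setup fail the unit instead of silently degrading, and pairing it with `${ipset} create -exist …` keeps a retry from tripping on leftovers. The stop script should stay without `set -e`, since each teardown line should run even if a sibling already failed. The surrounding `serviceConfig` attribute set starts before this hunk.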
@@ -319,19 +306,7 @@ inputs:
(
mkIf xrayServer.enable (let userList = genList (n: n) 30; in
{
services =
{
xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-server.json".path; };
nginx.virtualHosts.xray =
{
serverName = xrayServer.serverName;
default = true;
listen = [{ addr = "127.0.0.1"; port = 7233; ssl = true; }];
useACMEHost = xrayServer.serverName;
onlySSL = true;
locations."/".return = "400";
};
};
services.xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-server.json".path; };
sops =
{
templates."xray-server.json" =
@@ -343,48 +318,50 @@ inputs:
log.loglevel = "warning";
inbounds =
[
{
port = 4726;
listen = "127.0.0.1";
protocol = "vless";
settings =
(
let
fallbackPort = toString
(with inputs.config.nixos.services.nginx.global; httpsPort + httpsPortShift.http2);
in
{
clients = map
(n:
{
id = inputs.config.sops.placeholder."xray-server/clients/user${toString n}";
flow = "xtls-rprx-vision";
email = "${toString n}@xray.chn.moe";
})
userList;
decryption = "none";
fallbacks = [{ dest = "127.0.0.1:7233"; }];
};
streamSettings =
{
network = "tcp";
security = "reality";
realitySettings =
port = 4726;
listen = "127.0.0.1";
protocol = "vless";
settings =
{
dest = "127.0.0.1:7233";
serverNames = [ xrayServer.serverName ];
privateKey = inputs.config.sops.placeholder."xray-server/private-key";
minClientVer = "1.8.0";
shortIds = [ "" ];
clients = map
(n:
{
id = inputs.config.sops.placeholder."xray-server/clients/user${toString n}";
flow = "xtls-rprx-vision";
email = "${toString n}@xray.chn.moe";
})
userList;
decryption = "none";
fallbacks = [{ dest = "127.0.0.1:${fallbackPort}"; }];
};
};
sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
tag = "in";
}
streamSettings =
{
network = "tcp";
security = "reality";
realitySettings =
{
dest = "127.0.0.1:${fallbackPort}";
serverNames = [ xrayServer.serverName ];
privateKey = inputs.config.sops.placeholder."xray-server/private-key";
minClientVer = "1.8.0";
shortIds = [ "" ];
};
};
sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
tag = "in";
}
)
{
port = 4638;
listen = "127.0.0.1";
protocol = "vless";
settings =
{
clients = [{ id = "be01f0a0-9976-42f5-b9ab-866eba6ed393"; }];
decryption = "none";
};
settings = { clients = [{ id = "be01f0a0-9976-42f5-b9ab-866eba6ed393"; }]; decryption = "none"; };
streamSettings.network = "tcp";
sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; };
tag = "in-localdns";
@@ -443,11 +420,7 @@ inputs:
(name:
{
name = "xray-server/telegram/${name}";
value =
{
owner = inputs.config.users.users.v2ray.name;
group = inputs.config.users.users.v2ray.group;
};
value = (let user = inputs.config.users.users.v2ray; in { owner = user.name; inherit (user) group; });
})
[ "token" "chat" ]))
// { "xray-server/private-key" = {}; };
@@ -512,10 +485,18 @@ inputs:
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
nixos.services =
{
acme = { enable = true; certs = [ xrayServer.serverName ]; };
nginx.transparentProxy.map."${xrayServer.serverName}" = 4726;
acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; };
nginx =
{
enable = true;
transparentProxy.map."${xrayServer.serverName}" = 4726;
https."${xrayServer.serverName}" =
{
listen.main = { proxyProtocol = false; addToTransparentProxy = false; };
location."/".return.return = "400";
};
};
};
security.acme.certs.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group;
}
))
];


@@ -4,11 +4,7 @@ inputs:
{
enable = mkOption { type = types.bool; default = false; };
port = mkOption { type = types.ints.unsigned; default = 3389; };
hostname = mkOption
{
type = types.nullOr (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
default = null;
};
hostname = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
};
config =
let
@@ -18,25 +14,24 @@ inputs:
[
{
services.xrdp =
{
enable = true;
port = xrdp.port;
openFirewall = true;
defaultWindowManager = "startplasma-x11";
};
{ enable = true; port = xrdp.port; openFirewall = true; defaultWindowManager = "startplasma-x11"; };
}
(
mkIf (xrdp.hostname != null)
(
let
mainDomain = if builtins.typeOf xrdp.hostname == "string" then xrdp.hostname
else builtins.elemAt xrdp.hostname 0;
mainDomain = builtins.elemAt xrdp.hostname 0;
in
{
services.xrdp = let keydir = inputs.config.security.acme.certs.${mainDomain}.directory; in
{ sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
nixos.services.acme = { enable = true; certs = [ xrdp.hostname ]; };
security.acme.certs.${mainDomain}.group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
services.xrdp =
let keydir = inputs.config.security.acme.certs.${mainDomain}.directory;
in { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
nixos.services.acme =
{
enable = true;
cert.${mainDomain} =
{ domains = xrdp.hostname; group = inputs.config.systemd.services.xrdp.serviceConfig.Group; };
};
}
)
)


@@ -17,11 +17,7 @@ inputs:
];
config =
{
services =
{
dbus.implementation = "broker";
fstrim = { enable = true; interval = "daily"; };
};
services = { dbus.implementation = "broker"; fstrim = { enable = true; interval = "daily"; }; };
time.timeZone = "Asia/Shanghai";
boot =
{
@@ -53,10 +49,7 @@ inputs:
_JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${XDG_CONFIG_HOME}/java";
};
i18n =
{
defaultLocale = "C.UTF-8";
supportedLocales = [ "zh_CN.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" "C.UTF-8/UTF-8" ];
};
{ defaultLocale = "C.UTF-8"; supportedLocales = [ "zh_CN.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" "C.UTF-8/UTF-8" ]; };
users.mutableUsers = false;
# environment.pathsToLink = [ "/include" ];
# environment.variables.CPATH = "/run/current-system/sw/include";


@@ -40,10 +40,7 @@ inputs:
default = {};
};
keyFile = mkOption
{
type = types.path;
default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key";
};
{ type = types.path; default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key"; };
delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};
};
@@ -56,20 +53,14 @@ inputs:
type = types.nullOr (types.str or (types.submodule
{
options =
{
device = mkOption { type = types.nonEmptyStr; };
offset = mkOption { type = types.ints.unsigned; };
};
{ device = mkOption { type = types.nonEmptyStr; }; offset = mkOption { type = types.ints.unsigned; }; };
}));
default = null;
};
rollingRootfs = mkOption
{
type = types.nullOr (types.submodule { options =
{
device = mkOption { type = types.nonEmptyStr; };
path = mkOption { type = types.nonEmptyStr; };
}; });
{ device = mkOption { type = types.nonEmptyStr; }; path = mkOption { type = types.nonEmptyStr; }; }; });
default = null;
};
};
@@ -87,13 +78,7 @@ inputs:
(device:
{
name = device.value;
value =
{
device = device.name;
fsType = "vfat";
neededForBoot = true;
options = [ "noatime" ];
};
value = { device = device.name; fsType = "vfat"; neededForBoot = true; options = [ "noatime" ]; };
})
(attrsToList fileSystems.mount.vfat));
}
@@ -207,7 +192,7 @@ inputs:
};
};
fileSystems = listToAttrs (map
(mount: { name = mount; value.options = [ "x-systemd.device-timeout=15min" ]; })
(mount: { name = mount; value.options = [ "x-systemd.device-timeout=48h" ]; })
fileSystems.decrypt.manual.delayedMount);
}
)
@@ -241,6 +226,7 @@ inputs:
{
grep = "${inputs.pkgs.gnugrep}/bin/grep";
awk = "${inputs.pkgs.gawk}/bin/awk";
chattr = "${inputs.pkgs.e2fsprogs}/bin/chattr";
};
services.roll-rootfs =
{
@@ -260,6 +246,7 @@ inputs:
btrfs property set -ts /mnt${path}/$timestamp-$subvolid ro true
fi
btrfs subvolume create /mnt${path}/current
chattr +C /mnt${path}/current
echo $(date '+%Y%m%d%H%M%S') > /mnt${path}/current/.timestamp
umount /mnt
'';
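Review bot: `chattr +C /mnt${path}/current` disables copy-on-write for the entire freshly created root subvolume, and on btrfs a NOCOW file is also not checksummed, so silent corruption in the live root will no longer be caught by reads or `btrfs scrub`. If the motivation is write amplification for a specific workload (databases, swap, VM images), applying `+C` to that directory alone keeps checksums for the rest of the root. Whichever is intended, a comment on the line, e.g. `# +C: whole root is NOCOW (no data checksums) — deliberate, to avoid CoW write amplification`, records the trade-off; the `roll-rootfs` script this line lives in starts before this hunk.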


@@ -4,6 +4,7 @@ inputs:
{
enable = mkOption { type = types.bool; default = false; };
preferred = mkOption { type = types.bool; default = false; };
autoStart = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
};
config =
let
@@ -18,7 +19,7 @@ inputs:
desktopManager.plasma5.enable = true;
videoDrivers = inputs.config.nixos.hardware.gpus;
};
systemd.services.display-manager.after = [ "network-online.target" ];
systemd.services.display-manager = { after = [ "network-online.target" ]; enable = gui.autoStart; };
environment =
{
sessionVariables."GTK_USE_PORTAL" = "1";
@@ -30,10 +31,6 @@ inputs:
enabled = "fcitx5";
fcitx5.addons = with inputs.pkgs; [ fcitx5-rime fcitx5-chinese-addons fcitx5-mozc ];
};
programs =
{
dconf.enable = true;
xwayland.enable = true;
};
programs = { dconf.enable = true; xwayland.enable = true; };
};
}
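Review bot: `enable = gui.autoStart` on `systemd.services.display-manager` probably does more than skip auto-start: in NixOS, setting a unit's `enable` to false masks it, so with `autoStart = false` the display manager cannot be started later by hand either. If the intent is "installed but not started at boot", the startable form is `systemd.services.display-manager = { after = [ "network-online.target" ]; wantedBy = inputs.lib.mkForce (if gui.autoStart then [ "graphical.target" ] else []); };`. Whichever semantics is meant, the new `autoStart` option should carry a one-line comment saying which one, since the name suggests manual starts remain possible.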


@@ -28,6 +28,8 @@ inputs:
"/var/log"
"/var/spool"
"/var/backup"
{ directory = "/var/lib/docker/volumes"; mode = "0710"; }
"/srv"
];
files =
[
@@ -41,25 +43,28 @@ inputs:
"${impermanence.root}" =
{
hideMounts = true;
directories = [ "/var/lib/systemd/linger" "/var/lib/systemd/coredump" ]
++ (if inputs.config.services.xserver.displayManager.sddm.enable then
[{ directory = "/var/lib/sddm"; user = "sddm"; group = "sddm"; mode = "0700"; }] else []);
directories =
[
"/var/lib/systemd/linger"
"/var/lib/systemd/coredump"
{ directory = "/var/lib/docker"; mode = "0710"; }
]
++ (if inputs.config.services.xserver.displayManager.sddm.enable then
[{ directory = "/var/lib/sddm"; user = "sddm"; group = "sddm"; mode = "0700"; }] else []);
}
// (if builtins.elem "chn" inputs.config.nixos.users.users then
{
users.chn =
{
directories =
[
".cache"
];
directories = [ ".cache" ];
};
} else {});
"${impermanence.nodatacow}" =
{
hideMounts = true;
directories =
(
[{ directory = "/var/log/journal"; user = "root"; group = "systemd-journal"; mode = "u=rwx,g=rx+s,o=rx"; }]
++ (
if inputs.config.nixos.services.postgresql.enable then let user = inputs.config.users.users.postgres; in
[{ directory = "/var/lib/postgresql"; user = user.name; group = user.group; mode = "0750"; }]
else []
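Review bot: `/var/lib/docker/volumes` is now persisted on its own in the first hunk while `/var/lib/docker` is persisted under `${impermanence.root}` in the second; the enclosing attribute of the first hunk starts outside it, so I cannot see which persistence root it belongs to, but if it is a different one the result is a bind mount nested inside another bind mount, which only works if the outer `/var/lib/docker` is mounted first. A comment on the `volumes` entry naming the intended root and the reason for splitting it (presumably keeping volume data on the nodatacow subvolume) would make that ordering requirement explicit. `mode = "0710"` matches what dockerd itself creates for `/var/lib/docker`, which is worth stating so nobody loosens it later.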


@@ -2,27 +2,32 @@ inputs:
{
options.nixos.system.initrd = let inherit (inputs.lib) mkOption types; in
{
network.enable = mkOption { type = types.bool; default = false; };
sshd =
{
enable = mkOption { type = types.bool; default = false; };
hostKeys = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
hostKeys = mkOption
{
type = types.listOf types.nonEmptyStr;
default = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ];
};
};
};
config =
let
inherit (inputs.config.nixos.system) initrd;
in { boot =
{
initrd =
{
systemd.enable = true;
network =
inherit (inputs.lib) mkIf mkMerge;
in mkMerge
[
{ boot.initrd.systemd.enable = true; }
(
mkIf (initrd.sshd.enable)
{
enable = initrd.network.enable;
ssh = { enable = true; hostKeys = initrd.sshd.hostKeys; };
};
};
kernelParams = if initrd.network.enable then [ "ip=dhcp" ] else [];
};};
boot =
{
initrd.network = { enable = true; ssh = { enable = true; hostKeys = initrd.sshd.hostKeys; }; };
kernelParams = [ "ip=dhcp" ];
};
}
)
];
}
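Review bot: the new `hostKeys` default `/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key` is read at build time and embedded into the initrd, which sits unencrypted on the boot partition; the dedicated `initrd_` name already keeps it separate from the real sshd host key, but that invariant should be written down next to the default, e.g. `# must NOT be the system sshd host key: the initrd, and this key with it, is stored unencrypted in /boot`. The new `mkIf (initrd.sshd.enable)` branch enables `boot.initrd.network` and `ip=dhcp` unconditionally and no longer reads `initrd.network.enable`; if that option survived the hunk it is now dead and should be removed or wired back in. The default path also assumes the impermanence layout, so a host without `/nix/persistent` will presumably fail while building the initrd rather than at runtime — worth a line in the option description.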


@@ -3,7 +3,7 @@ inputs:
options.nixos.system.kernel = let inherit (inputs.lib) mkOption types; in
{
useLts = mkOption { type = types.bool; default = false; };
patches = mkOption { type = types.listOf (types.enum [ "cjktty" "preempt" ]); default = []; };
patches = mkOption { type = types.listOf (types.enum [ "cjktty" ]); default = []; };
modules =
{
install = mkOption { type = types.listOf types.str; default = []; };
@@ -60,18 +60,6 @@ inputs:
extraStructuredConfig =
{ FONT_CJK_16x16 = inputs.lib.kernel.yes; FONT_CJK_32x32 = inputs.lib.kernel.yes; };
};
preempt =
{
patch = null;
extraStructuredConfig =
{
PREEMPT_VOLUNTARY = inputs.lib.mkForce inputs.lib.kernel.no;
PREEMPT = inputs.lib.mkForce inputs.lib.kernel.yes;
HZ_500 = inputs.lib.mkForce inputs.lib.kernel.no;
HZ_1000 = inputs.lib.mkForce inputs.lib.kernel.yes;
HZ = inputs.lib.mkForce (inputs.lib.kernel.freeform "1000");
};
};
};
in
builtins.map (name: { inherit name; } // patches.${name}) kernel.patches;


@@ -49,10 +49,6 @@ inputs:
secrets."nebula/key" = {};
};
networking.firewall.trustedInterfaces = [ "nebula.nebula" ];
systemd.services."nebula@nebula" =
{
after = [ "network-online.target" ];
serviceConfig.Restart = "always";
};
systemd.services."nebula@nebula" = { after = [ "network-online.target" ]; serviceConfig.Restart = "always"; };
};
}


@@ -6,6 +6,7 @@ inputs:
marches = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
keepOutputs = mkOption { type = types.bool; default = false; };
substituters = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
autoOptimiseStore = mkOption { type = types.bool; default = false; };
};
config =
let
@@ -26,6 +27,7 @@ inputs:
experimental-features = [ "nix-command" "flakes" ];
keep-outputs = nix.keepOutputs;
keep-failed = true;
auto-optimise-store = nix.autoOptimiseStore;
substituters = if nix.substituters == null then [ "https://cache.nixos.org/" ] else nix.substituters;
trusted-public-keys = [ "chn:Cc+nowW1LIpe1kyXOZmNaznFDiH1glXmpb4A+WD/DTE=" ];
show-trace = true;
@@ -43,11 +45,7 @@ inputs:
};
nixPath = [ "nixpkgs=${inputs.topInputs.nixpkgs}" ];
};
system =
{
stateVersion = "22.11";
configurationRevision = inputs.topInputs.self.rev or "dirty";
};
system = { stateVersion = "22.11"; configurationRevision = inputs.topInputs.self.rev or "dirty"; };
systemd.services.nix-daemon =
{
serviceConfig = { CacheDirectory = "nix"; Slice = "-.slice"; Nice = "19"; };


@@ -3,80 +3,136 @@ inputs:
options.nixos.system.nixpkgs = let inherit (inputs.lib) mkOption types; in
{
march = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
oneapiArch = mkOption
{
type = types.nullOr types.nonEmptyStr;
default = inputs.config.nixos.system.nixpkgs.march;
};
cudaSupport = mkOption { type = types.bool; default = false; };
replaceTensorflow = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) mkConditional;
inherit (builtins) map listToAttrs filter tryEval attrNames concatStringsSep toString;
inherit (inputs.lib) mkIf;
inherit (inputs.lib.strings) hasPrefix splitString;
inherit (inputs.localLib) mkConditional attrsToList;
inherit (inputs.config.nixos.system) nixpkgs;
in mkMerge
[
{
nixpkgs =
in
{
nixpkgs =
let
permittedInsecurePackages =
[ "openssl_1_1" "electron_19" "python2" "electron_12" "electron_24" "zotero" ];
hostPlatform = mkConditional (nixpkgs.march != null)
{ system = "x86_64-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; }
"x86_64-linux";
noBuildPackages =
[
# chromium
"chromium" "electron" "webkitgtk"
# old python release
"python310"
# nodejs
"nodejs"
# haskell
"haskell"
# meta tools
"fastfetch"
# libreoffice
"libreoffice" "libreoffice-qt" "libreoffice-fresh"
# java
"openjdk" "jetbrains"
];
in
{
config.allowUnfree = true;
config.cudaSupport = nixpkgs.cudaSupport;
overlays = [(final: prev:
inherit hostPlatform;
config =
{
genericPackages =
import inputs.topInputs.nixpkgs { system = "x86_64-linux"; config.allowUnfree = true; };
waydroid = final.unstablePackages.waydroid;
})];
};
}
(
mkConditional (nixpkgs.march != null)
{
programs.ccache.enable = true;
nixpkgs =
{
hostPlatform = { system = "x86_64-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; };
config = { qchem-config.optArch = nixpkgs.march; oneapiArch = nixpkgs.oneapiArch; };
overlays = [(final: prev:
{
unstablePackages = import inputs.topInputs.nixpkgs-unstable
{
localSystem = { system = "x86_64-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; };
config.allowUnfree = true;
};
})];
permittedInsecurePackages = map
(package: inputs.pkgs.${package}.name)
(filter (package: inputs.pkgs ? ${package}) permittedInsecurePackages);
allowUnfree = true;
cudaSupport = nixpkgs.cudaSupport;
qchem-config = mkIf (nixpkgs.march != null) { optArch = nixpkgs.march; };
oneapiArch = mkIf (nixpkgs.march != null) nixpkgs.march;
};
boot.kernelPatches =
[{
name = "native kernel";
patch = null;
extraStructuredConfig =
let
kernelConfig =
overlays =
[(final: prev:
let
genericPackages = import inputs.topInputs.nixpkgs
{
system = "x86_64-linux";
config =
{
alderlake = "MALDERLAKE";
sandybridge = "MSANDYBRIDGE";
silvermont = "MSILVERMONT";
broadwell = "MBROADWELL";
znver2 = "MZEN2";
znver3 = "MZEN3";
allowUnfree = true;
permittedInsecurePackages = let pkgs = inputs.topInputs.nixpkgs.legacyPackages.x86_64-linux; in map
(package: pkgs.${package}.name)
(filter (package: pkgs ? ${package}) permittedInsecurePackages);
};
in
{
GENERIC_CPU = inputs.lib.kernel.no;
${kernelConfig.${nixpkgs.march}} = inputs.lib.kernel.yes;
};
}];
}
{
nixpkgs =
{
hostPlatform = "x86_64-linux";
overlays = [(final: prev: { unstablePackages = import inputs.topInputs.nixpkgs-unstable
{ localSystem.system = "x86_64-linux"; config.allowUnfree = true; }; })];
};
}
)
];
targetPythonVersion = inputs.lib.lists.take 2 (splitString "." genericPackages.python3.version);
targetPythonName = "python${concatStringsSep "" targetPythonVersion}";
in
{ inherit genericPackages; }
// {
unstablePackages = import inputs.topInputs.nixpkgs-unstable
{
localSystem = hostPlatform;
config =
{
allowUnfree = true;
permittedInsecurePackages =
let pkgs = inputs.topInputs.nixpkgs-unstable.legacyPackages.x86_64-linux;
in map
(package: pkgs.${package}.name)
(filter (package: pkgs ? ${package}) permittedInsecurePackages);
};
};
}
// (
if nixpkgs.march != null then
let replacedPackages = filter
(package: let pname = tryEval genericPackages.${package}.pname or null;
in (pname.success && (builtins.elem pname.value noBuildPackages)
|| builtins.elem package noBuildPackages))
(filter
(package: builtins.any (prefix: hasPrefix prefix package) noBuildPackages)
(attrNames genericPackages));
in listToAttrs (map
(package: { name = package; value = genericPackages.${package}; })
replacedPackages)
else {}
)
// (
if nixpkgs.replaceTensorflow then
{
${targetPythonName} = prev.${targetPythonName}.override { packageOverrides = final: prev:
{
tensorflow = prev.tensorflow.override
{
cudaSupport = false;
customBazelBuild = genericPackages.${targetPythonName}.pkgs.tensorflow.passthru.bazel-build;
};
};};
}
else {}
)
)];
};
programs.ccache = { enable = true; cacheDir = "/var/lib/ccache"; };
nix.settings.extra-sandbox-paths = [ inputs.config.programs.ccache.cacheDir ];
boot.kernelPatches = mkIf (nixpkgs.march != null)
[{
name = "native kernel";
patch = null;
extraStructuredConfig =
let
kernelConfig =
{
alderlake = "MALDERLAKE";
sandybridge = "MSANDYBRIDGE";
silvermont = "MSILVERMONT";
broadwell = "MBROADWELL";
znver2 = "MZEN2";
znver3 = "MZEN3";
};
in { GENERIC_CPU = inputs.lib.kernel.no; ${kernelConfig.${nixpkgs.march}} = inputs.lib.kernel.yes; };
}];
};
}
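Review bot: `nix.settings.extra-sandbox-paths = [ inputs.config.programs.ccache.cacheDir ]` bind-mounts one host directory, writable by builds, into every build sandbox; a cache shared across builds means a miscompiling or compromised build can seed objects that later builds reuse, so packages built through ccache are no longer hermetic and their outputs depend on cache state. That trade-off, and the fact that the directory's ownership is the trust boundary, belongs next to the line (`# shared writable cache crosses the sandbox boundary; only trusted local builds should be cached here`); if the NixOS `programs.ccache` module already adds `cacheDir` to `extra-sandbox-paths`, the line is also redundant and can go. The `permittedInsecurePackages` list (`openssl_1_1`, `python2`, several `electron_*`, `zotero`) is now applied to both the stable and unstable package sets; a comment per entry naming the dependant that still needs it would let entries be retired instead of accumulating. Minor: the inner `packageOverrides = final: prev:` shadows the overlay's own `final`/`prev`, which is easy to misread in the tensorflow override.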


@@ -28,11 +28,7 @@ inputs:
])
]);
};
yubico =
{
enable = true;
id = "91291";
};
yubico = { enable = true; id = "91291"; };
};
};
}


@@ -2,8 +2,8 @@ inputs:
{
options.nixos.system.sops = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
keyPathPrefix = mkOption { type = types.str; default = ""; };
enable = mkOption { type = types.bool; default = true; };
keyPathPrefix = mkOption { type = types.str; default = "/nix/persistent"; };
};
config =
let
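Review bot: flipping `enable` to default `true` together with `keyPathPrefix = "/nix/persistent"` makes every host that does not override these look for its sops key under the impermanence root, so a host without that layout now fails where it previously simply had sops off. A comment on the two defaults stating the assumption (`# defaults assume the impermanence layout: the age key lives under /nix/persistent`) would make that visible to whoever adds the next host. The `config` block starts after the hunk ends, so I could not check whether a missing key file is handled there.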


@@ -0,0 +1,118 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) users;
in mkIf (builtins.elem "chn" users.users)
{
users.users.chn =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" "groupshare" ]
(builtins.attrNames inputs.config.users.groups);
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
hashedPassword = "$y$j9T$xJwVBoGENJEDSesJ0LfkU1$VEExaw7UZtFyB4VY1yirJvl7qS7oiF49KbEBrV0.hhC";
openssh.authorizedKeys.keys =
[
# ykman fido credentials list
# ykman fido credentials delete f2c1ca2d
# ssh-keygen -t ed25519-sk -O resident
# ssh-keygen -K
(builtins.concatStringsSep ""
[
"sk-ssh-ed25519@openssh.com "
"AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEU/JPpLxsk8UWXiZr8CPNG+4WKFB92o1Ep9OEstmPLzAAAABHNzaDo= "
"chn@pc"
])
];
};
home-manager.users.chn =
{
imports = users.sharedModules;
config =
{
programs =
{
git = { userName = "chn"; userEmail = "chn@chn.moe"; };
ssh.matchBlocks = builtins.listToAttrs
(
(builtins.map
(host: { name = host; value = { inherit host; hostname = "${host}.chn.moe"; }; })
[ "internal.pc" "vps5" "vps6" "internal.vps6" "vps7" "internal.vps7" "internal.nas" ])
++ (builtins.map
(host:
{
name = host;
value =
{
host = host;
hostname = "hpc.xmu.edu.cn";
user = host;
extraOptions =
{
PubkeyAcceptedAlgorithms = "+ssh-rsa";
HostkeyAlgorithms = "+ssh-rsa";
SetEnv = "TERM=chn_unset_ls_colors:xterm-256color";
# in .bash_profile:
# if [[ $TERM == chn_unset_ls_colors* ]]; then
# export TERM=${TERM#*:}
# export CHN_LS_USE_COLOR=1
# fi
# in .bashrc
# [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"
};
};
})
[ "wlin" "jykang" "hwang" ])
)
// {
xmupc1 = { host = "xmupc1"; hostname = "office.chn.moe"; port = 6007; };
nas = { host = "nas"; hostname = "office.chn.moe"; port = 5440; };
# identityFile = "~/.ssh/xmuhk_id_rsa";
xmuhk = { host = "xmuhk"; hostname = "10.26.14.56"; user = "xmuhk"; };
xmuhk2 = { host = "xmuhk2"; hostname = "183.233.219.132"; user = "xmuhk"; port = 62022; };
};
};
home.packages =
[
(
let
servers = builtins.filter
(system: system.value.enable)
(builtins.map
(system:
{
name = system.config.nixos.system.networking.hostname;
value = system.config.nixos.system.fileSystems.decrypt.manual;
})
(builtins.attrValues inputs.topInputs.self.nixosConfigurations));
cat = "${inputs.pkgs.coreutils}/bin/cat";
gpg = "${inputs.pkgs.gnupg}/bin/gpg";
ssh = "${inputs.pkgs.openssh}/bin/ssh";
in inputs.pkgs.writeShellScriptBin "remote-decrypt" (builtins.concatStringsSep "\n"
(
(builtins.map (system: builtins.concatStringsSep "\n"
[
"decrypt-${system.name}() {"
" key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
(builtins.concatStringsSep "\n" (builtins.map
(device: " echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
+ (if device.value.ssd then "--allow-discards " else "")
+ "${device.name} ${device.value.mapper} -")
(inputs.localLib.attrsToList system.value.devices)))
"}"
])
servers)
++ [ "decrypt-$1" ]
))
)
];
pam.yubico.authorizedYubiKeys.ids = [ "cccccbgrhnub" ];
};
};
nixos.services.groupshare.mountPoints = [ "/home/chn/groupshare" ];
};
}
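Review bot: in the `remote-decrypt` script the LUKS key is forwarded with `echo $key | ${ssh} ...`, i.e. unquoted and through `echo`, so shell word-splitting, globbing and `echo`'s own option parsing can alter the key bytes, and `$( )` already strips trailing newlines from the gpg output; `printf '%s' "$key" | ${ssh} ...` passes the decrypted key through unchanged (whether the newline stripping is wanted depends on how the key file was created, so a comment is due either way). Separately, `chn` here and `root` in the new root module keep a literal `hashedPassword` in the module while `xll`/`yjq`/`yxy`/`zem` use `hashedPasswordFile` from sops; a literal hash ends up world-readable in the Nix store of every host, so either move these two to the sops pattern or note why they stay inline. The `+ssh-rsa` overrides are correctly confined to the `hpc.xmu.edu.cn` match blocks; a short comment such as `# that server only accepts ssh-rsa; do not copy this to other hosts` would document why the weaker algorithms are re-enabled there.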


@@ -1,277 +1,12 @@
inputs:
let
allUsers =
{
root =
{
users.users.root =
{
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
hashedPassword = "$y$j9T$.UyKKvDnmlJaYZAh6./rf/$65dRqishAiqxCE6LEMjqruwJPZte7uiyYLVKpzdZNH5";
openssh.authorizedKeys.keys =
[
(builtins.concatStringsSep ""
[
"sk-ssh-ed25519@openssh.com "
"AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEU/JPpLxsk8UWXiZr8CPNG+4WKFB92o1Ep9OEstmPLzAAAABHNzaDo= "
"chn@pc"
])
];
};
home-manager.users.root =
{
imports = inputs.config.nixos.users.sharedModules;
config.programs.git =
{
extraConfig.core.editor = inputs.lib.mkForce "vim";
userName = "chn";
userEmail = "chn@chn.moe";
};
};
};
chn =
{
users.users.chn =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" "groupshare" ]
(builtins.attrNames inputs.config.users.groups);
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
hashedPassword = "$y$j9T$xJwVBoGENJEDSesJ0LfkU1$VEExaw7UZtFyB4VY1yirJvl7qS7oiF49KbEBrV0.hhC";
openssh.authorizedKeys.keys =
[
# ykman fido credentials list
# ykman fido credentials delete f2c1ca2d
# ssh-keygen -t ed25519-sk -O resident
# ssh-keygen -K
(builtins.concatStringsSep ""
[
"sk-ssh-ed25519@openssh.com "
"AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEU/JPpLxsk8UWXiZr8CPNG+4WKFB92o1Ep9OEstmPLzAAAABHNzaDo= "
"chn@pc"
])
];
};
home-manager.users.chn =
{
imports = inputs.config.nixos.users.sharedModules;
config =
{
programs =
{
git =
{
userName = "chn";
userEmail = "chn@chn.moe";
};
ssh.matchBlocks = builtins.listToAttrs
(
(builtins.map
(host:
{
name = host.name;
value = { host = host.name; hostname = host.value; user = "chn"; };
})
(inputs.localLib.attrsToList
{
vps3 = "vps3.chn.moe";
vps4 = "vps4.chn.moe";
vps5 = "vps5.chn.moe";
vps6 = "vps6.chn.moe";
vps7 = "vps7.chn.moe";
}))
++ (builtins.map
(host:
{
name = host;
value =
{
host = host;
hostname = "hpc.xmu.edu.cn";
user = host;
extraOptions =
{
PubkeyAcceptedAlgorithms = "+ssh-rsa";
HostkeyAlgorithms = "+ssh-rsa";
SetEnv = "TERM=chn_unset_ls_colors:xterm-256color";
# in .bash_profile:
# if [[ $TERM == chn_unset_ls_colors* ]]; then
# export TERM=${TERM#*:}
# export CHN_LS_USE_COLOR=1
# fi
# in .bashrc
# [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"
};
};
})
[ "wlin" "jykang" "hwang" ])
)
// {
xmupc1 =
{
host = "xmupc1";
hostname = "office.chn.moe";
user = "chn";
port = 6007;
};
nas =
{
host = "nas";
hostname = "office.chn.moe";
user = "chn";
port = 5440;
};
xmupc1-ext =
{
host = "xmupc1-ext";
hostname = "vps3.chn.moe";
user = "chn";
port = 6007;
};
xmuhk =
{
host = "xmuhk";
hostname = "10.26.14.56";
user = "xmuhk";
# identityFile = "~/.ssh/xmuhk_id_rsa";
};
xmuhk2 =
{
host = "xmuhk2";
hostname = "183.233.219.132";
user = "xmuhk";
port = 62022;
};
};
};
home.packages =
[
(
let
servers = builtins.filter
(system: system.value.enable)
(builtins.map
(system:
{
name = system.config.nixos.system.networking.hostname;
value = system.config.nixos.system.fileSystems.decrypt.manual;
})
(builtins.attrValues inputs.topInputs.self.nixosConfigurations));
cat = "${inputs.pkgs.coreutils}/bin/cat";
gpg = "${inputs.pkgs.gnupg}/bin/gpg";
ssh = "${inputs.pkgs.openssh}/bin/ssh";
in inputs.pkgs.writeShellScriptBin "remote-decrypt" (builtins.concatStringsSep "\n"
(
(builtins.map (system: builtins.concatStringsSep "\n"
[
"decrypt-${system.name}() {"
" key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
(builtins.concatStringsSep "\n" (builtins.map
(device: " echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
+ (if device.value.ssd then "--allow-discards " else "")
+ "${device.name} ${device.value.mapper} -")
(inputs.localLib.attrsToList system.value.devices)))
"}"
])
servers)
++ [ "decrypt-$1" ]
))
)
];
pam.yubico.authorizedYubiKeys.ids = [ "cccccbgrhnub" ];
};
};
nixos.services.groupshare.mountPoints = [ "/home/chn/groupshare" ];
};
xll =
{
users.users.xll =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
passwordFile = inputs.config.sops.secrets."users/xll".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./xll_id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.xll.imports = inputs.config.nixos.users.sharedModules;
sops.secrets."users/xll".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/xll/groupshare" ];
};
zem =
{
users.users.zem =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
passwordFile = inputs.config.sops.secrets."users/zem".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./zem_id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.zem.imports = inputs.config.nixos.users.sharedModules;
sops.secrets."users/zem".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/zem/groupshare" ];
};
yjq =
{
users.users.yjq =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
passwordFile = inputs.config.sops.secrets."users/yjq".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./yjq_id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.yjq.imports = inputs.config.nixos.users.sharedModules;
sops.secrets."users/yjq".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/yjq/groupshare" ];
};
yxy =
{
users.users.yxy =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
passwordFile = inputs.config.sops.secrets."users/yxy".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./yxy_id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.yxy.imports = inputs.config.nixos.users.sharedModules;
sops.secrets."users/yxy".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/yxy/groupshare" ];
};
};
in
{
options.nixos.users = let inherit (inputs.lib) mkOption types; in
{
options.nixos.users = let inherit (inputs.lib) mkOption types; in
{
users = mkOption { type = types.listOf (types.enum (builtins.attrNames allUsers)); default = [ "root" "chn" ]; };
sharedModules = mkOption { type = types.listOf types.anything; default = []; };
};
config =
let
inherit (builtins) map attrNames;
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.config.nixos) users;
in mkMerge
[
(mkMerge (map (user: mkIf (builtins.elem user users.users) allUsers.${user}) (attrNames allUsers)))
];
}
users = mkOption { type = types.listOf types.nonEmptyStr; default = [ "root" "chn" ]; };
sharedModules = mkOption { type = types.listOf types.anything; default = []; };
};
imports = inputs.localLib.mkModules [ ./chn ./root ./xll ./yjq ./yxy ./zem ];
}
# environment.persistence."/impermanence".users.chn =
# {
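Review bot: `users` changed from `types.enum (builtins.attrNames allUsers)` to `types.listOf types.nonEmptyStr`, so a misspelt user name no longer fails evaluation — each new per-user module only checks `builtins.elem "<name>" users.users`, and an unknown name is silently ignored. Since the imported module list is fixed, `users = mkOption { type = types.listOf (types.enum [ "root" "chn" "xll" "yjq" "yxy" "zem" ]); default = [ "root" "chn" ]; };` (or an assertion that every listed name has a module) restores the check. The commented-out `# environment.persistence."/impermanence".users.chn =` block left at the end of the new side is dead text and should be dropped or moved into the chn module where it belongs.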


@@ -0,0 +1,31 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) users;
in mkIf (builtins.elem "root" users.users)
{
users.users.root =
{
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
hashedPassword = "$y$j9T$.UyKKvDnmlJaYZAh6./rf/$65dRqishAiqxCE6LEMjqruwJPZte7uiyYLVKpzdZNH5";
openssh.authorizedKeys.keys =
[
(builtins.concatStringsSep ""
[
"sk-ssh-ed25519@openssh.com "
"AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEU/JPpLxsk8UWXiZr8CPNG+4WKFB92o1Ep9OEstmPLzAAAABHNzaDo= "
"chn@pc"
])
];
};
home-manager.users.root =
{
imports = users.sharedModules;
config.programs.git =
{ extraConfig.core.editor = inputs.lib.mkForce "vim"; userName = "chn"; userEmail = "chn@chn.moe"; };
};
};
}


@@ -0,0 +1,24 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) users;
in mkIf (builtins.elem "xll" users.users)
{
users.users.xll =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
hashedPasswordFile = inputs.config.sops.secrets."users/xll".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.xll.imports = users.sharedModules;
sops.secrets."users/xll".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/xll/groupshare" ];
};
}
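Review bot: this module and the new `yjq`, `yxy` and `zem` modules are identical except for the user name (the `mkIf` guard, `users.users.<name>`, `sops.secrets."users/<name>"`, `readFile ./id_rsa.pub` and the groupshare mount point), so a single helper taking the name and the key path would remove the four-way copy. It would also give the shared policy — groups limited to `groupshare`/`video`, password only via the sops `hashedPasswordFile`, `neededForUsers = true` — one place to live, which is where a comment explaining it belongs, e.g. `# restricted lab account: no wheel, password hash supplied by sops at activation rather than stored in the module`.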


@@ -0,0 +1,24 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) users;
in mkIf (builtins.elem "yjq" users.users)
{
users.users.yjq =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
hashedPasswordFile = inputs.config.sops.secrets."users/yjq".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.yjq.imports = users.sharedModules;
sops.secrets."users/yjq".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/yjq/groupshare" ];
};
}


@@ -0,0 +1,24 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) users;
in mkIf (builtins.elem "yxy" users.users)
{
users.users.yxy =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
hashedPasswordFile = inputs.config.sops.secrets."users/yxy".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.yxy.imports = users.sharedModules;
sops.secrets."users/yxy".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/yxy/groupshare" ];
};
}


@@ -0,0 +1,24 @@
inputs:
{
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos) users;
in mkIf (builtins.elem "zem" users.users)
{
users.users.zem =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
hashedPasswordFile = inputs.config.sops.secrets."users/zem".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.zem.imports = users.sharedModules;
sops.secrets."users/zem".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/zem/groupshare" ];
};
}


@@ -8,7 +8,7 @@ inputs:
{
enable = mkOption { default = false; type = types.bool; };
gui = mkOption { default = false; type = types.bool; };
autoSuspend = mkOption { type = types.listOf types.string; default = []; };
autoSuspend = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};
kvmGuest.enable = mkOption { default = false; type = types.bool; };
nspawn = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
@@ -26,12 +26,9 @@ inputs:
# enable = true;
rootless =
{
enable = true; setSocketVariable = true;
daemon.settings =
{
features.buildkit = true;
dns = [ "1.1.1.1" ];
};
enable = true;
setSocketVariable = true;
daemon.settings = { features.buildkit = true; dns = [ "1.1.1.1" ]; storage-driver = "overlay2"; };
};
enableNvidia = builtins.elem "nvidia" inputs.config.nixos.hardware.gpus;
storageDriver = "overlay2";
@@ -47,23 +44,11 @@ inputs:
boot =
{
kernelModules =
let
modules =
{
intel = [ "kvm-intel" ];
amd = [];
};
in
builtins.concatLists (builtins.map (cpu: modules.${cpu}) inputs.config.nixos.hardware.cpus);
let modules = { intel = [ "kvm-intel" ]; amd = []; };
in builtins.concatLists (builtins.map (cpu: modules.${cpu}) inputs.config.nixos.hardware.cpus);
extraModprobeConfig =
let
configs =
{
intel = "options kvm_intel nested=1";
amd = "";
};
in
builtins.concatStringsSep "\n" (builtins.map (cpu: configs.${cpu}) inputs.config.nixos.hardware.cpus);
let configs = { intel = "options kvm_intel nested=1"; amd = ""; };
in builtins.concatStringsSep "\n" (builtins.map (cpu: configs.${cpu}) inputs.config.nixos.hardware.cpus);
};
virtualisation =
{
@@ -153,15 +138,9 @@ inputs:
)
# nspawn
{
systemd.nspawn =
let
f = name: { inherit name; value =
{
execConfig.PrivateUsers = false;
networkConfig.VirtualEthernet = false;
}; };
in
builtins.listToAttrs (builtins.map f inputs.config.nixos.virtualization.nspawn);
systemd.nspawn = builtins.listToAttrs (builtins.map
(name: { inherit name; value = { execConfig.PrivateUsers = false; networkConfig.VirtualEthernet = false; }; })
inputs.config.nixos.virtualization.nspawn);
}
];
}

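--- a/secrets/gitlab/jws.bin
+++ b/secrets/gitlab/jws.bin
@@ -0,0 +1,24 @@
+{
+"data": "ENC[AES256_GCM,data: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,iv:w+4KWqVK5p9UrAulfCwq1naoJoBmLYxWhRlYeG3x08c=,tag:hMDB+QP1AXRU0iBd3ZSxGg==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": [
+{
+"recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbDRxK0taVzlwWEJPNFNk\nWVVtS09Jb1AzaUhkeGlTNlJBOXUyTEs1MEVjCnEwOGMyV0tJVDNwTzhQb25Fb1lz\nRkJqbFZMa1VkWVBFOWc0NVIwU2E1SEEKLS0tIExqOEZFUThmYThnbzBpZC9TcGc2\nSFNRQmNmdGlPZnE1cXlMT1VKNTU4NkUK19Xik2Nc2UB6hREBiClAx8fQQd0/lhma\nq0e0KEOIlJfH9Yowc/oT+zZust/i7O69mIK8cS3XWF8eUqFzj4aG8w==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGxNN2xIOFYvYWxuQTJy\ndktHSjU3cnJWN1diQTJKaVRPVU52MG1XUVUwCk9nVTZIbkllQjhGK0JweE1EbGFp\nTXZoakZpODRTM3BzUkp3Wk1WRmtwbnMKLS0tIGhkdmIzTXJwUHc3dHlHV3phTVVr\nQS9kalRPdkRZM0FBbXF6SDh6YzA0QVkKGTVwOIO6JgEKSb78s8erh+McXjtfuQQm\nlhX1NRb8Uk/SYhvrnfjMTUIQ9i2yqPn1cBuhp/MNgSsSS49q5anRNA==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2023-11-20T06:57:24Z",
+"mac": "ENC[AES256_GCM,data:QiRf8cKJeTkEQOK3qJCi2uise8RDyg0zcZOVX0XE6YSE6mDivg2LC8mKuSBFVPw1vX+99l7aOBDEqKALD0sQIOQjd0lySJTLp4TDbSP43QoVQ5KmUtUUzeByDkH6DUBnFuXWlvyD5kOokqGvxkYXvyihdji8yDQz8rlw6xlwNPU=,iv:C3Wd+I2yal/tFpURBRvPygOtPedJ4kLsVNmOip9CUio=,tag:NIq54bGg863j+/k15npz8A==,type:str]",
+"pgp": null,
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.3"
+}
+}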


@@ -9,6 +9,14 @@ users:
zem: ENC[AES256_GCM,data:VCVLfGO9a06XhAOBciFf1u7A5jaQikAt2wZf+dCAi1BglXpM6Hof1yAunadYOwLOBFgGlP19kX53CBBlZtaqZFL2GRDzXP0woQ==,iv:AFYtHCCkzNrllN/fjQ8GKYs2TyV3uj3BsU5n1tBQAmM=,tag:5dP7c5N4yG2NS4T+Vg0Zpg==,type:str]
yjq: ENC[AES256_GCM,data:yn6eGrySCxlRsFioaE2p1qlTHkIGC9l64+edjuDvt232xc+iFeD03EYfuulyr0GxYFwnlAwtaJnyMi5eOrSd1W6HeV3Canzdbw==,iv:qTc6vA8uQza8CB+BvffEN9GqHkiwNM4h9RkqQR14ylk=,tag:UZ2GYCJLjcWLuVXlscLviw==,type:str]
yxy: ENC[AES256_GCM,data:71vjvwr29lfPCarnblpbW3WVyJK8EMV+cR4prc4AM3r0PG4z88P6i0IrzSy8XwkVPrEasfYXxn+vDbzXyi7kIWaWXrkjcyGTxg==,iv:LfkinvbIhchvgfgixIY8Wg6esrc+TOS4YWqRTJ0qfvw=,tag:mLPw6z8DOPrHsRpUHn3/gw==,type:str]
frp:
token: ENC[AES256_GCM,data:zYRZoWa3Llv0NiPXtSfhWUn+wt4uIcw8Wa+QBTzn7gLk6UVIA4FD7FLABBKoFbwg62Fo79Nn,iv:YZdOYkJf6BN76Z68nCtetKElJkqKiYmcx6UmLoIXSdo=,tag:5sC2vt3Z21KhgOU9mrfXhg==,type:str]
stcp:
hpc: ENC[AES256_GCM,data:lkpM4nzt8ymQ+5eV,iv:LvSShCSN8w0VsJYjICG9NWCMiw7NSPpoSZ+I2t7uILs=,tag:LLry5z4KpPdnN75x8dANqg==,type:str]
nginx:
detectAuth:
chn: ENC[AES256_GCM,data:44vsExbVhO3gnD4Gme92eQ==,iv:LyDvZebs1sDL1/hZQiZdHoPBm4hXtBy56jR73zSH6Aw=,tag:w5xPHnK9XOSS0+97q8b5gQ==,type:str]
maxmind-license: ENC[AES256_GCM,data:JbAnFQiDcJGwvb89sG2ro77nwwOWcDnqVcA902jwb2zzZci7PpXROw==,iv:eifkWK0oN73Ekn3oWzy6XbYK2GU+4tlnLPJ+96WOWJY=,tag:35ulsshxtUfOsSQOLgAt0g==,type:str]
sops:
kms: []
gcp_kms: []
@@ -33,8 +41,8 @@ sops:
by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-14T11:09:58Z"
mac: ENC[AES256_GCM,data:f6D4N+He7Zz0VA2FxUzTARfckidgVlDHE1hZrYW6jDf+v9ZK/c/JAj12zLNiCy9aG6rBz5K0jdWpnTsguMlTYCKUjLcD8MSW4KJErYmeVFLpfuiSBMr0+pcSVA9DpEmekaYl0GbnxrgQKrfEL0dthR6+9m5CsP/1bvEs34XcKGk=,iv:0YVxL5iVOvmFzThk7fua2Cqpty9lTX/tdKNii5gY/UA=,tag:d+NwYbpeDziniYXwQYVCdg==,type:str]
lastmodified: "2023-11-17T14:11:34Z"
mac: ENC[AES256_GCM,data:8ii7sqkHlhdCAqBoDZEBU7Q6gNe6qyOby2ADyX5uaHu7kKe95+lCa14iqLZV5ekjIiNuTWLjOMmHtuZN5OiRVDIsmNMWKDv7Drt3CVpDv0dLC1Za0gNn7asmNnFh1Esfr1eLJuN09UY4qKN+LFbz4phxLh+f1CZBKTVTH5dHsbo=,iv:vnb/UB6miHo0D7HGGVxnoE0+kS+SRmFijPnlKIAmbuI=,tag:oQ9/JjG5Sn+y/bLxswOGaQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@@ -4,6 +4,8 @@ acme:
cloudflare.ini: ENC[AES256_GCM,data:hPNpTclYvRbcbFO6aR9PNyHt3kDUmjeUgg4NPsr+c/yxKPundoiziNYBRfF7/axlw8Hu32jf/cDlcWaEmqCBQJY=,iv:bdGCD/a6AnGQhiFNyZ+fD1f/rILsEcPXC2qRDsAO4n8=,tag:MLZak9uSqsg/0Ldx2Wgb6A==,type:str]
frp:
token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
stcp:
yy.vnc: ENC[AES256_GCM,data:IsZWkNGYHrbQcgvOSURDnA==,iv:4XO8RFBdNopLKYxCACmkXLMPu0wIVx64y0C7m2bsTVA=,tag:fMHzU9aQm0bRr8pTKwpuHQ==,type:str]
store:
signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
nginx:
@@ -40,8 +42,8 @@ sops:
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-03T10:45:13Z"
mac: ENC[AES256_GCM,data:9O1o1uNvrSu4yEpVmvPLESrCqtkf+MXUud54hVgjd/Mmchsy0eTi3gMzbAb0i6vaaNH7hHVOT0GnSNiS67UjYemvx9xHOPuJxysmoUAvT6aVzap4XZirnnsKgfYGUwn/iECsEF3dGa2c4nCiPxdtac2BaGBlxFKuh1fWBKWrow0=,iv:a+xHAakjIPhDQRYJnb0BFxdXc0uXZmmZYv8kvOPoKBA=,tag:hWpzT1tMILYZKhQXgdmhXg==,type:str]
lastmodified: "2023-11-11T11:10:21Z"
mac: ENC[AES256_GCM,data:ro3ROIx/9+pnS2Cdz44NKYZ0kDDdLPZJyXkBpYSuCrkotLzyDrx9Kjx1FR4CrQQeA4hOPQ9Z5qJVC1shef+UgwDwemiUhR3zq9BQv0PmsRYilT19o2W9tmgfbM0NiXISeN9w0MttlBUASq7mBUDbTFRViL9fAppRixkANLxVxmw=,iv:YR6QQNYQoK3v6RHUUWerM2cXU5oYQkSRfr58QDnw5H4=,tag:6Ig+RlVySAYEEiZTo8bs3A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
