mirror of
https://github.com/CHN-beta/nixos.git
synced 2026-01-12 04:19:22 +08:00
Compare commits
77 Commits
vps7-fresh
...
ua
| Author | SHA1 | Date | |
|---|---|---|---|
| 57d07fc326 | |||
| 44ee17f2ff | |||
| a898902f9e | |||
| 00dd5ae7ad | |||
| d274730437 | |||
| 333ed600ef | |||
| 05cd6dd1c8 | |||
| b1e2497054 | |||
| 0e56ee4293 | |||
| 0294805326 | |||
| 218b6c6140 | |||
| f908883f18 | |||
| 4d81aa8ca7 | |||
| 98fafdd331 | |||
| 2549be1e55 | |||
| 3d261febd2 | |||
| 12cdc43f17 | |||
| fd799befd3 | |||
| 69cb43e6f5 | |||
| 7122474023 | |||
| ebc8f80476 | |||
| 855d24c1ea | |||
| aa74e0911c | |||
| ad4f316339 | |||
| f8c0295bd5 | |||
| 72801ad14c | |||
| c975bcba51 | |||
| 967f7f155e | |||
| bc351ff0d4 | |||
| 35c183f9dc | |||
| 90a3604ac7 | |||
| dd1ac653a3 | |||
| 8a88c8f6a7 | |||
| ad6e94ec09 | |||
| 6b384443e2 | |||
| 21080d7d61 | |||
| 8a3b3313f7 | |||
| 7b3a23d19f | |||
| dea55cdc70 | |||
| 1216a2c674 | |||
| 297fcee5df | |||
| 95e42f969c | |||
| 2ae484fcc9 | |||
| 4d0cc3e30c | |||
| 09a687f65a | |||
| 8f7c6db841 | |||
| d225de887d | |||
| ed98f26185 | |||
| f1173b45b4 | |||
| 0204420d4f | |||
| c991429151 | |||
| 7c391d6666 | |||
| 6beec31dc1 | |||
| 0e4d8368e9 | |||
| 36f71df435 | |||
| 7b73bdb9f3 | |||
| 4e05896b4f | |||
| 44d8553aef | |||
| dfe5f20346 | |||
| 42162dc08c | |||
| 9ef9c4daa7 | |||
| 7afa093d25 | |||
| c26ea843eb | |||
| 2b73a6549e | |||
| ad12157fe1 | |||
| f628e55fab | |||
| 2444ff5d27 | |||
| 97ec3061e7 | |||
| e2c61c6aaa | |||
| 550ef39dcf | |||
| b2ef263267 | |||
| a686d8259b | |||
| 057e5a5d51 | |||
| 9e36962acb | |||
| 0941aaf2ee | |||
| 3197b26b10 | |||
| ea4b2cbeb8 |
108
flake.lock
generated
108
flake.lock
generated
@@ -197,11 +197,11 @@
|
||||
"flake-compat_4": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1673956053,
|
||||
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -398,11 +398,11 @@
|
||||
"systems": "systems_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1689068808,
|
||||
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
|
||||
"lastModified": 1694529238,
|
||||
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
|
||||
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -528,11 +528,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695684520,
|
||||
"narHash": "sha256-yORqGB0i1OtEf9MOCCT2BIbOd8txPZn216CM+ylMmhY=",
|
||||
"lastModified": 1697031886,
|
||||
"narHash": "sha256-oTMPX8dGC7yxSwrbF4NuPNQsUEcHB1dusW2yEbFD5zg=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "hercules-ci-effects",
|
||||
"rev": "91fae5824f5f1199f61693c6590b4a89abaed9d7",
|
||||
"rev": "178b36dc3a75c96efc25477d45eafc37ba1fafc3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -564,11 +564,11 @@
|
||||
},
|
||||
"impermanence": {
|
||||
"locked": {
|
||||
"lastModified": 1694622745,
|
||||
"narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
|
||||
"lastModified": 1697303681,
|
||||
"narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=",
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
|
||||
"rev": "0f317c2e9e56550ce12323eb39302d251618f5b5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -682,17 +682,18 @@
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat_4",
|
||||
"flake-utils": "flake-utils_4",
|
||||
"nix-filter": "nix-filter",
|
||||
"nix-index-database": [
|
||||
"nix-index-database"
|
||||
],
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695714965,
|
||||
"narHash": "sha256-uukcDCyFOIMo5vJWJbLJk2phHZtJ1DE7YrypSV48gII=",
|
||||
"lastModified": 1698367638,
|
||||
"narHash": "sha256-8g4HAU+kwTxb/RZBFxJw3wLckMGpKdN+7yDbTIGupVU=",
|
||||
"owner": "thiagokokada",
|
||||
"repo": "nix-alien",
|
||||
"rev": "a948cf76e084f4ac770793c6ff9c57ad8b8c099f",
|
||||
"rev": "7b3be1a706c8db4dcca777b6638bdb2ca4849176",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -701,6 +702,21 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-filter": {
|
||||
"locked": {
|
||||
"lastModified": 1694857738,
|
||||
"narHash": "sha256-bxxNyLHjhu0N8T3REINXQ2ZkJco0ABFPn6PIe2QUfqo=",
|
||||
"owner": "numtide",
|
||||
"repo": "nix-filter",
|
||||
"rev": "41fd48e00c22b4ced525af521ead8792402de0ea",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "nix-filter",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-index-database": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
@@ -708,11 +724,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696131323,
|
||||
"narHash": "sha256-Y47r8Jo+9rs+XUWHcDPZtkQs6wFeZ24L4CQTfVwE+vY=",
|
||||
"lastModified": 1697946153,
|
||||
"narHash": "sha256-7k7qIwWLaYPgQ4fxmEdew3yCffhK6rM4I4Jo3X/79DA=",
|
||||
"owner": "Mic92",
|
||||
"repo": "nix-index-database",
|
||||
"rev": "031d4b22505fdea47bd53bfafad517cd03c26a4f",
|
||||
"rev": "5a2006282caaf32663cdcd582c5b18809c7d7d8d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -752,11 +768,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695137077,
|
||||
"narHash": "sha256-wJ8EpYjsqrR4GFAF67wJKmZd4q86KuODWAag4acQL5Q=",
|
||||
"lastModified": 1697038389,
|
||||
"narHash": "sha256-hbzFPXyQQxJObRdb+CsylUXii29UfFV7866WWgWYs6Y=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixd",
|
||||
"rev": "e8f144ca50fe71e74d247e5308ae7ce122f0a0e6",
|
||||
"rev": "29904e121cc775e7caaf4fffa6bc7da09376a43b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -795,11 +811,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696478570,
|
||||
"narHash": "sha256-Zqktub0f4M8K0jDHFYaTwsGUddkH3UqHU0NNfGJmIKY=",
|
||||
"lastModified": 1697683120,
|
||||
"narHash": "sha256-sd0bjuGoUroCTkwjY2p1FwBPgAitK4qsN/P3jXk7rz0=",
|
||||
"owner": "nixpak",
|
||||
"repo": "nixpak",
|
||||
"rev": "271e01d3912c5c622ca7fa99d63d790bea980de0",
|
||||
"rev": "6b0b69f793390b4fe12821588b6c254b462a3e85",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -894,11 +910,11 @@
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1697904207,
|
||||
"narHash": "sha256-XnPRcBBIYiF7u7kStqgFQcfdEyNlUuS9/hcH0Yb5h0s=",
|
||||
"lastModified": 1698416297,
|
||||
"narHash": "sha256-Ne6TWm5lOaQAjT8aLimLmCufJbPAr8Z3GdPZNIj2HeA=",
|
||||
"owner": "CHN-beta",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "cad11601e9b0f3191778d4a7bfd39622ea033f0b",
|
||||
"rev": "4a5eef80f12698646b237de30d94fc1556eccaee",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -910,16 +926,16 @@
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1692007866,
|
||||
"narHash": "sha256-X8w0vPZjZxMm68VCwh/BHDoKRGp+BgzQ6w7Nkif6IVM=",
|
||||
"lastModified": 1697723726,
|
||||
"narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "de2b8ddf94d6cc6161b7659649594c79bd66c13b",
|
||||
"rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
@@ -942,11 +958,11 @@
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1696511131,
|
||||
"narHash": "sha256-IIhn6F8D26Kix77guTW/4KdpwBzpSHJ3mjG1C8FAwHc=",
|
||||
"lastModified": 1699703546,
|
||||
"narHash": "sha256-LcjcFtZlfuq3zzNm0xP5mrEBlPa185x/Y+do2j39CmQ=",
|
||||
"owner": "CHN-beta",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1bac8e4beb5b30458994710236b9db265829327b",
|
||||
"rev": "045b0394cd64a1d40e16753672f87bc4b2f726e1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -958,11 +974,11 @@
|
||||
},
|
||||
"nur": {
|
||||
"locked": {
|
||||
"lastModified": 1696506445,
|
||||
"narHash": "sha256-ozu7YxmHsvxSyQazVlkajF8A8U7TaXz3asCL5hFxgNk=",
|
||||
"lastModified": 1698414381,
|
||||
"narHash": "sha256-dqeFzaYrkL3swiQFY919hSqmd2D6D0AFBT6zvk/EUUE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "NUR",
|
||||
"rev": "0178289e0bd913fe9847605b01d6e15b7d076f6e",
|
||||
"rev": "55831c4f594b877658d454d2a51aa06b989d79cc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -981,11 +997,11 @@
|
||||
"nvfetcher": "nvfetcher"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696487499,
|
||||
"narHash": "sha256-wvrBwhLpdF+oK5v3Lzgb1Yhz3vT1DHzIL3HKST/tCwU=",
|
||||
"lastModified": 1698390460,
|
||||
"narHash": "sha256-BSIac9PrpXaX6iFnUAljrHlFhx/+QhvUzY9Ublw1t1M=",
|
||||
"owner": "xddxdd",
|
||||
"repo": "nur-packages",
|
||||
"rev": "9e53a952689cacfd88987c55466450e3076ced05",
|
||||
"rev": "6f9992fe054792014bda7355f60f470956c1fe84",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -1066,11 +1082,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696260682,
|
||||
"narHash": "sha256-iccjl57qw6aEe9nsCYFbF2bl7NEI/3Y4cn1U+QYvrFk=",
|
||||
"lastModified": 1698164032,
|
||||
"narHash": "sha256-YzlHV9N22v8WRTCyt/kMlAX7ntJGboHOh8heaPMfbG0=",
|
||||
"owner": "Nix-QChem",
|
||||
"repo": "NixOS-QChem",
|
||||
"rev": "7324cb54b7687718ed7b05581998f105fe2fd3e3",
|
||||
"rev": "77633a73b12ee27b9c64dcbbb627a91a904efad9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -1114,11 +1130,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696320910,
|
||||
"narHash": "sha256-fbuEc6wylH+0VxG48lhPBK+SQJHfo2lusUwWHZNipIM=",
|
||||
"lastModified": 1698273636,
|
||||
"narHash": "sha256-swsqg/ckSVJnravx7ie9NFQSKIH27owtlk0wh4+xStk=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "746c7fa1a64c1671a4bf287737c27fdc7101c4c2",
|
||||
"rev": "014e44d334a39481223a5d163530d4c4ca2e75cb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
212
flake.nix
212
flake.nix
@@ -44,7 +44,7 @@
|
||||
default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems"
|
||||
(builtins.concatStringsSep "\n" (builtins.map
|
||||
(system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel)
|
||||
[ "pc" "vps6" "vps7" "nas" "yoga" ]));
|
||||
[ "pc" "vps6" "vps7" "nas" ]));
|
||||
}
|
||||
// (
|
||||
builtins.listToAttrs (builtins.map
|
||||
@@ -96,10 +96,9 @@
|
||||
decrypt.auto =
|
||||
{
|
||||
"/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
|
||||
"/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
|
||||
"/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
|
||||
{ mapper = "swap"; ssd = true; before = [ "root" ]; };
|
||||
};
|
||||
mdadm =
|
||||
"ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
|
||||
swap = [ "/dev/mapper/swap" ];
|
||||
resume = "/dev/mapper/swap";
|
||||
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
|
||||
@@ -127,12 +126,7 @@
|
||||
};
|
||||
nixpkgs = { march = "alderlake"; cudaSupport = true; };
|
||||
gui = { enable = true; preferred = true; };
|
||||
kernel =
|
||||
{
|
||||
useLts = true;
|
||||
patches = [ "cjktty" "preempt" ];
|
||||
modules.modprobeConfig = [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
|
||||
};
|
||||
kernel.patches = [ "cjktty" "preempt" ];
|
||||
impermanence.enable = true;
|
||||
networking =
|
||||
{ hostname = "pc"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; };
|
||||
@@ -204,29 +198,24 @@
|
||||
};
|
||||
};
|
||||
firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
|
||||
acme = { enable = true; certs = [ "debug.mirism.one" ]; };
|
||||
acme = { enable = true; cert."debug.mirism.one" = {}; };
|
||||
frpClient =
|
||||
{
|
||||
enable = true;
|
||||
serverName = "frp.chn.moe";
|
||||
user = "pc";
|
||||
tcp.store = { localPort = 443; remotePort = 7676; };
|
||||
stcpVisitor."yy.vnc".localPort = 6187;
|
||||
};
|
||||
nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
|
||||
smartd.enable = true;
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
transparentProxy.externalIp = [ "192.168.82.3" ];
|
||||
applications.misskey.instances."xn--qbtm095lrg0bfka60z.chn.moe" = {};
|
||||
};
|
||||
nginx.transparentProxy.externalIp = [ "192.168.82.3" ];
|
||||
misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
|
||||
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
|
||||
};
|
||||
bugs =
|
||||
[
|
||||
"intel-hdmi" "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet"
|
||||
"suspend-hibernate-waydroid" "embree" "nvme"
|
||||
"suspend-hibernate-waydroid" "embree"
|
||||
];
|
||||
};})
|
||||
];
|
||||
@@ -257,7 +246,11 @@
|
||||
};
|
||||
grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
|
||||
nixpkgs.march = "sandybridge";
|
||||
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
|
||||
nix =
|
||||
{
|
||||
substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
|
||||
autoOptimiseStore = true;
|
||||
};
|
||||
initrd =
|
||||
{
|
||||
network.enable = true;
|
||||
@@ -277,7 +270,6 @@
|
||||
frpServer = { enable = true; serverName = "frp.chn.moe"; };
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
transparentProxy =
|
||||
{
|
||||
externalIp = [ "74.211.99.69" "192.168.82.1" ];
|
||||
@@ -287,34 +279,26 @@
|
||||
"beta.mirism.one" = 9114;
|
||||
};
|
||||
};
|
||||
streamProxy =
|
||||
streamProxy.map =
|
||||
{
|
||||
enable = true;
|
||||
map =
|
||||
{
|
||||
"nix-store.chn.moe" = { upstream = "internal.pc.chn.moe:443"; rewriteHttps = true; };
|
||||
"anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; };
|
||||
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; rewriteHttps = true; };
|
||||
"xlog.chn.moe" = { upstream = "cname.xlog.app:443"; rewriteHttps = true; };
|
||||
};
|
||||
"anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; };
|
||||
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; };
|
||||
"xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
|
||||
"nix-store.chn.moe".upstream.address = "internal.pc.chn.moe";
|
||||
"xn--qbtm095lrg0bfka60z.chn.moe".upstream.address = "internal.pc.chn.moe";
|
||||
"xn--s8w913fdga.chn.moe".upstream.address = "internal.vps7.chn.moe";
|
||||
"misskey.chn.moe".upstream.address = "internal.vps7.chn.moe";
|
||||
"synapse.chn.moe".upstream.address = "internal.vps7.chn.moe";
|
||||
"send.chn.moe".upstream.address = "internal.vps7.chn.moe";
|
||||
};
|
||||
applications =
|
||||
{
|
||||
misskey.instances =
|
||||
{
|
||||
"xn--qbtm095lrg0bfka60z.chn.moe".upstream.address = "internal.pc.chn.moe";
|
||||
"xn--s8w913fdga.chn.moe".upstream.address = "internal.vps7.chn.moe";
|
||||
"misskey.chn.moe".upstream = "internal.vps7.chn.moe:9727";
|
||||
};
|
||||
synapse.instances."synapse.chn.moe".upstream.address = "internal.vps7.chn.moe";
|
||||
vaultwarden = { enable = true; upstream.address = "internal.vps7.chn.moe"; };
|
||||
element.instances."element.chn.moe" = {};
|
||||
photoprism.instances."photoprism.chn.moe".upstream.address = "internal.vps7.chn.moe";
|
||||
nextcloud.proxy = { enable = true; upstream = "internal.vps7.chn.moe"; };
|
||||
synapse-admin.instances."synapse-admin.chn.moe" = {};
|
||||
};
|
||||
};
|
||||
coturn.enable = true;
|
||||
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 16; }; };
|
||||
httpua.enable = true;
|
||||
};
|
||||
};})
|
||||
];
|
||||
@@ -367,23 +351,7 @@
|
||||
fontconfig.enable = true;
|
||||
sshd.enable = true;
|
||||
rsshub.enable = true;
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
|
||||
applications =
|
||||
{
|
||||
misskey.instances =
|
||||
{
|
||||
"xn--s8w913fdga.chn.moe" = {};
|
||||
"misskey.chn.moe".upstream.port = 9727;
|
||||
};
|
||||
synapse.instances."synapse.chn.moe" = {};
|
||||
vaultwarden.enable = true;
|
||||
photoprism.instances."photoprism.chn.moe" = {};
|
||||
nextcloud.instance.enable = true;
|
||||
};
|
||||
};
|
||||
nginx.transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
|
||||
wallabag.enable = true;
|
||||
misskey.instances =
|
||||
{
|
||||
@@ -391,11 +359,14 @@
|
||||
misskey-old = { port = 9727; redis.port = 3546; meilisearch.enable = false; };
|
||||
};
|
||||
synapse.enable = true;
|
||||
xrdp = { enable = true; hostname = "vps7.chn.moe"; };
|
||||
xrdp = { enable = true; hostname = [ "vps7.chn.moe" ]; };
|
||||
vaultwarden.enable = true;
|
||||
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
|
||||
photoprism.enable = true;
|
||||
nextcloud.enable = true;
|
||||
freshrss.enable = true;
|
||||
send.enable = true;
|
||||
huginn.enable = true;
|
||||
};
|
||||
};})
|
||||
];
|
||||
@@ -420,6 +391,7 @@
|
||||
"/nix/persistent" = "/nix/persistent";
|
||||
"/nix/nodatacow" = "/nix/nodatacow";
|
||||
"/nix/rootfs/current" = "/";
|
||||
"/nix/backup" = "/nix/backup";
|
||||
};
|
||||
};
|
||||
};
|
||||
@@ -492,131 +464,15 @@
|
||||
nix = { device = "/nix"; hashTableSizeMB = 128; };
|
||||
};
|
||||
};
|
||||
};
|
||||
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
|
||||
};})
|
||||
];
|
||||
"xmupc1" =
|
||||
[
|
||||
(inputs: { config.nixos =
|
||||
{
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
{
|
||||
mount =
|
||||
{
|
||||
vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
|
||||
btrfs =
|
||||
{
|
||||
"/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
|
||||
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
decrypt.auto =
|
||||
{
|
||||
"/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
|
||||
"/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
|
||||
};
|
||||
mdadm =
|
||||
"ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
|
||||
swap = [ "/dev/mapper/swap" ];
|
||||
resume = "/dev/mapper/swap";
|
||||
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
|
||||
};
|
||||
grub.installDevice = "efi";
|
||||
nixpkgs = { march = "znver3"; cudaSupport = true; };
|
||||
nix =
|
||||
{
|
||||
marches =
|
||||
[
|
||||
"znver3" "znver2"
|
||||
# PREFETCHW RDRND XSAVE XSAVEOPT PTWRITE SGX GFNI-SSE MOVDIRI MOVDIR64B CLDEMOTE WAITPKG LZCNT
|
||||
# PCONFIG SERIALIZE HRESET KL WIDEKL AVX-VNNI
|
||||
"alderlake"
|
||||
# SAHF FXSR XSAVE
|
||||
"sandybridge"
|
||||
# SAHF FXSR PREFETCHW RDRND
|
||||
"silvermont"
|
||||
];
|
||||
substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
|
||||
};
|
||||
gui.enable = true;
|
||||
kernel =
|
||||
{
|
||||
patches = [ "cjktty" "preempt" ];
|
||||
modules.modprobeConfig = [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
|
||||
};
|
||||
impermanence.enable = true;
|
||||
networking.hostname = "xmupc1";
|
||||
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
|
||||
};
|
||||
hardware =
|
||||
{
|
||||
cpus = [ "intel" ];
|
||||
gpus = [ "intel" "nvidia" ];
|
||||
bluetooth.enable = true;
|
||||
joystick.enable = true;
|
||||
printer.enable = true;
|
||||
sound.enable = true;
|
||||
prime =
|
||||
{ enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
|
||||
};
|
||||
packages.packageSet = "workstation";
|
||||
virtualization =
|
||||
{
|
||||
docker.enable = true;
|
||||
kvmHost = { enable = true; gui = true; };
|
||||
};
|
||||
services =
|
||||
{
|
||||
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
|
||||
fontconfig.enable = true;
|
||||
samba =
|
||||
{
|
||||
enable = true;
|
||||
hostsAllowed = "192.168. 127.";
|
||||
shares =
|
||||
{
|
||||
media.path = "/run/media/chn";
|
||||
home.path = "/home/chn";
|
||||
mnt.path = "/mnt";
|
||||
share.path = "/home/chn/share";
|
||||
};
|
||||
};
|
||||
sshd.enable = true;
|
||||
xrayClient =
|
||||
{
|
||||
enable = true;
|
||||
serverAddress = "74.211.99.69";
|
||||
serverName = "vps6.xserver.chn.moe";
|
||||
dns =
|
||||
{
|
||||
extraInterfaces = [ "docker0" ];
|
||||
hosts =
|
||||
{
|
||||
"mirism.one" = "216.24.188.24";
|
||||
"beta.mirism.one" = "216.24.188.24";
|
||||
"ng01.mirism.one" = "216.24.188.24";
|
||||
"debug.mirism.one" = "127.0.0.1";
|
||||
"initrd.vps6.chn.moe" = "74.211.99.69";
|
||||
"nix-store.chn.moe" = "127.0.0.1";
|
||||
};
|
||||
};
|
||||
};
|
||||
firewall.trustedInterfaces = [ "virbr0" ];
|
||||
frpClient =
|
||||
{
|
||||
enable = true;
|
||||
serverName = "frp.chn.moe";
|
||||
user = "xmupc1";
|
||||
tcp.store = { localPort = 443; remotePort = 7676; };
|
||||
user = "nas";
|
||||
stcp.hpc = { localIp = "hpc.xmu.edu.cn"; localPort = 22; };
|
||||
};
|
||||
smartd.enable = true;
|
||||
nginx = { enable = true; transparentProxy.enable = false; };
|
||||
postgresql.enable = true;
|
||||
};
|
||||
bugs = [ "xmunet" "firefox" "embree" ];
|
||||
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
|
||||
};})
|
||||
];
|
||||
"yoga" =
|
||||
|
||||
@@ -7,7 +7,7 @@
|
||||
oneapi = callPackage ./oneapi {};
|
||||
send = callPackage ./send {};
|
||||
rsshub = callPackage ./rsshub {};
|
||||
misskey = callPackage ./misskey { vips = unstablePackages.vips; };
|
||||
misskey = callPackage ./misskey {};
|
||||
mk-meili-mgn = callPackage ./mk-meili-mgn {};
|
||||
phonon-unfolding = callPackage ./phonon-unfolding {};
|
||||
# vasp = callPackage ./vasp
|
||||
@@ -38,4 +38,5 @@
|
||||
yoga-support = callPackage ./yoga-support {};
|
||||
tgbot-cpp = callPackage ./tgbot-cpp {};
|
||||
biu = callPackage ./biu { inherit concurrencpp tgbot-cpp nameof; stdenv = gcc13Stdenv; };
|
||||
latex-citation-style-language = callPackage ./latex-citation-style-language {};
|
||||
}
|
||||
|
||||
30
local/pkgs/latex-citation-style-language/default.nix
Normal file
30
local/pkgs/latex-citation-style-language/default.nix
Normal file
@@ -0,0 +1,30 @@
|
||||
{ stdenvNoCC, texlive, fetchFromGitHub }: stdenvNoCC.mkDerivation (finalAttrs: rec
|
||||
{
|
||||
pname = "latex-citation-style-language";
|
||||
version = "0.4.5";
|
||||
passthru = {
|
||||
pkgs = [ finalAttrs.finalPackage ];
|
||||
tlDeps = with texlive; [ latex ];
|
||||
tlType = "run";
|
||||
};
|
||||
|
||||
src = fetchFromGitHub
|
||||
{
|
||||
owner = "zepinglee";
|
||||
repo = "citeproc-lua";
|
||||
rev = "v${version}";
|
||||
sha256 = "XH+GH+t/10hr4bfaod8F9JPxmBnAQlDmpSvQNDQsslM=";
|
||||
fetchSubmodules = true;
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ texlive.combined.scheme-full ];
|
||||
dontConfigure = true;
|
||||
dontBuild = true;
|
||||
installPhase =
|
||||
''
|
||||
runHook preInstall
|
||||
export TEXMFHOME=$out
|
||||
l3build install
|
||||
runHook postInstall
|
||||
'';
|
||||
})
|
||||
@@ -4,13 +4,13 @@
|
||||
}:
|
||||
let
|
||||
pname = "misskey";
|
||||
version = "2023.10.2";
|
||||
version = "2023.11.0";
|
||||
src = fetchFromGitHub
|
||||
{
|
||||
owner = "CHN-beta";
|
||||
repo = "misskey";
|
||||
rev = "3f813d9808ebc1774457e02add8fe9c7a6937ff7";
|
||||
sha256 = "63ZIil28jcMiL+c9FMj7m1OeCrLwsQZNHib+j8ar66s=";
|
||||
rev = "aa182cd92ea5dc446f4d1ae2bf942bf46c645811";
|
||||
sha256 = "hotUhy4Rhm4QWO7oYH3UENr7LewF+/dC8rsaKD0y2uc=";
|
||||
fetchSubmodules = true;
|
||||
};
|
||||
originalPnpmPackage = mkPnpmPackage
|
||||
@@ -29,38 +29,38 @@ let
|
||||
re2 = stdenv.mkDerivation rec
|
||||
{
|
||||
pname = "re2";
|
||||
version = "1.20.3";
|
||||
version = "1.20.5";
|
||||
srcs =
|
||||
[
|
||||
(fetchurl
|
||||
{
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.br";
|
||||
sha256 = "0g2k0bki0zm0vaqpz25ww119qcs1flv63h6s5ib3103arpnzmb6d";
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-120.br";
|
||||
sha256 = "07hwfgb7yw7pad2svkmx8qapc490xxxk0bbbx51h3kajckw98b9w";
|
||||
})
|
||||
(fetchurl
|
||||
{
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.gz";
|
||||
sha256 = "1dr9zzzm67jknzvla1l5178lzmj6cfh8i1vsp5r4gkwdwbfh3ip0";
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-120.gz";
|
||||
sha256 = "0c3z7bw4b1hgafv4n86pkg3z627zsmlzaghbzpyb81pilf1hzn8z";
|
||||
})
|
||||
(fetchurl
|
||||
{
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.br";
|
||||
sha256 = "0wby987byhshb20np1gglj6y9ji7m7jza5jwa4hyxfxs1pkkmg1n";
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-115.br";
|
||||
sha256 = "17sbfx0dbfqc42qsxbqnn94a3vsih4mc06d8svbarvx5b5x0mg31";
|
||||
})
|
||||
(fetchurl
|
||||
{
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.gz";
|
||||
sha256 = "0q3dyxm63d2x0wxx23gdwym7r2gmaw4ahvmd35dgrj179ik290pi";
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-115.gz";
|
||||
sha256 = "1lnmad2vqhjck0fjs55z74jm9psl1p81g84k2nn9gxbqnk2lxsjd";
|
||||
})
|
||||
(fetchurl
|
||||
{
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.br";
|
||||
sha256 = "1wjmdni24353ppwfiyrv1zl9ci4g2habk0g2nz6b0sijagcy7bv3";
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-108.br";
|
||||
sha256 = "1c605zipadwbd8z3mzvjzw4x9v89jdq19m4hmd6bqbrcz3qbgg4n";
|
||||
})
|
||||
(fetchurl
|
||||
{
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.gz";
|
||||
sha256 = "0rgkryjh412g2m7rfrl2krsb9137prkk2y9ga8akn7qp1bqsbq1i";
|
||||
url = "https://github.com/uhop/node-re2/releases/download/1.20.5/linux-x64-108.gz";
|
||||
sha256 = "0sqsn3rdlg8abqcn7i9gyhpsd1znfj1x2bxm1nj222g0svp1mry3";
|
||||
})
|
||||
];
|
||||
phases = [ "installPhase" ];
|
||||
|
||||
@@ -8,8 +8,8 @@ let
|
||||
{
|
||||
owner = "DIYgod";
|
||||
repo = "RSSHub";
|
||||
rev = "67d4a7ed3f877a8ceac6caebe874c4ce5c210bd8";
|
||||
sha256 = "baJQWGrr1RdZoI2uAGp2uJO9epbjAUjks76knJSwVdE=";
|
||||
rev = "4356fad91a268c81b8dacd2e3d9d07dbdce231a0";
|
||||
sha256 = "rUfXHtePIkBGF1U/tqrXHEsYC5jah2A7hoJZfEAnCoQ=";
|
||||
};
|
||||
originalPnpmPackage = mkPnpmPackage { inherit name src nodejs; };
|
||||
nodeModules = originalPnpmPackage.nodeModules.overrideAttrs { PUPPETEER_SKIP_DOWNLOAD = true; };
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{ buildNpmPackage, fetchFromGitHub, nodejs-16_x }:
|
||||
{ buildNpmPackage, fetchFromGitHub, nodejs-16_x, nodePackages }:
|
||||
buildNpmPackage.override { nodejs = nodejs-16_x; }
|
||||
{
|
||||
pname = "send";
|
||||
@@ -8,8 +8,14 @@ buildNpmPackage.override { nodejs = nodejs-16_x; }
|
||||
owner = "timvisee";
|
||||
repo = "send";
|
||||
rev = "6ad2885a168148fb996d3983457bc39527c7c8e5";
|
||||
hash = "sha256-/w9KhktDVSAmp6EVIRHFM63mppsIzYSm5F7CQQd/2+E=";
|
||||
sha256 = "AdwYNfTMfEItC4kBP+YozUQSBVnu/uzZvGta4wfwv0I=";
|
||||
leaveDotGit = true;
|
||||
};
|
||||
npmDepsHash = "sha256-r1iaurKuhpP0sevB5pFdtv9j1ikM1fKL7Jgakh4FzTI=";
|
||||
makeCacheWritable = true;
|
||||
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD = "1";
|
||||
NODE_OPTIONS = "--openssl-legacy-provider";
|
||||
dontNpmInstall = true;
|
||||
NODE_ENV = "production";
|
||||
nativeBuildInputs = with nodePackages; [ rimraf webpack webpack-cli copy-webpack-plugin webpack-manifest-plugin ];
|
||||
}
|
||||
|
||||
@@ -3,11 +3,11 @@ let
|
||||
typora-dist = stdenv.mkDerivation rec
|
||||
{
|
||||
pname = "typora-dist";
|
||||
version = "1.6.6";
|
||||
version = "1.7.6";
|
||||
src = fetchurl
|
||||
{
|
||||
url = "https://download.typora.io/linux/typora_${version}_amd64.deb";
|
||||
sha256 = "sha256-77mCgmsROLhfuOmOOyl2C5Ug2NfqEvcD+kMA3aiAQtA=";
|
||||
sha256 = "19xgv83zk3mhniswwrb341sr9j4sb9pqy47jamrmkc3w8famxpd3";
|
||||
};
|
||||
|
||||
dontFixup = true;
|
||||
|
||||
@@ -14,18 +14,23 @@ inputs:
|
||||
HibernateMode=shutdown
|
||||
'';
|
||||
# reload iwlwifi after resume from hibernate
|
||||
hibernate-iwlwifi.systemd.services.reload-iwlwifi-after-hibernate =
|
||||
hibernate-iwlwifi =
|
||||
{
|
||||
description = "reload iwlwifi after resume from hibernate";
|
||||
after = [ "systemd-hibernate.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in
|
||||
''
|
||||
${modprobe} -r iwlwifi
|
||||
${modprobe} iwlwifi
|
||||
echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
|
||||
'';
|
||||
wantedBy = [ "systemd-hibernate.service" ];
|
||||
systemd.services.reload-iwlwifi-after-hibernate =
|
||||
{
|
||||
description = "reload iwlwifi after resume from hibernate";
|
||||
after = [ "systemd-hibernate.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in
|
||||
''
|
||||
${modprobe} -r iwlwifi
|
||||
${modprobe} iwlwifi
|
||||
echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
|
||||
'';
|
||||
wantedBy = [ "systemd-hibernate.service" ];
|
||||
};
|
||||
nixos.system.kernel.modules.modprobeConfig =
|
||||
[ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
|
||||
};
|
||||
# disable wakeup on lid open
|
||||
suspend-lid-no-wakeup.systemd.services.lid-no-wakeup =
|
||||
@@ -73,7 +78,6 @@ inputs:
|
||||
firefox.programs.firefox.enable = inputs.lib.mkForce false;
|
||||
embree.nixpkgs.overlays =
|
||||
[(final: prev: { embree = prev.embree.override { stdenv = final.genericPackages.stdenv; }; })];
|
||||
nvme.boot.kernelParams = [ "nvme_core.default_ps_max_latency_us=0" "iommu=soft" "pcie_aspm=off" ];
|
||||
firmware-unstable.nixpkgs.overlays =
|
||||
[ (final: prev: { linux-firmware = final.unstablePackages.linux-firmware; }) ];
|
||||
};
|
||||
|
||||
@@ -44,7 +44,7 @@ inputs:
|
||||
ksh
|
||||
# basic tools
|
||||
beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij neofetch ipfetch localPackages.pslist
|
||||
unstablePackages.fastfetch
|
||||
unstablePackages.fastfetch reptyr
|
||||
# lsxx
|
||||
pciutils usbutils lshw util-linux lsof
|
||||
# top
|
||||
@@ -66,7 +66,7 @@ inputs:
|
||||
# networking
|
||||
ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils
|
||||
# nix tools
|
||||
nix-output-monitor nix-tree
|
||||
nix-output-monitor nix-tree ssh-to-age
|
||||
# office
|
||||
todo-txt-cli
|
||||
# development
|
||||
@@ -137,7 +137,6 @@ inputs:
|
||||
extended = true;
|
||||
save = 100000000;
|
||||
size = 100000000;
|
||||
share = true;
|
||||
};
|
||||
};
|
||||
direnv = { enable = true; nix-direnv.enable = true; };
|
||||
@@ -228,6 +227,7 @@ inputs:
|
||||
core = { quotepath = false; editor = "vim"; };
|
||||
};
|
||||
};
|
||||
# yazi.enable = true;
|
||||
};
|
||||
services =
|
||||
{
|
||||
@@ -235,7 +235,7 @@ inputs:
|
||||
udev.packages = with inputs.pkgs; [ yubikey-personalization libfido2 ];
|
||||
openssh.knownHosts =
|
||||
let
|
||||
servers =
|
||||
servers = rec
|
||||
{
|
||||
vps6 =
|
||||
{
|
||||
@@ -260,12 +260,12 @@ inputs:
|
||||
nas =
|
||||
{
|
||||
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
|
||||
hostnames = [ "[office.chn.moe]:5440" "192.168.82.4" ];
|
||||
hostnames = [ "[office.chn.moe]:5440" "192.168.82.4" "192.168.1.185" ];
|
||||
};
|
||||
"initrd.nas" =
|
||||
{
|
||||
ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
|
||||
hostnames = [ "[office.chn.moe]:5440" ];
|
||||
hostnames = nas.hostnames;
|
||||
};
|
||||
pc =
|
||||
{
|
||||
@@ -328,7 +328,8 @@ inputs:
|
||||
{
|
||||
permittedInsecurePackages = with inputs.pkgs;
|
||||
[
|
||||
openssl_1_1.name electron_19.name nodejs-16_x.name python2.name electron_12.name
|
||||
openssl_1_1.name electron_19.name nodejs-16_x.name python2.name electron_12.name electron_24.name
|
||||
zotero.name
|
||||
];
|
||||
allowUnfree = true;
|
||||
};
|
||||
@@ -340,7 +341,7 @@ inputs:
|
||||
}
|
||||
# >= desktop
|
||||
(
|
||||
mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop" "workstation" ] )
|
||||
mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop" "desktop-fat" "workstation" ] )
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
@@ -350,14 +351,7 @@ inputs:
|
||||
[
|
||||
# system management
|
||||
gparted snapper-gui libsForQt5.qtstyleplugin-kvantum wl-clipboard-x11 kio-fuse wl-mirror
|
||||
wayland-utils clinfo glxinfo vulkan-tools dracut etcher unstablePackages.btrfs-assistant
|
||||
# nix tools
|
||||
ssh-to-age deploy-rs.deploy-rs nixpkgs-fmt
|
||||
# instant messager
|
||||
element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
|
||||
cinny-desktop # nur-xddxdd.wine-wechat thunder
|
||||
# browser
|
||||
google-chrome
|
||||
wayland-utils clinfo glxinfo vulkan-tools dracut
|
||||
# networking
|
||||
remmina putty mtr-gui
|
||||
# password and key management
|
||||
@@ -379,7 +373,7 @@ inputs:
|
||||
fluent-reader rssguard
|
||||
# davinci-resolve playonlinux
|
||||
weston cage openbox krita
|
||||
genymotion hdfview electrum
|
||||
genymotion hdfview electrum jabref
|
||||
(
|
||||
vscode-with-extensions.override
|
||||
{
|
||||
@@ -473,7 +467,6 @@ inputs:
|
||||
{
|
||||
enable = true;
|
||||
languagePacks = [ "zh-CN" "en-US" ];
|
||||
nativeMessagingHosts.firefoxpwa = true;
|
||||
};
|
||||
vim.package = inputs.pkgs.genericPackages.vim-full;
|
||||
};
|
||||
@@ -487,6 +480,30 @@ inputs:
|
||||
services.pcscd.enable = true;
|
||||
}
|
||||
)
|
||||
# >= desktop-fat
|
||||
(
|
||||
mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop-fat" "workstation" ] )
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
packages = with inputs.pkgs;
|
||||
{
|
||||
_packages =
|
||||
[
|
||||
# system management
|
||||
etcher unstablePackages.btrfs-assistant
|
||||
# nix tools
|
||||
deploy-rs.deploy-rs nixpkgs-fmt
|
||||
# instant messager
|
||||
element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
|
||||
cinny-desktop # nur-xddxdd.wine-wechat thunder
|
||||
# browser
|
||||
google-chrome
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
# >= workstation
|
||||
(
|
||||
mkIf (inputs.config.nixos.packages.packageSet == "workstation")
|
||||
@@ -501,7 +518,12 @@ inputs:
|
||||
# instant messager
|
||||
zoom-us signal-desktop qq nur-xddxdd.wechat-uos slack # jail
|
||||
# office
|
||||
libreoffice-qt texlive.combined.scheme-full texstudio poppler_utils pdftk gnuplot pdfchain
|
||||
libreoffice-qt texstudio poppler_utils pdftk gnuplot pdfchain
|
||||
(texlive.combine
|
||||
{
|
||||
inherit (texlive) scheme-full;
|
||||
inherit (localPackages) latex-citation-style-language;
|
||||
})
|
||||
# development
|
||||
jetbrains.clion android-studio dbeaver cling clang-tools_16 ccls fprettify
|
||||
# media
|
||||
@@ -515,6 +537,7 @@ inputs:
|
||||
localPackages.vasp localPackages.phonon-unfolding localPackages.vaspkit jmol localPackages.v_sim
|
||||
# news
|
||||
newsflash newsboat
|
||||
microsoft-edge
|
||||
];
|
||||
_pythonPackages = [(pythonPackages: with pythonPackages;
|
||||
[
|
||||
|
||||
@@ -3,10 +3,18 @@ inputs:
|
||||
options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
certs = mkOption
|
||||
cert = mkOption
|
||||
{
|
||||
type = types.listOf (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
|
||||
default = [];
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
domains = mkOption
|
||||
{
|
||||
type = types.nonEmptyListOf types.nonEmptyStr;
|
||||
default = [ submoduleInputs.config._module.args.name ];
|
||||
};
|
||||
group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config =
|
||||
@@ -14,6 +22,7 @@ inputs:
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (inputs.config.nixos.services) acme;
|
||||
inherit (builtins) map listToAttrs;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
in mkIf acme.enable
|
||||
{
|
||||
security.acme =
|
||||
@@ -23,16 +32,17 @@ inputs:
|
||||
certs = listToAttrs (map
|
||||
(cert:
|
||||
{
|
||||
name = if builtins.typeOf cert == "string" then cert else builtins.elemAt cert 0;
|
||||
name = builtins.elemAt cert.value.domains 0;
|
||||
value =
|
||||
{
|
||||
dnsResolver = "8.8.8.8";
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
|
||||
extraDomainNames = if builtins.typeOf cert == "string" then [] else builtins.tail cert;
|
||||
extraDomainNames = builtins.tail cert.value.domains;
|
||||
group = mkIf (cert.value.group != null) cert.value.group;
|
||||
};
|
||||
})
|
||||
acme.certs);
|
||||
(attrsToList acme.cert));
|
||||
};
|
||||
sops.secrets."acme/cloudflare.ini" = {};
|
||||
};
|
||||
|
||||
@@ -25,8 +25,11 @@ inputs:
|
||||
no-cli = true;
|
||||
};
|
||||
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
|
||||
nixos.services.acme = { enable = true; certs = [ coturn.hostname ]; };
|
||||
security.acme.certs.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
|
||||
};
|
||||
networking.firewall = with inputs.config.services.coturn;
|
||||
{
|
||||
allowedUDPPorts = [ listening-port tls-listening-port ];
|
||||
|
||||
@@ -25,20 +25,19 @@ inputs:
|
||||
./photoprism.nix
|
||||
./nextcloud.nix
|
||||
./freshrss.nix
|
||||
./kmscon.nix
|
||||
./fontconfig.nix
|
||||
./nix-serve.nix
|
||||
./send.nix
|
||||
./huginn.nix
|
||||
./httpua
|
||||
];
|
||||
options.nixos.services = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
kmscon.enable = mkOption { type = types.bool; default = false; };
|
||||
fontconfig.enable = mkOption { type = types.bool; default = false; };
|
||||
firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
nix-serve =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; };
|
||||
};
|
||||
smartd.enable = mkOption { type = types.bool; default = false; };
|
||||
fileshelter.enable = mkOption { type = types.bool; default = false; };
|
||||
wallabag.enable = mkOption { type = types.bool; default = false; };
|
||||
noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
@@ -48,49 +47,7 @@ inputs:
|
||||
inherit (builtins) map listToAttrs toString;
|
||||
in mkMerge
|
||||
[
|
||||
(
|
||||
mkIf services.kmscon.enable
|
||||
{
|
||||
services.kmscon =
|
||||
{
|
||||
enable = true;
|
||||
fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
|
||||
};
|
||||
}
|
||||
)
|
||||
(
|
||||
mkIf services.fontconfig.enable
|
||||
{
|
||||
fonts =
|
||||
{
|
||||
fontDir.enable = true;
|
||||
fonts = with inputs.pkgs;
|
||||
[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
|
||||
fontconfig.defaultFonts =
|
||||
{
|
||||
emoji = [ "Noto Color Emoji" ];
|
||||
monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
|
||||
sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
|
||||
serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
|
||||
(
|
||||
mkIf services.nix-serve.enable
|
||||
{
|
||||
services.nix-serve =
|
||||
{
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
|
||||
};
|
||||
sops.secrets."store/signingKey" = {};
|
||||
nixos.services.nginx.http.${services.nix-serve.hostname} =
|
||||
{ rewriteHttps = true; locations."/".proxy.upstream = "http://127.0.0.1:5000"; };
|
||||
}
|
||||
)
|
||||
(mkIf services.smartd.enable { services.smartd.enable = true; })
|
||||
(
|
||||
mkIf services.wallabag.enable
|
||||
@@ -110,11 +67,6 @@ inputs:
|
||||
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
|
||||
environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ];
|
||||
};
|
||||
# systemd.services.docker-wallabag.serviceConfig =
|
||||
# {
|
||||
# User = "wallabag";
|
||||
# Group = "wallabag";
|
||||
# };
|
||||
sops =
|
||||
{
|
||||
templates."wallabag/env".content =
|
||||
@@ -138,33 +90,7 @@ inputs:
|
||||
# SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe
|
||||
# SYMFONY__ENV__FROM_EMAIL=bot@chn.moe
|
||||
# SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe
|
||||
secrets =
|
||||
{
|
||||
"redis/wallabag".owner = inputs.config.users.users.redis-wallabag.name;
|
||||
"postgresql/wallabag" = {};
|
||||
"mail/bot-encoded" = {};
|
||||
};
|
||||
};
|
||||
services =
|
||||
{
|
||||
redis.servers.wallabag =
|
||||
{
|
||||
enable = true;
|
||||
bind = null;
|
||||
port = 8790;
|
||||
requirePassFile = inputs.config.sops.secrets."redis/wallabag".path;
|
||||
};
|
||||
postgresql =
|
||||
{
|
||||
ensureDatabases = [ "wallabag" ];
|
||||
ensureUsers =
|
||||
[{
|
||||
name = "wallabag";
|
||||
ensurePermissions."DATABASE \"wallabag\"" = "ALL PRIVILEGES";
|
||||
}];
|
||||
# ALTER DATABASE db_name OWNER TO new_owner_name
|
||||
# sudo docker exec -t wallabag /var/www/wallabag/bin/console wallabag:install --env=prod --no-interaction
|
||||
};
|
||||
secrets."mail/bot-encoded" = {};
|
||||
};
|
||||
nixos =
|
||||
{
|
||||
@@ -173,22 +99,16 @@ inputs:
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
http."wallabag.chn.moe" =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations."/".proxy = { upstream = "http://127.0.0.1:4398"; setHeaders.Host = "wallabag.chn.moe"; };
|
||||
};
|
||||
https."wallabag.chn.moe".location."/".proxy.upstream = "http://127.0.0.1:4398";
|
||||
};
|
||||
postgresql.enable = true;
|
||||
postgresql = { enable = true; instances.wallabag = {}; };
|
||||
redis.instances.wallabag = { user = "root"; port = 8790; };
|
||||
};
|
||||
# TODO: root docker use config of rootless docker?
|
||||
virtualization.docker.enable = true;
|
||||
};
|
||||
# users =
|
||||
# {
|
||||
# users.wallabag = { isSystemUser = true; group = "wallabag"; autoSubUidGidRange = true; };
|
||||
# groups.wallabag = {};
|
||||
# };
|
||||
}
|
||||
)
|
||||
(mkIf services.noisetorch.enable { programs.noisetorch.enable = true; })
|
||||
];
|
||||
}
|
||||
|
||||
27
modules/services/fontconfig.nix
Normal file
27
modules/services/fontconfig.nix
Normal file
@@ -0,0 +1,27 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.fontconfig = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (inputs.config.nixos.services) fontconfig;
|
||||
in mkIf fontconfig.enable
|
||||
{
|
||||
fonts =
|
||||
{
|
||||
fontDir.enable = true;
|
||||
fonts = with inputs.pkgs;
|
||||
[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
|
||||
fontconfig.defaultFonts =
|
||||
{
|
||||
emoji = [ "Noto Color Emoji" ];
|
||||
monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
|
||||
sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
|
||||
serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -20,8 +20,9 @@ inputs:
|
||||
database =
|
||||
{
|
||||
type = "mysql";
|
||||
passFile = inputs.config.sops.secrets."freshrss/mysql".path;
|
||||
passFile = inputs.config.sops.secrets."freshrss/db".path;
|
||||
};
|
||||
virtualHost = null;
|
||||
};
|
||||
sops.secrets =
|
||||
{
|
||||
@@ -32,6 +33,28 @@ inputs:
|
||||
key = "mariadb/freshrss";
|
||||
};
|
||||
};
|
||||
nixos.mariadb = { enable = true; instances.freshrss = {}; };
|
||||
systemd.services.freshrss-config.after = [ "mysql.service" ];
|
||||
nixos.services =
|
||||
{
|
||||
mariadb = { enable = true; instances.freshrss = {}; };
|
||||
nginx.https.${freshrss.hostname} =
|
||||
{
|
||||
location =
|
||||
{
|
||||
"/".static =
|
||||
{
|
||||
root = "${inputs.pkgs.freshrss}/p";
|
||||
index = [ "index.php" ];
|
||||
tryFiles = [ "$uri" "$uri/" "$uri/index.php" ];
|
||||
};
|
||||
"~ ^.+?\.php(/.*)?$".php =
|
||||
{
|
||||
root = "${inputs.pkgs.freshrss}/p";
|
||||
fastcgiPass =
|
||||
"unix:${inputs.config.services.phpfpm.pools.${inputs.config.services.freshrss.pool}.socket}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
# TODO: update to json config at 23.11
|
||||
# TODO: switch to module in nixpkgs
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services = let inherit (inputs.lib) mkOption types; in
|
||||
@@ -21,6 +23,30 @@ inputs:
|
||||
}));
|
||||
default = {};
|
||||
};
|
||||
stcp = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (inputs:
|
||||
{
|
||||
options =
|
||||
{
|
||||
localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
|
||||
localPort = mkOption { type = types.ints.unsigned; };
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
};
|
||||
stcpVisitor = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (inputs:
|
||||
{
|
||||
options =
|
||||
{
|
||||
localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
|
||||
localPort = mkOption { type = types.ints.unsigned; };
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
frpServer =
|
||||
{
|
||||
@@ -31,6 +57,7 @@ inputs:
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkMerge mkIf;
|
||||
inherit (inputs.lib.strings) splitString;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (inputs.config.nixos.services) frpClient frpServer;
|
||||
inherit (builtins) map listToAttrs;
|
||||
@@ -42,7 +69,7 @@ inputs:
|
||||
systemd.services.frpc =
|
||||
let
|
||||
frpc = "${inputs.pkgs.frp}/bin/frpc";
|
||||
config = inputs.config.sops.templates."frpc.ini";
|
||||
config = inputs.config.sops.templates."frpc.json";
|
||||
in
|
||||
{
|
||||
description = "Frp Client Service";
|
||||
@@ -61,40 +88,58 @@ inputs:
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates."frpc.ini" =
|
||||
templates."frpc.json" =
|
||||
{
|
||||
owner = inputs.config.users.users.frp.name;
|
||||
group = inputs.config.users.users.frp.group;
|
||||
content = inputs.lib.generators.toINI {}
|
||||
(
|
||||
{
|
||||
common =
|
||||
{
|
||||
server_addr = frpClient.serverName;
|
||||
server_port = 7000;
|
||||
token = inputs.config.sops.placeholder."frp/token";
|
||||
user = frpClient.user;
|
||||
tls_enable = true;
|
||||
};
|
||||
}
|
||||
// (listToAttrs (map
|
||||
content = builtins.toJSON
|
||||
{
|
||||
auth.token = inputs.config.sops.placeholder."frp/token";
|
||||
user = frpClient.user;
|
||||
serverAddr = frpClient.serverName;
|
||||
serverPort = 7000;
|
||||
proxies =
|
||||
(map
|
||||
(tcp:
|
||||
{
|
||||
name = tcp.name;
|
||||
value =
|
||||
{
|
||||
type = "tcp";
|
||||
local_ip = tcp.value.localIp;
|
||||
local_port = tcp.value.localPort;
|
||||
remote_port = tcp.value.remotePort;
|
||||
use_compression = true;
|
||||
};
|
||||
type = "tcp";
|
||||
transport.useCompression = true;
|
||||
inherit (tcp.value) localIp localPort remotePort;
|
||||
})
|
||||
(attrsToList frpClient.tcp))
|
||||
)
|
||||
);
|
||||
++ (map
|
||||
(stcp:
|
||||
{
|
||||
name = stcp.name;
|
||||
type = "stcp";
|
||||
transport.useCompression = true;
|
||||
secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
|
||||
inherit (stcp.value) localIp localPort;
|
||||
})
|
||||
(attrsToList frpClient.stcp));
|
||||
visitors = map
|
||||
(stcp:
|
||||
{
|
||||
name = stcp.name;
|
||||
type = "stcp";
|
||||
transport = { useCompression = true; tls.enable = true; };
|
||||
secretKey = inputs.config.sops.placeholder."frp/stcp/${stcp.name}";
|
||||
serverUser = builtins.elemAt (splitString "." stcp.name) 0;
|
||||
serverName = builtins.elemAt (splitString "." stcp.name) 1;
|
||||
bindAddr = stcp.value.localIp;
|
||||
bindPort = stcp.value.localPort;
|
||||
})
|
||||
(attrsToList frpClient.stcpVisitor);
|
||||
};
|
||||
};
|
||||
secrets."frp/token" = {};
|
||||
secrets = listToAttrs
|
||||
(
|
||||
[{ name = "frp/token"; value = {}; }]
|
||||
++ (map
|
||||
(stcp: { name = "frp/stcp/${stcp.name}"; value = {}; })
|
||||
(attrsToList (with frpClient; stcp // stcpVisitor)))
|
||||
);
|
||||
};
|
||||
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
|
||||
}
|
||||
@@ -105,7 +150,7 @@ inputs:
|
||||
systemd.services.frps =
|
||||
let
|
||||
frps = "${inputs.pkgs.frp}/bin/frps";
|
||||
config = inputs.config.sops.templates."frps.ini";
|
||||
config = inputs.config.sops.templates."frps.json";
|
||||
in
|
||||
{
|
||||
description = "Frp Server Service";
|
||||
@@ -124,28 +169,29 @@ inputs:
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates."frps.ini" =
|
||||
templates."frps.json" =
|
||||
{
|
||||
owner = inputs.config.users.users.frp.name;
|
||||
group = inputs.config.users.users.frp.group;
|
||||
content = inputs.lib.generators.toINI {}
|
||||
content = builtins.toJSON
|
||||
{
|
||||
common = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
|
||||
auth.token = inputs.config.sops.placeholder."frp/token";
|
||||
transport.tls = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
|
||||
{
|
||||
bind_port = 7000;
|
||||
bind_udp_port = 7000;
|
||||
token = inputs.config.sops.placeholder."frp/token";
|
||||
tls_cert_file = "${cert}/full.pem";
|
||||
tls_key_file = "${cert}/key.pem";
|
||||
tls_only = true;
|
||||
user_conn_timeout = 30;
|
||||
force = true;
|
||||
certFile = "${cert}/full.pem";
|
||||
keyFile = "${cert}/key.pem";
|
||||
serverName = frpServer.serverName;
|
||||
};
|
||||
};
|
||||
};
|
||||
secrets."frp/token" = {};
|
||||
};
|
||||
nixos.services.acme = { enable = true; certs = [ frpServer.serverName ]; };
|
||||
security.acme.certs.${frpServer.serverName}.group = "frp";
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
cert.${frpServer.serverName}.group = "frp";
|
||||
};
|
||||
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
|
||||
networking.firewall.allowedTCPPorts = [ 7000 ];
|
||||
}
|
||||
|
||||
@@ -20,6 +20,7 @@ inputs:
|
||||
(user:
|
||||
[
|
||||
"d /var/lib/groupshare/${user} 2750 ${user} groupshare"
|
||||
# TODO: auto set 'X' bit in 23.11
|
||||
# systemd 253 does not support 'X' bit, it should be manually set
|
||||
# sudo setfacl -m 'xxx' dir
|
||||
# ("a /var/lib/groupshare/${user} - - - - "
|
||||
@@ -30,7 +31,12 @@ inputs:
|
||||
(mountPoint:
|
||||
{
|
||||
name = mountPoint;
|
||||
value = { device = "/var/lib/groupshare"; options = [ "bind" ]; depends = [ "/home" "/var/lib" ]; };
|
||||
value =
|
||||
{
|
||||
device = "/var/lib/groupshare";
|
||||
options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
|
||||
depends = [ "/home" "/var/lib" ];
|
||||
};
|
||||
})
|
||||
groupshare.mountPoints);
|
||||
};
|
||||
|
||||
25
modules/services/httpua/default.nix
Normal file
25
modules/services/httpua/default.nix
Normal file
@@ -0,0 +1,25 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services) httpua;
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (builtins) toString;
|
||||
in mkIf httpua.enable
|
||||
{
|
||||
nixos.services =
|
||||
{
|
||||
phpfpm.instances.httpua = {};
|
||||
nginx.http.${httpua.hostname}.php =
|
||||
{
|
||||
root = toString ./.;
|
||||
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
1
modules/services/httpua/index.php
Normal file
1
modules/services/httpua/index.php
Normal file
@@ -0,0 +1 @@
|
||||
<?php echo $_SERVER['HTTP_USER_AGENT']; ?>
|
||||
66
modules/services/huginn.nix
Normal file
66
modules/services/huginn.nix
Normal file
@@ -0,0 +1,66 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.huginn = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "huginn.chn.moe"; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (inputs.config.nixos.services) huginn;
|
||||
in mkIf huginn.enable
|
||||
{
|
||||
virtualisation.oci-containers.containers.huginn =
|
||||
{
|
||||
image = "huginn/huginn:2d5fcafc507da3e8c115c3479e9116a0758c5375";
|
||||
imageFile = inputs.pkgs.dockerTools.pullImage
|
||||
{
|
||||
imageName = "ghcr.io/huginn/huginn";
|
||||
imageDigest = "sha256:aa694519b196485c6c31582dde007859fc8b8bbe9b1d4d94c6db8558843d0458";
|
||||
sha256 = "0471v20d7ilwx81kyrxjcb90nnmqyyi9mwazbpy3z4rhnzv7pz76";
|
||||
finalImageName = "huginn/huginn";
|
||||
finalImageTag = "2d5fcafc507da3e8c115c3479e9116a0758c5375";
|
||||
};
|
||||
ports = [ "127.0.0.1:3000:3000/tcp" ];
|
||||
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
|
||||
environmentFiles = [ inputs.config.sops.templates."huginn/env".path ];
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates."huginn/env".content = let placeholder = inputs.config.sops.placeholder; in
|
||||
''
|
||||
MYSQL_PORT_3306_TCP_ADDR=host.docker.internal
|
||||
HUGINN_DATABASE_NAME=huginn
|
||||
HUGINN_DATABASE_USERNAME=huginn
|
||||
HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
|
||||
DOMAIN=${huginn.hostname}
|
||||
RAILS_ENV=production
|
||||
FORCE_SSL=true
|
||||
INVITATION_CODE=${placeholder."huginn/invitationCode"}
|
||||
SMTP_DOMAIN=mail.chn.moe
|
||||
SMTP_USER_NAME=bot@chn.moe
|
||||
SMTP_PASSWORD="${placeholder."mail/bot"}"
|
||||
SMTP_SERVER=mail.chn.moe
|
||||
SMTP_SSL=true
|
||||
EMAIL_FROM_ADDRESS=bot@chn.moe
|
||||
TIMEZONE=Beijing
|
||||
'';
|
||||
secrets = { "huginn/invitationCode" = {}; "mail/bot" = {}; };
|
||||
};
|
||||
nixos =
|
||||
{
|
||||
services =
|
||||
{
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
https."${huginn.hostname}".location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
|
||||
};
|
||||
mariadb.instances.huginn = {};
|
||||
};
|
||||
# TODO: root docker use config of rootless docker?
|
||||
virtualization.docker.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
19
modules/services/kmscon.nix
Normal file
19
modules/services/kmscon.nix
Normal file
@@ -0,0 +1,19 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.kmscon = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (inputs.config.nixos.services) kmscon;
|
||||
in mkIf kmscon.enable
|
||||
{
|
||||
services.kmscon =
|
||||
{
|
||||
enable = true;
|
||||
fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -40,6 +40,7 @@ inputs:
|
||||
mysqlBackup =
|
||||
{
|
||||
enable = true;
|
||||
singleTransaction = true;
|
||||
databases = map (db: db.value.database) (attrsToList mariadb.instances);
|
||||
};
|
||||
};
|
||||
|
||||
@@ -7,7 +7,7 @@ inputs:
|
||||
autoStart = mkOption { type = types.bool; default = true; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 9726; };
|
||||
redis.port = mkOption { type = types.ints.unsigned; default = 3545; };
|
||||
hostname = mkOption { type = types.str; default = "misskey.chn.moe"; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "misskey.chn.moe"; };
|
||||
meilisearch =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = true; };
|
||||
@@ -58,12 +58,12 @@ inputs:
|
||||
"/var/lib/misskey/${instance.name}/work" =
|
||||
{
|
||||
device = "${inputs.pkgs.localPackages.misskey}";
|
||||
options = [ "bind" "private" "x-gvfs-hide" ];
|
||||
options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
|
||||
};
|
||||
"/var/lib/misskey/${instance.name}/work/files" =
|
||||
{
|
||||
device = "/var/lib/misskey/${instance.name}/files";
|
||||
options = [ "bind" "private" "x-gvfs-hide" ];
|
||||
options = [ "bind" "private" "x-gvfs-hide" "X-fstrim.notrim" ];
|
||||
};
|
||||
})
|
||||
(attrsToList misskey.instances));
|
||||
@@ -160,6 +160,17 @@ inputs:
|
||||
};
|
||||
})
|
||||
(filter (instance: instance.value.meilisearch.enable) (attrsToList misskey.instances)));
|
||||
nginx =
|
||||
{
|
||||
enable = mkIf (misskey.instances != {}) true;
|
||||
https = listToAttrs (map
|
||||
(instance: with instance.value;
|
||||
{
|
||||
name = hostname;
|
||||
value.location."/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
|
||||
})
|
||||
(attrsToList misskey.instances));
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -3,7 +3,7 @@ inputs:
|
||||
options.nixos.services.nextcloud = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.str; default = "nextcloud.chn.moe"; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "nextcloud.chn.moe"; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
@@ -67,6 +67,11 @@ inputs:
|
||||
{
|
||||
postgresql = { enable = true; instances.nextcloud = {}; };
|
||||
redis.instances.nextcloud.port = 3499;
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
https.${nextcloud.hostname}.global.configName = nextcloud.hostname;
|
||||
};
|
||||
};
|
||||
sops =
|
||||
{
|
||||
|
||||
@@ -2,11 +2,7 @@ inputs:
|
||||
{
|
||||
imports = inputs.localLib.mkModules
|
||||
[
|
||||
./misskey.nix
|
||||
./synapse.nix
|
||||
./vaultwarden.nix
|
||||
./element.nix
|
||||
./photoprism.nix
|
||||
./nextcloud.nix
|
||||
./synapse-admin.nix
|
||||
];
|
||||
}
|
||||
|
||||
@@ -16,25 +16,21 @@ inputs:
|
||||
inherit (builtins) map listToAttrs toString;
|
||||
in
|
||||
{
|
||||
nixos.services.nginx.http = listToAttrs (map
|
||||
nixos.services.nginx.https = listToAttrs (map
|
||||
(instance: with instance.value;
|
||||
{
|
||||
name = hostname;
|
||||
value =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations."/".static.root =
|
||||
if defaultServer == null then toString inputs.pkgs.element-web
|
||||
else toString (inputs.pkgs.element-web.override { conf =
|
||||
value.location."/".static.root =
|
||||
if defaultServer == null then toString inputs.pkgs.element-web
|
||||
else toString (inputs.pkgs.element-web.override { conf =
|
||||
{
|
||||
default_server_config."m.homeserver" =
|
||||
{
|
||||
default_server_config."m.homeserver" =
|
||||
{
|
||||
base_url = "https://${defaultServer}";
|
||||
server_name = defaultServer;
|
||||
};
|
||||
disable_guests = false;
|
||||
};});
|
||||
};
|
||||
base_url = "https://${defaultServer}";
|
||||
server_name = defaultServer;
|
||||
};
|
||||
disable_guests = false;
|
||||
};});
|
||||
})
|
||||
(attrsToList instances));
|
||||
};
|
||||
|
||||
@@ -1,45 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.applications.misskey.instances = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
upstream = mkOption
|
||||
{
|
||||
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
|
||||
{
|
||||
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 9726; };
|
||||
};})];
|
||||
default = "127.0.0.1:9726";
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services.nginx.applications.misskey) instances;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (builtins) map listToAttrs toString;
|
||||
in
|
||||
{
|
||||
nixos.services.nginx.http = listToAttrs (map
|
||||
(proxy: with proxy.value;
|
||||
{
|
||||
name = hostname;
|
||||
value =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations."/".proxy =
|
||||
{
|
||||
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
|
||||
else "http://${upstream.address}:${toString upstream.port}";
|
||||
websocket = true;
|
||||
setHeaders.Host = hostname;
|
||||
};
|
||||
};
|
||||
})
|
||||
(attrsToList instances));
|
||||
};
|
||||
}
|
||||
@@ -1,48 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.applications.nextcloud = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
instance.enable = mkOption
|
||||
{
|
||||
type = types.addCheck types.bool (value: value -> inputs.config.nixos.services.nextcloud.enable);
|
||||
default = false;
|
||||
};
|
||||
proxy =
|
||||
{
|
||||
enable = mkOption
|
||||
{
|
||||
type = types.addCheck types.bool
|
||||
(value: value -> !inputs.config.nixos.services.nginx.applications.nextcloud.instance.enable);
|
||||
default = false;
|
||||
};
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services.nginx.applications) nextcloud;
|
||||
inherit (inputs.lib) mkIf mkMerge;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (builtins) map listToAttrs;
|
||||
in mkMerge
|
||||
[
|
||||
(mkIf (nextcloud.instance.enable)
|
||||
{
|
||||
nixos.services.nginx.http.${inputs.config.nixos.services.nextcloud.hostname}.rewriteHttps = true;
|
||||
services.nginx.virtualHosts.${inputs.config.nixos.services.nextcloud.hostname} = mkMerge
|
||||
[
|
||||
(inputs.config.services.nextcloud.nginx.recommendedConfig { upstream = "127.0.0.1"; })
|
||||
{ listen = [ { addr = "0.0.0.0"; port = 8417; ssl = true; extraParameters = [ "proxy_protocol" ]; } ]; }
|
||||
];
|
||||
})
|
||||
(mkIf (nextcloud.proxy.enable)
|
||||
{
|
||||
nixos.services.nginx.streamProxy.map.${inputs.config.nixos.services.nextcloud.hostname} =
|
||||
{
|
||||
upstream = "${nextcloud.proxy.upstream}:8417";
|
||||
rewriteHttps = true;
|
||||
proxyProtocol = true;
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
||||
@@ -1,45 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.applications.photoprism.instances = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
upstream = mkOption
|
||||
{
|
||||
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
|
||||
{
|
||||
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 2342; };
|
||||
};})];
|
||||
default = "127.0.0.1:2342";
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services.nginx.applications.photoprism) instances;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (builtins) map listToAttrs toString;
|
||||
in
|
||||
{
|
||||
nixos.services.nginx.http = listToAttrs (map
|
||||
(proxy: with proxy.value;
|
||||
{
|
||||
name = hostname;
|
||||
value =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations."/".proxy =
|
||||
{
|
||||
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
|
||||
else "http://${upstream.address}:${toString upstream.port}";
|
||||
websocket = true;
|
||||
setHeaders.Host = hostname;
|
||||
};
|
||||
};
|
||||
})
|
||||
(attrsToList instances));
|
||||
};
|
||||
}
|
||||
25
modules/services/nginx/applications/synapse-admin.nix
Normal file
25
modules/services/nginx/applications/synapse-admin.nix
Normal file
@@ -0,0 +1,25 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.applications.synapse-admin.instances =
|
||||
let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{ hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; }; };}));
|
||||
default = {};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services.nginx.applications.synapse-admin) instances;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (builtins) map listToAttrs;
|
||||
in
|
||||
{
|
||||
nixos.services.nginx.https = listToAttrs (map
|
||||
(site: with site.value;
|
||||
{
|
||||
name = hostname;
|
||||
value.location."/".static.root = "${inputs.pkgs.synapse-admin}";
|
||||
})
|
||||
(attrsToList instances));
|
||||
};
|
||||
}
|
||||
@@ -1,46 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.applications.synapse.instances = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
upstream = mkOption
|
||||
{
|
||||
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
|
||||
{
|
||||
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 8008; };
|
||||
};})];
|
||||
default = "127.0.0.1:8008";
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services.nginx.applications.synapse) instances;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (inputs.lib) mkIf mkMerge;
|
||||
inherit (builtins) map listToAttrs;
|
||||
in
|
||||
{
|
||||
nixos.services.nginx.http = listToAttrs (map
|
||||
(proxy: with proxy.value;
|
||||
{
|
||||
name = hostname;
|
||||
value =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations."/".proxy =
|
||||
{
|
||||
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
|
||||
else "http://${upstream.address}:${toString upstream.port}";
|
||||
websocket = true;
|
||||
setHeaders.Host = hostname;
|
||||
};
|
||||
};
|
||||
})
|
||||
(attrsToList instances));
|
||||
};
|
||||
}
|
||||
@@ -1,44 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.applications.vaultwarden = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "vaultwarden.chn.moe"; };
|
||||
upstream = mkOption
|
||||
{
|
||||
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
|
||||
{
|
||||
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 8000; };
|
||||
websocketPort = mkOption { type = types.ints.unsigned; default = 3012; };
|
||||
};})];
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services.nginx.applications) vaultwarden;
|
||||
inherit (builtins) listToAttrs;
|
||||
inherit (inputs.lib) mkIf;
|
||||
in mkIf vaultwarden.enable
|
||||
{
|
||||
nixos.services.nginx.http."${vaultwarden.hostname}" =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations = let upstream = vaultwarden.upstream; in (listToAttrs (map
|
||||
(location: { name = location; value.proxy =
|
||||
{
|
||||
upstream = "http://${upstream.address or upstream}:${builtins.toString upstream.port or 8000}";
|
||||
setHeaders = { Host = vaultwarden.hostname; Connection = ""; };
|
||||
};})
|
||||
[ "/" "/notifications/hub/negotiate" ]))
|
||||
// { "/notifications/hub".proxy =
|
||||
{
|
||||
upstream =
|
||||
"http://${upstream.address or upstream}:${builtins.toString upstream.websocketPort or 3012}";
|
||||
websocket = true;
|
||||
setHeaders.Host = vaultwarden.hostname;
|
||||
};};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -7,81 +7,185 @@ inputs:
|
||||
options.nixos.services.nginx = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
# transparentProxy -> https(with proxyProtocol) or transparentProxy -> streamProxy -> https(with proxyProtocol)
|
||||
# https without proxyProtocol listen on private ip, with proxyProtocol listen on all ip
|
||||
# streamProxy listen on private ip
|
||||
# transparentProxy listen on public ip
|
||||
global = mkOption
|
||||
{
|
||||
type = types.anything;
|
||||
readOnly = true;
|
||||
default =
|
||||
{
|
||||
httpsPort = 3065;
|
||||
httpsPortShift = { http2 = 1; proxyProtocol = 2; };
|
||||
httpsLocationTypes = [ "proxy" "static" "php" "return" ];
|
||||
httpTypes = [ "rewriteHttps" "php" ];
|
||||
streamPort = 5575;
|
||||
streamPortShift = { proxyProtocol = 1; };
|
||||
};
|
||||
};
|
||||
transparentProxy =
|
||||
{
|
||||
# only disable in some rare cases
|
||||
enable = mkOption { type = types.bool; default = true; };
|
||||
externalIp = mkOption { type = types.listOf types.nonEmptyStr; };
|
||||
map = mkOption { type = types.attrsOf types.ints.unsigned; default = {};};
|
||||
};
|
||||
http = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
rewriteHttps = mkOption { type = types.bool; default = false; };
|
||||
http2 = mkOption { type = types.bool; default = true; };
|
||||
addAuth = mkOption { type = types.bool; default = false; };
|
||||
detectAuth = mkOption { type = types.bool; default = false; };
|
||||
locations = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.addCheck
|
||||
(types.submodule { options =
|
||||
{
|
||||
proxy = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
websocket = mkOption { type = types.bool; default = false; };
|
||||
setHeaders = mkOption { type = types.attrsOf types.str; default = {}; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
static = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
root = mkOption { type = types.nonEmptyStr; };
|
||||
index = mkOption { type = types.nonEmptyStr; default = "index.html"; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
};})
|
||||
(value: (inputs.lib.count (value: value != null) (builtins.attrValues value)) == 1));
|
||||
default = {};
|
||||
};
|
||||
};});
|
||||
default = {};
|
||||
# proxy to 127.0.0.1:${specified port}
|
||||
map = mkOption { type = types.attrsOf types.ints.unsigned; default = {}; };
|
||||
};
|
||||
streamProxy =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 5575; };
|
||||
portWithProxyProtocol = mkOption { type = types.ints.unsigned; default = 5576; };
|
||||
map = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.oneOf
|
||||
[
|
||||
# proxy to specified ip:port without proxyProtocol
|
||||
types.nonEmptyStr
|
||||
(types.submodule { options =
|
||||
{
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = false; };
|
||||
proxyProtocol = mkOption { type = types.bool; default = false; };
|
||||
upstream = mkOption
|
||||
{
|
||||
type = types.oneOf
|
||||
[
|
||||
# proxy to specified ip:port with or without proxyProtocol
|
||||
types.nonEmptyStr
|
||||
(types.submodule { options =
|
||||
{
|
||||
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
|
||||
# if port not specified, guess from proxyProtocol enabled or not, assume http2 enabled
|
||||
port = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
|
||||
};})
|
||||
];
|
||||
default = {};
|
||||
};
|
||||
proxyProtocol = mkOption { type = types.bool; default = true; };
|
||||
addToTransparentProxy = mkOption { type = types.bool; default = true; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = true; };
|
||||
};})
|
||||
]);
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
https = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (siteSubmoduleInputs: { options =
|
||||
{
|
||||
global =
|
||||
{
|
||||
configName = mkOption
|
||||
{
|
||||
type = types.nonEmptyStr;
|
||||
default = "https:${siteSubmoduleInputs.config._module.args.name}";
|
||||
};
|
||||
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
index = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
|
||||
detectAuth = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = true; };
|
||||
};
|
||||
listen = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
http2 = mkOption { type = types.bool; default = true; };
|
||||
proxyProtocol = mkOption { type = types.bool; default = true; };
|
||||
# if proxyProtocol not enabled, add to transparentProxy only
|
||||
# if proxyProtocol enabled, add to transparentProxy and streamProxy
|
||||
addToTransparentProxy = mkOption { type = types.bool; default = true; };
|
||||
};});
|
||||
default.main = {};
|
||||
};
|
||||
location = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
let
|
||||
genericOptions =
|
||||
{
|
||||
# htpasswd -n username
|
||||
detectAuth = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
|
||||
};
|
||||
in
|
||||
{
|
||||
# only one should be specified
|
||||
proxy = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options = genericOptions //
|
||||
{
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
websocket = mkOption { type = types.bool; default = false; };
|
||||
setHeaders = mkOption
|
||||
{
|
||||
type = types.attrsOf types.str;
|
||||
default.Host = siteSubmoduleInputs.config._module.args.name;
|
||||
};
|
||||
# echo -n "username:password" | base64
|
||||
addAuth = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
static = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options = genericOptions //
|
||||
{
|
||||
# should be set to non null value if global root is null
|
||||
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
index = mkOption { type = types.listOf types.nonEmptyStr; default = [ "index.html" ]; };
|
||||
tryFiles = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
php = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options = genericOptions //
|
||||
{
|
||||
# should be set to non null value if global root is null
|
||||
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
fastcgiPass = mkOption { type = types.nonEmptyStr; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
return = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};});
|
||||
default = {};
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
http = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
rewriteHttps = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
php = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
root = mkOption { type = types.nonEmptyStr; };
|
||||
fastcgiPass = mkOption { type = types.nonEmptyStr; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkMerge mkIf;
|
||||
inherit (inputs.localLib) stripeTabs attrsToList;
|
||||
inherit (inputs.lib) mkMerge mkIf mkDefault;
|
||||
inherit (inputs.lib.strings) escapeURL;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (inputs.config.nixos.services) nginx;
|
||||
inherit (builtins) map listToAttrs concatStringsSep toString filter attrValues;
|
||||
in mkMerge
|
||||
inherit (builtins) map listToAttrs concatStringsSep toString filter attrValues concatLists;
|
||||
concatAttrs = list: listToAttrs (concatLists (map (attrs: attrsToList attrs) list));
|
||||
in mkIf nginx.enable (mkMerge
|
||||
[
|
||||
(mkIf nginx.enable
|
||||
# generic config
|
||||
{
|
||||
services =
|
||||
{
|
||||
@@ -107,55 +211,6 @@ inputs:
|
||||
send_timeout 10m;
|
||||
'';
|
||||
proxyTimeout = "10m";
|
||||
virtualHosts = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value =
|
||||
{
|
||||
serverName = site.name;
|
||||
listen = [ { addr = "127.0.0.1"; port = (if site.value.http2 then 443 else 3065); ssl = true; } ]
|
||||
++ (if site.value.rewriteHttps then [ { addr = "0.0.0.0"; port = 80; } ] else []);
|
||||
useACMEHost = site.name;
|
||||
locations = listToAttrs (map
|
||||
(location:
|
||||
{
|
||||
inherit (location) name;
|
||||
value =
|
||||
if (location.value.proxy != null) then
|
||||
{
|
||||
proxyPass = location.value.proxy.upstream;
|
||||
proxyWebsockets = location.value.proxy.websocket;
|
||||
recommendedProxySettings = false;
|
||||
recommendedProxySettingsNoHost = true;
|
||||
extraConfig = concatStringsSep "\n"
|
||||
(
|
||||
(map
|
||||
(header: ''proxy_set_header ${header.name} "${header.value}";'')
|
||||
(attrsToList location.value.proxy.setHeaders))
|
||||
++ (if site.value.detectAuth then ["proxy_hide_header Authorization;"] else [])
|
||||
++ (
|
||||
if site.value.addAuth then
|
||||
["include ${inputs.config.sops.templates."nginx/addAuth/${site.name}-template".path};"]
|
||||
else [])
|
||||
);
|
||||
}
|
||||
else if (location.value.static != null) then
|
||||
{
|
||||
root = location.value.static.root;
|
||||
index = location.value.static.index;
|
||||
}
|
||||
else {};
|
||||
})
|
||||
(attrsToList site.value.locations));
|
||||
forceSSL = site.value.rewriteHttps;
|
||||
http2 = site.value.http2;
|
||||
basicAuthFile =
|
||||
if site.value.detectAuth then inputs.config.sops.secrets."nginx/detectAuth/${site.name}".path
|
||||
else null;
|
||||
};
|
||||
})
|
||||
(attrsToList nginx.http));
|
||||
recommendedZstdSettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
@@ -182,8 +237,7 @@ inputs:
|
||||
.overrideAttrs (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
|
||||
streamConfig =
|
||||
''
|
||||
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb
|
||||
{
|
||||
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
resolver 8.8.8.8;
|
||||
@@ -202,29 +256,8 @@ inputs:
|
||||
};
|
||||
};
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
name = "nginx/addAuth/${site.name}-template";
|
||||
value =
|
||||
{
|
||||
content =
|
||||
let placeholder = inputs.config.sops.placeholder."nginx/addAuth/${site.name}";
|
||||
in ''proxy_set_header Authorization "Basic ${placeholder}";'';
|
||||
owner = inputs.config.users.users.nginx.name;
|
||||
};
|
||||
})
|
||||
(filter (site: site.value.addAuth) (attrsToList nginx.http)));
|
||||
secrets = { "nginx/maxmind-license".owner = inputs.config.users.users.nginx.name; }
|
||||
// (listToAttrs (map
|
||||
(site: { name = "nginx/detectAuth/${site.name}"; value.owner = inputs.config.users.users.nginx.name; })
|
||||
(filter (site: site.value.detectAuth) (attrsToList nginx.http))))
|
||||
// (listToAttrs (map
|
||||
(site: { name = "nginx/addAuth/${site.name}"; value = {}; })
|
||||
(filter (site: site.value.addAuth) (attrsToList nginx.http))));
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
sops.secrets = { "nginx/maxmind-license".owner = inputs.config.users.users.nginx.name; };
|
||||
systemd.services.nginx.serviceConfig =
|
||||
{
|
||||
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
|
||||
@@ -232,37 +265,22 @@ inputs:
|
||||
LimitNPROC = 65536;
|
||||
LimitNOFILE = 524288;
|
||||
};
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
certs = map (cert: cert.name) (attrsToList nginx.http);
|
||||
};
|
||||
security.acme.certs = listToAttrs (map
|
||||
(cert: { inherit (cert) name; value.group = inputs.config.services.nginx.group; })
|
||||
(attrsToList nginx.http));
|
||||
})
|
||||
}
|
||||
# transparentProxy
|
||||
(mkIf nginx.transparentProxy.enable
|
||||
{
|
||||
services.nginx.streamConfig =
|
||||
''
|
||||
log_format transparent_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
|
||||
'"$ssl_preread_server_name"->$transparent_proxy_backend $bytes_sent $bytes_received';
|
||||
map $ssl_preread_server_name $transparent_proxy_backend
|
||||
{
|
||||
${concatStringsSep "\n" (map
|
||||
(x: '' "${x.name}" 127.0.0.1:${toString x.value};'')
|
||||
(
|
||||
(attrsToList nginx.transparentProxy.map)
|
||||
++ (map
|
||||
(site: { name = site.name; value = (if site.value.http2 then 443 else 3065); })
|
||||
(attrsToList nginx.http)
|
||||
)
|
||||
))}
|
||||
default 127.0.0.1:443;
|
||||
map $ssl_preread_server_name $transparent_proxy_backend {
|
||||
${concatStringsSep "\n " (map
|
||||
(x: ''"${x.name}" 127.0.0.1:${toString x.value};'')
|
||||
(attrsToList nginx.transparentProxy.map))}
|
||||
default 127.0.0.1:${toString (with nginx.global; (httpsPort + httpsPortShift.http2))};
|
||||
}
|
||||
server
|
||||
{
|
||||
${concatStringsSep "\n " (map (ip: "listen ${ip}:443;") nginx.transparentProxy.externalIp)}
|
||||
server {
|
||||
${concatStringsSep "\n " (map (ip: "listen ${ip}:443;") nginx.transparentProxy.externalIp)}
|
||||
ssl_preread on;
|
||||
proxy_bind $remote_addr transparent;
|
||||
proxy_pass $transparent_proxy_backend;
|
||||
@@ -272,7 +290,6 @@ inputs:
|
||||
access_log syslog:server=unix:/dev/log transparent_proxy;
|
||||
}
|
||||
'';
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
systemd.services.nginx-proxy =
|
||||
let
|
||||
ipset = "${inputs.pkgs.ipset}/bin/ipset";
|
||||
@@ -293,9 +310,9 @@ inputs:
|
||||
${ip} rule add fwmark 2/2 table 200
|
||||
${ip} route add local 0.0.0.0/0 dev lo table 200
|
||||
''
|
||||
+ concatStringsSep "\n" (map
|
||||
+ concatStringsSep "\n " (map
|
||||
(port: ''${ipset} add nginx_proxy_port ${toString port}'')
|
||||
(inputs.lib.unique ((attrValues nginx.transparentProxy.map) ++ [ 443 3065 ])))
|
||||
(inputs.lib.unique (attrValues nginx.transparentProxy.map)))
|
||||
);
|
||||
stop = inputs.pkgs.writeShellScript "nginx-proxy.stop"
|
||||
''
|
||||
@@ -324,64 +341,365 @@ inputs:
|
||||
wantedBy= [ "multi-user.target" ];
|
||||
};
|
||||
})
|
||||
(mkIf nginx.streamProxy.enable
|
||||
# streamProxy
|
||||
{
|
||||
services.nginx =
|
||||
services.nginx.streamConfig =
|
||||
''
|
||||
log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
|
||||
'"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
|
||||
map $ssl_preread_server_name $stream_proxy_backend {
|
||||
${concatStringsSep "\n " (map
|
||||
(x:
|
||||
let
|
||||
upstream =
|
||||
if (builtins.typeOf x.value.upstream == "string") then
|
||||
x.value.upstream
|
||||
else
|
||||
let
|
||||
port = with nginx.global;
|
||||
if x.value.upstream.port == null then
|
||||
httpsPort + httpsPortShift.http2
|
||||
+ (if x.value.proxyProtocol then httpsPortShift.proxyProtocol else 0)
|
||||
else x.value.upstream.port;
|
||||
in "${x.value.upstream.address}:${toString port}";
|
||||
in ''"${x.name}" "${upstream}";'')
|
||||
(attrsToList nginx.streamProxy.map))}
|
||||
}
|
||||
server {
|
||||
listen 127.0.0.1:${toString nginx.global.streamPort};
|
||||
ssl_preread on;
|
||||
proxy_pass $stream_proxy_backend;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log stream_proxy;
|
||||
}
|
||||
server {
|
||||
listen 127.0.0.1:${toString (with nginx.global; (streamPort + streamPortShift.proxyProtocol))};
|
||||
proxy_protocol on;
|
||||
ssl_preread on;
|
||||
proxy_pass $stream_proxy_backend;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log stream_proxy;
|
||||
}
|
||||
'';
|
||||
nixos.services.nginx =
|
||||
{
|
||||
streamConfig =
|
||||
''
|
||||
log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
|
||||
'"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
|
||||
map $ssl_preread_server_name $stream_proxy_backend
|
||||
{
|
||||
${concatStringsSep "\n" (map
|
||||
(x: '' "${x.name}" "${x.value.upstream or x.value}";'')
|
||||
(attrsToList nginx.streamProxy.map))}
|
||||
}
|
||||
server
|
||||
{
|
||||
listen 127.0.0.1:${toString nginx.streamProxy.port};
|
||||
ssl_preread on;
|
||||
proxy_pass $stream_proxy_backend;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log stream_proxy;
|
||||
}
|
||||
server
|
||||
{
|
||||
listen 127.0.0.1:${toString nginx.streamProxy.portWithProxyProtocol};
|
||||
proxy_protocol on;
|
||||
ssl_preread on;
|
||||
proxy_pass $stream_proxy_backend;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log stream_proxy;
|
||||
}
|
||||
'';
|
||||
virtualHosts = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value =
|
||||
{
|
||||
serverName = site.name;
|
||||
listen = [ { addr = "0.0.0.0"; port = 80; } ];
|
||||
locations."/".return = "301 https://${site.name}$request_uri";
|
||||
};
|
||||
})
|
||||
transparentProxy.map = listToAttrs
|
||||
(
|
||||
(map
|
||||
(site: { inherit (site) name; value = nginx.global.streamPort; })
|
||||
(filter
|
||||
(site: (!(site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
|
||||
(attrsToList nginx.streamProxy.map)))
|
||||
++ (map
|
||||
(site: { inherit (site) name; value = with nginx.global; streamPort + streamPortShift.proxyProtocol; })
|
||||
(filter
|
||||
(site: ((site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
|
||||
(attrsToList nginx.streamProxy.map)))
|
||||
);
|
||||
http = listToAttrs (map
|
||||
(site: { inherit (site) name; value.rewriteHttps = {}; })
|
||||
(filter (site: site.value.rewriteHttps or false) (attrsToList nginx.streamProxy.map)));
|
||||
};
|
||||
nixos.services.nginx.transparentProxy.map = listToAttrs
|
||||
}
|
||||
# https
|
||||
{
|
||||
# only one type should be specified in each location
|
||||
assertions =
|
||||
(
|
||||
(map
|
||||
(site: { name = site.name; value = nginx.streamProxy.port; })
|
||||
(filter (site: !(site.value.proxyProtocol or false)) (attrsToList nginx.streamProxy.map)))
|
||||
(location:
|
||||
{
|
||||
assertion = (inputs.lib.count
|
||||
(x: x != null)
|
||||
(map (type: location.value.${type}) nginx.global.httpsLocationTypes)) <= 1;
|
||||
message = "Only one type shuold be specified in ${location.name}";
|
||||
})
|
||||
(concatLists (map
|
||||
(site: (map
|
||||
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
|
||||
(attrsToList site.value.location)))
|
||||
(attrsToList nginx.https))))
|
||||
# root should be specified either in global or in each location
|
||||
++ (map
|
||||
(site: { name = site.name; value = nginx.streamProxy.portWithProxyProtocol; })
|
||||
(filter (site: site.value.proxyProtocol or false) (attrsToList nginx.streamProxy.map)))
|
||||
(location:
|
||||
{
|
||||
assertion = (location.value.root or "") != null;
|
||||
message = "Root should be specified in ${location.name}";
|
||||
})
|
||||
(concatLists (map
|
||||
(site: (map
|
||||
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
|
||||
(attrsToList site.value.location)))
|
||||
(filter (site: site.value.global.root == null) (attrsToList nginx.https)))))
|
||||
);
|
||||
})
|
||||
];
|
||||
services.nginx.virtualHosts = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
name = site.value.global.configName;
|
||||
value =
|
||||
{
|
||||
serverName = site.name;
|
||||
root = mkIf (site.value.global.root != null) site.value.global.root;
|
||||
basicAuthFile = mkIf (site.value.global.detectAuth != null)
|
||||
inputs.config.sops.templates."nginx/templates/detectAuth/${escapeURL site.name}-global".path;
|
||||
extraConfig = mkIf (site.value.global.index != null)
|
||||
"index ${concatStringsSep " " site.value.global.index};";
|
||||
listen = map
|
||||
(listen:
|
||||
{
|
||||
addr = if listen.value.proxyProtocol then "0.0.0.0" else "127.0.0.1";
|
||||
port = with nginx.global; httpsPort
|
||||
+ (if listen.value.http2 then httpsPortShift.http2 else 0)
|
||||
+ (if listen.value.proxyProtocol then httpsPortShift.proxyProtocol else 0);
|
||||
ssl = true;
|
||||
# TODO: use proxy_protocol in 23.11
|
||||
extraParameters =
|
||||
(if listen.value.proxyProtocol then [ "proxy_protocol" ] else [])
|
||||
++ (if listen.value.http2 then [ "http2" ] else []);
|
||||
})
|
||||
(attrsToList site.value.listen);
|
||||
# do not automatically add http2 listen
|
||||
http2 = false;
|
||||
onlySSL = true;
|
||||
# TODO: disable well-known in 23.11
|
||||
useACMEHost = site.name;
|
||||
locations = listToAttrs (map
|
||||
(location:
|
||||
{
|
||||
inherit (location) name;
|
||||
value =
|
||||
{
|
||||
basicAuthFile =
|
||||
let
|
||||
detectAuthList = filter
|
||||
(detectAuth: detectAuth != null)
|
||||
(map
|
||||
(type: location.value.${type}.detectAuth or null)
|
||||
nginx.global.httpsLocationTypes);
|
||||
in mkIf (builtins.length detectAuthList > 0)
|
||||
inputs.config.sops.templates
|
||||
."nginx/templates/detectAuth/${escapeURL site.name}/${escapeURL location.name}".path;
|
||||
}
|
||||
// (
|
||||
if (location.value.proxy != null) then
|
||||
{
|
||||
proxyPass = location.value.proxy.upstream;
|
||||
proxyWebsockets = location.value.proxy.websocket;
|
||||
recommendedProxySettings = false;
|
||||
recommendedProxySettingsNoHost = true;
|
||||
extraConfig = concatStringsSep "\n"
|
||||
(
|
||||
(map
|
||||
(header: ''proxy_set_header ${header.name} "${header.value}";'')
|
||||
(attrsToList location.value.proxy.setHeaders))
|
||||
++ (
|
||||
if location.value.proxy.detectAuth != null || site.value.global.detectAuth != null
|
||||
then [ "proxy_hide_header Authorization;" ]
|
||||
else []
|
||||
)
|
||||
++ (
|
||||
if location.value.proxy.addAuth != null then
|
||||
let authFile = "nginx/templates/addAuth/${location.value.proxy.addAuth}";
|
||||
in [ "include ${inputs.config.sops.templates.${authFile}.path};" ]
|
||||
else [])
|
||||
);
|
||||
}
|
||||
else if (location.value.static != null) then
|
||||
{
|
||||
root = location.value.static.root;
|
||||
index = mkIf (location.value.static.index != [])
|
||||
(concatStringsSep " " location.value.static.index);
|
||||
tryFiles = mkIf (location.value.static.tryFiles != [])
|
||||
(concatStringsSep " " location.value.static.tryFiles);
|
||||
}
|
||||
else if (location.value.php != null) then
|
||||
{
|
||||
root = location.value.php.root;
|
||||
extraConfig =
|
||||
''
|
||||
fastcgi_pass ${location.value.php.fastcgiPass};
|
||||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
|
||||
'';
|
||||
}
|
||||
else if (location.value.return != null) then
|
||||
{
|
||||
return = location.value.return;
|
||||
}
|
||||
else {}
|
||||
);
|
||||
})
|
||||
(attrsToList site.value.location));
|
||||
};
|
||||
})
|
||||
(attrsToList nginx.https));
|
||||
nixos.services =
|
||||
{
|
||||
nginx =
|
||||
let
|
||||
# { name = domain; value = listen = { http2 = xxx, proxyProtocol = xxx, addToTransparentProxy = true }; }
|
||||
listens = filter
|
||||
(site: site.value.addToTransparentProxy)
|
||||
(concatLists (map
|
||||
(site: map
|
||||
(listen: { inherit (site) name; inherit (listen) value; })
|
||||
(attrsToList site.value.listen))
|
||||
(attrsToList nginx.https)));
|
||||
in
|
||||
{
|
||||
transparentProxy.map = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value = with nginx.global; httpsPort + (if site.value.http2 then httpsPortShift.http2 else 0);
|
||||
})
|
||||
(filter (listen: !listen.value.proxyProtocol) listens));
|
||||
streamProxy.map = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value =
|
||||
{
|
||||
upstream.port = with nginx.global; httpsPort + httpsPortShift.proxyProtocol
|
||||
+ (if site.value.http2 then httpsPortShift.http2 else 0);
|
||||
proxyProtocol = true;
|
||||
rewriteHttps = mkDefault false;
|
||||
};
|
||||
})
|
||||
(filter (listen: listen.value.proxyProtocol) listens));
|
||||
http = listToAttrs (map
|
||||
(site: { inherit (site) name; value.rewriteHttps = {}; })
|
||||
(filter (site: site.value.global.rewriteHttps) (attrsToList nginx.https)));
|
||||
};
|
||||
acme =
|
||||
{
|
||||
enable = true;
|
||||
cert = listToAttrs (map
|
||||
(site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
|
||||
(attrsToList nginx.https));
|
||||
};
|
||||
};
|
||||
sops =
|
||||
let
|
||||
locations =
|
||||
(
|
||||
(concatLists (map
|
||||
(site: map
|
||||
(location:
|
||||
{
|
||||
domain = site.name;
|
||||
location = location.name;
|
||||
detectAuth = concatLists (map
|
||||
(type:
|
||||
if !(location.value.${type} ? detectAuth) || (location.value.${type}.detectAuth == null)
|
||||
then []
|
||||
else location.value.${type}.detectAuth
|
||||
)
|
||||
nginx.global.httpsLocationTypes);
|
||||
addAuth = location.value.proxy.addAuth or null;
|
||||
})
|
||||
(attrsToList site.value.location))
|
||||
(attrsToList nginx.https)))
|
||||
++ (map
|
||||
(site:
|
||||
{
|
||||
domain = site.name;
|
||||
detectAuth = if site.value.global.detectAuth == null then [] else site.value.global.detectAuth;
|
||||
addAuth = null;
|
||||
})
|
||||
(attrsToList nginx.https))
|
||||
);
|
||||
in
|
||||
{
|
||||
templates = listToAttrs
|
||||
(
|
||||
(map
|
||||
(location:
|
||||
{
|
||||
name =
|
||||
if (location ? location) then
|
||||
"nginx/templates/detectAuth/${escapeURL location.domain}/${escapeURL location.location}"
|
||||
else
|
||||
"nginx/templates/detectAuth/${escapeURL location.domain}-global";
|
||||
value =
|
||||
{
|
||||
owner = inputs.config.users.users.nginx.name;
|
||||
content = concatStringsSep "\n" (map
|
||||
(secret: inputs.config.sops.placeholder."nginx/detectAuth/${secret}")
|
||||
location.detectAuth);
|
||||
};
|
||||
})
|
||||
(filter (location: location.detectAuth != []) locations))
|
||||
++ (map
|
||||
(location:
|
||||
{
|
||||
name = "nginx/templates/addAuth/${escapeURL location.domain}/${escapeURL location.location}";
|
||||
value =
|
||||
{
|
||||
owner = inputs.config.users.users.nginx.name;
|
||||
content =
|
||||
let placeholder = inputs.config.sops.placeholder."nginx/addAuth/${location.addAuth}";
|
||||
in ''proxy_set_header Authorization "Basic ${placeholder}";'';
|
||||
};
|
||||
})
|
||||
(filter (location: (location.addAuth or null) != null) locations))
|
||||
);
|
||||
secrets = listToAttrs
|
||||
(
|
||||
(map
|
||||
(secret: { name = "nginx/detectAuth/${secret}"; value = {}; })
|
||||
(inputs.lib.unique (concatLists (map
|
||||
(location: if location.detectAuth == null then [] else location.detectAuth)
|
||||
locations))))
|
||||
++ (map
|
||||
(secret: { name = "nginx/addAuth/${secret}"; value = {}; })
|
||||
(inputs.lib.unique (filter
|
||||
(secret: secret != null)
|
||||
(map (location: location.addAuth) locations))))
|
||||
);
|
||||
};
|
||||
}
|
||||
# http
|
||||
{
|
||||
assertions = map
|
||||
(site:
|
||||
{
|
||||
assertion = (inputs.lib.count (x: x != null) (map (type: site.value.${type}) nginx.global.httpTypes)) <= 1;
|
||||
message = "Only one type shuold be specified in ${site.name}";
|
||||
})
|
||||
(attrsToList nginx.http);
|
||||
services.nginx.virtualHosts = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
name = "http.${site.name}";
|
||||
value =
|
||||
{
|
||||
serverName = site.name;
|
||||
listen = [ { addr = "0.0.0.0"; port = 80; } ];
|
||||
}
|
||||
// (if site.value.rewriteHttps != null then
|
||||
{ locations."/".return = "301 https://${site.value.rewriteHttps.hostname}$request_uri"; }
|
||||
else {})
|
||||
// (if site.value.php != null then
|
||||
{
|
||||
extraConfig = "index index.php;";
|
||||
root = site.value.php.root;
|
||||
locations."~ ^.+?.php(/.*)?$".extraConfig =
|
||||
''
|
||||
fastcgi_pass ${site.value.php.fastcgiPass};
|
||||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
|
||||
'';
|
||||
}
|
||||
else {});
|
||||
})
|
||||
(attrsToList nginx.http));
|
||||
}
|
||||
]);
|
||||
}
|
||||
|
||||
29
modules/services/nix-serve.nix
Normal file
29
modules/services/nix-serve.nix
Normal file
@@ -0,0 +1,29 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nix-serve = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkMerge mkIf;
|
||||
inherit (inputs.localLib) stripeTabs attrsToList;
|
||||
inherit (inputs.config.nixos.services) nix-serve;
|
||||
inherit (builtins) map listToAttrs toString;
|
||||
in mkIf nix-serve.enable
|
||||
{
|
||||
services.nix-serve =
|
||||
{
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
|
||||
};
|
||||
sops.secrets."store/signingKey" = {};
|
||||
nixos.services.nginx =
|
||||
{
|
||||
enable = true;
|
||||
https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000";
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -3,7 +3,7 @@ inputs:
|
||||
options.nixos.services.photoprism = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.str; default = "photoprism.chn.moe"; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "photoprism.chn.moe"; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 2342; };
|
||||
};
|
||||
config =
|
||||
@@ -42,6 +42,18 @@ inputs:
|
||||
'';
|
||||
secrets."photoprism/adminPassword" = {};
|
||||
};
|
||||
nixos.services.mariadb = { enable = true; instances.photoprism = {}; };
|
||||
nixos.services =
|
||||
{
|
||||
mariadb = { enable = true; instances.photoprism = {}; };
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
https.${photoprism.hostname}.location."/".proxy =
|
||||
{
|
||||
upstream = "http://127.0.0.1:${toString photoprism.port}";
|
||||
websocket = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -8,7 +8,13 @@ inputs:
|
||||
{
|
||||
user = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
package = mkOption { type = types.nullOr types.package; default = null; };
|
||||
package = mkOption { type = types.nullOr types.package; default = inputs.pkgs.php; };
|
||||
fastcgi = mkOption
|
||||
{
|
||||
type = types.nonEmptyStr;
|
||||
readOnly = true;
|
||||
default = "unix:${inputs.config.services.phpfpm.pools.${submoduleInputs.config._module.args.name}.socket}";
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
@@ -28,7 +34,7 @@ inputs:
|
||||
{
|
||||
user = if pool.value.user == null then pool.name else pool.value.user;
|
||||
group = if pool.value.group == null then inputs.config.users.users.${user}.group else pool.value.group;
|
||||
phpPackage = if pool.value.package == null then inputs.pkgs.php else pool.value.package;
|
||||
phpPackage = pool.value.package;
|
||||
settings =
|
||||
{
|
||||
"pm" = "ondemand";
|
||||
@@ -42,18 +48,10 @@ inputs:
|
||||
users =
|
||||
{
|
||||
users = listToAttrs (map
|
||||
(pool:
|
||||
{
|
||||
inherit (pool) name;
|
||||
value = { isSystemUser = true; group = pool.name; };
|
||||
})
|
||||
(pool: { inherit (pool) name; value = { isSystemUser = true; group = pool.name; }; })
|
||||
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
|
||||
groups = listToAttrs (map
|
||||
(pool:
|
||||
{
|
||||
inherit (pool) name;
|
||||
value = {};
|
||||
})
|
||||
(pool: { inherit (pool) name; value = {}; })
|
||||
(filter (pool: pool.value.user == null) (attrsToList phpfpm.instances)));
|
||||
};
|
||||
};
|
||||
|
||||
@@ -71,6 +71,7 @@ inputs:
|
||||
in
|
||||
# set user password
|
||||
"$PSQL -tAc \"ALTER USER ${db.value.user} with encrypted password '$(cat ${passwordFile})'\""
|
||||
# TODO: still needed in 23.11?
|
||||
# set db owner
|
||||
+ "\n"
|
||||
+ "$PSQL -tAc \"select pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d"
|
||||
|
||||
@@ -39,7 +39,7 @@ inputs:
|
||||
})
|
||||
(attrsToList redis.instances));
|
||||
sops.secrets = listToAttrs (map
|
||||
(server: { name = "redis/${server.name}"; value.owner = inputs.config.users.users.${server.name}.name; })
|
||||
(server: { name = "redis/${server.name}"; value.owner = inputs.config.users.users.${server.value.user}.name; })
|
||||
(filter (server: server.value.passwordFile == null) (attrsToList redis.instances)));
|
||||
};
|
||||
}
|
||||
|
||||
@@ -4,12 +4,11 @@ inputs:
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 5221; };
|
||||
hostname = mkOption { type = types.str; default = "rsshub.chn.moe"; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "rsshub.chn.moe"; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services) rsshub;
|
||||
inherit (inputs.localLib) stripeTabs;
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (builtins) map listToAttrs toString;
|
||||
in mkIf rsshub.enable
|
||||
@@ -60,12 +59,7 @@ inputs:
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
http.${rsshub.hostname} =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations."/".proxy =
|
||||
{ upstream = "http://127.0.0.1:${toString rsshub.port}"; setHeaders.Host = rsshub.hostname; };
|
||||
};
|
||||
https.${rsshub.hostname}.location."/".proxy.upstream = "http://127.0.0.1:${toString rsshub.port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
56
modules/services/send.nix
Normal file
56
modules/services/send.nix
Normal file
@@ -0,0 +1,56 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.send = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "send.chn.moe"; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (inputs.config.nixos.services) send;
|
||||
in mkIf send.enable
|
||||
{
|
||||
virtualisation.oci-containers.containers.send =
|
||||
{
|
||||
image = "timvisee/send:1ee4951";
|
||||
imageFile = inputs.pkgs.dockerTools.pullImage
|
||||
{
|
||||
imageName = "registry.gitlab.com/timvisee/send";
|
||||
imageDigest = "sha256:1ee495161f176946e6e4077e17be2b8f8634c2d502172cc530a8cd5affd7078f";
|
||||
sha256 = "1dimqga35c2ka4advhv3v60xcsdrhc6c4hh21x36fbyhk90n2vzs";
|
||||
finalImageName = "timvisee/send";
|
||||
finalImageTag = "1ee4951";
|
||||
};
|
||||
ports = [ "127.0.0.1:1443:1443/tcp" ];
|
||||
volumes = [ "send:/uploads" ];
|
||||
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
|
||||
environmentFiles = [ inputs.config.sops.templates."send/env".path ];
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates."send/env".content =
|
||||
''
|
||||
BASE_URL=https://${send.hostname}
|
||||
MAX_FILE_SIZE=17179869184
|
||||
REDIS_HOST=host.docker.internal
|
||||
REDIS_PORT=9184
|
||||
REDIS_PASSWORD=${inputs.config.sops.placeholder."redis/send"}
|
||||
'';
|
||||
};
|
||||
nixos =
|
||||
{
|
||||
services =
|
||||
{
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
https."${send.hostname}".location."/".proxy = { upstream = "http://127.0.0.1:1443"; websocket = true; };
|
||||
};
|
||||
redis.instances.send = { user = "root"; port = 9184; };
|
||||
};
|
||||
# TODO: root docker use config of rootless docker?
|
||||
virtualization.docker.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -5,7 +5,7 @@ inputs:
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
autoStart = mkOption { type = types.bool; default = true; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 8008; };
|
||||
hostname = mkOption { type = types.str; default = "synapse.chn.moe"; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "synapse.chn.moe"; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
@@ -96,7 +96,16 @@ inputs:
|
||||
// { "synapse/signing-key".owner = inputs.config.systemd.services.matrix-synapse.serviceConfig.User; }
|
||||
// { "mail/bot" = {}; };
|
||||
};
|
||||
nixos.services.postgresql = { enable = true; instances.synapse = {}; };
|
||||
nixos.services =
|
||||
{
|
||||
postgresql = { enable = true; instances.synapse = {}; };
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
https.${synapse.hostname}.location."/".proxy =
|
||||
{ upstream = "http://127.0.0.1:${toString synapse.port}"; websocket = true; };
|
||||
};
|
||||
};
|
||||
systemd.services.matrix-synapse.enable = synapse.autoStart;
|
||||
};
|
||||
}
|
||||
|
||||
@@ -6,12 +6,12 @@ inputs:
|
||||
autoStart = mkOption { type = types.bool; default = true; };
|
||||
port = mkOption { type = types.ints.unsigned; default = 8000; };
|
||||
websocketPort = mkOption { type = types.ints.unsigned; default = 3012; };
|
||||
hostname = mkOption { type = types.str; default = "vaultwarden.chn.moe"; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "vaultwarden.chn.moe"; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services) vaultwarden;
|
||||
inherit (builtins) listToAttrs;
|
||||
inherit (builtins) listToAttrs toString;
|
||||
inherit (inputs.lib) mkIf;
|
||||
in mkIf vaultwarden.enable
|
||||
{
|
||||
@@ -62,6 +62,41 @@ inputs:
|
||||
enable = vaultwarden.autoStart;
|
||||
after = [ "postgresql.service" ];
|
||||
};
|
||||
nixos.services.postgresql = { enable = true; instances.vaultwarden = {}; };
|
||||
nixos.services =
|
||||
{
|
||||
postgresql = { enable = true; instances.vaultwarden = {}; };
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
https.${vaultwarden.hostname} =
|
||||
{
|
||||
location = listToAttrs
|
||||
(
|
||||
(map
|
||||
(location:
|
||||
{
|
||||
name = location;
|
||||
value.proxy =
|
||||
{
|
||||
upstream = "http://127.0.0.1:${toString vaultwarden.port}";
|
||||
setHeaders = { Host = vaultwarden.hostname; Connection = ""; };
|
||||
};
|
||||
})
|
||||
[ "/" "/notifications/hub/negotiate" ])
|
||||
++ (map
|
||||
(location:
|
||||
{
|
||||
name = location;
|
||||
value.proxy =
|
||||
{
|
||||
upstream = "http://127.0.0.1:${toString vaultwarden.websocketPort}";
|
||||
websocket = true;
|
||||
};
|
||||
})
|
||||
[ "/notifications/hub" ])
|
||||
);
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -319,19 +319,7 @@ inputs:
|
||||
(
|
||||
mkIf xrayServer.enable (let userList = genList (n: n) 30; in
|
||||
{
|
||||
services =
|
||||
{
|
||||
xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-server.json".path; };
|
||||
nginx.virtualHosts.xray =
|
||||
{
|
||||
serverName = xrayServer.serverName;
|
||||
default = true;
|
||||
listen = [{ addr = "127.0.0.1"; port = 7233; ssl = true; }];
|
||||
useACMEHost = xrayServer.serverName;
|
||||
onlySSL = true;
|
||||
locations."/".return = "400";
|
||||
};
|
||||
};
|
||||
services.xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-server.json".path; };
|
||||
sops =
|
||||
{
|
||||
templates."xray-server.json" =
|
||||
@@ -343,39 +331,45 @@ inputs:
|
||||
log.loglevel = "warning";
|
||||
inbounds =
|
||||
[
|
||||
{
|
||||
port = 4726;
|
||||
listen = "127.0.0.1";
|
||||
protocol = "vless";
|
||||
settings =
|
||||
(
|
||||
let
|
||||
fallbackPort = toString
|
||||
(with inputs.config.nixos.services.nginx.global; httpsPort + httpsPortShift.http2);
|
||||
in
|
||||
{
|
||||
clients = map
|
||||
(n:
|
||||
{
|
||||
id = inputs.config.sops.placeholder."xray-server/clients/user${toString n}";
|
||||
flow = "xtls-rprx-vision";
|
||||
email = "${toString n}@xray.chn.moe";
|
||||
})
|
||||
userList;
|
||||
decryption = "none";
|
||||
fallbacks = [{ dest = "127.0.0.1:7233"; }];
|
||||
};
|
||||
streamSettings =
|
||||
{
|
||||
network = "tcp";
|
||||
security = "reality";
|
||||
realitySettings =
|
||||
port = 4726;
|
||||
listen = "127.0.0.1";
|
||||
protocol = "vless";
|
||||
settings =
|
||||
{
|
||||
dest = "127.0.0.1:7233";
|
||||
serverNames = [ xrayServer.serverName ];
|
||||
privateKey = inputs.config.sops.placeholder."xray-server/private-key";
|
||||
minClientVer = "1.8.0";
|
||||
shortIds = [ "" ];
|
||||
clients = map
|
||||
(n:
|
||||
{
|
||||
id = inputs.config.sops.placeholder."xray-server/clients/user${toString n}";
|
||||
flow = "xtls-rprx-vision";
|
||||
email = "${toString n}@xray.chn.moe";
|
||||
})
|
||||
userList;
|
||||
decryption = "none";
|
||||
fallbacks = [{ dest = "127.0.0.1:${fallbackPort}"; }];
|
||||
};
|
||||
};
|
||||
sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
|
||||
tag = "in";
|
||||
}
|
||||
streamSettings =
|
||||
{
|
||||
network = "tcp";
|
||||
security = "reality";
|
||||
realitySettings =
|
||||
{
|
||||
dest = "127.0.0.1:${fallbackPort}";
|
||||
serverNames = [ xrayServer.serverName ];
|
||||
privateKey = inputs.config.sops.placeholder."xray-server/private-key";
|
||||
minClientVer = "1.8.0";
|
||||
shortIds = [ "" ];
|
||||
};
|
||||
};
|
||||
sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
|
||||
tag = "in";
|
||||
}
|
||||
)
|
||||
{
|
||||
port = 4638;
|
||||
listen = "127.0.0.1";
|
||||
@@ -512,10 +506,18 @@ inputs:
|
||||
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
|
||||
nixos.services =
|
||||
{
|
||||
acme = { enable = true; certs = [ xrayServer.serverName ]; };
|
||||
nginx.transparentProxy.map."${xrayServer.serverName}" = 4726;
|
||||
acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; };
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
transparentProxy.map."${xrayServer.serverName}" = 4726;
|
||||
https."${xrayServer.serverName}" =
|
||||
{
|
||||
listen.main = { proxyProtocol = false; addToTransparentProxy = false; };
|
||||
location."/".return = "400";
|
||||
};
|
||||
};
|
||||
};
|
||||
security.acme.certs.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group;
|
||||
}
|
||||
))
|
||||
];
|
||||
|
||||
@@ -6,7 +6,7 @@ inputs:
|
||||
port = mkOption { type = types.ints.unsigned; default = 3389; };
|
||||
hostname = mkOption
|
||||
{
|
||||
type = types.nullOr (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
|
||||
type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr);
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
@@ -29,14 +29,21 @@ inputs:
|
||||
mkIf (xrdp.hostname != null)
|
||||
(
|
||||
let
|
||||
mainDomain = if builtins.typeOf xrdp.hostname == "string" then xrdp.hostname
|
||||
else builtins.elemAt xrdp.hostname 0;
|
||||
mainDomain = builtins.elemAt xrdp.hostname 0;
|
||||
in
|
||||
{
|
||||
services.xrdp = let keydir = inputs.config.security.acme.certs.${mainDomain}.directory; in
|
||||
{ sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
|
||||
nixos.services.acme = { enable = true; certs = [ xrdp.hostname ]; };
|
||||
security.acme.certs.${mainDomain}.group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
|
||||
services.xrdp =
|
||||
let keydir = inputs.config.security.acme.certs.${mainDomain}.directory;
|
||||
in { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
cert.${mainDomain} =
|
||||
{
|
||||
domains = xrdp.hostname;
|
||||
group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||
@@ -19,13 +19,8 @@ inputs:
|
||||
{
|
||||
services =
|
||||
{
|
||||
udev.extraRules =
|
||||
''
|
||||
ACTION=="add|change", KERNEL=="[sv]d[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq"
|
||||
ACTION=="add|change", KERNEL=="nvme[0-9]n[0-9]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq"
|
||||
'';
|
||||
dbus.implementation = "broker";
|
||||
fstrim.enable = true;
|
||||
fstrim = { enable = true; interval = "daily"; };
|
||||
};
|
||||
time.timeZone = "Asia/Shanghai";
|
||||
boot =
|
||||
|
||||
@@ -87,7 +87,13 @@ inputs:
|
||||
(device:
|
||||
{
|
||||
name = device.value;
|
||||
value = { device = device.name; fsType = "vfat"; neededForBoot = true; };
|
||||
value =
|
||||
{
|
||||
device = device.name;
|
||||
fsType = "vfat";
|
||||
neededForBoot = true;
|
||||
options = [ "noatime" ];
|
||||
};
|
||||
})
|
||||
(attrsToList fileSystems.mount.vfat));
|
||||
}
|
||||
@@ -115,7 +121,7 @@ inputs:
|
||||
# zstd:15 5m33s 7.16G
|
||||
# zstd:8 54s 7.32G
|
||||
# zstd:3 17s 7.52G
|
||||
options = [ "compress-force=zstd" "subvol=${subvol.name}" "acl" ];
|
||||
options = [ "compress-force=zstd" "subvol=${subvol.name}" "acl" "noatime" ];
|
||||
neededForBoot = true;
|
||||
};
|
||||
}
|
||||
@@ -229,26 +235,35 @@ inputs:
|
||||
(
|
||||
mkIf (fileSystems.rollingRootfs != null)
|
||||
{
|
||||
boot.initrd.systemd.services.roll-rootfs =
|
||||
boot.initrd.systemd =
|
||||
{
|
||||
wantedBy = [ "initrd.target" ];
|
||||
after = [ "cryptsetup.target" "systemd-hibernate-resume.service" ];
|
||||
before = [ "local-fs-pre.target" "sysroot.mount" ];
|
||||
unitConfig.DefaultDependencies = false;
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = let inherit (fileSystems.rollingRootfs) device path; in
|
||||
''
|
||||
mount ${device} /mnt -m
|
||||
if [ -f /mnt${path}/current/.timestamp ]
|
||||
then
|
||||
timestamp=$(cat /mnt${path}/current/.timestamp)
|
||||
mv /mnt${path}/current /mnt${path}/$timestamp
|
||||
btrfs property set -ts /mnt${path}/$timestamp ro true
|
||||
fi
|
||||
btrfs subvolume create /mnt${path}/current
|
||||
echo $(date '+%Y%m%d%H%M%S') > /mnt${path}/current/.timestamp
|
||||
umount /mnt
|
||||
'';
|
||||
extraBin =
|
||||
{
|
||||
grep = "${inputs.pkgs.gnugrep}/bin/grep";
|
||||
awk = "${inputs.pkgs.gawk}/bin/awk";
|
||||
};
|
||||
services.roll-rootfs =
|
||||
{
|
||||
wantedBy = [ "initrd.target" ];
|
||||
after = [ "cryptsetup.target" "systemd-hibernate-resume.service" ];
|
||||
before = [ "local-fs-pre.target" "sysroot.mount" ];
|
||||
unitConfig.DefaultDependencies = false;
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = let inherit (fileSystems.rollingRootfs) device path; in
|
||||
''
|
||||
mount ${device} /mnt -m
|
||||
if [ -f /mnt${path}/current/.timestamp ]
|
||||
then
|
||||
timestamp=$(cat /mnt${path}/current/.timestamp)
|
||||
subvolid=$(btrfs subvolume show /mnt${path}/current | grep 'Subvolume ID:' | awk '{print $NF}')
|
||||
mv /mnt${path}/current /mnt${path}/$timestamp-$subvolid
|
||||
btrfs property set -ts /mnt${path}/$timestamp-$subvolid ro true
|
||||
fi
|
||||
btrfs subvolume create /mnt${path}/current
|
||||
echo $(date '+%Y%m%d%H%M%S') > /mnt${path}/current/.timestamp
|
||||
umount /mnt
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
|
||||
@@ -6,6 +6,7 @@ inputs:
|
||||
marches = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
|
||||
keepOutputs = mkOption { type = types.bool; default = false; };
|
||||
substituters = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
|
||||
autoOptimiseStore = mkOption { type = types.bool; default = false; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
@@ -26,6 +27,7 @@ inputs:
|
||||
experimental-features = [ "nix-command" "flakes" ];
|
||||
keep-outputs = nix.keepOutputs;
|
||||
keep-failed = true;
|
||||
auto-optimise-store = nix.autoOptimiseStore;
|
||||
substituters = if nix.substituters == null then [ "https://cache.nixos.org/" ] else nix.substituters;
|
||||
trusted-public-keys = [ "chn:Cc+nowW1LIpe1kyXOZmNaznFDiH1glXmpb4A+WD/DTE=" ];
|
||||
show-trace = true;
|
||||
@@ -38,6 +40,7 @@ inputs:
|
||||
registry =
|
||||
{
|
||||
nixpkgs.flake = inputs.topInputs.nixpkgs;
|
||||
nixpkgs-unstable.flake = inputs.topInputs.nixpkgs-unstable;
|
||||
nixos.flake = inputs.topInputs.self;
|
||||
};
|
||||
nixPath = [ "nixpkgs=${inputs.topInputs.nixpkgs}" ];
|
||||
@@ -55,6 +58,7 @@ inputs:
|
||||
environment.etc =
|
||||
{
|
||||
"channels/nixpkgs".source = inputs.topInputs.nixpkgs.outPath;
|
||||
"channels/nixpkgs-unstable".source = inputs.topInputs.nixpkgs-unstable.outPath;
|
||||
"nixos".source = inputs.topInputs.self.outPath;
|
||||
};
|
||||
# environment.pathsToLink = [ "/include" ];
|
||||
|
||||
@@ -32,7 +32,6 @@ inputs:
|
||||
{
|
||||
enable = true;
|
||||
id = "91291";
|
||||
authFile = inputs.pkgs.writeText "yubikey_mappings" "chn:cccccbgrhnub";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -181,6 +181,7 @@ inputs:
|
||||
))
|
||||
)
|
||||
];
|
||||
pam.yubico.authorizedYubiKeys.ids = [ "cccccbgrhnub" ];
|
||||
};
|
||||
};
|
||||
nixos.services.groupshare.mountPoints = [ "/home/chn/groupshare" ];
|
||||
|
||||
@@ -31,6 +31,7 @@ inputs:
|
||||
{
|
||||
features.buildkit = true;
|
||||
dns = [ "1.1.1.1" ];
|
||||
storage-driver = "overlay2";
|
||||
};
|
||||
};
|
||||
enableNvidia = builtins.elem "nvidia" inputs.config.nixos.hardware.gpus;
|
||||
|
||||
@@ -9,6 +9,10 @@ users:
|
||||
zem: ENC[AES256_GCM,data:VCVLfGO9a06XhAOBciFf1u7A5jaQikAt2wZf+dCAi1BglXpM6Hof1yAunadYOwLOBFgGlP19kX53CBBlZtaqZFL2GRDzXP0woQ==,iv:AFYtHCCkzNrllN/fjQ8GKYs2TyV3uj3BsU5n1tBQAmM=,tag:5dP7c5N4yG2NS4T+Vg0Zpg==,type:str]
|
||||
yjq: ENC[AES256_GCM,data:yn6eGrySCxlRsFioaE2p1qlTHkIGC9l64+edjuDvt232xc+iFeD03EYfuulyr0GxYFwnlAwtaJnyMi5eOrSd1W6HeV3Canzdbw==,iv:qTc6vA8uQza8CB+BvffEN9GqHkiwNM4h9RkqQR14ylk=,tag:UZ2GYCJLjcWLuVXlscLviw==,type:str]
|
||||
yxy: ENC[AES256_GCM,data:71vjvwr29lfPCarnblpbW3WVyJK8EMV+cR4prc4AM3r0PG4z88P6i0IrzSy8XwkVPrEasfYXxn+vDbzXyi7kIWaWXrkjcyGTxg==,iv:LfkinvbIhchvgfgixIY8Wg6esrc+TOS4YWqRTJ0qfvw=,tag:mLPw6z8DOPrHsRpUHn3/gw==,type:str]
|
||||
frp:
|
||||
token: ENC[AES256_GCM,data:zYRZoWa3Llv0NiPXtSfhWUn+wt4uIcw8Wa+QBTzn7gLk6UVIA4FD7FLABBKoFbwg62Fo79Nn,iv:YZdOYkJf6BN76Z68nCtetKElJkqKiYmcx6UmLoIXSdo=,tag:5sC2vt3Z21KhgOU9mrfXhg==,type:str]
|
||||
stcp:
|
||||
hpc: ENC[AES256_GCM,data:lkpM4nzt8ymQ+5eV,iv:LvSShCSN8w0VsJYjICG9NWCMiw7NSPpoSZ+I2t7uILs=,tag:LLry5z4KpPdnN75x8dANqg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@@ -33,8 +37,8 @@ sops:
|
||||
by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
|
||||
kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-09-14T11:09:58Z"
|
||||
mac: ENC[AES256_GCM,data:f6D4N+He7Zz0VA2FxUzTARfckidgVlDHE1hZrYW6jDf+v9ZK/c/JAj12zLNiCy9aG6rBz5K0jdWpnTsguMlTYCKUjLcD8MSW4KJErYmeVFLpfuiSBMr0+pcSVA9DpEmekaYl0GbnxrgQKrfEL0dthR6+9m5CsP/1bvEs34XcKGk=,iv:0YVxL5iVOvmFzThk7fua2Cqpty9lTX/tdKNii5gY/UA=,tag:d+NwYbpeDziniYXwQYVCdg==,type:str]
|
||||
lastmodified: "2023-11-06T11:12:54Z"
|
||||
mac: ENC[AES256_GCM,data:nMnf+BTle1lrYnd87KZVk+W6N5y/P8SusF1Day7lstNxffPzLwaL+r7D9Lklem5nKPVYPA++ZSNpn2xn39rv24uJDmiI0lbkp/5tFK67flGehJr5YFssHSdsqhTs728IvropKuO3ZgTONVT1J0GSfrJVXNtIMsNgBCGceZ7ZHpM=,iv:2dCzL+do61xX57Do+Bw8gBWgdLgY6gIENdjqosOSGg0=,tag:K+fq9OvNDgwKrlo3InlHpg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
||||
@@ -4,6 +4,8 @@ acme:
|
||||
cloudflare.ini: ENC[AES256_GCM,data:hPNpTclYvRbcbFO6aR9PNyHt3kDUmjeUgg4NPsr+c/yxKPundoiziNYBRfF7/axlw8Hu32jf/cDlcWaEmqCBQJY=,iv:bdGCD/a6AnGQhiFNyZ+fD1f/rILsEcPXC2qRDsAO4n8=,tag:MLZak9uSqsg/0Ldx2Wgb6A==,type:str]
|
||||
frp:
|
||||
token: ENC[AES256_GCM,data:0mE8/cWqHKNquCIiqgbjcNhipKk7KEfbZ+qRYbu+iZr7AH9QjfYZQiMJNp4Aa3JWwBLYAnpf,iv:ID4cc8Tn0H9b1CimXlPamMlhlAkafhRApDHo/CCQ4BE=,tag:BUuU/BCj16R7FlKlpubawA==,type:str]
|
||||
stcp:
|
||||
yy.vnc: ENC[AES256_GCM,data:IsZWkNGYHrbQcgvOSURDnA==,iv:4XO8RFBdNopLKYxCACmkXLMPu0wIVx64y0C7m2bsTVA=,tag:fMHzU9aQm0bRr8pTKwpuHQ==,type:str]
|
||||
store:
|
||||
signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
|
||||
nginx:
|
||||
@@ -40,8 +42,8 @@ sops:
|
||||
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
|
||||
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-10-03T10:45:13Z"
|
||||
mac: ENC[AES256_GCM,data:9O1o1uNvrSu4yEpVmvPLESrCqtkf+MXUud54hVgjd/Mmchsy0eTi3gMzbAb0i6vaaNH7hHVOT0GnSNiS67UjYemvx9xHOPuJxysmoUAvT6aVzap4XZirnnsKgfYGUwn/iECsEF3dGa2c4nCiPxdtac2BaGBlxFKuh1fWBKWrow0=,iv:a+xHAakjIPhDQRYJnb0BFxdXc0uXZmmZYv8kvOPoKBA=,tag:hWpzT1tMILYZKhQXgdmhXg==,type:str]
|
||||
lastmodified: "2023-11-11T11:10:21Z"
|
||||
mac: ENC[AES256_GCM,data:ro3ROIx/9+pnS2Cdz44NKYZ0kDDdLPZJyXkBpYSuCrkotLzyDrx9Kjx1FR4CrQQeA4hOPQ9Z5qJVC1shef+UgwDwemiUhR3zq9BQv0PmsRYilT19o2W9tmgfbM0NiXISeN9w0MttlBUASq7mBUDbTFRViL9fAppRixkANLxVxmw=,iv:YR6QQNYQoK3v6RHUUWerM2cXU5oYQkSRfr58QDnw5H4=,tag:6Ig+RlVySAYEEiZTo8bs3A==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
||||
@@ -30,8 +30,11 @@ xray-server:
|
||||
user11: ENC[AES256_GCM,data:RPIH0DudfPJwPsa0yFLNqUy2EMwQh1bIqkmhCfteVTkUQGWP,iv:NH0aGTZ6nVqz2nn+o1HQS0PKpqHTBMkAhy0oFeyX/8k=,tag:kgd5zkHXW+oxRFC9x2VTUg==,type:str]
|
||||
#ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
|
||||
user12: ENC[AES256_GCM,data:Q+XcMYPWWeHqXZZt3lf9OurlWwVQGBJWTnRwDUvg7np19g3+,iv:ybREjo5/SFRN5LMSyYdm0ygkYoq/G1uBv9K0iGPqrh4=,tag:g2y8IJeXtHW1XjelOvT+/A==,type:str]
|
||||
#ENC[AES256_GCM,data:D5xiJW0Oyg==,iv:9a/6myiT9Crf/fff6ZkXj/obW2k95cABUNqQdPmcwcc=,tag:chs8BA8YtVkM9m3Ey9ETlA==,type:comment]
|
||||
user13: ENC[AES256_GCM,data:IKKk8joJQ5rcSXV84jbYd4uox548czpcgXwTtyK4rFimQIoO,iv:ycVDDSb0qAtZE8WzEdKkaBYKY13JpKj+4xrgkLogikw=,tag:z9ty67NWIgGlh1psbE5qVQ==,type:str]
|
||||
#ENC[AES256_GCM,data:ujz8CAgN2g==,iv:2KP2DwIfIPPnsyZRSptG6x80n0cQGoiYCFoLRbFeEos=,tag:oITBAiHs1odW3heSEOQAJA==,type:comment]
|
||||
user14: ENC[AES256_GCM,data:WFhrirjRUEZlOaCLGvHzvRPyp5O+035k0bNFqCvs0UTdT0+y,iv:C2vvOexQwFFkQyvFd8tf7lca2ZZIF3hbSiOHa2RFfGU=,tag:zowYrIut44mRiq6/h0r4fQ==,type:str]
|
||||
#ENC[AES256_GCM,data:t9mAcEcdBg==,iv:hzqb80+FtfsNP8ofYMyT0PwT8T8B3HYSGZUOrnk3SjM=,tag:0mbDe6S0bqbC/SffMr0AAg==,type:comment]
|
||||
user15: ENC[AES256_GCM,data:Sfc4BWiQ5dz7K0kwlp/1e8x/ahPTnbTvSvFjz9R5KQL52uaO,iv:kzap3jQgm9P22teMkYJHlySh2azLBBuy/kpm+ylxIhM=,tag:2fOBw+McYdT3r+qoF/Wkzw==,type:str]
|
||||
user16: ENC[AES256_GCM,data:ijz4n66TY2tGpKLvGr7I6n+cOP6BfgpJdHmcPy2oTPGCvhR0,iv:RK8wi3Cj9XFVTqqt00DLru12Hiu/WJU8lV/v9MF5deI=,tag:6SHR8Yb2dO1rRY/xV5u9yw==,type:str]
|
||||
user17: ENC[AES256_GCM,data:Wz7tWzASeIKE9TzicUIwyOnjZDDICYvDAUu/scHrQoFjoOlE,iv:A2gPFSiIXaf1dQkFlXjw5yesKtv3qOVcIXzM2QspvDk=,tag:JWCVx2FJS84v2iMdzBxhlQ==,type:str]
|
||||
@@ -90,8 +93,8 @@ sops:
|
||||
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
|
||||
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-10-11T05:09:24Z"
|
||||
mac: ENC[AES256_GCM,data:DJyMioOlgRFvRcjy6YNJdmEWSEk3XoChdmzYl3NoCjFj6Xe1wegYJ3Z2dPfPeY6kBrRyKeOg1Yfwwkjc8aj0TZCVVvlgV3q6CRFq7kk7e2wOUCo+Xz28XEL3S+mRMJWp8YYV2P3daS8HRfM72yC7t5JLuwCbyzu/CnxQVB2oxD8=,iv:f7zbYqwnySDg2tJc1CgRfQU2PCK2IbfMVMWsyZKlGNU=,tag:RRCXacPwq7IFv0+mcEdEXw==,type:str]
|
||||
lastmodified: "2023-11-10T08:56:29Z"
|
||||
mac: ENC[AES256_GCM,data:8FYqZcIX80p3ZonWY+JH64PwVtrBQkvAKw2vcBjha9+32S0oqA3P1tVP5ITa81t8ys1aQjAG+j8ShPioday46DnVB84FfKOelEsP5y3l5Em3QCli8EzaVY2Xk7JrMTvnZjIs+nhiBwGTC+BNxe5AXlUyT9m6SzVPwtUF280Bqug=,iv:dMoGufEPbC8M+k/5L6+RdRbaUBetJ1gXohxiFxNnfE0=,tag:CvVugdQ31tocWoPxQ1NwOA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
||||
@@ -11,6 +11,7 @@ redis:
|
||||
misskey-misskey: ENC[AES256_GCM,data:OHjt9o+m++NT5aaFbwBT/wSMdUdgf4zscd/JxjCo5HDhC3WeWMJV7z//kATI5Dg4BWAhvPlL02Vrly4RraIzLw==,iv:sQB4/D2SsOuDR3bTrmlNg7o+6ehFznDsqVc3BX9pK20=,tag:tcwTBt/JhyW8ZTAIWIkWBA==,type:str]
|
||||
misskey-misskey-old: ENC[AES256_GCM,data:amUqMycdXUFvjg66pXKnlZqiESBYMci0k8iYzj824SaEqHl3Nq/I0TjYX++xEUg+RGYyTIcSaj96HUANTKpc1A==,iv:ND1mQLHxltRlOdpJ80ywheGo6hkl7OgRyk9TguJMuTw=,tag:dhCCwnCOnyT2iXdEMK0szg==,type:str]
|
||||
nextcloud: ENC[AES256_GCM,data:jwN/CqwkU/5Rd6w75/bV2Yej9b0CoxZaiJEcZXFx+9XUPY3Xg1tQdEr1SALG8xzOEdoL6WBVs14NvrrL25GeTQ==,iv:p5+0AB52QqScJwMhNIrM/7HAcRPdD9Z8xV6uwIDOwIg=,tag:f1XbNDDRXvGl/dkV9Wp2Ug==,type:str]
|
||||
send: ENC[AES256_GCM,data:IGxj3cgp+fQBdupfK+IgPEQSPuXdM9LRSLGSATNIkzUWC6sQw1aaKTDuRc8cU2BG6quthRwuWnK/F7k3KrUi8Q==,iv:LI9MkaF4e47FPUyL7AXZpO+CdgF91ScdiqjrE8PZjJ4=,tag:eNugln5M0AhU1xmVWFN7Aw==,type:str]
|
||||
postgresql:
|
||||
wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
|
||||
misskey_misskey: ENC[AES256_GCM,data:lRbSz7bbiWEdK/cRD41fLvFJF4WYsclKHVykFcU3LIz9vnKlR3VdczzznVqpT7JvG6OUi+TmipJii+0KzXHtdA==,iv:8sBKgVwuDJdThup0KQ6cnAV5O2liwVra1yIpDHVfpMI=,tag:DyUpaHai8ZUyllvZBUm8sg==,type:str]
|
||||
@@ -42,12 +43,15 @@ vaultwarden:
|
||||
mariadb:
|
||||
photoprism: ENC[AES256_GCM,data:TF1SZVFnvzyE+7vrHYYUS4Juqhbiw9QcJx7p3Xj88xyBFcTqS1YjzAKs/9GQ1PuzdBrt6hXm/XtJILHiuktnSg==,iv:sd9sQEuIePL6LzUYbFtmdecJ57sMrkF0coalBf8KFqQ=,tag:P/knaKYTJ+aXu4l6IixISA==,type:str]
|
||||
freshrss: ENC[AES256_GCM,data:ydqCbj3UbsLC1e++p5ixb5Kpmk2BsYd0urcfw8T51Is5N1/gQ7P0zgR33AOteAxw2oj85WQZhxu3eAN7BCXV5A==,iv:1oiMo1wwFNXiTZLsf4UPZSJfKFIWLI3h947TC06CVy4=,tag:Otq1oeKBnWXhqNilfsywPQ==,type:str]
|
||||
huginn: ENC[AES256_GCM,data:1Tdg1WDwGgFSXdChgif8knWS24BIFYnmaiSjJXxs5uj/v/5fJ1alb4K4XHW/kFRjQbuAOFfJiJ9ogJ1KAyk17A==,iv:qLMaQpVaKrjP7g2lWzhaNLghxwiV4YJmyYY1hrpu5I8=,tag:566JCENvOxgwD7tM3aQBiw==,type:str]
|
||||
photoprism:
|
||||
adminPassword: ENC[AES256_GCM,data:gB81joOfS8h05BNy2YmD/N0cpLPa/vAduDcQBeHiY/WkcnvqSXnXsOfnvbP74KQfoP4W35oFkfyGVPUBSB83tg==,iv:AkN2NoqMXVHQA9fHTTR7xbEapEqy/D61mHn7O23hyYk=,tag:WV+siDA3VnRkOYnP4Z9Qhw==,type:str]
|
||||
nextcloud:
|
||||
admin: ENC[AES256_GCM,data:1rglLrLtRf3yXQwfHDMZLewk8ueIbMFOC+1mtoAyLKnDmcQAoEQZ1vHw/hpKkFXJQ+QyX3sP8eUjRXuBEIVl3A==,iv:lfEGPEw9ybSdOYLDdaGCLXKgCvgRxn3k9eIy2DJHDYU=,tag:j4qRexbEAgK5HAGhr/wxfA==,type:str]
|
||||
freshrss:
|
||||
chn: ENC[AES256_GCM,data:XGcgfuRozJ/xowtmFPSW,iv:yZ9LTuVE8dGyrtE3vxLA2jLErvmt67XC0jefl1njiOM=,tag:J5d+oGFWhfXEFwVOnsJ2iA==,type:str]
|
||||
huginn:
|
||||
invitationCode: ENC[AES256_GCM,data:+m2AabRzUiCFy3MAKTB8d1IE05WHTcmZ,iv:ccdIPHl9N+bvPR/QCwZUwZOfWTeW6gWhhBjOpL85JRg=,tag:Ir2085K04XUGkAuoCG+7VQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@@ -72,8 +76,8 @@ sops:
|
||||
SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
|
||||
HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-11-06T10:12:43Z"
|
||||
mac: ENC[AES256_GCM,data:6sRi0s/9DwOggm3bCsGV4D5eiR6GxiShaSXMefrQSwDJc81NBQ6j3oLeZAUg20Rf0Mvvhhnep7cxZaKKtzBXPoisdEwn3uPDiOCmxfty/0X8zzrkDAvuKtLsvW1/s2ndn/csAJwC330pH1Ti/I6nIqPOJddrkQn/sqjRIbRHS9Q=,iv:f41KhA9EtWJKVkA1nLOmAEhUfuVfHHNQhW11tNrTPKs=,tag:DKq7Ux0lUtXvnZZN4lmtFg==,type:str]
|
||||
lastmodified: "2023-11-12T08:55:55Z"
|
||||
mac: ENC[AES256_GCM,data:AlydFHt0M965B+1r7HxICO730giPv5hAqQZX0K0hqetmq06Z2hmSFaHdTbZx8nBEqJTbzUekN9w9bckzxnLNf+VGbhdAVzIhvU+zoXs1324UdtJqze2w3kPUYhzyC3ovubb0RRd81pgozvGXRTJ10WVcXpI7j2P1DjpPWp6hmHg=,iv:irfEAtnf0U2oMHdf1oNSLD7eqWKdXiLJBlCmsutnb7k=,tag:VkmZ8hWgOZhwfM7p8V4stA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
||||
Reference in New Issue
Block a user