dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: maintain

Browse source
This commit is contained in:
danny 2026-01-20 13:41:53 +08:00
parent 2378a66114
commit 25482857d4
58 changed files with 1095 additions and 747 deletions
Download patch file Download diff file Expand all files Collapse all files

1
system/dev/dn-pre7780/games/default.nix
View file

@ -3,6 +3,7 @@
../../../modules/gaming.nix
./shadps4.nix
./minecraft.nix
./lsgf-vk.nix
./heroic.nix
];
}

6
system/dev/dn-pre7780/games/heroic.nix
View file

@ -3,7 +3,11 @@
home-manager.sharedModules = [
{
home.packages = with pkgs; [
heroic
(heroic.override {
extraPkgs = pkgs: [
pkgs.gamemode
];
})
];
}
];

11
system/dev/dn-pre7780/games/lsgf-vk.nix Normal file
View file

@ -0,0 +1,11 @@
{ pkgs, ... }:
{
home-manager.sharedModules = [
{
home.packages = with pkgs; [
lsfg-vk
lsfg-vk-ui
];
}
];
}

2
system/dev/dn-pre7780/games/minecraft.nix
View file

@ -4,8 +4,6 @@
{
home.packages = with pkgs; [
prismlauncher
lsfg-vk
lsfg-vk-ui
];
}
];

11
system/dev/dn-pre7780/home/wm/hyprland.nix
View file

@ -1,7 +1,14 @@
{ pkgs, lib, ... }:
{
self,
pkgs,
lib,
...
}:
let
serverCfg = self.nixosConfigurations.dn-server.config;
inherit (serverCfg.services.nextcloud) hostName;
memeSelector = pkgs.callPackage ../../../../../home/scripts/memeSelector.nix {
url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/";
url = "https://${hostName}/public.php/dav/files/pygHoPB5LxDZbeY/";
};
in
{

1
system/dev/dn-pre7780/network/default.nix
View file

@ -1,6 +1,7 @@
{
imports = [
../../../modules/netbird-client.nix
./openfortivpn.nix
# ../../../modules/wireguard.nix
];
}

27
system/dev/dn-pre7780/network/openfortivpn.nix Normal file
View file

@ -0,0 +1,27 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (lib) getExe;
inherit (config.sops) secrets;
in
{
sops.secrets = {
"openfortivpn" = { };
};
systemd.services.openfortivpn = {
script = ''
${getExe pkgs.openfortivpn} -c "$CREDENTIALS_DIRECTORY/config" --set-dns=1 --use-resolvconf=1
'';
serviceConfig = {
Restart = "no";
LoadCredential = [
"config:${secrets."openfortivpn".path}"
];
};
};
}

1
system/dev/dn-pre7780/services/default.nix
View file

@ -4,6 +4,5 @@
# ./mail.nix
./nginx.nix
# ./pangolin.nix
# ./nextcloud.nix
];
}

16
system/dev/dn-pre7780/services/mail.nix
View file

@ -6,6 +6,7 @@
}:
let
inherit (lib) mkIf;
inherit (config.networking) domain;
mkCondition = (
condition: ithen: ielse: [
{
@ -18,7 +19,6 @@ let
rspamdWebPort = 11333;
rspamdPort = 31009;
domain = "dnywe.com";
fqdn = "mx1.dnywe.com";
rspamdSecretFile = config.sops.secrets."rspamd".path;
@ -202,18 +202,4 @@ in
'';
};
};
services.mail-ntfy-server = {
enable = true;
settings = {
NTFY_URL = "https://ntfy.net.dn";
NTFY_TOPIC = "dachxy-mail";
NTFY_RCPTS = [ "dachxy@dnywe.com" ];
HOST = "127.0.0.1";
PORT = 31010;
};
environmentFiles = [
config.sops.secrets."ntfy".path
];
};
}

103
system/dev/dn-pre7780/services/nextcloud.nix
View file

@ -1,103 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkForce;
hostname = "drive.dnywe.com";
port = 31007;
in
{
sops.secrets = {
"nextcloud/adminPassword" = mkIf config.services.nextcloud.enable {
owner = "nextcloud";
group = "nextcloud";
};
"nextcloud/signaling.conf" = mkIf config.services.nextcloud.enable {
owner = "signaling";
group = "signaling";
mode = "0640";
};
"nextcloud/whiteboard" = mkIf config.services.nextcloud.enable {
owner = "nextcloud";
};
};
imports = [
(import ../../../modules/nextcloud.nix {
configureACME = false;
hostname = hostname;
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
trusted-domains = [
hostname
];
trusted-proxies = [ "10.0.0.0/24" ];
whiteboardSecrets = [
config.sops.secrets."nextcloud/whiteboard".path
];
})
];
services.nextcloud = {
# enable = mkForce false;
https = mkForce false;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) spreed;
twofactor_totp = pkgs.fetchNextcloudApp {
url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
sha256 = "sha256-Wa2P6tpp75IxCsTG4B5DQ8+iTzR7yjKBi4ZDBcv+AOI=";
license = "agpl3Plus";
};
twofactor_nextcloud_notification = pkgs.fetchNextcloudApp {
url = "https://github.com/nextcloud-releases/twofactor_nextcloud_notification/releases/download/v3.9.0/twofactor_nextcloud_notification-v3.9.0.tar.gz";
sha256 = "sha256-4fXWgDeiup5/Gm9hdZDj/u07rp/Nzwly53aLUT/d0IU=";
license = "agpl3Plus";
};
twofactor_email = pkgs.fetchNextcloudApp {
url = "https://github.com/nursoda/twofactor_email/releases/download/2.8.2/twofactor_email.tar.gz";
sha256 = "sha256-zk5DYNwoIRTIWrchWDiCHuvAST2kuIoow6VaHAAzYog=";
license = "agpl3Plus";
};
};
};
users.groups.signaling = mkIf config.services.nextcloud.enable {
};
users.users.signaling = mkIf config.services.nextcloud.enable {
isSystemUser = true;
group = "signaling";
};
systemd.services.nextcloud-spreed-signaling = mkIf config.services.nextcloud.enable {
requiredBy = [
"multi-users.target"
"phpfpm-nextcloud.service"
];
serviceConfig = {
User = "signaling";
Group = "signaling";
ExecStart = "${lib.getExe' pkgs.nextcloud-spreed-signaling "server"} --config ${
config.sops.secrets."nextcloud/signaling.conf".path
}";
};
};
services.nats = mkIf config.services.nextcloud.enable {
enable = true;
settings = {
host = "127.0.0.1";
};
};
services.nginx.virtualHosts."${hostname}".listen = lib.mkForce [
{
port = port;
addr = "0.0.0.0";
}
];
}

8
system/dev/dn-pre7780/services/nginx.nix
View file

@ -1,4 +1,8 @@
{ config, ... }:
{ self, config, ... }:
let
serverCfg = self.nixosConfigurations.dn-server.config;
inherit (serverCfg.networking) domain;
in
{
networking.firewall.allowedTCPPorts = [
443
@ -10,7 +14,7 @@
defaults = {
validMinDays = 2;
webroot = null;
server = "https://ca.net.dn/acme/acme/directory";
server = "https://ca.${domain}/acme/acme/directory";
renewInterval = "daily";
email = "danny@pre7780.dn";
dnsResolver = "10.0.0.1:53";

7
system/dev/dn-pre7780/sops/secret.yaml
View file

@ -1,5 +1,6 @@
wireguard:
wg0.conf: ENC[AES256_GCM,data:ozySeNEvkiLt9TGrZCrlJWKT5gcSlZ9T8AeXGO97SPgxI394eCQ/LOkVFl7AykhZvs7YkxMpZzAZxc0oNdTYuDlqfrNr0pqTUJmpX+5PVRmDb5z2MJvERktVkJ4LSvVodoYznDwT/y9q199AFKf3t4EoWuRyR/il6P8HuGVHXrKRYUrwuB4nuq1SIByY+8D2gzohFB/s6pSOPYy6/xCt0Nm+x0wmcdrlyOb0S+4WXlcou2ll98o9q2YDdVBKeW4jyUjFqXM2XzD0JXpAi9ZFlyzxyYNwa4oMYATyCBCH4BNHqe850QHEoCaOovioEdDH/tluB2X/891ixqzURypzbg==,iv:3Q5xOgGcg8/DIwHt4fHsQGtN8f2hGpVDtf47PcwW62I=,tag:SbJqhWi3+h1O5ZIOayDrUw==,type:str]
openfortivpn: ENC[AES256_GCM,data:rWv6kZDYO4yKmrEfm63X7qin0veSx7U/ZZFPM0vxBPjIzh7VZg6wCjJ1pHpSpCT0DS39TA/Z5xhH4l+gOUHMxeuKw1Zn96DxccdpGs+WMdgis8LJc42Qmfnmdw==,iv:QEgbiRV2B5LG7X9KXcln04nUedbV7GiS+3E5AihVbXw=,tag:rGerAwx0FeRLGPBCePdo/w==,type:str]
netbird:
wt0-setupKey: ENC[AES256_GCM,data:166VX+rgzxhar+GFKxA5d8G3/9ewISdv2hUSwvbggyyjwwvE,iv:w8p4gDP6U0ZONX59t2dnglTC9S2dW2TX5A4OoCzRuzM=,tag:zf3jvlERJtM+osBd4ZQjMA==,type:str]
dovecot:
@ -26,6 +27,8 @@ crowdsec:
rspamd: ENC[AES256_GCM,data:8DryYdMyhzBqwqcbYUQ=,iv:5w21u3xqshRSf8IJbG16/Gf6AC2Zw6VnI3MOchN+w8A=,tag:OiiYUDT69SZObgOh1qCL0g==,type:str]
pangolin:
env: ENC[AES256_GCM,data:f5Pq+DE9PeRyOKeygREuovlqOMhe/bmTOrBA7Px3Oq+pWG5kGwnxqDdP/PwawJAskQPC9LN+QP6hIPNrJbPyxtk87hoRMb/3X0ggOw==,iv:yqqQizPwf3EfCelczf/7piH9kYiAwGLTtassvQ8oXNs=,tag:UzVuKIS8WZNAHgpLkzc9XA==,type:str]
velocity: ENC[AES256_GCM,data:Q1Bfiks3/0XsBfouqck9PJr9QmZv/2ayd2qEFNPVz+GW3JpzIPEf2uGn06u7U+ZFtSuV12jG+3fhGhMh+UT3,iv:PHZLyLhNb9NE1J/Tsm35K4g6WMnR/9EYfVrsuDFbaNE=,tag:SCJgjDjaHkLffX8JiWTKsA==,type:str]
fabricProxy: ENC[AES256_GCM,data:MXukmKmMBRXCfeW6MBlfJU3cMZ/Y8sysFxiW0g3MOXnEcySu5tN5uuNhuorWNNknemRWayAaozU+d21UWbHmVez1inVQX193EnlTnDaZ,iv:ih2l1rimFqupZlu3NrGaCL7IMM0SPW6YZkMnk8mtXvc=,tag:wxNatJHNB3isKDuprxl7Fw==,type:str]
sops:
age:
- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
@ -37,7 +40,7 @@ sops:
MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-07T08:17:20Z"
mac: ENC[AES256_GCM,data:M9hBNU2KetaGEhJnYW10nWEWetFWs9c5gPN/0W6UIOsP2Y9E2d8J09Ary9O9z6TjjxqkS+H15SQfo6bjuc19jSwtdQ/scqy9nV1H0pOEHzWj8zG/bzC71WmwhZbx4+1cK83HYS9pJhzbO+5tbOK75GwJscXAhXKDzzNBmTW2Y3U=,iv:qozD5Z2uiI5vFApsRVkjiXLOPATs3VV0PDk5szX+mrc=,tag:WpM+Ab9U2q9GR0qvyMZO8w==,type:str]
lastmodified: "2026-01-20T05:40:32Z"
mac: ENC[AES256_GCM,data:2UM15E3aYMunypx6THZTwHdedmUWYKQGgPEqMmT1D/CkWcCmau0Yk2nhALjcXWLuODlkedrjm6tYSPg7Yv/eZUnUwfI9reBAfoGBbJLCIoAloomzzm21xDvIJOco9xyHPKwT4buYYA/mylJvrSi07G0qRM6tINQjhEvVsDIbFR0=,iv:lPo3U/eCSZx6MmqvoTUpk+u6E+fFgED4eq0EF/jk/hs=,tag:b8XyedLJ706LplFF/VafAg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

2
system/dev/dn-pre7780/utility/davinci-resolve.nix
View file

@ -1,5 +1,5 @@
{
imports = [
../../../modules/davinci-resolve.nix
# ../../../modules/davinci-resolve.nix
];
}

16
system/dev/dn-server/default.nix
View file

@ -1,9 +1,11 @@
{ hostname }:
{
pkgs,
config,
...
}:
let
inherit (config.networking) domain;
username = "danny";
in
{
@ -17,7 +19,7 @@ in
"maps.rspamd.com"
"cdn-hub.crowdsec.net"
"api.crowdsec.net"
"mx1.dnywe.com"
"mx1.${domain}"
];
allowedIPs = [
"127.0.0.1"
@ -58,4 +60,16 @@ in
environment.systemPackages = with pkgs; [
openssl
];
users.users = {
root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
];
"${username}".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
];
};
}

62
system/dev/dn-server/network/nginx.nix
View file

@ -2,22 +2,12 @@
config,
...
}:
let
inherit (config.networking) domain;
gcpIP = "10.10.0.1";
in
{
security.acme = {
acceptTerms = true;
defaults = {
validMinDays = 2;
server = "https://10.0.0.1:${toString config.services.step-ca.port}/acme/acme/directory";
renewInterval = "daily";
email = "danny@net.dn";
dnsProvider = "pdns";
dnsPropagationCheck = false;
environmentFile = config.sops.secrets."acme/env".path;
};
};
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
enableReload = true;
@ -26,44 +16,10 @@
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"files.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
root = "/var/www/files";
locations."/" = {
extraConfig = ''
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
'';
};
extraConfig = ''
types {
image/png png;
image/jpeg jpg jpeg;
image/gif gif;
}
'';
};
"webcam.net.dn" = {
enableACME = true;
forceSSL = true;
locations."/ws/" = {
proxyPass = "http://10.0.0.130:8080/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
locations."/".proxyPass = "http://10.0.0.130:8001/phone.html";
};
virtualHosts."manage.stalwart.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/".proxyPass = "http://${gcpIP}:8081";
};
};
}

178
system/dev/dn-server/network/services.nix
View file

@ -6,11 +6,12 @@
}:
let
inherit (builtins) concatStringsSep;
inherit (config.systemConf) username security;
inherit (config.systemConf) security domain;
inherit (lib) mkForce optionalString;
inherit (helper.nftables) mkElementsStatement;
netbirdCfg = config.services.netbird;
netbirdRange = "100.64.0.0/16";
ethInterface = "enp0s31f6";
sshPorts = [ 30072 ];
@ -35,7 +36,7 @@ let
allowedSSHIPs = concatStringsSep ", " [
"122.117.215.55"
"192.168.100.1/24"
"100.64.0.0/16"
netbirdRange
personal.range
];
@ -173,8 +174,6 @@ in
"10.0.0.0/24"
];
services.resolved.enable = mkForce false;
networking = {
nat = {
enable = true;
@ -189,12 +188,10 @@ in
allowedUDPPorts = [
53
personal.port
25565
5359
];
allowedTCPPorts = sshPorts ++ [
53
25565
5359
];
};
@ -233,15 +230,18 @@ in
ct state vmap { invalid : drop, established : accept, related : accept }
# Allow Incoming DNS qeury
udp dport 53 accept
tcp dport 53 accept
tcp dport { ${sshPortsString} } jump ssh-filter
# Allow Netbird UDP
udp dport { ${toString netbirdCfg.clients.wt0.port} } accept
iifname ${netbirdCfg.clients.wt0.interface} accept
iifname { ${ethInterface}, ${personal.interface} } udp dport { ${toString personal.port} } accept
iifname ${infra.interface} ip saddr ${infra.range} accept
iifname ${personal.interface} ip saddr ${personal.range} jump wg-subnet
iifname ${netbirdCfg.clients.wt0.interface} accept
drop
}
@ -258,7 +258,7 @@ in
# Allow UDP hole punching
${optionalString (
netbirdCfg.clients ? wt0
) ''udp sport ${toString netbirdCfg.clients.wt0.port} accept''}
) "udp sport ${toString netbirdCfg.clients.wt0.port} accept"}
meta skuid ${toString config.users.users.systemd-timesync.uid} accept
@ -281,6 +281,8 @@ in
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept }
iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
iifname ${infra.interface} ip saddr ${infra.ip} accept
@ -309,7 +311,7 @@ in
ips = [ personal.ip ];
listenPort = personal.port;
privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
peers = builtins.map (r: {
peers = map (r: {
inherit (r) publicKey allowedIPs;
}) (fullRoute ++ meshRoute);
};
@ -321,27 +323,6 @@ in
dbus.enable = true;
blueman.enable = true;
postgresql = {
enable = lib.mkDefault true;
authentication = ''
host powerdnsadmin powerdnsadmin 127.0.0.1/32 trust
'';
ensureUsers = [
{
name = "powerdnsadmin";
ensureDBOwnership = true;
}
{
name = "pdns";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"powerdnsadmin"
"pdns"
];
};
openssh = {
enable = true;
ports = mkForce sshPorts;
@ -352,106 +333,12 @@ in
};
};
powerdns = {
enable = true;
extraConfig = ''
launch=gpgsql
loglevel=6
webserver-password=$WEB_PASSWORD
api=yes
api-key=$WEB_PASSWORD
gpgsql-host=/var/run/postgresql
gpgsql-dbname=pdns
gpgsql-user=pdns
gpgsql-dnssec=yes
webserver=yes
webserver-port=8081
local-port=5359
dnsupdate=yes
primary=yes
secondary=no
allow-dnsupdate-from=10.0.0.0/24
allow-axfr-ips=10.0.0.0/24
also-notify=10.0.0.148:53
'';
secretFile = config.sops.secrets.powerdns.path;
};
pdns-recursor = {
enable = true;
forwardZones = {
"dn." = "127.0.0.1:5359";
};
forwardZonesRecurse = {
# ==== Rspamd DNS ==== #
"multi.uribl.com." = "168.95.1.1";
"score.senderscore.com." = "168.95.1.1";
"list.dnswl.org." = "168.95.1.1";
"dwl.dnswl.org." = "168.95.1.1";
# ==== Others ==== #
"tw." = "168.95.1.1";
"." = "8.8.8.8";
};
dnssecValidation = "off";
dns.allowFrom = [
"127.0.0.0/8"
"10.0.0.0/24"
"192.168.100.0/24"
];
dns.port = 5300;
yaml-settings = {
webservice.webserver = true;
recordcache.max_negative_ttl = 60;
};
};
dnsdist = {
enable = true;
extraConfig = ''
newServer("127.0.0.1:${toString config.services.pdns-recursor.dns.port}")
addDOHLocal("0.0.0.0:8053", nil, nil, "/", { reusePort = true })
getPool(""):setCache(newPacketCache(65535, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false}))
'';
};
powerdns-admin = {
enable = true;
secretKeyFile = config.sops.secrets."powerdns-admin/secret".path;
saltFile = config.sops.secrets."powerdns-admin/salt".path;
config =
# python
''
import cachelib
BIND_ADDRESS = "127.0.0.1"
PORT = 8081
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'
'';
};
xserver = {
enable = false;
xkb.layout = "us";
};
};
systemd.services.pdns-recursor.before = [ "acme-setup.service" ];
systemd.services.pdns.before = [ "acme-setup.service" ];
users.users = {
root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
];
"${username}".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
];
};
systemConf.security = {
allowedDomains = [
"registry-1.docker.io"
@ -466,52 +353,19 @@ in
image = "louislam/uptime-kuma:2";
volumes = [
"/var/lib/uptime-kuma:/app/data"
"${config.security.pki.caBundle}:/etc/ca.crt:ro"
];
environment = {
NODE_EXTRA_CA_CERTS = "/etc/ca.crt";
};
};
};
};
};
systemd.services.raspamd-trainer = {
systemd.services.rspamd-trainer = {
after = [ "pdns-recursor.service" ];
};
services.nginx.virtualHosts = {
"dns.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/dns-query" = {
extraConfig = ''
grpc_pass grpc://127.0.0.1:${toString 8053};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
'';
};
};
"powerdns.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/api".proxyPass = "http://127.0.0.1:8081";
locations."/".proxyPass = "http://127.0.0.1:8000";
};
"uptime.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
services.nginx.virtualHosts."uptime.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
nix.settings.trusted-users = [
username
];
}

9
system/dev/dn-server/network/step-ca.nix
View file

@ -1,4 +1,7 @@
{ pkgs, config, ... }:
let
inherit (config.networking) domain;
in
{
environment.systemPackages = with pkgs; [ step-cli ];
@ -57,7 +60,7 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
};
dnsNames = [
"10.0.0.1"
"ca.net.dn"
"ca.${domain}"
];
federatedRoots = null;
insecureAddress = "";
@ -81,8 +84,8 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
intermediatePasswordFile = config.sops.secrets."step_ca/password".path;
};
services.nginx.virtualHosts."ca.net.dn" = {
enableACME = true;
services.nginx.virtualHosts."ca.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/" = {
proxyPass = "https://10.0.0.1:8443/";

59
system/dev/dn-server/services/acme.nix Normal file
View file

@ -0,0 +1,59 @@
{
config,
pkgs,
...
}:
let
inherit (config.sops) secrets;
in
{
users.users.nginx.extraGroups = [ "acme" ];
sops.secrets = {
"acme/pdns" = {
mode = "0660";
owner = "acme";
group = "acme";
};
"acme/cloudflare" = {
mode = "0640";
};
};
systemConf.security.allowedDomains = [
"acme-v02.api.letsencrypt.org"
"api.cloudflare.com"
];
security.acme = {
acceptTerms = true;
defaults = {
server = "https://10.0.0.1:${toString config.services.step-ca.port}/acme/acme/directory";
validMinDays = 2;
renewInterval = "daily";
email = "danny@net.dn";
dnsProvider = "pdns";
dnsPropagationCheck = false;
environmentFile = secrets."acme/pdns".path;
};
certs."dnywe.com" = {
domain = "*.dnywe.com";
extraDomainNames = [
"*.stalwart.dnywe.com"
];
server = "https://acme-v02.api.letsencrypt.org/directory";
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
email = "postmaster@dnywe.com";
dnsPropagationCheck = true;
environmentFile = pkgs.writeText "lego-config" ''
LEGO_CA_CERTIFICATES=${config.security.pki.caBundle}
'';
credentialFiles = {
"CLOUDFLARE_DNS_API_TOKEN_FILE" = secrets."acme/cloudflare".path;
};
};
};
}

32
system/dev/dn-server/services/actual-budget.nix
View file

@ -1,7 +1,37 @@
{ config, ... }:
let
inherit (config.networking) domain;
inherit (config.sops) secrets;
hostname = "actual.${domain}";
oidcURL = "https://${config.services.keycloak.settings.hostname}/realms/master";
in
{
sops.secrets."actual/clientSecret" = {
owner = "actual";
group = "actual";
mode = "640";
};
imports = [
(import ../../../modules/actual {
fqdn = "actual.net.dn";
fqdn = hostname;
})
];
services.nginx.virtualHosts."${hostname}" = {
useACMEHost = domain;
};
services.actual.settings = {
loginMethod = "openid";
allowedLoginMethods = [ "openid" ];
openId = {
discoveryURL = "${oidcURL}/.well-known/openid-configuration";
client_id = "actual";
client_secret._secret = secrets."actual/clientSecret".path;
server_hostname = "https://${hostname}";
authMethod = "openid";
};
};
}

11
system/dev/dn-server/services/bitwarden.nix
View file

@ -1,7 +1,16 @@
{ config, ... }:
let
inherit (config.networking) domain;
hostname = "bitwarden.${domain}";
in
{
imports = [
(import ../../../modules/vaultwarden.nix {
domain = "bitwarden.net.dn";
domain = hostname;
})
];
services.nginx.virtualHosts."${hostname}" = {
useACMEHost = domain;
};
}

8
system/dev/dn-server/services/default.nix
View file

@ -12,10 +12,8 @@
./keycloak.nix
./netbird.nix
./hideTTY.nix
# (import ../../../modules/opencloud.nix {
# fqdn = "opencloud.net.dn";
# envFile = config.sops.secrets."opencloud".path;
# })
(import ./ntfy.nix { fqdn = "ntfy.net.dn"; })
./dns.nix
./acme.nix
./ntfy.nix
];
}

164
system/dev/dn-server/services/dns.nix Normal file
View file

@ -0,0 +1,164 @@
{ config, lib, ... }:
let
inherit (builtins) listToAttrs;
inherit (lib) nameValuePair mkForce;
inherit (config.sops) secrets;
inherit (config.networking) domain;
splitDNS = listToAttrs (
map (x: nameValuePair x "127.0.0.1:5359") [
"${domain}."
]
);
in
{
services.resolved.enable = mkForce false;
sops.secrets = {
"powerdns-admin/secret" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
"powerdns-admin/salt" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
powerdns = {
mode = "0660";
owner = "pdns";
group = "pdns";
};
};
services.postgresql = {
enable = true;
authentication = ''
host powerdnsadmin powerdnsadmin 127.0.0.1/32 trust
'';
ensureUsers = [
{
name = "powerdnsadmin";
ensureDBOwnership = true;
}
{
name = "pdns";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"powerdnsadmin"
"pdns"
];
};
services.powerdns = {
enable = true;
extraConfig = ''
launch=gpgsql
loglevel=6
webserver-password=$WEB_PASSWORD
api=yes
api-key=$WEB_PASSWORD
gpgsql-host=/var/run/postgresql
gpgsql-dbname=pdns
gpgsql-user=pdns
gpgsql-dnssec=yes
webserver=yes
webserver-port=8081
local-port=5359
dnsupdate=yes
primary=yes
secondary=no
allow-dnsupdate-from=10.0.0.0/24
allow-axfr-ips=10.0.0.0/24
also-notify=10.0.0.148:53
'';
secretFile = secrets.powerdns.path;
};
services.pdns-recursor = {
enable = true;
forwardZones = {
"dn." = "127.0.0.1:5359";
}
// splitDNS;
forwardZonesRecurse = {
# ==== Rspamd DNS ==== #
"multi.uribl.com." = "168.95.1.1";
"score.senderscore.com." = "168.95.1.1";
"list.dnswl.org." = "168.95.1.1";
"dwl.dnswl.org." = "168.95.1.1";
# ==== Others ==== #
"tw." = "168.95.1.1";
"." = "1.1.1.1";
};
dnssecValidation = "off";
dns.allowFrom = [
"127.0.0.0/8"
"10.0.0.0/24"
"192.168.100.0/24"
];
dns.port = 5300;
yaml-settings = {
webservice.webserver = true;
recordcache.max_negative_ttl = 60;
};
};
services.dnsdist = {
enable = true;
extraConfig = ''
newServer("127.0.0.1:${toString config.services.pdns-recursor.dns.port}")
addDOHLocal("0.0.0.0:8053", nil, nil, "/", { reusePort = true })
getPool(""):setCache(newPacketCache(65535, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false}))
'';
};
services.powerdns-admin = {
enable = true;
secretKeyFile = config.sops.secrets."powerdns-admin/secret".path;
saltFile = config.sops.secrets."powerdns-admin/salt".path;
config =
# python
''
import cachelib
BIND_ADDRESS = "127.0.0.1"
PORT = 8081
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'
'';
};
services.nginx.virtualHosts = {
"dns.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/dns-query" = {
extraConfig = ''
grpc_pass grpc://127.0.0.1:${toString 8053};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
'';
};
};
"powerdns.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/api".proxyPass = "http://127.0.0.1:8081";
locations."/".proxyPass = "http://127.0.0.1:8000";
};
};
systemd.services.pdns-recursor.before = [ "acme-setup.service" ];
systemd.services.pdns.before = [ "acme-setup.service" ];
}

12
system/dev/dn-server/services/forgejo.nix
View file

@ -1,8 +1,10 @@
{ lib, config, ... }:
let
inherit (config.networking) domain;
cfg = config.services.forgejo;
srv = cfg.settings.server;
domain = "git.dnywe.com";
hostname = "git.${domain}";
mailServer = "mx1.net.dn";
forgejoOwner = {
@ -39,7 +41,7 @@ in
settings = {
server = {
DOMAIN = domain;
DOMAIN = hostname;
ROOT_URL = "https://${srv.DOMAIN}";
HTTP_PORT = 32006;
SSH_PORT = lib.head config.services.openssh.ports;
@ -69,4 +71,10 @@ in
server.SECRET_KEY = config.sops.secrets."forgejo/server/secretKey".path;
};
};
services.nginx.virtualHosts.${hostname} = {
useACMEHost = domain;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${toString srv.HTTP_PORT}";
};
}

9
system/dev/dn-server/services/keycloak.nix
View file

@ -2,7 +2,7 @@
{ lib, config, ... }:
let
inherit (lib) mkForce;
domain = "dnywe.com";
inherit (config.networking) domain;
cfg = config.services.keycloak;
in
{
@ -12,6 +12,9 @@ in
};
};
# Disable nginx reverse proxy
services.nginx.virtualHosts."${cfg.settings.hostname}" = mkForce { };
services.nginx.virtualHosts."${cfg.settings.hostname}" = {
useACMEHost = domain;
forceSSL = true;
enableACME = mkForce false;
};
}

2
system/dev/dn-server/services/mail-server.nix
View file

@ -46,7 +46,7 @@ in
'';
webmail = {
enable = true;
hostname = "mail.${domain}";
hostname = "mail.dnywe.com";
};
keycloak = {
dbSecretFile = config.sops.secrets."oauth/password".path;

18
system/dev/dn-server/services/metrics.nix
View file

@ -8,7 +8,10 @@
let
inherit (helper.grafana) mkDashboard;
inherit (lib) optionalAttrs optional;
inherit (config.networking) hostName;
inherit (config.networking) hostName domain;
grafanaHostname = "grafana.${domain}";
prometheusHostname = "metrics.${domain}";
datasourceTemplate = [
{
@ -55,7 +58,7 @@ in
{
imports = [
(import ../../../modules/prometheus.nix {
fqdn = "metrics.net.dn";
fqdn = prometheusHostname;
selfMonitor = true;
configureNginx = true;
scrapes = [
@ -108,7 +111,7 @@ in
})
(import ../../../modules/grafana.nix {
domain = "grafana.net.dn";
domain = grafanaHostname;
passFile = config.sops.secrets."grafana/password".path;
smtpHost = "${config.mail-server.hostname}.${config.mail-server.domain}:465";
smtpDomain = config.mail-server.domain;
@ -194,4 +197,13 @@ in
};
enable = true;
};
services.nginx.virtualHosts = {
"${grafanaHostname}" = {
useACMEHost = domain;
};
"${prometheusHostname}" = {
useACMEHost = domain;
};
};
}

144
system/dev/dn-server/services/minecraft-server.nix
View file

@ -1,9 +1,32 @@
{ pkgs, ... }:
{
pkgs,
config,
lib,
inputs,
...
}:
let
modpack = pkgs.fetchPackwizModpack {
inherit (config.sops) secrets;
inherit (inputs.nix-minecraft.lib) collectFilesAt;
modpack-shaderRetired = pkgs.fetchPackwizModpack {
url = "https://git.dnywe.com/dachxy/shader-retired-modpack/raw/branch/main/pack.toml";
packHash = "sha256-NPMS8j5NXbtbsso8R4s4lhx5L7rQJdek62G2Im3JdmM=";
};
modpack-landscape = pkgs.fetchPackwizModpack {
url = "https://git.dnywe.com/dachxy/landscape-modpack/raw/branch/main/pack.toml";
packHash = "sha256-mQSE4PMrOupARpEIzdzg+gOD0VQGII4MrBUyr8VevKk=";
};
fabricProxy = pkgs.fetchurl rec {
pname = "FabricProxy-Lite";
version = "2.11.0";
url = "https://cdn.modrinth.com/data/8dI2tmqs/versions/nR8AIdvx/${pname}-${version}.jar";
hash = "sha256-68er6vbAOsYZxwHrszLeaWbG2D7fq/AkNHIMj8PQPNw=";
};
velocityCfg = config.services.velocity;
in
{
systemConf.security.allowedDomains = [
@ -13,29 +36,110 @@ in
"login.microsoftonline.com"
];
sops.secrets."velocity" = {
owner = velocityCfg.user;
};
sops.secrets."fabricProxy" = {
owner = "minecraft";
};
services.velocity = {
enable = true;
openFirewall = true;
host = "0.0.0.0";
port = 25565;
settings = {
motd = "<#09add3>POG, MC server!";
player-info-forwarding-mode = "modern";
forwarding-secret-file = "${secrets."velocity".path}";
servers = {
shader-retired = "127.0.0.1:30066";
landscape = "127.0.0.1:30067";
try = [
"shader-retired"
];
};
forced-hosts = {
"server.vnet.dn" = [
"shader-retired"
];
"retired.mc.dnywe.com" = [
"shader-retired"
];
"landscape.mc.dnywe.com" = [
"landscape"
];
};
};
};
services.minecraft-servers = {
enable = true;
eula = true;
};
services.minecraft-servers.servers.shader-retired = {
enable = true;
autoStart = true;
openFirewall = true;
package = pkgs.fabric-server;
symlinks = {
"mods" = "${modpack}/mods";
};
serverProperties = {
services.minecraft-servers.servers = {
shader-retired =
let
mcVersion = modpack-shaderRetired.manifest.versions.minecraft;
fabricVersion = modpack-shaderRetired.manifest.versions.fabric;
serverVersion = lib.replaceStrings [ "." ] [ "_" ] "fabric-${mcVersion}";
in
{
enable = true;
autoStart = true;
jvmOpts = "-Xms2144M -Xmx8240M";
package = pkgs.fabricServers.${serverVersion}.override { loaderVersion = fabricVersion; };
symlinks = collectFilesAt modpack-shaderRetired "mods" // {
"mods/FabricProxy-Lite.jar" = fabricProxy;
};
files = {
"config/FabricProxy-Lite.toml" = "${secrets."fabricProxy".path}";
};
serverProperties = {
server-port = 30066;
difficulty = 3;
gamemode = "survival";
max-player = 20;
motd = "Bro!!!!";
accepts-flight = true;
accepts-transfers = true;
hardcore = false;
};
};
server-port = 25565;
difficulty = 3;
gamemode = "survival";
max-player = 20;
modt = "Bro!!!!";
accepts-flight = true;
accepts-transfers = true;
hardcore = false;
};
landscape =
let
mcVersion = modpack-landscape.manifest.versions.minecraft;
fabricVersion = modpack-landscape.manifest.versions.fabric;
serverVersion = lib.replaceStrings [ "." ] [ "_" ] "fabric-${mcVersion}";
in
{
enable = true;
autoStart = true;
enableReload = true;
jvmOpts = "-Xms2144M -Xmx8240M";
package = pkgs.fabricServers.${serverVersion}.override { loaderVersion = fabricVersion; };
symlinks = collectFilesAt modpack-landscape "mods" // {
"mods/FabricProxy-Lite.jar" = fabricProxy;
};
files = {
"config/FabricProxy-Lite.toml" = "${secrets."fabricProxy".path}";
};
serverProperties = {
server-port = 30067;
difficulty = 3;
gamemode = "survival";
max-player = 20;
motd = "Landscape, daug!";
accepts-flight = true;
accepts-transfers = true;
hardcore = false;
};
};
};
}

8
system/dev/dn-server/services/netbird.nix
View file

@ -1,7 +1,7 @@
{ config, lib, ... }:
let
inherit (lib) mkForce;
domain = "dnywe.com";
inherit (config.networking) domain;
# Virtual Domain
vDomain = "vnet.dn";
@ -19,9 +19,9 @@ in
};
systemConf.security.allowedDomains = [
"login.dnywe.com"
"pkgs.netbird.io"
config.services.keycloak.settings.hostname
"${srv.domain}"
"pkgs.netbird.io"
];
imports = [
@ -71,6 +71,8 @@ in
'';
services.nginx.virtualHosts."${srv.domain}" = {
useACMEHost = domain;
addSSL = true;
locations."/api" = {
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

13
system/dev/dn-server/services/nextcloud.nix
View file

@ -7,10 +7,10 @@
let
inherit (lib) mkIf mkDefault mkAfter;
inherit (config.sops) secrets;
inherit (config.networking) domain;
spreedCfg = config.services.nextcloud-spreed-signaling;
nextcloudCfg = config.services.nextcloud;
turnDomain = "coturn.dnywe.com";
domain = "net.dn";
turnDomain = "coturn.${domain}";
in
{
sops.secrets = {
@ -79,7 +79,7 @@ in
mail_smtpname = "nextcloud";
mail_smtpmode = "smtp";
mail_smtpauthtype = "LOGIN";
mail_domain = "net.dn";
mail_domain = "${domain}";
mail_smtpport = 465;
mail_smtpsecure = "ssl";
mail_from_address = "nextcloud";
@ -123,8 +123,13 @@ in
};
};
services.nginx.virtualHosts.${nextcloudCfg.hostName} = {
useACMEHost = domain;
forceSSL = true;
};
services.nginx.virtualHosts.${spreedCfg.hostName} = {
enableACME = true;
useACMEHost = domain;
forceSSL = true;
};

13
system/dev/dn-server/services/ntfy.nix
View file

@ -1,22 +1,19 @@
{
fqdn ? null,
}:
{ config, ... }:
let
inherit (config.networking) domain;
port = 31004;
finalFqdn = if fqdn == null then config.networking.fqdn else fqdn;
hostname = "ntfy.${domain}";
in
{
systemConf.security.allowedDomains = [
"ntfy.sh"
"web.push.apple.com"
];
services.ntfy-sh = {
enable = true;
settings = {
listen-http = ":${toString port}";
base-url = "https://${finalFqdn}";
base-url = "https://${hostname}";
upstream-base-url = "https://ntfy.sh";
behind-proxy = true;
proxy-trusted-hosts = "127.0.0.1";
@ -30,8 +27,8 @@ in
};
services.nginx.virtualHosts = {
"${finalFqdn}" = {
enableACME = true;
"${hostname}" = {
useACMEHost = domain;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;

13
system/dev/dn-server/services/paperless-ngx.nix
View file

@ -1,9 +1,18 @@
{ config, ... }:
{ config, lib, ... }:
let
inherit (config.networking) domain;
hostname = "paperless.${domain}";
in
{
imports = [
(import ../../../modules/paperless-ngx.nix {
domain = "paperless.net.dn";
domain = hostname;
passwordFile = config.sops.secrets."paperless/adminPassword".path;
})
];
services.nginx.virtualHosts."${hostname}" = {
useACMEHost = domain;
};
}

13
system/dev/dn-server/sops/secret.yaml
View file

@ -8,6 +8,8 @@ netbird:
coturn:
password: ENC[AES256_GCM,data:AMWBkWLcj1EFfufl8pALpVOG0PE=,iv:sngIedZE4X8clhGIsQyiGKbdsheRbEqeU57Emz2DWJM=,tag:daRLPNrO5fq84rtieYuYYw==,type:str]
wt0-setupKey: ENC[AES256_GCM,data:2KKqmcdQhkbu4Qo8rVWLwT7NdpF7iWneDGazHQlM++LdGQNr,iv:Dfryc5Ak8ueuHCT+8SxliEJqUtn695/N3iE69a5AoCQ=,tag:wCKfCOcTFZWbZs99FhF2EQ==,type:str]
actual:
clientSecret: ENC[AES256_GCM,data:1p/1ns46hrBXC80YvdBUV5BUrXxUmF5+q2YK/ENA1iQ=,iv:2ivuxwlKNy2awFkSlA946rIythd2Q5fROO8tc3HgtR4=,tag:S2dUoazTvh2hwpkSaZ/O4Q==,type:str]
nextcloud:
adminPassword: ENC[AES256_GCM,data:ev4Ua8JX0l0KK50SGm6xCw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:rIr+4x/p8u94e2Ip03iX0Q==,type:str]
whiteboard: ENC[AES256_GCM,data:EFrakjKTOskWBrobg/F12bdm/sM/cU4u6bUDw8TVqzmV95fNqn6n4MR+gTyKj6CG0+YLbZDHAmfsApWVH/VhDNTw3s1hkSu93Yq85ov7QEk=,iv:fYTLDOMmW+qoZVgC7fSPo+xFaytJN1gIaEcRgle+7gY=,tag:ETmXxGPsUafV3pR9cMLMXA==,type:str]
@ -19,7 +21,7 @@ nextcloud:
backendsecret: ENC[AES256_GCM,data:pV5yw755RkAwHBdmfeP37/SobFZqJouWyIiRJ+Y2mk0iiVdW04vhYVsyjcI=,iv:NhkewgnyE2Dw8mQMMSq6AWo6IOWu8BlyPZvZAszyZuQ=,tag:BlZO15qZWViV8pCWIgZHZQ==,type:str]
step_ca:
password: ENC[AES256_GCM,data:3NtUAl344gHiXLlMl88X17Vsm/4OKFM0W8bntzbXC0U=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:ibumK7ebPKNO/CXAS0eeRA==,type:str]
vaultwarden: ENC[AES256_GCM,data:h8GFyXRMI51DZutX60up4vXTQLNY3q0pr+BWpZ5frJHwy6PVBTYts81K0aTIIU71epT4SVR3p3e8yUdU7jXS1Tw1ol0RnPL+bBNv7JyUede9mkrP4pnozmuCQqOdlHCaUvYyIoWFPrLiz/drXX7gJvWh6zYTTFn9mQ3wQE9J6rxoLzbMyS6raSn2O8Ke+YM0VRXYgVvsyEL3Aa0wV3qO5NDCZ67rZp4TG5U8tOrziw0gnKU3eBCuNyL/uU/7ySvfdxwv631vEi24+dxN+Kx6rlaJpJIywx9xxxoRhOz5TrHzptqRMWpg2GZL5qdVXiUxqYLgC3s7Ri0P2BwOslteO6Z6NXk0HSravbpz3sevEu+bRS7u2MLvL3keP48+EBsXNebnKY7nfqCoIPUQ86CIVGw5fNI+irnRR8kq6oV0MBDGXu6DgmzKV7crFp65zzVSqfFOntVYSqgtQnnM1CmkuGJD,iv:51zbASyFgprzYCMswiEM81p8C0kFhSc28VavCHqRsF0=,tag:LvcY2DbeA71/PXEnjph3dw==,type:str]
vaultwarden: ENC[AES256_GCM,data:unu2+istP/NHcns2HUvNYveGElAEDFI+6X/KXYu2hKvY9c57PhmGVEmwlNhMWjHOSLaIvF48iDKCMnFnk20Fop5S2PS8WdNQ5sAA3mhoBnYGKIVsSsjpAqdIKj5c+AozeFODuIrCPRFm1JbOlgcmniwWNwbKtXt8GrgHzBbFUNX00npOwK9NmZOTxPVCj6gs3purULbsTzxDYZKdtqoM0Rv8E+MM/SLTR3QJnTCi7CxWfqy2tSsNzFh4puyZ0xf03m/fMP2iJqwZKjr0G5DwMl8ng0XvnojUcAg3OO34T7VCR1E6unqOpt8Mxc4l5eDVZEp6euchLB1GHP1OaElLCGvlp16xFKQyu+XtuFKxDrgl+AjVXl/rdl8Sk7fa9x6VzYbbJIR5Nzrwb+x9sJIc0Q5u6MroVsfawUzNH3aWkBCxQ0jGqkWyAZyumOuLxODpYETUCxiaBW6unEYSABibY5Q=,iv:5T/N41eLnPThRs1nwFiqMqyd6+RMWkDz6N4yVuAojH0=,tag:1gyxAtpZw/uhPWOoioFqKw==,type:str]
ldap:
password: ENC[AES256_GCM,data:gz5WBopSffGyvJxKDPekPQ==,iv:bX7N9/oNMhtE/KbPah2ge4s87P2VsxHGoFkOyl83dxs=,tag:YoTe6NPAJgp/0nvhHC9Y5A==,type:str]
env: ENC[AES256_GCM,data:68EvTHeBqtCVfde5oO+Wzny+l/YIMWQmbcNQ0Wl59EjMrSlJM0rmFm2lMJpxKzCN2cFs0N2z6zG1/eQ9t/SxxyVBrNA6ECnCZrerIo2YGlaT30tc1rffpd8TchMH1VKP5qHnbLUqORMx5z0LR4U49l2HVcHgSCjt/1f127oMi411vIU=,iv:+m1F0CBaoJGv6Z1u+h6rbsXGPUhxgHouTalj13ccJiY=,tag:I/hK65yPaIcgHEZVaXJHBA==,type:str]
@ -33,7 +35,8 @@ powerdns: ENC[AES256_GCM,data:d4qzUAjyHUxLynvP6vSxCzrihfb/X3KYHeRA/w+CButld7ulxL
rspamd-trainer: ENC[AES256_GCM,data:EqWVADi7zr6AUZL5mlN1/xbpjuRIS3Zn,iv:M/xk7LywcRiKQM9LrnTnCKu3OS/YBf23CRkxh4ll1+c=,tag:4lH3hhMxWIzEUExJOt/41Q==,type:str]
rspamd: ENC[AES256_GCM,data:qEXHXdcvk24pAHEl6MI=,iv:L5tmoTu5Qk5sxDj3EmWfc39AHwRTT4T4gB1O2EsTQkY=,tag:vIhAOnEpWxtP0eU4stkQww==,type:str]
acme:
env: ENC[AES256_GCM,data:DQaHr13K3faeyQk/05sVmmZRNvEbjmMP8y3nES1vyFO+oNX9nyyWcy5YEAO5tjRTxi/yM1ISlhbXWct4iRwAkvnhtoFRK/jpAfDv+W3J1LotaRxiPWSXUs5lS7uS0DpveRwQVv6qEl3Cs8vitHAJfRCKJoYv5HTJyvOnoWqHbnk=,iv:co3V0vu2c26NKHuoNoRv7td8qu6m0NTlvkr3EJBQGvM=,tag:leTY/DGg85Pm8gsAHah29Q==,type:str]
pdns: ENC[AES256_GCM,data:pQbUDyKCRz36CAI1UhxLnsgDmQ1Hhfv6iqA8R3YBdWXHHXIHMXz2ujVz+/fPCEnbLuMevAzT2L5Pejm0q38FQitcbRNngueymOWX2Iq/T1GP+t/Yhfy/r24dubgX5sH6USl2du2MmIwxa5VwBpjoTi3+CjqalV2sp8+HYwXWNKQ=,iv:8sX4R5xgdlq8EyDEUcvoROs21h2pAH1C3TpDw4I2WLs=,tag:aQhuoldv4fRz2+NmHfCWNQ==,type:str]
cloudflare: ENC[AES256_GCM,data:JwIL00LMPQeIxesD5umO5iBkIFFBZek9iHw76BT4/km3UX+nUn+wcw==,iv:wJIW869+BY+w9ynL4jF40mSrXpClVW9HGnOwTaKIT/k=,tag:c/NK+RzwNfvB+jh6vliM0g==,type:str]
postsrsd:
secret: ENC[AES256_GCM,data:JZNwSymEjIFb8h3gnvFajxSaNYRxjA/NUruA4WX+uSqX0ufVcbVWgxQTr7U=,iv:ydGnCESCLbwyGKc+5witXDkT3OgW27LKen7PkqUL6mU=,tag:M3RGI6LgU5n2e6ZiXxTFfQ==,type:str]
grafana:
@ -60,6 +63,8 @@ forgejo:
secretKey: ENC[AES256_GCM,data:DShv0oGdrHi40OMGz6/8XsiNY7nFcdJswBXucP9t7JQtgj9wk8Wr2mn17rfzkjNXTRletI60OPGPz2c57xOnTA==,iv:9TVma4i167123hyVA4yMAGsc9074+Yd4qggL7PkhUKg=,tag:/ELp01jK7of78Kyn+aOcMA==,type:str]
mailer:
password: ENC[AES256_GCM,data:dcIotYpgtdFLcunAB3ttlczzQ68=,iv:vH3rckAfntFAEtH3dolF7NCAdj142cAzre56x7oBdDA=,tag:TaxRn8g/TVloM60D6Ud0Jg==,type:str]
velocity: ENC[AES256_GCM,data:PYGSXfivm7OyKhBMKPOVDs+efpcb0hhwCAxlT05pM+kg9t0lH4TEMuxBXFRs80LUiQx+CYXyw8UvBkkKwPEc,iv:PppenjXIQ+eirCor3PxT16r2S7wO8bww5v/RyjQh9MI=,tag:Dc3BzmyQcTwYsvWShQ/JqQ==,type:str]
fabricProxy: ENC[AES256_GCM,data:srGYmqHgfkxAKKSjy9uGX1mQpE3N0rXb06MYiycbYESj/sZu/vjsPspvUdzTHHb9zkF5SWLWkmP6llIpimkss/dm7A1pGlagin3+,iv:yoWQdWeP9UjoRO5rJ9FQGbBu3iypIdXGrSDqBfFhw6w=,tag:+d/Tp/m3vENZAXJyHOMJEA==,type:str]
sops:
age:
- recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2
@ -89,7 +94,7 @@ sops:
OFloWEFuTC9GTXJsMG5NNktmdmIrY1kK0yN0ae0xNaydujV5lt2FiwXdyursG0DK
9i/B3TTAm9csDMMSTSFbiAUJDzG7kIqn++JU/cxvsGScSnhMqjEK/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-09T04:59:21Z"
mac: ENC[AES256_GCM,data:NIHLAoNatyAhKHwCNdRGMR8+rUv00y/ssoGSQlq9/QayYt/GATfelgNwcqksSWf/db5v+Jz92bbk3RT9SKeoMWRxjm+8xzARbjhHGrzxAeLoerGPjQpEpkYYWbFC2ihSODrE+ar3HskAkQmVxmiGKEtYSg3+X2hiEy6ydZkP5Ps=,iv:mAyO820PpeG6NWQlmQf+l9MLIL4OTGJXCBSqYbmozZk=,tag:+Bex5hyAGBXiFoqxqVtaqg==,type:str]
lastmodified: "2026-01-19T10:14:12Z"
mac: ENC[AES256_GCM,data:d9OAnjstk72GOnKqyDw2qbNfZho0mdqAMSQ4xH903b1COmgIn4MsqWiCzDJ5k6RxLE4wfCAPvn8JA+cXiox6/xctqfyqLoWN4fp2Q40IHjbA3mQGalwywRgmga74PVe3gJPZ7H8PJncN0TdU29A/lGcUtjCkAqjBuFS4e7wbQfA=,iv:e6aG+plaSDtaiqglY5S1svE/XZfs7n9dhSNCiB5pdTs=,tag:BsGItrtDVFF2kXgwE1zaFA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

20
system/dev/dn-server/sops/sops-conf.nix
View file

@ -17,31 +17,11 @@ in
mode = "0660";
group = config.users.groups.docker.name;
};
"powerdns-admin/secret" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
"powerdns-admin/salt" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
powerdns = {
mode = "0660";
owner = "pdns";
group = "pdns";
};
rspamd-trainer = {
};
rspamd = mkIf config.services.rspamd.enable {
owner = config.services.rspamd.user;
};
"acme/env" = mkIf config.security.acme.acceptTerms {
mode = "0660";
owner = "acme";
group = "acme";
};
"postsrsd/secret" = mkIf config.services.postsrsd.enable {
mode = "0660";
owner = config.services.postsrsd.user;

2
system/dev/public/dn/common.nix
View file

@ -5,7 +5,7 @@ in
{
systemConf = {
face = ../../../../home/config/.face;
domain = "net.dn";
domain = "dnywe.com";
};
home-manager.users."${username}" =

4
system/dev/public/dn/ntfy.nix
View file

@ -1,10 +1,12 @@
{
self,
config,
pkgs,
lib,
...
}:
let
serverCfg = self.nixosConfigurations.dn-server.config;
inherit (config.systemConf) username;
ntfyWrapper = import ../../../../home/scripts/ntfy.nix { inherit config pkgs lib; };
in
@ -30,7 +32,7 @@ in
{
enable = true;
settings = {
default-host = "https://ntfy.net.dn";
default-host = serverCfg.services.ntfy-sh.settings.base-url;
subscribe = [
{
topic = "public-notifications";

6
system/dev/skydrive-lap/home/default.nix
View file

@ -1,16 +1,18 @@
{
self,
config,
lib,
pkgs,
...
}:
let
inherit (config.networking) hostName;
serverCfg = self.nixosConfigurations.dn-server.config;
inherit (config.systemConf) username;
inherit (lib) optionalString;
inherit (serverCfg.services.nextcloud) hostName;
memeSelector = pkgs.callPackage ../../../../home/scripts/memeSelector.nix {
url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/";
url = "https://${hostName}/public.php/dav/files/pygHoPB5LxDZbeY/";
};
in
{