dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: maintain

Browse source
This commit is contained in:
danny 2026-01-20 13:41:53 +08:00
parent 2378a66114
commit 25482857d4
58 changed files with 1095 additions and 747 deletions
Download patch file Download diff file Expand all files Collapse all files

491
flake.lock generated
View file

File diff suppressed because it is too large Load diff

10
home/options/noctalia.nix
View file

@ -1,17 +1,19 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) inherit (builtins)
mkOption
types
elem elem
isList isList
filter filter
listToAttrs listToAttrs
concatMap concatMap
nameValuePair
attrNames attrNames
isAttrs isAttrs
; ;
inherit (lib)
mkOption
types
nameValuePair
;
filterAttrsRecursive' = filterAttrsRecursive' =
pred: set: pred: set:

1
home/presets/basic.nix
View file

@ -19,5 +19,6 @@
../user/wm-service.nix ../user/wm-service.nix
../user/ghostty.nix ../user/ghostty.nix
../user/podman.nix ../user/podman.nix
../user/image-viewer.nix
]; ];
} }

43
home/user/image-viewer.nix Normal file
View file

@ -0,0 +1,43 @@
{ pkgs, ... }:
{
home.packages = with pkgs; [ loupe ];
xdg.mimeApps =
let
value = "org.gnome.Loupe.desktop";
associations = builtins.listToAttrs (
map
(name: {
inherit name value;
})
[
"image/png"
"image/jpeg"
"image/gif"
"image/bmp"
"image/webp"
"image/tiff"
"image/svg+xml"
"image/x-icon"
"image/avif"
"image/heif"
"image/heic"
"image/jxl"
"image/apng"
"image/x-raw"
"image/x-xbitmap"
"image/x-xpixmap"
"image/x-portable-bitmap"
"image/x-portable-graymap"
"image/x-portable-pixmap"
"image/x-tga"
"image/x-pcx"
]
);
in
{
associations.added = associations;
defaultApplications = associations;
};
}

5
home/user/nvf/default.nix
View file

@ -436,7 +436,10 @@ in
ts-error-translator.enable = true; ts-error-translator.enable = true;
}; };
}; };
python.enable = true; python = {
enable = true;
format.type = [ "ruff" ];
};
markdown = { markdown = {
enable = true; enable = true;
extensions = { extensions = {

14
home/user/yazi.nix
View file

@ -7,7 +7,7 @@
}: }:
let let
inherit (pkgs.stdenv.hostPlatform) system; inherit (pkgs.stdenv.hostPlatform) system;
inherit (lib) getExe'; inherit (lib) getExe' getExe;
yaziPlugins = pkgs.fetchFromGitHub { yaziPlugins = pkgs.fetchFromGitHub {
owner = "yazi-rs"; owner = "yazi-rs";
repo = "plugins"; repo = "plugins";
@ -43,11 +43,11 @@ in
enableFishIntegration = true; enableFishIntegration = true;
plugins = { plugins = {
toggle-pane = ''${yaziPlugins}/toggle-pane.yazi''; toggle-pane = "${yaziPlugins}/toggle-pane.yazi";
mount = ''${yaziPlugins}/mount.yazi''; mount = "${yaziPlugins}/mount.yazi";
zoom = ''${yaziPlugins}/zoom''; zoom = "${yaziPlugins}/zoom";
vcs-files = ''${yaziPlugins}/vcs-files''; vcs-files = "${yaziPlugins}/vcs-files";
git = ''${yaziPlugins}/git''; git = "${yaziPlugins}/git";
}; };
settings = { settings = {
@ -77,7 +77,7 @@ in
]; ];
player = [ player = [
{ run = ''mpv --force-window "$1"''; } { run = ''${getExe pkgs.mpv} --force-window "$1"''; }
]; ];
open = [ open = [

2
home/user/zellij.nix
View file

@ -21,7 +21,7 @@ let
zellij-sessionizer-src = fetchurl { zellij-sessionizer-src = fetchurl {
url = "https://raw.githubusercontent.com/dachxy/zellij-sessionizer/refs/heads/main/zellij-sessionizer"; url = "https://raw.githubusercontent.com/dachxy/zellij-sessionizer/refs/heads/main/zellij-sessionizer";
sha256 = "sha256:12kbni75x9g424bymky8cy84i354j654rfmz9bffnabbblccfbpn"; sha256 = "sha256:0p6s2mwcya448vgag42akwlfmzr9nw1vxh6gv5lmz1xmyrhkysjd";
}; };
zellij-sessionizer = pkgs.writeShellScriptBin "zellij-sessionizer" '' zellij-sessionizer = pkgs.writeShellScriptBin "zellij-sessionizer" ''

2
home/user/zen-browser.nix
View file

@ -172,8 +172,6 @@ in
"application/json" "application/json"
"application/pdf" "application/pdf"
"text/html" "text/html"
"image/png"
"image/jpeg"
] ]
); );
in in

1
options/default.nix
View file

@ -1,5 +1,6 @@
{ {
imports = [ imports = [
./systemconf.nix ./systemconf.nix
./game/velocity.nix
]; ];
} }

152
options/game/velocity.nix Normal file
View file

@ -0,0 +1,152 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (pkgs.writers) writeTOML;
inherit (lib)
mkIf
mkOption
mkEnableOption
mkPackageOption
types
getExe
;
cfg = config.services.velocity;
defaultSettings = {
config-version = "2.7";
motd = "<#09add3>A Velocity Server";
show-max-players = 500;
online-mode = true;
force-key-authentication = true;
prevent-client-proxy-connections = false;
player-info-forwarding-mode = "none";
forwarding-secret-file = "forwarding.secret";
announce-forge = false;
kick-existing-players = false;
ping-passthrough = "DISABLED";
sample-players-in-ping = false;
enable-player-address-logging = true;
servers = {
};
forced-hosts = {
};
advanced = {
compression-threshold = 256;
compression-level = -1;
login-ratelimit = 3000;
connection-timeout = 5000;
read-timeout = 30000;
haproxy-protocol = false;
tcp-fast-open = false;
bungee-plugin-message-channel = true;
show-ping-requests = false;
failover-on-unexpected-server-disconnect = true;
announce-proxy-commands = true;
log-command-executions = false;
log-player-connections = true;
accepts-transfers = false;
enable-reuse-port = false;
command-rate-limit = 50;
forward-commands-if-rate-limited = true;
kick-after-rate-limited-commands = 0;
tab-complete-rate-limit = 10;
kick-after-rate-limited-tab-completes = 0;
};
query = {
enabled = false;
port = 25565;
map = "Velocity";
show-plugins = false;
};
};
in
{
options.services.velocity = {
enable = mkEnableOption "Enable the minecraft proxy";
package = mkPackageOption pkgs "velocity" { };
user = mkOption {
type = types.str;
default = "velocity";
};
group = mkOption {
type = types.str;
default = "velocity";
};
host = mkOption {
type = types.str;
default = "0.0.0.0";
};
port = mkOption {
type = types.port;
default = 25565;
};
openFirewall = mkEnableOption "Open firewall for velocity" // {
default = true;
};
settings = mkOption {
type =
with types;
attrsOf (oneOf [
attrs
str
int
bool
]);
default = defaultSettings;
apply =
v:
defaultSettings
// {
bind = "${cfg.host}:${toString cfg.port}";
}
// v;
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
};
users.groups.${cfg.group} = { };
systemd.services.velocity =
let
configFile = writeTOML "velocity.toml" cfg.settings;
in
{
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStartPre =
let
configFilePath = "/var/lib/velocity/velocity.toml";
in
[
"${pkgs.coreutils}/bin/cp ${configFile} ${configFilePath}"
"${pkgs.coreutils}/bin/chmod 750 ${configFilePath}"
"${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} ${configFilePath}"
];
ExecStart = "${getExe cfg.package}";
StateDirectory = "velocity";
StateDirectoryMode = "0750";
WorkingDirectory = "/var/lib/velocity";
};
};
};
}

8
options/systemconf.nix
View file

@ -1,4 +1,5 @@
{ {
self,
inputs, inputs,
config, config,
pkgs, pkgs,
@ -124,7 +125,12 @@ in
useUserPackages = true; useUserPackages = true;
useGlobalPkgs = true; useGlobalPkgs = true;
extraSpecialArgs = { extraSpecialArgs = {
inherit helper inputs system; inherit
helper
inputs
system
self
;
inherit (cfg) username hostname; inherit (cfg) username hostname;
}; };
sharedModules = [ sharedModules = [

1
system/dev/dn-pre7780/games/default.nix
View file

@ -3,6 +3,7 @@
../../../modules/gaming.nix ../../../modules/gaming.nix
./shadps4.nix ./shadps4.nix
./minecraft.nix ./minecraft.nix
./lsgf-vk.nix
./heroic.nix ./heroic.nix
]; ];
} }

6
system/dev/dn-pre7780/games/heroic.nix
View file

@ -3,7 +3,11 @@
home-manager.sharedModules = [ home-manager.sharedModules = [
{ {
home.packages = with pkgs; [ home.packages = with pkgs; [
heroic (heroic.override {
extraPkgs = pkgs: [
pkgs.gamemode
];
})
]; ];
} }
]; ];

11
system/dev/dn-pre7780/games/lsgf-vk.nix Normal file
View file

@ -0,0 +1,11 @@
{ pkgs, ... }:
{
home-manager.sharedModules = [
{
home.packages = with pkgs; [
lsfg-vk
lsfg-vk-ui
];
}
];
}

2
system/dev/dn-pre7780/games/minecraft.nix
View file

@ -4,8 +4,6 @@
{ {
home.packages = with pkgs; [ home.packages = with pkgs; [
prismlauncher prismlauncher
lsfg-vk
lsfg-vk-ui
]; ];
} }
]; ];

11
system/dev/dn-pre7780/home/wm/hyprland.nix
View file

@ -1,7 +1,14 @@
{ pkgs, lib, ... }: {
self,
pkgs,
lib,
...
}:
let let
serverCfg = self.nixosConfigurations.dn-server.config;
inherit (serverCfg.services.nextcloud) hostName;
memeSelector = pkgs.callPackage ../../../../../home/scripts/memeSelector.nix { memeSelector = pkgs.callPackage ../../../../../home/scripts/memeSelector.nix {
url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/"; url = "https://${hostName}/public.php/dav/files/pygHoPB5LxDZbeY/";
}; };
in in
{ {

1
system/dev/dn-pre7780/network/default.nix
View file

@ -1,6 +1,7 @@
{ {
imports = [ imports = [
../../../modules/netbird-client.nix ../../../modules/netbird-client.nix
./openfortivpn.nix
# ../../../modules/wireguard.nix # ../../../modules/wireguard.nix
]; ];
} }

27
system/dev/dn-pre7780/network/openfortivpn.nix Normal file
View file

@ -0,0 +1,27 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (lib) getExe;
inherit (config.sops) secrets;
in
{
sops.secrets = {
"openfortivpn" = { };
};
systemd.services.openfortivpn = {
script = ''
${getExe pkgs.openfortivpn} -c "$CREDENTIALS_DIRECTORY/config" --set-dns=1 --use-resolvconf=1
'';
serviceConfig = {
Restart = "no";
LoadCredential = [
"config:${secrets."openfortivpn".path}"
];
};
};
}

1
system/dev/dn-pre7780/services/default.nix
View file

@ -4,6 +4,5 @@
# ./mail.nix # ./mail.nix
./nginx.nix ./nginx.nix
# ./pangolin.nix # ./pangolin.nix
# ./nextcloud.nix
]; ];
} }

16
system/dev/dn-pre7780/services/mail.nix
View file

@ -6,6 +6,7 @@
}: }:
let let
inherit (lib) mkIf; inherit (lib) mkIf;
inherit (config.networking) domain;
mkCondition = ( mkCondition = (
condition: ithen: ielse: [ condition: ithen: ielse: [
{ {
@ -18,7 +19,6 @@ let
rspamdWebPort = 11333; rspamdWebPort = 11333;
rspamdPort = 31009; rspamdPort = 31009;
domain = "dnywe.com";
fqdn = "mx1.dnywe.com"; fqdn = "mx1.dnywe.com";
rspamdSecretFile = config.sops.secrets."rspamd".path; rspamdSecretFile = config.sops.secrets."rspamd".path;
@ -202,18 +202,4 @@ in
''; '';
}; };
}; };
services.mail-ntfy-server = {
enable = true;
settings = {
NTFY_URL = "https://ntfy.net.dn";
NTFY_TOPIC = "dachxy-mail";
NTFY_RCPTS = [ "dachxy@dnywe.com" ];
HOST = "127.0.0.1";
PORT = 31010;
};
environmentFiles = [
config.sops.secrets."ntfy".path
];
};
} }

103
system/dev/dn-pre7780/services/nextcloud.nix
View file

@ -1,103 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkForce;
hostname = "drive.dnywe.com";
port = 31007;
in
{
sops.secrets = {
"nextcloud/adminPassword" = mkIf config.services.nextcloud.enable {
owner = "nextcloud";
group = "nextcloud";
};
"nextcloud/signaling.conf" = mkIf config.services.nextcloud.enable {
owner = "signaling";
group = "signaling";
mode = "0640";
};
"nextcloud/whiteboard" = mkIf config.services.nextcloud.enable {
owner = "nextcloud";
};
};
imports = [
(import ../../../modules/nextcloud.nix {
configureACME = false;
hostname = hostname;
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
trusted-domains = [
hostname
];
trusted-proxies = [ "10.0.0.0/24" ];
whiteboardSecrets = [
config.sops.secrets."nextcloud/whiteboard".path
];
})
];
services.nextcloud = {
# enable = mkForce false;
https = mkForce false;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) spreed;
twofactor_totp = pkgs.fetchNextcloudApp {
url = "https://github.com/nextcloud-releases/twofactor_totp/releases/download/v6.4.1/twofactor_totp-v6.4.1.tar.gz";
sha256 = "sha256-Wa2P6tpp75IxCsTG4B5DQ8+iTzR7yjKBi4ZDBcv+AOI=";
license = "agpl3Plus";
};
twofactor_nextcloud_notification = pkgs.fetchNextcloudApp {
url = "https://github.com/nextcloud-releases/twofactor_nextcloud_notification/releases/download/v3.9.0/twofactor_nextcloud_notification-v3.9.0.tar.gz";
sha256 = "sha256-4fXWgDeiup5/Gm9hdZDj/u07rp/Nzwly53aLUT/d0IU=";
license = "agpl3Plus";
};
twofactor_email = pkgs.fetchNextcloudApp {
url = "https://github.com/nursoda/twofactor_email/releases/download/2.8.2/twofactor_email.tar.gz";
sha256 = "sha256-zk5DYNwoIRTIWrchWDiCHuvAST2kuIoow6VaHAAzYog=";
license = "agpl3Plus";
};
};
};
users.groups.signaling = mkIf config.services.nextcloud.enable {
};
users.users.signaling = mkIf config.services.nextcloud.enable {
isSystemUser = true;
group = "signaling";
};
systemd.services.nextcloud-spreed-signaling = mkIf config.services.nextcloud.enable {
requiredBy = [
"multi-users.target"
"phpfpm-nextcloud.service"
];
serviceConfig = {
User = "signaling";
Group = "signaling";
ExecStart = "${lib.getExe' pkgs.nextcloud-spreed-signaling "server"} --config ${
config.sops.secrets."nextcloud/signaling.conf".path
}";
};
};
services.nats = mkIf config.services.nextcloud.enable {
enable = true;
settings = {
host = "127.0.0.1";
};
};
services.nginx.virtualHosts."${hostname}".listen = lib.mkForce [
{
port = port;
addr = "0.0.0.0";
}
];
}

8
system/dev/dn-pre7780/services/nginx.nix
View file

@ -1,4 +1,8 @@
{ config, ... }: { self, config, ... }:
let
serverCfg = self.nixosConfigurations.dn-server.config;
inherit (serverCfg.networking) domain;
in
{ {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
443 443
@ -10,7 +14,7 @@
defaults = { defaults = {
validMinDays = 2; validMinDays = 2;
webroot = null; webroot = null;
server = "https://ca.net.dn/acme/acme/directory"; server = "https://ca.${domain}/acme/acme/directory";
renewInterval = "daily"; renewInterval = "daily";
email = "danny@pre7780.dn"; email = "danny@pre7780.dn";
dnsResolver = "10.0.0.1:53"; dnsResolver = "10.0.0.1:53";

7
system/dev/dn-pre7780/sops/secret.yaml
View file

@ -1,5 +1,6 @@
wireguard: wireguard:
wg0.conf: ENC[AES256_GCM,data:ozySeNEvkiLt9TGrZCrlJWKT5gcSlZ9T8AeXGO97SPgxI394eCQ/LOkVFl7AykhZvs7YkxMpZzAZxc0oNdTYuDlqfrNr0pqTUJmpX+5PVRmDb5z2MJvERktVkJ4LSvVodoYznDwT/y9q199AFKf3t4EoWuRyR/il6P8HuGVHXrKRYUrwuB4nuq1SIByY+8D2gzohFB/s6pSOPYy6/xCt0Nm+x0wmcdrlyOb0S+4WXlcou2ll98o9q2YDdVBKeW4jyUjFqXM2XzD0JXpAi9ZFlyzxyYNwa4oMYATyCBCH4BNHqe850QHEoCaOovioEdDH/tluB2X/891ixqzURypzbg==,iv:3Q5xOgGcg8/DIwHt4fHsQGtN8f2hGpVDtf47PcwW62I=,tag:SbJqhWi3+h1O5ZIOayDrUw==,type:str] wg0.conf: ENC[AES256_GCM,data:ozySeNEvkiLt9TGrZCrlJWKT5gcSlZ9T8AeXGO97SPgxI394eCQ/LOkVFl7AykhZvs7YkxMpZzAZxc0oNdTYuDlqfrNr0pqTUJmpX+5PVRmDb5z2MJvERktVkJ4LSvVodoYznDwT/y9q199AFKf3t4EoWuRyR/il6P8HuGVHXrKRYUrwuB4nuq1SIByY+8D2gzohFB/s6pSOPYy6/xCt0Nm+x0wmcdrlyOb0S+4WXlcou2ll98o9q2YDdVBKeW4jyUjFqXM2XzD0JXpAi9ZFlyzxyYNwa4oMYATyCBCH4BNHqe850QHEoCaOovioEdDH/tluB2X/891ixqzURypzbg==,iv:3Q5xOgGcg8/DIwHt4fHsQGtN8f2hGpVDtf47PcwW62I=,tag:SbJqhWi3+h1O5ZIOayDrUw==,type:str]
openfortivpn: ENC[AES256_GCM,data:rWv6kZDYO4yKmrEfm63X7qin0veSx7U/ZZFPM0vxBPjIzh7VZg6wCjJ1pHpSpCT0DS39TA/Z5xhH4l+gOUHMxeuKw1Zn96DxccdpGs+WMdgis8LJc42Qmfnmdw==,iv:QEgbiRV2B5LG7X9KXcln04nUedbV7GiS+3E5AihVbXw=,tag:rGerAwx0FeRLGPBCePdo/w==,type:str]
netbird: netbird:
wt0-setupKey: ENC[AES256_GCM,data:166VX+rgzxhar+GFKxA5d8G3/9ewISdv2hUSwvbggyyjwwvE,iv:w8p4gDP6U0ZONX59t2dnglTC9S2dW2TX5A4OoCzRuzM=,tag:zf3jvlERJtM+osBd4ZQjMA==,type:str] wt0-setupKey: ENC[AES256_GCM,data:166VX+rgzxhar+GFKxA5d8G3/9ewISdv2hUSwvbggyyjwwvE,iv:w8p4gDP6U0ZONX59t2dnglTC9S2dW2TX5A4OoCzRuzM=,tag:zf3jvlERJtM+osBd4ZQjMA==,type:str]
dovecot: dovecot:
@ -26,6 +27,8 @@ crowdsec:
rspamd: ENC[AES256_GCM,data:8DryYdMyhzBqwqcbYUQ=,iv:5w21u3xqshRSf8IJbG16/Gf6AC2Zw6VnI3MOchN+w8A=,tag:OiiYUDT69SZObgOh1qCL0g==,type:str] rspamd: ENC[AES256_GCM,data:8DryYdMyhzBqwqcbYUQ=,iv:5w21u3xqshRSf8IJbG16/Gf6AC2Zw6VnI3MOchN+w8A=,tag:OiiYUDT69SZObgOh1qCL0g==,type:str]
pangolin: pangolin:
env: ENC[AES256_GCM,data:f5Pq+DE9PeRyOKeygREuovlqOMhe/bmTOrBA7Px3Oq+pWG5kGwnxqDdP/PwawJAskQPC9LN+QP6hIPNrJbPyxtk87hoRMb/3X0ggOw==,iv:yqqQizPwf3EfCelczf/7piH9kYiAwGLTtassvQ8oXNs=,tag:UzVuKIS8WZNAHgpLkzc9XA==,type:str] env: ENC[AES256_GCM,data:f5Pq+DE9PeRyOKeygREuovlqOMhe/bmTOrBA7Px3Oq+pWG5kGwnxqDdP/PwawJAskQPC9LN+QP6hIPNrJbPyxtk87hoRMb/3X0ggOw==,iv:yqqQizPwf3EfCelczf/7piH9kYiAwGLTtassvQ8oXNs=,tag:UzVuKIS8WZNAHgpLkzc9XA==,type:str]
velocity: ENC[AES256_GCM,data:Q1Bfiks3/0XsBfouqck9PJr9QmZv/2ayd2qEFNPVz+GW3JpzIPEf2uGn06u7U+ZFtSuV12jG+3fhGhMh+UT3,iv:PHZLyLhNb9NE1J/Tsm35K4g6WMnR/9EYfVrsuDFbaNE=,tag:SCJgjDjaHkLffX8JiWTKsA==,type:str]
fabricProxy: ENC[AES256_GCM,data:MXukmKmMBRXCfeW6MBlfJU3cMZ/Y8sysFxiW0g3MOXnEcySu5tN5uuNhuorWNNknemRWayAaozU+d21UWbHmVez1inVQX193EnlTnDaZ,iv:ih2l1rimFqupZlu3NrGaCL7IMM0SPW6YZkMnk8mtXvc=,tag:wxNatJHNB3isKDuprxl7Fw==,type:str]
sops: sops:
age: age:
- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
@ -37,7 +40,7 @@ sops:
MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA== lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-07T08:17:20Z" lastmodified: "2026-01-20T05:40:32Z"
mac: ENC[AES256_GCM,data:M9hBNU2KetaGEhJnYW10nWEWetFWs9c5gPN/0W6UIOsP2Y9E2d8J09Ary9O9z6TjjxqkS+H15SQfo6bjuc19jSwtdQ/scqy9nV1H0pOEHzWj8zG/bzC71WmwhZbx4+1cK83HYS9pJhzbO+5tbOK75GwJscXAhXKDzzNBmTW2Y3U=,iv:qozD5Z2uiI5vFApsRVkjiXLOPATs3VV0PDk5szX+mrc=,tag:WpM+Ab9U2q9GR0qvyMZO8w==,type:str] mac: ENC[AES256_GCM,data:2UM15E3aYMunypx6THZTwHdedmUWYKQGgPEqMmT1D/CkWcCmau0Yk2nhALjcXWLuODlkedrjm6tYSPg7Yv/eZUnUwfI9reBAfoGBbJLCIoAloomzzm21xDvIJOco9xyHPKwT4buYYA/mylJvrSi07G0qRM6tINQjhEvVsDIbFR0=,iv:lPo3U/eCSZx6MmqvoTUpk+u6E+fFgED4eq0EF/jk/hs=,tag:b8XyedLJ706LplFF/VafAg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0

2
system/dev/dn-pre7780/utility/davinci-resolve.nix
View file

@ -1,5 +1,5 @@
{ {
imports = [ imports = [
../../../modules/davinci-resolve.nix # ../../../modules/davinci-resolve.nix
]; ];
} }

16
system/dev/dn-server/default.nix
View file

@ -1,9 +1,11 @@
{ hostname }: { hostname }:
{ {
pkgs, pkgs,
config,
... ...
}: }:
let let
inherit (config.networking) domain;
username = "danny"; username = "danny";
in in
{ {
@ -17,7 +19,7 @@ in
"maps.rspamd.com" "maps.rspamd.com"
"cdn-hub.crowdsec.net" "cdn-hub.crowdsec.net"
"api.crowdsec.net" "api.crowdsec.net"
"mx1.dnywe.com" "mx1.${domain}"
]; ];
allowedIPs = [ allowedIPs = [
"127.0.0.1" "127.0.0.1"
@ -58,4 +60,16 @@ in
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
openssl openssl
]; ];
users.users = {
root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
];
"${username}".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
];
};
} }

62
system/dev/dn-server/network/nginx.nix
View file

@ -2,22 +2,12 @@
config, config,
... ...
}: }:
let
inherit (config.networking) domain;
gcpIP = "10.10.0.1";
in
{ {
security.acme = {
acceptTerms = true;
defaults = {
validMinDays = 2;
server = "https://10.0.0.1:${toString config.services.step-ca.port}/acme/acme/directory";
renewInterval = "daily";
email = "danny@net.dn";
dnsProvider = "pdns";
dnsPropagationCheck = false;
environmentFile = config.sops.secrets."acme/env".path;
};
};
users.users.nginx.extraGroups = [ "acme" ];
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true; enableReload = true;
@ -26,44 +16,10 @@
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
virtualHosts = { virtualHosts."manage.stalwart.${domain}" = {
"files.${config.networking.domain}" = { useACMEHost = domain;
enableACME = true; forceSSL = true;
forceSSL = true; locations."/".proxyPass = "http://${gcpIP}:8081";
root = "/var/www/files";
locations."/" = {
extraConfig = ''
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
'';
};
extraConfig = ''
types {
image/png png;
image/jpeg jpg jpeg;
image/gif gif;
}
'';
};
"webcam.net.dn" = {
enableACME = true;
forceSSL = true;
locations."/ws/" = {
proxyPass = "http://10.0.0.130:8080/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
locations."/".proxyPass = "http://10.0.0.130:8001/phone.html";
};
}; };
}; };
} }

178
system/dev/dn-server/network/services.nix
View file

@ -6,11 +6,12 @@
}: }:
let let
inherit (builtins) concatStringsSep; inherit (builtins) concatStringsSep;
inherit (config.systemConf) username security; inherit (config.systemConf) security domain;
inherit (lib) mkForce optionalString; inherit (lib) mkForce optionalString;
inherit (helper.nftables) mkElementsStatement; inherit (helper.nftables) mkElementsStatement;
netbirdCfg = config.services.netbird; netbirdCfg = config.services.netbird;
netbirdRange = "100.64.0.0/16";
ethInterface = "enp0s31f6"; ethInterface = "enp0s31f6";
sshPorts = [ 30072 ]; sshPorts = [ 30072 ];
@ -35,7 +36,7 @@ let
allowedSSHIPs = concatStringsSep ", " [ allowedSSHIPs = concatStringsSep ", " [
"122.117.215.55" "122.117.215.55"
"192.168.100.1/24" "192.168.100.1/24"
"100.64.0.0/16" netbirdRange
personal.range personal.range
]; ];
@ -173,8 +174,6 @@ in
"10.0.0.0/24" "10.0.0.0/24"
]; ];
services.resolved.enable = mkForce false;
networking = { networking = {
nat = { nat = {
enable = true; enable = true;
@ -189,12 +188,10 @@ in
allowedUDPPorts = [ allowedUDPPorts = [
53 53
personal.port personal.port
25565
5359 5359
]; ];
allowedTCPPorts = sshPorts ++ [ allowedTCPPorts = sshPorts ++ [
53 53
25565
5359 5359
]; ];
}; };
@ -233,15 +230,18 @@ in
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
# Allow Incoming DNS qeury
udp dport 53 accept udp dport 53 accept
tcp dport 53 accept tcp dport 53 accept
tcp dport { ${sshPortsString} } jump ssh-filter tcp dport { ${sshPortsString} } jump ssh-filter
# Allow Netbird UDP
udp dport { ${toString netbirdCfg.clients.wt0.port} } accept
iifname ${netbirdCfg.clients.wt0.interface} accept
iifname { ${ethInterface}, ${personal.interface} } udp dport { ${toString personal.port} } accept iifname { ${ethInterface}, ${personal.interface} } udp dport { ${toString personal.port} } accept
iifname ${infra.interface} ip saddr ${infra.range} accept iifname ${infra.interface} ip saddr ${infra.range} accept
iifname ${personal.interface} ip saddr ${personal.range} jump wg-subnet iifname ${personal.interface} ip saddr ${personal.range} jump wg-subnet
iifname ${netbirdCfg.clients.wt0.interface} accept
drop drop
} }
@ -258,7 +258,7 @@ in
# Allow UDP hole punching # Allow UDP hole punching
${optionalString ( ${optionalString (
netbirdCfg.clients ? wt0 netbirdCfg.clients ? wt0
) ''udp sport ${toString netbirdCfg.clients.wt0.port} accept''} ) "udp sport ${toString netbirdCfg.clients.wt0.port} accept"}
meta skuid ${toString config.users.users.systemd-timesync.uid} accept meta skuid ${toString config.users.users.systemd-timesync.uid} accept
@ -281,6 +281,8 @@ in
meta l4proto { icmp, ipv6-icmp } accept meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept }
iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
iifname ${infra.interface} ip saddr ${infra.ip} accept iifname ${infra.interface} ip saddr ${infra.ip} accept
@ -309,7 +311,7 @@ in
ips = [ personal.ip ]; ips = [ personal.ip ];
listenPort = personal.port; listenPort = personal.port;
privateKeyFile = config.sops.secrets."wireguard/privateKey".path; privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
peers = builtins.map (r: { peers = map (r: {
inherit (r) publicKey allowedIPs; inherit (r) publicKey allowedIPs;
}) (fullRoute ++ meshRoute); }) (fullRoute ++ meshRoute);
}; };
@ -321,27 +323,6 @@ in
dbus.enable = true; dbus.enable = true;
blueman.enable = true; blueman.enable = true;
postgresql = {
enable = lib.mkDefault true;
authentication = ''
host powerdnsadmin powerdnsadmin 127.0.0.1/32 trust
'';
ensureUsers = [
{
name = "powerdnsadmin";
ensureDBOwnership = true;
}
{
name = "pdns";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"powerdnsadmin"
"pdns"
];
};
openssh = { openssh = {
enable = true; enable = true;
ports = mkForce sshPorts; ports = mkForce sshPorts;
@ -352,106 +333,12 @@ in
}; };
}; };
powerdns = {
enable = true;
extraConfig = ''
launch=gpgsql
loglevel=6
webserver-password=$WEB_PASSWORD
api=yes
api-key=$WEB_PASSWORD
gpgsql-host=/var/run/postgresql
gpgsql-dbname=pdns
gpgsql-user=pdns
gpgsql-dnssec=yes
webserver=yes
webserver-port=8081
local-port=5359
dnsupdate=yes
primary=yes
secondary=no
allow-dnsupdate-from=10.0.0.0/24
allow-axfr-ips=10.0.0.0/24
also-notify=10.0.0.148:53
'';
secretFile = config.sops.secrets.powerdns.path;
};
pdns-recursor = {
enable = true;
forwardZones = {
"dn." = "127.0.0.1:5359";
};
forwardZonesRecurse = {
# ==== Rspamd DNS ==== #
"multi.uribl.com." = "168.95.1.1";
"score.senderscore.com." = "168.95.1.1";
"list.dnswl.org." = "168.95.1.1";
"dwl.dnswl.org." = "168.95.1.1";
# ==== Others ==== #
"tw." = "168.95.1.1";
"." = "8.8.8.8";
};
dnssecValidation = "off";
dns.allowFrom = [
"127.0.0.0/8"
"10.0.0.0/24"
"192.168.100.0/24"
];
dns.port = 5300;
yaml-settings = {
webservice.webserver = true;
recordcache.max_negative_ttl = 60;
};
};
dnsdist = {
enable = true;
extraConfig = ''
newServer("127.0.0.1:${toString config.services.pdns-recursor.dns.port}")
addDOHLocal("0.0.0.0:8053", nil, nil, "/", { reusePort = true })
getPool(""):setCache(newPacketCache(65535, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false}))
'';
};
powerdns-admin = {
enable = true;
secretKeyFile = config.sops.secrets."powerdns-admin/secret".path;
saltFile = config.sops.secrets."powerdns-admin/salt".path;
config =
# python
''
import cachelib
BIND_ADDRESS = "127.0.0.1"
PORT = 8081
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'
'';
};
xserver = { xserver = {
enable = false; enable = false;
xkb.layout = "us"; xkb.layout = "us";
}; };
}; };
systemd.services.pdns-recursor.before = [ "acme-setup.service" ];
systemd.services.pdns.before = [ "acme-setup.service" ];
users.users = {
root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
];
"${username}".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
];
};
systemConf.security = { systemConf.security = {
allowedDomains = [ allowedDomains = [
"registry-1.docker.io" "registry-1.docker.io"
@ -466,52 +353,19 @@ in
image = "louislam/uptime-kuma:2"; image = "louislam/uptime-kuma:2";
volumes = [ volumes = [
"/var/lib/uptime-kuma:/app/data" "/var/lib/uptime-kuma:/app/data"
"${config.security.pki.caBundle}:/etc/ca.crt:ro"
]; ];
environment = {
NODE_EXTRA_CA_CERTS = "/etc/ca.crt";
};
}; };
}; };
}; };
}; };
systemd.services.raspamd-trainer = { systemd.services.rspamd-trainer = {
after = [ "pdns-recursor.service" ]; after = [ "pdns-recursor.service" ];
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts."uptime.${domain}" = {
"dns.${config.networking.domain}" = { useACMEHost = domain;
enableACME = true; forceSSL = true;
forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:3001";
locations."/dns-query" = {
extraConfig = ''
grpc_pass grpc://127.0.0.1:${toString 8053};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
'';
};
};
"powerdns.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/api".proxyPass = "http://127.0.0.1:8081";
locations."/".proxyPass = "http://127.0.0.1:8000";
};
"uptime.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
}; };
nix.settings.trusted-users = [
username
];
} }

9
system/dev/dn-server/network/step-ca.nix
View file

@ -1,4 +1,7 @@
{ pkgs, config, ... }: { pkgs, config, ... }:
let
inherit (config.networking) domain;
in
{ {
environment.systemPackages = with pkgs; [ step-cli ]; environment.systemPackages = with pkgs; [ step-cli ];
@ -57,7 +60,7 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
}; };
dnsNames = [ dnsNames = [
"10.0.0.1" "10.0.0.1"
"ca.net.dn" "ca.${domain}"
]; ];
federatedRoots = null; federatedRoots = null;
insecureAddress = ""; insecureAddress = "";
@ -81,8 +84,8 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
intermediatePasswordFile = config.sops.secrets."step_ca/password".path; intermediatePasswordFile = config.sops.secrets."step_ca/password".path;
}; };
services.nginx.virtualHosts."ca.net.dn" = { services.nginx.virtualHosts."ca.${domain}" = {
enableACME = true; useACMEHost = domain;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "https://10.0.0.1:8443/"; proxyPass = "https://10.0.0.1:8443/";

59
system/dev/dn-server/services/acme.nix Normal file
View file

@ -0,0 +1,59 @@
{
config,
pkgs,
...
}:
let
inherit (config.sops) secrets;
in
{
users.users.nginx.extraGroups = [ "acme" ];
sops.secrets = {
"acme/pdns" = {
mode = "0660";
owner = "acme";
group = "acme";
};
"acme/cloudflare" = {
mode = "0640";
};
};
systemConf.security.allowedDomains = [
"acme-v02.api.letsencrypt.org"
"api.cloudflare.com"
];
security.acme = {
acceptTerms = true;
defaults = {
server = "https://10.0.0.1:${toString config.services.step-ca.port}/acme/acme/directory";
validMinDays = 2;
renewInterval = "daily";
email = "danny@net.dn";
dnsProvider = "pdns";
dnsPropagationCheck = false;
environmentFile = secrets."acme/pdns".path;
};
certs."dnywe.com" = {
domain = "*.dnywe.com";
extraDomainNames = [
"*.stalwart.dnywe.com"
];
server = "https://acme-v02.api.letsencrypt.org/directory";
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
email = "postmaster@dnywe.com";
dnsPropagationCheck = true;
environmentFile = pkgs.writeText "lego-config" ''
LEGO_CA_CERTIFICATES=${config.security.pki.caBundle}
'';
credentialFiles = {
"CLOUDFLARE_DNS_API_TOKEN_FILE" = secrets."acme/cloudflare".path;
};
};
};
}

32
system/dev/dn-server/services/actual-budget.nix
View file

@ -1,7 +1,37 @@
{ config, ... }:
let
inherit (config.networking) domain;
inherit (config.sops) secrets;
hostname = "actual.${domain}";
oidcURL = "https://${config.services.keycloak.settings.hostname}/realms/master";
in
{ {
sops.secrets."actual/clientSecret" = {
owner = "actual";
group = "actual";
mode = "640";
};
imports = [ imports = [
(import ../../../modules/actual { (import ../../../modules/actual {
fqdn = "actual.net.dn"; fqdn = hostname;
}) })
]; ];
services.nginx.virtualHosts."${hostname}" = {
useACMEHost = domain;
};
services.actual.settings = {
loginMethod = "openid";
allowedLoginMethods = [ "openid" ];
openId = {
discoveryURL = "${oidcURL}/.well-known/openid-configuration";
client_id = "actual";
client_secret._secret = secrets."actual/clientSecret".path;
server_hostname = "https://${hostname}";
authMethod = "openid";
};
};
} }

11
system/dev/dn-server/services/bitwarden.nix
View file

@ -1,7 +1,16 @@
{ config, ... }:
let
inherit (config.networking) domain;
hostname = "bitwarden.${domain}";
in
{ {
imports = [ imports = [
(import ../../../modules/vaultwarden.nix { (import ../../../modules/vaultwarden.nix {
domain = "bitwarden.net.dn"; domain = hostname;
}) })
]; ];
services.nginx.virtualHosts."${hostname}" = {
useACMEHost = domain;
};
} }

8
system/dev/dn-server/services/default.nix
View file

@ -12,10 +12,8 @@
./keycloak.nix ./keycloak.nix
./netbird.nix ./netbird.nix
./hideTTY.nix ./hideTTY.nix
# (import ../../../modules/opencloud.nix { ./dns.nix
# fqdn = "opencloud.net.dn"; ./acme.nix
# envFile = config.sops.secrets."opencloud".path; ./ntfy.nix
# })
(import ./ntfy.nix { fqdn = "ntfy.net.dn"; })
]; ];
} }

164
system/dev/dn-server/services/dns.nix Normal file
View file

@ -0,0 +1,164 @@
{ config, lib, ... }:
let
inherit (builtins) listToAttrs;
inherit (lib) nameValuePair mkForce;
inherit (config.sops) secrets;
inherit (config.networking) domain;
splitDNS = listToAttrs (
map (x: nameValuePair x "127.0.0.1:5359") [
"${domain}."
]
);
in
{
services.resolved.enable = mkForce false;
sops.secrets = {
"powerdns-admin/secret" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
"powerdns-admin/salt" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
powerdns = {
mode = "0660";
owner = "pdns";
group = "pdns";
};
};
services.postgresql = {
enable = true;
authentication = ''
host powerdnsadmin powerdnsadmin 127.0.0.1/32 trust
'';
ensureUsers = [
{
name = "powerdnsadmin";
ensureDBOwnership = true;
}
{
name = "pdns";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"powerdnsadmin"
"pdns"
];
};
services.powerdns = {
enable = true;
extraConfig = ''
launch=gpgsql
loglevel=6
webserver-password=$WEB_PASSWORD
api=yes
api-key=$WEB_PASSWORD
gpgsql-host=/var/run/postgresql
gpgsql-dbname=pdns
gpgsql-user=pdns
gpgsql-dnssec=yes
webserver=yes
webserver-port=8081
local-port=5359
dnsupdate=yes
primary=yes
secondary=no
allow-dnsupdate-from=10.0.0.0/24
allow-axfr-ips=10.0.0.0/24
also-notify=10.0.0.148:53
'';
secretFile = secrets.powerdns.path;
};
services.pdns-recursor = {
enable = true;
forwardZones = {
"dn." = "127.0.0.1:5359";
}
// splitDNS;
forwardZonesRecurse = {
# ==== Rspamd DNS ==== #
"multi.uribl.com." = "168.95.1.1";
"score.senderscore.com." = "168.95.1.1";
"list.dnswl.org." = "168.95.1.1";
"dwl.dnswl.org." = "168.95.1.1";
# ==== Others ==== #
"tw." = "168.95.1.1";
"." = "1.1.1.1";
};
dnssecValidation = "off";
dns.allowFrom = [
"127.0.0.0/8"
"10.0.0.0/24"
"192.168.100.0/24"
];
dns.port = 5300;
yaml-settings = {
webservice.webserver = true;
recordcache.max_negative_ttl = 60;
};
};
services.dnsdist = {
enable = true;
extraConfig = ''
newServer("127.0.0.1:${toString config.services.pdns-recursor.dns.port}")
addDOHLocal("0.0.0.0:8053", nil, nil, "/", { reusePort = true })
getPool(""):setCache(newPacketCache(65535, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false}))
'';
};
services.powerdns-admin = {
enable = true;
secretKeyFile = config.sops.secrets."powerdns-admin/secret".path;
saltFile = config.sops.secrets."powerdns-admin/salt".path;
config =
# python
''
import cachelib
BIND_ADDRESS = "127.0.0.1"
PORT = 8081
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'
'';
};
services.nginx.virtualHosts = {
"dns.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/dns-query" = {
extraConfig = ''
grpc_pass grpc://127.0.0.1:${toString 8053};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
'';
};
};
"powerdns.${domain}" = {
useACMEHost = domain;
forceSSL = true;
locations."/api".proxyPass = "http://127.0.0.1:8081";
locations."/".proxyPass = "http://127.0.0.1:8000";
};
};
systemd.services.pdns-recursor.before = [ "acme-setup.service" ];
systemd.services.pdns.before = [ "acme-setup.service" ];
}

12
system/dev/dn-server/services/forgejo.nix
View file

@ -1,8 +1,10 @@
{ lib, config, ... }: { lib, config, ... }:
let let
inherit (config.networking) domain;
cfg = config.services.forgejo; cfg = config.services.forgejo;
srv = cfg.settings.server; srv = cfg.settings.server;
domain = "git.dnywe.com"; hostname = "git.${domain}";
mailServer = "mx1.net.dn"; mailServer = "mx1.net.dn";
forgejoOwner = { forgejoOwner = {
@ -39,7 +41,7 @@ in
settings = { settings = {
server = { server = {
DOMAIN = domain; DOMAIN = hostname;
ROOT_URL = "https://${srv.DOMAIN}"; ROOT_URL = "https://${srv.DOMAIN}";
HTTP_PORT = 32006; HTTP_PORT = 32006;
SSH_PORT = lib.head config.services.openssh.ports; SSH_PORT = lib.head config.services.openssh.ports;
@ -69,4 +71,10 @@ in
server.SECRET_KEY = config.sops.secrets."forgejo/server/secretKey".path; server.SECRET_KEY = config.sops.secrets."forgejo/server/secretKey".path;
}; };
}; };
services.nginx.virtualHosts.${hostname} = {
useACMEHost = domain;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${toString srv.HTTP_PORT}";
};
} }

9
system/dev/dn-server/services/keycloak.nix
View file

@ -2,7 +2,7 @@
{ lib, config, ... }: { lib, config, ... }:
let let
inherit (lib) mkForce; inherit (lib) mkForce;
domain = "dnywe.com"; inherit (config.networking) domain;
cfg = config.services.keycloak; cfg = config.services.keycloak;
in in
{ {
@ -12,6 +12,9 @@ in
}; };
}; };
# Disable nginx reverse proxy services.nginx.virtualHosts."${cfg.settings.hostname}" = {
services.nginx.virtualHosts."${cfg.settings.hostname}" = mkForce { }; useACMEHost = domain;
forceSSL = true;
enableACME = mkForce false;
};
} }

2
system/dev/dn-server/services/mail-server.nix
View file

@ -46,7 +46,7 @@ in
''; '';
webmail = { webmail = {
enable = true; enable = true;
hostname = "mail.${domain}"; hostname = "mail.dnywe.com";
}; };
keycloak = { keycloak = {
dbSecretFile = config.sops.secrets."oauth/password".path; dbSecretFile = config.sops.secrets."oauth/password".path;

18
system/dev/dn-server/services/metrics.nix
View file

@ -8,7 +8,10 @@
let let
inherit (helper.grafana) mkDashboard; inherit (helper.grafana) mkDashboard;
inherit (lib) optionalAttrs optional; inherit (lib) optionalAttrs optional;
inherit (config.networking) hostName; inherit (config.networking) hostName domain;
grafanaHostname = "grafana.${domain}";
prometheusHostname = "metrics.${domain}";
datasourceTemplate = [ datasourceTemplate = [
{ {
@ -55,7 +58,7 @@ in
{ {
imports = [ imports = [
(import ../../../modules/prometheus.nix { (import ../../../modules/prometheus.nix {
fqdn = "metrics.net.dn"; fqdn = prometheusHostname;
selfMonitor = true; selfMonitor = true;
configureNginx = true; configureNginx = true;
scrapes = [ scrapes = [
@ -108,7 +111,7 @@ in
}) })
(import ../../../modules/grafana.nix { (import ../../../modules/grafana.nix {
domain = "grafana.net.dn"; domain = grafanaHostname;
passFile = config.sops.secrets."grafana/password".path; passFile = config.sops.secrets."grafana/password".path;
smtpHost = "${config.mail-server.hostname}.${config.mail-server.domain}:465"; smtpHost = "${config.mail-server.hostname}.${config.mail-server.domain}:465";
smtpDomain = config.mail-server.domain; smtpDomain = config.mail-server.domain;
@ -194,4 +197,13 @@ in
}; };
enable = true; enable = true;
}; };
services.nginx.virtualHosts = {
"${grafanaHostname}" = {
useACMEHost = domain;
};
"${prometheusHostname}" = {
useACMEHost = domain;
};
};
} }

144
system/dev/dn-server/services/minecraft-server.nix
View file

@ -1,9 +1,32 @@
{ pkgs, ... }: {
pkgs,
config,
lib,
inputs,
...
}:
let let
modpack = pkgs.fetchPackwizModpack { inherit (config.sops) secrets;
inherit (inputs.nix-minecraft.lib) collectFilesAt;
modpack-shaderRetired = pkgs.fetchPackwizModpack {
url = "https://git.dnywe.com/dachxy/shader-retired-modpack/raw/branch/main/pack.toml"; url = "https://git.dnywe.com/dachxy/shader-retired-modpack/raw/branch/main/pack.toml";
packHash = "sha256-NPMS8j5NXbtbsso8R4s4lhx5L7rQJdek62G2Im3JdmM="; packHash = "sha256-NPMS8j5NXbtbsso8R4s4lhx5L7rQJdek62G2Im3JdmM=";
}; };
modpack-landscape = pkgs.fetchPackwizModpack {
url = "https://git.dnywe.com/dachxy/landscape-modpack/raw/branch/main/pack.toml";
packHash = "sha256-mQSE4PMrOupARpEIzdzg+gOD0VQGII4MrBUyr8VevKk=";
};
fabricProxy = pkgs.fetchurl rec {
pname = "FabricProxy-Lite";
version = "2.11.0";
url = "https://cdn.modrinth.com/data/8dI2tmqs/versions/nR8AIdvx/${pname}-${version}.jar";
hash = "sha256-68er6vbAOsYZxwHrszLeaWbG2D7fq/AkNHIMj8PQPNw=";
};
velocityCfg = config.services.velocity;
in in
{ {
systemConf.security.allowedDomains = [ systemConf.security.allowedDomains = [
@ -13,29 +36,110 @@ in
"login.microsoftonline.com" "login.microsoftonline.com"
]; ];
sops.secrets."velocity" = {
owner = velocityCfg.user;
};
sops.secrets."fabricProxy" = {
owner = "minecraft";
};
services.velocity = {
enable = true;
openFirewall = true;
host = "0.0.0.0";
port = 25565;
settings = {
motd = "<#09add3>POG, MC server!";
player-info-forwarding-mode = "modern";
forwarding-secret-file = "${secrets."velocity".path}";
servers = {
shader-retired = "127.0.0.1:30066";
landscape = "127.0.0.1:30067";
try = [
"shader-retired"
];
};
forced-hosts = {
"server.vnet.dn" = [
"shader-retired"
];
"retired.mc.dnywe.com" = [
"shader-retired"
];
"landscape.mc.dnywe.com" = [
"landscape"
];
};
};
};
services.minecraft-servers = { services.minecraft-servers = {
enable = true; enable = true;
eula = true; eula = true;
}; };
services.minecraft-servers.servers.shader-retired = { services.minecraft-servers.servers = {
enable = true; shader-retired =
autoStart = true; let
openFirewall = true; mcVersion = modpack-shaderRetired.manifest.versions.minecraft;
package = pkgs.fabric-server; fabricVersion = modpack-shaderRetired.manifest.versions.fabric;
symlinks = { serverVersion = lib.replaceStrings [ "." ] [ "_" ] "fabric-${mcVersion}";
"mods" = "${modpack}/mods"; in
}; {
serverProperties = { enable = true;
autoStart = true;
jvmOpts = "-Xms2144M -Xmx8240M";
package = pkgs.fabricServers.${serverVersion}.override { loaderVersion = fabricVersion; };
symlinks = collectFilesAt modpack-shaderRetired "mods" // {
"mods/FabricProxy-Lite.jar" = fabricProxy;
};
files = {
"config/FabricProxy-Lite.toml" = "${secrets."fabricProxy".path}";
};
serverProperties = {
server-port = 30066;
difficulty = 3;
gamemode = "survival";
max-player = 20;
motd = "Bro!!!!";
accepts-flight = true;
accepts-transfers = true;
hardcore = false;
};
};
server-port = 25565; landscape =
difficulty = 3; let
gamemode = "survival"; mcVersion = modpack-landscape.manifest.versions.minecraft;
max-player = 20; fabricVersion = modpack-landscape.manifest.versions.fabric;
modt = "Bro!!!!"; serverVersion = lib.replaceStrings [ "." ] [ "_" ] "fabric-${mcVersion}";
accepts-flight = true; in
accepts-transfers = true; {
hardcore = false; enable = true;
}; autoStart = true;
enableReload = true;
jvmOpts = "-Xms2144M -Xmx8240M";
package = pkgs.fabricServers.${serverVersion}.override { loaderVersion = fabricVersion; };
symlinks = collectFilesAt modpack-landscape "mods" // {
"mods/FabricProxy-Lite.jar" = fabricProxy;
};
files = {
"config/FabricProxy-Lite.toml" = "${secrets."fabricProxy".path}";
};
serverProperties = {
server-port = 30067;
difficulty = 3;
gamemode = "survival";
max-player = 20;
motd = "Landscape, daug!";
accepts-flight = true;
accepts-transfers = true;
hardcore = false;
};
};
}; };
} }

8
system/dev/dn-server/services/netbird.nix
View file

@ -1,7 +1,7 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) mkForce; inherit (lib) mkForce;
domain = "dnywe.com"; inherit (config.networking) domain;
# Virtual Domain # Virtual Domain
vDomain = "vnet.dn"; vDomain = "vnet.dn";
@ -19,9 +19,9 @@ in
}; };
systemConf.security.allowedDomains = [ systemConf.security.allowedDomains = [
"login.dnywe.com" config.services.keycloak.settings.hostname
"pkgs.netbird.io"
"${srv.domain}" "${srv.domain}"
"pkgs.netbird.io"
]; ];
imports = [ imports = [
@ -71,6 +71,8 @@ in
''; '';
services.nginx.virtualHosts."${srv.domain}" = { services.nginx.virtualHosts."${srv.domain}" = {
useACMEHost = domain;
addSSL = true;
locations."/api" = { locations."/api" = {
extraConfig = '' extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

13
system/dev/dn-server/services/nextcloud.nix
View file

@ -7,10 +7,10 @@
let let
inherit (lib) mkIf mkDefault mkAfter; inherit (lib) mkIf mkDefault mkAfter;
inherit (config.sops) secrets; inherit (config.sops) secrets;
inherit (config.networking) domain;
spreedCfg = config.services.nextcloud-spreed-signaling; spreedCfg = config.services.nextcloud-spreed-signaling;
nextcloudCfg = config.services.nextcloud; nextcloudCfg = config.services.nextcloud;
turnDomain = "coturn.dnywe.com"; turnDomain = "coturn.${domain}";
domain = "net.dn";
in in
{ {
sops.secrets = { sops.secrets = {
@ -79,7 +79,7 @@ in
mail_smtpname = "nextcloud"; mail_smtpname = "nextcloud";
mail_smtpmode = "smtp"; mail_smtpmode = "smtp";
mail_smtpauthtype = "LOGIN"; mail_smtpauthtype = "LOGIN";
mail_domain = "net.dn"; mail_domain = "${domain}";
mail_smtpport = 465; mail_smtpport = 465;
mail_smtpsecure = "ssl"; mail_smtpsecure = "ssl";
mail_from_address = "nextcloud"; mail_from_address = "nextcloud";
@ -123,8 +123,13 @@ in
}; };
}; };
services.nginx.virtualHosts.${nextcloudCfg.hostName} = {
useACMEHost = domain;
forceSSL = true;
};
services.nginx.virtualHosts.${spreedCfg.hostName} = { services.nginx.virtualHosts.${spreedCfg.hostName} = {
enableACME = true; useACMEHost = domain;
forceSSL = true; forceSSL = true;
}; };

13
system/dev/dn-server/services/ntfy.nix
View file

@ -1,22 +1,19 @@
{
fqdn ? null,
}:
{ config, ... }: { config, ... }:
let let
inherit (config.networking) domain;
port = 31004; port = 31004;
finalFqdn = if fqdn == null then config.networking.fqdn else fqdn; hostname = "ntfy.${domain}";
in in
{ {
systemConf.security.allowedDomains = [ systemConf.security.allowedDomains = [
"ntfy.sh" "ntfy.sh"
"web.push.apple.com"
]; ];
services.ntfy-sh = { services.ntfy-sh = {
enable = true; enable = true;
settings = { settings = {
listen-http = ":${toString port}"; listen-http = ":${toString port}";
base-url = "https://${finalFqdn}"; base-url = "https://${hostname}";
upstream-base-url = "https://ntfy.sh"; upstream-base-url = "https://ntfy.sh";
behind-proxy = true; behind-proxy = true;
proxy-trusted-hosts = "127.0.0.1"; proxy-trusted-hosts = "127.0.0.1";
@ -30,8 +27,8 @@ in
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${finalFqdn}" = { "${hostname}" = {
enableACME = true; useACMEHost = domain;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyWebsockets = true; proxyWebsockets = true;

13
system/dev/dn-server/services/paperless-ngx.nix
View file

@ -1,9 +1,18 @@
{ config, ... }: { config, lib, ... }:
let
inherit (config.networking) domain;
hostname = "paperless.${domain}";
in
{ {
imports = [ imports = [
(import ../../../modules/paperless-ngx.nix { (import ../../../modules/paperless-ngx.nix {
domain = "paperless.net.dn"; domain = hostname;
passwordFile = config.sops.secrets."paperless/adminPassword".path; passwordFile = config.sops.secrets."paperless/adminPassword".path;
}) })
]; ];
services.nginx.virtualHosts."${hostname}" = {
useACMEHost = domain;
};
} }

13
system/dev/dn-server/sops/secret.yaml
View file

@ -8,6 +8,8 @@ netbird:
coturn: coturn:
password: ENC[AES256_GCM,data:AMWBkWLcj1EFfufl8pALpVOG0PE=,iv:sngIedZE4X8clhGIsQyiGKbdsheRbEqeU57Emz2DWJM=,tag:daRLPNrO5fq84rtieYuYYw==,type:str] password: ENC[AES256_GCM,data:AMWBkWLcj1EFfufl8pALpVOG0PE=,iv:sngIedZE4X8clhGIsQyiGKbdsheRbEqeU57Emz2DWJM=,tag:daRLPNrO5fq84rtieYuYYw==,type:str]
wt0-setupKey: ENC[AES256_GCM,data:2KKqmcdQhkbu4Qo8rVWLwT7NdpF7iWneDGazHQlM++LdGQNr,iv:Dfryc5Ak8ueuHCT+8SxliEJqUtn695/N3iE69a5AoCQ=,tag:wCKfCOcTFZWbZs99FhF2EQ==,type:str] wt0-setupKey: ENC[AES256_GCM,data:2KKqmcdQhkbu4Qo8rVWLwT7NdpF7iWneDGazHQlM++LdGQNr,iv:Dfryc5Ak8ueuHCT+8SxliEJqUtn695/N3iE69a5AoCQ=,tag:wCKfCOcTFZWbZs99FhF2EQ==,type:str]
actual:
clientSecret: ENC[AES256_GCM,data:1p/1ns46hrBXC80YvdBUV5BUrXxUmF5+q2YK/ENA1iQ=,iv:2ivuxwlKNy2awFkSlA946rIythd2Q5fROO8tc3HgtR4=,tag:S2dUoazTvh2hwpkSaZ/O4Q==,type:str]
nextcloud: nextcloud:
adminPassword: ENC[AES256_GCM,data:ev4Ua8JX0l0KK50SGm6xCw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:rIr+4x/p8u94e2Ip03iX0Q==,type:str] adminPassword: ENC[AES256_GCM,data:ev4Ua8JX0l0KK50SGm6xCw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:rIr+4x/p8u94e2Ip03iX0Q==,type:str]
whiteboard: ENC[AES256_GCM,data:EFrakjKTOskWBrobg/F12bdm/sM/cU4u6bUDw8TVqzmV95fNqn6n4MR+gTyKj6CG0+YLbZDHAmfsApWVH/VhDNTw3s1hkSu93Yq85ov7QEk=,iv:fYTLDOMmW+qoZVgC7fSPo+xFaytJN1gIaEcRgle+7gY=,tag:ETmXxGPsUafV3pR9cMLMXA==,type:str] whiteboard: ENC[AES256_GCM,data:EFrakjKTOskWBrobg/F12bdm/sM/cU4u6bUDw8TVqzmV95fNqn6n4MR+gTyKj6CG0+YLbZDHAmfsApWVH/VhDNTw3s1hkSu93Yq85ov7QEk=,iv:fYTLDOMmW+qoZVgC7fSPo+xFaytJN1gIaEcRgle+7gY=,tag:ETmXxGPsUafV3pR9cMLMXA==,type:str]
@ -19,7 +21,7 @@ nextcloud:
backendsecret: ENC[AES256_GCM,data:pV5yw755RkAwHBdmfeP37/SobFZqJouWyIiRJ+Y2mk0iiVdW04vhYVsyjcI=,iv:NhkewgnyE2Dw8mQMMSq6AWo6IOWu8BlyPZvZAszyZuQ=,tag:BlZO15qZWViV8pCWIgZHZQ==,type:str] backendsecret: ENC[AES256_GCM,data:pV5yw755RkAwHBdmfeP37/SobFZqJouWyIiRJ+Y2mk0iiVdW04vhYVsyjcI=,iv:NhkewgnyE2Dw8mQMMSq6AWo6IOWu8BlyPZvZAszyZuQ=,tag:BlZO15qZWViV8pCWIgZHZQ==,type:str]
step_ca: step_ca:
password: ENC[AES256_GCM,data:3NtUAl344gHiXLlMl88X17Vsm/4OKFM0W8bntzbXC0U=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:ibumK7ebPKNO/CXAS0eeRA==,type:str] password: ENC[AES256_GCM,data:3NtUAl344gHiXLlMl88X17Vsm/4OKFM0W8bntzbXC0U=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:ibumK7ebPKNO/CXAS0eeRA==,type:str]
vaultwarden: ENC[AES256_GCM,data:h8GFyXRMI51DZutX60up4vXTQLNY3q0pr+BWpZ5frJHwy6PVBTYts81K0aTIIU71epT4SVR3p3e8yUdU7jXS1Tw1ol0RnPL+bBNv7JyUede9mkrP4pnozmuCQqOdlHCaUvYyIoWFPrLiz/drXX7gJvWh6zYTTFn9mQ3wQE9J6rxoLzbMyS6raSn2O8Ke+YM0VRXYgVvsyEL3Aa0wV3qO5NDCZ67rZp4TG5U8tOrziw0gnKU3eBCuNyL/uU/7ySvfdxwv631vEi24+dxN+Kx6rlaJpJIywx9xxxoRhOz5TrHzptqRMWpg2GZL5qdVXiUxqYLgC3s7Ri0P2BwOslteO6Z6NXk0HSravbpz3sevEu+bRS7u2MLvL3keP48+EBsXNebnKY7nfqCoIPUQ86CIVGw5fNI+irnRR8kq6oV0MBDGXu6DgmzKV7crFp65zzVSqfFOntVYSqgtQnnM1CmkuGJD,iv:51zbASyFgprzYCMswiEM81p8C0kFhSc28VavCHqRsF0=,tag:LvcY2DbeA71/PXEnjph3dw==,type:str] vaultwarden: ENC[AES256_GCM,data:unu2+istP/NHcns2HUvNYveGElAEDFI+6X/KXYu2hKvY9c57PhmGVEmwlNhMWjHOSLaIvF48iDKCMnFnk20Fop5S2PS8WdNQ5sAA3mhoBnYGKIVsSsjpAqdIKj5c+AozeFODuIrCPRFm1JbOlgcmniwWNwbKtXt8GrgHzBbFUNX00npOwK9NmZOTxPVCj6gs3purULbsTzxDYZKdtqoM0Rv8E+MM/SLTR3QJnTCi7CxWfqy2tSsNzFh4puyZ0xf03m/fMP2iJqwZKjr0G5DwMl8ng0XvnojUcAg3OO34T7VCR1E6unqOpt8Mxc4l5eDVZEp6euchLB1GHP1OaElLCGvlp16xFKQyu+XtuFKxDrgl+AjVXl/rdl8Sk7fa9x6VzYbbJIR5Nzrwb+x9sJIc0Q5u6MroVsfawUzNH3aWkBCxQ0jGqkWyAZyumOuLxODpYETUCxiaBW6unEYSABibY5Q=,iv:5T/N41eLnPThRs1nwFiqMqyd6+RMWkDz6N4yVuAojH0=,tag:1gyxAtpZw/uhPWOoioFqKw==,type:str]
ldap: ldap:
password: ENC[AES256_GCM,data:gz5WBopSffGyvJxKDPekPQ==,iv:bX7N9/oNMhtE/KbPah2ge4s87P2VsxHGoFkOyl83dxs=,tag:YoTe6NPAJgp/0nvhHC9Y5A==,type:str] password: ENC[AES256_GCM,data:gz5WBopSffGyvJxKDPekPQ==,iv:bX7N9/oNMhtE/KbPah2ge4s87P2VsxHGoFkOyl83dxs=,tag:YoTe6NPAJgp/0nvhHC9Y5A==,type:str]
env: ENC[AES256_GCM,data:68EvTHeBqtCVfde5oO+Wzny+l/YIMWQmbcNQ0Wl59EjMrSlJM0rmFm2lMJpxKzCN2cFs0N2z6zG1/eQ9t/SxxyVBrNA6ECnCZrerIo2YGlaT30tc1rffpd8TchMH1VKP5qHnbLUqORMx5z0LR4U49l2HVcHgSCjt/1f127oMi411vIU=,iv:+m1F0CBaoJGv6Z1u+h6rbsXGPUhxgHouTalj13ccJiY=,tag:I/hK65yPaIcgHEZVaXJHBA==,type:str] env: ENC[AES256_GCM,data:68EvTHeBqtCVfde5oO+Wzny+l/YIMWQmbcNQ0Wl59EjMrSlJM0rmFm2lMJpxKzCN2cFs0N2z6zG1/eQ9t/SxxyVBrNA6ECnCZrerIo2YGlaT30tc1rffpd8TchMH1VKP5qHnbLUqORMx5z0LR4U49l2HVcHgSCjt/1f127oMi411vIU=,iv:+m1F0CBaoJGv6Z1u+h6rbsXGPUhxgHouTalj13ccJiY=,tag:I/hK65yPaIcgHEZVaXJHBA==,type:str]
@ -33,7 +35,8 @@ powerdns: ENC[AES256_GCM,data:d4qzUAjyHUxLynvP6vSxCzrihfb/X3KYHeRA/w+CButld7ulxL
rspamd-trainer: ENC[AES256_GCM,data:EqWVADi7zr6AUZL5mlN1/xbpjuRIS3Zn,iv:M/xk7LywcRiKQM9LrnTnCKu3OS/YBf23CRkxh4ll1+c=,tag:4lH3hhMxWIzEUExJOt/41Q==,type:str] rspamd-trainer: ENC[AES256_GCM,data:EqWVADi7zr6AUZL5mlN1/xbpjuRIS3Zn,iv:M/xk7LywcRiKQM9LrnTnCKu3OS/YBf23CRkxh4ll1+c=,tag:4lH3hhMxWIzEUExJOt/41Q==,type:str]
rspamd: ENC[AES256_GCM,data:qEXHXdcvk24pAHEl6MI=,iv:L5tmoTu5Qk5sxDj3EmWfc39AHwRTT4T4gB1O2EsTQkY=,tag:vIhAOnEpWxtP0eU4stkQww==,type:str] rspamd: ENC[AES256_GCM,data:qEXHXdcvk24pAHEl6MI=,iv:L5tmoTu5Qk5sxDj3EmWfc39AHwRTT4T4gB1O2EsTQkY=,tag:vIhAOnEpWxtP0eU4stkQww==,type:str]
acme: acme:
env: ENC[AES256_GCM,data:DQaHr13K3faeyQk/05sVmmZRNvEbjmMP8y3nES1vyFO+oNX9nyyWcy5YEAO5tjRTxi/yM1ISlhbXWct4iRwAkvnhtoFRK/jpAfDv+W3J1LotaRxiPWSXUs5lS7uS0DpveRwQVv6qEl3Cs8vitHAJfRCKJoYv5HTJyvOnoWqHbnk=,iv:co3V0vu2c26NKHuoNoRv7td8qu6m0NTlvkr3EJBQGvM=,tag:leTY/DGg85Pm8gsAHah29Q==,type:str] pdns: ENC[AES256_GCM,data:pQbUDyKCRz36CAI1UhxLnsgDmQ1Hhfv6iqA8R3YBdWXHHXIHMXz2ujVz+/fPCEnbLuMevAzT2L5Pejm0q38FQitcbRNngueymOWX2Iq/T1GP+t/Yhfy/r24dubgX5sH6USl2du2MmIwxa5VwBpjoTi3+CjqalV2sp8+HYwXWNKQ=,iv:8sX4R5xgdlq8EyDEUcvoROs21h2pAH1C3TpDw4I2WLs=,tag:aQhuoldv4fRz2+NmHfCWNQ==,type:str]
cloudflare: ENC[AES256_GCM,data:JwIL00LMPQeIxesD5umO5iBkIFFBZek9iHw76BT4/km3UX+nUn+wcw==,iv:wJIW869+BY+w9ynL4jF40mSrXpClVW9HGnOwTaKIT/k=,tag:c/NK+RzwNfvB+jh6vliM0g==,type:str]
postsrsd: postsrsd:
secret: ENC[AES256_GCM,data:JZNwSymEjIFb8h3gnvFajxSaNYRxjA/NUruA4WX+uSqX0ufVcbVWgxQTr7U=,iv:ydGnCESCLbwyGKc+5witXDkT3OgW27LKen7PkqUL6mU=,tag:M3RGI6LgU5n2e6ZiXxTFfQ==,type:str] secret: ENC[AES256_GCM,data:JZNwSymEjIFb8h3gnvFajxSaNYRxjA/NUruA4WX+uSqX0ufVcbVWgxQTr7U=,iv:ydGnCESCLbwyGKc+5witXDkT3OgW27LKen7PkqUL6mU=,tag:M3RGI6LgU5n2e6ZiXxTFfQ==,type:str]
grafana: grafana:
@ -60,6 +63,8 @@ forgejo:
secretKey: ENC[AES256_GCM,data:DShv0oGdrHi40OMGz6/8XsiNY7nFcdJswBXucP9t7JQtgj9wk8Wr2mn17rfzkjNXTRletI60OPGPz2c57xOnTA==,iv:9TVma4i167123hyVA4yMAGsc9074+Yd4qggL7PkhUKg=,tag:/ELp01jK7of78Kyn+aOcMA==,type:str] secretKey: ENC[AES256_GCM,data:DShv0oGdrHi40OMGz6/8XsiNY7nFcdJswBXucP9t7JQtgj9wk8Wr2mn17rfzkjNXTRletI60OPGPz2c57xOnTA==,iv:9TVma4i167123hyVA4yMAGsc9074+Yd4qggL7PkhUKg=,tag:/ELp01jK7of78Kyn+aOcMA==,type:str]
mailer: mailer:
password: ENC[AES256_GCM,data:dcIotYpgtdFLcunAB3ttlczzQ68=,iv:vH3rckAfntFAEtH3dolF7NCAdj142cAzre56x7oBdDA=,tag:TaxRn8g/TVloM60D6Ud0Jg==,type:str] password: ENC[AES256_GCM,data:dcIotYpgtdFLcunAB3ttlczzQ68=,iv:vH3rckAfntFAEtH3dolF7NCAdj142cAzre56x7oBdDA=,tag:TaxRn8g/TVloM60D6Ud0Jg==,type:str]
velocity: ENC[AES256_GCM,data:PYGSXfivm7OyKhBMKPOVDs+efpcb0hhwCAxlT05pM+kg9t0lH4TEMuxBXFRs80LUiQx+CYXyw8UvBkkKwPEc,iv:PppenjXIQ+eirCor3PxT16r2S7wO8bww5v/RyjQh9MI=,tag:Dc3BzmyQcTwYsvWShQ/JqQ==,type:str]
fabricProxy: ENC[AES256_GCM,data:srGYmqHgfkxAKKSjy9uGX1mQpE3N0rXb06MYiycbYESj/sZu/vjsPspvUdzTHHb9zkF5SWLWkmP6llIpimkss/dm7A1pGlagin3+,iv:yoWQdWeP9UjoRO5rJ9FQGbBu3iypIdXGrSDqBfFhw6w=,tag:+d/Tp/m3vENZAXJyHOMJEA==,type:str]
sops: sops:
age: age:
- recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2 - recipient: age17rjcght2y5p4ryr76ysnxpy2wff62sml7pyc5udcts48985j05vqpwdfq2
@ -89,7 +94,7 @@ sops:
OFloWEFuTC9GTXJsMG5NNktmdmIrY1kK0yN0ae0xNaydujV5lt2FiwXdyursG0DK OFloWEFuTC9GTXJsMG5NNktmdmIrY1kK0yN0ae0xNaydujV5lt2FiwXdyursG0DK
9i/B3TTAm9csDMMSTSFbiAUJDzG7kIqn++JU/cxvsGScSnhMqjEK/g== 9i/B3TTAm9csDMMSTSFbiAUJDzG7kIqn++JU/cxvsGScSnhMqjEK/g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-09T04:59:21Z" lastmodified: "2026-01-19T10:14:12Z"
mac: ENC[AES256_GCM,data:NIHLAoNatyAhKHwCNdRGMR8+rUv00y/ssoGSQlq9/QayYt/GATfelgNwcqksSWf/db5v+Jz92bbk3RT9SKeoMWRxjm+8xzARbjhHGrzxAeLoerGPjQpEpkYYWbFC2ihSODrE+ar3HskAkQmVxmiGKEtYSg3+X2hiEy6ydZkP5Ps=,iv:mAyO820PpeG6NWQlmQf+l9MLIL4OTGJXCBSqYbmozZk=,tag:+Bex5hyAGBXiFoqxqVtaqg==,type:str] mac: ENC[AES256_GCM,data:d9OAnjstk72GOnKqyDw2qbNfZho0mdqAMSQ4xH903b1COmgIn4MsqWiCzDJ5k6RxLE4wfCAPvn8JA+cXiox6/xctqfyqLoWN4fp2Q40IHjbA3mQGalwywRgmga74PVe3gJPZ7H8PJncN0TdU29A/lGcUtjCkAqjBuFS4e7wbQfA=,iv:e6aG+plaSDtaiqglY5S1svE/XZfs7n9dhSNCiB5pdTs=,tag:BsGItrtDVFF2kXgwE1zaFA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0

20
system/dev/dn-server/sops/sops-conf.nix
View file

@ -17,31 +17,11 @@ in
mode = "0660"; mode = "0660";
group = config.users.groups.docker.name; group = config.users.groups.docker.name;
}; };
"powerdns-admin/secret" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
"powerdns-admin/salt" = {
mode = "0660";
owner = "powerdnsadmin";
group = "powerdnsadmin";
};
powerdns = {
mode = "0660";
owner = "pdns";
group = "pdns";
};
rspamd-trainer = { rspamd-trainer = {
}; };
rspamd = mkIf config.services.rspamd.enable { rspamd = mkIf config.services.rspamd.enable {
owner = config.services.rspamd.user; owner = config.services.rspamd.user;
}; };
"acme/env" = mkIf config.security.acme.acceptTerms {
mode = "0660";
owner = "acme";
group = "acme";
};
"postsrsd/secret" = mkIf config.services.postsrsd.enable { "postsrsd/secret" = mkIf config.services.postsrsd.enable {
mode = "0660"; mode = "0660";
owner = config.services.postsrsd.user; owner = config.services.postsrsd.user;

2
system/dev/public/dn/common.nix
View file

@ -5,7 +5,7 @@ in
{ {
systemConf = { systemConf = {
face = ../../../../home/config/.face; face = ../../../../home/config/.face;
domain = "net.dn"; domain = "dnywe.com";
}; };
home-manager.users."${username}" = home-manager.users."${username}" =

4
system/dev/public/dn/ntfy.nix
View file

@ -1,10 +1,12 @@
{ {
self,
config, config,
pkgs, pkgs,
lib, lib,
... ...
}: }:
let let
serverCfg = self.nixosConfigurations.dn-server.config;
inherit (config.systemConf) username; inherit (config.systemConf) username;
ntfyWrapper = import ../../../../home/scripts/ntfy.nix { inherit config pkgs lib; }; ntfyWrapper = import ../../../../home/scripts/ntfy.nix { inherit config pkgs lib; };
in in
@ -30,7 +32,7 @@ in
{ {
enable = true; enable = true;
settings = { settings = {
default-host = "https://ntfy.net.dn"; default-host = serverCfg.services.ntfy-sh.settings.base-url;
subscribe = [ subscribe = [
{ {
topic = "public-notifications"; topic = "public-notifications";

6
system/dev/skydrive-lap/home/default.nix
View file

@ -1,16 +1,18 @@
{ {
self,
config, config,
lib, lib,
pkgs, pkgs,
... ...
}: }:
let let
inherit (config.networking) hostName; serverCfg = self.nixosConfigurations.dn-server.config;
inherit (config.systemConf) username; inherit (config.systemConf) username;
inherit (lib) optionalString; inherit (lib) optionalString;
inherit (serverCfg.services.nextcloud) hostName;
memeSelector = pkgs.callPackage ../../../../home/scripts/memeSelector.nix { memeSelector = pkgs.callPackage ../../../../home/scripts/memeSelector.nix {
url = "https://nextcloud.net.dn/public.php/dav/files/pygHoPB5LxDZbeY/"; url = "https://${hostName}/public.php/dav/files/pygHoPB5LxDZbeY/";
}; };
in in
{ {

25
system/modules/actual/default.nix
View file

@ -8,21 +8,28 @@
... ...
}: }:
let let
inherit (builtins) toString;
inherit (lib) mkIf; inherit (lib) mkIf;
finalFqdn = if fqdn != null then fqdn else config.networking.fqdn; finalFqdn = if fqdn != null then fqdn else config.networking.fqdn;
in in
{ {
users.users.actual = {
isSystemUser = true;
group = "actual";
};
users.groups.actual = { };
services = { services = {
actual = { actual = {
enable = true; enable = true;
user = config.users.users.actual.name;
group = config.users.users.actual.group;
settings = { settings = {
port = 31000; port = 31000;
hostname = "127.0.0.1"; hostname = "127.0.0.1";
serverFiles = "/var/lib/actual/server-files"; serverFiles = "/var/lib/actual/server-files";
userFiles = "/var/lib/actual/user-files"; userFiles = "/var/lib/actual/user-files";
loginMethod = "openid";
}; };
}; };
@ -35,11 +42,21 @@ in
}; };
services.nginx.virtualHosts."${finalFqdn}" = mkIf proxy { services.nginx.virtualHosts."${finalFqdn}" = mkIf proxy {
enableACME = true;
forceSSL = true; forceSSL = true;
locations."/api/".proxyPass = locations."/api/".proxyPass =
"http://127.0.0.1:${toString config.services.actual-budget-api.listenPort}/"; "http://127.0.0.1:${toString config.services.actual-budget-api.listenPort}/";
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.actual.settings.port}"; locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.actual.settings.port}";
extraConfig = ''
proxy_hide_header Cross-Origin-Embedder-Policy;
proxy_hide_header Cross-Origin-Opener-Policy;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Origin-Agent-Cluster "?1" always;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
'';
};
}; };
} }

1
system/modules/grafana.nix
View file

@ -58,7 +58,6 @@ in
// extraConf; // extraConf;
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {

16
system/modules/nextcloud.nix
View file

@ -3,7 +3,7 @@
adminpassFile, adminpassFile,
datadir ? null, datadir ? null,
https ? true, https ? true,
configureACME ? true, configureNginx ? true,
trusted-domains ? [ ], trusted-domains ? [ ],
trusted-proxies ? [ ], trusted-proxies ? [ ],
whiteboardSecrets ? [ ], whiteboardSecrets ? [ ],
@ -16,13 +16,6 @@
}: }:
let let
inherit (lib) mkIf optionalString; inherit (lib) mkIf optionalString;
nextcloudPkg = pkgs.nextcloud32.overrideAttrs (oldAttr: rec {
caBundle = config.security.pki.caBundle;
postPatch = ''
cp ${caBundle} resources/config/ca-bundle.crt
'';
});
in in
{ {
imports = [ imports = [
@ -86,13 +79,12 @@ in
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = nextcloudPkg;
configureRedis = true; configureRedis = true;
hostName = hostname; hostName = hostname;
https = https; https = https;
datadir = lib.mkIf (datadir != null) datadir; datadir = lib.mkIf (datadir != null) datadir;
phpExtraExtensions = phpExtraExtensions =
all: with all; [ allEx: with allEx; [
imagick imagick
]; ];
@ -153,9 +145,7 @@ in
secrets = whiteboardSecrets; secrets = whiteboardSecrets;
}; };
services.nginx.virtualHosts.${hostname} = mkIf configureACME { services.nginx.virtualHosts.${hostname} = mkIf configureNginx {
enableACME = true;
forceSSL = true;
locations."/whiteboard/" = { locations."/whiteboard/" = {
proxyWebsockets = true; proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${config.services.nextcloud-whiteboard-server.settings.PORT}/"; proxyPass = "http://127.0.0.1:${config.services.nextcloud-whiteboard-server.settings.PORT}/";

13
system/modules/niri.nix
View file

@ -73,7 +73,7 @@ in
extraPortals = with pkgs; [ xdg-desktop-portal-gtk ]; extraPortals = with pkgs; [ xdg-desktop-portal-gtk ];
}; };
services.nfsm.enable = false; services.nfsm.enable = true;
programs.niri.package = osConfig.programs.niri.package; programs.niri.package = osConfig.programs.niri.package;
programs.niri.settings = { programs.niri.settings = {
@ -154,6 +154,7 @@ in
matches = [ matches = [
{ app-id = "^xdg-desktop-portal-gtk$"; } { app-id = "^xdg-desktop-portal-gtk$"; }
{ app-id = "^(org.gnome.Nautilus)$"; } { app-id = "^(org.gnome.Nautilus)$"; }
{ app-id = "^(org.gnome.Loupe)$"; }
]; ];
open-floating = true; open-floating = true;
} }
@ -177,9 +178,9 @@ in
in in
{ {
# ==== Launch ==== # # ==== Launch ==== #
"Mod+Return".action = sh ''${prefix} ${terminal}''; "Mod+Return".action = sh "${prefix} ${terminal}";
"Mod+F".action = sh ''${browser}''; "Mod+F".action = sh "${browser}";
"Mod+E".action = sh ''${prefix} ${terminal} -e yazi''; "Mod+E".action = sh "${prefix} ${terminal} -e yazi";
"Mod+Ctrl+P".action = spawn "${rbwSelector}"; "Mod+Ctrl+P".action = spawn "${rbwSelector}";
"Mod+Ctrl+M".action = spawn "${toggleWlogout}"; "Mod+Ctrl+M".action = spawn "${toggleWlogout}";
@ -198,9 +199,9 @@ in
"XF86AudioStop".action = spawn "playerctl" "stop"; "XF86AudioStop".action = spawn "playerctl" "stop";
"XF86AudioMute".action = spawn "wpctl" "set-mute" "@DEFAULT_SINK@" "toggle"; "XF86AudioMute".action = spawn "wpctl" "set-mute" "@DEFAULT_SINK@" "toggle";
"XF86AudioRaiseVolume".action = "XF86AudioRaiseVolume".action =
sh ''wpctl set-mute @DEFAULT_SINK@ 0 && wpctl set-volume @DEFAULT_SINK@ ${volumeStep}%+''; sh "wpctl set-mute @DEFAULT_SINK@ 0 && wpctl set-volume @DEFAULT_SINK@ ${volumeStep}%+";
"XF86AudioLowerVolume".action = "XF86AudioLowerVolume".action =
sh ''wpctl set-mute @DEFAULT_SINK@ 0 && wpctl set-volume @DEFAULT_SINK@ ${volumeStep}%-''; sh "wpctl set-mute @DEFAULT_SINK@ 0 && wpctl set-volume @DEFAULT_SINK@ ${volumeStep}%-";
"XF86MonBrightnessDown".action = spawn "brightnessctl set ${brightnessStep}%-"; "XF86MonBrightnessDown".action = spawn "brightnessctl set ${brightnessStep}%-";
"XF86MonBrightnessUp".action = spawn "brightnessctl set ${brightnessStep}%+"; "XF86MonBrightnessUp".action = spawn "brightnessctl set ${brightnessStep}%+";

6
system/modules/nixsettings.nix
View file

@ -1,4 +1,7 @@
{ inputs, ... }: { config, inputs, ... }:
let
inherit (config.systemConf) username;
in
{ {
documentation.nixos.enable = false; documentation.nixos.enable = false;
nix = { nix = {
@ -14,6 +17,7 @@
warn-dirty = false; warn-dirty = false;
trusted-users = [ trusted-users = [
"@wheel" "@wheel"
username
]; ];
experimental-features = [ experimental-features = [
"nix-command" "nix-command"

1
system/modules/paperless-ngx.nix
View file

@ -29,7 +29,6 @@ in
}; };
services.nginx.virtualHosts."${domain}" = mkIf configureNginx { services.nginx.virtualHosts."${domain}" = mkIf configureNginx {
enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}"; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}";
}; };

3
system/modules/prometheus.nix
View file

@ -7,12 +7,10 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
let let
inherit (lib) mkIf optionalAttrs; inherit (lib) mkIf optionalAttrs;
inherit (builtins) toString;
in in
{ {
services.prometheus.exporters.node = mkIf selfMonitor { services.prometheus.exporters.node = mkIf selfMonitor {
@ -43,7 +41,6 @@ in
}; };
services.nginx.virtualHosts."${fqdn}" = mkIf configureNginx { services.nginx.virtualHosts."${fqdn}" = mkIf configureNginx {
enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {

8
system/modules/shells/noctalia/bar.nix
View file

@ -1,6 +1,10 @@
{ lib }:
let
inherit (lib) mkForce;
in
{ {
backgroundOpacity = 0.25; backgroundOpacity = mkForce 0.25;
capsuleOpacity = 0; capsuleOpacity = mkForce 0;
density = "comfortable"; density = "comfortable";
exclusive = true; exclusive = true;
floating = true; floating = true;

13
system/modules/shells/noctalia/default.nix
View file

@ -2,7 +2,8 @@
let let
inherit (config.systemConf) username; inherit (config.systemConf) username;
inherit (lib) mkForce mapAttrs; inherit (builtins) mapAttrs;
inherit (lib) mkForce;
in in
{ {
@ -57,7 +58,7 @@ in
volumeOverdrive = false; volumeOverdrive = false;
volumeStep = 5; volumeStep = 5;
}; };
bar = import ./bar.nix; bar = import ./bar.nix { inherit lib; };
brightness = { brightness = {
brightnessStep = 5; brightnessStep = 5;
enableDdcSupport = false; enableDdcSupport = false;
@ -98,7 +99,7 @@ in
}; };
controlCenter = import ./controlCenter.nix; controlCenter = import ./controlCenter.nix;
dock = { dock = {
backgroundOpacity = 1; backgroundOpacity = 1.0;
colorizeIcons = false; colorizeIcons = false;
displayMode = "auto_hide"; displayMode = "auto_hide";
enabled = false; enabled = false;
@ -162,7 +163,7 @@ in
manualSunset = "18:30"; manualSunset = "18:30";
}; };
notifications = { notifications = {
backgroundOpacity = 1; backgroundOpacity = 1.0;
criticalUrgencyDuration = 15; criticalUrgencyDuration = 15;
enableKeyboardLayoutToast = true; enableKeyboardLayoutToast = true;
enabled = true; enabled = true;
@ -176,7 +177,7 @@ in
}; };
osd = { osd = {
autoHideMs = 1500; autoHideMs = 1500;
backgroundOpacity = 1; backgroundOpacity = 1.0;
enabled = true; enabled = true;
enabledTypes = [ enabledTypes = [
0 0
@ -207,7 +208,7 @@ in
fontDefaultScale = 1; fontDefaultScale = 1;
fontFixed = config.stylix.fonts.monospace.name; fontFixed = config.stylix.fonts.monospace.name;
fontFixedScale = 1; fontFixedScale = 1;
panelBackgroundOpacity = 0.25; panelBackgroundOpacity = mkForce 0.25;
panelsAttachedToBar = true; panelsAttachedToBar = true;
settingsPanelAttachToBar = true; settingsPanelAttachToBar = true;
tooltipsEnabled = true; tooltipsEnabled = true;

10
system/modules/systemd-resolv.nix
View file

@ -7,11 +7,9 @@
services.resolved = { services.resolved = {
enable = true; enable = true;
llmnr = "false"; settings.Resolve = {
fallbackDns = [ LLMNR = false;
"1.1.1.1#one.one.one.one" Domains = [ "~." ];
"1.0.0.1#one.one.one.one" };
];
domains = [ "~." ];
}; };
} }

5
system/modules/vaultwarden.nix
View file

@ -26,8 +26,8 @@ in
environmentFile = secrets.vaultwarden.path; environmentFile = secrets.vaultwarden.path;
config = { config = {
DOMAIN = "https://${domain}"; DOMAIN = "https://${domain}";
SIGNUPS_ALLOWED = true; SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true; SIGNUPS_VERIFY = false;
ROCKET_PORT = 8222; ROCKET_PORT = 8222;
ROCKET_ADDRESS = "127.0.0.1"; ROCKET_ADDRESS = "127.0.0.1";
ROCKET_LOG = "critical"; ROCKET_LOG = "critical";
@ -42,7 +42,6 @@ in
}; };
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.config.ROCKET_PORT}/"; proxyPass = "http://127.0.0.1:${toString cfg.config.ROCKET_PORT}/";