move lotte.chir.rs to new infra

This commit is contained in:
Charlotte 🦝 Delenk 2024-12-05 11:34:14 +01:00
parent 3637a21604
commit 2859992921
Signed by: darkkirb
GPG key ID: AB2BD8DAF2E37122
12 changed files with 573 additions and 519 deletions


@ -73,3 +73,11 @@ creation_rules:
- *instance-20221213-1915
- *rainbow-resort
- *lotte
- path_regex: config/services/chir-rs/secrets\.yaml$
key_groups:
- age:
- *nixos-8gb-fsn1-1
- *nas
- *instance-20221213-1915
- *rainbow-resort
- *lotte
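Review bot: The new `config/services/chir-rs/secrets\.yaml` rule encrypts the object-storage credentials, PASETO key and database URL to five age recipients, but only nixos-8gb-fsn1-1, nas and instance-20221213-1915 import the service in this commit, so `*rainbow-resort` and `*lotte` look copied from the rule above rather than chosen for this file. Trimming the key group to the hosts that actually decrypt the file (plus an admin key, if `*lotte` is one) limits which host keys can recover the S3 secret if any other machine is compromised. After editing the rule the file needs `sops updatekeys` so the recipient list in secrets.yaml matches.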


@ -3,7 +3,8 @@
lib,
modulesPath,
...
} @ args: {
}@args:
{
networking.hostName = "instance-20221213-1915";
networking.hostId = "746d4523";
@ -24,7 +25,7 @@
./zfs.nix
#./services/kubernetes.nix
./services/gitea.nix
./services/chir-rs.nix
./services/chir-rs
];
boot.initrd.availableKernelModules = [
@ -32,9 +33,9 @@
"virtio_pci"
"usbhid"
];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "tank/local/root";
@ -93,7 +94,7 @@
services.postgresql.dataDir = "/persist/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
networking.wireguard.interfaces."wg0".ips = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453/64"];
networking.wireguard.interfaces."wg0".ips = [ "fd0d:a262:1fa6:e621:746d:4523:5c04:1453/64" ];
home-manager.users.darkkirb = import ./home-manager/darkkirb.nix {
desktop = false;
inherit args;
@ -126,8 +127,8 @@
owner = "root";
path = "/etc/secrets/initrd/ssh_host_ed25519_key";
};
sops.age.sshKeyPaths = lib.mkForce ["/persist/ssh/ssh_host_ed25519_key"];
services.bind.forwarders = lib.mkForce [];
sops.age.sshKeyPaths = lib.mkForce [ "/persist/ssh/ssh_host_ed25519_key" ];
services.bind.forwarders = lib.mkForce [ ];
boot.loader.systemd-boot.configurationLimit = lib.mkForce 1;
services.tailscale.useRoutingFeatures = "server";
services.postgresql.settings = {
@ -149,5 +150,5 @@
max_parallel_maintenance_workers = 2;
};
services.restic.backups.sysbackup.paths = ["/persist"];
services.restic.backups.sysbackup.paths = [ "/persist" ];
}


@ -6,7 +6,8 @@
nixpkgs,
pkgs,
...
} @ args: {
}@args:
{
networking.hostName = "nas";
networking.hostId = "70af00ed";
@ -41,12 +42,20 @@
./services/forgejo-runner.nix
./services/renovate.nix
./services/mautrix-slack.nix
./services/chir-rs
];
hardware.cpu.amd.updateMicrocode = true;
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "sd_mod" "bcache"];
boot.initrd.kernelModules = ["igb"];
boot.kernelModules = ["kvm-amd"];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
"bcache"
];
boot.initrd.kernelModules = [ "igb" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [
config.boot.kernelPackages.zenpower
];
@ -54,19 +63,29 @@
fileSystems."/" = {
device = "/dev/bcache0";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd"];
options = [
"subvol=root"
"compress=zstd"
];
};
fileSystems."/home" = {
device = "/dev/bcache0";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
options = [
"subvol=home"
"compress=zstd"
];
};
fileSystems."/nix" = {
device = "/dev/bcache0";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
options = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
services.snapper.configs.main = {
@ -81,7 +100,10 @@
spec = "/";
hashTableSizeMB = 2048;
verbosity = "crit";
extraOptions = ["--loadavg-target" "5.0"];
extraOptions = [
"--loadavg-target"
"5.0"
];
};
fileSystems."/boot" = {
@ -184,7 +206,7 @@
driSupport32Bit = true;
};
services.xserver.videoDrivers = ["nvidia"];
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia = {
modesetting.enable = true;
@ -195,7 +217,7 @@
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
services.restic.backups.sysbackup = {
paths = ["/media"];
paths = [ "/media" ];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
@ -207,5 +229,8 @@
enable = true;
#enableNvidia = true;
};
environment.systemPackages = with pkgs; [docker runc];
environment.systemPackages = with pkgs; [
docker
runc
];
}


@ -5,7 +5,8 @@
config,
system,
...
} @ args: {
}@args:
{
networking.hostName = "nixos-8gb-fsn1-1";
networking.hostId = "73561e1f";
@ -31,14 +32,22 @@
./wireguard
./zfs.nix
#./services/kubernetes.nix
./services/chir-rs
];
boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.supportedFilesystems = ["zfs"];
boot.loader.grub.devices = ["/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_16151622"];
boot.initrd.availableKernelModules = [
"ata_piix"
"virtio_pci"
"virtio_scsi"
"xhci_pci"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
boot.loader.grub.devices = [ "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_16151622" ];
boot.loader.timeout = 5;
boot.initrd.luks.devices = {
disk0 = {
@ -49,106 +58,106 @@
fileSystems."/" = {
device = "tank/nixos";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/nix" = {
device = "tank/nixos/nix";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/etc" = {
device = "tank/nixos/etc";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/var" = {
device = "tank/nixos/var";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/var/lib" = {
device = "tank/nixos/var/lib";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/var/lib/minio" = {
device = "tank/nixos/var/lib/minio";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/var/lib/minio/disk0" = {
device = "tank/nixos/var/lib/minio/disk0";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/var/lib/minio/disk1" = {
device = "tank/nixos/var/lib/minio/disk1";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/var/lib/minio/disk2" = {
device = "tank/nixos/var/lib/minio/disk2";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/var/lib/minio/disk3" = {
device = "tank/nixos/var/lib/minio/disk3";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/var/log" = {
device = "tank/nixos/var/log";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/var/spool" = {
device = "tank/nixos/var/spool";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/home" = {
device = "tank/userdata/home";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/root" = {
device = "tank/userdata/home/root";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/home/darkkirb" = {
device = "tank/userdata/home/darkkirb";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/home/miifox" = {
device = "tank/userdata/home/miifox";
fsType = "zfs";
options = ["zfsutil"];
options = [ "zfsutil" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/8E14-4366";
fsType = "vfat";
options = ["X-mount.mkdir"];
options = [ "X-mount.mkdir" ];
};
swapDevices = [];
swapDevices = [ ];
system.stateVersion = "21.11";
@ -163,7 +172,7 @@
'';
};
networking.wireguard.interfaces."wg0".ips = ["fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49/64"];
networking.wireguard.interfaces."wg0".ips = [ "fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49/64" ];
home-manager.users.darkkirb = import ./home-manager/darkkirb.nix {
desktop = false;
inherit args;
@ -203,7 +212,7 @@
};
services.resolved.enable = false;
services.bind.forwarders = lib.mkForce [];
services.bind.forwarders = lib.mkForce [ ];
services.tailscale.useRoutingFeatures = "server";
services.caddy.virtualHosts."darkkirb.de" = {
useACMEHost = "darkkirb.de";


@ -1,64 +0,0 @@
λ ( secretsFile
: { staticDir : Text, connectionString : Text, signUpKey : Text
, nodeName : Text }
) →
let SqliteConfig =
{ Type =
{ filename : Text
, walEnabled : Optional Bool
, fkEnabled : Optional Bool
, extraPragmas : Optional (List Text)
}
, default =
{ walEnabled = None Bool
, fkEnabled = None Bool
, extraPragmas = None (List Text)
}
}
let PostgresConfig =
{ Type =
{ connectionString : Text
, poolStripes : Natural
, poolIdleTimeout : Natural
}
, default = { poolStripes = 0, poolIdleTimeout = 300 }
}
let LogLevel =
{ Type =
< LogLevelDebug
| LogLevelInfo
| LogLevelWarn
| LogLevelError
| LogLevelOther : Text
>
}
let Config =
{ Type =
{ listenPort : Natural
, database : PostgresConfig.Type
, databasePoolSize : Natural
, staticDir : Text
, logLevel : LogLevel.Type
, nodeName : Text
, signUpKey : Text
, rpId : Text
}
, default =
{ databasePoolSize = 10
, staticDir = "./static"
, logLevel = LogLevel.Type.LogLevelInfo
}
}
in Config::{
, listenPort = 62936
, database = PostgresConfig::{ connectionString = secretsFile.connectionString }
, logLevel = LogLevel.Type.LogLevelInfo
, signUpKey = secretsFile.signUpKey
, rpId = "lotte-test.chir.rs"
, staticDir = secretsFile.staticDir
, nodeName = secretsFile.nodeName
}


@ -1,96 +0,0 @@
{
lib,
pkgs,
config,
chir-rs,
system,
...
}: let
staticDir = pkgs.stdenvNoCC.mkDerivation {
name = "static";
buildPhase = "true";
src = pkgs.emptyDirectory;
installPhase = ''
mkdir $out
for f in ${chir-rs.packages.${system}.chir-rs-fe}/*; do
ln -sv $f $out
done
ln -sv ${chir-rs.packages.${system}.art-assets} $out/img
'';
};
auxCfg = pkgs.writeText "config.dhall" ''
${./chir-rs.dhall} {
staticDir = "${staticDir}",
connectionString = "postgres://chir_rs:" ++ (${config.sops.secrets."services/chir-rs/database-password".path} as Text) ++ "@nixos-8gb-fsn1-1.int.chir.rs/chir_rs",
signUpKey = ${config.sops.secrets."services/chir-rs/signup-secret".path} as Text,
nodeName = "${config.networking.hostName}"
}
'';
in {
systemd.services.chir-rs = {
enable = true;
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
Restart = "always";
PrivateTmp = true;
WorkingDirectory = "/tmp";
User = "chir-rs";
CapabilityBoundingSet = [""];
DeviceAllow = [""];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
ExecStart = ''
${chir-rs.packages.${system}.chir-rs}/bin/chir-rs
'';
};
environment = {
CHIR_RS_CONFIG = "${auxCfg}";
};
};
sops.secrets."services/chir-rs/database-password".owner = "chir-rs";
sops.secrets."services/chir-rs/signup-secret".owner = "chir-rs";
services.postgresql.ensureDatabases = [
"chir_rs"
];
services.postgresql.ensureUsers = [
{
name = "chir_rs";
ensureDBOwnership = true;
}
];
services.caddy.virtualHosts."lotte-test.chir.rs" = {
useACMEHost = "chir.rs";
logFormat = lib.mkForce "";
extraConfig = ''
import baseConfig
reverse_proxy http://127.0.0.1:62936 {
trusted_proxies private_ranges
}
'';
};
users.users.chir-rs = {
description = "Chir.rs domain server";
isSystemUser = true;
group = "chir-rs";
};
users.groups.chir-rs = {};
}


@ -0,0 +1,121 @@
{
lib,
pkgs,
config,
chir-rs,
system,
...
}:
let
configFile = (pkgs.formats.toml { }).generate "config.toml" {
cache_max_size = 16000000;
paseto_secret_key_file = config.sops.secrets."services/chir-rs/paseto-secret-key".path;
logging = {
sentry_dsn = "https://c9d12e36a24cf7cd7addfff060884d0d@o253952.ingest.us.sentry.io/4508341406793728";
};
http = { };
gemini = {
host = "lotte.chir.rs";
private_key = "/var/lib/acme/chir.rs/key.pem";
certificate = "/var/lib/acme/chir.rs/cert.pem";
};
s3 = {
endpoint = "https://ams1.vultrobjects.com/";
region = "us-east-1";
access_key_id_file = config.sops.secrets."services/chir-rs/access-key-id".path;
secret_access_key_file = config.sops.secrets."services/chir-rs/secret-access-key".path;
bucket = "chir-rs";
};
database.path = config.sops.secrets."services/chir-rs/database-url".path;
};
in
{
systemd.services.chir-rs = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Restart = "always";
PrivateTmp = true;
WorkingDirectory = "/tmp";
User = "chir-rs";
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
ExecStart = ''
${chir-rs.packages.${system}.chir-rs}/bin/chir-rs
'';
};
environment = {
CHIR_RS_CONFIG = "${configFile}";
};
};
sops.secrets."services/chir-rs/paseto-secret-key" = {
owner = "chir-rs";
sopsFile = ./secrets.yaml;
};
sops.secrets."services/chir-rs/access-key-id" = {
owner = "chir-rs";
sopsFile = ./secrets.yaml;
};
sops.secrets."services/chir-rs/secret-access-key" = {
owner = "chir-rs";
sopsFile = ./secrets.yaml;
};
sops.secrets."services/chir-rs/database-url" = {
owner = "chir-rs";
sopsFile = ./secrets.yaml;
};
services.postgresql.ensureDatabases = [
"chir_rs"
];
services.postgresql.ensureUsers = [
{
name = "chir_rs";
ensureDBOwnership = true;
}
];
services.caddy.virtualHosts."lotte.chir.rs" = {
useACMEHost = "chir.rs";
logFormat = lib.mkForce "";
extraConfig = ''
import baseConfig
reverse_proxy {
to http://instance-20221213-1915.int.chir.rs:5621 http://nixos-8gb-fsn1-1.int.chir.rs:5621 http://nas.int.chir.rs:5621
trusted_proxies private_ranges
lb_retries 3
lb_try_duration 2s
health_uri /.api/readyz
header_up Host {upstream_hostport}
}
'';
};
users.users.chir-rs = {
description = "Chir.rs domain server";
isSystemUser = true;
group = "chir-rs";
};
users.groups.chir-rs = { };
}
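Review bot: The Gemini listener is pointed at the shared ACME key `/var/lib/acme/chir.rs/key.pem`, but the unit runs as `chir-rs` with only its own primary group and nothing in this module grants read access to the acme group or reloads the unit when the certificate renews; unless that is done elsewhere, add `SupplementaryGroups = [ config.security.acme.certs."chir.rs".group ];` to `serviceConfig` and `security.acme.certs."chir.rs".reloadServices = [ "chir-rs.service" ];`, and note that this hands the key for every chir.rs vhost to this service, so a dedicated certificate for lotte.chir.rs would be the smaller blast radius. `http = { }` leaves the bind address and port to the binary's defaults while Caddy reaches the backend at `<host>.int.chir.rs:5621`; set them explicitly to the internal address so the backend is not exposed on public interfaces if a default changes. Because this module now bundles the backend with the public Caddy vhost and is imported by all three hosts, each of them (including nas) gets the `lotte.chir.rs` vhost and needs the `chir.rs` ACME certificate; splitting the vhost into a module imported only by the edge hosts keeps the certificate and the public listener off machines that only run the backend.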


@ -0,0 +1,62 @@
services:
chir-rs:
paseto-secret-key: ENC[AES256_GCM,data:tTYBMA7LwmkKVyMERegZXnX5tL5lly0lL+nADBxDZN/cNQeQhZm+sT+VSg==,iv:OlFE1cpK3QQJ/DcuGHIjFc6+oLLLB9D4n+7sawiBD60=,tag:tmte7j9Fujc9NPoncEB1Ww==,type:str]
access-key-id: ENC[AES256_GCM,data:o3TM4GMU94QesHvpaaSfIUb8txE=,iv:zmfDr+RNkuYoYUT8BNu1DZbj8D+MpnsyWLqUEdhrRp4=,tag:OCWNU6eIGYt76yMPisyFaA==,type:str]
secret-access-key: ENC[AES256_GCM,data:kRxXzZpQje07Aoet5ga6RBnMlOLeF9dMMjrnzmvnHVOHK3FU04kAYQ==,iv:RNjJI9iBZRy+EM9EBPuVavVFEGOWy3+CyIId2Du8UYI=,tag:VgRyUGn77snLr4IbizrLrA==,type:str]
database-url: ENC[AES256_GCM,data:WrbOtp/82my4ciEnxwU2Q331OwlW7Iy2TQbttlLWbyxRRm1uMmZ6YYn2vEsh71BSiGw/26JO+UuVjPNutGKwujUQWwWhNkJNcZ2f5ee1e2PzjrXKszeXblb5QJsvyx4R,iv:+eorzBca2pdQPbQhXCJOabCzjJw+XuU6j2tHp2fm1aU=,tag:7hy+v3RsKxGnrGy+H2F+7A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4U1dSejljT1JzNjdQaFhH
Q1o4WXRaWTRiUHBFOG80QXV3ekgwSm5KcGhBCmxXZlhyeE9JZDlkNnIwRGcrakd3
V3BTcWZNcS84RWxoNm1DbURqcEZUWlEKLS0tIDFvV1hkOTlFeFJPTnJBQVIxZ0F4
U0YrNVhEOHpBY1k5cWI5MU9rc3J1Y00KfDWRGhRIQnhkj+DoHxv9hDVfYZ+COnvB
KPMi1LX9RVjKzBVhfhVheHpBcFb63InSlBFWbGDUvVz/j6WDUMAG+A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1c7y687sxh428wk34s8ws6kemu62mggafpt40rmanevgkuj5xa59q6f7tlc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZa0x6eklGSWF0WE9vZE9H
NVBOdkl3cHpnUlFUbkRIY3BqTXUxN1NLMmpFCkxMR2s0YlQ2UGd6Si9qdUdyN3g4
VUpBNU1NTysybktSZmVldmJXMXRLaUUKLS0tIDNDVVhBNTRTMjFHVjFyQjc2U0Qx
clJ0cHNISXN3ZmUyc3V2ZW1VR01ieTQKv4zThHezYGDcf9vDql+Lynu6pE4v2y1X
uB4Uc6Y7uYFY5QOigYJCXVzjN8e0oO/Wuhw1CXJKhMvueZnrGQ52/g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1elra3uklw8rmwkevqms2l4tsd06d5utqda9d2w4qvqpz898uzuesugxkhc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVR3kyTDZVVGhMZnQ3bzFB
Z1Zpd3Frc2k2YUNUVnNvYkdEb2FmY3RTbGljCmpaY0lYVkhtT3JMZjdkRjcxOG5L
TTRVTzQvcXJYdUp4TVc3VlRvd0I5VFUKLS0tIC9zSHhWNWtzSXBxMUNGVEYxKzBU
MkY1UGttNWp6bnI4RWlVaEcxSmNwaEkKBf8bHI1xFX3IVVeAXa1McmIEYGfFSJIN
GSAZbAE45yIUhICPVUABbDeh1ktoWnemhaWIcjgrQYbcrvngBv1QwQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age19vzypddhexvvsf8xylstxc9znnkd8rxmamhjlt7elvz4j3zaf5tqqura6f
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMEc4MDVoa2J0VjdYVHZX
UmNHVlFWMVUyTmtiSmVaL042QjBMUFBtZW5jCkc3YmFDMTJERjE5ZWoxeU5TZnF1
SDdrQjBocU5LdkNXUFRxWlkrT3hNWlUKLS0tIG1rdkxabWtSSDUvYzYreFN1MHhq
MFdZS1ZyYy9aUWFsaElxdElQSi9nRHcK0uMWpLyMJmoOd5w/s7/1lC8vfLuRnU9S
DKSZr4FV8ujU8sA0UUDlaWcXvpgKIJDT49QiGjiSbyai+522MFKN0g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Sjh6SGhBSkFCVEJLbW5j
YUZUNmJjUGwyUmVxdTlNL3BORUxlTlBpSkRnCmtWSFBCZEd3TE1QRG02L1ZURWxB
b1Nsd3Q2aTB0WUF0QjNXR0ZrNmh6SU0KLS0tIG1rbUNYNm9RZTZpUFlIRk1YMnpI
cEJHUzE3QjUyUUFQZWRYaGJ0c1NUSnMKWZnz5h//CEvfaaIqLfyDvVgX1iOaKtJS
NMWPInLJGEWGetl1EiCLDnar9UNJBpqgzAt+TLNpe7QEC+RoceVXQQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-05T10:18:58Z"
mac: ENC[AES256_GCM,data:IKCioppowoNJYYnMkGikliH16L5q/+fRNqGjrE9HHIi+veo1hX2RjfvGWUvdYwlUHUa0MsuhlB1i36Y/rjZnVNI7jDWGojxFiqdPdreYvO7Scch0wnzQ+95FakvEobbfu8FKMcqL/OJFnKbsHMwqMC6hD4+DuBQl2UOz/caRXp8=,iv:JJLXqiPmvQogeT21nLg/etTWkhFAHotv1uL1C/8qp7U=,tag:s7Hl9ebm+YO16ocAvI/Ngw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -155,6 +155,7 @@ in
reverse_proxy http://127.0.0.1:${toString config.services.hydra-dev.port} {
trusted_proxies private_ranges
header_up Host hydra.chir.rs
}
'';
};


@ -143,32 +143,35 @@
},
"chir-rs": {
"inputs": {
"flake-parts": [
"flake-parts"
"cargo2nix": [
"cargo2nix"
],
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"haskell-flake": "haskell-flake",
"microformats2-parser": "microformats2-parser",
"nixpkgs": [
"nixpkgs"
],
"systems": [
"systems"
],
"treefmt-nix": "treefmt-nix",
"webauthn": "webauthn"
"riscv-overlay": "riscv-overlay",
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1729675675,
"narHash": "sha256-Eo73j7AkSdb8XU7MlAZeuBH+tgRJGMY1tXjlOI//2JU=",
"lastModified": 1733387034,
"narHash": "sha256-tbGWUYObc5DstFds0Til/A/Tt64Ed7ZFUI0vadjUUyc=",
"ref": "refs/heads/main",
"rev": "48e5aade5bcc188d3c2cc4b446d445355b49b458",
"revCount": 380,
"rev": "f4b45cb2f8aeca95b59afd96ead8a5c36a6f224d",
"revCount": 24,
"type": "git",
"url": "https://git.chir.rs/chir.rs/chir.rs"
"url": "https://git.chir.rs/darkkirb/chir.rs"
},
"original": {
"type": "git",
"url": "https://git.chir.rs/chir.rs/chir.rs"
"url": "https://git.chir.rs/darkkirb/chir.rs"
}
},
"colorpickle": {
@ -479,21 +482,6 @@
"type": "github"
}
},
"haskell-flake": {
"locked": {
"lastModified": 1729428816,
"narHash": "sha256-PA3LR2aFS7GDaViGEl4gAbohwGLzU3dvykLCfNTLi+Y=",
"owner": "srid",
"repo": "haskell-flake",
"rev": "688cc5757af330c9c2c53b23a00fec6664ff8852",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "haskell-flake",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -679,22 +667,6 @@
"url": "https://git.lix.systems/lix-project/lix/archive/main.tar.gz"
}
},
"microformats2-parser": {
"flake": false,
"locked": {
"lastModified": 1695821315,
"narHash": "sha256-Et4yYDiIcIeMsEkZI9Y0Unh51fnuMQzScE4dxgXCGzo=",
"owner": "darkkirb",
"repo": "microformats2-parser",
"rev": "4e6b3aac8f5af3306261ef2782f7df990e96f429",
"type": "github"
},
"original": {
"owner": "darkkirb",
"repo": "microformats2-parser",
"type": "github"
}
},
"naersk": {
"inputs": {
"nixpkgs": [
@ -728,7 +700,7 @@
"hydra",
"nixpkgs"
],
"treefmt-nix": "treefmt-nix_2"
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1732351635,
@ -752,7 +724,7 @@
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix_3"
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1732351635,
@ -1114,6 +1086,27 @@
"type": "github"
}
},
"riscv-overlay": {
"inputs": {
"nixpkgs": [
"chir-rs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733038904,
"narHash": "sha256-M6JkngHqY/gacVebtpn63NXxFw9m7NtP/9WWtWurHPc=",
"owner": "DarkKirb",
"repo": "riscv-overlay",
"rev": "19c2d6af232de9af3c6691df5ed6b629da7731f4",
"type": "github"
},
"original": {
"owner": "DarkKirb",
"repo": "riscv-overlay",
"type": "github"
}
},
"root": {
"inputs": {
"admin-fe": "admin-fe",
@ -1207,27 +1200,6 @@
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"chir-rs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729242555,
"narHash": "sha256-6jWSWxv2crIXmYSEb3LEVsFkCkyVHNllk61X4uhqfCs=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "d986489c1c757f6921a48c1439f19bfb9b8ecab5",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"hydra",
@ -1249,7 +1221,7 @@
"type": "github"
}
},
"treefmt-nix_3": {
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nix-eval-jobs",
@ -1294,22 +1266,6 @@
"type": "git",
"url": "https://github.com/Open-Wine-Components/umu-launcher/"
}
},
"webauthn": {
"flake": false,
"locked": {
"lastModified": 1727705861,
"narHash": "sha256-DJOrV0PZAeRGbWe765ayvBhxk1w5LDsDUBObjwcEl/Q=",
"owner": "tweag",
"repo": "webauthn",
"rev": "e2abad5bc299914e18dc823ac016eb673004cbe5",
"type": "github"
},
"original": {
"owner": "tweag",
"repo": "webauthn",
"type": "github"
}
}
},
"root": "root",

flake.nix

@ -39,10 +39,12 @@ rec {
inputs.rust-overlay.follows = "rust-overlay";
};
chir-rs = {
url = "git+https://git.chir.rs/chir.rs/chir.rs";
url = "git+https://git.chir.rs/darkkirb/chir.rs";
inputs.cargo2nix.follows = "cargo2nix";
inputs.flake-compat.follows = "flake-compat";
inputs.flake-utils.follows = "flake-utils";
inputs.nixpkgs.follows = "nixpkgs";
inputs.systems.follows = "systems";
inputs.flake-parts.follows = "flake-parts";
inputs.rust-overlay.follows = "rust-overlay";
};
colorpickle = {
url = "github:AgathaSorceress/colorpickle";
@ -165,206 +167,208 @@ rec {
systems.url = "github:nix-systems/default";
};
outputs = {
self,
nixpkgs,
sops-nix,
home-manager,
lix-module,
...
} @ args: let
systems = [
{
name = "nixos-8gb-fsn1-1"; # Hetzner Server
system = "x86_64-linux";
}
{
name = "nas"; # My nas
system = "x86_64-linux";
}
{
name = "instance-20221213-1915"; # Oracle server
system = "aarch64-linux";
}
/*
outputs =
{
self,
nixpkgs,
sops-nix,
home-manager,
lix-module,
...
}@args:
let
systems = [
{
name = "devterm";
system = "aarch64-linux";
}
*/
];
mkPackages = system: let
pkgs = import nixpkgs {
inherit system;
overlays = [
args.gomod2nix.overlays.default
self.overlays.${system}
args.hydra.overlays.default
];
config.allowUnfree = true;
config.permittedInsecurePackages = [
"olm-3.2.16"
];
};
common = {
inherit
(pkgs)
emoji-lotte
emoji-volpeon-blobfox
emoji-volpeon-blobfox-flip
emoji-volpeon-bunhd
emoji-volpeon-bunhd-flip
emoji-volpeon-drgn
emoji-volpeon-fox
emoji-volpeon-gphn
emoji-volpeon-raccoon
emoji-volpeon-vlpn
emoji-volpeon-neofox
emoji-volpeon-neocat
emoji-volpeon-floof
emoji-rosaflags
emoji-raccoon
emoji-caro
lotte-art
alco-sans
constructium
fairfax
fairfax-hd
kreative-square
nasin-nanpa
matrix-media-repo
mautrix-discord
mautrix-whatsapp
mautrix-telegram
mautrix-slack
python-mautrix
python-tulir-telethon
papermc
python-plover-stroke
python-rtf-tokenize
plover
plover-plugins-manager
python-simplefuzzyset
plover-plugin-emoji
plover-plugin-tapey-tape
plover-plugin-yaml-dictionary
plover-plugin-machine-hid
plover-plugin-rkb1-hid
plover-plugin-dotool-output
plover-dict-didoesdigital
miifox-net
plover-plugin-python-dictionary
plover-plugin-stenotype-extended
asar-asm
bsnes-plus
yiffstash
plover-plugin-dict-commands
plover-plugin-last-translation
plover-plugin-modal-dictionary
plover-plugin-stitching
plover-plugin-lapwing-aio
mgba-dev
;
};
perSystem = {
aarch64-linux = {
#inherit (pkgs) linux-devterm;
};
};
in
common // perSystem.${system} or {};
in rec {
nixosConfigurations = builtins.listToAttrs (
map (
name = "nixos-8gb-fsn1-1"; # Hetzner Server
system = "x86_64-linux";
}
{
name,
system,
configName ? name,
}: {
inherit name;
value = nixpkgs.lib.nixosSystem {
name = "nas"; # My nas
system = "x86_64-linux";
}
{
name = "instance-20221213-1915"; # Oracle server
system = "aarch64-linux";
}
/*
{
name = "devterm";
system = "aarch64-linux";
}
*/
];
mkPackages =
system:
let
pkgs = import nixpkgs {
inherit system;
specialArgs =
args
// {
inherit system;
};
modules = [
(./config + "/${configName}.nix")
./config/default.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
(
{pkgs, ...}: {
home-manager.extraSpecialArgs =
args
// {
inherit system;
};
}
)
(import utils/link-input.nix args)
lix-module.nixosModules.default
overlays = [
args.gomod2nix.overlays.default
self.overlays.${system}
args.hydra.overlays.default
];
config.allowUnfree = true;
config.permittedInsecurePackages = [
"olm-3.2.16"
];
};
}
)
systems
);
overlays = {
x86_64-linux = import ./overlays args "x86_64-linux";
aarch64-linux = import ./overlays args "aarch64-linux";
};
devShell.x86_64-linux = let
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [
args.gomod2nix.overlays.default
self.overlays.x86_64-linux
];
};
common = {
inherit (pkgs)
emoji-lotte
emoji-volpeon-blobfox
emoji-volpeon-blobfox-flip
emoji-volpeon-bunhd
emoji-volpeon-bunhd-flip
emoji-volpeon-drgn
emoji-volpeon-fox
emoji-volpeon-gphn
emoji-volpeon-raccoon
emoji-volpeon-vlpn
emoji-volpeon-neofox
emoji-volpeon-neocat
emoji-volpeon-floof
emoji-rosaflags
emoji-raccoon
emoji-caro
lotte-art
alco-sans
constructium
fairfax
fairfax-hd
kreative-square
nasin-nanpa
matrix-media-repo
mautrix-discord
mautrix-whatsapp
mautrix-telegram
mautrix-slack
python-mautrix
python-tulir-telethon
papermc
python-plover-stroke
python-rtf-tokenize
plover
plover-plugins-manager
python-simplefuzzyset
plover-plugin-emoji
plover-plugin-tapey-tape
plover-plugin-yaml-dictionary
plover-plugin-machine-hid
plover-plugin-rkb1-hid
plover-plugin-dotool-output
plover-dict-didoesdigital
miifox-net
plover-plugin-python-dictionary
plover-plugin-stenotype-extended
asar-asm
bsnes-plus
yiffstash
plover-plugin-dict-commands
plover-plugin-last-translation
plover-plugin-modal-dictionary
plover-plugin-stitching
plover-plugin-lapwing-aio
mgba-dev
;
};
perSystem = {
aarch64-linux = {
#inherit (pkgs) linux-devterm;
};
};
in
common // perSystem.${system} or { };
in
pkgs.mkShell {
nativeBuildInputs = with pkgs; [
age
sops
ssh-to-age
nix-prefetch
nix-prefetch-git
jq
bundix
python3
python3Packages.yapf
github-cli
statix
alejandra
];
};
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
packages.x86_64-linux = mkPackages "x86_64-linux";
packages.aarch64-linux = mkPackages "aarch64-linux";
hydraJobs =
(builtins.listToAttrs (
rec {
nixosConfigurations = builtins.listToAttrs (
map (
{
name,
system,
...
}: {
configName ? name,
}:
{
inherit name;
value = {
${system} = nixosConfigurations.${name}.config.system.build.toplevel;
value = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = args // {
inherit system;
};
modules = [
(./config + "/${configName}.nix")
./config/default.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
(
{ pkgs, ... }:
{
home-manager.extraSpecialArgs = args // {
inherit system;
};
}
)
(import utils/link-input.nix args)
lix-module.nixosModules.default
];
};
}
)
systems
))
// {
inherit devShell;
inherit packages;
# Uncomment the line to build an installer image
# This is EXTREMELY LARGE and will make builds take forever
# installer.x86_64-linux = nixosConfigurations.installer.config.system.build.isoImage;
) systems
);
overlays = {
x86_64-linux = import ./overlays args "x86_64-linux";
aarch64-linux = import ./overlays args "aarch64-linux";
};
};
devShell.x86_64-linux =
let
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [
args.gomod2nix.overlays.default
self.overlays.x86_64-linux
];
};
in
pkgs.mkShell {
nativeBuildInputs = with pkgs; [
age
sops
ssh-to-age
nix-prefetch
nix-prefetch-git
jq
bundix
python3
python3Packages.yapf
github-cli
statix
alejandra
];
};
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
packages.x86_64-linux = mkPackages "x86_64-linux";
packages.aarch64-linux = mkPackages "aarch64-linux";
hydraJobs =
(builtins.listToAttrs (
map (
{
name,
system,
...
}:
{
inherit name;
value = {
${system} = nixosConfigurations.${name}.config.system.build.toplevel;
};
}
) systems
))
// {
inherit devShell;
inherit packages;
# Uncomment the line to build an installer image
# This is EXTREMELY LARGE and will make builds take forever
# installer.x86_64-linux = nixosConfigurations.installer.config.system.build.isoImage;
};
};
}
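Review bot: The whole flake is reformatted in nixfmt-rfc-style (`{ }`, `}@args:`, one list element per line), but `formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;` near the end of the outputs and `alejandra` in the devShell still point at the old formatter, so the next `nix fmt` will flip every file back; change it to `formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;` and swap the devShell package to match. The chir-rs input now comes from `git+https://git.chir.rs/darkkirb/chir.rs`, a different repository (24 commits in the lock, cargo2nix/rust-overlay instead of haskell-flake/webauthn), pinned by rev and narHash so the supply-chain side is fine; it would be worth saying in the description that the service was replaced by a rewrite rather than merely moved, since the `follows` lines mean it is built with this repo's rust-overlay toolchain instead of the one upstream pinned.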


@ -1,15 +1,19 @@
{
dns ? (import (builtins.fetchTarball "https://github.com/DarkKirb/dns.nix/archive/master.zip")).outputs,
dns ?
(import (builtins.fetchTarball "https://github.com/DarkKirb/dns.nix/archive/master.zip")).outputs,
zoneTTL ? 3600,
}:
with dns.lib.combinators; let
with dns.lib.combinators;
let
inherit (builtins) hasAttr;
merge = a: b:
merge =
a: b:
(a // b)
// (
if ((hasAttr "subdomains" a) && (hasAttr "subdomains" b))
then {subdomains = a.subdomains // b.subdomains;}
else {}
if ((hasAttr "subdomains" a) && (hasAttr "subdomains" b)) then
{ subdomains = a.subdomains // b.subdomains; }
else
{ }
);
oracleBase = {
A = [
@ -48,9 +52,13 @@ with dns.lib.combinators; let
{
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv4hint = ["130.162.60.127"];
ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"];
alpn = [
"http/1.1"
"h2"
"h3"
];
ipv4hint = [ "130.162.60.127" ];
ipv6hint = [ "2603:c020:8009:f100:f09a:894d:ef57:a278" ];
ttl = zoneTTL;
}
];
@ -92,9 +100,13 @@ with dns.lib.combinators; let
{
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv4hint = ["138.201.155.128"];
ipv6hint = ["2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"];
alpn = [
"http/1.1"
"h2"
"h3"
];
ipv4hint = [ "138.201.155.128" ];
ipv6hint = [ "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49" ];
ttl = zoneTTL;
}
];
@ -133,9 +145,19 @@ with dns.lib.combinators; let
{
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv4hint = ["138.201.155.128" "130.162.60.127"];
ipv6hint = ["2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49" "2603:c020:8009:f100:f09a:894d:ef57:a278"];
alpn = [
"http/1.1"
"h2"
"h3"
];
ipv4hint = [
"138.201.155.128"
"130.162.60.127"
];
ipv6hint = [
"2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"
"2603:c020:8009:f100:f09a:894d:ef57:a278"
];
ttl = zoneTTL;
}
];
@ -144,7 +166,7 @@ with dns.lib.combinators; let
SOA = {
nameServer = "ns1.chir.rs.";
adminEmail = "lotte@chir.rs";
serial = 56;
serial = 57;
};
NS = [
"ns1.chir.rs."
@ -210,42 +232,47 @@ with dns.lib.combinators; let
];
subdomains = {
_dmarc.TXT = [
(ttl zoneTTL (txt "v=DMARC1; p=reject; rua=mailto:dmarc@chir.rs; ruf=mailto:dmarc@chir.rs; sp=reject; adkim=s; aspf=s"))
(ttl zoneTTL (
txt "v=DMARC1; p=reject; rua=mailto:dmarc@chir.rs; ruf=mailto:dmarc@chir.rs; sp=reject; adkim=s; aspf=s"
))
];
_domainkey.subdomains.mail.TXT = [
(ttl zoneTTL (txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTZvuDWFmZOOMr9pogMK5lFBjV3nRAjUpFv3o0d4KhbRW/zVrOOdfdt83F6zSLzUqrxSOG3uKVG+J0KR4kX4BbYflSLZ++y91C0Uu5d+o3A8Y/z2vUSe5YVt44IaDQoPCCpuWEYyqKIEaKGXNFPvlsO6y551biM3raNjq5kEpb3wIDAQAB"))
(ttl zoneTTL (
txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTZvuDWFmZOOMr9pogMK5lFBjV3nRAjUpFv3o0d4KhbRW/zVrOOdfdt83F6zSLzUqrxSOG3uKVG+J0KR4kX4BbYflSLZ++y91C0Uu5d+o3A8Y/z2vUSe5YVt44IaDQoPCCpuWEYyqKIEaKGXNFPvlsO6y551biM3raNjq5kEpb3wIDAQAB"
))
];
_domainkey.subdomains.zmail.TXT = [
(ttl zoneTTL (txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYVA1GcJ+JSl/Qv3hHtnge+FwAMn0+4KXWH3Ut4Ma6li3jT3ibO3d7sk7D4jmqwSQH+vCh/HC7+0PI8PYM9TQIecVwdwBF/29yMpiyVDyEc8ppRfU5KeYJsPxSAS/quFHy3M24qfckXb5aor6aI0mOtq8Bvh+v+69CpJUGSkNLUQIDAQAB"))
(ttl zoneTTL (
txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYVA1GcJ+JSl/Qv3hHtnge+FwAMn0+4KXWH3Ut4Ma6li3jT3ibO3d7sk7D4jmqwSQH+vCh/HC7+0PI8PYM9TQIecVwdwBF/29yMpiyVDyEc8ppRfU5KeYJsPxSAS/quFHy3M24qfckXb5aor6aI0mOtq8Bvh+v+69CpJUGSkNLUQIDAQAB"
))
];
_keybase.TXT = [
(ttl zoneTTL (txt "keybase-site-verification=r044cwg0wOTW-ws35BA5MMRLNwjdTNJ4uOu6kgdTopI"))
];
www = createZone {};
api = createZone {};
www = createZone { };
api = createZone { };
git = createZone oracleBase;
mail = createZone {};
mail = createZone { };
mc = createZone oracleBase;
ns1 = createZone {};
ns2 = createZone {};
ns1 = createZone { };
ns2 = createZone { };
ns3 = createZone oracleBase;
ns4 = createZone oracleBase;
hydra = createZone {};
mastodon = createZone {};
hydra = createZone { };
mastodon = createZone { };
mastodon-assets.CNAME = [
"assets-chir-rs.b-cdn.net."
];
matrix = createZone {};
akko = createZone {};
peertube = createZone {};
mediaproxy.CNAME = ["mediaproxy-chir-rs.b-cdn.net."];
cache.CNAME = ["cache-chir-rs.b-cdn.net."];
matrix = createZone { };
akko = createZone { };
peertube = createZone { };
mediaproxy.CNAME = [ "mediaproxy-chir-rs.b-cdn.net." ];
cache.CNAME = [ "cache-chir-rs.b-cdn.net." ];
attic = createZone oracleBase;
lotte.CNAME = ["lotte-chir-rs.b-cdn.net."];
lotte-test = createZone oracleBase;
lotte = createFullZone { };
status = createZone oracleBase;
weblate = createFullZone {};
weblate = createFullZone { };
int =
delegateTo [
@ -273,4 +300,4 @@ with dns.lib.combinators; let
};
};
in
zone
zone
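Review bot: `lotte = createFullZone { };` replaces the CNAME to `lotte-chir-rs.b-cdn.net.`, so lotte.chir.rs now resolves straight to the origin hosts; whatever the CDN edge provided for this name (origin-address hiding, caching, rate limiting) no longer applies, which looks intentional given the Gemini listener added in the same commit needs direct records, but the CDN pull zone should be removed on the Bunny side rather than left pointing at the origin. Dropping `lotte-test` together with its Caddy vhost is consistent. `createFullZone` is defined outside this hunk, so I am assuming it publishes the same A/AAAA/HTTPS set as the other `createFullZone` entries in this file.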