diff options
| author | tzlil <tzlils@protonmail.com> | 2023-07-30 13:19:39 +0300 |
|---|---|---|
| committer | tzlil <tzlils@protonmail.com> | 2023-07-30 13:19:39 +0300 |
| commit | f72f22b250ecf22657ffc9e6082086377031ea8a (patch) | |
| tree | ce0f397e0933118b64bc58fab5463968d27fd0df /hosts/vps/services | |
| parent | 22743d455ebb1f44f07b429a2b82045ca5b1d3ac (diff) | |
clean up a bit
Diffstat (limited to 'hosts/vps/services')
| -rw-r--r-- | hosts/vps/services/git.nix | 93 | ||||
| -rw-r--r-- | hosts/vps/services/hydrus.nix | 60 | ||||
| -rw-r--r-- | hosts/vps/services/maloja.nix | 51 | ||||
| -rw-r--r-- | hosts/vps/services/matrix.nix | 159 | ||||
| -rw-r--r-- | hosts/vps/services/website.nix | 139 |
5 files changed, 502 insertions, 0 deletions
diff --git a/hosts/vps/services/git.nix b/hosts/vps/services/git.nix new file mode 100644 index 0000000..8bd4653 --- /dev/null +++ b/hosts/vps/services/git.nix @@ -0,0 +1,93 @@ +{ + pkgs, + config, + ... +}: { + config = { + users.groups.git = {}; + users.users.git = { + isSystemUser = true; + description = "tzlil"; + group = "git"; + home = "/home/git"; + packages = [pkgs.git]; + shell = "${pkgs.git}/bin/git-shell"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe" + ]; + }; + + # for syntax highlighting + users.groups.fcgiwrap = {}; + users.users.fcgiwrap = { + isSystemUser = true; + group = "fcgiwrap"; + packages = [pkgs.highlight pkgs.fcgiwrap]; + }; + + services = { + fcgiwrap = { + enable = true; + user = "fcgiwrap"; + group = "fcgiwrap"; + }; + caddy = { + virtualHosts."tzlil.net".extraConfig = '' + bind 0.0.0.0 + ${config.website.defaultHeaders} + handle_path /cgit/* { + handle /cgit.png { + root * ${pkgs.cgit}/cgit + file_server + } + handle /cgit.css { + try_files ${pkgs.fetchurl { + url = "https://jeremias.stotter.eu/cgi-bin/cgit.cgi/cgit-dark/plain/cgit.css"; + sha256 = "sha256-wqszujnWV5PRh3L23L1BFj/PKUElpyu1KhjqrHS8lCw="; + }} / + file_server + } + handle /favicon.ico { + root * ${pkgs.cgit}/cgit + file_server + } + handle { + reverse_proxy unix//run/fcgiwrap.sock { + transport fastcgi { + env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi + env CGIT_CONFIG ${pkgs.writeText "cgitrc" (pkgs.lib.generators.toKeyValue {} { + css = "/cgit/cgit.css"; + logo = "/cgit/cgit.png"; + favicon = "/favicon.ico"; + clone-url = pkgs.lib.concatStringsSep " " [ + "http://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL" + "ssh://git@tzlil.net:$CGIT_REPO_URL" + ]; + enable-log-filecount = 1; + enable-log-linecount = 1; + enable-git-config = 1; + root-title = "tzlil.net"; + root-desc = "Tzlil's Git Repositories"; + scan-path = "/home/git"; + about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.py"; + source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py"; + logo-link = "/"; + virtual-root = "/cgit"; + readme = ":README.md"; + })} + } + } + } + } + ''; + }; + }; + environment.persistence."/nix/persist".directories = [ + { + directory = "/home/git"; + user = "git"; + group = "git"; + } + ]; + }; +} diff --git a/hosts/vps/services/hydrus.nix b/hosts/vps/services/hydrus.nix new file mode 100644 index 0000000..c967fbc --- /dev/null +++ b/hosts/vps/services/hydrus.nix @@ -0,0 +1,60 @@ +{ + pkgs, + config, + lib, + ... +}: { + config = { + users.groups.hydrus = {}; + users.users.hydrus = { + isSystemUser = true; + description = "hydrus"; + group = "hydrus"; + home = "/home/hydrus"; + }; + + systemd.services.Xvnc = { + description = "Xvnc"; + wantedBy = ["multi-user.target"]; + + serviceConfig = { + ExecStart = "${pkgs.turbovnc}/bin/Xvnc :30 -iglx -depth 24 -rfbwait 120000 -deferupdate 1 -localhost -verbose -securitytypes none"; + User = "hydrus"; + Group = "hydrus"; + Restart = "on-failure"; + RestartSec = "5s"; + }; + }; + + systemd.services.hydrus = { + description = "Hydrus"; + wantedBy = ["multi-user.target" "Xvnc.service"]; + wants = ["podman-hydrus-web.service"]; + + serviceConfig = { + Environment = "DISPLAY=:30"; + ExecStart = "${pkgs.hydrus}/bin/hydrus-client -d /home/hydrus"; + User = "hydrus"; + Group = "hydrus"; + Restart = "on-failure"; + RestartSec = "5s"; + }; + }; + + security.lockKernelModules = lib.mkForce false; + virtualisation.oci-containers.containers.hydrus-web = { + ports = ["100.67.217.90:8080:80"]; + image = "ghcr.io/floogulinc/hydrus-web:dev"; + }; + + networking.firewall.allowedTCPPorts = [45869]; + + environment.persistence."/nix/persist".directories = [ + { + directory = "/home/hydrus"; + user = "hydrus"; + group = "hydrus"; + } + ]; + }; +} diff --git a/hosts/vps/services/maloja.nix b/hosts/vps/services/maloja.nix new file mode 100644 index 0000000..3d4530d --- /dev/null +++ b/hosts/vps/services/maloja.nix @@ -0,0 +1,51 @@ +{ + pkgs, + config, + lib, + ... +}: { + config = { + users.groups.maloja = {}; + users.users.maloja = { + isSystemUser = true; + description = "maloja"; + group = "maloja"; + home = "/var/lib/maloja"; + }; + + security.lockKernelModules = lib.mkForce false; + virtualisation.oci-containers.containers.maloja = { + ports = ["42010:42010"]; + image = "krateng/maloja"; + volumes = [ + "/var/lib/maloja:/data" + ]; + environment = { + MALOJA_DATA_DIRECTORY = "/data"; + MALOJA_SKIP_SETUP = "True"; + MALOJA_NAME = "tzlil"; + MAlOJA_PROXY_IMAGES = "True"; + }; + }; + + # systemd.services.podman-maloja.serviceConfig.User = "maloja"; + # systemd.services.podman-maloja.serviceConfig.Group = "maloja"; + + networking.firewall.allowedTCPPorts = [42010]; + + environment.persistence."/nix/persist".directories = [ + { + directory = "/var/lib/maloja"; + user = "maloja"; + group = "maloja"; + } + ]; + + services.caddy = { + virtualHosts."fm.tzlil.net".extraConfig = '' + bind 0.0.0.0 + reverse_proxy :42010 + ''; + }; + }; +} diff --git a/hosts/vps/services/matrix.nix b/hosts/vps/services/matrix.nix new file mode 100644 index 0000000..e2aa1a5 --- /dev/null +++ b/hosts/vps/services/matrix.nix @@ -0,0 +1,159 @@ +{ + pkgs, + config, + lib, + ... +}: { + config = { + # services.matrix-synapse = { + # enable = true; + # settings.server_name = config.networking.domain; + # settings.listeners = [ + # { + # port = 8008; + # bind_addresses = ["::1"]; + # type = "http"; + # tls = false; + # x_forwarded = true; + # resources = [ + # { + # names = ["client" "federation"]; + # compress = true; + # } + # ]; + # } + # ]; + # }; + # networking.firewall.allowedTCPPorts = [80 443]; + + age.secrets.matrix = { + file = ../../secrets/matrix.age; + mode = "600"; + owner = "root"; + group = "root"; + }; + + services.dendrite = let + database_config = { + connection_string = "postgresql:///dendrite?host=/run/postgresql"; + max_open_conns = 10; + max_idle_conns = 5; + }; + in { + enable = true; + + loadCredential = ["private_key:${config.age.secrets.matrix.path}" "tlsCert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.crt" "tlsKey:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.key"]; + + # tlsCert = "$CREDENTIALS_DIRECTORY/tlsCert"; + # tlsKey = "$CREDENTIALS_DIRECTORY/tlsKey"; + + # httpPort = null; + # httpsPort = 8448; + + settings = { + global = { + server_name = "tzlil.net"; + private_key = "$CREDENTIALS_DIRECTORY/private_key"; + + # preserve across restarts + jetstream.storage_path = "/var/lib/dendrite/"; + + dns_cache = { + enabled = true; + cache_size = 4096; + cache_lifetime = "600s"; + }; + + presence = { + enable_inbound = true; + enable_outbound = true; + }; + + cache.max_size_estimated = "16gb"; + }; + federation_api.key_perspectives = [ + { + server_name = "matrix.org"; + keys = [ + { + key_id = "ed25519:auto"; + public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; + } + { + key_id = "ed25519:a_RXGa"; + public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; + } + ]; + } + ]; + + app_service_api.database = database_config; + federation_api.database = database_config; + key_server.database = database_config; + media_api.database = database_config; + mscs.database = database_config; + room_server.database = database_config; + sync_api.database = database_config; + user_api.account_database = database_config; + user_api.device_database = database_config; + }; + }; + + systemd.services.dendrite.serviceConfig.ExecStart = lib.mkForce (lib.strings.concatStringsSep " " [ + "${pkgs.dendrite}/bin/dendrite" + "--config /run/dendrite/dendrite.yaml" + "--http-bind-address :8008" + "--https-bind-address :8448" + "--tls-cert $CREDENTIALS_DIRECTORY/tlsCert" + "--tls-key $CREDENTIALS_DIRECTORY/tlsKey" + ]); + + services.postgresql = { + enable = true; + ensureUsers = [ + { + name = "dendrite"; + ensurePermissions = { + "DATABASE dendrite" = "ALL PRIVILEGES"; + }; + } + ]; + + ensureDatabases = ["dendrite"]; + }; + + # not needed if i use /var/lib/private , DynamicUser can remap the permissions for the service + # systemd.services.dendrite.serviceConfig.User = "dendrite"; + # systemd.services.dendrite.serviceConfig.Group = "dendrite"; + environment.persistence."/nix/persist".directories = [ + { + directory = "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"; + user = "postgres"; + group = "postgres"; + } + + { + directory = "/var/lib/private/dendrite"; + user = "root"; + group = "root"; + } + ]; + + systemd.services.dendrite.after = ["postgresql.service"]; + + services.caddy = { + # for federation + virtualHosts."tzlil.net:8448".extraConfig = '' + reverse_proxy /_matrix/* localhost:8008 + ''; + # for clients + virtualHosts."tzlil.net".extraConfig = '' + reverse_proxy /_matrix/* localhost:8008 + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + respond /.well-known/matrix/server `{"m.server": "tzlil.net"}` + ''; + }; + networking.firewall.allowedTCPPorts = [8448]; + }; +} diff --git a/hosts/vps/services/website.nix b/hosts/vps/services/website.nix new file mode 100644 index 0000000..5d1d48a --- /dev/null +++ b/hosts/vps/services/website.nix @@ -0,0 +1,139 @@ +{ + pkgs, + config, + lib, + ... +}: { + options.website.defaultHeaders = lib.mkOption { + type = lib.types.str; + default = '' + header { + -Server + -Date + -Last-Modified + -Etag + -Accept-Ranges + # disable indexing by search engines + + X-Robots-Tag "noindex, nofollow" + + # disable FLoC tracking + # Permissions-Policy interest-cohort=() + + # enable HSTS + # Strict-Transport-Security max-age=31536000; + + # disable clients from sniffing the media type + # X-Content-Type-Options nosniff + + # clickjacking protection + # X-Frame-Options DENY + + # keep referrer data off of HTTP connections + # Referrer-Policy no-referrer-when-downgrade + } + ''; + }; + config = { + services.caddy = { + enable = true; + virtualHosts = { + "tzlil.net".extraConfig = '' + bind 0.0.0.0 + handle_path / { + try_files ${pkgs.writeText "index.html" '' + <style> + @media (prefers-color-scheme: dark) { + body { background-color: #121212; color: #d4d4d4; } + a { color: #7878ff; } + a:visited { color: #6464fa; } + } + </style> + <pre> + ~?~+=I?~~IIIII++,: .?= .,I=O8OZ.DNNO, ZD7:::=.? ,,:,,I,,:,~+?II?I?II?=+=~+7$ZO + ?==++??==+I???7..:. :II$77?I+ID~NND8.ZMN7~=~I7:,., :?7,.,.~+?I???????,+~7+$ZOZ + 7+===I+~===?I77: ? ,$7$.:.,I?=7NNNINMMMNOI=++ .~==I$7, ..++?I???I+=?.+:O+ZZOZ + ===++I+==?III??I,?, ~I7NN,.. ??ONNNMMMD$777$7I$ZOO$7?....+=????I~=+,:+,O8DNMM + ~=~==7II=+I?II7I,I+,8Z.II8D+=~:.,7$NMMMMMN8$7~. .. :88I. ..?=?++I:~+=.~~~NMMMNN + ~====II?I~+?I?$7I?~8D7+7$ZZNONDN8Z8NMMMMMMNNON:=. :,$.I7 .,+=??I:,=, .:,=DNNMMN + =+?==+==?~+=I?$$I+88D:I$8NMNDDNNNDNNNMMMMMMMMM8I$77=MMDO. :~=+?,,, .~,?8DDD8D + =~=+==I7I=IIIIO$=~OOD=I7ODNNNNMNNDNDNMMMMMMMMNO$O+OZ 78.,.I::++:.. .,::=888OOO + ===I=I?~=?I???$I$?OODZ=7Z8NDONNN7D88MMMMMMMMMMNNNN8DNN~..~:7,,+7?,:,:::+8=Z888OO + ~+===7?=??I????7Z7ZOD8I777$+NNN:OOZOMMMMMMMMMMMMMMNMM+..~=?=O:+?::=+~:~+IDD888OZ + I==II??=I???=::7OI?O88Z=I~,?ZDD,Z$IDMMMMMMMMMMMMMMMM:$$?.~?+=?:,~+?I??==+++I8OOO + ==+++??+=.,~,~:7Z$?7I77$=. $I$8I$7+~8NMMMMMMMMMMMMDDMN$ ,:+?=.~==?II+++=+=?II+OZ + ==+?+I?,=:+?=~~??I++~7$$$= 777Z,$Z$$ONNMMMMMMMMMMMMMM8? .~=?:.==+?I~+?=+=??II?I8 + ?=+?I:=~??II=~~, II?+ 7$7?=?77$?$Z:8NMMMNMMMMMMMMMMMD7 ,,===::~=?II.??++?++III+~ + ??+.I+I=+I+??=~=~ =I+:?7$77?$$$ZI7Z8DM7NMMNMMMMMMMMOI. .,=~~.~~+I?:???==~????II? + I??:==?I++I?~==+=~:.?I7I77$?IZ$ZODDOIDNNNNNMMMMNM8?.:. ,,+=,::~+==II=~,=?+?IIIII + ??I:?=,=+++?II+=:,:, +77777$$777ODDMMNO~DNNNDD8?..::: .,,+~.,::=??????=+?IIIII?I + ????++=~:=?IIIII=~:: ~~+II77$$7$ZO8NMMMND.+: .=7+=~ ,,:?...~II??+??I?+??IIII?I + ??III7II+~:?II7+II?, ~,:,~7777$$$I$8DNMMNO .~I .Z:.,:~: ,+???+=,IIIIII??IIIII + ???I7I:,~=:,+II+=~I??:.,,,.:77777777$ODMM8 .:+ZI. ,~,..~~ :II?==~:?II??IIIIIIIII + No matter where you go, everyone's connected + + my name is tzlil, i'm 18 and from israel + i currently work as a security researcher + but in a few months i will be drafted to the army + + i like music <a href="https://fm.tzlil.net">https://fm.tzlil.net</a> + + my interests: + plan9 + lambda calculus + functional programming + binary exploitation + keyboards and layouts + yggdrasil + nixos + + my wares: + hard: + aurora lily58 with sunset kailh low profile + laptop(s): + - lenovo v14 + + phone: + - google pixel 7 + + OUT OF COMMISSION + <s>desktop:</s> + <s>- amd ryzen 5 5600g</s> + + soft: + <a href="/cgit/flake.git">nixos</a> + keepassxc + syncthing + tailscale (to mesh between my devices) + grapheneos + <a href="/cgit/flake.git/tree/hosts/vps/hydrus.nix">hydrus</a> + + ctfs i played in: + google ctf 2023 - 96th place (solo) + tfcctf 2022 - 4th place + google ctf 2022 - 100th place + + contact info: + tzlil:tzlil.net + tzlils@protonmail.com + tzlil@irc.libera.chat + + /cgit/ for repositories + </pre> + ''} / + file_server + } + ''; + }; + }; + networking.firewall.allowedTCPPorts = [80 443]; + + environment.persistence."/nix/persist".directories = [ + { + directory = "/var/lib/caddy"; + user = "caddy"; + group = "caddy"; + } + ]; + }; +} |