authortzlil <tzlils@protonmail.com>2023-07-30 13:19:39 +0300
committertzlil <tzlils@protonmail.com>2023-07-30 13:19:39 +0300
commitf72f22b250ecf22657ffc9e6082086377031ea8a (patch)
treece0f397e0933118b64bc58fab5463968d27fd0df /hosts/vps/services
parent22743d455ebb1f44f07b429a2b82045ca5b1d3ac (diff)
clean up a bit
Diffstat (limited to 'hosts/vps/services')
-rw-r--r--hosts/vps/services/git.nix93
-rw-r--r--hosts/vps/services/hydrus.nix60
-rw-r--r--hosts/vps/services/maloja.nix51
-rw-r--r--hosts/vps/services/matrix.nix159
-rw-r--r--hosts/vps/services/website.nix139
5 files changed, 502 insertions, 0 deletions
diff --git a/hosts/vps/services/git.nix b/hosts/vps/services/git.nix
new file mode 100644
index 0000000..8bd4653
--- /dev/null
+++ b/hosts/vps/services/git.nix
@@ -0,0 +1,93 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  config = {
+    users.groups.git = {};
+    users.users.git = {
+      isSystemUser = true;
+      description = "tzlil";
+      group = "git";
+      home = "/home/git";
+      packages = [pkgs.git];
+      shell = "${pkgs.git}/bin/git-shell";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe"
+      ];
+    };
+
+    # for syntax highlighting
+    users.groups.fcgiwrap = {};
+    users.users.fcgiwrap = {
+      isSystemUser = true;
+      group = "fcgiwrap";
+      packages = [pkgs.highlight pkgs.fcgiwrap];
+    };
+
+    services = {
+      fcgiwrap = {
+        enable = true;
+        user = "fcgiwrap";
+        group = "fcgiwrap";
+      };
+      caddy = {
+        virtualHosts."tzlil.net".extraConfig = ''
+          bind 0.0.0.0
+          ${config.website.defaultHeaders}
+          handle_path /cgit/* {
+            handle /cgit.png {
+              root * ${pkgs.cgit}/cgit
+              file_server
+            }
+            handle /cgit.css {
+              try_files ${pkgs.fetchurl {
+            url = "https://jeremias.stotter.eu/cgi-bin/cgit.cgi/cgit-dark/plain/cgit.css";
+            sha256 = "sha256-wqszujnWV5PRh3L23L1BFj/PKUElpyu1KhjqrHS8lCw=";
+          }} /
+              file_server
+            }
+            handle /favicon.ico {
+              root * ${pkgs.cgit}/cgit
+              file_server
+            }
+            handle {
+              reverse_proxy unix//run/fcgiwrap.sock {
+                transport fastcgi {
+                  env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi
+                  env CGIT_CONFIG ${pkgs.writeText "cgitrc" (pkgs.lib.generators.toKeyValue {} {
+            css = "/cgit/cgit.css";
+            logo = "/cgit/cgit.png";
+            favicon = "/favicon.ico";
+            clone-url = pkgs.lib.concatStringsSep " " [
+              "http://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL"
+              "ssh://git@tzlil.net:$CGIT_REPO_URL"
+            ];
+            enable-log-filecount = 1;
+            enable-log-linecount = 1;
+            enable-git-config = 1;
+            root-title = "tzlil.net";
+            root-desc = "Tzlil's Git Repositories";
+            scan-path = "/home/git";
+            about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.py";
+            source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+            logo-link = "/";
+            virtual-root = "/cgit";
+            readme = ":README.md";
+          })}
+                }
+              }
+          }
+          }
+        '';
+      };
+    };
+    environment.persistence."/nix/persist".directories = [
+      {
+        directory = "/home/git";
+        user = "git";
+        group = "git";
+      }
+    ];
+  };
+}
diff --git a/hosts/vps/services/hydrus.nix b/hosts/vps/services/hydrus.nix
new file mode 100644
index 0000000..c967fbc
--- /dev/null
+++ b/hosts/vps/services/hydrus.nix
@@ -0,0 +1,60 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  config = {
+    users.groups.hydrus = {};
+    users.users.hydrus = {
+      isSystemUser = true;
+      description = "hydrus";
+      group = "hydrus";
+      home = "/home/hydrus";
+    };
+
+    systemd.services.Xvnc = {
+      description = "Xvnc";
+      wantedBy = ["multi-user.target"];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.turbovnc}/bin/Xvnc :30 -iglx -depth 24 -rfbwait 120000 -deferupdate 1 -localhost -verbose -securitytypes none";
+        User = "hydrus";
+        Group = "hydrus";
+        Restart = "on-failure";
+        RestartSec = "5s";
+      };
+    };
+
+    systemd.services.hydrus = {
+      description = "Hydrus";
+      wantedBy = ["multi-user.target" "Xvnc.service"];
+      wants = ["podman-hydrus-web.service"];
+
+      serviceConfig = {
+        Environment = "DISPLAY=:30";
+        ExecStart = "${pkgs.hydrus}/bin/hydrus-client -d /home/hydrus";
+        User = "hydrus";
+        Group = "hydrus";
+        Restart = "on-failure";
+        RestartSec = "5s";
+      };
+    };
+
+    security.lockKernelModules = lib.mkForce false;
+    virtualisation.oci-containers.containers.hydrus-web = {
+      ports = ["100.67.217.90:8080:80"];
+      image = "ghcr.io/floogulinc/hydrus-web:dev";
+    };
+
+    networking.firewall.allowedTCPPorts = [45869];
+
+    environment.persistence."/nix/persist".directories = [
+      {
+        directory = "/home/hydrus";
+        user = "hydrus";
+        group = "hydrus";
+      }
+    ];
+  };
+}
diff --git a/hosts/vps/services/maloja.nix b/hosts/vps/services/maloja.nix
new file mode 100644
index 0000000..3d4530d
--- /dev/null
+++ b/hosts/vps/services/maloja.nix
@@ -0,0 +1,51 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  config = {
+    users.groups.maloja = {};
+    users.users.maloja = {
+      isSystemUser = true;
+      description = "maloja";
+      group = "maloja";
+      home = "/var/lib/maloja";
+    };
+
+    security.lockKernelModules = lib.mkForce false;
+    virtualisation.oci-containers.containers.maloja = {
+      ports = ["42010:42010"];
+      image = "krateng/maloja";
+      volumes = [
+        "/var/lib/maloja:/data"
+      ];
+      environment = {
+        MALOJA_DATA_DIRECTORY = "/data";
+        MALOJA_SKIP_SETUP = "True";
+        MALOJA_NAME = "tzlil";
+        MAlOJA_PROXY_IMAGES = "True";
+      };
+    };
+
+    # systemd.services.podman-maloja.serviceConfig.User = "maloja";
+    # systemd.services.podman-maloja.serviceConfig.Group = "maloja";
+
+    networking.firewall.allowedTCPPorts = [42010];
+
+    environment.persistence."/nix/persist".directories = [
+      {
+        directory = "/var/lib/maloja";
+        user = "maloja";
+        group = "maloja";
+      }
+    ];
+
+    services.caddy = {
+      virtualHosts."fm.tzlil.net".extraConfig = ''
+        bind 0.0.0.0
+        reverse_proxy :42010
+      '';
+    };
+  };
+}
diff --git a/hosts/vps/services/matrix.nix b/hosts/vps/services/matrix.nix
new file mode 100644
index 0000000..e2aa1a5
--- /dev/null
+++ b/hosts/vps/services/matrix.nix
@@ -0,0 +1,159 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  config = {
+    # services.matrix-synapse = {
+    #   enable = true;
+    #   settings.server_name = config.networking.domain;
+    #   settings.listeners = [
+    #     {
+    #       port = 8008;
+    #       bind_addresses = ["::1"];
+    #       type = "http";
+    #       tls = false;
+    #       x_forwarded = true;
+    #       resources = [
+    #         {
+    #           names = ["client" "federation"];
+    #           compress = true;
+    #         }
+    #       ];
+    #     }
+    #   ];
+    # };
+    # networking.firewall.allowedTCPPorts = [80 443];
+
+    age.secrets.matrix = {
+      file = ../../secrets/matrix.age;
+      mode = "600";
+      owner = "root";
+      group = "root";
+    };
+
+    services.dendrite = let
+      database_config = {
+        connection_string = "postgresql:///dendrite?host=/run/postgresql";
+        max_open_conns = 10;
+        max_idle_conns = 5;
+      };
+    in {
+      enable = true;
+
+      loadCredential = ["private_key:${config.age.secrets.matrix.path}" "tlsCert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.crt" "tlsKey:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.key"];
+
+      # tlsCert = "$CREDENTIALS_DIRECTORY/tlsCert";
+      # tlsKey = "$CREDENTIALS_DIRECTORY/tlsKey";
+
+      # httpPort = null;
+      # httpsPort = 8448;
+
+      settings = {
+        global = {
+          server_name = "tzlil.net";
+          private_key = "$CREDENTIALS_DIRECTORY/private_key";
+
+          # preserve across restarts
+          jetstream.storage_path = "/var/lib/dendrite/";
+
+          dns_cache = {
+            enabled = true;
+            cache_size = 4096;
+            cache_lifetime = "600s";
+          };
+
+          presence = {
+            enable_inbound = true;
+            enable_outbound = true;
+          };
+
+          cache.max_size_estimated = "16gb";
+        };
+        federation_api.key_perspectives = [
+          {
+            server_name = "matrix.org";
+            keys = [
+              {
+                key_id = "ed25519:auto";
+                public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+              }
+              {
+                key_id = "ed25519:a_RXGa";
+                public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+              }
+            ];
+          }
+        ];
+
+        app_service_api.database = database_config;
+        federation_api.database = database_config;
+        key_server.database = database_config;
+        media_api.database = database_config;
+        mscs.database = database_config;
+        room_server.database = database_config;
+        sync_api.database = database_config;
+        user_api.account_database = database_config;
+        user_api.device_database = database_config;
+      };
+    };
+
+    systemd.services.dendrite.serviceConfig.ExecStart = lib.mkForce (lib.strings.concatStringsSep " " [
+      "${pkgs.dendrite}/bin/dendrite"
+      "--config /run/dendrite/dendrite.yaml"
+      "--http-bind-address :8008"
+      "--https-bind-address :8448"
+      "--tls-cert $CREDENTIALS_DIRECTORY/tlsCert"
+      "--tls-key $CREDENTIALS_DIRECTORY/tlsKey"
+    ]);
+
+    services.postgresql = {
+      enable = true;
+      ensureUsers = [
+        {
+          name = "dendrite";
+          ensurePermissions = {
+            "DATABASE dendrite" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+
+      ensureDatabases = ["dendrite"];
+    };
+
+    # not needed if i use /var/lib/private , DynamicUser can remap the permissions for the service
+    # systemd.services.dendrite.serviceConfig.User = "dendrite";
+    # systemd.services.dendrite.serviceConfig.Group = "dendrite";
+    environment.persistence."/nix/persist".directories = [
+      {
+        directory = "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+        user = "postgres";
+        group = "postgres";
+      }
+
+      {
+        directory = "/var/lib/private/dendrite";
+        user = "root";
+        group = "root";
+      }
+    ];
+
+    systemd.services.dendrite.after = ["postgresql.service"];
+
+    services.caddy = {
+      # for federation
+      virtualHosts."tzlil.net:8448".extraConfig = ''
+        reverse_proxy /_matrix/* localhost:8008
+      '';
+      # for clients
+      virtualHosts."tzlil.net".extraConfig = ''
+        reverse_proxy /_matrix/* localhost:8008
+        header /.well-known/matrix/* Content-Type application/json
+        header /.well-known/matrix/* Access-Control-Allow-Origin *
+        respond /.well-known/matrix/server `{"m.server": "tzlil.net"}`
+      '';
+    };
+    networking.firewall.allowedTCPPorts = [8448];
+  };
+}
diff --git a/hosts/vps/services/website.nix b/hosts/vps/services/website.nix
new file mode 100644
index 0000000..5d1d48a
--- /dev/null
+++ b/hosts/vps/services/website.nix
@@ -0,0 +1,139 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  options.website.defaultHeaders = lib.mkOption {
+    type = lib.types.str;
+    default = ''
+      header {
+        -Server
+        -Date
+        -Last-Modified
+        -Etag
+        -Accept-Ranges
+        # disable indexing by search engines
+
+        X-Robots-Tag "noindex, nofollow"
+
+       # disable FLoC tracking
+        # Permissions-Policy interest-cohort=()
+
+        # enable HSTS
+        # Strict-Transport-Security max-age=31536000;
+
+        # disable clients from sniffing the media type
+        # X-Content-Type-Options nosniff
+
+        # clickjacking protection
+        # X-Frame-Options DENY
+
+        # keep referrer data off of HTTP connections
+        # Referrer-Policy no-referrer-when-downgrade
+      }
+    '';
+  };
+  config = {
+    services.caddy = {
+      enable = true;
+      virtualHosts = {
+        "tzlil.net".extraConfig = ''
+          bind 0.0.0.0
+          handle_path / {
+            try_files ${pkgs.writeText "index.html" ''
+            <style>
+            @media (prefers-color-scheme: dark) {
+                body { background-color: #121212; color: #d4d4d4; }
+                a { color: #7878ff; }
+                a:visited { color: #6464fa; }
+            }
+            </style>
+            <pre>
+            ~?~+=I?~~IIIII++,:   .?= .,I=O8OZ.DNNO, ZD7:::=.? ,,:,,I,,:,~+?II?I?II?=+=~+7$ZO
+            ?==++??==+I???7..:.   :II$77?I+ID~NND8.ZMN7~=~I7:,., :?7,.,.~+?I???????,+~7+$ZOZ
+            7+===I+~===?I77:  ?   ,$7$.:.,I?=7NNNINMMMNOI=++ .~==I$7, ..++?I???I+=?.+:O+ZZOZ
+            ===++I+==?III??I,?,   ~I7NN,..  ??ONNNMMMD$777$7I$ZOO$7?....+=????I~=+,:+,O8DNMM
+            ~=~==7II=+I?II7I,I+,8Z.II8D+=~:.,7$NMMMMMN8$7~. ..  :88I. ..?=?++I:~+=.~~~NMMMNN
+            ~====II?I~+?I?$7I?~8D7+7$ZZNONDN8Z8NMMMMMMNNON:=. :,$.I7  .,+=??I:,=, .:,=DNNMMN
+            =+?==+==?~+=I?$$I+88D:I$8NMNDDNNNDNNNMMMMMMMMM8I$77=MMDO.  :~=+?,,,   .~,?8DDD8D
+            =~=+==I7I=IIIIO$=~OOD=I7ODNNNNMNNDNDNMMMMMMMMNO$O+OZ 78.,.I::++:..   .,::=888OOO
+            ===I=I?~=?I???$I$?OODZ=7Z8NDONNN7D88MMMMMMMMMMNNNN8DNN~..~:7,,+7?,:,:::+8=Z888OO
+            ~+===7?=??I????7Z7ZOD8I777$+NNN:OOZOMMMMMMMMMMMMMMNMM+..~=?=O:+?::=+~:~+IDD888OZ
+            I==II??=I???=::7OI?O88Z=I~,?ZDD,Z$IDMMMMMMMMMMMMMMMM:$$?.~?+=?:,~+?I??==+++I8OOO
+            ==+++??+=.,~,~:7Z$?7I77$=. $I$8I$7+~8NMMMMMMMMMMMMDDMN$ ,:+?=.~==?II+++=+=?II+OZ
+            ==+?+I?,=:+?=~~??I++~7$$$= 777Z,$Z$$ONNMMMMMMMMMMMMMM8? .~=?:.==+?I~+?=+=??II?I8
+            ?=+?I:=~??II=~~, II?+ 7$7?=?77$?$Z:8NMMMNMMMMMMMMMMMD7 ,,===::~=?II.??++?++III+~
+            ??+.I+I=+I+??=~=~ =I+:?7$77?$$$ZI7Z8DM7NMMNMMMMMMMMOI. .,=~~.~~+I?:???==~????II?
+            I??:==?I++I?~==+=~:.?I7I77$?IZ$ZODDOIDNNNNNMMMMNM8?.:. ,,+=,::~+==II=~,=?+?IIIII
+            ??I:?=,=+++?II+=:,:, +77777$$777ODDMMNO~DNNNDD8?..::: .,,+~.,::=??????=+?IIIII?I
+            ????++=~:=?IIIII=~:: ~~+II77$$7$ZO8NMMMND.+:   .=7+=~ ,,:?...~II??+??I?+??IIII?I
+            ??III7II+~:?II7+II?, ~,:,~7777$$$I$8DNMMNO   .~I  .Z:.,:~: ,+???+=,IIIIII??IIIII
+            ???I7I:,~=:,+II+=~I??:.,,,.:77777777$ODMM8 .:+ZI. ,~,..~~ :II?==~:?II??IIIIIIIII
+            No matter where you go, everyone's connected
+
+            my name is tzlil, i'm 18 and from israel
+            i currently work as a security researcher
+            but in a few months i will be drafted to the army
+
+            i like music <a href="https://fm.tzlil.net">https://fm.tzlil.net</a>
+
+            my interests:
+            plan9
+            lambda calculus
+            functional programming
+            binary exploitation
+            keyboards and layouts
+            yggdrasil
+            nixos
+
+            my wares:
+            hard:
+              aurora lily58 with sunset kailh low profile
+              laptop(s):
+              - lenovo v14
+
+              phone:
+              - google pixel 7
+
+              OUT OF COMMISSION
+              <s>desktop:</s>
+              <s>- amd ryzen 5 5600g</s>
+
+            soft:
+              <a href="/cgit/flake.git">nixos</a>
+              keepassxc
+              syncthing
+              tailscale (to mesh between my devices)
+              grapheneos
+              <a href="/cgit/flake.git/tree/hosts/vps/hydrus.nix">hydrus</a>
+
+            ctfs i played in:
+              google ctf 2023 - 96th place (solo)
+              tfcctf 2022     - 4th place
+              google ctf 2022 - 100th place
+
+            contact info:
+            tzlil:tzlil.net
+            tzlils@protonmail.com
+            tzlil@irc.libera.chat
+
+            /cgit/ for repositories
+            </pre>
+          ''} /
+            file_server
+          }
+        '';
+      };
+    };
+    networking.firewall.allowedTCPPorts = [80 443];
+
+    environment.persistence."/nix/persist".directories = [
+      {
+        directory = "/var/lib/caddy";
+        user = "caddy";
+        group = "caddy";
+      }
+    ];
+  };
+}