From f72f22b250ecf22657ffc9e6082086377031ea8a Mon Sep 17 00:00:00 2001
From: tzlil
Date: Sun, 30 Jul 2023 13:19:39 +0300
Subject: clean up a bit
---
hosts/vps/services/git.nix | 93 ++++++++++++++++++++++++
hosts/vps/services/hydrus.nix | 60 ++++++++++++++++
hosts/vps/services/maloja.nix | 51 +++++++++++++
hosts/vps/services/matrix.nix | 159 +++++++++++++++++++++++++++++++++++++++++
hosts/vps/services/website.nix | 139 +++++++++++++++++++++++++++++++++++
5 files changed, 502 insertions(+)
create mode 100644 hosts/vps/services/git.nix
create mode 100644 hosts/vps/services/hydrus.nix
create mode 100644 hosts/vps/services/maloja.nix
create mode 100644 hosts/vps/services/matrix.nix
create mode 100644 hosts/vps/services/website.nix
(limited to 'hosts/vps/services')
diff --git a/hosts/vps/services/git.nix b/hosts/vps/services/git.nix
new file mode 100644
index 0000000..8bd4653
--- /dev/null
+++ b/hosts/vps/services/git.nix
@@ -0,0 +1,93 @@ +{ + pkgs, + config, + ... +}: { + config = { + users.groups.git = {}; + users.users.git = { + isSystemUser = true; + description = "tzlil"; + group = "git"; + home = "/home/git"; + packages = [pkgs.git]; + shell = "${pkgs.git}/bin/git-shell"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgPE76xQXx1kpvWavHGNOWHiZSFdGfz/rQlISGrKsDe" + ]; + }; + + # for syntax highlighting + users.groups.fcgiwrap = {}; + users.users.fcgiwrap = { + isSystemUser = true; + group = "fcgiwrap"; + packages = [pkgs.highlight pkgs.fcgiwrap]; + }; + + services = { + fcgiwrap = { + enable = true; + user = "fcgiwrap"; + group = "fcgiwrap"; + }; + caddy = { + virtualHosts."tzlil.net".extraConfig = '' + bind 0.0.0.0 + ${config.website.defaultHeaders} + handle_path /cgit/* { + handle /cgit.png { + root * ${pkgs.cgit}/cgit + file_server + } + handle /cgit.css { + try_files ${pkgs.fetchurl { + url = "https://jeremias.stotter.eu/cgi-bin/cgit.cgi/cgit-dark/plain/cgit.css"; + sha256 = "sha256-wqszujnWV5PRh3L23L1BFj/PKUElpyu1KhjqrHS8lCw="; + }} / + file_server + } + handle /favicon.ico { + root * ${pkgs.cgit}/cgit + file_server + } + handle { + reverse_proxy unix//run/fcgiwrap.sock { + transport fastcgi { + env SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi + env CGIT_CONFIG ${pkgs.writeText "cgitrc" (pkgs.lib.generators.toKeyValue {} { + css = "/cgit/cgit.css"; + logo = "/cgit/cgit.png"; + favicon = "/favicon.ico"; + clone-url = pkgs.lib.concatStringsSep " " [ + "http://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL" + "ssh://git@tzlil.net:$CGIT_REPO_URL" + ]; + enable-log-filecount = 1; + enable-log-linecount = 1; + enable-git-config = 1; + root-title = "tzlil.net"; + root-desc = "Tzlil's Git Repositories"; + scan-path = "/home/git"; + about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.py"; + source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py"; + logo-link = "/"; + virtual-root = "/cgit"; + readme = ":README.md"; + })} + } + } + } + } + 
'';
+ };
+ };
+ environment.persistence."/nix/persist".directories = [
+ {
+ directory = "/home/git";
+ user = "git";
+ group = "git";
+ }
+ ];
+ };
+}
diff --git a/hosts/vps/services/hydrus.nix b/hosts/vps/services/hydrus.nix
new file mode 100644
index 0000000..c967fbc
--- /dev/null
+++ b/hosts/vps/services/hydrus.nix
@@ -0,0 +1,60 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
+ config = {
+ users.groups.hydrus = {};
+ users.users.hydrus = {
+ isSystemUser = true;
+ description = "hydrus";
+ group = "hydrus";
+ home = "/home/hydrus";
+ };
+
+ systemd.services.Xvnc = {
+ description = "Xvnc";
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.turbovnc}/bin/Xvnc :30 -iglx -depth 24 -rfbwait 120000 -deferupdate 1 -localhost -verbose -securitytypes none";
+ User = "hydrus";
+ Group = "hydrus";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ };
+ };
+
+ systemd.services.hydrus = {
+ description = "Hydrus";
+ wantedBy = ["multi-user.target" "Xvnc.service"];
+ wants = ["podman-hydrus-web.service"];
+
+ serviceConfig = {
+ Environment = "DISPLAY=:30";
+ ExecStart = "${pkgs.hydrus}/bin/hydrus-client -d /home/hydrus";
+ User = "hydrus";
+ Group = "hydrus";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ };
+ };
+
+ security.lockKernelModules = lib.mkForce false;
+ virtualisation.oci-containers.containers.hydrus-web = {
+ ports = ["100.67.217.90:8080:80"];
+ image = "ghcr.io/floogulinc/hydrus-web:dev";
+ };
+
+ networking.firewall.allowedTCPPorts = [45869];
+
+ environment.persistence."/nix/persist".directories = [
+ {
+ directory = "/home/hydrus";
+ user = "hydrus";
+ group = "hydrus";
+ }
+ ];
+ };
+}
diff --git a/hosts/vps/services/maloja.nix b/hosts/vps/services/maloja.nix
new file mode 100644
index 0000000..3d4530d
--- /dev/null
+++ b/hosts/vps/services/maloja.nix
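Review bot: `services.caddy.virtualHosts."tzlil.net".extraConfig` is defined here and again in matrix.nix and website.nix within this same commit; NixOS merges a `lines` option by concatenating every definition, so the effective `tzlil.net` site block is the union of all three fragments (`bind 0.0.0.0` twice, `${config.website.defaultHeaders}` only from this file) in module-evaluation order, which no single file makes visible. A reader of this module cannot tell that the `handle` and `reverse_proxy` directives of the other two fragments apply to the same site, or that the default headers apply to theirs. Either keep the site block in one module and let the others contribute named snippets, or add a comment above the vhost: `# merged (types.lines) with the "tzlil.net" fragments in matrix.nix and website.nix`. Separately, `scan-path = "/home/git"` appears to publish every repository under the git user's home through cgit, so anything pushed over the `git-shell` account becomes browsable; a comment stating that this is intended, or a narrower scan path, would make the exposure deliberate rather than incidental.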
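Review bot: `systemd.services.hydrus` lists `Xvnc.service` in `wantedBy` but has no `after` or `requires` on it, so nothing orders the client after the display exists and a start before `Xvnc :30` is listening is only papered over by `Restart = "on-failure"`; the usual shape is `after = ["Xvnc.service"]; requires = ["Xvnc.service"];` with `Xvnc.service` dropped from `wantedBy`. On the Xvnc side, `-securitytypes none` disables VNC authentication entirely, so the only thing keeping display :30 private is `-localhost`; a comment such as `# no VNC auth: relies on -localhost, any local account can attach to :30` would record that trade-off. Finally, `networking.firewall.allowedTCPPorts = [45869]` opens the client-API port on every interface while the web UI is deliberately pinned to `100.67.217.90`; if that address is the intended reach, `networking.firewall.interfaces.<iface>.allowedTCPPorts` would scope the API port the same way.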
@@ -0,0 +1,51 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
+ config = {
+ users.groups.maloja = {};
+ users.users.maloja = {
+ isSystemUser = true;
+ description = "maloja";
+ group = "maloja";
+ home = "/var/lib/maloja";
+ };
+
+ security.lockKernelModules = lib.mkForce false;
+ virtualisation.oci-containers.containers.maloja = {
+ ports = ["42010:42010"];
+ image = "krateng/maloja";
+ volumes = [
+ "/var/lib/maloja:/data"
+ ];
+ environment = {
+ MALOJA_DATA_DIRECTORY = "/data";
+ MALOJA_SKIP_SETUP = "True";
+ MALOJA_NAME = "tzlil";
+ MAlOJA_PROXY_IMAGES = "True";
+ };
+ };
+
+ # systemd.services.podman-maloja.serviceConfig.User = "maloja";
+ # systemd.services.podman-maloja.serviceConfig.Group = "maloja";
+
+ networking.firewall.allowedTCPPorts = [42010];
+
+ environment.persistence."/nix/persist".directories = [
+ {
+ directory = "/var/lib/maloja";
+ user = "maloja";
+ group = "maloja";
+ }
+ ];
+
+ services.caddy = {
+ virtualHosts."fm.tzlil.net".extraConfig = ''
+ bind 0.0.0.0
+ reverse_proxy :42010
+ '';
+ };
+ };
+}
diff --git a/hosts/vps/services/matrix.nix b/hosts/vps/services/matrix.nix
new file mode 100644
index 0000000..e2aa1a5
--- /dev/null
+++ b/hosts/vps/services/matrix.nix
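Review bot: `MAlOJA_PROXY_IMAGES` in the container `environment` has a lowercase `l` where the other keys have `L`, so the container never sees a `MALOJA_PROXY_IMAGES` variable and the setting is silently ignored; the line should read `MALOJA_PROXY_IMAGES = "True";`. The port mapping `"42010:42010"` publishes the container on every host interface and `networking.firewall.allowedTCPPorts = [42010]` then opens it to the outside, so the app is reachable over plain HTTP directly on :42010 in parallel with the `fm.tzlil.net` Caddy vhost that is meant to front it; binding `"127.0.0.1:42010:42010"` and dropping the firewall entry keeps TLS termination in Caddy, which still reaches it via `reverse_proxy :42010`. The commented-out `podman-maloja` User/Group lines together with the `maloja` user and the `/var/lib/maloja` volume suggest the data directory ownership and the container's runtime user may not match; a comment saying which user the container actually writes as would save the next reader a guess.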
@@ -0,0 +1,159 @@ +{ + pkgs, + config, + lib, + ... +}: { + config = { + # services.matrix-synapse = { + # enable = true; + # settings.server_name = config.networking.domain; + # settings.listeners = [ + # { + # port = 8008; + # bind_addresses = ["::1"]; + # type = "http"; + # tls = false; + # x_forwarded = true; + # resources = [ + # { + # names = ["client" "federation"]; + # compress = true; + # } + # ]; + # } + # ]; + # }; + # networking.firewall.allowedTCPPorts = [80 443]; + + age.secrets.matrix = { + file = ../../secrets/matrix.age; + mode = "600"; + owner = "root"; + group = "root"; + }; + + services.dendrite = let + database_config = { + connection_string = "postgresql:///dendrite?host=/run/postgresql"; + max_open_conns = 10; + max_idle_conns = 5; + }; + in { + enable = true; + + loadCredential = ["private_key:${config.age.secrets.matrix.path}" "tlsCert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.crt" "tlsKey:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.key"]; + + # tlsCert = "$CREDENTIALS_DIRECTORY/tlsCert"; + # tlsKey = "$CREDENTIALS_DIRECTORY/tlsKey"; + + # httpPort = null; + # httpsPort = 8448; + + settings = { + global = { + server_name = "tzlil.net"; + private_key = "$CREDENTIALS_DIRECTORY/private_key"; + + # preserve across restarts + jetstream.storage_path = "/var/lib/dendrite/"; + + dns_cache = { + enabled = true; + cache_size = 4096; + cache_lifetime = "600s"; + }; + + presence = { + enable_inbound = true; + enable_outbound = true; + }; + + cache.max_size_estimated = "16gb"; + }; + federation_api.key_perspectives = [ + { + server_name = "matrix.org"; + keys = [ + { + key_id = "ed25519:auto"; + public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; + } + { + key_id = "ed25519:a_RXGa"; + public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; + } + ]; + } + ]; + + app_service_api.database = database_config; + 
federation_api.database = database_config; + key_server.database = database_config; + media_api.database = database_config; + mscs.database = database_config; + room_server.database = database_config; + sync_api.database = database_config; + user_api.account_database = database_config; + user_api.device_database = database_config; + }; + }; + + systemd.services.dendrite.serviceConfig.ExecStart = lib.mkForce (lib.strings.concatStringsSep " " [ + "${pkgs.dendrite}/bin/dendrite" + "--config /run/dendrite/dendrite.yaml" + "--http-bind-address :8008" + "--https-bind-address :8448" + "--tls-cert $CREDENTIALS_DIRECTORY/tlsCert" + "--tls-key $CREDENTIALS_DIRECTORY/tlsKey" + ]); + + services.postgresql = { + enable = true; + ensureUsers = [ + { + name = "dendrite"; + ensurePermissions = { + "DATABASE dendrite" = "ALL PRIVILEGES"; + }; + } + ]; + + ensureDatabases = ["dendrite"]; + }; + + # not needed if i use /var/lib/private , DynamicUser can remap the permissions for the service + # systemd.services.dendrite.serviceConfig.User = "dendrite"; + # systemd.services.dendrite.serviceConfig.Group = "dendrite"; + environment.persistence."/nix/persist".directories = [ + { + directory = "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"; + user = "postgres"; + group = "postgres"; + } + + { + directory = "/var/lib/private/dendrite"; + user = "root"; + group = "root"; + } + ]; + + systemd.services.dendrite.after = ["postgresql.service"]; + + services.caddy = { + # for federation + virtualHosts."tzlil.net:8448".extraConfig = '' + reverse_proxy /_matrix/* localhost:8008 + ''; + # for clients + virtualHosts."tzlil.net".extraConfig = '' + reverse_proxy /_matrix/* localhost:8008 + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + respond /.well-known/matrix/server `{"m.server": "tzlil.net"}` + ''; + }; + networking.firewall.allowedTCPPorts = [8448]; + }; +} 
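Review bot: the forced `ExecStart` passes `--https-bind-address :8448` plus `--tls-cert`/`--tls-key`, so dendrite itself listens with TLS on 8448, while `virtualHosts."tzlil.net:8448"` also makes Caddy listen on 8448 and proxy `/_matrix/*` to `localhost:8008`; unless the two are bound to different addresses, whichever starts second fails with an address-in-use error. The `tlsCert`/`tlsKey` `loadCredential` entries are also copied into the credentials directory only at service start, so once Caddy renews the certificate under `/var/lib/caddy/...` dendrite keeps presenting the old one until it is restarted. Since the Caddy vhost already terminates TLS for federation, the simpler shape is to drop the `--https-bind-address`, `--tls-cert` and `--tls-key` entries and keep only `--http-bind-address :8008`, at which point the two certificate credentials are unused and can go too. If direct TLS in dendrite is the intent instead, the `tzlil.net:8448` vhost should be removed and a restart trigger on certificate renewal is needed; a one-line comment above `loadCredential` recording which of the two is intended would prevent the next edit from re-creating the conflict.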
diff --git a/hosts/vps/services/website.nix b/hosts/vps/services/website.nix new file mode 100644 index 0000000..5d1d48a --- /dev/null +++ b/hosts/vps/services/website.nix @@ -0,0 +1,139 @@ +{ + pkgs, + config, + lib, + ... +}: { + options.website.defaultHeaders = lib.mkOption { + type = lib.types.str; + default = '' + header { + -Server + -Date + -Last-Modified + -Etag + -Accept-Ranges + # disable indexing by search engines + + X-Robots-Tag "noindex, nofollow" + + # disable FLoC tracking + # Permissions-Policy interest-cohort=() + + # enable HSTS + # Strict-Transport-Security max-age=31536000; + + # disable clients from sniffing the media type + # X-Content-Type-Options nosniff + + # clickjacking protection + # X-Frame-Options DENY + + # keep referrer data off of HTTP connections + # Referrer-Policy no-referrer-when-downgrade + } + ''; + }; + config = { + services.caddy = { + enable = true; + virtualHosts = { + "tzlil.net".extraConfig = '' + bind 0.0.0.0 + handle_path / { + try_files ${pkgs.writeText "index.html" '' + +
+            ~?~+=I?~~IIIII++,:   .?= .,I=O8OZ.DNNO, ZD7:::=.? ,,:,,I,,:,~+?II?I?II?=+=~+7$ZO
+            ?==++??==+I???7..:.   :II$77?I+ID~NND8.ZMN7~=~I7:,., :?7,.,.~+?I???????,+~7+$ZOZ
+            7+===I+~===?I77:  ?   ,$7$.:.,I?=7NNNINMMMNOI=++ .~==I$7, ..++?I???I+=?.+:O+ZZOZ
+            ===++I+==?III??I,?,   ~I7NN,..  ??ONNNMMMD$777$7I$ZOO$7?....+=????I~=+,:+,O8DNMM
+            ~=~==7II=+I?II7I,I+,8Z.II8D+=~:.,7$NMMMMMN8$7~. ..  :88I. ..?=?++I:~+=.~~~NMMMNN
+            ~====II?I~+?I?$7I?~8D7+7$ZZNONDN8Z8NMMMMMMNNON:=. :,$.I7  .,+=??I:,=, .:,=DNNMMN
+            =+?==+==?~+=I?$$I+88D:I$8NMNDDNNNDNNNMMMMMMMMM8I$77=MMDO.  :~=+?,,,   .~,?8DDD8D
+            =~=+==I7I=IIIIO$=~OOD=I7ODNNNNMNNDNDNMMMMMMMMNO$O+OZ 78.,.I::++:..   .,::=888OOO
+            ===I=I?~=?I???$I$?OODZ=7Z8NDONNN7D88MMMMMMMMMMNNNN8DNN~..~:7,,+7?,:,:::+8=Z888OO
+            ~+===7?=??I????7Z7ZOD8I777$+NNN:OOZOMMMMMMMMMMMMMMNMM+..~=?=O:+?::=+~:~+IDD888OZ
+            I==II??=I???=::7OI?O88Z=I~,?ZDD,Z$IDMMMMMMMMMMMMMMMM:$$?.~?+=?:,~+?I??==+++I8OOO
+            ==+++??+=.,~,~:7Z$?7I77$=. $I$8I$7+~8NMMMMMMMMMMMMDDMN$ ,:+?=.~==?II+++=+=?II+OZ
+            ==+?+I?,=:+?=~~??I++~7$$$= 777Z,$Z$$ONNMMMMMMMMMMMMMM8? .~=?:.==+?I~+?=+=??II?I8
+            ?=+?I:=~??II=~~, II?+ 7$7?=?77$?$Z:8NMMMNMMMMMMMMMMMD7 ,,===::~=?II.??++?++III+~
+            ??+.I+I=+I+??=~=~ =I+:?7$77?$$$ZI7Z8DM7NMMNMMMMMMMMOI. .,=~~.~~+I?:???==~????II?
+            I??:==?I++I?~==+=~:.?I7I77$?IZ$ZODDOIDNNNNNMMMMNM8?.:. ,,+=,::~+==II=~,=?+?IIIII
+            ??I:?=,=+++?II+=:,:, +77777$$777ODDMMNO~DNNNDD8?..::: .,,+~.,::=??????=+?IIIII?I
+            ????++=~:=?IIIII=~:: ~~+II77$$7$ZO8NMMMND.+:   .=7+=~ ,,:?...~II??+??I?+??IIII?I
+            ??III7II+~:?II7+II?, ~,:,~7777$$$I$8DNMMNO   .~I  .Z:.,:~: ,+???+=,IIIIII??IIIII
+            ???I7I:,~=:,+II+=~I??:.,,,.:77777777$ODMM8 .:+ZI. ,~,..~~ :II?==~:?II??IIIIIIIII
+            No matter where you go, everyone's connected
+
+            my name is tzlil, i'm 18 and from israel
+            i currently work as a security researcher
+            but in a few months i will be drafted to the army
+
+            i like music https://fm.tzlil.net
+
+            my interests:
+            plan9
+            lambda calculus
+            functional programming
+            binary exploitation
+            keyboards and layouts
+            yggdrasil
+            nixos
+
+            my wares:
+            hard:
+              aurora lily58 with sunset kailh low profile
+              laptop(s):
+              - lenovo v14
+
+              phone:
+              - google pixel 7
+
+              OUT OF COMMISSION
+              desktop:
+              - amd ryzen 5 5600g
+
+            soft:
+              nixos
+              keepassxc
+              syncthing
+              tailscale (to mesh between my devices)
+              grapheneos
+              hydrus
+
+            ctfs i played in:
+              google ctf 2023 - 96th place (solo)
+              tfcctf 2022     - 4th place
+              google ctf 2022 - 100th place
+
+            contact info:
+            tzlil:tzlil.net
+            tzlils@protonmail.com
+            tzlil@irc.libera.chat
+
+            /cgit/ for repositories
+            
+ ''} / + file_server + } + ''; + }; + }; + networking.firewall.allowedTCPPorts = [80 443]; + + environment.persistence."/nix/persist".directories = [ + { + directory = "/var/lib/caddy"; + user = "caddy"; + group = "caddy"; + } + ]; + }; +} -- cgit 1.4.1
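Review bot: in `options.website.defaultHeaders` the `Strict-Transport-Security`, `X-Content-Type-Options`, `X-Frame-Options` and `Referrer-Policy` lines are all commented out, so the snippet only strips `Server`/`Date`/`Last-Modified`/`Etag`/`Accept-Ranges` and adds `X-Robots-Tag`; Caddy does not emit those four headers on its own, so the site ships without HSTS, MIME-sniffing or framing protection. Un-commenting the four lines (their values are already written there) restores them, and if they are meant to stay off, a one-line comment saying why would stop the next reader from treating it as an oversight. Note also that this vhost fragment never references `config.website.defaultHeaders`; it only reaches `tzlil.net` because git.nix's fragment of the same `extraConfig` option interpolates it, so the headers silently disappear if that module is dropped from the host, which argues for placing `${config.website.defaultHeaders}` in this file's `"tzlil.net"` block, where the option is defined.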