Compare commits


19 Commits

Oystein Kristoffer Tveit 0ea7d0961d
tsuki: add minecraft overlay 2024-06-10 00:51:20 +02:00
Oystein Kristoffer Tveit 73f527559e
tsuki/nginx: add vhost for experimental mutable bluemap setup 2024-06-10 00:50:11 +02:00
Oystein Kristoffer Tveit a6c24b04a1
tsuki/nhk-easy-news-scraper: temporarily disable statedir + bindmount 2024-06-10 00:48:02 +02:00
Oystein Kristoffer Tveit e3cedee060
tsuki/matrix-synapse: add dependencies to systemd slice 2024-06-10 00:46:49 +02:00
Oystein Kristoffer Tveit 53c6c32fb8
tsuki/plex: remove security hardening, included in nixos 24.05 2024-06-10 00:45:19 +02:00
Oystein Kristoffer Tveit 3a81abb683
tsuki/matrix-stickers: update hash for stickerpack 2024-06-10 00:44:39 +02:00
Oystein Kristoffer Tveit 9d090da7cd
rebase: remove mx-puppet-discord 2024-06-10 00:43:55 +02:00
Oystein Kristoffer Tveit 9187a62d6f
tsuki: use `ensureDBOwnership` for postgres for nixos 24.05 migration 2024-06-10 00:43:04 +02:00
Oystein Kristoffer Tveit 68bf2cd1b0
inputs/maunium-stickerpicker-nix: pin to release 2024-06-09 16:18:42 +02:00
Oystein Kristoffer Tveit c7123f23ac
tsuki/invidious: remove 2024-06-09 16:13:32 +02:00
Oystein Kristoffer Tveit e943f2fe5f
tsuki/headscale: disable 2024-06-09 16:13:32 +02:00
Oystein Kristoffer Tveit 830e5477f3
tsuki/navidrome: remove 2024-06-09 16:13:31 +02:00
Oystein Kristoffer Tveit 7f36a1b8c8
tsuki/mx-puppet-discord: remove 2024-06-09 16:13:31 +02:00
Oystein Kristoffer Tveit 2a388e29a5
tsuki/mautrix-facebook: remove 2024-06-09 16:13:31 +02:00
Oystein Kristoffer Tveit 2b0968283d
tsuki/gitea: remove 2024-06-09 16:13:31 +02:00
Oystein Kristoffer Tveit a20bb288aa
tsuki/jupyter: remove 2024-06-09 15:40:57 +02:00
Oystein Kristoffer Tveit 3b736e4c61
tsuki/pgadmin: remove 2024-06-09 15:34:09 +02:00
Oystein Kristoffer Tveit 358a668aa7
tsuki/hydra: remove 2024-06-09 15:30:17 +02:00
Oystein Kristoffer Tveit 37a43a2bd9
tsuki/gitea-runners: init 2024-06-09 15:25:47 +02:00
30 changed files with 120 additions and 1599 deletions


@ -37,8 +37,8 @@
};
maunium-stickerpicker = {
# url = "git+file:///home/h7x4/git/maunium-stickerpicker-nix";
url = "github:h7x4/maunium-stickerpicker-nix/project-rewrite";
url = "github:h7x4/maunium-stickerpicker-nix/0.1.0";
inputs.nixpkgs.follows = "nixpkgs";
};
minecraft = {
@ -99,8 +99,8 @@
config.allowUnfree = true;
};
in [
(self: super: { pgadmin4 = nonrecursive-unstable-pkgs.pgadmin4; })
# (self: super: { pcloud = nonrecursive-unstable-pkgs.pcloud; })
minecraft.overlays.default
osuchan.overlays.default
(self: super: {
mpv-unwrapped = super.mpv-unwrapped.override {


@ -6,7 +6,6 @@ in [
(short "tr" "Translate" "https://translate.google.no/?hl=no")
(short "gm" "Gmail" "https://mail.google.com/mail/u/0/#inbox")
(short "" "Jisho" "https://jisho.org/?color_theme=dark")
(short "Gitea" "Gitea - nani.wtf" "https://git.nani.wtf/explore/repos")
(link "GitHub" "http://github.com")
(short "/u/" "danger/u/" "https://dangeru.us/")
(link "PVV" "https://www.pvv.ntnu.no/")
@ -99,7 +98,6 @@ in [
(link "WWW" "https://www.nani.wtf/")
(link "MAdmin" "https://madmin.nani.wtf")
(link "Git" "https://git.nani.wtf/explore/repos/")
(link "Hydra" "https://hydra.nani.wtf/")
(link "Docs" "https://docs.nani.wtf/")
(link "Grafana" "https://log.nani.wtf/")
])


@ -7,20 +7,15 @@
./services/atuin.nix
./services/borg.nix
./services/gitea
./services/gitea-runners.nix
./services/grafana
./services/headscale.nix
./services/hedgedoc.nix
./services/hydra.nix
./services/invidious.nix
./services/jupyter.nix
./services/kanidm.nix
./services/matrix
./services/minecraft
./services/navidrome.nix
./services/nginx
./services/osuchan.nix
./services/pgadmin.nix
./services/plex.nix
./services/postgres.nix
./services/samba.nix
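Review bot: Removing `./services/gitea`, `./services/hydra.nix`, `./services/invidious.nix`, `./services/jupyter.nix`, `./services/navidrome.nix` and `./services/pgadmin.nix` from `imports` stops managing those services, but NixOS does not clean up what they left on the host: the `git` system user and its home/state dir, the PostgreSQL roles and databases those modules relied on (`gitea`, `hydra`, `invidious`), and the sops secrets they referenced (`postgres/gitea`, `postgres/invidious`, `jupyter/password`) all remain unless dropped separately, and nothing visible in this compare does that. The leftover roles and secrets are still live credentials, so they should be rotated or dropped and removed from the sops file as part of the decommissioning. A one-line comment in this list recording when and why the services were retired (e.g. `# gitea/hydra/invidious/jupyter/navidrome/pgadmin removed 2024-06; state and DB roles cleaned up manually`) would make that traceable. Whether the corresponding nginx vhosts and firewall rules are removed elsewhere in the change set is not visible from this hunk.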


@ -13,7 +13,6 @@ in {
in {
postgres = createJob config.services.postgresqlBackup.location "postgres";
minecraft = createJob config.services.minecraft-servers.dataDir "minecraft";
gitea = createJob config.services.gitea.dump.backupDir "gitea";
};
systemd.services = lib.mkMerge ((lib.flip map) (builtins.attrNames cfg.jobs) (name: {


@ -0,0 +1,29 @@
{ config, pkgs, lib, ... }:
{
virtualisation.podman.enable = true;
virtualisation.podman.autoPrune.enable = true;
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ];
sops.secrets."gitea/runners/ping".restartUnits = [ "gitea-runner-ping.service" ];
sops.secrets."gitea/runners/pong".restartUnits = [ "gitea-runner-pong.service" ];
services.gitea-actions-runner.instances = let
mkRunner = name: {
${name} = {
enable = true;
name = "git-runner-${name}";
url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:latest"
"ubuntu-latest:docker://node:latest"
"debian-latest-personal:docker://node:latest"
"ubuntu-latest-personal:docker://node:latest"
];
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
};
};
in lib.foldl (a: b: a // b) { } [
(mkRunner "ping")
(mkRunner "pong")
];
}
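Review bot: All four labels in `mkRunner` resolve to the floating `node:latest` image, so a job requesting `debian-latest` or `ubuntu-latest` runs in whatever upstream last pushed under that tag (and not in a Debian/Ubuntu base at all), which makes job environments non-reproducible and lets an upstream retag change the execution environment silently; pin an explicit tag or digest, e.g. `"ubuntu-latest:docker://node:20-bookworm"`, and do the same for the `-personal` variants. The runner registers against `https://git.pvv.ntnu.no`, a shared instance, so which repositories and users can dispatch arbitrary workflow code onto this host is decided entirely by the scope of the registration tokens in `gitea/runners/ping` and `gitea/runners/pong`, which is not visible here and deserves a comment above `url`, e.g. `# registration tokens are scoped to <org/repo>; any repo in that scope can run jobs on this host`. A short header comment stating that these runners execute untrusted CI jobs in rootless podman containers on this machine (if that is the intended isolation boundary) would help the next reader judge the firewall exception on the `podman+` interfaces. Finally, `lib.foldl (a: b: a // b) { } [ ... ]` can be written more directly as `lib.mergeAttrsList [ (mkRunner "ping") (mkRunner "pong") ]` or `lib.genAttrs [ "ping" "pong" ] mkRunner` with `mkRunner` returning the instance set.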


@ -1,151 +0,0 @@
{ config, pkgs, unstable-pkgs, lib, secrets, ... }: let
cfg = config.services.gitea;
in {
security.pam.services."gitea".unixAuth = true;
users.users.git = {
description = "Gitea service";
home = config.services.gitea.stateDir;
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
uid = config.ids.uids.git;
packages = with unstable-pkgs; [ gitea ];
};
users.groups."gitea".members = [ "nginx" ];
sops.secrets."postgres/gitea" = rec {
restartUnits = [ "gitea.service" ];
owner = config.services.gitea.user;
group = config.users.users.${owner}.group;
};
services.gitea = {
enable = true;
user = "git";
package = unstable-pkgs.gitea;
dump = {
enable = true;
interval = "weekly";
backupDir = "/data/backup/gitea";
};
database = {
user = "gitea";
type = "postgres";
socket = "/var/run/postgresql";
createDatabase = false;
passwordFile = config.sops.secrets."postgres/gitea".path;
};
settings = {
server = {
PROTOCOL = "http+unix";
HTTP_ADDR = "/run/gitea/gitea.sock";
BUILTIN_SSH_SERVER_USER="git";
LANDING_PAGE = "/explore/repos";
ROOT_URL = "https://git.nani.wtf/";
DOMAIN = "git.nani.wtf";
};
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
metrics.ENABLED = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
OPENID_CONNECT_SCOPES = "email profile";
UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto";
USERNAME = "userid";
};
log.LEVEL = "Info";
database.LOG_SQL = false;
repository.DISABLE_STARS = true;
ui = {
DEFAULT_THEME = "monokai";
THEMES = lib.strings.concatStringsSep "," [
"gitea"
"arc-green"
# Custom
"monokai"
];
};
"ui.svg".RENDER = true;
indexer.REPO_INDEXER_ENABLED = true;
mailer = {
ENABLED = true;
FROM = "gitea@nani.wtf";
};
# Looking forward to the day I can uncomment this line
# federation.ENABLED = true;
packages.ENABLED = false;
# TODO: fix
# markup = let
# docutils = pkgs.python37.withPackages (ps: with ps; [
# docutils # Provides rendering of ReStructured Text files
# pygments # Provides syntax highlighting
# ]);
# in {
# restructuredtext = {
# ENABLED = true;
# FILE_EXTENSIONS = ".rst";
# RENDER_COMMAND = "${docutils}/bin/rst2html.py";
# IS_INPUT_FILE = false;
# };
# asciidoc = {
# ENABLED = true;
# FILE_EXTENSIONS = ".adoc,.asciidoc";
# RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor -e -a leveloffset=-1 --out-file=- -";
# IS_INPUT_FILE = false;
# };
# };
};
};
system.activationScripts.linkGiteaThemes.text = let
themes = pkgs.stdenv.mkDerivation {
pname = "gitea-themes";
version = "1.0.0";
src = ./themes;
buildInputs = with pkgs; [ lessc ];
buildPhase = ''
mkdir out
for f in $(find -name 'theme-*.less')
do
lessc $f out/''${f%.less}.css
done;
'';
installPhase = "mv out $out";
};
cssParentPath = "${config.services.gitea.stateDir}/custom/public";
cssPath = "${cssParentPath}/css";
in ''
if [[ ! -e "${cssPath}" ]]; then
printf "creating symlink at %s...\n" "${cssPath}"
mkdir -p "${cssParentPath}"
ln -s "${themes}" "${cssPath}"
elif [ -L "${cssPath}" ]; then
printf "replacing symlink at %s...\n" "${cssPath}"
rm ${cssPath}
ln -s "${themes}" "${cssPath}"
else
printf "ERROR: %s already exists and it is not a symlink\n" "${cssPath}"
_localstatus=1;
fi
'';
}


@ -1,832 +0,0 @@
// This is only a rough approximation, and needs a lot of polishing.
// 'mk' is a prefix 'for monokai'
@mk-bg-dark: #1e1f1c;
@mk-bg0: #272820;
@mk-bg1: #3e3d32;
@mk-bg2: #75715e;
@mk-fg0: #f8f8f2;
@mk-fg1: #cfcfc2;
@mk-red: #f92672;
@mk-green: #a6e22e;
@mk-blue: #66d9ef;
@mk-violet: #ae81ff;
@mk-cyan: #a1efe4;
@mk-magenta: #fd5ff0;
@mk-yellow: #e6db74;
// Extra additions
@mk-orange: #fd971f;
@mk-forest-green: #2d693b;
@mk-success-green: #21ba45;
@mk-error-red: #ff4433;
@primary: @mk-green;
/* @import "../chroma/dark.less"; */
// Code higlighting colors
.chroma .hl { background-color: #3f424d; } /* LineHighlight */
.chroma .lnt { color: @mk-fg1; } /* LineNumbersTable */
.chroma .ln { color: @mk-fg1; } /* LineNumbers */
.chroma .k { color: @mk-red; } /* Keyword */
.chroma .kc { color: @mk-red; } /* KeywordConstant */
.chroma .kd { color: @mk-red; } /* KeywordDeclaration */
.chroma .kn { color: @mk-orange; } /* KeywordNamespace */
.chroma .kp { color: @mk-red; } /* KeywordPseudo */
.chroma .kr { color: @mk-red; } /* KeywordReserved */
.chroma .kt { color: @mk-blue; } /* KeywordType */
.chroma .n { color: @mk-green; } /* Generic Name */
.chroma .na { color: @mk-fg0; } /* NameAttribute */
.chroma .nb { color: @mk-red; } /* NameBuiltin */
.chroma .bp { color: @mk-red; } /* NameBuiltinPseudo */
.chroma .nc { color: @mk-blue; } /* NameClass */
.chroma .no { color: @mk-violet; } /* NameConstant */
.chroma .nd { color: @mk-violet; } /* NameDecorator */
.chroma .ni { color: @mk-violet; } /* NameEntity */
.chroma .ne { color: @mk-violet; } /* NameException */
.chroma .nf { color: @mk-green; } /* NameFunction */
.chroma .nl { color: @mk-orange; } /* NameLabel */
.chroma .nn { color: @mk-cyan; } /* NameNamespace */
.chroma .nx { color: @mk-blue; } /* NameOther */
.chroma .nt { color: @mk-red; } /* NameTag */
.chroma .nv { color: @mk-fg0; } /* NameVariable */
.chroma .vc { color: @mk-fg0; } /* NameVariableClass */
.chroma .vg { color: @mk-fg0; } /* NameVariableGlobal */
.chroma .vi { color: @mk-fg0; } /* NameVariableInstance */
.chroma .s { color: @mk-yellow; } /* LiteralString */
.chroma .sa { color: @mk-yellow; } /* LiteralStringAffix */
.chroma .sb { color: @mk-yellow; } /* LiteralStringBacktick */
.chroma .sc { color: @mk-yellow; } /* LiteralStringChar */
.chroma .dl { color: @mk-yellow; } /* LiteralStringDelimiter */
.chroma .sd { color: @mk-yellow; } /* LiteralStringDoc */
.chroma .s2 { color: @mk-yellow; } /* LiteralStringDouble */
.chroma .se { color: @mk-orange; } /* LiteralStringEscape */
.chroma .sh { color: @mk-yellow; } /* LiteralStringHeredoc */
.chroma .si { color: @mk-yellow; } /* LiteralStringInterpol */
.chroma .sx { color: @mk-yellow; } /* LiteralStringOther */
.chroma .sr { color: @mk-orange; } /* LiteralStringRegex */
.chroma .s1 { color: @mk-yellow; } /* LiteralStringSingle */
.chroma .ss { color: @mk-yellow; } /* LiteralStringSymbol */
.chroma .m { color: @mk-cyan; } /* LiteralNumber */
.chroma .mb { color: @mk-cyan; } /* LiteralNumberBin */
.chroma .mf { color: @mk-cyan; } /* LiteralNumberFloat */
.chroma .mh { color: @mk-cyan; } /* LiteralNumberHex */
.chroma .mi { color: @mk-cyan; } /* LiteralNumberInteger */
.chroma .il { color: @mk-cyan; } /* LiteralNumberIntegerLong */
.chroma .mo { color: @mk-cyan; } /* LiteralNumberOct */
.chroma .o { color: @mk-red; } /* Operator */
.chroma .ow { color: @mk-red; } /* OperatorWord */
.chroma .c { color: @mk-bg2; } /* Comment */
.chroma .ch { color: @mk-bg2; } /* CommentHashbang */
.chroma .cm { color: @mk-bg2; } /* CommentMultiline */
.chroma .c1 { color: @mk-bg2; } /* CommentSingle */
.chroma .cs { color: lighten(@mk-bg2, 10%); } /* CommentSpecial */
.chroma .cp { color: lighten(@mk-red, 20%); } /* CommentPreproc */
.chroma .cpf { color: @mk-yellow; } /* CommentPreprocFile */
// TODO:
.chroma .gd { color: #fff; background-color: #5f3737; } /* GenericDeleted */
.chroma .ge { color: #ef5; } /* GenericEmph */
.chroma .gr { color: #f33; } /* GenericError */
.chroma .gh { color: #fa1; } /* GenericHeading */
.chroma .gi { color: #fff; background-color: #3a523a; } /* GenericInserted */
.chroma .go { color: #888888; } /* GenericOutput */
.chroma .gp { color: #555555; } /* GenericPrompt */
.chroma .gu { color: #9daccc; } /* GenericSubheading */
.chroma .gt { color: #f63; } /* GenericTraceback */
.chroma .w { color: #bbbbbb; } /* TextWhitespace */
/* @import "../codemirror/dark.less"; */
// what is this?
.CodeMirror {
&.cm-s-default,
&.cm-s-paper {
.cm-property {
color: #a0cc75;
}
.cm-header {
color: #9daccc;
}
.cm-quote {
color: #009900;
}
.cm-keyword {
color: #cc8a61;
}
.cm-atom {
color: #ef5e77;
}
.cm-number {
color: #ff5656;
}
.cm-def {
color: #e4e4e4;
}
.cm-variable-2 {
color: #00bdbf;
}
.cm-variable-3 {
color: #008855;
}
.cm-comment {
color: #8e9ab3;
}
.cm-string {
color: #a77272;
}
.cm-string-2 {
color: #ff5500;
}
.cm-meta,
.cm-qualifier {
color: #ffb176;
}
.cm-builtin {
color: #b7c951;
}
.cm-bracket {
color: #999977;
}
.cm-tag {
color: #f1d273;
}
.cm-attribute {
color: #bfcc70;
}
.cm-hr {
color: #999999;
}
.cm-url {
color: #c5cfd0;
}
.cm-link {
color: #d8c792;
}
.cm-error {
color: #dbdbeb;
}
}
}
/* theme */
:root {
--is-dark-theme: true;
--color-primary: @primary;
--color-primary-dark-1: lighten(@primary, 10%);
--color-primary-dark-2: lighten(@primary, 15%);
--color-primary-dark-3: lighten(@primary, 20%);
--color-primary-dark-4: lighten(@primary, 25%);
--color-primary-dark-5: lighten(@primary, 40%);
--color-primary-dark-6: lighten(@primary, 60%);
--color-primary-dark-7: lighten(@primary, 80%);
--color-primary-light-1: darken(@primary, 10%);
--color-primary-light-2: darken(@primary, 15%);
--color-primary-light-3: darken(@primary, 20%);
--color-primary-light-4: darken(@primary, 25%);
--color-primary-light-5: darken(@primary, 40%);
--color-primary-light-6: darken(@primary, 60%);
--color-primary-light-7: darken(@primary, 80%);
--color-primary-alpha-10: fade(@primary, 10%);
--color-primary-alpha-20: fade(@primary, 20%);
--color-primary-alpha-30: fade(@primary, 30%);
--color-primary-alpha-40: fade(@primary, 40%);
--color-primary-alpha-50: fade(@primary, 50%);
--color-primary-alpha-60: fade(@primary, 60%);
--color-primary-alpha-70: fade(@primary, 70%);
--color-primary-alpha-80: fade(@primary, 80%);
--color-primary-alpha-90: fade(@primary, 90%);
--color-secondary: #454a57;
--color-secondary-dark-1: #505665;
--color-secondary-dark-2: #5b6273;
--color-secondary-dark-3: #71798e;
--color-secondary-dark-4: #7f8699;
--color-secondary-dark-5: #8c93a4;
--color-secondary-dark-6: #9aa0af;
--color-secondary-dark-7: #a8adba;
--color-secondary-dark-8: #b6bac5;
--color-secondary-dark-9: #c4c7d0;
--color-secondary-dark-10: #d2d4db;
--color-secondary-dark-11: #dfe1e6;
--color-secondary-dark-12: #edeef1;
--color-secondary-dark-13: #fbfbfc;
--color-secondary-light-1: #373b46;
--color-secondary-light-2: #292c34;
--color-secondary-light-3: #1c1e23;
--color-secondary-light-4: #0e0f11;
--color-secondary-alpha-10: #454a5719;
--color-secondary-alpha-20: #454a5733;
--color-secondary-alpha-30: #454a574b;
--color-secondary-alpha-40: #454a5766;
--color-secondary-alpha-50: #454a5780;
--color-secondary-alpha-60: #454a5799;
--color-secondary-alpha-70: #454a57b3;
--color-secondary-alpha-80: #454a57cc;
--color-secondary-alpha-90: #454a57e1;
/* colors */
--color-red: #db2828;
--color-orange: #f2711c;
--color-yellow: #fbbd08;
--color-olive: #b5cc18;
--color-green: #21ba45;
--color-teal: #00b5ad;
--color-blue: #2185d0;
--color-violet: #6435c9;
--color-purple: #a333c8;
--color-pink: #e03997;
--color-brown: #a5673f;
--color-grey: #767a85;
--color-black: #1e222e;
--color-gold: #a1882b;
--color-white: #ffffff;
--color-diff-removed-word-bg: @mk-red;
--color-diff-added-word-bg: @mk-green;
--color-diff-removed-row-bg: #3c2626;
--color-diff-moved-row-bg: #818044;
--color-diff-added-row-bg: #283e2d;
--color-diff-removed-row-border: #634343;
--color-diff-moved-row-border: #bcca6f;
--color-diff-added-row-border: #314a37;
--color-diff-inactive: #353846;
--color-error-border: darken(@mk-error-red, 20%);
--color-error-bg: @mk-bg-dark;
--color-error-text: @mk-error-red;
--color-success-border: darken(@mk-success-green, 20%);
--color-success-bg: @mk-bg-dark;
--color-success-text: @mk-success-green;
--color-warning-border: darken(@mk-orange, 20%);
--color-warning-bg: @mk-bg-dark;
--color-warning-text: @mk-orange;
--color-info-border: darken(@mk-blue, 20%);
--color-info-bg: @mk-bg-dark;
--color-info-text: @mk-blue;
/* target-based colors */
--color-body: @mk-bg0;
--color-box-header: @mk-bg-dark;
--color-box-body: @mk-bg-dark;
--color-text-dark: lighten(@mk-fg0, 10%);
--color-text: @mk-fg0;
--color-text-light: @mk-fg1;
--color-text-light-2: @mk-fg1;
--color-text-light-3: @mk-fg1;
--color-footer: @mk-bg1;
--color-timeline: #4c525e;
--color-input-text: @mk-fg1;
--color-input-background: @mk-bg-dark;
--color-input-border: @mk-bg1;
--color-input-border-hover: @mk-bg2;
--color-navbar: @mk-bg1;
--color-navbar-transparent: fade(@mk-bg1, 0%);
--color-light: #00000028;
--color-light-mimic-enabled: rgba(0, 0, 0, calc(40 / 255 * 222 / 255 / var(--opacity-disabled)));
--color-light-border: #ffffff28;
--color-hover: #ffffff10;
--color-active: #ffffff16;
--color-menu: @mk-bg-dark;
--color-card: @mk-bg1;
--color-markup-table-row: lighten(@mk-bg-dark, 5%);
--color-markup-code-block: @mk-bg1;
--color-button: #353846;
--color-code-bg: @mk-bg-dark;
--color-code-sidebar-bg: #2e323e;
--color-shadow: #00000060;
--color-secondary-bg: #2a2e3a;
--color-text-focus: #fff;
--color-expand-button: #3c404d;
--color-placeholder-text: #6a737d;
--color-editor-line-highlight: var(--color-primary-light-5);
--color-project-board-bg: var(--color-secondary-light-2);
--color-caret: var(--color-text); /* should ideally be --color-text-dark, see #15651 */
--color-reaction-bg: #ffffff12;
--color-reaction-active-bg: var(--color-primary-alpha-40);
}
::-webkit-calendar-picker-indicator {
filter: invert(.8);
}
.markup {
& h1,
& h2 {
border-bottom: 1px solid @mk-bg2;
}
& table {
& tr
{
border-top: 1px solid @mk-bg2;
}
& td,
& th {
border: 1px solid @mk-bg2 !important;
}
}
}
.ui {
&.card {
background: var(--color-card);
border: 1px solid @mk-bg1;
& > .content {
border-color: @mk-bg2;
}
& > .extra {
border-top-color: @mk-bg2;
}
}
&.dropdown .menu,
&.menu {
background: var(--color-menu);
border: 1px solid @mk-bg1;
}
&.segment,
&.segments,
&.attached.segment,
&.attached.header {
background: var(--color-box-body);
color: var(--color-text);
border-color: @mk-bg1;
}
&.repository.list.item:not(:first-child) {
border-top: 1px solid @mk-bg2;
}
&.divider {
border-bottom-color: @mk-bg2;
}
&.button {
background-color: @mk-bg1;
}
&.primary {
&.button,
&.buttons .button {
color: black;
background-color: @primary;
}
&.button:hover,
&.buttons .button:hover {
color: black;
background-color: lighten(@primary, 15%);
}
}
&.green {
&.button,
&.buttons .button {
color: black;
background-color: @mk-success-green;
}
&.button:hover,
&.buttons .button:hover {
color: black;
background-color: lighten(@mk-success-green, 15%);
}
}
&.blue {
&.button,
&.buttons .button {
color: black;
background-color: @mk-blue;
}
&.button:hover,
&.buttons .button:hover {
color: black;
background-color: lighten(@mk-blue, 15%);
}
}
&.red {
&.button,
&.buttons .button {
color: white;
background-color: @mk-error-red;
}
&.button:hover,
&.buttons .button:hover {
color: white;
background-color: darken(@mk-error-red, 15%);
}
}
&.basic {
&.primary {
&.button,
&.buttons .button {
color: black !important;
background-color: @primary !important;
box-shadow: inset 0 0 0 1px @primary !important;
}
&.button:hover,
&.buttons .button:hover {
color: black !important;
background-color: lighten(@primary, 15%) !important;
}
}
&.green {
&.button,
&.buttons .button {
color: black !important;
background-color: @mk-success-green !important;
box-shadow: inset 0 0 0 1px @mk-success-green !important;
}
&.button:hover,
&.buttons .button:hover {
color: black !important;
background-color: lighten(@mk-success-green, 15%) !important;
}
}
&.blue {
&.button,
&.buttons .button {
color: black !important;
background-color: @mk-blue !important;
box-shadow: inset 0 0 0 1px @mk-blue !important;
}
&.button:hover,
&.buttons .button:hover {
color: black !important;
background-color: lighten(@mk-blue, 15%) !important;
}
}
&.red {
&.button,
&.buttons .button {
color: white;
background-color: @mk-error-red;
}
&.button:hover,
&.buttons .button:hover {
color: white;
background-color: darken(@mk-error-red, 15%);
}
}
}
}
.ui.horizontal.segments > .segment {
background-color: @mk-bg-dark;
border-color: @mk-bg1;
}
.ui.green.progress .bar {
background-color: #668844;
}
.ui.progress.success .bar {
background-color: #7b9e57 !important;
}
.repository {
&.file.list #repo-files-table tr {
background: @mk-bg-dark;
&:hover {
background-color: lighten(@mk-bg-dark, 20%) !important;
}
}
& .navbar .active.item,
& .navbar .active.item:hover {
border-color: transparent !important;
}
& .diff-stats li {
border-color: var(--color-secondary);
}
&.release #release-list {
border-top: 1px solid @mk-bg2;
& > li .detail .dot {
background-color: #505667;
border-color: #383c4a;
}
}
& .repo-header .ui.huge.breadcrumb.repo-title .repo-header-icon .avatar {
color: #2a2e3a;
}
&.labels .ui.basic.black.label {
background-color: #bbbbbb !important;
}
}
.following.bar.light {
background: @mk-bg1;
border-color: var(--color-secondary-alpha-40);
}
.following.bar .top.menu a.item:hover {
color: #fff;
}
.feeds .list ul li.private {
background: #353945;
}
.ui.red.label,
.ui.red.labels .label {
background-color: #7d3434 !important;
border-color: #8a2121 !important;
}
.ui.yellow.label,
.ui.yellow.labels .label {
border-color: #664d02 !important;
background-color: #936e00 !important;
}
.ui.accordion .title:not(.ui) {
color: #dbdbdb;
}
.ui.green.label,
.ui.green.labels .label,
.ui.basic.green.label {
background-color: #2d693b !important;
border-color: #2d693b !important;
}
.ui.green.labels a.label:hover,
.ui.basic.green.labels a.label:hover,
a.ui.ui.ui.green.label:hover,
a.ui.basic.green.label:hover {
background-color: #3d794b !important;
border-color: #3d794b !important;
color: #fff !important;
}
// .ui.divider:not(.vertical):not(.horizontal) {
// border-bottom-color: var(--color-secondary);
// border-top-color: transparent;
// }
.form .help {
color: @mk-fg1;
}
.ui .text.light.grey {
color: #7f8699 !important;
}
.ui.form .fields.error .field textarea,
.ui.form .fields.error .field select,
.ui.form .fields.error .field input:not([type]),
.ui.form .fields.error .field input[type="date"],
.ui.form .fields.error .field input[type="datetime-local"],
.ui.form .fields.error .field input[type="email"],
.ui.form .fields.error .field input[type="number"],
.ui.form .fields.error .field input[type="password"],
.ui.form .fields.error .field input[type="search"],
.ui.form .fields.error .field input[type="tel"],
.ui.form .fields.error .field input[type="time"],
.ui.form .fields.error .field input[type="text"],
.ui.form .fields.error .field input[type="file"],
.ui.form .fields.error .field input[type="url"],
.ui.form .field.error textarea,
.ui.form .field.error select,
.ui.form .field.error input:not([type]),
.ui.form .field.error input[type="date"],
.ui.form .field.error input[type="datetime-local"],
.ui.form .field.error input[type="email"],
.ui.form .field.error input[type="number"],
.ui.form .field.error input[type="password"],
.ui.form .field.error input[type="search"],
.ui.form .field.error input[type="tel"],
.ui.form .field.error input[type="time"],
.ui.form .field.error input[type="text"],
.ui.form .field.error input[type="file"],
.ui.form .field.error input[type="url"] {
background-color: @mk-error-red;
border: 1px solid darken(@mk-error-red, 30%);
color: lighten(@mk-error-red, 90%);
}
.ui.form .field.error select:focus,
.ui.form .field.error input:not([type]):focus,
.ui.form .field.error input[type="date"]:focus,
.ui.form .field.error input[type="datetime-local"]:focus,
.ui.form .field.error input[type="email"]:focus,
.ui.form .field.error input[type="number"]:focus,
.ui.form .field.error input[type="password"]:focus,
.ui.form .field.error input[type="search"]:focus,
.ui.form .field.error input[type="tel"]:focus,
.ui.form .field.error input[type="time"]:focus,
.ui.form .field.error input[type="text"]:focus,
.ui.form .field.error input[type="file"]:focus,
.ui.form .field.error input[type="url"]:focus {
background-color: #522;
border: 1px solid #a04141;
color: #f9cbcb;
}
.ui.search > .results {
background: @mk-bg-dark;
// border-color: @mk-bg0-dark;
}
.ui.search > .results .result:hover,
.ui.category.search > .results .category .result:hover {
background: @mk-bg-dark;
}
.ui.search > .results .result .title {
color: @mk-fg0;
}
.ui.table {
border-color: @mk-bg1;
thead > tr > th {
background: @mk-bg-dark;
color: @mk-fg0 !important;
}
}
.overflow.menu .items .item {
color: #9d9d9d;
}
.overflow.menu .items .item:hover {
color: #dbdbdb;
}
.ui.list > .item > .content {
color: var(--color-secondary-dark-6) !important;
}
.tag-code,
.tag-code td {
background: #353945 !important;
}
.tag-code td.lines-num {
background-color: #3a3e4c !important;
}
.tag-code td.lines-type-marker,
td.blob-hunk {
color: #dbdbdb !important;
}
.ui.list .list > .item .header,
.ui.list > .item .header {
color: #dedede;
}
.ui.list .list > .item .description,
.ui.list > .item .description {
color: var(--color-secondary-dark-6);
}
.lines-num {
color: var(--color-secondary-dark-6) !important;
border-color: var(--color-secondary) !important;
}
td.blob-excerpt {
background-color: rgba(0, 0, 0, .15);
}
.lines-code.active,
.lines-code .active {
background: #534d1b !important;
}
.ui.ui.ui.ui.table tr.active,
.ui.ui.table td.active {
color: #dbdbdb;
}
.ui.active.label {
background: #393d4a;
border-color: #393d4a;
color: #dbdbdb;
}
.ui.header .sub.header {
color: var(--color-secondary-dark-6);
}
.ui.dividing.header {
border-bottom: 1px solid var(--color-secondary);
}
.ui.modal > .header {
background: var(--color-secondary);
color: #dbdbdb;
}
.ui.modal > .actions {
background: var(--color-secondary);
border-color: var(--color-secondary);
}
.ui.modal > .content {
background: #383c4a;
}
.minicolors-panel {
background: var(--color-secondary) !important;
border-color: #6a737d !important;
}
/* invert emojis that are hard to read otherwise */
.emoji[aria-label="check mark"],
.emoji[aria-label="currency exchange"],
.emoji[aria-label="TOP arrow"],
.emoji[aria-label="END arrow"],
.emoji[aria-label="ON! arrow"],
.emoji[aria-label="SOON arrow"],
.emoji[aria-label="heavy dollar sign"],
.emoji[aria-label="copyright"],
.emoji[aria-label="registered"],
.emoji[aria-label="trade mark"],
.emoji[aria-label="multiply"],
.emoji[aria-label="plus"],
.emoji[aria-label="minus"],
.emoji[aria-label="divide"],
.emoji[aria-label="curly loop"],
.emoji[aria-label="double curly loop"],
.emoji[aria-label="wavy dash"],
.emoji[aria-label="paw prints"],
.emoji[aria-label="musical note"],
.emoji[aria-label="musical notes"] {
filter: invert(100%) hue-rotate(180deg);
}
.edit-diff > div > .ui.table {
border-left-color: var(--color-secondary) !important;
border-right-color: var(--color-secondary) !important;
}
footer .container .links > * {
border-left-color: #888;
}
.tribute-container {
box-shadow: 0 .25rem .5rem rgba(0, 0, 0, .6);
}
img[src$="/img/matrix.svg"] {
filter: invert(80%);
}
.is-loading::after {
border-color: #4a4c58 #4a4c58 #d7d7da #d7d7da;
}
.markup-block-error {
border: 1px solid rgba(121, 71, 66, .5) !important;
border-bottom: none !important;
}


@ -1,12 +0,0 @@
{ ... }:
{
# Gitea already exports at /metrics
services.prometheus.scrapeConfigs = [{
job_name = "gitea";
scrape_interval = "15s";
metrics_path = "/metrics/gitea";
static_configs = [{
targets = [ "localhost" ];
}];
}];
}


@ -2,7 +2,6 @@
# TODO: Autogenerate port infrastructure
imports = [
./prometheus-exporters/gitea.nix
./prometheus-exporters/hedgedoc.nix
./prometheus-exporters/matrix-synapse.nix
./prometheus-exporters/minecraft.nix


@ -13,7 +13,7 @@ in {
};
services.headscale = {
enable = true;
enable = false;
port = 39304;
@ -55,14 +55,10 @@ in {
services.postgresql = lib.mkIf cfg.enable {
enable = true;
ensureDatabases = [ "headscale" ];
ensureUsers = [
(rec {
ensureUsers = [{
name = "headscale";
ensurePermissions = {
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
};
})
];
ensureDBOwnership = true;
}];
};
environment.systemPackages = lib.mkIf cfg.enable [ pkgs.headscale ];
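Review bot: `enable = false;` for headscale carries no explanation, and since the `services.postgresql` stanza in the same hunk is `lib.mkIf cfg.enable`, the `ensureDBOwnership = true` migration it introduces will not actually be applied on this host until the service is re-enabled — so that part of the 24.05 migration is untested for now. A why-comment would prevent the flag from being flipped back without that in mind, e.g. `enable = false; # disabled 2024-06; the postgres ensureDBOwnership block below is gated on this and first takes effect on re-enable`. `ensureDBOwnership` requires the role name to equal the database name, which holds here (`headscale`/`headscale`); whether the rest of the file (the listener on port 39304, any nginx vhost or firewall rule) is also gated on `cfg.enable` lies outside this hunk and is worth confirming so a disabled service does not leave an exposed port.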


@ -53,11 +53,10 @@ in {
services.postgresql = {
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensurePermissions = {
"DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}];
};


@ -1,78 +0,0 @@
{ pkgs, unstable-pkgs, secrets, ... }:
{
# Follow instructions for setup:
# https://gist.github.com/joepie91/c26f01a787af87a96f967219234a8723
services.hydra = {
enable = true;
hydraURL = "https://hydra.nani.wtf";
listenHost = "localhost";
notificationSender = "hydra@nani.wtf";
useSubstitutes = true;
package = unstable-pkgs.hydra_unstable;
buildMachinesFiles = [];
dbi = "dbi:Pg:dbname=hydra;host=/var/run/postgresql;user=hydra;";
};
systemd.slices.system-hydra = {
description = "Nix Hydra slice";
requires = [
"system.slice"
"postgresql.service"
];
after = [ "system.slice" ];
};
systemd.services = {
hydra-evaluator.serviceConfig.Slice = "system-hydra.slice";
hydra-init.serviceConfig.Slice = "system-hydra.slice";
hydra-notify.serviceConfig.Slice = "system-hydra.slice";
hydra-queue-runner.serviceConfig.Slice = "system-hydra.slice";
hydra-send-stats.serviceConfig.Slice = "system-hydra.slice";
hydra-server.serviceConfig.Slice = "system-hydra.slice";
};
systemd.timers = {
hydra-check-space.timerConfig.Slice = "system-hydra.slice";
hydra-compress-logs.timerConfig.Slice = "system-hydra.slice";
hydra-update-gc-roots.timerConfig.Slice = "system-hydra.slice";
};
systemd.services.hydra-server.serviceConfig = {
Slice = "system-hydra.slice";
ReadOnlyPaths = [
"/nix/"
"/var/lib/hydra/scm/"
];
ReadWritePaths = [
"/nix/var/nix/gcroots/hydra/"
"/nix/var/nix/daemon-socket/socket"
];
LockPersonality = true;
# MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PermissionsStartOnly = true;
PrivateDevices = true;
PrivateMounts = true;
# PrivateNetwork=false
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
Restart = "always";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
# StateDirectory=hydra/www
# StateDirectoryMode=700
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
};
}


@ -1,34 +0,0 @@
{ config, ... }: let
cfg = config.services.invidious;
in {
sops.secrets."postgres/invidious" = {
restartUnits = [ "invidious.service" ];
};
services.invidious = {
enable = true;
domain = "yt.nani.wtf";
port = 19283;
# This will implicitly use unix socket
database = {
createLocally = true;
passwordFile = config.sops.secrets."postgres/invidious".path;
};
settings = {
registration_enabled = false;
host_binding = "127.0.0.1";
# popular_enabled = false;
};
};
local.socketActivation.invidious = {
enable = cfg.enable;
originalSocketAddress = "${cfg.settings.host_binding}:${toString cfg.port}";
newSocketAddress = "/run/invidious.sock";
privateNamespace = false;
};
}


@ -1,119 +0,0 @@
{ config, pkgs, lib, ... }: let
cfg = config.services.jupyter;
in {
sops.secrets."jupyter/password" = {
restartUnits = [ "jupyter.service" ];
owner = cfg.user;
inherit (cfg) group;
};
users.users."jupyter".group = "jupyter";
services.jupyter = {
enable = true;
group = "jupyter";
password = let
readFile = f: "open('${f}', 'r', encoding='utf8').read().strip()";
in
readFile config.sops.secrets."jupyter/password".path;
kernels = {
pythonDS = let
env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
numpy
matplotlib
ipykernel
]));
in {
displayName = "Python for data science";
argv = [
"${env.interpreter}"
"-m"
"ipykernel_launcher"
"-f"
"{connection_file}"
];
language = "python";
logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png";
logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png";
};
};
};
systemd.tmpfiles.settings."10-jupyter" = {
"/var/lib/jupyter/notebooks".d = {
mode = "0700";
user = "jupyter";
group = "jupyter";
};
"/var/lib/jupyter/data".d = {
mode = "0700";
user = "jupyter";
group = "jupyter";
};
};
systemd.services.jupyter = let
notebookConfig = pkgs.writeText "jupyter_config.py" ''
c.NotebookApp.notebook_dir = 'notebooks'
c.NotebookApp.open_browser = False
c.NotebookApp.password = ${cfg.password}
c.NotebookApp.password_required = True
c.NotebookApp.sock = '/run/jupyter/jupyter.sock'
c.NotebookApp.sock_mode = '0660'
c.NotebookApp.local_hostnames = ['py.nani.wtf']
c.ConnectionFileMixin.transport = 'ipc'
${cfg.notebookConfig}
'';
in {
environment = {
JUPYTER_DATA_DIR = "%S/${config.systemd.services.jupyter.serviceConfig.StateDirectory}/data";
JUPYTER_RUNTIME_DIR = "%t/${config.systemd.services.jupyter.serviceConfig.RuntimeDirectory}";
};
serviceConfig = {
RuntimeDirectory = "jupyter";
StateDirectory = "jupyter";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
SystemCallArchitectures = "native";
ExecStart = lib.mkForce ''
${cfg.package}/bin/${cfg.command} --NotebookApp.config_file=${notebookConfig}
'';
};
};
local.socketActivation.jupyter = {
enable = cfg.enable;
originalSocketAddress = "/run/jupyter/jupyter.sock";
newSocketAddress = "/run/jupyter.sock";
privateNamespace = false;
};
systemd.services.jupyter-proxy.serviceConfig = {
User = "jupyter";
Group = "jupyter";
};
}


@ -1,79 +0,0 @@
{ secrets, ... }:
{
services.mautrix-facebook = {
enable = false;
configurePostgresql = true;
registrationData = {
# NOTE: This is a randomly generated UUID
inherit (secrets.keys.matrix.mautrix-facebook) as_token;
inherit (secrets.keys.matrix.mautrix-facebook) hs_token;
};
settings = {
homeserver = {
# TODO: connect via localhost
address = "https://matrix.nani.wtf";
domain = "nani.wtf";
};
appservice = rec {
address = "http://${hostname}:${toString port}";
bot_username = "facebookbot";
hostname = "0.0.0.0";
ephemeral_events = true;
port = secrets.ports.matrix.mautrix-facebook;
inherit (secrets.keys.matrix.mautrix-facebook) as_token;
inherit (secrets.keys.matrix.mautrix-facebook) hs_token;
};
bridge = {
encryption = {
allow = true;
default = true;
};
backfilling = {
initial_limit = 8000;
};
username_template = "facebook_{userid}";
sync_with_custom_puppets = false;
permissions = {
"@h7x4:nani.wtf" = "admin";
"nani.wtf" = "user";
};
};
logging = {
formatters = {
journal_fmt = {
format = "%(name)s: %(message)s";
};
};
handlers = {
journal = {
SYSLOG_IDENTIFIER = "mautrix-facebook";
class = "systemd.journal.JournalHandler";
formatter = "journal_fmt";
};
};
root = {
handlers = [
"journal"
];
level = "INFO";
};
version = 1;
};
manhole = {
enabled = false;
};
metrics = {
enabled = false;
};
};
};
}


@ -1,46 +0,0 @@
{ config, ... }:
{
services.mx-puppet-discord = {
enable = false;
serviceDependencies = [
"matrix-synapse.service"
"postgresql.service"
];
settings = {
bridge = {
bindAddress = "localhost";
domain = "nani.wtf";
# TODO: connect via localhost
homeserverUrl = "https://matrix.nani.wtf";
port = 8434;
enableGroupSync = true;
};
database.connString = "postgres://mx-puppet-discord:@localhost:${toString config.services.postgresql.port}/mx-puppet-discord?sslmode=disable";
namePatterns = {
room = ":name";
user = ":name";
userOverride = ":displayname";
group = ":name";
};
presence = {
enabled = true;
interval = 500;
};
logging = {
console = "info";
lineDateFormat = "MMM-D HH:mm:ss.SSS";
};
provisioning.whitelist = [ "@h7x4:nani\\.wtf" ];
relay.whitelist = [ "@h7x4:nani\\.wtf" ];
selfService.whitelist = [ "@h7x4:nani\\.wtf" ];
};
};
}


@ -1,8 +1,6 @@
{ pkgs, lib, config, secrets, ... }: {
imports = [
./bridges/mautrix-facebook.nix
./bridges/mx-puppet-discord.nix
./bridges/matrix-appservice-irc.nix
./maunium-stickerpicker.nix
@ -76,9 +74,6 @@
# TODO: Figure out a way to do this declaratively.
# The files need to be owned by matrix-synapse
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
# (pkgs.writeText "facebook-registrations.yaml" (builtins.toJSON config.services.mautrix-facebook.registrationData))
"/var/lib/matrix-synapse/facebook-registration.yaml"
"/var/lib/matrix-synapse/irc-registration.yml"
];
@ -88,6 +83,14 @@
};
};
systemd.slices.system-matrix-synapse = {
requires = [
"postgresql.service"
"redis.service"
"kanidm.service"
];
};
services.redis.servers."".enable = true;
networking.firewall = {
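Review bot: `requires` on the system-matrix-synapse slice declares a dependency but no ordering, so units in the slice can still be started before postgresql, redis or kanidm are up, and a failed dependency does not even block the start without an ordering edge; add `after = [ "postgresql.service" "redis.service" "kanidm.service" ];` beside it. Requires= also propagates explicit stops and restarts from the listed units, which for a slice means a `systemctl restart kanidm` would take every unit inside the slice down with it; if that is not intended, `wants` plus `after` is the gentler form. The enclosing attribute set continues outside the hunk.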


@ -8,7 +8,7 @@ in {
stickerMatrixDomain = "pingu-stickers.nani.wtf";
# These will be defined by `useACMECert` in nginx config
enableACME = false;
stickerpacks = with stickerpacks; [
stickerPacks = with stickerpacks; [
dogCatCatgirlSide
frownCat1
niniCouple1
@ -23,7 +23,7 @@ in {
realMatrixDomain = "matrix.nani.wtf";
stickerMatrixDomain = "h7x4-stickers.nani.wtf";
enableACME = false;
stickerpacks = with stickerpacks; [
stickerPacks = with stickerpacks; [
dogCatDogboySide
niniCouple1
niniCouple2


@ -5,20 +5,16 @@
cfg = config.services;
db = name: {
inherit name;
ensurePermissions = {
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
};
in {
enable = true;
ensureDatabases =
(o cfg.matrix-synapse.enable "matrix-synapse")
++ (o cfg.mx-puppet-discord.enable "mx-puppet-discord")
++ (o cfg.matrix-appservice-irc.enable "matrix-appservice-irc");
ensureUsers =
(o cfg.matrix-synapse.enable (db "matrix-synapse"))
++ (o cfg.mx-puppet-discord.enable (db "mx-puppet-discord"))
++ (o cfg.matrix-appservice-irc.enable (db "matrix-appservice-irc"));
};
}
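Review bot: `ensureDBOwnership` only evaluates when the role name also appears in `ensureDatabases` (NixOS asserts this), and ownership is a wider grant than the old ALL PRIVILEGES was — the owner can also drop the database — so the `db` helper deserves a line recording both: `# ensureDBOwnership: the role must share its name with an entry in ensureDatabases; the role owns (and can drop) that database`. The same helper and the same migration appear in the later `db` helper hunk and in the nextcloud and vaultwarden postgres hunks, so one such comment per helper covers them all. Dropping an entry from ensureDatabases/ensureUsers — as the line counts suggest happens to mx-puppet-discord here — is additive-only on the NixOS side: the existing role, its database and its password stay in the cluster until someone removes them by hand.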


@ -78,7 +78,7 @@
id = "hutao";
title = "Hu Tao";
stickers = ./json/hutao.json;
hash = "sha256-ECEK7bYa9dyPBAi74A/Gjt08MHUBTZHAPzAeusynEjM=";
hash = "sha256-953otzYwn6/iOeLYGoMA+wpnH8S7nNqTs/XCLU1eM0E=";
};
pokemonPiplup = {


@ -170,9 +170,7 @@ in
o = lib.optional;
db = name: {
inherit name;
ensurePermissions = {
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
};
in {
enable = true;


@ -1,20 +0,0 @@
{ config, pkgs, ... }: let
cfg = config.services.navidrome;
in {
services.navidrome = {
enable = true;
settings = {
Address = "127.0.0.1";
Port = 4533;
MusicFolder = "/data2/media/music";
Prometheus.Enabled = true;
};
};
local.socketActivation.navidrome = {
enable = cfg.enable;
originalSocketAddress = "${cfg.settings.Address}:${toString cfg.settings.Port}";
newSocketAddress = "/run/navidrome.sock";
privateNamespace = false;
};
}


@ -58,13 +58,9 @@
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
(rec {
name = "nextcloud";
ensurePermissions = {
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
};
})
];
ensureUsers = [{
name = "nextcloud";
ensureDBOwnership = true;
}];
};
}


@ -43,18 +43,12 @@
in {
"atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
"dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };
"gitea".servers."unix:/run/gitea/gitea.sock" = { };
"grafana".servers."unix:/run/grafana/grafana.sock" = { };
"headscale".servers."localhost:${s srv.headscale.port}" = { };
"hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
"hydra".servers."localhost:${s srv.hydra.port}" = { };
"idrac".servers."${ips.idrac}" = { };
"invidious".servers."unix:${sa.invidious.newSocketAddress}" = { };
"jupyter".servers."unix:${sa.jupyter.newSocketAddress}" = { };
"kanidm".servers."localhost:8300" = { };
"navidrome".servers."unix:${sa.navidrome.newSocketAddress}" = { };
"osuchan".servers."localhost:${s ports.osuchan}" = { };
"pgadmin".servers."unix:${srv.uwsgi.instance.vassals.pgadmin.socket}" = { };
"plex".servers."localhost:${s ports.plex}" = { };
"vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
};
@ -69,6 +63,20 @@
sha256 = "0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";
};
# nonCFHost =
# subdomains: extraSettings: let
# settings = with keys.certificates; {
# useACMEHost = "nani.wtf";
# forceSSL = true;
# kTLS = true;
# };
# in
# nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate settings extraSettings);
# nonCFProxy =
# subdomains: url: extraSettings:
# nonCFHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
host =
subdomains: extraSettings: let
settings = with keys.certificates; {
@ -117,25 +125,22 @@
};
}
# (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
(host ["testmap"] {
root = "/var/lib/mcmap";
locations = {
"~* ^/maps/[^/]*/tiles/[^/]*.json$".extraConfig = ''
error_page 404 =200 /assets/emptyTile.json;
gzip_static always;
'';
"~* ^/maps/[^/]*/tiles/[^/]*.png$".tryFiles = "$uri =204";
};
})
(host ["www"] {
locations."/" = {
tryFiles = "$uri /index.html";
root = pkgs.writeTextDir "index.html" (lib.fileContents ./temp-website.html);
};
})
(host ["pg"] {
locations."/" = {
extraConfig = ''
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass pgadmin;
'';
};
})
# (proxy ["pg"] "http://localhost:${s ports.pgadmin}" {
# extraConfig = ''
# proxy_set_header X-CSRF-Token $http_x_pga_csrftoken;
# '';
# })
# (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
(host ["matrix"] {
enableACME = lib.mkForce false;
@ -151,17 +156,38 @@
(proxy ["auth"] "https://kanidm" { extraConfig = "proxy_ssl_verify off;"; })
(proxy ["bw"] "http://vaultwarden" {})
(proxy ["docs"] "http://hedgedoc" {})
(proxy ["git"] "http://gitea" {})
(proxy ["hydra"] "http://hydra" {})
(host ["git"] {
locations."/".extraConfig = ''
location /h7x4 {
location ~ /h7x4/(?<project>[a-zA-Z0-9\./_-]*) {
return 301 $scheme://git.pvv.ntnu.no/oysteikt/$project;
}
return 301 $scheme://git.pvv.ntnu.no/oysteikt/;
}
location ~ /[Ss]chool[Ww]ork {
location ~ /[Ss]chool[Ww]ork/(?<project>[a-zA-Z0-9\./_-]*) {
return 301 $scheme://git.pvv.ntnu.no/oysteikt-skolearbeid/$project;
}
return 301 $scheme://git.pvv.ntnu.no/oysteikt-skolearbeid/;
}
return 301 $scheme://git.pvv.ntnu.no$request_uri;
'';
})
(proxy ["idrac"] "https://idrac" {})
(proxy ["log"] "http://grafana" enableWebsockets)
(proxy ["map"] "http://dynmap" {})
(proxy ["osu"] "http://osuchan" {})
(proxy ["plex"] "http://plex" {})
(proxy ["mus"] "http://navidrome" enableWebsockets)
(proxy ["py"] "http://jupyter" enableWebsockets)
(proxy ["vpn"] "http://headscale" enableWebsockets)
(proxy ["yt"] "http://invidious" {})
# (proxy ["vpn"] "http://headscale" {
# locations."/" = {
# proxyWebsockets = true;
# extraConfig = ''
# add_header Access-Control-Allow-Origin *;
# add_header Access-Control-Allow-Methods GET,HEAD,POST,OPTIONS;
# add_header Access-Control-Max-Age 86400;
# '';
# };
# })
(host ["h7x4-stickers"] {})
(host ["pingu-stickers"] {})
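Review bot: The two tile regexes in the new testmap host use an unescaped dot, so `[^/]*.json$` also matches a name like `fooXjson` or `tilesjson`, and the 404→200 emptyTile rewrite and `gzip_static always` then apply to requests they were not meant for; escape it in both lines: `"~* ^/maps/[^/]*/tiles/[^/]*\\.json$".extraConfig = ''` and `"~* ^/maps/[^/]*/tiles/[^/]*\\.png$".tryFiles = "$uri =204";`. Since /var/lib/mcmap is described as a mutable tree, a one-line comment on the `root` saying which user or unit is expected to write there (and that nginx only reads it) would save the next reader a permissions hunt. The list of hosts continues outside the hunk.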


@ -1,111 +0,0 @@
{ config, pkgs, lib, secrets, ... }: let
pgadmin-user = let
username = config.systemd.services.pgadmin.serviceConfig.User;
in config.users.users.${username};
in {
sops.secrets = {
"pgadmin/oauth2_secret" = rec {
restartUnits = [ "pgadmin.service" ];
owner = pgadmin-user.name;
group = pgadmin-user.group;
};
"pgadmin/initialPassword" = rec {
restartUnits = [ "pgadmin.service" ];
owner = pgadmin-user.name;
group = pgadmin-user.group;
};
};
services.pgadmin = {
enable = true;
openFirewall = true;
initialEmail = "h7x4@nani.wtf";
initialPasswordFile = config.sops.secrets."pgadmin/initialPassword".path;
port = secrets.ports.pgadmin;
settings = let
authServerUrl = config.services.kanidm.serverSettings.origin;
in {
# FIXME: pgadmin does not work with NFS by default, because it uses
# some kind of metafiles in its data directory.
# DATA_DIR = "${config.machineVars.dataDrives.default}/var/pgadmin";
DATA_DIR = "/var/lib/pgadmin";
WTF_CSRF_HEADERS = [
"X-pgA-CSRFToken"
"X-CSRFToken"
"X-CSRF-Token"
];
PROXY_X_FOR_COUNT = 1;
PROXY_X_PROTO_COUNT = 1;
PROXY_X_HOST_COUNT = 1;
PROXY_X_PORT_COUNT = 1;
PROXY_X_PREFIX_COUNT = 1;
SESSION_COOKIE_HTTPONLY = false;
SESSION_COOKIE_SECURE = true;
AUTHENTICATION_SOURCES = [ "oauth2" ];
OAUTH2_AUTO_CREATE_USER = true;
OAUTH2_CONFIG = [ rec {
OAUTH2_NAME = "KaniDM";
OAUTH2_DISPLAY_NAME = "KaniDM";
OAUTH2_CLIENT_ID = "pgadmin";
OAUTH2_API_BASE_URL = "${authServerUrl}/oauth2";
OAUTH2_TOKEN_URL = "${authServerUrl}/oauth2/token";
OAUTH2_AUTHORIZATION_URL = "${authServerUrl}/ui/oauth2";
OAUTH2_USERINFO_ENDPOINT = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/userinfo";
OAUTH2_SERVER_METADATA_URL = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/.well-known/openid-configuration";
OAUTH2_SCOPE = "openid email profile";
OAUTH2_ICON = "fa-lock";
OAUTH2_BUTTON_COLOR = "#ff6600";
}];
};
};
environment.etc."pgadmin/config_system.py".text = let
in ''
with open("${config.sops.secrets."pgadmin/oauth2_secret".path}") as f:
OAUTH2_CONFIG[0]['OAUTH2_CLIENT_SECRET'] = f.read()
'';
systemd.services."pgadmin".enable = false;
users = {
users."pgadmin".uid = 985;
groups = {
"pgadmin" = {
gid = 984;
members = [
"nginx"
"uwsgi"
];
};
"uwsgi".members = [ pgadmin-user.name ];
};
};
services.uwsgi = {
enable = false;
plugins = [ "python3" ];
instance = {
type = "emperor";
pidfile = "${config.services.uwsgi.runDir}/uwsgi.pid";
stats = "${config.services.uwsgi.runDir}/stats.sock";
vassals."pgadmin" = rec {
type = "normal";
pythonPackages = _: with pkgs; ([ pgadmin4 ] ++ pgadmin4.propagatedBuildInputs);
strict = true;
immediate-uid = pgadmin-user.name;
immediate-gid = pgadmin-user.group;
lazy-apps = true;
enable-threads = true;
# chdir = "${pkgs.pgadmin4}/lib/python3.10/site-packages/pgadmin4";
module = "pgAdmin4:app";
socket = "/run/user/${toString pgadmin-user.uid}/pgadmin.sock";
chmod-socket = 664;
};
};
};
}


@ -5,27 +5,4 @@ in {
enable = true;
openFirewall = true;
};
systemd.services.plex.serviceConfig = {
ReadWritePaths = [ cfg.dataDir ];
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
PrivateMounts = true;
RestrictSUIDSGID = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = true;
ProtectHome = true;
# PrivateNetwork = true;
PrivateUsers = true;
PrivateTmp = true;
UMask = "0007";
# RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
}


@ -6,7 +6,6 @@ in {
enableTCPIP = true;
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
local hydra all ident map=hydra-users
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';


@ -15,10 +15,10 @@ in {
ProtectProc = "invisible";
ProtectSystem = "strict";
WorkingDirectory = "/data/scrapers/nhk-easy-news";
BindPaths = [ WorkingDirectory ];
# BindPaths = [ WorkingDirectory ];
ReadWritePaths = [ WorkingDirectory ];
StateDirectory = "nhk-easy-news-scraper";
StateDirectoryMode = "0755";
# StateDirectory = "nhk-easy-news-scraper";
# StateDirectoryMode = "0755";
};
};
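Review bot: BindPaths and StateDirectory are commented out with nothing in the file saying why or when they come back, which is the kind of "temporary" that outlives the reason; replace the bare comment markers with a dated note such as `# TODO(2024-06): BindPaths/StateDirectory disabled temporarily (<PLACEHOLDER: reason>); re-enable once resolved`. Without StateDirectory systemd no longer creates or owns /var/lib/nhk-easy-news-scraper, so any `%S`-based reference elsewhere in the unit would now point at a missing directory — worth a check, as the rest of the serviceConfig set (including the `rec` that lets `WorkingDirectory` be referenced) lies outside the hunk. With ProtectSystem = "strict" still set, write access to /data/scrapers/nhk-easy-news now rests solely on ReadWritePaths.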


@ -59,14 +59,10 @@ in {
services.postgresql = lib.mkIf cfg.enable {
enable = true;
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
(rec {
name = "vaultwarden";
ensurePermissions = {
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
};
})
];
ensureUsers = [{
name = "vaultwarden";
ensureDBOwnership = true;
}];
};
local.socketActivation.vaultwarden = {


@ -1,8 +1,10 @@
github:
tokens:
prometheus_exporter: ENC[AES256_GCM,data:Uybn/X2kgRKrtoLfgOYU/vR9PS/9JTX4MVuXJBCq2ZH5O2O1W5wfUg==,iv:8Q/kKd3r6G70wU4eLtqpf1obWeErNv5mNrpOQxB6tl8=,tag:PrCMzieirVaCbUT94iVKbg==,type:str]
jupyter:
password: ENC[AES256_GCM,data:mm0EHzhK9AqErfsoWWJ5+3ym+VXgEcZ+qadTy3f+NtA=,iv:ntGxklA5oDbGbo3j3ffbAvzGE4c9Ay/SfCWdA6bqzP4=,tag:KG1luMcSjBFm0LVKnoTvGA==,type:str]
gitea:
runners:
ping: ENC[AES256_GCM,data:DRyw59+KE0n/qEr+Az7r8ulZr3dk1u6hVT1SVqKywW4DgtUr1eLj7DGOXvHxug==,iv:W49dNY/V+6KPuQeN5rdWw6Ed+w/oOy9ey+hRRz7Oxdc=,tag:ILzIKgvLs+8RVpHsSuMHrA==,type:str]
pong: ENC[AES256_GCM,data:VwpNj/FRSkc5/s6aZPaiBwIaj9VBfp6wcnDFkWmTWC6xRWevMUYKv3jHPhD/ZA==,iv:0uVgjmrF4jIa+Eg3Gofb+2eFa1MdZHb9eR4BcWBpkeQ=,tag:YsXjKqeksU9JcXl+5REXFQ==,type:str]
grafana:
oauth2_secret: ENC[AES256_GCM,data:zxfPtiB/o5cC27O9uQzPvQV1qWcp3xxnIi7/P84I2lJ/X4ovAwXuiEqnc7BDAE4E,iv:ZY8BDTMEvR2JiFHKM8iM90UQbmTqH/DoVklWno6Xa4U=,tag:E8GTGk9IJauCgjaoToShBg==,type:str]
secretkey: ENC[AES256_GCM,data:aVzqZqwFfm3FcYJE8USxsDbZVwtnF5NJXTAqshv9av4ZeR5YrDfDzLYHHztXMZt2Q7p/6A==,iv:A7x7oRUVvfxqSXRfi9+15z9pE6xX+GZrGU7gXrSKyXE=,tag:2uatRT0XePk2dqZj2ZlM3A==,type:str]
@ -18,15 +20,10 @@ drives:
nextcloud:
initialPassword: ENC[AES256_GCM,data:ROG+4u6C9zBu8Ez3Jprw8cgwVd2gFErUIOBmrWL9o7/qSGPT8jnwd0T5W8E=,iv:uRdL/3Xslu/J/aPI44WxlNw3RLAvjDRPt5VttuQL/P0=,tag:IDmGXNF9PsHPaMqK5YUKIg==,type:str]
postgres:
gitea: ENC[AES256_GCM,data:HyYgEgOzeOnaEvPDEXoL+fRhrnqCeGbb/wOYf2kHulxrU9PKIAcRzmNljsc=,iv:1N/N2RUQ++rAWw4VNQzhee2aV9LzOJym6cyM6CAnZUU=,tag:o7dblJrIAPd4/S8X2LKdcQ==,type:str]
invidious: ENC[AES256_GCM,data:r/Jzs7U1fkCi2j5L/tOcBfakR3virj8HGrDrVZdP7VwubG4BJLvoeb14eJo=,iv:3plNFOds+HeF0HAliedczpNgPL4ZgqhCOwqbnb2e8Ag=,tag:DHm/KM9UuPiqaRxqNDb7QA==,type:str]
nextcloud: ENC[AES256_GCM,data:E1tD6Z2SDbi5TUDAACjXSJJIn+/ySu0+8xhvRVFxumxjex4ZsEw+mofKIxM=,iv:E4iPVF3M8GOoQghVQtn/kCEpXl0b8MueCbtyvzFM8AA=,tag:IF4kWOuTsylqrXMoXzQaVQ==,type:str]
headscale: ENC[AES256_GCM,data:UVPCZjcpm9j2dMwyAvrPfwOj84JJHrwoU5rs672FEeA=,iv:zq3J4mL/PB3EAl8LHxxC77Y4FMrZWT4QF+DOih+FIGk=,tag:UwfjKnjfJ3a6RwAWg/8BzQ==,type:str]
grafana: ENC[AES256_GCM,data:bsxzS/xkNdSJvOSQfZY8RRK03ckfKAoYeiZlgrSxXVqTEQ==,iv:wb8bFITgGLToagEczdm7MwUmXl3tyYmrYqSZOblEz0I=,tag:ZboMGI4QdmOK+LVBDCl2Pg==,type:str]
matrix_synapse: ENC[AES256_GCM,data:hLlUeo6glgw1PIo4N9aE7KLg7JV88EcG4IYZwVhs97Y=,iv:c4g33QQ/r54KrBM/zUG/gS9rNQy1OUB4KPSAggkgNvo=,tag:WOezFIPE89+oHKGMrsMSgA==,type:str]
pgadmin:
oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
initialPassword: ENC[AES256_GCM,data:y2ADMtiIO+jIjIQhGKZB43yKcJIouaWagZYe/0K9OoKEGUQq+wXXWA==,iv:oeSzHdaxPj5nN3T+WfCxOq1wkcEDPJCgeh7WOOqs3B0=,tag:r81rysqIjsiCOvyzHiAV6Q==,type:str]
paperless:
password: ENC[AES256_GCM,data:8ut0DX8NajIy/WUwd3eBrFiGwsTMTYKWaPDy7kGytt8=,iv:q2hTmQsS4kBLZ4I7nRljstHlqELsGBYqf5yifFh3vNY=,tag:eJj+DXU898frl6+IoBsSPQ==,type:str]
matrix_synapse:
@ -70,8 +67,8 @@ sops:
cElPYm5qK2lkTWZ1UGd6TU1NV2h4OTgK8Ecv58Ybnc6iYMjtSKTT1fYbNf4yyFgX
rjQ2sU8Rqc04MqixnAkF2zSDaaJ0vqwf22MvbO3bYhpqOHwiTMbRLg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-23T05:31:44Z"
mac: ENC[AES256_GCM,data:BmSIU2VYYhetuQ5ooBr8y+YSTJnUoglGaVfOzW+Hx+qNDDR+PHHoOSHnciuQonMjQz1KX4lBmxAYKyeOi7ZjyZe7kYYPMcOkHZjYk+GihXJ2ncCnK+dyoPVMGfe2oR38cnilI8YcczuQDGLfkuBT08lSbzV+LMtTQXBQoOlgmM0=,iv:2Uflf2ShABEImYjqRQ5piuB5Y5kJ7IIME/8zdmewgBI=,tag:thuF8OWuAs5t8mNpKmVK7w==,type:str]
lastmodified: "2024-06-09T14:08:52Z"
mac: ENC[AES256_GCM,data:+gz1Zp4cZ4k81mPVUSjBth/B7Dgc4urOAWmfN9p5qxUEXoiqY1TLImmqr1YGrQE7QHO0VzpEY1UJsDLayMFTQexnI9ePjaws9bJrHndR6wMcuDunyQ9iWgwU3CYPtvX8T4/5lTTswwiWaMRMHR9j3KB43VQ8p/DpMVrZBdGD3Mc=,iv:YRABwve5RYb4npW5eHrqjFDVhs+hq3a8fMueG6aKdD0=,tag:7/+fq26aB0i9+AJfNcuV5A==,type:str]
pgp:
- created_at: "2023-05-08T00:49:52Z"
enc: |