Compare commits
19 Commits
4af33b066d
...
0ea7d0961d
|
@ -37,8 +37,8 @@
|
|||
};
|
||||
|
||||
maunium-stickerpicker = {
|
||||
# url = "git+file:///home/h7x4/git/maunium-stickerpicker-nix";
|
||||
url = "github:h7x4/maunium-stickerpicker-nix/project-rewrite";
|
||||
url = "github:h7x4/maunium-stickerpicker-nix/0.1.0";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
minecraft = {
|
||||
|
@ -99,8 +99,8 @@
|
|||
config.allowUnfree = true;
|
||||
};
|
||||
in [
|
||||
(self: super: { pgadmin4 = nonrecursive-unstable-pkgs.pgadmin4; })
|
||||
# (self: super: { pcloud = nonrecursive-unstable-pkgs.pcloud; })
|
||||
minecraft.overlays.default
|
||||
osuchan.overlays.default
|
||||
(self: super: {
|
||||
mpv-unwrapped = super.mpv-unwrapped.override {
|
||||
|
|
|
@ -6,7 +6,6 @@ in [
|
|||
(short "tr" "Translate" "https://translate.google.no/?hl=no")
|
||||
(short "gm" "Gmail" "https://mail.google.com/mail/u/0/#inbox")
|
||||
(short "辞書" "Jisho" "https://jisho.org/?color_theme=dark")
|
||||
(short "Gitea" "Gitea - nani.wtf" "https://git.nani.wtf/explore/repos")
|
||||
(link "GitHub" "http://github.com")
|
||||
(short "/u/" "danger/u/" "https://dangeru.us/")
|
||||
(link "PVV" "https://www.pvv.ntnu.no/")
|
||||
|
@ -99,7 +98,6 @@ in [
|
|||
(link "WWW" "https://www.nani.wtf/")
|
||||
(link "MAdmin" "https://madmin.nani.wtf")
|
||||
(link "Git" "https://git.nani.wtf/explore/repos/")
|
||||
(link "Hydra" "https://hydra.nani.wtf/")
|
||||
(link "Docs" "https://docs.nani.wtf/")
|
||||
(link "Grafana" "https://log.nani.wtf/")
|
||||
])
|
||||
|
|
|
@ -7,20 +7,15 @@
|
|||
|
||||
./services/atuin.nix
|
||||
./services/borg.nix
|
||||
./services/gitea
|
||||
./services/gitea-runners.nix
|
||||
./services/grafana
|
||||
./services/headscale.nix
|
||||
./services/hedgedoc.nix
|
||||
./services/hydra.nix
|
||||
./services/invidious.nix
|
||||
./services/jupyter.nix
|
||||
./services/kanidm.nix
|
||||
./services/matrix
|
||||
./services/minecraft
|
||||
./services/navidrome.nix
|
||||
./services/nginx
|
||||
./services/osuchan.nix
|
||||
./services/pgadmin.nix
|
||||
./services/plex.nix
|
||||
./services/postgres.nix
|
||||
./services/samba.nix
|
||||
|
|
|
@ -13,7 +13,6 @@ in {
|
|||
in {
|
||||
postgres = createJob config.services.postgresqlBackup.location "postgres";
|
||||
minecraft = createJob config.services.minecraft-servers.dataDir "minecraft";
|
||||
gitea = createJob config.services.gitea.dump.backupDir "gitea";
|
||||
};
|
||||
|
||||
systemd.services = lib.mkMerge ((lib.flip map) (builtins.attrNames cfg.jobs) (name: {
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
virtualisation.podman.enable = true;
|
||||
virtualisation.podman.autoPrune.enable = true;
|
||||
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ];
|
||||
|
||||
sops.secrets."gitea/runners/ping".restartUnits = [ "gitea-runner-ping.service" ];
|
||||
sops.secrets."gitea/runners/pong".restartUnits = [ "gitea-runner-pong.service" ];
|
||||
|
||||
services.gitea-actions-runner.instances = let
|
||||
mkRunner = name: {
|
||||
${name} = {
|
||||
enable = true;
|
||||
name = "git-runner-${name}";
|
||||
url = "https://git.pvv.ntnu.no";
|
||||
labels = [
|
||||
"debian-latest:docker://node:latest"
|
||||
"ubuntu-latest:docker://node:latest"
|
||||
"debian-latest-personal:docker://node:latest"
|
||||
"ubuntu-latest-personal:docker://node:latest"
|
||||
];
|
||||
tokenFile = config.sops.secrets."gitea/runners/${name}".path;
|
||||
};
|
||||
};
|
||||
in lib.foldl (a: b: a // b) { } [
|
||||
(mkRunner "ping")
|
||||
(mkRunner "pong")
|
||||
];
|
||||
}
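Review bot: All four runner labels in `mkRunner` resolve to `docker://node:latest`, a mutable tag, so the image that executes jobs handed out by `https://git.pvv.ntnu.no` can change underneath this host without any change to this file or to the flake lock. Pinning each label to a fixed release, e.g. `"debian-latest:docker://node:<PINNED_TAG>"` (placeholder value; a digest reference is stricter if the runner accepts one), keeps the job environment reproducible and reviewable like the rest of the configuration. The `ubuntu-latest*` labels point at the same `node` image, so a workflow that asks for Ubuntu gets a different base without any indication; a comment such as `# ubuntu-* labels are aliases for the node image, not an Ubuntu base` above the list would make that explicit.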
|
|
@ -1,151 +0,0 @@
|
|||
{ config, pkgs, unstable-pkgs, lib, secrets, ... }: let
|
||||
cfg = config.services.gitea;
|
||||
in {
|
||||
security.pam.services."gitea".unixAuth = true;
|
||||
|
||||
users.users.git = {
|
||||
description = "Gitea service";
|
||||
home = config.services.gitea.stateDir;
|
||||
useDefaultShell = true;
|
||||
|
||||
group = "gitea";
|
||||
isSystemUser = true;
|
||||
uid = config.ids.uids.git;
|
||||
packages = with unstable-pkgs; [ gitea ];
|
||||
};
|
||||
|
||||
users.groups."gitea".members = [ "nginx" ];
|
||||
|
||||
sops.secrets."postgres/gitea" = rec {
|
||||
restartUnits = [ "gitea.service" ];
|
||||
owner = config.services.gitea.user;
|
||||
group = config.users.users.${owner}.group;
|
||||
};
|
||||
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
user = "git";
|
||||
package = unstable-pkgs.gitea;
|
||||
|
||||
dump = {
|
||||
enable = true;
|
||||
interval = "weekly";
|
||||
backupDir = "/data/backup/gitea";
|
||||
};
|
||||
|
||||
database = {
|
||||
user = "gitea";
|
||||
type = "postgres";
|
||||
socket = "/var/run/postgresql";
|
||||
createDatabase = false;
|
||||
passwordFile = config.sops.secrets."postgres/gitea".path;
|
||||
};
|
||||
|
||||
settings = {
|
||||
server = {
|
||||
PROTOCOL = "http+unix";
|
||||
HTTP_ADDR = "/run/gitea/gitea.sock";
|
||||
BUILTIN_SSH_SERVER_USER="git";
|
||||
LANDING_PAGE = "/explore/repos";
|
||||
ROOT_URL = "https://git.nani.wtf/";
|
||||
DOMAIN = "git.nani.wtf";
|
||||
};
|
||||
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
session.COOKIE_SECURE = true;
|
||||
metrics.ENABLED = true;
|
||||
|
||||
oauth2_client = {
|
||||
ENABLE_AUTO_REGISTRATION = true;
|
||||
OPENID_CONNECT_SCOPES = "email profile";
|
||||
UPDATE_AVATAR = true;
|
||||
ACCOUNT_LINKING = "auto";
|
||||
USERNAME = "userid";
|
||||
};
|
||||
|
||||
log.LEVEL = "Info";
|
||||
|
||||
database.LOG_SQL = false;
|
||||
|
||||
repository.DISABLE_STARS = true;
|
||||
|
||||
ui = {
|
||||
DEFAULT_THEME = "monokai";
|
||||
THEMES = lib.strings.concatStringsSep "," [
|
||||
"gitea"
|
||||
"arc-green"
|
||||
|
||||
# Custom
|
||||
"monokai"
|
||||
];
|
||||
};
|
||||
|
||||
"ui.svg".RENDER = true;
|
||||
|
||||
indexer.REPO_INDEXER_ENABLED = true;
|
||||
mailer = {
|
||||
ENABLED = true;
|
||||
FROM = "gitea@nani.wtf";
|
||||
};
|
||||
|
||||
# Looking forward to the day I can uncomment this line
|
||||
# federation.ENABLED = true;
|
||||
packages.ENABLED = false;
|
||||
|
||||
# TODO: fix
|
||||
|
||||
# markup = let
|
||||
# docutils = pkgs.python37.withPackages (ps: with ps; [
|
||||
# docutils # Provides rendering of ReStructured Text files
|
||||
# pygments # Provides syntax highlighting
|
||||
# ]);
|
||||
# in {
|
||||
# restructuredtext = {
|
||||
# ENABLED = true;
|
||||
# FILE_EXTENSIONS = ".rst";
|
||||
# RENDER_COMMAND = "${docutils}/bin/rst2html.py";
|
||||
# IS_INPUT_FILE = false;
|
||||
# };
|
||||
# asciidoc = {
|
||||
# ENABLED = true;
|
||||
# FILE_EXTENSIONS = ".adoc,.asciidoc";
|
||||
# RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor -e -a leveloffset=-1 --out-file=- -";
|
||||
# IS_INPUT_FILE = false;
|
||||
# };
|
||||
# };
|
||||
};
|
||||
};
|
||||
|
||||
system.activationScripts.linkGiteaThemes.text = let
|
||||
themes = pkgs.stdenv.mkDerivation {
|
||||
pname = "gitea-themes";
|
||||
version = "1.0.0";
|
||||
src = ./themes;
|
||||
|
||||
buildInputs = with pkgs; [ lessc ];
|
||||
buildPhase = ''
|
||||
mkdir out
|
||||
for f in $(find -name 'theme-*.less')
|
||||
do
|
||||
lessc $f out/''${f%.less}.css
|
||||
done;
|
||||
'';
|
||||
installPhase = "mv out $out";
|
||||
};
|
||||
cssParentPath = "${config.services.gitea.stateDir}/custom/public";
|
||||
cssPath = "${cssParentPath}/css";
|
||||
in ''
|
||||
if [[ ! -e "${cssPath}" ]]; then
|
||||
printf "creating symlink at %s...\n" "${cssPath}"
|
||||
mkdir -p "${cssParentPath}"
|
||||
ln -s "${themes}" "${cssPath}"
|
||||
elif [ -L "${cssPath}" ]; then
|
||||
printf "replacing symlink at %s...\n" "${cssPath}"
|
||||
rm ${cssPath}
|
||||
ln -s "${themes}" "${cssPath}"
|
||||
else
|
||||
printf "ERROR: %s already exists and it is not a symlink\n" "${cssPath}"
|
||||
_localstatus=1;
|
||||
fi
|
||||
'';
|
||||
}
|
|
@ -1,832 +0,0 @@
|
|||
// This is only a rough approximation, and needs a lot of polishing.
|
||||
|
||||
// 'mk' is a prefix 'for monokai'
|
||||
|
||||
@mk-bg-dark: #1e1f1c;
|
||||
|
||||
@mk-bg0: #272820;
|
||||
@mk-bg1: #3e3d32;
|
||||
@mk-bg2: #75715e;
|
||||
|
||||
@mk-fg0: #f8f8f2;
|
||||
@mk-fg1: #cfcfc2;
|
||||
|
||||
@mk-red: #f92672;
|
||||
@mk-green: #a6e22e;
|
||||
@mk-blue: #66d9ef;
|
||||
@mk-violet: #ae81ff;
|
||||
@mk-cyan: #a1efe4;
|
||||
@mk-magenta: #fd5ff0;
|
||||
@mk-yellow: #e6db74;
|
||||
|
||||
|
||||
// Extra additions
|
||||
@mk-orange: #fd971f;
|
||||
@mk-forest-green: #2d693b;
|
||||
@mk-success-green: #21ba45;
|
||||
@mk-error-red: #ff4433;
|
||||
|
||||
@primary: @mk-green;
|
||||
|
||||
/* @import "../chroma/dark.less"; */
|
||||
// Code higlighting colors
|
||||
|
||||
.chroma .hl { background-color: #3f424d; } /* LineHighlight */
|
||||
.chroma .lnt { color: @mk-fg1; } /* LineNumbersTable */
|
||||
.chroma .ln { color: @mk-fg1; } /* LineNumbers */
|
||||
.chroma .k { color: @mk-red; } /* Keyword */
|
||||
.chroma .kc { color: @mk-red; } /* KeywordConstant */
|
||||
.chroma .kd { color: @mk-red; } /* KeywordDeclaration */
|
||||
.chroma .kn { color: @mk-orange; } /* KeywordNamespace */
|
||||
.chroma .kp { color: @mk-red; } /* KeywordPseudo */
|
||||
.chroma .kr { color: @mk-red; } /* KeywordReserved */
|
||||
.chroma .kt { color: @mk-blue; } /* KeywordType */
|
||||
.chroma .n { color: @mk-green; } /* Generic Name */
|
||||
.chroma .na { color: @mk-fg0; } /* NameAttribute */
|
||||
.chroma .nb { color: @mk-red; } /* NameBuiltin */
|
||||
.chroma .bp { color: @mk-red; } /* NameBuiltinPseudo */
|
||||
.chroma .nc { color: @mk-blue; } /* NameClass */
|
||||
.chroma .no { color: @mk-violet; } /* NameConstant */
|
||||
.chroma .nd { color: @mk-violet; } /* NameDecorator */
|
||||
.chroma .ni { color: @mk-violet; } /* NameEntity */
|
||||
.chroma .ne { color: @mk-violet; } /* NameException */
|
||||
.chroma .nf { color: @mk-green; } /* NameFunction */
|
||||
.chroma .nl { color: @mk-orange; } /* NameLabel */
|
||||
.chroma .nn { color: @mk-cyan; } /* NameNamespace */
|
||||
.chroma .nx { color: @mk-blue; } /* NameOther */
|
||||
.chroma .nt { color: @mk-red; } /* NameTag */
|
||||
.chroma .nv { color: @mk-fg0; } /* NameVariable */
|
||||
.chroma .vc { color: @mk-fg0; } /* NameVariableClass */
|
||||
.chroma .vg { color: @mk-fg0; } /* NameVariableGlobal */
|
||||
.chroma .vi { color: @mk-fg0; } /* NameVariableInstance */
|
||||
.chroma .s { color: @mk-yellow; } /* LiteralString */
|
||||
.chroma .sa { color: @mk-yellow; } /* LiteralStringAffix */
|
||||
.chroma .sb { color: @mk-yellow; } /* LiteralStringBacktick */
|
||||
.chroma .sc { color: @mk-yellow; } /* LiteralStringChar */
|
||||
.chroma .dl { color: @mk-yellow; } /* LiteralStringDelimiter */
|
||||
.chroma .sd { color: @mk-yellow; } /* LiteralStringDoc */
|
||||
.chroma .s2 { color: @mk-yellow; } /* LiteralStringDouble */
|
||||
.chroma .se { color: @mk-orange; } /* LiteralStringEscape */
|
||||
.chroma .sh { color: @mk-yellow; } /* LiteralStringHeredoc */
|
||||
.chroma .si { color: @mk-yellow; } /* LiteralStringInterpol */
|
||||
.chroma .sx { color: @mk-yellow; } /* LiteralStringOther */
|
||||
.chroma .sr { color: @mk-orange; } /* LiteralStringRegex */
|
||||
.chroma .s1 { color: @mk-yellow; } /* LiteralStringSingle */
|
||||
.chroma .ss { color: @mk-yellow; } /* LiteralStringSymbol */
|
||||
.chroma .m { color: @mk-cyan; } /* LiteralNumber */
|
||||
.chroma .mb { color: @mk-cyan; } /* LiteralNumberBin */
|
||||
.chroma .mf { color: @mk-cyan; } /* LiteralNumberFloat */
|
||||
.chroma .mh { color: @mk-cyan; } /* LiteralNumberHex */
|
||||
.chroma .mi { color: @mk-cyan; } /* LiteralNumberInteger */
|
||||
.chroma .il { color: @mk-cyan; } /* LiteralNumberIntegerLong */
|
||||
.chroma .mo { color: @mk-cyan; } /* LiteralNumberOct */
|
||||
.chroma .o { color: @mk-red; } /* Operator */
|
||||
.chroma .ow { color: @mk-red; } /* OperatorWord */
|
||||
.chroma .c { color: @mk-bg2; } /* Comment */
|
||||
.chroma .ch { color: @mk-bg2; } /* CommentHashbang */
|
||||
.chroma .cm { color: @mk-bg2; } /* CommentMultiline */
|
||||
.chroma .c1 { color: @mk-bg2; } /* CommentSingle */
|
||||
.chroma .cs { color: lighten(@mk-bg2, 10%); } /* CommentSpecial */
|
||||
.chroma .cp { color: lighten(@mk-red, 20%); } /* CommentPreproc */
|
||||
.chroma .cpf { color: @mk-yellow; } /* CommentPreprocFile */
|
||||
|
||||
// TODO:
|
||||
.chroma .gd { color: #fff; background-color: #5f3737; } /* GenericDeleted */
|
||||
.chroma .ge { color: #ef5; } /* GenericEmph */
|
||||
.chroma .gr { color: #f33; } /* GenericError */
|
||||
.chroma .gh { color: #fa1; } /* GenericHeading */
|
||||
.chroma .gi { color: #fff; background-color: #3a523a; } /* GenericInserted */
|
||||
.chroma .go { color: #888888; } /* GenericOutput */
|
||||
.chroma .gp { color: #555555; } /* GenericPrompt */
|
||||
.chroma .gu { color: #9daccc; } /* GenericSubheading */
|
||||
.chroma .gt { color: #f63; } /* GenericTraceback */
|
||||
.chroma .w { color: #bbbbbb; } /* TextWhitespace */
|
||||
|
||||
/* @import "../codemirror/dark.less"; */
|
||||
// what is this?
|
||||
|
||||
.CodeMirror {
|
||||
&.cm-s-default,
|
||||
&.cm-s-paper {
|
||||
.cm-property {
|
||||
color: #a0cc75;
|
||||
}
|
||||
|
||||
.cm-header {
|
||||
color: #9daccc;
|
||||
}
|
||||
|
||||
.cm-quote {
|
||||
color: #009900;
|
||||
}
|
||||
|
||||
.cm-keyword {
|
||||
color: #cc8a61;
|
||||
}
|
||||
|
||||
.cm-atom {
|
||||
color: #ef5e77;
|
||||
}
|
||||
|
||||
.cm-number {
|
||||
color: #ff5656;
|
||||
}
|
||||
|
||||
.cm-def {
|
||||
color: #e4e4e4;
|
||||
}
|
||||
|
||||
.cm-variable-2 {
|
||||
color: #00bdbf;
|
||||
}
|
||||
|
||||
.cm-variable-3 {
|
||||
color: #008855;
|
||||
}
|
||||
|
||||
.cm-comment {
|
||||
color: #8e9ab3;
|
||||
}
|
||||
|
||||
.cm-string {
|
||||
color: #a77272;
|
||||
}
|
||||
|
||||
.cm-string-2 {
|
||||
color: #ff5500;
|
||||
}
|
||||
|
||||
.cm-meta,
|
||||
.cm-qualifier {
|
||||
color: #ffb176;
|
||||
}
|
||||
|
||||
.cm-builtin {
|
||||
color: #b7c951;
|
||||
}
|
||||
|
||||
.cm-bracket {
|
||||
color: #999977;
|
||||
}
|
||||
|
||||
.cm-tag {
|
||||
color: #f1d273;
|
||||
}
|
||||
|
||||
.cm-attribute {
|
||||
color: #bfcc70;
|
||||
}
|
||||
|
||||
.cm-hr {
|
||||
color: #999999;
|
||||
}
|
||||
|
||||
.cm-url {
|
||||
color: #c5cfd0;
|
||||
}
|
||||
|
||||
.cm-link {
|
||||
color: #d8c792;
|
||||
}
|
||||
|
||||
.cm-error {
|
||||
color: #dbdbeb;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* theme */
|
||||
|
||||
:root {
|
||||
--is-dark-theme: true;
|
||||
--color-primary: @primary;
|
||||
--color-primary-dark-1: lighten(@primary, 10%);
|
||||
--color-primary-dark-2: lighten(@primary, 15%);
|
||||
--color-primary-dark-3: lighten(@primary, 20%);
|
||||
--color-primary-dark-4: lighten(@primary, 25%);
|
||||
--color-primary-dark-5: lighten(@primary, 40%);
|
||||
--color-primary-dark-6: lighten(@primary, 60%);
|
||||
--color-primary-dark-7: lighten(@primary, 80%);
|
||||
--color-primary-light-1: darken(@primary, 10%);
|
||||
--color-primary-light-2: darken(@primary, 15%);
|
||||
--color-primary-light-3: darken(@primary, 20%);
|
||||
--color-primary-light-4: darken(@primary, 25%);
|
||||
--color-primary-light-5: darken(@primary, 40%);
|
||||
--color-primary-light-6: darken(@primary, 60%);
|
||||
--color-primary-light-7: darken(@primary, 80%);
|
||||
--color-primary-alpha-10: fade(@primary, 10%);
|
||||
--color-primary-alpha-20: fade(@primary, 20%);
|
||||
--color-primary-alpha-30: fade(@primary, 30%);
|
||||
--color-primary-alpha-40: fade(@primary, 40%);
|
||||
--color-primary-alpha-50: fade(@primary, 50%);
|
||||
--color-primary-alpha-60: fade(@primary, 60%);
|
||||
--color-primary-alpha-70: fade(@primary, 70%);
|
||||
--color-primary-alpha-80: fade(@primary, 80%);
|
||||
--color-primary-alpha-90: fade(@primary, 90%);
|
||||
--color-secondary: #454a57;
|
||||
--color-secondary-dark-1: #505665;
|
||||
--color-secondary-dark-2: #5b6273;
|
||||
--color-secondary-dark-3: #71798e;
|
||||
--color-secondary-dark-4: #7f8699;
|
||||
--color-secondary-dark-5: #8c93a4;
|
||||
--color-secondary-dark-6: #9aa0af;
|
||||
--color-secondary-dark-7: #a8adba;
|
||||
--color-secondary-dark-8: #b6bac5;
|
||||
--color-secondary-dark-9: #c4c7d0;
|
||||
--color-secondary-dark-10: #d2d4db;
|
||||
--color-secondary-dark-11: #dfe1e6;
|
||||
--color-secondary-dark-12: #edeef1;
|
||||
--color-secondary-dark-13: #fbfbfc;
|
||||
--color-secondary-light-1: #373b46;
|
||||
--color-secondary-light-2: #292c34;
|
||||
--color-secondary-light-3: #1c1e23;
|
||||
--color-secondary-light-4: #0e0f11;
|
||||
--color-secondary-alpha-10: #454a5719;
|
||||
--color-secondary-alpha-20: #454a5733;
|
||||
--color-secondary-alpha-30: #454a574b;
|
||||
--color-secondary-alpha-40: #454a5766;
|
||||
--color-secondary-alpha-50: #454a5780;
|
||||
--color-secondary-alpha-60: #454a5799;
|
||||
--color-secondary-alpha-70: #454a57b3;
|
||||
--color-secondary-alpha-80: #454a57cc;
|
||||
--color-secondary-alpha-90: #454a57e1;
|
||||
/* colors */
|
||||
--color-red: #db2828;
|
||||
--color-orange: #f2711c;
|
||||
--color-yellow: #fbbd08;
|
||||
--color-olive: #b5cc18;
|
||||
--color-green: #21ba45;
|
||||
--color-teal: #00b5ad;
|
||||
--color-blue: #2185d0;
|
||||
--color-violet: #6435c9;
|
||||
--color-purple: #a333c8;
|
||||
--color-pink: #e03997;
|
||||
--color-brown: #a5673f;
|
||||
--color-grey: #767a85;
|
||||
--color-black: #1e222e;
|
||||
--color-gold: #a1882b;
|
||||
--color-white: #ffffff;
|
||||
|
||||
--color-diff-removed-word-bg: @mk-red;
|
||||
--color-diff-added-word-bg: @mk-green;
|
||||
--color-diff-removed-row-bg: #3c2626;
|
||||
--color-diff-moved-row-bg: #818044;
|
||||
--color-diff-added-row-bg: #283e2d;
|
||||
--color-diff-removed-row-border: #634343;
|
||||
--color-diff-moved-row-border: #bcca6f;
|
||||
--color-diff-added-row-border: #314a37;
|
||||
--color-diff-inactive: #353846;
|
||||
|
||||
--color-error-border: darken(@mk-error-red, 20%);
|
||||
--color-error-bg: @mk-bg-dark;
|
||||
--color-error-text: @mk-error-red;
|
||||
--color-success-border: darken(@mk-success-green, 20%);
|
||||
--color-success-bg: @mk-bg-dark;
|
||||
--color-success-text: @mk-success-green;
|
||||
--color-warning-border: darken(@mk-orange, 20%);
|
||||
--color-warning-bg: @mk-bg-dark;
|
||||
--color-warning-text: @mk-orange;
|
||||
--color-info-border: darken(@mk-blue, 20%);
|
||||
--color-info-bg: @mk-bg-dark;
|
||||
--color-info-text: @mk-blue;
|
||||
/* target-based colors */
|
||||
--color-body: @mk-bg0;
|
||||
--color-box-header: @mk-bg-dark;
|
||||
--color-box-body: @mk-bg-dark;
|
||||
--color-text-dark: lighten(@mk-fg0, 10%);
|
||||
--color-text: @mk-fg0;
|
||||
--color-text-light: @mk-fg1;
|
||||
--color-text-light-2: @mk-fg1;
|
||||
--color-text-light-3: @mk-fg1;
|
||||
--color-footer: @mk-bg1;
|
||||
--color-timeline: #4c525e;
|
||||
--color-input-text: @mk-fg1;
|
||||
--color-input-background: @mk-bg-dark;
|
||||
--color-input-border: @mk-bg1;
|
||||
--color-input-border-hover: @mk-bg2;
|
||||
--color-navbar: @mk-bg1;
|
||||
--color-navbar-transparent: fade(@mk-bg1, 0%);
|
||||
--color-light: #00000028;
|
||||
--color-light-mimic-enabled: rgba(0, 0, 0, calc(40 / 255 * 222 / 255 / var(--opacity-disabled)));
|
||||
--color-light-border: #ffffff28;
|
||||
--color-hover: #ffffff10;
|
||||
--color-active: #ffffff16;
|
||||
--color-menu: @mk-bg-dark;
|
||||
--color-card: @mk-bg1;
|
||||
--color-markup-table-row: lighten(@mk-bg-dark, 5%);
|
||||
--color-markup-code-block: @mk-bg1;
|
||||
--color-button: #353846;
|
||||
--color-code-bg: @mk-bg-dark;
|
||||
--color-code-sidebar-bg: #2e323e;
|
||||
--color-shadow: #00000060;
|
||||
--color-secondary-bg: #2a2e3a;
|
||||
--color-text-focus: #fff;
|
||||
--color-expand-button: #3c404d;
|
||||
--color-placeholder-text: #6a737d;
|
||||
--color-editor-line-highlight: var(--color-primary-light-5);
|
||||
--color-project-board-bg: var(--color-secondary-light-2);
|
||||
--color-caret: var(--color-text); /* should ideally be --color-text-dark, see #15651 */
|
||||
--color-reaction-bg: #ffffff12;
|
||||
--color-reaction-active-bg: var(--color-primary-alpha-40);
|
||||
}
|
||||
|
||||
::-webkit-calendar-picker-indicator {
|
||||
filter: invert(.8);
|
||||
}
|
||||
|
||||
.markup {
|
||||
& h1,
|
||||
& h2 {
|
||||
border-bottom: 1px solid @mk-bg2;
|
||||
}
|
||||
|
||||
& table {
|
||||
& tr
|
||||
{
|
||||
border-top: 1px solid @mk-bg2;
|
||||
}
|
||||
& td,
|
||||
& th {
|
||||
border: 1px solid @mk-bg2 !important;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
.ui {
|
||||
&.card {
|
||||
background: var(--color-card);
|
||||
border: 1px solid @mk-bg1;
|
||||
|
||||
& > .content {
|
||||
border-color: @mk-bg2;
|
||||
}
|
||||
|
||||
& > .extra {
|
||||
border-top-color: @mk-bg2;
|
||||
}
|
||||
}
|
||||
|
||||
&.dropdown .menu,
|
||||
&.menu {
|
||||
background: var(--color-menu);
|
||||
border: 1px solid @mk-bg1;
|
||||
}
|
||||
|
||||
&.segment,
|
||||
&.segments,
|
||||
&.attached.segment,
|
||||
&.attached.header {
|
||||
background: var(--color-box-body);
|
||||
color: var(--color-text);
|
||||
border-color: @mk-bg1;
|
||||
}
|
||||
|
||||
&.repository.list.item:not(:first-child) {
|
||||
border-top: 1px solid @mk-bg2;
|
||||
}
|
||||
|
||||
&.divider {
|
||||
border-bottom-color: @mk-bg2;
|
||||
}
|
||||
|
||||
&.button {
|
||||
background-color: @mk-bg1;
|
||||
}
|
||||
|
||||
&.primary {
|
||||
&.button,
|
||||
&.buttons .button {
|
||||
color: black;
|
||||
background-color: @primary;
|
||||
}
|
||||
|
||||
&.button:hover,
|
||||
&.buttons .button:hover {
|
||||
color: black;
|
||||
background-color: lighten(@primary, 15%);
|
||||
}
|
||||
}
|
||||
|
||||
&.green {
|
||||
&.button,
|
||||
&.buttons .button {
|
||||
color: black;
|
||||
background-color: @mk-success-green;
|
||||
}
|
||||
|
||||
&.button:hover,
|
||||
&.buttons .button:hover {
|
||||
color: black;
|
||||
background-color: lighten(@mk-success-green, 15%);
|
||||
}
|
||||
}
|
||||
|
||||
&.blue {
|
||||
&.button,
|
||||
&.buttons .button {
|
||||
color: black;
|
||||
background-color: @mk-blue;
|
||||
}
|
||||
|
||||
&.button:hover,
|
||||
&.buttons .button:hover {
|
||||
color: black;
|
||||
background-color: lighten(@mk-blue, 15%);
|
||||
}
|
||||
}
|
||||
|
||||
&.red {
|
||||
&.button,
|
||||
&.buttons .button {
|
||||
color: white;
|
||||
background-color: @mk-error-red;
|
||||
}
|
||||
|
||||
&.button:hover,
|
||||
&.buttons .button:hover {
|
||||
color: white;
|
||||
background-color: darken(@mk-error-red, 15%);
|
||||
}
|
||||
}
|
||||
|
||||
&.basic {
|
||||
&.primary {
|
||||
&.button,
|
||||
&.buttons .button {
|
||||
color: black !important;
|
||||
background-color: @primary !important;
|
||||
box-shadow: inset 0 0 0 1px @primary !important;
|
||||
}
|
||||
|
||||
&.button:hover,
|
||||
&.buttons .button:hover {
|
||||
color: black !important;
|
||||
background-color: lighten(@primary, 15%) !important;
|
||||
}
|
||||
}
|
||||
|
||||
&.green {
|
||||
&.button,
|
||||
&.buttons .button {
|
||||
color: black !important;
|
||||
background-color: @mk-success-green !important;
|
||||
box-shadow: inset 0 0 0 1px @mk-success-green !important;
|
||||
}
|
||||
|
||||
&.button:hover,
|
||||
&.buttons .button:hover {
|
||||
color: black !important;
|
||||
background-color: lighten(@mk-success-green, 15%) !important;
|
||||
}
|
||||
}
|
||||
|
||||
&.blue {
|
||||
&.button,
|
||||
&.buttons .button {
|
||||
color: black !important;
|
||||
background-color: @mk-blue !important;
|
||||
box-shadow: inset 0 0 0 1px @mk-blue !important;
|
||||
}
|
||||
|
||||
&.button:hover,
|
||||
&.buttons .button:hover {
|
||||
color: black !important;
|
||||
background-color: lighten(@mk-blue, 15%) !important;
|
||||
}
|
||||
}
|
||||
|
||||
&.red {
|
||||
&.button,
|
||||
&.buttons .button {
|
||||
color: white;
|
||||
background-color: @mk-error-red;
|
||||
}
|
||||
|
||||
&.button:hover,
|
||||
&.buttons .button:hover {
|
||||
color: white;
|
||||
background-color: darken(@mk-error-red, 15%);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
.ui.horizontal.segments > .segment {
|
||||
background-color: @mk-bg-dark;
|
||||
border-color: @mk-bg1;
|
||||
}
|
||||
|
||||
.ui.green.progress .bar {
|
||||
background-color: #668844;
|
||||
}
|
||||
|
||||
.ui.progress.success .bar {
|
||||
background-color: #7b9e57 !important;
|
||||
}
|
||||
|
||||
.repository {
|
||||
&.file.list #repo-files-table tr {
|
||||
background: @mk-bg-dark;
|
||||
&:hover {
|
||||
background-color: lighten(@mk-bg-dark, 20%) !important;
|
||||
}
|
||||
}
|
||||
|
||||
& .navbar .active.item,
|
||||
& .navbar .active.item:hover {
|
||||
border-color: transparent !important;
|
||||
}
|
||||
|
||||
& .diff-stats li {
|
||||
border-color: var(--color-secondary);
|
||||
}
|
||||
|
||||
&.release #release-list {
|
||||
border-top: 1px solid @mk-bg2;
|
||||
& > li .detail .dot {
|
||||
background-color: #505667;
|
||||
border-color: #383c4a;
|
||||
}
|
||||
}
|
||||
|
||||
& .repo-header .ui.huge.breadcrumb.repo-title .repo-header-icon .avatar {
|
||||
color: #2a2e3a;
|
||||
}
|
||||
|
||||
&.labels .ui.basic.black.label {
|
||||
background-color: #bbbbbb !important;
|
||||
}
|
||||
}
|
||||
|
||||
.following.bar.light {
|
||||
background: @mk-bg1;
|
||||
border-color: var(--color-secondary-alpha-40);
|
||||
}
|
||||
|
||||
.following.bar .top.menu a.item:hover {
|
||||
color: #fff;
|
||||
}
|
||||
|
||||
.feeds .list ul li.private {
|
||||
background: #353945;
|
||||
}
|
||||
|
||||
.ui.red.label,
|
||||
.ui.red.labels .label {
|
||||
background-color: #7d3434 !important;
|
||||
border-color: #8a2121 !important;
|
||||
}
|
||||
|
||||
.ui.yellow.label,
|
||||
.ui.yellow.labels .label {
|
||||
border-color: #664d02 !important;
|
||||
background-color: #936e00 !important;
|
||||
}
|
||||
|
||||
.ui.accordion .title:not(.ui) {
|
||||
color: #dbdbdb;
|
||||
}
|
||||
|
||||
.ui.green.label,
|
||||
.ui.green.labels .label,
|
||||
.ui.basic.green.label {
|
||||
background-color: #2d693b !important;
|
||||
border-color: #2d693b !important;
|
||||
}
|
||||
|
||||
.ui.green.labels a.label:hover,
|
||||
.ui.basic.green.labels a.label:hover,
|
||||
a.ui.ui.ui.green.label:hover,
|
||||
a.ui.basic.green.label:hover {
|
||||
background-color: #3d794b !important;
|
||||
border-color: #3d794b !important;
|
||||
color: #fff !important;
|
||||
}
|
||||
|
||||
// .ui.divider:not(.vertical):not(.horizontal) {
|
||||
// border-bottom-color: var(--color-secondary);
|
||||
// border-top-color: transparent;
|
||||
// }
|
||||
|
||||
.form .help {
|
||||
color: @mk-fg1;
|
||||
}
|
||||
|
||||
.ui .text.light.grey {
|
||||
color: #7f8699 !important;
|
||||
}
|
||||
|
||||
.ui.form .fields.error .field textarea,
|
||||
.ui.form .fields.error .field select,
|
||||
.ui.form .fields.error .field input:not([type]),
|
||||
.ui.form .fields.error .field input[type="date"],
|
||||
.ui.form .fields.error .field input[type="datetime-local"],
|
||||
.ui.form .fields.error .field input[type="email"],
|
||||
.ui.form .fields.error .field input[type="number"],
|
||||
.ui.form .fields.error .field input[type="password"],
|
||||
.ui.form .fields.error .field input[type="search"],
|
||||
.ui.form .fields.error .field input[type="tel"],
|
||||
.ui.form .fields.error .field input[type="time"],
|
||||
.ui.form .fields.error .field input[type="text"],
|
||||
.ui.form .fields.error .field input[type="file"],
|
||||
.ui.form .fields.error .field input[type="url"],
|
||||
.ui.form .field.error textarea,
|
||||
.ui.form .field.error select,
|
||||
.ui.form .field.error input:not([type]),
|
||||
.ui.form .field.error input[type="date"],
|
||||
.ui.form .field.error input[type="datetime-local"],
|
||||
.ui.form .field.error input[type="email"],
|
||||
.ui.form .field.error input[type="number"],
|
||||
.ui.form .field.error input[type="password"],
|
||||
.ui.form .field.error input[type="search"],
|
||||
.ui.form .field.error input[type="tel"],
|
||||
.ui.form .field.error input[type="time"],
|
||||
.ui.form .field.error input[type="text"],
|
||||
.ui.form .field.error input[type="file"],
|
||||
.ui.form .field.error input[type="url"] {
|
||||
background-color: @mk-error-red;
|
||||
border: 1px solid darken(@mk-error-red, 30%);
|
||||
color: lighten(@mk-error-red, 90%);
|
||||
}
|
||||
|
||||
.ui.form .field.error select:focus,
|
||||
.ui.form .field.error input:not([type]):focus,
|
||||
.ui.form .field.error input[type="date"]:focus,
|
||||
.ui.form .field.error input[type="datetime-local"]:focus,
|
||||
.ui.form .field.error input[type="email"]:focus,
|
||||
.ui.form .field.error input[type="number"]:focus,
|
||||
.ui.form .field.error input[type="password"]:focus,
|
||||
.ui.form .field.error input[type="search"]:focus,
|
||||
.ui.form .field.error input[type="tel"]:focus,
|
||||
.ui.form .field.error input[type="time"]:focus,
|
||||
.ui.form .field.error input[type="text"]:focus,
|
||||
.ui.form .field.error input[type="file"]:focus,
|
||||
.ui.form .field.error input[type="url"]:focus {
|
||||
background-color: #522;
|
||||
border: 1px solid #a04141;
|
||||
color: #f9cbcb;
|
||||
}
|
||||
|
||||
.ui.search > .results {
|
||||
background: @mk-bg-dark;
|
||||
// border-color: @mk-bg0-dark;
|
||||
}
|
||||
|
||||
.ui.search > .results .result:hover,
|
||||
.ui.category.search > .results .category .result:hover {
|
||||
background: @mk-bg-dark;
|
||||
}
|
||||
|
||||
.ui.search > .results .result .title {
|
||||
color: @mk-fg0;
|
||||
}
|
||||
|
||||
.ui.table {
|
||||
border-color: @mk-bg1;
|
||||
|
||||
thead > tr > th {
|
||||
background: @mk-bg-dark;
|
||||
color: @mk-fg0 !important;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
.overflow.menu .items .item {
|
||||
color: #9d9d9d;
|
||||
}
|
||||
|
||||
.overflow.menu .items .item:hover {
|
||||
color: #dbdbdb;
|
||||
}
|
||||
|
||||
.ui.list > .item > .content {
|
||||
color: var(--color-secondary-dark-6) !important;
|
||||
}
|
||||
|
||||
|
||||
.tag-code,
|
||||
.tag-code td {
|
||||
background: #353945 !important;
|
||||
|
||||
}
|
||||
.tag-code td.lines-num {
|
||||
background-color: #3a3e4c !important;
|
||||
}
|
||||
|
||||
.tag-code td.lines-type-marker,
|
||||
td.blob-hunk {
|
||||
color: #dbdbdb !important;
|
||||
}
|
||||
|
||||
.ui.list .list > .item .header,
|
||||
.ui.list > .item .header {
|
||||
color: #dedede;
|
||||
}
|
||||
|
||||
.ui.list .list > .item .description,
|
||||
.ui.list > .item .description {
|
||||
color: var(--color-secondary-dark-6);
|
||||
}
|
||||
|
||||
.lines-num {
|
||||
color: var(--color-secondary-dark-6) !important;
|
||||
border-color: var(--color-secondary) !important;
|
||||
}
|
||||
|
||||
td.blob-excerpt {
|
||||
background-color: rgba(0, 0, 0, .15);
|
||||
}
|
||||
|
||||
.lines-code.active,
|
||||
.lines-code .active {
|
||||
background: #534d1b !important;
|
||||
}
|
||||
|
||||
.ui.ui.ui.ui.table tr.active,
|
||||
.ui.ui.table td.active {
|
||||
color: #dbdbdb;
|
||||
}
|
||||
|
||||
.ui.active.label {
|
||||
background: #393d4a;
|
||||
border-color: #393d4a;
|
||||
color: #dbdbdb;
|
||||
}
|
||||
|
||||
.ui.header .sub.header {
|
||||
color: var(--color-secondary-dark-6);
|
||||
}
|
||||
|
||||
.ui.dividing.header {
|
||||
border-bottom: 1px solid var(--color-secondary);
|
||||
}
|
||||
|
||||
.ui.modal > .header {
|
||||
background: var(--color-secondary);
|
||||
color: #dbdbdb;
|
||||
}
|
||||
|
||||
.ui.modal > .actions {
|
||||
background: var(--color-secondary);
|
||||
border-color: var(--color-secondary);
|
||||
}
|
||||
|
||||
.ui.modal > .content {
|
||||
background: #383c4a;
|
||||
}
|
||||
|
||||
.minicolors-panel {
|
||||
background: var(--color-secondary) !important;
|
||||
border-color: #6a737d !important;
|
||||
}
|
||||
|
||||
/* invert emojis that are hard to read otherwise */
|
||||
.emoji[aria-label="check mark"],
|
||||
.emoji[aria-label="currency exchange"],
|
||||
.emoji[aria-label="TOP arrow"],
|
||||
.emoji[aria-label="END arrow"],
|
||||
.emoji[aria-label="ON! arrow"],
|
||||
.emoji[aria-label="SOON arrow"],
|
||||
.emoji[aria-label="heavy dollar sign"],
|
||||
.emoji[aria-label="copyright"],
|
||||
.emoji[aria-label="registered"],
|
||||
.emoji[aria-label="trade mark"],
|
||||
.emoji[aria-label="multiply"],
|
||||
.emoji[aria-label="plus"],
|
||||
.emoji[aria-label="minus"],
|
||||
.emoji[aria-label="divide"],
|
||||
.emoji[aria-label="curly loop"],
|
||||
.emoji[aria-label="double curly loop"],
|
||||
.emoji[aria-label="wavy dash"],
|
||||
.emoji[aria-label="paw prints"],
|
||||
.emoji[aria-label="musical note"],
|
||||
.emoji[aria-label="musical notes"] {
|
||||
filter: invert(100%) hue-rotate(180deg);
|
||||
}
|
||||
|
||||
.edit-diff > div > .ui.table {
|
||||
border-left-color: var(--color-secondary) !important;
|
||||
border-right-color: var(--color-secondary) !important;
|
||||
}
|
||||
|
||||
footer .container .links > * {
|
||||
border-left-color: #888;
|
||||
}
|
||||
|
||||
.tribute-container {
|
||||
box-shadow: 0 .25rem .5rem rgba(0, 0, 0, .6);
|
||||
}
|
||||
|
||||
|
||||
img[src$="/img/matrix.svg"] {
|
||||
filter: invert(80%);
|
||||
}
|
||||
|
||||
.is-loading::after {
|
||||
border-color: #4a4c58 #4a4c58 #d7d7da #d7d7da;
|
||||
}
|
||||
|
||||
.markup-block-error {
|
||||
border: 1px solid rgba(121, 71, 66, .5) !important;
|
||||
border-bottom: none !important;
|
||||
}
|
|
@ -1,12 +0,0 @@
|
|||
{ ... }:
|
||||
{
|
||||
# Gitea already exports at /metrics
|
||||
services.prometheus.scrapeConfigs = [{
|
||||
job_name = "gitea";
|
||||
scrape_interval = "15s";
|
||||
metrics_path = "/metrics/gitea";
|
||||
static_configs = [{
|
||||
targets = [ "localhost" ];
|
||||
}];
|
||||
}];
|
||||
}
|
|
@ -2,7 +2,6 @@
|
|||
# TODO: Autogenerate port infrastructure
|
||||
|
||||
imports = [
|
||||
./prometheus-exporters/gitea.nix
|
||||
./prometheus-exporters/hedgedoc.nix
|
||||
./prometheus-exporters/matrix-synapse.nix
|
||||
./prometheus-exporters/minecraft.nix
|
||||
|
|
|
@ -13,7 +13,7 @@ in {
|
|||
};
|
||||
|
||||
services.headscale = {
|
||||
enable = true;
|
||||
enable = false;
|
||||
|
||||
port = 39304;
|
||||
|
||||
|
@ -55,14 +55,10 @@ in {
|
|||
services.postgresql = lib.mkIf cfg.enable {
|
||||
enable = true;
|
||||
ensureDatabases = [ "headscale" ];
|
||||
ensureUsers = [
|
||||
(rec {
|
||||
ensureUsers = [{
|
||||
name = "headscale";
|
||||
ensurePermissions = {
|
||||
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
})
|
||||
];
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
};
|
||||
|
||||
environment.systemPackages = lib.mkIf cfg.enable [ pkgs.headscale ];
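Review bot: `ensureDBOwnership = true` in the new `ensureUsers` entry only changes who owns the `headscale` database; it does not reassign tables or sequences that already exist in it, so anything created by a different role on an existing host (for example during a restore run as the `postgres` superuser) keeps its old owner. Ownership is also a wider right than the `ALL PRIVILEGES` grant it replaces, since the owner may alter or drop the database. I would record that next to the option, e.g. `# owner of the DB only; verify table ownership on hosts provisioned before this change`. The same replacement appears further down in the hedgedoc, nextcloud and vaultwarden hunks and in the two `db = name:` helpers. The enclosing module starts and ends outside this hunk.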
|
||||
|
|
|
@ -53,11 +53,10 @@ in {
|
|||
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "hedgedoc" ];
|
||||
|
||||
ensureUsers = [{
|
||||
name = "hedgedoc";
|
||||
ensurePermissions = {
|
||||
"DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
};
|
||||
|
||||
|
|
|
@ -1,78 +0,0 @@
|
|||
{ pkgs, unstable-pkgs, secrets, ... }:
|
||||
{
|
||||
# Follow instructions for setup:
|
||||
# https://gist.github.com/joepie91/c26f01a787af87a96f967219234a8723
|
||||
services.hydra = {
|
||||
enable = true;
|
||||
hydraURL = "https://hydra.nani.wtf";
|
||||
listenHost = "localhost";
|
||||
notificationSender = "hydra@nani.wtf";
|
||||
useSubstitutes = true;
|
||||
package = unstable-pkgs.hydra_unstable;
|
||||
buildMachinesFiles = [];
|
||||
dbi = "dbi:Pg:dbname=hydra;host=/var/run/postgresql;user=hydra;";
|
||||
};
|
||||
|
||||
systemd.slices.system-hydra = {
|
||||
description = "Nix Hydra slice";
|
||||
requires = [
|
||||
"system.slice"
|
||||
"postgresql.service"
|
||||
];
|
||||
after = [ "system.slice" ];
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
hydra-evaluator.serviceConfig.Slice = "system-hydra.slice";
|
||||
hydra-init.serviceConfig.Slice = "system-hydra.slice";
|
||||
hydra-notify.serviceConfig.Slice = "system-hydra.slice";
|
||||
hydra-queue-runner.serviceConfig.Slice = "system-hydra.slice";
|
||||
hydra-send-stats.serviceConfig.Slice = "system-hydra.slice";
|
||||
hydra-server.serviceConfig.Slice = "system-hydra.slice";
|
||||
};
|
||||
|
||||
systemd.timers = {
|
||||
hydra-check-space.timerConfig.Slice = "system-hydra.slice";
|
||||
hydra-compress-logs.timerConfig.Slice = "system-hydra.slice";
|
||||
hydra-update-gc-roots.timerConfig.Slice = "system-hydra.slice";
|
||||
};
|
||||
|
||||
systemd.services.hydra-server.serviceConfig = {
|
||||
Slice = "system-hydra.slice";
|
||||
ReadOnlyPaths = [
|
||||
"/nix/"
|
||||
"/var/lib/hydra/scm/"
|
||||
];
|
||||
ReadWritePaths = [
|
||||
"/nix/var/nix/gcroots/hydra/"
|
||||
"/nix/var/nix/daemon-socket/socket"
|
||||
];
|
||||
|
||||
LockPersonality = true;
|
||||
# MemoryDenyWriteExecute = false;
|
||||
NoNewPrivileges = true;
|
||||
PermissionsStartOnly = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
# PrivateNetwork=false
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
Restart = "always";
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
# StateDirectory=hydra/www
|
||||
# StateDirectoryMode=700
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "@system-service";
|
||||
};
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
{ config, ... }: let
|
||||
cfg = config.services.invidious;
|
||||
in {
|
||||
sops.secrets."postgres/invidious" = {
|
||||
restartUnits = [ "invidious.service" ];
|
||||
};
|
||||
|
||||
services.invidious = {
|
||||
enable = true;
|
||||
domain = "yt.nani.wtf";
|
||||
|
||||
port = 19283;
|
||||
|
||||
# This will implicitly use unix socket
|
||||
database = {
|
||||
createLocally = true;
|
||||
passwordFile = config.sops.secrets."postgres/invidious".path;
|
||||
};
|
||||
|
||||
settings = {
|
||||
registration_enabled = false;
|
||||
host_binding = "127.0.0.1";
|
||||
# popular_enabled = false;
|
||||
};
|
||||
};
|
||||
|
||||
local.socketActivation.invidious = {
|
||||
enable = cfg.enable;
|
||||
originalSocketAddress = "${cfg.settings.host_binding}:${toString cfg.port}";
|
||||
newSocketAddress = "/run/invidious.sock";
|
||||
privateNamespace = false;
|
||||
};
|
||||
}
|
||||
|
|
@ -1,119 +0,0 @@
|
|||
{ config, pkgs, lib, ... }: let
|
||||
cfg = config.services.jupyter;
|
||||
in {
|
||||
sops.secrets."jupyter/password" = {
|
||||
restartUnits = [ "jupyter.service" ];
|
||||
owner = cfg.user;
|
||||
inherit (cfg) group;
|
||||
};
|
||||
|
||||
users.users."jupyter".group = "jupyter";
|
||||
|
||||
services.jupyter = {
|
||||
enable = true;
|
||||
group = "jupyter";
|
||||
password = let
|
||||
readFile = f: "open('${f}', 'r', encoding='utf8').read().strip()";
|
||||
in
|
||||
readFile config.sops.secrets."jupyter/password".path;
|
||||
|
||||
kernels = {
|
||||
pythonDS = let
|
||||
env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
|
||||
numpy
|
||||
matplotlib
|
||||
ipykernel
|
||||
]));
|
||||
in {
|
||||
displayName = "Python for data science";
|
||||
argv = [
|
||||
"${env.interpreter}"
|
||||
"-m"
|
||||
"ipykernel_launcher"
|
||||
"-f"
|
||||
"{connection_file}"
|
||||
];
|
||||
language = "python";
|
||||
logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png";
|
||||
logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.settings."10-jupyter" = {
|
||||
"/var/lib/jupyter/notebooks".d = {
|
||||
mode = "0700";
|
||||
user = "jupyter";
|
||||
group = "jupyter";
|
||||
};
|
||||
"/var/lib/jupyter/data".d = {
|
||||
mode = "0700";
|
||||
user = "jupyter";
|
||||
group = "jupyter";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.jupyter = let
|
||||
notebookConfig = pkgs.writeText "jupyter_config.py" ''
|
||||
c.NotebookApp.notebook_dir = 'notebooks'
|
||||
c.NotebookApp.open_browser = False
|
||||
c.NotebookApp.password = ${cfg.password}
|
||||
c.NotebookApp.password_required = True
|
||||
|
||||
c.NotebookApp.sock = '/run/jupyter/jupyter.sock'
|
||||
c.NotebookApp.sock_mode = '0660'
|
||||
c.NotebookApp.local_hostnames = ['py.nani.wtf']
|
||||
|
||||
c.ConnectionFileMixin.transport = 'ipc'
|
||||
|
||||
${cfg.notebookConfig}
|
||||
'';
|
||||
in {
|
||||
environment = {
|
||||
JUPYTER_DATA_DIR = "%S/${config.systemd.services.jupyter.serviceConfig.StateDirectory}/data";
|
||||
JUPYTER_RUNTIME_DIR = "%t/${config.systemd.services.jupyter.serviceConfig.RuntimeDirectory}";
|
||||
};
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = "jupyter";
|
||||
StateDirectory = "jupyter";
|
||||
|
||||
# Hardening
|
||||
CapabilityBoundingSet = "";
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0007";
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||
SystemCallArchitectures = "native";
|
||||
|
||||
ExecStart = lib.mkForce ''
|
||||
${cfg.package}/bin/${cfg.command} --NotebookApp.config_file=${notebookConfig}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
local.socketActivation.jupyter = {
|
||||
enable = cfg.enable;
|
||||
originalSocketAddress = "/run/jupyter/jupyter.sock";
|
||||
newSocketAddress = "/run/jupyter.sock";
|
||||
privateNamespace = false;
|
||||
};
|
||||
|
||||
systemd.services.jupyter-proxy.serviceConfig = {
|
||||
User = "jupyter";
|
||||
Group = "jupyter";
|
||||
};
|
||||
}
|
|
@ -1,79 +0,0 @@
|
|||
{ secrets, ... }:
|
||||
{
|
||||
services.mautrix-facebook = {
|
||||
enable = false;
|
||||
configurePostgresql = true;
|
||||
|
||||
registrationData = {
|
||||
# NOTE: This is a randomly generated UUID
|
||||
inherit (secrets.keys.matrix.mautrix-facebook) as_token;
|
||||
inherit (secrets.keys.matrix.mautrix-facebook) hs_token;
|
||||
};
|
||||
|
||||
settings = {
|
||||
homeserver = {
|
||||
# TODO: connect via localhost
|
||||
address = "https://matrix.nani.wtf";
|
||||
domain = "nani.wtf";
|
||||
};
|
||||
|
||||
appservice = rec {
|
||||
address = "http://${hostname}:${toString port}";
|
||||
bot_username = "facebookbot";
|
||||
hostname = "0.0.0.0";
|
||||
|
||||
ephemeral_events = true;
|
||||
|
||||
port = secrets.ports.matrix.mautrix-facebook;
|
||||
inherit (secrets.keys.matrix.mautrix-facebook) as_token;
|
||||
inherit (secrets.keys.matrix.mautrix-facebook) hs_token;
|
||||
};
|
||||
|
||||
bridge = {
|
||||
encryption = {
|
||||
allow = true;
|
||||
default = true;
|
||||
};
|
||||
backfilling = {
|
||||
initial_limit = 8000;
|
||||
};
|
||||
username_template = "facebook_{userid}";
|
||||
sync_with_custom_puppets = false;
|
||||
permissions = {
|
||||
"@h7x4:nani.wtf" = "admin";
|
||||
"nani.wtf" = "user";
|
||||
};
|
||||
};
|
||||
|
||||
logging = {
|
||||
formatters = {
|
||||
journal_fmt = {
|
||||
format = "%(name)s: %(message)s";
|
||||
};
|
||||
};
|
||||
handlers = {
|
||||
journal = {
|
||||
SYSLOG_IDENTIFIER = "mautrix-facebook";
|
||||
class = "systemd.journal.JournalHandler";
|
||||
formatter = "journal_fmt";
|
||||
};
|
||||
};
|
||||
root = {
|
||||
handlers = [
|
||||
"journal"
|
||||
];
|
||||
level = "INFO";
|
||||
};
|
||||
version = 1;
|
||||
};
|
||||
|
||||
manhole = {
|
||||
enabled = false;
|
||||
};
|
||||
|
||||
metrics = {
|
||||
enabled = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,46 +0,0 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
services.mx-puppet-discord = {
|
||||
enable = false;
|
||||
serviceDependencies = [
|
||||
"matrix-synapse.service"
|
||||
"postgresql.service"
|
||||
];
|
||||
|
||||
settings = {
|
||||
|
||||
bridge = {
|
||||
bindAddress = "localhost";
|
||||
domain = "nani.wtf";
|
||||
# TODO: connect via localhost
|
||||
homeserverUrl = "https://matrix.nani.wtf";
|
||||
|
||||
port = 8434;
|
||||
enableGroupSync = true;
|
||||
};
|
||||
|
||||
database.connString = "postgres://mx-puppet-discord:@localhost:${toString config.services.postgresql.port}/mx-puppet-discord?sslmode=disable";
|
||||
|
||||
namePatterns = {
|
||||
room = ":name";
|
||||
user = ":name";
|
||||
userOverride = ":displayname";
|
||||
group = ":name";
|
||||
};
|
||||
|
||||
presence = {
|
||||
enabled = true;
|
||||
interval = 500;
|
||||
};
|
||||
|
||||
logging = {
|
||||
console = "info";
|
||||
lineDateFormat = "MMM-D HH:mm:ss.SSS";
|
||||
};
|
||||
|
||||
provisioning.whitelist = [ "@h7x4:nani\\.wtf" ];
|
||||
relay.whitelist = [ "@h7x4:nani\\.wtf" ];
|
||||
selfService.whitelist = [ "@h7x4:nani\\.wtf" ];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,8 +1,6 @@
|
|||
{ pkgs, lib, config, secrets, ... }: {
|
||||
|
||||
imports = [
|
||||
./bridges/mautrix-facebook.nix
|
||||
./bridges/mx-puppet-discord.nix
|
||||
./bridges/matrix-appservice-irc.nix
|
||||
|
||||
./maunium-stickerpicker.nix
|
||||
|
@ -76,9 +74,6 @@
|
|||
# TODO: Figure out a way to do this declaratively.
|
||||
# The files need to be owned by matrix-synapse
|
||||
app_service_config_files = [
|
||||
"/var/lib/matrix-synapse/discord-registration.yaml"
|
||||
# (pkgs.writeText "facebook-registrations.yaml" (builtins.toJSON config.services.mautrix-facebook.registrationData))
|
||||
"/var/lib/matrix-synapse/facebook-registration.yaml"
|
||||
"/var/lib/matrix-synapse/irc-registration.yml"
|
||||
];
|
||||
|
||||
|
@ -88,6 +83,14 @@
|
|||
};
|
||||
};
|
||||
|
||||
systemd.slices.system-matrix-synapse = {
|
||||
requires = [
|
||||
"postgresql.service"
|
||||
"redis.service"
|
||||
"kanidm.service"
|
||||
];
|
||||
};
|
||||
|
||||
services.redis.servers."".enable = true;
|
||||
|
||||
networking.firewall = {
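Review bot: The new `systemd.slices.system-matrix-synapse` block lists `postgresql.service`, `redis.service` and `kanidm.service` under `requires` only, and `Requires=` pulls units in without ordering them, so units in the slice can be started while those three are still coming up. Adding `after = [ "postgresql.service" "redis.service" "kanidm.service" ];` beside it gives the ordering. Which units are assigned to this slice is not visible in the hunk, so it is worth confirming that a `serviceConfig.Slice` somewhere actually points at `system-matrix-synapse.slice`. The surrounding module starts and ends outside the hunks shown.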
|
||||
|
|
|
@ -8,7 +8,7 @@ in {
|
|||
stickerMatrixDomain = "pingu-stickers.nani.wtf";
|
||||
# These will be defined by `useACMECert` in nginx config
|
||||
enableACME = false;
|
||||
stickerpacks = with stickerpacks; [
|
||||
stickerPacks = with stickerpacks; [
|
||||
dogCatCatgirlSide
|
||||
frownCat1
|
||||
niniCouple1
|
||||
|
@ -23,7 +23,7 @@ in {
|
|||
realMatrixDomain = "matrix.nani.wtf";
|
||||
stickerMatrixDomain = "h7x4-stickers.nani.wtf";
|
||||
enableACME = false;
|
||||
stickerpacks = with stickerpacks; [
|
||||
stickerPacks = with stickerpacks; [
|
||||
dogCatDogboySide
|
||||
niniCouple1
|
||||
niniCouple2
|
||||
|
|
|
@ -5,20 +5,16 @@
|
|||
cfg = config.services;
|
||||
db = name: {
|
||||
inherit name;
|
||||
ensurePermissions = {
|
||||
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureDBOwnership = true;
|
||||
};
|
||||
in {
|
||||
enable = true;
|
||||
|
||||
ensureDatabases =
|
||||
(o cfg.matrix-synapse.enable "matrix-synapse")
|
||||
++ (o cfg.mx-puppet-discord.enable "mx-puppet-discord")
|
||||
++ (o cfg.matrix-appservice-irc.enable "matrix-appservice-irc");
|
||||
ensureUsers =
|
||||
(o cfg.matrix-synapse.enable (db "matrix-synapse"))
|
||||
++ (o cfg.mx-puppet-discord.enable (db "mx-puppet-discord"))
|
||||
++ (o cfg.matrix-appservice-irc.enable (db "matrix-appservice-irc"));
|
||||
};
|
||||
}
|
||||
|
|
|
@ -78,7 +78,7 @@
|
|||
id = "hutao";
|
||||
title = "Hu Tao";
|
||||
stickers = ./json/hutao.json;
|
||||
hash = "sha256-ECEK7bYa9dyPBAi74A/Gjt08MHUBTZHAPzAeusynEjM=";
|
||||
hash = "sha256-953otzYwn6/iOeLYGoMA+wpnH8S7nNqTs/XCLU1eM0E=";
|
||||
};
|
||||
|
||||
pokemonPiplup = {
|
||||
|
|
|
@ -170,9 +170,7 @@ in
|
|||
o = lib.optional;
|
||||
db = name: {
|
||||
inherit name;
|
||||
ensurePermissions = {
|
||||
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureDBOwnership = true;
|
||||
};
|
||||
in {
|
||||
enable = true;
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
{ config, pkgs, ... }: let
|
||||
cfg = config.services.navidrome;
|
||||
in {
|
||||
services.navidrome = {
|
||||
enable = true;
|
||||
settings = {
|
||||
Address = "127.0.0.1";
|
||||
Port = 4533;
|
||||
MusicFolder = "/data2/media/music";
|
||||
Prometheus.Enabled = true;
|
||||
};
|
||||
};
|
||||
|
||||
local.socketActivation.navidrome = {
|
||||
enable = cfg.enable;
|
||||
originalSocketAddress = "${cfg.settings.Address}:${toString cfg.settings.Port}";
|
||||
newSocketAddress = "/run/navidrome.sock";
|
||||
privateNamespace = false;
|
||||
};
|
||||
}
|
|
@ -58,13 +58,9 @@
|
|||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "nextcloud" ];
|
||||
ensureUsers = [
|
||||
(rec {
|
||||
name = "nextcloud";
|
||||
ensurePermissions = {
|
||||
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
})
|
||||
];
|
||||
ensureUsers = [{
|
||||
name = "nextcloud";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -43,18 +43,12 @@
|
|||
in {
|
||||
"atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
|
||||
"dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };
|
||||
"gitea".servers."unix:/run/gitea/gitea.sock" = { };
|
||||
"grafana".servers."unix:/run/grafana/grafana.sock" = { };
|
||||
"headscale".servers."localhost:${s srv.headscale.port}" = { };
|
||||
"hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
|
||||
"hydra".servers."localhost:${s srv.hydra.port}" = { };
|
||||
"idrac".servers."${ips.idrac}" = { };
|
||||
"invidious".servers."unix:${sa.invidious.newSocketAddress}" = { };
|
||||
"jupyter".servers."unix:${sa.jupyter.newSocketAddress}" = { };
|
||||
"kanidm".servers."localhost:8300" = { };
|
||||
"navidrome".servers."unix:${sa.navidrome.newSocketAddress}" = { };
|
||||
"osuchan".servers."localhost:${s ports.osuchan}" = { };
|
||||
"pgadmin".servers."unix:${srv.uwsgi.instance.vassals.pgadmin.socket}" = { };
|
||||
"plex".servers."localhost:${s ports.plex}" = { };
|
||||
"vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
|
||||
};
|
||||
|
@ -69,6 +63,20 @@
|
|||
sha256 = "0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";
|
||||
};
|
||||
|
||||
# nonCFHost =
|
||||
# subdomains: extraSettings: let
|
||||
# settings = with keys.certificates; {
|
||||
# useACMEHost = "nani.wtf";
|
||||
# forceSSL = true;
|
||||
# kTLS = true;
|
||||
# };
|
||||
# in
|
||||
# nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate settings extraSettings);
|
||||
|
||||
# nonCFProxy =
|
||||
# subdomains: url: extraSettings:
|
||||
# nonCFHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
|
||||
|
||||
host =
|
||||
subdomains: extraSettings: let
|
||||
settings = with keys.certificates; {
|
||||
|
@ -117,25 +125,22 @@
|
|||
};
|
||||
}
|
||||
# (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
|
||||
(host ["testmap"] {
|
||||
root = "/var/lib/mcmap";
|
||||
locations = {
|
||||
"~* ^/maps/[^/]*/tiles/[^/]*.json$".extraConfig = ''
|
||||
error_page 404 =200 /assets/emptyTile.json;
|
||||
gzip_static always;
|
||||
'';
|
||||
"~* ^/maps/[^/]*/tiles/[^/]*.png$".tryFiles = "$uri =204";
|
||||
};
|
||||
})
|
||||
(host ["www"] {
|
||||
locations."/" = {
|
||||
tryFiles = "$uri /index.html";
|
||||
root = pkgs.writeTextDir "index.html" (lib.fileContents ./temp-website.html);
|
||||
};
|
||||
})
|
||||
(host ["pg"] {
|
||||
locations."/" = {
|
||||
extraConfig = ''
|
||||
include ${pkgs.nginx}/conf/uwsgi_params;
|
||||
uwsgi_pass pgadmin;
|
||||
'';
|
||||
};
|
||||
})
|
||||
# (proxy ["pg"] "http://localhost:${s ports.pgadmin}" {
|
||||
# extraConfig = ''
|
||||
# proxy_set_header X-CSRF-Token $http_x_pga_csrftoken;
|
||||
# '';
|
||||
# })
|
||||
# (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
|
||||
(host ["matrix"] {
|
||||
enableACME = lib.mkForce false;
|
||||
|
@ -151,17 +156,38 @@
|
|||
(proxy ["auth"] "https://kanidm" { extraConfig = "proxy_ssl_verify off;"; })
|
||||
(proxy ["bw"] "http://vaultwarden" {})
|
||||
(proxy ["docs"] "http://hedgedoc" {})
|
||||
(proxy ["git"] "http://gitea" {})
|
||||
(proxy ["hydra"] "http://hydra" {})
|
||||
(host ["git"] {
|
||||
locations."/".extraConfig = ''
|
||||
location /h7x4 {
|
||||
location ~ /h7x4/(?<project>[a-zA-Z0-9\./_-]*) {
|
||||
return 301 $scheme://git.pvv.ntnu.no/oysteikt/$project;
|
||||
}
|
||||
return 301 $scheme://git.pvv.ntnu.no/oysteikt/;
|
||||
}
|
||||
location ~ /[Ss]chool[Ww]ork {
|
||||
location ~ /[Ss]chool[Ww]ork/(?<project>[a-zA-Z0-9\./_-]*) {
|
||||
return 301 $scheme://git.pvv.ntnu.no/oysteikt-skolearbeid/$project;
|
||||
}
|
||||
return 301 $scheme://git.pvv.ntnu.no/oysteikt-skolearbeid/;
|
||||
}
|
||||
return 301 $scheme://git.pvv.ntnu.no$request_uri;
|
||||
'';
|
||||
})
|
||||
(proxy ["idrac"] "https://idrac" {})
|
||||
(proxy ["log"] "http://grafana" enableWebsockets)
|
||||
(proxy ["map"] "http://dynmap" {})
|
||||
(proxy ["osu"] "http://osuchan" {})
|
||||
(proxy ["plex"] "http://plex" {})
|
||||
(proxy ["mus"] "http://navidrome" enableWebsockets)
|
||||
(proxy ["py"] "http://jupyter" enableWebsockets)
|
||||
(proxy ["vpn"] "http://headscale" enableWebsockets)
|
||||
(proxy ["yt"] "http://invidious" {})
|
||||
# (proxy ["vpn"] "http://headscale" {
|
||||
# locations."/" = {
|
||||
# proxyWebsockets = true;
|
||||
# extraConfig = ''
|
||||
# add_header Access-Control-Allow-Origin *;
|
||||
# add_header Access-Control-Allow-Methods GET,HEAD,POST,OPTIONS;
|
||||
# add_header Access-Control-Max-Age 86400;
|
||||
# '';
|
||||
# };
|
||||
# })
|
||||
|
||||
(host ["h7x4-stickers"] {})
|
||||
(host ["pingu-stickers"] {})
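Review bot: In the new `(host ["git"] …)` block the regex `location ~ /[Ss]chool[Ww]ork` is not anchored, so it matches that text anywhere in the path (for instance `/someone/schoolwork-notes`) and such requests are redirected to `oysteikt-skolearbeid/` instead of reaching the final `$request_uri` redirect. Anchoring it as `location ~ ^/[Ss]chool[Ww]ork(/|$) {`, with `^` on the inner `location` as well, keeps the match to the first path segment. The two `$project` redirects also drop the query string; append `$is_args$args` if links with parameters should survive. The redirect host is fixed and `$project` is limited to a small character class, which keeps the target under the author's control. The list these entries belong to continues outside the hunk.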
|
||||
|
|
|
@ -1,111 +0,0 @@
|
|||
{ config, pkgs, lib, secrets, ... }: let
|
||||
pgadmin-user = let
|
||||
username = config.systemd.services.pgadmin.serviceConfig.User;
|
||||
in config.users.users.${username};
|
||||
in {
|
||||
|
||||
sops.secrets = {
|
||||
"pgadmin/oauth2_secret" = rec {
|
||||
restartUnits = [ "pgadmin.service" ];
|
||||
owner = pgadmin-user.name;
|
||||
group = pgadmin-user.group;
|
||||
};
|
||||
"pgadmin/initialPassword" = rec {
|
||||
restartUnits = [ "pgadmin.service" ];
|
||||
owner = pgadmin-user.name;
|
||||
group = pgadmin-user.group;
|
||||
};
|
||||
};
|
||||
|
||||
services.pgadmin = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
initialEmail = "h7x4@nani.wtf";
|
||||
initialPasswordFile = config.sops.secrets."pgadmin/initialPassword".path;
|
||||
port = secrets.ports.pgadmin;
|
||||
settings = let
|
||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||
in {
|
||||
# FIXME: pgadmin does not work with NFS by default, because it uses
|
||||
# some kind of metafiles in its data directory.
|
||||
# DATA_DIR = "${config.machineVars.dataDrives.default}/var/pgadmin";
|
||||
DATA_DIR = "/var/lib/pgadmin";
|
||||
|
||||
WTF_CSRF_HEADERS = [
|
||||
"X-pgA-CSRFToken"
|
||||
"X-CSRFToken"
|
||||
"X-CSRF-Token"
|
||||
];
|
||||
|
||||
PROXY_X_FOR_COUNT = 1;
|
||||
PROXY_X_PROTO_COUNT = 1;
|
||||
PROXY_X_HOST_COUNT = 1;
|
||||
PROXY_X_PORT_COUNT = 1;
|
||||
PROXY_X_PREFIX_COUNT = 1;
|
||||
|
||||
SESSION_COOKIE_HTTPONLY = false;
|
||||
SESSION_COOKIE_SECURE = true;
|
||||
|
||||
AUTHENTICATION_SOURCES = [ "oauth2" ];
|
||||
OAUTH2_AUTO_CREATE_USER = true;
|
||||
OAUTH2_CONFIG = [ rec {
|
||||
OAUTH2_NAME = "KaniDM";
|
||||
OAUTH2_DISPLAY_NAME = "KaniDM";
|
||||
OAUTH2_CLIENT_ID = "pgadmin";
|
||||
OAUTH2_API_BASE_URL = "${authServerUrl}/oauth2";
|
||||
OAUTH2_TOKEN_URL = "${authServerUrl}/oauth2/token";
|
||||
OAUTH2_AUTHORIZATION_URL = "${authServerUrl}/ui/oauth2";
|
||||
OAUTH2_USERINFO_ENDPOINT = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/userinfo";
|
||||
OAUTH2_SERVER_METADATA_URL = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/.well-known/openid-configuration";
|
||||
OAUTH2_SCOPE = "openid email profile";
|
||||
OAUTH2_ICON = "fa-lock";
|
||||
OAUTH2_BUTTON_COLOR = "#ff6600";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc."pgadmin/config_system.py".text = let
|
||||
in ''
|
||||
with open("${config.sops.secrets."pgadmin/oauth2_secret".path}") as f:
|
||||
OAUTH2_CONFIG[0]['OAUTH2_CLIENT_SECRET'] = f.read()
|
||||
'';
|
||||
|
||||
systemd.services."pgadmin".enable = false;
|
||||
|
||||
users = {
|
||||
users."pgadmin".uid = 985;
|
||||
groups = {
|
||||
"pgadmin" = {
|
||||
gid = 984;
|
||||
members = [
|
||||
"nginx"
|
||||
"uwsgi"
|
||||
];
|
||||
};
|
||||
"uwsgi".members = [ pgadmin-user.name ];
|
||||
};
|
||||
};
|
||||
|
||||
services.uwsgi = {
|
||||
enable = false;
|
||||
plugins = [ "python3" ];
|
||||
instance = {
|
||||
type = "emperor";
|
||||
pidfile = "${config.services.uwsgi.runDir}/uwsgi.pid";
|
||||
stats = "${config.services.uwsgi.runDir}/stats.sock";
|
||||
vassals."pgadmin" = rec {
|
||||
type = "normal";
|
||||
pythonPackages = _: with pkgs; ([ pgadmin4 ] ++ pgadmin4.propagatedBuildInputs);
|
||||
strict = true;
|
||||
immediate-uid = pgadmin-user.name;
|
||||
immediate-gid = pgadmin-user.group;
|
||||
lazy-apps = true;
|
||||
enable-threads = true;
|
||||
# chdir = "${pkgs.pgadmin4}/lib/python3.10/site-packages/pgadmin4";
|
||||
module = "pgAdmin4:app";
|
||||
socket = "/run/user/${toString pgadmin-user.uid}/pgadmin.sock";
|
||||
chmod-socket = 664;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -5,27 +5,4 @@ in {
|
|||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
|
||||
systemd.services.plex.serviceConfig = {
|
||||
ReadWritePaths = [ cfg.dataDir ];
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
PrivateMounts = true;
|
||||
RestrictSUIDSGID = true;
|
||||
ProtectHostname = true;
|
||||
LockPersonality = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectProc = true;
|
||||
ProtectHome = true;
|
||||
# PrivateNetwork = true;
|
||||
PrivateUsers = true;
|
||||
PrivateTmp = true;
|
||||
UMask = "0007";
|
||||
# RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
|
||||
SystemCallArchitectures = "native";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -6,7 +6,6 @@ in {
|
|||
enableTCPIP = true;
|
||||
authentication = pkgs.lib.mkOverride 10 ''
|
||||
local all all trust
|
||||
local hydra all ident map=hydra-users
|
||||
host all all 127.0.0.1/32 trust
|
||||
host all all ::1/128 trust
|
||||
'';
|
||||
|
|
|
@ -15,10 +15,10 @@ in {
|
|||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
WorkingDirectory = "/data/scrapers/nhk-easy-news";
|
||||
BindPaths = [ WorkingDirectory ];
|
||||
# BindPaths = [ WorkingDirectory ];
|
||||
ReadWritePaths = [ WorkingDirectory ];
|
||||
StateDirectory = "nhk-easy-news-scraper";
|
||||
StateDirectoryMode = "0755";
|
||||
# StateDirectory = "nhk-easy-news-scraper";
|
||||
# StateDirectoryMode = "0755";
|
||||
};
|
||||
};
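Review bot: `BindPaths`, `StateDirectory` and `StateDirectoryMode` are left behind as commented-out lines with nothing saying why they were switched off. Either delete them or put the reason in a comment above them, so a later reader does not re-enable them by accident. As far as the hunk shows, with `ProtectSystem = "strict"` the unit's writable area is now whatever `ReadWritePaths` names, which is worth stating there too. The `serviceConfig` block starts outside the hunk.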
|
||||
|
||||
|
|
|
@ -59,14 +59,10 @@ in {
|
|||
services.postgresql = lib.mkIf cfg.enable {
|
||||
enable = true;
|
||||
ensureDatabases = [ "vaultwarden" ];
|
||||
ensureUsers = [
|
||||
(rec {
|
||||
name = "vaultwarden";
|
||||
ensurePermissions = {
|
||||
"DATABASE \"${name}\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
})
|
||||
];
|
||||
ensureUsers = [{
|
||||
name = "vaultwarden";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
};
|
||||
|
||||
local.socketActivation.vaultwarden = {
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
github:
|
||||
tokens:
|
||||
prometheus_exporter: ENC[AES256_GCM,data:Uybn/X2kgRKrtoLfgOYU/vR9PS/9JTX4MVuXJBCq2ZH5O2O1W5wfUg==,iv:8Q/kKd3r6G70wU4eLtqpf1obWeErNv5mNrpOQxB6tl8=,tag:PrCMzieirVaCbUT94iVKbg==,type:str]
|
||||
jupyter:
|
||||
password: ENC[AES256_GCM,data:mm0EHzhK9AqErfsoWWJ5+3ym+VXgEcZ+qadTy3f+NtA=,iv:ntGxklA5oDbGbo3j3ffbAvzGE4c9Ay/SfCWdA6bqzP4=,tag:KG1luMcSjBFm0LVKnoTvGA==,type:str]
|
||||
gitea:
|
||||
runners:
|
||||
ping: ENC[AES256_GCM,data:DRyw59+KE0n/qEr+Az7r8ulZr3dk1u6hVT1SVqKywW4DgtUr1eLj7DGOXvHxug==,iv:W49dNY/V+6KPuQeN5rdWw6Ed+w/oOy9ey+hRRz7Oxdc=,tag:ILzIKgvLs+8RVpHsSuMHrA==,type:str]
|
||||
pong: ENC[AES256_GCM,data:VwpNj/FRSkc5/s6aZPaiBwIaj9VBfp6wcnDFkWmTWC6xRWevMUYKv3jHPhD/ZA==,iv:0uVgjmrF4jIa+Eg3Gofb+2eFa1MdZHb9eR4BcWBpkeQ=,tag:YsXjKqeksU9JcXl+5REXFQ==,type:str]
|
||||
grafana:
|
||||
oauth2_secret: ENC[AES256_GCM,data:zxfPtiB/o5cC27O9uQzPvQV1qWcp3xxnIi7/P84I2lJ/X4ovAwXuiEqnc7BDAE4E,iv:ZY8BDTMEvR2JiFHKM8iM90UQbmTqH/DoVklWno6Xa4U=,tag:E8GTGk9IJauCgjaoToShBg==,type:str]
|
||||
secretkey: ENC[AES256_GCM,data:aVzqZqwFfm3FcYJE8USxsDbZVwtnF5NJXTAqshv9av4ZeR5YrDfDzLYHHztXMZt2Q7p/6A==,iv:A7x7oRUVvfxqSXRfi9+15z9pE6xX+GZrGU7gXrSKyXE=,tag:2uatRT0XePk2dqZj2ZlM3A==,type:str]
|
||||
|
@ -18,15 +20,10 @@ drives:
|
|||
nextcloud:
|
||||
initialPassword: ENC[AES256_GCM,data:ROG+4u6C9zBu8Ez3Jprw8cgwVd2gFErUIOBmrWL9o7/qSGPT8jnwd0T5W8E=,iv:uRdL/3Xslu/J/aPI44WxlNw3RLAvjDRPt5VttuQL/P0=,tag:IDmGXNF9PsHPaMqK5YUKIg==,type:str]
|
||||
postgres:
|
||||
gitea: ENC[AES256_GCM,data:HyYgEgOzeOnaEvPDEXoL+fRhrnqCeGbb/wOYf2kHulxrU9PKIAcRzmNljsc=,iv:1N/N2RUQ++rAWw4VNQzhee2aV9LzOJym6cyM6CAnZUU=,tag:o7dblJrIAPd4/S8X2LKdcQ==,type:str]
|
||||
invidious: ENC[AES256_GCM,data:r/Jzs7U1fkCi2j5L/tOcBfakR3virj8HGrDrVZdP7VwubG4BJLvoeb14eJo=,iv:3plNFOds+HeF0HAliedczpNgPL4ZgqhCOwqbnb2e8Ag=,tag:DHm/KM9UuPiqaRxqNDb7QA==,type:str]
|
||||
nextcloud: ENC[AES256_GCM,data:E1tD6Z2SDbi5TUDAACjXSJJIn+/ySu0+8xhvRVFxumxjex4ZsEw+mofKIxM=,iv:E4iPVF3M8GOoQghVQtn/kCEpXl0b8MueCbtyvzFM8AA=,tag:IF4kWOuTsylqrXMoXzQaVQ==,type:str]
|
||||
headscale: ENC[AES256_GCM,data:UVPCZjcpm9j2dMwyAvrPfwOj84JJHrwoU5rs672FEeA=,iv:zq3J4mL/PB3EAl8LHxxC77Y4FMrZWT4QF+DOih+FIGk=,tag:UwfjKnjfJ3a6RwAWg/8BzQ==,type:str]
|
||||
grafana: ENC[AES256_GCM,data:bsxzS/xkNdSJvOSQfZY8RRK03ckfKAoYeiZlgrSxXVqTEQ==,iv:wb8bFITgGLToagEczdm7MwUmXl3tyYmrYqSZOblEz0I=,tag:ZboMGI4QdmOK+LVBDCl2Pg==,type:str]
|
||||
matrix_synapse: ENC[AES256_GCM,data:hLlUeo6glgw1PIo4N9aE7KLg7JV88EcG4IYZwVhs97Y=,iv:c4g33QQ/r54KrBM/zUG/gS9rNQy1OUB4KPSAggkgNvo=,tag:WOezFIPE89+oHKGMrsMSgA==,type:str]
|
||||
pgadmin:
|
||||
oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
|
||||
initialPassword: ENC[AES256_GCM,data:y2ADMtiIO+jIjIQhGKZB43yKcJIouaWagZYe/0K9OoKEGUQq+wXXWA==,iv:oeSzHdaxPj5nN3T+WfCxOq1wkcEDPJCgeh7WOOqs3B0=,tag:r81rysqIjsiCOvyzHiAV6Q==,type:str]
|
||||
paperless:
|
||||
password: ENC[AES256_GCM,data:8ut0DX8NajIy/WUwd3eBrFiGwsTMTYKWaPDy7kGytt8=,iv:q2hTmQsS4kBLZ4I7nRljstHlqELsGBYqf5yifFh3vNY=,tag:eJj+DXU898frl6+IoBsSPQ==,type:str]
|
||||
matrix_synapse:
|
||||
|
@ -70,8 +67,8 @@ sops:
|
|||
cElPYm5qK2lkTWZ1UGd6TU1NV2h4OTgK8Ecv58Ybnc6iYMjtSKTT1fYbNf4yyFgX
|
||||
rjQ2sU8Rqc04MqixnAkF2zSDaaJ0vqwf22MvbO3bYhpqOHwiTMbRLg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-01-23T05:31:44Z"
|
||||
mac: ENC[AES256_GCM,data:BmSIU2VYYhetuQ5ooBr8y+YSTJnUoglGaVfOzW+Hx+qNDDR+PHHoOSHnciuQonMjQz1KX4lBmxAYKyeOi7ZjyZe7kYYPMcOkHZjYk+GihXJ2ncCnK+dyoPVMGfe2oR38cnilI8YcczuQDGLfkuBT08lSbzV+LMtTQXBQoOlgmM0=,iv:2Uflf2ShABEImYjqRQ5piuB5Y5kJ7IIME/8zdmewgBI=,tag:thuF8OWuAs5t8mNpKmVK7w==,type:str]
|
||||
lastmodified: "2024-06-09T14:08:52Z"
|
||||
mac: ENC[AES256_GCM,data:+gz1Zp4cZ4k81mPVUSjBth/B7Dgc4urOAWmfN9p5qxUEXoiqY1TLImmqr1YGrQE7QHO0VzpEY1UJsDLayMFTQexnI9ePjaws9bJrHndR6wMcuDunyQ9iWgwU3CYPtvX8T4/5lTTswwiWaMRMHR9j3KB43VQ8p/DpMVrZBdGD3Mc=,iv:YRABwve5RYb4npW5eHrqjFDVhs+hq3a8fMueG6aKdD0=,tag:7/+fq26aB0i9+AJfNcuV5A==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-05-08T00:49:52Z"
|
||||
enc: |
|
||||
|
|