diff --git a/.sops.yaml b/.sops.yaml
index 6078d69..fc9da64 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
- &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
- &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
- &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
+ - &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
creation_rules:
- path_regex: secrets/services/dns-knot.yaml
key_groups:
@@ -57,4 +58,4 @@ creation_rules:
- pgp:
- *emily
age:
- - *seras
+ - *florp
diff --git a/config/common/default.nix b/config/common/default.nix
index f5266a5..1b33d66 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -1,6 +1,6 @@
-{ config, inputs, lib, pkgs, ... }:
-
-with lib; {
+{ config, inputs, lib, pkgs, ... }: let
+ inherit (lib) mkDefault;
+in {
imports = [
./kernel.nix
./networking.nix
@@ -105,6 +105,6 @@ with lib; {
services.fprintd.enable = config.kyouma.machine-type.graphical;
- system.stateVersion = "23.11";
+ system.stateVersion = mkDefault "23.11";
time.timeZone = mkDefault "CET";
}
diff --git a/config/hosts/crime/configuration.nix b/config/hosts/crime/configuration.nix
index fcceeca..f3e45ce 100644
--- a/config/hosts/crime/configuration.nix
+++ b/config/hosts/crime/configuration.nix
@@ -7,11 +7,7 @@
../../services/nginx.nix
./nginx.nix
];
- networking = {
- hostName = "crime";
- firewall.allowedTCPPorts = [ 80 443 ];
- firewall.allowedUDPPorts = [ 443 ];
- };
+ networking.hostName = "crime";
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::1337/128"
diff --git a/config/hosts/emilia/configuration.nix b/config/hosts/emilia/configuration.nix
index f4bceb0..cad1e2c 100644
--- a/config/hosts/emilia/configuration.nix
+++ b/config/hosts/emilia/configuration.nix
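Review bot: Replacing `*seras` with `*florp` in the akkoma creation rule re-keys the file but does not rotate what it protects: the matching hunk in secrets/services/akkoma.yaml changes only the age recipient and the ciphertext blocks while `mac:` and `lastmodified:` stay identical, so the plaintext (including `services/akkoma/mailerPassword`) is unchanged. The previous ciphertext remains in git history and can still be decrypted by the seras host key and the emily PGP key, so if seras is being retired from the Akkoma role the secret values should be rotated at their source, not only re-encrypted. A one-line comment above the rule, `# florp hosts akkoma; when the host changes, rotate the values as well as the recipients`, would record that expectation. The `&florp` recipient introduced in the first hunk is the same key this rule now uses.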
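Review bot: `system.stateVersion = mkDefault "23.11"` turns a value that is meant to record the release a host was first installed with into an overridable default, and the new florp host does override it with `"24.11"`; in NixOS this value also selects stateful defaults such as the PostgreSQL major version, so the reason for the default should be written down. Suggested comment above the line: `# default for the pre-existing hosts; a new host sets the release it was installed with and must never change it afterwards`. Hosts that never set the option keep 23.11 exactly as before, so existing machines are unaffected.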
@@ -17,10 +17,8 @@
kyouma.machine-type.physical = true;
kyouma.nginx.defaultForbidden = "uptime.kyouma.net";
- networking = {
- firewall.allowedTCPPorts = [ 80 443 ];
- hostName = "emilia";
- };
+ networking.hostName = "emilia";
+
systemd.network.networks."98-eth-default" = {
matchConfig.MACAddress = "04:d4:c4:39:73:f6";
addresses = [
diff --git a/config/hosts/florp/configuration.nix b/config/hosts/florp/configuration.nix
new file mode 100644
index 0000000..578f28e
--- /dev/null
+++ b/config/hosts/florp/configuration.nix
@@ -0,0 +1,40 @@
+{ lib, ... }: {
+ imports = [
+ ../../common
+ ../../profiles/headless.nix
+ ../../profiles/kartoffel.nix
+ ../../profiles/lxc.nix
+ ../../services/akkoma
+ ../../services/nginx.nix
+ ];
+ networking = {
+ hostName = "florp";
+ domain = lib.mkForce "social";
+ };
+ systemd.network.networks."98-eth-default" = {
+ address = [
+ "2a0f:be01:0:100::171/128"
+ ];
+ };
+
+ services.postgresql.settings = {
+ max_connections = 200;
+ shared_buffers = "8GB";
+ effective_cache_size = "10GB";
+ maintenance_work_mem = "2GB";
+ checkpoint_completion_target = 0.9;
+ wal_buffers = "16MB";
+ default_statistics_target = 100;
+ random_page_cost = 1.1;
+ effective_io_concurrency = 200;
+ work_mem = "31457kB";
+ huge_pages = "try";
+ min_wal_size = "1GB";
+ max_wal_size = "4GB";
+ max_worker_processes = 32;
+ max_parallel_workers_per_gather = 4;
+ max_parallel_workers = 32;
+ max_parallel_maintenance_workers = 4;
+ };
+ system.stateVersion = "24.11";
+}
diff --git a/config/hosts/girldick/configuration.nix b/config/hosts/girldick/configuration.nix
index bc69ddc..35c9211 100644
--- a/config/hosts/girldick/configuration.nix
+++ b/config/hosts/girldick/configuration.nix
@@ -11,7 +11,6 @@
domain = lib.mkForce "girldick.gay";
hostName = "staging";
nftables.enable = lib.mkForce false;
- firewall.allowedTCPPorts = [ 80 443 ];
};
systemd.network.networks."98-eth-default" = {
address = [
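Review bot: The `services.postgresql.settings` block in the new florp configuration hard-codes `shared_buffers = "8GB"`, `effective_cache_size = "10GB"` and `work_mem = "31457kB"` alongside `max_connections = 200` and 32 worker processes, but nothing in the file records the memory budget these were sized against. The host imports `../../profiles/lxc.nix`, so a container memory limit below that budget would presumably surface as OOM kills under load rather than as a configuration error, and per-query `work_mem` multiplied by connections and parallel workers can exceed the fixed buffers by a wide margin. A header comment such as `# tuned for a container with <RAM-LIMIT> of memory; revisit when the limit or the workload changes` (with the real figure filled in) would make the assumption checkable at review time.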
diff --git a/config/hosts/seras/configuration.nix b/config/hosts/seras/configuration.nix
index 34b2ee8..368b4b0 100644
--- a/config/hosts/seras/configuration.nix
+++ b/config/hosts/seras/configuration.nix
@@ -5,17 +5,13 @@
../../profiles/headless.nix
../../profiles/kartoffel.nix
../../profiles/lxc.nix
- ../../services/akkoma
../../services/nginx.nix
../../services/hydra
../../services/update-nixfiles.nix
];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
- networking = {
- hostName = "seras";
- firewall.allowedTCPPorts = [ 80 443 ];
- };
+ networking.hostName = "seras";
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::169/128"
diff --git a/config/hosts/web-dus/configuration.nix b/config/hosts/web-dus/configuration.nix
index 5f2d701..1eb8172 100644
--- a/config/hosts/web-dus/configuration.nix
+++ b/config/hosts/web-dus/configuration.nix
@@ -11,8 +11,7 @@
networking = {
hostName = "web-dus";
nftables.enable = lib.mkForce false;
- firewall.allowedTCPPorts = [ 80 443 11019 ];
- firewall.allowedUDPPorts = [ 443 ];
+ firewall.allowedTCPPorts = [ 11019 ];
};
systemd.network.networks."98-eth-default" = {
address = [
diff --git a/config/services/akkoma/default.nix b/config/services/akkoma/default.nix
index c9d0d85..9a242c5 100644
--- a/config/services/akkoma/default.nix
+++ b/config/services/akkoma/default.nix
@@ -76,7 +76,7 @@
":instance" = {
name = "florp.social";
email = "contact@florp.social";
- notify_email = "akkoma@florp.social";
+ notify_email = "noreply@florp.social";
description = "Likes are now florps. The timeline goes sideways.";
instance_thumbnail = "/instance/thumbnail.avif";
limit = 69420;
@@ -114,7 +114,7 @@
enabled = true;
adapter = mkRaw "Swoosh.Adapters.SMTP";
relay = "mail.kyouma.net";
- username = "akkoma@florp.social";
+ username = "noreply@florp.social";
password._secret = config.sops.secrets."services/akkoma/mailerPassword".path;
port = 465;
ssl = true;
@@ -227,14 +227,14 @@
":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer";
};
+ services.postgresql.enable = true;
services.postgresql.extraPlugins = [
- pkgs.postgresql15Packages.rum
+ pkgs.postgresql16Packages.rum
];
services.nginx = {
- package = pkgs.tengine;
clientMaxBodySize = "256m";
commonHttpConfig = ''
- proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache
+ proxy_cache_path /var/cache/nginx/akkoma-media-cache
levels= keys_zone=akkoma_media_cache:32m max_size=32g inactive=1y use_temp_path=off;
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index 1a11e0a..b27fa24 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -1,4 +1,6 @@
-{ config, lib, ... }: with lib; {
+{ config, lib, pkgs, ... }: let
+ inherit (lib) mkDefault;
+in {
kyouma.deployment.tags = [ "web" ];
security.dhparams.enable = true;
security.dhparams.params.nginx = {};
@@ -9,9 +11,11 @@
email = "noc@kyouma.net";
};
};
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 443 ];
services.nginx = {
enable = true;
- #package = pkgs.nginxQuic;
+ package = mkDefault pkgs.nginxQuic;
recommendedGzipSettings = true;
recommendedOptimisation = true;
@@ -32,6 +36,7 @@
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
+ add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
'';
eventsConfig = ''
diff --git a/flake.lock b/flake.lock
index fe32570..6a5babc 100644
--- a/flake.lock
+++ b/flake.lock
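Review bot: `pkgs.postgresql16Packages.rum` is now paired with a server whose major version this module does not pin: `services.postgresql.enable = true` is added, but `services.postgresql.package` is left to the stateVersion-dependent default, so the extension and the server only match while the importing host's stateVersion happens to select PostgreSQL 16 (florp sets 24.11; the common default is 23.11). Pinning `services.postgresql.package = pkgs.postgresql_16;` next to the extension, or using the function form `services.postgresql.extraPlugins = ps: [ ps.rum ];` if the module version in use supports it, ties the two together explicitly. The unchanged context line `":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer"` also references a file that no sops rule in this change provisions, so it must exist on the new host before Akkoma starts; a comment recording that out-of-band dependency would help. Moving from `postgresql15Packages` to 16 also implies a dump/restore of the database that this configuration cannot perform by itself.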
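Review bot: `networking.firewall.allowedUDPPorts = [ 443 ]` is now opened on every host that imports this file, while `package = mkDefault pkgs.nginxQuic` deliberately leaves room for a host to substitute another build (this commit removes `package = pkgs.tengine` from the akkoma service, but the override path remains). A host that does override it would keep UDP 443 open with, presumably, nothing listening, and the `Alt-Svc` header added in the following hunk (and again in modules/nginx/default.nix) would keep telling clients for 90 days (`ma=7776000; persist=1`) to attempt h3 there. If the UDP port and the header only make sense with the QUIC-capable build, a comment such as `# UDP 443 and the Alt-Svc header below assume the h3-capable package; keep them in step with any package override` should accompany them, or the UDP list should be derived from the same condition that selects the package.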
@@ -156,11 +156,11 @@
]
},
"locked": {
- "lastModified": 1730675461,
- "narHash": "sha256-Mhqz3p/HEiI/zxBJWO57LYQf6gGlJB0tci6fiVXLjd8=",
+ "lastModified": 1730751873,
+ "narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=",
"owner": "nix-community",
"repo": "disko",
- "rev": "380847d94ff0fedee8b50ee4baddb162c06678df",
+ "rev": "856a2902156ba304efebd4c1096dbf7465569454",
"type": "github"
},
"original": {
@@ -693,11 +693,11 @@
]
},
"locked": {
- "lastModified": 1730448474,
- "narHash": "sha256-qE/cYKBhzxHMtKtLK3hlSR3uzO1pWPGLrBuQK7r0CHc=",
+ "lastModified": 1730600078,
+ "narHash": "sha256-BoyFmE59HDF3uybBySsWVoyjNuHvz3Wv8row/mSb958=",
"owner": "lnl7",
"repo": "nix-darwin",
- "rev": "683d0c4cd1102dcccfa3f835565378c7f3cbe05e",
+ "rev": "4652874d014b82cb746173ffc64f6a70044daa7e",
"type": "github"
},
"original": {
@@ -957,11 +957,11 @@
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
- "lastModified": 1730569492,
- "narHash": "sha256-NByr7l7JetL9kIrdCOcRqBu+lAkruYXETp1DMiDHNQs=",
+ "lastModified": 1730731617,
+ "narHash": "sha256-W7FNEe+gewzTSx0lykzZ3XUKmJ8uKk/SpIPblZIfYc0=",
"owner": "nix-community",
"repo": "nixvim",
- "rev": "6f210158b03b01a1fd44bf3968165e6da80635ce",
+ "rev": "aa06b176e78c9ae9e779e605cab61c9d8681a54e",
"type": "github"
},
"original": {
@@ -1038,11 +1038,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
- "lastModified": 1730605784,
- "narHash": "sha256-1NveNAMLHbxOg0BpBMSVuZ2yW2PpDnZLbZ25wV50PMc=",
+ "lastModified": 1730746162,
+ "narHash": "sha256-ZGmI+3AbT8NkDdBQujF+HIxZ+sWXuyT6X8B49etWY2g=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "e9b5eef9b51cdf966c76143e13a9476725b2f760",
+ "rev": "59d6988329626132eaf107761643f55eb979eef1",
"type": "github"
},
"original": {
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index 44b3783..644a2c7 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@@ -2,6 +2,7 @@
cfg = config.kyouma.nginx;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
+ add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
@@ -9,11 +10,11 @@
add_header Referrer-Policy "same-origin" always;
'';
createHost = vhostName: vhostCfg: {
- extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
+ extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
forceSSL = true;
#kTLS = true;
- #http3 = true;
- #quic = true;
+ http3 = true;
+ quic = true;
} // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
enableACME = true;
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 571bfe8..72ef525 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -6,4 +6,5 @@ final: prev: {
librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
librespeed-go = final.callPackage ./librespeed-go/default.nix {};
akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
+ nginxQuic = prev.nginxQuic.override { withSlice = true; };
}
diff --git a/secrets/services/akkoma.yaml b/secrets/services/akkoma.yaml
index fc7bb2f..f76c6b6 100644
--- a/secrets/services/akkoma.yaml
+++ b/secrets/services/akkoma.yaml
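Review bot: The rewritten `extraConfig` line in `createHost` changes behaviour, not just parenthesisation: before, every vhost built by `createHost` had the module's header block (HSTS, Alt-Svc, X-Content-Type-Options, ...) appended unconditionally; now a vhost that defines no `extraConfig` of its own yields an empty string and therefore no server-level `add_header` at all. That is only safe because nginx inherits `add_header` from the `http` level when the `server` level defines none, so such vhosts fall back to `commonHttpConfig` in config/services/nginx.nix — and as far as the visible hunks show, that http-level set does not include the `Strict-Transport-Security $hsts_header` line, so those vhosts may silently lose HSTS. Please confirm the http-level header set is complete, and record the intent with a comment on the line, e.g. `# vhosts without extraConfig inherit the http-level headers; re-adding them here is only needed when the vhost's own extraConfig would suppress that inheritance`. The `createHost` function continues past the end of the hunk.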
@@ -8,27 +8,27 @@ sops:
azure_kv: []
hc_vault: []
age:
- - recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+ - recipient: age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTi9Ha0tQRGE2L3BzclpW
- NnduRVVRUnhkV1pEOXllZTA0bnN0NENESlM4Ck9jSTcxcjJIdThvUk9IM1FCOGNv
- V1FNV2ZHbHlTaWNBL0VvSGxhSzlWSDgKLS0tIEFoWEozY0VSWVA0cVp5dkI4NHNH
- RVQ3aDd0c1RDNWd2eGxiNURGRXVXS2sKTT4LpWSIb9hjrcdUWOhieUeUHop0pwoA
- OfOv3y3dp7tYc5HRREN5jkVx29jb2lrml0ycu9ek58S8+bolfzN8yQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NGRYOHFVSXBNdjlpVDhF
+ V0g2ZkRiZnR6UElvWEZKUWxHSjZySlJadHlvCmpBdzBPRklkOVltZWwzNlNrc0pC
+ bG9kU3phNmFKNGkwek94Y2hZcjZCNW8KLS0tIFFqM0VTQXRuODAva0Rkc2xvWFB4
+ VTQ3RExKY093VG8vOThCczRzY2tpY2cKJOv0yVl9Zody0mjtytyjCXpe5V3NsReA
+ /Dqr6V9Hjuf3u0fjMHAjE6hDPGVH5t5NYLkNDeaGHNTaAd5dnhfprg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-31T16:57:58Z"
mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str]
pgp:
- - created_at: "2024-10-31T16:40:38Z"
+ - created_at: "2024-11-04T20:52:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
- hF4D1GtNSlou/HkSAQdAmS/QDuU40+HtiMoCa9byz80b6lGMd6cvqxYShifFxUgw
- Bn34D6HB6z3nQxWanlOCkA2ud8GBUhEFlLjsQf29apfWuWxKpNv37Olou1/vGvNm
- 0l4BIzFesU+aoIUi+Fp0GbJ1+ObzRvGZq1IULChsDgbbvDnHah7yvN5wKYwj6x7f
- ZhPpm40+FLea1najiN6igUD6oUy8TSYnCgPODef4FeI0ZwFqF5MaucY8CNuWsugS
- =1vZk
+ hF4D1GtNSlou/HkSAQdApk/nEYcccQBCzFwC+hZbMio0s37LJuK6ceSLW786Sjsw
+ 90ggzfOg63e92cyqYxvbKqtCgVHHU/9RmKdsSZM+rFcR3XpzWw0ke10WjZNW0lU5
+ 0l4BuP1sPvP7Z+kxWlITnYl4SPKxVhSmYtAdGbceiGUo36jtpi9vkziuPmyrGttM
+ t1PNZ9gjGVyNw96rRg9bgXCSvJo2FfMx8GeArj1yuO3+bkkbDm7mFrbF6fMQN3JE
+ =Q9iO
-----END PGP MESSAGE-----
fp:
B04F01A7A98A13020C39B4A68AB7B773A214ACE5
unencrypted_suffix: _unencrypted