

4 commits

Update Bot
275b7103b2
Update from update-inputs-2024-11-05-04-20 2024-11-05 04:20:25 +01:00
Update Bot
e95b391c04
flake.lock: Update
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/380847d94ff0fedee8b50ee4baddb162c06678df' (2024-11-03)
  → 'github:nix-community/disko/856a2902156ba304efebd4c1096dbf7465569454' (2024-11-04)
• Updated input 'nixvim':
    'github:nix-community/nixvim/6f210158b03b01a1fd44bf3968165e6da80635ce' (2024-11-02)
  → 'github:nix-community/nixvim/aa06b176e78c9ae9e779e605cab61c9d8681a54e' (2024-11-04)
• Updated input 'nixvim/nix-darwin':
    'github:lnl7/nix-darwin/683d0c4cd1102dcccfa3f835565378c7f3cbe05e' (2024-11-01)
  → 'github:lnl7/nix-darwin/4652874d014b82cb746173ffc64f6a70044daa7e' (2024-11-03)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/e9b5eef9b51cdf966c76143e13a9476725b2f760' (2024-11-03)
  → 'github:Mic92/sops-nix/59d6988329626132eaf107761643f55eb979eef1' (2024-11-04)
2024-11-05 04:20:23 +01:00
e5bab5cd47
florp.social: add dedicated host 2024-11-04 23:18:10 +01:00
992b4796ad
nginx: enable http3 2024-11-04 20:30:18 +01:00
14 changed files with 92 additions and 56 deletions


@ -3,6 +3,7 @@ keys:
- &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd - &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
- &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
- &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf - &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
- &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
creation_rules: creation_rules:
- path_regex: secrets/services/dns-knot.yaml - path_regex: secrets/services/dns-knot.yaml
key_groups: key_groups:
@ -57,4 +58,4 @@ creation_rules:
- pgp: - pgp:
- *emily - *emily
age: age:
- *seras - *florp


@ -1,6 +1,6 @@
{ config, inputs, lib, pkgs, ... }: { config, inputs, lib, pkgs, ... }: let
inherit (lib) mkDefault;
with lib; { in {
imports = [ imports = [
./kernel.nix ./kernel.nix
./networking.nix ./networking.nix
@ -105,6 +105,6 @@ with lib; {
services.fprintd.enable = config.kyouma.machine-type.graphical; services.fprintd.enable = config.kyouma.machine-type.graphical;
system.stateVersion = "23.11"; system.stateVersion = mkDefault "23.11";
time.timeZone = mkDefault "CET"; time.timeZone = mkDefault "CET";
} }
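Review bot: Only `mkDefault` is brought into scope by the new `let` block at the top of the hunk, replacing the former `with lib;`; any other bare lib identifier used in lines 7–104, which the hunk does not show, would now fail to evaluate. A quick scan of the file for names that `with lib;` previously resolved, widening the line to `inherit (lib) mkDefault <other names>;` as needed, closes that gap. The `mkDefault` on `system.stateVersion` is what lets the new florp host set "24.11" without a conflict. The attribute set continues outside the hunk.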


@ -7,11 +7,7 @@
../../services/nginx.nix ../../services/nginx.nix
./nginx.nix ./nginx.nix
]; ];
networking = { networking.hostName = "crime";
hostName = "crime";
firewall.allowedTCPPorts = [ 80 443 ];
firewall.allowedUDPPorts = [ 443 ];
};
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
address = [ address = [
"2a0f:be01:0:100::1337/128" "2a0f:be01:0:100::1337/128"


@ -17,10 +17,8 @@
kyouma.machine-type.physical = true; kyouma.machine-type.physical = true;
kyouma.nginx.defaultForbidden = "uptime.kyouma.net"; kyouma.nginx.defaultForbidden = "uptime.kyouma.net";
networking = { networking.hostName = "emilia";
firewall.allowedTCPPorts = [ 80 443 ];
hostName = "emilia";
};
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
matchConfig.MACAddress = "04:d4:c4:39:73:f6"; matchConfig.MACAddress = "04:d4:c4:39:73:f6";
addresses = [ addresses = [


@ -0,0 +1,40 @@
{ lib, ... }: {
imports = [
../../common
../../profiles/headless.nix
../../profiles/kartoffel.nix
../../profiles/lxc.nix
../../services/akkoma
../../services/nginx.nix
];
networking = {
hostName = "florp";
domain = lib.mkForce "social";
};
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::171/128"
];
};
services.postgresql.settings = {
max_connections = 200;
shared_buffers = "8GB";
effective_cache_size = "10GB";
maintenance_work_mem = "2GB";
checkpoint_completion_target = 0.9;
wal_buffers = "16MB";
default_statistics_target = 100;
random_page_cost = 1.1;
effective_io_concurrency = 200;
work_mem = "31457kB";
huge_pages = "try";
min_wal_size = "1GB";
max_wal_size = "4GB";
max_worker_processes = 32;
max_parallel_workers_per_gather = 4;
max_parallel_workers = 32;
max_parallel_maintenance_workers = 4;
};
system.stateVersion = "24.11";
}
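Review bot: The `services.postgresql.settings` block hard-codes memory sizing (`shared_buffers = "8GB"`, `effective_cache_size = "10GB"`, `maintenance_work_mem = "2GB"`, 32 worker processes) without stating the container resource budget it was derived for, so whoever resizes the LXC later has nothing to recalibrate against. A one-line comment above the block, e.g. `# sized for <RAM> / <cores> of the florp LXC; re-derive if the limits change`, would capture that. Inside an LXC guest `huge_pages = "try"` may also silently fall back to regular pages depending on the host, which is acceptable but worth noting in the same comment.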


@ -11,7 +11,6 @@
domain = lib.mkForce "girldick.gay"; domain = lib.mkForce "girldick.gay";
hostName = "staging"; hostName = "staging";
nftables.enable = lib.mkForce false; nftables.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ 80 443 ];
}; };
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
address = [ address = [


@ -5,17 +5,13 @@
../../profiles/headless.nix ../../profiles/headless.nix
../../profiles/kartoffel.nix ../../profiles/kartoffel.nix
../../profiles/lxc.nix ../../profiles/lxc.nix
../../services/akkoma
../../services/nginx.nix ../../services/nginx.nix
../../services/hydra ../../services/hydra
../../services/update-nixfiles.nix ../../services/update-nixfiles.nix
]; ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking = { networking.hostName = "seras";
hostName = "seras";
firewall.allowedTCPPorts = [ 80 443 ];
};
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
address = [ address = [
"2a0f:be01:0:100::169/128" "2a0f:be01:0:100::169/128"


@ -11,8 +11,7 @@
networking = { networking = {
hostName = "web-dus"; hostName = "web-dus";
nftables.enable = lib.mkForce false; nftables.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ 80 443 11019 ]; firewall.allowedTCPPorts = [ 11019 ];
firewall.allowedUDPPorts = [ 443 ];
}; };
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
address = [ address = [
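Review bot: The firewall change leaves only `firewall.allowedTCPPorts = [ 11019 ];` on web-dus and relies on the new `networking.firewall.allowedTCPPorts = [ 80 443 ]` / UDP 443 lines in services/nginx.nix to keep the web ports open; this host's imports are outside the hunk, so confirm it imports `../../services/nginx.nix`, otherwise 80/443 are now closed here. The crime and seras hunks show that import, the emilia and staging hunks do not, so the same check applies to those two. The `networking` block continues outside the hunk.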


@ -76,7 +76,7 @@
":instance" = { ":instance" = {
name = "florp.social"; name = "florp.social";
email = "contact@florp.social"; email = "contact@florp.social";
notify_email = "akkoma@florp.social"; notify_email = "noreply@florp.social";
description = "Likes are now florps. The timeline goes sideways."; description = "Likes are now florps. The timeline goes sideways.";
instance_thumbnail = "/instance/thumbnail.avif"; instance_thumbnail = "/instance/thumbnail.avif";
limit = 69420; limit = 69420;
@ -114,7 +114,7 @@
enabled = true; enabled = true;
adapter = mkRaw "Swoosh.Adapters.SMTP"; adapter = mkRaw "Swoosh.Adapters.SMTP";
relay = "mail.kyouma.net"; relay = "mail.kyouma.net";
username = "akkoma@florp.social"; username = "noreply@florp.social";
password._secret = config.sops.secrets."services/akkoma/mailerPassword".path; password._secret = config.sops.secrets."services/akkoma/mailerPassword".path;
port = 465; port = 465;
ssl = true; ssl = true;
@ -227,14 +227,14 @@
":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer"; ":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer";
}; };
services.postgresql.enable = true;
services.postgresql.extraPlugins = [ services.postgresql.extraPlugins = [
pkgs.postgresql15Packages.rum pkgs.postgresql16Packages.rum
]; ];
services.nginx = { services.nginx = {
package = pkgs.tengine;
clientMaxBodySize = "256m"; clientMaxBodySize = "256m";
commonHttpConfig = '' commonHttpConfig = ''
proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache proxy_cache_path /var/cache/nginx/akkoma-media-cache
levels= keys_zone=akkoma_media_cache:32m max_size=32g levels= keys_zone=akkoma_media_cache:32m max_size=32g
inactive=1y use_temp_path=off; inactive=1y use_temp_path=off;
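Review bot: `pkgs.postgresql16Packages.rum` in the middle hunk ties the extension build to PostgreSQL 16, but nothing in the hunk pins `services.postgresql.package`, so the server major presumably follows the host's `system.stateVersion` default and a mismatch would only surface at runtime when the extension is loaded. Pinning `services.postgresql.package = pkgs.postgresql_16;` next to `extraPlugins` makes the coupling explicit. The same hunk drops `services.postgresql.enable = true;` and none of the 14 files in this compare re-adds it, so confirm the server is still enabled through a profile or the akkoma module's own options. The enclosing module continues outside the hunk.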


@ -1,4 +1,6 @@
{ config, lib, ... }: with lib; { { config, lib, pkgs, ... }: let
inherit (lib) mkDefault;
in {
kyouma.deployment.tags = [ "web" ]; kyouma.deployment.tags = [ "web" ];
security.dhparams.enable = true; security.dhparams.enable = true;
security.dhparams.params.nginx = {}; security.dhparams.params.nginx = {};
@ -9,9 +11,11 @@
email = "noc@kyouma.net"; email = "noc@kyouma.net";
}; };
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
services.nginx = { services.nginx = {
enable = true; enable = true;
#package = pkgs.nginxQuic; package = mkDefault pkgs.nginxQuic;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
@ -32,6 +36,7 @@
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always; add_header Referrer-Policy "same-origin" always;
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
''; '';
eventsConfig = '' eventsConfig = ''
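Review bot: The new `Alt-Svc` header advertises h3 with `ma=7776000` (90 days) and `persist=1`, so clients that have seen it keep trying QUIC on UDP 443 for up to 90 days across network changes; if HTTP/3 has to be turned off again (UDP 443 closed, `quic` disabled) they only fall back after a failed attempt. A shorter lifetime while the rollout is new, e.g. `add_header Alt-Svc 'h3=":443"; ma=86400' always;`, bounds that window, and `always` keeps the line consistent with the neighbouring headers. The same header is added in the kyouma nginx module's extraConfig (line 299) and carries the same concern.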


@ -156,11 +156,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730675461, "lastModified": 1730751873,
"narHash": "sha256-Mhqz3p/HEiI/zxBJWO57LYQf6gGlJB0tci6fiVXLjd8=", "narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "380847d94ff0fedee8b50ee4baddb162c06678df", "rev": "856a2902156ba304efebd4c1096dbf7465569454",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -693,11 +693,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730448474, "lastModified": 1730600078,
"narHash": "sha256-qE/cYKBhzxHMtKtLK3hlSR3uzO1pWPGLrBuQK7r0CHc=", "narHash": "sha256-BoyFmE59HDF3uybBySsWVoyjNuHvz3Wv8row/mSb958=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "683d0c4cd1102dcccfa3f835565378c7f3cbe05e", "rev": "4652874d014b82cb746173ffc64f6a70044daa7e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -957,11 +957,11 @@
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1730569492, "lastModified": 1730731617,
"narHash": "sha256-NByr7l7JetL9kIrdCOcRqBu+lAkruYXETp1DMiDHNQs=", "narHash": "sha256-W7FNEe+gewzTSx0lykzZ3XUKmJ8uKk/SpIPblZIfYc0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "6f210158b03b01a1fd44bf3968165e6da80635ce", "rev": "aa06b176e78c9ae9e779e605cab61c9d8681a54e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1038,11 +1038,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1730605784, "lastModified": 1730746162,
"narHash": "sha256-1NveNAMLHbxOg0BpBMSVuZ2yW2PpDnZLbZ25wV50PMc=", "narHash": "sha256-ZGmI+3AbT8NkDdBQujF+HIxZ+sWXuyT6X8B49etWY2g=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e9b5eef9b51cdf966c76143e13a9476725b2f760", "rev": "59d6988329626132eaf107761643f55eb979eef1",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -2,6 +2,7 @@
cfg = config.kyouma.nginx; cfg = config.kyouma.nginx;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
@ -9,11 +10,11 @@
add_header Referrer-Policy "same-origin" always; add_header Referrer-Policy "same-origin" always;
''; '';
createHost = vhostName: vhostCfg: { createHost = vhostName: vhostCfg: {
extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig; extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
forceSSL = true; forceSSL = true;
#kTLS = true; #kTLS = true;
#http3 = true; http3 = true;
#quic = true; quic = true;
} // } //
lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) { lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
enableACME = true; enableACME = true;
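Review bot: The rewritten `extraConfig` line changes what vhosts receive: before, the module's header block (the `extraConfig` from the `let`, with HSTS and the new Alt-Svc) was always appended and only the vhost's own `extraConfig` was optional; now the entire string is inside `lib.optionalString`, so a vhost that defines no `extraConfig` emits none of these server-level `add_header` lines and inherits whatever the http-level block provides. If the goal was only to drop the stray leading newline, `extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n")) + extraConfig;` keeps the headers unconditional. If the goal was to avoid duplicate headers, note that an nginx `add_header` at server level replaces rather than adds to the inherited http-level set, so the old form did not duplicate them. `createHost` continues outside the hunk.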


@ -6,4 +6,5 @@ final: prev: {
librespeed-rust = final.callPackage ./librespeed-rust/default.nix {}; librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
librespeed-go = final.callPackage ./librespeed-go/default.nix {}; librespeed-go = final.callPackage ./librespeed-go/default.nix {};
akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {}; akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
nginxQuic = prev.nginxQuic.override { withSlice = true; };
} }


@ -8,27 +8,27 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd - recipient: age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTi9Ha0tQRGE2L3BzclpW YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NGRYOHFVSXBNdjlpVDhF
NnduRVVRUnhkV1pEOXllZTA0bnN0NENESlM4Ck9jSTcxcjJIdThvUk9IM1FCOGNv V0g2ZkRiZnR6UElvWEZKUWxHSjZySlJadHlvCmpBdzBPRklkOVltZWwzNlNrc0pC
V1FNV2ZHbHlTaWNBL0VvSGxhSzlWSDgKLS0tIEFoWEozY0VSWVA0cVp5dkI4NHNH bG9kU3phNmFKNGkwek94Y2hZcjZCNW8KLS0tIFFqM0VTQXRuODAva0Rkc2xvWFB4
RVQ3aDd0c1RDNWd2eGxiNURGRXVXS2sKTT4LpWSIb9hjrcdUWOhieUeUHop0pwoA VTQ3RExKY093VG8vOThCczRzY2tpY2cKJOv0yVl9Zody0mjtytyjCXpe5V3NsReA
OfOv3y3dp7tYc5HRREN5jkVx29jb2lrml0ycu9ek58S8+bolfzN8yQ== /Dqr6V9Hjuf3u0fjMHAjE6hDPGVH5t5NYLkNDeaGHNTaAd5dnhfprg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-31T16:57:58Z" lastmodified: "2024-10-31T16:57:58Z"
mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str] mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str]
pgp: pgp:
- created_at: "2024-10-31T16:40:38Z" - created_at: "2024-11-04T20:52:58Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4D1GtNSlou/HkSAQdAmS/QDuU40+HtiMoCa9byz80b6lGMd6cvqxYShifFxUgw hF4D1GtNSlou/HkSAQdApk/nEYcccQBCzFwC+hZbMio0s37LJuK6ceSLW786Sjsw
Bn34D6HB6z3nQxWanlOCkA2ud8GBUhEFlLjsQf29apfWuWxKpNv37Olou1/vGvNm 90ggzfOg63e92cyqYxvbKqtCgVHHU/9RmKdsSZM+rFcR3XpzWw0ke10WjZNW0lU5
0l4BIzFesU+aoIUi+Fp0GbJ1+ObzRvGZq1IULChsDgbbvDnHah7yvN5wKYwj6x7f 0l4BuP1sPvP7Z+kxWlITnYl4SPKxVhSmYtAdGbceiGUo36jtpi9vkziuPmyrGttM
ZhPpm40+FLea1najiN6igUD6oUy8TSYnCgPODef4FeI0ZwFqF5MaucY8CNuWsugS t1PNZ9gjGVyNw96rRg9bgXCSvJo2FfMx8GeArj1yuO3+bkkbDm7mFrbF6fMQN3JE
=1vZk =Q9iO
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5 fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
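Review bot: The age recipient changes to the florp key and the PGP wrap is refreshed, but `mac` and `lastmodified` are unchanged, so this is a re-wrap of the same data key and the encrypted value itself is the one that was previously readable by the seras key, which can still decrypt it from git history. The akkoma module in this compare also changes the SMTP `username` from `akkoma@florp.social` to `noreply@florp.social`, so the unchanged secret is now presented for a different account; confirm that account carries the same credential, and consider rotating it on the new account so the move of access from seras to florp is a clean cut. A `# re-keyed for florp; value rotated on <date>` comment in the matching `.sops.yaml` rule would record that decision.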