Compare commits

...

2 commits

Author SHA1 Message Date
Update Bot
251242032f
flake.lock: Update
Flake lock file updates:

• Updated input 'attic':
    'github:zhaofengli/attic/48c8b395bfbc6b76c7eae74df6c74351255a095c' (2024-10-30)
  → 'github:zhaofengli/attic/d0b66cf897e4d55f03d341562c9821dc4e566e54' (2024-11-06)
• Updated input 'disko':
    'github:nix-community/disko/380847d94ff0fedee8b50ee4baddb162c06678df' (2024-11-03)
  → 'github:nix-community/disko/f3f8254fccc321f4cac0d716f73203bfd5e02477' (2024-11-08)
• Updated input 'home-manager':
    'github:nix-community/home-manager/8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661' (2024-11-03)
  → 'github:nix-community/home-manager/2f607e07f3ac7e53541120536708e824acccfaa8' (2024-11-05)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/f6e0cd5c47d150c4718199084e5764f968f1b560' (2024-11-02)
  → 'github:nixos/nixos-hardware/e1cc1f6483393634aee94514186d21a4871e78d7' (2024-11-06)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d' (2024-11-02)
  → 'github:nixos/nixpkgs/4aa36568d413aca0ea84a1684d2d46f55dbabad7' (2024-11-05)
• Updated input 'nixvim':
    'github:nix-community/nixvim/6f210158b03b01a1fd44bf3968165e6da80635ce' (2024-11-02)
  → 'github:nix-community/nixvim/aabbd60633947baba11db44df84f402edc241440' (2024-11-07)
• Updated input 'nixvim/git-hooks':
    'github:cachix/git-hooks.nix/af8a16fe5c264f5e9e18bcee2859b40a656876cf' (2024-10-30)
  → 'github:cachix/git-hooks.nix/d70155fdc00df4628446352fc58adc640cd705c2' (2024-11-05)
• Updated input 'nixvim/nix-darwin':
    'github:lnl7/nix-darwin/683d0c4cd1102dcccfa3f835565378c7f3cbe05e' (2024-11-01)
  → 'github:lnl7/nix-darwin/0e3f3f017c14467085f15d42343a3aaaacd89bcb' (2024-11-05)
• Updated input 'nixvim/nuschtosSearch':
    'github:NuschtOS/search/9e22bd742480916ff5d0ab20ca2522eaa3fa061e' (2024-11-02)
  → 'github:NuschtOS/search/aa5214c81b904a19f7a54f7a8f288f7902586eee' (2024-11-04)
• Updated input 'nixvim/nuschtosSearch/ixx':
    'github:NuschtOS/ixx/65c207c92befec93e22086da9456d3906a4e999c' (2024-10-21)
  → 'github:NuschtOS/ixx/9fd01aad037f345350eab2cd45e1946cc66da4eb' (2024-10-26)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/e9b5eef9b51cdf966c76143e13a9476725b2f760' (2024-11-03)
  → 'github:Mic92/sops-nix/fe63071416471abdab06caa234122932a7c4b980' (2024-11-07)
• Updated input 'stylix':
    'github:danth/stylix/04afcfc0684d9bbb24bb1dc77afda7c1843ec93b' (2024-10-26)
  → 'github:danth/stylix/f71c2effed1ce4f9fbeefe402e4e431428ffe93a' (2024-11-07)
2024-11-08 04:20:13 +01:00
e688808e77
florp.social: add dedicated host 2024-11-07 23:20:40 +01:00
16 changed files with 254 additions and 183 deletions

View file

@ -3,6 +3,7 @@ keys:
- &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd - &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
- &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
- &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf - &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
- &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
creation_rules: creation_rules:
- path_regex: secrets/services/dns-knot.yaml - path_regex: secrets/services/dns-knot.yaml
key_groups: key_groups:
@ -57,4 +58,4 @@ creation_rules:
- pgp: - pgp:
- *emily - *emily
age: age:
- *seras - *florp

View file

@ -1,6 +1,6 @@
{ config, inputs, lib, pkgs, ... }: { config, inputs, lib, pkgs, ... }: let
inherit (lib) mkDefault;
with lib; { in {
imports = [ imports = [
./kernel.nix ./kernel.nix
./networking.nix ./networking.nix
@ -105,6 +105,6 @@ with lib; {
services.fprintd.enable = config.kyouma.machine-type.graphical; services.fprintd.enable = config.kyouma.machine-type.graphical;
system.stateVersion = "23.11"; system.stateVersion = mkDefault "23.11";
time.timeZone = mkDefault "CET"; time.timeZone = mkDefault "CET";
} }

View file

@ -7,11 +7,7 @@
../../services/nginx.nix ../../services/nginx.nix
./nginx.nix ./nginx.nix
]; ];
networking = { networking.hostName = "crime";
hostName = "crime";
firewall.allowedTCPPorts = [ 80 443 ];
firewall.allowedUDPPorts = [ 443 ];
};
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
address = [ address = [
"2a0f:be01:0:100::1337/128" "2a0f:be01:0:100::1337/128"

View file

@ -17,10 +17,8 @@
kyouma.machine-type.physical = true; kyouma.machine-type.physical = true;
kyouma.nginx.defaultForbidden = "uptime.kyouma.net"; kyouma.nginx.defaultForbidden = "uptime.kyouma.net";
networking = { networking.hostName = "emilia";
firewall.allowedTCPPorts = [ 80 443 ];
hostName = "emilia";
};
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
matchConfig.MACAddress = "04:d4:c4:39:73:f6"; matchConfig.MACAddress = "04:d4:c4:39:73:f6";
addresses = [ addresses = [

View file

@ -0,0 +1,41 @@
{ lib, ... }: {
imports = [
../../common
../../profiles/headless.nix
../../profiles/kartoffel.nix
../../profiles/lxc.nix
../../services/akkoma
../../services/nginx.nix
];
networking = {
hostName = "florp";
domain = lib.mkForce "social";
};
kyouma.nginx.defaultForbidden = "florp.social";
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::171/128"
];
};
services.postgresql.settings = {
max_connections = 30;
shared_buffers = "4GB";
effective_cache_size = "12GB";
maintenance_work_mem = "1GB";
checkpoint_completion_target = 0.9;
wal_buffers = "16MB";
default_statistics_target = 100;
random_page_cost = 1.1;
effective_io_concurrency = 200;
work_mem = "34952kB";
huge_pages = "try";
min_wal_size = "2GB";
max_wal_size = "8GB";
max_worker_processes = 16;
max_parallel_workers_per_gather = 4;
max_parallel_workers = 16;
max_parallel_maintenance_workers = 4;
};
system.stateVersion = "24.11";
}

View file

@ -11,7 +11,6 @@
domain = lib.mkForce "girldick.gay"; domain = lib.mkForce "girldick.gay";
hostName = "staging"; hostName = "staging";
nftables.enable = lib.mkForce false; nftables.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ 80 443 ];
}; };
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
address = [ address = [

View file

@ -5,17 +5,13 @@
../../profiles/headless.nix ../../profiles/headless.nix
../../profiles/kartoffel.nix ../../profiles/kartoffel.nix
../../profiles/lxc.nix ../../profiles/lxc.nix
../../services/akkoma
../../services/nginx.nix ../../services/nginx.nix
../../services/hydra ../../services/hydra
../../services/update-nixfiles.nix ../../services/update-nixfiles.nix
]; ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking = { networking.hostName = "seras";
hostName = "seras";
firewall.allowedTCPPorts = [ 80 443 ];
};
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
address = [ address = [
"2a0f:be01:0:100::169/128" "2a0f:be01:0:100::169/128"

View file

@ -11,8 +11,7 @@
networking = { networking = {
hostName = "web-dus"; hostName = "web-dus";
nftables.enable = lib.mkForce false; nftables.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ 80 443 11019 ]; firewall.allowedTCPPorts = [ 11019 ];
firewall.allowedUDPPorts = [ 443 ];
}; };
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
address = [ address = [

View file

@ -1,34 +1,21 @@
{ config, inputs, pkgs, ... }: { { config, inputs, lib, pkgs, ... }: {
sops.secrets."services/akkoma/mailerPassword" = { sops.secrets."services/akkoma/mailerPassword" = {
sopsFile = ../../../secrets/services/akkoma.yaml; sopsFile = ../../../secrets/services/akkoma.yaml;
}; };
sops.secrets."services/akkoma/deepl" = { sops.secrets."services/akkoma/deepl" = {
sopsFile = ../../../secrets/services/akkoma.yaml; sopsFile = ../../../secrets/services/akkoma.yaml;
}; };
services.akkoma = { services.akkoma = {
enable = true; enable = true;
extraPackages = with pkgs; [ exiftool ffmpeg-headless imagemagick ]; extraPackages = with pkgs; [ exiftool ffmpeg-headless imagemagick ];
extraStatic."emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg; extraStatic."emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
extraStatic."static/styles.json" = pkgs.writeText "styles.json" (builtins.toJSON { extraStatic."static/styles.json" = pkgs.writeText "styles.json" (builtins.toJSON (
pleroma-dark = "/static/themes/pleroma-dark.json"; builtins.fromJSON (builtins.readFile "${pkgs.akkoma-fe-domi}/static/styles.json") // {
pleroma-light = "/static/themes/pleroma-light.json"; elly-mod = "/static/themes/elly-mod.json";
pleroma-amoled = [ "Pleroma Dark AMOLED" "#000000" "#111111" "#b0b0b1" "#d8a070" "#aa0000" "#0fa00f" "#0095ff" "#d59500"]; }
classic-dark = [ "Classic Dark" "#161c20" "#282e32" "#b9b9b9" "#baaa9c" "#d31014" "#0fa00f" "#0095ff" "#ffa500" ]; ));
bird = [ "Bird" "#f8fafd" "#e6ecf0" "#14171a" "#0084b8" "#e0245e" "#17bf63" "#1b95e0" "#fab81e"];
ir-black = [ "Ir Black" "#000000" "#242422" "#b5b3aa" "#ff6c60" "#FF6C60" "#A8FF60" "#96CBFE" "#FFFFB6" ];
monokai = [ "Monokai" "#272822" "#383830" "#f8f8f2" "#f92672" "#F92672" "#a6e22e" "#66d9ef" "#f4bf75" ];
redmond-xx = "/static/themes/redmond-xx.json";
redmond-xx-se = "/static/themes/redmond-xx-se.json";
redmond-xxi = "/static/themes/redmond-xxi.json";
breezy-dark = "/static/themes/breezy-dark.json";
breezy-light = "/static/themes/breezy-light.json";
paper = "/static/themes/paper.json";
thekanata = "/static/themes/thekanata.json";
ihatebeingalive = "/static/themes/ihatebeingalive.json";
elly-mod = "/static/themes/elly-mod.json";
});
extraStatic."static/themes/elly-mod.json" = pkgs.writeText "elly-mod.json" (builtins.readFile ./elly-mod.json); extraStatic."static/themes/elly-mod.json" = pkgs.writeText "elly-mod.json" (builtins.readFile ./elly-mod.json);
@ -38,23 +25,7 @@
extraStatic."images/sylvia-ritter-15012323.avif" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.wallpaper; extraStatic."images/sylvia-ritter-15012323.avif" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.wallpaper;
extraStatic."favicon.png" = let extraStatic."favicon.png" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.favicon;
rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
in pkgs.stdenvNoCC.mkDerivation {
name = "favicon.png";
src = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/TilCreator/NixOwO/${rev}/NixOwO_plain.svg";
hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
};
nativeBuildInputs = with pkgs; [ librsvg ];
dontUnpack = true;
installPhase = ''
rsvg-convert -o $out -w 96 -h 96 $src
'';
};
frontends = { frontends = {
primary = { primary = {
@ -70,13 +41,31 @@
}; };
}; };
services.akkoma.config = let services.akkoma.config = let
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap; inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkTuple;
mapAttrsToListOfTuple = attr: lib.mapAttrsToList (name: value: mkTuple [ name value ]) attr;
mkMapOfPredefinedKeys = set: let
string = value: "\"${(lib.escape [ "\\" "#" "\"" ]) value}\"";
toElixir = value:
if value == null then "nil" else
if lib.isString value then string value else
if builtins.isBool value then lib.boolToString value else
if lib.isInt value || lib.isFloat value then toString value else
abort "Not a elixir value ${value}";
entries = attrs: lib.concatStringsSep ", " (lib.mapAttrsToList (name: value:
"${toElixir name}: ${toElixir value}"
) attrs);
in mkRaw "%{${entries set}}";
in { in {
":pleroma" = { ":pleroma" = {
":instance" = { ":instance" = {
name = "florp.social"; name = "florp.social";
email = "contact@florp.social"; email = "contact@florp.social";
notify_email = "akkoma@florp.social"; notify_email = "noreply@florp.social";
description = "Likes are now florps. The timeline goes sideways."; description = "Likes are now florps. The timeline goes sideways.";
instance_thumbnail = "/instance/thumbnail.avif"; instance_thumbnail = "/instance/thumbnail.avif";
limit = 69420; limit = 69420;
@ -90,19 +79,22 @@
registration_reason_length = 2048; registration_reason_length = 2048;
account_approval_required = true; account_approval_required = true;
account_activation_required = true; account_activation_required = true;
federation = false; federating = true;
federation_incoming_replies_max_depth = 1024; federation_incoming_replies_max_depth = 1024;
federation_reachability_timeout_days = 14;
allow_relay = true;
max_pinned_statuses = 10; max_pinned_statuses = 10;
max_report_comment_size = 2048;
safe_dm_mentions = true; safe_dm_mentions = true;
remote_post_retention_days = 365; remote_post_retention_days = 365;
user_bio_length = 8192; user_bio_length = 8192;
user_name_length = 64; user_name_length = 64;
max_account_fields = 8;
cleanup_attachments = true; cleanup_attachments = true;
local_bubble = [ local_bubble = [
"solitary.social" "solitary.social"
"donotsta.re" "donotsta.re"
"chaos.social" "chaos.social"
"girldick.gay"
]; ];
}; };
@ -110,11 +102,13 @@
"Pleroma.Web.Endpoint".url.host = "florp.social"; "Pleroma.Web.Endpoint".url.host = "florp.social";
"Pleroma.Web.Metadata.Providers.Theme".theme_color = "#070F1C";
"Pleroma.Emails.Mailer" = { "Pleroma.Emails.Mailer" = {
enabled = true; enabled = true;
adapter = mkRaw "Swoosh.Adapters.SMTP"; adapter = mkRaw "Swoosh.Adapters.SMTP";
relay = "mail.kyouma.net"; relay = "mail.kyouma.net";
username = "akkoma@florp.social"; username = "noreply@florp.social";
password._secret = config.sops.secrets."services/akkoma/mailerPassword".path; password._secret = config.sops.secrets."services/akkoma/mailerPassword".path;
port = 465; port = 465;
ssl = true; ssl = true;
@ -146,37 +140,42 @@
"Pleroma.Upload.Filter.AnonymizeFilename" "Pleroma.Upload.Filter.AnonymizeFilename"
]; ];
":mrf" = { ":mrf".policies = map mkRaw [
transparency = true; "Pleroma.Web.ActivityPub.MRF.SimplePolicy"
policies = map mkRaw [ "Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
"Pleroma.Web.ActivityPub.MRF.SimplePolicy" "Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy"
"Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy" ];
];
};
":mrf_simple" = { ":mrf_simple" = {
reject = mkMap { reject = mapAttrsToListOfTuple {
"bae.st" = "harassment"; "bae.st" = "transphobia / queerphobia";
"brighteon.social" = "incompatible"; "brighteon.social" = "transphobia, pro trump";
"detroitriotcity.com" = "incompatible"; "detroitriotcity.com" = "transphobia / queerphobia";
"freeatlantis.com" = "incompatible"; "freeatlantis.com" = "harassment";
"freespeechextremist.com" = "incompatible"; "freespeechextremist.com" = "N/A";
"gab.com" = "incompatible"; "gab.com" = "N/A";
"gleasonator.com" = "incompatible"; "gleasonator.com" = "transphobia";
"kitsunemimi.club" = "incompatible"; "kitsunemimi.club" = "transphobia";
"poa.st" = "incompatible"; "kiwifarms.*" = "N/A";
"seal.cafe" = "harassment"; "poa.st" = "queerphobia / racism / nazis";
"social.quodverum.com" = "incompatible"; "seal.cafe" = "transphobia";
"spinster.xyz" = "incompatible"; "social.quodverum.com" = "N/A";
"truthsocial.co.in" = "incompatible"; "spinster.xyz" = "transphobia";
"varishangout.net" = "incompatible"; "truthsocial.co.in" = "N/A";
"varishangout.net" = "transphobia";
"activitypub-troll.cf" = "security"; "activitypub-troll.cf" = "N/A";
"misskey-forkbomb.cf" = "security"; "misskey-forkbomb.cf" = "N/A";
"repl.co" = "security"; "repl.co" = "N/A";
"rape.pet" = "CP";
"childlove.space" = "CP";
"pedo.school" = "CP";
"loli.church" = "transphobia";
"usasa.ky" = "spam";
"tickler.cc" = "spam";
"shitposter.club" = "transphobia";
}; };
followers_only = mkMap { followers_only = mapAttrsToListOfTuple {
"bitcoinhackers.org" = "annoying"; "bitcoinhackers.org" = "annoying";
}; };
}; };
@ -184,7 +183,7 @@
":mrf_object_age".threshold = 180 * 24 * 3600; ":mrf_object_age".threshold = 180 * 24 * 3600;
":frontend_configurations" = { ":frontend_configurations" = {
pleroma_fe = mkMap { pleroma_fe = mkMapOfPredefinedKeys {
background = "/images/sylvia-ritter-15012323.avif"; background = "/images/sylvia-ritter-15012323.avif";
collapseMessageWithSubject = true; collapseMessageWithSubject = true;
streaming = true; streaming = true;
@ -204,9 +203,10 @@
}; };
":restrict_unauthenticated" = { ":restrict_unauthenticated" = {
timelines = mkMap { timelines = mkMapOfPredefinedKeys {
local = false; local = false;
federated = true; federated = false;
bubble = true;
}; };
}; };
@ -227,21 +227,44 @@
":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer"; ":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer";
}; };
services.postgresql.enable = true;
services.postgresql.extraPlugins = [ services.postgresql.extraPlugins = [
pkgs.postgresql15Packages.rum pkgs.postgresql16Packages.rum
]; ];
services.nginx = { services.nginx = {
clientMaxBodySize = "256m"; clientMaxBodySize = "256m";
commonHttpConfig = '' commonHttpConfig = ''
proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache proxy_cache_path /var/cache/nginx/akkoma-media-cache
levels= keys_zone=akkoma_media_cache:32m max_size=32g levels= keys_zone=akkoma_media_cache:32m max_size=32g
inactive=1y use_temp_path=off; inactive=1y use_temp_path=off;
access_log off; access_log off;
''; '';
}; };
kyouma.nginx.virtualHosts = { kyouma.nginx.virtualHosts = let
proxyCache = ''
proxy_cache akkoma_media_cache;
# Cache objects in slices of 1 MiB
slice 1m;
proxy_cache_key $host$uri$is_args$args$slice_range;
proxy_set_header Range $slice_range;
# Decouple proxy and upstream responses
proxy_buffering on;
proxy_cache_lock on;
proxy_ignore_client_abort on;
# Default cache times for various responses
proxy_cache_valid 200 1y;
proxy_cache_valid 206 301 304 1h;
# Allow serving of stale items
proxy_cache_use_stale error timeout invalid_header updating;
'';
in {
"florp.social" = { "florp.social" = {
serverAliases = map (x: "${x}.florp.social") [ "a" "b" "c" ];
locations."/" = { locations."/" = {
proxyPass = "http://unix:/run/akkoma/socket"; proxyPass = "http://unix:/run/akkoma/socket";
proxyWebsockets = true; proxyWebsockets = true;
@ -254,7 +277,9 @@
useACMEHost = "florp.social"; useACMEHost = "florp.social";
locations."/" = { locations."/" = {
proxyPass = "http://unix:/run/akkoma/socket"; proxyPass = "http://unix:/run/akkoma/socket";
extraConfig = "rewrite ^(?!/media)(.*)$ /media$1;"; extraConfig = ''
rewrite ^(?!/media)(.*)$ /media$1;
'' + proxyCache;
}; };
}; };
@ -264,27 +289,12 @@
proxyPass = "http://unix:/run/akkoma/socket"; proxyPass = "http://unix:/run/akkoma/socket";
extraConfig = '' extraConfig = ''
rewrite ^(?!/proxy)(.*)$ /proxy$1; rewrite ^(?!/proxy)(.*)$ /proxy$1;
proxy_cache akkoma_media_cache; '' + proxyCache;
# Cache objects in slices of 1 MiB
slice 1m;
proxy_cache_key $host$uri$is_args$args$slice_range;
proxy_set_header Range $slice_range;
# Decouple proxy and upstream responses
proxy_buffering on;
proxy_cache_lock on;
proxy_ignore_client_abort on;
# Default cache times for various responses
proxy_cache_valid 200 1y;
proxy_cache_valid 206 301 304 1h;
# Allow serving of stale items
proxy_cache_use_stale error timeout invalid_header updating;
'';
}; };
}; };
}; };
security.acme.certs."florp.social".extraDomainNames = [ "cache.florp.social" "media.florp.social" ]; security.acme.certs."florp.social".extraDomainNames = [
"cache.florp.social"
"media.florp.social"
] ++ map (x: "${x}.florp.social") [ "a" "b" "c" ];
} }

View file

@ -11,6 +11,7 @@ in {
email = "noc@kyouma.net"; email = "noc@kyouma.net";
}; };
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
services.nginx = { services.nginx = {
enable = true; enable = true;

View file

@ -12,11 +12,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1730257295, "lastModified": 1730906442,
"narHash": "sha256-OQl+aAsKiyygvpzck1u0sZf/R4T9zM903CgNDFmmzA8=", "narHash": "sha256-tBuyb8jWBSHHgcIrOfiyQJZGY1IviMzH2V74t7gWfgI=",
"owner": "zhaofengli", "owner": "zhaofengli",
"repo": "attic", "repo": "attic",
"rev": "48c8b395bfbc6b76c7eae74df6c74351255a095c", "rev": "d0b66cf897e4d55f03d341562c9821dc4e566e54",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -156,11 +156,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730675461, "lastModified": 1731026109,
"narHash": "sha256-Mhqz3p/HEiI/zxBJWO57LYQf6gGlJB0tci6fiVXLjd8=", "narHash": "sha256-X1/F4qNzKuhnWwO32b774nPVLnNLnJILyT61zsjk3FA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "380847d94ff0fedee8b50ee4baddb162c06678df", "rev": "f3f8254fccc321f4cac0d716f73203bfd5e02477",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -437,11 +437,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730469723, "lastModified": 1730825511,
"narHash": "sha256-5U2aVAXbzd26f0r4+1fo0F4KTqY5h3z2fV0uDJ9YsMQ=", "narHash": "sha256-Ywc4Y+4VobocyxcVhHlJ5Q5h1fOdsJNlAlWlrkqC8U0=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "16f4a9c871b5417b9ed17e7666c1b266dd8de464", "rev": "81bde12357d59215e7d67c7f55c2eb3d54c47689",
"revCount": 1, "revCount": 2,
"type": "git", "type": "git",
"url": "https://woof.rip/florp/branding.git" "url": "https://woof.rip/florp/branding.git"
}, },
@ -483,11 +483,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730302582, "lastModified": 1730814269,
"narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=", "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf", "rev": "d70155fdc00df4628446352fc58adc640cd705c2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -542,11 +542,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730633670, "lastModified": 1730837930,
"narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=", "narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661", "rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -593,16 +593,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1729544999, "lastModified": 1729958008,
"narHash": "sha256-YcyJLvTmN6uLEBGCvYoMLwsinblXMkoYkNLEO4WnKus=", "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
"owner": "NuschtOS", "owner": "NuschtOS",
"repo": "ixx", "repo": "ixx",
"rev": "65c207c92befec93e22086da9456d3906a4e999c", "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NuschtOS", "owner": "NuschtOS",
"ref": "v0.0.5", "ref": "v0.0.6",
"repo": "ixx", "repo": "ixx",
"type": "github" "type": "github"
} }
@ -693,11 +693,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730448474, "lastModified": 1730779758,
"narHash": "sha256-qE/cYKBhzxHMtKtLK3hlSR3uzO1pWPGLrBuQK7r0CHc=", "narHash": "sha256-5WI9AnsBwhLzVRnQm3Qn9oAbROnuLDQTpaXeyZCK8qw=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "683d0c4cd1102dcccfa3f835565378c7f3cbe05e", "rev": "0e3f3f017c14467085f15d42343a3aaaacd89bcb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -795,11 +795,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1730537918, "lastModified": 1730919458,
"narHash": "sha256-GJB1/aaTnAtt9sso/EQ77TAGJ/rt6uvlP0RqZFnWue8=", "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "f6e0cd5c47d150c4718199084e5764f968f1b560", "rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -926,11 +926,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1730531603, "lastModified": 1730785428,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -957,11 +957,11 @@
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1730569492, "lastModified": 1731009822,
"narHash": "sha256-NByr7l7JetL9kIrdCOcRqBu+lAkruYXETp1DMiDHNQs=", "narHash": "sha256-VwGfFYHjizs7yQwh8JRlDUVkHLPc34jdqkQ2vyv6ddY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "6f210158b03b01a1fd44bf3968165e6da80635ce", "rev": "aabbd60633947baba11db44df84f402edc241440",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -980,11 +980,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730515563, "lastModified": 1730760712,
"narHash": "sha256-8lklUZRV7nwkPLF3roxzi4C2oyLydDXyAzAnDvjkOms=", "narHash": "sha256-F4H98tjNgySlSLItuOqHYo9LF85rFoS/Vr0uOrq7BM4=",
"owner": "NuschtOS", "owner": "NuschtOS",
"repo": "search", "repo": "search",
"rev": "9e22bd742480916ff5d0ab20ca2522eaa3fa061e", "rev": "aa5214c81b904a19f7a54f7a8f288f7902586eee",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1038,11 +1038,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1730605784, "lastModified": 1731008979,
"narHash": "sha256-1NveNAMLHbxOg0BpBMSVuZ2yW2PpDnZLbZ25wV50PMc=", "narHash": "sha256-yN1NxvmqV8UltLkqYBWTeZNgpD/eyh/7LM58caHiEfE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e9b5eef9b51cdf966c76143e13a9476725b2f760", "rev": "fe63071416471abdab06caa234122932a7c4b980",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1072,11 +1072,11 @@
"tinted-tmux": "tinted-tmux" "tinted-tmux": "tinted-tmux"
}, },
"locked": { "locked": {
"lastModified": 1729963473, "lastModified": 1731002033,
"narHash": "sha256-uGjTjvvlGQfQ0yypVP+at0NizI2nrb6kz4wGAqzRGbY=", "narHash": "sha256-uGjTjvvlGQfQ0yypVP+at0NizI2nrb6kz4wGAqzRGbY=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "04afcfc0684d9bbb24bb1dc77afda7c1843ec93b", "rev": "f71c2effed1ce4f9fbeefe402e4e431428ffe93a",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -3,11 +3,11 @@
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1'; add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always; add_header Referrer-Policy "same-origin" always;
''; '';
createHost = vhostName: vhostCfg: { createHost = vhostName: vhostCfg: {
extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig); extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
@ -42,9 +42,13 @@ in {
builtins.mapAttrs (createHost) cfg.virtualHosts) // builtins.mapAttrs (createHost) cfg.virtualHosts) //
lib.optionalAttrs (cfg.defaultForbidden != null) { lib.optionalAttrs (cfg.defaultForbidden != null) {
"redirect" = { "redirect" = {
quic = true;
http3 = true;
# reuseport has to be specified on the quic listener
# when using worker_processes auto;
reuseport = true;
default = true; default = true;
forceSSL = true; forceSSL = true;
reuseport = true;
useACMEHost = cfg.defaultForbidden; useACMEHost = cfg.defaultForbidden;
extraConfig = '' extraConfig = ''
return 403; return 403;

View file

@ -23,6 +23,16 @@ in {
# Build scripts assume to be used within a Git repository checkout # Build scripts assume to be used within a Git repository checkout
substituteInPlace src/modules/instance.js \ substituteInPlace src/modules/instance.js \
--replace-fail "widenTimeline: true" 'widenTimeline: "50%"' --replace-fail "widenTimeline: true" 'widenTimeline: "50%"'
substituteInPlace src/modules/config.js \
--replace-fail "streaming: false" "streaming: true" \
--replace-fail "useStreamingApi: false" "useStreamingApi: true" \
--replace-fail "webPushNotifications: false" "webPushNotifications: true"
substituteInPlace src/i18n/en.json \
--replace-fail "meow" "florp" \
--replace-fail "Meow" "Florp"
sed -E -i '/^let commitHash =/,/;$/clet commitHash = "${builtins.substring 0 7 src.rev}";' \ sed -E -i '/^let commitHash =/,/;$/clet commitHash = "${builtins.substring 0 7 src.rev}";' \
build/webpack.prod.conf.js build/webpack.prod.conf.js
''; '';

View file

@ -6,5 +6,9 @@ final: prev: {
librespeed-rust = final.callPackage ./librespeed-rust/default.nix {}; librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
librespeed-go = final.callPackage ./librespeed-go/default.nix {}; librespeed-go = final.callPackage ./librespeed-go/default.nix {};
akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {}; akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
nginxQuic = prev.nginxQuic.override { withSlice = true; }; nginxQuic = prev.nginxQuic.override {
withSlice = true;
# Use zlib because zlib-ng uses larger buffers then nginx preallocates.
zlib = final.zlib;
};
} }

View file

@ -6,6 +6,7 @@ BRANCH="update-inputs-$(date +%Y-%m-%d-%H-%M)"
HYDRA_URL="https://hydra.kyouma.net" HYDRA_URL="https://hydra.kyouma.net"
JOBSET_URL="${HYDRA_URL}/jobset/nixfiles/update-inputs" JOBSET_URL="${HYDRA_URL}/jobset/nixfiles/update-inputs"
ROOT="$(mktemp -d)" ROOT="$(mktemp -d)"
START_TIME="$(date +%s)"
gitin () { gitin () {
git -C "${ROOT}/nixfiles" "$@" git -C "${ROOT}/nixfiles" "$@"
@ -21,20 +22,31 @@ merge_theirs () {
} }
test_build () { test_build () {
local last_error
local build_jobs local build_jobs
build_jobs="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r ".builds | .[]")" build_jobs="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r ".builds | .[]")"
for build in ${build_jobs}; do for build in ${build_jobs}; do
local build_status local build_status
while true; do while true; do
local build_finished local build_finished
build_finished="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".finished")" build_finished="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".finished")"
[[ ${build_finished} == 1 ]] && break [[ ${build_finished} == 1 ]] && break
sleep 5 sleep 5
done done
build_status="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".buildstatus")" build_status="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".buildstatus")"
[[ $build_status != 0 ]] && echo "Build ${build} failed" && exit 1 [[ $build_status != 0 ]] &&
echo "Build ${build} failed" &&
exit 1
echo "Build ${build} was successful" echo "Build ${build} was successful"
done done
last_error="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}" | jq -r ".errortime")"
[[ $last_error -gt $START_TIME ]] &&
echo "Evaluation error encountered at $(date +%Y-%m-%d-%H:%M:%S --date="@${last_error}")" &&
exit 1
} }
wait_for_hydra () { wait_for_hydra () {
@ -42,9 +54,9 @@ wait_for_hydra () {
local hydra_rev local hydra_rev
local counter local counter
counter=0 counter=0
git_rev="$(git -C "${ROOT}/nixfiles" rev-parse update-inputs)" git_rev="$(git -C "${1}/nixfiles" rev-parse update-inputs)"
while true; do while true; do
hydra_rev="$(curl -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r .flake | sed -E "s/.+&rev=(.*)/\1/g")" hydra_rev="$(curl -s -L -H "Accept: application/json" "${2}/latest-eval" | jq -r .flake | sed -E "s/.+&rev=(.*)/\1/g")"
if [[ "${git_rev}" == "${hydra_rev}" ]]; then if [[ "${git_rev}" == "${hydra_rev}" ]]; then
echo "Hydra got new commit" echo "Hydra got new commit"
break break
@ -87,7 +99,7 @@ gitin push origin update-inputs
echo "Waiting for hydra to get new commit" echo "Waiting for hydra to get new commit"
export -f wait_for_hydra export -f wait_for_hydra
timeout 4h bash -c wait_for_hydra timeout 4h bash -c "wait_for_hydra ${ROOT} ${JOBSET_URL}"
echo "Testing if all build jobs completed successfully" echo "Testing if all build jobs completed successfully"
test_build test_build

View file

@ -8,27 +8,27 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd - recipient: age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTi9Ha0tQRGE2L3BzclpW YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NGRYOHFVSXBNdjlpVDhF
NnduRVVRUnhkV1pEOXllZTA0bnN0NENESlM4Ck9jSTcxcjJIdThvUk9IM1FCOGNv V0g2ZkRiZnR6UElvWEZKUWxHSjZySlJadHlvCmpBdzBPRklkOVltZWwzNlNrc0pC
V1FNV2ZHbHlTaWNBL0VvSGxhSzlWSDgKLS0tIEFoWEozY0VSWVA0cVp5dkI4NHNH bG9kU3phNmFKNGkwek94Y2hZcjZCNW8KLS0tIFFqM0VTQXRuODAva0Rkc2xvWFB4
RVQ3aDd0c1RDNWd2eGxiNURGRXVXS2sKTT4LpWSIb9hjrcdUWOhieUeUHop0pwoA VTQ3RExKY093VG8vOThCczRzY2tpY2cKJOv0yVl9Zody0mjtytyjCXpe5V3NsReA
OfOv3y3dp7tYc5HRREN5jkVx29jb2lrml0ycu9ek58S8+bolfzN8yQ== /Dqr6V9Hjuf3u0fjMHAjE6hDPGVH5t5NYLkNDeaGHNTaAd5dnhfprg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-31T16:57:58Z" lastmodified: "2024-10-31T16:57:58Z"
mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str] mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str]
pgp: pgp:
- created_at: "2024-10-31T16:40:38Z" - created_at: "2024-11-04T20:52:58Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4D1GtNSlou/HkSAQdAmS/QDuU40+HtiMoCa9byz80b6lGMd6cvqxYShifFxUgw hF4D1GtNSlou/HkSAQdApk/nEYcccQBCzFwC+hZbMio0s37LJuK6ceSLW786Sjsw
Bn34D6HB6z3nQxWanlOCkA2ud8GBUhEFlLjsQf29apfWuWxKpNv37Olou1/vGvNm 90ggzfOg63e92cyqYxvbKqtCgVHHU/9RmKdsSZM+rFcR3XpzWw0ke10WjZNW0lU5
0l4BIzFesU+aoIUi+Fp0GbJ1+ObzRvGZq1IULChsDgbbvDnHah7yvN5wKYwj6x7f 0l4BuP1sPvP7Z+kxWlITnYl4SPKxVhSmYtAdGbceiGUo36jtpi9vkziuPmyrGttM
ZhPpm40+FLea1najiN6igUD6oUy8TSYnCgPODef4FeI0ZwFqF5MaucY8CNuWsugS t1PNZ9gjGVyNw96rRg9bgXCSvJo2FfMx8GeArj1yuO3+bkkbDm7mFrbF6fMQN3JE
=1vZk =Q9iO
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5 fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted