├── .envrc ├── .github └── dependabot.yml ├── .gitignore ├── catalog ├── part.nix └── target.nix ├── cluster ├── catalog │ ├── default.nix │ ├── secrets.nix │ └── services.nix ├── default.nix ├── import-services.nix ├── lib │ ├── inject-nixos-config.nix │ ├── lib.nix │ ├── mesh.nix │ ├── port-magic-multi.nix │ ├── secrets.nix │ ├── service-module.nix │ ├── services.nix │ ├── services │ │ └── secrets.nix │ ├── testing.nix │ └── vars │ │ └── default.nix ├── part.nix ├── secrets │ ├── attic-serverToken.age │ ├── cachix-deploy-agent-token-VEGAS.age │ ├── cachix-deploy-agent-token-checkmate.age │ ├── cachix-deploy-agent-token-grail.age │ ├── cachix-deploy-agent-token-prophet.age │ ├── cachix-deploy-agent-token-thunderskin.age │ ├── forge-oidcSecret.age │ ├── hercules-ci-multi-agent-cacheSigningKey.age │ ├── hercules-ci-multi-agent-clusterJoinToken-hyprspace-VEGAS.age │ ├── hercules-ci-multi-agent-clusterJoinToken-hyprspace-prophet.age │ ├── hercules-ci-multi-agent-clusterJoinToken-max-VEGAS.age │ ├── hercules-ci-multi-agent-clusterJoinToken-max-prophet.age │ ├── hercules-ci-multi-agent-clusterJoinToken-nixpak-VEGAS.age │ ├── hercules-ci-multi-agent-clusterJoinToken-nixpak-prophet.age │ ├── hercules-ci-multi-agent-clusterJoinToken-private-void-VEGAS.age │ ├── hercules-ci-multi-agent-clusterJoinToken-private-void-prophet.age │ ├── hercules-ci-multi-agent-effectsSecrets.age │ ├── idm-serviceAccountCredentials-VEGAS.age │ ├── idm-serviceAccountCredentials-checkmate.age │ ├── idm-serviceAccountCredentials-grail.age │ ├── idm-serviceAccountCredentials-prophet.age │ ├── idm-serviceAccountCredentials-soda.age │ ├── idm-serviceAccountCredentials-thunderskin.age │ ├── ipfs-clusterSecret.age │ ├── ipfs-pinningServiceCredentials.age │ ├── irc-peerKey.age │ ├── matrix-coturnStaticAuth.age │ ├── matrix-dbConfig.age │ ├── matrix-discordBridgeToken.age │ ├── matrix-keysConfig.age │ ├── matrix-ldapConfig.age │ ├── matrix-turnConfig.age │ ├── patroni-PATRONI_REPLICATION_PASSWORD.age │ 
├── patroni-PATRONI_REWIND_PASSWORD.age │ ├── patroni-PATRONI_SUPERUSER_PASSWORD.age │ ├── patroni-metricsCredentials.age │ ├── search-default.age │ ├── wireguard-meshPrivateKey-VEGAS.age │ ├── wireguard-meshPrivateKey-checkmate.age │ ├── wireguard-meshPrivateKey-grail.age │ ├── wireguard-meshPrivateKey-prophet.age │ └── wireguard-meshPrivateKey-thunderskin.age ├── services │ ├── .keep │ ├── acme-client │ │ ├── augment.nix │ │ ├── client.nix │ │ └── default.nix │ ├── attic │ │ ├── attic-cache-client.nix │ │ ├── binary-cache.nix │ │ ├── builder-cache-client.nix │ │ ├── default.nix │ │ ├── nar-serve.nix │ │ ├── options.nix │ │ ├── s3-cache-client.nix │ │ ├── server.nix │ │ └── token-provider.nix │ ├── bitwarden │ │ ├── default.nix │ │ └── host.nix │ ├── cachix-deploy-agent │ │ ├── agent.nix │ │ └── default.nix │ ├── cdn-shield │ │ └── default.nix │ ├── certificates │ │ ├── default.nix │ │ └── internal-wildcard.nix │ ├── chant │ │ ├── default.nix │ │ └── listener.nix │ ├── consul │ │ ├── agent.nix │ │ ├── default.nix │ │ ├── ready.nix │ │ ├── remote-api.nix │ │ └── test.nix │ ├── content-delivery │ │ └── default.nix │ ├── dns │ │ ├── acme-dns-direct-key.age │ │ ├── authoritative.nix │ │ ├── client.nix │ │ ├── coredns.nix │ │ ├── default.nix │ │ ├── nodes.nix │ │ ├── ns-records.nix │ │ ├── options.nix │ │ └── test.nix │ ├── fbi │ │ ├── default.nix │ │ └── host.nix │ ├── flake-reegistry │ │ ├── default.nix │ │ └── extra-flakes.nix │ ├── forge │ │ ├── default.nix │ │ └── server.nix │ ├── geoblock │ │ ├── default.nix │ │ ├── incoming.nix │ │ └── ranges │ │ │ └── v4 │ │ │ ├── as132203.json │ │ │ ├── as136907.json │ │ │ └── as45102.json │ ├── hercules-ci-multi-agent │ │ ├── attic-uploader.nix │ │ ├── builder-cache.nix │ │ ├── common.nix │ │ ├── default.nix │ │ └── modules │ │ │ └── multi-agent-refactored │ │ │ ├── default.nix │ │ │ ├── options.nix │ │ │ └── settings.nix │ ├── idm │ │ ├── client.nix │ │ ├── common.nix │ │ ├── default.nix │ │ ├── modules │ │ │ ├── 
idm-nss-ready.nix │ │ │ └── idm-tmpfiles.nix │ │ ├── policies │ │ │ ├── infra-admins.nix │ │ │ └── soda.nix │ │ └── server.nix │ ├── incandescence │ │ ├── default.nix │ │ ├── options.nix │ │ ├── provider-options.nix │ │ ├── provider.nix │ │ └── simulacrum │ │ │ ├── test-data.nix │ │ │ └── test.nix │ ├── ipfs │ │ ├── cluster.nix │ │ ├── default.nix │ │ ├── gateway.nix │ │ ├── io-tweaks.nix │ │ ├── monitoring.nix │ │ ├── node.nix │ │ └── remote-api.nix │ ├── irc │ │ ├── default.nix │ │ └── irc-host.nix │ ├── locksmith │ │ ├── default.nix │ │ ├── provider.nix │ │ └── receiver.nix │ ├── mail │ │ ├── certificate.nix │ │ ├── default.nix │ │ ├── generic-aliases │ │ ├── imap.nix │ │ ├── known-spam-domains │ │ ├── opendkim.nix │ │ ├── postfix.nix │ │ ├── sieve │ │ │ └── plus.sieve │ │ └── virtual-mail-domain-aliases │ ├── matrix │ │ ├── bridges │ │ │ └── discord.nix │ │ ├── coturn.nix │ │ ├── default.nix │ │ ├── federation.nix │ │ ├── homeserver.nix │ │ └── web-client.nix │ ├── meet │ │ ├── default.nix │ │ └── host.nix │ ├── monitoring │ │ ├── blackbox.nix │ │ ├── client.nix │ │ ├── default.nix │ │ ├── grafana-ha.nix │ │ ├── logging.nix │ │ ├── options.nix │ │ ├── provisioning │ │ │ ├── dashboards.nix │ │ │ └── objects │ │ │ │ └── dashboards │ │ │ │ ├── dashboard-DoU6WSXnk.json │ │ │ │ ├── dashboard-U3kpOSX7z.json │ │ │ │ ├── dashboard-c627e433-7959-4653-8f1a-1e54c7e9d474.json │ │ │ │ ├── dashboard-d3895570-2181-4d40-ad4a-1e3b3516ee87.json │ │ │ │ ├── dashboard-dc7545ef-3180-4a5e-a289-1e64571ebb87.json │ │ │ │ └── dashboard-wX13E8RGz.json │ │ ├── secrets │ │ │ ├── grafana-db-credentials.age │ │ │ ├── grafana-secrets.age │ │ │ └── secret-monitoring │ │ │ │ └── blackbox.age │ │ ├── server.nix │ │ └── tracing.nix │ ├── n8n │ │ └── default.nix │ ├── nextcloud │ │ ├── default.nix │ │ └── host.nix │ ├── nginx │ │ ├── default.nix │ │ ├── drop-bots.nix │ │ └── nginx.nix │ ├── patroni │ │ ├── create-databases.nix │ │ ├── default.nix │ │ ├── haproxy.nix │ │ ├── incandescence.nix │ │ 
├── metrics.nix │ │ ├── options.nix │ │ ├── simulacrum │ │ │ ├── test-data.nix │ │ │ └── test.nix │ │ └── worker.nix │ ├── reflex │ │ ├── default.nix │ │ └── host.nix │ ├── search │ │ ├── default.nix │ │ └── host.nix │ ├── soda │ │ ├── default.nix │ │ └── host.nix │ ├── sso │ │ ├── default.nix │ │ ├── host.nix │ │ └── oauth2-proxy.nix │ ├── storage │ │ ├── default.nix │ │ ├── external.nix │ │ ├── garage-external.nix │ │ ├── garage-gateway.nix │ │ ├── garage-internal.nix │ │ ├── garage-layout.nix │ │ ├── garage-metrics.nix │ │ ├── garage-options.nix │ │ ├── garage.nix │ │ ├── heresy.nix │ │ ├── incandescence.nix │ │ ├── internal.nix │ │ ├── options.nix │ │ ├── s3ql-upgrades.nix │ │ ├── secrets │ │ │ ├── garage-rpc-secret.age │ │ │ ├── heresy-encryption-key.age │ │ │ └── storage-box-credentials.age │ │ └── simulacrum │ │ │ ├── snakeoil-heresy-passphrase.nix │ │ │ ├── snakeoil-rpc-secret.nix │ │ │ ├── test-data.nix │ │ │ └── test.nix │ ├── tor │ │ ├── client.nix │ │ └── default.nix │ ├── warehouse │ │ ├── default.nix │ │ └── host.nix │ ├── ways │ │ ├── default.nix │ │ ├── host.nix │ │ ├── options │ │ │ ├── default.nix │ │ │ └── way.nix │ │ └── simulacrum │ │ │ ├── test-data.nix │ │ │ └── test.nix │ ├── websites │ │ ├── default.nix │ │ └── websites.nix │ └── wireguard │ │ ├── default.nix │ │ ├── mesh.nix │ │ ├── simulacrum │ │ ├── keys │ │ │ ├── snakeoilPrivateKey-VEGAS │ │ │ ├── snakeoilPrivateKey-checkmate │ │ │ ├── snakeoilPrivateKey-grail │ │ │ ├── snakeoilPrivateKey-prophet │ │ │ └── snakeoilPrivateKey-thunderskin │ │ └── snakeoil-keys.nix │ │ ├── storm.nix │ │ └── test.nix └── simulacrum │ ├── checks.nix │ ├── default.nix │ └── nowhere │ ├── default.nix │ └── options.nix ├── flake.lock ├── flake.nix ├── hosts ├── VEGAS │ ├── default.nix │ ├── hardware-configuration.nix │ ├── modules │ │ ├── redis │ │ │ └── default.nix │ │ └── virtualisation │ │ │ └── default.nix │ ├── services │ │ ├── backbone-routing │ │ │ └── default.nix │ │ ├── cdn-shield │ │ │ ├── default.nix 
│ │ │ └── shields.nix │ │ ├── jokes │ │ │ └── default.nix │ │ ├── minecraft │ │ │ └── default.nix │ │ └── websites │ │ │ ├── default.nix │ │ │ └── websites.nix │ └── system.nix ├── checkmate │ ├── default.nix │ ├── hardware-configuration.nix │ └── system.nix ├── deploy.nix ├── grail │ ├── default.nix │ ├── hardware-configuration.nix │ └── system.nix ├── nixos.nix ├── options │ ├── default.nix │ └── hour │ │ ├── enterprise.nix │ │ ├── hardware.nix │ │ ├── hyprspace.nix │ │ ├── interfaces.nix │ │ ├── nixos.nix │ │ └── ssh.nix ├── part.nix ├── prophet │ ├── default.nix │ ├── hardware-configuration.nix │ └── system.nix ├── soda │ ├── data │ │ ├── ascii │ │ │ ├── adh │ │ │ ├── balls │ │ │ ├── blog │ │ │ ├── bope │ │ │ ├── camel │ │ │ ├── chokey │ │ │ ├── csua01 │ │ │ ├── csua02 │ │ │ ├── csua03 │ │ │ ├── csua04 │ │ │ ├── csua05 │ │ │ ├── csua06 │ │ │ ├── csua07 │ │ │ ├── csua08 │ │ │ ├── csua09 │ │ │ ├── csua10 │ │ │ ├── csua11 │ │ │ ├── csua12 │ │ │ ├── csua13 │ │ │ ├── dotted │ │ │ ├── goatsex │ │ │ ├── hole │ │ │ ├── hungry │ │ │ ├── peacepipe │ │ │ ├── scativist │ │ │ ├── sins │ │ │ ├── stall │ │ │ ├── thirsty │ │ │ ├── trolledo │ │ │ ├── unix │ │ │ ├── urinal │ │ │ ├── wipe │ │ │ ├── wwud │ │ │ └── yank │ │ └── default.nix │ ├── default.nix │ ├── shell-profile │ │ ├── default.nix │ │ ├── insults.sh │ │ ├── motd.sh │ │ └── soda-prompt.sh │ ├── soda.nix │ └── system.nix ├── thunderskin │ ├── default.nix │ ├── hardware-configuration.nix │ └── system.nix └── tools.nix ├── jobs ├── part.nix └── update-flake-lock │ └── default.nix ├── lib ├── catalog.nix ├── hours.nix ├── identity.nix ├── meta.nix ├── nginx.nix ├── part.nix └── time-travel.nix ├── modules ├── ascensions │ └── default.nix ├── consul-distributed-services │ └── default.nix ├── consul-service-registry │ └── default.nix ├── effect-receiver │ └── default.nix ├── enterprise │ └── default.nix ├── external-storage │ ├── default.nix │ ├── filesystem-type.nix │ ├── strict-mounts.nix │ └── underlay-type.nix ├── 
fail2ban │ ├── default.nix │ └── xdp.nix ├── hardened │ └── default.nix ├── hyprspace │ └── default.nix ├── ipfs-cluster │ └── default.nix ├── ipfs │ └── default.nix ├── maintenance │ └── default.nix ├── minimal │ └── default.nix ├── motd │ ├── default.nix │ └── motd.txt ├── networking │ └── default.nix ├── nix-builder │ └── default.nix ├── nix-config │ └── server.nix ├── nix-register-flakes │ └── default.nix ├── nixpkgs-config │ └── default.nix ├── part.nix ├── patroni │ └── default.nix ├── port-magic │ ├── default.nix │ └── link.nix ├── reflection │ └── default.nix ├── shell-config │ └── default.nix ├── ssh │ └── default.nix ├── system-recovery │ └── default.nix ├── systemd-extras │ ├── chant.nix │ ├── default.nix │ ├── distributed.nix │ └── strict-mounts.nix └── tested │ └── default.nix ├── packages ├── build-support │ ├── activate-shell │ ├── default.nix │ ├── drv-parts │ │ ├── backends │ │ │ ├── buildPythonPackage │ │ │ │ ├── default.nix │ │ │ │ ├── implementation.nix │ │ │ │ └── interface.nix │ │ │ ├── default.nix │ │ │ └── options.nix │ │ ├── default.nix │ │ └── dependency-sets │ │ │ └── default.nix │ ├── fetch-asset │ │ └── default.nix │ ├── hydrate-asset-directory │ │ └── default.nix │ └── options.nix ├── catalog │ ├── checks.nix │ ├── default.nix │ └── packages.nix ├── checks │ ├── ascensions.nix │ ├── default.nix │ ├── ipfs-cluster-upgrade.nix │ ├── jellyfin-stateless.nix │ ├── keycloak-custom-jre.nix │ ├── modules │ │ ├── consul.nix │ │ └── nixos │ │ │ ├── age-dummy-secrets │ │ │ ├── default.nix │ │ │ └── options.nix │ │ │ └── external-storage.nix │ ├── s3ql-upgrade.nix │ ├── searxng.nix │ └── snakeoil │ │ └── ssh │ │ ├── snakeoil-key │ │ └── snakeoil-key.pub ├── data │ └── stevenblack │ │ └── default.nix ├── dream2nix-overrides │ └── nodejs │ │ └── default.nix ├── lib │ └── tools.nix ├── modules │ └── devshell.nix ├── monitoring │ └── opentelemetry-java-agent-bin │ │ └── default.nix ├── networking │ └── ipfs │ │ ├── default.nix │ │ ├── 
ipfs-allow-publish-with-ipns-mounted.patch │ │ └── ipfs-fuse-nuke-getxattr.patch ├── part.nix ├── patched-derivations.nix ├── patched-inputs.nix ├── projects.nix ├── projects │ └── openbao │ │ └── default.nix ├── servers │ ├── consul │ │ └── default.nix │ ├── out-of-your-element │ │ └── default.nix │ ├── reflex-cache │ │ ├── .envrc │ │ ├── .gitignore │ │ ├── project.nix │ │ ├── pyproject.toml │ │ └── reflex_cache │ │ │ ├── db.py │ │ │ ├── ipfs.py │ │ │ ├── main.py │ │ │ ├── nix_cache.py │ │ │ ├── service_handler.py │ │ │ └── util.py │ └── sonarr │ │ └── deps.json ├── shadows.nix ├── sources │ ├── default.nix │ └── sources.json ├── system-filter.nix ├── tools │ ├── graf │ │ ├── default.nix │ │ └── graf.sh │ ├── npins │ │ ├── default.nix │ │ ├── source.nix │ │ └── sources.json │ ├── pin │ │ ├── default.nix │ │ └── pin.sh │ └── void │ │ └── default.nix ├── web-apps │ ├── cinny │ │ └── default.nix │ ├── excalidraw │ │ └── default.nix │ └── searxng │ │ ├── default.nix │ │ └── deps │ │ └── chompjs.nix └── websites │ ├── landing │ ├── .envrc │ ├── .gitignore │ ├── archetypes │ │ └── default.md │ ├── layouts │ │ └── _default │ │ │ ├── error-page-404.html │ │ │ ├── error-page-500.html │ │ │ ├── error-page-502.html │ │ │ ├── error-page-504.html │ │ │ └── index.html │ ├── project.nix │ └── static │ │ ├── css │ │ ├── .gitignore │ │ ├── custom.css │ │ ├── fonts.css │ │ ├── plugins.css.dvc │ │ ├── rtl.css.dvc │ │ ├── style.css.dvc │ │ └── theme.css.dvc │ │ ├── images │ │ ├── .gitignore │ │ ├── austrian-alps.jpg.dvc │ │ ├── clients │ │ │ ├── .gitignore │ │ │ ├── 1.png.dvc │ │ │ ├── 10.png.dvc │ │ │ ├── 11.png.dvc │ │ │ ├── 2.png.dvc │ │ │ ├── 3.png.dvc │ │ │ ├── 4.png.dvc │ │ │ ├── 5.png.dvc │ │ │ ├── 6.png.dvc │ │ │ ├── 7.png.dvc │ │ │ ├── 8.png.dvc │ │ │ └── 9.png.dvc │ │ ├── favicon.png.dvc │ │ ├── parallax │ │ │ ├── .gitignore │ │ │ ├── 29.jpg.dvc │ │ │ ├── 7.jpg.dvc │ │ │ └── _5.jpg.dvc │ │ ├── slider │ │ │ ├── .gitignore │ │ │ └── finland.jpeg.dvc │ │ └── team │ │ │ ├── 
.gitignore │ │ │ ├── alex.jpg.dvc │ │ │ └── max.jpg.dvc │ │ ├── js │ │ ├── .gitignore │ │ ├── custom.js │ │ ├── functions.js.dvc │ │ ├── hesoyam.min.js.dvc │ │ ├── jquery.js.dvc │ │ └── plugins.js.dvc │ │ └── webfonts │ │ ├── .gitignore │ │ ├── fa-brands-400.eot.dvc │ │ ├── fa-brands-400.svg.dvc │ │ ├── fa-brands-400.ttf.dvc │ │ ├── fa-brands-400.woff.dvc │ │ ├── fa-brands-400.woff2.dvc │ │ ├── fa-regular-400.eot.dvc │ │ ├── fa-regular-400.svg.dvc │ │ ├── fa-regular-400.ttf.dvc │ │ ├── fa-regular-400.woff.dvc │ │ ├── fa-regular-400.woff2.dvc │ │ ├── fa-solid-900.eot.dvc │ │ ├── fa-solid-900.svg.dvc │ │ ├── fa-solid-900.ttf.dvc │ │ ├── fa-solid-900.woff.dvc │ │ ├── fa-solid-900.woff2.dvc │ │ ├── inspiro-icons.svg.dvc │ │ ├── inspiro-icons.ttf.dvc │ │ └── inspiro-icons.woff.dvc │ └── stop-using-nix-env │ ├── project.nix │ └── src │ └── index.html ├── patches └── base │ ├── acme-dns │ ├── direct.patch │ └── do-not-lowercase-records.patch │ ├── cachix │ └── deploy-agent-dont-switch-for-kernel-upgrades.patch │ ├── forgejo │ └── oauth2-secret-from-env.patch │ ├── garage │ ├── fix-secrets-695.patch │ └── print-chill-pills.patch │ ├── kanidm │ ├── 389ds-pbkdf2_sha256.patch │ └── unixd-authenticated.patch │ ├── prometheus-jitsi-exporter │ └── reduce-log-noise.patch │ └── s3ql │ └── metadata-accurate-length.patch ├── secrets.nix ├── secrets ├── dovecot-ldap-token.age ├── hyprspace-key-VEGAS.age ├── hyprspace-key-checkmate.age ├── hyprspace-key-grail.age ├── hyprspace-key-prophet.age ├── hyprspace-key-thunderskin.age ├── nextcloud-adminpass.age ├── nextcloud-dbpass.age ├── oauth2_proxy-secrets.age ├── postfix-ldap-mailboxes.age └── wireguard-key-storm-VEGAS.age └── users └── max └── userinfo.nix /.envrc: -------------------------------------------------------------------------------- 1 | DEVSHELL_ATTR=default 2 | source ./packages/build-support/activate-shell 3 | -------------------------------------------------------------------------------- /.github/dependabot.yml: 
--------------------------------------------------------------------------------
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
#
# NOTE(review): this is the only Dependabot-covered manifest in the repo. Nix
# flake inputs (flake.lock) are not a Dependabot ecosystem; the tree carries a
# separate jobs/update-flake-lock for those. Other pinned dependency files
# visible in the tree (packages/dream2nix-overrides/nodejs,
# packages/servers/sonarr/deps.json, packages/sources/sources.json) are not
# watched by this config -- confirm they are refreshed by some other job.

version: 2
updates:
  - package-ecosystem: "pip" # See documentation for possible values
    directory: "/packages/servers/reflex-cache" # Location of package manifests
    schedule:
      interval: "weekly"
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Build outputs, direnv state and local caches; nothing here should be
# committed. (.data/ and .cache/ contents are not visible from this file --
# presumably local service state / fetch caches.)
/wip
result
result-*
**/.direnv/
.data/
.cache/
.nixos-test-history
--------------------------------------------------------------------------------
/catalog/part.nix:
--------------------------------------------------------------------------------
# flake-parts module declaring the per-system `catalog` option: a three-level
# attrset whose leaves are catalog targets (see ./target.nix). What each of
# the three levels keys on is not visible here; cluster/catalog/{services,secrets}.nix
# are the populating modules -- check there for the key meaning.
{ lib, ... }:

{
  perSystem = {
    options.catalog = lib.mkOption {
      type = with lib.types; lazyAttrsOf (lazyAttrsOf (lazyAttrsOf (submodule ./target.nix)));
      default = {};
    };
  };
}
--------------------------------------------------------------------------------
/catalog/target.nix:
--------------------------------------------------------------------------------
# Submodule for a single catalog target: a description plus a set of named
# actions, each of which is a free-form `command` string and the packages it
# needs on PATH. `name` is the target's attribute name, injected by the
# module system.
{ lib, name, ... }:

{
  options = {
    description = lib.mkOption {
      type = lib.types.str;
      default = name;
    };

    actions = lib.mkOption {
      # The inner submodule is a plain attrset, not a function, so it does not
      # receive its own `name`: the `name` referenced below is still the
      # *target's* name. An action without an explicit description therefore
      # defaults to the target's name, not the action's -- intentional or not,
      # callers should set `description` explicitly if the distinction matters.
      type = with lib.types; lazyAttrsOf (submodule {
        options = {
          description = lib.mkOption {
            type = lib.types.str;
            default = name;
          };

          # Free-form string; how it is executed (shell? which cwd?) is decided
          # by whatever consumes the catalog, which is not visible here.
          command = lib.mkOption {
            type = lib.types.str;
          };

          packages = lib.mkOption {
            type = with lib.types; listOf package;
            default = [];
          };
        };
      });
      default = {};
    };
  };
}
--------------------------------------------------------------------------------
/cluster/catalog/default.nix:
--------------------------------------------------------------------------------
# Catalog entries contributed by the cluster: services and secrets.
{
  imports = [
    ./services.nix
    ./secrets.nix
  ];
}
--------------------------------------------------------------------------------
/cluster/default.nix:
--------------------------------------------------------------------------------
# Evaluates the cluster as its own module system (independent of NixOS).
# `depot` is passed through as a special argument so every cluster module can
# reach the repository's packages/lib; the result is what cluster/part.nix
# exposes as `config.cluster`.
{ lib, depot }:

lib.evalModules {
  specialArgs = {
    inherit depot;
  };
  modules = [
    # Arbitrary variables to reference across multiple services
    ./lib/vars

    # Cluster-level port-magic
    ../modules/port-magic

    ./lib/services.nix
    ./lib/inject-nixos-config.nix
    ./lib/port-magic-multi.nix
    ./lib/mesh.nix
    ./lib/secrets.nix
    ./lib/testing.nix
    ./lib/lib.nix

    # Must come last: pulls in every service directory under ./services.
    ./import-services.nix
  ];
}
--------------------------------------------------------------------------------
/cluster/import-services.nix:
--------------------------------------------------------------------------------
# Auto-imports every *directory* under ./services as a cluster module
# (Nix resolves `import <dir>` to <dir>/default.nix). Plain files such as
# the `.keep` marker are filtered out by the type check. Consequence worth
# keeping in mind when reviewing changes: any new directory dropped into
# cluster/services becomes part of the evaluated cluster with no explicit
# opt-in list to update.
{ lib, ... }:

let
  svcs' = builtins.readDir ./services;
  svcs = lib.filterAttrs (_: type: type == "directory") svcs';
  loadService = ent: import ./services/${ent};
in {
  imports = map loadService (builtins.attrNames svcs);
}
--------------------------------------------------------------------------------
/cluster/lib/inject-nixos-config.nix:
--------------------------------------------------------------------------------
# Declares `out`: the cluster's output hooks, an attrset of functions whose
# results are consumed elsewhere (the consumer is not in this file).
{ config, lib, ... }:
with lib;

{
  options.out = mkOption {
    description = "Output functions.";
    type = with types; lazyAttrsOf (functionTo raw);
    # NOTE(review): the default is a single function (`const []`) while the
    # declared type is an attrset *of* functions. If `out` is ever read with
    # no definitions this looks like a type mismatch -- confirm the option is
    # always defined by some module, or change the default to `{}`.
    default = const [];
  };
}
--------------------------------------------------------------------------------
/cluster/lib/lib.nix:
--------------------------------------------------------------------------------
# Cluster-level helper: `lib.forService svc` wraps definitions in a mkIf that
# is unconditionally true outside the Simulacrum and, inside it, true only
# when `svc` is listed in testConfig.activeServices (see ./testing.nix).
{ config, lib, ... }:

{
  options.lib = {
    forService = lib.mkOption {
      description = "Enable these definitions for a particular service only.";
      type = lib.types.functionTo lib.types.raw;
      readOnly = true;
      # `lib.any (s: s == service)` is a hand-rolled `lib.elem service`.
      default = service: lib.mkIf (!config.simulacrum || lib.any (s: s == service) config.testConfig.activeServices);
    };
  };
}
--------------------------------------------------------------------------------
/cluster/lib/mesh.nix:
--------------------------------------------------------------------------------
# Derives per-host port-magic links (`hostLinks`, declared in
# ./port-magic-multi.nix) from each service's `meshLinks`: for every node
# group of a service that declares mesh links, every host in that group gets
# each link, importing the link's own definition and pinning its IPv4 to the
# host's mesh address from `vars.mesh.<host>.meshIp`.
{ config, lib, ... }:

{
  hostLinks = lib.pipe config.services [
    (lib.filterAttrs (_: svc: svc.meshLinks != {}))
    # svcName is unused; kept for readability of the mapAttrsToList shape.
    (lib.mapAttrsToList (svcName: svc:
      lib.mapAttrsToList (groupName: links:
        lib.genAttrs svc.nodes.${groupName} (hostName: lib.mapAttrs (_: cfg: { ... }: {
          imports = [ cfg.link ];
          # `vars` is untyped (types.attrs), so a host without a mesh entry
          # only fails here, at evaluation of that host's link.
          ipv4 = config.vars.mesh.${hostName}.meshIp;
        }) links)
      ) svc.meshLinks
    ))
    # One mkMerge per service (list of per-group attrsets), then one across
    # services, so several services may contribute links to the same host.
    (map lib.mkMerge)
    lib.mkMerge
  ];
}
--------------------------------------------------------------------------------
/cluster/lib/port-magic-multi.nix:
--------------------------------------------------------------------------------
# Declares `hostLinks`: host name -> link name -> port-magic link submodule
# (the submodule itself lives in modules/port-magic/link.nix).
{ config, lib, ... }:

with lib;

{
  options.hostLinks = mkOption {
    type = types.attrsOf (types.attrsOf (types.submodule ../../modules/port-magic/link.nix));
    description = "Port Magic links, per host.";
    default = {};
  };
}
--------------------------------------------------------------------------------
/cluster/lib/secrets.nix:
--------------------------------------------------------------------------------
# Recipient keys added to *every* cluster secret.
#
# Security note: each key listed here can decrypt every .age file in the
# cluster, so the matching private keys (per their comments, two personal
# workstation keys) deserve the same protection as the secrets themselves.
# Removing a key from this list does not revoke anything on its own -- the
# already-encrypted files still carry that recipient until every secret is
# re-encrypted (rekeyed) without it. Treat a change here as a rekey of the
# whole secret set, not a one-line edit.
{ lib, ... }:

{
  options.secrets = {
    extraKeys = lib.mkOption {
      type = with lib.types; listOf str;
      description = "Additional keys with which to encrypt all secrets.";
      default = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5C7mC5S2gM0K6x0L/jNwAeQYbFSzs16Q73lONUlIkL max@TITAN"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmdWfmAs/0rno8zJlhBFMY2SumnHbTNdZUXJqxgd9ON max@jericho"
      ];
    };
  };
}
--------------------------------------------------------------------------------
/cluster/lib/testing.nix:
--------------------------------------------------------------------------------
# Test-mode switches for the Simulacrum (the cluster's NixOS-test harness).
{ lib, ... }:

{
  options = {
    simulacrum = lib.mkOption {
      description = "Whether we are in the Simulacrum.";
      type = lib.types.bool;
      default = false;
    };
    # Read-only and without a default: must be supplied by whatever evaluates
    # the cluster in test mode (not in this file). ./lib.nix reads
    # `testConfig.activeServices` from it, so a Simulacrum evaluation that
    # forgets to set it fails on first use of `lib.forService`.
    testConfig = lib.mkOption {
      type = lib.types.attrs;
      readOnly = true;
    };
  };
}
--------------------------------------------------------------------------------
/cluster/lib/vars/default.nix:
--------------------------------------------------------------------------------
# Free-form shared variables, e.g. `vars.mesh.<host>.meshIp` read by
# ../mesh.nix. NOTE(review): `types.attrs` merges definitions shallowly
# (last definition of a top-level key wins) -- confirm no two modules define
# the same top-level key expecting a deep merge.
{ lib, ... }:
with lib;
{
  options.vars = mkOption {
    description = "Miscellaneous variables.";
    type = types.attrs;
    default = {};
  };
}
--------------------------------------------------------------------------------
/cluster/part.nix:
--------------------------------------------------------------------------------
# flake-parts entry point for the cluster: exposes the evaluated cluster
# module system (./default.nix) as the raw `cluster` option, plus the
# catalog entries and Simulacrum checks it contributes.
{ depot, lib, ... }:

{
  imports = [
    ./catalog
    ./simulacrum/checks.nix
  ];

  # `raw`: the evaluated module system is passed through untouched, never
  # merged or type-checked by flake-parts.
  options.cluster = lib.mkOption {
    type = lib.types.raw;
  };

  config.cluster = import ./. {
    inherit depot lib;
  };
}
--------------------------------------------------------------------------------
/cluster/secrets/attic-serverToken.age:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/attic-serverToken.age
--------------------------------------------------------------------------------
/cluster/secrets/cachix-deploy-agent-token-VEGAS.age:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/cachix-deploy-agent-token-VEGAS.age
--------------------------------------------------------------------------------
/cluster/secrets/cachix-deploy-agent-token-checkmate.age:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/cachix-deploy-agent-token-checkmate.age
--------------------------------------------------------------------------------
/cluster/secrets/cachix-deploy-agent-token-grail.age:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/cachix-deploy-agent-token-grail.age -------------------------------------------------------------------------------- /cluster/secrets/cachix-deploy-agent-token-prophet.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/cachix-deploy-agent-token-prophet.age -------------------------------------------------------------------------------- /cluster/secrets/cachix-deploy-agent-token-thunderskin.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/cachix-deploy-agent-token-thunderskin.age -------------------------------------------------------------------------------- /cluster/secrets/forge-oidcSecret.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/forge-oidcSecret.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-cacheSigningKey.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-cacheSigningKey.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-hyprspace-VEGAS.age: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-hyprspace-VEGAS.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-hyprspace-prophet.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-hyprspace-prophet.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-max-VEGAS.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-max-VEGAS.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-max-prophet.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-max-prophet.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-nixpak-VEGAS.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-nixpak-VEGAS.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-nixpak-prophet.age: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-nixpak-prophet.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-private-void-VEGAS.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-private-void-VEGAS.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-private-void-prophet.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-clusterJoinToken-private-void-prophet.age -------------------------------------------------------------------------------- /cluster/secrets/hercules-ci-multi-agent-effectsSecrets.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/hercules-ci-multi-agent-effectsSecrets.age -------------------------------------------------------------------------------- /cluster/secrets/idm-serviceAccountCredentials-VEGAS.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/idm-serviceAccountCredentials-VEGAS.age -------------------------------------------------------------------------------- /cluster/secrets/idm-serviceAccountCredentials-checkmate.age: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/idm-serviceAccountCredentials-checkmate.age -------------------------------------------------------------------------------- /cluster/secrets/idm-serviceAccountCredentials-grail.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/idm-serviceAccountCredentials-grail.age -------------------------------------------------------------------------------- /cluster/secrets/idm-serviceAccountCredentials-prophet.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/idm-serviceAccountCredentials-prophet.age -------------------------------------------------------------------------------- /cluster/secrets/idm-serviceAccountCredentials-soda.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/idm-serviceAccountCredentials-soda.age -------------------------------------------------------------------------------- /cluster/secrets/idm-serviceAccountCredentials-thunderskin.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/idm-serviceAccountCredentials-thunderskin.age -------------------------------------------------------------------------------- /cluster/secrets/ipfs-clusterSecret.age: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/ipfs-clusterSecret.age -------------------------------------------------------------------------------- /cluster/secrets/ipfs-pinningServiceCredentials.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/ipfs-pinningServiceCredentials.age -------------------------------------------------------------------------------- /cluster/secrets/irc-peerKey.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/irc-peerKey.age -------------------------------------------------------------------------------- /cluster/secrets/matrix-coturnStaticAuth.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/matrix-coturnStaticAuth.age -------------------------------------------------------------------------------- /cluster/secrets/matrix-dbConfig.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/matrix-dbConfig.age -------------------------------------------------------------------------------- /cluster/secrets/matrix-discordBridgeToken.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/matrix-discordBridgeToken.age -------------------------------------------------------------------------------- /cluster/secrets/matrix-keysConfig.age: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/matrix-keysConfig.age -------------------------------------------------------------------------------- /cluster/secrets/matrix-ldapConfig.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/matrix-ldapConfig.age -------------------------------------------------------------------------------- /cluster/secrets/matrix-turnConfig.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/matrix-turnConfig.age -------------------------------------------------------------------------------- /cluster/secrets/patroni-PATRONI_REPLICATION_PASSWORD.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/patroni-PATRONI_REPLICATION_PASSWORD.age -------------------------------------------------------------------------------- /cluster/secrets/patroni-PATRONI_REWIND_PASSWORD.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/patroni-PATRONI_REWIND_PASSWORD.age -------------------------------------------------------------------------------- /cluster/secrets/patroni-PATRONI_SUPERUSER_PASSWORD.age: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/patroni-PATRONI_SUPERUSER_PASSWORD.age -------------------------------------------------------------------------------- /cluster/secrets/patroni-metricsCredentials.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/patroni-metricsCredentials.age -------------------------------------------------------------------------------- /cluster/secrets/search-default.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/search-default.age -------------------------------------------------------------------------------- /cluster/secrets/wireguard-meshPrivateKey-VEGAS.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/wireguard-meshPrivateKey-VEGAS.age -------------------------------------------------------------------------------- /cluster/secrets/wireguard-meshPrivateKey-checkmate.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/wireguard-meshPrivateKey-checkmate.age -------------------------------------------------------------------------------- /cluster/secrets/wireguard-meshPrivateKey-grail.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/wireguard-meshPrivateKey-grail.age 
-------------------------------------------------------------------------------- /cluster/secrets/wireguard-meshPrivateKey-prophet.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/wireguard-meshPrivateKey-prophet.age -------------------------------------------------------------------------------- /cluster/secrets/wireguard-meshPrivateKey-thunderskin.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/secrets/wireguard-meshPrivateKey-thunderskin.age -------------------------------------------------------------------------------- /cluster/services/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/services/.keep -------------------------------------------------------------------------------- /cluster/services/acme-client/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | services.acme-client = { 3 | nodes.client = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ]; 4 | nixos.client = ./client.nix; 5 | simulacrum.augments = ./augment.nix; 6 | }; 7 | } 8 | -------------------------------------------------------------------------------- /cluster/services/attic/attic-cache-client.nix: -------------------------------------------------------------------------------- 1 | { depot, ... 
}:

{
  # Use the cluster's own Attic cache (cache-api.<domain>) as a substituter.
  # NOTE(review): listing a substituter does not make its paths trusted; Nix
  # still needs the cache's public key in trusted-public-keys, which is not
  # set in this module — confirm it is configured alongside.
  nix.settings.substituters = [ "https://cache-api.${depot.lib.meta.domain}/nix-store" ];
}
# ---------------- /cluster/services/attic/builder-cache-client.nix ----------------
{ cluster, config, lib, ... }:

{
  # Every *other* node that publishes a builderCache host link becomes a
  # substituter at priority 50 (lower number = preferred by Nix); the local
  # node is excluded so a builder does not substitute from itself.
  # NOTE(review): as above, trusted-public-keys for the shared cache signing
  # key is assumed to be declared elsewhere — verify.
  nix.settings.substituters = lib.pipe cluster.config.hostLinks [
    (lib.filterAttrs (name: value: value ? builderCache && name != config.networking.hostName))
    (lib.mapAttrsToList (_: value: "${value.builderCache.url}?priority=50"))
  ];
}
# ---------------- /cluster/services/attic/nar-serve.nix ----------------
{ config, depot, ... }:

let
  # Build one nar-serve systemd unit fronting the given upstream cache on the
  # given port. DynamicUser gives each instance a throwaway uid with no
  # persistent state of its own.
  mkNarServe = NAR_CACHE_URL: PORT: {
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
      ExecStart = "${depot.inputs.nar-serve.packages.nar-serve}/bin/nar-serve";
    };
    # nar-serve is configured purely through these two environment variables.
    environment = { inherit NAR_CACHE_URL PORT; };
  };
in
{
  # Two local HTTP links; the links module allocates the address/port that
  # `.portStr` below refers to.
  links = {
    nar-serve-self.protocol = "http";
    nar-serve-nixos-org.protocol = "http";
  };

  # One instance for the cluster cache, one for the public cache.nixos.org.
  systemd.services.nar-serve-self = mkNarServe "https://cache.${depot.lib.meta.domain}" config.links.nar-serve-self.portStr;
  systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.links.nar-serve-nixos-org.portStr;
}
# ---------------- /cluster/services/attic/s3-cache-client.nix ----------------
{ cluster, ... 
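}:

{
  # Garage-backed S3 cache at priority 60, i.e. tried after the priority-50
  # builder caches (Nix prefers lower priority numbers).
  nix.settings.substituters = [ "https://nix-store.${cluster.config.links.garageWeb.hostname}?priority=60" ];
}
# ---------------- /cluster/services/bitwarden/default.nix ----------------
{ depot, ... }:

{
  # Single-node service; host.nix carries the vaultwarden configuration.
  services.bitwarden = {
    nodes.host = [ "VEGAS" ];
    nixos.host = ./host.nix;
  };

  # The keychain record points at VEGAS's *public* address, so the vault is
  # reachable from the internet, not only over the mesh.
  dns.records.keychain.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}
# ---------------- /cluster/services/bitwarden/host.nix ----------------
{ config, lib, depot, ... }:
with depot.lib.nginx;
{
  # Plain-HTTP link for the Rocket server; nginx terminates TLS for
  # keychain.<domain> and proxies to it.
  links.bitwarden.protocol = "http";

  services.nginx.virtualHosts = mappers.mapSubdomains {
    keychain = vhosts.proxy config.links.bitwarden.url;
  };
  services.vaultwarden = {
    enable = true;
    backupDir = "/srv/storage/private/bitwarden/backups";
    config = {
      dataFolder = "/srv/storage/private/bitwarden/data";
      rocketPort = config.links.bitwarden.port;
    };
    # NOTE(review): without an environmentFile there is no ADMIN_TOKEN (the
    # admin page stays disabled — the safe direction), but SIGNUPS_ALLOWED is
    # also left at vaultwarden's upstream default, which permits open
    # registration, on a host whose DNS record is its public address.
    # Confirm registration is restricted here or elsewhere (e.g.
    # `signupsAllowed = false;` in `config`, or a signup domain whitelist)
    # before treating this as a private instance.
    #environmentFile = ""; # TODO: agenix
  };
  # ReadWritePaths= is the current systemd directive; ReadWriteDirectories=
  # is its deprecated alias and is accepted identically. Both units need the
  # private storage tree (data + backups) writable.
  systemd.services.vaultwarden.serviceConfig = {
    ReadWritePaths = "/srv/storage/private/bitwarden";
  };
  systemd.services.backup-vaultwarden = {
    # The NixOS backup unit sets its own DATA_FOLDER; force it to the folder
    # configured above so the backup reads the live database.
    environment.DATA_FOLDER = lib.mkForce config.services.vaultwarden.config.dataFolder;
    serviceConfig = {
      ReadWritePaths = "/srv/storage/private/bitwarden";
    };
  };
}
# ---------------- /cluster/services/cachix-deploy-agent/agent.nix ----------------
{ cluster, depot, ... 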
}:

{
  # credentialsFile is the decrypted path of this node's own agent token
  # (secrets.token in default.nix is declared shared = false, so each agent
  # node gets a distinct token). cachix-deploy activates closures pushed to
  # it, so a leaked token is roughly host-level access — per-node tokens keep
  # that blast radius to one machine.
  services.cachix-agent = {
    enable = true;
    credentialsFile = cluster.config.services.cachix-deploy-agent.secrets.token.path;
    package = depot.packages.cachix;
  };
}
# ---------------- /cluster/services/cachix-deploy-agent/default.nix ----------------
{
  services.cachix-deploy-agent = { config, ... }: {
    nodes.agent = [ "checkmate" "grail" "prophet" "VEGAS" "thunderskin" ];
    nixos.agent = ./agent.nix;
    # One token per agent node, never a cluster-wide shared one.
    secrets.token = {
      nodes = config.nodes.agent;
      shared = false;
    };
  };
}
# ---------------- /cluster/services/cdn-shield/default.nix ----------------
{ depot, ... }:

{
  # All third-party-CDN mirror names resolve to VEGAS's public address; the
  # mirroring vhosts themselves are configured elsewhere.
  dns.records = let
    cdnShieldAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
  in {
    "fonts-googleapis-com.cdn-shield".target = cdnShieldAddr;
    "fonts-gstatic-com.cdn-shield".target = cdnShieldAddr;
    "cdnjs-cloudflare-com.cdn-shield".target = cdnShieldAddr;
    "wttr-in.cdn-shield".target = cdnShieldAddr;
  };
}
# ---------------- /cluster/services/certificates/default.nix ----------------
{
  # Every cluster node obtains the *.internal wildcard certificate.
  services.certificates = {
    nodes = {
      internal-wildcard = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
    };
    nixos = {
      internal-wildcard = [
        ./internal-wildcard.nix
      ];
    };
  };
}
# ---------------- /cluster/services/certificates/internal-wildcard.nix ----------------
{ config, lib, pkgs, depot, ... 
}:

let
  inherit (depot.lib.meta) domain;

  # Groups that get read access to the certificate directory: nginx always,
  # kanidm only on nodes that run the kanidm server.
  extraGroups = [ "nginx" ]
    ++ lib.optional config.services.kanidm.enableServer "kanidm";
in

{
  security.acme.certs."internal.${domain}" = {
    # Wildcard over the internal zone, issued via DNS-01 (the "exec" provider
    # shells out to a script configured elsewhere).
    domain = "*.internal.${domain}";
    # NOTE(review): this repeats `domain` exactly, so the SAN list carries the
    # same wildcard twice; it appears redundant and can likely be dropped.
    extraDomainNames = [ "*.internal.${domain}" ];
    dnsProvider = "exec";
    group = "nginx";
    # After each issuance/renewal: strip all ACLs, then grant rX to each
    # group in extraGroups so those daemons can read the private key while
    # the files stay group-owned by nginx.
    postRun = ''
      ${pkgs.acl}/bin/setfacl -Rb .
      ${lib.concatStringsSep "\n" (
        map (group: "${pkgs.acl}/bin/setfacl -Rm g:${group}:rX .") extraGroups
      )}
    '';
  };
}
# ---------------- /cluster/services/chant/default.nix ----------------
{ config, ... }:

{
  # chant listeners run on every consul agent node and depend on consul in
  # the simulacrum test harness.
  services.chant = {
    nodes.listener = config.services.consul.nodes.agent;
    nixos.listener = [
      ./listener.nix
    ];
    simulacrum.deps = [ "consul" ];
  };
}
# ---------------- /cluster/services/consul/agent.nix ----------------
{ config, cluster, depot, ... 
}:

let
  inherit (depot.lib.meta) domain;
  inherit (config.networking) hostName;
  inherit (cluster.config) hostLinks;
  cfg = cluster.config.services.consul;

  # This node's consul host link (address/port other nodes use to reach it).
  hl = hostLinks.${hostName}.consul;
in

{
  # Local HTTP API link; the address/port are allocated by the links module.
  links.consulAgent.protocol = "http";

  services.consul = {
    enable = true;
    webUi = true;
    package = depot.packages.consul;
    extraConfig = {
      datacenter = "eu-central";
      domain = "sd-magic.${domain}.";
      recursors = [ "127.0.0.1" cluster.config.links.dnsResolver.ipv4 ];
      # Every agent node is a server; bootstrap_expect equals the full node
      # count so the cluster only forms once all of them are up.
      server = true;
      node_name = config.networking.hostName;
      bind_addr = hl.ipv4;
      ports.serf_lan = hl.port;
      retry_join = map (hostName: hostLinks.${hostName}.consul.tuple) (cfg.otherNodes.agent hostName);
      bootstrap_expect = builtins.length cfg.nodes.agent;
      # NOTE(review): no `encrypt` (gossip key) or `acl` block is set here.
      # Unless merged in from another module, serf traffic is unencrypted and
      # the HTTP API/web UI on consulAgent is unauthenticated, so the mesh
      # network is the only boundary — confirm that is intended.
      addresses.http = config.links.consulAgent.ipv4;
      ports.http = config.links.consulAgent.port;
    };
  };

  # Scrape this agent's HTTP API with the grafana-agent consul exporter.
  services.grafana-agent.settings.integrations.consul_exporter = {
    enabled = true;
    instance = hostName;
    server = config.links.consulAgent.url;
  };
}
# ---------------- /cluster/services/consul/default.nix ----------------
{ config, lib, ... 
}:

let
  cfg = config.services.consul;
in

{
  # Each agent node's consul link is bound to its mesh (WireGuard) address.
  hostLinks = lib.genAttrs cfg.nodes.agent (hostName: {
    consul = {
      ipv4 = config.vars.mesh.${hostName}.meshIp;
    };
  });
  services.consul = {
    nodes = {
      agent = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ];
      ready = config.services.consul.nodes.agent;
    };
    nixos = {
      agent = [
        ./agent.nix
        ./remote-api.nix
      ];
      ready = ./ready.nix;
    };
    # Integration test (test.nix) that needs the wireguard mesh up first.
    simulacrum = {
      enable = true;
      deps = [ "wireguard" ];
      settings = ./test.nix;
    };
  };

  # consul-remote.internal resolves through consul service discovery.
  dns.records."consul-remote.internal".consulService = "consul-remote";
}
# ---------------- /cluster/services/consul/remote-api.nix ----------------
{ config, depot, lib, ... }:

let
  inherit (depot.lib.meta) domain;
  frontendDomain = "consul-remote.internal.${domain}";

  # Address of the vstub interface; the vhost listens only there.
  inherit (config.reflection.interfaces.vstub) addr;
in

{
  # TLS front for the local agent's HTTP API using the *.internal wildcard.
  # NOTE(review): vhosts.proxy adds no authentication layer (compare the ipfs
  # admin vhost, which is wrapped by oauth2-proxy); reachability is limited
  # only by listenAddresses = vstub. Confirm that address is not routable
  # from untrusted networks, or add an auth layer.
  services.nginx.virtualHosts.${frontendDomain} = depot.lib.nginx.vhosts.proxy config.links.consulAgent.url // {
    listenAddresses = lib.singleton addr;
    enableACME = false;
    useACMEHost = "internal.${domain}";
  };

  # Register the front as an external consul service with two health checks:
  # the TLS frontend (with SNI/Host forced to frontendDomain) and the raw
  # backend API.
  consul.services.consul-remote = {
    unit = "consul";
    mode = "external";
    definition = {
      name = "consul-remote";
      address = addr;
      port = 443;
      checks = [
        {
          name = "Frontend";
          id = "service:consul-remote:frontend";
          http = "https://${addr}/v1/status/leader";
          tls_server_name = frontendDomain;
          header.Host = lib.singleton frontendDomain;
          interval = "60s";
        }
        {
          name = "Backend";
          id = "service:consul-remote:backend";
          http = "${config.links.consulAgent.url}/v1/status/leader";
          interval = "30s";
        }
      ];
    };
  };
}
# ---------------- /cluster/services/consul/test.nix ----------------
{ lib, ... }:

{
  # The test VMs do not import the locksmith module; presumably this sink
  # accepts any services.locksmith.* settings other modules set so
  # evaluation does not fail on undeclared options.
  defaults.options.services.locksmith = lib.mkSinkUndeclaredOptions { };

  # Start every machine except `nowhere`, wait for consul-ready on each, then
  # read the HTTP API address from /etc/consul.json and assert that every
  # node sees every other node as an alive member.
  testScript = ''
    import json

    start_all()

    with subtest("should form cluster"):
        nodes = [ n for n in machines if n != nowhere ]
        for machine in nodes:
            machine.succeed("systemctl start consul-ready.service")
        for machine in nodes:
            consulConfig = json.loads(machine.succeed("cat /etc/consul.json"))
            addr = consulConfig["addresses"]["http"]
            port = consulConfig["ports"]["http"]
            setEnv = f"CONSUL_HTTP_ADDR={addr}:{port}"
            memberList = machine.succeed(f"{setEnv} consul members --status=alive")
            for machine2 in nodes:
                assert machine2.name in memberList
  '';
}
# ---------------- /cluster/services/content-delivery/default.nix ----------------
{
  # Public web-enabled Garage bucket served under the "cdn" way.
  garage = {
    buckets.content-delivery.web.enable = true;
  };

  ways.cdn.bucket = "content-delivery";
}
# ---------------- /cluster/services/dns/acme-dns-direct-key.age ----------------
# https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/services/dns/acme-dns-direct-key.age
# ---------------- /cluster/services/dns/client.nix ----------------
{ cluster, lib, ... 
}:

let
  # Backend resolver address of every coredns node, used as fallbacks.
  recursors = lib.pipe (cluster.config.services.dns.nodes.coredns) [
    (map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.ipv4))
  ];
in

{
  # Cluster resolver VIP first, then the individual backends.
  networking.nameservers = [ cluster.config.links.dnsResolver.ipv4 ] ++ recursors;
}
# ---------------- /cluster/services/dns/nodes.nix ----------------
{ depot, lib, ... }:

{
  # One A record per host, <host>.<enterprise subdomain>, pointing at the
  # host's public address. This publishes every node's public IP in DNS.
  dns.records = lib.mapAttrs' (name: hour: {
    name = lib.toLower "${name}.${hour.enterprise.subdomain}";
    value = {
      type = "A";
      target = [ hour.interfaces.primary.addrPublic ];
    };
  }) depot.gods.fromLight;
}
# ---------------- /cluster/services/dns/ns-records.nix ----------------
{ config, depot, lib, ... }:

let
  cfg = config.services.dns;

  # eu1.ns, eu2.ns, ... in list order. Reordering nodes.authoritative
  # renumbers the glue names, so keep the list stable.
  nsNodes = lib.imap1 (idx: node: {
    name = "eu${toString idx}.ns";
    value = {
      type = "A";
      target = [ depot.hours.${node}.interfaces.primary.addrPublic ];
    };
  }) cfg.nodes.authoritative;
in

{
  # Glue A records plus the apex NS set referencing them (FQDN, trailing dot).
  dns.records = lib.mkMerge [
    (lib.listToAttrs nsNodes)
    {
      NS = {
        name = "@";
        type = "NS";
        target = map (ns: "${ns.name}.${depot.lib.meta.domain}.") nsNodes;
      };
    }
  ];
}
# ---------------- /cluster/services/fbi/default.nix ----------------
{ depot, ... 
}:

{
  services.fbi = {
    nodes.host = [ "VEGAS" ];
    nixos.host = ./host.nix;
  };

  # All four names resolve to VEGAS's public address.
  dns.records = let
    fbiAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
  in {
    fbi-index.target = fbiAddr;
    fbi-requests.target = fbiAddr;
    radarr.target = fbiAddr;
    sonarr.target = fbiAddr;
  };
}
# ---------------- /cluster/services/flake-reegistry/default.nix ----------------
{ lib, ... }:

{
  # Serve a static flake registry (v2) under the "registry" way.
  ways.registry.static = { depot, pkgs, ... }: pkgs.writeTextDir "flake-registry.json" (let
    flakes = {
      # NOTE(review): `depot` is a moving target — a branch tarball with no
      # narHash — so consumers resolving `depot` through this registry fetch
      # whatever master currently is. depot-nixpkgs and blank below are
      # pinned (rev + narHash); the extra-flakes entries are not.
      depot = {
        type = "tarball";
        url = "https://forge.${depot.lib.meta.domain}/${depot.lib.meta.domain}/depot/archive/master.tar.gz";
      };
      depot-nixpkgs = {
        type = "github";
        owner = "NixOS";
        repo = "nixpkgs";
        inherit (depot.inputs.nixpkgs.sourceInfo) rev narHash lastModified;
      };
      blank = {
        type = "github";
        owner = "divnix";
        repo = "blank";
        inherit (depot.inputs.blank.sourceInfo) rev narHash lastModified;
      };
    } // import ./extra-flakes.nix;
  in builtins.toJSON {
    version = 2;
    # Each attribute becomes an indirect `from` id mapped to its `to` ref.
    flakes = lib.pipe flakes [
      (lib.attrsToList)
      (map (f: {
        from = {
          type = "indirect";
          id = f.name;
        };
        to = f.value;
      }))
    ];
  });
}
# ---------------- /cluster/services/flake-reegistry/extra-flakes.nix ----------------
let
  # Unpinned github ref (default branch, no rev/narHash).
  github = owner: repo: {
    type = "github";
    inherit owner repo;
  };
in {
  # own
  hyprspace = github "hyprspace" "hyprspace";
  ai = github "nixified-ai" "flake";
  nix-super = github "privatevoid-net" "nix-super";
  nixpak = github "nixpak" "nixpak";

  # other
  nix = github "NixOS" 
"nix";
  flake-parts = github "hercules-ci" "flake-parts";
  home-manager = github "nix-community" "home-manager";
  dream2nix = github "nix-community" "dream2nix";
}
# ---------------- /cluster/services/forge/default.nix ----------------
{ config, depot, ... }:

{
  services.forge = {
    nodes.server = [ "VEGAS" ];
    nixos.server = ./server.nix;
    meshLinks.server.forge.link.protocol = "http";
    # OIDC client secret is provisioned only on server nodes and owned by the
    # forgejo user.
    secrets = with config.services.forge.nodes; {
      oidcSecret = {
        nodes = server;
        owner = "forgejo";
      };
    };
  };

  # Only the first server node is used as the way target; with more than one
  # server node the others would be ignored here.
  ways = let
    host = builtins.head config.services.forge.nodes.server;
  in config.lib.forService "forge" {
    forge.target = config.hostLinks.${host}.forge.url;
  };

  # Database credentials are delivered raw via locksmith to the server nodes.
  patroni = config.lib.forService "forge" {
    databases.forge = {};
    users.forge.locksmith = {
      nodes = config.services.forge.nodes.server;
      format = "raw";
    };
  };

  # A dedicated Garage key scoped to the forgejo bucket (read + write).
  garage = config.lib.forService "forge" {
    keys.forgejo.locksmith.nodes = config.services.forge.nodes.server;
    buckets.forgejo.allow.forgejo = [ "read" "write" ];
  };

  monitoring.blackbox.targets.forge = config.lib.forService "forge" {
    address = "https://forge.${depot.lib.meta.domain}/api/v1/version";
    module = "https2xx";
  };

  # ssh.forge resolves to the public address of every server node.
  dns.records = config.lib.forService "forge" {
    "ssh.forge".target = map
      (node: depot.hours.${node}.interfaces.primary.addrPublic)
      config.services.forge.nodes.server;
  };
}
# ---------------- /cluster/services/geoblock/default.nix ----------------
{ depot, lib, ... 
}:

{
  # Inbound geoblocking on every host.
  services.geoblock = {
    nodes.host = lib.attrNames depot.gods.fromLight;
    nixos.host = [
      ./incoming.nix
    ];
  };
}
# ---------------- /cluster/services/hercules-ci-multi-agent/builder-cache.nix ----------------
{ cluster, config, depot, pkgs, ... }:

let
  # Cluster-visible link for this node's builder cache and the local
  # bind address nix-serve listens on.
  link = cluster.config.hostLinks.${config.networking.hostName}.builderCache;
  linkLocal = config.links.builderCache;
in
{
  links.builderCache.protocol = "http";

  # NOTE(review): nix-serve-ng exposes every path in this host's /nix/store
  # and this vhost adds no authentication. Anything reaching link.hostname
  # can enumerate and fetch store paths, so keep that hostname off untrusted
  # networks and keep secrets out of the store on builder nodes.
  services.nginx.virtualHosts.${link.hostname} = depot.lib.nginx.vhosts.proxy linkLocal.url;

  services.nix-serve = {
    enable = true;
    package = pkgs.nix-serve-ng;
    bindAddress = linkLocal.ipv4;
    inherit (linkLocal) port;
    # Paths are signed with the cluster-wide cacheSigningKey secret; the
    # priority matches the ?priority=50 the builder-cache clients request.
    secretKeyFile = cluster.config.services.hercules-ci-multi-agent.secrets.cacheSigningKey.path;
    extraParams = "--priority 50";
  };
}
# ---------------- /cluster/services/idm/common.nix ----------------
{ depot, ... }:

{
  services.kanidm.package = depot.packages.kanidm;
}
# ---------------- /cluster/services/idm/modules/idm-nss-ready.nix ----------------
{ lib, pkgs, ... 
}:

let
  # Small Haskell watchdog: retry looking up the "infra_admins" group via
  # NSS with backoff (delays presumably in microseconds, as threadDelay
  # takes — 300ms initial, 30s max) until the lookup succeeds, logging each
  # failure and flushing stdout so journal output is not buffered.
  idmReady = pkgs.writers.writeHaskellBin "idm-nss-ready" {
    libraries = with pkgs.haskellPackages; [ watchdog ];
  } ''
    import Control.Monad.IO.Class
    import Control.Watchdog
    import System.IO
    import System.IO.Error
    import System.Posix.User

    flushLogger :: WatchdogLogger String
    flushLogger taskErr delay = do
      defaultLogger taskErr delay
      hFlush stdout

    main :: IO ()
    main = watchdog $ do
      setInitialDelay 300_000
      setMaximumDelay 30_000_000
      setLoggingAction flushLogger
      watch $ do
        check <- liftIO $ tryIOError $ getGroupEntryForName "infra_admins"
        case check of
          Right _ -> return $ Right ()
          Left _ -> return $ Left "group not found"
  '';
in

{
  # Gate nss-user-lookup.target on kanidm-unixd actually answering group
  # lookups, so units ordered after that target can resolve IDM groups.
  # Bounded by TimeoutStartSec so a dead IDM fails the unit instead of
  # hanging boot indefinitely.
  systemd.services.idm-nss-ready = {
    description = "Wait for IDM NSS";
    requires = [ "kanidm-unixd.service" "nscd.service" "nss-user-lookup.target" ];
    after = [ "kanidm-unixd.service" "nscd.service" ];
    before = [ "nss-user-lookup.target" ];
    serviceConfig = {
      ExecStart = lib.getExe idmReady;
      DynamicUser = true;
      TimeoutStartSec = "2m";
      Type = "oneshot";
    };
  };
}
# ---------------- /cluster/services/idm/modules/idm-tmpfiles.nix ----------------
{ config, lib, pkgs, ... 
}:
with lib;

let
  cfg = config.idm.tmpfiles;

  # All rules are joined into a single tmpfiles.d file in the store.
  rulesFile = pkgs.writeText "idm-tmpfiles.conf" (concatStringsSep "\n" cfg.rules);
in

{
  # tmpfiles rules that reference IDM-provided users/groups and therefore
  # cannot run with the normal early-boot systemd-tmpfiles pass.
  options.idm.tmpfiles.rules = mkOption {
    description = "systemd-tmpfiles rules to run after IDM is ready.";
    type = with types; listOf str;
    default = [];
  };

  config = mkIf (cfg.rules != []) {
    # Runs once IDM NSS lookups work (idm-nss-ready) so group names in the
    # rules resolve. Note --remove is passed as well as --create, so r/R
    # lines in the rules would be honoured.
    systemd.services.idm-tmpfiles = {
      description = "Set up tmpfiles after IDM";
      requires = [ "idm-nss-ready.service" "nss-user-lookup.target" ];
      after = [ "idm-nss-ready.service" "nss-user-lookup.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${config.systemd.package}/bin/systemd-tmpfiles --create --remove ${rulesFile}";
        Type = "oneshot";
      };
    };
  };
}
# ---------------- /cluster/services/idm/policies/infra-admins.nix ----------------
{ lib, ... 
}:

{
  # Only members of infra_admins may log in through kanidm-unixd/PAM here.
  services.kanidm.unixSettings = {
    pam_allowed_login_groups = [
      "infra_admins"
    ];
  };

  # Full root via sudo for infra_admins. Password is still required (no
  # NOPASSWD). SETENV lets the caller keep/set environment variables
  # (`sudo -E`, `VAR=x sudo ...`), subject to sudo's own env filtering —
  # confirm this is wanted, as it widens what an admin session can inject
  # into root commands.
  security.sudo.extraRules = lib.singleton {
    groups = [ "infra_admins" ];
    commands = lib.singleton {
      command = "ALL";
      options = [ "SETENV" ];
    };
  };

  # Append ACLs (a+) so infra_admins can read the journal: traverse the
  # journal directories (with a default ACL, d:, so new entries inherit it)
  # and read the journal files themselves. Applied via idm-tmpfiles because
  # the group only exists once IDM NSS is up.
  idm.tmpfiles.rules = [
    "a+ /run/log/journal - - - - d:group:infra_admins:r-x,group:infra_admins:r-x"
    "a+ /run/log/journal/%m - - - - d:group:infra_admins:r-x,group:infra_admins:r-x"
    "a+ /run/log/journal/%m/*.journal* - - - - group:infra_admins:r--"
  ];
}
# ---------------- /cluster/services/idm/policies/soda.nix ----------------
{
  # Login policy for soda hosts: two IDM groups, no sudo rule in this file.
  services.kanidm.unixSettings = {
    pam_allowed_login_groups = [
      "soda"
      "soda-admins"
    ];
  };
}
# ---------------- /cluster/services/incandescence/default.nix ----------------
{ config, ... }:

{
  imports = [
    ./options.nix
    ./simulacrum/test-data.nix
  ];

  # Providers run on every consul agent node; the simulacrum test needs both
  # consul and locksmith.
  services.incandescence = {
    nodes = {
      provider = config.services.consul.nodes.agent;
    };
    nixos = {
      provider = [
        ./provider.nix
        ./provider-options.nix
      ];
    };
    simulacrum = {
      enable = true;
      deps = [ "consul" "locksmith" ];
      settings = ./simulacrum/test.nix;
    };
  };
}
# ---------------- /cluster/services/incandescence/options.nix ----------------
{ lib, ... 
}:

let
  inherit (lib) mkOption;
  inherit (lib.types) attrsOf listOf submodule str;
in

{
  # incandescence.providers.<provider>.objects.<kind> = [ names ... ]
  # (the submodule's `name` argument is accepted but unused here).
  options.incandescence = {
    providers = mkOption {
      type = attrsOf (submodule ({ name, ... }: {
        options = {
          objects = mkOption {
            type = attrsOf (listOf str);
            default = { };
          };
        };
      }));
      default = { };
    };
  };
}
# ---------------- /cluster/services/incandescence/simulacrum/test-data.nix ----------------
{ config, lib, ... }:
{
  # Fixture provider/objects, only present when evaluating the simulacrum.
  incandescence = lib.mkIf config.simulacrum {
    providers = config.lib.forService "incandescence" {
      test.objects.example = [ "example1" "example2" ];
    };
  };
}
# ---------------- /cluster/services/ipfs/io-tweaks.nix ----------------
{
  systemd.services.ipfs = {
    serviceConfig = {
      LimitNOFILE = 524288;
      IOSchedulingPriority = 7;
    };
  };

  # Throttle the remotefshost slice's disk IO.
  # NOTE(review): /dev/sda and /dev/sdb are kernel enumeration names, not
  # stable identifiers; if the disks enumerate differently these limits
  # silently apply to the wrong device (or none).
  systemd.slices.remotefshost.sliceConfig = {
    IOWeight = 5;
    IOReadIOPSMax = [
      "/dev/sda 100"
      "/dev/sdb 100"
    ];
    IOWriteIOPSMax = [
      "/dev/sda 100"
      "/dev/sdb 100"
    ];
    IODeviceLatencyTargetSec = [
      "/dev/sda 500ms"
      "/dev/sdb 500ms"
    ];
  };
}
# ---------------- /cluster/services/ipfs/monitoring.nix ----------------
{ config, cluster, lib, ... 
}: 2 | 3 | let 4 | inherit (config) links; 5 | in 6 | 7 | { 8 | systemd.services.ipfs = { 9 | environment = { 10 | OTEL_TRACES_EXPORTER = "otlp"; 11 | OTEL_EXPORTER_OTLP_PROTOCOL = "grpc"; 12 | OTEL_EXPORTER_OTLP_ENDPOINT = "${cluster.config.ways.ingest-traces-otlp.url}:443"; 13 | OTEL_TRACES_SAMPLER = "parentbased_traceidratio"; 14 | OTEL_TRACES_SAMPLER_ARG = "0.50"; 15 | }; 16 | }; 17 | 18 | services.grafana-agent.settings.metrics.configs = lib.singleton { 19 | name = "metrics-ipfs"; 20 | scrape_configs = lib.singleton { 21 | job_name = "ipfs"; 22 | metrics_path = links.ipfsMetrics.path; 23 | static_configs = lib.singleton { 24 | targets = lib.singleton links.ipfsMetrics.tuple; 25 | labels.instance = config.networking.hostName; 26 | }; 27 | }; 28 | }; 29 | } 30 | -------------------------------------------------------------------------------- /cluster/services/ipfs/remote-api.nix: -------------------------------------------------------------------------------- 1 | { cluster, config, depot, ... }: 2 | with depot.lib.nginx; 3 | let 4 | inherit (depot.lib.meta) domain; 5 | cfg = config.services.ipfs; 6 | gw = cluster.config.hostLinks.${config.networking.hostName}.ipfsGateway; 7 | in 8 | { 9 | users.users.nginx.extraGroups = [ cfg.group ]; 10 | 11 | services.nginx.virtualHosts = { 12 | "ipfs.admin.${domain}" = vhosts.basic // { 13 | locations."/api".proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:"; 14 | locations."/ipns/webui.ipfs.io".proxyPass = "${gw.url}/ipns/webui.ipfs.io"; 15 | locations."= /".return = "302 /ipns/webui.ipfs.io"; 16 | }; 17 | }; 18 | 19 | services.oauth2-proxy.nginx.virtualHosts."ipfs.admin.${domain}" = { }; 20 | } 21 | -------------------------------------------------------------------------------- /cluster/services/locksmith/default.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
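}:

{
  # Locksmith (credential delivery; see the `locksmith` options used by
  # patroni/options.nix). Both the receiving and the providing role run on
  # every consul agent node.
  services.locksmith = {
    nodes = {
      receiver = config.services.consul.nodes.agent;
      provider = config.services.consul.nodes.agent;
    };
    nixos = {
      receiver = [
        ./receiver.nix
      ];
      provider = [
        ./provider.nix
      ];
    };
    simulacrum.deps = [ "chant" "consul" ];
  };
}
--------------------------------------------------------------------------------
/cluster/services/mail/certificate.nix:
--------------------------------------------------------------------------------
{ depot, lib, ... }:

{
  # The mail certificate is obtained through the DNS challenge
  # (dnsProvider = "exec"), so the HTTP webroot challenge is explicitly
  # disabled. The MX, IMAP and submission hostnames share this certificate.
  security.acme.certs."mail.${depot.lib.meta.domain}" = {
    dnsProvider = "exec";
    webroot = lib.mkForce null;
    extraDomainNames = map (x: "${x}.${depot.lib.meta.domain}") [
      "mx"
      "imap"
      "smtp"
    ];
  };
}
--------------------------------------------------------------------------------
/cluster/services/mail/known-spam-domains:
--------------------------------------------------------------------------------
# Regexp access table (Postfix style, DISCARD action): mail whose sender
# domain matches is silently dropped. Dots inside domain names must be
# escaped - an unescaped "." matches any character, so /mega.nz$/ would
# also discard mail from a domain ending in e.g. "omega-nz".
/\.ru$/ DISCARD
/\.cf$/ DISCARD
/\.gq$/ DISCARD
/\.tk$/ DISCARD
/\.ga$/ DISCARD
/pixelsurplus\.com$/ DISCARD
/mega\.nz$/ DISCARD
/trypioneer\.app$/ DISCARD
--------------------------------------------------------------------------------
/cluster/services/mail/opendkim.nix:
--------------------------------------------------------------------------------
{ lib, depot, ...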
}: 2 | let 3 | inherit (depot.lib.meta) domain; 4 | in 5 | { 6 | services.opendkim = { 7 | enable = true; 8 | selector = domain; 9 | domains = domain; 10 | }; 11 | # ensure socket becomes group-writable 12 | systemd.services.opendkim.serviceConfig.UMask = lib.mkForce "0007"; 13 | # TODO: figure out which one works 14 | users.users.postfix.extraGroups = [ "opendkim" ]; 15 | } 16 | -------------------------------------------------------------------------------- /cluster/services/mail/sieve/plus.sieve: -------------------------------------------------------------------------------- 1 | require ["variables", "envelope", "fileinto", "subaddress", "mailbox"]; 2 | 3 | if envelope :matches :detail "to" "*" { 4 | set :lower :upperfirst "name" "''${1}"; 5 | } 6 | 7 | if not string :is "''${name}" "" { 8 | fileinto :create "Plus/''${name}"; 9 | } 10 | -------------------------------------------------------------------------------- /cluster/services/mail/virtual-mail-domain-aliases: -------------------------------------------------------------------------------- 1 | /.*@max.admin.privatevoid.net$/ max@privatevoid.net 2 | -------------------------------------------------------------------------------- /cluster/services/matrix/coturn.nix: -------------------------------------------------------------------------------- 1 | { cluster, depot, ... 
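}:
{
  # TURN relay for the Matrix homeserver. `use-auth-secret` enables the TURN
  # REST API credential scheme: the homeserver mints time-limited credentials
  # from the secret in `static-auth-secret-file`. The relay *target* is chosen
  # by the client, so every network that must not be reachable from the
  # internet has to appear in denied-peer-ip below - otherwise an
  # authenticated Matrix user can use this server as a relay into it.
  services.coturn = {
    enable = true;
    no-cli = true;
    realm = depot.lib.meta.domain;

    no-tcp-relay = true;
    min-port = 64000;
    max-port = 65535;
    # TODO: unhardcode
    listening-ips = [ "95.216.8.12" ];

    lt-cred-mech = true;
    use-auth-secret = true;

    static-auth-secret-file = cluster.config.services.matrix.secrets.coturnStaticAuth.path;
    # TODO: acme
    cert = "/etc/coturn/certs/fullchain.pem";
    pkey = "/etc/coturn/certs/privkey.pem";

    extraConfig = ''
      no-tlsv1
      no-tlsv1_1
      # Never relay to multicast or to private / special-purpose ranges.
      # The previous list only covered the three RFC 1918 blocks; loopback,
      # link-local, CGNAT (100.64/10), the IETF reserved blocks and all IPv6
      # equivalents would have been relayable. If the WireGuard mesh uses an
      # address range not covered here, add it as well.
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };
}
--------------------------------------------------------------------------------
/cluster/services/matrix/federation.nix:
--------------------------------------------------------------------------------
{ config, pkgs, depot, ... }:
let
  inherit (depot.lib.meta) domain;
  # Server delegation document: federation traffic for the apex domain is
  # directed to the matrix.<domain> host on port 443.
  federation = pkgs.writeText "matrix-federation.json" (builtins.toJSON {
    "m.server" = "matrix.${domain}:443";
  });
in
{
  # Served from the apex vhost; the client well-known is answered by the
  # homeserver host itself, so it is redirected rather than duplicated here.
  services.nginx.virtualHosts."top-level.${domain}".locations = {
    "= /.well-known/matrix/server".alias = federation;
    "= /.well-known/matrix/client".return = "302 https://matrix.${domain}/.well-known/matrix/client";
  };
}
--------------------------------------------------------------------------------
/cluster/services/matrix/web-client.nix:
--------------------------------------------------------------------------------
{ depot, lib, pkgs, ...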
}: 2 | let 3 | inherit (depot.lib.nginx) domain vhosts; 4 | inherit (depot.packages) cinny; 5 | in 6 | { 7 | services.nginx.virtualHosts."chat.${domain}" = lib.recursiveUpdate 8 | (vhosts.static cinny.webroot) 9 | { 10 | locations."=/config.json".alias = pkgs.writeText "cinny-config.json" (builtins.toJSON { 11 | defaultHomeserver = 0; 12 | homeserverList = [ "${domain}" ]; 13 | allowCustomHomeservers = false; 14 | }); 15 | locations."/".extraConfig = '' 16 | rewrite ^/config.json$ /config.json break; 17 | rewrite ^/manifest.json$ /manifest.json break; 18 | 19 | rewrite ^.*/olm.wasm$ /olm.wasm break; 20 | rewrite ^/pdf.worker.min.js$ /pdf.worker.min.js break; 21 | 22 | rewrite ^/public/(.*)$ /public/$1 break; 23 | rewrite ^/assets/(.*)$ /assets/$1 break; 24 | 25 | rewrite ^(.+)$ /index.html break; 26 | ''; 27 | }; 28 | 29 | security.acme.certs."chat.${domain}" = { 30 | dnsProvider = "exec"; 31 | webroot = lib.mkForce null; 32 | }; 33 | } 34 | -------------------------------------------------------------------------------- /cluster/services/meet/default.nix: -------------------------------------------------------------------------------- 1 | { config, depot, ... }: 2 | 3 | { 4 | services.meet = { 5 | nodes.host = [ "prophet" ]; 6 | nixos.host = ./host.nix; 7 | }; 8 | 9 | dns.records.meet.target = map 10 | (node: depot.hours.${node}.interfaces.primary.addrPublic) 11 | config.services.meet.nodes.host; 12 | } 13 | -------------------------------------------------------------------------------- /cluster/services/monitoring/options.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | with lib; 3 | 4 | { 5 | options.monitoring = { 6 | blackbox = { 7 | targets = mkOption { 8 | description = "Blackbox targets to be monitored by the cluster."; 9 | default = {}; 10 | type = with types; attrsOf (submodule ({ ... 
}: { 11 | options = { 12 | module = mkOption { 13 | description = "The Blackbox module to use."; 14 | type = types.str; 15 | }; 16 | address = mkOption { 17 | description = "The target's address."; 18 | type = types.str; 19 | }; 20 | }; 21 | })); 22 | }; 23 | }; 24 | }; 25 | } 26 | -------------------------------------------------------------------------------- /cluster/services/monitoring/provisioning/dashboards.nix: -------------------------------------------------------------------------------- 1 | { lib, pkgs, ... }: 2 | 3 | let 4 | loadDashboard = file: lib.pipe file [ 5 | lib.importJSON 6 | ({ dashboard, ... }: rec { 7 | name = "provision-dashboard-${dashboard.uid}.json"; 8 | path = builtins.toFile name (builtins.toJSON dashboard); 9 | }) 10 | ]; 11 | 12 | dashboardsDir = pkgs.linkFarm 13 | "grafana-provisioning-dashboards" 14 | (map loadDashboard (lib.filesystem.listFilesRecursive ./objects/dashboards)); 15 | in 16 | 17 | { 18 | services.grafana.provision.dashboards.settings = { 19 | providers = lib.singleton { 20 | options.path = dashboardsDir; 21 | allowUiUpdates = true; 22 | }; 23 | }; 24 | } 25 | -------------------------------------------------------------------------------- /cluster/services/monitoring/secrets/grafana-db-credentials.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/services/monitoring/secrets/grafana-db-credentials.age -------------------------------------------------------------------------------- /cluster/services/monitoring/secrets/grafana-secrets.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/services/monitoring/secrets/grafana-secrets.age -------------------------------------------------------------------------------- 
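/cluster/services/monitoring/secrets/secret-monitoring/blackbox.age:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/services/monitoring/secrets/secret-monitoring/blackbox.age
--------------------------------------------------------------------------------
/cluster/services/monitoring/server.nix:
--------------------------------------------------------------------------------
{ cluster, ... }:
let
  inherit (cluster.config.links) prometheus-ingest;
in
{
  # Central Prometheus. It scrapes nothing itself (scrapeConfigs = []);
  # samples presumably arrive via remote write from the grafana-agent
  # instances configured in the individual services.
  services.prometheus = {
    enable = true;
    listenAddress = prometheus-ingest.ipv4;
    inherit (prometheus-ingest) port;
    # NOTE(review): the remote-write receiver has no authentication of its
    # own - any client that can reach prometheus-ingest can inject or
    # overwrite series. Whether that surface is mesh-only depends on
    # prometheus-ingest.ipv4, which is defined elsewhere; if it is bound
    # wider than the mesh, put an authenticating reverse proxy in front.
    extraFlags = [ "--web.enable-remote-write-receiver" ];
    globalConfig = {
      scrape_interval = "60s";
    };
    scrapeConfigs = [ ];
  };

}
--------------------------------------------------------------------------------
/cluster/services/n8n/default.nix:
--------------------------------------------------------------------------------
{ depot, ... }:

{
  dns.records.api.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
}
--------------------------------------------------------------------------------
/cluster/services/nextcloud/default.nix:
--------------------------------------------------------------------------------
{ config, depot, ...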
}: 2 | 3 | { 4 | services.nextcloud = { 5 | nodes.host = [ "VEGAS" ]; 6 | nixos.host = ./host.nix; 7 | }; 8 | 9 | monitoring.blackbox.targets.nextcloud = { 10 | address = "https://storage.${depot.lib.meta.domain}/status.php"; 11 | module = "nextcloudStatus"; 12 | }; 13 | 14 | dns.records.storage.target = map 15 | (node: depot.hours.${node}.interfaces.primary.addrPublic) 16 | config.services.nextcloud.nodes.host; 17 | } 18 | -------------------------------------------------------------------------------- /cluster/services/nginx/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | services.nginx = { 3 | nodes.host = [ "checkmate" "grail" "thunderskin" "VEGAS" "prophet" ]; 4 | nixos.host = [ 5 | ./nginx.nix 6 | ./drop-bots.nix 7 | ]; 8 | }; 9 | } 10 | -------------------------------------------------------------------------------- /cluster/services/nginx/nginx.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
}: 2 | 3 | { 4 | services.nginx = { 5 | enable = true; 6 | recommendedProxySettings = true; 7 | recommendedTlsSettings = true; 8 | recommendedOptimisation = true; 9 | recommendedGzipSettings = true; 10 | proxyResolveWhileRunning = true; 11 | resolver = { 12 | addresses = config.networking.nameservers; 13 | valid = "30s"; 14 | }; 15 | appendHttpConfig = '' 16 | server_names_hash_bucket_size 128; 17 | proxy_headers_hash_max_size 4096; 18 | proxy_headers_hash_bucket_size 128; 19 | log_format fmt_loki 'host=$host remote_addr=$remote_addr remote_user=$remote_user request="$request" status=$status body_bytes_sent=$body_bytes_sent http_referer="$http_referer" http_user_agent="$http_user_agent"'; 20 | access_log syslog:server=unix:/dev/log,tag=nginx_access,nohostname fmt_loki; 21 | ''; 22 | }; 23 | networking.firewall.allowedTCPPorts = [ 80 443 ]; 24 | systemd.services.nginx = { 25 | after = [ "network-online.target" ]; 26 | wants = [ "network-online.target" ]; 27 | }; 28 | } 29 | -------------------------------------------------------------------------------- /cluster/services/patroni/default.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
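}:

{
  imports = [
    ./options.nix
    ./incandescence.nix
    ./simulacrum/test-data.nix
  ];

  links = {
    # NOTE(review): the internal PostgreSQL port and the Patroni REST API are
    # bound on every interface. The only consumers visible in this tree reach
    # them over the WireGuard mesh address (haproxy.nix, metrics.nix), so
    # binding to the mesh IP, or firewalling both ports on non-mesh
    # interfaces, would remove the public exposure. The REST API exposes
    # cluster control endpoints; confirm it is firewalled or has REST API
    # authentication configured in worker.nix (not shown here).
    patroni-pg-internal.ipv4 = "0.0.0.0";
    patroni-api.ipv4 = "0.0.0.0";
    # Client-facing entry point: the local haproxy listener only (haproxy.nix).
    patroni-pg-access.ipv4 = "127.0.0.1";
  };
  services.patroni = {
    nodes = {
      worker = [ "grail" "VEGAS" ];
      haproxy = [ "checkmate" "grail" "VEGAS" "prophet" ];
    };
    nixos = {
      worker = [
        ./worker.nix
        ./metrics.nix
        ./create-databases.nix
      ];
      haproxy = ./haproxy.nix;
    };
    # The three Patroni passwords are delivered to the worker nodes only and
    # owned by the patroni user; the metrics credentials go to the same nodes
    # but set no explicit owner.
    secrets = let
      inherit (config.services.patroni) nodes;
      default = {
        nodes = nodes.worker;
        owner = "patroni";
      };
    in {
      PATRONI_REPLICATION_PASSWORD = default;
      PATRONI_SUPERUSER_PASSWORD = default;
      PATRONI_REWIND_PASSWORD = default;
      metricsCredentials.nodes = nodes.worker;
    };
    simulacrum = {
      enable = true;
      deps = [ "consul" "incandescence" "locksmith" ];
      settings = ./simulacrum/test.nix;
    };
  };
}
--------------------------------------------------------------------------------
/cluster/services/patroni/haproxy.nix:
--------------------------------------------------------------------------------
{ cluster, ...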
}: 2 | 3 | let 4 | inherit (cluster.config) vars; 5 | 6 | internalPort = cluster.config.links.patroni-pg-internal.portStr; 7 | 8 | checkPort = cluster.config.links.patroni-api.portStr; 9 | 10 | nodes = cluster.config.services.patroni.nodes.worker; 11 | 12 | getMeshIp = name: vars.mesh.${name}.meshIp; 13 | 14 | mkServerString = name: "server pg_ha_${name}_${internalPort} ${getMeshIp name}:${internalPort} maxconn 200 check port ${checkPort}"; 15 | in 16 | 17 | { 18 | services.haproxy = { 19 | enable = true; 20 | config = '' 21 | global 22 | maxconn 200 23 | 24 | defaults 25 | log global 26 | mode tcp 27 | retries 2 28 | timeout client 30m 29 | timeout connect 4s 30 | timeout server 30m 31 | timeout check 5s 32 | 33 | listen patroni 34 | bind ${cluster.config.links.patroni-pg-access.tuple} 35 | option httpchk 36 | http-check expect status 200 37 | default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions 38 | ${builtins.concatStringsSep " \n" (map mkServerString nodes)} 39 | ''; 40 | }; 41 | systemd.services.haproxy.aliases = [ "postgresql.service" ]; 42 | } 43 | -------------------------------------------------------------------------------- /cluster/services/patroni/incandescence.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | { 4 | incandescence.providers.patroni = { 5 | objects = { 6 | user = lib.attrNames config.patroni.users; 7 | database = lib.attrNames config.patroni.databases; 8 | }; 9 | }; 10 | } 11 | -------------------------------------------------------------------------------- /cluster/services/patroni/metrics.nix: -------------------------------------------------------------------------------- 1 | { config, cluster, ... 
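}:

let
  inherit (cluster.config) links vars;
  inherit (cluster.config.services.patroni) secrets;

  getMeshIp = name: vars.mesh.${name}.meshIp;
in

{
  # postgres_exporter for the local Patroni member, run through grafana-agent's
  # integrations. The DSN targets this node's *own* mesh address, so the
  # plaintext (sslmode=disable) session presumably never leaves the host.
  # NOTE(review): do not reuse this DSN for a remote member without TLS; if
  # worker.nix enables ssl on PostgreSQL (not shown), sslmode=require is the
  # safer default here as well.
  services.grafana-agent = {
    settings.integrations.postgres_exporter = {
      enabled = true;
      instance = config.networking.hostName;
      data_source_names = [
        # The escaped "\${PG_METRICS_DB_PASSWORD}" is left for grafana-agent
        # to expand at runtime from `credentials` below, so the password is
        # not written into the generated configuration.
        "postgresql://metrics:\${PG_METRICS_DB_PASSWORD}@${getMeshIp config.networking.hostName}:${links.patroni-pg-internal.portStr}/postgres?sslmode=disable"
      ];
      autodiscover_databases = true;
    };
    credentials = {
      PG_METRICS_DB_PASSWORD = secrets.metricsCredentials.path;
    };
  };
}
--------------------------------------------------------------------------------
/cluster/services/patroni/options.nix:
--------------------------------------------------------------------------------
{ lib, ... }:

let
  inherit (lib) mkOption;
  inherit (lib.types) attrsOf enum listOf submodule str;
in

{
  options.patroni = {
    databases = mkOption {
      type = attrsOf (submodule ({ name, ... }: {
        options = {
          owner = mkOption {
            type = str;
            default = name;
          };
        };
      }));
      default = {};
    };
    users = mkOption {
      type = attrsOf (submodule ({ ...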
}: { 23 | options = { 24 | locksmith = { 25 | nodes = mkOption { 26 | type = listOf str; 27 | default = []; 28 | }; 29 | format = mkOption { 30 | type = enum [ "pgpass" "envFile" "raw" ]; 31 | default = "pgpass"; 32 | }; 33 | owner = mkOption { 34 | type = str; 35 | default = "root"; 36 | }; 37 | group = mkOption { 38 | type = str; 39 | default = "root"; 40 | }; 41 | mode = mkOption { 42 | type = str; 43 | default = "0400"; 44 | }; 45 | }; 46 | }; 47 | })); 48 | default = {}; 49 | }; 50 | }; 51 | } 52 | -------------------------------------------------------------------------------- /cluster/services/patroni/simulacrum/test-data.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | { 3 | patroni = lib.mkIf config.simulacrum { 4 | databases = config.lib.forService "patroni" { 5 | testdb.owner = "testuser"; 6 | existingdb.owner = "existinguser"; 7 | }; 8 | users = config.lib.forService "patroni" { 9 | testuser.locksmith = { 10 | nodes = config.services.patroni.nodes.haproxy; 11 | format = "pgpass"; 12 | }; 13 | existinguser.locksmith = { 14 | nodes = config.services.patroni.nodes.haproxy; 15 | format = "pgpass"; 16 | }; 17 | }; 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /cluster/services/reflex/default.nix: -------------------------------------------------------------------------------- 1 | { depot, ... }: 2 | 3 | { 4 | services.reflex = { 5 | nodes.host = [ "VEGAS" ]; 6 | nixos.host = ./host.nix; 7 | }; 8 | 9 | dns.records.reflex.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ]; 10 | } 11 | -------------------------------------------------------------------------------- /cluster/services/reflex/host.nix: -------------------------------------------------------------------------------- 1 | { config, depot, ... 
}: 2 | 3 | { 4 | links.nixIpfs.protocol = "http"; 5 | 6 | systemd.services.nix-ipfs-cache = { 7 | wantedBy = [ "multi-user.target" ]; 8 | serviceConfig = { 9 | ExecStart = "${depot.packages.reflex-cache}/bin/reflex"; 10 | DynamicUser = true; 11 | SupplementaryGroups = [ "ipfs" ]; 12 | CacheDirectory = "nix-ipfs-cache"; 13 | }; 14 | environment = { 15 | REFLEX_PORT = config.links.nixIpfs.portStr; 16 | IPFS_API = config.services.ipfs.apiAddress; 17 | IPFS_CLUSTER_API = config.services.ipfs-cluster.settings.api.restapi.http_listen_multiaddress; 18 | NIX_CACHES = toString [ 19 | "https://cache.nixos.org" 20 | "https://cache.${depot.lib.meta.domain}" 21 | ]; 22 | }; 23 | }; 24 | 25 | services.nginx.virtualHosts."reflex.${depot.lib.meta.domain}" = depot.lib.nginx.vhosts.proxy config.links.nixIpfs.url; 26 | } 27 | -------------------------------------------------------------------------------- /cluster/services/search/default.nix: -------------------------------------------------------------------------------- 1 | { config, depot, ... }: 2 | 3 | { 4 | services.search = { 5 | nodes.host = [ "VEGAS" ]; 6 | nixos.host = ./host.nix; 7 | secrets.default.nodes = config.services.search.nodes.host; 8 | }; 9 | 10 | monitoring.blackbox.targets.search = { 11 | address = "https://search.${depot.lib.meta.domain}/healthz"; 12 | module = "https2xx"; 13 | }; 14 | 15 | dns.records.search.target = map 16 | (node: depot.hours.${node}.interfaces.primary.addrPublic) 17 | config.services.search.nodes.host; 18 | } 19 | -------------------------------------------------------------------------------- /cluster/services/search/host.nix: -------------------------------------------------------------------------------- 1 | { cluster, config, depot, lib, ... 
}: 2 | let 3 | inherit (config) links; 4 | in 5 | { 6 | links.searxng.protocol = "http"; 7 | 8 | services.searx = { 9 | enable = true; 10 | runInUwsgi = true; 11 | package = depot.packages.searxng; 12 | environmentFile = cluster.config.services.search.secrets.default.path; 13 | settings = { 14 | server = { 15 | secret_key = "@SEARXNG_SECRET@"; 16 | }; 17 | search.formats = [ 18 | "html" 19 | "json" 20 | ]; 21 | engines = [ 22 | { name = "bing"; disabled = true; } 23 | { name = "brave"; disabled = true; } 24 | ]; 25 | ui.theme_args.simple_style = "dark"; 26 | outgoing = { 27 | using_tor_proxy = true; 28 | proxies = rec { 29 | http = [ config.links.torSocks.url ]; 30 | https = http; 31 | }; 32 | }; 33 | }; 34 | uwsgiConfig = { 35 | http = links.searxng.tuple; 36 | cache2 = "name=searxcache,items=2000,blocks=2000,blocksize=65536,bitmap=1"; 37 | buffer-size = 65536; 38 | disable-logging = true; 39 | }; 40 | }; 41 | services.nginx.virtualHosts."search.${depot.lib.meta.domain}" = lib.recursiveUpdate (depot.lib.nginx.vhosts.proxy links.searxng.url) { 42 | extraConfig = "access_log off;"; 43 | }; 44 | systemd.services.uwsgi.after = [ "tor.service" ]; 45 | } 46 | -------------------------------------------------------------------------------- /cluster/services/soda/default.nix: -------------------------------------------------------------------------------- 1 | { depot, ... 
}: 2 | 3 | { 4 | services.soda = { 5 | nodes.host = [ "VEGAS" ]; 6 | nixos.host = ./host.nix; 7 | }; 8 | 9 | monitoring.blackbox.targets.soda-machine = { 10 | address = "soda.int.${depot.lib.meta.domain}:22"; 11 | module = "sshConnect"; 12 | }; 13 | 14 | dns.records = { 15 | soda.target = [ depot.hours.VEGAS.interfaces.primary.addrPublic ]; 16 | "soda.int".target = [ "10.10.2.206" ]; 17 | }; 18 | } 19 | -------------------------------------------------------------------------------- /cluster/services/soda/host.nix: -------------------------------------------------------------------------------- 1 | { depot, ... }: 2 | 3 | { 4 | containers.soda = { 5 | path = depot.nixosConfigurations.soda.config.system.build.toplevel; 6 | privateNetwork = true; 7 | hostBridge = "vmdefault"; 8 | localAddress = "${depot.hours.soda.interfaces.primary.addr}/24"; 9 | autoStart = true; 10 | bindMounts.sodaDir = { 11 | hostPath = "/srv/storage/www/soda"; 12 | mountPoint = "/soda"; 13 | isReadOnly = false; 14 | }; 15 | }; 16 | 17 | systemd.services."container@soda".after = [ "libvirtd.service" "sys-devices-virtual-net-vmdefault.device" ]; 18 | 19 | networking.nat.forwardPorts = [ 20 | { 21 | sourcePort = 52222; 22 | destination = "${depot.hours.soda.interfaces.primary.addr}:22"; 23 | proto = "tcp"; 24 | } 25 | ]; 26 | } 27 | -------------------------------------------------------------------------------- /cluster/services/sso/default.nix: -------------------------------------------------------------------------------- 1 | { config, depot, ... 
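}:

{
  services.sso = {
    nodes = {
      host = [ "VEGAS" ];
      oauth2-proxy = [ "VEGAS" ];
    };
    nixos = {
      host = ./host.nix;
      oauth2-proxy = ./oauth2-proxy.nix;
    };
  };

  dns.records = let
    ssoAddr = [ depot.hours.VEGAS.interfaces.primary.addrPublic ];
  in {
    login.target = ssoAddr;
    account.target = ssoAddr;
  };

  # Keycloak's database credentials are delivered raw (no pgpass wrapping) to
  # the SSO host; owner/group/mode fall back to the locksmith defaults
  # declared in patroni/options.nix (root:root, 0400).
  patroni = config.lib.forService "sso" {
    databases.keycloak = {};
    users.keycloak.locksmith = {
      nodes = config.services.sso.nodes.host;
      format = "raw";
    };
  };
}
--------------------------------------------------------------------------------
/cluster/services/sso/oauth2-proxy.nix:
--------------------------------------------------------------------------------
{ config, depot, ... }:
let
  inherit (depot.lib.meta) domain;
  login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
in
{
  age.secrets.oauth2_proxy-secrets = {
    file = ../../../secrets/oauth2_proxy-secrets.age;
    owner = "root";
    group = "root";
    mode = "0400";
  };

  # oauth2-proxy in front of the admin interfaces (e.g. ipfs.admin in
  # ipfs/remote-api.nix). Access requires a Keycloak account in the /admins
  # group whose e-mail is under the site domain.
  services.oauth2-proxy = {
    enable = true;
    nginx.domain = config.services.keycloak.settings.hostname;
    approvalPrompt = "auto";
    # NOTE(review): "keycloak" is the legacy provider; consider the
    # keycloak-oidc provider, which validates the ID token and enforces group
    # membership via allowed-group, if the deployed oauth2-proxy supports it.
    provider = "keycloak";
    scope = "openid";
    clientID = "net.privatevoid.admin-interfaces1";
    keyFile = config.age.secrets.oauth2_proxy-secrets.path;
    loginURL = login "auth";
    redeemURL = login "token";
    validateURL = login "userinfo";
    cookie = {
      secure = true;
      # NOTE(review): scoping the session cookie to the apex means every vhost
      # under the domain (chat, search, storage, ...) is sent the admin session
      # cookie, not only the proxied admin hosts. oauth2-proxy marks it
      # HttpOnly by default, but a compromised service on any subdomain still
      # receives and could replay it. Narrowing the scope requires the proxy
      # hostname and all protected vhosts to share a common sub-zone.
      domain = ".${domain}";
    };
    email.domains = [ domain ];
    extraConfig = {
      keycloak-group = "/admins";
      skip-provider-button = true;
    };
  };
}
--------------------------------------------------------------------------------
/cluster/services/storage/external.nix:
--------------------------------------------------------------------------------
{ config, cluster, ...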
}: 2 | 3 | let 4 | inherit (config.networking) hostName; 5 | in 6 | 7 | { 8 | services.external-storage = { 9 | fileSystems.external = { 10 | mountpoint = "/srv/storage"; 11 | locksmithSecret = "garage-storage-${hostName}"; 12 | backend = "s3c4://${cluster.config.links.garageS3.hostname}/storage-${hostName}"; 13 | backendOptions = [ "disable-expect100" ]; 14 | }; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /cluster/services/storage/garage-external.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | 3 | { 4 | services.external-storage = { 5 | underlays.garage = { 6 | subUser = "sub1"; 7 | credentialsFile = ./secrets/storage-box-credentials.age; 8 | path = "/garage/${config.networking.hostName}"; 9 | inherit (config.users.users.garage) uid; 10 | inherit (config.users.groups.garage) gid; 11 | }; 12 | }; 13 | 14 | services.garage.settings.data_dir = config.services.external-storage.underlays.garage.mountpoint; 15 | } 16 | -------------------------------------------------------------------------------- /cluster/services/storage/garage-gateway.nix: -------------------------------------------------------------------------------- 1 | { config, cluster, depot, lib, ... 
}: 2 | 3 | let 4 | linkS3 = cluster.config.hostLinks.${config.networking.hostName}.garageS3; 5 | linkWeb = cluster.config.hostLinks.${config.networking.hostName}.garageWeb; 6 | in 7 | 8 | { 9 | links.garageMetrics.protocol = "http"; 10 | 11 | services.garage.settings.admin.api_bind_addr = config.links.garageMetrics.tuple; 12 | 13 | consul.services = { 14 | garage = { 15 | mode = "external"; 16 | definition = { 17 | name = "garage"; 18 | address = linkS3.ipv4; 19 | inherit (linkS3) port; 20 | checks = [ 21 | { 22 | name = "Garage Node"; 23 | id = "service:garage:node"; 24 | interval = "5s"; 25 | http = "${config.links.garageMetrics.url}/health"; 26 | } 27 | ]; 28 | }; 29 | }; 30 | garage-web = { 31 | mode = "external"; 32 | unit = "garage"; 33 | definition = { 34 | name = "garage-web"; 35 | address = linkWeb.ipv4; 36 | inherit (linkWeb) port; 37 | checks = [ 38 | { 39 | name = "Garage Service Status"; 40 | id = "service:garage-web:garage"; 41 | alias_service = "garage"; 42 | } 43 | ]; 44 | }; 45 | }; 46 | }; 47 | } 48 | -------------------------------------------------------------------------------- /cluster/services/storage/garage-internal.nix: -------------------------------------------------------------------------------- 1 | let 2 | dataDir = "/srv/storage/private/garage"; 3 | in 4 | 5 | { 6 | systemd.tmpfiles.rules = [ 7 | "d '${dataDir}' 0700 garage garage -" 8 | ]; 9 | 10 | services.garage.settings.data_dir = dataDir; 11 | } 12 | -------------------------------------------------------------------------------- /cluster/services/storage/garage-layout.nix: -------------------------------------------------------------------------------- 1 | { 2 | system.ascensions.garage-layout.incantations = i: [ 3 | ]; 4 | 5 | services.garage.layout.initial = { 6 | grail = { zone = "eu-central"; capacity = 1000; }; 7 | prophet = { zone = "eu-central"; capacity = 1000; }; 8 | VEGAS = { zone = "eu-central"; capacity = 1000; }; 9 | }; 10 | } 11 | 
-------------------------------------------------------------------------------- /cluster/services/storage/garage-metrics.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | let 4 | inherit (config.links) garageMetrics; 5 | in 6 | 7 | { 8 | services.grafana-agent = { 9 | settings.metrics.configs = lib.singleton { 10 | name = "metrics-garage"; 11 | scrape_configs = lib.singleton { 12 | job_name = "garage"; 13 | static_configs = lib.singleton { 14 | targets = lib.singleton garageMetrics.tuple; 15 | labels.instance = config.networking.hostName; 16 | }; 17 | }; 18 | }; 19 | }; 20 | } 21 | -------------------------------------------------------------------------------- /cluster/services/storage/heresy.nix: -------------------------------------------------------------------------------- 1 | { 2 | services.external-storage = { 3 | underlays.heresy = { 4 | subUser = "sub1"; 5 | credentialsFile = ./secrets/storage-box-credentials.age; 6 | path = "/fs/heresy"; 7 | }; 8 | fileSystems.heresy = { 9 | mountpoint = "/srv/heresy"; 10 | unitName = "heresy"; 11 | unitDescription = "Heresy Filesystem"; 12 | authFile = ./secrets/heresy-encryption-key.age; 13 | underlay = "heresy"; 14 | encrypt = true; 15 | }; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /cluster/services/storage/incandescence.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | { 4 | incandescence.providers.garage = { 5 | objects = { 6 | key = lib.attrNames config.garage.keys; 7 | bucket = lib.attrNames config.garage.buckets; 8 | }; 9 | }; 10 | } 11 | -------------------------------------------------------------------------------- /cluster/services/storage/internal.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | 3 | let 4 | storageDir = "/srv/storage"; 5 | in 6 | 7 | { 8 | systemd.tmpfiles.settings."00-storage" = { 9 | "${storageDir}".d.mode = "0755"; 10 | "${storageDir}/private".d.mode = "0751"; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /cluster/services/storage/options.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | 3 | { 4 | options.garage = { 5 | buckets = lib.mkOption { 6 | description = "Buckets to create in Garage."; 7 | type = with lib.types; attrsOf anything; 8 | default = {}; 9 | }; 10 | 11 | keys = lib.mkOption { 12 | description = "Keys to create in Garage."; 13 | type = with lib.types; attrsOf anything; 14 | default = {}; 15 | }; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /cluster/services/storage/s3ql-upgrades.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}:

# Register one "ascension" (an ordered, one-shot upgrade step) per
# external-storage filesystem so the S3QL on-disk format is upgraded
# before that filesystem's mount unit starts.
{
  system.ascensions = lib.mapAttrs' (name: fs:
    lib.nameValuePair "s3ql-${name}" {
      # Run as a hard dependency of, and strictly before, the mount unit.
      requiredBy = [ "${fs.unitName}.service" ];
      before = [ "${fs.unitName}.service" ];
      incantations = i: [
        (i.runS3qlUpgrade name) # 4.0.0 -> 5.1.3
      ];
    }
  ) config.services.external-storage.fileSystems;
}
-------------------------------------------------------------------------------- /cluster/services/storage/secrets/garage-rpc-secret.age: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/services/storage/secrets/garage-rpc-secret.age
-------------------------------------------------------------------------------- /cluster/services/storage/secrets/heresy-encryption-key.age: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/services/storage/secrets/heresy-encryption-key.age
-------------------------------------------------------------------------------- /cluster/services/storage/secrets/storage-box-credentials.age: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/cluster/services/storage/secrets/storage-box-credentials.age
-------------------------------------------------------------------------------- /cluster/services/storage/simulacrum/snakeoil-heresy-passphrase.nix: --------------------------------------------------------------------------------
# Simulacrum (test VM) stand-in for the heresy storage auth file: a local://
# backend with a fixed, public passphrase. Only meaningful inside the
# simulacrum; the real secret is the heresy-encryption-key.age above.
{
  environment.etc."dummy-secrets/storageAuth-heresy".text = ''
    [local]
    storage-url: local://
    fs-passphrase: simulacrum
  '';
}

--------------------------------------------------------------------------------
/cluster/services/storage/simulacrum/snakeoil-rpc-secret.nix: --------------------------------------------------------------------------------
# Simulacrum stand-in for the Garage RPC secret: a fixed, public placeholder
# value. The real one is garage-rpc-secret.age.
{
  environment.etc."dummy-secrets/garageRpcSecret".text = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
}
-------------------------------------------------------------------------------- /cluster/services/storage/simulacrum/test-data.nix: --------------------------------------------------------------------------------
{ config, lib, ... }:

# Test fixtures for the storage service: one key and one bucket that grants
# that key read/write. Only declared when running inside the simulacrum.
{
  garage = lib.mkIf config.simulacrum {
    keys.testkey = {};
    # NOTE(review): the key above is named "testkey" but this grant is for
    # "testKey". If `allow` is keyed by key name, the grant targets a key
    # that does not exist -- confirm against the Garage provider.
    buckets.testbucket.allow.testKey = [ "read" "write" ];
  };
}
-------------------------------------------------------------------------------- /cluster/services/tor/client.nix: --------------------------------------------------------------------------------
{ config, ... }:

# Local Tor SOCKS client on the torSocks link.
{
  # socks5h: name resolution happens through the proxy, so DNS lookups do not leak locally.
  links.torSocks.protocol = "socks5h";

  services.tor = {
    enable = true;
    client.enable = true;
    client.socksListenAddress = {
      # Streams to different destination addresses never share a circuit.
      IsolateDestAddr = true;
      addr = config.links.torSocks.ipv4;
      port = config.links.torSocks.port;
    };
  };
}
-------------------------------------------------------------------------------- /cluster/services/tor/default.nix: --------------------------------------------------------------------------------
# Cluster service definition: the Tor client runs on VEGAS only.
{
  services.tor-client = {
    nodes.client = [ "VEGAS" ];
    nixos.client = ./client.nix;
  };
}
-------------------------------------------------------------------------------- /cluster/services/warehouse/default.nix: --------------------------------------------------------------------------------
{ config, depot, ...
}:

# Cluster service definition for "warehouse": hosted on VEGAS, with a DNS
# record pointing at the public address of every host node.
{
  services.warehouse = {
    nodes.host = [ "VEGAS" ];
    nixos.host = [ ./host.nix ];
  };

  dns.records.warehouse.target = builtins.map
    (node: depot.hours.${node}.interfaces.primary.addrPublic)
    config.services.warehouse.nodes.host;
}
-------------------------------------------------------------------------------- /cluster/services/ways/default.nix: --------------------------------------------------------------------------------
{ config, lib, ... }:

# Cluster service definition for "ways" (reverse-proxied entry points).
# Runs wherever the websites service runs; each declared way contributes
# its own DNS record.
{
  imports = [
    ./options
    ./simulacrum/test-data.nix
  ];

  services.ways = {
    nodes.host = config.services.websites.nodes.host;
    nixos.host = ./host.nix;
    simulacrum = {
      enable = true;
      deps = [ "nginx" "acme-client" "dns" "certificates" "consul" ];
      settings = ./simulacrum/test.nix;
    };
  };

  # One DNS record per way, named by the way's dnsRecord.name and rooted
  # at its domain suffix.
  dns.records = lib.mapAttrs'
    (_: way: lib.nameValuePair way.dnsRecord.name ({ ... }: {
      imports = [ way.dnsRecord.value ];
      root = way.domainSuffix;
    }))
    config.ways;
}
-------------------------------------------------------------------------------- /cluster/services/ways/options/default.nix: --------------------------------------------------------------------------------
{ config, lib, depot, ... }:

# The `ways` option: an attrset of way submodules (see way.nix).
{
  options.ways = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule ({ options, ...
}: {
      imports = [ ./way.nix ];
      domainSuffixExternal = depot.lib.meta.domain;
      domainSuffixInternal = "internal.${depot.lib.meta.domain}";

      # When a way is backed by a Garage bucket, rewrite the upstream Host
      # header to the bucket's virtual-host name on the garageWeb link.
      extras = lib.mkIf options.bucket.isDefined {
        locations."/".extraConfig = ''
          proxy_set_header Host "${options.bucket.value}.${config.links.garageWeb.hostname}";
        '';
      };
    }));
    default = {};
  };
}
-------------------------------------------------------------------------------- /cluster/services/ways/simulacrum/test-data.nix: --------------------------------------------------------------------------------
{ config, lib, ... }:
# Simulacrum-only fixtures: one way with a static target and one resolved
# through a Consul service.
{
  ways = lib.mkIf config.simulacrum {
    ways-test-simple = config.lib.forService "ways" {
      target = "http://nowhere";
    };
    ways-test-consul = config.lib.forService "ways" {
      consulService = "ways-test-service";
    };
  };
}
-------------------------------------------------------------------------------- /cluster/services/websites/websites.nix: --------------------------------------------------------------------------------
{ inputs, packages, tools }:
# Virtual hosts for the public websites service, keyed by subdomain.
let
  inherit (tools) domain;
  inherit (tools.vhosts) static redirect;
in
{
  # websites
  www = static packages.landing.webroot // { default = true; };
  draw = static packages.excalidraw.webroot;
  "docs.hyprspace" = static "${inputs.hyprspace.packages.docs}/share/www/hyprspace-docs";

  # PSA sites
  stop-using-nix-env = static packages.stop-using-nix-env.webroot;

  # Echoes the client's source address; served over plain HTTP by design.
  whoami.locations = { # no tls
    "/".return = ''200 "$remote_addr\n"'';
    "/online".return = ''200 "CONNECTED_GLOBAL\n"'';
  };

  # Bare domain redirects to www.
  top-level = redirect "https://www.${domain}$request_uri" // { serverName = domain; };
}
-------------------------------------------------------------------------------- /cluster/services/wireguard/mesh.nix: --------------------------------------------------------------------------------
{ cluster, config, ...
}:
# Full-mesh WireGuard between cluster nodes on interface wgmesh. Peer
# parameters come from the cluster-level hostLinks; the private key is an
# agenix secret.
let
  inherit (config.networking) hostName;

  link = cluster.config.hostLinks.${hostName}.mesh;

  # Build the peer entry for one remote node from its mesh link.
  mkPeer = peerName:
    let
      their = cluster.config.hostLinks.${peerName}.mesh;
    in {
      publicKey = their.extra.pubKey;
      # The peer's own /32 plus any extra prefixes it announces.
      allowedIPs = [ "${their.extra.meshIp}/32" ] ++ their.extra.extraRoutes;
      endpoint = their.tuple;
    };
in
{
  # wgmesh is a trusted interface: traffic arriving from mesh peers
  # bypasses the host firewall entirely.
  networking.firewall.trustedInterfaces = [ "wgmesh" ];
  networking.firewall.allowedUDPPorts = [ link.port ];

  networking.wireguard = {
    enable = true;
    interfaces.wgmesh = {
      ips = [ "${link.extra.meshIp}/24" ];
      listenPort = link.port;
      privateKeyFile = cluster.config.services.wireguard.secrets.meshPrivateKey.path;
      peers = builtins.map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName);
    };
  };
}
-------------------------------------------------------------------------------- /cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-VEGAS: --------------------------------------------------------------------------------
MNvWpMluuzQvPyGTp7jtyPSyz6n9lIly/WX1gW2NAHg=
-------------------------------------------------------------------------------- /cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-checkmate: --------------------------------------------------------------------------------
YHzP8rBP6qiXs6ZdnvHop9KnCYRADIEejwZzAzvj8m4=
-------------------------------------------------------------------------------- /cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-grail: --------------------------------------------------------------------------------
uD7X5E6N9d0sN+xPr/bWnehSa3bAok741GO7Z4I+Z3I=
-------------------------------------------------------------------------------- /cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-prophet: --------------------------------------------------------------------------------
QHyIJ3HoKGGFN28qOrQP4UyoQMP5bM7Idn2MzayKzEM=
-------------------------------------------------------------------------------- /cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-thunderskin: --------------------------------------------------------------------------------
YLl+hkWaCWx/5PpWs3cQ+bKqYdJef/qZ+FMTsM9ammM=
-------------------------------------------------------------------------------- /cluster/services/wireguard/simulacrum/snakeoil-keys.nix: --------------------------------------------------------------------------------
{ lib, config, ... }:
# Simulacrum only: replace both WireGuard private keys (mesh and storm)
# with the committed, public "snakeoil" key for this host. mkForce makes
# sure the test VM never falls back to a real agenix secret.
let
  snakeoilKey = ./keys/snakeoilPrivateKey-${config.networking.hostName};
in
{
  config.environment.etc = {
    "dummy-secrets/cluster-wireguard-meshPrivateKey".source = lib.mkForce snakeoilKey;
    "dummy-secrets/wireguard-key-storm".source = lib.mkForce snakeoilKey;
  };
}
-------------------------------------------------------------------------------- /cluster/services/wireguard/storm.nix: --------------------------------------------------------------------------------
{ config, ...
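}:
# "storm" WireGuard hub on interface wgstorm: this host is 10.100.0.1 and
# terminates a fixed set of road-warrior peers (no endpoints, so they must
# initiate). VPN clients are NATed out through the host.
let
  inherit (config.networking) hostName;

  vpnNet = "10.100.0.0/24";

  # Single source of truth for the listen port; it must match the firewall
  # opening below. 123/udp is also the well-known NTP port -- keep that in
  # mind when reading flow logs or upstream filtering rules.
  stormPort = 123;
in
{
  # Per-host private key, readable by root only.
  age.secrets.wireguard-key-storm = {
    file = ../../../secrets + "/wireguard-key-storm-${hostName}.age";
    mode = "0400";
  };

  networking = {
    firewall = {
      allowedUDPPorts = [ stormPort ];
    };

    # Only the address list is set here; networking.nat.enable (and the
    # external interface) must come from another module on the same host.
    nat.internalIPs = [
      vpnNet
    ];

    wireguard = {
      enable = true;
      interfaces.wgstorm = {
        ips = [ "10.100.0.1/24" ];
        listenPort = stormPort;
        privateKeyFile = config.age.secrets.wireguard-key-storm.path;
        # wgstorm is deliberately not a trusted interface: peer traffic into
        # this host is still subject to the firewall.
        peers = [
          {
            publicKey = "1JzRMYmCDT9wqPT81u7VRF0KntThTGOsnSmYd0jovhQ=";
            allowedIPs = [ "10.100.0.4/32" ];
          }
          {
            publicKey = "7Bx5Agg2fHio2G3+ksI3osWkXBg5nP1bi06LjPafYG8=";
            allowedIPs = [ "10.100.0.13/32" ];
          }
          {
            publicKey = "GMVlOpvtIAmopM8W2bC6CzaK41/p3qLgq+/IgAjT8HY=";
            allowedIPs = [ "10.100.0.7/32" ];
          }
        ];
      };
    };
  };
}
-------------------------------------------------------------------------------- /cluster/services/wireguard/test.nix: --------------------------------------------------------------------------------
{ cluster, lib, ...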
}: /* NixOS VM test for the WireGuard mesh: every mesh node must bring up wireguard-wgmesh.target and then ping every other node's mesh IP through the tunnel. The function header ("{ cluster, lib, ...") is on the previous page line. */ 2 | 3 | { 4 | /* The test VMs do not load the locksmith module; sink its options so evaluation does not fail on undeclared settings. */ defaults.options.services.locksmith = lib.mkSinkUndeclaredOptions { }; 5 | 6 | /* Python test driver script. Indentation inside the generated Python is significant and comes from the nested lib.pipe / concatStringsSep calls below; the page rendering may have collapsed it, so do not reflow this string. */ testScript = '' 7 | start_all() 8 | ${lib.pipe cluster.config.services.wireguard.nodes.mesh [ 9 | (map (node: /*python*/ '' 10 | ${node}.wait_for_unit("wireguard-wgmesh.target") 11 | '')) 12 | (lib.concatStringsSep "\n") 13 | ]} 14 | 15 | ${lib.pipe cluster.config.services.wireguard.nodes.mesh [ 16 | (map (node: /*python*/ '' 17 | with subtest("${node} can reach all other nodes"): 18 | ${lib.pipe (cluster.config.services.wireguard.otherNodes.mesh node) [ 19 | (map (peer: /*python*/ '' 20 | ${node}.succeed("ping -c3 ${cluster.config.hostLinks.${peer}.mesh.extra.meshIp}") 21 | '')) 22 | (lib.concatStringsSep "\n ") 23 | ]} 24 | '')) 25 | (lib.concatStringsSep "\n") 26 | ]} 27 | ''; 28 | } 29 | -------------------------------------------------------------------------------- /cluster/simulacrum/checks.nix: -------------------------------------------------------------------------------- 1 | { config, extendModules, lib, ... }: 2 | 3 | { 4 | /* Per-system flake checks: one "simulacrum-<service>" check for every cluster service with simulacrum.enable set, built only on x86_64-linux (the VM tests run there). */ perSystem = { pkgs, system, ... }: { 5 | checks = lib.mkIf (system == "x86_64-linux") (lib.mapAttrs' (name: svc: let 6 | runSimulacrum = pkgs.callPackage ./. { 7 | inherit config extendModules; 8 | }; 9 | in { 10 | name = "simulacrum-${name}"; 11 | value = runSimulacrum { 12 | service = name; 13 | }; 14 | }) (lib.filterAttrs (_: svc: svc.simulacrum.enable) config.cluster.config.services)); 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /cluster/simulacrum/nowhere/options.nix: -------------------------------------------------------------------------------- 1 | { lib, ...
}:

# Options for "Nowhere", the simulacrum's stand-in for the outside world:
# hostnames that should resolve to it and the snakeoil certificates it serves.
{
  options.nowhere = {
    names = lib.mkOption {
      description = "Hostnames that point Nowhere.";
      type = lib.types.attrsOf lib.types.str;
      default = {};
    };
    certs = lib.mkOption {
      description = "Snakeoil certificate packages.";
      type = lib.types.attrsOf lib.types.package;
      default = {};
    };
  };
}
-------------------------------------------------------------------------------- /hosts/VEGAS/default.nix: --------------------------------------------------------------------------------
# Host record for VEGAS (the "backbone" node); field meanings are declared
# in hosts/options/hour/*.nix. `rec` is needed so hyprspace.routes can
# refer to interfaces.vstub.addr.
tools: rec {
  ssh.enable = true;
  ssh.id = {
    # Host public key only; used for client-side known_hosts pinning.
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz2nGA+Y4OxhMKsV6vKIns3hOoBkK557712h7FfWXcE";
    hostNames = tools.dns.subResolve "vegas" "backbone";
  };

  interfaces = {
    primary = {
      addr = "95.216.8.12";
      link = "enp0s31f6";
    };
    vstub = {
      addr = "10.1.0.1";
      link = "vstub";
    };
  };

  hardware = {
    cpu.cores = 8;
    memory.gb = 64;
  };

  hyprspace = {
    enable = true;
    id = "QmYs4xNBby2fTs8RnzfXEk161KD4mftBfCiR8yXtgGPj4J";
    listenPort = 995;
    # Prefixes this host exports into the Hyprspace overlay.
    routes = [
      "${interfaces.vstub.addr}/32"
      "10.10.0.0/16"
    ];
  };

  enterprise = {
    subdomain = "backbone";
  };

  system = "x86_64-linux";
  nixos = ./system.nix;
}
-------------------------------------------------------------------------------- /hosts/VEGAS/hardware-configuration.nix: --------------------------------------------------------------------------------
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, ...
}:

{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

  boot.initrd.availableKernelModules = [ "ahci" ];
  boot.initrd.kernelModules = [ "dm-snapshot" "dm-raid1" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/1f8327a2-ece6-4e87-895c-b75253ecc584";
    fsType = "xfs";
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/4c709e5b-9a94-4899-b1f9-abbcc4c8264c";
    fsType = "ext4";
  };

  # Bulk storage root used by the storage and websites services.
  fileSystems."/srv/storage" = {
    device = "/dev/disk/by-uuid/4fc53695-3fc3-4053-a0d8-72255863fdc8";
    fsType = "xfs";
  };

  swapDevices = [ ];
}
-------------------------------------------------------------------------------- /hosts/VEGAS/modules/redis/default.nix: --------------------------------------------------------------------------------
# Default Redis instance on the standard port. No bind address is set
# here, so the NixOS module default applies -- confirm it is loopback-only
# before exposing anything that depends on it.
{
  services.redis.servers.default = {
    port = 6379;
    enable = true;
  };
}
-------------------------------------------------------------------------------- /hosts/VEGAS/modules/virtualisation/default.nix: --------------------------------------------------------------------------------
{ pkgs, ... }:

# libvirt/KVM host. polkit is required for unprivileged libvirt access.
{
  virtualisation.libvirtd = {
    enable = true;
    qemu.package = pkgs.qemu_kvm;
  };
  security.polkit.enable = true;
  # TODO: maybe be more strict
  # Trusting the VM bridges means every guest on them reaches this host
  # without any firewall filtering.
  networking.firewall.trustedInterfaces = [
    "vmcore"
    "vmdefault"
  ];
}
-------------------------------------------------------------------------------- /hosts/VEGAS/services/backbone-routing/default.nix: --------------------------------------------------------------------------------
{ config, ...
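}:
# Masquerade the 10.10.0.0/16 backbone out of this host's primary interface.
let
  inherit (config.reflection) interfaces;
in
{
  networking.nat = {
    enable = true;
    externalInterface = interfaces.primary.link;
    internalIPs = [
      "10.10.0.0/16"
    ];
  };
}
-------------------------------------------------------------------------------- /hosts/VEGAS/services/cdn-shield/default.nix: --------------------------------------------------------------------------------
{ depot, lib, ... }:

# Publish the shields from shields.nix as subdomains of
# cdn-shield.privatevoid.net, and declare the on-disk cache zone the
# wttr.in shield uses.
let
  tools = (depot.lib.override {
    meta.domain = lib.mkForce "cdn-shield.privatevoid.net";
  }).nginx;
in
{
  services.nginx.virtualHosts = tools.mappers.mapSubdomains (import ./shields.nix { inherit tools; });
  services.nginx.appendHttpConfig = ''
    proxy_cache_path /var/cache/nginx/wttr levels=1:2 keys_zone=wttr:10m max_size=100m inactive=30d use_temp_path=off;
  '';
}
-------------------------------------------------------------------------------- /hosts/VEGAS/services/cdn-shield/shields.nix: --------------------------------------------------------------------------------
{ tools }:
# Reverse-proxy "shields" in front of third-party CDNs. The wttr.in shield
# additionally caches upstream responses in the "wttr" zone from default.nix.
let
  inherit (tools.vhosts) proxyGhost;
  wttr = proxyGhost "https" "wttr.in";
in
{
  "fonts-googleapis-com" = proxyGhost "https" "fonts.googleapis.com";
  "fonts-gstatic-com" = proxyGhost "https" "fonts.gstatic.com";
  "cdnjs-cloudflare-com" = proxyGhost "https" "cdnjs.cloudflare.com";
  "wttr-in" = wttr // {
    # Cache key is path *and* query string. wttr.in varies its response on
    # query parameters (the bypass rule below already treats ?nocache and
    # ?comment as significant), so keying on bare $uri would let one
    # client's variant be served to every other client asking for the same
    # path -- an unkeyed-input cache poisoning vector.
    #
    # NOTE(review): POST responses are cached under the same key as GET and
    # the request body is not part of the key; drop POST from
    # proxy_cache_methods unless the upstream is known to ignore bodies.
    # `proxy_cache_valid any` also caches error responses for 10 minutes.
    locations."/".extraConfig = wttr.locations."/".extraConfig + ''
      proxy_cache wttr;
      proxy_cache_key $uri$is_args$args;
      proxy_cache_min_uses 1;
      proxy_cache_methods GET HEAD POST;
      proxy_cache_valid any 10m;
      proxy_cache_bypass $cookie_nocache $arg_nocache$arg_comment;
      proxy_cache_lock on;
      proxy_cache_use_stale updating;
    '';
  };
}
-------------------------------------------------------------------------------- /hosts/VEGAS/services/jokes/default.nix: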
--------------------------------------------------------------------------------
{ depot, ... }:
# Static joke sites served from /srv/storage, one per subdomain.
let
  inherit (depot.lib.nginx.mappers) mapSubdomains;
  inherit (depot.lib.nginx.vhosts) static;
in
{
  services.nginx.virtualHosts = mapSubdomains {
    "bone-ds-dc.com-ldap" = static "/srv/storage/www/bone-meme/dist";
    "rzentrale" = static "/srv/storage/www/rzentrale";
    "wunschnachricht" = static "/srv/storage/www/wunschnachricht";
  };
}
-------------------------------------------------------------------------------- /hosts/VEGAS/services/minecraft/default.nix: --------------------------------------------------------------------------------
# Minecraft: the EULA is accepted here; no server instances are imported yet.
{
  imports = [ ];
  services.modded-minecraft-servers.eula = true;
}
-------------------------------------------------------------------------------- /hosts/VEGAS/services/websites/default.nix: --------------------------------------------------------------------------------
{ config, depot, lib, ... }:

# Host-local websites for VEGAS: load the vhost table from websites.nix,
# map it onto subdomains, and switch every ACME-enabled vhost to the
# DNS-01 "exec" provider instead of webroot validation.
let
  importWebsites = file: import file {
    tools = depot.lib.nginx;
    packages = depot.packages;
  };

  # Certificate entry for one vhost: named after useACMEHost, else
  # serverName, else the vhost's own attribute name.
  acmeUseDNS = name: conf:
    lib.nameValuePair (conf.useACMEHost or conf.serverName or name) {
      dnsProvider = "exec";
      webroot = null;
    };

  isACME = _: conf: conf ?
enableACME && conf.enableACME;

  websites = depot.lib.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
in {
  # Only declare certificates when nginx itself is enabled on this host.
  security.acme.certs = lib.mkIf config.services.nginx.enable
    (lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites));
  services.nginx.virtualHosts = websites;
}
-------------------------------------------------------------------------------- /hosts/VEGAS/services/websites/websites.nix: --------------------------------------------------------------------------------
{ packages, tools }:
# VEGAS-local static sites, all rooted under /srv/storage/www.
let
  inherit (tools.vhosts) static;
in
{
  # websites
  # ktp lives inside the soda webroot and is also reachable through it.
  ktp = static "/srv/storage/www/soda/ktp";
  legacy = static "/srv/storage/www/legacy";
  soda = static "/srv/storage/www/soda" // {
    # Custom error pages are served from a dot-directory inside the webroot.
    extraConfig = ''
      error_page 404 /.nginx-private/404.html;
      error_page 500 502 503 504 /.nginx-private/50x.html;
    '';
  };

  # content delivery
  autoconfig = static "/srv/storage/www/autoconfig";
}
-------------------------------------------------------------------------------- /hosts/checkmate/default.nix: --------------------------------------------------------------------------------
# Host record for checkmate; field meanings are declared in
# hosts/options/hour/*.nix. Behind NAT: addr is the private address,
# addrPublic the routable one.
tools: rec {
  ssh.enable = true;
  ssh.id = {
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINImnMfEzUBU5qiuu05DMPrddTGypOtr+cL1/yQN2GFn";
    hostNames = tools.dns.subResolve "checkmate" "node";
  };

  interfaces = {
    primary = {
      addr = "10.0.243.198";
      addrPublic = "152.67.73.164";
      link = "ens3";
    };
    vstub = {
      addr = "10.1.0.32";
      link = "vstub";
    };
  };

  hardware = {
    cpu.cores = 1;
    memory.gb = 1;
  };

  hyprspace = {
    enable = true;
    id = "12D3KooWL84sAtq1QTYwb7gVbhSNX5ZUfVt4kgYKz8pdif1zpGUh";
    listenPort = 995;
    routes = [
      "${interfaces.vstub.addr}/32"
    ];
  };

  enterprise = {
    subdomain = "node";
  };

  system = "x86_64-linux";
  nixos = ./system.nix;
}
-------------------------------------------------------------------------------- /hosts/checkmate/hardware-configuration.nix: --------------------------------------------------------------------------------
{ modulesPath, ... }:

# QEMU guest with partition-label based mounts.
{
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = { device = "/dev/disk/by-partlabel/rootfs"; fsType = "xfs"; };
  fileSystems."/boot" = { device = "/dev/disk/by-partlabel/boot"; fsType = "vfat"; };
  swapDevices = [ { device = "/dev/disk/by-partlabel/swap"; } ];
}
-------------------------------------------------------------------------------- /hosts/checkmate/system.nix: --------------------------------------------------------------------------------
{ config, depot, ... }:

# NixOS system for checkmate: hardware profile, agenix secrets, the
# Hyprspace overlay and the shared serverBase module.
{
  imports = [
    # Hardware
    ./hardware-configuration.nix

    depot.inputs.agenix.nixosModules.age

    depot.nixosModules.hyprspace
    depot.nixosModules.serverBase
  ];

  # Use the systemd-boot EFI boot loader.
16 | boot.loader.systemd-boot.enable = true; 17 | boot.loader.efi.canTouchEfiVariables = true; 18 | 19 | networking.hostName = "checkmate"; 20 | networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ]; 21 | 22 | time.timeZone = "Europe/Zurich"; 23 | 24 | networking.useDHCP = false; 25 | networking.interfaces.${config.reflection.interfaces.primary.link}.useDHCP = true; 26 | 27 | i18n.defaultLocale = "en_US.UTF-8"; 28 | 29 | services.openssh.enable = true; 30 | 31 | zramSwap.enable = true; 32 | zramSwap.algorithm = "zstd"; 33 | 34 | system.stateVersion = "21.11"; 35 | 36 | } 37 | 38 | -------------------------------------------------------------------------------- /hosts/grail/default.nix: -------------------------------------------------------------------------------- 1 | tools: rec { 2 | ssh.enable = true; 3 | ssh.id = with tools.dns; { 4 | publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBi5Fm2pmMBhRgJms+me1ldt9Vgj9cMSnB7UllSz3mpY"; 5 | hostNames = subResolve "grail" "node"; 6 | }; 7 | 8 | interfaces = { 9 | primary = { 10 | addr = "37.27.11.202"; 11 | link = "enp1s0"; 12 | }; 13 | vstub = { 14 | addr = "10.1.0.6"; 15 | link = "vstub"; 16 | }; 17 | }; 18 | 19 | hardware = { 20 | cpu.cores = 4; 21 | memory.gb = 8; 22 | }; 23 | 24 | hyprspace = { 25 | enable = true; 26 | id = "12D3KooWN31twBvdEcxz2jTv4tBfPe3mkNueBwDJFCN4xn7ZwFbi"; 27 | listenPort = 995; 28 | routes = [ 29 | "${interfaces.vstub.addr}/32" 30 | ]; 31 | }; 32 | 33 | enterprise = { 34 | subdomain = "node"; 35 | }; 36 | 37 | system = "aarch64-linux"; 38 | nixos = ./system.nix; 39 | } 40 | -------------------------------------------------------------------------------- /hosts/grail/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { modulesPath, ... 
}:
# QEMU guest with partition-label based mounts; the boot loader is set here
# rather than in system.nix.
{
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = { device = "/dev/disk/by-partlabel/rootfs"; fsType = "ext4"; };
  fileSystems."/boot" = { device = "/dev/disk/by-partlabel/boot"; fsType = "vfat"; };
}
-------------------------------------------------------------------------------- /hosts/grail/system.nix: --------------------------------------------------------------------------------
{ config, depot, ... }:

# NixOS system for grail. Networking is fully static: a /32 on the primary
# link plus a host route to the gateway.
let
  inherit (config.reflection.interfaces) primary;
in

{
  imports = [
    ./hardware-configuration.nix

    depot.inputs.agenix.nixosModules.age

    depot.nixosModules.serverBase

    depot.nixosModules.hyprspace
  ];

  zramSwap.enable = true;

  networking.hostName = "grail";
  # Resolve through VEGAS's vstub address (reached over the overlay).
  networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];

  i18n.defaultLocale = "en_US.UTF-8";

  # sshd is enabled here; authentication hardening is not set in this file
  # and is presumably provided by depot.nixosModules.serverBase -- confirm.
  services.openssh.enable = true;

  time.timeZone = "Europe/Helsinki";

  networking = {
    defaultGateway = "172.31.1.1";
    useDHCP = false;
    dhcpcd.enable = false;
    interfaces.${primary.link} = {
      ipv4.addresses = [
        { address = primary.addr; prefixLength = 32; }
      ];
      # The address is a /32, so the gateway is not on-link by prefix; an
      # explicit host route makes it reachable.
      ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
    };
  };

  system.stateVersion = "23.05";
}
-------------------------------------------------------------------------------- /hosts/nixos.nix: --------------------------------------------------------------------------------
{ config, lib, withSystem, ...
}:

# Build one nixosConfiguration per host from the gods.fromLight and
# gods.fromFlesh records.
let
  inherit (lib) mapAttrs nixosSystem;
  inherit (config) gods;

  buildHost = name: host: nixosSystem {
    specialArgs = config.lib.summon host.system lib.id;
    modules = [
      host.nixos
      # The inner `config` here is the per-system config, not this module's;
      # the host's package set is the per-system pkgs overlaid with its shadows.
      (withSystem host.system ({ config, pkgs, ... }: {
        nixpkgs.pkgs = pkgs // config.shadows;
      }))
    ] ++ config.cluster.config.out.injectNixosConfig name;
  };
in {
  flake.nixosConfigurations = mapAttrs buildHost (gods.fromLight // gods.fromFlesh);
}
-------------------------------------------------------------------------------- /hosts/options/default.nix: --------------------------------------------------------------------------------
{ config, lib, ... }:

# Host inventory options. Every host ("hour") is a submodule assembled from
# the per-aspect option files under ./hour. `hours` is the read-only union
# of the three god categories.
let
  inherit (lib) mkOption types;

  hourType = types.submodule {
    imports = [
      ./hour/enterprise.nix
      ./hour/hyprspace.nix
      ./hour/interfaces.nix
      ./hour/nixos.nix
      ./hour/ssh.nix
      ./hour/hardware.nix
    ];
  };

  mkHours = description: mkOption {
    inherit description;
    type = types.attrsOf hourType;
    default = {};
  };
in

{
  options = {
    gods = {
      fromLight = mkHours "Gods-from-Light: The emanations of The Glory";
      fromFlesh = mkHours "Gods-from-Flesh: Mortals who penetrated the Mansus";
      fromNowhere = mkHours "Gods-from-Nowhere: Lesser Hours";
    };
    hours = mkHours "Hours are the incarnate principles of the world." // {
      readOnly = true;
      default = config.gods.fromLight // config.gods.fromFlesh // config.gods.fromNowhere;
    };
  };
}
-------------------------------------------------------------------------------- /hosts/options/hour/enterprise.nix: --------------------------------------------------------------------------------
{ lib, ...
}:
with lib;

# The DNS subdomain a host's FQDN lives under.
{
  options.enterprise.subdomain = lib.mkOption {
    description = "Host FQDN subdomain.";
    type = lib.types.str;
    default = "services";
  };
}
-------------------------------------------------------------------------------- /hosts/options/hour/hardware.nix: --------------------------------------------------------------------------------
{ lib, ... }:

# Sizing facts about a host; both are required (no defaults).
{
  options.hardware = {
    cpu.cores = lib.mkOption {
      type = lib.types.ints.unsigned;
    };
    memory.gb = lib.mkOption {
      type = lib.types.ints.unsigned;
    };
  };
}

-------------------------------------------------------------------------------- /hosts/options/hour/hyprspace.nix: --------------------------------------------------------------------------------
{ lib, ... }:

# Per-host Hyprspace overlay settings: peer identity, exported prefixes
# and daemon port.
{
  options.hyprspace = {
    enable = lib.mkEnableOption "Cross-host Hyprspace configuration";

    id = lib.mkOption {
      description = "Hyprspace PeerID.";
      type = lib.types.str;
    };

    routes = lib.mkOption {
      description = "Networks to export to Hyprspace.";
      type = lib.types.listOf lib.types.str;
      default = [];
    };

    listenPort = lib.mkOption {
      description = "The port the Hyprspace daemon should listen on.";
      type = lib.types.port;
      default = 8001;
    };
  };
}
-------------------------------------------------------------------------------- /hosts/options/hour/interfaces.nix: --------------------------------------------------------------------------------
{ lib, ... }:
with lib;

# Per-interface address facts. A host is considered NATed when its
# private and public addresses differ.
let
  interfaceType = types.submodule ({ config, name, ...
}: {
    options = {
      addr = lib.mkOption {
        description = "Static IP address assigned to this interface.";
        type = lib.types.str;
      };

      # Falls back to addr, i.e. the host is directly reachable.
      addrPublic = lib.mkOption {
        description = "Static public IP address.";
        type = lib.types.str;
        default = config.addr;
      };

      # Defaults to the attribute name of the interface.
      link = lib.mkOption {
        description = "Interface link name.";
        type = lib.types.str;
        default = name;
      };

      isNat = lib.mkOption {
        description = "Whether the host is behind NAT.";
        type = lib.types.bool;
        default = config.addr != config.addrPublic;
      };
    };
  });
in

{
  options.interfaces = lib.mkOption {
    description = "Network interface information.";
    type = lib.types.attrsOf interfaceType;
  };
}
-------------------------------------------------------------------------------- /hosts/options/hour/nixos.nix: --------------------------------------------------------------------------------
{ lib, ... }:

# Which Linux system double a host is and where its NixOS configuration lives.
{
  options = {
    system = lib.mkOption {
      description = "Nix system double for this NixOS host.";
      type = lib.types.enum lib.systems.doubles.linux;
      default = "x86_64-linux";
    };

    nixos = lib.mkOption {
      description = "NixOS configuration.";
      type = lib.types.nullOr lib.types.anything;
      default = null;
    };
  };
}
-------------------------------------------------------------------------------- /hosts/options/hour/ssh.nix: --------------------------------------------------------------------------------
{ lib, ...
}:
with lib;

# SSH identity of a host as seen by clients: the host public key to pin,
# the names it answers to, and extra client-side config.
{
  options.ssh = {
    enable = lib.mkEnableOption "Cross-host SSH configuration";

    id = {
      publicKey = lib.mkOption {
        description = "Host SSH public key.";
        type = lib.types.nullOr lib.types.str;
        default = null;
      };

      hostNames = lib.mkOption {
        description = "Hostnames through which this host can be reached over SSH.";
        type = lib.types.listOf lib.types.str;
        default = [];
      };
    };

    extraConfig = lib.mkOption {
      description = "Extra SSH client configuration used to connect to this host.";
      type = lib.types.lines;
      default = "";
    };
  };
}
-------------------------------------------------------------------------------- /hosts/part.nix: --------------------------------------------------------------------------------
# Host inventory: managed hosts are imported from their directories;
# Gods-from-Nowhere are external Hyprspace peers known only by PeerID.
let
  tools = import ./tools.nix;
in with tools.dns;
{
  imports = [
    ./deploy.nix
    ./nixos.nix
    ./options
  ];
  gods = {
    fromLight = {
      checkmate = import ./checkmate tools;
      thunderskin = import ./thunderskin tools;
      VEGAS = import ./VEGAS tools;
      prophet = import ./prophet tools;
      grail = import ./grail tools;
    };

    fromFlesh = {
      soda = import ./soda tools;
    };

    fromNowhere = {
      # peering

      # max
      TITAN.hyprspace = {
        enable = true;
        id = "QmfJ5Tv2z9jFv9Aocevyn6QqRcfm9eYQZhvYvmAVfACfuM";
        # addr = "10.100.3.7";
      };

      jericho.hyprspace = {
        enable = true;
        id = "QmccBLgGP3HR36tTkwSYZX3KDv2EXb1MvYwGVs6PbpbHv9";
        # addr = "10.100.3.13";
      };
    };
  };
}
-------------------------------------------------------------------------------- /hosts/prophet/default.nix: --------------------------------------------------------------------------------
# Host record for prophet (aarch64, behind NAT); field meanings are
# declared in hosts/options/hour/*.nix.
tools: rec {
  ssh.enable = true;
  ssh.id = with tools.dns; {
    publicKey = "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIAUG/ubwo68tt2jMP5ia0Sa4mnkWtlKVN5n4Y50U2nTC";
    # Names other hosts use to reach this one over SSH; subResolve expands to
    # [ "prophet" "prophet.node.private.void" "prophet.node.privatevoid.net" ]
    # (see hosts/tools.nix).
    hostNames = subResolve "prophet" "node";
  };

  interfaces = {
    primary = {
      addr = "10.0.243.216";
      # addr != addrPublic, so the interface type's isNat defaults to true for
      # this host (see hosts/options/hour).
      addrPublic = "152.67.75.145";
      link = "enp0s6";
    };
    vstub = {
      addr = "10.1.0.9";
      link = "vstub";
    };
  };

  hardware = {
    cpu.cores = 4;
    memory.gb = 24;
  };

  hyprspace = {
    enable = true;
    id = "QmbrAHuh4RYcyN9fWePCZMVmQjbaNXtyvrDCWz4VrchbXh";
    # Same listen port as thunderskin; keep host firewall/egress rules in sync
    # with this value.
    listenPort = 995;
    # Only the vstub /32 is advertised into the mesh from this host.
    routes = [
      "${interfaces.vstub.addr}/32"
    ];
  };

  enterprise = {
    subdomain = "node";
  };

  system = "aarch64-linux";
  nixos = ./system.nix;
}
-------------------------------------------------------------------------------- /hosts/prophet/hardware-configuration.nix: --------------------------------------------------------------------------------
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, ... }:

{
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];

  boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "/dev/disk/by-partlabel/rootfs";
      fsType = "xfs";
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-partlabel/boot";
      fsType = "vfat";
    };
}
-------------------------------------------------------------------------------- /hosts/prophet/system.nix: --------------------------------------------------------------------------------
{ config, depot, ...
}:

{
  imports =
    [
      # Hardware
      ./hardware-configuration.nix

      # agenix: secrets are decrypted on the host at activation, never stored
      # in the Nix store.
      depot.inputs.agenix.nixosModules.age

      depot.nixosModules.hyprspace
      # This host is also used as a remote Nix builder (module not shown here).
      depot.nixosModules.nix-builder

      depot.nixosModules.serverBase
    ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "prophet";
  # DNS is pinned to VEGAS's vstub address, which is reached over the mesh
  # (see the hyprspace routes in hosts/*/default.nix): name resolution on this
  # host depends on the mesh being up.
  networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];

  time.timeZone = "Europe/Zurich";

  networking.useDHCP = false;
  networking.interfaces.${config.reflection.interfaces.primary.link}.useDHCP = true;

  i18n.defaultLocale = "en_US.UTF-8";

  # sshd with stock settings in this file; any hardening (password/root login
  # policy, allowed users) would have to come from serverBase — TODO confirm.
  services.openssh.enable = true;

  system.stateVersion = "21.11";

  zramSwap.enable = true;
  zramSwap.algorithm = "zstd";
}

-------------------------------------------------------------------------------- /hosts/soda/data/ascii/adh: --------------------------------------------------------------------------------

____________________
/\ \
/ \ \
/ \ ALL DEAD HERE \
/ \___________________\
| | |
| ___ | __ ___ |
| | | | |__| |_| |
| | | | |
| | | | |
////////__________________|

-------------------------------------------------------------------------------- /hosts/soda/data/ascii/blog: --------------------------------------------------------------------------------
.---.
/ _\ BLOGGABLES ??? THE BLOGOSPHERE ??? BLOGOMATIC ???
/ (={) SIMULBLOGCAST ??? ECOBLOGS ??? METABLOGS ??? BLOGS
/ /_/ OF BLOGS ??? MEDIABLOGS ??? CATABLOG ??? UBERBLOG ???
( |(_ BLOGSERVATION ??? RADIOBLOGS ??? BLOGSPIRATION ???
/\_.--'// \ BLOGS OF BLOGS TALKING ABOUT BLOGGING BLOGS ???
/L.|`--'( \
/ /\_____`).J\____'==HH===HH
\ \ \ ` | \__..--."'
\ \._) ` \ ( YES, LADIES AND GENTLEMEN
\_/(`-..-'L ) THE FUTURE IS HERE
/ `\_( L\,--.' 
AND IT'S EVEN LAMER THAN 13 | > --'`-- \\ (_) YOU EVER THOUGHT POSSIBLE 14 | | | \ Y 15 | 16 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/camel: -------------------------------------------------------------------------------- 1 | THERE'S MORE THAN ONE WAY TO DO ME 2 | _ 3 | .--' | 4 | /___^ | .--. 5 | ) | / \ 6 | / | /` '. 7 | | '-' / \ 8 | \ | |\ 9 | \ / \ /\| 10 | \ /'----`\ / 11 | ||| \\ | 12 | ((| ((| 13 | ||| ||| 14 | //_( //_( 15 | 16 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/chokey: -------------------------------------------------------------------------------- 1 | 2 | , 3 | _,-""-._ THIS IS THE STORY OF 4 | ," ". CHOKEY THE LITTLE RETARD 5 | / ,-, ,"\ WHO, AS IT TURNS OUT, 6 | " / \ | o| COULDN'T 7 | \ `-o-" `-', 8 | `, _.--'`'--` 9 | `--`---' 10 | ,' ' 11 | ./ , `, 12 | / / \ 13 | (_)))_ _," 14 | _))))_, 15 | --------(_,-._)))-------------------- 16 | 17 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua01: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 0 1 : 3 | my, my.... 4 | we haven't sworn much today 5 | (at least not in plain text, I can't grep for figlet) 6 | --Boredcast message from 'tmonroe' 7 | -- 8 | 9 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua02: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 0 2 : 3 | 10/21 WHY DO YOU HATE AMERICA? 4 | \_ 'COS SHE NEVER CALLS, SHE NEVER WRITES, AND SHE RAN OFF WITH 5 | MY DOG AND MY BEST FRIEND. I REALLY JUST MISS THE DOG. 6 | \_ EMARKP WHO ARE YOU VOTING FOR? 
7 | -- 8 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua03: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 0 3 : 3 | 7/9 Hot! What's the name of this actress / porn star (not sure which)? 4 | Thanks a lot!!! 5 | \_ Dunno, but she's gross. Are you boob guy? 6 | (...) 7 | \_ I'm not *the* MOTD Boob Guy, but I'm a boob guy. 8 | -- 9 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua04: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 0 4 : 3 | 1/29 Can politburo keep it together and make sure Soda is up? 4 | I can't troll dans 24/7. 5 | \_ how about getting a life? dans (claims to) get laid all 6 | the time, how about you? 7 | -- 8 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua05: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 0 5 : 3 | 6/13 motd boob guy RIP 4 | \_ He died??? 5 | \_ Yeah, dead. His fantasy of doing some chick with huge 6 | boobs came true, but she fell asleep on top of him with 7 | her boobs on either side of his face and he smothered. 8 | -- 9 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua06: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 0 6 : 3 | 4/10 troll deleted 4 | \_ if only it were so simple 5 | -- 6 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua07: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 0 7 : 3 | 7/25 Who the fuck is German John and why is he special? 
4 | \_ What the fuck is an archive, and why the fuck do people search it 5 | before asking questions on the motd? 6 | \_ Who the fuck are you, and why don't you sign your name? --erikred 7 | -- 8 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua08: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 0 8 : 3 | 6/19 Stupid question. how do we implement POP and IMAP access on Soda? 4 | \_ imap and pop over SSL works fine - danh 5 | \_ Stupid answer. Slave monkeys and Google page-rank pigeons. - jvarga 6 | -- 7 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua09: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 0 9 : 3 | 9/23 Why is it that if I post a political troll, I get 3 pages of 4 | discussion, but I'm lucky if I can get one trollish replay to a 5 | technical question? 6 | \_ Nobody cares about computers at the CSUA. 7 | -- 8 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua10: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 1 0 : 3 | 8/20 Go fuck yourself emarkp. Feel free to censor this. 4 | \_ ??? -emarkp 5 | \_ "???" ? You didn't censor my messages? 6 | \_ I have no idea who you are or what your messages were. -emarkp 7 | \_ Hey, it's paranoid nutcase guy again! 8 | -- 9 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua11: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 1 1 : 3 | 3/20 If you're going to troll the motd today, please make 4 | that extra effort and at least try to use proper 5 | grammar. 
I know you like to pretend that you are 6 | an angry immigrant troll who just moved to Berkeley 7 | but I know you had to take the TOEFL before being 8 | admitted so I know you're not a moron. Thank you. 9 | -- 10 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua12: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 1 2 : 3 | 5/8 Motd nuked. 4 | \_ And there goes my erection. 5 | -- 6 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/csua13: -------------------------------------------------------------------------------- 1 | -- 2 | C S U A # 1 3 : 3 | 3/16 Clean your pr0n out of /csua/tmp 4 | \_ Fuck, now where am I gonna keep my Jenna pictures? 5 | \_ Who's Jenna? 6 | \_ if you have to ask... 7 | -- 8 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/dotted: -------------------------------------------------------------------------------- 1 | OKAY MAN 2 | SERIOUSLY, FOLLOW THE DOTTED LINE: _ _ _ 3 | \ 4 | _ _ _ _ _ _ _ _ _ _ _ _ / 5 | / 6 | \ _ _ _ _ _ 7 | \ 8 | _ _ _ _ _ _ _ _ _ _ _ / 9 | / 10 | \ _ _ _ _ _ _ _ _ _ _ _ _ SUCK COCK 11 | 12 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/goatsex: -------------------------------------------------------------------------------- 1 | 2 | * g o a t s e x * g o a t s e x * g o a t s e x * 3 | g g 4 | o / \ \ / \ o 5 | a| | \ | | a 6 | t| `. | | : t 7 | s` | | \| | s 8 | e \ | / / \\\ --__ \\ : e 9 | x \ \/ _--~~ ~--__| \ | x 10 | * \ \_-~ ~-_\ | * 11 | g \_ \ _.--------.______\| | g 12 | o \ \______// _ ___ _ (_(__> \ | o 13 | a \ . 
C ___) ______ (_(____> | / a 14 | t /\ | C ____)/ \ (_____> |_/ t 15 | s / /\| C_____) :) | (___> / \ s 16 | e | ( _C_____)\______/ // _/ / \ e 17 | x | \ |__ \\_________// (__/ | x 18 | * | \ \____) `---- --' | * 19 | g | \_ ___\ /_ _/ | g 20 | o | / | | \ | o 21 | a | | / \ \ | a 22 | t | / / | | \ |t 23 | s | / / \__/\___/ | |s 24 | e | / | | | |e 25 | x | | | | | |x 26 | * g o a t s e x * g o a t s e x * g o a t s e x * 27 | 28 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/hole: -------------------------------------------------------------------------------- 1 | LITERAL TRANSLATION FROM ANCIENT CHINESE TEXT READS: 2 | "THIS GLORYHOLE HAUNTED - TURN BACK NOW" 3 | 4 | ,g 8b ,g ,g 8g 8g 5 | o8888" 88 Y8 .od888888888P" 88' 88' 6 | 88 88 " 88 88 88 88' 88888888b 7 | 8888888888888888 d88888888888888b 888 88 oo 88 8 | 88 88 88 88 88 8'88 8' 88 P' 9 | 88,o 88 o9, 888888888888 88 8 88 10 | 88P 88,8P 88 88 o8 88 g 11 | ,888 888' 88888888b 88 8' 88 `8, 12 | d8'88 g88 88 gg ,88' 88 ,P 88 8b 13 | 8' 88 oP 88, d8' `g88' 88 8 88 `P 14 | 88 `88 g o8' gg88b, 88 f 88 15 | d8' `b' o8 oP' "Y8ao 88 d8' ZL 16 | 17 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/hungry: -------------------------------------------------------------------------------- 1 | )()()()()() 2 | |\ | 3 | |.\. . . . | 4 | \'.\ | 5 | \.:\ . . .| 6 | \'o\ | I EAT THE DIMENSIONS THAT NEVER 7 | \.'\. . 
| EVEN GOT TOURISM GOING 8 | \".\ | 9 | \'`\ .| 10 | \.'\ | 11 | \__\| 12 | 13 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/peacepipe: -------------------------------------------------------------------------------- 1 | ( ) 2 | ( LET'S SMOKE THIS PEACE PIPE 3 | _ 4 | __| | 5 | ==+===[_____\ NOW GIVE US YOUR FUCKING LAND 6 | | 7 | /|\ 8 | ||| 9 | \|/ 10 | ` 11 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/scativist: -------------------------------------------------------------------------------- 1 | ___ 2 | .-"` `"-. 3 | .' .-. '. 4 | / (/^\) \ 5 | / # (\ /) \ 6 | | # .-'-. | 7 | | /(_I_)\ | 8 | ; \\) (// ; 9 | ; / Y \ ; I'M A SKEPTICAL ACTIVIST 10 | \ \ | / / 11 | \ \|/ / OR AS I LIKE TO CALL IT 12 | \ /|\ / 13 | | \|/ | 14 | |__/Y\__| 15 | {=======} I'M A SCATIVIST 16 | }======={ 17 | {=======} 18 | }======={ 19 | {=======} 20 | `""u""` 21 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/sins: -------------------------------------------------------------------------------- 1 | _________________________________________ 2 | / You will pay for your sins. If you have \ 3 | | already paid, please disregard this | 4 | \ message. / 5 | ----------------------------------------- 6 | \ / \ //\ 7 | \ |\___/| / \// \\ 8 | /0 0 \__ / // | \ \ 9 | / / \/_/ // | \ \ 10 | @_^_@'/ \/_ // | \ \ 11 | //_^_/ \/_ // | \ \ 12 | ( //) | \/// | \ \ 13 | ( / /) _|_ / ) // | \ _\ 14 | ( // /) '/,_ _ _/ ( ; -. | _ _\.-~ .-~~~^-. 15 | (( / / )) ,-{ _ `-.|.-~-. .~ `. 16 | (( // / )) '/\ / ~-. _ .-~ .-~^-. \ 17 | (( /// )) `. { } / \ \ 18 | (( / )) .----~-.\ \-' .~ \ `. \^-. 19 | ///.----..> \ _ -~ `. 
^-` ^-_ 20 | ///-._ _ _ _ _ _ _}^ - - - - ~ ~-- ,.-~ 21 | /.-~ 22 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/thirsty: -------------------------------------------------------------------------------- 1 | .-'"""`-. 2 | ( ) 3 | |`-.___.-'| THE GUY WHO BEGS YOU TO PISS ON HIM 4 | |.-'"""`-.| WHILE IN THE BIG STALL IS NOT THIRSTY 5 | | | 6 | |`-.___.-'| 7 | | | 8 | |. ' " ` .| 9 | | | 10 | `-.___.-' 11 | 12 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/trolledo: -------------------------------------------------------------------------------- 1 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 2 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣶⠟⠛⠛⠛⠛⠛⣛⣻⣿⣿⣿⣿⣿⣟⣛⣛⣛⠛⠒⠲⠶⠦⣤⣤⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ 3 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⠏⠁⠀⠀⢀⣤⠶⣛⣩⣥⠤⠤⠤⠤⢤⣤⣤⣭⣭⣉⣉⣛⣛⣻⣭⣥⠬⡍⠛⢶⣄⡀⠀⠀⠀⠀⠀⠀⠀ 4 | ⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⠃⠀⠀⣠⡶⢋⡵⢛⡩⠵⠒⠒⠒⠒⠢⡀⠀⠀⠀⠀⠀⢀⣠⠤⠤⠤⢤⣄⠀⠀⠀⠉⠻⣆⠀⠀⠀⠀⠀⠀ 5 | ⠀⠀⠀⠀⠀⠀⠀⢀⣿⠃⠀⠀⠘⢁⡴⢋⣴⢿⠒⠈⠉⣏⠉⠐⠒⡾⣄⠀⠀⠀⠀⠀⡠⠀⠀⢀⣀⣈⣙⣆⡀⠀⠀⢹⡆⠀⠀⠀⠀⠀ 6 | ⠀⠀⠀⠀⠀⠀⣠⣾⠃⠀⠀⠀⠀⠀⢀⠟⣁⠀⠁⢀⣤⣦⣤⡀⠘⠀⢈⣷⡄⠀⠀⠀⣇⠖⠉⠙⠅⠀⠀⠉⠉⠑⢦⡈⣷⡀⠀⠀⠀⠀ 7 | ⠀⠀⠀⠀⢠⣾⢿⣧⠤⠤⠤⠄⠀⠖⣿⠀⠃⠀⠀⣿⣿⣿⣿⡗⠀⠐⠁⢸⡇⠀⣀⣰⠉⠠⠀⠀⣰⣶⣷⣶⠀⠀⠀⢱⡈⢻⣦⠀⠀⠀ 8 | ⠀⠀⠀⣠⡿⣱⠋⢀⣴⠶⠚⠻⢶⣤⡘⢧⣄⠆⠂⠀⡉⠉⣉⣀⣀⠉⣠⡟⠁⠀⠉⢻⣆⠀⠀⠀⠘⠛⠟⠛⠀⠀⢈⡿⢍⢢⢹⡇⠀⠀ 9 | ⠀⠀⢠⣿⠁⡇⢠⣿⠁⠀⢰⣦⡀⠉⠉⠀⠈⠙⠲⠾⠾⠶⠶⠶⠚⠋⠉⠀⠀⠀⠀⢸⣯⡑⠢⢤⣀⣂⣀⣨⠤⠒⠛⠃⠘⡆⡇⡧⠀⠀ 10 | ⠀⠀⢸⣿⠀⡇⢸⡇⢠⣴⣾⠋⠛⢷⣦⣀⠀⠀⠀⠠⠤⠤⠴⢠⠶⠒⠀⠀⠀⠀⠀⠀⠉⢿⣦⡀⠀⠀⠀⠀⢸⣷⠀⠀⡼⢡⢣⡇⠀⠀ 11 | ⠀⠀⠀⢿⡇⣧⠘⠿⠀⠀⠸⣧⡀⠀⠈⢻⡿⢶⣦⣄⡀⠀⠀⠸⣆⠐⠟⠻⠷⠀⠀⠀⢀⣾⠛⠃⠑⠤⠀⢀⣼⣿⡇⢀⠤⢂⣾⠃⠀⠀ 12 | ⠀⠀⠀⠈⢻⣌⠑⠦⠀⠀⠀⢿⣿⣷⣤⣸⣷⡀⠀⠈⠙⠻⢿⣶⣤⣄⣀⡀⠀⠀⠙⠿⠟⠁⠀⠀⢀⣠⡴⣿⠉⣿⣿⠀⠀⣼⠁⠀⠀⠀ 13 | ⠀⠀⠀⠀⠀⠙⣷⡀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣶⣤⣀⣀⣼⠁⠀⠈⠉⠙⣿⠛⠛⠻⢿⠿⠛⠛⢻⡇⠀⢸⡀⣹⣿⠀⠀⡏⠀⠀⠀⠀ 14 | ⠀⠀⠀⠀⠀⠀⠈⢿⡀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣤⣤⣄⣀⣿⣄⣀⣀⣸⣄⣀⣠⣴⣿⣶⣿⣿⣿⣿⡇⠀⡇⠀⠀⠀⠀ 15 | ⠀⠀⠀⠀⠀⠀⠀⠈⢷⡄⠀⠀⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⡇⠀⠀⠀⠀ 16 | ⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣦⠀⠘⣿⠛⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⣷⠀⠀⠀⠀ 17 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⢷⣄⠘⢷⡀⠘⡟⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⣿⠀⠀⠀⠀ 18 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠹⣧⡀⠻⣾⡃⠀⠀⠈⠙⢿⡿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⣿⠀⠀⠀⠀ 19 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⢿⣄⠈⠻⣦⡀⠀⠀⡼⠀⠀⠈⠙⠻⣿⠿⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⢿⡿⣹⠇⠀⣿⠀⠀⠀⠀ 20 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠹⣷⣄⠈⠛⠷⣼⣇⡀⠀⠀⠀⠀⣿⠀⠀⠀⢸⡇⠀⠀⡿⠀⢸⠇⣘⣧⠟⠀⢀⡿⠀⠀⠀⠀ 21 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠛⢷⣄⡀⠀⠙⠻⠷⠶⣶⣾⣿⣤⣀⣠⣿⣄⣀⣴⠷⠶⠿⠿⠟⠋⠀⢀⣾⠃⠀⠀⠀⠀ 22 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠛⠿⣶⣤⣤⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣀⣤⡤⠞⠁⠀⠀⠀⠀⠀ 23 | ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠙⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀ 24 | 
-------------------------------------------------------------------------------- /hosts/soda/data/ascii/urinal: -------------------------------------------------------------------------------- 1 | __ __ 2 | (,.) ,. (,.) ,. (,.) ,. 3 | || || || || || || 4 | || || || || || || REMEMBER: 5 | ,.||.. || ,.||.. || ,.||.. || 6 | //""""\\ || //""""\\ || //""""\\ || EVERY URINAL 7 | || || || || || || || || || STARTS WITH YOU 8 | || || || || || || || || || 9 | ||____|| || ||____|| || ||____|| || 10 | `.____.' || `.____.' || `.____.' || 11 | || || || 12 | || || || 13 | ______________||__________||__________||_________ 14 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/wipe: -------------------------------------------------------------------------------- 1 | __ IT'S THE DIE WIPING SERIES !!11 2 | /==\ 3 | .-. \==/ - DIE WIPING 4 | /oo\ __{") 5 | =.-\\//-- ":-|-----.= - DIE WIPING 2: WIPE HARDER 6 | =.' .||. _;_) .'= 7 | =.' `:--:' -' .'= - DIE WIPING 3: WITH A VENGEANCE 8 | =.'l42 (____) .'= 9 | ='-----------------'= - DIE WIPING 4: LIVE FREE OR WIPE HARD 10 | 11 | - DIE WIPING 5: HOLY SHIT DID THEY REALLY 12 | MAKE A FIFTH ONE 13 | 14 | 15 | -------------------------------------------------------------------------------- /hosts/soda/data/ascii/wwud: -------------------------------------------------------------------------------- 1 | _,,--,,_ 2 | /` .`\ 3 | / ' _.-' \ 4 | | `'_{}_ | 5 | | /` `\ | 6 | \/ == == \/ 7 | /| (.)(.) 
|\
\| __)_ |/
|\/____\/|
| ` ~~ ` |
\ /
`.____.`

WHAT WOULD UNITED 93 DO

-------------------------------------------------------------------------------- /hosts/soda/data/ascii/yank: --------------------------------------------------------------------------------
,dP""d8b,
d" d88"8b
I8 Y88a88) A LITTLE SOMETHING I LIKE TO CALL YIN / YANK
`Y, a )888P
"b,,a88P"

-------------------------------------------------------------------------------- /hosts/soda/data/default.nix: --------------------------------------------------------------------------------
{
  # "L+" makes tmpfiles (re)create the /ascii symlink, replacing whatever is
  # there, pointing at the Nix-store copy of ./ascii. Store paths are
  # world-readable and immutable, so this directory must hold nothing
  # sensitive.
  systemd.tmpfiles.rules = [ "L+ /ascii - - - - ${./ascii}" ];
}
-------------------------------------------------------------------------------- /hosts/soda/default.nix: --------------------------------------------------------------------------------
tools: {
  ssh.enable = true;
  ssh.id = with tools.dns; {
    # Host public key (public by nature); the private half lives only on soda.
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDShq3dbZy9SARsH8aSjfMQ+/eTW44eZuHVCLvgtDNKw";
    hostNames = subResolve "soda" "int";
  };

  interfaces = {
    primary = {
      addr = "10.10.2.206";
      # Differs from addr, so the interface type's isNat defaults to true.
      addrPublic = "95.216.8.12";
      link = "eth0";
    };
  };

  enterprise = {
    subdomain = "int";
  };

  system = "x86_64-linux";
  nixos = ./system.nix;
}
-------------------------------------------------------------------------------- /hosts/soda/shell-profile/default.nix: --------------------------------------------------------------------------------
{
  # Sourced into every interactive shell on the host. The ${./...} references
  # copy the scripts into the Nix store, so they are world-readable; keep
  # anything secret or user-specific out of them.
  environment.interactiveShellInit = ''
    source ${./insults.sh}
    source ${./motd.sh}
    source ${./soda-prompt.sh}
  '';
}
-------------------------------------------------------------------------------- /hosts/soda/shell-profile/soda-prompt.sh: --------------------------------------------------------------------------------
if [ -n "${BASH_VERSION-}" ]; then
  if test $(id -u) -eq 0; then
PS1='\h # '
  else
    PS1='\h % '
  fi
fi
-------------------------------------------------------------------------------- /hosts/soda/soda.nix: --------------------------------------------------------------------------------
{ pkgs, ... }:

{
  imports = [
    ./data
    ./shell-profile
  ];

  environment.systemPackages = with pkgs; [
    # provide some editors
    nano
    vim
    neovim
  ];
}
-------------------------------------------------------------------------------- /hosts/soda/system.nix: --------------------------------------------------------------------------------
{ config, depot, ... }:

{
  imports = with depot.nixosModules; [
    containerBase
    # NOTE(review): the fail2ban module below uses an iptables banaction; inside
    # a container that only works if the container owns its network namespace
    # and has the needed capabilities — confirm against containerBase.
    fail2ban
    depot.inputs.agenix.nixosModules.age
    ./soda.nix
  ];

  # Built as a NixOS container, not a full VM/bare-metal system.
  boot.isContainer = true;

  networking.useDHCP = false;

  networking.interfaces.${config.reflection.interfaces.primary.link}.useDHCP = true;

  # DNS is pinned to VEGAS's vstub address, same as the other hosts.
  networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];

  # Presumably keeps that address in openresolv's local_nameservers list so it
  # is not filtered as a non-local resolver — verify against resolvconf.conf(5).
  networking.resolvconf.extraConfig = "local_nameservers='${depot.hours.VEGAS.interfaces.vstub.addr}'";

  networking.hostName = "soda";

  time.timeZone = "Europe/Helsinki";

  i18n.defaultLocale = "en_US.UTF-8";

  # sshd with stock settings here; hardening, if any, comes from containerBase.
  services.openssh.enable = true;

  system.stateVersion = "21.11";
}
-------------------------------------------------------------------------------- /hosts/thunderskin/default.nix: --------------------------------------------------------------------------------
tools: rec {
  ssh.enable = true;
  ssh.id = with tools.dns; {
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGV8TbMvGXfAp9R2I9GdR7aLlGjxh2CW1pCZjQSB4TJp";
    hostNames = subResolve "thunderskin" "node";
  };

  interfaces = {
    primary = {
      addr = "10.0.243.121";
      addrPublic = "140.238.208.154";
      link = "ens3";
    };
    vstub = {
      addr = "10.1.0.4";
      link = 
"vstub";
    };
  };

  hardware = {
    cpu.cores = 1;
    memory.gb = 1;
  };

  hyprspace = {
    enable = true;
    id = "12D3KooWB9AUPorFoACkWbphyargRBV9osJsYuQDumtQ85j7Aqmg";
    # Same listen port as prophet.
    listenPort = 995;
    # Only the vstub /32 is advertised into the mesh from this host.
    routes = [
      "${interfaces.vstub.addr}/32"
    ];
  };

  enterprise = {
    subdomain = "node";
  };

  system = "x86_64-linux";
  nixos = ./system.nix;
}
-------------------------------------------------------------------------------- /hosts/thunderskin/hardware-configuration.nix: --------------------------------------------------------------------------------
{ modulesPath, ... }:

{
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  fileSystems."/boot" = { device = "/dev/disk/by-partlabel/boot"; fsType = "vfat"; };
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = { device = "/dev/disk/by-partlabel/rootfs"; fsType = "xfs"; };
  # NOTE(review): plain, unencrypted swap partition (no randomEncryption). With
  # agenix secrets decrypted into memory on this host, pages holding them can
  # end up on disk in clear — consider enabling random encryption for swap.
  swapDevices = [ { device = "/dev/disk/by-partlabel/swap"; } ];
}
-------------------------------------------------------------------------------- /hosts/thunderskin/system.nix: --------------------------------------------------------------------------------
{ config, depot, ... }:

{
  imports =
    [
      # Hardware
      ./hardware-configuration.nix

      depot.inputs.agenix.nixosModules.age

      depot.nixosModules.hyprspace
      depot.nixosModules.serverBase
    ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "thunderskin";
  # DNS pinned to VEGAS's vstub (mesh) address, as on prophet and soda.
  networking.nameservers = [ depot.hours.VEGAS.interfaces.vstub.addr ];

  time.timeZone = "Europe/Zurich";

  networking.useDHCP = false;
  networking.interfaces.${config.reflection.interfaces.primary.link}.useDHCP = true;

  i18n.defaultLocale = "en_US.UTF-8";

  # sshd with stock settings here; hardening, if any, comes from serverBase.
  services.openssh.enable = true;

  zramSwap.enable = true;
  zramSwap.algorithm = "zstd";

  system.stateVersion = "22.11";
}
-------------------------------------------------------------------------------- /hosts/tools.nix: --------------------------------------------------------------------------------
{
  # Pure string helpers for building DNS name lists and SSH client config.
  # None of them validate their inputs; they are meant for literals from this
  # repository, not for data taken from the network.
  dns = rec {
    # Service discovery name variants for `name`. The last entry is a wildcard;
    # where these end up in SSH `Host` patterns (see ssh.extraConfig) `*` is an
    # SSH glob.
    findSvc = name: [
      "any.${name}"
      "local.${name}"
      "tunnel.${name}"
      "wired.${name}"
      "wireless.${name}"
      "*.if.${name}"
    ];
    findResolve = list: dnameResolve (append "find" list) ++ append "f.void" list;
    # Qualifies every name with both the internal zone and the public zone.
    dnameResolve = list: append "private.void" list ++ append "privatevoid.net" list;
    vpnResolve = list: dnameResolve (append "vpn" list);
    llmnrResolve = append "local";
    # Appends ".${part}" to every element of a list (partially applied above).
    append = part: map (x: "${x}.${part}");
    # Formats "[host]:port" pairs.
    portMap = port: map (x: "[${x}]:${builtins.toString port}");
    as = x: [x];

    clientResolve = x: [x] ++
      findResolve (findSvc x) ++
      vpnResolve [x] ++
      llmnrResolve [x];

    # subResolve "prophet" "node" ==
    #   [ "prophet" "prophet.node.private.void" "prophet.node.privatevoid.net" ]
    subResolve = name: sub: [name] ++ dnameResolve ["${name}.${sub}"];
  };
  ssh = {
    # Renders one ssh_config `Host` stanza: the patterns joined by spaces, then
    # each line of `config` indented by one space. Entries are emitted as-is —
    # an entry containing a newline would start a new, unindented directive, so
    # only pass single-line option strings.
    extraConfig = patterns: config: with builtins; let
      match = "Host ${concatStringsSep " " patterns}";
      indent = map (x: " " + x) config;
    in concatStringsSep "\n" ([match] ++ indent);
  };
}
-------------------------------------------------------------------------------- /jobs/part.nix: --------------------------------------------------------------------------------
{
  imports = [
    ./update-flake-lock
  ];
}
-------------------------------------------------------------------------------- /jobs/update-flake-lock/default.nix: --------------------------------------------------------------------------------
{
  # Scheduled flake.lock refresh. The resulting PR is set to auto-merge, so
  # every new upstream input revision lands on the main branch without a human
  # reading the diff; presumably GitHub's branch-protection checks are the only
  # gate. Worth keeping in mind as supply-chain exposure: pinned inputs move
  # weekly on their own.
  hercules-ci.flake-update = {
    enable = true;
    createPullRequest = true;
    autoMergeMethod = "merge";
    forgeType = "github";
    updateBranch = "pr-flake-update";
    when = {
      dayOfWeek = "Fri";
      hour = 2;
    };
  };
}
-------------------------------------------------------------------------------- /lib/hours.nix: --------------------------------------------------------------------------------
{ config, inputs, lib, self, withSystem, ... }:

let
  inherit (lib) const mapAttrs;
in

{
  # summon system f: calls f with a `depot` attrset assembled for `system`.
  # `//` is right-biased, so precedence (highest last) is:
  #   self < self' (per-system outputs) < lift (the flake-level config)
  #   < config (the per-system config) < the merged `inputs`.
  # For inputs, the per-system inputs' attributes win over the plain inputs.
  lib.summon = system: f: let
    lift = config;
  in withSystem system ({ config, inputs', self', ... }: f {
    depot = self // self' // lift // config // {
      inputs = mapAttrs (name: const (inputs.${name} // inputs'.${name})) inputs;
    };
  });
}
-------------------------------------------------------------------------------- /lib/identity.nix: --------------------------------------------------------------------------------
{ lib, ...
}: with config.identity; {
  identity = {

    inherit (config.meta) domain;

    # Deterministic label under dev.<domain>. MD5 is used only to derive a
    # short, stable name from an arbitrary string; nothing here relies on it
    # as a security property.
    autoDomain = name: "${builtins.hashString "md5" name}.dev.${domain}";

    ldap = {
      server = with ldap.server; {
        # TODO: unhardcode everything here
        # LDAP over TLS only (ldaps, port 636); there is no plaintext fallback.
        protocol = "ldaps";
        hostname = "idm-ldap.internal.${domain}";
        port = 636;
        url = "${protocol}://${connectionString}";
        connectionString = "${hostname}:${builtins.toString port}";
      };
      accounts = with ldap.accounts; {
        domainComponents = ldap.lib.convertDomain domain;
        uidAttribute = "name";
        # `%u` is a placeholder substituted by whichever consumer uses this
        # filter (nginx/PAM/etc.). Escaping of the supplied username against
        # LDAP filter metacharacters is that consumer's responsibility —
        # TODO confirm each consumer does so.
        uidFilter = "(${uidAttribute}=%u)";
        userSearchBase = "${domainComponents}";
      };
      lib = {
        # "a.b.c" -> "dc=a,dc=b,dc=c". builtins.split yields alternating
        # strings and match lists; `filter isString` drops the match lists.
        convertDomain = domain: with builtins; lib.pipe domain [
          (split "\\.")
          (filter isString)
          (map (x: "dc=${x}"))
          (concatStringsSep ",")
        ];
      };
    };
  };
}
-------------------------------------------------------------------------------- /lib/meta.nix: --------------------------------------------------------------------------------
{
  # Organisation-wide constants; everything else derives its domain from here.
  lib = { config, ... }: with config.meta; {
    meta = {
      domain = "privatevoid.net";
      adminEmail = "admins@${domain}";
    };
  };
}
-------------------------------------------------------------------------------- /lib/nginx.nix: --------------------------------------------------------------------------------
{ lib, ... }:

{
  lib = { config, ...
}: with config.nginx; {
  nginx = {
    inherit (config.meta) domain;

    mappers = {

      # Rewrites attribute names "foo" to "foo.<domain>", keeping values.
      mapSubdomains = with lib; mapAttrs' (k: nameValuePair "${k}.${domain}");

    };

    # vhost templates. All of them start from `basic`, so every site built here
    # redirects plain HTTP to HTTPS and obtains an ACME certificate. The
    # `target`/`root` arguments are spliced into nginx config unquoted; they
    # are fine for literals from this repository but must not come from
    # untrusted input.
    vhosts = with vhosts; {

      basic = {
        forceSSL = true;
        enableACME = true;
      };

      redirect = target: basic // {
        locations."/".return = "301 ${target}";
      };

      proxy = target: basic // {
        locations."/".proxyPass = target;
      };

      static = root: basic // {
        inherit root;
      };

      # Directory listings are exposed on purpose here.
      indexedStatic = root: (static root) // {
        extraConfig = "autoindex on;";
      };

      # Front a third-party site as if it were ours: the upstream sees our Host
      # and Referer as `target`, inbound browser cookies are stripped, and any
      # cookie the upstream sets is rescoped to domain.invalid so it is never
      # stored for our domain. proxy_pass through a variable makes nginx
      # resolve `target` at runtime, which presumably needs a `resolver`
      # configured elsewhere — confirm.
      proxyGhost = scheme: target: basic // {
        locations."/".extraConfig = ''
          set $nix_proxy_ghost_target "${scheme}://${target}";
          proxy_pass $nix_proxy_ghost_target;
          proxy_set_header Host ${target};
          proxy_set_header Referer ${scheme}://${target};
          proxy_cookie_domain ${target} domain.invalid;
          proxy_set_header Cookie "";
        '';
      };
    };
  };
}

-------------------------------------------------------------------------------- /lib/part.nix: --------------------------------------------------------------------------------
{ config, lib, ... }:

{
  imports = [
    ./time-travel.nix
    ./hours.nix
    ./meta.nix
    ./nginx.nix
    ./identity.nix
    ./catalog.nix
  ];

  options.lib = lib.mkOption {
    default = {};
    type = with lib.types; submodule ({ extendModules, ...
}: {
      # Recursive freeform type: any attribute of `lib` is either a (lazy)
      # attrset of the same shape or a raw value, so nested helper namespaces
      # need no explicit option declarations.
      freeformType = let
        t = either (lazyAttrsOf t) raw;
      in t;
      # lib.override conf: re-evaluates this submodule with `conf` applied on
      # top and returns the resulting config.
      config.override = conf: let
        overridden = extendModules {
          modules = [ conf ];
        };
      in overridden.config;
    });
  };

  config = {
    # Exposes the whole flake-parts config to sibling modules as `depot`.
    _module.args.depot = config;
    flake = { inherit (config) lib; };
  };
}
-------------------------------------------------------------------------------- /lib/time-travel.nix: --------------------------------------------------------------------------------
{
  # Fetches an older revision of this very repository. `rev` is interpolated
  # straight into the flake ref: pass a full commit hash to get a pinned,
  # reproducible result — a branch or tag name resolves to whatever that ref
  # points at when evaluated.
  lib.timeTravel = rev: builtins.getFlake "github:privatevoid-net/depot/${rev}";
}
-------------------------------------------------------------------------------- /modules/effect-receiver/default.nix: --------------------------------------------------------------------------------
{
  # Grants root login over SSH to the holder of this key's private half —
  # judging by the module name, the CI effects runner (confirm). Whether root
  # may log in with a key at all is decided by sshd's PermitRootLogin, which is
  # not set in this file; rotate the key if the runner is ever rebuilt.
  users.users.root = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9TxAaaN3Ysua72wes3hDupB7D1C37lwCteXA4GM5Ix"
    ];
  };
}
-------------------------------------------------------------------------------- /modules/enterprise/default.nix: --------------------------------------------------------------------------------
{ config, depot, lib, ... }:
let
  orgDomain = depot.lib.meta.domain;
  host = config.reflection;
in {
  # <subdomain>.<orgDomain>, falling back to "services" when the host declares
  # no enterprise.subdomain; mkDefault lets a host override it.
  networking.domain = lib.mkDefault "${host.enterprise.subdomain or "services"}.${orgDomain}";
  # Unqualified names are searched under the host's domain first, then the
  # org-wide search zone.
  networking.search = [ config.networking.domain "search.${orgDomain}" ];
}
-------------------------------------------------------------------------------- /modules/external-storage/strict-mounts.nix: --------------------------------------------------------------------------------
{ config, lib, ... }:

let
  cfg = config.services.external-storage;
in

with lib;
{
  options.systemd.services = mkOption {
    type = with types; attrsOf (submodule ({ config, ...
}: {
      # For every path in the service's strictMounts (option declared
      # elsewhere — not visible here), find the external-storage filesystems
      # that contain it and tie the service to their mount units: `after`
      # orders startup, `bindsTo` stops the service when a mount goes away.
      config = mkIf (config.strictMounts != []) (let
        findFilesystemsFor = mount: pipe cfg.fileSystems [
          # The trailing "/" on both sides makes this a path-component prefix
          # test: /mnt/a matches /mnt/a/x but not /mnt/ab.
          (filterAttrs (_: fs: hasPrefix "${fs.mountpoint}/" "${mount}/"))
          (mapAttrsToList (_: fs: "${fs.unitName}.service"))
        ];
        services = flatten (map findFilesystemsFor config.strictMounts);
      in {
        after = services;
        bindsTo = services;
      });
    }));
  };
}
-------------------------------------------------------------------------------- /modules/external-storage/underlay-type.nix: --------------------------------------------------------------------------------
{ config, lib, name, ... }:

with lib;

{
  # Submodule describing one remote storage backend (a Hetzner Storage Box
  # sub-account, per the your-storagebox.de host) that is mounted locally.
  options = {
    mountpoint = mkOption {
      type = types.path;
      default = "/mnt/remote-storage-backends/${name}";
    };
    storageBoxAccount = mkOption {
      type = types.str;
      # Private Void's main Storage Box
      default = "u357754";
    };
    host = mkOption {
      type = types.str;
      default = "${config.storageBoxAccount}.your-storagebox.de";
    };
    subUser = mkOption {
      type = types.str;
      example = "sub1";
    };
    # NOTE(review): types.path also accepts a literal ./file, which Nix copies
    # into the world-readable store. This must be set to a runtime-only path
    # (e.g. an agenix-managed secret) so the Storage Box credentials never
    # land in /nix/store.
    credentialsFile = mkOption {
      type = types.path;
    };
    path = mkOption {
      type = types.path;
      default = "/";
    };
    # Ownership presented for files on the mount; defaults to root:root.
    uid = mkOption {
      type = types.int;
      default = 0;
    };
    gid = mkOption {
      type = types.int;
      default = 0;
    };
  };
}
-------------------------------------------------------------------------------- /modules/fail2ban/default.nix: --------------------------------------------------------------------------------
{ config, ...
}: 2 | { 3 | imports = [ 4 | ./xdp.nix 5 | ]; 6 | 7 | services.fail2ban = { 8 | enable = true; 9 | banaction = "iptables-multiport[blocktype=DROP]"; 10 | jails.sshd.settings.mode = "aggressive"; 11 | ignoreIP = [ 12 | "10.0.0.0/8" 13 | config.reflection.interfaces.primary.addr 14 | ]; 15 | bantime-increment = { 16 | enable = true; 17 | maxtime = "48h"; 18 | }; 19 | }; 20 | } 21 | -------------------------------------------------------------------------------- /modules/fail2ban/xdp.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | let 3 | inherit (pkgs) xdp-tools; 4 | in 5 | { 6 | systemd.services."xdp-filter@" = { 7 | description = "XDP Filter on %I"; 8 | after = [ "network.target" ]; 9 | wants = [ "network.target" ]; 10 | serviceConfig = { 11 | ExecStart = "${xdp-tools}/bin/xdp-filter load %i -f ipv4 -m skb"; 12 | ExecStop = "${xdp-tools}/bin/xdp-filter unload %i"; 13 | RemainAfterExit = true; 14 | }; 15 | }; 16 | environment.etc."fail2ban/action.d/xdp.conf".text = '' 17 | [Definition] 18 | actionstart = systemctl start xdp-filter@${config.reflection.interfaces.primary.link}.service 19 | actionstop = systemctl stop xdp-filter@${config.reflection.interfaces.primary.link}.service 20 | actionban = ${xdp-tools}/bin/xdp-filter ip --mode src 21 | actionunban = ${xdp-tools}/bin/xdp-filter ip --remove --mode src 22 | ''; 23 | } 24 | -------------------------------------------------------------------------------- /modules/hardened/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | boot.kernel.sysctl = { 3 | "kernel.yama.ptrace_scope" = 1; 4 | "kernel.kptr_restrict" = 2; 5 | 6 | "net.ipv4.conf.all.rp_filter" = 1; 7 | "net.ipv4.conf.default.rp_filter" = 1; 8 | 9 | "net.ipv4.conf.all.send_redirects" = false; 10 | "net.ipv4.conf.default.send_redirects" = false; 11 | }; 12 | } 13 | 
-------------------------------------------------------------------------------- /modules/maintenance/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | systemd.targets.maintenance = { 3 | unitConfig.AllowIsolate = true; 4 | wants = [ 5 | "basic.target" 6 | "getty.target" 7 | "network.target" 8 | "network-online.target" 9 | "sshd.service" 10 | "fail2ban.service" 11 | "hyprspace.service" 12 | "dbus.service" 13 | ]; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /modules/minimal/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ]; 3 | documentation.enable = false; 4 | } 5 | -------------------------------------------------------------------------------- /modules/motd/motd.txt: -------------------------------------------------------------------------------- 1 | 2 | ___ _ __ _ __ _ __ 3 | / _ \____(_) _____ _/ /____ | | / /__ (_)__/ / 4 | / ___/ __/ / |/ / _ `/ __/ -_) | |/ / _ \/ / _ / 5 | /_/ /_/ /_/|___/\_,_/\__/\__/ |___/\___/_/\_,_/ 6 | 7 | 8 | -------------------------------------------------------------------------------- /modules/networking/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | let 3 | inherit (config.reflection) interfaces; 4 | in 5 | { 6 | networking.interfaces = lib.mkIf (interfaces ? 
vstub) { 7 | ${interfaces.vstub.link} = { 8 | virtual = true; 9 | ipv4.addresses = [ 10 | { 11 | address = interfaces.vstub.addr; 12 | prefixLength = 32; 13 | } 14 | ]; 15 | }; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /modules/nix-builder/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | nix.settings.trusted-users = [ "nix" ]; 3 | users.users.nix = { 4 | isSystemUser = true; 5 | description = "Nix Remote Build"; 6 | home = "/var/tmp/nix-remote-builder"; 7 | createHome = true; 8 | useDefaultShell = true; 9 | openssh.authorizedKeys.keys = [ 10 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBa9gDXWdp7Kqzbjz9Zchu91ZoYcBD6AbjvuktYA//yg" 11 | ]; 12 | group = "nix"; 13 | }; 14 | users.groups.nix = {}; 15 | } 16 | -------------------------------------------------------------------------------- /modules/nix-config/server.nix: -------------------------------------------------------------------------------- 1 | { depot, lib, ... 
}: 2 | 3 | { 4 | nix = { 5 | package = let 6 | nix = depot.inputs.nix-super.packages.default; 7 | in { version = lib.getVersion nix.name; } // nix; 8 | 9 | settings = { 10 | trusted-users = [ "root" "@wheel" "@admins" ]; 11 | trusted-public-keys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ]; 12 | }; 13 | 14 | extraOptions = '' 15 | experimental-features = nix-command flakes cgroups 16 | use-cgroups = true 17 | builders-use-substitutes = true 18 | flake-registry = https://registry.${depot.lib.meta.domain}/flake-registry.json 19 | 20 | # For Hercules CI agent 21 | narinfo-cache-negative-ttl = 0 22 | ''; 23 | 24 | gc = { 25 | automatic = true; 26 | dates = "weekly"; 27 | options = "--delete-older-than 7d"; 28 | }; 29 | 30 | daemonCPUSchedPolicy = "batch"; 31 | daemonIOSchedPriority = 7; 32 | }; 33 | 34 | systemd.services.nix-daemon = { 35 | serviceConfig.Slice = "builder.slice"; 36 | environment.AWS_EC2_METADATA_DISABLED = "true"; 37 | }; 38 | } 39 | -------------------------------------------------------------------------------- /modules/nix-register-flakes/default.nix: -------------------------------------------------------------------------------- 1 | { depot, ... }: 2 | 3 | with depot.inputs; 4 | { 5 | nix.nixPath = [ 6 | "repl=/etc/nixos/flake-channels/system/repl.nix" 7 | "nixpkgs=/etc/nixos/flake-channels/nixpkgs" 8 | ]; 9 | 10 | nix.registry = { 11 | system.flake = depot; 12 | nixpkgs.flake = nixpkgs; 13 | default.flake = nixpkgs; 14 | }; 15 | 16 | environment.etc = { 17 | "nixos/flake-channels/system".source = depot; 18 | "nixos/flake-channels/nixpkgs".source = nixpkgs; 19 | }; 20 | } 21 | -------------------------------------------------------------------------------- /modules/nixpkgs-config/default.nix: -------------------------------------------------------------------------------- 1 | { depot, lib, pkgs, ... 
}: 2 | 3 | { 4 | imports = [ 5 | depot.inputs.nixpkgs.nixosModules.readOnlyPkgs 6 | ]; 7 | 8 | options.nixpkgs.system = lib.mkOption { 9 | type = lib.types.str; 10 | default = pkgs.system; 11 | readOnly = true; 12 | }; 13 | 14 | config.nixpkgs.overlays = lib.mkForce []; 15 | } 16 | -------------------------------------------------------------------------------- /modules/port-magic/default.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | options.links = mkOption { 7 | type = types.attrsOf (types.submodule ./link.nix); 8 | description = "Port Magic links."; 9 | default = {}; 10 | }; 11 | } 12 | -------------------------------------------------------------------------------- /modules/reflection/default.nix: -------------------------------------------------------------------------------- 1 | { config, depot, lib, ... }: 2 | 3 | { 4 | options.reflection = lib.mkOption { 5 | description = "Peer into the Watchman's Glass."; 6 | type = lib.types.raw; 7 | readOnly = true; 8 | default = depot.hours.${config.networking.hostName}; 9 | }; 10 | } 11 | -------------------------------------------------------------------------------- /modules/ssh/default.nix: -------------------------------------------------------------------------------- 1 | { depot, lib, ... 
}: 2 | let 3 | filtered = lib.filterAttrs (_: host: host.ssh.enable) depot.hours; 4 | idCapable = lib.filterAttrs (_: host: host.ssh.id.publicKey != null) filtered; 5 | configCapable = lib.filterAttrs (_: host: host.ssh.extraConfig != "") filtered; 6 | 7 | sshHosts = lib.mapAttrs (_: host: host.ssh.id) idCapable; 8 | sshExtras = lib.mapAttrsToList (_: host: host.ssh.extraConfig) configCapable; 9 | in { 10 | programs.ssh = { 11 | knownHosts = sshHosts; 12 | extraConfig = builtins.concatStringsSep "\n" sshExtras; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /modules/systemd-extras/chant.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | 3 | with lib; 4 | { 5 | options.systemd.services = mkOption { 6 | type = with types; attrsOf (submodule ({ config, name, ... }: { 7 | options.chant = { 8 | enable = mkEnableOption "listening for a waking chant"; 9 | }; 10 | config = lib.mkIf config.chant.enable { 11 | serviceConfig = { 12 | Type = "oneshot"; 13 | LoadCredential = [ "chantPayload:/run/chant/${name}" ]; 14 | }; 15 | environment.CHANT_PAYLOAD = "%d/chantPayload"; 16 | }; 17 | })); 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /modules/systemd-extras/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ./strict-mounts.nix 4 | ./distributed.nix 5 | ./chant.nix 6 | ]; 7 | } 8 | -------------------------------------------------------------------------------- /modules/systemd-extras/distributed.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | 3 | with lib; 4 | { 5 | options.systemd.services = mkOption { 6 | type = with types; attrsOf (submodule ({ config, ... 
}: { 7 | options.distributed = { 8 | enable = mkEnableOption "distributed mode"; 9 | 10 | replicas = mkOption { 11 | description = "Maximum number of replicas to run at once."; 12 | type = types.int; 13 | default = 1; 14 | }; 15 | registerService = mkOption { 16 | description = "Consul service to register when this service gets started."; 17 | type = with types; nullOr str; 18 | default = null; 19 | }; 20 | registerServices = mkOption { 21 | description = "Consul services to register when this service gets started."; 22 | type = with types; listOf str; 23 | default = if config.distributed.registerService == null then [ ] else [ config.distributed.registerService ]; 24 | }; 25 | }; 26 | })); 27 | }; 28 | } 29 | -------------------------------------------------------------------------------- /modules/systemd-extras/strict-mounts.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | 3 | with lib; 4 | { 5 | options.systemd.services = mkOption { 6 | type = with types; attrsOf (submodule ({ config, ... }: { 7 | options.strictMounts = mkOption { 8 | description = "Mount points which this service strictly depends on. What that means is up to other modules."; 9 | type = with types; listOf path; 10 | default = []; 11 | }; 12 | config = mkIf (config.strictMounts != []) { 13 | unitConfig.RequiresMountsFor = config.strictMounts; 14 | }; 15 | })); 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /modules/tested/default.nix: -------------------------------------------------------------------------------- 1 | { config, depot, lib, pkgs, ... 
}: 2 | with lib; 3 | 4 | { 5 | options = { 6 | tested.requiredChecks = mkOption { 7 | type = with types; listOf str; 8 | description = "Flake checks to perform."; 9 | default = []; 10 | }; 11 | }; 12 | config.system.extraDependencies = map (name: depot.checks.${name}) config.tested.requiredChecks; 13 | } 14 | -------------------------------------------------------------------------------- /packages/build-support/activate-shell: -------------------------------------------------------------------------------- 1 | export REPO_ROOT="$(git rev-parse --show-toplevel)" 2 | export REPO_DATA_DIR="$REPO_ROOT/.data" 3 | if ! has nix_direnv_version || ! nix_direnv_version 2.1.0; then 4 | source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.1.0/direnvrc" "sha256-FAT2R9yYvVg516v3LiogjIc8YfsbWbMM/itqWsm5xTA=" 5 | fi 6 | use flake "${REPO_ROOT}#${DEVSHELL_ATTR:-$(basename $PWD)}" 7 | -------------------------------------------------------------------------------- /packages/build-support/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ./drv-parts 4 | ]; 5 | perSystem = { pkgs, ... }: { 6 | imports = [ 7 | ./options.nix 8 | ]; 9 | 10 | builders = rec { 11 | fetchAsset = pkgs.callPackage ./fetch-asset { }; 12 | 13 | hydrateAssetDirectory = pkgs.callPackage ./hydrate-asset-directory { 14 | inherit fetchAsset; 15 | }; 16 | }; 17 | }; 18 | } 19 | -------------------------------------------------------------------------------- /packages/build-support/drv-parts/backends/buildPythonPackage/default.nix: -------------------------------------------------------------------------------- 1 | { drv-backends, ... 
}: 2 | 3 | { 4 | drv-backends.buildPythonPackage.imports = [ 5 | drv-backends.mkDerivation 6 | ./interface.nix 7 | ./implementation.nix 8 | ]; 9 | } 10 | -------------------------------------------------------------------------------- /packages/build-support/drv-parts/backends/buildPythonPackage/interface.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | with lib; 3 | 4 | let 5 | flag = default: description: mkOption { 6 | inherit description default; 7 | type = types.bool; 8 | }; 9 | in 10 | 11 | { 12 | options = { 13 | format = mkOption { 14 | description = "Python package source format"; 15 | type = types.enum [ 16 | "setuptools" 17 | "pyproject" 18 | "flit" 19 | "wheel" 20 | "other" 21 | ]; 22 | default = if config.pyprojectToml != null then "pyproject" else "setuptools"; 23 | defaultText = '' 24 | "pyproject" if pyprojectToml is set, otherwise "setuptools". 25 | ''; 26 | }; 27 | pyprojectToml = mkOption { 28 | description = "pyproject.toml file used for extracting package metadata"; 29 | type = with types; nullOr path; 30 | default = null; 31 | }; 32 | catchConflicts = flag true "If true, abort package build if a package name appears more than once in dependency tree."; 33 | dontWrapPythonPrograms = flag false "Skip wrapping of Python programs."; 34 | removeBinByteCode = flag true "Remove bytecode from /bin. 
Bytecode is only created when the filenames end with .py."; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /packages/build-support/drv-parts/backends/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ./options.nix 4 | 5 | ./buildPythonPackage 6 | ]; 7 | } 8 | -------------------------------------------------------------------------------- /packages/build-support/drv-parts/backends/options.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | with lib; 3 | 4 | { 5 | options = { 6 | drv-backends = mkOption { 7 | description = "drv-parts backends"; 8 | type = with types; attrsOf raw; 9 | default = {}; 10 | }; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /packages/build-support/drv-parts/default.nix: -------------------------------------------------------------------------------- 1 | { inputs, ... }: 2 | { 3 | perSystem = { config, ... }: { 4 | imports = [ 5 | ./backends 6 | ./dependency-sets 7 | ]; 8 | _module.args = { 9 | drv-backends = inputs.drv-parts.modules.drv-parts // config.drv-backends; 10 | }; 11 | }; 12 | } -------------------------------------------------------------------------------- /packages/build-support/drv-parts/dependency-sets/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs, inputs', self', ... }: 2 | 3 | { 4 | drv-parts.packageSets = { 5 | inherit pkgs inputs' self'; 6 | inherit (pkgs) python3Packages; 7 | }; 8 | } 9 | -------------------------------------------------------------------------------- /packages/build-support/fetch-asset/default.nix: -------------------------------------------------------------------------------- 1 | { fetchurl }: 2 | 3 | { cdnURL ? 
"https://cdn.privatevoid.net/assets", index }: 4 | 5 | let 6 | dvc = builtins.fromJSON (builtins.readFile index); 7 | 8 | inherit (builtins.head dvc.outs) sha256 path; 9 | 10 | hashPrefix = builtins.substring 0 2 sha256; 11 | hashSuffix = builtins.substring 2 (-1) sha256; 12 | in 13 | 14 | fetchurl { 15 | name = path; 16 | url = "${cdnURL}/${hashPrefix}/${hashSuffix}"; 17 | inherit sha256; 18 | } 19 | -------------------------------------------------------------------------------- /packages/build-support/hydrate-asset-directory/default.nix: -------------------------------------------------------------------------------- 1 | { lib, fetchAsset, runCommandNoCC }: 2 | 3 | rootDir: let 4 | 5 | prefix = (toString rootDir) + "/"; 6 | 7 | files = lib.filesystem.listFilesRecursive rootDir; 8 | 9 | hydrate = index: fetchAsset { inherit index; }; 10 | 11 | isDvc = file: lib.strings.hasSuffix ".dvc" (toString file); 12 | 13 | relative = file: lib.strings.removePrefix prefix (toString file); 14 | 15 | files' = builtins.partition isDvc files; 16 | 17 | filesRaw = map relative files'.wrong; 18 | 19 | filesDvc = map (file: rec { 20 | dvc = hydrate file; 21 | installPath = (builtins.dirOf (relative file)) + "/${dvc.name}"; 22 | }) files'.right; 23 | 24 | installFile = file: "install -Dm644 ${file} $out/${file}"; 25 | 26 | installDvc = dvc: "install -Dm644 ${dvc.dvc} $out/${dvc.installPath}"; 27 | 28 | in runCommandNoCC (builtins.baseNameOf rootDir) {} '' 29 | cd ${rootDir} 30 | mkdir $out 31 | ${lib.concatStringsSep "\n" (map installFile filesRaw)} 32 | ${lib.concatStringsSep "\n" (map installDvc filesDvc)} 33 | '' 34 | -------------------------------------------------------------------------------- /packages/build-support/options.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | 3 | with lib; 4 | 5 | { 6 | options.builders = mkOption { 7 | description = "Collection of builder functions."; 8 | type = with types; attrsOf (functionTo package); 9 | default = {}; 10 | }; 11 | 12 | config._module.args = { inherit (config) builders; }; 13 | } 14 | -------------------------------------------------------------------------------- /packages/catalog/checks.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | 3 | { 4 | perSystem = { config, pkgs, ... }: { 5 | catalog = lib.mkMerge (lib.mapAttrsToList (name': check: let 6 | simulacrum = lib.hasPrefix "simulacrum-" name'; 7 | name = lib.removePrefix "simulacrum-" name'; 8 | baseAttrPath = if simulacrum then 9 | [ "cluster" "simulacrum" ] 10 | else 11 | [ "depot" "checks" ]; 12 | in lib.setAttrByPath (baseAttrPath ++ [ name ]) { 13 | description = if simulacrum then 14 | "Simulacrum Test: ${name}" 15 | else 16 | "NixOS Test: ${name}"; 17 | actions = { 18 | build = { 19 | description = "Build this check."; 20 | command = "nix build -L --no-link '${builtins.unsafeDiscardStringContext check.drvPath}^*'"; 21 | }; 22 | runInteractive = { 23 | description = "Run interactive driver."; 24 | command = if simulacrum then 25 | "${pkgs.bubblewrap}/bin/bwrap --unshare-all --bind / / --dev-bind /dev /dev ${lib.getExe check.driverInteractive}" 26 | else 27 | lib.getExe check.driverInteractive; 28 | }; 29 | }; 30 | }) config.checks); 31 | }; 32 | } 33 | -------------------------------------------------------------------------------- /packages/catalog/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ./checks.nix 4 | ./packages.nix 5 | ]; 6 | } 7 | -------------------------------------------------------------------------------- /packages/catalog/packages.nix: -------------------------------------------------------------------------------- 1 | { lib, ... 
}: 2 | 3 | let 4 | pins = import ../sources; 5 | in 6 | 7 | { 8 | perSystem = { config, ... }: { 9 | catalog.depot = { 10 | packages = lib.mapAttrs (name: package: { 11 | description = "Package: ${name}"; 12 | actions = lib.mkMerge [ 13 | { 14 | build = { 15 | description = "Build this package."; 16 | command = "nix build -L '${builtins.unsafeDiscardStringContext package.drvPath}^*'"; 17 | }; 18 | } 19 | (lib.mkIf (pins ? ${name}) { 20 | updatePin = { 21 | description = "Update this package's source pin."; 22 | command = "${lib.getExe config.packages.pin} update ${name}"; 23 | }; 24 | }) 25 | ]; 26 | }) config.packages; 27 | }; 28 | }; 29 | } 30 | -------------------------------------------------------------------------------- /packages/checks/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, self, ... }: 2 | 3 | let 4 | timeMachine = { 5 | preUnstable = config.lib.timeTravel "637f048ee36d5052e2e7938bf9039e418accde66"; 6 | }; 7 | in 8 | 9 | { 10 | perSystem = { filters, pkgs, self', system, ... 
}: { 11 | checks = lib.mkIf (system == "x86_64-linux") { 12 | ascensions = pkgs.callPackage ./ascensions.nix { 13 | inherit (self'.packages) consul; 14 | inherit (self) nixosModules; 15 | inherit (config) cluster; 16 | }; 17 | 18 | ipfs-cluster-upgrade = pkgs.callPackage ./ipfs-cluster-upgrade.nix { 19 | inherit (self) nixosModules; 20 | previous = timeMachine.preUnstable; 21 | }; 22 | 23 | jellyfin-stateless = pkgs.callPackage ./jellyfin-stateless.nix { 24 | inherit (self'.packages) jellyfin; 25 | inherit (config) cluster; 26 | }; 27 | 28 | keycloak = pkgs.callPackage ./keycloak-custom-jre.nix { 29 | inherit (self'.packages) keycloak; 30 | }; 31 | 32 | s3ql-upgrade = pkgs.callPackage ./s3ql-upgrade.nix { 33 | inherit (self'.packages) s3ql; 34 | inherit (self) nixosModules; 35 | previous = timeMachine.preUnstable; 36 | }; 37 | 38 | searxng = pkgs.callPackage ./searxng.nix { 39 | inherit (self'.packages) searxng; 40 | }; 41 | }; 42 | }; 43 | } 44 | -------------------------------------------------------------------------------- /packages/checks/keycloak-custom-jre.nix: -------------------------------------------------------------------------------- 1 | { nixosTest, keycloak }: 2 | 3 | nixosTest { 4 | name = "keycloak"; 5 | nodes.machine.services.keycloak = { 6 | enable = true; 7 | package = keycloak; 8 | database.passwordFile = builtins.toFile "keycloak-test-password" "kcnixostest1234"; 9 | settings = { 10 | http-enabled = true; 11 | proxy-headers = "xforwarded"; 12 | hostname = "keycloak.local"; 13 | }; 14 | }; 15 | testScript = '' 16 | machine.wait_for_unit("keycloak.service") 17 | machine.wait_for_open_port(80) 18 | machine.succeed("curl --fail http://127.0.0.1:80") 19 | ''; 20 | } 21 | -------------------------------------------------------------------------------- /packages/checks/modules/consul.nix: -------------------------------------------------------------------------------- 1 | { config, ... 
}: 2 | 3 | { 4 | extraBaseModules = { 5 | services.consul.extraConfig.addresses.http = config.nodes.consul.networking.primaryIPAddress; 6 | }; 7 | 8 | nodes.consul = { config, ... }: { 9 | networking.firewall.allowedTCPPorts = [ 8500 ]; 10 | services.consul = { 11 | enable = true; 12 | extraConfig = { 13 | bind_addr = config.networking.primaryIPAddress; 14 | server = true; 15 | bootstrap_expect = 1; 16 | }; 17 | }; 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /packages/checks/modules/nixos/age-dummy-secrets/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | with lib; 3 | 4 | { 5 | options.age.secrets = mkOption { 6 | type = types.attrsOf (types.submodule ({ name, config, ... }: { 7 | config.path = lib.mkForce "/etc/dummy-secrets/${name}"; 8 | })); 9 | }; 10 | config.environment.etc = mapAttrs' (name: secret: { 11 | name = removePrefix "/etc/" secret.path; 12 | value = mapAttrs (const mkDefault) { 13 | user = secret.owner; 14 | inherit (secret) mode group; 15 | text = builtins.hashString "md5" name; 16 | }; 17 | }) config.age.secrets; 18 | 19 | config.system.activationScripts = { 20 | agenixChown.text = lib.mkForce "echo using age-dummy-secrets"; 21 | agenixNewGeneration.text = lib.mkForce "echo using age-dummy-secrets"; 22 | agenixInstall.text = lib.mkForce '' 23 | ln -sf /etc/dummy-secrets /run/agenix 24 | ''; 25 | }; 26 | } 27 | -------------------------------------------------------------------------------- /packages/checks/modules/nixos/age-dummy-secrets/options.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | with lib; 3 | 4 | let 5 | t = { 6 | string = default: mkOption { 7 | type = types.str; 8 | inherit default; 9 | }; 10 | }; 11 | in 12 | 13 | { 14 | options.age.secrets = mkOption { 15 | type = types.attrsOf (types.submodule ({ name, config, ... 
}: { 16 | options = { 17 | file = mkSinkUndeclaredOptions {}; 18 | owner = t.string "root"; 19 | group = t.string "root"; 20 | mode = t.string "400"; 21 | path = t.string "/etc/dummy-secrets/${name}"; 22 | }; 23 | })); 24 | }; 25 | } 26 | -------------------------------------------------------------------------------- /packages/checks/modules/nixos/external-storage.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | { 4 | systemd.tmpfiles.settings."00-testing-external-storage-underlays" = lib.mapAttrs' (name: cfg: { 5 | name = cfg.mountpoint; 6 | value.d = { 7 | user = toString cfg.uid; 8 | group = toString cfg.gid; 9 | mode = "0700"; 10 | }; 11 | }) config.services.external-storage.underlays; 12 | } 13 | -------------------------------------------------------------------------------- /packages/checks/searxng.nix: -------------------------------------------------------------------------------- 1 | { nixosTest, searxng, writeText }: 2 | 3 | nixosTest { 4 | name = "searxng"; 5 | nodes.machine = { 6 | services.searx = { 7 | enable = true; 8 | runInUwsgi = true; 9 | package = searxng; 10 | settings.server.secret_key = "NixOSTestKey"; 11 | uwsgiConfig.http = "0.0.0.0:8080"; 12 | }; 13 | }; 14 | testScript = '' 15 | machine.wait_for_unit("uwsgi.service") 16 | machine.wait_for_open_port(8080) 17 | machine.wait_until_succeeds("curl --fail http://127.0.0.1:8080/") 18 | ''; 19 | } 20 | -------------------------------------------------------------------------------- /packages/checks/snakeoil/ssh/snakeoil-key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACAOx03X+LtW0aN8ejdN4IJgDPrTZgVwe7WbXhhBvqVwgwAAAJAS78fWEu/H 4 | 1gAAAAtzc2gtZWQyNTUxOQAAACAOx03X+LtW0aN8ejdN4IJgDPrTZgVwe7WbXhhBvqVwgw 5 | 
AAAEAUtGOZZIZdzGP6g85JuXBjDtciNQ9bLHNxSN5Gbwvb2Q7HTdf4u1bRo3x6N03ggmAM 6 | +tNmBXB7tZteGEG+pXCDAAAACW1heEBUSVRBTgECAwQ= 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /packages/checks/snakeoil/ssh/snakeoil-key.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7HTdf4u1bRo3x6N03ggmAM+tNmBXB7tZteGEG+pXCD 2 | -------------------------------------------------------------------------------- /packages/data/stevenblack/default.nix: -------------------------------------------------------------------------------- 1 | { stdenvNoCC, npins, pins }: 2 | 3 | let 4 | src = npins.mkSource pins.stevenblack-hosts; 5 | in 6 | 7 | stdenvNoCC.mkDerivation { 8 | pname = "stevenblack-hosts"; 9 | inherit (pins.stevenblack-hosts) version; 10 | buildCommand = '' 11 | cp ${src}/hosts $out 12 | ''; 13 | } 14 | -------------------------------------------------------------------------------- /packages/dream2nix-overrides/nodejs/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | lib, 3 | pkgs, 4 | 5 | # dream2nix 6 | satisfiesSemver, 7 | ... 
8 | }: 9 | 10 | let 11 | versionGate = pkg: target: 12 | assert 13 | lib.assertMsg (lib.versionOlder pkg.version target.version) 14 | "${pkg.name} has reached the desired version upstream"; 15 | target; 16 | in 17 | 18 | { 19 | excalidraw.build = { 20 | REACT_APP_DISABLE_SENTRY = "true"; 21 | REACT_APP_FIREBASE_CONFIG = ""; 22 | REACT_APP_GOOGLE_ANALYTICS_ID = ""; 23 | 24 | 25 | nativeBuildInputs = [ pkgs.yarn ]; 26 | 27 | installPhase = '' 28 | distRoot=$out/share/www 29 | dist=$distRoot/excalidraw 30 | mkdir -p $distRoot 31 | mv $nodeModules/excalidraw/build $dist 32 | find $dist -type f -name "*.map" -delete 33 | ''; 34 | 35 | passthru.webPath = "share/www/excalidraw"; 36 | }; 37 | 38 | sharp.build = with pkgs; { 39 | nativeBuildInputs = old: old ++ [ 40 | pkg-config 41 | ]; 42 | buildInputs = old: old ++ [ 43 | vips 44 | ]; 45 | }; 46 | 47 | puppeteer.dummy-build = { 48 | # HACK: doesn't build, but we don't need it anywhere 49 | configurePhase = "exit 0"; 50 | }; 51 | } 52 | -------------------------------------------------------------------------------- /packages/lib/tools.nix: -------------------------------------------------------------------------------- 1 | rec { 2 | dirfilter = type: path: 3 | (let root = builtins.readDir path; 4 | in builtins.filter (x: builtins.getAttr x root == type) 5 | (builtins.attrNames root)); 6 | 7 | absolutify = path: ../../. 
+ ("/" + path); 8 | mkpatchlist = pkg: 9 | map (patch: absolutify (builtins.concatStringsSep "/" [ pkg patch ])) 10 | (dirfilter "regular" (absolutify pkg)); 11 | 12 | patch = super: patchdir: 13 | super.overrideAttrs 14 | (attrs: { patches = (attrs.patches or [ ]) ++ (mkpatchlist patchdir); }); 15 | 16 | patch-rename = super: pname: patchdir: 17 | super.overrideAttrs (attrs: { 18 | patches = (attrs.patches or [ ]) ++ (mkpatchlist patchdir); 19 | inherit pname; 20 | }); 21 | 22 | patch-rename-direct = super: renameWith: patchdir: 23 | super.overrideAttrs (attrs: { 24 | patches = (attrs.patches or [ ]) ++ (mkpatchlist patchdir); 25 | name = renameWith attrs; 26 | }); 27 | } 28 | -------------------------------------------------------------------------------- /packages/monitoring/opentelemetry-java-agent-bin/default.nix: -------------------------------------------------------------------------------- 1 | { fetchurl }: 2 | 3 | fetchurl rec { 4 | name = "opentelemetry-java-agent-${meta.version}.jar"; 5 | meta.version = "1.19.1"; 6 | url = "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v${meta.version}/opentelemetry-javaagent.jar"; 7 | sha256 = "sha256-f1kc0eqBrK+QmlRaZRiJq5OAKa2wrtTyLeBN8uK6698="; 8 | } 9 | -------------------------------------------------------------------------------- /packages/networking/ipfs/ipfs-allow-publish-with-ipns-mounted.patch: -------------------------------------------------------------------------------- 1 | diff --git a/core/coreapi/coreapi.go b/core/coreapi/coreapi.go 2 | index 81d05b58d..66460326f 100644 3 | --- a/core/coreapi/coreapi.go 4 | +++ b/core/coreapi/coreapi.go 5 | 
@@ -205,9 +205,6 @@ func (api *CoreAPI) WithOptions(opts ...options.ApiOption) (coreiface.CoreAPI, e 6 | } 7 | 8 | subAPI.checkPublishAllowed = func() error { 9 | - if n.Mounts.Ipns != nil && n.Mounts.Ipns.IsActive() { 10 | - return errors.New("cannot manually publish while IPNS is mounted") 11 | - } 12 | return nil 13 | } 14 | 15 | -------------------------------------------------------------------------------- /packages/networking/ipfs/ipfs-fuse-nuke-getxattr.patch: -------------------------------------------------------------------------------- 1 | diff --git a/fuse/readonly/readonly_unix.go b/fuse/readonly/readonly_unix.go 2 | index 3a2269393..8bff88f28 100644 3 | --- a/fuse/readonly/readonly_unix.go 4 | +++ b/fuse/readonly/readonly_unix.go 5 | @@ -228,12 +228,6 @@ func (s *Node) ReadDirAll(ctx context.Context) ([]fuse.Dirent, error) { 6 | return nil, fuse.ENOENT 7 | } 8 | 9 | -func (s *Node) Getxattr(ctx context.Context, req *fuse.GetxattrRequest, resp *fuse.GetxattrResponse) error { 10 | - // TODO: is nil the right response for 'bug off, we ain't got none' ? 11 | - resp.Xattr = nil 12 | - return nil 13 | -} 14 | - 15 | func (s *Node) Readlink(ctx context.Context, req *fuse.ReadlinkRequest) (string, error) { 16 | if s.cached == nil || s.cached.Type() != ft.TSymlink { 17 | return "", fuse.Errno(syscall.EINVAL) 18 | 
@@ -278,7 +272,6 @@ type roNode interface { 19 | fs.Node 20 | fs.NodeStringLookuper 21 | fs.NodeReadlinker 22 | - fs.NodeGetxattrer 23 | } 24 | 25 | var _ roNode = (*Node)(nil) 26 | -------------------------------------------------------------------------------- /packages/part.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | let 3 | filters = import ./system-filter.nix; 4 | doFilter' = system: filterSet: lib.filterAttrs (name: _: 5 | filterSet ? "${name}" -> builtins.elem system filterSet."${name}" 6 | ); 7 | in { 8 | imports = [ 9 | ./projects.nix 10 | ./patched-inputs.nix 11 | ./catalog 12 | ./shadows.nix 13 | ]; 14 | perSystem = { pkgs, self', system, ... }: let 15 | patched-derivations = import ./patched-derivations.nix (pkgs // { flakePackages = self'.packages; }); 16 | in { 17 | _module.args.filters = filters // { doFilter = doFilter' system; }; 18 | packages = doFilter' system filters.packages patched-derivations; 19 | }; 20 | } 21 | -------------------------------------------------------------------------------- /packages/patched-inputs.nix: -------------------------------------------------------------------------------- 1 | { 2 | perSystem = { filters, inputs', lib, pkgs, ... 
}: 3 | 4 | let 5 | tools = import ./lib/tools.nix; 6 | packages = builtins.mapAttrs (_: v: v.packages) inputs'; 7 | in with tools; 8 | 9 | { 10 | packages = filters.doFilter filters.packages rec { 11 | nix-super = packages.nix-super.nix; 12 | 13 | agenix = packages.agenix.agenix.override { nix = nix-super; }; 14 | }; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /packages/servers/reflex-cache/.envrc: -------------------------------------------------------------------------------- 1 | source ../../build-support/activate-shell 2 | -------------------------------------------------------------------------------- /packages/servers/reflex-cache/.gitignore: -------------------------------------------------------------------------------- 1 | __pycache__ 2 | dist/ 3 | result/ -------------------------------------------------------------------------------- /packages/servers/reflex-cache/project.nix: -------------------------------------------------------------------------------- 1 | { inputs, ... }: 2 | 3 | { 4 | perSystem = { config, drv-backends, lib, pkgs, ... }: let 5 | deps = with config.drv-parts.packageSets.python3Packages; [ 6 | poetry-core 7 | requests-unixsocket 8 | py-multibase 9 | py-multiaddr 10 | ]; 11 | 12 | pythonForDev = pkgs.python3.withPackages (lib.const deps); 13 | in 14 | { 15 | projectShells.reflex-cache = { 16 | tools = [ 17 | pythonForDev 18 | ]; 19 | env.PYTHON = pythonForDev.interpreter; 20 | commands.reflex.command = "${pythonForDev.interpreter} -m reflex_cache.main"; 21 | }; 22 | drvs.reflex-cache = { packageSets, ... 
}: { 23 | imports = [ 24 | drv-backends.buildPythonPackage 25 | ]; 26 | pyprojectToml = ./pyproject.toml; 27 | 28 | mkDerivation = { 29 | propagatedBuildInputs = deps; 30 | 31 | src = with inputs.nix-filter.lib; filter { 32 | root = ./.; 33 | include = [ 34 | "pyproject.toml" 35 | (inDirectory "reflex_cache") 36 | ]; 37 | }; 38 | }; 39 | }; 40 | }; 41 | } -------------------------------------------------------------------------------- /packages/servers/reflex-cache/pyproject.toml: -------------------------------------------------------------------------------- 1 | [tool.poetry] 2 | name = "reflex-cache" 3 | version = "0.2.0" 4 | description = "Controller for Nix binary caches on IPFS" 5 | authors = ["Max "] 6 | license = "AGPL-3.0" 7 | 8 | [tool.poetry.dependencies] 9 | python = "^3.9" 10 | requests = "^2.28.1" 11 | requests-unixsocket = "^0.3.0" 12 | multiaddr = "^0.0.9" 13 | py-multibase = "^1.0.3" 14 | 15 | [tool.poetry.dev-dependencies] 16 | 17 | [build-system] 18 | requires = ["poetry-core>=1.0.0"] 19 | build-backend = "poetry.core.masonry.api" 20 | 21 | [tool.poetry.scripts] 22 | reflex = "reflex_cache.main:main" 23 | -------------------------------------------------------------------------------- /packages/servers/reflex-cache/reflex_cache/main.py: -------------------------------------------------------------------------------- 1 | from reflex_cache import service_handler, util 2 | 3 | CACHES = [ 4 | "https://cache.privatevoid.net", 5 | "https://cache.nixos.org", 6 | "https://max.cachix.org", 7 | ] 8 | 9 | 10 | def main(): 11 | server = util.ThreadingHTTPServer( 12 | ("127.0.0.1", int(util.envOr("REFLEX_PORT", "8002"))), 13 | service_handler.ReflexHTTPServiceHandler, 14 | ) 15 | server.serve_forever() 16 | 17 | 18 | if __name__ == "__main__": 19 | main() 20 | -------------------------------------------------------------------------------- /packages/servers/reflex-cache/reflex_cache/util.py: 
-------------------------------------------------------------------------------- 1 | from http.server import HTTPServer 2 | from os import environ 3 | from socketserver import ThreadingMixIn 4 | 5 | 6 | class Uncached(Exception): 7 | pass 8 | 9 | 10 | class ThreadingHTTPServer(ThreadingMixIn, HTTPServer): 11 | pass 12 | 13 | 14 | class MissingEnvironmentVariableError(Exception): 15 | pass 16 | 17 | 18 | def envOr(key, default): 19 | if key in environ: 20 | return environ[key] 21 | else: 22 | return default 23 | 24 | 25 | def envOrRaise(key): 26 | if key in environ: 27 | return environ[key] 28 | else: 29 | raise MissingEnvironmentVariableError(key) 30 | -------------------------------------------------------------------------------- /packages/shadows.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | 3 | { 4 | perSystem = { inputs', self', ... }: { 5 | # much like overlays, shadows can *shadow* packages in nixpkgs 6 | # unlike overlays, shadows don't cause a nixpkgs re-evaluation 7 | # this is a hack for dealing with poorly written NixOS modules 8 | # that don't provide a `package` option to perform overrides 9 | 10 | options.shadows = lib.mkOption { 11 | type = with lib.types; lazyAttrsOf package; 12 | default = { 13 | jitsi-meet = self'.packages.jitsi-meet-insecure; 14 | }; 15 | }; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /packages/system-filter.nix: -------------------------------------------------------------------------------- 1 | { 2 | packages = { 3 | hydra = [ "x86_64-linux" ]; 4 | jellyfin = [ "x86_64-linux" ]; 5 | keycloak = [ "x86_64-linux" ]; 6 | out-of-your-element = [ "x86_64-linux" ]; 7 | prometheus-jitsi-exporter = [ "aarch64-linux" ]; 8 | searxng = [ "x86_64-linux" ]; 9 | sonarr5 = [ "x86_64-linux" ]; 10 | tempo = [ "x86_64-linux" ]; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- 
/packages/tools/graf/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | writeShellApplication, 3 | curl, gum, jq 4 | }: 5 | 6 | writeShellApplication { 7 | name = "graf"; 8 | runtimeInputs = [ 9 | curl 10 | gum 11 | jq 12 | ]; 13 | text = builtins.readFile ./graf.sh; 14 | } 15 | -------------------------------------------------------------------------------- /packages/tools/npins/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , rustPlatform 3 | , fetchFromGitHub 4 | , nix-gitignore 5 | , makeWrapper 6 | , stdenv 7 | , darwin 8 | , callPackage 9 | 10 | # runtime dependencies 11 | , nix # for nix-prefetch-url 12 | , nix-prefetch-git 13 | , git # for git ls-remote 14 | }: 15 | 16 | let 17 | runtimePath = lib.makeBinPath [ nix nix-prefetch-git git ]; 18 | sources = (builtins.fromJSON (builtins.readFile ./sources.json)).pins; 19 | in rustPlatform.buildRustPackage rec { 20 | pname = "npins"; 21 | inherit (src) version; 22 | src = passthru.mkSource sources.npins; 23 | 24 | cargoHash = "sha256-aIpGTTLQ+HfLf5i4VON7Rq1xNl4rA+7TZ5yF1Ov8lmc="; 25 | 26 | buildInputs = lib.optional stdenv.isDarwin (with darwin.apple_sdk.frameworks; [ Security ]); 27 | nativeBuildInputs = [ makeWrapper ]; 28 | 29 | # (Almost) all tests require internet 30 | doCheck = false; 31 | 32 | postFixup = '' 33 | wrapProgram $out/bin/npins --prefix PATH : "${runtimePath}" 34 | ''; 35 | 36 | meta = with lib; { 37 | description = "Simple and convenient dependency pinning for Nix"; 38 | homepage = "https://github.com/andir/npins"; 39 | license = licenses.eupl12; 40 | maintainers = with maintainers; [ piegames ]; 41 | }; 42 | 43 | passthru.mkSource = callPackage ./source.nix {}; 44 | } 45 | -------------------------------------------------------------------------------- /packages/tools/npins/sources.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"pins": { 3 | "npins": { 4 | "type": "GitRelease", 5 | "repository": { 6 | "type": "GitHub", 7 | "owner": "andir", 8 | "repo": "npins" 9 | }, 10 | "pre_releases": false, 11 | "version_upper_bound": null, 12 | "version": "0.1.0", 13 | "revision": "5c9253ff6010f435ab73fbe1e50ae0fdca0ec07b", 14 | "url": "https://api.github.com/repos/andir/npins/tarball/0.1.0", 15 | "hash": "019fr9xsirld8kap75k18in3krkikqhjn4mglpy3lyhbhc5n1kh6" 16 | } 17 | }, 18 | "version": 2 19 | } 20 | -------------------------------------------------------------------------------- /packages/tools/pin/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | writeShellApplication, 3 | nix, npins, jq 4 | }: 5 | 6 | writeShellApplication { 7 | name = "pin"; 8 | runtimeInputs = [ 9 | nix 10 | npins 11 | jq 12 | ]; 13 | text = builtins.readFile ./pin.sh; 14 | } 15 | -------------------------------------------------------------------------------- /packages/tools/pin/pin.sh: -------------------------------------------------------------------------------- 1 | REPO_ROOT="${REPO_ROOT:-.}" 2 | NPINS_DIRECTORY="${NPINS_DIRECTORY:-npins}" 3 | 4 | cmd_update() { 5 | for pkg in "$@"; do 6 | oldver=$(nix eval --raw "${REPO_ROOT}#${pkg}.version") 7 | npins update "$pkg" 8 | newver=$(nix eval --raw "${REPO_ROOT}#${pkg}.version") 9 | git add "${NPINS_DIRECTORY}" 10 | git commit "${NPINS_DIRECTORY}" -m "packages/$pkg: $oldver -> $newver" || true 11 | done 12 | } 13 | 14 | cmd_update_all() { 15 | # shellcheck disable=SC2046 16 | cmd_update $(jq < "${NPINS_DIRECTORY}/sources.json" -r '.pins | keys | .[]') 17 | } 18 | 19 | cmd="$1" 20 | shift 21 | case $cmd in 22 | update) 23 | cmd_update "$@";; 24 | update-all) 25 | cmd_update_all "$@";; 26 | *) 27 | echo Unknown command: "$cmd";; 28 | esac -------------------------------------------------------------------------------- /packages/web-apps/cinny/default.nix: 
-------------------------------------------------------------------------------- 1 | { stdenvNoCC, fetchzip, pins }: 2 | 3 | let 4 | inherit (pins) cinny; 5 | repo = cinny.repository; 6 | 7 | app = stdenvNoCC.mkDerivation rec { 8 | pname = "cinny-bin"; 9 | version = builtins.substring 1 (-1) cinny.version; 10 | 11 | src = fetchzip { 12 | name = "cinny-tarball-${version}"; 13 | url = "https://github.com/${repo.owner}/${repo.repo}/releases/download/${cinny.version}/cinny-${cinny.version}.tar.gz"; 14 | sha256 = "sha256-gi88F1wpklJlsFAg2iMdEAN+jsuaMBMs7yRCJIDrk28="; 15 | }; 16 | 17 | buildCommand = '' 18 | mkdir -p $out/share/www/cinny 19 | cp -r $src/* $out/share/www/cinny 20 | ''; 21 | passthru.webroot = "${app}/share/www/cinny"; 22 | }; 23 | in app 24 | -------------------------------------------------------------------------------- /packages/web-apps/searxng/deps/chompjs.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , buildPythonPackage 3 | , fetchPypi 4 | }: 5 | 6 | buildPythonPackage rec { 7 | pname = "chompjs"; 8 | version = "1.2.2"; 9 | format = "setuptools"; 10 | 11 | src = fetchPypi { 12 | inherit pname version; 13 | hash = "sha256-I5PbVinyjO1OF78t9h67lVBM/VsogYoMj3iFZS4WTn8="; 14 | }; 15 | 16 | pythonImportsCheck = [ "chompjs" ]; 17 | 18 | meta = with lib; { 19 | description = "Parsing JavaScript objects into Python dictionaries"; 20 | homepage = "https://pypi.org/project/chompjs/"; 21 | license = licenses.mit; 22 | maintainers = with maintainers; [ ]; 23 | }; 24 | } 25 | -------------------------------------------------------------------------------- /packages/websites/landing/.envrc: -------------------------------------------------------------------------------- 1 | source ../../build-support/activate-shell 2 | nix_direnv_watch_file project.nix 3 | -------------------------------------------------------------------------------- /packages/websites/landing/.gitignore: 
-------------------------------------------------------------------------------- 1 | # hugo generated files 2 | public/ 3 | resources/_gen/ 4 | assets/jsconfig.json 5 | .hugo_build.lock 6 | hugo_stats.json 7 | 8 | # nix config only 9 | /config.toml 10 | /config.yaml 11 | /config.yml 12 | /config.json 13 | -------------------------------------------------------------------------------- /packages/websites/landing/archetypes/default.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "{{ replace .Name "-" " " | title }}" 3 | date: {{ .Date }} 4 | draft: true 5 | --- 6 | 7 | -------------------------------------------------------------------------------- /packages/websites/landing/static/css/.gitignore: -------------------------------------------------------------------------------- 1 | /plugins.css 2 | /rtl.css 3 | /style.css 4 | /theme.css 5 | -------------------------------------------------------------------------------- /packages/websites/landing/static/css/custom.css: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | 1. Add your custom Css styles below 4 | 2. 
Place the this code in your template: 5 | 6 | 7 | 8 | */ -------------------------------------------------------------------------------- /packages/websites/landing/static/css/plugins.css.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "321dc29440ece6b3f3a3b35b37b61555c52990d234779776c090b794f89233ad", "size": 225462, "path": "plugins.css"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/css/rtl.css.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "b60e548b217856152b27f7f3f55a9a20dac454e929908c4c86d9b8d4e9b2ca23", "size": 13057, "path": "rtl.css"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/css/style.css.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "65bec51929144435207d16ab204122375de483e97fbb3ab232c3e070bbf7f7a0", "size": 427478, "path": "style.css"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/css/theme.css.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "c5b73188c041b544d1f43d30f15d724635faad72c0d1696e074fc6f445e775ee", "size": 22981, "path": "theme.css"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/.gitignore: -------------------------------------------------------------------------------- 1 | /austrian-alps.jpg 2 | /favicon.png 3 | -------------------------------------------------------------------------------- /packages/websites/landing/static/images/austrian-alps.jpg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": 
"b5e62768d928b0f6ec313f1e1c576e05dcfaf5b14fda796c730281b308506236", "size": 1181295, "path": "austrian-alps.jpg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/.gitignore: -------------------------------------------------------------------------------- 1 | /1.png 2 | /10.png 3 | /11.png 4 | /2.png 5 | /3.png 6 | /4.png 7 | /5.png 8 | /6.png 9 | /7.png 10 | /8.png 11 | /9.png 12 | -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/1.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "1b37b7a243fcb9e40af59c0c8f9a52f23b4e99e4e7b9e856b9cd86a19ed8e368", "size": 21412, "path": "1.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/10.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "a9fdd551bbcd3aa5914ee57c9b07857628998c9766f18a80770c6b71e3d8f73f", "size": 4753, "path": "10.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/11.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "60d8174163c70f7c414b3463fb856710788e9aedc717a08d59216dab214bc3b1", "size": 2378, "path": "11.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/2.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "8f1d83088518cf6fb5510737a48d73b19d980cae81f5d6313ae08547ecfae537", "size": 14897, "path": "2.png"}]} -------------------------------------------------------------------------------- 
/packages/websites/landing/static/images/clients/3.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "9e231317193ff26baeb090635205b8e709d23526ceea62dd38b0c104bdd857bd", "size": 10013, "path": "3.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/4.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "04a0fc49470c67320b633d84a3a5730678479c7c6e37b386ea7f800665770a1e", "size": 17433, "path": "4.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/5.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "39f672b9191380b4c46f6945d4a746d859f56778ae70beef8166ef6bff760582", "size": 4862, "path": "5.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/6.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "94233394ba8daf7039aa93e1fb7c4860aeb759dc1401018597282468371690fd", "size": 11272, "path": "6.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/7.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "522612938225df8c92cc2fbe8a9606ba510177240acc4f65dfc2771357c2a5fb", "size": 14719, "path": "7.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/8.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "93102e4c9c806c6612e4a962b28aa334942c947bc7f7413f1af444f2a92ab151", "size": 9013, "path": 
"8.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/clients/9.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "d438fac16eb7123e7508bc0cc856f416c43ad740f8e1d7f55f908035fe169dac", "size": 9337, "path": "9.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/favicon.png.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "f2cf0e460e6e221ebca174f408dc98b8cc21cfc4a4163f34a19bf6210cc02060", "size": 255, "path": "favicon.png"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/parallax/.gitignore: -------------------------------------------------------------------------------- 1 | /29.jpg 2 | /7.jpg 3 | /_5.jpg 4 | -------------------------------------------------------------------------------- /packages/websites/landing/static/images/parallax/29.jpg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "3a2d7d6acda68cf7d77b28de0d7a1ffe88afcebe46fd70903e8130f161123ef7", "size": 207560, "path": "29.jpg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/parallax/7.jpg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "2c851c1b2e38533ba102b37ebf9673191767b7eb8977d6a025e20799315d8486", "size": 114850, "path": "7.jpg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/parallax/_5.jpg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "82b61acf77f8c9e5c68eca97d4c780482ab2561c96d71015a9b149f0cdfa123b", 
"size": 85858, "path": "_5.jpg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/slider/.gitignore: -------------------------------------------------------------------------------- 1 | /finland.jpeg 2 | -------------------------------------------------------------------------------- /packages/websites/landing/static/images/slider/finland.jpeg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "2e630bb1beaa835747123a0e6b1bcc77ec0e8ec6cbcaf0e9666f2fe24d5f9ff9", "size": 239736, "path": "finland.jpeg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/team/.gitignore: -------------------------------------------------------------------------------- 1 | /alex.jpg 2 | /max.jpg 3 | -------------------------------------------------------------------------------- /packages/websites/landing/static/images/team/alex.jpg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "a24b33d71cb6d3c5ebf15b41d80121470ff5c681573c2291f10262b176319365", "size": 121191, "path": "alex.jpg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/images/team/max.jpg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "82e99e3625a02a422d250859b73535f21607b716bfd5a6d8a64dc280902d9fba", "size": 136235, "path": "max.jpg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/js/.gitignore: -------------------------------------------------------------------------------- 1 | /functions.js 2 | /hesoyam.min.js 3 | /jquery.js 4 | /plugins.js 5 | -------------------------------------------------------------------------------- 
/packages/websites/landing/static/js/custom.js: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | 1. Add your custom JavaScript code below 4 | 2. Place the this code in your template: 5 | 6 | 7 | 8 | */ -------------------------------------------------------------------------------- /packages/websites/landing/static/js/functions.js.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "11179216f1a344bd59fb5edd594635456777b573392afa60641e585be9c08136", "size": 121264, "path": "functions.js"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/js/hesoyam.min.js.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "5641711e106d733c694c0ac2e4a308ea9f9e46d943b5569363b920b25a8e2fe4", "size": 1788, "path": "hesoyam.min.js"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/js/jquery.js.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "0925e8ad7bd971391a8b1e98be8e87a6971919eb5b60c196485941c3c1df089a", "size": 88145, "path": "jquery.js"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/js/plugins.js.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "3107c64b1a590f7f7d93aa37f5bdce902e2cbc4205e42867d5f86663b9759cf7", "size": 257062, "path": "plugins.js"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/.gitignore: -------------------------------------------------------------------------------- 1 | /fa-brands-400.eot 2 | /fa-brands-400.svg 3 | /fa-brands-400.ttf 4 | /fa-brands-400.woff 5 | /fa-brands-400.woff2 6 | 
/fa-regular-400.eot 7 | /fa-regular-400.svg 8 | /fa-regular-400.ttf 9 | /fa-regular-400.woff 10 | /fa-regular-400.woff2 11 | /fa-solid-900.eot 12 | /fa-solid-900.svg 13 | /fa-solid-900.ttf 14 | /fa-solid-900.woff 15 | /fa-solid-900.woff2 16 | /inspiro-icons.svg 17 | /inspiro-icons.ttf 18 | /inspiro-icons.woff 19 | -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-brands-400.eot.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "60fb2d28d2f1dbd2bc1a7a3b44701fec1cb7f630bee439d926c024c3212c1a9c", "size": 130906, "path": "fa-brands-400.eot"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-brands-400.svg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "ed5bfbea42378c58a095a96a417f067808b4f753892bb2d449a31bd4b30884ce", "size": 700503, "path": "fa-brands-400.svg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-brands-400.ttf.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "ca785b3a0d0f4c1bd0cbbe298a989af28aff3086b6522c2eaf9f7c110f080874", "size": 130600, "path": "fa-brands-400.ttf"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-brands-400.woff.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "23d9a4585904deec93bbe23b911d97f40fe25bcdf6131737f17b1f87c4b68367", "size": 88428, "path": "fa-brands-400.woff"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-brands-400.woff2.dvc: 
-------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "d3caf12591d194712facd10bca14f0a924edb59c24447a3fd994a48286db8843", "size": 75336, "path": "fa-brands-400.woff2"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-regular-400.eot.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "b115d3ffeefd0c3a276fa964e3a8aeb8fb04f782f690c476c1042b06ea465cd1", "size": 34394, "path": "fa-regular-400.eot"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-regular-400.svg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "953c82ccf56ee1a292e40d8a704e192e5d9f41f1aa5cf37d0fe46a4281ab977f", "size": 144452, "path": "fa-regular-400.svg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-regular-400.ttf.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "913a94a29d838712cfed937028ac4ab14eac95ddc784d5207e4d4504ab42fa17", "size": 34096, "path": "fa-regular-400.ttf"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-regular-400.woff.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "43a881161585db16179f70e53240a274f209aff03aafbcc34bc32e17fb4d95c6", "size": 16804, "path": "fa-regular-400.woff"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-regular-400.woff2.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": 
"0fc0a22e5e67c95d02c389a1454acc67df53e2f6a46af739f3eac7e352644751", "size": 13584, "path": "fa-regular-400.woff2"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-solid-900.eot.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "5ef4c7be9577dde004048607cc872221de00db893f29baa809c378b01370a370", "size": 192758, "path": "fa-solid-900.eot"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-solid-900.svg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "86c7d89d0f0d29d85c6684db2d8da9aac514c81bcabf41ea0af726e29de20a47", "size": 842605, "path": "fa-solid-900.svg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-solid-900.ttf.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "20656d1a8f2ea44e36c2b8354d15c4db21909ee5140b0224f74f92477e0899f7", "size": 192472, "path": "fa-solid-900.ttf"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-solid-900.woff.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "7dd5fcdf6f4b330bf82965887ef6b9196b8d27855eddee99ac04fb63de0e351e", "size": 98384, "path": "fa-solid-900.woff"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/fa-solid-900.woff2.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "3d1080625d3030e88357b3ac9aa377dcec23f1b529c4ad03f7a9a435ccae04be", "size": 75728, "path": "fa-solid-900.woff2"}]} 
-------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/inspiro-icons.svg.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "3021201c6b1e0950385e6e089f1ec5ef2aebf410ffaf6288d3c153700e5517c4", "size": 298580, "path": "inspiro-icons.svg"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/inspiro-icons.ttf.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "3007f9bc5aed47b29ea7d70e8a12b63626589982adc9e4a56b6a6c9beebb55e6", "size": 80576, "path": "inspiro-icons.ttf"}]} -------------------------------------------------------------------------------- /packages/websites/landing/static/webfonts/inspiro-icons.woff.dvc: -------------------------------------------------------------------------------- 1 | {"outs": [{"sha256": "1cb52b4aeeb90f0e970f9d544a5ed70d4cb9a5dc83b544946ea738a9d485cfda", "size": 80652, "path": "inspiro-icons.woff"}]} -------------------------------------------------------------------------------- /packages/websites/stop-using-nix-env/project.nix: -------------------------------------------------------------------------------- 1 | { 2 | perSystem = { pkgs, ... 
}: { 3 | packages.stop-using-nix-env = let 4 | site = with pkgs; stdenvNoCC.mkDerivation rec { 5 | pname = "stop-using-nix-env"; 6 | version = "1.2.1"; 7 | src = ./src; 8 | buildCommand = '' 9 | install -Dm644 $src/* -t $out/share/www/${pname} 10 | substituteInPlace $out/share/www/${pname}/index.html \ 11 | --replace '' 'Version ${version} |' 12 | ''; 13 | passthru = { 14 | webroot = "${site}/share/www/${pname}"; 15 | }; 16 | }; 17 | in site; 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /patches/base/acme-dns/do-not-lowercase-records.patch: -------------------------------------------------------------------------------- 1 | diff --git a/dns.go b/dns.go 2 | index a01fb9c..9a3b06b 100644 3 | --- a/dns.go 4 | +++ b/dns.go 5 | @@ -51,7 +51,7 @@ func (d *DNSServer) Start(errorChannel chan error) { 6 | // ParseRecords parses a slice of DNS record string 7 | func (d *DNSServer) ParseRecords(config DNSConfig) { 8 | for _, v := range config.General.StaticRecords { 9 | - rr, err := dns.NewRR(strings.ToLower(v)) 10 | + rr, err := dns.NewRR(v) 11 | if err != nil { 12 | log.WithFields(log.Fields{"error": err.Error(), "rr": v}).Warning("Could not parse RR from config") 13 | continue 14 | -------------------------------------------------------------------------------- /patches/base/cachix/deploy-agent-dont-switch-for-kernel-upgrades.patch: -------------------------------------------------------------------------------- 1 | diff --git a/cachix/src/Cachix/Deploy/Activate.hs b/cachix/src/Cachix/Deploy/Activate.hs 2 | index 0f54ce6..2bc0d7d 100644 3 | --- a/src/Cachix/Deploy/Activate.hs 4 | +++ b/src/Cachix/Deploy/Activate.hs 5 | 
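Review bot: Dropping `strings.ToLower` leaves the `strings` import unused if nothing else in dns.go references that package, which Go rejects at compile time; confirm against the full file before applying. The change also means a static record's owner name keeps its configured case, so if the server lowercases or otherwise canonicalises incoming query names elsewhere, a mixed-case owner in the config may stop matching lookups. A one-line preamble in the patch stating which part of the record this is meant to preserve (presumably case-sensitive rdata such as TXT values) would make that trade-off explicit. ParseRecords continues beyond the hunk.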
@@ -122,6 +122,8 @@ getActivationScript profile storePath = do
6 | isNixDarwin <- checkPath "darwin-version"
7 | isHomeManager <- checkPath "hm-version"
8 | user <- InstallationMode.getUser
9 | + oldKernelPath <- Directory.getSymbolicLinkTarget "/run/booted-system/kernel"
10 | + newKernelPath <- Directory.getSymbolicLinkTarget $ toS storePath "kernel"
11 | let systemProfileDir = "/nix/var/nix/profiles"
12 | let perUserProfileDir = systemProfileDir "per-user" toS user
13 | let mkProfilePath profileBaseDir defaultProfile =
14 | @@ -136,7 +138,7 @@ getActivationScript profile storePath = do
15 | let profilePath = mkProfilePath systemProfileDir "system"
16 | in ( profilePath,
17 | [ setNewProfile profilePath,
18 | - (toS storePath "bin/switch-to-configuration", ["switch"])
19 | + (toS storePath "bin/switch-to-configuration", [if oldKernelPath == newKernelPath then "switch" else "boot"])
20 | ]
21 | )
22 | (_, True, _) ->
23 | -------------------------------------------------------------------------------- /patches/base/forgejo/oauth2-secret-from-env.patch: --------------------------------------------------------------------------------
1 | diff --git a/cmd/admin_auth_oauth.go b/cmd/admin_auth_oauth.go
2 | index c151c0af27..e8a4f34707 100644
3 | --- a/cmd/admin_auth_oauth.go
4 | +++ b/cmd/admin_auth_oauth.go
5 | @@ -34,6 +34,7 @@ var (
6 | Name: "secret",
7 | Value: "",
8 | Usage: "Client Secret",
9 | + EnvVars: []string{"FORGEJO_ADMIN_OAUTH2_SECRET"},
10 | },
11 | &cli.StringFlag{
12 | Name: "auto-discover-url",
13 | -------------------------------------------------------------------------------- /patches/base/prometheus-jitsi-exporter/reduce-log-noise.patch: --------------------------------------------------------------------------------
1 | From d2b0794c2e7ecc45ccd237fb80ccd84efb976e7a Mon Sep 17 00:00:00 2001
2 | From: Max
3 | Date: Thu, 4 Aug 2022 13:46:03 +0200
4 | Subject: [PATCH] reduce log noise
5 |
6 |
7 | 
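Review bot: The two `Directory.getSymbolicLinkTarget` calls on lines 9–10 of the first hunk run unconditionally, before the profile kind is dispatched on (the `isNixDarwin`/`isHomeManager` checks just above them and the `(_, True, _) ->` arm in the second hunk), and `getSymbolicLinkTarget` throws when the path is missing or not a symlink, so on a nix-darwin or home-manager host, or a system profile without a `kernel` link, activation now fails before any switch is attempted. Reading each link only when it exists and comparing the `Maybe` results keeps the second hunk's `if oldKernelPath == newKernelPath` unchanged. Comparing the kernel link alone also means a changed initrd or kernel-modules set is still switched live; NixOS's own switch-to-configuration appears to compare those too, so either extending the check or adding a comment on why the kernel is sufficient is worth doing. The path-join operator seems to have been lost in rendering on lines 10, 12 and 18–19; the fence assumes `</>`. getActivationScript begins and ends outside the hunks.
```haskell
  -- getSymbolicLinkTarget throws on a missing path, and /run/booted-system does not
  -- exist on nix-darwin / home-manager hosts, so read each link only when present.
  let kernelLinkTarget p = do
        present <- Directory.doesPathExist p
        if present then Just <$> Directory.getSymbolicLinkTarget p else pure Nothing
  oldKernelPath <- kernelLinkTarget "/run/booted-system/kernel"
  newKernelPath <- kernelLinkTarget (toS storePath </> "kernel")
  -- … unchanged: profile directory setup and the second hunk's "switch"/"boot" selection …
```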
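Review bot: The flag's `Usage` text on line 8 still reads only "Client Secret", so nothing tells an operator that the value can be supplied through the environment; `Usage: "Client Secret (can also be set via FORGEJO_ADMIN_OAUTH2_SECRET)",` would surface the addition where `--help` is read. Taking the secret from the environment keeps it out of process listings and shell history, though it stays readable in the process environment by the same user and is inherited by child processes, so the caller should export it only for this invocation. The default `Value: ""` on line 7 is untouched, so an unset variable yields an empty secret unless the command validates it elsewhere, which the hunk does not show. The enclosing `var (` block begins and ends outside the hunk.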
diff --git a/jitsiexporter.go b/jitsiexporter.go
8 | index 41663ee..2df96bd 100644
9 | --- a/jitsiexporter.go
10 | +++ b/jitsiexporter.go
11 | @@ -57,7 +57,7 @@ func (m *Metrics) Update() error {
12 |
13 | name := fmt.Sprintf("jitsi_%s", k)
14 | if _, ok := m.Metrics[name]; !ok {
15 | - fieldLogger.Info("creating and registering metric")
16 | + fieldLogger.Debug("creating and registering metric")
17 |
18 | m.Metrics[name] = Metric{
19 | Name: name,
20 | @@ -72,11 +72,11 @@ func (m *Metrics) Update() error {
21 | }
22 |
23 | value := v.(float64)
24 | - fieldLogger.Infof("set to %f", value)
25 | + fieldLogger.Debugf("set to %f", value)
26 | m.Metrics[name].Gauge.Set(value)
27 | default:
28 | fieldLogger.Debugf("found %v", t)
29 | - fieldLogger.Info("skipping")
30 | + fieldLogger.Debug("skipping")
31 |
32 | continue
33 | }
34 | -------------------------------------------------------------------------------- /patches/base/s3ql/metadata-accurate-length.patch: --------------------------------------------------------------------------------
1 | diff --git a/src/s3ql/database.py b/src/s3ql/database.py
2 | index 1c6df119..f3a47781 100644
3 | --- a/src/s3ql/database.py
4 | +++ b/src/s3ql/database.py
5 | 
@@ -677,7 +677,7 @@ def upload_metadata(
6 | )
7 | obj = METADATA_OBJ_NAME % (blockno, params.seq_no)
8 | fh.seek(blockno * blocksize)
9 | - backend.write_fh(obj, fh, len_=blocksize)
10 | + backend.write_fh(obj, fh, len_=min(blocksize, db_size - blockno * blocksize))
11 |
12 | if not update_params:
13 | return
14 | -------------------------------------------------------------------------------- /secrets/dovecot-ldap-token.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/dovecot-ldap-token.age -------------------------------------------------------------------------------- /secrets/hyprspace-key-VEGAS.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/hyprspace-key-VEGAS.age -------------------------------------------------------------------------------- /secrets/hyprspace-key-checkmate.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/hyprspace-key-checkmate.age -------------------------------------------------------------------------------- /secrets/hyprspace-key-grail.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/hyprspace-key-grail.age -------------------------------------------------------------------------------- /secrets/hyprspace-key-prophet.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/hyprspace-key-prophet.age 
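Review bot: The new `len_` on line 10 depends on `db_size` and on how `blockno` is iterated, both defined outside the hunk (upload_metadata begins and ends outside it), so whether the remaining length can reach zero or go negative on the last iteration cannot be checked here; naming the quantity and pinning the invariant makes it explicit, e.g. `remaining = db_size - blockno * blocksize`, `assert remaining > 0`, `backend.write_fh(obj, fh, len_=min(blocksize, remaining))`, provided the loop guarantees at least one byte per block. A comment stating why the exact length matters would help the next reader, for instance `# The final block is shorter than blocksize; pass its exact length so the object holds only the bytes that belong to it.`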
-------------------------------------------------------------------------------- /secrets/hyprspace-key-thunderskin.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/hyprspace-key-thunderskin.age -------------------------------------------------------------------------------- /secrets/nextcloud-adminpass.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/nextcloud-adminpass.age -------------------------------------------------------------------------------- /secrets/nextcloud-dbpass.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/nextcloud-dbpass.age -------------------------------------------------------------------------------- /secrets/oauth2_proxy-secrets.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/oauth2_proxy-secrets.age -------------------------------------------------------------------------------- /secrets/postfix-ldap-mailboxes.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/postfix-ldap-mailboxes.age -------------------------------------------------------------------------------- /secrets/wireguard-key-storm-VEGAS.age: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/privatevoid-net/depot/80b71604bc105a034bc931b328165f548cb7a1d8/secrets/wireguard-key-storm-VEGAS.age 
-------------------------------------------------------------------------------- /users/max/userinfo.nix: --------------------------------------------------------------------------------
pkgs:
let
  # Identity fields kept together so the derived attributes below stay consistent.
  firstName = "Max";
  lastName = "Headroom";
  userName = "max";
  orgDomain = "privatevoid.net";
in
{
  inherit firstName lastName userName orgDomain;

  # PKCS#11 module taken from the opensc package; the store path is resolved at evaluation time.
  security.pkcs11Providers = [ "${pkgs.opensc}/lib/opensc-pkcs11.so" ];

  # OpenSSH public key lines (ed25519), one per client host.
  sshKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5C7mC5S2gM0K6x0L/jNwAeQYbFSzs16Q73lONUlIkL max@TITAN"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmdWfmAs/0rno8zJlhBFMY2SumnHbTNdZUXJqxgd9ON max@jericho"
  ];

  # Derived from the identity fields above.
  email = "${userName}@${orgDomain}";
  gecos = "${firstName} ${lastName}";
}
--------------------------------------------------------------------------------