try to migrate to nix

.gitignore

@@ -0,0 +1 @@
+/result

README.md

@@ -1 +0,0 @@
-fish `scrap-default-tool-paths` to update paths and completions (persists after a restart)

default-configurations/.clang-format

@@ -0,0 +1,12 @@
+BasedOnStyle: Mozilla
+
+IndentWidth: 2
+TabWidth: 2
+UseTab: ForContinuationAndIndentation
+AllowShortIfStatementsOnASingleLine: false
+IndentCaseLabels: false
+AlignAfterOpenBracket: BlockIndent
+AlignArrayOfStructures: Right
+AlignConsecutiveAssignments: Consecutive
+AlignConsecutiveMacros: Consecutive
+IndentExternBlock: NoIndent

default-configurations/.editorconfig

@@ -4,13 +4,14 @@ root = true
 end_of_line = lf
 insert_final_newline = true
 charset = utf-8
+trim_trailing_whitespace = true
 indent_style = tab
-indent_size = 2
+tab_width = 2
 
-[*.yaml]
+[*.{json,yml}]
 indent_style = space
 indent_size = 2
 
-[*.zig]
+[*.{toml,rs,zig}]
 indent_style = space
 indent_size = 4

default-configurations/.pre-commit-config.yaml

@@ -0,0 +1,40 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-added-large-files
+      - id: check-json
+      - id: check-yaml
+      - id: check-toml
+      - id: check-merge-conflict
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.6.9
+    hooks:
+      - id: ruff-format
+
+  - repo: https://github.com/pryorda/dockerfilelint-precommit-hooks
+    rev: v0.1.0
+    hooks:
+      - id: dockerfilelint
+
+  - repo: https://github.com/sirosen/check-jsonschema
+    rev: 0.28.2
+    hooks:
+      - id: check-github-actions
+      - id: check-github-workflows
+
+  - repo: https://github.com/pre-commit/mirrors-clang-format
+    rev: v19.1.0
+    hooks:
+    - id: clang-format
+      types_or: [c++, c]
+      exclude: ^runners/py-libs
+
+  - repo: https://github.com/editorconfig-checker/editorconfig-checker.python
+    rev: 3.0.3
+    hooks:
+      - id: editorconfig-checker
+        # exclude: <regex>

default-configurations/gitignore

@@ -0,0 +1,25 @@
+# editors
+.vscode/
+.idea/
+.godot/
+
+# apple
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# build related directories
+/build
+target
+zig-out
+zig-build
+
+# secrets
+.env
+
+# py
+__pycache__/
+.pytest_cache
+.mypy_cache
+.ruff_cache
+.coverage*

default-configurations/ruff.toml

@@ -0,0 +1,11 @@
+exclude = [
+]
+indent-width = 2
+
+[format]
+indent-style = "tab"
+quote-style = "single"
+line-ending = "lf"
+
+skip-magic-trailing-comma = false
+docstring-code-format = true

flake.lock

@@ -0,0 +1,88 @@
+{
+  "nodes": {
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736373539,
+        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-24.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixos-wsl": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736095716,
+        "narHash": "sha256-csysw/Szu98QDiA2lhWk9seYOyCebeVEWL89zh1cduM=",
+        "owner": "nix-community",
+        "repo": "NixOS-WSL",
+        "rev": "63c3b4ed1712a3a0621002cd59bfdc80875ecbb0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "main",
+        "repo": "NixOS-WSL",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1736344531,
+        "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixos-wsl": "nixos-wsl",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,66 @@
+{
+	inputs = {
+		nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+		nixos-wsl = {
+			url = "github:nix-community/NixOS-WSL/main";
+			inputs.nixpkgs.follows = "nixpkgs";
+		};
+		home-manager = {
+			url = "github:nix-community/home-manager/release-24.11";
+			inputs.nixpkgs.follows = "nixpkgs";
+		};
+	};
+
+	outputs = inputs@{ self, nixpkgs, nixos-wsl, home-manager, ... }:
+		let
+			rootPath = self;
+			additionalArgs = { inherit inputs rootPath; };
+			importArg = inputs // { pkgs = nixpkgs; lib = nixpkgs.lib; } // additionalArgs;
+			hostNameMod = name: { networking.hostName = "kp2pml30-${name}"; };
+			makeNamedSys = nameArg: arg: {
+				"${nameArg}" =
+					nixpkgs.lib.nixosSystem
+					((builtins.removeAttrs arg ["modules"]) // { specialArgs = additionalArgs; modules = arg.modules ++ [(hostNameMod nameArg)]; });
+			};
+			makeSys = { sys }: [
+				(makeNamedSys "server-${sys}" {
+					system = sys;
+					modules = [
+						./nix/common.nix
+						./nix/server.nix
+					];
+				})
+
+				(makeNamedSys "personal-${sys}" {
+					system = sys;
+					modules = [
+						./nix/common.nix
+						./nix/personal.nix
+					];
+				})
+
+				(makeNamedSys "personal-${sys}-wsl" {
+					system = sys;
+					modules = [
+						./nix/wsl.nix
+						./nix/common.nix
+						./nix/personal.nix
+					];
+				})
+			] ;
+		in
+		{
+			nixosConfigurations =
+				builtins.foldl'
+					(x: y: x // y)
+					{}
+					(builtins.concatMap makeSys [ { sys = "x86_64-linux"; } ])
+			;
+		};
+}
+
+# example
+# + nix --extra-experimental-features 'nix-command flakes' build --out-link /tmp/nixos-rebuild.ydOEVb/nixos-rebuild '.#nixosConfigurations."wsl-amd64".config.system.build.nixos-rebuild' --show-trace
+# ++ readlink -e /tmp/nixos-rebuild.ydOEVb/nixos-rebuild
+# + p=/nix/store/rd18dwsifrcyghim695q18nhvyfykxxg-nixos-rebuild
+# exec /nix/store/rd18dwsifrcyghim695q18nhvyfykxxg-nixos-rebuild/bin/nixos-rebuild switch --flake .#wsl-amd64

home-test/.config/fish/functions/fish_prompt.fish

@@ -1,139 +0,0 @@
-# based on https://github.com/oh-my-fish/theme-eden/blob/master/LICENSE
-
-function _git_branch_name
-   echo (command git symbolic-ref HEAD 2> /dev/null | sed -e 's|^refs/heads/||')
-end
-
-function _is_git_dirty
-   set resStr (timeout 0.2s git status -s --ignore-submodules=dirty 2> /dev/null)
-   set res $status
-   if [ $res = 0 ]
-       if [ "$resStr" = "" ]
-           echo "clean"
-       else
-           echo "dirty"
-       end
-   else if [ $res = 124 ]
-       echo "?"
-   else
-       echo "dirty"
-   end
-end
-
-## Function to show a segment
-function _prompt_segment -d "Function to show a segment"
-   # Get colors
-   set -l bg $argv[1]
-   set -l fg $argv[2]
-
-   # Set 'em
-   set_color -b $bg
-   set_color $fg
-
-   # Print text
-   if [ -n "$argv[3]" ]
-       echo -n -s $argv[3]
-   end
-
-# Reset
-   set_color -b normal
-   set_color normal
-
-   # Print padding
-   if [ (count $argv) = 4 ]
-       echo -n -s $argv[4]
-   end
-end
-
-function show_ssh_status -d "Function to show the ssh tag"
-   if test "$THEME_EDEN_HIDE_SSH_TAG" != 'yes'
-       if [ -n "$SSH_CLIENT" ]
-           if [ (id -u) = "0" ]
-               _prompt_segment red white "-SSH-" ' '
-           else
-               _prompt_segment blue white "-SSH-" ' '
-           end
-       end
-   end
-end
-
-function show_host -d "Show host & user name"
-   if [ (id -u) = "0" ]
-       echo -n (set_color red)
-   else
-       echo -n (set_color blue)
-   end
-   echo -n "$USER@"(hostname|cut -d . -f 1)' ' (set color normal)
-end
-
-function show_cwd -d "Function to show the current working directory"
-   if test "$theme_short_path" != 'yes' -a (prompt_pwd) != '~' -a (prompt_pwd) != '/'
-       set -l cwd (dirname (prompt_pwd))
-       test $cwd != '/'; and set cwd $cwd'/'
-       _prompt_segment normal cyan $cwd
-   end
-   set_color -o cyan
-   echo -n (basename (prompt_pwd))' '
-   set_color normal
-end
-
-function show_git_info -d "Show git branch and dirty state"
-   if [ (_git_branch_name) ]
-       set -l git_branch '['(_git_branch_name)']'
-
-       set_color -o
-       echo -ne " "
-       set dirty (_is_git_dirty)
-       switch "$dirty"
-           case "clean"
-               set_color -o green
-               echo -ne "$git_branch "
-           case "dirty"
-               set_color -o red
-               echo -ne "$git_branch× "
-           case '*'
-               set_color -o yellow
-               echo -ne "$git_branch? "
-       end
-       set_color normal
-   end
-end
-
-function show_times
-   if test $CMD_DURATION -ge 500
-       if test $CMD_DURATION -ge 60000
-           set -l duration_minutes (math "floor($CMD_DURATION / 60000)")
-           set -l duration_seconds (math "round(($CMD_DURATION % 60000) / 1000)")
-           printf "%02d:%02d " $duration_minutes $duration_seconds
-       else if test $CMD_DURATION -ge 1000
-           set -l duration_seconds (math "round($CMD_DURATION / 1000)")
-           echo -ns "$duration_seconds""s "
-       else
-           echo -ns "$CMD_DURATION""ms "
-       end
-   end
-   # Output the current time
-   echo -ne (date "+%H:%M:%S")
-end
-
-function show_prompt_char -d "Terminate with a nice prompt char"
-   echo ""
-   echo -n -s $normal '» '
-end
-
-function fish_prompt
-   set -l code $status
-   # use tput to move cursor to line start
-   echo -ne (tput cr)
-
-   show_ssh_status
-   show_host
-   show_cwd
-   show_git_info
-   show_times
-
-   if test $code != 0
-       echo -ns (set_color red) '[' $code ']'
-   end
-   show_prompt_char
-end

home-test/.config/fish/functions/fish_right_prompt.fish

@@ -1,37 +0,0 @@
-function fish_right_prompt
-  return
-
-  # Last command status
-  set -l code $status
-
-  # https://github.com/fish-shell/fish-shell/issues/3476#issuecomment-256058730
-  # Save the cursor position, move it up one line, and move it to the right two spaces
-  tput sc; tput cuf 2
-
-  #if test $code != 0
-  #  echo -ns (set_color red) '-' $code '- '
-  #end
-
-  set_color $fish_color_autosuggestion 2> /dev/null; or set_color 555
-
-  # Output the duration of the last command
-  if test $CMD_DURATION -ge 500
-    if test $CMD_DURATION -ge 60000
-      set -l duration_minutes (math "floor($CMD_DURATION / 60000)")
-      set -l duration_seconds (math "round(($CMD_DURATION % 60000) / 1000)")
-      printf "%02d:%02d " $duration_minutes $duration_seconds
-    else if test $CMD_DURATION -ge 1000
-      set -l duration_seconds (math "round($CMD_DURATION / 1000)")
-      echo "$duration_seconds""s "
-    else
-      echo "$CMD_DURATION""ms "
-    end
-  end
-
-  # Output the current time
-  echo (date "+%H:%M:%S")
-
-  # Restores the cursor position
-  tput rc
-
-end

home/.config/nvim/base.vim

@@ -0,0 +1,75 @@
+set termguicolors
+set nowrap
+set nu rnu
+set list
+set listchars=tab:┆\ ,space:·,nbsp:␣
+set tabstop=2
+set shiftwidth=2
+set noexpandtab
+
+nmap <F2> :w<CR>
+imap <F2> <C-O>:w<CR>
+
+noremap <expr> <Home> (col('.') == matchend(getline('.'), '^\s*')+1 ? '0' : '^')
+imap <Home> <C-o><Home>
+
+vnoremap > >gv
+vnoremap < <gv
+
+let s:i = 1
+while s:i < 10
+	execute printf('nmap <Space>%i %i<C-w><C-w>', s:i, s:i)
+	let s:i += 1
+endwhile
+
+set clipboard=unnamedplus
+
+colorscheme tokyonight-night
+if exists(':GuiRenderLigatures')
+	GuiRenderLigatures 1
+endif
+
+if exists(':GuiFont')
+	GuiFont FiraCode\ Nerd\ Font
+endif
+
+if exists(':NERDTreeToggle')
+	map <F3> :NERDTreeToggle<CR>
+	autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
+endif
+
+if exists(':BufferGoto')
+	let s:i = 1
+	while s:i < 10
+		execute printf('nmap <Leader>%i :BufferGoto %i<CR>', s:i, s:i)
+		let s:i += 1
+	endwhile
+
+	nmap <C-Right> :BufferNext<CR>
+	nmap <C-Left> :BufferPrevious<CR>
+	nmap <C-q> :BufferClose<CR>
+endif
+
+if exists(':DetectIndent')
+	autocmd BufRead * DetectIndent
+endif
+
+if exists(':CocInfo')
+	inoremap <silent><expr> <c-space> coc#refresh()
+	inoremap <silent><expr> <TAB>
+		\ coc#pum#visible() ? coc#pum#confirm() : "\<Tab>"
+	nmap <silent> <Space>ld <Plug>(coc-definition)
+	nmap <silent> <Space>lt <Plug>(coc-type-definition)
+	nmap <silent> <Space>li <Plug>(coc-implementation)
+	nmap <silent> <Space>lr <Plug>(coc-references)
+endif
+
+if exists(':LeaderGuide')
+	nnoremap <silent> <leader> :<c-u>LeaderGuide '\'<CR>
+	nnoremap <silent> <Space> :<c-u>LeaderGuide '<Space>'<CR>
+	let g:smap = get(g:, 'smap', {})
+	" let g:smap['<Space>'] = get(g:smap, '<Space>', {})
+	" let g:smap['<Space>'].l = 'language'
+	let g:smap.l = {'name' : 'language'}
+	call leaderGuide#register_prefix_descriptions("<Space>", "g:smap")
+endif

home/.config/nvim/init.vim

@@ -3,6 +3,7 @@ call plug#begin()
 	Plug 'kyazdani42/nvim-web-devicons'
 	Plug 'romgrk/barbar.nvim'
 	Plug 'jiangmiao/auto-pairs'
+	Plug 'RaafatTurki/hex.nvim'
 	if executable('node')
 		Plug 'neoclide/coc.nvim', {'branch': 'release'}
 	endif
@@ -73,3 +74,4 @@ let g:smap.l = {'name' : 'language'}
 call leaderGuide#register_prefix_descriptions("<Space>", "g:smap")
 
 lua require('feline').setup()
+lua require('hex').setup()

nix/common.nix

@@ -0,0 +1,56 @@
+{  pkgs
+, ...
+}:
+{
+	system.stateVersion = "24.05";
+
+	users.mutableUsers = false;
+
+	nix.gc = {
+		automatic = true;
+		dates = "weekly";
+	};
+
+	networking = {
+		firewall = {
+			enable = true;
+			allowedTCPPorts = [ 80 443 ];
+		};
+	};
+
+	nix.settings.experimental-features = [ "nix-command" "flakes" ];
+	environment.systemPackages = with pkgs; [
+		curl
+		neovim
+		bash
+		git
+
+		zip unzip
+		xz
+		zstd
+		gnutar
+
+		diffutils
+		file
+		tree
+		gnused
+		gnugrep
+		stow
+
+		killall
+		gnupg
+	];
+
+	programs = {
+		neovim.enable = true;
+		neovim.defaultEditor = true;
+
+		git = {
+			enable = true;
+			lfs.enable = true;
+			config = {
+				init.defaultBranch = "main";
+			};
+		};
+	};
+}

nix/personal.nix

@@ -0,0 +1,29 @@
+{ pkgs
+, inputs
+, ...
+}@args:
+{
+	imports = [
+		inputs.home-manager.nixosModules.home-manager
+	];
+
+	home-manager.useGlobalPkgs = true;
+	home-manager.useUserPackages = true;
+	home-manager.users.kp2pml30 = import ./personal/home.nix args;
+
+	users.users.kp2pml30 = import ./personal/user.nix args;
+
+	programs = {
+		fish.enable = true;
+		tmux.enable = true;
+	};
+
+	environment.systemPackages = with pkgs; [
+		fish
+		fishPlugins.grc
+		grc
+
+		fira-code
+		nerd-fonts.fira-code
+	];
+}

nix/personal/home.nix

@@ -0,0 +1,50 @@
+{ pkgs
+, ...
+}@args:
+{
+	home.stateVersion = "24.05";
+
+	home = {
+		username = "kp2pml30";
+		homeDirectory = "/home/kp2pml30";
+		packages = with pkgs; [
+			starship
+			jq
+		];
+	};
+
+	nix.gc = {
+		automatic = true;
+		frequency = "weekly";
+	};
+
+	programs = {
+		git = {
+			enable = true;
+			userName = "kp2pml30";
+			userEmail = "kp2pml30@gmail.com";
+			lfs.enable = true;
+			extraConfig = {
+				init.defaultBranch = "main";
+			};
+		};
+
+		fish = {
+			enable = true;
+		};
+
+		starship = {
+			enable = true;
+			settings = {
+				add_newline = false;
+				format = "$cmd_duration$username$hostname$git_branch$git_commit$git_state$git_status$directory$status\n$character";
+				hostname.ssh_only = true;
+				cmd_duration.format = "took [$duration]($style)\n";
+			};
+		};
+
+		home-manager.enable = true;
+
+		neovim = import ./neovim.nix args;
+	};
+}

nix/personal/neovim.nix

@@ -0,0 +1,33 @@
+{ pkgs
+, lib
+, rootPath
+, ...
+}:
+let
+	fromGitHub = rev: repo: pkgs.vimUtils.buildVimPlugin {
+		pname = "${lib.strings.sanitizeDerivationName repo}";
+		version = rev;
+		src = builtins.fetchGit {
+			url = "https://github.com/${repo}.git";
+			rev = rev;
+		};
+	};
+	nvimConfig = builtins.readFile (rootPath + "/home/.config/nvim/base.vim");
+in
+{
+	enable = true;
+	defaultEditor = true;
+	
+	plugins = with pkgs.vimPlugins; [
+		nvim-treesitter.withAllGrammars
+		nvim-autopairs
+		nerdtree
+		tokyonight-nvim
+		barbar-nvim
+		feline-nvim
+		(fromGitHub "d63c811337b2f75de52f16efee176695f31e7fbc" "timakro/vim-yadi")
+		(fromGitHub "aafa5c187a15701a7299a392b907ec15d9a7075f" "nvim-tree/nvim-web-devicons")
+	];
+
+	extraConfig = nvimConfig;
+}

nix/personal/user.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+	isNormalUser = true;
+	extraGroups = [ "wheel" "networkmanager" ];
+	shell = pkgs.fish;
+	hashedPassword = "$6$UK6oHr2gPRYD4Rak$lgF.mYReC0jahNuI4kt0j/CsrajVzMprvp3HgjKwwsjYHU6/Ur9jfROXZbKhhpyCLRmnlCpWeRCbHEYO/jhIv/";
+}

nix/server.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+let
+	mhostname = "example.org" ;
+in
+{
+	services.openssh = {
+		enable = true;
+		ports = [ 22 ];
+		openFirewall = true;
+		settings = {
+			PasswordAuthentication = false;
+			KbdInteractiveAuthentication = false;
+			AllowUsers = [ "kp2pml30-serv" ];
+		};
+	};
+
+	users.users.kp2pml30-serv = import ./user.nix;
+	users.users.nginx.extraGroups = [ "acme" ];
+
+	security.acme = {
+		acceptTerms = true;
+		defaults.email = "kp2pml30@gmail.com";
+		certs."${mhostname}" = {
+			serverAliases = [ "*.${mhostname}" ];
+			webroot = "/var/lib/acme/.challenges";
+			group = "nginx";
+			#extraDomainNames = [ "mail.example.org" ];
+		};
+	};
+	services.nginx = {
+		virtualHosts."${mhostname}" = {
+			enableACME = true;
+			listen = [
+				{ port = 80; }
+			];
+			locations."/.well-known/acme-challenge/" = {
+				root = "/var/lib/acme/.challenges";
+			};
+			locations."/" = {
+				return = 404;
+			};
+		};
+		streamConfig = (builtins.readFile ./stream.nginx);
+	};
+}

nix/server/stream.nginx

@@ -0,0 +1,86 @@
+map $ssl_preread_server_name $name {
+	chat.signal.org                         signal-service;
+	ud-chat.signal.org                      signal-service;
+	storage.signal.org                      storage-service;
+	cdn.signal.org                          signal-cdn;
+	cdn2.signal.org                         signal-cdn2;
+	cdn3.signal.org                         signal-cdn3;
+	cdsi.signal.org                         cdsi;
+	contentproxy.signal.org                 content-proxy;
+	sfu.voip.signal.org                     sfu;
+	svr2.signal.org                         svr2;
+	updates.signal.org                      updates;
+	updates2.signal.org                     updates2;
+	backend1.svr3.signal.org                svr31;
+	backend2.svr3.signal.org                svr32;
+	backend3.svr3.signal.org                svr33;
+	default                                 deny;
+}
+
+upstream signal-service {
+	 server chat.signal.org:443;
+}
+
+upstream storage-service {
+	server storage.signal.org:443;
+}
+
+upstream signal-cdn {
+	server cdn.signal.org:443;
+}
+
+upstream signal-cdn2 {
+	server cdn2.signal.org:443;
+}
+
+upstream signal-cdn3 {
+	server cdn3.signal.org:443;
+}
+
+upstream cdsi {
+	server cdsi.signal.org:443;
+}
+
+upstream content-proxy {
+	server contentproxy.signal.org:443;
+}
+
+upstream sfu {
+	server sfu.voip.signal.org:443;
+}
+
+upstream svr2 {
+	server svr2.signal.org:443;
+}
+
+upstream svr31 {
+	server backend1.svr3.signal.org:443;
+}
+
+upstream svr32 {
+	server backend2.svr3.signal.org:443;
+}
+
+upstream svr33 {
+	server backend3.svr3.signal.org:443;
+}
+
+upstream updates {
+	server updates.signal.org:443;
+}
+
+upstream updates2 {
+	server updates2.signal.org:443;
+}
+
+upstream deny {
+	server 127.0.0.1:9;
+}
+
+server {
+	listen                443;
+	proxy_pass            $name;
+	ssl_preread           on;
+	error_log             /dev/null;
+	access_log            off;
+}

nix/server/user.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+	isNormalUser = true;
+	openssh.authorizedKeys.keys = [
+		"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmc+wSjdvbyiFmB55r1ilegor533eo7hsE62z+pXCu0YIaVZwUoRe0Sqj0GoMzfn80jXubNmQgV+Wk8byz/xAsZ4R9Y/PFVuZYA/uDRAQ0TXpqxBSCH2CHkwioolg6q+sMXdUJTvvKkCpluXVk8o9ZN+5+rBhc2xAeZw2FDbz+u2HHYN8zCXFB3MPPJNG9CscBQirBgOkhg0ASCJ2rahaAJVaBosS7DD6S6iEip8bGgwByuWJl0oZr9cdJHkQDl2AMdNZrxoPcLqItCk5Mz9ssxTcK0lj/xIBXqLNMe4RPUJeWOOMNexeKRbzJEaF+G3Pfboqqeg7UPM6/9h9CXW9cyY/DXEj2pQmEi2jYWdTpx/ViCg83/rLboGyiyAuE6AWGte8r5YqYKuFEB0ixswENlH0s4TXEmouimRRkypzT4KAJ/ObPLsnGAkbzbLcsPCQUQSywQ8TGo3b72gNWTKjn9PeqBZkzgU9AXtxN1hCmKAX+/KwnGUSqyDz2YRhcO1E= kp2pml30@r3vdy2b10vv-pc"
+	];
+	extraGroups = [ "wheel" "networkmanager" ];
+}

nix/wsl.nix

@@ -0,0 +1,14 @@
+{ pkgs
+, inputs
+, ...
+}:
+{
+	imports = [
+		inputs.nixos-wsl.nixosModules.default
+	];
+	wsl = {
+		enable = true;
+		defaultUser = "kp2pml30";
+		wslConf.interop.appendWindowsPath = false;
+	};
+}

scripts/git-config.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -ex
+
+git config --global init.defaultBranch main
+
+git lfs install
+
+git config --global user.email kp2pml30@gmail.com
+git config --global user.name kp2pml30

scripts/set-config-symlinks.sh

@@ -4,6 +4,6 @@ set -ex
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
-cd "$SCRIPT_DIR"
+cd "$SCRIPT_DIR/.."
 
 stow --no-folding --target "$HOME" --dir "$SCRIPT_DIR" home

vps/iptables.erb

@@ -0,0 +1,49 @@
+% # run it like this: `erb ports='[]' iptables.erb | iptables-restore`
+% # NOTE: it discards docker iptable rules
+*filter
+
+-N DOCKER-USER
+-N DOCKER-ISOLATION-STAGE-1
+
+# don't restrict output at all
+-A OUTPUT -j ACCEPT
+
+# allow all loopback
+-A INPUT -i lo -j ACCEPT
+-A FORWARD -i lo -j ACCEPT
+
+# allow all established
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# allow wireguard
+-A INPUT -i wg0 -j ACCEPT
+-A FORWARD -i wg0 -j ACCEPT
+-A DOCKER-USER -i wg0 -j ACCEPT
+
+# allow all docker
+-A DOCKER-USER -i docker0 -j DOCKER-ISOLATION-STAGE-1
+
+% require 'json'
+% prts = [22, 80, 443] + JSON.parse(ports)
+# apply it with `iptables-restore < ./iptables`
+
+# allow all loopback
+-A INPUT -i lo -j ACCEPT
+
+# custom ports
+% prts.each { |port|
+%   ['tcp', 'udp'].each { |proto|
+-A FORWARD -p <%= proto %> --dport <%= port %> -j ACCEPT
+-A INPUT -p <%= proto %> --dport <%= port %> -j ACCEPT
+-A DOCKER-USER -p <%= proto %> -m conntrack --ctorigdstport <%= port %> --ctdir ORIGINAL -j ACCEPT
+%   }
+
+% }
+%
+# disallow all other
+-A INPUT -j DROP
+-A FORWARD -j DROP
+-A DOCKER-USER -j DROP
+
+COMMIT

vps/vpn/make-server.sh

@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+HOST=""
+PORT=""
+GENKEY=false
+
+function show_help {
+	echo "wireguard configurator"
+	echo "  --host host-name"
+	echo "  --port port"
+	echo "  [--gen-key]"
+}
+
+while [ $# -ne 0 ]
+do
+	ARG="$1"
+	shift
+	case "$ARG" in
+		--help)
+			show_help
+			exit 0
+			;;
+		--host)
+			HOST="$1"
+			shift
+			;;
+		--port)
+			PORT="$1"
+			shift
+			;;
+		--gen-keys)
+			GENKEY=true
+			;;
+		*)
+			echo "unknown argument $ARG"
+			show_help
+			exit 1
+			;;
+	esac
+done
+
+echo "Parsed:"
+echo "  --host $HOST"
+echo "  --port $PORTI"
+
+if [ "$HOST" == "" ]
+then
+	echo "host not set"
+	show_help
+	exit 1
+fi
+
+if [ "$PORT" == "" ]
+then
+	echo "port not set"
+	show_help
+	exit 1
+fi
+
+if [ ! -f .gitignore ]
+then
+	echo "INFO creating gitignore"
+	touch .gitignore
+fi
+
+if ! grep -Pq '^/key$' .gitignore
+then
+	echo "INFO adding key to .gitignore"
+	echo "/key" >> .gitignore
+fi
+
+if ! grep -Pq '^/wg0\.conf$' .gitignore
+then
+	echo "INFO adding wg0.conf to .gitignore"
+	echo "/wg0.conf" >> .gitignore
+fi
+
+if [ "$GENKEY" == "true" ]
+then
+	touch key
+	chmod 600 key
+	wg genkey > key
+	wg pubkey < key > key.pub
+fi
+
+touch wg0.conf
+chmod 600 wg0.conf
+KEY="$(cat key)"
+erb "private_key=$KEY" port="$PORT" "$SCRIPT_DIR/wg0.conf.erb" > wg0.conf
+KEY=""
+
+PUBKEY="$(cat key.pub)"
+
+echo ""
+echo "Run following to start wireguard:"
+echo "  wg-quick up ./wg0.conf"
+echo "You can add peers as follows:"
+echo "  wg set wg0 peer <pub key> allowed-ips IP"
+echo ""
+echo "Client's configuration is"
+echo "=================================="
+cat <<-EOF
+[Interface]
+Address = 10.30.30.@@/32
+PrivateKey = <Private key>
+DNS = 10.30.30.1
+
+[Peer]
+PublicKey = $PUBKEY
+Endpoint = $HOST:$PORT
+AllowedIPs = 10.30.30.0/24
+PersistentKeepalive = 25
+EOF
+echo "=================================="