try to migrate to nix

2026-04-14 14:21:45 +04:00 · 2025-01-11 20:48:22 +04:00 · 2025-01-11 20:48:22 +04:00 · 94da1ce936
commit 94da1ce936
parent f2f4ead62f
26 changed files with 830 additions and 181 deletions
--- a/nix/server/stream.nginx
+++ b/nix/server/stream.nginx
@ -0,0 +1,86 @@
+map $ssl_preread_server_name $name {
+	chat.signal.org                         signal-service;
+	ud-chat.signal.org                      signal-service;
+	storage.signal.org                      storage-service;
+	cdn.signal.org                          signal-cdn;
+	cdn2.signal.org                         signal-cdn2;
+	cdn3.signal.org                         signal-cdn3;
+	cdsi.signal.org                         cdsi;
+	contentproxy.signal.org                 content-proxy;
+	sfu.voip.signal.org                     sfu;
+	svr2.signal.org                         svr2;
+	updates.signal.org                      updates;
+	updates2.signal.org                     updates2;
+	backend1.svr3.signal.org                svr31;
+	backend2.svr3.signal.org                svr32;
+	backend3.svr3.signal.org                svr33;
+	default                                 deny;
+}
+
+upstream signal-service {
+	 server chat.signal.org:443;
+}
+
+upstream storage-service {
+	server storage.signal.org:443;
+}
+
+upstream signal-cdn {
+	server cdn.signal.org:443;
+}
+
+upstream signal-cdn2 {
+	server cdn2.signal.org:443;
+}
+
+upstream signal-cdn3 {
+	server cdn3.signal.org:443;
+}
+
+upstream cdsi {
+	server cdsi.signal.org:443;
+}
+
+upstream content-proxy {
+	server contentproxy.signal.org:443;
+}
+
+upstream sfu {
+	server sfu.voip.signal.org:443;
+}
+
+upstream svr2 {
+	server svr2.signal.org:443;
+}
+
+upstream svr31 {
+	server backend1.svr3.signal.org:443;
+}
+
+upstream svr32 {
+	server backend2.svr3.signal.org:443;
+}
+
+upstream svr33 {
+	server backend3.svr3.signal.org:443;
+}
+
+upstream updates {
+	server updates.signal.org:443;
+}
+
+upstream updates2 {
+	server updates2.signal.org:443;
+}
+
+upstream deny {
+	server 127.0.0.1:9;
+}
+
+server {
+	listen                443;
+	proxy_pass            $name;
+	ssl_preread           on;
+	error_log             /dev/null;
+	access_log            off;
+}
--- a/nix/server/user.nix
+++ b/nix/server/user.nix
@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+	isNormalUser = true;
+	openssh.authorizedKeys.keys = [
+		"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmc+wSjdvbyiFmB55r1ilegor533eo7hsE62z+pXCu0YIaVZwUoRe0Sqj0GoMzfn80jXubNmQgV+Wk8byz/xAsZ4R9Y/PFVuZYA/uDRAQ0TXpqxBSCH2CHkwioolg6q+sMXdUJTvvKkCpluXVk8o9ZN+5+rBhc2xAeZw2FDbz+u2HHYN8zCXFB3MPPJNG9CscBQirBgOkhg0ASCJ2rahaAJVaBosS7DD6S6iEip8bGgwByuWJl0oZr9cdJHkQDl2AMdNZrxoPcLqItCk5Mz9ssxTcK0lj/xIBXqLNMe4RPUJeWOOMNexeKRbzJEaF+G3Pfboqqeg7UPM6/9h9CXW9cyY/DXEj2pQmEi2jYWdTpx/ViCg83/rLboGyiyAuE6AWGte8r5YqYKuFEB0ixswENlH0s4TXEmouimRRkypzT4KAJ/ObPLsnGAkbzbLcsPCQUQSywQ8TGo3b72gNWTKjn9PeqBZkzgU9AXtxN1hCmKAX+/KwnGUSqyDz2YRhcO1E= kp2pml30@r3vdy2b10vv-pc"
+	];
+	extraGroups = [ "wheel" "networkmanager" ];
+}