diff --git a/.gitignore b/.gitignore
index 812980f..c4a847d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 /result
-/.env
diff --git a/flake.lock b/flake.lock
index f5cc9bc..2a3297a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -44,16 +44,16 @@
 ]
 },
 "locked": {
- "lastModified": 1758463745,
- "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
+ "lastModified": 1744117652,
+ "narHash": "sha256-t7dFCDl4vIOOUMhEZnJF15aAzkpaup9x4ZRGToDFYWI=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
+ "rev": "b4e98224ad1336751a2ac7493967a4c9f6d9cb3f",
 "type": "github"
 },
 "original": {
 "owner": "nix-community",
- "ref": "release-25.05",
+ "ref": "release-24.11",
 "repo": "home-manager",
 "type": "github"
 }
@@ -158,16 +158,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1761999846,
- "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=",
+ "lastModified": 1744309437,
+ "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31",
+ "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-25.05",
+ "ref": "nixos-24.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index d0929d6..75f9208 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,12 +1,12 @@
 {
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
 nixos-wsl = {
 url = "github:nix-community/NixOS-WSL/main";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 home-manager = {
- url = "github:nix-community/home-manager/release-25.05";
+ url = "github:nix-community/home-manager/release-24.11";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 nixos-generators = {
@@ -44,8 +44,6 @@
 hostname = "kp2pml30.moe";
 nginx = true;
 forgejo = true;
- nix-cache = true;
- xray = true;
 };
 }
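Review bot: Removing `/.env` from `.gitignore` drops the only guard against an untracked `.env` being swept up by `git add .`; the `modify-secrets.sh` deleted further down in this same diff sourced `KP2_DOTFILES_SECRET_KEY` from a `.env`, so a leftover copy in a working tree is plausible. An ignore rule costs nothing even after the secrets workflow is gone, so I would keep `/.env` (or widen it to `.env*` to also cover `.env.local`-style files). If the intent is that no `.env` should ever exist in this checkout, a one-line comment in the file saying so would document that decision.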
@@ -68,7 +66,7 @@
 networking.hostName = "kp2pml30-personal-pc";
 networking.hostId = "e31a5cc2";
- time.timeZone = "Asia/Tokyo";
+ time.timeZone = "Asia/Yerevan";
 }
 ./nix/hardware/mini.nix
diff --git a/nix/hardware/mini.nix b/nix/hardware/mini.nix
index e8954bc..4c58a19 100644
--- a/nix/hardware/mini.nix
+++ b/nix/hardware/mini.nix
@@ -1,3 +1,4 @@
+
 { pkgs
 , inputs
 , lib
@@ -5,10 +6,7 @@
 , ...
 }:
 {
- imports = [
- ./common.nix
- # ./nvidia.nix
- ];
+ imports = [ ./common.nix ];
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/1ec7bbd6-cb83-427a-a901-d5fb7a4ef3ba";
@@ -21,15 +19,15 @@
 options = [ "fmask=0077" "dmask=0077" ];
 };
-# fileSystems."/mnt/d" = {
-# device = "/dev/sda1";
-# fsType = "exfat";
-# options = [
-# "users"
-# "exec"
-# "nofail"
-# ];
-# };
+ fileSystems."/mnt/d" = {
+ device = "/dev/sda1";
+ fsType = "exfat";
+ options = [
+ "users"
+ "exec"
+ "nofail"
+ ];
+ };
 swapDevices = [ { device = "/dev/disk/by-uuid/c68daa9f-f165-4e23-8710-2aab0ad8d282"; } ];
diff --git a/nix/hardware/nvidia.nix b/nix/hardware/nvidia.nix
deleted file mode 100644
index bed6b44..0000000
--- a/nix/hardware/nvidia.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ pkgs
-, inputs
-, lib
-, config
-, ...
-}:
-{
- services.xserver.videoDrivers = ["nvidia"];
-
- hardware.nvidia = {
- package = config.boot.kernelPackages.nvidiaPackages.production;
- modesetting.enable = true;
- open = false;
- nvidiaSettings = true;
- };
-}
diff --git a/nix/personal/default.nix b/nix/personal/default.nix
index 0d9afbe..8ba9323 100644
--- a/nix/personal/default.nix
+++ b/nix/personal/default.nix
@@ -54,7 +54,6 @@ in {
 "C.UTF-8/UTF-8"
 "en_US.UTF-8/UTF-8"
 "ru_RU.UTF-8/UTF-8"
- "ja_JP.UTF-8/UTF-8"
 ];
 programs = {
@@ -72,7 +71,6 @@ in {
 nixpkgs.config.allowUnfreePredicate = pkg:
 builtins.elem (pkgs.lib.getName pkg) [
- "anytype-heart"
 "vscode"
 "steam"
 "steam-run"
@@ -82,7 +80,7 @@ in {
 "nvidia-settings"
 "nvidia-persistenced"
 "opera"
- "discord"
+ "discord-ptb"
 "slack"
 "anytype"
 ];
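Review bot: The re-enabled `fileSystems."/mnt/d"` block identifies the disk by bare device path `/dev/sda1` while every other entry in this file uses `/dev/disk/by-uuid/...`; kernel enumeration order is not stable, so a different drive can land on `/mnt/d` and be mounted with these options. Those options are also worth a second look: per mount(8) `users` implies `noexec,nosuid,nodev`, and the explicit `"exec"` re-enables running binaries from a user-mountable exFAT volume that carries no Unix permission bits. I would switch to `device = "/dev/disk/by-uuid/<uuid>";` and drop `"exec"` unless executing from that drive is intended, in which case a short comment above the option saying why would help the next reader.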
diff --git a/nix/personal/graphical/default.nix b/nix/personal/graphical/default.nix
index cf24440..218f684 100644
--- a/nix/personal/graphical/default.nix
+++ b/nix/personal/graphical/default.nix
@@ -20,16 +20,11 @@ in {
 environment.systemPackages = [
 pkgs.anytype
 ];
- fonts.enableDefaultFonts = true;
 fonts.packages = with pkgs; [
- noto-fonts
- noto-fonts-cjk-sans
- noto-fonts-cjk-sans
- fira-code
 fira-code-nerdfont
 fira-code-symbols
- nerd-fonts.fira-code
+ (nerdfonts.override { fonts = [ "FiraCode" ]; })
 ];
 }
diff --git a/nix/personal/graphical/messengers.nix b/nix/personal/graphical/messengers.nix
index e1a2498..a9ab1ce 100644
--- a/nix/personal/graphical/messengers.nix
+++ b/nix/personal/graphical/messengers.nix
@@ -7,15 +7,11 @@
 }:
 let
 cfg = config.kp2pml30;
- signal-pkgs = import (builtins.fetchTarball {
- url = "https://github.com/NixOS/nixpkgs/archive/71cbb752aa36854eb4a7deb3685b9789256d643c.tar.gz";
- sha256 = "10dnjv2c28bjgplyj6nbk2q9lng6f95jf75i5yh541zngrr8b2qg";
- }) {
- system = pkgs.system;
- };
+ signalSuffix = if system == "x86_64-linux" then "amd64" else "arm64";
 in lib.mkIf cfg.messengers.personal {
 users.users.${cfg.username}.packages = with pkgs; [
- discord
+ discord-ptb
 telegram-desktop
- ] ++ [signal-pkgs.signal-desktop];
+ pkgs.signal-desktop
+ ];
 }
diff --git a/nix/personal/graphical/opera.nix b/nix/personal/graphical/opera.nix
index 5c3caa9..66d4807 100644
--- a/nix/personal/graphical/opera.nix
+++ b/nix/personal/graphical/opera.nix
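Review bot: The new `signalSuffix` binding in messengers.nix is never used in this hunk and references `system`, which none of the visible bindings provide; Nix resolves identifiers statically when the file is parsed, so unless `system` is in the module's argument list (the argument list starts above the hunk) this fails evaluation even though the binding is dead. Either delete the line or take the value from the package set that is already in scope, `signalSuffix = if pkgs.system == "x86_64-linux" then "amd64" else "arm64";`, and leave a comment on what the suffix is for. Separately, inside `with pkgs; [ ... ]` the entry can simply be `signal-desktop` rather than `pkgs.signal-desktop`.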
@@ -6,37 +6,10 @@
 }:
 let
 cfg = config.kp2pml30;
- version = "123.0.5669.23";
- legacy-nixpkgs = import (builtins.fetchTarball {
- url = "https://github.com/NixOS/nixpkgs/archive/refs/tags/24.11.tar.gz";
- sha256 = "1gx0hihb7kcddv5h0k7dysp2xhf1ny0aalxhjbpj2lmvj7h9g80a";
- }) {
- system = pkgs.system;
- config.allowUnfreePredicate = pkg:
- builtins.elem (pkgs.lib.getName pkg) [
- "vscode"
- "steam"
- "steam-run"
- "steam-original"
- "steam-unwrapped"
- "nvidia-x11"
- "nvidia-settings"
- "nvidia-persistenced"
- "opera"
- "discord"
- "slack"
- "anytype"
- ];
- };
 in lib.mkIf cfg.opera {
 home-manager.users.${cfg.username}.home = {
- packages = with legacy-nixpkgs; [
- ((opera.override { proprietaryCodecs = true; }).overrideAttrs (finalAttrs: previousAttrs: {
- src = fetchurl {
- url = "https://get.geo.opera.com/pub/opera/desktop/${version}/linux/opera-stable_${version}_amd64.deb";
- hash = "sha256-j2kHdg8d60S9j3bLychjmH/cRAXHGIjOgGKqmNIhnHU=";
- };
- }))
+ packages = with pkgs; [
+ (opera.override { proprietaryCodecs = true; })
 ];
 };
 }
diff --git a/nix/personal/graphical/vscode.nix b/nix/personal/graphical/vscode.nix
index 5f28a48..7704879 100644
--- a/nix/personal/graphical/vscode.nix
+++ b/nix/personal/graphical/vscode.nix
@@ -10,36 +10,30 @@ in lib.mkIf cfg.vscode {
 home-manager.users.${cfg.username} = {
 programs.vscode = {
 enable = true;
- package = (pkgs.vscode.overrideAttrs (oldAttrs: rec {
- src = (builtins.fetchTarball {
- url = "https://update.code.visualstudio.com/1.104.1/linux-x64/stable";
- sha256 = "sha256:109mdk1v323dyhzrq0444gjjhfpjxbllkqkhsapfj44ypjzdjcy8";
- });
- version = "1.102.2";
- }));
+ package = pkgs.vscode;
 mutableExtensionsDir = false;
 userSettings = lib.importJSON("${rootPath}/vscode/settings.json");
-# extensions = with pkgs; [
-# vscode-extensions.eamodio.gitlens
-# vscode-extensions.editorconfig.editorconfig
-#
-# vscode-extensions.bierner.markdown-mermaid
+ extensions = with pkgs; [
+ vscode-extensions.eamodio.gitlens
+ vscode-extensions.editorconfig.editorconfig
-# vscode-extensions.tamasfe.even-better-toml
+ vscode-extensions.bierner.markdown-mermaid
-# vscode-extensions.streetsidesoftware.code-spell-checker
-# (pkgs.vscode-utils.buildVscodeMarketplaceExtension {
-# mktplcRef = {
-# name = "code-spell-checker-russian";
-# publisher = "streetsidesoftware";
-# version = "0.2.2";
-# sha256 = "a3b00c76a4aafecb962d6c292a3b9240a27d84b17de2119bb8007d0ad90ab443";
-# };
-# meta = {
-# license = lib.licenses.mit;
-# };
-# })
-# ];
+ vscode-extensions.tamasfe.even-better-toml
+
+ vscode-extensions.streetsidesoftware.code-spell-checker
+ (pkgs.vscode-utils.buildVscodeMarketplaceExtension {
+ mktplcRef = {
+ name = "code-spell-checker-russian";
+ publisher = "streetsidesoftware";
+ version = "0.2.2";
+ sha256 = "a3b00c76a4aafecb962d6c292a3b9240a27d84b17de2119bb8007d0ad90ab443";
+ };
+ meta = {
+ license = lib.licenses.mit;
+ };
+ })
+ ];
 };
 };
 }
diff --git a/nix/personal/neovim.nix b/nix/personal/neovim.nix
index 027c1e0..59839f3 100644
--- a/nix/personal/neovim.nix
+++ b/nix/personal/neovim.nix
@@ -27,9 +27,7 @@ in
 nerdtree
 tokyonight-nvim
 barbar-nvim
- ((fromGitHub "3587f57480b88e8009df7b36dc84e9c7ff8f2c49" "famiu/feline.nvim").overrideAttrs (old: {
- doCheck = false;
- }))
+ feline-nvim
 (fromGitHub "d63c811337b2f75de52f16efee176695f31e7fbc" "timakro/vim-yadi")
 (fromGitHub "aafa5c187a15701a7299a392b907ec15d9a7075f" "nvim-tree/nvim-web-devicons")
 ];
diff --git a/nix/personal/tui.nix b/nix/personal/tui.nix
index 2dc48d9..64f0b9a 100644
--- a/nix/personal/tui.nix
+++ b/nix/personal/tui.nix
@@ -14,9 +14,8 @@ in {
 htop.enable = true;
 };
- environment.systemPackages = with pkgs; [
+ environment.systemPackages = with pkgs; [
 ncdu
- timewarrior
 ];
 };
diff --git a/nix/server/default.nix b/nix/server/default.nix
index 767eba1..a3eadd9 100644
--- a/nix/server/default.nix
+++ b/nix/server/default.nix
@@ -20,26 +20,17 @@ in {
 forgejo = lib.mkEnableOption "";
- dns = lib.mkEnableOption "";
- nix-cache = lib.mkEnableOption "";
- xray = lib.mkEnableOption "";
-
 sitePath = lib.mkOption {
 type = lib.types.str;
 };
 };
 imports = [
- ./ports.nix
 ./ssh.nix
 ./nginx.nix
 ./boot.nix
 ./site.nix
 ./forgejo.nix
- ./dns.nix
- ./nix-cache.nix
- ./xray.nix
- ./secrets.nix
 ];
 config = {
diff --git a/nix/server/dns.nix b/nix/server/dns.nix
deleted file mode 100644
index 7f5fe8f..0000000
--- a/nix/server/dns.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-
-{ config
-, pkgs
-, lib
-, self
-, nixpkgs
-, kp2pml30-moe
-, system
-, ...
-}@args:
-let
- cfg = config.kp2pml30.server;
- ports = config.kp2pml30.server.ports;
-in lib.mkIf cfg.nginx {
- services.coredns.enable = true;
- services.coredns.config = ''
- dns://.:53 {
- forward . tls://1.1.1.1 {
- tls
- tls_servername cloudflare-dns.com
- }
- cache
- }
-
- https://.:${toString ports.coredns-https} {
- forward . dns://127.0.0.1:53 {
- tls
- tls_servername cloudflare-dns.com
- policy random
- }
- cache
- }
- '';
- # networking.networkmanager.insertNameservers = [ "127.0.0.1" ];
-}
diff --git a/nix/server/forgejo.nix b/nix/server/forgejo.nix
index 08e2583..c8e68e5 100644
--- a/nix/server/forgejo.nix
+++ b/nix/server/forgejo.nix
@@ -5,7 +5,6 @@
 }:
 let
 cfg = config.kp2pml30.server;
- ports = config.kp2pml30.server.ports;
 in lib.mkIf cfg.forgejo {
 services.forgejo = {
 enable = true;
@@ -15,7 +14,7 @@ in lib.mkIf cfg.forgejo {
 server = {
 DOMAIN = "git.${cfg.hostname}";
 ROOT_URL = "https://git.${cfg.hostname}/";
- HTTP_PORT = ports.forgejo;
+ HTTP_PORT = 8002;
 };
 service.DISABLE_REGISTRATION = true;
 };
diff --git a/nix/server/modify-secrets.sh b/nix/server/modify-secrets.sh
deleted file mode 100755
index e82f3d7..0000000
--- a/nix/server/modify-secrets.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-set -e
-
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-if ! command -v nvim
-then
- echo "no nvim"
- exit 1
-fi
-
-if ! command -v base64
-then
- echo "no base64"
- exit 1
-fi
-
-if ! command -v openssl
-then
- echo "no openssl"
- exit 1
-fi
-
-env $(cat /var/lib/secrets/.env | xargs) nvim --clean -n \
- -u "$SCRIPT_DIR/modify-secrets.vim" \
- "$SCRIPT_DIR/secrets.yaml"
diff --git a/nix/server/modify-secrets.vim b/nix/server/modify-secrets.vim
deleted file mode 100644
index 41f8fff..0000000
--- a/nix/server/modify-secrets.vim
+++ /dev/null
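Review bot: `HTTP_PORT = 8002;` is now a literal that must agree with the `proxyPass = "http://127.0.0.1:8002"` written into nginx.nix elsewhere in this diff, yet nothing here pins `HTTP_ADDR`; the NixOS Forgejo module defaults it, as far as I recall, to `0.0.0.0`, so the Git service also answers plain HTTP on 8002 on every interface the host firewall lets through, bypassing the TLS front door. Adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` keeps it reachable only through the reverse proxy. With the shared `ports` option gone, a comment such as `# must match the forgejo proxyPass port in nginx.nix` would stop the two literals from drifting apart.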
@@ -1,43 +0,0 @@ -set nobackup nowritebackup noundofile noswapfile viminfo= history=0 noshelltemp secure - -function! s:OpenSSLReadPre() -endfunction - -function! s:OpenSSLReadPost() - silent! execute "0,$!openssl enc -aes-256-cbc -pbkdf2 -iter 1000000 -base64 -d -k '" . $KP2_DOTFILES_SECRET_KEY . "'" - if v:shell_error - silent! 0,$y - silent! undo - echo "Note that your version of openssl may not have the given cipher engine built-in" - echo "even though the engine may be documented in the openssl man pages." - echo "ERROR FROM OPENSSL:" - echo @" - echo "COULD NOT DECRYPT" - return - endif - redraw! -endfunction - -function! s:OpenSSLWritePre() - silent! execute "0,$!openssl enc -aes-256-cbc -pbkdf2 -iter 1000000 -base64 -k '" . $KP2_DOTFILES_SECRET_KEY . "'" - if v:shell_error - silent! 0,$y - silent! undo - echo "Note that your version of openssl may not have the given cipher engine built in" - echo "even though the engine may be documented in the openssl man pages." - echo "ERROR FROM OPENSSL:" - echo @" - echo "COULD NOT ENCRYPT" - return - endif -endfunction - -function! s:OpenSSLWritePost() - "silent! undo - "redraw! -endfunction - -autocmd BufReadPre,FileReadPre * call s:OpenSSLReadPre() -autocmd BufReadPost,FileReadPost * call s:OpenSSLReadPost() -autocmd BufWritePre,FileWritePre * call s:OpenSSLWritePre() -autocmd BufWritePost,FileWritePost * call s:OpenSSLWritePost() diff --git a/nix/server/nginx.nix b/nix/server/nginx.nix index 0d18f17..b2ffa75 100644 --- a/nix/server/nginx.nix +++ b/nix/server/nginx.nix @@ -5,7 +5,6 @@ }: let cfg = config.kp2pml30.server; - ports = config.kp2pml30.server.ports; acmeRoot = "/var/lib/acme/acme-challenge"; pref = "kp2"; in lib.mkIf cfg.nginx { 
@@ -15,7 +14,7 @@ in lib.mkIf cfg.nginx {
 defaults.email = "kp2pml30@gmail.com";
 #defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 certs."${cfg.hostname}" = {
- extraDomainNames = [ "pr.${cfg.hostname}" "www.${cfg.hostname}" "git.${cfg.hostname}" "backend.${cfg.hostname}" "dns.${cfg.hostname}" "cache.nix.${cfg.hostname}" "x.${cfg.hostname}" ];
+ extraDomainNames = [ "pr.${cfg.hostname}" "www.${cfg.hostname}" "git.${cfg.hostname}" "backend.${cfg.hostname}" ];
 webroot = acmeRoot;
 group = "nginx";
 };
@@ -24,180 +23,47 @@ in lib.mkIf cfg.nginx { services.nginx = { enable = true; - logError = "stderr debug"; + virtualHosts."git.${cfg.hostname}" = { + enableACME = true; + acmeRoot = acmeRoot; + listen = [ + { addr = "0.0.0.0"; port = 80; } + ]; - virtualHosts = { - "git.${cfg.hostname}" = { - enableACME = true; - acmeRoot = acmeRoot; - - listen = [ - { addr = "0.0.0.0"; port = 80; } - ]; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString ports.forgejo}"; - }; + locations."/" = { + proxyPass = "http://127.0.0.1:8002"; }; + }; - "backend.${cfg.hostname}" = { - enableACME = true; - acmeRoot = acmeRoot; + virtualHosts."backend.${cfg.hostname}" = { + enableACME = true; + acmeRoot = acmeRoot; - listen = [ - { addr = "0.0.0.0"; port = 80; } - ]; + listen = [ + { addr = "0.0.0.0"; port = 80; } + ]; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString ports.backend}"; - }; + locations."/" = { + proxyPass = "http://127.0.0.1:8001"; }; + }; - "dns.${cfg.hostname}" = { - enableACME = true; - acmeRoot = acmeRoot; + virtualHosts."${cfg.hostname}" = { + # addSSL = true; + # forceSSL = true; + enableACME = true; + acmeRoot = acmeRoot; - listen = [ - { addr = "0.0.0.0"; port = 80; } - ]; + listen = [ + { addr = "0.0.0.0"; port = 80; } + ]; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString ports.coredns-https}"; - }; + locations."/" = { + root = cfg.sitePath; + tryFiles = "$uri $uri/ /index.html"; }; - - "x.${cfg.hostname}" = { - enableACME = true; - acmeRoot = acmeRoot; - - listen = [ - { addr = "0.0.0.0"; port = 80; } - ]; - - locations."/" = { - proxyPass = "https://www.lovelive-anime.jp"; - extraConfig = '' - sub_filter $proxy_host $host; - sub_filter_once off; - - proxy_set_header Host $proxy_host; - proxy_http_version 1.1; - proxy_cache_bypass $http_upgrade; - proxy_ssl_server_name on; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header X-Real-IP $proxy_protocol_addr; - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - resolver 1.1.1.1; - ''; - }; - }; - - - "${cfg.hostname}" = { - # addSSL = true; - # forceSSL = true; - enableACME = true; - acmeRoot = acmeRoot; - - listen = [ - { addr = "0.0.0.0"; port = 80; } - ]; - - locations."/" = { - root = cfg.sitePath; - tryFiles = "$uri $uri/ /index.html"; - }; - }; - } // (if cfg.xray then { - # Xray fallback proxy servers - "127.0.0.1:${toString ports.xray-fallback}" = { - listen = [ - { addr = "127.0.0.1"; port = ports.xray-fallback; proxyProtocol = true; } - ]; - - locations."/" = { - proxyPass = "https://www.lovelive-anime.jp"; - extraConfig = '' - sub_filter $proxy_host $host; - sub_filter_once off; - - proxy_set_header Host $proxy_host; - proxy_http_version 1.1; - proxy_cache_bypass $http_upgrade; - proxy_ssl_server_name on; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header X-Real-IP $proxy_protocol_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - resolver 1.1.1.1; - ''; - }; - }; - - "127.0.0.1:${toString ports.xray-websocket}" = { - listen = [ - { addr = "127.0.0.1"; port = ports.xray-websocket; proxyProtocol = true; } - ]; - - locations."/" = { - proxyPass = "https://www.lovelive-anime.jp"; - extraConfig = '' - sub_filter $proxy_host $host; - sub_filter_once off; - - proxy_set_header Host $proxy_host; - proxy_http_version 1.1; - proxy_cache_bypass $http_upgrade; - proxy_ssl_server_name on; - - proxy_set_header Upgrade $http_upgrade; - 
proxy_set_header Connection $connection_upgrade; - proxy_set_header X-Real-IP $proxy_protocol_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; - - resolver 1.1.1.1; - ''; - }; - }; - } else {}) // (if cfg.nix-cache then { - "cache.nix.${cfg.hostname}" = { - enableACME = true; - acmeRoot = acmeRoot; - listen = [ - { addr = "0.0.0.0"; port = 80; } - ]; - locations."/" = { - proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; - }; - }; - } else {}); + }; streamConfig = (builtins.readFile ./stream.nginx); }; diff --git a/nix/server/nix-cache.nix b/nix/server/nix-cache.nix deleted file mode 100644 index 14beb5a..0000000 --- a/nix/server/nix-cache.nix +++ /dev/null @@ -1,18 +0,0 @@ - -{ config -, pkgs -, lib -, self -, nixpkgs -, kp2pml30-moe -, system -, ... -}@args: -let - cfg = config.kp2pml30.server; -in lib.mkIf cfg.nix-cache { - services.nix-serve = { - enable = true; - secretKeyFile = "/var/cache-priv-key.pem"; - }; -} diff --git a/nix/server/ports.nix b/nix/server/ports.nix deleted file mode 100644 index 903ac2f..0000000 --- a/nix/server/ports.nix +++ /dev/null 
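Review bot: Every virtual host in the rewritten `services.nginx` block listens only on `0.0.0.0:80` with `addSSL`/`forceSSL` still commented out, and the stream config in this same diff terminates TLS and forwards to `127.0.0.1:80` too, so nginx cannot distinguish TLS-terminated requests from direct plaintext ones: Forgejo and the backend are served unencrypted to anyone reaching port 80, and no `X-Forwarded-Proto: https` reaches either upstream. Giving the stream-terminated traffic its own loopback listener, e.g. `{ addr = "127.0.0.1"; port = 8443; }` as the removed configuration did, would let the public port-80 vhosts `return 301 https://$host$request_uri;` instead; if plaintext is accepted deliberately, a comment next to the commented-out `forceSSL` saying so would help. The bare `proxyPass` entries also forward no `Host`/`X-Real-IP` headers; `recommendedProxySettings = true;` on the `services.nginx` block supplies those, which Forgejo behind a proxy generally expects.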
@@ -1,45 +0,0 @@ -{ lib, ... }: -{ - # Server Port Usage Configuration - # This file documents and centralizes all port assignments - - options.kp2pml30.server.ports = { - # Application Services - backend = lib.mkOption { - type = lib.types.int; - default = 8001; - description = "Backend service port (kp2pml30-moe-backend)"; - }; - - forgejo = lib.mkOption { - type = lib.types.int; - default = 8002; - description = "Forgejo Git service port"; - }; - - coredns-https = lib.mkOption { - type = lib.types.int; - default = 8003; - description = "CoreDNS HTTPS interface port"; - }; - - # Available ports for new services - xray-main = lib.mkOption { - type = lib.types.int; - default = 8010; - description = "Xray VLESS inbound port"; - }; - - xray-fallback = lib.mkOption { - type = lib.types.int; - default = 8011; - description = "Xray fallback proxy port"; - }; - - xray-websocket = lib.mkOption { - type = lib.types.int; - default = 8012; - description = "Xray websocket fallback port"; - }; - }; -} \ No newline at end of file diff --git a/nix/server/secrets.nix b/nix/server/secrets.nix deleted file mode 100644 index cf9ad4f..0000000 --- a/nix/server/secrets.nix +++ /dev/null 
@@ -1,97 +0,0 @@ -{ config -, pkgs -, lib -, ... -}: -let - cfg = config.kp2pml30.server; - - # Script to decrypt secrets.yaml and extract XRAY_UIDS - decryptSecrets = pkgs.writeShellScript "decrypt-secrets" '' - set -euo pipefail - - source /var/lib/secrets/.env - - if [ -z "''${KP2_DOTFILES_SECRET_KEY:-}" ]; then - echo "Error: KP2_DOTFILES_SECRET_KEY environment variable not set" >&2 - exit 1 - fi - - if [ ! -f "${./secrets.yaml}" ]; then - echo "Error: secrets.yaml not found" >&2 - exit 1 - fi - - # Decrypt and parse XRAY_UIDS - ${pkgs.openssl}/bin/openssl enc -aes-256-cbc -pbkdf2 -iter 1000000 -base64 -d -k "$KP2_DOTFILES_SECRET_KEY" -in "${./secrets.yaml}" | ${pkgs.yq}/bin/yq '.XRAY_UIDS[]' -r - ''; - - xray-config-base = builtins.toFile "xray.json" (builtins.readFile ./xray.json); - - # Script to generate complete xray configuration - generateXrayConfig = pkgs.writeShellScript "generate-xray-config" '' - set -euo pipefail - - ALL_IDS="[" - - first=true - while IFS= read -r uuid; do - if [ "$first" = true ]; then - first=false - else - ALL_IDS="$ALL_IDS," - fi - ALL_IDS="$ALL_IDS{\"id\":\"$uuid\",\"flow\": \"xtls-rprx-vision\"}" - done < <(${decryptSecrets}) - - ALL_IDS="$ALL_IDS]" - - cat "${xray-config-base}" | \ - jq --argjson val "$ALL_IDS" '.inbounds.[0].settings.clients = $val' - ''; - -in { - options.kp2pml30.server.secretsDir = lib.mkOption { - type = lib.types.str; - default = "/var/lib/secrets"; - description = "Directory for secrets management"; - }; - - config = lib.mkIf cfg.xray { - # Ensure xray user and group exist - users.users.xray = { - isSystemUser = true; - group = "xray"; - }; - - users.groups.xray = {}; - - # Create a systemd service to decrypt and prepare xray clients config - systemd.services.xray-secrets = { - description = "Decrypt Xray client configuration"; - wantedBy = [ "xray.service" ]; - before = [ "xray.service" ]; - - serviceConfig = { - Type = "oneshot"; - User = "root"; - EnvironmentFile = "${cfg.secretsDir}/.env"; - }; - - 
script = ''
- mkdir -p /run/secrets
- ${generateXrayConfig} > /run/secrets/xray-config.json
- chown xray:xray /run/secrets/xray-config.json
- chmod 440 /run/secrets/xray-config.json
- '';
-
- path = [ pkgs.jq ];
- };
-
- # Ensure secrets directory exists
- systemd.tmpfiles.rules = [
- "d ${cfg.secretsDir} 0750 root root -"
- "d /run/secrets 0755 root root -"
- ];
- };
-}
diff --git a/nix/server/secrets.yaml b/nix/server/secrets.yaml
deleted file mode 100644
index de129d6..0000000
--- a/nix/server/secrets.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-U2FsdGVkX18N4BW9sin9kPVNkpbtVNoDqBAm+080vcYSS7qySHVOCfe94a7S8mh4
-G5tbvoRrOFxJ+RW/WYNMsEZ7wgsJM8b9AiKPaT30BMHXriTdtai80i6xKqv9zdCb
-moGUlBSgMtqEhvAnvpYBxHQ+NtDhxw7K9UjaO7eodNp+l9PR6z+IeL29rC2DMxQc
-jXAjbfPa3aeSikXF0g118HbUwVJQwlXq99n/fjkJ8XOhBo/S4tWbt0U8O97VKlA6
diff --git a/nix/server/site.nix b/nix/server/site.nix
index a075874..243074d 100644
--- a/nix/server/site.nix
+++ b/nix/server/site.nix
@@ -9,7 +9,6 @@
 }@args:
 let
 cfg = config.kp2pml30.server;
- ports = config.kp2pml30.server.ports;
 backend = kp2pml30-moe.packages.${system}.kp2pml30-moe-backend;
 frontend = kp2pml30-moe.packages.${system}.kp2pml30-moe-frontend;
 in lib.mkIf cfg.nginx {
@@ -46,7 +45,7 @@ in lib.mkIf cfg.nginx {
 Restart = "on-failure";
 RestartSec = "3";
- ExecStart = ''${pkgs.bash}/bin/bash -c "source /home/kp2pml30-moe-backend/env.sh && touch /home/kp2pml30-moe-backend/db.json && ${backend}/bin/kp2pml30-moe-backend --port ${toString ports.backend} --moderated-path /home/kp2pml30-moe-backend/chatbox-db.json"'';
+ ExecStart = ''${pkgs.bash}/bin/bash -c "source /home/kp2pml30-moe-backend/env.sh && touch /home/kp2pml30-moe-backend/db.json && ${backend}/bin/kp2pml30-moe-backend --port 8001 --moderated-path /home/kp2pml30-moe-backend/chatbox-db.json"'';
 };
 };
 }
diff --git a/nix/server/stream.nginx b/nix/server/stream.nginx
index dcdcc95..3075273 100644
--- a/nix/server/stream.nginx
+++ b/nix/server/stream.nginx
@@ -12,15 +12,8 @@ map $ssl_preread_server_name $name {
 updates.signal.org updates;
 updates2.signal.org updates2;
- www.microsoft.com xray-entrypoint;
- x.kp2pml30.moe xray-entrypoint;
- pr.kp2pml30.moe signal-proxy;
-
- kp2pml30.moe ssl-terminator;
- dns.kp2pml30.moe ssl-terminator;
- git.kp2pml30.moe ssl-terminator;
- cache.nix.kp2pml30.moe ssl-terminator;
- backend.kp2pml30.moe ssl-terminator;
+ kp2pml30.moe self;
+ git.kp2pml30.moe self;
 default deny;
 }
@@ -69,10 +62,6 @@ upstream updates2 {
 server updates2.signal.org:443;
 }
-upstream xray-entrypoint {
- server 127.0.0.1:8010;
-}
-
 upstream deny {
 server 127.0.0.1:9;
 }
@@ -81,45 +70,23 @@ server {
 server 127.0.0.1:80;
 }
-upstream ssl-terminator {
- server 127.0.0.1:8443;
-}
-
-upstream signal-proxy {
- server 127.0.0.1:8444;
-}
-
 server {
- listen 443;
- ssl_preread on;
+ listen 443 ssl;
+ server_name pr.kp2pml30.moe;
 proxy_pass $name;
+ ssl_preread on;
+
+ ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem;
+ ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem;
+ ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
 }
 server {
- listen 8443 ssl;
- server_name kp2pml30.moe git.kp2pml30.moe cache.nix.kp2pml30.moe backend.kp2pml30.moe dns.kp2pml30.moe;
+ listen 443 ssl;
+ server_name kp2pml30.moe git.kp2pml30.moe backend.kp2pml30.moe;
 proxy_pass self;
 ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem;
 ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem;
 ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
 }
-
-server {
- listen 8444 ssl;
- server_name pr.kp2pml30.moe;
- ssl_preread on;
- proxy_pass $name;
-
- ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem;
- ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem;
- ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
-}
-
-log_format proxy_log '$remote_addr [$time_local] '
- '$protocol $status $bytes_sent $bytes_received '
- '$session_time "$upstream_addr" '
- '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'
- 'Proxy: "$ssl_preread_server_name" $name"';
-
-access_log /var/log/nginx/aboba-access.log proxy_log buffer=1k flush=1m;
diff --git a/nix/server/xray-client.json b/nix/server/xray-client.json
deleted file mode 100644
index a2989e0..0000000
--- a/nix/server/xray-client.json
+++ /dev/null
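Review bot: The rewritten first `server` block terminates TLS for `pr.kp2pml30.moe` and relays on the inner `$ssl_preread_server_name` via `proxy_pass $name`, but the `log_format`/`access_log` that recorded `$ssl_preread_server_name` and `$upstream_addr` go away with nothing replacing them, so this relay now keeps no per-connection audit trail; a stream-level `access_log /var/log/nginx/stream-access.log proxy_log;` with a simplified format is worth keeping. Two `listen 443 ssl` servers told apart by `server_name` rely on stream-module virtual servers, which if I recall arrived in nginx 1.25.5; a comment noting that requirement would help since the nixpkgs channel moves in this same diff. Finally, the `kp2pml30.moe self;` and `git.kp2pml30.moe self;` map entries are only consulted inside the `pr.` relay, where `self` (`127.0.0.1:80`, visible at the top of the hunk) would receive the inner TLS stream as plaintext HTTP; as far as the hunk shows they are dead and could be removed.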
@@ -1,103 +0,0 @@ -{ - "log": { - "loglevel": "warning" - }, - "routing": { - "domainStrategy": "IPIfNonMatch", - "rules": [ - { - "type": "field", - "domain": [ - "regexp:\\.ru$", - "regexp:\\.рф$", - "domain:vk.com" - ], - "outboundTag": "direct" - }, - { - "type": "field", - "domain": [ - "geosite:cn", - "geosite:private" - ], - "outboundTag": "direct" - }, - { - "type": "field", - "ip": [ - "geoip:cn", - "geoip:ru", - "geoip:private" - ], - "outboundTag": "direct" - } - ] - }, - "inbounds": [ - { - "listen": "127.0.0.1", - "port": 10808, - "protocol": "socks", - "settings": { - "udp": true - }, - "sniffing": { - "enabled": true, - "destOverride": [ - "http", - "tls" - ] - } - }, - { - "listen": "127.0.0.1", - "port": 10809, - "protocol": "http", - "sniffing": { - "enabled": true, - "destOverride": [ - "http", - "tls" - ] - } - } - ], - "outbounds": [ - { - "protocol": "vless", - "settings": { - "vnext": [ - { - "address": "x.kp2pml30.moe", - "port": 443, - "users": [ - { - "id": "", - "encryption": "none", - "flow": "xtls-rprx-vision" - } - ] - } - ] - }, - "streamSettings": { - "network": "tcp", - "security": "tls", - "tlsSettings": { - "serverName": "", - "allowInsecure": false, - "fingerprint": "chrome" - } - }, - "tag": "proxy" - }, - { - "protocol": "freedom", - "tag": "direct" - }, - { - "protocol": "blackhole", - "tag": "block" - } - ] -} diff --git a/nix/server/xray-reality-client.json b/nix/server/xray-reality-client.json deleted file mode 100644 index 4916a85..0000000 --- a/nix/server/xray-reality-client.json +++ /dev/null 
@@ -1,81 +0,0 @@ -{ - "log": { - "loglevel": "warning" - }, - "inbounds": [ - { - "port": 1080, - "listen": "127.0.0.1", - "protocol": "socks", - "settings": { - "udp": true - } - }, - { - "port": 1081, - "listen": "127.0.0.1", - "protocol": "http" - } - ], - "outbounds": [ - { - "tag": "proxy", - "protocol": "vless", - "settings": { - "vnext": [ - { - "address": "x.kp2pml30.moe", - "port": 443, - "users": [ - { - "id": "YOUR-UUID-HERE", - "encryption": "none", - "flow": "xtls-rprx-vision" - } - ] - } - ] - }, - "streamSettings": { - "network": "tcp", - "security": "reality", - "realitySettings": { - "show": false, - "fingerprint": "chrome", - "serverName": "www.microsoft.com", - "publicKey": "dRvlorHTupOukJ7aFZNPx-wXUMYJt3GQNrtSjMm9lAg", - "shortId": "deadbabe", - "spiderX": "/" - } - } - }, - { - "tag": "direct", - "protocol": "freedom" - }, - { - "tag": "block", - "protocol": "blackhole" - } - ], - "routing": { - "domainStrategy": "AsIs", - "rules": [ - { - "type": "field", - "domain": [ - "regexp:\\.ru$", - "geosite:category-ru", - "regexp:\\.рф$", - "regexp:(^|\\.)vk\\.com$" - ], - "outboundTag": "block" - }, - { - "type": "field", - "network": "tcp,udp", - "outboundTag": "proxy" - } - ] - } -} diff --git a/nix/server/xray-reality.json b/nix/server/xray-reality.json deleted file mode 100644 index 4787277..0000000 --- a/nix/server/xray-reality.json +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - "log": { - "loglevel": "debug" - }, - "routing": { - "domainStrategy": "IPIfNonMatch", - "rules": [ - { - "type": "field", - "domain": [ - "regexp:\\.ru$", - "regexp:\\.рф$", - "domain:vk.com" - ], - "outboundTag": "block" - }, - { - "type": "field", - "ip": [ - "geoip:cn", - "geoip:ru" - ], - "outboundTag": "block" - }, - { - "type": "field", - "network": "tcp,udp", - "outboundTag": "direct" - } - ] - }, - "inbounds": [ - { - "listen": "127.0.0.1", - "port": 8010, - "protocol": "vless", - "settings": { - "clients": [ - { - "id": "YOUR-UUID-HERE", - "flow": "xtls-rprx-vision" - } - ], - "decryption": "none" - }, - "streamSettings": { - "network": "tcp", - "security": "reality", - "realitySettings": { - "show": true, - "dest": "www.microsoft.com:443", - "xver": 0, - "serverNames": [ - "www.microsoft.com" - ], - "privateKey": "", - "shortIds": [ - "deadbabe" - ], - "debug": true - } - }, - "sniffing": { - "enabled": true, - "destOverride": [ - "http", - "tls" - ] - } - } - ], - "outbounds": [ - { - "protocol": "freedom", - "tag": "direct" - }, - { - "protocol": "blackhole", - "tag": "block" - } - ], - "policy": { - "levels": { - "0": { - "handshake": 3, - "connIdle": 127 - } - } - } -} diff --git a/nix/server/xray.json b/nix/server/xray.json deleted file mode 100644 index 24fe990..0000000 --- a/nix/server/xray.json +++ /dev/null 
@@ -1,86 +0,0 @@ -{ - "log": { - "loglevel": "warning" - }, - "routing": { - "domainStrategy": "IPIfNonMatch", - "rules": [ - { - "type": "field", - "domain": [ - "regexp:\\.ru$", - "regexp:\\.рф$", - "domain:vk.com" - ], - "outboundTag": "block" - }, - { - "type": "field", - "ip": [ - "geoip:cn", - "geoip:ru" - ], - "outboundTag": "block" - } - ] - }, - "inbounds": [ - { - "listen": "127.0.0.1", - "port": 8010, - "protocol": "vless", - "settings": { - "clients": [ - ], - "decryption": "none", - "fallbacks": [ - { - "dest": "8011", - "xver": 1 - } - ] - }, - "streamSettings": { - "network": "tcp", - "security": "tls", - "tlsSettings": { - "rejectUnknownSni": true, - "minVersion": "1.2", - "alpn": ["http/1.1"], - "certificates": [ - { - "ocspStapling": 3600, - "certificateFile": "/var/lib/acme/kp2pml30.moe/fullchain.pem", - "keyFile": "/var/lib/acme/kp2pml30.moe/key.pem" - } - ] - } - }, - "sniffing": { - "enabled": true, - "destOverride": [ - "http", - "tls" - ] - } - } - ], - "outbounds": [ - { - "protocol": "freedom", - "tag": "direct" - }, - { - "protocol": "blackhole", - "tag": "block" - } - ], - "policy": { - "levels": { - "0": { - "handshake": 3, - "connIdle": 127 - } - } - } -} diff --git a/nix/server/xray.nix b/nix/server/xray.nix deleted file mode 100644 index 49fcf35..0000000 --- a/nix/server/xray.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config -, pkgs -, lib -, ... -}: -let - cfg = config.kp2pml30.server; - ports = config.kp2pml30.server.ports; -in lib.mkIf cfg.xray { - services.xray = { - enable = true; - settingsFile = "/run/secrets/xray-config.json"; - }; - - # Ensure xray can read the certificates - users.users.xray.extraGroups = [ "nginx" ]; - - # Ensure the xray service starts after ACME certificates are available - systemd.services.xray.after = [ "acme-${cfg.hostname}.service" ]; - systemd.services.xray.wants = [ "acme-${cfg.hostname}.service" ]; -} \ No newline at end of file