kp2pml30/dotfiles
1
0
Fork 0
mirror of https://github.com/kp2pml30/dotfiles.git synced 2026-02-17 07:44:41 +04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: kp2pml30:68a477910755d759a9d94eaf2cdc3e85bb75c0ee
Branches Tags
kp2pml30:main
..
compare: kp2pml30:a8ad7a32319599ec9493061165cdba6be3310d96
Branches Tags
kp2pml30:main

No commits in common. "68a477910755d759a9d94eaf2cdc3e85bb75c0ee" and "a8ad7a32319599ec9493061165cdba6be3310d96" have entirely different histories.
68a4779107 ... a8ad7a3231

29 changed files with 96 additions and 991 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1,2 +1 @@
/result /result
/.env

16
flake.lock generated
View file

@ -44,16 +44,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758463745, "lastModified": 1744117652,
"narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=", "narHash": "sha256-t7dFCDl4vIOOUMhEZnJF15aAzkpaup9x4ZRGToDFYWI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3", "rev": "b4e98224ad1336751a2ac7493967a4c9f6d9cb3f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.05", "ref": "release-24.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@ -158,16 +158,16 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1761999846, "lastModified": 1744309437,
"narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=", "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31", "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-25.05", "ref": "nixos-24.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }

8
flake.nix
View file

@ -1,12 +1,12 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
nixos-wsl = { nixos-wsl = {
url = "github:nix-community/NixOS-WSL/main"; url = "github:nix-community/NixOS-WSL/main";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-25.05"; url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-generators = { nixos-generators = {
@ -44,8 +44,6 @@
hostname = "kp2pml30.moe"; hostname = "kp2pml30.moe";
nginx = true; nginx = true;
forgejo = true; forgejo = true;
nix-cache = true;
xray = true;
}; };
} }
@ -68,7 +66,7 @@
networking.hostName = "kp2pml30-personal-pc"; networking.hostName = "kp2pml30-personal-pc";
networking.hostId = "e31a5cc2"; networking.hostId = "e31a5cc2";
time.timeZone = "Asia/Tokyo"; time.timeZone = "Asia/Yerevan";
} }
./nix/hardware/mini.nix ./nix/hardware/mini.nix

24
nix/hardware/mini.nix
View file

@ -1,3 +1,4 @@
{ pkgs { pkgs
, inputs , inputs
, lib , lib
@ -5,10 +6,7 @@
, ... , ...
}: }:
{ {
imports = [ imports = [ ./common.nix ];
./common.nix
# ./nvidia.nix
];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-uuid/1ec7bbd6-cb83-427a-a901-d5fb7a4ef3ba"; device = "/dev/disk/by-uuid/1ec7bbd6-cb83-427a-a901-d5fb7a4ef3ba";
@ -21,15 +19,15 @@
options = [ "fmask=0077" "dmask=0077" ]; options = [ "fmask=0077" "dmask=0077" ];
}; };
# fileSystems."/mnt/d" = { fileSystems."/mnt/d" = {
# device = "/dev/sda1"; device = "/dev/sda1";
# fsType = "exfat"; fsType = "exfat";
# options = [ options = [
# "users" "users"
# "exec" "exec"
# "nofail" "nofail"
# ]; ];
# }; };
swapDevices = [ { device = "/dev/disk/by-uuid/c68daa9f-f165-4e23-8710-2aab0ad8d282"; } ]; swapDevices = [ { device = "/dev/disk/by-uuid/c68daa9f-f165-4e23-8710-2aab0ad8d282"; } ];

16
nix/hardware/nvidia.nix
View file

@ -1,16 +0,0 @@
{ pkgs
, inputs
, lib
, config
, ...
}:
{
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.production;
modesetting.enable = true;
open = false;
nvidiaSettings = true;
};
}

4
nix/personal/default.nix
View file

@ -54,7 +54,6 @@ in {
"C.UTF-8/UTF-8" "C.UTF-8/UTF-8"
"en_US.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"
"ru_RU.UTF-8/UTF-8" "ru_RU.UTF-8/UTF-8"
"ja_JP.UTF-8/UTF-8"
]; ];
programs = { programs = {
@ -72,7 +71,6 @@ in {
nixpkgs.config.allowUnfreePredicate = pkg: nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (pkgs.lib.getName pkg) [ builtins.elem (pkgs.lib.getName pkg) [
"anytype-heart"
"vscode" "vscode"
"steam" "steam"
"steam-run" "steam-run"
@ -82,7 +80,7 @@ in {
"nvidia-settings" "nvidia-settings"
"nvidia-persistenced" "nvidia-persistenced"
"opera" "opera"
"discord" "discord-ptb"
"slack" "slack"
"anytype" "anytype"
]; ];

7
nix/personal/graphical/default.nix
View file

@ -20,16 +20,11 @@ in {
environment.systemPackages = [ pkgs.anytype ]; environment.systemPackages = [ pkgs.anytype ];
fonts.enableDefaultFonts = true;
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk-sans
noto-fonts-cjk-sans
fira-code fira-code
fira-code-nerdfont fira-code-nerdfont
fira-code-symbols fira-code-symbols
nerd-fonts.fira-code (nerdfonts.override { fonts = [ "FiraCode" ]; })
]; ];
} }

12
nix/personal/graphical/messengers.nix
View file

@ -7,15 +7,11 @@
}: }:
let let
cfg = config.kp2pml30; cfg = config.kp2pml30;
signal-pkgs = import (builtins.fetchTarball { signalSuffix = if system == "x86_64-linux" then "amd64" else "arm64";
url = "https://github.com/NixOS/nixpkgs/archive/71cbb752aa36854eb4a7deb3685b9789256d643c.tar.gz";
sha256 = "10dnjv2c28bjgplyj6nbk2q9lng6f95jf75i5yh541zngrr8b2qg";
}) {
system = pkgs.system;
};
in lib.mkIf cfg.messengers.personal { in lib.mkIf cfg.messengers.personal {
users.users.${cfg.username}.packages = with pkgs; [ users.users.${cfg.username}.packages = with pkgs; [
discord discord-ptb
telegram-desktop telegram-desktop
] ++ [signal-pkgs.signal-desktop]; pkgs.signal-desktop
];
} }

31
nix/personal/graphical/opera.nix
View file

@ -6,37 +6,10 @@
}: }:
let let
cfg = config.kp2pml30; cfg = config.kp2pml30;
version = "123.0.5669.23";
legacy-nixpkgs = import (builtins.fetchTarball {
url = "https://github.com/NixOS/nixpkgs/archive/refs/tags/24.11.tar.gz";
sha256 = "1gx0hihb7kcddv5h0k7dysp2xhf1ny0aalxhjbpj2lmvj7h9g80a";
}) {
system = pkgs.system;
config.allowUnfreePredicate = pkg:
builtins.elem (pkgs.lib.getName pkg) [
"vscode"
"steam"
"steam-run"
"steam-original"
"steam-unwrapped"
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
"opera"
"discord"
"slack"
"anytype"
];
};
in lib.mkIf cfg.opera { in lib.mkIf cfg.opera {
home-manager.users.${cfg.username}.home = { home-manager.users.${cfg.username}.home = {
packages = with legacy-nixpkgs; [ packages = with pkgs; [
((opera.override { proprietaryCodecs = true; }).overrideAttrs (finalAttrs: previousAttrs: { (opera.override { proprietaryCodecs = true; })
src = fetchurl {
url = "https://get.geo.opera.com/pub/opera/desktop/${version}/linux/opera-stable_${version}_amd64.deb";
hash = "sha256-j2kHdg8d60S9j3bLychjmH/cRAXHGIjOgGKqmNIhnHU=";
};
}))
]; ];
}; };
} }

46
nix/personal/graphical/vscode.nix
View file

@ -10,36 +10,30 @@ in lib.mkIf cfg.vscode {
home-manager.users.${cfg.username} = { home-manager.users.${cfg.username} = {
programs.vscode = { programs.vscode = {
enable = true; enable = true;
package = (pkgs.vscode.overrideAttrs (oldAttrs: rec { package = pkgs.vscode;
src = (builtins.fetchTarball {
url = "https://update.code.visualstudio.com/1.104.1/linux-x64/stable";
sha256 = "sha256:109mdk1v323dyhzrq0444gjjhfpjxbllkqkhsapfj44ypjzdjcy8";
});
version = "1.102.2";
}));
mutableExtensionsDir = false; mutableExtensionsDir = false;
userSettings = lib.importJSON("${rootPath}/vscode/settings.json"); userSettings = lib.importJSON("${rootPath}/vscode/settings.json");
# extensions = with pkgs; [ extensions = with pkgs; [
# vscode-extensions.eamodio.gitlens vscode-extensions.eamodio.gitlens
# vscode-extensions.editorconfig.editorconfig vscode-extensions.editorconfig.editorconfig
#
# vscode-extensions.bierner.markdown-mermaid
# vscode-extensions.tamasfe.even-better-toml vscode-extensions.bierner.markdown-mermaid
# vscode-extensions.streetsidesoftware.code-spell-checker vscode-extensions.tamasfe.even-better-toml
# (pkgs.vscode-utils.buildVscodeMarketplaceExtension {
# mktplcRef = { vscode-extensions.streetsidesoftware.code-spell-checker
# name = "code-spell-checker-russian"; (pkgs.vscode-utils.buildVscodeMarketplaceExtension {
# publisher = "streetsidesoftware"; mktplcRef = {
# version = "0.2.2"; name = "code-spell-checker-russian";
# sha256 = "a3b00c76a4aafecb962d6c292a3b9240a27d84b17de2119bb8007d0ad90ab443"; publisher = "streetsidesoftware";
# }; version = "0.2.2";
# meta = { sha256 = "a3b00c76a4aafecb962d6c292a3b9240a27d84b17de2119bb8007d0ad90ab443";
# license = lib.licenses.mit; };
# }; meta = {
# }) license = lib.licenses.mit;
# ]; };
})
];
}; };
}; };
} }

4
nix/personal/neovim.nix
View file

@ -27,9 +27,7 @@ in
nerdtree nerdtree
tokyonight-nvim tokyonight-nvim
barbar-nvim barbar-nvim
((fromGitHub "3587f57480b88e8009df7b36dc84e9c7ff8f2c49" "famiu/feline.nvim").overrideAttrs (old: { feline-nvim
doCheck = false;
}))
(fromGitHub "d63c811337b2f75de52f16efee176695f31e7fbc" "timakro/vim-yadi") (fromGitHub "d63c811337b2f75de52f16efee176695f31e7fbc" "timakro/vim-yadi")
(fromGitHub "aafa5c187a15701a7299a392b907ec15d9a7075f" "nvim-tree/nvim-web-devicons") (fromGitHub "aafa5c187a15701a7299a392b907ec15d9a7075f" "nvim-tree/nvim-web-devicons")
]; ];

3
nix/personal/tui.nix
View file

@ -14,9 +14,8 @@ in {
htop.enable = true; htop.enable = true;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
ncdu ncdu
timewarrior
]; ];
}; };

9
nix/server/default.nix
View file

@ -20,26 +20,17 @@ in {
forgejo = lib.mkEnableOption ""; forgejo = lib.mkEnableOption "";
dns = lib.mkEnableOption "";
nix-cache = lib.mkEnableOption "";
xray = lib.mkEnableOption "";
sitePath = lib.mkOption { sitePath = lib.mkOption {
type = lib.types.str; type = lib.types.str;
}; };
}; };
imports = [ imports = [
./ports.nix
./ssh.nix ./ssh.nix
./nginx.nix ./nginx.nix
./boot.nix ./boot.nix
./site.nix ./site.nix
./forgejo.nix ./forgejo.nix
./dns.nix
./nix-cache.nix
./xray.nix
./secrets.nix
]; ];
config = { config = {

35
nix/server/dns.nix
View file

@ -1,35 +0,0 @@
{ config
, pkgs
, lib
, self
, nixpkgs
, kp2pml30-moe
, system
, ...
}@args:
let
cfg = config.kp2pml30.server;
ports = config.kp2pml30.server.ports;
in lib.mkIf cfg.nginx {
services.coredns.enable = true;
services.coredns.config = ''
dns://.:53 {
forward . tls://1.1.1.1 {
tls
tls_servername cloudflare-dns.com
}
cache
}
https://.:${toString ports.coredns-https} {
forward . dns://127.0.0.1:53 {
tls
tls_servername cloudflare-dns.com
policy random
}
cache
}
'';
# networking.networkmanager.insertNameservers = [ "127.0.0.1" ];
}

3
nix/server/forgejo.nix
View file

@ -5,7 +5,6 @@
}: }:
let let
cfg = config.kp2pml30.server; cfg = config.kp2pml30.server;
ports = config.kp2pml30.server.ports;
in lib.mkIf cfg.forgejo { in lib.mkIf cfg.forgejo {
services.forgejo = { services.forgejo = {
enable = true; enable = true;
@ -15,7 +14,7 @@ in lib.mkIf cfg.forgejo {
server = { server = {
DOMAIN = "git.${cfg.hostname}"; DOMAIN = "git.${cfg.hostname}";
ROOT_URL = "https://git.${cfg.hostname}/"; ROOT_URL = "https://git.${cfg.hostname}/";
HTTP_PORT = ports.forgejo; HTTP_PORT = 8002;
}; };
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = true;
}; };

26
nix/server/modify-secrets.sh
View file

@ -1,26 +0,0 @@
#!/bin/sh
set -e
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
if ! command -v nvim
then
echo "no nvim"
exit 1
fi
if ! command -v base64
then
echo "no base64"
exit 1
fi
if ! command -v openssl
then
echo "no openssl"
exit 1
fi
env $(cat /var/lib/secrets/.env | xargs) nvim --clean -n \
-u "$SCRIPT_DIR/modify-secrets.vim" \
"$SCRIPT_DIR/secrets.yaml"

43
nix/server/modify-secrets.vim
View file

@ -1,43 +0,0 @@
set nobackup nowritebackup noundofile noswapfile viminfo= history=0 noshelltemp secure
function! s:OpenSSLReadPre()
endfunction
function! s:OpenSSLReadPost()
silent! execute "0,$!openssl enc -aes-256-cbc -pbkdf2 -iter 1000000 -base64 -d -k '" . $KP2_DOTFILES_SECRET_KEY . "'"
if v:shell_error
silent! 0,$y
silent! undo
echo "Note that your version of openssl may not have the given cipher engine built-in"
echo "even though the engine may be documented in the openssl man pages."
echo "ERROR FROM OPENSSL:"
echo @"
echo "COULD NOT DECRYPT"
return
endif
redraw!
endfunction
function! s:OpenSSLWritePre()
silent! execute "0,$!openssl enc -aes-256-cbc -pbkdf2 -iter 1000000 -base64 -k '" . $KP2_DOTFILES_SECRET_KEY . "'"
if v:shell_error
silent! 0,$y
silent! undo
echo "Note that your version of openssl may not have the given cipher engine built in"
echo "even though the engine may be documented in the openssl man pages."
echo "ERROR FROM OPENSSL:"
echo @"
echo "COULD NOT ENCRYPT"
return
endif
endfunction
function! s:OpenSSLWritePost()
"silent! undo
"redraw!
endfunction
autocmd BufReadPre,FileReadPre * call s:OpenSSLReadPre()
autocmd BufReadPost,FileReadPost * call s:OpenSSLReadPost()
autocmd BufWritePre,FileWritePre * call s:OpenSSLWritePre()
autocmd BufWritePost,FileWritePost * call s:OpenSSLWritePost()

196
nix/server/nginx.nix
View file

@ -5,7 +5,6 @@
}: }:
let let
cfg = config.kp2pml30.server; cfg = config.kp2pml30.server;
ports = config.kp2pml30.server.ports;
acmeRoot = "/var/lib/acme/acme-challenge"; acmeRoot = "/var/lib/acme/acme-challenge";
pref = "kp2"; pref = "kp2";
in lib.mkIf cfg.nginx { in lib.mkIf cfg.nginx {
@ -15,7 +14,7 @@ in lib.mkIf cfg.nginx {
defaults.email = "kp2pml30@gmail.com"; defaults.email = "kp2pml30@gmail.com";
#defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; #defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
certs."${cfg.hostname}" = { certs."${cfg.hostname}" = {
extraDomainNames = [ "pr.${cfg.hostname}" "www.${cfg.hostname}" "git.${cfg.hostname}" "backend.${cfg.hostname}" "dns.${cfg.hostname}" "cache.nix.${cfg.hostname}" "x.${cfg.hostname}" ]; extraDomainNames = [ "pr.${cfg.hostname}" "www.${cfg.hostname}" "git.${cfg.hostname}" "backend.${cfg.hostname}" ];
webroot = acmeRoot; webroot = acmeRoot;
group = "nginx"; group = "nginx";
}; };
@ -24,180 +23,47 @@ in lib.mkIf cfg.nginx {
services.nginx = { services.nginx = {
enable = true; enable = true;
logError = "stderr debug"; virtualHosts."git.${cfg.hostname}" = {
enableACME = true;
acmeRoot = acmeRoot;
listen = [
{ addr = "0.0.0.0"; port = 80; }
];
virtualHosts = { locations."/" = {
"git.${cfg.hostname}" = { proxyPass = "http://127.0.0.1:8002";
enableACME = true;
acmeRoot = acmeRoot;
listen = [
{ addr = "0.0.0.0"; port = 80; }
];
locations."/" = {
proxyPass = "http://127.0.0.1:${toString ports.forgejo}";
};
}; };
};
"backend.${cfg.hostname}" = { virtualHosts."backend.${cfg.hostname}" = {
enableACME = true; enableACME = true;
acmeRoot = acmeRoot; acmeRoot = acmeRoot;
listen = [ listen = [
{ addr = "0.0.0.0"; port = 80; } { addr = "0.0.0.0"; port = 80; }
]; ];
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString ports.backend}"; proxyPass = "http://127.0.0.1:8001";
};
}; };
};
"dns.${cfg.hostname}" = { virtualHosts."${cfg.hostname}" = {
enableACME = true; # addSSL = true;
acmeRoot = acmeRoot; # forceSSL = true;
enableACME = true;
acmeRoot = acmeRoot;
listen = [ listen = [
{ addr = "0.0.0.0"; port = 80; } { addr = "0.0.0.0"; port = 80; }
]; ];
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString ports.coredns-https}"; root = cfg.sitePath;
}; tryFiles = "$uri $uri/ /index.html";
}; };
};
"x.${cfg.hostname}" = {
enableACME = true;
acmeRoot = acmeRoot;
listen = [
{ addr = "0.0.0.0"; port = 80; }
];
locations."/" = {
proxyPass = "https://www.lovelive-anime.jp";
extraConfig = ''
sub_filter $proxy_host $host;
sub_filter_once off;
proxy_set_header Host $proxy_host;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_ssl_server_name on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
resolver 1.1.1.1;
'';
};
};
"${cfg.hostname}" = {
# addSSL = true;
# forceSSL = true;
enableACME = true;
acmeRoot = acmeRoot;
listen = [
{ addr = "0.0.0.0"; port = 80; }
];
locations."/" = {
root = cfg.sitePath;
tryFiles = "$uri $uri/ /index.html";
};
};
} // (if cfg.xray then {
# Xray fallback proxy servers
"127.0.0.1:${toString ports.xray-fallback}" = {
listen = [
{ addr = "127.0.0.1"; port = ports.xray-fallback; proxyProtocol = true; }
];
locations."/" = {
proxyPass = "https://www.lovelive-anime.jp";
extraConfig = ''
sub_filter $proxy_host $host;
sub_filter_once off;
proxy_set_header Host $proxy_host;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_ssl_server_name on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
resolver 1.1.1.1;
'';
};
};
"127.0.0.1:${toString ports.xray-websocket}" = {
listen = [
{ addr = "127.0.0.1"; port = ports.xray-websocket; proxyProtocol = true; }
];
locations."/" = {
proxyPass = "https://www.lovelive-anime.jp";
extraConfig = ''
sub_filter $proxy_host $host;
sub_filter_once off;
proxy_set_header Host $proxy_host;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_ssl_server_name on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
resolver 1.1.1.1;
'';
};
};
} else {}) // (if cfg.nix-cache then {
"cache.nix.${cfg.hostname}" = {
enableACME = true;
acmeRoot = acmeRoot;
listen = [
{ addr = "0.0.0.0"; port = 80; }
];
locations."/" = {
proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
} else {});
streamConfig = (builtins.readFile ./stream.nginx); streamConfig = (builtins.readFile ./stream.nginx);
}; };

18
nix/server/nix-cache.nix
View file

@ -1,18 +0,0 @@
{ config
, pkgs
, lib
, self
, nixpkgs
, kp2pml30-moe
, system
, ...
}@args:
let
cfg = config.kp2pml30.server;
in lib.mkIf cfg.nix-cache {
services.nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
}

45
nix/server/ports.nix
View file

@ -1,45 +0,0 @@
{ lib, ... }:
{
# Server Port Usage Configuration
# This file documents and centralizes all port assignments
options.kp2pml30.server.ports = {
# Application Services
backend = lib.mkOption {
type = lib.types.int;
default = 8001;
description = "Backend service port (kp2pml30-moe-backend)";
};
forgejo = lib.mkOption {
type = lib.types.int;
default = 8002;
description = "Forgejo Git service port";
};
coredns-https = lib.mkOption {
type = lib.types.int;
default = 8003;
description = "CoreDNS HTTPS interface port";
};
# Available ports for new services
xray-main = lib.mkOption {
type = lib.types.int;
default = 8010;
description = "Xray VLESS inbound port";
};
xray-fallback = lib.mkOption {
type = lib.types.int;
default = 8011;
description = "Xray fallback proxy port";
};
xray-websocket = lib.mkOption {
type = lib.types.int;
default = 8012;
description = "Xray websocket fallback port";
};
};
}

97
nix/server/secrets.nix
View file

@ -1,97 +0,0 @@
{ config
, pkgs
, lib
, ...
}:
let
cfg = config.kp2pml30.server;
# Script to decrypt secrets.yaml and extract XRAY_UIDS
decryptSecrets = pkgs.writeShellScript "decrypt-secrets" ''
set -euo pipefail
source /var/lib/secrets/.env
if [ -z "''${KP2_DOTFILES_SECRET_KEY:-}" ]; then
echo "Error: KP2_DOTFILES_SECRET_KEY environment variable not set" >&2
exit 1
fi
if [ ! -f "${./secrets.yaml}" ]; then
echo "Error: secrets.yaml not found" >&2
exit 1
fi
# Decrypt and parse XRAY_UIDS
${pkgs.openssl}/bin/openssl enc -aes-256-cbc -pbkdf2 -iter 1000000 -base64 -d -k "$KP2_DOTFILES_SECRET_KEY" -in "${./secrets.yaml}" | ${pkgs.yq}/bin/yq '.XRAY_UIDS[]' -r
'';
xray-config-base = builtins.toFile "xray.json" (builtins.readFile ./xray.json);
# Script to generate complete xray configuration
generateXrayConfig = pkgs.writeShellScript "generate-xray-config" ''
set -euo pipefail
ALL_IDS="["
first=true
while IFS= read -r uuid; do
if [ "$first" = true ]; then
first=false
else
ALL_IDS="$ALL_IDS,"
fi
ALL_IDS="$ALL_IDS{\"id\":\"$uuid\",\"flow\": \"xtls-rprx-vision\"}"
done < <(${decryptSecrets})
ALL_IDS="$ALL_IDS]"
cat "${xray-config-base}" | \
jq --argjson val "$ALL_IDS" '.inbounds.[0].settings.clients = $val'
'';
in {
options.kp2pml30.server.secretsDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/secrets";
description = "Directory for secrets management";
};
config = lib.mkIf cfg.xray {
# Ensure xray user and group exist
users.users.xray = {
isSystemUser = true;
group = "xray";
};
users.groups.xray = {};
# Create a systemd service to decrypt and prepare xray clients config
systemd.services.xray-secrets = {
description = "Decrypt Xray client configuration";
wantedBy = [ "xray.service" ];
before = [ "xray.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
EnvironmentFile = "${cfg.secretsDir}/.env";
};
script = ''
mkdir -p /run/secrets
${generateXrayConfig} > /run/secrets/xray-config.json
chown xray:xray /run/secrets/xray-config.json
chmod 440 /run/secrets/xray-config.json
'';
path = [ pkgs.jq ];
};
# Ensure secrets directory exists
systemd.tmpfiles.rules = [
"d ${cfg.secretsDir} 0750 root root -"
"d /run/secrets 0755 root root -"
];
};
}

4
nix/server/secrets.yaml
View file

@ -1,4 +0,0 @@
U2FsdGVkX18N4BW9sin9kPVNkpbtVNoDqBAm+080vcYSS7qySHVOCfe94a7S8mh4
G5tbvoRrOFxJ+RW/WYNMsEZ7wgsJM8b9AiKPaT30BMHXriTdtai80i6xKqv9zdCb
moGUlBSgMtqEhvAnvpYBxHQ+NtDhxw7K9UjaO7eodNp+l9PR6z+IeL29rC2DMxQc
jXAjbfPa3aeSikXF0g118HbUwVJQwlXq99n/fjkJ8XOhBo/S4tWbt0U8O97VKlA6

3
nix/server/site.nix
View file

@ -9,7 +9,6 @@
}@args: }@args:
let let
cfg = config.kp2pml30.server; cfg = config.kp2pml30.server;
ports = config.kp2pml30.server.ports;
backend = kp2pml30-moe.packages.${system}.kp2pml30-moe-backend; backend = kp2pml30-moe.packages.${system}.kp2pml30-moe-backend;
frontend = kp2pml30-moe.packages.${system}.kp2pml30-moe-frontend; frontend = kp2pml30-moe.packages.${system}.kp2pml30-moe-frontend;
in lib.mkIf cfg.nginx { in lib.mkIf cfg.nginx {
@ -46,7 +45,7 @@ in lib.mkIf cfg.nginx {
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "3"; RestartSec = "3";
ExecStart = ''${pkgs.bash}/bin/bash -c "source /home/kp2pml30-moe-backend/env.sh && touch /home/kp2pml30-moe-backend/db.json && ${backend}/bin/kp2pml30-moe-backend --port ${toString ports.backend} --moderated-path /home/kp2pml30-moe-backend/chatbox-db.json"''; ExecStart = ''${pkgs.bash}/bin/bash -c "source /home/kp2pml30-moe-backend/env.sh && touch /home/kp2pml30-moe-backend/db.json && ${backend}/bin/kp2pml30-moe-backend --port 8001 --moderated-path /home/kp2pml30-moe-backend/chatbox-db.json"'';
}; };
}; };
} }

55
nix/server/stream.nginx
View file

@ -12,15 +12,8 @@ map $ssl_preread_server_name $name {
updates.signal.org updates; updates.signal.org updates;
updates2.signal.org updates2; updates2.signal.org updates2;
www.microsoft.com xray-entrypoint; kp2pml30.moe self;
x.kp2pml30.moe xray-entrypoint; git.kp2pml30.moe self;
pr.kp2pml30.moe signal-proxy;
kp2pml30.moe ssl-terminator;
dns.kp2pml30.moe ssl-terminator;
git.kp2pml30.moe ssl-terminator;
cache.nix.kp2pml30.moe ssl-terminator;
backend.kp2pml30.moe ssl-terminator;
default deny; default deny;
} }
@ -69,10 +62,6 @@ upstream updates2 {
server updates2.signal.org:443; server updates2.signal.org:443;
} }
upstream xray-entrypoint {
server 127.0.0.1:8010;
}
upstream deny { upstream deny {
server 127.0.0.1:9; server 127.0.0.1:9;
} }
@ -81,45 +70,23 @@ upstream self {
server 127.0.0.1:80; server 127.0.0.1:80;
} }
upstream ssl-terminator {
server 127.0.0.1:8443;
}
upstream signal-proxy {
server 127.0.0.1:8444;
}
server { server {
listen 443; listen 443 ssl;
ssl_preread on; server_name pr.kp2pml30.moe;
proxy_pass $name; proxy_pass $name;
ssl_preread on;
ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem;
ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem;
ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
} }
server { server {
listen 8443 ssl; listen 443 ssl;
server_name kp2pml30.moe git.kp2pml30.moe cache.nix.kp2pml30.moe backend.kp2pml30.moe dns.kp2pml30.moe; server_name kp2pml30.moe git.kp2pml30.moe backend.kp2pml30.moe;
proxy_pass self; proxy_pass self;
ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem; ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem;
ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem; ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem;
ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem; ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
} }
server {
listen 8444 ssl;
server_name pr.kp2pml30.moe;
ssl_preread on;
proxy_pass $name;
ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem;
ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem;
ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
}
log_format proxy_log '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'
'Proxy: "$ssl_preread_server_name" $name"';
access_log /var/log/nginx/aboba-access.log proxy_log buffer=1k flush=1m;

103
nix/server/xray-client.json
View file

@ -1,103 +0,0 @@
{
"log": {
"loglevel": "warning"
},
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"domain": [
"regexp:\\.ru$",
"regexp:\\.рф$",
"domain:vk.com"
],
"outboundTag": "direct"
},
{
"type": "field",
"domain": [
"geosite:cn",
"geosite:private"
],
"outboundTag": "direct"
},
{
"type": "field",
"ip": [
"geoip:cn",
"geoip:ru",
"geoip:private"
],
"outboundTag": "direct"
}
]
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": 10808,
"protocol": "socks",
"settings": {
"udp": true
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
},
{
"listen": "127.0.0.1",
"port": 10809,
"protocol": "http",
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "x.kp2pml30.moe",
"port": 443,
"users": [
{
"id": "",
"encryption": "none",
"flow": "xtls-rprx-vision"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"serverName": "",
"allowInsecure": false,
"fingerprint": "chrome"
}
},
"tag": "proxy"
},
{
"protocol": "freedom",
"tag": "direct"
},
{
"protocol": "blackhole",
"tag": "block"
}
]
}

81
nix/server/xray-reality-client.json
View file

@ -1,81 +0,0 @@
{
"log": {
"loglevel": "warning"
},
"inbounds": [
{
"port": 1080,
"listen": "127.0.0.1",
"protocol": "socks",
"settings": {
"udp": true
}
},
{
"port": 1081,
"listen": "127.0.0.1",
"protocol": "http"
}
],
"outbounds": [
{
"tag": "proxy",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "x.kp2pml30.moe",
"port": 443,
"users": [
{
"id": "YOUR-UUID-HERE",
"encryption": "none",
"flow": "xtls-rprx-vision"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false,
"fingerprint": "chrome",
"serverName": "www.microsoft.com",
"publicKey": "dRvlorHTupOukJ7aFZNPx-wXUMYJt3GQNrtSjMm9lAg",
"shortId": "deadbabe",
"spiderX": "/"
}
}
},
{
"tag": "direct",
"protocol": "freedom"
},
{
"tag": "block",
"protocol": "blackhole"
}
],
"routing": {
"domainStrategy": "AsIs",
"rules": [
{
"type": "field",
"domain": [
"regexp:\\.ru$",
"geosite:category-ru",
"regexp:\\.рф$",
"regexp:(^|\\.)vk\\.com$"
],
"outboundTag": "block"
},
{
"type": "field",
"network": "tcp,udp",
"outboundTag": "proxy"
}
]
}
}

90
nix/server/xray-reality.json
View file

@ -1,90 +0,0 @@
{
"log": {
"loglevel": "debug"
},
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"domain": [
"regexp:\\.ru$",
"regexp:\\.рф$",
"domain:vk.com"
],
"outboundTag": "block"
},
{
"type": "field",
"ip": [
"geoip:cn",
"geoip:ru"
],
"outboundTag": "block"
},
{
"type": "field",
"network": "tcp,udp",
"outboundTag": "direct"
}
]
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": 8010,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "YOUR-UUID-HERE",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": true,
"dest": "www.microsoft.com:443",
"xver": 0,
"serverNames": [
"www.microsoft.com"
],
"privateKey": "",
"shortIds": [
"deadbabe"
],
"debug": true
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
},
{
"protocol": "blackhole",
"tag": "block"
}
],
"policy": {
"levels": {
"0": {
"handshake": 3,
"connIdle": 127
}
}
}
}

86
nix/server/xray.json
View file

@ -1,86 +0,0 @@
{
"log": {
"loglevel": "warning"
},
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"domain": [
"regexp:\\.ru$",
"regexp:\\.рф$",
"domain:vk.com"
],
"outboundTag": "block"
},
{
"type": "field",
"ip": [
"geoip:cn",
"geoip:ru"
],
"outboundTag": "block"
}
]
},
"inbounds": [
{
"listen": "127.0.0.1",
"port": 8010,
"protocol": "vless",
"settings": {
"clients": [
],
"decryption": "none",
"fallbacks": [
{
"dest": "8011",
"xver": 1
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"rejectUnknownSni": true,
"minVersion": "1.2",
"alpn": ["http/1.1"],
"certificates": [
{
"ocspStapling": 3600,
"certificateFile": "/var/lib/acme/kp2pml30.moe/fullchain.pem",
"keyFile": "/var/lib/acme/kp2pml30.moe/key.pem"
}
]
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
},
{
"protocol": "blackhole",
"tag": "block"
}
],
"policy": {
"levels": {
"0": {
"handshake": 3,
"connIdle": 127
}
}
}
}

21
nix/server/xray.nix
View file

@ -1,21 +0,0 @@
{ config
, pkgs
, lib
, ...
}:
let
cfg = config.kp2pml30.server;
ports = config.kp2pml30.server.ports;
in lib.mkIf cfg.xray {
services.xray = {
enable = true;
settingsFile = "/run/secrets/xray-config.json";
};
# Ensure xray can read the certificates
users.users.xray.extraGroups = [ "nginx" ];
# Ensure the xray service starts after ACME certificates are available
systemd.services.xray.after = [ "acme-${cfg.hostname}.service" ];
systemd.services.xray.wants = [ "acme-${cfg.hostname}.service" ];
}