
feat(wolumonde): nsid tracker, use proxyWebsockets, hetzner things [skip ci]

ptr.pet 0626ed12 3163f8b0

+3 -6
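--- a/.gitignore
+++ b/.gitignore
@@ -3,14 +3,11 @@
 doc/index.html
 keys
 
-# Result of bud commands
-vm
-iso
-doi
-
-pkgs/_sources/.shake*
 ssh_key
 secrets/deploy-webhook.nu
 
 # dnscontrol
 creds.json
+
+# deploy resources
+.hetzner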
+347
flake.lock
··· 86 86 "type": "github" 87 87 } 88 88 }, 89 + "crane_2": { 90 + "flake": false, 91 + "locked": { 92 + "lastModified": 1727316705, 93 + "narHash": "sha256-/mumx8AQ5xFuCJqxCIOFCHTVlxHkMT21idpbgbm/TIE=", 94 + "owner": "ipetkov", 95 + "repo": "crane", 96 + "rev": "5b03654ce046b5167e7b0bccbd8244cb56c16f0e", 97 + "type": "github" 98 + }, 99 + "original": { 100 + "owner": "ipetkov", 101 + "ref": "v0.19.0", 102 + "repo": "crane", 103 + "type": "github" 104 + } 105 + }, 89 106 "darwin": { 90 107 "inputs": { 91 108 "nixpkgs": [ ··· 108 125 "type": "github" 109 126 } 110 127 }, 128 + "dream2nix": { 129 + "inputs": { 130 + "nixpkgs": [ 131 + "nsid-tracker", 132 + "nci", 133 + "nixpkgs" 134 + ], 135 + "purescript-overlay": "purescript-overlay", 136 + "pyproject-nix": "pyproject-nix" 137 + }, 138 + "locked": { 139 + "lastModified": 1752547840, 140 + "narHash": "sha256-T6wYez5urMcY8oUetwOIqPcqj77Ey3qka7wQsi6YCd4=", 141 + "owner": "nix-community", 142 + "repo": "dream2nix", 143 + "rev": "667ba5ee25c95cf63ace92307db270e235dce66e", 144 + "type": "github" 145 + }, 146 + "original": { 147 + "owner": "nix-community", 148 + "repo": "dream2nix", 149 + "type": "github" 150 + } 151 + }, 111 152 "flake-compat": { 112 153 "flake": false, 113 154 "locked": { ··· 116 157 "owner": "edolstra", 117 158 "repo": "flake-compat", 118 159 "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", 160 + "type": "github" 161 + }, 162 + "original": { 163 + "owner": "edolstra", 164 + "repo": "flake-compat", 165 + "type": "github" 166 + } 167 + }, 168 + "flake-compat_2": { 169 + "flake": false, 170 + "locked": { 171 + "lastModified": 1696426674, 172 + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", 173 + "owner": "edolstra", 174 + "repo": "flake-compat", 175 + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", 119 176 "type": "github" 120 177 }, 121 178 "original": { ··· 430 487 "url": "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip" 431 488 } 432 489 
}, 490 + "mk-naked-shell": { 491 + "flake": false, 492 + "locked": { 493 + "lastModified": 1681286841, 494 + "narHash": "sha256-3XlJrwlR0nBiREnuogoa5i1b4+w/XPe0z8bbrJASw0g=", 495 + "owner": "yusdacra", 496 + "repo": "mk-naked-shell", 497 + "rev": "7612f828dd6f22b7fb332cc69440e839d7ffe6bd", 498 + "type": "github" 499 + }, 500 + "original": { 501 + "owner": "yusdacra", 502 + "repo": "mk-naked-shell", 503 + "type": "github" 504 + } 505 + }, 433 506 "naked-shell": { 434 507 "locked": { 435 508 "lastModified": 1681286841, ··· 461 534 "type": "github" 462 535 } 463 536 }, 537 + "naked-shell_3": { 538 + "locked": { 539 + "lastModified": 1681286841, 540 + "narHash": "sha256-3XlJrwlR0nBiREnuogoa5i1b4+w/XPe0z8bbrJASw0g=", 541 + "owner": "90-008", 542 + "repo": "mk-naked-shell", 543 + "rev": "7612f828dd6f22b7fb332cc69440e839d7ffe6bd", 544 + "type": "github" 545 + }, 546 + "original": { 547 + "owner": "90-008", 548 + "repo": "mk-naked-shell", 549 + "type": "github" 550 + } 551 + }, 552 + "nci": { 553 + "inputs": { 554 + "crane": "crane_2", 555 + "dream2nix": "dream2nix", 556 + "mk-naked-shell": "mk-naked-shell", 557 + "nixpkgs": [ 558 + "nsid-tracker", 559 + "nixpkgs" 560 + ], 561 + "parts": "parts_2", 562 + "rust-overlay": "rust-overlay_2", 563 + "treefmt": "treefmt" 564 + }, 565 + "locked": { 566 + "lastModified": 1752905922, 567 + "narHash": "sha256-fhwoEa+rjxLsRANRqh4jl4evnGpVNTLWUf4a/KDkQ3k=", 568 + "owner": "yusdacra", 569 + "repo": "nix-cargo-integration", 570 + "rev": "47e02f590e1e2c72b4ffc2bcf92b2b11c3195395", 571 + "type": "github" 572 + }, 573 + "original": { 574 + "owner": "yusdacra", 575 + "repo": "nix-cargo-integration", 576 + "type": "github" 577 + } 578 + }, 579 + "ncr": { 580 + "inputs": { 581 + "nixpkgs": [ 582 + "nixpkgs" 583 + ] 584 + }, 585 + "locked": { 586 + "lastModified": 1752857134, 587 + "narHash": "sha256-1ANFEQe6KW3ncMuIOxwLiwvwC3dpALUSYxq9CSPsOz8=", 588 + "ref": "refs/heads/main", 589 + "rev": "52576c71435602e25555a4116dfb0a42f3412b11", 590 + 
"revCount": 17, 591 + "type": "git", 592 + "url": "https://tangled.sh/@poor.dog/nixos-cloud-resources" 593 + }, 594 + "original": { 595 + "type": "git", 596 + "url": "https://tangled.sh/@poor.dog/nixos-cloud-resources" 597 + } 598 + }, 464 599 "nixos-hardware": { 465 600 "locked": { 466 601 "lastModified": 1752048960, ··· 558 693 "type": "github" 559 694 } 560 695 }, 696 + "nixpkgs-lib_3": { 697 + "locked": { 698 + "lastModified": 1751159883, 699 + "narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=", 700 + "owner": "nix-community", 701 + "repo": "nixpkgs.lib", 702 + "rev": "14a40a1d7fb9afa4739275ac642ed7301a9ba1ab", 703 + "type": "github" 704 + }, 705 + "original": { 706 + "owner": "nix-community", 707 + "repo": "nixpkgs.lib", 708 + "type": "github" 709 + } 710 + }, 561 711 "nixpkgs-wayland": { 562 712 "flake": false, 563 713 "locked": { ··· 620 770 "ref": "nixos-unstable", 621 771 "repo": "nixpkgs", 622 772 "type": "github" 773 + } 774 + }, 775 + "nsid-tracker": { 776 + "inputs": { 777 + "naked-shell": "naked-shell_3", 778 + "nci": "nci", 779 + "nixpkgs": [ 780 + "nixpkgs" 781 + ], 782 + "parts": "parts_3", 783 + "systems": "systems_6" 784 + }, 785 + "locked": { 786 + "lastModified": 1752990833, 787 + "narHash": "sha256-c8H6QAX2iIDLaYTLN8b1iOKxnpQouJoSGtDqMuyV9Nw=", 788 + "ref": "refs/heads/main", 789 + "rev": "73978e71f695685986843f71c46387117fc8f4f8", 790 + "revCount": 28, 791 + "type": "git", 792 + "url": "https://tangled.sh/@poor.dog/nsid-tracker" 793 + }, 794 + "original": { 795 + "type": "git", 796 + "url": "https://tangled.sh/@poor.dog/nsid-tracker" 623 797 } 624 798 }, 625 799 "nur": { ··· 659 833 "type": "github" 660 834 } 661 835 }, 836 + "parts_2": { 837 + "inputs": { 838 + "nixpkgs-lib": [ 839 + "nsid-tracker", 840 + "nci", 841 + "nixpkgs" 842 + ] 843 + }, 844 + "locked": { 845 + "lastModified": 1751413152, 846 + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", 847 + "owner": "hercules-ci", 848 + "repo": "flake-parts", 849 
+ "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", 850 + "type": "github" 851 + }, 852 + "original": { 853 + "owner": "hercules-ci", 854 + "repo": "flake-parts", 855 + "type": "github" 856 + } 857 + }, 858 + "parts_3": { 859 + "inputs": { 860 + "nixpkgs-lib": "nixpkgs-lib_3" 861 + }, 862 + "locked": { 863 + "lastModified": 1751413152, 864 + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", 865 + "owner": "hercules-ci", 866 + "repo": "flake-parts", 867 + "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", 868 + "type": "github" 869 + }, 870 + "original": { 871 + "owner": "hercules-ci", 872 + "repo": "flake-parts", 873 + "type": "github" 874 + } 875 + }, 876 + "purescript-overlay": { 877 + "inputs": { 878 + "flake-compat": "flake-compat_2", 879 + "nixpkgs": [ 880 + "nsid-tracker", 881 + "nci", 882 + "dream2nix", 883 + "nixpkgs" 884 + ], 885 + "slimlock": "slimlock" 886 + }, 887 + "locked": { 888 + "lastModified": 1728546539, 889 + "narHash": "sha256-Sws7w0tlnjD+Bjck1nv29NjC5DbL6nH5auL9Ex9Iz2A=", 890 + "owner": "thomashoneyman", 891 + "repo": "purescript-overlay", 892 + "rev": "4ad4c15d07bd899d7346b331f377606631eb0ee4", 893 + "type": "github" 894 + }, 895 + "original": { 896 + "owner": "thomashoneyman", 897 + "repo": "purescript-overlay", 898 + "type": "github" 899 + } 900 + }, 901 + "pyproject-nix": { 902 + "inputs": { 903 + "nixpkgs": [ 904 + "nsid-tracker", 905 + "nci", 906 + "dream2nix", 907 + "nixpkgs" 908 + ] 909 + }, 910 + "locked": { 911 + "lastModified": 1752481895, 912 + "narHash": "sha256-luVj97hIMpCbwhx3hWiRwjP2YvljWy8FM+4W9njDhLA=", 913 + "owner": "pyproject-nix", 914 + "repo": "pyproject.nix", 915 + "rev": "16ee295c25107a94e59a7fc7f2e5322851781162", 916 + "type": "github" 917 + }, 918 + "original": { 919 + "owner": "pyproject-nix", 920 + "repo": "pyproject.nix", 921 + "type": "github" 922 + } 923 + }, 662 924 "root": { 663 925 "inputs": { 664 926 "agenix": "agenix", ··· 668 930 "limbusart": "limbusart", 669 931 "lix-module": 
"lix-module", 670 932 "naked-shell": "naked-shell_2", 933 + "ncr": "ncr", 671 934 "nixos-hardware": "nixos-hardware", 672 935 "nixos-persistence": "nixos-persistence", 673 936 "nixos-wsl": "nixos-wsl", 674 937 "nixpkgs": "nixpkgs_3", 675 938 "nixpkgs-wayland": "nixpkgs-wayland", 939 + "nsid-tracker": "nsid-tracker", 676 940 "nur": "nur", 677 941 "skeetdeck": "skeetdeck", 678 942 "tangled": "tangled" ··· 700 964 "type": "github" 701 965 } 702 966 }, 967 + "rust-overlay_2": { 968 + "inputs": { 969 + "nixpkgs": [ 970 + "nsid-tracker", 971 + "nci", 972 + "nixpkgs" 973 + ] 974 + }, 975 + "locked": { 976 + "lastModified": 1752892850, 977 + "narHash": "sha256-LLvDqLiK2+dr7bQqKTnZIZ8F1H67DLt3FUyVrGolGVw=", 978 + "owner": "oxalica", 979 + "repo": "rust-overlay", 980 + "rev": "742248f12aed0183a124637e8b27a238a47f46a2", 981 + "type": "github" 982 + }, 983 + "original": { 984 + "owner": "oxalica", 985 + "repo": "rust-overlay", 986 + "type": "github" 987 + } 988 + }, 703 989 "skeetdeck": { 704 990 "flake": false, 705 991 "locked": { ··· 713 999 "url": "file:///home/kirara/proj/skeetdeck-dist.tar.gz" 714 1000 } 715 1001 }, 1002 + "slimlock": { 1003 + "inputs": { 1004 + "nixpkgs": [ 1005 + "nsid-tracker", 1006 + "nci", 1007 + "dream2nix", 1008 + "purescript-overlay", 1009 + "nixpkgs" 1010 + ] 1011 + }, 1012 + "locked": { 1013 + "lastModified": 1688756706, 1014 + "narHash": "sha256-xzkkMv3neJJJ89zo3o2ojp7nFeaZc2G0fYwNXNJRFlo=", 1015 + "owner": "thomashoneyman", 1016 + "repo": "slimlock", 1017 + "rev": "cf72723f59e2340d24881fd7bf61cb113b4c407c", 1018 + "type": "github" 1019 + }, 1020 + "original": { 1021 + "owner": "thomashoneyman", 1022 + "repo": "slimlock", 1023 + "type": "github" 1024 + } 1025 + }, 716 1026 "sqlite-lib-src": { 717 1027 "flake": false, 718 1028 "locked": { ··· 801 1111 "type": "github" 802 1112 } 803 1113 }, 1114 + "systems_6": { 1115 + "locked": { 1116 + "lastModified": 1680978846, 1117 + "narHash": "sha256-Gtqg8b/v49BFDpDetjclCYXm8mAnTrUzR0JnE2nv5aw=", 1118 + 
"owner": "nix-systems", 1119 + "repo": "x86_64-linux", 1120 + "rev": "2ecfcac5e15790ba6ce360ceccddb15ad16d08a8", 1121 + "type": "github" 1122 + }, 1123 + "original": { 1124 + "owner": "nix-systems", 1125 + "repo": "x86_64-linux", 1126 + "type": "github" 1127 + } 1128 + }, 804 1129 "tangled": { 805 1130 "inputs": { 806 1131 "gitignore": "gitignore", ··· 827 1152 "original": { 828 1153 "type": "git", 829 1154 "url": "https://tangled.sh/@tangled.sh/core" 1155 + } 1156 + }, 1157 + "treefmt": { 1158 + "inputs": { 1159 + "nixpkgs": [ 1160 + "nsid-tracker", 1161 + "nci", 1162 + "nixpkgs" 1163 + ] 1164 + }, 1165 + "locked": { 1166 + "lastModified": 1752055615, 1167 + "narHash": "sha256-19m7P4O/Aw/6+CzncWMAJu89JaKeMh3aMle1CNQSIwM=", 1168 + "owner": "numtide", 1169 + "repo": "treefmt-nix", 1170 + "rev": "c9d477b5d5bd7f26adddd3f96cfd6a904768d4f9", 1171 + "type": "github" 1172 + }, 1173 + "original": { 1174 + "owner": "numtide", 1175 + "repo": "treefmt-nix", 1176 + "type": "github" 830 1177 } 831 1178 } 832 1179 },
+14 -2
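--- a/flake.nix
+++ b/flake.nix
@@ -94,6 +94,12 @@
 
     tangled.url = "git+https://tangled.sh/@tangled.sh/core";
     tangled.inputs.nixpkgs.follows = "nixpkgs";
+
+    ncr.url = "git+https://tangled.sh/@poor.dog/nixos-cloud-resources";
+    ncr.inputs.nixpkgs.follows = "nixpkgs";
+
+    nsid-tracker.url = "git+https://tangled.sh/@poor.dog/nsid-tracker";
+    nsid-tracker.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs =
@@ -124,10 +130,16 @@
           }) cmds
         )
         (
-          lib.mapAttrs (_: pkgs: {
+          lib.mapAttrs
+          (_: pkgs: (
+            lib.mapAttrs
+            (_: app: app.program)
+            (inputs.ncr.makeApps {inherit pkgs; inherit (inputs) self;})
+          ) // {
             generate-firefox-addons = toString "${pkgs.generate-firefox-addons}/bin/generate-firefox-addons";
             dns = toString "${pkgs.dnsmngmt}/bin/dns";
-          }) allPkgs
+          })
+          allPkgs
         );
   in
   {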
+5 -11
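--- a/hosts/wolumonde/default.nix
+++ b/hosts/wolumonde/default.nix
@@ -7,7 +7,8 @@
 {
   imports = [
     inputs.agenix.nixosModules.default
-    # inputs.nixtopo.nixosModules.default
+    inputs.ncr.nixosModules.firewall
+    inputs.ncr.nixosModules.firewall-hetzner
   ] ++ (tlib.importFolder (toString ./modules));
 
   environment.systemPackages = with pkgs; [
@@ -19,18 +20,11 @@
   zramSwap.enable = true;
 
   # firewall stuffs
-  networking.firewall = {
+  networking.firewall.enable = true;
+  providers.hetzner.firewall = {
     enable = true;
-    allowedTCPPorts = [
-      22
-      80
-      443
-      5005
-    ];
-    allowedUDPPortRanges = [ ];
+    id = 476406;
   };
-
-  virtualisation.docker.enable = false;
 
   system.stateVersion = "22.05";
 }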
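Review bot: Port 5005 disappears from the allowed list in the second hunk without any replacement in this commit, while 22, 80/443 and the coturn ports reappear as `networking.firewall.public.*` entries in ssh.nix, nginx.nix and netbird.nix. If something still listens on 5005 it is now blocked twice, by `networking.firewall.enable = true` with no host-level ports and by the Hetzner firewall; if closing it is intentional, a one-line comment next to `providers.hetzner.firewall` saying so saves the next reader a search. The hard-coded `id = 476406` would also benefit from a comment naming which Hetzner project/firewall it refers to, since nothing else in the repo visible here ties the number to the host.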
+5
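--- a/hosts/wolumonde/modules/hardware-configuration.nix
+++ b/hosts/wolumonde/modules/hardware-configuration.nix
@@ -12,4 +12,9 @@
     device = "/dev/sda1";
     fsType = "ext4";
   };
+  fileSystems."/mnt/data" = {
+    device = "/dev/disk/by-id/scsi-0HC_Volume_102930299";
+    fsType = "btrfs";
+    options = [ "noatime" "autodefrag" "compress-force=zstd:8" ];
+  };
 }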
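Review bot: The new `/mnt/data` entry has no `nofail`, so if the attached volume is detached or its by-id path changes, boot stops in emergency mode instead of coming up without the data volume, and the host becomes unreachable over SSH. Unless the machine must not start without it, `options = [ "nofail" "noatime" "autodefrag" "compress-force=zstd:8" ];` keeps the box reachable; the nsid-tracker unit that lives on this volume should then carry its own dependency on the mount rather than relying on boot ordering.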
+4
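--- a/hosts/wolumonde/modules/netbird.nix
+++ b/hosts/wolumonde/modules/netbird.nix
@@ -52,6 +52,10 @@
       useAcmeCertificates = true;
     };
   };
+  networking.firewall.public."netbird coturn" ={
+    allowedTCPPortRanges = [{from = 3478; to = 3479;}];
+    allowedUDPPortRanges = [{from = 3478; to = 3479;} {from = 49152; to = 65535;}];
+  };
 
   services.nginx.virtualHosts.${cfg.domain} = {
     useACMEHost = "gaze.systems";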
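Review bot: The UDP range `49152`–`65535` is opened to the public in the added block without a comment; it is presumably coturn's relay port range, but that is only recoverable from the coturn configuration, which is outside this hunk. A comment such as `# coturn relay ports; must match the relay min/max port configured for the server` would help, and if the relay range is set through `services.coturn.min-port`/`max-port`, deriving `from`/`to` from those options keeps the firewall and the relay range from drifting apart. Style: `"netbird coturn" ={` is missing the space before the brace that the rest of the file uses.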
+2
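--- a/hosts/wolumonde/modules/nginx.nix
+++ b/hosts/wolumonde/modules/nginx.nix
@@ -16,6 +16,8 @@
     statusPage = true;
   };
 
+  networking.firewall.public."http(s)".allowedTCPPorts = [80 443];
+
   # output json logs so we can consume them more easily
   services.nginx.appendHttpConfig = ''
     log_format json_logs escape=json '{'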
+53
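--- /dev/null
+++ b/hosts/wolumonde/modules/nsid-tracker.nix
@@ -0,0 +1,53 @@
+{
+  pkgs,
+  inputs,
+  ...
+}:
+let
+  server = inputs.nsid-tracker.packages.${pkgs.system}.server;
+  client = inputs.nsid-tracker.packages.${pkgs.system}.client.overrideAttrs (old: {
+    PUBLIC_API_URL = "gaze.systems/nsid-tracker/api";
+  });
+  port = 6432;
+in
+{
+  users.users.nsidtracker = {
+    isSystemUser = true;
+    home = "/mnt/data/nsid-tracker";
+    createHome = true;
+    group = "nsidtracker";
+  };
+  users.groups.nsidtracker = { };
+
+  systemd.services.nsid-tracker = {
+    description = "nsid-tracker";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    environment = {
+      HOME = "/mnt/data/nsid-tracker";
+      PORT = toString port;
+    };
+    serviceConfig = {
+      User = "nsidtracker";
+      ExecStart = "${server}/bin/server";
+      Restart = "on-failure";
+      RestartSec = 5;
+      WorkingDirectory = "/mnt/data/nsid-tracker";
+    };
+  };
+
+  services.nginx.virtualHosts."gaze.systems" = {
+    locations."/nsid-tracker/api" = {
+      proxyPass = "http://localhost:${toString port}/";
+      proxyWebsockets = true;
+      extraConfig = ''
+        rewrite ^/nsid-tracker/api/(.*) /$1 break;
+      '';
+    };
+    locations."/nsid-tracker".return = "301 /nsid-tracker/";
+    locations."/nsid-tracker/" = {
+      alias = "${client}/";
+      tryFiles = "$uri $uri/ /index.html";
+    };
+  };
+}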
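Review bot: `systemd.services.nsid-tracker` orders itself only after `network.target`, yet its `HOME` and `WorkingDirectory` sit on the separately mounted `/mnt/data` volume added in hardware-configuration.nix, so `unitConfig.RequiresMountsFor = [ "/mnt/data/nsid-tracker" ]` is needed to stop the server from starting (and creating state under an unmounted path) before the volume is up. Because the process is reachable from the internet through the nginx location, the unit should also get the usual sandboxing — `NoNewPrivileges`, `PrivateTmp`, `ProtectSystem = "strict"` with `ReadWritePaths` limited to its state directory — which is cheap here since the only writable path it needs is visible in the file; if the server turns out to write elsewhere, extend `ReadWritePaths` rather than dropping the protection. Separately, `PUBLIC_API_URL` is set without a scheme (`gaze.systems/nsid-tracker/api`); if the client builds absolute URLs from it this presumably needs `https://`, which is worth confirming against the client build. A short comment above `port = 6432;` stating that the server is expected to bind only on localhost (nothing opens 6432 in any firewall block of this commit) would document that assumption.
```nix
  systemd.services.nsid-tracker = {
    # … unchanged: description, wantedBy, after, environment …
    # do not start (or create state) before the data volume is mounted
    unitConfig.RequiresMountsFor = [ "/mnt/data/nsid-tracker" ];
    serviceConfig = {
      User = "nsidtracker";
      ExecStart = "${server}/bin/server";
      Restart = "on-failure";
      RestartSec = 5;
      WorkingDirectory = "/mnt/data/nsid-tracker";
      # sandboxing: the server only needs its own state directory writable
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ReadWritePaths = [ "/mnt/data/nsid-tracker" ];
    };
  };
```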
+1 -2
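--- a/hosts/wolumonde/modules/pds.nix
+++ b/hosts/wolumonde/modules/pds.nix
@@ -12,10 +12,9 @@
       # silly but i want root domain >:3
       "/xrpc" = {
         proxyPass = pdsLocalhost;
+        proxyWebsockets = true;
         # pass ws headers so we can actually proxy the ws
         extraConfig = ''
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection $connection_upgrade;
           proxy_set_header id $request_id;
           client_max_body_size 100M;
         '';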
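Review bot: The comment `# pass ws headers so we can actually proxy the ws` above `extraConfig` is now stale: the Upgrade/Connection headers it describes moved into `proxyWebsockets = true;`, and what remains in the block is the request-id header and the body-size limit. Suggest replacing it with something like `# pass the request id upstream; raise the body limit for large uploads`, adjusting the second half if the 100M limit exists for another reason, since that is not visible here.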
+1
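--- a/hosts/wolumonde/modules/ssh.nix
+++ b/hosts/wolumonde/modules/ssh.nix
@@ -8,4 +8,5 @@
   users.users.root.openssh.authorizedKeys.keys = [
     (builtins.readFile "${inputs.self}/secrets/yusdacra.key.pub")
   ];
+  networking.firewall.public."ssh".allowedTCPPorts = [22];
 }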
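Review bot: The added `networking.firewall.public."ssh"` line is what now publishes 22 through the Hetzner firewall, and the context two lines above shows root logging in by key, so it is worth confirming that `services.openssh.settings.PasswordAuthentication = false` and `PermitRootLogin = "prohibit-password"` are set in the part of this file outside the hunk rather than left at whatever the module defaults to. If they are, a comment on the new line such as `# key-only root login, see openssh settings above` ties the exposure to the hardening that justifies it.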
+2 -10
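--- a/hosts/wolumonde/modules/tangled.nix
+++ b/hosts/wolumonde/modules/tangled.nix
@@ -25,11 +25,7 @@
     kTLS = true;
     locations."/" = {
       proxyPass = "http://${knotCfg.server.listenAddr}";
-      extraConfig = ''
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-        proxy_set_header id $request_id;
-      '';
+      proxyWebsockets = true;
     };
   };
 
@@ -62,11 +58,7 @@
     kTLS = true;
     locations."/" = {
       proxyPass = "http://${spindleCfg.server.listenAddr}";
-      extraConfig = ''
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-        proxy_set_header id $request_id;
-      '';
+      proxyWebsockets = true;
     };
   };
 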
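Review bot: Both hunks drop `proxy_set_header id $request_id;` together with the Upgrade/Connection headers, whereas pds.nix in the same commit keeps that header when switching to `proxyWebsockets`. If knot or spindle (or the json access log configured in nginx.nix) use the `id` header to correlate requests, keep it next to the new line in both locations, `extraConfig = ''proxy_set_header id $request_id;'';`, or drop it from pds.nix too so the three proxies agree; either way, stating the intent in the commit would avoid the question. The enclosing virtualHost definitions start outside each hunk.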
+2
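--- a/hosts/wolumonde/modules/unbound.nix
+++ b/hosts/wolumonde/modules/unbound.nix
@@ -39,6 +39,8 @@
         forward-addr = [
           "1.1.1.1"
           "1.0.0.1"
+          "9.9.9.9"
+          "8.8.8.8"
         ];
       }
     ];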
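Review bot: The two added forwarders, like the two existing ones, are reached over plain port-53 DNS, so every upstream lookup from this host leaves unencrypted and unauthenticated; unbound can forward over DNS-over-TLS instead with `forward-tls-upstream = true;` in this forward-zone and `@853#name` suffixes on the addresses (e.g. `"1.1.1.1@853#cloudflare-dns.com"`, `"9.9.9.9@853#dns.quad9.net"`), which also needs `tls-cert-bundle` in the server section to point at the system CA bundle. Listing four operators also changes behaviour slightly: unbound picks among all of them by measured RTT rather than in listed order, so if the intent is fallback rather than spreading queries across providers, a comment on the new lines saying so would help. The enclosing `forward-zone` list starts outside the hunk.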
secrets/netbirdClientKey.age

This is a binary file and will not be displayed.