···

       
1
       
1
       
 
       
# deadnix: skip

     

       
2
       
2
       
-
       
{ inputs, ...}: final: prev: {

     

       
3
       
3
       
-
       
  py = inputs.self.packages.${prev.system};

     

       
4
       
4
       
-
       
}

     

       
2
       
2
       
+
       
{ inputs, ... }: final: prev: { py = inputs.self.packages.${prev.system}; }

     

···

       
1
       
1
       
-
       
{

     

       
2
       
2
       
-
       
  pkgs

     

       
3
       
3
       
-
       
}: let

     

       
1
       
1
       
+
       
{ pkgs }:

     

       
2
       
2
       
+
       
let

     

       
4
       
3
       
 
       
  olympus = pkgs.stdenv.mkDerivation rec {

     

       
5
       
4
       
 
       
    pname = "olympus";

     

       
6
       
5
       
 
       
    version = "4085";

     
···

       
11
       
10
       
 
       
      hash = "sha256-8qHQ59QQvUfm4/2rbPaweh+q6dbzTUMMJ1n5duJ3XpI=";

     

       
12
       
11
       
 
       
    };

     

       
13
       
12
       
 
       


     

       
14
       
14
       
-
       
    buildInputs = [pkgs.unzip];

     

       
13
       
13
       
+
       
    buildInputs = [ pkgs.unzip ];

     

       
15
       
14
       
 
       
    installPhase = ''

     

       
16
       
15
       
 
       
      mkdir -p "$out/opt/olympus/"

     

       
17
       
16
       
 
       
      mv dist.zip "$out/opt/olympus/" && cd "$out/opt/olympus/"

     
···

       
25
       
24
       
 
       
    '';

     

       
26
       
25
       
 
       
  };

     

       
27
       
26
       
 
       
in

     

       
28
       
28
       
-
       
  pkgs.buildFHSUserEnv {

     

       
29
       
29
       
-
       
    name = "olympus";

     

       
30
       
30
       
-
       
    runScript = "${olympus}/opt/olympus/olympus";

     

       
31
       
31
       
-
       
    targetPkgs = pkgs: [

     

       
32
       
32
       
-
       
      pkgs.freetype

     

       
33
       
33
       
-
       
      pkgs.zlib

     

       
34
       
34
       
-
       
      pkgs.SDL2

     

       
35
       
35
       
-
       
      pkgs.curl

     

       
36
       
36
       
-
       
      pkgs.libpulseaudio

     

       
37
       
37
       
-
       
      pkgs.gtk3

     

       
38
       
38
       
-
       
      pkgs.glib

     

       
39
       
39
       
-
       
      pkgs.libGL

     

       
40
       
40
       
-
       
      pkgs.libdrm

     

       
41
       
41
       
-
       
    ];

     

       
27
       
27
       
+
       
pkgs.buildFHSUserEnv {

     

       
28
       
28
       
+
       
  name = "olympus";

     

       
29
       
29
       
+
       
  runScript = "${olympus}/opt/olympus/olympus";

     

       
30
       
30
       
+
       
  targetPkgs = pkgs: [

     

       
31
       
31
       
+
       
    pkgs.freetype

     

       
32
       
32
       
+
       
    pkgs.zlib

     

       
33
       
33
       
+
       
    pkgs.SDL2

     

       
34
       
34
       
+
       
    pkgs.curl

     

       
35
       
35
       
+
       
    pkgs.libpulseaudio

     

       
36
       
36
       
+
       
    pkgs.gtk3

     

       
37
       
37
       
+
       
    pkgs.glib

     

       
38
       
38
       
+
       
    pkgs.libGL

     

       
39
       
39
       
+
       
    pkgs.libdrm

     

       
40
       
40
       
+
       
  ];

     

       
42
       
41
       
 
       


     

       
43
       
43
       
-
       
    # https://github.com/EverestAPI/Olympus/blob/main/lib-linux/olympus.desktop

     

       
44
       
44
       
-
       
    # https://stackoverflow.com/questions/8822097/how-to-replace-a-whole-line-with-sed

     

       
45
       
45
       
-
       
    extraInstallCommands = ''cp -r "${olympus}/share/" $out'';

     

       
46
       
46
       
-
       
  }

     

       
42
       
42
       
+
       
  # https://github.com/EverestAPI/Olympus/blob/main/lib-linux/olympus.desktop

     

       
43
       
43
       
+
       
  # https://stackoverflow.com/questions/8822097/how-to-replace-a-whole-line-with-sed

     

       
44
       
44
       
+
       
  extraInstallCommands = ''cp -r "${olympus}/share/" $out'';

     

       
45
       
45
       
+
       
}

     

···

       
1
       
1
       
-
       
{networking.firewall = {

     

       
2
       
2
       
-
       
  allowedTCPPorts = [80 443 6912 34197];

     

       
3
       
3
       
-
       
  allowedUDPPorts = [4367 34197];

     

       
4
       
4
       
-
       
  trustedInterfaces = ["tailscale0" "wg0"];

     

       
5
       
5
       
-
       
};}

     

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  networking.firewall = {

     

       
3
       
3
       
+
       
    allowedTCPPorts = [

     

       
4
       
4
       
+
       
      80

     

       
5
       
5
       
+
       
      443

     

       
6
       
6
       
+
       
      6912

     

       
7
       
7
       
+
       
      34197

     

       
8
       
8
       
+
       
    ];

     

       
9
       
9
       
+
       
    allowedUDPPorts = [

     

       
10
       
10
       
+
       
      4367

     

       
11
       
11
       
+
       
      34197

     

       
12
       
12
       
+
       
    ];

     

       
13
       
13
       
+
       
    trustedInterfaces = [

     

       
14
       
14
       
+
       
      "tailscale0"

     

       
15
       
15
       
+
       
      "wg0"

     

       
16
       
16
       
+
       
    ];

     

       
17
       
17
       
+
       
  };

     

       
18
       
18
       
+
       
}

     

···

       
1
       
1
       
+
       
{ lib, pkgs, ... }:

     

       
1
       
2
       
 
       
{

     

       
2
       
2
       
-
       
  lib,

     

       
3
       
3
       
-
       
  pkgs,

     

       
4
       
4
       
-
       
  ...

     

       
5
       
5
       
-
       
}: {

     

       
6
       
3
       
 
       
  networking = {

     

       
7
       
4
       
 
       
    hostName = "marvin";

     

       
8
       
5
       
 
       
    hostId = "5711215d";

     
···

       
12
       
9
       
 
       
      enp42s0.useDHCP = lib.mkDefault true;

     

       
13
       
10
       
 
       
      wlp41s0.useDHCP = lib.mkDefault true;

     

       
14
       
11
       
 
       
    };

     

       
15
       
15
       
-
       
    networkmanager = {enable = true;};

     

       
12
       
12
       
+
       
    networkmanager = {

     

       
13
       
13
       
+
       
      enable = true;

     

       
14
       
14
       
+
       
    };

     

       
16
       
15
       
 
       
    wireless.enable = false;

     

       
17
       
16
       
 
       


     

       
18
       
17
       
 
       
    # Enable NAT for containers

     

       
19
       
18
       
 
       
    nat = {

     

       
20
       
19
       
 
       
      enable = true;

     

       
21
       
21
       
-
       
      internalInterfaces = ["ve-+"];

     

       
20
       
20
       
+
       
      internalInterfaces = [ "ve-+" ];

     

       
22
       
21
       
 
       
      externalInterface = "wlp41s0";

     

       
23
       
22
       
 
       
      # Lazy IPv6 connectivity for the container

     

       
24
       
23
       
 
       
      enableIPv6 = true;

     

···

       
1
       
1
       
-
       
{config, lib, ...}: let

     

       
1
       
1
       
+
       
{ config, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  d = lib.py.data.services.authentik;

     

       
3
       
3
       
-
       
in {

     

       
4
       
4
       
-
       
  virtualisation.oci-containers.containers = let

     

       
5
       
5
       
-
       
    authentikVersion = "2024.2";

     

       
6
       
6
       
-
       
    base = {

     

       
7
       
7
       
-
       
      environmentFiles = [config.age.secrets.authentik-env.path];

     

       
8
       
8
       
-
       
      extraOptions = ["--network=authentik"];

     

       
9
       
9
       
-
       
    };

     

       
10
       
10
       
-
       
    authentikBase = base // {

     

       
11
       
11
       
-
       
      image = "ghcr.io/goauthentik/server:${authentikVersion}";

     

       
12
       
12
       
-
       
      environment = {

     

       
13
       
13
       
-
       
        AUTHENTIK_REDIS__HOST = "authentik-redict";

     

       
4
       
4
       
+
       
in

     

       
5
       
5
       
+
       
{

     

       
6
       
6
       
+
       
  virtualisation.oci-containers.containers =

     

       
7
       
7
       
+
       
    let

     

       
8
       
8
       
+
       
      authentikVersion = "2024.2";

     

       
9
       
9
       
+
       
      base = {

     

       
10
       
10
       
+
       
        environmentFiles = [ config.age.secrets.authentik-env.path ];

     

       
11
       
11
       
+
       
        extraOptions = [ "--network=authentik" ];

     

       
12
       
12
       
+
       
      };

     

       
13
       
13
       
+
       
      authentikBase = base // {

     

       
14
       
14
       
+
       
        image = "ghcr.io/goauthentik/server:${authentikVersion}";

     

       
15
       
15
       
+
       
        environment = {

     

       
16
       
16
       
+
       
          AUTHENTIK_REDIS__HOST = "authentik-redict";

     

       
14
       
17
       
 
       


     

       
15
       
15
       
-
       
        # Postgres Settings

     

       
16
       
16
       
-
       
        AUTHENTIK_POSTGRESQL__HOST = "authentik-db";

     

       
17
       
17
       
-
       
        AUTHENTIK_POSTGRESQL__PORT = "5432";

     

       
18
       
18
       
-
       
        AUTHENTIK_POSTGRESQL__USER = "authentik";

     

       
19
       
19
       
-
       
        AUTHENTIK_POSTGRESQL__NAME = "authentik";

     

       
20
       
20
       
-
       
        AUTHENTIK_POSTGRESQL__PASSWORD = "\${PG_PASS}";

     

       
18
       
18
       
+
       
          # Postgres Settings

     

       
19
       
19
       
+
       
          AUTHENTIK_POSTGRESQL__HOST = "authentik-db";

     

       
20
       
20
       
+
       
          AUTHENTIK_POSTGRESQL__PORT = "5432";

     

       
21
       
21
       
+
       
          AUTHENTIK_POSTGRESQL__USER = "authentik";

     

       
22
       
22
       
+
       
          AUTHENTIK_POSTGRESQL__NAME = "authentik";

     

       
23
       
23
       
+
       
          AUTHENTIK_POSTGRESQL__PASSWORD = "\${PG_PASS}";

     

       
21
       
24
       
 
       


     

       
22
       
22
       
-
       
        # Disable error reporting

     

       
23
       
23
       
-
       
        AUTHENTIK_ERROR_REPORTING__ENABLED = "false";

     

       
25
       
25
       
+
       
          # Disable error reporting

     

       
26
       
26
       
+
       
          AUTHENTIK_ERROR_REPORTING__ENABLED = "false";

     

       
24
       
27
       
 
       


     

       
25
       
25
       
-
       
        # Avatars are an attribute based on an uploaded file

     

       
26
       
26
       
-
       
        AUTHENTIK_AVATARS = "attributes.user.avatar";

     

       
28
       
28
       
+
       
          # Avatars are an attribute based on an uploaded file

     

       
29
       
29
       
+
       
          AUTHENTIK_AVATARS = "attributes.user.avatar";

     

       
27
       
30
       
 
       


     

       
28
       
28
       
-
       
        # Email Settings

     

       
29
       
29
       
-
       
        AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev";

     

       
30
       
30
       
-
       
        AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev";

     

       
31
       
31
       
-
       
        AUTHENTIK_EMAIL__PORT = "465";

     

       
32
       
32
       
-
       
        AUTHENTIK_EMAIL__USE_TLS = "true";

     

       
33
       
33
       
-
       
        AUTHENTIK_EMAIL__FROM = "PyroServ Auth <auth@pyrox.dev>";

     

       
31
       
31
       
+
       
          # Email Settings

     

       
32
       
32
       
+
       
          AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev";

     

       
33
       
33
       
+
       
          AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev";

     

       
34
       
34
       
+
       
          AUTHENTIK_EMAIL__PORT = "465";

     

       
35
       
35
       
+
       
          AUTHENTIK_EMAIL__USE_TLS = "true";

     

       
36
       
36
       
+
       
          AUTHENTIK_EMAIL__FROM = "PyroServ Auth <auth@pyrox.dev>";

     

       
37
       
37
       
+
       
        };

     

       
38
       
38
       
+
       
      };

     

       
39
       
39
       
+
       
      authentikVols = [

     

       
40
       
40
       
+
       
        "/var/lib/authentik/media:/media"

     

       
41
       
41
       
+
       
        "/var/lib/authentik/templates:/templates"

     

       
42
       
42
       
+
       
      ];

     

       
43
       
43
       
+
       
    in

     

       
44
       
44
       
+
       
    {

     

       
45
       
45
       
+
       
      authentik-db = base // {

     

       
46
       
46
       
+
       
        image = "postgres:12-alpine";

     

       
47
       
47
       
+
       
        volumes = [ "/var/lib/authentik/db_12:/var/lib/postgresql/data" ];

     

       
48
       
48
       
+
       
        environment = {

     

       
49
       
49
       
+
       
          POSTGRES_PASSWORD = "\${PG_PASS}";

     

       
50
       
50
       
+
       
          POSTGRES_USER = "authentik";

     

       
51
       
51
       
+
       
          POSTGRES_DB = "authentik";

     

       
52
       
52
       
+
       
        };

     

       
53
       
53
       
+
       
      };

     

       
54
       
54
       
+
       
      authentik-redict = {

     

       
55
       
55
       
+
       
        image = "registry.redict.io/redict:alpine";

     

       
56
       
56
       
+
       
        extraOptions = [ "--network=authentik" ];

     

       
57
       
57
       
+
       
      };

     

       
58
       
58
       
+
       
      authentik-server = authentikBase // {

     

       
59
       
59
       
+
       
        cmd = [ "server" ];

     

       
60
       
60
       
+
       
        ports = [

     

       
61
       
61
       
+
       
          "${toString d.port}:9000"

     

       
62
       
62
       
+
       
          "6943:9443"

     

       
63
       
63
       
+
       
          "9301:9300"

     

       
64
       
64
       
+
       
        ];

     

       
65
       
65
       
+
       
        volumes = authentikVols ++ [ "/var/lib/authentik/custom.css:/web/dist/custom.css" ];

     

       
34
       
66
       
 
       
      };

     

       
35
       
35
       
-
       
    };

     

       
36
       
36
       
-
       
    authentikVols = [

     

       
37
       
37
       
-
       
      "/var/lib/authentik/media:/media"

     

       
38
       
38
       
-
       
      "/var/lib/authentik/templates:/templates"

     

       
39
       
39
       
-
       
    ];

     

       
40
       
40
       
-
       
  in {

     

       
41
       
41
       
-
       
    authentik-db = base // {

     

       
42
       
42
       
-
       
      image = "postgres:12-alpine";

     

       
43
       
43
       
-
       
      volumes = ["/var/lib/authentik/db_12:/var/lib/postgresql/data"];

     

       
44
       
44
       
-
       
      environment = {

     

       
45
       
45
       
-
       
        POSTGRES_PASSWORD = "\${PG_PASS}";

     

       
46
       
46
       
-
       
        POSTGRES_USER = "authentik";

     

       
47
       
47
       
-
       
        POSTGRES_DB = "authentik";

     

       
67
       
67
       
+
       
      authentik-worker = authentikBase // {

     

       
68
       
68
       
+
       
        cmd = [ "worker" ];

     

       
69
       
69
       
+
       
        volumes = authentikVols ++ [ "/var/lib/authentik/certs:/certs" ];

     

       
48
       
70
       
 
       
      };

     

       
49
       
49
       
-
       
    };

     

       
50
       
50
       
-
       
    authentik-redict = {

     

       
51
       
51
       
-
       
      image = "registry.redict.io/redict:alpine";

     

       
52
       
52
       
-
       
      extraOptions = ["--network=authentik"];

     

       
53
       
53
       
-
       
    };

     

       
54
       
54
       
-
       
    authentik-server = authentikBase // {

     

       
55
       
55
       
-
       
      cmd = ["server"];

     

       
56
       
56
       
-
       
      ports = ["${toString d.port}:9000" "6943:9443" "9301:9300"];

     

       
57
       
57
       
-
       
      volumes = authentikVols ++ [

     

       
58
       
58
       
-
       
        "/var/lib/authentik/custom.css:/web/dist/custom.css"

     

       
59
       
59
       
-
       
      ];

     

       
60
       
60
       
-
       
    };

     

       
61
       
61
       
-
       
    authentik-worker = authentikBase // {

     

       
62
       
62
       
-
       
      cmd = ["worker"];

     

       
63
       
63
       
-
       
      volumes = authentikVols ++ [

     

       
64
       
64
       
-
       
        "/var/lib/authentik/certs:/certs"

     

       
65
       
65
       
-
       
      ];

     

       
66
       
66
       
-
       
    };

     

       
67
       
67
       
-
       
    authentik-ldap = base // {

     

       
68
       
68
       
-
       
      image = "ghcr.io/goauthentik/ldap:${authentikVersion}";

     

       
69
       
69
       
-
       
      ports = ["389:3389" "636:6636"];

     

       
70
       
70
       
-
       
      environment = {

     

       
71
       
71
       
-
       
        AUTHENTIK_HOST = "https://${d.extUrl}";

     

       
72
       
72
       
-
       
        AUTHENTIK_INSECURE = "false";

     

       
71
       
71
       
+
       
      authentik-ldap = base // {

     

       
72
       
72
       
+
       
        image = "ghcr.io/goauthentik/ldap:${authentikVersion}";

     

       
73
       
73
       
+
       
        ports = [

     

       
74
       
74
       
+
       
          "389:3389"

     

       
75
       
75
       
+
       
          "636:6636"

     

       
76
       
76
       
+
       
        ];

     

       
77
       
77
       
+
       
        environment = {

     

       
78
       
78
       
+
       
          AUTHENTIK_HOST = "https://${d.extUrl}";

     

       
79
       
79
       
+
       
          AUTHENTIK_INSECURE = "false";

     

       
80
       
80
       
+
       
        };

     

       
73
       
81
       
 
       
      };

     

       
74
       
82
       
 
       
    };

     

       
75
       
75
       
-
       
  };

     

       
76
       
83
       
 
       
  age.secrets.authentik-env = {

     

       
77
       
84
       
 
       
    file = ../secrets/authentik-env.age;

     

       
78
       
85
       
 
       
    owner = "thehedgehog";

     

···

       
1
       
1
       
-
       
{services.bookstack = {enable = true;};}

     

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  services.bookstack = {

     

       
3
       
3
       
+
       
    enable = true;

     

       
4
       
4
       
+
       
  };

     

       
5
       
5
       
+
       
}

     

···

       
1
       
1
       
+
       
{ pkgs, ... }:

     

       
1
       
2
       
 
       
{

     

       
2
       
2
       
-
       
  pkgs,

     

       
3
       
3
       
-
       
  ...

     

       
4
       
4
       
-
       
}: {

     

       
5
       
3
       
 
       
  systemd.services = {

     

       
6
       
6
       
-
       
  io-bot = {

     

       
7
       
7
       
-
       
    enable = false;

     

       
8
       
8
       
-
       
    wantedBy = ["multi-user.target"];

     

       
9
       
9
       
-
       
    after = ["network.target" "io-bot-lavalink.service"];

     

       
10
       
10
       
-
       
    description = "I/O, my personal bot";

     

       
11
       
11
       
-
       
    path = [pkgs.python311];

     

       
12
       
12
       
-
       
    serviceConfig = {

     

       
13
       
13
       
-
       
      ExecStart = "${pkgs.bash}/bin/bash start.sh";

     

       
14
       
14
       
-
       
      Restart = "always";

     

       
15
       
15
       
-
       
      RestartSec = 3;

     

       
16
       
16
       
-
       
      WorkingDirectory = "/home/thehedgehog/io-py";

     

       
4
       
4
       
+
       
    io-bot = {

     

       
5
       
5
       
+
       
      enable = false;

     

       
6
       
6
       
+
       
      wantedBy = [ "multi-user.target" ];

     

       
7
       
7
       
+
       
      after = [

     

       
8
       
8
       
+
       
        "network.target"

     

       
9
       
9
       
+
       
        "io-bot-lavalink.service"

     

       
10
       
10
       
+
       
      ];

     

       
11
       
11
       
+
       
      description = "I/O, my personal bot";

     

       
12
       
12
       
+
       
      path = [ pkgs.python311 ];

     

       
13
       
13
       
+
       
      serviceConfig = {

     

       
14
       
14
       
+
       
        ExecStart = "${pkgs.bash}/bin/bash start.sh";

     

       
15
       
15
       
+
       
        Restart = "always";

     

       
16
       
16
       
+
       
        RestartSec = 3;

     

       
17
       
17
       
+
       
        WorkingDirectory = "/home/thehedgehog/io-py";

     

       
18
       
18
       
+
       
      };

     

       
17
       
19
       
 
       
    };

     

       
18
       
18
       
-
       
  };

     

       
19
       
19
       
-
       
  io-bot-lavalink = {

     

       
20
       
20
       
-
       
    enable = false;

     

       
21
       
21
       
-
       
    wantedBy = ["multi-user.target"];

     

       
22
       
22
       
-
       
    after = ["network.target"];

     

       
23
       
23
       
-
       
    description = "Lavalink server for I/O";

     

       
24
       
24
       
-
       
    serviceConfig = {

     

       
25
       
25
       
-
       
      ExecStart = "${pkgs.openjdk17_headless}/bin/java -jar ../Lavalink.jar";

     

       
26
       
26
       
-
       
      Restart = "always";

     

       
27
       
27
       
-
       
      RestartSec = 3;

     

       
28
       
28
       
-
       
      WorkingDirectory = "/home/thehedgehog/io-py/config";

     

       
20
       
20
       
+
       
    io-bot-lavalink = {

     

       
21
       
21
       
+
       
      enable = false;

     

       
22
       
22
       
+
       
      wantedBy = [ "multi-user.target" ];

     

       
23
       
23
       
+
       
      after = [ "network.target" ];

     

       
24
       
24
       
+
       
      description = "Lavalink server for I/O";

     

       
25
       
25
       
+
       
      serviceConfig = {

     

       
26
       
26
       
+
       
        ExecStart = "${pkgs.openjdk17_headless}/bin/java -jar ../Lavalink.jar";

     

       
27
       
27
       
+
       
        Restart = "always";

     

       
28
       
28
       
+
       
        RestartSec = 3;

     

       
29
       
29
       
+
       
        WorkingDirectory = "/home/thehedgehog/io-py/config";

     

       
30
       
30
       
+
       
      };

     

       
29
       
31
       
 
       
    };

     

       
30
       
30
       
-
       
  };

     

       
31
       
31
       
-
       
  misc-bot = {

     

       
32
       
32
       
-
       
    enable = false;

     

       
33
       
33
       
-
       
    wantedBy = ["multi-user.target"];

     

       
34
       
34
       
-
       
    after = ["network.target"];

     

       
35
       
35
       
-
       
    description = "Random Bot 1";

     

       
36
       
36
       
-
       
    path = [pkgs.python311];

     

       
37
       
37
       
-
       
    serviceConfig = {

     

       
38
       
38
       
-
       
      ExecStart = "${pkgs.bash}/bin/bash start.sh";

     

       
39
       
39
       
-
       
      Restart = "always";

     

       
40
       
40
       
-
       
      RestartSec = 3;

     

       
41
       
41
       
-
       
      WorkingDirectory = "/home/thehedgehog/bots/bot1";

     

       
32
       
32
       
+
       
    misc-bot = {

     

       
33
       
33
       
+
       
      enable = false;

     

       
34
       
34
       
+
       
      wantedBy = [ "multi-user.target" ];

     

       
35
       
35
       
+
       
      after = [ "network.target" ];

     

       
36
       
36
       
+
       
      description = "Random Bot 1";

     

       
37
       
37
       
+
       
      path = [ pkgs.python311 ];

     

       
38
       
38
       
+
       
      serviceConfig = {

     

       
39
       
39
       
+
       
        ExecStart = "${pkgs.bash}/bin/bash start.sh";

     

       
40
       
40
       
+
       
        Restart = "always";

     

       
41
       
41
       
+
       
        RestartSec = 3;

     

       
42
       
42
       
+
       
        WorkingDirectory = "/home/thehedgehog/bots/bot1";

     

       
43
       
43
       
+
       
      };

     

       
42
       
44
       
 
       
    };

     

       
43
       
43
       
-
       
  };

     

       
44
       
45
       
 
       
  };

     

       
45
       
46
       
 
       
}

     

···

       
1
       
1
       
-
       
{config, lib, ...}: let

     

       
1
       
1
       
+
       
{ config, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  as = config.age.secrets;

     

       
3
       
4
       
 
       
  d = lib.py.data.services.buildbot;

     

       
4
       
5
       
 
       
  g = lib.py.data.services.git;

     
···

       
6
       
7
       
 
       
    owner = "buildbot";

     

       
7
       
8
       
 
       
    group = "buildbot";

     

       
8
       
9
       
 
       
  };

     

       
9
       
9
       
-
       
in {

     

       
10
       
10
       
+
       
in

     

       
11
       
11
       
+
       
{

     

       
10
       
12
       
 
       
  services = {

     

       
11
       
11
       
-
       
  buildbot-nix.master = {

     

       
12
       
12
       
-
       
    enable = true;

     

       
13
       
13
       
-
       
    dbUrl = "postgresql://buildbot@localhost/buildbot";

     

       
14
       
14
       
-
       
    workersFile = as.buildbot-workers.path;

     

       
15
       
15
       
-
       
    authBackend = "gitea";

     

       
16
       
16
       
-
       
    gitea = {

     

       
13
       
13
       
+
       
    buildbot-nix.master = {

     

       
17
       
14
       
 
       
      enable = true;

     

       
18
       
18
       
-
       
      tokenFile = as.buildbot-gitea-token.path;

     

       
19
       
19
       
-
       
      oauthSecretFile = as.buildbot-oauth-secret.path;

     

       
20
       
20
       
-
       
      instanceUrl = g.extUrl;

     

       
21
       
21
       
-
       
      oauthId = "2bfd5c46-43a7-4d98-b443-9176dc0a9452";

     

       
22
       
22
       
-
       
      topic = "buildbot-enable";

     

       
15
       
15
       
+
       
      dbUrl = "postgresql://buildbot@localhost/buildbot";

     

       
16
       
16
       
+
       
      workersFile = as.buildbot-workers.path;

     

       
17
       
17
       
+
       
      authBackend = "gitea";

     

       
18
       
18
       
+
       
      gitea = {

     

       
19
       
19
       
+
       
        enable = true;

     

       
20
       
20
       
+
       
        tokenFile = as.buildbot-gitea-token.path;

     

       
21
       
21
       
+
       
        oauthSecretFile = as.buildbot-oauth-secret.path;

     

       
22
       
22
       
+
       
        instanceUrl = g.extUrl;

     

       
23
       
23
       
+
       
        oauthId = "2bfd5c46-43a7-4d98-b443-9176dc0a9452";

     

       
24
       
24
       
+
       
        topic = "buildbot-enable";

     

       
25
       
25
       
+
       
      };

     

       
26
       
26
       
+
       
      admins = [ "pyrox" ];

     

       
27
       
27
       
+
       
      domain = d.extUrl;

     

       
28
       
28
       
+
       
      useHttps = true;

     

       
23
       
29
       
 
       
    };

     

       
24
       
24
       
-
       
    admins = [

     

       
25
       
25
       
-
       
      "pyrox"

     

       
26
       
26
       
-
       
    ];

     

       
27
       
27
       
-
       
    domain = d.extUrl;

     

       
28
       
28
       
-
       
    useHttps = true;

     

       
29
       
29
       
-
       
  };

     

       
30
       
30
       
-
       
  postgresql = {

     

       
31
       
31
       
-
       
    ensureUsers = [{

     

       
32
       
32
       
-
       
      name = "buildbot";

     

       
33
       
33
       
-
       
      ensureDBOwnership = true;

     

       
34
       
34
       
-
       
      ensureClauses.login = true;

     

       
35
       
35
       
-
       
    }];

     

       
36
       
36
       
-
       
    ensureDatabases = [ "buildbot" ];

     

       
37
       
37
       
-
       
  };

     

       
38
       
38
       
-
       
  buildbot-master.port = 6915;

     

       
30
       
30
       
+
       
    postgresql = {

     

       
31
       
31
       
+
       
      ensureUsers = [

     

       
32
       
32
       
+
       
        {

     

       
33
       
33
       
+
       
          name = "buildbot";

     

       
34
       
34
       
+
       
          ensureDBOwnership = true;

     

       
35
       
35
       
+
       
          ensureClauses.login = true;

     

       
36
       
36
       
+
       
        }

     

       
37
       
37
       
+
       
      ];

     

       
38
       
38
       
+
       
      ensureDatabases = [ "buildbot" ];

     

       
39
       
39
       
+
       
    };

     

       
40
       
40
       
+
       
    buildbot-master.port = 6915;

     

       
39
       
41
       
 
       
  };

     

       
40
       
42
       
 
       
  age.secrets = {

     

       
41
       
43
       
 
       
    buildbot-gitea-token = bbSecret // {

     

···

       
1
       
1
       
-
       
{data, lib, ...}: let

     

       
1
       
1
       
+
       
{ data, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  d = lib.py.data.services.deemix;

     

       
3
       
3
       
-
       
in {

     

       
4
       
4
       
+
       
in

     

       
5
       
5
       
+
       
{

     

       
4
       
6
       
 
       
  virtualisation.oci-containers.containers.deemix = {

     

       
5
       
7
       
 
       
    image = "registry.gitlab.com/bockiii/deemix-docker";

     

       
6
       
6
       
-
       
    volumes = ["/var/lib/deemix:/config" "/var/lib/music:/downloads"];

     

       
7
       
7
       
-
       
    ports = ["${toString d.port}:6595"];

     

       
8
       
8
       
+
       
    volumes = [

     

       
9
       
9
       
+
       
      "/var/lib/deemix:/config"

     

       
10
       
10
       
+
       
      "/var/lib/music:/downloads"

     

       
11
       
11
       
+
       
    ];

     

       
12
       
12
       
+
       
    ports = [ "${toString d.port}:6595" ];

     

       
8
       
13
       
 
       
    environment = {

     

       
9
       
14
       
 
       
      PUID = "1000";

     

       
10
       
15
       
 
       
      PGID = "1000";

     

···

       
1
       
1
       
-
       
{config, lib, ...}: let

     

       
1
       
1
       
+
       
{ config, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  d = lib.py.data.services.grafana;

     

       
3
       
4
       
 
       
  a = lib.py.data.services.authentik;

     

       
4
       
4
       
-
       
in {

     

       
5
       
5
       
+
       
in

     

       
6
       
6
       
+
       
{

     

       
5
       
7
       
 
       
  services.grafana = {

     

       
6
       
8
       
 
       
    enable = true;

     

       
7
       
9
       
 
       
    settings = {

     

···

       
1
       
1
       
 
       
{

     

       
2
       
2
       
-
       
  services.jellyfin = {enable = true;};

     

       
3
       
3
       
-
       
  networking.firewall.allowedUDPPorts = [1900 7359];

     

       
2
       
2
       
+
       
  services.jellyfin = {

     

       
3
       
3
       
+
       
    enable = true;

     

       
4
       
4
       
+
       
  };

     

       
5
       
5
       
+
       
  networking.firewall.allowedUDPPorts = [

     

       
6
       
6
       
+
       
    1900

     

       
7
       
7
       
+
       
    7359

     

       
8
       
8
       
+
       
  ];

     

       
4
       
9
       
 
       
}

     

···

       
1
       
1
       
-
       
{config, ...}: {

     

       
1
       
1
       
+
       
{ config, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  services.minio = {

     

       
3
       
4
       
 
       
    enable = true;

     

       
4
       
5
       
 
       
    region = "us-east-1";

     

···

       
1
       
1
       
-
       
{ lib, ...}: let

     

       
1
       
1
       
+
       
{ lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  d = lib.py.data.services.nextcloud-imaginary;

     

       
3
       
3
       
-
       
in{

     

       
4
       
4
       
+
       
in

     

       
5
       
5
       
+
       
{

     

       
4
       
6
       
 
       
  services.imaginary = {

     

       
5
       
7
       
 
       
    inherit (d) port;

     

       
6
       
8
       
 
       
    enable = true;

     

···

       
1
       
1
       
-
       
{ lib, ...}: let

     

       
1
       
1
       
+
       
{ lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  d = lib.py.data.services.nextcloud-office;

     

       
3
       
3
       
-
       
in {

     

       
4
       
4
       
+
       
in

     

       
5
       
5
       
+
       
{

     

       
4
       
6
       
 
       
  virtualisation.oci-containers.containers.collabora-office = {

     

       
5
       
7
       
 
       
    image = "collabora/code";

     

       
6
       
8
       
 
       
    ports = [ "${toString d.port}:9980" ];

     
···

       
10
       
12
       
 
       
      "--cap-add=CHOWN"

     

       
11
       
13
       
 
       
      "--cap-add=FOWNER"

     

       
12
       
14
       
 
       
    ];

     

       
13
       
13
       
-
       
    environment = let

     

       
14
       
14
       
-
       
      mkAlias = domain:

     

       
15
       
15
       
-
       
        "https://" + (builtins.replaceStrings [ "." ] [ "\\." ] domain)

     

       
16
       
16
       
-
       
        + ":443";

     

       
17
       
17
       
-
       
    in {

     

       
18
       
18
       
-
       
      server_name = "office.pyrox.dev";

     

       
19
       
19
       
-
       
      aliasgroup1 = mkAlias "office.pyrox.dev";

     

       
20
       
20
       
-
       
      aliasgroup2 = mkAlias "cloud.pyrox.dev";

     

       
21
       
21
       
-
       
      extra_params = "--o:ssl.enable=false --o:ssl.termination=true";

     

       
22
       
22
       
-
       
    };

     

       
23
       
23
       
-
       
    volumes = [

     

       
24
       
24
       
-
       
      "/var/lib/nextcloud-office/coolwsd.xml:/etc/coolwsd/coolwsd.xml"

     

       
25
       
25
       
-
       
    ];

     

       
15
       
15
       
+
       
    environment =

     

       
16
       
16
       
+
       
      let

     

       
17
       
17
       
+
       
        mkAlias = domain: "https://" + (builtins.replaceStrings [ "." ] [ "\\." ] domain) + ":443";

     

       
18
       
18
       
+
       
      in

     

       
19
       
19
       
+
       
      {

     

       
20
       
20
       
+
       
        server_name = "office.pyrox.dev";

     

       
21
       
21
       
+
       
        aliasgroup1 = mkAlias "office.pyrox.dev";

     

       
22
       
22
       
+
       
        aliasgroup2 = mkAlias "cloud.pyrox.dev";

     

       
23
       
23
       
+
       
        extra_params = "--o:ssl.enable=false --o:ssl.termination=true";

     

       
24
       
24
       
+
       
      };

     

       
25
       
25
       
+
       
    volumes = [ "/var/lib/nextcloud-office/coolwsd.xml:/etc/coolwsd/coolwsd.xml" ];

     

       
26
       
26
       
 
       
  };

     

       
27
       
27
       
 
       
}

     

···

       
1
       
1
       
-
       
{lib, ...}: let

     

       
1
       
1
       
+
       
{ lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  n = lib.py.data.services.nextcloud;

     

       
3
       
3
       
-
       
in {

     

       
4
       
4
       
+
       
in

     

       
5
       
5
       
+
       
{

     

       
4
       
6
       
 
       
  services.nginx = {

     

       
5
       
7
       
 
       
    virtualHosts = {

     

       
6
       
8
       
 
       
      "${n.extUrl}" = {

     

       
7
       
7
       
-
       
        listen = [ { inherit (n) port; addr = "0.0.0.0"; } ];

     

       
9
       
9
       
+
       
        listen = [

     

       
10
       
10
       
+
       
          {

     

       
11
       
11
       
+
       
            inherit (n) port;

     

       
12
       
12
       
+
       
            addr = "0.0.0.0";

     

       
13
       
13
       
+
       
          }

     

       
14
       
14
       
+
       
        ];

     

       
8
       
15
       
 
       
      };

     

       
9
       
16
       
 
       
    };

     

       
10
       
17
       
 
       
  };

     

···

       
1
       
1
       
-
       
{ config, lib, ... }: let

     

       
1
       
1
       
+
       
{ config, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  dataDir = "/var/lib/planka";

     

       
3
       
4
       
 
       
  d = lib.py.data.services.planka;

     

       
4
       
4
       
-
       
in {

     

       
5
       
5
       
+
       
in

     

       
6
       
6
       
+
       
{

     

       
5
       
7
       
 
       
  virtualisation.oci-containers.containers = {

     

       
6
       
8
       
 
       
    planka-server = {

     

       
7
       
9
       
 
       
      image = "ghcr.io/plankanban/planka:latest";

     

       
8
       
8
       
-
       
      ports = ["${toString d.port}:1337"];

     

       
10
       
10
       
+
       
      ports = [ "${toString d.port}:1337" ];

     

       
9
       
11
       
 
       
      environment = {

     

       
10
       
12
       
 
       
        BASE_URL = "https://${d.extUrl}";

     

       
11
       
13
       
 
       
        DATABASE_URL = "postgresql://planka@planka-db/planka";

     
···

       
13
       
15
       
 
       
        DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev";

     

       
14
       
16
       
 
       
        DEFAULT_ADMIN_USERNAME = "pyrox";

     

       
15
       
17
       
 
       
      };

     

       
16
       
16
       
-
       
      environmentFiles = [

     

       
17
       
17
       
-
       
        config.age.secrets.planka-env.path

     

       
18
       
18
       
-
       
      ];

     

       
18
       
18
       
+
       
      environmentFiles = [ config.age.secrets.planka-env.path ];

     

       
19
       
19
       
 
       
      volumes = [

     

       
20
       
20
       
 
       
        "${dataDir}/user-avatars:/app/public/user-avatars"

     

       
21
       
21
       
 
       
        "${dataDir}/project-background-images:/app/public/project-background-images"

     

       
22
       
22
       
 
       
        "${dataDir}/attachments:/app/private/attachments"

     

       
23
       
23
       
 
       
      ];

     

       
24
       
24
       
-
       
      extraOptions = ["--network=planka"];

     

       
24
       
24
       
+
       
      extraOptions = [ "--network=planka" ];

     

       
25
       
25
       
 
       
    };

     

       
26
       
26
       
 
       
    planka-db = {

     

       
27
       
27
       
 
       
      image = "postgres:16-alpine";

     

       
28
       
28
       
-
       
      volumes = [

     

       
29
       
29
       
-
       
        "${dataDir}/db:/var/lib/postgresql/data"

     

       
30
       
30
       
-
       
      ];

     

       
28
       
28
       
+
       
      volumes = [ "${dataDir}/db:/var/lib/postgresql/data" ];

     

       
31
       
29
       
 
       
      environment = {

     

       
32
       
30
       
 
       
        POSTGRES_USER = "planka";

     

       
33
       
31
       
 
       
        POSTGRES_DB = "planka";

     

       
34
       
32
       
 
       
        POSTGRES_HOST_AUTH_METHOD = "trust";

     

       
35
       
33
       
 
       
      };

     

       
36
       
36
       
-
       
      extraOptions = ["--network=planka"];

     

       
34
       
34
       
+
       
      extraOptions = [ "--network=planka" ];

     

       
37
       
35
       
 
       
    };

     

       
38
       
36
       
 
       
  };

     

       
39
       
37
       
 
       
  age.secrets.planka-env = {

     

···

       
1
       
1
       
-
       
{virtualisation = {

     

       
2
       
2
       
-
       
  oci-containers.backend = "docker";

     

       
3
       
3
       
-
       
  docker = {

     

       
4
       
4
       
-
       
    enable = true;

     

       
5
       
5
       
-
       
    storageDriver = "zfs";

     

       
6
       
6
       
-
       
    autoPrune.enable = true;

     

       
7
       
7
       
-
       
    liveRestore = true;

     

       
8
       
8
       
-
       
    daemon.settings = {

     

       
9
       
9
       
-
       
      experimental = true;

     

       
10
       
10
       
-
       
      ip6tables = true;

     

       
11
       
11
       
-
       
      fixed-cidr-v6 = "2001:db8:1::/64";

     

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  virtualisation = {

     

       
3
       
3
       
+
       
    oci-containers.backend = "docker";

     

       
4
       
4
       
+
       
    docker = {

     

       
5
       
5
       
+
       
      enable = true;

     

       
6
       
6
       
+
       
      storageDriver = "zfs";

     

       
7
       
7
       
+
       
      autoPrune.enable = true;

     

       
8
       
8
       
+
       
      liveRestore = true;

     

       
9
       
9
       
+
       
      daemon.settings = {

     

       
10
       
10
       
+
       
        experimental = true;

     

       
11
       
11
       
+
       
        ip6tables = true;

     

       
12
       
12
       
+
       
        fixed-cidr-v6 = "2001:db8:1::/64";

     

       
13
       
13
       
+
       
      };

     

       
12
       
14
       
 
       
    };

     

       
13
       
15
       
 
       
  };

     

       
14
       
14
       
-
       
};}

     

       
16
       
16
       
+
       
}

     

···

       
1
       
1
       
-
       
{pkgs, config, ...}: let

     

       
2
       
2
       
-
       
cfg = config.services.postgresql;

     

       
3
       
3
       
-
       
in {

     

       
1
       
1
       
+
       
{ pkgs, config, ... }:

     

       
2
       
2
       
+
       
let

     

       
3
       
3
       
+
       
  cfg = config.services.postgresql;

     

       
4
       
4
       
+
       
in

     

       
5
       
5
       
+
       
{

     

       
4
       
6
       
 
       
  services.postgresql = {

     

       
5
       
7
       
 
       
    enable = true;

     

       
6
       
8
       
 
       
    package = pkgs.postgresql_16;

     
···

       
35
       
37
       
 
       
  };

     

       
36
       
38
       
 
       
  systemd.services.pg-autovacuum = {

     

       
37
       
39
       
 
       
    description = "Vacuum all Postgres databases.";

     

       
38
       
38
       
-
       
    requisite = [

     

       
39
       
39
       
-
       
      "postgresql.service"

     

       
40
       
40
       
-
       
    ];

     

       
41
       
41
       
-
       
    wantedBy = ["multi-user.target"];

     

       
40
       
40
       
+
       
    requisite = [ "postgresql.service" ];

     

       
41
       
41
       
+
       
    wantedBy = [ "multi-user.target" ];

     

       
42
       
42
       
 
       
    serviceConfig = {

     

       
43
       
43
       
 
       
      Type = "oneshot";

     

       
44
       
44
       
 
       
      User = "postgres";

     

···

       
1
       
1
       
-
       
{config, ...}: {

     

       
1
       
1
       
+
       
{ config, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  services.prometheus = {

     

       
3
       
4
       
 
       
    enable = true;

     

       
4
       
5
       
 
       
    port = 6999;

     

       
5
       
6
       
 
       
    exporters = {

     

       
6
       
7
       
 
       
      node = {

     

       
7
       
8
       
 
       
        enable = true;

     

       
8
       
8
       
-
       
        enabledCollectors = ["systemd"];

     

       
9
       
9
       
+
       
        enabledCollectors = [ "systemd" ];

     

       
9
       
10
       
 
       
        port = 6998;

     

       
10
       
11
       
 
       
      };

     

       
11
       
12
       
 
       
    };

     
···

       
13
       
14
       
 
       
      {

     

       
14
       
15
       
 
       
        job_name = "marvin";

     

       
15
       
16
       
 
       
        static_configs = [

     

       
16
       
16
       
-
       
          {

     

       
17
       
17
       
-
       
            targets = [

     

       
18
       
18
       
-
       
              "127.0.0.1:${

     

       
19
       
19
       
-
       
                toString config.services.prometheus.exporters.node.port

     

       
20
       
20
       
-
       
              }"

     

       
21
       
21
       
-
       
            ];

     

       
22
       
22
       
-
       
          }

     

       
17
       
17
       
+
       
          { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }

     

       
23
       
18
       
 
       
        ];

     

       
24
       
19
       
 
       
      }

     

       
25
       
20
       
 
       
      {

     

       
26
       
21
       
 
       
        job_name = "gitea";

     

       
27
       
22
       
 
       
        static_configs = [

     

       
28
       
28
       
-
       
          {

     

       
29
       
29
       
-
       
            targets = [

     

       
30
       
30
       
-
       
              "127.0.0.1:${

     

       
31
       
31
       
-
       
                toString config.services.gitea.settings.server.HTTP_PORT

     

       
32
       
32
       
-
       
              }"

     

       
33
       
33
       
-
       
            ];

     

       
34
       
34
       
-
       
          }

     

       
23
       
23
       
+
       
          { targets = [ "127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}" ]; }

     

       
35
       
24
       
 
       
        ];

     

       
36
       
25
       
 
       
      }

     

       
37
       
26
       
 
       
      {

     

       
38
       
27
       
 
       
        job_name = "jellyfin";

     

       
39
       
39
       
-
       
        static_configs = [{targets = ["127.0.0.1:8096"];}];

     

       
28
       
28
       
+
       
        static_configs = [ { targets = [ "127.0.0.1:8096" ]; } ];

     

       
40
       
29
       
 
       
      }

     

       
41
       
30
       
 
       
      {

     

       
42
       
31
       
 
       
        job_name = "authentik";

     

       
43
       
43
       
-
       
        static_configs = [{targets = ["127.0.0.1:9301"];}];

     

       
32
       
32
       
+
       
        static_configs = [ { targets = [ "127.0.0.1:9301" ]; } ];

     

       
44
       
33
       
 
       
      }

     

       
45
       
34
       
 
       
      {

     

       
46
       
35
       
 
       
        job_name = "prometheus";

     

       
47
       
47
       
-
       
        static_configs = [{targets = ["127.0.0.1:6999"];}];

     

       
36
       
36
       
+
       
        static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];

     

       
48
       
37
       
 
       
      }

     

       
49
       
38
       
 
       
    ];

     

       
50
       
39
       
 
       
  };

     

···

       
6
       
6
       
 
       
  # deadnix: skip

     

       
7
       
7
       
 
       
  lib,

     

       
8
       
8
       
 
       
  ...

     

       
9
       
9
       
-
       
}: {services.prosody = {enable = true;};}

     

       
9
       
9
       
+
       
}:

     

       
10
       
10
       
+
       
{

     

       
11
       
11
       
+
       
  services.prosody = {

     

       
12
       
12
       
+
       
    enable = true;

     

       
13
       
13
       
+
       
  };

     

       
14
       
14
       
+
       
}

     

···

       
1
       
1
       
-
       
{ pkgs, lib, ...}: let

     

       
1
       
1
       
+
       
{ pkgs, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  d = lib.py.data.services.redlib;

     

       
3
       
3
       
-
       
in {

     

       
4
       
4
       
+
       
in

     

       
5
       
5
       
+
       
{

     

       
4
       
6
       
 
       
  services.libreddit = {

     

       
5
       
7
       
 
       
    inherit (d) port;

     

       
6
       
8
       
 
       
    enable = true;

     

···

       
4
       
4
       
 
       
    guiAddress = "0.0.0.0:8384";

     

       
5
       
5
       
 
       
  };

     

       
6
       
6
       
 
       
  # Open The Ports!

     

       
7
       
7
       
-
       
  networking.firewall.allowedTCPPorts = [8384 22000];

     

       
8
       
8
       
-
       
  networking.firewall.allowedUDPPorts = [22000 21027];

     

       
7
       
7
       
+
       
  networking.firewall.allowedTCPPorts = [

     

       
8
       
8
       
+
       
    8384

     

       
9
       
9
       
+
       
    22000

     

       
10
       
10
       
+
       
  ];

     

       
11
       
11
       
+
       
  networking.firewall.allowedUDPPorts = [

     

       
12
       
12
       
+
       
    22000

     

       
13
       
13
       
+
       
    21027

     

       
14
       
14
       
+
       
  ];

     

       
9
       
15
       
 
       
}

     

···

       
1
       
1
       
-
       
{config, ...}: {

     

       
1
       
1
       
+
       
{ config, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  services.tailscale = {

     

       
3
       
4
       
 
       
    enable = true;

     

       
4
       
5
       
 
       
    permitCertUid = "962";

     

       
5
       
6
       
 
       
  };

     

       
6
       
7
       
 
       
  networking.firewall = {

     

       
7
       
7
       
-
       
    trustedInterfaces = ["tailscale0"];

     

       
8
       
8
       
-
       
    allowedUDPPorts = [config.services.tailscale.port];

     

       
8
       
8
       
+
       
    trustedInterfaces = [ "tailscale0" ];

     

       
9
       
9
       
+
       
    allowedUDPPorts = [ config.services.tailscale.port ];

     

       
9
       
10
       
 
       
    checkReversePath = "loose";

     

       
10
       
11
       
 
       
  };

     

       
11
       
12
       
 
       
}

     

···

       
1
       
1
       
-
       
{pkgs, config, lib, ...}: let

     

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  pkgs,

     

       
3
       
3
       
+
       
  config,

     

       
4
       
4
       
+
       
  lib,

     

       
5
       
5
       
+
       
  ...

     

       
6
       
6
       
+
       
}:

     

       
7
       
7
       
+
       
let

     

       
2
       
8
       
 
       


     

       
3
       
3
       
-
       
d = lib.py.data.services.vaultwarden;

     

       
9
       
9
       
+
       
  d = lib.py.data.services.vaultwarden;

     

       
4
       
10
       
 
       


     

       
5
       
5
       
-
       
vaultwardenSecret = {

     

       
6
       
6
       
-
       
  owner = "vaultwarden";

     

       
7
       
7
       
-
       
  group = "vaultwarden";

     

       
8
       
8
       
-
       
};

     

       
9
       
9
       
-
       
in {

     

       
11
       
11
       
+
       
  vaultwardenSecret = {

     

       
12
       
12
       
+
       
    owner = "vaultwarden";

     

       
13
       
13
       
+
       
    group = "vaultwarden";

     

       
14
       
14
       
+
       
  };

     

       
15
       
15
       
+
       
in

     

       
16
       
16
       
+
       
{

     

       
10
       
17
       
 
       
  services.vaultwarden = {

     

       
11
       
18
       
 
       
    enable = true;

     

       
12
       
19
       
 
       
    dbBackend = "postgresql";

     
···

       
101
       
108
       
 
       
    environmentFile = config.age.secrets.vaultwarden-vars.path;

     

       
102
       
109
       
 
       
  };

     

       
103
       
110
       
 
       
  systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;

     

       
104
       
104
       
-
       
  environment.systemPackages = with pkgs; [vaultwarden-vault];

     

       
111
       
111
       
+
       
  environment.systemPackages = with pkgs; [ vaultwarden-vault ];

     

       
105
       
112
       
 
       
  age.secrets.vaultwarden-vars = vaultwardenSecret // {

     

       
106
       
113
       
 
       
    file = ../secrets/vaultwarden-vars.age;

     

       
107
       
114
       
 
       
  };

     

···

       
1
       
1
       
-
       
{

     

       
2
       
2
       
-
       
  config,

     

       
3
       
3
       
-
       
  lib,

     

       
4
       
4
       
-
       
  ...

     

       
5
       
5
       
-
       
}: let

     

       
1
       
1
       
+
       
{ config, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
6
       
3
       
 
       
  d = lib.py.data.services.webmentiond;

     

       
7
       
4
       
 
       
  p = toString d.port;

     

       
8
       
8
       
-
       
in {

     

       
5
       
5
       
+
       
in

     

       
6
       
6
       
+
       
{

     

       
9
       
7
       
 
       
  virtualisation.oci-containers.containers.webmentiond = {

     

       
10
       
8
       
 
       
    image = "zerok/webmentiond:latest";

     

       
11
       
11
       
-
       
    volumes = ["/var/lib/webmentiond:/data"];

     

       
12
       
12
       
-
       
    environmentFiles = [config.age.secrets.webmentiond-env.path];

     

       
13
       
13
       
-
       
    ports = [ "${p}:${p}"];

     

       
9
       
9
       
+
       
    volumes = [ "/var/lib/webmentiond:/data" ];

     

       
10
       
10
       
+
       
    environmentFiles = [ config.age.secrets.webmentiond-env.path ];

     

       
11
       
11
       
+
       
    ports = [ "${p}:${p}" ];

     

       
14
       
12
       
 
       
    cmd = [

     

       
15
       
13
       
 
       
      "--addr 0.0.0.0:${p}"

     

       
16
       
14
       
 
       
      "--public-url https://${d.extUrl}"

     

···

       
2
       
2
       
 
       
  services.zfs = {

     

       
3
       
3
       
 
       
    trim.enable = true;

     

       
4
       
4
       
 
       
    autoScrub.enable = true;

     

       
5
       
5
       
-
       
    autoScrub.pools = ["tank"];

     

       
5
       
5
       
+
       
    autoScrub.pools = [ "tank" ];

     

       
6
       
6
       
 
       
    autoSnapshot.enable = true;

     

       
7
       
7
       
 
       
  };

     

       
8
       
8
       
 
       
}

     

···

       
1
       
1
       
-
       
{pkgs, ...}: {

     

       
2
       
2
       
-
       
  imports = [./services.nix ./wireguard.nix];

     

       
1
       
1
       
+
       
{ pkgs, ... }:

     

       
2
       
2
       
+
       
{

     

       
3
       
3
       
+
       
  imports = [

     

       
4
       
4
       
+
       
    ./services.nix

     

       
5
       
5
       
+
       
    ./wireguard.nix

     

       
6
       
6
       
+
       
  ];

     

       
3
       
7
       
 
       
  networking.interfaces.lo = {

     

       
4
       
8
       
 
       
    ipv4.addresses = [

     

       
5
       
9
       
 
       
      {

     

···

       
1
       
1
       
-
       
{

     

       
2
       
2
       
-
       
  pkgs,

     

       
3
       
3
       
-
       
  lib,

     

       
4
       
4
       
-
       
  ...

     

       
5
       
5
       
-
       
}: let

     

       
1
       
1
       
+
       
{ pkgs, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
6
       
3
       
 
       
  script = pkgs.writeShellScriptBin "update-roa" ''

     

       
7
       
4
       
 
       
    mkdir -p /etc/bird/

     

       
8
       
5
       
 
       
    ${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf

     
···

       
10
       
7
       
 
       
    ${pkgs.bird2}/bin/birdc c

     

       
11
       
8
       
 
       
    ${pkgs.bird2}/bin/birdc reload in all

     

       
12
       
9
       
 
       
  '';

     

       
13
       
13
       
-
       
  bgp = import ./bgp.nix {};

     

       
14
       
14
       
-
       
in {

     

       
10
       
10
       
+
       
  bgp = import ./bgp.nix { };

     

       
11
       
11
       
+
       
in

     

       
12
       
12
       
+
       
{

     

       
15
       
13
       
 
       
  systemd = {

     

       
16
       
16
       
-
       
  timers.dn42-roa = {

     

       
17
       
17
       
-
       
    description = "Trigger a ROA table update";

     

       
14
       
14
       
+
       
    timers.dn42-roa = {

     

       
15
       
15
       
+
       
      description = "Trigger a ROA table update";

     

       
18
       
16
       
 
       


     

       
19
       
19
       
-
       
    timerConfig = {

     

       
20
       
20
       
-
       
      OnBootSec = "5m";

     

       
21
       
21
       
-
       
      OnUnitInactiveSec = "1h";

     

       
22
       
22
       
-
       
      Unit = "dn42-roa.service";

     

       
23
       
23
       
-
       
    };

     

       
17
       
17
       
+
       
      timerConfig = {

     

       
18
       
18
       
+
       
        OnBootSec = "5m";

     

       
19
       
19
       
+
       
        OnUnitInactiveSec = "1h";

     

       
20
       
20
       
+
       
        Unit = "dn42-roa.service";

     

       
21
       
21
       
+
       
      };

     

       
24
       
22
       
 
       


     

       
25
       
25
       
-
       
    wantedBy = ["timers.target"];

     

       
26
       
26
       
-
       
    before = ["bird.service"];

     

       
27
       
27
       
-
       
  };

     

       
28
       
28
       
-
       
  services = {

     

       
29
       
29
       
-
       
    dn42-roa = {

     

       
30
       
30
       
-
       
      after = ["network.target"];

     

       
31
       
31
       
-
       
      description = "DN42 ROA Updated";

     

       
32
       
32
       
-
       
      unitConfig = {Type = "one-shot";};

     

       
33
       
33
       
-
       
      serviceConfig = {ExecStart = "${script}/bin/update-roa";};

     

       
23
       
23
       
+
       
      wantedBy = [ "timers.target" ];

     

       
24
       
24
       
+
       
      before = [ "bird.service" ];

     

       
25
       
25
       
+
       
    };

     

       
26
       
26
       
+
       
    services = {

     

       
27
       
27
       
+
       
      dn42-roa = {

     

       
28
       
28
       
+
       
        after = [ "network.target" ];

     

       
29
       
29
       
+
       
        description = "DN42 ROA Updated";

     

       
30
       
30
       
+
       
        unitConfig = {

     

       
31
       
31
       
+
       
          Type = "one-shot";

     

       
32
       
32
       
+
       
        };

     

       
33
       
33
       
+
       
        serviceConfig = {

     

       
34
       
34
       
+
       
          ExecStart = "${script}/bin/update-roa";

     

       
35
       
35
       
+
       
        };

     

       
36
       
36
       
+
       
      };

     

       
34
       
37
       
 
       
    };

     

       
35
       
35
       
-
       
  };

     

       
36
       
36
       
-
       
  services.bird-lg-proxy.serviceConfig.User = lib.mkForce "bird2";

     

       
37
       
37
       
-
       
  services.bird-lg-proxy.serviceConfig.Group = lib.mkForce "bird2";

     

       
38
       
38
       
+
       
    services.bird-lg-proxy.serviceConfig.User = lib.mkForce "bird2";

     

       
39
       
39
       
+
       
    services.bird-lg-proxy.serviceConfig.Group = lib.mkForce "bird2";

     

       
38
       
40
       
 
       
  };

     

       
39
       
41
       
 
       


     

       
40
       
42
       
 
       
  services = {

     
···

       
53
       
55
       
 
       
        netSpecificMode = "dn42";

     

       
54
       
56
       
 
       
        # protocolFilter = ["bgp" "ospf" "static"];

     

       
55
       
57
       
 
       
        proxyPort = 8000;

     

       
56
       
56
       
-
       
        servers = ["dn42"];

     

       
58
       
58
       
+
       
        servers = [ "dn42" ];

     

       
57
       
59
       
 
       
        whois = "whois.burble.dn42";

     

       
58
       
60
       
 
       
        # titleBrand = "THEHEDGEHOG LG";

     

       
59
       
61
       
 
       
        # navbar.brand = "THEHEDGEHOG LG";

     
···

       
65
       
67
       
 
       
      checkConfig = false;

     

       
66
       
68
       
 
       
      config =

     

       
67
       
69
       
 
       
        builtins.readFile ./bird.conf

     

       
68
       
68
       
-
       
        + lib.concatStrings (builtins.map

     

       
69
       
69
       
-
       
          (x: "\n      protocol bgp ${x.name} from dnpeers {\n        ${

     

       
70
       
70
       
-
       
              if x.multihop

     

       
71
       
71
       
-
       
              then "multihop;"

     

       
72
       
72
       
-
       
              else ""

     

       
70
       
70
       
+
       
        + lib.concatStrings (

     

       
71
       
71
       
+
       
          builtins.map (

     

       
72
       
72
       
+
       
            x:

     

       
73
       
73
       
+
       
            "\n      protocol bgp ${x.name} from dnpeers {\n        ${

     

       
74
       
74
       
+
       
              if x.multihop then "multihop;" else ""

     

       
73
       
75
       
 
       
            }\n        ${

     

       
74
       
74
       
-
       
              if x.gracefulRestart

     

       
75
       
75
       
-
       
              then "graceful restart on;"

     

       
76
       
76
       
-
       
              else ""

     

       
76
       
76
       
+
       
              if x.gracefulRestart then "graceful restart on;" else ""

     

       
77
       
77
       
 
       
            }\n        neighbor ${x.neigh} as ${x.as};\n        ${

     

       
78
       
78
       
-
       
              if x.multi || x.v4

     

       
79
       
79
       
-
       
              then "\n        ipv4 {\n                extended next hop on;\n                import where dn42_import_filter(${x.link},25,34);\n                export where dn42_export_filter(${x.link},25,34);\n                import keep filtered;\n        };\n        "

     

       
80
       
80
       
-
       
              else ""

     

       
78
       
78
       
+
       
              if x.multi || x.v4 then

     

       
79
       
79
       
+
       
                "\n        ipv4 {\n                extended next hop on;\n                import where dn42_import_filter(${x.link},25,34);\n                export where dn42_export_filter(${x.link},25,34);\n                import keep filtered;\n        };\n        "

     

       
80
       
80
       
+
       
              else

     

       
81
       
81
       
+
       
                ""

     

       
81
       
82
       
 
       
            }\n        ${

     

       
82
       
82
       
-
       
              if x.multi || x.v6

     

       
83
       
83
       
-
       
              then "\n        ipv6 {\n                extended next hop on;\n                import where dn42_import_filter(${x.link},25,34);\n                export where dn42_export_filter(${x.link},25,34);\n                import keep filtered;\n        };\n        "

     

       
84
       
84
       
-
       
              else ""

     

       
85
       
85
       
-
       
            }\n    }\n        ")

     

       
86
       
86
       
-
       
          bgp.sessions)

     

       
83
       
83
       
+
       
              if x.multi || x.v6 then

     

       
84
       
84
       
+
       
                "\n        ipv6 {\n                extended next hop on;\n                import where dn42_import_filter(${x.link},25,34);\n                export where dn42_export_filter(${x.link},25,34);\n                import keep filtered;\n        };\n        "

     

       
85
       
85
       
+
       
              else

     

       
86
       
86
       
+
       
                ""

     

       
87
       
87
       
+
       
            }\n    }\n        "

     

       
88
       
88
       
+
       
          ) bgp.sessions

     

       
89
       
89
       
+
       
        )

     

       
87
       
90
       
 
       
        + bgp.extraConfig;

     

       
88
       
91
       
 
       
    };

     

       
89
       
92
       
 
       
  };

     

       
90
       
90
       
-
       
  users.users.thehedgehog.extraGroups = ["bird2"];

     

       
93
       
93
       
+
       
  users.users.thehedgehog.extraGroups = [ "bird2" ];

     

       
91
       
94
       
 
       
}

     

···

       
1
       
1
       
-
       
{

     

       
2
       
2
       
-
       
  pkgs,

     

       
3
       
3
       
-
       
  lib,

     

       
4
       
4
       
-
       
  ...

     

       
5
       
5
       
-
       
}: let

     

       
1
       
1
       
+
       
{ pkgs, lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
6
       
3
       
 
       
  defaultLocalIPv4 = "172.20.43.96/32";

     

       
7
       
4
       
 
       
  defaultLocalIPv6 = "fe80::1/64";

     

       
8
       
5
       
 
       
  privKeyFile = "/run/agenix/dn42-privkey";

     

       
9
       
6
       
 
       
  # deadnix: skip

     

       
10
       
7
       
 
       
  defaultPubKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";

     

       
11
       
11
       
-
       
in {

     

       
12
       
12
       
-
       
  environment.systemPackages = [pkgs.wireguard-tools];

     

       
8
       
8
       
+
       
in

     

       
9
       
9
       
+
       
{

     

       
10
       
10
       
+
       
  environment.systemPackages = [ pkgs.wireguard-tools ];

     

       
13
       
11
       
 
       


     

       
14
       
12
       
 
       
  networking.wireguard.interfaces = import ./tunnels.nix rec {

     

       
15
       
15
       
-
       
    customTunnel = listenPort: privKeyFile: peerPubKey: endpoint: name: peerIPv4: peerIPv6: localIPv4: localIPv6: isOspf: {

     

       
16
       
16
       
-
       
      inherit listenPort;

     

       
17
       
17
       
-
       
      privateKeyFile = privKeyFile;

     

       
18
       
18
       
-
       
      allowedIPsAsRoutes = false;

     

       
19
       
19
       
-
       
      peers = [

     

       
20
       
20
       
-
       
        {

     

       
21
       
21
       
-
       
          inherit endpoint;

     

       
22
       
22
       
-
       
          publicKey = peerPubKey;

     

       
23
       
23
       
-
       
          allowedIPs = ["0.0.0.0/0" "::/0"];

     

       
24
       
24
       
-
       
          dynamicEndpointRefreshSeconds = 5;

     

       
25
       
25
       
-
       
          persistentKeepalive = 15;

     

       
26
       
26
       
-
       
        }

     

       
27
       
27
       
-
       
      ];

     

       
28
       
28
       
-
       
      postSetup =

     

       
29
       
29
       
-
       
        ''

     

       
30
       
30
       
-
       
          ${

     

       
31
       
31
       
-
       
            if peerIPv4 != ""

     

       
32
       
32
       
-
       
            then "${pkgs.iproute2}/bin/ip addr add ${localIPv4} peer ${peerIPv4} dev ${name}"

     

       
33
       
33
       
-
       
            else ""

     

       
34
       
34
       
-
       
          }

     

       
35
       
35
       
-
       
          ${

     

       
36
       
36
       
-
       
            if peerIPv6 != ""

     

       
37
       
37
       
-
       
            then "${pkgs.iproute2}/bin/ip -6 addr add ${localIPv6} peer ${peerIPv6} dev ${name}"

     

       
38
       
38
       
-
       
            else ""

     

       
13
       
13
       
+
       
    customTunnel =

     

       
14
       
14
       
+
       
      listenPort: privKeyFile: peerPubKey: endpoint: name: peerIPv4: peerIPv6: localIPv4: localIPv6: isOspf: {

     

       
15
       
15
       
+
       
        inherit listenPort;

     

       
16
       
16
       
+
       
        privateKeyFile = privKeyFile;

     

       
17
       
17
       
+
       
        allowedIPsAsRoutes = false;

     

       
18
       
18
       
+
       
        peers = [

     

       
19
       
19
       
+
       
          {

     

       
20
       
20
       
+
       
            inherit endpoint;

     

       
21
       
21
       
+
       
            publicKey = peerPubKey;

     

       
22
       
22
       
+
       
            allowedIPs = [

     

       
23
       
23
       
+
       
              "0.0.0.0/0"

     

       
24
       
24
       
+
       
              "::/0"

     

       
25
       
25
       
+
       
            ];

     

       
26
       
26
       
+
       
            dynamicEndpointRefreshSeconds = 5;

     

       
27
       
27
       
+
       
            persistentKeepalive = 15;

     

       
39
       
28
       
 
       
          }

     

       
40
       
40
       
-
       
        ''

     

       
41
       
41
       
-
       
        + lib.optionalString isOspf

     

       
42
       
42
       
-
       
        "${pkgs.iproute2}/bin/ip -6 addr add ${defaultLocalIPv6} dev ${name}";

     

       
43
       
43
       
-
       
    };

     

       
29
       
29
       
+
       
        ];

     

       
30
       
30
       
+
       
        postSetup =

     

       
31
       
31
       
+
       
          ''

     

       
32
       
32
       
+
       
            ${

     

       
33
       
33
       
+
       
              if peerIPv4 != "" then

     

       
34
       
34
       
+
       
                "${pkgs.iproute2}/bin/ip addr add ${localIPv4} peer ${peerIPv4} dev ${name}"

     

       
35
       
35
       
+
       
              else

     

       
36
       
36
       
+
       
                ""

     

       
37
       
37
       
+
       
            }

     

       
38
       
38
       
+
       
            ${

     

       
39
       
39
       
+
       
              if peerIPv6 != "" then

     

       
40
       
40
       
+
       
                "${pkgs.iproute2}/bin/ip -6 addr add ${localIPv6} peer ${peerIPv6} dev ${name}"

     

       
41
       
41
       
+
       
              else

     

       
42
       
42
       
+
       
                ""

     

       
43
       
43
       
+
       
            }

     

       
44
       
44
       
+
       
          ''

     

       
45
       
45
       
+
       
          + lib.optionalString isOspf "${pkgs.iproute2}/bin/ip -6 addr add ${defaultLocalIPv6} dev ${name}";

     

       
46
       
46
       
+
       
      };

     

       
44
       
47
       
 
       
    # deadnix: skip

     

       
45
       
45
       
-
       
    tunnel = listenPort: privKey: peerPubKey: localIPv4: localIPv6: endpoint: name: peerIPv4: peerIPv6:

     

       
46
       
46
       
-
       
      customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4

     

       
47
       
47
       
-
       
      peerIPv6

     

       
48
       
48
       
-
       
      localIPv4

     

       
49
       
49
       
-
       
      localIPv6

     

       
50
       
50
       
-
       
      false;

     

       
48
       
48
       
+
       
    tunnel =

     

       
49
       
49
       
+
       
      listenPort: privKey: peerPubKey: localIPv4: localIPv6: endpoint: name: peerIPv4: peerIPv6:

     

       
50
       
50
       
+
       
      customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4 peerIPv6 localIPv4 localIPv6

     

       
51
       
51
       
+
       
        false;

     

       
51
       
52
       
 
       
    # deadnix: skip

     

       
52
       
52
       
-
       
    ospf = listenPort: privKey: peerPubKey: endpoint: name: peerIPv4: peerIPv6: ULAIPv6:

     

       
53
       
53
       
-
       
      customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4

     

       
54
       
54
       
-
       
      peerIPv6

     

       
55
       
55
       
-
       
      defaultLocalIPv4

     

       
56
       
56
       
-
       
      ULAIPv6

     

       
57
       
57
       
-
       
      true;

     

       
53
       
53
       
+
       
    ospf =

     

       
54
       
54
       
+
       
      listenPort: privKey: peerPubKey: endpoint: name: peerIPv4: peerIPv6: ULAIPv6:

     

       
55
       
55
       
+
       
      customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4 peerIPv6 defaultLocalIPv4

     

       
56
       
56
       
+
       
        ULAIPv6

     

       
57
       
57
       
+
       
        true;

     

       
58
       
58
       
 
       
  };

     

       
59
       
59
       
 
       
}

     

···

       
3
       
3
       
 
       
  networking.nftables.enable = true;

     

       
4
       
4
       
 
       
  networking.firewall = {

     

       
5
       
5
       
 
       
    enable = true;

     

       
6
       
6
       
-
       
    allowedTCPPorts = [80 143 179 389 443 465 587 636 993 4130 6900 8000];

     

       
7
       
7
       
-
       
    allowedUDPPorts = [636 4367 6900 34197];

     

       
6
       
6
       
+
       
    allowedTCPPorts = [

     

       
7
       
7
       
+
       
      80

     

       
8
       
8
       
+
       
      143

     

       
9
       
9
       
+
       
      179

     

       
10
       
10
       
+
       
      389

     

       
11
       
11
       
+
       
      443

     

       
12
       
12
       
+
       
      465

     

       
13
       
13
       
+
       
      587

     

       
14
       
14
       
+
       
      636

     

       
15
       
15
       
+
       
      993

     

       
16
       
16
       
+
       
      4130

     

       
17
       
17
       
+
       
      6900

     

       
18
       
18
       
+
       
      8000

     

       
19
       
19
       
+
       
    ];

     

       
20
       
20
       
+
       
    allowedUDPPorts = [

     

       
21
       
21
       
+
       
      636

     

       
22
       
22
       
+
       
      4367

     

       
23
       
23
       
+
       
      6900

     

       
24
       
24
       
+
       
      34197

     

       
25
       
25
       
+
       
    ];

     

       
8
       
26
       
 
       
    allowedUDPPortRanges = [

     

       
9
       
27
       
 
       
      {

     

       
10
       
28
       
 
       
        from = 480;