comparing e8e102ffb9871e527e35add3e75a2d64437fa800 and main on pyrox.dev/nix

-2

TODO.md

···

       18
        
       - [ ] Move all Docker containers to using native versions of databases, redis, etc.

     

       19
        
         - Ensures higher performance and reduces the number of running containers.

     

       20
        
         - https://github.com/felschr/nixos-config/blob/main/services/immich.nix for an example of how to do it

     

       21
       -
       - [ ] Add Archivebox service(needs custom module)

     

       22
       -
       - [ ] Add Immich service

     

       23
        
       

     

       24
        
       ## Zaphod

     

       25

···

       18
        
       - [ ] Move all Docker containers to using native versions of databases, redis, etc.

     

       19
        
         - Ensures higher performance and reduces the number of running containers.

     

       20
        
         - https://github.com/felschr/nixos-config/blob/main/services/immich.nix for an example of how to do it

     

       0
        
       
     

       0
        
       
     

       21
        
       

     

       22
        
       ## Zaphod

     

       23

+7 -3

devShells/default/default.nix

···

       4
        
       }:

     

       5
        
       pkgs.mkShellNoCC {

     

       6
        
         packages = [

     

       0
        
       
     

       7
        
           pkgs.deadnix

     

       8
        
           pkgs.just

     

       9
        
           pkgs.nil

     

       0
        
       
     

       10
        
           pkgs.nix-tree

     

       0
        
       
     

       11
        
           pkgs.nixd

     

       12
       -
           pkgs.nix-output-monitor

     

       13
        
           pkgs.nixfmt-rfc-style

     

       14
       -
           pkgs.statix

     

       15
        
           pkgs.nvd

     

       16
       -
           pkgs.nixos-rebuild-ng

     

       0
        
       
     

       0
        
       
     

       17
        
         ];

     

       18
        
       }

···

       4
        
       }:

     

       5
        
       pkgs.mkShellNoCC {

     

       6
        
         packages = [

     

       7
       +
           # keep-sorted start

     

       8
        
           pkgs.deadnix

     

       9
        
           pkgs.just

     

       10
        
           pkgs.nil

     

       11
       +
           pkgs.nix-output-monitor

     

       12
        
           pkgs.nix-tree

     

       13
       +
           pkgs.nix-update

     

       14
        
           pkgs.nixd

     

       0
        
       
     

       15
        
           pkgs.nixfmt-rfc-style

     

       16
       +
           pkgs.nixos-rebuild-ng

     

       17
        
           pkgs.nvd

     

       18
       +
           pkgs.statix

     

       19
       +
           pkgs.tokei

     

       20
       +
           # keep-sorted endd

     

       21
        
         ];

     

       22
        
       }

+41 -41

flake.lock

···

       99
        
               ]

     

       100
        
             },

     

       101
        
             "locked": {

     

       102
       -
               "lastModified": 1763974329,

     

       103
       -
               "narHash": "sha256-8bljTh08KrIzTwzJEM8rGCg56hGtIH6/oT0LctCPTOQ=",

     

       104
        
               "owner": "caelestia-dots",

     

       105
        
               "repo": "shell",

     

       106
       -
               "rev": "11282f6abe32f9671dc0a7ce49d64bc4f2d79e6b",

     

       107
        
               "type": "github"

     

       108
        
             },

     

       109
        
             "original": {

     
···

       123
        
               ]

     

       124
        
             },

     

       125
        
             "locked": {

     

       126
       -
               "lastModified": 1763517499,

     

       127
       -
               "narHash": "sha256-N5y55DwDNT+0kLFck2sy1+DcnLOZ/N05UEvZ2R5pmWo=",

     

       128
        
               "owner": "caelestia-dots",

     

       129
        
               "repo": "cli",

     

       130
       -
               "rev": "1cfd405eaa74e66f33e7790c5c6586676f03a395",

     

       131
        
               "type": "github"

     

       132
        
             },

     

       133
        
             "original": {

     
···

       141
        
               "nixpkgs": "nixpkgs"

     

       142
        
             },

     

       143
        
             "locked": {

     

       144
       -
               "lastModified": 1763974424,

     

       145
       -
               "narHash": "sha256-jPpxBhrBOAKrXPxdrdXnq4w7x3UIkUZjarNLNYkb7Zo=",

     

       146
        
               "owner": "catppuccin",

     

       147
        
               "repo": "nix",

     

       148
       -
               "rev": "931c6465c3eac4709684dbc320bca243252927df",

     

       149
        
               "type": "github"

     

       150
        
             },

     

       151
        
             "original": {

     
···

       205
        
               ]

     

       206
        
             },

     

       207
        
             "locked": {

     

       208
       -
               "lastModified": 1764100979,

     

       209
       -
               "narHash": "sha256-Z/XgP+Lt4NnMELhQkLIfYsjwSXQQH5xLYuL/5fRZ/Sw=",

     

       210
        
               "owner": "AvengeMedia",

     

       211
        
               "repo": "DankMaterialShell",

     

       212
       -
               "rev": "08641790856d293a11c7647dcb940b05c184abbb",

     

       213
        
               "type": "github"

     

       214
        
             },

     

       215
        
             "original": {

     
···

       274
        
               ]

     

       275
        
             },

     

       276
        
             "locked": {

     

       277
       -
               "lastModified": 1763574204,

     

       278
       -
               "narHash": "sha256-rZimVCGH7w2NX+G1BpLQZC09nrS3clhmUTv2PO3TQhg=",

     

       279
        
               "owner": "pyrox0",

     

       280
        
               "repo": "dn43.nix",

     

       281
       -
               "rev": "20d58bc84b9c73f2b309fa37e6237584f4ee345d",

     

       282
        
               "type": "github"

     

       283
        
             },

     

       284
        
             "original": {

     
···

       411
        
               "systems": "systems_4"

     

       412
        
             },

     

       413
        
             "locked": {

     

       414
       -
               "lastModified": 1760925941,

     

       415
       -
               "narHash": "sha256-M+EJsr6z05heKk6iuh3RWZS+9gAMBwG9IyryACVpOy0=",

     

       416
        
               "owner": "tailscale",

     

       417
        
               "repo": "golink",

     

       418
       -
               "rev": "42765dea97afa9f9f5ea167fb0df6f5372d78481",

     

       419
        
               "type": "github"

     

       420
        
             },

     

       421
        
             "original": {

     
···

       448
        
           },

     

       449
        
           "hardware": {

     

       450
        
             "locked": {

     

       451
       -
               "lastModified": 1764080039,

     

       452
       -
               "narHash": "sha256-b1MtLQsQc4Ji1u08f+C6g5XrmLPkJQ1fhNkCt+0AERQ=",

     

       453
        
               "owner": "nixos",

     

       454
        
               "repo": "nixos-hardware",

     

       455
       -
               "rev": "da17006633ca9cda369be82893ae36824a2ddf1a",

     

       456
        
               "type": "github"

     

       457
        
             },

     

       458
        
             "original": {

     
···

       493
        
               ]

     

       494
        
             },

     

       495
        
             "locked": {

     

       496
       -
               "lastModified": 1764075860,

     

       497
       -
               "narHash": "sha256-KYEIHCBBw+/lwKsJNRNoUxBB4ZY2LK0G0T8f+0i65q0=",

     

       498
        
               "owner": "nix-community",

     

       499
        
               "repo": "home-manager",

     

       500
       -
               "rev": "295d90e22d557ccc3049dc92460b82f372cd3892",

     

       501
        
               "type": "github"

     

       502
        
             },

     

       503
        
             "original": {

     
···

       612
        
               ]

     

       613
        
             },

     

       614
        
             "locked": {

     

       615
       -
               "lastModified": 1763870992,

     

       616
       -
               "narHash": "sha256-NPyc76Wxmv/vAsXJ8F+/8fXECHYcv2YGSqdiSHp/F/A=",

     

       617
        
               "owner": "Mic92",

     

       618
        
               "repo": "nix-index-database",

     

       619
       -
               "rev": "d7423982c7a26586aa237d130b14c8b302c7a367",

     

       620
        
               "type": "github"

     

       621
        
             },

     

       622
        
             "original": {

     
···

       627
        
           },

     

       628
        
           "nixpkgs": {

     

       629
        
             "locked": {

     

       630
       -
               "lastModified": 1763421233,

     

       631
       -
               "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=",

     

       632
        
               "owner": "NixOS",

     

       633
        
               "repo": "nixpkgs",

     

       634
       -
               "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648",

     

       635
        
               "type": "github"

     

       636
        
             },

     

       637
        
             "original": {

     
···

       674
        
           },

     

       675
        
           "nixpkgs_2": {

     

       676
        
             "locked": {

     

       677
       -
               "lastModified": 1763934636,

     

       678
       -
               "narHash": "sha256-C1ZBijVfDnXQxVjITn2omp5rSP4TyENKyFsxozcYFzo=",

     

       679
       -
               "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",

     

       680
        
               "type": "tarball",

     

       681
       -
               "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre901289.ee09932cedce/nixexprs.tar.xz"

     

       682
        
             },

     

       683
        
             "original": {

     

       684
        
               "type": "tarball",

     
···

       708
        
               ]

     

       709
        
             },

     

       710
        
             "locked": {

     

       711
       -
               "lastModified": 1764045583,

     

       712
       -
               "narHash": "sha256-W24ReyRrhOKTKIsuAMkY5hnVlCufGoONM79sjUoyQkk=",

     

       713
        
               "owner": "quickshell-mirror",

     

       714
        
               "repo": "quickshell",

     

       715
       -
               "rev": "e9bad67619ee9937a1bbecfc6ad3b4231d2ecdc3",

     

       716
        
               "type": "github"

     

       717
        
             },

     

       718
        
             "original": {

     
···

       851
        
               "sqlite-lib-src": "sqlite-lib-src"

     

       852
        
             },

     

       853
        
             "locked": {

     

       854
       -
               "lastModified": 1764005195,

     

       855
       -
               "narHash": "sha256-PzuWiW/nMxwQTX0i1bHwGazQF4ptLNI9OGwpmhDb9i0=",

     

       856
        
               "ref": "refs/heads/master",

     

       857
       -
               "rev": "7358ec6edfa4d17b8b8f543d99e83a4705901148",

     

       858
       -
               "revCount": 1687,

     

       859
        
               "type": "git",

     

       860
        
               "url": "https://tangled.org/@tangled.org/core"

     

       861
        
             },

···

       99
        
               ]

     

       100
        
             },

     

       101
        
             "locked": {

     

       102
       +
               "lastModified": 1764466211,

     

       103
       +
               "narHash": "sha256-rBK+usqfAP9ZuEthw9wMCwTKQgKUMmziuzrrkpDZdzY=",

     

       104
        
               "owner": "caelestia-dots",

     

       105
        
               "repo": "shell",

     

       106
       +
               "rev": "40813e520582c5df11f6d4c870a31900fe171cce",

     

       107
        
               "type": "github"

     

       108
        
             },

     

       109
        
             "original": {

     
···

       123
        
               ]

     

       124
        
             },

     

       125
        
             "locked": {

     

       126
       +
               "lastModified": 1764381410,

     

       127
       +
               "narHash": "sha256-WR/oQQjveFqQxo8oHngZuOVgBQINDgPe+lCXLeNhAAg=",

     

       128
        
               "owner": "caelestia-dots",

     

       129
        
               "repo": "cli",

     

       130
       +
               "rev": "ed12d4cb82600872a82feb577711be1148c7af35",

     

       131
        
               "type": "github"

     

       132
        
             },

     

       133
        
             "original": {

     
···

       141
        
               "nixpkgs": "nixpkgs"

     

       142
        
             },

     

       143
        
             "locked": {

     

       144
       +
               "lastModified": 1764325801,

     

       145
       +
               "narHash": "sha256-LQ7tsrXs1wuB6KBwUctL3JlUsG/FWI2pCI6NkoO52dk=",

     

       146
        
               "owner": "catppuccin",

     

       147
        
               "repo": "nix",

     

       148
       +
               "rev": "a696fed6b9b6aa89ef495842cdca3fc2a7cef0de",

     

       149
        
               "type": "github"

     

       150
        
             },

     

       151
        
             "original": {

     
···

       205
        
               ]

     

       206
        
             },

     

       207
        
             "locked": {

     

       208
       +
               "lastModified": 1764553800,

     

       209
       +
               "narHash": "sha256-kHlx3E3K2UNWI1Hpbyl5zieoOVevZfwz8P/OcyViDHY=",

     

       210
        
               "owner": "AvengeMedia",

     

       211
        
               "repo": "DankMaterialShell",

     

       212
       +
               "rev": "7959a795753d9f646cfb9e21cfb778adf7e5c933",

     

       213
        
               "type": "github"

     

       214
        
             },

     

       215
        
             "original": {

     
···

       274
        
               ]

     

       275
        
             },

     

       276
        
             "locked": {

     

       277
       +
               "lastModified": 1764646680,

     

       278
       +
               "narHash": "sha256-HEVzGL23bev8CuZXbLgDZRWy+mD/qPZhRBpjag7G/dU=",

     

       279
        
               "owner": "pyrox0",

     

       280
        
               "repo": "dn43.nix",

     

       281
       +
               "rev": "c8b68602cf1ef696e6a9f9c25e8c177d4101331b",

     

       282
        
               "type": "github"

     

       283
        
             },

     

       284
        
             "original": {

     
···

       411
        
               "systems": "systems_4"

     

       412
        
             },

     

       413
        
             "locked": {

     

       414
       +
               "lastModified": 1764170522,

     

       415
       +
               "narHash": "sha256-4c9jCOfkKNRHJLXgOIcVcNSaw/XaiVaqesaLJn86wGA=",

     

       416
        
               "owner": "tailscale",

     

       417
        
               "repo": "golink",

     

       418
       +
               "rev": "6821994de926c565d3ef9fbf3cb0e0fcb780f4be",

     

       419
        
               "type": "github"

     

       420
        
             },

     

       421
        
             "original": {

     
···

       448
        
           },

     

       449
        
           "hardware": {

     

       450
        
             "locked": {

     

       451
       +
               "lastModified": 1764440730,

     

       452
       +
               "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",

     

       453
        
               "owner": "nixos",

     

       454
        
               "repo": "nixos-hardware",

     

       455
       +
               "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",

     

       456
        
               "type": "github"

     

       457
        
             },

     

       458
        
             "original": {

     
···

       493
        
               ]

     

       494
        
             },

     

       495
        
             "locked": {

     

       496
       +
               "lastModified": 1764544324,

     

       497
       +
               "narHash": "sha256-GVBGjO7UsmzLrlOJV8NlKSxukHaHencrJqWkCA6FkqI=",

     

       498
        
               "owner": "nix-community",

     

       499
        
               "repo": "home-manager",

     

       500
       +
               "rev": "e4e25a8c310fa45f2a8339c7972dc43d2845a612",

     

       501
        
               "type": "github"

     

       502
        
             },

     

       503
        
             "original": {

     
···

       612
        
               ]

     

       613
        
             },

     

       614
        
             "locked": {

     

       615
       +
               "lastModified": 1764475780,

     

       616
       +
               "narHash": "sha256-77jL5H5x51ksLiOUDjY0ZK8e2T4ZXLhj3ap8ETvknWI=",

     

       617
        
               "owner": "Mic92",

     

       618
        
               "repo": "nix-index-database",

     

       619
       +
               "rev": "5a3ff8c1a09003f399f43d5742d893c0b1ab8af0",

     

       620
        
               "type": "github"

     

       621
        
             },

     

       622
        
             "original": {

     
···

       627
        
           },

     

       628
        
           "nixpkgs": {

     

       629
        
             "locked": {

     

       630
       +
               "lastModified": 1763966396,

     

       631
       +
               "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",

     

       632
        
               "owner": "NixOS",

     

       633
        
               "repo": "nixpkgs",

     

       634
       +
               "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",

     

       635
        
               "type": "github"

     

       636
        
             },

     

       637
        
             "original": {

     
···

       674
        
           },

     

       675
        
           "nixpkgs_2": {

     

       676
        
             "locked": {

     

       677
       +
               "lastModified": 1764527385,

     

       678
       +
               "narHash": "sha256-gpwyCnyi2or0InBXe+4I9YeED3Uly3EGH58qvVnchBY=",

     

       679
       +
               "rev": "23258e03aaa49b3a68597e3e50eb0cbce7e42e9d",

     

       680
        
               "type": "tarball",

     

       681
       +
               "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre904683.23258e03aaa4/nixexprs.tar.xz"

     

       682
        
             },

     

       683
        
             "original": {

     

       684
        
               "type": "tarball",

     
···

       708
        
               ]

     

       709
        
             },

     

       710
        
             "locked": {

     

       711
       +
               "lastModified": 1764482797,

     

       712
       +
               "narHash": "sha256-ynV90KoBrPe38YFlKAHtPFk4Ee3IANUsIFGxRaq7H/s=",

     

       713
        
               "owner": "quickshell-mirror",

     

       714
        
               "repo": "quickshell",

     

       715
       +
               "rev": "d24e8e9736287d01ee73ef9d573d2bc316a62d5c",

     

       716
        
               "type": "github"

     

       717
        
             },

     

       718
        
             "original": {

     
···

       851
        
               "sqlite-lib-src": "sqlite-lib-src"

     

       852
        
             },

     

       853
        
             "locked": {

     

       854
       +
               "lastModified": 1764494836,

     

       855
       +
               "narHash": "sha256-u1i7aMo0fTQ6WVdOZhG2fo/gEx2Fq8+3URmuqEBZGWI=",

     

       856
        
               "ref": "refs/heads/master",

     

       857
       +
               "rev": "d37f774fb8c60aa2bd0cb965c9884457d0afb660",

     

       858
       +
               "revCount": 1689,

     

       859
        
               "type": "git",

     

       860
        
               "url": "https://tangled.org/@tangled.org/core"

     

       861
        
             },

+1 -1

homeModules/profiles/base/default.nix

···

       10
        
       {

     

       11
        
         options.py.profiles.base.enable = lib.mkEnableOption "Base Home Profile";

     

       12
        
         config = lib.mkIf cfg.enable {

     

       13
       -
           home.stateVersion = "25.11";

     

       14
        
           home.language = {

     

       15
        
             base = "en_US.utf8";

     

       16
        
           };

···

       10
        
       {

     

       11
        
         options.py.profiles.base.enable = lib.mkEnableOption "Base Home Profile";

     

       12
        
         config = lib.mkIf cfg.enable {

     

       13
       +
           home.stateVersion = "26.05";

     

       14
        
           home.language = {

     

       15
        
             base = "en_US.utf8";

     

       16
        
           };

-1

hosts/default.nix

···

       41
        
                 "vps"

     

       42
        
               ];

     

       43
        
               modules = [

     

       44
       -
                 inputs.self.nixosModules.dn42Wireguard

     

       45
        
                 inputs.dn42.nixosModules.default

     

       46
        
               ];

     

       47
        
             };

···

       41
        
                 "vps"

     

       42
        
               ];

     

       43
        
               modules = [

     

       0
        
       
     

       44
        
                 inputs.dn42.nixosModules.default

     

       45
        
               ];

     

       46
        
             };

hosts/marvin/default.nix

···

       17
        
           ./services/git.nix

     

       18
        
           ./services/golink.nix

     

       19
        
           ./services/grafana.nix

     

       0
        
       
     

       20
        
           ./services/jellyfin.nix

     

       21
        
           ./services/matrix.nix

     

       22
        
           ./services/miniflux.nix

···

       17
        
           ./services/git.nix

     

       18
        
           ./services/golink.nix

     

       19
        
           ./services/grafana.nix

     

       20
       +
           ./services/immich.nix

     

       21
        
           ./services/jellyfin.nix

     

       22
        
           ./services/matrix.nix

     

       23
        
           ./services/miniflux.nix

hosts/marvin/services/anubis.nix

···

       1
        
       {

     

       2
        
         config,

     

       0
        
       
     

       3
        
         ...

     

       4
        
       }:

     

       5
        
       {

     
···

       15
        
               ED25519_PRIVATE_KEY_HEX_FILE = config.age.secrets.anubis-key.path;

     

       16
        
               OG_PASSTHROUGH = true;

     

       17
        
               OG_CACHE_CONSIDER_HOST = true;

     

       0
        
       
     

       18
        
             };

     

       19
        
           };

     

       20
        
           age.secrets.anubis-key = {

···

       1
        
       {

     

       2
        
         config,

     

       3
       +
         self',

     

       4
        
         ...

     

       5
        
       }:

     

       6
        
       {

     
···

       16
        
               ED25519_PRIVATE_KEY_HEX_FILE = config.age.secrets.anubis-key.path;

     

       17
        
               OG_PASSTHROUGH = true;

     

       18
        
               OG_CACHE_CONSIDER_HOST = true;

     

       19
       +
               POLICY_FNAME = "${self'.packages.anubis-files}/policies/default.yaml";

     

       20
        
             };

     

       21
        
           };

     

       22
        
           age.secrets.anubis-key = {

+5 -5

hosts/marvin/services/git.nix

···

       41
        
           };

     

       42
        
           settings = {

     

       43
        
             DEFAULT = {

     

       44
       -
               APP_NAME = "PyroNet Git";

     

       45
        
               RUN_MODE = "prod";

     

       46
        
             };

     

       47
        
             attachment = {

     

       48
        
               MAX_SIZE = 200;

     

       49
        
             };

     

       50
       -
             log."logger.router.MODE" = "";

     

       51
        
             mailer = {

     

       52
        
               ENABLED = true;

     

       53
       -
               FROM = "PyroNet Git <git@pyrox.dev>";

     

       54
        
               PROTOCOL = "smtps";

     

       55
        
               SMTP_ADDR = "mail.pyrox.dev";

     

       56
        
               SMTP_PORT = 465;

     
···

       66
        
             };

     

       67
        
             "ui.meta" = {

     

       68
        
               AUTHOR = "dish";

     

       69
       -
               DESCRIPTION = "PyroNet Git Services";

     

       70
        
             };

     

       71
        
             metrics = {

     

       72
        
               ENABLED = true;

     
···

       85
        
               ISSUE_INDEXER_PATH = "indexers/issues.bleve";

     

       86
        
               # Enable repo indexing

     

       87
        
               REPO_INDEXER_ENABLED = true;

     

       88
       -
               REPO_INDEXER_REPO_TYPES = "sources,forks,templates,mirrors";

     

       89
        
               REPO_INDEXER_TYPE = "bleve";

     

       90
        
               REPO_INDEXER_PATH = "indexers/repos.bleve";

     

       91
        
             };

···

       41
        
           };

     

       42
        
           settings = {

     

       43
        
             DEFAULT = {

     

       44
       +
               APP_NAME = "dishNet Git";

     

       45
        
               RUN_MODE = "prod";

     

       46
        
             };

     

       47
        
             attachment = {

     

       48
        
               MAX_SIZE = 200;

     

       49
        
             };

     

       50
       +
             log.LOGGER_ROUTER_MODE = "";

     

       51
        
             mailer = {

     

       52
        
               ENABLED = true;

     

       53
       +
               FROM = "dishNet Git <git@pyrox.dev>";

     

       54
        
               PROTOCOL = "smtps";

     

       55
        
               SMTP_ADDR = "mail.pyrox.dev";

     

       56
        
               SMTP_PORT = 465;

     
···

       66
        
             };

     

       67
        
             "ui.meta" = {

     

       68
        
               AUTHOR = "dish";

     

       69
       +
               DESCRIPTION = "dishNet Git Services";

     

       70
        
             };

     

       71
        
             metrics = {

     

       72
        
               ENABLED = true;

     
···

       85
        
               ISSUE_INDEXER_PATH = "indexers/issues.bleve";

     

       86
        
               # Enable repo indexing

     

       87
        
               REPO_INDEXER_ENABLED = true;

     

       88
       +
               REPO_INDEXER_REPO_TYPES = "sources,forks";

     

       89
        
               REPO_INDEXER_TYPE = "bleve";

     

       90
        
               REPO_INDEXER_PATH = "indexers/repos.bleve";

     

       91
        
             };

+4 -4

hosts/marvin/services/grafana.nix

···

       40
        
             };

     

       41
        
             smtp = {

     

       42
        
               enabled = true;

     

       43
       -
               user = "grafana@thehedgehog.me";

     

       44
       -
               from_address = "grafana@thehedgehog.me";

     

       45
       -
               host = "smtp.migadu.com:465";

     

       46
        
               password = "$__file{${config.age.secrets.grafana-smtp-password.path}}";

     

       47
        
             };

     

       48
        
           };

     
···

       62
        
         services.anubis.instances.grafana = {

     

       63
        
           settings = {

     

       64
        
             BIND = ":${toString d.anubis}";

     

       65
       -
             POLICY_FNAME = "${self'.packages.anubis-files}/policies/grafana.yaml";

     

       66
        
             TARGET = "http://localhost:${toString d.port}";

     

       67
        
           };

     

       68
        
         };

···

       40
        
             };

     

       41
        
             smtp = {

     

       42
        
               enabled = true;

     

       43
       +
               user = "grafana@pyrox.dev";

     

       44
       +
               from_address = "grafana@pyrox.dev";

     

       45
       +
               host = "mail.pyrox.dev:465";

     

       46
        
               password = "$__file{${config.age.secrets.grafana-smtp-password.path}}";

     

       47
        
             };

     

       48
        
           };

     
···

       62
        
         services.anubis.instances.grafana = {

     

       63
        
           settings = {

     

       64
        
             BIND = ":${toString d.anubis}";

     

       65
       +
             POLICY_FNAME = "${self'.packages.anubis-files}/policies/default.yaml";

     

       66
        
             TARGET = "http://localhost:${toString d.port}";

     

       67
        
           };

     

       68
        
         };

+223

hosts/marvin/services/immich-config.json

···

       1
       +
       {

     

       2
       +
         "backup": {

     

       3
       +
           "database": {

     

       4
       +
             "cronExpression": "0 02 * * *",

     

       5
       +
             "enabled": true,

     

       6
       +
             "keepLastAmount": 14

     

       7
       +
           }

     

       8
       +
         },

     

       9
       +
         "ffmpeg": {

     

       10
       +
           "accel": "vaapi",

     

       11
       +
           "accelDecode": true,

     

       12
       +
           "acceptedAudioCodecs": ["aac", "mp3", "libopus"],

     

       13
       +
           "acceptedContainers": ["mov", "ogg", "webm"],

     

       14
       +
           "acceptedVideoCodecs": ["h264"],

     

       15
       +
           "bframes": -1,

     

       16
       +
           "cqMode": "auto",

     

       17
       +
           "crf": 23,

     

       18
       +
           "gopSize": 0,

     

       19
       +
           "maxBitrate": "0",

     

       20
       +
           "preferredHwDevice": "auto",

     

       21
       +
           "preset": "veryfast",

     

       22
       +
           "refs": 0,

     

       23
       +
           "targetAudioCodec": "aac",

     

       24
       +
           "targetResolution": "720",

     

       25
       +
           "targetVideoCodec": "h264",

     

       26
       +
           "temporalAQ": false,

     

       27
       +
           "threads": 0,

     

       28
       +
           "tonemap": "hable",

     

       29
       +
           "transcode": "required",

     

       30
       +
           "twoPass": false

     

       31
       +
         },

     

       32
       +
         "image": {

     

       33
       +
           "colorspace": "p3",

     

       34
       +
           "extractEmbedded": false,

     

       35
       +
           "fullsize": {

     

       36
       +
             "enabled": false,

     

       37
       +
             "format": "jpeg",

     

       38
       +
             "quality": 80

     

       39
       +
           },

     

       40
       +
           "preview": {

     

       41
       +
             "format": "jpeg",

     

       42
       +
             "quality": 80,

     

       43
       +
             "size": 1440

     

       44
       +
           },

     

       45
       +
           "thumbnail": {

     

       46
       +
             "format": "webp",

     

       47
       +
             "quality": 80,

     

       48
       +
             "size": 250

     

       49
       +
           }

     

       50
       +
         },

     

       51
       +
         "job": {

     

       52
       +
           "backgroundTask": {

     

       53
       +
             "concurrency": 5

     

       54
       +
           },

     

       55
       +
           "faceDetection": {

     

       56
       +
             "concurrency": 2

     

       57
       +
           },

     

       58
       +
           "library": {

     

       59
       +
             "concurrency": 5

     

       60
       +
           },

     

       61
       +
           "metadataExtraction": {

     

       62
       +
             "concurrency": 5

     

       63
       +
           },

     

       64
       +
           "migration": {

     

       65
       +
             "concurrency": 5

     

       66
       +
           },

     

       67
       +
           "notifications": {

     

       68
       +
             "concurrency": 5

     

       69
       +
           },

     

       70
       +
           "ocr": {

     

       71
       +
             "concurrency": 1

     

       72
       +
           },

     

       73
       +
           "search": {

     

       74
       +
             "concurrency": 5

     

       75
       +
           },

     

       76
       +
           "sidecar": {

     

       77
       +
             "concurrency": 5

     

       78
       +
           },

     

       79
       +
           "smartSearch": {

     

       80
       +
             "concurrency": 2

     

       81
       +
           },

     

       82
       +
           "thumbnailGeneration": {

     

       83
       +
             "concurrency": 3

     

       84
       +
           },

     

       85
       +
           "videoConversion": {

     

       86
       +
             "concurrency": 1

     

       87
       +
           },

     

       88
       +
           "workflow": {

     

       89
       +
             "concurrency": 5

     

       90
       +
           }

     

       91
       +
         },

     

       92
       +
         "library": {

     

       93
       +
           "scan": {

     

       94
       +
             "cronExpression": "0 0 * * *",

     

       95
       +
             "enabled": true

     

       96
       +
           },

     

       97
       +
           "watch": {

     

       98
       +
             "enabled": false

     

       99
       +
           }

     

       100
       +
         },

     

       101
       +
         "logging": {

     

       102
       +
           "enabled": true,

     

       103
       +
           "level": "log"

     

       104
       +
         },

     

       105
       +
         "machineLearning": {

     

       106
       +
           "availabilityChecks": {

     

       107
       +
             "enabled": true,

     

       108
       +
             "interval": 30000,

     

       109
       +
             "timeout": 2000

     

       110
       +
           },

     

       111
       +
           "clip": {

     

       112
       +
             "enabled": true,

     

       113
       +
             "modelName": "ViT-B-16-SigLIP2__webli"

     

       114
       +
           },

     

       115
       +
           "duplicateDetection": {

     

       116
       +
             "enabled": true,

     

       117
       +
             "maxDistance": 0.01

     

       118
       +
           },

     

       119
       +
           "enabled": true,

     

       120
       +
           "facialRecognition": {

     

       121
       +
             "enabled": true,

     

       122
       +
             "maxDistance": 0.5,

     

       123
       +
             "minFaces": 7,

     

       124
       +
             "minScore": 0.7,

     

       125
       +
             "modelName": "buffalo_l"

     

       126
       +
           },

     

       127
       +
           "ocr": {

     

       128
       +
             "enabled": true,

     

       129
       +
             "maxResolution": 736,

     

       130
       +
             "minDetectionScore": 0.5,

     

       131
       +
             "minRecognitionScore": 0.8,

     

       132
       +
             "modelName": "EN__PP-OCRv5_mobile"

     

       133
       +
           },

     

       134
       +
           "urls": ["http://localhost:3003"]

     

       135
       +
         },

     

       136
       +
         "map": {

     

       137
       +
           "darkStyle": "https://tiles.immich.cloud/v1/style/dark.json",

     

       138
       +
           "enabled": true,

     

       139
       +
           "lightStyle": "https://tiles.immich.cloud/v1/style/light.json"

     

       140
       +
         },

     

       141
       +
         "metadata": {

     

       142
       +
           "faces": {

     

       143
       +
             "import": false

     

       144
       +
           }

     

       145
       +
         },

     

       146
       +
         "newVersionCheck": {

     

       147
       +
           "enabled": false

     

       148
       +
         },

     

       149
       +
         "nightlyTasks": {

     

       150
       +
           "clusterNewFaces": true,

     

       151
       +
           "databaseCleanup": true,

     

       152
       +
           "generateMemories": true,

     

       153
       +
           "missingThumbnails": true,

     

       154
       +
           "startTime": "00:00",

     

       155
       +
           "syncQuotaUsage": true

     

       156
       +
         },

     

       157
       +
         "notifications": {

     

       158
       +
           "smtp": {

     

       159
       +
             "enabled": true,

     

       160
       +
             "from": "dishNet Photos <immich@pyrox.dev>",

     

       161
       +
             "replyTo": "",

     

       162
       +
             "transport": {

     

       163
       +
               "host": "mail.pyrox.dev",

     

       164
       +
               "ignoreCert": false,

     

       165
       +
               "port": 25,

     

       166
       +
               "secure": true,

     

       167
       +
               "username": "immich@pyrox.dev"

     

       168
       +
             }

     

       169
       +
           }

     

       170
       +
         },

     

       171
       +
         "oauth": {

     

       172
       +
           "autoLaunch": false,

     

       173
       +
           "autoRegister": true,

     

       174
       +
           "buttonText": "Login with Pocket-ID",

     

       175
       +
           "clientId": "f1312240-d9fc-4336-aca6-b98316867848",

     

       176
       +
           "defaultStorageQuota": null,

     

       177
       +
           "enabled": true,

     

       178
       +
           "issuerUrl": "https://auth.pyrox.dev",

     

       179
       +
           "mobileOverrideEnabled": false,

     

       180
       +
           "mobileRedirectUri": "",

     

       181
       +
           "profileSigningAlgorithm": "none",

     

       182
       +
           "roleClaim": "immich_role",

     

       183
       +
           "scope": "openid email profile immich_role",

     

       184
       +
           "signingAlgorithm": "RS256",

     

       185
       +
           "storageLabelClaim": "preferred_username",

     

       186
       +
           "storageQuotaClaim": "immich_quota",

     

       187
       +
           "timeout": 30000,

     

       188
       +
           "tokenEndpointAuthMethod": "client_secret_post"

     

       189
       +
         },

     

       190
       +
         "passwordLogin": {

     

       191
       +
           "enabled": true

     

       192
       +
         },

     

       193
       +
         "reverseGeocoding": {

     

       194
       +
           "enabled": true

     

       195
       +
         },

     

       196
       +
         "server": {

     

       197
       +
           "externalDomain": "https://img.pyrox.dev",

     

       198
       +
           "loginPageMessage": "",

     

       199
       +
           "publicUsers": true

     

       200
       +
         },

     

       201
       +
         "storageTemplate": {

     

       202
       +
           "enabled": false,

     

       203
       +
           "hashVerificationEnabled": true,

     

       204
       +
           "template": "{{y}}/{{y}}-{{MM}}-{{dd}}/{{filename}}"

     

       205
       +
         },

     

       206
       +
         "templates": {

     

       207
       +
           "email": {

     

       208
       +
             "albumInviteTemplate": "",

     

       209
       +
             "albumUpdateTemplate": "",

     

       210
       +
             "welcomeTemplate": ""

     

       211
       +
           }

     

       212
       +
         },

     

       213
       +
         "theme": {

     

       214
       +
           "customCss": ""

     

       215
       +
         },

     

       216
       +
         "trash": {

     

       217
       +
           "days": 30,

     

       218
       +
           "enabled": true

     

       219
       +
         },

     

       220
       +
         "user": {

     

       221
       +
           "deleteDelay": 7

     

       222
       +
         }

     

       223
       +
       }

+51

hosts/marvin/services/immich.nix

···

       1
       +
       {

     

       2
       +
         self,

     

       3
       +
         config,

     

       4
       +
         lib,

     

       5
       +
         ...

     

       6
       +
       }:

     

       7
       +
       let

     

       8
       +
         d = self.lib.data.services.immich;

     

       9
       +
       in

     

       10
       +
       {

     

       11
       +
         services = {

     

       12
       +
           immich = {

     

       13
       +
             inherit (d) port;

     

       14
       +
             enable = true;

     

       15
       +
             host = "0.0.0.0";

     

       16
       +
             redis.enable = true;

     

       17
       +
             mediaLocation = "/var/media/photos/";

     

       18
       +
             accelerationDevices = [ "/dev/dri/renderD128" ];

     

       19
       +
             settings = lib.recursiveUpdate (builtins.fromJSON (builtins.readFile ./immich-config.json)) {

     

       20
       +
               oauth.clientSecret._secret = config.age.secrets.immich-oauth-secret.path;

     

       21
       +
               notifications.smtp.transport.password._secret = config.age.secrets.immich-mail-pw.path;

     

       22
       +
               server.externalDomain = "https://${d.extUrl}";

     

       23
       +
             };

     

       24
       +
           };

     

       25
       +
           immich-public-proxy = {

     

       26
       +
             enable = true;

     

       27
       +
             port = d.pubProxy;

     

       28
       +
             immichUrl = "http://localhost:${toString d.port}";

     

       29
       +
             settings.ipp = {

     

       30
       +
               downloadedFilename = 1;

     

       31
       +
             };

     

       32
       +
           };

     

       33
       +
         };

     

       34
       +
         systemd.services.immich-public-proxy.environment.PUBLIC_BASE_URL = "https://${d.extUrl}";

     

       35
       +
         users.users.immich.extraGroups = [

     

       36
       +
           "video"

     

       37
       +
           "render"

     

       38
       +
         ];

     

       39
       +
         age.secrets = {

     

       40
       +
           immich-oauth-secret = {

     

       41
       +
             file = ./secrets/immich/oauth-secret.age;

     

       42
       +
             owner = "immich";

     

       43
       +
             group = "immich";

     

       44
       +
           };

     

       45
       +
           immich-mail-pw = {

     

       46
       +
             file = ./secrets/immich/mail-pw.age;

     

       47
       +
             owner = "immich";

     

       48
       +
             group = "immich";

     

       49
       +
           };

     

       50
       +
         };

     

       51
       +
       }

-2

hosts/marvin/services/miniflux.nix

···

       1
        
       {

     

       2
        
         config,

     

       3
       -
         self',

     

       4
        
         self,

     

       5
        
         ...

     

       6
        
       }:

     
···

       33
        
         services.anubis.instances.miniflux = {

     

       34
        
           settings = {

     

       35
        
             BIND = ":${toString d.anubis}";

     

       36
       -
             POLICY_FNAME = "${self'.packages.anubis-files}/policies/miniflux.yaml";

     

       37
        
             TARGET = "http://localhost:${toString d.port}";

     

       38
        
           };

     

       39
        
         };

···

       1
        
       {

     

       2
        
         config,

     

       0
        
       
     

       3
        
         self,

     

       4
        
         ...

     

       5
        
       }:

     
···

       32
        
         services.anubis.instances.miniflux = {

     

       33
        
           settings = {

     

       34
        
             BIND = ":${toString d.anubis}";

     

       0
        
       
     

       35
        
             TARGET = "http://localhost:${toString d.port}";

     

       36
        
           };

     

       37
        
         };

+97 -34

hosts/marvin/services/planka.nix

···

       1
        
       {

     

       0
        
       
     

       2
        
         config,

     

       0
        
       
     

       3
        
         self',

     

       4
       -
         self,

     

       5
        
         ...

     

       6
        
       }:

     

       7
        
       let

     

       8
       -
         dataDir = "/var/lib/planka";

     

       9
        
         d = self.lib.data.services.planka;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
       in

     

       11
        
       {

     

       12
       -
         virtualisation.oci-containers.containers = {

     

       13
       -
           planka-server = {

     

       14
       -
             image = "ghcr.io/plankanban/planka:2.0.0-rc.4";

     

       15
       -
             ports = [ "${toString d.port}:1337" ];

     

       16
       -
             environment = {

     

       17
       -
               BASE_URL = "https://${d.extUrl}";

     

       18
       -
               DATABASE_URL = "postgresql://planka@planka-db/planka";

     

       19
       -
               # Default Admin

     

       20
       -
               DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev";

     

       21
       -
               DEFAULT_ADMIN_USERNAME = "pyrox";

     

       22
       -
               TRUST_PROXY = "true";

     

       23
       -
               DEFAULT_LANGUAGE = "en-US";

     

       24
        
             };

     

       25
       -
             environmentFiles = [ config.age.secrets.planka-env.path ];

     

       26
       -
             volumes = [

     

       27
       -
               "${dataDir}/user-avatars:/app/public/user-avatars"

     

       28
       -
               "${dataDir}/project-background-images:/app/public/project-background-images"

     

       29
       -
               "${dataDir}/attachments:/app/private/attachments"

     

       30
       -
               "${dataDir}/favicons:/app/public/favicons"

     

       31
       -
               "${dataDir}/background-images:/app/public/background-images"

     

       32
       -
             ];

     

       33
       -
             extraOptions = [ "--network=planka" ];

     

       34
        
           };

     

       35
       -
           planka-db = {

     

       36
       -
             image = "postgres:16-alpine";

     

       37
       -
             volumes = [ "${dataDir}/db:/var/lib/postgresql/data" ];

     

       38
       -
             environment = {

     

       39
       -
               POSTGRES_USER = "planka";

     

       40
       -
               POSTGRES_DB = "planka";

     

       41
       -
               POSTGRES_HOST_AUTH_METHOD = "trust";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       42
        
             };

     

       43
       -
             extraOptions = [ "--network=planka" ];

     

       44
        
           };

     

       45
        
         };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       46
        
         age.secrets.planka-env = {

     

       47
        
           file = ./secrets/planka-env.age;

     

       48
       -
           owner = "thehedgehog";

     

       49
       -
           group = "misc";

     

       50
        
         };

     

       51
        
         services.anubis.instances.planka = {

     

       52
        
           settings = {

     

       53
        
             COOKIE_DOMAIN = ".cs2a.club";

     

       54
        
             BIND = ":${toString d.anubis}";

     

       55
       -
             POLICY_FNAME = "${self'.packages.anubis-files}/policies/planka.yaml";

     

       56
        
             TARGET = "http://localhost:${toString d.port}";

     

       57
        
           };

     

       58
        
         };

···

       1
        
       {

     

       2
       +
         lib,

     

       3
        
         config,

     

       4
       +
         self,

     

       5
        
         self',

     

       6
       +
         pkgs,

     

       7
        
         ...

     

       8
        
       }:

     

       9
        
       let

     

       0
        
       
     

       10
        
         d = self.lib.data.services.planka;

     

       11
       +
       

     

       12
       +
         commonServiceConfig = {

     

       13
       +
           EnvironmentFile = config.age.secrets.planka-env.path;

     

       14
       +
           StateDirectory = "planka";

     

       15
       +
           WorkingDirectory = "/var/lib/planka";

     

       16
       +
           User = "planka";

     

       17
       +
           Group = "planka";

     

       18
       +
       

     

       19
       +
           # Hardening

     

       20
       +
           LockPersonality = true;

     

       21
       +
           NoNewPrivileges = true;

     

       22
       +
           PrivateDevices = true;

     

       23
       +
           PrivateMounts = true;

     

       24
       +
           PrivateTmp = true;

     

       25
       +
           PrivateUsers = true;

     

       26
       +
           ProtectClock = true;

     

       27
       +
           ProtectControlGroups = true;

     

       28
       +
           ProtectHome = true;

     

       29
       +
           ProtectHostname = true;

     

       30
       +
           ProtectKernelLogs = true;

     

       31
       +
           ProtectKernelModules = true;

     

       32
       +
           ProtectKernelTunables = true;

     

       33
       +
           ProtectProc = "invisible";

     

       34
       +
           RemoveIPC = true;

     

       35
       +
           RestrictRealtime = true;

     

       36
       +
           RestrictSUIDSGID = true;

     

       37
       +
           UMask = "0660";

     

       38
       +
           RestrictAddressFamilies = [

     

       39
       +
             "AF_UNIX"

     

       40
       +
             "AF_INET"

     

       41
       +
             "AF_INET6"

     

       42
       +
           ];

     

       43
       +
         };

     

       44
        
       in

     

       45
        
       {

     

       46
       +
         systemd = {

     

       47
       +
           tmpfiles.settings = {

     

       48
       +
             "10-planka"."/var/lib/planka".d = {

     

       49
       +
               group = "planka";

     

       50
       +
               user = "planka";

     

       51
       +
               mode = "0755";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       52
        
             };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       53
        
           };

     

       54
       +
           services = {

     

       55
       +
             planka-init-db = {

     

       56
       +
               wantedBy = [ "multi-user.target" ];

     

       57
       +
               after = [ "postgres.target" ];

     

       58
       +
               description = "Planka Kanban Database Init Script";

     

       59
       +
               path = [

     

       60
       +
                 pkgs.nodejs

     

       61
       +
               ];

     

       62
       +
               script = ''

     

       63
       +
                 if [ ! -f /var/lib/planka/db-init-ran ]; then

     

       64
       +
                   node run ${self'.packages.planka}/lib/node_modules/planka/db/init.js && \

     

       65
       +
                   touch /var/lib/planka/db-init-ran

     

       66
       +
                 fi

     

       67
       +
               '';

     

       68
       +
               serviceConfig = commonServiceConfig // {

     

       69
       +
                 Type = "oneshot";

     

       70
       +
                 SyslogIdentifier = "planka-init-db";

     

       71
       +
               };

     

       72
       +
             };

     

       73
       +
             planka-server = {

     

       74
       +
               after = [ "planka-init-db.service" ];

     

       75
       +
               wantedBy = [ "multi-user.target" ];

     

       76
       +
               description = "Planka Kanban Server";

     

       77
       +
               documentation = [ "https://docs.planka.cloud" ];

     

       78
       +
               environment = {

     

       79
       +
                 DATABASE_URL = "postgresql://%2Frun%2Fpostgresql/planka";

     

       80
       +
                 DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev";

     

       81
       +
                 DEFAULT_ADMIN_USERNAME = "pyrox";

     

       82
       +
                 TRUST_PROXY = "true";

     

       83
       +
                 DEFAULT_LANGUAGE = "en-US";

     

       84
       +
                 BASE_URL = "https://${d.extUrl}";

     

       85
       +
                 NODE_ENV = "production";

     

       86
       +
               };

     

       87
       +
               serviceConfig = commonServiceConfig // {

     

       88
       +
                 Type = "simple";

     

       89
       +
                 ExecStart = "${lib.getExe self'.packages.planka} --port ${toString d.port}";

     

       90
       +
                 SyslogIdentifier = "planka";

     

       91
       +
               };

     

       92
        
             };

     

       0
        
       
     

       93
        
           };

     

       94
        
         };

     

       95
       +
         users.users.planka = {

     

       96
       +
           isSystemUser = true;

     

       97
       +
           group = "planka";

     

       98
       +
         };

     

       99
       +
         users.groups.planka = { };

     

       100
       +
         services.postgresql = {

     

       101
       +
           ensureUsers = [

     

       102
       +
             {

     

       103
       +
               name = "planka";

     

       104
       +
               ensureDBOwnership = true;

     

       105
       +
               ensureClauses.login = true;

     

       106
       +
             }

     

       107
       +
           ];

     

       108
       +
           ensureDatabases = [ "planka" ];

     

       109
       +
         };

     

       110
        
         age.secrets.planka-env = {

     

       111
        
           file = ./secrets/planka-env.age;

     

       112
       +
           owner = "planka";

     

       113
       +
           group = "planka";

     

       114
        
         };

     

       115
        
         services.anubis.instances.planka = {

     

       116
        
           settings = {

     

       117
        
             COOKIE_DOMAIN = ".cs2a.club";

     

       118
        
             BIND = ":${toString d.anubis}";

     

       0
        
       
     

       119
        
             TARGET = "http://localhost:${toString d.port}";

     

       120
        
           };

     

       121
        
         };

-2

hosts/marvin/services/pocket-id.nix

···

       1
        
       {

     

       2
        
         config,

     

       3
       -
         self',

     

       4
        
         self,

     

       5
        
         ...

     

       6
        
       }:

     
···

       43
        
           pocket-id = {

     

       44
        
             settings = {

     

       45
        
               BIND = ":${toString d.anubis}";

     

       46
       -
               POLICY_FNAME = "${self'.packages.anubis-files}/policies/pocket-id.yaml";

     

       47
        
               TARGET = "http://localhost:${toString d.port}";

     

       48
        
             };

     

       49
        
           };

···

       1
        
       {

     

       2
        
         config,

     

       0
        
       
     

       3
        
         self,

     

       4
        
         ...

     

       5
        
       }:

     
···

       42
        
           pocket-id = {

     

       43
        
             settings = {

     

       44
        
               BIND = ":${toString d.anubis}";

     

       0
        
       
     

       45
        
               TARGET = "http://localhost:${toString d.port}";

     

       46
        
             };

     

       47
        
           };

+23 -23

hosts/marvin/services/postgres.nix

···

       1
       -
       { pkgs, config, ... }:

     

       2
       -
       let

     

       3
       -
         cfg = config.services.postgresql;

     

       4
       -
       in

     

       5
        
       {

     

       6
        
         services.postgresql = {

     

       7
        
           enable = true;

     
···

       28
        
             max_parallel_maintenance_workers = 4;

     

       29
        
           };

     

       30
        
         };

     

       31
       -
         systemd.timers.pg-autovacuum = {

     

       32
       -
           description = "Timer for Postgres Autovacuum";

     

       33
       -
           timerConfig = {

     

       34
       -
             OnCalendar = "*-*-* 01:00:00";

     

       35
       -
             Unit = "pg-autovacuum.service";

     

       36
       -
           };

     

       37
       -
         };

     

       38
       -
         systemd.services.pg-autovacuum = {

     

       39
       -
           description = "Vacuum all Postgres databases.";

     

       40
       -
           requisite = [ "postgresql.service" ];

     

       41
       -
           wantedBy = [ "multi-user.target" ];

     

       42
       -
           serviceConfig = {

     

       43
       -
             Type = "oneshot";

     

       44
       -
             User = "postgres";

     

       45
       -
             Group = "postgres";

     

       46
       -
             SyslogIdentifier = "pg-autovacuum";

     

       47
       -
             ExecStart = "${cfg.package}/bin/vacuumdb --all --echo --jobs=6 --parallel=5 --analyze --verbose";

     

       48
       -
           };

     

       49
       -
         };

     

       50
        
       }

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       # let

     

       3
       +
       #   cfg = config.services.postgresql;

     

       4
       +
       # in

     

       5
        
       {

     

       6
        
         services.postgresql = {

     

       7
        
           enable = true;

     
···

       28
        
             max_parallel_maintenance_workers = 4;

     

       29
        
           };

     

       30
        
         };

     

       31
       +
         # systemd.timers.pg-autovacuum = {

     

       32
       +
         #   description = "Timer for Postgres Autovacuum";

     

       33
       +
         #   timerConfig = {

     

       34
       +
         #     OnCalendar = "*-*-* 01:00:00";

     

       35
       +
         #     Unit = "pg-autovacuum.service";

     

       36
       +
         #   };

     

       37
       +
         # };

     

       38
       +
         # systemd.services.pg-autovacuum = {

     

       39
       +
         #   description = "Vacuum all Postgres databases.";

     

       40
       +
         #   requisite = [ "postgresql.service" ];

     

       41
       +
         #   wantedBy = [ "multi-user.target" ];

     

       42
       +
         #   serviceConfig = {

     

       43
       +
         #     Type = "oneshot";

     

       44
       +
         #     User = "postgres";

     

       45
       +
         #     Group = "postgres";

     

       46
       +
         #     SyslogIdentifier = "pg-autovacuum";

     

       47
       +
         #     ExecStart = "${cfg.package}/bin/vacuumdb --all --echo --jobs=6 --parallel=5 --analyze --verbose";

     

       48
       +
         #   };

     

       49
       +
         # };

     

       50
        
       }

-23

hosts/marvin/services/secrets/iceshrimp-db-password.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 iqBxIA g+DkjSGDd+i/sdqRCuU2I2Qzmq4Q+FI7wSyfkdM9q0Q

     

       3
       -
       cG52xAS/VPjCNgHdky0/jbMvF5tF+cB8BxFNCHYlf2s

     

       4
       -
       -> ssh-rsa fFaiTA

     

       5
       -
       r5mQer6QBi+HdSS16OLHfv/oh0hbug5drdX/BuQHMORogiDfHEM03K6pmg9064Ep

     

       6
       -
       CJgl6z3IS9hlLX7cSq2kVSvP9gk+l5AmI+pMZkJyT9ED43g6wtRI7yiy1ALO0rqB

     

       7
       -
       z/CPaoLkFNFlt7sDg5rijAB+t6DNAxULfFj8KR3b+NvGrrW6Vbaio+T5mg1A2PTd

     

       8
       -
       60eEfuqdn9dHVI82FQFmai1LwoyButrUNn3UiP8aIdvFUueixcqsAXSK1zjPJZ5B

     

       9
       -
       VeAkshwhB9+HKMH1cyRa6LUbzJYxAQBhkgTFqS/r64h3ZAYHTc0lY44VtVhbnEQI

     

       10
       -
       76PBEOcQXXjvPR6yvbcVZfpqCkqfo9hb7wogPfJiRMjKM/qlpR19KOf21T0hsV6q

     

       11
       -
       b7nYf01yBscx6GKXREkZoxgpo6iLLzVQqU5SzQgs7nxW089JdJ62WoZvJwTxv2G8

     

       12
       -
       AdzImnsw73q55MgOYtv/A3hGM8O1Jw4Q4UfMSS43xB+cuvtlEmSqi5mFh0gPbqQR

     

       13
       -
       LN8+OcDLz0SR8U6xHj9ufXfhHc4nwO8iZpzav5nZXMEb3Gmva3k8U+nnmuPKqsrL

     

       14
       -
       VxFmGNxqmWPfxO0FJC/cxLKME/Lj2MU9r6KT8RQ00BjHUfoDgbFzHVLqIEbIE+Vr

     

       15
       -
       /Glcmz/Ecrt3kTwfAhEDpj6g0XVNHt7HA+r4SDWjI00

     

       16
       -
       -> ssh-ed25519 wpmdHA LUF/UncaQTEMQepVAhEqFm345dICeW3d3QGhiflTSH8

     

       17
       -
       ImxpR4innOw1jMSF4gvmOGRDl0BzqAhOyz+GFstsJG4

     

       18
       -
       -> Cg-grease k7q9

     

       19
       -
       MLRf60C4nbEc9XHo26cg7UYySbZtOMP2kZtZmvLiS1XFeIqQaR0RgRcUOoTblYzo

     

       20
       -
       KQ

     

       21
       -
       --- PV6HHY8kDdpFcgNu83K/cwz4qQCW38jcHkTOkCunxrk

     

       22
       -
       �*ǜ�lq��^��fʀ���l�� R��C}Մ�ɧ���F�ĩ�&�~h�

     

       23
       -
       ̟�r��6ʞac,����lc�
>

hosts/marvin/services/secrets/iceshrimp-secret-config.age

This is a binary file and will not be displayed.

+19

hosts/marvin/services/secrets/immich/mail-pw.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 iqBxIA 3PVJMF6BgxuDxN9NAEYqcZaYEUhK9TB5XprRyW13Kx0

     

       3
       +
       AIQQG+4/9SVPcfq9ZtL/JsWDmLvW03UiAJaJ1nHSckQ

     

       4
       +
       -> ssh-rsa fFaiTA

     

       5
       +
       ZPBI1w2a48Md+Rt92ssVcfxN26zTLCEalT+jG8SJBv07ouOzd4ibPq65m6uOQU/+

     

       6
       +
       EEgHe23fGsPP4oISWDUgVFxesLA3wjsTWmbVrkrBzGQNeNnevIRMcJu7vWDtby/+

     

       7
       +
       dVxPQIoXH0jPlcDQCm2lwOGD+du+Nb4PnVseRPDaXRypKKmx+J057FQemYBk4OWx

     

       8
       +
       yUfbKV2gHHcuRTVUQG6XAQwWvhh4e25fyc+MzKZNPUK4c/SVibjAsUH+Edd+NaV5

     

       9
       +
       yxku5k4TFZkU69sl2zCdgWfYVTowTGYGyf4Kf+I/kl9m13zIk9vRpocgt4APaJnv

     

       10
       +
       p+KxJvbYRiprWl+IzZg6TwXY5mA1IbvlppR4aak1pwaIE76CgF5mGNDGkviGndtP

     

       11
       +
       +eCMIocp6lk2U0dJEYkBtmjNbxFh3dxOcirgdNDypYPlZTSGvSRGhpL4nUJRsR+l

     

       12
       +
       A7rJ5aHH2B4Vi93zgSV0PWiWSA7899bzgN1kQKKIgYln6Tl8UxQSNt5L3L4VajuW

     

       13
       +
       3UqCltyGWt/926BMS+GrDZSWCEtVsDs5XQqDKEx6D+iviHZJXniI+RhH/eM7FLjp

     

       14
       +
       iXgCRkBIALo2lOiScpr2rtfGDViq3Nh64cIslEPiewjVFTCxkxH+LuQ1stukrNki

     

       15
       +
       IF0+pZ65rgatMAdnZRFXfRxmywKD99z4WRHAxvYloXc

     

       16
       +
       -> ssh-ed25519 wpmdHA SQlzD3yqbnoF0JHqPFFDUugbm8jlBsdntLzF/WlJbjo

     

       17
       +
       FggpB1k5xbq62QNlwkocwjiWhEqNjHAxR/GwoPhXbC8

     

       18
       +
       --- 1g4f2OQbS5iXm/cqBamEWuapvZHorxfX7wHizfPcYsc

     

       19
       +
       �z�92�LN=9���$O���fP���E���~�.��}7�eڰq��y�N�I�L����"%�V�lz'�أ�

+19

hosts/marvin/services/secrets/immich/oauth-secret.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 iqBxIA 4osfKV5/wFT7mCdc4TjP7pJHdD8wzV7VKKiBSGRqImk

     

       3
       +
       wU6RSxJh8SBbXbiwCl4lXD/m1THoAg5n1Y7pyKFPiec

     

       4
       +
       -> ssh-rsa fFaiTA

     

       5
       +
       RTHaBLsBWbDEmY80LktVL/C6CeFinLm3/4t/hoWmbzLLoElBL86EGVdrE5ovjUYl

     

       6
       +
       j5+ZacmqahwjCtF/ZGBt8MFkWOK9u90YDfLp+kb2ILVy/E+CcQ3xPpH9bf83pPl/

     

       7
       +
       aZmttaRlhnhSDYVXB0lHx3u/cCrYhTf6TjEoVGZ/XrLW0BRmO6GSwcmTrachZzdJ

     

       8
       +
       je+pf2ug//mnAJR0y4MxjGlNPD/Vaj/UiaFQjPT+7ZvUUSkbv/QpPqyhhosFA11e

     

       9
       +
       1EGp21ppwUnJSNdYh2vulpQGurB5bPlv6Y8FpcFKivq/qKmA4ydyER3NcCca5Ly+

     

       10
       +
       01jQ1HRqWylYJj7K4hnxSjnNlOXCrJATuPJYoNdt2U1DnolUAqL6JIP/qNmYx8Fb

     

       11
       +
       ZrfFINBmPsNc9XJn14T4J+VB6e68ODBOvZdbzoBQOWAObnP5OH+zLYCB3II+aLPp

     

       12
       +
       Zo5WsNBBdZih4EbO0Y9PNWBjyCzxqs7zXPg1PjjDVHN/tIpSGnqoCqCPGuePhgRV

     

       13
       +
       h1gnP/lqOW2U1oL004hi3etsUsk3kXHjr35GXMVBeay+3uGXkZqhNYYSluQnJSrs

     

       14
       +
       rzahZZ8/q0FDdlUixWHb2uQjL1XMTqUcw8wPsUak8shkx8s7GPKNxtEKFcK46jk4

     

       15
       +
       ac9TCyee4HzPC/SWkLGFl0bt9s9lGTBSNQrVzogY/sg

     

       16
       +
       -> ssh-ed25519 wpmdHA C6npqn5aqimGJlo+UlvYOoqXSu/hW1JVNAmBPP1Vvjk

     

       17
       +
       gWzXqL92jI83iqSr3dydJo+UAz5OGBo6kw6QC4KRWgM

     

       18
       +
       --- ltHFDmeAbJsQtyY4CKFEz8OGAkPkue/8upHNOOQgn5I

     

       19
       +
       ��O�ӌ#&`���P�IZ�#�[��+�tdeG�ui�����?n"��(��b� ]s�	y줔���

-20

hosts/marvin/services/secrets/pingvin-secrets.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 iqBxIA HdZwcvp9cLpqrUp0M7sK7ipTslMxK0EYqFfS8xtYeDk

     

       3
       -
       Ud7ismLtRG4RlugV3P5wRNjRe8HcJW0rAz/adadWCNc

     

       4
       -
       -> ssh-rsa fFaiTA

     

       5
       -
       KwjETLhUBpq8Hfp41rg3++syweOB+yNIIdd0KeS2YjxjbDfgwzRVoM+wlB/C3b4X

     

       6
       -
       W0561y9+wsnB5A6k/peXLASfVodw30vI9LdW+nHejQr9v/UooXPztoJNrfgaKUow

     

       7
       -
       PsLbLUj+M8Y4i22GRKrY6rrCfJk8F4a+2b0PzDc1EqUcZOjMV7aE+fQ4U7+FD1jv

     

       8
       -
       xGmrKNRXNUL1j5GpPAi7E7YXuGj2SxjZOiisKqyep5KTEFyIJ04lrN/rtbi2vkEJ

     

       9
       -
       ejAFg2jIvxAWiEzEUbjOLFzeIdpb8pPqQJ3OUF4U0crT/r5dxmJKxB0J7ktS6eEY

     

       10
       -
       NZ4/CtY/kLXjo9sWc6G2UtWAm+myXKsxETxFtp/RQ6LXMjS+3xbzGvkAoY/fzVMt

     

       11
       -
       zLGdOV0X/paLb1jGl9CHkflq7qrpkdgqc6I5nmsOCRLHrsiVWLaCVCvu2T1fpjCh

     

       12
       -
       tP+Mwdjv5ONXduoGUOxjCT8IVv7ceTt93S/9cZakpDIFJ38I1XymrjuFLfbhLMVK

     

       13
       -
       VMfo9cLhWyz2/DAKA4gKnmagUhnYO2vdNBzzM9dg0/ysrLoX71ujEcxB0tx21pkE

     

       14
       -
       eB3LEfFH94Izzn9crNJ1YMUFCpFayedN2uQjv89LN2oHx+mUKemXCdl+AV2sLP7P

     

       15
       -
       pi4/UDjKOcIeK8cSvqJtsemjUn7QJdOamH4/IpgFh5o

     

       16
       -
       -> ssh-ed25519 wpmdHA X+4vtGSjMeIuSearcEfYA8Mv5kmghhItcE1n5BPWLSo

     

       17
       -
       uYkj1VkPXs8mJu99J4GFth6LyqhWymEH5fsN0+5TDsw

     

       18
       -
       --- Ql8rRuZH0kS1eDQ9EYB7mW+GvcHtjXcW/Wu1ZGhjpKI

     

       19
       -
       虌d0dj̭�ھ�f����� g�D�+�q��W��d������%5��1�?�U��)�tܫ��[

     

       20
       -
       S�DV�+��U�".� q�i�,g{}#y�@���3O/M~��CЎBV�š� }�=����*#�7�?Q��

+2 -3

hosts/marvin/services/secrets/secrets.nix

···

       27
        
         "golink-authkey.age".publicKeys = marvinDefault;

     

       28
        
         "grafana-admin-password.age".publicKeys = marvinDefault;

     

       29
        
         "grafana-smtp-password.age".publicKeys = marvinDefault;

     

       30
       -
         "iceshrimp-secret-config.age".publicKeys = marvinDefault;

     

       31
       -
         "iceshrimp-db-password.age".publicKeys = marvinDefault;

     

       32
        
         "jellyfin-exporter-config.age".publicKeys = marvinDefault;

     

       33
        
         "minio-root.age".publicKeys = marvinDefault;

     

       34
        
         "miniflux-admin.age".publicKeys = marvinDefault;

     

       35
        
         "../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault;

     

       36
        
         "nix-serve-priv.age".publicKeys = marvinDefault;

     

       37
        
         "pinchflat-secrets.age".publicKeys = marvinDefault;

     

       38
       -
         "pingvin-secrets.age".publicKeys = marvinDefault;

     

       39
        
         "planka-env.age".publicKeys = marvinDefault;

     

       40
        
         "pocket-id-secrets.age".publicKeys = marvinDefault;

     

       41
        
         "vaultwarden-vars.age".publicKeys = marvinDefault;

···

       27
        
         "golink-authkey.age".publicKeys = marvinDefault;

     

       28
        
         "grafana-admin-password.age".publicKeys = marvinDefault;

     

       29
        
         "grafana-smtp-password.age".publicKeys = marvinDefault;

     

       30
       +
         "immich/oauth-secret.age".publicKeys = marvinDefault;

     

       31
       +
         "immich/mail-pw.age".publicKeys = marvinDefault;

     

       32
        
         "jellyfin-exporter-config.age".publicKeys = marvinDefault;

     

       33
        
         "minio-root.age".publicKeys = marvinDefault;

     

       34
        
         "miniflux-admin.age".publicKeys = marvinDefault;

     

       35
        
         "../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault;

     

       36
        
         "nix-serve-priv.age".publicKeys = marvinDefault;

     

       37
        
         "pinchflat-secrets.age".publicKeys = marvinDefault;

     

       0
        
       
     

       38
        
         "planka-env.age".publicKeys = marvinDefault;

     

       39
        
         "pocket-id-secrets.age".publicKeys = marvinDefault;

     

       40
        
         "vaultwarden-vars.age".publicKeys = marvinDefault;

+2 -23

hosts/marvin/services/vaultwarden.nix

···

       23
        
             rocketAddress = "0.0.0.0";

     

       24
        
             rocketCliColors = false;

     

       25
        
             rocketPort = d.port;

     

       26
       -
             websocketEnabled = true;

     

       27
       -
             ipHeader = "X-Real-IP";

     

       28
        
             reloadTemplates = false;

     

       29
        
             logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";

     

       30
        
             # # Ratelimiting

     
···

       36
        
       

     

       37
        
             # Logging

     

       38
        
             useSyslog = true;

     

       39
       -
             logLevel = "info";

     

       40
        
             extendedLogging = true;

     

       41
        
       

     

       42
        
             # Features

     
···

       46
        
       

     

       47
        
             # Invitations

     

       48
        
             invitationsAllowed = true;

     

       49
       -
             invitationOrgName = "PyroNet Vault";

     

       50
        
             invitationExpirationHours = 168;

     

       51
        
       

     

       52
        
             # Database

     
···

       55
        
             # Signups

     

       56
        
             signupsAllowed = false;

     

       57
        
             signupsVerify = true;

     

       58
       -
             signupsVerifyResendTime = 3600;

     

       59
       -
             signupsVerifyResendLimit = 5;

     

       60
        
             signupsDomainWhitelist = "pyrox.dev";

     

       61
        
       

     

       62
        
             # Passwords

     
···

       67
        
       

     

       68
        
             # Mail

     

       69
        
             smtpFrom = "vault@pyrox.dev";

     

       70
       -
             smtpFromName = "PyroNet Vault <vault@pyrox.dev>";

     

       71
        
             smtpUsername = "vault@pyrox.dev";

     

       72
        
             smtpSecurity = "force_tls";

     

       73
        
             smtpPort = 465;

     
···

       76
        
             smtpTimeout = 20;

     

       77
        
             smtpEmbedImages = true;

     

       78
        
             useSendmail = false;

     

       79
       -
             smtpDebug = false;

     

       80
       -
             smtpAcceptInvalidCerts = false;

     

       81
       -
             smtpAcceptInvalidHostnames = false;

     

       82
        
       

     

       83
        
             # Authentication

     

       84
       -
             authenticatorDisableTimeDrift = false;

     

       85
       -
             disable2faRemember = false;

     

       86
        
             incomplete2faTimeLimit = 5;

     

       87
        
             # # Email 2FA

     

       88
       -
             emailAttemptsLimit = 3;

     

       89
        
             emailExpirationTime = 180;

     

       90
        
             emailTokenSize = 7;

     

       91
        
             requireDeviceEmail = true;

     

       92
       -
       

     

       93
       -
             # Icons

     

       94
       -
             disableIconDownload = false;

     

       95
       -
             iconService = "internal";

     

       96
       -
             iconRedirectCode = 302;

     

       97
       -
             iconDownloadTimeout = 10;

     

       98
       -
             iconBlacklistNonGlobalIps = true;

     

       99
       -
             # # 30 Day TTL

     

       100
       -
             iconCacheTtl = 30 * 24 * 60 * 60;

     

       101
       -
             iconCacheNegttl = 30 * 24 * 60 * 60;

     

       102
        
       

     

       103
        
             # Misc Settings

     

       104
        
             trashAutoDeleteDays = 14;

···

       23
        
             rocketAddress = "0.0.0.0";

     

       24
        
             rocketCliColors = false;

     

       25
        
             rocketPort = d.port;

     

       0
        
       
     

       0
        
       
     

       26
        
             reloadTemplates = false;

     

       27
        
             logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";

     

       28
        
             # # Ratelimiting

     
···

       34
        
       

     

       35
        
             # Logging

     

       36
        
             useSyslog = true;

     

       0
        
       
     

       37
        
             extendedLogging = true;

     

       38
        
       

     

       39
        
             # Features

     
···

       43
        
       

     

       44
        
             # Invitations

     

       45
        
             invitationsAllowed = true;

     

       46
       +
             invitationOrgName = "dishNet Vault";

     

       47
        
             invitationExpirationHours = 168;

     

       48
        
       

     

       49
        
             # Database

     
···

       52
        
             # Signups

     

       53
        
             signupsAllowed = false;

     

       54
        
             signupsVerify = true;

     

       0
        
       
     

       0
        
       
     

       55
        
             signupsDomainWhitelist = "pyrox.dev";

     

       56
        
       

     

       57
        
             # Passwords

     
···

       62
        
       

     

       63
        
             # Mail

     

       64
        
             smtpFrom = "vault@pyrox.dev";

     

       65
       +
             smtpFromName = "dishNet Vault <vault@pyrox.dev>";

     

       66
        
             smtpUsername = "vault@pyrox.dev";

     

       67
        
             smtpSecurity = "force_tls";

     

       68
        
             smtpPort = 465;

     
···

       71
        
             smtpTimeout = 20;

     

       72
        
             smtpEmbedImages = true;

     

       73
        
             useSendmail = false;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       74
        
       

     

       75
        
             # Authentication

     

       0
        
       
     

       0
        
       
     

       76
        
             incomplete2faTimeLimit = 5;

     

       77
        
             # # Email 2FA

     

       0
        
       
     

       78
        
             emailExpirationTime = 180;

     

       79
        
             emailTokenSize = 7;

     

       80
        
             requireDeviceEmail = true;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       81
        
       

     

       82
        
             # Misc Settings

     

       83
        
             trashAutoDeleteDays = 14;

+7 -4

hosts/prefect/dn42/default.nix

···

       1
        
       { pkgs, config, ... }:

     

       2
        
       let

     

       3
       -
         cfg42 = config.networking.dn42;

     

       4
        
       in

     

       5
        
       {

     

       6
        
         imports = [

     
···

       33
        
           tcpdump

     

       34
        
           wireguard-tools

     

       35
        
         ];

     

       36
       -
         networking.dn42 = {

     

       37
        
           enable = true;

     

       38
        
           # ASN corresponding to DN42 PYRONET

     

       39
        
           as = 4242422459;

     

       40
        
           # Communities config

     

       41
        
           # https://dn42.dev/howto/BGP-communities

     

       42
       -
           geo = 42;

     

       43
        
           country = 1840;

     

       44
        
           routerId = cfg42.addr.v4;

     

       45
        
           # Primary IP Addresses

     
···

       52
        
             v4 = [ "172.20.43.96/27" ];

     

       53
        
             v6 = [ "fd21:1500:66b0::/48" ];

     

       54
        
           };

     

       55
       -
       

     

       56
        
           # Enable StayRTR

     

       57
        
           # https://github.com/bgp/stayrtr

     

       58
        
           stayrtr.enable = true;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       59
        
           wg.tunnelDefaults = {

     

       60
        
             privateKeyFile = "/run/agenix/dn42-privkey";

     

       61
        
             localAddrs.v4 = cfg42.addr.v4;

···

       1
        
       { pkgs, config, ... }:

     

       2
        
       let

     

       3
       +
         cfg42 = config.dn42;

     

       4
        
       in

     

       5
        
       {

     

       6
        
         imports = [

     
···

       33
        
           tcpdump

     

       34
        
           wireguard-tools

     

       35
        
         ];

     

       36
       +
         dn42 = {

     

       37
        
           enable = true;

     

       38
        
           # ASN corresponding to DN42 PYRONET

     

       39
        
           as = 4242422459;

     

       40
        
           # Communities config

     

       41
        
           # https://dn42.dev/howto/BGP-communities

     

       42
       +
           region = 42;

     

       43
        
           country = 1840;

     

       44
        
           routerId = cfg42.addr.v4;

     

       45
        
           # Primary IP Addresses

     
···

       52
        
             v4 = [ "172.20.43.96/27" ];

     

       53
        
             v6 = [ "fd21:1500:66b0::/48" ];

     

       54
        
           };

     

       0
        
       
     

       55
        
           # Enable StayRTR

     

       56
        
           # https://github.com/bgp/stayrtr

     

       57
        
           stayrtr.enable = true;

     

       58
       +
           # Peer with GRC

     

       59
       +
           # https://dn42.dev/services/Route-Collector

     

       60
       +
           collector.enable = true;

     

       61
       +
       

     

       62
        
           wg.tunnelDefaults = {

     

       63
        
             privateKeyFile = "/run/agenix/dn42-privkey";

     

       64
        
             localAddrs.v4 = cfg42.addr.v4;

+1 -1

hosts/prefect/dn42/peers/bandura.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.bandura = {

     

       5
        
             as = 4242422923;

     

       6
        
             addr.v6 = "fe80::2926";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.bandura = {

     

       5
        
             as = 4242422923;

     

       6
        
             addr.v6 = "fe80::2926";

+1 -1

hosts/prefect/dn42/peers/catgirls.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.catgirls = {

     

       5
        
             as = 4242421411;

     

       6
        
             addr.v6 = "fe80::2189:124";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.catgirls = {

     

       5
        
             as = 4242421411;

     

       6
        
             addr.v6 = "fe80::2189:124";

+1 -1

hosts/prefect/dn42/peers/chrismoos.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.chrismoos = {

     

       5
        
             as = 4242421588;

     

       6
        
             addr.v6 = "fe80::1588";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.chrismoos = {

     

       5
        
             as = 4242421588;

     

       6
        
             addr.v6 = "fe80::1588";

+1 -1

hosts/prefect/dn42/peers/darkpoint.nix

···

       4
        
         localv6 = "fe80::113";

     

       5
        
       in

     

       6
        
       {

     

       7
       -
         config.networking.dn42 = {

     

       8
        
           peers.darkpoint = {

     

       9
        
             as = 4242420150;

     

       10
        
             addr.v6 = peerv6;

···

       4
        
         localv6 = "fe80::113";

     

       5
        
       in

     

       6
        
       {

     

       7
       +
         config.dn42 = {

     

       8
        
           peers.darkpoint = {

     

       9
        
             as = 4242420150;

     

       10
        
             addr.v6 = peerv6;

hosts/prefect/dn42/peers/default.nix

···

       14
        
           (import ./kioubit.nix { inherit dn42Types; })

     

       15
        
           (import ./lare.nix { inherit dn42Types; })

     

       16
        
           (import ./potato.nix { inherit dn42Types; })

     

       0
        
       
     

       17
        
           (import ./routedbits.nix { inherit dn42Types; })

     

       18
        
           (import ./sunnet.nix { inherit dn42Types; })

     

       19
        
           (import ./uffsalot.nix { inherit dn42Types; })

···

       14
        
           (import ./kioubit.nix { inherit dn42Types; })

     

       15
        
           (import ./lare.nix { inherit dn42Types; })

     

       16
        
           (import ./potato.nix { inherit dn42Types; })

     

       17
       +
           (import ./prefixlabs.nix { inherit dn42Types; })

     

       18
        
           (import ./routedbits.nix { inherit dn42Types; })

     

       19
        
           (import ./sunnet.nix { inherit dn42Types; })

     

       20
        
           (import ./uffsalot.nix { inherit dn42Types; })

+1 -1

hosts/prefect/dn42/peers/iedon.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.iedon = {

     

       5
        
             as = 4242422189;

     

       6
        
             addr.v6 = "fe80::2189:124";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.iedon = {

     

       5
        
             as = 4242422189;

     

       6
        
             addr.v6 = "fe80::2189:124";

+1 -1

hosts/prefect/dn42/peers/kioubit.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.kioubit = {

     

       5
        
             as = 4242423914;

     

       6
        
             addr.v6 = "fe80::ade0";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.kioubit = {

     

       5
        
             as = 4242423914;

     

       6
        
             addr.v6 = "fe80::ade0";

+1 -1

hosts/prefect/dn42/peers/lare.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.lare = {

     

       5
        
             as = 4242423035;

     

       6
        
             addr.v6 = "fe80::3035:137";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.lare = {

     

       5
        
             as = 4242423035;

     

       6
        
             addr.v6 = "fe80::3035:137";

+1 -1

hosts/prefect/dn42/peers/potato.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.potato = {

     

       5
        
             as = 4242421816;

     

       6
        
             addr.v6 = "fe80::1816";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.potato = {

     

       5
        
             as = 4242421816;

     

       6
        
             addr.v6 = "fe80::1816";

+26

hosts/prefect/dn42/peers/prefixlabs.nix

···

       1
       +
       { dn42Types, ... }:

     

       2
       +
       {

     

       3
       +
         config.dn42 = {

     

       4
       +
           peers.prefixlabs = {

     

       5
       +
             as = 4242421240;

     

       6
       +
             addr.v6 = "fe80::1240:2";

     

       7
       +
             interface = "wg42_prefixlabs";

     

       8
       +
             extendedNextHop = true;

     

       9
       +
             # My side

     

       10
       +
             srcAddr.v6 = "fe80::240";

     

       11
       +
             # Communities

     

       12
       +
             crypto = dn42Types.crypto.safePFS;

     

       13
       +
             latency = dn42Types.latency."7.3ms";

     

       14
       +
             bandwidth = dn42Types.bandwidth."1000mb";

     

       15
       +
             transit = true;

     

       16
       +
           };

     

       17
       +
           wg.tunnels.prefixlabs = {

     

       18
       +
             listenPort = 43240;

     

       19
       +
             peerPubKey = "uRYzFGi+/B6pD0FR2SW3G/OzC5LPJXePNIt0s+nJfW0=";

     

       20
       +
             peerEndpoint = "us-01.prefixlabs.net:22459";

     

       21
       +
             peerAddrs.v4 = "172.20.209.11";

     

       22
       +
             peerAddrs.v6 = "fe80::1240:2";

     

       23
       +
             localAddrs.v6 = "fe80::240";

     

       24
       +
           };

     

       25
       +
         };

     

       26
       +
       }

+1 -1

hosts/prefect/dn42/peers/routedbits.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.routedbits = {

     

       5
        
             as = 4242420207;

     

       6
        
             addr.v6 = "fe80::207";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.routedbits = {

     

       5
        
             as = 4242420207;

     

       6
        
             addr.v6 = "fe80::207";

+1 -1

hosts/prefect/dn42/peers/sunnet.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.sunnet = {

     

       5
        
             as = 4242423088;

     

       6
        
             addr.v6 = "fe80::3088:193";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.sunnet = {

     

       5
        
             as = 4242423088;

     

       6
        
             addr.v6 = "fe80::3088:193";

+1 -1

hosts/prefect/dn42/peers/uffsalot.nix

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       -
         config.networking.dn42 = {

     

       4
        
           peers.uffsalot = {

     

       5
        
             as = 4242420780;

     

       6
        
             addr.v6 = "fe80::780";

···

       1
        
       { dn42Types, ... }:

     

       2
        
       {

     

       3
       +
         config.dn42 = {

     

       4
        
           peers.uffsalot = {

     

       5
        
             as = 4242420780;

     

       6
        
             addr.v6 = "fe80::780";

+8 -13

hosts/prefect/services/caddy.nix

···

       67
        
             # Authentication

     

       68
        
             ${pns.pocket-id.extUrl} = {

     

       69
        
               extraConfig = ''

     

       70
       -
                 reverse_proxy / ${marvin}:${toString pns.pocket-id.port} {

     

       71
       -
                   header_up X-Real-IP {remote_host}

     

       72
       -
                   header_up X-Http-Version {http.request.proto}

     

       73
       -
                 }

     

       74
        
               '';

     

       75
        
             };

     

       76
        
       

     
···

       214
        
               '';

     

       215
        
             };

     

       216
        
       

     

       217
       -
             # Pingvin Share

     

       218
       -
             ${pns.pingvin-share.extUrl} = {

     

       219
        
               extraConfig = ''

     

       220
       -
                 reverse_proxy /api/* ${marvin}:${toString pns.pingvin-share.be-anubis} {

     

       221
       -
                   header_up X-Real-IP {remote_host}

     

       222
       -
                   header_up X-Http-Version {http.request.proto}

     

       223
       -
                 }

     

       224
       -
                 reverse_proxy /* ${marvin}:${toString pns.pingvin-share.anubis} {

     

       225
       -
                   header_up X-Real-IP {remote_host}

     

       226
       -
                   header_up X-Http-Version {http.request.proto}

     

       227
        
                 }

     

       0
        
       
     

       228
        
               '';

     

       229
        
             };

     

       0
        
       
     

       230
        
             # Tangled Services

     

       231
        
             ${pns.tangled-knot.extUrl} = {

     

       232
        
               extraConfig = ''

···

       67
        
             # Authentication

     

       68
        
             ${pns.pocket-id.extUrl} = {

     

       69
        
               extraConfig = ''

     

       70
       +
                 reverse_proxy ${marvin}:${toString pns.pocket-id.port}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       71
        
               '';

     

       72
        
             };

     

       73
        
       

     
···

       211
        
               '';

     

       212
        
             };

     

       213
        
       

     

       214
       +
             # Immich

     

       215
       +
             ${pns.immich.extUrl} = {

     

       216
        
               extraConfig = ''

     

       217
       +
                 @public path /share /share/*

     

       218
       +
                 handle @public {

     

       219
       +
                   reverse_proxy ${marvin}:${toString pns.immich.pubProxy}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       220
        
                 }

     

       221
       +
                 reverse_proxy ${marvin}:${toString pns.immich.port}

     

       222
        
               '';

     

       223
        
             };

     

       224
       +
       

     

       225
        
             # Tangled Services

     

       226
        
             ${pns.tangled-knot.extUrl} = {

     

       227
        
               extraConfig = ''

lib/data/services.toml

···

       5
        
       # anubis: What port the anubis service for this domain will use, int

     

       6
        
       # tsHost: (optional) What Tailscale host this service will run on, for services only available via Tailscale.

     

       7
        
       # # Should only be set if this is available externally, if at all, since TS-only services aren't able to be scraped.

     

       0
        
       
     

       8
        
       [authentik]

     

       9
        
       port = 6908

     

       10
        
       host = "marvin"

     
···

       43
        
       port = 6923

     

       44
        
       host = "marvin"

     

       45
        
       extUrl = "soc.pyrox.dev"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       46
        
       

     

       47
        
       [jellyfin]

     

       48
        
       port = 8096

···

       5
        
       # anubis: What port the anubis service for this domain will use, int

     

       6
        
       # tsHost: (optional) What Tailscale host this service will run on, for services only available via Tailscale.

     

       7
        
       # # Should only be set if this is available externally, if at all, since TS-only services aren't able to be scraped.

     

       8
       +
       # Current lowest unassigned port: 6938

     

       9
        
       [authentik]

     

       10
        
       port = 6908

     

       11
        
       host = "marvin"

     
···

       44
        
       port = 6923

     

       45
        
       host = "marvin"

     

       46
        
       extUrl = "soc.pyrox.dev"

     

       47
       +
       

     

       48
       +
       [immich]

     

       49
       +
       port = 6936

     

       50
       +
       host = "marvin"

     

       51
       +
       extUrl = "img.pyrox.dev"

     

       52
       +
       pubProxy = 6937

     

       53
        
       

     

       54
        
       [jellyfin]

     

       55
        
       port = 8096

+1 -1

nixosModules/default-config/default.nix

···

       14
        
           ./users.nix

     

       15
        
         ];

     

       16
        
         system = {

     

       17
       -
           stateVersion = "25.05";

     

       18
        
           disableInstallerTools = true;

     

       19
        
           tools.nixos-rebuild.enable = true;

     

       20
        
         };

···

       14
        
           ./users.nix

     

       15
        
         ];

     

       16
        
         system = {

     

       17
       +
           stateVersion = "26.05";

     

       18
        
           disableInstallerTools = true;

     

       19
        
           tools.nixos-rebuild.enable = true;

     

       20
        
         };

+2 -4

nixosModules/default-config/nixConfig.nix

···

       15
        
       {

     

       16
        
         nix = {

     

       17
        
           enable = true;

     

       18
       -
           # We use `nh.clean` instead, so this is disabled

     

       19
       -
           gc.automatic = false;

     

       20
        
           registry = lib.mapAttrs (_: v: { flake = v; }) flakeInputs;

     

       21
        
           settings = {

     

       22
        
             # Don't auto-accept flake-defined nix settings, they're a CVE waiting to happen.

     
···

       58
        
             keep-going = true;

     

       59
        
             # More direnv gc root stuff

     

       60
        
             keep-outputs = true;

     

       61
       -
             # Show fewer log lines from failed builds since I get them from nh

     

       62
       -
             log-lines = 10;

     

       63
        
             # Limit the max amount of builds

     

       64
        
             max-jobs = lib.mkDefault 4;

     

       65
        
             # Extra system features

···

       15
        
       {

     

       16
        
         nix = {

     

       17
        
           enable = true;

     

       18
       +
           gc.automatic = true;

     

       0
        
       
     

       19
        
           registry = lib.mapAttrs (_: v: { flake = v; }) flakeInputs;

     

       20
        
           settings = {

     

       21
        
             # Don't auto-accept flake-defined nix settings, they're a CVE waiting to happen.

     
···

       57
        
             keep-going = true;

     

       58
        
             # More direnv gc root stuff

     

       59
        
             keep-outputs = true;

     

       60
       +
             log-lines = 20;

     

       0
        
       
     

       61
        
             # Limit the max amount of builds

     

       62
        
             max-jobs = lib.mkDefault 4;

     

       63
        
             # Extra system features

-1

nixosModules/default-config/programs/default.nix

···

       1
        
       {

     

       2
        
         imports = [

     

       3
        
           ./ssh.nix

     

       4
       -
           ./nh.nix

     

       5
        
         ];

     

       6
        
         programs.fish.enable = true;

     

       7
        
       }

···

       1
        
       {

     

       2
        
         imports = [

     

       3
        
           ./ssh.nix

     

       0
        
       
     

       4
        
         ];

     

       5
        
         programs.fish.enable = true;

     

       6
        
       }

-7

nixosModules/default-config/programs/nh.nix

···

       1
       -
       _: {

     

       2
       -
         programs.nh = {

     

       3
       -
           enable = true;

     

       4
       -
           clean.enable = true;

     

       5
       -
           clean.extraArgs = "-k 5";

     

       6
       -
         };

     

       7
       -
       }

+1 -1

nixosModules/homes/pyrox/default.nix

···

       9
        
             inputs.self.homeModules.allModules

     

       10
        
             {

     

       11
        
               home.username = "pyrox";

     

       12
       -
               home.stateVersion = "25.11";

     

       13
        
               py.profiles.server.enable = lib.mkDefault true;

     

       14
        
               py.profiles.desktop.enable = lib.mkDefault false;

     

       15
        
             }

···

       9
        
             inputs.self.homeModules.allModules

     

       10
        
             {

     

       11
        
               home.username = "pyrox";

     

       12
       +
               home.stateVersion = "26.05";

     

       13
        
               py.profiles.server.enable = lib.mkDefault true;

     

       14
        
               py.profiles.desktop.enable = lib.mkDefault false;

     

       15
        
             }

+1 -1

nixosModules/homes/thehedgehog/default.nix

···

       9
        
             inputs.self.homeModules.allModules

     

       10
        
             {

     

       11
        
               home.username = "thehedgehog";

     

       12
       -
               home.stateVersion = "25.11";

     

       13
        
               py.profiles.server.enable = lib.mkDefault true;

     

       14
        
               py.profiles.desktop.enable = lib.mkDefault false;

     

       15
        
             }

···

       9
        
             inputs.self.homeModules.allModules

     

       10
        
             {

     

       11
        
               home.username = "thehedgehog";

     

       12
       +
               home.stateVersion = "26.05";

     

       13
        
               py.profiles.server.enable = lib.mkDefault true;

     

       14
        
               py.profiles.desktop.enable = lib.mkDefault false;

     

       15
        
             }

-2

nixosModules/services/forgejo-runner/default.nix

···

       26
        
             };

     

       27
        
             cache = {

     

       28
        
               enabled = true;

     

       29
       -
               dir = "/var/lib/forgejo/runners/cache/";

     

       30
       -
               host = "";

     

       31
        
               port = 0;

     

       32
        
             };

     

       33
        
             container = {

···

       26
        
             };

     

       27
        
             cache = {

     

       28
        
               enabled = true;

     

       0
        
       
     

       0
        
       
     

       29
        
               port = 0;

     

       30
        
             };

     

       31
        
             container = {

+1 -1

packages/anubis-files/package.nix

···

       10
        
       

     

       11
        
         buildPhase = ''

     

       12
        
           substituteInPlace policies/*.yaml \

     

       13
       -
             --replace-fail "CUSTOM" $out/rules

     

       14
        
         '';

     

       15
        
       

     

       16
        
         installPhase = ''

···

       10
        
       

     

       11
        
         buildPhase = ''

     

       12
        
           substituteInPlace policies/*.yaml \

     

       13
       +
             --replace-fail "CUSTOM" $out

     

       14
        
         '';

     

       15
        
       

     

       16
        
         installPhase = ''

+56

packages/anubis-files/src/policies/default.yaml

···

       1
       +
       bots:

     

       2
       +
         - import: CUSTOM/policies/meta/base.yaml

     

       3
       +
       dnsbl: false

     

       4
       +
       openGraph:

     

       5
       +
         enabled: true

     

       6
       +
         considerHost: false

     

       7
       +
         ttl: 24h

     

       8
       +
       status_codes:

     

       9
       +
         CHALLENGE: 200

     

       10
       +
         DENY: 200

     

       11
       +
       thresholds:

     

       12
       +
         - name: minimal-suspicion

     

       13
       +
           expression: weight <= 0

     

       14
       +
           action: ALLOW

     

       15
       +
         - name: mild-suspicion

     

       16
       +
           expression:

     

       17
       +
             all:

     

       18
       +
               - weight > 0

     

       19
       +
               - weight < 10

     

       20
       +
           action: CHALLENGE

     

       21
       +
           challenge:

     

       22
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh

     

       23
       +
             algorithm: metarefresh

     

       24
       +
             difficulty: 1

     

       25
       +
             report_as: 1

     

       26
       +
         - name: moderate-suspicion

     

       27
       +
           expression:

     

       28
       +
             all:

     

       29
       +
               - weight >= 10

     

       30
       +
               - weight < 20

     

       31
       +
           action: CHALLENGE

     

       32
       +
           challenge:

     

       33
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       34
       +
             algorithm: fast

     

       35
       +
             difficulty: 2 # two leading zeros, very fast for most clients

     

       36
       +
             report_as: 2

     

       37
       +
         - name: mild-proof-of-work

     

       38
       +
           expression:

     

       39
       +
             all:

     

       40
       +
               - weight >= 20

     

       41
       +
               - weight < 30

     

       42
       +
           action: CHALLENGE

     

       43
       +
           challenge:

     

       44
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       45
       +
             algorithm: fast

     

       46
       +
             difficulty: 4

     

       47
       +
             report_as: 4

     

       48
       +
         # For clients that are browser like and have gained many points from custom rules

     

       49
       +
         - name: extreme-suspicion

     

       50
       +
           expression: weight >= 30

     

       51
       +
           action: CHALLENGE

     

       52
       +
           challenge:

     

       53
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       54
       +
             algorithm: fast

     

       55
       +
             difficulty: 6

     

       56
       +
             report_as: 5

+60 -6

packages/anubis-files/src/policies/forgejo.yaml

···

       1
        
       bots:

     

       2
       -
         - import: (data)/bots/ai-robots-txt.yaml

     

       3
       -
         - import: CUSTOM/block/alibaba-cloud.yaml

     

       4
        
         - import: (data)/clients/git.yaml

     

       5
       -
         - import: (data)/common/keep-internet-working.yaml

     

       6
        
         - import: (data)/apps/gitea-rss-feeds.yaml

     

       7
       -
         - import: (data)/crawlers/internet-archive.yaml

     

       8
       -
         - import: (data)/crawlers/kagibot.yaml

     

       9
       -
         - import: CUSTOM/challenge/generic-browser.yaml

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
       dnsbl: false

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       1
        
       bots:

     

       2
       +
         - import: CUSTOM/policies/meta/base.yaml

     

       0
        
       
     

       3
        
         - import: (data)/clients/git.yaml

     

       0
        
       
     

       4
        
         - import: (data)/apps/gitea-rss-feeds.yaml

     

       5
       +
       

     

       6
       +
         # Allow forgejo runner connections from localhost and tailscale

     

       7
       +
         - name: forgejo-runner

     

       8
       +
           user_agent_regex: connect-go

     

       9
       +
           action: ALLOW

     

       10
       +
       

     

       11
        
       dnsbl: false

     

       12
       +
       openGraph:

     

       13
       +
         enabled: true

     

       14
       +
         considerHost: false

     

       15
       +
         ttl: 24h

     

       16
       +
       status_codes:

     

       17
       +
         CHALLENGE: 200

     

       18
       +
         DENY: 200

     

       19
       +
       thresholds:

     

       20
       +
         - name: minimal-suspicion

     

       21
       +
           expression: weight <= 0

     

       22
       +
           action: ALLOW

     

       23
       +
         - name: mild-suspicion

     

       24
       +
           expression:

     

       25
       +
             all:

     

       26
       +
               - weight > 0

     

       27
       +
               - weight < 10

     

       28
       +
           action: CHALLENGE

     

       29
       +
           challenge:

     

       30
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh

     

       31
       +
             algorithm: metarefresh

     

       32
       +
             difficulty: 1

     

       33
       +
             report_as: 1

     

       34
       +
         - name: moderate-suspicion

     

       35
       +
           expression:

     

       36
       +
             all:

     

       37
       +
               - weight >= 10

     

       38
       +
               - weight < 20

     

       39
       +
           action: CHALLENGE

     

       40
       +
           challenge:

     

       41
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       42
       +
             algorithm: fast

     

       43
       +
             difficulty: 2 # two leading zeros, very fast for most clients

     

       44
       +
             report_as: 2

     

       45
       +
         - name: mild-proof-of-work

     

       46
       +
           expression:

     

       47
       +
             all:

     

       48
       +
               - weight >= 20

     

       49
       +
               - weight < 30

     

       50
       +
           action: CHALLENGE

     

       51
       +
           challenge:

     

       52
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       53
       +
             algorithm: fast

     

       54
       +
             difficulty: 4

     

       55
       +
             report_as: 4

     

       56
       +
         # For clients that are browser like and have gained many points from custom rules

     

       57
       +
         - name: extreme-suspicion

     

       58
       +
           expression: weight >= 30

     

       59
       +
           action: CHALLENGE

     

       60
       +
           challenge:

     

       61
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       62
       +
             algorithm: fast

     

       63
       +
             difficulty: 6

     

       64
       +
             report_as: 5

-6

packages/anubis-files/src/policies/grafana.yaml

···

       1
       -
       bots:

     

       2
       -
         - import: (data)/bots/ai-robots-txt.yaml

     

       3
       -
         - import: CUSTOM/block/alibaba-cloud.yaml

     

       4
       -
         - import: (data)/common/keep-internet-working.yaml

     

       5
       -
         - import: CUSTOM/challenge/generic-browser.yaml

     

       6
       -
       dnsbl: false

+54

packages/anubis-files/src/policies/meta/base.yaml

···

       1
       +
       # keep-sorted start

     

       2
       +
       - import: (data)/bots/_deny-pathological.yaml

     

       3
       +
       - import: (data)/bots/aggressive-brazilian-scrapers.yaml

     

       4
       +
       - import: (data)/clients/x-firefox-ai.yaml

     

       5
       +
       - import: (data)/common/keep-internet-working.yaml

     

       6
       +
       - import: (data)/common/rfc-violations.yaml

     

       7
       +
       - import: (data)/crawlers/_allow-good.yaml

     

       8
       +
       - import: (data)/meta/ai-block-aggressive.yaml

     

       9
       +
       # keep-sorted end

     

       10
       +
       - name: realistic-browser-catchall

     

       11
       +
         expression:

     

       12
       +
           all:

     

       13
       +
             - '"User-Agent" in headers'

     

       14
       +
             - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'

     

       15
       +
             - '"Accept" in headers'

     

       16
       +
             - '"Sec-Fetch-Dest" in headers'

     

       17
       +
             - '"Sec-Fetch-Mode" in headers'

     

       18
       +
             - '"Sec-Fetch-Site" in headers'

     

       19
       +
             - '"Accept-Encoding" in headers'

     

       20
       +
             - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'

     

       21
       +
             - '"Accept-Language" in headers'

     

       22
       +
         action: WEIGH

     

       23
       +
         weight:

     

       24
       +
           adjust: -10

     

       25
       +
           # The Upgrade-Insecure-Requests header is typically sent by browsers, but not always

     

       26
       +
       - name: upgrade-insecure-requests

     

       27
       +
         expression: '"Upgrade-Insecure-Requests" in headers'

     

       28
       +
         action: WEIGH

     

       29
       +
         weight:

     

       30
       +
           adjust: -2

     

       31
       +
       # Chrome should behave like Chrome

     

       32
       +
       - name: chrome-is-proper

     

       33
       +
         expression:

     

       34
       +
           all:

     

       35
       +
             - userAgent.contains("Chrome")

     

       36
       +
             - '"Sec-Ch-Ua" in headers'

     

       37
       +
             - 'headers["Sec-Ch-Ua"].contains("Chromium")'

     

       38
       +
             - '"Sec-Ch-Ua-Mobile" in headers'

     

       39
       +
             - '"Sec-Ch-Ua-Platform" in headers'

     

       40
       +
         action: WEIGH

     

       41
       +
         weight:

     

       42
       +
           adjust: -5

     

       43
       +
       - name: should-have-accept

     

       44
       +
         expression: '!("Accept" in headers)'

     

       45
       +
         action: WEIGH

     

       46
       +
         weight:

     

       47
       +
           adjust: 5

     

       48
       +
       # Generic catchall rule

     

       49
       +
       - name: generic-browser

     

       50
       +
         user_agent_regex: >-

     

       51
       +
           Mozilla|Opera|Chrome|Chromium

     

       52
       +
         action: WEIGH

     

       53
       +
         weight:

     

       54
       +
           adjust: 10

packages/anubis-files/src/policies/meta/openGraph.yaml

This is a binary file and will not be displayed.

-6

packages/anubis-files/src/policies/miniflux.yaml

···

       1
       -
       bots:

     

       2
       -
         - import: (data)/bots/ai-robots-txt.yaml

     

       3
       -
         - import: CUSTOM/block/alibaba-cloud.yaml

     

       4
       -
         - import: (data)/common/keep-internet-working.yaml

     

       5
       -
         - import: CUSTOM/challenge/generic-browser.yaml

     

       6
       -
       dnsbl: false

+50 -4

packages/anubis-files/src/policies/nextcloud-office.yaml

···

       1
        
       bots:

     

       2
       -
         - import: (data)/bots/ai-robots-txt.yaml

     

       3
       -
         - import: CUSTOM/block/alibaba-cloud.yaml

     

       4
        
         # Allow requests from the nextcloud server to bypass checks

     

       5
        
         - name: allow-nextcloud-server

     

       6
        
           user_agent_regex: ^Nextcloud Server / richdocuments$

     

       7
        
           action: ALLOW

     

       8
       -
         - import: (data)/common/keep-internet-working.yaml

     

       9
       -
         - import: CUSTOM/challenge/generic-browser.yaml

     

       10
        
       dnsbl: false

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       1
        
       bots:

     

       2
       +
         - import: CUSTOM/policies/meta/base.yaml

     

       0
        
       
     

       3
        
         # Allow requests from the nextcloud server to bypass checks

     

       4
        
         - name: allow-nextcloud-server

     

       5
        
           user_agent_regex: ^Nextcloud Server / richdocuments$

     

       6
        
           action: ALLOW

     

       0
        
       
     

       0
        
       
     

       7
        
       dnsbl: false

     

       8
       +
       status_codes:

     

       9
       +
         CHALLENGE: 200

     

       10
       +
         DENY: 200

     

       11
       +
       thresholds:

     

       12
       +
         - name: minimal-suspicion

     

       13
       +
           expression: weight <= 0

     

       14
       +
           action: ALLOW

     

       15
       +
         - name: mild-suspicion

     

       16
       +
           expression:

     

       17
       +
             all:

     

       18
       +
               - weight > 0

     

       19
       +
               - weight < 10

     

       20
       +
           action: CHALLENGE

     

       21
       +
           challenge:

     

       22
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh

     

       23
       +
             algorithm: metarefresh

     

       24
       +
             difficulty: 1

     

       25
       +
             report_as: 1

     

       26
       +
         - name: moderate-suspicion

     

       27
       +
           expression:

     

       28
       +
             all:

     

       29
       +
               - weight >= 10

     

       30
       +
               - weight < 20

     

       31
       +
           action: CHALLENGE

     

       32
       +
           challenge:

     

       33
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       34
       +
             algorithm: fast

     

       35
       +
             difficulty: 2 # two leading zeros, very fast for most clients

     

       36
       +
             report_as: 2

     

       37
       +
         - name: mild-proof-of-work

     

       38
       +
           expression:

     

       39
       +
             all:

     

       40
       +
               - weight >= 20

     

       41
       +
               - weight < 30

     

       42
       +
           action: CHALLENGE

     

       43
       +
           challenge:

     

       44
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       45
       +
             algorithm: fast

     

       46
       +
             difficulty: 4

     

       47
       +
             report_as: 4

     

       48
       +
         # For clients that are browser like and have gained many points from custom rules

     

       49
       +
         - name: extreme-suspicion

     

       50
       +
           expression: weight >= 30

     

       51
       +
           action: CHALLENGE

     

       52
       +
           challenge:

     

       53
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       54
       +
             algorithm: fast

     

       55
       +
             difficulty: 6

     

       56
       +
             report_as: 5

+54 -5

packages/anubis-files/src/policies/nextcloud.yaml

···

       1
        
       bots:

     

       2
       -
         # Block scrapers and abusive cloud providers

     

       3
       -
         - import: (data)/bots/ai-robots-txt.yaml

     

       4
       -
         - import: CUSTOM/block/alibaba-cloud.yaml

     

       5
        
         # Allow android apps that I use

     

       6
        
         - name: allow-android-apps

     

       7
        
           user_agent_regex: Nextcloud-android|DAVx5|ICSx5

     
···

       34
        
               - 'path.startsWith("/apps/theming/")'

     

       35
        
               # Public DAV endpoint

     

       36
        
               - 'path.startsWith("/public.php/dav/files/")'

     

       37
       -
         - import: (data)/common/keep-internet-working.yaml

     

       38
       -
         - import: CUSTOM/challenge/generic-browser.yaml

     

       39
        
       dnsbl: false

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       1
        
       bots:

     

       2
       +
         - import: CUSTOM/policies/meta/base.yaml

     

       0
        
       
     

       0
        
       
     

       3
        
         # Allow android apps that I use

     

       4
        
         - name: allow-android-apps

     

       5
        
           user_agent_regex: Nextcloud-android|DAVx5|ICSx5

     
···

       32
        
               - 'path.startsWith("/apps/theming/")'

     

       33
        
               # Public DAV endpoint

     

       34
        
               - 'path.startsWith("/public.php/dav/files/")'

     

       0
        
       
     

       0
        
       
     

       35
        
       dnsbl: false

     

       36
       +
       openGraph:

     

       37
       +
         enabled: true

     

       38
       +
         considerHost: false

     

       39
       +
         ttl: 24h

     

       40
       +
       status_codes:

     

       41
       +
         CHALLENGE: 200

     

       42
       +
         DENY: 200

     

       43
       +
       thresholds:

     

       44
       +
         - name: minimal-suspicion

     

       45
       +
           expression: weight <= 0

     

       46
       +
           action: ALLOW

     

       47
       +
         - name: mild-suspicion

     

       48
       +
           expression:

     

       49
       +
             all:

     

       50
       +
               - weight > 0

     

       51
       +
               - weight < 10

     

       52
       +
           action: CHALLENGE

     

       53
       +
           challenge:

     

       54
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh

     

       55
       +
             algorithm: metarefresh

     

       56
       +
             difficulty: 1

     

       57
       +
             report_as: 1

     

       58
       +
         - name: moderate-suspicion

     

       59
       +
           expression:

     

       60
       +
             all:

     

       61
       +
               - weight >= 10

     

       62
       +
               - weight < 20

     

       63
       +
           action: CHALLENGE

     

       64
       +
           challenge:

     

       65
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       66
       +
             algorithm: fast

     

       67
       +
             difficulty: 2 # two leading zeros, very fast for most clients

     

       68
       +
             report_as: 2

     

       69
       +
         - name: mild-proof-of-work

     

       70
       +
           expression:

     

       71
       +
             all:

     

       72
       +
               - weight >= 20

     

       73
       +
               - weight < 30

     

       74
       +
           action: CHALLENGE

     

       75
       +
           challenge:

     

       76
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       77
       +
             algorithm: fast

     

       78
       +
             difficulty: 4

     

       79
       +
             report_as: 4

     

       80
       +
         # For clients that are browser like and have gained many points from custom rules

     

       81
       +
         - name: extreme-suspicion

     

       82
       +
           expression: weight >= 30

     

       83
       +
           action: CHALLENGE

     

       84
       +
           challenge:

     

       85
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       86
       +
             algorithm: fast

     

       87
       +
             difficulty: 6

     

       88
       +
             report_as: 5

-6

packages/anubis-files/src/policies/pingvin-share.yaml

···

       1
       -
       bots:

     

       2
       -
         - import: (data)/bots/ai-robots-txt.yaml

     

       3
       -
         - import: CUSTOM/block/alibaba-cloud.yaml

     

       4
       -
         - import: (data)/common/keep-internet-working.yaml

     

       5
       -
         - import: CUSTOM/challenge/generic-browser.yaml

     

       6
       -
       dnsbl: false

-6

packages/anubis-files/src/policies/planka.yaml

···

       1
       -
       bots:

     

       2
       -
         - import: (data)/bots/ai-robots-txt.yaml

     

       3
       -
         - import: CUSTOM/block/alibaba-cloud.yaml

     

       4
       -
         - import: (data)/common/keep-internet-working.yaml

     

       5
       -
         - import: CUSTOM/challenge/generic-browser.yaml

     

       6
       -
       dnsbl: false

-6

packages/anubis-files/src/policies/pocket-id.yaml

···

       1
       -
       bots:

     

       2
       -
         - import: (data)/bots/ai-robots-txt.yaml

     

       3
       -
         - import: CUSTOM/block/alibaba-cloud.yaml

     

       4
       -
         - import: (data)/common/keep-internet-working.yaml

     

       5
       -
         - import: CUSTOM/challenge/generic-browser.yaml

     

       6
       -
       dnsbl: false

+54 -4

packages/anubis-files/src/policies/vaultwarden.yaml

···

       1
        
       bots:

     

       2
       -
         - import: (data)/bots/ai-robots-txt.yaml

     

       3
       -
         - import: CUSTOM/block/alibaba-cloud.yaml

     

       4
        
         # Allow bitwarden apps

     

       5
        
         - name: allow-bitwarden-mobile

     

       6
        
           user_agent_regex: Bitwarden_Mobile

     
···

       8
        
         - name: allow-bitwarden-webext

     

       9
        
           user_agent_regex: Mozilla

     

       10
        
           action: ALLOW

     

       11
       -
         - import: (data)/common/keep-internet-working.yaml

     

       12
       -
         - import: CUSTOM/challenge/generic-browser.yaml

     

       13
        
       dnsbl: false

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       1
        
       bots:

     

       2
       +
         - import: CUSTOM/policies/meta/base.yaml

     

       0
        
       
     

       3
        
         # Allow bitwarden apps

     

       4
        
         - name: allow-bitwarden-mobile

     

       5
        
           user_agent_regex: Bitwarden_Mobile

     
···

       7
        
         - name: allow-bitwarden-webext

     

       8
        
           user_agent_regex: Mozilla

     

       9
        
           action: ALLOW

     

       0
        
       
     

       0
        
       
     

       10
        
       dnsbl: false

     

       11
       +
       openGraph:

     

       12
       +
         enabled: true

     

       13
       +
         considerHost: false

     

       14
       +
         ttl: 24h

     

       15
       +
       status_codes:

     

       16
       +
         CHALLENGE: 200

     

       17
       +
         DENY: 200

     

       18
       +
       thresholds:

     

       19
       +
         - name: minimal-suspicion

     

       20
       +
           expression: weight <= 0

     

       21
       +
           action: ALLOW

     

       22
       +
         - name: mild-suspicion

     

       23
       +
           expression:

     

       24
       +
             all:

     

       25
       +
               - weight > 0

     

       26
       +
               - weight < 10

     

       27
       +
           action: CHALLENGE

     

       28
       +
           challenge:

     

       29
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh

     

       30
       +
             algorithm: metarefresh

     

       31
       +
             difficulty: 1

     

       32
       +
             report_as: 1

     

       33
       +
         - name: moderate-suspicion

     

       34
       +
           expression:

     

       35
       +
             all:

     

       36
       +
               - weight >= 10

     

       37
       +
               - weight < 20

     

       38
       +
           action: CHALLENGE

     

       39
       +
           challenge:

     

       40
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       41
       +
             algorithm: fast

     

       42
       +
             difficulty: 2 # two leading zeros, very fast for most clients

     

       43
       +
             report_as: 2

     

       44
       +
         - name: mild-proof-of-work

     

       45
       +
           expression:

     

       46
       +
             all:

     

       47
       +
               - weight >= 20

     

       48
       +
               - weight < 30

     

       49
       +
           action: CHALLENGE

     

       50
       +
           challenge:

     

       51
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       52
       +
             algorithm: fast

     

       53
       +
             difficulty: 4

     

       54
       +
             report_as: 4

     

       55
       +
         # For clients that are browser like and have gained many points from custom rules

     

       56
       +
         - name: extreme-suspicion

     

       57
       +
           expression: weight >= 30

     

       58
       +
           action: CHALLENGE

     

       59
       +
           challenge:

     

       60
       +
             # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work

     

       61
       +
             algorithm: fast

     

       62
       +
             difficulty: 6

     

       63
       +
             report_as: 5

-3

packages/anubis-files/src/rules/block/alibaba-cloud.yaml

···

       1
       -
       - name: alibaba-cloud

     

       2
       -
         action: DENY

     

       3
       -
         remote_addresses: ["45.196.28.0/24", "161.117.128.0/17", "8.209.42.0/23", "47.89.125.0/24", "8.222.48.0/20", "47.79.16.0/21", "149.129.16.0/23", "8.212.0.0/17", "47.89.0.0/19", "47.240.128.0/17", "8.213.176.0/20", "47.77.8.0/22", "47.79.96.0/19", "47.246.198.0/23", "47.91.128.0/17", "47.89.104.0/21", "47.89.102.0/24", "8.222.96.0/19", "170.33.31.0/24", "8.215.168.0/24", "8.222.40.0/21", "47.235.1.0/24", "240b:400f::/32", "170.33.32.0/24", "8.208.0.0/18", "47.79.24.0/21", "47.91.16.0/20", "47.252.0.0/17", "8.213.176.0/21", "8.212.0.0/18", "8.211.192.0/18", "47.79.54.0/23", "47.235.18.0/24", "47.88.0.0/17", "43.96.21.0/24", "47.235.22.0/24", "240b:4001::/33", "47.79.64.0/20", "139.95.4.0/23", "47.254.128.0/19", "47.81.64.0/18", "47.77.128.0/18", "240b:4009::/33", "47.246.90.0/23", "47.89.32.0/19", "205.204.125.0/24", "47.79.56.0/23", "240b:400c:100::/41", "47.235.26.0/23", "8.209.64.0/19", "8.222.16.0/20", "47.235.12.0/23", "116.251.64.0/18", "139.95.64.0/24", "47.235.31.0/24", "8.208.32.0/19", "240b:400c:f00::/48", "47.235.6.0/24", "47.246.160.0/21", "47.246.196.0/22", "2404:2280:3000::/37", "47.74.0.0/21", "240b:4007:8000::/33", "47.91.0.0/20", "2400:3200:baba::/48", "198.11.137.0/24", "47.84.168.0/21", "240b:4006:1020::/44", "149.129.192.0/18", "8.219.40.0/21", "43.96.3.0/24", "240b:4004::/32", "47.77.64.0/20", "47.83.48.0/21", "47.77.104.0/21", "240b:4001:8000::/33", "43.96.5.0/24", "240b:400c:180::/41", "43.96.25.0/24", "47.77.96.0/21", "8.211.160.0/19", "47.245.32.0/19", "8.215.0.0/16", "47.79.32.0/20", "8.213.160.0/21", "47.74.0.0/19", "43.96.4.0/24", "170.33.75.0/24", "8.211.128.0/18", "8.217.0.0/16", "47.81.0.0/19", "47.82.96.0/19", "47.83.56.0/21", "203.107.64.0/24", "240b:4006:1020::/45", "240b:4004::/33", "47.242.0.0/15", "47.80.128.0/17", "8.215.0.0/17", "240b:4000::/32", "47.246.192.0/23", "47.246.176.0/21", "8.212.224.0/19", "47.90.0.0/17", "170.33.107.0/24", "47.237.32.0/20", "47.240.0.0/16", "47.253.0.0/16", "161.117.0.0/16", "47.77.12.0/22", "47.88.128.0/17", "8.220.147.0/24", "47.236.0.0/16", "149.129.192.0/19", "170.33.73.0/24", "47.87.160.0/19", "47.79.0.0/20", "47.246.153.0/24", "47.235.29.0/24", "47.81.128.0/18", "43.96.35.0/24", "8.212.128.0/18", "8.219.0.0/16", "47.246.155.0/24", "8.216.64.0/18", "8.213.253.0/24", "8.220.116.0/24", "8.222.128.0/18", "240b:400e:8000::/33", "43.96.33.0/24", "47.77.192.0/18", "47.81.32.0/19", "47.77.8.0/21", "47.79.16.0/20", "240b:400f:8000::/33", "47.246.145.0/24", "47.88.128.0/18", "170.33.104.0/24", "8.219.0.0/17", "47.82.0.0/18", "139.95.10.0/23", "47.238.0.0/16", "240b:4006:1002::/47", "8.221.188.0/22", "8.213.251.0/24", "47.254.192.0/19", "47.79.32.0/21", "8.212.128.0/19", "47.246.83.0/24", "47.87.64.0/19", "8.222.192.0/18", "170.33.68.0/24", "240b:400c:f01::/48", "170.33.136.0/24", "2400:b200:4101::/48", "2401:8680:4100::/48", "240b:400c::/32", "47.89.92.0/22", "8.223.128.0/18", "47.89.124.0/23", "47.74.32.0/19", "47.244.0.0/17", "43.96.80.0/24", "8.211.104.0/21", "8.213.224.0/19", "47.86.0.0/17", "8.222.64.0/21", "240b:400e::/33", "161.117.143.0/24", "47.246.152.0/23", "47.246.93.0/24", "240b:4006:1010::/45", "47.254.224.0/19", "8.209.40.0/22", "149.129.64.0/18", "43.96.20.0/24", "240b:4000:8000::/33", "47.251.0.0/16", "240b:4002::/32", "8.222.16.0/21", "203.107.66.0/24", "8.222.24.0/21", "47.89.128.0/19", "240b:400c:8000::/33", "8.218.128.0/17", "8.216.128.0/17", "47.91.128.0/18", "8.221.64.0/18", "2404:2280:4000::/36", "8.211.80.0/21", "8.217.128.0/17", "8.220.229.0/24", "170.33.66.0/24", "47.237.0.0/16", "47.235.28.0/23", "170.33.74.0/24", "47.90.64.0/18", "47.246.82.0/23", "8.209.38.0/23", "240b:4005:8000::/33", "8.220.128.0/18", "139.95.14.0/23", "8.216.192.0/18", "8.218.0.0/16", "47.91.192.0/18", "8.221.48.0/21", "149.129.8.0/21", "43.91.0.0/16", "8.223.64.0/18", "8.216.148.0/24", "8.222.80.0/21", "2401:b180:4100::/48", "47.91.0.0/19", "47.246.154.0/24", "47.246.152.0/24", "47.250.64.0/18", "8.216.128.0/18", "170.33.72.0/24", "139.95.12.0/23", "240b:400c::/40", "8.221.128.0/18", "43.96.32.0/24", "47.90.128.0/17", "47.251.0.0/17", "43.96.34.0/24", "47.245.0.0/18", "47.85.112.0/23", "8.209.56.0/21", "8.213.252.0/24", "47.77.128.0/17", "139.95.2.0/23", "43.96.69.0/24", "161.117.126.0/24", "47.75.0.0/16", "47.89.82.0/23", "47.89.224.0/19", "8.209.0.0/20", "47.246.128.0/22", "8.221.0.0/21", "139.95.8.0/23", "47.253.128.0/17", "156.236.12.0/24", "203.107.65.0/24", "47.241.128.0/17", "8.222.88.0/21", "47.87.128.0/18", "47.254.128.0/18", "8.221.192.0/18", "240b:4001::/32", "47.235.16.0/24", "240b:4007::/32", "47.235.13.0/24", "47.235.24.0/23", "47.91.80.0/20", "43.96.11.0/24", "47.235.5.0/24", "8.209.160.0/19", "47.246.88.0/23", "47.77.4.0/22", "156.236.17.0/24", "8.209.224.0/19", "14.1.115.0/24", "149.129.96.0/19", "47.254.192.0/18", "47.245.192.0/18", "8.208.0.0/16", "47.83.0.0/16", "47.87.96.0/19", "47.252.64.0/18", "47.89.192.0/18", "47.89.122.0/24", "47.85.114.0/23", "2404:2280:1000::/36", "47.81.128.0/17", "47.246.147.0/24", "47.87.64.0/18", "47.235.9.0/24", "47.52.0.0/17", "47.246.156.0/22", "47.246.96.0/22", "47.74.0.0/18", "8.214.0.0/17", "47.246.192.0/22", "47.246.150.0/24", "43.91.0.0/17", "170.33.138.0/24", "8.213.0.0/18", "47.90.192.0/18", "47.85.0.0/16", "47.235.24.0/22", "47.235.16.0/23", "47.85.128.0/17", "103.81.186.0/23", "8.221.0.0/18", "43.96.7.0/24", "47.79.56.0/21", "240b:4013::/32", "47.89.108.0/22", "47.235.28.0/24", "47.246.82.0/24", "47.91.48.0/20", "185.78.106.0/23", "47.84.160.0/21", "140.205.1.0/24", "47.88.43.0/24", "47.83.32.0/21", "47.91.64.0/19", "43.96.100.0/24", "43.96.72.0/24", "47.87.0.0/18", "8.210.0.0/16", "47.88.192.0/18", "47.88.42.0/24", "170.33.92.0/24", "149.129.32.0/19", "47.52.128.0/17", "47.246.108.0/22", "8.221.56.0/21", "47.253.0.0/17", "110.76.23.0/24", "170.33.65.0/24", "240b:4006::/48", "47.245.0.0/19", "47.77.64.0/19", "8.209.39.0/24", "47.77.96.0/20", "47.80.128.0/18", "170.33.83.0/24", "47.77.32.0/19", "8.212.64.0/18", "43.96.40.0/24", "2400:b200:4102::/48", "43.96.81.0/24", "8.214.0.0/16", "161.117.128.0/24", "43.96.75.0/24", "8.215.160.0/24", "47.77.0.0/22", "47.239.0.0/16", "47.89.76.0/22", "47.82.14.0/23", "43.91.128.0/17", "47.89.88.0/22", "47.79.8.0/21", "240b:4004:8000::/33", "47.246.140.0/22", "43.96.74.0/24", "161.117.127.0/24", "8.212.192.0/19", "240b:4006:1000::/44", "47.80.192.0/18", "47.79.48.0/21", "47.254.64.0/18", "47.246.144.0/23", "47.246.92.0/24", "47.246.66.0/24", "47.246.150.0/23", "47.91.96.0/20", "47.89.98.0/23", "47.77.80.0/20", "8.210.240.0/24", "8.213.0.0/17", "47.250.99.0/24", "47.88.41.0/24", "47.80.32.0/19", "47.250.0.0/17", "43.96.8.0/24", "14.1.112.0/22", "240b:4006:1008::/45", "8.211.224.0/19", "47.84.144.0/21", "47.88.109.0/24", "2400:3200::/48", "47.56.0.0/16", "8.220.192.0/18", "8.223.0.0/17", "8.222.72.0/21", "47.246.69.0/24", "240b:4002:8000::/33", "43.96.66.0/24", "47.246.92.0/23", "47.246.136.0/22", "205.204.117.0/24", "8.222.80.0/20", "47.85.112.0/22", "47.79.128.0/19", "240b:400d:8000::/33", "170.33.64.0/24", "8.222.56.0/21", "240b:400d::/33", "8.222.64.0/20", "47.75.128.0/17", "8.209.48.0/21", "47.57.0.0/16", "139.95.0.0/23", "47.79.192.0/18", "170.33.30.0/24", "47.77.152.0/21", "8.212.192.0/18", "8.213.128.0/19", "47.77.6.0/23", "47.246.32.0/22", "140.205.122.0/24", "47.244.0.0/16", "47.246.158.0/23", "8.209.192.0/19", "170.33.77.0/24", "8.216.69.0/24", "8.213.192.0/19", "47.77.16.0/22", "47.235.10.0/24", "202.144.199.0/24", "47.254.0.0/17", "43.98.128.0/17", "240b:400c::/41", "47.250.128.0/17", "47.89.101.0/24", "47.90.128.0/18", "240b:4013:8000::/33", "8.209.44.0/23", "240b:400c:80::/41", "161.117.129.0/24", "47.91.64.0/20", "8.209.36.0/24", "8.221.8.0/21", "47.82.32.0/19", "47.77.4.0/23", "47.79.72.0/21", "8.212.160.0/19", "170.33.80.0/24", "47.246.156.0/23", "8.220.192.0/19", "47.246.68.0/24", "47.254.160.0/19", "47.82.56.0/21", "8.223.128.0/17", "47.74.128.0/18", "47.77.24.0/23", "170.33.93.0/24", "47.89.72.0/23", "47.84.152.0/21", "240b:400e::/32", "149.129.224.0/19", "2400:b200:4103::/48", "47.87.32.0/19", "47.86.0.0/16", "47.235.4.0/24", "139.95.6.0/23", "47.252.67.0/24", "47.246.123.0/24", "47.81.96.0/19", "43.96.10.0/24", "8.223.0.0/18", "240b:4005::/32", "47.246.130.0/23", "47.91.96.0/19", "240b:400b::/33", "47.246.132.0/23", "8.213.184.0/21", "47.246.124.0/24", "8.209.64.0/18", "2404:2280:3000::/36", "47.89.78.0/23", "47.250.128.0/18", "47.79.128.0/20", "240b:4011::/33", "47.244.128.0/17", "47.246.151.0/24", "8.211.226.0/24", "47.88.135.0/24", "47.80.0.0/18", "43.96.88.0/24", "47.235.6.0/23", "205.204.111.0/24", "240b:4006:1000::/45", "47.250.0.0/18", "47.89.76.0/23", "47.89.99.0/24", "8.211.0.0/17", "47.89.123.0/24", "8.209.128.0/19", "47.246.160.0/20", "43.99.0.0/16", "47.236.0.0/15", "240b:400e:fffe::/48", "47.80.96.0/19", "47.246.184.0/21", "47.235.8.0/24", "8.222.48.0/21", "47.89.94.0/23", "47.245.64.0/18", "47.77.128.0/21", "47.74.192.0/18", "2404:2280:4000::/37", "8.211.88.0/21", "8.213.192.0/18", "8.223.192.0/18", "240b:4002::/33", "149.129.64.0/19", "47.241.0.0/16", "240b:4006:1018::/45", "8.216.0.0/17", "149.129.0.0/21", "47.254.0.0/18", "8.220.64.0/18", "43.96.22.0/24", "170.33.33.0/24", "47.91.32.0/19", "47.246.76.0/22", "47.246.68.0/23", "47.246.146.0/23", "47.254.113.0/24", "47.89.128.0/18", "47.77.144.0/21", "47.89.104.0/22", "8.211.96.0/21", "47.80.0.0/19", "47.246.104.0/22", "47.80.64.0/18", "161.117.0.0/17", "170.33.88.0/24", "47.77.2.0/23", "47.241.0.0/17", "47.79.224.0/19", "170.33.105.0/24", "47.82.12.0/23", "47.246.146.0/24", "8.213.144.0/20", "43.99.0.0/17", "47.89.88.0/23", "8.220.64.0/19", "47.89.90.0/23", "47.235.19.0/24", "8.215.128.0/17", "47.235.21.0/24", "47.81.192.0/18", "8.211.0.0/18", "47.246.72.0/22", "8.211.64.0/18", "203.107.68.0/24", "59.82.136.0/23", "8.209.44.0/22", "8.209.36.0/23", "47.89.0.0/18", "8.216.0.0/18", "47.246.104.0/21", "240b:400b::/32", "47.246.72.0/21", "8.214.128.0/17", "8.209.48.0/20", "170.33.86.0/24", "110.76.21.0/24", "8.209.128.0/18", "8.222.96.0/20", "47.89.100.0/24", "47.89.192.0/19", "8.213.128.0/20", "2400:b200:4100::/48", "8.208.0.0/17", "170.33.90.0/24", "47.83.0.0/17", "240b:400c:100::/40", "170.33.82.0/24", "8.222.32.0/21", "47.246.86.0/23", "47.52.0.0/16", "47.79.192.0/19", "2404:2280:1800::/37", "8.222.112.0/20", "170.33.24.0/24", "47.89.92.0/23", "47.78.0.0/17", "47.84.0.0/16", "240b:400b:8000::/33", "8.209.38.0/24", "47.235.7.0/24", "47.235.23.0/24", "47.237.34.0/24", "47.79.144.0/20", "43.96.71.0/24", "5.181.224.0/23", "47.246.88.0/22", "47.246.96.0/21", "47.82.0.0/19", "8.209.40.0/23", "47.77.48.0/20", "8.209.16.0/20", "240b:4009::/32", "47.246.176.0/20", "47.250.192.0/18", "47.246.168.0/21", "47.89.160.0/19", "8.222.32.0/20", "223.5.5.0/24", "47.81.0.0/18", "47.89.96.0/24", "47.77.0.0/23", "43.96.24.0/24", "8.221.128.0/17", "47.246.144.0/24", "47.246.125.0/24", "240b:400e:ffff::/48", "47.84.0.0/17", "170.33.106.0/24", "156.227.20.0/24", "170.33.35.0/24", "240b:4006:1028::/45", "170.33.78.0/24", "198.11.128.0/18", "8.210.0.0/17", "47.83.40.0/21", "47.89.80.0/23", "43.98.0.0/16", "47.88.0.0/18", "47.89.74.0/23", "43.96.67.0/24", "47.79.48.0/20", "2404:2280:3800::/37", "47.235.11.0/24", "8.220.160.0/19", "43.96.84.0/24", "8.221.208.0/21", "139.95.18.0/23", "47.246.84.0/22", "47.77.16.0/21", "170.33.69.0/24", "47.78.128.0/17", "8.220.96.0/19", "8.209.0.0/19", "240b:400d::/32", "205.204.102.0/23", "47.87.128.0/19", "47.83.128.0/17", "8.218.0.0/17", "47.235.10.0/23", "8.208.128.0/17", "170.33.137.0/24", "8.209.37.0/24", "8.220.128.0/19", "47.79.112.0/20", "47.243.0.0/16", "47.246.196.0/23", "170.33.79.0/24", "47.252.0.0/18", "47.87.0.0/19", "2404:2280:2000::/36", "47.79.58.0/23", "170.33.34.0/24", "47.246.132.0/22", "240b:4012::/48", "47.91.112.0/20", "47.77.32.0/20", "240b:4005::/33", "8.222.8.0/21", "47.246.194.0/23", "2404:2280:1000::/37", "8.221.200.0/21", "43.96.23.0/24", "47.82.64.0/18", "147.139.128.0/17", "8.211.192.0/19", "47.251.128.0/17", "240b:4011::/32", "8.222.0.0/20", "47.235.12.0/24", "43.99.128.0/17", "47.246.80.0/24", "47.246.67.0/24", "47.246.122.0/24", "156.245.1.0/24", "8.210.128.0/17", "8.213.64.0/18", "45.199.179.0/24", "47.235.0.0/22", "47.246.136.0/21", "8.213.164.0/22", "8.209.192.0/18", "47.77.24.0/22", "47.82.64.0/19", "47.244.73.0/24", "47.89.72.0/22", "47.76.128.0/17", "47.76.0.0/16", "47.245.128.0/17", "47.75.0.0/17", "47.245.96.0/19", "47.235.20.0/24", "47.79.52.0/23", "47.79.80.0/20", "47.82.32.0/21", "47.251.224.0/22", "47.74.128.0/17", "223.6.6.0/24", "47.246.128.0/23", "147.139.128.0/18", "47.246.84.0/23", "240b:4007::/33", "170.33.85.0/24", "43.96.102.0/24", "43.98.0.0/17", "203.107.67.0/24", "8.222.0.0/21", "2404:2280:2800::/37", "43.96.101.0/24", "170.33.84.0/24", "8.219.128.0/17", "47.80.64.0/19", "43.96.85.0/24", "43.96.96.0/24", "43.96.73.0/24", "47.246.100.0/22", "47.79.60.0/23", "47.77.26.0/23", "8.222.128.0/17", "161.117.138.0/24", "47.235.18.0/23", "47.235.0.0/23", "240b:4006:1010::/44", "47.76.0.0/17", "8.221.216.0/21", "47.82.8.0/23", "2404:2280:4800::/37", "170.33.29.0/24", "47.245.128.0/18", "47.79.80.0/21", "47.89.221.0/24", "198.11.184.0/21", "240b:4009:8000::/33", "8.215.162.0/23", "8.211.128.0/19", "47.79.83.0/24", "2408:4009:500::/48", "47.81.64.0/19", "8.208.0.0/19", "47.240.0.0/17", "47.79.64.0/21", "47.90.0.0/18", "43.96.70.0/24", "149.129.0.0/20", "240b:400c::/33", "2408:4000:1000::/48", "170.33.76.0/24", "205.204.96.0/19", "47.88.64.0/18", "8.209.96.0/19", "47.79.104.0/21", "47.82.10.0/23", "47.79.88.0/21", "47.245.64.0/19", "139.95.16.0/23", "47.77.20.0/22", "240b:400f::/33", "47.235.2.0/23", "8.221.0.0/17", "8.213.160.0/22", "8.215.169.0/24", "170.33.81.0/24", "47.89.124.0/24", "47.235.30.0/24", "47.79.62.0/23", "43.96.68.0/24", "47.246.120.0/24", "8.221.192.0/21", "8.221.184.0/22", "47.77.136.0/21", "8.220.224.0/19", "156.240.76.0/23", "8.208.141.0/24", "2404:2280:2000::/37", "47.84.128.0/17", "47.85.0.0/17", "8.217.0.0/17", "47.89.84.0/24", "47.238.0.0/15", "47.86.128.0/17", "240b:4011:8000::/33", "240b:4006:1000::/47", "47.246.134.0/23", "47.79.96.0/20", "47.79.0.0/21", "47.89.103.0/24", "47.89.97.0/24", "240b:4000::/33", "47.242.0.0/16", "47.56.0.0/15", "47.91.32.0/20", "147.139.192.0/18", "240b:4013::/33", "47.79.40.0/21", "8.209.46.0/23", "47.82.48.0/21", "47.82.40.0/21", "47.87.192.0/22", "47.87.192.0/23", "47.87.194.0/23", "47.87.196.0/22", "47.87.196.0/23", "47.87.198.0/23", "240b:400c:ffff::/48", "47.87.208.0/23", "47.87.210.0/23", "47.87.208.0/22", "47.87.222.0/23", "47.87.216.0/23", "47.87.200.0/23", "47.87.220.0/23", "47.87.216.0/22", "47.87.224.0/22", "47.87.204.0/22", "47.87.212.0/23", "47.87.226.0/23", "47.87.200.0/22", "47.87.206.0/23", "43.100.0.0/16", "47.87.212.0/22", "47.87.218.0/23", "47.87.214.0/23", "43.100.0.0/15", "47.87.204.0/23", "47.87.220.0/22", "43.101.0.0/16", "47.87.224.0/23", "47.87.202.0/23"]

-4

packages/anubis-files/src/rules/challenge/generic-browser.yaml

···

       1
       -
       - name: generic-browser

     

       2
       -
         user_agent_regex: >-

     

       3
       -
           Mozilla|Opera

     

       4
       -
         action: CHALLENGE

+26

packages/bgutil-pot-server/librusty_v8.nix

···

       1
       +
       # COPIED FROM nixpkgs/pkgs/by-name/router

     

       2
       +
       {

     

       3
       +
         lib,

     

       4
       +
         stdenv,

     

       5
       +
         fetchurl,

     

       6
       +
       }:

     

       7
       +
       

     

       8
       +
       let

     

       9
       +
         fetch_librusty_v8 =

     

       10
       +
           args:

     

       11
       +
           fetchurl {

     

       12
       +
             name = "librusty_v8-${args.version}";

     

       13
       +
             url = "https://github.com/denoland/rusty_v8/releases/download/v${args.version}/librusty_v8_release_${stdenv.hostPlatform.rust.rustcTarget}.a";

     

       14
       +
             sha256 = args.shas.${stdenv.hostPlatform.system};

     

       15
       +
             meta = {

     

       16
       +
               inherit (args) version;

     

       17
       +
               sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];

     

       18
       +
             };

     

       19
       +
           };

     

       20
       +
       in

     

       21
       +
       fetch_librusty_v8 {

     

       22
       +
         version = "130.0.7";

     

       23
       +
         shas = {

     

       24
       +
           x86_64-linux = "sha256-pkdsuU6bAkcIHEZUJOt5PXdzK424CEgTLXjLtQ80t10=";

     

       25
       +
         };

     

       26
       +
       }

+49

packages/bgutil-pot-server/package.nix

···

       1
       +
       {

     

       2
       +
         lib,

     

       3
       +
         callPackage,

     

       4
       +
         rustPlatform,

     

       5
       +
         fetchFromGitHub,

     

       6
       +
         pkg-config,

     

       7
       +
         openssl,

     

       8
       +
         _experimental-update-script-combinators,

     

       9
       +
         nix-update-script,

     

       10
       +
       }:

     

       11
       +
       rustPlatform.buildRustPackage (finalAttrs: {

     

       12
       +
         pname = "bgutil-pot-server";

     

       13
       +
         version = "0.6.0";

     

       14
       +
       

     

       15
       +
         src = fetchFromGitHub {

     

       16
       +
           owner = "jim60105";

     

       17
       +
           repo = "bgutil-ytdlp-pot-provider-rs";

     

       18
       +
           tag = "v${finalAttrs.version}";

     

       19
       +
           hash = "sha256-kEu5WqOymH8yAyMhGKtVPOq3qlTRpFU/FO71uWEX/e8=";

     

       20
       +
         };

     

       21
       +
       

     

       22
       +
         cargoHash = "sha256-fJZeyIsFUfpWeC1MWsU1hANb6cqC9xHQOnhcohEMTeM=";

     

       23
       +
       

     

       24
       +
         nativeBuildInputs = [

     

       25
       +
           pkg-config

     

       26
       +
         ];

     

       27
       +
       

     

       28
       +
         buildInputs = [

     

       29
       +
           openssl

     

       30
       +
         ];

     

       31
       +
       

     

       32
       +
         env.RUSTY_V8_ARCHIVE = callPackage ./librusty_v8.nix { };

     

       33
       +
       

     

       34
       +
         doCheck = false;

     

       35
       +
       

     

       36
       +
         passthru.updateScript = _experimental-update-script-combinators.sequence [

     

       37
       +
           (nix-update-script { })

     

       38
       +
           ./update-librusty.sh

     

       39
       +
         ];

     

       40
       +
       

     

       41
       +
         meta = {

     

       42
       +
           changelog = "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs/releases/tag/v${finalAttrs.version}";

     

       43
       +
           description = "Proof-of-origin token provider plugin for yt-dlp in Rust";

     

       44
       +
           homepage = "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs";

     

       45
       +
           license = lib.licenses.gpl3Plus;

     

       46
       +
           maintainers = with lib.maintainers; [ pyrox0 ];

     

       47
       +
           mainProgram = "bgutil-pot";

     

       48
       +
         };

     

       49
       +
       })

+45

packages/bgutil-pot-server/update-librusty.sh

···

       1
       +
       #!/usr/bin/env nix-shell

     

       2
       +
       #!nix-shell -i bash -p gnugrep gnused nix jq

     

       3
       +
       # shellcheck shell=bash

     

       4
       +
       # COPIED FROM nixpkgs/pkgs/by-name/wi/windmill

     

       5
       +
       

     

       6
       +
       set -eu -o pipefail

     

       7
       +
       

     

       8
       +
       echo "librusty_v8: UPDATING"

     

       9
       +
       

     

       10
       +
       BGUTIL_LATEST_VERSION=$(curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location "https://api.github.com/repos/jim60105/bgutil-ytdlp-pot-provider-rs/releases/latest" | jq --raw-output .tag_name)

     

       11
       +
       CARGO_LOCK=$(curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs/raw/$BGUTIL_LATEST_VERSION/Cargo.lock")

     

       12
       +
       

     

       13
       +
       PACKAGE_DIR=$(dirname "$(readlink --canonicalize-existing "${BASH_SOURCE[0]}")")

     

       14
       +
       OUTPUT_FILE="$PACKAGE_DIR/librusty_v8.nix"

     

       15
       +
       NEW_VERSION=$(echo "$CARGO_LOCK" | grep --after-context 5 'name = "v8"' | grep 'version =' | sed -E 's/version = "//;s/"//')

     

       16
       +
       

     

       17
       +
       CURRENT_VERSION=""

     

       18
       +
       if [ -f "$OUTPUT_FILE" ]; then

     

       19
       +
         CURRENT_VERSION="$(grep 'version =' "$OUTPUT_FILE" | sed -E 's/version = "//;s/"//')"

     

       20
       +
       fi

     

       21
       +
       

     

       22
       +
       if [ "$CURRENT_VERSION" == "$NEW_VERSION" ]; then

     

       23
       +
         echo "No update needed, $CURRENT_VERSION is already latest"

     

       24
       +
         exit 0

     

       25
       +
       fi

     

       26
       +
       

     

       27
       +
       x86Hash="$(nix-prefetch-url --type sha256 https://github.com/denoland/rusty_v8/releases/download/v"$NEW_V")"

     

       28
       +
       TEMP_FILE="$OUTPUT_FILE.tmp"

     

       29
       +
       cat >"$TEMP_FILE" <<EOF

     

       30
       +
       # COPIED FROM nixpkgs/pkgs/by-name/wi/windmill

     

       31
       +
       # auto-generated file -- DO NOT EDIT!

     

       32
       +
       { fetchLibrustyV8 }:

     

       33
       +
       

     

       34
       +
       fetchLibrustyV8 {

     

       35
       +
         version = "$NEW_VERSION";

     

       36
       +
         shas = {

     

       37
       +
           # NOTE; Follows supported platforms of package (see meta.platforms attribute)!

     

       38
       +
           x86_64-linux = "$(nix hash convert --hash-algo sha256 --from nix32 "$x86Hash")";

     

       39
       +
         };

     

       40
       +
       }

     

       41
       +
       EOF

     

       42
       +
       

     

       43
       +
       mv "$TEMP_FILE" "$OUTPUT_FILE"

     

       44
       +
       

     

       45
       +
       echo "librusty_v8: UPDATE DONE"

+6 -6

packages/glide-browser-bin/package.nix

···

       25
        
       }:

     

       26
        
       stdenv.mkDerivation (finalAttrs: {

     

       27
        
         pname = "glide-browser";

     

       28
       -
         version = "0.1.54a";

     

       29
        
       

     

       30
        
         src = fetchurl {

     

       31
        
           url = "https://github.com/glide-browser/glide/releases/download/${finalAttrs.version}/glide.linux-x86_64.tar.xz";

     

       32
       -
           hash = "sha256-Rw85b+9eaiM9szWpYZiF7FqJY7OpliOwt09/c8UWlGk=";

     

       33
        
         };

     

       34
        
       

     

       35
        
         nativeBuildInputs = [

     
···

       44
        
       

     

       45
        
         buildInputs = [

     

       46
        
           # keep-sorted start

     

       47
       -
           gtk3

     

       48
        
           adwaita-icon-theme

     

       49
       -
           hicolor-icon-theme

     

       50
        
           alsa-lib

     

       51
        
           dbus-glib

     

       0
        
       
     

       0
        
       
     

       52
        
           libXtst

     

       53
        
           # keep-sorted end

     

       54
        
         ];

     
···

       56
        
         runtimeDependencies = [

     

       57
        
           # keep-sorted start

     

       58
        
           curl

     

       59
       -
           pciutils

     

       60
        
           libva.out

     

       0
        
       
     

       61
        
           # keep-sorted end

     

       62
        
         ];

     

       63
        
       

     
···

       78
        
           for i in 16 32 48 64 128; do

     

       79
        
             iconSizeDir="$iconDir/''${i}x$i/apps"

     

       80
        
             mkdir -p $iconSizeDir

     

       81
       -
             cp $browserIcons/default$i.png $iconSizeDir/glide-brower.png

     

       82
        
           done

     

       83
        
       

     

       84

···

       25
        
       }:

     

       26
        
       stdenv.mkDerivation (finalAttrs: {

     

       27
        
         pname = "glide-browser";

     

       28
       +
         version = "0.1.55a";

     

       29
        
       

     

       30
        
         src = fetchurl {

     

       31
        
           url = "https://github.com/glide-browser/glide/releases/download/${finalAttrs.version}/glide.linux-x86_64.tar.xz";

     

       32
       +
           hash = "sha256-mjk8KmB/T5ZpB9AMQw1mtb9VbMXVX2VV4N+hWpWkSYI=";

     

       33
        
         };

     

       34
        
       

     

       35
        
         nativeBuildInputs = [

     
···

       44
        
       

     

       45
        
         buildInputs = [

     

       46
        
           # keep-sorted start

     

       0
        
       
     

       47
        
           adwaita-icon-theme

     

       0
        
       
     

       48
        
           alsa-lib

     

       49
        
           dbus-glib

     

       50
       +
           gtk3

     

       51
       +
           hicolor-icon-theme

     

       52
        
           libXtst

     

       53
        
           # keep-sorted end

     

       54
        
         ];

     
···

       56
        
         runtimeDependencies = [

     

       57
        
           # keep-sorted start

     

       58
        
           curl

     

       0
        
       
     

       59
        
           libva.out

     

       60
       +
           pciutils

     

       61
        
           # keep-sorted end

     

       62
        
         ];

     

       63
        
       

     
···

       78
        
           for i in 16 32 48 64 128; do

     

       79
        
             iconSizeDir="$iconDir/''${i}x$i/apps"

     

       80
        
             mkdir -p $iconSizeDir

     

       81
       +
             cp $browserIcons/default$i.png $iconSizeDir/glide-browser.png

     

       82
        
           done

     

       83
        
       

     

       84

+4 -1

packages/planka/package.nix

···

       78
        
       in

     

       79
        
       stdenv.mkDerivation (finalAttrs: {

     

       80
        
         pname = "planka";

     

       81
       -
         inherit version src meta;

     

       82
        
       

     

       83
        
         sourceRoot = "${finalAttrs.src.name}/server";

     

       84
        
       

     
···

       132
        
         '';

     

       133
        
       

     

       134
        
         passthru.updateScript = nix-update-script { extraArgs = [ "--version=unstable" ]; };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       135
        
       })

···

       78
        
       in

     

       79
        
       stdenv.mkDerivation (finalAttrs: {

     

       80
        
         pname = "planka";

     

       81
       +
         inherit version src;

     

       82
        
       

     

       83
        
         sourceRoot = "${finalAttrs.src.name}/server";

     

       84
        
       

     
···

       132
        
         '';

     

       133
        
       

     

       134
        
         passthru.updateScript = nix-update-script { extraArgs = [ "--version=unstable" ]; };

     

       135
       +
         meta = meta // {

     

       136
       +
           mainProgram = "planka";

     

       137
       +
         };

     

       138
        
       })

Compare changes