comparing becd1626b11d8233cb667c09f09eb63ac5d6adc5 and master on sapphic.moe/flake

+16

flake.lock

···

       82
        
               "type": "github"

     

       83
        
             }

     

       84
        
           },

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       85
        
           "easy-hosts": {

     

       86
        
             "locked": {

     

       87
        
               "lastModified": 1755470564,

     
···

       512
        
           "root": {

     

       513
        
             "inputs": {

     

       514
        
               "catppuccin": "catppuccin",

     

       0
        
       
     

       515
        
               "easy-hosts": "easy-hosts",

     

       516
        
               "flake-parts": "flake-parts",

     

       517
        
               "home-manager": "home-manager",

···

       82
        
               "type": "github"

     

       83
        
             }

     

       84
        
           },

     

       85
       +
           "darwin-login-items": {

     

       86
       +
             "locked": {

     

       87
       +
               "lastModified": 1763528199,

     

       88
       +
               "narHash": "sha256-8LQ5Wp3AJUp71Elax1R9lNkuEbO2Mrnpq+o8qpbhQyc=",

     

       89
       +
               "owner": "uncenter",

     

       90
       +
               "repo": "nix-darwin-login-items",

     

       91
       +
               "rev": "ab75c315893ca206ddf9529e6e3aac6cb01b2f1a",

     

       92
       +
               "type": "github"

     

       93
       +
             },

     

       94
       +
             "original": {

     

       95
       +
               "owner": "uncenter",

     

       96
       +
               "repo": "nix-darwin-login-items",

     

       97
       +
               "type": "github"

     

       98
       +
             }

     

       99
       +
           },

     

       100
        
           "easy-hosts": {

     

       101
        
             "locked": {

     

       102
        
               "lastModified": 1755470564,

     
···

       527
        
           "root": {

     

       528
        
             "inputs": {

     

       529
        
               "catppuccin": "catppuccin",

     

       530
       +
               "darwin-login-items": "darwin-login-items",

     

       531
        
               "easy-hosts": "easy-hosts",

     

       532
        
               "flake-parts": "flake-parts",

     

       533
        
               "home-manager": "home-manager",

+3 -5

flake.nix

···

       55
        
             url = "git+https://tangled.org/@tangled.org/core";

     

       56
        
             inputs.nixpkgs.follows = "nixpkgs";

     

       57
        
           };

     

       0
        
       
     

       0
        
       
     

       58
        
         };

     

       59
        
       

     

       60
        
         outputs =

     

       61
       -
           inputs@{

     

       62
       -
             flake-parts,

     

       63
       -
             nixos-wsl,

     

       64
       -
             ...

     

       65
       -
           }:

     

       66
        
           flake-parts.lib.mkFlake { inherit inputs; } {

     

       67
        
             imports = [

     

       68
        
               inputs.easy-hosts.flakeModule

···

       55
        
             url = "git+https://tangled.org/@tangled.org/core";

     

       56
        
             inputs.nixpkgs.follows = "nixpkgs";

     

       57
        
           };

     

       58
       +
       

     

       59
       +
           darwin-login-items.url = "github:uncenter/nix-darwin-login-items";

     

       60
        
         };

     

       61
        
       

     

       62
        
         outputs =

     

       63
       +
           inputs@{ flake-parts, ... }:

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       64
        
           flake-parts.lib.mkFlake { inherit inputs; } {

     

       65
        
             imports = [

     

       66
        
               inputs.easy-hosts.flakeModule

+20

home/chloe/activation.nix

···

       1
       +
       # macOS Tahoe (26.x) no longer supports symlinks in the Launchpad.

     

       2
       +
       # So, we're forced to copy applications instead of linking them.

     

       3
       +
       # This is computationally slower, but we're left with no choice.

     

       4
       +
       

     

       5
       +
       {

     

       6
       +
         pkgs,

     

       7
       +
         lib,

     

       8
       +
         ...

     

       9
       +
       }:

     

       10
       +
       

     

       11
       +
       {

     

       12
       +
         config = lib.mkIf pkgs.stdenv.hostPlatform.isDarwin {

     

       13
       +
           targets.darwin.copyApps = {

     

       14
       +
             enable = true;

     

       15
       +
             enableChecks = true;

     

       16
       +
           };

     

       17
       +
       

     

       18
       +
           targets.darwin.linkApps.enable = false;

     

       19
       +
         };

     

       20
       +
       }

+28

home/chloe/autostart.nix

···

       1
       +
       {

     

       2
       +
         lib,

     

       3
       +
         osConfig,

     

       4
       +
         pkgs,

     

       5
       +
         ...

     

       6
       +
       }:

     

       7
       +
       

     

       8
       +
       {

     

       9
       +
         config = lib.mkIf osConfig.settings.profiles.graphical.enable {

     

       10
       +
           xdg.configFile = {

     

       11
       +
             # .desktop files for autostart only work on Linux with XDG

     

       12
       +
             "autostart/1password.desktop" = lib.mkIf pkgs.stdenv.hostPlatform.isLinux {

     

       13
       +
               text = ''

     

       14
       +
                 [Desktop Entry]

     

       15
       +
                 Name=1Password

     

       16
       +
                 Exec=1password --silent %U

     

       17
       +
                 Terminal=false

     

       18
       +
                 Type=Application

     

       19
       +
                 Icon=1password

     

       20
       +
                 StartupWMClass=1Password

     

       21
       +
                 Comment=Password manager and secure wallet

     

       22
       +
                 MimeType=x-scheme-handler/onepassword;

     

       23
       +
                 Categories=Office;

     

       24
       +
               '';

     

       25
       +
             };

     

       26
       +
           };

     

       27
       +
         };

     

       28
       +
       }

+3

home/chloe/default.nix

···

       1
        
       {

     

       2
        
         imports = [

     

       0
        
       
     

       0
        
       
     

       3
        
           ./catppuccin.nix

     

       4
        
           ./docs.nix

     

       5
        
           ./files.nix

     

       6
        
           ./packages

     

       7
        
           ./programs

     

       0
        
       
     

       8
        
         ];

     

       9
        
       

     

       10
        
         xdg.enable = true;

···

       1
        
       {

     

       2
        
         imports = [

     

       3
       +
           ./activation.nix

     

       4
       +
           ./autostart.nix

     

       5
        
           ./catppuccin.nix

     

       6
        
           ./docs.nix

     

       7
        
           ./files.nix

     

       8
        
           ./packages

     

       9
        
           ./programs

     

       10
       +
           ./scripts.nix

     

       11
        
         ];

     

       12
        
       

     

       13
        
         xdg.enable = true;

-23

home/chloe/packages/autostart.nix

···

       1
       -
       { lib, osConfig, pkgs, ... }:

     

       2
       -
       

     

       3
       -
       {

     

       4
       -
         config = lib.mkIf osConfig.settings.profiles.graphical.enable {

     

       5
       -
           xdg.configFile = {

     

       6
       -
             # .desktop files for autostart only work on Linux with XDG

     

       7
       -
             "autostart/1password.desktop" = lib.mkIf pkgs.stdenv.isLinux {

     

       8
       -
               text = ''

     

       9
       -
                 [Desktop Entry]

     

       10
       -
                 Name=1Password

     

       11
       -
                 Exec=1password --silent %U

     

       12
       -
                 Terminal=false

     

       13
       -
                 Type=Application

     

       14
       -
                 Icon=1password

     

       15
       -
                 StartupWMClass=1Password

     

       16
       -
                 Comment=Password manager and secure wallet

     

       17
       -
                 MimeType=x-scheme-handler/onepassword;

     

       18
       -
                 Categories=Office;

     

       19
       -
               '';

     

       20
       -
             };

     

       21
       -
           };

     

       22
       -
         };

     

       23
       -
       }

+14

home/chloe/packages/base.nix

···

       1
       +
       { pkgs }:

     

       2
       +
       

     

       3
       +
       with pkgs;

     

       4
       +
       [

     

       5
       +
         # dev tools

     

       6
       +
         nodejs

     

       7
       +
         deno

     

       8
       +
         cloudflared

     

       9
       +
         corepack_latest

     

       10
       +
         bun

     

       11
       +
       

     

       12
       +
         # other

     

       13
       +
         _1password-cli

     

       14
       +
       ]

+15

home/chloe/packages/darwin.nix

···

       1
       +
       {

     

       2
       +
         pkgs,

     

       3
       +
         lib,

     

       4
       +
         osConfig,

     

       5
       +
       }:

     

       6
       +
       

     

       7
       +
       let

     

       8
       +
         packages = with pkgs; [

     

       9
       +
           # tools

     

       10
       +
           shottr

     

       11
       +
         ];

     

       12
       +
       in

     

       13
       +
       lib.optionals (

     

       14
       +
         osConfig.settings.profiles.graphical.enable && pkgs.stdenv.hostPlatform.isDarwin

     

       15
       +
       ) packages

+7 -10

home/chloe/packages/default.nix

···

       1
       -
       { 

     

       2
        
         pkgs,

     

       3
        
         lib,

     

       4
       -
         osConfig, 

     

       5
        
         ...

     

       6
        
       }:

     

       7
        
       

     

       8
        
       let

     

       9
       -
         defaultPackages = import ./list/default.nix { inherit pkgs; };

     

       10
       -
         guiPackages = import ./list/gui.nix { inherit pkgs lib osConfig; };

     

       0
        
       
     

       0
        
       
     

       11
        
       in

     

       12
        
       {

     

       13
       -
         imports = [

     

       14
       -
           ./autostart.nix

     

       15
       -
           ./scripts.nix

     

       16
       -
         ];

     

       17
       -
       

     

       18
        
         config = {

     

       19
       -
           home.packages = defaultPackages ++ guiPackages;

     

       20
        
         };

     

       21
        
       }

···

       1
       +
       {

     

       2
        
         pkgs,

     

       3
        
         lib,

     

       4
       +
         osConfig,

     

       5
        
         ...

     

       6
        
       }:

     

       7
        
       

     

       8
        
       let

     

       9
       +
         basePackages = import ./base.nix { inherit pkgs; };

     

       10
       +
         darwinPackages = import ./darwin.nix { inherit pkgs lib osConfig; };

     

       11
       +
         linuxPackages = import ./linux.nix { inherit pkgs lib osConfig; };

     

       12
       +
         universalPackages = import ./universal.nix { inherit pkgs lib osConfig; };

     

       13
        
       in

     

       14
        
       {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
         config = {

     

       16
       +
           home.packages = basePackages ++ darwinPackages ++ linuxPackages ++ universalPackages;

     

       17
        
         };

     

       18
        
       }

+32

home/chloe/packages/linux.nix

···

       1
       +
       {

     

       2
       +
         pkgs,

     

       3
       +
         lib,

     

       4
       +
         osConfig,

     

       5
       +
       }:

     

       6
       +
       

     

       7
       +
       let

     

       8
       +
         packages = with pkgs; [

     

       9
       +
           # messengers

     

       10
       +
           telegram-desktop

     

       11
       +
           vesktop

     

       12
       +
       

     

       13
       +
           # dev tools

     

       14
       +
           httpie-desktop

     

       15
       +
       

     

       16
       +
           # mail

     

       17
       +
           thunderbird

     

       18
       +
       

     

       19
       +
           # games

     

       20
       +
           xivlauncher

     

       21
       +
       

     

       22
       +
           # messengers

     

       23
       +
           discord

     

       24
       +
       

     

       25
       +
           # other GUI apps

     

       26
       +
           obs-studio

     

       27
       +
           _1password-gui

     

       28
       +
         ];

     

       29
       +
       in

     

       30
       +
       lib.optionals (

     

       31
       +
         osConfig.settings.profiles.graphical.enable && pkgs.stdenv.hostPlatform.isLinux

     

       32
       +
       ) packages

-19

home/chloe/packages/list/default.nix

···

       1
       -
       { pkgs }:

     

       2
       -
       

     

       3
       -
       with pkgs; [

     

       4
       -
         # dev tools

     

       5
       -
         nodejs

     

       6
       -
         deno

     

       7
       -
         cloudflared

     

       8
       -
         corepack_latest

     

       9
       -
         bun

     

       10
       -
       

     

       11
       -
         # fonts

     

       12
       -
         iosevka

     

       13
       -
         inter

     

       14
       -
         atkinson-hyperlegible

     

       15
       -
         nerd-fonts.jetbrains-mono

     

       16
       -
       

     

       17
       -
         # other

     

       18
       -
         _1password-cli

     

       19
       -
       ]

-31

home/chloe/packages/list/gui.nix

···

       1
       -
       { pkgs, lib, osConfig }:

     

       2
       -
       

     

       3
       -
       let

     

       4
       -
         # Common GUI packages available on all platforms

     

       5
       -
         commonPackages = with pkgs; [

     

       6
       -
           # cloud

     

       7
       -
           owncloud-client

     

       8
       -
       

     

       9
       -
           # messengers

     

       10
       -
           telegram-desktop

     

       11
       -
           vesktop

     

       12
       -
       

     

       13
       -
           # notes

     

       14
       -
           obsidian

     

       15
       -
       

     

       16
       -
           # dev tools

     

       17
       -
           zed-editor

     

       18
       -
           httpie-desktop

     

       19
       -
       

     

       20
       -
           # mail

     

       21
       -
           thunderbird

     

       22
       -
       

     

       23
       -
           # games

     

       24
       -
           prismlauncher

     

       25
       -
           xivlauncher

     

       26
       -
       

     

       27
       -
           # other GUI apps

     

       28
       -
           obs-studio

     

       29
       -
           _1password-gui

     

       30
       -
         ];

     

       31
       -
       in lib.optionals osConfig.settings.profiles.graphical.enable commonPackages

-15

home/chloe/packages/scripts.nix

···

       1
       -
       { pkgs, ... }:

     

       2
       -
       

     

       3
       -
       {  

     

       4
       -
         home.packages = with pkgs; [

     

       5
       -
           # Convert nix hash to SRI format and fetch from URL

     

       6
       -
           (writeShellScriptBin "shash" ''

     

       7
       -
             nix hash to-sri --type sha256 $(nix-prefetch-url ''$1)

     

       8
       -
           '')

     

       9
       -
       

     

       10
       -
           # Create a Python virtual environment with --copies flag

     

       11
       -
           (writeShellScriptBin "create-venv" ''

     

       12
       -
             nix run nixpkgs#python3 -- -m venv .venv --copies

     

       13
       -
           '')

     

       14
       -
         ];

     

       15
       -
       }

+25

home/chloe/packages/universal.nix

···

       1
       +
       {

     

       2
       +
         pkgs,

     

       3
       +
         lib,

     

       4
       +
         osConfig,

     

       5
       +
       }:

     

       6
       +
       

     

       7
       +
       let

     

       8
       +
         packages = with pkgs; [

     

       9
       +
           # dev tools

     

       10
       +
           zed-editor

     

       11
       +
       

     

       12
       +
           # fonts

     

       13
       +
           iosevka

     

       14
       +
           inter

     

       15
       +
           atkinson-hyperlegible

     

       16
       +
           nerd-fonts.jetbrains-mono

     

       17
       +
       

     

       18
       +
           # games

     

       19
       +
           prismlauncher

     

       20
       +
       

     

       21
       +
           # notes

     

       22
       +
           obsidian

     

       23
       +
         ];

     

       24
       +
       in

     

       25
       +
       lib.optionals osConfig.settings.profiles.graphical.enable packages

+12 -8

home/chloe/programs/cli/zsh.nix

···

       1
       -
       { lib, pkgs, osConfig, config, ... }:

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       2
        
       

     

       3
        
       {

     

       4
        
         programs.zsh = {

     
···

       18
        
           '';

     

       19
        
       

     

       20
        
           envExtra = ''

     

       21
       -
             ${lib.optionalString pkgs.stdenv.isLinux ''

     

       22
       -
               export PRISMA_SCHEMA_ENGINE_BINARY="${pkgs.prisma-engines}/bin/schema-engine"

     

       23
       -
               export PRISMA_QUERY_ENGINE_BINARY="${pkgs.prisma-engines}/bin/query-engine"

     

       24
       -
               export PRISMA_QUERY_ENGINE_LIBRARY="${pkgs.prisma-engines}/lib/libquery_engine.node"

     

       25
       -
               export PRISMA_INTROSPECTION_ENGINE_BINARY="${pkgs.prisma-engines}/bin/introspection-engine"

     

       26
       -
               export PRISMA_FMT_BINARY="${pkgs.prisma-engines}/bin/prisma-fmt"

     

       27
       -
             ''}

     

       28
        
           '';

     

       29
        
       

     

       30
        
           shellAliases = lib.mkMerge [

···

       1
       +
       {

     

       2
       +
         lib,

     

       3
       +
         pkgs,

     

       4
       +
         osConfig,

     

       5
       +
         config,

     

       6
       +
         ...

     

       7
       +
       }:

     

       8
        
       

     

       9
        
       {

     

       10
        
         programs.zsh = {

     
···

       24
        
           '';

     

       25
        
       

     

       26
        
           envExtra = ''

     

       27
       +
             export PRISMA_SCHEMA_ENGINE_BINARY="${pkgs.prisma-engines}/bin/schema-engine"

     

       28
       +
             export PRISMA_QUERY_ENGINE_BINARY="${pkgs.prisma-engines}/bin/query-engine"

     

       29
       +
             export PRISMA_QUERY_ENGINE_LIBRARY="${pkgs.prisma-engines}/lib/libquery_engine.node"

     

       30
       +
             export PRISMA_INTROSPECTION_ENGINE_BINARY="${pkgs.prisma-engines}/bin/introspection-engine"

     

       31
       +
             export PRISMA_FMT_BINARY="${pkgs.prisma-engines}/bin/prisma-fmt"

     

       0
        
       
     

       0
        
       
     

       32
        
           '';

     

       33
        
       

     

       34
        
           shellAliases = lib.mkMerge [

+15

home/chloe/scripts.nix

···

       1
       +
       { pkgs, ... }:

     

       2
       +
       

     

       3
       +
       {  

     

       4
       +
         home.packages = with pkgs; [

     

       5
       +
           # Convert nix hash to SRI format and fetch from URL

     

       6
       +
           (writeShellScriptBin "shash" ''

     

       7
       +
             nix hash to-sri --type sha256 $(nix-prefetch-url ''$1)

     

       8
       +
           '')

     

       9
       +
       

     

       10
       +
           # Create a Python virtual environment with --copies flag

     

       11
       +
           (writeShellScriptBin "create-venv" ''

     

       12
       +
             nix run nixpkgs#python3 -- -m venv .venv --copies

     

       13
       +
           '')

     

       14
       +
         ];

     

       15
       +
       }

+6

hosts/juniper/default.nix

···

       1
        
       {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       2
        
         system.stateVersion = 6; # Initial nix-darwin version

     

       3
        
       }

···

       1
        
       {

     

       2
       +
         settings = {

     

       3
       +
           profiles = {

     

       4
       +
             graphical.enable = true;

     

       5
       +
             laptop.enable = true;

     

       6
       +
           };

     

       7
       +
         };

     

       8
        
         system.stateVersion = 6; # Initial nix-darwin version

     

       9
        
       }

+1

modules/darwin/default.nix

···

       7
        
           ./packages.nix

     

       8
        
           ./preferences

     

       9
        
           ./security

     

       0
        
       
     

       10
        
           ./users.nix

     

       11
        
         ];

     

       12
        
       }

···

       7
        
           ./packages.nix

     

       8
        
           ./preferences

     

       9
        
           ./security

     

       10
       +
           ./startup.nix

     

       11
        
           ./users.nix

     

       12
        
         ];

     

       13
        
       }

+1

modules/darwin/extras.nix

···

       4
        
         imports = [

     

       5
        
           inputs.home-manager.darwinModules.home-manager

     

       6
        
           inputs.ragenix.darwinModules.default

     

       0
        
       
     

       7
        
         ];

     

       8
        
       }

···

       4
        
         imports = [

     

       5
        
           inputs.home-manager.darwinModules.home-manager

     

       6
        
           inputs.ragenix.darwinModules.default

     

       7
       +
           inputs.darwin-login-items.darwinModules.default

     

       8
        
         ];

     

       9
        
       }

+8 -1

modules/darwin/homebrew.nix

···

       22
        
           # Casks (GUI applications)

     

       23
        
           casks = [

     

       24
        
             "1password"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       25
        
             "maccy"

     

       0
        
       
     

       26
        
             "microsoft-teams"

     

       0
        
       
     

       27
        
             "music-presence"

     

       28
       -
             "prismlauncher"

     

       0
        
       
     

       0
        
       
     

       29
        
           ];

     

       30
        
       

     

       31
        
           # Mac App Store apps (requires mas-cli)

···

       22
        
           # Casks (GUI applications)

     

       23
        
           casks = [

     

       24
        
             "1password"

     

       25
       +
             "bruno"

     

       26
       +
             "crossover"

     

       27
       +
             "discord"

     

       28
        
             "maccy"

     

       29
       +
             "microsoft-edge"

     

       30
        
             "microsoft-teams"

     

       31
       +
             "mos"

     

       32
        
             "music-presence"

     

       33
       +
             "osu"

     

       34
       +
             "signal"

     

       35
       +
             "steam"

     

       36
        
           ];

     

       37
        
       

     

       38
        
           # Mac App Store apps (requires mas-cli)

+19

modules/darwin/startup.nix

···

       1
       +
       {

     

       2
       +
         config,

     

       3
       +
         pkgs,

     

       4
       +
         lib,

     

       5
       +
         ...

     

       6
       +
       }:

     

       7
       +
       

     

       8
       +
       {

     

       9
       +
         environment.loginItems = {

     

       10
       +
           enable = true;

     

       11
       +
           items = [

     

       12
       +
             "/Applications/1Password.app"

     

       13
       +
             "/Applications/Mos.app"

     

       14
       +
             "/Applications/Maccy.app"

     

       15
       +
             "/Users/chloe/Applications/Home Manager Apps/Shottr.app"

     

       16
       +
             "/Applications/Tailscale.app"

     

       17
       +
           ];

     

       18
       +
         };

     

       19
       +
       }

+14 -13

secrets/caddy.age

···

       1
        
       -----BEGIN AGE ENCRYPTED FILE-----

     

       2
       -
       YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGN2U2dKQSA3OTRw

     

       3
       -
       N0pLbkIxZ2lvVEkyb0o4RGdZVVEzQ0VtSlp5MVJPMWNPd0xoc0JrCmRRMWR5N2hs

     

       4
       -
       dFRwUVQ3RCtIb2hKT2ZvVlU4UUFBM0dkWmZ0U0lCUERZMUEKLT4gc3NoLWVkMjU1

     

       5
       -
       MTkgMUNUOTd3IERweUM3ekJqTXBNTVYxU3p1OVhwZGxGdDl5bGNLRHBzbW12OHdN

     

       6
       -
       NlpMRmsKendPWjFTZFFmMnpSWWNsa0NDM2kvTTNKYk42M01uS1BpazJzSGErUnE5

     

       7
       -
       MAotPiBzc2gtZWQyNTUxOSBlUDNUdFEgb3prY01iWjBlS1pLSnZnTFJsOXM1NkVL

     

       8
       -
       S3hJZTJ5V21lNFBDN21RTFN5VQpCa1lVNStyVWl5TS9Lcm9ZZHArV3ExWmViVzNv

     

       9
       -
       cm9zNUdzN2ZjcVFkTjFrCi0+IDF3VVg2LWdyZWFzZSAvLUNTTzp0NSAyRUFrdSBp

     

       10
       -
       UH0xIEgKWDJxU2tkQ20wZ29aQzlEWlh4RTQzaHBFV0tUb1hNUVg3aENOT0NxY0Z4

     

       11
       -
       eEtpd3Nwb3BBYmU0a0JKZFBFOXFJYgpKMVNPcTIxNnhUelRmNmFqVGNsQVV6NTRO

     

       12
       -
       d2cKLS0tIDYrQ2tWRWhHcTFGUnVNRU9kaWJCRkRSTXB5YTJvVnpwZ2ttLzhubGg1

     

       13
       -
       N2sKd+UAtI0xQxss7MdlaHSRhAK6sOhBJ84PmnjDYDBhf4Xg2ON/EmD5AmUfcmcD

     

       14
       -
       yEfwQSp1/vvUCtW1CXzEUswCRUzzhufms8GSLC7ehRAbhImhIK0lCKU=

     

       0
        
       
     

       15
        
       -----END AGE ENCRYPTED FILE-----

···

       1
        
       -----BEGIN AGE ENCRYPTED FILE-----

     

       2
       +
       YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGN2U2dKQSA0THNq

     

       3
       +
       UjBzRllITWxyM0tWckVhU0p3SE4zNWhYdmVuUUVyREtLOGxwbFRJCkh3QXFOUW9p

     

       4
       +
       ZWxSUS9LTzJsMFdyK05jOXVBVzI2VUptTFFManZTQnRMUmsKLT4gc3NoLWVkMjU1

     

       5
       +
       MTkgMUNUOTd3IEdKUHhlMG1hakFJcThMdjVWMk5WZ3RzYUZnbE5RdXJycmk3TW9H

     

       6
       +
       TDF5bEUKTTIrbVh6UTZHYnhmV21sUFpSOGYwT3FCT1RacjRscUVabFpYWmh4U3Ft

     

       7
       +
       cwotPiBzc2gtZWQyNTUxOSBlUDNUdFEgTXhVUGFrcExTV05qb2ZuWDkzd0hYSCtl

     

       8
       +
       NjZLaWxFdi9ibmtUcDVzWE5DSQpSVTVvUlpBN2REZ2ZSMkRkWWlNWkFaekxROVVt

     

       9
       +
       bEc4NXBkdVpWTkF0OENVCi0+IEw5e0xlLWdyZWFzZSBUIHdHZHk5IgpwVERQMzZG

     

       10
       +
       ODgwUExoa082aFp2K0NvYmhtT1lvd2MzMlEycGc4YjlwVGNPcy9nS0FQV3lZTkpr

     

       11
       +
       SkkzdXlWdllBCnBGODRBRU9vQnB4THdBQzZycGdMS05mN3R4VWZvaUpnbWZ5M3Zu

     

       12
       +
       blN1cys1VGc4R09TdHdHaDhEQVF3Ci0tLSBYWmNaYkZiSzVQUXp0OU14WmY4cGNR

     

       13
       +
       Mk1VZ1NxOWV3RUxVb0taRWRxZTFrCvVGqFlzVEsdUx95OQNCI1lmXdAXY5SxwJ6q

     

       14
       +
       PI7Cj+zq+5BjUYqwPnu2KcMMKEtmBReSyL791bRn16PSzIS3yn2DzmIM72oea9hd

     

       15
       +
       WJCud87qCxejIF3LgczKUqpTILzXtM7jzR2CNhoBSc9VDDA3U+ku4jOnxfj6

     

       16
        
       -----END AGE ENCRYPTED FILE-----

+45 -2

services/bluesky-pds/default.nix

···

       28
        
           serverAliases = [ "*.pds.sappho.systems" ];

     

       29
        
           extraConfig = ''

     

       30
        
             import common

     

       31
       -
             import tls_cloudflare

     

       32
       -
             reverse_proxy http://127.0.0.1:3333

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       33
        
           '';

     

       34
        
         };

     

       35
        
       }

···

       28
        
           serverAliases = [ "*.pds.sappho.systems" ];

     

       29
        
           extraConfig = ''

     

       30
        
             import common

     

       31
       +
             import tls_bunny

     

       32
       +
       

     

       33
       +
             handle / {

     

       34
       +
               respond <<EOF

     

       35
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⡀⢀⠀⢀⠀⠀⠀⠀

     

       36
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⢧⢳⣾⣂⣾⡁⣴⠀⠀

     

       37
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⠓⣬⠾⠋⠉⢸⣷⣋⣤⡦

     

       38
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢯⡞⠃⠀⠀⠀⡼⠊⣠⡏⠀

     

       39
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣶⣄⣀⣀⡴⣡⡴⠃⠀⠀

     

       40
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⣽⠧⢴⡀⢸⡛⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡿⠻⠛⠋⠉⠁⠀⠀⠀⠀

     

       41
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠾⡇⢸⠉⠀⠀⠹⣼⣽⡚⠉⠹⡄⠀⠀⠀⠀⠀⠀⠀⠀⡴⠛⠙⢳⡀⠀⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       42
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡘⢿⣆⠀⠀⠀⣿⠉⠀⠀⢀⣧⠀⢀⣤⠤⢤⣄⠀⢸⠉⠀⠀⠈⣧⢸⣿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       43
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⠾⠉⠙⠻⢗⠀⣦⣏⣤⠀⣠⠞⠀⠀⣞⠋⠀⠀⠈⠻⡼⡀⣄⡀⢀⡯⠟⠧⢤⡀⠀⠀⠀⠀⠀⠀⠀⠀

     

       44
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⢯⣀⠀⠀⠲⣷⡿⣿⠋⠉⠁⠀⠀⠀⠹⣄⠀⠀⣠⣤⠘⠧⣽⣨⣞⡁⠀⠀⠀⡇⠀⠀⠀⠀⠀⠀⠀⠀

     

       45
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠉⠉⠁⠀⢸⣷⠀⠀⠀⠀⠀⠀⠈⣓⣦⣜⠉⣿⣶⠧⣟⣙⣀⣀⣠⠞⠁⠀⠀⠀⠀⠀⠀⠀⠀

     

       46
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⠀⠀⠀⠀⠀⠀⡞⠉⠀⠾⠞⡵⢜⣇⡀⠙⢦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       47
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡤⠤⠤⣄⠀⣼⣿⡠⠴⠶⠦⣄⠀⣷⣀⠀⢀⣠⡷⡀⠉⠁⠀⢸⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       48
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⡋⠀⠀⠀⠈⢷⣿⠋⠀⠀⠀⠀⢸⡆⠀⠈⠉⣩⣿⠣⠙⠲⠤⠶⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       49
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡇⠀⠀⠀⠀⠀⠀⢻⠀⠀⠀⠀⠀⠀⡇⣠⣴⣾⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       50
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⣄⠀⠀⠀⢠⣦⣌⡄⢠⣦⠀⠀⣾⠹⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       51
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡠⠤⠙⠢⢄⡀⠀⢳⡄⢃⡼⠉⣀⠜⠋⠉⠒⢦⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       52
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⢠⡯⠀⠀⠀⠀⠀⣠⡉⠙⣹⣿⠶⣮⣁⡀⠀⠀⠀⠀⢻⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       53
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠳⣄⠀⠀⠀⠘⠛⠓⣛⠇⢸⡷⡀⠻⠟⠀⠀⠀⠀⢸⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       54
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣹⠒⠶⢶⠒⠉⠀⠀⠈⠉⢫⠳⢄⣀⣀⣀⡤⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       55
       +
               ⠀⠀⠀⠀⠀⠀⠀⢀⣀⣤⡾⠋⠀⠀⢰⠀⠀⠀⠀⠀⠀⢸⣇⠀⠈⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       56
       +
               ⠀⠀⠀⠀⣠⣴⣾⠿⠛⠁⠀⠀⠀⠀⠈⠳⣄⣀⣀⣀⡤⠞⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       57
       +
               ⠀⠀⣴⣿⡿⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       58
       +
               ⠀⣾⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       59
       +
               ⢸⡿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       60
       +
               ⠈⢧⡃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       61
       +
               ⠀⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       62
       +
       

     

       63
       +
             Welcome to Sapphic Angels' AT Protocol Personal Data Server (PDS).

     

       64
       +
       

     

       65
       +
             Website: https://sapphic.moe

     

       66
       +
                 PDS: https://github.com/bluesky-social/pds

     

       67
       +
             ATProto: https://atproto.com

     

       68
       +
       

     

       69
       +
             🌸 🐇

     

       70
       +
             EOF 200

     

       71
       +
             }

     

       72
       +
       

     

       73
       +
             handle {

     

       74
       +
               reverse_proxy http://127.0.0.1:3333

     

       75
       +
             }

     

       76
        
           '';

     

       77
        
         };

     

       78
        
       }

+9 -6

services/caddy/default.nix

···

       9
        
         services.caddy = {

     

       10
        
           enable = true;

     

       11
        
           package = pkgs.caddy.withPlugins {

     

       12
       -
             plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];

     

       13
       -
             hash = "sha256-iRzpN9awuEFsc7hqKzOMNiCFFEv833xhd4LM+VFQedI=";

     

       0
        
       
     

       0
        
       
     

       14
        
           };

     

       15
        
           environmentFile = config.age.secrets.caddy.path;

     

       16
        
           globalConfig = ''

     

       0
        
       
     

       17
        
             email chloe@sapphic.moe

     

       18
        
           '';

     

       19
        
           extraConfig = ''

     

       20
       -
             (tls_cloudflare) {

     

       21
        
               tls {

     

       22
       -
                 dns cloudflare {env.CF_API_TOKEN}

     

       23
       -
                 resolvers 8.8.8.8 1.1.1.1

     

       24
        
               }

     

       25
        
             }

     

       26
        
             (common) {

     
···

       28
        
             }

     

       29
        
           '';

     

       30
        
           logFormat = ''

     

       31
       -
             level info

     

       32
        
             format json

     

       33
        
           '';

     

       34
        
         };

···

       9
        
         services.caddy = {

     

       10
        
           enable = true;

     

       11
        
           package = pkgs.caddy.withPlugins {

     

       12
       +
             plugins = [

     

       13
       +
               "github.com/caddy-dns/bunny@v1.2.0"

     

       14
       +
             ];

     

       15
       +
             hash = "sha256-bwffi5sWq07DVoPQGgEIN1jnvQKL6c4tFfR9AT9ThD4=";

     

       16
        
           };

     

       17
        
           environmentFile = config.age.secrets.caddy.path;

     

       18
        
           globalConfig = ''

     

       19
       +
             debug

     

       20
        
             email chloe@sapphic.moe

     

       21
        
           '';

     

       22
        
           extraConfig = ''

     

       23
       +
             (tls_bunny) {

     

       24
        
               tls {

     

       25
       +
                 dns bunny {env.BUNNY_API_KEY}

     

       26
       +
                 resolvers 9.9.9.9 149.112.112.112

     

       27
        
               }

     

       28
        
             }

     

       29
        
             (common) {

     
···

       31
        
             }

     

       32
        
           '';

     

       33
        
           logFormat = ''

     

       34
       +
             level debug

     

       35
        
             format json

     

       36
        
           '';

     

       37
        
         };

+1 -1

services/destiny-labeler/default.nix

···

       41
        
         services.caddy.virtualHosts."labeler.sappho.systems" = {

     

       42
        
           extraConfig = ''

     

       43
        
             import common

     

       44
       -
             import tls_cloudflare

     

       45
        
             reverse_proxy http://127.0.0.1:4002

     

       46
        
           '';

     

       47
        
         };

···

       41
        
         services.caddy.virtualHosts."labeler.sappho.systems" = {

     

       42
        
           extraConfig = ''

     

       43
        
             import common

     

       44
       +
             import tls_bunny

     

       45
        
             reverse_proxy http://127.0.0.1:4002

     

       46
        
           '';

     

       47
        
         };

+25 -40

services/fail2ban/default.nix

···

       1
       -
       { config, pkgs, ... }:

     

       2
        
       

     

       3
        
       {

     

       4
        
         age.secrets.abuseipdb = {

     

       5
        
           file = ../../secrets/abuseipdb.age;

     

       6
        
           mode = "600";

     

       7
       -
           owner = "abuseipdb";

     

       8
       -
           group = "abuseipdb";

     

       9
        
         };

     

       10
        
       

     

       11
        
         services.fail2ban = {

     
···

       42
        
       

     

       43
        
           # Jails for protecting various services

     

       44
        
           jails = {

     

       45
       -
             # SSH protection - monitor failed login attempts

     

       46
       -
             sshd = {

     

       47
        
               enabled = true;

     

       48
        
               port = "ssh";

     

       49
        
               filter = "sshd";

     

       50
       -
               logpath = "%(syslog_authpriv)s";

     

       51
       -
               backend = "auto";

     

       52
        
               maxretry = 5;

     

       53
        
               findtime = "3600";

     

       54
        
               bantime = "86400";

     

       55
       -
               action = [

     

       56
       -
                 "iptables-multiport[name=SSH, port='ssh']"

     

       57
       -
                 "abuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='18,22', abuseipdb_comment='Fail2Ban SSH Brute Force']"

     

       58
       -
               ];

     

       59
        
             };

     

       60
        
       

     

       61
        
             # Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors

     

       62
       -
             caddy-http = {

     

       63
        
               enabled = true;

     

       64
        
               port = "http,https";

     

       65
        
               filter = "caddy-http";

     

       66
       -
               logpath = "/var/log/caddy/access.log";

     

       67
        
               backend = "auto";

     

       68
        
               maxretry = 10;

     

       69
        
               findtime = "600";

     

       70
        
               bantime = "3600";

     

       71
       -
               action = [

     

       72
       -
                 "iptables-multiport[name=Caddy, port='http,https']"

     

       73
       -
                 "abuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Caddy Abuse']"

     

       74
       -
               ];

     

       75
        
             };

     

       76
        
       

     

       77
        
             # Rate-based protection - ban on excessive requests

     

       78
       -
             caddy-ratelimit = {

     

       79
        
               enabled = true;

     

       80
        
               port = "http,https";

     

       81
        
               filter = "caddy-ratelimit";

     

       82
       -
               logpath = "/var/log/caddy/access.log";

     

       83
        
               backend = "auto";

     

       84
        
               maxretry = 50;

     

       85
        
               findtime = "60";

     

       86
        
               bantime = "1800";

     

       87
       -
               action = [

     

       88
       -
                 "iptables-multiport[name=Caddy-RateLimit, port='http,https']"

     

       89
       -
                 "abuseipdb[abuseipdb_apikey=${config.age.secrets.abuseipdb.path}, abuseipdb_category='21', abuseipdb_comment='Fail2Ban Rate Limiting']"

     

       90
       -
               ];

     

       91
        
             };

     

       92
        
           };

     

       93
        
         };

     
···

       108
        
             ignoreregex =

     

       109
        
           '';

     

       110
        
       

     

       111
       -
           # AbuseIPDB action for reporting IPs

     

       112
       -
           # The API key is passed via the abuseipdb_apikey parameter which should be

     

       113
       -
           # set to the path of the decrypted secret file (e.g., /run/agenix/abuseipdb)

     

       114
       -
           "fail2ban/action.d/abuseipdb.conf".text = ''

     

       115
        
             [Definition]

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       116
        
             actionstart =

     

       117
        
             actionstop =

     

       118
        
             actioncheck =

     

       119
       -
       

     

       120
       -
             # Report IP to AbuseIPDB

     

       121
       -
             # Reads the API key from the file specified in the abuseipdb_apikey parameter

     

       122
       -
             actionban = /run/current-system/sw/bin/curl -s -X POST https://api.abuseipdb.com/api/v2/report \

     

       123
       -
               -H "Key: $(cat <abuseipdb_apikey>)" \

     

       124
       -
               -H "Accept: application/json" \

     

       125
       -
               -d "ip=<ip>&category=<abuseipdb_category>&comment=<abuseipdb_comment>" \

     

       126
       -
               -o /dev/null

     

       127
       -
       

     

       128
       -
             # No action to unban - AbuseIPDB reports are permanent

     

       129
        
             actionunban =

     

       130
        
       

     

       131
        
             [Init]

     

       132
       -
             # Default path - will be overridden by jail configuration

     

       133
       -
             abuseipdb_apikey = /run/agenix/abuseipdb

     

       134
        
             abuseipdb_category = 18

     

       135
       -
             abuseipdb_comment = Fail2Ban Report

     

       136
        
           '';

     

       137
        
         };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       138
        
       }

···

       1
       +
       { pkgs, ... }:

     

       2
        
       

     

       3
        
       {

     

       4
        
         age.secrets.abuseipdb = {

     

       5
        
           file = ../../secrets/abuseipdb.age;

     

       6
        
           mode = "600";

     

       0
        
       
     

       0
        
       
     

       7
        
         };

     

       8
        
       

     

       9
        
         services.fail2ban = {

     
···

       40
        
       

     

       41
        
           # Jails for protecting various services

     

       42
        
           jails = {

     

       43
       +
             # SSH protection - monitor failed login attempts using systemd journal

     

       44
       +
             sshd.settings = {

     

       45
        
               enabled = true;

     

       46
        
               port = "ssh";

     

       47
        
               filter = "sshd";

     

       48
       +
               backend = "systemd";

     

       0
        
       
     

       49
        
               maxretry = 5;

     

       50
        
               findtime = "3600";

     

       51
        
               bantime = "86400";

     

       52
       +
               action = "iptables-multiport[name=SSH, port='ssh'] abuseipdb-agenix[abuseipdb_category='18,22']";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       53
        
             };

     

       54
        
       

     

       55
        
             # Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors

     

       56
       +
             caddy-http.settings = {

     

       57
        
               enabled = true;

     

       58
        
               port = "http,https";

     

       59
        
               filter = "caddy-http";

     

       60
       +
               logpath = "/var/log/caddy/access-*.log";

     

       61
        
               backend = "auto";

     

       62
        
               maxretry = 10;

     

       63
        
               findtime = "600";

     

       64
        
               bantime = "3600";

     

       65
       +
               action = "iptables-multiport[name=Caddy, port='http,https'] abuseipdb-agenix[abuseipdb_category='21']";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       66
        
             };

     

       67
        
       

     

       68
        
             # Rate-based protection - ban on excessive requests

     

       69
       +
             caddy-ratelimit.settings = {

     

       70
        
               enabled = true;

     

       71
        
               port = "http,https";

     

       72
        
               filter = "caddy-ratelimit";

     

       73
       +
               logpath = "/var/log/caddy/access-*.log";

     

       74
        
               backend = "auto";

     

       75
        
               maxretry = 50;

     

       76
        
               findtime = "60";

     

       77
        
               bantime = "1800";

     

       78
       +
               action = "iptables-multiport[name=Caddy-RateLimit, port='http,https'] abuseipdb-agenix[abuseipdb_category='21']";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       79
        
             };

     

       80
        
           };

     

       81
        
         };

     
···

       96
        
             ignoreregex =

     

       97
        
           '';

     

       98
        
       

     

       99
       +
           # Custom abuseipdb action that reads API key from file

     

       100
       +
           "fail2ban/action.d/abuseipdb-agenix.conf".text = ''

     

       0
        
       
     

       0
        
       
     

       101
        
             [Definition]

     

       102
       +
             # Report IP to AbuseIPDB, reading API key from Agenix secret file

     

       103
       +
             # Uses double quotes to allow shell expansion of $(cat /run/agenix/abuseipdb)

     

       104
       +
             # Sleep 12 seconds to respect AbuseIPDB rate limit (~5 requests per minute)

     

       105
       +
             # Note: Don't use <matches> - fail2ban's wrapper causes issues with multiline content

     

       106
       +
             # Don't use --fail so 429 rate limit errors don't mark action as failed

     

       107
       +
             actionban = sleep 12; curl 'https://api.abuseipdb.com/api/v2/report' -H 'Accept: application/json' -H "Key: $(cat /run/agenix/abuseipdb)" --data-urlencode 'ip=<ip>' --data 'categories=<abuseipdb_category>' > /dev/null 2>&1

     

       108
       +
       

     

       109
        
             actionstart =

     

       110
        
             actionstop =

     

       111
        
             actioncheck =

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       112
        
             actionunban =

     

       113
        
       

     

       114
        
             [Init]

     

       0
        
       
     

       0
        
       
     

       115
        
             abuseipdb_category = 18

     

       0
        
       
     

       116
        
           '';

     

       117
        
         };

     

       118
       +
       

     

       119
       +
         # Ensure the log directory exists

     

       120
       +
         systemd.tmpfiles.rules = [

     

       121
       +
           "d /var/log/fail2ban 0755 root root -"

     

       122
       +
         ];

     

       123
        
       }

+1 -2

services/glance/default.nix

···

       8
        
       

     

       9
        
         services.glance = {

     

       10
        
           enable = true;

     

       11
       -
           openFirewall = true;

     

       12
        
           environmentFile = config.age.secrets.glance.path;

     

       13
        
           settings = import ./settings.nix;

     

       14
        
         };

     
···

       16
        
         services.caddy.virtualHosts."home.sappho.systems" = {

     

       17
        
           extraConfig = ''

     

       18
        
             import common

     

       19
       -
             import tls_cloudflare

     

       20
        
             reverse_proxy http://localhost:4040

     

       21
        
           '';

     

       22
        
         };

···

       8
        
       

     

       9
        
         services.glance = {

     

       10
        
           enable = true;

     

       11
       +
           openFirewall = false;

     

       12
        
           environmentFile = config.age.secrets.glance.path;

     

       13
        
           settings = import ./settings.nix;

     

       14
        
         };

     
···

       16
        
         services.caddy.virtualHosts."home.sappho.systems" = {

     

       17
        
           extraConfig = ''

     

       18
        
             import common

     

       0
        
       
     

       19
        
             reverse_proxy http://localhost:4040

     

       20
        
           '';

     

       21
        
         };

+29 -3

services/knot/default.nix

···

       2
        
         services.tangled-knot = {

     

       3
        
           enable = true;

     

       4
        
           motd = ''

     

       5
       -
             🌸 welcome to the tangled knot server 🌸

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       6
        
       

     

       7
       -
             hosted by sapphic angels

     

       8
        
           '';

     

       9
        
           server = {

     

       10
        
             hostname = "knot.sappho.systems";

     
···

       15
        
         services.caddy.virtualHosts."knot.sappho.systems" = {

     

       16
        
           extraConfig = ''

     

       17
        
             import common

     

       18
       -
             import tls_cloudflare

     

       19
        
             reverse_proxy http://127.0.0.1:5555

     

       20
        
           '';

     

       21
        
         };

···

       2
        
         services.tangled-knot = {

     

       3
        
           enable = true;

     

       4
        
           motd = ''

     

       5
       +
                ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⡀⢀⠀⢀⠀⠀⠀⠀

     

       6
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⢧⢳⣾⣂⣾⡁⣴⠀⠀

     

       7
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⠓⣬⠾⠋⠉⢸⣷⣋⣤⡦

     

       8
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢯⡞⠃⠀⠀⠀⡼⠊⣠⡏⠀

     

       9
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣶⣄⣀⣀⡴⣡⡴⠃⠀⠀

     

       10
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⣽⠧⢴⡀⢸⡛⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡿⠻⠛⠋⠉⠁⠀⠀⠀⠀

     

       11
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠾⡇⢸⠉⠀⠀⠹⣼⣽⡚⠉⠹⡄⠀⠀⠀⠀⠀⠀⠀⠀⡴⠛⠙⢳⡀⠀⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       12
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡘⢿⣆⠀⠀⠀⣿⠉⠀⠀⢀⣧⠀⢀⣤⠤⢤⣄⠀⢸⠉⠀⠀⠈⣧⢸⣿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       13
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⠾⠉⠙⠻⢗⠀⣦⣏⣤⠀⣠⠞⠀⠀⣞⠋⠀⠀⠈⠻⡼⡀⣄⡀⢀⡯⠟⠧⢤⡀⠀⠀⠀⠀⠀⠀⠀⠀

     

       14
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⢯⣀⠀⠀⠲⣷⡿⣿⠋⠉⠁⠀⠀⠀⠹⣄⠀⠀⣠⣤⠘⠧⣽⣨⣞⡁⠀⠀⠀⡇⠀⠀⠀⠀⠀⠀⠀⠀

     

       15
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠉⠉⠁⠀⢸⣷⠀⠀⠀⠀⠀⠀⠈⣓⣦⣜⠉⣿⣶⠧⣟⣙⣀⣀⣠⠞⠁⠀⠀⠀⠀⠀⠀⠀⠀

     

       16
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⠀⠀⠀⠀⠀⠀⡞⠉⠀⠾⠞⡵⢜⣇⡀⠙⢦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       17
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡤⠤⠤⣄⠀⣼⣿⡠⠴⠶⠦⣄⠀⣷⣀⠀⢀⣠⡷⡀⠉⠁⠀⢸⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       18
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⡋⠀⠀⠀⠈⢷⣿⠋⠀⠀⠀⠀⢸⡆⠀⠈⠉⣩⣿⠣⠙⠲⠤⠶⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       19
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡇⠀⠀⠀⠀⠀⠀⢻⠀⠀⠀⠀⠀⠀⡇⣠⣴⣾⠟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       20
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢻⣄⠀⠀⠀⢠⣦⣌⡄⢠⣦⠀⠀⣾⠹⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       21
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡠⠤⠙⠢⢄⡀⠀⢳⡄⢃⡼⠉⣀⠜⠋⠉⠒⢦⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       22
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⢠⡯⠀⠀⠀⠀⠀⣠⡉⠙⣹⣿⠶⣮⣁⡀⠀⠀⠀⠀⢻⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       23
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠳⣄⠀⠀⠀⠘⠛⠓⣛⠇⢸⡷⡀⠻⠟⠀⠀⠀⠀⢸⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       24
       +
               ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣹⠒⠶⢶⠒⠉⠀⠀⠈⠉⢫⠳⢄⣀⣀⣀⡤⠟⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       25
       +
               ⠀⠀⠀⠀⠀⠀⠀⢀⣀⣤⡾⠋⠀⠀⢰⠀⠀⠀⠀⠀⠀⢸⣇⠀⠈⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       26
       +
               ⠀⠀⠀⠀⣠⣴⣾⠿⠛⠁⠀⠀⠀⠀⠈⠳⣄⣀⣀⣀⡤⠞⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       27
       +
               ⠀⠀⣴⣿⡿⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       28
       +
               ⠀⣾⡟⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       29
       +
               ⢸⡿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       30
       +
               ⠈⢧⡃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       31
       +
               ⠀⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

     

       32
        
       

     

       33
       +
             Welcome to Sapphic Angels' Knot server for tangled.org.

     

       34
        
           '';

     

       35
        
           server = {

     

       36
        
             hostname = "knot.sappho.systems";

     
···

       41
        
         services.caddy.virtualHosts."knot.sappho.systems" = {

     

       42
        
           extraConfig = ''

     

       43
        
             import common

     

       44
       +
             import tls_bunny

     

       45
        
             reverse_proxy http://127.0.0.1:5555

     

       46
        
           '';

     

       47
        
         };

+1 -1

services/lanyard/default.nix

···

       29
        
         services.caddy.virtualHosts."lanyard.sappho.systems" = {

     

       30
        
           extraConfig = ''

     

       31
        
             import common

     

       32
       -
             import tls_cloudflare

     

       33
        
             reverse_proxy http://127.0.0.1:4001

     

       34
        
           '';

     

       35
        
         };

···

       29
        
         services.caddy.virtualHosts."lanyard.sappho.systems" = {

     

       30
        
           extraConfig = ''

     

       31
        
             import common

     

       32
       +
             import tls_bunny

     

       33
        
             reverse_proxy http://127.0.0.1:4001

     

       34
        
           '';

     

       35
        
         };

+2 -4

services/ntfy/default.nix

···

       33
        
         services.caddy.virtualHosts."notify.sappho.systems" = {

     

       34
        
           extraConfig = ''

     

       35
        
             import common

     

       36
       -
             import tls_cloudflare

     

       0
        
       
     

       37
        
             reverse_proxy http://127.0.0.1:7070

     

       38
        
           '';

     

       39
        
         };

     

       40
       -
       

     

       41
       -
         # Firewall

     

       42
       -
         settings.firewall.allowedTCPPorts = [ 7070 ];

     

       43
        
       }

···

       33
        
         services.caddy.virtualHosts."notify.sappho.systems" = {

     

       34
        
           extraConfig = ''

     

       35
        
             import common

     

       36
       +
             import tls_bunny

     

       37
       +
       

     

       38
        
             reverse_proxy http://127.0.0.1:7070

     

       39
        
           '';

     

       40
        
         };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       41
        
       }

+2 -2

services/outline/default.nix

···

       108
        
         services.caddy.virtualHosts."wiki.sappho.systems" = {

     

       109
        
           extraConfig = ''

     

       110
        
             import common

     

       111
       -
             import tls_cloudflare

     

       112
        
             reverse_proxy http://localhost:3300

     

       113
        
           '';

     

       114
        
         };

     
···

       116
        
         services.caddy.virtualHosts."minio.sappho.systems" = {

     

       117
        
           extraConfig = ''

     

       118
        
             import common

     

       119
       -
             import tls_cloudflare

     

       120
        
             reverse_proxy http://localhost:9000

     

       121
        
           '';

     

       122
        
         };

···

       108
        
         services.caddy.virtualHosts."wiki.sappho.systems" = {

     

       109
        
           extraConfig = ''

     

       110
        
             import common

     

       111
       +
             import tls_bunny

     

       112
        
             reverse_proxy http://localhost:3300

     

       113
        
           '';

     

       114
        
         };

     
···

       116
        
         services.caddy.virtualHosts."minio.sappho.systems" = {

     

       117
        
           extraConfig = ''

     

       118
        
             import common

     

       119
       +
             import tls_bunny

     

       120
        
             reverse_proxy http://localhost:9000

     

       121
        
           '';

     

       122
        
         };

Compare changes