comparing 2f00d3df61d3277aafb59fe8c1805d3ba5b0ce6e and refactor/move-global-system-config on soopy.moe/gensokyo

-4

.git-crypt/.gitattributes

···

       1
       -
       # Do not edit this file.  To specify the files to encrypt, create your own

     

       2
       -
       # .gitattributes file in the directory where your files are.

     

       3
       -
       * !filter !diff

     

       4
       -
       *.gpg binary

.git-crypt/keys/default/0/7595B36DF6C2E95E10E528662932BA0FA3DDD7D6.gpg

This is a binary file and will not be displayed.

-1

.gitattributes

···

       1
       -
       *.cry filter=git-crypt diff=git-crypt

···

       0

+4

.github/workflows/update-lockfile.yaml

···

       1
        
       name: "Update Flake Lockfile"

     

       2
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       3
        
       on:

     

       4
        
         workflow_dispatch:

     

       5
        
         schedule:

···

       1
        
       name: "Update Flake Lockfile"

     

       2
        
       

     

       3
       +
       permissions:

     

       4
       +
         pull-requests: write

     

       5
       +
         contents: write

     

       6
       +
       

     

       7
        
       on:

     

       8
        
         workflow_dispatch:

     

       9
        
         schedule:

+23

.sops.yaml

···

       1
       +
       keys:

     

       2
       +
         # maintainers

     

       3
       +
         - &soopyc_mpxl7a age10rkyshu0lswdqyvun4cs9cekm9zt4fw5c8ssa38tn3lukgcahcvsltnqx2

     

       4
       +
         - &soopyc_pgp302 8F3B277901484C6EA7E63F82D539637D518022C6

     

       5
       +
         # - &soopyc_age302 age1yubikey1qgmfcf0vddslyza7djdekjjk3t3u29d474c5xscmcdye8x3spvhlxxj23xz

     

       6
       +
         # failed to parse input as Bech32-encoded age public key: malformed recipient "age1yubikey1qgmfcf0vddslyza7djdekjjk3t3u29d474c5xscmcdye8x3spvhlxxj23xz": invalid type "age1yubikey"

     

       7
       +
       

     

       8
       +
         # Hosts

     

       9
       +
         - &koumakan_ssh age18h7hya5terghrwawgpny28swlat2nqkdrfd4clk0svujqlz9xfusd3zeqt

     

       10
       +
       

     

       11
       +
       default_group: &default_group

     

       12
       +
         pgp:

     

       13
       +
           - *soopyc_pgp302

     

       14
       +
         age:

     

       15
       +
           # - *soopyc_age302

     

       16
       +
           - *soopyc_mpxl7a

     

       17
       +
       

     

       18
       +
       creation_rules:

     

       19
       +
         - path_regex: creds/sops/koumakan.yaml

     

       20
       +
           key_groups:

     

       21
       +
             - <<: *default_group

     

       22
       +
               age:

     

       23
       +
                 - *koumakan_ssh

+2

README.md

···

       0
        
       
     

       0
        
       
     

       1
        
       # Cow

     

       2
        
       ![a yak on some grass](docs/quaritsch-photography-1_6rJHQ2Gmw-unsplash.jpg)

     

       3

···

       1
       +
       [![Check and Build configuration](https://github.com/soopyc/nix-on-koumakan/actions/workflows/build.yaml/badge.svg?branch=main)](https://github.com/soopyc/nix-on-koumakan/actions/workflows/build.yaml)

     

       2
       +
       

     

       3
        
       # Cow

     

       4
        
       ![a yak on some grass](docs/quaritsch-photography-1_6rJHQ2Gmw-unsplash.jpg)

     

       5

+3

creds/sops/.gitattributes

···

       1
       +
       # to use, make sure `sops` is in your path and run

     

       2
       +
       #  git config diff.sopsdiff.textconv "sops -d"

     

       3
       +
       *.yaml diff=sopsdiff

+68

creds/sops/koumakan.yaml

···

       1
       +
       comment_unencrypted: See https://github.com/Mic92/sops-nix/issues/120 for synapse.yaml quirks

     

       2
       +
       synapse.yaml: ENC[AES256_GCM,data:eQsUW4mwbSPzsoi8HIEngfU5x/PEaqPxvx1AXXJJj7WDX9RsPtQOqQJjuTAEPtz32Hm1nob+VVYuzAXXfCO8Cd0CIHG+xlV4cWNc4JB8wj1YgtMJu9J3yC7iv3HMULT0TL8MxmwWYKqSPKIVarLVN5gQl1G1SAfxEK3ET6qtmkmCD8y6ZVM/84fTR5lxpLe82CaplbUHXEHKk51XwGYLSp5IZsPwtMMFhYuaoqCsEVr65IiSozbD4LKddYNQKUlYmkSfThQsoPpe9ixE7+HS11S+LklyP1q3usWTfOPsQS8k5NJdcGkrCH2A4ddjWkDBAzdav3qauYoQEvbMd8BpoDqD/67lKuvoyXqDoPf5sLrQcxcUl8ObTI1I8zWhabGa9uTuiaTd3wYdMhvMvs/KIfPXNDqcBuIY9sR6LQmY2Zb9+FtYiQVnrr0XmzjB59oN023y1xC/xqkgRyXysndhnj4P1Q+PYbOMQi7hwAjM5xMk/mLkpLn41Ju4u0MqDwHSxA/NXbsEBp/u3Tim2jsrMZqjRZwQHt1n/gtMjm2cMTminM99c/fV2fcvAmcNB9u1KWgEte1JjQSRftg7pkaznYlfrQLyCQYghVu3kgeAJCaSPMewHVWOF/onTauNHYFMlJ8VDUuYOnt2LNJUk1Wap5dGfKm7661mTeYB8aw0h3111YEViuGkSp+oM5A8X6CBI6YsYYOWq5Qd+A3fFJVpcf9hhhdx0JsRmR3EZOupIVx5Y4ruuA6ipj/xMDRNfTZjqukpn3Y1s5xTjUYEo3moLdgd1PYxAVIY/KjPn31pmRThGG1NZpYHZ1yjmptVydtqf/tTd32i3e0WjIjUEZD1NE7Z5AiWJ+XAEaE3S804C6QxN1jHZvqIokA9C4HO+R/es1uDyf2KDvxf1It0hMLg7CAnq1AQcbLCDqXXZaqibSRNfv09lO4jZ3vBe3owvd1wGbK513nqC6m2gh8YDYiHdw7UlXMbMP9+,iv:fvaZQ66VKU+uzvn5AwTIFgzz+F2kJ8/QR2AfmynRfGU=,tag:8c/cAMZ6c7h3J+shh7l7tw==,type:str]

     

       3
       +
       matrix-signing-key: ENC[AES256_GCM,data:u6miE2oM3TUXaQ7wc776SwSMaOAxJOVlpl2kBW+AjI/aDH5vcGBp0L0uTpZbVfOtIe+RDNEv5E/mKA==,iv:abvwkrNe324QCbWLwiPY0UwqezS0wbyk2Fvi0vs3SI0=,tag:ZmpDB9LHbezQrxuwHNgpRg==,type:str]

     

       4
       +
       akkoma:

     

       5
       +
           dist:

     

       6
       +
               cookie: ENC[AES256_GCM,data:5jpsa4KsOAoCMGAt9laK9ioVTJfuT9+viKva8wDWRnAimVY6jDoNr4+hxVty6yQAAfSJYA7ddTxaSCEjnJtneg==,iv:V8+MpX/IEc57zEfhNGX5f+eMyipraaXDKPDNDOy0Ieo=,tag:+xCy18Ni8F5wYkO/4NbSzw==,type:str]

     

       7
       +
           endpoint:

     

       8
       +
               secret_base: ENC[AES256_GCM,data:l34Rj4iIQIykgzTLJolqWLQQz5pcfa0o5U/ZMKeNc2CBQedxiMXYrLSNOx6OuV38aqoOolccJEOSiVjfbTawtg==,iv:/x0ydo2gOPrhIZI7at877bzfFgMpraauozfLq95aHCk=,tag:RQI4aeLiAkAcWYlwLaTj5w==,type:str]

     

       9
       +
               salt: ENC[AES256_GCM,data:CP4805tG05A=,iv:aSun7ABJdbDQrFcrGQMM9H1/7d5lJqeMwO08gUYrD2A=,tag:ikhxbijsqyBFJs02j2j/vw==,type:str]

     

       10
       +
               live_view:

     

       11
       +
                   salt: ENC[AES256_GCM,data:4fKLclucoV0=,iv:ZvWKutuMTOm2X8w8a0fOTq+ldrXemayIUY2PUcurY80=,tag:qkIB1gPCI5HO0G0mLEsV+w==,type:str]

     

       12
       +
           joken_default_signer: ENC[AES256_GCM,data:myCEFUkf8s1YNQAigjxygRYvbwkpsv7cqgs00fARe9nxSFl2wveWM5JcfOnoVPwVBVV2GaAjFe4oMWXkaTPtqg==,iv:Yk1f/fzzbruW64mvTTeiyTlbrOO/G47CKKfr9BLtQ5g=,tag:QLpM22ec+VWtkjx5U/mzCw==,type:str]

     

       13
       +
           search:

     

       14
       +
               meili:

     

       15
       +
                   host_unencrypted: https://megumin.soopy.moe/

     

       16
       +
                   key: ENC[AES256_GCM,data:00TLCUneHn7NcSK1joURfIzxNFWyOBf/0/fceOn4RMcMt59dZz9LOvbs3F8B0vcH7tf/eUi3SnhYJNyRdPklyw==,iv:t0kQUCmjhFw8Z2CTmYOPUNFvyiYfsXETU8GSxhRR5KE=,tag:CPjtd7jQzgHJDrsIjHlVFQ==,type:str]

     

       17
       +
           vapid:

     

       18
       +
               pub: ENC[AES256_GCM,data:HYMKjhVCW/7DsMfPPssEduuwWnFezH4OOq4hfAovI82RUPsfVEKhgvkI9INY8hArAb/AIfyyxZhVx+bd2QkPlnASz51L7MxPtkPfZNUKqafjlMmK0nwH,iv:154BP5EmBqnKyf9BND2laKV3caVxa34MCRzrsg6/dik=,tag:wHLYdI6oQXPUzbw8dSxgwg==,type:str]

     

       19
       +
               key: ENC[AES256_GCM,data:t+da4NLEPZBMvq3MQkFEr+Fsj3XMGPMFKUWwbHDWNJAyuUZuiVcn3zX0kw==,iv:yQLu5CFl73GCojMBa2II6OhLrNNinsiVG1aPOAx+HtM=,tag:n0oelXaNFvilyee+MRSB8A==,type:str]

     

       20
       +
           postgres:

     

       21
       +
               hostname: ENC[AES256_GCM,data:rFEnhnn/Bw85,iv:GM2SH4Gkvt8tLG8AYIKxfHTZvB1sT+hgIoqkiViH6Es=,tag:yyGY9/nS9WFcJTGXlYpz6Q==,type:str]

     

       22
       +
               database_unencrypted: akkoma

     

       23
       +
               username: ENC[AES256_GCM,data:6skzOqv1,iv:OQ6zNmDn0uqKqNKEqOHWY6VBuT/4/CHog7b0Pf0TAPM=,tag:8HLmGykXg2V4t4RHzB8yaA==,type:str]

     

       24
       +
               password: ENC[AES256_GCM,data:J3OewVKr2A3TlT7ZUTk7tQr4olFs7bKx47Lus4LGbwGAZfNEmyk9coFTeQ8L/EJ0hpLfPfD1OcGBc+p0ZWK/XQ==,iv:UFe/3H/AfTgSlJikHqE1IED3zINjDuOs5niXpGWXGYE=,tag:MvT0z3TMs1dehg4gp54MyQ==,type:str]

     

       25
       +
           smtp:

     

       26
       +
               username: ENC[AES256_GCM,data:N7XbQkngWcUGzn/SR4AXCQ==,iv:wBXWtRYawOkjumsvTPcKfvL95CCB+RbsEyJv0YUG3WA=,tag:vGQREe+Cv0ITTxszl21J2g==,type:str]

     

       27
       +
               password: ENC[AES256_GCM,data:oU/aWkVmDU8WJhmwqOcXJ/EngiF7hvfUzPwpdjwkyh7Dw50dyG5AY7b2+hh6LIv9RZrN4yU+fXPAYr1W21OG/A==,iv:ds8Bg9JSJdNHUXh0FvD5a4pquyRnIXowcsJcVV1TyB4=,tag:JoYqas2RGSv8xyvJT9wHAQ==,type:str]

     

       28
       +
               relay: ENC[AES256_GCM,data:F2NnRLSTO5kmbWy4fx0=,iv:omnyn+Xa/cjqK+9l5bI573aR2p7UsUvqGX5ZQGf3CD0=,tag:t4u/jLQ1nZchyxf3WrhW6w==,type:str]

     

       29
       +
       sops:

     

       30
       +
           kms: []

     

       31
       +
           gcp_kms: []

     

       32
       +
           azure_kv: []

     

       33
       +
           hc_vault: []

     

       34
       +
           age:

     

       35
       +
               - recipient: age10rkyshu0lswdqyvun4cs9cekm9zt4fw5c8ssa38tn3lukgcahcvsltnqx2

     

       36
       +
                 enc: |

     

       37
       +
                   -----BEGIN AGE ENCRYPTED FILE-----

     

       38
       +
                   YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYMFBMZHdrR2ZMaEErZVlE

     

       39
       +
                   RmRZNnoxRVpVSDc5Rlg3MmhiVkxnK1NkNmljCjBsNE5oejcyOTRJRVVvdzJsMmw3

     

       40
       +
                   SGdyaUM1T0JvN3lDQjd4V054MWc1UjQKLS0tIDVvSndXZ29KSC8yUW5SRjdIcEZL

     

       41
       +
                   WkFkK1hsdzRnMmRBdDI0dWU3a1hBOEUKf+pJ6PAH1tPLXG14ghG4gxHpVN4D6TU1

     

       42
       +
                   GHCvsS5qNW8Cjis/Ubb3PHJfFiN4quN3rLaM/Ivkl5G1gzf9cGSDyQ==

     

       43
       +
                   -----END AGE ENCRYPTED FILE-----

     

       44
       +
               - recipient: age18h7hya5terghrwawgpny28swlat2nqkdrfd4clk0svujqlz9xfusd3zeqt

     

       45
       +
                 enc: |

     

       46
       +
                   -----BEGIN AGE ENCRYPTED FILE-----

     

       47
       +
                   YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbVhFQXJ5ZWVVZTJocmpn

     

       48
       +
                   Q1VFc01mcnZLRGtqQVF0VjB3RU1DL0phaFVVCkFmU2w3WlhuTDFHYnF5VC9TM0xz

     

       49
       +
                   VGdSSVpVbkN1Tlh4WnQxdHJkQU42dGMKLS0tIFVnVERoQWk1N1dmdWk0KzA0R1ZG

     

       50
       +
                   cHJ5aWIrQ2Zrb1dhbC9yZ1lIMU1jbzgK4mx+S5bF6KBMe6+TrSZfaBcuWEg9cHyd

     

       51
       +
                   tbJty1zxS9pndA/u3qz5EJxDouiAODvyAR07yeegtEcbw1FlG6W/gA==

     

       52
       +
                   -----END AGE ENCRYPTED FILE-----

     

       53
       +
           lastmodified: "2023-09-14T17:13:38Z"

     

       54
       +
           mac: ENC[AES256_GCM,data:Jyx0f+w9fJ+B1lz4jVVkcKxd1xUh3FzxDhk+KaxJLVh0BG/1d8Nx0/cOnxZV1FfJkn5Z2wYiLzBPSvJKe8MjlExOSH1mIAnuXcSP6dvXp21bgX17CXM6OP91Ny6IvwSZriqs6EIpWOkZNdxsEnySwtECoQfgs09ZnA4qmbtb01U=,iv:XHnY20d0WsnaECF1/68eu2/xcGLGeGnzba+/kBxDcc0=,tag:alo+8B2fVHon0lHGsQSUyQ==,type:str]

     

       55
       +
           pgp:

     

       56
       +
               - created_at: "2023-09-08T14:11:19Z"

     

       57
       +
                 enc: |-

     

       58
       +
                   -----BEGIN PGP MESSAGE-----

     

       59
       +
       

     

       60
       +
                   wV4DAxCcDC4ukRQSAQdA6IXTpPTgsoAuUSW0NqFw4MpqX4j3Wt9IqcGbrDobZGIw

     

       61
       +
                   FFZDSKuMgO7ADZCFoADJ9OWOQBUyE3htwkXWjT/NQdBbVX3nuANbsfRfTdPN5NJt

     

       62
       +
                   0lEB30Vck2fEXQsIGrIeg3pPRBl3U/z7F35tw+79EFZ5yOrAsOzSn3wzNA549/T7

     

       63
       +
                   dEVnej/86D4ZxtMqMjVB2NjsXrphqd7ENozlljMM6QKkjtg=

     

       64
       +
                   =juKF

     

       65
       +
                   -----END PGP MESSAGE-----

     

       66
       +
                 fp: 8F3B277901484C6EA7E63F82D539637D518022C6

     

       67
       +
           unencrypted_suffix: _unencrypted

     

       68
       +
           version: 3.7.3

+2 -1

creds/ssh/cassie

···

       0
        
       
     

       1
        
       # SmartCards

     

       2
        
       ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvCpt7yWIptJ9XFBhwVIj9zR30OzkWI976B/P5+0whD cardno:13 901 056

     

       3
       -
       ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvCpt7yWIptJ9XFBhwVIj9zR30OzkWI976B/P5+0whD cardno:19 302 295

     

       4
        
       ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMjRM3BNkLbU57RyfUx7kOlZeBEj/NByr1PfXri82aP cardno:19 302 432

     

       5
        
       

     

       6
        
       # Static devices

···

       1
       +
       # If I had an option, I would not use ecdsa keys.

     

       2
        
       # SmartCards

     

       3
        
       ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvCpt7yWIptJ9XFBhwVIj9zR30OzkWI976B/P5+0whD cardno:13 901 056

     

       4
       +
       ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJxpXpPlPEZPfnw2mIuWJEy/C/5h1bb6pIMeFsHAICQ+lLdEkbBSeDXQuA8feLN0MJw8KaB9jqrJbYgFadV/nVA= YubiKey #19302295 PIV Slot 9a

     

       5
        
       ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMjRM3BNkLbU57RyfUx7kOlZeBEj/NByr1PfXri82aP cardno:19 302 432

     

       6
        
       

     

       7
        
       # Static devices

+42 -2

docs/utils.md

···

       1
        
       # utility functions

     

       2
        
       

     

       3
        
       ## `_utils.mkVhost`

     

       4
       -
       make virtual host with sensible defaults

     

       0
        
       
     

       5
        
       

     

       6
        
       pass in a set to override the defaults.

     

       7
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       8
        
       ## `_utils.mkSimpleProxy`

     

       0
        
       
     

       0
        
       
     

       9
        
       make a simple reverse proxy

     

       10
        
       

     

       11
        
       takes a set:

     
···

       14
        
         port,

     

       15
        
         protocol ? "http",

     

       16
        
         location ? "/",

     

       17
       -
         websockets ? false

     

       0
        
       
     

       18
        
       }

     

       19
        
       ```

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       1
        
       # utility functions

     

       2
        
       

     

       3
        
       ## `_utils.mkVhost`

     

       4
       +
       `attrset -> attrset`

     

       5
       +
       make a virtual host with sensible defaults

     

       6
        
       

     

       7
        
       pass in a set to override the defaults.

     

       8
        
       

     

       9
       +
       ### Example

     

       10
       +
       ```nix

     

       11
       +
       services.nginx.virtualHosts."balls.example" = _utils.mkVhost {};

     

       12
       +
       ```

     

       13
       +
       

     

       14
        
       ## `_utils.mkSimpleProxy`

     

       15
       +
       `attrset -> attrset`

     

       16
       +
       

     

       17
        
       make a simple reverse proxy

     

       18
        
       

     

       19
        
       takes a set:

     
···

       22
        
         port,

     

       23
        
         protocol ? "http",

     

       24
        
         location ? "/",

     

       25
       +
         websockets ? false,

     

       26
       +
         extraConfig ? {}

     

       27
        
       }

     

       28
        
       ```

     

       29
       +
       

     

       30
       +
       It is recommended to override/add attributes with `extraConfig` to

     

       31
       +
       preserve defaults.

     

       32
       +
       

     

       33
       +
       Items in `extraConfig` are merged verbatim to the base attrset with defaults.

     

       34
       +
       They are overridden based on their order.

     

       35
       +
       

     

       36
       +
       ## `_utils.genSecrets`

     

       37
       +
       `namespace[str] -> files[list[str]] -> value[attrset] -> attrset`

     

       38
       +
       a

     

       39
       +
       generate an attrset to be passed into sops.secrets.

     

       40
       +
       

     

       41
       +
       ### Example

     

       42
       +
       ```nix

     

       43
       +
       { _utils, ... }:

     

       44
       +
       let

     

       45
       +
         secrets = [

     

       46
       +
           "secure_secret"

     

       47
       +
           # this is a directory structure, so secrets will be stored as a file in /run/secrets/service/test/secret.

     

       48
       +
           "service/test/secret"

     

       49
       +
         ];

     

       50
       +
       in {

     

       51
       +
         sops.secrets = _utils.genSecrets "" secrets {}; # it's recommended to use a namespace, but having none is still fine.

     

       52
       +
         # -> sops.secrets."secure_secret" = {};

     

       53
       +
         #    sops.secrets."service/test/secret" = {};

     

       54
       +
         sops.secrets = _utils.genSecrets "balls" ["balls_secret"] {owner = "balls"};

     

       55
       +
         # -> sops.secrets."balls/balls_secret" = {owner = "balls";};

     

       56
       +
       }

     

       57
       +
       ```

     

       58
       +
       

     

       59
       +
       See https://github.com/soopyc/nix-on-koumakan/blob/b7983776143c15c91df69ef34ba4264a22047ec6/systems/koumakan/services/fedivese/akkoma.nix#L8-L34 for a more extensive example

+45 -7

flake.lock

···

       267
        
               ]

     

       268
        
             },

     

       269
        
             "locked": {

     

       270
       -
               "lastModified": 1693755599,

     

       271
       -
               "narHash": "sha256-lNpiE6L0b1SKGTwQES8NNZErV6/rVMVgknpL8l3fv54=",

     

       272
        
               "owner": "soopyc",

     

       273
        
               "repo": "mystia",

     

       274
       -
               "rev": "1c6c686d0d2e7504fc492b3649a303bb1448b625",

     

       275
        
               "type": "github"

     

       276
        
             },

     

       277
        
             "original": {

     
···

       282
        
           },

     

       283
        
           "nixpkgs": {

     

       284
        
             "locked": {

     

       285
       -
               "lastModified": 1693755661,

     

       286
       -
               "narHash": "sha256-rnAlLZJsk5z0GAJy+ebNSN9KHiAzE3Q46j2zicZ1dxw=",

     

       287
        
               "owner": "NixOS",

     

       288
        
               "repo": "nixpkgs",

     

       289
       -
               "rev": "5f16b90e986bc5ae0c0fdaf1ccdbe100bdce6008",

     

       290
        
               "type": "github"

     

       291
        
             },

     

       292
        
             "original": {

     
···

       327
        
               "type": "github"

     

       328
        
             }

     

       329
        
           },

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       330
        
           "pre-commit-hooks-nix": {

     

       331
        
             "inputs": {

     

       332
        
               "flake-compat": [

     
···

       364
        
               "home-manager": "home-manager",

     

       365
        
               "lanzaboote": "lanzaboote",

     

       366
        
               "mystia": "mystia",

     

       367
       -
               "nixpkgs": "nixpkgs"

     

       0
        
       
     

       368
        
             }

     

       369
        
           },

     

       370
        
           "rust-overlay": {

     
···

       416
        
             "original": {

     

       417
        
               "owner": "oxalica",

     

       418
        
               "repo": "rust-overlay",

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       419
        
               "type": "github"

     

       420
        
             }

     

       421
        
           },

···

       267
        
               ]

     

       268
        
             },

     

       269
        
             "locked": {

     

       270
       +
               "lastModified": 1694357290,

     

       271
       +
               "narHash": "sha256-Mai5saiiuBWlQzTreLtIeUJQJN9zMH/UBIKJPOqnasM=",

     

       272
        
               "owner": "soopyc",

     

       273
        
               "repo": "mystia",

     

       274
       +
               "rev": "cfe783698ccd18cb27fb2e422917f14b82f7afc4",

     

       275
        
               "type": "github"

     

       276
        
             },

     

       277
        
             "original": {

     
···

       282
        
           },

     

       283
        
           "nixpkgs": {

     

       284
        
             "locked": {

     

       285
       +
               "lastModified": 1694237756,

     

       286
       +
               "narHash": "sha256-8T29BDnqRexwVy3jhEzIH9r7ROiF9I6ESVD0QLC6VXk=",

     

       287
        
               "owner": "NixOS",

     

       288
        
               "repo": "nixpkgs",

     

       289
       +
               "rev": "1a5bda2b28ea75a96dda2c349fe6d5e7864950ee",

     

       290
        
               "type": "github"

     

       291
        
             },

     

       292
        
             "original": {

     
···

       327
        
               "type": "github"

     

       328
        
             }

     

       329
        
           },

     

       330
       +
           "nixpkgs-stable_3": {

     

       331
       +
             "locked": {

     

       332
       +
               "lastModified": 1693675694,

     

       333
       +
               "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",

     

       334
       +
               "owner": "NixOS",

     

       335
       +
               "repo": "nixpkgs",

     

       336
       +
               "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",

     

       337
       +
               "type": "github"

     

       338
       +
             },

     

       339
       +
             "original": {

     

       340
       +
               "owner": "NixOS",

     

       341
       +
               "ref": "release-23.05",

     

       342
       +
               "repo": "nixpkgs",

     

       343
       +
               "type": "github"

     

       344
       +
             }

     

       345
       +
           },

     

       346
        
           "pre-commit-hooks-nix": {

     

       347
        
             "inputs": {

     

       348
        
               "flake-compat": [

     
···

       380
        
               "home-manager": "home-manager",

     

       381
        
               "lanzaboote": "lanzaboote",

     

       382
        
               "mystia": "mystia",

     

       383
       +
               "nixpkgs": "nixpkgs",

     

       384
       +
               "sops-nix": "sops-nix"

     

       385
        
             }

     

       386
        
           },

     

       387
        
           "rust-overlay": {

     
···

       433
        
             "original": {

     

       434
        
               "owner": "oxalica",

     

       435
        
               "repo": "rust-overlay",

     

       436
       +
               "type": "github"

     

       437
       +
             }

     

       438
       +
           },

     

       439
       +
           "sops-nix": {

     

       440
       +
             "inputs": {

     

       441
       +
               "nixpkgs": [

     

       442
       +
                 "nixpkgs"

     

       443
       +
               ],

     

       444
       +
               "nixpkgs-stable": "nixpkgs-stable_3"

     

       445
       +
             },

     

       446
       +
             "locked": {

     

       447
       +
               "lastModified": 1693898833,

     

       448
       +
               "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",

     

       449
       +
               "owner": "Mic92",

     

       450
       +
               "repo": "sops-nix",

     

       451
       +
               "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",

     

       452
       +
               "type": "github"

     

       453
       +
             },

     

       454
       +
             "original": {

     

       455
       +
               "owner": "Mic92",

     

       456
       +
               "repo": "sops-nix",

     

       457
        
               "type": "github"

     

       458
        
             }

     

       459
        
           },

+8 -2

flake.nix

···

       32
        
             url = "github:zhaofengli/attic";

     

       33
        
             inputs.nixpkgs.follows = "nixpkgs";

     

       34
        
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       35
        
           mystia = {

     

       36
        
             url = "github:soopyc/mystia";

     

       37
        
             inputs.nixpkgs.follows = "nixpkgs";

     
···

       43
        
           home-manager,

     

       44
        
           ...

     

       45
        
         } @ inputs: let

     

       46
       -
           _utils = import ./global/utils.nix {};

     

       47
        
           lib = nixpkgs.lib;

     

       48
        
       

     

       49
        
           systems = [

     
···

       55
        
           forAllSystems = fn: lib.genAttrs systems (s: fn nixpkgs.legacyPackages.${s});

     

       56
        
         in {

     

       57
        
           nixosConfigurations = {

     

       58
       -
             koumakan = import ./systems/koumakan {inherit _utils lib inputs;};

     

       59
        
           };

     

       60
        
       

     

       61
        
           devShells = forAllSystems (pkgs: {

···

       32
        
             url = "github:zhaofengli/attic";

     

       33
        
             inputs.nixpkgs.follows = "nixpkgs";

     

       34
        
           };

     

       35
       +
       

     

       36
       +
           sops-nix = {

     

       37
       +
             url = "github:Mic92/sops-nix";

     

       38
       +
             inputs.nixpkgs.follows = "nixpkgs";

     

       39
       +
           };

     

       40
       +
       

     

       41
        
           mystia = {

     

       42
        
             url = "github:soopyc/mystia";

     

       43
        
             inputs.nixpkgs.follows = "nixpkgs";

     
···

       49
        
           home-manager,

     

       50
        
           ...

     

       51
        
         } @ inputs: let

     

       52
       +
           utils = import ./global/utils.nix;

     

       53
        
           lib = nixpkgs.lib;

     

       54
        
       

     

       55
        
           systems = [

     
···

       61
        
           forAllSystems = fn: lib.genAttrs systems (s: fn nixpkgs.legacyPackages.${s});

     

       62
        
         in {

     

       63
        
           nixosConfigurations = {

     

       64
       +
             koumakan = import ./systems/koumakan {inherit utils lib inputs;};

     

       65
        
           };

     

       66
        
       

     

       67
        
           devShells = forAllSystems (pkgs: {

+2 -7

global/core.nix

···

       1
        
       {pkgs, ...}: {

     

       2
        
         imports = [

     

       3
        
           ./upgrade-diff.nix

     

       0
        
       
     

       4
        
         ];

     

       5
        
         # Set default i18n configuration

     

       6
        
         i18n.defaultLocale = "en_US.UTF-8";

     
···

       9
        
           keyMap = "us";

     

       10
        
         };

     

       11
        
       

     

       12
       -
         hardware.enableRedistributableFirmware = true;

     

       13
       -
       

     

       14
       -
         # # Enable crash dumps globally

     

       15
       -
         # boot.crashDump = {

     

       16
       -
         #   enable = true;

     

       17
       -
         #   reservedMemory = "128M";

     

       18
       -
         # };

     

       19
        
       

     

       20
        
         # Lock root account

     

       21
        
         users.users.root.shell = pkgs.shadow; # basically /bin/nologin

···

       1
        
       {pkgs, ...}: {

     

       2
        
         imports = [

     

       3
        
           ./upgrade-diff.nix

     

       4
       +
           ./system

     

       5
        
         ];

     

       6
        
         # Set default i18n configuration

     

       7
        
         i18n.defaultLocale = "en_US.UTF-8";

     
···

       10
        
           keyMap = "us";

     

       11
        
         };

     

       12
        
       

     

       13
       +
         time.timeZone = "Asia/Hong_Kong";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
       

     

       15
        
         # Lock root account

     

       16
        
         users.users.root.shell = pkgs.shadow; # basically /bin/nologin

+5

global/overlays/default.nix

···

       1
       +
       inputs:

     

       2
       +
       with inputs; [

     

       3
       +
         mystia.overlays.default

     

       4
       +
         attic.overlays.default

     

       5
       +
       ]

+1

global/programs/misc.nix

+1

global/programs/nix.nix

···

       5
        
           experimental-features = [

     

       6
        
             "nix-command"

     

       7
        
             "flakes"

     

       0
        
       
     

       8
        
           ];

     

       9
        
       

     

       10
        
           substituters = [

···

       5
        
           experimental-features = [

     

       6
        
             "nix-command"

     

       7
        
             "flakes"

     

       8
       +
             "repl-flake"

     

       9
        
           ];

     

       10
        
       

     

       11
        
           substituters = [

+5

global/system/default.nix

···

       1
       +
       {...}: {

     

       2
       +
         imports = [

     

       3
       +
           ./firmware.nix

     

       4
       +
         ];

     

       5
       +
       }

+4

global/system/firmware.nix

···

       1
       +
       {...}: {

     

       2
       +
         hardware.enableRedistributableFirmware = true;

     

       3
       +
         services.fwupd.enable = true;

     

       4
       +
       }

+39 -18

global/utils.nix

···

       1
        
       # see /docs/utils.md for a usage guide

     

       2
       -
       {...}:

     

       3
       -
       # let

     

       4
       -
       #   lib = pkgs.lib;

     

       5
       -
       # in

     

       6
       -
       rec {

     

       0
        
       
     

       0
        
       
     

       7
        
         mkVhost = opts:

     

       8
       -
           {

     

       9
       -
             # ideally mkOverride/mkDefault would be used, but i have 0 idea how it works.

     

       10
       -
             forceSSL = true;

     

       11
       -
             useACMEHost = "global.c.soopy.moe";

     

       12
       -
             kTLS = true;

     

       13
       -
           }

     

       14
       -
           // opts;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
       

     

       16
        
         mkSimpleProxy = {

     

       17
        
           port,

     

       18
        
           protocol ? "http",

     

       19
        
           location ? "/",

     

       20
        
           websockets ? false,

     

       0
        
       
     

       21
        
         }:

     

       22
       -
           mkVhost {

     

       23
       -
             locations."${location}" = {

     

       24
       -
               proxyPass = "${protocol}://localhost:${toString port}";

     

       25
       -
               proxyWebsockets = websockets;

     

       26
       -
             };

     

       27
       -
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       28
        
       }

···

       1
        
       # see /docs/utils.md for a usage guide

     

       2
       +
       {

     

       3
       +
         inputs,

     

       4
       +
         system,

     

       5
       +
         ...

     

       6
       +
       }: let

     

       7
       +
         lib = inputs.nixpkgs.lib;

     

       8
       +
       in rec {

     

       9
        
         mkVhost = opts:

     

       10
       +
           lib.mkMerge [

     

       11
       +
             {

     

       12
       +
               forceSSL = lib.mkDefault true;

     

       13
       +
               useACMEHost = lib.mkDefault "global.c.soopy.moe";

     

       14
       +
               kTLS = lib.mkDefault true;

     

       15
       +
       

     

       16
       +
               locations."/_cgi/error/" = {

     

       17
       +
                 alias = "${inputs.mystia.packages.${system}.staticly}/nginx_error_pages/";

     

       18
       +
               };

     

       19
       +
               extraConfig = ''

     

       20
       +
                 error_page 503 /_cgi/error/503.html;

     

       21
       +
                 error_page 502 /_cgi/error/502.html;

     

       22
       +
                 error_page 404 /_cgi/error/404.html;

     

       23
       +
               '';

     

       24
       +
             }

     

       25
       +
             opts

     

       26
       +
           ];

     

       27
        
       

     

       28
        
         mkSimpleProxy = {

     

       29
        
           port,

     

       30
        
           protocol ? "http",

     

       31
        
           location ? "/",

     

       32
        
           websockets ? false,

     

       33
       +
           extraConfig ? {},

     

       34
        
         }:

     

       35
       +
           mkVhost (lib.mkMerge [

     

       36
       +
             extraConfig

     

       37
       +
             {

     

       38
       +
               locations."${location}" = {

     

       39
       +
                 proxyPass = "${protocol}://localhost:${toString port}";

     

       40
       +
                 proxyWebsockets = websockets;

     

       41
       +
               };

     

       42
       +
             }

     

       43
       +
           ]);

     

       44
       +
       

     

       45
       +
         genSecrets = namespace: files: value:

     

       46
       +
           lib.genAttrs (

     

       47
       +
             map (x: namespace + lib.optionalString (lib.stringLength namespace != 0) "/" + x) files

     

       48
       +
           ) (_: value);

     

       49
        
       }

+11 -4

justfile

···

       1
        
       # friendship ended with Makefile

     

       2
        
       # I LOVE justFILE!!!!!!

     

       3
        
       

     

       4
       -
       default: build

     

       0
        
       
     

       0
        
       
     

       5
        
       

     

       0
        
       
     

       6
        
       test:

     

       7
        
       	nixos-rebuild test --flake .#

     

       8
        
       

     

       9
       -
       build:

     

       10
       -
       	nixos-rebuild build --flake .#

     

       11
       -
       

     

       12
        
       switch:

     

       13
        
       	nixos-rebuild switch --flake .#

     

       14
        
       

     

       0
        
       
     

       15
        
       utils recipe="list":

     

       16
        
         @echo "Running utils/{{recipe}}"

     

       17
        
         @cd utils && just {{recipe}}

     

       18
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       19
        
       ebuild system:

     

       20
        
         nix build -j8 .#nixosConfigurations."{{system}}".config.system.build.toplevel

···

       1
        
       # friendship ended with Makefile

     

       2
        
       # I LOVE justFILE!!!!!!

     

       3
        
       

     

       4
       +
       # build the current configuration

     

       5
       +
       build:

     

       6
       +
       	nixos-rebuild build --flake .#

     

       7
        
       

     

       8
       +
       # build and test the configuration, but don't switch

     

       9
        
       test:

     

       10
        
       	nixos-rebuild test --flake .#

     

       11
        
       

     

       12
       +
       # switch to the current configuration

     

       0
        
       
     

       0
        
       
     

       13
        
       switch:

     

       14
        
       	nixos-rebuild switch --flake .#

     

       15
        
       

     

       16
       +
       # run utility programs

     

       17
        
       utils recipe="list":

     

       18
        
         @echo "Running utils/{{recipe}}"

     

       19
        
         @cd utils && just {{recipe}}

     

       20
        
       

     

       21
       +
       # update an input in the flake lockfile

     

       22
       +
       update-input input:

     

       23
       +
         nix flake lock --update-input {{input}}

     

       24
       +
       

     

       25
       +
       # build the flake on a non-nixos platform

     

       26
        
       ebuild system:

     

       27
        
         nix build -j8 .#nixosConfigurations."{{system}}".config.system.build.toplevel

-1

overlays/default.nix

···

       0

+1

systems/koumakan/certificates/default.nix

···

       2
        
         imports = [

     

       3
        
           ./global.nix

     

       4
        
           ./postgresql.nix

     

       0
        
       
     

       5
        
         ];

     

       6
        
       

     

       7
        
         security.acme = {

···

       2
        
         imports = [

     

       3
        
           ./global.nix

     

       4
        
           ./postgresql.nix

     

       5
       +
           ./fediverse.nix

     

       6
        
         ];

     

       7
        
       

     

       8
        
         security.acme = {

+11

systems/koumakan/certificates/fediverse.nix

···

       1
       +
       {...}: {

     

       2
       +
         # Certificate for fedi services

     

       3
       +
         security.acme.certs."fedi.c.soopy.moe" = {

     

       4
       +
           group = "nginx";

     

       5
       +
           extraDomainNames = [

     

       6
       +
             "a.soopy.moe"

     

       7
       +
             "m.soopy.moe"

     

       8
       +
             "pixie.soopy.moe"

     

       9
       +
           ];

     

       10
       +
         };

     

       11
       +
       }

+15 -24

systems/koumakan/configuration.nix

···

       1
       -
       # Edit this configuration file to define what should be installed on

     

       2
       -
       # your system.  Help is available in the configuration.nix(5) man page

     

       3
       -
       # and in the NixOS manual (accessible by running `nixos-help`).

     

       4
        
       {inputs, ...}: {

     

       5
        
         imports = [

     

       6
        
           # Include the results of the hardware scan.

     
···

       15
        
           ./services

     

       16
        
         ];

     

       17
        
       

     

       18
       -
         nixpkgs.overlays =

     

       19
       -
           import ../../overlays

     

       20
       -
           ++ (with inputs; [

     

       21
       -
             mystia.overlays.default

     

       22
       -
             attic.overlays.default

     

       23
       -
           ]);

     

       24
        
       

     

       25
       -
         boot.loader.efi = {

     

       26
       -
           canTouchEfiVariables = true;

     

       27
       -
           efiSysMountPoint = "/boot/efi";

     

       28
       -
         };

     

       29
       -
       

     

       30
       -
         boot.loader.systemd-boot = {

     

       31
       -
           enable = true;

     

       32
       -
           graceful = true;

     

       33
       -
           netbootxyz.enable = true;

     

       0
        
       
     

       0
        
       
     

       34
        
         };

     

       35
        
       

     

       36
       -
         boot.loader.grub = {

     

       37
       -
           enable = false;

     

       38
       -
         };

     

       39
       -
       

     

       40
       -
         time.timeZone = "Asia/Hong_Kong";

     

       41
       -
       

     

       42
        
         # Define a user account. Don't forget to set a password with ‘passwd’.

     

       43
        
         users.users.cassie = {

     

       44
        
           isNormalUser = true;

     
···

       48
        
           };

     

       49
        
           # packages = with pkgs; [];

     

       50
        
         };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       51
        
       

     

       52
        
         # Just don't change this :p

     

       53
        
         system.stateVersion = "23.05"; # Did you read the comment?

···

       0
        
       
     

       0
        
       
     

       0
        
       
     

       1
        
       {inputs, ...}: {

     

       2
        
         imports = [

     

       3
        
           # Include the results of the hardware scan.

     
···

       12
        
           ./services

     

       13
        
         ];

     

       14
        
       

     

       15
       +
         nixpkgs.overlays = import ../../global/overlays inputs;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       16
        
       

     

       17
       +
         boot.loader = {

     

       18
       +
           efi = {

     

       19
       +
             canTouchEfiVariables = true;

     

       20
       +
             efiSysMountPoint = "/boot/efi";

     

       21
       +
           };

     

       22
       +
           systemd-boot = {

     

       23
       +
             enable = true;

     

       24
       +
             graceful = true;

     

       25
       +
             netbootxyz.enable = true;

     

       26
       +
           };

     

       27
       +
           grub.enable = false;

     

       28
        
         };

     

       29
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       30
        
         # Define a user account. Don't forget to set a password with ‘passwd’.

     

       31
        
         users.users.cassie = {

     

       32
        
           isNormalUser = true;

     
···

       36
        
           };

     

       37
        
           # packages = with pkgs; [];

     

       38
        
         };

     

       39
       +
       

     

       40
       +
         sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

     

       41
       +
         sops.defaultSopsFile = ../../creds/sops/koumakan.yaml;

     

       42
        
       

     

       43
        
         # Just don't change this :p

     

       44
        
         system.stateVersion = "23.05"; # Did you read the comment?

+7 -2

systems/koumakan/default.nix

···

       1
        
       {

     

       2
        
         lib,

     

       3
       -
         _utils,

     

       4
        
         inputs,

     

       5
        
         ...

     

       6
        
       }:

     
···

       10
        
         # see docs/tips_n_tricks.md#extra_opts for syntax

     

       11
        
         # see docs/utils.md for functions

     

       12
        
         specialArgs = {

     

       13
       -
           inherit inputs _utils;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       14
        
         };

     

       15
        
       

     

       16
        
         modules = [

     

       17
        
           inputs.lanzaboote.nixosModules.lanzaboote

     

       18
        
           inputs.attic.nixosModules.atticd

     

       0
        
       
     

       19
        
       

     

       20
        
           ./configuration.nix

     

       21
        
         ];

···

       1
        
       {

     

       2
        
         lib,

     

       3
       +
         utils,

     

       4
        
         inputs,

     

       5
        
         ...

     

       6
        
       }:

     
···

       10
        
         # see docs/tips_n_tricks.md#extra_opts for syntax

     

       11
        
         # see docs/utils.md for functions

     

       12
        
         specialArgs = {

     

       13
       +
           inherit inputs;

     

       14
       +
           _utils = utils {

     

       15
       +
             inherit inputs;

     

       16
       +
             system = "x86_64-linux";

     

       17
       +
           };

     

       18
        
         };

     

       19
        
       

     

       20
        
         modules = [

     

       21
        
           inputs.lanzaboote.nixosModules.lanzaboote

     

       22
        
           inputs.attic.nixosModules.atticd

     

       23
       +
           inputs.sops-nix.nixosModules.sops

     

       24
        
       

     

       25
        
           ./configuration.nix

     

       26
        
         ];

+1 -1

systems/koumakan/networking/interface.nix

···

       1
        
       {...}: {

     

       2
       -
         networking.networkmanager.ethernet.macAddress = builtins.readFile ./nma.cry;

     

       3
        
       }

···

       1
        
       {...}: {

     

       2
       +
         networking.networkmanager.ethernet.macAddress = "stable";

     

       3
        
       }

systems/koumakan/networking/nma.cry

This is a binary file and will not be displayed.

+1 -1

systems/koumakan/security/pam.nix

···

       1
        
       {...}: {

     

       2
        
         security.pam.yubico = {

     

       3
        
           enable = true;

     

       4
       -
           id = builtins.readFile ./ykid.cry;

     

       5
        
           mode = "client";

     

       6
        
           control = "requisite";

     

       7
        
         };

···

       1
        
       {...}: {

     

       2
        
         security.pam.yubico = {

     

       3
        
           enable = true;

     

       4
       +
           id = "91582";

     

       5
        
           mode = "client";

     

       6
        
           control = "requisite";

     

       7
        
         };

systems/koumakan/security/ykid.cry

This is a binary file and will not be displayed.

+4 -3

systems/koumakan/services/attic.nix

···

       39
        
           };

     

       40
        
         };

     

       41
        
       

     

       42
       -
         services.nginx.virtualHosts."nonbunary.soopy.moe" =

     

       43
       -
           _utils.mkSimpleProxy {port = 38191;}

     

       44
       -
           // {

     

       45
        
             extraConfig = ''

     

       46
        
               client_max_body_size 1G;

     

       47
        
               proxy_read_timeout 3h;

     
···

       49
        
               proxy_send_timeout 3h;

     

       50
        
             '';

     

       51
        
           };

     

       0
        
       
     

       52
        
       }

···

       39
        
           };

     

       40
        
         };

     

       41
        
       

     

       42
       +
         services.nginx.virtualHosts."nonbunary.soopy.moe" = _utils.mkSimpleProxy {

     

       43
       +
           port = 38191;

     

       44
       +
           extraConfig = {

     

       45
        
             extraConfig = ''

     

       46
        
               client_max_body_size 1G;

     

       47
        
               proxy_read_timeout 3h;

     
···

       49
        
               proxy_send_timeout 3h;

     

       50
        
             '';

     

       51
        
           };

     

       52
       +
         };

     

       53
        
       }

+6

systems/koumakan/services/databases/default.nix

···

       1
       +
       {...}: {

     

       2
       +
         imports = [

     

       3
       +
           ./postgresql.nix

     

       4
       +
           ./redis.nix

     

       5
       +
         ];

     

       6
       +
       }

+40

systems/koumakan/services/databases/postgresql.nix

···

       1
       +
       {pkgs, ...}: {

     

       2
       +
         services.postgresql = {

     

       3
       +
           enable = true;

     

       4
       +
       

     

       5
       +
           package = pkgs.postgresql_15;

     

       6
       +
           dataDir = "/var/lib/postgresql/15";

     

       7
       +
           logLinePrefix = "%m [%p] %h ";

     

       8
       +
       

     

       9
       +
           authentication = ''

     

       10
       +
             # unix socket connection

     

       11
       +
             local   all             all                                     peer

     

       12
       +
             # local ipv4/6 tcp connection

     

       13
       +
             host    all             all             127.0.0.1/32            scram-sha-256

     

       14
       +
             host    all             all             ::1/128                 scram-sha-256

     

       15
       +
             # world (encrypted) tcp traffic

     

       16
       +
             hostssl all             all             all                     scram-sha-256

     

       17
       +
           '';

     

       18
       +
       

     

       19
       +
           settings = let

     

       20
       +
             credsDir = "/run/credentials/postgresql.service";

     

       21
       +
           in {

     

       22
       +
             listen_addresses = pkgs.lib.mkForce "*";

     

       23
       +
             max_connections = 200;

     

       24
       +
             password_encryption = "scram-sha-256";

     

       25
       +
       

     

       26
       +
             ssl = "on";

     

       27
       +
             ssl_cert_file = "${credsDir}/cert.pem";

     

       28
       +
             ssl_key_file = "${credsDir}/key.pem";

     

       29
       +
       

     

       30
       +
             log_hostname = true;

     

       31
       +
             datestyle = "iso, dmy";

     

       32
       +
             log_timezone = "Asia/Hong_Kong";

     

       33
       +
             timezone = "Asia/Hong_Kong";

     

       34
       +
             default_text_search_config = "pc_catalog.english";

     

       35
       +
       

     

       36
       +
             max_wal_size = "2GB";

     

       37
       +
             min_wal_size = "80MB";

     

       38
       +
           };

     

       39
       +
         };

     

       40
       +
       }

+5

systems/koumakan/services/databases/redis.nix

···

       1
       +
       {...}: {

     

       2
       +
         services.redis.servers."" = {

     

       3
       +
           enable = true;

     

       4
       +
         };

     

       5
       +
       }

+5 -3

systems/koumakan/services/default.nix

···

       2
        
         imports = [

     

       3
        
           ./nginx.nix

     

       4
        
       

     

       5
       -
           # databases

     

       6
       -
           ./postgresql.nix

     

       7
       -
           ./redis.nix

     

       8
        
       

     

       9
        
           ./attic.nix

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
       

     

       11
        
           ./proxies

     

       12
        
           ./static-sites

···

       2
        
         imports = [

     

       3
        
           ./nginx.nix

     

       4
        
       

     

       5
       +
           ./databases

     

       0
        
       
     

       0
        
       
     

       6
        
       

     

       7
        
           ./attic.nix

     

       8
       +
       

     

       9
       +
           # fediverse

     

       10
       +
           ./matrix

     

       11
       +
           ./fediverse

     

       12
        
       

     

       13
        
           ./proxies

     

       14
        
           ./static-sites

+150

systems/koumakan/services/fediverse/akkoma.nix

···

       1
       +
       {

     

       2
       +
         _utils,

     

       3
       +
         pkgs,

     

       4
       +
         config,

     

       5
       +
         lib,

     

       6
       +
         ...

     

       7
       +
       }: let

     

       8
       +
         mkRaw = (pkgs.formats.elixirConf {}).lib.mkRaw;

     

       9
       +
         # I don't know what i did but i made this abomination

     

       10
       +
         mkSecret = file:

     

       11
       +
           if !lib.elem file secrets

     

       12
       +
           then throw "Provided secret file ${file} is not in the list of defined secrets."

     

       13
       +
           else {_secret = "/run/secrets/akkoma/${file}";};

     

       14
       +
         secrets = [

     

       15
       +
           "joken_default_signer" # can't think of any better name spacing

     

       16
       +
           "dist/cookie"

     

       17
       +
           "search/meili/host_unencrypted"

     

       18
       +
           "search/meili/key"

     

       19
       +
           "endpoint/secret_base"

     

       20
       +
           "endpoint/salt"

     

       21
       +
           "endpoint/live_view/salt"

     

       22
       +
           "vapid/pub"

     

       23
       +
           "vapid/key"

     

       24
       +
           "postgres/hostname"

     

       25
       +
           "postgres/database_unencrypted"

     

       26
       +
           "postgres/username"

     

       27
       +
           "postgres/password"

     

       28
       +
           "smtp/username"

     

       29
       +
           "smtp/password"

     

       30
       +
           "smtp/relay"

     

       31
       +
         ];

     

       32
       +
       in {

     

       33
       +
         # secrets definition

     

       34
       +
         sops.secrets = _utils.genSecrets "akkoma" secrets {};

     

       35
       +
       

     

       36
       +
         services.akkoma = {

     

       37
       +
           enable = true;

     

       38
       +
           initSecrets = false;

     

       39
       +
           initDb.enable = false;

     

       40
       +
           # TODO: figure out how to add swagger ui

     

       41
       +
           # frontends = {

     

       42
       +
           #   swagger

     

       43
       +
           # };

     

       44
       +
       

     

       45
       +
           # TODO: Issue #5

     

       46
       +
           dist.cookie = mkSecret "dist/cookie";

     

       47
       +
           config = {

     

       48
       +
             ":joken".":default_signer" = mkSecret "joken_default_signer";

     

       49
       +
       

     

       50
       +
             ":pleroma" = {

     

       51
       +
               ":http_security" = {

     

       52
       +
                 sts = true;

     

       53
       +
               };

     

       54
       +
       

     

       55
       +
               ":configurable_from_database" = true;

     

       56
       +
               ":instance" = {

     

       57
       +
                 name = "CassieAkko";

     

       58
       +
                 description = "You should not see this here...";

     

       59
       +
                 email = "me@soopy.moe";

     

       60
       +
                 notify_email = "noreply@a.soopy.moe";

     

       61
       +
                 limit = 5000;

     

       62
       +
                 registrations_open = true;

     

       63
       +
               };

     

       64
       +
       

     

       65
       +
               # TODO: add proper proxy support

     

       66
       +
               # also refer to https://meta.akkoma.dev/t/another-vector-for-the-injection-vulnerability-found/483

     

       67
       +
               ":media_proxy" = {

     

       68
       +
                 enabled = true;

     

       69
       +
                 redirect_on_failure = true;

     

       70
       +
               };

     

       71
       +
       

     

       72
       +
               "Pleroma.Repo" = {

     

       73
       +
                 adapter = mkRaw "Ecto.Adapters.Postgres";

     

       74
       +
                 database = mkSecret "postgres/database_unencrypted";

     

       75
       +
                 hostname = mkSecret "postgres/hostname";

     

       76
       +
                 username = mkSecret "postgres/username";

     

       77
       +
                 password = mkSecret "postgres/password";

     

       78
       +
               };

     

       79
       +
       

     

       80
       +
               "Pleroma.Upload" = {

     

       81
       +
                 filters = [

     

       82
       +
                   (mkRaw "Pleroma.Upload.Filter.Exiftool")

     

       83
       +
                   (mkRaw "Pleroma.Upload.Filter.Dedupe")

     

       84
       +
                 ];

     

       85
       +
               };

     

       86
       +
       

     

       87
       +
               "Pleroma.Web.Endpoint" = {

     

       88
       +
                 # We don't need to specify http ip/ports here because we use unix sockets

     

       89
       +
                 # ok we do because it's broken

     

       90
       +
                 http = {

     

       91
       +
                   ip = "127.0.0.1";

     

       92
       +
                   port = 35378;

     

       93
       +
                 };

     

       94
       +
                 url = {

     

       95
       +
                   host = "a.soopy.moe";

     

       96
       +
                   scheme = "https";

     

       97
       +
                   port = 443;

     

       98
       +
                 };

     

       99
       +
                 secure_cookie_flag = true;

     

       100
       +
       

     

       101
       +
                 secret_key_base = mkSecret "endpoint/secret_base";

     

       102
       +
                 signing_salt = mkSecret "endpoint/salt";

     

       103
       +
                 live_view = {

     

       104
       +
                   signing_salt = mkSecret "endpoint/live_view/salt";

     

       105
       +
                 };

     

       106
       +
               };

     

       107
       +
       

     

       108
       +
               "Pleroma.Emails.Mailer" = {

     

       109
       +
                 adapter = mkRaw "Swoosh.Adapters.SMTP";

     

       110
       +
                 relay = mkSecret "smtp/relay";

     

       111
       +
                 username = mkSecret "smtp/username";

     

       112
       +
                 password = mkSecret "smtp/password";

     

       113
       +
               };

     

       114
       +
       

     

       115
       +
               "Pleroma.Search.Meilisearch" = {

     

       116
       +
                 url = mkSecret "search/meili/host_unencrypted";

     

       117
       +
                 private_key = mkSecret "search/meili/key";

     

       118
       +
                 initial_indexing_chunk_size = 100000;

     

       119
       +
               };

     

       120
       +
             };

     

       121
       +
       

     

       122
       +
             ":web_push_encryption".":vapid_details" = {

     

       123
       +
               subject = "mailto:me@soopy.moe";

     

       124
       +
               public_key = mkSecret "vapid/pub";

     

       125
       +
               private_key = mkSecret "vapid/key";

     

       126
       +
             };

     

       127
       +
           };

     

       128
       +
       

     

       129
       +
           nginx = _utils.mkVhost {

     

       130
       +
             useACMEHost = "fedi.c.soopy.moe";

     

       131
       +
             extraConfig = ''

     

       132
       +
               client_max_body_size 100M;

     

       133
       +
             '';

     

       134
       +
           };

     

       135
       +
       

     

       136
       +
           extraStatic = {

     

       137
       +
             "static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" ''

     

       138
       +
               <h1>Terms of Service</h1><p>Please refer to this ToS:

     

       139
       +
               <a href="https://m.soopy.moe/@admin/pages/tos" rel="noopener noreferrer nofollow">

     

       140
       +
               https://m.soopy.moe/@admin/pages/tos</a></p>

     

       141
       +
             '';

     

       142
       +
             # refer to https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/servers/akkoma/emoji/blobs_gg.nix#L29

     

       143
       +
             # "emoji/Cat_girls_Emoji" = ...

     

       144
       +
           };

     

       145
       +
         };

     

       146
       +
       

     

       147
       +
         systemd.services.akkoma-config = {

     

       148
       +
           serviceConfig.SupplementaryGroups = [config.users.groups.keys.name];

     

       149
       +
         };

     

       150
       +
       }

+5

systems/koumakan/services/fediverse/default.nix

···

       1
       +
       {...}: {

     

       2
       +
         imports = [

     

       3
       +
           ./akkoma.nix

     

       4
       +
         ];

     

       5
       +
       }

+5

systems/koumakan/services/matrix/default.nix

···

       1
       +
       {...}: {

     

       2
       +
         imports = [

     

       3
       +
           ./synapse.nix

     

       4
       +
         ];

     

       5
       +
       }

+116

systems/koumakan/services/matrix/synapse.nix

···

       1
       +
       {

     

       2
       +
         _utils,

     

       3
       +
         pkgs,

     

       4
       +
         config,

     

       5
       +
         ...

     

       6
       +
       }: {

     

       7
       +
         sops.secrets."synapse.yaml" = {

     

       8
       +
           mode = "0400";

     

       9
       +
           owner = config.users.users.matrix-synapse.name;

     

       10
       +
         };

     

       11
       +
       

     

       12
       +
         sops.secrets.matrix-signing-key = {

     

       13
       +
           mode = "0400";

     

       14
       +
           owner = config.users.users.matrix-synapse.name;

     

       15
       +
         };

     

       16
       +
       

     

       17
       +
         users.users.matrix-synapse.extraGroups = [config.users.groups.keys.name];

     

       18
       +
       

     

       19
       +
         services.matrix-synapse = {

     

       20
       +
           enable = true;

     

       21
       +
           withJemalloc = true;

     

       22
       +
           extras = [

     

       23
       +
             "jwt"

     

       24
       +
             "oidc"

     

       25
       +
           ];

     

       26
       +
       

     

       27
       +
           extraConfigFiles = [

     

       28
       +
             "/run/secrets/synapse.yaml"

     

       29
       +
           ];

     

       30
       +
       

     

       31
       +
           settings = {

     

       32
       +
             server_name = "nue.soopy.moe";

     

       33
       +
             serve_server_wellknown = true;

     

       34
       +
             allow_public_rooms_over_federation = true;

     

       35
       +
             federation_client_minimum_tls_version = 1.2;

     

       36
       +
             # TODO: Setup TURN servers

     

       37
       +
             # TODO: Setup OIDC providers

     

       38
       +
             # TODO: Configure email

     

       39
       +
             # TODO: Setup opentracing

     

       40
       +
             url_preview_enabled = true;

     

       41
       +
             enable_registration = false;

     

       42
       +
             session_lifetime = "99y";

     

       43
       +
       

     

       44
       +
             max_upload_size = "100M";

     

       45
       +
             signing_key_path = "/run/secrets/matrix-signing-key";

     

       46
       +
       

     

       47
       +
             server_notices = {

     

       48
       +
               system_mxid_localpart = "server";

     

       49
       +
               system_mxid_display_name = "Server Notices";

     

       50
       +
               room_name = "Server Notices";

     

       51
       +
             };

     

       52
       +
       

     

       53
       +
             trusted_key_servers = [

     

       54
       +
               {

     

       55
       +
                 server_name = "matrix.org";

     

       56
       +
                 verify_keys = {

     

       57
       +
                   "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";

     

       58
       +
                 };

     

       59
       +
               }

     

       60
       +
               {

     

       61
       +
                 server_name = "m.lea.moe";

     

       62
       +
               }

     

       63
       +
             ];

     

       64
       +
       

     

       65
       +
             password_config = {

     

       66
       +
               policy = {

     

       67
       +
                 enabled = true;

     

       68
       +
                 minimum_length = 12;

     

       69
       +
               };

     

       70
       +
             };

     

       71
       +
           };

     

       72
       +
         };

     

       73
       +
       

     

       74
       +
         services.postgresql = {

     

       75
       +
           ensureDatabases = ["synapse"];

     

       76
       +
           ensureUsers = [

     

       77
       +
             {

     

       78
       +
               name = "synapse";

     

       79
       +
               ensurePermissions = {

     

       80
       +
                 "database \"synapse\"" = "all privileges";

     

       81
       +
               };

     

       82
       +
             }

     

       83
       +
           ];

     

       84
       +
         };

     

       85
       +
       

     

       86
       +
         services.nginx.virtualHosts."nue.soopy.moe" = _utils.mkVhost {

     

       87
       +
           locations."= /config.json" = {

     

       88
       +
             alias = "${pkgs.staticly}/configs/";

     

       89
       +
             tryFiles = "cinny.json =404";

     

       90
       +
             extraConfig = ''

     

       91
       +
               add_header access_control_allow_origin "*";

     

       92
       +
             '';

     

       93
       +
           };

     

       94
       +
       

     

       95
       +
           locations."= /.well-known/matrix/server" = {

     

       96
       +
             return = "200 '{\"m.server\": \"nue.soopy.moe:443\"}'";

     

       97
       +
           };

     

       98
       +
       

     

       99
       +
           locations."~ ^(/_matrix|/_synapse/client)" = {

     

       100
       +
             proxyPass = "http://localhost:8008";

     

       101
       +
             extraConfig = ''

     

       102
       +
               client_max_body_size 100M;

     

       103
       +
             '';

     

       104
       +
           };

     

       105
       +
       

     

       106
       +
           locations."= /.well-known/matrix/client" = {

     

       107
       +
             alias = "${pkgs.staticly}/configs/matrix/";

     

       108
       +
             tryFiles = "stable.json =404";

     

       109
       +
           };

     

       110
       +
       

     

       111
       +
           locations."/" = {

     

       112
       +
             root = "${pkgs.staticly}/pages/matrix/landing/";

     

       113
       +
             tryFiles = "$uri $uri/index.html $uri.html =404";

     

       114
       +
           };

     

       115
       +
         };

     

       116
       +
       }

-40

systems/koumakan/services/postgresql.nix

···

       1
       -
       {pkgs, ...}: {

     

       2
       -
         services.postgresql = {

     

       3
       -
           enable = true;

     

       4
       -
       

     

       5
       -
           package = pkgs.postgresql_15;

     

       6
       -
           dataDir = "/var/lib/postgresql/15";

     

       7
       -
           logLinePrefix = "%m [%p] %h ";

     

       8
       -
       

     

       9
       -
           authentication = ''

     

       10
       -
             # unix socket connection

     

       11
       -
             local   all             all                                     trust

     

       12
       -
             # local ipv4/6 tcp connection

     

       13
       -
             host    all             all             127.0.0.1/32            scram-sha-256

     

       14
       -
             host    all             all             ::1/128                 scram-sha-256

     

       15
       -
             # world (encrypted) tcp traffic

     

       16
       -
             hostssl all             all             all                     scram-sha-256

     

       17
       -
           '';

     

       18
       -
       

     

       19
       -
           settings = let

     

       20
       -
             credsDir = "/run/credentials/postgresql.service";

     

       21
       -
           in {

     

       22
       -
             listen_addresses = pkgs.lib.mkForce "*";

     

       23
       -
             max_connections = 200;

     

       24
       -
             password_encryption = "scram-sha-256";

     

       25
       -
       

     

       26
       -
             ssl = "on";

     

       27
       -
             ssl_cert_file = "${credsDir}/cert.pem";

     

       28
       -
             ssl_key_file = "${credsDir}/key.pem";

     

       29
       -
       

     

       30
       -
             log_hostname = true;

     

       31
       -
             datestyle = "iso, dmy";

     

       32
       -
             log_timezone = "Asia/Hong_Kong";

     

       33
       -
             timezone = "Asia/Hong_Kong";

     

       34
       -
             default_text_search_config = "pc_catalog.english";

     

       35
       -
       

     

       36
       -
             max_wal_size = "2GB";

     

       37
       -
             min_wal_size = "80MB";

     

       38
       -
           };

     

       39
       -
         };

     

       40
       -
       }

-5

systems/koumakan/services/redis.nix

···

       1
       -
       {...}: {

     

       2
       -
         services.redis.servers."" = {

     

       3
       -
           enable = true;

     

       4
       -
         };

     

       5
       -
       }

+3 -3

systems/koumakan/services/static-sites/keine.nix

···

       1
       -
       {...}: {

     

       2
       -
         services.nginx.virtualHosts."keine.soopy.moe" = {

     

       3
       -
           useACMEHost = "global.c.soopy.moe";

     

       4
        
           addSSL = true; # Don't force SSL on a mirror (implications TBD)

     

       5
        
       

     

       6
        
           root = "/srv/www/keine";

···

       1
       +
       {_utils, ...}: {

     

       2
       +
         services.nginx.virtualHosts."keine.soopy.moe" = _utils.mkVhost {

     

       3
       +
           forceSSL = false;

     

       4
        
           addSSL = true; # Don't force SSL on a mirror (implications TBD)

     

       5
        
       

     

       6
        
           root = "/srv/www/keine";

+1

utils/justfile

···

       3
        
       list:

     

       4
        
         just -l

     

       5
        
       

     

       0
        
       
     

       6
        
       nitter-token:

     

       7
        
         {{python_executable}} nitter-guest-account.py tokens.json

···

       3
        
       list:

     

       4
        
         just -l

     

       5
        
       

     

       6
       +
       # grab a new nitter guest account and save it

     

       7
        
       nitter-token:

     

       8
        
         {{python_executable}} nitter-guest-account.py tokens.json

+78 -64

utils/nitter-guest-account.py

···

       3
        
       # thank you!

     

       4
        
       import sys

     

       5
        
       import json

     

       0
        
       
     

       0
        
       
     

       6
        
       import typing

     

       7
        
       import traceback

     

       8
        
       from base64 import b64encode

     
···

       256
        
       	success(f'flow token => {flow_token}')

     

       257
        
       

     

       258
        
       	info('Fetching final account object...')

     

       259
       -
       	tasks = send_req('post', TASKS_ENDPOINT, headers=request_headers, json=get_tasks_body(flow_token)).json()

     

       260
       -
       	try:

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       261
        
       		try:

     

       262
       -
       			open_account_task = next(filter(lambda i: i.get('subtask_id') == "OpenAccount", tasks['subtasks']))

     

       263
       -
       			account = open_account_task['open_account']

     

       264
       -
       		except StopIteration:

     

       265
       -
       			debug("resulting tasks =>", format_json(tasks), override=True)

     

       266
       -
       			error("Unable to acquire guest account credentials as it isn't present in the API response.")

     

       267
       -
       			error("This might be because of a wide variety of reasons, but it most likely is due to your IP being rate-limited.")

     

       268
       -
       			error("Try again with a new IP address or in 24 hours after this attempt.")

     

       269
       -
       			return 1

     

       0
        
       
     

       270
        
       

     

       271
       -
       		if args.outfile == "-":

     

       272
       -
       			debug("outfile is `-`, printing to stdout")

     

       273
       -
       			print(format_json(account))

     

       274
       -
       			return 0

     

       0
        
       
     

       275
        
       

     

       276
       -
       		# Sanity checks

     

       277
       -
       		try:

     

       278
       -
       			debug(f"attempting to read file: {args.outfile}")

     

       279
       -
       			with open(args.outfile) as f:

     

       280
       -
       				old_data = json.load(f)

     

       281
       -
       		except FileNotFoundError:

     

       282
       -
       			# that's okay, we might be able to create it later.

     

       283
       -
       			old_data = []

     

       284
       -
       		except PermissionError:

     

       285
       -
       			# that's not okay. we will need to access the file later anyways.

     

       286
       -
       			error("unable to read file due to a permission error.")

     

       287
       -
       			error("please make sure this script has read and write access to the file.")

     

       288
       -
       			print(format_json(account))

     

       289
       -
       			return 1

     

       290
       -
       		except json.JSONDecodeError:

     

       291
       -
       			error("could not parse the provided JSON file.")

     

       292
       -
       			if not prompt_bool("Do you want to overwrite the file?", default=None):

     

       293
       -
       				warn("Not overwriting file, printing to stdout instead.")

     

       294
        
       				print(format_json(account))

     

       295
        
       				return 1

     

       296
       -
       			debug('assuming old data is an empty array because we are overwriting')

     

       297
       -
       			old_data = []

     

       298
       -
       		if type(old_data) != list:

     

       299
       -
       			error("top-level object of the existing JSON file is not a list.")

     

       300
       -
       			error("due to the implementation, the file must be overwritten.")

     

       301
       -
       			if not (prompt_bool("Do you want to overwrite?", default=None)):

     

       302
       -
       				warn("Not overwriting existing data, printing to stdout instead.")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       303
        
       				print(format_json(account))

     

       304
        
       				return 1

     

       305
       -
       			debug("assuming old data is an empty array because we are overwriting")

     

       306
       -
       			old_data = []

     

       307
       -
       

     

       308
       -
       		old_data.append(account)

     

       0
        
       
     

       309
        
       

     

       310
       -
       		try:

     

       311
       -
       			debug("attempting to write file")

     

       312
       -
       			with open(args.outfile, 'w+') as f:

     

       313
       -
       				f.write(format_json(old_data))

     

       314
       -
       			success(f"successfully written to file {args.outfile}")

     

       315
       -
       			return 0

     

       316
       -
       		except PermissionError:

     

       317
       -
       			error("unable to write to file due to permission error.")

     

       318
       -
       			error("please make sure this script has write access to the file.")

     

       319
       -
       			print(format_json(account))

     

       320
       -
       			return 1

     

       321
       -
       		except Exception as e:

     

       322
       -
       			error("Unable to write to file due to an uncaught error:", e)

     

       323
       -
       			tb = ''.join(traceback.TracebackException.from_exception(e).format())

     

       324
       -
       			debug("exception stacktrace\n" + tb)

     

       325
       -
       			print(format_json(account))

     

       326
        
       

     

       327
       -
       	except Exception:

     

       328
       -
       		debug("resulting tasks =>", format_json(tasks), override=True)

     

       329
       -
       		error("an unhandled error occurred. the tasks object is printed to avoid losing otherwise successful data.")

     

       330
       -
       		error("please file a bug report and attach the traceback below.")

     

       331
       -
       		raise

     

       0
        
       
     

       332
        
       

     

       333
        
       	return 0

     

       334

···

       3
        
       # thank you!

     

       4
        
       import sys

     

       5
        
       import json

     

       6
       +
       import time

     

       7
       +
       import random

     

       8
        
       import typing

     

       9
        
       import traceback

     

       10
        
       from base64 import b64encode

     
···

       258
        
       	success(f'flow token => {flow_token}')

     

       259
        
       

     

       260
        
       	info('Fetching final account object...')

     

       261
       +
       	backoff_time = 0

     

       262
       +
       	exception = None

     

       263
       +
       	for attempt in range(0, 6):

     

       264
       +
       		debug(f"Attempt #{attempt + 1}")

     

       265
       +
       		tasks = send_req('post', TASKS_ENDPOINT, headers=request_headers, json=get_tasks_body(flow_token)).json()

     

       266
        
       		try:

     

       267
       +
       			try:

     

       268
       +
       				open_account_task = next(filter(lambda i: i.get('subtask_id') == "OpenAccount", tasks['subtasks']))

     

       269
       +
       				account = open_account_task['open_account']

     

       270
       +
       			except StopIteration as e:

     

       271
       +
       				backoff_time += random.randint(5000,10000) / 1000

     

       272
       +
       				exception = e

     

       273
       +
       				warn(f"attempt #{attempt + 1} failed to acquire token, retrying in {backoff_time}s.")

     

       274
       +
       				time.sleep(backoff_time)

     

       275
       +
       				continue

     

       276
        
       

     

       277
       +
       			info(f"Attempt #{attempt + 1} succeeded")

     

       278
       +
       			if args.outfile == "-":

     

       279
       +
       				debug("outfile is `-`, printing to stdout")

     

       280
       +
       				print(format_json(account))

     

       281
       +
       				return 0

     

       282
        
       

     

       283
       +
       			# Sanity checks

     

       284
       +
       			try:

     

       285
       +
       				debug(f"attempting to read file: {args.outfile}")

     

       286
       +
       				with open(args.outfile) as f:

     

       287
       +
       					old_data = json.load(f)

     

       288
       +
       			except FileNotFoundError:

     

       289
       +
       				# that's okay, we might be able to create it later.

     

       290
       +
       				old_data = []

     

       291
       +
       			except PermissionError:

     

       292
       +
       				# that's not okay. we will need to access the file later anyways.

     

       293
       +
       				error("unable to read file due to a permission error.")

     

       294
       +
       				error("please make sure this script has read and write access to the file.")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       295
        
       				print(format_json(account))

     

       296
        
       				return 1

     

       297
       +
       			except json.JSONDecodeError:

     

       298
       +
       				error("could not parse the provided JSON file.")

     

       299
       +
       				if not prompt_bool("Do you want to overwrite the file?", default=None):

     

       300
       +
       					warn("Not overwriting file, printing to stdout instead.")

     

       301
       +
       					print(format_json(account))

     

       302
       +
       					return 1

     

       303
       +
       				debug('assuming old data is an empty array because we are overwriting')

     

       304
       +
       				old_data = []

     

       305
       +
       			if type(old_data) != list:

     

       306
       +
       				error("top-level object of the existing JSON file is not a list.")

     

       307
       +
       				error("due to the implementation, the file must be overwritten.")

     

       308
       +
       				if not (prompt_bool("Do you want to overwrite?", default=None)):

     

       309
       +
       					warn("Not overwriting existing data, printing to stdout instead.")

     

       310
       +
       					print(format_json(account))

     

       311
       +
       					return 1

     

       312
       +
       				debug("assuming old data is an empty array because we are overwriting")

     

       313
       +
       				old_data = []

     

       314
       +
       

     

       315
       +
       			old_data.append(account)

     

       316
       +
       

     

       317
       +
       			try:

     

       318
       +
       				debug("attempting to write file")

     

       319
       +
       				with open(args.outfile, 'w+') as f:

     

       320
       +
       					f.write(format_json(old_data))

     

       321
       +
       				success(f"successfully written to file {args.outfile}")

     

       322
       +
       				return 0

     

       323
       +
       			except PermissionError:

     

       324
       +
       				error("unable to write to file due to permission error.")

     

       325
       +
       				error("please make sure this script has write access to the file.")

     

       326
        
       				print(format_json(account))

     

       327
        
       				return 1

     

       328
       +
       			except Exception as e:

     

       329
       +
       				error("Unable to write to file due to an uncaught error:", e)

     

       330
       +
       				tb = ''.join(traceback.TracebackException.from_exception(e).format())

     

       331
       +
       				debug("exception stacktrace\n" + tb)

     

       332
       +
       				print(format_json(account))

     

       333
        
       

     

       334
       +
       		except Exception:

     

       335
       +
       			debug("resulting tasks =>", format_json(tasks), override=True)

     

       336
       +
       			error("an unhandled error occurred. the tasks object is printed to avoid losing otherwise successful data.")

     

       337
       +
       			error("please file a bug report and attach the traceback below.")

     

       338
       +
       			raise

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       339
        
       

     

       340
       +
       	if exception != None:

     

       341
       +
       		debug("resulting tasks =>", format_json(tasks))

     

       342
       +
       		error("Unable to acquire guest account credentials with 5 attempts as it isn't present in any of the API responses.")

     

       343
       +
       		error("This might be because of a wide variety of reasons, but it most likely is due to your IP being rate-limited.")

     

       344
       +
       		error("Try again with a new IP address or in 24 hours after this attempt.")

     

       345
       +
       		return 1

     

       346
        
       

     

       347
        
       	return 0

     

       348

Compare changes