soopy.moe / gensokyo
nixos config
fork atom

Compare changes

Choose any two refs to compare.

options
unified split
Changed files
+719 -193
.git-crypt
.gitattributes
keys
default
0
7595B36DF6C2E95E10E528662932BA0FA3DDD7D6.gpg
.gitattributes
.github
workflows
update-lockfile.yaml
.sops.yaml
README.md
creds
sops
.gitattributes
koumakan.yaml
ssh
cassie
docs
utils.md
flake.lock
flake.nix
global
core.nix
overlays
default.nix
programs
misc.nix
nix.nix
system
default.nix
firmware.nix
utils.nix
justfile
overlays
default.nix
systems
koumakan
certificates
default.nix
fediverse.nix
configuration.nix
default.nix
networking
interface.nix
nma.cry
security
pam.nix
ykid.cry
services
attic.nix
databases
default.nix
postgresql.nix
redis.nix
default.nix
fediverse
akkoma.nix
default.nix
matrix
default.nix
synapse.nix
postgresql.nix
redis.nix
static-sites
keine.nix
utils
justfile
nitter-guest-account.py
-4
.git-crypt/.gitattributes 
···

       
1

       

       
-

       
# Do not edit this file.  To specify the files to encrypt, create your own


     

       
2

       

       
-

       
# .gitattributes file in the directory where your files are.


     

       
3

       

       
-

       
* !filter !diff


     

       
4

       

       
-

       
*.gpg binary
.git-crypt/keys/default/0/7595B36DF6C2E95E10E528662932BA0FA3DDD7D6.gpg

This is a binary file and will not be displayed.

-1
.gitattributes 
···

       
1

       

       
-

       
*.cry filter=git-crypt diff=git-crypt
+4
.github/workflows/update-lockfile.yaml 
···

       
1

       
1

       
 

       
name: "Update Flake Lockfile"


     

       
2

       
2

       
 

       



     

       

       
3

       
+

       
permissions:


     

       

       
4

       
+

       
  pull-requests: write


     

       

       
5

       
+

       
  contents: write


     

       

       
6

       
+

       



     

       
3

       
7

       
 

       
on:


     

       
4

       
8

       
 

       
  workflow_dispatch:


     

       
5

       
9

       
 

       
  schedule:
+23
.sops.yaml 
···

       

       
1

       
+

       
keys:


     

       

       
2

       
+

       
  # maintainers


     

       

       
3

       
+

       
  - &soopyc_mpxl7a age10rkyshu0lswdqyvun4cs9cekm9zt4fw5c8ssa38tn3lukgcahcvsltnqx2


     

       

       
4

       
+

       
  - &soopyc_pgp302 8F3B277901484C6EA7E63F82D539637D518022C6


     

       

       
5

       
+

       
  # - &soopyc_age302 age1yubikey1qgmfcf0vddslyza7djdekjjk3t3u29d474c5xscmcdye8x3spvhlxxj23xz


     

       

       
6

       
+

       
  # failed to parse input as Bech32-encoded age public key: malformed recipient "age1yubikey1qgmfcf0vddslyza7djdekjjk3t3u29d474c5xscmcdye8x3spvhlxxj23xz": invalid type "age1yubikey"


     

       

       
7

       
+

       



     

       

       
8

       
+

       
  # Hosts


     

       

       
9

       
+

       
  - &koumakan_ssh age18h7hya5terghrwawgpny28swlat2nqkdrfd4clk0svujqlz9xfusd3zeqt


     

       

       
10

       
+

       



     

       

       
11

       
+

       
default_group: &default_group


     

       

       
12

       
+

       
  pgp:


     

       

       
13

       
+

       
    - *soopyc_pgp302


     

       

       
14

       
+

       
  age:


     

       

       
15

       
+

       
    # - *soopyc_age302


     

       

       
16

       
+

       
    - *soopyc_mpxl7a


     

       

       
17

       
+

       



     

       

       
18

       
+

       
creation_rules:


     

       

       
19

       
+

       
  - path_regex: creds/sops/koumakan.yaml


     

       

       
20

       
+

       
    key_groups:


     

       

       
21

       
+

       
      - <<: *default_group


     

       

       
22

       
+

       
        age:


     

       

       
23

       
+

       
          - *koumakan_ssh
+2
README.md 
···

       

       
1

       
+

       
[![Check and Build configuration](https://github.com/soopyc/nix-on-koumakan/actions/workflows/build.yaml/badge.svg?branch=main)](https://github.com/soopyc/nix-on-koumakan/actions/workflows/build.yaml)


     

       

       
2

       
+

       



     

       
1

       
3

       
 

       
# Cow


     

       
2

       
4

       
 

       
![a yak on some grass](docs/quaritsch-photography-1_6rJHQ2Gmw-unsplash.jpg)


     

       
3

       
5
+3
creds/sops/.gitattributes 
···

       

       
1

       
+

       
# to use, make sure `sops` is in your path and run


     

       

       
2

       
+

       
#  git config diff.sopsdiff.textconv "sops -d"


     

       

       
3

       
+

       
*.yaml diff=sopsdiff
+68
creds/sops/koumakan.yaml 
···

       

       
1

       
+

       
comment_unencrypted: See https://github.com/Mic92/sops-nix/issues/120 for synapse.yaml quirks


     

       

       
2

       
+

       
synapse.yaml: ENC[AES256_GCM,data:eQsUW4mwbSPzsoi8HIEngfU5x/PEaqPxvx1AXXJJj7WDX9RsPtQOqQJjuTAEPtz32Hm1nob+VVYuzAXXfCO8Cd0CIHG+xlV4cWNc4JB8wj1YgtMJu9J3yC7iv3HMULT0TL8MxmwWYKqSPKIVarLVN5gQl1G1SAfxEK3ET6qtmkmCD8y6ZVM/84fTR5lxpLe82CaplbUHXEHKk51XwGYLSp5IZsPwtMMFhYuaoqCsEVr65IiSozbD4LKddYNQKUlYmkSfThQsoPpe9ixE7+HS11S+LklyP1q3usWTfOPsQS8k5NJdcGkrCH2A4ddjWkDBAzdav3qauYoQEvbMd8BpoDqD/67lKuvoyXqDoPf5sLrQcxcUl8ObTI1I8zWhabGa9uTuiaTd3wYdMhvMvs/KIfPXNDqcBuIY9sR6LQmY2Zb9+FtYiQVnrr0XmzjB59oN023y1xC/xqkgRyXysndhnj4P1Q+PYbOMQi7hwAjM5xMk/mLkpLn41Ju4u0MqDwHSxA/NXbsEBp/u3Tim2jsrMZqjRZwQHt1n/gtMjm2cMTminM99c/fV2fcvAmcNB9u1KWgEte1JjQSRftg7pkaznYlfrQLyCQYghVu3kgeAJCaSPMewHVWOF/onTauNHYFMlJ8VDUuYOnt2LNJUk1Wap5dGfKm7661mTeYB8aw0h3111YEViuGkSp+oM5A8X6CBI6YsYYOWq5Qd+A3fFJVpcf9hhhdx0JsRmR3EZOupIVx5Y4ruuA6ipj/xMDRNfTZjqukpn3Y1s5xTjUYEo3moLdgd1PYxAVIY/KjPn31pmRThGG1NZpYHZ1yjmptVydtqf/tTd32i3e0WjIjUEZD1NE7Z5AiWJ+XAEaE3S804C6QxN1jHZvqIokA9C4HO+R/es1uDyf2KDvxf1It0hMLg7CAnq1AQcbLCDqXXZaqibSRNfv09lO4jZ3vBe3owvd1wGbK513nqC6m2gh8YDYiHdw7UlXMbMP9+,iv:fvaZQ66VKU+uzvn5AwTIFgzz+F2kJ8/QR2AfmynRfGU=,tag:8c/cAMZ6c7h3J+shh7l7tw==,type:str]


     

       

       
3

       
+

       
matrix-signing-key: ENC[AES256_GCM,data:u6miE2oM3TUXaQ7wc776SwSMaOAxJOVlpl2kBW+AjI/aDH5vcGBp0L0uTpZbVfOtIe+RDNEv5E/mKA==,iv:abvwkrNe324QCbWLwiPY0UwqezS0wbyk2Fvi0vs3SI0=,tag:ZmpDB9LHbezQrxuwHNgpRg==,type:str]


     

       

       
4

       
+

       
akkoma:


     

       

       
5

       
+

       
    dist:


     

       

       
6

       
+

       
        cookie: ENC[AES256_GCM,data:5jpsa4KsOAoCMGAt9laK9ioVTJfuT9+viKva8wDWRnAimVY6jDoNr4+hxVty6yQAAfSJYA7ddTxaSCEjnJtneg==,iv:V8+MpX/IEc57zEfhNGX5f+eMyipraaXDKPDNDOy0Ieo=,tag:+xCy18Ni8F5wYkO/4NbSzw==,type:str]


     

       

       
7

       
+

       
    endpoint:


     

       

       
8

       
+

       
        secret_base: ENC[AES256_GCM,data:l34Rj4iIQIykgzTLJolqWLQQz5pcfa0o5U/ZMKeNc2CBQedxiMXYrLSNOx6OuV38aqoOolccJEOSiVjfbTawtg==,iv:/x0ydo2gOPrhIZI7at877bzfFgMpraauozfLq95aHCk=,tag:RQI4aeLiAkAcWYlwLaTj5w==,type:str]


     

       

       
9

       
+

       
        salt: ENC[AES256_GCM,data:CP4805tG05A=,iv:aSun7ABJdbDQrFcrGQMM9H1/7d5lJqeMwO08gUYrD2A=,tag:ikhxbijsqyBFJs02j2j/vw==,type:str]


     

       

       
10

       
+

       
        live_view:


     

       

       
11

       
+

       
            salt: ENC[AES256_GCM,data:4fKLclucoV0=,iv:ZvWKutuMTOm2X8w8a0fOTq+ldrXemayIUY2PUcurY80=,tag:qkIB1gPCI5HO0G0mLEsV+w==,type:str]


     

       

       
12

       
+

       
    joken_default_signer: ENC[AES256_GCM,data:myCEFUkf8s1YNQAigjxygRYvbwkpsv7cqgs00fARe9nxSFl2wveWM5JcfOnoVPwVBVV2GaAjFe4oMWXkaTPtqg==,iv:Yk1f/fzzbruW64mvTTeiyTlbrOO/G47CKKfr9BLtQ5g=,tag:QLpM22ec+VWtkjx5U/mzCw==,type:str]


     

       

       
13

       
+

       
    search:


     

       

       
14

       
+

       
        meili:


     

       

       
15

       
+

       
            host_unencrypted: https://megumin.soopy.moe/


     

       

       
16

       
+

       
            key: ENC[AES256_GCM,data:00TLCUneHn7NcSK1joURfIzxNFWyOBf/0/fceOn4RMcMt59dZz9LOvbs3F8B0vcH7tf/eUi3SnhYJNyRdPklyw==,iv:t0kQUCmjhFw8Z2CTmYOPUNFvyiYfsXETU8GSxhRR5KE=,tag:CPjtd7jQzgHJDrsIjHlVFQ==,type:str]


     

       

       
17

       
+

       
    vapid:


     

       

       
18

       
+

       
        pub: ENC[AES256_GCM,data:HYMKjhVCW/7DsMfPPssEduuwWnFezH4OOq4hfAovI82RUPsfVEKhgvkI9INY8hArAb/AIfyyxZhVx+bd2QkPlnASz51L7MxPtkPfZNUKqafjlMmK0nwH,iv:154BP5EmBqnKyf9BND2laKV3caVxa34MCRzrsg6/dik=,tag:wHLYdI6oQXPUzbw8dSxgwg==,type:str]


     

       

       
19

       
+

       
        key: ENC[AES256_GCM,data:t+da4NLEPZBMvq3MQkFEr+Fsj3XMGPMFKUWwbHDWNJAyuUZuiVcn3zX0kw==,iv:yQLu5CFl73GCojMBa2II6OhLrNNinsiVG1aPOAx+HtM=,tag:n0oelXaNFvilyee+MRSB8A==,type:str]


     

       

       
20

       
+

       
    postgres:


     

       

       
21

       
+

       
        hostname: ENC[AES256_GCM,data:rFEnhnn/Bw85,iv:GM2SH4Gkvt8tLG8AYIKxfHTZvB1sT+hgIoqkiViH6Es=,tag:yyGY9/nS9WFcJTGXlYpz6Q==,type:str]


     

       

       
22

       
+

       
        database_unencrypted: akkoma


     

       

       
23

       
+

       
        username: ENC[AES256_GCM,data:6skzOqv1,iv:OQ6zNmDn0uqKqNKEqOHWY6VBuT/4/CHog7b0Pf0TAPM=,tag:8HLmGykXg2V4t4RHzB8yaA==,type:str]


     

       

       
24

       
+

       
        password: ENC[AES256_GCM,data:J3OewVKr2A3TlT7ZUTk7tQr4olFs7bKx47Lus4LGbwGAZfNEmyk9coFTeQ8L/EJ0hpLfPfD1OcGBc+p0ZWK/XQ==,iv:UFe/3H/AfTgSlJikHqE1IED3zINjDuOs5niXpGWXGYE=,tag:MvT0z3TMs1dehg4gp54MyQ==,type:str]


     

       

       
25

       
+

       
    smtp:


     

       

       
26

       
+

       
        username: ENC[AES256_GCM,data:N7XbQkngWcUGzn/SR4AXCQ==,iv:wBXWtRYawOkjumsvTPcKfvL95CCB+RbsEyJv0YUG3WA=,tag:vGQREe+Cv0ITTxszl21J2g==,type:str]


     

       

       
27

       
+

       
        password: ENC[AES256_GCM,data:oU/aWkVmDU8WJhmwqOcXJ/EngiF7hvfUzPwpdjwkyh7Dw50dyG5AY7b2+hh6LIv9RZrN4yU+fXPAYr1W21OG/A==,iv:ds8Bg9JSJdNHUXh0FvD5a4pquyRnIXowcsJcVV1TyB4=,tag:JoYqas2RGSv8xyvJT9wHAQ==,type:str]


     

       

       
28

       
+

       
        relay: ENC[AES256_GCM,data:F2NnRLSTO5kmbWy4fx0=,iv:omnyn+Xa/cjqK+9l5bI573aR2p7UsUvqGX5ZQGf3CD0=,tag:t4u/jLQ1nZchyxf3WrhW6w==,type:str]


     

       

       
29

       
+

       
sops:


     

       

       
30

       
+

       
    kms: []


     

       

       
31

       
+

       
    gcp_kms: []


     

       

       
32

       
+

       
    azure_kv: []


     

       

       
33

       
+

       
    hc_vault: []


     

       

       
34

       
+

       
    age:


     

       

       
35

       
+

       
        - recipient: age10rkyshu0lswdqyvun4cs9cekm9zt4fw5c8ssa38tn3lukgcahcvsltnqx2


     

       

       
36

       
+

       
          enc: |


     

       

       
37

       
+

       
            -----BEGIN AGE ENCRYPTED FILE-----


     

       

       
38

       
+

       
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYMFBMZHdrR2ZMaEErZVlE


     

       

       
39

       
+

       
            RmRZNnoxRVpVSDc5Rlg3MmhiVkxnK1NkNmljCjBsNE5oejcyOTRJRVVvdzJsMmw3


     

       

       
40

       
+

       
            SGdyaUM1T0JvN3lDQjd4V054MWc1UjQKLS0tIDVvSndXZ29KSC8yUW5SRjdIcEZL


     

       

       
41

       
+

       
            WkFkK1hsdzRnMmRBdDI0dWU3a1hBOEUKf+pJ6PAH1tPLXG14ghG4gxHpVN4D6TU1


     

       

       
42

       
+

       
            GHCvsS5qNW8Cjis/Ubb3PHJfFiN4quN3rLaM/Ivkl5G1gzf9cGSDyQ==


     

       

       
43

       
+

       
            -----END AGE ENCRYPTED FILE-----


     

       

       
44

       
+

       
        - recipient: age18h7hya5terghrwawgpny28swlat2nqkdrfd4clk0svujqlz9xfusd3zeqt


     

       

       
45

       
+

       
          enc: |


     

       

       
46

       
+

       
            -----BEGIN AGE ENCRYPTED FILE-----


     

       

       
47

       
+

       
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbVhFQXJ5ZWVVZTJocmpn


     

       

       
48

       
+

       
            Q1VFc01mcnZLRGtqQVF0VjB3RU1DL0phaFVVCkFmU2w3WlhuTDFHYnF5VC9TM0xz


     

       

       
49

       
+

       
            VGdSSVpVbkN1Tlh4WnQxdHJkQU42dGMKLS0tIFVnVERoQWk1N1dmdWk0KzA0R1ZG


     

       

       
50

       
+

       
            cHJ5aWIrQ2Zrb1dhbC9yZ1lIMU1jbzgK4mx+S5bF6KBMe6+TrSZfaBcuWEg9cHyd


     

       

       
51

       
+

       
            tbJty1zxS9pndA/u3qz5EJxDouiAODvyAR07yeegtEcbw1FlG6W/gA==


     

       

       
52

       
+

       
            -----END AGE ENCRYPTED FILE-----


     

       

       
53

       
+

       
    lastmodified: "2023-09-14T17:13:38Z"


     

       

       
54

       
+

       
    mac: ENC[AES256_GCM,data:Jyx0f+w9fJ+B1lz4jVVkcKxd1xUh3FzxDhk+KaxJLVh0BG/1d8Nx0/cOnxZV1FfJkn5Z2wYiLzBPSvJKe8MjlExOSH1mIAnuXcSP6dvXp21bgX17CXM6OP91Ny6IvwSZriqs6EIpWOkZNdxsEnySwtECoQfgs09ZnA4qmbtb01U=,iv:XHnY20d0WsnaECF1/68eu2/xcGLGeGnzba+/kBxDcc0=,tag:alo+8B2fVHon0lHGsQSUyQ==,type:str]


     

       

       
55

       
+

       
    pgp:


     

       

       
56

       
+

       
        - created_at: "2023-09-08T14:11:19Z"


     

       

       
57

       
+

       
          enc: |-


     

       

       
58

       
+

       
            -----BEGIN PGP MESSAGE-----


     

       

       
59

       
+

       



     

       

       
60

       
+

       
            wV4DAxCcDC4ukRQSAQdA6IXTpPTgsoAuUSW0NqFw4MpqX4j3Wt9IqcGbrDobZGIw


     

       

       
61

       
+

       
            FFZDSKuMgO7ADZCFoADJ9OWOQBUyE3htwkXWjT/NQdBbVX3nuANbsfRfTdPN5NJt


     

       

       
62

       
+

       
            0lEB30Vck2fEXQsIGrIeg3pPRBl3U/z7F35tw+79EFZ5yOrAsOzSn3wzNA549/T7


     

       

       
63

       
+

       
            dEVnej/86D4ZxtMqMjVB2NjsXrphqd7ENozlljMM6QKkjtg=


     

       

       
64

       
+

       
            =juKF


     

       

       
65

       
+

       
            -----END PGP MESSAGE-----


     

       

       
66

       
+

       
          fp: 8F3B277901484C6EA7E63F82D539637D518022C6


     

       

       
67

       
+

       
    unencrypted_suffix: _unencrypted


     

       

       
68

       
+

       
    version: 3.7.3
+2 -1
creds/ssh/cassie 
···

       

       
1

       
+

       
# If I had an option, I would not use ecdsa keys.


     

       
1

       
2

       
 

       
# SmartCards


     

       
2

       
3

       
 

       
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvCpt7yWIptJ9XFBhwVIj9zR30OzkWI976B/P5+0whD cardno:13 901 056


     

       
3

       

       
-

       
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvCpt7yWIptJ9XFBhwVIj9zR30OzkWI976B/P5+0whD cardno:19 302 295


     

       

       
4

       
+

       
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJxpXpPlPEZPfnw2mIuWJEy/C/5h1bb6pIMeFsHAICQ+lLdEkbBSeDXQuA8feLN0MJw8KaB9jqrJbYgFadV/nVA= YubiKey #19302295 PIV Slot 9a


     

       
4

       
5

       
 

       
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMjRM3BNkLbU57RyfUx7kOlZeBEj/NByr1PfXri82aP cardno:19 302 432


     

       
5

       
6

       
 

       



     

       
6

       
7

       
 

       
# Static devices
+42 -2
docs/utils.md 
···

       
1

       
1

       
 

       
# utility functions


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
## `_utils.mkVhost`


     

       
4

       

       
-

       
make virtual host with sensible defaults


     

       

       
4

       
+

       
`attrset -> attrset`


     

       

       
5

       
+

       
make a virtual host with sensible defaults


     

       
5

       
6

       
 

       



     

       
6

       
7

       
 

       
pass in a set to override the defaults.


     

       
7

       
8

       
 

       



     

       

       
9

       
+

       
### Example


     

       

       
10

       
+

       
```nix


     

       

       
11

       
+

       
services.nginx.virtualHosts."balls.example" = _utils.mkVhost {};


     

       

       
12

       
+

       
```


     

       

       
13

       
+

       



     

       
8

       
14

       
 

       
## `_utils.mkSimpleProxy`


     

       

       
15

       
+

       
`attrset -> attrset`


     

       

       
16

       
+

       



     

       
9

       
17

       
 

       
make a simple reverse proxy


     

       
10

       
18

       
 

       



     

       
11

       
19

       
 

       
takes a set:


     
···

       
14

       
22

       
 

       
  port,


     

       
15

       
23

       
 

       
  protocol ? "http",


     

       
16

       
24

       
 

       
  location ? "/",


     

       
17

       

       
-

       
  websockets ? false


     

       

       
25

       
+

       
  websockets ? false,


     

       

       
26

       
+

       
  extraConfig ? {}


     

       
18

       
27

       
 

       
}


     

       
19

       
28

       
 

       
```


     

       

       
29

       
+

       



     

       

       
30

       
+

       
It is recommended to override/add attributes with `extraConfig` to


     

       

       
31

       
+

       
preserve defaults.


     

       

       
32

       
+

       



     

       

       
33

       
+

       
Items in `extraConfig` are merged verbatim to the base attrset with defaults.


     

       

       
34

       
+

       
They are overridden based on their order.


     

       

       
35

       
+

       



     

       

       
36

       
+

       
## `_utils.genSecrets`


     

       

       
37

       
+

       
`namespace[str] -> files[list[str]] -> value[attrset] -> attrset`


     

       

       
38

       
+

       
a


     

       

       
39

       
+

       
generate an attrset to be passed into sops.secrets.


     

       

       
40

       
+

       



     

       

       
41

       
+

       
### Example


     

       

       
42

       
+

       
```nix


     

       

       
43

       
+

       
{ _utils, ... }:


     

       

       
44

       
+

       
let


     

       

       
45

       
+

       
  secrets = [


     

       

       
46

       
+

       
    "secure_secret"


     

       

       
47

       
+

       
    # this is a directory structure, so secrets will be stored as a file in /run/secrets/service/test/secret.


     

       

       
48

       
+

       
    "service/test/secret"


     

       

       
49

       
+

       
  ];


     

       

       
50

       
+

       
in {


     

       

       
51

       
+

       
  sops.secrets = _utils.genSecrets "" secrets {}; # it's recommended to use a namespace, but having none is still fine.


     

       

       
52

       
+

       
  # -> sops.secrets."secure_secret" = {};


     

       

       
53

       
+

       
  #    sops.secrets."service/test/secret" = {};


     

       

       
54

       
+

       
  sops.secrets = _utils.genSecrets "balls" ["balls_secret"] {owner = "balls"};


     

       

       
55

       
+

       
  # -> sops.secrets."balls/balls_secret" = {owner = "balls";};


     

       

       
56

       
+

       
}


     

       

       
57

       
+

       
```


     

       

       
58

       
+

       



     

       

       
59

       
+

       
See https://github.com/soopyc/nix-on-koumakan/blob/b7983776143c15c91df69ef34ba4264a22047ec6/systems/koumakan/services/fedivese/akkoma.nix#L8-L34 for a more extensive example
+45 -7
flake.lock 
···

       
267

       
267

       
 

       
        ]


     

       
268

       
268

       
 

       
      },


     

       
269

       
269

       
 

       
      "locked": {


     

       
270

       

       
-

       
        "lastModified": 1693755599,


     

       
271

       

       
-

       
        "narHash": "sha256-lNpiE6L0b1SKGTwQES8NNZErV6/rVMVgknpL8l3fv54=",


     

       

       
270

       
+

       
        "lastModified": 1694357290,


     

       

       
271

       
+

       
        "narHash": "sha256-Mai5saiiuBWlQzTreLtIeUJQJN9zMH/UBIKJPOqnasM=",


     

       
272

       
272

       
 

       
        "owner": "soopyc",


     

       
273

       
273

       
 

       
        "repo": "mystia",


     

       
274

       

       
-

       
        "rev": "1c6c686d0d2e7504fc492b3649a303bb1448b625",


     

       

       
274

       
+

       
        "rev": "cfe783698ccd18cb27fb2e422917f14b82f7afc4",


     

       
275

       
275

       
 

       
        "type": "github"


     

       
276

       
276

       
 

       
      },


     

       
277

       
277

       
 

       
      "original": {


     
···

       
282

       
282

       
 

       
    },


     

       
283

       
283

       
 

       
    "nixpkgs": {


     

       
284

       
284

       
 

       
      "locked": {


     

       
285

       

       
-

       
        "lastModified": 1693755661,


     

       
286

       

       
-

       
        "narHash": "sha256-rnAlLZJsk5z0GAJy+ebNSN9KHiAzE3Q46j2zicZ1dxw=",


     

       

       
285

       
+

       
        "lastModified": 1694237756,


     

       

       
286

       
+

       
        "narHash": "sha256-8T29BDnqRexwVy3jhEzIH9r7ROiF9I6ESVD0QLC6VXk=",


     

       
287

       
287

       
 

       
        "owner": "NixOS",


     

       
288

       
288

       
 

       
        "repo": "nixpkgs",


     

       
289

       

       
-

       
        "rev": "5f16b90e986bc5ae0c0fdaf1ccdbe100bdce6008",


     

       

       
289

       
+

       
        "rev": "1a5bda2b28ea75a96dda2c349fe6d5e7864950ee",


     

       
290

       
290

       
 

       
        "type": "github"


     

       
291

       
291

       
 

       
      },


     

       
292

       
292

       
 

       
      "original": {


     
···

       
327

       
327

       
 

       
        "type": "github"


     

       
328

       
328

       
 

       
      }


     

       
329

       
329

       
 

       
    },


     

       

       
330

       
+

       
    "nixpkgs-stable_3": {


     

       

       
331

       
+

       
      "locked": {


     

       

       
332

       
+

       
        "lastModified": 1693675694,


     

       

       
333

       
+

       
        "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",


     

       

       
334

       
+

       
        "owner": "NixOS",


     

       

       
335

       
+

       
        "repo": "nixpkgs",


     

       

       
336

       
+

       
        "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",


     

       

       
337

       
+

       
        "type": "github"


     

       

       
338

       
+

       
      },


     

       

       
339

       
+

       
      "original": {


     

       

       
340

       
+

       
        "owner": "NixOS",


     

       

       
341

       
+

       
        "ref": "release-23.05",


     

       

       
342

       
+

       
        "repo": "nixpkgs",


     

       

       
343

       
+

       
        "type": "github"


     

       

       
344

       
+

       
      }


     

       

       
345

       
+

       
    },


     

       
330

       
346

       
 

       
    "pre-commit-hooks-nix": {


     

       
331

       
347

       
 

       
      "inputs": {


     

       
332

       
348

       
 

       
        "flake-compat": [


     
···

       
364

       
380

       
 

       
        "home-manager": "home-manager",


     

       
365

       
381

       
 

       
        "lanzaboote": "lanzaboote",


     

       
366

       
382

       
 

       
        "mystia": "mystia",


     

       
367

       

       
-

       
        "nixpkgs": "nixpkgs"


     

       

       
383

       
+

       
        "nixpkgs": "nixpkgs",


     

       

       
384

       
+

       
        "sops-nix": "sops-nix"


     

       
368

       
385

       
 

       
      }


     

       
369

       
386

       
 

       
    },


     

       
370

       
387

       
 

       
    "rust-overlay": {


     
···

       
416

       
433

       
 

       
      "original": {


     

       
417

       
434

       
 

       
        "owner": "oxalica",


     

       
418

       
435

       
 

       
        "repo": "rust-overlay",


     

       

       
436

       
+

       
        "type": "github"


     

       

       
437

       
+

       
      }


     

       

       
438

       
+

       
    },


     

       

       
439

       
+

       
    "sops-nix": {


     

       

       
440

       
+

       
      "inputs": {


     

       

       
441

       
+

       
        "nixpkgs": [


     

       

       
442

       
+

       
          "nixpkgs"


     

       

       
443

       
+

       
        ],


     

       

       
444

       
+

       
        "nixpkgs-stable": "nixpkgs-stable_3"


     

       

       
445

       
+

       
      },


     

       

       
446

       
+

       
      "locked": {


     

       

       
447

       
+

       
        "lastModified": 1693898833,


     

       

       
448

       
+

       
        "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",


     

       

       
449

       
+

       
        "owner": "Mic92",


     

       

       
450

       
+

       
        "repo": "sops-nix",


     

       

       
451

       
+

       
        "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",


     

       

       
452

       
+

       
        "type": "github"


     

       

       
453

       
+

       
      },


     

       

       
454

       
+

       
      "original": {


     

       

       
455

       
+

       
        "owner": "Mic92",


     

       

       
456

       
+

       
        "repo": "sops-nix",


     

       
419

       
457

       
 

       
        "type": "github"


     

       
420

       
458

       
 

       
      }


     

       
421

       
459

       
 

       
    },
+8 -2
flake.nix 
···

       
32

       
32

       
 

       
      url = "github:zhaofengli/attic";


     

       
33

       
33

       
 

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
34

       
34

       
 

       
    };


     

       

       
35

       
+

       



     

       

       
36

       
+

       
    sops-nix = {


     

       

       
37

       
+

       
      url = "github:Mic92/sops-nix";


     

       

       
38

       
+

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       

       
39

       
+

       
    };


     

       

       
40

       
+

       



     

       
35

       
41

       
 

       
    mystia = {


     

       
36

       
42

       
 

       
      url = "github:soopyc/mystia";


     

       
37

       
43

       
 

       
      inputs.nixpkgs.follows = "nixpkgs";


     
···

       
43

       
49

       
 

       
    home-manager,


     

       
44

       
50

       
 

       
    ...


     

       
45

       
51

       
 

       
  } @ inputs: let


     

       
46

       

       
-

       
    _utils = import ./global/utils.nix {};


     

       

       
52

       
+

       
    utils = import ./global/utils.nix;


     

       
47

       
53

       
 

       
    lib = nixpkgs.lib;


     

       
48

       
54

       
 

       



     

       
49

       
55

       
 

       
    systems = [


     
···

       
55

       
61

       
 

       
    forAllSystems = fn: lib.genAttrs systems (s: fn nixpkgs.legacyPackages.${s});


     

       
56

       
62

       
 

       
  in {


     

       
57

       
63

       
 

       
    nixosConfigurations = {


     

       
58

       

       
-

       
      koumakan = import ./systems/koumakan {inherit _utils lib inputs;};


     

       

       
64

       
+

       
      koumakan = import ./systems/koumakan {inherit utils lib inputs;};


     

       
59

       
65

       
 

       
    };


     

       
60

       
66

       
 

       



     

       
61

       
67

       
 

       
    devShells = forAllSystems (pkgs: {
+2 -7
global/core.nix 
···

       
1

       
1

       
 

       
{pkgs, ...}: {


     

       
2

       
2

       
 

       
  imports = [


     

       
3

       
3

       
 

       
    ./upgrade-diff.nix


     

       

       
4

       
+

       
    ./system


     

       
4

       
5

       
 

       
  ];


     

       
5

       
6

       
 

       
  # Set default i18n configuration


     

       
6

       
7

       
 

       
  i18n.defaultLocale = "en_US.UTF-8";


     
···

       
9

       
10

       
 

       
    keyMap = "us";


     

       
10

       
11

       
 

       
  };


     

       
11

       
12

       
 

       



     

       
12

       

       
-

       
  hardware.enableRedistributableFirmware = true;


     

       
13

       

       
-

       



     

       
14

       

       
-

       
  # # Enable crash dumps globally


     

       
15

       

       
-

       
  # boot.crashDump = {


     

       
16

       

       
-

       
  #   enable = true;


     

       
17

       

       
-

       
  #   reservedMemory = "128M";


     

       
18

       

       
-

       
  # };


     

       

       
13

       
+

       
  time.timeZone = "Asia/Hong_Kong";


     

       
19

       
14

       
 

       



     

       
20

       
15

       
 

       
  # Lock root account


     

       
21

       
16

       
 

       
  users.users.root.shell = pkgs.shadow; # basically /bin/nologin
+5
global/overlays/default.nix 
···

       

       
1

       
+

       
inputs:


     

       

       
2

       
+

       
with inputs; [


     

       

       
3

       
+

       
  mystia.overlays.default


     

       

       
4

       
+

       
  attic.overlays.default


     

       

       
5

       
+

       
]
+1
global/programs/misc.nix 
···

       
17

       
17

       
 

       
    nvd


     

       
18

       
18

       
 

       
    just


     

       
19

       
19

       
 

       



     

       

       
20

       
+

       
    attic


     

       
20

       
21

       
 

       
    git-crypt


     

       
21

       
22

       
 

       
  ];


     

       
22

       
23
+1
global/programs/nix.nix 
···

       
5

       
5

       
 

       
    experimental-features = [


     

       
6

       
6

       
 

       
      "nix-command"


     

       
7

       
7

       
 

       
      "flakes"


     

       

       
8

       
+

       
      "repl-flake"


     

       
8

       
9

       
 

       
    ];


     

       
9

       
10

       
 

       



     

       
10

       
11

       
 

       
    substituters = [
+5
global/system/default.nix 
···

       

       
1

       
+

       
{...}: {


     

       

       
2

       
+

       
  imports = [


     

       

       
3

       
+

       
    ./firmware.nix


     

       

       
4

       
+

       
  ];


     

       

       
5

       
+

       
}
+4
global/system/firmware.nix 
···

       

       
1

       
+

       
{...}: {


     

       

       
2

       
+

       
  hardware.enableRedistributableFirmware = true;


     

       

       
3

       
+

       
  services.fwupd.enable = true;


     

       

       
4

       
+

       
}
+39 -18
global/utils.nix 
···

       
1

       
1

       
 

       
# see /docs/utils.md for a usage guide


     

       
2

       

       
-

       
{...}:


     

       
3

       

       
-

       
# let


     

       
4

       

       
-

       
#   lib = pkgs.lib;


     

       
5

       

       
-

       
# in


     

       
6

       

       
-

       
rec {


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  inputs,


     

       

       
4

       
+

       
  system,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}: let


     

       

       
7

       
+

       
  lib = inputs.nixpkgs.lib;


     

       

       
8

       
+

       
in rec {


     

       
7

       
9

       
 

       
  mkVhost = opts:


     

       
8

       

       
-

       
    {


     

       
9

       

       
-

       
      # ideally mkOverride/mkDefault would be used, but i have 0 idea how it works.


     

       
10

       

       
-

       
      forceSSL = true;


     

       
11

       

       
-

       
      useACMEHost = "global.c.soopy.moe";


     

       
12

       

       
-

       
      kTLS = true;


     

       
13

       

       
-

       
    }


     

       
14

       

       
-

       
    // opts;


     

       

       
10

       
+

       
    lib.mkMerge [


     

       

       
11

       
+

       
      {


     

       

       
12

       
+

       
        forceSSL = lib.mkDefault true;


     

       

       
13

       
+

       
        useACMEHost = lib.mkDefault "global.c.soopy.moe";


     

       

       
14

       
+

       
        kTLS = lib.mkDefault true;


     

       

       
15

       
+

       



     

       

       
16

       
+

       
        locations."/_cgi/error/" = {


     

       

       
17

       
+

       
          alias = "${inputs.mystia.packages.${system}.staticly}/nginx_error_pages/";


     

       

       
18

       
+

       
        };


     

       

       
19

       
+

       
        extraConfig = ''


     

       

       
20

       
+

       
          error_page 503 /_cgi/error/503.html;


     

       

       
21

       
+

       
          error_page 502 /_cgi/error/502.html;


     

       

       
22

       
+

       
          error_page 404 /_cgi/error/404.html;


     

       

       
23

       
+

       
        '';


     

       

       
24

       
+

       
      }


     

       

       
25

       
+

       
      opts


     

       

       
26

       
+

       
    ];


     

       
15

       
27

       
 

       



     

       
16

       
28

       
 

       
  mkSimpleProxy = {


     

       
17

       
29

       
 

       
    port,


     

       
18

       
30

       
 

       
    protocol ? "http",


     

       
19

       
31

       
 

       
    location ? "/",


     

       
20

       
32

       
 

       
    websockets ? false,


     

       

       
33

       
+

       
    extraConfig ? {},


     

       
21

       
34

       
 

       
  }:


     

       
22

       

       
-

       
    mkVhost {


     

       
23

       

       
-

       
      locations."${location}" = {


     

       
24

       

       
-

       
        proxyPass = "${protocol}://localhost:${toString port}";


     

       
25

       

       
-

       
        proxyWebsockets = websockets;


     

       
26

       

       
-

       
      };


     

       
27

       

       
-

       
    };


     

       

       
35

       
+

       
    mkVhost (lib.mkMerge [


     

       

       
36

       
+

       
      extraConfig


     

       

       
37

       
+

       
      {


     

       

       
38

       
+

       
        locations."${location}" = {


     

       

       
39

       
+

       
          proxyPass = "${protocol}://localhost:${toString port}";


     

       

       
40

       
+

       
          proxyWebsockets = websockets;


     

       

       
41

       
+

       
        };


     

       

       
42

       
+

       
      }


     

       

       
43

       
+

       
    ]);


     

       

       
44

       
+

       



     

       

       
45

       
+

       
  genSecrets = namespace: files: value:


     

       

       
46

       
+

       
    lib.genAttrs (


     

       

       
47

       
+

       
      map (x: namespace + lib.optionalString (lib.stringLength namespace != 0) "/" + x) files


     

       

       
48

       
+

       
    ) (_: value);


     

       
28

       
49

       
 

       
}
+11 -4
justfile 
···

       
1

       
1

       
 

       
# friendship ended with Makefile


     

       
2

       
2

       
 

       
# I LOVE justFILE!!!!!!


     

       
3

       
3

       
 

       



     

       
4

       

       
-

       
default: build


     

       

       
4

       
+

       
# build the current configuration


     

       

       
5

       
+

       
build:


     

       

       
6

       
+

       
	nixos-rebuild build --flake .#


     

       
5

       
7

       
 

       



     

       

       
8

       
+

       
# build and test the configuration, but don't switch


     

       
6

       
9

       
 

       
test:


     

       
7

       
10

       
 

       
	nixos-rebuild test --flake .#


     

       
8

       
11

       
 

       



     

       
9

       

       
-

       
build:


     

       
10

       

       
-

       
	nixos-rebuild build --flake .#


     

       
11

       

       
-

       



     

       

       
12

       
+

       
# switch to the current configuration


     

       
12

       
13

       
 

       
switch:


     

       
13

       
14

       
 

       
	nixos-rebuild switch --flake .#


     

       
14

       
15

       
 

       



     

       

       
16

       
+

       
# run utility programs


     

       
15

       
17

       
 

       
utils recipe="list":


     

       
16

       
18

       
 

       
  @echo "Running utils/{{recipe}}"


     

       
17

       
19

       
 

       
  @cd utils && just {{recipe}}


     

       
18

       
20

       
 

       



     

       

       
21

       
+

       
# update an input in the flake lockfile


     

       

       
22

       
+

       
update-input input:


     

       

       
23

       
+

       
  nix flake lock --update-input {{input}}


     

       

       
24

       
+

       



     

       

       
25

       
+

       
# build the flake on a non-nixos platform


     

       
19

       
26

       
 

       
ebuild system:


     

       
20

       
27

       
 

       
  nix build -j8 .#nixosConfigurations."{{system}}".config.system.build.toplevel
-1
overlays/default.nix 
···

       
1

       

       
-

       
[]
+1
systems/koumakan/certificates/default.nix 
···

       
2

       
2

       
 

       
  imports = [


     

       
3

       
3

       
 

       
    ./global.nix


     

       
4

       
4

       
 

       
    ./postgresql.nix


     

       

       
5

       
+

       
    ./fediverse.nix


     

       
5

       
6

       
 

       
  ];


     

       
6

       
7

       
 

       



     

       
7

       
8

       
 

       
  security.acme = {
+11
systems/koumakan/certificates/fediverse.nix 
···

       

       
1

       
+

       
{...}: {


     

       

       
2

       
+

       
  # Certificate for fedi services


     

       

       
3

       
+

       
  security.acme.certs."fedi.c.soopy.moe" = {


     

       

       
4

       
+

       
    group = "nginx";


     

       

       
5

       
+

       
    extraDomainNames = [


     

       

       
6

       
+

       
      "a.soopy.moe"


     

       

       
7

       
+

       
      "m.soopy.moe"


     

       

       
8

       
+

       
      "pixie.soopy.moe"


     

       

       
9

       
+

       
    ];


     

       

       
10

       
+

       
  };


     

       

       
11

       
+

       
}
+15 -24
systems/koumakan/configuration.nix 
···

       
1

       

       
-

       
# Edit this configuration file to define what should be installed on


     

       
2

       

       
-

       
# your system.  Help is available in the configuration.nix(5) man page


     

       
3

       

       
-

       
# and in the NixOS manual (accessible by running `nixos-help`).


     

       
4

       
1

       
 

       
{inputs, ...}: {


     

       
5

       
2

       
 

       
  imports = [


     

       
6

       
3

       
 

       
    # Include the results of the hardware scan.


     
···

       
15

       
12

       
 

       
    ./services


     

       
16

       
13

       
 

       
  ];


     

       
17

       
14

       
 

       



     

       
18

       

       
-

       
  nixpkgs.overlays =


     

       
19

       

       
-

       
    import ../../overlays


     

       
20

       

       
-

       
    ++ (with inputs; [


     

       
21

       

       
-

       
      mystia.overlays.default


     

       
22

       

       
-

       
      attic.overlays.default


     

       
23

       

       
-

       
    ]);


     

       

       
15

       
+

       
  nixpkgs.overlays = import ../../global/overlays inputs;


     

       
24

       
16

       
 

       



     

       
25

       

       
-

       
  boot.loader.efi = {


     

       
26

       

       
-

       
    canTouchEfiVariables = true;


     

       
27

       

       
-

       
    efiSysMountPoint = "/boot/efi";


     

       
28

       

       
-

       
  };


     

       
29

       

       
-

       



     

       
30

       

       
-

       
  boot.loader.systemd-boot = {


     

       
31

       

       
-

       
    enable = true;


     

       
32

       

       
-

       
    graceful = true;


     

       
33

       

       
-

       
    netbootxyz.enable = true;


     

       

       
17

       
+

       
  boot.loader = {


     

       

       
18

       
+

       
    efi = {


     

       

       
19

       
+

       
      canTouchEfiVariables = true;


     

       

       
20

       
+

       
      efiSysMountPoint = "/boot/efi";


     

       

       
21

       
+

       
    };


     

       

       
22

       
+

       
    systemd-boot = {


     

       

       
23

       
+

       
      enable = true;


     

       

       
24

       
+

       
      graceful = true;


     

       

       
25

       
+

       
      netbootxyz.enable = true;


     

       

       
26

       
+

       
    };


     

       

       
27

       
+

       
    grub.enable = false;


     

       
34

       
28

       
 

       
  };


     

       
35

       
29

       
 

       



     

       
36

       

       
-

       
  boot.loader.grub = {


     

       
37

       

       
-

       
    enable = false;


     

       
38

       

       
-

       
  };


     

       
39

       

       
-

       



     

       
40

       

       
-

       
  time.timeZone = "Asia/Hong_Kong";


     

       
41

       

       
-

       



     

       
42

       
30

       
 

       
  # Define a user account. Don't forget to set a password with โ€˜passwdโ€™.


     

       
43

       
31

       
 

       
  users.users.cassie = {


     

       
44

       
32

       
 

       
    isNormalUser = true;


     
···

       
48

       
36

       
 

       
    };


     

       
49

       
37

       
 

       
    # packages = with pkgs; [];


     

       
50

       
38

       
 

       
  };


     

       

       
39

       
+

       



     

       

       
40

       
+

       
  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];


     

       

       
41

       
+

       
  sops.defaultSopsFile = ../../creds/sops/koumakan.yaml;


     

       
51

       
42

       
 

       



     

       
52

       
43

       
 

       
  # Just don't change this :p


     

       
53

       
44

       
 

       
  system.stateVersion = "23.05"; # Did you read the comment?
+7 -2
systems/koumakan/default.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  lib,


     

       
3

       

       
-

       
  _utils,


     

       

       
3

       
+

       
  utils,


     

       
4

       
4

       
 

       
  inputs,


     

       
5

       
5

       
 

       
  ...


     

       
6

       
6

       
 

       
}:


     
···

       
10

       
10

       
 

       
  # see docs/tips_n_tricks.md#extra_opts for syntax


     

       
11

       
11

       
 

       
  # see docs/utils.md for functions


     

       
12

       
12

       
 

       
  specialArgs = {


     

       
13

       

       
-

       
    inherit inputs _utils;


     

       

       
13

       
+

       
    inherit inputs;


     

       

       
14

       
+

       
    _utils = utils {


     

       

       
15

       
+

       
      inherit inputs;


     

       

       
16

       
+

       
      system = "x86_64-linux";


     

       

       
17

       
+

       
    };


     

       
14

       
18

       
 

       
  };


     

       
15

       
19

       
 

       



     

       
16

       
20

       
 

       
  modules = [


     

       
17

       
21

       
 

       
    inputs.lanzaboote.nixosModules.lanzaboote


     

       
18

       
22

       
 

       
    inputs.attic.nixosModules.atticd


     

       

       
23

       
+

       
    inputs.sops-nix.nixosModules.sops


     

       
19

       
24

       
 

       



     

       
20

       
25

       
 

       
    ./configuration.nix


     

       
21

       
26

       
 

       
  ];
+1 -1
systems/koumakan/networking/interface.nix 
···

       
1

       
1

       
 

       
{...}: {


     

       
2

       

       
-

       
  networking.networkmanager.ethernet.macAddress = builtins.readFile ./nma.cry;


     

       

       
2

       
+

       
  networking.networkmanager.ethernet.macAddress = "stable";


     

       
3

       
3

       
 

       
}
systems/koumakan/networking/nma.cry

This is a binary file and will not be displayed.

+1 -1
systems/koumakan/security/pam.nix 
···

       
1

       
1

       
 

       
{...}: {


     

       
2

       
2

       
 

       
  security.pam.yubico = {


     

       
3

       
3

       
 

       
    enable = true;


     

       
4

       

       
-

       
    id = builtins.readFile ./ykid.cry;


     

       

       
4

       
+

       
    id = "91582";


     

       
5

       
5

       
 

       
    mode = "client";


     

       
6

       
6

       
 

       
    control = "requisite";


     

       
7

       
7

       
 

       
  };
systems/koumakan/security/ykid.cry

This is a binary file and will not be displayed.

+4 -3
systems/koumakan/services/attic.nix 
···

       
39

       
39

       
 

       
    };


     

       
40

       
40

       
 

       
  };


     

       
41

       
41

       
 

       



     

       
42

       

       
-

       
  services.nginx.virtualHosts."nonbunary.soopy.moe" =


     

       
43

       

       
-

       
    _utils.mkSimpleProxy {port = 38191;}


     

       
44

       

       
-

       
    // {


     

       

       
42

       
+

       
  services.nginx.virtualHosts."nonbunary.soopy.moe" = _utils.mkSimpleProxy {


     

       

       
43

       
+

       
    port = 38191;


     

       

       
44

       
+

       
    extraConfig = {


     

       
45

       
45

       
 

       
      extraConfig = ''


     

       
46

       
46

       
 

       
        client_max_body_size 1G;


     

       
47

       
47

       
 

       
        proxy_read_timeout 3h;


     
···

       
49

       
49

       
 

       
        proxy_send_timeout 3h;


     

       
50

       
50

       
 

       
      '';


     

       
51

       
51

       
 

       
    };


     

       

       
52

       
+

       
  };


     

       
52

       
53

       
 

       
}
+6
systems/koumakan/services/databases/default.nix 
···

       

       
1

       
+

       
{...}: {


     

       

       
2

       
+

       
  imports = [


     

       

       
3

       
+

       
    ./postgresql.nix


     

       

       
4

       
+

       
    ./redis.nix


     

       

       
5

       
+

       
  ];


     

       

       
6

       
+

       
}
+40
systems/koumakan/services/databases/postgresql.nix 
···

       

       
1

       
+

       
{pkgs, ...}: {


     

       

       
2

       
+

       
  services.postgresql = {


     

       

       
3

       
+

       
    enable = true;


     

       

       
4

       
+

       



     

       

       
5

       
+

       
    package = pkgs.postgresql_15;


     

       

       
6

       
+

       
    dataDir = "/var/lib/postgresql/15";


     

       

       
7

       
+

       
    logLinePrefix = "%m [%p] %h ";


     

       

       
8

       
+

       



     

       

       
9

       
+

       
    authentication = ''


     

       

       
10

       
+

       
      # unix socket connection


     

       

       
11

       
+

       
      local   all             all                                     peer


     

       

       
12

       
+

       
      # local ipv4/6 tcp connection


     

       

       
13

       
+

       
      host    all             all             127.0.0.1/32            scram-sha-256


     

       

       
14

       
+

       
      host    all             all             ::1/128                 scram-sha-256


     

       

       
15

       
+

       
      # world (encrypted) tcp traffic


     

       

       
16

       
+

       
      hostssl all             all             all                     scram-sha-256


     

       

       
17

       
+

       
    '';


     

       

       
18

       
+

       



     

       

       
19

       
+

       
    settings = let


     

       

       
20

       
+

       
      credsDir = "/run/credentials/postgresql.service";


     

       

       
21

       
+

       
    in {


     

       

       
22

       
+

       
      listen_addresses = pkgs.lib.mkForce "*";


     

       

       
23

       
+

       
      max_connections = 200;


     

       

       
24

       
+

       
      password_encryption = "scram-sha-256";


     

       

       
25

       
+

       



     

       

       
26

       
+

       
      ssl = "on";


     

       

       
27

       
+

       
      ssl_cert_file = "${credsDir}/cert.pem";


     

       

       
28

       
+

       
      ssl_key_file = "${credsDir}/key.pem";


     

       

       
29

       
+

       



     

       

       
30

       
+

       
      log_hostname = true;


     

       

       
31

       
+

       
      datestyle = "iso, dmy";


     

       

       
32

       
+

       
      log_timezone = "Asia/Hong_Kong";


     

       

       
33

       
+

       
      timezone = "Asia/Hong_Kong";


     

       

       
34

       
+

       
      default_text_search_config = "pc_catalog.english";


     

       

       
35

       
+

       



     

       

       
36

       
+

       
      max_wal_size = "2GB";


     

       

       
37

       
+

       
      min_wal_size = "80MB";


     

       

       
38

       
+

       
    };


     

       

       
39

       
+

       
  };


     

       

       
40

       
+

       
}
+5
systems/koumakan/services/databases/redis.nix 
···

       

       
1

       
+

       
{...}: {


     

       

       
2

       
+

       
  services.redis.servers."" = {


     

       

       
3

       
+

       
    enable = true;


     

       

       
4

       
+

       
  };


     

       

       
5

       
+

       
}
+5 -3
systems/koumakan/services/default.nix 
···

       
2

       
2

       
 

       
  imports = [


     

       
3

       
3

       
 

       
    ./nginx.nix


     

       
4

       
4

       
 

       



     

       
5

       

       
-

       
    # databases


     

       
6

       

       
-

       
    ./postgresql.nix


     

       
7

       

       
-

       
    ./redis.nix


     

       

       
5

       
+

       
    ./databases


     

       
8

       
6

       
 

       



     

       
9

       
7

       
 

       
    ./attic.nix


     

       

       
8

       
+

       



     

       

       
9

       
+

       
    # fediverse


     

       

       
10

       
+

       
    ./matrix


     

       

       
11

       
+

       
    ./fediverse


     

       
10

       
12

       
 

       



     

       
11

       
13

       
 

       
    ./proxies


     

       
12

       
14

       
 

       
    ./static-sites
+150
systems/koumakan/services/fediverse/akkoma.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  _utils,


     

       

       
3

       
+

       
  pkgs,


     

       

       
4

       
+

       
  config,


     

       

       
5

       
+

       
  lib,


     

       

       
6

       
+

       
  ...


     

       

       
7

       
+

       
}: let


     

       

       
8

       
+

       
  mkRaw = (pkgs.formats.elixirConf {}).lib.mkRaw;


     

       

       
9

       
+

       
  # I don't know what i did but i made this abomination


     

       

       
10

       
+

       
  mkSecret = file:


     

       

       
11

       
+

       
    if !lib.elem file secrets


     

       

       
12

       
+

       
    then throw "Provided secret file ${file} is not in the list of defined secrets."


     

       

       
13

       
+

       
    else {_secret = "/run/secrets/akkoma/${file}";};


     

       

       
14

       
+

       
  secrets = [


     

       

       
15

       
+

       
    "joken_default_signer" # can't think of any better name spacing


     

       

       
16

       
+

       
    "dist/cookie"


     

       

       
17

       
+

       
    "search/meili/host_unencrypted"


     

       

       
18

       
+

       
    "search/meili/key"


     

       

       
19

       
+

       
    "endpoint/secret_base"


     

       

       
20

       
+

       
    "endpoint/salt"


     

       

       
21

       
+

       
    "endpoint/live_view/salt"


     

       

       
22

       
+

       
    "vapid/pub"


     

       

       
23

       
+

       
    "vapid/key"


     

       

       
24

       
+

       
    "postgres/hostname"


     

       

       
25

       
+

       
    "postgres/database_unencrypted"


     

       

       
26

       
+

       
    "postgres/username"


     

       

       
27

       
+

       
    "postgres/password"


     

       

       
28

       
+

       
    "smtp/username"


     

       

       
29

       
+

       
    "smtp/password"


     

       

       
30

       
+

       
    "smtp/relay"


     

       

       
31

       
+

       
  ];


     

       

       
32

       
+

       
in {


     

       

       
33

       
+

       
  # secrets definition


     

       

       
34

       
+

       
  sops.secrets = _utils.genSecrets "akkoma" secrets {};


     

       

       
35

       
+

       



     

       

       
36

       
+

       
  services.akkoma = {


     

       

       
37

       
+

       
    enable = true;


     

       

       
38

       
+

       
    initSecrets = false;


     

       

       
39

       
+

       
    initDb.enable = false;


     

       

       
40

       
+

       
    # TODO: figure out how to add swagger ui


     

       

       
41

       
+

       
    # frontends = {


     

       

       
42

       
+

       
    #   swagger


     

       

       
43

       
+

       
    # };


     

       

       
44

       
+

       



     

       

       
45

       
+

       
    # TODO: Issue #5


     

       

       
46

       
+

       
    dist.cookie = mkSecret "dist/cookie";


     

       

       
47

       
+

       
    config = {


     

       

       
48

       
+

       
      ":joken".":default_signer" = mkSecret "joken_default_signer";


     

       

       
49

       
+

       



     

       

       
50

       
+

       
      ":pleroma" = {


     

       

       
51

       
+

       
        ":http_security" = {


     

       

       
52

       
+

       
          sts = true;


     

       

       
53

       
+

       
        };


     

       

       
54

       
+

       



     

       

       
55

       
+

       
        ":configurable_from_database" = true;


     

       

       
56

       
+

       
        ":instance" = {


     

       

       
57

       
+

       
          name = "CassieAkko";


     

       

       
58

       
+

       
          description = "You should not see this here...";


     

       

       
59

       
+

       
          email = "me@soopy.moe";


     

       

       
60

       
+

       
          notify_email = "noreply@a.soopy.moe";


     

       

       
61

       
+

       
          limit = 5000;


     

       

       
62

       
+

       
          registrations_open = true;


     

       

       
63

       
+

       
        };


     

       

       
64

       
+

       



     

       

       
65

       
+

       
        # TODO: add proper proxy support


     

       

       
66

       
+

       
        # also refer to https://meta.akkoma.dev/t/another-vector-for-the-injection-vulnerability-found/483


     

       

       
67

       
+

       
        ":media_proxy" = {


     

       

       
68

       
+

       
          enabled = true;


     

       

       
69

       
+

       
          redirect_on_failure = true;


     

       

       
70

       
+

       
        };


     

       

       
71

       
+

       



     

       

       
72

       
+

       
        "Pleroma.Repo" = {


     

       

       
73

       
+

       
          adapter = mkRaw "Ecto.Adapters.Postgres";


     

       

       
74

       
+

       
          database = mkSecret "postgres/database_unencrypted";


     

       

       
75

       
+

       
          hostname = mkSecret "postgres/hostname";


     

       

       
76

       
+

       
          username = mkSecret "postgres/username";


     

       

       
77

       
+

       
          password = mkSecret "postgres/password";


     

       

       
78

       
+

       
        };


     

       

       
79

       
+

       



     

       

       
80

       
+

       
        "Pleroma.Upload" = {


     

       

       
81

       
+

       
          filters = [


     

       

       
82

       
+

       
            (mkRaw "Pleroma.Upload.Filter.Exiftool")


     

       

       
83

       
+

       
            (mkRaw "Pleroma.Upload.Filter.Dedupe")


     

       

       
84

       
+

       
          ];


     

       

       
85

       
+

       
        };


     

       

       
86

       
+

       



     

       

       
87

       
+

       
        "Pleroma.Web.Endpoint" = {


     

       

       
88

       
+

       
          # We don't need to specify http ip/ports here because we use unix sockets


     

       

       
89

       
+

       
          # ok we do because it's broken


     

       

       
90

       
+

       
          http = {


     

       

       
91

       
+

       
            ip = "127.0.0.1";


     

       

       
92

       
+

       
            port = 35378;


     

       

       
93

       
+

       
          };


     

       

       
94

       
+

       
          url = {


     

       

       
95

       
+

       
            host = "a.soopy.moe";


     

       

       
96

       
+

       
            scheme = "https";


     

       

       
97

       
+

       
            port = 443;


     

       

       
98

       
+

       
          };


     

       

       
99

       
+

       
          secure_cookie_flag = true;


     

       

       
100

       
+

       



     

       

       
101

       
+

       
          secret_key_base = mkSecret "endpoint/secret_base";


     

       

       
102

       
+

       
          signing_salt = mkSecret "endpoint/salt";


     

       

       
103

       
+

       
          live_view = {


     

       

       
104

       
+

       
            signing_salt = mkSecret "endpoint/live_view/salt";


     

       

       
105

       
+

       
          };


     

       

       
106

       
+

       
        };


     

       

       
107

       
+

       



     

       

       
108

       
+

       
        "Pleroma.Emails.Mailer" = {


     

       

       
109

       
+

       
          adapter = mkRaw "Swoosh.Adapters.SMTP";


     

       

       
110

       
+

       
          relay = mkSecret "smtp/relay";


     

       

       
111

       
+

       
          username = mkSecret "smtp/username";


     

       

       
112

       
+

       
          password = mkSecret "smtp/password";


     

       

       
113

       
+

       
        };


     

       

       
114

       
+

       



     

       

       
115

       
+

       
        "Pleroma.Search.Meilisearch" = {


     

       

       
116

       
+

       
          url = mkSecret "search/meili/host_unencrypted";


     

       

       
117

       
+

       
          private_key = mkSecret "search/meili/key";


     

       

       
118

       
+

       
          initial_indexing_chunk_size = 100000;


     

       

       
119

       
+

       
        };


     

       

       
120

       
+

       
      };


     

       

       
121

       
+

       



     

       

       
122

       
+

       
      ":web_push_encryption".":vapid_details" = {


     

       

       
123

       
+

       
        subject = "mailto:me@soopy.moe";


     

       

       
124

       
+

       
        public_key = mkSecret "vapid/pub";


     

       

       
125

       
+

       
        private_key = mkSecret "vapid/key";


     

       

       
126

       
+

       
      };


     

       

       
127

       
+

       
    };


     

       

       
128

       
+

       



     

       

       
129

       
+

       
    nginx = _utils.mkVhost {


     

       

       
130

       
+

       
      useACMEHost = "fedi.c.soopy.moe";


     

       

       
131

       
+

       
      extraConfig = ''


     

       

       
132

       
+

       
        client_max_body_size 100M;


     

       

       
133

       
+

       
      '';


     

       

       
134

       
+

       
    };


     

       

       
135

       
+

       



     

       

       
136

       
+

       
    extraStatic = {


     

       

       
137

       
+

       
      "static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" ''


     

       

       
138

       
+

       
        <h1>Terms of Service</h1><p>Please refer to this ToS:


     

       

       
139

       
+

       
        <a href="https://m.soopy.moe/@admin/pages/tos" rel="noopener noreferrer nofollow">


     

       

       
140

       
+

       
        https://m.soopy.moe/@admin/pages/tos</a></p>


     

       

       
141

       
+

       
      '';


     

       

       
142

       
+

       
      # refer to https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/servers/akkoma/emoji/blobs_gg.nix#L29


     

       

       
143

       
+

       
      # "emoji/Cat_girls_Emoji" = ...


     

       

       
144

       
+

       
    };


     

       

       
145

       
+

       
  };


     

       

       
146

       
+

       



     

       

       
147

       
+

       
  systemd.services.akkoma-config = {


     

       

       
148

       
+

       
    serviceConfig.SupplementaryGroups = [config.users.groups.keys.name];


     

       

       
149

       
+

       
  };


     

       

       
150

       
+

       
}
+5
systems/koumakan/services/fediverse/default.nix 
···

       

       
1

       
+

       
{...}: {


     

       

       
2

       
+

       
  imports = [


     

       

       
3

       
+

       
    ./akkoma.nix


     

       

       
4

       
+

       
  ];


     

       

       
5

       
+

       
}
+5
systems/koumakan/services/matrix/default.nix 
···

       

       
1

       
+

       
{...}: {


     

       

       
2

       
+

       
  imports = [


     

       

       
3

       
+

       
    ./synapse.nix


     

       

       
4

       
+

       
  ];


     

       

       
5

       
+

       
}
+116
systems/koumakan/services/matrix/synapse.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  _utils,


     

       

       
3

       
+

       
  pkgs,


     

       

       
4

       
+

       
  config,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}: {


     

       

       
7

       
+

       
  sops.secrets."synapse.yaml" = {


     

       

       
8

       
+

       
    mode = "0400";


     

       

       
9

       
+

       
    owner = config.users.users.matrix-synapse.name;


     

       

       
10

       
+

       
  };


     

       

       
11

       
+

       



     

       

       
12

       
+

       
  sops.secrets.matrix-signing-key = {


     

       

       
13

       
+

       
    mode = "0400";


     

       

       
14

       
+

       
    owner = config.users.users.matrix-synapse.name;


     

       

       
15

       
+

       
  };


     

       

       
16

       
+

       



     

       

       
17

       
+

       
  users.users.matrix-synapse.extraGroups = [config.users.groups.keys.name];


     

       

       
18

       
+

       



     

       

       
19

       
+

       
  services.matrix-synapse = {


     

       

       
20

       
+

       
    enable = true;


     

       

       
21

       
+

       
    withJemalloc = true;


     

       

       
22

       
+

       
    extras = [


     

       

       
23

       
+

       
      "jwt"


     

       

       
24

       
+

       
      "oidc"


     

       

       
25

       
+

       
    ];


     

       

       
26

       
+

       



     

       

       
27

       
+

       
    extraConfigFiles = [


     

       

       
28

       
+

       
      "/run/secrets/synapse.yaml"


     

       

       
29

       
+

       
    ];


     

       

       
30

       
+

       



     

       

       
31

       
+

       
    settings = {


     

       

       
32

       
+

       
      server_name = "nue.soopy.moe";


     

       

       
33

       
+

       
      serve_server_wellknown = true;


     

       

       
34

       
+

       
      allow_public_rooms_over_federation = true;


     

       

       
35

       
+

       
      federation_client_minimum_tls_version = 1.2;


     

       

       
36

       
+

       
      # TODO: Setup TURN servers


     

       

       
37

       
+

       
      # TODO: Setup OIDC providers


     

       

       
38

       
+

       
      # TODO: Configure email


     

       

       
39

       
+

       
      # TODO: Setup opentracing


     

       

       
40

       
+

       
      url_preview_enabled = true;


     

       

       
41

       
+

       
      enable_registration = false;


     

       

       
42

       
+

       
      session_lifetime = "99y";


     

       

       
43

       
+

       



     

       

       
44

       
+

       
      max_upload_size = "100M";


     

       

       
45

       
+

       
      signing_key_path = "/run/secrets/matrix-signing-key";


     

       

       
46

       
+

       



     

       

       
47

       
+

       
      server_notices = {


     

       

       
48

       
+

       
        system_mxid_localpart = "server";


     

       

       
49

       
+

       
        system_mxid_display_name = "Server Notices";


     

       

       
50

       
+

       
        room_name = "Server Notices";


     

       

       
51

       
+

       
      };


     

       

       
52

       
+

       



     

       

       
53

       
+

       
      trusted_key_servers = [


     

       

       
54

       
+

       
        {


     

       

       
55

       
+

       
          server_name = "matrix.org";


     

       

       
56

       
+

       
          verify_keys = {


     

       

       
57

       
+

       
            "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";


     

       

       
58

       
+

       
          };


     

       

       
59

       
+

       
        }


     

       

       
60

       
+

       
        {


     

       

       
61

       
+

       
          server_name = "m.lea.moe";


     

       

       
62

       
+

       
        }


     

       

       
63

       
+

       
      ];


     

       

       
64

       
+

       



     

       

       
65

       
+

       
      password_config = {


     

       

       
66

       
+

       
        policy = {


     

       

       
67

       
+

       
          enabled = true;


     

       

       
68

       
+

       
          minimum_length = 12;


     

       

       
69

       
+

       
        };


     

       

       
70

       
+

       
      };


     

       

       
71

       
+

       
    };


     

       

       
72

       
+

       
  };


     

       

       
73

       
+

       



     

       

       
74

       
+

       
  services.postgresql = {


     

       

       
75

       
+

       
    ensureDatabases = ["synapse"];


     

       

       
76

       
+

       
    ensureUsers = [


     

       

       
77

       
+

       
      {


     

       

       
78

       
+

       
        name = "synapse";


     

       

       
79

       
+

       
        ensurePermissions = {


     

       

       
80

       
+

       
          "database \"synapse\"" = "all privileges";


     

       

       
81

       
+

       
        };


     

       

       
82

       
+

       
      }


     

       

       
83

       
+

       
    ];


     

       

       
84

       
+

       
  };


     

       

       
85

       
+

       



     

       

       
86

       
+

       
  services.nginx.virtualHosts."nue.soopy.moe" = _utils.mkVhost {


     

       

       
87

       
+

       
    locations."= /config.json" = {


     

       

       
88

       
+

       
      alias = "${pkgs.staticly}/configs/";


     

       

       
89

       
+

       
      tryFiles = "cinny.json =404";


     

       

       
90

       
+

       
      extraConfig = ''


     

       

       
91

       
+

       
        add_header access_control_allow_origin "*";


     

       

       
92

       
+

       
      '';


     

       

       
93

       
+

       
    };


     

       

       
94

       
+

       



     

       

       
95

       
+

       
    locations."= /.well-known/matrix/server" = {


     

       

       
96

       
+

       
      return = "200 '{\"m.server\": \"nue.soopy.moe:443\"}'";


     

       

       
97

       
+

       
    };


     

       

       
98

       
+

       



     

       

       
99

       
+

       
    locations."~ ^(/_matrix|/_synapse/client)" = {


     

       

       
100

       
+

       
      proxyPass = "http://localhost:8008";


     

       

       
101

       
+

       
      extraConfig = ''


     

       

       
102

       
+

       
        client_max_body_size 100M;


     

       

       
103

       
+

       
      '';


     

       

       
104

       
+

       
    };


     

       

       
105

       
+

       



     

       

       
106

       
+

       
    locations."= /.well-known/matrix/client" = {


     

       

       
107

       
+

       
      alias = "${pkgs.staticly}/configs/matrix/";


     

       

       
108

       
+

       
      tryFiles = "stable.json =404";


     

       

       
109

       
+

       
    };


     

       

       
110

       
+

       



     

       

       
111

       
+

       
    locations."/" = {


     

       

       
112

       
+

       
      root = "${pkgs.staticly}/pages/matrix/landing/";


     

       

       
113

       
+

       
      tryFiles = "$uri $uri/index.html $uri.html =404";


     

       

       
114

       
+

       
    };


     

       

       
115

       
+

       
  };


     

       

       
116

       
+

       
}
-40
systems/koumakan/services/postgresql.nix 
···

       
1

       

       
-

       
{pkgs, ...}: {


     

       
2

       

       
-

       
  services.postgresql = {


     

       
3

       

       
-

       
    enable = true;


     

       
4

       

       
-

       



     

       
5

       

       
-

       
    package = pkgs.postgresql_15;


     

       
6

       

       
-

       
    dataDir = "/var/lib/postgresql/15";


     

       
7

       

       
-

       
    logLinePrefix = "%m [%p] %h ";


     

       
8

       

       
-

       



     

       
9

       

       
-

       
    authentication = ''


     

       
10

       

       
-

       
      # unix socket connection


     

       
11

       

       
-

       
      local   all             all                                     trust


     

       
12

       

       
-

       
      # local ipv4/6 tcp connection


     

       
13

       

       
-

       
      host    all             all             127.0.0.1/32            scram-sha-256


     

       
14

       

       
-

       
      host    all             all             ::1/128                 scram-sha-256


     

       
15

       

       
-

       
      # world (encrypted) tcp traffic


     

       
16

       

       
-

       
      hostssl all             all             all                     scram-sha-256


     

       
17

       

       
-

       
    '';


     

       
18

       

       
-

       



     

       
19

       

       
-

       
    settings = let


     

       
20

       

       
-

       
      credsDir = "/run/credentials/postgresql.service";


     

       
21

       

       
-

       
    in {


     

       
22

       

       
-

       
      listen_addresses = pkgs.lib.mkForce "*";


     

       
23

       

       
-

       
      max_connections = 200;


     

       
24

       

       
-

       
      password_encryption = "scram-sha-256";


     

       
25

       

       
-

       



     

       
26

       

       
-

       
      ssl = "on";


     

       
27

       

       
-

       
      ssl_cert_file = "${credsDir}/cert.pem";


     

       
28

       

       
-

       
      ssl_key_file = "${credsDir}/key.pem";


     

       
29

       

       
-

       



     

       
30

       

       
-

       
      log_hostname = true;


     

       
31

       

       
-

       
      datestyle = "iso, dmy";


     

       
32

       

       
-

       
      log_timezone = "Asia/Hong_Kong";


     

       
33

       

       
-

       
      timezone = "Asia/Hong_Kong";


     

       
34

       

       
-

       
      default_text_search_config = "pc_catalog.english";


     

       
35

       

       
-

       



     

       
36

       

       
-

       
      max_wal_size = "2GB";


     

       
37

       

       
-

       
      min_wal_size = "80MB";


     

       
38

       

       
-

       
    };


     

       
39

       

       
-

       
  };


     

       
40

       

       
-

       
}
-5
systems/koumakan/services/redis.nix 
···

       
1

       

       
-

       
{...}: {


     

       
2

       

       
-

       
  services.redis.servers."" = {


     

       
3

       

       
-

       
    enable = true;


     

       
4

       

       
-

       
  };


     

       
5

       

       
-

       
}
+3 -3
systems/koumakan/services/static-sites/keine.nix 
···

       
1

       

       
-

       
{...}: {


     

       
2

       

       
-

       
  services.nginx.virtualHosts."keine.soopy.moe" = {


     

       
3

       

       
-

       
    useACMEHost = "global.c.soopy.moe";


     

       

       
1

       
+

       
{_utils, ...}: {


     

       

       
2

       
+

       
  services.nginx.virtualHosts."keine.soopy.moe" = _utils.mkVhost {


     

       

       
3

       
+

       
    forceSSL = false;


     

       
4

       
4

       
 

       
    addSSL = true; # Don't force SSL on a mirror (implications TBD)


     

       
5

       
5

       
 

       



     

       
6

       
6

       
 

       
    root = "/srv/www/keine";
+1
utils/justfile 
···

       
3

       
3

       
 

       
list:


     

       
4

       
4

       
 

       
  just -l


     

       
5

       
5

       
 

       



     

       

       
6

       
+

       
# grab a new nitter guest account and save it


     

       
6

       
7

       
 

       
nitter-token:


     

       
7

       
8

       
 

       
  {{python_executable}} nitter-guest-account.py tokens.json
+78 -64
utils/nitter-guest-account.py 
···

       
3

       
3

       
 

       
# thank you!


     

       
4

       
4

       
 

       
import sys


     

       
5

       
5

       
 

       
import json


     

       

       
6

       
+

       
import time


     

       

       
7

       
+

       
import random


     

       
6

       
8

       
 

       
import typing


     

       
7

       
9

       
 

       
import traceback


     

       
8

       
10

       
 

       
from base64 import b64encode


     
···

       
256

       
258

       
 

       
	success(f'flow token => {flow_token}')


     

       
257

       
259

       
 

       



     

       
258

       
260

       
 

       
	info('Fetching final account object...')


     

       
259

       

       
-

       
	tasks = send_req('post', TASKS_ENDPOINT, headers=request_headers, json=get_tasks_body(flow_token)).json()


     

       
260

       

       
-

       
	try:


     

       

       
261

       
+

       
	backoff_time = 0


     

       

       
262

       
+

       
	exception = None


     

       

       
263

       
+

       
	for attempt in range(0, 6):


     

       

       
264

       
+

       
		debug(f"Attempt #{attempt + 1}")


     

       

       
265

       
+

       
		tasks = send_req('post', TASKS_ENDPOINT, headers=request_headers, json=get_tasks_body(flow_token)).json()


     

       
261

       
266

       
 

       
		try:


     

       
262

       

       
-

       
			open_account_task = next(filter(lambda i: i.get('subtask_id') == "OpenAccount", tasks['subtasks']))


     

       
263

       

       
-

       
			account = open_account_task['open_account']


     

       
264

       

       
-

       
		except StopIteration:


     

       
265

       

       
-

       
			debug("resulting tasks =>", format_json(tasks), override=True)


     

       
266

       

       
-

       
			error("Unable to acquire guest account credentials as it isn't present in the API response.")


     

       
267

       

       
-

       
			error("This might be because of a wide variety of reasons, but it most likely is due to your IP being rate-limited.")


     

       
268

       

       
-

       
			error("Try again with a new IP address or in 24 hours after this attempt.")


     

       
269

       

       
-

       
			return 1


     

       

       
267

       
+

       
			try:


     

       

       
268

       
+

       
				open_account_task = next(filter(lambda i: i.get('subtask_id') == "OpenAccount", tasks['subtasks']))


     

       

       
269

       
+

       
				account = open_account_task['open_account']


     

       

       
270

       
+

       
			except StopIteration as e:


     

       

       
271

       
+

       
				backoff_time += random.randint(5000,10000) / 1000


     

       

       
272

       
+

       
				exception = e


     

       

       
273

       
+

       
				warn(f"attempt #{attempt + 1} failed to acquire token, retrying in {backoff_time}s.")


     

       

       
274

       
+

       
				time.sleep(backoff_time)


     

       

       
275

       
+

       
				continue


     

       
270

       
276

       
 

       



     

       
271

       

       
-

       
		if args.outfile == "-":


     

       
272

       

       
-

       
			debug("outfile is `-`, printing to stdout")


     

       
273

       

       
-

       
			print(format_json(account))


     

       
274

       

       
-

       
			return 0


     

       

       
277

       
+

       
			info(f"Attempt #{attempt + 1} succeeded")


     

       

       
278

       
+

       
			if args.outfile == "-":


     

       

       
279

       
+

       
				debug("outfile is `-`, printing to stdout")


     

       

       
280

       
+

       
				print(format_json(account))


     

       

       
281

       
+

       
				return 0


     

       
275

       
282

       
 

       



     

       
276

       

       
-

       
		# Sanity checks


     

       
277

       

       
-

       
		try:


     

       
278

       

       
-

       
			debug(f"attempting to read file: {args.outfile}")


     

       
279

       

       
-

       
			with open(args.outfile) as f:


     

       
280

       

       
-

       
				old_data = json.load(f)


     

       
281

       

       
-

       
		except FileNotFoundError:


     

       
282

       

       
-

       
			# that's okay, we might be able to create it later.


     

       
283

       

       
-

       
			old_data = []


     

       
284

       

       
-

       
		except PermissionError:


     

       
285

       

       
-

       
			# that's not okay. we will need to access the file later anyways.


     

       
286

       

       
-

       
			error("unable to read file due to a permission error.")


     

       
287

       

       
-

       
			error("please make sure this script has read and write access to the file.")


     

       
288

       

       
-

       
			print(format_json(account))


     

       
289

       

       
-

       
			return 1


     

       
290

       

       
-

       
		except json.JSONDecodeError:


     

       
291

       

       
-

       
			error("could not parse the provided JSON file.")


     

       
292

       

       
-

       
			if not prompt_bool("Do you want to overwrite the file?", default=None):


     

       
293

       

       
-

       
				warn("Not overwriting file, printing to stdout instead.")


     

       

       
283

       
+

       
			# Sanity checks


     

       

       
284

       
+

       
			try:


     

       

       
285

       
+

       
				debug(f"attempting to read file: {args.outfile}")


     

       

       
286

       
+

       
				with open(args.outfile) as f:


     

       

       
287

       
+

       
					old_data = json.load(f)


     

       

       
288

       
+

       
			except FileNotFoundError:


     

       

       
289

       
+

       
				# that's okay, we might be able to create it later.


     

       

       
290

       
+

       
				old_data = []


     

       

       
291

       
+

       
			except PermissionError:


     

       

       
292

       
+

       
				# that's not okay. we will need to access the file later anyways.


     

       

       
293

       
+

       
				error("unable to read file due to a permission error.")


     

       

       
294

       
+

       
				error("please make sure this script has read and write access to the file.")


     

       
294

       
295

       
 

       
				print(format_json(account))


     

       
295

       
296

       
 

       
				return 1


     

       
296

       

       
-

       
			debug('assuming old data is an empty array because we are overwriting')


     

       
297

       

       
-

       
			old_data = []


     

       
298

       

       
-

       
		if type(old_data) != list:


     

       
299

       

       
-

       
			error("top-level object of the existing JSON file is not a list.")


     

       
300

       

       
-

       
			error("due to the implementation, the file must be overwritten.")


     

       
301

       

       
-

       
			if not (prompt_bool("Do you want to overwrite?", default=None)):


     

       
302

       

       
-

       
				warn("Not overwriting existing data, printing to stdout instead.")


     

       

       
297

       
+

       
			except json.JSONDecodeError:


     

       

       
298

       
+

       
				error("could not parse the provided JSON file.")


     

       

       
299

       
+

       
				if not prompt_bool("Do you want to overwrite the file?", default=None):


     

       

       
300

       
+

       
					warn("Not overwriting file, printing to stdout instead.")


     

       

       
301

       
+

       
					print(format_json(account))


     

       

       
302

       
+

       
					return 1


     

       

       
303

       
+

       
				debug('assuming old data is an empty array because we are overwriting')


     

       

       
304

       
+

       
				old_data = []


     

       

       
305

       
+

       
			if type(old_data) != list:


     

       

       
306

       
+

       
				error("top-level object of the existing JSON file is not a list.")


     

       

       
307

       
+

       
				error("due to the implementation, the file must be overwritten.")


     

       

       
308

       
+

       
				if not (prompt_bool("Do you want to overwrite?", default=None)):


     

       

       
309

       
+

       
					warn("Not overwriting existing data, printing to stdout instead.")


     

       

       
310

       
+

       
					print(format_json(account))


     

       

       
311

       
+

       
					return 1


     

       

       
312

       
+

       
				debug("assuming old data is an empty array because we are overwriting")


     

       

       
313

       
+

       
				old_data = []


     

       

       
314

       
+

       



     

       

       
315

       
+

       
			old_data.append(account)


     

       

       
316

       
+

       



     

       

       
317

       
+

       
			try:


     

       

       
318

       
+

       
				debug("attempting to write file")


     

       

       
319

       
+

       
				with open(args.outfile, 'w+') as f:


     

       

       
320

       
+

       
					f.write(format_json(old_data))


     

       

       
321

       
+

       
				success(f"successfully written to file {args.outfile}")


     

       

       
322

       
+

       
				return 0


     

       

       
323

       
+

       
			except PermissionError:


     

       

       
324

       
+

       
				error("unable to write to file due to permission error.")


     

       

       
325

       
+

       
				error("please make sure this script has write access to the file.")


     

       
303

       
326

       
 

       
				print(format_json(account))


     

       
304

       
327

       
 

       
				return 1


     

       
305

       

       
-

       
			debug("assuming old data is an empty array because we are overwriting")


     

       
306

       

       
-

       
			old_data = []


     

       
307

       

       
-

       



     

       
308

       

       
-

       
		old_data.append(account)


     

       

       
328

       
+

       
			except Exception as e:


     

       

       
329

       
+

       
				error("Unable to write to file due to an uncaught error:", e)


     

       

       
330

       
+

       
				tb = ''.join(traceback.TracebackException.from_exception(e).format())


     

       

       
331

       
+

       
				debug("exception stacktrace\n" + tb)


     

       

       
332

       
+

       
				print(format_json(account))


     

       
309

       
333

       
 

       



     

       
310

       

       
-

       
		try:


     

       
311

       

       
-

       
			debug("attempting to write file")


     

       
312

       

       
-

       
			with open(args.outfile, 'w+') as f:


     

       
313

       

       
-

       
				f.write(format_json(old_data))


     

       
314

       

       
-

       
			success(f"successfully written to file {args.outfile}")


     

       
315

       

       
-

       
			return 0


     

       
316

       

       
-

       
		except PermissionError:


     

       
317

       

       
-

       
			error("unable to write to file due to permission error.")


     

       
318

       

       
-

       
			error("please make sure this script has write access to the file.")


     

       
319

       

       
-

       
			print(format_json(account))


     

       
320

       

       
-

       
			return 1


     

       
321

       

       
-

       
		except Exception as e:


     

       
322

       

       
-

       
			error("Unable to write to file due to an uncaught error:", e)


     

       
323

       

       
-

       
			tb = ''.join(traceback.TracebackException.from_exception(e).format())


     

       
324

       

       
-

       
			debug("exception stacktrace\n" + tb)


     

       
325

       

       
-

       
			print(format_json(account))


     

       

       
334

       
+

       
		except Exception:


     

       

       
335

       
+

       
			debug("resulting tasks =>", format_json(tasks), override=True)


     

       

       
336

       
+

       
			error("an unhandled error occurred. the tasks object is printed to avoid losing otherwise successful data.")


     

       

       
337

       
+

       
			error("please file a bug report and attach the traceback below.")


     

       

       
338

       
+

       
			raise


     

       
326

       
339

       
 

       



     

       
327

       

       
-

       
	except Exception:


     

       
328

       

       
-

       
		debug("resulting tasks =>", format_json(tasks), override=True)


     

       
329

       

       
-

       
		error("an unhandled error occurred. the tasks object is printed to avoid losing otherwise successful data.")


     

       
330

       

       
-

       
		error("please file a bug report and attach the traceback below.")


     

       
331

       

       
-

       
		raise


     

       

       
340

       
+

       
	if exception != None:


     

       

       
341

       
+

       
		debug("resulting tasks =>", format_json(tasks))


     

       

       
342

       
+

       
		error("Unable to acquire guest account credentials with 5 attempts as it isn't present in any of the API responses.")


     

       

       
343

       
+

       
		error("This might be because of a wide variety of reasons, but it most likely is due to your IP being rate-limited.")


     

       

       
344

       
+

       
		error("Try again with a new IP address or in 24 hours after this attempt.")


     

       

       
345

       
+

       
		return 1


     

       
332

       
346

       
 

       



     

       
333

       
347

       
 

       
	return 0


     

       
334

       
348