af561f95c0 Tweaked some URLs
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-07 17:12:07 -07:00
17f49d28ed Update proxy.nix 2026-03-07 17:11:00 -07:00
f7b36ea02f Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 37s
2026-03-07 00:40:42 -07:00
ef59d3b6ca Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 34s
2026-03-06 18:25:47 -07:00
8dfc55fcdb Oops broke gitea
All checks were successful
Deploy NixOS / deploy (push) Successful in 38s
2026-03-06 18:22:52 -07:00
49dd32fda4 Add this in again.
All checks were successful
Deploy NixOS / deploy (push) Successful in 36s
2026-03-06 18:20:39 -07:00
19bfa69daa Ok this makes a lot more sense and is cleaner now that we have defender.
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-03-06 18:19:37 -07:00
b0a95d5a45 Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-06 18:11:30 -07:00
2b5ec9f2f1 Oops
Some checks failed
Deploy NixOS / deploy (push) Has been cancelled
2026-03-06 18:11:09 -07:00
21774d2865 Welp
Some checks failed
Deploy NixOS / deploy (push) Failing after 37s
2026-03-06 18:08:59 -07:00
440952520f Update proxy.nix 2026-03-06 18:01:12 -07:00
bae346af19 Ugh... I guess I do want to be on google. 2026-03-06 17:59:19 -07:00
1382a2e6ec Update proxy.nix
Some checks failed
Deploy NixOS / deploy (push) Failing after 31s
2026-03-06 17:53:53 -07:00
82bbf7aafd Fix for matrix
All checks were successful
Deploy NixOS / deploy (push) Successful in 48s
2026-03-06 17:41:31 -07:00
629d4d34aa Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 39s
2026-03-06 17:10:45 -07:00
f4e35a4c96 Update proxy.nix
Some checks failed
Deploy NixOS / deploy (push) Has been cancelled
2026-03-06 17:07:58 -07:00
c46f6064e9 Oops
Some checks failed
Deploy NixOS / deploy (push) Failing after 1m6s
2026-03-06 17:05:58 -07:00
75f075fc7d This plugin seems cool
Some checks failed
Deploy NixOS / deploy (push) Failing after 38s
2026-03-06 17:03:32 -07:00
b561101d80 Even better
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-03-06 16:52:51 -07:00
cc6460c078 This is much funnier
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-06 16:50:02 -07:00
a66dfd2392 This time for sure
All checks were successful
Deploy NixOS / deploy (push) Successful in 37s
2026-03-06 16:47:24 -07:00
0bc2cadd1c Maybe this will work
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-03-06 16:43:29 -07:00
e0bfd89594 Add some additional config
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-03-06 16:16:00 -07:00
0862b8d9a0 Update modules/proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 43s
2026-03-06 16:09:44 -07:00
f246bad660 Update modules/proxy.nix
Some checks failed
Deploy NixOS / deploy (push) Failing after 29s
2026-03-06 16:08:03 -07:00
bdaa68a797 Try caddy
All checks were successful
Deploy NixOS / deploy (push) Successful in 17s
2026-03-06 15:58:03 -07:00
cf0cd34ceb Oops
All checks were successful
Deploy NixOS / deploy (push) Successful in 46s
2026-03-06 13:57:47 -07:00
1bff640204 Deps
All checks were successful
Deploy NixOS / deploy (push) Successful in 21s
2026-03-05 16:30:32 -07:00
e48aeea6cb Fixed a number of security vulns 2026-03-05 16:30:30 -07:00
e018174401 Update Makefile 2026-03-05 16:30:29 -07:00
10f8ca41a4 Update modules/nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-02 10:25:34 -07:00
d919430891 Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-01 23:10:56 -07:00
59ccf5984e Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 34s
2026-03-01 23:00:21 -07:00
99fd1e6356 Update flake.lock
All checks were successful
Deploy NixOS / deploy (push) Successful in 1m8s
2026-03-01 01:00:34 -07:00
149547b8db Update nginx.nix 2026-03-01 00:11:41 -07:00
5004580b0d Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 39s
2026-02-27 09:52:19 -07:00
aa1c065f4a Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 20s
2026-02-26 16:12:03 -07:00
4cd9596dca Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 37s
2026-02-26 15:53:33 -07:00
39f1441bca Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 37s
2026-02-26 15:21:57 -07:00
43759316a0 Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 1m24s
2026-02-26 13:37:17 -07:00
4147bd3c4a Deps
All checks were successful
Deploy NixOS / deploy (push) Successful in 15s
2026-02-24 15:07:00 -07:00
8a8df0e9f5 Fixed a bunch of warnings now that I have a working linter
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-02-23 14:52:59 -07:00
eef3cb387c Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 42s
2026-02-22 16:45:48 -07:00
3195fb0968 Updated pods port
All checks were successful
Deploy NixOS / deploy (push) Successful in 30s
2026-02-22 15:08:41 -07:00
bdf7644b9d Add update to makefile
All checks were successful
Deploy NixOS / deploy (push) Successful in 21s
2026-02-19 09:57:34 -07:00
527a73ac52 Updated nixpkgs
Some checks failed
Deploy NixOS / deploy (push) Has been cancelled
2026-02-19 09:56:51 -07:00
fd7e56a150 Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 43s
2026-02-17 19:05:15 -07:00
097a60c0e0 Update nginx.nix 2026-02-17 19:03:47 -07:00
38620aba96 Proxy fix for media srv
All checks were successful
Deploy NixOS / deploy (push) Successful in 20s
2026-02-14 20:30:36 -07:00
ff0c7c8b6f Proxy fix for media srv
Some checks are pending
Deploy NixOS / deploy (push) Waiting to run
2026-02-14 20:20:26 -07:00
5f69a2893c Oops that doesnt work
All checks were successful
Deploy NixOS / deploy (push) Successful in 38s
2026-02-14 16:39:28 -07:00
2b7c094627 Fail2ban
Some checks failed
Deploy NixOS / deploy (push) Failing after 23s
2026-02-14 16:38:11 -07:00
588e385512 Dont do this... its super insecure as it turns out.
All checks were successful
Deploy NixOS / deploy (push) Successful in 47s
2026-02-14 12:55:32 -07:00
00abeeec21 Update makefile
All checks were successful
Deploy NixOS / deploy (push) Successful in 20s
2026-02-14 12:48:04 -07:00
788a58d06b Moved to unstable
Some checks failed
Deploy NixOS / deploy (push) Failing after 2m59s
2026-02-14 12:43:37 -07:00
1191e9c39c Added some extra config back in for tuwunel
All checks were successful
Deploy NixOS / deploy (push) Successful in 36s
2026-02-14 12:36:14 -07:00
1ef2816a9c This time for realzies
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-02-13 10:39:38 -07:00
4df3457aa8 Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 31s
2026-02-13 10:29:18 -07:00
410ab37a91 Uncommented
All checks were successful
Deploy NixOS / deploy (push) Successful in 27s
2026-02-13 10:21:31 -07:00
c49e5ce7c1 plsplspls
All checks were successful
Deploy NixOS / deploy (push) Successful in 36s
2026-02-13 10:19:24 -07:00
54dab83782 Update matrix.nix
Some checks failed
Deploy NixOS / deploy (push) Failing after 15s
2026-02-13 10:16:35 -07:00
71b58cd57b Update matrix.nix
Some checks failed
Deploy NixOS / deploy (push) Failing after 26s
2026-02-13 10:15:11 -07:00
a94c902ee1 try this
All checks were successful
Deploy NixOS / deploy (push) Successful in 32s
2026-02-13 10:01:13 -07:00
e290fa43a4 Praying🙏
All checks were successful
Deploy NixOS / deploy (push) Successful in 36s
2026-02-13 00:40:23 -07:00
14d9c8bec6 cert and cors
All checks were successful
Deploy NixOS / deploy (push) Successful in 32s
2026-02-13 00:25:20 -07:00
3ea2e7eaaa Update matrix.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 38s
2026-02-13 00:12:55 -07:00
9c419d1f95 Maybe this works 2026-02-13 00:12:46 -07:00
58d2f550be ??
All checks were successful
Deploy NixOS / deploy (push) Successful in 36s
2026-02-12 23:50:11 -07:00
365adbc6f6 Element Call wasn't working properly 2026-02-12 23:49:56 -07:00
15 changed files with 426 additions and 494 deletions


@@ -1,18 +1,10 @@
.PHONY: help certs switch .PHONY: lock update build
help: build:
@grep -E '^[a-zA-Z_-]+:.*##' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*## "}; {printf " \033[36m%-20s\033[0m %s\n", $$1, $$2}'
switch:
sudo nixos-rebuild switch --flake .#haschel sudo nixos-rebuild switch --flake .#haschel
certs: lock:
@for unit in $$(systemctl list-units 'acme-order-renew-*' --all --plain --no-legend --state=inactive --state=failed | awk '{print $$1}'); do \ nix flake lock
domain=$$(echo "$$unit" | sed 's/acme-order-renew-//;s/\.service//'); \
if [ ! -f "/var/lib/acme/$$domain/fullchain.pem" ]; then \ update:
echo "Requesting cert for $$domain..."; \ nix flake update
sudo systemctl start "$$unit" & \
fi; \
done; \
wait; \
echo "Done. Check status with: systemctl list-units 'acme-order-renew-*' --all --state=failed"
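Review bot: The new `build:` target runs `sudo nixos-rebuild switch --flake .#haschel`, which activates the configuration on the host rather than only building it, so the name is misleading for anyone running `make build` as a pre-flight check; keep the old `switch` name for the activating target and, if a `build` target is wanted, make it `nixos-rebuild build --flake .#haschel` (or `nix flake check`) so there is a verification step that changes nothing. A one-line comment at the top stating which targets need root would also help, since `lock` and `update` rewrite flake.lock (and therefore the pinned nixpkgs) without sudo while `build` requires it. The side-by-side rendering makes the exact old/new assignment of these lines uncertain.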


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { pkgs, ... }:
{ {
imports = [ imports = [
@@ -9,11 +9,15 @@
./modules/users.nix ./modules/users.nix
./modules/hardware.nix ./modules/hardware.nix
./modules/services.nix ./modules/services.nix
./modules/nginx.nix ./modules/proxy.nix
./modules/matrix.nix ./modules/matrix.nix
./modules/fail2ban.nix
]; ];
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [
"nix-command"
"flakes"
];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git

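--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1772624091,
+"narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}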


@@ -2,7 +2,7 @@
description = "Haschel Proxy Server"; description = "Haschel Proxy Server";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
}; };
outputs = { self, nixpkgs, ... }@inputs: outputs = { self, nixpkgs, ... }@inputs:
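Review bot: `nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";` puts an internet-facing reverse proxy, SSH endpoint and Matrix homeserver on a channel with no release-branch security backports, so every `nix flake update` (the Makefile's `update` target) moves the whole host to whatever unstable contains at that moment; flake.lock still pins one rev, which keeps deploys reproducible, but it also means CVE fixes arrive only when someone bumps the lock. If unstable is needed for a specific package (tuwunel, caddy-defender, or similar), leave a comment on the input naming it, e.g. `# nixos-unstable needed for <package>; revisit when it reaches a stable release`, so the channel choice can be reverted once that is no longer true.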


@@ -1,28 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { lib, modulesPath, ... }:
{ {
imports = imports = [
[ (modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/7a81e9fe-a727-4979-b63f-209ec593bd1d"; device = "/dev/disk/by-uuid/7a81e9fe-a727-4979-b63f-209ec593bd1d";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/FFAB-FF4F"; device = "/dev/disk/by-uuid/FFAB-FF4F";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [
}; "fmask=0022"
"dmask=0022"
];
};
swapDevices = [ ]; swapDevices = [ ];


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { pkgs, ... }:
{ {
boot.loader.grub = { boot.loader.grub = {
@@ -9,7 +9,7 @@
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = [ "tcp_bbr" ]; boot.kernelModules = [ "tcp_bbr" ];
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq"; "net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr"; "net.ipv4.tcp_congestion_control" = "bbr";

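--- /dev/null
+++ b/modules/fail2ban.nix
@@ -0,0 +1,71 @@
+{ ... }:
+{
+services.fail2ban = {
+enable = true;
+bantime = "1h";
+bantime-increment = {
+enable = true;
+maxtime = "168h";
+factor = "4";
+};
+maxretry = 5;
+ignoreIP = [
+"127.0.0.0/8"
+"::1"
+"100.64.0.0/10"
+];
+jails = {
+sshd = {
+settings = {
+enabled = true;
+port = "22";
+filter = "sshd[mode=aggressive]";
+maxretry = 5;
+findtime = "10m";
+bantime = "1h";
+};
+};
+nginx-botsearch = {
+settings = {
+enabled = true;
+port = "http,https";
+filter = "nginx-botsearch";
+logpath = "/var/log/nginx/access.log";
+maxretry = 5;
+findtime = "10m";
+bantime = "1h";
+};
+};
+nginx-http-auth = {
+settings = {
+enabled = true;
+port = "http,https";
+filter = "nginx-http-auth";
+logpath = "/var/log/nginx/error.log";
+maxretry = 5;
+findtime = "10m";
+bantime = "1h";
+};
+};
+nginx-bad-request = {
+settings = {
+enabled = true;
+port = "http,https";
+filter = "nginx-bad-request";
+logpath = "/var/log/nginx/access.log";
+maxretry = 15;
+findtime = "10m";
+bantime = "30m";
+};
+};
+};
+};
+}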
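Review bot: The three `nginx-*` jails point at `/var/log/nginx/access.log` and `/var/log/nginx/error.log`, but the same comparison replaces nginx with Caddy (modules/proxy.nix), so those paths will not exist on the new system and, with fail2ban's default backend, a jail whose `logpath` matches no file fails to start and only logs an error — the HTTP side of this module is inert after the switch. Either drop the nginx jails or repoint them at a Caddy access log once logging is enabled in proxy.nix (e.g. `log { output file /var/log/caddy/access.log }`) together with a filter written for Caddy's JSON lines, since the stock `nginx-botsearch`/`nginx-bad-request` regexes will not match them. The `sshd` jail also hardcodes `port = "22"`; if `services.openssh.ports` is ever changed the ban action will target the wrong port, so deriving it from `config.services.openssh.ports` is safer than a literal.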


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
{ {
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
let let
settings = import ../settings.nix; settings = import ../settings.nix;


@@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }: { pkgs, ... }:
let let
livekitKeyFile = "/run/livekit.key"; livekitKeyFile = "/var/lib/livekit/livekit.key";
serverName = "atri.dad"; serverName = "atri.dad";
matrixDomain = "matrix.atri.dad"; matrixDomain = "matrix.atri.dad";
matrixRtcDomain = "matrixrtc.atri.dad"; matrixRtcDomain = "matrixrtc.atri.dad";
@@ -12,13 +12,19 @@ in
settings = { settings = {
global = { global = {
server_name = serverName; server_name = serverName;
address = [ "127.0.0.1" "::1" ]; address = [
"127.0.0.1"
"::1"
];
port = [ 6167 ]; port = [ 6167 ];
max_request_size = 104857600; max_request_size = 104857600;
allow_registration = false; allow_registration = false;
allow_encryption = true; allow_encryption = true;
allow_federation = true; allow_federation = true;
trusted_servers = [ "matrix.org" "chat.blahaj.zone" ]; trusted_servers = [
"matrix.org"
"chat.blahaj.zone"
];
ip_range_denylist = [ ip_range_denylist = [
"127.0.0.0/8" "127.0.0.0/8"
"10.0.0.0/8" "10.0.0.0/8"
@@ -33,13 +39,21 @@ in
"fc00::/7" "fc00::/7"
]; ];
zstd_compression = true;
gzip_compression = true;
brotli_compression = true;
allow_local_presence = true;
allow_incoming_presence = true;
allow_outgoing_presence = true;
well_known = { well_known = {
server = "${matrixDomain}:443"; server = "${matrixDomain}:443";
client = "https://${matrixDomain}"; client = "https://${matrixDomain}";
rtc_transports = [ rtc_transports = [
{ {
type = "livekit"; type = "livekit";
livekit_service_url = "https://${matrixRtcDomain}"; livekit_service_url = "https://${matrixDomain}/livekit/jwt";
} }
]; ];
}; };
@@ -55,9 +69,21 @@ in
rtc = { rtc = {
port_range_start = 50000; port_range_start = 50000;
port_range_end = 60000; port_range_end = 60000;
tcp_port = 7881;
use_external_ip = true; use_external_ip = true;
allow_tcp_fallback = true;
};
room.auto_create = true;
turn = {
enabled = true;
domain = matrixRtcDomain;
tls_port = 5349;
udp_port = 3478;
relay_range_start = 50000;
relay_range_end = 60000;
cert_file = "/run/credentials/livekit.service/turn-cert";
key_file = "/run/credentials/livekit.service/turn-key";
}; };
room.auto_create = false;
}; };
keyFile = livekitKeyFile; keyFile = livekitKeyFile;
}; };
@@ -70,22 +96,49 @@ in
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName; systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName;
systemd.services.livekit.serviceConfig.LoadCredential = [
"turn-cert:/var/lib/acme/${matrixRtcDomain}/fullchain.pem"
"turn-key:/var/lib/acme/${matrixRtcDomain}/key.pem"
];
systemd.services.livekit.after = [ "acme-${matrixRtcDomain}.service" ];
systemd.services.livekit.requires = [ "acme-${matrixRtcDomain}.service" ];
systemd.services.livekit-key = { systemd.services.livekit-key = {
before = [ "lk-jwt-service.service" "livekit.service" ]; before = [
"lk-jwt-service.service"
"livekit.service"
];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ livekit coreutils gawk ]; path = with pkgs; [
livekit
coreutils
gawk
];
script = '' script = ''
echo "Key missing, generating key" echo "Key missing, generating key"
install -d -m 0700 "$(dirname "${livekitKeyFile}")"
install -m 0600 /dev/null "${livekitKeyFile}"
echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}" echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}"
''; '';
serviceConfig.Type = "oneshot"; serviceConfig = {
Type = "oneshot";
UMask = "0177";
};
unitConfig.ConditionPathExists = "!${livekitKeyFile}"; unitConfig.ConditionPathExists = "!${livekitKeyFile}";
}; };
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 7880 7881 ]; allowedTCPPorts = [
7880
7881
5349
];
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [ allowedUDPPortRanges = [
{ from = 50000; to = 60000; } {
from = 50000;
to = 60000;
}
]; ];
}; };
} }
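Review bot: `room.auto_create = true;` replaces the old `room.auto_create = false;`, and that flag is what gives `LIVEKIT_FULL_ACCESS_HOMESERVERS` its teeth: lk-jwt-service hands room-create grants only to users of the listed homeserver, but when LiveKit auto-creates a room on first join a join-only token from any federated user can still bring a new room into existence, so this flip appears to undo the restriction — please confirm against the lk-jwt-service guidance before keeping it. Separately, `allowedTCPPorts` still lists 7880 even though Caddy proxies LiveKit's HTTP/WS port from `[::1]`; if livekit binds all interfaces this exposes the signalling API in plaintext beside the TLS front end, and if it binds loopback only the rule is dead weight, so drop it and keep 7881 (ICE TCP fallback) plus 5349/3478 (TURN). The new key script writes a root-owned 0600 file into a 0700 `/var/lib/livekit`, which is only readable by livekit and lk-jwt-service if they load it via `LoadCredential` or run as root — a comment stating which applies would save the next reader from a `DynamicUser` permission surprise.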


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
let let
settings = import ../settings.nix; settings = import ../settings.nix;
@@ -7,10 +7,4 @@ in
networking.hostName = settings.hostname; networking.hostName = settings.hostname;
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
allowedUDPPorts = [ ];
};
} }
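Review bot: Deleting this block removed the only explicit `allowedTCPPorts` entry for 22; the new side now relies on `services.openssh.openFirewall` (default `true`), which lives in a module not visible in this diff, while fail2ban.nix still hardcodes `port = "22"` for its sshd jail. Leave a comment where the block was, e.g. `# Firewall stays enabled (NixOS default). 80/443 and the stream ports are opened in proxy.nix, the RTC ports in matrix.nix, and 22 via services.openssh.openFirewall.`, so the next reader neither assumes SSH is closed nor re-adds a parallel rule set here.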

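--- a/modules/nginx.nix
+++ /dev/null
@@ -1,435 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-serverName = "atri.dad";
-matrixDomain = "matrix.atri.dad";
-wellKnownServer = builtins.toJSON {
-"m.server" = "${matrixDomain}:443";
-};
-wellKnownClient = builtins.toJSON {
-"m.homeserver" = {
-base_url = "https://${matrixDomain}";
-};
-};
-in
-{
-security.acme = {
-acceptTerms = true;
-defaults.email = "me@atri.dad";
-};
-services.nginx = {
-enable = true;
-recommendedGzipSettings = true;
-recommendedOptimisation = true;
-recommendedProxySettings = true;
-recommendedTlsSettings = true;
-# Fuck AI
-clientMaxBodySize = "3g";
-commonHttpConfig = ''
-more_clear_headers Server;
-more_clear_headers X-Powered-By;
-map $http_user_agent $fuckai {
-default 0;
-"~*GPTBot" 1;
-"~*ChatGPT-User" 1;
-"~*OAI-SearchBot" 1;
-"~*ChatGPT-Browser" 1;
-"~*ClaudeBot" 1;
-"~*Claude-Web" 1;
-"~*anthropic-ai" 1;
-"~*Anthropic-Claude" 1;
-"~*xAI-Bot" 1;
-"~*DeepseekBot" 1;
-"~*Google-Extended" 1;
-"~*Gemini-Ai" 1;
-"~*Gemini-Deep-Research" 1;
-"~*Google-CloudVertexBot" 1;
-"~*Google-NotebookLM" 1;
-"~*GoogleAgent-Mariner" 1;
-"~*Bard-Ai" 1;
-"~*FacebookBot" 1;
-"~*Meta-ExternalAgent" 1;
-"~*meta-webindexer" 1;
-"~*Applebot-Extended" 1;
-"~*bingbot" 1;
-"~*CCBot" 1;
-"~*PerplexityBot" 1;
-"~*Perplexity-User" 1;
-"~*Bytespider" 1;
-"~*Diffbot" 1;
-"~*Amazonbot" 1;
-"~*cohere-ai" 1;
-"~*Cohere-Command" 1;
-"~*YouBot" 1;
-"~*Omgilibot" 1;
-"~*ImagesiftBot" 1;
-"~*AI2Bot" 1;
-"~*Andibot" 1;
-"~*bigsur.ai" 1;
-"~*Brightbot" 1;
-"~*TerraCotta" 1;
-"~*Character-AI" 1;
-"~*Devin" 1;
-"~*Crawlspace" 1;
-"~*DuckAssistBot" 1;
-"~*FirecrawlAgent" 1;
-"~*Groq-Bot" 1;
-"~*HuggingFace-Bot" 1;
-"~*IbouBot" 1;
-"~*MistralAI-User" 1;
-"~*Replicate-Bot" 1;
-"~*RunPod-Bot" 1;
-"~*TimpiBot" 1;
-"~*Together-Bot" 1;
-"~*Kangaroo Bot" 1;
-"~*PanguBot" 1;
-"~*Cotoyogi" 1;
-"~*Webzio-Extended" 1;
-}
-'';
-# Stream Hosts
-streamConfig = ''
-# Port 69
-server {
-listen 69;
-listen 69 udp;
-proxy_pass lloyd.tadpole-pain.ts.net:69;
-}
-# Port 420
-server {
-listen 420;
-listen 420 udp;
-proxy_pass lloyd.tadpole-pain.ts.net:420;
-}
-# Minecraft / Game Ports
-server {
-listen 25565;
-listen 25565 udp;
-proxy_pass lloyd.tadpole-pain.ts.net:25565;
-}
-server {
-listen 25566;
-listen 25566 udp;
-proxy_pass lloyd.tadpole-pain.ts.net:25566;
-}
-server {
-listen 25567;
-listen 25567 udp;
-proxy_pass lloyd.tadpole-pain.ts.net:25567;
-}
-'';
-# Proxy Hosts
-virtualHosts = {
-# atri.dad hosts
-"atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:3000";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-locations."= /.well-known/matrix/server" = {
-extraConfig = ''
-default_type application/json;
-return 200 '${wellKnownServer}';
-'';
-};
-locations."= /.well-known/matrix/client" = {
-extraConfig = ''
-default_type application/json;
-add_header Access-Control-Allow-Origin "*";
-return 200 '${wellKnownClient}';
-'';
-};
-};
-"analytics.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30060";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"archive.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30288";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"ascently.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:8838";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"bsky.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:31173";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"chef.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30111";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"democlimb.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:8008";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"fedi.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:8181";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"gist.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:1227";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"git.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30010";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"links.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30243";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"media.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30013";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"memos.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30311";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"mermaid.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:8280";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"msrc.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:3311";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"n8n.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30109";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"ocr.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30070";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"openclimb.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:1337";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"photos.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30041";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"pods.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:8828";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"requests.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30042";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"ripkyle.org" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:4321";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"s3.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30188";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"search.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30053";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"sync.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:20910";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"travel.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30251";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"travelapi.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30250";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"vault.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:30032";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"matrix.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://[::1]:6167";
-proxyWebsockets = true;
-extraConfig = ''
-client_max_body_size 100M;
-'';
-};
-};
-"matrixrtc.atri.dad" = {
-enableACME = true;
-forceSSL = true;
-locations."~ ^(/sfu/get|/healthz)" = {
-priority = 400;
-proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}";
-extraConfig = ''
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-'';
-};
-locations."/" = {
-proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}";
-proxyWebsockets = true;
-extraConfig = ''
-proxy_send_timeout 120;
-proxy_read_timeout 120;
-proxy_buffering off;
-proxy_set_header Accept-Encoding gzip;
-'';
-};
-};
-"atash.dev" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:6969";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-"chronus.atash.dev" = {
-enableACME = true;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://lloyd.tadpole-pain.ts.net:7337";
-extraConfig = "if ($fuckai) { return 444; }";
-};
-};
-};
-};
-# Open Ports
-networking.firewall.allowedTCPPorts = [ 80 443 69 420 25565 25566 25567 ];
-networking.firewall.allowedUDPPorts = [ 69 420 25565 25566 25567 ];
-}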

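--- /dev/null
+++ b/modules/proxy.nix
@@ -0,0 +1,213 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+let
+atriDotDad = "atri.dad";
+atashDotDev = "atash.dev";
+matrixDomain = "matrix.${atriDotDad}";
+matrixRtcDomain = "matrixrtc.${atriDotDad}";
+upstream = "lloyd.tadpole-pain.ts.net";
+streamPorts = [
+69
+420
+25565
+25566
+25567
+];
+wellKnownServer = builtins.toJSON {
+"m.server" = "${matrixDomain}:443";
+};
+wellKnownClient = builtins.toJSON {
+"m.homeserver" = {
+base_url = "https://${matrixDomain}";
+};
+"org.matrix.msc4143.rtc_foci" = [
+{
+type = "livekit";
+livekit_service_url = "https://${matrixDomain}/livekit/jwt";
+}
+];
+};
+mkProxy = port: config_preset: ''
+import ${config_preset}
+reverse_proxy http://${upstream}:${toString port}
+'';
+mkSocatService =
+port: proto:
+lib.nameValuePair "socat-${proto}-${toString port}" {
+description = "Socat ${proto} proxy for port ${toString port}";
+after = [
+"network-online.target"
+"tailscaled.service"
+];
+wants = [ "network-online.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+ExecStart = "${pkgs.socat}/bin/socat ${lib.toUpper proto}-LISTEN:${toString port},fork,reuseaddr ${lib.toUpper proto}:${upstream}:${toString port}";
+Restart = "on-failure";
+RestartSec = "5s";
+DynamicUser = true;
+AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+};
+};
+in
+{
+services.caddy = {
+enable = true;
+email = "me@${atriDotDad}";
+package = pkgs.caddy.withPlugins {
+plugins = [ "pkg.jsn.cam/caddy-defender@v0.10.0" ];
+hash = "sha256-DpCaOp9pXV3sdMz1hh/1SQ7ww7Fo4aAgLvFyQFgIJdI=";
+};
+extraConfig = ''
+(common_config) {
+encode zstd gzip
+defender garbage {
+ranges openai deepseek aliyun azurepubliccloud aws gcloud githubcopilot mistral oci vultr digitalocean linode cloudflare
+}
+header {
+Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+X-Content-Type-Options "nosniff"
+X-Frame-Options "DENY"
+Referrer-Policy "strict-origin-when-cross-origin"
+Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.atri.dad https://*.atash.dev; font-src 'self' data:; connect-src 'self' wss: https://*.atri.dad https://*.atash.dev; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
+-Server
+-alt-svc
+}
+}
+(relaxed_config) {
+encode zstd gzip
+header {
+Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+X-Content-Type-Options "nosniff"
+X-Frame-Options "DENY"
+Referrer-Policy "strict-origin-when-cross-origin"
+Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' wss: https://*.atri.dad https://*.atash.dev; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
+-Server
+-alt-svc
+}
+}
+${atriDotDad} {
+import common_config
+handle /.well-known/matrix/server {
+header Content-Type application/json
+header X-Content-Type-Options nosniff
+respond `${wellKnownServer}` 200
+}
+handle /.well-known/matrix/client {
+header Content-Type application/json
+header Access-Control-Allow-Origin "*"
+header Vary Origin
+header X-Content-Type-Options nosniff
+respond `${wellKnownClient}` 200
+}
+handle {
+reverse_proxy http://${upstream}:3000
+}
+}
+analytics.${atriDotDad} { ${mkProxy 30060 "common_config"} }
+ascently.${atriDotDad} { ${mkProxy 8838 "common_config"} }
+chef.${atriDotDad} { ${mkProxy 30111 "common_config"} }
+democlimb.${atriDotDad} { ${mkProxy 8008 "common_config"} }
+fedi.${atriDotDad} { ${mkProxy 8181 "common_config"} }
+gist.${atriDotDad} { ${mkProxy 1227 "common_config"} }
+git.${atriDotDad} { ${mkProxy 30010 "common_config"} }
+links.${atriDotDad} { ${mkProxy 30243 "common_config"} }
+memos.${atriDotDad} { ${mkProxy 30311 "common_config"} }
+mermaid.${atriDotDad} { ${mkProxy 8280 "relaxed_config"} }
+msrc.${atriDotDad} { ${mkProxy 3311 "common_config"} }
+openclimb.${atriDotDad} { ${mkProxy 1337 "common_config"} }
+photos.${atriDotDad} { ${mkProxy 30041 "common_config"} }
+abs.${atriDotDad} { ${mkProxy 30067 "common_config"} }
+s3.${atriDotDad} { ${mkProxy 30188 "common_config"} }
+search.${atriDotDad} { ${mkProxy 30053 "relaxed_config"} }
+vault.${atriDotDad} { ${mkProxy 30032 "common_config"} }
+vids.${atriDotDad} { ${mkProxy 31008 "common_config"} }
+music.${atriDotDad} { ${mkProxy 30043 "common_config"} }
+books.${atriDotDad} { ${mkProxy 31067 "common_config"} }
+tv.${atriDotDad} { ${mkProxy 30013 "common_config"} }
+ripkyle.org { ${mkProxy 4321 "common_config"} }
+${atashDotDev} { ${mkProxy 6969 "common_config"} }
+chronus.${atashDotDev} { ${mkProxy 7337 "common_config"} }
+${matrixDomain} {
+request_body {
+max_size 1GB
+}
+handle_path /livekit/jwt/* {
+@allowed path /sfu/get /get_token /healthz
+handle @allowed {
+reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port}
+}
+handle {
+respond 404
+}
+}
+handle {
+reverse_proxy http://[::1]:6167
+}
+}
+${matrixRtcDomain} {
+handle /.well-known/acme-challenge/* {
+root * /var/lib/acme/acme-challenge
+file_server
+}
+handle {
+reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} {
+flush_interval -1
+}
+}
+}
+'';
+};
+systemd.services = lib.listToAttrs (
+(map (port: mkSocatService port "tcp") streamPorts)
+++ (map (port: mkSocatService port "udp") streamPorts)
+);
+networking.firewall = {
+allowedTCPPorts = [
+80
+443
+]
+++ streamPorts;
+allowedUDPPorts = streamPorts;
+};
+security.acme = {
+acceptTerms = true;
+defaults.email = "me@${atriDotDad}";
+certs."${matrixRtcDomain}" = {
+webroot = "/var/lib/acme/acme-challenge";
+};
+};
+}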
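Review bot: `common_config` applies a single `Content-Security-Policy` containing `'unsafe-inline' 'unsafe-eval'` to two dozen unrelated upstreams; a policy that permissive blocks almost no script injection, and because Caddy's `header` directive sets the field immediately, an upstream that already sends a tighter CSP (password manager, forge, etc.) gets it either overridden or delivered alongside this one, in which case browsers enforce the intersection and the app may break — use `header ?Content-Security-Policy ...` so the blanket value only fills in for apps that send none, or set CSP per site. `${matrixRtcDomain}` is also issued a certificate twice: Caddy obtains one automatically for the site block, and `security.acme.certs` obtains a second via the webroot for livekit's TURN listener; this works but doubles ACME rate-limit usage and leaves two renewal paths to watch, so a comment stating why livekit reads its own ACME cert rather than Caddy's would help the next maintainer. Finally, `Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` is sent for every host including the apexes `ripkyle.org` and `${atashDotDev}`; preload submission is effectively irreversible, so confirm it is intended for each registrable domain.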


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
{ {
services.openssh = { services.openssh = {


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
let let
settings = import ../settings.nix; settings = import ../settings.nix;
@@ -8,10 +8,14 @@ in
isNormalUser = true; isNormalUser = true;
description = settings.userDescription; description = settings.userDescription;
extraGroups = settings.userGroups; extraGroups = settings.userGroups;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" ]; openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC"
];
}; };
users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" ]; users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC"
];
security.sudo.execWheelOnly = true; security.sudo.execWheelOnly = true;
} }
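Review bot: The reformatted lists still authorize the identical ed25519 key for both the wheel user and `root`, so the `security.sudo.execWheelOnly` setting and the per-user audit trail it implies are bypassable by anyone holding that key simply by logging in as root; NixOS's default `PermitRootLogin prohibit-password` permits exactly that, and the openssh module's settings are not visible in this diff. If the deploy workflow needs root over SSH, give it a dedicated key restricted with `from=` / `command=` options (or run `nixos-rebuild` through the wheel user and sudo) and remove the shared key from `users.users.root.openssh.authorizedKeys.keys`.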