53 Commits

a4998e18d1 Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 36s
2026-03-08 16:27:48 -06:00
a3e879c64d Added VPN
All checks were successful
Deploy NixOS / deploy (push) Successful in 36s
2026-03-08 16:19:10 -06:00
19ffeac19f Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 44s
2026-03-08 15:37:34 -06:00
2fae693f1e Added coder
All checks were successful
Deploy NixOS / deploy (push) Successful in 40s
2026-03-08 13:42:46 -06:00
13798f00f1 NVM
All checks were successful
Deploy NixOS / deploy (push) Successful in 1m0s
2026-03-08 12:32:12 -06:00
e56a4ddb4b Added anubis (testing)
Some checks failed
Deploy NixOS / deploy (push) Failing after 35s
2026-03-08 12:20:10 -06:00
2a077bad21 Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 29s
2026-03-08 01:04:00 -07:00
af561f95c0 Tweaked some URLs
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-07 17:12:07 -07:00
17f49d28ed Update proxy.nix 2026-03-07 17:11:00 -07:00
f7b36ea02f Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 37s
2026-03-07 00:40:42 -07:00
ef59d3b6ca Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 34s
2026-03-06 18:25:47 -07:00
8dfc55fcdb Oops broke gitea
All checks were successful
Deploy NixOS / deploy (push) Successful in 38s
2026-03-06 18:22:52 -07:00
49dd32fda4 Add this in again.
All checks were successful
Deploy NixOS / deploy (push) Successful in 36s
2026-03-06 18:20:39 -07:00
19bfa69daa Ok this makes a lot more sense and is cleaner now that we have defender.
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-03-06 18:19:37 -07:00
b0a95d5a45 Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-06 18:11:30 -07:00
2b5ec9f2f1 Oops
Some checks failed
Deploy NixOS / deploy (push) Has been cancelled
2026-03-06 18:11:09 -07:00
21774d2865 Welp
Some checks failed
Deploy NixOS / deploy (push) Failing after 37s
2026-03-06 18:08:59 -07:00
440952520f Update proxy.nix 2026-03-06 18:01:12 -07:00
bae346af19 Ugh... I guess I do want to be on google. 2026-03-06 17:59:19 -07:00
1382a2e6ec Update proxy.nix
Some checks failed
Deploy NixOS / deploy (push) Failing after 31s
2026-03-06 17:53:53 -07:00
82bbf7aafd Fix for matrix
All checks were successful
Deploy NixOS / deploy (push) Successful in 48s
2026-03-06 17:41:31 -07:00
629d4d34aa Update proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 39s
2026-03-06 17:10:45 -07:00
f4e35a4c96 Update proxy.nix
Some checks failed
Deploy NixOS / deploy (push) Has been cancelled
2026-03-06 17:07:58 -07:00
c46f6064e9 Oops
Some checks failed
Deploy NixOS / deploy (push) Failing after 1m6s
2026-03-06 17:05:58 -07:00
75f075fc7d This plugin seems cool
Some checks failed
Deploy NixOS / deploy (push) Failing after 38s
2026-03-06 17:03:32 -07:00
b561101d80 Even better
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-03-06 16:52:51 -07:00
cc6460c078 This is much funnier
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-06 16:50:02 -07:00
a66dfd2392 This time for sure
All checks were successful
Deploy NixOS / deploy (push) Successful in 37s
2026-03-06 16:47:24 -07:00
0bc2cadd1c Maybe this will work
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-03-06 16:43:29 -07:00
e0bfd89594 Add some additional config
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-03-06 16:16:00 -07:00
0862b8d9a0 Update modules/proxy.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 43s
2026-03-06 16:09:44 -07:00
f246bad660 Update modules/proxy.nix
Some checks failed
Deploy NixOS / deploy (push) Failing after 29s
2026-03-06 16:08:03 -07:00
bdaa68a797 Try caddy
All checks were successful
Deploy NixOS / deploy (push) Successful in 17s
2026-03-06 15:58:03 -07:00
cf0cd34ceb Oops
All checks were successful
Deploy NixOS / deploy (push) Successful in 46s
2026-03-06 13:57:47 -07:00
1bff640204 Deps
All checks were successful
Deploy NixOS / deploy (push) Successful in 21s
2026-03-05 16:30:32 -07:00
e48aeea6cb Fixed a number of security vulns 2026-03-05 16:30:30 -07:00
e018174401 Update Makefile 2026-03-05 16:30:29 -07:00
10f8ca41a4 Update modules/nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-02 10:25:34 -07:00
d919430891 Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 35s
2026-03-01 23:10:56 -07:00
59ccf5984e Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 34s
2026-03-01 23:00:21 -07:00
99fd1e6356 Update flake.lock
All checks were successful
Deploy NixOS / deploy (push) Successful in 1m8s
2026-03-01 01:00:34 -07:00
149547b8db Update nginx.nix 2026-03-01 00:11:41 -07:00
5004580b0d Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 39s
2026-02-27 09:52:19 -07:00
aa1c065f4a Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 20s
2026-02-26 16:12:03 -07:00
4cd9596dca Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 37s
2026-02-26 15:53:33 -07:00
39f1441bca Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 37s
2026-02-26 15:21:57 -07:00
43759316a0 Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 1m24s
2026-02-26 13:37:17 -07:00
4147bd3c4a Deps
All checks were successful
Deploy NixOS / deploy (push) Successful in 15s
2026-02-24 15:07:00 -07:00
8a8df0e9f5 Fixed a bunch of warnings now that I have a working linter
All checks were successful
Deploy NixOS / deploy (push) Successful in 33s
2026-02-23 14:52:59 -07:00
eef3cb387c Update nginx.nix
All checks were successful
Deploy NixOS / deploy (push) Successful in 42s
2026-02-22 16:45:48 -07:00
3195fb0968 Updated pods port
All checks were successful
Deploy NixOS / deploy (push) Successful in 30s
2026-02-22 15:08:41 -07:00
bdf7644b9d Add update to makefile
All checks were successful
Deploy NixOS / deploy (push) Successful in 21s
2026-02-19 09:57:34 -07:00
527a73ac52 Updated nixpkgs
Some checks failed
Deploy NixOS / deploy (push) Has been cancelled
2026-02-19 09:56:51 -07:00
14 changed files with 305 additions and 310 deletions


@@ -1,4 +1,10 @@
.PHONY: lock .PHONY: lock update build
build:
sudo nixos-rebuild switch --flake .#haschel
lock: lock:
nix flake lock nix flake lock
update:
nix flake update


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { pkgs, ... }:
{ {
imports = [ imports = [
@@ -9,12 +9,15 @@
./modules/users.nix ./modules/users.nix
./modules/hardware.nix ./modules/hardware.nix
./modules/services.nix ./modules/services.nix
./modules/nginx.nix ./modules/proxy.nix
./modules/matrix.nix ./modules/matrix.nix
./modules/fail2ban.nix ./modules/fail2ban.nix
]; ];
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [
"nix-command"
"flakes"
];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git

flake.lock generated

@@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1771008912, "lastModified": 1772773019,
"narHash": "sha256-gf2AmWVTs8lEq7z/3ZAsgnZDhWIckkb+ZnAo5RzSxJg=", "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a82ccc39b39b621151d6732718e3e250109076fa", "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
"type": "github" "type": "github"
}, },
"original": { "original": {


@@ -1,28 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { lib, modulesPath, ... }:
{ {
imports = imports = [
[ (modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/7a81e9fe-a727-4979-b63f-209ec593bd1d"; device = "/dev/disk/by-uuid/7a81e9fe-a727-4979-b63f-209ec593bd1d";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/FFAB-FF4F"; device = "/dev/disk/by-uuid/FFAB-FF4F";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [
}; "fmask=0022"
"dmask=0022"
];
};
swapDevices = [ ]; swapDevices = [ ];


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { pkgs, ... }:
{ {
boot.loader.grub = { boot.loader.grub = {


@@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { ... }:
{ {
services.fail2ban = { services.fail2ban = {


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
{ {
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
let let
settings = import ../settings.nix; settings = import ../settings.nix;


@@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }: { pkgs, ... }:
let let
livekitKeyFile = "/run/livekit.key"; livekitKeyFile = "/var/lib/livekit/livekit.key";
serverName = "atri.dad"; serverName = "atri.dad";
matrixDomain = "matrix.atri.dad"; matrixDomain = "matrix.atri.dad";
matrixRtcDomain = "matrixrtc.atri.dad"; matrixRtcDomain = "matrixrtc.atri.dad";
@@ -12,13 +12,19 @@ in
settings = { settings = {
global = { global = {
server_name = serverName; server_name = serverName;
address = [ "127.0.0.1" "::1" ]; address = [
"127.0.0.1"
"::1"
];
port = [ 6167 ]; port = [ 6167 ];
max_request_size = 104857600; max_request_size = 104857600;
allow_registration = false; allow_registration = false;
allow_encryption = true; allow_encryption = true;
allow_federation = true; allow_federation = true;
trusted_servers = [ "matrix.org" "chat.blahaj.zone" ]; trusted_servers = [
"matrix.org"
"chat.blahaj.zone"
];
ip_range_denylist = [ ip_range_denylist = [
"127.0.0.0/8" "127.0.0.0/8"
"10.0.0.0/8" "10.0.0.0/8"
@@ -98,22 +104,41 @@ in
systemd.services.livekit.requires = [ "acme-${matrixRtcDomain}.service" ]; systemd.services.livekit.requires = [ "acme-${matrixRtcDomain}.service" ];
systemd.services.livekit-key = { systemd.services.livekit-key = {
before = [ "lk-jwt-service.service" "livekit.service" ]; before = [
"lk-jwt-service.service"
"livekit.service"
];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ livekit coreutils gawk ]; path = with pkgs; [
livekit
coreutils
gawk
];
script = '' script = ''
echo "Key missing, generating key" echo "Key missing, generating key"
install -d -m 0700 "$(dirname "${livekitKeyFile}")"
install -m 0600 /dev/null "${livekitKeyFile}"
echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}" echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}"
''; '';
serviceConfig.Type = "oneshot"; serviceConfig = {
Type = "oneshot";
UMask = "0177";
};
unitConfig.ConditionPathExists = "!${livekitKeyFile}"; unitConfig.ConditionPathExists = "!${livekitKeyFile}";
}; };
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 7880 7881 5349 ]; allowedTCPPorts = [
7880
7881
5349
];
allowedUDPPorts = [ 3478 ]; allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [ allowedUDPPortRanges = [
{ from = 50000; to = 60000; } {
from = 50000;
to = 60000;
}
]; ];
}; };
} }
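Review bot: The write on the `echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}"` line still succeeds when the command substitution fails or prints nothing, so an empty secret would be written to the key file and, because of `unitConfig.ConditionPathExists = "!${livekitKeyFile}"`, never regenerated. Capture the value first and refuse to persist an empty one: `key="$(livekit-server generate-keys | tail -1 | awk '{print $3}')"`, `[ -n "$key" ] || { echo "livekit key generation failed" >&2; exit 1; }`, `echo "lk-jwt-service: $key" > "${livekitKeyFile}"`. The added `install -d -m 0700` / `install -m 0600` lines and `UMask = "0177"` are the right tightening, but the unit sets no User, so the file is created root-owned 0600; livekit and lk-jwt-service can read it only if they also run as root or the ownership is adjusted, and their unit definitions are not visible in this hunk, so that is worth confirming.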


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
let let
settings = import ../settings.nix; settings = import ../settings.nix;
@@ -7,10 +7,4 @@ in
networking.hostName = settings.hostname; networking.hostName = settings.hostname;
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
allowedUDPPorts = [ ];
};
} }


@@ -1,264 +0,0 @@
{
config,
lib,
...
}:
let
atriDotDad = "atri.dad";
atashDotDev = "atash.dev";
matrixDomain = "matrix.${atriDotDad}";
matrixRtcDomain = "matrixrtc.${atriDotDad}";
upstream = "lloyd.tadpole-pain.ts.net";
wellKnownServer = builtins.toJSON {
"m.server" = "${matrixDomain}:443";
};
wellKnownClient = builtins.toJSON {
"m.homeserver" = {
base_url = "https://${matrixDomain}";
};
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}
];
};
mkProxy = port: {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${upstream}:${toString port}";
proxyWebsockets = true;
extraConfig = "if ($fuckai) { return 444; }";
};
};
mkStream = port: ''
server {
listen ${toString port};
listen ${toString port} udp;
proxy_pass ${upstream}:${toString port};
}
'';
in
{
security.acme = {
acceptTerms = true;
defaults.email = "me@${atriDotDad}";
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Fuck AI
clientMaxBodySize = "3g";
commonHttpConfig = ''
more_clear_headers Server;
more_clear_headers X-Powered-By;
map $http_user_agent $fuckai {
default 0;
"~*GPTBot" 1;
"~*ChatGPT-User" 1;
"~*OAI-SearchBot" 1;
"~*ChatGPT-Browser" 1;
"~*ClaudeBot" 1;
"~*Claude-Web" 1;
"~*anthropic-ai" 1;
"~*Anthropic-Claude" 1;
"~*xAI-Bot" 1;
"~*DeepseekBot" 1;
"~*Google-Extended" 1;
"~*Gemini-Ai" 1;
"~*Gemini-Deep-Research" 1;
"~*Google-CloudVertexBot" 1;
"~*Google-NotebookLM" 1;
"~*GoogleAgent-Mariner" 1;
"~*Bard-Ai" 1;
"~*FacebookBot" 1;
"~*Meta-ExternalAgent" 1;
"~*meta-webindexer" 1;
"~*Applebot-Extended" 1;
"~*bingbot" 1;
"~*CCBot" 1;
"~*PerplexityBot" 1;
"~*Perplexity-User" 1;
"~*Bytespider" 1;
"~*Diffbot" 1;
"~*Amazonbot" 1;
"~*cohere-ai" 1;
"~*Cohere-Command" 1;
"~*YouBot" 1;
"~*Omgilibot" 1;
"~*ImagesiftBot" 1;
"~*AI2Bot" 1;
"~*Andibot" 1;
"~*bigsur.ai" 1;
"~*Brightbot" 1;
"~*TerraCotta" 1;
"~*Character-AI" 1;
"~*Devin" 1;
"~*Crawlspace" 1;
"~*DuckAssistBot" 1;
"~*FirecrawlAgent" 1;
"~*Groq-Bot" 1;
"~*HuggingFace-Bot" 1;
"~*IbouBot" 1;
"~*MistralAI-User" 1;
"~*Replicate-Bot" 1;
"~*RunPod-Bot" 1;
"~*TimpiBot" 1;
"~*Together-Bot" 1;
"~*Kangaroo Bot" 1;
"~*PanguBot" 1;
"~*Cotoyogi" 1;
"~*Webzio-Extended" 1;
}
'';
streamConfig = lib.concatStrings (
map mkStream [
69
420
25565
25566
25567
]
);
virtualHosts = {
"${atriDotDad}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${upstream}:3000";
extraConfig = "if ($fuckai) { return 444; }";
};
locations."= /.well-known/matrix/server" = {
extraConfig = ''
default_type application/json;
return 200 '${wellKnownServer}';
'';
};
locations."= /.well-known/matrix/client" = {
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
return 200 '${wellKnownClient}';
'';
};
};
"analytics.${atriDotDad}" = mkProxy 30060;
"archive.${atriDotDad}" = mkProxy 30288;
"ascently.${atriDotDad}" = mkProxy 8838;
"bsky.${atriDotDad}" = mkProxy 31173;
"chef.${atriDotDad}" = mkProxy 30111;
"democlimb.${atriDotDad}" = mkProxy 8008;
"fedi.${atriDotDad}" = mkProxy 8181;
"gist.${atriDotDad}" = mkProxy 1227;
"git.${atriDotDad}" = mkProxy 30010;
"links.${atriDotDad}" = mkProxy 30243;
"memos.${atriDotDad}" = mkProxy 30311;
"mermaid.${atriDotDad}" = mkProxy 8280;
"msrc.${atriDotDad}" = mkProxy 3311;
"n8n.${atriDotDad}" = mkProxy 30109;
"ocr.${atriDotDad}" = mkProxy 30070;
"openclimb.${atriDotDad}" = mkProxy 1337;
"photos.${atriDotDad}" = mkProxy 30041;
"pods.${atriDotDad}" = mkProxy 8828;
"requests.${atriDotDad}" = mkProxy 30042;
"s3.${atriDotDad}" = mkProxy 30188;
"search.${atriDotDad}" = mkProxy 30053;
"sync.${atriDotDad}" = mkProxy 20910;
"travel.${atriDotDad}" = mkProxy 30251;
"travelapi.${atriDotDad}" = mkProxy 30250;
"vault.${atriDotDad}" = mkProxy 30032;
"media.${atriDotDad}" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
client_max_body_size 0;
'';
locations."/" = {
proxyPass = "http://${upstream}:30013";
proxyWebsockets = true;
extraConfig = ''
if ($fuckai) { return 444; }
proxy_buffering off;
proxy_request_buffering off;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
send_timeout 86400s;
'';
};
};
"${matrixDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://[::1]:6167";
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 100M;
'';
};
locations."^~ /livekit/jwt/" = {
priority = 400;
proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
};
};
"${matrixRtcDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}";
proxyWebsockets = true;
extraConfig = ''
proxy_send_timeout 120;
proxy_read_timeout 120;
proxy_buffering off;
proxy_set_header Accept-Encoding gzip;
'';
};
};
"ripkyle.org" = mkProxy 4321;
"${atashDotDev}" = mkProxy 6969;
"chronus.${atashDotDev}" = mkProxy 7337;
};
};
networking.firewall.allowedTCPPorts = [
80
443
69
420
25565
25566
25567
];
networking.firewall.allowedUDPPorts = [
69
420
25565
25566
25567
];
}

modules/proxy.nix Normal file

@@ -0,0 +1,218 @@
{
config,
lib,
pkgs,
...
}:
let
atriDotDad = "atri.dad";
atashDotDev = "atash.dev";
matrixDomain = "matrix.${atriDotDad}";
matrixRtcDomain = "matrixrtc.${atriDotDad}";
upstream = "lloyd.tadpole-pain.ts.net";
streamPorts = [
69
420
25565
25566
25567
30058
51820
];
wellKnownServer = builtins.toJSON {
"m.server" = "${matrixDomain}:443";
};
wellKnownClient = builtins.toJSON {
"m.homeserver" = {
base_url = "https://${matrixDomain}";
};
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${matrixDomain}/livekit/jwt";
}
];
};
mkProxy = port: config_preset: ''
import ${config_preset}
reverse_proxy http://${upstream}:${toString port}
'';
mkSocatService =
port: proto:
lib.nameValuePair "socat-${proto}-${toString port}" {
description = "Socat ${proto} proxy for port ${toString port}";
after = [
"network-online.target"
"tailscaled.service"
];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.socat}/bin/socat ${lib.toUpper proto}-LISTEN:${toString port},fork,reuseaddr ${lib.toUpper proto}:${upstream}:${toString port}";
Restart = "on-failure";
RestartSec = "5s";
DynamicUser = true;
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
};
in
{
services.caddy = {
enable = true;
email = "me@${atriDotDad}";
package = pkgs.caddy.withPlugins {
plugins = [ "pkg.jsn.cam/caddy-defender@v0.10.0" ];
hash = "sha256-DpCaOp9pXV3sdMz1hh/1SQ7ww7Fo4aAgLvFyQFgIJdI=";
};
extraConfig = ''
(strict_config) {
encode zstd gzip
defender garbage {
ranges openai deepseek aliyun azurepubliccloud aws gcloud githubcopilot mistral oci vultr digitalocean linode cloudflare
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
X-Robots-Tag "noimageindex, noodp, noydir, nofollow"
Referrer-Policy "strict-origin-when-cross-origin"
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.atri.dad https://*.atash.dev; font-src 'self' data:; connect-src 'self' wss: https://*.atri.dad https://*.atash.dev; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
-Server
-alt-svc
}
}
(relaxed_config) {
encode zstd gzip
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
X-Robots-Tag "noimageindex, noodp, noydir, nofollow"
Referrer-Policy "strict-origin-when-cross-origin"
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' wss: https://*.atri.dad https://*.atash.dev; media-src 'self' https://rogers-hls.leanstream.co; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
-Server
-alt-svc
}
}
${atriDotDad} {
import strict_config
handle /.well-known/matrix/server {
header Content-Type application/json
header X-Content-Type-Options nosniff
respond `${wellKnownServer}` 200
}
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin "*"
header Vary Origin
header X-Content-Type-Options nosniff
respond `${wellKnownClient}` 200
}
handle {
reverse_proxy http://${upstream}:3000
}
}
analytics.${atriDotDad} { ${mkProxy 30060 "strict_config"} }
ascently.${atriDotDad} { ${mkProxy 8838 "strict_config"} }
chef.${atriDotDad} { ${mkProxy 30111 "strict_config"} }
democlimb.${atriDotDad} { ${mkProxy 8008 "strict_config"} }
fedi.${atriDotDad} { ${mkProxy 8181 "strict_config"} }
gist.${atriDotDad} { ${mkProxy 1227 "strict_config"} }
git.${atriDotDad} { ${mkProxy 30010 "strict_config"} }
links.${atriDotDad} { ${mkProxy 30243 "strict_config"} }
memos.${atriDotDad} { ${mkProxy 30311 "strict_config"} }
mermaid.${atriDotDad} { ${mkProxy 8280 "relaxed_config"} }
msrc.${atriDotDad} { ${mkProxy 3311 "strict_config"} }
openclimb.${atriDotDad} { ${mkProxy 1337 "strict_config"} }
photos.${atriDotDad} { ${mkProxy 30041 "strict_config"} }
abs.${atriDotDad} { ${mkProxy 30067 "strict_config"} }
s3.${atriDotDad} { ${mkProxy 30188 "strict_config"} }
search.${atriDotDad} { ${mkProxy 30053 "relaxed_config"} }
vault.${atriDotDad} { ${mkProxy 30032 "strict_config"} }
vids.${atriDotDad} { ${mkProxy 31008 "strict_config"} }
music.${atriDotDad} { ${mkProxy 30043 "strict_config"} }
books.${atriDotDad} { ${mkProxy 31067 "strict_config"} }
tv.${atriDotDad} { ${mkProxy 30013 "strict_config"} }
vpn.${atriDotDad} { ${mkProxy 30058 "strict_config"} }
ripkyle.org { ${mkProxy 4321 "strict_config"} }
${atashDotDev} { ${mkProxy 6969 "strict_config"} }
chronus.${atashDotDev} { ${mkProxy 7337 "strict_config"} }
${matrixDomain} {
request_body {
max_size 1GB
}
handle_path /livekit/jwt/* {
@allowed path /sfu/get /get_token /healthz
handle @allowed {
reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port}
}
handle {
respond 404
}
}
handle {
reverse_proxy http://[::1]:6167
}
}
${matrixRtcDomain} {
handle /.well-known/acme-challenge/* {
root * /var/lib/acme/acme-challenge
file_server
}
handle {
reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} {
flush_interval -1
}
}
}
'';
};
systemd.services = lib.listToAttrs (
(map (port: mkSocatService port "tcp") streamPorts)
++ (map (port: mkSocatService port "udp") streamPorts)
);
networking.firewall = {
allowedTCPPorts = [
80
443
]
++ streamPorts;
allowedUDPPorts = streamPorts;
};
security.acme = {
acceptTerms = true;
defaults.email = "me@${atriDotDad}";
certs."${matrixRtcDomain}" = {
webroot = "/var/lib/acme/acme-challenge";
};
};
}
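Review bot: The `networking.firewall.allowedTCPPorts` block at the end of this file opens only 80, 443 and `streamPorts`, whereas the block this compare removes elsewhere (`allowedTCPPorts = [ 22 80 443 ];`) also listed 22; SSH stays reachable only while `services.openssh.openFirewall` is left at its default of true, which the truncated services.nix hunk does not show, so either confirm that or add 22 here explicitly. Separately, every unit built by `mkSocatService` is granted `CAP_NET_BIND_SERVICE` although only 69 and 420 of the `streamPorts` are privileged, and beyond `DynamicUser` the units carry no sandboxing, which a fork-per-connection relay listening on the public interface deserves; a hardened `serviceConfig` is sketched below. Also worth a comment in the file: each entry of `streamPorts` is relayed and opened on both TCP and UDP, and the matrix site's `request_body { max_size 1GB }` exceeds the homeserver's `max_request_size = 104857600` in matrix.nix, so bodies between 100 MiB and 1 GB are passed upstream only to be refused.
```nix
    serviceConfig = {
      # … unchanged: ExecStart, Restart, RestartSec, DynamicUser …
      # bind privilege only where the listen port actually needs it
      AmbientCapabilities = lib.optional (port < 1024) "CAP_NET_BIND_SERVICE";
      CapabilityBoundingSet = lib.optional (port < 1024) "CAP_NET_BIND_SERVICE";
      NoNewPrivileges = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
    };
```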


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
{ {
services.openssh = { services.openssh = {


@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
let let
settings = import ../settings.nix; settings = import ../settings.nix;
@@ -8,10 +8,14 @@ in
isNormalUser = true; isNormalUser = true;
description = settings.userDescription; description = settings.userDescription;
extraGroups = settings.userGroups; extraGroups = settings.userGroups;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" ]; openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC"
];
}; };
users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" ]; users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC"
];
security.sudo.execWheelOnly = true; security.sudo.execWheelOnly = true;
} }