Refactors + firefox + shell helper script

Moved each virtualhost related to a service into that service file.
Set up firefox syncserver.
Moved to using home-manager to fully manage firefox profiles.
Moved waybar into its own folder.
Moved NUR into sources. Stopped using sources for arc's scream package,
and so on.
This commit is contained in:
kat witch 2021-02-26 05:32:24 +00:00
parent 8c076ecd2f
commit 567cb12a13
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
21 changed files with 398 additions and 68 deletions


@ -15,6 +15,7 @@ in {
"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
"nixpkgs-unstable=${sources.nixpkgs-unstable}"
"nixpkgs-mozilla=${sources.nixpkgs-mozilla}"
"NUR=${sources.NUR}"
"arc=${sources.arc-nixexprs}"
];
gc.automatic = lib.mkDefault true;


@ -12,4 +12,14 @@ in {
domain = "https://vault.kittywit.ch";
};
};
services.nginx.virtualHosts."vault.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:4000";
"/notifications/hub".proxyPass = "http://127.0.0.1:3012";
"/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:80";
};
};
}
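Review bot: The vhosts split out of the nginx module here (and in the gitea, irc and znc sections below) replace the old `// common` merge with an explicit `enableACME = true; forceSSL = true;`, but `common` is not visible on this page, so anything else it carried (extra headers, TLS settings, a `listen` override) is silently dropped; confirm those two attributes were its only contents before merging. The `/notifications/hub` location is vaultwarden's WebSocket notification port, yet it is proxied without `proxyWebsockets = true;`, while the irc section below sets it for `/weechat`; if push notifications are expected to work, `"/notifications/hub" = { proxyPass = "http://127.0.0.1:3012"; proxyWebsockets = true; };` is the usual form. The `/notifications/hub/negotiate` target on `127.0.0.1:80` is carried over unchanged, so it is not a regression of this commit, but a one-line comment on why it points back at port 80 would help the next reader.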


@ -5,7 +5,7 @@
enable = true;
jails = {
DEFAULT = ''
bantime = 3600
bantime = 1d
blocktype = DROP
logpath = /var/log/auth.log
'';
@ -80,5 +80,5 @@
'';
};
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
systemd.services.fail2ban.serviceConfig.LimitSTACK = 128 * 1024;
}
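Review bot: `bantime = 1d` (line 52) relies on fail2ban's time-abbreviation syntax, which older fail2ban releases do not parse; the packaged version is not visible here, so confirm it accepts abbreviations or use the plain seconds form `bantime = 86400`. The halving of `LimitSTACK` to `128 * 1024` on line 60 has no stated reason; a comment such as `# stack limit for fail2ban's threads; lowered from 256K after <reason>` (with the reason filled in) would save the next reader from re-deriving it.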


@ -7,4 +7,10 @@
domain = "git.kittywit.ch";
rootUrl = "https://git.kittywit.ch";
};
services.nginx.virtualHosts."git.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:3000"; };
};
}


@ -27,6 +27,7 @@ in {
}];
}];
};
services.mautrix-telegram = {
enable = true;
settings = {
@ -50,6 +51,7 @@ in {
};
environmentFile = "/etc/secrets/mautrix-telegram.env";
};
systemd.services.mx-puppet-discord = {
serviceConfig = {
Type = "simple";
@ -71,6 +73,7 @@ in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
};
systemd.services.mautrix-whatsapp = {
serviceConfig = {
Type = "simple";
@ -92,4 +95,26 @@ in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
};
services.nginx.virtualHosts."kittywit.ch" = {
locations = {
"/_matrix" = { proxyPass = "http://[::1]:8008"; };
"= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "kittywit.ch:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
"= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://kittywit.ch"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
};
}
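Review bot: The `"kittywit.ch"` vhost defined here carries no `enableACME`, `forceSSL` or `root`; it only works because NixOS merges it with the `"kittywit.ch" = { root = "/var/www/kittywitch"; } // common;` entry that remains in the nginx module further down, which is easy to miss when reading this file on its own. A comment above line 103, `# merged with the base "kittywit.ch" vhost in the nginx module, which supplies ACME/SSL and the docroot`, would make that dependency explicit. The `Access-Control-Allow-Origin *` header on the client well-known is what the Matrix spec requires for client discovery, so that part looks right.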


@ -0,0 +1,16 @@
{ config, pkgs, ... }:
{
services.firefox.syncserver = {
enable = true;
listen.port = 5001;
allowNewUsers = false;
publicUrl = "https://sync.kittywit.ch";
};
services.nginx.virtualHosts."sync.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:5001"; };
};
}
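Review bot: `allowNewUsers = false` makes the tokenserver reject any account it has not already seen, so on a first deployment the sync account must be registered (with the flag temporarily true) before this setting takes effect; a comment recording that bootstrap step, `# flip to true once to enrol the account, then back to false`, would save a confusing failed sync later. Only `listen.port` is set and the bind address is left at the module default; the nginx proxy to `127.0.0.1:5001` assumes that default is loopback-only, which is worth confirming so the backend is not also reachable directly on other interfaces. The `publicUrl` here matches the `identity.sync.tokenserver.uri` set in the new firefox module, which is the right pairing.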


@ -8,50 +8,7 @@ let
secrets = (import ../../../secrets.nix);
in {
services.nginx.virtualHosts = {
"kittywit.ch" = {
root = "/var/www/kittywitch";
locations = {
"/_matrix" = { proxyPass = "http://[::1]:8008"; };
"= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "kittywit.ch:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
"= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = { "base_url" = "https://kittywit.ch"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
} // common;
"kittywit.ch" = { root = "/var/www/kittywitch"; } // common;
"athame.kittywit.ch" = { root = "/var/www/athame"; } // common;
"vault.kittywit.ch" = {
locations = {
"/".proxyPass = "http://127.0.0.1:4000";
"/notifications/hub".proxyPass = "http://127.0.0.1:3012";
"/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:80";
};
} // common;
"git.kittywit.ch" = {
locations = { "/".proxyPass = "http://127.0.0.1:3000"; };
} // common;
"znc.kittywit.ch" = {
locations = { "/".proxyPass = "http://127.0.0.1:5000"; };
} // common;
"irc.kittywit.ch" = {
locations = {
"/" = { root = pkgs.glowing-bear; };
"^~ /weechat" = {
proxyPass = "http://127.0.0.1:9000";
proxyWebsockets = true;
};
};
} // common;
} // secrets.virtualHosts.athame;
}


@ -24,4 +24,16 @@ in {
multiuser on
acladd kat
'';
services.nginx.virtualHosts."irc.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = { root = pkgs.glowing-bear; };
"^~ /weechat" = {
proxyPass = "http://127.0.0.1:9000";
proxyWebsockets = true;
};
};
};
}


@ -17,4 +17,10 @@ in {
User = secrets.hosts.athame.znc;
};
};
services.nginx.virtualHosts."znc.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:5000"; };
};
}


@ -1,6 +1,7 @@
{ config, pkgs, lib, ... }:
{
let sources = (import ../../../nix/sources.nix);
in {
imports = [
../../services/zfs.nix
./hardware.nix
@ -51,14 +52,6 @@
modprobe -i vfio-pci
'';
# the nur is used for arc's packages, so we include it here
nixpkgs.config.packageOverrides = pkgs: {
nur = import (builtins.fetchTarball
"https://github.com/nix-community/NUR/archive/master.tar.gz") {
inherit pkgs;
};
};
# rules are for:
# * monitor ddc/ci
# * input for qemu
@ -73,7 +66,7 @@
environment.systemPackages = [
# pkgs.nur.repos.arc.packages.screenstub # for DDC/CI and input forwarding (currently disabled due to using changed source)
pkgs.nur.repos.arc.packages.scream-arc # for audio forwarding
pkgs.arc.pkgs.scream-arc # for audio forwarding
pkgs.ddcutil # for diagnostics on DDC/CI
pkgs.virt-manager # obvious reasons
pkgs.cachix # arc caching
@ -92,8 +85,7 @@
wantedBy = [ "multi-user.target" ];
description = "Scream - Audio forwarding from the VM.";
serviceConfig = {
ExecStart =
"${pkgs.nur.repos.arc.packages.scream-arc}/bin/scream -i virbr0 -o pulse";
ExecStart = "${pkgs.arc.pkgs.scream-arc}/bin/scream -i virbr0 -o pulse";
Restart = "always";
};
};
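Review bot: The commented-out line `# pkgs.nur.repos.arc.packages.screenstub` (line 256) still names the `packageOverrides` NUR attribute this commit removes, so re-enabling it would now fail to evaluate; update it to the path the scream package now uses, `# pkgs.arc.pkgs.screenstub # for DDC/CI and input forwarding`, or drop it. The new `let sources = (import ../../../nix/sources.nix);` binding is not read by anything in the visible hunks (`pkgs.arc.pkgs.scream-arc` comes from the overlay, not from `sources`); if nothing outside these hunks uses it, the binding can go. Replacing the unpinned `master.tar.gz` fetch with the niv-pinned source is the right move, since it makes the evaluated package set reproducible.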


@ -6,7 +6,6 @@
./gaming.nix
./network.nix
./sway.nix
./waybar.nix
./kitty.nix
./emacs.nix
];


@ -3,9 +3,11 @@
let
sources = import ../../../nix/sources.nix;
unstable = import sources.nixpkgs-unstable { inherit (pkgs) config; };
nur = import sources.NUR;
in {
config = lib.mkIf (lib.elem "desktop" config.meta.deploy.profiles) {
imports = [ ./firefox ];
config = lib.mkIf (lib.elem "desktop" config.meta.deploy.profiles) {
nixpkgs.config = {
mumble.speechdSupport = true;
pulseaudio = true;
@ -16,6 +18,17 @@ in {
programs.light.enable = true;
services.tumbler.enable = true;
xdg = {
portal = {
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
];
gtkUsePortal = true;
};
};
users.users.kat = {
packages = with pkgs; [
_1password
@ -67,6 +80,11 @@ in {
};
home-manager.users.kat = {
home.sessionVariables = {
MOZ_ENABLE_WAYLAND = 1;
XDG_CURRENT_DESKTOP = "sway";
XDG_SESSION_TYPE = "wayland";
};
home.file.".gnupg/gpg-agent.conf".text = ''
enable-ssh-support
@ -75,8 +93,6 @@ in {
services.nextcloud-client.enable = true;
programs.firefox = { enable = true; };
services.kdeconnect = {
enable = true;
indicator = true;
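Review bot: `nur = import sources.NUR;` (line 290) is added to this module's `let` but nothing in the visible hunks reads it, and it is bound to the unapplied function whereas the new firefox module applies it as `import sources.NUR { inherit pkgs; }`; unless some part of this file outside the hunks uses it, drop the binding so there is a single definition. `MOZ_ENABLE_WAYLAND = 1` in `home.sessionVariables` may be redundant with the `forceWayland = true` wrapper in the firefox module, which is meant to set the same variable for the wrapped binary, though keeping it is harmless for other Mozilla applications.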


@ -0,0 +1,76 @@
{ config, lib, pkgs, ... }:
let
sources = import ../../../../nix/sources.nix;
unstable = import sources.nixpkgs-unstable { inherit (pkgs) config; };
nur = import sources.NUR { inherit pkgs; };
commonSettings = {
"app.update.auto" = false;
"identity.fxaccounts.account.device.name" = config.networking.hostName;
"signon.rememberSignons" = false;
"browser.urlbar.placeholderName" = "DuckDuckGo";
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"identity.sync.tokenserver.uri" =
"https://sync.kittywit.ch/token/1.0/sync/1.5";
};
in {
home-manager.users.kat = {
programs.fish.shellAliases = {
ff-pm = "firefox --ProfileManager";
ff-main = "firefox -P main";
ff-work = "firefox -P work";
ff-lewd = "firefox -P lewd";
};
programs.firefox = {
enable = true;
extensions = with nur.repos.rycee.firefox-addons; [
auto-tab-discard
bitwarden
darkreader
decentraleyes
foxyproxy-standard
google-search-link-fix
https-everywhere
#old-reddit-redirect # made unnecessary due to tridactylrc
privacy-badger
reddit-enhancement-suite
refined-github
stylus
terms-of-service-didnt-read
tabcenter-reborn
tridactyl
ublock-origin
violentmonkey
];
profiles = {
main = {
id = 0;
isDefault = true;
settings = commonSettings // {
};
userChrome = import ./userChrome.css.nix { profile = "main"; };
};
work = {
id = 1;
settings = commonSettings // {
};
userChrome = import ./userChrome.css.nix { profile = "work"; };
};
lewd = {
id = 2;
settings = commonSettings // {
};
userChrome = import ./userChrome.css.nix { profile = "lewd"; };
};
};
package =
pkgs.wrapFirefox pkgs.firefox-unwrapped { forceWayland = true; };
};
home.file.".config/tridactyl/tridactylrc".source = ./tridactylrc;
};
}
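Review bot: This module applies `home-manager.users.kat` unconditionally, whereas the `programs.firefox` line it replaces in the desktop module sat under `config = lib.mkIf (lib.elem "desktop" config.meta.deploy.profiles)`; since `imports` cannot be gated, the profile gate is lost unless it is re-applied here, e.g. `config = lib.mkIf (lib.elem "desktop" config.meta.deploy.profiles) { home-manager.users.kat = { ... }; };`. The same happens to the waybar module further down, whose `mkIf` wrapper this commit removes. The three `settings = commonSettings // { };` blocks add nothing; `settings = commonSettings;` reads cleaner until a profile actually overrides something. `identity.sync.tokenserver.uri` matches the `publicUrl` of the new syncserver, which is the right pairing.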


@ -0,0 +1,151 @@
" bovine3dom's dogfood
" WARNING: This file defines and runs a command called fixamo_quiet. If you
" also have a malicious addon that operates on `<all_urls>` installed this
" will allow it to steal your firefox account credentials!
"
" With those credentials, an attacker can read anything in your sync account,
" publish addons to the AMO, etc, etc.
"
" Without this command a malicious addon can steal credentials from any site
" that you visit that is not in the restrictedDomains list.
"
" You should comment out the fixamo lines unless you are entirely sure that
" they are what you want.
"
" The advantage of running the command is that you can use the tridactyl
" interface on addons.mozilla.org and other restricted sites.
" Provided only as an example.
" Do not install/run without reading through as you may be surprised by some
" of the settings.
" May require the latest beta builds.
" Move this to $XDG_CONFIG_DIR/tridactyl/tridactylrc (that's
" ~/.config/tridactyl/tridactylrc to mere mortals) or ~/.tridactylrc and
" install the native messenger (:installnative in Tridactyl). Run :source to
" get it in the browser, or just restart.
"
" Binds
"
" Comment toggler for Reddit, Hacker News and Lobste.rs
bind ;c hint -Jc [class*="expand"],[class="togg"],[class="comment_folder"]
" GitHub pull request checkout command to clipboard (only works if you're a collaborator or above)
bind yp composite js document.getElementById("clone-help-step-1").textContent.replace("git checkout -b", "git checkout -B").replace("git pull ", "git fetch ") + "git reset --hard " + document.getElementById("clone-help-step-1").textContent.split(" ")[3].replace("-","/") | yank
" Git{Hub,Lab} git clone via SSH yank
bind yg composite js "git clone " + document.location.href.replace(/https?:\/\//,"git@").replace("/",":").replace(/$/,".git") | clipboard yank
" As above but execute it and open terminal in folder
bind ,g js let uri = document.location.href.replace(/https?:\/\//,"git@").replace("/",":").replace(/$/,".git"); tri.native.run("cd ~/projects; git clone " + uri + "; cd \"$(basename \"" + uri + "\" .git)\"; st")
" make d take you to the tab you were just on (I find it much less confusing)
bind d composite tab #; tabclose #
bind D tabclose
" I like wikiwand but I don't like the way it changes URLs
bindurl wikiwand.com yy composite js document.location.href.replace("wikiwand.com/en","wikipedia.org/wiki") | clipboard yank
" Make gu take you back to subreddit from comments
bindurl reddit.com gu urlparent 4
" Only hint search results on Google and DDG
bindurl www.google.com f hint -Jc #search div:not(.action-menu) > a
bindurl www.google.com F hint -Jbc #search div:not(.action-menu) > a
bindurl ^https://duckduckgo.com f hint -Jc [class=result__a]
bindurl ^https://duckduckgo.com F hint -Jbc [class=result__a]
" Allow Ctrl-a to select all in the commandline
unbind --mode=ex <C-a>
" Allow Ctrl-c to copy in the commandline
unbind --mode=ex <C-c>
" Handy multiwindow/multitasking binds
bind gd tabdetach
bind gD composite tabduplicate; tabdetach
" Make yy use canonical / short links on the 5 websites that support them
bind yy clipboard yankcanon
" Stupid workaround to let hint -; be used with composite which steals semi-colons
command hint_focus hint -;
" Open right click menu on links
bind ;C composite hint_focus; !s xdotool key Menu
"
" Misc settings
"
" set editorcmd to suckless terminal, or use the defaults on other platforms
js tri.browserBg.runtime.getPlatformInfo().then(os=>{const editorcmd = os.os=="linux" ? "st vim" : "auto"; tri.config.set("editorcmd", editorcmd)})
" set profile dir on Windows
jsb browser.runtime.getPlatformInfo().then(os=>{const profiledir = os.os=="win" ? "C:\\Users\\olie\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\gwm76nmk.default" : "auto"; tri.config.set("profiledir", profiledir)})
" Sane hinting mode
set hintfiltermode vimperator-reflow
set hintnames numeric
" Defaults to 300ms but I'm a 'move fast and close the wrong tabs' kinda chap
set hintdelay 100
" Add helper commands that Mozillians think make Firefox irredeemably
" insecure. For details, read the comment at the top of this file.
command fixamo_quiet jsb tri.excmds.setpref("privacy.resistFingerprinting.block_mozAddonManager", "true").then(tri.excmds.setpref("extensions.webextensions.restrictedDomains", '""'))
command fixamo js tri.excmds.setpref("privacy.resistFingerprinting.block_mozAddonManager", "true").then(tri.excmds.setpref("extensions.webextensions.restrictedDomains", '""').then(tri.excmds.fillcmdline_tmp(3000, "Permissions added to user.js. Please restart Firefox to make them take affect.")))
" Make Tridactyl work on more sites at the expense of some security. For
" details, read the comment at the top of this file.
fixamo_quiet
" Equivalent to `set csp clobber` before it was removed. This weakens your
" defences against cross-site-scripting attacks and other types of
" code-injection by reducing the strictness of Content Security Policy on
" every site in a couple of ways.
"
" You may not wish to run this. Mozilla strongly feels that you shouldn't.
"
" It allows Tridactyl to function on more pages, e.g. raw GitHub pages.
"
" We remove the sandbox directive
" https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
" which allows our iframe to run (and anyone else's) on any website.
"
" We weaken the style-src directive
" https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
" to allow us to theme our elements. This exposes you to 'cross site styling'
" attacks.
"
" Read https://wiki.mozilla.org/Security/CSP#Goals for more information.
jsb browser.webRequest.onHeadersReceived.addListener(tri.request.clobberCSP,{urls:["<all_urls>"],types:["main_frame"]},["blocking","responseHeaders"])
" Make quickmarks for the sane Tridactyl issue view
quickmark t https://github.com/tridactyl/tridactyl/issues?utf8=%E2%9C%93&q=sort%3Aupdated-desc+
" Inject Google Translate
" This (clearly) is remotely hosted code. Google will be sent the whole
" contents of the page you are on if you run `:translate`
" From https://github.com/jeremiahlee/page-translator
command translate js let googleTranslateCallback = document.createElement('script'); googleTranslateCallback.innerHTML = "function googleTranslateElementInit(){ new google.translate.TranslateElement(); }"; document.body.insertBefore(googleTranslateCallback, document.body.firstChild); let googleTranslateScript = document.createElement('script'); googleTranslateScript.charset="UTF-8"; googleTranslateScript.src = "https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit&tl=&sl=&hl="; document.body.insertBefore(googleTranslateScript, document.body.firstChild);
"
" URL redirects
"
" New reddit is bad
autocmd DocStart ^http(s?)://www.reddit.com js tri.excmds.urlmodify("-t", "www", "old")
" Mosquito nets won't make themselves
autocmd DocStart ^http(s?)://www.amazon.co.uk js tri.excmds.urlmodify("-t", "www", "smile")
" For syntax highlighting see https://github.com/tridactyl/vim-tridactyl
" vim: set filetype=tridactyl
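Review bot: This file is committed with `fixamo_quiet` executed (line 486) and the CSP-clobbering `webRequest` listener installed (line 506), which is exactly the configuration the file's own header warns against: `restrictedDomains` is emptied and the CSP sandbox and style-src directives are weakened on every page, while the firefox module in this commit installs seventeen extensions, several of which (the content blockers, Stylus, Violentmonkey) operate on all sites. Unless that trade-off is intended, comment out lines 486 and 506 and keep the binds; if it is intended, a short note in the Nix module saying so would stop the next reader from treating it as an accident. Lines 472 and 474 are copied from the upstream author's setup — `editorcmd` expects an `st` terminal and the Windows `profiledir` points at another user's profile path — and should be dropped or adapted to this machine. The `,g` bind on line 442 splices the page URL into a shell command via the native messenger with the `git clone` argument unquoted; quoting it the way the `basename` argument already is would be safer.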


@ -0,0 +1,15 @@
{ profile }:
''
#main-window[tabsintitlebar="true"]:not([extradragspace="true"]) #TabsToolbar > .toolbar-items {
opacity: 0;
pointer-events: none;
}
#main-window:not([tabsintitlebar="true"]) #TabsToolbar {
visibility: collapse !important;
}
#sidebar-box[sidebarcommand="tabcenter-reborn_ariasuni-sidebar-action"] #sidebar-header {
visibility: collapse;
}
''
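Review bot: The `profile` argument on line 527 is accepted but never referenced in the returned CSS, so all three profiles receive an identical `userChrome` despite being called with `{ profile = "main"; }`, `"work"` and `"lewd"`; either drop the parameter and the three argument sets in the firefox module, or reference it so per-profile styling is actually possible. A header comment, `# userChrome for tabcenter-reborn: hides the native tab strip and the sidebar header`, would also tell a reader what the three rules are for.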


@ -4,7 +4,10 @@ let
style = import ./style.nix;
secrets = import ../../../secrets.nix;
in {
imports = [ ./waybar ];
config = lib.mkIf (lib.elem "sway" config.meta.deploy.profiles) {
fonts.fonts = with pkgs; [
font-awesome
nerdfonts


@ -1,10 +1,9 @@
{ config, lib, pkgs, ... }:
let
style = import ./style.nix;
secrets = import ../../../secrets.nix;
style = import ../style.nix;
secrets = import ../../../../secrets.nix;
in {
config = lib.mkIf (lib.elem "sway" config.meta.deploy.profiles) {
home-manager.users.kat = {
programs.waybar = {
enable = true;
@ -32,9 +31,9 @@ in {
interval = 3600;
on-click = "xdg-open 'https://google.com/search?q=weather'";
exec = "nix-shell --command 'python ${
../../../scripts/weather.py
../../../../scripts/weather.py
} ${secrets.profiles.sway.city} ${secrets.profiles.sway.api_key}' ${
../../../scripts/weather.nix
../../../../scripts/weather.nix
}";
};
cpu = { format = " {usage}%"; };
@ -77,5 +76,4 @@ in {
}];
};
};
};
}


@ -1,4 +1,16 @@
{
"NUR": {
"branch": "master",
"description": "Nix User Repository: User contributed nix packages [maintainer=@Mic92]",
"homepage": "https://nur.nix-community.org/",
"owner": "nix-community",
"repo": "NUR",
"rev": "edff1588e7923d718bd0bc739f5fb1a48e28ec0a",
"sha256": "1fip7mrz60rm488d0fxrhx6hih5g6ar00id9xgs0hcrx9hv0jd4x",
"type": "tarball",
"url": "https://github.com/nix-community/NUR/archive/edff1588e7923d718bd0bc739f5fb1a48e28ec0a.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"arc-nixexprs": {
"branch": "master",
"description": "nix stuff",

nyx Executable file

@ -0,0 +1,33 @@
#!/usr/bin/env bash
set -eu
usage() {
echo example: $0 build samhain boot
}
build() {
HOST=$1
if [ $# -gt 2 ]; then
METHOD=$2
else
METHOD="switch"
fi
nix build -f . deploy.$HOST && ./result $METHOD
}
main() {
if [ $# -lt 2 ]; then
usage
else
CMD=$1
shift
if [[ $CMD == "build" ]]; then
build "$@"
fi
fi
}
main "$@"
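Review bot: `if [ $# -gt 2 ]` in `build` (line 618) is off by one: `main` shifts the command word off before calling `build "$@"`, so `nyx build samhain boot` reaches `build` with two arguments, the test is false and `METHOD` silently falls back to `switch` — the very example `usage` prints never does what it says. `METHOD=${2:-switch}` replaces the whole if/else and fixes it, and the expansions on line 623 should be quoted, `nix build -f . "deploy.$HOST" && ./result "$METHOD"`, since `set -u` does not protect against word splitting. `main` also exits 0 with no output for any command other than `build`; an `else usage; exit 1` branch on the inner `if` would make typos visible.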


@ -15,6 +15,8 @@ let
arc = import sources.arc-nixexprs { inherit pkgs; };
nur = import sources.NUR { inherit pkgs; };
linuxPackagesFor = kernel:
(pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
vendor-reset =