Refactors, konawall-py for darwin, sumireko update to Sonoma

nixos/servers/matrix-homeserver/nginx.nix

@@ -0,0 +1,23 @@
+{config, ...}: let
+  fqdn = "${config.networking.hostName}.${config.networking.domain}";
+in {
+  services.nginx = {
+    virtualHosts = {
+      "${fqdn}" = {
+        enableACME = true;
+        forceSSL = true;
+        locations = {
+          "/".extraConfig = ''
+            return 404;
+          '';
+          "/_matrix".proxyPass = "http://[::1]:8008";
+          "/_synapse".proxyPass = "http://[::1]:8008";
+        };
+        extraConfig = ''
+          http2_max_requests 100000;
+          keepalive_requests 100000;
+        '';
+      };
+    };
+  };
+}

nixos/servers/matrix-homeserver/scalpel.nix

@@ -0,0 +1,21 @@
+{
+  lib,
+  config,
+  prev,
+  ...
+}: let
+  inherit (lib.modules) mkForce;
+  start = prev.config.systemd.services.matrix-synapse.serviceConfig.ExecStart;
+  synapse_cfgfile = builtins.head (builtins.match "^.*--config-path ([^\ ]*).*$" "${start}");
+in {
+  systemd.services.matrix-synapse.serviceConfig.ExecStart = mkForce (
+    builtins.replaceStrings ["${synapse_cfgfile}"] ["${config.scalpel.trafos."homeserver.yaml".destination} "] "${start}"
+  );
+  scalpel.trafos."homeserver.yaml" = {
+    source = synapse_cfgfile;
+    matchers."MATRIX_SHARED_REGISTRATION_SECRET".secret = config.sops.secrets.matrix_shared_registration_secret.path;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+    mode = "0440";
+  };
+}

nixos/servers/matrix-homeserver/secrets.nix

@@ -0,0 +1,10 @@
+_: {
+  sops.secrets.matrix_shared_registration_secret = {
+    format = "yaml";
+    sopsFile = ./secrets.yaml;
+  };
+
+  scalpels = [
+    ./scalpel.nix
+  ];
+}

nixos/servers/matrix-homeserver/secrets.yaml

@@ -0,0 +1,43 @@
+matrix_shared_registration_secret: ENC[AES256_GCM,data:DsCqfbS2yxN7nVRevcjpfO63jBUsyQHfEfbpZpD3cBtPf+JuZ8TFPBNNQwx2NYdyty60INdr4w==,iv:pSf6VDS9bqZIq8ZqOW0v4siRbDp9EEdw7TtSSjjrC6A=,tag:V61OqmdsNzczOzf+2Y6LSA==,type:str]
+api_id: ENC[AES256_GCM,data:z1FqOKDSG1uo4BYgt2Ct9cUUy/daSgMNCnOHsdhG0ocw7eNI,iv:2cpOFO0Fcv/Y2xj/5UErbZ9qiLtn0QUWUg12Z9z/Ug4=,tag:cYEgrUM8GJ+uGNXKz4GpdQ==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaTgyQVhRZHRPTzRSNW9Y
+            SmRFVXl2TTV3RWF3QUlneDl4ZFFvS0ZHREVBCnNxUEdwRS9ObEZKNTM2dHAxRlhS
+            M0R5TithU0ViZUc0NHFHM3JrdE13V0kKLS0tIFhFZ2dZc21hL2RtNzZ0djVqUjlD
+            eWdDbGxobFlkZG1SL3UrTEJXajU3RXMK9ULFsUDHxBtzCy5tbwSFeKm18TRjX1mO
+            B1SbGXUNG1XreeRpb5n7r01njVrPpbJI3DPtjvoKquNTc2BhZHi0Xg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-29T18:54:02Z"
+    mac: ENC[AES256_GCM,data:fJdeN80RbQ3wq9udQt/XA7XlvhT+y9gR8z38t2l5P9vnyfqlxEiyfPIdFO8p01ZW3HZFVMessx2ev469LTMXcvf3Ln+L/dopSzZm7L4IRx2EvLYN2PbrZ86/AhgI/CEWyYX/xEMdwxZFR08KNBIMfu161YeDGDgPeevbRpCWkRA=,iv:kY59Y+wN2ZbGFDFOGplFzWpgW0OG+RBcTfucpZNyjq0=,tag:4vPdTfw0lEr5+fH/ACqSuQ==,type:str]
+    pgp:
+        - created_at: "2023-04-25T21:47:23Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UARAAvW2vHtvnKwV0K6b01vK/6T5SnJERlDfTKLpv3sLYlii8
+            FysxBaODgYvnR37/hf2CoWRlYFYZt7wqj811vUMkayBey9FY8nj1k0t5wyM0T1AU
+            qFz5fBCjP6tyhk2RBkWCLVfnLUvhnN7h/XIc3W/05VnIMQF39SbXIQ2gfqnI7R6V
+            keLoHXT0DBwboFVTdA9HjSFc5riEY+fadQf0PZT/xVCTCJH4yeZ/ba6pa/9yX2PU
+            UbHqnoR+M7RkQBrFn0r4nH9r3jFR0VkGri20v9IIby59wkCPVdhX7VPBRtQm0xXN
+            /EqtLMsR+U5bOPvKPM0s2BXXrTTACmsJ9AN2n70l1Sm6/5E3QoTQ7lbH5qSv/wXT
+            ZUkZmqxv3OHJIez2VHqjW6vlraPDL++H/4rsX3DBvK0BSAtr53r9KFoMwgMnMj2N
+            ucX+Sa7ZiI8vXGn3rjfj68Kc0BqzrFgpY8ZrH1RM3weGrsyAugAP4iunnqjYhxrc
+            y2Hh2NZFyRBGTCrbxAr6vJ3MJXLlyNbofPi9Bnx0clI83ksju11rZjb9yFRCLJ+/
+            oRxws+jq7t/lbMVhKaVQjY0LVLn6MCFbb5j5ulQXq9qiv1x+XuRTiPyPJksIiJDE
+            vjf7dMshIooWVNoECWfilEdVCldnYEmxEgr7gZHcTpgDjgeY3fCVvAS7SfD/BDfS
+            XgFw8C3nv2I9zHZZCI0XKFlmNU/MCBOfyK7mHv6UZtUx1YC2lw783R1uGHXZbVu4
+            iPKkytzxgOZms45CfxL3xEPTwO2lZL9GTCZ8pMbwB1jjP1bsH8nyro8vRZRuVoo=
+            =4YT5
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

nixos/servers/matrix-homeserver/synapse.nix

@@ -0,0 +1,85 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+  fqdn = "${config.networking.hostName}.${config.networking.domain}";
+in {
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "kittywit.ch";
+      max_upload_size = "512M";
+      rc_messages_per_second = mkDefault 0.1;
+      rc_message_burst_count = mkDefault 25;
+      public_baseurl = "https://${fqdn}";
+      url_preview_enabled = true;
+      enable_registration = false;
+      enable_metrics = true;
+      report_stats = false;
+      dynamic_thumbnails = true;
+      registration_shared_secret = "!!MATRIX_SHARED_REGISTRATION_SECRET!!";
+      allow_guest_access = true;
+      suppress_key_server_warning = true;
+      log_config = pkgs.writeText "nya.yaml" ''
+        version: 1
+        formatters:
+          precise:
+            format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+        filters:
+          context:
+            (): synapse.util.logcontext.LoggingContextFilter
+            request: ""
+        handlers:
+          console:
+            class: logging.StreamHandler
+            formatter: precise
+            filters: [context]
+        loggers:
+          synapse:
+            level: WARNING
+          synapse.storage.SQL:
+            # beware: increasing this to DEBUG will make synapse log sensitive
+            # information such as access tokens.
+            level: WARNING
+        root:
+          level: WARNING
+          handlers: [console]
+      '';
+      listeners = [
+        {
+          port = 8009;
+          bind_addresses = ["::1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["metrics"];
+              compress = true;
+            }
+          ];
+        }
+        {
+          port = 8008;
+          bind_addresses = ["::1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = true;
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    synapse-cleanup
+  ];
+}

nixos/servers/monica-server.nix

@@ -0,0 +1,9 @@
+_: {
+  services.monica = {
+    enable = true;
+    appURL = "https://monica.gensokyo.zone";
+    nginx = {
+      serverName = "monica.gensokyo.zone";
+    };
+  };
+}

nixos/servers/monitoring-server/grafana.nix

@@ -0,0 +1,11 @@
+_: {
+  services.grafana = {
+    enable = true;
+    settings.server = {
+      domain = "mon.kittywit.ch";
+      http_port = 2342;
+      http_addr = "127.0.0.1";
+      root_url = "https://mon.kittywit.ch/";
+    };
+  };
+}

nixos/servers/monitoring-server/nginx.nix

@@ -0,0 +1,10 @@
+{config, ...}: {
+  services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+      proxyWebsockets = true;
+    };
+  };
+}

nixos/servers/monitoring-server/prometheus.nix

@@ -0,0 +1,115 @@
+{config, ...}: {
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = ["systemd"];
+        port = 9002;
+      };
+      postgres = {
+        enable = true;
+        port = 9187;
+        runAsLocalSuperUser = true;
+        extraFlags = ["--auto-discover-databases"];
+      };
+      domain = {
+        enable = true;
+      };
+      nginx = {
+        enable = true;
+        sslVerify = false;
+      };
+    };
+    ruleFiles = [
+      ./synapse-v2.rules
+    ];
+    scrapeConfigs = [
+      {
+        job_name = "tewi-hass";
+        scrape_interval = "60s";
+        metrics_path = "/api/prometheus";
+        scheme = "https";
+        bearer_token = "!!HOME_ASSISTANT_API_TOKEN!!";
+        static_configs = [
+          {
+            targets = ["home.gensokyo.zone:443"];
+          }
+        ];
+      }
+      {
+        job_name = "${config.networking.hostName}-minecraft";
+        static_configs = [
+          {
+            targets = ["127.0.0.1:25585"];
+          }
+        ];
+      }
+      {
+        job_name = "${config.networking.hostName}";
+        static_configs = [
+          {
+            targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
+          }
+        ];
+      }
+      {
+        job_name = "${config.networking.hostName}-telegraf";
+        static_configs = [
+          {
+            targets = ["127.0.0.1:9125"];
+          }
+        ];
+      }
+      {
+        job_name = "${config.networking.hostName}-postgres";
+        static_configs = [
+          {
+            targets = ["127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}"];
+          }
+        ];
+      }
+      {
+        job_name = "${config.networking.hostName}-nginx";
+        static_configs = [
+          {
+            targets = ["127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"];
+          }
+        ];
+      }
+      {
+        job_name = "domains";
+        metrics_path = "/probe";
+        relabel_configs = [
+          {
+            source_labels = ["__address__"];
+            target_label = "__param_target";
+          }
+          {
+            target_label = "__address__";
+            replacement = "127.0.0.1:${toString config.services.prometheus.exporters.domain.port}";
+          }
+        ];
+        static_configs = [
+          {
+            targets = [
+              "dork.dev"
+              "inskip.me"
+              "gensokyo.zone"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "${config.networking.hostName}-synapse";
+        metrics_path = "/_synapse/metrics";
+        static_configs = [
+          {
+            targets = ["[::1]:8009"];
+          }
+        ];
+      }
+    ];
+  };
+}

nixos/servers/monitoring-server/scalpel.nix

@@ -0,0 +1,34 @@
+{
+  lib,
+  config,
+  prev,
+  ...
+}: let
+  inherit (lib.strings) addContextFrom;
+  inherit (lib.modules) mkForce;
+  telegraf_start = prev.config.systemd.services.telegraf.serviceConfig.ExecStart;
+  telegraf_cfgfile = builtins.head (builtins.match "^.*-config ([^\ ]*).*$" "${telegraf_start}");
+  prometheus_start = prev.config.systemd.services.prometheus.serviceConfig.ExecStart;
+  prometheus_cfgfile = builtins.head (builtins.match "^.*-config\.file=([^\ ]*).*$" "${prometheus_start}");
+in {
+  systemd.services.telegraf.serviceConfig.ExecStart = mkForce (
+    builtins.replaceStrings ["${telegraf_cfgfile}"] ["${config.scalpel.trafos."config.toml".destination} "] "${telegraf_start}"
+  );
+  scalpel.trafos."config.toml" = {
+    source = addContextFrom telegraf_start telegraf_cfgfile;
+    matchers."TELEGRAF_API_KEY".secret = config.sops.secrets.telegraf_api_key.path;
+    owner = "telegraf";
+    group = "telegraf";
+    mode = "0440";
+  };
+  systemd.services.prometheus.serviceConfig.ExecStart = mkForce (
+    builtins.replaceStrings ["${prometheus_cfgfile}"] ["${config.scalpel.trafos."prometheus.yml".destination} "] "${prometheus_start}"
+  );
+  scalpel.trafos."prometheus.yml" = {
+    source = addContextFrom prometheus_start prometheus_cfgfile;
+    matchers."HOME_ASSISTANT_API_TOKEN".secret = config.sops.secrets.home_assistant_api_key.path;
+    owner = "prometheus";
+    group = "prometheus";
+    mode = "0440";
+  };
+}

nixos/servers/monitoring-server/secrets.nix

@@ -0,0 +1,13 @@
+_: {
+  sops.secrets.telegraf_api_key = {
+    format = "yaml";
+    sopsFile = ./secrets.yaml;
+  };
+  sops.secrets.home_assistant_api_key = {
+    format = "yaml";
+    sopsFile = ./secrets.yaml;
+  };
+  scalpels = [
+    ./scalpel.nix
+  ];
+}

nixos/servers/monitoring-server/secrets.yaml

@@ -0,0 +1,43 @@
+telegraf_api_key: ENC[AES256_GCM,data:XXMLlIxtFYmURr6QuRdZFL+Z3OIm1nm8ReZq/sAML1DzFKO8U2sbdyHjXnqUWw==,iv:mMpzUrZozfcxUSpxXki64loHWtt7VwdilWTLpie01NI=,tag:a0iRgCemgDCUxKV0gMoKow==,type:str]
+home_assistant_api_key: ENC[AES256_GCM,data:+RSRYTXro9vZChEwTZNcyqFnwwDfdOEcXMbp7AAH6wo+R3+bVhTHNvUJU3q78CZkIzXquDDczvySHho28EUaKyUNXLWtmlHG99SL6qXPwZLbTpcMX+5pA//qcRHFss17LrxTXXkAuepQqWrSq8rxXEYshMsbLVo/L38jrW5y13YknLovXzUItRf4lDoX/fDhq6OD2EH1G6GoCjOUtIurzeaHMRo4nc4aO1/k1s9rAAVRBoFnFknM,iv:k2UuicBJ4UFKO6QV15ZUQ3Asur00MLT/DJzgKeZ+I8U=,tag:Wz6FPlu5CFQ3anljvGxenw==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnOTB2LzByVHU1T1pxWFZQ
+            b2JZMXEzWEY5ZjRNNnlqMW5UUmVWTk9kM2lRCjlpemIzb1FhWEE1WFNGNXZMK1Vz
+            YmRrYW91bno1alh3M0dZN3dyYUk5dWMKLS0tIDdWbFk2a2hiU0pLMitYeWZPYkkw
+            T0NKQzIzY2g3TnBoT00xa0xBUW1BNDgK/Uj+ldtdx1E+hQlKBUWo9TEPa8vmk3dZ
+            QWE6YSlY9kYjGNs+WHjnUXoO3VMmyzxNFFkrnOHLcfKQbi9p5Qrp0w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-08-12T16:28:10Z"
+    mac: ENC[AES256_GCM,data:7t9dAJPUiOD93Hyt+YLVjR/SdqIcuLi8TFP2/8gzem8Hrn97Yqx5Iow57alFcOWcb1ymhSQLIWjh5RydhlnoeLj/HbacSKxxFirFFv842mBVKqbVyfQcNozGl5D0oo0yd8gKzXQ6BaKqel7ZeOeIeY6XKAzH2RH2r8Gj1kPhkHY=,iv:bZuu+kFJcc8SDA1uShXroQcLMjUj+DTSvsbIABLddFs=,tag:bNLzxOll5UL5uFJeoq5XzA==,type:str]
+    pgp:
+        - created_at: "2023-07-29T22:10:05Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UARAApdK00AgsnRCH34W9dESFQm4ji7jjP+E4b0UDP6bEdPmX
+            KtFGSp4jZoTJYBpN2HJzeuVGPFfHUVMc8iZz/bkO120n41si0mwUQA+eNt7350sj
+            qhzjsjgYRG+iogaDI/VwEkcEtuONa3GtBjXQnXXtcI2F0e+40imXhYqezmtvjH02
+            BNkY+rTvmg6LLIVrMhJXQmT+qXg+4iP/gIbCjezjO1ah16JY18dK45dqDJd+uWSN
+            WmqHFjqEXUJ6dzXPPkOpbGUeVkAs1OCqnNB7Hl5A5r3v8d47KPhYA9Sqkocag/NQ
+            Y/LMaLS6SJrugmtbNtC7FhmPHfgOnDG+8gz3m1XgP4QWKXkuOdbqoeSlXWCFlIPi
+            px3hXdeqaHYQvDYaUJpJqnwPbpgHIb29mTaPtP4RWbvXJzoBEshS4ONcGPMmemcg
+            qi+F24h6UdIDpFCguqLdf0SY10InmGB/5XCaN6Bd7zuLAq3iel5zvAW/u8Irt37J
+            QoUlB5OwgJds2MpBwd9RJOczlO63VJzVrGDNAVD0D6KBZHRkdEWOgpv3w8DxhIpF
+            lNLz78/XYvCsjgQCV+SjeJjxtQea0JOk2Xtt7nQVCrwDKh7TIIOdT8jI2EbKDAbi
+            bJgI1NGDxfyrk79ga7qyjLN9jhCubdKRibPPzKXqNdCahN5ldFlMvL8rZeJNYtjS
+            XgGaiB/wBjAmn863D4brJOH7KqALxP/tEKc4FM4uH8fcDOpsbPcgZ6Q4nQbIVHBa
+            9bt8heM8006oeLPQM2raWM0/ETf+4rQzEwIO+Av4q2Rypnv47q1Qxbmag6Sh5Yw=
+            =wOQn
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

nixos/servers/monitoring-server/synapse-v2.rules

@@ -0,0 +1,74 @@
+groups:
+- name: synapse
+  rules:
+
+  ###
+  ### Prometheus Console Only
+  ### The following rules are only needed if you use the Prometheus Console
+  ### in contrib/prometheus/consoles/synapse.html
+  ###
+  - record: 'synapse_federation_client_sent'
+    labels:
+      type: "EDU"
+    expr: 'synapse_federation_client_sent_edus_total + 0'
+  - record: 'synapse_federation_client_sent'
+    labels:
+      type: "PDU"
+    expr: 'synapse_federation_client_sent_pdu_destinations_count_total + 0'
+  - record: 'synapse_federation_client_sent'
+    labels:
+      type: "Query"
+    expr: 'sum(synapse_federation_client_sent_queries) by (job)'
+
+  - record: 'synapse_federation_server_received'
+    labels:
+      type: "EDU"
+    expr: 'synapse_federation_server_received_edus_total + 0'
+  - record: 'synapse_federation_server_received'
+    labels:
+      type: "PDU"
+    expr: 'synapse_federation_server_received_pdus_total + 0'
+  - record: 'synapse_federation_server_received'
+    labels:
+      type: "Query"
+    expr: 'sum(synapse_federation_server_received_queries) by (job)'
+
+  - record: 'synapse_federation_transaction_queue_pending'
+    labels:
+      type: "EDU"
+    expr: 'synapse_federation_transaction_queue_pending_edus + 0'
+  - record: 'synapse_federation_transaction_queue_pending'
+    labels:
+      type: "PDU"
+    expr: 'synapse_federation_transaction_queue_pending_pdus + 0'
+  ###
+  ### End of 'Prometheus Console Only' rules block
+  ###
+
+
+  ###
+  ### Grafana Only
+  ### The following rules are only needed if you use the Grafana dashboard
+  ### in contrib/grafana/synapse.json
+  ###
+  - record: synapse_storage_events_persisted_by_source_type
+    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_type="remote"})
+    labels:
+      type: remote
+  - record: synapse_storage_events_persisted_by_source_type
+    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity="*client*",origin_type="local"})
+    labels:
+      type: local
+  - record: synapse_storage_events_persisted_by_source_type
+    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity!="*client*",origin_type="local"})
+    labels:
+      type: bridges
+
+  - record: synapse_storage_events_persisted_by_event_type
+    expr: sum without(origin_entity, origin_type) (synapse_storage_events_persisted_events_sep_total)
+
+  - record: synapse_storage_events_persisted_by_origin
+    expr: sum without(type) (synapse_storage_events_persisted_events_sep_total)
+  ###
+  ### End of 'Grafana Only' rules block
+  ###

nixos/servers/monitoring-server/telegraf.nix

@@ -0,0 +1,77 @@
+{config, ...}: {
+  users.users.telegraf = {
+    extraGroups = [
+      "nginx"
+    ];
+  };
+  systemd.services.telegraf = {
+    serviceConfig = {
+      AmbientCapabilities = [
+        "CAP_NET_RAW"
+      ];
+      CapabilityBoundingSet = [
+        "CAP_NET_RAW"
+      ];
+    };
+  };
+  services.telegraf = {
+    enable = true;
+    extraConfig = {
+      inputs = {
+        nginx = {
+          urls = [
+            "http://localhost/nginx_status"
+          ];
+          response_timeout = "5s";
+        };
+        tail = {
+          name_override = "nginxlog";
+          files = [
+            "/var/log/nginx/access.log"
+          ];
+          from_beginning = true;
+          pipe = false;
+          data_format = "grok";
+          grok_patterns = ["%{COMBINED_LOG_FORMAT}"];
+        };
+        cpu = {
+          percpu = true;
+        };
+        disk = {
+        };
+        diskio = {
+        };
+        io = {
+        };
+        net = {
+        };
+        mem = {
+        };
+        ping = {
+          interval = "60s";
+          method = "native";
+          urls = [
+            "8.8.8.8"
+            "2001:4860:4860:0:0:0:0:8888"
+          ];
+          count = 3;
+          timeout = 2.0;
+        };
+        system = {
+        };
+      };
+      outputs = {
+        prometheus_client = {
+          listen = "127.0.0.1:9125";
+        };
+        http = {
+          url = "http://localhost:${toString config.services.grafana.settings.server.http_port}/api/live/push/custom_stream_id";
+          data_format = "influx";
+          headers = {
+            Authorization = "Bearer !!TELEGRAF_API_KEY!!";
+          };
+        };
+      };
+    };
+  };
+}

nixos/servers/postgres-server.nix

@@ -0,0 +1,3 @@
+_: {
+  services.postgresql.enable = true;
+}

nixos/servers/public-directory.nix

@@ -0,0 +1,40 @@
+_: {
+  services.nginx = {
+    virtualHosts = {
+      "public.gensokyo.zone" = {
+        extraConfig = ''
+          allow 103.21.244.0/22;
+          allow 103.22.200.0/22;
+          allow 103.31.4.0/22;
+          allow 104.16.0.0/12;
+          allow 108.162.192.0/18;
+          allow 131.0.72.0/22;
+          allow 141.101.64.0/18;
+          allow 162.158.0.0/15;
+          allow 172.64.0.0/13;
+          allow 173.245.48.0/20;
+          allow 188.114.96.0/20;
+          allow 190.93.240.0/20;
+          allow 197.234.240.0/22;
+          allow 198.41.128.0/17;
+
+          # IPv6
+          allow 2400:cb00::/32;
+          allow 2405:b500::/32;
+          allow 2606:4700::/32;
+          allow 2803:f800::/32;
+          allow 2c0f:f248::/32;
+          allow 2a06:98c0::/29;
+
+          deny all;
+        '';
+        locations."/kat-is-a-cute-girl/" = {
+          alias = "/var/www/public/";
+          extraConfig = ''
+            autoindex on;
+          '';
+        };
+      };
+    };
+  };
+}

nixos/servers/vaultwarden-server/nginx.nix

@@ -0,0 +1,21 @@
+_: {
+  services.nginx.virtualHosts."vault.kittywit.ch" = {
+    enableACME = true;
+    forceSSL = true;
+    acmeRoot = null;
+    locations = {
+      "/" = {
+        proxyPass = "http://localhost:4000";
+        proxyWebsockets = true;
+      };
+      "/notifications/hub" = {
+        proxyPass = "http://localhost:3012";
+        proxyWebsockets = true;
+      };
+      "/notifications/hub/negotiate" = {
+        proxyPass = "http://localhost:4000";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

nixos/servers/vaultwarden-server/postgres.nix

@@ -0,0 +1,11 @@
+_: {
+  services.postgresql = {
+    ensureDatabases = ["bitwarden_rs"];
+    ensureUsers = [
+      {
+        name = "bitwarden_rs";
+        ensurePermissions = {"DATABASE bitwarden_rs" = "ALL PRIVILEGES";};
+      }
+    ];
+  };
+}

nixos/servers/vaultwarden-server/scalpel.nix

@@ -0,0 +1,20 @@
+_: {
+  secrets.files.vaultwarden-env = {
+    owner = "bitwarden_rs";
+    group = "bitwarden_rs";
+  };
+
+  services.vaultwarden = {
+    environmentFile = config.secrets.files.vaultwarden-env.path;
+  };
+
+  scalpel.trafos."environment_file" = {
+    source = "/etc/vaultwarden/environment_file_template";
+    matchers."VAULTWARDEN_ADMIN_TOKEN".secret = config.sops.secrets.vaultwarden_admin_token.path;
+    owner = "acme";
+    group = "acme";
+    mode = "0440";
+  };
+
+  services.vaultwarden.environmentFile = config.scalpel.trafos."environment_file".destination;
+}

nixos/servers/vaultwarden-server/secrets.yaml

@@ -0,0 +1,42 @@
+vaultwarden_admin_token: ENC[AES256_GCM,data:aA1eO9z4XLpynGmpfdSiXtjft5Nmlu/VfZSA3J8wCbLaUau0P6qHQSAqNRTTJOUjqard7bMnjC5s3sEu9waLMQ==,iv:HWU/25zBd/v3tiySjSOsFUqCTrvtetrXIGyqqvqz+sk=,tag:TgPVkgXkzGTqO6r9H9Jixg==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTkdCQ1ptaTY2cysvRlJk
+            Ylh1amlFZExzc0gxSFY1Zm5XUDRkUzl0bUNZClF1REJUbXUvQjhWa3FNanZJQXh2
+            SVlXdHRqUDdIdHZvMlNPaGxCdlJRZW8KLS0tIEJab3NZbDZqdlIwR3laeUx3N3cr
+            S0ZSYXhTNnMwRXVPa3RsS29PZEM4STgKkN4KuaiH5MnSKs2HsrZvdf6c8oYUZzDs
+            m6Cxcoasow0eY/3G65x5Rn5Klc0LXm6/kwJuHq4Og0njDBgzY0h53g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-27T00:57:18Z"
+    mac: ENC[AES256_GCM,data:8QwxkjAuISrTs8Ls0fFtQ52AhzDRJIw130Dox2c5zrdqnr3rTjZDvz+zmOjFt+gg0iC6gDrvEkYh+4+9+g3o3D3A8wdQHCpi4ia7pSiZ4palxKwHkq8XY9sgDOamYb1534QlLZk5OmpxFPLATyNfDt1+UoM2++ATkZ3t1MjL1PM=,iv:9C59fPOga2/aih1Wty1HFdZJk5T3xyIWRVuogZ6k4dM=,tag:Eh7uYYty+mkC828aJKd9iA==,type:str]
+    pgp:
+        - created_at: "2023-04-27T00:55:52Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UAQ//egTjrBCYrVLa0vQRoFDEcflSXNzAhOGHr7O2ZL3aDHLx
+            V5JNYr03u6VzpFADpram8Cdz1JrCDYicjly8MT37dNqbzddr/1eaezfbzD9itI+A
+            iNQNrIpQiqm7boznVnlw6xm1BCforU0ddyAKVbGNkDCE9XXUWwBggGRshTFSGBa0
+            wOM5haBrY7AXz1VvvhTTWh5qjEZQEwlqTvtxbpXty0P9L8jkntwE+Tgr+h7sqPXR
+            QwWgUypxbNrV+yso+rHxMof9ti1aD0m0TzpJrKVllQYdIppNCnWF6GPB640o5g4C
+            S2XgDDf64xS1j1KhezPrB1s1u6P2Cwodlf45Gaoq2Xb4KQ/n+dg23P8W6Y/baEkp
+            5jvzvJ1SoANxvspkMCKbDcQoDT1MnvIX08yZQK5NUbwMtmwjgJh1XdRAuktCAWSV
+            Cxhv+hP2STVxtZqa6ekXze4Yuw0B2U3Vu2YLtgaTCMr3sq8Cvy3Mjz6lS3H6adob
+            x4Oq8ra56ZszAChoVpfKIyYjRaZxZjBi/XdiCugLmR3P2Em8KM7447N1p+RqP+Va
+            Vm3mHAfhdIemZlySJNvIQkbQQw119Lgqbr2WzrGaYts9TVHMhzgU1Ej7z9kP1IRa
+            mBetkO92zShSS2uEAd5g58P98SLFBncN6VVDc+nOQoUTfFWAeG0HV9EYya7oVNTS
+            XgHuSXOBoj2bNJlcw1QZw68CpYoBQgzJx7lXWGKAIY8r60xJcmeY9sj623rQAATS
+            s4tiQHXMAvRpdCogniKmdgs6Z4Br82sTQOuRw9CSBlHDHn/COsvlp/Xw1bmVsJ0=
+            =CFLr
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

nixos/servers/vaultwarden-server/vaultwarden.nix

@@ -0,0 +1,20 @@
+_: {
+  users.users.vaultwarden.name = "bitwarden_rs";
+  users.groups.vaultwarden.name = "bitwarden_rs";
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    config = {
+      rocketPort = 4000;
+      websocketEnabled = true;
+      signupsAllowed = false;
+      domain = "https://vault.kittywit.ch";
+      databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
+    };
+  };
+
+  environment.etc."vaultwarden/environment_file_template".text = ''
+    ADMIN_TOKEN=!!VAULTWARDEN_ADMIN_TOKEN!!
+  '';
+}

nixos/servers/web-irc-client/nginx.nix

@@ -0,0 +1,14 @@
+_: {
+  services.nginx = {
+    virtualHosts = {
+      "irc.kittywit.ch" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://[::1]:9000";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+}

nixos/servers/web-irc-client/thelounge.nix

@@ -0,0 +1,12 @@
+_: {
+  services.thelounge = {
+    enable = true;
+    extraConfig = {
+      reverseProxy = true;
+      public = false;
+      fileUpload = {
+        enable = true;
+      };
+    };
+  };
+}

nixos/servers/web-server/acme.nix

@@ -0,0 +1,14 @@
+_: {
+  environment.etc."ssl/credentials_template".text = ''
+    CF_API_EMAIL=!!CLOUDFLARE_EMAIL!!
+    CLOUDFLARE_API_KEY=!!CLOUDFLARE_API_KEY!!
+  '';
+
+  security.acme = {
+    defaults = {
+      dnsProvider = "cloudflare";
+      email = "acme@inskip.me";
+    };
+    acceptTerms = true;
+  };
+}

nixos/servers/web-server/firewall.nix

@@ -0,0 +1,6 @@
+_: {
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}

nixos/servers/web-server/nginx.nix

@@ -0,0 +1,10 @@
+_: {
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    statusPage = true;
+  };
+}

nixos/servers/web-server/scalpel.nix

@@ -0,0 +1,12 @@
+{config, ...}: {
+  scalpel.trafos."credentials_file" = {
+    source = "/etc/ssl/credentials_template";
+    matchers."CLOUDFLARE_EMAIL".secret = config.sops.secrets.cloudflare_email.path;
+    matchers."CLOUDFLARE_API_KEY".secret = config.sops.secrets.cloudflare_api_key.path;
+    owner = "acme";
+    group = "acme";
+    mode = "0440";
+  };
+
+  security.acme.defaults.credentialsFile = config.scalpel.trafos."credentials_file".destination;
+}

nixos/servers/web-server/secrets.nix

@@ -0,0 +1,13 @@
+_: let
+  secretConfig = {
+    format = "yaml";
+    sopsFile = ./secrets.yaml;
+  };
+in {
+  sops.secrets.cloudflare_email = secretConfig;
+  sops.secrets.cloudflare_api_key = secretConfig;
+
+  scalpels = [
+    ./scalpel.nix
+  ];
+}

nixos/servers/web-server/secrets.yaml

@@ -0,0 +1,43 @@
+cloudflare_email: ENC[AES256_GCM,data:fwcHkWRqH3hEPDbFmA==,iv:He6yJHpD9oXrZSHPJKL7mnkRWm621HRj2cS6qLSn6aI=,tag:lON1D+55zSiJQljTox2JKQ==,type:str]
+cloudflare_api_key: ENC[AES256_GCM,data:kCDaXb1BPWoNVFVRjfOw4577BlIbMtsaouRT8dwNiL/JGNWH9w==,iv:rKSpeSfjIiQNFu58qjNnUtdBPIfXhIa6u7G7wqBohSg=,tag:7wnoB1MBj55okWzNISKftA==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVG5kTUFmcHdZNmtUZlFO
+            Mm9wWVV5NkdRb1hCZmNyZDU5Y3UxZ2NRSGxnCjl0QktuWHgzTk1lQW9hQUxzVzdU
+            QllDZXcvYVJVVnliQ3BCcFhIeWRGdjQKLS0tIFplZzdnMmx2RS9TbEZESHVnSHlP
+            VDM0QUcyeVBmRzdyUHNrTUVablcyY2cK4WD0mB/EvZNmagFMq1kZz8y5M9mdHxwB
+            o44D7JYE31czIpM/CJTfjsxG4NlQn//H48W60edSZPFHwIDNzjnbLA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-27T01:10:09Z"
+    mac: ENC[AES256_GCM,data:tsvbspqI3jrwWQ/728g+urvhbDTvYJ70rcW1F3w5hC0YR6n7M4oED+QXOoH437Q85A9168OvfNqoIIIq3zEq7OWhk1dtInW2EWh2j5nHz1aFkiYg7VonfktJN9ylyamuZVKkmarMc87thzZrU+Ntb2VOdYsYd0AdWtlfY1CT++4=,iv:TI7tUjAUNc6DxpPRrrEdrsWxiJP6F+BZLGaOzTyo+3I=,tag:2zbq3/rMWFNjkRoBnYgfEA==,type:str]
+    pgp:
+        - created_at: "2023-04-25T23:00:27Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UAQ//fd8bxMcv1cIrBPEc1w0LKWaQtpeRhHmVOaU+DdHvzo5L
+            ++aw+pe8Tz/+D5lfz67Aw0U3R4eBrBnjetZ5C+sjVHqrzaKEReddlk22dG0NF9JM
+            Ejepxo/G85PwWsC3cXgoBeJs2IqcWdAhtS6dH9GoiM4Wwhx0Am4JvLrvo9OJO7dR
+            ZpSGpBeC9OJGw+nkPLrwMK7dVtfx9JO5A1jdAvapGa+XwP8XxC31IhRHOH0hSwjQ
+            JQuQFOPz/MqjHb8eHuZa6GPUxjQTX5RN9RbvtRNI5h/fvQxNycQR4GETI/Y+P5Pb
+            r55+jgR8acJ8p/Z6R7uQLF5tbcHdtM2SY6ANDVgcoBoHe29hAXe6gpLzme54Wo3j
+            Cm/pt5+TS14uKGKiQjeHJ84EGUsOr+GL2Hpm1qu8VKSkznI19f3zyqcDNWQTYKJA
+            P5EGO4c4vMp2ihqnDqZC8FurKmzkFpFLgua+snNOd5rVy5kC8f8BA6lQyIdA5dOf
+            KHf1OjpfbwASr4RrHdNLKj8Z7bkJ+yQ7fmkP2z3uQjk7WveMVa+1r5GNaMk/wYUV
+            YUOl3TSZNuNaIOnqIqjTCYntbkuwliyenREB8GN1iZA8pCp/mEwa1zyvU6xP8x17
+            zPhwveevs96GgZBK4QMLJfYoUD5wCaMuXKIvUGHvM653+eL+Fk6Z1v3lo9+pPC3S
+            XAEQAzvt47ZhTvQVzWHEnBh9KlsxC6hS0vqbdIddSGXYZ7vsQMszG2r8CNGAGjJ2
+            OIq2LsKlrW1KVgrBCWrYnH6HxPi+t+TBVjgehAWZ6qiVoTkI09yNC9MarC64
+            =4AdG
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3