Compare commits
7 commits
7fb530b64e
...
9cee7f22d7
Author | SHA1 | Date | |
---|---|---|---|
chayleaf | 9cee7f22d7 | ||
chayleaf | 762e02ef3f | ||
chayleaf | c415a21fae | ||
chayleaf | 105c3dd321 | ||
chayleaf | beb834e04c | ||
chayleaf | 2b61423e72 | ||
chayleaf | b41ca57cb3 |
|
@ -298,11 +298,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715947901,
|
"lastModified": 1717670534,
|
||||||
"narHash": "sha256-nAcmnm4/PBA+E3kjtLZJy7aKmzu4Ou5dzVFAC0j9ORM=",
|
"narHash": "sha256-pzkVew3wK8RIa8tQMzU3kd8Cf+u9g1XDfNpBT+k5lyo=",
|
||||||
"owner": "chayleaf",
|
"owner": "chayleaf",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "8620504340e055daa4f81b43117e55952c8b7a87",
|
"rev": "b4313b98b86d588375cdad46f75279b7aa45bd41",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -26,6 +26,26 @@ in
|
||||||
stable = nixForNixPlugins;
|
stable = nixForNixPlugins;
|
||||||
unstable = nixForNixPlugins;
|
unstable = nixForNixPlugins;
|
||||||
};
|
};
|
||||||
|
matrix-appservice-discord = pkgs.matrix-appservice-discord.overrideAttrs (old: {
|
||||||
|
patches = (old.patches or []) ++ [
|
||||||
|
(pkgs.fetchpatch {
|
||||||
|
url = "https://github.com/matrix-org/matrix-appservice-discord/commit/eb989fa710e8db4ebc8f2ce36c6679ee6cbc1a44.patch";
|
||||||
|
hash = "sha256-GPeFDw3XujqXHJveHSsBHwHuG51vad50p55FX1Esq58=";
|
||||||
|
})
|
||||||
|
(pkgs.fetchpatch {
|
||||||
|
url = "https://github.com/matrix-org/matrix-appservice-discord/commit/a4cd5e3a6a2d544adac2a263e164671c8a9009d9.patch";
|
||||||
|
hash = "sha256-qQJ4V6/Ns2Msu8+X8JoEycuQ2Jc90TXulsuLLmPecGU=";
|
||||||
|
})
|
||||||
|
(pkgs.fetchpatch {
|
||||||
|
url = "https://github.com/matrix-org/matrix-appservice-discord/commit/fc850ba2473973e28858449ec4020380470d78b2.patch";
|
||||||
|
hash = "sha256-Lq0FWmR08wLsoq4APRTokZzb7U2po98pgyxH4UR/9/M=";
|
||||||
|
})
|
||||||
|
(pkgs.fetchpatch {
|
||||||
|
url = "https://github.com/matrix-org/matrix-appservice-discord/commit/7f3d41d86ebce057cfdc82ce3aaab64b533e8f0b.patch";
|
||||||
|
hash = "sha256-HmQ1KASZS+a78fe5yOCVXAnXLRmJUglzc6OxNJazOSk=";
|
||||||
|
})
|
||||||
|
];
|
||||||
|
});
|
||||||
# Various patches to change Nix version of existing packages so they don't error out because of nix-plugins in nix.conf
|
# Various patches to change Nix version of existing packages so they don't error out because of nix-plugins in nix.conf
|
||||||
/*nix-plugins = (pkgs.nix-plugins.override { nix = nixForNixPlugins; }).overrideAttrs (old: {
|
/*nix-plugins = (pkgs.nix-plugins.override { nix = nixForNixPlugins; }).overrideAttrs (old: {
|
||||||
version = "13.0.0";
|
version = "13.0.0";
|
||||||
|
|
File diff suppressed because it is too large
Load diff
|
@ -483,7 +483,7 @@ in {
|
||||||
{ ipv6 = true; extraArgs = [ "fwmark" wan_table "table" wan_table ]; }
|
{ ipv6 = true; extraArgs = [ "fwmark" wan_table "table" wan_table ]; }
|
||||||
# below is dnat config
|
# below is dnat config
|
||||||
] ++ builtins.concatLists (map (rule: let
|
] ++ builtins.concatLists (map (rule: let
|
||||||
table = if rule.inVpn then 0 else wan_table;
|
table = if rule.inVpn then vpn_table else wan_table;
|
||||||
forEachPort = func: port:
|
forEachPort = func: port:
|
||||||
if builtins.isInt port then [ (func port) ]
|
if builtins.isInt port then [ (func port) ]
|
||||||
else if port?set then builtins.concatLists (map (forEachPort func) port.set)
|
else if port?set then builtins.concatLists (map (forEachPort func) port.set)
|
||||||
|
@ -894,10 +894,12 @@ in {
|
||||||
# fetch vpn_ips.json and vpn_domains.json for unbound
|
# fetch vpn_ips.json and vpn_domains.json for unbound
|
||||||
script = ''
|
script = ''
|
||||||
BLACKLIST=$(${pkgs.coreutils}/bin/mktemp) || exit 1
|
BLACKLIST=$(${pkgs.coreutils}/bin/mktemp) || exit 1
|
||||||
${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v2/ips/json/" -o "$BLACKLIST" || exit 1
|
${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v3/ips/" -o "$BLACKLIST" || exit 1
|
||||||
${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_ips.json
|
${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_ips.json
|
||||||
${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v2/domains/json/" -o "$BLACKLIST" || exit 1
|
${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v3/domains/" -o "$BLACKLIST" || exit 1
|
||||||
${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_domains.json
|
${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_domains.json
|
||||||
|
${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v3/dpi/" -o "$BLACKLIST" || exit 1
|
||||||
|
${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_dpi.json
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
|
|
|
@ -37,14 +37,14 @@ def main() -> None:
|
||||||
spot.add_argument("--domain", "-d", type=str, required=True)
|
spot.add_argument("--domain", "-d", type=str, required=True)
|
||||||
spot.add_argument("--cache_file", "-c", type=str, required=True)
|
spot.add_argument("--cache_file", "-c", type=str, required=True)
|
||||||
spot.add_argument("certs", type=str, nargs="*")
|
spot.add_argument("certs", type=str, nargs="*")
|
||||||
hash = subparsers.add_parser("hash")
|
tbs = subparsers.add_parser("tbs")
|
||||||
hash.set_defaults(func=print_hash)
|
tbs.set_defaults(func=print_tbs)
|
||||||
hash.add_argument("path", type=str)
|
tbs.add_argument("path", type=str)
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
args.func(args)
|
args.func(args)
|
||||||
|
|
||||||
|
|
||||||
def print_hash(args) -> None:
|
def print_tbs(args) -> None:
|
||||||
with open(args.path, "rb") as f:
|
with open(args.path, "rb") as f:
|
||||||
print(calc_tbs(f.read()))
|
print(calc_tbs(f.read()))
|
||||||
|
|
||||||
|
|
|
@ -107,14 +107,11 @@ in {
|
||||||
# make sure only hydra has access to this file
|
# make sure only hydra has access to this file
|
||||||
# so normal nix evals don't have access to builtins
|
# so normal nix evals don't have access to builtins
|
||||||
nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";
|
nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";
|
||||||
|
# required for hydra which uses restricted mode
|
||||||
nix.settings.allowed-uris = [
|
nix.settings.allowed-uris = [
|
||||||
# required for home-manager (no idea if it's required at this point)
|
"https://git.sr.ht/"
|
||||||
"https://git.sr.ht/~rycee/nmd/"
|
"https://api.github.com/repos/"
|
||||||
# ...for the rest of the home config
|
"https://github.com/"
|
||||||
"https://api.github.com/repos/FAForever/"
|
|
||||||
"https://github.com/nix-community/nix-index-database/releases/download/"
|
|
||||||
# required for server (I suppose since nvfetcher uses fetchTarball here...)
|
|
||||||
"https://github.com/searxng/searxng/"
|
|
||||||
# for nginx CF-Connecting-IP config generation
|
# for nginx CF-Connecting-IP config generation
|
||||||
"https://www.cloudflare.com/ips-v4"
|
"https://www.cloudflare.com/ips-v4"
|
||||||
"https://www.cloudflare.com/ips-v6"
|
"https://www.cloudflare.com/ips-v6"
|
||||||
|
@ -283,7 +280,7 @@ in {
|
||||||
job_name = "local_medium_freq";
|
job_name = "local_medium_freq";
|
||||||
scrape_interval = "15m";
|
scrape_interval = "15m";
|
||||||
static_configs = [ {
|
static_configs = [ {
|
||||||
targets = [ "127.0.0.1:9548" "127.0.0.1:9198" ];
|
targets = [ "127.0.0.1:9548" "127.0.0.1:9198" "127.0.0.1:9173" ];
|
||||||
labels.machine = "server";
|
labels.machine = "server";
|
||||||
} ];
|
} ];
|
||||||
}
|
}
|
||||||
|
@ -359,6 +356,12 @@ in {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
# TODO: enable
|
||||||
|
services.matrix-appservice-discord.settings.metrics = {
|
||||||
|
enable = true;
|
||||||
|
host = "127.0.0.1";
|
||||||
|
port = 9173;
|
||||||
|
};
|
||||||
services.matrix-synapse.settings = {
|
services.matrix-synapse.settings = {
|
||||||
enable_metrics = true;
|
enable_metrics = true;
|
||||||
federation_metrics_domains = [ "matrix.org" ];
|
federation_metrics_domains = [ "matrix.org" ];
|
||||||
|
|
|
@ -36,7 +36,8 @@ in {
|
||||||
|
|
||||||
# a crude way to make some python packages available for synapse
|
# a crude way to make some python packages available for synapse
|
||||||
services.matrix-synapse.plugins = with pkgs.python3.pkgs; [ authlib ];
|
services.matrix-synapse.plugins = with pkgs.python3.pkgs; [ authlib ];
|
||||||
services.matrix-synapse.settings.password_config.enabled = false;
|
# i'm managing this manually in a stateful way
|
||||||
|
# services.matrix-synapse.settings.password_config.enabled = false;
|
||||||
systemd.services.matrix-synapse.after = [ "keycloak.service" ];
|
systemd.services.matrix-synapse.after = [ "keycloak.service" ];
|
||||||
|
|
||||||
# See also https://meta.akkoma.dev/t/390
|
# See also https://meta.akkoma.dev/t/390
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
{ config
|
{ config
|
||||||
, lib
|
, lib
|
||||||
|
, pkgs
|
||||||
, ... }:
|
, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
@ -51,12 +52,32 @@ in {
|
||||||
homeserver = "http://${lib.quoteListenAddr matrixAddr}:${toString matrixPort}/";
|
homeserver = "http://${lib.quoteListenAddr matrixAddr}:${toString matrixPort}/";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.matrix-appservice-discord = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = "/secrets/discord-bridge-token";
|
||||||
|
settings = {
|
||||||
|
auth.usePrivilegedIntents = true;
|
||||||
|
database.filename = "";
|
||||||
|
bridge = {
|
||||||
|
domain = "matrix.${cfg.domainName}";
|
||||||
|
homeserverUrl = "https://matrix.${cfg.domainName}";
|
||||||
|
enableSelfServiceBridging = true;
|
||||||
|
disablePresence = true;
|
||||||
|
disablePortalBridging = true;
|
||||||
|
disableInviteNotifications = true;
|
||||||
|
disableJoinLeaveNotifications = true;
|
||||||
|
disableRoomTopicNotifications = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.matrix-synapse = {
|
services.matrix-synapse = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraConfigFiles = [ "/var/lib/matrix-synapse/config.yaml" ];
|
extraConfigFiles = [ "/var/lib/matrix-synapse/config.yaml" ];
|
||||||
settings = {
|
settings = {
|
||||||
app_service_config_files = [
|
app_service_config_files = [
|
||||||
"/var/lib/heisenbridge/registration.yml"
|
"/var/lib/heisenbridge/registration.yml"
|
||||||
|
"/var/lib/matrix-synapse/discord-registration.yaml"
|
||||||
];
|
];
|
||||||
allow_guest_access = true;
|
allow_guest_access = true;
|
||||||
url_preview_enabled = true;
|
url_preview_enabled = true;
|
||||||
|
|
|
@ -30,5 +30,6 @@ in {
|
||||||
];
|
];
|
||||||
services.maubot.pythonPackages = with pkgs.python3.pkgs; [
|
services.maubot.pythonPackages = with pkgs.python3.pkgs; [
|
||||||
levenshtein
|
levenshtein
|
||||||
|
pillow
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue