
Temp commit

roufpup dd188f7a 4db0710c

+619 -230
+3
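--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+.direnv/
+disk.img
+result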
+10 -1
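--- a/hosts/vulpes/infra/caddy.nix
+++ b/hosts/vulpes/infra/caddy.nix
@@ -261,7 +261,8 @@
 "pds.awoo.ren" = {
 extraConfig = ''
 handle /xrpc/com.atproto.identity.resolveHandle* {
-@pup query handle=pup.awoo.ren
+@pup query handle=awoo.ren
+@snow query handle=mrsnowy.dev
 handle @pup {
 header Access-Control-Allow-Origin "*"
 header Access-Control-Allow-Headers "*"
@@ -270,6 +271,14 @@
 reverse_proxy localhost:3892
 }
 reverse_proxy 127.0.0.1:3892
+'';
+};
+"mail.pds.awoo.ren" = {
+extraConfig = ''
+basic_auth {
+mail $2a$14$pwigEqhih.kMbJrkooV8Y.iNfDT.o1vRzDOAXkWV5b.XvNasc7Wci
+}
+reverse_proxy 127.0.0.1:1026
 '';
 };
 };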
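Review bot: The `basic_auth` block added for `mail.pds.awoo.ren` puts the bcrypt hash for user `mail` directly in the repository and, through `extraConfig`, into the world-readable Nix store, so anyone who can read either can run offline guesses against it. Caddy substitutes `{$VAR}` when it loads a Caddyfile, so the line can become `mail {$MAIL_BASIC_AUTH_HASH}` with the value supplied from a secret-managed file through `services.caddy.environmentFile` (the variable name is a placeholder; sops-nix is already pinned in `npins/sources.json`). Because this hash is now in history, the password behind it is worth regenerating. The new `@snow` matcher is defined in the first hunk but only `handle @pup` is visible there, so whether it is actually used cannot be checked from this view.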
+3 -2
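--- a/hosts/vulpes/infra/dns.nix
+++ b/hosts/vulpes/infra/dns.nix
@@ -196,8 +196,9 @@
 
 pds IN A ${pm.net.ipv4.sand-archives.addr}
 pds IN AAAA ${pm.net.ipv6.sand-archives.addr}
-pup IN A ${pm.net.ipv4.sand-archives.addr}
-pup IN AAAA ${pm.net.ipv6.sand-archives.addr}
+mail.pds IN A ${pm.net.ipv4.sand-archives.addr}
+mail.pds IN AAAA ${pm.net.ipv6.sand-archives.addr}
+
 '';
 };
 };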
+1
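--- a/hosts/vulpes/infra/misc.nix
+++ b/hosts/vulpes/infra/misc.nix
@@ -61,6 +61,7 @@
 instances = {
 tranquil_pds = {
 smtp = "127.0.0.1:1025";
+listen = "127.0.0.1:1026";
 };
 };
 };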
+15
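--- a/justfile
+++ b/justfile
@@ -0,0 +1,15 @@
+fluxer_vm_build:
+nix build -f '<nixpkgs/nixos>' vm -I nixos-config=/home/roufpup/dots/vms/fluxer.nix --print-out-paths --print-build-logs --show-trace
+
+fluxer_vm_build2:
+nix build -f '<nixpkgs/nixos>' vm -I nixos-config=/home/roufpup/Documents/dots/vms/fluxer.nix --print-out-paths --print-build-logs --show-trace
+
+fluxer_vm_run:
+TMPDIR=/tmp ./result/bin/run-nixos-vm -nographic -serial mon:stdio
+
+fluxer_vm_run2:
+./result/bin/run-nixos-vm
+
+fluxer_vm: fluxer_vm_build fluxer_vm_run
+
+fluxer_vm2: fluxer_vm_build2 fluxer_vm_run2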
+403
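--- a/modules/pub/fluxer.nix
+++ b/modules/pub/fluxer.nix
@@ -0,0 +1,403 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+let
+cfg = config.services.fluxer;
+systemd_hardenning = {
+CapabilityBoundingSet = [
+"" # empty entry forces allow-list instead of deny-list
+];
+
+# mounts entire filesystem read-only (except /dev, /proc, /sys)
+# different options="full", true, false
+ProtectSystem = "strict";
+
+# makes /home/, /root and /run/user inaccessible
+# different options="read-only", "tmpfs", false
+ProtectHome = true;
+
+# special directories for various purposes do exist, but defaulting them to something "more secure" is not universally possible.
+# RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=, ConfigurationDirectory=
+# RuntimeDirectoryMode=, StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=, ConfigurationDirectoryMode=
+
+# It might make sense to default /nix/store to ReadOnly
+# It might also make sense to default everything to NoExec except /run/wrappers/bin and /nix/store. However, doing so is quite radical.
+# ReadWritePaths=, ReadOnlyPaths=, InaccessiblePaths=, ExecPaths=, NoExecPaths=
+
+# create a private tmp directory for the process
+# different options="disconnected" (makes a tmpfs), false
+# implies a writable tmp path
+PrivateTmp = true;
+
+PrivateDevices = true; # block direct hardware access. Allows pseudo-devices like /dev/null and /dev/shm
+
+# sets a new network namespace with only loopback device
+# limits AF_UNIX and AF_NETLINK access to only services running in a joint namespace
+# implies PrivateMounts
+# PrivateNetwork = true;
+
+# PrivateIPC exists, but has various complicated implications and implicit effects
+# PrivateIPC=
+
+# PrivatePIDs exists to define process namespacing. However, it does not work with service type `Forking` and should be used with care.
+# implies MountAPIVFS=true
+# mounts /proc in a way such that only processes in the same namespace are visible
+PrivatePIDs = true;
+
+# Use user namespacing
+# WARNING=this makes the CaCapabilityBoundingSet only affect the user namespace, the service runs completely unprivileged on the host. Use with care!
+PrivateUsers = true;
+
+# protect the hostname from being changed.
+# WARNING=even though nixos uses /etc/hostname to define and change hostname, this option also prevents services from simply detecting hostname changes.
+ProtectHostname = true;
+
+# prevent modifications and state checks to the system clock.
+# implies removal of CAP_SYS_TIME and CAP_WAKE_ALARM
+# implies block clock set system calls
+# implies DeviceAllow=char-rtc r
+ProtectClock = true;
+
+# read-only=/proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs, /proc/irq
+# inaccessible=/proc/kallsyms, /proc/kcore
+# implies MountAPIVFS=true
+# Does not prevent callbacks to other processes/services (e.g. via IPC) from setting kernel tunables
+ProtectKernelTunables = true;
+
+# disable explicit kernel module loading
+# implies removal of CAP_SYS_MODULE
+# implies inaccessible /usr/lib/modules
+ProtectKernelModules = true;
+
+# dines access to kernel log ring buffer
+# implies removal of CAP_SYSLOG
+# implies inaccessible /dev/kmsg and /proc/kmsg
+ProtectKernelLogs = true;
+
+# true or strict disables write access to control group hierarchies
+# strict or private makes the unit run in a cgroup namespace with private /sys/fs/cgroup/
+# different options="private", true, false
+ProtectControlGroups = "strict";
+
+# disable specific access for socket system call
+# different options=list of AF_UNIX, AF_INET AF_INET6, AF_NETLINK, AF_PACKET
+# RestrictAddressFamilies = "none";
+
+# restrict access to namespacing
+# different options=false, [ "pid" "user" "net" "uts" "mnt" "cgroup" "ipc" ]
+# see `man namespaces` for a full list
+RestrictNamespaces = true;
+
+LockPersonality = true; # prevent service from initiating changes to its execution domain
+
+# prevent creating memory mappings that are writable and executable simultaneously
+# WARNING=breaks with JIT execution engines
+# MemoryDenyWriteExecute = true;
+
+RestrictRealtime = true; # prevent service from requesting realtime scheduling
+
+RestrictSUIDSGID = true; # prevent setting suid/guid bit on files. Does NOT prevent existing suid/sgid binaries from being executed!
+
+# PrivateMounts can be used to set mount namespaces. However, debugging issues caused by this is quite complex.
+# PrivateMounts= MountFlags=
+
+SystemCallFilter = [ "@system-service" ]; # sensible default, works for most services. Prevents e.g. "@clock", "@mount", "@swap", "@reboot"
+SystemCallErrorNumber = "EPERM"; # services violating the SystemSystemCallFilter are killed silently by default. This makes debugging easier.
+
+SystemCallArchitectures = "native"; # allow only native system calls for defined SystemCallFilters
+
+# prevents access to /proc/<pid> of other processes
+# options="noaccess", "invisible", "ptraceable", "default"
+ProtectProc = "invisible";
+
+# ProcSubset can be set to "pid" to prevent access to non-process files in /proc.
+# However, this prevents a lot of linux kernel API calls and should not be default
+# ProcSubset
+
+NoNewPrivileges = true; # prevents service process and children from gaining privileges via execve
+
+# use a dynamic user for this service instead of running as root
+# WARNING=breaks dbus
+DynamicUser = true;
+};
+in
+{
+options = {
+services.fluxer = {
+enable = lib.mkEnableOption "Enable selfhosted Fluxer";
+data_dir = lib.mkOption {
+type = lib.types.str;
+default = "/var/lib/fluxer";
+};
+user = {
+name = lib.mkOption {
+type = lib.types.str;
+default = "fluxer";
+};
+uid = lib.mkOption {
+type = lib.types.int;
+default = 3200;
+};
+};
+group = {
+name = lib.mkOption {
+type = lib.types.str;
+default = "fluxer";
+};
+gid = lib.mkOption {
+type = lib.types.int;
+default = 320;
+};
+};
+api = {
+port = lib.mkOption {
+type = lib.types.int;
+default = 8080;
+};
+media_proxy_host = lib.mkOption {
+type = lib.types.str;
+default = "127.0.0.1";
+};
+};
+};
+};
+
+config = lib.mkIf cfg.enable {
+users = {
+users = {
+"${cfg.user.name}" = {
+isSystemUser = true;
+uid = cfg.user.uid;
+group = cfg.group.name;
+home = cfg.data_dir;
+};
+};
+
+groups = {
+"${cfg.group.name}" = {
+name = cfg.group.name;
+gid = cfg.group.gid;
+members = [ "${cfg.user.name}" ];
+};
+};
+};
+
+systemd = {
+tmpfiles.rules = [
+# Home dir
+# "d ${cfg.data_dir} 0760 ${cfg.user.name} ${cfg.group.name} - -"
+];
+
+services =
+let
+# These are passed to all rust services according to the compose prod
+rust_env = [
+"FLUXER_S3_ACCESS_KEY_ID=52da2eb541a4d09ea427f2638d5d0dcd"
+"FLUXER_S3_SECRET_ACCESS_KEY=728502847641b38f27490ffde79d5d0c2c0978c68ef9c7aba7aa927c3a02d78b"
+"FLUXER_MEDIA_PROXY_SECRET_KEY=0fbd7b6a65aa972db3e71e3f48eeae37e06611d6e586706aeac96177e446e950"
+"FLUXER_ADMIN_SECRET_KEY_BASE=4372971d8a51d4d97141230577b5c33e695b27b9817c6961cb4ca9737677cf67"
+"FLUXER_ADMIN_OAUTH_CLIENT_SECRET=3f16b4b188d331be27fd4123bab720e8b63a96af6584b8f7627609f3f3fd3327"
+"FLUXER_MARKETING_SECRET_KEY_BASE=c1093dee2774ed33cbd5cdc3071f977bea68f5555d0207d2962e200097fe50c6"
+"FLUXER_MEILISEARCH_API_KEY=114153e9b71fe5643e87e6fcb249e73ddf3fc009e64a67449a4c580601d66046"
+"FLUXER_AUTH_SUDO_MODE_SECRET=ceddbb2b3ef813e2c3794801b098c359a6e7fbae1a5594b7e340681383007a70"
+"FLUXER_AUTH_CONNECTION_INITIATION_SECRET=d5ff35ceb029c549706bcce340159fcecb7eba4e060985184d835bc6479df1a4"
+"FLUXER_AUTH_BAN_VIEW_SECRET=b00d8c94857e2a964d391aeda78c2ccffa270c27dc44ef1c32d54966af087237"
+"FLUXER_EMAIL_SMTP_PASSWORD=64ea128ee6635e61896cb4ea2fc0451d"
+"FLUXER_NATS_AUTH_TOKEN=180168dea004f3cac53eff7a5c913cc22295c0607e1558260280f6beb4b2d536"
+"FLUXER_CONFIG_ENCRYPTION_KEY=b1deb0e47f47c775e1adbb5f023bf00b58ea74aab26ad3f1137d68c9d248f88d"
+"FLUXER_SETUP_WIZARD_SECRET=2bdb2540a8f82e3847e3fc391ff9016da975bd4582a3756f314a99de51a4e7a5"
+"FLUXER_VOICE_API_KEY=4fb89ff7501307991fbbd1fd3fa5350e"
+"FLUXER_VOICE_API_SECRET=41ead73a6620928143627d18fba348490faa7a00ad4b4b17180916145669b0c8"
+];
+
+# These are received by every single service based on the compose prod
+base_env = [
+"FLUXER_ENV=production"
+"FLUXER_CONFIG_SERVICE_TARGET=127.0.0.1:50071"
+"FLUXER_KV_STORE_ENDPOINTS=http://127.0.0.1:50061"
+"FLUXER_NATS_CORE_URL=nats://127.0.0.1:4222"
+"FLUXER_NATS_JETSTREAM_URL=nats://127.0.0.1:4222"
+"FLUXER_POSTGRES_URL=postgresql://fluxer@127.0.0.1:5432/fluxer"
+"FLUXER_S3_ENDPOINT=http://127.0.0.1:8333"
+"FLUXER_AUTH_TARGET=127.0.0.1:50051"
+"FLUXER_OAUTH2_GRPC_TARGET=127.0.0.1:50051"
+"FLUXER_SSO_GRPC_TARGET=127.0.0.1:50051"
+"FLUXER_SNOWFLAKE_TARGET=127.0.0.1:50052"
+"FLUXER_MEDIA_PROXY_TARGET=media_proxy:50051"
+"FLUXER_LIMIT_CONFIG_SERVICE_GRPC_TARGET=127.0.0.1:50090"
+"FLUXER_NOTIFICATION_GRPC_TARGET=127.0.0.1:50070"
+"FLUXER_CHANNEL_MESSAGE_GRPC_TARGET=127.0.0.1:50060"
+"FLUXER_UNFURLER_GRPC_TARGET=127.0.0.1:50069"
+"FLUXER_VOICE_TARGET=127.0.0.1:50064"
+"FLUXER_READ_STATE_GRPC_TARGET=127.0.0.1:50065"
+"FLUXER_DM_PERMISSIONS_GRPC_TARGET=127.0.0.1:50081"
+"FLUXER_SAFETY_GRPC_TARGET=127.0.0.1:50080"
+"FLUXER_PAYMENTS_GRPC_TARGET=127.0.0.1:50092"
+"FLUXER_SEARCH_SERVICE_GRPC_TARGET=127.0.0.1:50091"
+"FLUXER_INTERNAL_SERVICE_TOKEN=2080f93dc673b79badceb474f20cb005fcd1121ce87103a9ae5ab40c6938af10"
+];
+in
+{
+fluxer_app_ingress = {
+description = "Fluxer's app ingress";
+wantedBy = [ "multi-user.target" ];
+after = [
+"network.target"
+"fluxer_api.service"
+"fluxer_aggregate.service"
+];
+requires = [
+"fluxer_api.service"
+"fluxer_aggregate.service"
+];
+script = ''
+${pkgs.fluxer_app_ingress}/bin/fluxer_app_ingress
+'';
+serviceConfig = systemd_hardenning // {
+Type = "simple";
+Environment =
+base_env
+++ rust_env
+++ [
+"FLUXER_APP_INGRESS_ASSETS_DIR=${pkgs.fluxer_app}/assets"
+"FLUXER_CSP_FRAME_SRC=\"https://www.youtube.com/embed/,https://www.youtube.com/s/player/,https://hcaptcha.com,https://*.hcaptcha.com,https://challenges.cloudflare.com\""
+"FLUXER_CSP_IMG_SRC=\"https://i.ytimg.com,https://*.youtube.com\""
+"FLUXER_CSP_MEDIA_SRC=\"https://*.youtube.com\""
+"FLUXER_CSP_SCRIPT_SRC=\"https://hcaptcha.com,https://*.hcaptcha.com,https://challenges.cloudflare.com\""
+"FLUXER_CSP_STYLE_SRC=\"https://hcaptcha.com,https://*.hcaptcha.com\""
+"FLUXER_CSP_FONT_SRC="
+"FLUXER_CSP_CONNECT_SRC=\"https://hcaptcha.com,https://*.hcaptcha.com,https://challenges.cloudflare.com\""
+"FLUXER_CSP_WORKER_SRC="
+"FLUXER_CSP_MANIFEST_SRC="
+];
+ExecStartPre = ''
+${pkgs.bash}/bin/bash -c 'until ${pkgs.curl}/bin/curl -sf http://127.0.0.1:8081/_health; do sleep 1; done'
+'';
+};
+};
+
+fluxer_api = {
+description = "Fluxer's api";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+script = ''
+${pkgs.fluxer_api}/bin/fluxer_api
+'';
+path = with pkgs; [ bash ];
+serviceConfig = systemd_hardenning // {
+Type = "simple";
+StateDirectory = "${cfg.data_dir}";
+Environment = base_env ++ [
+# "NODE_DEBUG=*"
+"NODE_ENV=production"
+"FLUXER_API_PORT=${toString cfg.api.port}"
+"FLUXER_MEDIA_PROXY_HOST=${cfg.api.media_proxy_host}"
+];
+};
+};
+
+fluxer_api_worker = {
+description = "Fluxer's api worker";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+script = ''
+${pkgs.fluxer_api}/bin/fluxer_api_worker
+'';
+path = with pkgs; [ bash ];
+serviceConfig = systemd_hardenning // {
+Type = "simple";
+StateDirectory = "${cfg.data_dir}";
+Environment = base_env ++ [
+# "NODE_DEBUG=*"
+"NODE_ENV=production"
+"FLUXER_API_PORT=${toString cfg.api.port}"
+"FLUXER_MEDIA_PROXY_HOST=${cfg.api.media_proxy_host}"
+];
+};
+};
+
+fluxer_aggregate = {
+description = "Fluxer's aggregate";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+script = ''
+${pkgs.fluxer_aggregate}/bin/fluxer_aggregate
+'';
+serviceConfig = systemd_hardenning // {
+Type = "simple";
+StateDirectory = "${cfg.data_dir}";
+Environment =
+base_env
+++ rust_env
+++ [
+# "NODE_DEBUG=*"
+"FLUXER_AGGREGATE_SERVICE_MODE=AllInOne"
+"FLUXER_AGGREGATE_HEALTH_ADDR=0.0.0.0:8081"
+# KV store service (runs in-process)
+"FLUXER_KV_STORE_GRPC_ADDR=0.0.0.0:50061"
+"FLUXER_KV_STORE_HEALTH_ADDR=0.0.0.0:8103"
+"FLUXER_KV_STORE_RAFT_ADDR=0.0.0.0:50062"
+# Snowflake service (runs in-process, port 50052 to avoid conflict with auth)
+"FLUXER_SNOWFLAKE_GRPC_ADDR=0.0.0.0:50052"
+"FLUXER_SNOWFLAKE_HEALTH_ADDR=0.0.0.0:8101"
+"FLUXER_SNOWFLAKE_WORKER_ID='0'"
+"FLUXER_SNOWFLAKE_GRPC_TARGET=127.0.0.1:50052"
+"FLUXER_ALLOW_DEFAULT_WORKER_ID='1'"
+# Config service (runs in-process)
+"FLUXER_CONFIG_GRPC_ADDR=0.0.0.0:50071"
+"FLUXER_CONFIG_HEALTH_ADDR=0.0.0.0:8102"
+"FLUXER_MEILISEARCH_URL=http://127.0.0.1:7700"
+# Authentication service
+"FLUXER_AUTH_GRPC_ADDR=0.0.0.0:50051"
+"FLUXER_AUTH_HEALTH_ADDR=0.0.0.0:8091"
+# Notification service
+"FLUXER_NOTIFICATION_GRPC_ADDR=0.0.0.0:50070"
+"FLUXER_NOTIFICATION_HEALTH_ADDR=0.0.0.0:8092"
+# Safety service
+"FLUXER_SAFETY_GRPC_ADDR=0.0.0.0:50080"
+"FLUXER_SAFETY_HEALTH_ADDR=0.0.0.0:8098"
+"FLUXER_SAFETY_SERVICE_GRPC_TARGET=127.0.0.1:50080"
+# DM permissions service
+"FLUXER_DM_PERMISSIONS_GRPC_ADDR=0.0.0.0:50081"
+"FLUXER_DM_PERMISSIONS_HEALTH_ADDR=0.0.0.0:8093"
+# Channel service
+"FLUXER_CHANNEL_HTTP_ADDR=0.0.0.0:8001"
+"FLUXER_CHANNEL_GRPC_ADDR=0.0.0.0:50060"
+"FLUXER_CHANNEL_HEALTH_ADDR=0.0.0.0:8094"
+# Read state service
+"FLUXER_READ_STATE_HTTP_ADDR=0.0.0.0:8002"
+"FLUXER_READ_STATE_HEALTH_ADDR=0.0.0.0:8095"
+"FLUXER_READ_STATE_GRPC_ADDR=0.0.0.0:50065"
+# Streams service
+"FLUXER_STREAMS_HTTP_ADDR=0.0.0.0:8003"
+"FLUXER_STREAMS_HEALTH_ADDR=0.0.0.0:8096"
+"FLUXER_STREAMS_GRPC_ADDR=0.0.0.0:50066"
+# Unfurler service
+"FLUXER_UNFURL_GRPC_ADDR=0.0.0.0:50069"
+"FLUXER_UNFURL_HEALTH_ADDR=0.0.0.0:8097"
+# Limits service
+"FLUXER_LIMITS_GRPC_ADDR=0.0.0.0:50090"
+"FLUXER_LIMITS_HEALTH_ADDR=0.0.0.0:8099"
+# Search service
+"FLUXER_SEARCH_GRPC_ADDR=0.0.0.0:50091"
+"FLUXER_SEARCH_HEALTH_ADDR=0.0.0.0:8100"
+# Voice service (optional, enabled via ENABLE_VOICE)
+"FLUXER_VOICE_HTTP_ADDR=0.0.0.0:8004"
+"FLUXER_VOICE_HEALTH_ADDR=0.0.0.0:8104"
+"FLUXER_VOICE_GRPC_ADDR=0.0.0.0:50064"
+# Payments service
+"FLUXER_PAYMENTS_GRPC_ADDR=0.0.0.0:50092"
+"FLUXER_PAYMENTS_HEALTH_ADDR=0.0.0.0:8106"
+# NCMEC service (optional, enabled via ENABLE_NCMEC)
+"FLUXER_NCMEC_GRPC_ADDR=0.0.0.0:50063"
+"FLUXER_NCMEC_HEALTH_ADDR=0.0.0.0:8105"
+];
+};
+};
+};
+};
+};
+}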
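Review bot: `rust_env` and `base_env` embed what look like real secret values (the S3 key pair, `FLUXER_CONFIG_ENCRYPTION_KEY`, `FLUXER_INTERNAL_SERVICE_TOKEN`, the SMTP password and the rest) as string literals that flow into `Environment=`, which puts them in git history, in the world-readable unit file under /nix/store and in `systemctl show` output. Keep only the non-secret settings in `Environment` and load the others at runtime, for example `EnvironmentFile = config.sops.secrets."fluxer/env".path;` (placeholder secret name; sops-nix is already pinned in `npins/sources.json`). The values committed here should be treated as exposed and rotated before any real deployment. Related exposure in `fluxer_aggregate`: every `*_GRPC_ADDR`, `*_HTTP_ADDR` and `*_HEALTH_ADDR` binds `0.0.0.0` while `PrivateNetwork` stays commented out, although the peers in `base_env` all dial `127.0.0.1`, so binding `127.0.0.1` there would keep the internal ports off the network.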
+37 -37
npins/sources.json
··· 9 9 }, 10 10 "branch": "main", 11 11 "submodules": false, 12 - "revision": "cd7bed5b72ceeb50b862c550cc16c6f1b11a2d84", 13 - "url": "https://github.com/mrshmllow/affinity-nix/archive/cd7bed5b72ceeb50b862c550cc16c6f1b11a2d84.tar.gz", 14 - "hash": "sha256-JoXciqQCwHdIvENurNwgc6jH1e/d5xcjn9ybYNe+YQI=" 12 + "revision": "494090443b8086f14ce851ecba8463800176c1c1", 13 + "url": "https://github.com/mrshmllow/affinity-nix/archive/494090443b8086f14ce851ecba8463800176c1c1.tar.gz", 14 + "hash": "sha256-DAHcc8ghdDEX+xHPjuKf7qXSL/5G9NqP3mrq5jAKFi0=" 15 15 }, 16 16 "dune": { 17 17 "type": "Git", ··· 64 64 }, 65 65 "branch": "master", 66 66 "submodules": false, 67 - "revision": "9d3ef138f70b3540397320d25ead6aa96101371d", 68 - "url": "https://github.com/amaanq/helium-flake/archive/9d3ef138f70b3540397320d25ead6aa96101371d.tar.gz", 69 - "hash": "sha256-OxeMEMxRJ6dF3UGXVJoNRwxU/F1nOVbdcyX9n8S3Mxk=" 67 + "revision": "e90541d0904593bec70fadd6383659ec42cd610b", 68 + "url": "https://github.com/amaanq/helium-flake/archive/e90541d0904593bec70fadd6383659ec42cd610b.tar.gz", 69 + "hash": "sha256-6FDLz9ydI32uoOJa2qsPpaxQ3T0DB/7Lw/Meos6NjRo=" 70 70 }, 71 71 "helix-nix": { 72 72 "type": "Git", ··· 89 89 }, 90 90 "branch": "main", 91 91 "submodules": false, 92 - "revision": "f484cac67cfaa6329e1d1fe00be57929ae744b25", 93 - "url": "https://github.com/feel-co/hjem/archive/f484cac67cfaa6329e1d1fe00be57929ae744b25.tar.gz", 94 - "hash": "sha256-erwV+kMqRX/KhopMRq1B0MuyAGip4OkDG1nVJdW0nv8=" 92 + "revision": "d51b2e524794a61762453be5bf7b4fe259150191", 93 + "url": "https://github.com/feel-co/hjem/archive/d51b2e524794a61762453be5bf7b4fe259150191.tar.gz", 94 + "hash": "sha256-hOweDMc/uNFeliSVuNXZ4qa6WC8AbmRV8pNSAD/h4S0=" 95 95 }, 96 96 "hjem-rum": { 97 97 "type": "Git", ··· 127 127 }, 128 128 "branch": "main", 129 129 "submodules": false, 130 - "revision": "1c1d8ea87b047788fd7567adf531418c5da321ec", 131 - "url": 
"https://github.com/nix-community/nix-index-database/archive/1c1d8ea87b047788fd7567adf531418c5da321ec.tar.gz", 132 - "hash": "sha256-PMt48sEQ8cgCeljQ9I/32uoBq/8t8y+7W/nAZhf72TQ=" 130 + "revision": "55b588747fa3d7fc351a11831c4b874dab992862", 131 + "url": "https://github.com/nix-community/nix-index-database/archive/55b588747fa3d7fc351a11831c4b874dab992862.tar.gz", 132 + "hash": "sha256-gdYe9wTPl4ignDyXUl1LlICWj41+S0GB5lG1fKP17+A=" 133 133 }, 134 134 "nix-minecraft": { 135 135 "type": "Git", ··· 152 152 }, 153 153 "branch": "nixos-unstable", 154 154 "submodules": false, 155 - "revision": "9dcb002ca1690658be4a04645215baea8b95f31d", 156 - "url": "https://github.com/NixOS/nixpkgs/archive/9dcb002ca1690658be4a04645215baea8b95f31d.tar.gz", 157 - "hash": "sha256-9jVDGZnvCckTGdYT53d/EfznygLskyLQXYwJLKMPsZs=" 155 + "revision": "b40629efe5d6ec48dd1efba650c797ddbd39ace0", 156 + "url": "https://github.com/NixOS/nixpkgs/archive/b40629efe5d6ec48dd1efba650c797ddbd39ace0.tar.gz", 157 + "hash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=" 158 158 }, 159 159 "nixpkgs-master": { 160 160 "type": "Git", ··· 165 165 }, 166 166 "branch": "master", 167 167 "submodules": false, 168 - "revision": "743644663cab232c634de034f1a9f015a905ab67", 169 - "url": "https://github.com/NixOS/nixpkgs/archive/743644663cab232c634de034f1a9f015a905ab67.tar.gz", 170 - "hash": "sha256-ivls7Lgl+31Z/OxplPHYoAqYS/QTqQVaaQrjaLOyMIg=" 168 + "revision": "5150456e7f59a515b80c5ddca4f96176e3b5a95d", 169 + "url": "https://github.com/NixOS/nixpkgs/archive/5150456e7f59a515b80c5ddca4f96176e3b5a95d.tar.gz", 170 + "hash": "sha256-vBOtNu9CH9ssBAAAgJVxf66kHkT5mBNsV1gPJzk1Qco=" 171 171 }, 172 172 "nixpkgs-xr": { 173 173 "type": "Git", ··· 178 178 }, 179 179 "branch": "main", 180 180 "submodules": false, 181 - "revision": "390bd6961152a4ae1802a20f5d61bc876d3d255e", 182 - "url": "https://github.com/nix-community/nixpkgs-xr/archive/390bd6961152a4ae1802a20f5d61bc876d3d255e.tar.gz", 183 - "hash": 
"sha256-NzeoTOG8HVsn2RM/SyC9NSoK1f+rUQUTwfbB5ZvdcRE=" 181 + "revision": "fee92ac11baf9e129100c7eb489c512179d657b4", 182 + "url": "https://github.com/nix-community/nixpkgs-xr/archive/fee92ac11baf9e129100c7eb489c512179d657b4.tar.gz", 183 + "hash": "sha256-hJXqAMkRmRibAwQg0LBErmo2h1Ej5rwsNSqSLu4WBbM=" 184 184 }, 185 185 "nur": { 186 186 "type": "Git", ··· 191 191 }, 192 192 "branch": "main", 193 193 "submodules": false, 194 - "revision": "00b462568165e5be619ad76c1bde0df65266ea78", 195 - "url": "https://github.com/nix-community/NUR/archive/00b462568165e5be619ad76c1bde0df65266ea78.tar.gz", 196 - "hash": "sha256-dKafwJGBdbDhBtIYDLcX38RjACwMlnId+glJSGlONrI=" 194 + "revision": "f056738c4a176279dc993430bd4d72dbe73f1116", 195 + "url": "https://github.com/nix-community/NUR/archive/f056738c4a176279dc993430bd4d72dbe73f1116.tar.gz", 196 + "hash": "sha256-hbkhKx3KD4VAWqYchTI2Jhi7EyWa4A0o88251tutfsU=" 197 197 }, 198 198 "rust-overlay": { 199 199 "type": "Git", ··· 204 204 }, 205 205 "branch": "master", 206 206 "submodules": false, 207 - "revision": "755d3669699a7c62aef35af187d75dc2728cfd85", 208 - "url": "https://github.com/oxalica/rust-overlay/archive/755d3669699a7c62aef35af187d75dc2728cfd85.tar.gz", 209 - "hash": "sha256-wieWskQxZLPlNXX06JEB0bMoS/ZYQ89xBzF0RL9lyLs=" 207 + "revision": "6a031966eab3bfaa19be9e261eed5b8a79c04b18", 208 + "url": "https://github.com/oxalica/rust-overlay/archive/6a031966eab3bfaa19be9e261eed5b8a79c04b18.tar.gz", 209 + "hash": "sha256-SYp8NyzwfCO3Guqmu9hPRHR1hwESlQia5nNz3lYo2qA=" 210 210 }, 211 211 "sops-nix": { 212 212 "type": "Git", ··· 217 217 }, 218 218 "branch": "master", 219 219 "submodules": false, 220 - "revision": "c8e69670b316d6788e435a3aa0bda74eb1b82cc0", 221 - "url": "https://github.com/Mic92/sops-nix/archive/c8e69670b316d6788e435a3aa0bda74eb1b82cc0.tar.gz", 222 - "hash": "sha256-xTzsSd3r5HBeufSZ3fszAn0ldfKctvsYG7tT2YJg5gY=" 220 + "revision": "3e0d543e6ba6c0c48117a81614e90c6d8c425170", 221 + "url": 
"https://github.com/Mic92/sops-nix/archive/3e0d543e6ba6c0c48117a81614e90c6d8c425170.tar.gz", 222 + "hash": "sha256-zsTuloDSdKf+PrI1MsWx5z/cyGEJ8P3eERtAfdP8Bmg=" 223 223 }, 224 224 "stash": { 225 225 "type": "Git", ··· 243 243 }, 244 244 "branch": "master", 245 245 "submodules": false, 246 - "revision": "5b627fe9a35eb406ec33a6f9f4cf173b61e1b94c", 246 + "revision": "053117e52dfed49fe255b7211bda04d1d9e68bb5", 247 247 "url": null, 248 - "hash": "sha256-XZQnhky7bbNRWpbcAFxz3bX2BKtdG8asNtjlZ2X+O20=" 248 + "hash": "sha256-j+VnqtEOFo4POZJoxy9nsuQ0b6pTBLFMapdUvVbSHZ0=" 249 249 }, 250 250 "tranquil_pds": { 251 251 "type": "Git", ··· 255 255 }, 256 256 "branch": "main", 257 257 "submodules": false, 258 - "revision": "92e609d36711f7754bb8b2a1a1a7be96dfed6645", 258 + "revision": "f07bcb82f77b5f6fbe2d1db9f5b75355cb0201ec", 259 259 "url": null, 260 - "hash": "sha256-+264gZ5J1yUDzUTzSJd9qvbWBxwgTHqNlZYmW7pkKDA=" 260 + "hash": "sha256-lj+RDUlGpsndDfS372uGwMkiqdao4mmFrlA6CkpTXas=" 261 261 }, 262 262 "wire": { 263 263 "type": "Git", ··· 268 268 }, 269 269 "branch": "stable", 270 270 "submodules": false, 271 - "revision": "53dad75b2503b8d9bb09ea3fbd9d87a0ab14bcf2", 272 - "url": "https://github.com/mrshmllow/wire/archive/53dad75b2503b8d9bb09ea3fbd9d87a0ab14bcf2.tar.gz", 273 - "hash": "sha256-eIi3o3TiYFlgk831lkWilNw9vTrO26PNaNwbG2UAF60=" 271 + "revision": "5439d792ec7f876992300f10da37ff068dbafb29", 272 + "url": "https://github.com/mrshmllow/wire/archive/5439d792ec7f876992300f10da37ff068dbafb29.tar.gz", 273 + "hash": "sha256-vTO8yQsn0lCwxaXx/i4Njuv8NcENP8k5w1PKdVhT4lI=" 274 274 } 275 275 }, 276 276 "version": 7
+10
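--- a/overlays/fluxer/default.nix
+++ b/overlays/fluxer/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+let
+path = ../../packages/fluxer_selfhost;
+in
+(final: prev: {
+fluxer_api = prev.callPackage (path + /api.nix) { };
+fluxer_app = prev.callPackage (path + /app.nix) { };
+fluxer_app_ingress = prev.callPackage (path + /app_ingress.nix) { };
+fluxer_aggregate = prev.callPackage (path + /aggregate.nix) { };
+})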
packages/fluxer-selfhost/.env packages/fluxer_selfhost/.env
-56
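--- a/packages/fluxer-selfhost/admin.nix
+++ b/packages/fluxer-selfhost/admin.nix
@@ -1,56 +0,0 @@
-{
-...
-}:
-let
-pkgs = import <nixpkgs> { };
-
-in
-pkgs.stdenv.mkDerivation rec {
-pname = "fluxer_admin";
-version = "0.0.0";
-
-src = pkgs.callPackage ./prune-repo.nix {
-stdenv = pkgs.stdenv;
-turbo = pkgs.turbo;
-workspace = "fluxer_admin";
-extra_install_steps = ''
-cp -r ./tsconfigs $out/tsconfigs
-cp -r ./packages/config $out/packages/config
-'';
-};
-
-pnpmDeps = pkgs.fetchPnpmDeps {
-inherit pname version src;
-fetcherVersion = 3;
-hash = "sha256-B3VVXgKLMOxI+EXFmf62dcN3dLmg8ZNJIYSt0+XlnnI=";
-};
-
-pnpmInstallFlags = [
-"--frozen-lockfile"
-];
-
-nativeBuildInputs = with pkgs; [
-pnpm
-pnpmConfigHook
-makeWrapper
-];
-
-buildInputs = [
-
-];
-
-installPhase = ''
-runHook preInstall
-
-mkdir -p $out/bin
-mkdir -p $out/lib
-cp -r ./* $out/lib
-
-makeWrapper ${pkgs.pnpm}/bin/pnpm $out/bin/fluxer_admin \
---chdir $out/lib/fluxer_admin \
---add-flags "run start" \
---prefix PATH : ${pkgs.lib.makeBinPath (with pkgs; [ nodejs ])}
-
-runHook postInstall
-'';
-}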
packages/fluxer-selfhost/aggregate.nix packages/fluxer_selfhost/aggregate.nix
packages/fluxer-selfhost/api.nix packages/fluxer_selfhost/api.nix
+2 -4
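--- a/packages/fluxer-selfhost/app.nix
+++ b/packages/fluxer_selfhost/app.nix
@@ -69,7 +69,7 @@
 pnpmDeps = fetchPnpmDeps {
 inherit (finalAttrs) pname version src;
 fetcherVersion = 3;
-hash = "sha256-aNMhHYvnRm5J/zJEf5kFNi88+K6cgWgaOsDOiuZ0hmY=";
+hash = "sha256-1lUWLeddRB7qKh0BNchFcdICExZ6IkEFcSA4Jn40YVg=";
 };
 
 pname = "fluxer-app";
@@ -90,7 +90,7 @@
 src
 # cargoRoot
 ;
-hash = "sha256-caWR4/gabH5euGmTt8UItMvfWnIl/qwQQZ/Fh1qieRM=";
+hash = "sha256-/vo5L4iCppv8zoiG0frhGMol6QPgPMSXn2KwFx+wMRM=";
 };
 
 nativeBuildInputs = [
@@ -111,8 +111,6 @@
 buildPhase = ''
 runHook preBuild
 
-export FLUXER_CONFIG=${configFile}
-pnpm --filter fluxer_app i18n:compile
 pnpm --filter fluxer_app build
 
 runHook postBuild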
-61
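--- a/packages/fluxer-selfhost/app_proxy.nix
+++ b/packages/fluxer-selfhost/app_proxy.nix
@@ -1,61 +0,0 @@
-{
-...
-}:
-let
-pkgs = import <nixpkgs> { };
-
-in
-pkgs.stdenv.mkDerivation rec {
-pname = "fluxer_app_proxy";
-version = "0.0.0";
-
-app-src = pkgs.callPackage ./app.nix { };
-
-src = pkgs.callPackage ./prune-repo.nix {
-stdenv = pkgs.stdenv;
-turbo = pkgs.turbo;
-workspace = "fluxer_app_proxy";
-extra_install_steps = ''
-cp -r ./packages $out/packages
-cp -r ./tsconfigs $out/tsconfigs
-'';
-};
-
-pnpmDeps = pkgs.fetchPnpmDeps {
-inherit pname version src;
-fetcherVersion = 3;
-hash = "sha256-hzuBOoj5KAFq2yqPYYZh+pv2qZ9I32H3eZY/4ZTBYa8=";
-};
-
-pnpmInstallFlags = [
-"--frozen-lockfile"
-];
-
-nativeBuildInputs = with pkgs; [
-pnpm
-pnpmConfigHook
-makeWrapper
-];
-
-# buildInputs = [
-
-# ];
-
-installPhase = ''
-runHook preInstall
-
-ls -la ${app-src}
-
-mkdir -p $out/bin
-mkdir -p $out/lib
-mkdir -p $out/lib/fluxer_app_proxy/assets
-cp -r ./* $out/lib
-ln -sf ${app-src}/assets $out/lib/fluxer_app_proxy/assets
-
-makeWrapper ${pkgs.pnpm}/bin/pnpm $out/bin/fluxer_app_proxy \
---chdir $out/lib/fluxer_app_proxy \
---add-flags "run start" \
---prefix PATH : ${pkgs.lib.makeBinPath (with pkgs; [ nodejs ])}
-runHook postInstall
-'';
-}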
+1 -1
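--- a/packages/fluxer-selfhost/common.nix
+++ b/packages/fluxer_selfhost/common.nix
@@ -23,7 +23,7 @@
 "${rust_package_name}"
 ];
 
-cargoHash = "sha256-caWR4/gabH5euGmTt8UItMvfWnIl/qwQQZ/Fh1qieRM=";
+cargoHash = "sha256-/vo5L4iCppv8zoiG0frhGMol6QPgPMSXn2KwFx+wMRM=";
 }
 // extra_options
 )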
-11
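--- a/packages/fluxer-selfhost/config.nix
+++ b/packages/fluxer-selfhost/config.nix
@@ -1,11 +0,0 @@
-{ ... }:
-let
-pkgs = import <nixpkgs> { };
-in
-pkgs.callPackage ./common.nix {
-package_name = "fluxer_config";
-rust_package_name = "config_bin";
-extra_options = {
-PROTOC = "${pkgs.protobuf}/bin/protoc";
-};
-}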
-11
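--- a/packages/fluxer-selfhost/downloads.nix
+++ b/packages/fluxer-selfhost/downloads.nix
@@ -1,11 +0,0 @@
-{ ... }:
-let
-pkgs = import <nixpkgs> { };
-in
-pkgs.callPackage ./common.nix {
-package_name = "fluxer_downloads";
-rust_package_name = "fluxer_downloads";
-extra_options = {
-PROTOC = "${pkgs.protobuf}/bin/protoc";
-};
-}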
packages/fluxer-selfhost/gateway.nix packages/fluxer_selfhost/gateway.nix
-11
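--- a/packages/fluxer-selfhost/kv_store.nix
+++ b/packages/fluxer-selfhost/kv_store.nix
@@ -1,11 +0,0 @@
-{ ... }:
-let
-pkgs = import <nixpkgs> { };
-in
-pkgs.callPackage ./common.nix {
-package_name = "fluxer_kv_store";
-rust_package_name = "kv_store_bin";
-extra_options = {
-PROTOC = "${pkgs.protobuf}/bin/protoc";
-};
-}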
packages/fluxer-selfhost/media_proxy.nix packages/fluxer_selfhost/media_proxy.nix
-13
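--- a/packages/fluxer-selfhost/ncmec.nix
+++ b/packages/fluxer-selfhost/ncmec.nix
@@ -1,13 +0,0 @@
-{ ... }:
-let
-pkgs = import <nixpkgs> { };
-in
-pkgs.callPackage ./common.nix {
-package_name = "fluxer_ncmec";
-rust_package_name = "fluxer_ncmec";
-extra_options = {
-PROTOC = "${pkgs.protobuf}/bin/protoc";
-# I am too lazy to fix the tests that need certificates
-doCheck = false;
-};
-}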
packages/fluxer-selfhost/prune-repo.nix packages/fluxer_selfhost/prune-repo.nix
-11
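--- a/packages/fluxer-selfhost/snowflake.nix
+++ b/packages/fluxer-selfhost/snowflake.nix
@@ -1,11 +0,0 @@
-{ ... }:
-let
-pkgs = import <nixpkgs> { };
-in
-pkgs.callPackage ./common.nix {
-package_name = "fluxer_snowflake";
-rust_package_name = "fluxer_snowflake";
-extra_options = {
-PROTOC = "${pkgs.protobuf}/bin/protoc";
-};
-}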
-11
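--- a/packages/fluxer-selfhost/voice.nix
+++ b/packages/fluxer-selfhost/voice.nix
@@ -1,11 +0,0 @@
-{ ... }:
-let
-pkgs = import <nixpkgs> { };
-in
-pkgs.callPackage ./common.nix {
-package_name = "fluxer_voice";
-rust_package_name = "voice_bin";
-extra_options = {
-PROTOC = "${pkgs.protobuf}/bin/protoc";
-};
-}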
+13
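--- a/packages/fluxer_selfhost/app_ingress.nix
+++ b/packages/fluxer_selfhost/app_ingress.nix
@@ -0,0 +1,13 @@
+{ ... }:
+let
+pkgs = import <nixpkgs> { };
+in
+pkgs.callPackage ./common.nix {
+package_name = "fluxer_app_ingress";
+rust_package_name = "fluxer_app_ingress";
+extra_options = {
+PROTOC = "${pkgs.protobuf}/bin/protoc";
+# Disable tests until fixing certificate dependency
+doCheck = false;
+};
+}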
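Review bot: `pkgs = import <nixpkgs> { };` resolves nixpkgs from the builder's `NIX_PATH` instead of using the package set that `callPackage` supplies, so this package (and `temp_app.nix`, which uses the same pattern) is built against whatever channel the machine happens to have rather than the revision and hash pinned in `npins/sources.json`. Taking the argument instead, `{ pkgs, ... }:` with the `let` binding removed, keeps the build on the pinned inputs when it is called from `overlays/fluxer/default.nix`. `doCheck = false` also skips the test suite for a network-facing ingress binary; the comment gives the reason, and a note on what has to be fixed before re-enabling it would make that easier to follow up.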
+5
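--- a/packages/fluxer_selfhost/temp_app.nix
+++ b/packages/fluxer_selfhost/temp_app.nix
@@ -0,0 +1,5 @@
+{ ... }:
+let
+pkgs = import <nixpkgs> { };
+in
+pkgs.callPackage ./app.nix { }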
+2
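--- a/shell.nix
+++ b/shell.nix
@@ -16,6 +16,8 @@
 wild
 nixd
 ripgrep
+just
+just-lsp
 (rust-bin.stable.latest.default.override {
 extensions = [
 "rust-src"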
+114
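--- a/vms/fluxer.nix
+++ b/vms/fluxer.nix
@@ -0,0 +1,114 @@
+{ pkgs, ... }:
+{
+imports = [
+../modules/pub/fluxer.nix
+];
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+virtualisation.vmVariant = {
+virtualisation = {
+memorySize = 6144;
+cores = 4;
+diskSize = 10240;
+diskImage = "./disk.img";
+qemu = {
+options = [
+"-display none"
+"-nographic"
+];
+};
+forwardPorts = [
+# forward local port 2222 -> 22, to ssh into the VM
+{
+from = "host";
+host.port = 2222;
+guest.port = 22;
+}
+{
+from = "host";
+host.port = 8888;
+guest.port = 8081;
+}
+
+# # forward local port 80 -> 10.0.2.10:80 in the VLAN
+# {
+# from = "guest";
+# guest.address = "10.0.2.10";
+# guest.port = 80;
+# host.address = "127.0.0.1";
+# host.port = 80;
+# }
+];
+};
+};
+
+users.users = {
+roufpup = {
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+initialPassword = "pass";
+};
+};
+environment.defaultPackages = with pkgs; [
+helix
+fluxer_app
+];
+nixpkgs.overlays = [
+(import ../overlays/fluxer { })
+];
+
+services = {
+fluxer = {
+enable = true;
+};
+
+openssh = {
+enable = true;
+openFirewall = true;
+};
+getty = {
+autologinUser = "roufpup";
+};
+nats = {
+enable = true;
+jetstream = true;
+};
+postgresql = {
+enable = true;
+enableTCPIP = true;
+package = pkgs.postgresql_18_jit;
+ensureUsers = [
+{
+name = "fluxer";
+ensureDBOwnership = true;
+ensureClauses = {
+login = true;
+superuser = true;
+createdb = true;
+createrole = true;
+bypassrls = true;
+replication = true;
+};
+}
+];
+ensureDatabases = [
+"fluxer"
+];
+settings = {
+listen_addresses = "*";
+};
+authentication = pkgs.lib.mkForce ''
+local all all trust
+host all all 127.0.0.1/8 trust
+host all all ::1/8 trust
+'';
+};
+meilisearch = {
+enable = true;
+masterKeyFile = "${pkgs.writeText "meilisearch_master_key" "114153e9b71fe5643e87e6fcb249e73ddf3fc009e64a67449a4c580601d66046"}";
+listenAddress = "127.0.0.1";
+listenPort = 7700;
+};
+};
+}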
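Review bot: The `authentication` override grants `trust` to `::1/8`, which covers the whole `::/8` block rather than IPv6 loopback, while `enableTCPIP = true` and `listen_addresses = "*"` make PostgreSQL listen on every interface and the `fluxer` role is created with `superuser`, `createrole`, `bypassrls` and `replication`. The services in this commit connect to `127.0.0.1:5432`, so `host all all ::1/128 trust` together with `listen_addresses = "localhost";` should be enough, and the role probably needs no more than ownership of its database. The same file sets `initialPassword = "pass"` for a `wheel` user with `openssh.openFirewall = true` and SSH forwarded to host port 2222; key-only login (`settings.PasswordAuthentication = false;` under `openssh`) would avoid a guessable password on a forwarded port. The Meilisearch master key passed through `pkgs.writeText` also ends up world-readable in the Nix store, and it is the same value as `FLUXER_MEILISEARCH_API_KEY` in `modules/pub/fluxer.nix`.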