Netbird proxy go brrrrrrrrr

roufpup e6e3d583 b529d3f9

+1223 -456
+16 -1
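--- a/hive.nix
+++ b/hive.nix
@@ -13,6 +13,7 @@
 pup_lib.gen_pins sources [
 "helix-nix"
 "nixpkgs"
+"dune"
 ]
 );
 mods = pup_lib.get_mods;
@@ -25,7 +26,7 @@
 ./patches/forgejo.patch
 (pkgs.fetchpatch2 {
 url = "https://github.com/NixOS/nixpkgs/pull/483203.patch";
-sha256 = "sha256-2czzH6Pe013jKtbs1DFwJKh8Jlc00CPmyOjOpPdYHw4=";
+sha256 = "sha256-+BfH8MPxShFHMDl81rIW/C1g91xt7lsMTFNXHZo721I=";
 })
 ];
 };
@@ -45,6 +46,20 @@
 inherit nixpkgs;
 specialArgs = { inherit args; };
 };
+work =
+{ ... }:
+{
+imports = [
+./hosts/work/default.nix
+];
+deployment = {
+target = {
+host = "fennec-work";
+user = "roufpup";
+};
+tags = [ "x86" ];
+};
+};
 
 vulpes =
 {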
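Review bot: The `fetchpatch2` URL in the second hunk points at a pull-request patch (`.../pull/483203.patch`), whose content changes whenever the PR branch is pushed; the `sha256` bump here looks like the result of exactly that. Pinning to the specific commit instead, e.g. `url = "https://github.com/NixOS/nixpkgs/commit/<COMMIT_SHA>.patch";` (placeholder), keeps the hash stable and makes it explicit which upstream change is trusted at build time. The enclosing overlay/patch list starts outside the hunk.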
+2
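--- a/hosts/sand-archives/core/boot.nix
+++ b/hosts/sand-archives/core/boot.nix
@@ -29,6 +29,8 @@
 # For valkey
 "vm.overcommit_memory" = 1;
 "net.ipv4.ip_forward" = 1;
+"net.core.rmem_max" = 7500000;
+"net.core.wmem_max" = 7500000;
 };
 };
 }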
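Review bot: The two new `net.core.rmem_max` / `net.core.wmem_max` sysctls carry no comment, unlike `vm.overcommit_memory` above them, which is labelled `# For valkey`. The value 7500000 matches the UDP buffer size commonly recommended for QUIC stacks, so presumably this is for the NetBird relay or proxy; a line such as `# Larger UDP buffers for QUIC (netbird relay/proxy) - confirm` would record the reason for a kernel-wide limit change.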
+50 -7
hosts/sand-archives/core/caddy.nix
··· 1 1 { pkgs, args, ... }: 2 2 let 3 3 netbird_dashboard_settings = { 4 - NETBIRD_MGMT_API_ENDPOINT = "https://netbird.killuaa.dev"; 5 - NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://netbird.killuaa.dev"; 4 + NETBIRD_MGMT_API_ENDPOINT = "https://netbird.awoo.ren"; 5 + NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://netbird.awoo.ren"; 6 6 AUTH_AUTHORITY = "https://auth.awoo.ren/oauth2/openid/netbird"; 7 7 AUTH_AUDIENCE = "netbird"; 8 8 AUTH_CLIENT_ID = "netbird"; 9 - AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api"; 9 + AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api netbird_groups"; 10 10 NETBIRD_TOKEN_SOURCE = "idToken"; 11 11 USE_AUTH0 = false; 12 12 AUTH_REDIRECT_URI = "/auth"; ··· 25 25 "github.com/caddy-dns/rfc2136@v1.0.0" 26 26 "github.com/mholt/caddy-events-exec@v0.1.0" 27 27 ]; 28 - hash = "sha256-61qiNHbh7vgQuI6Ecc9xVpHpy4faTbpvIxz9B/8bPqQ="; 28 + hash = "sha256-Eromak7MFr+7EYCl5ETS5MQgApBo2m6+v3L8Fa9fSNU="; 29 29 }; 30 30 logFormat = pkgs.lib.mkForce "level DEBUG"; 31 31 globalConfig = '' ··· 44 44 :80 { 45 45 @local_http { 46 46 http { 47 - host netbird.killuaa.dev auth.awoo.ren 47 + host netbird.awoo.ren auth.awoo.ren 48 48 } 49 49 } 50 50 route @local_http { ··· 62 62 } 63 63 64 64 :443 { 65 + 66 + @netbird_proxy { 67 + tls { 68 + sni ${ 69 + pkgs.lib.concatStringsSep " " [ 70 + "proxy.netbird.awoo.ren" 71 + "*.proxy.netbird.awoo.ren" 72 + "cockpit.awoo.ren" 73 + "pihole.awoo.ren" 74 + "rss.awoo.ren" 75 + "knot.git.awoo.ren" 76 + "incus.awoo.ren" 77 + "pds.awoo.ren" 78 + "mail.pds.awoo.ren" 79 + "vaultwarden.awoo.ren" 80 + "mollysocket.awoo.ren" 81 + "ntfy.awoo.ren" 82 + "code.awoo.ren" 83 + "s3.awoo.ren" 84 + "ente.awoo.ren" 85 + "api.ente.awoo.ren" 86 + "albums.ente.awoo.ren" 87 + "pgadmin.awoo.ren" 88 + "media.awoo.ren" 89 + "seerr.awoo.ren" 90 + "anisonarr.awoo.ren" 91 + "aniradarr.awoo.ren" 92 + "showsonarr.awoo.ren" 93 + "movieradarr.awoo.ren" 94 + "prowlarr.awoo.ren" 95 + "torrent.awoo.ren" 96 + ] 97 + } 98 + } 99 + } 
100 + route @netbird_proxy { 101 + proxy 127.0.0.1:8013 102 + } 103 + 65 104 @local_https { 66 105 tls { 67 - sni netbird.killuaa.dev auth.awoo.ren syncthing.killuaa.dev 106 + sni netbird.awoo.ren auth.awoo.ren syncthing.killuaa.dev 68 107 } 69 108 } 70 109 route @local_https { ··· 105 144 } 106 145 ''; 107 146 }; 108 - "netbird.killuaa.dev:4443" = { 147 + "netbird.awoo.ren" = { 109 148 extraConfig = '' 110 149 handle /api* { 111 150 reverse_proxy http://127.0.0.1:8011 ··· 126 165 127 166 handle /relay* { 128 167 reverse_proxy http://127.0.0.1:33080 168 + } 169 + 170 + handle /management.ProxyService* { 171 + reverse_proxy h2c://127.0.0.1:33073 129 172 } 130 173 131 174 handle /* {
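Review bot: The `@netbird_proxy` SNI list hands administrative front ends (`cockpit`, `pgadmin`, `pihole`, `incus`, `vaultwarden`) to the proxy on `127.0.0.1:8013` in what appears to be a layer-4 route, so Caddy no longer terminates or authenticates those connections and every access decision rests on the per-service policy configured inside NetBird, which is not part of this commit. A comment above the list stating that each name must have an authenticated service defined in NetBird would make that dependency visible. The same host names are repeated as A/AAAA records in hosts/vulpes/infra/dns.nix; deriving both from one shared list would stop the two from drifting. `logFormat` is still forced to `level DEBUG` in the context lines, which is worth revisiting once the migration has settled.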
+138 -38
hosts/sand-archives/core/netbird.nix
··· 6 6 }: 7 7 let 8 8 9 - netbird = pkgs.netbird.overrideAttrs (prev: { 10 - src = pkgs.fetchFromGitHub { 11 - owner = "netbirdio"; 12 - repo = "netbird"; 13 - tag = "v0.60.8"; 14 - hash = "sha256-XM4pUYimxbO3ZCmTPbg7dwDB3x2TnL9PUgbMfjHjxmo="; 15 - }; 16 - vendorHash = "sha256-b3Wl9jsAdYC91JM/kDo4yIF05hqbivtrcn1aRuZzP3s="; 17 - }); 18 - 19 9 pm = (args.mods.priv_mod.get_data args); 20 10 in 21 11 { 22 12 services.netbird = { 23 - package = netbird; 13 + package = pkgs.netbird; 24 14 server = { 25 15 enable = true; 26 - domain = "netbird.killuaa.dev"; 16 + domain = "netbird.awoo.ren"; 27 17 management = { 28 18 enable = true; 19 + logLevel = "DEBUG"; 29 20 oidcConfigEndpoint = "https://auth.awoo.ren/oauth2/openid/netbird/.well-known/openid-configuration"; 30 21 settings = { 31 22 DataStoreEncryptionKey = { 32 23 _secret = config.sops.secrets.netbird_data_store_encryption_key.path; 33 24 }; 34 - TURNConfig.Turns = [ ]; 35 - Stuns = [ ]; 25 + Datadir = "/var/lib/netbird-mgmt/data"; 26 + DeviceAuthorizationFlow = { 27 + Provider = "none"; 28 + ProviderConfig = { 29 + Audience = "netbird"; 30 + ClientID = "netbird"; 31 + DeviceAuthEndpoint = ""; 32 + Domain = null; 33 + Scope = "openid profile email"; 34 + TokenEndpoint = null; 35 + UseIDToken = false; 36 + }; 37 + }; 38 + HttpConfig = { 39 + Address = "127.0.0.1:8011"; 40 + IdpSignKeyRefreshEnabled = true; 41 + OIDCConfigEndpoint = "https://auth.awoo.ren/oauth2/openid/netbird/.well-known/openid-configuration"; 42 + AuthIssuer = "https://auth.awoo.ren/oauth2/openid/netbird"; 43 + AuthAudience = "netbird"; 44 + AuthClientID = "netbird"; 45 + AuthCallbackURL = "https://netbird.awoo.ren/api/reverse-proxy/callback"; 46 + }; 47 + IdpManagerConfig = { 48 + Auth0ClientCredentials = null; 49 + AzureClientCredentials = null; 50 + ClientConfig = { 51 + ClientID = "netbird"; 52 + ClientSecret = ""; 53 + GrantType = "client_credentials"; 54 + Issuer = ""; 55 + TokenEndpoint = ""; 56 + }; 57 + ExtraConfig = { }; 58 + 
KeycloakClientCredentials = null; 59 + ManagerType = "none"; 60 + ZitadelClientCredentials = null; 61 + }; 62 + PKCEAuthorizationFlow = { 63 + ProviderConfig = { 64 + Audience = "netbird"; 65 + AuthorizationEndpoint = "https://auth.awoo.ren/ui/oauth2"; 66 + ClientID = "netbird"; 67 + ClientSecret = config.sops.secrets.netbird_kanidm_basic_secret.path; 68 + RedirectURLs = [ "http://localhost:53000" ]; 69 + Scope = "openid profile email offline_access api netbird_groups"; 70 + TokenEndpoint = "https://auth.awoo.ren/oauth2/token"; 71 + UseIDToken = true; 72 + }; 73 + }; 36 74 Relay = { 37 - Addresses = [ "rels://netbird.killuaa.dev:443" ]; 75 + Addresses = [ "rels://netbird.awoo.ren:443" ]; 38 76 CredentialsTTL = "12h"; 39 77 Secret = { 40 78 _secret = config.sops.secrets.netbird_relay_secret.path; 41 79 }; 42 80 TimeBasedCredentials = false; 43 81 }; 82 + ReverseProxy = { 83 + TrustedHTTPProxies = [ ]; 84 + TrustedHTTPProxiesCount = 0; 85 + TrustedPeers = [ 86 + "0.0.0.0/0" 87 + ]; 88 + }; 89 + Signal = { 90 + Password = "null"; 91 + Proto = "https"; 92 + URI = "netbird.awoo.ren:443"; 93 + }; 94 + StoreConfig = { 95 + Engine = "sqlite"; 96 + }; 97 + TURNConfig = { 98 + CredentialsTTL = "12h"; 99 + Secret = ""; 100 + TimeBasedCredentials = false; 101 + Turns = [ ]; 102 + }; 103 + Stuns = [ ]; 44 104 }; 45 105 }; 46 106 dashboard = { ··· 53 113 clients.sand_arc = { 54 114 port = 51820; 55 115 openFirewall = false; 116 + hardened = false; 56 117 environment = { 57 - NB_MANAGEMENT_URL = "https://netbird.killuaa.dev"; 58 - NB_SETUP_KEY_FILE = config.sops.secrets.nb_setup_key.path; 118 + NB_MANAGEMENT_URL = "https://netbird.awoo.ren"; 119 + NB_ALLOW_SERVER_SSH = "true"; 59 120 }; 60 121 }; 61 122 }; 62 123 63 - systemd.services = { 64 - netbird-sand_arc = { 65 - serviceConfig = { 66 - AmbientCapabilities = [ 67 - "CAP_NET_BIND_SERVICE" 68 - "CAP_DAC_OVERRIDE" 69 - ]; 70 - ReadWritePaths = [ 71 - "/etc/resolv.conf" 72 - "/etc/resolv.conf.original.netbird" 73 - ]; 124 + 
systemd = { 125 + tmpfiles.rules = [ 126 + "d /var/lib/netbird-proxy 0750 netbird-sand_arc netbird-sand_arc -" 127 + "d /var/lib/netbird-proxy/certs 0750 netbird-sand_arc netbird-sand_arc -" 128 + ]; 129 + services = { 130 + netbird-sand_arc = { 131 + path = [ pkgs.shadow ]; 132 + serviceConfig = { 133 + AmbientCapabilities = [ 134 + "CAP_NET_BIND_SERVICE" 135 + "CAP_DAC_OVERRIDE" 136 + ]; 137 + ReadWritePaths = [ 138 + "/etc/resolv.conf" 139 + "/etc/resolv.conf.original.netbird" 140 + ]; 141 + }; 74 142 }; 75 - }; 76 - netbird-relay = { 77 - enable = true; 78 - wantedBy = [ "multi-user.target" ]; 79 - after = [ "network.target" ]; 80 - serviceConfig = { 81 - User = "netbird-sand_arc"; 82 - Group = "netbird-sand_arc"; 83 - ExecStart = "${pkgs.netbird-relay}/bin/netbird-relay --exposed-address rels://netbird.killuaa.dev:443 --listen-address :33080 --metrics-port 9092 --auth-secret ${pm.srv.netbird.relay_secret}"; 84 - Restart = "always"; 143 + 144 + netbird-relay = { 145 + enable = true; 146 + wantedBy = [ "multi-user.target" ]; 147 + after = [ "network.target" ]; 148 + serviceConfig = { 149 + User = "netbird-sand_arc"; 150 + Group = "netbird-sand_arc"; 151 + ExecStart = "${pkgs.netbird-relay}/bin/netbird-relay --exposed-address rels://netbird.awoo.ren:443 --listen-address :33080 --metrics-port 9092 --auth-secret ${pm.srv.netbird.relay_secret}"; 152 + Restart = "always"; 153 + }; 154 + }; 155 + netbird-proxy = { 156 + enable = true; 157 + wantedBy = [ "multi-user.target" ]; 158 + after = [ "network.target" ]; 159 + serviceConfig = { 160 + User = "netbird-sand_arc"; 161 + Group = "netbird-sand_arc"; 162 + ExecStart = "${pkgs.netbird-proxy}/bin/netbird-proxy"; 163 + Environment = [ 164 + "NB_PROXY_DEBUG_LOGS=true" 165 + "NB_PROXY_TOKEN=${pm.srv.netbird.proxy_token}" 166 + "NB_PROXY_MANAGEMENT_ADDRESS=https://netbird.awoo.ren" 167 + "NB_PROXY_ADDRESS=127.0.0.1:8013" 168 + "NB_PROXY_DOMAIN=proxy.netbird.awoo.ren" 169 + "NB_PROXY_OIDC_CLIENT_ID=netbird" 170 + 
"NB_PROXY_OIDC_ENDPOINT=https://auth.awoo.ren/oauth2/openid/netbird" 171 + "NB_PROXY_OIDC_SCOPES=openid,profile,email,offline_access,api,netbird_groups" 172 + "NB_PROXY_ACME_CERTIFICATES=true" 173 + "NB_PROXY_ACME_CHALLENGE_TYPE=tls-alpn-01" 174 + "NB_PROXY_CERTIFICATE_DIRECTORY=/var/lib/netbird-proxy/certs" 175 + "NB_PROXY_GEO_DATA_DIR=/var/lib/netbird-proxy" 176 + ]; 177 + Restart = "always"; 178 + }; 179 + }; 180 + 181 + netbird-signal = { 182 + serviceConfig = { 183 + Environment = [ "NB_PPROF_ADDR=6061" ]; 184 + }; 85 185 }; 86 186 }; 87 187 };
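Review bot: `NB_PROXY_TOKEN=${pm.srv.netbird.proxy_token}` in the `netbird-proxy` unit is interpolated at evaluation time, so the token ends up in the generated unit file in the world-readable Nix store and in `systemctl show` output; `--auth-secret ${pm.srv.netbird.relay_secret}` on the `netbird-relay` command line has the same exposure. Loading it at runtime, `EnvironmentFile = config.sops.secrets.<proxy_env_secret>.path;` (placeholder name), keeps it out of the store. In `PKCEAuthorizationFlow`, `ClientSecret = config.sops.secrets.netbird_kanidm_basic_secret.path;` assigns the path string itself, whereas the other secrets in this file use `{ _secret = ...path; }`, so the management server presumably receives a file path as the client secret. `ReverseProxy.TrustedPeers = [ "0.0.0.0/0" ]` trusts every source address and should be narrowed to the proxy's real address if that setting gates which peers may act as a proxy (confirm against the NetBird documentation). `hardened = false` with `NB_ALLOW_SERVER_SSH = "true"` is also set in hosts/vulpes/infra/netbird.nix and hosts/work/core/services.nix and deserves a comment saying why the sandboxing is off, while `logLevel = "DEBUG"`, `NB_PROXY_DEBUG_LOGS=true` and `NB_PPROF_ADDR=6061` look like debugging aids to remove once this is stable.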
+1 -1
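--- a/hosts/sand-archives/core/networking.nix
+++ b/hosts/sand-archives/core/networking.nix
@@ -44,7 +44,7 @@
 
 hosts = {
 "127.0.0.1" = [
-"netbird.killuaa.dev"
+"netbird.awoo.ren"
 "auth.awoo.ren"
 ];
 };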
+1 -5
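--- a/hosts/sand-archives/core/sops.nix
+++ b/hosts/sand-archives/core/sops.nix
@@ -20,16 +20,12 @@
 # Netbird
 #
 netbird_data_store_encryption_key = { };
-nb_setup_key = {
-owner = "netbird-sand_arc";
-group = "netbird-sand_arc";
-mode = "0440";
-};
 netbird_relay_secret = {
 owner = "netbird-sand_arc";
 group = "netbird-sand_arc";
 mode = "0440";
 };
+netbird_kanidm_basic_secret = { };
 # bind_caddy_key = {
 # owner = "acme";
 # group = "acme";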
+8
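--- a/hosts/sand-archives/core/users.nix
+++ b/hosts/sand-archives/core/users.nix
@@ -24,6 +24,10 @@
 kanidm = {
 extraGroups = [ "caddy" ];
 };
+netbird-sand_arc = {
+isSystemUser = true;
+group = "netbird-sand_arc";
+};
 };
 extraGroups = {
 roufpup = {
@@ -40,6 +44,10 @@
 gid = 700;
 name = "arr";
 members = [ "arr" ];
+};
+netbird-sand_arc = {
+name = "netbird-sand_arc";
+members = [ "netbird-sand_arc" ];
 };
 };
 };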
+10
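--- a/hosts/sand-archives/default.nix
+++ b/hosts/sand-archives/default.nix
@@ -3,12 +3,19 @@
 pkgs,
 ...
 }:
+let
+overlays = (args.pup_lib.get_overlays args);
+in
 {
 imports = [
 (args.sources.nixpkgs.outPath + "/nixos/modules/profiles/minimal.nix")
 args.pins.sops-nix.nixosModules.sops
 ]
 ++ (args.pup_lib.module_imports ./core);
+
+environment = {
+enableAllTerminfo = true;
+};
 
 security = {
 sudo-rs = {
@@ -36,6 +43,9 @@
 config = {
 allowUnfree = true;
 };
+overlays = [
+overlays.default
+];
 };
 
 nix = {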
+1 -1
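--- a/hosts/vulpes/core/networking.nix
+++ b/hosts/vulpes/core/networking.nix
@@ -22,7 +22,7 @@
 hosts = {
 "${pm.net.ipv4.sand-archives.addr}" = [
 "sand-archives"
-"netbird.killuaa.dev"
+"netbird.awoo.ren"
 ];
 };
 };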
-8
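--- a/hosts/vulpes/core/sops.nix
+++ b/hosts/vulpes/core/sops.nix
@@ -70,14 +70,6 @@
 mode = "0440";
 };
 #
-# Netbird
-#
-nb_setup_key = {
-owner = "netbird-vulpes";
-group = "netbird-vulpes";
-mode = "0440";
-};
-#
 # Ente
 #
 ente_garage_key = { };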
+6 -2
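--- a/hosts/vulpes/core/virtualization.nix
+++ b/hosts/vulpes/core/virtualization.nix
@@ -1,4 +1,7 @@
-{ ... }:
+{ args, ... }:
+let
+pm = (args.mods.priv_mod.get_data args);
+in
 {
 virtualisation = {
 podman = {
@@ -19,7 +22,8 @@
 };
 preseed = {
 config = {
-"core.https_address" = "127.0.0.1:8443";
+"core.https_address" = "${pm.net.ipv4.vulpes.addr}:8443";
+"oidc.audience" = "incus";
 "oidc.issuer" = "https://auth.awoo.ren/oauth2/openid/incus";
 "oidc.client.id" = "incus";
 };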
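Review bot: `"core.https_address"` moves the Incus API from loopback to `${pm.net.ipv4.vulpes.addr}:8443`, so it becomes reachable from whatever network that address sits on, and nothing in this hunk restricts which peers may connect. The same loopback-to-host-address change is made for Coder (hosts/vulpes/infra/coder.nix), knot (git.nix), and miniflux and the tranquil_pds listener (misc.nix). If only the NetBird proxy on sand-archives is meant to reach these ports, a firewall rule limiting them to that source, or binding to the NetBird interface address, would enforce it; which interface `pm.net.ipv4.vulpes.addr` belongs to cannot be told from this page.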
+32 -246
hosts/vulpes/infra/caddy.nix
··· 8 8 photos-pkg = ( 9 9 pkgs.ente-web.override { 10 10 enteApp = "photos"; 11 - enteMainUrl = "https://ente.killuaa.dev"; 11 + enteMainUrl = "https://ente.awoo.ren"; 12 12 extraBuildEnv = { 13 - NEXT_PUBLIC_ENTE_ENDPOINT = "https://api.ente.killuaa.dev"; 14 - NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT = "https://albums.ente.killuaa.dev"; 13 + NEXT_PUBLIC_ENTE_ENDPOINT = "https://api.ente.awoo.ren"; 14 + NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT = "https://albums.ente.awoo.ren"; 15 15 NEXT_TELEMETRY_DISABLED = "1"; 16 16 }; 17 17 } ··· 35 35 server "127.0.0.1:5300" 36 36 } 37 37 ''; 38 - virtualHosts = { 39 - 40 - # Killuaa 41 - "killuaa.dev" = { 42 - extraConfig = '' 43 - handle / { 44 - redir https://git.killuaa.dev 45 - } 46 - handle /.well-known/matrix/server { 47 - header Content-Type application/json 48 - header Access-Control-Allow-Origin * 49 - respond `{"m.server": "yap.killuaa.dev:443"}` 200 50 - } 51 - 52 - handle /.well-known/matrix/client { 53 - header Content-Type application/json 54 - header Access-Control-Allow-Origin * 55 - respond `{"m.homeserver":{"base_url":"https://yap.killuaa.dev"}}` 200 56 - } 57 - ''; 58 - }; 59 - 60 - "fluxer.killuaa.dev" = { 61 - extraConfig = '' 62 - handle /_caddy_health { 63 - respond "OK" 200 64 - } 65 - @gateway path /gateway /gateway/* 66 - handle @gateway { 67 - uri strip_prefix /gateway 68 - reverse_proxy 127.0.0.1:5080 69 - } 70 - @marketing path /marketing /marketing/* 71 - handle @marketing { 72 - uri strip_prefix /marketing 73 - reverse_proxy 127.0.0.1:49531 74 - } 75 - @server path /admin /admin/* /api /api/* /s3 /s3/* /queue /queue/* /media /media/* /_health /_ready /_live /.well-known/fluxer 76 - handle @server { 77 - reverse_proxy 127.0.0.1:5079 78 - } 79 - @livekit path /livekit /livekit/* 80 - handle @livekit { 81 - uri strip_prefix /livekit 82 - reverse_proxy 127.0.0.1:7880 83 - } 84 - handle { 85 - reverse_proxy 127.0.0.1:49427 { 86 - header_up Connection {http.request.header.Connection} 87 - header_up Upgrade 
{http.request.header.Upgrade} 88 - } 89 - } 90 - log { 91 - output stdout 92 - format console 38 + extraConfig = '' 39 + http://${pm.net.ipv4.vulpes.addr}:3893 { 40 + handle /xrpc/com.atproto.identity.resolveHandle* { 41 + @pup query handle=awoo.ren 42 + @snow query handle=mrsnowy.dev 43 + handle @pup { 44 + header Access-Control-Allow-Origin "*" 45 + header Access-Control-Allow-Headers "*" 46 + respond `{"did":"did:plc:e6e4lgy3nzdshjbpmjvnkbfd"}` 200 93 47 } 94 - ''; 95 - }; 96 - 97 - # Git Forge 98 - "git.killuaa.dev" = { 99 - extraConfig = '' 100 - reverse_proxy 127.0.0.1:3000 101 - ''; 102 - }; 103 - 104 - "code.killuaa.dev" = { 105 - extraConfig = '' 106 - reverse_proxy 127.0.0.1:3300 { 107 - transport http { 108 - keepalive 30s 109 - keepalive_idle_conns 10 110 - } 111 - flush_interval -1 112 - } 113 - ''; 114 - serverAliases = [ "*.code.killuaa.dev" ]; 115 - }; 116 - 117 - "pgadmin.killuaa.dev" = { 118 - extraConfig = '' 119 - reverse_proxy 127.0.0.1:5050 120 - ''; 121 - }; 122 - 123 - # Ente 124 - "api.ente.killuaa.dev" = { 125 - extraConfig = '' 126 - reverse_proxy 127.0.0.1:7000 127 - ''; 128 - }; 129 - "ente.killuaa.dev" = { 130 - extraConfig = '' 131 - root * ${photos-pkg} 132 - file_server 133 - try_files {path} {path}.html /index.html 134 - ''; 135 - }; 136 - "albums.ente.killuaa.dev" = { 137 - extraConfig = '' 138 - root * ${photos-pkg} 139 - file_server 140 - try_files {path} {path}.html /index.html 141 - ''; 142 - }; 143 - "s3.garage.killuaa.dev" = { 144 - extraConfig = '' 145 - reverse_proxy 127.0.0.1:3900 146 - ''; 147 - }; 148 - 149 - # Media 150 - "media.killuaa.dev" = { 151 - extraConfig = '' 152 - reverse_proxy 127.0.0.1:8096 153 - ''; 154 - }; 155 - "seerr.killuaa.dev" = { 156 - extraConfig = '' 157 - reverse_proxy 127.0.0.1:5055 158 - ''; 159 - }; 160 - "anisonarr.killuaa.dev" = { 161 - extraConfig = '' 162 - reverse_proxy 127.0.0.1:8989 163 - ''; 164 - }; 165 - "aniradarr.killuaa.dev" = { 166 - extraConfig = '' 167 - reverse_proxy 
127.0.0.1:7979 168 - ''; 169 - }; 170 - "showsonarr.killuaa.dev" = { 171 - extraConfig = '' 172 - reverse_proxy 127.0.0.1:8988 173 - ''; 174 - }; 175 - "movieradarr.killuaa.dev" = { 176 - extraConfig = '' 177 - reverse_proxy 127.0.0.1:7978 178 - ''; 179 - }; 180 - "prowlarr.killuaa.dev" = { 181 - extraConfig = '' 182 - reverse_proxy 127.0.0.1:4545 183 - ''; 184 - }; 185 - "torrent.killuaa.dev" = { 186 - extraConfig = '' 187 - reverse_proxy 127.0.0.1:9999 188 - ''; 189 - }; 190 - 191 - # Matrix 192 - "yap.killuaa.dev" = { 193 - extraConfig = '' 194 - reverse_proxy 127.0.0.1:6167 195 - ''; 196 - }; 197 - 198 - # NTFY 199 - "ntfy.killuaa.dev" = { 200 - serverAliases = [ "http://ntfy.killuaa.dev" ]; 201 - extraConfig = '' 202 - reverse_proxy 127.0.0.1:2586 203 - 204 - @httpget { 205 - protocol http 206 - method GET 207 - path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/) 48 + reverse_proxy 127.0.0.1:3892 { 49 + header_up Host pds.awoo.ren 208 50 } 51 + } 52 + reverse_proxy 127.0.0.1:3892 { 53 + header_up Host pds.awoo.ren 54 + } 55 + } 209 56 210 - redir @httpget https://{host}{uri} 211 - ''; 212 - }; 213 - "mollysocket.killuaa.dev" = { 214 - extraConfig = '' 215 - reverse_proxy 127.0.0.1:8020 216 - ''; 217 - }; 57 + http://${pm.net.ipv4.vulpes.addr}:7001 { 58 + root * ${photos-pkg} 59 + file_server 60 + try_files {path} {path}.html /index.html 61 + header Host ente.awoo.ren 62 + } 218 63 219 - # Vaultwarden 220 - "vaultwarden.killuaa.dev" = { 221 - extraConfig = '' 222 - reverse_proxy 127.0.0.1:7474 223 - ''; 224 - }; 64 + http://${pm.net.ipv4.vulpes.addr}:7002 { 65 + root * ${photos-pkg} 66 + file_server 67 + try_files {path} {path}.html /index.html 68 + header Host albums.ente.awoo.ren 69 + } 225 70 226 - "cockpit.killuaa.dev" = { 227 - extraConfig = '' 228 - reverse_proxy 127.0.0.1:9090 229 - ''; 230 - }; 231 - } 232 - # Awoooooooooooooooo 233 - // { 234 - "knot.git.awoo.ren" = { 235 - extraConfig = '' 236 - reverse_proxy 127.0.0.1:5555 237 - ''; 238 - }; 239 - 
"git.awoo.ren" = { 240 - extraConfig = '' 241 - reverse_proxy 127.0.0.1:5656 242 - ''; 243 - }; 244 - 245 - "rss.awoo.ren" = { 246 - extraConfig = '' 247 - reverse_proxy 127.0.0.1:4678 248 - ''; 249 - }; 250 - "incus.awoo.ren" = { 251 - extraConfig = '' 252 - reverse_proxy https://127.0.0.1:8443 { 253 - header_up Host incus.awoo.ren 254 - transport http { 255 - tls_insecure_skip_verify 256 - } 257 - } 258 - ''; 259 - }; 260 - 261 - "pds.awoo.ren" = { 262 - extraConfig = '' 263 - handle /xrpc/com.atproto.identity.resolveHandle* { 264 - @pup query handle=awoo.ren 265 - @snow query handle=mrsnowy.dev 266 - handle @pup { 267 - header Access-Control-Allow-Origin "*" 268 - header Access-Control-Allow-Headers "*" 269 - respond `{"did":"did:plc:e6e4lgy3nzdshjbpmjvnkbfd"}` 200 270 - } 271 - reverse_proxy localhost:3892 272 - } 273 - reverse_proxy 127.0.0.1:3892 274 - ''; 275 - }; 276 - "mail.pds.awoo.ren" = { 277 - extraConfig = '' 278 - basic_auth { 279 - mail $2a$14$pwigEqhih.kMbJrkooV8Y.iNfDT.o1vRzDOAXkWV5b.XvNasc7Wci 280 - } 281 - reverse_proxy 127.0.0.1:1026 282 - ''; 283 - }; 284 - }; 285 - 71 + ''; 286 72 }; 287 73 }
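Review bot: `header Host ente.awoo.ren` in the `:7001` site (and `header Host albums.ente.awoo.ren` in `:7002`) sets a response header named `Host`, which clients ignore, because Caddy's `header` directive acts on responses; these lines have no effect and can be dropped, or replaced with a host matcher if the intent was to serve only that name. All three new sites are plain `http://` on `${pm.net.ipv4.vulpes.addr}`, so confidentiality between the proxy and this host depends on the path between them, presumably the NetBird tunnel; a comment saying so would help. The `mail.pds.awoo.ren` site that carried a `basic_auth` block is gone and no replacement appears in the new config, so it is worth checking that the NetBird service for that name enforces authentication.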
+3 -3
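--- a/hosts/vulpes/infra/coder.nix
+++ b/hosts/vulpes/infra/coder.nix
@@ -5,9 +5,9 @@
 {
 services.coder = {
 enable = true;
-listenAddress = "127.0.0.1:3300";
-accessUrl = "https://code.killuaa.dev";
-wildcardAccessUrl = "*.code.killuaa.dev";
+listenAddress = "${pm.net.ipv4.vulpes.addr}:3300";
+accessUrl = "https://code.awoo.ren";
+wildcardAccessUrl = "*.code.awoo.ren";
 database = {
 createLocally = false;
 host = "127.0.0.1";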
+91 -32
hosts/vulpes/infra/dns.nix
··· 7 7 pihole-web = { 8 8 enable = true; 9 9 ports = [ 10 - "9001" 11 - "[::]:9001" 10 + "${pm.net.ipv4.vulpes.addr}:9001" 12 11 ]; 13 12 }; 14 13 pihole-ftl = { ··· 156 155 1w ; expire 157 156 1h ) ; negative cache TTL 158 157 159 - IN NS ns1.awoo.ren. 158 + IN NS ns1.awoo.ren. 160 159 161 - ns1 IN A ${pm.net.ipv4.sand-archives.addr} 162 - ns1 IN AAAA ${pm.net.ipv6.sand-archives.addr} 163 - @ IN A ${pm.net.ipv4.sand-archives.addr} 164 - @ IN AAAA ${pm.net.ipv6.sand-archives.addr} 160 + ; Base domain and name server 161 + ns1 IN A ${pm.net.ipv4.sand-archives.addr} 162 + ns1 IN AAAA ${pm.net.ipv6.sand-archives.addr} 163 + @ IN A ${pm.net.ipv4.sand-archives.addr} 164 + @ IN AAAA ${pm.net.ipv6.sand-archives.addr} 165 165 166 166 ; Tuta 167 - @ IN MX 10 mail.tutanota.de. 168 - @ IN TXT "t-verify=83be8df1ae29ced5fea6432b3a22111e" 169 - @ IN TXT "v=spf1 include:spf.tutanota.de -all" 170 - _dmarc IN TXT "v=DMARC1; p=quarantine; adkim=s" 171 - s1._domainkey IN CNAME s1.domainkey.tutanota.de. 172 - s2._domainkey IN CNAME s2.domainkey.tutanota.de. 173 - _mta-sts IN CNAME mta-sts.tutanota.de. 174 - mta-sts IN CNAME mta-sts.tutanota.de. 167 + @ IN MX 10 mail.tutanota.de. 168 + @ IN TXT "t-verify=83be8df1ae29ced5fea6432b3a22111e" 169 + @ IN TXT "v=spf1 include:spf.tutanota.de -all" 170 + _dmarc IN TXT "v=DMARC1; p=quarantine; adkim=s" 171 + s1._domainkey IN CNAME s1.domainkey.tutanota.de. 172 + s2._domainkey IN CNAME s2.domainkey.tutanota.de. 173 + _mta-sts IN CNAME mta-sts.tutanota.de. 174 + mta-sts IN CNAME mta-sts.tutanota.de. 
175 175 176 176 ; Domain verificaitons 177 177 178 - _atproto IN TXT "did=did:plc:e6e4lgy3nzdshjbpmjvnkbfd" 179 - _atproto.pup IN TXT "did=did:plc:e6e4lgy3nzdshjbpmjvnkbfd" 180 - _fluxer IN TXT "fluxer-verification=a83d4bbb46d22050a732b4ea17b0ecba76589d60e9abcc9a2d727e021e53d435" 178 + _atproto IN TXT "did=did:plc:e6e4lgy3nzdshjbpmjvnkbfd" 179 + _atproto.pup IN TXT "did=did:plc:e6e4lgy3nzdshjbpmjvnkbfd" 180 + _fluxer IN TXT "fluxer-verification=a83d4bbb46d22050a732b4ea17b0ecba76589d60e9abcc9a2d727e021e53d435" 181 181 182 - auth IN A ${pm.net.ipv4.sand-archives.addr} 183 - auth IN AAAA ${pm.net.ipv6.sand-archives.addr} 182 + auth IN A ${pm.net.ipv4.sand-archives.addr} 183 + auth IN AAAA ${pm.net.ipv6.sand-archives.addr} 184 184 185 - git IN A ${pm.net.ipv4.sand-archives.addr} 186 - git IN AAAA ${pm.net.ipv6.sand-archives.addr} 187 - knot.git IN A ${pm.net.ipv4.sand-archives.addr} 188 - knot.git IN AAAA ${pm.net.ipv6.sand-archives.addr} 185 + git IN A ${pm.net.ipv4.sand-archives.addr} 186 + git IN AAAA ${pm.net.ipv6.sand-archives.addr} 187 + knot.git IN A ${pm.net.ipv4.sand-archives.addr} 188 + knot.git IN AAAA ${pm.net.ipv6.sand-archives.addr} 189 189 190 - rss IN A ${pm.net.ipv4.sand-archives.addr} 191 - rss IN AAAA ${pm.net.ipv6.sand-archives.addr} 190 + rss IN A ${pm.net.ipv4.sand-archives.addr} 191 + rss IN AAAA ${pm.net.ipv6.sand-archives.addr} 192 192 193 - incus IN A ${pm.net.ipv4.sand-archives.addr} 194 - incus IN AAAA ${pm.net.ipv6.sand-archives.addr} 193 + incus IN A ${pm.net.ipv4.sand-archives.addr} 194 + incus IN AAAA ${pm.net.ipv6.sand-archives.addr} 195 195 196 - pds IN A ${pm.net.ipv4.sand-archives.addr} 197 - pds IN AAAA ${pm.net.ipv6.sand-archives.addr} 198 - mail.pds IN A ${pm.net.ipv4.sand-archives.addr} 199 - mail.pds IN AAAA ${pm.net.ipv6.sand-archives.addr} 196 + pds IN A ${pm.net.ipv4.sand-archives.addr} 197 + pds IN AAAA ${pm.net.ipv6.sand-archives.addr} 198 + mail.pds IN A ${pm.net.ipv4.sand-archives.addr} 199 + mail.pds IN AAAA 
${pm.net.ipv6.sand-archives.addr} 200 200 201 + ; Netbird 202 + netbird IN A ${pm.net.ipv4.sand-archives.addr} 203 + netbird IN AAAA ${pm.net.ipv6.sand-archives.addr} 204 + proxy.netbird IN A ${pm.net.ipv4.sand-archives.addr} 205 + proxy.netbird IN AAAA ${pm.net.ipv6.sand-archives.addr} 206 + *.proxy.netbird IN A ${pm.net.ipv4.sand-archives.addr} 207 + *.proxy.netbird IN AAAA ${pm.net.ipv6.sand-archives.addr} 208 + 209 + ; Netbird CNAMEs 210 + * IN CNAME proxy.netbird.awoo.ren. 211 + *.git IN CNAME proxy.netbird.awoo.ren. 212 + *.pds IN CNAME proxy.netbird.awoo.ren. 213 + *.ente IN CNAME proxy.netbird.awoo.ren. 214 + 215 + cockpit IN A ${pm.net.ipv4.sand-archives.addr} 216 + cockpit IN AAAA ${pm.net.ipv6.sand-archives.addr} 217 + 218 + pihole IN A ${pm.net.ipv4.sand-archives.addr} 219 + pihole IN AAAA ${pm.net.ipv6.sand-archives.addr} 220 + 221 + vaultwarden IN A ${pm.net.ipv4.sand-archives.addr} 222 + vaultwarden IN AAAA ${pm.net.ipv6.sand-archives.addr} 223 + 224 + mollysocket IN A ${pm.net.ipv4.sand-archives.addr} 225 + mollysocket IN AAAA ${pm.net.ipv6.sand-archives.addr} 226 + ntfy IN A ${pm.net.ipv4.sand-archives.addr} 227 + ntfy IN AAAA ${pm.net.ipv6.sand-archives.addr} 228 + 229 + code IN A ${pm.net.ipv4.sand-archives.addr} 230 + code IN AAAA ${pm.net.ipv6.sand-archives.addr} 231 + 232 + s3 IN A ${pm.net.ipv4.sand-archives.addr} 233 + s3 IN AAAA ${pm.net.ipv6.sand-archives.addr} 234 + ente IN A ${pm.net.ipv4.sand-archives.addr} 235 + ente IN AAAA ${pm.net.ipv6.sand-archives.addr} 236 + api.ente IN A ${pm.net.ipv4.sand-archives.addr} 237 + api.ente IN AAAA ${pm.net.ipv6.sand-archives.addr} 238 + albums.ente IN A ${pm.net.ipv4.sand-archives.addr} 239 + albums.ente IN AAAA ${pm.net.ipv6.sand-archives.addr} 240 + 241 + pgadmin IN A ${pm.net.ipv4.sand-archives.addr} 242 + pgadmin IN AAAA ${pm.net.ipv6.sand-archives.addr} 243 + 244 + media IN A ${pm.net.ipv4.sand-archives.addr} 245 + media IN AAAA ${pm.net.ipv6.sand-archives.addr} 246 + seerr IN A 
${pm.net.ipv4.sand-archives.addr} 247 + seerr IN AAAA ${pm.net.ipv6.sand-archives.addr} 248 + anisonarr IN A ${pm.net.ipv4.sand-archives.addr} 249 + anisonarr IN AAAA ${pm.net.ipv6.sand-archives.addr} 250 + aniradarr IN A ${pm.net.ipv4.sand-archives.addr} 251 + aniradarr IN AAAA ${pm.net.ipv6.sand-archives.addr} 252 + showsonarr IN A ${pm.net.ipv4.sand-archives.addr} 253 + showsonarr IN AAAA ${pm.net.ipv6.sand-archives.addr} 254 + movieradarr IN A ${pm.net.ipv4.sand-archives.addr} 255 + movieradarr IN AAAA ${pm.net.ipv6.sand-archives.addr} 256 + prowlarr IN A ${pm.net.ipv4.sand-archives.addr} 257 + prowlarr IN AAAA ${pm.net.ipv6.sand-archives.addr} 258 + torrent IN A ${pm.net.ipv4.sand-archives.addr} 259 + torrent IN AAAA ${pm.net.ipv6.sand-archives.addr} 201 260 ''; 202 261 }; 203 262 };
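Review bot: The wildcard records under `; Netbird CNAMEs` (`*`, `*.git`, `*.pds`, `*.ente`) make every otherwise-undefined label in the zone resolve to the proxy host, even though each proxied service also gets explicit A/AAAA records below. If the wildcards exist only so that new NetBird services resolve without a zone edit, a zone comment such as `; wildcard: lets new proxy services resolve without a zone change` would record that; otherwise dropping them keeps unknown names from reaching the TLS front end at all. The explicit record list duplicates the SNI list in hosts/sand-archives/core/caddy.nix, so the two have to be kept in step by hand.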
+1 -1
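--- a/hosts/vulpes/infra/ente.nix
+++ b/hosts/vulpes/infra/ente.nix
@@ -15,7 +15,7 @@
 port = 7000;
 };
 apps = {
-public-albums = "https://albums.ente.killuaa.dev";
+public-albums = "https://albums.ente.awoo.ren";
 };
 webauthn = {
 rpid = "127.0.0.1";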
+17 -15
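--- a/hosts/vulpes/infra/git.nix
+++ b/hosts/vulpes/infra/git.nix
@@ -3,20 +3,21 @@
 pkgs,
 ...
 }:
-# let
-# tangled = args.pins.tangled_core;
-# interFonts = pkgs.fetchzip {
-# url = "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip";
-# stripRoot = false;
-# sha256 = "sha256-5vdKKvHAeZi6igrfpbOdhZlDX2/5+UvzlnCQV6DdqoQ=";
-# };
-# appviewStaticFiles = tangled.packages.x86_64-linux.appview-static-files.override {
-# inter-fonts-src = interFonts;
-# };
-# appview = tangled.packages.x86_64-linux.appview.override {
-# appview-static-files = appviewStaticFiles;
-# };
-# in
+let
+# tangled = args.pins.tangled_core;
+# interFonts = pkgs.fetchzip {
+# url = "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip";
+# stripRoot = false;
+# sha256 = "sha256-5vdKKvHAeZi6igrfpbOdhZlDX2/5+UvzlnCQV6DdqoQ=";
+# };
+# appviewStaticFiles = tangled.packages.x86_64-linux.appview-static-files.override {
+# inter-fonts-src = interFonts;
+# };
+# appview = tangled.packages.x86_64-linux.appview.override {
+# appview-static-files = appviewStaticFiles;
+# };
+pm = (args.mods.priv_mod.get_data args);
+in
 {
 imports = [
 args.pins.tangled_core.nixosModules.knot
@@ -48,7 +49,7 @@
 server = {
 owner = "did:plc:e6e4lgy3nzdshjbpmjvnkbfd";
 hostname = "knot.git.awoo.ren";
-listenAddr = "127.0.0.1:5555";
+listenAddr = "${pm.net.ipv4.vulpes.addr}:5555";
 };
 };
 };
@@ -81,6 +82,7 @@
 isNormalUser = true;
 group = "git-puppy-priv";
 home = "/var/lib/git-priv";
+shell = "${pkgs.git}/bin/git-shell";
 
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkUMYuTCjDCIldnrQlA8M5gPkEUZ/oXxD5+B7nNeoM3 openpgp:0x13D59319"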
+22 -19
hosts/vulpes/infra/misc.nix
··· 16 16 cockpit-files 17 17 ]; 18 18 allowed-origins = [ 19 - "https://cockpit.killuaa.dev" 20 - "wss://cockpit.killuaa.dev" 19 + "https://cockpit.awoo.ren" 20 + "wss://cockpit.awoo.ren" 21 21 ]; 22 22 settings = { 23 23 WebService = { 24 24 AllowUnencrypted = true; 25 25 ProtocolHeader = "X-Forwarded-Proto"; 26 26 }; 27 + 27 28 }; 28 29 }; 29 30 ntfy-sh = { 30 31 enable = true; 31 32 settings = { 32 33 base-url = "https://ntfy.killuaa.dev"; 33 - listen-http = ":2586"; 34 + listen-http = "${pm.net.ipv4.vulpes.addr}:2586"; 34 35 behind-proxy = true; 35 36 }; 36 37 }; ··· 48 49 createDatabaseLocally = false; 49 50 config = { 50 51 DATABASE_URL = pm.srv.miniflux.db_connection_url; 51 - LISTEN_ADDR = "127.0.0.1:4678"; 52 + LISTEN_ADDR = "${pm.net.ipv4.vulpes.addr}:4678"; 52 53 OAUTH2_PROVIDER = "oidc"; 53 54 OAUTH2_CLIENT_ID = "miniflux"; 54 55 OAUTH2_CLIENT_SECRET = "${pm.srv.miniflux.oauth2_secret}"; ··· 61 62 instances = { 62 63 tranquil_pds = { 63 64 smtp = "127.0.0.1:1025"; 64 - listen = "127.0.0.1:1026"; 65 + listen = "${pm.net.ipv4.vulpes.addr}:1026"; 65 66 }; 66 67 }; 67 68 }; ··· 86 87 cockpit 87 88 sosreport 88 89 ]; 89 - systemd.services = { 90 - vaultwarden = { 91 - serviceConfig = { 92 - Environment = [ 93 - "ROCKET_ADDRESS=0.0.0.0" 94 - "ROCKET_PORT=7474" 95 - "DATA_FOLDER=/var/lib/vaultwarden" 96 - "WEB_VAULT_FOLDER=${pkgs.vaultwarden.webvault}/share/vaultwarden/vault" 97 - ]; 98 - EnvironmentFile = ""; 90 + systemd = { 91 + services = { 92 + vaultwarden = { 93 + serviceConfig = { 94 + Environment = [ 95 + "ROCKET_ADDRESS=${pm.net.ipv4.vulpes.addr}" 96 + "ROCKET_PORT=7474" 97 + "DATA_FOLDER=/var/lib/vaultwarden" 98 + "WEB_VAULT_FOLDER=${pkgs.vaultwarden.webvault}/share/vaultwarden/vault" 99 + ]; 100 + EnvironmentFile = ""; 101 + }; 99 102 }; 100 - }; 101 - mollysocket = { 102 - serviceConfig = { 103 - Environment = [ "MOLLY_VAPID_PRIVKEY=${pm.srv.molly.private_key}" ]; 103 + mollysocket = { 104 + serviceConfig = { 105 + Environment = [ 
"MOLLY_VAPID_PRIVKEY=${pm.srv.molly.private_key}" ]; 106 + }; 104 107 }; 105 108 }; 106 109 };
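Review bot: `base-url = "https://ntfy.killuaa.dev";` in the ntfy-sh settings is left unchanged (context line) while its listener and every other service in this commit move to awoo.ren, so ntfy will keep generating links for the old domain; it presumably should read `base-url = "https://ntfy.awoo.ren";`. The `tranquil_pds` listener moves from `127.0.0.1:1026` to the host address while the Caddy site that put `basic_auth` in front of that port is deleted in hosts/vulpes/infra/caddy.nix, so something else now has to authenticate access to it. `MOLLY_VAPID_PRIVKEY=${pm.srv.molly.private_key}` and `OAUTH2_CLIENT_SECRET = "${pm.srv.miniflux.oauth2_secret}"` are interpolated at evaluation time and therefore land in the world-readable Nix store; an `EnvironmentFile` backed by a sops secret would avoid that.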
+18 -14
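--- a/hosts/vulpes/infra/netbird.nix
+++ b/hosts/vulpes/infra/netbird.nix
@@ -1,27 +1,31 @@
-{ config, ... }:
+{ pkgs, ... }:
 {
 services.netbird = {
 clients.vulpes = {
 port = 51820;
 openFirewall = false;
+hardened = false;
 environment = {
-NB_MANAGEMENT_URL = "https://netbird.killuaa.dev";
-NB_SETUP_KEY_FILE = config.sops.secrets.nb_setup_key.path;
+NB_MANAGEMENT_URL = "https://netbird.awoo.ren";
+NB_ALLOW_SERVER_SSH = "true";
 };
 };
 };
 
-systemd.services = {
-netbird-vulpes = {
-serviceConfig = {
-AmbientCapabilities = [
-"CAP_NET_BIND_SERVICE"
-"CAP_DAC_OVERRIDE"
-];
-ReadWritePaths = [
-"/etc/resolv.conf"
-"/etc/resolv.conf.original.netbird"
-];
+systemd = {
+services = {
+netbird-vulpes = {
+path = [ pkgs.shadow ];
+serviceConfig = {
+AmbientCapabilities = [
+"CAP_NET_BIND_SERVICE"
+"CAP_DAC_OVERRIDE"
+];
+ReadWritePaths = [
+"/etc/resolv.conf"
+"/etc/resolv.conf.original.netbird"
+];
+};
 };
 };
 };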
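--- a/hosts/vulpes/infra/postgres.nix
+++ b/hosts/vulpes/infra/postgres.nix
@@ -92,7 +92,7 @@
 initialEmail = pm.srv.pgadmin.email;
 initialPasswordFile = config.sops.secrets.pgadmin_password.path;
 settings = {
-DEFAULT_SERVER = "0.0.0.0";
+DEFAULT_SERVER = "${pm.net.ipv4.vulpes.addr}";
 FIXED_BINARY_PATHS = {
 pg-18 = "${pkgs.postgresql_18_jit}/bin";
 };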
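--- a/hosts/work/core/networking.nix
+++ b/hosts/work/core/networking.nix
@@ -27,7 +27,7 @@
 hosts = {
 "${pm.net.ipv4.sand-archives.addr}" = [
 "sand-archives"
-"netbird.killuaa.dev"
+"netbird.awoo.ren"
 "auth.awoo.ren"
 ];
 };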
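--- a/hosts/work/core/packages.nix
+++ b/hosts/work/core/packages.nix
@@ -43,7 +43,7 @@
 nh
 npins
 git
-swww
+awww
 stash
 (lib.hiPrio wl-clipboard-rs)
 yubikey-manager
@@ -106,6 +106,23 @@
 just
 jetbrains.rider
 jetbrains.idea
+tesseract
+
+netbird-proxy
+
+# KDE related
+kdePackages.dolphin
+kdePackages.okular
+kdePackages.kio
+kdePackages.kio-extras
+kdePackages.kio-fuse
+
+kdePackages.gwenview
+kdePackages.kimageformats
+kdePackages.ark
+
+kdePackages.breeze
+kdePackages.breeze-icons
 
 # Cool but barely used
 servo
@@ -116,8 +133,6 @@
 bitwarden-desktop
 ente-desktop
 onlyoffice-desktopeditors
-kdePackages.dolphin
-kdePackages.okular
 rssguard
 yazi
 mpv
@@ -125,15 +140,10 @@
 mako
 # librewolf-bin
 syncplay
-kdePackages.gwenview
-kdePackages.kimageformats
-kdePackages.ark
 
 #Theming
 mint-themes
 mint-y-icons
-kdePackages.breeze
-kdePackages.breeze-icons
 vimix-icon-theme
 
 # 3rd party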
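--- a/hosts/work/core/services.nix
+++ b/hosts/work/core/services.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, ... }:
 {
 services = {
 pcscd.enable = true;
@@ -15,7 +15,6 @@
 
 wivrn = {
 enable = true;
-defaultRuntime = true;
 autoStart = true;
 highPriority = true;
 steam = {
@@ -98,7 +97,7 @@
 openssh = {
 enable = true;
 settings = {
-PasswordAuthentication = false;
+PasswordAuthentication = true;
 };
 };
 
@@ -120,23 +119,30 @@
 netbird = {
 clients.work = {
 port = 51820;
+hardened = false;
+
 environment = {
-NB_MANAGEMENT_URL = "https://netbird.killuaa.dev";
-NB_SETUP_KEY_FILE = config.sops.secrets.nb_setup_key.path;
+NB_MANAGEMENT_URL = "https://netbird.awoo.ren";
+NB_ALLOW_SERVER_SSH = "true";
+NB_LOG_LEVEL = pkgs.lib.mkForce "debug";
 };
 };
 };
 };
-systemd.services.netbird-work = {
-serviceConfig = {
-AmbientCapabilities = [
-"CAP_NET_BIND_SERVICE"
-"CAP_DAC_OVERRIDE"
-];
-ReadWritePaths = [
-"/etc/resolv.conf"
-"/etc/resolv.conf.original.netbird"
-];
+
+systemd = {
+services.netbird-work = {
+path = [ pkgs.shadow ];
+serviceConfig = {
+AmbientCapabilities = [
+"CAP_NET_BIND_SERVICE"
+"CAP_DAC_OVERRIDE"
+];
+ReadWritePaths = [
+"/etc/resolv.conf"
+"/etc/resolv.conf.original.netbird"
+];
+};
 };
 };
 }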
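Review bot: `PasswordAuthentication = true;` under `openssh.settings` reverses the previous key-only setting, and nothing in the hunk limits where password logins are accepted, so sshd on this machine now accepts password attempts wherever it listens. If passwords are only needed on one path (for instance sessions arriving over the NetBird interface), keep the global `PasswordAuthentication = false;` and scope the exception with a `Match` block in `extraConfig`, or restrict sshd to that interface. `NB_LOG_LEVEL = pkgs.lib.mkForce "debug";` also looks like a debugging leftover; debug logging on a VPN client is verbose and worth turning back down once the proxy works.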
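--- a/hosts/work/core/systemd.nix
+++ b/hosts/work/core/systemd.nix
@@ -36,7 +36,7 @@
 
 serviceConfig = {
 ExecStart = ''
-${pkgs.swww}/bin/swww-daemon
+${pkgs.awww}/bin/awww-daemon
 '';
 Restart = "always";
 };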
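--- a/hosts/work/hjem-rum/niri.nix
+++ b/hosts/work/hjem-rum/niri.nix
@@ -9,9 +9,9 @@
 "/home/roufpup/.config/quickshell/shell/"
 ]
 [
-"swww"
+"awww"
 "img"
-"/home/roufpup/Pictures/Wallpapers/03_bg_look_a_plane.png_52758.png"
+"/home/roufpup/Pictures/Wallpapers/03_bg_look_a_plane.png"
 ]
 ];
 config = ''
@@ -97,6 +97,12 @@
 open-floating true
 default-column-width { fixed 485; }
 default-window-height { fixed 545; }
+}
+window-rule {
+match app-id="org.kde.gwenview"
+open-floating true
+default-column-width { fixed 940; }
+default-window-height { fixed 770; }
 }
 window-rule {
 match app-id="com.mitchellh.ghostty"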
+28 -28
npins/sources.json
··· 114 114 }, 115 115 "branch": "master", 116 116 "submodules": false, 117 - "revision": "1e7ee8915a87c0675aa4532d70eb1a26e9b94cd8", 118 - "url": "https://github.com/nix-community/lanzaboote/archive/1e7ee8915a87c0675aa4532d70eb1a26e9b94cd8.tar.gz", 119 - "hash": "sha256-wFeQPKZfSSVv7BAYpRK31UBy1V9/pPJ9/hLaLJIgIp0=" 117 + "revision": "45338aab3013924c75305f5cb3543b9cda993183", 118 + "url": "https://github.com/nix-community/lanzaboote/archive/45338aab3013924c75305f5cb3543b9cda993183.tar.gz", 119 + "hash": "sha256-rgHUoE4QhOvK3Rcl9cbuIVdjPjFjfhcTm/uPs8Y7+2w=" 120 120 }, 121 121 "nix-index": { 122 122 "type": "Git", ··· 127 127 }, 128 128 "branch": "main", 129 129 "submodules": false, 130 - "revision": "55b588747fa3d7fc351a11831c4b874dab992862", 131 - "url": "https://github.com/nix-community/nix-index-database/archive/55b588747fa3d7fc351a11831c4b874dab992862.tar.gz", 132 - "hash": "sha256-gdYe9wTPl4ignDyXUl1LlICWj41+S0GB5lG1fKP17+A=" 130 + "revision": "bc13aeaed568be76eab84df88ff39261bb52ff70", 131 + "url": "https://github.com/nix-community/nix-index-database/archive/bc13aeaed568be76eab84df88ff39261bb52ff70.tar.gz", 132 + "hash": "sha256-89Mh4Eb/5stVJX6kGagVMijcU2FmfeD8Qv7UXc5d92o=" 133 133 }, 134 134 "nix-minecraft": { 135 135 "type": "Git", ··· 152 152 }, 153 153 "branch": "nixos-unstable", 154 154 "submodules": false, 155 - "revision": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", 156 - "url": "https://github.com/NixOS/nixpkgs/archive/46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9.tar.gz", 157 - "hash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=" 155 + "revision": "6201e203d09599479a3b3450ed24fa81537ebc4e", 156 + "url": "https://github.com/NixOS/nixpkgs/archive/6201e203d09599479a3b3450ed24fa81537ebc4e.tar.gz", 157 + "hash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=" 158 158 }, 159 159 "nixpkgs-master": { 160 160 "type": "Git", ··· 165 165 }, 166 166 "branch": "master", 167 167 "submodules": false, 168 - "revision": 
"b78d8a6a0b6931439e702e615c66b1c621d8e77f", 169 - "url": "https://github.com/NixOS/nixpkgs/archive/b78d8a6a0b6931439e702e615c66b1c621d8e77f.tar.gz", 170 - "hash": "sha256-5qwLP+jNRzAOTCscnbFLMeZubiXbi39fewPQUVZLEsI=" 168 + "revision": "e76e315f47e316637b5ec21a80c38350a47c518a", 169 + "url": "https://github.com/NixOS/nixpkgs/archive/e76e315f47e316637b5ec21a80c38350a47c518a.tar.gz", 170 + "hash": "sha256-9Be1CiMA33q892HfxjMJKsQJrWPf6UBIKpJkWztsc+4=" 171 171 }, 172 172 "nixpkgs-xr": { 173 173 "type": "Git", ··· 178 178 }, 179 179 "branch": "main", 180 180 "submodules": false, 181 - "revision": "82adacd2ac84b353b98e9462be1e8af969a5c1f7", 182 - "url": "https://github.com/nix-community/nixpkgs-xr/archive/82adacd2ac84b353b98e9462be1e8af969a5c1f7.tar.gz", 183 - "hash": "sha256-/figgEf9bJgifAotR2z+KqAUSKriOL17DGkgwJqlI6w=" 181 + "revision": "665e1550f5411756b3cb678dbdca878f164814ea", 182 + "url": "https://github.com/nix-community/nixpkgs-xr/archive/665e1550f5411756b3cb678dbdca878f164814ea.tar.gz", 183 + "hash": "sha256-StAtpRoSbXBSxD4ZiwEj/0C9wwapBtR5fmWMz1yX59M=" 184 184 }, 185 185 "nur": { 186 186 "type": "Git", ··· 191 191 }, 192 192 "branch": "main", 193 193 "submodules": false, 194 - "revision": "9d2f7035c503731019118616bfa27bcf1ca26deb", 195 - "url": "https://github.com/nix-community/NUR/archive/9d2f7035c503731019118616bfa27bcf1ca26deb.tar.gz", 196 - "hash": "sha256-ddhwjQMJTUx5+hYBVcfRVxIvkrNm9XOkyD195k7VHfo=" 194 + "revision": "e14996aecc13c6754bf8637b5061c5d7e0baad36", 195 + "url": "https://github.com/nix-community/NUR/archive/e14996aecc13c6754bf8637b5061c5d7e0baad36.tar.gz", 196 + "hash": "sha256-HfrzWkXWerw5kxLb33CN86rhFotDRv6B++k4co8h9bo=" 197 197 }, 198 198 "rust-overlay": { 199 199 "type": "Git", ··· 204 204 }, 205 205 "branch": "master", 206 206 "submodules": false, 207 - "revision": "d6471ee5a8f470251e6e5b83a20a182eb6c46c9b", 208 - "url": "https://github.com/oxalica/rust-overlay/archive/d6471ee5a8f470251e6e5b83a20a182eb6c46c9b.tar.gz", 209 - "hash": 
"sha256-Jn9d9r85dmf3gTMnSRt6t+DP2nQ5uJns/MMXg2FpzfM=" 207 + "revision": "740fb0203b2852917b909a72b948d34d0b171ec0", 208 + "url": "https://github.com/oxalica/rust-overlay/archive/740fb0203b2852917b909a72b948d34d0b171ec0.tar.gz", 209 + "hash": "sha256-FwYb64ysv8J2TxaqsYYcDyHAHBUEaQlriPMWPMi1K7M=" 210 210 }, 211 211 "sops-nix": { 212 212 "type": "Git", ··· 217 217 }, 218 218 "branch": "master", 219 219 "submodules": false, 220 - "revision": "614e256310e0a4f8a9ccae3fa80c11844fba7042", 221 - "url": "https://github.com/Mic92/sops-nix/archive/614e256310e0a4f8a9ccae3fa80c11844fba7042.tar.gz", 222 - "hash": "sha256-fhG4JAcLgjKwt+XHbjs8brpWnyKUfU4LikLm3s0Q/ic=" 220 + "revision": "8f093d0d2f08f37317778bd94db5951d6cce6c46", 221 + "url": "https://github.com/Mic92/sops-nix/archive/8f093d0d2f08f37317778bd94db5951d6cce6c46.tar.gz", 222 + "hash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=" 223 223 }, 224 224 "stash": { 225 225 "type": "Git", ··· 243 243 }, 244 244 "branch": "master", 245 245 "submodules": false, 246 - "revision": "233111b316b5faf365bcd0ee1bc1632460fab552", 246 + "revision": "53c56c0bc96300d5f43d94712b7934a188193d57", 247 247 "url": null, 248 - "hash": "sha256-mlcZC2INHi8DRV4YHY9i+d7NNdrfwpWShf9lYeLpyao=" 248 + "hash": "sha256-Ls0fMh7hM6N3Z3LxQRzPl7/y1/bfQryGPDvpJiuI+u0=" 249 249 }, 250 250 "tranquil_pds": { 251 251 "type": "Git", ··· 255 255 }, 256 256 "branch": "main", 257 257 "submodules": false, 258 - "revision": "696940f7328db1b7daa884a9c249eaec4eb4db9b", 258 + "revision": "add1ff176b0e401c8d8ceeab1443b492974981ac", 259 259 "url": null, 260 - "hash": "sha256-+PUoJzSMxC5VNUvpKfaC+6q50Teji1g/Xju68Oa7b7I=" 260 + "hash": "sha256-6jSs7wNvVWi9kcSZayLkn7In+Q/78cK6sTH0jryMNGQ=" 261 261 }, 262 262 "wire": { 263 263 "type": "Git",
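--- a/overlays/default/overlay.nix
+++ b/overlays/default/overlay.nix
@@ -8,6 +8,23 @@
 btrustbiss = prev.callPackage ../../packages/btrustbiss { inherit safenet_authentication_client; };
 helix = pins.helix-nix.packages.helix;
 steel = pins.helix-nix.packages.steel;
+# netbird = prev.netbird.overrideAttrs {
+# version = "0.67.3";
+# src = prev.fetchFromGitHub {
+# owner = "netbirdio";
+# repo = "netbird";
+# tag = "v0.67.3";
+# hash = "sha256-bt6NMyRxzzzAnMh0V62cu9+eg/jvV0RRwGqHJm32eZw=";
+# };
+# patches = [
+# ../../patches/netbird.patch
+# ];
+# vendorHash = "sha256-tsAbNuSqH8NjI6VWDXJ/9u3JKkBAnhjcEdeDXT2Bbv8=";
+# };
+netbird = prev.callPackage ../../packages/netbird { };
+netbird-proxy = final.netbird.override {
+componentName = "proxy";
+};
 chafa = prev.chafa.overrideAttrs (prev-chafa: {
 buildInputs =
 prev-chafa.buildInputs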
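Review bot: The thirteen commented-out lines of the earlier `prev.netbird.overrideAttrs` attempt (version 0.67.3, with its own `hash` and `vendorHash`) are dead code next to the `callPackage` that replaces them and should be deleted; stale hashes left in comments tend to get copied back by mistake. Assigning `netbird` in the overlay also swaps the package for every consumer of `pkgs.netbird`, presumably including the `services.netbird` clients on vulpes and work, so all of them now run the locally patched 0.67.4 build and not only `netbird-proxy`. If only the proxy needs the patched source, give the attribute a different name and leave `netbird` untouched.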
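--- a/packages/btrustbiss/default.nix
+++ b/packages/btrustbiss/default.nix
@@ -4,11 +4,16 @@
 autoPatchelfHook,
 makeWrapper,
 dpkg,
+libxext,
+libxtst,
+libxi,
+libx11,
+libxrender,
+libxxf86vm,
 freetype,
 pcsclite,
 zlib,
 alsa-lib,
-xorg,
 libGL,
 gtk3,
 gdk-pixbuf,
@@ -43,12 +48,12 @@
 pcsclite.lib
 zlib
 alsa-lib
-xorg.libXext
-xorg.libXtst
-xorg.libXi
-xorg.libX11
-xorg.libXrender
-xorg.libXxf86vm
+libxext
+libxtst
+libxi
+libx11
+libxrender
+libxxf86vm
 libGL
 
 gtk3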
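--- a/packages/netbird/default.nix
+++ b/packages/netbird/default.nix
@@ -0,0 +1,181 @@
+{
+stdenv,
+lib,
+nixosTests,
+nix-update-script,
+buildGoModule,
+fetchFromGitHub,
+installShellFiles,
+pkg-config,
+gtk3,
+libayatana-appindicator,
+libX11,
+libXcursor,
+libXxf86vm,
+versionCheckHook,
+netbird-management,
+netbird-relay,
+netbird-signal,
+netbird-ui,
+netbird-upload,
+componentName ? "client",
+needsUpdateScript ? componentName == "client",
+}:
+let
+/*
+License tagging is based off:
+- https://github.com/netbirdio/netbird/blob/9e95841252c62b50ae93805c8dfd2b749ac95ea7/LICENSES/REUSE.toml
+- https://github.com/netbirdio/netbird/blob/9e95841252c62b50ae93805c8dfd2b749ac95ea7/LICENSE#L1-L2
+*/
+availableComponents = {
+client = {
+module = "client";
+binaryName = "netbird";
+license = lib.licenses.bsd3;
+versionCheckProgramArg = "version";
+hasCompletion = true;
+};
+ui = {
+module = "client/ui";
+binaryName = "netbird-ui";
+license = lib.licenses.bsd3;
+};
+upload = {
+module = "upload-server";
+binaryName = "netbird-upload";
+license = lib.licenses.bsd3;
+};
+management = {
+module = "management";
+binaryName = "netbird-mgmt";
+license = lib.licenses.agpl3Only;
+versionCheckProgramArg = "--version";
+hasCompletion = true;
+};
+signal = {
+module = "signal";
+binaryName = "netbird-signal";
+license = lib.licenses.agpl3Only;
+hasCompletion = true;
+};
+relay = {
+module = "relay";
+binaryName = "netbird-relay";
+license = lib.licenses.agpl3Only;
+};
+proxy = {
+module = "proxy/cmd/proxy";
+binaryName = "netbird-proxy";
+license = lib.licenses.agpl3Only;
+};
+};
+component = availableComponents.${componentName};
+in
+buildGoModule (finalAttrs: {
+pname = "netbird-${componentName}";
+version = "0.67.4";
+
+src = fetchFromGitHub {
+owner = "netbirdio";
+repo = "netbird";
+tag = "v${finalAttrs.version}";
+hash = "sha256-8KafkdH92oOwDVH+fPi84+PYLvPtZuPMxJqzdWE0+B8=";
+};
+
+patches = [
+../../patches/netbird.patch
+];
+vendorHash = "sha256-tsAbNuSqH8NjI6VWDXJ/9u3JKkBAnhjcEdeDXT2Bbv8=";
+
+nativeBuildInputs = [ installShellFiles ] ++ lib.optional (componentName == "ui") pkg-config;
+
+buildInputs = lib.optionals (stdenv.hostPlatform.isLinux && componentName == "ui") [
+gtk3
+libayatana-appindicator
+libX11
+libXcursor
+libXxf86vm
+];
+
+subPackages = [ component.module ];
+
+ldflags = [
+"-s"
+"-w"
+"-X github.com/netbirdio/netbird/version.version=${finalAttrs.version}"
+"-X main.builtBy=nix"
+];
+
+# needs network access
+doCheck = false;
+
+postPatch = ''
+# make it compatible with systemd's RuntimeDirectory
+substituteInPlace client/cmd/root.go \
+--replace-fail 'unix:///var/run/netbird.sock' 'unix:///var/run/netbird/sock'
+substituteInPlace client/ui/client_ui.go \
+--replace-fail 'unix:///var/run/netbird.sock' 'unix:///var/run/netbird/sock'
+'';
+
+postInstall =
+let
+builtBinaryName = lib.last (lib.splitString "/" component.module);
+in
+''
+ls $out/bin/
+mv $out/bin/${builtBinaryName} $out/bin/${component.binaryName}
+''
++
+lib.optionalString
+(stdenv.buildPlatform.canExecute stdenv.hostPlatform && (component.hasCompletion or false))
+''
+installShellCompletion --cmd ${component.binaryName} \
+--bash <($out/bin/${component.binaryName} completion bash) \
+--fish <($out/bin/${component.binaryName} completion fish) \
+--zsh <($out/bin/${component.binaryName} completion zsh)
+''
+# assemble & adjust netbird.desktop files for the GUI
++ lib.optionalString (stdenv.hostPlatform.isLinux && componentName == "ui") ''
+install -Dm644 "$src/client/ui/assets/netbird-systemtray-connected.png" "$out/share/pixmaps/netbird.png"
+install -Dm644 "$src/client/ui/build/netbird.desktop" "$out/share/applications/netbird.desktop"
+
+substituteInPlace $out/share/applications/netbird.desktop \
+--replace-fail "Exec=/usr/bin/netbird-ui" "Exec=$out/bin/${component.binaryName}"
+'';
+
+nativeInstallCheckInputs = lib.lists.optionals (component ? versionCheckProgramArg) [
+versionCheckHook
+];
+versionCheckProgram = "${placeholder "out"}/bin/${component.binaryName}";
+versionCheckProgramArg = component.versionCheckProgramArg or "version";
+
+passthru = {
+tests = lib.attrsets.optionalAttrs (componentName == "client") {
+nixos = nixosTests.netbird;
+inherit
+# make sure child packages are built by `ofborg`
+netbird-management
+netbird-relay
+netbird-signal
+netbird-ui
+netbird-upload
+;
+};
+}
+// lib.attrsets.optionalAttrs needsUpdateScript {
+updateScript = nix-update-script { };
+};
+
+meta = {
+homepage = "https://netbird.io";
+changelog = "https://github.com/netbirdio/netbird/releases/tag/v${finalAttrs.version}";
+description = "Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls";
+license = component.license;
+maintainers = with lib.maintainers; [
+nazarewk
+saturn745
+loc
+];
+mainProgram = component.binaryName;
+};
+})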
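Review bot: `patches = [ ../../patches/netbird.patch ];` applies a 518-line local patch to the source of a VPN daemon without recording where it came from or why it is needed. Add a comment above it such as `# <upstream PR URL>: pprof listener behind the pprof build tag; drop once released`, so the next version bump can tell whether the patch is still required. `ls $out/bin/` in `postInstall` is a debugging leftover and can be removed. The `ui` inputs still use `libX11`, `libXcursor` and `libXxf86vm`, while this same commit moves packages/btrustbiss to the lower-case `libx11`-style names; use one spelling in both files.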
+518
patches/netbird.patch
··· 1 + From 6dbf296e39ced6094ac0c6113f00c23f28f82b72 Mon Sep 17 00:00:00 2001 2 + From: Ujaan Das <ujaandas03@gmail.com> 3 + Date: Thu, 18 Dec 2025 16:46:29 +0000 4 + Subject: [PATCH 1/8] [signal] add NB_PPROF_ADDR envvar support 5 + 6 + --- 7 + signal/cmd/pprof.go | 33 +++++++++++++++++++++++++++++++++ 8 + signal/cmd/run.go | 14 +------------- 9 + 2 files changed, 34 insertions(+), 13 deletions(-) 10 + create mode 100644 signal/cmd/pprof.go 11 + 12 + diff --git a/signal/cmd/pprof.go b/signal/cmd/pprof.go 13 + new file mode 100644 14 + index 00000000000..e85e9125387 15 + --- /dev/null 16 + +++ b/signal/cmd/pprof.go 17 + @@ -0,0 +1,33 @@ 18 + +//go:build pprof 19 + +// +build pprof 20 + + 21 + +package cmd 22 + + 23 + +import ( 24 + + "net/http" 25 + + _ "net/http/pprof" 26 + + "os" 27 + + 28 + + log "github.com/sirupsen/logrus" 29 + +) 30 + + 31 + +func init() { 32 + + addr := pprofAddr() 33 + + go pprof(addr) 34 + +} 35 + + 36 + +func pprofAddr() string { 37 + + listenAddr := os.Getenv("NB_PPROF_ADDR") 38 + + if listenAddr == "" { 39 + + return "localhost:6060" 40 + + } 41 + + 42 + + return listenAddr 43 + +} 44 + + 45 + +func pprof(listenAddr string) { 46 + + log.Infof("listening pprof on: %s\n", listenAddr) 47 + + if err := http.ListenAndServe(listenAddr, nil); err != nil { 48 + + log.Fatalf("Failed to start pprof: %v", err) 49 + + } 50 + +} 51 + diff --git a/signal/cmd/run.go b/signal/cmd/run.go 52 + index bf8f8e3271b..dcb79267e7f 100644 53 + --- a/signal/cmd/run.go 54 + +++ b/signal/cmd/run.go 55 + @@ -8,8 +8,7 @@ import ( 56 + "fmt" 57 + "net" 58 + "net/http" 59 + - // nolint:gosec 60 + - _ "net/http/pprof" 61 + + 62 + "time" 63 + 64 + "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc" 65 + @@ -92,8 +91,6 @@ var ( 66 + RunE: func(cmd *cobra.Command, args []string) error { 67 + flag.Parse() 68 + 69 + - startPprof() 70 + - 71 + opts, certManager, tlsConfig, err := getTLSConfigurations() 72 + if err != nil { 73 + return err 74 + 
@@ -194,15 +191,6 @@ var ( 75 + } 76 + ) 77 + 78 + -func startPprof() { 79 + - go func() { 80 + - log.Debugf("Starting pprof server on 127.0.0.1:6060") 81 + - if err := http.ListenAndServe("127.0.0.1:6060", nil); err != nil { 82 + - log.Fatalf("pprof server failed: %v", err) 83 + - } 84 + - }() 85 + -} 86 + - 87 + func getTLSConfigurations() ([]grpc.ServerOption, *autocert.Manager, *tls.Config, error) { 88 + var ( 89 + err error 90 + 91 + From 6e4d3554917dae507bd000952f6b88a167d1a093 Mon Sep 17 00:00:00 2001 92 + From: Ujaan Das <ujaandas03@gmail.com> 93 + Date: Thu, 18 Dec 2025 17:21:13 +0000 94 + Subject: [PATCH 2/8] [management] add NB_PPROF_ADDR envvar support 95 + 96 + --- 97 + management/cmd/pprof.go | 33 +++++++++++++++++++++++++++++++++ 98 + management/main.go | 7 ------- 99 + 2 files changed, 33 insertions(+), 7 deletions(-) 100 + create mode 100644 management/cmd/pprof.go 101 + 102 + diff --git a/management/cmd/pprof.go b/management/cmd/pprof.go 103 + new file mode 100644 104 + index 00000000000..e85e9125387 105 + --- /dev/null 106 + +++ b/management/cmd/pprof.go 107 + @@ -0,0 +1,33 @@ 108 + +//go:build pprof 109 + +// +build pprof 110 + + 111 + +package cmd 112 + + 113 + +import ( 114 + + "net/http" 115 + + _ "net/http/pprof" 116 + + "os" 117 + + 118 + + log "github.com/sirupsen/logrus" 119 + +) 120 + + 121 + +func init() { 122 + + addr := pprofAddr() 123 + + go pprof(addr) 124 + +} 125 + + 126 + +func pprofAddr() string { 127 + + listenAddr := os.Getenv("NB_PPROF_ADDR") 128 + + if listenAddr == "" { 129 + + return "localhost:6060" 130 + + } 131 + + 132 + + return listenAddr 133 + +} 134 + + 135 + +func pprof(listenAddr string) { 136 + + log.Infof("listening pprof on: %s\n", listenAddr) 137 + + if err := http.ListenAndServe(listenAddr, nil); err != nil { 138 + + log.Fatalf("Failed to start pprof: %v", err) 139 + + } 140 + +} 141 + diff --git a/management/main.go b/management/main.go 142 + index ff8482f9723..8db54370783 100644 143 + 
--- a/management/main.go 144 + +++ b/management/main.go 145 + @@ -1,19 +1,12 @@ 146 + package main 147 + 148 + import ( 149 + - "log" 150 + - "net/http" 151 + - // nolint:gosec 152 + - _ "net/http/pprof" 153 + "os" 154 + 155 + "github.com/netbirdio/netbird/management/cmd" 156 + ) 157 + 158 + func main() { 159 + - go func() { 160 + - log.Println(http.ListenAndServe("localhost:6060", nil)) 161 + - }() 162 + if err := cmd.Execute(); err != nil { 163 + os.Exit(1) 164 + } 165 + 166 + From 8c2c251e950205b5126e1d28a9896047b186588b Mon Sep 17 00:00:00 2001 167 + From: Ujaan Das <ujaandas03@gmail.com> 168 + Date: Tue, 17 Mar 2026 18:23:17 +0000 169 + Subject: [PATCH 3/8] [util] add shared pprof package 170 + 171 + --- 172 + util/pprof/pprof.go | 33 +++++++++++++++++++++++++++++++++ 173 + util/pprof/pprof_off.go | 8 ++++++++ 174 + 2 files changed, 41 insertions(+) 175 + create mode 100644 util/pprof/pprof.go 176 + create mode 100644 util/pprof/pprof_off.go 177 + 178 + diff --git a/util/pprof/pprof.go b/util/pprof/pprof.go 179 + new file mode 100644 180 + index 00000000000..3ca541b301a 181 + --- /dev/null 182 + +++ b/util/pprof/pprof.go 183 + @@ -0,0 +1,33 @@ 184 + +//go:build pprof 185 + +// +build pprof 186 + + 187 + +package pprof 188 + + 189 + +import ( 190 + + "net/http" 191 + + _ "net/http/pprof" 192 + + "os" 193 + + 194 + + log "github.com/sirupsen/logrus" 195 + +) 196 + + 197 + +func init() { 198 + + addr := pprofAddr() 199 + + go pprof(addr) 200 + +} 201 + + 202 + +func pprofAddr() string { 203 + + listenAddr := os.Getenv("NB_PPROF_ADDR") 204 + + if listenAddr == "" { 205 + + return "localhost:6060" 206 + + } 207 + + 208 + + return listenAddr 209 + +} 210 + + 211 + +func pprof(listenAddr string) { 212 + + log.Infof("listening pprof on: %s\n", listenAddr) 213 + + if err := http.ListenAndServe(listenAddr, nil); err != nil { 214 + + log.Fatalf("Failed to start pprof: %v", err) 215 + + } 216 + +} 217 + 
diff --git a/util/pprof/pprof_off.go b/util/pprof/pprof_off.go 218 + new file mode 100644 219 + index 00000000000..2cbf8b6697f 220 + --- /dev/null 221 + +++ b/util/pprof/pprof_off.go 222 + @@ -0,0 +1,8 @@ 223 + +//go:build !pprof 224 + + 225 + +package pprof 226 + + 227 + +/* 228 + +Allow package build even without pprof tag. 229 + +Otherwise, Go complains that "build constraints exlude all Go files" 230 + +*/ 231 + 232 + From e94874980da1598142d78c3766305ddfa23725b3 Mon Sep 17 00:00:00 2001 233 + From: Ujaan Das <ujaandas03@gmail.com> 234 + Date: Tue, 17 Mar 2026 18:24:58 +0000 235 + Subject: [PATCH 4/8] [signal] use shared pprof package 236 + 237 + --- 238 + signal/cmd/pprof.go | 33 --------------------------------- 239 + signal/cmd/root.go | 1 + 240 + signal/main.go | 3 ++- 241 + 3 files changed, 3 insertions(+), 34 deletions(-) 242 + delete mode 100644 signal/cmd/pprof.go 243 + 244 + diff --git a/signal/cmd/pprof.go b/signal/cmd/pprof.go 245 + deleted file mode 100644 246 + index e85e9125387..00000000000 247 + --- a/signal/cmd/pprof.go 248 + +++ /dev/null 249 + @@ -1,33 +0,0 @@ 250 + -//go:build pprof 251 + -// +build pprof 252 + - 253 + -package cmd 254 + - 255 + -import ( 256 + - "net/http" 257 + - _ "net/http/pprof" 258 + - "os" 259 + - 260 + - log "github.com/sirupsen/logrus" 261 + -) 262 + - 263 + -func init() { 264 + - addr := pprofAddr() 265 + - go pprof(addr) 266 + -} 267 + - 268 + -func pprofAddr() string { 269 + - listenAddr := os.Getenv("NB_PPROF_ADDR") 270 + - if listenAddr == "" { 271 + - return "localhost:6060" 272 + - } 273 + - 274 + - return listenAddr 275 + -} 276 + - 277 + -func pprof(listenAddr string) { 278 + - log.Infof("listening pprof on: %s\n", listenAddr) 279 + - if err := http.ListenAndServe(listenAddr, nil); err != nil { 280 + - log.Fatalf("Failed to start pprof: %v", err) 281 + - } 282 + -} 283 + diff --git a/signal/cmd/root.go b/signal/cmd/root.go 284 + index 7fa75d92371..0e2d9e3dc38 100644 285 + --- a/signal/cmd/root.go 286 + 
+++ b/signal/cmd/root.go 287 + @@ -8,6 +8,7 @@ import ( 288 + 289 + "github.com/spf13/cobra" 290 + 291 + + _ "github.com/netbirdio/netbird/util/pprof" 292 + "github.com/netbirdio/netbird/version" 293 + ) 294 + 295 + diff --git a/signal/main.go b/signal/main.go 296 + index 328f23a9707..047b01c479d 100644 297 + --- a/signal/main.go 298 + +++ b/signal/main.go 299 + @@ -1,8 +1,9 @@ 300 + package main 301 + 302 + import ( 303 + - "github.com/netbirdio/netbird/signal/cmd" 304 + "os" 305 + + 306 + + "github.com/netbirdio/netbird/signal/cmd" 307 + ) 308 + 309 + func main() { 310 + 311 + From 39ccc02fd3d0209dddd94e0795a9b5255f371121 Mon Sep 17 00:00:00 2001 312 + From: Ujaan Das <ujaandas03@gmail.com> 313 + Date: Tue, 17 Mar 2026 18:28:09 +0000 314 + Subject: [PATCH 5/8] [management] use shared pprof package 315 + 316 + --- 317 + management/cmd/pprof.go | 33 --------------------------------- 318 + management/cmd/root.go | 1 + 319 + 2 files changed, 1 insertion(+), 33 deletions(-) 320 + delete mode 100644 management/cmd/pprof.go 321 + 322 + diff --git a/management/cmd/pprof.go b/management/cmd/pprof.go 323 + deleted file mode 100644 324 + index e85e9125387..00000000000 325 + --- a/management/cmd/pprof.go 326 + +++ /dev/null 327 + 
@@ -1,33 +0,0 @@ 328 + -//go:build pprof 329 + -// +build pprof 330 + - 331 + -package cmd 332 + - 333 + -import ( 334 + - "net/http" 335 + - _ "net/http/pprof" 336 + - "os" 337 + - 338 + - log "github.com/sirupsen/logrus" 339 + -) 340 + - 341 + -func init() { 342 + - addr := pprofAddr() 343 + - go pprof(addr) 344 + -} 345 + - 346 + -func pprofAddr() string { 347 + - listenAddr := os.Getenv("NB_PPROF_ADDR") 348 + - if listenAddr == "" { 349 + - return "localhost:6060" 350 + - } 351 + - 352 + - return listenAddr 353 + -} 354 + - 355 + -func pprof(listenAddr string) { 356 + - log.Infof("listening pprof on: %s\n", listenAddr) 357 + - if err := http.ListenAndServe(listenAddr, nil); err != nil { 358 + - log.Fatalf("Failed to start pprof: %v", err) 359 + - } 360 + -} 361 + diff --git a/management/cmd/root.go b/management/cmd/root.go 362 + index b60f79c2360..cb135c00fab 100644 363 + --- a/management/cmd/root.go 364 + +++ b/management/cmd/root.go 365 + @@ -6,6 +6,7 @@ import ( 366 + "github.com/spf13/cobra" 367 + 368 + nbconfig "github.com/netbirdio/netbird/management/internals/server/config" 369 + + _ "github.com/netbirdio/netbird/util/pprof" 370 + "github.com/netbirdio/netbird/version" 371 + ) 372 + 373 + 374 + From 8eb0f82eac167c75a1c3d1be84af41d91861421a Mon Sep 17 00:00:00 2001 375 + From: Ujaan Das <ujaandas03@gmail.com> 376 + Date: Tue, 17 Mar 2026 18:28:35 +0000 377 + Subject: [PATCH 6/8] [relay] use shared pprof package 378 + 379 + --- 380 + relay/cmd/pprof.go | 33 --------------------------------- 381 + relay/cmd/root.go | 1 + 382 + 2 files changed, 1 insertion(+), 33 deletions(-) 383 + delete mode 100644 relay/cmd/pprof.go 384 + 385 + diff --git a/relay/cmd/pprof.go b/relay/cmd/pprof.go 386 + deleted file mode 100644 387 + index 37efd35f0cd..00000000000 388 + --- a/relay/cmd/pprof.go 389 + +++ /dev/null 390 + 
@@ -1,32 +0,0 @@ 391 + -//go:build pprof 392 + - 393 + -package cmd 394 + - 395 + -import ( 396 + - "net/http" 397 + - _ "net/http/pprof" 398 + - "os" 399 + - 400 + - log "github.com/sirupsen/logrus" 401 + -) 402 + - 403 + -func init() { 404 + - addr := pprofAddr() 405 + - go pprof(addr) 406 + -} 407 + - 408 + -func pprofAddr() string { 409 + - listenAddr := os.Getenv("NB_PPROF_ADDR") 410 + - if listenAddr == "" { 411 + - return "localhost:6969" 412 + - } 413 + - 414 + - return listenAddr 415 + -} 416 + - 417 + -func pprof(listenAddr string) { 418 + - log.Infof("listening pprof on: %s\n", listenAddr) 419 + - if err := http.ListenAndServe(listenAddr, nil); err != nil { 420 + - log.Fatalf("Failed to start pprof: %v", err) 421 + - } 422 + -} 423 + diff --git a/relay/cmd/root.go b/relay/cmd/root.go 424 + index e7dadcfdf6a..2877343a111 100644 425 + --- a/relay/cmd/root.go 426 + +++ b/relay/cmd/root.go 427 + @@ -23,6 +23,7 @@ import ( 428 + "github.com/netbirdio/netbird/shared/relay/auth" 429 + "github.com/netbirdio/netbird/signal/metrics" 430 + "github.com/netbirdio/netbird/util" 431 + + _ "github.com/netbirdio/netbird/util/pprof" 432 + ) 433 + 434 + type Config struct { 435 + 436 + From 684fd308cfd7574520fbab9ea782d870431f2319 Mon Sep 17 00:00:00 2001 437 + From: Ujaan Das <ujaandas03@gmail.com> 438 + Date: Tue, 17 Mar 2026 18:29:38 +0000 439 + Subject: [PATCH 7/8] [client] use shared pprof package 440 + 441 + --- 442 + client/cmd/pprof.go | 33 --------------------------------- 443 + client/cmd/root.go | 1 + 444 + 2 files changed, 1 insertion(+), 33 deletions(-) 445 + delete mode 100644 client/cmd/pprof.go 446 + 447 + diff --git a/client/cmd/pprof.go b/client/cmd/pprof.go 448 + deleted file mode 100644 449 + index 37efd35f0cd..00000000000 450 + --- a/client/cmd/pprof.go 451 + +++ /dev/null 452 + 
@@ -1,32 +0,0 @@ 453 + -//go:build pprof 454 + - 455 + -package cmd 456 + - 457 + -import ( 458 + - "net/http" 459 + - _ "net/http/pprof" 460 + - "os" 461 + - 462 + - log "github.com/sirupsen/logrus" 463 + -) 464 + - 465 + -func init() { 466 + - addr := pprofAddr() 467 + - go pprof(addr) 468 + -} 469 + - 470 + -func pprofAddr() string { 471 + - listenAddr := os.Getenv("NB_PPROF_ADDR") 472 + - if listenAddr == "" { 473 + - return "localhost:6969" 474 + - } 475 + - 476 + - return listenAddr 477 + -} 478 + - 479 + -func pprof(listenAddr string) { 480 + - log.Infof("listening pprof on: %s\n", listenAddr) 481 + - if err := http.ListenAndServe(listenAddr, nil); err != nil { 482 + - log.Fatalf("Failed to start pprof: %v", err) 483 + - } 484 + -} 485 + diff --git a/client/cmd/root.go b/client/cmd/root.go 486 + index 9f2eb109c5e..72764785e77 100644 487 + --- a/client/cmd/root.go 488 + +++ b/client/cmd/root.go 489 + @@ -23,6 +23,7 @@ import ( 490 + "google.golang.org/grpc/credentials/insecure" 491 + 492 + "github.com/netbirdio/netbird/client/internal/profilemanager" 493 + + _ "github.com/netbirdio/netbird/util/pprof" 494 + ) 495 + 496 + const ( 497 + 498 + From 309a410d5e4dba50ccff728bda935ca3aaf1aca9 Mon Sep 17 00:00:00 2001 499 + From: Ujaan Das <79176268+ujaandas@users.noreply.github.com> 500 + Date: Tue, 17 Mar 2026 18:57:03 +0000 501 + Subject: [PATCH 8/8] [util] fix typo in util/pprof/pprof_off.go 502 + 503 + Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> 504 + --- 505 + util/pprof/pprof_off.go | 2 +- 506 + 1 file changed, 1 insertion(+), 1 deletion(-) 507 + 508 + diff --git a/util/pprof/pprof_off.go b/util/pprof/pprof_off.go 509 + index 2cbf8b6697f..93ae0882a21 100644 510 + --- a/util/pprof/pprof_off.go 511 + +++ b/util/pprof/pprof_off.go 512 + 
@@ -4,5 +4,5 @@ package pprof 513 + 514 + /* 515 + Allow package build even without pprof tag. 516 + -Otherwise, Go complains that "build constraints exlude all Go files" 517 + +Otherwise, Go complains that "build constraints exclude all Go files" 518 + */
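Review bot: In the new util/pprof/pprof.go, `pprof()` calls `log.Fatalf` when `http.ListenAndServe` fails, and patches 6/8 and 7/8 replace the relay and client copies that defaulted to `localhost:6969` with this shared default of `localhost:6060`. Two pprof-tagged components on one host (for example client and management) will therefore collide on the port and the loser exits at startup; log the failure instead, `log.Errorf("pprof listener on %s failed: %v", listenAddr, err)`, and keep the process running. `NB_PPROF_ADDR` is also used as given, so a value like `:6060` serves the unauthenticated `net/http/pprof` handlers on every interface; rejecting or at least warning on a non-loopback host before listening would prevent that. None of this is compiled in unless the build passes the `pprof` tag, which packages/netbird/default.nix does not.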