
migrate to trimounts

dusk 8ee102ba 63697dca

+2139 -184
+22 -27
dns/dnsconfig.js
··· 3 3 4 4 var WOLUMONDE_IP = "23.88.101.188"; 5 5 var DZWONEK_IP = "94.237.26.47"; 6 + var TRIMOUNTS_IP = "159.195.58.28"; 6 7 7 8 D( 8 9 "gaze.systems", 9 10 REG_NONE, 10 11 DnsProvider(DSP_CLOUDFLARE), 11 12 DefaultTTL(1), 12 - A("@", WOLUMONDE_IP, CF_PROXY_OFF), 13 - A("doc", WOLUMONDE_IP, CF_PROXY_OFF), 14 - A("git", WOLUMONDE_IP, CF_PROXY_OFF), 15 - A("limbus", WOLUMONDE_IP, CF_PROXY_OFF), 16 - A("pmart", WOLUMONDE_IP, CF_PROXY_OFF), 13 + A("@", TRIMOUNTS_IP, CF_PROXY_OFF, TTL(60)), 14 + A("doc", TRIMOUNTS_IP, CF_PROXY_OFF), 15 + A("pmart", TRIMOUNTS_IP, CF_PROXY_OFF), 17 16 // A("webhook", WOLUMONDE_IP, CF_PROXY_OFF), 18 - A("dash", WOLUMONDE_IP, CF_PROXY_OFF), // perses 19 - A("knot", WOLUMONDE_IP, CF_PROXY_OFF), 20 - A("spindle", WOLUMONDE_IP, CF_PROXY_OFF), 21 - A("skeetdeck", WOLUMONDE_IP, CF_PROXY_OFF), 22 - A("likes", WOLUMONDE_IP, CF_PROXY_OFF), 23 - A("id", WOLUMONDE_IP, CF_PROXY_OFF), 24 - A("test", WOLUMONDE_IP, CF_PROXY_OFF), 25 - // atp handles 26 - A("dawn", WOLUMONDE_IP, CF_PROXY_OFF), 27 - A("guestbook", WOLUMONDE_IP, CF_PROXY_OFF), 28 - A("drew", WOLUMONDE_IP, CF_PROXY_OFF), 29 - A("eris", WOLUMONDE_IP, CF_PROXY_OFF), 17 + A("dash", TRIMOUNTS_IP, CF_PROXY_OFF), // perses 18 + A("knot", TRIMOUNTS_IP, CF_PROXY_OFF, TTL(60)), 19 + A("spindle", TRIMOUNTS_IP, CF_PROXY_OFF, TTL(60)), 20 + A("id", TRIMOUNTS_IP, CF_PROXY_OFF), 21 + // atp 22 + A("guestbook", TRIMOUNTS_IP, CF_PROXY_OFF), 30 23 // dzwonek 31 24 A("vpn", DZWONEK_IP, CF_PROXY_OFF), 32 25 // A("meow", WOLUMONDE_IP, CF_PROXY_OFF), ··· 54 47 TXT("send.poke", "v=spf1 include:amazonses.com ~all"), 55 48 // atproto 56 49 TXT("_atproto.eris", "did=did:plc:bxjnsrfzozl365rsdo5yvuz5", TTL(60)), 57 - // TXT("_atproto", "did=did:plc:dfl62fgb7wtjj3fcbb72naae", TTL(60)), 58 - // TXT("_atproto.dusk", "did=did:plc:dfl62fgb7wtjj3fcbb72naae", TTL(60)), 50 + TXT("_atproto.drew", "did=did:plc:vo6ie3kd6xvpjlof4pnb2zzp", TTL(60)), 59 51 ); 60 52 61 53 D( ··· 63 55 REG_NONE, 64 56 DnsProvider(DSP_CLOUDFLARE), 
65 57 DefaultTTL(1), 66 - A("@", WOLUMONDE_IP, CF_PROXY_ON), 58 + A("@", TRIMOUNTS_IP, CF_PROXY_ON), 67 59 TXT("@", "a data endpoint for entity with serial id /90008/."), 68 60 TXT( 69 61 "@", ··· 79 71 ), 80 72 // atproto 81 73 // TXT("_atproto", "did=did:plc:dfl62fgb7wtjj3fcbb72naae"), 74 + IGNORE_NAME("_acme-challenge"), 82 75 ); 83 76 84 77 D( ··· 86 79 REG_NONE, 87 80 DnsProvider(DSP_CLOUDFLARE), 88 81 DefaultTTL(1), 89 - A("@", WOLUMONDE_IP, CF_PROXY_OFF), 82 + A("@", TRIMOUNTS_IP, CF_PROXY_OFF), 90 83 TXT("@", "v=spf1 -all"), 91 84 TXT("_dmarc", "v=DMARC1; p=reject;"), 85 + TXT("_atproto", "did=did:plc:dfl62fgb7wtjj3fcbb72naae", TTL(60)), 86 + IGNORE_NAME("_acme-challenge"), 92 87 ); 93 88 94 89 var EMAIL_TTL = 86400; ··· 98 93 REG_NONE, 99 94 DnsProvider(DSP_CLOUDFLARE), 100 95 DefaultTTL(1), 101 - A("@", WOLUMONDE_IP, CF_PROXY_OFF), 102 - A("test", WOLUMONDE_IP, CF_PROXY_OFF), 96 + A("@", TRIMOUNTS_IP, CF_PROXY_OFF), 103 97 A("nucleus", DZWONEK_IP, CF_PROXY_OFF), 104 98 A("trill", DZWONEK_IP, CF_PROXY_OFF), 105 99 // atproto 106 100 TXT("_atproto", "did=did:plc:dfl62fgb7wtjj3fcbb72naae"), 107 - A("nil", WOLUMONDE_IP, CF_PROXY_OFF), 108 101 TXT("_atproto.nil", "did=did:plc:dumbmutt4po52ept2tczimje"), 109 102 TXT("_atproto.june", "did=did:plc:y3z2rr7q5rywu4fjn3fmfyop"), 110 103 // june ··· 159 152 ), 160 153 161 154 // mta-sts 162 - A("mta-sts", WOLUMONDE_IP, CF_PROXY_OFF), 155 + A("mta-sts", TRIMOUNTS_IP, CF_PROXY_OFF), 163 156 TXT("_mta-sts", "v=STSv1; id=20250930T1945", TTL(EMAIL_TTL)), 164 157 165 158 // autoconfig 166 - A("autoconfig", WOLUMONDE_IP, CF_PROXY_OFF), 167 - A("autodiscover", WOLUMONDE_IP, CF_PROXY_OFF), 159 + A("autoconfig", TRIMOUNTS_IP, CF_PROXY_OFF), 160 + A("autodiscover", TRIMOUNTS_IP, CF_PROXY_OFF), 168 161 169 162 // autodiscovery 170 163 SRV( ··· 178 171 SRV("_submissions._tcp", 0, 1, 465, "smtp.migadu.com.", TTL(EMAIL_TTL)), 179 172 SRV("_imaps._tcp", 0, 1, 993, "imap.migadu.com.", TTL(EMAIL_TTL)), 180 173 SRV("_pop3s._tcp", 0, 1, 
995, "pop.migadu.com.", TTL(EMAIL_TTL)), 174 + 175 + IGNORE_NAME("_acme-challenge"), 181 176 );
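Review bot: The added `IGNORE_NAME("_acme-challenge")` entries name only the apex label, while the certificates set up in this commit add subdomains (`mta-sts`, `autoconfig`, `knot`, `dash`, …) through `extraDomainNames`, whose DNS-01 records live at `_acme-challenge.<sub>`. If DNSControl matches the pattern against the whole label, as I understand it does, a `dnscontrol push` during issuance or renewal would delete those challenge TXT records; a glob pattern that also covers `_acme-challenge.*` would avoid that, and is worth confirming against the DNSControl docs. The first `gaze.systems` block, which carries most of the subdomains, shows no `IGNORE_NAME` in the visible hunks; if it is not in the elided lines, it needs one too.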
+18 -18
flake.lock
··· 9 9 "rust-overlay": "rust-overlay" 10 10 }, 11 11 "locked": { 12 - "lastModified": 1764153295, 13 - "narHash": "sha256-Y+Cp19zLo5JZVLSbzpyCTSK1bVYfE3Leuut6nQVkdR4=", 12 + "lastModified": 1764351487, 13 + "narHash": "sha256-7XJcTfz0dPhBd7nfyjcFxT1LIIctJZ2LthiI2Ltd7zY=", 14 14 "owner": "chaotic-cx", 15 15 "repo": "nyx", 16 - "rev": "29c49282c9b2e8216004a87086494defe401fee8", 16 + "rev": "2031f4a0507d0f7ab3e1aaff4c027a010feee447", 17 17 "type": "github" 18 18 }, 19 19 "original": { ··· 45 45 ] 46 46 }, 47 47 "locked": { 48 - "lastModified": 1764075860, 49 - "narHash": "sha256-KYEIHCBBw+/lwKsJNRNoUxBB4ZY2LK0G0T8f+0i65q0=", 48 + "lastModified": 1764194569, 49 + "narHash": "sha256-iUM9ktarEzThkayyZrzQ7oycPshAY2XRQqVKz0xX/L0=", 50 50 "owner": "nix-community", 51 51 "repo": "home-manager", 52 - "rev": "295d90e22d557ccc3049dc92460b82f372cd3892", 52 + "rev": "9651819d75f6c7ffaf8a9227490ac704f29659f0", 53 53 "type": "github" 54 54 }, 55 55 "original": { ··· 67 67 ] 68 68 }, 69 69 "locked": { 70 - "lastModified": 1763714684, 71 - "narHash": "sha256-ZNJPAaeSYQTDgvwwE8XHhCz4HiHqYoUyoXdoBE2nxug=", 70 + "lastModified": 1764275117, 71 + "narHash": "sha256-DRcv8Y0BnWm4ZhUQnaYk1dNzC6ZhA2W9Vv5Jl4n0RbE=", 72 72 "owner": "Jovian-Experiments", 73 73 "repo": "Jovian-NixOS", 74 - "rev": "6178d787ee61b8586fdb0ccb8644fbfd5317d0f3", 74 + "rev": "96023dcc9a0febaaa3b91f447b9ae2fbe86f2923", 75 75 "type": "github" 76 76 }, 77 77 "original": { ··· 105 105 }, 106 106 "nixpkgs": { 107 107 "locked": { 108 - "lastModified": 1763966396, 109 - "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", 108 + "lastModified": 1764242076, 109 + "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=", 110 110 "owner": "NixOS", 111 111 "repo": "nixpkgs", 112 - "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", 112 + "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4", 113 113 "type": "github" 114 114 }, 115 115 "original": { ··· 121 121 }, 122 122 "nixpkgs_2": { 123 123 "locked": { 124 - 
"lastModified": 1763966396, 125 - "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", 124 + "lastModified": 1764242076, 125 + "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=", 126 126 "owner": "NixOS", 127 127 "repo": "nixpkgs", 128 - "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", 128 + "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4", 129 129 "type": "github" 130 130 }, 131 131 "original": { ··· 149 149 ] 150 150 }, 151 151 "locked": { 152 - "lastModified": 1764038373, 153 - "narHash": "sha256-M6w2wNBRelcavoDAyFL2iO4NeWknD40ASkH1S3C0YGM=", 152 + "lastModified": 1764211126, 153 + "narHash": "sha256-p5y13PnMZYd5WdHk+XCzyUaLGBUCwnz2n4KYKEZM0Pw=", 154 154 "owner": "oxalica", 155 155 "repo": "rust-overlay", 156 - "rev": "ab3536fe850211a96673c6ffb2cb88aab8071cc9", 156 + "rev": "895935bff08cfcfb663fb9c8263c43596e7cd1ed", 157 157 "type": "github" 158 158 }, 159 159 "original": {
+1 -3
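--- a/hosts/chernobog/default.nix
+++ b/hosts/chernobog/default.nix
@@ -49,12 +49,10 @@
 noto-fonts
 noto-fonts-cjk-serif
 noto-fonts-cjk-sans
-noto-fonts-emoji
+noto-fonts-color-emoji
 font-awesome
 source-han-serif
 source-han-sans
-source-han-sans-japanese
-source-han-serif-japanese
 comic-mono
 comic-relief
 ];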
+22 -2
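--- a/hosts/chernobog/modules/vr.nix
+++ b/hosts/chernobog/modules/vr.nix
@@ -25,7 +25,27 @@
 };
 };
 
-# programs.envision.enable = true;
+environment.systemPackages = with pkgs; [ wlx-overlay-s eepyxr wayvr-dashboard xrizer ];
 
-environment.systemPackages = with pkgs; [ wlx-overlay-s eepyxr wayvr-dashboard ];
+home-manager.sharedModules = [{
+xdg.configFile."openvr/openvrpaths.vrpath".text = ''
+{
+"config" :
+[
+"/home/mayer/.local/share/Steam/config"
+],
+"external_drivers" : null,
+"jsonid" : "vrpathreg",
+"log" :
+[
+"/home/mayer/.local/share/Steam/logs"
+],
+"runtime" :
+[
+${pkgs.xrizer}/lib/xrizer"
+],
+"version" : 1
+}
+'';
+}];
 }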
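Review bot: The `runtime` entry of the generated `openvrpaths.vrpath` (new line 45) reads `${pkgs.xrizer}/lib/xrizer"` with no opening quote, so the file is not valid JSON and the runtime lookup will presumably fail to parse it; it should be `"${pkgs.xrizer}/lib/xrizer"`. The file is installed through `home-manager.sharedModules`, which applies to every home-manager user, while the `config` and `log` paths hard-code `/home/mayer`; scoping the module to that user or deriving the paths from the user's home directory would avoid writing one user's paths into another's config. Generating the text with `builtins.toJSON` would rule out this kind of quoting mistake.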
+1 -1
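--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -29,7 +29,7 @@
 systems = {
 # lungmen = "x86_64-linux";
 # tkaronto = "x86_64-linux";
-wolumonde = allPkgsSets.x86_64-linux;
+# wolumonde = allPkgsSets.x86_64-linux;
 # wsl = allPkgsSets.x86_64-linux;
 dzwonek = allPkgsSets.x86_64-linux;
 volsinii = allPkgsSets.x86_64-linux;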
-3
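--- a/hosts/dzwonek/modules/nginx.nix
+++ b/hosts/dzwonek/modules/nginx.nix
@@ -1,13 +1,10 @@
 {
-lib,
 inputs,
-pkgs,
 ...
 }:
 {
 services.nginx = {
 enable = true;
-package = pkgs.nginxQuic;
 recommendedTlsSettings = true;
 recommendedOptimisation = true;
 recommendedGzipSettings = true;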
+38
hosts/trimounts/modules/atproto.nix
··· 1 + { pkgs, lib, ... }: 2 + let 3 + getFileType = name: if lib.hasSuffix ".json" name then "application/json" else "text/plain"; 4 + mkWellKnownCfg = files: { 5 + quic = true; 6 + kTLS = true; 7 + locations = ( 8 + lib.mapAttrs' (name: file: { 9 + name = "=/.well-known/${name}"; 10 + value = { 11 + extraConfig = '' 12 + alias ${file}; 13 + add_header access-control-allow-origin *; 14 + default_type ${getFileType name}; 15 + ''; 16 + }; 17 + }) files 18 + ); 19 + }; 20 + mkDidWebCfg = domain: { 21 + "${domain}" = 22 + (mkWellKnownCfg { 23 + "did.json" = ../../../secrets/${domain}.did; 24 + "atproto-did" = pkgs.writeText "server" "did:web:${domain}"; 25 + }) 26 + // (lib.optionalAttrs (lib.hasSuffix "gaze.systems" domain) { 27 + useACMEHost = "gaze.systems"; 28 + forceSSL = true; 29 + quic = true; 30 + kTLS = true; 31 + }); 32 + }; 33 + guestbookDid = "guestbook.gaze.systems"; 34 + in 35 + { 36 + security.acme.certs."gaze.systems".extraDomainNames = [guestbookDid]; 37 + services.nginx.virtualHosts = mkDidWebCfg guestbookDid; 38 + }
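Review bot: `did.json` is read from `../../../secrets/${domain}.did` as a plain path, which copies it into the world-readable Nix store, unlike the `.age` files used elsewhere in this commit. That is fine for a DID document, which is public by design, but a comment such as `# public DID document; intentionally not age-encrypted` would stop a later reader from treating the `secrets/` location as a confidentiality guarantee. `quic` and `kTLS` are set in `mkWellKnownCfg` and again in the `optionalAttrs` branch; one of the two can go.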
+58
hosts/trimounts/modules/email.nix
··· 1 + { pkgs, ... }: 2 + { 3 + security.acme.certs."ptr.pet".extraDomainNames = [ 4 + "mta-sts.ptr.pet" 5 + "autoconfig.ptr.pet" 6 + "autodiscover.ptr.pet" 7 + ]; 8 + services.nginx.virtualHosts."ptr.pet" = { 9 + useACMEHost = "ptr.pet"; 10 + quic = true; 11 + kTLS = true; 12 + forceSSL = true; 13 + locations."/mail/config-v1.1.xml" = { 14 + return = "301 https://autoconfig.migadu.com/mail/config-v1.1.xml"; 15 + }; 16 + locations."/Autodiscover/Autodiscover.xml" = { 17 + return = "301 https://autodiscover.migadu.com/Autodiscover/Autodiscover.xml"; 18 + }; 19 + }; 20 + services.nginx.virtualHosts."mta-sts.ptr.pet" = 21 + let 22 + file = pkgs.writeText "mta-sts.txt" '' 23 + version: STSv1 24 + mode: enforce 25 + mx: aspmx1.migadu.com 26 + mx: aspmx2.migadu.com 27 + max_age: 31557600 28 + ''; 29 + in 30 + { 31 + useACMEHost = "ptr.pet"; 32 + quic = true; 33 + kTLS = true; 34 + forceSSL = true; 35 + locations."=/.well-known/mta-sts.txt".extraConfig = '' 36 + alias ${file}; 37 + default_type text/plain; 38 + ''; 39 + }; 40 + services.nginx.virtualHosts."autoconfig.ptr.pet" = { 41 + useACMEHost = "ptr.pet"; 42 + quic = true; 43 + kTLS = true; 44 + forceSSL = true; 45 + locations."/" = { 46 + return = "301 https://autoconfig.migadu.com$request_uri"; 47 + }; 48 + }; 49 + services.nginx.virtualHosts."autodiscover.ptr.pet" = { 50 + useACMEHost = "ptr.pet"; 51 + quic = true; 52 + kTLS = true; 53 + forceSSL = true; 54 + locations."/" = { 55 + return = "301 https://autodiscover.migadu.com$request_uri"; 56 + }; 57 + }; 58 + }
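Review bot: The MTA-STS policy is served with `mode: enforce` and `max_age: 31557600`, so sending servers may cache it for about a year, and nothing here ties the policy text to the `_mta-sts` TXT id kept in dns/dnsconfig.js. A comment above the `pkgs.writeText` call, for example `# any change to mx/mode must be paired with a new id in the _mta-sts TXT record`, would keep the two in step; without that, an MX change can leave senders enforcing a stale policy and rejecting delivery.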
+47
hosts/trimounts/modules/limbusart.nix
··· 1 + { 2 + inputs, 3 + pkgs, 4 + lib, 5 + ... 6 + }: 7 + let 8 + pkg = pkgs.callPackage "${inputs.limbusart}/package.nix" { }; 9 + domain = "pmart.gaze.systems"; 10 + in 11 + { 12 + systemd.services.limbusart = { 13 + description = "limbusart"; 14 + wantedBy = [ "multi-user.target" ]; 15 + after = [ "network.target" ]; 16 + serviceConfig = lib.mkMerge [ 17 + { 18 + User = "limbusart"; 19 + ExecStart = "${pkg}/bin/limbusart"; 20 + Restart = "on-failure"; 21 + RestartSec = 5; 22 + WorkingDirectory = "/var/lib/limbusart"; 23 + EnvironmentFile = pkgs.writeText "limbusart.conf" '' 24 + ARTS_PATH="arts.txt" 25 + SITE_TITLE="random pm art" 26 + EMBED_TITLE="random pm art here!!" 27 + EMBED_DESC="click NOW to see random pm art" 28 + EMBED_COLOR="#bd0000" 29 + ''; 30 + } 31 + ]; 32 + }; 33 + users.users.limbusart = { 34 + isSystemUser = true; 35 + group = "limbusart"; 36 + }; 37 + users.groups.limbusart = { }; 38 + 39 + security.acme.certs."gaze.systems".extraDomainNames = [domain]; 40 + services.nginx.virtualHosts.${domain} = { 41 + useACMEHost = "gaze.systems"; 42 + forceSSL = true; 43 + quic = true; 44 + kTLS = true; 45 + locations."/".proxyPass = "http://localhost:3000"; 46 + }; 47 + }
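Review bot: `WorkingDirectory = "/var/lib/limbusart"` is set but nothing in this unit creates that directory, so on a freshly migrated host the service fails at chdir unless the directory is provisioned elsewhere; adding `StateDirectory = "limbusart";` lets systemd create it with the right owner. The same applies to `nsid-tracker-client` in nsid-tracker.nix, where `DynamicUser = true` is combined with `WorkingDirectory = "/var/lib/nsid-tracker"`. Because this service sits behind a public vhost, basic sandboxing such as `ProtectSystem = "strict";` and `NoNewPrivileges = true;` would be a cheap addition once the state directory is declared. The `lib.mkMerge` around a single attribute set can be dropped.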
+3
hosts/trimounts/modules/mosh.nix
··· 1 + { 2 + programs.mosh.enable = true; 3 + }
+134
hosts/trimounts/modules/nginx.nix
··· 1 + { 2 + config, 3 + lib, 4 + inputs, 5 + ... 6 + }: 7 + { 8 + services.nginx = { 9 + enable = true; 10 + recommendedTlsSettings = true; 11 + recommendedOptimisation = true; 12 + recommendedGzipSettings = true; 13 + recommendedProxySettings = true; 14 + # /nginx_status 15 + statusPage = true; 16 + }; 17 + 18 + networking.firewall.allowedTCPPorts = [ 80 443 ]; 19 + 20 + # output json logs so we can consume them more easily 21 + services.nginx.appendHttpConfig = '' 22 + log_format json_logs escape=json '{' 23 + '"_msg":"request completed",' 24 + '"time":"$time_local",' 25 + '"req.remoteAddr":"$remote_addr",' 26 + '"req.method":"$request_method",' 27 + '"req.url":"$uri",' 28 + '"req.httpVersion":"$server_protocol",' 29 + '"res.statusCode":$status,' 30 + '"res.bodySize":$body_bytes_sent,' 31 + '"req.headers.id":"$request_id",' 32 + '"req.headers.referer":"$http_referer",' 33 + '"req.headers.user-agent":"$http_user_agent",' 34 + '"requestTime":$request_time' 35 + '}'; 36 + access_log /var/log/nginx/access.log json_logs; 37 + ''; 38 + 39 + users.users.nginx.extraGroups = [ "acme" ]; 40 + 41 + age.secrets.cfDnsEditToken.file = ../../../secrets/cloudflareDnsEdit.age; 42 + security.acme = { 43 + acceptTerms = true; 44 + defaults = { 45 + group = "nginx"; 46 + email = (import "${inputs.self}/personal.nix").emails.primary; 47 + dnsProvider = "cloudflare"; 48 + credentialFiles = { 49 + CF_DNS_API_TOKEN_FILE = config.age.secrets.cfDnsEditToken.path; 50 + }; 51 + }; 52 + certs."poor.dog" = { }; 53 + certs."ptr.pet" = { }; 54 + certs."gaze.systems" = { }; 55 + }; 56 + services.nginx.virtualHosts."gaze.systems" = { 57 + quic = true; 58 + kTLS = true; 59 + useACMEHost = "gaze.systems"; 60 + forceSSL = true; 61 + }; 62 + services.nginx.virtualHosts."poor.dog" = { 63 + quic = true; 64 + kTLS = true; 65 + useACMEHost = "poor.dog"; 66 + forceSSL = true; 67 + }; 68 + services.nginx.virtualHosts."ptr.pet" = { 69 + quic = true; 70 + kTLS = true; 71 + useACMEHost = "ptr.pet"; 72 + 
forceSSL = true; 73 + }; 74 + 75 + services.fluent-bit.settings = { 76 + parsers = [ 77 + { 78 + name = "nginx_json"; 79 + format = "json"; 80 + time_key = "time"; 81 + time_format = "%d/%b/%Y:%H:%M:%S %z"; 82 + } 83 + ]; 84 + pipeline = { 85 + inputs = [ 86 + { 87 + name = "nginx_metrics"; 88 + tag = "metrics.nginx"; 89 + status_url = "/nginx_status"; 90 + nginx_plus = false; 91 + } 92 + { 93 + name = "tail"; 94 + tag = "logs.nginx"; 95 + path = "/var/log/nginx/*.log"; 96 + db = "/var/lib/fluent-bit/nginx-access.db"; 97 + "db.locking" = true; 98 + buffer_chunk_size = "4m"; 99 + buffer_max_size = "32m"; 100 + parser = "nginx_json"; 101 + } 102 + ]; 103 + filters = [ 104 + { 105 + name = "modify"; 106 + match = "logs.nginx"; 107 + Add = [ "name nginx" ]; 108 + } 109 + ]; 110 + }; 111 + }; 112 + 113 + # need so fluent-bit can access nginx 114 + systemd.services.fluent-bit.serviceConfig.SupplementaryGroups = lib.mkForce "systemd-journal nginx"; 115 + 116 + services.vmalert.instances."".rules.groups = [ 117 + { 118 + name = "nginx-logs"; 119 + type = "vlogs"; 120 + interval = "1m"; 121 + rules = [ 122 + { 123 + record = "nginx_request_count"; 124 + expr = "name:nginx | stats (res.statusCode) count() as total_requests"; 125 + } 126 + { 127 + record = "nginx_request_latency"; 128 + # filter out subscribeRepos requests because they are long polling http L 129 + expr = "name:nginx | filter req.url:!/xrpc/com.atproto.sync.subscribeRepos | stats avg(requestTime) avg, quantile(0.5, requestTime) p50, quantile(0.9, requestTime) p90, quantile(0.99, requestTime) p99"; 130 + } 131 + ]; 132 + } 133 + ]; 134 + }
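Review bot: `security.acme.defaults.group = "nginx"` makes the certificate private keys readable by the `nginx` group, and further down fluent-bit is given that same group through `SupplementaryGroups = lib.mkForce "systemd-journal nginx"` so it can read the access logs. Assuming the NixOS ACME module keeps key files group-readable, the log shipper thereby gains read access to every TLS private key on the host. `users.users.nginx.extraGroups = [ "acme" ]` is already set, so removing `group = "nginx";` from `defaults` should keep nginx working while the `nginx` group only gates the logs. Separately, every vhost sets `quic = true` but this file opens only TCP 80 and 443; unless UDP 443 is allowed elsewhere, HTTP/3 will not be reachable.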
+65
hosts/trimounts/modules/nsid-tracker.nix
··· 1 + { 2 + pkgs, 3 + terra, 4 + inputs, 5 + ... 6 + }: 7 + let 8 + client-modules = pkgs.callPackage "${inputs.nsid-tracker}/nix/client-modules.nix" { }; 9 + client = pkgs.callPackage "${inputs.nsid-tracker}/nix/client.nix" { 10 + PUBLIC_API_URL = "gaze.systems/nsid-tracker/api"; 11 + inherit client-modules; 12 + }; 13 + # server = terra.nsid-tracker-server; 14 + port = 3713; 15 + in 16 + { 17 + systemd.services.nsid-tracker-client = { 18 + description = "nsid-tracker-client"; 19 + wantedBy = [ "multi-user.target" ]; 20 + after = [ "network.target" ]; 21 + environment = { 22 + # ORIGIN = "https://gaze.systems"; 23 + PORT = toString port; 24 + }; 25 + serviceConfig = { 26 + DynamicUser = true; 27 + ExecStart = "${client}/bin/website"; 28 + Restart = "on-failure"; 29 + RestartSec = 5; 30 + WorkingDirectory = "/var/lib/nsid-tracker"; 31 + }; 32 + }; 33 + 34 + systemd.services.nsid-tracker-keep-alive = { 35 + description = "keeps nsid-tracker peer connection alive"; 36 + wantedBy = [ "multi-user.target" ]; 37 + after = [ "network.target" ]; 38 + serviceConfig = { 39 + Type = "oneshot"; 40 + ExecStart = "${pkgs.curl}/bin/curl http://dusk-devel-mobi:${toString port}/events"; 41 + }; 42 + }; 43 + systemd.timers.nsid-tracker-keep-alive.timerConfig = { 44 + OnBootSec = "5 min"; 45 + OnUnitActiveSec = "5 min"; 46 + Unit = "nsid-tracker-keep-alive.service"; 47 + }; 48 + 49 + services.nginx.virtualHosts."gaze.systems" = { 50 + locations."/nsid-tracker/api" = { 51 + proxyPass = "http://100.64.0.6:${toString port}/"; 52 + proxyWebsockets = true; 53 + extraConfig = '' 54 + rewrite ^/nsid-tracker/api/(.*) /$1 break; 55 + ''; 56 + }; 57 + locations."/nsid-tracker".return = "301 /nsid-tracker/"; 58 + locations."/nsid-tracker/" = { 59 + proxyPass = "http://localhost:${toString port}/"; 60 + extraConfig = '' 61 + rewrite ^/nsid-tracker/(.*)$ /$1 break; 62 + ''; 63 + }; 64 + }; 65 + }
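Review bot: The keep-alive unit runs `curl http://dusk-devel-mobi:…/events` as a `oneshot` with no timeout and no failure flag, so an HTTP error still counts as success and, if `/events` is a streaming endpoint as the name suggests, the unit never finishes activating and the 5-minute timer cannot fire again. Passing `--fail --silent --max-time 30` to curl (or setting `TimeoutStartSec`) would make the intended behaviour explicit. The API location proxies in plaintext to the hard-coded address `http://100.64.0.6:…` while the keep-alive uses the host name `dusk-devel-mobi`; if these are the same machine, one named binding would keep the two from drifting apart.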
+104
hosts/trimounts/modules/perses.nix/default.nix
··· 1 + { 2 + pkgs, 3 + config, 4 + ... 5 + }: 6 + let 7 + domain = "dash.gaze.systems"; 8 + port = 7412; 9 + user = "perses"; 10 + 11 + provisionFolder = "provisioning"; 12 + provisioningFolder = "${config.users.users.${user}.home}/${provisionFolder}"; 13 + 14 + persesConfig = { 15 + database.file = { 16 + folder = config.users.users.${user}.home; 17 + extension = "json"; 18 + }; 19 + provisioning.folders = [ provisioningFolder ]; 20 + security = { 21 + enable_auth = true; 22 + authentication = { 23 + providers = { 24 + enable_native = false; 25 + oidc = [ 26 + { 27 + slug_id = "pocketid"; 28 + name = "Pocket ID"; 29 + client_id = "aa583db6-e03c-4490-853a-7f2b3e089fbe"; 30 + issuer = config.services.pocket-id.settings.APP_URL; 31 + scopes = [ "openid profile email" ]; 32 + } 33 + ]; 34 + }; 35 + disable_sign_up = false; 36 + }; 37 + cookie = { 38 + same_site = "strict"; 39 + secure = true; 40 + }; 41 + }; 42 + }; 43 + persesConfigYaml = pkgs.writers.writeYAML "config.yaml" persesConfig; 44 + 45 + secrets = config.age.secrets; 46 + in 47 + { 48 + environment.systemPackages = [ pkgs.perses ]; 49 + 50 + users.users.${user} = { 51 + isNormalUser = true; 52 + group = user; 53 + home = "/var/lib/${user}"; 54 + createHome = true; 55 + uid = 1001; 56 + }; 57 + users.groups.${user} = { 58 + gid = 976; 59 + }; 60 + 61 + age.secrets.persesSecret = { 62 + file = ../../../../secrets/persesSecret.age; 63 + owner = user; 64 + group = user; 65 + }; 66 + 67 + systemd.services.perses = { 68 + description = "perses"; 69 + after = [ 70 + "network.target" 71 + "pocket-id.service" 72 + ]; 73 + requires = [ "pocket-id.service" ]; 74 + serviceConfig = { 75 + ExecStart = "${pkgs.perses}/bin/perses --config=${persesConfigYaml} --web.listen-address=:${toString port} --log.level=info"; 76 + EnvironmentFile = secrets.persesSecret.path; 77 + WorkingDirectory = config.users.users.${user}.home; 78 + }; 79 + }; 80 + systemd.services.perses.preStart = '' 81 + rm -rf ${provisioningFolder} && mkdir 
-p ${provisioningFolder} 82 + cp -f ${./provision}/* ${provisioningFolder} 83 + ''; 84 + 85 + security.acme.certs."gaze.systems".extraDomainNames = [ domain ]; 86 + services.nginx.virtualHosts.${domain} = { 87 + useACMEHost = "gaze.systems"; # TODO: write a module to define vhosts for subdomains 88 + quic = true; 89 + kTLS = true; 90 + forceSSL = true; 91 + locations."/" = { 92 + proxyPass = "http://localhost:${toString port}"; 93 + }; 94 + }; 95 + 96 + # scrape perses metrics 97 + services.victoriametrics.prometheusConfig.scrape_configs = [ 98 + { 99 + job_name = "perses"; 100 + metrics_path = "/metrics"; 101 + static_configs = [ { targets = [ "localhost:${toString port}" ]; } ]; 102 + } 103 + ]; 104 + }
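Review bot: `systemd.services.perses.serviceConfig` sets no `User`, so Perses and its `preStart` (`rm -rf ${provisioningFolder}`) run as root even though a dedicated `perses` user is created and the age secret is owned by it; adding `User = user; Group = user;` would match the rest of the module. The account is declared with `isNormalUser = true`, which gives a service identity a login shell; `isSystemUser = true` fits better, and the fixed `uid` and `home` can stay. The unit also has no `wantedBy`, so unless something else pulls it in it will not start at boot. `scopes = [ "openid profile email" ]` is a single list element; three separate entries are the expected form.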
+3
hosts/trimounts/modules/perses.nix/provision/1-private-infra.yaml
··· 1 + kind: Project 2 + metadata: 3 + name: private-infra
+9
hosts/trimounts/modules/perses.nix/provision/2-admin-role.yaml
··· 1 + - kind: GlobalRole 2 + metadata: 3 + name: admin 4 + spec: 5 + permissions: 6 + - actions: 7 + - '*' 8 + scopes: 9 + - '*'
+8
hosts/trimounts/modules/perses.nix/provision/3-admin-bind-role.yaml
··· 1 + - kind: GlobalRoleBinding 2 + metadata: 3 + name: admin 4 + spec: 5 + role: admin 6 + subjects: 7 + - kind: User 8 + name: 90008
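Review bot: This binding grants the wildcard `admin` role to whoever holds the Perses user name `90008`, and default.nix leaves `disable_sign_up = false` with OIDC as the only login path. Who can end up with that name therefore depends on how Perses derives a user name from the Pocket ID claims, which is not visible here; if it comes from a claim the user can edit, the binding is weaker than it looks. A comment recording which claim `90008` corresponds to, plus `disable_sign_up = true` once the intended accounts exist, would make the intent checkable. The guest binding in 7-guest-role-bind.yaml rests on the same mapping.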
+12
hosts/trimounts/modules/perses.nix/provision/4-victoria.yaml
··· 1 + - kind: GlobalDatasource 2 + metadata: 3 + name: victoria 4 + spec: 5 + default: true 6 + plugin: 7 + kind: PrometheusDatasource 8 + spec: 9 + proxy: 10 + kind: HTTPProxy 11 + spec: 12 + url: http://localhost:8428
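Review bot: The `victoria` datasource is an `HTTPProxy` to `http://localhost:8428` with no `allowedEndpoints`, and 6-guest-role.yaml gives guests `read` on `GlobalDatasource`. As far as I can tell, that lets any guest send arbitrary requests to VictoriaMetrics through the Perses proxy rather than only the queries the dashboards use. Restricting the proxy with an `allowedEndpoints` list limited to the read-only query paths (`/api/v1/query`, `/api/v1/query_range`, `/api/v1/labels`, `/api/v1/series`) would keep the guest role read-only in practice.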
+12
hosts/trimounts/modules/perses.nix/provision/6-guest-role.yaml
··· 1 + - kind: GlobalRole 2 + metadata: 3 + name: guest 4 + spec: 5 + permissions: 6 + - actions: 7 + - 'read' 8 + scopes: 9 + - 'Dashboard' 10 + - 'Project' 11 + - 'Datasource' 12 + - 'GlobalDatasource'
+8
hosts/trimounts/modules/perses.nix/provision/7-guest-role-bind.yaml
··· 1 + - kind: GlobalRoleBinding 2 + metadata: 3 + name: guest 4 + spec: 5 + role: guest 6 + subjects: 7 + - kind: User 8 + name: sorryu02
+454
hosts/trimounts/modules/perses.nix/provision/90-wolumonde.yaml
··· 1 + kind: Dashboard 2 + metadata: 3 + name: wolumonde 4 + createdAt: 0001-01-01T00:00:00Z 5 + updatedAt: 0001-01-01T00:00:00Z 6 + version: 0 7 + project: private-infra 8 + spec: 9 + panels: 10 + "0_0": 11 + kind: Panel 12 + spec: 13 + display: 14 + name: load over 5 min 15 + plugin: 16 + kind: GaugeChart 17 + spec: 18 + calculation: mean 19 + format: 20 + unit: percent 21 + max: 100 22 + queries: 23 + - kind: TimeSeriesQuery 24 + spec: 25 + plugin: 26 + kind: PrometheusTimeSeriesQuery 27 + spec: 28 + query: node_load5 * 100 / count(count(node_cpu_seconds_total) by (cpu)) 29 + seriesNameFormat: load % 30 + "0_1": 31 + kind: Panel 32 + spec: 33 + display: 34 + name: cpu usage 35 + plugin: 36 + kind: GaugeChart 37 + spec: 38 + calculation: mean 39 + format: 40 + unit: percent 41 + max: 100 42 + queries: 43 + - kind: TimeSeriesQuery 44 + spec: 45 + plugin: 46 + kind: PrometheusTimeSeriesQuery 47 + spec: 48 + query: sum by (cpu) (rate(node_cpu_seconds_total{mode=~"user|system"}[1m])) * 100 49 + seriesNameFormat: cpu {{cpu}} 50 + "0_2": 51 + kind: Panel 52 + spec: 53 + display: 54 + name: memory usage 55 + plugin: 56 + kind: GaugeChart 57 + spec: 58 + calculation: mean 59 + format: 60 + unit: percent 61 + max: 100 62 + queries: 63 + - kind: TimeSeriesQuery 64 + spec: 65 + plugin: 66 + kind: PrometheusTimeSeriesQuery 67 + spec: 68 + query: (node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) * 100 / node_memory_MemTotal_bytes 69 + seriesNameFormat: memory usage % 70 + "0_3": 71 + kind: Panel 72 + spec: 73 + display: 74 + name: disk usage / 75 + plugin: 76 + kind: GaugeChart 77 + spec: 78 + calculation: last 79 + format: 80 + unit: percent 81 + max: 100 82 + queries: 83 + - kind: TimeSeriesQuery 84 + spec: 85 + plugin: 86 + kind: PrometheusTimeSeriesQuery 87 + spec: 88 + query: (node_filesystem_size_bytes{mountpoint="/"} - node_filesystem_free_bytes{mountpoint="/"}) * 100 / node_filesystem_size_bytes{mountpoint="/"} 89 + seriesNameFormat: disk usage % 90 + 
"0_4": 91 + kind: Panel 92 + spec: 93 + display: 94 + name: load over 5 min 95 + plugin: 96 + kind: TimeSeriesChart 97 + spec: 98 + yAxis: 99 + max: 2 100 + queries: 101 + - kind: TimeSeriesQuery 102 + spec: 103 + plugin: 104 + kind: PrometheusTimeSeriesQuery 105 + spec: 106 + query: node_load5 107 + seriesNameFormat: load 108 + "0_5": 109 + kind: Panel 110 + spec: 111 + display: 112 + name: cpu usage 113 + plugin: 114 + kind: TimeSeriesChart 115 + spec: 116 + yAxis: 117 + format: 118 + unit: percent 119 + max: 100 120 + queries: 121 + - kind: TimeSeriesQuery 122 + spec: 123 + plugin: 124 + kind: PrometheusTimeSeriesQuery 125 + spec: 126 + query: sum by (cpu) (rate(node_cpu_seconds_total{mode=~"user|system"}[1m])) * 100 127 + seriesNameFormat: cpu {{cpu}} 128 + "0_6": 129 + kind: Panel 130 + spec: 131 + display: 132 + name: memory usage 133 + plugin: 134 + kind: TimeSeriesChart 135 + spec: 136 + yAxis: 137 + format: 138 + unit: bytes 139 + max: 4e+09 140 + queries: 141 + - kind: TimeSeriesQuery 142 + spec: 143 + plugin: 144 + kind: PrometheusTimeSeriesQuery 145 + spec: 146 + query: node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes 147 + seriesNameFormat: current memory usage 148 + "0_7": 149 + kind: Panel 150 + spec: 151 + display: 152 + name: disk usage / 153 + plugin: 154 + kind: TimeSeriesChart 155 + spec: 156 + yAxis: 157 + format: 158 + unit: bytes 159 + max: 3.8e+10 160 + queries: 161 + - kind: TimeSeriesQuery 162 + spec: 163 + plugin: 164 + kind: PrometheusTimeSeriesQuery 165 + spec: 166 + query: node_filesystem_size_bytes{mountpoint="/"} - node_filesystem_free_bytes{mountpoint="/"} 167 + seriesNameFormat: disk usage 168 + "1_0": 169 + kind: Panel 170 + spec: 171 + display: 172 + name: nginx requests / min 173 + plugin: 174 + kind: TimeSeriesChart 175 + spec: 176 + legend: 177 + position: bottom 178 + size: small 179 + yAxis: 180 + format: 181 + unit: decimal 182 + visual: 183 + display: bar 184 + palette: 185 + mode: categorical 186 + stack: all 
187 + queries: 188 + - kind: TimeSeriesQuery 189 + spec: 190 + plugin: 191 + kind: PrometheusTimeSeriesQuery 192 + spec: 193 + query: nginx_request_count 194 + seriesNameFormat: '{{res.statusCode}}' 195 + "1_1": 196 + kind: Panel 197 + spec: 198 + display: 199 + name: nginx latency / min 200 + plugin: 201 + kind: TimeSeriesChart 202 + spec: 203 + yAxis: 204 + format: 205 + unit: seconds 206 + max: 0.5 207 + queries: 208 + - kind: TimeSeriesQuery 209 + spec: 210 + plugin: 211 + kind: PrometheusTimeSeriesQuery 212 + spec: 213 + query: nginx_request_latency 214 + seriesNameFormat: '{{stats_result}}' 215 + "2_0": 216 + kind: Panel 217 + spec: 218 + display: 219 + name: pds requests / min 220 + plugin: 221 + kind: TimeSeriesChart 222 + spec: 223 + legend: 224 + position: bottom 225 + size: small 226 + yAxis: 227 + format: 228 + unit: decimal 229 + visual: 230 + display: bar 231 + palette: 232 + mode: categorical 233 + stack: all 234 + queries: 235 + - kind: TimeSeriesQuery 236 + spec: 237 + plugin: 238 + kind: PrometheusTimeSeriesQuery 239 + spec: 240 + query: pds_request_count 241 + seriesNameFormat: '{{res.statusCode}}' 242 + "2_1": 243 + kind: Panel 244 + spec: 245 + display: 246 + name: pds latency / min 247 + plugin: 248 + kind: TimeSeriesChart 249 + spec: 250 + yAxis: 251 + format: 252 + unit: milliseconds 253 + max: 500 254 + queries: 255 + - kind: TimeSeriesQuery 256 + spec: 257 + plugin: 258 + kind: PrometheusTimeSeriesQuery 259 + spec: 260 + query: pds_response_latency 261 + seriesNameFormat: '{{stats_result}}' 262 + "3_0": 263 + kind: Panel 264 + spec: 265 + display: 266 + name: gazesys visits 267 + plugin: 268 + kind: BarChart 269 + spec: 270 + calculation: last 271 + queries: 272 + - kind: TimeSeriesQuery 273 + spec: 274 + plugin: 275 + kind: PrometheusTimeSeriesQuery 276 + spec: 277 + query: gazesys_visit_real_total + gazesys_visit_fake_total 278 + seriesNameFormat: total visits 279 + - kind: TimeSeriesQuery 280 + spec: 281 + plugin: 282 + kind: 
PrometheusTimeSeriesQuery 283 + spec: 284 + query: gazesys_visit_fake_total 285 + seriesNameFormat: (ai) bot visits 286 + - kind: TimeSeriesQuery 287 + spec: 288 + plugin: 289 + kind: PrometheusTimeSeriesQuery 290 + spec: 291 + query: gazesys_visit_real_total 292 + seriesNameFormat: real visits 293 + "3_1": 294 + kind: Panel 295 + spec: 296 + display: 297 + name: gazesys pet 298 + plugin: 299 + kind: StatChart 300 + spec: 301 + calculation: last 302 + format: 303 + unit: decimal 304 + shortValues: true 305 + queries: 306 + - kind: TimeSeriesQuery 307 + spec: 308 + plugin: 309 + kind: PrometheusTimeSeriesQuery 310 + spec: 311 + query: gazesys_pet_bounce_total 312 + seriesNameFormat: bounce count 313 + - kind: TimeSeriesQuery 314 + spec: 315 + plugin: 316 + kind: PrometheusTimeSeriesQuery 317 + spec: 318 + query: gazesys_pet_distance_total 319 + seriesNameFormat: distance travelled 320 + "4_0": 321 + kind: Panel 322 + spec: 323 + display: 324 + name: anubis policy actions 325 + plugin: 326 + kind: BarChart 327 + spec: 328 + calculation: last 329 + queries: 330 + - kind: TimeSeriesQuery 331 + spec: 332 + plugin: 333 + kind: PrometheusTimeSeriesQuery 334 + spec: 335 + query: anubis_policy_results 336 + seriesNameFormat: '{{action}}: {{rule}}' 337 + layouts: 338 + - kind: Grid 339 + spec: 340 + display: 341 + title: resource usage 342 + items: 343 + - x: 0 344 + "y": 0 345 + width: 6 346 + height: 6 347 + content: 348 + $ref: '#/spec/panels/0_0' 349 + - x: 6 350 + "y": 0 351 + width: 6 352 + height: 6 353 + content: 354 + $ref: '#/spec/panels/0_1' 355 + - x: 12 356 + "y": 0 357 + width: 6 358 + height: 6 359 + content: 360 + $ref: '#/spec/panels/0_2' 361 + - x: 18 362 + "y": 0 363 + width: 6 364 + height: 6 365 + content: 366 + $ref: '#/spec/panels/0_3' 367 + - x: 0 368 + "y": 6 369 + width: 6 370 + height: 6 371 + content: 372 + $ref: '#/spec/panels/0_4' 373 + - x: 6 374 + "y": 6 375 + width: 6 376 + height: 6 377 + content: 378 + $ref: '#/spec/panels/0_5' 379 + - x: 
12 380 + "y": 6 381 + width: 6 382 + height: 6 383 + content: 384 + $ref: '#/spec/panels/0_6' 385 + - x: 18 386 + "y": 6 387 + width: 6 388 + height: 6 389 + content: 390 + $ref: '#/spec/panels/0_7' 391 + - kind: Grid 392 + spec: 393 + display: 394 + title: nginx metrics 395 + items: 396 + - x: 0 397 + "y": 0 398 + width: 8 399 + height: 6 400 + content: 401 + $ref: '#/spec/panels/1_0' 402 + - x: 8 403 + "y": 0 404 + width: 8 405 + height: 6 406 + content: 407 + $ref: '#/spec/panels/1_1' 408 + - kind: Grid 409 + spec: 410 + display: 411 + title: pds metrics 412 + items: 413 + - x: 0 414 + "y": 0 415 + width: 8 416 + height: 6 417 + content: 418 + $ref: '#/spec/panels/2_0' 419 + - x: 8 420 + "y": 0 421 + width: 8 422 + height: 6 423 + content: 424 + $ref: '#/spec/panels/2_1' 425 + - kind: Grid 426 + spec: 427 + display: 428 + title: gazesys 429 + items: 430 + - x: 0 431 + "y": 0 432 + width: 8 433 + height: 6 434 + content: 435 + $ref: '#/spec/panels/3_0' 436 + - x: 8 437 + "y": 0 438 + width: 8 439 + height: 6 440 + content: 441 + $ref: '#/spec/panels/3_1' 442 + - kind: Grid 443 + spec: 444 + display: 445 + title: forgejo 446 + items: 447 + - x: 0 448 + "y": 0 449 + width: 8 450 + height: 6 451 + content: 452 + $ref: '#/spec/panels/4_0' 453 + duration: 30m 454 + refreshInterval: 1m
+6
hosts/trimounts/modules/tangled.nix/default.nix
··· 1 + { 2 + imports = [ 3 + ./knot.nix 4 + ./spindle.nix 5 + ]; 6 + }
+39
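--- a/hosts/trimounts/modules/tangled.nix/knot.nix
+++ b/hosts/trimounts/modules/tangled.nix/knot.nix
@@ -0,0 +1,39 @@
+{
+config,
+inputs,
+terra,
+...
+}:
+let
+knotCfg = config.services.tangled.knot;
+in
+{
+imports = [
+"${inputs.tangled}/nix/modules/knot.nix"
+];
+
+services.tangled.knot = {
+enable = true;
+package = terra.tangled-knot;
+gitUser = "git";
+motdFile = ./motd;
+server = {
+listenAddr = "0.0.0.0:7777";
+hostname = "knot.gaze.systems";
+owner = "did:plc:dfl62fgb7wtjj3fcbb72naae";
+};
+};
+
+security.acme.certs."gaze.systems".extraDomainNames = [ knotCfg.server.hostname ];
+
+services.nginx.virtualHosts.${knotCfg.server.hostname} = {
+useACMEHost = "gaze.systems";
+forceSSL = true;
+quic = true;
+kTLS = true;
+locations."/" = {
+proxyPass = "http://${knotCfg.server.listenAddr}";
+proxyWebsockets = true;
+};
+};
+}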
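Review bot: `listenAddr = "0.0.0.0:7777"` binds the knot on every interface even though nginx on the same host is the TLS front end, so unless a firewall rule outside this file closes 7777, the plain-HTTP port can be reached directly and `forceSSL` is bypassed. The same string is reused in `proxyPass = "http://${knotCfg.server.listenAddr}"`, which makes nginx use `0.0.0.0` as its upstream address. Binding to loopback fixes both: `listenAddr = "127.0.0.1:7777";`. spindle.nix repeats the pattern with `0.0.0.0:7391`.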
+5
hosts/trimounts/modules/tangled.nix/motd
··· 1 + 2 + ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓ 3 + ┃ *paws at your commits* arf :3c ┃ 4 + ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛ 5 +
+64
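--- a/hosts/trimounts/modules/tangled.nix/spindle.nix
+++ b/hosts/trimounts/modules/tangled.nix/spindle.nix
@@ -0,0 +1,64 @@
+{
+lib,
+config,
+inputs,
+terra,
+...
+}:
+let
+spindleCfg = config.services.tangled.spindle;
+in
+{
+imports = [
+"${inputs.tangled}/nix/modules/spindle.nix"
+];
+
+services.tangled.spindle = {
+enable = true;
+package = terra.tangled-spindle;
+server = {
+listenAddr = "0.0.0.0:7391";
+hostname = "spindle.gaze.systems";
+owner = "did:plc:dfl62fgb7wtjj3fcbb72naae";
+# secrets = {
+# provider = "openbao";
+# openbao.proxyAddr = "http://spindle.bao.lan.gaze.systems";
+# };
+secrets.provider = "sqlite";
+};
+};
+users.users.spindle = {
+group = "spindle";
+isSystemUser = true;
+};
+users.groups.spindle = { };
+users.groups.podman.members = [ "spindle" ];
+systemd.services.spindle = {
+# after = lib.mkForce [ "network.target" "openbao-proxy-spindle.service" ];
+serviceConfig = {
+User = "spindle";
+Group = "spindle";
+};
+};
+
+security.acme.certs."gaze.systems".extraDomainNames = [ spindleCfg.server.hostname ];
+
+services.nginx.virtualHosts.${spindleCfg.server.hostname} = {
+useACMEHost = "gaze.systems";
+forceSSL = true;
+quic = true;
+kTLS = true;
+locations."/" = {
+proxyPass = "http://${spindleCfg.server.listenAddr}";
+proxyWebsockets = true;
+};
+};
+
+virtualisation.docker.enable = lib.mkForce false;
+virtualisation.podman = {
+enable = true;
+autoPrune.enable = true;
+dockerCompat = true;
+dockerSocket.enable = true;
+};
+}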
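Review bot: `users.groups.podman.members = [ "spindle" ]` combined with `dockerSocket.enable = true` lets the network-facing spindle service drive the system Podman socket, and membership of that group is root-equivalent on the host. That makes the dedicated `spindle` user a weaker boundary than `User = "spindle"` suggests. At minimum the file should record this, e.g. `# podman group is root-equivalent: anything spindle runs can control the system socket`. Presumably pipeline jobs are the reason for the socket, so it is worth confirming who may trigger them. With the OpenBao block commented out, `secrets.provider = "sqlite"` also keeps pipeline secrets on the same host, which deserves a similar one-line note.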
+85
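--- a/hosts/trimounts/modules/website.nix
+++ b/hosts/trimounts/modules/website.nix
@@ -0,0 +1,85 @@
+{
+config,
+pkgs,
+inputs,
+...
+}:
+let
+PUBLIC_BASE_URL = "https://gaze.systems";
+modules = (pkgs.callPackage "${inputs.blog}/nix/modules.nix" { }).overrideAttrs (_: {
+outputHash = "sha256-rzfSfiK8FSNFR+1QTwM/ltLZBprG9BoQsPmOt6IdXFc=";
+});
+pkg = pkgs.callPackage "${inputs.blog}/nix" {
+inherit PUBLIC_BASE_URL;
+gazesys-modules = modules;
+};
+port = 3003;
+in
+{
+users.users.website = {
+isSystemUser = true;
+group = "website";
+};
+users.groups.website = { };
+
+age.secrets.websiteConfig.file = ../../../secrets/websiteConfig.age;
+
+systemd.services.website = {
+description = "website";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+environment = {
+HOME = "/var/lib/website";
+ORIGIN = PUBLIC_BASE_URL;
+PORT = toString port;
+WEBSITE_DATA_DIR = "/var/lib/website";
+VITE_CLOUDINARY_CLOUD_NAME = "dgtwf7mar";
+};
+serviceConfig = {
+User = "website";
+ExecStart = "${pkg}/bin/website";
+Restart = "on-failure";
+RestartSec = 5;
+WorkingDirectory = "/var/lib/website";
+EnvironmentFile = config.age.secrets.websiteConfig.path;
+KillSignal = "SIGKILL";
+};
+};
+
+# systemd.services.annoy-keep-alive = {
+# description = "keeps annoy peer connection alive";
+# wantedBy = [ "multi-user.target" ];
+# after = [ "network.target" ];
+# serviceConfig = {
+# Type = "oneshot";
+# ExecStart = "${pkgs.curl}/bin/curl http://100.64.0.1:3111/";
+# };
+# };
+# systemd.timers.annoy-keep-alive.timerConfig = {
+# OnBootSec = "5 min";
+# OnUnitActiveSec = "5 min";
+# Unit = "annoy-keep-alive.service";
+# };
+
+services.nginx.virtualHosts."gaze.systems" = {
+locations."/".proxyPass = "http://localhost:${toString port}";
+locations."/annoy/ws/" = {
+proxyWebsockets = true;
+proxyPass = "http://100.64.0.9:3111/";
+extraConfig = ''
+rewrite ^/annoy/ws/(.*) /$1 break;
+'';
+};
+locations."/annoy/ws" = {
+proxyWebsockets = true;
+proxyPass = "http://100.64.0.9:3111/";
+extraConfig = ''
+rewrite ^/annoy/ws(.*) /$1 break;
+'';
+};
+};
+
+services.nginx.virtualHosts."poor.dog" = {
+locations."/".return = "301 https://gaze.systems$request_uri";
+};
+}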
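Review bot: The `website` unit's `serviceConfig` runs a public-facing process with secrets loaded through `EnvironmentFile` but sets no sandboxing. `/var/lib/website` serves as `HOME`, `WEBSITE_DATA_DIR` and `WorkingDirectory`, yet nothing in this file creates it, which matters on a freshly provisioned host. Adding `StateDirectory = "website";` would create the directory owned by the service user. With that in place, `ProtectSystem = "strict";` and `NoNewPrivileges = true;` can be added without breaking the service's writes to its data directory. `KillSignal = "SIGKILL"` also needs a why-comment, since it removes any chance of a clean shutdown.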
+28
hosts/wolumonde/modules/arpa.disabled
··· 1 + { pkgs, ... }: 2 + let 3 + index = pkgs.writeText "index.txt" '' 4 + hi there~ 5 + 6 + you are currently interfacing with one of the data endpoints 7 + of entity with serial id /90008/. you may want to open a 8 + connection to https://gaze.systems/about for more data. 9 + 10 + /discord 90.008/ 11 + /bsky @poor.dog/ 12 + /email 90008@gaze.systems/ 13 + 14 + /dig +short TXT 9.0.0.0.8.e.f.1.5.0.7.4.0.1.0.0.2.ip6.arpa/ 15 + ''; 16 + root = pkgs.runCommand "root" { } '' 17 + mkdir -p $out 18 + ln -s ${index} $out/index.txt 19 + ''; 20 + in 21 + { 22 + services.nginx.virtualHosts."9.0.0.0.8.e.f.1.5.0.7.4.0.1.0.0.2.ip6.arpa" = { 23 + inherit root; 24 + locations."/".index = "index.txt"; 25 + quic = true; 26 + kTLS = true; 27 + }; 28 + }
hosts/wolumonde/modules/arpa.nix hosts/trimounts/modules/arpa.nix
hosts/wolumonde/modules/atproto.nix hosts/wolumonde/modules/atproto.disabled
+2
hosts/wolumonde/modules/blog.nix hosts/wolumonde/modules/website.nix
··· 22 22 }; 23 23 users.groups.website = { }; 24 24 25 + age.secrets.websiteConfig.file = ../../../secrets/websiteConfig.age; 26 + 25 27 systemd.services.website = { 26 28 description = "website"; 27 29 wantedBy = [ "multi-user.target" ];
+29
hosts/wolumonde/modules/clickee-proxy.disabled
··· 1 + { config, terra, ... }: 2 + let 3 + port = 7145; 4 + in 5 + { 6 + age.secrets.clickeeProxyConfig = { 7 + file = ../../../secrets/clickeeProxyConfig.age; 8 + }; 9 + 10 + systemd.services.clickee-proxy = { 11 + description = "clickee-proxy"; 12 + wantedBy = [ "multi-user.target" ]; 13 + after = [ "network.target" ]; 14 + environment = { 15 + PORT = toString port; 16 + }; 17 + serviceConfig = { 18 + DynamicUser = true; 19 + ExecStart = "${terra.clickee-proxy}/bin/clickee-proxy"; 20 + Restart = "on-failure"; 21 + RestartSec = 5; 22 + EnvironmentFile = config.age.secrets.clickeeProxyConfig.path; 23 + }; 24 + }; 25 + 26 + services.nginx.virtualHosts."poor.dog" = { 27 + locations."/click".proxyPass = "http://localhost:${toString port}"; 28 + }; 29 + }
hosts/wolumonde/modules/clickee-proxy.nix hosts/trimounts/modules/clickee-proxy.nix
hosts/wolumonde/modules/email.nix hosts/wolumonde/modules/email.disabled
+33
hosts/wolumonde/modules/fluentbit.disabled
··· 1 + { 2 + pkgs, 3 + config, 4 + lib, 5 + ... 6 + }: 7 + { 8 + services.fluent-bit = { 9 + enable = true; 10 + settings = { 11 + service.flush = 1; 12 + pipeline.inputs = [ 13 + { 14 + name = "node_exporter_metrics"; 15 + tag = "metrics.node"; 16 + scrape_interval = 5; 17 + } 18 + # { 19 + # name = "dummy"; 20 + # tag = "logs.dummy"; 21 + # dummy = ''{"_msg": "dummy"}''; 22 + # } 23 + { 24 + name = "fluentbit_metrics"; 25 + tag = "metrics.fluentbit"; 26 + scrape_interval = 5; 27 + } 28 + ]; 29 + }; 30 + }; 31 + 32 + systemd.services.fluent-bit.serviceConfig.StateDirectory = "fluent-bit"; 33 + }
hosts/wolumonde/modules/fluentbit.nix hosts/trimounts/modules/fluentbit.nix
hosts/wolumonde/modules/forgejo.nix/default.nix hosts/wolumonde/modules/forgejo.disabled/default.nix
hosts/wolumonde/modules/forgejo.nix/public/assets/css/theme-edge-dark.css hosts/wolumonde/modules/forgejo.disabled/public/assets/css/theme-edge-dark.css
hosts/wolumonde/modules/forgejo.nix/public/assets/fonts/comic.woff2 hosts/wolumonde/modules/forgejo.disabled/public/assets/fonts/comic.woff2
hosts/wolumonde/modules/forgejo.nix/public/assets/fonts/comicbd.woff2 hosts/wolumonde/modules/forgejo.disabled/public/assets/fonts/comicbd.woff2
hosts/wolumonde/modules/forgejo.nix/public/assets/fonts/comici.woff2 hosts/wolumonde/modules/forgejo.disabled/public/assets/fonts/comici.woff2
hosts/wolumonde/modules/forgejo.nix/public/assets/img/favicon.png hosts/wolumonde/modules/forgejo.disabled/public/assets/img/favicon.png
hosts/wolumonde/modules/forgejo.nix/public/assets/img/grrr.webp hosts/wolumonde/modules/forgejo.disabled/public/assets/img/grrr.webp
hosts/wolumonde/modules/forgejo.nix/public/assets/img/logo.png hosts/wolumonde/modules/forgejo.disabled/public/assets/img/logo.png
hosts/wolumonde/modules/forgejo.nix/public/assets/img/wecode.gif hosts/wolumonde/modules/forgejo.disabled/public/assets/img/wecode.gif
hosts/wolumonde/modules/forgejo.nix/templates/base/head.tmpl hosts/wolumonde/modules/forgejo.disabled/templates/base/head.tmpl
hosts/wolumonde/modules/forgejo.nix/templates/base/head_navbar.tmpl hosts/wolumonde/modules/forgejo.disabled/templates/base/head_navbar.tmpl
hosts/wolumonde/modules/forgejo.nix/templates/home.tmpl hosts/wolumonde/modules/forgejo.disabled/templates/home.tmpl
+28
hosts/wolumonde/modules/hedgedoc.disabled
··· 1 + { config, ... }: 2 + let 3 + cfg = config.services.hedgedoc.settings; 4 + in 5 + { 6 + services.hedgedoc = { 7 + enable = true; 8 + settings = { 9 + port = 3333; 10 + domain = "doc.gaze.systems"; 11 + protocolUseSSL = true; 12 + allowEmailRegister = false; 13 + allowAnonymous = false; 14 + allowAnonymousEdits = true; 15 + allowFreeURL = true; 16 + requireFreeURLAuthentication = true; 17 + }; 18 + }; 19 + 20 + security.acme.certs."gaze.systems".extraDomainNames = [ cfg.domain ]; 21 + services.nginx.virtualHosts.${cfg.domain} = { 22 + useACMEHost = "gaze.systems"; 23 + forceSSL = true; 24 + quic = true; 25 + kTLS = true; 26 + locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}"; 27 + }; 28 + }
hosts/wolumonde/modules/hedgedoc.nix hosts/trimounts/modules/hedgedoc.nix
hosts/wolumonde/modules/limbusart.nix hosts/wolumonde/modules/limbusart.disabled
+67 -61
hosts/wolumonde/modules/nginx.nix
··· 1 1 { 2 + config, 2 3 lib, 3 4 inputs, 4 - pkgs, 5 5 ... 6 6 }: 7 7 { 8 8 services.nginx = { 9 9 enable = true; 10 - package = pkgs.nginxQuic; 11 10 recommendedTlsSettings = true; 12 11 recommendedOptimisation = true; 13 12 recommendedGzipSettings = true; ··· 40 39 41 40 users.users.nginx.extraGroups = [ "acme" ]; 42 41 42 + age.secrets.cfDnsEditToken.file = ../../../secrets/cloudflareDnsEdit.age; 43 43 security.acme = { 44 44 acceptTerms = true; 45 - defaults.email = (import "${inputs.self}/personal.nix").emails.primary; 46 - defaults.webroot = "/var/lib/acme/acme-challenge"; 45 + defaults = { 46 + group = "nginx"; 47 + email = (import "${inputs.self}/personal.nix").emails.primary; 48 + dnsProvider = "cloudflare"; 49 + credentialFiles = { 50 + CF_DNS_API_TOKEN_FILE = config.age.secrets.cfDnsEditToken.path; 51 + }; 52 + }; 47 53 certs."poor.dog" = { }; 48 54 certs."ptr.pet" = { }; 49 55 certs."gaze.systems" = { }; ··· 67 73 forceSSL = true; 68 74 }; 69 75 70 - services.fluent-bit.settings = { 71 - parsers = [ 72 - { 73 - name = "nginx_json"; 74 - format = "json"; 75 - time_key = "time"; 76 - time_format = "%d/%b/%Y:%H:%M:%S %z"; 77 - } 78 - ]; 79 - pipeline = { 80 - inputs = [ 81 - { 82 - name = "nginx_metrics"; 83 - tag = "metrics.nginx"; 84 - status_url = "/nginx_status"; 85 - nginx_plus = false; 86 - } 87 - { 88 - name = "tail"; 89 - tag = "logs.nginx"; 90 - path = "/var/log/nginx/*.log"; 91 - db = "/var/lib/fluent-bit/nginx-access.db"; 92 - "db.locking" = true; 93 - buffer_chunk_size = "4m"; 94 - buffer_max_size = "32m"; 95 - parser = "nginx_json"; 96 - } 97 - ]; 98 - filters = [ 99 - { 100 - name = "modify"; 101 - match = "logs.nginx"; 102 - Add = [ "name nginx" ]; 103 - } 104 - ]; 105 - }; 106 - }; 76 + # services.fluent-bit.settings = { 77 + # parsers = [ 78 + # { 79 + # name = "nginx_json"; 80 + # format = "json"; 81 + # time_key = "time"; 82 + # time_format = "%d/%b/%Y:%H:%M:%S %z"; 83 + # } 84 + # ]; 85 + # pipeline = { 86 + # inputs = [ 87 + # { 88 + 
# name = "nginx_metrics"; 89 + # tag = "metrics.nginx"; 90 + # status_url = "/nginx_status"; 91 + # nginx_plus = false; 92 + # } 93 + # { 94 + # name = "tail"; 95 + # tag = "logs.nginx"; 96 + # path = "/var/log/nginx/*.log"; 97 + # db = "/var/lib/fluent-bit/nginx-access.db"; 98 + # "db.locking" = true; 99 + # buffer_chunk_size = "4m"; 100 + # buffer_max_size = "32m"; 101 + # parser = "nginx_json"; 102 + # } 103 + # ]; 104 + # filters = [ 105 + # { 106 + # name = "modify"; 107 + # match = "logs.nginx"; 108 + # Add = [ "name nginx" ]; 109 + # } 110 + # ]; 111 + # }; 112 + # }; 107 113 108 - # need so fluent-bit can access nginx 109 - systemd.services.fluent-bit.serviceConfig.SupplementaryGroups = lib.mkForce "systemd-journal nginx"; 114 + # # need so fluent-bit can access nginx 115 + # systemd.services.fluent-bit.serviceConfig.SupplementaryGroups = lib.mkForce "systemd-journal nginx"; 110 116 111 - services.vmalert.instances."".rules.groups = [ 112 - { 113 - name = "nginx-logs"; 114 - type = "vlogs"; 115 - interval = "1m"; 116 - rules = [ 117 - { 118 - record = "nginx_request_count"; 119 - expr = "name:nginx | stats (res.statusCode) count() as total_requests"; 120 - } 121 - { 122 - record = "nginx_request_latency"; 123 - # filter out subscribeRepos requests because they are long polling http L 124 - expr = "name:nginx | filter req.url:!/xrpc/com.atproto.sync.subscribeRepos | stats avg(requestTime) avg, quantile(0.5, requestTime) p50, quantile(0.9, requestTime) p90, quantile(0.99, requestTime) p99"; 125 - } 126 - ]; 127 - } 128 - ]; 117 + # services.vmalert.instances."".rules.groups = [ 118 + # { 119 + # name = "nginx-logs"; 120 + # type = "vlogs"; 121 + # interval = "1m"; 122 + # rules = [ 123 + # { 124 + # record = "nginx_request_count"; 125 + # expr = "name:nginx | stats (res.statusCode) count() as total_requests"; 126 + # } 127 + # { 128 + # record = "nginx_request_latency"; 129 + # # filter out subscribeRepos requests because they are long polling http L 130 + # 
expr = "name:nginx | filter req.url:!/xrpc/com.atproto.sync.subscribeRepos | stats avg(requestTime) avg, quantile(0.5, requestTime) p50, quantile(0.9, requestTime) p90, quantile(0.99, requestTime) p99"; 131 + # } 132 + # ]; 133 + # } 134 + # ]; 129 135 }
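Review bot: Moving ACME to DNS-01 places a Cloudflare DNS-edit credential (`CF_DNS_API_TOKEN_FILE = config.age.secrets.cfDnsEditToken.path`) on the public web host, and nothing near `age.secrets.cfDnsEditToken` records how narrowly that token is scoped. A comment above the secret, such as `# token scope: DNS edit on poor.dog, ptr.pet and gaze.systems only`, would make the blast radius of a host compromise auditable. With `defaults.group = "nginx"` now set, the retained `users.users.nginx.extraGroups = [ "acme" ]` looks redundant and could be checked. The fluent-bit and vmalert blocks would be cleaner deleted than commented out, since git history keeps them. The `security.acme` attribute set continues beyond the visible hunk.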
hosts/wolumonde/modules/nsid-tracker.nix hosts/wolumonde/modules/nsid-tracker.disabled
+152
hosts/wolumonde/modules/pds.disabled
··· 1 + { lib, config, ... }: 2 + let 3 + pdsLocalhost = "http://localhost:${toString config.services.bluesky-pds.settings.PDS_PORT}"; 4 + in 5 + { 6 + services.nginx.virtualHosts.${config.services.bluesky-pds.settings.PDS_HOSTNAME} = { 7 + useACMEHost = "gaze.systems"; 8 + forceSSL = true; 9 + locations = { 10 + # we need to proxy /xrpc for pds to work 11 + # silly but i want root domain >:3 12 + "/xrpc" = { 13 + proxyPass = pdsLocalhost; 14 + proxyWebsockets = true; 15 + # pass ws headers so we can actually proxy the ws 16 + extraConfig = '' 17 + proxy_set_header id $request_id; 18 + client_max_body_size 100M; 19 + ''; 20 + # higher prio just to make sure 21 + priority = 100; 22 + }; 23 + "/xrpc/app.bsky.unspecced.getAgeAssuranceState".extraConfig = '' 24 + default_type application/json; 25 + add_header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy" always; 26 + add_header access-control-allow-origin "*" always; 27 + return 200 '{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}'; 28 + ''; 29 + } 30 + # others 31 + // (lib.genAttrs 32 + [ 33 + "/account" 34 + "/@atproto" 35 + "/oauth" 36 + "=/.well-known/oauth-protected-resource" 37 + "=/.well-known/oauth-authorization-server" 38 + ] 39 + (_: { 40 + proxyPass = pdsLocalhost; 41 + # higher prio just to make sure 42 + priority = 100; 43 + }) 44 + ); 45 + }; 46 + # setup pds stuff 47 + services.bluesky-pds = { 48 + enable = true; 49 + settings = { 50 + PDS_HOSTNAME = "gaze.systems"; 51 + PDS_PORT = 1334; 52 + 53 + PDS_SERVICE_NAME = ''"gazing at the sky"''; 54 + PDS_LOGO_URL = "https://gaze.systems/icons/gaze_site.webp"; 55 + 56 + PDS_RATE_LIMITS_ENABLED = "true"; 57 + PDS_INVITE_REQUIRED = "true"; 58 + 59 + PDS_DID_PLC_URL = "https://plc.directory"; 60 + PDS_BSKY_APP_VIEW_URL = "https://api.bsky.app"; 61 + PDS_BSKY_APP_VIEW_DID = "did:web:api.bsky.app"; 62 + PDS_REPORT_SERVICE_URL = "https://mod.bsky.app"; 63 + PDS_REPORT_SERVICE_DID = 
"did:plc:ar7c4by46qjdydhdevvrndac"; 64 + PDS_CRAWLERS = "https://bsky.network"; 65 + }; 66 + environmentFiles = [ config.age.secrets.pdsConfig.path ]; 67 + }; 68 + 69 + # services.fluent-bit.settings = { 70 + # parsers = [ 71 + # { 72 + # name = "pds_json"; 73 + # format = "json"; 74 + # time_key = "time"; 75 + # time_strict = false; 76 + # } 77 + # ]; 78 + # pipeline = { 79 + # inputs = [ 80 + # { 81 + # name = "systemd"; 82 + # tag = "logs.pds"; 83 + # systemd_filter = "_SYSTEMD_UNIT=bluesky-pds.service"; 84 + # } 85 + # ]; 86 + # filters = [ 87 + # { 88 + # name = "parser"; 89 + # match = "logs.pds"; 90 + # key_name = "MESSAGE"; 91 + # parser = "pds_json"; 92 + # } 93 + # { 94 + # name = "modify"; 95 + # match = "logs.pds"; 96 + # Rename = [ "msg _msg" ]; 97 + # } 98 + # ]; 99 + # }; 100 + # }; 101 + 102 + # services.vmalert.instances."".rules.groups = [ 103 + # { 104 + # name = "pds-logs"; 105 + # type = "vlogs"; 106 + # interval = "1m"; 107 + # rules = [ 108 + # { 109 + # record = "pds_request_count"; 110 + # expr = "name:pds | stats (res.statusCode) count() as total_requests"; 111 + # } 112 + # { 113 + # record = "pds_response_latency"; 114 + # expr = "name:pds | stats avg(responseTime) avg, quantile(0.5, responseTime) p50, quantile(0.9, responseTime) p90, quantile(0.99, responseTime) p99"; 115 + # } 116 + # ]; 117 + # } 118 + # ]; 119 + 120 + # virtualisation = { 121 + # podman = { 122 + # enable = true; 123 + # dockerCompat = true; 124 + # defaultNetwork.settings.dns_enabled = true; 125 + # }; 126 + # oci-containers.containers = { 127 + # pds = { 128 + # image = "ghcr.io/bluesky-social/pds:0.4"; 129 + # autoStart = true; 130 + # environmentFiles = [ ./pds.env config.age.secrets.pdsConfig.path ]; 131 + # ports = [ "1334:1334" ]; 132 + # volumes = [ 133 + # "/var/lib/pds:/pds" 134 + # ]; 135 + # extraOptions = [ 136 + # #"--network=host" 137 + # "--label=io.containers.autoupdate=registry" 138 + # ]; 139 + # }; 140 + # }; 141 + # }; 142 + # # This is the 
podman auto-update systemd timer. 143 + # # If I start to rely on podman auto-update more, I should move this out of the PDS definition. 144 + # systemd.timers."podman-auto-update" = { 145 + # enable = true; 146 + # timerConfig = { 147 + # OnCalendar = "*-*-* 4:00:00"; 148 + # Persistent = true; 149 + # }; 150 + # wantedBy = [ "timers.target" ]; 151 + # }; 152 + }
+2 -33
hosts/wolumonde/modules/pds.nix hosts/trimounts/modules/pds.nix
··· 3 3 pdsLocalhost = "http://localhost:${toString config.services.bluesky-pds.settings.PDS_PORT}"; 4 4 in 5 5 { 6 + age.secrets.pdsConfig.file = ../../../secrets/pdsConfig.age; 7 + 6 8 services.nginx.virtualHosts.${config.services.bluesky-pds.settings.PDS_HOSTNAME} = { 7 9 useACMEHost = "gaze.systems"; 8 10 forceSSL = true; ··· 116 118 ]; 117 119 } 118 120 ]; 119 - 120 - # virtualisation = { 121 - # podman = { 122 - # enable = true; 123 - # dockerCompat = true; 124 - # defaultNetwork.settings.dns_enabled = true; 125 - # }; 126 - # oci-containers.containers = { 127 - # pds = { 128 - # image = "ghcr.io/bluesky-social/pds:0.4"; 129 - # autoStart = true; 130 - # environmentFiles = [ ./pds.env config.age.secrets.pdsConfig.path ]; 131 - # ports = [ "1334:1334" ]; 132 - # volumes = [ 133 - # "/var/lib/pds:/pds" 134 - # ]; 135 - # extraOptions = [ 136 - # #"--network=host" 137 - # "--label=io.containers.autoupdate=registry" 138 - # ]; 139 - # }; 140 - # }; 141 - # }; 142 - # # This is the podman auto-update systemd timer. 143 - # # If I start to rely on podman auto-update more, I should move this out of the PDS definition. 144 - # systemd.timers."podman-auto-update" = { 145 - # enable = true; 146 - # timerConfig = { 147 - # OnCalendar = "*-*-* 4:00:00"; 148 - # Persistent = true; 149 - # }; 150 - # wantedBy = [ "timers.target" ]; 151 - # }; 152 121 }
+2
hosts/wolumonde/modules/perses.disabled/dashboards/.gitignore
··· 1 + # folder used to store the results of the `percli dac build` command 2 + built
+28
hosts/wolumonde/modules/perses.disabled/dashboards/go.mod
··· 1 + module dash 2 + 3 + go 1.24.2 4 + 5 + require ( 6 + github.com/beorn7/perks v1.0.1 // indirect 7 + github.com/cespare/xxhash/v2 v2.3.0 // indirect 8 + github.com/go-jose/go-jose/v4 v4.0.5 // indirect 9 + github.com/jpillora/backoff v1.0.0 // indirect 10 + github.com/muhlemmer/gu v0.3.1 // indirect 11 + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 12 + github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect 13 + github.com/perses/perses v0.50.3 // indirect 14 + github.com/prometheus/client_golang v1.20.5 // indirect 15 + github.com/prometheus/client_model v0.6.1 // indirect 16 + github.com/prometheus/common v0.63.0 // indirect 17 + github.com/prometheus/procfs v0.15.1 // indirect 18 + github.com/zitadel/oidc/v3 v3.36.1 // indirect 19 + github.com/zitadel/schema v1.3.0 // indirect 20 + golang.org/x/crypto v0.36.0 // indirect 21 + golang.org/x/net v0.35.0 // indirect 22 + golang.org/x/oauth2 v0.28.0 // indirect 23 + golang.org/x/sys v0.31.0 // indirect 24 + golang.org/x/text v0.23.0 // indirect 25 + google.golang.org/protobuf v1.36.5 // indirect 26 + gopkg.in/yaml.v2 v2.4.0 // indirect 27 + gopkg.in/yaml.v3 v3.0.1 // indirect 28 + )
+45
hosts/wolumonde/modules/perses.disabled/dashboards/go.sum
··· 1 + github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 2 + github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= 3 + github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= 4 + github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 5 + github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= 6 + github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= 7 + github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= 8 + github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= 9 + github.com/muhlemmer/gu v0.3.1 h1:7EAqmFrW7n3hETvuAdmFmn4hS8W+z3LgKtrnow+YzNM= 10 + github.com/muhlemmer/gu v0.3.1/go.mod h1:YHtHR+gxM+bKEIIs7Hmi9sPT3ZDUvTN/i88wQpZkrdM= 11 + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= 12 + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 13 + github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU= 14 + github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= 15 + github.com/perses/perses v0.50.3 h1:BHlU9qkCFCUSP4HP5p9GwophWcxm5Vnu6Fsrx8Fb/+w= 16 + github.com/perses/perses v0.50.3/go.mod h1:oqfHLOrXERvEqECShqXPjHXqVukQxcoaaTM6ySRF7hU= 17 + github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= 18 + github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= 19 + github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= 20 + github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= 21 + github.com/prometheus/common 
v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k= 22 + github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18= 23 + github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= 24 + github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= 25 + github.com/zitadel/oidc/v3 v3.36.1 h1:1AT1NqKKEqAwx4GmKJZ9fYkWH2WIn/VKMfQ46nBtRf0= 26 + github.com/zitadel/oidc/v3 v3.36.1/go.mod h1:dApGZLvWZTHRuxmcbQlW5d2XVjVYR3vGOdq536igmTs= 27 + github.com/zitadel/schema v1.3.0 h1:kQ9W9tvIwZICCKWcMvCEweXET1OcOyGEuFbHs4o5kg0= 28 + github.com/zitadel/schema v1.3.0/go.mod h1:NptN6mkBDFvERUCvZHlvWmmME+gmZ44xzwRXwhzsbtc= 29 + golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= 30 + golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= 31 + golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8= 32 + golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= 33 + golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc= 34 + golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= 35 + golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= 36 + golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 37 + golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= 38 + golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= 39 + google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= 40 + google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= 41 + gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 42 + gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 43 + gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 44 + 
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 45 + gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+334
hosts/wolumonde/modules/perses.disabled/dashboards/wolumonde.go
··· 1 + package main 2 + 3 + import ( 4 + "flag" 5 + "time" 6 + 7 + "github.com/perses/perses/go-sdk" 8 + "github.com/perses/perses/go-sdk/common" 9 + dash "github.com/perses/perses/go-sdk/dashboard" 10 + "github.com/perses/perses/go-sdk/panel" 11 + panels "github.com/perses/perses/go-sdk/panel-group" 12 + "github.com/perses/perses/go-sdk/panel/bar" 13 + "github.com/perses/perses/go-sdk/panel/gauge" 14 + "github.com/perses/perses/go-sdk/panel/stat" 15 + "github.com/perses/perses/go-sdk/prometheus/query" 16 + 17 + timeSeries "github.com/perses/perses/go-sdk/panel/time-series" 18 + // promDs "github.com/perses/perses/go-sdk/prometheus/datasource" 19 + ) 20 + 21 + func main() { 22 + flag.Parse() 23 + exec := sdk.NewExec() 24 + 25 + var loadPanel = panels.AddPanel("load over 5 min", 26 + timeSeries.Chart( 27 + timeSeries.WithYAxis( 28 + timeSeries.YAxis{ 29 + Max: 2.0, 30 + }, 31 + ), 32 + ), 33 + panel.AddQuery( 34 + query.PromQL( 35 + "node_load5", 36 + query.SeriesNameFormat("load"), 37 + ), 38 + ), 39 + ) 40 + var cpuPanel = panels.AddPanel("cpu usage", 41 + timeSeries.Chart( 42 + timeSeries.WithYAxis( 43 + timeSeries.YAxis{ 44 + Format: &common.Format{ 45 + Unit: "percent", 46 + }, 47 + Max: 100.0, 48 + }, 49 + ), 50 + ), 51 + panel.AddQuery( 52 + query.PromQL( 53 + `sum by (cpu) (rate(node_cpu_seconds_total{mode=~"user|system"}[1m])) * 100`, 54 + query.SeriesNameFormat("cpu {{cpu}}"), 55 + ), 56 + ), 57 + ) 58 + var memoryPanel = panels.AddPanel("memory usage", 59 + timeSeries.Chart( 60 + timeSeries.WithYAxis( 61 + timeSeries.YAxis{ 62 + Format: &common.Format{ 63 + Unit: "bytes", 64 + }, 65 + Max: 4000000000, 66 + }, 67 + ), 68 + ), 69 + panel.AddQuery( 70 + query.PromQL( 71 + "node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes", 72 + query.SeriesNameFormat("current memory usage"), 73 + ), 74 + ), 75 + ) 76 + 77 + var diskPanel = panels.AddPanel("disk usage /", 78 + timeSeries.Chart( 79 + timeSeries.WithYAxis( 80 + timeSeries.YAxis{ 81 + Format: 
&common.Format{ 82 + Unit: "bytes", 83 + }, 84 + Max: 38000000000, 85 + }, 86 + ), 87 + ), 88 + panel.AddQuery( 89 + query.PromQL( 90 + `node_filesystem_size_bytes{mountpoint="/"} - node_filesystem_free_bytes{mountpoint="/"}`, 91 + query.SeriesNameFormat("disk usage"), 92 + ), 93 + ), 94 + ) 95 + 96 + // Gauge versions (percent unit) 97 + var loadGaugePanel = panels.AddPanel("load over 5 min", 98 + gauge.Chart( 99 + gauge.Format(common.Format{Unit: "percent"}), 100 + gauge.Max(100), 101 + gauge.Calculation(common.MeanCalculation), 102 + ), 103 + panel.AddQuery( 104 + query.PromQL( 105 + "node_load5 * 100 / count(count(node_cpu_seconds_total) by (cpu))", 106 + query.SeriesNameFormat("load %"), 107 + ), 108 + ), 109 + ) 110 + var cpuGaugePanel = panels.AddPanel("cpu usage", 111 + gauge.Chart( 112 + gauge.Format(common.Format{Unit: "percent"}), 113 + gauge.Max(100), 114 + gauge.Calculation(common.MeanCalculation), 115 + ), 116 + panel.AddQuery( 117 + query.PromQL( 118 + `sum by (cpu) (rate(node_cpu_seconds_total{mode=~"user|system"}[1m])) * 100`, 119 + query.SeriesNameFormat("cpu {{cpu}}"), 120 + ), 121 + ), 122 + ) 123 + var memoryGaugePanel = panels.AddPanel("memory usage", 124 + gauge.Chart( 125 + gauge.Format(common.Format{Unit: "percent"}), 126 + gauge.Max(100), 127 + gauge.Calculation(common.MeanCalculation), 128 + ), 129 + panel.AddQuery( 130 + query.PromQL( 131 + "(node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) * 100 / node_memory_MemTotal_bytes", 132 + query.SeriesNameFormat("memory usage %"), 133 + ), 134 + ), 135 + ) 136 + var diskGaugePanel = panels.AddPanel("disk usage /", 137 + gauge.Chart( 138 + gauge.Format(common.Format{Unit: "percent"}), 139 + gauge.Max(100), 140 + ), 141 + panel.AddQuery( 142 + query.PromQL( 143 + `(node_filesystem_size_bytes{mountpoint="/"} - node_filesystem_free_bytes{mountpoint="/"}) * 100 / node_filesystem_size_bytes{mountpoint="/"}`, 144 + query.SeriesNameFormat("disk usage %"), 145 + ), 146 + ), 147 + ) 148 + 149 
+ var resPanels = dash.AddPanelGroup("resource usage", 150 + panels.PanelsPerLine(4), 151 + loadGaugePanel, cpuGaugePanel, memoryGaugePanel, diskGaugePanel, 152 + loadPanel, cpuPanel, memoryPanel, diskPanel, 153 + ) 154 + 155 + var nginxPanel = panels.AddPanel("nginx requests / min", 156 + timeSeries.Chart( 157 + timeSeries.WithYAxis( 158 + timeSeries.YAxis{ 159 + Format: &common.Format{ 160 + Unit: "decimal", 161 + }, 162 + }, 163 + ), 164 + timeSeries.WithVisual(timeSeries.Visual{ 165 + Display: timeSeries.BarDisplay, 166 + Palette: timeSeries.Palette{ 167 + Mode: timeSeries.CategoricalMode, 168 + }, 169 + Stack: timeSeries.AllStack, 170 + }), 171 + timeSeries.WithLegend(timeSeries.Legend{ 172 + Position: timeSeries.BottomPosition, 173 + Size: timeSeries.SmallSize, 174 + }), 175 + ), 176 + panel.AddQuery( 177 + query.PromQL( 178 + "nginx_request_count", 179 + query.SeriesNameFormat("{{res.statusCode}}"), 180 + ), 181 + ), 182 + ) 183 + 184 + var nginxLatencyPanel = panels.AddPanel("nginx latency / min", 185 + timeSeries.Chart( 186 + timeSeries.WithYAxis( 187 + timeSeries.YAxis{ 188 + Format: &common.Format{ 189 + Unit: "seconds", 190 + }, 191 + Max: 0.5, 192 + }, 193 + ), 194 + ), 195 + panel.AddQuery( 196 + query.PromQL( 197 + "nginx_request_latency", 198 + query.SeriesNameFormat("{{stats_result}}"), 199 + ), 200 + ), 201 + ) 202 + 203 + var nginxPanels = dash.AddPanelGroup("nginx metrics", 204 + panels.PanelsPerLine(3), 205 + nginxPanel, 206 + nginxLatencyPanel, 207 + ) 208 + 209 + var pdsPanel = panels.AddPanel("pds requests / min", 210 + timeSeries.Chart( 211 + timeSeries.WithYAxis( 212 + timeSeries.YAxis{ 213 + Format: &common.Format{ 214 + Unit: "decimal", 215 + }, 216 + }, 217 + ), 218 + timeSeries.WithVisual(timeSeries.Visual{ 219 + Display: timeSeries.BarDisplay, 220 + Palette: timeSeries.Palette{ 221 + Mode: timeSeries.CategoricalMode, 222 + }, 223 + Stack: timeSeries.AllStack, 224 + }), 225 + timeSeries.WithLegend(timeSeries.Legend{ 226 + Position: 
timeSeries.BottomPosition, 227 + Size: timeSeries.SmallSize, 228 + }), 229 + ), 230 + panel.AddQuery( 231 + query.PromQL( 232 + "pds_request_count", 233 + query.SeriesNameFormat("{{res.statusCode}}"), 234 + ), 235 + ), 236 + ) 237 + 238 + var pdsLatencyPanel = panels.AddPanel("pds latency / min", 239 + timeSeries.Chart( 240 + timeSeries.WithYAxis( 241 + timeSeries.YAxis{ 242 + Format: &common.Format{ 243 + Unit: "milliseconds", 244 + }, 245 + Max: 500, 246 + }, 247 + ), 248 + ), 249 + panel.AddQuery( 250 + query.PromQL( 251 + "pds_response_latency", 252 + query.SeriesNameFormat("{{stats_result}}"), 253 + ), 254 + ), 255 + ) 256 + 257 + var pdsPanels = dash.AddPanelGroup("pds metrics", 258 + panels.PanelsPerLine(3), 259 + pdsPanel, 260 + pdsLatencyPanel, 261 + ) 262 + 263 + var anubisForgejoPanel = panels.AddPanel("anubis policy actions", 264 + bar.Chart(), 265 + panel.AddQuery( 266 + query.PromQL( 267 + "anubis_policy_results", 268 + query.SeriesNameFormat("{{action}}: {{rule}}"), 269 + ), 270 + ), 271 + ) 272 + 273 + var forgejoPanels = dash.AddPanelGroup("forgejo", 274 + panels.PanelsPerLine(3), 275 + anubisForgejoPanel, 276 + ) 277 + 278 + var gazesys_visit_panel = panels.AddPanel("gazesys visits", 279 + bar.Chart(), 280 + panel.AddQuery( 281 + query.PromQL( 282 + "gazesys_visit_real_total + gazesys_visit_fake_total", 283 + query.SeriesNameFormat("total visits"), 284 + ), 285 + ), 286 + panel.AddQuery( 287 + query.PromQL( 288 + "gazesys_visit_fake_total", 289 + query.SeriesNameFormat("(ai) bot visits"), 290 + ), 291 + ), 292 + panel.AddQuery( 293 + query.PromQL( 294 + "gazesys_visit_real_total", 295 + query.SeriesNameFormat("real visits"), 296 + ), 297 + ), 298 + ) 299 + 300 + var gazesys_pet_panel = panels.AddPanel("gazesys pet", 301 + stat.Chart( 302 + stat.Format(common.Format{ 303 + Unit: "decimal", 304 + ShortValues: true, 305 + DecimalPlaces: 0, 306 + }), 307 + ), 308 + panel.AddQuery( 309 + query.PromQL( 310 + "gazesys_pet_bounce_total", 311 + 
query.SeriesNameFormat("bounce count"), 312 + ), 313 + ), 314 + panel.AddQuery( 315 + query.PromQL( 316 + "gazesys_pet_distance_total", 317 + query.SeriesNameFormat("distance travelled"), 318 + ), 319 + ), 320 + ) 321 + 322 + var gazesys_panels = dash.AddPanelGroup("gazesys", 323 + panels.PanelsPerLine(3), 324 + gazesys_visit_panel, gazesys_pet_panel, 325 + ) 326 + 327 + builder, buildErr := dash.New("wolumonde", 328 + dash.ProjectName("private-infra"), 329 + dash.Duration(30*time.Minute), 330 + dash.RefreshInterval(time.Minute), 331 + resPanels, nginxPanels, pdsPanels, gazesys_panels, forgejoPanels, 332 + ) 333 + exec.BuildDashboard(builder, buildErr) 334 + }
hosts/wolumonde/modules/perses.nix/dashboards/.gitignore hosts/trimounts/modules/perses.nix/dashboards/.gitignore
hosts/wolumonde/modules/perses.nix/dashboards/go.mod hosts/trimounts/modules/perses.nix/dashboards/go.mod
hosts/wolumonde/modules/perses.nix/dashboards/go.sum hosts/trimounts/modules/perses.nix/dashboards/go.sum
hosts/wolumonde/modules/perses.nix/dashboards/wolumonde.go hosts/trimounts/modules/perses.nix/dashboards/wolumonde.go
hosts/wolumonde/modules/perses.nix/default.nix hosts/wolumonde/modules/perses.disabled/default.nix
hosts/wolumonde/modules/perses.nix/provision/1-private-infra.yaml hosts/wolumonde/modules/perses.disabled/provision/1-private-infra.yaml
hosts/wolumonde/modules/perses.nix/provision/2-admin-role.yaml hosts/wolumonde/modules/perses.disabled/provision/2-admin-role.yaml
hosts/wolumonde/modules/perses.nix/provision/3-admin-bind-role.yaml hosts/wolumonde/modules/perses.disabled/provision/3-admin-bind-role.yaml
hosts/wolumonde/modules/perses.nix/provision/4-victoria.yaml hosts/wolumonde/modules/perses.disabled/provision/4-victoria.yaml
hosts/wolumonde/modules/perses.nix/provision/6-guest-role.yaml hosts/wolumonde/modules/perses.disabled/provision/6-guest-role.yaml
hosts/wolumonde/modules/perses.nix/provision/7-guest-role-bind.yaml hosts/wolumonde/modules/perses.disabled/provision/7-guest-role-bind.yaml
hosts/wolumonde/modules/perses.nix/provision/90-wolumonde.yaml hosts/wolumonde/modules/perses.disabled/provision/90-wolumonde.yaml
+30
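--- a/hosts/wolumonde/modules/pocket-id.disabled
+++ b/hosts/wolumonde/modules/pocket-id.disabled
@@ -0,0 +1,30 @@
+{ config, ... }:
+let
+domain = "id.gaze.systems";
+in
+{
+services.pocket-id = {
+enable = true;
+settings = {
+APP_URL = "https://${domain}";
+TRUST_PROXY = true;
+PORT = 6823;
+ANALYTICS_DISABLED = true;
+};
+};
+
+security.acme.certs."gaze.systems".extraDomainNames = [ domain ];
+
+services.nginx.virtualHosts.${domain} = {
+useACMEHost = "gaze.systems";
+forceSSL = true;
+quic = true;
+kTLS = true;
+locations."/".proxyPass = "http://localhost:${toString config.services.pocket-id.settings.PORT}";
+locations."/".extraConfig = ''
+proxy_busy_buffers_size 512k;
+proxy_buffers 4 512k;
+proxy_buffer_size 256k;
+'';
+};
+}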
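Review bot: `TRUST_PROXY = true` means pocket-id presumably takes the client address from forwarded headers, so port 6823 must only ever be reached through the nginx vhost. Nothing in this file restricts where the service listens or shows nginx setting those headers. If the port is reachable directly, a client can supply its own forwarded address, and any IP-based logging or rate limiting in the identity provider then records a value the caller chose. Whether the firewall leaves 6823 closed and whether proxy headers are set globally is not visible here, so I would record the assumption next to the setting: `# TRUST_PROXY: backend must only be reachable via nginx; 6823 is not opened in the firewall`. The same applies to the live copy listed as moved to hosts/trimounts/modules/pocket-id.nix, assuming its content matches.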
hosts/wolumonde/modules/pocket-id.nix hosts/trimounts/modules/pocket-id.nix
-1
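--- a/hosts/wolumonde/modules/secrets.nix
+++ b/hosts/wolumonde/modules/secrets.nix
@@ -1,7 +1,6 @@
 { lib, ... }:
 {
 # age.secrets.bernbotToken.file = ../../../secrets/bernbotToken.age;
-age.secrets.websiteConfig.file = ../../../secrets/websiteConfig.age;
 age.secrets.pdsConfig.file = ../../../secrets/pdsConfig.age;
 # age.secrets.wgWolumondeKey = {
 # file = ../../../secrets/wgWolumondeKey.age;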
hosts/wolumonde/modules/tangled.nix/default.nix hosts/wolumonde/modules/tangled.disabled/default.nix
hosts/wolumonde/modules/tangled.nix/knot.nix hosts/wolumonde/modules/tangled.disabled/knot.nix
hosts/wolumonde/modules/tangled.nix/motd hosts/wolumonde/modules/tangled.disabled/motd
hosts/wolumonde/modules/tangled.nix/spindle.nix hosts/wolumonde/modules/tangled.disabled/spindle.nix
hosts/wolumonde/modules/unbound.nix hosts/wolumonde/modules/unbound.disabled
+70
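--- a/hosts/wolumonde/modules/victoria.disabled
+++ b/hosts/wolumonde/modules/victoria.disabled
@@ -0,0 +1,70 @@
+{ lib, config, ... }:
+let
+# syslogUdp = 5113;
+metricsPort = 8428;
+logsPort = 9428;
+in
+{
+services.victoriametrics = {
+enable = true;
+listenAddress = ":${toString metricsPort}";
+};
+
+services.victorialogs = {
+enable = true;
+listenAddress = ":${toString logsPort}";
+# extraOptions = ["-syslog.listenAddr.udp=:${toString syslogUdp}" "-journald.maxRequestSize=1024000000"];
+};
+
+services.vmalert.instances."" = {
+enable = true;
+settings =
+let
+l = "http://localhost";
+in
+{
+"datasource.url" = "${l}${config.services.victorialogs.listenAddress}";
+"remoteWrite.url" = "${l}${config.services.victoriametrics.listenAddress}";
+"remoteRead.url" = "${l}${config.services.victoriametrics.listenAddress}";
+"rule.defaultRuleType" = "vlogs";
+};
+};
+
+services.fluent-bit.settings.pipeline.outputs = [
+# write metrics to victoriametrics via prometheus
+{
+name = "prometheus_remote_write";
+match = "metrics.*";
+port = lib.removePrefix ":" config.services.victoriametrics.listenAddress;
+uri = "/api/v1/write";
+}
+{
+name = "http";
+match = "logs.*";
+port = lib.removePrefix ":" config.services.victorialogs.listenAddress;
+uri = "/insert/jsonline?_stream_fields=stream&_msg_field=log&_time_field=date";
+format = "json_lines";
+json_date_format = "iso8601";
+}
+# write logs via syslog
+# {
+# name = "syslog";
+# match = "*.log";
+# port = syslogUdp;
+# syslog_maxsize = 4096;
+# syslog_severity_key = "severity";
+# syslog_facility_key = "facility";
+# syslog_hostname_key = "hostname";
+# syslog_appname_key = "appname";
+# syslog_procid_key = "procid";
+# syslog_msgid_key = "msgid";
+# syslog_sd_key = "sd";
+# syslog_message_key = "message";
+# }
+];
+
+# services.journald.upload = {
+# enable = true;
+# settings.Upload.URL = "http://localhost${config.services.victorialogs.listenAddress}/insert/journald";
+# };
+}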
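Review bot: Both `listenAddress` values are of the form `":PORT"`, which binds VictoriaMetrics and VictoriaLogs on every interface, yet every consumer in this file (vmalert, the two fluent-bit outputs) reaches them over localhost. No HTTP auth option is set on either service here. Unless the host firewall keeps 8428 and 9428 closed, which this file does not show, the write and query endpoints for metrics and logs are open to anything that can route to the machine. Binding to loopback removes that dependency on the firewall. It does mean the URLs and the fluent-bit `port` values can no longer be derived by concatenating or prefix-stripping `listenAddress`, and should come from `metricsPort` and `logsPort` directly, as sketched below. The same applies to the live copy listed as moved to hosts/trimounts/modules/victoria.nix, assuming its content matches.

```nix
services.victoriametrics = {
  # … unchanged: enable …
  listenAddress = "127.0.0.1:${toString metricsPort}";
};
services.victorialogs = {
  # … unchanged: enable, commented extraOptions …
  listenAddress = "127.0.0.1:${toString logsPort}";
};
# … unchanged: vmalert instance header and `l` binding …
"datasource.url" = "${l}:${toString logsPort}";
"remoteWrite.url" = "${l}:${toString metricsPort}";
"remoteRead.url" = "${l}:${toString metricsPort}";
# … unchanged: rule.defaultRuleType, fluent-bit output names, matches and uris …
port = toString metricsPort; # prometheus_remote_write output
port = toString logsPort; # http output
```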
hosts/wolumonde/modules/victoria.nix hosts/trimounts/modules/victoria.nix
secrets/clickeeProxyConfig.age

This is a binary file and will not be displayed.

+22
secrets/cloudflareDnsEdit.age
··· 1 + age-encryption.org/v1 2 + -> ssh-rsa Abmvag 3 + RLzSHns6rm+PKThSJC768KmC2a9odftJWSSWqNR36LA5wb1wU5YpP/EHt6P50AY/ 4 + JsFPydPP+XTso4rSclWuW1gjEEzfQdwBJy0c9QNo6WRwtLsR2jLC/VBULqTPsHUH 5 + bSR138+wtdICBLRMY71VvEcdrtONMm8dqc/STV5e270yDU+HtCW2Vwxu837CpUzQ 6 + 6xHV1NDURR5NugjQspW3mVBrFSx7OpE2iGrSYsCzXNpFK9JsC40yG/YZzqf2ktM4 7 + BlWTNGRd2M/QOXwCOOdsgQHfN4DtHBR/nrC+sdauJahKxSR0RVB2jQgrH2LsmnB9 8 + Xh8ttoYKwkVHQmOEUbtCnqKpzf7qGqyRX2+smkGaB2RzSxhNmUEmdV0dAEMXtGZd 9 + aBFMw233WioqNygHxfgYkUtA2jFjBEVeAp74iKH7fB1/8fKa+SSeLEcv/IuIAOSp 10 + WjqI7El5U882SviAyMuQ6hzWBLejCNBueZTgJVR0Iyk0fTjeLNM4rhqTQswyDjBh 11 + 7jnjAgVMaqZTRHrQFkBimkjX3QXutvRcjyutY3niUNRCZacvJ8bVIuIhNbqFOLJR 12 + Io/bRwys/qR1a44GFMxbQG6Hm0NRIIK791cxxilZpnNiJHs02TLTXzuIq0bfTssz 13 + 3FjUZa6Oaerum2I/BidWJuYm4Cm6tJuftYn7XS1q+4I 14 + -> ssh-ed25519 y5W/qA /qpByEN29ydHS/WgwLlOQjby7fYCI7hDOUSMJ+s0ZHA 15 + Je4qhR22hERajFv/7EbQodKo4ldYqsrUgFdtt1KbXUA 16 + -> ssh-ed25519 KjIL7g v+JVYql3+Tm/eam/1Vl/VSN97rq/8idFMcea1u7JEgE 17 + bqgK9JhL1CF9O/35WzOj3J2fHSUQcMesbamMatJRBbk 18 + -> ssh-ed25519 LaQclg u0qjpT1TcL0sAapagUr6opDbr3FRFsTtnK9wEoIJvxM 19 + Uof2ZOkgEtdY301j0Ql6i9+WjQusspUvn1kMGgaSfp0 20 + --- 8kcgq1sQjU2uSmskmkb3SUmsXubI1HtWBhs2RuuVJcE 21 + �5��;�h9���#`c֎� 22 + ����9�k�4�S 鯘��L:�/����׀P}a��oՇ:$��.����
secrets/develMobiTailscaleAuthKey.age

This is a binary file and will not be displayed.

secrets/headscaleOidcSecret.age

This is a binary file and will not be displayed.

secrets/nixGithubAccessToken.age

This is a binary file and will not be displayed.

+19 -17
secrets/pdsConfig.age
··· 1 1 age-encryption.org/v1 2 2 -> ssh-rsa Abmvag 3 - Ti+WByG/+vCEtMtvVSUYqnjhLnL6gmVHj+8+ARD12zrfV+l0LZxW7TFGqWvtQ+9N 4 - 0aCa5AGao4ngjom0JHhFm+DzklR13V6FyB1zAQugBuPDlJFPPZmRH9jTMpbiRWK0 5 - +uAFreWIkRtsYrOYaFOWIVOUxAl7immdbx7y55Q6u55y936t8aRRP+r8LCIsd+5E 6 - dlWmxTRyYBXG4MNkCfyDeuvCnFxGFlmPXVqJeXyHBL+/Gw4nLzMvRM0PQqlkOLeS 7 - DfJUpeWT0fptykuf7nmYr0sYembv4pks9E4lLNJ51PcdR2NqC4Aaq6s9+dM+b9Yg 8 - p8Zg7HvCWxlSeNuf/gnu5jisj93ImrwJJSpkSv+AqThGkVtRpN6gzErSXPOQe9tn 9 - RuESiumGO+Thh8+1F9iMitCm9pvVDkBrVDPmTBZS5xT8v67VcIcCmkmfh1Svq/di 10 - dWhMereLu9oXd9Nudtg3uvlzWp68kCAQFjOVyhi6Li15FuPw+vvkc72c2OPv9AeZ 11 - vNmIuaCHLa5VIPqOPJEaLGMuHSd80TFCAhYq4laca9gg6cgufyGlFCR4SVXA9qy8 12 - Gi8SI+wdBbi5+RKveju2/58Wbas6oIqmP6IOgTibwYl3uQ8EE4YhG1QocChN553X 13 - 0pjhtSBTyXgVuy3bqz5eA4QAkCcDocwT/4R4eaNGLW0 14 - -> ssh-ed25519 KjIL7g QPvc+LbTi8URL1atJNHHalHRyVGlz7pmrbOeMtjP6gM 15 - lH3IhynTXpQ3Z4hFGn4bJZ/vEWte7qZqeAhixghjoe8 16 - --- rIrWSZf0Q7b4fWtd9+gXxJpD9AoC0xWE7iWkUGCekDc 17 - ��)����ϲX� 0)��J�!���x�'E���vp�O�N~�23x��"��(Q�0�f_]7��ב��V�e���]+_/;:ؿ�g<.rJ��>W�R�K"�L#��/��+�Ƴ3M*Õ��:�Q'L��-}�#�Y�p������I 18 - ��Dm���{��ܫ�L��s��b�;� 19 - c*�ݷ�u�m�����+^d�ؓ�0k2yty��>����������F�L&����qk����Ⱦ��c �Y'{�,�G�V��tS�I���7�W�� ��Qp���a�f{f�2O`x�=��y��7�ߓ�}��{=﷋�Í�O����P0�=f�P�B\p���l�.��F�����bm|Oл;-��ǾS�����Ғ�_Ԥ 3 + SbNEqnr2eT0YR293LnQtJInXLmx7g+iCJwnZ4GmmEM2euePiEY69s8lRQUb7MQU8 4 + xghOLEo/gr74/wtrOUf+4Ge3OM8KiAZt3QLuREJYz1xI6+gnMaievWbinAA+Ly0L 5 + KdmFyshVGl+xKA0QPpc6fTO4XnAEH0g5Rg5upZoAfRARmOYeIQvXaWW2ehjI1Izw 6 + RINcoszonp5egzZ9QJ6huruT2actz2XIAsZX/0NYQdjC6xmChxfTOxuXQskbzzyK 7 + 42eholIkf/5fYre4HmB7ePKuZeUeVRhK0RYemBq/ZNNUCf1ExjE/wDKTWpuPOafV 8 + J2/7kP7OkwIEeEYXvLPvYM2HRasIbDUBmLOlj7L4E8BgMzKV7FmCr2n27m7iCjhz 9 + y0sTpEk1y2N/rDvc/GCuZNtGNZIrbfzGaz5fhgegvO0Jogc2km4LVaEOQlA+AI5w 10 + fxew6hCZkISaw+CjNaBOk45XXhMsONfW63uba6kgzj3h2+9jG1UmEPJAuNdgkjze 11 + 32lBZ58np+cA+aENt4sZu5nKk90Rsq54aNntfaHuFMFIfvK4RZj3HwHCAND+9XJ1 12 + SNkNetcehX9jzZYm5Npnlhleft92TACYbtIIoi/zqgYMLDaHeAW6ZDAnW9sgO7mo 13 + 
uSVwa8Gf5SwUY6v8IgVDwQVHiq8WTtRgRJmImP/mvS4 14 + -> ssh-ed25519 KjIL7g tRXe9XXGtJyjCQuHU4oD7L5veJ8BKCFHUdXuSAa6/D4 15 + vjVwtS7dKxTkjGHeLzV0G2uzIyEYaaSLplxOvfApIa0 16 + -> ssh-ed25519 LaQclg 81iLpPZTOiW2ZNnfy8lErpeHiQoTtIpariQ5153Nwl4 17 + 5wqZUoo5CxEPHwVy9SSspvECTWAQ8qgjbj44WCx/kdw 18 + --- z1wPplzF3WsIHxojXxcZnq91akMO+Hj1WFth2ujJAvY 19 + �X RM�V˛a^�Z2A욓ר)h���h�� hV�Z��e&�.��l��ɉ/n�aIد-��q��(�id� DT 20 + �d�e��T�cHiɂ*^�4��+�?� �����y��-nD=��]��(������ѝG�Z���ɲ���P�w9�g��j>��d��Ϥ�������F�t�~��P�QS� ,z�%Ad�E�t=�R�B�ُܱ~����7��ެ{1=�� ����kOV=W3���e��CN��q�Ϥ���.\���n�wW����c�R;G 21 + �6�f"�W����7f_�MZ;���.Х�Ѓ�@���3���Ǫ&,��1�ܕ�����]l�J�L!a֟� �r��}9 ��o@�.]��ƈ�fS����=�@��
+17 -16
secrets/persesSecret.age
··· 1 1 age-encryption.org/v1 2 2 -> ssh-rsa Abmvag 3 - gnRXwWRObKH5JCBDDPVRDHsgSj4m3zwOHAFLDAXTmWjs0mVNKSu5AFtKkoJuUuzs 4 - RQFGn3b4pv6duPjpEW4t0DBkAOCwgqTqvF3oSKNBSDuhNU4+XzCJgBZDesO3VZ/S 5 - zZxM8kq14sM484pZSRI0A86VNSlR7q8lyF1kth+bn5dum7Ihq87Re6jW+OyFwL7L 6 - tkTON5L4aMqjI4fMQl/PcRU+04sYkKug6JQO/DDyFXvjvROuO43ZChjqGGj4ol9b 7 - mXPOJuabzUtWGoTwg7+IHhbyUbanoO+2gCMejRGbZbBTh+bOftNx0bvNj8lrxgit 8 - oE5sXhqPeI9BhOGWiJvR+32YdHl2WRYQ/7nNdWsnA0UuiPRHPu827g91NrVgjxBk 9 - SpgoabwZpCUl8GlfihtTvw3NbV6WnIUv0ew9bwlyf129uvH7Rn61o0JMnq5m37Zt 10 - rJjLJ262zIdb4eS1QgycI+ugeb290Vh22niTLLKoJxAFdLyzSr84XsfUVyrjhJfz 11 - Ll+12c7ApTcgwhuhOkFLmU8SUNwxhH523fV8zcQ/1E9yjpa26qQcTF+ujRV8FIwb 12 - kVGLDHUXehU5gm/nsuQVaULYHRC50pvu7wKKZsj0UqdQeKCx1CwBOdFk6Qctxl9N 13 - VvAenIra/FVImcrimQ/sNCeg8UasT+gvbY5KjhwPzkY 14 - -> ssh-ed25519 KjIL7g +FQdRCFxlkayD4Hq9xb4WCE139upxkpSrvh7412gqlo 15 - jxDJlUgJZfftyeyhikKi4zLhtM6fVXxAGMmD7gcQZgM 16 - --- OXRvMmNqRzo4NGF4ihpPSHu77W8dH45HwJJIDI3hUCY 17 - &}͘8��;YX5 18 - �$m3�1r['�%<7�����W�D��h�0�%��C$�Il1;ɛl�1�i�A��E�z��,n݆�|b�?2N�}�m/Ӈ� 3 + IC9ZInud32ueWR3owngph/eKReklaRfgY6bDKDmA0OT5IEvisOYK8lhGwAzOZdIq 4 + i+K5p7C30qe1+1fmZ3ZNcQMKeIq79LdpiR7Xb6DT+BAT5g++wsXqqsvxZYyR4Ux7 5 + dPxr05VJXE6HkoUQ2gcG/rlED1M7EoRq1TBm1UV4wIDiWy/ZdZZRvM8C++CD2h4V 6 + d4cLoDzVZxYdi3s+NRXpbg62fIO//suAYvlMjbKQasEBWv88R8rwj5br+o/AbCR8 7 + hkjctI+EuMHzq7hwlZ211hb/HDLnFckWmIao9Hvw6PpyFMIUmuQWsgn6yHQ6zJQx 8 + zIXNgAYpX5bR8i0VXvwNwlfWOOqNcOU4QD7ZO4qFs+ZYTlHvo1m1RNhDIBbhC9UM 9 + v3C8fU0RTaWhUkcacXn3VXBiJIHXzFLiAfxQ1ft5HPOjsOOhHwphMFwblCukTJ45 10 + SNVErkK32YeW6J0nyQGHRNHNSgbZC274caZ8R3nlTynkYRoF6/dy7Q1OLNILF4Vd 11 + qW54oLZs9A6ralFkDfObl4rxOcz4HPdwH9p/kWzW1C1IrfZk0m5eOppFzZ2fUHra 12 + FED8mJ0vH5E0oCL7JBDVx3A+Ss5vj7zpJePL10UQvfWI8qUIXHZT6wbIt/XfRvtq 13 + rbr0g9tQtnnpOMJwgu1GzL1xQWGelAS8pvV8GPb5Vvg 14 + -> ssh-ed25519 KjIL7g 0DtiBKi0aL82kjE3AgAbwkCw+fuIWXMvzi52eem0JgM 15 + ujkcowuy/vokA+jqV7d5RcZGeg2yhzh8IdQQHJ/wZns 16 + -> ssh-ed25519 LaQclg m/1lrK8ks3LlAQYG0/85pZiyQvhh16/Y5bX+k9HPpgU 17 + 
zJD9xgF9GuHGHYSkczPGllccYqW7y/+UZrlCveFJIt4 18 + --- ZM1sl++OddBxYlx8/57o/BWcSsU3rHQ41q7cJCoZiPs 19 + �C{���9�C�yC��'�]����P�X��n��ZD��}�q2�[�@�R8�h���'����a�:�B2X��}<5��D�����6�������p���*��
+11 -1
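--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,6 +2,7 @@
 yusdacra = builtins.readFile ./yusdacra.key.pub;
 wolumonde = builtins.readFile ./wolumonde.key.pub;
 dzwonek = builtins.readFile ./dzwonek.key.pub;
+trimounts = builtins.readFile ./trimounts.key.pub;
 develMobi = builtins.readFile ./develMobi.key.pub;
 in
 {
@@ -9,19 +10,22 @@
 "websiteConfig.age".publicKeys = [
 yusdacra
 wolumonde
+trimounts
 ];
 "pdsConfig.age".publicKeys = [
 yusdacra
 wolumonde
+trimounts
 ];
 "clickeeProxyConfig.age".publicKeys = [
 yusdacra
 wolumonde
+trimounts
 ];
-"deployWebhook.age".publicKeys = [ yusdacra ];
 "persesSecret.age".publicKeys = [
 yusdacra
 wolumonde
+trimounts
 ];
 "headscaleOidcSecret.age".publicKeys = [
 yusdacra
@@ -30,5 +34,11 @@
 "develMobiTailscaleAuthKey.age".publicKeys = [
 yusdacra
 develMobi
+];
+"cloudflareDnsEdit.age".publicKeys = [
+yusdacra
+dzwonek
+wolumonde
+trimounts
 ];
 }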
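Review bot: `wolumonde` stays a recipient of every secret that gains `trimounts`, including `websiteConfig.age`, which the wolumonde host config in this same commit stops declaring. The new `cloudflareDnsEdit.age` entry also hands a DNS-edit credential to four keys at once. If the migration retires wolumonde for these services, drop it from those recipient lists and rotate the underlying values. Re-encrypting alone does not help, because the earlier ciphertexts remain in git history and the old host key can still decrypt them. For the DNS token, list only the hosts that actually consume it, for example `"cloudflareDnsEdit.age".publicKeys = [ yusdacra trimounts ];` if only trimounts uses it; which hosts do is not visible here.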
+1
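--- a/secrets/trimounts.key.pub
+++ b/secrets/trimounts.key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLuA1/cZ/xTN4dv5U0fvD9Glo6HlF5YA4U1pvFjxx6V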
secrets/websiteConfig.age

This is a binary file and will not be displayed.

+1 -1
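--- a/users/modules/discord/default.nix
+++ b/users/modules/discord/default.nix
@@ -39,7 +39,7 @@
 
 Service = {
 Type = "simple";
-ExecStart = "${pkgs.openssh}/bin/ssh -N -D 127.0.0.1:1337 root@wolumonde";
+ExecStart = "${pkgs.openssh}/bin/ssh -N -D 127.0.0.1:1337 root@trimounts";
 Restart = "on-failure";
 RestartSec = "3s";
 };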
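Review bot: The `ExecStart` tunnel logs in as `root@trimounts` only to open a local SOCKS listener (`-N -D 127.0.0.1:1337`), which needs neither a shell nor root on the remote side. As written, the key this user service authenticates with is a root credential for the new server, so a compromise of the desktop session reaches the host running the PDS and identity services. A dedicated unprivileged account limited to forwarding would bound that, for example `ExecStart = "${pkgs.openssh}/bin/ssh -N -D 127.0.0.1:1337 tunnel@trimounts";`, where `tunnel` is a placeholder account name. The surrounding unit definition starts and ends outside the hunk.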