

2 commits

9 changed files with 136 additions and 36 deletions


@ -1,53 +1,69 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
desu.secrets.arumi-singbox-pk = {}; desu.secrets.arumi-singbox-pk.owner = "xray";
desu.secrets.arumi-singbox-sid = {}; desu.secrets.arumi-singbox-sid.owner = "xray";
desu.secrets.arumi-singbox-users = {}; desu.secrets.arumi-singbox-users.owner = "xray";
services.sing-box = { users.users.xray = {
isNormalUser = true;
uid = 1102;
};
services.xray = {
enable = true; enable = true;
settings = { settingsFile = "/etc/xray/config.json";
};
systemd.tmpfiles.rules = [
"d /etc/xray 0700 1102 1102 -"
];
systemd.services.xray.serviceConfig = {
DynamicUser = lib.mkForce false;
User = "xray";
};
systemd.services.xray.preStart = let
file = "/etc/xray/config.json";
template = pkgs.writeText "config.json" (builtins.toJSON {
log = { level = "info"; timestamp = true; }; log = { level = "info"; timestamp = true; };
inbounds = [ inbounds = [
{ {
type = "vless"; port = 443;
tag = "vless-in"; protocol = "vless";
listen = "::"; settings = {
listen_port = 443; decryption = "none";
sniff = true; clients = []; # populated later in the preStart script
sniff_override_destination = true; };
domain_strategy = "ipv4_only"; streamSettings = {
users = []; # populated later in the preStart script network = "tcp";
tls = let server = "updates.cdn-apple.com"; in { security = "reality";
enabled = true; realitySettings = {
server_name = server; alpn = [ "h2" ];
reality = { target = "updates.cdn-apple.com:443";
enabled = true; serverNames = [ "updates.cdn-apple.com" ];
handshake = { inherit server; server_port = 443; }; privateKey = ""; # populated later in the preStart script
private_key._secret = config.desu.secrets.arumi-singbox-pk.path; shortIds = []; # populated later in the preStart script
short_id = [
{ _secret = config.desu.secrets.arumi-singbox-sid.path; }
];
}; };
}; };
sniffing = {
enabled = true;
destOverride = [ "tls" "http" "quic" ];
routeOnly = true;
};
} }
]; ];
outbounds = [ outbounds = [
{ type = "direct"; tag = "direct"; } { protocol = "freedom"; tag = "direct"; }
{ type = "block"; tag = "block"; }
]; ];
}; });
};
systemd.services.sing-box.preStart = let
file = "/etc/sing-box/config.json";
in '' in ''
users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path}) users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
${pkgs.jq}/bin/jq --arg users "$users" \ pk=$(cat ${config.desu.secrets.arumi-singbox-pk.path})
'.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \ sid=$(cat ${config.desu.secrets.arumi-singbox-sid.path})
${file} > ${file}.tmp ${pkgs.jq}/bin/jq --arg users "$users" --arg pk "$pk" --arg sid "$sid" \
mv ${file}.tmp ${file} '.inbounds[0].settings.clients = ($users | fromjson | map({ "id": ., "flow": "xtls-rprx-vision" }))
| .inbounds[0].streamSettings.realitySettings.privateKey = $pk
| .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file}
''; '';
networking.firewall.allowedTCPPorts = [ 443 ]; networking.firewall.allowedTCPPorts = [ 443 ];
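Review bot: The new preStart hands the REALITY private key, the short id and the client UUID list to jq as command-line arguments (`--arg users "$users" --arg pk "$pk" --arg sid "$sid"`), so all three are readable by any local user through /proc/<pid>/cmdline for as long as jq runs; reading them with `--rawfile pk ${config.desu.secrets.arumi-singbox-pk.path} --rawfile sid ${config.desu.secrets.arumi-singbox-sid.path}` and writing `($pk | rtrimstr("\n"))` / `($sid | rtrimstr("\n"))` in the filter keeps them out of argv (the `$(cat …)` form stripped that trailing newline, so the rtrimstr is needed). The rewrite also drops the previous write-to-`${file}.tmp`-then-`mv` step, so a jq failure or interrupted write now leaves a truncated `/etc/xray/config.json` that the service will attempt to load; keeping the temporary file and rename costs one line. `users.users.xray` is declared with `isNormalUser = true`, which gives a daemon account a home directory and login shell, and the tmpfiles rule's gid 1102 appears to assume a group that this does not create; `isSystemUser = true; group = "xray";` with `users.groups.xray = {};` is the usual least-privilege form, and the new activepieces module in this same compare repeats the pattern with uid 1127. The module's closing brace falls outside the rendered hunk.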


@ -41,6 +41,7 @@
./containers/outline ./containers/outline
./containers/docmost ./containers/docmost
./containers/forgejo ./containers/forgejo
./containers/activepieces
./containers/teisu.nix ./containers/teisu.nix
./containers/bots/pcre-sub-bot.nix ./containers/bots/pcre-sub-bot.nix
./containers/bots/channel-logger-bot.nix ./containers/bots/channel-logger-bot.nix
@ -112,6 +113,8 @@
boot.kernelParams = [ "panic=5" "panic_on_oops=1" "mitigations=off" ]; boot.kernelParams = [ "panic=5" "panic_on_oops=1" "mitigations=off" ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
networking.firewall.allowedTCPPorts = [ 25565 ];
services.desu-deploy = { services.desu-deploy = {
enable = true; enable = true;
key = builtins.readFile (abs "ssh/desu-deploy.pub"); key = builtins.readFile (abs "ssh/desu-deploy.pub");
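Review bot: The second hunk's `networking.firewall.allowedTCPPorts = [ 25565 ];` opens a TCP port with nothing in either hunk saying which service listens on it, so a later reader cannot tell whether the exposure is still needed. A trailing comment such as `# <service> — listener defined in <module> (placeholder)` would make it auditable, and if the listener lives in its own module the rule is better placed there so it is removed together with the service. The enclosing attribute set continues outside both hunks.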


@ -0,0 +1,67 @@
{ pkgs, config, ... }:
let
UID = 1127;
context = pkgs.copyPathToStore ./image;
in {
desu.secrets.activepieces-env.owner = "activepieces";
users.users.activepieces = {
isNormalUser = true;
uid = UID;
};
services.postgresql.ensureUsers = [
{ name = "activepieces"; ensureDBOwnership = true; }
];
services.postgresql.ensureDatabases = [ "activepieces" ];
desu.postgresql.ensurePasswords.activepieces = "activepieces";
virtualisation.oci-containers.containers.activepieces-redis = {
image = "docker.io/redis:7.0-alpine";
user = builtins.toString UID;
extraOptions = [
"--mount=type=bind,source=/srv/activepieces/redis,target=/data"
];
};
systemd.tmpfiles.rules = [
"d /srv/activepieces/redis 0700 ${builtins.toString UID} ${builtins.toString UID} -"
];
systemd.services.docker-activepieces.serviceConfig.ExecStartPre = [
(pkgs.writeShellScript "build-activepieces" ''
docker build -t local/activepieces ${context}
'')
];
virtualisation.oci-containers.containers.activepieces = {
image = "local/activepieces";
dependsOn = [ "activepieces-redis" ];
environment = {
AP_EXECUTION_MODE = "SANDBOX_CODE_ONLY";
AP_FRONTEND_URL = "https://ap.stupid.fish";
AP_POSTGRES_URL = "postgres://activepieces:activepieces@172.17.0.1:5432/activepieces";
AP_TELEMETRY_ENABLED = "false";
AP_EDITION = "ee";
AP_QUEUE_MODE = "REDIS";
AP_REDIS_HOST = "activepieces-redis.docker";
AP_REDIS_PORT = "6379";
};
environmentFiles = [
# oidc related config + SECRET_KEY, UTILS_SECRET
config.desu.secrets.activepieces-env.path
];
user = builtins.toString UID;
};
systemd.services.docker-activepieces.requires = [ "postgresql.service" ];
services.nginx.virtualHosts."ap.stupid.fish" = {
forceSSL = true;
useACMEHost = "stupid.fish";
locations."/" = {
proxyPass = "http://activepieces.docker$request_uri";
proxyWebsockets = true;
};
};
}
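Review bot: `AP_POSTGRES_URL` embeds the database password in the `environment` attribute and `desu.postgresql.ensurePasswords.activepieces = "activepieces"` fixes that same trivial value, so the credential ends up in the world-readable Nix store and in the container's inspectable environment, while PostgreSQL is addressed on the Docker bridge (`172.17.0.1:5432`) where any other container on that bridge can reach it with the same string. The section already loads `config.desu.secrets.activepieces-env.path` as an environment file for `SECRET_KEY` and the OIDC settings, so the URL with a generated password belongs there too, and `ensurePasswords` would then need to read the same secret rather than a literal. `ExecStartPre` rebuilds `local/activepieces` from the bundled Dockerfile on every service start, so each start can pull a changed base image; a one-line comment such as `# rebuilt from ./image on every start; base image pinning lives in the Dockerfile` would make that coupling explicit for the next reader.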


@ -0,0 +1,8 @@
FROM ghcr.io/activepieces/activepieces:0.38.3
RUN sed -i -E 's!https://secrets.activepieces.com/license-keys!https://license.stupid.fish/services/activepieces!' /usr/src/app/dist/packages/server/api/main.js && \
chmod -R 777 /var/log/nginx/ && \
chmod -R 777 /var/lib/nginx && \
chmod -R 777 /run/ && \
mkdir -p /usr/src/app/cache && \
chmod -R 777 /usr/src/app/cache
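Review bot: The `sed -i` on the second line exits successfully whether or not the license-key URL exists in `main.js`, so a later image whose path or string differs will build cleanly with the rewrite silently not applied; adding `grep -q 'license.stupid.fish/services/activepieces' /usr/src/app/dist/packages/server/api/main.js && \` right after the sed makes the build fail loudly instead. The `chmod -R 777` lines make `/run/`, nginx's state and log directories and the cache writable by every uid in the image rather than only the one the container runs as, and `/run/` in particular holds pid and socket files that other processes in the container should not be able to replace; `chown -R <runtime uid> …` followed by `chmod -R u+rwX` (the uid passed as a build arg or kept in step with the module's `UID = 1127`) confines write access to the service user. `FROM ghcr.io/activepieces/activepieces:0.38.3` is pinned by tag only, and since the NixOS module rebuilds this image on every start, appending `@sha256:<digest>` (placeholder) to the `FROM` line is what makes the rebuild reproducible.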


@ -11,7 +11,7 @@ in {
}; };
virtualisation.oci-containers.containers.teisu = { virtualisation.oci-containers.containers.teisu = {
image = "ghcr.io/teidesu/tei.su:latest"; image = "git.stupid.fish/teidesu/tei.su:latest";
environmentFiles = [ environmentFiles = [
config.desu.secrets.teisu-env.path config.desu.secrets.teisu-env.path
]; ];

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 sj88Xw x8G6D56j1N7kjMuU9TXdKxpmCyPyDnkbRSAAjcmIXGc
qzQbchvolZgSIWisyKg/eiNRh+826iz6WHu5HQOiBoU
--- MnAF7KtGU97wxf2tCfRbitqRPV/Bfg/GftUCrZAjtuU
YC¥`+Û¬¦k÷bt½b¥‰CGRÿoùUtMü5b<35>UäZ
xN÷I(pÜž6ºjÏ]y°_ÃP&ÎE…<45>ÒjSO‰¢ZŽÒCÜkñÇmCW¾4´4M°g¼ªÖtìÏvhÆHá