fabian/nix
1
0
Fork 2
Code Issues 16 Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: fabian:92943358826cfb2a2724a584a32bc979392831e5
Branches Tags
fabian:master
fabian:v0.1
...
compare: fabian:f8c530203c862394a6242c489d37862c1d3efd01
Branches Tags
fabian:master
fabian:v0.1

3 commits
9294335882 ... f8c530203c

Author SHA1 Message Date
Fabian Montero
f8c530203c
general: update gpg/ssh keys and remove public_files from repo 2025-08-29 00:38:22 -06:00
Fabian Montero
e62691fbda
vps: add dufs 2025-08-28 18:34:17 -06:00
Fabian Montero
aa14f6f7ef
general: move fonts config to baseline 2025-08-28 18:32:42 -06:00
18 changed files with 283 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

2
home/modules/gpg.nix
View file

@ -12,7 +12,7 @@ in {
defaultKey = mkOption {
type = types.str;
description = "fingerprint of default public key to be used in gpg, git, email, etc.";
example = "7AA277E604A4173916BBB4E91FFAC35E1798174F";
example = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
};
};
config = mkIf cfg.enable {

2
home/platforms/fabian@posixlycorrect/default.nix
View file

@ -32,7 +32,7 @@
deepState.enable = true;
gpg = {
enable = true;
defaultKey = "7AA277E604A4173916BBB4E91FFAC35E1798174F";
defaultKey = "A8981D346F8F4130CA16A7775517E687FCCE0BB9";
};
syncthing.enable = true;
};

3
homepage/posixlycorrect/content/about.md
View file

@ -5,5 +5,4 @@ title = "about"
- bio: Linux Embedded Engineer
- projects: [https://git.posixlycorrect.com/fabian/](https://git.posixlycorrect.com/fabian?tab=activity)
- email: fabian [at] posixlycorrect [dot] com
- gpg key: [click here](https://posixlycorrect.com/pki/fabian_primary.gpg)
- This is the public gpg key for my Yubikey. If you want to make sure your email reaches me, add both keys as recipients: [click here](https://posixlycorrect.com/pki/fabian_yubikey.gpg)
- gpg key: [click here](https://public.posixlycorrect.com/pki/A8981D346F8F4130CA16A7775517E687FCCE0BB9.asc)

10
sys/modules/baseline.nix
View file

@ -53,6 +53,16 @@ in {
];
};
fonts.packages = with pkgs; [
jetbrains-mono
noto-fonts
noto-fonts-cjk-sans
noto-fonts-emoji
noto-fonts-extra
nerd-fonts.fira-code
nerd-fonts.droid-sans-mono
];
services = {
openssh.enable = mkDefault true;

11
sys/modules/default.nix
View file

@ -17,15 +17,6 @@
./steam.nix
./gtklock.nix
./borgsync.nix
];
fonts.packages = with pkgs; [
jetbrains-mono
noto-fonts
noto-fonts-cjk-sans
noto-fonts-emoji
noto-fonts-extra
nerd-fonts.fira-code
nerd-fonts.droid-sans-mono
./dufs.nix
];
}

233
sys/modules/dufs.nix Normal file
View file

@ -0,0 +1,233 @@
# https://github.com/NixOS/nixpkgs/blob/c77cd68706b590b44334bb8c506239b3384c26a0/nixos/modules/services/misc/dufs.nix
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.local.sys.dufs;
types = lib.types;
in {
options.local.sys.dufs = {
enable = lib.mkEnableOption "the dufs server";
package = lib.mkPackageOption pkgs "dufs" {};
settings = lib.mkOption {
type = types.submodule {
options = {
serve-path = lib.mkOption {
type = types.path;
description = "Specific path to serve.";
};
bind = lib.mkOption {
type = types.nullOr types.str;
description = "Specify bind address or unix socket.";
default = null;
};
port = lib.mkOption {
type = types.port;
description = "Specify port to listen on.";
default = 5000;
};
path-prefix = lib.mkOption {
type = types.nullOr types.path;
description = "Specify a path prefix.";
default = null;
};
hidden = lib.mkOption {
type = types.listOf types.str;
description = "Hide paths from directory listings, e.g. tmp,*.log,*.lock.";
default = [];
example = lib.literalExpression ''
[
"tmp"
"*.log"
"*.lock."
]
'';
};
allow-all = lib.mkOption {
type = types.bool;
description = "Allow all operations.";
default = true;
};
allow-upload = lib.mkOption {
type = types.bool;
description = "Allow upload files/folders.";
default = false;
};
allow-delete = lib.mkOption {
type = types.bool;
description = "Allow delete files/folders.";
default = false;
};
allow-search = lib.mkOption {
type = types.bool;
description = "Allow search files/folders.";
default = false;
};
allow-symlink = lib.mkOption {
type = types.bool;
description = "Allow symlink to files/folders outside root directory.";
default = false;
};
allow-archive = lib.mkOption {
type = types.bool;
description = "Allow zip archive generation.";
default = false;
};
enable-cors = lib.mkOption {
type = types.bool;
description = "Enable CORS, sets `Access-Control-Allow-Origin: *`.";
default = false;
};
render-index = lib.mkOption {
type = types.bool;
description = "Serve index.html when requesting a directory, returns 404 if not found index.html.";
default = false;
};
render-try-index = lib.mkOption {
type = types.bool;
description = "Serve index.html when requesting a directory, returns directory listing if not found index.html.";
default = false;
};
render-spa = lib.mkOption {
type = types.bool;
description = "Serve SPA(Single Page Application).";
default = false;
};
assets = lib.mkOption {
type = types.nullOr types.path;
description = "Set the path to the assets directory for overriding the built-in assets.";
default = null;
};
log-format = lib.mkOption {
type = types.nullOr types.str;
description = "Customize http log format.";
default = null;
example = lib.literalExpression ''
"$remote_addr \"$request\" $status"
'';
};
compress = lib.mkOption {
type = types.enum [
"none"
"low"
"medium"
"high"
];
description = "Customize http log format.";
default = "none";
};
tls-cert = lib.mkOption {
type = types.nullOr types.path;
description = "Path to an SSL/TLS certificate to serve with HTTPS.";
default = null;
};
tls-key = lib.mkOption {
type = types.nullOr types.path;
description = "Path to the SSL/TLS certificate's private key.";
default = null;
};
};
};
description = "Settings for dufs.";
};
authFile = lib.mkOption {
type = types.nullOr types.path;
description = ''
Path to file containing auth roles (e.g. user:pass@/dir1:rw,/dir2), one per line.
Passwords may be hashed, see https://github.com/sigoden/dufs#hashed-password.
'';
default = null;
};
openFirewall = lib.mkOption {
type = types.bool;
description = "Open firewall on configured port.";
default = false;
};
user = lib.mkOption {
type = types.str;
description = "User to run dufs under.";
default = "dufs";
};
group = lib.mkOption {
type = types.str;
description = "Group to run dufs under.";
default = "dufs";
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [cfg.settings.port];
systemd.services.dufs = let
settings = lib.filterAttrs (_: v: v != null) cfg.settings;
pathWritable = settings.allow-all || settings.allow-upload || settings.allow-delete;
in {
after = ["network.target"];
wantedBy = ["multi-user.target"];
environment.DUFS_CONFIG = (pkgs.formats.yaml {}).generate "dufs-config.yaml" settings;
script = ''
${lib.optionalString (cfg.authFile != null) ''
export DUFS_AUTH=$(tr '\n' '|' < ${lib.escapeShellArg cfg.authFile} | sed 's/|$//')
''}
exec ${lib.escapeShellArg (lib.getExe cfg.package)}
'';
serviceConfig = {
BindReadOnlyPaths =
[
builtins.storeDir
]
++ lib.optional (!pathWritable) settings.serve-path
++ lib.optional (cfg.authFile != null) cfg.authFile;
BindPaths = lib.mkIf pathWritable settings.serve-path;
CapabilityBoundingSet = "";
DeviceAllow = "";
Group = cfg.group;
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RootDirectory = "/run/dufs";
RuntimeDirectory = "dufs";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
"~@privileged"
];
User = cfg.user;
};
};
users = {
users.dufs = lib.mkIf (cfg.user == "dufs") {
group = cfg.group;
home = cfg.settings.serve-path;
isSystemUser = true;
};
groups.dufs = lib.mkIf (cfg.group == "dufs") {};
};
};
meta.maintainers = with lib.maintainers; [jackwilsdon];
}

2
sys/platforms/vps/default.nix
View file

@ -32,7 +32,7 @@ with lib; {
users.fabian = {
enable = true;
sshKeyPublicFile = [public_files/pki/fabian.ssh];
sshKeyPublicFile = [pki/id_ed25519.pub]; # move this out someday
};
};

1
sys/platforms/vps/pki/id_ed25519.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICls/LbyzkIXj5HCp7Qc4eoGcUXzJdQFshNX2caPwgNh openpgp:0x1B7A8CB7

1
sys/platforms/vps/public_files/factorio_blueprints/nauvis_science.txt
View file

File diff suppressed because one or more lines are too long

1
sys/platforms/vps/public_files/factorio_blueprints/red_circuits.txt
View file

File diff suppressed because one or more lines are too long

BIN
sys/platforms/vps/public_files/memorias_de_seda.pdf
View file

Binary file not shown.

1
sys/platforms/vps/public_files/pki/fabian.ssh
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkK2Cg3dozG78AEA2OTzydezcKVnNTTj0MUJZcP/mrN fabian@posixlycorrect.com

25
sys/platforms/vps/public_files/pki/fabian_primary.gpg
View file

@ -1,25 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZHlROBYJKwYBBAHaRw8BAQdAhzA1JCghQ6KoHOuf6JPQhEmchHLVXFVye4I2
pRUOUMO0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
PoiUBBMWCgA8FiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwMFCQlmAYAE
CwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEB/6w14XmBdPP2EA/i9ugFxpIFF6oOQs
clMfr+sNj6Il0OUTJK0dqpp4mGorAP0awa6nfhU8T1Ju7UWr6cfSmnL4bM6M/4Z3
D+AF/L5PBokCMwQQAQoAHRYhBOd6gIv5qVXWaO7qZHP6nJy18CSbBQJkeVKDAAoJ
EHP6nJy18CSbzTkP/Reio0ObRrRW+QSw62ZXrUG0mFcNeeoM9amldCToFRyGnSDu
wtZ9nqwLiTJ01VPBOsEZLsl4VonO3rdadqnMTZ3XqKK9VHBl6UNot3DQ8INDAcko
GW1zvEdxNkpMxhtAja0JkcBdG7+zxc2aEGeKfEna2qDXA+xtYw5+pssOWYMip7hm
jQ2NzYMYav2KYRBC7eXTkAIIIJi/l9pR1IwHtY3a0gfbkQymgCyt5wVG6LneYFIR
+ycNVCObwyP8gFASdId0bWnA23rkilc9ZBOCps/cGfDLM+KQ+sLAWBFBQyQeEjcv
tU+pLXncAEvWy/SFmprVSLDQMMooFaEJMZChojGcCkwAPG1twsihqIA3E44Q3/+G
K0gZN57jGMnfvuQiuLuttOMdu27KwEu++t3YUt0P6S4kARpx51zZJ7A2Yj2u22aM
7EL8qq6KTNdNoS7FgwQkrWbokdDZIl0HV+5TeMQfylPqOPhuFK/1A9qztqknBPVY
QUx2t6FZUgH9sT7uD+5gXxyeqmEIFo2i6D8G/4TEPbKtWivJfeOqDEBn4QEY2nvE
zgJLLU5XCv9xPz5rizRCa+h+kg+i4mH6fLCBCCAPXsbAAo0gUlGJvX4slPh7uPOa
T2r7A/7uezResBzP/L/vostlmjO5c8cOl9Wc6D1kRZq17/AjMUgy6+KR3iVnuDgE
ZHlROBIKKwYBBAGXVQEFAQEHQPRbCS2p8xpt3fRxfyRnDOdH9pULY4NtGmZUS0ve
ZGkTAwEIB4h+BBgWCgAmFiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwwF
CQlmAYAACgkQH/rDXheYF0/65AD+LtDeedCYv9zs+1Ia3DvejVZM256WEH+dRH5h
Pm3RzQ8A/2+bXRnfsgGqacj/kKEL3spuos95ngRNRkrQ39nc1koP
=PAxr
-----END PGP PUBLIC KEY BLOCK-----

19
sys/platforms/vps/public_files/pki/fabian_yubikey.gpg
View file

@ -1,19 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZukhMBYJKwYBBAHaRw8BAQdAC/Gy2p7RPFw3k+ROFnKpJvCVqQb+BUYboE2u
CP1kz/C0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
PoiTBBMWCgA7FiEEcgbY7iR0898Y6odvDsFpH/jBqB8FAmbpITACGwMFCwkIBwIC
IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQDsFpH/jBqB+oGwEAhmegCZJAt8Opv/9+
HBbL51f2035qymHPgkV/SyFM1GEBAOVQY6A5U+NrLNiaQTN5Z7jcfQuBobzk4ksn
RzROhTcAiHUEEBYKAB0WIQR6onfmBKQXORa7tOkf+sNeF5gXTwUCZutnFQAKCRAf
+sNeF5gXT1juAQDsH/lDorfMdWxuP87eV9OP8jQvibuTuZ9n2jUllXsLcQEA5gDJ
05NW5Tw2g9mvlrocWr7N2/PC5UvFct4akwDXtA+4MwRm6SEwFgkrBgEEAdpHDwEB
B0AHSmncE+krtL9ZGe4eq865vjaLiUAVnZQaVObKm11CBYh4BBgWCgAgFiEEcgbY
7iR0898Y6odvDsFpH/jBqB8FAmbpITACGyAACgkQDsFpH/jBqB+hBwD/Y9vAcbPG
CTmZvtgYlZW5Oey5T3hHoANv1THOZwv9G58BALEBZRvDztmYPjRaMyAMonrpc2P0
GPHYLcqCPVbjkaAKuDgEZukhMBIKKwYBBAGXVQEFAQEHQC2+QJcHEJjdZikBYeMj
ks53MjfeawAXU31KtAU60KACAwEIB4h4BBgWCgAgFiEEcgbY7iR0898Y6odvDsFp
H/jBqB8FAmbpITACGwwACgkQDsFpH/jBqB+0TwD+K4IcFstNGLrijlgH2zuQaI+p
8QT8AInjSpGfC4zcMlEBAIVYvdTYw4IXPSQOs0qPyR0nhfGIeoBMeWrAAfoxQ0oB
=wpc0
-----END PGP PUBLIC KEY BLOCK-----

BIN
sys/platforms/vps/public_files/sfd_ClientesLinux_DEB64_Rev26.zip
View file

Binary file not shown.

1
sys/platforms/vps/srv/default.nix
View file

@ -17,5 +17,6 @@ with lib; {
./calibre-web.nix
./immich.nix
./mealie.nix
./dufs.nix
];
}

32
sys/platforms/vps/srv/dufs.nix Normal file
View file

@ -0,0 +1,32 @@
{
lib,
pkgs,
config,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."public.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:5000";
};
};
};
};
local.sys.dufs = {
enable = true;
settings = {
serve-path = "/var/public";
allow-all = false;
allow-archive = true;
};
};
}

12
sys/platforms/vps/srv/net.nix
View file

@ -37,17 +37,7 @@ in {
enableACME = true;
locations = {
"/".root = "${pkgs.local.homepage}";
"~ ^/public(?:/(.*))?$" = {
# https://serverfault.com/a/476368
alias = "${../public_files}/$1";
extraConfig = ''
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
autoindex_format html;
'';
};
"/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
};
};
};