authorAzat Bahawi <azat@bahawi.net>2023-11-05 18:10:26 +0300
committerAzat Bahawi <azat@bahawi.net>2023-11-05 18:10:26 +0300
commit647ea0667423ced895e4bcdd73a9401b1fe3ee69 (patch)
tree700db0911e1e2193bf07e8e756910378b4f8d4eb
parent2023-11-04 (diff)
2023-11-05
-rw-r--r--flake.nix1
-rw-r--r--modules/common/profiles/email.nix2
-rw-r--r--modules/nixos/alertmanager.nix5
-rw-r--r--modules/nixos/firefox/userContent.css5
-rw-r--r--modules/nixos/games/minecraft.nix4
-rw-r--r--modules/nixos/shadowsocks.nix124
-rw-r--r--modules/nixos/thunderbird.nix64
-rw-r--r--nixosConfigurations/manwe/mailserver/default.nix8
-rw-r--r--packages/nixfiles.nix2
9 files changed, 119 insertions, 96 deletions
diff --git a/flake.nix b/flake.nix
index 8df7f19..49a3527 100644
--- a/flake.nix
+++ b/flake.nix
@@ -111,7 +111,6 @@
       };
     };
 
-    # TODO Check out https://github.com/nix-community/mineflake
     nix-minecraft = {
       type = "github";
       owner = "Infinidoge";
diff --git a/modules/common/profiles/email.nix b/modules/common/profiles/email.nix
index 9064f70..19eaee5 100644
--- a/modules/common/profiles/email.nix
+++ b/modules/common/profiles/email.nix
@@ -29,7 +29,7 @@ in {
                 msmtp.enable = true;
                 mu.enable = true;
                 thunderbird = {
-                  enable = pkgs.stdenv.isLinux;
+                  enable = hasSuffix "linux" this.system;
                   settings = id: {
                     "mail.identity.id_${id}.compose_html" = false;
                     "mail.identity.id_${id}.reply_on_top" = 0;
diff --git a/modules/nixos/alertmanager.nix b/modules/nixos/alertmanager.nix
index 8f5b34b..c8f0bf2 100644
--- a/modules/nixos/alertmanager.nix
+++ b/modules/nixos/alertmanager.nix
@@ -45,7 +45,10 @@ in {
         listenAddress = "127.0.0.1";
         inherit (cfg) port;
 
-        extraFlags = ["--web.external-url=https://${cfg.domain}"];
+        extraFlags = [
+          "--cluster.listen-address=\"\""
+          "--web.external-url=https://${cfg.domain}"
+        ];
 
         configuration = {
           global = {
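Review bot: The new `"--cluster.listen-address=\"\""` on line 57 only works because the module splices extraFlags into the ExecStart string unquoted, so the `""` collapses to an empty value; if the module ever escaped each flag as its own argument, alertmanager would receive the two quote characters literally. The intent (a single instance with no gossip listener, so no extra port is opened) is not obvious from the flag alone, so a comment above it would help: `# Single instance: disable HA gossip so no cluster port is opened.`. The enclosing services block starts outside the hunk.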
diff --git a/modules/nixos/firefox/userContent.css b/modules/nixos/firefox/userContent.css
index bb80dbc..9d59704 100644
--- a/modules/nixos/firefox/userContent.css
+++ b/modules/nixos/firefox/userContent.css
@@ -49,17 +49,15 @@
 
 @-moz-document regexp("https?://(.*\.)?github.com.*")
 {
-    .Overlay-footer,
     .color-fg-muted.f6.mt-4, /* GitHub profile guide. */
     .flex-order-1.flex-md-order-none, /* Follow button. */
     .js-user-status-item,
     .protip,
     .pt-3.mt-3.d-none.d-md-block, /* Profile achievements. */
-    .text-small.color-fg-muted.mx-md-2.mt-3.mt-md-2.mb-2, /* Community guidelines. */
+    .text-small.color-fg-muted, /* Useless tips. */
     .user-status-circle-badge-container,
     .user-status-container,
     a[href^="/account/choose?action=upgrade"],
-    a[href^="/codespaces"],
     a[href^="/collections"],
     a[href^="/contact/report-content"],
     a[href^="/events"],
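Review bot: The replacement selector `.text-small.color-fg-muted` on line 78 is far broader than the `.mx-md-2.mt-3.mt-md-2.mb-2` chain it replaces; both are generic Primer utility classes, so this rule will likely hide muted text well beyond the community-guidelines blurb (timestamps, counts, hints). If only that blurb is meant, keep one of the layout classes or scope the selector to its container; otherwise state the intent in the comment, `/* Hides all small muted text, not only the guidelines note. */`. The @-moz-document block continues outside the hunk.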
@@ -71,6 +69,7 @@
     a[href^="/sponsors"],
     a[href^="/topics"],
     a[href^="/trending"],
+    a[href^="https://github.com/codespaces"], /* No code reviews on GitHub? */
     details[id^="funding-links-modal"],
     footer {
         display: none !important;
diff --git a/modules/nixos/games/minecraft.nix b/modules/nixos/games/minecraft.nix
index 2242df4..888c479 100644
--- a/modules/nixos/games/minecraft.nix
+++ b/modules/nixos/games/minecraft.nix
@@ -16,9 +16,9 @@ in {
       enable = mkEnableOption "Minecraft server";
 
       port = mkOption {
-        description = "OpenSSH server port.";
+        description = "Server port.";
         type = types.port;
-        default = 50505; # Keeping 25565 as the default is a big security risk.
+        default = 25565;
       };
 
       memory = mkOption {
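Review bot: Line 106 restores the upstream default 25565 and drops the comment that called that a security risk, but the hunk gives no replacement rationale. A well-known port mainly changes how quickly mass scanners find the server; the controls that actually matter are online-mode, a whitelist and the firewall, none of which are visible here, so a reader cannot tell whether they compensate. Suggest keeping a one-line note on the default: `# Upstream default; access control relies on online-mode/whitelist and the firewall, not the port.`. The options block continues outside the hunk.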
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index 7307933..c04799b 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -19,69 +19,84 @@ in {
   };
 
   config = mkIf cfg.enable {
-    secrets.shadowsocks-password.file = "${inputs.self}/secrets/shadowsocks-password";
+    secrets.shadowsocks-json.file = "${inputs.self}/secrets/shadowsocks-json";
 
-    services = {
-      shadowsocks = {
-        enable = true;
-        passwordFile = config.secrets.shadowsocks-password.path;
-        localAddress = ["0.0.0.0"];
-        mode = "tcp_only";
-      };
-
-      fail2ban.jails.shadowsocks-libev = {
-        enabled = true;
-        settings = {
-          filter = "shadowsocks-libev";
-          inherit (cfg) port;
-        };
+    services.fail2ban.jails.shadowsocks = {
+      enabled = true;
+      settings = {
+        filter = "shadowsocks";
+        inherit (cfg) port;
       };
     };
 
-    systemd.services.shadowsocks-libev.path = with pkgs;
-      mkForce [
-        (writeShellApplication {
-          name = "ss-server";
-          runtimeInputs = [shadowsocks-libev];
-          text = let
-            # https://github.com/shadowsocks/shadowsocks-libev/blob/master/acl/server_block_local.acl
-            aclFile = writeText "outbound_block_list.acl" ''
-              [outbound_block_list]
-              0.0.0.0/8
-              10.0.0.0/8
-              100.64.0.0/10
-              127.0.0.0/8
-              169.254.0.0/16
-              172.16.0.0/12
-              192.0.0.0/24
-              192.0.2.0/24
-              192.88.99.0/24
-              192.168.0.0/16
-              198.18.0.0/15
-              198.51.100.0/24
-              203.0.113.0/24
-              224.0.0.0/4
-              240.0.0.0/4
-              255.255.255.255/32
-              ::1/128
-              ::ffff:127.0.0.1/104
-              fc00::/7
-              fe80::/10
+    systemd.services.shadowsocks = {
+      description = "Shadowsocks";
+      after = ["network.target"];
+      wantedBy = ["multi-user.target"];
+      serviceConfig = {
+        DynamicUser = true;
+        RuntimeDirectory = "shadowsocks";
+        LoadCredential = "secret.json:${config.secrets.shadowsocks-json.path}";
+        ExecStartPre = let
+          mergeJson = let
+            configFile = pkgs.writeText "config.json" (generators.toJSON {} {
+              server = "::";
+              server_port = cfg.port;
+              # Can't really use AEAD-2022[1] just yet because it's not
+              # supported by some[2] clients.
+              #
+              # [1]: https://shadowsocks.org/doc/sip022.html
+              # [2]: https://github.com/shadowsocks/ShadowsocksX-NG/issues/1480
+              # [2]: https://github.com/shadowsocks/shadowsocks-windows/issues/3448
+              # method = "2022-blake3-chacha20-poly1305";
+              method = "chacha20-ietf-poly1305";
+              password = null; # Must be set as a secret.
+              users = null; # Muse be set as a secret.
+              fast_open = true;
+              acl = pkgs.writeText "block-internal-access.acl" ''
+                [outbound_block_list]
+                0.0.0.0/8
+                10.0.0.0/8
+                100.64.0.0/10
+                127.0.0.0/8
+                169.254.0.0/16
+                172.16.0.0/12
+                192.0.0.0/24
+                192.0.2.0/24
+                192.88.99.0/24
+                192.168.0.0/16
+                198.18.0.0/15
+                198.51.100.0/24
+                203.0.113.0/24
+                224.0.0.0/4
+                240.0.0.0/4
+                255.255.255.255/32
+                ::1/128
+                ::ffff:127.0.0.1/104
+                fc00::/7
+                fe80::/10
+              '';
+            });
+          in
+            pkgs.writeShellScript "meregeJson" ''
+              ${pkgs.jq}/bin/jq \
+                -s '.[0] * .[1]' \
+                ${configFile} \
+                $CREDENTIALS_DIRECTORY/secret.json \
+                >$RUNTIME_DIRECTORY/config.json
             '';
-          in ''
-            ss-server --acl ${aclFile} "$@"
-          '';
-        })
-        coreutils-full
-        jq
-      ];
+        in
+          mergeJson;
+        ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver --config \${RUNTIME_DIRECTORY}/config.json";
+      };
+    };
 
     environment.etc = mkIf config.nixfiles.modules.fail2ban.enable {
-      "fail2ban/filter.d/shadowsocks-libev.conf".text = ''
+      "fail2ban/filter.d/shadowsocks.conf".text = ''
         [Definition]
-        failregex = ^.*failed to handshake with <ADDR>: authentication error$
+        failregex = ^.*tcp handshake failed.*\[::ffff:<ADDR>\].*$
         ignoreregex =
-        journalmatch = _SYSTEMD_UNIT=shadowsocks-libev.service
+        journalmatch = _SYSTEMD_UNIT=shadowsocks.service
       '';
     };
 
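Review bot: The merged config written by ExecStartPre on line 226 contains the password/users from secret.json, but RuntimeDirectory (line 178) is created with systemd's default mode 0755, so `/run/shadowsocks/config.json` is readable by every local user for the service's lifetime; add `RuntimeDirectoryMode = "0700";` beside it, since only the same DynamicUser ever reads the file. The paths on lines 225–226 should also be quoted, `"$CREDENTIALS_DIRECTORY/secret.json"` and `>"$RUNTIME_DIRECTORY/config.json"`. The new fail2ban failregex on line 246 only matches IPv4-mapped peers (`[::ffff:…]`), yet the server now binds `::` (line 183), so native IPv6 clients that fail the handshake are never banned — `\[(?:::ffff:)?<ADDR>\]` (or plain `\[<ADDR>\]` if this fail2ban's `<ADDR>` already strips the mapped prefix) would cover both, assuming shadowsocks-rust logs IPv6 peers in the same bracketed form. Minor: `Muse` on line 194 should read `Must`, and the script name `meregeJson` on line 221 is misspelled.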
@@ -94,6 +109,7 @@ in {
       '';
     };
 
+    # https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
     boot.kernel.sysctl = {
       "net.core.rmem_max" = mkOverride 100 (pow 2 26);
       "net.core.wmem_max" = mkOverride 100 (pow 2 26);
diff --git a/modules/nixos/thunderbird.nix b/modules/nixos/thunderbird.nix
index 5afb163..2261dcd 100644
--- a/modules/nixos/thunderbird.nix
+++ b/modules/nixos/thunderbird.nix
@@ -14,39 +14,37 @@ in {
       "x-scheme-handler/mailto"
     ];
 
-    hm = {
-      programs.thunderbird = {
-        enable = true;
-        profiles.default = {
-          isDefault = true;
-          withExternalGnupg = true;
-        };
-        settings = {
-          "app.update.auto" = false;
-          "browser.display.document_color_use" = 2;
-          "browser.display.use_system_colors" = true;
-          "browser.search.region" = "US";
-          "browser.search.update" = false;
-          "datareporting.healthreport.uploadEnabled" = false;
-          "full-screen-api.warning.delay" = 0;
-          "full-screen-api.warning.timeout" = 0;
-          "general.autoScroll" = true;
-          "general.smoothScroll" = true;
-          "mail.default_send_format" = 0;
-          "mail.tabs.drawInTitlebar" =
-            if config.nixfiles.modules.kde.enable
-            then 1
-            else 0;
-          "mailnews.start_page.url" = "about:blank";
-          "media.autoplay.blocking_policy" = 2;
-          "media.autoplay.default" = 5;
-          "media.autoplay.enabled" = false;
-          "media.hardwaremediakeys.enabled" = false;
-          "network.cookie.cookieBehavior" = 2;
-          "places.history.enabled" = false;
-          "reader.parse-on-load.enabled" = false;
-          "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
-        };
+    hm.programs.thunderbird = {
+      enable = true;
+      profiles.default = {
+        isDefault = true;
+        withExternalGnupg = true;
+      };
+      settings = {
+        "app.update.auto" = false;
+        "browser.display.document_color_use" = 2;
+        "browser.display.use_system_colors" = true;
+        "browser.search.region" = "US";
+        "browser.search.update" = false;
+        "datareporting.healthreport.uploadEnabled" = false;
+        "full-screen-api.warning.delay" = 0;
+        "full-screen-api.warning.timeout" = 0;
+        "general.autoScroll" = true;
+        "general.smoothScroll" = true;
+        "mail.default_send_format" = 0;
+        "mail.tabs.drawInTitlebar" =
+          if config.nixfiles.modules.kde.enable
+          then 1
+          else 0;
+        "mailnews.start_page.url" = "about:blank";
+        "media.autoplay.blocking_policy" = 2;
+        "media.autoplay.default" = 5;
+        "media.autoplay.enabled" = false;
+        "media.hardwaremediakeys.enabled" = false;
+        "network.cookie.cookieBehavior" = 2;
+        "places.history.enabled" = false;
+        "reader.parse-on-load.enabled" = false;
+        "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
       };
     };
   };
diff --git a/nixosConfigurations/manwe/mailserver/default.nix b/nixosConfigurations/manwe/mailserver/default.nix
index 4f58df7..88edf25 100644
--- a/nixosConfigurations/manwe/mailserver/default.nix
+++ b/nixosConfigurations/manwe/mailserver/default.nix
@@ -54,6 +54,14 @@ with lib; {
   in {
     enable = true;
 
+    # Disable potentially insecure[1] STARTTLS connections. SSL-only connections
+    # are still enabled by default.
+    #
+    # [1]: https://www.rfc-editor.org/rfc/rfc3207#section-6
+    enableImap = false;
+    enablePop3 = false;
+    enableSubmission = false;
+
     fqdn = config.networking.domain;
     domains = with my.domain; [azahi gondor rohan shire];
 
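Review bot: The new block turns off the STARTTLS listeners but leaves the implicit-TLS ones to the module's defaults, so an upstream default change could silently leave the server with no client-facing ports; if the module's `enableImapSsl`/`enableSubmissionSsl` options are what keep 993/465 open, pin them explicitly beside these lines, `enableImapSsl = true;` and `enableSubmissionSsl = true;`. In the comment, "SSL-only" would be clearer as "implicit TLS (IMAPS/SMTPS)", which is the distinction RFC 3207 §6 is about: an opportunistic STARTTLS upgrade can be stripped by an on-path attacker, whereas a TLS-from-the-start port cannot. The enclosing attribute set starts and ends outside the hunk.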
diff --git a/packages/nixfiles.nix b/packages/nixfiles.nix
index c342501..a114bab 100644
--- a/packages/nixfiles.nix
+++ b/packages/nixfiles.nix
@@ -20,7 +20,7 @@
         nix
         openssh
       ]
-      ++ lib.optional (!stdenv.isDarwin) xdg-utils;
+      ++ lib.optional stdenv.isLinux xdg-utils;
 
     # Shamelessly appropriated from https://github.com/ncfavier/config.
     # Hopefully Naïm will not sue me for copyright infrigment.
