authorAzat Bahawi <azat@bahawi.net>2023-11-05 18:10:26 +0300
committerAzat Bahawi <azat@bahawi.net>2023-11-05 18:10:26 +0300
commit647ea0667423ced895e4bcdd73a9401b1fe3ee69 (patch)
tree700db0911e1e2193bf07e8e756910378b4f8d4eb /modules
parent5da01d688fcfd4d1956197f7b7f9372e88687d05 (diff)
2023-11-05
Diffstat (limited to 'modules')
-rw-r--r--modules/common/profiles/email.nix2
-rw-r--r--modules/nixos/alertmanager.nix5
-rw-r--r--modules/nixos/firefox/userContent.css5
-rw-r--r--modules/nixos/games/minecraft.nix4
-rw-r--r--modules/nixos/shadowsocks.nix124
-rw-r--r--modules/nixos/thunderbird.nix64
6 files changed, 110 insertions, 94 deletions
diff --git a/modules/common/profiles/email.nix b/modules/common/profiles/email.nix
index 9064f70..19eaee5 100644
--- a/modules/common/profiles/email.nix
+++ b/modules/common/profiles/email.nix
@@ -29,7 +29,7 @@ in {
msmtp.enable = true;
mu.enable = true;
thunderbird = {
- enable = pkgs.stdenv.isLinux;
+ enable = hasSuffix "linux" this.system;
settings = id: {
"mail.identity.id_${id}.compose_html" = false;
"mail.identity.id_${id}.reply_on_top" = 0;
diff --git a/modules/nixos/alertmanager.nix b/modules/nixos/alertmanager.nix
index 8f5b34b..c8f0bf2 100644
--- a/modules/nixos/alertmanager.nix
+++ b/modules/nixos/alertmanager.nix
@@ -45,7 +45,10 @@ in {
listenAddress = "127.0.0.1";
inherit (cfg) port;
- extraFlags = ["--web.external-url=https://${cfg.domain}"];
+ extraFlags = [
+ "--cluster.listen-address=\"\""
+ "--web.external-url=https://${cfg.domain}"
+ ];
configuration = {
global = {
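Review bot: The purpose of the new `"--cluster.listen-address=\"\""` entry on line 43 is not recorded, and its effect depends on the embedded double quotes surviving Nix escaping and then being stripped when the flags are joined into the unit's ExecStart (presumably by the nixpkgs alertmanager module), so a reader cannot tell whether the quotes are deliberate or a mistake. Add a comment above the entry, e.g. `# Disable the HA gossip listener (default 0.0.0.0:9094); alertmanager expects an empty value and the quotes are stripped by systemd's ExecStart parsing.`. The enclosing `services.prometheus.alertmanager` attribute set starts and ends outside the hunk.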
diff --git a/modules/nixos/firefox/userContent.css b/modules/nixos/firefox/userContent.css
index bb80dbc..9d59704 100644
--- a/modules/nixos/firefox/userContent.css
+++ b/modules/nixos/firefox/userContent.css
@@ -49,17 +49,15 @@
@-moz-document regexp("https?://(.*\.)?github.com.*")
{
- .Overlay-footer,
.color-fg-muted.f6.mt-4, /* GitHub profile guide. */
.flex-order-1.flex-md-order-none, /* Follow button. */
.js-user-status-item,
.protip,
.pt-3.mt-3.d-none.d-md-block, /* Profile achievements. */
- .text-small.color-fg-muted.mx-md-2.mt-3.mt-md-2.mb-2, /* Community guidelines. */
+ .text-small.color-fg-muted, /* Useless tips. */
.user-status-circle-badge-container,
.user-status-container,
a[href^="/account/choose?action=upgrade"],
- a[href^="/codespaces"],
a[href^="/collections"],
a[href^="/contact/report-content"],
a[href^="/events"],
@@ -71,6 +69,7 @@
a[href^="/sponsors"],
a[href^="/topics"],
a[href^="/trending"],
+ a[href^="https://github.com/codespaces"], /* No code reviews on GitHub? */
details[id^="funding-links-modal"],
footer {
display: none !important;
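Review bot: The replacement selector `.text-small.color-fg-muted` on line 62 is much broader than the `.mx-md-2.mt-3.mt-md-2.mb-2` chain it replaces and will hide every muted small-text element across github.com, not only the community-guidelines tip, which may swallow useful status text. If the narrower rule simply stopped matching, keep the broad rule but record that the breadth is intentional, e.g. `/* Useless tips (intentionally broad: hides all muted helper text). */`.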
diff --git a/modules/nixos/games/minecraft.nix b/modules/nixos/games/minecraft.nix
index 2242df4..888c479 100644
--- a/modules/nixos/games/minecraft.nix
+++ b/modules/nixos/games/minecraft.nix
@@ -16,9 +16,9 @@ in {
enable = mkEnableOption "Minecraft server";
port = mkOption {
- description = "OpenSSH server port.";
+ description = "Server port.";
type = types.port;
- default = 50505; # Keeping 25565 as the default is a big security risk.
+ default = 25565;
};
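Review bot: Line 89 restores 25565 as the default and line 88 drops the comment that justified the previous 50505, so the option no longer records why the earlier "security risk" reasoning was abandoned. A non-default port was never a real control, but that conclusion belongs next to the option so it is not reintroduced later; replace the dropped comment with `default = 25565; # Standard port; reachability is controlled by the firewall rule, not by choosing an unusual port.`. Whether the module opens this port in the firewall is outside the hunk.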
memory = mkOption {
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index 7307933..c04799b 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -19,69 +19,84 @@ in {
};
config = mkIf cfg.enable {
- secrets.shadowsocks-password.file = "${inputs.self}/secrets/shadowsocks-password";
+ secrets.shadowsocks-json.file = "${inputs.self}/secrets/shadowsocks-json";
- services = {
- shadowsocks = {
- enable = true;
- passwordFile = config.secrets.shadowsocks-password.path;
- localAddress = ["0.0.0.0"];
- mode = "tcp_only";
- };
-
- fail2ban.jails.shadowsocks-libev = {
- enabled = true;
- settings = {
- filter = "shadowsocks-libev";
- inherit (cfg) port;
- };
+ services.fail2ban.jails.shadowsocks = {
+ enabled = true;
+ settings = {
+ filter = "shadowsocks";
+ inherit (cfg) port;
};
};
- systemd.services.shadowsocks-libev.path = with pkgs;
- mkForce [
- (writeShellApplication {
- name = "ss-server";
- runtimeInputs = [shadowsocks-libev];
- text = let
- # https://github.com/shadowsocks/shadowsocks-libev/blob/master/acl/server_block_local.acl
- aclFile = writeText "outbound_block_list.acl" ''
- [outbound_block_list]
- 0.0.0.0/8
- 10.0.0.0/8
- 100.64.0.0/10
- 127.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.0.0.0/24
- 192.0.2.0/24
- 192.88.99.0/24
- 192.168.0.0/16
- 198.18.0.0/15
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 240.0.0.0/4
- 255.255.255.255/32
- ::1/128
- ::ffff:127.0.0.1/104
- fc00::/7
- fe80::/10
+ systemd.services.shadowsocks = {
+ description = "Shadowsocks";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ DynamicUser = true;
+ RuntimeDirectory = "shadowsocks";
+ LoadCredential = "secret.json:${config.secrets.shadowsocks-json.path}";
+ ExecStartPre = let
+ mergeJson = let
+ configFile = pkgs.writeText "config.json" (generators.toJSON {} {
+ server = "::";
+ server_port = cfg.port;
+ # Can't really use AEAD-2022[1] just yet because it's not
+ # supported by some[2] clients.
+ #
+ # [1]: https://shadowsocks.org/doc/sip022.html
+ # [2]: https://github.com/shadowsocks/ShadowsocksX-NG/issues/1480
+ # [2]: https://github.com/shadowsocks/shadowsocks-windows/issues/3448
+ # method = "2022-blake3-chacha20-poly1305";
+ method = "chacha20-ietf-poly1305";
+ password = null; # Must be set as a secret.
+ users = null; # Muse be set as a secret.
+ fast_open = true;
+ acl = pkgs.writeText "block-internal-access.acl" ''
+ [outbound_block_list]
+ 0.0.0.0/8
+ 10.0.0.0/8
+ 100.64.0.0/10
+ 127.0.0.0/8
+ 169.254.0.0/16
+ 172.16.0.0/12
+ 192.0.0.0/24
+ 192.0.2.0/24
+ 192.88.99.0/24
+ 192.168.0.0/16
+ 198.18.0.0/15
+ 198.51.100.0/24
+ 203.0.113.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
+ 255.255.255.255/32
+ ::1/128
+ ::ffff:127.0.0.1/104
+ fc00::/7
+ fe80::/10
+ '';
+ });
+ in
+ pkgs.writeShellScript "meregeJson" ''
+ ${pkgs.jq}/bin/jq \
+ -s '.[0] * .[1]' \
+ ${configFile} \
+ $CREDENTIALS_DIRECTORY/secret.json \
+ >$RUNTIME_DIRECTORY/config.json
'';
- in ''
- ss-server --acl ${aclFile} "$@"
- '';
- })
- coreutils-full
- jq
- ];
+ in
+ mergeJson;
+ ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver --config \${RUNTIME_DIRECTORY}/config.json";
+ };
+ };
environment.etc = mkIf config.nixfiles.modules.fail2ban.enable {
- "fail2ban/filter.d/shadowsocks-libev.conf".text = ''
+ "fail2ban/filter.d/shadowsocks.conf".text = ''
[Definition]
- failregex = ^.*failed to handshake with <ADDR>: authentication error$
+ failregex = ^.*tcp handshake failed.*\[::ffff:<ADDR>\].*$
ignoreregex =
- journalmatch = _SYSTEMD_UNIT=shadowsocks-libev.service
+ journalmatch = _SYSTEMD_UNIT=shadowsocks.service
'';
};
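Review bot: The merged config written on line 205 lands in `$RUNTIME_DIRECTORY/config.json` with the password from `secret.json` embedded in it, and the serviceConfig on lines 155–217 sets neither `RuntimeDirectoryMode` nor `UMask`, so under systemd's defaults (0755 directory, 0022 umask) that file is world-readable and the protection `LoadCredential` gives the secret is lost at the merge step. Add `RuntimeDirectoryMode = "0700";` and `UMask = "0077";` beside `RuntimeDirectory` on line 157, and quote the two expansions in the jq command (`"$CREDENTIALS_DIRECTORY/secret.json"` and `>"$RUNTIME_DIRECTORY/config.json"`), since `writeShellScript` does not run shellcheck. Separately, the new fail2ban failregex on line 224 only matches IPv4-mapped peers (`[::ffff:<ADDR>]`) while the server now binds `::` on line 162, so failed handshakes from native IPv6 clients are never banned. Minor: `"meregeJson"` on line 200 and `Muse` on line 173 are typos.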
@@ -94,6 +109,7 @@ in {
'';
};
+ # https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
boot.kernel.sysctl = {
"net.core.rmem_max" = mkOverride 100 (pow 2 26);
"net.core.wmem_max" = mkOverride 100 (pow 2 26);
diff --git a/modules/nixos/thunderbird.nix b/modules/nixos/thunderbird.nix
index 5afb163..2261dcd 100644
--- a/modules/nixos/thunderbird.nix
+++ b/modules/nixos/thunderbird.nix
@@ -14,39 +14,37 @@ in {
"x-scheme-handler/mailto"
];
- hm = {
- programs.thunderbird = {
- enable = true;
- profiles.default = {
- isDefault = true;
- withExternalGnupg = true;
- };
- settings = {
- "app.update.auto" = false;
- "browser.display.document_color_use" = 2;
- "browser.display.use_system_colors" = true;
- "browser.search.region" = "US";
- "browser.search.update" = false;
- "datareporting.healthreport.uploadEnabled" = false;
- "full-screen-api.warning.delay" = 0;
- "full-screen-api.warning.timeout" = 0;
- "general.autoScroll" = true;
- "general.smoothScroll" = true;
- "mail.default_send_format" = 0;
- "mail.tabs.drawInTitlebar" =
- if config.nixfiles.modules.kde.enable
- then 1
- else 0;
- "mailnews.start_page.url" = "about:blank";
- "media.autoplay.blocking_policy" = 2;
- "media.autoplay.default" = 5;
- "media.autoplay.enabled" = false;
- "media.hardwaremediakeys.enabled" = false;
- "network.cookie.cookieBehavior" = 2;
- "places.history.enabled" = false;
- "reader.parse-on-load.enabled" = false;
- "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
- };
+ hm.programs.thunderbird = {
+ enable = true;
+ profiles.default = {
+ isDefault = true;
+ withExternalGnupg = true;
+ };
+ settings = {
+ "app.update.auto" = false;
+ "browser.display.document_color_use" = 2;
+ "browser.display.use_system_colors" = true;
+ "browser.search.region" = "US";
+ "browser.search.update" = false;
+ "datareporting.healthreport.uploadEnabled" = false;
+ "full-screen-api.warning.delay" = 0;
+ "full-screen-api.warning.timeout" = 0;
+ "general.autoScroll" = true;
+ "general.smoothScroll" = true;
+ "mail.default_send_format" = 0;
+ "mail.tabs.drawInTitlebar" =
+ if config.nixfiles.modules.kde.enable
+ then 1
+ else 0;
+ "mailnews.start_page.url" = "about:blank";
+ "media.autoplay.blocking_policy" = 2;
+ "media.autoplay.default" = 5;
+ "media.autoplay.enabled" = false;
+ "media.hardwaremediakeys.enabled" = false;
+ "network.cookie.cookieBehavior" = 2;
+ "places.history.enabled" = false;
+ "reader.parse-on-load.enabled" = false;
+ "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
};
};
};