Merge branch 'main' of https://tangled.sh/@ocbwoy3.dev/nix

2025-10-24 23:18:25 +03:00
parent f65844f48f c226c1bdb3
commit eda5c75a07
4 changed files with 49 additions and 2 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -5,6 +5,7 @@
 		./modules/atproto-pds.nix
 		./modules/cloudflare.nix
 		./modules/knot.nix
+		./modules/misskey.nix
 		../../modules/force.nix
 	];

--- a/hosts/server/modules/atproto-pds.nix
+++ b/hosts/server/modules/atproto-pds.nix
@@ -6,7 +6,7 @@
 	# Upload PDS backup to /var/lib/pds
 	# and specify secrets in /private/atproto-pds.env

-	services.pds = {
+	services.bluesky-pds = {
 		enable = true;
 		pdsadmin.enable = true;
 		environmentFiles = [ "/private/atproto-pds.env" ];
@@ -14,7 +14,7 @@
 			PDS_CRAWLERS = "https://bsky.network";
 			LOG_ENABLED = "true";
 			PDS_HOSTNAME = "pds.ocbwoy3.dev";
-			PDS_VERSION = "\"ATProto PDS v69420\"";
+			# PDS_VERSION = "\"ATProto PDS v69420\"";
 			PDS_DID_PLC_URL = "https://plc.directory";
 			PDS_CONTACT_EMAIL_ADDRESS = "ocbwoy3@ocbwoy3.dev";
 			PDS_PRIVACY_POLICY_URL = "https://ocbwoy3.dev";
--- a/hosts/server/modules/misskey.nix
+++ b/hosts/server/modules/misskey.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, lib, ... }:
+
+{
+    services.misskey = {
+        enable = true;
+
+        settings = {
+            maxFileSize = 20 * 1024 * 1024;
+            port = 8089;
+            url = "https://ocbwoy3.dev";
+            publishTarballInsteadOfProvideRepositoryUrl = false;
+        };
+
+        database = {
+            # passwordFile = "/private/misskey-db.pw";
+            createLocally = true;
+        };
+
+        redis = {
+            # passwordFile = "/private/misskey-db.pw";
+            createLocally = true;
+        };
+
+        reverseProxy.enable = lib.mkDefault false; # shit, we already have cloudflared
+
+    };
+
+    systemd.tmpfiles.rules = [
+        "d /misskey 0755 root root -"
+    ];
+}
--- a/modules/nixos/programs.nix
+++ b/modules/nixos/programs.nix
@@ -26,9 +26,24 @@
 		c-ares ffmpeg gtk3 http-parser libevent libvpx libxslt minizip nss re2 snappy libnotify libappindicator-gtk3
 	];

+	services.fail2ban = {
+		enable = true;
+		# Ban IP after 5 failures
+		maxretry = 5;
+		ignoreIP = [
+			"10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+		];
+	};
+
 	services.openssh = {
 		enable = true;
 		ports = [ 22 ];
+		settings = {
+			PasswordAuthentication = false;
+			KbdInteractiveAuthentication = false;
+			PermitRootLogin = "no";
+			AllowUsers = [ "ocbwoy3" "git" ];
+		};
 		# fucks up ssh connections from iphone if you enable this
 		# settings = {
 		# 	KexAlgorithms = [ "curve25519-sha256@libssh.org" ];