valkyrie: init

2026-06-24 17:36:41 +00:00 · 2026-06-23 12:13:21 +02:00
parent f89ff639c7
commit 0c8f567a7e
19 changed files with 687 additions and 6 deletions
@@ -0,0 +1,38 @@
+{
+  config,
+  pkgs,
+  lib,
+  mkk,
+  ...
+}:
+{
+  options.valkyrieService.dcbot.enable = mkk.lib.mkBoolOpt false "Enable muse bot";
+
+  config =
+    let
+      cfg = config.valkyrieService.dcbot;
+    in
+    lib.mkIf cfg.enable {
+      sops.templates."muse.env".content = ''
+        CACHE_LIMIT=512MB
+        BOT_STATUS=online
+        BOT_ACTIVITY_TYPE=LISTENING
+        BOT_ACTIVITY=Coś
+        DISCORD_TOKEN=${config.sops.placeholder.discord-token}
+        YOUTUBE_API_KEY=${config.sops.placeholder.youtube-api}
+        SPOTIFY_CLIENT_ID=${config.sops.placeholder.spotify-client-id}
+        SPOTIFY_CLIENT_SECRET=${config.sops.placeholder.spotify-client-secret}
+      '';
+
+      systemd.tmpfiles.rules = [
+        "d    /var/lib/muse  0776    root    root     -"
+      ];
+      virtualisation.oci-containers.containers.dcbot = {
+        image = "sl33ping/muse:pr-1195";
+        volumes = [ "/var/lib/muse:/data" ];
+        environmentFiles = [ config.sops.templates."muse.env".path ];
+      };
+
+    };
+
+}
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+{
+  imports =
+    [
+      ./pleroma.nix
+      ./pihole.nix
+      ./dcbot.nix
+      ./secureyoursoul.nix
+    ];
+  services.adguardhome.enable = true;
+
+  valkyrieService.pihole.enable = false;
+  valkyrieService.pleroma.enable = false;
+  valkyrieService.dcbot.enable = true;
+  valkyrieService.secureyoursoul.enable = true;
+
+}
@@ -0,0 +1,56 @@
+{ config, pkgs, lib, mkk, ... }:
+{
+  options.valkyrieService.pihole.enable = mkk.lib.mkBoolOpt false "Enable pihole";
+  options.valkyrieService.pihole.dnsIP = lib.mkOption { default = "127.0.0.1"; };
+  options.valkyrieService.pihole.webIP = lib.mkOption { default = "127.0.0.1"; };
+
+
+
+  config =
+    let
+      cfg = config.valkyrieService.pihole;
+      dnsmasqConf = pkgs.writeText "02-dnsmasq-custom.conf" ''
+        no-hosts
+      '';
+
+    in
+    lib.mkIf config.valkyrieService.pihole.enable {
+      systemd.tmpfiles.rules = [
+        "d    /var/lib/dnsmasq.d   0776    root    root     -"
+        "d    /var/lib/pihole   0776    root    root     -"
+        "L+   /var/lib/dnsmasq.d/02-dnsmasq-custom.conf  0776 root root - ${dnsmasqConf}"
+      ];
+
+      virtualisation.oci-containers.containers.pihole = {
+        image = "pihole/pihole:latest";
+        ports =
+          [
+            "${cfg.dnsIP}:53:53/tcp"
+            "${cfg.dnsIP}:53:53/udp"
+            "${cfg.webIP}:3000:80"
+          ];
+        environment = {
+          TZ = "Europe/Warsaw";
+          FTLCONF_LOCAL_IPV4 = "127.0.0.1";
+          DNSMASQ_USER = "root";
+          VIRTUAL_HOST = "pi.hole";
+          PROXY_LOCATION = "pi.hole";
+        };
+        volumes = [
+          "/var/lib/pihole/:/etc/pihole/"
+          "/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
+          "/nix/store:/nix/store"
+        ];
+        extraOptions =
+          [
+            "--cap-add=NET_ADMIN"
+            "--dns=127.0.0.1"
+            "--dns=9.9.9.9"
+            "--hostname=pi.hole"
+          ];
+      };
+
+    };
+
+
+}
@@ -0,0 +1,149 @@
+{ config, pkgs, lib, mkk, ... }:
+let
+
+  socketPath = "/run/pleroma/http.sock";
+
+
+  socketChmod = with pkgs; with lib; pkgs.writers.writeBashBin "pleroma-socket"
+    ''
+      coproc {
+          ${inotify-tools}/bin/inotifywait -q -m -e create ${escapeShellArg (dirOf socketPath)}
+        }
+
+        trap 'kill "$COPROC_PID"' EXIT TERM
+
+        until ${pkgs.coreutils}/bin/test -S ${escapeShellArg socketPath}
+          do read -r -u "''${COPROC[0]}"
+        done
+
+      ${pkgs.coreutils}/bin/chmod 0666 ${socketPath}
+    '';
+
+  soapbox = pkgs.stdenv.mkDerivation rec {
+    pname = "soapbox";
+    version = "v3.2.0";
+    dontBuild = true;
+    dontConfigure = true;
+    src = pkgs.fetchurl {
+      name = "soapbox";
+      url = "https://gitlab.com/soapbox-pub/soapbox/-/jobs/artifacts/${version}/download?job=build-production";
+      sha256 = "sha256-AdW6JK7JkIKLZ8X+N9STeOHqmGNUdhcXyC9jsQPTa9o=";
+    };
+    nativeBuildInputs = [ pkgs.unzip ];
+    unpackPhase = ''
+      unzip $src -d .
+    '';
+    installPhase = ''
+      mv ./static $out
+    '';
+
+  };
+
+in
+{
+  options.valkyrieService.pleroma.enable = mkk.lib.mkBoolOpt false "Enable pleroma";
+  config = lib.mkIf config.valkyrieService.pleroma.enable {
+    systemd.tmpfiles.rules = [
+      "d    /var/lib/pleroma   0766    pleroma    pleroma     -"
+      "d    /var/lib/pleroma/static   0766    pleroma    pleroma     -"
+      "d    /var/lib/pleroma/uploads   0766    pleroma    pleroma     -"
+      "L+   /var/lib/pleroma/static/frontends/soapbox/${soapbox.version}  0766 pleroma pleroma - ${soapbox}"
+    ];
+
+   services.nginx.virtualHosts."podkos.xyz" = {
+      http2 = true;
+      useACMEHost = "podkos.xyz";
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://unix:${socketPath}";
+        extraConfig = ''
+          etag on;
+          gzip on;
+
+          add_header 'Access-Control-Allow-Origin' '*' always;
+          add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
+          add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
+          add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
+          if ($request_method = OPTIONS) {
+            return 204;
+          }
+
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Permitted-Cross-Domain-Policies none;
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header Referrer-Policy same-origin;
+          add_header X-Download-Options noopen;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+
+          client_max_body_size 8m;
+      
+      
+        '';
+      };
+
+    };
+    systemd.services.pleroma.serviceConfig = {
+      RuntimeDirectory = "pleroma";
+      RuntimeDirectoryPreserve = true;
+
+
+      ExecStartPost = "${socketChmod}/bin/pleroma-socket";
+      ExecStopPost = ''${pkgs.coreutils}/bin/rm -f ${socketPath}'';
+    };
+
+
+
+
+    services.pleroma = {
+      enable = true;
+      secretConfigFile = "/var/lib/pleroma/secrets.exs";
+      configs = [
+        ''
+          import Config
+
+          config :pleroma, Pleroma.Web.Endpoint,
+            url: [host: "podkos.xyz", scheme: "https", port: 443],
+            http: [ip: {:local, "${socketPath}"}, port: 0]
+
+          config :pleroma, :instance,
+            name: "Podziemia Kosmosu",
+            email: "admin@podkos.xyz",
+            notify_email: "noreply@podkos.xyz",
+            limit: 5000,
+            registrations_open: false
+
+          config :pleroma, :media_proxy,
+            enabled: false,
+            redirect_on_failure: true
+
+          config :pleroma, Pleroma.Repo,
+            adapter: Ecto.Adapters.Postgres,
+            socket: "/run/postgresql/.s.PGSQL.5432",
+            username: "pleroma",
+            database: "pleroma"
+          
+
+          # Configure web push notifications
+          config :web_push_encryption, :vapid_details,
+            subject: "mailto:admin@podkos.x yz"
+          config :pleroma, :frontends,
+            primary: %{
+              "name" => "soapbox",
+              "ref" => "${soapbox.version}"
+            }
+
+          config :pleroma, :database, rum_enabled: false
+          config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+          config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+
+          config :pleroma, configurable_from_database: true  
+          config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.AnonymizeFilename]
+        ''
+      ];
+    };
+  };
+}
@@ -0,0 +1,141 @@
+{ config, pkgs, lib, mkk, ... }:
+{
+  options.valkyrieService.secureyoursoul.enable = mkk.lib.mkBoolOpt false "Enable secureyoursoul, web archive";
+
+
+
+
+  config =
+    let
+      cfg = config.valkyrieService.secureyoursoul;
+    in
+    lib.mkIf cfg.enable {
+      systemd.timers.secureyoursoul-steam = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = "*-*-1,7,14,21 3:00:00";
+          Persistent = true; 
+          Unit = "secureyoursoul-steam.service";
+        };
+      };
+      systemd.timers.secureyoursoul-p1 = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = "*-*-3,9,16,23 3:00:00";
+          Persistent = true; 
+          Unit = "secureyoursoul-p1.service";
+        };
+      };
+      systemd.timers.secureyoursoul-p2 = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = "*-*-5,11,18,25 3:00:00";
+          Persistent = true; 
+          Unit = "secureyoursoul-p2.service";
+        };
+      };
+
+      systemd.services.secureyoursoul-steam = {
+        description = "Make curl requests to archive steam related things";
+        path = [ pkgs.coreutils pkgs.util-linux pkgs.curl ];
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = false;
+        script = ''
+          STEAM_IDS=( ${ builtins.foldl' (x: y:  x +"\""+ y + "\" ") "" mkk.to_save.steamids })
+          EXTRA_LINKS=( ${ builtins.foldl' (x: y:  x +"\""+ y + "\" ") "" mkk.to_save.extraLinks-steam  })
+
+          steamladder() {
+                  for id in ''${STEAM_IDS[@]}; do
+                          curl -X POST -H "Authorization: Token ''$(cat ${config.sops.secrets.steamladder-api.path})" \
+                          "https://steamladder.com/api/v1/profile/$id/"
+                  done;
+          }
+
+          webarchive(){
+          for id in ''${STEAM_IDS[@]}; do
+                  curl -X POST -H "Accept: application/json" \
+                          -H "Authorization: LOW ''$(cat ${config.sops.secrets.webarchive-accesskey.path}):''$(cat ${config.sops.secrets.webarchive-secretkey.path})" \
+                          -d"url=https://steamcommunity.com/profiles/$id" \
+                          -d"capture_outlinks=1" \
+                          -d"capture_screenshot=on" \
+                          -d"capture_all=on" \
+                          "https://web.archive.org/save";
+                  sleep 180;
+          done;
+
+
+          for link in ''${EXTRA_LINKS[@]}; do
+                  curl -X POST -H "Accept: application/json" \
+                          -H "Authorization: LOW ''$(cat ${config.sops.secrets.webarchive-accesskey.path}):''$(cat ${config.sops.secrets.webarchive-secretkey.path})" \
+                          -d"url=$link" \
+                          -d"capture_outlinks=1" \
+                          -d"capture_screenshot=on" \
+                          -d"capture_all=on" \
+                          "https://web.archive.org/save";
+                  sleep 180;
+          done;
+
+          }
+
+
+
+          steamladder &
+          webarchive
+          wait
+        '';
+      };
+
+
+       systemd.services.secureyoursoul-p1 = {
+        description = "Make curl requests to archive related things";
+        path = [ pkgs.coreutils pkgs.util-linux pkgs.curl ];
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = false;
+        script = ''
+          EXTRA_LINKS=( ${ builtins.foldl' (x: y:  x +"\""+ y + "\" ") "" mkk.to_save.extraLinks1  })
+          webarchive(){
+          for link in ''${EXTRA_LINKS[@]}; do
+                  curl -X POST -H "Accept: application/json" \
+                          -H "Authorization: LOW ''$(cat ${config.sops.secrets.webarchive-accesskey.path}):''$(cat ${config.sops.secrets.webarchive-secretkey.path})" \
+                          -d"url=$link" \
+                          -d"capture_outlinks=1" \
+                          -d"capture_screenshot=on" \
+                          -d"capture_all=on" \
+                          "https://web.archive.org/save";
+                  sleep 180;
+          done;
+
+          }
+          webarchive
+        '';
+      };
+
+      systemd.services.secureyoursoul-p2 = {
+        description = "Make curl requests to archive related things - part 2";
+        path = [ pkgs.coreutils pkgs.util-linux pkgs.curl ];
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = false;
+        script = ''
+          EXTRA_LINKS=( ${ builtins.foldl' (x: y:  x +"\""+ y + "\" ") "" mkk.to_save.extraLinks2  })
+          webarchive(){
+          for link in ''${EXTRA_LINKS[@]}; do
+                  curl -X POST -H "Accept: application/json" \
+                          -H "Authorization: LOW ''$(cat ${config.sops.secrets.webarchive-accesskey.path}):''$(cat ${config.sops.secrets.webarchive-secretkey.path})" \
+                          -d"url=$link" \
+                          -d"capture_outlinks=1" \
+                          -d"capture_screenshot=on" \
+                          -d"capture_all=on" \
+                          "https://web.archive.org/save";
+                  sleep 180;
+          done;
+
+          }
+          webarchive
+        '';
+      };
+
+
+    };
+
+
+}