rm newsboat, add syncthingtray and cleanup unused stuff

backup: don't send ntfy notification
also traffic control caddy
2025-02-25 15:49:07 -05:00 · 2025-02-25 15:48:18 -05:00 · 2025-02-25 12:39:43 -05:00 · 2025-02-24 22:07:58 -05:00 · 2025-02-24 21:52:22 -05:00 · 2025-02-24 21:38:02 -05:00
13 changed files with 85 additions and 106 deletions
--- a/flake.nix
+++ b/flake.nix
@ -104,7 +104,7 @@
  nixConfig = {
    extra-substituters = [
-      "https://cache.cything.io/central"
+      "https://cache.cy7.sh/central"
      "https://niri.cachix.org"
      "https://nix-community.cachix.org"
      "https://cache.garnix.io"
@ -112,7 +112,7 @@
      "https://aseipp-nix-cache.global.ssl.fastly.net"
    ];
    extra-trusted-public-keys = [
-      "central:uWhjva6m6dhC2hqNisjn2hXGvdGBs19vPkA1dPEuwFg="
+      "central:KNxL0JFzHDGosui8ASem9n/tDmEAYLL9dtVMJ6TWsyg="
      "niri.cachix.org-1:Wv0OmO7PsuocRKzfDoJ3mulSl7Z6oezYhGhR+3W2964="
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
--- a/home/yt/ytnix.nix
+++ b/home/yt/ytnix.nix
@ -19,30 +19,6 @@
  };
  programs.home-manager.enable = true;
  systemd.user.startServices = "sd-switch";
  # keep this commented when using plasma
  # otherwise "system settings" in KDE will not function
  # qt = {
  #   enable = true;
  #   platformTheme.name = "kde";
  #   style.name = "breeze-dark";
  #   style.package = pkgs.kdePackages.breeze;
  # };
  # this one too
  # gtk = {
  #   enable = true;
  #   theme = {
  #     package = pkgs.adw-gtk3;
  #     name = "adw-gtk3-dark";
  #   };
  #   iconTheme = {
  #     package = pkgs.adwaita-icon-theme;
  #     name = "Adwaita";
  #   };
  # };
  home.pointerCursor = {
    package = pkgs.bibata-cursors;
    name = "Bibata-Modern-Classic";
@ -56,7 +32,6 @@
    ungoogled-chromium
    librewolf
    bitwarden-desktop
    bitwarden-cli
    fastfetch
    nwg-look
    kdePackages.gwenview
@ -67,11 +42,6 @@
    signal-desktop
    pavucontrol
    btop
    grim
    slurp
    rofi-wayland
    rofimoji
    cliphist
    jq
    bash-language-server
    sqlite
@ -88,7 +58,6 @@
    pwgen
    lua-language-server
    gnumake
    foot
    minisign
    unzip
    lm_sensors
@ -125,7 +94,6 @@
    radare2
    p7zip
    qbittorrent
    # vscodium
    nil
    pkg-config
    gtk2
@ -144,27 +112,19 @@
    telegram-desktop
    jadx
    gradle
    localsend
    scrcpy
    syncthing
    syncthingtray
    obsidian
  ];
  programs.waybar.enable = true;
  programs.feh.enable = true;
  xdg.configFile = {
    rofi.source = ../rofi;
    waybar.source = ../waybar;
    mpv.source = ../mpv;
  };
  programs.newsboat = {
    enable = true;
    extraConfig = ''
      urls-source "miniflux"
      miniflux-url "https://rss.cything.io/"
      miniflux-login "cy"
      miniflux-passwordfile /run/secrets/newsboat/miniflux
    '';
  };
  programs.direnv = {
    enable = true;
    nix-direnv.enable = true;
@ -186,12 +146,12 @@
    # sccache stuff
    RUSTC_WRAPPER = "${lib.getExe pkgs.sccache}";
    SCCACHE_BUCKET = "sccache";
-    SCCACHE_REGION = "earth";
+    SCCACHE_REGION = "us-east-1";
    SCCACHE_ENDPOINT = "https://sccache.s3.cy7.sh";
    SCCACHE_ALLOW_CORE_DUMPS = "true";
    SCCACHE_S3_USE_SSL = "true";
    SCCACHE_CACHE_MULTIARCH = "true";
-    SCCACHE_LOG_LEVEL = "warn";
+    SCCACHE_LOG = "warn";
    AWS_DEFAULT_REGION = "us-east-1";
    AWS_ENDPOINT_URL = "https://s3.cy7.sh";
    AWS_ACCESS_KEY_ID = "$(cat /run/secrets/aws/key_id)";
--- a/hosts/chunk/attic.nix
+++ b/hosts/chunk/attic.nix
@ -7,32 +7,26 @@
    settings = {
      listen = "[::]:8090";
-      api-endpoint = "https://cache.cything.io/";
+      api-endpoint = "https://cache.cy7.sh/";
-      allowed-hosts = [ "cache.cything.io" ];
+      allowed-hosts = [ "cache.cy7.sh" ];
      require-proof-of-possession = false;
      compression.type = "zstd";
      database.url = "postgresql:///atticd?host=/run/postgresql";
      storage = {
-        type = "local";
+        type = "s3";
-        path = "/mnt/attic";
+        region = "auto";
        bucket = "attic";
        endpoint = "https://e3e97aac307d106a7becea43cef8fcbd.r2.cloudflarestorage.com";
      };
      garbage-collection = {
-        default-retention-period = "3 months";
+        default-retention-period = "2 weeks";
      };
      chunking = {
        nar-size-threshold = 0; # disables chunking
        min-size = 0;
        avg-size = 0;
        max-size = 0;
        concurrent-chunk-uploads = 32;
      };
    };
  };
-  services.caddy.virtualHosts."cache.cything.io".extraConfig = ''
+  services.caddy.virtualHosts."cache.cy7.sh".extraConfig = ''
    import common
    reverse_proxy localhost:8090
  '';
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@ -1,5 +1,6 @@
 {
  pkgs,
  lib,
  ...
 }:
 {
@ -10,7 +11,6 @@
    ./backup.nix
    ./rclone.nix
    ./postgres.nix
    ./adguard.nix
    ./hedgedoc.nix
    ./miniflux.nix
    ./redlib.nix
@ -31,9 +31,6 @@
    "borg/rsyncnet" = {
      sopsFile = ../../secrets/borg/chunk.yaml;
    };
    "services/ntfy" = {
      sopsFile = ../../secrets/services/ntfy.yaml;
    };
    "rclone/config" = {
      sopsFile = ../../secrets/rclone.yaml;
    };
@ -92,10 +89,36 @@
      53
      853
    ];
-    extraCommands = ''
+    extraCommands =
-      iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1
+      let
-      iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tor.service" -j MARK --set-mark 2
+        ethtool = lib.getExe pkgs.ethtool;
-    '';
+        tc = lib.getExe' pkgs.iproute2 "tc";
      in
      ''
        # disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
        ${ethtool} -K ens18 tso off
        # clear existing rules
        ${tc} qdisc del dev ens18 root || true
        # create HTB hierarchy
        ${tc} qdisc add dev ens18 root handle 1: htb default 30
        ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
        # tailscale
        ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 30% ceil 100%
        # caddy
        ${tc} class add dev ens18 parent 1:1 classid 1:20 htb rate 30% ceil 100%
        # rest
        ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
        # mark traffic
        iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1
        iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 2
        # route marked packets
        ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
        ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
      '';
  };
  networking.interfaces.ens18 = {
    ipv6.addresses = [
--- a/hosts/chunk/tailscale.nix
+++ b/hosts/chunk/tailscale.nix
@ -7,6 +7,9 @@
      "--advertise-exit-node"
      "--accept-dns=false"
    ];
    extraDaemonFlags = [
      "--no-logs-no-support"
    ];
    useRoutingFeatures = "server";
    openFirewall = true;
  };
--- a/hosts/common.nix
+++ b/hosts/common.nix
@ -10,7 +10,7 @@
        "@wheel"
      ];
      trusted-public-keys = [
-        "central:uWhjva6m6dhC2hqNisjn2hXGvdGBs19vPkA1dPEuwFg="
+        "central:KNxL0JFzHDGosui8ASem9n/tDmEAYLL9dtVMJ6TWsyg="
        "niri.cachix.org-1:Wv0OmO7PsuocRKzfDoJ3mulSl7Z6oezYhGhR+3W2964="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
@ -18,7 +18,7 @@
      ];
      substituters = [
        "https://aseipp-nix-cache.global.ssl.fastly.net"
-        "https://cache.cything.io/central"
+        "https://cache.cy7.sh/central"
        "https://niri.cachix.org"
        "https://nix-community.cachix.org"
        "https://cache.garnix.io"
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@ -17,16 +17,9 @@
    "borg/rsyncnet" = {
      sopsFile = ../../secrets/borg/yt.yaml;
    };
    "services/ntfy" = {
      sopsFile = ../../secrets/services/ntfy.yaml;
    };
    "rsyncnet/id_ed25519" = {
      sopsFile = ../../secrets/zh5061/yt.yaml;
    };
    "newsboat/miniflux" = {
      sopsFile = ../../secrets/newsboat.yaml;
      owner = "yt";
    };
    "tailscale/auth" = {
      sopsFile = ../../secrets/services/tailscale.yaml;
    };
@ -91,7 +84,10 @@
    resolvconf.enable = true;
    firewall = {
      enable = true;
-      allowedTCPPorts = [ 8080 ]; # for mitmproxy
+      allowedTCPPorts = [
        8080 # mitmproxy
        22000 # syncthing
      ];
    };
  };
  programs.nm-applet.enable = true;
@ -223,6 +219,7 @@
      "/home/yt/.local/share/Steam"
      "**/.wine"
      "/home/yt/Games"
      "/home/yt/Videos"
    ];
    repo = "yt";
    passFile = config.sops.secrets."borg/rsyncnet".path;
--- a/hosts/ytnix/tailscale.nix
+++ b/hosts/ytnix/tailscale.nix
@ -6,8 +6,13 @@
    openFirewall = true;
    useRoutingFeatures = "client";
    extraUpFlags = [
-      "--exit-node=100.122.132.30"
+      "--exit-node=chunk"
      "--accept-dns=false"
      "--operator=yt"
      "--exit-node-allow-lan-access"
    ];
    extraDaemonFlags = [
      "--no-logs-no-support"
    ];
  };
 }
--- a/modules/backup.nix
+++ b/modules/backup.nix
@ -6,7 +6,6 @@
 }:
 let
  cfg = config.my.backup;
  hostname = config.networking.hostName;
  defaultPaths = [
    "/root"
    "/home"
@ -97,23 +96,6 @@ in
      ];
      # warnings are often not that serious
      failOnWarnings = false;
      postHook = ''
        invocationId=$(systemctl show -p InvocationID --value borgbackup-job-${cfg.jobName}.service)
        title="${hostname}: backup completed with exit code: $exitStatus"
        msg=$(journalctl -o cat _SYSTEMD_INVOCATION_ID=$invocationId)
        if [ "$exitStatus" -eq 0 ]; then
          tag="v"
        else
          tag="rotating_light"
        fi
        ${pkgs.curl}/bin/curl -sL -u $(cat ${config.sops.secrets."services/ntfy".path}) \
        -H "Title: $title" \
        -H "Tags: $tag" \
        -d "$msg" \
        https://ntfy.cything.io/backups > /dev/null
      '';
      prune.keep = {
        within = "2d";
--- a/overlay/attic/concurrent-32.patch
+++ b/overlay/attic/concurrent-32.patch
@ -0,0 +1,13 @@
 diff --git a/server/src/config.rs b/server/src/config.rs
 index 4412cbf..6dd483a 100644
 --- a/server/src/config.rs
 +++ b/server/src/config.rs
@@ -565,7 +565,7 @@ fn default_default_retention_period() -> Duration {
 }
 fn default_concurrent_chunk_uploads() -> usize {
 -    10
 +    32
 }
 fn load_config_from_path(path: &Path) -> Result<Config> {
--- a/overlay/attic/default.nix
+++ b/overlay/attic/default.nix
@ -16,6 +16,9 @@ final: prev: {
            cargoLock = null;
            cargoHash = "sha256-AbpWnYfBMrR6oOfy2LkQvIPYsClCWE89bJav+iHTtLM=";
            useFetchCargoVendor = true;
            patches = [
              ./concurrent-32.patch
            ];
          }
        );
    };
--- a/overlay/zipline/default.nix
+++ b/overlay/zipline/default.nix
@ -1,5 +1,4 @@
-final: prev:
+final: prev: {
 {
  zipline = prev.zipline.overrideAttrs {
    patches = [
      ./no-check-bucket.patch
--- a/secrets/services/attic.yaml
+++ b/secrets/services/attic.yaml
Author	SHA1	Message	Date
cy	8b53c43e26	rm newsboat, add syncthingtray and cleanup unused stuff	2025-02-25 15:49:07 -05:00
cy	1cadfda410	backup: don't send ntfy notification	2025-02-25 15:48:18 -05:00
cy	d76a9f7f3a	also traffic control caddy	2025-02-25 12:39:43 -05:00
cy	47d703d9d1	Merge branch 'new-attic'	2025-02-24 22:07:58 -05:00
cy	066c0a5a74	update attic cache keys	2025-02-24 21:52:22 -05:00
cy	f5096f3917	make attic better	2025-02-24 21:38:02 -05:00
cy	131b4b2614	implement traffic control, remove adguard, misc tailscale stuff	2025-02-24 13:23:38 -05:00