magpie/3proxy: add credentials

home/zsh.nix

@@ -52,8 +52,8 @@
         src = pkgs.fetchFromGitHub {
           owner = "sindresorhus";
           repo = "pure";
-          rev = "87e6f5dd4c793f6d980532205aaefe196780606f";
+          rev = "a02209d36c8509c0e62f44324127632999c9c0cf";
-          hash = "sha256-TR4CyBZ+KoZRs9XDmWE5lJuUXXU1J8E2Z63nt+FS+5w=";
+          hash = "sha256-BmQO4xqd/3QnpLUitD2obVxL0UulpboT8jGNEh4ri8k=";
         };
         file = "pure.plugin.zsh";
       }

magpie/configuration.nix

@@ -13,8 +13,6 @@
   nix.optimise.automatic = true;
   nix.settings.experimental-features = ["nix-command" "flakes"];
 
-  nixpkgs.overlays = [ nvim.overlays.${system}.overlay ];
-
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.systemd-boot.configurationLimit = 2;
@@ -41,6 +39,7 @@
     fzy
     git
     goatcounter.packages.${system}.goatcounter
+    nvim.packages.${system}.nvim
     htop-vim
     nvim
     pciutils
@@ -93,17 +92,10 @@
     };
   };
 
-  services.restya-board = {
-    enable = true;
-    virtualHost.serverName = "board.project-cloud.net";
-    virtualHost.listenHost = "localhost";
-    virtualHost.listenPort = 4001;
-  };
-
   services.goatcounter = {
     enable = true;
     environmentFile = "/var/lib/goatcounter.env";
-    extraArgs = ["-listen='*:8002'" "-tls=proxy" ];
+    extraArgs = ["-listen='*:8002'" "-tls=proxy"];
     database = {
       backend = "sqlite";
       name = "goatcounter";
@@ -182,15 +174,6 @@
       };
     };
 
-    virtualHosts."board.project-cloud.net" = {
-      quic = true;
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://localhost:${toString config.services.restya-board.virtualHost.listenPort}";
-      };
-    };
-
     virtualHosts."stats.project-cloud.net" = {
       quic = true;
       forceSSL = true;
@@ -247,6 +230,24 @@
     ProtectSystem = lib.mkForce false;
   };
 
+  services._3proxy = {
+    enable = true;
+    services = [
+      {
+        type = "socks";
+        auth = ["strong"];
+        acl = [
+          {
+            rule = "allow";
+            users = ["3proxy_user"];
+          }
+        ];
+	bindPort = 13128;
+      }
+    ];
+    usersFile = config.sops.secrets."3proxy".path;
+  };
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "asmir.abdulahovic@gmail.com";
@@ -276,8 +277,13 @@
     owner = config.users.users.nextcloud.name;
   };
 
+  sops.secrets."3proxy" = {
+    sopsFile = ./secrets/3proxy.yaml;
+  };
+
+
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [80 443 587];
+  networking.firewall.allowedTCPPorts = [80 443 587 13128];
   networking.firewall.allowedUDPPorts = [];
   networking.firewall.allowPing = true;
   networking.firewall.logRefusedConnections = lib.mkDefault false;

magpie/secrets/3proxy.yaml

@@ -0,0 +1,21 @@
+string: ENC[AES256_GCM,data:9PAgqNliAEo5NIc8uFho1dYt/90X9Y6iOz2HP2aLzqA3ghvasi5l3n79wV0wxI+Vnw==,iv:Atkz33cnTLQ4RyT0nVt2/VhWgLiQE0acGbOJUbWZ2kM=,tag:IWLpVYeiYtzLK6h2K/MjLA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVTAvOFAvbGdLUWxNcElp
+            NmY2MC9XUzBHWVdOek1oTkFSaWdENnhmZWgwCktock10L3YrL2JoTHVaOWhtWlhK
+            K2lMeUpqNFZTNnBOMmtJajdHWjRLT1UKLS0tIFd2OXBLRGQzVzF4TzhrOXFjWDVL
+            VzRqWXBYT0RHN1V3bnVMRHc2SXVUcDAKD8Et0nJv8mT1KoWQKcxfpv8s57zqIK0J
+            TCm3sby77wZ9i3BpO1Mg8S2GGwM0X+fZme8S5HVTzAgpzIyUbdcmww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-17T18:25:56Z"
+    mac: ENC[AES256_GCM,data:ezv1W5jPjZxDt5gs+ljha/ywjSc1P00QtdEZBoWye6y61iOAMlF+VeWgI1yAIz9h2STdb2mqbFj1pmJcFujCYzxTY6Vx4j1GHpVv+Zczvnj1AnepDgLZn320FzwUmWscGcSL/Tn9+H/g0rH0BR2qv5GfRE9vmdXpXPsS6jZ+mcw=,iv:t4yaE56jPI4ozMpEChAT6y0zN9v1vlsR2J5VriFoV48=,tag:zs7vtq5J0EnwBgT9rjZIMA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1