add prtapc matrix server

flake.nix

@@ -45,6 +45,8 @@
       url = "github:MOIS3Y/nvchad4nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    conduwuit.url = "github:girlbossceo/conduwuit";
   };
 
   outputs = inputs@{ self, nixpkgs, home-manager, nur, ... }:
@@ -86,7 +88,7 @@
         dlaptop = makeSystem "dlaptop" unstable;
         intelnuc = makeSystem "intelnuc" stable;
         huanan = makeSystem "huanan" pkgs;
-        prtapc = makeSystem "prtapc" pkgs;
+        prtapc = makeSystem "prtapc" stable;
       };
     };
 }

home/home.nix

@@ -144,9 +144,13 @@
       osc = "no";
       osd-bar = "no";
       border = "no";
+      demuxer-max-bytes = "8000000KiB";
+      cache = "yes";
+      cache-secs = "7200";
     };
-    scripts = with pkgs.mpvScripts; [autoload cutter quality-menu sponsorblock youtube-upnext thumbnail reload mpv-cheatsheet memo autoload 
+    scripts = with pkgs.mpvScripts; [autoload cutter quality-menu sponsorblock youtube-upnext reload mpv-cheatsheet memo autoload 
-    # uosc thumbfast
+    uosc thumbfast
+    # thumbnail
     ];
     scriptOpts = {
       autoload = {

home/theme.nix

@@ -31,7 +31,6 @@ in {
       adw-gtk3
       nerdfonts
       layan-gtk-theme
-      gruvbox-gtk-theme
     ];
     sessionVariables.XCURSOR_THEME = cursor-theme;
     pointerCursor = {
@@ -81,9 +80,14 @@ in {
     #   package = unstable.tokyonight-gtk-theme;
     # };
 
+    # theme = {
+    #   name = "Gruvbox-Dark";
+    #   package = unstable.gruvbox-gtk-theme;
+    # };
+
     theme = {
-      name = "Gruvbox-Dark";
+      name = "Dracula";
-      package = unstable.gruvbox-gtk-theme;
+      package = pkgs.dracula-theme;
     };
 
     iconTheme = {
@@ -91,6 +95,11 @@ in {
       # name = "Papirus";
       package = lib.mkForce stable.papirus-icon-theme;
     };
+
+    # iconTheme = {
+    #   name = "Dracula";
+    #   package = lib.mkForce pkgs.dracula-icon-theme;
+    # };
     # gtk3.extraCss = ''
     #   headerbar, .titlebar,
     #   .csd:not(.popup):not(tooltip):not(messagedialog) decoration{

hosts/dlaptop/hardware.nix

@@ -8,6 +8,7 @@
   lib,
   pkgs,
   modulesPath,
+  inputs,
   ...
 }: {
   imports = [(modulesPath + "/installer/scan/not-detected.nix")];
@@ -268,7 +269,7 @@
     # package32 = inputs.hyprland.inputs.nixpkgs.legacyPackages."x86_64-linux".pkgsi686Linux.mesa.drivers;
   };
 
-  chaotic.mesa-git.enable = true;
+  # chaotic.mesa-git.enable = true;
   # chaotic.mesa-git.extraPackages = [ pkgs.amdvlk ];
   # chaotic.mesa-git.extraPackages32 = [ pkgs.driversi686Linux.amdvlk ];
 

hosts/dlaptop/services.nix

@@ -62,7 +62,7 @@
   ];
   services.udev.extraRules = ''
       # Suspend the system when battery level drops to 6% or lower
-      SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-6]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
+      # SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-6]", RUN+="${pkgs.systemd}/bin/systemctl hibernate"
 
       # # lock when yubi removed
       # ACTION=="remove",\

hosts/dlaptop/system.nix

@@ -22,6 +22,7 @@
     inputs.chaotic.nixosModules.default
   ];
 
+
   services.blueman.enable = true;
 
   time.timeZone = "Europe/Moscow";
@@ -196,6 +197,28 @@
     podman = {
       enable = true;
       dockerCompat = true;
+    };
+     oci-containers.containers = {
+      cloudflare-warp = {
+        # image = "caomingjun/warp --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv4.conf.all.src_valid_mark=1 --cap-add NET_ADMIN,mknod --device /dev/net/tun --security-opt=\"label=disable\" --network ns:/var/run/netns/novpn";
+        image = "caomingjun/warp --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv4.conf.all.src_valid_mark=1 --cap-add NET_ADMIN,mknod --security-opt=\"label=disable\" --network ns:/var/run/netns/novpn";
+        ports = [
+          "1080:1080"
+          "1081:1081"
+        ];
+        environment = {
+          # GOST_ARGS =  " -L=socks5://:1081 -F=socks5://0.0.0.0:1082 & warp-cli mode proxy & warp-cli proxy port 1082";
+          GOST_ARGS =  " -L=socks5://:1080";
+          BETA_FIX_HOST_CONNECTIVITY="1";
+        };
+        volumes = [
+          "warp:/var/lib/cloudflare-warp"
+        ];
+        environment = {
+          WARP_SLEEP = "2";
+        };
+        extraOptions = [ "--privileged" ];
+      }; # do sudo rm /dev/net/tun; sudo modprobe tun before running contaner if it doesnt work
     };
     spiceUSBRedirection.enable = true;
     libvirtd.enable = true;

hosts/dlaptop/xorg.nix

@@ -1,5 +1,9 @@
-{ lib, pkgs, self, ... }:
+{ lib, pkgs, self, config, ... }:
-
+let 
+ greetdSessions = pkgs.writeText "sessions" ''
+ Hyprland 2>&1 > /dev/null:gnome-shell --wayland:gnome-shell --x11
+ '';
+in 
 {
   imports = [
     "${self}/pkgs/gnome.nix"
@@ -25,15 +29,50 @@
     TERMINAL = "foot";
   };
 
+  security = {
+    polkit.enable = true;
+    pam.services.greetd.enableGnomeKeyring = true;
+    rtkit.enable = true;
+  };
+
+  services.greetd = {
+    enable = true;
+    settings = {
+      default_session = {
+        # command = ''${pkgs.greetd.tuigreet}/bin/tuigreet --time --sessions ${config.services.displayManager.sessionData.desktops}/share/xsessions:${config.services.displayManager.sessionData.desktops}/share/wayland-sessions --remember --cmd --cmd "Hyprland 2>&1 > /dev/null"'';
+        command = ''${pkgs.greetd.tuigreet}/bin/tuigreet --asterisks --time --sessions ${config.services.displayManager.sessionData.desktops}/share/wayland-sessions --remember --cmd "Hyprland 2>&1 > /dev/null"'';
+        user = "greeter";
+      };
+      gnome_x11_session = {
+        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd gnome-shell --x11";
+        user = "greeter";
+      };
+      gnome_wayland_session = {
+        command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd gnome-shell --wayland";
+        user = "greeter";
+      };
+    };
+  };
+  systemd.services.greetd.serviceConfig = {
+    Type = "idle";
+    StandardInput = "tty";
+    StandardOutput = "tty";
+    StandardError = "journal";
+    TTYReset = true;
+    TTYHangup = true;
+    TTYVTDisallocate = true;
+  };
+
   services.xserver = {
     enable = true;
     videoDrivers = [ "amdgpu" ];
     displayManager = {
-      gdm.enable = true;
+      # gdm.enable = true;
-      autoLogin = {
+      # autoLogin = {
-        enable = false;
+      #   enable = false;
-        user = "delta";
+      #   user = "delta";
-      };
+      # };
+      # ly.enable = true;
     };
     desktopManager.gnome.enable = true;
     xkb.layout = "us";

hosts/generic.nix

@@ -63,12 +63,14 @@ in {
           "https://shwewo.cachix.org" 
           "https://anyrun.cachix.org"
           "https://hyprland.cachix.org"
+          "https://attic.kennel.juneis.dog/conduit"
           # "https://nyx.chaotic.cx/"
         ];
         trusted-public-keys = [ 
           "shwewo.cachix.org-1:84cIX7ETlqQwAWHBnd51cD4BeUVXCyGbFdtp+vLxKOo=" 
           "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
           "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+          "conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk="
           # "nyx.chaotic.cx-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8=" "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
         ];
       };

hosts/prtapc/hardware-configuration.nix

@@ -24,19 +24,16 @@
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/0385-75D4";
+    { device = "/dev/disk/by-uuid/8962-C3EE";
       fsType = "vfat";
       options = [ "fmask=0077" "dmask=0077" ];
     };
 
-  swapDevices = [ ];
+    swapDevices =
+    [ { device = "/dev/disk/by-uuid/63d0283b-59bf-4e31-9d06-066815685509"; }
+    ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
   networking.hostId = "aabbcc00";
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

hosts/prtapc/system.nix

@@ -2,8 +2,34 @@
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
+let 
+  nixpkgs2305 = import inputs.nixpkgs2305 { system = "${pkgs.system}"; config = { allowUnfree = true; }; };
+    update-iptables = pkgs.writeScriptBin "update-iptables" ''
+      #!/usr/bin/env bash
 
+      #!/usr/bin/env bash
+
+      # Define your target domain and port for redirection
+      TARGET_DOMAIN="catgirl.cloud"
+      REDIRECT_PORT="12345"
+
+      # Resolve the IP address of the target domain
+      TARGET_IP=$(dig +short $TARGET_DOMAIN | tail -n 1)
+
+      # Exit if no IP address is found
+      if [ -z "$TARGET_IP" ]; then
+        echo "Failed to resolve IP address for $TARGET_DOMAIN"
+        exit 1
+      fi
+
+      # Add the new iptables rule for the resolved IP
+      sudo iptables -t nat -A OUTPUT -p tcp -d "$TARGET_IP" -j REDIRECT --to-ports "$REDIRECT_PORT"
+
+      echo "iptables rule added for $TARGET_DOMAIN ($TARGET_IP) redirecting to port $REDIRECT_PORT"
+  '';
+  
+in 
 {
   imports =
     [ # Include the results of the hardware scan.
@@ -11,9 +37,9 @@
     ];
 
   # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
+  # boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/nvme0n1p1";
+  # boot.loader.grub.device = "/dev/";
-  #boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot.enable = true;
   # boot.loader.grub.efiSupport = true;
   # boot.loader.grub.efiInstallAsRemovable = true;
   # boot.loader.efi.efiSysMountPoint = "/boot/efi";
@@ -46,7 +72,7 @@
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGL2UD0frl9F2OPBiPlSQqxDsuACbAVgwH24F0KT14L delta@dlaptop"
   ];
-  users.users.root.hashedPassword = ""; # nopass on first boot
+  users.users.root.hashedPassword = ""; # i'll setup pass with passwd after boot
   users.users.delta = {
     uid = 1000;
     isNormalUser = true;
@@ -59,7 +85,140 @@
     hostName = "prtapc";
     networkmanager.enable = true;
   };
+
+  documentation.man.enable = false;
+  services.xserver.desktopManager.xfce.enable = true;
+  services.matrix-conduit = {
+    enable = true;
+    package = inputs.conduwuit.packages.x86_64-linux.default;
+    settings = {
+      global = {
+        allow_registration = true;
+        # database_backend = "rocksdb";
+        server_name = "${inputs.secrets.home.matrix.url}";
+        registration_token = "${inputs.secrets.home.matrix.regword}";
+        allow_federation = true;
+        address = "0.0.0.0";
+        well_known = {
+          client = "https://${inputs.secrets.home.matrix.url}";
+          server = "${inputs.secrets.home.matrix.url}:443";
+        };
+        max_request_size = 1073741824;
+      };
+      misc = {
+        new_user_displayname_suffix = "";
+        media_compat_file_link = false;
+      };
+    };
+  };
+  services.cloudflared.enable = true;
+  services.cloudflared.tunnels = {
+    "02c42e31-a1b6-49c4-b470-faca3a66f938" = {
+      default = "http_status:404";
+      credentialsFile = "/home/cloudflared/.cloudflared/02c42e31-a1b6-49c4-b470-faca3a66f938.json";
+    };
+  };
+  users.groups.cloudflared = { };
+  users.users.cloudflared = {
+    group = "cloudflared";
+    isSystemUser = true;
+  };
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = "--accept-dns=false";
+  };
   
+    environment.systemPackages = with pkgs; [
+      (pkgs.writeScriptBin "warp-cli" "${nixpkgs2305.cloudflare-warp}/bin/warp-cli $@")
+    ];
+
+    systemd.services.warp-svc = {
+      enable = true;
+      description = "Cloudflare Zero Trust Client Daemon";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "pre-network.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "on-failure";
+        RestartSec = "15";
+        DynamicUser = "no";
+        # ReadOnlyPaths = "/etc/resolv.conf";
+        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE";
+        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE";
+        StateDirectory = "cloudflare-warp";
+        RuntimeDirectory = "cloudflare-warp";
+        LogsDirectory = "cloudflare-warp";
+        ExecStart = "${nixpkgs2305.cloudflare-warp}/bin/warp-svc";
+      };
+
+      postStart = ''
+        while true; do
+          set -e
+          status=$(${nixpkgs2305.cloudflare-warp}/bin/warp-cli status || true)
+          set +e
+
+          if [[ "$status" != *"Unable to connect to CloudflareWARP daemon"* ]]; then
+            ${nixpkgs2305.cloudflare-warp}/bin/warp-cli set-custom-endpoint 162.159.193.1:2408
+            exit 0
+          fi
+          sleep 1
+        done
+      '';
+    };
+
+  systemd.services.updateIptables = {
+    description = "Update iptables rules for dynamic DNS target (proxy for matrix)";
+    serviceConfig = {
+      ExecStart = "${update-iptables}/bin/update-iptables";
+      Type = "oneshot";
+    };
+    path = with pkgs; [ 
+          bash
+          iproute2 
+          iptables 
+          sing-box
+          dig
+    ];
+  };
+
+  systemd.timers.updateIptables = {
+    description = "Timer to update iptables rules for dynamic DNS target";
+    timerConfig = {
+      OnBootSec = "2min";
+      OnUnitActiveSec = "30min";
+    };
+    wantedBy = [ "timers.target" ];
+  };
+
+  systemd.services.updateIptables.wantedBy = [ "network-online.target" ];
+
+  systemd.services.sing-box = {
+    description = "Sing-Box Service";
+    after = [ "network.target" ];  # Ensure the service starts after the network is available
+
+    serviceConfig = {
+      ExecStart = "${pkgs.sing-box}/bin/sing-box run -c /etc/sing-box/config.json";
+      Restart = "always";
+      RestartSec = 5;
+      User = "root";
+    };
+
+    wantedBy = [ "multi-user.target" ];  # Ensure the service starts at boot
+  };
+
+
+  services.redsocks = {
+    enable = true;
+    redsocks = [
+      {
+        port = 12345;
+        proxy = "127.0.0.1:4000";
+        type = "socks5";
+        redirectCondition = "--dst 148.251.41.235";
+      }
+    ];
+  };
 
   # Configure keymap in X11
   # services.xserver.xkb.layout = "us";

pkgs/apps.nix

@@ -153,6 +153,8 @@ in {
     ffmpeg_7
     stable.qutebrowser
     tailwindcss
+    fluffychat
+    nheko
   ]);
   # services.flatpak.enable = true;
 
@@ -264,6 +266,8 @@ in {
   #   thunar-archive-plugin
   #   thunar-volman
   # ];
+
+  programs.mosh.enable = true;
   
   programs.fish = {
     enable = true;

pkgs/socks.nix

@@ -39,9 +39,9 @@ let
     };
   
   socksed = [ # IP of the proxies is 192.168.150.2
-    { name = "singbox-aus"; script = "sing-box run -c /run/secrets/singbox-aus";} # port 4000
+    { name = "singbox-aus"; script = "sing-box run -c /run/secrets/singbox-aus";            } # port 4000
-    { name = "socks-warp" ; script = "wireproxy -c /run/secrets/wproxy"; } # port 3333
+    { name = "socks-warp" ; script = "wireproxy -c /run/secrets/wproxy"; autostart = false; } # port 3333
-    { name = "socks-novpn"; script = "gost -L socks5://192.168.150.2:3334";     } # port 3334
+    { name = "socks-novpn"; script = "gost -L socks5://192.168.150.2:3334";                 } # port 3334
     { name = "opera-socks"; 
       # script = "sing-box run -c ${opera-singboxcfg} & opera-proxy -bootstrap-dns https://1.1.1.1/dns-query -bind-address 192.168.150.2:18088"; 
       # script = "gost -L=socks5://192.168.150.2:3335 -F=http://192.168.150.2:18088 opera-proxy -bootstrap-dns https://1.1.1.1/dns-query -bind-address 192.168.150.2:18088"; 
@@ -280,7 +280,8 @@ in {
       # UseBridges = true;
       # ClientTransportPlugin = "snowflake exec ${pkgs.snowflake}/bin/client";
       # Bridge = "snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ fronts=www.shazam.com,www.cosmopolitan.com,www.esquire.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn";
-      Socks5Proxy = "localhost:4000"; # requires setting warp-svc to proxy mode: warp-cli set-mode proxy && warp-cli set-proxy-port 4000
+      # Socks5Proxy = "localhost:4000"; # requires setting warp-svc to proxy mode: warp-cli set-mode proxy && warp-cli set-proxy-port 4000
+      # Socks5Proxy = "127.0.0.1:1080"; # requires setting warp-svc to proxy mode: warp-cli set-mode proxy && warp-cli set-proxy-port 4000
       ControlPort = 9051;
       CookieAuthentication = true;
     };