From ce4a0b248694ec551b4219593b1ce96460169fd3 Mon Sep 17 00:00:00 2001 From: Chaos Date: Thu, 17 Nov 2022 22:25:41 +0000 Subject: [PATCH] stuff & possibly things, maybe a shenanigan or two idk --- deployNodes.nix | 7 +- flake.lock | 24 ++-- hosts/hetzner-vm/hetzner-vm.nix | 2 +- hosts/tablet/profiles/harry-vpn.nix | 7 +- hosts/tablet/profiles/wireguard.nix | 14 +- hosts/tablet/secrets-db.nix | 39 ------ hosts/tablet/secrets.nix | 97 +++++++------- hosts/tablet/tablet.nix | 15 --- hosts/vault/secrets.nix | 102 ++++++--------- overlay/default.nix | 7 +- overlay/invidious-latest/default.nix | 106 --------------- overlay/invidious-latest/lsquic.nix | 63 --------- overlay/invidious/default.nix | 123 ++++++++++++++++++ overlay/invidious/lsquic.nix | 111 ++++++++++++++++ .../shards.nix | 18 ++- overlay/invidious/update.sh | 96 ++++++++++++++ overlay/invidious/use-etc-ssl-certs.patch | 13 ++ overlay/invidious/versions.json | 18 +++ overlay/invidious/videojs.nix | 18 +++ overlay/invidious/videojs.sh | 9 ++ presets/nixos/desktop.nix | 1 - profiles/nix-gc.nix | 2 +- scripts/update.sh | 2 +- wg.key | 1 - wg.pub | 1 - 25 files changed, 523 insertions(+), 373 deletions(-) delete mode 100644 hosts/tablet/secrets-db.nix delete mode 100644 overlay/invidious-latest/default.nix delete mode 100644 overlay/invidious-latest/lsquic.nix create mode 100644 overlay/invidious/default.nix create mode 100644 overlay/invidious/lsquic.nix rename overlay/{invidious-latest => invidious}/shards.nix (79%) create mode 100755 overlay/invidious/update.sh create mode 100644 overlay/invidious/use-etc-ssl-certs.patch create mode 100644 overlay/invidious/versions.json create mode 100644 overlay/invidious/videojs.nix create mode 100644 overlay/invidious/videojs.sh delete mode 100644 wg.key delete mode 100644 wg.pub diff --git a/deployNodes.nix b/deployNodes.nix index abb4da6..0a666b4 100644 --- a/deployNodes.nix +++ b/deployNodes.nix 
@@ -1,11 +1,12 @@ { nixosConfigurations, deploy-rs, ... }: let activateNixOS_x64_64-linux = deploy-rs.lib.x86_64-linux.activate.nixos; in { - lappy = { - hostname = "lappy.tailscale-internal.genderfucked.monster"; + tablet = { + hostname = "tablet.internal.genderfucked.monster"; profiles.system = { user = "root"; - path = activateNixOS_x64_64-linux nixosConfigurations.lappy; + sshUser = "root"; + path = activateNixOS_x64_64-linux nixosConfigurations.tablet; }; }; hetzner-vm = { diff --git a/flake.lock b/flake.lock index 6f0b74a..0ce8474 100644 --- a/flake.lock +++ b/flake.lock @@ -9,11 +9,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1668166163, - "narHash": "sha256-XCuM+n98KcG0v+DT1HolGCO3j5FOBUjV4K8YcZsVeQw=", + "lastModified": 1668453806, + "narHash": "sha256-rDyF0essyFdCIo336gI6nPjWhjoczGn701D1JID5wl8=", "owner": "serokell", "repo": "deploy-rs", - "rev": "b011f13bc577b978f52aaefde5605332f7bca7e9", + "rev": "be40823735bbdc40c1f6b7725c8b74d5a85d8023", "type": "github" }, "original": { @@ -100,11 +100,11 @@ "utils": "utils_3" }, "locked": { - "lastModified": 1667981810, - "narHash": "sha256-p27zd5M+OkfND46gzbGkaHlNBZsYe95M48OJuFeuuSY=", + "lastModified": 1668332334, + "narHash": "sha256-YT1qcE/MCqBO1Bi/Yr6GcFpNKsvmzrBKh8juyXDbxQc=", "owner": "nix-community", "repo": "home-manager", - "rev": "6ce3493a3c5c6a8f4cfa6f5f88723272e0cfd335", + "rev": "bc90de24d898655542589237cc0a6ada7564cb6c", "type": "github" }, "original": { @@ -137,11 +137,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1667991831, - "narHash": "sha256-DHgEsLZI044B9T4AjA3K6+yB9/DqLr4dyA7OIx0FG7o=", + "lastModified": 1668596599, + "narHash": "sha256-rhHyZTGI31/OfgYa9xF49UTchDXTI94pEsSNa0fOkpk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "872fceeed60ae6b7766cc0a4cd5bf5901b9098ec", + "rev": "b457130e8a21608675ddf12c7d85227b22a27112", "type": "github" }, "original": { 
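Review bot: `sshUser = "root";` on the new `tablet` node makes deploy-rs open its SSH session directly as root, which only works while root login is permitted in sshd on the tablet. Since `user = "root";` is already set for activation, an unprivileged login account is enough for the SSH side, e.g. `sshUser = "deploy";` (account name is a placeholder), and deploy-rs will escalate for the profile. The hostname also changes from the `tailscale-internal` name to `tablet.internal.…`; a one-line comment saying which network that name resolves on would help, since it is not visible from this hunk.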
@@ -153,11 +153,11 @@ }, "nur": { "locked": { - "lastModified": 1668255064, - "narHash": "sha256-JWVzaBAC9eL+Eg/SG71ZPSDQQd/eO9sS2YNGrlDDEH4=", + "lastModified": 1668680510, + "narHash": "sha256-5O/8cXku2/JxY3AglxnzWRb3I8kFZSQRh3YHLeegYA8=", "owner": "nix-community", "repo": "NUR", - "rev": "9a0be7d4b9de779707b8788c6bdaaf23160a7975", + "rev": "6970572e6143893eab37a8aacfe9dd872d48a867", "type": "github" }, "original": { diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix index b916db2..0876a81 100644 --- a/hosts/hetzner-vm/hetzner-vm.nix +++ b/hosts/hetzner-vm/hetzner-vm.nix @@ -17,7 +17,7 @@ hosts.hetzner-vm.profiles.mpd hosts.hetzner-vm.profiles.mailserver hosts.hetzner-vm.profiles.gitlab-static-sites - hosts.hetzner-vm.profiles.lappy-dev + #hosts.hetzner-vm.profiles.lappy-dev hosts.hetzner-vm.profiles.misskey hosts.hetzner-vm.profiles.wireguard diff --git a/hosts/tablet/profiles/harry-vpn.nix b/hosts/tablet/profiles/harry-vpn.nix index 77a6c08..17ed50c 100644 --- a/hosts/tablet/profiles/harry-vpn.nix +++ b/hosts/tablet/profiles/harry-vpn.nix @@ -1,4 +1,6 @@ -{ pkgs, ... }: { +{ config, pkgs, ... }: +let secrets = config.services.secrets.secrets; +in { environment.systemPackages = with pkgs; [ wireguard-tools ]; networking.wg-quick.interfaces = { wg-harry-vpn = { @@ -6,10 +8,11 @@ address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ]; dns = [ "8.8.8.8" ]; mtu = 1280; - privateKeyFile = "/secrets/harry_vpn_wg_priv"; + privateKeyFile = "${secrets.wg_harry_priv.path}"; peers = [{ publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc="; + presharedKeyFile = "${secrets.wg_harry_preshared.path}"; allowedIPs = [ "0.0.0.0/0" "::/0" ]; endpoint = "185.186.9.1:8081"; persistentKeepalive = 25; diff --git a/hosts/tablet/profiles/wireguard.nix b/hosts/tablet/profiles/wireguard.nix index 7ceacdb..4a67e98 100644 --- a/hosts/tablet/profiles/wireguard.nix +++ b/hosts/tablet/profiles/wireguard.nix 
@@ -1,16 +1,18 @@ -{ ... }: -let secrets-db = (import ../secrets-db.nix { }); +{ config, ... }: +let secrets = config.services.secrets.secrets; in { + + networking.firewall.trustedInterfaces = [ "wg0" ]; networking.wg-quick.interfaces = { wg0 = { address = [ "10.69.42.2/32" ]; - privateKeyFile = "${secrets-db.wg_priv.path}"; + privateKeyFile = "${secrets.wg_priv.path}"; peers = [ # hetzner-vm { publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc="; - presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}"; + presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}"; allowedIPs = [ "10.69.42.1/32" ]; endpoint = "hetzner-vm.servers.genderfucked.monster:51820"; persistentKeepalive = 25; @@ -18,7 +20,7 @@ in { # vault { publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc="; - presharedKeyFile = "${secrets-db.wg_preshared_vault.path}"; + presharedKeyFile = "${secrets.wg_preshared_vault.path}"; allowedIPs = [ "10.69.42.3/32" ]; endpoint = "vault.servers.genderfucked.monster:51820"; persistentKeepalive = 25; @@ -26,7 +28,7 @@ in { # storage { publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg="; - presharedKeyFile = "${secrets-db.wg_preshared_storage.path}"; + presharedKeyFile = "${secrets.wg_preshared_storage.path}"; allowedIPs = [ "10.69.42.4/32" ]; endpoint = "storage.servers.genderfucked.monster:51820"; persistentKeepalive = 25; diff --git a/hosts/tablet/secrets-db.nix b/hosts/tablet/secrets-db.nix deleted file mode 100644 index dc0fa8c..0000000 --- a/hosts/tablet/secrets-db.nix +++ /dev/null 
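Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` in the first hunk exempts everything arriving on wg0 from the firewall, so each of the three peers configured in this file (hetzner-vm, vault, storage) can reach every listening port on the tablet. If only a few services are meant to be reachable over the tunnel, open them per interface instead, e.g. `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 22 ];` (the port list is a placeholder). The `"${secrets.wg_priv.path}"` wrappers here and in the two later hunks can be written as plain `secrets.wg_priv.path` if the module's `path` is already a string. Separately, the diffstat lists `wg.key` and `wg.pub` as deleted from the repository root; if `wg.key` held a private key it is still in history, so that key should be rotated rather than only removed.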
@@ -1,39 +0,0 @@ -{ }: { - # Manually Created, Not Stored In Vault - usb_encryption_passphrase = { - user = "root"; - group = "root"; - permissions = "660"; - path = "/secrets/usb_encryption_passphrase"; - }; - music_stream_password = { - user = "chaos"; - group = "users"; - permissions = "660"; - path = "/secrets/music_stream_password"; - }; - wg_priv = { - user = "root"; - group = "root"; - permissions = "660"; - path = "/secrets/wg_priv"; - }; - wg_preshared_hetzner-vm = { - user = "root"; - group = "root"; - permissions = "660"; - path = "/secrets/wg_preshared_hetzner-vm"; - }; - wg_preshared_vault = { - user = "root"; - group = "root"; - permissions = "660"; - path = "/secrets/wg_preshared_vault"; - }; - wg_preshared_storage = { - user = "root"; - group = "root"; - permissions = "660"; - path = "/secrets/wg_preshared_storage"; - }; -} diff --git a/hosts/tablet/secrets.nix b/hosts/tablet/secrets.nix index 189ed3a..61a8d74 100644 --- a/hosts/tablet/secrets.nix +++ b/hosts/tablet/secrets.nix 
@@ -1,54 +1,45 @@ -{ pkgs, ... }: -let secrets-db = (import ./secrets-db.nix { }); -in { - systemd.tmpfiles.rules = [ "d /secrets - root root" ]; - environment.systemPackages = [ - (pkgs.writeShellScriptBin "init-secrets" '' - set -e -o pipefail - - VAULT_ADDR_DEFAULT="https://vault.owo.monster" - [ -z "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT" - - export PATH=$PATH:${pkgs.vault}/bin - export PATH=$PATH:${pkgs.jq}/bin - - kv_get() { - vault kv get -format json $1 - } - - simple_get() { - kv_get $1 | jq .data.data$2 -r - } - - file=${secrets-db.music_stream_password.path} - echo $file - simple_get "/api-keys/music-stream" .password > $file - chown ${secrets-db.music_stream_password.user}:${secrets-db.music_stream_password.group} $file - chmod ${secrets-db.music_stream_password.permissions} $file - - file=${secrets-db.wg_priv.path} - echo $file - simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $file - chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file - chmod ${secrets-db.wg_priv.permissions} $file - - file=${secrets-db.wg_preshared_hetzner-vm.path} - echo $file - simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $file - chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file - chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file - - file=${secrets-db.wg_preshared_vault.path} - echo $file - simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $file - chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file - chmod ${secrets-db.wg_preshared_vault.permissions} $file - - file=${secrets-db.wg_preshared_storage.path} - echo $file - simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $file - chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file - chmod 
${secrets-db.wg_preshared_storage.permissions} $file - '') - ]; +{ pkgs, ... }: { + services.secrets = { + enable = true; + secrets = { + usb_encryption_passphrase = { manual = true; }; + music_stream_password = { + user = "chaos"; + group = "users"; + fetchScript = '' + simple_get "/api-keys/music-stream" .password > $secretFile + ''; + }; + wg_priv = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $secretFile + ''; + }; + wg_preshared_hetzner-vm = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $secretFile + ''; + }; + wg_preshared_vault = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $secretFile + ''; + }; + wg_preshared_storage = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $secretFile + ''; + }; + wg_harry_priv = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/harry/tablet" .private > $secretFile + ''; + }; + wg_harry_preshared = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/harry/tablet" .preshared_keys.main > $secretFile + ''; + }; + }; + }; } diff --git a/hosts/tablet/tablet.nix b/hosts/tablet/tablet.nix index 0b5d90e..197e169 100644 --- a/hosts/tablet/tablet.nix +++ b/hosts/tablet/tablet.nix @@ -36,21 +36,6 @@ networking.enableIPv6 = false; - # let vscode, vivaldi, etc work. - security.unprivilegedUsernsClone = true; - - nix.settings.auto-optimise-store = true; - nix.gc = { - automatic = true; - dates = "daily"; - options = "--delete-older-than 30d"; - }; - - nix.extraOptions = '' - keep-outputs = true - keep-derivations = true - ''; - networking.hostName = "tablet"; time.timeZone = "Europe/London"; diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix index 835a4b8..be80ab6 100644 --- a/hosts/vault/secrets.nix +++ b/hosts/vault/secrets.nix 
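Review bot: The new `fetchScript` snippets redirect into an unquoted `$secretFile` and no longer set a mode, where the removed script ran under `set -e -o pipefail` and did an explicit `chown`/`chmod` per file. The `services.secrets` module that wraps these snippets is not part of this hunk, so it is worth confirming that it enables `pipefail`, creates the file under a restrictive umask before the redirect, and defaults to owner-only permissions; otherwise a failed Vault read could leave an empty or `null` key file that wg-quick then loads. Quoting the target is a small fix in each snippet: `simple_get "/api-keys/music-stream" .password > "$secretFile"`. `pkgs` in the function header is no longer used by the new body and can be dropped.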
@@ -1,64 +1,46 @@ { pkgs, ... }: let secrets-db = (import ./secrets-db.nix { }); in { - systemd.tmpfiles.rules = [ "d /secrets - root root" ]; - environment.systemPackages = [ - (pkgs.writeShellScriptBin "init-secrets" '' - set -e -o pipefail - - VAULT_ADDR_DEFAULT="https://vault.owo.monster" - [ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT" - - export PATH=$PATH:${pkgs.vault}/bin - export PATH=$PATH:${pkgs.jq}/bin - - kv_get() { - vault kv get -format json $1 - } - - simple_get() { - kv_get $1 | jq .data.data$2 -r - } - - simple_get "/private-public-keys/restic/Vault" .password > /secrets/restic_password - chown ${secrets-db.restic_password.user}:${secrets-db.restic_password.group} /secrets/restic_password - chmod ${secrets-db.restic_password.permissions} /secrets/restic_password - - RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Vault" .username) - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .password) - echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env - chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env - chmod ${secrets-db.restic_env.permissions} /secrets/restic_env - - file=${secrets-db.wg_priv.path} - echo $file - simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $file - chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file - chmod ${secrets-db.wg_priv.permissions} $file - - file=${secrets-db.wg_preshared_hetzner-vm.path} - echo $file - simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $file - chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file - chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file - - file=${secrets-db.wg_preshared_tablet.path} - echo $file - simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $file - chown 
${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file - chmod ${secrets-db.wg_preshared_tablet.permissions} $file - - file=${secrets-db.wg_preshared_storage.path} - echo $file - simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $file - chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file - chmod ${secrets-db.wg_preshared_storage.permissions} $file - - file=${secrets-db.wg_preshared_iphone8.path} - echo $file - simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $file - chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file - chmod ${secrets-db.wg_preshared_iphone8.permissions} $file - '') - ]; + services.secrets = { + enable = true; + secrets = { + restic_password = { + fetchScript = '' + simple_get "/private-public-keys/restic/Vault" .password > $secretFile + ''; + }; + restic_env = { + fetchScript = '' + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Vault" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > $secretFile + ''; + }; + wg_priv = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $secretFile + ''; + }; + wg_preshared_hetzner-vm = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $secretFile + ''; + }; + wg_preshared_tablet = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $secretFile + ''; + }; + wg_preshared_storage = { + fetchScript = '' + simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $secretFile + ''; + }; + wg_preshared_iphone8 = { + fetchScript = '' + simple_get 
"/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $secretFile + ''; + }; + }; + }; } diff --git a/overlay/default.nix b/overlay/default.nix index 35e153f..f9993b2 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -1,8 +1,11 @@ final: prev: { comic-sans = final.callPackage ./comic-sans { }; comic-code = final.callPackage ./comic-code { }; - zar = final.callPackage ./zar { }; - gobar = final.callPackage ./gobar { }; roc-toolkit-patched = final.callPackage ./roc-toolkit-patched { }; roc-send-pcm = final.callPackage ./roc-send-pcm { }; + invidious = final.callPackage ./invidious { + lsquic = final.callPackage ./invidious/lsquic.nix { }; + videojs = final.callPackage ./invidious/videojs.nix { }; + }; + } diff --git a/overlay/invidious-latest/default.nix b/overlay/invidious-latest/default.nix deleted file mode 100644 index 6eaa925..0000000 --- a/overlay/invidious-latest/default.nix +++ /dev/null 
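Review bot: In `restic_env`, `$RESTIC_USERNAME` and `$RESTIC_PASSWORD` are pasted into the `rest:https://…@storage-restic.owo.monster/Vault` URL without percent-encoding, so a password containing `@`, `/`, `:` or `%` produces a repository URL that parses differently from what was intended. This is carried over from the removed script, but the move to `fetchScript` is a good moment to either encode the two values or constrain the generated credentials to URL-safe characters and say so in a comment. The `let secrets-db = (import ./secrets-db.nix { });` binding stays as context while every use of it is removed in this hunk, so it can be deleted as well.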
@@ -1,106 +0,0 @@ -{ lib, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl, sqlite -, lsquic, shards }: -let - # When updating, always update the following: - # * the git revision - # * the version attribute - # * the source hash (sha256) - # If the shards.lock file changed, also the following: - # * shards.nix (by running `crystal2nix` in invidious’ source tree) - # * If the lsquic.cr dependency changed: lsquic in lsquic.nix (version, sha256) - # * If the lsquic version changed: boringssl' in lsquic.nix (version, sha256) - rev = "d928b9eaadc8298f2e92a766fdd10c79e6048858"; -in crystal.buildCrystalPackage rec { - pname = "invidious"; - version = "master"; - - src = fetchFromGitHub { - owner = "iv-org"; - repo = pname; - inherit rev; - sha256 = "sha256-WojYv9HMqS3UcZFewgE/svbpqeAY6BIyAtxAMfdn1xk="; - }; - - postPatch = let - # Replacing by the value (templates) of the variables ensures that building - # fails if upstream changes the way the metadata is formatted. - branchTemplate = ''{{ "#{`git branch | sed -n '/* /s///p'`.strip}" }}''; - commitTemplate = - ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit`.strip}" }}''; - versionTemplate = '' - {{ "#{`git log -1 --format=%ci | awk '{print $1}' | sed s/-/./g`.strip}" }}''; - # This always uses the latest commit which invalidates the cache even if - # the assets were not changed - assetCommitTemplate = '' - {{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}''; - in '' - # Use the version metadata from the derivation instead of using git at - # build-time - substituteInPlace src/invidious.cr \ - --replace ${lib.escapeShellArg branchTemplate} '"master"' \ - --replace ${lib.escapeShellArg commitTemplate} '"${ - lib.substring 0 7 rev - }"' \ - --replace ${lib.escapeShellArg versionTemplate} '"${ - lib.replaceChars [ "-" ] [ "." 
] (lib.substring 9 10 version) - }"' \ - --replace ${lib.escapeShellArg assetCommitTemplate} '"${ - lib.substring 0 7 rev - }"' - - # Patch the assets and locales paths to be absolute - substituteInPlace src/invidious.cr \ - --replace 'public_folder "assets"' 'public_folder "${ - placeholder "out" - }/share/invidious/assets"' - substituteInPlace src/invidious/helpers/i18n.cr \ - --replace 'File.read("locales/' 'File.read("${ - placeholder "out" - }/share/invidious/locales/' - - # Reference sql initialisation/migration scripts by absolute path - substituteInPlace src/invidious/database/base.cr \ - --replace 'config/sql' '${ - placeholder "out" - }/share/invidious/config/sql' - - substituteInPlace src/invidious/users.cr \ - --replace 'Process.run(%(rsvg-convert' 'Process.run(%(${ - lib.getBin librsvg - }/bin/rsvg-convert' - ''; - - # shards required for spectator - nativeBuildInputs = [ pkg-config shards ]; - buildInputs = [ libxml2 openssl sqlite ]; - - format = "crystal"; - shardsFile = ./shards.nix; - crystalBinaries.invidious.src = "src/invidious.cr"; - - postConfigure = '' - # lib includes nix store paths which can’t be patched, so the links have to - # be dereferenced first. - cp -rL lib lib2 - rm -r lib - mv lib2 lib - chmod +w -R lib - cp ${lsquic}/lib/liblsquic.a lib/lsquic/src/lsquic/ext - ''; - - postInstall = '' - mkdir -p $out/share/invidious/config - - # Copy static parts - cp -r assets locales $out/share/invidious - cp -r config/sql $out/share/invidious/config - ''; - - # Invidious tries to open config/config.yml and connect to the database, even - # when running --help. This specifies a minimal configuration in an - # environment variable. Even though the database is bogus, --help still - # works. - installCheckPhase = '' - INVIDIOUS_CONFIG="database_url: sqlite3:///dev/null" $out/bin/invidious --help - ''; -} diff --git a/overlay/invidious-latest/lsquic.nix b/overlay/invidious-latest/lsquic.nix deleted file mode 100644 index e7ed449..0000000 
--- a/overlay/invidious-latest/lsquic.nix +++ /dev/null @@ -1,63 +0,0 @@ -{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, cmake, zlib, perl, libevent -}: -let - # lsquic requires a specific boringssl version (noted in its README) - boringssl' = boringssl.overrideAttrs (old: rec { - version = "251b5169fd44345f455438312ec4e18ae07fd58c"; - src = fetchgit { - url = "https://boringssl.googlesource.com/boringssl"; - rev = version; - sha256 = "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A="; - }; - }); -in stdenv.mkDerivation rec { - pname = "lsquic"; - version = "2.18.1"; - - src = fetchFromGitHub { - owner = "litespeedtech"; - repo = pname; - rev = "v${version}"; - sha256 = "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM="; - fetchSubmodules = true; - }; - - nativeBuildInputs = [ cmake perl ]; - buildInputs = [ boringssl' libevent zlib ]; - - cmakeFlags = [ - "-DBORINGSSL_DIR=${lib.getDev boringssl'}" - "-DBORINGSSL_LIB_crypto=${lib.getLib boringssl'}/lib/libcrypto.a" - "-DBORINGSSL_LIB_ssl=${lib.getLib boringssl'}/lib/libssl.a" - "-DZLIB_LIB=${zlib}/lib/libz.so" - ]; - - # adapted from lsquic.cr’s Dockerfile - # (https://github.com/iv-org/lsquic.cr/blob/master/docker/Dockerfile) - installPhase = '' - runHook preInstall - - mkdir combinedlib - cd combinedlib - ar -x ${lib.getLib boringssl'}/lib/libssl.a - ar -x ${lib.getLib boringssl'}/lib/libcrypto.a - ar -x ../src/liblsquic/liblsquic.a - ar rc liblsquic.a *.o - ranlib liblsquic.a - install -D liblsquic.a $out/lib/liblsquic.a - - runHook postInstall - ''; - - meta = with lib; { - description = "A library for QUIC and HTTP/3 (version for Invidious)"; - homepage = "https://github.com/litespeedtech/lsquic"; - maintainers = with maintainers; [ infinisil sbruder ]; - license = with licenses; [ - openssl - isc - mit - bsd3 - ]; # statically links against boringssl, so has to include its licenses - }; -} 
diff --git a/overlay/invidious/default.nix b/overlay/invidious/default.nix
new file mode 100644
index 0000000..66856b8
--- /dev/null
+++ b/overlay/invidious/default.nix
@@ -0,0 +1,123 @@ +{ lib, stdenv, crystal, fetchFromGitHub, librsvg, pkg-config, libxml2, openssl, shards, sqlite, lsquic, videojs, nixosTests }: +let + # All versions, revisions, and checksums are stored in ./versions.json. + # The update process is the following: + # * pick the latest commit + # * update .invidious.rev, .invidious.version, and .invidious.sha256 + # * prefetch the videojs dependencies with scripts/fetch-player-dependencies.cr + # and update .videojs.sha256 (they are normally fetched during build + # but nix's sandboxing does not allow that) + # * if shard.lock changed + # * recreate shards.nix by running crystal2nix + # * update lsquic and boringssl if necessarry, lsquic.cr depends on + # the same version of lsquic and lsquic requires the boringssl + # commit mentioned in its README + versions = builtins.fromJSON (builtins.readFile ./versions.json); +in +crystal.buildCrystalPackage rec { + pname = "invidious"; + inherit (versions.invidious) version; + + src = fetchFromGitHub { + owner = "iv-org"; + repo = pname; + fetchSubmodules = true; + inherit (versions.invidious) rev sha256; + }; + + postPatch = + let + # Replacing by the value (templates) of the variables ensures that building + # fails if upstream changes the way the metadata is formatted. 
+ branchTemplate = ''{{ "#{`git branch | sed -n '/* /s///p'`.strip}" }}''; + commitTemplate = ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit`.strip}" }}''; + versionTemplate = ''{{ "#{`git log -1 --format=%ci | awk '{print $1}' | sed s/-/./g`.strip}" }}''; + # This always uses the latest commit which invalidates the cache even if + # the assets were not changed + assetCommitTemplate = ''{{ "#{`git rev-list HEAD --max-count=1 --abbrev-commit -- assets`.strip}" }}''; + in + '' + for d in ${videojs}/*; do ln -s "$d" assets/videojs; done + + # Use the version metadata from the derivation instead of using git at + # build-time + substituteInPlace src/invidious.cr \ + --replace ${lib.escapeShellArg branchTemplate} '"master"' \ + --replace ${lib.escapeShellArg commitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"' \ + --replace ${lib.escapeShellArg versionTemplate} '"${lib.replaceChars ["-"] ["."] (lib.substring 9 10 version)}"' \ + --replace ${lib.escapeShellArg assetCommitTemplate} '"${lib.substring 0 7 versions.invidious.rev}"' + + # Patch the assets and locales paths to be absolute + substituteInPlace src/invidious.cr \ + --replace 'public_folder "assets"' 'public_folder "${placeholder "out"}/share/invidious/assets"' + substituteInPlace src/invidious/helpers/i18n.cr \ + --replace 'File.read("locales/' 'File.read("${placeholder "out"}/share/invidious/locales/' + + # Reference sql initialisation/migration scripts by absolute path + substituteInPlace src/invidious/database/base.cr \ + --replace 'config/sql' '${placeholder "out"}/share/invidious/config/sql' + + substituteInPlace src/invidious/user/captcha.cr \ + --replace 'Process.run(%(rsvg-convert' 'Process.run(%(${lib.getBin librsvg}/bin/rsvg-convert' + ''; + + nativeBuildInputs = [ pkg-config shards ]; + buildInputs = [ libxml2 openssl sqlite ]; + + format = "crystal"; + shardsFile = ./shards.nix; + crystalBinaries.invidious = { + src = "src/invidious.cr"; + options = [ + #"--release" + "--debug" + 
"--progress" + "--verbose" + #"--no-debug" + "-Dskip_videojs_download" + "-Ddisable_quic" + ]; + }; + + dontStrip = true; + + postConfigure = '' + # lib includes nix store paths which can’t be patched, so the links have to + # be dereferenced first. + cp -rL lib lib2 + rm -r lib + mv lib2 lib + chmod +w -R lib + cp ${lsquic}/lib/liblsquic.a lib/lsquic/src/lsquic/ext + ''; + + postInstall = '' + mkdir -p $out/share/invidious/config + + # Copy static parts + cp -r assets locales $out/share/invidious + cp -r config/sql $out/share/invidious/config + ''; + + # Invidious tries to open config/config.yml and connect to the database, even + # when running --help. This specifies a minimal configuration in an + # environment variable. Even though the database is bogus, --help still + # works. + installCheckPhase = '' + INVIDIOUS_CONFIG="database_url: sqlite3:///dev/null" $out/bin/invidious --help + ''; + + passthru = { + inherit lsquic; + tests = { inherit (nixosTests) invidious; }; + updateScript = ./update.sh; + }; + + meta = with lib; { + description = "An open source alternative front-end to YouTube"; + homepage = "https://invidious.io/"; + license = licenses.agpl3; + maintainers = with maintainers; [ infinisil sbruder ]; + broken = stdenv.isDarwin && stdenv.isAarch64; + }; +} diff --git a/overlay/invidious/lsquic.nix b/overlay/invidious/lsquic.nix new file mode 100644 index 0000000..ca04c97 --- /dev/null +++ b/overlay/invidious/lsquic.nix 
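Review bot: `crystalBinaries.invidious.options` builds with `"--debug"` while `"--release"` and `"--no-debug"` are commented out, and `dontStrip = true;` keeps the symbols, so what gets deployed is an unoptimised debug binary of a network-facing service. If that was for chasing a crash, say so in a comment next to the options, or restore `"--release"` before this reaches a host. `"-Ddisable_quic"` is passed as well, yet `postConfigure` still copies `${lsquic}/lib/liblsquic.a` and the overlay still builds lsquic with its pinned boringssl; a short comment on whether lsquic is still linked into the binary would help the next update.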
@@ -0,0 +1,111 @@ +{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, fetchurl, cmake, zlib, perl, libevent }: +let + versions = builtins.fromJSON (builtins.readFile ./versions.json); + + fetchGitilesPatch = { name, url, sha256 }: + fetchurl { + url = "${url}%5E%21?format=TEXT"; + inherit name sha256; + downloadToTemp = true; + postFetch = '' + base64 -d < $downloadedFile > $out + ''; + }; + + # lsquic requires a specific boringssl version (noted in its README) + boringssl' = boringssl.overrideAttrs ({ preBuild, ... }: { + version = versions.boringssl.rev; + src = fetchgit { + url = "https://boringssl.googlesource.com/boringssl"; + inherit (versions.boringssl) rev sha256; + }; + + patches = [ + # Use /etc/ssl/certs/ca-certificates.crt instead of /etc/ssl/cert.pem + ./use-etc-ssl-certs.patch + + # because lsquic requires that specific boringssl version and that + # version does not yet include fixes for gcc11 build errors, they + # must be backported + (fetchGitilesPatch { + name = "fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/139adff9b27eaf0bdaac664ec4c9a7db2fe3f920"; + sha256 = "05sp602dvh50v46jkzmh4sf4wqnq5bwy553596g2rhxg75bailjj"; + }) + (fetchGitilesPatch { + name = "use-an-unsized-helper-for-truncated-SHA-512-variants.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/a24ab549e6ae246b391155d7bed3790ac0e07de2"; + sha256 = "0483jkpg4g64v23ln2blb74xnmzdjcn3r7w4zk7nfg8j3q5f9lxm"; + }) +/* + # the following patch is too complex, so we will modify the build flags + # of crypto/fipsmodule/CMakeFiles/fipsmodule.dir/bcm.c.o in preBuild + # and turn off -Werror=stringop-overflow + (fetchGitilesPatch { + name = "make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/597ffef971dd980b7de5e97a0c9b7ca26eec94bc"; + sha256 = "1y0bkkdf1ccd6crx326agp01q22clm4ai4p982y7r6dkmxmh52qr"; + }) +*/ + 
(fetchGitilesPatch { + name = "fix-array-parameter-warnings.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/92c6fbfc4c44dc8462d260d836020d2b793e7804"; + sha256 = "0h4sl95i8b0dj0na4ngf50wg54raxyjxl1zzwdc810abglp10vnv"; + }) + ]; + + preBuild = '' + ${preBuild} + sed -e '/^build crypto\/fipsmodule\/CMakeFiles\/fipsmodule\.dir\/bcm\.c\.o:/,/^ *FLAGS =/ s/^ *FLAGS = -Werror/& -Wno-error=stringop-overflow/' \ + -i build.ninja + ''; + }); +in +stdenv.mkDerivation rec { + pname = "lsquic"; + version = versions.lsquic.version; + + src = fetchFromGitHub { + owner = "litespeedtech"; + repo = pname; + rev = "v${version}"; + inherit (versions.lsquic) sha256; + fetchSubmodules = true; + }; + + nativeBuildInputs = [ cmake perl ]; + buildInputs = [ boringssl' libevent zlib ]; + + cmakeFlags = [ + "-DBORINGSSL_DIR=${lib.getDev boringssl'}" + "-DBORINGSSL_LIB_crypto=${lib.getLib boringssl'}/lib/libcrypto.a" + "-DBORINGSSL_LIB_ssl=${lib.getLib boringssl'}/lib/libssl.a" + "-DZLIB_LIB=${zlib}/lib/libz.so" + ]; + + # adapted from lsquic.cr’s Dockerfile + # (https://github.com/iv-org/lsquic.cr/blob/master/docker/Dockerfile) + installPhase = '' + runHook preInstall + + mkdir combinedlib + cd combinedlib + ar -x ${lib.getLib boringssl'}/lib/libssl.a + ar -x ${lib.getLib boringssl'}/lib/libcrypto.a + ar -x ../src/liblsquic/liblsquic.a + ar rc liblsquic.a *.o + ranlib liblsquic.a + install -D liblsquic.a $out/lib/liblsquic.a + + runHook postInstall + ''; + + passthru.boringssl = boringssl'; + + meta = with lib; { + description = "A library for QUIC and HTTP/3 (version for Invidious)"; + homepage = "https://github.com/litespeedtech/lsquic"; + maintainers = with maintainers; [ infinisil sbruder ]; + license = with licenses; [ openssl isc mit bsd3 ]; # statically links against boringssl, so has to include its licenses + }; +} 
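Review bot: The `preBuild` sed in `boringssl'` appends `-Wno-error=stringop-overflow` to the flags of `fipsmodule.dir/bcm.c.o`, so in the crypto core a possible overflow diagnostic is downgraded to a warning in the build log, on a boringssl commit that stays frozen at whatever lsquic's README names. I would add a comment next to the override such as `# drop once lsquic accepts a boringssl that carries the gcc11 fixes`, so the workaround is revisited when `versions.json` is bumped. The disabled `fetchGitilesPatch` inside `patches` would read better as plain `#` comment lines than as a `/* … */` block sitting between list elements.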
diff --git a/overlay/invidious-latest/shards.nix b/overlay/invidious/shards.nix similarity index 79% rename from overlay/invidious-latest/shards.nix rename to overlay/invidious/shards.nix index 82f34b4..e5f297d 100644 --- a/overlay/invidious-latest/shards.nix +++ b/overlay/invidious/shards.nix @@ -20,14 +20,14 @@ exception_page = { owner = "crystal-loot"; repo = "exception_page"; - rev = "v0.2.0"; - sha256 = "0nlgnh5iykbr1v2132342k2mz6s2laws6nkgqsqlwhhcr4gb4jcx"; + rev = "v0.2.2"; + sha256 = "1c8askb9b7621jjz5pjj6b8pdbhw3r1l3dym6swg1saspf5j3jwi"; }; kemal = { owner = "kemalcr"; repo = "kemal"; - rev = "v1.1.0"; - sha256 = "07vlvddy4mba9li2bvskzqzywwq55cyvlgkz13q6dsl4zfgc96ca"; + rev = "v1.1.2"; + sha256 = "1149q4qw0zrws5asqqr4snrdi67xsmisdcq58zcrbgqgsxgly9d0"; }; kilt = { owner = "jeromegn"; @@ -62,8 +62,8 @@ spectator = { owner = "icy-arctic-fox"; repo = "spectator"; - rev = "v0.10.3"; - sha256 = "0gh9g7ycn17n4g4sr728c8fdrrznx68alhpkwhcrzxxn2hgsp46v"; + rev = "v0.10.4"; + sha256 = "0rcxq2nbslvwrd8m9ajw6dzaw3hagxmkdy9s8p34cgnr4c9dijdq"; }; sqlite3 = { owner = "crystal-lang"; @@ -71,4 +71,10 @@ rev = "v0.18.0"; sha256 = "03nnvpchhq9f9ywsm3pk2rrj4a3figw7xs96zdziwgr5znkz6x93"; }; + ameba = { + owner = "crystal-ameba"; + repo = "ameba"; + rev = "v0.14.3"; + sha256 = "1cfr95xi6hsyxw1wlrh571hc775xhwmssk3k14i8b7dgbwfmm5x1"; + }; } diff --git a/overlay/invidious/update.sh b/overlay/invidious/update.sh new file mode 100755 index 0000000..4810534 --- /dev/null +++ b/overlay/invidious/update.sh 
@@ -0,0 +1,96 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i bash -p curl crystal crystal2nix jq git moreutils nix nix-prefetch pkg-config +git_url='https://github.com/iv-org/invidious.git' +git_branch='master' +git_dir='/var/tmp/invidious.git' +pkg='invidious' + +set -euo pipefail + +cd "$(dirname "${BASH_SOURCE[0]}")" + +info() { + if [ -t 2 ]; then + set -- '\033[32m%s\033[39m\n' "$@" + else + set -- '%s\n' "$@" + fi + printf "$@" >&2 +} + +json_get() { + jq -r "$1" < 'versions.json' +} + +json_set() { + jq --arg x "$2" "$1 = \$x" < 'versions.json' | sponge 'versions.json' +} + +old_rev=$(json_get '.invidious.rev') +old_version=$(json_get '.invidious.version') +today=$(LANG=C date -u +'%Y-%m-%d') + +info "fetching $git_url..." +if [ ! -d "$git_dir" ]; then + git init --initial-branch="$git_branch" "$git_dir" + git -C "$git_dir" remote add origin "$git_url" +fi +git -C "$git_dir" fetch origin "$git_branch" + +# use latest commit before today, we should not call the version *today* +# because there might still be commits coming +# use the day of the latest commit we picked as version +new_rev=$(git -C "$git_dir" log -n 1 --format='format:%H' --before="${today}T00:00:00Z" "origin/$git_branch") +new_version="unstable-$(TZ=UTC git -C "$git_dir" log -n 1 --date='format-local:%Y-%m-%d' --format='%cd' "$new_rev")" +info "latest commit before $today: $new_rev" + +if [ "$new_rev" = "$old_rev" ]; then + info "$pkg is up-to-date." + exit +fi + +json_set '.invidious.version' "$new_version" +json_set '.invidious.rev' "$new_rev" +new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "$pkg") +json_set '.invidious.sha256' "$new_sha256" +commit_msg="$pkg: $old_version -> $new_version" + +# fetch video.js dependencies +info "Running scripts/fetch-player-dependencies.cr..." 
+git -C "$git_dir" reset --hard "$new_rev" +(cd "$git_dir" && crystal run scripts/fetch-player-dependencies.cr -- --minified) +rm -f "$git_dir/assets/videojs/.gitignore" +videojs_new_sha256=$(nix-hash --type sha256 --base32 "$git_dir/assets/videojs") +json_set '.videojs.sha256' "$videojs_new_sha256" + +if git -C "$git_dir" diff-tree --quiet "${old_rev}..${new_rev}" -- 'shard.lock'; then + info "shard.lock did not change since $old_rev." +else + info "Updating shards.nix..." + crystal2nix -- "$git_dir/shard.lock" # argv's index seems broken + + lsquic_old_version=$(json_get '.lsquic.version') + # lsquic.cr's version tracks lsquic's, so lsquic must be updated to the + # version in the shards file + lsquic_new_version=$(nix eval --raw -f 'shards.nix' lsquic.rev \ + | sed -e 's/^v//' -e 's/-[0-9]*$//') + if [ "$lsquic_old_version" != "$lsquic_new_version" ]; then + info "Updating lsquic to $lsquic_new_version..." + json_set '.lsquic.version' "$lsquic_new_version" + lsquic_new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "${pkg}.lsquic") + json_set '.lsquic.sha256' "$lsquic_new_sha256" + + info "Updating boringssl..." + # lsquic specifies the boringssl commit it requires in its README + boringssl_new_rev=$(curl -LSsf "https://github.com/litespeedtech/lsquic/raw/v${lsquic_new_version}/README.md" \ + | grep -Pom1 '(?<=^git checkout ).*') + json_set '.boringssl.rev' "$boringssl_new_rev" + boringssl_new_sha256=$(nix-prefetch -I 'nixpkgs=../../..' "${pkg}.lsquic.boringssl") + json_set '.boringssl.sha256' "$boringssl_new_sha256" + commit_msg="$commit_msg + +lsquic: $lsquic_old_version -> $lsquic_new_version" + fi +fi + +git commit --verbose --message "$commit_msg" -- versions.json shards.nix diff --git a/overlay/invidious/use-etc-ssl-certs.patch b/overlay/invidious/use-etc-ssl-certs.patch new file mode 100644 index 0000000..b60b0b1 --- /dev/null +++ b/overlay/invidious/use-etc-ssl-certs.patch 
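Review bot: `git_dir='/var/tmp/invidious.git'` at the top of the new script is a fixed path in a world-writable directory, and the script later runs `git -C "$git_dir" …` and `crystal run scripts/fetch-player-dependencies.cr` from inside it. On a multi-user host another account could create that directory first, so the checkout the script trusts would not be one it made; a per-user location such as `git_dir="${XDG_CACHE_HOME:-$HOME/.cache}/invidious.git"` avoids that. Separately, `boringssl_new_rev` is scraped from the README with `grep` and written to versions.json unchecked. A guard like `[[ $boringssl_new_rev =~ ^[0-9a-f]{40}$ ]] || exit 1` before the `json_set` call would stop a changed README format from silently pinning something that is not a commit id.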
@@ -0,0 +1,13 @@ +diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c +index d2bc3e5c1..329580075 100644 +--- a/crypto/x509/x509_def.c ++++ b/crypto/x509/x509_def.c +@@ -67,7 +67,7 @@ + + #define X509_CERT_AREA OPENSSLDIR + #define X509_CERT_DIR OPENSSLDIR "/certs" +-#define X509_CERT_FILE OPENSSLDIR "/cert.pem" ++#define X509_CERT_FILE "/etc/ssl/certs/ca-certificates.crt" + #define X509_PRIVATE_DIR OPENSSLDIR "/private" + #define X509_CERT_DIR_EVP "SSL_CERT_DIR" + #define X509_CERT_FILE_EVP "SSL_CERT_FILE" diff --git a/overlay/invidious/versions.json b/overlay/invidious/versions.json new file mode 100644 index 0000000..6df91c3 --- /dev/null +++ b/overlay/invidious/versions.json @@ -0,0 +1,18 @@ +{ + "boringssl": { + "rev": "251b5169fd44345f455438312ec4e18ae07fd58c", + "sha256": "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A=" + }, + "invidious": { + "rev": "09942dee6621e7047a63dffcc61b3bbf78cef2c6", + "sha256": "sha256-0Cb1Qsn6vnrzd4pZm1GZxlVQNn5dYKUR/xWMCG37GSk=", + "version": "unstable-2022-11-02" + }, + "lsquic": { + "sha256": "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=", + "version": "2.18.1" + }, + "videojs": { + "sha256": "0m09pc9acpzhfwwvc9dayl60nn28skmmglgvmlp48dlkqgfbgc27" + } +} diff --git a/overlay/invidious/videojs.nix b/overlay/invidious/videojs.nix new file mode 100644 index 0000000..e447079 --- /dev/null +++ b/overlay/invidious/videojs.nix @@ -0,0 +1,18 @@ +{ stdenvNoCC, cacert, crystal, openssl, pkg-config, invidious }: + +let + versions = builtins.fromJSON (builtins.readFile ./versions.json); +in +stdenvNoCC.mkDerivation { + name = "videojs"; + + inherit (invidious) src; + + builder = ./videojs.sh; + + nativeBuildInputs = [ cacert crystal openssl pkg-config ]; + + outputHashAlgo = "sha256"; + outputHashMode = "recursive"; + outputHash = versions.videojs.sha256; +} diff --git a/overlay/invidious/videojs.sh b/overlay/invidious/videojs.sh new file mode 100644 index 0000000..31609db --- /dev/null 
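Review bot: The new use-etc-ssl-certs.patch carries no description, so a reader cannot tell why `X509_CERT_FILE` is hard-coded to `"/etc/ssl/certs/ca-certificates.crt"`. With this change the default CA bundle is whatever the host places at that path rather than anything pinned by the derivation, while `X509_CERT_DIR` still points at `OPENSSLDIR "/certs"`. I would add a short header above the `diff --git` line stating that the bundle is expected to come from the host's CA configuration and that the directory default is left untouched on purpose. Where the patch is applied is not visible in this part of the diff.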
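Review bot: In videojs.nix, `name = "videojs";` combined with `outputHash = versions.videojs.sha256;` makes the store path of this fixed-output derivation depend only on the name and the hash, not on `inherit (invidious) src;`. If the invidious revision is bumped without refreshing `.videojs.sha256`, Nix can reuse the previously built assets without running the builder, so the player files may lag behind the source with no error. Tying the name to the pinned version, e.g. `name = "videojs-${versions.invidious.version}";`, changes the store path on each bump and turns a stale hash into a visible mismatch.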
+++ b/overlay/invidious/videojs.sh @@ -0,0 +1,9 @@ +source $stdenv/setup + +unpackPhase +cd source +# this helper downloads the videojs files and checks their checksums +# against videojs-dependencies.yml so it should be pure +crystal run scripts/fetch-player-dependencies.cr -- --minified +rm -f assets/videojs/.gitignore +mv assets/videojs "$out" diff --git a/presets/nixos/desktop.nix b/presets/nixos/desktop.nix index 40cdc46..210e969 100644 --- a/presets/nixos/desktop.nix +++ b/presets/nixos/desktop.nix @@ -19,7 +19,6 @@ home.apps.pavucontrol home.apps.mpv - home.apps.vivaldi home.apps.firefox home.apps.telegram home.apps.quassel diff --git a/profiles/nix-gc.nix b/profiles/nix-gc.nix index df7c466..b7ef078 100644 --- a/profiles/nix-gc.nix +++ b/profiles/nix-gc.nix @@ -3,6 +3,6 @@ nix.gc = { automatic = true; dates = "daily"; - options = "--delete-older-than 1d"; + options = "--delete-older-than 10d"; }; } diff --git a/scripts/update.sh b/scripts/update.sh index 346926b..6964181 100755 --- a/scripts/update.sh +++ b/scripts/update.sh @@ -3,5 +3,5 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) REPO_ROOT="${SCRIPT_DIR}/.." cd $REPO_ROOT - +./overlay/invidious/update.sh nix flake update diff --git a/wg.key b/wg.key deleted file mode 100644 index dd4fa5c..0000000 --- a/wg.key +++ /dev/null @@ -1 +0,0 @@ -qCxTpFUKxcRZOg+uWUgphnr8+tfoy33IOpuuuDWZUEQ= diff --git a/wg.pub b/wg.pub deleted file mode 100644 index e6ecd14..0000000 --- a/wg.pub +++ /dev/null @@ -1 +0,0 @@ -+gZf6RttTQHh/kdYrucasSJgDFpyIaG1UdickV4Mfj4=
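Review bot: The added `./overlay/invidious/update.sh` line in scripts/update.sh makes every routine flake update also fetch upstream, run `crystal run scripts/fetch-player-dependencies.cr` from that checkout outside the Nix sandbox, and create a git commit. The hunk starts at line 3, so whether this script sets `set -e` is not visible; if it does not, a failed invidious update is ignored and `nix flake update` still runs. I would make the failure explicit with `./overlay/invidious/update.sh || exit 1`. I would also consider putting the step behind an opt-in flag, so that a plain lockfile update does not execute freshly fetched code.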