container/Change.nix

@@ -0,0 +1,34 @@
+{ pkgs
+, storage
+, const
+, domain
+, host
+, util
+, mkContainer
+, mkContainerConfig
+, ... } @args: let
+	path = "${storage}/change";
+in {
+	systemd.tmpfiles.rules = map (
+		dirName: "d '${path}/${dirName}' 1777 root root - -"
+	) [ "data" ];
+
+	containers.change = mkContainer {
+		autoStart      = true;
+		localAddress   = "10.1.0.41";
+		privateNetwork = true;
+
+		bindMounts = {
+			"/datastore" = {
+				hostPath   = "${path}/data";
+				isReadOnly = false;
+			};
+		};
+
+		config = { config, lib, pkgs, ... }: mkContainerConfig {
+			services.changedetection-io = {
+				enable = true;
+			};
+		};
+	};
+}

container/Paste.nix

@@ -0,0 +1,129 @@
+{ pkgs
+, storage
+, const
+, domain
+, host
+, util
+, mkContainer
+, mkContainerConfig
+, mkServer
+, ... } @args: let
+	path    = "${storage}/paste";
+	package = (pkgs.callPackage ./pastebin args);
+	fqdn    = "paste.${domain}";
+in {
+	systemd.tmpfiles.rules = map (
+		dirName: "d '${path}/${dirName}' 1777 root root - -"
+	) [ "data" "tmp" "nginxtmp" "config" ];
+
+	containers.paste = mkContainer {
+		autoStart      = true;
+		hostAddress    = host;
+		localAddress   = "10.1.0.14";
+		privateNetwork = true;
+
+		bindMounts = {
+			"/srv/data" = {
+				hostPath   = "${path}/data";
+				isReadOnly = false;
+			};
+			"/tmp" = {
+				hostPath   = "${path}/tmp";
+				isReadOnly = false;
+			};
+			"/var/lib/nginx/tmp" = {
+				hostPath   = "${path}/nginxtmp";
+				isReadOnly = false;
+			};
+			"/srv/config" = {
+				hostPath   = "${path}/config";
+				isReadOnly = false;
+			};
+		};
+
+		config = { config, lib, ... }: mkContainerConfig {
+			system.stateVersion = const.stateVersion;
+
+			users.users.root.password = "";
+			users.mutableUsers = false;
+
+			networking = {
+				useHostResolvConf = lib.mkForce false;
+				firewall.enable = false;
+			};
+
+			environment = {
+				systemPackages = [ package pkgs.neovim ];
+				variables = {
+				};
+			};
+
+			systemd.packages = [ package ];
+
+			users.users.paste = {
+				group        = "nginx";
+				isSystemUser = true;
+			};
+
+			services.phpfpm.pools.paste = {
+				user  = "paste";
+				group = "nginx";
+
+				phpPackage = pkgs.php;
+
+				settings = {
+					"pm"                         = "dynamic";
+					"php_admin_value[error_log]" = "stderr";
+					"php_admin_flag[log_errors]" = true;
+					"listen.owner"               = "nginx";
+					"catch_workers_output"       = true;
+					"pm.max_children"            = "32";
+					"pm.start_servers"           = "2";
+					"pm.min_spare_servers"       = "2";
+					"pm.max_spare_servers"       = "4";
+					"pm.max_requests"            = "500";
+				};
+
+				phpEnv = {
+					# CONFIG_PATH = "${package}/cfg";
+				};
+			};
+
+			services.nginx = {
+				enable = true;
+				virtualHosts.${fqdn} = mkServer {
+					default = true;
+					root = "${package}";
+
+					locations = {
+						"/".extraConfig = ''
+							rewrite ^ /index.php;
+						'';
+
+						"~ \\.php$".extraConfig = util.trimTabs ''
+							fastcgi_split_path_info ^(.+\.php)(/.+)$;
+							fastcgi_pass unix:${config.services.phpfpm.pools.paste.socket};
+							include ${config.services.nginx.package}/conf/fastcgi.conf;
+							include ${config.services.nginx.package}/conf/fastcgi_params;
+						'';
+
+						"~ \\.(js|css|ttf|woff2?|png|jpe?g|svg)$".extraConfig = util.trimTabs ''
+							add_header Cache-Control "public, max-age=15778463";
+							add_header X-Content-Type-Options nosniff;
+							add_header X-XSS-Protection "1; mode=block";
+							add_header X-Robots-Tag none;
+							add_header X-Download-Options noopen;
+							add_header X-Permitted-Cross-Domain-Policies none;
+							add_header Referrer-Policy no-referrer;
+							access_log off;
+						'';
+					};
+
+					extraConfig = util.trimTabs ''
+						try_files $uri /index.php;
+					'';
+				};
+			};
+		};
+	};
+}

container/Postgres.nix

@@ -0,0 +1,60 @@
+{ pkgs
+, storage
+, const
+, domain
+, host
+, util
+, mkContainer
+, mkContainerConfig
+, ... } @args: let
+	path = "${storage}/postgres";
+in {
+	systemd.tmpfiles.rules = map (
+		dirName: "d '${path}/${dirName}' 1777 root root - -"
+	) [ "data" ];
+
+	containers.postgres = mkContainer {
+		autoStart      = true;
+		localAddress   = "10.1.0.3";
+		privateNetwork = true;
+
+		bindMounts = {
+			"/var/lib/postgresql/data" = {
+				hostPath   = "${path}/data";
+				isReadOnly = false;
+			};
+		};
+
+		config = { config, lib, pkgs, ... }: mkContainerConfig {
+			system.stateVersion = const.stateVersion;
+
+			users.users.root.password = "";
+			users.mutableUsers = false;
+
+			networking = {
+				useHostResolvConf = lib.mkForce false;
+				firewall.enable = false;
+			};
+
+			services.postgresql = let
+				databases = [
+					"privatebin"
+				];
+			in {
+				enable = true;
+				package = pkgs.postgresql_14;
+				dataDir = "/var/lib/postgresql/data/14";
+				enableTCPIP = true;
+				authentication = ''
+					host all all ${host}/32 trust
+					host privatebin privatebin 10.1.0.14/32 trust
+				'';
+				ensureDatabases = databases;
+				ensureUsers = map (name: {
+					inherit name;
+					ensureDBOwnership = true;
+				}) databases;
+			};
+		};
+	};
+}

container/Proxy.nix

@@ -0,0 +1,54 @@
+{ pkgs
+, storage
+, const
+, domain
+, host
+, util
+, mkContainer
+, mkContainerConfig
+, ... } @args: let
+	path = "${storage}/proxy";
+	virtualHosts = util.catSet (util.ls ./proxy/host) args;
+in {
+	systemd.tmpfiles.rules = map (
+		dirName: "d '${path}/${dirName}' 1777 root root - -"
+	) [ "challenge" "letsencrypt" ];
+
+	containers.proxy = mkContainer {
+		autoStart      = true;
+		hostAddress    = host;
+		localAddress   = "10.1.0.2";
+		privateNetwork = true;
+
+		bindMounts = {
+			"/etc/letsencrypt" = {
+				hostPath   = "${path}/letsencrypt";
+				isReadOnly = true;
+			};
+			"/var/www/.well-known" = {
+				hostPath   = "${path}/challenge";
+				isReadOnly = false;
+			};
+		};
+
+		config = { config, lib, pkgs, ... }: mkContainerConfig {
+			system.stateVersion = const.stateVersion;
+
+			users.users.root.password = "";
+			users.mutableUsers = false;
+
+			networking = {
+				useHostResolvConf = lib.mkForce false;
+				firewall.enable = false;
+			};
+
+			environment.systemPackages = with pkgs; [ certbot ];
+
+			services.nginx = {
+				inherit virtualHosts;
+
+				enable = true;
+			};
+		};
+	};
+}

container/pastebin/Config.nix

@@ -0,0 +1,281 @@
+{ util, ... }: {
+	text = util.trimTabs ''
+		;<?php http_response_code(403); /*
+		; config file for PrivateBin
+		;
+		; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+		[main]
+		; (optional) set a project name to be displayed on the website
+		name = "PrivateBin"
+
+		; The full URL, with the domain name and directories that point to the
+		; PrivateBin files, including an ending slash (/). This URL is essential to
+		; allow Opengraph images to be displayed on social networks.
+		; basepath = "https://privatebin.example.com/"
+
+		; enable or disable the discussion feature, defaults to true
+		discussion = true
+
+		; preselect the discussion feature, defaults to false
+		opendiscussion = false
+
+		; enable or disable the display of dates & times in the comments, defaults to true
+		; Note that internally the creation time will still get tracked in order to sort
+		; the comments by creation time, but you can choose not to display them.
+		; discussiondatedisplay = false
+
+		; enable or disable the password feature, defaults to true
+		password = true
+
+		; enable or disable the file upload feature, defaults to false
+		fileupload = false
+
+		; preselect the burn-after-reading feature, defaults to false
+		burnafterreadingselected = false
+
+		; which display mode to preselect by default, defaults to "plaintext"
+		; make sure the value exists in [formatter_options]
+		defaultformatter = "plaintext"
+
+		; (optional) set a syntax highlighting theme, as found in css/prettify/
+		; syntaxhighlightingtheme = "sons-of-obsidian"
+
+		; size limit per paste or comment in bytes, defaults to 10 Mebibytes
+		sizelimit = 10485760
+
+		; template to include, default is "bootstrap" (tpl/bootstrap.php), also
+		; available are "page" (tpl/page.php), the classic ZeroBin style and several
+		; bootstrap variants: "bootstrap-dark", "bootstrap-compact", "bootstrap-page",
+		; which can be combined with "-dark" and "-compact" for "bootstrap-dark-page"
+		; and finally "bootstrap-compact-page" - previews at:
+		; https://privatebin.info/screenshots.html
+		template = "bootstrap"
+
+		; (optional) info text to display
+		; use single, instead of double quotes for HTML attributes
+		;info = "More information on the <a href='https://privatebin.info/'>project page</a>."
+
+		; (optional) notice to display
+		; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
+
+		; by default PrivateBin will guess the visitors language based on the browsers
+		; settings. Optionally you can enable the language selection menu, which uses
+		; a session cookie to store the choice until the browser is closed.
+		languageselection = false
+
+		; set the language your installs defaults to, defaults to English
+		; if this is set and language selection is disabled, this will be the only language
+		; languagedefault = "en"
+
+		; (optional) URL shortener address to offer after a new paste is created.
+		; It is suggested to only use this with self-hosted shorteners as this will leak
+		; the pastes encryption key.
+		; urlshortener = "https://shortener.example.com/api?link="
+
+		; (optional) Let users create a QR code for sharing the paste URL with one click.
+		; It works both when a new paste is created and when you view a paste.
+		; qrcode = true
+
+		; (optional) Let users send an email sharing the paste URL with one click.
+		; It works both when a new paste is created and when you view a paste.
+		; email = true
+
+		; (optional) IP based icons are a weak mechanism to detect if a comment was from
+		; a different user when the same username was used in a comment. It might get
+		; used to get the IP of a comment poster if the server salt is leaked and a
+		; SHA512 HMAC rainbow table is generated for all (relevant) IPs.
+		; Can be set to one these values:
+		; "none" / "identicon" (default) / "jdenticon" / "vizhash".
+		; icon = "none"
+
+		; Content Security Policy headers allow a website to restrict what sources are
+		; allowed to be accessed in its context. You need to change this if you added
+		; custom scripts from third-party domains to your templates, e.g. tracking
+		; scripts or run your site behind certain DDoS-protection services.
+		; Check the documentation at https://content-security-policy.com/
+		; Notes:
+		; - If you use any bootstrap theme, you can remove the allow-popups from the
+		;   sandbox restrictions.
+		; - If you use the bootstrap5 theme, you must change default-src to 'self' to
+		;   enable display of the svg icons
+		; - By default this disallows to load images from third-party servers, e.g. when
+		;   they are embedded in pastes. If you wish to allow that, you can adjust the
+		;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
+		;   for details.
+		; - The 'unsafe-eval' is used in two cases; to check if the browser supports
+		;   async functions and display an error if not and for Chrome to enable
+		;   webassembly support (used for zlib compression). You can remove it if Chrome
+		;   doesn't need to be supported and old browsers don't need to be warned.
+		; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+
+		; stay compatible with PrivateBin Alpha 0.19, less secure
+		; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+		; sha256 in HMAC for the deletion token
+		; zerobincompatibility = false
+
+		; Enable or disable the warning message when the site is served over an insecure
+		; connection (insecure HTTP instead of HTTPS), defaults to true.
+		; Secure transport methods like Tor and I2P domains are automatically whitelisted.
+		; It is **strongly discouraged** to disable this.
+		; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
+		; httpwarning = true
+
+		; Pick compression algorithm or disable it. Only applies to pastes/comments
+		; created after changing the setting.
+		; Can be set to one these values: "none" / "zlib" (default).
+		; compression = "zlib"
+
+		[expire]
+		; expire value that is selected per default
+		; make sure the value exists in [expire_options]
+		default = "1week"
+
+		[expire_options]
+		; Set each one of these to the number of seconds in the expiration period,
+		; or 0 if it should never expire
+		5min = 300
+		10min = 600
+		1hour = 3600
+		1day = 86400
+		1week = 604800
+		; Well this is not *exactly* one month, it's 30 days:
+		1month = 2592000
+		1year = 31536000
+		never = 0
+
+		[formatter_options]
+		; Set available formatters, their order and their labels
+		plaintext = "Plain Text"
+		syntaxhighlighting = "Source Code"
+		markdown = "Markdown"
+
+		[traffic]
+		; time limit between calls from the same IP address in seconds
+		; Set this to 0 to disable rate limiting.
+		limit = 10
+
+		; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
+		; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
+		; be exempted, the list needs to be comma separated. Leave unset to disable
+		; exemptions.
+		; exempted = "1.2.3.4,10.10.10/24"
+
+		; (optional) If you want only some source IP addresses (v4 or v6) or subnets
+		; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
+		; ignored. If multiple values are to be exempted, the list needs to be comma
+		; separated. Leave unset to allow anyone to create pastes.
+		; creators = "1.2.3.4,10.10.10/24"
+
+		; (optional) if your website runs behind a reverse proxy or load balancer,
+		; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+		; header = "X_FORWARDED_FOR"
+
+		[purge]
+		; minimum time limit between two purgings of expired pastes, it is only
+		; triggered when pastes are created
+		; Set this to 0 to run a purge every time a paste is created.
+		limit = 300
+
+		; maximum amount of expired pastes to delete in one purge
+		; Set this to 0 to disable purging. Set it higher, if you are running a large
+		; site
+		batchsize = 10
+
+		;[model]
+		; name of data model class to load and directory for storage
+		; the default model "Filesystem" stores everything in the filesystem
+		;class = Filesystem
+		;[model_options]
+		;dir = PATH "data"
+
+		;[model]
+		; example of a Google Cloud Storage configuration
+		;class = GoogleCloudStorage
+		;[model_options]
+		;bucket = "my-private-bin"
+		;prefix = "pastes"
+		;uniformacl = false
+
+		;[model]
+		; example of DB configuration for MySQL
+		;class = Database
+		;[model_options]
+		;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+		;tbl = "privatebin_"	; table prefix
+		;usr = "privatebin"
+		;pwd = "Z3r0P4ss"
+		;opt[12] = true	  ; PDO::ATTR_PERSISTENT
+
+		;[model]
+		; example of DB configuration for SQLite
+		;class = Database
+		;[model_options]
+		;dsn = "sqlite:" PATH "data/db.sq3"
+		;usr = null
+		;pwd = null
+		;opt[12] = true	; PDO::ATTR_PERSISTENT
+
+		[model]
+		; example of DB configuration for PostgreSQL
+		class = Database
+		[model_options]
+		dsn = "pgsql:host=10.1.0.3;dbname=privatebin"
+		tbl = "privatebin_"     ; table prefix
+		usr = "privatebin"
+		pwd = "privatebin"
+		opt[12] = true    ; PDO::ATTR_PERSISTENT
+
+		;[model]
+		; example of S3 configuration for Rados gateway / CEPH
+		;class = S3Storage
+		;[model_options]
+		;region = ""
+		;version = "2006-03-01"
+		;endpoint = "https://s3.my-ceph.invalid"
+		;use_path_style_endpoint = true
+		;bucket = "my-bucket"
+		;accesskey = "my-rados-user"
+		;secretkey = "my-rados-pass"
+
+		;[model]
+		; example of S3 configuration for AWS
+		;class = S3Storage
+		;[model_options]
+		;region = "eu-central-1"
+		;version = "latest"
+		;bucket = "my-bucket"
+		;accesskey = "access key id"
+		;secretkey = "secret access key"
+
+		;[model]
+		; example of S3 configuration for AWS using its SDK default credential provider chain
+		; if relying on environment variables, the AWS SDK will look for the following:
+		; - AWS_ACCESS_KEY_ID
+		; - AWS_SECRET_ACCESS_KEY
+		; - AWS_SESSION_TOKEN (if needed)
+		; for more details, see https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html#default-credential-chain
+		;class = S3Storage
+		;[model_options]
+		;region = "eu-central-1"
+		;version = "latest"
+		;bucket = "my-bucket"
+
+		[yourls]
+		; When using YOURLS as a "urlshortener" config item:
+		; - By default, "urlshortener" will point to the YOURLS API URL, with or without
+		;   credentials, and will be visible in public on the PrivateBin web page.
+		;   Only use this if you allow short URL creation without credentials.
+		; - Alternatively, using the parameters in this section ("signature" and
+		;   "apiurl"), "urlshortener" needs to point to the base URL of your PrivateBin
+		;   instance with "?shortenviayourls&link=" appended. For example:
+		;   urlshortener = "''${basepath}?shortenviayourls&link="
+		;   This URL will in turn call YOURLS on the server side, using the URL from
+		;   "apiurl" and the "access signature" from the "signature" parameters below.
+
+		; (optional) the "signature" (access key) issued by YOURLS for the using account
+		; signature = ""
+		; (optional) the URL of the YOURLS API, called to shorten a PrivateBin URL
+		; apiurl = "https://yourls.example.com/yourls-api.php"
+	'';
+}

container/pastebin/default.nix

@@ -0,0 +1,35 @@
+{ php, pkgs, util, ... } @args: let
+	cfg = pkgs.writeText "PrivateBinConfig" (import ./Config.nix args).text;
+in php.buildComposerProject (finalAttrs:  {
+	pname   = "PrivateBin";
+	version = "1.7.3";
+
+	src = pkgs.fetchFromGitHub {
+		owner = "PrivateBin";
+		repo  = "PrivateBin";
+		rev   = finalAttrs.version;
+		hash  = "sha256-9aTpLixvvyy3xTk8QQFj4rI6gFtElO4naPgTARtpo1k=";
+	};
+
+	vendorHash = "sha256-JGuO8kXLLXqq76EccdNSoHwYO5OuJT3Au1O2O2szAHI=";
+
+	installPhase = ''
+		runHook preInstall
+
+		mv $out/share/php/PrivateBin/* $out
+		rm -r $out/share
+
+		cp ${cfg} $out/cfg/conf.php
+
+		touch $out/.env
+		pushd $out
+
+		runHook postInstall
+	'';
+
+	postFixup = ''
+		substituteInPlace $out/index.php --replace-fail \
+			"define('PATH', ''')" \
+			"define('PATH', '$out/')"
+	'';
+})

container/proxy/host/Paste.nix

@@ -0,0 +1,20 @@
+{ domain, util, mkServer, ... }: {
+	"paste.${domain}" = mkServer {
+		extraConfig = util.trimTabs ''
+			listen 443 ssl;
+			set $paste 10.1.0.14:80;
+
+			location = / {
+				return 403;
+			}
+			location / {
+				proxy_pass http://$paste$request_uri;
+			}
+
+			ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
+			ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
+			include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+			ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+		'';
+	};
+}

host/desktop/Container.nix

@@ -0,0 +1,46 @@
+{ pkgs, const, lib, config, util, ... }: let
+	args = let
+		storage = "/storage/hot/container";
+		domain  = "local";
+		host    = "192.168.1.3";
+	in {
+		inherit storage domain host pkgs const lib config util;
+
+		mkContainer = cfg: lib.recursiveUpdate cfg {
+			hostAddress = host;
+		};
+
+		mkContainerConfig = cfg: lib.recursiveUpdate cfg {
+			system.stateVersion = const.stateVersion;
+
+			users.users.root.password = "";
+			users.mutableUsers = false;
+
+			networking = {
+				useHostResolvConf = lib.mkForce false;
+				firewall.enable = false;
+			};
+		};
+
+		mkServer = cfg: lib.recursiveUpdate cfg {
+			forceSSL = false;
+		};
+	};
+in {
+	networking.nat = {
+		enable = true;
+		internalInterfaces = [ "ve-+" ];
+		externalInterface = "enp4s0";
+	};
+
+	# NOTE: Remove this.
+	networking.extraHosts = ''
+		10.1.0.2 paste.local
+	'';
+
+	imports = [
+		(import ../../container/Paste.nix args)
+		(import ../../container/Postgres.nix args)
+		(import ../../container/Proxy.nix args)
+	];
+}

host/desktop/default.nix

@@ -1,5 +1,6 @@
 { ... }: {
 	imports = [
+		./Container.nix
 		./Filesystem.nix
 	];
 }

host/work/Container.nix

@@ -0,0 +1,25 @@
+{ pkgs, const, lib, config, util, ... }: let
+	args = let
+		storage = "/tmp/container";
+		domain  = "local";
+		host    = "192.168.0.174";
+	in {
+		inherit storage domain host pkgs const lib config util;
+	};
+in {
+	networking.nat = {
+		enable = true;
+		internalInterfaces = [ "ve-+" ];
+		externalInterface = "enp4s0";
+	};
+
+	# NOTE: Remove this.
+	networking.extraHosts = ''
+		10.1.0.2 paste.local
+	'';
+
+	imports = [
+		(import ../../container/Paste.nix args)
+		(import ../../container/Proxy.nix args)
+	];
+}

host/work/default.nix

@@ -1,5 +1,6 @@
 { lib, ... }: {
 	imports = [
+		./Container.nix
 		./Fprint.nix
 	];
 

module/common/Kernel.nix

@@ -3,24 +3,24 @@
 	boot.kernelPackages = pkgs.linuxPackages_latest;
 
 	boot.kernel.sysctl = {
-		# Spoof protection.
+	# 	# Spoof protection.
-		"net.ipv4.conf.default.rp_filter" = 1;
+	# 	"net.ipv4.conf.default.rp_filter" = 1;
-		"net.ipv4.conf.all.rp_filter"     = 1;
+	# 	"net.ipv4.conf.all.rp_filter"     = 1;
 
-		# Packet forwarding.
+	# 	# Packet forwarding.
-		"net.ipv4.ip_forward" = 1;
+	# 	"net.ipv4.ip_forward" = 1;
-		# "net.ipv6.conf.all.forwarding" = 1;
+	# 	# "net.ipv6.conf.all.forwarding" = 1;
 
-		# MITM protection.
+	# 	# MITM protection.
-		"net.ipv4.conf.all.accept_redirects" = 0;
+	# 	"net.ipv4.conf.all.accept_redirects" = 0;
-		"net.ipv6.conf.all.accept_redirects" = 0;
+	# 	"net.ipv6.conf.all.accept_redirects" = 0;
 
-		# Do not send ICMP redirects (we are not a router).
+	# 	# Do not send ICMP redirects (we are not a router).
-		"net.ipv4.conf.all.send_redirects" = 0;
+	# 	"net.ipv4.conf.all.send_redirects" = 0;
 
-		# Do not accept IP source route packets (we are not a router).
+	# 	# Do not accept IP source route packets (we are not a router).
-		"net.ipv4.conf.all.accept_source_route" = 0;
+	# 	"net.ipv4.conf.all.accept_source_route" = 0;
-		"net.ipv6.conf.all.accept_source_route" = 0;
+	# 	"net.ipv6.conf.all.accept_source_route" = 0;
 
 		# Allow sysrq.
 		"kernel.sysrq" = 1;
@@ -36,23 +36,23 @@
 		"kernel.core_uses_pid" = 1;
 		"kernel.kptr_restrict" = 2;
 
-		# IP hardening.
+	# 	# IP hardening.
-		"net.ipv4.conf.all.log_martians"            = 1;
+	# 	"net.ipv4.conf.all.log_martians"            = 1;
-		"net.ipv4.conf.default.accept_redirects"    = 0;
+	# 	"net.ipv4.conf.default.accept_redirects"    = 0;
-		"net.ipv4.conf.default.accept_source_route" = 0;
+	# 	"net.ipv4.conf.default.accept_source_route" = 0;
-		"net.ipv4.conf.default.log_martians"        = 0;
+	# 	"net.ipv4.conf.default.log_martians"        = 0;
-		"net.ipv4.tcp_timestamps"                   = 0;
+	# 	"net.ipv4.tcp_timestamps"                   = 0;
-		"net.ipv6.conf.default.accept_redirects"    = 0;
+	# 	"net.ipv6.conf.default.accept_redirects"    = 0;
 
 		# Increase file watchers.
 		"fs.inotify.max_user_instances" = 999999;
 		"fs.inotify.max_user_watches"   = 999999;
 		"fs.inotify.max_user_event"     = 999999;
 
-		# Disable ipv6.
+	# 	# Disable ipv6.
-		"net.ipv6.conf.all.disable_ipv6"     = 1;
+	# 	"net.ipv6.conf.all.disable_ipv6"     = 1;
-		"net.ipv6.conf.default.disable_ipv6" = 1;
+	# 	"net.ipv6.conf.default.disable_ipv6" = 1;
-		"net.ipv6.conf.lo.disable_ipv6"      = 1;
+	# 	"net.ipv6.conf.lo.disable_ipv6"      = 1;
-		"net.ipv6.conf.eth0.disable_ipv6"    = 1;
+	# 	"net.ipv6.conf.eth0.disable_ipv6"    = 1;
 	};
 }

module/common/httptoolkit/default.nix

@@ -0,0 +1,56 @@
+# Apple San Francisco and New York fonts.
+# They are not available in Nixpkgs repo, so this script
+# downloads the fonts from Apple website and adds them to Nix store.
+{ lib, stdenv, fetchurl, pkgs }: stdenv.mkDerivation {
+	pname   = "httptoolkit";
+	version = "1.15.0";
+
+	src = fetchurl {
+		url  = "https://github.com/httptoolkit/httptoolkit-desktop/releases/download/v1.15.0/HttpToolkit-linux-x64-1.15.0.zip";
+		hash = "sha256-wb4is5IX1/Sjea4tggFP48snAx7+Bp4ux+306xFBMtM=";
+	};
+
+	nativeBuildInputs = with pkgs; [
+		autoPatchelfHook
+		unzip
+	];
+
+	sourceRoot = ".";
+
+	buildInputs = with pkgs; [
+		alsa-lib
+		atk
+		cairo
+		cups
+		dbus
+		expat
+		glib
+		gtk3
+		libGL
+		libxkbcommon
+		mesa
+		nss
+		pango
+		playwright
+		xorg.libXcomposite
+		xorg.libXrandr
+		xorg.libxcb
+	];
+
+	preBuild = ''
+		addAutoPatchelfSearchPath .
+	'';
+
+	installPhase = ''
+		runHook preInstall
+		mkdir -p $out/bin
+		cp -r * $out/bin
+		install -m755 -D httptoolkit $out/bin
+		runHook postInstall
+	'';
+
+	meta = with lib; {
+		homapage = "https://github.com/httptoolkit/httptoolkit-desktop";
+		platform = platforms.linux;
+	};
+}