fix: bypass router

This commit is contained in:
Ryan Yin
2024-02-16 11:41:37 +08:00
parent 7cbff9ef3b
commit ae238d401d
28 changed files with 891 additions and 439 deletions


@@ -112,16 +112,16 @@ tailscale_gw:
pve-image:
nom build .#tailscale_gw
rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
nom build .#aquamarine
rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
nom build .#ruby
rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
nom build .#kana
rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
############################################################################


@@ -140,7 +140,7 @@ nom build .#aquamarine # `nom`(nix-output-monitor) can be replaced by the stand
# 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump`
# please replace the vma file name with the one you generated in step 1.
rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
# 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now.
```

413
flake.lock generated

@@ -94,6 +94,28 @@
"type": "github"
}
},
"daeuniverse": {
"inputs": {
"flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs",
"pnpm2nix": "pnpm2nix",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1708006709,
"narHash": "sha256-5WSBOUuYtPfpCL0v5scEVRis1qjv1haL3tmwM/LJPT8=",
"owner": "daeuniverse",
"repo": "flake.nix",
"rev": "5bb02d49a4ec48019758cf3893a6f614d307df0b",
"type": "github"
},
"original": {
"owner": "daeuniverse",
"ref": "unstable",
"repo": "flake.nix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@@ -133,6 +155,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@@ -148,7 +186,7 @@
"type": "github"
}
},
"flake-compat_2": {
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@@ -186,6 +224,23 @@
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1706830856,
"narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
"type": "github"
},
"original": {
"id": "flake-parts",
"type": "indirect"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
@@ -206,9 +261,9 @@
"type": "github"
}
},
"flake-parts_3": {
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1706830856,
@@ -226,14 +281,14 @@
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
"systems": "systems"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github"
},
"original": {
@@ -244,7 +299,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
"systems": "systems_2"
},
"locked": {
"lastModified": 1701680307,
@@ -296,7 +351,65 @@
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_6"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_6": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"daeuniverse",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703887061,
"narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
@@ -318,7 +431,7 @@
"type": "github"
}
},
"gitignore_2": {
"gitignore_3": {
"inputs": {
"nixpkgs": [
"nixos-rk3588",
@@ -340,7 +453,7 @@
"type": "github"
}
},
"gitignore_3": {
"gitignore_4": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
@@ -409,7 +522,7 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems",
"systems": "systems_3",
"wlroots": "wlroots",
"xdph": "xdph"
},
@@ -471,9 +584,9 @@
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts_2",
"flake-utils": "flake-utils",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_3",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
],
@@ -515,10 +628,10 @@
"mysecrets": {
"flake": false,
"locked": {
"lastModified": 1707067920,
"narHash": "sha256-unTHx5LgbzIa3flAgiwxaYD/BPssYfCWCZhK30njLXs=",
"lastModified": 1708107208,
"narHash": "sha256-v2ugfiX05Kv+z1E1iO/nYiFj540V9SGES5JPAeLVu5M=",
"ref": "refs/heads/main",
"rev": "2fc5c6615c2a9216dc863b8adfb69f100b7788fb",
"rev": "57e9a6dab2d3e1702354ff4862afe9b48ed31e07",
"shallow": true,
"type": "git",
"url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
@@ -551,8 +664,8 @@
},
"nix-gaming": {
"inputs": {
"flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs"
"flake-parts": "flake-parts_4",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1707614138,
@@ -622,7 +735,7 @@
},
"nixos-licheepi4a": {
"inputs": {
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"thead-kernel": "thead-kernel"
},
"locked": {
@@ -641,10 +754,10 @@
},
"nixos-rk3588": {
"inputs": {
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils_4",
"mesa-panfork": "mesa-panfork",
"nixpkgs": "nixpkgs_3",
"pre-commit-hooks": "pre-commit-hooks"
"nixpkgs": "nixpkgs_4",
"pre-commit-hooks": "pre-commit-hooks_2"
},
"locked": {
"lastModified": 1703010942,
@@ -662,16 +775,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1707451808,
"narHash": "sha256-UwDBUNHNRsYKFJzyTMVMTF5qS4xeJlWoeyJf+6vvamU=",
"lastModified": 1706732774,
"narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "442d407992384ed9c0e6d352de75b69079904e4e",
"rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@@ -710,7 +823,41 @@
"type": "github"
}
},
"nixpkgs-lib_2": {
"locked": {
"dir": "lib",
"lastModified": 1706550542,
"narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1704874635,
"narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
@@ -726,7 +873,7 @@
"type": "github"
}
},
"nixpkgs-stable_2": {
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1707786466,
"narHash": "sha256-yLPfrmW87M2qt+8bAmwopJawa+MJLh3M9rUbXtpUc1o=",
@@ -742,7 +889,7 @@
"type": "github"
}
},
"nixpkgs-stable_3": {
"nixpkgs-stable_4": {
"locked": {
"lastModified": 1704874635,
"narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=",
@@ -775,6 +922,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1707451808,
"narHash": "sha256-UwDBUNHNRsYKFJzyTMVMTF5qS4xeJlWoeyJf+6vvamU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "442d407992384ed9c0e6d352de75b69079904e4e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1691280485,
"narHash": "sha256-/8Ct9092OC1TTNzHgbcE9ejQdS2QxZYGqrWXEwUxdtQ=",
@@ -790,7 +953,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1691486536,
"narHash": "sha256-W2jYTn6rNiJEpjXkOiZxNltgxxwgeZE5cQ967NgsrHU=",
@@ -806,7 +969,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1707956935,
"narHash": "sha256-ZL2TrjVsiFNKOYwYQozpbvQSwvtV/3Me7Zwhmdsfyu4=",
@@ -822,7 +985,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1701436327,
"narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=",
@@ -836,7 +999,7 @@
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz"
}
},
"nixpkgs_6": {
"nixpkgs_7": {
"locked": {
"lastModified": 1702921762,
"narHash": "sha256-O/rP7gulApQAB47u6szEd8Pn8Biw0d84j5iuP2tcxzY=",
@@ -854,7 +1017,7 @@
},
"nuenv": {
"inputs": {
"nixpkgs": "nixpkgs_5",
"nixpkgs": "nixpkgs_6",
"rust-overlay": "rust-overlay_2"
},
"locked": {
@@ -873,7 +1036,7 @@
},
"nur-ryan4yin": {
"inputs": {
"nixpkgs": "nixpkgs_6"
"nixpkgs": "nixpkgs_7"
},
"locked": {
"lastModified": 1705366605,
@@ -889,6 +1052,28 @@
"type": "github"
}
},
"pnpm2nix": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"daeuniverse",
"nixpkgs"
]
},
"locked": {
"lastModified": 1691661013,
"narHash": "sha256-m7dhwjnDw2U7PDUatHcVJXd8wrDLpIGlQac0im6+0fk=",
"owner": "Ninlives",
"repo": "pnpm2nix",
"rev": "86f8995bbe56a66459b6ca2f790db6272c616e39",
"type": "github"
},
"original": {
"owner": "Ninlives",
"repo": "pnpm2nix",
"type": "github"
}
},
"polybar-themes": {
"flake": false,
"locked": {
@@ -906,6 +1091,62 @@
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_2",
"gitignore": "gitignore",
"nixpkgs": [
"daeuniverse",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1706424699,
"narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": {
"inputs": {
"flake-compat": [
"nixos-rk3588"
@@ -914,7 +1155,7 @@
"nixos-rk3588",
"flake-utils"
],
"gitignore": "gitignore_2",
"gitignore": "gitignore_3",
"nixpkgs": [
"nixos-rk3588",
"nixpkgs"
@@ -938,46 +1179,15 @@
"type": "github"
}
},
"pre-commit-hooks-nix": {
"pre-commit-hooks_3": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_4",
"gitignore": "gitignore_3",
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_6",
"gitignore": "gitignore_4",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_3"
"nixpkgs-stable": "nixpkgs-stable_4"
},
"locked": {
"lastModified": 1707297608,
@@ -998,6 +1208,7 @@
"agenix": "agenix",
"anyrun": "anyrun",
"astronvim": "astronvim",
"daeuniverse": "daeuniverse",
"doomemacs": "doomemacs",
"home-manager": "home-manager_2",
"hyprland": "hyprland",
@@ -1010,14 +1221,14 @@
"nixos-hardware": "nixos-hardware",
"nixos-licheepi4a": "nixos-licheepi4a",
"nixos-rk3588": "nixos-rk3588",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_5",
"nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-stable": "nixpkgs-stable_2",
"nixpkgs-stable": "nixpkgs-stable_3",
"nixpkgs-unstable": "nixpkgs-unstable",
"nuenv": "nuenv",
"nur-ryan4yin": "nur-ryan4yin",
"polybar-themes": "polybar-themes",
"pre-commit-hooks": "pre-commit-hooks_2",
"pre-commit-hooks": "pre-commit-hooks_3",
"wallpapers": "wallpapers"
}
},
@@ -1048,7 +1259,7 @@
},
"rust-overlay_2": {
"inputs": {
"flake-utils": "flake-utils_3",
"flake-utils": "flake-utils_5",
"nixpkgs": [
"nuenv",
"nixpkgs"
@@ -1070,16 +1281,16 @@
},
"systems": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"repo": "default",
"type": "github"
}
},
@@ -1100,16 +1311,16 @@
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"repo": "default-linux",
"type": "github"
}
},
@@ -1143,6 +1354,36 @@
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"thead-kernel": {
"flake": false,
"locked": {


@@ -164,7 +164,7 @@
nuenv.url = "github:DeterminateSystems/nuenv";
daeuniverse.url = "github:daeuniverse/flake.nix";
daeuniverse.url = "github:daeuniverse/flake.nix/unstable";
######################## Some non-flake repositories #########################################


@@ -4,46 +4,13 @@
...
}: {
home.packages = with pkgs; [
neofetch
# networking tools
mtr # A network diagnostic tool
iperf3
dnsutils # `dig` + `nslookup`
ldns # replacement of `dig`, it provide the command `drill`
aria2 # A lightweight multi-protocol & multi-source command-line download utility
socat # replacement of openbsd-netcat
nmap # A utility for network discovery and security auditing
ipcalc # it is a calculator for the IPv4/v6 addresses
# archives
zip
xz
unzip
p7zip
# misc
# Misc
tldr
cowsay
file
findutils
which
tree
gnutar
zstd
gnupg
rsync
# Text Processing
# Docs: https://github.com/learnbyexample/Command-line-text-processing
gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
gnused # GNU sed, very powerful(mainly for replacing text in files)
gnumake
gawk # GNU awk, a pattern scanning and processing language
jq # A lightweight and flexible command-line JSON processor
# morden cli tools, replacement of grep/sed/...
# Morden cli tools, replacement of grep/sed/...
# Interactively filter its input using fuzzy searching, not limit to filenames.
fzf


@@ -1,29 +1,9 @@
{pkgs, ...}: {
# Linux Only Packages, not available on Darwin
home.packages = with pkgs; [
nmon
iotop
iftop
# misc
libnotify
wireguard-tools # manage wireguard vpn manually, via wg-quick
# system call monitoring
strace # system call monitoring
ltrace # library call monitoring
bpftrace # powerful tracing tool
tcpdump # network sniffer
lsof # list open files
# system tools
sysstat
lm_sensors # for `sensors` command
ethtool
pciutils # lspci
usbutils # lsusb
hdparm # for disk performance, command
dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
];
# auto mount usb drives


@@ -21,7 +21,7 @@ in {
./impermanence.nix
];
boot.kernelModules = ["kvm-amd" "kvm-intel"];
boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {


@@ -10,6 +10,7 @@ let
in {
imports = [
./tailscale.nix
./proxy.nix
];
# supported file systems, so we can mount any removable disks with these filesystems


@@ -0,0 +1,31 @@
{
# dae(running on aquamarine) do not provides http/socks5 proxy server, so we use v2ray here.
# https://github.com/v2fly
services.v2ray = {
enable = true;
config = {
inbounds = [
{
listen = "0.0.0.0";
port = 7890;
protocol = "http";
}
{
listen = "0.0.0.0";
port = 7891;
protocol = "socks";
settings = {
auth = "noauth";
udp = true;
};
}
];
outbounds = [
{
protocol = "freedom";
tag = "freedom";
}
];
};
};
}
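Review bot: Both v2ray inbounds are unauthenticated and bound to `0.0.0.0`: the `http` inbound has no `settings.accounts` and the `socks` inbound sets `auth = "noauth"` with `udp = true`, so any host that can reach ports 7890/7891 gets an open forward proxy through this machine's `freedom` outbound. Whether that is only the LAN depends on the NixOS firewall, which this file does not configure; if `networking.firewall` is disabled on this host or these ports are opened, the exposure extends to whatever else routes to it. Consider binding `listen` to the LAN or tailscale address instead of `0.0.0.0`, or adding `settings.accounts` (sourced from an age secret) to the http inbound and `auth = "password"` plus `accounts` on the socks inbound. At minimum, record the assumption in the file with a comment such as `# LAN-only open proxy: no auth, must never be reachable from WAN/tailscale`.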


@@ -17,11 +17,6 @@ in {
./secureboot.nix
];
# set http proxy for nix-daemon
systemd.services.nix-daemon.environment = {
https_proxy = "http://192.168.5.201:7890";
};
networking = {
inherit hostName;
inherit (vars_networking) defaultGateway nameservers;


@@ -1,6 +1,17 @@
# Idols - Aquamarine
TODO: use aqua as a passby router(IPv4 only) to access the global internet.
Use aqua as a passby router(IPv4 only) to access the global internet.
## Troubleshooting
### DNS cannot be resolved
1. `sudo systemctl stop dae`, then try to resolve the domain name again.
- If it works, the problem is caused by `dae` service.
- check dae's log by `sudo journalctl -u dae`
1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`.
## References


@@ -1,3 +1,10 @@
# https://github.com/daeuniverse/dae/discussions/81
# https://github.com/daeuniverse/dae/blob/main/example.dae
# load all dae files placed in ./config.d/
include {
config.d/*.dae
}
global {
##### Software options.
@@ -14,7 +21,7 @@ global {
so_mark_from_dae: 0
# Log level: error, warn, info, debug, trace.
log_level: info
log_level: debug
# Disable waiting for network before pulling subscriptions.
disable_waiting_network: false
@@ -24,11 +31,12 @@ global {
# The LAN interface to bind. Use it if you want to proxy LAN.
# Multiple interfaces split by ",".
lan_interface: ens18
lan_interface: br-lan
# The WAN interface to bind. Use it if you want to proxy localhost.
# Multiple interfaces split by ",". Use "auto" to auto detect.
wan_interface: auto
# bypass router has no WAN interface, so comment it.
# wan_interface: auto
# Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
@@ -37,7 +45,7 @@ global {
# Automatically configure firewall rules like firewalld and fw4.
# firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
# fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
auto_config_firewall_rule: true
auto_config_firewall_rule: false
##### Node connectivity check.
@@ -98,30 +106,11 @@ global {
utls_imitate: chrome_auto
}
# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
subscription {
# Add your subscription links(or files that contains the link) here.
'file://dae-mysubscription-1.sub' # the path is related to /etc/dae/
'file://dae-mysubscription-2.sub'
}
# Nodes defined here will be merged as a part of the global node pool.
node {
# Add your node links here.
# Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
# Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
# mylink: 'ss://LINK'
# node1: 'vmess://LINK'
# node2: 'vless://LINK'
# chains: 'tuic://LINK -> vmess://LINK'
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
dns {
# For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
# respond to type A queries and response empty answer to type AAAA queries.
#ipversion_prefer: 4
ipversion_prefer: 4
# Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
# for these domains.
@@ -137,8 +126,8 @@ dns {
# Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
# If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
alidns: 'udp://dns.alidns.com:53'
googledns: 'tcp+udp://dns.google.com:53'
alidns: 'udp://223.5.5.5:53'
googledns: 'tcp+udp://8.8.8.8:53'
}
routing {
# According to the request of dns query, decide to use which DNS upstream.
@@ -148,60 +137,91 @@ dns {
qname(geosite:cn) -> alidns
# fallback is also called default.
fallback: googledns
# other custom rules
qname(geosite:category-ads) -> reject
qname(geosite:category-ads-all) -> reject
qtype(aaaa) -> reject
qname(regex: '.+\.linkedin$') -> googledns
}
# According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
# Match rules from top to bottom.
response {
# Trusted upstream. Always accept its result.
upstream(googledns) -> accept
# Possibly polluted(domain resolved to a private ip), re-lookup using googledns.
ip(geoip:private) && !qname(geosite:cn) -> googledns
fallback: accept
}
}
# routing {
# # According to the request of dns query, decide to use which DNS upstream.
# # Match rules from top to bottom.
# request {
# # fallback is also called default.
# fallback: alidns
# }
# # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
# # Match rules from top to bottom.
# response {
# # Trusted upstream. Always accept its result.
# upstream(googledns) -> accept
# # Possibly polluted, re-lookup using googledns.
# ip(geoip:private) && !qname(geosite:cn) -> googledns
# # fallback is also called default.
# fallback: accept
# }
# }
}
# Node group (outbound).
group {
my_group {
# No filter. Use all nodes.
# Randomly select a node from the group for every connection.
#policy: random
# Select the first node from the group for every connection.
#policy: fixed(0)
# Select the node with min last latency from the group for every connection.
#policy: min
# Select the node with min moving average of latencies from the group for every connection.
policy: min_moving_avg
}
group2 {
# Filter nodes from the global node pool defined by the subscription and node section above.
#filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
# Filter nodes from the global node pool defined by tag.
#filter: name(node1, node2)
proxy {
filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
# Filter nodes and give a fixed latency offset to archive latency-based failover.
# In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
filter: name(HK_node)
filter: name(US_node) [add_latency: -500ms]
filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
filter: name(keyword: '英国') [add_latency: -300ms]
filter: name(keyword: 'Japan') [add_latency: 300ms]
filter: name(keyword: '日本') [add_latency: 300ms]
# Other filters:
# Filter nodes from the global node pool defined by the subscription and node section above.
# filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
# Filter nodes from the global node pool defined by tag.
# filter: name('node_a','node_b')
# Select the node with min average of the last 10 latencies from the group for every connection.
policy: min_avg10
# Other policies:
# random - Randomly select a node from the group for every connection.
# fixed(0) - Select the first node from the group for every connection.
# min - Select the node with min last latency from the group for every connection.
# min_moving_avg - Select the node with min moving average of latencies from the group for every connection.
}
media {
filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
filter: name(keyword: '英国') [add_latency: -300ms]
filter: name(keyword: 'Japan') [add_latency: 300ms]
filter: name(keyword: '日本') [add_latency: 300ms]
policy: min_avg10
}
sg {
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
policy: min_avg10
}
usa {
filter: name(keyword: 'USA')
filter: name(keyword: '美国')
policy: min_avg10
}
uk {
filter: name(keyword: 'UK')
filter: name(keyword: '英国')
filter: name(keyword: '美国')
policy: min_avg10
}
}
@@ -212,6 +232,7 @@ routing {
# Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
# WAN.
pname(NetworkManager) -> direct
pname(systemd-networkd) -> direct
# Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
# forwarded by the proxy.
@@ -222,12 +243,75 @@ routing {
# private addresses in your proxy host network, modify the below line.
dip(geoip:private) -> direct
### Write your rules below.
# --- Core rules ---#
# Disable h3 because it usually consumes too much cpu/mem resources.
# Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
l4proto(udp) && dport(443) -> block
# Direct access to all Chinese mainland-related IP addresses
dip(geoip:cn) -> direct
domain(geosite:cn) -> direct
fallback: my_group
# Use HK to access all other foreign sites
domain(geosite:geolocation-!cn) -> proxy
!dip(geoip:cn) -> proxy
# Block ads
domain(geosite:category-ads) -> block
domain(geosite:category-ads-all) -> block
# DNS
dip(8.8.8.8, 8.8.4.4) -> proxy
dip(223.5.5.5, 223.6.6.6) -> direct
domain(full:dns.alidns.com) -> direct
domain(full:dns.googledns.com) -> proxy
domain(full:dns.opendns.com) -> proxy
# --- Rules for other commonly used sites ---#
# Access github.com via UK's proxies
domain(geosite:github) -> uk
### OpenAI
domain(geosite:openai) -> sg
domain(regex:'.+\.openai$') -> sg
### Media
domain(geosite:netflix) -> media
### Proxy
domain(suffix: linkedin.com) -> proxy
domain(keyword:'linkedin') -> proxy
domain(regex:'.+\.linkedin\.com$') -> proxy
domain(regex:'.+\.quay\.io$') -> proxy
domain(regex:'.+\.notion\.so$') -> proxy
domain(regex:'.+\.amazon\.com$') -> proxy
domain(regex:'.+\.oracle\.com$') -> proxy
domain(regex:'.+\.docker\.com$') -> proxy
domain(regex:'.+\.kubernetes\.io$') -> proxy
domain(geosite:microsoft) -> proxy
domain(geosite:linkedin) -> proxy
domain(geosite:twitter) -> proxy
domain(geosite:telegram) -> proxy
domain(geosite:google) -> proxy
domain(geosite:apple) -> proxy
domain(geosite:category-container) -> proxy
domain(geosite:category-dev) -> proxy
domain(geosite:google-scholar) -> proxy
domain(geosite:category-scholar-!cn) -> proxy
### Direct
domain(regex:'.+\.edu\.cn$') -> proxy
domain(keyword:'baidu') -> direct
domain(keyword:'bilibili') -> direct
domain(keyword:'taobao') -> direct
domain(keyword:'alibabadns') -> direct
domain(keyword:'alicdn') -> direct
domain(keyword:'tbcache') -> direct
domain(keyword:'zhihu') -> direct
domain(keyword:'douyu') -> direct
domain(geosite:cloudflare-cn) -> direct
fallback: direct
}
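Review bot: In the routing block, `!dip(geoip:cn) -> proxy` sits near the top of the custom rules, and since dae evaluates rules top to bottom with first match winning (as the comments in the `dns.routing` section of this file state), every connection to a non-CN destination address matches it before the more specific rules further down, so `domain(geosite:github) -> uk`, `domain(geosite:openai) -> sg` and `domain(geosite:netflix) -> media` will likely never fire. Moving that line to just above `fallback: direct` (or dropping it and letting the fallback decide) would let the per-site groups take effect. Separately, the `uk` group's third filter is `filter: name(keyword: '美国')` (USA), which looks like a copy-paste from the `usa` group and would mix US nodes into the UK pool; `filter: name(keyword: '英国')` is presumably intended. Also `domain(full:dns.googledns.com) -> proxy` does not match the hostname the old upstream line used (`dns.google.com`), so that rule is probably dead as written.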


@@ -1,9 +1,14 @@
{
config,
pkgs,
daeuniverse,
...
}:
# https://github.com/daeuniverse/flake.nix
{
let
daeConfigPath = "/etc/dae/config.dae";
subscriptionConfigPath = "/etc/dae/config.d/subscription.dae";
in {
imports = [
daeuniverse.nixosModules.dae
daeuniverse.nixosModules.daed
@@ -12,9 +17,9 @@
# dae - eBPF-based Linux high-performance transparent proxy.
services.dae = {
enable = true;
package = pkgs.dae;
package = daeuniverse.packages.${pkgs.system}.dae;
disableTxChecksumIpGeneric = false;
configFile = ./bypass-router.dae;
configFile = daeConfigPath;
assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
# alternatively, specify assets dir
# assetsPath = "/etc/dae";
@@ -24,15 +29,29 @@
};
};
# daed, a modern web dashboard for dae.
services.daed = {
enable = true;
package = pkgs.daed;
configdir = "/etc/daed";
listen = "0.0.0.0:9090";
openfirewall = {
enable = true;
port = 9090;
};
};
# dae supports two types of subscriptions: base64 encoded proxies, and sip008.
# subscription can be a url return the subscription, or a file path that contains the subscription.
#
# Nix decrypt and merge my dae's base config and subscription config here.
# the subscription config is something like:
# ```
# subscription {
# 'https://www.example.com/subscription/link'
# 'https://example.com/no_tag_link'
# }
# node {
# # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity
# node_a: 'trojan://'
# node_b: 'trojan://'
# node_c: 'vless://'
# node_d: 'vless://'
# node_e: 'vmess://'
# node_f: 'tuic://'
# node_h: 'juicity://'
# }
# ```
system.activationScripts.installDaeConfig = ''
install -Dm 600 ${./config.dae} ${daeConfigPath}
install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath}
'';
}
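Review bot: `system.activationScripts.installDaeConfig` is declared as a bare string, so it has no explicit ordering dependency on the agenix activation script that decrypts `config.age.secrets."dae-subscription.dae"`; without `deps`, NixOS orders activation scripts only by attribute-name sort, which happens to put agenix first today but is fragile and will fail `install` with a missing source file if that ever changes. Declaring it as `{ deps = [ "agenix" ]; text = ''...''; }` (the script name agenix registers may be `agenixInstall` depending on the module version — check before relying on it) pins the order. The `0600` modes are appropriate since the subscription file carries node credentials, but note that `include { config.d/*.dae }` in config.dae makes dae load any file dropped into `/etc/dae/config.d/`, so a comment such as `# /etc/dae/config.d must stay root-owned: dae includes every *.dae found there` would help the next maintainer. The enclosing module attribute set starts before this hunk.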


@@ -6,40 +6,28 @@
#############################################################
let
hostName = "aquamarine"; # Define your hostname.
hostAddress = vars_networking.hostAddress.${hostName};
in {
imports = [
./router.nix
./dae.nix
];
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
"btrfs"
"xfs"
#"zfs"
"ntfs"
"fat"
"vfat"
"exfat"
"cifs" # mount windows share
];
boot.kernelModules = ["kvm-amd" "kvm-intel"];
boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {
inherit hostName;
inherit (vars_networking) defaultGateway nameservers;
networkmanager.enable = false;
interfaces.ens18 = {
useDHCP = false;
ipv4.addresses = [hostAddress];
};
inherit (vars_networking) nameservers;
};
# This value determines the NixOS release from which the default



@@ -23,7 +23,7 @@ in {
"cifs" # mount windows share
];
boot.kernelModules = ["kvm-amd" "kvm-intel"];
boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {

View File

@@ -1,6 +1,6 @@
# Idols - Ruby
TODO: use kana for backup / sync my personal data.
TODO: use ruby for backup / sync my personal data.
For safety, those data should be encrypted before sending to the cloud or my NAS.
1. restic: Backup file from homelab to NAS, or from NAS to Cloud

View File

@@ -27,7 +27,7 @@ in {
"cifs" # mount windows share
];
boot.kernelModules = ["kvm-amd" "kvm-intel"];
boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {

View File

@@ -60,15 +60,57 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
parted
psmisc # killall/pstree/prtstat/fuser/...
neofetch
neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
curl
aria2
git # used by nix flakes
git-lfs # used by huggingface models
# archives
zip
xz
zstd
unzip
p7zip
# Text Processing
# Docs: https://github.com/learnbyexample/Command-line-text-processing
gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
gnused # GNU sed, very powerful(mainly for replacing text in files)
gawk # GNU awk, a pattern scanning and processing language
jq # A lightweight and flexible command-line JSON processor
# system call monitoring
strace # system call monitoring
ltrace # library call monitoring
bpftrace # powerful tracing tool
tcpdump # network sniffer
lsof # list open files
# system monitoring
sysstat
iotop
iftop
btop
nmon
# system tools
psmisc # killall/pstree/prtstat/fuser/...
lm_sensors # for `sensors` command
ethtool
pciutils # lspci
usbutils # lsusb
hdparm # for disk performance, command
dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
parted
# misc
file
findutils
which
tree
gnutar
rsync
# create a fhs environment by command `fhs`, so we can run non-nixos packages in nixos!
(
let

View File

@@ -1,8 +1,23 @@
{
lib,
pkgs,
vars_networking,
...
}: {
environment.systemPackages = with pkgs; [
# networking tools
mtr # A network diagnostic tool
iperf3
dnsutils # `dig` + `nslookup`
ldns # replacement of `dig`, it provide the command `drill`
wget
curl
aria2 # A lightweight multi-protocol & multi-source command-line download utility
socat # replacement of openbsd-netcat
nmap # A utility for network discovery and security auditing
ipcalc # it is a calculator for the IPv4/v6 addresses
];
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.

View File

@@ -1,25 +0,0 @@
{pkgs, ...}: {
###################################################################################
#
# Virtualisation - Libvirt(QEMU/KVM) / Docker / LXD / WayDroid
#
###################################################################################
virtualisation = {
docker = {
enable = true;
daemon.settings = {
# enables pulling using containerd, which supports restarting from a partial pull
# https://docs.docker.com/storage/containerd/
"features" = {"containerd-snapshotter" = true;};
};
# start dockerd on boot.
# This is required for containers which are created with the `--restart=always` flag to work.
enableOnBoot = true;
};
waydroid.enable = true;
lxd.enable = true;
};
}

View File

@@ -9,7 +9,7 @@
# This should be set per host in /hosts, not here.
#
## For AMD CPU, add "kvm-amd" to kernelModules.
# boot.kernelModules = ["kvm-amd" "kvm-intel"];
# boot.kernelModules = ["kvm-amd"];
# boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
#
## For Intel CPU, add "kvm-intel" to kernelModules.
@@ -19,6 +19,19 @@
boot.kernelModules = ["vfio-pci"];
virtualisation = {
docker = {
enable = true;
daemon.settings = {
# enables pulling using containerd, which supports restarting from a partial pull
# https://docs.docker.com/storage/containerd/
"features" = {"containerd-snapshotter" = true;};
};
# start dockerd on boot.
# This is required for containers which are created with the `--restart=always` flag to work.
enableOnBoot = true;
};
libvirtd = {
enable = true;
# hanging this option to false may cause file permission issues for existing guests.

View File

@@ -16,7 +16,7 @@
networking = {
# configures the network interface(include wireless) via `nmcli` & `nmtui`
networkmanager.enable = true;
defaultGateway = "192.168.5.201";
defaultGateway = "192.168.5.101";
};
system.stateVersion = "23.11";
}

View File

@@ -14,7 +14,7 @@ from pathlib import Path
NIX_DAEMON_PLIST = Path("/Library/LaunchDaemons/org.nixos.nix-daemon.plist")
NIX_DAEMON_NAME = "org.nixos.nix-daemon"
# http proxy provided by my homelab's bypass router
HTTP_PROXY = "http://192.168.5.201:7890"
HTTP_PROXY = "http://192.168.5.192:7890"
pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes())

View File

@@ -20,7 +20,6 @@
"/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption
];
# owner = root
age.secrets = let
noaccess = {
mode = "0000";

View File

@@ -1,137 +1,175 @@
{
lib,
config,
pkgs,
agenix,
mysecrets,
username,
...
}: {
}:
with lib; let
cfg = config.modules.secrets;
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
imports = [
agenix.nixosModules.default
];
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths = [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
];
# owner = root
age.secrets = let
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
options.modules.secrets = {
desktop.enable = mkEnableOption "NixOS Secrets for Desktops";
server.enable = mkEnableOption "NixOS Secrets for Servers";
impermanence.enable = mkEnableOption "Wether use impermanence and ephemeral root file sytem";
};
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
config = mkIf (cfg.server.enable || cfg.desktop.enable) (mkMerge [
{
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths =
if cfg.impermanence.enable
then [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else [
"/etc/ssh/ssh_host_ed25519_key"
];
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = username;
};
assertions = [
{
# this expression should be true to pass the assertion
assertion = !(cfg.server.enable && cfg.desktop.enable);
message = "Enable either desktop or server's secrets, not both!";
}
];
}
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
(mkIf cfg.desktop.enable {
age.secrets = {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
};
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = username;
};
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
(mkIf cfg.server.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
]);
}

View File

@@ -14,7 +14,11 @@ in {
nixos-modules =
[
../hosts/idols_ai
{modules.desktop.xorg.enable = true;}
{
modules.desktop.xorg.enable = true;
modules.secrets.desktop.enable = true;
modules.secrets.impermanence.enable = true;
}
]
++ desktop_base_modules.nixos-modules;
home-module.imports =
@@ -29,7 +33,11 @@ in {
nixos-modules =
[
../hosts/idols_ai
{modules.desktop.wayland.enable = true;}
{
modules.desktop.wayland.enable = true;
modules.secrets.desktop.enable = true;
modules.secrets.impermanence.enable = true;
}
]
++ desktop_base_modules.nixos-modules;
home-module.imports =
@@ -43,9 +51,11 @@ in {
# 星野 愛久愛海, Hoshino Akuamarin
idol_aquamarine_modules = {
nixos-modules = [
../secrets/nixos.nix
../hosts/idols_aquamarine
../modules/nixos/server/server.nix
../modules/nixos/server/proxmox-hardware-configuration.nix
{modules.secrets.server.enable = true;}
];
# home-module.imports = [];
};

View File

@@ -1,5 +1,5 @@
{lib, ...}: rec {
defaultGateway = "192.168.5.201";
defaultGateway = "192.168.5.101";
nameservers = [
"119.29.29.29" # DNSPod
"223.5.5.5" # AliDNS
@@ -85,7 +85,7 @@
publicKey = value.publicKey;
})
{
aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0EzzjnuHBE9xEOZupLmaAj9xbYxkUDeLbMqFZ7YPjU";
aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJrHY3BZRTu0hrlsKxqS+O4GDp4cbumF8aNnbPCGKji root@aquamarine";
ruby.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrDXNQXELnbevZ1rImfXwmQHkRcd3TDNLsQo33c2tUf";
kana.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMVX05DQD1XJ0AqFZzsRsqgeUOlZ4opAI+8tkVXyjq+";
};