diff --git a/flake.lock b/flake.lock index 97d1f266..a54480a4 100644 --- a/flake.lock +++ b/flake.lock @@ -112,28 +112,6 @@ "type": "github" } }, - "daeuniverse": { - "inputs": { - "devshell": "devshell", - "flake-parts": "flake-parts_2", - "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_3", - "pre-commit-hooks": "pre-commit-hooks" - }, - "locked": { - "lastModified": 1721655093, - "narHash": "sha256-IiUd700gUN8jxeD1xJv+s1v9vW/ILgw0/KfJLNFyutY=", - "owner": "daeuniverse", - "repo": "flake.nix", - "rev": "140c54a145b5e88684e5e88e36230b6cdf6aff87", - "type": "github" - }, - "original": { - "owner": "daeuniverse", - "repo": "flake.nix", - "type": "github" - } - }, "darwin": { "inputs": { "nixpkgs": [ @@ -157,24 +135,6 @@ "type": "github" } }, - "devshell": { - "inputs": { - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1722113426, - "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", - "owner": "numtide", - "repo": "devshell", - "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, "disko": { "inputs": { "nixpkgs": [ @@ -212,28 +172,6 @@ "type": "github" } }, - "fenix": { - "inputs": { - "nixpkgs": [ - "microvm", - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" - }, - "locked": { - "lastModified": 1722580276, - "narHash": "sha256-VaNcSh7n8OaFW/DJsR6Fm23V+EGpSei0DyF71RKB+90=", - "owner": "nix-community", - "repo": "fenix", - "rev": "286f371b3cfeaa5c856c8e6dfb893018e86cc947", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "fenix", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { @@ -266,22 +204,6 @@ "type": "github" } }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -304,45 +226,6 @@ } }, "flake-parts_2": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", - "type": "github" - }, - "original": { - "id": "flake-parts", - "type": "indirect" - } - }, - "flake-parts_3": { - "inputs": { - "nixpkgs-lib": [ - "daeuniverse", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -363,9 +246,9 @@ "type": "github" } }, - "flake-parts_5": { + "flake-parts_3": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib_2" + "nixpkgs-lib": "nixpkgs-lib" }, "locked": { "lastModified": 1722555600, @@ -421,42 +304,6 @@ "inputs": { "systems": "systems_5" }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "inputs": { - "systems": "systems_6" - }, - "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "inputs": { - "systems": "systems_7" - }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", @@ -472,28 +319,6 @@ } }, "gitignore": { - "inputs": { - "nixpkgs": [ - "daeuniverse", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_2": { "inputs": { "nixpkgs": [ "lanzaboote", @@ -515,29 +340,7 @@ "type": "github" } }, - "gitignore_3": { - "inputs": { - "nixpkgs": [ - "nixos-rk3588", - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1660459072, - "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "gitignore_4": { + "gitignore_2": { "inputs": { "nixpkgs": [ "pre-commit-hooks", @@ -640,8 +443,8 @@ "lanzaboote": { "inputs": { "crane": "crane_2", - "flake-compat": "flake-compat_2", - "flake-parts": "flake-parts_4", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts_2", "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" @@ -664,29 +467,6 @@ "type": "github" } }, - "microvm": { - "inputs": { - "fenix": "fenix", - "flake-utils": "flake-utils_3", - "nixpkgs": [ - "nixpkgs" - ], - "spectrum": "spectrum" - }, - "locked": { - "lastModified": 1723407630, - "narHash": "sha256-iBvdy5KAYWew4sAIVbrqrNL7jCMWFoB5hObocCXkHiY=", - "owner": "astro", - "repo": "microvm.nix", - "rev": "802ef1704f6a050f272bed5e226d0e86fa3e8c39", - "type": "github" - }, - "original": { - "owner": "astro", - "repo": "microvm.nix", - "type": "github" - } - }, "mysecrets": { "flake": false, "locked": { @@ -724,31 +504,10 @@ "type": "github" } }, - "nix-eval-jobs": { - "inputs": { - "flake-parts": "flake-parts_3", - "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs_2", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1723372011, - "narHash": "sha256-zqenoufFiPfobw74idorZMG8AXG3DnFzbHplt/Nkvrg=", - "owner": "nix-community", - "repo": "nix-eval-jobs", - "rev": "8802412b8747633e9d80639897e4d58fa6290909", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-eval-jobs", - "type": "github" - } - }, "nix-gaming": { "inputs": { - "flake-parts": "flake-parts_5", - "nixpkgs": "nixpkgs_4", + "flake-parts": "flake-parts_3", + "nixpkgs": "nixpkgs", "umu": "umu" }, "locked": { @@ -765,28 +524,6 @@ "type": "github" } }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "daeuniverse", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1720066371, - "narHash": "sha256-uPlLYH2S0ACj0IcgaK9Lsf4spmJoGejR9DotXiXSBZQ=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "622f829f5fe69310a866c8a6cd07e747c44ef820", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixlib": { "locked": { "lastModified": 1722732880, @@ -802,21 +539,6 @@ "type": "github" } }, - "nixlib_2": { - "locked": { - "lastModified": 1709426687, - "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, "nixos-generators": { "inputs": { "nixlib": "nixlib", @@ -838,28 +560,6 @@ "type": "github" } }, - "nixos-generators_2": { - "inputs": { - "nixlib": "nixlib_2", - "nixpkgs": [ - "nixos-rk3588", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709557527, - "narHash": "sha256-PV8oYqhTHX6FGZMQ1m5dhRuS914AhofPwgnAMhUZtwE=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "d048d6fc4bada612ff08d4b9d5edc48d45389431", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, "nixos-hardware": { "locked": { "lastModified": 1723310128, @@ -876,52 +576,13 @@ "type": "github" } }, - "nixos-licheepi4a": { - "inputs": { - "nixpkgs": "nixpkgs_5" - }, - "locked": { - "lastModified": 1721481969, - "narHash": "sha256-KTHUwzTmZCdS7FUghKvjjMm1WgwnHfS/LKZqT8MLohw=", - "owner": "ryan4yin", - "repo": "nixos-licheepi4a", - "rev": "0fb4b65137de445de543ed8532d4aac6ecc27271", - "type": "github" - }, - "original": { - "owner": "ryan4yin", - "repo": "nixos-licheepi4a", - "type": "github" - } - }, - "nixos-rk3588": { - "inputs": { - "flake-utils": "flake-utils_4", - "nixos-generators": "nixos-generators_2", - "nixpkgs": "nixpkgs_6", - "pre-commit-hooks": "pre-commit-hooks_2" - }, - "locked": { - "lastModified": 1723427077, - "narHash": "sha256-SFTRomK5nNC56HRd24R+io6fzvojioIsdY3zyoYsbmA=", - "owner": "ryan4yin", - "repo": "nixos-rk3588", - "rev": "bee44589a40c6e64b09644ab33ad7f48e9f29950", - "type": "github" - }, - "original": { - "owner": "ryan4yin", - "repo": "nixos-rk3588", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1722073938, - "narHash": "sha256-OpX0StkL8vpXyWOGUD6G+MA26wAXK6SpT94kLJXo6B4=", + "lastModified": 1723221148, + "narHash": "sha256-7pjpeQlZUNQ4eeVntytU3jkw9dFK3k1Htgk2iuXjaD8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e36e9f57337d0ff0cf77aceb58af4c805472bfae", + "rev": "154bcb95ad51bc257c2ce4043a725de6ca700ef6", "type": "github" }, "original": { @@ -959,35 +620,7 @@ "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" } }, - "nixpkgs-lib_2": { - "locked": { - "lastModified": 1722555339, - "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" - } - }, "nixpkgs-stable": { - "locked": { - "lastModified": 1720386169, - "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_2": { "locked": { "lastModified": 1710695816, "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", @@ -1003,7 +636,7 @@ "type": "github" } }, - "nixpkgs-stable_3": { + "nixpkgs-stable_2": { "locked": { "lastModified": 1723282977, "narHash": "sha256-oTK91aOlA/4IsjNAZGMEBz7Sq1zBS0Ltu4/nIQdYDOg=", @@ -1019,7 +652,7 @@ "type": "github" } }, - "nixpkgs-stable_4": { + "nixpkgs-stable_3": { "locked": { "lastModified": 1720386169, "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", @@ -1053,101 +686,21 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1723221148, - "narHash": "sha256-7pjpeQlZUNQ4eeVntytU3jkw9dFK3k1Htgk2iuXjaD8=", - "owner": "NixOS", + "lastModified": 1723175592, + "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "154bcb95ad51bc257c2ce4043a725de6ca700ef6", + "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", + "owner": "nixos", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_3": { - "locked": { - "lastModified": 1723175592, - "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1723221148, - "narHash": "sha256-7pjpeQlZUNQ4eeVntytU3jkw9dFK3k1Htgk2iuXjaD8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "154bcb95ad51bc257c2ce4043a725de6ca700ef6", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1691280485, - "narHash": "sha256-/8Ct9092OC1TTNzHgbcE9ejQdS2QxZYGqrWXEwUxdtQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "240472b7e47a641e9e7675f58b64d3626ca7824d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.05-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_6": { - "locked": { - "lastModified": 1709309926, - "narHash": "sha256-VZFBtXGVD9LWTecGi6eXrE0hJ/mVB3zGUlHImUs2Qak=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "79baff8812a0d68e24a836df0a364c678089e2c7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_7": { - "locked": { - "lastModified": 1723175592, - "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_8": { "locked": { "lastModified": 1701436327, "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", @@ -1161,7 +714,7 @@ "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz" } }, - "nixpkgs_9": { + "nixpkgs_4": { "locked": { "lastModified": 1702921762, "narHash": "sha256-O/rP7gulApQAB47u6szEd8Pn8Biw0d84j5iuP2tcxzY=", @@ -1179,7 +732,7 @@ }, "nuenv": { "inputs": { - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_3", "rust-overlay": "rust-overlay_3" }, "locked": { @@ -1198,7 +751,7 @@ }, "nur-ryan4yin": { "inputs": { - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1717568000, @@ -1232,13 +785,12 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat", - "gitignore": "gitignore", + "flake-compat": "flake-compat_2", + "gitignore": "gitignore_2", "nixpkgs": [ - "daeuniverse", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_3" }, "locked": { "lastModified": 1723202784, @@ -1260,12 +812,12 @@ "lanzaboote", "flake-compat" ], - "gitignore": "gitignore_2", + "gitignore": "gitignore", "nixpkgs": [ "lanzaboote", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_2" + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { "lastModified": 1717664902, @@ -1281,109 +833,32 @@ "type": "github" } }, - "pre-commit-hooks_2": { - "inputs": { - "flake-compat": [ - "nixos-rk3588" - ], - "flake-utils": [ - "nixos-rk3588", - "flake-utils" - ], - "gitignore": "gitignore_3", - "nixpkgs": [ - "nixos-rk3588", - "nixpkgs" - ], - "nixpkgs-stable": [ - "nixos-rk3588", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1702456155, - "narHash": "sha256-I2XhXGAecdGlqi6hPWYT83AQtMgL+aa3ulA85RAEgOk=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "007a45d064c1c32d04e1b8a0de5ef00984c419bc", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_3": { - "inputs": { - "flake-compat": "flake-compat_3", - "gitignore": "gitignore_4", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_4" - }, - "locked": { - "lastModified": 1723202784, - "narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "c7012d0c18567c889b948781bc74a501e92275d1", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", "anyrun": "anyrun", - "daeuniverse": "daeuniverse", "disko": "disko", "doomemacs": "doomemacs", "haumea": "haumea", "home-manager": "home-manager_2", "impermanence": "impermanence", "lanzaboote": "lanzaboote", - "microvm": "microvm", "mysecrets": "mysecrets", "nix-darwin": "nix-darwin", "nix-gaming": "nix-gaming", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", - "nixos-licheepi4a": "nixos-licheepi4a", - "nixos-rk3588": "nixos-rk3588", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_2", "nixpkgs-darwin": "nixpkgs-darwin", - "nixpkgs-stable": "nixpkgs-stable_3", + "nixpkgs-stable": "nixpkgs-stable_2", "nixpkgs-unstable": "nixpkgs-unstable", "nuenv": "nuenv", "nur-ryan4yin": "nur-ryan4yin", "polybar-themes": "polybar-themes", - "pre-commit-hooks": "pre-commit-hooks_3", + "pre-commit-hooks": "pre-commit-hooks", "wallpapers": "wallpapers" } }, - "rust-analyzer-src": { - "flake": false, - "locked": { - "lastModified": 1722521768, - "narHash": "sha256-FvJ4FaMy1kJbZ3Iw1RyvuiUAsbHJXoU2HwylzaFzj1o=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "f149dc5029d8406fae8b2c541603bcac06e30deb", - "type": "github" - }, - "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" - } - }, "rust-overlay": { "inputs": { "flake-utils": [ @@ -1436,7 +911,7 @@ }, "rust-overlay_3": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nuenv", "nixpkgs" @@ -1456,22 +931,6 @@ "type": "github" } }, - "spectrum": { - "flake": false, - "locked": { - "lastModified": 1720264467, - "narHash": "sha256-xzM92n3Q9L90faJIJrkrTtTx+JqCGRHMkHWztkV4PuY=", - "ref": "refs/heads/main", - "rev": "fb59d42542049f586c84b0f8bb86ff3be338e9d3", - "revCount": 674, - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - }, - "original": { - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - } - }, "systems": { "locked": { "lastModified": 1681028828, @@ -1547,58 +1006,6 @@ "type": "github" } }, - "systems_6": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_7": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "daeuniverse", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1723303070, - "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "14c092e0326de759e16b37535161b3cb9770cea3", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "umu": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 51fe4dc4..c21632b0 100644 --- a/flake.nix +++ b/flake.nix @@ -101,19 +101,11 @@ nuenv.url = "github:DeterminateSystems/nuenv"; - daeuniverse.url = "github:daeuniverse/flake.nix"; - # daeuniverse.url = "github:daeuniverse/flake.nix/exp"; - haumea = { url = "github:nix-community/haumea/v0.2.2"; inputs.nixpkgs.follows = "nixpkgs"; }; - microvm = { - url = "github:astro/microvm.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - ######################## Some non-flake repositories ######################################### # doom-emacs is a configuration framework for GNU Emacs. @@ -146,12 +138,5 @@ url = "github:ryan4yin/nur-packages"; # inputs.nixpkgs.follows = "nixpkgs"; }; - - # riscv64 SBCs - nixos-licheepi4a.url = "github:ryan4yin/nixos-licheepi4a"; - # nixos-jh7110.url = "github:ryan4yin/nixos-jh7110"; - - # aarch64 SBCs - nixos-rk3588.url = "github:ryan4yin/nixos-rk3588"; }; } diff --git a/hosts/12kingdoms-rakushun/Disk-and-Installation.md b/hosts/12kingdoms-rakushun/Disk-and-Installation.md deleted file mode 100644 index fc652f20..00000000 --- a/hosts/12kingdoms-rakushun/Disk-and-Installation.md +++ /dev/null @@ -1,157 +0,0 @@ -# Rakushun - Disk and Installation - -Disk layout: - -```bash -[ryan@rakushun:~]$ lsblk -NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS -sda 8:0 1 58.6G 0 disk -└─sda1 8:1 1 487M 0 part -mtdblock0 31:0 0 16M 0 disk -zram0 254:0 0 0B 0 disk -nvme0n1 259:0 0 1.8T 0 disk -├─nvme0n1p1 259:1 0 630M 0 part /boot -└─nvme0n1p2 259:2 0 1.8T 0 part - └─encrypted 253:0 0 1.8T 0 crypt /tmp - /swap - /snapshots - /home/ryan/tmp - /home/ryan/nix-config - /home/ryan/go - /home/ryan/codes - /home/ryan/.ssh - /home/ryan/.local/state - /home/ryan/.npm - /home/ryan/.local/share - /home/ryan/.conda - /etc/ssh - /etc/nix/inputs - /etc/secureboot - /etc/agenix - /etc/NetworkManager/system-connections - /etc/machine-id - /nix/store - /var/log - /var/lib - /nix - /persistent - -[ryan@rakushun:~]$ df -Th -Filesystem Type Size Used Avail Use% Mounted on -devtmpfs devtmpfs 785M 0 785M 0% /dev -tmpfs tmpfs 7.7G 0 7.7G 0% /dev/shm -tmpfs tmpfs 3.9G 6.8M 3.9G 1% /run -tmpfs tmpfs 7.7G 1.9M 7.7G 1% /run/wrappers -none tmpfs 4.0G 48K 4.0G 1% / -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /persistent -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /nix -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /snapshots -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /swap -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /tmp -/dev/nvme0n1p1 vfat 629M 96M 534M 16% /boot -tmpfs tmpfs 1.6G 4.0K 1.6G 1% /run/user/1000 -``` - -CPU info: - -```bash -[ryan@rakushun:~]$ lscpu -Architecture: aarch64 - CPU op-mode(s): 32-bit, 64-bit - Byte Order: Little Endian -CPU(s): 8 - On-line CPU(s) list: 0-7 -Vendor ID: ARM - Model name: Cortex-A55 - Model: 0 - Thread(s) per core: 1 - Core(s) per socket: 4 - Socket(s): 1 - Stepping: r2p0 - CPU(s) scaling MHz: 67% - CPU max MHz: 1800.0000 - CPU min MHz: 408.0000 - BogoMIPS: 48.00 - Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp - Model name: Cortex-A76 - Model: 0 - Thread(s) per core: 1 - Core(s) per socket: 2 - Socket(s): 2 - Stepping: r4p0 - CPU(s) scaling MHz: 18% - CPU max MHz: 2256.0000 - CPU min MHz: 408.0000 - BogoMIPS: 48.00 - Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp -Caches (sum of all): - L1d: 384 KiB (8 instances) - L1i: 384 KiB (8 instances) - L2: 2.5 MiB (8 instances) - L3: 3 MiB (1 instance) -``` - -## How to install NixOS on Orange Pi 5 Plus - -### 1. Prepare a USB LUKS key - -Generate LUKS keyfile to encrypt the root partition, it's used by disko. - -```bash -# partition the usb stick -DEV=/dev/sdX -parted ${DEV} -- mklabel gpt -parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB -mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1 - -# Generate a keyfile from the true random number generator -KEYFILE=./orangepi5plus-luks-keyfile -dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE - -# copy the keyfile and token to the usb stick -KEYFILE=./orangepi5plus-luks-keyfile -DEVICE=/dev/disk/by-label/OPI5P_DSC -# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header -dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE -``` - -### 2. Partition the SSD & install NixOS via disko - -First, follow -[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to -install UEFI bootloader and boot into NixOS live environment via a USB stick. - -Then, run the following commands: - -```bash -# transfer the nix-config to the target machine -rsync -avzP ~/nix-config rk@:/home/rk/ - -# login via ssh -ssh rk@ - -cd ~/nix-config/hosts/12kingdoms_rakushun -# 1. change the disk device path in ./disko-fs.nix to the disk you want to use -# 2. partition & format the disk via disko -sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix - - -cd ~/nix-config -# install nixos -sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose - -# enter into the installed system, check password & users -# `su ryan` => `sudo -i` => enter ryan's password => successfully login -# if login failed, check the password you set in install-1, and try again -nixos-enter - -# NOTE: DO NOT skip this step!!! -# copy the essential files into /persistent -# otherwise the / will be cleared and data will lost -## NOTE: impermanence just create links from / to /persistent -## We need to copy files into /persistent manually!!! -mv /etc/machine-id /persistent/etc/ -mv /etc/ssh /persistent/etc/ -mkdir -p /persistent/home/ryan -chown -R ryan:ryan /persistent/home/ryan -``` diff --git a/hosts/12kingdoms-rakushun/README.md b/hosts/12kingdoms-rakushun/README.md deleted file mode 100644 index 17bca0f0..00000000 --- a/hosts/12kingdoms-rakushun/README.md +++ /dev/null @@ -1,16 +0,0 @@ -# Rakushun - Orange Pi 5 Plus - -LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus. - -TODO - -## Showcases - -![](../../_img/2024-03-07_orangepi5plus_rakushun.webp) - -## Misc - -```bash -# copy closure to another arm64 machine -nix-copy-closure --to root@suzu /run/current-system -``` diff --git a/hosts/12kingdoms-rakushun/default.nix b/hosts/12kingdoms-rakushun/default.nix deleted file mode 100644 index 53fcffb4..00000000 --- a/hosts/12kingdoms-rakushun/default.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ - mylib, - disko, - nixos-rk3588, - myvars, - ... -}: -############################################################# -# -# Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM -# -############################################################# -let - hostName = "rakushun"; # Define your hostname. -in { - imports = - (mylib.scanPaths ./.) - ++ [ - # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware - nixos-rk3588.nixosModules.orangepi5plus.core - disko.nixosModules.default - ]; - - networking = { - inherit hostName; - inherit (myvars.networking) defaultGateway nameservers; - inherit (myvars.networking.hostsInterface.${hostName}) interfaces; - networkmanager.enable = false; - }; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? -} diff --git a/hosts/12kingdoms-rakushun/disko-fs.nix b/hosts/12kingdoms-rakushun/disko-fs.nix deleted file mode 100644 index df5bdbb4..00000000 --- a/hosts/12kingdoms-rakushun/disko-fs.nix +++ /dev/null @@ -1,111 +0,0 @@ -{ - # required by impermanence - fileSystems."/persistent".neededForBoot = true; - - disko.devices = { - nodev."/" = { - fsType = "tmpfs"; - mountOptions = [ - "size=4G" - "defaults" - # set mode to 755, otherwise systemd will set it to 777, which cause problems. - # relatime: Update inode access times relative to modify or change time. - "mode=755" - ]; - }; - - # TODO: rename to main - disk.sda = { - type = "disk"; - # When using disko-install, we will overwrite this value from the commandline - device = "/dev/nvme0n1"; # The device to partition - content = { - type = "gpt"; - partitions = { - # The EFI & Boot partition - ESP = { - size = "630M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; - }; - }; - # The root partition - luks = { - size = "100%"; - content = { - type = "luks"; - name = "encrypted"; - settings = { - keyFile = "/dev/disk/by-label/OPI5P_DSC"; # The keyfile is stored on a USB stick - # The maximum size of the keyfile is 8192 KiB - # type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes - keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command - keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command - fallbackToPassword = true; - allowDiscards = true; - }; - # Whether to add a boot.initrd.luks.devices entry for the specified disk. - initrdUnlock = true; - - # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition. - # cryptsetup luksFormat - extraFormatArgs = [ - "--type luks2" - "--cipher aes-xts-plain64" - "--hash sha512" - "--iter-time 5000" - "--key-size 256" - "--pbkdf argon2id" - # use true random data from /dev/random, will block until enough entropy is available - "--use-random" - ]; - extraOpenArgs = [ - "--timeout 10" - ]; - content = { - type = "btrfs"; - extraArgs = ["-f"]; # Force override existing partition - subvolumes = { - # mount the top-level subvolume at /btr_pool - # it will be used by btrbk to create snapshots - "/" = { - mountpoint = "/btr_pool"; - # btrfs's top-level subvolume, internally has an id 5 - # we can access all other subvolumes from this subvolume. - mountOptions = ["subvolid=5"]; - }; - "@nix" = { - mountpoint = "/nix"; - mountOptions = ["compress-force=zstd:1" "noatime"]; - }; - "@persistent" = { - mountpoint = "/persistent"; - mountOptions = ["compress-force=zstd:1" "noatime"]; - }; - "@tmp" = { - mountpoint = "/tmp"; - mountOptions = ["compress-force=zstd:1" "noatime"]; - }; - "@snapshots" = { - mountpoint = "/snapshots"; - mountOptions = ["compress-force=zstd:1" "noatime"]; - }; - "@swap" = { - mountpoint = "/swap"; - swap.swapfile.size = "16384M"; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/hosts/12kingdoms-rakushun/hardware-configuration.nix b/hosts/12kingdoms-rakushun/hardware-configuration.nix deleted file mode 100644 index ea194483..00000000 --- a/hosts/12kingdoms-rakushun/hardware-configuration.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.loader = { - # depending on how you configured your disk mounts, change this to /boot or /boot/efi. - efi.efiSysMountPoint = "/boot/"; - efi.canTouchEfiVariables = true; - # do not use systemd-boot here, it has problems when running `nixos-install` - grub = { - device = "nodev"; - efiSupport = true; - }; - }; - # clear /tmp on boot to get a stateless /tmp directory. - boot.tmp.cleanOnBoot = true; - - boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"]; - boot.initrd.kernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true; - # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} diff --git a/hosts/12kingdoms-rakushun/impermanence.nix b/hosts/12kingdoms-rakushun/impermanence.nix deleted file mode 100644 index bdabdd10..00000000 --- a/hosts/12kingdoms-rakushun/impermanence.nix +++ /dev/null @@ -1,75 +0,0 @@ -{ - impermanence, - pkgs, - ... -}: { - imports = [ - impermanence.nixosModules.impermanence - ]; - - environment.systemPackages = [ - # `sudo ncdu -x /` - pkgs.ncdu - ]; - - # There are two ways to clear the root filesystem on every boot: - ## 1. use tmpfs for / - ## 2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via: - ## boot.initrd.postDeviceCommands = '' - ## mkdir -p /run/mymount - ## mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount - ## btrfs subvolume delete /run/mymount - ## btrfs subvolume snapshot / /run/mymount - ## ''; - # - # See also https://grahamc.com/blog/erase-your-darlings/ - - # NOTE: impermanence only mounts the directory/file list below to /persistent - # If the directory/file already exists in the root filesystem, you should - # move those files/directories to /persistent first! - environment.persistence."/persistent" = { - # sets the mount option x-gvfs-hide on all the bind mounts - # to hide them from the file manager - hideMounts = true; - directories = [ - "/etc/NetworkManager/system-connections" - "/etc/ssh" - "/etc/nix/inputs" - "/etc/secureboot" # lanzaboote - secure boot - # my secrets - "/etc/agenix/" - - "/var/log" - "/var/lib" - ]; - files = [ - "/etc/machine-id" - ]; - - # the following directories will be passed to /persistent/home/$USER - users.ryan = { - directories = [ - "codes" - "nix-config" - "tmp" - - { - directory = ".ssh"; - mode = "0700"; - } - - # neovim / remmina / flatpak / ... - ".local/share" - ".local/state" - - # language package managers - ".npm" - ".conda" # generated by `conda-shell` - "go" - ]; - files = [ - ".config/nushell/history.txt" - ]; - }; - }; -} diff --git a/hosts/12kingdoms-suzu/Disk-and-installation.md b/hosts/12kingdoms-suzu/Disk-and-installation.md deleted file mode 100644 index e88623bb..00000000 --- a/hosts/12kingdoms-suzu/Disk-and-installation.md +++ /dev/null @@ -1,156 +0,0 @@ -# Suzu - Disk and Installation - -Disk layout: - -```bash -[ryan@suzu:~]$ lsblk -NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS -sda 8:0 1 58.6G 0 disk -└─sda1 8:1 1 486M 0 part -mtdblock0 31:0 0 16M 0 disk -zram0 254:0 0 0B 0 disk -nvme0n1 259:0 0 238.5G 0 disk -├─nvme0n1p1 259:1 0 630M 0 part /boot -└─nvme0n1p2 259:2 0 237.9G 0 part - └─encrypted 253:0 0 237.8G 0 crypt /tmp - /snapshots - /swap - /home/ryan/tmp - /home/ryan/nix-config - /home/ryan/go - /home/ryan/.local/state - /home/ryan/codes - /home/ryan/.npm - /home/ryan/.ssh - /home/ryan/.local/share - /etc/ssh - /home/ryan/.conda - /etc/secureboot - /etc/agenix - /etc/nix/inputs - /etc/NetworkManager/system-connections - /nix/store - /var/log - /var/lib - /nix - /persistent - -[ryan@suzu:~]$ df -Th -Filesystem Type Size Used Avail Use% Mounted on -devtmpfs devtmpfs 383M 0 383M 0% /dev -tmpfs tmpfs 3.8G 0 3.8G 0% /dev/shm -tmpfs tmpfs 1.9G 6.2M 1.9G 1% /run -tmpfs tmpfs 3.8G 1.9M 3.8G 1% /run/wrappers -none tmpfs 2.0G 48K 2.0G 1% / -/dev/mapper/crypted btrfs 238G 11G 226G 5% /persistent -/dev/mapper/crypted btrfs 238G 11G 226G 5% /nix -/dev/mapper/crypted btrfs 238G 11G 226G 5% /swap -/dev/mapper/crypted btrfs 238G 11G 226G 5% /snapshots -/dev/mapper/crypted btrfs 238G 11G 226G 5% /tmp -/dev/nvme0n1p1 vfat 629M 86M 543M 14% /boot -tmpfs tmpfs 766M 4.0K 766M 1% /run/user/1000 -``` - -CPU info: - -```bash -[ryan@suzu:~]$ lscpu -Architecture: aarch64 - CPU op-mode(s): 32-bit, 64-bit - Byte Order: Little Endian -CPU(s): 8 - On-line CPU(s) list: 0-7 -Vendor ID: ARM - Model name: Cortex-A55 - Model: 0 - Thread(s) per core: 1 - Core(s) per socket: 4 - Socket(s): 1 - Stepping: r2p0 - CPU(s) scaling MHz: 56% - CPU max MHz: 1800.0000 - CPU min MHz: 408.0000 - BogoMIPS: 48.00 - Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp - Model name: Cortex-A76 - Model: 0 - Thread(s) per core: 1 - Core(s) per socket: 2 - Socket(s): 2 - Stepping: r4p0 - CPU(s) scaling MHz: 18% - CPU max MHz: 2256.0000 - CPU min MHz: 408.0000 - BogoMIPS: 48.00 - Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp -Caches (sum of all): - L1d: 384 KiB (8 instances) - L1i: 384 KiB (8 instances) - L2: 2.5 MiB (8 instances) - L3: 3 MiB (1 instance) -``` - -## How to install NixOS on Orange Pi 5 - -### 1. Prepare a USB LUKS key - -Generate LUKS keyfile to encrypt the root partition, it's used by disko. - -```bash -# partition the usb stick -DEV=/dev/sdX -parted ${DEV} -- mklabel gpt -parted ${DEV} -- mkpart primary 2M 512MB -mkfs.fat -F 32 -n OPI5_DSC ${DEV}1 - - -# Generate a keyfile from the true random number generator -KEYFILE=./orangepi5-luks-keyfile -dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE - -# copy the keyfile and token to the usb stick -KEYFILE=./orangepi5-luks-keyfile -DEVICE=/dev/disk/by-label/OPI5_DSC -# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header -dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE -``` - -### 2. Partition the SSD & install NixOS via disko - -First, follow -[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to -install UEFI bootloader and boot into NixOS live environment via a USB stick. - -Then, run the following commands: - -```bash -# login via ssh -ssh rk@ - -git clone https://github.com/ryan4yin/nix-config.git - -cd ~/nix-config/hosts/12kingdoms_suzu -# 1. change the disk device path in ./disko-fs.nix to the disk you want to use -# 2. partition & format the disk via disko -sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix - - -cd ~/nix-config -# install nixos -sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose - -# enter into the installed system, check password & users -# `su ryan` => `sudo -i` => enter ryan's password => successfully login -# if login failed, check the password you set in install-1, and try again -nixos-enter - -# NOTE: DO NOT skip this step!!! -# copy the essential files into /persistent -# otherwise the / will be cleared and data will lost -## NOTE: impermanence just create links from / to /persistent -## We need to copy files into /persistent manually!!! -mv /etc/machine-id /persistent/etc/ -mv /etc/ssh /persistent/etc/ -mkdir -p /persistent/home/ryan -chown -R ryan:ryan /persistent/home/ryan -``` diff --git a/hosts/12kingdoms-suzu/README.md b/hosts/12kingdoms-suzu/README.md deleted file mode 100644 index edd7ca7a..00000000 --- a/hosts/12kingdoms-suzu/README.md +++ /dev/null @@ -1,34 +0,0 @@ -# Suzu - Orange Pi 5 - -LUKS encrypted SSD for NixOS, on Orange Pi 5. - -## TODOs - -- [ ] Add support for BGP routing. - - [Comparing Open Source BGP Stacks](https://elegantnetwork.github.io/posts/comparing-open-source-bgp-stacks/) - - [`services.frr.*` - search.nixos.org](https://search.nixos.org/options?channel=unstable&query=services.frr) - -## Showcases - -![](../../_img/2024-03-07_orangepi5_suzu.webp) - -## Features - -Micro VMs: - -1. suzi: dae router(transparent proxy, dhcp) -1. mitsuha: tailscale gateway(sub router) - -Services: - -1. OCI Containers: to run some servides that's not available in NixOS. -1. ddns -1. uptime-kuma: uptime monitoring -1. excalidraw/DDTV/owncast/jitsi-meet/... - -All the services assumes a reverse proxy to be setup in the front, they are all listening on -localhost, and a caddy service is listening on the local network interface and proxy the requests to -the services. - -TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the -services. diff --git a/hosts/12kingdoms-suzu/default.nix b/hosts/12kingdoms-suzu/default.nix deleted file mode 100644 index feddfa81..00000000 --- a/hosts/12kingdoms-suzu/default.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ - disko, - nixos-rk3588, - mylib, - ... -}: -############################################################# -# -# Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM -# -# https://github.com/astro/microvm.nix -# -############################################################# -let - hostName = "suzu"; # Define your hostname. -in { - imports = - (mylib.scanPaths ./.) - ++ [ - # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware - nixos-rk3588.nixosModules.orangepi5plus.core - disko.nixosModules.default - ]; - - networking = {inherit hostName;}; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? -} diff --git a/hosts/12kingdoms-suzu/disko-fs.nix b/hosts/12kingdoms-suzu/disko-fs.nix deleted file mode 100644 index 703bba52..00000000 --- a/hosts/12kingdoms-suzu/disko-fs.nix +++ /dev/null @@ -1,111 +0,0 @@ -{ - # required by impermanence - fileSystems."/persistent".neededForBoot = true; - - disko.devices = { - nodev."/" = { - fsType = "tmpfs"; - mountOptions = [ - "size=2G" - "defaults" - # set mode to 755, otherwise systemd will set it to 777, which cause problems. - # relatime: Update inode access times relative to modify or change time. - "mode=755" - ]; - }; - - # TODO: rename to main - disk.sda = { - type = "disk"; - # When using disko-install, we will overwrite this value from the commandline - device = "/dev/nvme0n1"; # The device to partition - content = { - type = "gpt"; - partitions = { - # The EFI & Boot partition - ESP = { - size = "630M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; - }; - }; - # The root partition - luks = { - size = "100%"; - content = { - type = "luks"; - name = "encrypted"; - settings = { - keyFile = "/dev/disk/by-label/OPI5_DSC"; # The keyfile is stored on a USB stick - # The maximum size of the keyfile is 8192 KiB - # type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes - keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command - keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command - fallbackToPassword = true; - allowDiscards = true; - }; - # Whether to add a boot.initrd.luks.devices entry for the specified disk. - initrdUnlock = true; - - # encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition. - # cryptsetup luksFormat - extraFormatArgs = [ - "--type luks2" - "--cipher aes-xts-plain64" - "--hash sha512" - "--iter-time 5000" - "--key-size 256" - "--pbkdf argon2id" - # use true random data from /dev/random, will block until enough entropy is available - "--use-random" - ]; - extraOpenArgs = [ - "--timeout 10" - ]; - content = { - type = "btrfs"; - extraArgs = ["-f"]; # Force override existing partition - subvolumes = { - # mount the top-level subvolume at /btr_pool - # it will be used by btrbk to create snapshots - "/" = { - mountpoint = "/btr_pool"; - # btrfs's top-level subvolume, internally has an id 5 - # we can access all other subvolumes from this subvolume. - mountOptions = ["subvolid=5"]; - }; - "@nix" = { - mountpoint = "/nix"; - mountOptions = ["compress-force=zstd:1" "noatime"]; - }; - "@persistent" = { - mountpoint = "/persistent"; - mountOptions = ["compress-force=zstd:1" "noatime"]; - }; - "@tmp" = { - mountpoint = "/tmp"; - mountOptions = ["compress-force=zstd:1" "noatime"]; - }; - "@snapshots" = { - mountpoint = "/snapshots"; - mountOptions = ["compress-force=zstd:1" "noatime"]; - }; - "@swap" = { - mountpoint = "/swap"; - swap.swapfile.size = "8192M"; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/hosts/12kingdoms-suzu/hardware-configuration.nix b/hosts/12kingdoms-suzu/hardware-configuration.nix deleted file mode 100644 index ea194483..00000000 --- a/hosts/12kingdoms-suzu/hardware-configuration.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.loader = { - # depending on how you configured your disk mounts, change this to /boot or /boot/efi. - efi.efiSysMountPoint = "/boot/"; - efi.canTouchEfiVariables = true; - # do not use systemd-boot here, it has problems when running `nixos-install` - grub = { - device = "nodev"; - efiSupport = true; - }; - }; - # clear /tmp on boot to get a stateless /tmp directory. - boot.tmp.cleanOnBoot = true; - - boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"]; - boot.initrd.kernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true; - # networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} diff --git a/hosts/12kingdoms-suzu/impermanence.nix b/hosts/12kingdoms-suzu/impermanence.nix deleted file mode 100644 index bdabdd10..00000000 --- a/hosts/12kingdoms-suzu/impermanence.nix +++ /dev/null @@ -1,75 +0,0 @@ -{ - impermanence, - pkgs, - ... -}: { - imports = [ - impermanence.nixosModules.impermanence - ]; - - environment.systemPackages = [ - # `sudo ncdu -x /` - pkgs.ncdu - ]; - - # There are two ways to clear the root filesystem on every boot: - ## 1. use tmpfs for / - ## 2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via: - ## boot.initrd.postDeviceCommands = '' - ## mkdir -p /run/mymount - ## mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount - ## btrfs subvolume delete /run/mymount - ## btrfs subvolume snapshot / /run/mymount - ## ''; - # - # See also https://grahamc.com/blog/erase-your-darlings/ - - # NOTE: impermanence only mounts the directory/file list below to /persistent - # If the directory/file already exists in the root filesystem, you should - # move those files/directories to /persistent first! - environment.persistence."/persistent" = { - # sets the mount option x-gvfs-hide on all the bind mounts - # to hide them from the file manager - hideMounts = true; - directories = [ - "/etc/NetworkManager/system-connections" - "/etc/ssh" - "/etc/nix/inputs" - "/etc/secureboot" # lanzaboote - secure boot - # my secrets - "/etc/agenix/" - - "/var/log" - "/var/lib" - ]; - files = [ - "/etc/machine-id" - ]; - - # the following directories will be passed to /persistent/home/$USER - users.ryan = { - directories = [ - "codes" - "nix-config" - "tmp" - - { - directory = ".ssh"; - mode = "0700"; - } - - # neovim / remmina / flatpak / ... - ".local/share" - ".local/state" - - # language package managers - ".npm" - ".conda" # generated by `conda-shell` - "go" - ]; - files = [ - ".config/nushell/history.txt" - ]; - }; - }; -} diff --git a/hosts/12kingdoms-suzu/microvm/README.md b/hosts/12kingdoms-suzu/microvm/README.md deleted file mode 100644 index 6458499b..00000000 --- a/hosts/12kingdoms-suzu/microvm/README.md +++ /dev/null @@ -1,45 +0,0 @@ -# microvm.nix - -## Commands - -> https://github.com/astro/microvm.nix/blob/main/doc/src/microvm-command.md - -```bash -# list vm -microvm -l - -# update vm -microvm -u my-microvm - - -# show logs of a vm -journalctl -u microvm@my-microvm -n 50 - -# stop vm -systemctl stop microvm@$NAME - -# remove vm -rm -rf /var/lib/microvms/$NAME - -# Run a MicroVM in foreground(for testing) -# You have to stop the vm before running this command! -microvm -r my-microvm - -# Stop a MicroVM that is running in foreground -## 1. run `sudo shutdown -h now` in the vm -## 2. run `systemctl stop microvm@my-microvm` in the host -``` - -## VM's pros compared to container - -1. VM has its own kernel, so it can use a fullfeatured kernel or customise the kernel's - configuration, without affecting the host. -1. VM use a fullfeatured init system, so it can run services like a real machine. -1. VM can use a fullfeatured network stack, so it can run network services like a real machine. it's - very useful for hosting some network services(such as tailscale, dae, etc). - -## FAQ - -### 1. enter the vm without ssh - -[Enter running machine as systemd service](https://github.com/astro/microvm.nix/issues/123) diff --git a/hosts/12kingdoms-suzu/microvm/default.nix b/hosts/12kingdoms-suzu/microvm/default.nix deleted file mode 100644 index 2f898352..00000000 --- a/hosts/12kingdoms-suzu/microvm/default.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ - myvars, - mylib, - daeuniverse, - agenix, - microvm, - mysecrets, - nuenv, - ... -}: { - imports = [ - # Include the microvm host module - microvm.nixosModules.host - ]; - - microvm.vms = { - suzi = { - autostart = true; - restartIfChanged = true; - - specialArgs = {inherit myvars mylib daeuniverse agenix mysecrets nuenv;}; - - config.imports = [./suzi]; - }; - - mitsuha = { - autostart = true; - restartIfChanged = true; - - specialArgs = {inherit myvars mylib nuenv;}; - - config.imports = [./mitsuha]; - }; - }; -} diff --git a/hosts/12kingdoms-suzu/microvm/mitsuha/default.nix b/hosts/12kingdoms-suzu/microvm/mitsuha/default.nix deleted file mode 100644 index 4a9414d6..00000000 --- a/hosts/12kingdoms-suzu/microvm/mitsuha/default.nix +++ /dev/null @@ -1,67 +0,0 @@ -{mylib, ...}: { - imports = - (mylib.scanPaths ./.) - ++ [ - ../../../../modules/nixos/base/ssh.nix - ../../../../modules/nixos/base/user-group.nix - ../../../../modules/base.nix - ]; - - microvm = { - mem = 1024; # RAM allocation in MB - vcpu = 1; # Number of Virtual CPU cores - - interfaces = [ - { - type = "tap"; - id = "vm-mitsuha"; # should be prefixed with "vm-" - mac = "02:00:00:00:00:02"; # Unique MAC address - } - ]; - - # Block device images for persistent storage - # microvm use tmpfs for root(/), so everything else - # is ephemeral and will be lost on reboot. - # - # you can check this by running `df -Th` & `lsblk` in the VM. - volumes = [ - { - mountPoint = "/var"; - image = "var.img"; - size = 512; - } - { - mountPoint = "/etc"; - image = "etc.img"; - size = 50; - } - ]; - - # shares can not be set to `neededForBoot = true;` - # so if you try to use a share in boot script(such as system.activationScripts), it will fail! - shares = [ - { - # It is highly recommended to share the host's nix-store - # with the VMs to prevent building huge images. - # a host's /nix/store will be picked up so that no - # squashfs/erofs will be built for it. - # - # by this way, /nix/store is readonly in the VM, - # and thus the VM can't run any command that modifies - # the store. such as nix build, nix shell, etc... - # if you want to run nix commands in the VM, see - # https://github.com/astro/microvm.nix/blob/main/doc/src/shares.md#writable-nixstore-overlay - tag = "ro-store"; # Unique virtiofs daemon tag - proto = "virtiofs"; # virtiofs is faster than 9p - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - - hypervisor = "qemu"; - # Control socket for the Hypervisor so that a MicroVM can be shutdown cleanly - socket = "control.socket"; - }; - - system.stateVersion = "24.05"; -} diff --git a/hosts/12kingdoms-suzu/microvm/mitsuha/networking.nix b/hosts/12kingdoms-suzu/microvm/mitsuha/networking.nix deleted file mode 100644 index b0e21862..00000000 --- a/hosts/12kingdoms-suzu/microvm/mitsuha/networking.nix +++ /dev/null @@ -1,19 +0,0 @@ -{myvars, ...}: let - hostName = "mitsuha"; - inherit (myvars.networking) mainGateway nameservers; - inherit (myvars.networking.hostsAddr.${hostName}) ipv4; - - ipv4WithMask = "${ipv4}/24"; -in { - systemd.network.enable = true; - - systemd.network.networks."20-lan" = { - matchConfig.Type = "ether"; - networkConfig = { - Address = [ipv4WithMask]; - Gateway = mainGateway; - DNS = nameservers; - DHCP = "no"; - }; - }; -} diff --git a/hosts/12kingdoms-suzu/microvm/mitsuha/tailscale.nix b/hosts/12kingdoms-suzu/microvm/mitsuha/tailscale.nix deleted file mode 100644 index 359d1148..00000000 --- a/hosts/12kingdoms-suzu/microvm/mitsuha/tailscale.nix +++ /dev/null @@ -1,42 +0,0 @@ -{pkgs, ...}: -# ============================================================= -# -# Tailscale - your own private network(VPN) that uses WireGuard -# -# It's open source and free for personal use, -# and it's really easy to setup and use. -# Tailscale has great client coverage for Linux, windows, Mac, android, and iOS. -# Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker. -# Maybe I'll give netbird/netmaker a try when they are more mature, but for now, I'm sticking with Tailscale. -# -# How to use: -# 1. Create a Tailscale account at https://login.tailscale.com -# 2. Login via `tailscale login` -# 3. join into your Tailscale network via `tailscale up --advertise-routes 192.168.5.0/24` -# 4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below. -# -# Status Data: -# `journalctl -u tailscaled` shows tailscaled's logs -# logs indicate that tailscale store its data in /var/lib/tailscale -# which is already persistent across reboots(via impermanence.nix) -# -# References: -# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/tailscale.nix -# -# ============================================================= -{ - # make the tailscale command usable to users - environment.systemPackages = [pkgs.tailscale]; - - # enable the tailscale service - services.tailscale = { - enable = true; - port = 41641; - interfaceName = "tailscale0"; - # allow the Tailscale UDP port through the firewall - openFirewall = true; - useRoutingFeatures = "server"; - extraUpFlags = "--advertise-routes 192.168.5.0/24"; - # authKeyFile = "/var/lib/tailscale/authkey"; - }; -} diff --git a/hosts/12kingdoms-suzu/microvm/suzi/README.md b/hosts/12kingdoms-suzu/microvm/suzi/README.md deleted file mode 100644 index bf35766b..00000000 --- a/hosts/12kingdoms-suzu/microvm/suzi/README.md +++ /dev/null @@ -1,48 +0,0 @@ -# Dae - NixOS Router - -A router(IPv4 only) with a transparent proxy to bypass the G|F|W. - -NOTE: dae do not provides a http/socks5 proxy server, so a v2ray server is running on -[idols_kana](../idols_kana/proxy.nix) to provides a http/socks5 proxy service. - -## Troubleshooting - -### Can not access the global internet - -1. Check whether the subscription url is accessible. - - If not, then you need to get a new subscription url and update the `dae`'s configuration. -1. Check the `dae` service's log by `journalctl -u dae -n 1000`. - -### DNS cannot be resolved - -1. `sudo systemctl stop dae`, then try to resolve the domain name again. - - If it works, the problem is caused by `dae` service. - - check dae's log by `journalctl -u dae -n 1000` -1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`. - -### DHCP cannot be obtained - -1. `ss -tunlp`, check if `dnsmasq` is running and listening on udp port 67. -1. `journalctl -u dnsmasq -n 1000` to check the log of `dnsmasq`. -1. Request a new IP address by disconnect and reconnect one of your devices' wifi. -1. `nix shell nixpkgs#dhcpdump` and then `sudo dhcpdump -i br-lan`, check if the DHCP request is - received by `dnsmasq`. - 1. The server listens on UDP port number 67, and the client listens on UDP port number 68. - 1. DHCP operations fall into four phases: - 1. Server **discovery**: The DHCP client broadcasts a DHCPDISCOVER message on the network - subnet using the destination address 255.255.255.255 (limited broadcast) or the specific - subnet broadcast address (directed broadcast). - 1. IP lease **offer**: When a DHCP server receives a DHCPDISCOVER message from a client, which - is an IP address lease request, the DHCP server reserves an IP address for the client and - makes a lease offer by sending a DHCPOFFER message to the client. - 1. IP lease **request**: In response to the DHCP offer, the client replies with a DHCPREQUEST - message, broadcast to the server,[a] requesting the offered address. - 1. IP lease **acknowledgement**: When the DHCP server receives the DHCPREQUEST message from - the client, it sends a DHCPACK packet to the client, which includes the lease duration and - any other configuration information that the client might have requested. - 1. So if you see only `DISCOVER` messages, the dhsmasq is not working properly. - -## References - -- -- diff --git a/hosts/12kingdoms-suzu/microvm/suzi/config.dae b/hosts/12kingdoms-suzu/microvm/suzi/config.dae deleted file mode 100644 index 184277eb..00000000 --- a/hosts/12kingdoms-suzu/microvm/suzi/config.dae +++ /dev/null @@ -1,339 +0,0 @@ -# https://github.com/daeuniverse/dae/discussions/81 -# https://github.com/daeuniverse/dae/blob/main/example.dae - -# load all dae files placed in ./config.d/ -include { - config.d/*.dae -} -global { - ##### Software options. - - # tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program. - # In normal case, you do not need to use it. - tproxy_port: 12345 - - # Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed - # iptables tproxy rules. - tproxy_port_protect: true - - # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy - # rules. - so_mark_from_dae: 1 - - # Log level: error, warn, info, debug, trace. - log_level: info - - # Disable waiting for network before pulling subscriptions. - disable_waiting_network: false - - - ##### Interface and kernel options. - - # The LAN interface to bind. Use it if you want to proxy LAN. - # Multiple interfaces split by ",". - lan_interface: br-lan - - # The WAN interface to bind. Use it if you want to proxy localhost. - # Multiple interfaces split by ",". Use "auto" to auto detect. - # - # Disable this to avoid problems with the proxy server that prevent the subscription link from being updated - # wan_interface: auto - - # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out - # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do. - auto_config_kernel_parameter: false - - ##### Node connectivity check. - - # Host of URL should have both IPv4 and IPv6 if you have double stack in local. - # First is URL, others are IP addresses if given. - # Considering traffic consumption, it is recommended to choose a site with anycast IP and less response. - #tcp_check_url: 'http://cp.cloudflare.com' - tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111' - - # The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass - # accounting for this kind of traffic. - tcp_check_http_method: HEAD - - # This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check - # TCP DNS connectivity of nodes. - # First is URL, others are IP addresses if given. - # This DNS should have both IPv4 and IPv6 if you have double stack in local. - #udp_check_dns: 'dns.google.com:53' - udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888' - - check_interval: 30s - - # Group will switch node only when new_latency <= old_latency - tolerance. - check_tolerance: 50ms - - - ##### Connecting options. - - # Optional values of dial_mode are: - # 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path - # respectively, and makes the IP version requested by the application meet expectations. For example, if you - # use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6. - # This may solve some weird full-cone problem if your are be your node support that. Sniffing will be disabled - # in this mode. - # 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent - # if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will - # re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing. - # That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it. - # 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose - # DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not - # go through dae, dae cannot split traffic by domain. - # 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover - # domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources. - dial_mode: domain - - # Allow insecure TLS certificates. It is not recommended to turn it on unless you have to. - allow_insecure: false - - # Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful - # in high latency LAN network. - sniffing_timeout: 100ms - - # TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello. - tls_implementation: tls - - # The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls. - # See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17 - utls_imitate: chrome_auto -} - -# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples. -dns { - # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only - # respond to type A queries and response empty answer to type AAAA queries. - ipversion_prefer: 4 - - # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results - # for these domains. - #fixed_domain_ttl { - # ddns.example.org: 10 - # test.example.org: 3600 - #} - - upstream { - # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp. - # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose - # IPv4 or IPv6 to use according to group policy (such as min latency policy). - # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing. - # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended. - - alidns: 'udp://223.5.5.5:53' - googledns: 'tcp+udp://8.8.8.8:53' - } - routing { - # According to the request of dns query, decide to use which DNS upstream. - # Match rules from top to bottom. - request { - # Lookup China mainland domains using alidns, otherwise googledns. - qname(geosite:cn) -> alidns - # fallback is also called default. - fallback: googledns - - # other custom rules - qname(full:analytics.google.com) -> googledns # do not block google analytics(console) - qname(regex: '.+\.nixos.org$') -> googledns - qname(geosite:category-ads) -> reject - qname(geosite:category-ads-all) -> reject - qtype(aaaa) -> reject - qname(regex: '.+\.linkedin$') -> googledns - } - - # According to the response of dns query, decide to accept or re-lookup using another DNS upstream. - # Match rules from top to bottom. - response { - # Trusted upstream. Always accept its result. - upstream(googledns) -> accept - - # Possibly polluted(domain resolved to a private ip), re-lookup using googledns. - ip(geoip:private) && !qname(geosite:cn) -> googledns - - fallback: accept - } - } -} - -# Node group (outbound). -group { - proxy { - filter: name(keyword: 'Hong Kong') - filter: name(keyword: '香港') - filter: name(keyword: 'Singapore') - filter: name(keyword: '新加坡') - # Filter nodes and give a fixed latency offset to archive latency-based failover. - # In this example, there is bigger possibility to choose US node even if original latency of US node is higher. - filter: name(keyword: 'USA') [add_latency: -500ms] - filter: name(keyword: '美国') [add_latency: -500ms] - filter: name(keyword: 'UK') [add_latency: -300ms] - # filter: name(keyword: '英国') [add_latency: -300ms] - # filter: name(keyword: 'Japan') [add_latency: 300ms] - # filter: name(keyword: '日本') [add_latency: 300ms] - - # Other filters: - # Filter nodes from the global node pool defined by the subscription and node section above. - # filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:') - # Filter nodes from the global node pool defined by tag. - # filter: name('node_a','node_b') - - # Select the node with min average of the last 10 latencies from the group for every connection. - policy: min_avg10 - # Other policies: - # random - Randomly select a node from the group for every connection. - # fixed(0) - Select the first node from the group for every connection. - # min - Select the node with min last latency from the group for every connection. - # min_moving_avg - Select the node with min moving average of latencies from the group for every connection. - } - - media { - filter: name(keyword: 'Hong Kong') - filter: name(keyword: '香港') - filter: name(keyword: 'Singapore') - filter: name(keyword: '新加坡') - filter: name(keyword: 'USA') [add_latency: -500ms] - filter: name(keyword: '美国') [add_latency: -500ms] - filter: name(keyword: 'UK') [add_latency: -300ms] - filter: name(keyword: '英国') [add_latency: -300ms] - filter: name(keyword: 'Japan') [add_latency: 300ms] - filter: name(keyword: '日本') [add_latency: 300ms] - - policy: min_avg10 - } - - ssh-proxy { - filter: name(keyword: 'UK') - filter: name(keyword: '英国') - policy: min_avg10 - } - - proxy-random { - filter: name(keyword: 'UK') - filter: name(keyword: '英国') - policy: random - } - - sg { - filter: name(keyword: 'Singapore') - filter: name(keyword: '新加坡') - policy: min_avg10 - } - - usa { - filter: name(keyword: 'USA') - filter: name(keyword: '美国') - policy: min_avg10 - } -} - -# Ref: https://github.com/v2fly/domain-list-community -# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples. -# Pname has the highest priority, so should be placed in the front. -# Priority of other rules is the same as the order of the rules defined in this file. -routing { - ### Preset rules. - - # Network managers in localhost should be direct to - # avoid false negative network connectivity check when binding to WAN. - pname(NetworkManager) -> direct - pname(systemd-networkd) -> direct - - # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being - # forwarded by the proxy. - # "dip" means destination IP. - dip(224.0.0.0/3, 'ff00::/8') -> direct - - # This line allows you to access private addresses directly instead of via your proxy. If you really want to access - # private addresses in your proxy host network, modify the below line. - dip(geoip:private) -> direct - - # --- Core rules ---# - - # Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources. - l4proto(udp) && dport(443) -> block - - # Direct access to all Chinese mainland-related IP addresses - dip(geoip:cn) -> direct - domain(geosite:cn) -> direct - - # Block ads - domain(full:analytics.google.com) -> proxy # do not block google analytics(console) - domain(geosite:category-ads) -> block - domain(geosite:category-ads-all) -> block - - # DNS - dip(8.8.8.8, 8.8.4.4) -> proxy - dip(223.5.5.5, 223.6.6.6) -> direct - domain(full:dns.alidns.com) -> direct - domain(full:dns.googledns.com) -> proxy - domain(full:dns.opendns.com) -> proxy - - # --- Rules for other commonly used sites ---# - - # SSH - tcp port 22 is blocked by many proxy servers. - dport(22) && !dip(geoip:cn) && !domain(geosite:cn) -> ssh-proxy - - ### GitHub / Docker Hub - ### randomly select a node from the group for every connection - ### to avoid the rate limit of GitHub API and Docker Hub API - domain(geosite:github) -> proxy-random - domain(geosite:docker) -> proxy-random - - ### OpenAI - domain(geosite:openai) -> sg - domain(regex:'.+\.openai$') -> sg - - # Steam - domain(suffix: steampowered.com) -> direct - domain(suffix: steamserver.net) -> direct - domain(geosite:steam@cn) -> direct - domain(geosite:steam) -> proxy - - ### Media - domain(geosite:netflix) -> media - - ### Proxy - domain(suffix: linkedin.com) -> proxy - domain(keyword:'linkedin') -> proxy - domain(regex:'.+\.linkedin\.com$') -> proxy - domain(regex:'.+\.quay\.io$') -> proxy - domain(regex:'.+\.notion\.so$') -> proxy - domain(regex:'.+\.amazon\.com$') -> proxy - domain(regex:'.+\.oracle\.com$') -> proxy - domain(regex:'.+\.docker\.com$') -> proxy - domain(regex:'.+\.kubernetes\.io$') -> proxy - domain(regex:'.+\.nixos\.org$') -> proxy - - domain(geosite:microsoft) -> proxy - domain(geosite:linkedin) -> proxy - domain(geosite:twitter) -> proxy - domain(geosite:telegram) -> proxy - domain(geosite:google) -> proxy - domain(geosite:apple) -> proxy - domain(geosite:category-container) -> proxy - domain(geosite:category-dev) -> proxy - domain(geosite:google-scholar) -> proxy - domain(geosite:category-scholar-!cn) -> proxy - - ### Direct - domain(regex:'.+\.edu\.cn$') -> direct - domain(keyword:'baidu') -> direct - domain(keyword:'bilibili') -> direct - domain(keyword:'taobao') -> direct - domain(keyword:'alibabadns') -> direct - domain(keyword:'alicdn') -> direct - domain(keyword:'tbcache') -> direct - domain(keyword:'zhihu') -> direct - domain(keyword:'douyu') -> direct - domain(geosite:cloudflare-cn) -> direct - - # --- Fallback rules ---# - - # Access all other foreign sites - domain(geosite:geolocation-!cn) -> proxy - !dip(geoip:cn) -> proxy - - fallback: direct -} diff --git a/hosts/12kingdoms-suzu/microvm/suzi/dae.nix b/hosts/12kingdoms-suzu/microvm/suzi/dae.nix deleted file mode 100644 index 8ede1b82..00000000 --- a/hosts/12kingdoms-suzu/microvm/suzi/dae.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ - config, - pkgs, - daeuniverse, - ... -}: -# https://github.com/daeuniverse/flake.nix -let - daeConfigPath = "/etc/dae/config.dae"; - subscriptionConfigPath = "/etc/dae/config.d/subscription.dae"; -in { - imports = [ - daeuniverse.nixosModules.dae - ]; - - # dae - eBPF-based Linux high-performance transparent proxy. - services.dae = { - enable = true; - package = daeuniverse.packages.${pkgs.system}.dae; - disableTxChecksumIpGeneric = false; - configFile = daeConfigPath; - assets = with pkgs; [v2ray-geoip v2ray-domain-list-community]; - # alternatively, specify assets dir - # assetsPath = "/etc/dae"; - openFirewall = { - enable = true; - port = 12345; - }; - }; - - systemd.services.dae.serviceConfig = { - Restart = "on-failure"; - RestartSec = 10; - }; - - # dae supports two types of subscriptions: base64 encoded proxies, and sip008. - # subscription can be a url return the subscription, or a file path that contains the subscription. - # - # Nix decrypt and merge my dae's base config and subscription config here. - # the subscription config is something like: - # ``` - # subscription { - # 'https://www.example.com/subscription/link' - # 'https://example.com/no_tag_link' - # } - # node { - # # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity - # node_a: 'trojan://' - # node_b: 'trojan://' - # node_c: 'vless://' - # node_d: 'vless://' - # node_e: 'vmess://' - # node_f: 'tuic://' - # node_h: 'juicity://' - # } - # ``` - system.activationScripts.installDaeConfig = '' - install -Dm 600 ${./config.dae} ${daeConfigPath} - install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath} - ''; -} diff --git a/hosts/12kingdoms-suzu/microvm/suzi/default.nix b/hosts/12kingdoms-suzu/microvm/suzi/default.nix deleted file mode 100644 index 67e9eee0..00000000 --- a/hosts/12kingdoms-suzu/microvm/suzi/default.nix +++ /dev/null @@ -1,70 +0,0 @@ -{mylib, ...}: { - imports = - (mylib.scanPaths ./.) - ++ [ - ../../../../secrets/nixos.nix - ../../../../modules/nixos/base/ssh.nix - ../../../../modules/nixos/base/user-group.nix - ../../../../modules/base.nix - ]; - - modules.secrets.server.network.enable = true; - - microvm = { - mem = 1024; # RAM allocation in MB - vcpu = 1; # Number of Virtual CPU cores - - interfaces = [ - { - type = "tap"; - id = "vm-suzi"; # should be prefixed with "vm-" - mac = "02:00:00:00:00:01"; # unique MAC address - } - ]; - - # Block device images for persistent storage - # microvm use tmpfs for root(/), so everything else - # is ephemeral and will be lost on reboot. - # - # you can check this by running `df -Th` & `lsblk` in the VM. - volumes = [ - { - mountPoint = "/var"; - image = "var.img"; - size = 512; - } - { - mountPoint = "/etc"; - image = "etc.img"; - size = 50; - } - ]; - - # shares can not be set to `neededForBoot = true;` - # so if you try to use a share in boot script(such as system.activationScripts), it will fail! - shares = [ - { - # It is highly recommended to share the host's nix-store - # with the VMs to prevent building huge images. - # a host's /nix/store will be picked up so that no - # squashfs/erofs will be built for it. - # - # by this way, /nix/store is readonly in the VM, - # and thus the VM can't run any command that modifies - # the store. such as nix build, nix shell, etc... - # if you want to run nix commands in the VM, see - # https://github.com/astro/microvm.nix/blob/main/doc/src/shares.md#writable-nixstore-overlay - tag = "ro-store"; # Unique virtiofs daemon tag - proto = "virtiofs"; # virtiofs is faster than 9p - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - - hypervisor = "qemu"; - # Control socket for the Hypervisor so that a MicroVM can be shutdown cleanly - socket = "control.socket"; - }; - - system.stateVersion = "24.05"; -} diff --git a/hosts/12kingdoms-suzu/microvm/suzi/networking.nix b/hosts/12kingdoms-suzu/microvm/suzi/networking.nix deleted file mode 100644 index 1bbc922b..00000000 --- a/hosts/12kingdoms-suzu/microvm/suzi/networking.nix +++ /dev/null @@ -1,180 +0,0 @@ -{ - lib, - myvars, - ... -}: let - hostName = "suzi"; - inherit (myvars.networking) mainGateway nameservers; - inherit (myvars.networking.hostsAddr.${hostName}) ipv4; - - ipv4WithMask = "${ipv4}/24"; - dhcpRange = { - start = "192.168.5.5"; - end = "192.168.5.99"; - }; -in { - boot.kernel.sysctl = { - # https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md - # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md - # forward network packets that are not destined for the interface on which they were received - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - "net.ipv4.conf.br-lan.rp_filter" = 1; - "net.ipv4.conf.br-lan.send_redirects" = 0; - }; - - # Docker uses iptables internally to setup NAT for containers. - # This module disables the ip_tables kernel module, which is required for nftables to work. - # So make sure to disable docker here. - virtualisation.docker.enable = lib.mkForce false; - networking = { - useNetworkd = true; - - useDHCP = false; - networkmanager.enable = false; - wireless.enable = false; # Enables wireless support via wpa_supplicant. - # No local firewall. - nat.enable = false; - firewall.enable = false; - - # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nftables.nix - nftables = { - enable = true; - # Check the applied rules with `nft -a list ruleset`. - # Since this is a internal bypass router, we don't need to do NAT & can forward all traffic. - ruleset = '' - # Check out https://wiki.nftables.org/ for better documentation. - # Table for both IPv4 and IPv6. - table inet filter { - chain input { - type filter hook input priority 0; - - # accept any localhost traffic - iifname lo accept - - # accept any lan traffic - iifname br-lan accept - - # count and drop any other traffic - counter drop - } - - # Allow all outgoing connections. - chain output { - type filter hook output priority 0; - accept - } - - # Allow all forwarding all traffic. - chain forward { - type filter hook forward priority 0; - accept - } - } - ''; - }; - }; - - # https://nixos.wiki/wiki/Systemd-networkd - systemd.network = { - netdevs = { - # Create the bridge interface - "20-br-lan" = { - netdevConfig = { - Kind = "bridge"; - Name = "br-lan"; - }; - }; - }; - # This is a bypass router, so we do not need a wan interface here. - networks = { - "30-lan0" = { - # match the interface by type - matchConfig.Type = "ether"; - # Connect to the bridge - networkConfig = { - Bridge = "br-lan"; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - }; - # Configure the bridge device we just created - "40-br-lan" = { - matchConfig.Name = "br-lan"; - address = [ - # configure addresses including subnet mask - ipv4WithMask # forwards all traffic to the gateway except for the router address itself - ]; - routes = [ - # forward all traffic to the main gateway - {routeConfig.Gateway = mainGateway;} - ]; - bridgeConfig = {}; - linkConfig.RequiredForOnline = "routable"; - }; - }; - }; - - # resolved is conflict with dnsmasq - services.resolved.enable = false; - services.dnsmasq = { - enable = true; - # resolve local queries (add 127.0.0.1 to /etc/resolv.conf) - resolveLocalQueries = true; # may be conflict with dae, disable this. - alwaysKeepRunning = true; - # https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=tree - settings = { - # upstream DNS servers - server = nameservers; - # forces dnsmasq to try each query with each server strictly - # in the order they appear in the config. - strict-order = true; - - # Never forward plain names (without a dot or domain part) - domain-needed = true; - # Never forward addresses in the non-routed address spaces(e.g. private IP). - bogus-priv = true; - # don't needlessly read /etc/resolv.conf which only contains the localhost addresses of dnsmasq itself. - no-resolv = true; - - # Cache dns queries. - cache-size = 1000; - - dhcp-range = ["${dhcpRange.start},${dhcpRange.end},24h"]; - interface = "br-lan"; - dhcp-sequential-ip = true; - dhcp-option = [ - # Override the default route supplied by dnsmasq, which assumes the - # router is the same machine as the one running dnsmasq. - "option:router,${ipv4}" - "option:dns-server,${ipv4}" - ]; - - # local domains - local = "/lan/"; - domain = "lan"; - expand-hosts = true; - - # don't use /etc/hosts - no-hosts = true; - address = [ - # "/surfer.lan/192.168.10.1" - ]; - }; - }; - - # monitoring with prometheus - # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix - services.prometheus.exporters.dnsmasq = { - enable = true; - listenAddress = "0.0.0.0"; - port = 9153; - openFirewall = false; - leasesPath = "/var/lib/dnsmasq/dnsmasq.leases"; - }; - - # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of - # letting the first CPU core to handle everything. - # This is supposed to increase performance by hitting CPU cache more often. - services.irqbalance.enable = false; -} diff --git a/hosts/12kingdoms-suzu/networking.nix b/hosts/12kingdoms-suzu/networking.nix deleted file mode 100644 index dbe07fa5..00000000 --- a/hosts/12kingdoms-suzu/networking.nix +++ /dev/null @@ -1,45 +0,0 @@ -{myvars, ...}: let - hostName = "suzu"; - inherit (myvars.networking) mainGateway nameservers; - inherit (myvars.networking.hostsAddr.${hostName}) iface ipv4; - - ipv4WithMask = "${ipv4}/24"; -in { - boot.kernel.sysctl = { - # forward network packets that are not destined for the interface on which they were received - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - - networking.useNetworkd = true; - systemd.network.enable = true; - - # A bridge to link all VM's TAP interfaces into local network. - # https://github.com/astro/microvm.nix/blob/main/doc/src/simple-network.md - systemd.network.networks."10-lan" = { - # match on the main interface and all VM interfaces - matchConfig.Name = [iface "vm-*"]; - networkConfig = { - Bridge = "br0"; - }; - }; - - systemd.network.netdevs."br0" = { - netdevConfig = { - Name = "br0"; - Kind = "bridge"; - }; - }; - - # Add ipv4 address to the bridge. - systemd.network.networks."10-lan-bridge" = { - matchConfig.Name = "br0"; - networkConfig = { - Address = [ipv4WithMask]; - Gateway = mainGateway; - DNS = nameservers; - IPv6AcceptRA = true; - }; - linkConfig.RequiredForOnline = "routable"; - }; -} diff --git a/hosts/README.md b/hosts/README.md index 4457bf95..b1585e93 100644 --- a/hosts/README.md +++ b/hosts/README.md @@ -2,13 +2,6 @@ 1. `12kingdoms`: 1. `shoukei`: NixOS on Macbook Pro 2020 Intel i5, 13.3-inch, 16G RAM + 512G SSD. - 1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM + - 256G SSD. - - Network related services running via microvm.nix, such as router(transparent proxy - dae), - tailscale subrouter, etc. - 1. `rakushun`: Orange Pi 5 Plus, RK3588(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), - 16G RAM + 2T SSD. - - Not used now. 1. `darwin`(macOS) 1. `fern`: MacBook Pro 2022 13-inch M2 16G, mainly for business. 1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use. @@ -20,9 +13,8 @@ and other services. 3. `ruby`: Not used now. 4. `kana`: Not used now. -1. `rolling_girls`: My RISCV64 hosts. - 1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 16GB RAM + 32G eMMC + 128G SD Card. - 2. `yukina`: Milk-V Mars, JH7110(4xU74@1.5 GHz), 4G RAM + No eMMC + 64G SD Card. +1. Other aarch64/riscv64 SBCs: + [ryan4yin/nixos-config-sbc](https://github.com/ryan4yin/nixos-config-sbc) ## How to add a new host diff --git a/hosts/rolling-girls-nozomi/default.nix b/hosts/rolling-girls-nozomi/default.nix deleted file mode 100644 index b524d853..00000000 --- a/hosts/rolling-girls-nozomi/default.nix +++ /dev/null @@ -1,78 +0,0 @@ -{ - nixos-licheepi4a, - myvars, - ... -}: -############################################################# -# -# Nozomi - NixOS configuration for Lichee Pi 4A -# -############################################################# -let - hostName = "nozomi"; # Define your hostname. -in { - imports = [ - # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware - (nixos-licheepi4a + "/modules/licheepi4a.nix") - # import the sd-image module, which contains the fileSystems & kernel parameters for booting from sd card. - (nixos-licheepi4a + "/modules/sd-image/sd-image-lp4a.nix") - ]; - - # Set static IP address / gateway / DNS servers. - networking = { - inherit hostName; - inherit (myvars.networking) defaultGateway nameservers; - inherit (myvars.networking.hostsInterface.${hostName}) interfaces; - - wireless = { - # https://wiki.archlinux.org/title/wpa_supplicant - enable = true; - # The path to the file containing the WPA passphrase. - # secrets are not supported well on riscv64, I nned to create this file manually. - # Format: "PSK_WEMEET_PRIVATE_WIFI=your_password" - environmentFile = "/etc/wpa_supplicant.env"; - # The network definitions to automatically connect to when wpa_supplicant is running. - networks = { - # read WPAPSK from environmentFile - "shadow_light_ryan".psk = "@PSK_WEMEET_PRIVATE_WIFI@"; - }; - }; - - # Failed to enable firewall due to the following error: - # firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported - firewall.enable = false; - - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # LPI4A's first ethernet interface - # interfaces.end0 = { - # useDHCP = false; - # ipv4.addresses = [ - # { - # address = "192.168.5.104"; - # prefixLength = 24; - # } - # ]; - # }; - # LPI4A's second ethernet interface - # interfaces.end1 = { - # useDHCP = false; - # ipv4.addresses = [ - # { - # address = "192.168.xx.xx"; - # prefixLength = 24; - # } - # ]; - # }; - }; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? -} diff --git a/hosts/rolling-girls-yukina/default.nix b/hosts/rolling-girls-yukina/default.nix deleted file mode 100644 index 0508ac61..00000000 --- a/hosts/rolling-girls-yukina/default.nix +++ /dev/null @@ -1,78 +0,0 @@ -{ - nixos-licheepi4a, - myvars, - ... -}: -############################################################# -# -# Yukina - NixOS configuration for Lichee Pi 4A -# -############################################################# -let - hostName = "yukina"; # Define your hostname. -in { - imports = [ - # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware - (nixos-licheepi4a + "/modules/licheepi4a.nix") - # import the sd-image module, which contains the fileSystems & kernel parameters for booting from sd card. - (nixos-licheepi4a + "/modules/sd-image/sd-image-lp4a.nix") - ]; - - # Set static IP address / gateway / DNS servers. - networking = { - inherit hostName; - inherit (myvars.networking) defaultGateway nameservers; - inherit (myvars.networking.hostsInterface.${hostName}) interfaces; - - wireless = { - # https://wiki.archlinux.org/title/wpa_supplicant - enable = true; - # The path to the file containing the WPA passphrase. - # secrets are not supported well on riscv64, I nned to create this file manually. - # Format: "PSK_WEMEET_PRIVATE_WIFI=your_password" - environmentFile = "/etc/wpa_supplicant.env"; - # The network definitions to automatically connect to when wpa_supplicant is running. - networks = { - # read WPAPSK from environmentFile - "shadow_light_ryan".psk = "@PSK_WEMEET_PRIVATE_WIFI@"; - }; - }; - - # Failed to enable firewall due to the following error: - # firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported - firewall.enable = false; - - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # LPI4A's first ethernet interface - # interfaces.end0 = { - # useDHCP = false; - # ipv4.addresses = [ - # { - # address = "192.168.5.104"; - # prefixLength = 24; - # } - # ]; - # }; - # LPI4A's second ethernet interface - # interfaces.end1 = { - # useDHCP = false; - # ipv4.addresses = [ - # { - # address = "192.168.xx.xx"; - # prefixLength = 24; - # } - # ]; - # }; - }; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? -} diff --git a/outputs/aarch64-linux/default.nix b/outputs/aarch64-linux/default.nix deleted file mode 100644 index c800eee1..00000000 --- a/outputs/aarch64-linux/default.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ - lib, - inputs, - ... -} @ args: let - inherit (inputs) haumea; - - # Contains all the flake outputs of this system architecture. - data = haumea.lib.load { - src = ./src; - inputs = args; - }; - # nix file names is redundant, so we remove it. - dataWithoutPaths = builtins.attrValues data; - - # Merge all the machine's data into a single attribute set. - outputs = { - nixosConfigurations = lib.attrsets.mergeAttrsList (map (it: it.nixosConfigurations or {}) dataWithoutPaths); - packages = lib.attrsets.mergeAttrsList (map (it: it.packages or {}) dataWithoutPaths); - # colmena contains some meta info, which need to be merged carefully. - colmenaMeta = { - nodeNixpkgs = lib.attrsets.mergeAttrsList (map (it: it.colmenaMeta.nodeNixpkgs or {}) dataWithoutPaths); - nodeSpecialArgs = lib.attrsets.mergeAttrsList (map (it: it.colmenaMeta.nodeSpecialArgs or {}) dataWithoutPaths); - }; - # colmena's per-machine data. - colmena = lib.attrsets.mergeAttrsList (map (it: it.colmena or {}) dataWithoutPaths); - }; -in - outputs - // { - inherit data; # for debugging purposes - - # NixOS's unit tests. - evalTests = haumea.lib.loadEvalTests { - src = ./tests; - inputs = args // {inherit outputs;}; - }; - } diff --git a/outputs/aarch64-linux/src/12kingdoms-rakushun.nix b/outputs/aarch64-linux/src/12kingdoms-rakushun.nix deleted file mode 100644 index df5a4c31..00000000 --- a/outputs/aarch64-linux/src/12kingdoms-rakushun.nix +++ /dev/null @@ -1,67 +0,0 @@ -{ - # NOTE: the args not used in this file CAN NOT be removed! - # because haumea pass argument lazily, - # and these arguments are used in the functions like `mylib.nixosSystem`, `mylib.colmenaSystem`, etc. - inputs, - lib, - mylib, - myvars, - system, - genSpecialArgs, - ... -} @ args: let - # 楽俊, Rakushun - name = "rakushun"; - tags = [name "aarch"]; - ssh-user = "root"; - - modules = { - nixos-modules = - (map mylib.relativeToRoot [ - "secrets/nixos.nix" - "modules/nixos/server/server-aarch64.nix" - # host specific modules - "hosts/12kingdoms-${name}" - ]) - ++ [ - ]; - home-modules = - map mylib.relativeToRoot [ - ]; - }; - - inherit (inputs) nixos-rk3588; - baseSpecialArgs = genSpecialArgs system; - - rk3588Pkgs = import nixos-rk3588.inputs.nixpkgs {inherit system;}; - rk3588SpecialArgs = let - # using the same nixpkgs as nixos-rk3588 - inherit (nixos-rk3588.inputs) nixpkgs; - # use aarch64-linux's native toolchain - pkgsKernel = import nixpkgs {inherit system;}; - in - baseSpecialArgs - // { - inherit nixpkgs; - # Provide rk3588 inputs as special argument - rk3588 = {inherit nixpkgs pkgsKernel;}; - }; - - rk3588SystemArgs = - modules - // args - // { - inherit (nixos-rk3588.inputs) nixpkgs; # or nixpkgs-unstable - specialArgs = rk3588SpecialArgs; - }; -in { - nixosConfigurations.${name} = mylib.nixosSystem rk3588SystemArgs; - - colmenaMeta = { - nodeSpecialArgs.${name} = rk3588SpecialArgs; - nodeNixpkgs.${name} = rk3588Pkgs; - }; - colmena.${name} = - mylib.colmenaSystem - (rk3588SystemArgs // {inherit tags ssh-user;}); -} diff --git a/outputs/aarch64-linux/src/12kingdoms-suzu.nix b/outputs/aarch64-linux/src/12kingdoms-suzu.nix deleted file mode 100644 index 9d0c6d00..00000000 --- a/outputs/aarch64-linux/src/12kingdoms-suzu.nix +++ /dev/null @@ -1,65 +0,0 @@ -{ - # NOTE: the args not used in this file CAN NOT be removed! - # because haumea pass argument lazily, - # and these arguments are used in the functions like `mylib.nixosSystem`, `mylib.colmenaSystem`, etc. - inputs, - lib, - mylib, - myvars, - system, - genSpecialArgs, - ... -} @ args: let - # 大木 鈴, Ōki Suzu - name = "suzu"; - tags = [name "aarch"]; - ssh-user = "root"; - - modules = { - nixos-modules = - (map mylib.relativeToRoot [ - "secrets/nixos.nix" - "modules/nixos/server/server-aarch64.nix" - # host specific modules - "hosts/12kingdoms-${name}" - ]) - ++ [ - {modules.secrets.server.network.enable = true;} - ]; - }; - - inherit (inputs) nixos-rk3588; - baseSpecialArgs = genSpecialArgs system; - - rk3588Pkgs = import nixos-rk3588.inputs.nixpkgs {inherit system;}; - rk3588SpecialArgs = let - # using the same nixpkgs as nixos-rk3588 - inherit (nixos-rk3588.inputs) nixpkgs; - # use aarch64-linux's native toolchain - pkgsKernel = import nixpkgs {inherit system;}; - in - baseSpecialArgs - // { - inherit nixpkgs; - # Provide rk3588 inputs as special argument - rk3588 = {inherit nixpkgs pkgsKernel;}; - }; - - rk3588SystemArgs = - modules - // args - // { - inherit (nixos-rk3588.inputs) nixpkgs; # or nixpkgs-unstable - specialArgs = rk3588SpecialArgs; - }; -in { - nixosConfigurations.${name} = mylib.nixosSystem rk3588SystemArgs; - - colmenaMeta = { - nodeSpecialArgs.${name} = rk3588SpecialArgs; - nodeNixpkgs.${name} = rk3588Pkgs; - }; - colmena.${name} = - mylib.colmenaSystem - (rk3588SystemArgs // {inherit tags ssh-user;}); -} diff --git a/outputs/aarch64-linux/tests/hostname/expected.nix b/outputs/aarch64-linux/tests/hostname/expected.nix deleted file mode 100644 index 0ab7728b..00000000 --- a/outputs/aarch64-linux/tests/hostname/expected.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - lib, - outputs, -}: let - hostsNames = builtins.attrNames outputs.nixosConfigurations; - expected = lib.genAttrs hostsNames (name: name); -in - expected diff --git a/outputs/aarch64-linux/tests/hostname/expr.nix b/outputs/aarch64-linux/tests/hostname/expr.nix deleted file mode 100644 index 6f6c291a..00000000 --- a/outputs/aarch64-linux/tests/hostname/expr.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ - lib, - outputs, -}: -lib.genAttrs -(builtins.attrNames outputs.nixosConfigurations) -( - name: outputs.nixosConfigurations.${name}.config.networking.hostName -) diff --git a/outputs/aarch64-linux/tests/kernel/expected.nix b/outputs/aarch64-linux/tests/kernel/expected.nix deleted file mode 100644 index 677d30f4..00000000 --- a/outputs/aarch64-linux/tests/kernel/expected.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - lib, - outputs, -}: let - hostsNames = builtins.attrNames outputs.nixosConfigurations; - expected = lib.genAttrs hostsNames (_: true); -in - expected diff --git a/outputs/aarch64-linux/tests/kernel/expr.nix b/outputs/aarch64-linux/tests/kernel/expr.nix deleted file mode 100644 index 1e0e72e0..00000000 --- a/outputs/aarch64-linux/tests/kernel/expr.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ - lib, - outputs, -}: -lib.genAttrs -(builtins.attrNames outputs.nixosConfigurations) -( - # test only if kernelPackages is set, to avoid build the kernel. - # name: outputs.nixosConfigurations.${name}.config.boot.kernelPackages.kernel.system - name: outputs.nixosConfigurations.${name}.config.boot.kernelPackages != null -) diff --git a/outputs/default.nix b/outputs/default.nix index 195bbab6..b53272f8 100644 --- a/outputs/default.nix +++ b/outputs/default.nix @@ -34,8 +34,8 @@ # modules for each supported system nixosSystems = { x86_64-linux = import ./x86_64-linux (args // {system = "x86_64-linux";}); - aarch64-linux = import ./aarch64-linux (args // {system = "aarch64-linux";}); - riscv64-linux = import ./riscv64-linux (args // {system = "riscv64-linux";}); + # aarch64-linux = import ./aarch64-linux (args // {system = "aarch64-linux";}); + # riscv64-linux = import ./riscv64-linux (args // {system = "riscv64-linux";}); }; darwinSystems = { aarch64-darwin = import ./aarch64-darwin (args // {system = "aarch64-darwin";}); diff --git a/outputs/riscv64-linux/default.nix b/outputs/riscv64-linux/default.nix deleted file mode 100644 index c800eee1..00000000 --- a/outputs/riscv64-linux/default.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ - lib, - inputs, - ... -} @ args: let - inherit (inputs) haumea; - - # Contains all the flake outputs of this system architecture. - data = haumea.lib.load { - src = ./src; - inputs = args; - }; - # nix file names is redundant, so we remove it. - dataWithoutPaths = builtins.attrValues data; - - # Merge all the machine's data into a single attribute set. - outputs = { - nixosConfigurations = lib.attrsets.mergeAttrsList (map (it: it.nixosConfigurations or {}) dataWithoutPaths); - packages = lib.attrsets.mergeAttrsList (map (it: it.packages or {}) dataWithoutPaths); - # colmena contains some meta info, which need to be merged carefully. - colmenaMeta = { - nodeNixpkgs = lib.attrsets.mergeAttrsList (map (it: it.colmenaMeta.nodeNixpkgs or {}) dataWithoutPaths); - nodeSpecialArgs = lib.attrsets.mergeAttrsList (map (it: it.colmenaMeta.nodeSpecialArgs or {}) dataWithoutPaths); - }; - # colmena's per-machine data. - colmena = lib.attrsets.mergeAttrsList (map (it: it.colmena or {}) dataWithoutPaths); - }; -in - outputs - // { - inherit data; # for debugging purposes - - # NixOS's unit tests. - evalTests = haumea.lib.loadEvalTests { - src = ./tests; - inputs = args // {inherit outputs;}; - }; - } diff --git a/outputs/riscv64-linux/src/rolling-girls-nozomi.nix b/outputs/riscv64-linux/src/rolling-girls-nozomi.nix deleted file mode 100644 index 80152720..00000000 --- a/outputs/riscv64-linux/src/rolling-girls-nozomi.nix +++ /dev/null @@ -1,60 +0,0 @@ -{ - # NOTE: the args not used in this file CAN NOT be removed! - # because haumea pass argument lazily, - # and these arguments are used in the functions like `mylib.nixosSystem`, `mylib.colmenaSystem`, etc. - inputs, - lib, - mylib, - myvars, - system, - genSpecialArgs, - ... -} @ args: let - # 森友 望未, Moritomo Nozomi - name = "nozomi"; - tags = [name "riscv"]; - ssh-user = "root"; - - modules = { - nixos-modules = - (map mylib.relativeToRoot [ - "modules/nixos/server/server-riscv64.nix" - # host specific modules - "hosts/rolling-girls-${name}" - ]) - ++ [ - # cross-compilation this flake. - {nixpkgs.crossSystem.system = "riscv64-linux";} - ]; - }; - - inherit (inputs) nixos-licheepi4a; - baseSpecialArgs = genSpecialArgs system; - - # using the same nixpkgs as nixos-licheepi4a to utilize the cross-compilation cache. - lpi4aPkgs = import nixos-licheepi4a.inputs.nixpkgs {inherit system;}; - lpi4aSpecialArgs = - baseSpecialArgs - // { - inherit (nixos-licheepi4a.inputs) nixpkgs; - pkgsKernel = nixos-licheepi4a.packages.${system}.pkgsKernelCross; - } - // args; - lpi4aSystemArgs = - modules - // args - // { - inherit (nixos-licheepi4a.inputs) nixpkgs; - specialArgs = lpi4aSpecialArgs; - }; -in { - nixosConfigurations.${name} = mylib.nixosSystem lpi4aSystemArgs; - - colmenaMeta = { - nodeSpecialArgs.${name} = lpi4aSpecialArgs; - nodeNixpkgs.${name} = lpi4aPkgs; - }; - colmena.${name} = - mylib.colmenaSystem - (lpi4aSystemArgs // {inherit tags ssh-user;}); -} diff --git a/outputs/riscv64-linux/src/rolling-girls-yukina.nix b/outputs/riscv64-linux/src/rolling-girls-yukina.nix deleted file mode 100644 index a54fbaa2..00000000 --- a/outputs/riscv64-linux/src/rolling-girls-yukina.nix +++ /dev/null @@ -1,60 +0,0 @@ -{ - # NOTE: the args not used in this file CAN NOT be removed! - # because haumea pass argument lazily, - # and these arguments are used in the functions like `mylib.nixosSystem`, `mylib.colmenaSystem`, etc. - inputs, - lib, - mylib, - myvars, - system, - genSpecialArgs, - ... -} @ args: let - # 小坂 結季奈, Kosaka Yukina - name = "yukina"; - tags = [name "riscv"]; - ssh-user = "root"; - - modules = { - nixos-modules = - (map mylib.relativeToRoot [ - "modules/nixos/server/server-riscv64.nix" - # host specific modules - "hosts/rolling-girls-${name}" - ]) - ++ [ - # cross-compilation this flake. - {nixpkgs.crossSystem.system = "riscv64-linux";} - ]; - }; - - inherit (inputs) nixos-licheepi4a; - baseSpecialArgs = genSpecialArgs system; - - # using the same nixpkgs as nixos-licheepi4a to utilize the cross-compilation cache. - lpi4aPkgs = import nixos-licheepi4a.inputs.nixpkgs {inherit system;}; - lpi4aSpecialArgs = - baseSpecialArgs - // { - inherit (nixos-licheepi4a.inputs) nixpkgs; - pkgsKernel = nixos-licheepi4a.packages.${system}.pkgsKernelCross; - } - // args; - lpi4aSystemArgs = - modules - // args - // { - inherit (nixos-licheepi4a.inputs) nixpkgs; - specialArgs = lpi4aSpecialArgs; - }; -in { - nixosConfigurations.${name} = mylib.nixosSystem lpi4aSystemArgs; - - colmenaMeta = { - nodeSpecialArgs.${name} = lpi4aSpecialArgs; - nodeNixpkgs.${name} = lpi4aPkgs; - }; - colmena.${name} = - mylib.colmenaSystem - (lpi4aSystemArgs // {inherit tags ssh-user;}); -} diff --git a/outputs/riscv64-linux/tests/hostname/expected.nix b/outputs/riscv64-linux/tests/hostname/expected.nix deleted file mode 100644 index 0ab7728b..00000000 --- a/outputs/riscv64-linux/tests/hostname/expected.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - lib, - outputs, -}: let - hostsNames = builtins.attrNames outputs.nixosConfigurations; - expected = lib.genAttrs hostsNames (name: name); -in - expected diff --git a/outputs/riscv64-linux/tests/hostname/expr.nix b/outputs/riscv64-linux/tests/hostname/expr.nix deleted file mode 100644 index 6f6c291a..00000000 --- a/outputs/riscv64-linux/tests/hostname/expr.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ - lib, - outputs, -}: -lib.genAttrs -(builtins.attrNames outputs.nixosConfigurations) -( - name: outputs.nixosConfigurations.${name}.config.networking.hostName -)