diff --git a/Justfile b/Justfile
index 3b18cd6a..8e5c2da8 100644
--- a/Justfile
+++ b/Justfile
@@ -112,16 +112,16 @@ tailscale_gw:
 pve-image:
 nom build .#tailscale_gw
- rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
+ rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
 nom build .#aquamarine
- rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+ rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
 nom build .#ruby
- rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
+ rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
 nom build .#kana
- rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
+ rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
 ############################################################################
diff --git a/README.md b/README.md
index 8cfceec2..bb4d9f73 100644
--- a/README.md
+++ b/README.md
@@ -140,7 +140,7 @@ nom build .#aquamarine # `nom`(nix-output-monitor) can be replaced by the stand
 # 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump`
 # please replace the vma file name with the one you generated in step 1.
-rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
 # 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now.
 ```
diff --git a/flake.lock b/flake.lock
index a20f7212..b6f41407 100644
--- a/flake.lock
+++ b/flake.lock
@@ -94,6 +94,28 @@ "type": "github" } }, + "daeuniverse": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs", + "pnpm2nix": "pnpm2nix", + "pre-commit-hooks": "pre-commit-hooks" + }, + "locked": { + "lastModified": 1708006709, + "narHash": "sha256-5WSBOUuYtPfpCL0v5scEVRis1qjv1haL3tmwM/LJPT8=", + "owner": "daeuniverse", + "repo": "flake.nix", + "rev": "5bb02d49a4ec48019758cf3893a6f614d307df0b", + "type": "github" + }, + "original": { + "owner": "daeuniverse", + "ref": "unstable", + "repo": "flake.nix", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -133,6 +155,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1673956053, @@ -148,7 +186,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -186,6 +224,23 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -206,9 +261,9 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib" + "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { "lastModified": 1706830856, 
@@ -226,14 +281,14 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", "owner": "numtide", "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", "type": "github" }, "original": { @@ -244,7 +299,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1701680307, @@ -296,7 +351,65 @@ "type": "github" } }, + "flake-utils_5": { + "inputs": { + "systems": "systems_6" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "inputs": { + "systems": "systems_7" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "gitignore": { + "inputs": { + "nixpkgs": [ + "daeuniverse", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703887061, + "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "lanzaboote", 
@@ -318,7 +431,7 @@ "type": "github" } }, - "gitignore_2": { + "gitignore_3": { "inputs": { "nixpkgs": [ "nixos-rk3588", @@ -340,7 +453,7 @@ "type": "github" } }, - "gitignore_3": { + "gitignore_4": { "inputs": { "nixpkgs": [ "pre-commit-hooks", @@ -409,7 +522,7 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems", + "systems": "systems_3", "wlroots": "wlroots", "xdph": "xdph" }, @@ -471,9 +584,9 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts_2", - "flake-utils": "flake-utils", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_3", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ], @@ -515,10 +628,10 @@ "mysecrets": { "flake": false, "locked": { - "lastModified": 1707067920, - "narHash": "sha256-unTHx5LgbzIa3flAgiwxaYD/BPssYfCWCZhK30njLXs=", + "lastModified": 1708107208, + "narHash": "sha256-v2ugfiX05Kv+z1E1iO/nYiFj540V9SGES5JPAeLVu5M=", "ref": "refs/heads/main", - "rev": "2fc5c6615c2a9216dc863b8adfb69f100b7788fb", + "rev": "57e9a6dab2d3e1702354ff4862afe9b48ed31e07", "shallow": true, "type": "git", "url": "ssh://git@github.com/ryan4yin/nix-secrets.git" @@ -551,8 +664,8 @@ }, "nix-gaming": { "inputs": { - "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs" + "flake-parts": "flake-parts_4", + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1707614138, @@ -622,7 +735,7 @@ }, "nixos-licheepi4a": { "inputs": { - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "thead-kernel": "thead-kernel" }, "locked": { @@ -641,10 +754,10 @@ }, "nixos-rk3588": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_4", "mesa-panfork": "mesa-panfork", - "nixpkgs": "nixpkgs_3", - "pre-commit-hooks": "pre-commit-hooks" + "nixpkgs": "nixpkgs_4", + "pre-commit-hooks": "pre-commit-hooks_2" }, "locked": { "lastModified": 1703010942, 
@@ -662,16 +775,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1707451808, - "narHash": "sha256-UwDBUNHNRsYKFJzyTMVMTF5qS4xeJlWoeyJf+6vvamU=", + "lastModified": 1706732774, + "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "442d407992384ed9c0e6d352de75b69079904e4e", + "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -710,7 +823,41 @@ "type": "github" } }, + "nixpkgs-lib_2": { + "locked": { + "dir": "lib", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { + "locked": { + "lastModified": 1704874635, + "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1678872516, "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", @@ -726,7 +873,7 @@ "type": "github" } }, - "nixpkgs-stable_2": { + "nixpkgs-stable_3": { "locked": { "lastModified": 1707786466, "narHash": "sha256-yLPfrmW87M2qt+8bAmwopJawa+MJLh3M9rUbXtpUc1o=", @@ -742,7 +889,7 @@ "type": "github" } }, - "nixpkgs-stable_3": { + "nixpkgs-stable_4": { "locked": { "lastModified": 1704874635, "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", 
@@ -775,6 +922,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1707451808, + "narHash": "sha256-UwDBUNHNRsYKFJzyTMVMTF5qS4xeJlWoeyJf+6vvamU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "442d407992384ed9c0e6d352de75b69079904e4e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1691280485, "narHash": "sha256-/8Ct9092OC1TTNzHgbcE9ejQdS2QxZYGqrWXEwUxdtQ=", @@ -790,7 +953,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1691486536, "narHash": "sha256-W2jYTn6rNiJEpjXkOiZxNltgxxwgeZE5cQ967NgsrHU=", @@ -806,7 +969,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1707956935, "narHash": "sha256-ZL2TrjVsiFNKOYwYQozpbvQSwvtV/3Me7Zwhmdsfyu4=", @@ -822,7 +985,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1701436327, "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", @@ -836,7 +999,7 @@ "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1702921762, "narHash": "sha256-O/rP7gulApQAB47u6szEd8Pn8Biw0d84j5iuP2tcxzY=", @@ -854,7 +1017,7 @@ }, "nuenv": { "inputs": { - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "rust-overlay": "rust-overlay_2" }, "locked": { @@ -873,7 +1036,7 @@ }, "nur-ryan4yin": { "inputs": { - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1705366605, 
@@ -889,6 +1052,28 @@ "type": "github" } }, + "pnpm2nix": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "daeuniverse", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1691661013, + "narHash": "sha256-m7dhwjnDw2U7PDUatHcVJXd8wrDLpIGlQac0im6+0fk=", + "owner": "Ninlives", + "repo": "pnpm2nix", + "rev": "86f8995bbe56a66459b6ca2f790db6272c616e39", + "type": "github" + }, + "original": { + "owner": "Ninlives", + "repo": "pnpm2nix", + "type": "github" + } + }, "polybar-themes": { "flake": false, "locked": { @@ -906,6 +1091,62 @@ } }, "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils_2", + "gitignore": "gitignore", + "nixpkgs": [ + "daeuniverse", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1706424699, + "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1681413034, + "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks_2": { "inputs": { "flake-compat": [ "nixos-rk3588" @@ -914,7 +1155,7 @@ "nixos-rk3588", "flake-utils" ], - "gitignore": "gitignore_2", + "gitignore": "gitignore_3", "nixpkgs": [ "nixos-rk3588", "nixpkgs" 
@@ -938,46 +1179,15 @@ "type": "github" } }, - "pre-commit-hooks-nix": { + "pre-commit-hooks_3": { "inputs": { - "flake-compat": [ - "lanzaboote", - "flake-compat" - ], - "flake-utils": [ - "lanzaboote", - "flake-utils" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "lanzaboote", - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1681413034, - "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "pre-commit-hooks_2": { - "inputs": { - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_4", - "gitignore": "gitignore_3", + "flake-compat": "flake-compat_3", + "flake-utils": "flake-utils_6", + "gitignore": "gitignore_4", "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_3" + "nixpkgs-stable": "nixpkgs-stable_4" }, "locked": { "lastModified": 1707297608, @@ -998,6 +1208,7 @@ "agenix": "agenix", "anyrun": "anyrun", "astronvim": "astronvim", + "daeuniverse": "daeuniverse", "doomemacs": "doomemacs", "home-manager": "home-manager_2", "hyprland": "hyprland", @@ -1010,14 +1221,14 @@ "nixos-hardware": "nixos-hardware", "nixos-licheepi4a": "nixos-licheepi4a", "nixos-rk3588": "nixos-rk3588", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "nixpkgs-darwin": "nixpkgs-darwin", - "nixpkgs-stable": "nixpkgs-stable_2", + "nixpkgs-stable": "nixpkgs-stable_3", "nixpkgs-unstable": "nixpkgs-unstable", "nuenv": "nuenv", "nur-ryan4yin": "nur-ryan4yin", "polybar-themes": "polybar-themes", - "pre-commit-hooks": "pre-commit-hooks_2", + "pre-commit-hooks": "pre-commit-hooks_3", "wallpapers": "wallpapers" } }, @@ -1048,7 +1259,7 @@ }, "rust-overlay_2": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_5", "nixpkgs": [ "nuenv", "nixpkgs" 
@@ -1070,16 +1281,16 @@ }, "systems": { "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", "type": "github" }, "original": { "owner": "nix-systems", - "repo": "default-linux", + "repo": "default", "type": "github" } }, @@ -1100,16 +1311,16 @@ }, "systems_3": { "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", "type": "github" }, "original": { "owner": "nix-systems", - "repo": "default", + "repo": "default-linux", "type": "github" } }, @@ -1143,6 +1354,36 @@ "type": "github" } }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_7": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "thead-kernel": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 8b265b80..2527955f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -164,6 +164,8 @@
 nuenv.url = "github:DeterminateSystems/nuenv";
+ daeuniverse.url = "github:daeuniverse/flake.nix/unstable";
+
 ######################## Some non-flake repositories #########################################
 # AstroNvim is an aesthetic and feature-rich neovim config.
diff --git a/home/base/server/core.nix b/home/base/server/core.nix
index 12738887..62f3010c 100644
--- a/home/base/server/core.nix
+++ b/home/base/server/core.nix
@@ -4,46 +4,13 @@
 ...
 }: {
 home.packages = with pkgs; [
- neofetch
-
- # networking tools
- mtr # A network diagnostic tool
- iperf3
- dnsutils # `dig` + `nslookup`
- ldns # replacement of `dig`, it provide the command `drill`
- aria2 # A lightweight multi-protocol & multi-source command-line download utility
- socat # replacement of openbsd-netcat
- nmap # A utility for network discovery and security auditing
- ipcalc # it is a calculator for the IPv4/v6 addresses
-
- # archives
- zip
- xz
- unzip
- p7zip
-
- # misc
+ # Misc
 tldr
 cowsay
- file
- findutils
- which
- tree
- gnutar
- zstd
 gnupg
- rsync
-
- # Text Processing
- # Docs: https://github.com/learnbyexample/Command-line-text-processing
-
- gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
- gnused # GNU sed, very powerful(mainly for replacing text in files)
 gnumake
- gawk # GNU awk, a pattern scanning and processing language
- jq # A lightweight and flexible command-line JSON processor
- # morden cli tools, replacement of grep/sed/...
+ # Morden cli tools, replacement of grep/sed/...
 # Interactively filter its input using fuzzy searching, not limit to filenames.
 fzf
diff --git a/home/linux/base/system-tools.nix b/home/linux/base/system-tools.nix
index 75ad8e2e..1a925da8 100644
--- a/home/linux/base/system-tools.nix
+++ b/home/linux/base/system-tools.nix
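Review bot: `daeuniverse.url` is added without telling the new input to follow this flake's `nixpkgs`; the flake.lock in the same commit shows `daeuniverse` carrying its own `nixpkgs` node while the root flake now points at `nixpkgs_5`, so the dae package and modules are built against a second nixpkgs revision that has to be fetched and tracked separately. Unless dae needs a nixpkgs this repo's pin cannot provide, add `daeuniverse.inputs.nixpkgs.follows = "nixpkgs";` next to the url. The enclosing attribute set (presumably `inputs`) starts and ends outside the hunk.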
@@ -1,29 +1,9 @@ {pkgs, ...}: { # Linux Only Packages, not available on Darwin home.packages = with pkgs; [ - nmon - iotop - iftop - # misc libnotify wireguard-tools # manage wireguard vpn manually, via wg-quick - - # system call monitoring - strace # system call monitoring - ltrace # library call monitoring - bpftrace # powerful tracing tool - tcpdump # network sniffer - lsof # list open files - - # system tools - sysstat - lm_sensors # for `sensors` command - ethtool - pciutils # lspci - usbutils # lsusb - hdparm # for disk performance, command - dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard ]; # auto mount usb drives diff --git a/hosts/12kingdoms_shoukei/default.nix b/hosts/12kingdoms_shoukei/default.nix index 9b7f1431..151e7f61 100644 --- a/hosts/12kingdoms_shoukei/default.nix +++ b/hosts/12kingdoms_shoukei/default.nix @@ -21,7 +21,7 @@ in { ./impermanence.nix ]; - boot.kernelModules = ["kvm-amd" "kvm-intel"]; + boot.kernelModules = ["kvm-amd"]; boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu networking = { diff --git a/hosts/homelab_tailscale_gw/default.nix b/hosts/homelab_tailscale_gw/default.nix index b7d1a36d..fef07519 100644 --- a/hosts/homelab_tailscale_gw/default.nix +++ b/hosts/homelab_tailscale_gw/default.nix @@ -10,6 +10,7 @@ let in { imports = [ ./tailscale.nix + ./proxy.nix ]; # supported file systems, so we can mount any removable disks with these filesystems diff --git a/hosts/homelab_tailscale_gw/proxy.nix b/hosts/homelab_tailscale_gw/proxy.nix new file mode 100644 index 00000000..445ebca0 --- /dev/null +++ b/hosts/homelab_tailscale_gw/proxy.nix 
@@ -0,0 +1,31 @@
+{
+ # dae(running on aquamarine) do not provides http/socks5 proxy server, so we use v2ray here.
+ # https://github.com/v2fly
+ services.v2ray = {
+ enable = true;
+ config = {
+ inbounds = [
+ {
+ listen = "0.0.0.0";
+ port = 7890;
+ protocol = "http";
+ }
+ {
+ listen = "0.0.0.0";
+ port = 7891;
+ protocol = "socks";
+ settings = {
+ auth = "noauth";
+ udp = true;
+ };
+ }
+ ];
+ outbounds = [
+ {
+ protocol = "freedom";
+ tag = "freedom";
+ }
+ ];
+ };
+ };
+}
diff --git a/hosts/idols_aquamarine/README.md b/hosts/idols_aquamarine/README.md
index 81d7377f..af238a42 100644
--- a/hosts/idols_aquamarine/README.md
+++ b/hosts/idols_aquamarine/README.md
@@ -1,6 +1,17 @@
 # Idols - Aquamarine
-TODO: use aqua as a passby router(IPv4 only) to access the global internet.
+Use aqua as a passby router(IPv4 only) to access the global internet.
+
+
+## Troubleshooting
+
+### DNS cannot be resolved
+
+1. `sudo systemctl stop dae`, then try to resolve the domain name again.
+ - If it works, the problem is caused by `dae` service.
+ - check dae's log by `sudo journalctl -u dae`
+1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`.
+
 ## References
diff --git a/hosts/idols_aquamarine/bypass-router.dae b/hosts/idols_aquamarine/config.dae
similarity index 57%
rename from hosts/idols_aquamarine/bypass-router.dae
rename to hosts/idols_aquamarine/config.dae
index e39001c7..f8584ae3 100644
--- a/hosts/idols_aquamarine/bypass-router.dae
+++ b/hosts/idols_aquamarine/config.dae
@@ -1,3 +1,10 @@
+# https://github.com/daeuniverse/dae/discussions/81
+# https://github.com/daeuniverse/dae/blob/main/example.dae
+
+# load all dae files placed in ./config.d/
+include {
+ config.d/*.dae
+}
 global {
 ##### Software options.
@@ -14,7 +21,7 @@ global {
 so_mark_from_dae: 0
 # Log level: error, warn, info, debug, trace.
- log_level: info
+ log_level: debug
 # Disable waiting for network before pulling subscriptions.
 disable_waiting_network: false
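Review bot: Both inbounds bind `listen = "0.0.0.0"` and the SOCKS inbound sets `auth = "noauth"` with `udp = true`, so every address of this gateway — including its tailnet address, since the host imports `./tailscale.nix` — offers an unauthenticated open proxy on 7890/7891 to anyone who can reach it; the diff does not show the host's firewall settings, so this may be blocked today, but the listener itself enforces nothing. Bind each inbound to the address the LAN clients use, e.g. `listen = "<lan-ip>";` (placeholder for the gateway's LAN interface address), or keep the wildcard and limit the ports per interface with `networking.firewall.interfaces.<lan>.allowedTCPPorts` / `allowedUDPPorts`; v2ray's `auth = "password"` with `accounts` is the in-band alternative for the SOCKS inbound. A comment above `inbounds` naming the intended client network would make the decision visible to the next reader.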
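Review bot: `log_level: debug` is committed as the running configuration of a gateway that proxies every LAN client; dae's debug level presumably records per-connection and per-query detail, so the journal would keep a persistent log of each host's destinations well beyond the DNS troubleshooting the README hunk describes. Keep `log_level: info` in the committed file and raise it only while debugging, or at least annotate the line: `# debug is verbose and logs each client's connections/queries to the journal; lower to info once the DNS issue is resolved`.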
@@ -24,11 +31,12 @@ global {
 # The LAN interface to bind. Use it if you want to proxy LAN.
 # Multiple interfaces split by ",".
- lan_interface: ens18
+ lan_interface: br-lan
 # The WAN interface to bind. Use it if you want to proxy localhost.
 # Multiple interfaces split by ",". Use "auto" to auto detect.
- wan_interface: auto
+ # bypass router has no WAN interface, so comment it.
+ # wan_interface: auto
 # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
 # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
@@ -37,7 +45,7 @@ global {
 # Automatically configure firewall rules like firewalld and fw4.
 # firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
 # fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
- auto_config_firewall_rule: true
+ auto_config_firewall_rule: false
 ##### Node connectivity check.
@@ -98,30 +106,11 @@ global {
 utls_imitate: chrome_auto
 }
-# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
-# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
-subscription {
- # Add your subscription links(or files that contains the link) here.
- 'file://dae-mysubscription-1.sub' # the path is related to /etc/dae/
- 'file://dae-mysubscription-2.sub'
-}
-
-# Nodes defined here will be merged as a part of the global node pool.
-node {
- # Add your node links here.
- # Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
- # Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
- # mylink: 'ss://LINK'
- # node1: 'vmess://LINK'
- # node2: 'vless://LINK'
- # chains: 'tuic://LINK -> vmess://LINK'
-}
-
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
 dns {
 # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
 # respond to type A queries and response empty answer to type AAAA queries.
- #ipversion_prefer: 4
+ ipversion_prefer: 4
 # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
 # for these domains.
@@ -137,8 +126,8 @@ dns {
 # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
 # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
- alidns: 'udp://dns.alidns.com:53'
- googledns: 'tcp+udp://dns.google.com:53'
+ alidns: 'udp://223.5.5.5:53'
+ googledns: 'tcp+udp://8.8.8.8:53'
 }
 routing {
 # According to the request of dns query, decide to use which DNS upstream.
@@ -148,60 +137,91 @@ dns {
 qname(geosite:cn) -> alidns
 # fallback is also called default.
 fallback: googledns
+
+ # other custom rules
+ qname(geosite:category-ads) -> reject
+ qname(geosite:category-ads-all) -> reject
+ qtype(aaaa) -> reject
+ qname(regex: '.+\.linkedin$') -> googledns
+ }
+
+ # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
+ # Match rules from top to bottom.
+ response {
+ # Trusted upstream. Always accept its result.
+ upstream(googledns) -> accept
+
+ # Possibly polluted(domain resolved to a private ip), re-lookup using googledns.
+ ip(geoip:private) && !qname(geosite:cn) -> googledns
+
+ fallback: accept
 }
 }
-# routing {
-# # According to the request of dns query, decide to use which DNS upstream.
-# # Match rules from top to bottom.
-# request {
-# # fallback is also called default.
-# fallback: alidns
-# }
-# # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
-# # Match rules from top to bottom.
-# response {
-# # Trusted upstream. Always accept its result.
-# upstream(googledns) -> accept
-# # Possibly polluted, re-lookup using googledns.
-# ip(geoip:private) && !qname(geosite:cn) -> googledns
-# # fallback is also called default.
-# fallback: accept
-# }
-# }
 }
 # Node group (outbound).
 group {
- my_group {
- # No filter. Use all nodes.
-
- # Randomly select a node from the group for every connection.
- #policy: random
-
- # Select the first node from the group for every connection.
- #policy: fixed(0)
-
- # Select the node with min last latency from the group for every connection.
- #policy: min
-
- # Select the node with min moving average of latencies from the group for every connection.
- policy: min_moving_avg
- }
-
- group2 {
- # Filter nodes from the global node pool defined by the subscription and node section above.
- #filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
-
- # Filter nodes from the global node pool defined by tag.
- #filter: name(node1, node2)
-
+ proxy {
+ filter: name(keyword: 'Hong Kong')
+ filter: name(keyword: '香港')
+ filter: name(keyword: 'Singapore')
+ filter: name(keyword: '新加坡')
 # Filter nodes and give a fixed latency offset to archive latency-based failover.
 # In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
- filter: name(HK_node)
- filter: name(US_node) [add_latency: -500ms]
+ filter: name(keyword: 'USA') [add_latency: -500ms]
+ filter: name(keyword: '美国') [add_latency: -500ms]
+ filter: name(keyword: 'UK') [add_latency: -300ms]
+ filter: name(keyword: '英国') [add_latency: -300ms]
+ filter: name(keyword: 'Japan') [add_latency: 300ms]
+ filter: name(keyword: '日本') [add_latency: 300ms]
+
+ # Other filters:
+ # Filter nodes from the global node pool defined by the subscription and node section above.
+ # filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
+ # Filter nodes from the global node pool defined by tag.
+ # filter: name('node_a','node_b')
 # Select the node with min average of the last 10 latencies from the group for every connection.
 policy: min_avg10
+ # Other policies:
+ # random - Randomly select a node from the group for every connection.
+ # fixed(0) - Select the first node from the group for every connection.
+ # min - Select the node with min last latency from the group for every connection.
+ # min_moving_avg - Select the node with min moving average of latencies from the group for every connection.
+ }
+
+ media {
+ filter: name(keyword: 'Hong Kong')
+ filter: name(keyword: '香港')
+ filter: name(keyword: 'Singapore')
+ filter: name(keyword: '新加坡')
+ filter: name(keyword: 'USA') [add_latency: -500ms]
+ filter: name(keyword: '美国') [add_latency: -500ms]
+ filter: name(keyword: 'UK') [add_latency: -300ms]
+ filter: name(keyword: '英国') [add_latency: -300ms]
+ filter: name(keyword: 'Japan') [add_latency: 300ms]
+ filter: name(keyword: '日本') [add_latency: 300ms]
+
+ policy: min_avg10
+ }
+
+ sg {
+ filter: name(keyword: 'Singapore')
+ filter: name(keyword: '新加坡')
+ policy: min_avg10
+ }
+
+ usa {
+ filter: name(keyword: 'USA')
+ filter: name(keyword: '美国')
+ policy: min_avg10
+ }
+
+ uk {
+ filter: name(keyword: 'UK')
+ filter: name(keyword: '英国')
+ filter: name(keyword: '美国')
+ policy: min_avg10
 }
 }
@@ -212,6 +232,7 @@ routing {
 # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
 # WAN.
 pname(NetworkManager) -> direct
+ pname(systemd-networkd) -> direct
 # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
 # forwarded by the proxy.
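Review bot: The `uk` group ends with `filter: name(keyword: '美国')`, which pulls USA nodes into a group that the routing section reserves for GitHub (`domain(geosite:github) -> uk`); it duplicates the `usa` group's second filter exactly and reads as a copy-paste slip, so the group should probably contain only `filter: name(keyword: 'UK')` and `filter: name(keyword: '英国')`. `proxy` and `media` also carry identical filter lists and the same `policy: min_avg10`, so either a comment on `media` saying why it exists separately (only `domain(geosite:netflix)` is routed to it) or folding it into `proxy` would help. The `dns { … }` block this hunk opens in starts before it.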
@@ -222,12 +243,75 @@ routing {
 # private addresses in your proxy host network, modify the below line.
 dip(geoip:private) -> direct
- ### Write your rules below.
+ # --- Core rules ---#
- # Disable h3 because it usually consumes too much cpu/mem resources.
+ # Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
 l4proto(udp) && dport(443) -> block
+
+ # Direct access to all Chinese mainland-related IP addresses
 dip(geoip:cn) -> direct
 domain(geosite:cn) -> direct
- fallback: my_group
+ # Use HK to access all other foreign sites
+ domain(geosite:geolocation-!cn) -> proxy
+ !dip(geoip:cn) -> proxy
+
+ # Block ads
+ domain(geosite:category-ads) -> block
+ domain(geosite:category-ads-all) -> block
+
+ # DNS
+ dip(8.8.8.8, 8.8.4.4) -> proxy
+ dip(223.5.5.5, 223.6.6.6) -> direct
+ domain(full:dns.alidns.com) -> direct
+ domain(full:dns.googledns.com) -> proxy
+ domain(full:dns.opendns.com) -> proxy
+
+ # --- Rules for other commonly used sites ---#
+
+ # Access github.com via UK's proxies
+ domain(geosite:github) -> uk
+
+ ### OpenAI
+ domain(geosite:openai) -> sg
+ domain(regex:'.+\.openai$') -> sg
+
+ ### Media
+ domain(geosite:netflix) -> media
+
+ ### Proxy
+ domain(suffix: linkedin.com) -> proxy
+ domain(keyword:'linkedin') -> proxy
+ domain(regex:'.+\.linkedin\.com$') -> proxy
+ domain(regex:'.+\.quay\.io$') -> proxy
+ domain(regex:'.+\.notion\.so$') -> proxy
+ domain(regex:'.+\.amazon\.com$') -> proxy
+ domain(regex:'.+\.oracle\.com$') -> proxy
+ domain(regex:'.+\.docker\.com$') -> proxy
+ domain(regex:'.+\.kubernetes\.io$') -> proxy
+
+ domain(geosite:microsoft) -> proxy
+ domain(geosite:linkedin) -> proxy
+ domain(geosite:twitter) -> proxy
+ domain(geosite:telegram) -> proxy
+ domain(geosite:google) -> proxy
+ domain(geosite:apple) -> proxy
+ domain(geosite:category-container) -> proxy
+ domain(geosite:category-dev) -> proxy
+ domain(geosite:google-scholar) -> proxy
+ domain(geosite:category-scholar-!cn) -> proxy
+
+ ### Direct
+ domain(regex:'.+\.edu\.cn$') -> proxy
+ domain(keyword:'baidu') -> direct
+ domain(keyword:'bilibili') -> direct
+ domain(keyword:'taobao') -> direct
+ domain(keyword:'alibabadns') -> direct
+ domain(keyword:'alicdn') -> direct
+ domain(keyword:'tbcache') -> direct
+ domain(keyword:'zhihu') -> direct
+ domain(keyword:'douyu') -> direct
+ domain(geosite:cloudflare-cn) -> direct
+
+ fallback: direct
 }
diff --git a/hosts/idols_aquamarine/dae.nix b/hosts/idols_aquamarine/dae.nix
index f2d4e553..c908bda4 100644
--- a/hosts/idols_aquamarine/dae.nix
+++ b/hosts/idols_aquamarine/dae.nix
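Review bot: `domain(geosite:geolocation-!cn) -> proxy` and `!dip(geoip:cn) -> proxy` are placed above every more specific rule that follows them; if dae applies routing rules first-match, top to bottom, as this file's own dns comments state ("Match rules from top to bottom"), then `domain(geosite:category-ads*) -> block`, `domain(geosite:github) -> uk`, `domain(geosite:openai) -> sg` and `domain(geosite:netflix) -> media` are never reached for a non-CN destination, and ad domains are proxied rather than blocked. Move the two catch-all proxy rules to just above `fallback: direct` and keep the block rules ahead of them. Separately, `domain(full:dns.googledns.com) -> proxy` looks like a typo for the host the removed upstream entry used (`dns.google.com`), and `domain(regex:'.+\.edu\.cn$') -> proxy` sits under the `### Direct` heading while routing to proxy, so one of the two should change. The `routing { … }` block begins before this hunk.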
@@ -1,11 +1,57 @@ -# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/dae.nix { + config, + pkgs, + daeuniverse, + ... +}: +# https://github.com/daeuniverse/flake.nix +let + daeConfigPath = "/etc/dae/config.dae"; + subscriptionConfigPath = "/etc/dae/config.d/subscription.dae"; +in { + imports = [ + daeuniverse.nixosModules.dae + daeuniverse.nixosModules.daed + ]; + + # dae - eBPF-based Linux high-performance transparent proxy. services.dae = { enable = true; + package = daeuniverse.packages.${pkgs.system}.dae; + disableTxChecksumIpGeneric = false; + configFile = daeConfigPath; + assets = with pkgs; [v2ray-geoip v2ray-domain-list-community]; + # alternatively, specify assets dir + # assetsPath = "/etc/dae"; openFirewall = { enable = true; port = 12345; }; - configFile = ./bypass-router.dae; }; + + # dae supports two types of subscriptions: base64 encoded proxies, and sip008. + # subscription can be a url return the subscription, or a file path that contains the subscription. + # + # Nix decrypt and merge my dae's base config and subscription config here. + # the subscription config is something like: + # ``` + # subscription { + # 'https://www.example.com/subscription/link' + # 'https://example.com/no_tag_link' + # } + # node { + # # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity + # node_a: 'trojan://' + # node_b: 'trojan://' + # node_c: 'vless://' + # node_d: 'vless://' + # node_e: 'vmess://' + # node_f: 'tuic://' + # node_h: 'juicity://' + # } + # ``` + system.activationScripts.installDaeConfig = '' + install -Dm 600 ${./config.dae} ${daeConfigPath} + install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath} + ''; } diff --git a/hosts/idols_aquamarine/default.nix b/hosts/idols_aquamarine/default.nix index c60eefdf..704e8764 100644 --- a/hosts/idols_aquamarine/default.nix +++ b/hosts/idols_aquamarine/default.nix 
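Review bot: `system.activationScripts.installDaeConfig` is given as a bare string, so it has no ordering relative to the activation step in which agenix (as far as I know) decrypts `config.age.secrets."dae-subscription.dae".path`; on a fresh boot the `install` of the subscription can run before the secret exists and fail. Use the attribute form with an explicit dependency, `{ deps = [ "<agenix decryption activation script>" ]; text = ''…''; }` (placeholder: the name of agenix's activation script), or point `services.dae.configFile` at a file assembled from the secret's agenix `path` instead of re-copying it. The copy under `/etc/dae/config.d/` also outlives agenix's per-generation cleanup, so a rotated subscription persists on disk until the next activation overwrites it. Note that `openFirewall.enable = true` appears to be a no-op on this host, since `router.nix` sets `networking.firewall.enable = false`.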
@@ -6,40 +6,28 @@ ############################################################# let hostName = "aquamarine"; # Define your hostname. - hostAddress = vars_networking.hostAddress.${hostName}; in { imports = [ ./router.nix ./dae.nix ]; - # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. - boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; # supported file systems, so we can mount any removable disks with these filesystems boot.supportedFilesystems = [ "ext4" "btrfs" "xfs" - #"zfs" - "ntfs" "fat" "vfat" "exfat" - "cifs" # mount windows share ]; - boot.kernelModules = ["kvm-amd" "kvm-intel"]; + boot.kernelModules = ["kvm-amd"]; boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu networking = { inherit hostName; - inherit (vars_networking) defaultGateway nameservers; - - networkmanager.enable = false; - interfaces.ens18 = { - useDHCP = false; - ipv4.addresses = [hostAddress]; - }; + inherit (vars_networking) nameservers; }; # This value determines the NixOS release from which the default diff --git a/hosts/idols_aquamarine/router.nix b/hosts/idols_aquamarine/router.nix index 8d1cb59e..7f5caa5f 100644 --- a/hosts/idols_aquamarine/router.nix +++ b/hosts/idols_aquamarine/router.nix @@ -1,4 +1,12 @@ -_: { +{lib, ...}: let + hostAddress = "192.168.5.101"; + hostAddressWithMask = "${hostAddress}/24"; + mainGatewayAddress = "192.168.5.1"; + dhcpRange = { + start = "192.168.5.50"; + end = "102.168.5.100"; + }; +in { # https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md boot = { kernel = { 
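Review bot: `end = "102.168.5.100";` in `dhcpRange` is a typo for `192.168.5.100` (the value the removed `dhcp-range` line in the `@@ -89,15` hunk used); as written the range spans a different network than `hostAddress`, and dnsmasq will reject or misbehave on the `dhcp-range` built from it in that later hunk. Change it to `end = "192.168.5.100";`. Since these addresses now live in router.nix while `nixos-installer/configuration.nix` and `systems/vars_networking.nix` hard-code `192.168.5.101` separately, a comment on `hostAddress` noting that the values must stay in sync would help, e.g. `# must match defaultGateway in systems/vars_networking.nix and nixos-installer/configuration.nix`.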
@@ -12,50 +20,62 @@ _: { }; }; + # Docker uses iptables internally to setup NAT for containers. + # This module disables the ip_tables kernel module, which is required for nftables to work. + # So make sure to disable docker here. + virtualisation.docker.enable = lib.mkForce false; networking = { - wireless.enable = false; # Enables wireless support via wpa_supplicant. useNetworkd = true; - useDHCP = false; + useDHCP = false; + networkmanager.enable = false; + wireless.enable = false; # Enables wireless support via wpa_supplicant. # No local firewall. nat.enable = false; firewall.enable = false; + # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/nftables.nix nftables = { enable = true; - checkRuleset = false; - # Since this is a internal bypass router, we don't need to do NAT, 7. + # Check the applyed rules with `nft -a list ruleset`. + # Since this is a internal bypass router, we don't need to do NAT & can forward all traffic. ruleset = '' + # Check out https://wiki.nftables.org/ for better documentation. + # Table for both IPv4 and IPv6. table inet filter { - flowtable f { - hook ingress priority 0; - devices = { "ens18" }; - flags offload; - } - chain input { - type filter hook input priority 0; policy drop; + type filter hook input priority 0; - iifname { "br-lan" } accept comment "Allow local network to access the router" - iifname "lo" accept comment "Accept everything from loopback interface" + # accept any localhost traffic + iifname lo accept + + # accept any lan traffic + iifname br-lan accept + + # count and drop any other traffic + counter drop } - chain forward { - type filter hook forward priority filter; policy drop; - ip protocol { tcp, udp } ct state { established } flow offload @f comment "Offload tcp/udp established traffic" - iifname { "br-lan" } oifname { "br-lan" } accept comment "Allow LAN to LAN" + # Allow all outgoing connections. 
+ chain output { + type filter hook output priority 0; + accept + } + + # Allow all forwarding all traffic. + chain forward { + type filter hook forward priority 0; + accept } } ''; }; }; - # https://wiki.archlinux.org/title/systemd-networkd + # https://nixos.wiki/wiki/Systemd-networkd systemd.network = { - wait-online.anyInterface = true; netdevs = { # Create the bridge interface - # it works as a switch, so that all the lan ports can communicate with each other at layer 2 "20-br-lan" = { netdevConfig = { Kind = "bridge"; @@ -63,22 +83,42 @@ _: { }; }; }; + # This is a bypass router, so we do not need a wan interface here. networks = { - # Connect the bridge ports to the bridge "30-lan0" = { + # match the interface by name matchConfig.Name = "ens18"; + # Connect to the bridge networkConfig = { Bridge = "br-lan"; ConfigureWithoutCarrier = true; }; linkConfig.RequiredForOnline = "enslaved"; }; + # Configure the bridge device we just created + "40-br-lan" = { + matchConfig.Name = "br-lan"; + address = [ + # configure addresses including subnet mask + hostAddressWithMask # forwards all traffic to the gateway except for the router address itself + ]; + routes = [ + # forward all traffic to the main gateway + {routeConfig.Gateway = mainGatewayAddress;} + ]; + bridgeConfig = {}; + linkConfig.RequiredForOnline = "routable"; + }; }; }; - services.resolved.enable = false; + # resolved is conflict with dnsmasq + services.resolved.enable = false; services.dnsmasq = { enable = true; + # resolve local queries (i.e. add 127.0.0.1 to /etc/resolv.conf) + resolveLocalQueries = true; + alwaysKeepRunning = true; settings = { # upstream DNS servers server = [ 
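Review bot: The `input` chain accepts every packet arriving on `br-lan` unconditionally, and because the bridge is the host's only interface the trailing `counter drop` is effectively unreachable, so every listener (dnsmasq on 53/67, dae on 12345, sshd) is exposed to the whole LAN with no conntrack sanity check. If that is the intended posture for a bypass router, say so next to the rule; otherwise add `ct state invalid drop` and `ct state { established, related } accept` before `iifname br-lan accept` and narrow the latter to the ports actually served. The comment `# Allow all forwarding all traffic.` reads as a typo for `# Allow forwarding of all traffic.`. The `systemd.network` block continues past the end of this hunk.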
@@ -89,15 +129,18 @@ _: { ]; # sensible behaviours domain-needed = true; + # prevent packets with malformed domain names and packets with private IP addresses from leaving your network. bogus-priv = true; + # don't needlessly read /etc/resolv.conf which only contains the localhost addresses of dnsmasq itself. no-resolv = true; # Cache dns queries. cache-size = 1000; - dhcp-range = ["br-lan,192.168.5.50,192.168.5.100,24h"]; + dhcp-range = ["br-lan,${dhcpRange.start},${dhcpRange.end},24h"]; interface = "br-lan"; - dhcp-host = "192.168.5.101"; + dhcp-host = hostAddress; + dhcp-sequential-ip = true; # local domains local = "/lan/"; diff --git a/hosts/idols_kana/default.nix b/hosts/idols_kana/default.nix index a9dbce4a..db3afea7 100644 --- a/hosts/idols_kana/default.nix +++ b/hosts/idols_kana/default.nix @@ -23,7 +23,7 @@ in { "cifs" # mount windows share ]; - boot.kernelModules = ["kvm-amd" "kvm-intel"]; + boot.kernelModules = ["kvm-amd"]; boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu networking = { diff --git a/hosts/idols_ruby/README.md b/hosts/idols_ruby/README.md index a85a4305..675498e9 100644 --- a/hosts/idols_ruby/README.md +++ b/hosts/idols_ruby/README.md @@ -1,6 +1,6 @@ # Idols - Ruby -TODO: use kana for backup / sync my personal data. +TODO: use ruby for backup / sync my personal data. For safety, those data should be encrypted before sending to the cloud or my NAS. 1. restic: Backup file from homelab to NAS, or from NAS to Cloud diff --git a/hosts/idols_ruby/default.nix b/hosts/idols_ruby/default.nix index 4301f3f2..befc5ec8 100644 --- a/hosts/idols_ruby/default.nix +++ b/hosts/idols_ruby/default.nix @@ -27,7 +27,7 @@ in { "cifs" # mount windows share ]; - boot.kernelModules = ["kvm-amd" "kvm-intel"]; + boot.kernelModules = ["kvm-amd"]; boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu networking = { diff --git a/modules/nixos/base/misc.nix b/modules/nixos/base/misc.nix index 60b5578e..d1484e7b 100644 
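Review bot: The new comment above `bogus-priv = true;` describes the combined effect of `domain-needed` and `bogus-priv`, not this option alone: `bogus-priv` only stops reverse lookups for private (RFC 1918) ranges that dnsmasq cannot answer from `/etc/hosts` or its leases from being forwarded upstream, while refusing to forward plain names is what `domain-needed` does. Suggested: `# answer reverse lookups for private IP ranges locally instead of forwarding them upstream.` `dhcp-host = hostAddress;` is carried over but looks odd too — as I read the dnsmasq manual `dhcp-host` needs a hardware address, client id or hostname to match, so a bare address is probably a no-op, and the `dhcp-range` already excludes `.101`; worth verifying and removing if so. The dnsmasq `settings` set continues past the end of this hunk.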
--- a/modules/nixos/base/misc.nix +++ b/modules/nixos/base/misc.nix @@ -60,15 +60,57 @@ # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - parted - psmisc # killall/pstree/prtstat/fuser/... + neofetch neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - wget - curl - aria2 git # used by nix flakes git-lfs # used by huggingface models + # archives + zip + xz + zstd + unzip + p7zip + + # Text Processing + # Docs: https://github.com/learnbyexample/Command-line-text-processing + gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep` + gnused # GNU sed, very powerful(mainly for replacing text in files) + gawk # GNU awk, a pattern scanning and processing language + jq # A lightweight and flexible command-line JSON processor + + # system call monitoring + strace # system call monitoring + ltrace # library call monitoring + bpftrace # powerful tracing tool + tcpdump # network sniffer + lsof # list open files + + # system monitoring + sysstat + iotop + iftop + btop + nmon + + # system tools + psmisc # killall/pstree/prtstat/fuser/... + lm_sensors # for `sensors` command + ethtool + pciutils # lspci + usbutils # lsusb + hdparm # for disk performance, command + dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard + parted + + # misc + file + findutils + which + tree + gnutar + rsync + # create a fhs environment by command `fhs`, so we can run non-nixos packages in nixos! ( let diff --git a/modules/nixos/base/networking.nix b/modules/nixos/base/networking.nix index 8667ca0c..09e602c2 100644 --- a/modules/nixos/base/networking.nix +++ b/modules/nixos/base/networking.nix 
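Review bot: The base profile now installs `tcpdump`, `bpftrace`, `strace` and `ltrace` on every host — and the `modules/nixos/base/networking.nix` hunk adds `nmap` the same way — including the servers and the bypass router; these are privileged diagnostic tools that are rarely needed outside an interactive debugging session and hand an attacker with a foothold ready-made tooling. Consider moving them to an opt-in debug module or invoking them ad hoc with `nix shell`, keeping the unconditional base set to what unattended hosts need. Minor style point: the line `strace # system call monitoring` repeats the section header comment directly above it.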
@@ -1,8 +1,23 @@ { lib, + pkgs, vars_networking, ... }: { + environment.systemPackages = with pkgs; [ + # networking tools + mtr # A network diagnostic tool + iperf3 + dnsutils # `dig` + `nslookup` + ldns # replacement of `dig`, it provide the command `drill` + wget + curl + aria2 # A lightweight multi-protocol & multi-source command-line download utility + socat # replacement of openbsd-netcat + nmap # A utility for network discovery and security auditing + ipcalc # it is a calculator for the IPv4/v6 addresses + ]; + # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. diff --git a/modules/nixos/base/virtualisation.nix b/modules/nixos/base/virtualisation.nix deleted file mode 100644 index d10e6c5e..00000000 --- a/modules/nixos/base/virtualisation.nix +++ /dev/null @@ -1,25 +0,0 @@ -{pkgs, ...}: { - ################################################################################### - # - # Virtualisation - Libvirt(QEMU/KVM) / Docker / LXD / WayDroid - # - ################################################################################### - - virtualisation = { - docker = { - enable = true; - daemon.settings = { - # enables pulling using containerd, which supports restarting from a partial pull - # https://docs.docker.com/storage/containerd/ - "features" = {"containerd-snapshotter" = true;}; - }; - - # start dockerd on boot. - # This is required for containers which are created with the `--restart=always` flag to work. - enableOnBoot = true; - }; - - waydroid.enable = true; - lxd.enable = true; - }; -} diff --git a/modules/nixos/desktop/virtualisation.nix b/modules/nixos/desktop/virtualisation.nix index ab1d033c..cfd4cef6 100644 --- a/modules/nixos/desktop/virtualisation.nix +++ b/modules/nixos/desktop/virtualisation.nix 
@@ -9,7 +9,7 @@ # This should be set per host in /hosts, not here. # ## For AMD CPU, add "kvm-amd" to kernelModules. - # boot.kernelModules = ["kvm-amd" "kvm-intel"]; + # boot.kernelModules = ["kvm-amd"]; # boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu # ## For Intel CPU, add "kvm-intel" to kernelModules. @@ -19,6 +19,19 @@ boot.kernelModules = ["vfio-pci"]; virtualisation = { + docker = { + enable = true; + daemon.settings = { + # enables pulling using containerd, which supports restarting from a partial pull + # https://docs.docker.com/storage/containerd/ + "features" = {"containerd-snapshotter" = true;}; + }; + + # start dockerd on boot. + # This is required for containers which are created with the `--restart=always` flag to work. + enableOnBoot = true; + }; + libvirtd = { enable = true; # hanging this option to false may cause file permission issues for existing guests. diff --git a/nixos-installer/configuration.nix b/nixos-installer/configuration.nix index 1bccb4dc..e810c34e 100644 --- a/nixos-installer/configuration.nix +++ b/nixos-installer/configuration.nix @@ -16,7 +16,7 @@ networking = { # configures the network interface(include wireless) via `nmcli` & `nmtui` networkmanager.enable = true; - defaultGateway = "192.168.5.201"; + defaultGateway = "192.168.5.101"; }; system.stateVersion = "23.11"; } diff --git a/scripts/darwin_set_proxy.py b/scripts/darwin_set_proxy.py index 63bf4a1e..d93d2465 100644 --- a/scripts/darwin_set_proxy.py +++ b/scripts/darwin_set_proxy.py @@ -14,7 +14,7 @@ from pathlib import Path NIX_DAEMON_PLIST = Path("/Library/LaunchDaemons/org.nixos.nix-daemon.plist") NIX_DAEMON_NAME = "org.nixos.nix-daemon" # http proxy provided by my homelab's bypass router -HTTP_PROXY = "http://192.168.5.201:7890" +HTTP_PROXY = "http://192.168.5.192:7890" pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes()) diff --git a/secrets/darwin.nix b/secrets/darwin.nix index c20a8707..9408e59a 100644 --- a/secrets/darwin.nix 
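Review bot: `HTTP_PROXY = "http://192.168.5.192:7890"` points at `.192`, while the rest of this commit standardises the bypass-router/gateway address on `192.168.5.101` (`nixos-installer/configuration.nix`, `systems/vars_networking.nix`), and the comment above still says the proxy is "provided by my homelab's bypass router"; either the address or the comment looks stale. If `.192` is a separate proxy box, name it in the comment, e.g. `# http proxy provided by <host> (not the bypass router)` with the real host filled in. Because this script presumably writes the proxy into the nix-daemon launchd plist, every Nix fetch on that machine will transit whichever host answers at this address, so the value deserves a second look.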
+++ b/secrets/darwin.nix @@ -20,7 +20,6 @@ "/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption ]; - # owner = root age.secrets = let noaccess = { mode = "0000"; diff --git a/secrets/nixos.nix b/secrets/nixos.nix index e3994b98..952fbbf1 100644 --- a/secrets/nixos.nix +++ b/secrets/nixos.nix 
@@ -1,137 +1,175 @@ { + lib, config, pkgs, agenix, mysecrets, username, ... -}: { +}: +with lib; let + cfg = config.modules.secrets; + + noaccess = { + mode = "0000"; + owner = "root"; + }; + high_security = { + mode = "0500"; + owner = "root"; + }; + user_readable = { + mode = "0500"; + owner = username; + }; +in { imports = [ agenix.nixosModules.default ]; - environment.systemPackages = [ - agenix.packages."${pkgs.system}".default - ]; - - # if you changed this key, you need to regenerate all encrypt files from the decrypt contents! - age.identityPaths = [ - # To decrypt secrets on boot, this key should exists when the system is booting, - # so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence. - "/persistent/etc/ssh/ssh_host_ed25519_key" # Linux - ]; - - # owner = root - age.secrets = let - noaccess = { - mode = "0000"; - owner = "root"; - }; - high_security = { - mode = "0500"; - owner = "root"; - }; - user_readable = { - mode = "0500"; - owner = username; - }; - in { - # --------------------------------------------- - # no one can read/write this file, even root. - # --------------------------------------------- - - # .age means the decrypted file is still encrypted by age(via a passphrase) - "ryan4yin-gpg-subkeys.priv.age" = - { - file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age"; - } - // noaccess; - - # --------------------------------------------- - # only root can read this file. 
- # --------------------------------------------- - - "wg-business.conf" = - { - file = "${mysecrets}/wg-business.conf.age"; - } - // high_security; - - # Used only by NixOS Modules - # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix - "smb-credentials" = - { - file = "${mysecrets}/smb-credentials.age"; - } - // high_security; - - "rclone.conf" = - { - file = "${mysecrets}/rclone.conf.age"; - } - // high_security; - - "nix-access-tokens" = - { - file = "${mysecrets}/nix-access-tokens.age"; - } - // high_security; - - # --------------------------------------------- - # user can read this file. - # --------------------------------------------- - - "ssh-key-romantic" = - { - file = "${mysecrets}/ssh-key-romantic.age"; - } - // user_readable; - - # alias-for-work - "alias-for-work.nushell" = - { - file = "${mysecrets}/alias-for-work.nushell.age"; - } - // user_readable; - - "alias-for-work.bash" = - { - file = "${mysecrets}/alias-for-work.bash.age"; - } - // user_readable; + options.modules.secrets = { + desktop.enable = mkEnableOption "NixOS Secrets for Desktops"; + server.enable = mkEnableOption "NixOS Secrets for Servers"; + impermanence.enable = mkEnableOption "Wether use impermanence and ephemeral root file sytem"; }; - # place secrets in /etc/ - environment.etc = { - # wireguard config used with `wg-quick up wg-business` - "wireguard/wg-business.conf" = { - source = config.age.secrets."wg-business.conf".path; - }; + config = mkIf (cfg.server.enable || cfg.desktop.enable) (mkMerge [ + { + environment.systemPackages = [ + agenix.packages."${pkgs.system}".default + ]; - "agenix/rclone.conf" = { - source = config.age.secrets."rclone.conf".path; - }; + # if you changed this key, you need to regenerate all encrypt files from the decrypt contents! 
+ age.identityPaths = + if cfg.impermanence.enable + then [ + # To decrypt secrets on boot, this key should exists when the system is booting, + # so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence. + "/persistent/etc/ssh/ssh_host_ed25519_key" # Linux + ] + else [ + "/etc/ssh/ssh_host_ed25519_key" + ]; - "agenix/ssh-key-romantic" = { - source = config.age.secrets."ssh-key-romantic".path; - mode = "0600"; - user = username; - }; + assertions = [ + { + # this expression should be true to pass the assertion + assertion = !(cfg.server.enable && cfg.desktop.enable); + message = "Enable either desktop or server's secrets, not both!"; + } + ]; + } - "agenix/ryan4yin-gpg-subkeys.priv.age" = { - source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path; - mode = "0000"; - }; + (mkIf cfg.desktop.enable { + age.secrets = { + # --------------------------------------------- + # no one can read/write this file, even root. + # --------------------------------------------- - # The following secrets are used by home-manager modules - # So we need to make then readable by the user - "agenix/alias-for-work.nushell" = { - source = config.age.secrets."alias-for-work.nushell".path; - mode = "0644"; # both the original file and the symlink should be readable and executable by the user - }; - "agenix/alias-for-work.bash" = { - source = config.age.secrets."alias-for-work.bash".path; - mode = "0644"; # both the original file and the symlink should be readable and executable by the user - }; - }; + # .age means the decrypted file is still encrypted by age(via a passphrase) + "ryan4yin-gpg-subkeys.priv.age" = + { + file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age"; + } + // noaccess; + + # --------------------------------------------- + # only root can read this file. 
+ # --------------------------------------------- + + "wg-business.conf" = + { + file = "${mysecrets}/wg-business.conf.age"; + } + // high_security; + + # Used only by NixOS Modules + # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix + "smb-credentials" = + { + file = "${mysecrets}/smb-credentials.age"; + } + // high_security; + + "rclone.conf" = + { + file = "${mysecrets}/rclone.conf.age"; + } + // high_security; + + "nix-access-tokens" = + { + file = "${mysecrets}/nix-access-tokens.age"; + } + // high_security; + + # --------------------------------------------- + # user can read this file. + # --------------------------------------------- + + "ssh-key-romantic" = + { + file = "${mysecrets}/ssh-key-romantic.age"; + } + // user_readable; + + # alias-for-work + "alias-for-work.nushell" = + { + file = "${mysecrets}/alias-for-work.nushell.age"; + } + // user_readable; + + "alias-for-work.bash" = + { + file = "${mysecrets}/alias-for-work.bash.age"; + } + // user_readable; + }; + + # place secrets in /etc/ + environment.etc = { + # wireguard config used with `wg-quick up wg-business` + "wireguard/wg-business.conf" = { + source = config.age.secrets."wg-business.conf".path; + }; + + "agenix/rclone.conf" = { + source = config.age.secrets."rclone.conf".path; + }; + + "agenix/ssh-key-romantic" = { + source = config.age.secrets."ssh-key-romantic".path; + mode = "0600"; + user = username; + }; + + "agenix/ryan4yin-gpg-subkeys.priv.age" = { + source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path; + mode = "0000"; + }; + + # The following secrets are used by home-manager modules + # So we need to make then readable by the user + "agenix/alias-for-work.nushell" = { + source = config.age.secrets."alias-for-work.nushell".path; + mode = "0644"; # both the original file and the symlink should be readable and executable by the user + }; + "agenix/alias-for-work.bash" = { + source = config.age.secrets."alias-for-work.bash".path; + mode = "0644"; # 
both the original file and the symlink should be readable and executable by the user + }; + }; + }) + + (mkIf cfg.server.enable { + age.secrets = { + "dae-subscription.dae" = + { + file = "${mysecrets}/server/dae-subscription.dae.age"; + } + // high_security; + }; + }) + ]); } diff --git a/systems/vars.nix b/systems/vars.nix index c9c17514..0ffde3b9 100644 --- a/systems/vars.nix +++ b/systems/vars.nix @@ -14,7 +14,11 @@ in { nixos-modules = [ ../hosts/idols_ai - {modules.desktop.xorg.enable = true;} + { + modules.desktop.xorg.enable = true; + modules.secrets.desktop.enable = true; + modules.secrets.impermanence.enable = true; + } ] ++ desktop_base_modules.nixos-modules; home-module.imports = @@ -29,7 +33,11 @@ in { nixos-modules = [ ../hosts/idols_ai - {modules.desktop.wayland.enable = true;} + { + modules.desktop.wayland.enable = true; + modules.secrets.desktop.enable = true; + modules.secrets.impermanence.enable = true; + } ] ++ desktop_base_modules.nixos-modules; home-module.imports = @@ -43,9 +51,11 @@ in { # 星野 愛久愛海, Hoshino Akuamarin idol_aquamarine_modules = { nixos-modules = [ + ../secrets/nixos.nix ../hosts/idols_aquamarine ../modules/nixos/server/server.nix ../modules/nixos/server/proxmox-hardware-configuration.nix + {modules.secrets.server.enable = true;} ]; # home-module.imports = []; }; diff --git a/systems/vars_networking.nix b/systems/vars_networking.nix index afecaac4..777a39e1 100644 --- a/systems/vars_networking.nix +++ b/systems/vars_networking.nix @@ -1,5 +1,5 @@ {lib, ...}: rec { - defaultGateway = "192.168.5.201"; + defaultGateway = "192.168.5.101"; nameservers = [ "119.29.29.29" # DNSPod "223.5.5.5" # AliDNS 
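Review bot: `"agenix/alias-for-work.nushell"` and `"agenix/alias-for-work.bash"` are given `mode = "0644"` in `environment.etc`, which makes the etc module copy the decrypted content into `/etc` as a root-owned, world-readable file rather than symlink it — contradicting the `user_readable` policy (`0500`, owner `username`) applied to the same secrets a few lines up. The sibling `"agenix/ssh-key-romantic"` entry shows the intended pattern; use `mode = "0500"; user = username;` here too, or drop `mode` so a symlink to the agenix path is installed and the agenix-side permissions govern. The same mechanism means `"agenix/ssh-key-romantic"` with `mode = "0600"` is a second persistent copy of the private key outside `/run/agenix`, where agenix's generation cleanup will not touch it; `age.secrets.<name>.path` would place it directly instead. Separately, the option description `"Wether use impermanence and ephemeral root file sytem"` has two typos; suggest `"Whether to use impermanence and an ephemeral root file system"`.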
@@ -85,7 +85,7 @@ publicKey = value.publicKey; }) { - aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0EzzjnuHBE9xEOZupLmaAj9xbYxkUDeLbMqFZ7YPjU"; + aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJrHY3BZRTu0hrlsKxqS+O4GDp4cbumF8aNnbPCGKji root@aquamarine"; ruby.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrDXNQXELnbevZ1rImfXwmQHkRcd3TDNLsQo33c2tUf"; kana.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMVX05DQD1XJ0AqFZzsRsqgeUOlZ4opAI+8tkVXyjq+"; };
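Review bot: Replacing `aquamarine.publicKey` swaps the host key that, per the new `secrets/nixos.nix`, decrypts `dae-subscription.dae` via `/etc/ssh/ssh_host_ed25519_key`; if this key is also the agenix recipient for aquamarine, every secret encrypted for that host must be re-keyed to the new key or activation will fail to decrypt — the re-key would live in the `mysecrets` input, which this diff does not show, so it is worth confirming. The new entry also carries a trailing `root@aquamarine` comment while `ruby` and `kana` do not; for consistency, `aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJrHY3BZRTu0hrlsKxqS+O4GDp4cbumF8aNnbPCGKji";`. Clients with the old key in `known_hosts` will get a host-key-changed warning on the next connection, which is expected after the rebuild but deserves a line in the commit message so it is not mistaken for an interception.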