Merge pull request #60 from ryan4yin/bypass-router

feat: bypass router
This commit is contained in:
Ryan Yin
2024-02-17 04:38:00 +08:00
committed by GitHub
27 changed files with 907 additions and 421 deletions
+4 -4
View File
@@ -112,16 +112,16 @@ tailscale_gw:
pve-image: pve-image:
nom build .#tailscale_gw nom build .#tailscale_gw
rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
nom build .#aquamarine nom build .#aquamarine
rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
nom build .#ruby nom build .#ruby
rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
nom build .#kana nom build .#kana
rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
############################################################################ ############################################################################
+1 -1
View File
@@ -140,7 +140,7 @@ nom build .#aquamarine # `nom`(nix-output-monitor) can be replaced by the stand
# 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump` # 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump`
# please replace the vma file name with the one you generated in step 1. # please replace the vma file name with the one you generated in step 1.
rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
# 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now. # 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now.
``` ```
Generated
+327 -86
View File
@@ -94,6 +94,28 @@
"type": "github" "type": "github"
} }
}, },
"daeuniverse": {
"inputs": {
"flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs",
"pnpm2nix": "pnpm2nix",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1708006709,
"narHash": "sha256-5WSBOUuYtPfpCL0v5scEVRis1qjv1haL3tmwM/LJPT8=",
"owner": "daeuniverse",
"repo": "flake.nix",
"rev": "5bb02d49a4ec48019758cf3893a6f614d307df0b",
"type": "github"
},
"original": {
"owner": "daeuniverse",
"ref": "unstable",
"repo": "flake.nix",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -133,6 +155,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@@ -148,7 +186,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": { "flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@@ -186,6 +224,23 @@
} }
}, },
"flake-parts_2": { "flake-parts_2": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1706830856,
"narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
"type": "github"
},
"original": {
"id": "flake-parts",
"type": "indirect"
}
},
"flake-parts_3": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"lanzaboote", "lanzaboote",
@@ -206,9 +261,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_3": { "flake-parts_4": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib_2"
}, },
"locked": { "locked": {
"lastModified": 1706830856, "lastModified": 1706830856,
@@ -226,14 +281,14 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1685518550,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -244,7 +299,7 @@
}, },
"flake-utils_2": { "flake-utils_2": {
"inputs": { "inputs": {
"systems": "systems_3" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1701680307,
@@ -296,7 +351,65 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_5": {
"inputs": {
"systems": "systems_6"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_6": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": { "gitignore": {
"inputs": {
"nixpkgs": [
"daeuniverse",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703887061,
"narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"lanzaboote", "lanzaboote",
@@ -318,7 +431,7 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_2": { "gitignore_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixos-rk3588", "nixos-rk3588",
@@ -340,7 +453,7 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_3": { "gitignore_4": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"pre-commit-hooks", "pre-commit-hooks",
@@ -409,7 +522,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"systems": "systems", "systems": "systems_3",
"wlroots": "wlroots", "wlroots": "wlroots",
"xdph": "xdph" "xdph": "xdph"
}, },
@@ -471,9 +584,9 @@
"lanzaboote": { "lanzaboote": {
"inputs": { "inputs": {
"crane": "crane", "crane": "crane",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_3",
"flake-utils": "flake-utils", "flake-utils": "flake-utils_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@@ -515,10 +628,10 @@
"mysecrets": { "mysecrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1707067920, "lastModified": 1708107208,
"narHash": "sha256-unTHx5LgbzIa3flAgiwxaYD/BPssYfCWCZhK30njLXs=", "narHash": "sha256-v2ugfiX05Kv+z1E1iO/nYiFj540V9SGES5JPAeLVu5M=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "2fc5c6615c2a9216dc863b8adfb69f100b7788fb", "rev": "57e9a6dab2d3e1702354ff4862afe9b48ed31e07",
"shallow": true, "shallow": true,
"type": "git", "type": "git",
"url": "ssh://git@github.com/ryan4yin/nix-secrets.git" "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
@@ -551,8 +664,8 @@
}, },
"nix-gaming": { "nix-gaming": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_4",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1707614138, "lastModified": 1707614138,
@@ -622,7 +735,7 @@
}, },
"nixos-licheepi4a": { "nixos-licheepi4a": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"thead-kernel": "thead-kernel" "thead-kernel": "thead-kernel"
}, },
"locked": { "locked": {
@@ -641,10 +754,10 @@
}, },
"nixos-rk3588": { "nixos-rk3588": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_4",
"mesa-panfork": "mesa-panfork", "mesa-panfork": "mesa-panfork",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_4",
"pre-commit-hooks": "pre-commit-hooks" "pre-commit-hooks": "pre-commit-hooks_2"
}, },
"locked": { "locked": {
"lastModified": 1703010942, "lastModified": 1703010942,
@@ -662,16 +775,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1707451808, "lastModified": 1706732774,
"narHash": "sha256-UwDBUNHNRsYKFJzyTMVMTF5qS4xeJlWoeyJf+6vvamU=", "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "442d407992384ed9c0e6d352de75b69079904e4e", "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixpkgs-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -710,7 +823,41 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib_2": {
"locked": {
"dir": "lib",
"lastModified": 1706550542,
"narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": {
"lastModified": 1704874635,
"narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1678872516, "lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
@@ -726,7 +873,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_3": {
"locked": { "locked": {
"lastModified": 1707786466, "lastModified": 1707786466,
"narHash": "sha256-yLPfrmW87M2qt+8bAmwopJawa+MJLh3M9rUbXtpUc1o=", "narHash": "sha256-yLPfrmW87M2qt+8bAmwopJawa+MJLh3M9rUbXtpUc1o=",
@@ -742,7 +889,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_3": { "nixpkgs-stable_4": {
"locked": { "locked": {
"lastModified": 1704874635, "lastModified": 1704874635,
"narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=",
@@ -775,6 +922,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1707451808,
"narHash": "sha256-UwDBUNHNRsYKFJzyTMVMTF5qS4xeJlWoeyJf+6vvamU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "442d407992384ed9c0e6d352de75b69079904e4e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1691280485, "lastModified": 1691280485,
"narHash": "sha256-/8Ct9092OC1TTNzHgbcE9ejQdS2QxZYGqrWXEwUxdtQ=", "narHash": "sha256-/8Ct9092OC1TTNzHgbcE9ejQdS2QxZYGqrWXEwUxdtQ=",
@@ -790,7 +953,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1691486536, "lastModified": 1691486536,
"narHash": "sha256-W2jYTn6rNiJEpjXkOiZxNltgxxwgeZE5cQ967NgsrHU=", "narHash": "sha256-W2jYTn6rNiJEpjXkOiZxNltgxxwgeZE5cQ967NgsrHU=",
@@ -806,7 +969,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1707956935, "lastModified": 1707956935,
"narHash": "sha256-ZL2TrjVsiFNKOYwYQozpbvQSwvtV/3Me7Zwhmdsfyu4=", "narHash": "sha256-ZL2TrjVsiFNKOYwYQozpbvQSwvtV/3Me7Zwhmdsfyu4=",
@@ -822,7 +985,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_5": { "nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1701436327, "lastModified": 1701436327,
"narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=",
@@ -836,7 +999,7 @@
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz" "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz"
} }
}, },
"nixpkgs_6": { "nixpkgs_7": {
"locked": { "locked": {
"lastModified": 1702921762, "lastModified": 1702921762,
"narHash": "sha256-O/rP7gulApQAB47u6szEd8Pn8Biw0d84j5iuP2tcxzY=", "narHash": "sha256-O/rP7gulApQAB47u6szEd8Pn8Biw0d84j5iuP2tcxzY=",
@@ -854,7 +1017,7 @@
}, },
"nuenv": { "nuenv": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_6",
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
@@ -873,7 +1036,7 @@
}, },
"nur-ryan4yin": { "nur-ryan4yin": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_6" "nixpkgs": "nixpkgs_7"
}, },
"locked": { "locked": {
"lastModified": 1705366605, "lastModified": 1705366605,
@@ -889,6 +1052,28 @@
"type": "github" "type": "github"
} }
}, },
"pnpm2nix": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"daeuniverse",
"nixpkgs"
]
},
"locked": {
"lastModified": 1691661013,
"narHash": "sha256-m7dhwjnDw2U7PDUatHcVJXd8wrDLpIGlQac0im6+0fk=",
"owner": "Ninlives",
"repo": "pnpm2nix",
"rev": "86f8995bbe56a66459b6ca2f790db6272c616e39",
"type": "github"
},
"original": {
"owner": "Ninlives",
"repo": "pnpm2nix",
"type": "github"
}
},
"polybar-themes": { "polybar-themes": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -906,6 +1091,62 @@
} }
}, },
"pre-commit-hooks": { "pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_2",
"gitignore": "gitignore",
"nixpkgs": [
"daeuniverse",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1706424699,
"narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
"nixos-rk3588" "nixos-rk3588"
@@ -914,7 +1155,7 @@
"nixos-rk3588", "nixos-rk3588",
"flake-utils" "flake-utils"
], ],
"gitignore": "gitignore_2", "gitignore": "gitignore_3",
"nixpkgs": [ "nixpkgs": [
"nixos-rk3588", "nixos-rk3588",
"nixpkgs" "nixpkgs"
@@ -938,46 +1179,15 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": { "pre-commit-hooks_3": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": "flake-compat_3",
"lanzaboote", "flake-utils": "flake-utils_6",
"flake-compat" "gitignore": "gitignore_4",
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_4",
"gitignore": "gitignore_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-stable": "nixpkgs-stable_3" "nixpkgs-stable": "nixpkgs-stable_4"
}, },
"locked": { "locked": {
"lastModified": 1707297608, "lastModified": 1707297608,
@@ -998,6 +1208,7 @@
"agenix": "agenix", "agenix": "agenix",
"anyrun": "anyrun", "anyrun": "anyrun",
"astronvim": "astronvim", "astronvim": "astronvim",
"daeuniverse": "daeuniverse",
"doomemacs": "doomemacs", "doomemacs": "doomemacs",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"hyprland": "hyprland", "hyprland": "hyprland",
@@ -1010,14 +1221,14 @@
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixos-licheepi4a": "nixos-licheepi4a", "nixos-licheepi4a": "nixos-licheepi4a",
"nixos-rk3588": "nixos-rk3588", "nixos-rk3588": "nixos-rk3588",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_5",
"nixpkgs-darwin": "nixpkgs-darwin", "nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-stable": "nixpkgs-stable_2", "nixpkgs-stable": "nixpkgs-stable_3",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nuenv": "nuenv", "nuenv": "nuenv",
"nur-ryan4yin": "nur-ryan4yin", "nur-ryan4yin": "nur-ryan4yin",
"polybar-themes": "polybar-themes", "polybar-themes": "polybar-themes",
"pre-commit-hooks": "pre-commit-hooks_2", "pre-commit-hooks": "pre-commit-hooks_3",
"wallpapers": "wallpapers" "wallpapers": "wallpapers"
} }
}, },
@@ -1048,7 +1259,7 @@
}, },
"rust-overlay_2": { "rust-overlay_2": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_5",
"nixpkgs": [ "nixpkgs": [
"nuenv", "nuenv",
"nixpkgs" "nixpkgs"
@@ -1070,16 +1281,16 @@
}, },
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1689347949, "lastModified": 1681028828,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems", "owner": "nix-systems",
"repo": "default-linux", "repo": "default",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-systems", "owner": "nix-systems",
"repo": "default-linux", "repo": "default",
"type": "github" "type": "github"
} }
}, },
@@ -1100,16 +1311,16 @@
}, },
"systems_3": { "systems_3": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1689347949,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems", "owner": "nix-systems",
"repo": "default", "repo": "default-linux",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-systems", "owner": "nix-systems",
"repo": "default", "repo": "default-linux",
"type": "github" "type": "github"
} }
}, },
@@ -1143,6 +1354,36 @@
"type": "github" "type": "github"
} }
}, },
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"thead-kernel": { "thead-kernel": {
"flake": false, "flake": false,
"locked": { "locked": {
+2
View File
@@ -164,6 +164,8 @@
nuenv.url = "github:DeterminateSystems/nuenv"; nuenv.url = "github:DeterminateSystems/nuenv";
daeuniverse.url = "github:daeuniverse/flake.nix/unstable";
######################## Some non-flake repositories ######################################### ######################## Some non-flake repositories #########################################
# AstroNvim is an aesthetic and feature-rich neovim config. # AstroNvim is an aesthetic and feature-rich neovim config.
+2 -35
View File
@@ -4,46 +4,13 @@
... ...
}: { }: {
home.packages = with pkgs; [ home.packages = with pkgs; [
neofetch # Misc
# networking tools
mtr # A network diagnostic tool
iperf3
dnsutils # `dig` + `nslookup`
ldns # replacement of `dig`, it provide the command `drill`
aria2 # A lightweight multi-protocol & multi-source command-line download utility
socat # replacement of openbsd-netcat
nmap # A utility for network discovery and security auditing
ipcalc # it is a calculator for the IPv4/v6 addresses
# archives
zip
xz
unzip
p7zip
# misc
tldr tldr
cowsay cowsay
file
findutils
which
tree
gnutar
zstd
gnupg gnupg
rsync
# Text Processing
# Docs: https://github.com/learnbyexample/Command-line-text-processing
gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
gnused # GNU sed, very powerful(mainly for replacing text in files)
gnumake gnumake
gawk # GNU awk, a pattern scanning and processing language
jq # A lightweight and flexible command-line JSON processor
# morden cli tools, replacement of grep/sed/... # Morden cli tools, replacement of grep/sed/...
# Interactively filter its input using fuzzy searching, not limit to filenames. # Interactively filter its input using fuzzy searching, not limit to filenames.
fzf fzf
-20
View File
@@ -1,29 +1,9 @@
{pkgs, ...}: { {pkgs, ...}: {
# Linux Only Packages, not available on Darwin # Linux Only Packages, not available on Darwin
home.packages = with pkgs; [ home.packages = with pkgs; [
nmon
iotop
iftop
# misc # misc
libnotify libnotify
wireguard-tools # manage wireguard vpn manually, via wg-quick wireguard-tools # manage wireguard vpn manually, via wg-quick
# system call monitoring
strace # system call monitoring
ltrace # library call monitoring
bpftrace # powerful tracing tool
tcpdump # network sniffer
lsof # list open files
# system tools
sysstat
lm_sensors # for `sensors` command
ethtool
pciutils # lspci
usbutils # lsusb
hdparm # for disk performance, command
dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
]; ];
# auto mount usb drives # auto mount usb drives
+1 -1
View File
@@ -21,7 +21,7 @@ in {
./impermanence.nix ./impermanence.nix
]; ];
boot.kernelModules = ["kvm-amd" "kvm-intel"]; boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = { networking = {
+1
View File
@@ -10,6 +10,7 @@ let
in { in {
imports = [ imports = [
./tailscale.nix ./tailscale.nix
./proxy.nix
]; ];
# supported file systems, so we can mount any removable disks with these filesystems # supported file systems, so we can mount any removable disks with these filesystems
+31
View File
@@ -0,0 +1,31 @@
{
# dae(running on aquamarine) do not provides http/socks5 proxy server, so we use v2ray here.
# https://github.com/v2fly
services.v2ray = {
enable = true;
config = {
inbounds = [
{
listen = "0.0.0.0";
port = 7890;
protocol = "http";
}
{
listen = "0.0.0.0";
port = 7891;
protocol = "socks";
settings = {
auth = "noauth";
udp = true;
};
}
];
outbounds = [
{
protocol = "freedom";
tag = "freedom";
}
];
};
};
}
+12 -1
View File
@@ -1,6 +1,17 @@
# Idols - Aquamarine # Idols - Aquamarine
TODO: use aqua as a passby router(IPv4 only) to access the global internet. Use aqua as a passby router(IPv4 only) to access the global internet.
## Troubleshooting
### DNS cannot be resolved
1. `sudo systemctl stop dae`, then try to resolve the domain name again.
- If it works, the problem is caused by `dae` service.
- check dae's log by `sudo journalctl -u dae`
1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`.
## References ## References
@@ -1,3 +1,10 @@
# https://github.com/daeuniverse/dae/discussions/81
# https://github.com/daeuniverse/dae/blob/main/example.dae
# load all dae files placed in ./config.d/
include {
config.d/*.dae
}
global { global {
##### Software options. ##### Software options.
@@ -14,7 +21,7 @@ global {
so_mark_from_dae: 0 so_mark_from_dae: 0
# Log level: error, warn, info, debug, trace. # Log level: error, warn, info, debug, trace.
log_level: info log_level: debug
# Disable waiting for network before pulling subscriptions. # Disable waiting for network before pulling subscriptions.
disable_waiting_network: false disable_waiting_network: false
@@ -24,11 +31,12 @@ global {
# The LAN interface to bind. Use it if you want to proxy LAN. # The LAN interface to bind. Use it if you want to proxy LAN.
# Multiple interfaces split by ",". # Multiple interfaces split by ",".
lan_interface: ens18 lan_interface: br-lan
# The WAN interface to bind. Use it if you want to proxy localhost. # The WAN interface to bind. Use it if you want to proxy localhost.
# Multiple interfaces split by ",". Use "auto" to auto detect. # Multiple interfaces split by ",". Use "auto" to auto detect.
wan_interface: auto # bypass router has no WAN interface, so comment it.
# wan_interface: auto
# Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do. # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
@@ -37,7 +45,7 @@ global {
# Automatically configure firewall rules like firewalld and fw4. # Automatically configure firewall rules like firewalld and fw4.
# firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept' # firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
# fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept' # fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
auto_config_firewall_rule: true auto_config_firewall_rule: false
##### Node connectivity check. ##### Node connectivity check.
@@ -98,30 +106,11 @@ global {
utls_imitate: chrome_auto utls_imitate: chrome_auto
} }
# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
subscription {
# Add your subscription links(or files that contains the link) here.
'file://dae-mysubscription-1.sub' # the path is related to /etc/dae/
'file://dae-mysubscription-2.sub'
}
# Nodes defined here will be merged as a part of the global node pool.
node {
# Add your node links here.
# Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
# Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
# mylink: 'ss://LINK'
# node1: 'vmess://LINK'
# node2: 'vless://LINK'
# chains: 'tuic://LINK -> vmess://LINK'
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples. # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
dns { dns {
# For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
# respond to type A queries and response empty answer to type AAAA queries. # respond to type A queries and response empty answer to type AAAA queries.
#ipversion_prefer: 4 ipversion_prefer: 4
# Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
# for these domains. # for these domains.
@@ -137,8 +126,8 @@ dns {
# Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing. # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
# If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended. # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
alidns: 'udp://dns.alidns.com:53' alidns: 'udp://223.5.5.5:53'
googledns: 'tcp+udp://dns.google.com:53' googledns: 'tcp+udp://8.8.8.8:53'
} }
routing { routing {
# According to the request of dns query, decide to use which DNS upstream. # According to the request of dns query, decide to use which DNS upstream.
@@ -148,60 +137,91 @@ dns {
qname(geosite:cn) -> alidns qname(geosite:cn) -> alidns
# fallback is also called default. # fallback is also called default.
fallback: googledns fallback: googledns
# other custom rules
qname(geosite:category-ads) -> reject
qname(geosite:category-ads-all) -> reject
qtype(aaaa) -> reject
qname(regex: '.+\.linkedin$') -> googledns
}
# According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
# Match rules from top to bottom.
response {
# Trusted upstream. Always accept its result.
upstream(googledns) -> accept
# Possibly polluted(domain resolved to a private ip), re-lookup using googledns.
ip(geoip:private) && !qname(geosite:cn) -> googledns
fallback: accept
} }
} }
# routing {
# # According to the request of dns query, decide to use which DNS upstream.
# # Match rules from top to bottom.
# request {
# # fallback is also called default.
# fallback: alidns
# }
# # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
# # Match rules from top to bottom.
# response {
# # Trusted upstream. Always accept its result.
# upstream(googledns) -> accept
# # Possibly polluted, re-lookup using googledns.
# ip(geoip:private) && !qname(geosite:cn) -> googledns
# # fallback is also called default.
# fallback: accept
# }
# }
} }
# Node group (outbound). # Node group (outbound).
group { group {
my_group { proxy {
# No filter. Use all nodes. filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
# Randomly select a node from the group for every connection. filter: name(keyword: 'Singapore')
#policy: random filter: name(keyword: '新加坡')
# Select the first node from the group for every connection.
#policy: fixed(0)
# Select the node with min last latency from the group for every connection.
#policy: min
# Select the node with min moving average of latencies from the group for every connection.
policy: min_moving_avg
}
group2 {
# Filter nodes from the global node pool defined by the subscription and node section above.
#filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
# Filter nodes from the global node pool defined by tag.
#filter: name(node1, node2)
# Filter nodes and give a fixed latency offset to archive latency-based failover. # Filter nodes and give a fixed latency offset to archive latency-based failover.
# In this example, there is bigger possibility to choose US node even if original latency of US node is higher. # In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
filter: name(HK_node) filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(US_node) [add_latency: -500ms] filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
filter: name(keyword: '英国') [add_latency: -300ms]
filter: name(keyword: 'Japan') [add_latency: 300ms]
filter: name(keyword: '日本') [add_latency: 300ms]
# Other filters:
# Filter nodes from the global node pool defined by the subscription and node section above.
# filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
# Filter nodes from the global node pool defined by tag.
# filter: name('node_a','node_b')
# Select the node with min average of the last 10 latencies from the group for every connection. # Select the node with min average of the last 10 latencies from the group for every connection.
policy: min_avg10 policy: min_avg10
# Other policies:
# random - Randomly select a node from the group for every connection.
# fixed(0) - Select the first node from the group for every connection.
# min - Select the node with min last latency from the group for every connection.
# min_moving_avg - Select the node with min moving average of latencies from the group for every connection.
}
media {
filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
filter: name(keyword: '英国') [add_latency: -300ms]
filter: name(keyword: 'Japan') [add_latency: 300ms]
filter: name(keyword: '日本') [add_latency: 300ms]
policy: min_avg10
}
sg {
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
policy: min_avg10
}
usa {
filter: name(keyword: 'USA')
filter: name(keyword: '美国')
policy: min_avg10
}
uk {
filter: name(keyword: 'UK')
filter: name(keyword: '英国')
filter: name(keyword: '美国')
policy: min_avg10
} }
} }
@@ -212,6 +232,7 @@ routing {
# Network managers in localhost should be direct to avoid false negative network connectivity check when binding to # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
# WAN. # WAN.
pname(NetworkManager) -> direct pname(NetworkManager) -> direct
pname(systemd-networkd) -> direct
# Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
# forwarded by the proxy. # forwarded by the proxy.
@@ -222,12 +243,75 @@ routing {
# private addresses in your proxy host network, modify the below line. # private addresses in your proxy host network, modify the below line.
dip(geoip:private) -> direct dip(geoip:private) -> direct
### Write your rules below. # --- Core rules ---#
# Disable h3 because it usually consumes too much cpu/mem resources. # Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
l4proto(udp) && dport(443) -> block l4proto(udp) && dport(443) -> block
# Direct access to all Chinese mainland-related IP addresses
dip(geoip:cn) -> direct dip(geoip:cn) -> direct
domain(geosite:cn) -> direct domain(geosite:cn) -> direct
fallback: my_group # Use HK to access all other foreign sites
domain(geosite:geolocation-!cn) -> proxy
!dip(geoip:cn) -> proxy
# Block ads
domain(geosite:category-ads) -> block
domain(geosite:category-ads-all) -> block
# DNS
dip(8.8.8.8, 8.8.4.4) -> proxy
dip(223.5.5.5, 223.6.6.6) -> direct
domain(full:dns.alidns.com) -> direct
domain(full:dns.googledns.com) -> proxy
domain(full:dns.opendns.com) -> proxy
# --- Rules for other commonly used sites ---#
# Access github.com via UK's proxies
domain(geosite:github) -> uk
### OpenAI
domain(geosite:openai) -> sg
domain(regex:'.+\.openai$') -> sg
### Media
domain(geosite:netflix) -> media
### Proxy
domain(suffix: linkedin.com) -> proxy
domain(keyword:'linkedin') -> proxy
domain(regex:'.+\.linkedin\.com$') -> proxy
domain(regex:'.+\.quay\.io$') -> proxy
domain(regex:'.+\.notion\.so$') -> proxy
domain(regex:'.+\.amazon\.com$') -> proxy
domain(regex:'.+\.oracle\.com$') -> proxy
domain(regex:'.+\.docker\.com$') -> proxy
domain(regex:'.+\.kubernetes\.io$') -> proxy
domain(geosite:microsoft) -> proxy
domain(geosite:linkedin) -> proxy
domain(geosite:twitter) -> proxy
domain(geosite:telegram) -> proxy
domain(geosite:google) -> proxy
domain(geosite:apple) -> proxy
domain(geosite:category-container) -> proxy
domain(geosite:category-dev) -> proxy
domain(geosite:google-scholar) -> proxy
domain(geosite:category-scholar-!cn) -> proxy
### Direct
domain(regex:'.+\.edu\.cn$') -> proxy
domain(keyword:'baidu') -> direct
domain(keyword:'bilibili') -> direct
domain(keyword:'taobao') -> direct
domain(keyword:'alibabadns') -> direct
domain(keyword:'alicdn') -> direct
domain(keyword:'tbcache') -> direct
domain(keyword:'zhihu') -> direct
domain(keyword:'douyu') -> direct
domain(geosite:cloudflare-cn) -> direct
fallback: direct
} }
+48 -2
View File
@@ -1,11 +1,57 @@
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/dae.nix
{ {
config,
pkgs,
daeuniverse,
...
}:
# https://github.com/daeuniverse/flake.nix
let
daeConfigPath = "/etc/dae/config.dae";
subscriptionConfigPath = "/etc/dae/config.d/subscription.dae";
in {
imports = [
daeuniverse.nixosModules.dae
daeuniverse.nixosModules.daed
];
# dae - eBPF-based Linux high-performance transparent proxy.
services.dae = { services.dae = {
enable = true; enable = true;
package = daeuniverse.packages.${pkgs.system}.dae;
disableTxChecksumIpGeneric = false;
configFile = daeConfigPath;
assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
# alternatively, specify assets dir
# assetsPath = "/etc/dae";
openFirewall = { openFirewall = {
enable = true; enable = true;
port = 12345; port = 12345;
}; };
configFile = ./bypass-router.dae;
}; };
# dae supports two types of subscriptions: base64 encoded proxies, and sip008.
# subscription can be a url return the subscription, or a file path that contains the subscription.
#
# Nix decrypt and merge my dae's base config and subscription config here.
# the subscription config is something like:
# ```
# subscription {
# 'https://www.example.com/subscription/link'
# 'https://example.com/no_tag_link'
# }
# node {
# # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity
# node_a: 'trojan://'
# node_b: 'trojan://'
# node_c: 'vless://'
# node_d: 'vless://'
# node_e: 'vmess://'
# node_f: 'tuic://'
# node_h: 'juicity://'
# }
# ```
system.activationScripts.installDaeConfig = ''
install -Dm 600 ${./config.dae} ${daeConfigPath}
install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath}
'';
} }
+2 -14
View File
@@ -6,40 +6,28 @@
############################################################# #############################################################
let let
hostName = "aquamarine"; # Define your hostname. hostName = "aquamarine"; # Define your hostname.
hostAddress = vars_networking.hostAddress.${hostName};
in { in {
imports = [ imports = [
./router.nix ./router.nix
./dae.nix ./dae.nix
]; ];
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
# supported file systems, so we can mount any removable disks with these filesystems # supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [ boot.supportedFilesystems = [
"ext4" "ext4"
"btrfs" "btrfs"
"xfs" "xfs"
#"zfs"
"ntfs"
"fat" "fat"
"vfat" "vfat"
"exfat" "exfat"
"cifs" # mount windows share
]; ];
boot.kernelModules = ["kvm-amd" "kvm-intel"]; boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = { networking = {
inherit hostName; inherit hostName;
inherit (vars_networking) defaultGateway nameservers; inherit (vars_networking) nameservers;
networkmanager.enable = false;
interfaces.ens18 = {
useDHCP = false;
ipv4.addresses = [hostAddress];
};
}; };
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
File diff suppressed because one or more lines are too long
+1 -1
View File
@@ -23,7 +23,7 @@ in {
"cifs" # mount windows share "cifs" # mount windows share
]; ];
boot.kernelModules = ["kvm-amd" "kvm-intel"]; boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = { networking = {
+1 -1
View File
@@ -1,6 +1,6 @@
# Idols - Ruby # Idols - Ruby
TODO: use kana for backup / sync my personal data. TODO: use ruby for backup / sync my personal data.
For safety, those data should be encrypted before sending to the cloud or my NAS. For safety, those data should be encrypted before sending to the cloud or my NAS.
1. restic: Backup file from homelab to NAS, or from NAS to Cloud 1. restic: Backup file from homelab to NAS, or from NAS to Cloud
+1 -1
View File
@@ -27,7 +27,7 @@ in {
"cifs" # mount windows share "cifs" # mount windows share
]; ];
boot.kernelModules = ["kvm-amd" "kvm-intel"]; boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = { networking = {
+47 -5
View File
@@ -60,15 +60,57 @@
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
parted neofetch
psmisc # killall/pstree/prtstat/fuser/...
neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
curl
aria2
git # used by nix flakes git # used by nix flakes
git-lfs # used by huggingface models git-lfs # used by huggingface models
# archives
zip
xz
zstd
unzip
p7zip
# Text Processing
# Docs: https://github.com/learnbyexample/Command-line-text-processing
gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
gnused # GNU sed, very powerful(mainly for replacing text in files)
gawk # GNU awk, a pattern scanning and processing language
jq # A lightweight and flexible command-line JSON processor
# system call monitoring
strace # system call monitoring
ltrace # library call monitoring
bpftrace # powerful tracing tool
tcpdump # network sniffer
lsof # list open files
# system monitoring
sysstat
iotop
iftop
btop
nmon
# system tools
psmisc # killall/pstree/prtstat/fuser/...
lm_sensors # for `sensors` command
ethtool
pciutils # lspci
usbutils # lsusb
hdparm # for disk performance, command
dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
parted
# misc
file
findutils
which
tree
gnutar
rsync
# create a fhs environment by command `fhs`, so we can run non-nixos packages in nixos! # create a fhs environment by command `fhs`, so we can run non-nixos packages in nixos!
( (
let let
+15
View File
@@ -1,8 +1,23 @@
{ {
lib, lib,
pkgs,
vars_networking, vars_networking,
... ...
}: { }: {
environment.systemPackages = with pkgs; [
# networking tools
mtr # A network diagnostic tool
iperf3
dnsutils # `dig` + `nslookup`
ldns # replacement of `dig`, it provide the command `drill`
wget
curl
aria2 # A lightweight multi-protocol & multi-source command-line download utility
socat # replacement of openbsd-netcat
nmap # A utility for network discovery and security auditing
ipcalc # it is a calculator for the IPv4/v6 addresses
];
# networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether. # Or disable the firewall altogether.
-25
View File
@@ -1,25 +0,0 @@
{pkgs, ...}: {
###################################################################################
#
# Virtualisation - Libvirt(QEMU/KVM) / Docker / LXD / WayDroid
#
###################################################################################
virtualisation = {
docker = {
enable = true;
daemon.settings = {
# enables pulling using containerd, which supports restarting from a partial pull
# https://docs.docker.com/storage/containerd/
"features" = {"containerd-snapshotter" = true;};
};
# start dockerd on boot.
# This is required for containers which are created with the `--restart=always` flag to work.
enableOnBoot = true;
};
waydroid.enable = true;
lxd.enable = true;
};
}
+14 -1
View File
@@ -9,7 +9,7 @@
# This should be set per host in /hosts, not here. # This should be set per host in /hosts, not here.
# #
## For AMD CPU, add "kvm-amd" to kernelModules. ## For AMD CPU, add "kvm-amd" to kernelModules.
# boot.kernelModules = ["kvm-amd" "kvm-intel"]; # boot.kernelModules = ["kvm-amd"];
# boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu # boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
# #
## For Intel CPU, add "kvm-intel" to kernelModules. ## For Intel CPU, add "kvm-intel" to kernelModules.
@@ -19,6 +19,19 @@
boot.kernelModules = ["vfio-pci"]; boot.kernelModules = ["vfio-pci"];
virtualisation = { virtualisation = {
docker = {
enable = true;
daemon.settings = {
# enables pulling using containerd, which supports restarting from a partial pull
# https://docs.docker.com/storage/containerd/
"features" = {"containerd-snapshotter" = true;};
};
# start dockerd on boot.
# This is required for containers which are created with the `--restart=always` flag to work.
enableOnBoot = true;
};
libvirtd = { libvirtd = {
enable = true; enable = true;
# hanging this option to false may cause file permission issues for existing guests. # hanging this option to false may cause file permission issues for existing guests.
+1 -1
View File
@@ -16,7 +16,7 @@
networking = { networking = {
# configures the network interface(include wireless) via `nmcli` & `nmtui` # configures the network interface(include wireless) via `nmcli` & `nmtui`
networkmanager.enable = true; networkmanager.enable = true;
defaultGateway = "192.168.5.201"; defaultGateway = "192.168.5.101";
}; };
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }
+1 -1
View File
@@ -14,7 +14,7 @@ from pathlib import Path
NIX_DAEMON_PLIST = Path("/Library/LaunchDaemons/org.nixos.nix-daemon.plist") NIX_DAEMON_PLIST = Path("/Library/LaunchDaemons/org.nixos.nix-daemon.plist")
NIX_DAEMON_NAME = "org.nixos.nix-daemon" NIX_DAEMON_NAME = "org.nixos.nix-daemon"
# http proxy provided by my homelab's bypass router # http proxy provided by my homelab's bypass router
HTTP_PROXY = "http://192.168.5.201:7890" HTTP_PROXY = "http://192.168.5.192:7890"
pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes()) pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes())
-1
View File
@@ -20,7 +20,6 @@
"/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption "/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption
]; ];
# owner = root
age.secrets = let age.secrets = let
noaccess = { noaccess = {
mode = "0000"; mode = "0000";
+157 -119
View File
@@ -1,137 +1,175 @@
{ {
lib,
config, config,
pkgs, pkgs,
agenix, agenix,
mysecrets, mysecrets,
username, username,
... ...
}: { }:
with lib; let
cfg = config.modules.secrets;
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
imports = [ imports = [
agenix.nixosModules.default agenix.nixosModules.default
]; ];
environment.systemPackages = [ options.modules.secrets = {
agenix.packages."${pkgs.system}".default desktop.enable = mkEnableOption "NixOS Secrets for Desktops";
]; server.enable = mkEnableOption "NixOS Secrets for Servers";
impermanence.enable = mkEnableOption "Wether use impermanence and ephemeral root file sytem";
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths = [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
];
# owner = root
age.secrets = let
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
}; };
# place secrets in /etc/ config = mkIf (cfg.server.enable || cfg.desktop.enable) (mkMerge [
environment.etc = { {
# wireguard config used with `wg-quick up wg-business` environment.systemPackages = [
"wireguard/wg-business.conf" = { agenix.packages."${pkgs.system}".default
source = config.age.secrets."wg-business.conf".path; ];
};
"agenix/rclone.conf" = { # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
source = config.age.secrets."rclone.conf".path; age.identityPaths =
}; if cfg.impermanence.enable
then [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else [
"/etc/ssh/ssh_host_ed25519_key"
];
"agenix/ssh-key-romantic" = { assertions = [
source = config.age.secrets."ssh-key-romantic".path; {
mode = "0600"; # this expression should be true to pass the assertion
user = username; assertion = !(cfg.server.enable && cfg.desktop.enable);
}; message = "Enable either desktop or server's secrets, not both!";
}
];
}
"agenix/ryan4yin-gpg-subkeys.priv.age" = { (mkIf cfg.desktop.enable {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path; age.secrets = {
mode = "0000"; # ---------------------------------------------
}; # no one can read/write this file, even root.
# ---------------------------------------------
# The following secrets are used by home-manager modules # .age means the decrypted file is still encrypted by age(via a passphrase)
# So we need to make then readable by the user "ryan4yin-gpg-subkeys.priv.age" =
"agenix/alias-for-work.nushell" = { {
source = config.age.secrets."alias-for-work.nushell".path; file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
mode = "0644"; # both the original file and the symlink should be readable and executable by the user }
}; // noaccess;
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path; # ---------------------------------------------
mode = "0644"; # both the original file and the symlink should be readable and executable by the user # only root can read this file.
}; # ---------------------------------------------
};
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
};
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = username;
};
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
(mkIf cfg.server.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
]);
} }
+12 -2
View File
@@ -14,7 +14,11 @@ in {
nixos-modules = nixos-modules =
[ [
../hosts/idols_ai ../hosts/idols_ai
{modules.desktop.xorg.enable = true;} {
modules.desktop.xorg.enable = true;
modules.secrets.desktop.enable = true;
modules.secrets.impermanence.enable = true;
}
] ]
++ desktop_base_modules.nixos-modules; ++ desktop_base_modules.nixos-modules;
home-module.imports = home-module.imports =
@@ -29,7 +33,11 @@ in {
nixos-modules = nixos-modules =
[ [
../hosts/idols_ai ../hosts/idols_ai
{modules.desktop.wayland.enable = true;} {
modules.desktop.wayland.enable = true;
modules.secrets.desktop.enable = true;
modules.secrets.impermanence.enable = true;
}
] ]
++ desktop_base_modules.nixos-modules; ++ desktop_base_modules.nixos-modules;
home-module.imports = home-module.imports =
@@ -43,9 +51,11 @@ in {
# 星野 愛久愛海, Hoshino Akuamarin # 星野 愛久愛海, Hoshino Akuamarin
idol_aquamarine_modules = { idol_aquamarine_modules = {
nixos-modules = [ nixos-modules = [
../secrets/nixos.nix
../hosts/idols_aquamarine ../hosts/idols_aquamarine
../modules/nixos/server/server.nix ../modules/nixos/server/server.nix
../modules/nixos/server/proxmox-hardware-configuration.nix ../modules/nixos/server/proxmox-hardware-configuration.nix
{modules.secrets.server.enable = true;}
]; ];
# home-module.imports = []; # home-module.imports = [];
}; };
+2 -2
View File
@@ -1,5 +1,5 @@
{lib, ...}: rec { {lib, ...}: rec {
defaultGateway = "192.168.5.201"; defaultGateway = "192.168.5.101";
nameservers = [ nameservers = [
"119.29.29.29" # DNSPod "119.29.29.29" # DNSPod
"223.5.5.5" # AliDNS "223.5.5.5" # AliDNS
@@ -85,7 +85,7 @@
publicKey = value.publicKey; publicKey = value.publicKey;
}) })
{ {
aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0EzzjnuHBE9xEOZupLmaAj9xbYxkUDeLbMqFZ7YPjU"; aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJrHY3BZRTu0hrlsKxqS+O4GDp4cbumF8aNnbPCGKji root@aquamarine";
ruby.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrDXNQXELnbevZ1rImfXwmQHkRcd3TDNLsQo33c2tUf"; ruby.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrDXNQXELnbevZ1rImfXwmQHkRcd3TDNLsQo33c2tUf";
kana.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMVX05DQD1XJ0AqFZzsRsqgeUOlZ4opAI+8tkVXyjq+"; kana.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMVX05DQD1XJ0AqFZzsRsqgeUOlZ4opAI+8tkVXyjq+";
}; };