diff --git a/Justfile b/Justfile index 86532558..3b18cd6a 100644 --- a/Justfile +++ b/Justfile @@ -107,21 +107,22 @@ ruby: kana: colmena apply --on '@kana' -tailscale-gw: - colmena apply --on '@tailscale-gw' +tailscale_gw: + colmena apply --on '@tailscale_gw' pve-image: + nom build .#tailscale_gw + rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst + nom build .#aquamarine - rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst + rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst nom build .#ruby - rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst + rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst nom build .#kana rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst - nom build .#tailscale_gw - rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale-gw.vma.zst ############################################################################ # diff --git a/hosts/12kingdoms_shoukei/default.nix b/hosts/12kingdoms_shoukei/default.nix index c0d64fa2..9b7f1431 100644 --- a/hosts/12kingdoms_shoukei/default.nix +++ b/hosts/12kingdoms_shoukei/default.nix @@ -1,4 +1,8 @@ -{nixos-hardware, ...}: +{ + nixos-hardware, + vars_networking, + ... +}: ############################################################# # # Shoukei - NixOS running on Macbook Pro 2020 I5 16G @@ -7,7 +11,6 @@ ############################################################# let hostName = "shoukei"; # Define your hostname. - vars = import ../vars.nix; in { imports = [ nixos-hardware.nixosModules.apple-t2 
@@ -23,7 +26,7 @@ in { networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; # configures the network interface(include wireless) via `nmcli` & `nmtui` networkmanager.enable = true; diff --git a/hosts/12kingdoms_suzu/default.nix b/hosts/12kingdoms_suzu/default.nix index 6875cfbd..127534f3 100644 --- a/hosts/12kingdoms_suzu/default.nix +++ b/hosts/12kingdoms_suzu/default.nix @@ -1,4 +1,8 @@ -{nixos-rk3588, ...}: +{ + nixos-rk3588, + vars_networking, + ... +}: ############################################################# # # Suzu - Orange Pi 5, RK3588s @@ -6,8 +10,7 @@ ############################################################# let hostName = "suzu"; # Define your hostname. - vars = import ../vars.nix; - hostAddress = vars.networking.hostAddress.${hostName}; + hostAddress = vars_networking.hostAddress.${hostName}; in { imports = [ # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware @@ -16,7 +19,7 @@ in { networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; networkmanager.enable = false; interfaces.end1 = { diff --git a/hosts/README.md b/hosts/README.md index 847eb228..d4c6f7d4 100644 --- a/hosts/README.md +++ b/hosts/README.md 
@@ -5,9 +5,9 @@ 1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use. 2. `idols` 1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use. - 2. `aquamarine`: My NixOS virtual machine with R9-5900HX(8C16T), for distributed building & testing. - 3. `kana`: Yet another NixOS vm on another physical machine with R5-5625U(6C12T). - 4. `ruby`: Another NixOS vm on another physical machine with R7-5825U(8C16T). + 2. `aquamarine`: My NixOS virtual machine as a passby router(IPv4 only) to access the global internet. + 4. `ruby`: Another NixOS vm with R9-5900HX(8C16T), for distributed building & testing. + 3. `kana`: Yet another NixOS vm with R7-5225U(6C12T), for desktop testing. 3. `rolling_girls`: My RISCV64 hosts. 1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 8GB RAM + 32G eMMC + 64G SD Card. 2. `yukina`: Lichee Pi 4A(Internal Test Version), TH1520(4xC910@2.0G), 8GB RAM + 8G eMMC + 128G SD Card. @@ -16,7 +16,7 @@ 1. `shoukei`: NixOS on Macbook Pro 2022 Intel i5, 13.3-inch, 16G RAM + 512G SSD. 1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM + 256G SSD. 5. Homelab: - 1. `tailscale-gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox. + 1. `tailscale_gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox. # idols - Oshi no Ko diff --git a/hosts/homelab_tailscale_gw/default.nix b/hosts/homelab_tailscale_gw/default.nix index 7a85aa77..b7d1a36d 100644 --- a/hosts/homelab_tailscale_gw/default.nix +++ b/hosts/homelab_tailscale_gw/default.nix 
@@ -1,12 +1,12 @@ +{vars_networking, ...}: ############################################################# # # Tailscale Gateway(homelab subnet router) - a NixOS VM running on Proxmox # ############################################################# let - hostName = "tailscale-gw"; # Define your hostname. - vars = import ../vars.nix; - hostAddress = vars.networking.hostAddress.${hostName}; + hostName = "tailscale_gw"; # Define your hostname. + hostAddress = vars_networking.hostAddress.${hostName}; in { imports = [ ./tailscale.nix @@ -24,7 +24,7 @@ in { networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; networkmanager.enable = false; interfaces.ens18 = { diff --git a/hosts/idols_ai/default.nix b/hosts/idols_ai/default.nix index dbfd45d8..2066262b 100644 --- a/hosts/idols_ai/default.nix +++ b/hosts/idols_ai/default.nix @@ -1,3 +1,4 @@ +{vars_networking, ...}: ############################################################# # # Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use. @@ -5,8 +6,7 @@ ############################################################# let hostName = "ai"; # Define your hostname. - vars = import ../vars.nix; - hostAddress = vars.networking.hostAddress.${hostName}; + hostAddress = vars_networking.hostAddress.${hostName}; in { imports = [ ./cifs-mount.nix @@ -19,7 +19,7 @@ in { networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; wireless.enable = false; # Enables wireless support via wpa_supplicant. # configures the network interface(include wireless) via `nmcli` & `nmtui` diff --git a/hosts/idols_aquamarine/README.md b/hosts/idols_aquamarine/README.md new file mode 100644 index 00000000..81d7377f --- /dev/null +++ b/hosts/idols_aquamarine/README.md 
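Review bot: `hostName = "tailscale_gw"` in hosts/homelab_tailscale_gw/default.nix puts an underscore into the machine's actual hostname, not just into the flake attribute and colmena tag; NixOS accepts it for `networking.hostName`, but underscores are not valid DNS host labels (RFC 952/1123), so the name is liable to be rejected or rewritten wherever it is registered via DHCP or a resolver, and Tailscale presumably sanitises it for MagicDNS as well. If the rename only exists to make the attribute, tag and `hostAddress` key agree, consider keeping `hostName = "tailscale-gw";` and looking the address up explicitly, `hostAddress = vars_networking.hostAddress.tailscale_gw;`, with a comment on why the two spellings differ. The `let` block continues outside the hunk.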
@@ -0,0 +1,10 @@
+# Idols - Aquamarine
+
+TODO: use aqua as a passby router(IPv4 only) to access the global internet.
+
+## References
+
+-
+-
+
+
diff --git a/hosts/idols_aquamarine/bypass-router.dae b/hosts/idols_aquamarine/bypass-router.dae
new file mode 100644
index 00000000..8bc61e0a
--- /dev/null
+++ b/hosts/idols_aquamarine/bypass-router.dae
@@ -0,0 +1,233 @@ +global { + ##### Software options. + + # tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program. + # In normal case, you do not need to use it. + tproxy_port: 12345 + + # Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed + # iptables tproxy rules. + tproxy_port_protect: true + + # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy + # rules. + so_mark_from_dae: 0 + + # Log level: error, warn, info, debug, trace. + log_level: info + + # Disable waiting for network before pulling subscriptions. + disable_waiting_network: false + + + ##### Interface and kernel options. + + # The LAN interface to bind. Use it if you want to proxy LAN. + # Multiple interfaces split by ",". + lan_interface: ens18 + + # The WAN interface to bind. Use it if you want to proxy localhost. + # Multiple interfaces split by ",". Use "auto" to auto detect. + wan_interface: auto + + # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out + # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do. + auto_config_kernel_parameter: true + + # Automatically configure firewall rules like firewalld and fw4. + # firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept' + # fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept' + auto_config_firewall_rule: true + + ##### Node connectivity check. + + # Host of URL should have both IPv4 and IPv6 if you have double stack in local. + # First is URL, others are IP addresses if given. + # Considering traffic consumption, it is recommended to choose a site with anycast IP and less response. + #tcp_check_url: 'http://cp.cloudflare.com' + tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111' + + # The HTTP request method to `tcp_check_url`. 
Use 'HEAD' by default because some server implementations bypass + # accounting for this kind of traffic. + tcp_check_http_method: HEAD + + # This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check + # TCP DNS connectivity of nodes. + # First is URL, others are IP addresses if given. + # This DNS should have both IPv4 and IPv6 if you have double stack in local. + #udp_check_dns: 'dns.google.com:53' + udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888' + + check_interval: 30s + + # Group will switch node only when new_latency <= old_latency - tolerance. + check_tolerance: 50ms + + + ##### Connecting options. + + # Optional values of dial_mode are: + # 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path + # respectively, and makes the IP version requested by the application meet expectations. For example, if you + # use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6. + # This may solve some wierd full-cone problem if your are be your node support that. Sniffing will be disabled + # in this mode. + # 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent + # if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will + # re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing. + # That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it. + # 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose + # DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not + # go through dae, dae cannot split traffic by domain. + # 4. "domain++". 
Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover + # domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources. + dial_mode: domain + + # Allow insecure TLS certificates. It is not recommended to turn it on unless you have to. + allow_insecure: false + + # Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful + # in high latency LAN network. + sniffing_timeout: 100ms + + # TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello. + tls_implementation: tls + + # The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls. + # See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17 + utls_imitate: chrome_auto +} + +# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool. +# Support to give the subscription a tag, and filter nodes from a given subscription in the group section. +subscription { + # Add your subscription links here. + 'file://mysubscription-1.sub' # the path is related to /etc/dae/ + 'file://mysubscription-2.sub' +} + +# Nodes defined here will be merged as a part of the global node pool. +node { + # Add your node links here. + # Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc. + # Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md + # mylink: 'ss://LINK' + # node1: 'vmess://LINK' + # node2: 'vless://LINK' + # chains: 'tuic://LINK -> vmess://LINK' +} + +# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples. +dns { + # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only + # respond to type A queries and response empty answer to type AAAA queries. 
+ #ipversion_prefer: 4 + + # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results + # for these domains. + #fixed_domain_ttl { + # ddns.example.org: 10 + # test.example.org: 3600 + #} + + upstream { + # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp. + # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose + # IPv4 or IPv6 to use according to group policy (such as min latency policy). + # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing. + # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended. + + alidns: 'udp://dns.alidns.com:53' + googledns: 'tcp+udp://dns.google.com:53' + } + routing { + # According to the request of dns query, decide to use which DNS upstream. + # Match rules from top to bottom. + request { + # Lookup China mainland domains using alidns, otherwise googledns. + qname(geosite:cn) -> alidns + # fallback is also called default. + fallback: googledns + } + } +# routing { +# # According to the request of dns query, decide to use which DNS upstream. +# # Match rules from top to bottom. +# request { +# # fallback is also called default. +# fallback: alidns +# } +# # According to the response of dns query, decide to accept or re-lookup using another DNS upstream. +# # Match rules from top to bottom. +# response { +# # Trusted upstream. Always accept its result. +# upstream(googledns) -> accept +# # Possibly polluted, re-lookup using googledns. +# ip(geoip:private) && !qname(geosite:cn) -> googledns +# # fallback is also called default. +# fallback: accept +# } +# } +} + +# Node group (outbound). +group { + my_group { + # No filter. Use all nodes. + + # Randomly select a node from the group for every connection. + #policy: random + + # Select the first node from the group for every connection. 
+ #policy: fixed(0) + + # Select the node with min last latency from the group for every connection. + #policy: min + + # Select the node with min moving average of latencies from the group for every connection. + policy: min_moving_avg + } + + group2 { + # Filter nodes from the global node pool defined by the subscription and node section above. + #filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:') + + # Filter nodes from the global node pool defined by tag. + #filter: name(node1, node2) + + # Filter nodes and give a fixed latency offset to archive latency-based failover. + # In this example, there is bigger possibility to choose US node even if original latency of US node is higher. + filter: name(HK_node) + filter: name(US_node) [add_latency: -500ms] + + # Select the node with min average of the last 10 latencies from the group for every connection. + policy: min_avg10 + } +} + +# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples. +routing { + ### Preset rules. + + # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to + # WAN. + pname(NetworkManager) -> direct + + # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being + # forwarded by the proxy. + # "dip" means destination IP. + dip(224.0.0.0/3, 'ff00::/8') -> direct + + # This line allows you to access private addresses directly instead of via your proxy. If you really want to access + # private addresses in your proxy host network, modify the below line. + dip(geoip:private) -> direct + + ### Write your rules below. + + # Disable h3 because it usually consumes too much cpu/mem resources. + l4proto(udp) && dport(443) -> block + dip(geoip:cn) -> direct + domain(geosite:cn) -> direct + + fallback: my_group +} 
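Review bot: `group2` filters on `name(HK_node)` and `name(US_node)`, but the `node {}` section above defines no nodes and both `subscription` entries point at placeholder `file://mysubscription-*.sub` paths, so unless those files (resolved under /etc/dae/) supply nodes with exactly these names the group is empty and dae will either reject the config or leave it unusable; define the nodes or drop `group2` until the subscriptions exist. Separately, `lan_interface: ens18` names the physical NIC, while router.nix in this same commit enslaves ens18 to the `br-lan` bridge and filters on `br-lan`, so the LAN-side eBPF hook presumably needs `lan_interface: br-lan` to see bridged client traffic — worth confirming against the dae docs before relying on `tproxy_port_protect: true` for the tproxy port. `allow_insecure: false` and the explicit `dip(geoip:private) -> direct` rule are the right defaults to keep.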
diff --git a/hosts/idols_aquamarine/dae.nix b/hosts/idols_aquamarine/dae.nix new file mode 100644 index 00000000..f2d4e553 --- /dev/null +++ b/hosts/idols_aquamarine/dae.nix @@ -0,0 +1,11 @@ +# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/dae.nix +{ + services.dae = { + enable = true; + openFirewall = { + enable = true; + port = 12345; + }; + configFile = ./bypass-router.dae; + }; +} diff --git a/hosts/idols_aquamarine/default.nix b/hosts/idols_aquamarine/default.nix index 4532133f..9c6881a4 100644 --- a/hosts/idols_aquamarine/default.nix +++ b/hosts/idols_aquamarine/default.nix @@ -1,3 +1,4 @@ +{vars_networking, ...}: ############################################################# # # Aquamarine - A NixOS VM running on Proxmox @@ -5,9 +6,12 @@ ############################################################# let hostName = "aquamarine"; # Define your hostname. - vars = import ../vars.nix; - hostAddress = vars.networking.hostAddress.${hostName}; + hostAddress = vars_networking.hostAddress.${hostName}; in { + imports = [ + ./router.nix + ]; + # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; # supported file systems, so we can mount any removable disks with these filesystems @@ -28,7 +32,7 @@ in { networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; networkmanager.enable = false; interfaces.ens18 = { diff --git a/hosts/idols_aquamarine/home.nix b/hosts/idols_aquamarine/home.nix deleted file mode 100644 index 2c63c085..00000000 --- a/hosts/idols_aquamarine/home.nix +++ /dev/null @@ -1,2 +0,0 @@ -{ -} diff --git a/hosts/idols_aquamarine/router.nix b/hosts/idols_aquamarine/router.nix new file mode 100644 index 00000000..8d1cb59e --- /dev/null +++ b/hosts/idols_aquamarine/router.nix 
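Review bot: `openFirewall = { enable = true; port = 12345; }` adds the tproxy port to `networking.firewall`, but router.nix, which idols_aquamarine/default.nix imports in this same commit, sets `networking.firewall.enable = false` and replaces it with a hand-written nftables ruleset, so this option is a no-op here and the port's reachability is decided by that ruleset's `chain input` (currently everything arriving on br-lan). Since 12345 is dae's internal eBPF tproxy port and not a user-facing proxy endpoint, and dae's own `tproxy_port_protect: true` already guards it, it is safer not to advertise it at all: `openFirewall.enable = false; # tproxy port is internal to the eBPF redirect`, or keep the option in sync with whichever firewall is actually active.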
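Review bot: The new `imports = [ ./router.nix ];` brings in `useNetworkd = true` and a `30-lan0` network unit that enslaves ens18 to `br-lan` (`Bridge = "br-lan"`), while this file still keeps `networking.interfaces.ens18 = { ... }` with the host's static address (the block continues outside the hunk). NixOS generates its own `.network` unit for ens18 from that option, and with two units matching the same interface only the first in sort order applies, so the static 192.168.5.101 is presumably never assigned and no unit assigns any address to `br-lan` — the VM is likely unreachable after `colmena apply`. Either move the address onto the bridge, e.g. a `systemd.network.networks."40-br-lan"` unit with `Address = "${hostAddress.address}/${toString hostAddress.prefixLength}"` and the gateway from `vars_networking.defaultGateway`, or defer the router import until that is in place.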
@@ -0,0 +1,119 @@
+_: {
+ # https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md
+ boot = {
+ kernel = {
+ sysctl = {
+ # forward network packets that are not destined for the interface on which they were received
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv4.conf.br-lan.rp_filter" = 1;
+ "net.ipv4.conf.wan.rp_filter" = 1;
+ };
+ };
+ };
+
+ networking = {
+ wireless.enable = false; # Enables wireless support via wpa_supplicant.
+ useNetworkd = true;
+ useDHCP = false;
+
+ # No local firewall.
+ nat.enable = false;
+ firewall.enable = false;
+
+ nftables = {
+ enable = true;
+ checkRuleset = false;
+ # Since this is a internal bypass router, we don't need to do NAT, 7.
+ ruleset = ''
+ table inet filter {
+ flowtable f {
+ hook ingress priority 0;
+ devices = { "ens18" };
+ flags offload;
+ }
+
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ iifname { "br-lan" } accept comment "Allow local network to access the router"
+ iifname "lo" accept comment "Accept everything from loopback interface"
+ }
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ ip protocol { tcp, udp } ct state { established } flow offload @f comment "Offload tcp/udp established traffic"
+
+ iifname { "br-lan" } oifname { "br-lan" } accept comment "Allow LAN to LAN"
+ }
+ }
+ '';
+ };
+ };
+
+ # https://wiki.archlinux.org/title/systemd-networkd
+ systemd.network = {
+ wait-online.anyInterface = true;
+ netdevs = {
+ # Create the bridge interface
+ # it works as a switch, so that all the lan ports can communicate with each other at layer 2
+ "20-br-lan" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "br-lan";
+ };
+ };
+ };
+ networks = {
+ # Connect the bridge ports to the bridge
+ "30-lan0" = {
+ matchConfig.Name = "ens18";
+ networkConfig = {
+ Bridge = "br-lan";
+ ConfigureWithoutCarrier = true;
+ };
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ };
+ };
+ 
services.resolved.enable = false; + + services.dnsmasq = { + enable = true; + settings = { + # upstream DNS servers + server = [ + "119.29.29.29" # DNSPod + "223.5.5.5" # AliDNS + # "8.8.8.8" + # "1.1.1.1" + ]; + # sensible behaviours + domain-needed = true; + bogus-priv = true; + no-resolv = true; + + # Cache dns queries. + cache-size = 1000; + + dhcp-range = ["br-lan,192.168.5.50,192.168.5.100,24h"]; + interface = "br-lan"; + dhcp-host = "192.168.5.101"; + + # local domains + local = "/lan/"; + domain = "lan"; + expand-hosts = true; + + # don't use /etc/hosts as this would advertise surfer as localhost + no-hosts = true; + address = [ + # "/surfer.lan/192.168.10.1" + ]; + }; + }; + + # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of + # letting the first CPU core to handle everything. + # This is supposed to increase performance by hitting CPU cache more often. + services.irqbalance.enable = false; +} diff --git a/hosts/idols_kana/default.nix b/hosts/idols_kana/default.nix index d9625c52..a9dbce4a 100644 --- a/hosts/idols_kana/default.nix +++ b/hosts/idols_kana/default.nix @@ -1,3 +1,4 @@ +{vars_networking, ...}: ############################################################# # # Kana - a NixOS VM running on Proxmox @@ -5,8 +6,7 @@ ############################################################# let hostName = "kana"; # Define your hostname. - vars = import ../vars.nix; - hostAddress = vars.networking.hostAddress.${hostName}; + hostAddress = vars_networking.hostAddress.${hostName}; in { # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; @@ -28,7 +28,7 @@ in { networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; networkmanager.enable = false; interfaces.ens18 = { 
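Review bot: `services.dnsmasq` starts a DHCP server on `br-lan` with `dhcp-range = ["br-lan,192.168.5.50,192.168.5.100,24h"]`, yet br-lan bridges ens18, the VM's NIC on the existing 192.168.5.0/24 LAN that already has its gateway at 192.168.5.201 and static hosts at .100–.107 (vars_networking.nix in this commit); this makes aquamarine a second, competing DHCP server on the home LAN, and the range's upper bound .100 is `ai`'s static address. Until the router has a LAN segment of its own, remove `dhcp-range` and `dhcp-host` (the latter, `dhcp-host = "192.168.5.101";`, is a bare IP and pins no MAC or hostname to that address anyway) so dnsmasq only serves DNS. Second, `checkRuleset = false` together with `firewall.enable = false` means a mistake in the nftables `ruleset` is not caught at build time and, should `nftables.service` fail at boot, the host runs with no input filtering at all; prefer `checkRuleset = true;` and, if the `flags offload` flowtable is what the check rejects, note that in a comment rather than disabling the check globally. `"net.ipv4.conf.wan.rp_filter" = 1;` also names an interface that does not exist in this config and can be dropped.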
diff --git a/hosts/idols_kana/home.nix b/hosts/idols_kana/home.nix deleted file mode 100644 index 2c63c085..00000000 --- a/hosts/idols_kana/home.nix +++ /dev/null @@ -1,2 +0,0 @@ -{ -} diff --git a/hosts/idols_ruby/default.nix b/hosts/idols_ruby/default.nix index 2df32584..1e9ee92b 100644 --- a/hosts/idols_ruby/default.nix +++ b/hosts/idols_ruby/default.nix @@ -1,3 +1,4 @@ +{vars_networking, ...}: ############################################################# # # Ruby - a NixOS VM running on Proxmox @@ -5,8 +6,7 @@ ############################################################# let hostName = "ruby"; # Define your hostname. - vars = import ../vars.nix; - hostAddress = vars.networking.hostAddress.${hostName}; + hostAddress = vars_networking.hostAddress.${hostName}; in { # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; @@ -28,7 +28,7 @@ in { networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; networkmanager.enable = false; interfaces.ens18 = { diff --git a/hosts/idols_ruby/home.nix b/hosts/idols_ruby/home.nix deleted file mode 100644 index 2c63c085..00000000 --- a/hosts/idols_ruby/home.nix +++ /dev/null @@ -1,2 +0,0 @@ -{ -} diff --git a/hosts/rolling_girls_chiaya/default.nix b/hosts/rolling_girls_chiaya/default.nix index fa932c99..494beea3 100644 --- a/hosts/rolling_girls_chiaya/default.nix +++ b/hosts/rolling_girls_chiaya/default.nix @@ -1,5 +1,6 @@ { # nixos-jh7110, + vars_networking, ... }: ############################################################# @@ -11,8 +12,7 @@ ############################################################# let hostName = "chiaya"; # Define your hostname. - vars = import ../vars.nix; - hostAddress = vars.networking.hostAddress.${hostName}; + hostAddress = vars_networking.hostAddress.${hostName}; in { imports = [ ]; 
@@ -20,7 +20,7 @@ in { # Set static IP address / gateway / DNS servers. networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; # Failed to enable firewall due to the following error: # firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported diff --git a/hosts/rolling_girls_nozomi/default.nix b/hosts/rolling_girls_nozomi/default.nix index 7b2e22f9..785fe0ae 100644 --- a/hosts/rolling_girls_nozomi/default.nix +++ b/hosts/rolling_girls_nozomi/default.nix @@ -1,4 +1,8 @@ -{nixos-licheepi4a, ...}: +{ + nixos-licheepi4a, + vars_networking, + ... +}: ############################################################# # # Nozomi - NixOS configuration for Lichee Pi 4A @@ -6,8 +10,7 @@ ############################################################# let hostName = "nozomi"; # Define your hostname. - vars = import ../vars.nix; - hostAddress = vars.networking.hostAddress.${hostName}; + hostAddress = vars_networking.hostAddress.${hostName}; in { imports = [ # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware @@ -19,7 +22,7 @@ in { # Set static IP address / gateway / DNS servers. networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; wireless = { # https://wiki.archlinux.org/title/wpa_supplicant diff --git a/hosts/rolling_girls_yukina/default.nix b/hosts/rolling_girls_yukina/default.nix index 9687db07..faf228e9 100644 --- a/hosts/rolling_girls_yukina/default.nix +++ b/hosts/rolling_girls_yukina/default.nix @@ -1,4 +1,8 @@ -{nixos-licheepi4a, ...}: +{ + nixos-licheepi4a, + vars_networking, + ... +}: ############################################################# # # Yukina - NixOS configuration for Lichee Pi 4A 
@@ -6,8 +10,7 @@ ############################################################# let hostName = "yukina"; # Define your hostname. - vars = import ../vars.nix; - hostAddress = vars.networking.hostAddress.${hostName}; + hostAddress = vars_networking.hostAddress.${hostName}; in { imports = [ # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware @@ -19,7 +22,7 @@ in { # Set static IP address / gateway / DNS servers. networking = { inherit hostName; - inherit (vars.networking) defaultGateway nameservers; + inherit (vars_networking) defaultGateway nameservers; wireless = { # https://wiki.archlinux.org/title/wpa_supplicant diff --git a/hosts/vars.nix b/hosts/vars.nix deleted file mode 100644 index ddcae494..00000000 --- a/hosts/vars.nix +++ /dev/null @@ -1,49 +0,0 @@ -{ - networking = rec { - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; - prefixLength = 24; - - hostAddress = { - "ai" = { - inherit prefixLength; - address = "192.168.5.100"; - }; - "aquamarine" = { - inherit prefixLength; - address = "192.168.5.101"; - }; - "ruby" = { - inherit prefixLength; - address = "192.168.5.102"; - }; - "kana" = { - inherit prefixLength; - address = "192.168.5.103"; - }; - "nozomi" = { - inherit prefixLength; - address = "192.168.5.104"; - }; - "yukina" = { - inherit prefixLength; - address = "192.168.5.105"; - }; - "chiaya" = { - inherit prefixLength; - address = "192.168.5.106"; - }; - "suzu" = { - inherit prefixLength; - address = "192.168.5.107"; - }; - "tailscale-gw" = { - inherit prefixLength; - address = "192.168.5.192"; - }; - }; - }; -} diff --git a/lib/attrs.nix b/lib/attrs.nix index d87d8a86..d3f17664 100644 --- a/lib/attrs.nix +++ b/lib/attrs.nix 
@@ -11,7 +11,7 @@ # mapAttrs # (name: value: ("bar-" + value)) # { x = "a"; y = "b"; } - # => { foo = "bar-a"; foo = "bar-b"; } + # => { x = "bar-a"; y = "bar-b"; } inherit (lib.attrsets) mapAttrs; # Update both the names and values of the given attribute set. diff --git a/modules/base.nix b/modules/base.nix index ae239ab1..c7596ba0 100644 --- a/modules/base.nix +++ b/modules/base.nix @@ -1,4 +1,5 @@ { + vars_networking, username, userfullname, nuenv, @@ -31,6 +32,11 @@ ]; }; + programs.ssh = { + extraConfig = vars_networking.ssh.extraConfig; + knownHosts = vars_networking.ssh.knownHosts; + }; + nix.settings = { # enable flakes globally experimental-features = ["nix-command" "flakes"]; diff --git a/modules/nixos/base/remote-building.nix b/modules/nixos/base/remote-building.nix index 44dc8fe5..f8291b75 100644 --- a/modules/nixos/base/remote-building.nix +++ b/modules/nixos/base/remote-building.nix @@ -16,7 +16,7 @@ nix.buildMachines = let sshUser = username; # ssh key's path on local machine - sshKey = "/home/${username}/.ssh/ai-idols"; + sshKey = "/etc/agenix/ssh-key-romantic"; systems = [ # native arch "x86_64-linux" 
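Review bot: `programs.ssh.extraConfig = vars_networking.ssh.extraConfig;` in modules/base.nix now gives every host a `Host <name>` alias for all nine entries of `hostAddress`, but `vars_networking.ssh.knownHosts` pins keys for only aquamarine, ruby and kana, so connections to ai, nozomi, yukina, chiaya, suzu and tailscale_gw through these aliases still depend on first-use key acceptance — including for `nix.buildMachines` if any of them is ever listed there. Either add the remaining hosts' public keys to `knownHosts`, or document the gap beside this block, e.g. `# only the dist-build VMs have pinned host keys; the other aliases are trust-on-first-use`. The enclosing attribute set starts outside the hunk.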
@@ -68,64 +68,4 @@ nix.extraOptions = '' builders-use-substitutes = true ''; - - # define the host alias for remote builders - # this config will be written to /etc/ssh/ssh_config - programs.ssh.extraConfig = '' - # idols - Host ai - HostName 192.168.5.100 - Port 22 - - Host aquamarine - HostName 192.168.5.101 - Port 22 - - Host ruby - HostName 192.168.5.102 - Port 22 - - Host kana - HostName 192.168.5.103 - Port 22 - - # rolling girls - Host nozomi - HostName 192.168.5.104 - Port 22 - - Host yukina - HostName 192.168.5.105 - Port 22 - - Host chiaya - HostName 192.168.5.106 - Port 22 - - Host suzu - HostName 192.168.5.107 - Port 22 - ''; - - # define the host key for remote builders so that nix can verify all the remote builders - # this config will be written to /etc/ssh/ssh_known_hosts - programs.ssh.knownHosts = { - # 星野 愛久愛海, Hoshino Aquamarine - aquamarine = { - hostNames = ["aquamarine" "192.168.5.101"]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0EzzjnuHBE9xEOZupLmaAj9xbYxkUDeLbMqFZ7YPjU"; - }; - - # 星野 瑠美衣, Hoshino Rubii - ruby = { - hostNames = ["ruby" "192.168.5.102"]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrDXNQXELnbevZ1rImfXwmQHkRcd3TDNLsQo33c2tUf"; - }; - - # 有馬 かな, Arima Kana - kana = { - hostNames = ["kana" "192.168.5.103"]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMVX05DQD1XJ0AqFZzsRsqgeUOlZ4opAI+8tkVXyjq+"; - }; - }; } diff --git a/systems/default.nix b/systems/default.nix index e4e07176..b84fb2db 100644 --- a/systems/default.nix +++ b/systems/default.nix 
@@ -6,11 +6,12 @@ inherit (inputs.nixpkgs) lib; mylib = import ../lib {inherit lib;}; vars = import ./vars.nix; + vars_networking = import ./vars_networking.nix {inherit lib;}; specialArgsForSystem = system: { inherit (constants) username userfullname useremail; - inherit mylib; + inherit mylib vars_networking; # use unstable branch for some packages to get the latest updates pkgs-unstable = import inputs.nixpkgs-unstable { inherit system; # refer the `system` parameter form outer scope recursively diff --git a/systems/vars.nix b/systems/vars.nix index eb57c748..c9c17514 100644 --- a/systems/vars.nix +++ b/systems/vars.nix @@ -47,12 +47,9 @@ in { ../modules/nixos/server/server.nix ../modules/nixos/server/proxmox-hardware-configuration.nix ]; - home-module.imports = [ - ../hosts/idols_aquamarine/home.nix - ../home/linux/server.nix - ]; + # home-module.imports = []; }; - idol_aquamarine_tags = ["dist-build" "aqua"]; + idol_aquamarine_tags = ["aqua" "router"]; # 星野 瑠美衣, Hoshino Rubii idol_ruby_modules = { @@ -61,10 +58,7 @@ in { ../modules/nixos/server/server.nix ../modules/nixos/server/proxmox-hardware-configuration.nix ]; - home-module.imports = [ - ../hosts/idols_ruby/home.nix - ../home/linux/server.nix - ]; + # home-module.imports = []; }; idol_ruby_tags = ["dist-build" "ruby"]; @@ -75,10 +69,7 @@ in { ../modules/nixos/server/server.nix ../modules/nixos/server/proxmox-hardware-configuration.nix ]; - home-module.imports = [ - ../hosts/idols_kana/home.nix - ../home/linux/server.nix - ]; + # home-module.imports = []; }; idol_kana_tags = ["dist-build" "kana"]; @@ -90,7 +81,7 @@ in { ]; # home-module.imports = []; }; - homelab_tailscale_gw_tags = ["tailscale-gw"]; + homelab_tailscale_gw_tags = ["tailscale_gw"]; # 森友 望未, Moritomo Nozomi rolling_nozomi_modules = { diff --git a/systems/vars_networking.nix b/systems/vars_networking.nix new file mode 100644 index 00000000..afecaac4 --- /dev/null +++ b/systems/vars_networking.nix 
@@ -0,0 +1,93 @@ +{lib, ...}: rec { + defaultGateway = "192.168.5.201"; + nameservers = [ + "119.29.29.29" # DNSPod + "223.5.5.5" # AliDNS + ]; + prefixLength = 24; + + hostAddress = { + "ai" = { + inherit prefixLength; + address = "192.168.5.100"; + }; + "aquamarine" = { + inherit prefixLength; + address = "192.168.5.101"; + }; + "ruby" = { + inherit prefixLength; + address = "192.168.5.102"; + }; + "kana" = { + inherit prefixLength; + address = "192.168.5.103"; + }; + "nozomi" = { + inherit prefixLength; + address = "192.168.5.104"; + }; + "yukina" = { + inherit prefixLength; + address = "192.168.5.105"; + }; + "chiaya" = { + inherit prefixLength; + address = "192.168.5.106"; + }; + "suzu" = { + inherit prefixLength; + address = "192.168.5.107"; + }; + "tailscale_gw" = { + inherit prefixLength; + address = "192.168.5.192"; + }; + }; + + ssh = { + # define the host alias for remote builders + # this config will be written to /etc/ssh/ssh_config + # '' + # Host ruby + # HostName 192.168.5.102 + # Port 22 + # + # Host kana + # HostName 192.168.5.103 + # Port 22 + # ... + # ''; + extraConfig = + lib.attrsets.foldlAttrs + (acc: host: value: + acc + + '' + Host ${host} + HostName ${value.address} + Port 22 + '') + "" + hostAddress; + + # define the host key for remote builders so that nix can verify all the remote builders + # this config will be written to /etc/ssh/ssh_known_hosts + knownHosts = + # Update only the values of the given attribute set. 
+ # + # mapAttrs + # (name: value: ("bar-" + value)) + # { x = "a"; y = "b"; } + # => { x = "bar-a"; y = "bar-b"; } + lib.attrsets.mapAttrs + (host: value: { + hostNames = [host hostAddress.${host}.address]; + publicKey = value.publicKey; + }) + { + aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0EzzjnuHBE9xEOZupLmaAj9xbYxkUDeLbMqFZ7YPjU"; + ruby.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrDXNQXELnbevZ1rImfXwmQHkRcd3TDNLsQo33c2tUf"; + kana.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMVX05DQD1XJ0AqFZzsRsqgeUOlZ4opAI+8tkVXyjq+"; + }; + }; +}
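Review bot: The six comment lines between `knownHosts =` and `lib.attrsets.mapAttrs` are the generic `mapAttrs` example copied from lib/attrs.nix (`{ x = "a"; y = "b"; } => { x = "bar-a"; y = "bar-b"; }`) and describe nothing about this expression; replace them with a comment on what is actually built, e.g. `# <host> -> { hostNames = [ alias ip ]; publicKey }, ip looked up in hostAddress above`. `publicKey = value.publicKey;` is more idiomatically `inherit (value) publicKey;`. Because the lookup `hostAddress.${host}.address` is unguarded, adding a key for a host that has no `hostAddress` entry fails evaluation with an attribute-missing error far from the cause; a `lib.throwIfNot (hostAddress ? ${host}) "no hostAddress for ${host}"` guard, or a comment stating that invariant, would make the coupling explicit.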