Merge pull request #53 from ryan4yin/router

feat: nixos as a passby router
2026-04-24 17:58:30 +02:00 · 2024-01-29 01:25:01 +08:00
parent a2814f326c 22066db41b
commit b0f259253b
26 changed files with 542 additions and 176 deletions
--- a/13
+++ b/13
@@ -107,21 +107,22 @@ ruby:
 kana:
  colmena apply --on '@kana'
-tailscale-gw:
+tailscale_gw:
-  colmena apply --on '@tailscale-gw'
+  colmena apply --on '@tailscale_gw'
 pve-image:
  nom build .#tailscale_gw
  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
  nom build .#aquamarine
-  rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
+  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
  nom build .#ruby
-  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
+  rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
  nom build .#kana
  rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
  nom build .#tailscale_gw
  rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale-gw.vma.zst
 ############################################################################
 #
--- a/hosts/12kingdoms_shoukei/default.nix
+++ b/hosts/12kingdoms_shoukei/default.nix
@@ -1,4 +1,8 @@
-{nixos-hardware, ...}:
+{
  nixos-hardware,
  vars_networking,
  ...
 }:
 #############################################################
 #
 #  Shoukei - NixOS running on Macbook Pro 2020 I5 16G
@@ -7,7 +11,6 @@
 #############################################################
 let
  hostName = "shoukei"; # Define your hostname.
  vars = import ../vars.nix;
 in {
  imports = [
    nixos-hardware.nixosModules.apple-t2
@@ -23,7 +26,7 @@ in {
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    # configures the network interface(include wireless) via `nmcli` & `nmtui`
    networkmanager.enable = true;
--- a/hosts/12kingdoms_suzu/default.nix
+++ b/hosts/12kingdoms_suzu/default.nix
@@ -1,4 +1,8 @@
-{nixos-rk3588, ...}:
+{
  nixos-rk3588,
  vars_networking,
  ...
 }:
 #############################################################
 #
 #  Suzu - Orange Pi 5, RK3588s
@@ -6,8 +10,7 @@
 #############################################################
 let
  hostName = "suzu"; # Define your hostname.
-  vars = import ../vars.nix;
+  hostAddress = vars_networking.hostAddress.${hostName};
  hostAddress = vars.networking.hostAddress.${hostName};
 in {
  imports = [
    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
@@ -16,7 +19,7 @@ in {
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    networkmanager.enable = false;
    interfaces.end1 = {
--- a/hosts/README.md
+++ b/hosts/README.md
@@ -5,9 +5,9 @@
   1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use.
 2. `idols`
   1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
-   2. `aquamarine`: My NixOS virtual machine with R9-5900HX(8C16T), for distributed building & testing.
+   2. `aquamarine`: My NixOS virtual machine as a passby router(IPv4 only) to access the global internet.
-   3. `kana`: Yet another NixOS vm on another physical machine with R5-5625U(6C12T).
+   4. `ruby`: Another NixOS vm with R9-5900HX(8C16T), for distributed building & testing.
-   4. `ruby`: Another NixOS vm on another physical machine with R7-5825U(8C16T).
+   3. `kana`: Yet another NixOS vm with R7-5225U(6C12T), for desktop testing.
 3. `rolling_girls`: My RISCV64 hosts.
   1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 8GB RAM + 32G eMMC + 64G SD Card.
   2. `yukina`: Lichee Pi 4A(Internal Test Version), TH1520(4xC910@2.0G), 8GB RAM + 8G eMMC + 128G SD Card.
@@ -16,7 +16,7 @@
   1. `shoukei`: NixOS on Macbook Pro 2022 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
   1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM + 256G SSD.
 5. Homelab:
-   1. `tailscale-gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox.
+   1. `tailscale_gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox.
 # idols - Oshi no Ko
--- a/hosts/homelab_tailscale_gw/default.nix
+++ b/hosts/homelab_tailscale_gw/default.nix
@@ -1,12 +1,12 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Tailscale Gateway(homelab subnet router) - a NixOS VM running on Proxmox
 #
 #############################################################
 let
-  hostName = "tailscale-gw"; # Define your hostname.
+  hostName = "tailscale_gw"; # Define your hostname.
-  vars = import ../vars.nix;
+  hostAddress = vars_networking.hostAddress.${hostName};
  hostAddress = vars.networking.hostAddress.${hostName};
 in {
  imports = [
    ./tailscale.nix
@@ -24,7 +24,7 @@ in {
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    networkmanager.enable = false;
    interfaces.ens18 = {
--- a/hosts/idols_ai/default.nix
+++ b/hosts/idols_ai/default.nix
@@ -1,3 +1,4 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
@@ -5,8 +6,7 @@
 #############################################################
 let
  hostName = "ai"; # Define your hostname.
-  vars = import ../vars.nix;
+  hostAddress = vars_networking.hostAddress.${hostName};
  hostAddress = vars.networking.hostAddress.${hostName};
 in {
  imports = [
    ./cifs-mount.nix
@@ -19,7 +19,7 @@ in {
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    wireless.enable = false; # Enables wireless support via wpa_supplicant.
    # configures the network interface(include wireless) via `nmcli` & `nmtui`
--- a/hosts/idols_aquamarine/README.md
+++ b/hosts/idols_aquamarine/README.md
@@ -0,0 +1,10 @@
 # Idols - Aquamarine
 TODO: use aqua as a passby router(IPv4 only) to access the global internet.
 ## References
 - <https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md>
 - <https://github.com/ghostbuster91/nixos-router>
--- a/hosts/idols_aquamarine/bypass-router.dae
+++ b/hosts/idols_aquamarine/bypass-router.dae
@@ -0,0 +1,233 @@
 global {
    ##### Software options.
    # tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
    # In normal case, you do not need to use it.
    tproxy_port: 12345
    # Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed
    # iptables tproxy rules.
    tproxy_port_protect: true
    # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
    # rules.
    so_mark_from_dae: 0
    # Log level: error, warn, info, debug, trace.
    log_level: info
    # Disable waiting for network before pulling subscriptions.
    disable_waiting_network: false
    ##### Interface and kernel options.
    # The LAN interface to bind. Use it if you want to proxy LAN.
    # Multiple interfaces split by ",".
    lan_interface: ens18
    # The WAN interface to bind. Use it if you want to proxy localhost.
    # Multiple interfaces split by ",". Use "auto" to auto detect.
    wan_interface: auto
    # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
    # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
    auto_config_kernel_parameter: true
    # Automatically configure firewall rules like firewalld and fw4.
    # firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
    # fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
    auto_config_firewall_rule: true
    ##### Node connectivity check.
    # Host of URL should have both IPv4 and IPv6 if you have double stack in local.
    # First is URL, others are IP addresses if given.
    # Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
    #tcp_check_url: 'http://cp.cloudflare.com'
    tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
    # The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass
    # accounting for this kind of traffic.
    tcp_check_http_method: HEAD
    # This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
    # TCP DNS connectivity of nodes.
    # First is URL, others are IP addresses if given.
    # This DNS should have both IPv4 and IPv6 if you have double stack in local.
    #udp_check_dns: 'dns.google.com:53'
    udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'
    check_interval: 30s
    # Group will switch node only when new_latency <= old_latency - tolerance.
    check_tolerance: 50ms
    ##### Connecting options.
    # Optional values of dial_mode are:
    # 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
    #       respectively, and makes the IP version requested by the application meet expectations. For example, if you
    #       use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
    #       This may solve some wierd full-cone problem if your are be your node support that. Sniffing will be disabled
    #       in this mode.
    # 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
    #       if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
    #       re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
    #       That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
    # 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
    #       DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
    #       go through dae, dae cannot split traffic by domain.
    # 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover
    #       domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources.
    dial_mode: domain
    # Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.
    allow_insecure: false
    # Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful
    # in high latency LAN network.
    sniffing_timeout: 100ms
    # TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello.
    tls_implementation: tls
    # The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls.
    # See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17
    utls_imitate: chrome_auto
 }
 # Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
 # Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
 subscription {
    # Add your subscription links here.
    'file://mysubscription-1.sub' # the path is related to /etc/dae/
    'file://mysubscription-2.sub'
 }
 # Nodes defined here will be merged as a part of the global node pool.
 node {
    # Add your node links here.
    # Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
    # Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
    # mylink: 'ss://LINK'
    # node1: 'vmess://LINK'
    # node2: 'vless://LINK'
    # chains: 'tuic://LINK -> vmess://LINK'
 }
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
 dns {
    # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
    # respond to type A queries and response empty answer to type AAAA queries.
    #ipversion_prefer: 4
    # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
    # for these domains.
    #fixed_domain_ttl {
    #    ddns.example.org: 10
    #    test.example.org: 3600
    #}
    upstream {
        # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.
        # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
        # IPv4 or IPv6 to use according to group policy (such as min latency policy).
        # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
        # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
        alidns: 'udp://dns.alidns.com:53'
        googledns: 'tcp+udp://dns.google.com:53'
    }
    routing {
        # According to the request of dns query, decide to use which DNS upstream.
        # Match rules from top to bottom.
        request {
            # Lookup China mainland domains using alidns, otherwise googledns.
            qname(geosite:cn) -> alidns
            # fallback is also called default.
            fallback: googledns
        }
    }
 #    routing {
 #        # According to the request of dns query, decide to use which DNS upstream.
 #        # Match rules from top to bottom.
 #        request {
 #            # fallback is also called default.
 #            fallback: alidns
 #        }
 #        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
 #        # Match rules from top to bottom.
 #        response {
 #            # Trusted upstream. Always accept its result.
 #            upstream(googledns) -> accept
 #            # Possibly polluted, re-lookup using googledns.
 #            ip(geoip:private) && !qname(geosite:cn) -> googledns
 #            # fallback is also called default.
 #            fallback: accept
 #        }
 #    }
 }
 # Node group (outbound).
 group {
    my_group {
        # No filter. Use all nodes.
        # Randomly select a node from the group for every connection.
        #policy: random
        # Select the first node from the group for every connection.
        #policy: fixed(0)
        # Select the node with min last latency from the group for every connection.
        #policy: min
        # Select the node with min moving average of latencies from the group for every connection.
        policy: min_moving_avg
    }
    group2 {
        # Filter nodes from the global node pool defined by the subscription and node section above.
        #filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
        # Filter nodes from the global node pool defined by tag.
        #filter: name(node1, node2)
        # Filter nodes and give a fixed latency offset to archive latency-based failover.
        # In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
        filter: name(HK_node)
        filter: name(US_node) [add_latency: -500ms]
        # Select the node with min average of the last 10 latencies from the group for every connection.
        policy: min_avg10
    }
 }
 # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
 routing {
    ### Preset rules.
    # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
    # WAN.
    pname(NetworkManager) -> direct
    # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
    # forwarded by the proxy.
    # "dip" means destination IP.
    dip(224.0.0.0/3, 'ff00::/8') -> direct
    # This line allows you to access private addresses directly instead of via your proxy. If you really want to access
    # private addresses in your proxy host network, modify the below line.
    dip(geoip:private) -> direct
    ### Write your rules below.
    # Disable h3 because it usually consumes too much cpu/mem resources.
    l4proto(udp) && dport(443) -> block
    dip(geoip:cn) -> direct
    domain(geosite:cn) -> direct
    fallback: my_group
 }
--- a/hosts/idols_aquamarine/dae.nix
+++ b/hosts/idols_aquamarine/dae.nix
@@ -0,0 +1,11 @@
 # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/dae.nix
 {
  services.dae = {
    enable = true;
    openFirewall = {
      enable = true;
      port = 12345;
    };
    configFile = ./bypass-router.dae;
  };
 }
--- a/hosts/idols_aquamarine/default.nix
+++ b/hosts/idols_aquamarine/default.nix
@@ -1,3 +1,4 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Aquamarine - A NixOS VM running on Proxmox
@@ -5,9 +6,12 @@
 #############################################################
 let
  hostName = "aquamarine"; # Define your hostname.
-  vars = import ../vars.nix;
+  hostAddress = vars_networking.hostAddress.${hostName};
  hostAddress = vars.networking.hostAddress.${hostName};
 in {
  imports = [
    ./router.nix
  ];
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
  # supported file systems, so we can mount any removable disks with these filesystems
@@ -28,7 +32,7 @@ in {
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    networkmanager.enable = false;
    interfaces.ens18 = {
--- a/hosts/idols_aquamarine/home.nix
+++ b/hosts/idols_aquamarine/home.nix
@@ -1,2 +0,0 @@
 {
 }
--- a/hosts/idols_aquamarine/router.nix
+++ b/hosts/idols_aquamarine/router.nix
--- a/hosts/idols_kana/default.nix
+++ b/hosts/idols_kana/default.nix
@@ -1,3 +1,4 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Kana - a NixOS VM running on Proxmox
@@ -5,8 +6,7 @@
 #############################################################
 let
  hostName = "kana"; # Define your hostname.
-  vars = import ../vars.nix;
+  hostAddress = vars_networking.hostAddress.${hostName};
  hostAddress = vars.networking.hostAddress.${hostName};
 in {
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
@@ -28,7 +28,7 @@ in {
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    networkmanager.enable = false;
    interfaces.ens18 = {
--- a/hosts/idols_kana/home.nix
+++ b/hosts/idols_kana/home.nix
@@ -1,2 +0,0 @@
 {
 }
--- a/hosts/idols_ruby/default.nix
+++ b/hosts/idols_ruby/default.nix
@@ -1,3 +1,4 @@
 {vars_networking, ...}:
 #############################################################
 #
 #  Ruby - a NixOS VM running on Proxmox
@@ -5,8 +6,7 @@
 #############################################################
 let
  hostName = "ruby"; # Define your hostname.
-  vars = import ../vars.nix;
+  hostAddress = vars_networking.hostAddress.${hostName};
  hostAddress = vars.networking.hostAddress.${hostName};
 in {
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
@@ -28,7 +28,7 @@ in {
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    networkmanager.enable = false;
    interfaces.ens18 = {
--- a/hosts/idols_ruby/home.nix
+++ b/hosts/idols_ruby/home.nix
@@ -1,2 +0,0 @@
 {
 }
--- a/hosts/rolling_girls_chiaya/default.nix
+++ b/hosts/rolling_girls_chiaya/default.nix
@@ -1,5 +1,6 @@
 {
  # nixos-jh7110,
  vars_networking,
  ...
 }:
 #############################################################
@@ -11,8 +12,7 @@
 #############################################################
 let
  hostName = "chiaya"; # Define your hostname.
-  vars = import ../vars.nix;
+  hostAddress = vars_networking.hostAddress.${hostName};
  hostAddress = vars.networking.hostAddress.${hostName};
 in {
  imports = [
  ];
@@ -20,7 +20,7 @@ in {
  # Set static IP address / gateway / DNS servers.
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    # Failed to enable firewall due to the following error:
    #   firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported
--- a/hosts/rolling_girls_nozomi/default.nix
+++ b/hosts/rolling_girls_nozomi/default.nix
@@ -1,4 +1,8 @@
-{nixos-licheepi4a, ...}:
+{
  nixos-licheepi4a,
  vars_networking,
  ...
 }:
 #############################################################
 #
 #  Nozomi - NixOS configuration for Lichee Pi 4A
@@ -6,8 +10,7 @@
 #############################################################
 let
  hostName = "nozomi"; # Define your hostname.
-  vars = import ../vars.nix;
+  hostAddress = vars_networking.hostAddress.${hostName};
  hostAddress = vars.networking.hostAddress.${hostName};
 in {
  imports = [
    # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware
@@ -19,7 +22,7 @@ in {
  # Set static IP address / gateway / DNS servers.
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    wireless = {
      # https://wiki.archlinux.org/title/wpa_supplicant
--- a/hosts/rolling_girls_yukina/default.nix
+++ b/hosts/rolling_girls_yukina/default.nix
@@ -1,4 +1,8 @@
-{nixos-licheepi4a, ...}:
+{
  nixos-licheepi4a,
  vars_networking,
  ...
 }:
 #############################################################
 #
 #  Yukina - NixOS configuration for Lichee Pi 4A
@@ -6,8 +10,7 @@
 #############################################################
 let
  hostName = "yukina"; # Define your hostname.
-  vars = import ../vars.nix;
+  hostAddress = vars_networking.hostAddress.${hostName};
  hostAddress = vars.networking.hostAddress.${hostName};
 in {
  imports = [
    # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware
@@ -19,7 +22,7 @@ in {
  # Set static IP address / gateway / DNS servers.
  networking = {
    inherit hostName;
-    inherit (vars.networking) defaultGateway nameservers;
+    inherit (vars_networking) defaultGateway nameservers;
    wireless = {
      # https://wiki.archlinux.org/title/wpa_supplicant
--- a/hosts/vars.nix
+++ b/hosts/vars.nix
@@ -1,49 +0,0 @@
 {
  networking = rec {
    defaultGateway = "192.168.5.201";
    nameservers = [
      "119.29.29.29" # DNSPod
      "223.5.5.5" # AliDNS
    ];
    prefixLength = 24;
    hostAddress = {
      "ai" = {
        inherit prefixLength;
        address = "192.168.5.100";
      };
      "aquamarine" = {
        inherit prefixLength;
        address = "192.168.5.101";
      };
      "ruby" = {
        inherit prefixLength;
        address = "192.168.5.102";
      };
      "kana" = {
        inherit prefixLength;
        address = "192.168.5.103";
      };
      "nozomi" = {
        inherit prefixLength;
        address = "192.168.5.104";
      };
      "yukina" = {
        inherit prefixLength;
        address = "192.168.5.105";
      };
      "chiaya" = {
        inherit prefixLength;
        address = "192.168.5.106";
      };
      "suzu" = {
        inherit prefixLength;
        address = "192.168.5.107";
      };
      "tailscale-gw" = {
        inherit prefixLength;
        address = "192.168.5.192";
      };
    };
  };
 }
--- a/lib/attrs.nix
+++ b/lib/attrs.nix
@@ -11,7 +11,7 @@
  #   mapAttrs
  #   (name: value: ("bar-" + value))
  #   { x = "a"; y = "b"; }
-  #     => { foo = "bar-a"; foo = "bar-b"; }
+  #     => { x = "bar-a"; y = "bar-b"; }
  inherit (lib.attrsets) mapAttrs;
  # Update both the names and values of the given attribute set.
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -1,4 +1,5 @@
 {
  vars_networking,
  username,
  userfullname,
  nuenv,
@@ -31,6 +32,11 @@
    ];
  };
  programs.ssh = {
    extraConfig = vars_networking.ssh.extraConfig;
    knownHosts = vars_networking.ssh.knownHosts;
  };
  nix.settings = {
    # enable flakes globally
    experimental-features = ["nix-command" "flakes"];
--- a/modules/nixos/base/remote-building.nix
+++ b/modules/nixos/base/remote-building.nix
@@ -16,7 +16,7 @@
  nix.buildMachines = let
    sshUser = username;
    # ssh key's path on local machine
-    sshKey = "/home/${username}/.ssh/ai-idols";
+    sshKey = "/etc/agenix/ssh-key-romantic";
    systems = [
      # native arch
      "x86_64-linux"
@@ -68,64 +68,4 @@
  nix.extraOptions = ''
    builders-use-substitutes = true
  '';
  # define the host alias for remote builders
  # this config will be written to /etc/ssh/ssh_config
  programs.ssh.extraConfig = ''
    # idols
    Host ai
      HostName 192.168.5.100
      Port 22
    Host aquamarine
      HostName 192.168.5.101
      Port 22
    Host ruby
      HostName 192.168.5.102
      Port 22
    Host kana
      HostName 192.168.5.103
      Port 22
    # rolling girls
    Host nozomi
      HostName 192.168.5.104
      Port 22
    Host yukina
      HostName 192.168.5.105
      Port 22
    Host chiaya
      HostName 192.168.5.106
      Port 22
    Host suzu
      HostName 192.168.5.107
      Port 22
  '';
  # define the host key for remote builders so that nix can verify all the remote builders
  # this config will be written to /etc/ssh/ssh_known_hosts
  programs.ssh.knownHosts = {
    # 星野 愛久愛海, Hoshino Aquamarine
    aquamarine = {
      hostNames = ["aquamarine" "192.168.5.101"];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0EzzjnuHBE9xEOZupLmaAj9xbYxkUDeLbMqFZ7YPjU";
    };
    # 星野 瑠美衣, Hoshino Rubii
    ruby = {
      hostNames = ["ruby" "192.168.5.102"];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrDXNQXELnbevZ1rImfXwmQHkRcd3TDNLsQo33c2tUf";
    };
    # 有馬 かな, Arima Kana
    kana = {
      hostNames = ["kana" "192.168.5.103"];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMVX05DQD1XJ0AqFZzsRsqgeUOlZ4opAI+8tkVXyjq+";
    };
  };
 }
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -6,11 +6,12 @@
  inherit (inputs.nixpkgs) lib;
  mylib = import ../lib {inherit lib;};
  vars = import ./vars.nix;
  vars_networking = import ./vars_networking.nix {inherit lib;};
  specialArgsForSystem = system:
    {
      inherit (constants) username userfullname useremail;
-      inherit mylib;
+      inherit mylib vars_networking;
      # use unstable branch for some packages to get the latest updates
      pkgs-unstable = import inputs.nixpkgs-unstable {
        inherit system; # refer the `system` parameter form outer scope recursively
--- a/systems/vars.nix
+++ b/systems/vars.nix
@@ -47,12 +47,9 @@ in {
      ../modules/nixos/server/server.nix
      ../modules/nixos/server/proxmox-hardware-configuration.nix
    ];
-    home-module.imports = [
+    # home-module.imports = [];
      ../hosts/idols_aquamarine/home.nix
      ../home/linux/server.nix
    ];
  };
-  idol_aquamarine_tags = ["dist-build" "aqua"];
+  idol_aquamarine_tags = ["aqua" "router"];
  # 星野 瑠美衣, Hoshino Rubii
  idol_ruby_modules = {
@@ -61,10 +58,7 @@ in {
      ../modules/nixos/server/server.nix
      ../modules/nixos/server/proxmox-hardware-configuration.nix
    ];
-    home-module.imports = [
+    # home-module.imports = [];
      ../hosts/idols_ruby/home.nix
      ../home/linux/server.nix
    ];
  };
  idol_ruby_tags = ["dist-build" "ruby"];
@@ -75,10 +69,7 @@ in {
      ../modules/nixos/server/server.nix
      ../modules/nixos/server/proxmox-hardware-configuration.nix
    ];
-    home-module.imports = [
+    # home-module.imports = [];
      ../hosts/idols_kana/home.nix
      ../home/linux/server.nix
    ];
  };
  idol_kana_tags = ["dist-build" "kana"];
@@ -90,7 +81,7 @@ in {
    ];
    # home-module.imports = [];
  };
-  homelab_tailscale_gw_tags = ["tailscale-gw"];
+  homelab_tailscale_gw_tags = ["tailscale_gw"];
  # 森友 望未, Moritomo Nozomi
  rolling_nozomi_modules = {
--- a/systems/vars_networking.nix
+++ b/systems/vars_networking.nix
@@ -0,0 +1,93 @@
 {lib, ...}: rec {
  defaultGateway = "192.168.5.201";
  nameservers = [
    "119.29.29.29" # DNSPod
    "223.5.5.5" # AliDNS
  ];
  prefixLength = 24;
  hostAddress = {
    "ai" = {
      inherit prefixLength;
      address = "192.168.5.100";
    };
    "aquamarine" = {
      inherit prefixLength;
      address = "192.168.5.101";
    };
    "ruby" = {
      inherit prefixLength;
      address = "192.168.5.102";
    };
    "kana" = {
      inherit prefixLength;
      address = "192.168.5.103";
    };
    "nozomi" = {
      inherit prefixLength;
      address = "192.168.5.104";
    };
    "yukina" = {
      inherit prefixLength;
      address = "192.168.5.105";
    };
    "chiaya" = {
      inherit prefixLength;
      address = "192.168.5.106";
    };
    "suzu" = {
      inherit prefixLength;
      address = "192.168.5.107";
    };
    "tailscale_gw" = {
      inherit prefixLength;
      address = "192.168.5.192";
    };
  };
  ssh = {
    # define the host alias for remote builders
    # this config will be written to /etc/ssh/ssh_config
    # ''
    #   Host ruby
    #     HostName 192.168.5.102
    #     Port 22
    #
    #   Host kana
    #     HostName 192.168.5.103
    #     Port 22
    #   ...
    # '';
    extraConfig =
      lib.attrsets.foldlAttrs
      (acc: host: value:
        acc
        + ''
          Host ${host}
            HostName ${value.address}
            Port 22
        '')
      ""
      hostAddress;
    # define the host key for remote builders so that nix can verify all the remote builders
    # this config will be written to /etc/ssh/ssh_known_hosts
    knownHosts =
      # Update only the values of the given attribute set.
      #
      #   mapAttrs
      #   (name: value: ("bar-" + value))
      #   { x = "a"; y = "b"; }
      #     => { x = "bar-a"; y = "bar-b"; }
      lib.attrsets.mapAttrs
      (host: value: {
        hostNames = [host hostAddress.${host}.address];
        publicKey = value.publicKey;
      })
      {
        aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0EzzjnuHBE9xEOZupLmaAj9xbYxkUDeLbMqFZ7YPjU";
        ruby.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrDXNQXELnbevZ1rImfXwmQHkRcd3TDNLsQo33c2tUf";
        kana.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMVX05DQD1XJ0AqFZzsRsqgeUOlZ4opAI+8tkVXyjq+";
      };
  };
 }