feat: migrate all nixos services from idols to 12kingdoms

This commit is contained in:
Ryan Yin
2024-03-29 11:58:48 +08:00
parent 4da995fa88
commit bf6bc4bee2
65 changed files with 422 additions and 446 deletions

flake.lock generated

@@ -892,10 +892,10 @@
"mysecrets": {
"flake": false,
"locked": {
"lastModified": 1711384638,
"narHash": "sha256-1XyAHel88+uqA6yzT2/mwgfxYt4JfJKmnI5OI93vDYg=",
"lastModified": 1711871709,
"narHash": "sha256-Pj667YJdXbJPhQVUutpKoqH6e66eF8my5q8RQyl0BXI=",
"ref": "refs/heads/main",
"rev": "691dce5db5077c4f668468434cc422f93e7834c5",
"rev": "c0239ed183c43c18f6bdf2f9045602e1bb9ca310",
"shallow": true,
"type": "git",
"url": "ssh://git@github.com/ryan4yin/nix-secrets.git"


@@ -0,0 +1,143 @@
# Rakushun - Disk and Installation
Disk layout:
```bash
[ryan@rakushun:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 58.6G 0 disk
└─sda1 8:1 1 487M 0 part
mtdblock0 31:0 0 16M 0 disk
zram0 254:0 0 0B 0 disk
nvme0n1 259:0 0 1.8T 0 disk
├─nvme0n1p1 259:1 0 630M 0 part /boot
└─nvme0n1p2 259:2 0 1.8T 0 part
└─encrypted 253:0 0 1.8T 0 crypt /tmp
/swap
/snapshots
/home/ryan/tmp
/home/ryan/nix-config
/home/ryan/go
/home/ryan/codes
/home/ryan/.ssh
/home/ryan/.local/state
/home/ryan/.npm
/home/ryan/.local/share
/home/ryan/.conda
/etc/ssh
/etc/nix/inputs
/etc/secureboot
/etc/agenix
/etc/NetworkManager/system-connections
/etc/machine-id
/nix/store
/var/log
/var/lib
/nix
/persistent
[ryan@rakushun:~]$ df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 785M 0 785M 0% /dev
tmpfs tmpfs 7.7G 0 7.7G 0% /dev/shm
tmpfs tmpfs 3.9G 6.8M 3.9G 1% /run
tmpfs tmpfs 7.7G 1.9M 7.7G 1% /run/wrappers
none tmpfs 4.0G 48K 4.0G 1% /
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /persistent
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /nix
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /snapshots
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /swap
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /tmp
/dev/nvme0n1p1 vfat 629M 96M 534M 16% /boot
tmpfs tmpfs 1.6G 4.0K 1.6G 1% /run/user/1000
```
CPU info:
```bash
[ryan@rakushun:~]$ lscpu
Architecture: aarch64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: ARM
Model name: Cortex-A55
Model: 0
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: r2p0
CPU(s) scaling MHz: 67%
CPU max MHz: 1800.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Model name: Cortex-A76
Model: 0
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
Stepping: r4p0
CPU(s) scaling MHz: 18%
CPU max MHz: 2256.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Caches (sum of all):
L1d: 384 KiB (8 instances)
L1i: 384 KiB (8 instances)
L2: 2.5 MiB (8 instances)
L3: 3 MiB (1 instance)
```
## How to install NixOS on Orange Pi 5 Plus
### 1. Prepare a USB LUKS key
Generate LUKS keyfile to encrypt the root partition, it's used by disko.
```bash
# partition the usb stick
DEV=/dev/sdX
parted ${DEV} -- mklabel gpt
parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
# Generate a keyfile from the true random number generator
KEYFILE=./orangepi5plus-luks-keyfile
dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
# copy the keyfile and token to the usb stick
KEYFILE=./orangepi5plus-luks-keyfile
DEVICE=/dev/disk/by-label/OPI5P_DSC
# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
```
### 2. Partition the SSD & install NixOS via disko
First, follow
[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
install UEFI bootloader and boot into NixOS live environment via a USB stick.
Then, run the following commands:
```bash
# transfer the nix-config to the target machine
rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
# login via ssh
ssh rk@<ip-addr>
cd ~/nix-config/hosts/12kingdoms_rakushun
# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
# 2. partition & format the disk via disko
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
cd ~/nix-config
# install nixos
# NOTE: the root password you set here will be discarded when reboot
sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
```


@@ -2,148 +2,33 @@
LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus.
Host running storage, operation and maintenance related services:
1. Storage such as git server, file server/browser, torrent downloader,, etc.
1. Backup or sync my personal data to cloud or NAS.
- For safety, those data should be encrypted before sending to the cloud or my NAS.
1. Collect and monitor the metrics/logs of my homelab.
## Showcases
![](../../_img/2024-03-07_orangepi5plus_rakushun.webp)
Disk layout:
## Features
```bash
[ryan@rakushun:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 58.6G 0 disk
└─sda1 8:1 1 487M 0 part
mtdblock0 31:0 0 16M 0 disk
zram0 254:0 0 0B 0 disk
nvme0n1 259:0 0 1.8T 0 disk
├─nvme0n1p1 259:1 0 630M 0 part /boot
└─nvme0n1p2 259:2 0 1.8T 0 part
└─encrypted 253:0 0 1.8T 0 crypt /tmp
/swap
/snapshots
/home/ryan/tmp
/home/ryan/nix-config
/home/ryan/go
/home/ryan/codes
/home/ryan/.ssh
/home/ryan/.local/state
/home/ryan/.npm
/home/ryan/.local/share
/home/ryan/.conda
/etc/ssh
/etc/nix/inputs
/etc/secureboot
/etc/agenix
/etc/NetworkManager/system-connections
/etc/machine-id
/nix/store
/var/log
/var/lib
/nix
/persistent
Services:
[ryan@rakushun:~]$ df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 785M 0 785M 0% /dev
tmpfs tmpfs 7.7G 0 7.7G 0% /dev/shm
tmpfs tmpfs 3.9G 6.8M 3.9G 1% /run
tmpfs tmpfs 7.7G 1.9M 7.7G 1% /run/wrappers
none tmpfs 4.0G 48K 4.0G 1% /
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /persistent
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /nix
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /snapshots
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /swap
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /tmp
/dev/nvme0n1p1 vfat 629M 96M 534M 16% /boot
tmpfs tmpfs 1.6G 4.0K 1.6G 1% /run/user/1000
```
1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
1. restic: Backup my personal data to cloud or NAS.
1. synthing: Sync file between android/macbook/PC and NAS.
1. attic: Nix cache server.
1. gitea: Self-hosted git service.
1. sftpgo: SFTP server.
1. transmission & AriaNg: Torrent downloader and HTTP downloader
1. alist/filebrower: File browser for local/SMB/Cloud
CPU info:
All the services assumes a reverse proxy to be setup in the front, they are all listening on
localhost, and a caddy service is listening on the local network interface and proxy the requests to
the services.
```bash
[ryan@rakushun:~]$ lscpu
Architecture: aarch64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: ARM
Model name: Cortex-A55
Model: 0
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: r2p0
CPU(s) scaling MHz: 67%
CPU max MHz: 1800.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Model name: Cortex-A76
Model: 0
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
Stepping: r4p0
CPU(s) scaling MHz: 18%
CPU max MHz: 2256.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Caches (sum of all):
L1d: 384 KiB (8 instances)
L1i: 384 KiB (8 instances)
L2: 2.5 MiB (8 instances)
L3: 3 MiB (1 instance)
```
## How to install NixOS on Orange Pi 5 Plus
### 1. Prepare a USB LUKS key
Generate LUKS keyfile to encrypt the root partition, it's used by disko.
```bash
# partition the usb stick
DEV=/dev/sdX
parted ${DEV} -- mklabel gpt
parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
# Generate a keyfile from the true random number generator
KEYFILE=./orangepi5plus-luks-keyfile
dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
# copy the keyfile and token to the usb stick
KEYFILE=./orangepi5plus-luks-keyfile
DEVICE=/dev/disk/by-label/OPI5P_DSC
# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
```
### 2. Partition the SSD & install NixOS via disko
First, follow
[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
install UEFI bootloader and boot into NixOS live environment via a USB stick.
Then, run the following commands:
```bash
# transfer the nix-config to the target machine
rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
# login via ssh
ssh rk@<ip-addr>
cd ~/nix-config/hosts/12kingdoms_rakushun
# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
# 2. partition & format the disk via disko
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
cd ~/nix-config
# install nixos
# NOTE: the root password you set here will be discarded when reboot
sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
```
TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the
services.


@@ -45,7 +45,7 @@
credentialsFile = config.age.secrets."attic-nix-cache-server.env".path;
settings = {
listen = "[::]:8888";
listen = "127.0.0.1:3300";
# Data chunking
#


@@ -19,9 +19,10 @@
# email = myvars.useremail;
# acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
virtualHosts."http://git.writefor.fun".extraConfig = ''
# Dashboard
virtualHosts."http://home.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3000
reverse_proxy http://localhost:4401
'';
# https://caddyserver.com/docs/caddyfile/directives/file_server
@@ -33,13 +34,54 @@
precompressed zstd br gzip
}
'';
# Datastore
virtualHosts."http://attic.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3300
'';
virtualHosts."http://git.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3301
'';
virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3302
'';
virtualHosts."http://webdav.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3303
'';
virtualHosts."http://transmission.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9091
'';
# Monitoring
virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3350
'';
virtualHosts."http://grafana.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3351
'';
virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9090
'';
virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9093
'';
};
networking.firewall.allowedTCPPorts = [80 443];
# Create Directories
systemd.tmpfiles.rules = [
"d /var/lib/caddy/fileserver/ 0755 caddy caddy"
# directory for virual machine's images
# directory for virtual machine's images
"d /var/lib/caddy/fileserver/vms 0755 caddy caddy"
];
}
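Review bot: Every virtualHost added in the second hunk is declared as `http://…` and proxied to `http://localhost:PORT`, so the Grafana, Prometheus, Alertmanager, Transmission and SFTPGo admin interfaces — and any credentials typed into them — cross the LAN in clear text between the browser and Caddy, which is a separate gap from the Caddy-to-backend PKI TODO this commit adds to the README. The context line `networking.firewall.allowedTCPPorts = [80 443];` opens 443 although, as far as this hunk shows, no site terminates TLS on it. A comment above the first virtualHost such as `# TLS intentionally off: these names are expected to resolve only on the local network` would record the trade-off; switching the host names to `https://` with Caddy's `tls internal` would be the inexpensive upgrade once the PKI work starts. The `services.caddy` attrset begins before the first hunk, so the global options it sets are not visible here.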


@@ -1,4 +1,5 @@
{
mylib,
disko,
nixos-rk3588,
myvars,
@@ -12,17 +13,13 @@
let
hostName = "rakushun"; # Define your hostname.
in {
imports = [
# import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
nixos-rk3588.nixosModules.orangepi5plus.core
disko.nixosModules.default
./hardware-configuration.nix
./disko-fs.nix
./impermanence.nix
./gitea.nix
./caddy.nix
];
imports =
(mylib.scanPaths ./.)
++ [
# import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
nixos-rk3588.nixosModules.orangepi5plus.core
disko.nixosModules.default
];
networking = {
inherit hostName;


@@ -21,7 +21,7 @@ in {
server = {
SSH_PORT = 2222;
PROTOCOL = "http";
HTTP_PORT = 3000;
HTTP_PORT = 3301;
HTTP_ADDR = "127.0.0.1";
DOMAIN = "git.writefor.fun";
};
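Review bot: Changing `HTTP_PORT = 3301;` also changes the URL Gitea generates for itself, because its default ROOT_URL is derived from PROTOCOL, DOMAIN and HTTP_PORT, so unless `ROOT_URL` is set outside this hunk, web links, clone URLs and OAuth callbacks will point at `http://git.writefor.fun:3301/` rather than at the Caddy front end that this commit proxies on port 80. Adding `ROOT_URL = "http://git.writefor.fun/";` next to `DOMAIN` pins the public URL independently of the internal port. The rest of the `settings` block lies outside the hunk, so this is inferred from what is visible.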


@@ -10,7 +10,7 @@
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3000;
http_port = 3351;
protocol = "http";
domain = "grafana.writefo.fun";
# Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks.
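Review bot: The context line `domain = "grafana.writefo.fun";` directly below the changed port is missing the `r` of `writefor.fun`, the host name Caddy proxies for Grafana in this same commit. Grafana derives `root_url` from `domain` and, when `enforce_domain` is on (the following comment about DNS-rebinding protection suggests that is the intent), redirects requests whose Host header does not match — so requests arriving as `grafana.writefor.fun` would be bounced to a different host name. The one-line fix is `domain = "grafana.writefor.fun";`. The remainder of the `settings` block, including whether `enforce_domain` is actually set, is outside the hunk.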



@@ -4,7 +4,7 @@ in {
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/homepage-dashboard.nix
services.homepage-dashboard = {
enable = true;
listenPort = 8082;
listenPort = 4401;
openFirewall = false;
};
systemd.services.homepage-dashboard.environment = {
@@ -17,7 +17,7 @@ in {
};
# Install the homepage-dashboard configuration files
system.activationScripts.installHomepageDashboardConfig = ''
mkdir -p configDir
mkdir -p ${configDir}
${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F600 ${./config}/ ${configDir}/
${pkgs.systemdMinimal}/bin/systemctl restart homepage-dashboard
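Review bot: `${pkgs.systemdMinimal}/bin/systemctl restart homepage-dashboard` on the last line runs inside an activation script, so the dashboard is restarted on every `nixos-rebuild switch` and at every boot even when `./config` has not changed, and it fires before the new unit set is switched in. NixOS already expresses "restart when this input changes": `systemd.services.homepage-dashboard.restartTriggers = [./config];` next to the activation script, with the restart line removed, restarts the unit only when the config directory's store path changes. The `mkdir -p ${configDir}` fix above is correct. The rest of the activation script and the `environment` attrset are outside the hunk.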


@@ -1,7 +1,7 @@
{
# Replace dashy with gethomepage, because dashy is too slow to start/reload.
# # Install the dashy configuration file instaed of symlink it
# # Install the dashy configuration file instead of symlink it
# system.activationScripts.installDashyConfig = ''
# install -Dm 600 ${./dashy_conf.yml} /etc/dashy/dashy_conf.yml
# '';


@@ -11,7 +11,7 @@
port = 9090;
webExternalUrl = "http://prometheus.writefor.fun";
extraFlags = ["--storage.tsdb.retention.time=15d"];
extraFlags = ["--storage.tsdb.retention.time=45d"];
# Directory below /var/lib to store Prometheus metrics data.
stateDir = "prometheus2";
@@ -70,7 +70,7 @@
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9153"];
targets = ["${myvars.networking.hostsAddr.suzi.ipv4}:9153"];
labels.type = "app";
labels.app = "dnsmasq";
}
@@ -83,7 +83,7 @@
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.kana.ipv4}:9153"];
targets = ["${myvars.networking.hostsAddr.rakushun.ipv4}:9153"];
labels.type = "app";
labels.app = "v2ray";
}
@@ -96,7 +96,7 @@
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.kana.ipv4}:10000"];
targets = ["${myvars.networking.hostsAddr.rakushun.ipv4}:10000"];
labels.type = "app";
labels.app = "v2ray";
}
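Review bot: The renamed targets `targets = ["${myvars.networking.hostsAddr.rakushun.ipv4}:9153"];` and `…rakushun.ipv4}:10000"];` keep their `labels.app = "v2ray"` context lines, yet nothing else in this commit moves a v2ray service or exporter to rakushun and the new rakushun README lists none; if these jobs were carried over from kana by a host rename they will sit permanently down and trip any `up == 0` alert rule. Either point them at the host that now serves v2ray or drop the jobs. Port 9153 is now scraped on suzi as dnsmasq and on rakushun as v2ray, so a short comment on each job naming the exporter expected behind the port, e.g. `# dnsmasq exporter on the dae router`, would keep the next rename from mixing them up. The scrapeConfigs list continues outside these hunks.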


@@ -51,7 +51,7 @@
webdavd.bindings = [
{
address = "127.0.0.1";
port = 5005;
port = 3303;
}
];
# HTTP Server provides a simple web interface to manage the server.
@@ -59,7 +59,7 @@
{
address = "127.0.0.1";
enable_https = false;
port = 5010;
port = 3302;
client_ip_proxy_header = "X-Forwarded-For";
# a basic built-in web interface that allows you to manage users,
# virtual folders, admins and connections.
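Review bot: With the HTTP binding now at `address = "127.0.0.1"` and `port = 3302`, the context line `client_ip_proxy_header = "X-Forwarded-For";` makes SFTPGo take the client address from a header that any local process able to reach the loopback port can forge, which matters because SFTPGo uses that address for its login-defender and IP allow/deny decisions. If the binding does not already set it outside this hunk, pairing the header with `proxy_allowed = ["127.0.0.1"];` limits trust to the local Caddy instance that this commit puts in front of it. The bindings list begins before the hunk, so this is inferred from the visible fields.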


@@ -5,7 +5,7 @@
# https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
settings = {
"UPTIME_KUMA_HOST" = "127.0.0.1";
"UPTIME_KUMA_PORT" = "3001";
"UPTIME_KUMA_PORT" = "3350";
"DATA_DIR" = "/var/lib/uptime-kuma/";
};
};


@@ -0,0 +1,142 @@
# Suzu - Disk and Installation
Disk layout:
```bash
[ryan@suzu:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 58.6G 0 disk
└─sda1 8:1 1 486M 0 part
mtdblock0 31:0 0 16M 0 disk
zram0 254:0 0 0B 0 disk
nvme0n1 259:0 0 238.5G 0 disk
├─nvme0n1p1 259:1 0 630M 0 part /boot
└─nvme0n1p2 259:2 0 237.9G 0 part
└─encrypted 253:0 0 237.8G 0 crypt /tmp
/snapshots
/swap
/home/ryan/tmp
/home/ryan/nix-config
/home/ryan/go
/home/ryan/.local/state
/home/ryan/codes
/home/ryan/.npm
/home/ryan/.ssh
/home/ryan/.local/share
/etc/ssh
/home/ryan/.conda
/etc/secureboot
/etc/agenix
/etc/nix/inputs
/etc/NetworkManager/system-connections
/nix/store
/var/log
/var/lib
/nix
/persistent
[ryan@suzu:~]$ df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 383M 0 383M 0% /dev
tmpfs tmpfs 3.8G 0 3.8G 0% /dev/shm
tmpfs tmpfs 1.9G 6.2M 1.9G 1% /run
tmpfs tmpfs 3.8G 1.9M 3.8G 1% /run/wrappers
none tmpfs 2.0G 48K 2.0G 1% /
/dev/mapper/crypted btrfs 238G 11G 226G 5% /persistent
/dev/mapper/crypted btrfs 238G 11G 226G 5% /nix
/dev/mapper/crypted btrfs 238G 11G 226G 5% /swap
/dev/mapper/crypted btrfs 238G 11G 226G 5% /snapshots
/dev/mapper/crypted btrfs 238G 11G 226G 5% /tmp
/dev/nvme0n1p1 vfat 629M 86M 543M 14% /boot
tmpfs tmpfs 766M 4.0K 766M 1% /run/user/1000
```
CPU info:
```bash
[ryan@suzu:~]$ lscpu
Architecture: aarch64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: ARM
Model name: Cortex-A55
Model: 0
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: r2p0
CPU(s) scaling MHz: 56%
CPU max MHz: 1800.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Model name: Cortex-A76
Model: 0
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
Stepping: r4p0
CPU(s) scaling MHz: 18%
CPU max MHz: 2256.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Caches (sum of all):
L1d: 384 KiB (8 instances)
L1i: 384 KiB (8 instances)
L2: 2.5 MiB (8 instances)
L3: 3 MiB (1 instance)
```
## How to install NixOS on Orange Pi 5
### 1. Prepare a USB LUKS key
Generate LUKS keyfile to encrypt the root partition, it's used by disko.
```bash
# partition the usb stick
DEV=/dev/sdX
parted ${DEV} -- mklabel gpt
parted ${DEV} -- mkpart primary 2M 512MB
mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
# Generate a keyfile from the true random number generator
KEYFILE=./orangepi5-luks-keyfile
dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
# copy the keyfile and token to the usb stick
KEYFILE=./orangepi5-luks-keyfile
DEVICE=/dev/disk/by-label/OPI5_DSC
# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
```
### 2. Partition the SSD & install NixOS via disko
First, follow
[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
install UEFI bootloader and boot into NixOS live environment via a USB stick.
Then, run the following commands:
```bash
# login via ssh
ssh rk@<ip-addr>
git clone https://github.com/ryan4yin/nix-config.git
cd ~/nix-config/hosts/12kingdoms_suzu
# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
# 2. partition & format the disk via disko
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
cd ~/nix-config
# install nixos
# NOTE: the root password you set here will be discarded when reboot
sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
```


@@ -6,143 +6,23 @@ LUKS encrypted SSD for NixOS, on Orange Pi 5.
![](../../_img/2024-03-07_orangepi5_suzu.webp)
Disk layout:
## Features
```bash
[ryan@suzu:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 58.6G 0 disk
└─sda1 8:1 1 486M 0 part
mtdblock0 31:0 0 16M 0 disk
zram0 254:0 0 0B 0 disk
nvme0n1 259:0 0 238.5G 0 disk
├─nvme0n1p1 259:1 0 630M 0 part /boot
└─nvme0n1p2 259:2 0 237.9G 0 part
└─encrypted 253:0 0 237.8G 0 crypt /tmp
/snapshots
/swap
/home/ryan/tmp
/home/ryan/nix-config
/home/ryan/go
/home/ryan/.local/state
/home/ryan/codes
/home/ryan/.npm
/home/ryan/.ssh
/home/ryan/.local/share
/etc/ssh
/home/ryan/.conda
/etc/secureboot
/etc/agenix
/etc/nix/inputs
/etc/NetworkManager/system-connections
/nix/store
/var/log
/var/lib
/nix
/persistent
Micro VMs:
[ryan@suzu:~]$ df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 383M 0 383M 0% /dev
tmpfs tmpfs 3.8G 0 3.8G 0% /dev/shm
tmpfs tmpfs 1.9G 6.2M 1.9G 1% /run
tmpfs tmpfs 3.8G 1.9M 3.8G 1% /run/wrappers
none tmpfs 2.0G 48K 2.0G 1% /
/dev/mapper/crypted btrfs 238G 11G 226G 5% /persistent
/dev/mapper/crypted btrfs 238G 11G 226G 5% /nix
/dev/mapper/crypted btrfs 238G 11G 226G 5% /swap
/dev/mapper/crypted btrfs 238G 11G 226G 5% /snapshots
/dev/mapper/crypted btrfs 238G 11G 226G 5% /tmp
/dev/nvme0n1p1 vfat 629M 86M 543M 14% /boot
tmpfs tmpfs 766M 4.0K 766M 1% /run/user/1000
```
1. suzi: dae router(transparent proxy, dhcp)
1. mitsuha: tailscale gateway(sub router)
CPU info:
Services:
```bash
[ryan@suzu:~]$ lscpu
Architecture: aarch64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: ARM
Model name: Cortex-A55
Model: 0
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: r2p0
CPU(s) scaling MHz: 56%
CPU max MHz: 1800.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Model name: Cortex-A76
Model: 0
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
Stepping: r4p0
CPU(s) scaling MHz: 18%
CPU max MHz: 2256.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Caches (sum of all):
L1d: 384 KiB (8 instances)
L1i: 384 KiB (8 instances)
L2: 2.5 MiB (8 instances)
L3: 3 MiB (1 instance)
```
1. OCI Containers: to run some servides that's not available in NixOS.
1. ddns
1. uptime-kuma: uptime monitoring
1. excalidraw/DDTV/owncast/jitsi-meet/...
## How to install NixOS on Orange Pi 5
All the services assumes a reverse proxy to be setup in the front, they are all listening on
localhost, and a caddy service is listening on the local network interface and proxy the requests to
the services.
### 1. Prepare a USB LUKS key
Generate LUKS keyfile to encrypt the root partition, it's used by disko.
```bash
# partition the usb stick
DEV=/dev/sdX
parted ${DEV} -- mklabel gpt
parted ${DEV} -- mkpart primary 2M 512MB
mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
# Generate a keyfile from the true random number generator
KEYFILE=./orangepi5-luks-keyfile
dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
# copy the keyfile and token to the usb stick
KEYFILE=./orangepi5-luks-keyfile
DEVICE=/dev/disk/by-label/OPI5_DSC
# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
```
### 2. Partition the SSD & install NixOS via disko
First, follow
[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
install UEFI bootloader and boot into NixOS live environment via a USB stick.
Then, run the following commands:
```bash
# login via ssh
ssh rk@<ip-addr>
git clone https://github.com/ryan4yin/nix-config.git
cd ~/nix-config/hosts/12kingdoms_suzu
# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
# 2. partition & format the disk via disko
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
cd ~/nix-config
# install nixos
# NOTE: the root password you set here will be discarded when reboot
sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
```
TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the
services.


@@ -1,7 +1,7 @@
{
disko,
nixos-rk3588,
myvars,
mylib,
...
}:
#############################################################
@@ -14,17 +14,13 @@
let
hostName = "suzu"; # Define your hostname.
in {
imports = [
# import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
nixos-rk3588.nixosModules.orangepi5plus.core
disko.nixosModules.default
./hardware-configuration.nix
./disko-fs.nix
./impermanence.nix
./networking.nix
./microvm-host.nix
];
imports =
(mylib.scanPaths ./.)
++ [
# import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
nixos-rk3588.nixosModules.orangepi5plus.core
disko.nixosModules.default
];
networking = {inherit hostName;};
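Review bot: The context line `nixos-rk3588.nixosModules.orangepi5plus.core` survives on the new side for a host whose README, added in this same commit, describes it as an Orange Pi 5 (`LUKS encrypted SSD for NixOS, on Orange Pi 5.`), while rakushun, the Orange Pi 5 Plus, imports the identical module. If suzu really is the non-Plus board and the flake exposes a module for it, the import should select that one; if sharing the Plus core module is deliberate, a one-line comment such as `# the Plus core module is used on purpose: <reason>` would stop the next reader from "fixing" it. Whether the flake provides a separate non-Plus module is not visible here, and the attrset continues outside the hunk.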


@@ -2,9 +2,9 @@
imports =
(mylib.scanPaths ./.)
++ [
../../../modules/nixos/base/ssh.nix
../../../modules/nixos/base/user-group.nix
../../../modules/base.nix
../../../../modules/nixos/base/ssh.nix
../../../../modules/nixos/base/user-group.nix
../../../../modules/base.nix
];
microvm = {


@@ -2,10 +2,10 @@
imports =
(mylib.scanPaths ./.)
++ [
../../../secrets/nixos.nix
../../../modules/nixos/base/ssh.nix
../../../modules/nixos/base/user-group.nix
../../../modules/base.nix
../../../../secrets/nixos.nix
../../../../modules/nixos/base/ssh.nix
../../../../modules/nixos/base/user-group.nix
../../../../modules/base.nix
];
modules.secrets.server.network.enable = true;


@@ -1,16 +1,3 @@
# Idols - Kana
Host running some common applications, such as hompage, file browser, torrent downloader, etc.
All the services assumes a reverse proxy to be setup in the front, they are all listening on
localhost, and a caddy service is listening on the local network interface and proxy the requests to
the services.
## Services
1. dashy: Homepage
1. ddns
1. transmission & AriaNg: Torrent downloader and HTTP downloader
1. uptime-kuma: uptime monitoring
1. alist/filebrower: File browser for local/SMB/Cloud
1. excalidraw/DDTV/owncast/jitsi-meet/...
TODO


@@ -1,48 +0,0 @@
{myvars, ...}: {
services.caddy = {
enable = true;
# Reload Caddy instead of restarting it when configuration file changes.
enableReload = true;
user = "caddy"; # User account under which caddy runs.
dataDir = "/var/lib/caddy";
logDir = "/var/log/caddy";
# Additional lines of configuration appended to the global config section of the Caddyfile.
# Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
globalConfig = ''
http_port 80
https_port 443
auto_https off
'';
# ACME related settings.
# email = myvars.useremail;
# acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
virtualHosts."http://dashy.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:4000
'';
virtualHosts."http://transmission.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9091
'';
virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3001
'';
virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:5010
'';
virtualHosts."http://webdav.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:5005
'';
virtualHosts."http://home.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:8082
'';
};
networking.firewall.allowedTCPPorts = [80 443];
}


@@ -1,13 +1,3 @@
# Idols - Ruby
Host running operation and maintenance related services:
1. Backup or sync my personal data to cloud or NAS.
- For safety, those data should be encrypted before sending to the cloud or my NAS.
1. Collect and monitor the metrics/logs of my homelab.
## Services
1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
1. restic: Backup my personal data to cloud or NAS.
1. synthing: Sync file between android/macbook/PC and NAS.
TODO


@@ -1,40 +0,0 @@
{myvars, ...}: {
services.caddy = {
enable = true;
# Reload Caddy instead of restarting it when configuration file changes.
enableReload = true;
user = "caddy"; # User account under which caddy runs.
dataDir = "/var/lib/caddy";
logDir = "/var/log/caddy";
# Additional lines of configuration appended to the global config section of the Caddyfile.
# Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
globalConfig = ''
http_port 80
https_port 443
auto_https off
'';
# ACME related settings.
# email = myvars.useremail;
# acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
virtualHosts."http://grafana.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3000
'';
virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9090
'';
virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9093
'';
virtualHosts."http://attic.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:8888
'';
};
networking.firewall.allowedTCPPorts = [80 443];
}


@@ -1,4 +0,0 @@
{
# TODO
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/pve.nix
}


@@ -16,11 +16,17 @@
ssh-user = "root";
modules = {
nixos-modules = map mylib.relativeToRoot [
"modules/nixos/server/server-aarch64.nix"
# host specific modules
"hosts/12kingdoms-${name}"
];
nixos-modules =
(map mylib.relativeToRoot [
"secrets/nixos.nix"
"modules/nixos/server/server-aarch64.nix"
# host specific modules
"hosts/12kingdoms-${name}"
])
++ [
{modules.secrets.server.application.enable = true;}
{modules.secrets.server.operation.enable = true;}
];
};
inherit (inputs) nixos-rk3588;
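Review bot: The two lines `{modules.secrets.server.application.enable = true;}` and `{modules.secrets.server.operation.enable = true;}` added after the `++` sit inside what looks like a per-host builder (the `${name}` interpolation in `"hosts/12kingdoms-${name}"`), so every 12kingdoms host would receive both the application and the operation secret sets regardless of which services it actually runs. Keeping secret distribution to the consumers would be tighter: leave `secrets/nixos.nix` here and move each `enable` flag into the host's own directory next to the service that needs it, or key the flags on `name`. The enclosing `let`/attrset starts and ends outside the hunk, so whether this block is shared across hosts is inferred rather than visible.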


@@ -21,12 +21,12 @@ pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes())
# set http/https proxy
# NOTE: curl only accept the lowercase of `http_proxy`!
# NOTE: https://curl.se/libcurl/c/libcurl-env.html
pl["EnvironmentVariables"]["http_proxy"] = HTTP_PROXY
pl["EnvironmentVariables"]["https_proxy"] = HTTP_PROXY
# pl["EnvironmentVariables"]["http_proxy"] = HTTP_PROXY
# pl["EnvironmentVariables"]["https_proxy"] = HTTP_PROXY
# remove http proxy
# pl["EnvironmentVariables"].pop("http_proxy", None)
# pl["EnvironmentVariables"].pop("https_proxy", None)
pl["EnvironmentVariables"].pop("http_proxy", None)
pl["EnvironmentVariables"].pop("https_proxy", None)
os.chmod(NIX_DAEMON_PLIST, 0o644)
NIX_DAEMON_PLIST.write_bytes(plistlib.dumps(pl))
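Review bot: Switching between setting and removing the proxy is done by commenting out one pair of assignments and uncommenting the other, which is exactly what this hunk does, so the script's current behaviour is only discoverable by reading its source and every toggle is a fresh commit to a file that is run as root. A command-line mode keeps both paths live and reviewable; a sketch follows, assuming `sys` is imported in the header that sits outside the hunk. The `os.chmod(NIX_DAEMON_PLIST, 0o644)` and `write_bytes` lines are unchanged.
```python
# choose the action at the call site instead of editing the script each time:
#   sudo python3 <this script> set | unset
if len(sys.argv) > 1 and sys.argv[1] == "unset":
    pl["EnvironmentVariables"].pop("http_proxy", None)
    pl["EnvironmentVariables"].pop("https_proxy", None)
else:
    # NOTE: curl only accept the lowercase of `http_proxy`!
    # NOTE: https://curl.se/libcurl/c/libcurl-env.html
    pl["EnvironmentVariables"]["http_proxy"] = HTTP_PROXY
    pl["EnvironmentVariables"]["https_proxy"] = HTTP_PROXY
# … unchanged: chmod and write_bytes …
```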