diff --git a/flake.lock b/flake.lock
index 8218ee64..dcebd789 100644
--- a/flake.lock
+++ b/flake.lock
@@ -892,10 +892,10 @@
 "mysecrets": {
 "flake": false,
 "locked": {
- "lastModified": 1711384638,
- "narHash": "sha256-1XyAHel88+uqA6yzT2/mwgfxYt4JfJKmnI5OI93vDYg=",
+ "lastModified": 1711871709,
+ "narHash": "sha256-Pj667YJdXbJPhQVUutpKoqH6e66eF8my5q8RQyl0BXI=",
 "ref": "refs/heads/main",
- "rev": "691dce5db5077c4f668468434cc422f93e7834c5",
+ "rev": "c0239ed183c43c18f6bdf2f9045602e1bb9ca310",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
diff --git a/hosts/12kingdoms-rakushun/Disk-and-Installation.md b/hosts/12kingdoms-rakushun/Disk-and-Installation.md
new file mode 100644
index 00000000..57ecf71e
--- /dev/null
+++ b/hosts/12kingdoms-rakushun/Disk-and-Installation.md
@@ -0,0 +1,143 @@ +# Rakushun - Disk and Installation + +Disk layout: + +```bash +[ryan@rakushun:~]$ lsblk +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS +sda 8:0 1 58.6G 0 disk +└─sda1 8:1 1 487M 0 part +mtdblock0 31:0 0 16M 0 disk +zram0 254:0 0 0B 0 disk +nvme0n1 259:0 0 1.8T 0 disk +├─nvme0n1p1 259:1 0 630M 0 part /boot +└─nvme0n1p2 259:2 0 1.8T 0 part + └─encrypted 253:0 0 1.8T 0 crypt /tmp + /swap + /snapshots + /home/ryan/tmp + /home/ryan/nix-config + /home/ryan/go + /home/ryan/codes + /home/ryan/.ssh + /home/ryan/.local/state + /home/ryan/.npm + /home/ryan/.local/share + /home/ryan/.conda + /etc/ssh + /etc/nix/inputs + /etc/secureboot + /etc/agenix + /etc/NetworkManager/system-connections + /etc/machine-id + /nix/store + /var/log + /var/lib + /nix + /persistent + +[ryan@rakushun:~]$ df -Th +Filesystem Type Size Used Avail Use% Mounted on +devtmpfs devtmpfs 785M 0 785M 0% /dev +tmpfs tmpfs 7.7G 0 7.7G 0% /dev/shm +tmpfs tmpfs 3.9G 6.8M 3.9G 1% /run +tmpfs tmpfs 7.7G 1.9M 7.7G 1% /run/wrappers +none tmpfs 4.0G 48K 4.0G 1% / +/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /persistent +/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /nix +/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /snapshots +/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /swap +/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /tmp +/dev/nvme0n1p1 vfat 629M 96M 534M 16% /boot +tmpfs tmpfs 1.6G 4.0K 1.6G 1% /run/user/1000 +``` + +CPU info: + +```bash +[ryan@rakushun:~]$ lscpu +Architecture: aarch64 + CPU op-mode(s): 32-bit, 64-bit + Byte Order: Little Endian +CPU(s): 8 + On-line CPU(s) list: 0-7 +Vendor ID: ARM + Model name: Cortex-A55 + Model: 0 + Thread(s) per core: 1 + Core(s) per socket: 4 + Socket(s): 1 + Stepping: r2p0 + CPU(s) scaling MHz: 67% + CPU max MHz: 1800.0000 + CPU min MHz: 408.0000 + BogoMIPS: 48.00 + Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp + Model name: Cortex-A76 + Model: 0 + Thread(s) per core: 1 + Core(s) per socket: 2 + Socket(s): 2 
+ Stepping: r4p0 + CPU(s) scaling MHz: 18% + CPU max MHz: 2256.0000 + CPU min MHz: 408.0000 + BogoMIPS: 48.00 + Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp +Caches (sum of all): + L1d: 384 KiB (8 instances) + L1i: 384 KiB (8 instances) + L2: 2.5 MiB (8 instances) + L3: 3 MiB (1 instance) +``` + +## How to install NixOS on Orange Pi 5 Plus + +### 1. Prepare a USB LUKS key + +Generate LUKS keyfile to encrypt the root partition, it's used by disko. + +```bash +# partition the usb stick +DEV=/dev/sdX +parted ${DEV} -- mklabel gpt +parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB +mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1 + +# Generate a keyfile from the true random number generator +KEYFILE=./orangepi5plus-luks-keyfile +dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE + +# copy the keyfile and token to the usb stick +KEYFILE=./orangepi5plus-luks-keyfile +DEVICE=/dev/disk/by-label/OPI5P_DSC +# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header +dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE +``` + +### 2. Partition the SSD & install NixOS via disko + +First, follow +[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to +install UEFI bootloader and boot into NixOS live environment via a USB stick. + +Then, run the following commands: + +```bash +# transfer the nix-config to the target machine +rsync -avzP ~/nix-config rk@:/home/rk/ + +# login via ssh +ssh rk@ + +cd ~/nix-config/hosts/12kingdoms_rakushun +# 1. change the disk device path in ./disko-fs.nix to the disk you want to use +# 2. 
partition & format the disk via disko +sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix + + +cd ~/nix-config +# install nixos +# NOTE: the root password you set here will be discarded when reboot +sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose +``` diff --git a/hosts/12kingdoms-rakushun/README.md b/hosts/12kingdoms-rakushun/README.md index 2f51e826..861fac06 100644 --- a/hosts/12kingdoms-rakushun/README.md +++ b/hosts/12kingdoms-rakushun/README.md 
@@ -2,148 +2,33 @@ LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus. +Host running storage, operation and maintenance related services: + +1. Storage such as git server, file server/browser, torrent downloader,, etc. +1. Backup or sync my personal data to cloud or NAS. + - For safety, those data should be encrypted before sending to the cloud or my NAS. +1. Collect and monitor the metrics/logs of my homelab. + ## Showcases ![](../../_img/2024-03-07_orangepi5plus_rakushun.webp) -Disk layout: +## Features -```bash -[ryan@rakushun:~]$ lsblk -NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS -sda 8:0 1 58.6G 0 disk -└─sda1 8:1 1 487M 0 part -mtdblock0 31:0 0 16M 0 disk -zram0 254:0 0 0B 0 disk -nvme0n1 259:0 0 1.8T 0 disk -├─nvme0n1p1 259:1 0 630M 0 part /boot -└─nvme0n1p2 259:2 0 1.8T 0 part - └─encrypted 253:0 0 1.8T 0 crypt /tmp - /swap - /snapshots - /home/ryan/tmp - /home/ryan/nix-config - /home/ryan/go - /home/ryan/codes - /home/ryan/.ssh - /home/ryan/.local/state - /home/ryan/.npm - /home/ryan/.local/share - /home/ryan/.conda - /etc/ssh - /etc/nix/inputs - /etc/secureboot - /etc/agenix - /etc/NetworkManager/system-connections - /etc/machine-id - /nix/store - /var/log - /var/lib - /nix - /persistent +Services: -[ryan@rakushun:~]$ df -Th -Filesystem Type Size Used Avail Use% Mounted on -devtmpfs devtmpfs 785M 0 785M 0% /dev -tmpfs tmpfs 7.7G 0 7.7G 0% /dev/shm -tmpfs tmpfs 3.9G 6.8M 3.9G 1% /run -tmpfs tmpfs 7.7G 1.9M 7.7G 1% /run/wrappers -none tmpfs 4.0G 48K 4.0G 1% / -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /persistent -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /nix -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /snapshots -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /swap -/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /tmp -/dev/nvme0n1p1 vfat 629M 96M 534M 16% /boot -tmpfs tmpfs 1.6G 4.0K 1.6G 1% /run/user/1000 -``` +1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab. +1. restic: Backup my personal data to cloud or NAS. +1. 
synthing: Sync file between android/macbook/PC and NAS. +1. attic: Nix cache server. +1. gitea: Self-hosted git service. +1. sftpgo: SFTP server. +1. transmission & AriaNg: Torrent downloader and HTTP downloader +1. alist/filebrower: File browser for local/SMB/Cloud -CPU info: +All the services assumes a reverse proxy to be setup in the front, they are all listening on +localhost, and a caddy service is listening on the local network interface and proxy the requests to +the services. -```bash -[ryan@rakushun:~]$ lscpu -Architecture: aarch64 - CPU op-mode(s): 32-bit, 64-bit - Byte Order: Little Endian -CPU(s): 8 - On-line CPU(s) list: 0-7 -Vendor ID: ARM - Model name: Cortex-A55 - Model: 0 - Thread(s) per core: 1 - Core(s) per socket: 4 - Socket(s): 1 - Stepping: r2p0 - CPU(s) scaling MHz: 67% - CPU max MHz: 1800.0000 - CPU min MHz: 408.0000 - BogoMIPS: 48.00 - Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp - Model name: Cortex-A76 - Model: 0 - Thread(s) per core: 1 - Core(s) per socket: 2 - Socket(s): 2 - Stepping: r4p0 - CPU(s) scaling MHz: 18% - CPU max MHz: 2256.0000 - CPU min MHz: 408.0000 - BogoMIPS: 48.00 - Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp -Caches (sum of all): - L1d: 384 KiB (8 instances) - L1i: 384 KiB (8 instances) - L2: 2.5 MiB (8 instances) - L3: 3 MiB (1 instance) -``` - -## How to install NixOS on Orange Pi 5 Plus - -### 1. Prepare a USB LUKS key - -Generate LUKS keyfile to encrypt the root partition, it's used by disko. 
- -```bash -# partition the usb stick -DEV=/dev/sdX -parted ${DEV} -- mklabel gpt -parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB -mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1 - -# Generate a keyfile from the true random number generator -KEYFILE=./orangepi5plus-luks-keyfile -dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE - -# copy the keyfile and token to the usb stick -KEYFILE=./orangepi5plus-luks-keyfile -DEVICE=/dev/disk/by-label/OPI5P_DSC -# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header -dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE -``` - -### 2. Partition the SSD & install NixOS via disko - -First, follow -[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to -install UEFI bootloader and boot into NixOS live environment via a USB stick. - -Then, run the following commands: - -```bash -# transfer the nix-config to the target machine -rsync -avzP ~/nix-config rk@:/home/rk/ - -# login via ssh -ssh rk@ - -cd ~/nix-config/hosts/12kingdoms_rakushun -# 1. change the disk device path in ./disko-fs.nix to the disk you want to use -# 2. partition & format the disk via disko -sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix - - -cd ~/nix-config -# install nixos -# NOTE: the root password you set here will be discarded when reboot -sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose -``` +TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the +services. diff --git a/hosts/idols-ruby/attic.nix b/hosts/12kingdoms-rakushun/attic.nix similarity index 98% rename from hosts/idols-ruby/attic.nix rename to hosts/12kingdoms-rakushun/attic.nix index 66f2fa0e..94534dd6 100644 --- a/hosts/idols-ruby/attic.nix +++ b/hosts/12kingdoms-rakushun/attic.nix 
@@ -45,7 +45,7 @@
 credentialsFile = config.age.secrets."attic-nix-cache-server.env".path;
 settings = {
- listen = "[::]:8888";
+ listen = "127.0.0.1:3300";
 # Data chunking #
diff --git a/hosts/12kingdoms-rakushun/caddy.nix b/hosts/12kingdoms-rakushun/caddy.nix
index d89a942c..a9b4c0d1 100644
--- a/hosts/12kingdoms-rakushun/caddy.nix
+++ b/hosts/12kingdoms-rakushun/caddy.nix
@@ -19,9 +19,10 @@
 # email = myvars.useremail;
 # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
- virtualHosts."http://git.writefor.fun".extraConfig = ''
+ # Dashboard
+ virtualHosts."http://home.writefor.fun".extraConfig = ''
 encode zstd gzip
- reverse_proxy http://localhost:3000
+ reverse_proxy http://localhost:4401
 '';
 # https://caddyserver.com/docs/caddyfile/directives/file_server
@@ -33,13 +34,54 @@
 precompressed zstd br gzip
 }
 '';
+
+ # Datastore
+ virtualHosts."http://attic.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:3300
+ '';
+
+ virtualHosts."http://git.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:3301
+ '';
+ virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:3302
+ '';
+ virtualHosts."http://webdav.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:3303
+ '';
+ virtualHosts."http://transmission.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:9091
+ '';
+
+ # Monitoring
+ virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:3350
+ '';
+ virtualHosts."http://grafana.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:3351
+ '';
+ virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:9090
+ '';
+ virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:9093
+ '';
 };
 networking.firewall.allowedTCPPorts = [80 443];
 # Create Directories
 systemd.tmpfiles.rules = [
 "d /var/lib/caddy/fileserver/ 0755 caddy caddy"
- # directory for virual machine's images
+ # directory for virtual machine's images
 "d /var/lib/caddy/fileserver/vms 0755 caddy caddy"
 ];
 }
diff --git a/hosts/12kingdoms-rakushun/default.nix b/hosts/12kingdoms-rakushun/default.nix
index 0132a213..00fc3500 100644
--- a/hosts/12kingdoms-rakushun/default.nix
+++ b/hosts/12kingdoms-rakushun/default.nix
@@ -1,4 +1,5 @@
 {
+ mylib,
 disko,
 nixos-rk3588,
 myvars,
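Review bot: The new prometheus and alertmanager vhosts proxy services that ship with no authentication of their own, and every vhost in this file is declared `http://` with the ACME settings still commented out in the earlier hunk, so anyone on the network that `allowedTCPPorts = [80 443]` opens to gets unauthenticated read access to every scraped metric and can create Alertmanager silences, while the gitea/grafana/transmission logins cross the LAN in clear. At minimum put a `basic_auth { <user> <bcrypt-hash> }` line ahead of `reverse_proxy` in the prometheus and alertmanager blocks (and transmission's, unless its RPC auth/whitelist is enabled elsewhere), and consider `https://` vhosts with `tls internal` so the README's PKI TODO also covers the client-to-caddy hop. The closing `}` is in the hunk, but the `services.caddy` attribute set it closes starts outside it.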
@@ -12,17 +13,13 @@ let
 hostName = "rakushun"; # Define your hostname.
 in {
- imports = [
- # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
- nixos-rk3588.nixosModules.orangepi5plus.core
- disko.nixosModules.default
- ./hardware-configuration.nix
- ./disko-fs.nix
- ./impermanence.nix
-
- ./gitea.nix
- ./caddy.nix
- ];
+ imports =
+ (mylib.scanPaths ./.)
+ ++ [
+ # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
+ nixos-rk3588.nixosModules.orangepi5plus.core
+ disko.nixosModules.default
+ ];
 networking = {
 inherit hostName;
diff --git a/hosts/idols-ruby/exporters/default.nix b/hosts/12kingdoms-rakushun/exporters/default.nix
similarity index 100%
rename from hosts/idols-ruby/exporters/default.nix
rename to hosts/12kingdoms-rakushun/exporters/default.nix
diff --git a/hosts/12kingdoms-rakushun/gitea.nix b/hosts/12kingdoms-rakushun/gitea.nix
index 83770494..884bf918 100644
--- a/hosts/12kingdoms-rakushun/gitea.nix
+++ b/hosts/12kingdoms-rakushun/gitea.nix
@@ -21,7 +21,7 @@ in {
 server = {
 SSH_PORT = 2222;
 PROTOCOL = "http";
- HTTP_PORT = 3000;
+ HTTP_PORT = 3301;
 HTTP_ADDR = "127.0.0.1";
 DOMAIN = "git.writefor.fun";
 };
diff --git a/hosts/idols-ruby/grafana/dashboards.yml b/hosts/12kingdoms-rakushun/grafana/dashboards.yml
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards.yml
rename to hosts/12kingdoms-rakushun/grafana/dashboards.yml
diff --git a/hosts/idols-ruby/grafana/dashboards/README.md b/hosts/12kingdoms-rakushun/grafana/dashboards/README.md
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/README.md
rename to hosts/12kingdoms-rakushun/grafana/dashboards/README.md
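Review bot: `imports = (mylib.scanPaths ./.) ++ [...]` replaces an explicit, reviewable module list with whatever `mylib.scanPaths` finds in the host directory, and the helper's rules (which extensions, whether sub-directories count) are not visible in this file; if it picks up every `*.nix` here, then `disko-fs.nix`, `proxy.nix`, `transmission.nix`, `restic.nix` and any scratch file later dropped into the directory become live system configuration on the next rebuild without appearing in this file. I'd add a comment above the expression stating that contract so the next reader knows nothing in the directory is inert, e.g. `# scanPaths imports every module in this directory (presumably each sub-dir's default.nix too) — any file placed here is active config; confirm against mylib`. The attribute set opened by `in {` continues past the hunk.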
diff --git a/hosts/idols-ruby/grafana/dashboards/homelab/alertmanager-9578_rev4.json b/hosts/12kingdoms-rakushun/grafana/dashboards/homelab/alertmanager-9578_rev4.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/homelab/alertmanager-9578_rev4.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/homelab/alertmanager-9578_rev4.json
diff --git a/hosts/idols-ruby/grafana/dashboards/homelab/node-exporter-full-1860_rev33.json b/hosts/12kingdoms-rakushun/grafana/dashboards/homelab/node-exporter-full-1860_rev33.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/homelab/node-exporter-full-1860_rev33.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/homelab/node-exporter-full-1860_rev33.json
diff --git a/hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-addons-prometheus.json b/hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-addons-prometheus.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-addons-prometheus.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-addons-prometheus.json
diff --git a/hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-addons-trivy-operator.json b/hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-addons-trivy-operator.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-addons-trivy-operator.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-addons-trivy-operator.json
diff --git a/hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-system-api-server.json b/hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-system-api-server.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-system-api-server.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-system-api-server.json
diff --git a/hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-system-coredns.json b/hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-system-coredns.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-system-coredns.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-system-coredns.json
diff --git a/hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-views-global.json b/hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-global.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-views-global.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-global.json
diff --git a/hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-views-namespaces.json b/hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-namespaces.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-views-namespaces.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-namespaces.json
diff --git a/hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-views-nodes.json b/hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-nodes.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-views-nodes.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-nodes.json
diff --git a/hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-views-pods.json b/hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-pods.json
similarity index 100%
rename from hosts/idols-ruby/grafana/dashboards/kubernetes/k8s-views-pods.json
rename to hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-pods.json
diff --git a/hosts/idols-ruby/grafana/datasources.yml b/hosts/12kingdoms-rakushun/grafana/datasources.yml
similarity index 100%
rename from hosts/idols-ruby/grafana/datasources.yml
rename to hosts/12kingdoms-rakushun/grafana/datasources.yml
diff --git a/hosts/idols-ruby/grafana/default.nix b/hosts/12kingdoms-rakushun/grafana/default.nix
similarity index 98%
rename from hosts/idols-ruby/grafana/default.nix
rename to hosts/12kingdoms-rakushun/grafana/default.nix
index a26a92c6..7520bdc9 100644
--- a/hosts/idols-ruby/grafana/default.nix
+++ b/hosts/12kingdoms-rakushun/grafana/default.nix
@@ -10,7 +10,7 @@
 settings = {
 server = {
 http_addr = "127.0.0.1";
- http_port = 3000;
+ http_port = 3351;
 protocol = "http";
 domain = "grafana.writefo.fun";
 # Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks.
diff --git a/hosts/idols-kana/homepage/README.md b/hosts/12kingdoms-rakushun/homepage/README.md
similarity index 100%
rename from hosts/idols-kana/homepage/README.md
rename to hosts/12kingdoms-rakushun/homepage/README.md
diff --git a/hosts/idols-kana/homepage/config/bookmarks.yaml b/hosts/12kingdoms-rakushun/homepage/config/bookmarks.yaml
similarity index 100%
rename from hosts/idols-kana/homepage/config/bookmarks.yaml
rename to hosts/12kingdoms-rakushun/homepage/config/bookmarks.yaml
diff --git a/hosts/idols-kana/homepage/config/docker.yaml b/hosts/12kingdoms-rakushun/homepage/config/docker.yaml
similarity index 100%
rename from hosts/idols-kana/homepage/config/docker.yaml
rename to hosts/12kingdoms-rakushun/homepage/config/docker.yaml
diff --git a/hosts/idols-kana/homepage/config/images/rolling-girls.png b/hosts/12kingdoms-rakushun/homepage/config/images/rolling-girls.png
similarity index 100%
rename from hosts/idols-kana/homepage/config/images/rolling-girls.png
rename to hosts/12kingdoms-rakushun/homepage/config/images/rolling-girls.png
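Review bot: `domain = "grafana.writefo.fun"` does not match the `http://grafana.writefor.fun` vhost that caddy proxies to this port, and the comment on the next line says the Host header is enforced against it to block DNS rebinding; if `enforce_domain` is indeed set (the option itself is outside this hunk), every request arriving through caddy carries a non-matching Host header and is redirected to a name that resolves nowhere, so the protection both breaks access and is pinned to the wrong origin. Change the line to `domain = "grafana.writefor.fun";` and, since grafana sits behind a reverse proxy, check that `root_url` (not visible here) uses the same name. The typo is inherited from the idols-ruby file rather than introduced by the rename, and the `server` set continues past the hunk.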
diff --git a/hosts/idols-kana/homepage/config/kubernetes.yaml b/hosts/12kingdoms-rakushun/homepage/config/kubernetes.yaml
similarity index 100%
rename from hosts/idols-kana/homepage/config/kubernetes.yaml
rename to hosts/12kingdoms-rakushun/homepage/config/kubernetes.yaml
diff --git a/hosts/idols-kana/homepage/config/services.yaml b/hosts/12kingdoms-rakushun/homepage/config/services.yaml
similarity index 100%
rename from hosts/idols-kana/homepage/config/services.yaml
rename to hosts/12kingdoms-rakushun/homepage/config/services.yaml
diff --git a/hosts/idols-kana/homepage/config/settings.yaml b/hosts/12kingdoms-rakushun/homepage/config/settings.yaml
similarity index 100%
rename from hosts/idols-kana/homepage/config/settings.yaml
rename to hosts/12kingdoms-rakushun/homepage/config/settings.yaml
diff --git a/hosts/idols-kana/homepage/config/widgets.yaml b/hosts/12kingdoms-rakushun/homepage/config/widgets.yaml
similarity index 100%
rename from hosts/idols-kana/homepage/config/widgets.yaml
rename to hosts/12kingdoms-rakushun/homepage/config/widgets.yaml
diff --git a/hosts/idols-kana/homepage/default.nix b/hosts/12kingdoms-rakushun/homepage/default.nix
similarity index 94%
rename from hosts/idols-kana/homepage/default.nix
rename to hosts/12kingdoms-rakushun/homepage/default.nix
index 3fb308af..9147284d 100644
--- a/hosts/idols-kana/homepage/default.nix
+++ b/hosts/12kingdoms-rakushun/homepage/default.nix
@@ -4,7 +4,7 @@ in {
 # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/homepage-dashboard.nix
 services.homepage-dashboard = {
 enable = true;
- listenPort = 8082;
+ listenPort = 4401;
 openFirewall = false;
 };
 systemd.services.homepage-dashboard.environment = {
@@ -17,7 +17,7 @@ in {
 };
 # Install the homepage-dashboard configuration files
 system.activationScripts.installHomepageDashboardConfig = ''
- mkdir -p configDir
+ mkdir -p ${configDir}
 ${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F600 ${./config}/ ${configDir}/
 ${pkgs.systemdMinimal}/bin/systemctl restart homepage-dashboard
diff --git a/hosts/idols-kana/oci-containers/dashy/default.nix b/hosts/12kingdoms-rakushun/oci-containers/dashy/default.nix
similarity index 92%
rename from hosts/idols-kana/oci-containers/dashy/default.nix
rename to hosts/12kingdoms-rakushun/oci-containers/dashy/default.nix
index b43feac8..e05f9ae1 100644
--- a/hosts/idols-kana/oci-containers/dashy/default.nix
+++ b/hosts/12kingdoms-rakushun/oci-containers/dashy/default.nix
@@ -1,7 +1,7 @@
 {
 # Replace dashy with gethomepage, because dashy is too slow to start/reload.
- # # Install the dashy configuration file instaed of symlink it
+ # # Install the dashy configuration file instead of symlink it
 # system.activationScripts.installDashyConfig = ''
 # install -Dm 600 ${./dashy_conf.yml} /etc/dashy/dashy_conf.yml
 # '';
diff --git a/hosts/idols-kana/oci-containers/default.nix b/hosts/12kingdoms-rakushun/oci-containers/default.nix
similarity index 100%
rename from hosts/idols-kana/oci-containers/default.nix
rename to hosts/12kingdoms-rakushun/oci-containers/default.nix
diff --git a/hosts/idols-ruby/prometheus/README.md b/hosts/12kingdoms-rakushun/prometheus/README.md
similarity index 100%
rename from hosts/idols-ruby/prometheus/README.md
rename to hosts/12kingdoms-rakushun/prometheus/README.md
diff --git a/hosts/idols-ruby/prometheus/alert_rules/coredns_embedded-exporter.yml b/hosts/12kingdoms-rakushun/prometheus/alert_rules/coredns_embedded-exporter.yml
similarity index 100%
rename from hosts/idols-ruby/prometheus/alert_rules/coredns_embedded-exporter.yml
rename to hosts/12kingdoms-rakushun/prometheus/alert_rules/coredns_embedded-exporter.yml
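Review bot: `${./config}` copies the whole homepage config directory into the Nix store, which is world-readable, so the `--chmod=D2755,F600` applied on the rsync destination gives no confidentiality to anything in `services.yaml`/`widgets.yaml`; if any of those files carry API keys or tokens for the services the dashboard queries, every local user can read them from the store path regardless of the 0600 copy. Keep secrets out of `./config` and inject them via the `systemd.services.homepage-dashboard.environment` block the previous hunk opens, sourced from an agenix-managed environment file (homepage substitutes `HOMEPAGE_VAR_*` variables into its YAML — confirm for the deployed version). Separately, the copy runs as root from the activation script, so the F600 files are root-owned; confirm the user homepage-dashboard actually runs as can read them, or add `--chown`. The activation script continues past the hunk.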
diff --git a/hosts/idols-ruby/prometheus/alert_rules/etcd_embedded-exporter.yml b/hosts/12kingdoms-rakushun/prometheus/alert_rules/etcd_embedded-exporter.yml
similarity index 100%
rename from hosts/idols-ruby/prometheus/alert_rules/etcd_embedded-exporter.yml
rename to hosts/12kingdoms-rakushun/prometheus/alert_rules/etcd_embedded-exporter.yml
diff --git a/hosts/idols-ruby/prometheus/alert_rules/istio_embedded-exporter.yml b/hosts/12kingdoms-rakushun/prometheus/alert_rules/istio_embedded-exporter.yml
similarity index 100%
rename from hosts/idols-ruby/prometheus/alert_rules/istio_embedded-exporter.yml
rename to hosts/12kingdoms-rakushun/prometheus/alert_rules/istio_embedded-exporter.yml
diff --git a/hosts/idols-ruby/prometheus/alert_rules/kubestate-exporter.yml b/hosts/12kingdoms-rakushun/prometheus/alert_rules/kubestate-exporter.yml
similarity index 100%
rename from hosts/idols-ruby/prometheus/alert_rules/kubestate-exporter.yml
rename to hosts/12kingdoms-rakushun/prometheus/alert_rules/kubestate-exporter.yml
diff --git a/hosts/idols-ruby/prometheus/alert_rules/node-exporter.yml b/hosts/12kingdoms-rakushun/prometheus/alert_rules/node-exporter.yml
similarity index 100%
rename from hosts/idols-ruby/prometheus/alert_rules/node-exporter.yml
rename to hosts/12kingdoms-rakushun/prometheus/alert_rules/node-exporter.yml
diff --git a/hosts/idols-ruby/prometheus/default.nix b/hosts/12kingdoms-rakushun/prometheus/default.nix
similarity index 94%
rename from hosts/idols-ruby/prometheus/default.nix
rename to hosts/12kingdoms-rakushun/prometheus/default.nix
index ccc37bff..df073d47 100644
--- a/hosts/idols-ruby/prometheus/default.nix
+++ b/hosts/12kingdoms-rakushun/prometheus/default.nix
@@ -11,7 +11,7 @@
 port = 9090;
 webExternalUrl = "http://prometheus.writefor.fun";
- extraFlags = ["--storage.tsdb.retention.time=15d"];
+ extraFlags = ["--storage.tsdb.retention.time=45d"];
 # Directory below /var/lib to store Prometheus metrics data.
 stateDir = "prometheus2";
@@ -70,7 +70,7 @@
 metrics_path = "/metrics";
 static_configs = [
 {
- targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9153"];
+ targets = ["${myvars.networking.hostsAddr.suzi.ipv4}:9153"];
 labels.type = "app";
 labels.app = "dnsmasq";
 }
@@ -83,7 +83,7 @@
 metrics_path = "/metrics";
 static_configs = [
 {
- targets = ["${myvars.networking.hostsAddr.kana.ipv4}:9153"];
+ targets = ["${myvars.networking.hostsAddr.rakushun.ipv4}:9153"];
 labels.type = "app";
 labels.app = "v2ray";
 }
@@ -96,7 +96,7 @@
 metrics_path = "/metrics";
 static_configs = [
 {
- targets = ["${myvars.networking.hostsAddr.kana.ipv4}:10000"];
+ targets = ["${myvars.networking.hostsAddr.rakushun.ipv4}:10000"];
 labels.type = "app";
 labels.app = "v2ray";
 }
diff --git a/hosts/idols-kana/proxy.nix b/hosts/12kingdoms-rakushun/proxy.nix
similarity index 100%
rename from hosts/idols-kana/proxy.nix
rename to hosts/12kingdoms-rakushun/proxy.nix
diff --git a/hosts/idols-ruby/restic.nix b/hosts/12kingdoms-rakushun/restic.nix
similarity index 100%
rename from hosts/idols-ruby/restic.nix
rename to hosts/12kingdoms-rakushun/restic.nix
diff --git a/hosts/idols-kana/sftpgo.nix b/hosts/12kingdoms-rakushun/sftpgo.nix
similarity index 98%
rename from hosts/idols-kana/sftpgo.nix
rename to hosts/12kingdoms-rakushun/sftpgo.nix
index b5330529..997b4717 100644
--- a/hosts/idols-kana/sftpgo.nix
+++ b/hosts/12kingdoms-rakushun/sftpgo.nix
@@ -51,7 +51,7 @@
 webdavd.bindings = [
 {
 address = "127.0.0.1";
- port = 5005;
+ port = 3303;
 }
 ];
 # HTTP Server provides a simple web interface to manage the server.
@@ -59,7 +59,7 @@
 {
 address = "127.0.0.1";
 enable_https = false;
- port = 5010;
+ port = 3302;
 client_ip_proxy_header = "X-Forwarded-For";
 # a basic built-in web interface that allows you to manage users,
 # virtual folders, admins and connections.
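Review bot: The second prometheus hunk scrapes `rakushun:9153` with `labels.app = "v2ray"`, while the first labels `suzi:9153` as `dnsmasq` and the third labels `rakushun:10000` as `v2ray`; the same port 9153 carrying two different `app` labels suggests one of them was copy-pasted when the target moved from kana, and since the rules under `alert_rules/` are presumably keyed on `app`, a wrong label routes or suppresses alerts for the wrong service. Please confirm which exporter actually listens on rakushun:9153 and correct either the label or the port; the `job_name` that would settle it sits outside each hunk.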
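Review bot: `client_ip_proxy_header = "X-Forwarded-For"` makes sftpgo take the client address it uses for login logs, the defender and IP allow/deny lists from that header, but nothing in this binding restricts who may set it; the 127.0.0.1 bind means only caddy should reach it, yet any local process can connect to 127.0.0.1:3302 with a forged header and appear as an arbitrary source. If the deployed sftpgo supports it, add `proxy_allowed = ["127.0.0.1"];` beside the header setting so it is honoured only from the proxy. The `httpd.bindings` list this element belongs to opens outside the hunk.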
diff --git a/hosts/idols-kana/transmission.nix b/hosts/12kingdoms-rakushun/transmission.nix
similarity index 100%
rename from hosts/idols-kana/transmission.nix
rename to hosts/12kingdoms-rakushun/transmission.nix
diff --git a/hosts/idols-kana/uptime-kuma.nix b/hosts/12kingdoms-rakushun/uptime-kuma.nix
similarity index 90%
rename from hosts/idols-kana/uptime-kuma.nix
rename to hosts/12kingdoms-rakushun/uptime-kuma.nix
index b7ba46e2..bc9b7039 100644
--- a/hosts/idols-kana/uptime-kuma.nix
+++ b/hosts/12kingdoms-rakushun/uptime-kuma.nix
@@ -5,7 +5,7 @@
 # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
 settings = {
 "UPTIME_KUMA_HOST" = "127.0.0.1";
- "UPTIME_KUMA_PORT" = "3001";
+ "UPTIME_KUMA_PORT" = "3350";
 "DATA_DIR" = "/var/lib/uptime-kuma/";
 };
 };
diff --git a/hosts/12kingdoms-suzu/Disk-and-installation.md b/hosts/12kingdoms-suzu/Disk-and-installation.md
new file mode 100644
index 00000000..b934e3f0
--- /dev/null
+++ b/hosts/12kingdoms-suzu/Disk-and-installation.md
@@ -0,0 +1,142 @@ +# Suzu - Disk and Installation + +Disk layout: + +```bash +[ryan@suzu:~]$ lsblk +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS +sda 8:0 1 58.6G 0 disk +└─sda1 8:1 1 486M 0 part +mtdblock0 31:0 0 16M 0 disk +zram0 254:0 0 0B 0 disk +nvme0n1 259:0 0 238.5G 0 disk +├─nvme0n1p1 259:1 0 630M 0 part /boot +└─nvme0n1p2 259:2 0 237.9G 0 part + └─encrypted 253:0 0 237.8G 0 crypt /tmp + /snapshots + /swap + /home/ryan/tmp + /home/ryan/nix-config + /home/ryan/go + /home/ryan/.local/state + /home/ryan/codes + /home/ryan/.npm + /home/ryan/.ssh + /home/ryan/.local/share + /etc/ssh + /home/ryan/.conda + /etc/secureboot + /etc/agenix + /etc/nix/inputs + /etc/NetworkManager/system-connections + /nix/store + /var/log + /var/lib + /nix + /persistent + +[ryan@suzu:~]$ df -Th +Filesystem Type Size Used Avail Use% Mounted on +devtmpfs devtmpfs 383M 0 383M 0% /dev +tmpfs tmpfs 3.8G 0 3.8G 0% /dev/shm +tmpfs tmpfs 1.9G 6.2M 1.9G 1% /run +tmpfs tmpfs 3.8G 1.9M 3.8G 1% /run/wrappers +none tmpfs 2.0G 48K 2.0G 1% / +/dev/mapper/crypted btrfs 238G 11G 226G 5% /persistent +/dev/mapper/crypted btrfs 238G 11G 226G 5% /nix +/dev/mapper/crypted btrfs 238G 11G 226G 5% /swap +/dev/mapper/crypted btrfs 238G 11G 226G 5% /snapshots +/dev/mapper/crypted btrfs 238G 11G 226G 5% /tmp +/dev/nvme0n1p1 vfat 629M 86M 543M 14% /boot +tmpfs tmpfs 766M 4.0K 766M 1% /run/user/1000 +``` + +CPU info: + +```bash +[ryan@suzu:~]$ lscpu +Architecture: aarch64 + CPU op-mode(s): 32-bit, 64-bit + Byte Order: Little Endian +CPU(s): 8 + On-line CPU(s) list: 0-7 +Vendor ID: ARM + Model name: Cortex-A55 + Model: 0 + Thread(s) per core: 1 + Core(s) per socket: 4 + Socket(s): 1 + Stepping: r2p0 + CPU(s) scaling MHz: 56% + CPU max MHz: 1800.0000 + CPU min MHz: 408.0000 + BogoMIPS: 48.00 + Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp + Model name: Cortex-A76 + Model: 0 + Thread(s) per core: 1 + Core(s) per socket: 2 + Socket(s): 2 + Stepping: r4p0 + CPU(s) 
scaling MHz: 18% + CPU max MHz: 2256.0000 + CPU min MHz: 408.0000 + BogoMIPS: 48.00 + Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp +Caches (sum of all): + L1d: 384 KiB (8 instances) + L1i: 384 KiB (8 instances) + L2: 2.5 MiB (8 instances) + L3: 3 MiB (1 instance) +``` + +## How to install NixOS on Orange Pi 5 + +### 1. Prepare a USB LUKS key + +Generate LUKS keyfile to encrypt the root partition, it's used by disko. + +```bash +# partition the usb stick +DEV=/dev/sdX +parted ${DEV} -- mklabel gpt +parted ${DEV} -- mkpart primary 2M 512MB +mkfs.fat -F 32 -n OPI5_DSC ${DEV}1 + + +# Generate a keyfile from the true random number generator +KEYFILE=./orangepi5-luks-keyfile +dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE + +# copy the keyfile and token to the usb stick +KEYFILE=./orangepi5-luks-keyfile +DEVICE=/dev/disk/by-label/OPI5_DSC +# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header +dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE +``` + +### 2. Partition the SSD & install NixOS via disko + +First, follow +[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to +install UEFI bootloader and boot into NixOS live environment via a USB stick. + +Then, run the following commands: + +```bash +# login via ssh +ssh rk@ + +git clone https://github.com/ryan4yin/nix-config.git + +cd ~/nix-config/hosts/12kingdoms_suzu +# 1. change the disk device path in ./disko-fs.nix to the disk you want to use +# 2. partition & format the disk via disko +sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix + + +cd ~/nix-config +# install nixos +# NOTE: the root password you set here will be discarded when reboot +sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose +``` 
diff --git a/hosts/12kingdoms-suzu/README.md b/hosts/12kingdoms-suzu/README.md index 04e5e2ea..4f5222a6 100644 --- a/hosts/12kingdoms-suzu/README.md +++ b/hosts/12kingdoms-suzu/README.md 
@@ -6,143 +6,23 @@ LUKS encrypted SSD for NixOS, on Orange Pi 5. ![](../../_img/2024-03-07_orangepi5_suzu.webp) -Disk layout: +## Features -```bash -[ryan@suzu:~]$ lsblk -NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS -sda 8:0 1 58.6G 0 disk -└─sda1 8:1 1 486M 0 part -mtdblock0 31:0 0 16M 0 disk -zram0 254:0 0 0B 0 disk -nvme0n1 259:0 0 238.5G 0 disk -├─nvme0n1p1 259:1 0 630M 0 part /boot -└─nvme0n1p2 259:2 0 237.9G 0 part - └─encrypted 253:0 0 237.8G 0 crypt /tmp - /snapshots - /swap - /home/ryan/tmp - /home/ryan/nix-config - /home/ryan/go - /home/ryan/.local/state - /home/ryan/codes - /home/ryan/.npm - /home/ryan/.ssh - /home/ryan/.local/share - /etc/ssh - /home/ryan/.conda - /etc/secureboot - /etc/agenix - /etc/nix/inputs - /etc/NetworkManager/system-connections - /nix/store - /var/log - /var/lib - /nix - /persistent +Micro VMs: -[ryan@suzu:~]$ df -Th -Filesystem Type Size Used Avail Use% Mounted on -devtmpfs devtmpfs 383M 0 383M 0% /dev -tmpfs tmpfs 3.8G 0 3.8G 0% /dev/shm -tmpfs tmpfs 1.9G 6.2M 1.9G 1% /run -tmpfs tmpfs 3.8G 1.9M 3.8G 1% /run/wrappers -none tmpfs 2.0G 48K 2.0G 1% / -/dev/mapper/crypted btrfs 238G 11G 226G 5% /persistent -/dev/mapper/crypted btrfs 238G 11G 226G 5% /nix -/dev/mapper/crypted btrfs 238G 11G 226G 5% /swap -/dev/mapper/crypted btrfs 238G 11G 226G 5% /snapshots -/dev/mapper/crypted btrfs 238G 11G 226G 5% /tmp -/dev/nvme0n1p1 vfat 629M 86M 543M 14% /boot -tmpfs tmpfs 766M 4.0K 766M 1% /run/user/1000 -``` +1. suzi: dae router(transparent proxy, dhcp) +1. 
mitsuha: tailscale gateway(sub router) -CPU info: +Services: -```bash -[ryan@suzu:~]$ lscpu -Architecture: aarch64 - CPU op-mode(s): 32-bit, 64-bit - Byte Order: Little Endian -CPU(s): 8 - On-line CPU(s) list: 0-7 -Vendor ID: ARM - Model name: Cortex-A55 - Model: 0 - Thread(s) per core: 1 - Core(s) per socket: 4 - Socket(s): 1 - Stepping: r2p0 - CPU(s) scaling MHz: 56% - CPU max MHz: 1800.0000 - CPU min MHz: 408.0000 - BogoMIPS: 48.00 - Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp - Model name: Cortex-A76 - Model: 0 - Thread(s) per core: 1 - Core(s) per socket: 2 - Socket(s): 2 - Stepping: r4p0 - CPU(s) scaling MHz: 18% - CPU max MHz: 2256.0000 - CPU min MHz: 408.0000 - BogoMIPS: 48.00 - Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp -Caches (sum of all): - L1d: 384 KiB (8 instances) - L1i: 384 KiB (8 instances) - L2: 2.5 MiB (8 instances) - L3: 3 MiB (1 instance) -``` +1. OCI Containers: to run some servides that's not available in NixOS. +1. ddns +1. uptime-kuma: uptime monitoring +1. excalidraw/DDTV/owncast/jitsi-meet/... -## How to install NixOS on Orange Pi 5 +All the services assumes a reverse proxy to be setup in the front, they are all listening on +localhost, and a caddy service is listening on the local network interface and proxy the requests to +the services. -### 1. Prepare a USB LUKS key - -Generate LUKS keyfile to encrypt the root partition, it's used by disko. 
- -```bash -# partition the usb stick -DEV=/dev/sdX -parted ${DEV} -- mklabel gpt -parted ${DEV} -- mkpart primary 2M 512MB -mkfs.fat -F 32 -n OPI5_DSC ${DEV}1 - - -# Generate a keyfile from the true random number generator -KEYFILE=./orangepi5-luks-keyfile -dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE - -# copy the keyfile and token to the usb stick -KEYFILE=./orangepi5-luks-keyfile -DEVICE=/dev/disk/by-label/OPI5_DSC -# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header -dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE -``` - -### 2. Partition the SSD & install NixOS via disko - -First, follow -[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to -install UEFI bootloader and boot into NixOS live environment via a USB stick. - -Then, run the following commands: - -```bash -# login via ssh -ssh rk@ - -git clone https://github.com/ryan4yin/nix-config.git - -cd ~/nix-config/hosts/12kingdoms_suzu -# 1. change the disk device path in ./disko-fs.nix to the disk you want to use -# 2. partition & format the disk via disko -sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix - - -cd ~/nix-config -# install nixos -# NOTE: the root password you set here will be discarded when reboot -sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose -``` +TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the +services. diff --git a/hosts/12kingdoms-suzu/default.nix b/hosts/12kingdoms-suzu/default.nix index 5068e029..d165b0ca 100644 --- a/hosts/12kingdoms-suzu/default.nix +++ b/hosts/12kingdoms-suzu/default.nix @@ -1,7 +1,7 @@ { disko, nixos-rk3588, - myvars, + mylib, ... }: ############################################################# 
@@ -14,17 +14,13 @@ let hostName = "suzu"; # Define your hostname. in { - imports = [ - # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware - nixos-rk3588.nixosModules.orangepi5plus.core - disko.nixosModules.default - ./hardware-configuration.nix - ./disko-fs.nix - ./impermanence.nix - - ./networking.nix - ./microvm-host.nix - ]; + imports = + (mylib.scanPaths ./.) + ++ [ + # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware + nixos-rk3588.nixosModules.orangepi5plus.core + disko.nixosModules.default + ]; networking = {inherit hostName;}; diff --git a/hosts/12kingdoms-suzu/microvm.md b/hosts/12kingdoms-suzu/microvm/README.md similarity index 100% rename from hosts/12kingdoms-suzu/microvm.md rename to hosts/12kingdoms-suzu/microvm/README.md diff --git a/hosts/12kingdoms-suzu/microvm-host.nix b/hosts/12kingdoms-suzu/microvm/default.nix similarity index 100% rename from hosts/12kingdoms-suzu/microvm-host.nix rename to hosts/12kingdoms-suzu/microvm/default.nix diff --git a/hosts/12kingdoms-suzu/mitsuha/default.nix b/hosts/12kingdoms-suzu/microvm/mitsuha/default.nix similarity index 93% rename from hosts/12kingdoms-suzu/mitsuha/default.nix rename to hosts/12kingdoms-suzu/microvm/mitsuha/default.nix index e1ccfd4d..8e54f883 100644 --- a/hosts/12kingdoms-suzu/mitsuha/default.nix +++ b/hosts/12kingdoms-suzu/microvm/mitsuha/default.nix @@ -2,9 +2,9 @@ imports = (mylib.scanPaths ./.) ++ [ - ../../../modules/nixos/base/ssh.nix - ../../../modules/nixos/base/user-group.nix - ../../../modules/base.nix + ../../../../modules/nixos/base/ssh.nix + ../../../../modules/nixos/base/user-group.nix + ../../../../modules/base.nix ]; microvm = { diff --git a/hosts/12kingdoms-suzu/mitsuha/networking.nix b/hosts/12kingdoms-suzu/microvm/mitsuha/networking.nix similarity index 100% rename from hosts/12kingdoms-suzu/mitsuha/networking.nix rename to hosts/12kingdoms-suzu/microvm/mitsuha/networking.nix 
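Review bot: `mylib.scanPaths ./.` makes the host's module set implicit: the explicit `./hardware-configuration.nix`, `./disko-fs.nix`, `./impermanence.nix`, `./networking.nix` and `./microvm-host.nix` entries are gone, and nothing in the hunk records what the scan is expected to pick up. For a host whose config carries disk encryption, impermanence and secrets, that means any stray `.nix` file dropped in this directory silently becomes part of the system closure without appearing in any import list. The same commit renames `microvm-host.nix` to `microvm/default.nix`, so this also relies on `scanPaths` descending into (or importing) subdirectories, which is not visible here. I would pin the expectation next to the call, `# auto-imports every *.nix and subdir here (hardware, disko, impermanence, networking, microvm/) — keep unrelated files out of this directory`, and confirm against `mylib.scanPaths` that directories with a `default.nix` are included.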
diff --git a/hosts/12kingdoms-suzu/mitsuha/tailscale.nix b/hosts/12kingdoms-suzu/microvm/mitsuha/tailscale.nix similarity index 100% rename from hosts/12kingdoms-suzu/mitsuha/tailscale.nix rename to hosts/12kingdoms-suzu/microvm/mitsuha/tailscale.nix diff --git a/hosts/12kingdoms-suzu/suzi/README.md b/hosts/12kingdoms-suzu/microvm/suzi/README.md similarity index 100% rename from hosts/12kingdoms-suzu/suzi/README.md rename to hosts/12kingdoms-suzu/microvm/suzi/README.md diff --git a/hosts/12kingdoms-suzu/suzi/config.dae b/hosts/12kingdoms-suzu/microvm/suzi/config.dae similarity index 100% rename from hosts/12kingdoms-suzu/suzi/config.dae rename to hosts/12kingdoms-suzu/microvm/suzi/config.dae diff --git a/hosts/12kingdoms-suzu/suzi/dae.nix b/hosts/12kingdoms-suzu/microvm/suzi/dae.nix similarity index 100% rename from hosts/12kingdoms-suzu/suzi/dae.nix rename to hosts/12kingdoms-suzu/microvm/suzi/dae.nix diff --git a/hosts/12kingdoms-suzu/suzi/default.nix b/hosts/12kingdoms-suzu/microvm/suzi/default.nix similarity index 92% rename from hosts/12kingdoms-suzu/suzi/default.nix rename to hosts/12kingdoms-suzu/microvm/suzi/default.nix index 92bdba14..e817d330 100644 --- a/hosts/12kingdoms-suzu/suzi/default.nix +++ b/hosts/12kingdoms-suzu/microvm/suzi/default.nix @@ -2,10 +2,10 @@ imports = (mylib.scanPaths ./.) ++ [ - ../../../secrets/nixos.nix - ../../../modules/nixos/base/ssh.nix - ../../../modules/nixos/base/user-group.nix - ../../../modules/base.nix + ../../../../secrets/nixos.nix + ../../../../modules/nixos/base/ssh.nix + ../../../../modules/nixos/base/user-group.nix + ../../../../modules/base.nix ]; modules.secrets.server.network.enable = true; diff --git a/hosts/12kingdoms-suzu/suzi/networking.nix b/hosts/12kingdoms-suzu/microvm/suzi/networking.nix similarity index 100% rename from hosts/12kingdoms-suzu/suzi/networking.nix rename to hosts/12kingdoms-suzu/microvm/suzi/networking.nix 
diff --git a/hosts/idols-kana/README.md b/hosts/idols-kana/README.md index 7d382444..ab8bddbc 100644 --- a/hosts/idols-kana/README.md +++ b/hosts/idols-kana/README.md @@ -1,16 +1,3 @@ # Idols - Kana -Host running some common applications, such as hompage, file browser, torrent downloader, etc. - -All the services assumes a reverse proxy to be setup in the front, they are all listening on -localhost, and a caddy service is listening on the local network interface and proxy the requests to -the services. - -## Services - -1. dashy: Homepage -1. ddns -1. transmission & AriaNg: Torrent downloader and HTTP downloader -1. uptime-kuma: uptime monitoring -1. alist/filebrower: File browser for local/SMB/Cloud -1. excalidraw/DDTV/owncast/jitsi-meet/... +TODO diff --git a/hosts/idols-kana/caddy.nix b/hosts/idols-kana/caddy.nix deleted file mode 100644 index 36b7bc47..00000000 --- a/hosts/idols-kana/caddy.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -{myvars, ...}: { - services.caddy = { - enable = true; - # Reload Caddy instead of restarting it when configuration file changes. - enableReload = true; - user = "caddy"; # User account under which caddy runs. - dataDir = "/var/lib/caddy"; - logDir = "/var/log/caddy"; - - # Additional lines of configuration appended to the global config section of the Caddyfile. - # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values. - globalConfig = '' - http_port 80 - https_port 443 - auto_https off - ''; - - # ACME related settings. - # email = myvars.useremail; - # acmeCA = "https://acme-v02.api.letsencrypt.org/directory"; - - virtualHosts."http://dashy.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:4000 - ''; - virtualHosts."http://transmission.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:9091 - ''; - virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:3001 - ''; - virtualHosts."http://sftpgo.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:5010 - ''; - virtualHosts."http://webdav.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:5005 - ''; - virtualHosts."http://home.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:8082 - ''; - }; - networking.firewall.allowedTCPPorts = [80 443]; -} diff --git a/hosts/idols-ruby/README.md b/hosts/idols-ruby/README.md index 92c90d10..e9d52d72 100644 --- a/hosts/idols-ruby/README.md +++ b/hosts/idols-ruby/README.md 
@@ -1,13 +1,3 @@ # Idols - Ruby -Host running operation and maintenance related services: - -1. Backup or sync my personal data to cloud or NAS. - - For safety, those data should be encrypted before sending to the cloud or my NAS. -1. Collect and monitor the metrics/logs of my homelab. - -## Services - -1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab. -1. restic: Backup my personal data to cloud or NAS. -1. synthing: Sync file between android/macbook/PC and NAS. +TODO diff --git a/hosts/idols-ruby/caddy.nix b/hosts/idols-ruby/caddy.nix deleted file mode 100644 index a0e3e5ba..00000000 --- a/hosts/idols-ruby/caddy.nix +++ /dev/null @@ -1,40 +0,0 @@ -{myvars, ...}: { - services.caddy = { - enable = true; - # Reload Caddy instead of restarting it when configuration file changes. - enableReload = true; - user = "caddy"; # User account under which caddy runs. - dataDir = "/var/lib/caddy"; - logDir = "/var/log/caddy"; - - # Additional lines of configuration appended to the global config section of the Caddyfile. - # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values. - globalConfig = '' - http_port 80 - https_port 443 - auto_https off - ''; - - # ACME related settings. - # email = myvars.useremail; - # acmeCA = "https://acme-v02.api.letsencrypt.org/directory"; - - virtualHosts."http://grafana.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:3000 - ''; - virtualHosts."http://prometheus.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:9090 - ''; - virtualHosts."http://alertmanager.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:9093 - ''; - virtualHosts."http://attic.writefor.fun".extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:8888 - ''; - }; - networking.firewall.allowedTCPPorts = [80 443]; -} 
diff --git a/hosts/idols-ruby/exporters/pve.nix b/hosts/idols-ruby/exporters/pve.nix deleted file mode 100644 index 71332668..00000000 --- a/hosts/idols-ruby/exporters/pve.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ - # TODO - # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/pve.nix -} diff --git a/outputs/aarch64-linux/src/12kingdoms-rakushun.nix b/outputs/aarch64-linux/src/12kingdoms-rakushun.nix index d5ff1657..6c2b26ec 100644 --- a/outputs/aarch64-linux/src/12kingdoms-rakushun.nix +++ b/outputs/aarch64-linux/src/12kingdoms-rakushun.nix @@ -16,11 +16,17 @@ ssh-user = "root"; modules = { - nixos-modules = map mylib.relativeToRoot [ - "modules/nixos/server/server-aarch64.nix" - # host specific modules - "hosts/12kingdoms-${name}" - ]; + nixos-modules = + (map mylib.relativeToRoot [ + "secrets/nixos.nix" + "modules/nixos/server/server-aarch64.nix" + # host specific modules + "hosts/12kingdoms-${name}" + ]) + ++ [ + {modules.secrets.server.application.enable = true;} + {modules.secrets.server.operation.enable = true;} + ]; }; inherit (inputs) nixos-rk3588; diff --git a/scripts/darwin_set_proxy.py b/scripts/darwin_set_proxy.py index 17f90961..d06bc181 100644 --- a/scripts/darwin_set_proxy.py +++ b/scripts/darwin_set_proxy.py 
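Review bot: The new `"secrets/nixos.nix"` entry together with `{modules.secrets.server.application.enable = true;}` and `{modules.secrets.server.operation.enable = true;}` turns on both server secret groups for rakushun at once, with no comment on why this host needs both; the surrounding context shows `ssh-user = "root";`, so the deployment that ships them runs as root. Enabling a group presumably decrypts every secret in it onto the host, so if rakushun only runs one side of the workload it will hold secrets it never reads — worth checking against `secrets/nixos.nix` and enabling only the group whose consumers are actually configured here. If the intent is that rakushun absorbs both the former idols-kana services and the idols-ruby ops stack (their caddy configs are deleted in this same commit), say so on the lines, e.g. `# rakushun hosts both the app services (ex-kana) and the ops stack (ex-ruby), hence both secret groups`.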
@@ -21,12 +21,12 @@ pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes())
 # set http/https proxy
 # NOTE: curl only accept the lowercase of `http_proxy`!
 # NOTE: https://curl.se/libcurl/c/libcurl-env.html
-pl["EnvironmentVariables"]["http_proxy"] = HTTP_PROXY
-pl["EnvironmentVariables"]["https_proxy"] = HTTP_PROXY
+# pl["EnvironmentVariables"]["http_proxy"] = HTTP_PROXY
+# pl["EnvironmentVariables"]["https_proxy"] = HTTP_PROXY
 
 # remove http proxy
-# pl["EnvironmentVariables"].pop("http_proxy", None)
-# pl["EnvironmentVariables"].pop("https_proxy", None)
+pl["EnvironmentVariables"].pop("http_proxy", None)
+pl["EnvironmentVariables"].pop("https_proxy", None)
 
 os.chmod(NIX_DAEMON_PLIST, 0o644)
 NIX_DAEMON_PLIST.write_bytes(plistlib.dumps(pl))
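Review bot: Commented-out code is being used as the mode switch here: the `pl["EnvironmentVariables"]["http_proxy"] = HTTP_PROXY` pair becomes comments and the `.pop("http_proxy", None)` pair goes live, so `darwin_set_proxy.py` now removes the nix-daemon proxy while the surviving `# set http/https proxy` header still says it sets one, and the next toggle will be another commit editing comments. Read the mode once from a flag and keep both branches live, as sketched below (it needs `sys` in scope, which the hunk does not show). Both paths also index `pl["EnvironmentVariables"]` unguarded and will `KeyError` if the daemon plist carries no such dict — pre-existing, but a `setdefault` fixes it for free. The `os.chmod` and `write_bytes` lines stay as they are.
```python
env = pl.setdefault("EnvironmentVariables", {})
if "--unset" in sys.argv[1:]:
    # remove http proxy
    env.pop("http_proxy", None)
    env.pop("https_proxy", None)
else:
    # set http/https proxy
    # NOTE: curl only accept the lowercase of `http_proxy`!
    env["http_proxy"] = HTTP_PROXY
    env["https_proxy"] = HTTP_PROXY
# … unchanged: chmod + write_bytes of the plist …
```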