feat: migrate all nixos services from idols to 12kingdoms

flake.lock

@@ -892,10 +892,10 @@
     "mysecrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1711384638,
+        "lastModified": 1711871709,
-        "narHash": "sha256-1XyAHel88+uqA6yzT2/mwgfxYt4JfJKmnI5OI93vDYg=",
+        "narHash": "sha256-Pj667YJdXbJPhQVUutpKoqH6e66eF8my5q8RQyl0BXI=",
         "ref": "refs/heads/main",
-        "rev": "691dce5db5077c4f668468434cc422f93e7834c5",
+        "rev": "c0239ed183c43c18f6bdf2f9045602e1bb9ca310",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"

hosts/12kingdoms-rakushun/Disk-and-Installation.md

@@ -0,0 +1,143 @@
+# Rakushun - Disk and Installation
+
+Disk layout:
+
+```bash
+[ryan@rakushun:~]$ lsblk
+NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
+sda           8:0    1 58.6G  0 disk
+└─sda1        8:1    1  487M  0 part
+mtdblock0    31:0    0   16M  0 disk
+zram0       254:0    0    0B  0 disk
+nvme0n1     259:0    0  1.8T  0 disk
+├─nvme0n1p1 259:1    0  630M  0 part  /boot
+└─nvme0n1p2 259:2    0  1.8T  0 part
+  └─encrypted 253:0    0  1.8T  0 crypt /tmp
+                                      /swap
+                                      /snapshots
+                                      /home/ryan/tmp
+                                      /home/ryan/nix-config
+                                      /home/ryan/go
+                                      /home/ryan/codes
+                                      /home/ryan/.ssh
+                                      /home/ryan/.local/state
+                                      /home/ryan/.npm
+                                      /home/ryan/.local/share
+                                      /home/ryan/.conda
+                                      /etc/ssh
+                                      /etc/nix/inputs
+                                      /etc/secureboot
+                                      /etc/agenix
+                                      /etc/NetworkManager/system-connections
+                                      /etc/machine-id
+                                      /nix/store
+                                      /var/log
+                                      /var/lib
+                                      /nix
+                                      /persistent
+
+[ryan@rakushun:~]$ df -Th
+Filesystem          Type      Size  Used Avail Use% Mounted on
+devtmpfs            devtmpfs  785M     0  785M   0% /dev
+tmpfs               tmpfs     7.7G     0  7.7G   0% /dev/shm
+tmpfs               tmpfs     3.9G  6.8M  3.9G   1% /run
+tmpfs               tmpfs     7.7G  1.9M  7.7G   1% /run/wrappers
+none                tmpfs     4.0G   48K  4.0G   1% /
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /persistent
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /nix
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /snapshots
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /swap
+/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /tmp
+/dev/nvme0n1p1      vfat      629M   96M  534M  16% /boot
+tmpfs               tmpfs     1.6G  4.0K  1.6G   1% /run/user/1000
+```
+
+CPU info:
+
+```bash
+[ryan@rakushun:~]$ lscpu
+Architecture:           aarch64
+  CPU op-mode(s):       32-bit, 64-bit
+  Byte Order:           Little Endian
+CPU(s):                 8
+  On-line CPU(s) list:  0-7
+Vendor ID:              ARM
+  Model name:           Cortex-A55
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 4
+    Socket(s):          1
+    Stepping:           r2p0
+    CPU(s) scaling MHz: 67%
+    CPU max MHz:        1800.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+  Model name:           Cortex-A76
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 2
+    Socket(s):          2
+    Stepping:           r4p0
+    CPU(s) scaling MHz: 18%
+    CPU max MHz:        2256.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+Caches (sum of all):
+  L1d:                  384 KiB (8 instances)
+  L1i:                  384 KiB (8 instances)
+  L2:                   2.5 MiB (8 instances)
+  L3:                   3 MiB (1 instance)
+```
+
+## How to install NixOS on Orange Pi 5 Plus
+
+### 1. Prepare a USB LUKS key
+
+Generate LUKS keyfile to encrypt the root partition, it's used by disko.
+
+```bash
+# partition the usb stick
+DEV=/dev/sdX
+parted ${DEV} -- mklabel gpt
+parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
+mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
+
+# Generate a keyfile from the true random number generator
+KEYFILE=./orangepi5plus-luks-keyfile
+dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
+
+# copy the keyfile and token to the usb stick
+KEYFILE=./orangepi5plus-luks-keyfile
+DEVICE=/dev/disk/by-label/OPI5P_DSC
+# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
+dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
+```
+
+### 2. Partition the SSD & install NixOS via disko
+
+First, follow
+[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
+install UEFI bootloader and boot into NixOS live environment via a USB stick.
+
+Then, run the following commands:
+
+```bash
+# transfer the nix-config to the target machine
+rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
+
+# login via ssh
+ssh rk@<ip-addr>
+
+cd ~/nix-config/hosts/12kingdoms_rakushun
+# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
+# 2. partition & format the disk via disko
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
+
+
+cd ~/nix-config
+# install nixos
+# NOTE: the root password you set here will be discarded when reboot
+sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
+```

hosts/12kingdoms-rakushun/README.md

@@ -2,148 +2,33 @@
 
 LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus.
 
+Host running storage, operation and maintenance related services:
+
+1. Storage such as git server, file server/browser, torrent downloader,, etc.
+1. Backup or sync my personal data to cloud or NAS.
+   - For safety, those data should be encrypted before sending to the cloud or my NAS.
+1. Collect and monitor the metrics/logs of my homelab.
+
 ## Showcases
 
 ![](../../_img/2024-03-07_orangepi5plus_rakushun.webp)
 
-Disk layout:
+## Features
 
-```bash
+Services:
-[ryan@rakushun:~]$ lsblk
-NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
-sda           8:0    1 58.6G  0 disk
-└─sda1        8:1    1  487M  0 part
-mtdblock0    31:0    0   16M  0 disk
-zram0       254:0    0    0B  0 disk
-nvme0n1     259:0    0  1.8T  0 disk
-├─nvme0n1p1 259:1    0  630M  0 part  /boot
-└─nvme0n1p2 259:2    0  1.8T  0 part
-  └─encrypted 253:0    0  1.8T  0 crypt /tmp
-                                      /swap
-                                      /snapshots
-                                      /home/ryan/tmp
-                                      /home/ryan/nix-config
-                                      /home/ryan/go
-                                      /home/ryan/codes
-                                      /home/ryan/.ssh
-                                      /home/ryan/.local/state
-                                      /home/ryan/.npm
-                                      /home/ryan/.local/share
-                                      /home/ryan/.conda
-                                      /etc/ssh
-                                      /etc/nix/inputs
-                                      /etc/secureboot
-                                      /etc/agenix
-                                      /etc/NetworkManager/system-connections
-                                      /etc/machine-id
-                                      /nix/store
-                                      /var/log
-                                      /var/lib
-                                      /nix
-                                      /persistent
 
-[ryan@rakushun:~]$ df -Th
+1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
-Filesystem          Type      Size  Used Avail Use% Mounted on
+1. restic: Backup my personal data to cloud or NAS.
-devtmpfs            devtmpfs  785M     0  785M   0% /dev
+1. synthing: Sync file between android/macbook/PC and NAS.
-tmpfs               tmpfs     7.7G     0  7.7G   0% /dev/shm
+1. attic: Nix cache server.
-tmpfs               tmpfs     3.9G  6.8M  3.9G   1% /run
+1. gitea: Self-hosted git service.
-tmpfs               tmpfs     7.7G  1.9M  7.7G   1% /run/wrappers
+1. sftpgo: SFTP server.
-none                tmpfs     4.0G   48K  4.0G   1% /
+1. transmission & AriaNg: Torrent downloader and HTTP downloader
-/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /persistent
+1. alist/filebrower: File browser for local/SMB/Cloud
-/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /nix
-/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /snapshots
-/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /swap
-/dev/mapper/crypted btrfs     1.9T   19G  1.8T   2% /tmp
-/dev/nvme0n1p1      vfat      629M   96M  534M  16% /boot
-tmpfs               tmpfs     1.6G  4.0K  1.6G   1% /run/user/1000
-```
 
-CPU info:
+All the services assumes a reverse proxy to be setup in the front, they are all listening on
+localhost, and a caddy service is listening on the local network interface and proxy the requests to
+the services.
 
-```bash
+TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the
-[ryan@rakushun:~]$ lscpu
+services.
-Architecture:           aarch64
-  CPU op-mode(s):       32-bit, 64-bit
-  Byte Order:           Little Endian
-CPU(s):                 8
-  On-line CPU(s) list:  0-7
-Vendor ID:              ARM
-  Model name:           Cortex-A55
-    Model:              0
-    Thread(s) per core: 1
-    Core(s) per socket: 4
-    Socket(s):          1
-    Stepping:           r2p0
-    CPU(s) scaling MHz: 67%
-    CPU max MHz:        1800.0000
-    CPU min MHz:        408.0000
-    BogoMIPS:           48.00
-    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
-  Model name:           Cortex-A76
-    Model:              0
-    Thread(s) per core: 1
-    Core(s) per socket: 2
-    Socket(s):          2
-    Stepping:           r4p0
-    CPU(s) scaling MHz: 18%
-    CPU max MHz:        2256.0000
-    CPU min MHz:        408.0000
-    BogoMIPS:           48.00
-    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
-Caches (sum of all):
-  L1d:                  384 KiB (8 instances)
-  L1i:                  384 KiB (8 instances)
-  L2:                   2.5 MiB (8 instances)
-  L3:                   3 MiB (1 instance)
-```
-
-## How to install NixOS on Orange Pi 5 Plus
-
-### 1. Prepare a USB LUKS key
-
-Generate LUKS keyfile to encrypt the root partition, it's used by disko.
-
-```bash
-# partition the usb stick
-DEV=/dev/sdX
-parted ${DEV} -- mklabel gpt
-parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
-mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
-
-# Generate a keyfile from the true random number generator
-KEYFILE=./orangepi5plus-luks-keyfile
-dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
-
-# copy the keyfile and token to the usb stick
-KEYFILE=./orangepi5plus-luks-keyfile
-DEVICE=/dev/disk/by-label/OPI5P_DSC
-# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
-dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
-```
-
-### 2. Partition the SSD & install NixOS via disko
-
-First, follow
-[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
-install UEFI bootloader and boot into NixOS live environment via a USB stick.
-
-Then, run the following commands:
-
-```bash
-# transfer the nix-config to the target machine
-rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
-
-# login via ssh
-ssh rk@<ip-addr>
-
-cd ~/nix-config/hosts/12kingdoms_rakushun
-# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
-# 2. partition & format the disk via disko
-sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
-
-
-cd ~/nix-config
-# install nixos
-# NOTE: the root password you set here will be discarded when reboot
-sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
-```

hosts/12kingdoms-rakushun/attic.nix

@@ -45,7 +45,7 @@
     credentialsFile = config.age.secrets."attic-nix-cache-server.env".path;
 
     settings = {
-      listen = "[::]:8888";
+      listen = "127.0.0.1:3300";
 
       # Data chunking
       #

hosts/12kingdoms-rakushun/caddy.nix

@@ -19,9 +19,10 @@
     # email = myvars.useremail;
     # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
 
-    virtualHosts."http://git.writefor.fun".extraConfig = ''
+    # Dashboard
+    virtualHosts."http://home.writefor.fun".extraConfig = ''
       encode zstd gzip
-      reverse_proxy http://localhost:3000
+      reverse_proxy http://localhost:4401
     '';
 
     # https://caddyserver.com/docs/caddyfile/directives/file_server
@@ -33,13 +34,54 @@
         precompressed zstd br gzip
       }
     '';
+
+    # Datastore
+    virtualHosts."http://attic.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3300
+    '';
+
+    virtualHosts."http://git.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3301
+    '';
+    virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3302
+    '';
+    virtualHosts."http://webdav.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3303
+    '';
+    virtualHosts."http://transmission.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9091
+    '';
+
+    # Monitoring
+    virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3350
+    '';
+    virtualHosts."http://grafana.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:3351
+    '';
+    virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9090
+    '';
+    virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:9093
+    '';
   };
   networking.firewall.allowedTCPPorts = [80 443];
 
   # Create Directories
   systemd.tmpfiles.rules = [
     "d /var/lib/caddy/fileserver/ 0755 caddy caddy"
-    # directory for virual machine's images
+    # directory for virtual machine's images
     "d /var/lib/caddy/fileserver/vms 0755 caddy caddy"
   ];
 }

hosts/12kingdoms-rakushun/default.nix

@@ -1,4 +1,5 @@
 {
+  mylib,
   disko,
   nixos-rk3588,
   myvars,
@@ -12,17 +13,13 @@
 let
   hostName = "rakushun"; # Define your hostname.
 in {
-  imports = [
+  imports =
-    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
+    (mylib.scanPaths ./.)
-    nixos-rk3588.nixosModules.orangepi5plus.core
+    ++ [
-    disko.nixosModules.default
+      # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
-    ./hardware-configuration.nix
+      nixos-rk3588.nixosModules.orangepi5plus.core
-    ./disko-fs.nix
+      disko.nixosModules.default
-    ./impermanence.nix
+    ];
-
-    ./gitea.nix
-    ./caddy.nix
-  ];
 
   networking = {
     inherit hostName;

hosts/12kingdoms-rakushun/gitea.nix

@@ -21,7 +21,7 @@ in {
       server = {
         SSH_PORT = 2222;
         PROTOCOL = "http";
-        HTTP_PORT = 3000;
+        HTTP_PORT = 3301;
         HTTP_ADDR = "127.0.0.1";
         DOMAIN = "git.writefor.fun";
       };

hosts/12kingdoms-rakushun/grafana/default.nix

@@ -10,7 +10,7 @@
     settings = {
       server = {
         http_addr = "127.0.0.1";
-        http_port = 3000;
+        http_port = 3351;
         protocol = "http";
         domain = "grafana.writefo.fun";
         # Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks.

hosts/12kingdoms-rakushun/homepage/default.nix

@@ -4,7 +4,7 @@ in {
   # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/homepage-dashboard.nix
   services.homepage-dashboard = {
     enable = true;
-    listenPort = 8082;
+    listenPort = 4401;
     openFirewall = false;
   };
   systemd.services.homepage-dashboard.environment = {
@@ -17,7 +17,7 @@ in {
   };
   # Install the homepage-dashboard configuration files
   system.activationScripts.installHomepageDashboardConfig = ''
-    mkdir -p configDir
+    mkdir -p ${configDir}
     ${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F600 ${./config}/ ${configDir}/
 
     ${pkgs.systemdMinimal}/bin/systemctl restart homepage-dashboard

hosts/12kingdoms-rakushun/oci-containers/dashy/default.nix

@@ -1,7 +1,7 @@
 {
   # Replace dashy with gethomepage, because dashy is too slow to start/reload.
 
-  # # Install the dashy configuration file instaed of symlink it
+  # # Install the dashy configuration file instead of symlink it
   # system.activationScripts.installDashyConfig = ''
   #   install -Dm 600 ${./dashy_conf.yml} /etc/dashy/dashy_conf.yml
   # '';

hosts/12kingdoms-rakushun/prometheus/default.nix

@@ -11,7 +11,7 @@
     port = 9090;
     webExternalUrl = "http://prometheus.writefor.fun";
 
-    extraFlags = ["--storage.tsdb.retention.time=15d"];
+    extraFlags = ["--storage.tsdb.retention.time=45d"];
     # Directory below /var/lib to store Prometheus metrics data.
     stateDir = "prometheus2";
 
@@ -70,7 +70,7 @@
         metrics_path = "/metrics";
         static_configs = [
           {
-            targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9153"];
+            targets = ["${myvars.networking.hostsAddr.suzi.ipv4}:9153"];
             labels.type = "app";
             labels.app = "dnsmasq";
           }
@@ -83,7 +83,7 @@
         metrics_path = "/metrics";
         static_configs = [
           {
-            targets = ["${myvars.networking.hostsAddr.kana.ipv4}:9153"];
+            targets = ["${myvars.networking.hostsAddr.rakushun.ipv4}:9153"];
             labels.type = "app";
             labels.app = "v2ray";
           }
@@ -96,7 +96,7 @@
         metrics_path = "/metrics";
         static_configs = [
           {
-            targets = ["${myvars.networking.hostsAddr.kana.ipv4}:10000"];
+            targets = ["${myvars.networking.hostsAddr.rakushun.ipv4}:10000"];
             labels.type = "app";
             labels.app = "v2ray";
           }

hosts/12kingdoms-rakushun/sftpgo.nix

@@ -51,7 +51,7 @@
       webdavd.bindings = [
         {
           address = "127.0.0.1";
-          port = 5005;
+          port = 3303;
         }
       ];
       # HTTP Server provides a simple web interface to manage the server.
@@ -59,7 +59,7 @@
         {
           address = "127.0.0.1";
           enable_https = false;
-          port = 5010;
+          port = 3302;
           client_ip_proxy_header = "X-Forwarded-For";
           # a basic built-in web interface that allows you to manage users,
           # virtual folders, admins and connections.

hosts/12kingdoms-rakushun/uptime-kuma.nix

@@ -5,7 +5,7 @@
     # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
     settings = {
       "UPTIME_KUMA_HOST" = "127.0.0.1";
-      "UPTIME_KUMA_PORT" = "3001";
+      "UPTIME_KUMA_PORT" = "3350";
       "DATA_DIR" = "/var/lib/uptime-kuma/";
     };
   };

hosts/12kingdoms-suzu/Disk-and-installation.md

@@ -0,0 +1,142 @@
+# Suzu - Disk and Installation
+
+Disk layout:
+
+```bash
+[ryan@suzu:~]$ lsblk
+NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
+sda           8:0    1  58.6G  0 disk
+└─sda1        8:1    1   486M  0 part
+mtdblock0    31:0    0    16M  0 disk
+zram0       254:0    0     0B  0 disk
+nvme0n1     259:0    0 238.5G  0 disk
+├─nvme0n1p1 259:1    0   630M  0 part  /boot
+└─nvme0n1p2 259:2    0 237.9G  0 part
+  └─encrypted 253:0    0 237.8G  0 crypt /tmp
+                                       /snapshots
+                                       /swap
+                                       /home/ryan/tmp
+                                       /home/ryan/nix-config
+                                       /home/ryan/go
+                                       /home/ryan/.local/state
+                                       /home/ryan/codes
+                                       /home/ryan/.npm
+                                       /home/ryan/.ssh
+                                       /home/ryan/.local/share
+                                       /etc/ssh
+                                       /home/ryan/.conda
+                                       /etc/secureboot
+                                       /etc/agenix
+                                       /etc/nix/inputs
+                                       /etc/NetworkManager/system-connections
+                                       /nix/store
+                                       /var/log
+                                       /var/lib
+                                       /nix
+                                       /persistent
+
+[ryan@suzu:~]$ df -Th
+Filesystem          Type      Size  Used Avail Use% Mounted on
+devtmpfs            devtmpfs  383M     0  383M   0% /dev
+tmpfs               tmpfs     3.8G     0  3.8G   0% /dev/shm
+tmpfs               tmpfs     1.9G  6.2M  1.9G   1% /run
+tmpfs               tmpfs     3.8G  1.9M  3.8G   1% /run/wrappers
+none                tmpfs     2.0G   48K  2.0G   1% /
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /persistent
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /nix
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /swap
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /snapshots
+/dev/mapper/crypted btrfs     238G   11G  226G   5% /tmp
+/dev/nvme0n1p1      vfat      629M   86M  543M  14% /boot
+tmpfs               tmpfs     766M  4.0K  766M   1% /run/user/1000
+```
+
+CPU info:
+
+```bash
+[ryan@suzu:~]$ lscpu
+Architecture:           aarch64
+  CPU op-mode(s):       32-bit, 64-bit
+  Byte Order:           Little Endian
+CPU(s):                 8
+  On-line CPU(s) list:  0-7
+Vendor ID:              ARM
+  Model name:           Cortex-A55
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 4
+    Socket(s):          1
+    Stepping:           r2p0
+    CPU(s) scaling MHz: 56%
+    CPU max MHz:        1800.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+  Model name:           Cortex-A76
+    Model:              0
+    Thread(s) per core: 1
+    Core(s) per socket: 2
+    Socket(s):          2
+    Stepping:           r4p0
+    CPU(s) scaling MHz: 18%
+    CPU max MHz:        2256.0000
+    CPU min MHz:        408.0000
+    BogoMIPS:           48.00
+    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
+Caches (sum of all):
+  L1d:                  384 KiB (8 instances)
+  L1i:                  384 KiB (8 instances)
+  L2:                   2.5 MiB (8 instances)
+  L3:                   3 MiB (1 instance)
+```
+
+## How to install NixOS on Orange Pi 5
+
+### 1. Prepare a USB LUKS key
+
+Generate LUKS keyfile to encrypt the root partition, it's used by disko.
+
+```bash
+# partition the usb stick
+DEV=/dev/sdX
+parted ${DEV} -- mklabel gpt
+parted ${DEV} -- mkpart primary 2M 512MB
+mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
+
+
+# Generate a keyfile from the true random number generator
+KEYFILE=./orangepi5-luks-keyfile
+dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
+
+# copy the keyfile and token to the usb stick
+KEYFILE=./orangepi5-luks-keyfile
+DEVICE=/dev/disk/by-label/OPI5_DSC
+# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
+dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
+```
+
+### 2. Partition the SSD & install NixOS via disko
+
+First, follow
+[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
+install UEFI bootloader and boot into NixOS live environment via a USB stick.
+
+Then, run the following commands:
+
+```bash
+# login via ssh
+ssh rk@<ip-addr>
+
+git clone https://github.com/ryan4yin/nix-config.git
+
+cd ~/nix-config/hosts/12kingdoms_suzu
+# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
+# 2. partition & format the disk via disko
+sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
+
+
+cd ~/nix-config
+# install nixos
+# NOTE: the root password you set here will be discarded when reboot
+sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
+```

hosts/12kingdoms-suzu/README.md

@@ -6,143 +6,23 @@ LUKS encrypted SSD for NixOS, on Orange Pi 5.
 
 ![](../../_img/2024-03-07_orangepi5_suzu.webp)
 
-Disk layout:
+## Features
 
-```bash
+Micro VMs:
-[ryan@suzu:~]$ lsblk
-NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
-sda           8:0    1  58.6G  0 disk
-└─sda1        8:1    1   486M  0 part
-mtdblock0    31:0    0    16M  0 disk
-zram0       254:0    0     0B  0 disk
-nvme0n1     259:0    0 238.5G  0 disk
-├─nvme0n1p1 259:1    0   630M  0 part  /boot
-└─nvme0n1p2 259:2    0 237.9G  0 part
-  └─encrypted 253:0    0 237.8G  0 crypt /tmp
-                                       /snapshots
-                                       /swap
-                                       /home/ryan/tmp
-                                       /home/ryan/nix-config
-                                       /home/ryan/go
-                                       /home/ryan/.local/state
-                                       /home/ryan/codes
-                                       /home/ryan/.npm
-                                       /home/ryan/.ssh
-                                       /home/ryan/.local/share
-                                       /etc/ssh
-                                       /home/ryan/.conda
-                                       /etc/secureboot
-                                       /etc/agenix
-                                       /etc/nix/inputs
-                                       /etc/NetworkManager/system-connections
-                                       /nix/store
-                                       /var/log
-                                       /var/lib
-                                       /nix
-                                       /persistent
 
-[ryan@suzu:~]$ df -Th
+1. suzi: dae router(transparent proxy, dhcp)
-Filesystem          Type      Size  Used Avail Use% Mounted on
+1. mitsuha: tailscale gateway(sub router)
-devtmpfs            devtmpfs  383M     0  383M   0% /dev
-tmpfs               tmpfs     3.8G     0  3.8G   0% /dev/shm
-tmpfs               tmpfs     1.9G  6.2M  1.9G   1% /run
-tmpfs               tmpfs     3.8G  1.9M  3.8G   1% /run/wrappers
-none                tmpfs     2.0G   48K  2.0G   1% /
-/dev/mapper/crypted btrfs     238G   11G  226G   5% /persistent
-/dev/mapper/crypted btrfs     238G   11G  226G   5% /nix
-/dev/mapper/crypted btrfs     238G   11G  226G   5% /swap
-/dev/mapper/crypted btrfs     238G   11G  226G   5% /snapshots
-/dev/mapper/crypted btrfs     238G   11G  226G   5% /tmp
-/dev/nvme0n1p1      vfat      629M   86M  543M  14% /boot
-tmpfs               tmpfs     766M  4.0K  766M   1% /run/user/1000
-```
 
-CPU info:
+Services:
 
-```bash
+1. OCI Containers: to run some servides that's not available in NixOS.
-[ryan@suzu:~]$ lscpu
+1. ddns
-Architecture:           aarch64
+1. uptime-kuma: uptime monitoring
-  CPU op-mode(s):       32-bit, 64-bit
+1. excalidraw/DDTV/owncast/jitsi-meet/...
-  Byte Order:           Little Endian
-CPU(s):                 8
-  On-line CPU(s) list:  0-7
-Vendor ID:              ARM
-  Model name:           Cortex-A55
-    Model:              0
-    Thread(s) per core: 1
-    Core(s) per socket: 4
-    Socket(s):          1
-    Stepping:           r2p0
-    CPU(s) scaling MHz: 56%
-    CPU max MHz:        1800.0000
-    CPU min MHz:        408.0000
-    BogoMIPS:           48.00
-    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
-  Model name:           Cortex-A76
-    Model:              0
-    Thread(s) per core: 1
-    Core(s) per socket: 2
-    Socket(s):          2
-    Stepping:           r4p0
-    CPU(s) scaling MHz: 18%
-    CPU max MHz:        2256.0000
-    CPU min MHz:        408.0000
-    BogoMIPS:           48.00
-    Flags:              fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
-Caches (sum of all):
-  L1d:                  384 KiB (8 instances)
-  L1i:                  384 KiB (8 instances)
-  L2:                   2.5 MiB (8 instances)
-  L3:                   3 MiB (1 instance)
-```
 
-## How to install NixOS on Orange Pi 5
+All the services assumes a reverse proxy to be setup in the front, they are all listening on
+localhost, and a caddy service is listening on the local network interface and proxy the requests to
+the services.
 
-### 1. Prepare a USB LUKS key
+TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the
-
+services.
-Generate LUKS keyfile to encrypt the root partition, it's used by disko.
-
-```bash
-# partition the usb stick
-DEV=/dev/sdX
-parted ${DEV} -- mklabel gpt
-parted ${DEV} -- mkpart primary 2M 512MB
-mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
-
-
-# Generate a keyfile from the true random number generator
-KEYFILE=./orangepi5-luks-keyfile
-dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
-
-# copy the keyfile and token to the usb stick
-KEYFILE=./orangepi5-luks-keyfile
-DEVICE=/dev/disk/by-label/OPI5_DSC
-# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
-dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
-```
-
-### 2. Partition the SSD & install NixOS via disko
-
-First, follow
-[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
-install UEFI bootloader and boot into NixOS live environment via a USB stick.
-
-Then, run the following commands:
-
-```bash
-# login via ssh
-ssh rk@<ip-addr>
-
-git clone https://github.com/ryan4yin/nix-config.git
-
-cd ~/nix-config/hosts/12kingdoms_suzu
-# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
-# 2. partition & format the disk via disko
-sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
-
-
-cd ~/nix-config
-# install nixos
-# NOTE: the root password you set here will be discarded when reboot
-sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
-```

hosts/12kingdoms-suzu/default.nix

@@ -1,7 +1,7 @@
 {
   disko,
   nixos-rk3588,
-  myvars,
+  mylib,
   ...
 }:
 #############################################################
@@ -14,17 +14,13 @@
 let
   hostName = "suzu"; # Define your hostname.
 in {
-  imports = [
+  imports =
-    # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
+    (mylib.scanPaths ./.)
-    nixos-rk3588.nixosModules.orangepi5plus.core
+    ++ [
-    disko.nixosModules.default
+      # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
-    ./hardware-configuration.nix
+      nixos-rk3588.nixosModules.orangepi5plus.core
-    ./disko-fs.nix
+      disko.nixosModules.default
-    ./impermanence.nix
+    ];
-
-    ./networking.nix
-    ./microvm-host.nix
-  ];
 
   networking = {inherit hostName;};
 

hosts/12kingdoms-suzu/microvm/mitsuha/default.nix

@@ -2,9 +2,9 @@
   imports =
     (mylib.scanPaths ./.)
     ++ [
-      ../../../modules/nixos/base/ssh.nix
+      ../../../../modules/nixos/base/ssh.nix
-      ../../../modules/nixos/base/user-group.nix
+      ../../../../modules/nixos/base/user-group.nix
-      ../../../modules/base.nix
+      ../../../../modules/base.nix
     ];
 
   microvm = {

hosts/12kingdoms-suzu/microvm/suzi/default.nix

@@ -2,10 +2,10 @@
   imports =
     (mylib.scanPaths ./.)
     ++ [
-      ../../../secrets/nixos.nix
+      ../../../../secrets/nixos.nix
-      ../../../modules/nixos/base/ssh.nix
+      ../../../../modules/nixos/base/ssh.nix
-      ../../../modules/nixos/base/user-group.nix
+      ../../../../modules/nixos/base/user-group.nix
-      ../../../modules/base.nix
+      ../../../../modules/base.nix
     ];
 
   modules.secrets.server.network.enable = true;

hosts/idols-kana/README.md

@@ -1,16 +1,3 @@
 # Idols - Kana
 
-Host running some common applications, such as hompage, file browser, torrent downloader, etc.
+TODO
-
-All the services assumes a reverse proxy to be setup in the front, they are all listening on
-localhost, and a caddy service is listening on the local network interface and proxy the requests to
-the services.
-
-## Services
-
-1. dashy: Homepage
-1. ddns
-1. transmission & AriaNg: Torrent downloader and HTTP downloader
-1. uptime-kuma: uptime monitoring
-1. alist/filebrower: File browser for local/SMB/Cloud
-1. excalidraw/DDTV/owncast/jitsi-meet/...

hosts/idols-kana/caddy.nix

@@ -1,48 +0,0 @@
-{myvars, ...}: {
-  services.caddy = {
-    enable = true;
-    # Reload Caddy instead of restarting it when configuration file changes.
-    enableReload = true;
-    user = "caddy"; # User account under which caddy runs.
-    dataDir = "/var/lib/caddy";
-    logDir = "/var/log/caddy";
-
-    # Additional lines of configuration appended to the global config section of the Caddyfile.
-    # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
-    globalConfig = ''
-      http_port    80
-      https_port   443
-      auto_https   off
-    '';
-
-    # ACME related settings.
-    # email = myvars.useremail;
-    # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
-
-    virtualHosts."http://dashy.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:4000
-    '';
-    virtualHosts."http://transmission.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:9091
-    '';
-    virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:3001
-    '';
-    virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:5010
-    '';
-    virtualHosts."http://webdav.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:5005
-    '';
-    virtualHosts."http://home.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:8082
-    '';
-  };
-  networking.firewall.allowedTCPPorts = [80 443];
-}

hosts/idols-ruby/README.md

@@ -1,13 +1,3 @@
 # Idols - Ruby
 
-Host running operation and maintenance related services:
+TODO
-
-1. Backup or sync my personal data to cloud or NAS.
-   - For safety, those data should be encrypted before sending to the cloud or my NAS.
-1. Collect and monitor the metrics/logs of my homelab.
-
-## Services
-
-1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
-1. restic: Backup my personal data to cloud or NAS.
-1. synthing: Sync file between android/macbook/PC and NAS.

hosts/idols-ruby/caddy.nix

@@ -1,40 +0,0 @@
-{myvars, ...}: {
-  services.caddy = {
-    enable = true;
-    # Reload Caddy instead of restarting it when configuration file changes.
-    enableReload = true;
-    user = "caddy"; # User account under which caddy runs.
-    dataDir = "/var/lib/caddy";
-    logDir = "/var/log/caddy";
-
-    # Additional lines of configuration appended to the global config section of the Caddyfile.
-    # Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
-    globalConfig = ''
-      http_port    80
-      https_port   443
-      auto_https   off
-    '';
-
-    # ACME related settings.
-    # email = myvars.useremail;
-    # acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
-
-    virtualHosts."http://grafana.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:3000
-    '';
-    virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:9090
-    '';
-    virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:9093
-    '';
-    virtualHosts."http://attic.writefor.fun".extraConfig = ''
-      encode zstd gzip
-      reverse_proxy http://localhost:8888
-    '';
-  };
-  networking.firewall.allowedTCPPorts = [80 443];
-}

hosts/idols-ruby/exporters/pve.nix

@@ -1,4 +0,0 @@
-{
-  # TODO
-  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/pve.nix
-}

outputs/aarch64-linux/src/12kingdoms-rakushun.nix

@@ -16,11 +16,17 @@
   ssh-user = "root";
 
   modules = {
-    nixos-modules = map mylib.relativeToRoot [
+    nixos-modules =
-      "modules/nixos/server/server-aarch64.nix"
+      (map mylib.relativeToRoot [
-      # host specific modules
+        "secrets/nixos.nix"
-      "hosts/12kingdoms-${name}"
+        "modules/nixos/server/server-aarch64.nix"
-    ];
+        # host specific modules
+        "hosts/12kingdoms-${name}"
+      ])
+      ++ [
+        {modules.secrets.server.application.enable = true;}
+        {modules.secrets.server.operation.enable = true;}
+      ];
   };
 
   inherit (inputs) nixos-rk3588;

scripts/darwin_set_proxy.py

@@ -21,12 +21,12 @@ pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes())
 # set http/https proxy
 # NOTE: curl only accept the lowercase of `http_proxy`!
 # NOTE: https://curl.se/libcurl/c/libcurl-env.html
-pl["EnvironmentVariables"]["http_proxy"] = HTTP_PROXY
+# pl["EnvironmentVariables"]["http_proxy"] = HTTP_PROXY
-pl["EnvironmentVariables"]["https_proxy"] = HTTP_PROXY
+# pl["EnvironmentVariables"]["https_proxy"] = HTTP_PROXY
                                                                                                                                                                                                                                                                                           
 # remove http proxy
-# pl["EnvironmentVariables"].pop("http_proxy", None)
+pl["EnvironmentVariables"].pop("http_proxy", None)
-# pl["EnvironmentVariables"].pop("https_proxy", None)
+pl["EnvironmentVariables"].pop("https_proxy", None)
                                                                                                                                                                                                                                                                                           
 os.chmod(NIX_DAEMON_PLIST, 0o644)
 NIX_DAEMON_PLIST.write_bytes(plistlib.dumps(pl))