starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-05-28 18:39:31 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity

Compare commits

base: starred/nix-config:v0.4.2
Branches Tags
starred/nix-config:main starred/nix-config:dma-shell starred/nix-config:i3-kickstarter
starred/nix-config:v0.15.0 starred/nix-config:v0.14.0 starred/nix-config:v0.13.0 starred/nix-config:v0.12.0 starred/nix-config:v0.11.0 starred/nix-config:v0.10.0 starred/nix-config:v0.9.0 starred/nix-config:v0.8.0 starred/nix-config:v0.7.0 starred/nix-config:v0.6.0 starred/nix-config:v0.5.5 starred/nix-config:v0.5.4 starred/nix-config:v0.5.3 starred/nix-config:v0.5.2 starred/nix-config:v0.5.1 starred/nix-config:v0.5.0 starred/nix-config:v0.4.5 starred/nix-config:v0.4.4 starred/nix-config:v0.4.3 starred/nix-config:v0.4.2 starred/nix-config:v0.4.1 starred/nix-config:v0.4.0 starred/nix-config:v0.3.0 starred/nix-config:v0.2.2 starred/nix-config:v0.2.1 starred/nix-config:v0.2.0 starred/nix-config:v0.1.1 starred/nix-config:v0.1.0 starred/nix-config:v0.0.5 starred/nix-config:v0.0.4 starred/nix-config:v0.0.3 starred/nix-config:v0.0.2 starred/nix-config:v0.0.1
..
compare: starred/nix-config:v0.4.3
Branches Tags
starred/nix-config:main starred/nix-config:dma-shell starred/nix-config:i3-kickstarter
starred/nix-config:v0.15.0 starred/nix-config:v0.14.0 starred/nix-config:v0.13.0 starred/nix-config:v0.12.0 starred/nix-config:v0.11.0 starred/nix-config:v0.10.0 starred/nix-config:v0.9.0 starred/nix-config:v0.8.0 starred/nix-config:v0.7.0 starred/nix-config:v0.6.0 starred/nix-config:v0.5.5 starred/nix-config:v0.5.4 starred/nix-config:v0.5.3 starred/nix-config:v0.5.2 starred/nix-config:v0.5.1 starred/nix-config:v0.5.0 starred/nix-config:v0.4.5 starred/nix-config:v0.4.4 starred/nix-config:v0.4.3 starred/nix-config:v0.4.2 starred/nix-config:v0.4.1 starred/nix-config:v0.4.0 starred/nix-config:v0.3.0 starred/nix-config:v0.2.2 starred/nix-config:v0.2.1 starred/nix-config:v0.2.0 starred/nix-config:v0.1.1 starred/nix-config:v0.1.0 starred/nix-config:v0.0.5 starred/nix-config:v0.0.4 starred/nix-config:v0.0.3 starred/nix-config:v0.0.2 starred/nix-config:v0.0.1

152 Commits
v0.4.2 .. v0.4.3

Author SHA1 Message Date
Ryan Yin bf3f364f89 Merge pull request #77 from ryan4yin/use-optionals 
refactor: use lib.optionals instead of if...then...else
 2024-03-08 23:18:41 +08:00
Ryan Yin 3247e4a8e6 refactor: use lib.optionals instead of if...then...else... 2024-03-08 23:16:45 +08:00
Ryan Yin 54c2240be6 feat: update dae & its config 2024-03-08 17:44:25 +08:00
Ryan Yin 2b8d059ecc feat: add gitops tools 2024-03-08 17:06:40 +08:00
Ryan Yin 52d04c1cb1 Merge pull request #75 from ryan4yin/aarch-tmpfs-on-root 
feat: aarch64 - tmpfs on root + impermanence
 2024-03-07 23:11:23 +08:00
Ryan Yin 5ed77b764f feat: aarch64 - tmpfs on root + impermanence 2024-03-07 23:01:20 +08:00
Ryan Yin 7c91ffb251 Merge pull request #74 from ryan4yin/update-aarch-riscv 
feat: UEFI NixOS on aarch64(rk3588)
 2024-03-07 22:12:48 +08:00
Ryan Yin f12e5a4293 fix: broken image link 2024-03-07 22:11:56 +08:00
Ryan Yin fb9f757519 docs: add other info for orangepi5 & orangepi5 plus 2024-03-07 22:10:44 +08:00
Ryan Yin 606b1d3412 docs: add screenshot for orangepi5 & orangepi5 plus 2024-03-07 22:07:28 +08:00
Ryan Yin 4d0741c841 feat: install nixos on orange pi 5 plus with edk2-rk3588(uefi) 2024-03-07 21:59:23 +08:00
Ryan Yin efcee11839 docs: README 2024-03-07 17:26:40 +08:00
Ryan Yin 310ac5c3e7 docs: README 2024-03-07 17:12:57 +08:00
Ryan Yin 5a56d4808c fix: enable sudo password - proxmox 2024-03-07 13:00:47 +08:00
Ryan Yin 9385c5dba5 feat: update nixos-licheepi4a 2024-03-07 00:39:28 +08:00
Ryan Yin ab414236ce fix: steam - cjk fonts 2024-03-06 11:49:53 +08:00
Ryan Yin b997697aed docs: flake description 2024-03-05 15:16:32 +08:00
Ryan Yin d59061e526 feat: nix related tools 2024-03-05 14:37:59 +08:00
Ryan Yin 2c8d0f629c fix(security): enable sudo password for ryan, use root for remote deployment 2024-03-04 18:36:59 +08:00
Ryan Yin 2072da67a5 fix(security): enable sudo password for ryan, use root for remote deployment 2024-03-04 18:28:49 +08:00
Ryan Yin 77bd038f32 Merge pull request #73 from ryan4yin/attic 
feat: add attic - a self-hosted nix cache server
 2024-03-04 02:36:50 +08:00
Ryan Yin b4015c2189 feat: add attic - a self-hosted nix cache server 2024-03-04 02:35:00 +08:00
Ryan Yin 69a64b209a refactor: packages & fhs 2024-03-04 01:06:13 +08:00
Ryan Yin c7c771804a refactor: packages & fhs 2024-03-04 01:05:55 +08:00
Ryan Yin f933146a42 fix: suzu 2024-03-04 00:48:01 +08:00
Ryan Yin d20760cd61 feat: migrate k8s related configs to another repo 2024-03-03 20:48:32 +08:00
Ryan Yin 5811a41aca fix: dae - cache.nixos.org & analytics.google.com 2024-03-03 20:38:42 +08:00
Ryan Yin b7845ef85e Merge pull request #71 from ryan4yin/kubevirt 
feat: kubevirt on k3s
 2024-03-03 20:03:43 +08:00
Ryan Yin 996a27965f feat: kubevirt - add cdi & ovs 2024-03-03 20:01:09 +08:00
Ryan Yin d3ddf34267 feat: add flake.nix for pulumi 2024-03-03 12:06:29 +08:00
Ryan Yin f141b49dc3 feat: kubevirt on k3s 2024-03-03 12:06:25 +08:00
Ryan Yin 9914644189 feat: kubevirt on k3s 2024-03-03 12:06:04 +08:00
Ryan Yin 7d56db3e47 fix: pip mirror - sjtu -> ustc 2024-03-03 12:04:10 +08:00
Ryan Yin dbc5fcbd01 feat: dae - use pr 466 2024-03-03 00:49:06 +08:00
Ryan Yin b8e580ee5a Merge pull request #72 from DataEraserC/main 
Fix boolean expectation error and update conditional checks.
 2024-03-03 00:26:50 +08:00
Sacabambaspis fa5b1b2752 Fix boolean expectation error and update conditional checks. 2024-03-03 00:25:04 +08:00
Ryan Yin eb75f1fa49 fix: typo 2024-03-02 20:02:44 +08:00
Ryan Yin 8542fef152 docs: README 2024-03-01 10:20:14 +08:00
Ryan Yin 4cf92e7199 fix: dae 2024-03-01 09:43:24 +08:00
Ryan Yin 4d24c74c16 feat: aqua - use dae - pr458 2024-02-29 22:23:55 +08:00
Ryan Yin 1a7e4d52aa feat: add home-manager for host - ruby 2024-02-29 22:04:23 +08:00
Ryan Yin fcde4b8e83 feat: update ssh.nix 2024-02-28 09:02:24 +08:00
Ryan Yin 3c5f0751f5 docs: speedFactor 2024-02-27 22:24:48 +08:00
Ryan Yin f4ee1a0685 fix: 'xterm-kitty': unknown terminal type 2024-02-27 22:18:38 +08:00
Ryan Yin a6499f3cb9 feat: update dae & it's secrets 2024-02-27 22:12:51 +08:00
Ryan Yin 8deb3f809b feat: install colmena & ventoy at user-level 2024-02-27 21:36:23 +08:00
Ryan Yin bff316ab7e fix: nixpkgs's joplin not work on macOS intel 2024-02-27 21:24:09 +08:00
Ryan Yin 985beb8bd4 feat: increase cache ttl of gnupg-agent 2024-02-23 21:33:39 +08:00
Ryan Yin 629ef6e451 feat: darwin - Disable password authentication for SSH 2024-02-23 20:12:53 +08:00
Ryan Yin fa492e0b26 feat: add notes for nixos-installer 2024-02-23 19:16:41 +08:00
Ryan Yin 9f0570d367 fix: typo 2024-02-23 12:09:57 +08:00
Ryan Yin bbe0f29435 feat: adjust wayland related settings for chromium & vscode 2024-02-22 16:14:07 +08:00
Ryan Yin b047c064d6 chore: polish 2024-02-20 17:54:14 +08:00
Ryan Yin 3b346c4dd9 fix: some packages has been removed from macOS 
introduced by ae238d401d
 2024-02-20 16:15:21 +08:00
Ryan Yin ed1b4775eb docs: README 2024-02-20 09:54:18 +08:00
Ryan Yin 0286a84f23 fix: homepage 2024-02-20 01:13:27 +08:00
Ryan Yin c31525e667 feat: dashy is too slow to start/reload, replace it with homepage-dashboard 2024-02-20 00:46:08 +08:00
Ryan Yin b50c59d60e Merge pull request #68 from ryan4yin/webdav 
feat: webdav server - sftpgo
 2024-02-19 22:59:26 +08:00
Ryan Yin 7a229f6e79 feat: webdav provided by sftpgo 2024-02-19 22:57:57 +08:00
Ryan Yin 2cbf8df0fa fix: just homelab 2024-02-19 22:07:31 +08:00
Ryan Yin 533fcb6144 docs: comment 2024-02-19 18:19:52 +08:00
Ryan Yin f0217c68f5 feat: note-taking - joplin 2024-02-19 15:05:24 +08:00
Ryan Yin e2f9c59cb6 fix: pulumi - fix go's import paths 2024-02-19 02:30:20 +08:00
Ryan Yin 5a57d97d36 fix: pulumi stack for k3s-prod-1 2024-02-19 01:52:19 +08:00
Ryan Yin 3a470f1b1f chore: pulumi - upgrade go dependencies 2024-02-19 01:35:45 +08:00
Ryan Yin 37fff317ef Merge pull request #67 from ryan4yin/dependabot/go_modules/pulumi/k3s-prod-1/github.com/cloudflare/circl-1.3.7 
chore(deps): bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 in /pulumi/k3s-prod-1
 2024-02-19 01:31:31 +08:00
dependabot[bot] 1ead059695 chore(deps): bump github.com/cloudflare/circl in /pulumi/k3s-prod-1 
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.3 to 1.3.7.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.3.3...v1.3.7)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-02-18 17:30:44 +00:00
Ryan Yin 9a61f3c889 docs: pulumi 2024-02-19 01:30:34 +08:00
Ryan Yin f800d96673 feat: add pulumi stack for k3s-prod-1 2024-02-19 01:28:57 +08:00
Ryan Yin 64205a79fd feat: add pulumi related tools 2024-02-18 23:05:31 +08:00
Ryan Yin 2ec9eed885 feat: add home-manager - k8s-master 2024-02-18 22:38:02 +08:00
Ryan Yin 9a71920fd4 fix: k9s skin 2024-02-18 22:30:56 +08:00
Ryan Yin 0a9dee2aee docs: pulumi 2024-02-18 22:24:26 +08:00
Ryan Yin f6b34b042f feat: impermanence 2024-02-18 22:02:39 +08:00
Ryan Yin 6d1bdd2b40 feat: k3s disable-helm-controller 2024-02-18 21:13:21 +08:00
Ryan Yin 010f3ece90 feat: prometheus targets 2024-02-18 20:44:24 +08:00
Ryan Yin 5f8f5c79d5 docs: k8s nodes overview - screenshots 2024-02-18 20:24:41 +08:00
Ryan Yin 2390ece70b fix: colmena tags for my k3s clusters 2024-02-18 20:17:54 +08:00
Ryan Yin 36f5367a5d feat: k3s - kubeconfig 2024-02-18 20:13:34 +08:00
Ryan Yin a73ebc7726 Merge pull request #64 from ryan4yin/k8s 
feat: new k3s cluster
 2024-02-18 18:57:36 +08:00
Ryan Yin c19184a6be feat: new k3s cluster 2024-02-18 18:55:23 +08:00
Ryan Yin 1a3b02a062 feat: remove emulatedSystem from kana & ruby 2024-02-18 13:41:39 +08:00
Ryan Yin 996b1dd077 docs: README 2024-02-18 13:21:36 +08:00
Ryan Yin 0c60bc495f docs: k8s 2024-02-18 12:21:10 +08:00
Ryan Yin 96ee6f2c01 docs: monitoring gpu 2024-02-18 12:13:44 +08:00
Ryan Yin 517949b78f docs: hosts - k8s 2024-02-18 11:52:15 +08:00
Ryan Yin cb43947e32 docs: hosts 2024-02-18 11:51:38 +08:00
Ryan Yin f1c79bbb70 Merge pull request #63 from ryan4yin/caddy 
feat: add caddy as a reverse proxy for applications
 2024-02-18 11:33:15 +08:00
Ryan Yin 5fe647c0d3 feat: add caddy as a reverse proxy for applications 2024-02-18 11:27:26 +08:00
Ryan Yin a321d2c803 fix: ssh hosts aliases not working on darwin 2024-02-18 10:49:09 +08:00
Ryan Yin e5fa57c660 docs: priority of dae routing rules 2024-02-18 02:05:42 +08:00
Ryan Yin e5b0545dfd feat: monitoring - grafana dashboards for kubernetes 2024-02-18 00:45:06 +08:00
Ryan Yin ef1fb417ad feat: monitoring - grafana dashboards, alertmanager alerting rules 2024-02-18 00:35:25 +08:00
Ryan Yin b75e9d6abe feat: adjust colmena tags 2024-02-17 23:47:06 +08:00
Ryan Yin 05028b84d4 Merge pull request #62 from ryan4yin/monitoring 
feat: monitoring + containers
 2024-02-17 23:36:25 +08:00
Ryan Yin b6e51e1950 feat: monitoring + containers - grafana + prometheus + node_exporter + other exporters 2024-02-17 23:33:48 +08:00
Ryan Yin 9626986524 fix: typo 2024-02-17 16:46:07 +08:00
Ryan Yin 279b1b69eb fix: dae - github's ssh access 2024-02-17 15:51:49 +08:00
Ryan Yin 88092aba5b fix: dae - github 2024-02-17 15:06:34 +08:00
Ryan Yin 4c00a430d6 feat: justfile 2024-02-17 14:53:20 +08:00
Ryan Yin 4d23a5eb19 fix: typo 2024-02-17 14:51:43 +08:00
Ryan Yin 9c07aa1113 feat: monitor dnsmasq + v2ray 2024-02-17 14:51:04 +08:00
Ryan Yin 34ca7615b4 fix: dnsmasq dhcp 2024-02-17 14:22:54 +08:00
Ryan Yin fd4f1f9086 feat: dnsmasq 2024-02-17 05:46:02 +08:00
Ryan Yin fe6caebe2e docs: dae & v2ray 2024-02-17 04:42:41 +08:00
Ryan Yin 0da119a5e8 docs: dae & v2ray 2024-02-17 04:41:02 +08:00
Ryan Yin a2af4728f3 Merge pull request #60 from ryan4yin/bypass-router 
feat: bypass router
 2024-02-17 04:38:00 +08:00
Ryan Yin ae238d401d fix: bypass router 2024-02-17 04:36:41 +08:00
Ryan Yin 7cbff9ef3b feat: dae 2024-02-16 11:15:16 +08:00
Ryan Yin fa5aaf4f97 feat: set https proxy for nix daemon 2024-02-16 10:27:06 +08:00
Ryan Yin 45c6d0f604 feat: update flake.lock, fix some api/package changes 2024-02-16 10:09:31 +08:00
Ryan Yin 47225fffbc feat: pick the highest resolution for systemd-boot's console 2024-02-15 03:07:58 +08:00
Ryan Yin d022fc3fa9 Merge pull request #57 from we-do-it-lu/patch-3 
quote markdown on 'main' not correct
 2024-02-11 23:31:52 +08:00
Ryan Yin f034011f96 Merge pull request #58 from we-do-it-lu/patch-4 
Tiny typo
 2024-02-11 23:31:28 +08:00
Ryan Yin a5bb4a471a Merge pull request #59 from we-do-it-lu/patch-5 
Tiny typo
 2024-02-11 23:31:04 +08:00
JayDeLux 2b781b030c Tiny typo 2024-02-11 15:44:08 +01:00
JayDeLux 32e0131620 Tiny typo 2024-02-11 15:36:57 +01:00
JayDeLux 339e1ddb76 quote markdown on 'main' not correct 2024-02-11 15:15:02 +01:00
Ryan Yin 2db93b7b01 feat: sjtu's mirror for pypi 2024-02-09 19:09:46 +08:00
Ryan Yin 7fcafe3d04 feat: dae subsciption 2024-02-09 00:01:37 +08:00
Ryan Yin 28ea82df03 feat: transmission & uptime-kuma 2024-02-08 23:47:01 +08:00
Ryan Yin 18a40b49e3 feat: restic drafts 2024-02-08 21:46:05 +08:00
Ryan Yin 140b84df2b fix: typo 2024-02-08 19:56:32 +08:00
Ryan Yin 9b3a431942 fix: style 2024-02-08 19:56:19 +08:00
Ryan Yin e7d5ad707f Merge pull request #56 from we-do-it-lu/patch-2 
Little error in comment
 2024-02-07 18:58:33 +08:00
JayDeLux fb55262f39 Little error in comment 2024-02-07 10:09:56 +01:00
Ryan Yin 6c80d9907b feat: luks - disable workqueue for increased SSD performance 2024-02-06 23:44:30 +08:00
Ryan Yin a541754381 docs: proxy 2024-02-05 22:45:39 +08:00
Ryan Yin e88f42182f feat: update secrets 2024-02-05 01:43:08 +08:00
Ryan Yin 6dacc92ba3 feat: update secrets 2024-02-05 01:02:09 +08:00
Ryan Yin 36ac1b51da feat: darwin - proxy & README, update brew apps 2024-02-05 00:52:11 +08:00
Ryan Yin f4c39598ec feat: persistent - ~/.conda 2024-02-04 21:58:03 +08:00
Ryan Yin f765fcd633 fix: conda init failed because ~/.zshrc not modifiable 2024-02-04 14:23:47 +08:00
Ryan Yin 54c797396c feat: darwin - add miniforge - a miniconda replacement 2024-02-04 11:06:00 +08:00
Ryan Yin 036d5c7fba feat: update nix-darwin & yabai 2024-02-01 15:37:33 +08:00
Ryan Yin af225f2271 docs: darwin & linux 2024-02-01 00:52:36 +08:00
Ryan Yin 1126e8c6a7 docs: deploy on a new machine 2024-02-01 00:40:45 +08:00
Ryan Yin 3f505194b5 docs: systems 2024-01-31 12:07:46 +08:00
Ryan Yin 819463aa20 docs: luks2 2024-01-31 11:53:08 +08:00
Ryan Yin 7e674669d3 docs: secrets 2024-01-31 11:48:53 +08:00
Ryan Yin fa6dd68818 docs: secrets 2024-01-31 11:48:34 +08:00
Ryan Yin 6367c91f7a docs: secrets 2024-01-31 11:45:47 +08:00
Ryan Yin 3f9d23dbad fix: gpg: [stdin]: encryption failed: Unusable public key 2024-01-31 11:45:47 +08:00
Ryan Yin aa95ad60b7 chore: remove some useless config 2024-01-30 23:16:42 +08:00
Ryan Yin f91d4a26fc feat: persistent vscode's data 2024-01-30 23:07:19 +08:00
Ryan Yin 5c92c0e0ac feat: add vscode again, to get the best experience of copilot chat 2024-01-30 22:59:48 +08:00
Ryan Yin 0695229e9d feat: use flameshot for region screenshot 2024-01-30 21:33:13 +08:00
Ryan Yin d8901e3169 fix: waybar & hyprland 2024-01-30 21:16:41 +08:00
Ryan Yin 544ec79aff feat: add hyprshot for screenshot 2024-01-30 21:07:12 +08:00
Ryan Yin c70f9de97c docs: TODO - homelab & k8s 2024-01-29 15:15:03 +08:00
Ryan Yin 45a149f05a feat: darwin - add tencent-lemon, a macOS cleaner 2024-01-29 11:06:42 +08:00
Ryan Yin f3b233330b feat: update mysecrets 2024-01-29 09:45:58 +08:00
160 changed files with 61488 additions and 1200 deletions
Expand all files Collapse all files
Justfile
+101 -32
View File
@@ -85,44 +85,97 @@ yabai-reload:
############################################################################
#
# Colmena - Remote NixOS deployment
# Homelab - NixOS servers running on bare metal
#
############################################################################
colmena-ssh-key:
ssh-add /etc/agenix/ssh-key-romantic
virt:
colmena apply --on '@virt-*' --verbose --show-trace
dist:
colmena apply --on '@dist-build'
shoryu:
colmena apply --on '@shoryu' --verbose --show-trace
dist-debug:
colmena apply --on '@dist-build' --verbose --show-trace
shushou:
colmena apply --on '@shushou' --verbose --show-trace
youko:
colmena apply --on '@youko' --verbose --show-trace
############################################################################
#
# Homelab - Virtual Machines running on Kubevirt
#
############################################################################
lab:
colmena apply --on '@homelab-*' --verbose --show-trace
aqua:
colmena apply --on '@aqua'
colmena apply --on '@aqua' --verbose --show-trace
# some config changes require a restart of the dae service
ssh root@aquamarine "sudo systemctl stop dae; sleep 1; sudo systemctl start dae"
ruby:
colmena apply --on '@ruby'
colmena apply --on '@ruby' --verbose --show-trace
kana:
colmena apply --on '@kana'
colmena apply --on '@kana' --verbose --show-trace
tailscale_gw:
colmena apply --on '@tailscale_gw'
tsgw:
colmena apply --on '@tailscale-gw' --verbose --show-trace
pve-image:
nom build .#tailscale_gw
rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
# pve-aqua:
# nom build .#aquamarine
# rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
#
# pve-ruby:
# nom build .#ruby
# rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
#
# pve-kana:
# nom build .#kana
# rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
#
# pve-tsgw:
# nom build .#tailscale_gw
# rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-tailscale_gw.vma.zst
#
nom build .#aquamarine
rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
############################################################################
#
# Kubernetes related commands
#
############################################################################
nom build .#ruby
rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst
k8s:
colmena apply --on '@k8s-*' --verbose --show-trace
nom build .#kana
rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst
master:
colmena apply --on '@k8s-prod-master-*' --verbose --show-trace
worker:
colmena apply --on '@k8s-prod-worker-*' --verbose --show-trace
# pve-k8s:
# nom build .#k3s_prod_1_master_1
# rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-k3s_prod_1_master_1.vma.zst
#
# nom build .#k3s_prod_1_master_2
# rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-k3s_prod_1_master_2.vma.zst
#
# nom build .#k3s_prod_1_master_3
# rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-k3s_prod_1_master_3.vma.zst
#
# nom build .#k3s_prod_1_worker_1
# rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-k3s_prod_1_worker_1.vma.zst
#
# nom build .#k3s_prod_1_worker_2
# rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-k3s_prod_1_worker_2.vma.zst
#
# nom build .#k3s_prod_1_worker_3
# rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-k3s_prod_1_worker_3.vma.zst
#
############################################################################
#
@@ -130,17 +183,14 @@ pve-image:
#
############################################################################
roll:
colmena apply --on '@riscv'
roll-debug:
colmena apply --on '@dist-build' --verbose --show-trace
riscv:
colmena apply --on '@riscv' --verbose --show-trace
nozomi:
colmena apply --on '@nozomi'
colmena apply --on '@nozomi' --verbose --show-trace
yukina:
colmena apply --on '@yukina'
colmena apply --on '@yukina' --verbose --show-trace
############################################################################
#
@@ -149,13 +199,21 @@ yukina:
############################################################################
aarch:
colmena apply --on '@aarch'
colmena apply --on '@aarch' --verbose --show-trace
suzu:
colmena apply --on '@suzu'
colmena apply --on '@suzu' --build-on-target --verbose --show-trace
suzu-debug:
colmena apply --on '@suzu' --verbose --show-trace
suzu-local mode="default":
use utils.nu *; \
nixos-switch suzu {{mode}}
rakushun:
colmena apply --on '@rakushun' --build-on-target --verbose --show-trace
rakushun-local mode="default":
use utils.nu *; \
nixos-switch rakushun {{mode}}
############################################################################
#
@@ -212,3 +270,14 @@ emacs-purge:
emacs-reload:
doom sync
{{reload-emacs-cmd}}
# =================================================
#
# Kubernetes related commands
#
# =================================================
del-failed:
kubectl delete pod --all-namespaces --field-selector="status.phase==Failed"
README.md
+26 -13
View File
@@ -14,7 +14,16 @@
</a>
</p>
This repository is home to the nix code that builds my systems.
> My configuration is becoming more and more complex, and it may be difficult for beginners to read it.
> If you are new to NixOS and want to know how I use NixOS, I would recommend you to take a look at the [ryan4yin/nix-config/releases](https://github.com/ryan4yin/nix-config/releases) first, **checkout to some simpler older versions**, which will be much easier to understand.
This repository is home to the nix code that builds my systems:
1. NixOS Desktops: NixOS with home-manager, i3, hyprland, agenix, etc.
2. macOS Desktops: nix-darwin with home-manager, share the same home-manager configuration with NixOS Desktops.
3. NixOS Servers: virtual machines running on Proxmox, with various services, such as kubernetes, homepage, prometheus, grafana, etc.
See [./hosts](./hosts) for details of each host.
## Why NixOS & Flakes?
@@ -47,7 +56,7 @@ As for Flakes, refer to [Introduction to Flakes - NixOS & Nix Flakes Book](https
| **Text Editor** | [Neovim][Neovim] + [DoomEmacs][DoomEmacs] | [Neovim][Neovim] + [DoomEmacs][DoomEmacs] |
| **Fonts** | [Nerd fonts][Nerd fonts] | [Nerd fonts][Nerd fonts] |
| **Image Viewer** | [imv][imv] | [imv][imv] |
| **Screenshot Software** | [grim][grim] | [flameshot](https://github.com/flameshot-org/flameshot) |
| **Screenshot Software** | [flameshot][flameshot] + [grim][grim] | [flameshot][flameshot] |
| **Screen Recording** | [OBS][OBS] | [OBS][OBS] |
| **Filesystem & Encryption** | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase |
| **Secure Boot** | [lanzaboote][lanzaboote] | [lanzaboote][lanzaboote] |
@@ -75,17 +84,16 @@ See [./home/base/desktop/editors/neovim/](./home/base/desktop/editors/neovim/) f
See [./home/base/desktop/editors/emacs/](./home/base/desktop/editors/emacs/) for details.
## Hosts
See [./hosts](./hosts) for details.
## Secrets Management
See [./secrets](./secrets) for details.
## How to Deploy this Flake?
> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine:exclamation: It will not succeed.** this flake contains my hardware configuration(such as [hardware-configuration.nix](hosts/idols_ai/hardware-configuration.nix), [cifs-mount.nix](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/cifs-mount.nix), [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/default.nix#L77-L91), etc.) which is not suitable for your hardware, and my private secrets repository [ryan4yin/nix-secrets](https://github.com/ryan4yin/nix-config/tree/main/secrets) that only I have access to. You may use this repo as a reference to build your own configuration.
> :red_circle: **IMPORTANT**: **You should NOT deploy this flake directly on your machine :exclamation: It will not succeed.**
> This flake contains my hardware configuration(such as [hardware-configuration.nix](hosts/idols_ai/hardware-configuration.nix), [cifs-mount.nix](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/cifs-mount.nix), [Nvidia Support](https://github.com/ryan4yin/nix-config/blob/v0.1.1/hosts/idols_ai/default.nix#L77-L91), etc.) which is not suitable for your hardwares,
> and requires my private secrets repository [ryan4yin/nix-secrets](https://github.com/ryan4yin/nix-config/tree/main/secrets) to deploy.
> You may use this repo as a reference to build your own configuration.
For NixOS:
@@ -110,12 +118,15 @@ just i3 debug
For macOS:
```bash
# deploy harmonica's configuration(macOS Intel)
just ha
# If you are deploying for the first time,
# enter a shell with essential packages available
# nix shell nixpkgs#just nixpkgs#git
# 1. install nix & homebrew manually.
# 2. prepare the deployment environment with essential packages available
nix-shell -p just nushell
# 3. comment home-manager's code in lib/macosSystem.nix to speed up the first deplyment.
# 4. comment out the proxy settings in scripts/darwin_set_proxy.py if the proxy is not ready yet.
# 4. deploy harmonica's configuration(macOS Intel)
just ha
# deploy fern's configuration(Apple Silicon)
just fe
@@ -137,7 +148,7 @@ nom build .#aquamarine # `nom`(nix-output-monitor) can be replaced by the stand
# 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump`
# please replace the vma file name with the one you generated in step 1.
rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst
# 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now.
```
@@ -169,6 +180,7 @@ Other dotfiles that inspired me:
- [gvolpe/nix-config](https://github.com/gvolpe/nix-config)
- [Ruixi-rebirth/flakes](https://github.com/Ruixi-rebirth/flakes)
- [fufexan/dotfiles](https://github.com/fufexan/dotfiles): gtk theme, xdg, git, media, anyrun, etc.
- [nix-community/srvos](https://github.com/nix-community/srvos): a collection of opinionated and sharable NixOS configurations for servers
- Modularized NixOS Configuration
- [hlissner/dotfiles](https://github.com/hlissner/dotfiles)
- [viperML/dotfiles](https://github.com/viperML/dotfiles)
@@ -203,6 +215,7 @@ Other dotfiles that inspired me:
[DoomEmacs]: https://github.com/doomemacs/doomemacs
[flameshot]: https://github.com/flameshot-org/flameshot
[grim]: https://github.com/emersion/grim
[flameshot]: https://github.com/flameshot-org/flameshot
[imv]: https://sr.ht/~exec64/imv/
[OBS]: https://obsproject.com
[Mako]: https://github.com/emersion/mako
_img/2024-02-18_k8s-nodes-overview.webp
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 97 KiB

_img/2024-03-07_orangepi5_suzu.webp
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

_img/2024-03-07_orangepi5plus_rakushun.webp
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

flake.lock
Generated
+545 -174
View File
File diff suppressed because it is too large Load Diff
flake.nix
+14 -4
View File
@@ -1,5 +1,5 @@
{
description = "NixOS & macOS configuration of Ryan Yin";
description = "Ryan Yin's nix configuration for both NixOS & macOS";
##################################################################################################################
#
@@ -96,7 +96,7 @@
# There are many ways to reference flake inputs. The most widely used is github:owner/name/reference,
# which represents the GitHub repository URL + branch/commit-id/tag.
# Official NixOS package source, using nixos's stable branch by default
# Official NixOS package source, using nixos's unstable branch by default
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
@@ -147,8 +147,8 @@
};
# secrets management
agenix = {
# lock with git commit at 0.14.0
url = "github:ryantm/agenix/54693c91d923fecb4cf04c4535e3d84f8dec7919";
# lock with git commit at 0.15.0
url = "github:ryantm/agenix/564595d0ad4be7277e07fa63b5a991b3c645655d";
# replaced with a type-safe reimplementation to get a better error message and less bugs.
# url = "github:ryan4yin/ragenix";
inputs.nixpkgs.follows = "nixpkgs";
@@ -156,6 +156,11 @@
nix-gaming.url = "github:fufexan/nix-gaming";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
# add git hooks to format nix code before commit
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
@@ -164,6 +169,11 @@
nuenv.url = "github:DeterminateSystems/nuenv";
# daeuniverse.url = "github:daeuniverse/flake.nix/unstable";
daeuniverse.url = "github:daeuniverse/flake.nix/exp";
attic.url = "github:zhaofengli/attic";
######################## Some non-flake repositories #########################################
# AstroNvim is an aesthetic and feature-rich neovim config.
home/base/desktop/cloud/default.nix
+17 -5
View File
@@ -1,10 +1,24 @@
{pkgs, ...}: {
{
lib,
pkgs,
...
}: {
home.packages = with pkgs;
[
# general tools
packer # machine image builder
# infrastructure as code
pulumi
pulumictl
packer # machine image builder
tf2pulumi
crd2pulumi
pulumiPackages.pulumi-random
pulumiPackages.pulumi-command
pulumiPackages.pulumi-aws-native
pulumiPackages.pulumi-language-go
pulumiPackages.pulumi-language-python
pulumiPackages.pulumi-language-nodejs
# aws
awscli2
@@ -16,12 +30,10 @@
aliyun-cli
]
++ (
if pkgs.stdenv.isLinux
then [
lib.optionals pkgs.stdenv.isLinux [
# cloud tools that nix do not have cache for.
terraform
terraformer # generate terraform configs from existing cloud resources
]
else []
);
}
home/base/desktop/dev-tools.nix
+4 -4
View File
@@ -16,6 +16,8 @@
home.packages = with pkgs;
[
colmena # nixos's remote deployment tool
# db related
dbeaver
mycli
@@ -34,14 +36,12 @@
bfg-repo-cleaner # remove large files from git history
k6 # load testing tool
protobuf # protocol buffer compiler
nix-init # generate nix package from url
# solve coding extercises - learn by doing
exercism
]
++ (
if pkgs.stdenv.isLinux
then [
lib.optionals pkgs.stdenv.isLinux [
# Automatically trims your branches whose tracking remote refs are merged or gone
# It's really useful when you work on a project for a long time.
git-trim
@@ -54,8 +54,8 @@
mitmproxy # http/https proxy tool
insomnia # REST client
wireshark # network analyzer
ventoy # create bootable usb
]
else []
);
programs = {
home/base/desktop/editors/emacs/default.nix
+1 -1
View File
@@ -47,7 +47,7 @@ in {
zstd # for undo-fu-session/undo-tree compression
# go-mode
gocode
# gocode # project archived, use gopls instead
## Module dependencies
# :checkers spell
home/base/desktop/editors/packages.nix
+1 -3
View File
@@ -129,9 +129,7 @@
(ripgrep.override {withPCRE2 = true;}) # recursively searches directories for a regex pattern
]
++ (
if pkgs.stdenv.isDarwin
then []
else [
lib.optionals pkgs.stdenv.isLinux [
#-- verilog / systemverilog
verible
gdb
home/base/desktop/gpg/default.nix
+4 -4
View File
@@ -19,10 +19,10 @@
mutableKeys = false;
publicKeys = [
# https://www.gnupg.org/gph/en/manual/x334.html
# {
# source = "${mysecrets}/public/ryan4yin-gpg-keys.pub";
# trust = 5;
# } # ultimate trust, my own keys.
{
source = "${mysecrets}/public/ryan4yin-gpg-keys-2014-01-27.pub";
trust = 5;
} # ultimate trust, my own keys.
];
# This configuration is based on the tutorial below, it allows for a robust setup
home/base/desktop/ssh.nix
+3 -15
View File
@@ -4,12 +4,12 @@
programs.ssh = {
enable = true;
# all my ssh private key are generated by `ssh-keygen -t ed25519 -C "ryan@nickname"`
# the config's format:
# All my ssh private key are generated by `ssh-keygen -t ed25519 -a 256 -C "xxx@xxx"`
# Config format:
# Host — given the pattern used to match against the host name given on the command line.
# HostName — specify nickname or abbreviation for host
# IdentityFile — the location of your SSH key authentication file for the account.
# format in details:
# Format in details:
# https://www.ssh.com/academy/ssh/config
extraConfig = ''
# a private key that is used during authentication will be added to ssh-agent if it is running
@@ -36,18 +36,6 @@
Host s500plus
HostName 192.168.5.174
Port 22
Host k8s-main
HostName 192.168.5.181
ForwardAgent yes
Host k8s-data1
HostName 192.168.5.182
ForwardAgent yes
Host k8s-data2
HostName 192.168.5.183
ForwardAgent yes
'';
};
}
home/base/desktop/terminal/wezterm.nix
+75 -80
View File
@@ -18,93 +18,88 @@
# we can add wezterm as a flake input once this PR is merged:
# https://github.com/wez/wezterm/pull/3547
programs.wezterm =
{
enable = false; # disable
programs.wezterm = {
enable = true; # disable
# TODO: Fix: https://github.com/wez/wezterm/issues/4483
# package = pkgs.wezterm.override { };
# install wezterm via homebrew on macOS to avoid compilation, dummy package here.
package =
if pkgs.stdenv.isLinux
then pkgs.wezterm
else pkgs.hello;
extraConfig = let
fontsize =
if pkgs.stdenv.isDarwin
then "14.0"
else "13.0";
in ''
-- Pull in the wezterm API
local wezterm = require 'wezterm'
enableBashIntegration = pkgs.stdenv.isLinux;
enableZshIntegration = pkgs.stdenv.isLinux;
-- This table will hold the configuration.
local config = {}
extraConfig = let
fontsize =
if pkgs.stdenv.isLinux
then "13.0"
else "14.0";
in ''
-- Pull in the wezterm API
local wezterm = require 'wezterm'
-- In newer versions of wezterm, use the config_builder which will
-- help provide clearer error messages
if wezterm.config_builder then
config = wezterm.config_builder()
-- This table will hold the configuration.
local config = {}
-- In newer versions of wezterm, use the config_builder which will
-- help provide clearer error messages
if wezterm.config_builder then
config = wezterm.config_builder()
end
wezterm.on('toggle-opacity', function(window, pane)
local overrides = window:get_config_overrides() or {}
if not overrides.window_background_opacity then
overrides.window_background_opacity = 0.93
else
overrides.window_background_opacity = nil
end
window:set_config_overrides(overrides)
end)
wezterm.on('toggle-opacity', function(window, pane)
local overrides = window:get_config_overrides() or {}
if not overrides.window_background_opacity then
overrides.window_background_opacity = 0.93
else
overrides.window_background_opacity = nil
end
window:set_config_overrides(overrides)
end)
wezterm.on('toggle-maximize', function(window, pane)
window:maximize()
end)
wezterm.on('toggle-maximize', function(window, pane)
window:maximize()
end)
-- This is where you actually apply your config choices
config.color_scheme = "Catppuccin Mocha"
config.font = wezterm.font_with_fallback {
"JetBrainsMono Nerd Font",
"FiraCode Nerd Font",
-- This is where you actually apply your config choices
config.color_scheme = "Catppuccin Mocha"
config.font = wezterm.font_with_fallback {
"JetBrainsMono Nerd Font",
"FiraCode Nerd Font",
-- To avoid 'Chinese characters displayed as variant (Japanese) glyphs'
"Source Han Sans SC",
"Source Han Sans TC"
}
config.hide_tab_bar_if_only_one_tab = true
config.scrollback_lines = 10000
config.enable_scroll_bar = true
config.term = 'wezterm'
config.keys = {
-- toggle opacity(CTRL + SHIFT + B)
{
key = 'B',
mods = 'CTRL',
action = wezterm.action.EmitEvent 'toggle-opacity',
},
{
key = 'M',
mods = 'CTRL',
action = wezterm.action.EmitEvent 'toggle-maximize',
},
}
config.font_size = ${fontsize}
-- To resolve issues:
-- 1. https://github.com/ryan4yin/nix-config/issues/26
-- 2. https://github.com/ryan4yin/nix-config/issues/8
-- Spawn a nushell in login mode via `bash`
config.default_prog = { '${pkgs.bash}/bin/bash', '--login', '-c', 'nu --login --interactive' }
return config
'';
}
// (
if pkgs.stdenv.isDarwin
then {
# install wezterm via homebrew on macOS to avoid compilation, dummy package here.
# package = pkgs.hello;
enableBashIntegration = false;
enableZshIntegration = false;
-- To avoid 'Chinese characters displayed as variant (Japanese) glyphs'
"Source Han Sans SC",
"Source Han Sans TC"
}
else {}
);
config.hide_tab_bar_if_only_one_tab = true
config.scrollback_lines = 10000
config.enable_scroll_bar = true
config.term = 'wezterm'
config.keys = {
-- toggle opacity(CTRL + SHIFT + B)
{
key = 'B',
mods = 'CTRL',
action = wezterm.action.EmitEvent 'toggle-opacity',
},
{
key = 'M',
mods = 'CTRL',
action = wezterm.action.EmitEvent 'toggle-maximize',
},
}
config.font_size = ${fontsize}
-- To resolve issues:
-- 1. https://github.com/ryan4yin/nix-config/issues/26
-- 2. https://github.com/ryan4yin/nix-config/issues/8
-- Spawn a nushell in login mode via `bash`
config.default_prog = { '${pkgs.bash}/bin/bash', '--login', '-c', 'nu --login --interactive' }
return config
'';
};
}
home/base/desktop/zellij/default.nix
+1 -1
View File
@@ -10,7 +10,7 @@ in {
programs.nushell.extraConfig = ''
# auto start zellij
# except when in emacs or zellij itself
if (not "ZELLIJ" in $env) and (not "INSIDE_EMACS" in $env) {
if (not ("ZELLIJ" in $env)) and (not ("INSIDE_EMACS" in $env)) {
if "ZELLIJ_AUTO_ATTACH" in $env and $env.ZELLIJ_AUTO_ATTACH == "true" {
^zellij attach -c
} else {
home/base/server/container.nix
+9 -1
View File
@@ -12,13 +12,21 @@
kubectl
istioctl
kubevirt # virtctl
kubernetes-helm
fluxcd
argocd
];
programs = {
k9s = {
enable = true;
skin = let
# https://k9scli.io/topics/aliases/
# aliases = {};
settings = {
skin = "catppuccino-mocha";
};
skins.catppuccin-mocha = let
skin_file = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-k9s}/dist/mocha.yml"; # theme - catppuccin mocha
skin_attr = builtins.fromJSON (
builtins.readFile
home/base/server/core.nix
+48 -70
View File
@@ -1,84 +1,62 @@
{
pkgs,
attic,
nur-ryan4yin,
...
}: {
home.packages = with pkgs; [
neofetch
home.packages = with pkgs;
[
# Misc
tldr
cowsay
gnupg
gnumake
# networking tools
mtr # A network diagnostic tool
iperf3
dnsutils # `dig` + `nslookup`
ldns # replacement of `dig`, it provide the command `drill`
aria2 # A lightweight multi-protocol & multi-source command-line download utility
socat # replacement of openbsd-netcat
nmap # A utility for network discovery and security auditing
ipcalc # it is a calculator for the IPv4/v6 addresses
# Morden cli tools, replacement of grep/sed/...
# archives
zip
xz
unzip
p7zip
# Interactively filter its input using fuzzy searching, not limit to filenames.
fzf
# search for files by name, faster than find
fd
# search for files by its content, replacement of grep
(ripgrep.override {withPCRE2 = true;})
# misc
tldr
cowsay
file
findutils
which
tree
gnutar
zstd
gnupg
rsync
# A fast and polyglot tool for code searching, linting, rewriting at large scale
# supported languages: only some mainstream languages currently(do not support nix/nginx/yaml/toml/...)
ast-grep
# Text Processing
# Docs: https://github.com/learnbyexample/Command-line-text-processing
sad # CLI search and replace, just like sed, but with diff preview.
yq-go # yaml processer https://github.com/mikefarah/yq
just # a command runner like make, but simpler
delta # A viewer for git and diff output
lazygit # Git terminal UI.
hyperfine # command-line benchmarking tool
gping # ping, but with a graph(TUI)
doggo # DNS client for humans
duf # Disk Usage/Free Utility - a better 'df' alternative
du-dust # A more intuitive version of `du` in rust
ncdu # analyzer your disk usage Interactively, via TUI(replacement of `du`)
gdu # disk usage analyzer(replacement of `du`)
gnugrep # GNU grep, provides `grep`/`egrep`/`fgrep`
gnused # GNU sed, very powerful(mainly for replacing text in files)
gnumake
gawk # GNU awk, a pattern scanning and processing language
jq # A lightweight and flexible command-line JSON processor
# nix related
#
# it provides the command `nom` works just like `nix
# with more details log output
nix-output-monitor
hydra-check # check hydra(nix's build farm) for the build status of a package
nix-index # A small utility to index nix store paths
nix-init # generate nix derivation from url
# https://github.com/nix-community/nix-melt
nix-melt # A TUI flake.lock viewer
# https://github.com/utdemir/nix-tree
nix-tree # A TUI to visualize the dependency graph of a nix derivation
# morden cli tools, replacement of grep/sed/...
# Interactively filter its input using fuzzy searching, not limit to filenames.
fzf
# search for files by name, faster than find
fd
# search for files by its content, replacement of grep
(ripgrep.override {withPCRE2 = true;})
# A fast and polyglot tool for code searching, linting, rewriting at large scale
# supported languages: only some mainstream languages currently(do not support nix/nginx/yaml/toml/...)
ast-grep
sad # CLI search and replace, just like sed, but with diff preview.
yq-go # yaml processer https://github.com/mikefarah/yq
just # a command runner like make, but simpler
delta # A viewer for git and diff output
lazygit # Git terminal UI.
hyperfine # command-line benchmarking tool
gping # ping, but with a graph(TUI)
doggo # DNS client for humans
duf # Disk Usage/Free Utility - a better 'df' alternative
du-dust # A more intuitive version of `du` in rust
ncdu # analyzer your disk usage Interactively, via TUI(replacement of `du`)
gdu # disk usage analyzer(replacement of `du`)
# nix related
#
# it provides the command `nom` works just like `nix
# with more details log output
nix-output-monitor
# productivity
caddy # A webserver with automatic HTTPS via Let's Encrypt(replacement of nginx)
croc # File transfer between computers securely and easily
];
# productivity
caddy # A webserver with automatic HTTPS via Let's Encrypt(replacement of nginx)
croc # File transfer between computers securely and easily
]
# self-hosted nix cache server
++ lib.optionals pkgs.stdenv.isLinux [attic.packages.${pkgs.system}.attic-client];
programs = {
# A modern replacement for ls
home/base/server/pip.nix
+7 -1
View File
@@ -2,6 +2,12 @@ _: {
# use mirror for pip install
xdg.configFile."pip/pip.conf".text = ''
[global]
index-url = https://mirrors.bfsu.edu.cn/pypi/web/simple
index-url = https://mirrors.ustc.edu.cn/pypi/web/simple
format = columns
'';
# xdg.configFile."pip/pip.conf".text = ''
# [global]
# index-url = https://mirrors.bfsu.edu.cn/pypi/web/simple
# '';
}
home/darwin/shell.nix
+20 -2
View File
@@ -2,6 +2,24 @@ let
envExtra = ''
export PATH="$PATH:/opt/homebrew/bin:/usr/local/bin"
'';
# copied from the content generated by `conda init bash`
initExtra = ''
arch=$(uname -m)
if [ "aarch64" = "$arch" ] || [ "arm64" = "$arch" ]; then
# >>> (miniforge)conda initialize >>>
# !! Contents within this block are managed by 'conda init' !!
if [ -f "/opt/homebrew/Caskroom/miniforge/base/etc/profile.d/conda.sh" ]; then
. "/opt/homebrew/Caskroom/miniforge/base/etc/profile.d/conda.sh"
else
export PATH="/opt/homebrew/Caskroom/miniforge/base/bin:$PATH"
fi
# <<< conda initialize <<<
elif [[ "x86_64" = "$arch" ]]; then
# do nothing
true
fi
'';
in {
# Homebrew's default install location:
# /opt/homebrew for Apple Silicon
@@ -10,10 +28,10 @@ in {
# in /opt/homebrew for Apple Silicon and /usr/local for Rosetta 2 to coexist and use bottles.
programs.bash = {
enable = true;
bashrcExtra = envExtra;
bashrcExtra = envExtra + initExtra;
};
programs.zsh = {
enable = true;
inherit envExtra;
inherit envExtra initExtra;
};
}
home/darwin/ssh.nix
+3
View File
@@ -0,0 +1,3 @@
{vars_networking, ...}: {
programs.ssh.extraConfig = vars_networking.ssh.extraConfig;
}
home/linux/base/system-tools.nix
-20
View File
@@ -1,29 +1,9 @@
{pkgs, ...}: {
# Linux Only Packages, not available on Darwin
home.packages = with pkgs; [
nmon
iotop
iftop
# misc
libnotify
wireguard-tools # manage wireguard vpn manually, via wg-quick
# system call monitoring
strace # system call monitoring
ltrace # library call monitoring
bpftrace # powerful tracing tool
tcpdump # network sniffer
lsof # list open files
# system tools
sysstat
lm_sensors # for `sensors` command
ethtool
pciutils # lspci
usbutils # lsusb
hdparm # for disk performance, command
dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
];
# auto mount usb drives
home/linux/desktop/README.md
+2 -2
View File
@@ -9,8 +9,8 @@
## Why install I3/Hyprland in Home Manager instead of a NixOS Module?
1. I3 & Hyprland's configuration file is located in `~/.config`, which can be easily managed by Home Manager.
2. There're other user-specific systemd servcies, such gammastep, wallpaper-switcher, etc. which can be easily managed by Home Manager, but if we start i3/hyprland in NixOS Module, they may failed to start automatically. With i3/hyprland installed via home-manager, we can control their systemd service's dependent order, to avoid issues like this.
3. By install as less as possible in NixOS Module, we can:
2. I have many user-specific systemd servcies, such gammastep, wallpaper-switcher, etc. Which can be easily managed by Home Manager, but if we add i3/hyprland in a NixOS Module, those user-level services may failed to start automatically. With i3/hyprland in a Home Manager Module, we can control their systemd service's dependent order more easily, so we can avoid issues like this.
3. By install packages as less as possible in NixOS Module, we can:
1. Make the NixOS system more secure and stable.
2. Make this flake more portable to other non-NixOS systems, as home-manager can be installed on any Linux system.
home/linux/desktop/base/note-taking.nix
+7
View File
@@ -0,0 +1,7 @@
{pkgs, ...}: {
home.packages = with pkgs; [
# https://joplinapp.org/help/
joplin # joplin-cli
joplin-desktop
];
}
home/linux/desktop/base/xdg.nix
+12 -3
View File
@@ -30,14 +30,17 @@
# ls /etc/profiles/per-user/ryan/share/applications/
mimeApps = {
enable = true;
# let `xdg-open` to open the url with the correct application.
defaultApplications = let
browser = ["firefox.desktop"];
editor = ["nvim.desktop" "Helix.desktop" "code.desktop" "code-insiders.desktop"];
in {
"application/json" = browser;
"application/pdf" = browser; # TODO: pdf viewer
"text/html" = browser;
"text/xml" = browser;
"text/plain" = editor;
"application/xml" = browser;
"application/xhtml+xml" = browser;
"application/xhtml_xml" = browser;
@@ -48,12 +51,18 @@
"application/x-extension-shtml" = browser;
"application/x-extension-xht" = browser;
"application/x-extension-xhtml" = browser;
"application/x-wine-extension-ini" = editor;
"x-scheme-handler/about" = browser;
"x-scheme-handler/ftp" = browser;
# define default applications for some url schemes.
"x-scheme-handler/about" = browser; # open `about:` url with `browser`
"x-scheme-handler/ftp" = browser; # open `ftp:` url with `browser`
"x-scheme-handler/http" = browser;
"x-scheme-handler/https" = browser;
"x-scheme-handler/unknown" = browser;
# https://github.com/microsoft/vscode/issues/146408
"x-scheme-handler/vscode" = ["code-url-handler.desktop"]; # open `vscode://` url with `code-url-handler.desktop`
"x-scheme-handler/vscode-insiders" = ["code-insiders-url-handler.desktop"]; # open `vscode-insiders://` url with `code-insiders-url-handler.desktop`
# all other unknown schemes will be opened by this default application.
# "x-scheme-handler/unknown" = editor;
"x-scheme-handler/discord" = ["discord.desktop"];
"x-scheme-handler/tg" = ["org.telegram.desktop.desktop "];
home/linux/desktop/hyprland/conf/hyprland.conf
+5 -9
View File
@@ -94,7 +94,6 @@ $term = kitty
$app_launcher = ~/.config/hypr/scripts/menu
$volume = ~/.config/hypr/scripts/volume
$backlight = ~/.config/hypr/scripts/brightness
$screenshot = ~/.config/hypr/scripts/screenshot
$lockscreen = ~/.config/hypr/scripts/lockscreen
$wlogout = ~/.config/hypr/scripts/wlogout
$colorpicker = ~/.config/hypr/scripts/colorpicker
@@ -137,9 +136,11 @@ bind=,XF86AudioPlay,exec,mpc toggle
bind=,XF86AudioStop,exec,mpc stop
# -- Screenshots --
bind=,Print,exec,$screenshot --now
bind=SUPER,Print,exec,$screenshot --win
bind=CTRL,Print,exec,$screenshot --area
bind=,Print,exec,hyprshot -m output -o ~/Pictures/Screenshots -- imv
bind=SUPER,Print,exec,hyprshot -m window -o ~/Pictures/Screenshots -- imv
# flameshot do not recognize hyprland as a wayland compositor, so we set it to sway here
bind=CTRL,Print,exec,XDG_CURRENT_DESKTOP=sway flameshot gui --raw -p ~/Pictures/Screenshots | wl-copy
# bind=CTRL,Print,exec,hyprshot -m region -o ~/Pictures/Screenshots -- imv
# Focus
bind=SUPER,left,movefocus,l
@@ -195,8 +196,3 @@ exec-once=cp ~/.config/fcitx5/profile-bak ~/.config/fcitx5/profile # restore
exec-once=fcitx5 -d --replace # start fcitx5 daemon
bind=ALT,E,exec,pkill fcitx5 -9;sleep 1;fcitx5 -d --replace; sleep 1;fcitx5-remote -r
# fix xwayland apps
windowrulev2 = rounding 0, xwayland:1, floating:1
windowrulev2 = center, class:^(.*jetbrains.*)$, title:^(Confirm Exit|Open Project|win424|win201|splash)$
windowrulev2 = size 640 400, class:^(.*jetbrains.*)$, title:^(splash)$
home/linux/desktop/hyprland/conf/scripts/screenshot
-55
View File
@@ -1,55 +0,0 @@
#!/usr/bin/env bash
## Script to take screenshots with grim, slurp (in Wayland)
iDIR="$HOME/.config/hypr/mako/icons"
time=$(date +%Y-%m-%d-%H-%M-%S)
dir="$(xdg-user-dir PICTURES)/Screenshots" # need
file="Screenshot_${time}_${RANDOM}.png"
# notify and view screenshot
notify_cmd_shot="notify-send -h string:x-canonical-private-synchronous:shot-notify -u low -i ${iDIR}/picture.png"
notify_view () {
${notify_cmd_shot} "Copied to clipboard."
imv ${dir}/"$file"
if [[ -e "$dir/$file" ]]; then
${notify_cmd_shot} "Screenshot Saved."
else
${notify_cmd_shot} "Screenshot Deleted."
fi
}
# take shots
shotnow () {
cd ${dir} && grim - | tee "$file" | wl-copy
notify_view
}
shotwin () {
w_pos=$(hyprctl activewindow | grep 'at:' | cut -d':' -f2 | tr -d ' ' | tail -n1)
w_size=$(hyprctl activewindow | grep 'size:' | cut -d':' -f2 | tr -d ' ' | tail -n1 | sed s/,/x/g)
cd ${dir} && grim -g "$w_pos $w_size" - | tee "$file" | wl-copy
notify_view
}
shotarea () {
cd ${dir} && grim -g "$(slurp -b 1B1F28CC -c E06B74ff -s C778DD0D -w 2)" - | tee "$file" | wl-copy
notify_view
}
if [[ ! -d "$dir" ]]; then
mkdir -p "$dir"
fi
if [[ "$1" == "--now" ]]; then
shotnow
elif [[ "$1" == "--area" ]]; then
shotarea
elif [[ "$1" == "--win" ]]; then
shotwin
else
echo -e "Available Options : --now --win --area"
fi
exit 0
home/linux/desktop/hyprland/conf/waybar/config.jsonc
+2 -2
View File
@@ -6,7 +6,7 @@
"custom/launcher",
"temperature",
"backlight",
"wlr/workspaces"
"hyprland/workspaces"
],
"modules-center": [
"custom/playerctl"
@@ -23,7 +23,7 @@
"custom/powermenu",
"tray"
],
"wlr/workspaces": {
"hyprland/workspaces": {
"format": "{icon}",
"on-click": "activate",
"format-icons": {
home/linux/desktop/hyprland/values/packages.nix
+7 -3
View File
@@ -1,4 +1,8 @@
{pkgs, ...}: {
{
pkgs,
pkgs-unstable,
...
}: {
home.packages = with pkgs; [
waybar # the status bar
swaybg # the wallpaper
@@ -8,10 +12,10 @@
wl-clipboard # copying and pasting
hyprpicker # color picker
wf-recorder # creen recording
pkgs-unstable.hyprshot # screen shot
grim # taking screenshots
slurp # selecting a region to screenshot
# TODO replace by `flameshot gui --raw | wl-copy`
wf-recorder # creen recording
mako # the notification daemon, the same as dunst
home/linux/desktop/hyprland/values/wayland-apps.nix
+36 -2
View File
@@ -39,12 +39,13 @@
google-chrome = {
enable = true;
# https://wiki.archlinux.org/title/Chromium#Native_Wayland_support
commandLineArgs = [
"--ozone-platform-hint=auto"
"--ozone-platform=wayland"
# make it use GTK_IM_MODULE if it runs with Gtk4, so fcitx5 can work with it.
# (only supported by chromium/chrome at this time, not electron)
"--gtk-version=4"
"--enable-features=UseOzonePlatform"
"--ozone-platform=wayland"
# make it use text-input-v1, which works for kwin 5.27 and weston
"--enable-wayland-ime"
@@ -58,5 +59,38 @@
enableGnomeExtensions = false;
package = pkgs.firefox-wayland; # firefox with wayland support
};
vscode = {
enable = true;
# let vscode sync and update its configuration & extensions across devices, using github account.
userSettings = {};
package =
(pkgs.vscode.override
{
isInsiders = true;
# https://wiki.archlinux.org/title/Wayland#Electron
commandLineArgs = [
"--ozone-platform-hint=auto"
"--ozone-platform=wayland"
# make it use GTK_IM_MODULE if it runs with Gtk4, so fcitx5 can work with it.
# (only supported by chromium/chrome at this time, not electron)
"--gtk-version=4"
# make it use text-input-v1, which works for kwin 5.27 and weston
"--enable-wayland-ime"
# TODO: fix https://github.com/microsoft/vscode/issues/187436
# still not works...
"--password-store=gnome" # use gnome-keyring as password store
];
})
.overrideAttrs (oldAttrs: rec {
# Use VSCode Insiders to fix crash: https://github.com/NixOS/nixpkgs/issues/246509
src = builtins.fetchTarball {
url = "https://update.code.visualstudio.com/latest/linux-x64/insider";
sha256 = "0k2sh7rb6mrx9d6bkk2744ry4g17d13xpnhcisk4akl4x7dn6a83";
};
version = "latest";
});
};
};
}
home/linux/desktop/i3/values/x11-apps.nix
+11 -2
View File
@@ -1,9 +1,12 @@
{pkgs, ...}: {
{
pkgs,
pkgs-unstable,
...
}: {
home.packages = with pkgs; [
firefox
];
# TODO vscode & chrome both have wayland support, but they don't work with fcitx5, need to fix it.
programs = {
# source code: https://github.com/nix-community/home-manager/blob/master/modules/programs/chromium.nix
google-chrome = {
@@ -16,5 +19,11 @@
# commandLineArgs = [
# ];
};
vscode = {
enable = true;
package = pkgs-unstable.vscode;
# let vscode sync and update its configuration & extensions across devices, using github account.
# userSettings = {};
};
};
}
hosts/12kingdoms_rakushun/README.md
+149
View File
@@ -0,0 +1,149 @@
# Rakushun - Orange Pi 5 Plus
LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus.
## Showcases
![](../../_img/2024-03-07_orangepi5plus_rakushun.webp)
Disk layout:
```bash
[ryan@rakushun:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 58.6G 0 disk
└─sda1 8:1 1 487M 0 part
mtdblock0 31:0 0 16M 0 disk
zram0 254:0 0 0B 0 disk
nvme0n1 259:0 0 1.8T 0 disk
├─nvme0n1p1 259:1 0 630M 0 part /boot
└─nvme0n1p2 259:2 0 1.8T 0 part
└─crypted 253:0 0 1.8T 0 crypt /tmp
/swap
/snapshots
/home/ryan/tmp
/home/ryan/nix-config
/home/ryan/go
/home/ryan/codes
/home/ryan/.ssh
/home/ryan/.local/state
/home/ryan/.npm
/home/ryan/.local/share
/home/ryan/.conda
/etc/ssh
/etc/nix/inputs
/etc/secureboot
/etc/agenix
/etc/NetworkManager/system-connections
/etc/machine-id
/nix/store
/var/log
/var/lib
/nix
/persistent
[ryan@rakushun:~]$ df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 785M 0 785M 0% /dev
tmpfs tmpfs 7.7G 0 7.7G 0% /dev/shm
tmpfs tmpfs 3.9G 6.8M 3.9G 1% /run
tmpfs tmpfs 7.7G 1.9M 7.7G 1% /run/wrappers
none tmpfs 4.0G 48K 4.0G 1% /
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /persistent
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /nix
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /snapshots
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /swap
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /tmp
/dev/nvme0n1p1 vfat 629M 96M 534M 16% /boot
tmpfs tmpfs 1.6G 4.0K 1.6G 1% /run/user/1000
```
CPU info:
```bash
[ryan@rakushun:~]$ lscpu
Architecture: aarch64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: ARM
Model name: Cortex-A55
Model: 0
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: r2p0
CPU(s) scaling MHz: 67%
CPU max MHz: 1800.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Model name: Cortex-A76
Model: 0
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
Stepping: r4p0
CPU(s) scaling MHz: 18%
CPU max MHz: 2256.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Caches (sum of all):
L1d: 384 KiB (8 instances)
L1i: 384 KiB (8 instances)
L2: 2.5 MiB (8 instances)
L3: 3 MiB (1 instance)
```
## How to install NixOS on Orange Pi 5 Plus
### 1. Prepare a USB LUKS key
Generate LUKS keyfile to encrypt the root partition, it's used by disko.
```bash
# partition the usb stick
DEV=/dev/sdX
parted ${DEV} -- mklabel gpt
parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
# Generate a keyfile from the true random number generator
KEYFILE=./orangepi5plus-luks-keyfile
dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
# copy the keyfile and token to the usb stick
KEYFILE=./orangepi5plus-luks-keyfile
DEVICE=/dev/disk/by-label/OPI5P_DSC
# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
```
### 2. Partition the SSD & install NixOS via disko
First, follow [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to install UEFI bootloader and boot into NixOS live environment via a USB stick.
Then, run the following commands:
```bash
# transfer the nix-config to the target machine
rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
# login via ssh
ssh rk@<ip-addr>
cd ~/nix-config/hosts/12kingdoms_rakushun
# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
# 2. partition & format the disk via disko
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
cd ~/nix-config
# install nixos
# NOTE: the root password you set here will be discarded when reboot
sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
```
hosts/12kingdoms_rakushun/default.nix
+49
View File
@@ -0,0 +1,49 @@
{
disko,
nixos-rk3588,
vars_networking,
...
}:
#############################################################
#
# Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
#
#############################################################
let
hostName = "rakushun"; # Define your hostname.
hostAddress = vars_networking.hostAddress.${hostName};
in {
imports = [
# import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
nixos-rk3588.nixosModules.orangepi5plus.core
disko.nixosModules.default
./hardware-configuration.nix
./disko-fs.nix
./impermanence.nix
];
networking = {
inherit hostName;
inherit (vars_networking) defaultGateway nameservers;
networkmanager.enable = false;
# RJ45 port 1
interfaces.enP4p65s0 = {
useDHCP = false;
ipv4.addresses = [hostAddress];
};
# RJ45 port 2
# interfaces.enP3p49s0 = {
# useDHCP = false;
# ipv4.addresses = [hostAddress];
# };
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}
hosts/12kingdoms_rakushun/disko-fs.nix
+102
View File
@@ -0,0 +1,102 @@
{
# required by impermanence
fileSystems."/persistent".neededForBoot = true;
disko.devices = {
nodev."/" = {
fsType = "tmpfs";
mountOptions = [
"size=4G"
"defaults"
# set mode to 755, otherwise systemd will set it to 777, which cause problems.
# relatime: Update inode access times relative to modify or change time.
"mode=755"
];
};
# TODO: rename to main
disk.sda = {
type = "disk";
# When using disko-install, we will overwrite this value from the commandline
device = "/dev/nvme0n1"; # The device to partition
content = {
type = "gpt";
partitions = {
# The EFI & Boot partition
ESP = {
size = "630M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
# The root partition
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
settings = {
keyFile = "/dev/disk/by-label/OPI5P_DSC"; # The keyfile is stored on a USB stick
# The maxium size of the keyfile is 8192 bytes
keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
fallbackToPassword = true;
allowDiscards = true;
};
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
initrdUnlock = true;
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
# cryptsetup luksFormat
extraFormatArgs = [
"--type luks2"
"--cipher aes-xts-plain64"
"--hash sha512"
"--iter-time 5000"
"--key-size 256"
"--pbkdf argon2id"
# use true random data from /dev/random, will block until enough entropy is available
"--use-random"
];
extraOpenArgs = [
"--timeout 10"
];
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"@nix" = {
mountpoint = "/nix";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@tmp" = {
mountpoint = "/tmp";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@snapshots" = {
mountpoint = "/snapshots";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@swap" = {
mountpoint = "/swap";
swap.swapfile.size = "16384M";
};
};
};
};
};
};
};
};
};
}
hosts/12kingdoms_rakushun/hardware-configuration.nix
+39
View File
@@ -0,0 +1,39 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.loader = {
# depending on how you configured your disk mounts, change this to /boot or /boot/efi.
efi.efiSysMountPoint = "/boot/";
efi.canTouchEfiVariables = true;
# do not use systemd-boot here, it has problems when running `nixos-install`
grub = {
device = "nodev";
efiSupport = true;
};
};
# clear /tmp on boot to get a stateless /tmp directory.
boot.tmp.cleanOnBoot = true;
boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}
hosts/12kingdoms_shoukei/impermanence.nix → hosts/12kingdoms_rakushun/impermanence.nix
+1 -44
View File
@@ -41,11 +41,6 @@
"/var/log"
"/var/lib"
# created by modules/nixos/misc/fhs-fonts.nix
# for flatpak apps
# "/usr/share/fonts"
# "/usr/share/icons"
];
files = [
"/etc/machine-id"
@@ -58,44 +53,10 @@
"nix-config"
"tmp"
"Downloads"
"Music"
"Pictures"
"Documents"
"Videos"
{
directory = ".gnupg";
mode = "0700";
}
{
directory = ".ssh";
mode = "0700";
}
{
directory = ".aws";
mode = "0700";
}
{
directory = ".docker";
mode = "0700";
}
{
directory = ".kube";
mode = "0700";
}
# misc
".config/pulse"
".pki"
# remote desktop
".config/remmina"
".config/freerdp"
# browsers
".mozilla"
".config/google-chrome"
# neovim / remmina / flatpak / ...
".local/share"
@@ -103,14 +64,10 @@
# language package managers
".npm"
".conda" # generated by `conda-shell`
"go"
# neovim plugins(wakatime & copilot)
".wakatime"
".config/github-copilot"
];
files = [
".wakatime.cfg"
".config/nushell/history.txt"
];
};
hosts/12kingdoms_shoukei/default.nix
+2 -2
View File
@@ -18,10 +18,10 @@ in {
{hardware.myapple-t2.enableAppleSetOsLoader = true;}
./hardware-configuration.nix
./impermanence.nix
../idols_ai/impermanence.nix
];
boot.kernelModules = ["kvm-amd" "kvm-intel"];
boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {
hosts/12kingdoms_shoukei/hardware-configuration.nix
+5
View File
@@ -53,6 +53,11 @@
# whether to allow TRIM requests to the underlying device.
# it's less secure, but faster.
allowDiscards = true;
# Whether to bypass dm-crypts internal read and write workqueues.
# Enabling this should improve performance on SSDs;
# https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance
bypassWorkqueues = true;
};
};
hosts/12kingdoms_suzu/README.md
+149
View File
@@ -0,0 +1,149 @@
# Suzu - Orange Pi 5
LUKS encrypted SSD for NixOS, on Orange Pi 5.
## Showcases
![](../../_img/2024-03-07_orangepi5_suzu.webp)
Disk layout:
```bash
[ryan@suzu:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 58.6G 0 disk
└─sda1 8:1 1 486M 0 part
mtdblock0 31:0 0 16M 0 disk
zram0 254:0 0 0B 0 disk
nvme0n1 259:0 0 238.5G 0 disk
├─nvme0n1p1 259:1 0 630M 0 part /boot
└─nvme0n1p2 259:2 0 237.9G 0 part
└─crypted 253:0 0 237.8G 0 crypt /tmp
/snapshots
/swap
/home/ryan/tmp
/home/ryan/nix-config
/home/ryan/go
/home/ryan/.local/state
/home/ryan/codes
/home/ryan/.npm
/home/ryan/.ssh
/home/ryan/.local/share
/etc/ssh
/home/ryan/.conda
/etc/secureboot
/etc/agenix
/etc/nix/inputs
/etc/NetworkManager/system-connections
/nix/store
/var/log
/var/lib
/nix
/persistent
[ryan@suzu:~]$ df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 383M 0 383M 0% /dev
tmpfs tmpfs 3.8G 0 3.8G 0% /dev/shm
tmpfs tmpfs 1.9G 6.2M 1.9G 1% /run
tmpfs tmpfs 3.8G 1.9M 3.8G 1% /run/wrappers
none tmpfs 2.0G 48K 2.0G 1% /
/dev/mapper/crypted btrfs 238G 11G 226G 5% /persistent
/dev/mapper/crypted btrfs 238G 11G 226G 5% /nix
/dev/mapper/crypted btrfs 238G 11G 226G 5% /swap
/dev/mapper/crypted btrfs 238G 11G 226G 5% /snapshots
/dev/mapper/crypted btrfs 238G 11G 226G 5% /tmp
/dev/nvme0n1p1 vfat 629M 86M 543M 14% /boot
tmpfs tmpfs 766M 4.0K 766M 1% /run/user/1000
```
CPU info:
```bash
[ryan@suzu:~]$ lscpu
Architecture: aarch64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: ARM
Model name: Cortex-A55
Model: 0
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: r2p0
CPU(s) scaling MHz: 56%
CPU max MHz: 1800.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Model name: Cortex-A76
Model: 0
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
Stepping: r4p0
CPU(s) scaling MHz: 18%
CPU max MHz: 2256.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Caches (sum of all):
L1d: 384 KiB (8 instances)
L1i: 384 KiB (8 instances)
L2: 2.5 MiB (8 instances)
L3: 3 MiB (1 instance)
```
## How to install NixOS on Orange Pi 5
### 1. Prepare a USB LUKS key
Generate LUKS keyfile to encrypt the root partition, it's used by disko.
```bash
# partition the usb stick
DEV=/dev/sdX
parted ${DEV} -- mklabel gpt
parted ${DEV} -- mkpart primary 2M 512MB
mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
# Generate a keyfile from the true random number generator
KEYFILE=./orangepi5-luks-keyfile
dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
# copy the keyfile and token to the usb stick
KEYFILE=./orangepi5-luks-keyfile
DEVICE=/dev/disk/by-label/OPI5_DSC
# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
```
### 2. Partition the SSD & install NixOS via disko
First, follow [UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to install UEFI bootloader and boot into NixOS live environment via a USB stick.
Then, run the following commands:
```bash
# login via ssh
ssh rk@<ip-addr>
git clone https://github.com/ryan4yin/nix-config.git
cd ~/nix-config/hosts/12kingdoms_suzu
# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
# 2. partition & format the disk via disko
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
cd ~/nix-config
# install nixos
# NOTE: the root password you set here will be discarded when reboot
sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
```
hosts/12kingdoms_suzu/default.nix
+7 -2
View File
@@ -1,11 +1,12 @@
{
disko,
nixos-rk3588,
vars_networking,
...
}:
#############################################################
#
# Suzu - Orange Pi 5, RK3588s
# Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
#
#############################################################
let
@@ -14,7 +15,11 @@ let
in {
imports = [
# import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
nixos-rk3588.nixosModules.orangepi5
nixos-rk3588.nixosModules.orangepi5plus.core
disko.nixosModules.default
./hardware-configuration.nix
./disko-fs.nix
./impermanence.nix
];
networking = {
hosts/12kingdoms_suzu/disko-fs.nix
+102
View File
@@ -0,0 +1,102 @@
{
# required by impermanence
fileSystems."/persistent".neededForBoot = true;
disko.devices = {
nodev."/" = {
fsType = "tmpfs";
mountOptions = [
"size=2G"
"defaults"
# set mode to 755, otherwise systemd will set it to 777, which cause problems.
# relatime: Update inode access times relative to modify or change time.
"mode=755"
];
};
# TODO: rename to main
disk.sda = {
type = "disk";
# When using disko-install, we will overwrite this value from the commandline
device = "/dev/nvme0n1"; # The device to partition
content = {
type = "gpt";
partitions = {
# The EFI & Boot partition
ESP = {
size = "630M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
# The root partition
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
settings = {
keyFile = "/dev/disk/by-label/OPI5_DSC"; # The keyfile is stored on a USB stick
# The maxium size of the keyfile is 8192 bytes
keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
fallbackToPassword = true;
allowDiscards = true;
};
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
initrdUnlock = true;
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
# cryptsetup luksFormat
extraFormatArgs = [
"--type luks2"
"--cipher aes-xts-plain64"
"--hash sha512"
"--iter-time 5000"
"--key-size 256"
"--pbkdf argon2id"
# use true random data from /dev/random, will block until enough entropy is available
"--use-random"
];
extraOpenArgs = [
"--timeout 10"
];
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"@nix" = {
mountpoint = "/nix";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@tmp" = {
mountpoint = "/tmp";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@snapshots" = {
mountpoint = "/snapshots";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@swap" = {
mountpoint = "/swap";
swap.swapfile.size = "8192M";
};
};
};
};
};
};
};
};
};
}
hosts/12kingdoms_suzu/hardware-configuration.nix
+39
View File
@@ -0,0 +1,39 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.loader = {
# depending on how you configured your disk mounts, change this to /boot or /boot/efi.
efi.efiSysMountPoint = "/boot/";
efi.canTouchEfiVariables = true;
# do not use systemd-boot here, it has problems when running `nixos-install`
grub = {
device = "nodev";
efiSupport = true;
};
};
# clear /tmp on boot to get a stateless /tmp directory.
boot.tmp.cleanOnBoot = true;
boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}
hosts/12kingdoms_suzu/impermanence.nix
+75
View File
@@ -0,0 +1,75 @@
{
impermanence,
pkgs,
...
}: {
imports = [
impermanence.nixosModules.impermanence
];
environment.systemPackages = [
# `sudo ncdu -x /`
pkgs.ncdu
];
# There are two ways to clear the root filesystem on every boot:
## 1. use tmpfs for /
## 2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
## boot.initrd.postDeviceCommands = ''
## mkdir -p /run/mymount
## mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
## btrfs subvolume delete /run/mymount
## btrfs subvolume snapshot / /run/mymount
## '';
#
# See also https://grahamc.com/blog/erase-your-darlings/
# NOTE: impermanence only mounts the directory/file list below to /persistent
# If the directory/file already exists in the root filesystem, you should
# move those files/directories to /persistent first!
environment.persistence."/persistent" = {
# sets the mount option x-gvfs-hide on all the bind mounts
# to hide them from the file manager
hideMounts = true;
directories = [
"/etc/NetworkManager/system-connections"
"/etc/ssh"
"/etc/nix/inputs"
"/etc/secureboot" # lanzaboote - secure boot
# my secrets
"/etc/agenix/"
"/var/log"
"/var/lib"
];
files = [
"/etc/machine-id"
];
# the following directories will be passed to /persistent/home/$USER
users.ryan = {
directories = [
"codes"
"nix-config"
"tmp"
{
directory = ".ssh";
mode = "0700";
}
# neovim / remmina / flatpak / ...
".local/share"
".local/state"
# language package managers
".npm"
".conda" # generated by `conda-shell`
"go"
];
files = [
".config/nushell/history.txt"
];
};
};
}
hosts/README.md
+24 -17
View File
@@ -5,29 +5,24 @@
1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use.
2. `idols`
1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
2. `aquamarine`: My NixOS virtual machine as a passby router(IPv4 only) to access the global internet.
4. `ruby`: Another NixOS vm with R9-5900HX(8C16T), for distributed building & testing.
3. `kana`: Yet another NixOS vm with R7-5225U(6C12T), for desktop testing.
3. `rolling_girls`: My RISCV64 hosts.
2. `aquamarine`: My NixOS virtual machine as a router(IPv4 only) with a tranparent proxy to bypass the G|F|W.
3. `ruby`: Another NixOS VM running operation and maintenance related services, such as prometheus, grafana, restic, etc.
4. `kana`: Yet another NixOS VM running some common applications, such as hompage, file browser, torrent downloader, etc.
3. Homelab:
1. `tailscale_gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox.
4. `rolling_girls`: My RISCV64 hosts.
1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 8GB RAM + 32G eMMC + 64G SD Card.
2. `yukina`: Lichee Pi 4A(Internal Test Version), TH1520(4xC910@2.0G), 8GB RAM + 8G eMMC + 128G SD Card.
3. `chiaya`: Milk-V Mars, JH7110(4xU74@1.5 GHz), 4G RAM + No eMMC + 64G SD Card.
4. `12kingdoms`:
1. `shoukei`: NixOS on Macbook Pro 2022 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
5. `12kingdoms`:
1. `shoukei`: NixOS on Macbook Pro 2020 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM + 256G SSD.
5. Homelab:
1. `tailscale_gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox.
1. `rakushun`: Orange Pi 5 Plus, RK3588(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 16G RAM + 2T SSD.
6. `kubernetes`: My Kubernetes Cluster
# idols - Oshi no Ko
## idols - Oshi no Ko
These four servers are named after the four main characters of the mange/anime Oshi no Ko, they form a NixOS distributed building cluster,
I usually run the build command on `Ai` and nix will distribute the build to other three machines, which is convenient and fast.
When building some packages for riscv64 or aarch64, I often have no cache available because of various changes under the hood, so I need to build much more packages than usual, which is one of the reasons why the cluster was originally built, and another reason is distributed building is cool!
![](/_img/nix-distributed-building.webp)
![](/_img/nix-distributed-building-log.webp)
These four servers are named after the four main characters of the mange/anime Oshi no Ko.
## rolling girls
@@ -35,6 +30,16 @@ My All RISCV64 hosts.
![](/_img/nixos-riscv-cluster.webp)
## Distributed Building
I usually run the build command on `Ai` and nix will distribute the build to other NixOS machines, which is convenient and fast.
When building some packages for riscv64 or aarch64, I often have no cache available because of various changes under the hood, so I need to build much more packages than usual, which is one of the reasons why the cluster was originally built, and another reason is distributed building is cool!
![](/_img/nix-distributed-building.webp)
![](/_img/nix-distributed-building-log.webp)
## References
[Oshi no Ko 【推しの子】 - Wikipedia](https://en.wikipedia.org/wiki/Oshi_no_Ko):
@@ -50,3 +55,5 @@ My All RISCV64 hosts.
![](/_img/12kingdoms-1.webp)
![](/_img/12kingdoms-Youko-Rakushun.webp)
[List of Frieren characters](https://en.wikipedia.org/wiki/List_of_Frieren_characters)
hosts/homelab_tailscale_gw/default.nix
+7 -6
View File
@@ -1,16 +1,14 @@
{vars_networking, ...}:
{vars_networking, mylib, ...}:
#############################################################
#
# Tailscale Gateway(homelab subnet router) - a NixOS VM running on Proxmox
#
#############################################################
let
hostName = "tailscale_gw"; # Define your hostname.
hostName = "tailscale-gw"; # Define your hostname.
hostAddress = vars_networking.hostAddress.${hostName};
in {
imports = [
./tailscale.nix
];
imports = mylib.scanPaths ./.;
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
@@ -24,7 +22,10 @@ in {
networking = {
inherit hostName;
inherit (vars_networking) defaultGateway nameservers;
inherit (vars_networking) nameservers;
# Use mainGateway instead of defaultGateway to make NAT Traversal work
defaultGateway = vars_networking.mainGateway;
networkmanager.enable = false;
interfaces.ens18 = {
hosts/idols_ai/README.md
+4
View File
@@ -4,6 +4,10 @@ Related:
- [/nixos-installer/README.md](/nixos-installer/README.md)
## TODOs
1. Install DCGM-Exporter on `ai` to monitor the GPU status.
## Info
disk status & mountpoints:
hosts/idols_ai/hardware-configuration.nix
+4
View File
@@ -56,6 +56,10 @@
# whether to allow TRIM requests to the underlying device.
# it's less secure, but faster.
allowDiscards = true;
# Whether to bypass dm-crypts internal read and write workqueues.
# Enabling this should improve performance on SSDs;
# https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance
bypassWorkqueues = true;
};
};
hosts/idols_ai/impermanence.nix
+20 -5
View File
@@ -72,6 +72,19 @@
directory = ".ssh";
mode = "0700";
}
# misc
".config/pulse"
".config/attic" # attic nix cache server
".pki"
".steam" # steam games
# cloud native
{
# pulumi - infrastructure as code
directory = ".pulumi";
mode = "0700";
}
{
directory = ".aws";
mode = "0700";
@@ -85,11 +98,6 @@
mode = "0700";
}
# misc
".config/pulse"
".pki"
".steam" # steam games
# remote desktop
".config/remmina"
".config/freerdp"
@@ -98,6 +106,12 @@
".config/emacs"
"org" # org files
# vscode
".vscode"
".vscode-insiders"
".config/Code/User"
".config/Code - Insiders/User"
# browsers
".mozilla"
".config/google-chrome"
@@ -108,6 +122,7 @@
# language package managers
".npm"
".conda" # generated by `conda-shell`
"go"
# neovim plugins(wakatime & copilot)
hosts/idols_aquamarine/README.md
+33 -1
View File
@@ -1,6 +1,38 @@
# Idols - Aquamarine
TODO: use aqua as a passby router(IPv4 only) to access the global internet.
A router(IPv4 only) with a tranparent proxy to bypass the G|F|W.
NOTE: dae(running on aquamarine) do not provides a http/socks5 proxy server, so a v2ray server is running on [idols_kana](../idols_kana/proxy.nix) to provides a http/socks5 proxy service.
## Troubleshooting
### Can not access the global internet
1. Check wether the subscription url is accessible.
- If not, then you need to get a new subscription url and update the `dae`'s configuration.
1. Check the `dae` service's log by `journalctl -u dae -n 1000`.
### DNS cannot be resolved
1. `sudo systemctl stop dae`, then try to resolve the domain name again.
- If it works, the problem is caused by `dae` service.
- check dae's log by `journalctl -u dae -n 1000`
1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`.
### DHCP cannot be obtained
1. `ss -tunlp`, check if `dnsmasq` is running and listening on udp port 67.
1. `journalctl -u dnsmasq -n 1000` to check the log of `dnsmasq`.
1. Request a new IP address by disconnect and reconnect one of your devices' wifi.
1. `nix shell nixpkgs#dhcpdump` and then `sudo dhcpdump -i br-lan`, check if the DHCP request is received by `dnsmasq`.
1. The server listens on UDP port number 67, and the client listens on UDP port number 68.
1. DHCP operations fall into four phases:
1. Server **discovery**: The DHCP client broadcasts a DHCPDISCOVER message on the network subnet using the destination address 255.255.255.255 (limited broadcast) or the specific subnet broadcast address (directed broadcast).
1. IP lease **offer**: When a DHCP server receives a DHCPDISCOVER message from a client, which is an IP address lease request, the DHCP server reserves an IP address for the client and makes a lease offer by sending a DHCPOFFER message to the client.
1. IP lease **request**: In response to the DHCP offer, the client replies with a DHCPREQUEST message, broadcast to the server,[a] requesting the offered address.
1. IP lease **acknowledgement**: When the DHCP server receives the DHCPREQUEST message from the client, it sends a DHCPACK packet to the client, which includes the lease duration and any other configuration information that the client might have requested.
1. So if you see only `DISCOVER` messages, the dhsmasq is not working properly.
## References
hosts/idols_aquamarine/bypass-router.dae → hosts/idols_aquamarine/config.dae
+166 -79
View File
@@ -1,3 +1,10 @@
# https://github.com/daeuniverse/dae/discussions/81
# https://github.com/daeuniverse/dae/blob/main/example.dae
# load all dae files placed in ./config.d/
include {
config.d/*.dae
}
global {
##### Software options.
@@ -11,7 +18,7 @@ global {
# If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
# rules.
so_mark_from_dae: 0
so_mark_from_dae: 1
# Log level: error, warn, info, debug, trace.
log_level: info
@@ -24,20 +31,17 @@ global {
# The LAN interface to bind. Use it if you want to proxy LAN.
# Multiple interfaces split by ",".
lan_interface: ens18
lan_interface: br-lan
# The WAN interface to bind. Use it if you want to proxy localhost.
# Multiple interfaces split by ",". Use "auto" to auto detect.
wan_interface: auto
#
# Disable this to avoid problems with the proxy server that prevent the subscription link from being updated
# wan_interface: auto
# Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
auto_config_kernel_parameter: true
# Automatically configure firewall rules like firewalld and fw4.
# firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
# fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
auto_config_firewall_rule: true
auto_config_kernel_parameter: false
##### Node connectivity check.
@@ -98,30 +102,11 @@ global {
utls_imitate: chrome_auto
}
# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
subscription {
# Add your subscription links here.
'file://mysubscription-1.sub' # the path is related to /etc/dae/
'file://mysubscription-2.sub'
}
# Nodes defined here will be merged as a part of the global node pool.
node {
# Add your node links here.
# Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, etc.
# Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
# mylink: 'ss://LINK'
# node1: 'vmess://LINK'
# node2: 'vless://LINK'
# chains: 'tuic://LINK -> vmess://LINK'
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
dns {
# For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
# respond to type A queries and response empty answer to type AAAA queries.
#ipversion_prefer: 4
ipversion_prefer: 4
# Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
# for these domains.
@@ -137,8 +122,8 @@ dns {
# Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
# If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
alidns: 'udp://dns.alidns.com:53'
googledns: 'tcp+udp://dns.google.com:53'
alidns: 'udp://223.5.5.5:53'
googledns: 'tcp+udp://8.8.8.8:53'
}
routing {
# According to the request of dns query, decide to use which DNS upstream.
@@ -148,70 +133,105 @@ dns {
qname(geosite:cn) -> alidns
# fallback is also called default.
fallback: googledns
# other custom rules
qname(full:analytics.google.com) -> googledns # do not block google analytics(console)
qname(regex: '.+\.nixos.org$') -> googledns
qname(geosite:category-ads) -> reject
qname(geosite:category-ads-all) -> reject
qtype(aaaa) -> reject
qname(regex: '.+\.linkedin$') -> googledns
}
# According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
# Match rules from top to bottom.
response {
# Trusted upstream. Always accept its result.
upstream(googledns) -> accept
# Possibly polluted(domain resolved to a private ip), re-lookup using googledns.
ip(geoip:private) && !qname(geosite:cn) -> googledns
fallback: accept
}
}
# routing {
# # According to the request of dns query, decide to use which DNS upstream.
# # Match rules from top to bottom.
# request {
# # fallback is also called default.
# fallback: alidns
# }
# # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
# # Match rules from top to bottom.
# response {
# # Trusted upstream. Always accept its result.
# upstream(googledns) -> accept
# # Possibly polluted, re-lookup using googledns.
# ip(geoip:private) && !qname(geosite:cn) -> googledns
# # fallback is also called default.
# fallback: accept
# }
# }
}
# Node group (outbound).
group {
my_group {
# No filter. Use all nodes.
# Randomly select a node from the group for every connection.
#policy: random
# Select the first node from the group for every connection.
#policy: fixed(0)
# Select the node with min last latency from the group for every connection.
#policy: min
# Select the node with min moving average of latencies from the group for every connection.
policy: min_moving_avg
}
group2 {
# Filter nodes from the global node pool defined by the subscription and node section above.
#filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
# Filter nodes from the global node pool defined by tag.
#filter: name(node1, node2)
proxy {
filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
# Filter nodes and give a fixed latency offset to archive latency-based failover.
# In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
filter: name(HK_node)
filter: name(US_node) [add_latency: -500ms]
filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
# filter: name(keyword: '英国') [add_latency: -300ms]
# filter: name(keyword: 'Japan') [add_latency: 300ms]
# filter: name(keyword: '日本') [add_latency: 300ms]
# Other filters:
# Filter nodes from the global node pool defined by the subscription and node section above.
# filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
# Filter nodes from the global node pool defined by tag.
# filter: name('node_a','node_b')
# Select the node with min average of the last 10 latencies from the group for every connection.
policy: min_avg10
# Other policies:
# random - Randomly select a node from the group for every connection.
# fixed(0) - Select the first node from the group for every connection.
# min - Select the node with min last latency from the group for every connection.
# min_moving_avg - Select the node with min moving average of latencies from the group for every connection.
}
media {
filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
filter: name(keyword: '英国') [add_latency: -300ms]
filter: name(keyword: 'Japan') [add_latency: 300ms]
filter: name(keyword: '日本') [add_latency: 300ms]
policy: min_avg10
}
ssh-proxy {
filter: name(keyword: 'UK')
filter: name(keyword: '英国')
policy: min_avg10
}
sg {
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
policy: min_avg10
}
usa {
filter: name(keyword: 'USA')
filter: name(keyword: '美国')
policy: min_avg10
}
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
# Pname has the highest priority, so should be placed in the front.
# Priority of other rules is the same as the order of the rules defined in this file.
routing {
### Preset rules.
# Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
# WAN.
# Network managers in localhost should be direct to
# avoid false negative network connectivity check when binding to WAN.
pname(NetworkManager) -> direct
pname(systemd-networkd) -> direct
# Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
# forwarded by the proxy.
@@ -222,12 +242,79 @@ routing {
# private addresses in your proxy host network, modify the below line.
dip(geoip:private) -> direct
### Write your rules below.
# --- Core rules ---#
# Disable h3 because it usually consumes too much cpu/mem resources.
# Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
l4proto(udp) && dport(443) -> block
# Direct access to all Chinese mainland-related IP addresses
dip(geoip:cn) -> direct
domain(geosite:cn) -> direct
fallback: my_group
# Block ads
domain(full:analytics.google.com) -> proxy # do not block google analytics(console)
domain(geosite:category-ads) -> block
domain(geosite:category-ads-all) -> block
# DNS
dip(8.8.8.8, 8.8.4.4) -> proxy
dip(223.5.5.5, 223.6.6.6) -> direct
domain(full:dns.alidns.com) -> direct
domain(full:dns.googledns.com) -> proxy
domain(full:dns.opendns.com) -> proxy
# --- Rules for other commonly used sites ---#
# SSH - tcp port 22 is blocked by many proxy servers.
dport(22) && !dip(geoip:cn) && !domain(geosite:cn) -> ssh-proxy
### OpenAI
domain(geosite:openai) -> sg
domain(regex:'.+\.openai$') -> sg
### Media
domain(geosite:netflix) -> media
### Proxy
domain(suffix: linkedin.com) -> proxy
domain(keyword:'linkedin') -> proxy
domain(regex:'.+\.linkedin\.com$') -> proxy
domain(regex:'.+\.quay\.io$') -> proxy
domain(regex:'.+\.notion\.so$') -> proxy
domain(regex:'.+\.amazon\.com$') -> proxy
domain(regex:'.+\.oracle\.com$') -> proxy
domain(regex:'.+\.docker\.com$') -> proxy
domain(regex:'.+\.kubernetes\.io$') -> proxy
domain(regex:'.+\.nixos\.org$') -> proxy
domain(geosite:microsoft) -> proxy
domain(geosite:linkedin) -> proxy
domain(geosite:twitter) -> proxy
domain(geosite:telegram) -> proxy
domain(geosite:google) -> proxy
domain(geosite:apple) -> proxy
domain(geosite:category-container) -> proxy
domain(geosite:category-dev) -> proxy
domain(geosite:google-scholar) -> proxy
domain(geosite:category-scholar-!cn) -> proxy
### Direct
domain(regex:'.+\.edu\.cn$') -> direct
domain(keyword:'baidu') -> direct
domain(keyword:'bilibili') -> direct
domain(keyword:'taobao') -> direct
domain(keyword:'alibabadns') -> direct
domain(keyword:'alicdn') -> direct
domain(keyword:'tbcache') -> direct
domain(keyword:'zhihu') -> direct
domain(keyword:'douyu') -> direct
domain(geosite:cloudflare-cn) -> direct
# --- Fallback rules ---#
# Access all other foreign sites
domain(geosite:geolocation-!cn) -> proxy
!dip(geoip:cn) -> proxy
fallback: direct
}
hosts/idols_aquamarine/dae.nix
+48 -2
View File
@@ -1,11 +1,57 @@
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/dae.nix
{
config,
pkgs,
daeuniverse,
...
}:
# https://github.com/daeuniverse/flake.nix
let
daeConfigPath = "/etc/dae/config.dae";
subscriptionConfigPath = "/etc/dae/config.d/subscription.dae";
in {
imports = [
daeuniverse.nixosModules.dae
daeuniverse.nixosModules.daed
];
# dae - eBPF-based Linux high-performance transparent proxy.
services.dae = {
enable = true;
package = daeuniverse.packages.${pkgs.system}.dae;
disableTxChecksumIpGeneric = false;
configFile = daeConfigPath;
assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
# alternatively, specify assets dir
# assetsPath = "/etc/dae";
openFirewall = {
enable = true;
port = 12345;
};
configFile = ./bypass-router.dae;
};
# dae supports two types of subscriptions: base64 encoded proxies, and sip008.
# subscription can be a url return the subscription, or a file path that contains the subscription.
#
# Nix decrypt and merge my dae's base config and subscription config here.
# the subscription config is something like:
# ```
# subscription {
# 'https://www.example.com/subscription/link'
# 'https://example.com/no_tag_link'
# }
# node {
# # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity
# node_a: 'trojan://'
# node_b: 'trojan://'
# node_c: 'vless://'
# node_d: 'vless://'
# node_e: 'vmess://'
# node_f: 'tuic://'
# node_h: 'juicity://'
# }
# ```
system.activationScripts.installDaeConfig = ''
install -Dm 600 ${./config.dae} ${daeConfigPath}
install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath}
'';
}
hosts/idols_aquamarine/default.nix
+3 -14
View File
@@ -6,39 +6,28 @@
#############################################################
let
hostName = "aquamarine"; # Define your hostname.
hostAddress = vars_networking.hostAddress.${hostName};
in {
imports = [
./router.nix
./dae.nix
];
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
"btrfs"
"xfs"
#"zfs"
"ntfs"
"fat"
"vfat"
"exfat"
"cifs" # mount windows share
];
boot.kernelModules = ["kvm-amd" "kvm-intel"];
boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {
inherit hostName;
inherit (vars_networking) defaultGateway nameservers;
networkmanager.enable = false;
interfaces.ens18 = {
useDHCP = false;
ipv4.addresses = [hostAddress];
};
inherit (vars_networking) nameservers;
};
# This value determines the NixOS release from which the default
hosts/idols_aquamarine/router.nix
+90 -27
View File
File diff suppressed because one or more lines are too long
hosts/idols_kana/README.md
+16
View File
@@ -0,0 +1,16 @@
# Idols - Kana
Host running some common applications, such as hompage, file browser, torrent downloader, etc.
All the services assumes a reverse proxy to be setup in the front, they are all listening on localhost,
and a caddy service is listening on the local network interface and proxy the requests to the services.
## Services
1. dashy: Homepage
1. ddns
1. transmission & AriaNg: Torrent downloader and HTTP downloader
1. uptime-kuma: uptime monitoring
1. alist/filebrower: File browser for local/SMB/Cloud
1. excalidraw/DDTV/owncast/jitsi-meet/...
hosts/idols_kana/caddy.nix
+48
View File
@@ -0,0 +1,48 @@
{useremail, ...}: {
services.caddy = {
enable = true;
# Reload Caddy instead of restarting it when configuration file changes.
enableReload = true;
user = "caddy"; # User account under which caddy runs.
dataDir = "/var/lib/caddy";
logDir = "/var/log/caddy";
# Additional lines of configuration appended to the global config section of the Caddyfile.
# Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
globalConfig = ''
http_port 80
https_port 443
auto_https off
'';
# ACME related settings.
# email = useremail;
# acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
virtualHosts."http://dashy.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:4000
'';
virtualHosts."http://transmission.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9091
'';
virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3001
'';
virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:5010
'';
virtualHosts."http://webdav.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:5005
'';
virtualHosts."http://home.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:8082
'';
};
networking.firewall.allowedTCPPorts = [80 443];
}
hosts/idols_kana/default.nix
+8 -4
View File
@@ -1,4 +1,8 @@
{vars_networking, ...}:
{
vars_networking,
mylib,
...
}:
#############################################################
#
# Kana - a NixOS VM running on Proxmox
@@ -8,8 +12,8 @@ let
hostName = "kana"; # Define your hostname.
hostAddress = vars_networking.hostAddress.${hostName};
in {
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
imports = mylib.scanPaths ./.;
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
@@ -23,7 +27,7 @@ in {
"cifs" # mount windows share
];
boot.kernelModules = ["kvm-amd" "kvm-intel"];
boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {
hosts/idols_kana/homepage/README.md
+4
View File
@@ -0,0 +1,4 @@
# Homepage for my Homelab
> WIP, just a demo for now
hosts/idols_kana/homepage/config/bookmarks.yaml
+9
View File
@@ -0,0 +1,9 @@
---
- About Me:
- Blog:
- abbr: Blog
href: https://thiscute.world/
- Github:
- abbr: GH
href: https://github.com/ryan4yin
hosts/idols_kana/homepage/config/docker.yaml
+3
View File
@@ -0,0 +1,3 @@
# kana-docker:
# socket: /var/run/docker.sock
#
hosts/idols_kana/homepage/config/images/rolling-girls.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.5 MiB

hosts/idols_kana/homepage/config/kubernetes.yaml
+8
View File
@@ -0,0 +1,8 @@
# https://gethomepage.dev/latest/configs/kubernetes/
# uses the default kubeconfig to access the cluster
# read kubbecofig from $KUBECONFIG or $HOME/.kube/config
# mode: default
mode: disabled
hosts/idols_kana/homepage/config/services.yaml
+69
View File
@@ -0,0 +1,69 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/services
- Proxmox VE 虚拟化集群:
- PVE-UM560:
icon: si-proxmox
href: https://192.168.5.173:8006/
description: 'CPU: R5-5625U / MEM: 32G / DISK: 512G+4T*2'
siteMonitor: https://192.168.5.173:8006/
- PVE-S500Plus:
icon: si-proxmox
href: https://192.168.5.174:8006/
description: 'CPU: R7-5825U / MEM: 64G / DISK: 1T'
siteMonitor: https://192.168.5.174:8006/
- PVE-GTR5:
icon: si-proxmox
href: https://192.168.5.172:8006/
description: 'CPU: R9-5900HX / MEM: 64G / DISK: 1T'
siteMonitor: https://192.168.5.172:8006/
- Homelab Monitoring:
- Grafana:
icon: si-grafana
href: http://grafana.writefor.fun
description: Data visualised on dashboards
siteMonitor: http://grafana.writefor.fun
- Prometheus Dashboard:
icon: si-prometheus
href: http://prometheus.writefor.fun
description: Monitoring - Prometheus
siteMonitor: http://prometheus.writefor.fun
- Uptime Kuma:
icon: si-uptimekuma
href: http://uptime-kuma.writefor.fun
description: Uptime Checking
siteMonitor: http://uptime-kuma.writefor.fun
- Homelab Applications:
- SFTPGO:
icon: sftpgo.png
href: "http://sftpgo.writefor.fun/web/admin/folders"
description: WebDAV & SFTP server
siteMonitor: http://sftpgo.writefor.fun/
# - Kubernetes Monitoring:
# # TODO: Update this
# - Emby:
# icon: emby.png
# href: "http://emby.home/"
# description: Media server
# namespace: media # The kubernetes namespace the app resides in
# app: emby # The name of the deployed app
#
# - Element Chat:
# icon: matrix-light.png
# href: https://chat.example.com
# description: Matrix Synapse Powered Chat
# app: matrix-element
# namespace: comms
# pod-selector: >-
# app.kubernetes.io/instance in (
# matrix-element,
# matrix-media-repo,
# matrix-media-repo-postgresql,
# matrix-synapse
# )
hosts/idols_kana/homepage/config/settings.yaml
+83
View File
@@ -0,0 +1,83 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/settings
title: Ryan Yin's Homelab
base: http://home.writefor.fun/
favicon: https://thiscute.world/favicon.ico
# https://developer.mozilla.org/en-US/docs/Web/Manifest/start_url
# Used by some browsers to determine the start page of the web application
startUrl: http://home.writefor.fun/
language: zh
# Define shared API provider options and secrets here,
# You can then pass provider instead of apiKey in your widget configuration.
providers:
# read api keys from environment variables
openweathermap: {{HOMEPAGE_VAR_WEATHERAPI_APIKEY}}
weatherapi: {{HOMEPAGE_VAR_WEATHERAPI_APIKEY}}
background:
image: /images/rolling-girls.png
blur: sm # sm, "", md, xl... see https://tailwindcss.com/docs/backdrop-blur
saturate: 50 # 0, 50, 100... see https://tailwindcss.com/docs/backdrop-saturate
brightness: 50 # 0, 50, 75... see https://tailwindcss.com/docs/backdrop-brightness
opacity: 50 # 0-100
theme: dark # or light
# Supported colors are:
# slate, gray, zinc, neutral, stone, amber,
# yellow, lime, green, emerald, teal, cyan,
# sky, blue, indigo, violet, purple, fuchsia, pink, rose, red, white
color: indigo
# make all cards in a row the same height.
useEqualHeights: true
# Groups and its layout
# Groups Name should match the name defined in your services.yaml or widgets.yaml
layout:
Proxmox VE 虚拟化集群:
icon: si-proxmox
tab: First
Group A:
initiallyCollapsed: true # collasped by default
tab: First
style: row
columns: 4
Second Service Group:
useEqualHeights: true # overrides global setting
tab: Second
columns: 4
Third Service Group:
tab: Third
style: row
Bookmark Group on Fourth Tab:
tab: Fourth
Service Group on every Tab:
style: row
columns: 4
# https://gethomepage.dev/latest/configs/services/#icons
# iconStyle: theme # optional, defaults to gradient
# Typing in homepage to quick search
quicklaunch:
searchDescriptions: true
hideInternetSearch: true
showSearchSuggestions: true
hideVisitURL: true
# Show docker stats
showStats: true
hideErrors: false
hosts/idols_kana/homepage/config/widgets.yaml
+21
View File
@@ -0,0 +1,21 @@
# TODO: add access to kubernetes cluster
# - kubernetes:
# cluster:
# show: true
# cpu: true
# memory: true
# showLabel: true
# label: "cluster"
# nodes:
# show: true
# cpu: true
# memory: true
# showLabel: true
# - resources:
# backend: resources
# expanded: true
# cpu: true
# memory: true
- search:
provider: google
target: _blank
hosts/idols_kana/homepage/default.nix
+25
View File
@@ -0,0 +1,25 @@
{pkgs, ...}: let
configDir = "/var/lib/homepage-dashboard";
in {
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/homepage-dashboard.nix
services.homepage-dashboard = {
enable = true;
listenPort = 8082;
openFirewall = false;
};
systemd.services.homepage-dashboard.environment = {
HOMEPAGE_CONFIG_DIR = configDir;
# 1. The value of env var HOMEPAGE_VAR_XXX will replace {{HOMEPAGE_VAR_XXX}} in any config
# HOMEPAGE_VAR_XXX_APIKEY = "myapikey";
# 2. The value of env var HOMEPAGE_FILE_XXX must be a file path,
# the contents of which will be used to replace {{HOMEPAGE_FILE_XXX}} in any config
};
# Install the homepage-dashboard configuration files
system.activationScripts.installHomepageDashboardConfig = ''
mkdir -p configDir
${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F600 ${./config}/ ${configDir}/
${pkgs.systemdMinimal}/bin/systemctl restart homepage-dashboard
'';
}
hosts/idols_kana/oci-containers/dashy/default.nix
+26
View File
@@ -0,0 +1,26 @@
{
# Replace dashy with gethomepage, because dashy is too slow to start/reload.
# # Install the dashy configuration file instaed of symlink it
# system.activationScripts.installDashyConfig = ''
# install -Dm 600 ${./dashy_conf.yml} /etc/dashy/dashy_conf.yml
# '';
#
# # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/virtualisation/oci-containers.nix
# virtualisation.oci-containers.containers = {
# # check its logs via `journalctl -u podman-dashy`
# dashy = {
# hostname = "dashy";
# image = "lissy93/dashy:latest";
# ports = ["127.0.0.1:4000:80"];
# environment = {
# "NODE_ENV" = "production";
# };
# volumes = [
# "/etc/dashy/dashy_conf.yml:/app/public/conf.yml"
# ];
# autoStart = true;
# # cmd = [];
# };
# };
}
hosts/idols_kana/oci-containers/default.nix
+28
View File
@@ -0,0 +1,28 @@
{
lib,
mylib,
...
}: {
imports = mylib.scanPaths ./.;
virtualisation = {
docker.enable = lib.mkForce false;
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
# Periodically prune Podman resources
autoPrune = {
enable = true;
dates = "weekly";
flags = ["--all"];
};
};
oci-containers = {
backend = "podman";
};
};
}
hosts/idols_kana/proxy.nix
+90
View File
@@ -0,0 +1,90 @@
{
# dae(running on aquamarine) do not provides http/socks5 proxy server; so we use v2ray here.
# https=//github.com/v2fly
services.v2ray = {
enable = true;
config = {
# for monitoring
"stats" = {};
"api" = {
"tag" = "api";
"services" = [
"StatsService"
];
};
"policy" = {
"levels" = {
"0" = {
"statsUserUplink" = true;
"statsUserDownlink" = true;
};
};
"system" = {
"statsInboundUplink" = true;
"statsInboundDownlink" = true;
"statsOutboundUplink" = true;
"statsOutboundDownlink" = true;
};
};
inbounds = [
# core inbound
{
listen = "0.0.0.0";
port = 7890;
protocol = "http";
}
{
listen = "0.0.0.0";
port = 7891;
protocol = "socks";
settings = {
auth = "noauth";
udp = true;
};
}
# for monitoring
{
"tag" = "api";
"listen" = "127.0.0.1";
"port" = 54321;
"protocol" = "dokodemo-door";
"settings" = {
"address" = "127.0.0.1";
};
}
];
outbounds = [
# forward traffic directly via system's default network(to dae proxy running on aquamarine)
{
protocol = "freedom";
tag = "freedom";
}
];
# for monitoring
"routing" = {
"rules" = [
{
"inboundTag" = [
"api"
];
"outboundTag" = "api";
"type" = "field";
}
];
};
};
};
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/v2ray.nix
# https://github.com/wi1dcard/v2ray-exporter
services.prometheus.exporters.v2ray = {
enable = true;
listenAddress = "0.0.0.0";
port = 9153;
openFirewall = false;
v2rayEndpoint = "127.0.0.1:54321";
};
}
hosts/idols_kana/sftpgo.nix
+97
View File
@@ -0,0 +1,97 @@
{config, ...}: {
# Read SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD from a file
systemd.services.sftpgo.serviceConfig.EnvironmentFile = config.age.secrets."sftpgo.env".path;
services.sftpgo = {
enable = true;
user = "sftpgo";
dataDir = "/var/lib/sftpgo";
extraArgs = [
"--log-level"
"info"
];
# https://github.com/drakkan/sftpgo/blob/2.5.x/docs/full-configuration.md
settings = {
common = {
# Auto-blocking policy for SFTPGo and thus helps to prevent DoS (Denial of Service) and brute force password guessing.
defender = {
enable = true;
};
};
# Where to store stfpgo's data
data_provider = {
driver = "sqlite";
name = "sftpgo.db";
password_hashing = {
algo = "argon2id";
# options for argon2id hashing algorithm.
# The memory and iterations parameters control the computational cost of hashing the password.
argon2_options = {
memory = 65536; # KiB
iterations = 2; # The number of iterations over the memory.
parallelism = 2; # The number of threads (or lanes) used by the algorithm.
};
};
password_validation = {
# What Entropy Value Should I Use?
# somewhere in the 50-70 range seems "reasonable".
# https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
admins.min_entropy = 60;
users.min_entropy = 60;
};
# Cache passwords in memory to avoid hashing the same password multiple times(it costs).
password_caching = true;
# create the default admin user via environment variables
# SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD
create_default_admin = true;
};
# WebDAV is a popular protocol for file sharing, better than CIFS/SMB, NFS, etc.
# it's save to use WebDAV over HTTPS on public networks.
webdavd.bindings = [
{
address = "127.0.0.1";
port = 5005;
}
];
# HTTP Server provides a simple web interface to manage the server.
httpd.bindings = [
{
address = "127.0.0.1";
enable_https = false;
port = 5010;
client_ip_proxy_header = "X-Forwarded-For";
# a basic built-in web interface that allows you to manage users,
# virtual folders, admins and connections.
# url: http://127.0.0.1:8080/web/admin
enable_web_admin = true;
# A basic front-end web interface for your users.
# It allows end-users to browse and manage their files and change their credentials.
enable_web_client = true;
enable_rest_api = true;
}
];
# prometheus metrics
telemetry = {
bind_port = 10000;
bind_address = "0.0.0.0";
# auth_user_file = "";
};
# multi-factor authentication settings
mfa.totp = [
{
# Unique configuration name, not visible to the authentication apps.
# Should not to be changed after the first user has been created.
name = "SFTPGo";
# Name of the issuing Organization/Company
issuer = "SFTPGo";
# Algorithm to use for HMAC
# Currently Google Authenticator app on iPhone seems to only support sha1
algo = "sha1";
}
];
# SMTP configuration enables SFTPGo email sending capabilities
# smtp = {};
};
};
}
hosts/idols_kana/transmission.nix
+117
View File
@@ -0,0 +1,117 @@
{
config,
username,
...
}: let
dataDir = "/var/lib/transmission";
name = "transmission";
in {
# the headless Transmission BitTorrent daemon
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/torrent/transmission.nix
# https://wiki.archlinux.org/title/transmission
services.transmission = {
enable = true;
user = name;
group = name;
home = dataDir;
downloadDirPermissions = "0770";
# Whether to enable tweaking of kernel parameters to open many more connections at the same time.
# Note that you may also want to increase peer-limit-global.
# And be aware that these settings are quite aggressive and might not suite your regular desktop use.
# For instance, SSH sessions may time out more easily.
performanceNetParameters = true;
# Path to a JSON file to be merged with the settings.
# Useful to merge a file which is better kept out of the Nix store to set secret config parameters like `rpc-password`.
credentialsFile = config.age.secrets."transmission-credentials.json".path;
# Whether to open the RPC port in the firewall.
openRPCPort = false;
openPeerPorts = true;
# https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md
settings = {
# 0 = None, 1 = Critical, 2 = Error, 3 = Warn, 4 = Info, 5 = Debug, 6 = Trace;
message-level = 3;
# Encryption may help get around some ISP filtering,
# but at the cost of slightly higher CPU use.
# 0 = Prefer unencrypted connections,
# 1 = Prefer encrypted connections,
# 2 = Require encrypted connections; default = 1)
encryption = 2;
# rpc = Web Interface
rpc-port = 9091;
rpc-bind-address = "127.0.0.1";
anti-brute-force-enabled = true;
# After this amount of failed authentication attempts is surpassed,
# the RPC server will deny any further authentication attempts until it is restarted.
# This is not tracked per IP but in total.
anti-brute-force-threshold = 20;
rpc-authentication-required = true;
# Comma-delimited list of IP addresses.
# Wildcards allowed using '*'. Example: "127.0.0.*,192.168.*.*",
rpc-whitelist-enabled = true;
rpc-whitelist = "127.0.0.*,192.168.*.*";
# Comma-delimited list of domain names.
# Wildcards allowed using '*'. Example: "*.foo.org,example.com",
rpc-host-whitelist-enabled = true;
rpc-host-whitelist = "*.writefor.fun,localhost,192.168.5.*";
rpc-user = username;
rpc-username = username;
# rpc-password = "test"; # you'd better use the credentialsFile for this.
incomplete-dir-enabled = true;
incomplete-dir = "${dataDir}/incomplete";
download-dir = "${dataDir}/downloads";
# Watch a directory for torrent files and add them to transmission.
watch-dir-enabled = false;
watch-dir = "${dataDir}/watch";
# Whether to enable Micro Transport Protocol (µTP).
utp-enabled = true;
# Executable to be run at torrent completion.
script-torrent-done-enabled = false;
# script-torrent-done-filename = "/path/to/script";
# Enable Local Peer Discovery (LPD).
lpd-enabled = true;
# The peer port to listen for incoming connections.
peer-port = 51413;
# Enable UPnP or NAT-PMP to forward a port through your firewall(NAT).
# https://github.com/transmission/transmission/blob/main/docs/Port-Forwarding-Guide.md
port-forwarding-enabled = true;
# "normal" speed limits
speed-limit-down-enabled = true;
speed-limit-down = 30000; # KB/s
speed-limit-up-enabled = true;
speed-limit-up = 500; # KB/s
upload-slots-per-torrent = 8;
# Start torrents as soon as they are added
start-added-torrents = true;
# Queuing
# When true, Transmission will only download
# download-queue-size non-stalled torrents at once.
download-queue-enabled = true;
download-queue-size = 5;
# When true, torrents that have not shared data for
# queue-stalled-minutes are treated as 'stalled'
# and are not counted against the queue-download-size
# and seed-queue-size limits.
queue-stalled-enabled = true;
queue-stalled-minutes = 60;
# When true. Transmission will only seed seed-queue-size
# non-stalled torrents at once.
seed-queue-enabled = true;
seed-queue-size = 10;
};
};
}
hosts/idols_kana/uptime-kuma.nix
+12
View File
@@ -0,0 +1,12 @@
{
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/uptime-kuma.nix
services.uptime-kuma = {
enable = true;
# https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
settings = {
"UPTIME_KUMA_HOST" = "127.0.0.1";
"UPTIME_KUMA_PORT" = "3001";
"DATA_DIR" = "/var/lib/uptime-kuma/";
};
};
}
hosts/idols_ruby/README.md
+14
View File
@@ -0,0 +1,14 @@
# Idols - Ruby
Host running operation and maintenance related services:
1. Backup or sync my personal data to cloud or NAS.
- For safety, those data should be encrypted before sending to the cloud or my NAS.
1. Collect and monitor the metrics/logs of my homelab.
## Services
1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
1. restic: Backup my personal data to cloud or NAS.
1. synthing: Sync file between android/macbook/PC and NAS.
hosts/idols_ruby/attic.nix
+74
View File
@@ -0,0 +1,74 @@
{
config,
attic,
...
}: {
#=====================================================
#
# Attic
#
# A self-hostable Nix Binary Cache server
# backed by an S3-compatible storage provider
#
# https://docs.attic.rs/tutorial.html
#
#=====================================================
imports = [
attic.nixosModules.atticd
];
# Self-Hosted Nix Cache Server
# https://github.com/zhaofengli/attic
#
# The first thing to do after setting up the server is:
# 1. Generate a admin token on the server via command:
# `sudo atticd-atticadm make-token --sub "admin-1" --validity "2y" --pull "*" --push "*" --delete "*" --create-cache "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*"`
# 2. Login at the desktop via command:
# `attic login central http://attic.writefor.fun <TOKEN>`
# 3. Create a new cache via command:
# `attic cache create rk3588`
# `attic use cache rk3588`
# 4. Push Caches to the cache server via:
# it's similar to cachix, related docs:
# https://docs.attic.rs/reference/attic-cli.html
# https://docs.cachix.org/pushing#pushing
services.atticd = {
enable = true;
# Replace with absolute path to your credentials file
# The HS256 JWT secret can be generated with the openssl:
# openssl rand 64 | base64 -w0
#
# Content:
# ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
credentialsFile = config.age.secrets."attic-nix-cache-server.env".path;
settings = {
listen = "[::]:8888";
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
};
};
}
hosts/idols_ruby/caddy.nix
+40
View File
@@ -0,0 +1,40 @@
{useremail, ...}: {
services.caddy = {
enable = true;
# Reload Caddy instead of restarting it when configuration file changes.
enableReload = true;
user = "caddy"; # User account under which caddy runs.
dataDir = "/var/lib/caddy";
logDir = "/var/log/caddy";
# Additional lines of configuration appended to the global config section of the Caddyfile.
# Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
globalConfig = ''
http_port 80
https_port 443
auto_https off
'';
# ACME related settings.
# email = useremail;
# acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
virtualHosts."http://grafana.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3000
'';
virtualHosts."http://prometheus.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9090
'';
virtualHosts."http://alertmanager.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9093
'';
virtualHosts."http://attic.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:8888
'';
};
networking.firewall.allowedTCPPorts = [80 443];
}
hosts/idols_ruby/default.nix
+8 -4
View File
@@ -1,4 +1,8 @@
{vars_networking, ...}:
{
vars_networking,
mylib,
...
}:
#############################################################
#
# Ruby - a NixOS VM running on Proxmox
@@ -8,8 +12,8 @@ let
hostName = "ruby"; # Define your hostname.
hostAddress = vars_networking.hostAddress.${hostName};
in {
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
imports = mylib.scanPaths ./.;
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
@@ -23,7 +27,7 @@ in {
"cifs" # mount windows share
];
boot.kernelModules = ["kvm-amd" "kvm-intel"];
boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {
hosts/idols_ruby/exporters/default.nix
+3
View File
@@ -0,0 +1,3 @@
{mylib, ...}: {
imports = mylib.scanPaths ./.;
}
hosts/idols_ruby/exporters/pve.nix
+4
View File
@@ -0,0 +1,4 @@
{
# TODO
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/pve.nix
}
hosts/idols_ruby/grafana/dashboards.yml
+20
View File
@@ -0,0 +1,20 @@
apiVersion: 1
providers:
# <string> an unique provider name. Required
- name: 'Dashboards'
# <int> Org id. Default to 1
orgId: 1
# <string> provider type. Default to 'file'
type: file
# <bool> disable dashboard deletion
disableDeletion: false
# <int> how often Grafana will scan for changed dashboards
updateIntervalSeconds: 20
# <bool> allow updating provisioned dashboards from the UI
allowUiUpdates: false
options:
# <string, required> path to dashboard files on disk. Required when using the 'file' type
path: /etc/grafana/dashboards
# <bool> use folder names from filesystem to create folders in Grafana
foldersFromFilesStructure: true
hosts/idols_ruby/grafana/dashboards/README.md
+11
View File
@@ -0,0 +1,11 @@
# Grafana Dashbaords
## Homelab
1. https://grafana.com/grafana/dashboards/1860-node-exporter-full/
2. https://grafana.com/grafana/dashboards/9578-alertmanager/
## Kubernetes
1. https://github.com/dotdc/grafana-dashboards-kubernetes/
hosts/idols_ruby/grafana/dashboards/homelab/alertmanager-9578_rev4.json
+11216
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/dashboards/homelab/node-exporter-full-1860_rev33.json
+23821
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/dashboards/kubernetes/k8s-addons-prometheus.json
+3150
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/dashboards/kubernetes/k8s-addons-trivy-operator.json
+2696
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/dashboards/kubernetes/k8s-system-api-server.json
+1363
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/dashboards/kubernetes/k8s-system-coredns.json
+1634
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/dashboards/kubernetes/k8s-views-global.json
+2989
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/dashboards/kubernetes/k8s-views-namespaces.json
+2307
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/dashboards/kubernetes/k8s-views-nodes.json
+3939
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/dashboards/kubernetes/k8s-views-pods.json
+2674
View File
File diff suppressed because it is too large Load Diff
hosts/idols_ruby/grafana/datasources.yml
+21
View File
@@ -0,0 +1,21 @@
# https://grafana.com/docs/grafana/latest/datasources/prometheus/
apiVersion: 1
datasources:
- name: prometheus-homelab
type: prometheus
access: proxy
# Access mode - proxy (server in the UI) or direct (browser in the UI).
url: http://localhost:9090
jsonData:
httpMethod: POST
manageAlerts: true
prometheusType: Prometheus
prometheusVersion: 2.49.0
cacheLevel: 'High'
disableRecordingRules: false
# As of Grafana 10, the Prometheus data source can be configured to query live dashboards
# incrementally, instead of re-querying the entire duration on each dashboard refresh.
# Increasing the duration of the incrementalQueryOverlapWindow will increase the size of every incremental query,
# but might be helpful for instances that have inconsistent results for recent data.
incrementalQueryOverlapWindow: 10m
hosts/idols_ruby/grafana/default.nix
+54
View File
@@ -0,0 +1,54 @@
{
config,
pkgs,
username,
useremail,
...
}: {
services.grafana = {
enable = true;
dataDir = "/var/lib/grafana";
# DeclarativePlugins = with pkgs.grafanaPlugins; [ grafana-piechart-panel ];
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3000;
protocol = "http";
domain = "grafana.writefo.fun";
# Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks.
serve_from_sub_path = false;
# Add subpath to the root_url if serve_from_sub_path is true
root_url = "%(protocol)s://%(domain)s:%(http_port)s/";
enforce_domain = false;
read_timeout = "180s";
# Enable HTTP compression, this can improve transfer speed and bandwidth utilization.
enable_gzip = true;
# Cdn for accelerating loading of frontend assets.
# cdn_url = "https://cdn.jsdelivr.net/npm/grafana@7.5.5";
};
security = {
admin_user = username;
admin_email = useremail;
# Use file provider to read the admin password from a file.
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
admin_password = "$__file{${config.age.secrets."grafana-admin-password".path}}";
};
users = {
allow_sign_up = false;
# home_page = "";
default_theme = "dark";
};
};
# Declaratively provision Grafana's data sources, dashboards, and alerting rules.
# Grafana's alerting rules is not recommended to use, we use Prometheus alertmanager instead.
# https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources
provision = {
datasources.path = ./datasources.yml;
dashboards.path = ./dashboards.yml;
};
};
environment.etc."grafana/dashboards".source = ./dashboards;
}
hosts/idols_ruby/prometheus/README.md
+7
View File
@@ -0,0 +1,7 @@
# Prometheus & Alertmanager
## Alert Rules
- [awesome-prometheus-alerts](https://github.com/samber/awesome-prometheus-alerts): Collection of Prometheus alerting rules
hosts/idols_ruby/prometheus/alert_rules/coredns_embedded-exporter.yml
+14
View File
@@ -0,0 +1,14 @@
groups:
- name: EmbeddedExporter
rules:
- alert: CorednsPanicCount
expr: 'increase(coredns_panics_total[1m]) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: CoreDNS Panic Count (instance {{ $labels.instance }})
description: "Number of CoreDNS panics encountered\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
hosts/idols_ruby/prometheus/alert_rules/etcd_embedded-exporter.yml
+122
View File
@@ -0,0 +1,122 @@
groups:
- name: EmbeddedExporter
rules:
- alert: EtcdInsufficientMembers
expr: 'count(etcd_server_id) % 2 == 0'
for: 0m
labels:
severity: critical
annotations:
summary: Etcd insufficient Members (instance {{ $labels.instance }})
description: "Etcd cluster should have an odd number of members\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdNoLeader
expr: 'etcd_server_has_leader == 0'
for: 0m
labels:
severity: critical
annotations:
summary: Etcd no Leader (instance {{ $labels.instance }})
description: "Etcd cluster have no leader\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdHighNumberOfLeaderChanges
expr: 'increase(etcd_server_leader_changes_seen_total[10m]) > 2'
for: 0m
labels:
severity: warning
annotations:
summary: Etcd high number of leader changes (instance {{ $labels.instance }})
description: "Etcd leader changed more than 2 times during 10 minutes\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdHighNumberOfFailedGrpcRequests
expr: 'sum(rate(grpc_server_handled_total{grpc_code!="OK"}[1m])) BY (grpc_service, grpc_method) / sum(rate(grpc_server_handled_total[1m])) BY (grpc_service, grpc_method) > 0.01'
for: 2m
labels:
severity: warning
annotations:
summary: Etcd high number of failed GRPC requests (instance {{ $labels.instance }})
description: "More than 1% GRPC request failure detected in Etcd\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdHighNumberOfFailedGrpcRequests
expr: 'sum(rate(grpc_server_handled_total{grpc_code!="OK"}[1m])) BY (grpc_service, grpc_method) / sum(rate(grpc_server_handled_total[1m])) BY (grpc_service, grpc_method) > 0.05'
for: 2m
labels:
severity: critical
annotations:
summary: Etcd high number of failed GRPC requests (instance {{ $labels.instance }})
description: "More than 5% GRPC request failure detected in Etcd\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdGrpcRequestsSlow
expr: 'histogram_quantile(0.99, sum(rate(grpc_server_handling_seconds_bucket{grpc_type="unary"}[1m])) by (grpc_service, grpc_method, le)) > 0.15'
for: 2m
labels:
severity: warning
annotations:
summary: Etcd GRPC requests slow (instance {{ $labels.instance }})
description: "GRPC requests slowing down, 99th percentile is over 0.15s\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdHighNumberOfFailedHttpRequests
expr: 'sum(rate(etcd_http_failed_total[1m])) BY (method) / sum(rate(etcd_http_received_total[1m])) BY (method) > 0.01'
for: 2m
labels:
severity: warning
annotations:
summary: Etcd high number of failed HTTP requests (instance {{ $labels.instance }})
description: "More than 1% HTTP failure detected in Etcd\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdHighNumberOfFailedHttpRequests
expr: 'sum(rate(etcd_http_failed_total[1m])) BY (method) / sum(rate(etcd_http_received_total[1m])) BY (method) > 0.05'
for: 2m
labels:
severity: critical
annotations:
summary: Etcd high number of failed HTTP requests (instance {{ $labels.instance }})
description: "More than 5% HTTP failure detected in Etcd\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdHttpRequestsSlow
expr: 'histogram_quantile(0.99, rate(etcd_http_successful_duration_seconds_bucket[1m])) > 0.15'
for: 2m
labels:
severity: warning
annotations:
summary: Etcd HTTP requests slow (instance {{ $labels.instance }})
description: "HTTP requests slowing down, 99th percentile is over 0.15s\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdMemberCommunicationSlow
expr: 'histogram_quantile(0.99, rate(etcd_network_peer_round_trip_time_seconds_bucket[1m])) > 0.15'
for: 2m
labels:
severity: warning
annotations:
summary: Etcd member communication slow (instance {{ $labels.instance }})
description: "Etcd member communication slowing down, 99th percentile is over 0.15s\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdHighNumberOfFailedProposals
expr: 'increase(etcd_server_proposals_failed_total[1h]) > 5'
for: 2m
labels:
severity: warning
annotations:
summary: Etcd high number of failed proposals (instance {{ $labels.instance }})
description: "Etcd server got more than 5 failed proposals past hour\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdHighFsyncDurations
expr: 'histogram_quantile(0.99, rate(etcd_disk_wal_fsync_duration_seconds_bucket[1m])) > 0.5'
for: 2m
labels:
severity: warning
annotations:
summary: Etcd high fsync durations (instance {{ $labels.instance }})
description: "Etcd WAL fsync duration increasing, 99th percentile is over 0.5s\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: EtcdHighCommitDurations
expr: 'histogram_quantile(0.99, rate(etcd_disk_backend_commit_duration_seconds_bucket[1m])) > 0.25'
for: 2m
labels:
severity: warning
annotations:
summary: Etcd high commit durations (instance {{ $labels.instance }})
description: "Etcd commit duration increasing, 99th percentile is over 0.25s\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
hosts/idols_ruby/prometheus/alert_rules/istio_embedded-exporter.yml
+95
View File
@@ -0,0 +1,95 @@
groups:
- name: EmbeddedExporter
rules:
- alert: IstioKubernetesGatewayAvailabilityDrop
expr: 'min(kube_deployment_status_replicas_available{deployment="istio-ingressgateway", namespace="istio-system"}) without (instance, pod) < 2'
for: 1m
labels:
severity: warning
annotations:
summary: Istio Kubernetes gateway availability drop (instance {{ $labels.instance }})
description: "Gateway pods have dropped. Inbound traffic will likely be affected.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: IstioPilotHighTotalRequestRate
expr: 'sum(rate(pilot_xds_push_errors[1m])) / sum(rate(pilot_xds_pushes[1m])) * 100 > 5'
for: 1m
labels:
severity: warning
annotations:
summary: Istio Pilot high total request rate (instance {{ $labels.instance }})
description: "Number of Istio Pilot push errors is too high (> 5%). Envoy sidecars might have outdated configuration.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: IstioMixerPrometheusDispatchesLow
expr: 'sum(rate(mixer_runtime_dispatches_total{adapter=~"prometheus"}[1m])) < 180'
for: 1m
labels:
severity: warning
annotations:
summary: Istio Mixer Prometheus dispatches low (instance {{ $labels.instance }})
description: "Number of Mixer dispatches to Prometheus is too low. Istio metrics might not be being exported properly.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: IstioHighTotalRequestRate
expr: 'sum(rate(istio_requests_total{reporter="destination"}[5m])) > 1000'
for: 2m
labels:
severity: warning
annotations:
summary: Istio high total request rate (instance {{ $labels.instance }})
description: "Global request rate in the service mesh is unusually high.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: IstioLowTotalRequestRate
expr: 'sum(rate(istio_requests_total{reporter="destination"}[5m])) < 100'
for: 2m
labels:
severity: warning
annotations:
summary: Istio low total request rate (instance {{ $labels.instance }})
description: "Global request rate in the service mesh is unusually low.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: IstioHigh4xxErrorRate
expr: 'sum(rate(istio_requests_total{reporter="destination", response_code=~"4.*"}[5m])) / sum(rate(istio_requests_total{reporter="destination"}[5m])) * 100 > 5'
for: 1m
labels:
severity: warning
annotations:
summary: Istio high 4xx error rate (instance {{ $labels.instance }})
description: "High percentage of HTTP 5xx responses in Istio (> 5%).\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: IstioHigh5xxErrorRate
expr: 'sum(rate(istio_requests_total{reporter="destination", response_code=~"5.*"}[5m])) / sum(rate(istio_requests_total{reporter="destination"}[5m])) * 100 > 5'
for: 1m
labels:
severity: warning
annotations:
summary: Istio high 5xx error rate (instance {{ $labels.instance }})
description: "High percentage of HTTP 5xx responses in Istio (> 5%).\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: IstioHighRequestLatency
expr: 'rate(istio_request_duration_milliseconds_sum{reporter="destination"}[1m]) / rate(istio_request_duration_milliseconds_count{reporter="destination"}[1m]) > 100'
for: 1m
labels:
severity: warning
annotations:
summary: Istio high request latency (instance {{ $labels.instance }})
description: "Istio average requests execution is longer than 100ms.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: IstioLatency99Percentile
expr: 'histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket[1m])) by (destination_canonical_service, destination_workload_namespace, source_canonical_service, source_workload_namespace, le)) > 1000'
for: 1m
labels:
severity: warning
annotations:
summary: Istio latency 99 percentile (instance {{ $labels.instance }})
description: "Istio 1% slowest requests are longer than 1000ms.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: IstioPilotDuplicateEntry
expr: 'sum(rate(pilot_duplicate_envoy_clusters{}[5m])) > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Istio Pilot Duplicate Entry (instance {{ $labels.instance }})
description: "Istio pilot duplicate entry error.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
hosts/idols_ruby/prometheus/alert_rules/kubestate-exporter.yml
+311
View File
@@ -0,0 +1,311 @@
groups:
- name: KubestateExporter
rules:
- alert: KubernetesNodeNotReady
expr: 'kube_node_status_condition{condition="Ready",status="true"} == 0'
for: 10m
labels:
severity: critical
annotations:
summary: Kubernetes Node ready (node {{ $labels.node }})
description: "Node {{ $labels.node }} has been unready for a long time\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesNodeMemoryPressure
expr: 'kube_node_status_condition{condition="MemoryPressure",status="true"} == 1'
for: 2m
labels:
severity: critical
annotations:
summary: Kubernetes memory pressure (node {{ $labels.node }})
description: "Node {{ $labels.node }} has MemoryPressure condition\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesNodeDiskPressure
expr: 'kube_node_status_condition{condition="DiskPressure",status="true"} == 1'
for: 2m
labels:
severity: critical
annotations:
summary: Kubernetes disk pressure (node {{ $labels.node }})
description: "Node {{ $labels.node }} has DiskPressure condition\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesNodeNetworkUnavailable
expr: 'kube_node_status_condition{condition="NetworkUnavailable",status="true"} == 1'
for: 2m
labels:
severity: critical
annotations:
summary: Kubernetes Node network unavailable (instance {{ $labels.instance }})
description: "Node {{ $labels.node }} has NetworkUnavailable condition\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesNodeOutOfPodCapacity
expr: 'sum by (node) ((kube_pod_status_phase{phase="Running"} == 1) + on(uid) group_left(node) (0 * kube_pod_info{pod_template_hash=""})) / sum by (node) (kube_node_status_allocatable{resource="pods"}) * 100 > 90'
for: 2m
labels:
severity: warning
annotations:
summary: Kubernetes Node out of pod capacity (instance {{ $labels.instance }})
description: "Node {{ $labels.node }} is out of pod capacity\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesContainerOomKiller
expr: '(kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1'
for: 0m
labels:
severity: warning
annotations:
summary: Kubernetes container oom killer ({{ $labels.namespace }}/{{ $labels.pod }}:{{ $labels.container }})
description: "Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesJobFailed
expr: 'kube_job_status_failed > 0'
for: 0m
labels:
severity: warning
annotations:
summary: Kubernetes Job failed ({{ $labels.namespace }}/{{ $labels.job_name }})
description: "Job {{ $labels.namespace }}/{{ $labels.job_name }} failed to complete\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesCronjobSuspended
expr: 'kube_cronjob_spec_suspend != 0'
for: 0m
labels:
severity: warning
annotations:
summary: Kubernetes CronJob suspended ({{ $labels.namespace }}/{{ $labels.cronjob }})
description: "CronJob {{ $labels.namespace }}/{{ $labels.cronjob }} is suspended\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesPersistentvolumeclaimPending
expr: 'kube_persistentvolumeclaim_status_phase{phase="Pending"} == 1'
for: 2m
labels:
severity: warning
annotations:
summary: Kubernetes PersistentVolumeClaim pending ({{ $labels.namespace }}/{{ $labels.persistentvolumeclaim }})
description: "PersistentVolumeClaim {{ $labels.namespace }}/{{ $labels.persistentvolumeclaim }} is pending\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesVolumeOutOfDiskSpace
expr: 'kubelet_volume_stats_available_bytes / kubelet_volume_stats_capacity_bytes * 100 < 10'
for: 2m
labels:
severity: warning
annotations:
summary: Kubernetes Volume out of disk space (instance {{ $labels.instance }})
description: "Volume is almost full (< 10% left)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesVolumeFullInFourDays
expr: 'predict_linear(kubelet_volume_stats_available_bytes[6h:5m], 4 * 24 * 3600) < 0'
for: 0m
labels:
severity: critical
annotations:
summary: Kubernetes Volume full in four days (instance {{ $labels.instance }})
description: "Volume under {{ $labels.namespace }}/{{ $labels.persistentvolumeclaim }} is expected to fill up within four days. Currently {{ $value | humanize }}% is available.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesPersistentvolumeError
expr: 'kube_persistentvolume_status_phase{phase=~"Failed|Pending", job="kube-state-metrics"} > 0'
for: 0m
labels:
severity: critical
annotations:
summary: Kubernetes PersistentVolumeClaim pending ({{ $labels.namespace }}/{{ $labels.persistentvolumeclaim }})
description: "Persistent volume {{ $labels.persistentvolume }} is in bad state\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesStatefulsetDown
expr: 'kube_statefulset_replicas != kube_statefulset_status_replicas_ready > 0'
for: 1m
labels:
severity: critical
annotations:
summary: Kubernetes StatefulSet down ({{ $labels.namespace }}/{{ $labels.statefulset }})
description: "StatefulSet {{ $labels.namespace }}/{{ $labels.statefulset }} went down\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesHpaScaleInability
expr: 'kube_horizontalpodautoscaler_status_condition{status="false", condition="AbleToScale"} == 1'
for: 2m
labels:
severity: warning
annotations:
summary: Kubernetes HPA scale inability (instance {{ $labels.instance }})
description: "HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }} is unable to scale\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesHpaMetricsUnavailability
expr: 'kube_horizontalpodautoscaler_status_condition{status="false", condition="ScalingActive"} == 1'
for: 0m
labels:
severity: warning
annotations:
summary: Kubernetes HPA metrics unavailability (instance {{ $labels.instance }})
description: "HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }} is unable to collect metrics\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesHpaScaleMaximum
expr: 'kube_horizontalpodautoscaler_status_desired_replicas >= kube_horizontalpodautoscaler_spec_max_replicas'
for: 2m
labels:
severity: info
annotations:
summary: Kubernetes HPA scale maximum (instance {{ $labels.instance }})
description: "HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }} has hit maximum number of desired pods\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesHpaUnderutilized
expr: 'max(quantile_over_time(0.5, kube_horizontalpodautoscaler_status_desired_replicas[1d]) == kube_horizontalpodautoscaler_spec_min_replicas) by (horizontalpodautoscaler) > 3'
for: 0m
labels:
severity: info
annotations:
summary: Kubernetes HPA underutilized (instance {{ $labels.instance }})
description: "HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }} is constantly at minimum replicas for 50% of the time. Potential cost saving here.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesPodNotHealthy
expr: 'sum by (namespace, pod) (kube_pod_status_phase{phase=~"Pending|Unknown|Failed"}) > 0'
for: 15m
labels:
severity: critical
annotations:
summary: Kubernetes Pod not healthy ({{ $labels.namespace }}/{{ $labels.pod }})
description: "Pod {{ $labels.namespace }}/{{ $labels.pod }} has been in a non-running state for longer than 15 minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesPodCrashLooping
expr: 'increase(kube_pod_container_status_restarts_total[1m]) > 3'
for: 2m
labels:
severity: warning
annotations:
summary: Kubernetes pod crash looping ({{ $labels.namespace }}/{{ $labels.pod }})
description: "Pod {{ $labels.namespace }}/{{ $labels.pod }} is crash looping\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesReplicasetReplicasMismatch
expr: 'kube_replicaset_spec_replicas != kube_replicaset_status_ready_replicas'
for: 10m
labels:
severity: warning
annotations:
summary: Kubernetes ReplicasSet mismatch ({{ $labels.namespace }}/{{ $labels.replicaset }})
description: "ReplicaSet {{ $labels.namespace }}/{{ $labels.replicaset }} replicas mismatch\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesDeploymentReplicasMismatch
expr: 'kube_deployment_spec_replicas != kube_deployment_status_replicas_available'
for: 10m
labels:
severity: warning
annotations:
summary: Kubernetes Deployment replicas mismatch ({{ $labels.namespace }}/{{ $labels.deployment }})
description: "Deployment {{ $labels.namespace }}/{{ $labels.deployment }} replicas mismatch\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesStatefulsetReplicasMismatch
expr: 'kube_statefulset_status_replicas_ready != kube_statefulset_status_replicas'
for: 10m
labels:
severity: warning
annotations:
summary: Kubernetes StatefulSet replicas mismatch (instance {{ $labels.instance }})
description: "StatefulSet does not match the expected number of replicas.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesDeploymentGenerationMismatch
expr: 'kube_deployment_status_observed_generation != kube_deployment_metadata_generation'
for: 10m
labels:
severity: critical
annotations:
summary: Kubernetes Deployment generation mismatch ({{ $labels.namespace }}/{{ $labels.deployment }})
description: "Deployment {{ $labels.namespace }}/{{ $labels.deployment }} has failed but has not been rolled back.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesStatefulsetGenerationMismatch
expr: 'kube_statefulset_status_observed_generation != kube_statefulset_metadata_generation'
for: 10m
labels:
severity: critical
annotations:
summary: Kubernetes StatefulSet generation mismatch ({{ $labels.namespace }}/{{ $labels.statefulset }})
description: "StatefulSet {{ $labels.namespace }}/{{ $labels.statefulset }} has failed but has not been rolled back.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesStatefulsetUpdateNotRolledOut
expr: 'max without (revision) (kube_statefulset_status_current_revision unless kube_statefulset_status_update_revision) * (kube_statefulset_replicas != kube_statefulset_status_replicas_updated)'
for: 10m
labels:
severity: warning
annotations:
summary: Kubernetes StatefulSet update not rolled out ({{ $labels.namespace }}/{{ $labels.statefulset }})
description: "StatefulSet {{ $labels.namespace }}/{{ $labels.statefulset }} update has not been rolled out.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesDaemonsetRolloutStuck
expr: 'kube_daemonset_status_number_ready / kube_daemonset_status_desired_number_scheduled * 100 < 100 or kube_daemonset_status_desired_number_scheduled - kube_daemonset_status_current_number_scheduled > 0'
for: 10m
labels:
severity: warning
annotations:
summary: Kubernetes DaemonSet rollout stuck ({{ $labels.namespace }}/{{ $labels.daemonset }})
description: "Some Pods of DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset }} are not scheduled or not ready\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesDaemonsetMisscheduled
expr: 'kube_daemonset_status_number_misscheduled > 0'
for: 1m
labels:
severity: critical
annotations:
summary: Kubernetes DaemonSet misscheduled ({{ $labels.namespace }}/{{ $labels.daemonset }})
description: "Some Pods of DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset }} are running where they are not supposed to run\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesCronjobTooLong
expr: 'time() - kube_cronjob_next_schedule_time > 3600'
for: 0m
labels:
severity: warning
annotations:
summary: Kubernetes CronJob too long ({{ $labels.namespace }}/{{ $labels.cronjob }})
description: "CronJob {{ $labels.namespace }}/{{ $labels.cronjob }} is taking more than 1h to complete.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesJobSlowCompletion
expr: 'kube_job_spec_completions - kube_job_status_succeeded - kube_job_status_failed > 0'
for: 12h
labels:
severity: critical
annotations:
summary: Kubernetes job slow completion ({{ $labels.namespace }}/{{ $labels.job_name }})
description: "Kubernetes Job {{ $labels.namespace }}/{{ $labels.job_name }} did not complete in time.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesApiServerErrors
expr: 'sum(rate(apiserver_request_total{job="apiserver",code=~"^(?:5..)$"}[1m])) / sum(rate(apiserver_request_total{job="apiserver"}[1m])) * 100 > 3'
for: 2m
labels:
severity: critical
annotations:
summary: Kubernetes API server errors (instance {{ $labels.instance }})
description: "Kubernetes API server is experiencing high error rate\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesApiClientErrors
expr: '(sum(rate(rest_client_requests_total{code=~"(4|5).."}[1m])) by (instance, job) / sum(rate(rest_client_requests_total[1m])) by (instance, job)) * 100 > 1'
for: 2m
labels:
severity: critical
annotations:
summary: Kubernetes API client errors (instance {{ $labels.instance }})
description: "Kubernetes API client is experiencing high error rate\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesClientCertificateExpiresNextWeek
expr: 'apiserver_client_certificate_expiration_seconds_count{job="apiserver"} > 0 and histogram_quantile(0.01, sum by (job, le) (rate(apiserver_client_certificate_expiration_seconds_bucket{job="apiserver"}[5m]))) < 7*24*60*60'
for: 0m
labels:
severity: warning
annotations:
summary: Kubernetes client certificate expires next week (instance {{ $labels.instance }})
description: "A client certificate used to authenticate to the apiserver is expiring next week.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesClientCertificateExpiresSoon
expr: 'apiserver_client_certificate_expiration_seconds_count{job="apiserver"} > 0 and histogram_quantile(0.01, sum by (job, le) (rate(apiserver_client_certificate_expiration_seconds_bucket{job="apiserver"}[5m]))) < 24*60*60'
for: 0m
labels:
severity: critical
annotations:
summary: Kubernetes client certificate expires soon (instance {{ $labels.instance }})
description: "A client certificate used to authenticate to the apiserver is expiring in less than 24.0 hours.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: KubernetesApiServerLatency
expr: 'histogram_quantile(0.99, sum(rate(apiserver_request_duration_seconds_bucket{subresource!="log",verb!~"^(?:CONNECT|WATCHLIST|WATCH|PROXY)$"} [10m])) WITHOUT (instance, resource)) > 1'
for: 2m
labels:
severity: warning
annotations:
summary: Kubernetes API server latency (instance {{ $labels.instance }})
description: "Kubernetes API server has a 99th percentile latency of {{ $value }} seconds for {{ $labels.verb }} {{ $labels.resource }}.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
hosts/idols_ruby/prometheus/alert_rules/node-exporter.yml
+347
View File
@@ -0,0 +1,347 @@
groups:
- name: NodeExporter
rules:
- alert: HostOutOfMemory
expr: '(node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host out of memory (instance {{ $labels.instance }})
description: "Node memory is filling up (< 10% left)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostMemoryUnderMemoryPressure
expr: '(rate(node_vmstat_pgmajfault[1m]) > 1000) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host memory under memory pressure (instance {{ $labels.instance }})
description: "The node is under heavy memory pressure. High rate of major page faults\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostMemoryIsUnderutilized
expr: '(100 - (avg_over_time(node_memory_MemAvailable_bytes[30m]) / node_memory_MemTotal_bytes * 100) < 20) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 1w
labels:
severity: info
annotations:
summary: Host Memory is underutilized (instance {{ $labels.instance }})
description: "Node memory is < 20% for 1 week. Consider reducing memory space. (instance {{ $labels.instance }})\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualNetworkThroughputIn
expr: '(sum by (instance) (rate(node_network_receive_bytes_total[2m])) / 1024 / 1024 > 100) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual network throughput in (instance {{ $labels.instance }})
description: "Host network interfaces are probably receiving too much data (> 100 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualNetworkThroughputOut
expr: '(sum by (instance) (rate(node_network_transmit_bytes_total[2m])) / 1024 / 1024 > 100) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual network throughput out (instance {{ $labels.instance }})
description: "Host network interfaces are probably sending too much data (> 100 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskReadRate
expr: '(sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual disk read rate (instance {{ $labels.instance }})
description: "Disk is probably reading too much data (> 50 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskWriteRate
expr: '(sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 50) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host unusual disk write rate (instance {{ $labels.instance }})
description: "Disk is probably writing too much data (> 50 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostOutOfDiskSpace
expr: '((node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host out of disk space (instance {{ $labels.instance }})
description: "Disk is almost full (< 10% left)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostDiskWillFillIn24Hours
expr: '((node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 and ON (instance, device, mountpoint) predict_linear(node_filesystem_avail_bytes{fstype!~"tmpfs"}[1h], 24 * 3600) < 0 and ON (instance, device, mountpoint) node_filesystem_readonly == 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host disk will fill in 24 hours (instance {{ $labels.instance }})
description: "Filesystem is predicted to run out of space within the next 24 hours at current write rate\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostOutOfInodes
expr: '(node_filesystem_files_free{fstype!="msdosfs"} / node_filesystem_files{fstype!="msdosfs"} * 100 < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host out of inodes (instance {{ $labels.instance }})
description: "Disk is almost running out of available inodes (< 10% left)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostFilesystemDeviceError
expr: 'node_filesystem_device_error == 1'
for: 0m
labels:
severity: critical
annotations:
summary: Host filesystem device error (instance {{ $labels.instance }})
description: "{{ $labels.instance }}: Device error with the {{ $labels.mountpoint }} filesystem\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostInodesWillFillIn24Hours
expr: '(node_filesystem_files_free{fstype!="msdosfs"} / node_filesystem_files{fstype!="msdosfs"} * 100 < 10 and predict_linear(node_filesystem_files_free{fstype!="msdosfs"}[1h], 24 * 3600) < 0 and ON (instance, device, mountpoint) node_filesystem_readonly{fstype!="msdosfs"} == 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host inodes will fill in 24 hours (instance {{ $labels.instance }})
description: "Filesystem is predicted to run out of inodes within the next 24 hours at current write rate\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskReadLatency
expr: '(rate(node_disk_read_time_seconds_total[1m]) / rate(node_disk_reads_completed_total[1m]) > 0.1 and rate(node_disk_reads_completed_total[1m]) > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host unusual disk read latency (instance {{ $labels.instance }})
description: "Disk latency is growing (read operations > 100ms)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskWriteLatency
expr: '(rate(node_disk_write_time_seconds_total[1m]) / rate(node_disk_writes_completed_total[1m]) > 0.1 and rate(node_disk_writes_completed_total[1m]) > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host unusual disk write latency (instance {{ $labels.instance }})
description: "Disk latency is growing (write operations > 100ms)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostHighCpuLoad
expr: '(sum by (instance) (avg by (mode, instance) (rate(node_cpu_seconds_total{mode!="idle"}[2m]))) > 0.8) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 10m
labels:
severity: warning
annotations:
summary: Host high CPU load (instance {{ $labels.instance }})
description: "CPU load is > 80%\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostCpuIsUnderutilized
expr: '(100 - (rate(node_cpu_seconds_total{mode="idle"}[30m]) * 100) < 20) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 1w
labels:
severity: info
annotations:
summary: Host CPU is underutilized (instance {{ $labels.instance }})
description: "CPU load is < 20% for 1 week. Consider reducing the number of CPUs.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostCpuStealNoisyNeighbor
expr: '(avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m])) * 100 > 10) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 0m
labels:
severity: warning
annotations:
summary: Host CPU steal noisy neighbor (instance {{ $labels.instance }})
description: "CPU steal is > 10%. A noisy neighbor is killing VM performances or a spot instance may be out of credit.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostCpuHighIowait
expr: '(avg by (instance) (rate(node_cpu_seconds_total{mode="iowait"}[5m])) * 100 > 10) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 0m
labels:
severity: warning
annotations:
summary: Host CPU high iowait (instance {{ $labels.instance }})
description: "CPU iowait > 10%. A high iowait means that you are disk or network bound.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostUnusualDiskIo
expr: '(rate(node_disk_io_time_seconds_total[1m]) > 0.5) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 5m
labels:
severity: warning
annotations:
summary: Host unusual disk IO (instance {{ $labels.instance }})
description: "Time spent in IO is too high on {{ $labels.instance }}. Check storage for issues.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostContextSwitching
expr: '((rate(node_context_switches_total[5m])) / (count without(cpu, mode) (node_cpu_seconds_total{mode="idle"})) > 10000) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 0m
labels:
severity: warning
annotations:
summary: Host context switching (instance {{ $labels.instance }})
description: "Context switching is growing on the node (> 10000 / CPU / s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostSwapIsFillingUp
expr: '((1 - (node_memory_SwapFree_bytes / node_memory_SwapTotal_bytes)) * 100 > 80) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host swap is filling up (instance {{ $labels.instance }})
description: "Swap is filling up (>80%)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostSystemdServiceCrashed
expr: '(node_systemd_unit_state{state="failed"} == 1) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 0m
labels:
severity: warning
annotations:
summary: Host systemd service crashed (instance {{ $labels.instance }})
description: "systemd service crashed\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostPhysicalComponentTooHot
expr: '((node_hwmon_temp_celsius * ignoring(label) group_left(instance, job, node, sensor) node_hwmon_sensor_label{label!="tctl"} > 75)) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 5m
labels:
severity: warning
annotations:
summary: Host physical component too hot (instance {{ $labels.instance }})
description: "Physical hardware component too hot\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNodeOvertemperatureAlarm
expr: '(node_hwmon_temp_crit_alarm_celsius == 1) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 0m
labels:
severity: critical
annotations:
summary: Host node overtemperature alarm (instance {{ $labels.instance }})
description: "Physical node temperature alarm triggered\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostRaidArrayGotInactive
expr: '(node_md_state{state="inactive"} > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 0m
labels:
severity: critical
annotations:
summary: Host RAID array got inactive (instance {{ $labels.instance }})
description: "RAID array {{ $labels.device }} is in a degraded state due to one or more disk failures. The number of spare drives is insufficient to fix the issue automatically.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostRaidDiskFailure
expr: '(node_md_disks{state="failed"} > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host RAID disk failure (instance {{ $labels.instance }})
description: "At least one device in RAID array on {{ $labels.instance }} failed. Array {{ $labels.md_device }} needs attention and possibly a disk swap\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostKernelVersionDeviations
expr: '(count(sum(label_replace(node_uname_info, "kernel", "$1", "release", "([0-9]+.[0-9]+.[0-9]+).*")) by (kernel)) > 1) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 6h
labels:
severity: warning
annotations:
summary: Host kernel version deviations (instance {{ $labels.instance }})
description: "Different kernel versions are running\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostOomKillDetected
expr: '(increase(node_vmstat_oom_kill[1m]) > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 0m
labels:
severity: warning
annotations:
summary: Host OOM kill detected (instance {{ $labels.instance }})
description: "OOM kill detected\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostEdacCorrectableErrorsDetected
expr: '(increase(node_edac_correctable_errors_total[1m]) > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 0m
labels:
severity: info
annotations:
summary: Host EDAC Correctable Errors detected (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} has had {{ printf \"%.0f\" $value }} correctable memory errors reported by EDAC in the last 5 minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostEdacUncorrectableErrorsDetected
expr: '(node_edac_uncorrectable_errors_total > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 0m
labels:
severity: warning
annotations:
summary: Host EDAC Uncorrectable Errors detected (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} has had {{ printf \"%.0f\" $value }} uncorrectable memory errors reported by EDAC in the last 5 minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNetworkReceiveErrors
expr: '(rate(node_network_receive_errs_total[2m]) / rate(node_network_receive_packets_total[2m]) > 0.01) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host Network Receive Errors (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf \"%.0f\" $value }} receive errors in the last two minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNetworkTransmitErrors
expr: '(rate(node_network_transmit_errs_total[2m]) / rate(node_network_transmit_packets_total[2m]) > 0.01) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host Network Transmit Errors (instance {{ $labels.instance }})
description: "Host {{ $labels.instance }} interface {{ $labels.device }} has encountered {{ printf \"%.0f\" $value }} transmit errors in the last two minutes.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNetworkInterfaceSaturated
expr: '((rate(node_network_receive_bytes_total{device!~"^tap.*|^vnet.*|^veth.*|^tun.*"}[1m]) + rate(node_network_transmit_bytes_total{device!~"^tap.*|^vnet.*|^veth.*|^tun.*"}[1m])) / node_network_speed_bytes{device!~"^tap.*|^vnet.*|^veth.*|^tun.*"} > 0.8 < 10000) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 1m
labels:
severity: warning
annotations:
summary: Host Network Interface Saturated (instance {{ $labels.instance }})
description: "The network interface \"{{ $labels.device }}\" on \"{{ $labels.instance }}\" is getting overloaded.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostNetworkBondDegraded
expr: '((node_bonding_active - node_bonding_slaves) != 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host Network Bond Degraded (instance {{ $labels.instance }})
description: "Bond \"{{ $labels.device }}\" degraded on \"{{ $labels.instance }}\".\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostConntrackLimit
expr: '(node_nf_conntrack_entries / node_nf_conntrack_entries_limit > 0.8) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 5m
labels:
severity: warning
annotations:
summary: Host conntrack limit (instance {{ $labels.instance }})
description: "The number of conntrack is approaching limit\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostClockSkew
expr: '((node_timex_offset_seconds > 0.05 and deriv(node_timex_offset_seconds[5m]) >= 0) or (node_timex_offset_seconds < -0.05 and deriv(node_timex_offset_seconds[5m]) <= 0)) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 10m
labels:
severity: warning
annotations:
summary: Host clock skew (instance {{ $labels.instance }})
description: "Clock skew detected. Clock is out of sync. Ensure NTP is configured correctly on this host.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostClockNotSynchronising
expr: '(min_over_time(node_timex_sync_status[1m]) == 0 and node_timex_maxerror_seconds >= 16) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 2m
labels:
severity: warning
annotations:
summary: Host clock not synchronising (instance {{ $labels.instance }})
description: "Clock not synchronising. Ensure NTP is configured on this host.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: HostRequiresReboot
expr: '(node_reboot_required > 0) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}'
for: 4h
labels:
severity: info
annotations:
summary: Host requires reboot (instance {{ $labels.instance }})
description: "{{ $labels.instance }} requires a reboot.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
hosts/idols_ruby/prometheus/default.nix
+157
View File
@@ -0,0 +1,157 @@
{
config,
vars_networking,
...
}: {
# https://prometheus.io/docs/prometheus/latest/configuration/configuration/
services.prometheus = {
enable = true;
checkConfig = true;
listenAddress = "127.0.0.1";
port = 9090;
webExternalUrl = "http://prometheus.writefor.fun";
extraFlags = ["--storage.tsdb.retention.time=15d"];
# Directory below /var/lib to store Prometheus metrics data.
stateDir = "prometheus2";
# Reload prometheus when configuration file changes (instead of restart).
enableReload = true;
# https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read
# remoteRead = [];
# Rules are read from these files.
# https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/
#
# Prometheus supports two types of rules which may be configured
# and then evaluated at regular intervals:
# 1. Recording rules
# Recording rules allow you to precompute frequently needed or computationally
# expensive expressions and save their result as a new set of time series.
# Querying the precomputed result will then often be much faster than executing the original expression.
# This is especially useful for dashboards, which need to query the same expression repeatedly every time they refresh.
# 2. Alerting rules
# Alerting rules allow you to define alert conditions based on Prometheus expression language expressions
# and to send notifications about firing alerts to an external service.
ruleFiles = [
./alert_rules/node-exporter.yml
./alert_rules/kubestate-exporter.yml
./alert_rules/etcd_embedded-exporter.yml
./alert_rules/istio_embedded-exporter.yml
./alert_rules/coredns_embedded-exporter.yml
# ./recording_rules.yml
];
# specifies a set of targets and parameters describing how to scrape metrics from them.
# https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
scrapeConfigs = [
# --- Hosts --- #
{
job_name = "node-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
# All my NixOS hosts.
targets =
map (host: "${host.address}:9100")
(builtins.attrValues vars_networking.hostAddress);
labels.type = "node";
}
];
}
# --- Homelab Applications --- #
{
job_name = "dnsmasq-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${vars_networking.hostAddress.aquamarine.address}:9153"];
labels.type = "app";
labels.app = "dnsmasq";
}
];
}
{
job_name = "v2ray-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${vars_networking.hostAddress.kana.address}:9153"];
labels.type = "app";
labels.app = "v2ray";
}
];
}
{
job_name = "sftpgo-embedded-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${vars_networking.hostAddress.kana.address}:10000"];
labels.type = "app";
labels.app = "v2ray";
}
];
}
];
# specifies Alertmanager instances the Prometheus server sends alerts to
# https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config
alertmanagers = [{static_configs = [{targets = ["localhost:9093"];}];}];
};
services.prometheus.alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
port = 9093;
webExternalUrl = "http://alertmanager.writefor.fun";
logLevel = "info";
environmentFile = config.age.secrets."alertmanager.env".path;
configuration = {
global = {
# The smarthost and SMTP sender used for mail notifications.
smtp_smarthost = "smtp.qq.com:465";
smtp_from = "$SMTP_SENDER_EMAIL";
smtp_auth_username = "$SMTP_AUTH_USERNAME";
smtp_auth_password = "$SMTP_AUTH_PASSWORD";
# smtp.qq.com:465 support SSL only, so we need to disable TLS here.
# https://service.mail.qq.com/detail/0/310
smtp_require_tls = false;
};
route = {
receiver = "default";
routes = [
{
group_by = ["host"];
group_wait = "5m";
group_interval = "5m";
repeat_interval = "4h";
receiver = "default";
}
];
};
receivers = [
{
name = "default";
email_configs = [
{
to = "ryan4yin@linux.com";
# Whether to notify about resolved alerts.
send_resolved = true;
}
];
}
];
};
};
}
hosts/idols_ruby/restic.nix
+83
View File
@@ -0,0 +1,83 @@
{pkgs, ...}: let
passwordFile = "/etc/agenix/restic-password";
sshKeyPath = "/etc/agenix/ssh-key-for-restic-backup";
rcloneConfigFile = "/etc/agenix/rclone-conf-for-restic-backup";
in {
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/backup/restic.nix
services.restic.backups = {
homelab-backup = {
inherit passwordFile;
initialize = true; # Initialize the repository if it doesn't exist.
repository = "rclone:smb-downloads:/Downloads/proxmox-backup/"; # backup to a rclone remote
# rclone related
# rcloneOptions = {
# bwlimit = "100M"; # Limit the bandwidth used by rclone.
# };
inherit rcloneConfigFile;
# Which local paths to backup, in addition to ones specified via `dynamicFilesFrom`.
paths = [
"/tmp/restic-backup-temp"
];
#
# A script that produces a list of files to back up. The
# results of this command are given to the '--files-from'
# option. The result is merged with paths specified via `paths`.
# dynamicFilesFrom = "find /home/matt/git -type d -name .git";
#
# Patterns to exclude when backing up. See
# https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
# for details on syntax.
exclude = [];
# A script that must run before starting the backup process.
backupPrepareCommand = ''
${pkgs.nushell}/bin/nu -c '
let pve_nodes = [
# proxmox cluster's nodes
"um560"
"gtr5"
"s500plus"
# others
"kana"
]
pve_nodes | each {|it|
rsync -avz \
-e "ssh -i ${sshKeyPath}" \
$"($it):/var/lib/vz" $"/tmp/restic-backup-temp/($it)"
}
'
'';
# A script that must run after finishing the backup process.
backupCleanupCommand = "rm -rf /tmp/restic-backup-temp";
# Extra extended options to be passed to the restic --option flag.
# extraOptions = [];
# Extra arguments passed to restic backup.
# extraBackupArgs = [
# "--exclude-file=/etc/restic/excludes-list"
# ];
# repository = "/mnt/backup-hdd"; # backup to a local directory
# When to run the backup. See {manpage}`systemd.timer(5)` for details.
timerConfig = {
OnCalendar = "01:30";
RandomizedDelaySec = "1h";
};
# A list of options (--keep-* et al.) for 'restic forget --prune',
# to automatically prune old snapshots.
# The 'forget' command is run *after* the 'backup' command, so
# keep that in mind when constructing the --keep-* options.
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 3"
"--keep-monthly 3"
"--keep-yearly 3"
];
};
};
}
hosts/k8s/README.md
+31
View File
@@ -0,0 +1,31 @@
# Kubernetes Clusters
> WIP, not finished yet.
I'm running two Kubernetes clusters, one for production and one for testing.
I prefer to use [k3s] as the Kubernetes distribution, because it's lightweight, easy to install, and full featured(see [what-have-k3s-removed-from-upstream-kubernetes] for details).
## Hosts
![](/_img/2024-02-18_k8s-nodes-overview.webp)
1. For production:
1. `k3s-prod-1-master-1`
1. `k3s-prod-1-master-2`
1. `k3s-prod-1-master-3`
2. `k3s-prod-1-worker-1`
2. `k3s-prod-1-worker-2`
2. `k3s-prod-1-worker-3`
1. For testing:.
1. `k3s-test-1-master-1`
2. `k3s-test-1-worker-1`
3. `k3s-test-1-worker-2`
4. `k3s-test-1-worker-3`
## Kubernetes Resources
Kubernetes resouces are deployed and managed separately through [nix-config/pulumi/k8s/](../../pulumi/k8s/).
[k3s]: https://github.com/k3s-io/k3s/
[what-have-k3s-removed-from-upstream-kubernetes]: https://github.com/k3s-io/k3s/?tab=readme-ov-file#what-have-you-removed-from-upstream-kubernetes
hosts/k8s/disko_config/README.md
+33
View File
@@ -0,0 +1,33 @@
# Disko Config
Generate LUKS keyfile to encrypt the root partition, it's used by disko.
```bash
# partition the usb stick
parted /dev/sdb -- mklabel gpt
parted /dev/sdb -- mkpart primary 2M 512MB
parted /dev/sdb -- mkpart primary 512MB 1024MB
mkfs.fat -F 32 -n NIXOS_DSC /dev/sdb1
mkfs.fat -F 32 -n NIXOS_K3S /dev/sdb2
# Generate a keyfile from the true random number generator
KEYFILE=./kubevirt-luks-keyfile
dd bs=8192 count=4 iflag=fullblock if=/dev/random of=$KEYFILE
# generate token for k3s
K3S_TOKEN_FILE=./kubevirt-k3s-token
K3S_TOKEN=$(grep -ao '[A-Za-z0-9]' < /dev/random | head -64 | tr -d '\n' ; echo "")
echo $K3S_TOKEN > $K3S_TOKEN_FILE
# copy the keyfile and token to the usb stick
KEYFILE=./kubevirt-luks-keyfile
DEVICE=/dev/disk/by-label/NIXOS_DSC
dd bs=8192 count=4 iflag=fullblock if=$KEYFILE of=$DEVICE
K3S_TOKEN_FILE=./kubevirt-k3s-token
USB_PATH=/run/media/ryan/NIXOS_K3S
cp $K3S_TOKEN_FILE $USB_PATH
```

Some files were not shown because too many files have changed in this diff Show More