starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-05-28 18:39:31 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity

Compare commits

base: starred/nix-config:v0.5.3
Branches Tags
starred/nix-config:main starred/nix-config:dma-shell starred/nix-config:i3-kickstarter
starred/nix-config:v0.15.0 starred/nix-config:v0.14.0 starred/nix-config:v0.13.0 starred/nix-config:v0.12.0 starred/nix-config:v0.11.0 starred/nix-config:v0.10.0 starred/nix-config:v0.9.0 starred/nix-config:v0.8.0 starred/nix-config:v0.7.0 starred/nix-config:v0.6.0 starred/nix-config:v0.5.5 starred/nix-config:v0.5.4 starred/nix-config:v0.5.3 starred/nix-config:v0.5.2 starred/nix-config:v0.5.1 starred/nix-config:v0.5.0 starred/nix-config:v0.4.5 starred/nix-config:v0.4.4 starred/nix-config:v0.4.3 starred/nix-config:v0.4.2 starred/nix-config:v0.4.1 starred/nix-config:v0.4.0 starred/nix-config:v0.3.0 starred/nix-config:v0.2.2 starred/nix-config:v0.2.1 starred/nix-config:v0.2.0 starred/nix-config:v0.1.1 starred/nix-config:v0.1.0 starred/nix-config:v0.0.5 starred/nix-config:v0.0.4 starred/nix-config:v0.0.3 starred/nix-config:v0.0.2 starred/nix-config:v0.0.1
..
compare: starred/nix-config:v0.6.0
Branches Tags
starred/nix-config:main starred/nix-config:dma-shell starred/nix-config:i3-kickstarter
starred/nix-config:v0.15.0 starred/nix-config:v0.14.0 starred/nix-config:v0.13.0 starred/nix-config:v0.12.0 starred/nix-config:v0.11.0 starred/nix-config:v0.10.0 starred/nix-config:v0.9.0 starred/nix-config:v0.8.0 starred/nix-config:v0.7.0 starred/nix-config:v0.6.0 starred/nix-config:v0.5.5 starred/nix-config:v0.5.4 starred/nix-config:v0.5.3 starred/nix-config:v0.5.2 starred/nix-config:v0.5.1 starred/nix-config:v0.5.0 starred/nix-config:v0.4.5 starred/nix-config:v0.4.4 starred/nix-config:v0.4.3 starred/nix-config:v0.4.2 starred/nix-config:v0.4.1 starred/nix-config:v0.4.0 starred/nix-config:v0.3.0 starred/nix-config:v0.2.2 starred/nix-config:v0.2.1 starred/nix-config:v0.2.0 starred/nix-config:v0.1.1 starred/nix-config:v0.1.0 starred/nix-config:v0.0.5 starred/nix-config:v0.0.4 starred/nix-config:v0.0.3 starred/nix-config:v0.0.2 starred/nix-config:v0.0.1

78 Commits
v0.5.3 .. v0.6.0

Author SHA1 Message Date
Ryan Yin 0693713e94 feat: list systemd services 2024-08-17 20:40:27 +08:00
Ryan Yin 1bf67acde9 fix: hdd storage - auto unlock after booted (#158) 2024-08-17 04:05:22 +08:00
Ryan Yin f1a5d419fb fix: hdd storage - do not unlock on boot, increase boot.loader.timeout 2024-08-17 03:06:37 +08:00
Ryan Yin e8be41f8e1 Merge pull request #156 from ryan4yin/data-crypted 
feat: data-crypted
 2024-08-17 02:28:12 +08:00
Ryan Yin d853036fb1 feat: data-crypted 2024-08-17 02:26:39 +08:00
Ryan Yin df1f9b0070 chore: remove sbc's just commands 2024-08-16 15:13:21 +08:00
Ryan Yin 4def213b08 Merge pull request #155 from ryan4yin/remove-sbcs 
refactor: migrate sbcs to https://github.com/ryan4yin/nixos-config-sbc
 2024-08-16 15:08:12 +08:00
Ryan Yin 35eb6ed5c9 refactor: migrate sbcs to https://github.com/ryan4yin/nixos-config-sbc 2024-08-16 15:06:24 +08:00
Ryan Yin 07178984b1 Merge pull request #154 from ryan4yin/refactor-vars 
refactor: migrate ssh auth keys & hashed password into vars
 2024-08-16 14:40:54 +08:00
Ryan Yin eb83e88267 refactor: migrate ssh auth keys & hashed password into vars 2024-08-16 14:40:06 +08:00
Ryan Yin 6c8e8111c6 docs: dae - comment 2024-08-16 11:46:37 +08:00
Ryan Yin 62e96cde7e feat: dae - avoid rate limit of GitHub API & Docker Hub API 2024-08-16 11:44:30 +08:00
Ryan Yin 4bb53d0190 feat: justfile - gc 2024-08-15 22:50:20 +08:00
Ryan Yin 41af2c1444 Merge pull request #152 from ryan4yin/kubevirt-hugepages 
feat: kubevirt - use 75% of the memory for hugepages
 2024-08-15 22:50:05 +08:00
Ryan Yin 43db6bcf63 feat: kubevirt - use 75% of the memory for hugepages 2024-08-15 17:19:26 +08:00
Ryan Yin e17bc1ec23 feat: neovim - tree-sitter - just 2024-08-12 18:30:26 +08:00
Ryan Yin c9954c009a chore: justfile - gc - delete old than 7 days 2024-08-12 17:56:46 +08:00
Ryan Yin e68a43edce docs: justfile - nix gc 2024-08-12 17:51:02 +08:00
Ryan Yin 08a6885873 feat: justfile - nix gc 2024-08-12 17:44:37 +08:00
Ryan Yin 930d8322d1 feat: use the latest version of neovim 2024-08-12 17:18:59 +08:00
Ryan Yin 2363ab59c4 chore: add default to just 2024-08-12 17:18:18 +08:00
Ryan Yin 1394e26a59 chore: update flake.lock 2024-08-12 17:18:02 +08:00
Ryan Yin 940367c790 chore: update scripts 2024-08-12 15:17:38 +08:00
Ryan Yin cae48ede1b fix: update ntp time servers 2024-08-11 20:18:20 +08:00
Ryan Yin 9535c09a33 feat: add kubectx 2024-08-06 15:13:54 +08:00
Ryan Yin 194c3d9895 chore: remove some unused just commands 2024-08-01 10:14:54 +08:00
Ryan Yin a8f613ead1 docs: justfile 2024-08-01 10:11:56 +08:00
Ryan Yin 5d69019f60 docs: virtual machine 2024-08-01 10:03:12 +08:00
Ryan Yin 648021b0ca docs: virtual machine 2024-08-01 10:02:49 +08:00
Ryan Yin c30730bedd docs: virtual machine 2024-08-01 09:58:42 +08:00
Ryan Yin e9b502fa5f feat: yazi & neovim - show shidden files 2024-08-01 09:44:02 +08:00
Ryan Yin 3e2340aee7 feat: adjust configs for gitea 2024-07-31 23:18:52 +08:00
Ryan Yin 94c8eef2cb Merge pull request #151 from ryan4yin/homepage 
feat: adjust homepage config
 2024-07-31 23:04:01 +08:00
Ryan Yin 2581c9d562 feat: adjust homepage config 2024-07-31 23:03:07 +08:00
Ryan Yin 3aaa4c0372 Merge pull request #150 from ryan4yin/p8s-scrape-configs 
refactor: p8s scrape configs
 2024-07-31 21:41:19 +08:00
Ryan Yin c446a693ea refactor: p8s scrape configs 2024-07-31 19:22:01 +08:00
Ryan Yin 9b0c5d7d50 Merge pull request #149 from ryan4yin/fix-nodejs-based-apps 
fix: fix nodejs-based apps
 2024-07-31 17:19:49 +08:00
Ryan Yin 86ee8132b7 fix: homelab - use https 2024-07-31 17:19:35 +08:00
Ryan Yin 2f3d644234 fix: fix nodejs-based apps 2024-07-31 17:09:20 +08:00
Ryan Yin 87dfa7669f Merge pull request #145 from ryan4yin/migrate-services-to-aqua 
feat: migrate grafana & prometheus to aqua
 2024-07-31 16:22:27 +08:00
Ryan Yin 64dd1fc2f3 fix: typo 2024-07-31 16:20:32 +08:00
Ryan Yin fc81143c10 chore: update mysecrets 2024-07-31 16:01:02 +08:00
Ryan Yin 5178a3e638 fix: sftpgo - directory 2024-07-31 15:52:41 +08:00
Ryan Yin b3127a18c9 fix: uptime kuma 2024-07-31 15:42:40 +08:00
Ryan Yin 15e0b150e9 fix: home page 2024-07-31 15:38:48 +08:00
Ryan Yin 41dc24e350 feat: aqua - no fail if usb storage is not available 2024-07-31 15:07:53 +08:00
Ryan Yin 8c795c7d0d feat: change data directories, add disko for usb storage 2024-07-31 14:29:21 +08:00
Ryan Yin b671c05db9 feat: migrate services to aqua 2024-07-31 14:29:21 +08:00
Ryan Yin 80e0bcf031 fix: nix path 2024-07-31 14:28:40 +08:00
Ryan Yin 64ab375d1f feat: update shell sessin 2024-07-31 14:09:53 +08:00
Ryan Yin 325f82b9cc fix: nix path (#147) 2024-07-31 13:39:49 +08:00
Ryan Yin 59a46844a7 fix: justfile & nushell - should use absolute path 2024-07-31 11:22:17 +08:00
Ryan Yin 5e21effb15 refactor: just - emacs reload for linux & macos 2024-07-31 11:08:07 +08:00
Ryan Yin 1e7b9697e1 feat: check process environment variables 2024-07-31 10:56:29 +08:00
Ryan Yin 422ec75ec0 refactor: justfile 2024-07-31 10:56:29 +08:00
Ryan Yin c059d90b17 feat: aqua - mount usb storage 2024-07-31 09:43:30 +08:00
Ryan Yin 880e0ac65e chore: update public keys 2024-07-30 14:21:07 +08:00
Ryan Yin ed4a2f00fe chore: nix flake update mysecrets 2024-07-30 14:01:26 +08:00
Ryan Yin 7a1788520b fix: typo 2024-07-30 13:50:32 +08:00
Ryan Yin e86d7a1020 fix: aqua - networking 2024-07-30 13:48:44 +08:00
Ryan Yin 6670c5bd7d fix: btrbk - kubevirt 2024-07-30 12:41:08 +08:00
Ryan Yin 0620f199b2 feat: update btrbk configs 2024-07-30 11:41:38 +08:00
Ryan Yin e2457e80aa docs: kubevirt-youko - pci passthrough 2024-07-30 10:22:42 +08:00
Ryan Yin 8ffaf4e3ae feat: decrease pre-allocated hugepages 2024-07-30 01:21:04 +08:00
Ryan Yin f9d07d92de fix: virt guest - use default gateway for better network 2024-07-30 00:31:37 +08:00
Ryan Yin 2b91c6f99d chore: nix flake update mysecrets 2024-07-30 00:02:55 +08:00
Ryan Yin fed3bc981b fix: k3s test cluster - token path 2024-07-29 23:42:14 +08:00
Ryan Yin d02331c1e0 Merge pull request #143 from ryan4yin/kubevirt-hugepages 
feat: pre-allocate hugepages for kubevirt
 2024-07-29 22:43:28 +08:00
Ryan Yin 5ec72c848f fix: allocate only hugepages with size 1Gi 2024-07-29 22:31:17 +08:00
Ryan Yin 5a6ccd8794 chore: update caddy's vm image path, checksum when uploading 2024-07-29 17:41:51 +08:00
Ryan Yin 3dc7ec1fe8 Merge pull request #141 from DataEraserC/fix-gtk-theme 
fix(home/linux/gui/base/gtk.nix): gtk theme name mismatch after upgrade
 2024-07-26 16:35:14 +08:00
DataEraserC 414a222d19 fix(home/linux/gui/base/gtk.nix): gtk theme name mismatch after upgrade 2024-07-26 04:28:16 +08:00
Ryan Yin 783d61999c docs: neovim - mason issue about nixos 2024-07-26 00:06:19 +08:00
Ryan Yin 86ec08aecb Merge pull request #140 from ryan4yin/nix-ld 
feat: add nix-ld and LIBRARY_PATH for mason.nvim and other downloaded…
 2024-07-25 23:27:46 +08:00
Ryan Yin b7b913b444 feat: add nix-ld and LIBRARY_PATH for mason.nvim and other downloaded binaries 2024-07-25 23:25:33 +08:00
Ryan Yin aa0e1d84e0 Merge pull request #139 from DataEraserC/patch-11 
fix(docs typo):`Morden` -> `Modern`
 2024-07-24 08:51:56 +08:00
DataEraserC 94e2e17c60 fix(typo):morden -> modern 2024-07-24 01:45:32 +08:00
Ryan Yin 41f4dc6237 docs: typo 2024-07-23 18:29:01 +08:00
127 changed files with 905 additions and 3437 deletions
Expand all files Collapse all files
.gitignore
+1
View File
@@ -3,3 +3,4 @@ result/
.direnv/
.DS_Store
.pre-commit-config.yaml
logs/
Justfile
+203 -116
View File
@@ -1,57 +1,85 @@
# just is a command runner, Justfile is very similar to Makefile, but simpler.
# use nushell for shell commands
# Use nushell for shell commands
# To usage this justfile, you need to enter a shell with just & nushell installed:
#
# nix shell nixpkgs#just nixpkgs#nushell
set shell := ["nu", "-c"]
utils_nu := absolute_path("utils.nu")
############################################################################
#
# Common commands(suitable for all machines)
#
############################################################################
# Remote deployment via colmena
col tag:
colmena apply --on '@{{tag}}' --verbose --show-trace
local name mode="default":
use utils.nu *; \
nixos-switch {{name}} {{mode}}
# List all the just commands
default:
@just --list
# Run eval tests
[group('nix')]
test:
nix eval .#evalTests --show-trace --print-build-logs --verbose
# update all the flake inputs
# Update all the flake inputs
[group('nix')]
up:
nix flake update
# Update specific input
# Usage: just upp nixpkgs
[group('nix')]
upp input:
nix flake update {{input}}
# List all generations of the system profile
[group('nix')]
history:
nix profile history --profile /nix/var/nix/profiles/system
# Open a nix shell with the flake
[group('nix')]
repl:
nix repl -f flake:nixpkgs
# remove all generations older than 7 days
# on darwin, you may need to switch to root user to run this command
[group('nix')]
clean:
sudo nix profile wipe-history --profile /nix/var/nix/profiles/system --older-than 7d
# Garbage collect all unused nix store entries
[group('nix')]
gc:
# garbage collect all unused nix store entries
sudo nix store gc --debug
sudo nix-collect-garbage --delete-old
# garbage collect all unused nix store entries(system-wide)
sudo nix-collect-garbage --delete-older-than 7d
# garbage collect all unused nix store entries(for the user - home-manager)
# https://github.com/LnL7/nix-darwin/issues/237
nix-collect-garbage --delete-older-than 7d
# Remove all reflog entries and prune unreachable objects
gitgc:
git reflog expire --expire-unreachable=now --all
git gc --prune=now
# Enter a shell session which has all the necessary tools for this flake
[linux]
[group('nix')]
shell:
nix shell nixpkgs#git nixpkgs#neovim nixpkgs#colmena
# Enter a shell session which has all the necessary tools for this flake
[macos]
[group('nix')]
shell:
nix shell nixpkgs#git nixpkgs#neovim
[group('nix')]
fmt:
# format the nix files in this repo
nix fmt
# Show all the auto gc roots in the nix store
[group('nix')]
gcroot:
ls -al /nix/var/nix/gcroots/auto/
############################################################################
#
@@ -60,24 +88,32 @@ gitgc:
############################################################################
[linux]
[group('desktop')]
i3 mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch ai-i3 {{mode}}
[linux]
[group('desktop')]
hypr mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch ai-hyprland {{mode}}
[linux]
[group('desktop')]
s-i3 mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch shoukei-i3 {{mode}}
[linux]
[group('desktop')]
s-hypr mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch shoukei-hyprland {{mode}}
############################################################################
@@ -87,31 +123,39 @@ s-hypr mode="default":
############################################################################
[macos]
[group('desktop')]
darwin-set-proxy:
sudo python3 scripts/darwin_set_proxy.py
sleep 1sec
[macos]
[group('desktop')]
darwin-rollback:
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
darwin-rollback
# Deploy to harmonica(macOS host)
[macos]
[group('desktop')]
ha mode="default":
use utils.nu *; \
darwin-build "harmonica" {{mode}}; \
#!/usr/bin/env nu
use {{utils_nu}} *;
darwin-build "harmonica" {{mode}};
darwin-switch "harmonica" {{mode}}
# Depoly to fern(macOS host)
[macos]
[group('desktop')]
fe mode="default": darwin-set-proxy
use utils.nu *; \
darwin-build "fern" {{mode}}; \
#!/usr/bin/env nu
use {{utils_nu}} *;
darwin-build "fern" {{mode}};
darwin-switch "fern" {{mode}}
# Reload yabai and skhd(macOS)
[macos]
[group('desktop')]
yabai-reload:
launchctl kickstart -k "gui/502/org.nixos.yabai";
launchctl kickstart -k "gui/502/org.nixos.skhd";
@@ -122,34 +166,67 @@ yabai-reload:
#
############################################################################
# Remote deployment via colmena
[linux]
[group('homelab')]
col tag:
colmena apply --on '@{{tag}}' --verbose --show-trace
[linux]
[group('homelab')]
local name mode="default":
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch {{name}} {{mode}}
# Build and upload a vm image
[linux]
[group('homelab')]
upload-vm name mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
upload-vm {{name}} {{mode}}
# Deploy all the KubeVirt nodes(Physical machines running KubeVirt)
[linux]
[group('homelab')]
lab:
colmena apply --on '@virt-*' --verbose --show-trace
[linux]
[group('homelab')]
shoryu:
colmena apply --on '@kubevirt-shoryu' --verbose --show-trace
[linux]
[group('homelab')]
shoryu-local mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch kubevirt-shoryu {{mode}}
[linux]
[group('homelab')]
shushou:
colmena apply --on '@kubevirt-shushou' --verbose --show-trace
[linux]
[group('homelab')]
shushou-local mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch kubevirt-shushou {{mode}}
[linux]
[group('homelab')]
youko:
colmena apply --on '@kubevirt-youko' --verbose --show-trace
[linux]
[group('homelab')]
youko-local mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch kubevirt-youko {{mode}}
############################################################################
@@ -159,31 +236,49 @@ youko-local mode="default":
############################################################################
# Build and upload a vm image
[linux]
[group('homelab')]
upload-idols mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
upload-vm aquamarine {{mode}}
upload-vm ruby {{mode}}
upload-vm kana {{mode}}
[linux]
[group('homelab')]
aqua:
colmena apply --on '@aqua' --verbose --show-trace
[linux]
[group('homelab')]
aqua-local mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch aquamarine {{mode}}
[linux]
[group('homelab')]
ruby:
colmena apply --on '@ruby' --verbose --show-trace
[linux]
[group('homelab')]
ruby-local mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch ruby {{mode}}
[linux]
[group('homelab')]
kana:
colmena apply --on '@kana' --verbose --show-trace
[linux]
[group('homelab')]
kana-local mode="default":
use utils.nu *; \
#!/usr/bin/env nu
use {{utils_nu}} *;
nixos-switch kana {{mode}}
############################################################################
@@ -193,90 +288,49 @@ kana-local mode="default":
############################################################################
# Build and upload a vm image
upload-k3s mode="default":
use utils.nu *; \
upload-vm k3s-prod-1-master-1 {{mode}}; \
upload-vm k3s-prod-1-master-2 {{mode}}; \
upload-vm k3s-prod-1-master-3 {{mode}}; \
upload-vm k3s-prod-1-worker-1 {{mode}}; \
upload-vm k3s-prod-1-worker-2 {{mode}}; \
[linux]
[group('homelab')]
upload-k3s-prod mode="default":
#!/usr/bin/env nu
use {{utils_nu}} *;
upload-vm k3s-prod-1-master-1 {{mode}};
upload-vm k3s-prod-1-master-2 {{mode}};
upload-vm k3s-prod-1-master-3 {{mode}};
upload-vm k3s-prod-1-worker-1 {{mode}};
upload-vm k3s-prod-1-worker-2 {{mode}};
upload-vm k3s-prod-1-worker-3 {{mode}};
[linux]
[group('homelab')]
upload-k3s-test mode="default":
use utils.nu *; \
upload-vm k3s-test-1-master-1 {{mode}}; \
upload-vm k3s-test-1-master-2 {{mode}}; \
#!/usr/bin/env nu
use {{utils_nu}} *;
upload-vm k3s-test-1-master-1 {{mode}};
upload-vm k3s-test-1-master-2 {{mode}};
upload-vm k3s-test-1-master-3 {{mode}};
k3s:
colmena apply --on '@k3s-*' --verbose --show-trace
master:
colmena apply --on '@k3s-prod-1-master-*' --verbose --show-trace
worker:
colmena apply --on '@k3s-prod-1-worker-*' --verbose --show-trace
[linux]
[group('homelab')]
k3s-prod:
colmena apply --on '@k3s-prod-*' --verbose --show-trace
[linux]
[group('homelab')]
k3s-test:
colmena apply --on '@k3s-test-*' --verbose --show-trace
############################################################################
#
# RISC-V related commands
# Neovim related commands
#
############################################################################
riscv:
colmena apply --on '@riscv' --verbose --show-trace
nozomi:
colmena apply --on '@nozomi' --verbose --show-trace
yukina:
colmena apply --on '@yukina' --verbose --show-trace
############################################################################
#
# Aarch64 related commands
#
############################################################################
rakushun:
colmena apply --on '@rakushun' --build-on-target --verbose --show-trace
rakushun-local mode="default":
use utils.nu *; \
nixos-switch rakushun {{mode}}
suzu-set-proxy:
ip route del default via 192.168.5.1
ip route add default via 192.168.5.178
suzu-unset-proxy:
ip route del default via 192.168.5.178
ip route add default via 192.168.5.1
suzu-local mode="default":
use utils.nu *; \
nixos-switch suzu {{mode}}
############################################################################
#
# Misc, other useful commands
#
############################################################################
fmt:
# format the nix files in this repo
nix fmt
path:
$env.PATH | split row ":"
[group('neovim')]
nvim-test:
rm -rf $"($env.HOME)/.config/nvim"
rsync -avz --copy-links --chmod=D2755,F744 home/base/tui/editors/neovim/nvim/ $"($env.HOME)/.config/nvim/"
[group('neovim')]
nvim-clean:
rm -rf $"($env.HOME)/.config/nvim"
@@ -284,45 +338,78 @@ nvim-clean:
# Emacs related commands
# =================================================
emacs-plist-path := "~/Library/LaunchAgents/org.nix-community.home.emacs.plist"
reload-emacs-cmd := if os() == "macos" {
"launchctl unload " + emacs-plist-path
+ "\n"
+ "launchctl load " + emacs-plist-path
+ "\n"
+ "tail -f ~/Library/Logs/emacs-daemon.stderr.log"
} else {
"systemctl --user restart emacs.service"
+ "\n"
+ "systemctl --user status emacs.service"
}
[group('emacs')]
emacs-test:
rm -rf $"($env.HOME)/.config/doom"
rsync -avz --copy-links --chmod=D2755,F744 home/base/tui/editors/emacs/doom/ $"($env.HOME)/.config/doom/"
doom clean
doom sync
[group('emacs')]
emacs-clean:
rm -rf $"($env.HOME)/.config/doom/"
[group('emacs')]
emacs-purge:
doom purge
doom clean
doom sync
[linux]
[group('emacs')]
emacs-reload:
doom sync
{{reload-emacs-cmd}}
systemctl --user restart emacs.service
systemctl --user status emacs.service
emacs-plist-path := "~/Library/LaunchAgents/org.nix-community.home.emacs.plist"
[macos]
[group('emacs')]
emacs-reload:
doom sync
launchctl unload {{emacs-plist-path}}
launchctl load {{emacs-plist-path}}
tail -f ~/Library/Logs/emacs-daemon.stderr.log
# =================================================
#
# Kubernetes related commands
# Other useful commands
#
# =================================================
[group('common')]
path:
$env.PATH | split row ":"
[linux]
[group('common')]
penvof pid:
sudo cat $"/proc/($pid)/environ" | tr '\0' '\n'
# Remove all reflog entries and prune unreachable objects
[group('git')]
ggc:
git reflog expire --expire-unreachable=now --all
git gc --prune=now
# Amend the last commit without changing the commit message
[group('git')]
game:
git commit --amend -a --no-edit
# Delete all failed pods
[group('k8s')]
del-failed:
kubectl delete pod --all-namespaces --field-selector="status.phase==Failed"
kubectl delete pod --all-namespaces --field-selector="status.phase==Failed"
[linux]
[group('services')]
list-inactive:
systemctl list-units -all --state=inactive
[linux]
[group('services')]
list-failed:
systemctl list-units -all --state=failed
README.md
+3
View File
@@ -31,6 +31,9 @@ This repository is home to the nix code that builds my systems:
See [./hosts](./hosts) for details of each host.
See [./Virtual-Machine.md](./Virtual-Machine.md) for details of how to create & manage KubeVirt's
Virtual Machine from this flake.
## Why NixOS & Flakes?
Nix allows for easy-to-manage, collaborative, reproducible deployments. This means that once
Virtual-Machine.md
+6 -2
View File
@@ -1,13 +1,17 @@
## How to create & managage KubeVirt's Virtual Machine from this flake?
Use `aquamarine` as an example, we can create a virtual machine with the following command:
Use `aquamarine` as an example, first build and upload the virtual machine's qcow2 image to the file
server:
```shell
just upload-vm aquamarine
```
Then create the virtual machine by creating a yaml file at
[ryan4yin/k8s-gitops](https://github.com/ryan4yin/k8s-gitops/tree/main/vms)
[ryan4yin/k8s-gitops](https://github.com/ryan4yin/k8s-gitops/tree/main/vms), set the
`spec.dataVolumeTemplates[0].source.http.url` to the uploaded file's URL, and fluxcd will
automatically apply the changes, then a virtual machine named `aquamarine` will be created in the
KubeVirt cluster.
Once the virtual machine `aquamarine` is created, we can deploy updates to it with the following
commands:
flake.lock
Generated
+95 -656
View File
File diff suppressed because it is too large Load Diff
flake.nix
-15
View File
@@ -101,19 +101,11 @@
nuenv.url = "github:DeterminateSystems/nuenv";
daeuniverse.url = "github:daeuniverse/flake.nix";
# daeuniverse.url = "github:daeuniverse/flake.nix/exp";
haumea = {
url = "github:nix-community/haumea/v0.2.2";
inputs.nixpkgs.follows = "nixpkgs";
};
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
######################## Some non-flake repositories #########################################
# doom-emacs is a configuration framework for GNU Emacs.
@@ -146,12 +138,5 @@
url = "github:ryan4yin/nur-packages";
# inputs.nixpkgs.follows = "nixpkgs";
};
# riscv64 SBCs
nixos-licheepi4a.url = "github:ryan4yin/nixos-licheepi4a";
# nixos-jh7110.url = "github:ryan4yin/nixos-jh7110";
# aarch64 SBCs
nixos-rk3588.url = "github:ryan4yin/nixos-rk3588";
};
}
home/base/core/container.nix
+1
View File
@@ -12,6 +12,7 @@
go-containerregistry # provides `crane` & `gcrane`, it's similar to skopeo
kubectl
kubectx
kubebuilder
istioctl
clusterctl # for kubernetes cluster-api
home/base/core/core.nix
+1 -1
View File
@@ -10,7 +10,7 @@
gnupg
gnumake
# Morden cli tools, replacement of grep/sed/...
# Modern cli tools, replacement of grep/sed/...
# Interactively filter its input using fuzzy searching, not limit to filenames.
fzf
home/base/core/yazi.nix
+6
View File
@@ -11,6 +11,12 @@
# Changing working directory when exiting Yazi
enableBashIntegration = true;
enableNushellIntegration = true;
settings = {
manager = {
show_hidden = true;
sort_dir_first = true;
};
};
};
xdg.configFile."yazi/theme.toml".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-yazi}/mocha.toml";
home/base/tui/editors/Structured-Editing.md
+1 -1
View File
@@ -5,7 +5,7 @@
- paredit/[lispy](https://github.com/doomemacs/doomemacs/tree/master/modules/editor/lispy): too
complex.
- [evil-cleverparens](https://github.com/emacs-evil/evil-cleverparens): simple and useful.
- [parinfer(par-in-fer)](https://shaunlebron.github.io/parinfer/): morden, simple, elegant and
- [parinfer(par-in-fer)](https://shaunlebron.github.io/parinfer/): modern, simple, elegant and
useful, but works not well with some other completion plugins...
- to make parinfer works, you should disable sexp & smartparens in any lisp mode.
home/base/tui/editors/helix/README.md
+1 -1
View File
@@ -20,7 +20,7 @@ Use `:tutor` in helix to start the tutorial.
1. Helix: delete 2 word: `2w` then `x`. You can always see what you're selecting before you apply
the action.
2. Neovim: delete 2 word: `d`. then `2w`. No visual feedback before you apply the action.
1. Helix - Morden builtin features: LSP, tree-sitter, fuzzy finder, multi cursors, surround and
1. Helix - Modern builtin features: LSP, tree-sitter, fuzzy finder, multi cursors, surround and
more.
1. They're all available in Neovim too, but you need to find and use the right plugins manually,
which takes time and effort.
home/base/tui/editors/neovim/README.md
+17 -3
View File
@@ -94,8 +94,11 @@ plugin.
### Splitting and Buffers
| | Action | Shortcut | | --------------------- | ------------- | | Horizontal Split | `\` | |
Vertical Split | `\|` | | Close Buffer | `<Space> + c` |
| Action | Shortcut |
| ---------------- | ------------- |
| Horizontal Split | `\` |
| Vertical Split | `\|` |
| Close Buffer | `<Space> + c` |
### Editing and Formatting
@@ -109,7 +112,18 @@ Vertical Split | `\|` | | Close Buffer | `<Space> + c` |
| Comment Line(support multiple lines) | `<Space> + /` |
| Open filepath/URL at cursor(neovim's builtin command) | `gx` |
| Find files by name (fzf) | `<Space> + ff` |
| Find files by name (include hidden files) | `<Space> + fF` |
| Grep string in files (ripgrep) | `<Space> + fw` |
| Grep string in files (include hidden files) | `<Space> + fW` |
### Git
| Action | Shortcut |
| -------------------------- | --------------- |
| Git Commits (repository) | `:<Space> + gc` |
| Git Commits (current file) | `:<Space> + gC` |
| Git Branches | `:<Space> + gb` |
| Git Status | `:<Space> + gt` |
### Sessions
@@ -163,7 +177,7 @@ Provided by mini.surround plugin.
| --------------------------------- | --------------- |
| Show all Yank History | `:<Space> + yh` |
| Show undo history | `:<Space> + uh` |
| Show the path of the current file | `:!echo $%` |
| Show the path of the current file | `:!echo $%` |
## Additional Resources
home/base/tui/editors/neovim/default.nix
+23
View File
@@ -2,6 +2,7 @@
config,
lib,
pkgs,
pkgs-unstable,
...
}:
###############################################################################
@@ -25,11 +26,33 @@ in {
programs = {
neovim = {
enable = true;
package = pkgs-unstable.neovim-unwrapped;
defaultEditor = true;
viAlias = true;
vimAlias = true;
# These environment variables are needed to build and run binaries
# with external package managers like mason.nvim.
#
# LD_LIBRARY_PATH is also needed to run the non-FHS binaries downloaded by mason.nvim.
# it will be set by nix-ld, so we do not need to set it here again.
extraWrapperArgs = with pkgs; [
# LIBRARY_PATH is used by gcc before compilation to search directories
# containing static and shared libraries that need to be linked to your program.
"--suffix"
"LIBRARY_PATH"
":"
"${lib.makeLibraryPath [stdenv.cc.cc zlib]}"
# PKG_CONFIG_PATH is used by pkg-config before compilation to search directories
# containing .pc files that describe the libraries that need to be linked to your program.
"--suffix"
"PKG_CONFIG_PATH"
":"
"${lib.makeSearchPathOutput "dev" "lib/pkgconfig" [stdenv.cc.cc zlib]}"
];
# Currently we use lazy.nvim as neovim's package manager, so comment this one.
#
# NOTE: These plugins will not be used by astronvim by default!
home/base/tui/editors/neovim/nvim/lua/plugins/mason.lua
+3
View File
@@ -1,4 +1,7 @@
-- Customize Mason plugins
--
-- NOTE: Issue - mason.nvim does not support NixOS:
-- https://github.com/williamboman/mason.nvim/issues/428
---@type LazySpec
return {
home/base/tui/editors/neovim/nvim/lua/plugins/treesitter.lua
+1
View File
@@ -24,6 +24,7 @@ return {
opts.ensure_installed = require("astrocore").list_insert_unique(opts.ensure_installed, {
-- please add only the tree-sitters that are not available in nixpkgs here
"just",
"kdl",
"csv",
"xml",
home/base/tui/encryption/README.md
+1 -1
View File
@@ -16,7 +16,7 @@ using a Cloud provider for key management.
Both age, Sops & GnuPG provide asymmetric encryption, which is useful for encrypting files for a
specific user.
For morden use, age is recommended, as it use [AEAD encryption function -
For modern use, age is recommended, as it use [AEAD encryption function -
ChaCha20-Poly1305][age Format v1], If you do not want to manage the keys by yourself, Sops is
recommended, as it use KMS for key management.
home/base/tui/gpg/README.md
+1 -1
View File
@@ -104,7 +104,7 @@ one keypair, or a keyring/keychain(which contains multiple sub key-pairs).
Let's generate a keypair interactively:
> Now in 2024, GnuPG 2.4.1 defaults to ECC algorithm (9) and Curve 25519 for ECC, which is morden
> Now in 2024, GnuPG 2.4.1 defaults to ECC algorithm (9) and Curve 25519 for ECC, which is modern
> and safe, I would recommend to use these defaults directly.
```bash
home/linux/gui/base/gtk.nix
+1 -1
View File
@@ -45,7 +45,7 @@
theme = {
# https://github.com/catppuccin/gtk
name = "Catppuccin-Macchiato-Compact-Pink-Dark";
name = "catppuccin-macchiato-pink-compact";
package = pkgs.catppuccin-gtk.override {
# https://github.com/NixOS/nixpkgs/blob/nixos-23.05/pkgs/data/themes/catppuccin-gtk/default.nix
accents = ["pink"];
hosts/12kingdoms-rakushun/Disk-and-Installation.md
-157
View File
@@ -1,157 +0,0 @@
# Rakushun - Disk and Installation
Disk layout:
```bash
[ryan@rakushun:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 58.6G 0 disk
└─sda1 8:1 1 487M 0 part
mtdblock0 31:0 0 16M 0 disk
zram0 254:0 0 0B 0 disk
nvme0n1 259:0 0 1.8T 0 disk
├─nvme0n1p1 259:1 0 630M 0 part /boot
└─nvme0n1p2 259:2 0 1.8T 0 part
└─encrypted 253:0 0 1.8T 0 crypt /tmp
/swap
/snapshots
/home/ryan/tmp
/home/ryan/nix-config
/home/ryan/go
/home/ryan/codes
/home/ryan/.ssh
/home/ryan/.local/state
/home/ryan/.npm
/home/ryan/.local/share
/home/ryan/.conda
/etc/ssh
/etc/nix/inputs
/etc/secureboot
/etc/agenix
/etc/NetworkManager/system-connections
/etc/machine-id
/nix/store
/var/log
/var/lib
/nix
/persistent
[ryan@rakushun:~]$ df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 785M 0 785M 0% /dev
tmpfs tmpfs 7.7G 0 7.7G 0% /dev/shm
tmpfs tmpfs 3.9G 6.8M 3.9G 1% /run
tmpfs tmpfs 7.7G 1.9M 7.7G 1% /run/wrappers
none tmpfs 4.0G 48K 4.0G 1% /
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /persistent
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /nix
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /snapshots
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /swap
/dev/mapper/crypted btrfs 1.9T 19G 1.8T 2% /tmp
/dev/nvme0n1p1 vfat 629M 96M 534M 16% /boot
tmpfs tmpfs 1.6G 4.0K 1.6G 1% /run/user/1000
```
CPU info:
```bash
[ryan@rakushun:~]$ lscpu
Architecture: aarch64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: ARM
Model name: Cortex-A55
Model: 0
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: r2p0
CPU(s) scaling MHz: 67%
CPU max MHz: 1800.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Model name: Cortex-A76
Model: 0
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
Stepping: r4p0
CPU(s) scaling MHz: 18%
CPU max MHz: 2256.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Caches (sum of all):
L1d: 384 KiB (8 instances)
L1i: 384 KiB (8 instances)
L2: 2.5 MiB (8 instances)
L3: 3 MiB (1 instance)
```
## How to install NixOS on Orange Pi 5 Plus
### 1. Prepare a USB LUKS key
Generate LUKS keyfile to encrypt the root partition, it's used by disko.
```bash
# partition the usb stick
DEV=/dev/sdX
parted ${DEV} -- mklabel gpt
parted ${DEV} -- mkpart OPI5P_DSC fat32 0% 512MB
mkfs.fat -F 32 -n OPI5P_DSC ${DEV}1
# Generate a keyfile from the true random number generator
KEYFILE=./orangepi5plus-luks-keyfile
dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
# copy the keyfile and token to the usb stick
KEYFILE=./orangepi5plus-luks-keyfile
DEVICE=/dev/disk/by-label/OPI5P_DSC
# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
```
### 2. Partition the SSD & install NixOS via disko
First, follow
[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
install UEFI bootloader and boot into NixOS live environment via a USB stick.
Then, run the following commands:
```bash
# transfer the nix-config to the target machine
rsync -avzP ~/nix-config rk@<ip-addr>:/home/rk/
# login via ssh
ssh rk@<ip-addr>
cd ~/nix-config/hosts/12kingdoms_rakushun
# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
# 2. partition & format the disk via disko
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
cd ~/nix-config
# install nixos
sudo nixos-install --root /mnt --flake .#rakushun --no-root-password --show-trace --verbose
# enter into the installed system, check password & users
# `su ryan` => `sudo -i` => enter ryan's password => successfully login
# if login failed, check the password you set in install-1, and try again
nixos-enter
# NOTE: DO NOT skip this step!!!
# copy the essential files into /persistent
# otherwise the / will be cleared and data will lost
## NOTE: impermanence just create links from / to /persistent
## We need to copy files into /persistent manually!!!
mv /etc/machine-id /persistent/etc/
mv /etc/ssh /persistent/etc/
mkdir -p /persistent/home/ryan
chown -R ryan:ryan /persistent/home/ryan
```
hosts/12kingdoms-rakushun/README.md
-40
View File
@@ -1,40 +0,0 @@
# Rakushun - Orange Pi 5 Plus
LUKS encrypted SSD for NixOS, on Orange Pi 5 Plus.
Storage, operation and maintenance related services are running on this host:
1. Storage such as git server, file server/browser, torrent downloader,, etc.
1. Backup or sync my personal data to cloud or NAS.
- For safety, those data should be encrypted before sending to the cloud or my NAS.
1. Collect and monitor the metrics/logs of my homelab.
## Showcases
![](../../_img/2024-03-07_orangepi5plus_rakushun.webp)
## Features
Services:
1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
1. restic: Backup my personal data to cloud or NAS.
1. synthing: Sync file between android/macbook/PC and NAS.
1. gitea: Self-hosted git service.
1. sftpgo: SFTP server.
1. transmission & AriaNg: Torrent downloader and HTTP downloader
1. alist/filebrower: File browser for local/SMB/Cloud
All the services assumes a reverse proxy to be setup in the front, they are all listening on
localhost, and a caddy service is listening on the local network interface and proxy the requests to
the services.
TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the
services.
## Misc
```bash
# copy closure to another arm64 machine
nix-copy-closure --to root@suzu /run/current-system
```
hosts/12kingdoms-rakushun/default.nix
-38
View File
@@ -1,38 +0,0 @@
{
mylib,
disko,
nixos-rk3588,
myvars,
...
}:
#############################################################
#
# Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
#
#############################################################
let
hostName = "rakushun"; # Define your hostname.
in {
imports =
(mylib.scanPaths ./.)
++ [
# import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
nixos-rk3588.nixosModules.orangepi5plus.core
disko.nixosModules.default
];
networking = {
inherit hostName;
inherit (myvars.networking) defaultGateway nameservers;
inherit (myvars.networking.hostsInterface.${hostName}) interfaces;
networkmanager.enable = false;
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}
hosts/12kingdoms-rakushun/disko-fs.nix
-111
View File
@@ -1,111 +0,0 @@
{
# required by impermanence
fileSystems."/persistent".neededForBoot = true;
disko.devices = {
nodev."/" = {
fsType = "tmpfs";
mountOptions = [
"size=4G"
"defaults"
# set mode to 755, otherwise systemd will set it to 777, which cause problems.
# relatime: Update inode access times relative to modify or change time.
"mode=755"
];
};
# TODO: rename to main
disk.sda = {
type = "disk";
# When using disko-install, we will overwrite this value from the commandline
device = "/dev/nvme0n1"; # The device to partition
content = {
type = "gpt";
partitions = {
# The EFI & Boot partition
ESP = {
size = "630M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
# The root partition
luks = {
size = "100%";
content = {
type = "luks";
name = "encrypted";
settings = {
keyFile = "/dev/disk/by-label/OPI5P_DSC"; # The keyfile is stored on a USB stick
# The maximum size of the keyfile is 8192 KiB
# type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
fallbackToPassword = true;
allowDiscards = true;
};
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
initrdUnlock = true;
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
# cryptsetup luksFormat
extraFormatArgs = [
"--type luks2"
"--cipher aes-xts-plain64"
"--hash sha512"
"--iter-time 5000"
"--key-size 256"
"--pbkdf argon2id"
# use true random data from /dev/random, will block until enough entropy is available
"--use-random"
];
extraOpenArgs = [
"--timeout 10"
];
content = {
type = "btrfs";
extraArgs = ["-f"]; # Force override existing partition
subvolumes = {
# mount the top-level subvolume at /btr_pool
# it will be used by btrbk to create snapshots
"/" = {
mountpoint = "/btr_pool";
# btrfs's top-level subvolume, internally has an id 5
# we can access all other subvolumes from this subvolume.
mountOptions = ["subvolid=5"];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@tmp" = {
mountpoint = "/tmp";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@snapshots" = {
mountpoint = "/snapshots";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@swap" = {
mountpoint = "/swap";
swap.swapfile.size = "16384M";
};
};
};
};
};
};
};
};
};
}
hosts/12kingdoms-rakushun/hardware-configuration.nix
-39
View File
@@ -1,39 +0,0 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.loader = {
# depending on how you configured your disk mounts, change this to /boot or /boot/efi.
efi.efiSysMountPoint = "/boot/";
efi.canTouchEfiVariables = true;
# do not use systemd-boot here, it has problems when running `nixos-install`
grub = {
device = "nodev";
efiSupport = true;
};
};
# clear /tmp on boot to get a stateless /tmp directory.
boot.tmp.cleanOnBoot = true;
boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}
hosts/12kingdoms-rakushun/homepage/README.md
-1
View File
@@ -1 +0,0 @@
# Homepage for my Homelab
hosts/12kingdoms-rakushun/homepage/default.nix
-25
View File
@@ -1,25 +0,0 @@
{pkgs, ...}: let
configDir = "/var/lib/homepage-dashboard";
in {
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/homepage-dashboard.nix
services.homepage-dashboard = {
enable = true;
listenPort = 4401;
openFirewall = false;
};
systemd.services.homepage-dashboard.environment = {
HOMEPAGE_CONFIG_DIR = configDir;
# 1. The value of env var HOMEPAGE_VAR_XXX will replace {{HOMEPAGE_VAR_XXX}} in any config
# HOMEPAGE_VAR_XXX_APIKEY = "myapikey";
# 2. The value of env var HOMEPAGE_FILE_XXX must be a file path,
# the contents of which will be used to replace {{HOMEPAGE_FILE_XXX}} in any config
};
# Install the homepage-dashboard configuration files
system.activationScripts.installHomepageDashboardConfig = ''
mkdir -p ${configDir}
${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F600 ${./config}/ ${configDir}/
${pkgs.systemdMinimal}/bin/systemctl restart homepage-dashboard
'';
}
hosts/12kingdoms-rakushun/impermanence.nix
-75
View File
@@ -1,75 +0,0 @@
{
impermanence,
pkgs,
...
}: {
imports = [
impermanence.nixosModules.impermanence
];
environment.systemPackages = [
# `sudo ncdu -x /`
pkgs.ncdu
];
# There are two ways to clear the root filesystem on every boot:
## 1. use tmpfs for /
## 2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
## boot.initrd.postDeviceCommands = ''
## mkdir -p /run/mymount
## mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
## btrfs subvolume delete /run/mymount
## btrfs subvolume snapshot / /run/mymount
## '';
#
# See also https://grahamc.com/blog/erase-your-darlings/
# NOTE: impermanence only mounts the directory/file list below to /persistent
# If the directory/file already exists in the root filesystem, you should
# move those files/directories to /persistent first!
environment.persistence."/persistent" = {
# sets the mount option x-gvfs-hide on all the bind mounts
# to hide them from the file manager
hideMounts = true;
directories = [
"/etc/NetworkManager/system-connections"
"/etc/ssh"
"/etc/nix/inputs"
"/etc/secureboot" # lanzaboote - secure boot
# my secrets
"/etc/agenix/"
"/var/log"
"/var/lib"
];
files = [
"/etc/machine-id"
];
# the following directories will be passed to /persistent/home/$USER
users.ryan = {
directories = [
"codes"
"nix-config"
"tmp"
{
directory = ".ssh";
mode = "0700";
}
# neovim / remmina / flatpak / ...
".local/share"
".local/state"
# language package managers
".npm"
".conda" # generated by `conda-shell`
"go"
];
files = [
".config/nushell/history.txt"
];
};
};
}
hosts/12kingdoms-rakushun/oci-containers/dashy/default.nix
-26
View File
@@ -1,26 +0,0 @@
{
# Replace dashy with gethomepage, because dashy is too slow to start/reload.
# # Install the dashy configuration file instead of symlink it
# system.activationScripts.installDashyConfig = ''
# install -Dm 600 ${./dashy_conf.yml} /etc/dashy/dashy_conf.yml
# '';
#
# # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/virtualisation/oci-containers.nix
# virtualisation.oci-containers.containers = {
# # check its logs via `journalctl -u podman-dashy`
# dashy = {
# hostname = "dashy";
# image = "lissy93/dashy:latest";
# ports = ["127.0.0.1:4000:80"];
# environment = {
# "NODE_ENV" = "production";
# };
# volumes = [
# "/etc/dashy/dashy_conf.yml:/app/public/conf.yml"
# ];
# autoStart = true;
# # cmd = [];
# };
# };
}
hosts/12kingdoms-rakushun/uptime-kuma.nix
-12
View File
@@ -1,12 +0,0 @@
{
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/uptime-kuma.nix
services.uptime-kuma = {
enable = true;
# https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
settings = {
"UPTIME_KUMA_HOST" = "127.0.0.1";
"UPTIME_KUMA_PORT" = "3350";
"DATA_DIR" = "/var/lib/uptime-kuma/";
};
};
}
hosts/12kingdoms-suzu/Disk-and-installation.md
-156
View File
@@ -1,156 +0,0 @@
# Suzu - Disk and Installation
Disk layout:
```bash
[ryan@suzu:~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 58.6G 0 disk
└─sda1 8:1 1 486M 0 part
mtdblock0 31:0 0 16M 0 disk
zram0 254:0 0 0B 0 disk
nvme0n1 259:0 0 238.5G 0 disk
├─nvme0n1p1 259:1 0 630M 0 part /boot
└─nvme0n1p2 259:2 0 237.9G 0 part
└─encrypted 253:0 0 237.8G 0 crypt /tmp
/snapshots
/swap
/home/ryan/tmp
/home/ryan/nix-config
/home/ryan/go
/home/ryan/.local/state
/home/ryan/codes
/home/ryan/.npm
/home/ryan/.ssh
/home/ryan/.local/share
/etc/ssh
/home/ryan/.conda
/etc/secureboot
/etc/agenix
/etc/nix/inputs
/etc/NetworkManager/system-connections
/nix/store
/var/log
/var/lib
/nix
/persistent
[ryan@suzu:~]$ df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 383M 0 383M 0% /dev
tmpfs tmpfs 3.8G 0 3.8G 0% /dev/shm
tmpfs tmpfs 1.9G 6.2M 1.9G 1% /run
tmpfs tmpfs 3.8G 1.9M 3.8G 1% /run/wrappers
none tmpfs 2.0G 48K 2.0G 1% /
/dev/mapper/crypted btrfs 238G 11G 226G 5% /persistent
/dev/mapper/crypted btrfs 238G 11G 226G 5% /nix
/dev/mapper/crypted btrfs 238G 11G 226G 5% /swap
/dev/mapper/crypted btrfs 238G 11G 226G 5% /snapshots
/dev/mapper/crypted btrfs 238G 11G 226G 5% /tmp
/dev/nvme0n1p1 vfat 629M 86M 543M 14% /boot
tmpfs tmpfs 766M 4.0K 766M 1% /run/user/1000
```
CPU info:
```bash
[ryan@suzu:~]$ lscpu
Architecture: aarch64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: ARM
Model name: Cortex-A55
Model: 0
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: r2p0
CPU(s) scaling MHz: 56%
CPU max MHz: 1800.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Model name: Cortex-A76
Model: 0
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
Stepping: r4p0
CPU(s) scaling MHz: 18%
CPU max MHz: 2256.0000
CPU min MHz: 408.0000
BogoMIPS: 48.00
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm lrcpc dcpop asimddp
Caches (sum of all):
L1d: 384 KiB (8 instances)
L1i: 384 KiB (8 instances)
L2: 2.5 MiB (8 instances)
L3: 3 MiB (1 instance)
```
## How to install NixOS on Orange Pi 5
### 1. Prepare a USB LUKS key
Generate LUKS keyfile to encrypt the root partition, it's used by disko.
```bash
# partition the usb stick
DEV=/dev/sdX
parted ${DEV} -- mklabel gpt
parted ${DEV} -- mkpart primary 2M 512MB
mkfs.fat -F 32 -n OPI5_DSC ${DEV}1
# Generate a keyfile from the true random number generator
KEYFILE=./orangepi5-luks-keyfile
dd bs=512 count=64 iflag=fullblock if=/dev/random of=$KEYFILE
# copy the keyfile and token to the usb stick
KEYFILE=./orangepi5-luks-keyfile
DEVICE=/dev/disk/by-label/OPI5_DSC
# seek=128 skip N obs-sized output blocks to avoid overwriting the filesystem header
dd bs=512 count=64 iflag=fullblock seek=128 if=$KEYFILE of=$DEVICE
```
### 2. Partition the SSD & install NixOS via disko
First, follow
[UEFI - ryan4yin/nixos-rk3588](https://github.com/ryan4yin/nixos-rk3588/blob/main/UEFI.md) to
install UEFI bootloader and boot into NixOS live environment via a USB stick.
Then, run the following commands:
```bash
# login via ssh
ssh rk@<ip-addr>
git clone https://github.com/ryan4yin/nix-config.git
cd ~/nix-config/hosts/12kingdoms_suzu
# 1. change the disk device path in ./disko-fs.nix to the disk you want to use
# 2. partition & format the disk via disko
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko ./disko-fs.nix
cd ~/nix-config
# install nixos
sudo nixos-install --root /mnt --flake .#suzu --no-root-password --show-trace --verbose
# enter into the installed system, check password & users
# `su ryan` => `sudo -i` => enter ryan's password => successfully login
# if login failed, check the password you set in install-1, and try again
nixos-enter
# NOTE: DO NOT skip this step!!!
# copy the essential files into /persistent
# otherwise the / will be cleared and data will lost
## NOTE: impermanence just create links from / to /persistent
## We need to copy files into /persistent manually!!!
mv /etc/machine-id /persistent/etc/
mv /etc/ssh /persistent/etc/
mkdir -p /persistent/home/ryan
chown -R ryan:ryan /persistent/home/ryan
```
hosts/12kingdoms-suzu/README.md
-34
View File
@@ -1,34 +0,0 @@
# Suzu - Orange Pi 5
LUKS encrypted SSD for NixOS, on Orange Pi 5.
## TODOs
- [ ] Add support for BGP routing.
- [Comparing Open Source BGP Stacks](https://elegantnetwork.github.io/posts/comparing-open-source-bgp-stacks/)
- [`services.frr.*` - search.nixos.org](https://search.nixos.org/options?channel=unstable&query=services.frr)
## Showcases
![](../../_img/2024-03-07_orangepi5_suzu.webp)
## Features
Micro VMs:
1. suzi: dae router(transparent proxy, dhcp)
1. mitsuha: tailscale gateway(sub router)
Services:
1. OCI Containers: to run some servides that's not available in NixOS.
1. ddns
1. uptime-kuma: uptime monitoring
1. excalidraw/DDTV/owncast/jitsi-meet/...
All the services assumes a reverse proxy to be setup in the front, they are all listening on
localhost, and a caddy service is listening on the local network interface and proxy the requests to
the services.
TODO: create a private PKI for caddy, to achieve end-to-end encryption between caddy and the
services.
hosts/12kingdoms-suzu/default.nix
-34
View File
@@ -1,34 +0,0 @@
{
disko,
nixos-rk3588,
mylib,
...
}:
#############################################################
#
# Suzu - Orange Pi 5 Plus, RK3588 + 16GB RAM
#
# https://github.com/astro/microvm.nix
#
#############################################################
let
hostName = "suzu"; # Define your hostname.
in {
imports =
(mylib.scanPaths ./.)
++ [
# import the rk3588 module, which contains the configuration for bootloader/kernel/firmware
nixos-rk3588.nixosModules.orangepi5plus.core
disko.nixosModules.default
];
networking = {inherit hostName;};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}
hosts/12kingdoms-suzu/disko-fs.nix
-111
View File
@@ -1,111 +0,0 @@
{
# required by impermanence
fileSystems."/persistent".neededForBoot = true;
disko.devices = {
nodev."/" = {
fsType = "tmpfs";
mountOptions = [
"size=2G"
"defaults"
# set mode to 755, otherwise systemd will set it to 777, which cause problems.
# relatime: Update inode access times relative to modify or change time.
"mode=755"
];
};
# TODO: rename to main
disk.sda = {
type = "disk";
# When using disko-install, we will overwrite this value from the commandline
device = "/dev/nvme0n1"; # The device to partition
content = {
type = "gpt";
partitions = {
# The EFI & Boot partition
ESP = {
size = "630M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
# The root partition
luks = {
size = "100%";
content = {
type = "luks";
name = "encrypted";
settings = {
keyFile = "/dev/disk/by-label/OPI5_DSC"; # The keyfile is stored on a USB stick
# The maximum size of the keyfile is 8192 KiB
# type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
fallbackToPassword = true;
allowDiscards = true;
};
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
initrdUnlock = true;
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
# cryptsetup luksFormat
extraFormatArgs = [
"--type luks2"
"--cipher aes-xts-plain64"
"--hash sha512"
"--iter-time 5000"
"--key-size 256"
"--pbkdf argon2id"
# use true random data from /dev/random, will block until enough entropy is available
"--use-random"
];
extraOpenArgs = [
"--timeout 10"
];
content = {
type = "btrfs";
extraArgs = ["-f"]; # Force override existing partition
subvolumes = {
# mount the top-level subvolume at /btr_pool
# it will be used by btrbk to create snapshots
"/" = {
mountpoint = "/btr_pool";
# btrfs's top-level subvolume, internally has an id 5
# we can access all other subvolumes from this subvolume.
mountOptions = ["subvolid=5"];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@tmp" = {
mountpoint = "/tmp";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@snapshots" = {
mountpoint = "/snapshots";
mountOptions = ["compress-force=zstd:1" "noatime"];
};
"@swap" = {
mountpoint = "/swap";
swap.swapfile.size = "8192M";
};
};
};
};
};
};
};
};
};
}
hosts/12kingdoms-suzu/hardware-configuration.nix
-39
View File
@@ -1,39 +0,0 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.loader = {
# depending on how you configured your disk mounts, change this to /boot or /boot/efi.
efi.efiSysMountPoint = "/boot/";
efi.canTouchEfiVariables = true;
# do not use systemd-boot here, it has problems when running `nixos-install`
grub = {
device = "nodev";
efiSupport = true;
};
};
# clear /tmp on boot to get a stateless /tmp directory.
boot.tmp.cleanOnBoot = true;
boot.initrd.availableKernelModules = ["nvme" "usbhid" "usb_storage"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enP3p49s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enP4p65s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}
hosts/12kingdoms-suzu/impermanence.nix
-75
View File
@@ -1,75 +0,0 @@
{
impermanence,
pkgs,
...
}: {
imports = [
impermanence.nixosModules.impermanence
];
environment.systemPackages = [
# `sudo ncdu -x /`
pkgs.ncdu
];
# There are two ways to clear the root filesystem on every boot:
## 1. use tmpfs for /
## 2. (btrfs/zfs only)take a blank snapshot of the root filesystem and revert to it on every boot via:
## boot.initrd.postDeviceCommands = ''
## mkdir -p /run/mymount
## mount -o subvol=/ /dev/disk/by-uuid/UUID /run/mymount
## btrfs subvolume delete /run/mymount
## btrfs subvolume snapshot / /run/mymount
## '';
#
# See also https://grahamc.com/blog/erase-your-darlings/
# NOTE: impermanence only mounts the directory/file list below to /persistent
# If the directory/file already exists in the root filesystem, you should
# move those files/directories to /persistent first!
environment.persistence."/persistent" = {
# sets the mount option x-gvfs-hide on all the bind mounts
# to hide them from the file manager
hideMounts = true;
directories = [
"/etc/NetworkManager/system-connections"
"/etc/ssh"
"/etc/nix/inputs"
"/etc/secureboot" # lanzaboote - secure boot
# my secrets
"/etc/agenix/"
"/var/log"
"/var/lib"
];
files = [
"/etc/machine-id"
];
# the following directories will be passed to /persistent/home/$USER
users.ryan = {
directories = [
"codes"
"nix-config"
"tmp"
{
directory = ".ssh";
mode = "0700";
}
# neovim / remmina / flatpak / ...
".local/share"
".local/state"
# language package managers
".npm"
".conda" # generated by `conda-shell`
"go"
];
files = [
".config/nushell/history.txt"
];
};
};
}
hosts/12kingdoms-suzu/microvm/README.md
-45
View File
@@ -1,45 +0,0 @@
# microvm.nix
## Commands
> https://github.com/astro/microvm.nix/blob/main/doc/src/microvm-command.md
```bash
# list vm
microvm -l
# update vm
microvm -u my-microvm
# show logs of a vm
journalctl -u microvm@my-microvm -n 50
# stop vm
systemctl stop microvm@$NAME
# remove vm
rm -rf /var/lib/microvms/$NAME
# Run a MicroVM in foreground(for testing)
# You have to stop the vm before running this command!
microvm -r my-microvm
# Stop a MicroVM that is running in foreground
## 1. run `sudo shutdown -h now` in the vm
## 2. run `systemctl stop microvm@my-microvm` in the host
```
## VM's pros compared to container
1. VM has its own kernel, so it can use a fullfeatured kernel or customise the kernel's
configuration, without affecting the host.
1. VM use a fullfeatured init system, so it can run services like a real machine.
1. VM can use a fullfeatured network stack, so it can run network services like a real machine. it's
very useful for hosting some network services(such as tailscale, dae, etc).
## FAQ
### 1. enter the vm without ssh
[Enter running machine as systemd service](https://github.com/astro/microvm.nix/issues/123)
hosts/12kingdoms-suzu/microvm/default.nix
-35
View File
@@ -1,35 +0,0 @@
{
myvars,
mylib,
daeuniverse,
agenix,
microvm,
mysecrets,
nuenv,
...
}: {
imports = [
# Include the microvm host module
microvm.nixosModules.host
];
microvm.vms = {
suzi = {
autostart = true;
restartIfChanged = true;
specialArgs = {inherit myvars mylib daeuniverse agenix mysecrets nuenv;};
config.imports = [./suzi];
};
mitsuha = {
autostart = true;
restartIfChanged = true;
specialArgs = {inherit myvars mylib nuenv;};
config.imports = [./mitsuha];
};
};
}
hosts/12kingdoms-suzu/microvm/mitsuha/default.nix
-67
View File
@@ -1,67 +0,0 @@
{mylib, ...}: {
imports =
(mylib.scanPaths ./.)
++ [
../../../../modules/nixos/base/ssh.nix
../../../../modules/nixos/base/user-group.nix
../../../../modules/base.nix
];
microvm = {
mem = 1024; # RAM allocation in MB
vcpu = 1; # Number of Virtual CPU cores
interfaces = [
{
type = "tap";
id = "vm-mitsuha"; # should be prefixed with "vm-"
mac = "02:00:00:00:00:02"; # Unique MAC address
}
];
# Block device images for persistent storage
# microvm use tmpfs for root(/), so everything else
# is ephemeral and will be lost on reboot.
#
# you can check this by running `df -Th` & `lsblk` in the VM.
volumes = [
{
mountPoint = "/var";
image = "var.img";
size = 512;
}
{
mountPoint = "/etc";
image = "etc.img";
size = 50;
}
];
# shares can not be set to `neededForBoot = true;`
# so if you try to use a share in boot script(such as system.activationScripts), it will fail!
shares = [
{
# It is highly recommended to share the host's nix-store
# with the VMs to prevent building huge images.
# a host's /nix/store will be picked up so that no
# squashfs/erofs will be built for it.
#
# by this way, /nix/store is readonly in the VM,
# and thus the VM can't run any command that modifies
# the store. such as nix build, nix shell, etc...
# if you want to run nix commands in the VM, see
# https://github.com/astro/microvm.nix/blob/main/doc/src/shares.md#writable-nixstore-overlay
tag = "ro-store"; # Unique virtiofs daemon tag
proto = "virtiofs"; # virtiofs is faster than 9p
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
];
hypervisor = "qemu";
# Control socket for the Hypervisor so that a MicroVM can be shutdown cleanly
socket = "control.socket";
};
system.stateVersion = "24.05";
}
hosts/12kingdoms-suzu/microvm/mitsuha/networking.nix
-19
View File
@@ -1,19 +0,0 @@
{myvars, ...}: let
hostName = "mitsuha";
inherit (myvars.networking) mainGateway nameservers;
inherit (myvars.networking.hostsAddr.${hostName}) ipv4;
ipv4WithMask = "${ipv4}/24";
in {
systemd.network.enable = true;
systemd.network.networks."20-lan" = {
matchConfig.Type = "ether";
networkConfig = {
Address = [ipv4WithMask];
Gateway = mainGateway;
DNS = nameservers;
DHCP = "no";
};
};
}
hosts/12kingdoms-suzu/microvm/mitsuha/tailscale.nix
-42
View File
@@ -1,42 +0,0 @@
{pkgs, ...}:
# =============================================================
#
# Tailscale - your own private network(VPN) that uses WireGuard
#
# It's open source and free for personal use,
# and it's really easy to setup and use.
# Tailscale has great client coverage for Linux, windows, Mac, android, and iOS.
# Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker.
# Maybe I'll give netbird/netmaker a try when they are more mature, but for now, I'm sticking with Tailscale.
#
# How to use:
# 1. Create a Tailscale account at https://login.tailscale.com
# 2. Login via `tailscale login`
# 3. join into your Tailscale network via `tailscale up --advertise-routes 192.168.5.0/24`
# 4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below.
#
# Status Data:
# `journalctl -u tailscaled` shows tailscaled's logs
# logs indicate that tailscale store its data in /var/lib/tailscale
# which is already persistent across reboots(via impermanence.nix)
#
# References:
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/tailscale.nix
#
# =============================================================
{
# make the tailscale command usable to users
environment.systemPackages = [pkgs.tailscale];
# enable the tailscale service
services.tailscale = {
enable = true;
port = 41641;
interfaceName = "tailscale0";
# allow the Tailscale UDP port through the firewall
openFirewall = true;
useRoutingFeatures = "server";
extraUpFlags = "--advertise-routes 192.168.5.0/24";
# authKeyFile = "/var/lib/tailscale/authkey";
};
}
hosts/12kingdoms-suzu/microvm/suzi/README.md
-48
View File
@@ -1,48 +0,0 @@
# Dae - NixOS Router
A router(IPv4 only) with a transparent proxy to bypass the G|F|W.
NOTE: dae do not provides a http/socks5 proxy server, so a v2ray server is running on
[idols_kana](../idols_kana/proxy.nix) to provides a http/socks5 proxy service.
## Troubleshooting
### Can not access the global internet
1. Check whether the subscription url is accessible.
- If not, then you need to get a new subscription url and update the `dae`'s configuration.
1. Check the `dae` service's log by `journalctl -u dae -n 1000`.
### DNS cannot be resolved
1. `sudo systemctl stop dae`, then try to resolve the domain name again.
- If it works, the problem is caused by `dae` service.
- check dae's log by `journalctl -u dae -n 1000`
1. DNS & DHCP is provided by `dnsmasq` service, check the configuration of `dnsmasq`.
### DHCP cannot be obtained
1. `ss -tunlp`, check if `dnsmasq` is running and listening on udp port 67.
1. `journalctl -u dnsmasq -n 1000` to check the log of `dnsmasq`.
1. Request a new IP address by disconnect and reconnect one of your devices' wifi.
1. `nix shell nixpkgs#dhcpdump` and then `sudo dhcpdump -i br-lan`, check if the DHCP request is
received by `dnsmasq`.
1. The server listens on UDP port number 67, and the client listens on UDP port number 68.
1. DHCP operations fall into four phases:
1. Server **discovery**: The DHCP client broadcasts a DHCPDISCOVER message on the network
subnet using the destination address 255.255.255.255 (limited broadcast) or the specific
subnet broadcast address (directed broadcast).
1. IP lease **offer**: When a DHCP server receives a DHCPDISCOVER message from a client, which
is an IP address lease request, the DHCP server reserves an IP address for the client and
makes a lease offer by sending a DHCPOFFER message to the client.
1. IP lease **request**: In response to the DHCP offer, the client replies with a DHCPREQUEST
message, broadcast to the server,[a] requesting the offered address.
1. IP lease **acknowledgement**: When the DHCP server receives the DHCPREQUEST message from
the client, it sends a DHCPACK packet to the client, which includes the lease duration and
any other configuration information that the client might have requested.
1. So if you see only `DISCOVER` messages, the dhsmasq is not working properly.
## References
- <https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md>
- <https://github.com/ghostbuster91/nixos-router>
hosts/12kingdoms-suzu/microvm/suzi/config.dae
-326
View File
@@ -1,326 +0,0 @@
# https://github.com/daeuniverse/dae/discussions/81
# https://github.com/daeuniverse/dae/blob/main/example.dae
# load all dae files placed in ./config.d/
include {
config.d/*.dae
}
global {
##### Software options.
# tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
# In normal case, you do not need to use it.
tproxy_port: 12345
# Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed
# iptables tproxy rules.
tproxy_port_protect: true
# If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
# rules.
so_mark_from_dae: 1
# Log level: error, warn, info, debug, trace.
log_level: info
# Disable waiting for network before pulling subscriptions.
disable_waiting_network: false
##### Interface and kernel options.
# The LAN interface to bind. Use it if you want to proxy LAN.
# Multiple interfaces split by ",".
lan_interface: br-lan
# The WAN interface to bind. Use it if you want to proxy localhost.
# Multiple interfaces split by ",". Use "auto" to auto detect.
#
# Disable this to avoid problems with the proxy server that prevent the subscription link from being updated
# wan_interface: auto
# Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
auto_config_kernel_parameter: false
##### Node connectivity check.
# Host of URL should have both IPv4 and IPv6 if you have double stack in local.
# First is URL, others are IP addresses if given.
# Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
#tcp_check_url: 'http://cp.cloudflare.com'
tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
# The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass
# accounting for this kind of traffic.
tcp_check_http_method: HEAD
# This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
# TCP DNS connectivity of nodes.
# First is URL, others are IP addresses if given.
# This DNS should have both IPv4 and IPv6 if you have double stack in local.
#udp_check_dns: 'dns.google.com:53'
udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'
check_interval: 30s
# Group will switch node only when new_latency <= old_latency - tolerance.
check_tolerance: 50ms
##### Connecting options.
# Optional values of dial_mode are:
# 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
# respectively, and makes the IP version requested by the application meet expectations. For example, if you
# use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
# This may solve some weird full-cone problem if your are be your node support that. Sniffing will be disabled
# in this mode.
# 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
# if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
# re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
# That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
# 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
# DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
# go through dae, dae cannot split traffic by domain.
# 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover
# domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources.
dial_mode: domain
# Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.
allow_insecure: false
# Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful
# in high latency LAN network.
sniffing_timeout: 100ms
# TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello.
tls_implementation: tls
# The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls.
# See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17
utls_imitate: chrome_auto
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
dns {
# For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
# respond to type A queries and response empty answer to type AAAA queries.
ipversion_prefer: 4
# Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
# for these domains.
#fixed_domain_ttl {
# ddns.example.org: 10
# test.example.org: 3600
#}
upstream {
# Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.
# If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
# IPv4 or IPv6 to use according to group policy (such as min latency policy).
# Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
# If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.
alidns: 'udp://223.5.5.5:53'
googledns: 'tcp+udp://8.8.8.8:53'
}
routing {
# According to the request of dns query, decide to use which DNS upstream.
# Match rules from top to bottom.
request {
# Lookup China mainland domains using alidns, otherwise googledns.
qname(geosite:cn) -> alidns
# fallback is also called default.
fallback: googledns
# other custom rules
qname(full:analytics.google.com) -> googledns # do not block google analytics(console)
qname(regex: '.+\.nixos.org$') -> googledns
qname(geosite:category-ads) -> reject
qname(geosite:category-ads-all) -> reject
qtype(aaaa) -> reject
qname(regex: '.+\.linkedin$') -> googledns
}
# According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
# Match rules from top to bottom.
response {
# Trusted upstream. Always accept its result.
upstream(googledns) -> accept
# Possibly polluted(domain resolved to a private ip), re-lookup using googledns.
ip(geoip:private) && !qname(geosite:cn) -> googledns
fallback: accept
}
}
}
# Node group (outbound).
group {
proxy {
filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
# Filter nodes and give a fixed latency offset to archive latency-based failover.
# In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
# filter: name(keyword: '英国') [add_latency: -300ms]
# filter: name(keyword: 'Japan') [add_latency: 300ms]
# filter: name(keyword: '日本') [add_latency: 300ms]
# Other filters:
# Filter nodes from the global node pool defined by the subscription and node section above.
# filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')
# Filter nodes from the global node pool defined by tag.
# filter: name('node_a','node_b')
# Select the node with min average of the last 10 latencies from the group for every connection.
policy: min_avg10
# Other policies:
# random - Randomly select a node from the group for every connection.
# fixed(0) - Select the first node from the group for every connection.
# min - Select the node with min last latency from the group for every connection.
# min_moving_avg - Select the node with min moving average of latencies from the group for every connection.
}
media {
filter: name(keyword: 'Hong Kong')
filter: name(keyword: '香港')
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
filter: name(keyword: 'USA') [add_latency: -500ms]
filter: name(keyword: '美国') [add_latency: -500ms]
filter: name(keyword: 'UK') [add_latency: -300ms]
filter: name(keyword: '英国') [add_latency: -300ms]
filter: name(keyword: 'Japan') [add_latency: 300ms]
filter: name(keyword: '日本') [add_latency: 300ms]
policy: min_avg10
}
ssh-proxy {
filter: name(keyword: 'UK')
filter: name(keyword: '英国')
policy: min_avg10
}
sg {
filter: name(keyword: 'Singapore')
filter: name(keyword: '新加坡')
policy: min_avg10
}
usa {
filter: name(keyword: 'USA')
filter: name(keyword: '美国')
policy: min_avg10
}
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
# Pname has the highest priority, so should be placed in the front.
# Priority of other rules is the same as the order of the rules defined in this file.
routing {
### Preset rules.
# Network managers in localhost should be direct to
# avoid false negative network connectivity check when binding to WAN.
pname(NetworkManager) -> direct
pname(systemd-networkd) -> direct
# Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
# forwarded by the proxy.
# "dip" means destination IP.
dip(224.0.0.0/3, 'ff00::/8') -> direct
# This line allows you to access private addresses directly instead of via your proxy. If you really want to access
# private addresses in your proxy host network, modify the below line.
dip(geoip:private) -> direct
# --- Core rules ---#
# Disable HTTP3(QUIC) because it usually consumes too much cpu/mem resources.
l4proto(udp) && dport(443) -> block
# Direct access to all Chinese mainland-related IP addresses
dip(geoip:cn) -> direct
domain(geosite:cn) -> direct
# Block ads
domain(full:analytics.google.com) -> proxy # do not block google analytics(console)
domain(geosite:category-ads) -> block
domain(geosite:category-ads-all) -> block
# DNS
dip(8.8.8.8, 8.8.4.4) -> proxy
dip(223.5.5.5, 223.6.6.6) -> direct
domain(full:dns.alidns.com) -> direct
domain(full:dns.googledns.com) -> proxy
domain(full:dns.opendns.com) -> proxy
# --- Rules for other commonly used sites ---#
# SSH - tcp port 22 is blocked by many proxy servers.
dport(22) && !dip(geoip:cn) && !domain(geosite:cn) -> ssh-proxy
### OpenAI
domain(geosite:openai) -> sg
domain(regex:'.+\.openai$') -> sg
# Steam
domain(suffix: steampowered.com) -> direct
domain(suffix: steamserver.net) -> direct
domain(geosite:steam@cn) -> direct
domain(geosite:steam) -> proxy
### Media
domain(geosite:netflix) -> media
### Proxy
domain(suffix: linkedin.com) -> proxy
domain(keyword:'linkedin') -> proxy
domain(regex:'.+\.linkedin\.com$') -> proxy
domain(regex:'.+\.quay\.io$') -> proxy
domain(regex:'.+\.notion\.so$') -> proxy
domain(regex:'.+\.amazon\.com$') -> proxy
domain(regex:'.+\.oracle\.com$') -> proxy
domain(regex:'.+\.docker\.com$') -> proxy
domain(regex:'.+\.kubernetes\.io$') -> proxy
domain(regex:'.+\.nixos\.org$') -> proxy
domain(geosite:microsoft) -> proxy
domain(geosite:linkedin) -> proxy
domain(geosite:twitter) -> proxy
domain(geosite:telegram) -> proxy
domain(geosite:google) -> proxy
domain(geosite:apple) -> proxy
domain(geosite:category-container) -> proxy
domain(geosite:category-dev) -> proxy
domain(geosite:google-scholar) -> proxy
domain(geosite:category-scholar-!cn) -> proxy
### Direct
domain(regex:'.+\.edu\.cn$') -> direct
domain(keyword:'baidu') -> direct
domain(keyword:'bilibili') -> direct
domain(keyword:'taobao') -> direct
domain(keyword:'alibabadns') -> direct
domain(keyword:'alicdn') -> direct
domain(keyword:'tbcache') -> direct
domain(keyword:'zhihu') -> direct
domain(keyword:'douyu') -> direct
domain(geosite:cloudflare-cn) -> direct
# --- Fallback rules ---#
# Access all other foreign sites
domain(geosite:geolocation-!cn) -> proxy
!dip(geoip:cn) -> proxy
fallback: direct
}
hosts/12kingdoms-suzu/microvm/suzi/dae.nix
-61
View File
@@ -1,61 +0,0 @@
{
config,
pkgs,
daeuniverse,
...
}:
# https://github.com/daeuniverse/flake.nix
let
daeConfigPath = "/etc/dae/config.dae";
subscriptionConfigPath = "/etc/dae/config.d/subscription.dae";
in {
imports = [
daeuniverse.nixosModules.dae
];
# dae - eBPF-based Linux high-performance transparent proxy.
services.dae = {
enable = true;
package = daeuniverse.packages.${pkgs.system}.dae;
disableTxChecksumIpGeneric = false;
configFile = daeConfigPath;
assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
# alternatively, specify assets dir
# assetsPath = "/etc/dae";
openFirewall = {
enable = true;
port = 12345;
};
};
systemd.services.dae.serviceConfig = {
Restart = "on-failure";
RestartSec = 10;
};
# dae supports two types of subscriptions: base64 encoded proxies, and sip008.
# subscription can be a url return the subscription, or a file path that contains the subscription.
#
# Nix decrypt and merge my dae's base config and subscription config here.
# the subscription config is something like:
# ```
# subscription {
# 'https://www.example.com/subscription/link'
# 'https://example.com/no_tag_link'
# }
# node {
# # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go, tuic, juicity
# node_a: 'trojan://'
# node_b: 'trojan://'
# node_c: 'vless://'
# node_d: 'vless://'
# node_e: 'vmess://'
# node_f: 'tuic://'
# node_h: 'juicity://'
# }
# ```
system.activationScripts.installDaeConfig = ''
install -Dm 600 ${./config.dae} ${daeConfigPath}
install -Dm 600 ${config.age.secrets."dae-subscription.dae".path} ${subscriptionConfigPath}
'';
}
hosts/12kingdoms-suzu/microvm/suzi/default.nix
-70
View File
@@ -1,70 +0,0 @@
{mylib, ...}: {
imports =
(mylib.scanPaths ./.)
++ [
../../../../secrets/nixos.nix
../../../../modules/nixos/base/ssh.nix
../../../../modules/nixos/base/user-group.nix
../../../../modules/base.nix
];
modules.secrets.server.network.enable = true;
microvm = {
mem = 1024; # RAM allocation in MB
vcpu = 1; # Number of Virtual CPU cores
interfaces = [
{
type = "tap";
id = "vm-suzi"; # should be prefixed with "vm-"
mac = "02:00:00:00:00:01"; # unique MAC address
}
];
# Block device images for persistent storage
# microvm use tmpfs for root(/), so everything else
# is ephemeral and will be lost on reboot.
#
# you can check this by running `df -Th` & `lsblk` in the VM.
volumes = [
{
mountPoint = "/var";
image = "var.img";
size = 512;
}
{
mountPoint = "/etc";
image = "etc.img";
size = 50;
}
];
# shares can not be set to `neededForBoot = true;`
# so if you try to use a share in boot script(such as system.activationScripts), it will fail!
shares = [
{
# It is highly recommended to share the host's nix-store
# with the VMs to prevent building huge images.
# a host's /nix/store will be picked up so that no
# squashfs/erofs will be built for it.
#
# by this way, /nix/store is readonly in the VM,
# and thus the VM can't run any command that modifies
# the store. such as nix build, nix shell, etc...
# if you want to run nix commands in the VM, see
# https://github.com/astro/microvm.nix/blob/main/doc/src/shares.md#writable-nixstore-overlay
tag = "ro-store"; # Unique virtiofs daemon tag
proto = "virtiofs"; # virtiofs is faster than 9p
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
];
hypervisor = "qemu";
# Control socket for the Hypervisor so that a MicroVM can be shutdown cleanly
socket = "control.socket";
};
system.stateVersion = "24.05";
}
hosts/12kingdoms-suzu/microvm/suzi/networking.nix
-180
View File
@@ -1,180 +0,0 @@
{
lib,
myvars,
...
}: let
hostName = "suzi";
inherit (myvars.networking) mainGateway nameservers;
inherit (myvars.networking.hostsAddr.${hostName}) ipv4;
ipv4WithMask = "${ipv4}/24";
dhcpRange = {
start = "192.168.5.5";
end = "192.168.5.99";
};
in {
boot.kernel.sysctl = {
# https://github.com/ghostbuster91/blogposts/blob/main/router2023-part2/main.md
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md
# forward network packets that are not destined for the interface on which they were received
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
"net.ipv4.conf.br-lan.rp_filter" = 1;
"net.ipv4.conf.br-lan.send_redirects" = 0;
};
# Docker uses iptables internally to setup NAT for containers.
# This module disables the ip_tables kernel module, which is required for nftables to work.
# So make sure to disable docker here.
virtualisation.docker.enable = lib.mkForce false;
networking = {
useNetworkd = true;
useDHCP = false;
networkmanager.enable = false;
wireless.enable = false; # Enables wireless support via wpa_supplicant.
# No local firewall.
nat.enable = false;
firewall.enable = false;
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nftables.nix
nftables = {
enable = true;
# Check the applied rules with `nft -a list ruleset`.
# Since this is a internal bypass router, we don't need to do NAT & can forward all traffic.
ruleset = ''
# Check out https://wiki.nftables.org/ for better documentation.
# Table for both IPv4 and IPv6.
table inet filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iifname lo accept
# accept any lan traffic
iifname br-lan accept
# count and drop any other traffic
counter drop
}
# Allow all outgoing connections.
chain output {
type filter hook output priority 0;
accept
}
# Allow all forwarding all traffic.
chain forward {
type filter hook forward priority 0;
accept
}
}
'';
};
};
# https://nixos.wiki/wiki/Systemd-networkd
systemd.network = {
netdevs = {
# Create the bridge interface
"20-br-lan" = {
netdevConfig = {
Kind = "bridge";
Name = "br-lan";
};
};
};
# This is a bypass router, so we do not need a wan interface here.
networks = {
"30-lan0" = {
# match the interface by type
matchConfig.Type = "ether";
# Connect to the bridge
networkConfig = {
Bridge = "br-lan";
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
};
# Configure the bridge device we just created
"40-br-lan" = {
matchConfig.Name = "br-lan";
address = [
# configure addresses including subnet mask
ipv4WithMask # forwards all traffic to the gateway except for the router address itself
];
routes = [
# forward all traffic to the main gateway
{routeConfig.Gateway = mainGateway;}
];
bridgeConfig = {};
linkConfig.RequiredForOnline = "routable";
};
};
};
# resolved is conflict with dnsmasq
services.resolved.enable = false;
services.dnsmasq = {
enable = true;
# resolve local queries (add 127.0.0.1 to /etc/resolv.conf)
resolveLocalQueries = true; # may be conflict with dae, disable this.
alwaysKeepRunning = true;
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=tree
settings = {
# upstream DNS servers
server = nameservers;
# forces dnsmasq to try each query with each server strictly
# in the order they appear in the config.
strict-order = true;
# Never forward plain names (without a dot or domain part)
domain-needed = true;
# Never forward addresses in the non-routed address spaces(e.g. private IP).
bogus-priv = true;
# don't needlessly read /etc/resolv.conf which only contains the localhost addresses of dnsmasq itself.
no-resolv = true;
# Cache dns queries.
cache-size = 1000;
dhcp-range = ["${dhcpRange.start},${dhcpRange.end},24h"];
interface = "br-lan";
dhcp-sequential-ip = true;
dhcp-option = [
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
"option:router,${ipv4}"
"option:dns-server,${ipv4}"
];
# local domains
local = "/lan/";
domain = "lan";
expand-hosts = true;
# don't use /etc/hosts
no-hosts = true;
address = [
# "/surfer.lan/192.168.10.1"
];
};
};
# monitoring with prometheus
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
services.prometheus.exporters.dnsmasq = {
enable = true;
listenAddress = "0.0.0.0";
port = 9153;
openFirewall = false;
leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
};
# The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of
# letting the first CPU core to handle everything.
# This is supposed to increase performance by hitting CPU cache more often.
services.irqbalance.enable = false;
}
hosts/12kingdoms-suzu/networking.nix
-45
View File
@@ -1,45 +0,0 @@
{myvars, ...}: let
hostName = "suzu";
inherit (myvars.networking) mainGateway nameservers;
inherit (myvars.networking.hostsAddr.${hostName}) iface ipv4;
ipv4WithMask = "${ipv4}/24";
in {
boot.kernel.sysctl = {
# forward network packets that are not destined for the interface on which they were received
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.useNetworkd = true;
systemd.network.enable = true;
# A bridge to link all VM's TAP interfaces into local network.
# https://github.com/astro/microvm.nix/blob/main/doc/src/simple-network.md
systemd.network.networks."10-lan" = {
# match on the main interface and all VM interfaces
matchConfig.Name = [iface "vm-*"];
networkConfig = {
Bridge = "br0";
};
};
systemd.network.netdevs."br0" = {
netdevConfig = {
Name = "br0";
Kind = "bridge";
};
};
# Add ipv4 address to the bridge.
systemd.network.networks."10-lan-bridge" = {
matchConfig.Name = "br0";
networkConfig = {
Address = [ipv4WithMask];
Gateway = mainGateway;
DNS = nameservers;
IPv6AcceptRA = true;
};
linkConfig.RequiredForOnline = "routable";
};
}
hosts/README.md
+6 -13
View File
@@ -2,26 +2,19 @@
1. `12kingdoms`:
1. `shoukei`: NixOS on Macbook Pro 2020 Intel i5, 13.3-inch, 16G RAM + 512G SSD.
1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM +
256G SSD.
1. Network related services running via microvm.nix, such as router(transparent proxy - dae),
tailscale subrouter, etc.
1. `rakushun`: Orange Pi 5 Plus, RK3588(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8),
16G RAM + 2T SSD.
1. Monitoring(prometheus, grafana, exporters), CI/CD(gitea, runner), homepage, file browser,
and other services.
1. `darwin`(macOS)
1. `fern`: MacBook Pro 2022 13-inch M2 16G, mainly for business.
1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use.
1. `k8s`: My Kubernetes Clusters
1. `k8s`: My Kubevirt & Kubernetes Clusters
1. `idols`
1. `ai`: My main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
2. `aquamarine`: Not used now.
2. `aquamarine`: Kubevirt Virtual Machine.
- Monitoring(prometheus, grafana, exporters), CI/CD(gitea, runner), homepage, file browser,
and other services.
3. `ruby`: Not used now.
4. `kana`: Not used now.
1. `rolling_girls`: My RISCV64 hosts.
1. `nozomi`: Lichee Pi 4A, TH1520(4xC910@2.0G), 16GB RAM + 32G eMMC + 128G SD Card.
2. `yukina`: Milk-V Mars, JH7110(4xU74@1.5 GHz), 4G RAM + No eMMC + 64G SD Card.
1. Other aarch64/riscv64 SBCs:
[ryan4yin/nixos-config-sbc](https://github.com/ryan4yin/nixos-config-sbc)
## How to add a new host
hosts/idols-aquamarine/README.md
+22 -1
View File
@@ -1,3 +1,24 @@
# Idols - Aquamarine
TODO
Storage, operation and maintenance related services are running on this host:
1. Storage such as git server, file server/browser, torrent downloader,, etc.
1. Backup or sync my personal data to cloud or NAS.
- For safety, those data should be encrypted before sending to the cloud or my NAS.
1. Collect and monitor the metrics/logs of my homelab.
## Features
Services:
1. prometheus + alertmanager + grafana + loki: Monitor the metrics/logs of my homelab.
1. restic: Backup my personal data to cloud or NAS.
1. synthing: Sync file between android/macbook/PC and NAS.
1. gitea: Self-hosted git service.
1. sftpgo: SFTP server.
1. transmission & AriaNg: Torrent downloader and HTTP downloader
1. alist/filebrower: File browser for local/SMB/Cloud
All the services assumes a reverse proxy to be setup in the front, they are all listening on
localhost, and a caddy service is listening on the local network interface and proxy the requests to
the services.
hosts/12kingdoms-rakushun/caddy.nix → hosts/idols-aquamarine/caddy.nix
+9 -9
View File
@@ -17,7 +17,7 @@ in {
# Reload Caddy instead of restarting it when configuration file changes.
enableReload = true;
user = "caddy"; # User account under which caddy runs.
dataDir = "/var/lib/caddy";
dataDir = "/data/apps/caddy";
logDir = "/var/log/caddy";
# Additional lines of configuration appended to the global config section of the Caddyfile.
@@ -31,12 +31,12 @@ in {
# Dashboard
virtualHosts."home.writefor.fun".extraConfig = ''
${hostCommonConfig}
reverse_proxy http://localhost:4401
reverse_proxy http://localhost:54401
'';
# https://caddyserver.com/docs/caddyfile/directives/file_server
virtualHosts."file.writefor.fun".extraConfig = ''
root * /var/lib/caddy/fileserver/
root * /data/apps/caddy/fileserver/
${hostCommonConfig}
file_server browse {
hide .git
@@ -64,7 +64,7 @@ in {
# Monitoring
virtualHosts."uptime-kuma.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3350
reverse_proxy http://localhost:53350
'';
virtualHosts."grafana.writefor.fun".extraConfig = ''
encode zstd gzip
@@ -83,15 +83,15 @@ in {
# Create Directories
systemd.tmpfiles.rules = [
"d /var/lib/caddy/fileserver/ 0755 caddy caddy"
"d /data/apps/caddy/fileserver/ 0755 caddy caddy"
# directory for virtual machine's images
"d /var/lib/caddy/fileserver/vms 0755 caddy caddy"
"d /data/apps/caddy/fileserver/vms 0755 caddy caddy"
];
# Add all my wallpapers into /var/lib/caddy/fileserver/wallpapers
# Add all my wallpapers into /data/apps/caddy/fileserver/wallpapers
# Install the homepage-dashboard configuration files
system.activationScripts.installCaddyWallpapers = ''
mkdir -p /var/lib/caddy/fileserver/wallpapers
${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F644 ${wallpapers}/ /var/lib/caddy/fileserver/wallpapers/
mkdir -p /data/apps/caddy/fileserver/wallpapers
${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F644 ${wallpapers}/ /data/apps/caddy/fileserver/wallpapers/
'';
}
hosts/idols-aquamarine/default.nix
+20 -6
View File
@@ -1,4 +1,10 @@
{myvars, ...}:
{
mylib,
myvars,
pkgs,
disko,
...
}:
#############################################################
#
# Aquamarine - A NixOS VM running on Proxmox/KubeVirt
@@ -7,25 +13,33 @@
let
hostName = "aquamarine"; # Define your hostname.
in {
imports = [
];
imports =
(mylib.scanPaths ./.)
++ [
disko.nixosModules.default
];
# supported file systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
"btrfs"
"xfs"
#"zfs"
"ntfs"
"fat"
"vfat"
"exfat"
];
# boot.kernelModules = ["kvm-amd"];
# boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = ["kvm-amd"];
boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu
networking = {
inherit hostName;
inherit (myvars.networking) nameservers;
inherit (myvars.networking) defaultGateway nameservers;
inherit (myvars.networking.hostsInterface.${hostName}) interfaces;
networkmanager.enable = false;
};
# This value determines the NixOS release from which the default
hosts/idols-aquamarine/disko-fs.nix
+112
View File
@@ -0,0 +1,112 @@
# auto disk partitioning:
# nix run github:nix-community/disko -- --mode disko ./disko-fs.nix
let
cryptKeyFile = "/etc/agenix/hdd-luks-crypt-key";
unlockDisk = "data-encrypted";
in {
fileSystems."/data/fileshare/public".depends = ["/data/fileshare"];
# By adding this crypttab entry, the disk will be unlocked by systemd-cryptsetup@xxx.service at boot time.
# This systemd service is running after agenix, so that the keyfile is already available.
environment.etc = {
"crypttab".text = ''
${unlockDisk} /dev/disk/by-partlabel/disk-${unlockDisk}-luks ${cryptKeyFile} luks,discard,keyfile-size=32768,keyfile-offset=65536
'';
};
disko.devices = {
disk.data-encrypted = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EZRZ-22GXCB0_WD-WCC7K7VV9613";
content = {
type = "gpt";
partitions = {
luks = {
size = "100%";
content = {
type = "luks";
name = "data-encrypted";
settings = {
keyFile = cryptKeyFile;
# The maximum size of the keyfile is 8192 KiB
# type `cryptsetup --help` to see the compiled-in key and passphrase maximum sizes
# to generate a key file:
# dd bs=512 count=1024 iflag=fullblock if=/dev/random of=./hdd-luks-crypt-key
keyFileSize = 512 * 64; # match the `bs * count` of the `dd` command
keyFileOffset = 512 * 128; # match the `bs * skip` of the `dd` command
fallbackToPassword = true;
allowDiscards = true;
};
# Whether to add a boot.initrd.luks.devices entry for the specified disk.
# The keyfile do not exist before agenix decrypts its data, do we have to disable this option.
# Otherwise, the initrd will fail to unlock the disk, which causes the boot process to fail.
initrdUnlock = false;
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
# cryptsetup luksFormat
extraFormatArgs = [
"--type luks2"
"--cipher aes-xts-plain64"
"--hash sha512"
"--iter-time 5000"
"--key-size 256"
"--pbkdf argon2id"
# use true random data from /dev/random, will block until enough entropy is available
"--use-random"
];
extraOpenArgs = [
"--timeout 10"
];
content = {
type = "btrfs";
extraArgs = ["-f"]; # Force override existing partition
subvolumes = {
"@apps" = {
mountpoint = "/data/apps";
mountOptions = [
"compress-force=zstd:1"
# https://www.freedesktop.org/software/systemd/man/latest/systemd.mount.html
"nofail"
];
};
"@fileshare" = {
mountpoint = "/data/fileshare";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
};
"@backups" = {
mountpoint = "/data/backups";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
};
"@snapshots" = {
mountpoint = "/data/apps-snapshots";
mountOptions = ["compress-force=zstd:1" "noatime" "nofail"];
};
};
};
};
};
};
};
};
disk.data-public = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EJRX-89T1XY0_WD-WCC7K0XDCZE6";
content = {
type = "gpt";
partitions.data-fileshare = {
size = "100%";
content = {
type = "btrfs";
# extraArgs = ["-f"]; # Override existing partition
subvolumes = {
"@persistent" = {
mountpoint = "/data/fileshare/public";
mountOptions = ["compress-force=zstd:1" "nofail"];
};
};
};
};
};
};
};
}
hosts/12kingdoms-rakushun/exporters/default.nix → hosts/idols-aquamarine/exporters/default.nix
View File
hosts/12kingdoms-rakushun/gitea.nix → hosts/idols-aquamarine/gitea.nix
+5 -2
View File
@@ -5,7 +5,7 @@ in {
enable = true;
user = "gitea";
group = "gitea";
stateDir = "/var/lib/gitea";
stateDir = "/data/apps/gitea";
appName = "Ryan Yin's Gitea Service";
lfs.enable = true;
# Enable a timer that runs gitea dump to generate backup-files of the current gitea database and repositories.
@@ -27,7 +27,10 @@ in {
};
# one of "Trace", "Debug", "Info", "Warn", "Error", "Critical"
log.LEVEL = "Info";
session.COOKIE_SECURE = false;
# Marks session cookies as "secure" as a hint for browsers to only send them via HTTPS.
session.COOKIE_SECURE = true;
# NOTE: The first registered user will be the administrator,
# so this parameter should NOT be set before the first user registers!
service.DISABLE_REGISTRATION = true;
# "cron.sync_external_users" = {
hosts/12kingdoms-rakushun/grafana/dashboards.yml → hosts/idols-aquamarine/grafana/dashboards.yml
View File
hosts/12kingdoms-rakushun/grafana/dashboards/README.md → hosts/idols-aquamarine/grafana/dashboards/README.md
View File
hosts/12kingdoms-rakushun/grafana/dashboards/homelab/alertmanager-9578_rev4.json → hosts/idols-aquamarine/grafana/dashboards/homelab/alertmanager-9578_rev4.json
View File
hosts/12kingdoms-rakushun/grafana/dashboards/homelab/node-exporter-full-1860_rev33.json → hosts/idols-aquamarine/grafana/dashboards/homelab/node-exporter-full-1860_rev33.json
View File
hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-addons-prometheus.json → hosts/idols-aquamarine/grafana/dashboards/kubernetes/k8s-addons-prometheus.json
View File
hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-addons-trivy-operator.json → hosts/idols-aquamarine/grafana/dashboards/kubernetes/k8s-addons-trivy-operator.json
View File
hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-system-api-server.json → hosts/idols-aquamarine/grafana/dashboards/kubernetes/k8s-system-api-server.json
View File
hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-system-coredns.json → hosts/idols-aquamarine/grafana/dashboards/kubernetes/k8s-system-coredns.json
View File
hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-global.json → hosts/idols-aquamarine/grafana/dashboards/kubernetes/k8s-views-global.json
View File
hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-namespaces.json → hosts/idols-aquamarine/grafana/dashboards/kubernetes/k8s-views-namespaces.json
View File
hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-nodes.json → hosts/idols-aquamarine/grafana/dashboards/kubernetes/k8s-views-nodes.json
View File
hosts/12kingdoms-rakushun/grafana/dashboards/kubernetes/k8s-views-pods.json → hosts/idols-aquamarine/grafana/dashboards/kubernetes/k8s-views-pods.json
View File
hosts/12kingdoms-rakushun/grafana/datasources.yml → hosts/idols-aquamarine/grafana/datasources.yml
View File
hosts/12kingdoms-rakushun/grafana/default.nix → hosts/idols-aquamarine/grafana/default.nix
+1 -1
View File
@@ -5,7 +5,7 @@
}: {
services.grafana = {
enable = true;
dataDir = "/var/lib/grafana";
dataDir = "/data/apps/grafana";
# DeclarativePlugins = with pkgs.grafanaPlugins; [ grafana-piechart-panel ];
settings = {
server = {
hosts/12kingdoms-rakushun/oci-containers/default.nix → hosts/idols-aquamarine/oci-containers/default.nix
View File
hosts/12kingdoms-rakushun/homepage/config/bookmarks.yaml → hosts/idols-aquamarine/oci-containers/homepage/config/bookmarks.yaml
View File
hosts/idols-aquamarine/oci-containers/homepage/config/custom.css
View File
hosts/idols-aquamarine/oci-containers/homepage/config/custom.js
View File
hosts/12kingdoms-rakushun/homepage/config/docker.yaml → hosts/idols-aquamarine/oci-containers/homepage/config/docker.yaml
View File
hosts/12kingdoms-rakushun/homepage/config/kubernetes.yaml → hosts/idols-aquamarine/oci-containers/homepage/config/kubernetes.yaml
View File
hosts/12kingdoms-rakushun/homepage/config/services.yaml → hosts/idols-aquamarine/oci-containers/homepage/config/services.yaml
+30 -24
View File
@@ -1,56 +1,62 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/services
#
# Icons:
# 1. .png/.svg: will be referenced from https://github.com/walkxcode/dashboard-icons
# 2. mdi-XXX: https://pictogrammers.com/library/mdi/
# 3. si-XXX: https://simpleicons.org/
- KubeVirt 虚拟化集群:
- KubeVirt-Shoryu:
icon: si-kubevirt
icon: mdi-server
description: "CPU: R7-5825U / MEM: 64G / DISK: 1T"
href: http://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.181:9100
siteMonitor: http://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.181:9100
href: https://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.181:9100
siteMonitor: https://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.181:9100
- KubeVirt-Shushou:
icon: si-kubevirt
icon: mdi-server
description: "CPU: R9-5900HX / MEM: 64G / DISK: 1T"
href: http://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.182:9100
siteMonitor: http://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.182:9100
href: https://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.182:9100
siteMonitor: https://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.182:9100
- KubeVirt-Youko:
icon: si-kubevirt
icon: mdi-server
description: "CPU: R5-5625U / MEM: 32G / DISK: 512G+4T*2"
href: http://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.183:9100
siteMonitor: http://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.183:9100
href: https://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.183:9100
siteMonitor: https://grafana.writefor.fun/d/rYdddlPWk/node-exporter-full?orgId=1&var-node=192.168.5.183:9100
- LongHorn-Storage:
icon: si-longhorn
icon: longhorn.svg
href: http://longhorn.writefor.fun/
- Victoria-Metrics:
icon: si-victoriametrics
href: http://vm.writefor.fun/
- KubeVirt-Grafana:
icon: si-grafana
icon: grafana.svg
href: http://k8s-grafana.writefor.fun/
- Homelab Monitoring:
- Grafana:
icon: si-grafana
href: http://grafana.writefor.fun
icon: grafana.svg
href: https://grafana.writefor.fun
description: Data visualised on dashboards
siteMonitor: http://grafana.writefor.fun
siteMonitor: https://grafana.writefor.fun
- Prometheus Dashboard:
icon: si-prometheus
href: http://prometheus.writefor.fun
icon: prometheus.svg
href: https://prometheus.writefor.fun
description: Monitoring - Prometheus
siteMonitor: http://prometheus.writefor.fun
siteMonitor: https://prometheus.writefor.fun
- Uptime Kuma:
icon: si-uptimekuma
href: http://uptime-kuma.writefor.fun
icon: uptime-kuma.svg
href: https://uptime-kuma.writefor.fun
description: Uptime Checking
siteMonitor: http://uptime-kuma.writefor.fun
siteMonitor: https://uptime-kuma.writefor.fun
- Homelab Applications:
- SFTPGO:
icon: sftpgo.png
href: "http://sftpgo.writefor.fun/web/admin/folders"
description: WebDAV & SFTP server
siteMonitor: http://sftpgo.writefor.fun/
icon: sftpgo.png
href: "https://sftpgo.writefor.fun/web/admin/folders"
description: WebDAV & SFTP server
siteMonitor: https://sftpgo.writefor.fun/
#
# - Kubernetes Monitoring:
# # TODO: Update this
# - Emby:
hosts/12kingdoms-rakushun/homepage/config/settings.yaml → hosts/idols-aquamarine/oci-containers/homepage/config/settings.yaml
+17 -28
View File
@@ -21,10 +21,10 @@ providers:
background:
image: https://file.writefor.fun/wallpapers/rolling-girls.png
blur: sm # sm, "", md, xl... see https://tailwindcss.com/docs/backdrop-blur
saturate: 90 # 0, 50, 100... see https://tailwindcss.com/docs/backdrop-saturate
blur: sm # 模糊 - sm, "", md, xl... see https://tailwindcss.com/docs/backdrop-blur
saturate: 90 # 色彩饱和度 - 0, 50, 100... see https://tailwindcss.com/docs/backdrop-saturate
brightness: 90 # 0, 50, 75... see https://tailwindcss.com/docs/backdrop-brightness
opacity: 85 # 0-100
opacity: 25 # 透明度 - 0-100
theme: dark # or light
@@ -32,7 +32,7 @@ theme: dark # or light
# slate, gray, zinc, neutral, stone, amber,
# yellow, lime, green, emerald, teal, cyan,
# sky, blue, indigo, violet, purple, fuchsia, pink, rose, red, white
color: indigo
color: slate
# make all cards in a row the same height.
useEqualHeights: true
@@ -40,31 +40,20 @@ useEqualHeights: true
# Groups and its layout
# Groups Name should match the name defined in your services.yaml or widgets.yaml
layout:
Homelab Monitoring:
icon: mdi-monitor-dashboard
initiallyCollapsed: false # collapsed by default
tab: Main
style: row
columns: 3
Homelab Applications:
icon: si-homepage
tab: Main
KubeVirt 虚拟化集群:
icon: si-kubevirt
tab: First
Group A:
initiallyCollapsed: true # collapsed by default
tab: First
style: row
columns: 4
Second Service Group:
useEqualHeights: true # overrides global setting
tab: Second
columns: 4
Third Service Group:
tab: Third
style: row
Bookmark Group on Fourth Tab:
tab: Fourth
Service Group on every Tab:
style: row
columns: 4
icon: si-kubernetes
tab: KubeVirt
# https://gethomepage.dev/latest/configs/services/#icons
# iconStyle: theme # optional, defaults to gradient
hosts/12kingdoms-rakushun/homepage/config/widgets.yaml → hosts/idols-aquamarine/oci-containers/homepage/config/widgets.yaml
View File
hosts/idols-aquamarine/oci-containers/homepage/default.nix
+41
View File
@@ -0,0 +1,41 @@
{
config,
pkgs,
...
}: let
user = "homepage";
configDir = "/data/apps/homepage-dashboard";
in {
users.groups.${user} = {};
users.users.${user} = {
group = user;
home = configDir;
isSystemUser = true;
};
# Install the homepage-dashboard configuration files
system.activationScripts.installHomepageDashboardConfig = ''
mkdir -p ${configDir}
${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F644 ${./config}/ ${configDir}/
chown -R ${user}:${user} ${configDir}
'';
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/virtualisation/oci-containers.nix
virtualisation.oci-containers.containers = {
# check its logs via `journalctl -u podman-homepage`
homepage = {
hostname = "homepage";
image = "ghcr.io/gethomepage/homepage:latest";
ports = ["127.0.0.1:54401:3000"];
# https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
environment = {
# "PUID" = config.users.users.${user}.uid;
# "PGID" = config.users.groups.${user}.gid;
};
volumes = [
"${configDir}:/app/config"
];
autoStart = true;
};
};
}
hosts/idols-aquamarine/oci-containers/uptime-kuma/default.nix
+35
View File
@@ -0,0 +1,35 @@
{config, ...}: let
user = "kuma";
dataDir = "/data/apps/uptime-kuma";
in {
users.groups.${user} = {};
users.users.${user} = {
group = user;
home = dataDir;
isSystemUser = true;
};
# Create Directories
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${user} ${user}"
];
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/virtualisation/oci-containers.nix
virtualisation.oci-containers.containers = {
# check its logs via `journalctl -u podman-homepage`
uptime-kuma = {
hostname = "uptime-kuma";
image = "louislam/uptime-kuma:1";
ports = ["127.0.0.1:53350:3001"];
# https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
environment = {
# "PUID" = config.users.users.${user}.uid;
# "PGID" = config.users.groups.${user}.gid;
};
volumes = [
"${dataDir}:/app/data"
];
autoStart = true;
};
};
}
hosts/12kingdoms-rakushun/prometheus/README.md → hosts/idols-aquamarine/prometheus/README.md
View File
hosts/12kingdoms-rakushun/prometheus/alert_rules/coredns_embedded-exporter.yml → hosts/idols-aquamarine/prometheus/alert_rules/coredns_embedded-exporter.yml
View File
hosts/12kingdoms-rakushun/prometheus/alert_rules/etcd_embedded-exporter.yml → hosts/idols-aquamarine/prometheus/alert_rules/etcd_embedded-exporter.yml
View File
hosts/12kingdoms-rakushun/prometheus/alert_rules/istio_embedded-exporter.yml → hosts/idols-aquamarine/prometheus/alert_rules/istio_embedded-exporter.yml
View File
hosts/12kingdoms-rakushun/prometheus/alert_rules/kubestate-exporter.yml → hosts/idols-aquamarine/prometheus/alert_rules/kubestate-exporter.yml
View File
hosts/12kingdoms-rakushun/prometheus/alert_rules/node-exporter.yml → hosts/idols-aquamarine/prometheus/alert_rules/node-exporter.yml
View File
hosts/12kingdoms-rakushun/prometheus/default.nix → hosts/idols-aquamarine/prometheus/default.nix
+69 -57
View File
@@ -1,4 +1,5 @@
{
lib,
config,
myvars,
...
@@ -45,64 +46,75 @@
# specifies a set of targets and parameters describing how to scrape metrics from them.
# https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
scrapeConfigs = [
scrapeConfigs =
[
# --- Homelab Applications --- #
{
job_name = "dnsmasq-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.suzi.ipv4}:9153"];
labels.type = "app";
labels.app = "dnsmasq";
labels.host = "suzi";
}
];
}
{
job_name = "v2ray-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:9153"];
labels.type = "app";
labels.app = "v2ray";
labels.host = "aquamarine";
}
];
}
{
job_name = "sftpgo-embedded-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.aquamarine.ipv4}:10000"];
labels.type = "app";
labels.app = "sftpgo";
labels.host = "aquamarine";
}
];
}
]
# --- Hosts --- #
{
job_name = "node-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
# All my NixOS hosts.
targets =
map (addr: "${addr.ipv4}:9100")
(builtins.attrValues myvars.networking.hostsAddr);
labels.type = "node";
}
];
}
# --- Homelab Applications --- #
{
job_name = "dnsmasq-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.suzi.ipv4}:9153"];
labels.type = "app";
labels.app = "dnsmasq";
}
];
}
{
job_name = "v2ray-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.rakushun.ipv4}:9153"];
labels.type = "app";
labels.app = "v2ray";
}
];
}
{
job_name = "sftpgo-embedded-exporter";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
targets = ["${myvars.networking.hostsAddr.rakushun.ipv4}:10000"];
labels.type = "app";
labels.app = "v2ray";
}
];
}
];
++ (
lib.attrsets.foldlAttrs
(acc: hostname: addr:
acc
++ [
{
job_name = "node-exporter-${hostname}";
scrape_interval = "30s";
metrics_path = "/metrics";
static_configs = [
{
# All my NixOS hosts.
targets = ["${addr.ipv4}:9100"];
labels.type = "node";
labels.host = hostname;
}
];
}
])
[]
myvars.networking.hostsAddr
);
# specifies Alertmanager instances the Prometheus server sends alerts to
# https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config
hosts/12kingdoms-rakushun/proxy.nix → hosts/idols-aquamarine/proxy.nix
View File
hosts/12kingdoms-rakushun/restic.nix → hosts/idols-aquamarine/restic.nix
View File
hosts/12kingdoms-rakushun/sftpgo.nix → hosts/idols-aquamarine/sftpgo.nix
+10 -3
View File
@@ -1,11 +1,18 @@
{config, ...}: {
{config, ...}: let
user = "sftpgo";
dataDir = "/data/apps/sftpgo";
in {
# Read SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD from a file
systemd.services.sftpgo.serviceConfig.EnvironmentFile = config.age.secrets."sftpgo.env".path;
# Create Directories
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${user} ${user}"
];
services.sftpgo = {
enable = true;
user = "sftpgo";
dataDir = "/var/lib/sftpgo";
inherit user dataDir;
extraArgs = [
"--log-level"
"info"
hosts/12kingdoms-rakushun/transmission.nix → hosts/idols-aquamarine/transmission.nix
+1 -1
View File
@@ -3,7 +3,7 @@
myvars,
...
}: let
dataDir = "/var/lib/transmission";
dataDir = "/data/fileshare/public/transmission";
name = "transmission";
in {
# the headless Transmission BitTorrent daemon
hosts/k8s/README.md
+1 -5
View File
@@ -28,11 +28,7 @@ Clusters running as virtual machines on the KubeVirt cluster, for testing and pr
1. `k3s-prod-1-worker-1`
1. `k3s-prod-1-worker-2`
1. `k3s-prod-1-worker-3`
1. For testing:.
1. `k3s-test-1-master-1`
2. `k3s-test-1-worker-1`
3. `k3s-test-1-worker-2`
4. `k3s-test-1-worker-3`
1. For testing:. 2. `k3s-test-1-master-1` 3. `k3s-test-1-master-2` 4. `k3s-test-1-master-3`
## Kubernetes Resources
hosts/k8s/k3s-test-1-master-1/default.nix
+1 -1
View File
@@ -14,7 +14,7 @@
k3sModule = mylib.genK3sServerModule {
inherit pkgs;
kubeconfigFile = "/home/${myvars.username}/.kube/config";
tokenFile = config.age.secrets."k3s-prod-1-token".path;
tokenFile = config.age.secrets."k3s-test-1-token".path;
# the first node in the cluster should be the one to initialize the cluster
clusterInit = true;
# use my own domain & kube-vip's virtual IP for the API server
hosts/k8s/k3s-test-1-master-2/default.nix
+1 -1
View File
@@ -14,7 +14,7 @@
k3sModule = mylib.genK3sServerModule {
inherit pkgs;
kubeconfigFile = "/home/${myvars.username}/.kube/config";
tokenFile = config.age.secrets."k3s-prod-1-token".path;
tokenFile = config.age.secrets."k3s-test-1-token".path;
# use my own domain & kube-vip's virtual IP for the API server
# so that the API server can always be accessed even if some nodes are down
masterHost = "test-cluster-1.writefor.fun";
hosts/k8s/k3s-test-1-master-3/default.nix
+1 -1
View File
@@ -14,7 +14,7 @@
k3sModule = mylib.genK3sServerModule {
inherit pkgs;
kubeconfigFile = "/home/${myvars.username}/.kube/config";
tokenFile = config.age.secrets."k3s-prod-1-token".path;
tokenFile = config.age.secrets."k3s-test-1-token".path;
# use my own domain & kube-vip's virtual IP for the API server
# so that the API server can always be accessed even if some nodes are down
masterHost = "test-cluster-1.writefor.fun";
hosts/k8s/kubevirt-shoryu/default.nix
+13
View File
@@ -49,4 +49,17 @@ in {
coreModule
k3sModule
];
boot.kernelParams = [
# disable transparent hugepage(allocate hugepages dynamically)
"transparent_hugepage=never"
# https://kubevirt.io/user-guide/compute/hugepages/
#
# pre-allocate hugepages manually(for kubevirt guest vms)
# NOTE: the hugepages allocated here can not be used for other purposes!
# so we should left some memory for the host OS and other vms that don't use hugepages
"hugepagesz=1G"
"hugepages=48" # use 75% of the total memory for hugepages
];
}
hosts/k8s/kubevirt-shushou/default.nix
+13
View File
@@ -43,4 +43,17 @@ in {
coreModule
k3sModule
];
boot.kernelParams = [
# disable transparent hugepage(allocate hugepages dynamically)
"transparent_hugepage=never"
# https://kubevirt.io/user-guide/compute/hugepages/
#
# pre-allocate hugepages manually(for kubevirt guest vms)
# NOTE: the hugepages allocated here can not be used for other purposes!
# so we should left some memory for the host OS and other vms that don't use hugepages
"hugepagesz=1G"
"hugepages=48" # use 75% of the total memory for hugepages
];
}
hosts/k8s/kubevirt-youko/default.nix
+20
View File
@@ -43,4 +43,24 @@ in {
coreModule
k3sModule
];
boot.kernelParams = [
# disable transparent hugepage(allocate hugepages dynamically)
"transparent_hugepage=never"
# https://kubevirt.io/user-guide/compute/hugepages/
#
# pre-allocate hugepages manually(for kubevirt guest vms)
# NOTE: the hugepages allocated here can not be used for other purposes!
# so we should left some memory for the host OS and other vms that don't use hugepages
"hugepagesz=1G"
"hugepages=15" # use 15/24 of the total memory for hugepages
# https://kubevirt.io/user-guide/compute/host-devices/
#
# PCI passthrough
# "amd_iommu=on" # enable IOMMU
# "iommu=pt" # use passthrough mode
# "pcie_acs_override=downstream" # enable ACS override
];
}
hosts/rolling-girls-nozomi/default.nix
-78
View File
@@ -1,78 +0,0 @@
{
nixos-licheepi4a,
myvars,
...
}:
#############################################################
#
# Nozomi - NixOS configuration for Lichee Pi 4A
#
#############################################################
let
hostName = "nozomi"; # Define your hostname.
in {
imports = [
# import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware
(nixos-licheepi4a + "/modules/licheepi4a.nix")
# import the sd-image module, which contains the fileSystems & kernel parameters for booting from sd card.
(nixos-licheepi4a + "/modules/sd-image/sd-image-lp4a.nix")
];
# Set static IP address / gateway / DNS servers.
networking = {
inherit hostName;
inherit (myvars.networking) defaultGateway nameservers;
inherit (myvars.networking.hostsInterface.${hostName}) interfaces;
wireless = {
# https://wiki.archlinux.org/title/wpa_supplicant
enable = true;
# The path to the file containing the WPA passphrase.
# secrets are not supported well on riscv64, I nned to create this file manually.
# Format: "PSK_WEMEET_PRIVATE_WIFI=your_password"
environmentFile = "/etc/wpa_supplicant.env";
# The network definitions to automatically connect to when wpa_supplicant is running.
networks = {
# read WPAPSK from environmentFile
"shadow_light_ryan".psk = "@PSK_WEMEET_PRIVATE_WIFI@";
};
};
# Failed to enable firewall due to the following error:
# firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported
firewall.enable = false;
# Configure network proxy if necessary
# proxy.default = "http://user:password@proxy:port/";
# proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# LPI4A's first ethernet interface
# interfaces.end0 = {
# useDHCP = false;
# ipv4.addresses = [
# {
# address = "192.168.5.104";
# prefixLength = 24;
# }
# ];
# };
# LPI4A's second ethernet interface
# interfaces.end1 = {
# useDHCP = false;
# ipv4.addresses = [
# {
# address = "192.168.xx.xx";
# prefixLength = 24;
# }
# ];
# };
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}
hosts/rolling-girls-yukina/default.nix
-78
View File
@@ -1,78 +0,0 @@
{
nixos-licheepi4a,
myvars,
...
}:
#############################################################
#
# Yukina - NixOS configuration for Lichee Pi 4A
#
#############################################################
let
hostName = "yukina"; # Define your hostname.
in {
imports = [
# import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware
(nixos-licheepi4a + "/modules/licheepi4a.nix")
# import the sd-image module, which contains the fileSystems & kernel parameters for booting from sd card.
(nixos-licheepi4a + "/modules/sd-image/sd-image-lp4a.nix")
];
# Set static IP address / gateway / DNS servers.
networking = {
inherit hostName;
inherit (myvars.networking) defaultGateway nameservers;
inherit (myvars.networking.hostsInterface.${hostName}) interfaces;
wireless = {
# https://wiki.archlinux.org/title/wpa_supplicant
enable = true;
# The path to the file containing the WPA passphrase.
# secrets are not supported well on riscv64, I nned to create this file manually.
# Format: "PSK_WEMEET_PRIVATE_WIFI=your_password"
environmentFile = "/etc/wpa_supplicant.env";
# The network definitions to automatically connect to when wpa_supplicant is running.
networks = {
# read WPAPSK from environmentFile
"shadow_light_ryan".psk = "@PSK_WEMEET_PRIVATE_WIFI@";
};
};
# Failed to enable firewall due to the following error:
# firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported
firewall.enable = false;
# Configure network proxy if necessary
# proxy.default = "http://user:password@proxy:port/";
# proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# LPI4A's first ethernet interface
# interfaces.end0 = {
# useDHCP = false;
# ipv4.addresses = [
# {
# address = "192.168.5.104";
# prefixLength = 24;
# }
# ];
# };
# LPI4A's second ethernet interface
# interfaces.end1 = {
# useDHCP = false;
# ipv4.addresses = [
# {
# address = "192.168.xx.xx";
# prefixLength = 24;
# }
# ];
# };
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}
lib/genKubeVirtGuestModule.nix
+2 -2
View File
@@ -4,7 +4,7 @@
networking,
...
}: let
inherit (networking) mainGateway nameservers;
inherit (networking) defaultGateway nameservers;
inherit (networking.hostsAddr.${hostName}) iface ipv4;
ipv4WithMask = "${ipv4}/24";
in {
@@ -27,7 +27,7 @@ in {
matchConfig.Name = [iface];
networkConfig = {
Address = [ipv4WithMask];
Gateway = mainGateway;
Gateway = defaultGateway;
DNS = nameservers;
IPv6AcceptRA = true;
};
modules/base.nix
+13 -5
View File
@@ -2,6 +2,8 @@
pkgs,
myvars,
nuenv,
nixpkgs,
lib,
...
} @ args: {
nixpkgs.overlays =
@@ -72,11 +74,7 @@
# ```
# 2. Never leave the device and never sent over the network.
# 2. Or just use hardware security keys like Yubikey/CanoKey.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
];
openssh.authorizedKeys.keys = myvars.sshAuthorizedKeys;
};
nix.settings = {
@@ -111,4 +109,14 @@
];
builders-use-substitutes = true;
};
# make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
nix.registry.nixpkgs.flake = nixpkgs;
environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
# make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
# discard all the default paths, and only use the one from this flake.
nix.nixPath = lib.mkForce ["/etc/nix/inputs"];
# https://github.com/NixOS/nix/issues/9574
nix.settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs";
}
modules/darwin/nix-core.nix
-12
View File
@@ -1,8 +1,4 @@
{
lib,
nixpkgs,
...
}: {
###################################################################################
#
# Core configuration for nix-darwin
@@ -28,12 +24,4 @@
nix.settings.auto-optimise-store = false;
nix.gc.automatic = false;
# make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
nix.registry.nixpkgs.flake = nixpkgs;
environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
# make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
# discard all the default paths, and only use the one from this flake.
nix.nixPath = lib.mkForce ["/etc/nix/inputs"];
}

Some files were not shown because too many files have changed in this diff Show More