xin/diffu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'calcite'

Browse source
This commit is contained in:
xinyangli 2023-11-24 20:50:19 +08:00
commit 8b2120f9ec
11 changed files with 246 additions and 175 deletions
Download patch file Download diff file Expand all files Collapse all files

27
machines/calcite/configuration.nix
View file

@ -7,7 +7,6 @@
./hardware-configuration.nix
./network.nix
../sops.nix
../clash.nix
];
# Bootloader.
@ -17,6 +16,7 @@
# boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ];
boot.supportedFilesystems = [ "ntfs" ];
boot.binfmt.emulatedSystems = ["aarch64-linux"];
networking.hostName = "calcite";
@ -104,9 +104,9 @@
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1u"
"openssl-1.1.1w"
# For wechat-uos
"electron-19.0.7"
"electron-19.1.9"
];
# List packages installed in system profile. To search, run:
# $ nix search wget
@ -173,8 +173,6 @@
gnome.gnome-tweaks
gthumb
steam
# Multimedia
vlc
obs-studio
@ -188,11 +186,12 @@
config.nur.repos.xddxdd.wechat-uos
# Password manager
keepassxc
bitwarden
# Browser
firefox
chromium
brave
microsoft-edge
# Writting
@ -208,24 +207,23 @@
ghidra
];
programs.steam = {
enable = true;
};
system.stateVersion = "22.05";
# Use mirror for binary cache
nix.settings.substituters = [
"https://mirrors.bfsu.edu.cn/nix-channels/store"
"https://mirrors.ustc.edu.cn/nix-channels/store"
"https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
];
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
nix.settings.trusted-users = [ "xin" "root" ];
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
auto-optimise-store = true;
trusted-users = [ "xin" "root" ];
};
nix.extraOptions = ''
!include "${config.sops.secrets.github_public_token.path}"
'';
@ -240,7 +238,7 @@
# Fonts
fonts = {
fonts = with pkgs; [
packages = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" ]; })
noto-fonts
noto-fonts-emoji
@ -274,7 +272,6 @@
};
docker = {
enable = true;
enableNvidia = true;
autoPrune.enable = true;
};
};

4
machines/calcite/hardware-configuration.nix
View file

@ -46,4 +46,8 @@
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.opengl = {
enable = true;
driSupport32Bit = false;
};
}

33
machines/calcite/network.nix
View file

@ -1,32 +1,20 @@
{ pkgs, ...}:
{
imports = [
../sing-box.nix
];
# Enable networking
networking = {
networkmanager = {
enable = true;
dns = "systemd-resolved";
# dns = "none";
};
};
services.resolved = {
enable = true;
extraConfig = ''
[Resolve]
Domains=~.
DNS=114.114.114.114 1.1.1.1
DNSOverTLS=opportunistic
'';
};
# Configure network proxy if necessary
networking.proxy = {
allProxy = "socks5://127.0.0.1:7891/";
httpProxy = "http://127.0.0.1:7890/";
httpsProxy = "http://127.0.0.1:7890/";
noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net";
};
# Enable Tailscale
@ -34,15 +22,15 @@
# services.tailscale.useRoutingFeatures = "both";
# Open ports in the firewall.
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ ];
networking.firewall.allowedUDPPorts = [ 41641 ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
networking.firewall.trustedInterfaces = [
"tun0"
"tailscale0"
];
programs.steam.remotePlay.openFirewall = true;
# Use nftables to manager firewall
networking.nftables.enable = true;
# Add gsconnect, open firewall
programs.kdeconnect = {
@ -54,9 +42,4 @@
enable = true;
package = pkgs.wireshark-qt;
};
# services.gnome.gnome-remote-desktop.enable = true;
# services.xrdp.enable = true;
# services.xrdp.openFirewall = true;
# services.xrdp.defaultWindowManager = icewm;
}

34
machines/clash.nix
View file

@ -1,34 +0,0 @@
{ config, lib, pkgs, ... }:
{
sops = {
secrets.clash_subscription_link = {
owner = "xin";
};
};
systemd.timers."clash-config-update" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnUnitActiveSec = "1d";
Unit = "clash-config-update.service";
};
};
systemd.services."clash-config-update" = {
script = ''
${pkgs.curl}/bin/curl $(${pkgs.coreutils}/bin/cat ${config.sops.secrets.clash_subscription_link.path}) > /tmp/config.yaml && mv /tmp/config.yaml /home/xin/.config/clash/
'';
serviceConfig = {
Type = "oneshot";
User= "xin";
};
};
systemd.services.clash = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.clash}/bin/clash -d /home/xin/.config/clash";
};
}

28
machines/dnscrypt.nix
View file

@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = false;
require_dnssec = true;
sources = {
public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
};
server_names = [ "cloudflare" "tuna-doh-ipv4" ];
};
};
networking.networkmanager.dns = "none";
# dns
systemd.services.dnscrypt-proxy2.serviceConfig = {
StateDirectory = "dnscrypt-proxy";
};
}

8
machines/secrets.yaml
View file

@ -2,6 +2,8 @@ clash_subscription_link: ENC[AES256_GCM,data:Vwy0c8gOeR1XG/QNp8TGuBe/5kezD7SSStN
autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str]
autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str]
github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str]
singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str]
singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str]
sops:
kms: []
gcp_kms: []
@ -35,8 +37,8 @@ sops:
dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou
DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-22T02:00:48Z"
mac: ENC[AES256_GCM,data:DXQaCRuD4trEjIFvVAGF3/F/AiUcIOKGmqKKF/S7tJ51ZGXIh64g7vXZhZC22UxGs2pYU/gQOfA58cSxrHav0hmA0KbidLGA2ySRzVCSP3IH2jLx9KXdYv6SIS5I3MRMUqf7ZH+5rtdjTrrYBDWZrDzB9T7naMn1BujMqi+SwsU=,iv:QrFcEz7sxC0kbRtFr45cUaT4VosFq5ICtF3HOZ3If9I=,tag:Ste0v4xcONasn182R2ZyFw==,type:str]
lastmodified: "2023-11-11T19:16:18Z"
mac: ENC[AES256_GCM,data:iyqD4XJHw072IYKyRnWKJRVLex/GfnYn5QY4/YPkGK9cHjVML/97k1IWM76zXOpoJ9wSENvTqQirjMZz0TS92Ak2Ps/3fsyPj2f9BEFmF+q8r+VWEj9ZGEzHb52uMKyj3vYs5Mg9O5eeDmdAifdvC3RmRkoQ7WFoLDVCwcVFKoU=,iv:AuqLIPVMhX537MPaqnrYgOuHPH+P8Ili8tkg4p1jC1I=,tag:t2gQZzO1dIXnM3UqOnn/FA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
version: 3.8.0

157
machines/sing-box.nix Normal file
View file

@ -0,0 +1,157 @@
{ config, lib, pkgs, ... }:
let
server = {
_secret = config.sops.secrets.singbox_domain.path;
};
password = {
_secret = config.sops.secrets.singbox_password.path;
};
uuid = {
_secret = config.sops.secrets.singbox_password.path;
};
in
{
services.sing-box = {
enable = true;
settings = {
log = { level = "warning"; };
experimental = {
clash_api = {
external_controller = "127.0.0.1:9090";
store_selected = true;
external_ui = "${config.nur.repos.linyinfeng.yacd}";
};
};
dns = {
rules = [
{
disable_cache = true;
geosite = "category-ads-all";
server = "_dns_block";
}
{
geosite = "cn";
server = "_dns_doh_mainland";
}
{
domain_suffix = server;
server = "_dns_doh_mainland";
}
];
servers = [
{
address = "https://cloudflare-dns.com/dns-query";
address_strategy = "prefer_ipv4";
address_resolver = "_dns_doh_mainland";
detour = "_proxy_select";
tag = "_dns_global";
}
{
address = "119.29.29.29";
detour = "direct";
tag = "_dns_udp_mainland";
}
{
address = "https://doh.pub/dns-query";
address_resolver = "_dns_udp_mainland";
detour = "direct";
tag = "_dns_doh_mainland";
}
{
address = "rcode://success";
tag = "_dns_block";
}
];
strategy = "prefer_ipv4";
final = "_dns_global";
disable_cache = false;
};
inbounds = [
{
type = "mixed";
tag = "mixed-in";
listen = "127.0.0.1";
listen_port = 7891;
}
{
type = "tun";
tag = "tun-in";
auto_route = true;
strict_route = false;
inet4_address = "172.19.0.1/30";
sniff = true;
}
];
route = {
auto_detect_interface = true;
final = "_proxy_select";
rules = [
{ outbound = "dns-out"; protocol = "dns"; }
{
geoip = "cn";
geosite = "cn";
outbound = "direct";
}
{ geoip = "private"; outbound = "direct"; }
{
geosite = "cn";
geoip = "cn";
invert = true;
outbound = "_proxy_select";
}
];
};
outbounds = [
{ default = "auto"; outbounds = [ "auto" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }
{ interval = "1m0s"; outbounds = [ "SS-01" "SS-02" "SS-03" "SS-04" "SS-01" "SS-02" "SS-03" "SS-01" "SS-02" "SS-03" "SS-01" "SS-02" "SS-03" "SS-04" "1" "2" "3" "4" "5" "6" "7" "8" "1" "2" "3" "4" "1" "2" "3" "4" "5" "6" "7" "8" "1" "2" "1" "2" "3" "4" "5" "6" "1" "2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; }
{ tag = "direct"; type = "direct"; }
{ tag = "block"; type = "block"; }
{ tag = "dns-out"; type = "dns"; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12001; tag = "SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12002; tag = "SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12003; tag = "SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12004; tag = "SS-04"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12011; tag = "SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12012; tag = "SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12013; tag = "SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12021; tag = "SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12022; tag = "SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12023; tag = "SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12031; tag = "SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12032; tag = "SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12033; tag = "SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12034; tag = "SS-04"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server uuid; security = "auto"; server_port = 1201; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1202; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1203; tag = "3"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1204; tag = "4"; transport = { path = "/"; type = "ws"; }; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1205; tag = "5"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1206; tag = "6"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1207; tag = "7"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1208; tag = "8"; transport = { path = "/"; type = "ws"; }; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1211; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1212; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1213; tag = "3"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1214; tag = "4"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1231; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1232; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1233; tag = "3"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1234; tag = "4"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1235; tag = "5"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1236; tag = "6"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1237; tag = "7"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1238; tag = "8"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1241; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1242; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1261; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1262; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1263; tag = "3"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1264; tag = "4"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1265; tag = "5"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1266; tag = "6"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1251; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1252; tag = "2"; type = "vmess"; }
];
};
};
}

14
machines/sops.nix
View file

@ -2,8 +2,18 @@
{
sops = {
defaultSopsFile = ./secrets.yaml;
# TODO: How to generate this key when bootstrap?
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# age.keyFile = "/var/lib/sops-nix/keys.txt";
# age.generateKey = true;
secrets = {
clash_subscription_link = {
owner = "xin";
};
singbox_password = {
owner = "xin";
};
singbox_domain = {
owner = "xin";
};
};
};
}