From e850800e9e0c05a44fb704e62a9dc76ac8ded22a Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Wed, 29 Mar 2023 21:12:30 +0800
Subject: [PATCH 001/136] git-crypt: initiate

---
 .gitattributes | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .gitattributes

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..0dab521
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+machines/laptop/secret.nix filter=git-crypt diff=git-crypt
+machines/clash.nix filter=git-crypt diff=git-crypt
\ No newline at end of file

From 5705b8145d4e2dbaa96d0069b66cdbd469e0b7e2 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Wed, 29 Mar 2023 21:12:59 +0800
Subject: [PATCH 002/136] add .gitignore

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e2f5dd2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+result
\ No newline at end of file

From 4f066986f02c3874d8fab20d57ab976c8d591f19 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Wed, 29 Mar 2023 21:14:37 +0800
Subject: [PATCH 003/136] laptop: initial commit

---
 LICENSE | 24 ++
 flake.lock | 43 +++
 flake.nix | 19 ++
 machines/clash.nix | Bin 0 -> 1276 bytes
 machines/dnscrypt.nix | 28 ++
 machines/laptop/configuration.nix | 356 +++++++++++++++++++++
 machines/laptop/hardware-configuration.nix | 42 +++
 machines/laptop/secret.nix | Bin 0 -> 494 bytes
 machines/vscode.nix | 36 +++
 9 files changed, 548 insertions(+)
 create mode 100644 LICENSE
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 machines/clash.nix
 create mode 100644 machines/dnscrypt.nix
 create mode 100644 machines/laptop/configuration.nix
 create mode 100644 machines/laptop/hardware-configuration.nix
 create mode 100644 machines/laptop/secret.nix
 create mode 100644 machines/vscode.nix

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..fdddb29
--- /dev/null
+++ b/LICENSE
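Review bot: The git-crypt filter is attached to two literal paths only, so any other file added later under machines/ (another host's secret.nix, for instance) is committed in plaintext unless this file is edited first. A glob such as `**/secret.nix filter=git-crypt diff=git-crypt` keeps the rule from silently lapsing as hosts are added. git-crypt only encrypts at commit time, so the attribute also has to be in place before a covered file is first committed; a file that once reached history unencrypted stays recoverable from history after the filter is added.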
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..3b6fe86
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,43 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1679944645,
+ "narHash": "sha256-e5Qyoe11UZjVfgRfwNoSU57ZeKuEmjYb77B9IVW7L/M=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "4bb072f0a8b267613c127684e099a70e1f6ff106",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nur": {
+ "locked": {
+ "lastModified": 1680080610,
+ "narHash": "sha256-e5GOM6FHXXPu4byNAiLQDKu/REVM2MtDH5QJ/C/JQbI=",
+ "owner": "nix-community",
+ "repo": "NUR",
+ "rev": "a9ac1b12b58122c9c1ba4cbdfd444f5ba080fe36",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "NUR",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "nur": "nur"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..492e415
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,19 @@
+{
+ inputs = {
+ # Pin nixpkgs to a specific commit
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ # nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+
+ nur.url = "github:nix-community/NUR";
+ };
+
+ outputs = { self, nixpkgs, nur }: {
+ nixosConfigurations.xin-laptop = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ nur.nixosModules.nur
+ machines/laptop/configuration.nix
+ ];
+ };
+ };
+}
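Review bot: The comment `# Pin nixpkgs to a specific commit` above `nixpkgs.url` in flake.nix is misleading: the URL names the moving `nixos-unstable` branch, and the actual pin is the `rev` recorded in flake.lock, which any `nix flake update` moves. Either reword it — `# Track nixos-unstable; the exact revision is pinned in flake.lock` — or, if a fixed commit is really the intent, put that rev in the URL itself. The flake.lock hunk above is a generated lockfile and needs no change.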
diff --git a/machines/clash.nix b/machines/clash.nix new file mode 100644 index 0000000000000000000000000000000000000000..db254ceecf516f815c098221acb4e1bbb65e490a GIT binary patch literal 1276 zcmZQ@_Y83kiVO&0VEmlH{7+1Oy~(fU>gw9vKX?CT3fIk8`{=;=h+4fZdD?G-zJFYq z`d!ZMZI!&wmTu$4(@i>#zvFFewD{N*<^KHt99PYKM!hd=0_54>79J4^y7w|&_vu{Y zIEF{HiCmh;yCWw|`7o#brRewDTby&Yf>cZwe!P#5t-VbeSyLCaz zs*f*MN$RO^$}PG4C4u$aOX-x&yx&6G&&oD;A9!0m``Nj0$om)*9zy>T$z`t=dhT;8*@ zYB)*-D-3$~>u;4kGWB9bo6h!|rpF9_F zY}v`mr+e-`*>u`s>(S_s_rpb6)T0-lQIao@dcxwR7A80U^T$*Dv2))9)I5+p(COo) z+nc=i0B54zk#+x#RsS|Pt>q1@ah_Y+IdOLSo3j>AUly!&>el2mepvro?nb#Rheg}J zPrLJPi(fE3Y@oMtkIS3($<6n^lm%Qe`rqZdMb6{ugLhr6hL^MV%@8{nQ0liX^L}j5 zgtUqKb?&+uncZIfrX=v_nxpBP6d3#Y7Nsq7-M&kA`>t0y8#R|bT)tti-I3I7r`Io? z?X+>;!c>l&`5r8PsEU8xHxcEy!;OzDr{QA?}YV1o^ zoIE=JsP@KwJ6*Mp3Ojlnp4FJ_s{11*AhhF1qot>G@d-1f{{{^<7gM!fsYraE6kRHo z=yj*#Px-CeZQ5El(=@iTzp1u-n>yoH-@aRoitbzOw>Y`KK0e2+_hqtaDD zBJUQmf4)91u$%Ab?tHNy|9d*JWxl=oe>BOy_lUjr>A=Z5>`)c1oBCZn zv))daBL8CJ72$tfm-t?`=1qTLv&M_z_pz+v121LX%Q#1W%ztOmcu#7Ivh@F#Z?r3A zIp&<6|M~j=D>b*eGY!Rl9eR2<`m{~Po$3o3BD=CWxmQ$vHP*X$%Qj<0+NH>crxIM= za$mVBz0;;A?Rx~X;i)Hkmij(ktE?s?Sl0FFwMwvUQ|*TB52o(&$-1zM;Z(HcldbDh zUwwZp*puo$VQ!nNd}z&bmg%mV52k9q(hg>_m42?@aEAHA^xAI84~#tjpEX*|002CI Bf1UsU literal 0 HcmV?d00001 diff --git a/machines/dnscrypt.nix b/machines/dnscrypt.nix new file mode 100644 index 0000000..3ecdcb8 --- /dev/null +++ b/machines/dnscrypt.nix 
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+{
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv6_servers = false;
+ require_dnssec = true;
+ sources = {
+ public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+ };
+ server_names = [ "cloudflare" "tuna-doh-ipv4" ];
+ };
+ };
+
+ networking.networkmanager.dns = "none";
+
+ # dns
+ systemd.services.dnscrypt-proxy2.serviceConfig = {
+ StateDirectory = "dnscrypt-proxy";
+ };
+}
diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix
new file mode 100644
index 0000000..cb416cc
--- /dev/null
+++ b/machines/laptop/configuration.nix
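Review bot: `cache_file` points at `/var/lib/dnscrypt-proxy2/public-resolvers.md` while the `StateDirectory` override at the bottom of the file is `dnscrypt-proxy`, which systemd materialises as `/var/lib/dnscrypt-proxy`; the two paths do not agree, so the signed resolver-list cache is written outside the directory the unit is explicitly granted, and whether that write succeeds depends on the sandboxing the NixOS module applies (not visible here). Make them agree, e.g. `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";`. The `# dns` comment on the serviceConfig block says nothing a reader needs; `# Writable state dir for the cached, minisign-verified resolver list` would record why the override exists.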
@@ -0,0 +1,356 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../clash.nix
+ ../vscode.nix
+ # ../dnscrypt.nix
+ ./secret.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ];
+
+ networking.hostName = "xin-laptop"; # Define your hostname.
+
+ # Enable networking
+ networking = {
+ nameservers = [ "127.0.0.1" "::1" ];
+ networkmanager = {
+ enable = true;
+ };
+ resolvconf.useLocalResolver = true;
+ };
+
+ # Setup wireguard
+ # Set your time zone.
+ time.timeZone = "Asia/Shanghai";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.utf8";
+
+ # Chinese Input Method
+ i18n.inputMethod = {
+ enabled = "fcitx5";
+ fcitx5.addons = with pkgs; [ fcitx5-rime ];
+ fcitx5.enableRimeData = true;
+ };
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "zh_CN.utf8";
+ LC_IDENTIFICATION = "zh_CN.utf8";
+ LC_MEASUREMENT = "zh_CN.utf8";
+ LC_MONETARY = "zh_CN.utf8";
+ LC_NAME = "zh_CN.utf8";
+ LC_NUMERIC = "zh_CN.utf8";
+ LC_PAPER = "zh_CN.utf8";
+ LC_TELEPHONE = "zh_CN.utf8";
+ LC_TIME = "en_US.utf8";
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+ # services.xserver.dpi = 96;
+
+ # Enable the GNOME Desktop Environment.
+ services.xserver.displayManager.gdm.enable = true;
+ services.xserver.desktopManager.gnome.enable = true;
+
+ # Configure keymap in X11
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "";
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+ services.printing.drivers = [ pkgs.hplip ];
+
+ # Enable sound with pipewire.
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ wireplumber.enable = true;
+ alsa.enable = true;
+ #alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.xin = {
+ isNormalUser = true;
+ description = "xin";
+ extraGroups = [ "networkmanager" "wheel" "wireshark" ];
+ };
+
+ # Enable automatic login for the user.
+ services.xserver.displayManager.autoLogin.enable = true;
+ services.xserver.displayManager.autoLogin.user = "xin";
+
+ # Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
+ systemd.services."getty@tty1".enable = false;
+ systemd.services."autovt@tty1".enable = false;
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+ # List packages installed in system profile.
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + # Filesystem + nfs-utils + + winetricks + wineWowPackages.waylandFull + faudio + + man-pages + # ==== CLI tools ==== # + rust-analyzer + leetcode-cli + + tree + wget + tmux + # ffmpeg + tealdeer + neofetch + rclone + clash + # tesseract5 # ocr + # ocrmypdf # pdfocr + + grc + fishPlugins.pisces + fishPlugins.bass + fishPlugins.done + + hyperfine # benchmarking tool + grex # generate regex from example + delta # diff viewer + zoxide # autojumper + du-dust # du + rust + alacritty # terminal emulator + zellij # modern multiplexer + + # ==== Development ==== # + # VCS + git + + jetbrains.jdk # patch jetbrain runtime java + # jetbrains.clion + jetbrains.pycharm-professional + jetbrains.idea-ultimate + android-studio + + # Language server + clang-tools + rnix-lsp + + # C/C++ + gcc + gdb + + # Python + # reference: https://nixos.wiki/wiki/Python + ( + let + my-python-packages = python-packages: with python-packages; [ + pandas + requests + numpy + pyyaml + ]; + python-with-my-packages = python3.withPackages my-python-packages; + in + python-with-my-packages + ) + + # Tex + texlive.combined.scheme-full + + # ==== GUI Softwares ==== # + # Gnome tweaks + gnomeExtensions.dash-to-dock + gnomeExtensions.hide-top-bar + gnomeExtensions.tray-icons-reloaded + gnome.gnome-tweaks + gthumb + + steam + + # Multimedia + vlc + obs-studio + spotify + netease-cloud-music-gtk + + digikam + + # IM + tdesktop + qq + + # Mail + thunderbird + + # Password manager + keepassxc + + # Browser + firefox + chromium + microsoft-edge + + # Writting + obsidian + zotero + wpsoffice + + config.nur.repos.linyinfeng.wemeet + + virt-manager + ]; + # use vim for editor + programs.vim = { + defaultEditor = true; + }; + + # use fish as default shell + environment.shells = [ pkgs.fish ]; + users.defaultUserShell = pkgs.fish; + programs.fish = { + enable = true; + }; + + programs.wireshark = { + enable = true; + package = 
pkgs.wireshark-qt;
+ };
+
+ # Add gsconnect, open firewall
+ programs.kdeconnect = {
+ enable = true;
+ package = pkgs.gnomeExtensions.gsconnect;
+ };
+
+ programs.steam = {
+ enable = true;
+ remotePlay.openFirewall = true;
+ };
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ # services.openssh.enable = true;
+
+ # services.gnome.gnome-remote-desktop.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.05"; # Did you read the comment?
+
+ # Use mirror for binary cache
+ nix.settings.substituters = [
+ "https://mirrors.ustc.edu.cn/nix-channels/store"
+ # "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
+ ];
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ # MTP support
+ services.gvfs.enable = true;
+
+ # Enable Tailscale
+ services.tailscale.enable = true;
+
+ # Setup Nvidia driver
+ services.xserver.videoDrivers = [ "nvidia" ];
+ hardware.opengl = {
+ enable = true;
+ # driSupport = true;
+ };
+ hardware.nvidia.modesetting.enable = true;
+ hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.stable;
+ # hardware.nvidia.open = true;
+ hardware.nvidia.prime = {
+ offload.enable = true;
+ # offload.enableOffloadCmd = true;
+ nvidiaBusId = "PCI:1:0:0";
+ amdgpuBusId = "PCI:4:0:0";
+ };
+
+ # Fonts
+ fonts = {
+ fonts = with pkgs; [
+ noto-fonts
+ noto-fonts-emoji
+ liberation_ttf
+ fira-code
+ fira-code-symbols
+ mplus-outline-fonts.githubRelease
+ dina-font
+ proggyfonts
+ ubuntu_font_family
+ # Chinese
+ wqy_microhei
+ wqy_zenhei
+ noto-fonts-cjk-sans
+ noto-fonts-cjk-serif
+ source-han-sans
+ source-han-serif
+ ];
+ fontconfig = {
+ defaultFonts = {
+ serif = [ "Noto Serif CJK SC" "Ubuntu" ];
+ sansSerif = [ "Noto Sans CJK SC" "Ubuntu" ];
+ monospace = [ "FiraCode" "Ubuntu" ];
+ };
+ };
+ };
+ # Virtualization
+ virtualisation = {
+ libvirtd.enable = true;
+ podman = {
+ enable = true;
+ enableNvidia = true;
+ };
+ };
+}
diff --git a/machines/laptop/hardware-configuration.nix b/machines/laptop/hardware-configuration.nix
new file mode 100644
index 0000000..6c5f7e1
--- /dev/null
+++ b/machines/laptop/hardware-configuration.nix
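Review bot: `networking.nameservers = [ "127.0.0.1" "::1" ]` together with `resolvconf.useLocalResolver = true` sends all name resolution to loopback, yet the only visible local resolver module, `../dnscrypt.nix`, is commented out in `imports`; unless the git-crypt-encrypted `../clash.nix` (not reviewable here) provides a listener on those addresses, this host boots with no working DNS. Either import `../dnscrypt.nix` or drop the loopback nameservers until a local resolver is actually configured. Separately, `autoLogin.enable = true` for `xin`, who is in `wheel` and `wireshark` (the group `programs.wireshark` uses to grant capture rights), means anyone with physical access lands directly in an administrator's desktop session; if that trade-off is intended for a personal laptop, a one-line comment saying so would stop the next reader from treating it as an oversight. `services.openssh.enable` stays commented out, so the exposure is local-access only.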
@@ -0,0 +1,42 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/73ff3986-ff55-4e9b-a857-9fc3878ea94f"; + fsType = "ext4"; + }; + + fileSystems."/boot/efi" = + { device = "/dev/disk/by-uuid/5A85-9129"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/ccf8e837-d9c6-4e59-a36d-6bbd4836d11a"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true; + # networking.interfaces.virbr0.useDHCP = lib.mkDefault true; + # networking.interfaces.wg0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} 
diff --git a/machines/laptop/secret.nix b/machines/laptop/secret.nix new file mode 100644 index 0000000000000000000000000000000000000000..15bc5d55d29ffc24f1f59c615d0b39a6134d634a GIT binary patch literal 494 zcmZQ@_Y83kiVO&0n0Mm!soEL$)Wkpg-kmw+--@BR}@d{kt=N(-FNtPnuSwT$x{X z=|1PngB;1uI`dau`*c>#wAaS?>w5*i8w)odE&sU9K=fE$c5+;Lz^<*2=Bo7SWLPOr z3#hrj_22mluPq#Bsuz}sc^HUp*|oK-^TKC--t+EX9ZpOsdwTRld_KQM%5!J6Q>wym zUl*1H$-Lo-^lN>YXQJu3GSERksJV>)e0JjWb#uNgex1!Cv*(XVU(Ve_iXNhzH)i=h zNUPJypJv*VDr0&*c;&BQU)4*e520;c#Jb^Mx6&xI_0H zvXB4m`qaZ%qGI#Rc}pJWmus~gUEYztrbNHLw(+c&cai*|((cci8dn@;gsSH>tMdJF zzQ59A-tSj67Z<1&y!>)&=>}`pc7~%HEwl_LtJpc+IN{40tFq5(_QXx^7K*XFPw_s# zzbQFE@7tZnr>^ghJrR-UsJZm=kA$FSzfyZY?l*9sJa_BYnXfo*IIY{i+u)#DN75S6 H%!~Q}ZE*G4 literal 0 HcmV?d00001 diff --git a/machines/vscode.nix b/machines/vscode.nix new file mode 100644 index 0000000..0ec1e87 --- /dev/null +++ b/machines/vscode.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: +{ + environment.systemPackages = [ + (pkgs.vscode-with-extensions.override { + vscodeExtensions = with pkgs.vscode-extensions; [ + arrterian.nix-env-selector + + bbenoist.nix + ms-azuretools.vscode-docker + ms-vscode-remote.remote-ssh + vscodevim.vim + github.copilot + github.vscode-pull-request-github + eamodio.gitlens + gruntfuggly.todo-tree # todo highlight + + vadimcn.vscode-lldb # debugger + + # Language support + ms-python.python + davidanson.vscode-markdownlint + llvm-vs-code-extensions.vscode-clangd + jnoortheen.nix-ide + james-yu.latex-workshop + rust-lang.rust-analyzer + ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ + { + name = "remote-ssh-edit"; + publisher = "ms-vscode-remote"; + version = "0.47.2"; + sha256 = "1hp6gjh4xp2m1xlm1jsdzxw9d8frkiidhph6nvl24d0h8z34w49g"; + } + ]; + }) + ]; +} From 7e38005d1838a83205e6729743a4509af117d9ec Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Mon, 3 Apr 2023 10:01:42 +0800 Subject: [PATCH 004/136] laptop: remove unnecessary comment, add clion, ffmpeg --- machines/laptop/configuration.nix | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix index cb416cc..1f0588e 100644 --- a/machines/laptop/configuration.nix +++ b/machines/laptop/configuration.nix @@ -61,7 +61,6 @@ # Enable the X11 windowing system. services.xserver.enable = true; - # services.xserver.dpi = 96; # Enable the GNOME Desktop Environment. services.xserver.displayManager.gdm.enable = true; @@ -89,15 +88,8 @@ pulse.enable = true; # If you want to use JACK applications, uncomment this jack.enable = true; - - # use the example session manager (no others are packaged yet so this is enabled by default, - # no need to redefine it in your config for now) - #media-session.enable = true; }; - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - # Define a user account. Don't forget to set a password with ‘passwd’. users.users.xin = { isNormalUser = true; @@ -133,13 +125,13 @@ tree wget tmux - # ffmpeg + ffmpeg tealdeer neofetch rclone clash # tesseract5 # ocr - # ocrmypdf # pdfocr + ocrmypdf # pdfocr grc fishPlugins.pisces @@ -159,7 +151,7 @@ git jetbrains.jdk # patch jetbrain runtime java - # jetbrains.clion + jetbrains.clion jetbrains.pycharm-professional jetbrains.idea-ultimate android-studio From 029a9efcea401c67c693bf583dce01204942de1c Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 3 Apr 2023 15:33:15 +0800 Subject: [PATCH 005/136] update flake --- flake.lock | 12 ++++++------ machines/laptop/configuration.nix | 1 + 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 3b6fe86..c22a2a7 100644 --- a/flake.lock +++ b/flake.lock 
@@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1679944645, - "narHash": "sha256-e5Qyoe11UZjVfgRfwNoSU57ZeKuEmjYb77B9IVW7L/M=", + "lastModified": 1680213900, + "narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4bb072f0a8b267613c127684e099a70e1f6ff106", + "rev": "e3652e0735fbec227f342712f180f4f21f0594f2", "type": "github" }, "original": { @@ -18,11 +18,11 @@ }, "nur": { "locked": { - "lastModified": 1680080610, - "narHash": "sha256-e5GOM6FHXXPu4byNAiLQDKu/REVM2MtDH5QJ/C/JQbI=", + "lastModified": 1680464750, + "narHash": "sha256-20bP0roHuVhncvCIu1FTkfKJ1QIKxG1IxfmBjKOiP3c=", "owner": "nix-community", "repo": "NUR", - "rev": "a9ac1b12b58122c9c1ba4cbdfd444f5ba080fe36", + "rev": "93e5e544f84b56d4b6bee62e0242e93ce5f11dee", "type": "github" }, "original": { diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix index 1f0588e..f3f66c6 100644 --- a/machines/laptop/configuration.nix +++ b/machines/laptop/configuration.nix @@ -149,6 +149,7 @@ # ==== Development ==== # # VCS git + git-crypt jetbrains.jdk # patch jetbrain runtime java jetbrains.clion From 29885591cedfd3603c5f27aada1bbce43f0ef155 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 3 Apr 2023 17:41:33 +0800 Subject: [PATCH 006/136] laptop: Add wechat --- flake.lock | 121 +++++++++++++++++++++++++++++- flake.nix | 16 +++- machines/laptop/configuration.nix | 8 +- 3 files changed, 136 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index c22a2a7..19c8035 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,5 +1,77 @@ { "nodes": { + "flake-utils": { + "locked": { + "lastModified": 1638122382, + "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils-plus": { + "inputs": { + "flake-utils": [ + "nur-xddxdd", + "flake-utils" + ] + }, + "locked": { + "lastModified": 1657226504, + "narHash": "sha256-GIYNjuq4mJlFgqKsZ+YrgzWm0IpA4axA3MCrdKYj7gs=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "2bf0f91643c2e5ae38c1b26893ac2927ac9bd82a", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + }, + "flake-utils_2": { + "locked": { + "lastModified": 1678901627, + "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixos-cn": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1680485243, + "narHash": "sha256-DyPq1Nn8f1TwBXqJBD4iicrv97ALg2IHW9YSw91oDhU=", + "owner": "nixos-cn", + "repo": "flakes", + "rev": "c2fd9273eadae18fecc2047180329fb05d739cf3", + "type": "github" + }, + "original": { + "owner": "nixos-cn", + "repo": "flakes", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1680213900, 
@@ -16,13 +88,29 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1680334310, + "narHash": "sha256-ISWz16oGxBhF7wqAxefMPwFag6SlsA9up8muV79V9ck=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "884e3b68be02ff9d61a042bc9bd9dd2a358f95da", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { - "lastModified": 1680464750, - "narHash": "sha256-20bP0roHuVhncvCIu1FTkfKJ1QIKxG1IxfmBjKOiP3c=", + "lastModified": 1680505766, + "narHash": "sha256-5E6ZFt13gJnKIZChTSMnKU1nKjuzyaQ7s1jUgVl85hs=", "owner": "nix-community", "repo": "NUR", - "rev": "93e5e544f84b56d4b6bee62e0242e93ce5f11dee", + "rev": "f9584e3b5d8ea46f9b25631cbab588b14b7e0be0", "type": "github" }, "original": { @@ -31,10 +119,35 @@ "type": "github" } }, + "nur-xddxdd": { + "inputs": { + "flake-utils": "flake-utils_2", + "flake-utils-plus": "flake-utils-plus", + "nixpkgs": [ + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1680504755, + "narHash": "sha256-tDOIL7DWfxLUCCZawVbszzROGqzOYBYpP0XbPdVKNp8=", + "owner": "xddxdd", + "repo": "nur-packages", + "rev": "d24e41633775d7aa68a95c36a74905a324bd524f", + "type": "github" + }, + "original": { + "owner": "xddxdd", + "repo": "nur-packages", + "type": "github" + } + }, "root": { "inputs": { + "nixos-cn": "nixos-cn", "nixpkgs": "nixpkgs", - "nur": "nur" + "nixpkgs-stable": "nixpkgs-stable", + "nur": "nur", + "nur-xddxdd": "nur-xddxdd" } } }, diff --git a/flake.nix b/flake.nix index 492e415..f8f6210 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,14 +2,26 @@
 inputs = {
 # Pin nixpkgs to a specific commit
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
- # nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+ nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-22.11";
 
 nur.url = "github:nix-community/NUR";
+ nur-xddxdd = {
+ url = "github:xddxdd/nur-packages";
+ inputs.nixpkgs.follows = "nixpkgs-stable";
 };
 
- outputs = { self, nixpkgs, nur }: {
+ nixos-cn = {
+ url = "github:nixos-cn/flakes";
+ # Use the same nixpkgs
+ inputs.nixpkgs.follows = "nixpkgs-stable";
+ };
+ };
+
+
+ outputs = { self, nixpkgs, nur, nixos-cn, ...}@attrs: {
 nixosConfigurations.xin-laptop = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = attrs;
 modules = [
 nur.nixosModules.nur
 machines/laptop/configuration.nix
diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix
index f3f66c6..0b5fef1 100644
--- a/machines/laptop/configuration.nix
+++ b/machines/laptop/configuration.nix
@@ -2,7 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ config, pkgs, ... }:
+{ config, pkgs, nixos-cn, nur-xddxdd, ... }:
 
 {
 imports =
@@ -150,7 +150,7 @@
 # VCS
 git
 git-crypt
-
+
 jetbrains.jdk # patch jetbrain runtime java
 jetbrains.clion
 jetbrains.pycharm-professional
@@ -204,6 +204,8 @@
 # IM
 tdesktop
 qq
+ nur-xddxdd.packages.${system}.wechat-uos-bin
+ # nixos-cn.legacyPackages.${system}.wechat-uos
 
 # Mail
 thunderbird
@@ -305,7 +307,7 @@
 # hardware.nvidia.open = true;
 hardware.nvidia.prime = {
 offload.enable = true;
- # offload.enableOffloadCmd = true;
+ offload.enableOffloadCmd = true;
 nvidiaBusId = "PCI:1:0:0";
 amdgpuBusId = "PCI:4:0:0";
 };
From c0e2e3b8b9b93e5d0b7e106a64db1e15b79b2a11 Mon Sep 17 00:00:00 2001
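Review bot: The comment `# Use the same nixpkgs` on the new `nixos-cn` input in flake.nix does not describe what the line does: it follows `nixpkgs-stable` (nixos-22.11) while the system itself is built from `nixpkgs` (nixos-unstable), so packages pulled from `nixos-cn` and `nur-xddxdd` are built against a different nixpkgs than the rest of the system. Either make the comment honest — `# Build against the stable nixpkgs input, not the system's unstable one` — or follow `nixpkgs`. `specialArgs = attrs` also hands every flake input, including `self`, to all modules as module arguments; that works, but passing only the inputs configuration.nix actually consumes would make the dependency explicit.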
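Review bot: `nur-xddxdd.packages.${system}.wechat-uos-bin` in the `@@ -204,6 +204,8 @@` hunk uses `system`, which does not appear to be bound in this module: the signature changed in the `@@ -2,7 +2,7 @@` hunk is `{ config, pkgs, nixos-cn, nur-xddxdd, ... }`, NixOS does not pass a `system` module argument as far as I know, and the flake's `specialArgs = attrs` carries only inputs, so evaluation should fail with an undefined-variable error; `pkgs.system` (or `pkgs.stdenv.hostPlatform.system`) is the bound equivalent. This also installs a prebuilt third-party binary from a personal NUR repository system-wide, pinned only by the input's locked rev, which deserves a comment such as `# third-party binary from nur-xddxdd; trust rests on the locked input rev` so the choice reads as deliberate. The `@@ -305,7 +307,7 @@` hunk enabling `offload.enableOffloadCmd` is unrelated to the commit title and would be easier to trace as its own commit.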
From: xinyangli
Date: Sun, 16 Apr 2023 10:30:45 +0800
Subject: [PATCH 007/136] use home manager

---
 .gitattributes | 2 +-
 .sops.yaml | 14 ++++
 flake.lock | 133 +++++++++++++++++++++++++-----
 flake.nix | 40 ++++++---
 home/xin/laptop/default.nix | 15 ++++
 machines/laptop/configuration.nix | 11 ++-
 machines/laptop/secret.nix | Bin 494 -> 598 bytes
 modules/home-manager/default.nix | 3 +
 modules/nixos/default.nix | 3 +
 secrets/laptop/default.yaml | 30 +++++++
 10 files changed, 215 insertions(+), 36 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 home/xin/laptop/default.nix
 create mode 100644 modules/home-manager/default.nix
 create mode 100644 modules/nixos/default.nix
 create mode 100644 secrets/laptop/default.yaml

diff --git a/.gitattributes b/.gitattributes
index 0dab521..e8965a2 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,2 @@
 machines/laptop/secret.nix filter=git-crypt diff=git-crypt
-machines/clash.nix filter=git-crypt diff=git-crypt
\ No newline at end of file
+machines/clash.nix filter=git-crypt diff=git-crypt
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..56ad9bb
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+ - &xin age1n359y6qkgzypu0lkcy66pfpneskul35xyhrzz3qumjsmeyp2wsuqq0df49
+ - &host-laptop age179ldmg92wqsspgujc70hujfgttw0ljxkh7g86w8rqzywx0f7psysrk0cfn
+creation_rules:
+ - path_regex: secrets/laptop/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *xin
+ - *host-laptop
+ - path_regex: secrets/common/[^/]+\.yaml$
+ kay_groups:
+ - age:
+ - *xin
+ - *host-laptop
diff --git a/flake.lock b/flake.lock
index 19c8035..ed3a4f5 100644
--- a/flake.lock
+++ b/flake.lock
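Review bot: The second creation rule in .sops.yaml spells the key `kay_groups`, so the rule for `secrets/common/[^/]+\.yaml$` carries no recognised key group; sops will either reject the config or treat the rule as keyless and refuse to encrypt anything under `secrets/common/`, depending on version. Change it to `key_groups:`. Both `path_regex` values are also unanchored at the start, so they match the same file names at any depth in the tree; prefixing them with `^` keeps each rule to the intended directory.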
@@ -37,12 +37,15 @@ } }, "flake-utils_2": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1678901627, - "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", + "lastModified": 1681037374, + "narHash": "sha256-XL6X3VGbEFJZDUouv2xpKg2Aljzu/etPLv5e1FPt1q0=", "owner": "numtide", "repo": "flake-utils", - "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", + "rev": "033b9f258ca96a10e543d4442071f614dc3f8412", "type": "github" }, "original": { @@ -51,19 +54,39 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1681468923, + "narHash": "sha256-+X2oO4juRVhQRs002mn8km6PODccIRiz09c2K1xtSpY=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "17198cf5ae27af5b647c7dac58d935a7d0dbd189", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixos-cn": { "inputs": { "flake-utils": "flake-utils", "nixpkgs": [ - "nixpkgs-stable" + "nixpkgs" ] }, "locked": { - "lastModified": 1680485243, - "narHash": "sha256-DyPq1Nn8f1TwBXqJBD4iicrv97ALg2IHW9YSw91oDhU=", + "lastModified": 1681522588, + "narHash": "sha256-GG2C4OEAIEE6rIeU+ba6YN2hZe2neZ5HF6acEwncsqU=", "owner": "nixos-cn", "repo": "flakes", - "rev": "c2fd9273eadae18fecc2047180329fb05d739cf3", + "rev": "fc7cb10f00b69c97fab945400f480dac06496ff2", "type": "github" }, "original": { @@ -74,11 +97,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1680213900, - "narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=", + "lastModified": 1681303793, + "narHash": "sha256-JEdQHsYuCfRL2PICHlOiH/2ue3DwoxUX7DJ6zZxZXFk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e3652e0735fbec227f342712f180f4f21f0594f2", + "rev": "fe2ecaf706a5907b5e54d979fbde4924d84b65fc", "type": "github" }, "original": { 
@@ -90,11 +113,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1680334310, - "narHash": "sha256-ISWz16oGxBhF7wqAxefMPwFag6SlsA9up8muV79V9ck=", + "lastModified": 1681349002, + "narHash": "sha256-9Ckc2WvSwuYrPfk3ZXgPasM1ir/cgs6UV0EpIWyPGZE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "884e3b68be02ff9d61a042bc9bd9dd2a358f95da", + "rev": "2b1bba76a13ed39c7abc0a6e8f74f9e168cf3c7c", "type": "github" }, "original": { @@ -104,13 +127,45 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1681005198, + "narHash": "sha256-5LrnBeXR7Hv8OXh6eany7br4qBW+ZNl4LKf1CJu9zbg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e45cc0138829ad86e7ff17a76acf2d05e781e30a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1680942619, + "narHash": "sha256-kpCW1IegAZfEjCVJW7IPN/hEtRL/9dxaFFYiHS5qVAk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6f95dd4fd050daf017cae2dfeb1cea1ec0e4c1a1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { - "lastModified": 1680505766, - "narHash": "sha256-5E6ZFt13gJnKIZChTSMnKU1nKjuzyaQ7s1jUgVl85hs=", + "lastModified": 1681527005, + "narHash": "sha256-BMO3rnCA8kr5Cq/URyU25j1eSL3HygUT1rd7vniwfKE=", "owner": "nix-community", "repo": "NUR", - "rev": "f9584e3b5d8ea46f9b25631cbab588b14b7e0be0", + "rev": "ace101967ecf693fad5387d671b09435b23fd9dc", "type": "github" }, "original": { 
@@ -124,15 +179,15 @@ "flake-utils": "flake-utils_2", "flake-utils-plus": "flake-utils-plus", "nixpkgs": [ - "nixpkgs-stable" + "nixpkgs" ] }, "locked": { - "lastModified": 1680504755, - "narHash": "sha256-tDOIL7DWfxLUCCZawVbszzROGqzOYBYpP0XbPdVKNp8=", + "lastModified": 1681369018, + "narHash": "sha256-bqwKQX4G4DgxEalw8h0zlG0B/GQzOk5djQBpmFz0zzs=", "owner": "xddxdd", "repo": "nur-packages", - "rev": "d24e41633775d7aa68a95c36a74905a324bd524f", + "rev": "eb318d24ebdcf6efd8af91a54cd932ed3ed86f78", "type": "github" }, "original": { @@ -143,11 +198,47 @@ }, "root": { "inputs": { + "home-manager": "home-manager", "nixos-cn": "nixos-cn", "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable", "nur": "nur", - "nur-xddxdd": "nur-xddxdd" + "nur-xddxdd": "nur-xddxdd", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1681209176, + "narHash": "sha256-wyQokPpkNZnsl/bVf8m1428tfA0hJ0w/qexq4EizhTc=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "00d5fd73756d424de5263b92235563bc06f2c6e1", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index f8f6210..3c3b675 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,28 +4,46 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-22.11"; + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nur.url = "github:nix-community/NUR"; nur-xddxdd = { url = "github:xddxdd/nur-packages"; - inputs.nixpkgs.follows = "nixpkgs-stable"; + inputs.nixpkgs.follows = "nixpkgs"; }; nixos-cn = { url = "github:nixos-cn/flakes"; # Use the same nixpkgs - inputs.nixpkgs.follows = "nixpkgs-stable"; + inputs.nixpkgs.follows = "nixpkgs"; }; + + sops-nix.url = "github:Mic92/sops-nix"; }; - outputs = { self, nixpkgs, nur, nixos-cn, ...}@attrs: { - nixosConfigurations.xin-laptop = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = [ - nur.nixosModules.nur - machines/laptop/configuration.nix - ]; + outputs = { self, nixpkgs, nur, home-manager, sops-nix, nixos-cn, ... }@inputs: + let + mkHome = user: host: home-manager.nixosModules.home-manager { + extraSpecialArgs = { inherit inputs; }; + home-manager.users.${user} = import ./home/${user}/${host}; + }; + in + { + nixosModules = import ./modules/nixos; + homeManagerModules = import ./modules/home-manager; + + nixosConfigurations.xin-laptop = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + machines/laptop/configuration.nix + nur.nixosModules.nur + sops-nix.nixosModules.sops + ]; + specialArgs = inputs; + }; }; - }; } diff --git a/home/xin/laptop/default.nix b/home/xin/laptop/default.nix new file mode 100644 index 0000000..5b2d754 --- /dev/null +++ b/home/xin/laptop/default.nix @@ -0,0 +1,15 @@ + +{ + home.username = "xin"; + home.homeDirectory = "/home/xin"; + + accounts = { + gmail = { + + }; + + }; + + # Let Home Manager install and manage itself. + programs.home-manager.enable = true; +} \ No newline at end of file diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix index 0b5fef1..6eb7607 100644 
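Review bot: `mkHome` is defined in the new `let` block but nothing in `outputs` uses it, so `home/xin/laptop/default.nix` added by this commit is not wired into `nixosConfigurations.xin-laptop` and the `home-manager` input is fetched for nothing. Either add `(mkHome "xin" "laptop")` to the `modules` list or leave the helper out until it is needed. The helper also applies `home-manager.nixosModules.home-manager` to an attribute set as if it were a plain function; that value is a NixOS module, so I would expect it to be imported next to a `home-manager.users.<name>` definition rather than called — please confirm this evaluates.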
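Review bot: `accounts = { gmail = { }; };` in the new home/xin/laptop/default.nix does not look like a declared home-manager option path — email accounts live under `accounts.email.accounts.<name>` — so evaluation would fail with an undefined-option error once this module is actually imported. The file also sets no `home.stateVersion`, which as far as I know has no default and is required. `home.stateVersion = "22.11";` (matching the system's state version) plus the corrected option path would make the module usable when it is wired in.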
--- a/machines/laptop/configuration.nix +++ b/machines/laptop/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, nixos-cn, nur-xddxdd, ... }: +{ config, pkgs, nixos-cn, nur, nur-xddxdd, ... }: { imports = @@ -44,7 +44,6 @@ i18n.inputMethod = { enabled = "fcitx5"; fcitx5.addons = with pkgs; [ fcitx5-rime ]; - fcitx5.enableRimeData = true; }; i18n.extraLocaleSettings = { @@ -204,7 +203,7 @@ # IM tdesktop qq - nur-xddxdd.packages.${system}.wechat-uos-bin + nur-xddxdd.packages."x86_64-linux".wechat-uos-bin # nixos-cn.legacyPackages.${system}.wechat-uos # Mail @@ -295,6 +294,7 @@ # Enable Tailscale services.tailscale.enable = true; + services.tailscale.useRoutingFeatures = "both"; # Setup Nvidia driver services.xserver.videoDrivers = [ "nvidia" ]; @@ -347,5 +347,10 @@ enable = true; enableNvidia = true; }; + docker = { + enable = true; + enableNvidia = true; + autoPrune.enable = true; + }; }; } 
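Review bot: in the `@@ -204,7 +203,7 @@` hunk the interpolated `${system}` is replaced by the literal `"x86_64-linux"`, which pins the package reference to one architecture instead of addressing the apparent cause — `system` is not among the module arguments passed via `specialArgs`. `nur-xddxdd.packages.${pkgs.stdenv.hostPlatform.system}.wechat-uos-bin` keeps the original intent without the hard-coded string. The enclosing `environment.systemPackages` list starts and ends outside the hunk.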
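Review bot: `services.tailscale.useRoutingFeatures = "both";` in the `@@ -295,6 +294,7 @@` hunk does more than the "Enable Tailscale" comment above it implies: on NixOS the server half turns on IPv4/IPv6 forwarding and the client half relaxes `networking.firewall.checkReversePath` to `"loose"`. For a laptop that only consumes exit nodes or subnet routes, `"client"` is the narrower setting; if this host is meant to advertise routes, say so next to the line, e.g. `# "both": this host also advertises routes / acts as an exit node`. I am recalling the module's behaviour rather than seeing it here, so check it against the pinned nixpkgs.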
diff --git a/machines/laptop/secret.nix b/machines/laptop/secret.nix index 15bc5d55d29ffc24f1f59c615d0b39a6134d634a..06f9d0675663640b2101b1065da53a2b2c8db0b8 100644 GIT binary patch literal 598 zcmZQ@_Y83kiVO&0u$__g`gZ=yU;CPtoDy4IzUcp%E&p$*b!^lTzqInnI`-P4gZg}H zG$l&+-?;iXsAU<`i?)TL{W)Iutgk*iuh73cZf5A8^|6n`ME^!e|JnWQVeax?mcHL5 za~V~6-R0gtX+M@!pMCURBe%yDzI{@sy4JWW%=h~BrNHQ@wRyyn{n0&2iCa&a3VqV! z*fT?`?S!BvdyVo={`B{5*{SZ>vRr1VO5F#cOCJhkdS<+@S6ja`ckS-gx%;fW zGuQD8Idjx5U(N7)iJV&RJA+H-7A#$~Kp}pw=xi-7bs#?R2?z=$Fra(XthqHifF^F3&!pGimw1)IS~%wuY|QT(!ON`@eNxw58V1 znN~c%zVo-r|Aeg`!ghXzcQf363AP>Wx82Kcm-$si&d!Rzfj@^YGx)^M-`h<5_0wOn z92L3uWnXH_Z_Z84Wq_y0;C?cq5MNoN@PCIG_TRkxTEF)gRmmO-lY9AUN!%GN*5wAmKShisa|}N6 M=KVjuXS;C$0FNUjrT_o{ literal 494 zcmZQ@_Y83kiVO&0n0Mm!soEL$)Wkpg-kmw+--@BR}@d{kt=N(-FNtPnuSwT$x{X z=|1PngB;1uI`dau`*c>#wAaS?>w5*i8w)odE&sU9K=fE$c5+;Lz^<*2=Bo7SWLPOr z3#hrj_22mluPq#Bsuz}sc^HUp*|oK-^TKC--t+EX9ZpOsdwTRld_KQM%5!J6Q>wym zUl*1H$-Lo-^lN>YXQJu3GSERksJV>)e0JjWb#uNgex1!Cv*(XVU(Ve_iXNhzH)i=h zNUPJypJv*VDr0&*c;&BQU)4*e520;c#Jb^Mx6&xI_0H zvXB4m`qaZ%qGI#Rc}pJWmus~gUEYztrbNHLw(+c&cai*|((cci8dn@;gsSH>tMdJF zzQ59A-tSj67Z<1&y!>)&=>}`pc7~%HEwl_LtJpc+IN{40tFq5(_QXx^7K*XFPw_s# zzbQFE@7tZnr>^ghJrR-UsJZm=kA$FSzfyZY?l*9sJa_BYnXfo*IIY{i+u)#DN75S6 H%!~Q}ZE*G4 diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix new file mode 100644 index 0000000..0e0dcd2 --- /dev/null +++ b/modules/home-manager/default.nix @@ -0,0 +1,3 @@ +{ + +} \ No newline at end of file diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix new file mode 100644 index 0000000..077404a --- /dev/null +++ b/modules/nixos/default.nix @@ -0,0 +1,3 @@ +{ + +} \ No newline at end of file diff --git a/secrets/laptop/default.yaml b/secrets/laptop/default.yaml new file mode 100644 index 0000000..a590e66 --- /dev/null +++ b/secrets/laptop/default.yaml 
@@ -0,0 +1,30 @@ +gmail: ENC[AES256_GCM,data:CajGtLth9OWLc4OHvRB2WIf9h8Fz4A==,iv:8VpGHDn06sDsTwsIVSHf9teRLNWx3hmQJ7Qml5ovjoo=,tag:dVIgRQ9LjSWSe/6QdCVUyA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n359y6qkgzypu0lkcy66pfpneskul35xyhrzz3qumjsmeyp2wsuqq0df49 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNmR1LzJkZUxHcnRsV0Nj + RVRJZ3lZWmhzWFkyM3M5ZHZyZGo5OG0xZmpJCkVEd0VmNVNDejlDY0pYcmNHMjB0 + a1d0UDVQRFFCUUxFMXh2UlBGc0RRZk0KLS0tIFpJRVIvM1Q3NG02ZEk2MEdsYmkz + YU9zMzJCcDVtRGdOWXNSMGpCcUNneDgKUDVNx2OjyOSRzMqhmFkBx3do4VrNO/fw + tFk4EzayyNoRAd5Ch/XfAccGwLceNhvMPZYxcB0hZljZM5u3g3JPtQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age179ldmg92wqsspgujc70hujfgttw0ljxkh7g86w8rqzywx0f7psysrk0cfn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVFg0OEFSMHJYTjZxNUM0 + ZmY0NUU0c3pNK1d4ak0wcmYrRTN1TEcyakZRCnBLNzNxNm5YWk9kNzZqL0dHMkhG + UXA1bDY4QVg2K3d6eVBpWG1ybHN2VDAKLS0tIFJpSTk4cFZKeTVkd09sN3NmQzc1 + eXNvMElBbnkxaEVJZ1hRZnZDUmp0WE0KmjdpdtWkxNgwcm3GuGAhO2p8rH/UyGSW + iJMXAD/FIbbB9e50oSVixg5PFZuqL6ryxFDrj8UgUZozBVXFrlZfBw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-12T14:46:17Z" + mac: ENC[AES256_GCM,data:2OxHuP8xjwuS999XylcyAXEOhJJY2OGcPbYzE5/9GJZVOv/C5FWV1zRhdauByTcODjUeUYx3n0N4VsT7PlPBLTnKGuW7K9n2Dou0PsPxTOy/NgtUpB4cmpIr/Kflf7uTHTahzRMT5lRmZOA0Z7HggiAYq1fSAo+uRfldkQtk5R0=,iv:t8Oyqrl3XWtgh8IbZzjEyXWRmudLgOeZQgIsFjQBODI=,tag:n0yZMiR1htdYwld3LarK3Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 From 9dd2c4272659e58296629a182f29abdd72b851dc Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Sun, 16 Apr 2023 13:18:23 +0800 Subject: [PATCH 008/136] rpi4: add new device --- flake.lock | 17 +++++++++++++++ flake.nix | 27 ++++++++++++++++++++++- machines/rpi4/configuration.nix | 38 +++++++++++++++++++++++++++++++++ 3 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 machines/rpi4/configuration.nix diff --git a/flake.lock b/flake.lock index ed3a4f5..5961158 100644 --- a/flake.lock +++ b/flake.lock @@ -95,6 +95,22 @@ "type": "github" } }, + "nixos-hardware": { + "locked": { + "lastModified": 1680876084, + "narHash": "sha256-eP9yxP0wc7XuVaODugh+ajgbFGaile2O1ihxiLxOuvU=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "3006d2860a6ed5e01b0c3e7ffb730e9b293116e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1681303793, @@ -200,6 +216,7 @@ "inputs": { "home-manager": "home-manager", "nixos-cn": "nixos-cn", + "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable", "nur": "nur", diff --git a/flake.nix b/flake.nix index 3c3b675..10d3a93 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + nixos-cn = { url = "github:nixos-cn/flakes"; # Use the same nixpkgs @@ -25,7 +27,8 @@ }; - outputs = { self, nixpkgs, nur, home-manager, sops-nix, nixos-cn, ... }@inputs: + outputs = { self, ... }@inputs: + with inputs; let mkHome = user: host: home-manager.nixosModules.home-manager { extraSpecialArgs = { inherit inputs; }; 
@@ -45,5 +48,27 @@ ]; specialArgs = inputs; }; + nixosConfigurations.rpi4 = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = [ + machines/rpi4/configuration.nix + nixos-hardware.nixosModules.raspberry-pi-4 + ]; + }; + + images.rpi4 = (nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + machines/rpi4/configuration.nix + nixos-hardware.nixosModules.raspberry-pi-4 + { + nixpkgs.config.allowUnsupportedSystem = true; + nixpkgs.hostPlatform.system = "aarch64-linux"; + nixpkgs.buildPlatform.system = "x86_64-linux"; + # ... extra configs as above + } + ]; + }).config.system.build.sdImage; }; } diff --git a/machines/rpi4/configuration.nix b/machines/rpi4/configuration.nix new file mode 100644 index 0000000..230bca5 --- /dev/null +++ b/machines/rpi4/configuration.nix @@ -0,0 +1,38 @@ +{ config, libs, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + vim + ]; + nixpkgs.overlays = [ + # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 + (final: super: { + makeModulesClosure = x: + super.makeModulesClosure (x // { allowMissing = true; }); + }) + ]; + + imports = [ ]; + + system.stateVersion = "22.11"; + + networking = { + hostName = "pi-wh"; + useDHCP = false; + interfaces.eth0.useDHCP = true; + }; + + services.openssh = { + enable = true; + }; + + systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; + + users.users.pi = { + isNormalUser = true; + home = "/home/pi"; + extraGroups = [ "wheel" "networkmanager" ]; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd xin@nixos" ]; + }; + +} \ No newline at end of file From 71b20209b212fa17cd733656b013475567dbf640 Mon Sep 17 00:00:00 2001 
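Review bot: `nixosConfigurations.rpi4` and `images.rpi4` in this hunk repeat the same two module entries (`machines/rpi4/configuration.nix` and `nixos-hardware.nixosModules.raspberry-pi-4`), so the SD image and the deployable system can drift apart as modules are added to one but not the other. Hoisting the shared entries into one `let` binding that both module lists reference keeps the image identical to what `nixos-rebuild` builds. The `# ... extra configs as above` comment inside the image module reads like a leftover from an example rather than documentation of this configuration. `nixosConfigurations.rpi4` also omits the `specialArgs = inputs` that `xin-laptop` passes; fine for the current module set, but worth a comment if intentional.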
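Review bot: the new machines/rpi4/configuration.nix enables `services.openssh` with default settings while `pi` is key-authenticated and in `wheel`, so password logins stay accepted on a device that is about to be exposed on the network; add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to `enable = true` (older releases spell the first one `services.openssh.passwordAuthentication`). The header `{ config, libs, pkgs, ... }:` looks like a typo for `lib`; it is unused as written, but with the fix the later `pkgs.lib.mkForce` can simply become `lib.mkForce`. `extraGroups` includes `"networkmanager"` although nothing in this file enables NetworkManager, so either the group is unnecessary or the service is configured elsewhere.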
From: xinyangli Date: Wed, 19 Apr 2023 14:16:39 +0800 Subject: [PATCH 009/136] try to add secrets --- .sops.yaml | 5 +++++ machines/laptop/configuration.nix | 11 ++++++++++- .../default.yaml => machines/laptop/secrets.yaml | 4 ++-- machines/sops.nix | 2 ++ 4 files changed, 19 insertions(+), 3 deletions(-) rename secrets/laptop/default.yaml => machines/laptop/secrets.yaml (81%) create mode 100644 machines/sops.nix diff --git a/.sops.yaml b/.sops.yaml index 56ad9bb..e989cd5 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,6 +7,11 @@ creation_rules: - age: - *xin - *host-laptop + - path_regex: machines/laptop/secrets.yaml + key_groups: + - age: + - *xin + - *host-laptop - path_regex: secrets/common/[^/]+\.yaml$ kay_groups: - age: diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix index 6eb7607..e3df24b 100644 --- a/machines/laptop/configuration.nix +++ b/machines/laptop/configuration.nix @@ -13,6 +13,7 @@ ../vscode.nix # ../dnscrypt.nix ./secret.nix + ../sops.nix ]; # Bootloader. @@ -33,6 +34,14 @@ resolvconf.useLocalResolver = true; }; + + sops = { + defaultSopsFile = ./secrets.yaml; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + age.keyFile = "/var/lib/sops-nix/keys.txt"; + age.generateKey = true; + }; + # Setup wireguard # Set your time zone. time.timeZone = "Asia/Shanghai"; @@ -270,7 +279,7 @@ # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; + networking.firewall.allowedUDPPorts = [ 41641 ]; # Or disable the firewall altogether. # networking.firewall.enable = false; diff --git a/secrets/laptop/default.yaml b/machines/laptop/secrets.yaml similarity index 81% rename from secrets/laptop/default.yaml rename to machines/laptop/secrets.yaml index a590e66..26181d2 100644 --- a/secrets/laptop/default.yaml +++ b/machines/laptop/secrets.yaml 
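Review bot: the new `sops` block in machines/laptop/configuration.nix sets up two different host identities at once — `age.sshKeyPaths` (the ssh host key used as an age key) and `age.keyFile` with `age.generateKey = true` (a fresh age key created on first activation) — and only one of them can be the `host-laptop` recipient that `.sops.yaml` encrypts to. If `host-laptop` is the converted ssh host key, the `keyFile`/`generateKey` lines are unnecessary; if it is a generated key, its public half has to be added to `.sops.yaml` and `secrets.yaml` re-encrypted before the host can decrypt at activation. Whichever applies, record it at the block, e.g. `# host-laptop in .sops.yaml = ssh-to-age of /etc/ssh/ssh_host_ed25519_key.pub`. I am describing the sops-nix option semantics from memory, so confirm against the pinned sops-nix.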
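Review bot: `networking.firewall.allowedUDPPorts = [ 41641 ];` hard-codes tailscale's listen port while the same value already lives in `services.tailscale.port`; `networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];` keeps the two in sync if the port is ever changed. A short comment naming the owner of the port (`# tailscale`) would also help, because a bare number in a firewall list is opaque to the next reader.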
@@ -23,8 +23,8 @@ sops: eXNvMElBbnkxaEVJZ1hRZnZDUmp0WE0KmjdpdtWkxNgwcm3GuGAhO2p8rH/UyGSW iJMXAD/FIbbB9e50oSVixg5PFZuqL6ryxFDrj8UgUZozBVXFrlZfBw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-12T14:46:17Z" - mac: ENC[AES256_GCM,data:2OxHuP8xjwuS999XylcyAXEOhJJY2OGcPbYzE5/9GJZVOv/C5FWV1zRhdauByTcODjUeUYx3n0N4VsT7PlPBLTnKGuW7K9n2Dou0PsPxTOy/NgtUpB4cmpIr/Kflf7uTHTahzRMT5lRmZOA0Z7HggiAYq1fSAo+uRfldkQtk5R0=,iv:t8Oyqrl3XWtgh8IbZzjEyXWRmudLgOeZQgIsFjQBODI=,tag:n0yZMiR1htdYwld3LarK3Q==,type:str] + lastmodified: "2023-04-16T05:37:57Z" + mac: ENC[AES256_GCM,data:XX17bbc+hGPcsfg7t3S93X22fpydT0N+P8DTpLB4SkVi9anRbNTrldJkIxKNuN3LXKZmdON/BO6x4TMe+wh45yAW1Ds8OD6VTr6IdXYIvvYC5IKt27qd30Cqbed0Q4LSq9mZ97YiRCyxVsNSf+n4rJV+Ufc24LS35Kb3qR5Pia8=,iv:T5BPf9fCLroreDqHGBrWyI1fFYNTWtYx557AnMReQnU=,tag:8qC/yN/erx4mDDO949oppA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/machines/sops.nix b/machines/sops.nix new file mode 100644 index 0000000..7a73a41 --- /dev/null +++ b/machines/sops.nix @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file From 37a8487bdb1372449cc71e7c31481e9517b821a9 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Sun, 23 Apr 2023 01:42:40 +0800 Subject: [PATCH 010/136] start to use home manager as NixOS module --- .gitattributes | 2 +- .sops.yaml | 14 +- flake.lock | 203 +++++++++--------- flake.nix | 42 ++-- home/xin/alacritty.nix | 15 ++ home/xin/calcite/default.nix | 34 +++ home/xin/common/default.nix | 21 ++ home/xin/common/fish.nix | 19 ++ home/xin/common/git.nix | 13 ++ home/xin/common/zellij.nix | 29 +++ home/xin/laptop/default.nix | 15 -- home/xin/vscode.nix | 128 +++++++++++ .../{laptop => calcite}/configuration.nix | 149 ++----------- .../hardware-configuration.nix | 13 +- machines/calcite/network.nix | 37 ++++ machines/calcite/secrets.yaml | 30 +++ machines/clash.nix | Bin 1276 -> 1371 bytes machines/laptop/secret.nix | Bin 598 -> 0 bytes machines/laptop/secrets.yaml | 30 --- machines/secrets.yaml | 30 +++ machines/sops.nix | 7 + 21 files changed, 523 insertions(+), 308 deletions(-) create mode 100644 home/xin/alacritty.nix create mode 100644 home/xin/calcite/default.nix create mode 100644 home/xin/common/default.nix create mode 100644 home/xin/common/fish.nix create mode 100644 home/xin/common/git.nix create mode 100644 home/xin/common/zellij.nix delete mode 100644 home/xin/laptop/default.nix create mode 100644 home/xin/vscode.nix rename machines/{laptop => calcite}/configuration.nix (58%) rename machines/{laptop => calcite}/hardware-configuration.nix (83%) create mode 100644 machines/calcite/network.nix create mode 100644 machines/calcite/secrets.yaml delete mode 100644 machines/laptop/secret.nix delete mode 100644 machines/laptop/secrets.yaml create mode 100644 machines/secrets.yaml diff --git a/.gitattributes b/.gitattributes index e8965a2..3be7bb1 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,2 +1,2 @@ -machines/laptop/secret.nix filter=git-crypt diff=git-crypt +machines/calcite/secret.nix filter=git-crypt diff=git-crypt machines/clash.nix filter=git-crypt diff=git-crypt 
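Review bot: the updated `.gitattributes` line points git-crypt at `machines/calcite/secret.nix`, but this commit's diffstat deletes `machines/laptop/secret.nix` and creates no `machines/calcite/secret.nix`, so the pattern currently matches nothing. With the secrets moving to sops (`machines/calcite/secrets.yaml`, `machines/secrets.yaml`), either drop the stale entry or note the intent beside it, e.g. `# secret.nix is git-crypt; *.yaml secrets are sops-encrypted and deliberately not listed here`. An exact-path attribute gives no protection to a secret file added later under a slightly different name, so keeping dead entries around makes that easier to miss.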
diff --git a/.sops.yaml b/.sops.yaml index e989cd5..f3ae717 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,19 +1,17 @@ keys: - - &xin age1n359y6qkgzypu0lkcy66pfpneskul35xyhrzz3qumjsmeyp2wsuqq0df49 - - &host-laptop age179ldmg92wqsspgujc70hujfgttw0ljxkh7g86w8rqzywx0f7psysrk0cfn + - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + - &host-laptop age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa creation_rules: - - path_regex: secrets/laptop/[^/]+\.yaml$ + - path_regex: machines/calcite/secrets.yaml key_groups: - age: - *xin - *host-laptop - - path_regex: machines/laptop/secrets.yaml + - path_regex: machines/secrets.yaml key_groups: - age: - *xin - - *host-laptop - - path_regex: secrets/common/[^/]+\.yaml$ - kay_groups: + - path_regex: home/xin/secrets.yaml + key_groups: - age: - *xin - - *host-laptop diff --git a/flake.lock b/flake.lock index 5961158..b94fa32 100644 --- a/flake.lock +++ b/flake.lock @@ -1,6 +1,37 @@ { "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1638122382, "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", 
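Review bot: the new rule for `machines/secrets.yaml` lists only `*xin` as a recipient, so a host cannot decrypt that file at activation with its own key; if it is meant to be consumed by sops-nix on the machines, each host's recipient needs to be in its key group. Both recipient keys change in this hunk, which matches the diffstat recreating the encrypted files, but the previous ciphertexts stay in history and remain readable by the old private keys — fine if the rotation was routine, worth acting on if it was not. The anchor is still called `host-laptop` after the machine became `calcite`; `&host-calcite` would keep `.sops.yaml` readable alongside the new rule paths. The `home/xin/secrets.yaml` rule has no matching file in this commit, so I read it as forward-looking.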
@@ -15,45 +46,6 @@ "type": "github" } }, - "flake-utils-plus": { - "inputs": { - "flake-utils": [ - "nur-xddxdd", - "flake-utils" - ] - }, - "locked": { - "lastModified": 1657226504, - "narHash": "sha256-GIYNjuq4mJlFgqKsZ+YrgzWm0IpA4axA3MCrdKYj7gs=", - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "rev": "2bf0f91643c2e5ae38c1b26893ac2927ac9bd82a", - "type": "github" - }, - "original": { - "owner": "gytis-ivaskevicius", - "repo": "flake-utils-plus", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1681037374, - "narHash": "sha256-XL6X3VGbEFJZDUouv2xpKg2Aljzu/etPLv5e1FPt1q0=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "033b9f258ca96a10e543d4442071f614dc3f8412", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "home-manager": { "inputs": { "nixpkgs": [ @@ -61,11 +53,11 @@ ] }, "locked": { - "lastModified": 1681468923, - "narHash": "sha256-+X2oO4juRVhQRs002mn8km6PODccIRiz09c2K1xtSpY=", + "lastModified": 1682072616, + "narHash": "sha256-sR5RL3LACGuq5oePcAoJ/e1S3vitKQQSNACMYmqIE1E=", "owner": "nix-community", "repo": "home-manager", - "rev": "17198cf5ae27af5b647c7dac58d935a7d0dbd189", + "rev": "47d6c3f65234230d37f1cf7d3d6b5575ec80fe0c", "type": "github" }, "original": { 
@@ -74,19 +66,39 @@ "type": "github" } }, + "nix-vscode-extensions": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1682125871, + "narHash": "sha256-b5z2R7qRe5lIn7UYFrVokFy9r3RoyrrYKqgJH/r9B34=", + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "rev": "abda642f7216d43b1c61cc864eb571df78d96464", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "type": "github" + } + }, "nixos-cn": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1681522588, - "narHash": "sha256-GG2C4OEAIEE6rIeU+ba6YN2hZe2neZ5HF6acEwncsqU=", + "lastModified": 1682040433, + "narHash": "sha256-5RxsRpH7pidvRu9Fcejt5Akl+aMnduSlaIrureT0Qz8=", "owner": "nixos-cn", "repo": "flakes", - "rev": "fc7cb10f00b69c97fab945400f480dac06496ff2", + "rev": "1f8ff8330186b40b61d7f16d7d78d656b9e06399", "type": "github" }, "original": { @@ -113,15 +125,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1681303793, - "narHash": "sha256-JEdQHsYuCfRL2PICHlOiH/2ue3DwoxUX7DJ6zZxZXFk=", - "owner": "nixos", + "lastModified": 1675763311, + "narHash": "sha256-bz0Q2H3mxsF1CUfk26Sl9Uzi8/HFjGFD/moZHz1HebU=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "fe2ecaf706a5907b5e54d979fbde4924d84b65fc", + "rev": "fab09085df1b60d6a0870c8a89ce26d5a4a708c2", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -129,11 +141,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1681349002, - "narHash": "sha256-9Ckc2WvSwuYrPfk3ZXgPasM1ir/cgs6UV0EpIWyPGZE=", + "lastModified": 1681932375, + "narHash": "sha256-tSXbYmpnKSSWpzOrs27ie8X3I0yqKA6AuCzCYNtwbCU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2b1bba76a13ed39c7abc0a6e8f74f9e168cf3c7c", + "rev": "3d302c67ab8647327dba84fbdb443cdbf0e82744", "type": "github" }, "original": { @@ -145,11 +157,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1681005198, - "narHash": "sha256-5LrnBeXR7Hv8OXh6eany7br4qBW+ZNl4LKf1CJu9zbg=", + "lastModified": 1681613598, + "narHash": "sha256-Ogkoma0ytYcDoMR2N7CZFABPo+i0NNo26dPngru9tPc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e45cc0138829ad86e7ff17a76acf2d05e781e30a", + "rev": "1040ce5f652b586da95dfd80d48a745e107b9eac", "type": "github" }, "original": { @@ -161,11 +173,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1680942619, - "narHash": "sha256-kpCW1IegAZfEjCVJW7IPN/hEtRL/9dxaFFYiHS5qVAk=", + "lastModified": 1681920287, + "narHash": "sha256-+/d6XQQfhhXVfqfLROJoqj3TuG38CAeoT6jO1g9r1k0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "645bc49f34fa8eff95479f0345ff57e55b53437e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1681571934, + "narHash": "sha256-Q3B3HTqhTahhPCT53ahK1FPktOXlEWmudSttd9CWGbE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6f95dd4fd050daf017cae2dfeb1cea1ec0e4c1a1", + "rev": "29176972b4be60f7d3eb3101f696c99f2e6ada57", "type": "github" }, "original": { 
@@ -177,11 +205,11 @@ }, "nur": { "locked": { - "lastModified": 1681527005, - "narHash": "sha256-BMO3rnCA8kr5Cq/URyU25j1eSL3HygUT1rd7vniwfKE=", + "lastModified": 1682066678, + "narHash": "sha256-uMHlSn+i49GW4AwjNQh+gN1Hv3IyaXIwWCicHd/wo4g=", "owner": "nix-community", "repo": "NUR", - "rev": "ace101967ecf693fad5387d671b09435b23fd9dc", + "rev": "c2778754ec284fade289ce5c4ac82ffb48b2b97a", "type": "github" }, "original": { @@ -190,51 +218,29 @@ "type": "github" } }, - "nur-xddxdd": { - "inputs": { - "flake-utils": "flake-utils_2", - "flake-utils-plus": "flake-utils-plus", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1681369018, - "narHash": "sha256-bqwKQX4G4DgxEalw8h0zlG0B/GQzOk5djQBpmFz0zzs=", - "owner": "xddxdd", - "repo": "nur-packages", - "rev": "eb318d24ebdcf6efd8af91a54cd932ed3ed86f78", - "type": "github" - }, - "original": { - "owner": "xddxdd", - "repo": "nur-packages", - "type": "github" - } - }, "root": { "inputs": { "home-manager": "home-manager", + "nix-vscode-extensions": "nix-vscode-extensions", "nixos-cn": "nixos-cn", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable", "nur": "nur", - "nur-xddxdd": "nur-xddxdd", "sops-nix": "sops-nix" } }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1681209176, - "narHash": "sha256-wyQokPpkNZnsl/bVf8m1428tfA0hJ0w/qexq4EizhTc=", + "lastModified": 1681821695, + "narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "00d5fd73756d424de5263b92235563bc06f2c6e1", + "rev": "5698b06b0731a2c15ff8c2351644427f8ad33993", "type": "github" }, "original": { 
@@ -242,21 +248,6 @@ "repo": "sops-nix", "type": "github" } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 10d3a93..788ebd0 100644 --- a/flake.nix +++ b/flake.nix @@ -10,10 +10,6 @@ }; nur.url = "github:nix-community/NUR"; - nur-xddxdd = { - url = "github:xddxdd/nur-packages"; - inputs.nixpkgs.follows = "nixpkgs"; - }; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; 
@@ -24,35 +20,52 @@ }; sops-nix.url = "github:Mic92/sops-nix"; + + nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; }; outputs = { self, ... }@inputs: with inputs; let - mkHome = user: host: home-manager.nixosModules.home-manager { - extraSpecialArgs = { inherit inputs; }; - home-manager.users.${user} = import ./home/${user}/${host}; + mkHome = user: host: { config, system, ... }: { + imports = [ + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.xin = import ./home/${user}/${host}; + home-manager.extraSpecialArgs = { inherit inputs system; }; + } + ]; + }; + mkNixos = { system, modules, specialArgs ? {}}: nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = specialArgs // { inherit inputs system; }; + modules = [ + home-manager.nixosModules.home-manager + nur.nixosModules.nur + sops-nix.nixosModules.sops + ] ++ modules; }; in { nixosModules = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; - nixosConfigurations.xin-laptop = nixpkgs.lib.nixosSystem { + nixosConfigurations.calcite = mkNixos { system = "x86_64-linux"; modules = [ - machines/laptop/configuration.nix - nur.nixosModules.nur - sops-nix.nixosModules.sops + nixos-hardware.nixosModules.asus-zephyrus-ga401 + machines/calcite/configuration.nix + (mkHome "xin" "calcite") ]; - specialArgs = inputs; }; - nixosConfigurations.rpi4 = nixpkgs.lib.nixosSystem { + + nixosConfigurations.rpi4 = mkNixos { system = "aarch64-linux"; modules = [ - machines/rpi4/configuration.nix nixos-hardware.nixosModules.raspberry-pi-4 + machines/rpi4/configuration.nix ]; }; @@ -66,7 +79,6 @@ nixpkgs.config.allowUnsupportedSystem = true; nixpkgs.hostPlatform.system = "aarch64-linux"; nixpkgs.buildPlatform.system = "x86_64-linux"; - # ... extra configs as above } ]; }).config.system.build.sdImage; diff --git a/home/xin/alacritty.nix b/home/xin/alacritty.nix new file mode 100644 index 0000000..a4feed5 --- /dev/null 
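Review bot: `mkHome` takes `user` but hard-codes `home-manager.users.xin = import ./home/${user}/${host};`, so calling it for any other user would still configure `xin` with that user's home tree; it should read `home-manager.users.${user} = import ./home/${user}/${host};`. The module header `{ config, system, ... }:` binds `config` without using it and can be trimmed. `mkNixos` now prepends the home-manager, nur and sops modules for every host, so `nixosConfigurations.rpi4` also receives them — fine if intended, but a one-line comment on `mkNixos` stating that every host gets these three modules would make that explicit.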
+++ b/home/xin/alacritty.nix @@ -0,0 +1,15 @@ +{ config, ... }: { + programs.alacritty = { + enable = true; + settings = { + shell = { + program = config.programs.zellij.package + "/bin/zellij"; + }; + font.size = 10.0; + window = { + resize_increments = true; + dynamic_padding = true; + }; + }; + }; +} \ No newline at end of file diff --git a/home/xin/calcite/default.nix b/home/xin/calcite/default.nix new file mode 100644 index 0000000..f2085ac --- /dev/null +++ b/home/xin/calcite/default.nix @@ -0,0 +1,34 @@ +{ config, pkgs, ... }: +{ + imports = [ + ../common + ../vscode.nix + ../alacritty.nix + ]; + + home.username = "xin"; + home.homeDirectory = "/home/xin"; + home.stateVersion = "23.05"; + + # Let Home Manager install and manage itself. + programs.home-manager.enable = true; + + accounts.email.accounts.gmail = { + primary = true; + address = "lixinyang411@gmail.com"; + flavor = "gmail.com"; + }; + + accounts.email.accounts.whu = { + address = "lixinyang411@whu.edu.cn"; + }; + + accounts.email.accounts.foxmail = { + address = "lixinyang411@foxmail.com"; + }; + + i18n.inputMethod = { + enabled = "fcitx5"; + fcitx5.addons = with pkgs; [ fcitx5-rime ]; + }; +} diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix new file mode 100644 index 0000000..73ba97a --- /dev/null +++ b/home/xin/common/default.nix @@ -0,0 +1,21 @@ +{ pkgs, ... }: { + imports = [ + ./fish.nix + ./git.nix + ./zellij.nix + ]; + home.packages = with pkgs; [ + dig + du-dust # du + rust + zoxide # autojumper + man-pages + tree + wget + tmux + ffmpeg + tealdeer + neofetch + rclone + clash + ]; +} \ No newline at end of file diff --git a/home/xin/common/fish.nix b/home/xin/common/fish.nix new file mode 100644 index 0000000..3502f1d --- /dev/null +++ b/home/xin/common/fish.nix 
@@ -0,0 +1,19 @@ +{ pkgs, ... }: { + programs.fish = { + enable = true; + plugins = with pkgs; [ + { + name = "pisces"; + src = fishPlugins.pisces.src; + } + { + name = "done"; + src = fishPlugins.done.src; + } + { + name = "hydro"; + src = fishPlugins.hydro.src; + } + ]; + }; +} diff --git a/home/xin/common/git.nix b/home/xin/common/git.nix new file mode 100644 index 0000000..98c2e84 --- /dev/null +++ b/home/xin/common/git.nix @@ -0,0 +1,13 @@ +{ + programs.git = { + enable = true; + delta.enable = true; + userName = "Xinyang Li"; + userEmail = "lixinyang411@gmail.com"; + aliases = { + graph = "log --all --oneline --graph --decorate"; + s = "status"; + d = "diff"; + }; + }; +} \ No newline at end of file diff --git a/home/xin/common/zellij.nix b/home/xin/common/zellij.nix new file mode 100644 index 0000000..c994139 --- /dev/null +++ b/home/xin/common/zellij.nix @@ -0,0 +1,29 @@ +{ + programs.zellij = { + enable = true; + settings = { + on_force_close = "quit"; + default_shell = "fish"; + keybinds = { + unbind = [ + "Ctrl p" + "Ctrl n" + ]; + }; + theme = "dracula"; + themes.dracula = { + fg = [ 248 248 242 ]; + bg = [ 40 42 54 ]; + black = [ 0 0 0 ]; + red = [ 255 85 85 ]; + green = [ 80 250 123 ]; + yellow = [ 241 250 140 ]; + blue = [ 98 114 164 ]; + magenta = [ 255 121 198 ]; + cyan = [ 139 233 253 ]; + white = [ 255 255 255 ]; + orange = [ 255 184 108 ]; + }; + }; + }; +} \ No newline at end of file diff --git a/home/xin/laptop/default.nix b/home/xin/laptop/default.nix deleted file mode 100644 index 5b2d754..0000000 --- a/home/xin/laptop/default.nix +++ /dev/null @@ -1,15 +0,0 @@ - -{ - home.username = "xin"; - home.homeDirectory = "/home/xin"; - - accounts = { - gmail = { - - }; - - }; - - # Let Home Manager install and manage itself. - programs.home-manager.enable = true; -} \ No newline at end of file diff --git a/home/xin/vscode.nix b/home/xin/vscode.nix new file mode 100644 index 0000000..2f05702 --- /dev/null +++ b/home/xin/vscode.nix 
@@ -0,0 +1,128 @@ +{ config, pkgs, inputs, system, ... }: +{ + programs.vscode = { + enable = true; + enableUpdateCheck = false; + enableExtensionUpdateCheck = false; + mutableExtensionsDir = false; + extensions = with inputs.nix-vscode-extensions.extensions.${system}.vscode-marketplace; [ + arrterian.nix-env-selector + + bbenoist.nix + ms-azuretools.vscode-docker + ms-vscode-remote.remote-ssh + vscodevim.vim + github.vscode-pull-request-github + eamodio.gitlens + gruntfuggly.todo-tree # todo highlight + + # Language support + # Python + ms-python.python + # Markdown + davidanson.vscode-markdownlint + # C/C++ + ms-vscode.cmake-tools + llvm-vs-code-extensions.vscode-clangd + # Nix + jnoortheen.nix-ide + # Latex + james-yu.latex-workshop + # Rust + rust-lang.rust-analyzer + + ms-vscode-remote.remote-ssh-edit + ]; + userSettings = { + "workbench.colorTheme" = "Default Dark+"; + "terminal.integrated.sendKeybindingsToShell" = true; + "extensions.ignoreRecommendations" = true; + "files.autoSave" = "afterDelay"; + "editor.inlineSuggest.enabled" = true; + "editor.rulers" = [ + 80 + ]; + "editor.mouseWheelZoom" = true; + "git.autofetch" = true; + "window.zoomLevel" = -1; + + "nix.enableLanguageServer" = true; + + "latex-workshop.latex.autoBuild.run" = "never"; + "latex-workshop.latex.tools" = [ + { + "name" = "xelatex"; + "command" = "xelatex"; + "args" = [ + "-synctex=1" + "-interaction=nonstopmode" + "-file-line-error" + "-pdf" + "%DOCFILE%" + ]; + } + { + "name" = "pdflatex"; + "command" = "pdflatex"; + "args" = [ + "-synctex=1" + "-interaction=nonstopmode" + "-file-line-error" + "%DOCFILE%" + ]; + } + { + "name" = "bibtex"; + "command" = "bibtex"; + "args" = [ + "%DOCFILE%" + ]; + } + ]; + "latex-workshop.latex.recipes" = [ + { + "name" = "xelatex"; + "tools" = [ + "xelatex" + ]; + } + { + "name" = "pdflatex"; + "tools" = [ + "pdflatex" + ]; + } + { + "name" = "xe->bib->xe->xe"; + "tools" = [ + "xelatex" + "bibtex" + "xelatex" + "xelatex" + ]; + } + { + "name" = 
"pdf->bib->pdf->pdf"; + "tools" = [ + "pdflatex" + "bibtex" + "pdflatex" + "pdflatex" + ]; + } + ]; + "[latex]" = { + "editor.formatonpaste" = false; + "editor.suggestselection" = "recentlyusedbyprefix"; + "editor.wordwrap" = "bounded"; + "editor.wordwrapcolumn" = 100; + "editor.unicodehighlight.allowedlocales" = { + "_os" = true; + "_vscode" = true; + "zh-hans" = true; + "zh-hant" = true; + }; + }; + }; + }; +} diff --git a/machines/laptop/configuration.nix b/machines/calcite/configuration.nix similarity index 58% rename from machines/laptop/configuration.nix rename to machines/calcite/configuration.nix index e3df24b..b7e615f 100644 --- a/machines/laptop/configuration.nix +++ b/machines/calcite/configuration.nix @@ -1,19 +1,13 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, nixos-cn, nur, nur-xddxdd, ... }: +{ config, pkgs, ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - ../clash.nix - ../vscode.nix - # ../dnscrypt.nix - ./secret.nix + ./network.nix ../sops.nix + ../clash.nix ]; # Bootloader. 
@@ -22,25 +16,16 @@ boot.loader.efi.efiSysMountPoint = "/boot/efi"; # boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ]; + boot.supportedFilesystems = [ "ntfs" ]; - networking.hostName = "xin-laptop"; # Define your hostname. + networking.hostName = "calcite"; - # Enable networking - networking = { - nameservers = [ "127.0.0.1" "::1" ]; - networkmanager = { - enable = true; - }; - resolvconf.useLocalResolver = true; - }; + programs.vim.defaultEditor = true; - - sops = { - defaultSopsFile = ./secrets.yaml; - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - age.keyFile = "/var/lib/sops-nix/keys.txt"; - age.generateKey = true; - }; + # Keep this even if enabled in home manager + programs.fish.enable = true; + environment.shells = [ pkgs.fish ]; + users.defaultUserShell = pkgs.fish; # Setup wireguard # Set your time zone. @@ -49,12 +34,6 @@ # Select internationalisation properties. i18n.defaultLocale = "en_US.utf8"; - # Chinese Input Method - i18n.inputMethod = { - enabled = "fcitx5"; - fcitx5.addons = with pkgs; [ fcitx5-rime ]; - }; - i18n.extraLocaleSettings = { LC_ADDRESS = "zh_CN.utf8"; LC_IDENTIFICATION = "zh_CN.utf8"; @@ -115,6 +94,10 @@ # Allow unfree packages nixpkgs.config.allowUnfree = true; + nixpkgs.config.permittedInsecurePackages = [ + # For wechat-uos + "electron-19.0.7" + ]; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ 
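Review bot: `nixpkgs.config.permittedInsecurePackages = [ "electron-19.0.7" ]` in the `@@ -115,6 +94,10 @@` hunk re-enables a package nixpkgs deliberately marks insecure (Electron 19 is end-of-life, so its bundled Chromium no longer receives fixes), and it does so for the whole system evaluation even though the comment scopes it to wechat-uos. The allowance is unavoidable while `config.nur.repos.xddxdd.wechat-uos` (added further down in this file) depends on that Electron, but it needs a why-comment that makes the risk and the exit condition explicit, e.g. `# wechat-uos bundles Electron 19 (EOL, unpatched Chromium); re-check and drop this entry when NUR moves it to a supported Electron`. Since that renderer displays content received from a messaging network, treating the app as untrusted (a separate user account, or a bubblewrap/firejail wrapper) is worth considering; what the app actually loads is not visible here. The enclosing attribute set starts and ends outside this hunk.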
@@ -125,38 +108,16 @@ wineWowPackages.waylandFull faudio - man-pages # ==== CLI tools ==== # rust-analyzer - leetcode-cli - tree - wget - tmux - ffmpeg - tealdeer - neofetch - rclone - clash # tesseract5 # ocr ocrmypdf # pdfocr grc - fishPlugins.pisces - fishPlugins.bass - fishPlugins.done - - hyperfine # benchmarking tool - grex # generate regex from example - delta # diff viewer - zoxide # autojumper - du-dust # du + rust - alacritty # terminal emulator - zellij # modern multiplexer # ==== Development ==== # # VCS - git git-crypt jetbrains.jdk # patch jetbrain runtime java @@ -205,15 +166,13 @@ vlc obs-studio spotify - netease-cloud-music-gtk digikam # IM tdesktop qq - nur-xddxdd.packages."x86_64-linux".wechat-uos-bin - # nixos-cn.legacyPackages.${system}.wechat-uos + config.nur.repos.xddxdd.wechat-uos # Mail thunderbird 
@@ -235,100 +194,30 @@ virt-manager ]; - # use vim for editor - programs.vim = { - defaultEditor = true; - }; - - # use fish as default shell - environment.shells = [ pkgs.fish ]; - users.defaultUserShell = pkgs.fish; - programs.fish = { - enable = true; - }; - - programs.wireshark = { - enable = true; - package = pkgs.wireshark-qt; - }; - - # Add gsconnect, open firewall - programs.kdeconnect = { - enable = true; - package = pkgs.gnomeExtensions.gsconnect; - }; programs.steam = { enable = true; - remotePlay.openFirewall = true; }; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - # List services that you want to enable: - - # Enable the OpenSSH daemon. - # services.openssh.enable = true; - - # services.gnome.gnome-remote-desktop.enable = true; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - networking.firewall.allowedUDPPorts = [ 41641 ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? 
+ system.stateVersion = "22.05"; # Use mirror for binary cache nix.settings.substituters = [ "https://mirrors.ustc.edu.cn/nix-channels/store" - # "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" + "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; # MTP support services.gvfs.enable = true; - # Enable Tailscale - services.tailscale.enable = true; - services.tailscale.useRoutingFeatures = "both"; - - # Setup Nvidia driver - services.xserver.videoDrivers = [ "nvidia" ]; - hardware.opengl = { - enable = true; - # driSupport = true; - }; - hardware.nvidia.modesetting.enable = true; - hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.stable; - # hardware.nvidia.open = true; - hardware.nvidia.prime = { - offload.enable = true; - offload.enableOffloadCmd = true; - nvidiaBusId = "PCI:1:0:0"; - amdgpuBusId = "PCI:4:0:0"; - }; - # Fonts fonts = { fonts = with pkgs; [ + (nerdfonts.override { fonts = [ "FiraCode" ]; }) noto-fonts noto-fonts-emoji liberation_ttf - fira-code - fira-code-symbols mplus-outline-fonts.githubRelease dina-font proggyfonts @@ -345,7 +234,7 @@ defaultFonts = { serif = [ "Noto Serif CJK SC" "Ubuntu" ]; sansSerif = [ "Noto Sans CJK SC" "Ubuntu" ]; - monospace = [ "FiraCode" "Ubuntu" ]; + monospace = [ "FiraCode NerdFont Mono" "Ubuntu" ]; }; }; }; diff --git a/machines/laptop/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix similarity index 83% rename from machines/laptop/hardware-configuration.nix rename to machines/calcite/hardware-configuration.nix index 6c5f7e1..4baf3c7 100644 --- a/machines/laptop/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix 
@@ -14,17 +14,24 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/73ff3986-ff55-4e9b-a857-9fc3878ea94f"; + { device = "/dev/disk/by-label/NIXROOT"; fsType = "ext4"; }; fileSystems."/boot/efi" = - { device = "/dev/disk/by-uuid/5A85-9129"; + { device = "/dev/disk/by-label/EFIBOOT"; fsType = "vfat"; }; + fileSystems."/media/data" = + { + device = "/dev/disk/by-label/WINDATA"; + fsType = "ntfs3"; + options = [ "rw" "uid=1000" ]; + }; + swapDevices = - [ { device = "/dev/disk/by-uuid/ccf8e837-d9c6-4e59-a36d-6bbd4836d11a"; } + [ { device = "/dev/disk/by-label/NIXSWAP"; } ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix new file mode 100644 index 0000000..f77ead5 --- /dev/null +++ b/machines/calcite/network.nix @@ -0,0 +1,37 @@ +{ pkgs, ...}: + +{ + # Enable networking + networking = { + nameservers = [ "127.0.0.1" "::1" ]; + networkmanager = { + enable = true; + }; + resolvconf.useLocalResolver = true; + }; + + # Enable Tailscale + services.tailscale.enable = true; + # services.tailscale.useRoutingFeatures = "both"; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + networking.firewall.allowedUDPPorts = [ 41641 ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + programs.steam.remotePlay.openFirewall = true; + + # Add gsconnect, open firewall + programs.kdeconnect = { + enable = true; + package = pkgs.gnomeExtensions.gsconnect; + }; + + programs.wireshark = { + enable = true; + package = pkgs.wireshark-qt; + }; + + # services.gnome.gnome-remote-desktop.enable = true; +} \ No newline at end of file diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml new file mode 100644 index 0000000..ae8271c --- /dev/null +++ b/machines/calcite/secrets.yaml 
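Review bot: The new `fileSystems."/media/data"` entry mounts an NTFS volume with `options = [ "rw" "uid=1000" ]` and no `umask`/`fmask`/`dmask`, so the permission bits shown for every file on it come from the ntfs3 driver's default rather than from this config, which can leave the whole tree world-readable or world-writable (check `ls -ld /media/data` after the first mount). The hard-coded uid is presumably the primary user, but nothing here ties it to a declared account, and a Windows data partition may be absent or in a dirty state at boot, which with the current options turns into a failed boot. Pin the modes and make the mount best-effort: `options = [ "rw" "uid=1000" "gid=100" "umask=077" "nofail" ];`, adjusting gid/umask to however the data is meant to be shared. The rest of the hardware-configuration module starts and ends outside this hunk.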
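Review bot: network.nix now gathers every listening-side exposure of this laptop, but each one is opened unconditionally on all interfaces. `networking.firewall.allowedUDPPorts = [ 41641 ]` hard-codes Tailscale's default port instead of following the service; `services.tailscale.openFirewall = true;` does that where the pinned nixpkgs has the option, otherwise `allowedUDPPorts = [ config.services.tailscale.port ];` (which needs `config` added to the module arguments on the first line). `programs.kdeconnect.enable = true` also opens the 1714–1764 TCP/UDP range by default and `programs.steam.remotePlay.openFirewall = true` opens Steam's remote-play ports, both of which are then reachable from any untrusted Wi-Fi; if they are only wanted at home, put them under `networking.firewall.interfaces.<iface>` rather than the global allow list. `programs.wireshark` with `wireshark-qt` installs a setcap `dumpcap` wrapper usable by the `wireshark` group, so membership of that group (not visible here) should be limited to the one user who needs it. Finally `nameservers = [ "127.0.0.1" "::1" ]` with `resolvconf.useLocalResolver = true` assumes something listens on loopback; the dnscrypt import was left commented out in configuration.nix, so a one-line comment naming the resolver that is actually expected (presumably the clash module, which is an encrypted blob in this repo) would stop the next reader from guessing.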
@@ -0,0 +1,30 @@ +clash_subscription_link: ENC[AES256_GCM,data:HKHMCu6FAhXroM+j33coUhJybw2P0k4c+2NyVoLkHRtxyWc2qDmwLfyaYfU9hkBdE60eZ6t5ewNFnMFe78DatVTcwPXGznY=,iv:0yP9LG8lUdjKiize6z5LjY3NsGmKST4H2aMvOZoUXyo=,tag:vcBk7seKuaSpEw8PXmM05A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRXoxNVJzZERQTFdDNWlL + N2s2ajdCVzFFZWlSY1dndWhCL0RuMnk3aVdJCjJaQUJ2a1VPanArN2YxMy9vSEYv + blBISEZQL3UvNnRFN0ozZ3hzbEcvaDQKLS0tIEYydmF2bHBwQWdTSFFQQ29ROGxi + OFo3K3N6VWsyRnphblVsM2pHZnljUncKWLyzuKl+8WXtvlPtsaYG4PyGYNmPFdG5 + gxlMsQvaUrGReCs9M3EeS0KKvl9INzOP33KCiwrIAfq1PygP1xF1QQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZHpMa0NiYzJSa0Jyd3dD + WUFzenY3dEYzRjBxbVk4NWFGUnp0N0oySjE4CllEMlRXSmR6cWR0QlMrOWJGdEhO + ZzkwaFRRMVdjcVhLaEpMcFhxMTVxcTQKLS0tIEY3eER1d3B0NGtsdk9RaENscTBk + eHg2UVZRRkdVWm5PdW1MSzhVTGlpc3cKnZj4fil9mysiJJcDK4SLo+I0TcUtgww1 + 67W3wpd2y+ofIEP/qBSTVU4PYJ+ZsYDr1hy+6qJ7r4rgQ9wzLiWBog== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-22T15:22:58Z" + mac: ENC[AES256_GCM,data:3LtivTLt04ADulz9XkMxcpgAY6it+hWFuXZVI9AOuFVQCgGE41fpH0RUKgJ4kIpr5kvbe4wVLQ6OTFqBcAkPnBBPCCg/Npzo7sWbGOiBEyK3aEk2uGsmZHqpDexHS5VJvSY0iePD+Qb/LNxjBo4KLWGNj+frKnpGALV0Qn6yzIE=,iv:alylpWLPhIIL4piaVFpjHbXJY4nz0pcUIFN5TvVcj74=,tag:HaSjcpwRMZ06UjXoDwEmyg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/machines/clash.nix b/machines/clash.nix index db254ceecf516f815c098221acb4e1bbb65e490a..5001a80f03aefb2cf68b09955b3297ed3a9970e1 100644 GIT binary patch literal 1371 zcmZQ@_Y83kiVO&0aQOJlb;o*E@6&rHgzR8Rsg?FhQhqy`S5ntJQi5@Ya)jD8$+>pf zo5b#MT-wgE?AiwT1@#iO=WeOyX!uB4FB7}fpD}y?wfWUgI!`F9xFXo^P#=~re@Nm7 zi{9-+mF+XuZR6=*n8WH5C}Fttv0ulwxw3Ee>avLbS>U~J>AVITn;o+2zxmhkUCG%! zmuvny|C<~3%#3>Zuuk@ZP9O0=kZ9!9_Q`R25^DHnUbs^i6 zhcnr-o4E@kPNke>`k8F4V8M0L!tbN;?2o5zyqG(CciA_-zehh>lywFv#ZFY4T`eLM z;+NlOQQ+VoqFQz>S8Q%v^Gt`r&b1a3GffqIUG1M9WP72r^Xb{T9TIJBz3F$EW;BUy z<@25M>7mi?{g304-!LA#qxWcz+WLmL?U6fEk8{Wy*)0CZcai(O$dxD_|LIv;vl6HH zE?6#-SZwv?xR>8;m;0Hyhc)h2x0F=A;&doqy8oj8-`h9RH#Y_F@n{Ns`sjan!KVFg zMQLK3ZB}j&#dS$%OUs0zn13t5)pyz@(zv>wnl4qP1oB0gd^Eb&S{k;r}P2mw|SA< z!j|pp|9$)6UBg||Z?Im!Z?)vz`e6O5T4}3<@2Gsyb*S;&_wJ>!sZzL7&8+`os?q`+ z_a?`AXf&kUQ_y0a{P?CtzVw}hgTF3boqp3rWzU?>j45H)HOyEJep#2fm;F`ja_i$Z zE)Hu?DePp)nDpt_*7*T?l-RDcdVlQN z#ozOCW*f{mYdU9LwXEQC(oU}0O&oC;q2u&Ot1dsFBYU&eTzEm}u@Wc$>Vn5jR@ zT6~uweWt&4@Qr?^T{|OJTbM83FY`(~$MW*`Z|4HN4Ypkf+ID5r zVP03>lx>Xmlf^%|wm;l=<(kpYx`pSjm4vg;RxmDa=6$B=t?7{b;_&vLOp)8p|DIT` z?-73F+RC~^ZZ&sU8ZKU7t`0TY9PXNDB7FX~WBC4E1r6~l($wo#u9z>HC2Ga}bxw|1 zuEGli@!&qISFZJ~D@_z1#m=oQemM8&Rh>I&%fxtFFZBG}b#ZZkj*7eShs9lQSPU<> zteVsw;%}R|`}XSo#1(QI6vX>{WBL|5@=HJXwtxMHEh*2tA1=L_W+GZIEs^0K*Ae>u zibxxTI_ZytZ!bb z(o$Vh=;3*M)55+!#XD9S76;we^fIlzef(p{MRrd$`JYUyZk+77>1(I&>BN5c)ykKe twv#7p@CeL%x<9vFCz4%SeaFP`ZsW3tlBxmbGmjbElhr(&`sv7&?En&wlO6y7 literal 1276 zcmZQ@_Y83kiVO&0VEmlH{7+1Oy~(fU>gw9vKX?CT3fIk8`{=;=h+4fZdD?G-zJFYq z`d!ZMZI!&wmTu$4(@i>#zvFFewD{N*<^KHt99PYKM!hd=0_54>79J4^y7w|&_vu{Y zIEF{HiCmh;yCWw|`7o#brRewDTby&Yf>cZwe!P#5t-VbeSyLCaz zs*f*MN$RO^$}PG4C4u$aOX-x&yx&6G&&oD;A9!0m``Nj0$om)*9zy>T$z`t=dhT;8*@ zYB)*-D-3$~>u;4kGWB9bo6h!|rpF9_F zY}v`mr+e-`*>u`s>(S_s_rpb6)T0-lQIao@dcxwR7A80U^T$*Dv2))9)I5+p(COo) z+nc=i0B54zk#+x#RsS|Pt>q1@ah_Y+IdOLSo3j>AUly!&>el2mepvro?nb#Rheg}J zPrLJPi(fE3Y@oMtkIS3($<6n^lm%Qe`rqZdMb6{ugLhr6hL^MV%@8{nQ0liX^L}j5 
zgtUqKb?&+uncZIfrX=v_nxpBP6d3#Y7Nsq7-M&kA`>t0y8#R|bT)tti-I3I7r`Io? z?X+>;!c>l&`5r8PsEU8xHxcEy!;OzDr{QA?}YV1o^ zoIE=JsP@KwJ6*Mp3Ojlnp4FJ_s{11*AhhF1qot>G@d-1f{{{^<7gM!fsYraE6kRHo z=yj*#Px-CeZQ5El(=@iTzp1u-n>yoH-@aRoitbzOw>Y`KK0e2+_hqtaDD zBJUQmf4)91u$%Ab?tHNy|9d*JWxl=oe>BOy_lUjr>A=Z5>`)c1oBCZn zv))daBL8CJ72$tfm-t?`=1qTLv&M_z_pz+v121LX%Q#1W%ztOmcu#7Ivh@F#Z?r3A zIp&<6|M~j=D>b*eGY!Rl9eR2<`m{~Po$3o3BD=CWxmQ$vHP*X$%Qj<0+NH>crxIM= za$mVBz0;;A?Rx~X;i)Hkmij(ktE?s?Sl0FFwMwvUQ|*TB52o(&$-1zM;Z(HcldbDh zUwwZp*puo$VQ!nNd}z&bmg%mV52k9q(hg>_m42?@aEAHA^xAI84~#tjpEX*|002CI Bf1UsU diff --git a/machines/laptop/secret.nix b/machines/laptop/secret.nix deleted file mode 100644 index 06f9d0675663640b2101b1065da53a2b2c8db0b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 598 zcmZQ@_Y83kiVO&0u$__g`gZ=yU;CPtoDy4IzUcp%E&p$*b!^lTzqInnI`-P4gZg}H zG$l&+-?;iXsAU<`i?)TL{W)Iutgk*iuh73cZf5A8^|6n`ME^!e|JnWQVeax?mcHL5 za~V~6-R0gtX+M@!pMCURBe%yDzI{@sy4JWW%=h~BrNHQ@wRyyn{n0&2iCa&a3VqV! z*fT?`?S!BvdyVo={`B{5*{SZ>vRr1VO5F#cOCJhkdS<+@S6ja`ckS-gx%;fW zGuQD8Idjx5U(N7)iJV&RJA+H-7A#$~Kp}pw=xi-7bs#?R2?z=$Fra(XthqHifF^F3&!pGimw1)IS~%wuY|QT(!ON`@eNxw58V1 znN~c%zVo-r|Aeg`!ghXzcQf363AP>Wx82Kcm-$si&d!Rzfj@^YGx)^M-`h<5_0wOn z92L3uWnXH_Z_Z84Wq_y0;C?cq5MNoN@PCIG_TRkxTEF)gRmmO-lY9AUN!%GN*5wAmKShisa|}N6 M=KVjuXS;C$0FNUjrT_o{ diff --git a/machines/laptop/secrets.yaml b/machines/laptop/secrets.yaml deleted file mode 100644 index 26181d2..0000000 --- a/machines/laptop/secrets.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -gmail: ENC[AES256_GCM,data:CajGtLth9OWLc4OHvRB2WIf9h8Fz4A==,iv:8VpGHDn06sDsTwsIVSHf9teRLNWx3hmQJ7Qml5ovjoo=,tag:dVIgRQ9LjSWSe/6QdCVUyA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1n359y6qkgzypu0lkcy66pfpneskul35xyhrzz3qumjsmeyp2wsuqq0df49 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNmR1LzJkZUxHcnRsV0Nj - RVRJZ3lZWmhzWFkyM3M5ZHZyZGo5OG0xZmpJCkVEd0VmNVNDejlDY0pYcmNHMjB0 - a1d0UDVQRFFCUUxFMXh2UlBGc0RRZk0KLS0tIFpJRVIvM1Q3NG02ZEk2MEdsYmkz - YU9zMzJCcDVtRGdOWXNSMGpCcUNneDgKUDVNx2OjyOSRzMqhmFkBx3do4VrNO/fw - tFk4EzayyNoRAd5Ch/XfAccGwLceNhvMPZYxcB0hZljZM5u3g3JPtQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age179ldmg92wqsspgujc70hujfgttw0ljxkh7g86w8rqzywx0f7psysrk0cfn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVFg0OEFSMHJYTjZxNUM0 - ZmY0NUU0c3pNK1d4ak0wcmYrRTN1TEcyakZRCnBLNzNxNm5YWk9kNzZqL0dHMkhG - UXA1bDY4QVg2K3d6eVBpWG1ybHN2VDAKLS0tIFJpSTk4cFZKeTVkd09sN3NmQzc1 - eXNvMElBbnkxaEVJZ1hRZnZDUmp0WE0KmjdpdtWkxNgwcm3GuGAhO2p8rH/UyGSW - iJMXAD/FIbbB9e50oSVixg5PFZuqL6ryxFDrj8UgUZozBVXFrlZfBw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-16T05:37:57Z" - mac: ENC[AES256_GCM,data:XX17bbc+hGPcsfg7t3S93X22fpydT0N+P8DTpLB4SkVi9anRbNTrldJkIxKNuN3LXKZmdON/BO6x4TMe+wh45yAW1Ds8OD6VTr6IdXYIvvYC5IKt27qd30Cqbed0Q4LSq9mZ97YiRCyxVsNSf+n4rJV+Ufc24LS35Kb3qR5Pia8=,iv:T5BPf9fCLroreDqHGBrWyI1fFYNTWtYx557AnMReQnU=,tag:8qC/yN/erx4mDDO949oppA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/machines/secrets.yaml b/machines/secrets.yaml new file mode 100644 index 0000000..ae8271c --- /dev/null +++ b/machines/secrets.yaml 
@@ -0,0 +1,30 @@ +clash_subscription_link: ENC[AES256_GCM,data:HKHMCu6FAhXroM+j33coUhJybw2P0k4c+2NyVoLkHRtxyWc2qDmwLfyaYfU9hkBdE60eZ6t5ewNFnMFe78DatVTcwPXGznY=,iv:0yP9LG8lUdjKiize6z5LjY3NsGmKST4H2aMvOZoUXyo=,tag:vcBk7seKuaSpEw8PXmM05A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRXoxNVJzZERQTFdDNWlL + N2s2ajdCVzFFZWlSY1dndWhCL0RuMnk3aVdJCjJaQUJ2a1VPanArN2YxMy9vSEYv + blBISEZQL3UvNnRFN0ozZ3hzbEcvaDQKLS0tIEYydmF2bHBwQWdTSFFQQ29ROGxi + OFo3K3N6VWsyRnphblVsM2pHZnljUncKWLyzuKl+8WXtvlPtsaYG4PyGYNmPFdG5 + gxlMsQvaUrGReCs9M3EeS0KKvl9INzOP33KCiwrIAfq1PygP1xF1QQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZHpMa0NiYzJSa0Jyd3dD + WUFzenY3dEYzRjBxbVk4NWFGUnp0N0oySjE4CllEMlRXSmR6cWR0QlMrOWJGdEhO + ZzkwaFRRMVdjcVhLaEpMcFhxMTVxcTQKLS0tIEY3eER1d3B0NGtsdk9RaENscTBk + eHg2UVZRRkdVWm5PdW1MSzhVTGlpc3cKnZj4fil9mysiJJcDK4SLo+I0TcUtgww1 + 67W3wpd2y+ofIEP/qBSTVU4PYJ+ZsYDr1hy+6qJ7r4rgQ9wzLiWBog== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-22T15:22:58Z" + mac: ENC[AES256_GCM,data:3LtivTLt04ADulz9XkMxcpgAY6it+hWFuXZVI9AOuFVQCgGE41fpH0RUKgJ4kIpr5kvbe4wVLQ6OTFqBcAkPnBBPCCg/Npzo7sWbGOiBEyK3aEk2uGsmZHqpDexHS5VJvSY0iePD+Qb/LNxjBo4KLWGNj+frKnpGALV0Qn6yzIE=,iv:alylpWLPhIIL4piaVFpjHbXJY4nz0pcUIFN5TvVcj74=,tag:HaSjcpwRMZ06UjXoDwEmyg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/machines/sops.nix b/machines/sops.nix index 7a73a41..5c6a079 100644 --- a/machines/sops.nix +++ b/machines/sops.nix 
@@ -1,2 +1,9 @@ +{ ... }: { + sops = { + defaultSopsFile = ./secrets.yaml; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + # age.keyFile = "/var/lib/sops-nix/keys.txt"; + # age.generateKey = true; + }; } \ No newline at end of file From 41ce883dd8a82cb0e5c8460f5137c1c21ac6dcca Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 23 Apr 2023 01:43:13 +0800 Subject: [PATCH 011/136] remove .git-crypt --- .gitattributes | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes deleted file mode 100644 index 3be7bb1..0000000 --- a/.gitattributes +++ /dev/null @@ -1,2 +0,0 @@ -machines/calcite/secret.nix filter=git-crypt diff=git-crypt -machines/clash.nix filter=git-crypt diff=git-crypt From ec6476d4706a5897917b7d107e8d3d9e21af61a3 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 23 Apr 2023 11:06:57 +0800 Subject: [PATCH 012/136] rpi4: rename to raspite, add password --- .sops.yaml | 14 ++++++-- flake.nix | 9 ++--- home/xin/common/default.nix | 3 +- home/xin/raspite/default.nix | 28 ++++++++++++++++ machines/{rpi4 => raspite}/configuration.nix | 33 ++++++++++++++---- machines/raspite/secrets.yaml | 30 +++++++++++++++++ machines/secrets.yaml | 35 ++++++++++++-------- 7 files changed, 125 insertions(+), 27 deletions(-) create mode 100644 home/xin/raspite/default.nix rename machines/{rpi4 => raspite}/configuration.nix (56%) create mode 100644 machines/raspite/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index f3ae717..f928eee 100644 --- a/.sops.yaml +++ b/.sops.yaml 
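Review bot: With `age.keyFile` and `age.generateKey` commented out, `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` becomes the only identity sops-nix can use, which is a sound choice (the key never leaves the host and needs no extra bootstrap) but it also makes each host's SSH key the decryption key for everything in `machines/secrets.yaml`, so a regenerated host key or a reinstall breaks activation until the new `ssh-to-age` recipient is added to `.sops.yaml` and the files are re-keyed with `sops updatekeys`. That dependency deserves a comment on the line: `# Host age identity is derived from the SSH host key (ssh-to-age); re-key .sops.yaml if this key is ever regenerated`. It also matters for the SD image built from `images.raspite` in the flake.nix hunk below: that image presumably generates its host key on first boot, so the first activation cannot decrypt these secrets until the resulting key is enrolled — worth a note here or in the flake so the failure is expected rather than surprising. The file is complete within this hunk.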
@@ -1,17 +1,27 @@ keys: - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - - &host-laptop age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa + - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa + - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: - age: - *xin - - *host-laptop + - *host-calcite + - path_regex: machines/raspite/secrets.yaml + key_groups: + - age: + - *xin + - *host-raspite - path_regex: machines/secrets.yaml key_groups: - age: - *xin + - *host-calcite + - *host-raspite - path_regex: home/xin/secrets.yaml key_groups: - age: - *xin + - *host-raspite + - *host-calcite diff --git a/flake.nix b/flake.nix index 788ebd0..6097107 100644 --- a/flake.nix +++ b/flake.nix @@ -61,20 +61,21 @@ ]; }; - nixosConfigurations.rpi4 = mkNixos { + nixosConfigurations.raspite = mkNixos { system = "aarch64-linux"; modules = [ nixos-hardware.nixosModules.raspberry-pi-4 - machines/rpi4/configuration.nix + machines/raspite/configuration.nix + (mkHome "xin" "raspite") ]; }; - images.rpi4 = (nixpkgs.lib.nixosSystem { + images.raspite = (mkNixos { system = "aarch64-linux"; modules = [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - machines/rpi4/configuration.nix nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix { nixpkgs.config.allowUnsupportedSystem = true; nixpkgs.hostPlatform.system = "aarch64-linux"; diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 73ba97a..391bf9c 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -8,7 +8,8 @@ dig du-dust # du + rust zoxide # autojumper - man-pages + file + # man-pages tree wget tmux diff --git a/home/xin/raspite/default.nix b/home/xin/raspite/default.nix new file mode 100644 index 0000000..d09be89 --- /dev/null +++ b/home/xin/raspite/default.nix 
@@ -0,0 +1,28 @@ + +{ config, pkgs, ... }: +{ + imports = [ + ../common + ]; + + home.username = "xin"; + home.homeDirectory = "/home/xin"; + home.stateVersion = "23.05"; + + # Let Home Manager install and manage itself. + programs.home-manager.enable = true; + + accounts.email.accounts.gmail = { + primary = true; + address = "lixinyang411@gmail.com"; + flavor = "gmail.com"; + }; + + accounts.email.accounts.whu = { + address = "lixinyang411@whu.edu.cn"; + }; + + accounts.email.accounts.foxmail = { + address = "lixinyang411@foxmail.com"; + }; +} diff --git a/machines/rpi4/configuration.nix b/machines/raspite/configuration.nix similarity index 56% rename from machines/rpi4/configuration.nix rename to machines/raspite/configuration.nix index 230bca5..4e3c149 100644 --- a/machines/rpi4/configuration.nix +++ b/machines/raspite/configuration.nix @@ -1,9 +1,6 @@ { config, libs, pkgs, ... }: { - environment.systemPackages = with pkgs; [ - vim - ]; nixpkgs.overlays = [ # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 (final: super: { @@ -12,12 +9,33 @@ }) ]; - imports = [ ]; + imports = [ + ../clash.nix + ../sops.nix + ]; + + environment.systemPackages = with pkgs; [ + git + clash + ]; + + # Use mirror for binary cache + nix.settings.substituters = [ + "https://mirrors.ustc.edu.cn/nix-channels/store" + "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" + ]; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + sops = { + secrets.password = { + sopsFile = ./secrets.yaml; + }; + }; system.stateVersion = "22.11"; networking = { - hostName = "pi-wh"; + hostName = "raspite"; useDHCP = false; interfaces.eth0.useDHCP = true; }; 
@@ -28,11 +46,12 @@ systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; - users.users.pi = { + users.users.xin = { isNormalUser = true; - home = "/home/pi"; extraGroups = [ "wheel" "networkmanager" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd xin@nixos" ]; + # passwordFile = config.sops.secrets.password.path; + hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4"; }; } \ No newline at end of file diff --git a/machines/raspite/secrets.yaml b/machines/raspite/secrets.yaml new file mode 100644 index 0000000..fcb790e --- /dev/null +++ b/machines/raspite/secrets.yaml 
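Review bot: `hashedPassword = "$y$j9T$..."` commits the user's password hash to the repository in clear even though this same commit adds an encrypted `password` entry to `machines/raspite/secrets.yaml` and declares it as `sops.secrets.password` — the `passwordFile` line that would consume it is left commented out. A yescrypt hash in git history is an offline-cracking target for anyone who can read the repo and cannot be withdrawn by a later commit, so treat this password as disclosed: change it, store the new hash (not the plaintext, e.g. from `mkpasswd -m yescrypt`) in the sops file, and use `passwordFile = config.sops.secrets.password.path;` together with `sops.secrets.password.neededForUsers = true;` in the `sops` block of the previous hunk, since sops-nix must decrypt before users are created (confirm the option name against the pinned sops-nix). Because sshd is force-enabled in the context above and the user is in `wheel`, also confirm that SSH password authentication is disabled (`services.openssh.settings.PasswordAuthentication = false;`, or the older `services.openssh.passwordAuthentication`) so the key in `openssh.authorizedKeys.keys` stays the only remote credential; the openssh block is not visible in this hunk. The `users.users.xin` set is complete here, but the enclosing module set starts outside the hunk.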
@@ -0,0 +1,30 @@ +password: ENC[AES256_GCM,data:QHPNTvjNjrcUaV7aVvnFQFF+1bA+g1Y2emYIabBgHQ7Dmg7SuOwVpBsZCvsh+BgrWLykK3Gcf+huTMzixjaqXbGHrpqx9Eq9wi1O1alVG8bJ/UvWr7H3qBCuye85KUopBxXLF93skT7H1Q==,iv:Iq/s+AuMJN/Z/Pbc5UsZQA6gvnPXxihKJzWYl+N6Gmc=,tag:6UvNTQlLrl1ay3BI6vPqTw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieXZQcFZ6R0ZBQUdTMWtL + QXM2djdBNThrNnpuT1lpNDU1R3NIM2FRNnhZCkZqbUtrWldFMS9oOTE3T2ZCTklm + emxsL21pQThiMDJIUXA1Y0RKSVBRWFUKLS0tIE1qK0dySHZHUVZ1aDZoZ1lEZHoy + dnBLOWV4NjBrZzM5VkhRZFFrNFByVFkKK7j/rDiD7WbCU/Z1+FRuxjOitS6Y9cc1 + L2oW35AJluG27tdwe39nBORzeLwDrcFy5TpUSV9hMEBbeDBlhLNSiA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPb0RxTHFhZjZ5bEtpblo1 + VHJkeDFpNjhoc294eWs5TmxxcEMwOTQ4SmxVCmp1dnFXSlNiUzdtWm9WSmlMa3BR + RDFmWVdxcXJzRmdzbzVOMkUvNDd4Y1UKLS0tIDVkNHBrYWFmNWtkNllidUlPdFJ1 + djhXQ2RzM0JEdnRvUkxVNm9MdFNJUHMKmacD8MIV7r92c5KbJtg7CbnI09QMclQl + 5rIF5vcgaRRpS6zXq22OgxSjsjIHg7jDOkUJdueGNHzc4f9F91+0yQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-23T03:02:43Z" + mac: ENC[AES256_GCM,data:7k+Eoua6DviF6XN5QiVOXE4LHr0gggvvYY9EMBU4J6RsA9hzi0L3DjdofppAvG2928mCd/SYiZC3vGU8UFohXbZuxFLq9YJGkE1P+VxvlggkMKoJkIbE2d2t78zm2gt4nd60tDyJgYINqbbgfs2qOdnm8Y/WShRkmNs/ggf5Azo=,iv:cXoP6GYOzhfXov/l9rSg/2GIGI4aeJonAXCQ6k6YuaQ=,tag:Tv/JYpj6DfhddSzSkh8zcQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/machines/secrets.yaml b/machines/secrets.yaml index ae8271c..95ec167 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
@@ -1,4 +1,4 @@
-clash_subscription_link: ENC[AES256_GCM,data:HKHMCu6FAhXroM+j33coUhJybw2P0k4c+2NyVoLkHRtxyWc2qDmwLfyaYfU9hkBdE60eZ6t5ewNFnMFe78DatVTcwPXGznY=,iv:0yP9LG8lUdjKiize6z5LjY3NsGmKST4H2aMvOZoUXyo=,tag:vcBk7seKuaSpEw8PXmM05A==,type:str]
+clash_subscription_link: ENC[AES256_GCM,data:QwszQooTzHboIgIsbxcL1ZrVgOn91pKC8mMUSY7R0FB426ERiVPNyGWBy5ar4m0yk/XwcFLdFRmiWOrQG9mWsx9J6/tH7K8=,iv:zeDuLmDRUiCtKfUlpl1KJl62DP4DnQ2c6gOjpiHw+4c=,tag:w5AQIUC1p3nrwepdxH7Kkw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -8,23 +8,32 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRXoxNVJzZERQTFdDNWlL - N2s2ajdCVzFFZWlSY1dndWhCL0RuMnk3aVdJCjJaQUJ2a1VPanArN2YxMy9vSEYv - blBISEZQL3UvNnRFN0ozZ3hzbEcvaDQKLS0tIEYydmF2bHBwQWdTSFFQQ29ROGxi - OFo3K3N6VWsyRnphblVsM2pHZnljUncKWLyzuKl+8WXtvlPtsaYG4PyGYNmPFdG5 - gxlMsQvaUrGReCs9M3EeS0KKvl9INzOP33KCiwrIAfq1PygP1xF1QQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYjBKUUNCTlpoYXJqMkVL + U0xoNDNXVUpGaEdTVFVVL05MYng4N3l5dlhRCjZXMmplRGY1UWdlUTB4NHBFNHVO + QThQTkhwVlc2NE1HWUc5RlRyS2lURE0KLS0tIDZPOW1EMis2TjFjaS9sUHEvenRJ + cmZYOEVHTE1ybDBXMDFZRnJQaWRjeU0KVAiaO0xMhDQTh26e4lTRigkG2P6KfXov + c2DItjmdWmdfN/QOKl6JzObtHBxSWxXGZwbnWmDkGq69t20TDus2Xw== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZHpMa0NiYzJSa0Jyd3dD - WUFzenY3dEYzRjBxbVk4NWFGUnp0N0oySjE4CllEMlRXSmR6cWR0QlMrOWJGdEhO - ZzkwaFRRMVdjcVhLaEpMcFhxMTVxcTQKLS0tIEY3eER1d3B0NGtsdk9RaENscTBk - eHg2UVZRRkdVWm5PdW1MSzhVTGlpc3cKnZj4fil9mysiJJcDK4SLo+I0TcUtgww1 - 67W3wpd2y+ofIEP/qBSTVU4PYJ+ZsYDr1hy+6qJ7r4rgQ9wzLiWBog== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWWx3TGJTWEtLd0ROVXZQ + OUcycUlCUmhJT3JybldLYytJNlhld3lSVENJCmd0YUVBbWN3MU8yQ2FFMTRSWXln + S0x4c0pGemVDdVV6N3hCM3BsWGxBYzQKLS0tIDdyNFBtK2RQTFNXdlRDaVZBNjZ6 + TVo3cmh0eFlDU1d2RnVZVUI1NXcrbnMKU+tJhePvEk/awxtoZA8NWTxUr5buXSRu + CyIZXG3THbrIWAzBRlgtKqmlvdOseIASSO9OgOUPb8/EKSD5eUTH3g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-22T15:22:58Z" - mac: ENC[AES256_GCM,data:3LtivTLt04ADulz9XkMxcpgAY6it+hWFuXZVI9AOuFVQCgGE41fpH0RUKgJ4kIpr5kvbe4wVLQ6OTFqBcAkPnBBPCCg/Npzo7sWbGOiBEyK3aEk2uGsmZHqpDexHS5VJvSY0iePD+Qb/LNxjBo4KLWGNj+frKnpGALV0Qn6yzIE=,iv:alylpWLPhIIL4piaVFpjHbXJY4nz0pcUIFN5TvVcj74=,tag:HaSjcpwRMZ06UjXoDwEmyg==,type:str] + - recipient: 
age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidXFsbFBPc3hhMzFMSk9v + NVdKWDE5MWoyMnUyVWdwOXhsK3dpQ1o2bGlBClZHVTZzc2lxblYrUUUvRFRmQ2Mv + S1I4YzJYd1JCcUx5b0E2MTlwYWlwRDAKLS0tIGphM2NaSXBwdlZSR3kwSUkzcXkv + dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou + DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-23T03:03:14Z" + mac: ENC[AES256_GCM,data:LxnM5wRjyV0VxOWm0/XDF6iVoe2PoJ/Ps8iW6mNI4JDDy8EK7pRElcU0W+IuOq09eUCBJ4KzIssbUTqumUtQHXIOhkCx0qrsf4XWsLnKNqteMwkDuWhQAiUgzGa4T0zD7B1chnos9J85rHGrGLZ9aGzC04hwUrADcw0HbxQIBm4=,iv:U2sYlCl8cppaJT8ldJhVoHj2NbTCanJyPblsO11/hBs=,tag:h8cE/+uNDz5CXoX29RKCgQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 From c78890f6ead056108b31cfd9c4908b670851f8a0 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 27 May 2023 09:39:16 +0800 Subject: [PATCH 013/136] Bump version --- flake.lock | 92 +++++++++++++++++------------ flake.nix | 2 +- home/xin/calcite/default.nix | 8 +-- home/xin/common/default.nix | 6 +- home/xin/common/vim.nix | 27 +++++++++ home/xin/vscode.nix | 11 +++- machines/calcite/configuration.nix | 21 +++++-- machines/calcite/network.nix | 33 +++++++++-- machines/clash.nix | Bin 1371 -> 1472 bytes machines/netdrives.nix | 22 +++++++ machines/raspite/configuration.nix | 5 ++ machines/secrets.yaml | 6 +- 12 files changed, 175 insertions(+), 58 deletions(-) create mode 100644 home/xin/common/vim.nix create mode 100644 machines/netdrives.nix diff --git a/flake.lock b/flake.lock index b94fa32..7cb9f86 100644 --- a/flake.lock +++ b/flake.lock 
@@ -17,12 +17,15 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", "type": "github" }, "original": { @@ -53,11 +56,11 @@ ] }, "locked": { - "lastModified": 1682072616, - "narHash": "sha256-sR5RL3LACGuq5oePcAoJ/e1S3vitKQQSNACMYmqIE1E=", + "lastModified": 1685108129, + "narHash": "sha256-6Jv6LxrLfaueHj095oBUKBk++eW4Ya0qfHwhQVQqyoo=", "owner": "nix-community", "repo": "home-manager", - "rev": "47d6c3f65234230d37f1cf7d3d6b5575ec80fe0c", + "rev": "bec196cd9b5f34213c7dc90ef2a524336df70e30", "type": "github" }, "original": { @@ -73,11 +76,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1682125871, - "narHash": "sha256-b5z2R7qRe5lIn7UYFrVokFy9r3RoyrrYKqgJH/r9B34=", + "lastModified": 1685150126, + "narHash": "sha256-Pzliu5Q0Ck95vtuIAGw+rjuvEpnZOdQ6hnEoEOwhEE4=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "abda642f7216d43b1c61cc864eb571df78d96464", + "rev": "10ce968c6896fb0866d4c80c7e4c684f849d56d2", "type": "github" }, "original": { @@ -94,11 +97,11 @@ ] }, "locked": { - "lastModified": 1682040433, - "narHash": "sha256-5RxsRpH7pidvRu9Fcejt5Akl+aMnduSlaIrureT0Qz8=", + "lastModified": 1682818384, + "narHash": "sha256-l8jh9BQj6nfjPDYGyrZkZwX1GaOqBX+pBHU+7fFZU3w=", "owner": "nixos-cn", "repo": "flakes", - "rev": "1f8ff8330186b40b61d7f16d7d78d656b9e06399", + "rev": "2d475ec68cca251ef6c6c69a9224db5c264c5e5b", "type": "github" }, "original": { 
@@ -109,11 +112,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1680876084, - "narHash": "sha256-eP9yxP0wc7XuVaODugh+ajgbFGaile2O1ihxiLxOuvU=", + "lastModified": 1684899633, + "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "3006d2860a6ed5e01b0c3e7ffb730e9b293116e2", + "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", "type": "github" }, "original": { @@ -125,11 +128,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1675763311, - "narHash": "sha256-bz0Q2H3mxsF1CUfk26Sl9Uzi8/HFjGFD/moZHz1HebU=", + "lastModified": 1684570954, + "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fab09085df1b60d6a0870c8a89ce26d5a4a708c2", + "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3", "type": "github" }, "original": { @@ -141,27 +144,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1681932375, - "narHash": "sha256-tSXbYmpnKSSWpzOrs27ie8X3I0yqKA6AuCzCYNtwbCU=", + "lastModified": 1685004253, + "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3d302c67ab8647327dba84fbdb443cdbf0e82744", + "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.11", + "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1681613598, - "narHash": "sha256-Ogkoma0ytYcDoMR2N7CZFABPo+i0NNo26dPngru9tPc=", + "lastModified": 1684632198, + "narHash": "sha256-SdxMPd0WmU9MnDBuuy7ouR++GftrThmSGL7PCQj/uVI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1040ce5f652b586da95dfd80d48a745e107b9eac", + "rev": "d0dade110dc7072d67ce27826cfe9ab2ab0cf247", "type": "github" }, "original": { 
@@ -173,11 +176,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1681920287, - "narHash": "sha256-+/d6XQQfhhXVfqfLROJoqj3TuG38CAeoT6jO1g9r1k0=", + "lastModified": 1684935479, + "narHash": "sha256-6QMMsXMr2nhmOPHdti2j3KRHt+bai2zw+LJfdCl97Mk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "645bc49f34fa8eff95479f0345ff57e55b53437e", + "rev": "f91ee3065de91a3531329a674a45ddcb3467a650", "type": "github" }, "original": { @@ -189,11 +192,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1681571934, - "narHash": "sha256-Q3B3HTqhTahhPCT53ahK1FPktOXlEWmudSttd9CWGbE=", + "lastModified": 1684585791, + "narHash": "sha256-lYPboblKrchmbkGMoAcAivomiOscZCjtGxxTSCY51SM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "29176972b4be60f7d3eb3101f696c99f2e6ada57", + "rev": "eea79d584eff53bf7a76aeb63f8845da6d386129", "type": "github" }, "original": { @@ -205,11 +208,11 @@ }, "nur": { "locked": { - "lastModified": 1682066678, - "narHash": "sha256-uMHlSn+i49GW4AwjNQh+gN1Hv3IyaXIwWCicHd/wo4g=", + "lastModified": 1685145797, + "narHash": "sha256-a4mMWQKgjWShf0MkEMoDJPYEJ8eu2T7MA8DxbTMQRUA=", "owner": "nix-community", "repo": "NUR", - "rev": "c2778754ec284fade289ce5c4ac82ffb48b2b97a", + "rev": "cbc0fb5c6412cc84de6a4fb33d6500217082c4c9", "type": "github" }, "original": { @@ -236,11 +239,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1681821695, - "narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=", + "lastModified": 1684637723, + "narHash": "sha256-0vAxL7MVMhGbTkAyvzLvleELHjVsaS43p+PR1h9gzNQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5698b06b0731a2c15ff8c2351644427f8ad33993", + "rev": "4ccdfb573f323a108a44c13bb7730e42baf962a9", "type": "github" }, "original": { 
@@ -248,6 +251,21 @@ "repo": "sops-nix", "type": "github" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 6097107..500585a 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ inputs = { # Pin nixpkgs to a specific commit nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-22.11"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; home-manager = { url = "github:nix-community/home-manager"; diff --git a/home/xin/calcite/default.nix b/home/xin/calcite/default.nix index f2085ac..84af437 100644 --- a/home/xin/calcite/default.nix +++ b/home/xin/calcite/default.nix @@ -27,8 +27,8 @@ address = "lixinyang411@foxmail.com"; }; - i18n.inputMethod = { - enabled = "fcitx5"; - fcitx5.addons = with pkgs; [ fcitx5-rime ]; - }; + home.packages = with pkgs; [ + thunderbird + ]; + } diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 391bf9c..fc8de9d 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -3,13 +3,15 @@ ./fish.nix ./git.nix ./zellij.nix + ./vim.nix ]; home.packages = with pkgs; [ dig du-dust # du + rust zoxide # autojumper file - # man-pages + man-pages + unar tree wget tmux @@ -19,4 +21,4 @@ rclone clash ]; -} \ No newline at end of file +} diff --git a/home/xin/common/vim.nix b/home/xin/common/vim.nix new file mode 100644 index 0000000..c6ae2af --- /dev/null +++ b/home/xin/common/vim.nix 
@@ -0,0 +1,27 @@ +{ pkgs, ... }: { + programs.neovim = { + enable = true; + vimAlias = true; + vimdiffAlias = true; + plugins = with pkgs.vimPlugins; [ + nvim-treesitter.withAllGrammars + dracula-nvim + ]; + extraConfig = '' + set nocompatible + + syntax on + set number + set relativenumber + set shortmess+=I + set laststatus=2 + + set ignorecase + set smartcase + + set mouse+=a + + colorscheme dracula + ''; + }; +} \ No newline at end of file diff --git a/home/xin/vscode.nix b/home/xin/vscode.nix index 2f05702..66f1a15 100644 --- a/home/xin/vscode.nix +++ b/home/xin/vscode.nix @@ -5,7 +5,7 @@ enableUpdateCheck = false; enableExtensionUpdateCheck = false; mutableExtensionsDir = false; - extensions = with inputs.nix-vscode-extensions.extensions.${system}.vscode-marketplace; [ + extensions = (with inputs.nix-vscode-extensions.extensions.${system}.vscode-marketplace; [ arrterian.nix-env-selector bbenoist.nix @@ -28,11 +28,16 @@ jnoortheen.nix-ide # Latex james-yu.latex-workshop + # Vue + vue.volar + + ms-vscode-remote.remote-ssh-edit + ]) ++ (with inputs.nixpkgs.legacyPackages.${system}.vscode-extensions; [ # Rust rust-lang.rust-analyzer - ms-vscode-remote.remote-ssh-edit - ]; + mkhl.direnv + ]); userSettings = { "workbench.colorTheme" = "Default Dark+"; "terminal.integrated.sendKeybindingsToShell" = true; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index b7e615f..5590c30 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -46,12 +46,18 @@ LC_TIME = "en_US.utf8"; }; + i18n.inputMethod = { + enabled = "fcitx5"; + fcitx5.addons = with pkgs; [ fcitx5-rime ]; + }; + # Enable the X11 windowing system. services.xserver.enable = true; # Enable the GNOME Desktop Environment. services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; + services.xserver.windowManager.icewm.enable = true; # Configure keymap in X11 services.xserver = { 
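Review bot: The extension list in the `@@ -28,11 +28,16 @@` hunk now draws from two trust boundaries without saying so: the `inputs.nix-vscode-extensions…vscode-marketplace` set wraps prebuilt VSIX files taken directly from the marketplace with only a hash pin, while the `vscode-extensions` set comes from a reviewed nixpkgs checkout (many of those are still marketplace VSIX, but their versions are pinned in a repository someone reviews). Moving `ms-vscode-remote.remote-ssh-edit` into the marketplace set and adding `vue.volar` there is a deliberate choice worth recording, e.g. `# marketplace set: upstream VSIX pinned by hash only, no nixpkgs review` above the first list and `# nixpkgs set: preferred whenever the extension is packaged there` above the second. Which VSIX versions are actually selected is fixed by the flake.lock bump in this same commit, so future lock updates silently change these binaries.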
@@ -88,6 +94,9 @@ services.xserver.displayManager.autoLogin.enable = true; services.xserver.displayManager.autoLogin.user = "xin"; + # Smart services + services.smartd.enable = true; + # Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229 systemd.services."getty@tty1".enable = false; systemd.services."autovt@tty1".enable = false; @@ -95,6 +104,7 @@ # Allow unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ + "openssl-1.1.1t" # For wechat-uos "electron-19.0.7" ]; @@ -116,10 +126,11 @@ grc - # ==== Development ==== # - # VCS + sops git-crypt + # ==== Development ==== # + jetbrains.jdk # patch jetbrain runtime java jetbrains.clion jetbrains.pycharm-professional @@ -174,9 +185,6 @@ qq config.nur.repos.xddxdd.wechat-uos - # Mail - thunderbird - # Password manager keepassxc @@ -189,10 +197,13 @@ obsidian zotero wpsoffice + onlyoffice-bin config.nur.repos.linyinfeng.wemeet virt-manager + + ghidra ]; programs.steam = { diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index f77ead5..16a1c94 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -3,11 +3,30 @@ { # Enable networking networking = { - nameservers = [ "127.0.0.1" "::1" ]; networkmanager = { enable = true; + dns = "systemd-resolved"; + # dns = "none"; + }; - resolvconf.useLocalResolver = true; + }; + + services.resolved = { + enable = true; + extraConfig = '' + [Resolve] + Domains=~. + DNS=114.114.114.114 1.1.1.1 + DNSOverTLS=opportunistic + ''; + }; + + # Configure network proxy if necessary + networking.proxy = { + allProxy = "socks5://127.0.0.1:7891/"; + httpProxy = "http://127.0.0.1:7890/"; + httpsProxy = "http://127.0.0.1:7890/"; + noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net"; }; # Enable Tailscale 
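Review bot: `"openssl-1.1.1t"` is added to `nixpkgs.config.permittedInsecurePackages` without naming the package that still links against OpenSSL 1.1, and the existing `# For wechat-uos` comment now sits between the two entries, so it is no longer clear which one it explains. Each allow-list entry should carry its own justification, e.g. `"openssl-1.1.1t" # TODO(review): name the dependant that needs OpenSSL 1.1 and the condition for removing this`. Because the entry is pinned to an exact version string, any nixpkgs bump that moves the patch level re-surfaces the insecure-package error until the string is edited again, so the dependant, not the version, is what needs tracking.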
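Review bot: `DNSOverTLS=opportunistic` in the new `services.resolved.extraConfig` encrypts only when the upstream happens to answer on the TLS port and does not validate the server's identity, so an on-path attacker can downgrade resolution to plaintext without any error being surfaced. If authenticated transport is the goal, strict mode is `DNSOverTLS=yes` with the server name given for certificate validation, e.g. `DNS=1.1.1.1#cloudflare-dns.com`; 114.114.114.114 would then need a DoT-capable endpoint or has to be dropped. Either way the trade-off deserves a comment, e.g. `# opportunistic: best-effort encryption, silently falls back to plaintext`. The `networking.proxy.*` entries are system-wide environment proxies pointing at loopback ports; presumably they assume the clash service from machines/clash.nix is running, which is worth stating next to them.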
@@ -15,10 +34,13 @@ # services.tailscale.useRoutingFeatures = "both"; # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; + networking.firewall.allowedTCPPorts = [ ]; networking.firewall.allowedUDPPorts = [ 41641 ]; # Or disable the firewall altogether. # networking.firewall.enable = false; + networking.firewall.trustedInterfaces = [ + "tailscale0" + ]; programs.steam.remotePlay.openFirewall = true; @@ -34,4 +56,7 @@ }; # services.gnome.gnome-remote-desktop.enable = true; -} \ No newline at end of file + # services.xrdp.enable = true; + # services.xrdp.openFirewall = true; + # services.xrdp.defaultWindowManager = icewm; +} 
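Review bot: `networking.firewall.trustedInterfaces = [ "tailscale0" ]` bypasses the host firewall for every packet arriving over the tailnet, so any peer the tailnet admits — including shared or later-compromised nodes — reaches every listening service on this machine, and from this point the Tailscale ACL policy is the only network control for those services. That may be intended for a personal tailnet, but it should be recorded at the line, e.g. `# all tailnet peers bypass the firewall; access is governed only by the tailnet ACL`. If only a few services are meant to be reachable over Tailscale, `networking.firewall.interfaces.tailscale0.allowedTCPPorts` keeps the default-deny and opens just those ports.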
diff --git a/machines/clash.nix b/machines/clash.nix index 5001a80f03aefb2cf68b09955b3297ed3a9970e1..1ba117eddf421e74a4bb04a1b318ff6a01b4f7c4 100644 GIT binary patch literal 1472 zcmb9RRA#+6pB-mi&9I9 z^^$WEi!+w1BvlDy8dzU>VqQsVic_V6twOYd5>!h` zVo`c(iIPGr$WR3Zu&6WGCvbfV3jTSad6^}S$t9U(sllnqAm7Z6hkEwOB7V9ApxTYiVHmgaiCX_SdvkzsbHs|Uy@s(57k+jn46=ZrlycvhAFI{ zk)NBYUy+%ouLn`B4-OE0SWH44mY!EyoSFi0RdH&Hf^MdQda-_LUSd*Cs+B@oVoq@? zoL5p*nyQ~}tx&9=lb^1elUkOVW2KOpmzIyrFHbDW%gjsHPghsKQcyB9FwjH7N+AExH3EwD%gf94(u+$H zOEQ!7lJg+k{QUHsRK4WNKvJ@TtpX_VLTpb=D*=~b(F#g=sU_w4McI02#SUuGlv|oplBru- woLYpg4r(XFA9}78smZ}5iA5zKFF>;wIL|?H7nrG_n}RD_fPD)tlDKNQ0Be8Lp8x;= literal 1371 zcmZQ@_Y83kiVO&0aQOJlb;o*E@6&rHgzR8Rsg?FhQhqy`S5ntJQi5@Ya)jD8$+>pf zo5b#MT-wgE?AiwT1@#iO=WeOyX!uB4FB7}fpD}y?wfWUgI!`F9xFXo^P#=~re@Nm7 zi{9-+mF+XuZR6=*n8WH5C}Fttv0ulwxw3Ee>avLbS>U~J>AVITn;o+2zxmhkUCG%! zmuvny|C<~3%#3>Zuuk@ZP9O0=kZ9!9_Q`R25^DHnUbs^i6 zhcnr-o4E@kPNke>`k8F4V8M0L!tbN;?2o5zyqG(CciA_-zehh>lywFv#ZFY4T`eLM z;+NlOQQ+VoqFQz>S8Q%v^Gt`r&b1a3GffqIUG1M9WP72r^Xb{T9TIJBz3F$EW;BUy z<@25M>7mi?{g304-!LA#qxWcz+WLmL?U6fEk8{Wy*)0CZcai(O$dxD_|LIv;vl6HH zE?6#-SZwv?xR>8;m;0Hyhc)h2x0F=A;&doqy8oj8-`h9RH#Y_F@n{Ns`sjan!KVFg zMQLK3ZB}j&#dS$%OUs0zn13t5)pyz@(zv>wnl4qP1oB0gd^Eb&S{k;r}P2mw|SA< z!j|pp|9$)6UBg||Z?Im!Z?)vz`e6O5T4}3<@2Gsyb*S;&_wJ>!sZzL7&8+`os?q`+ z_a?`AXf&kUQ_y0a{P?CtzVw}hgTF3boqp3rWzU?>j45H)HOyEJep#2fm;F`ja_i$Z zE)Hu?DePp)nDpt_*7*T?l-RDcdVlQN z#ozOCW*f{mYdU9LwXEQC(oU}0O&oC;q2u&Ot1dsFBYU&eTzEm}u@Wc$>Vn5jR@ zT6~uweWt&4@Qr?^T{|OJTbM83FY`(~$MW*`Z|4HN4Ypkf+ID5r zVP03>lx>Xmlf^%|wm;l=<(kpYx`pSjm4vg;RxmDa=6$B=t?7{b;_&vLOp)8p|DIT` z?-73F+RC~^ZZ&sU8ZKU7t`0TY9PXNDB7FX~WBC4E1r6~l($wo#u9z>HC2Ga}bxw|1 zuEGli@!&qISFZJ~D@_z1#m=oQemM8&Rh>I&%fxtFFZBG}b#ZZkj*7eShs9lQSPU<> zteVsw;%}R|`}XSo#1(QI6vX>{WBL|5@=HJXwtxMHEh*2tA1=L_W+GZIEs^0K*Ae>u zibxxTI_ZytZ!bb z(o$Vh=;3*M)55+!#XD9S76;we^fIlzef(p{MRrd$`JYUyZk+77>1(I&>BN5c)ykKe twv#7p@CeL%x<9vFCz4%SeaFP`ZsW3tlBxmbGmjbElhr(&`sv7&?En&wlO6y7 
diff --git a/machines/netdrives.nix b/machines/netdrives.nix new file mode 100644 index 0000000..8092196 --- /dev/null +++ b/machines/netdrives.nix @@ -0,0 +1,22 @@ +{ pkgs, config, ... }: +{ + sops.secrets = { + autofs-nas = { + owner = "davfs2"; + }; + autofs-nas-secret = { + path = "/etc/davfs2/secrets"; + }; + }; + fileSystems."/media/nas" = { + device = "https://home.xinyang.life:5244/dav"; + fsType = "davfs"; + options = [ + "uid=1000" + "gid=1000" + "rw" + "_netdev" + ]; + + }; +} \ No newline at end of file diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 4e3c149..b178e9e 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -40,6 +40,11 @@ interfaces.eth0.useDHCP = true; }; + networking.proxy = { + default = "http://127.0.0.1:7890/"; + noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net"; + }; + services.openssh = { enable = true; }; diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 95ec167..3d9bfee 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -1,4 +1,6 @@ clash_subscription_link: ENC[AES256_GCM,data:QwszQooTzHboIgIsbxcL1ZrVgOn91pKC8mMUSY7R0FB426ERiVPNyGWBy5ar4m0yk/XwcFLdFRmiWOrQG9mWsx9J6/tH7K8=,iv:zeDuLmDRUiCtKfUlpl1KJl62DP4DnQ2c6gOjpiHw+4c=,tag:w5AQIUC1p3nrwepdxH7Kkw==,type:str] +autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str] +autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str] sops: kms: [] gcp_kms: [] 
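Review bot: The `autofs-nas` secret (owner `davfs2`) is declared but nothing in this module references it, while the mount relies only on `/etc/davfs2/secrets`; presumably one of the two is a leftover, and the module's `config` and `pkgs` arguments are unused as well. davfs2 refuses a secrets file that is readable by group or others, so the sops-nix default mode is what currently makes this mount work; pinning it explicitly, `autofs-nas-secret = { path = "/etc/davfs2/secrets"; mode = "0600"; };`, documents the requirement instead of relying on a default. `uid=1000`/`gid=1000` hard-code ownership of the mounted tree; if the `xin` account is given a fixed uid elsewhere in the repo, `config.users.users.xin.uid` would tie the mount to it rather than to a magic number.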
@@ -32,8 +34,8 @@ sops: dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-23T03:03:14Z" - mac: ENC[AES256_GCM,data:LxnM5wRjyV0VxOWm0/XDF6iVoe2PoJ/Ps8iW6mNI4JDDy8EK7pRElcU0W+IuOq09eUCBJ4KzIssbUTqumUtQHXIOhkCx0qrsf4XWsLnKNqteMwkDuWhQAiUgzGa4T0zD7B1chnos9J85rHGrGLZ9aGzC04hwUrADcw0HbxQIBm4=,iv:U2sYlCl8cppaJT8ldJhVoHj2NbTCanJyPblsO11/hBs=,tag:h8cE/+uNDz5CXoX29RKCgQ==,type:str] + lastmodified: "2023-04-25T04:49:58Z" + mac: ENC[AES256_GCM,data:Xig/sBJAEs9D6hsoeTAJ4CL156IrFLipacI7eHfBd79Lsa0IXPfLvVn/tVTIfEixmBA9QKkQ9QYjTFVZNr0BTRqHC/C7izgZbOBn73EE+KXYLQEiZ4RbgRfrFb8gU2/uSWXGZEO6YELuom9BEXWCMp0HTS+MQTKk8Tz20/hVyV4=,iv:Uq74PG7DDanb5WpcXUdylT8LW4ERlEsT8YX0BxZdo8w=,tag:7zKveIEJjh0Yc2fLKsTUjA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 From 77da0446653cfe8e4eef30b04b3e35efd36bbbc3 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 29 May 2023 16:21:24 +0800 Subject: [PATCH 014/136] Update vim config --- home/xin/common/vim.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/home/xin/common/vim.nix b/home/xin/common/vim.nix index c6ae2af..dac31ee 100644 --- a/home/xin/common/vim.nix +++ b/home/xin/common/vim.nix @@ -18,10 +18,15 @@ set ignorecase set smartcase + set list + set listchars=tab:→· + set tabstop=4 + set shiftwidth=4 + set expandtab set mouse+=a colorscheme dracula ''; }; -} \ No newline at end of file +} From 9d4decff9c6488e9e16a8b799b677b9d832c8f76 Mon Sep 17 00:00:00 2001 
From: Xinyang Li Date: Fri, 21 Jul 2023 07:03:59 +0000 Subject: [PATCH 015/136] gold: add gold as a standalone home manager config --- flake.lock | 40 ++++++++++++++++++++++++++++++++++--- flake.nix | 13 +++++++++++- home/xin/common/default.nix | 2 +- home/xin/common/fish.nix | 15 ++++++++++++++ home/xin/gold/default.nix | 15 ++++++++++++++ 5 files changed, 80 insertions(+), 5 deletions(-) create mode 100644 home/xin/gold/default.nix diff --git a/flake.lock b/flake.lock index b94fa32..0fbdee4 100644 --- a/flake.lock +++ b/flake.lock @@ -17,6 +17,24 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -31,7 +49,7 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_3": { "locked": { "lastModified": 1638122382, "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", @@ -69,7 +87,7 @@ "nix-vscode-extensions": { "inputs": { "flake-compat": "flake-compat", - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs" }, "locked": { @@ -88,7 +106,7 @@ }, "nixos-cn": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] @@ -220,6 +238,7 @@ }, "root": { "inputs": { + "flake-utils": "flake-utils", "home-manager": "home-manager", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-cn": "nixos-cn", 
@@ -248,6 +267,21 @@ "repo": "sops-nix", "type": "github" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 6097107..b1343fd 100644 --- a/flake.nix +++ b/flake.nix @@ -22,6 +22,8 @@ sops-nix.url = "github:Mic92/sops-nix"; nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; + + flake-utils.url = "github:numtide/flake-utils"; }; @@ -70,6 +72,7 @@ ]; }; + images.raspite = (mkNixos { system = "aarch64-linux"; modules = [ @@ -83,5 +86,13 @@ } ]; }).config.system.build.sdImage; - }; + } // + (with flake-utils.lib; (eachSystem defaultSystems (system: + let pkgs = import nixpkgs { inherit system; }; in + { + packages = { + homeConfigurations."xin" = import ./home/xin/gold { inherit home-manager pkgs; }; + }; + } + ))); } diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 391bf9c..a5da1a2 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -19,4 +19,4 @@ rclone clash ]; -} \ No newline at end of file +} diff --git a/home/xin/common/fish.nix b/home/xin/common/fish.nix index 3502f1d..19950bf 100644 --- a/home/xin/common/fish.nix +++ b/home/xin/common/fish.nix @@ -15,5 +15,20 @@ src = fishPlugins.hydro.src; } ]; + interactiveShellInit = '' + fish_config theme choose 'ayu Dark' + fish_config prompt choose arrow + ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source + function fish_right_prompt + if test -n "$IN_NIX_SHELL" + echo -n "" + else if test $SHLVL -ge 3 + echo -n "<🚀lv$SHLVL>" + end + end + ''; + functions = { + gitignore = "curl -sL https://www.gitignore.io/api/$argv"; + }; }; } 
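Review bot: `homeConfigurations."xin"` is placed under `packages` inside `eachSystem`, which yields `packages.<system>.homeConfigurations.xin`; `nix flake check` expects every `packages.<system>.<name>` to be a derivation, and the home-manager CLI looks for `homeConfigurations.<name>` at the top level of the flake outputs, so this attribute likely fails the check and is not found by `home-manager switch --flake`. A top-level `homeConfigurations` output, with the system chosen where `pkgs` is imported, matches the home-manager convention. The `import nixpkgs { inherit system; }` here also carries no `config` (e.g. `allowUnfree`), unlike the NixOS hosts, so packages pulled in by the shared `../common` module may evaluate differently — worth a comment if that is intentional.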
diff --git a/home/xin/gold/default.nix b/home/xin/gold/default.nix new file mode 100644 index 0000000..192e11c --- /dev/null +++ b/home/xin/gold/default.nix @@ -0,0 +1,15 @@ +{ pkgs, home-manager, ... }: + home-manager.lib.homeManagerConfiguration { + inherit pkgs; + modules = [ + ../common + { + home.username = "xin"; + home.homeDirectory = "/home/xin"; + home.stateVersion = "23.05"; + + # Let Home Manager install and manage itself. + programs.home-manager.enable = true; + } + ]; + } From 5cc78b3494232e65592f8592e5c6c49e3f098d5f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 22 Jul 2023 01:20:55 +0800 Subject: [PATCH 016/136] Bump version --- flake.lock | 56 +++++++++++++++--------------- home/xin/alacritty.nix | 6 +++- home/xin/calcite/default.nix | 2 +- home/xin/common/default.nix | 2 ++ home/xin/common/vim.nix | 2 +- home/xin/common/zellij.nix | 3 +- home/xin/vscode.nix | 26 +++++++------- machines/calcite/configuration.nix | 24 +++++++++---- 8 files changed, 68 insertions(+), 53 deletions(-) diff --git a/flake.lock b/flake.lock index 7cb9f86..c5d4f12 100644 --- a/flake.lock +++ b/flake.lock @@ -56,11 +56,11 @@ ] }, "locked": { - "lastModified": 1685108129, - "narHash": "sha256-6Jv6LxrLfaueHj095oBUKBk++eW4Ya0qfHwhQVQqyoo=", + "lastModified": 1689891262, + "narHash": "sha256-Pc4wDczbdgd6QXKJIXprgxe7L9AVDsoAkMnvm5vmpUU=", "owner": "nix-community", "repo": "home-manager", - "rev": "bec196cd9b5f34213c7dc90ef2a524336df70e30", + "rev": "ee5673246de0254186e469935909e821b8f4ec15", "type": "github" }, "original": { @@ -76,11 +76,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1685150126, - "narHash": "sha256-Pzliu5Q0Ck95vtuIAGw+rjuvEpnZOdQ6hnEoEOwhEE4=", + "lastModified": 1689903271, + "narHash": "sha256-t3CPQ3afi5fUbY/I4nldZgsUMO9/17UwIC9XPiD0ybs=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "10ce968c6896fb0866d4c80c7e4c684f849d56d2", + "rev": "2064829219ef11822e539664ba975fdf443bbe7b", "type": "github" }, "original": { 
@@ -112,11 +112,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1684899633, - "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", + "lastModified": 1689320556, + "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", + "rev": "d4ea64f2063820120c05f6ba93ee02e6d4671d6b", "type": "github" }, "original": { @@ -144,11 +144,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1685004253, - "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=", + "lastModified": 1689885880, + "narHash": "sha256-2ikAcvHKkKh8J/eUrwMA+wy1poscC+oL1RkN1V3RmT8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91", + "rev": "fa793b06f56896b7d1909e4b69977c7bf842b2f0", "type": "github" }, "original": { @@ -160,27 +160,27 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1684632198, - "narHash": "sha256-SdxMPd0WmU9MnDBuuy7ouR++GftrThmSGL7PCQj/uVI=", + "lastModified": 1689473667, + "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d0dade110dc7072d67ce27826cfe9ab2ab0cf247", + "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-22.11", + "ref": "release-23.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1684935479, - "narHash": "sha256-6QMMsXMr2nhmOPHdti2j3KRHt+bai2zw+LJfdCl97Mk=", + "lastModified": 1689850295, + "narHash": "sha256-fUYf6WdQlhd2H+3aR8jST5dhFH1d0eE22aes8fNIfyk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f91ee3065de91a3531329a674a45ddcb3467a650", + "rev": "5df4d78d54f7a34e9ea1f84a22b4fd9baebc68d0", "type": "github" }, "original": { 
@@ -192,11 +192,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1684585791, - "narHash": "sha256-lYPboblKrchmbkGMoAcAivomiOscZCjtGxxTSCY51SM=", + "lastModified": 1689413807, + "narHash": "sha256-exuzOvOhGAEKWQKwDuZAL4N8a1I837hH5eocaTcIbLc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "eea79d584eff53bf7a76aeb63f8845da6d386129", + "rev": "46ed466081b9cad1125b11f11a2af5cc40b942c7", "type": "github" }, "original": { @@ -208,11 +208,11 @@ }, "nur": { "locked": { - "lastModified": 1685145797, - "narHash": "sha256-a4mMWQKgjWShf0MkEMoDJPYEJ8eu2T7MA8DxbTMQRUA=", + "lastModified": 1689957702, + "narHash": "sha256-65SH/R79QEJMy41Z4oKGV6aGI0maFy7kgOExORJ5ttM=", "owner": "nix-community", "repo": "NUR", - "rev": "cbc0fb5c6412cc84de6a4fb33d6500217082c4c9", + "rev": "5bf71ded2372cbf1df969164193523c09a36b92c", "type": "github" }, "original": { @@ -239,11 +239,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1684637723, - "narHash": "sha256-0vAxL7MVMhGbTkAyvzLvleELHjVsaS43p+PR1h9gzNQ=", + "lastModified": 1689534977, + "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "4ccdfb573f323a108a44c13bb7730e42baf962a9", + "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81", "type": "github" }, "original": { diff --git a/home/xin/alacritty.nix b/home/xin/alacritty.nix index a4feed5..f34ff67 100644 --- a/home/xin/alacritty.nix +++ b/home/xin/alacritty.nix @@ -4,6 +4,10 @@ settings = { shell = { program = config.programs.zellij.package + "/bin/zellij"; + args = [ + "attach" + "-c" + ]; }; font.size = 10.0; window = { @@ -12,4 +16,4 @@ }; }; }; -} \ No newline at end of file +} diff --git a/home/xin/calcite/default.nix b/home/xin/calcite/default.nix index 84af437..1a13e94 100644 --- a/home/xin/calcite/default.nix +++ b/home/xin/calcite/default.nix @@ -29,6 +29,6 @@ home.packages = with pkgs; [ thunderbird + remmina ]; - } 
diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index fc8de9d..20f1d80 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -20,5 +20,7 @@ neofetch rclone clash + + inetutils ]; } diff --git a/home/xin/common/vim.nix b/home/xin/common/vim.nix index dac31ee..f73228d 100644 --- a/home/xin/common/vim.nix +++ b/home/xin/common/vim.nix @@ -28,5 +28,5 @@ colorscheme dracula ''; - }; +}; } diff --git a/home/xin/common/zellij.nix b/home/xin/common/zellij.nix index c994139..e485d11 100644 --- a/home/xin/common/zellij.nix +++ b/home/xin/common/zellij.nix @@ -2,7 +2,6 @@ programs.zellij = { enable = true; settings = { - on_force_close = "quit"; default_shell = "fish"; keybinds = { unbind = [ @@ -26,4 +25,4 @@ }; }; }; -} \ No newline at end of file +} diff --git a/home/xin/vscode.nix b/home/xin/vscode.nix index 66f1a15..a0b9eac 100644 --- a/home/xin/vscode.nix +++ b/home/xin/vscode.nix @@ -1,5 +1,8 @@ { config, pkgs, inputs, system, ... }: { + home.packages = with pkgs; [ + pkgs.wl-clipboard-x11 + ]; programs.vscode = { enable = true; enableUpdateCheck = false; @@ -32,11 +35,11 @@ vue.volar ms-vscode-remote.remote-ssh-edit - ]) ++ (with inputs.nixpkgs.legacyPackages.${system}.vscode-extensions; [ + mushan.vscode-paste-image + ]) ++ (with pkgs.vscode-extensions; [ # Rust rust-lang.rust-analyzer - - mkhl.direnv + github.copilot ]); userSettings = { "workbench.colorTheme" = "Default Dark+"; 
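Review bot: Inside `home.packages = with pkgs; [ … ]` the element is written `pkgs.wl-clipboard-x11`, so the `with pkgs;` does nothing; `wl-clipboard-x11` alone matches how the other package lists in this repo are written. Nothing in the module relates the package to vscode, so a one-line reason would help, presumably something like `# clipboard bridge for vscode under Wayland — confirm`. The hunk is the top of the file; the vscode options continue below it.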
@@ -117,17 +120,14 @@ } ]; "[latex]" = { - "editor.formatonpaste" = false; - "editor.suggestselection" = "recentlyusedbyprefix"; - "editor.wordwrap" = "bounded"; - "editor.wordwrapcolumn" = 100; - "editor.unicodehighlight.allowedlocales" = { - "_os" = true; - "_vscode" = true; - "zh-hans" = true; - "zh-hant" = true; - }; + "editor.formatOnPaste" = false; + "editor.suggestSelection" = "recentlyusedbyprefix"; + "editor.wordWrap" = "bounded"; + "editor.wordWrapColumn" = 80; + "editor.unicodeHighlight.ambiguousCharacters" = false; }; + # Extension vscode-paste-image + "pasteImage.path" = "\${currentFileDir}/.assets"; }; }; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 5590c30..2599fad 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -104,7 +104,7 @@ # Allow unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ - "openssl-1.1.1t" + "openssl-1.1.1u" # For wechat-uos "electron-19.0.7" ]; @@ -131,12 +131,6 @@ # ==== Development ==== # - jetbrains.jdk # patch jetbrain runtime java - jetbrains.clion - jetbrains.pycharm-professional - jetbrains.idea-ultimate - android-studio - # Language server clang-tools rnix-lsp @@ -164,6 +158,14 @@ texlive.combined.scheme-full # ==== GUI Softwares ==== # + + # IDE + jetbrains.jdk # patch jetbrain runtime java + jetbrains.clion + jetbrains.pycharm-professional + jetbrains.idea-ultimate + android-studio + # Gnome tweaks gnomeExtensions.dash-to-dock gnomeExtensions.hide-top-bar 
@@ -218,6 +220,14 @@ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.settings.auto-optimise-store = true; + nix.settings.access-tokens = [ "github.com=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" ]; + nix.settings.trusted-users = [ "xin" "root" ]; + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; # MTP support services.gvfs.enable = true; From 8f0971ab2b5f161ae4c19681ebb1c26f2302d45f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 22 Jul 2023 22:56:46 +0800 Subject: [PATCH 017/136] auto run unfound commands with comma --- home/xin/common/default.nix | 9 +++++++++ home/xin/common/fish.nix | 3 +++ machines/calcite/configuration.nix | 14 ++++++++++---- machines/calcite/secrets.yaml | 30 ------------------------------ machines/clash.nix | 4 ---- machines/secrets.yaml | 7 ++++--- note.md | 3 +++ 7 files changed, 29 insertions(+), 41 deletions(-) create mode 100644 note.md diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 20f1d80..da76694 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -5,6 +5,15 @@ ./zellij.nix ./vim.nix ]; + + nix.settings = { + experimental-features = [ "nix-command" "flakes" ]; + auto-optimise-store = true; + substituters = "https://cache.nixos.org https://mirrors.ustc.edu.cn/nix-channels/store https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store https://cache.nixos.org/ https://cuda-maintainers.cachix.org"; + trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="; + }; + + home.packages = with pkgs; [ dig du-dust # du + rust diff --git a/home/xin/common/fish.nix b/home/xin/common/fish.nix index 19950bf..7d8fecb 100644 --- a/home/xin/common/fish.nix +++ b/home/xin/common/fish.nix 
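Review bot: `nix.settings.access-tokens` embeds a literal GitHub personal access token in the NixOS configuration; NixOS renders `nix.settings` into `/etc/nix/nix.conf` in the Nix store, which is world-readable, so every local user and every clone of this repository gets the token, and it remains in git history even after the line is rewritten (a later commit on this page moves it to sops, but that does not remove it from history). The token must be treated as disclosed and revoked at GitHub regardless of how the config is later changed; the config should only ever reference a secret file, never carry the value. `nix.settings.trusted-users = [ "xin" "root" ]` is also security-relevant: a trusted user can hand the daemon arbitrary substituters, signing keys and builders, which is effectively root on the machine, so the entry deserves a comment such as `# trusted user: can override daemon substituters/keys, equivalent to root`.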
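Review bot: `substituters` and `trusted-public-keys` are given as single space-separated strings here while `machines/calcite/configuration.nix` passes the same settings as lists, and `https://cache.nixos.org` appears twice (with and without a trailing slash); the list form keeps the two files consistent and drops the duplicate, assuming home-manager's `nix.settings` accepts lists as the NixOS option does. A per-user nix.conf can only add substituters and public keys when the daemon trusts that user — for anyone not in `trusted-users` the daemon ignores them with a warning — so this block silently depends on the `trusted-users` entry in the calcite config and does nothing on a host without it. Adding `cuda-maintainers.cachix.org` and its key trusts that third party's builds as much as cache.nixos.org, which is worth a comment, e.g. `# third-party cache: any path it signs is accepted without rebuilding`.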
@@ -26,6 +26,9 @@ echo -n "<🚀lv$SHLVL>" end end + function fish_command_not_found + ${pkgs.comma}/bin/comma $argv + end ''; functions = { gitignore = "curl -sL https://www.gitignore.io/api/$argv"; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 2599fad..a5d45f8 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -212,6 +212,7 @@ enable = true; }; + system.stateVersion = "22.05"; # Use mirror for binary cache @@ -219,15 +220,20 @@ "https://mirrors.ustc.edu.cn/nix-channels/store" "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ]; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - nix.settings.auto-optimise-store = true; - nix.settings.access-tokens = [ "github.com=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" ]; - nix.settings.trusted-users = [ "xin" "root" ]; nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 30d"; }; + nix.settings.trusted-users = [ "xin" "root" ]; + nix.extraOptions = '' + !include "${config.sops.secrets.github_public_token.path}" + ''; + sops = { + secrets.github_public_token = { + owner = "xin"; + }; + }; # MTP support services.gvfs.enable = true; diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index ae8271c..e69de29 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml 
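Review bot: `fish_command_not_found` hands every unknown command name to `comma`, which resolves it through the nix-index database and runs the matching nixpkgs binary, so a mistyped command no longer fails but fetches and executes whatever package owns that name (comma prompts when several packages match; a single match runs directly, as far as I recall). That is the feature, but it changes what a typo does in an interactive shell and should be stated at the definition, e.g. `# unknown commands are resolved via nix-index and executed by comma — a typo runs a real binary`. The surrounding `interactiveShellInit` string starts above the hunk.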
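Review bot: Moving the GitHub token out of `nix.settings.access-tokens` into a sops secret does not undo its exposure: the literal value is still in the history of the earlier commit on this page, so it has to be revoked and the sops entry re-encrypted with a fresh token. The included file must be in nix.conf syntax (an `access-tokens = github.com=…` line, not the bare token), which nothing here can check; a comment next to the `!include` stating the expected format, e.g. `# file must contain a full nix.conf line: access-tokens = github.com=<token>`, saves the next person a confusing daemon warning, and `github_public_token` is a misleading name for a personal access token — `github_access_token` reads correctly. Since `!include` tolerates a missing file and the daemon reads it as root, a failed sops activation would silently leave the daemon without the token rather than erroring, which is acceptable but worth knowing.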
@@ -1,30 +0,0 @@ -clash_subscription_link: ENC[AES256_GCM,data:HKHMCu6FAhXroM+j33coUhJybw2P0k4c+2NyVoLkHRtxyWc2qDmwLfyaYfU9hkBdE60eZ6t5ewNFnMFe78DatVTcwPXGznY=,iv:0yP9LG8lUdjKiize6z5LjY3NsGmKST4H2aMvOZoUXyo=,tag:vcBk7seKuaSpEw8PXmM05A==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRXoxNVJzZERQTFdDNWlL - N2s2ajdCVzFFZWlSY1dndWhCL0RuMnk3aVdJCjJaQUJ2a1VPanArN2YxMy9vSEYv - blBISEZQL3UvNnRFN0ozZ3hzbEcvaDQKLS0tIEYydmF2bHBwQWdTSFFQQ29ROGxi - OFo3K3N6VWsyRnphblVsM2pHZnljUncKWLyzuKl+8WXtvlPtsaYG4PyGYNmPFdG5 - gxlMsQvaUrGReCs9M3EeS0KKvl9INzOP33KCiwrIAfq1PygP1xF1QQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZHpMa0NiYzJSa0Jyd3dD - WUFzenY3dEYzRjBxbVk4NWFGUnp0N0oySjE4CllEMlRXSmR6cWR0QlMrOWJGdEhO - ZzkwaFRRMVdjcVhLaEpMcFhxMTVxcTQKLS0tIEY3eER1d3B0NGtsdk9RaENscTBk - eHg2UVZRRkdVWm5PdW1MSzhVTGlpc3cKnZj4fil9mysiJJcDK4SLo+I0TcUtgww1 - 67W3wpd2y+ofIEP/qBSTVU4PYJ+ZsYDr1hy+6qJ7r4rgQ9wzLiWBog== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-22T15:22:58Z" - mac: ENC[AES256_GCM,data:3LtivTLt04ADulz9XkMxcpgAY6it+hWFuXZVI9AOuFVQCgGE41fpH0RUKgJ4kIpr5kvbe4wVLQ6OTFqBcAkPnBBPCCg/Npzo7sWbGOiBEyK3aEk2uGsmZHqpDexHS5VJvSY0iePD+Qb/LNxjBo4KLWGNj+frKnpGALV0Qn6yzIE=,iv:alylpWLPhIIL4piaVFpjHbXJY4nz0pcUIFN5TvVcj74=,tag:HaSjcpwRMZ06UjXoDwEmyg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/machines/clash.nix b/machines/clash.nix index 1ba117e..e6c76ca 100644 --- a/machines/clash.nix +++ b/machines/clash.nix 
@@ -17,10 +17,6 @@ systemd.services."clash-config-update" = { script = '' ${pkgs.curl}/bin/curl $(${pkgs.coreutils}/bin/cat ${config.sops.secrets.clash_subscription_link.path}) > /tmp/config.yaml && mv /tmp/config.yaml /home/xin/.config/clash/ - ${pkgs.gnused}/bin/sed -i 's/enable: false/enable: true/g; s/log-level: info/log-level: warning/g' /home/xin/.config/clash/config.yaml - ${pkgs.gnused}/bin/sed -i '0,/proxies/s/114.114.114.114/https:\/\/dns.alidns.com\/dns-query/g; 0,/proxies/s/119.29.29.29/tls:\/\/dns.tuna.tsinghua.edu.cn:8853/g' /home/xin/.config/clash/config.yaml - ${pkgs.gnused}/bin/sed -i 's/dns:/dns: \n nameserver-policy:\n +.ts.net: "100.100.100.100"/g; s/log-level: info/log-level: warning/g' /home/xin/.config/clash/config.yaml - ${pkgs.gnused}/bin/sed -i 's/www.gstatic.cn/www.google.com/g' /home/xin/.config/clash/config.yaml ''; serviceConfig = { Type = "oneshot"; diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 3d9bfee..97a4df9 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
@@ -1,6 +1,7 @@ -clash_subscription_link: ENC[AES256_GCM,data:QwszQooTzHboIgIsbxcL1ZrVgOn91pKC8mMUSY7R0FB426ERiVPNyGWBy5ar4m0yk/XwcFLdFRmiWOrQG9mWsx9J6/tH7K8=,iv:zeDuLmDRUiCtKfUlpl1KJl62DP4DnQ2c6gOjpiHw+4c=,tag:w5AQIUC1p3nrwepdxH7Kkw==,type:str] +clash_subscription_link: ENC[AES256_GCM,data:Vwy0c8gOeR1XG/QNp8TGuBe/5kezD7SSStN/iCnihbbJYW78LNfPfvmVAEXjQlf5Ycts2Cb2JHGtWp3rmQQtWBx8LfIewqhNDk9fCywqIv7uSmqVpJNTHfYhjpF6PLvtz51VfTKph+fplZ9dMu23P9g7Wn6dzVizo8DX6xHWN2jDyHza5zkiNrzbmiaLwbLu1dAzvNSI67A=,iv:pZ189IPPCBjscXzEdgQCRdFlls3TniwDfNCd+H1FFaQ=,tag:dpt+3kdx8m1f0X0SHm+ATA==,type:str] autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str] autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str] +github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -34,8 +35,8 @@ sops: dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-25T04:49:58Z" - mac: ENC[AES256_GCM,data:Xig/sBJAEs9D6hsoeTAJ4CL156IrFLipacI7eHfBd79Lsa0IXPfLvVn/tVTIfEixmBA9QKkQ9QYjTFVZNr0BTRqHC/C7izgZbOBn73EE+KXYLQEiZ4RbgRfrFb8gU2/uSWXGZEO6YELuom9BEXWCMp0HTS+MQTKk8Tz20/hVyV4=,iv:Uq74PG7DDanb5WpcXUdylT8LW4ERlEsT8YX0BxZdo8w=,tag:7zKveIEJjh0Yc2fLKsTUjA==,type:str] + lastmodified: "2023-07-22T02:00:48Z" + mac: ENC[AES256_GCM,data:DXQaCRuD4trEjIFvVAGF3/F/AiUcIOKGmqKKF/S7tJ51ZGXIh64g7vXZhZC22UxGs2pYU/gQOfA58cSxrHav0hmA0KbidLGA2ySRzVCSP3IH2jLx9KXdYv6SIS5I3MRMUqf7ZH+5rtdjTrrYBDWZrDzB9T7naMn1BujMqi+SwsU=,iv:QrFcEz7sxC0kbRtFr45cUaT4VosFq5ICtF3HOZ3If9I=,tag:Ste0v4xcONasn182R2ZyFw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/note.md b/note.md new file mode 100644 index 0000000..93a14d6 --- /dev/null +++ b/note.md @@ -0,0 +1,3 @@ +# nix-tree + +Demonstrate disk usage by nix-store path. From 42f550f15627aa034b088e0cdd0cf15f6dae581f Mon Sep 17 00:00:00 2001 From: Xinyang Li Date: Sat, 29 Jul 2023 23:34:24 +0800 Subject: [PATCH 018/136] massicot: add new machine --- flake.nix | 8 +++++ machines/massicot/default.nix | 37 ++++++++++++++++++++ machines/massicot/hardware-configuration.nix | 36 +++++++++++++++++++ machines/massicot/networking.nix | 13 +++++++ 4 files changed, 94 insertions(+) create mode 100644 machines/massicot/default.nix create mode 100644 machines/massicot/hardware-configuration.nix create mode 100644 machines/massicot/networking.nix diff --git a/flake.nix b/flake.nix index d990e06..02117ee 100644 --- a/flake.nix +++ b/flake.nix @@ -63,6 +63,14 @@ ]; }; + nixosConfigurations.massicot = mkNixos { + system = "aarch64-linux"; + modules = [ + machines/massicot + (mkHome "xin" "gold") + ] + } + nixosConfigurations.raspite = mkNixos { system = "aarch64-linux"; modules = [ 
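Review bot: The new `nixosConfigurations.massicot` block in the `flake.nix` hunk is missing the `;` after the `modules` list and after its closing `}`, so the flake does not evaluate as committed; change `]` to `];` and `}` to `};`. The `nixosConfigurations.raspite` block immediately below shows the intended form. The enclosing attribute set continues outside the hunk.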
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix new file mode 100644 index 0000000..ebe8e33 --- /dev/null +++ b/machines/massicot/default.nix @@ -0,0 +1,37 @@ +{ config, libs, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./networking.nix + ]; + + environment.systemPackages = with pkgs; [ + git + ]; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + system.stateVersion = "22.11"; + + networking = { + hostName = "massicot"; + useDHCP = false; + }; + + services.openssh = { + enable = true; + }; + + systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; + + users.users.xin = { + isNormalUser = true; + extraGroups = [ "wheel" "networkmanager" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBcSvUQnmMFtpftFKIsDqeyUyZHzRg5ewgn3VEcLnss" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd" + ]; + }; + +} \ No newline at end of file diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix new file mode 100644 index 0000000..2cb3a29 --- /dev/null +++ b/machines/massicot/hardware-configuration.nix 
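Review bot: `services.openssh.enable = true` relies on the module's default for password logins, while the `xin` user is created here with authorized keys but no password, so pin key-only access explicitly with `services.openssh.settings.PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` (older modules spell the first one `services.openssh.passwordAuthentication`). The module argument list names `libs` rather than the conventional `lib`; it is unused, and with the standard argument the later `pkgs.lib.mkForce` would read `lib.mkForce`. `boot.loader` is not configured anywhere in this file, so the host has no declared bootloader as committed.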
@@ -0,0 +1,36 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/934bc9cd-c80f-4af0-a446-e92c3b21ad9e"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/06F4-7777"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; +} \ No newline at end of file diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix new file mode 100644 index 0000000..b93990a --- /dev/null +++ b/machines/massicot/networking.nix @@ -0,0 +1,13 @@ +networking = { + interfaces = { + eth0.ipv6.addresses = [{ + address = "2a01:4f8:c17:345f::1"; + prefixLength = 64; + }]; + }; + defaultGateway6 = { + address = "fe80::1"; + interface = "eth0"; + }; + nameservers = [ "2a00:1098:2b::1" "2a00:1098:2c::1" "2a01:4f9:c010:3f02::1"] +}; \ No newline at end of file From a31020a9eac25099b615cf1c8d084d8a2a3b580a Mon Sep 17 00:00:00 2001 
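Review bot: `networking.nix` is written as a bare `networking = { ... };` binding at top level rather than a module attribute set, so importing it from `default.nix` fails to parse; wrap it as `{ networking = { ... }; }`. The `nameservers = [ ... ]` line is also missing its trailing `;`. The `hardware-configuration.nix` hunk is generator output and needs no review.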
From: Xinyang Li Date: Sun, 30 Jul 2023 01:15:35 +0800 Subject: [PATCH 019/136] massicot: fix bugs --- machines/massicot/default.nix | 8 ++++++++ machines/massicot/hardware-configuration.nix | 2 +- machines/massicot/networking.nix | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index ebe8e33..78b06f0 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -6,6 +6,13 @@ ./networking.nix ]; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.efi.efiSysMountPoint = "/boot/efi"; + boot.loader.grub = { + enable = true; + efiSupport = true; + } + environment.systemPackages = with pkgs; [ git ]; @@ -32,6 +39,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBcSvUQnmMFtpftFKIsDqeyUyZHzRg5ewgn3VEcLnss" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd" ]; + hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7"; }; } \ No newline at end of file diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix index 2cb3a29..5d6574a 100644 --- a/machines/massicot/hardware-configuration.nix +++ b/machines/massicot/hardware-configuration.nix @@ -18,7 +18,7 @@ fsType = "ext4"; }; - fileSystems."/boot" = + fileSystems."/boot/efi" = { device = "/dev/disk/by-uuid/06F4-7777"; fsType = "vfat"; }; diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index b93990a..ec0bd4d 100644 --- a/machines/massicot/networking.nix +++ b/machines/massicot/networking.nix @@ -9,5 +9,5 @@ networking = { address = "fe80::1"; interface = "eth0"; }; - nameservers = [ "2a00:1098:2b::1" "2a00:1098:2c::1" "2a01:4f9:c010:3f02::1"] + nameservers = [ "2a00:1098:2b::1" "2a00:1098:2c::1" "2a01:4f9:c010:3f02::1"]; }; \ No newline at end of file From 9c61da80465d1de0649ae85aa40f9bce0a05ee0d Mon Sep 17 00:00:00 2001 
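Review bot: The `boot.loader.grub = { ... }` block added in the first `default.nix` hunk is missing the `;` after its closing `}`, so the file still does not parse; make it `};`. The `hashedPassword = "$y$j9T$…"` line added in the second hunk commits a yescrypt password hash for `xin` to the repository, which hands anyone with read access an offline guessing target; since this repo already uses sops-nix for calcite, keep the hash in `secrets.yaml` and reference it through `users.users.xin.passwordFile` (newer modules: `hashedPasswordFile`) with `neededForUsers = true` on the secret. The hash already in history should be rotated once it is moved.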
From: Xinyang Li Date: Sun, 30 Jul 2023 01:53:14 +0800 Subject: [PATCH 020/136] fix bug --- machines/massicot/default.nix | 5 +++-- machines/massicot/networking.nix | 26 ++++++++++++++------------ 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 78b06f0..81fd528 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -7,11 +7,12 @@ ]; boot.loader.efi.canTouchEfiVariables = true; - boot.loader.efi.efiSysMountPoint = "/boot/efi"; + boot.loader.efi.efiSysMountPoint = "/boot"; boot.loader.grub = { enable = true; efiSupport = true; - } + device = "/dev/sda"; + }; environment.systemPackages = with pkgs; [ git diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index ec0bd4d..fd5bf27 100644 --- a/machines/massicot/networking.nix +++ b/machines/massicot/networking.nix @@ -1,13 +1,15 @@ -networking = { - interfaces = { - eth0.ipv6.addresses = [{ - address = "2a01:4f8:c17:345f::1"; - prefixLength = 64; - }]; +{ + networking = { + interfaces = { + eth0.ipv6.addresses = [{ + address = "2a01:4f8:c17:345f::1"; + prefixLength = 64; + }]; + }; + defaultGateway6 = { + address = "fe80::1"; + interface = "eth0"; + }; + nameservers = [ "2a00:1098:2b::1" "2a00:1098:2c::1" "2a01:4f9:c010:3f02::1"]; }; - defaultGateway6 = { - address = "fe80::1"; - interface = "eth0"; - }; - nameservers = [ "2a00:1098:2b::1" "2a00:1098:2c::1" "2a01:4f9:c010:3f02::1"]; -}; \ No newline at end of file +} \ No newline at end of file From 74ad2b8425036c4cec88f0926a7367cf2bedc5f8 Mon Sep 17 00:00:00 2001 
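Review bot: `device = "/dev/sda";` together with `efiSupport = true` installs a BIOS-style GRUB into the disk's MBR in addition to the EFI loader; for a pure UEFI install the NixOS convention is `device = "nodev";`, and `canTouchEfiVariables = true` a few lines up suggests this is a UEFI box. If the hybrid install is deliberate, a one-line comment would save the next reader the question. The `networking.nix` rewrite into a proper module attribute set resolves the parse problem from the earlier commit.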
From: Xinyang Li Date: Mon, 11 Sep 2023 12:20:32 +0000 Subject: [PATCH 021/136] Add gitea service --- flake.lock | 245 +++++++++++++++---- flake.nix | 26 +- machines/massicot/default.nix | 9 +- machines/massicot/hardware-configuration.nix | 47 +--- machines/massicot/networking.nix | 5 +- machines/massicot/services.nix | 69 ++++++ 6 files changed, 308 insertions(+), 93 deletions(-) create mode 100644 machines/massicot/services.nix diff --git a/flake.lock b/flake.lock index 62d175d..e4691a0 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,5 +1,78 @@ { "nodes": { + "conduit": { + "inputs": { + "crane": "crane", + "fenix": "fenix", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1691686916, + "narHash": "sha256-TpNssMHvSKcxJMas5lQNWEbIv09u4/niBN2C27Mp0JY=", + "owner": "famedly", + "repo": "conduit", + "rev": "0c2cfda3ae923d9e922d5edf379e4d8976a52d4e", + "type": "gitlab" + }, + "original": { + "owner": "famedly", + "ref": "v0.6.0", + "repo": "conduit", + "type": "gitlab" + } + }, + "crane": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "conduit", + "flake-utils" + ], + "nixpkgs": [ + "conduit", + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1688772518, + "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=", + "owner": "ipetkov", + "repo": "crane", + "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "conduit", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1689488573, + "narHash": "sha256-diVASflKCCryTYv0djvMnP2444mFsIG0ge5pa7ahauQ=", + "owner": "nix-community", + "repo": "fenix", + "rev": "39096fe3f379036ff4a5fa198950b8e79defe939", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -16,6 +89,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -38,6 +127,24 @@ "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1692799911, + "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", @@ -52,7 +159,7 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "locked": { "lastModified": 1638122382, "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", @@ -74,11 +181,11 @@ ] }, "locked": { - "lastModified": 1689891262, - "narHash": "sha256-Pc4wDczbdgd6QXKJIXprgxe7L9AVDsoAkMnvm5vmpUU=", + "lastModified": 1694375657, + "narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=", "owner": "nix-community", "repo": "home-manager", - "rev": "ee5673246de0254186e469935909e821b8f4ec15", + "rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7", "type": "github" }, "original": { @@ -89,16 +196,16 @@ }, "nix-vscode-extensions": { "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils_2", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1689903271, - "narHash": "sha256-t3CPQ3afi5fUbY/I4nldZgsUMO9/17UwIC9XPiD0ybs=", + "lastModified": 1694395166, + "narHash": "sha256-F0SRxtFF8EsEff6cRO81NdCpVz/S761ytETNqRkRwU4=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "2064829219ef11822e539664ba975fdf443bbe7b", + "rev": "e6c8e1659000d07804526e42b99fa5f15190c324", "type": "github" }, "original": { @@ -109,7 +216,7 @@ }, "nixos-cn": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ] 
@@ -130,11 +237,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1689320556, - "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=", + "lastModified": 1693718952, + "narHash": "sha256-+nGdJlgTk0MPN7NygopipmyylVuAVi7OItIwTlwtGnw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "d4ea64f2063820120c05f6ba93ee02e6d4671d6b", + "rev": "793de77d9f83418b428e8ba70d1e42c6507d0d35", "type": "github" }, "original": { @@ -162,11 +269,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1689885880, - "narHash": "sha256-2ikAcvHKkKh8J/eUrwMA+wy1poscC+oL1RkN1V3RmT8=", + "lastModified": 1694304580, + "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fa793b06f56896b7d1909e4b69977c7bf842b2f0", + "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760", "type": "github" }, "original": { @@ -178,11 +285,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1689473667, - "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=", + "lastModified": 1693675694, + "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6", + "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d", "type": "github" }, "original": { @@ -194,11 +301,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1689940971, - "narHash": "sha256-397xShPnFqPC59Bmpo3lS+/Aw0yoDRMACGo1+h2VJMo=", + "lastModified": 1694183432, + "narHash": "sha256-YyPGNapgZNNj51ylQMw9lAgvxtM2ai1HZVUu3GS8Fng=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9ca785644d067445a4aa749902b29ccef61f7476", + "rev": "db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b", "type": "github" }, "original": { 
@@ -208,29 +315,13 @@ "type": "github" } }, - "nixpkgs_3": { - "locked": { - "lastModified": 1689413807, - "narHash": "sha256-exuzOvOhGAEKWQKwDuZAL4N8a1I837hH5eocaTcIbLc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "46ed466081b9cad1125b11f11a2af5cc40b942c7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nur": { "locked": { - "lastModified": 1689986542, - "narHash": "sha256-nfAoJhHAeOM+G2E4qzE3E8vtt5VH14bq9u7a9wxTR1c=", + "lastModified": 1694400936, + "narHash": "sha256-MOUf6iF1B5jw25xWgRTj47L2lS32F5wIACEErYqq2n0=", "owner": "nix-community", "repo": "NUR", - "rev": "3d51c81356bd84bfa7b5b2ccb11c36b58b9f5cde", + "rev": "1850109f159c735841f7f6a51100b05d5b055113", "type": "github" }, "original": { @@ -241,7 +332,8 @@ }, "root": { "inputs": { - "flake-utils": "flake-utils", + "conduit": "conduit", + "flake-utils": "flake-utils_2", "home-manager": "home-manager", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-cn": "nixos-cn", 
@@ -252,17 +344,63 @@ "sops-nix": "sops-nix" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1689441253, + "narHash": "sha256-4MSDZaFI4DOfsLIZYPMBl0snzWhX1/OqR/QHir382CY=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "996e054f1eb1dbfc8455ecabff0f6ff22ba7f7c8", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "conduit", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "conduit", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688351637, + "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_3", + "nixpkgs": [ + "nixpkgs" + ], "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1689534977, - "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=", + "lastModified": 1693898833, + "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81", + "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623", "type": "github" }, "original": { @@ -300,6 +438,21 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 02117ee..d84f120 100644 --- a/flake.nix +++ b/flake.nix 
@@ -9,9 +9,13 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nur.url = "github:nix-community/NUR"; + nur = { + url = "github:nix-community/NUR"; + }; - nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + nixos-hardware = { + url = "github:NixOS/nixos-hardware/master"; + }; nixos-cn = { url = "github:nixos-cn/flakes"; @@ -19,11 +23,19 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - sops-nix.url = "github:Mic92/sops-nix"; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + conduit.url = "gitlab:famedly/conduit/v0.6.0"; + conduit.inputs.nixpkgs.follows = "nixpkgs"; nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; - flake-utils.url = "github:numtide/flake-utils"; + flake-utils = { + url = "github:numtide/flake-utils"; + }; }; @@ -67,9 +79,9 @@ system = "aarch64-linux"; modules = [ machines/massicot - (mkHome "xin" "gold") - ] - } + (mkHome "xin" "raspite") + ]; + }; nixosConfigurations.raspite = mkNixos { system = "aarch64-linux"; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 81fd528..8dd59d5 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -4,6 +4,7 @@ imports = [ ./hardware-configuration.nix ./networking.nix + ./services.nix ]; boot.loader.efi.canTouchEfiVariables = true; @@ -11,7 +12,6 @@ boot.loader.grub = { enable = true; efiSupport = true; - device = "/dev/sda"; }; environment.systemPackages = with pkgs; [ @@ -24,11 +24,13 @@ networking = { hostName = "massicot"; - useDHCP = false; }; services.openssh = { enable = true; + settings = { + PasswordAuthentication = false; + }; }; systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; 
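Review bot: `settings.PasswordAuthentication = false;` in the `default.nix` hunk leaves `KbdInteractiveAuthentication` at the NixOS default of `true`, and with the module's `UsePAM yes` sshd still offers a PAM password prompt over keyboard-interactive, so the `hashedPassword` set on `xin` remains usable for remote login; add `KbdInteractiveAuthentication = false;` beside it. The `services.openssh` block is fully inside the hunk, but the enclosing module continues outside it.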
@@ -39,8 +41,9 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBcSvUQnmMFtpftFKIsDqeyUyZHzRg5ewgn3VEcLnss" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeNQ43f/ce4VxVPsAaKPPTp8rokQpmwNIsOX7JBZq4A" ]; hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7"; }; -} \ No newline at end of file +} diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix index 5d6574a..89358f7 100644 --- a/machines/massicot/hardware-configuration.nix +++ b/machines/massicot/hardware-configuration.nix 
@@ -1,36 +1,13 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - +{ modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/934bc9cd-c80f-4af0-a446-e92c3b21ad9e"; - fsType = "ext4"; - }; - - fileSystems."/boot/efi" = - { device = "/dev/disk/by-uuid/06F4-7777"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} \ No newline at end of file + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.grub = { + efiSupport = true; + device = "nodev"; + }; + fileSystems."/boot" = { device = "/dev/disk/by-uuid/AC27-D9D6"; fsType = "vfat"; }; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + +} diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index fd5bf27..4aadb44 100644 --- a/machines/massicot/networking.nix +++ b/machines/massicot/networking.nix 
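Review bot: The rewritten `fileSystems."/"` addresses the root disk as `/dev/sda1` where the previous version used `/dev/disk/by-uuid/…`; kernel device names are not stable across reboots or disk changes, so prefer the by-uuid path as the `/boot` entry still does. `boot.loader.grub` is now declared both here (`efiSupport`, `device = "nodev"`) and in `default.nix` (`enable`, `efiSupport`), which NixOS merges but which is easy to desynchronise; keeping the loader settings in one file would be clearer. The "Do not modify" header was dropped, so a comment that this file is now hand-maintained and must not be regenerated would help.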
@@ -1,6 +1,7 @@ { networking = { interfaces = { + eth0.useDHCP = true; eth0.ipv6.addresses = [{ address = "2a01:4f8:c17:345f::1"; prefixLength = 64; @@ -10,6 +11,6 @@ address = "fe80::1"; interface = "eth0"; }; - nameservers = [ "2a00:1098:2b::1" "2a00:1098:2c::1" "2a01:4f9:c010:3f02::1"]; + nameservers = [ ]; }; -} \ No newline at end of file +} diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix new file mode 100644 index 0000000..161b83b --- /dev/null +++ b/machines/massicot/services.nix 
@@ -0,0 +1,69 @@
+{ config, pkgs, inputs, ... }:
+{
+ services.matrix-conduit = {
+ enable = true;
+ # package = inputs.conduit.packages.${pkgs.system}.default;
+ package = pkgs.matrix-conduit;
+ settings.global = {
+ server_name = "xinyang.life";
+ port = 6167;
+ # database_path = "/var/lib/matrix-conduit/";
+ database_backend = "rocksdb";
+ allow_registration = false;
+ };
+ };
+
+ services.gotosocial = {
+ enable = true;
+ settings = {
+ log-level = "debug";
+ host = "xinyang.life";
+ letsencrypt-enabled = false;
+ bind-address = "localhost";
+ landing-page-user = "me";
+ instance-expose-public-timeline = true;
+ };
+ };
+
+ services.gitea = {
+ enable = true;
+ package = pkgs.forgejo;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ server = {
+ ROOT_URL = "https://git.xinyang.life/";
+ };
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts."xinyang.life:443".extraConfig = ''
+ tls internal
+ encode zstd gzip
+ reverse_proxy /_matrix/* localhost:6167
+ handle_path /.well-known/matrix/client {
+ header Content-Type "application/json"
+ header Access-Control-Allow-Origin "*"
+ header Content-Disposition attachment; filename="client"
+ respond `{"m.homeserver":{"base_url":"https://xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://xinyang.life/"}}`
+ }
+ handle_path /.well-known/matrix/server {
+ header Content-Type "application/json"
+ header Access-Control-Allow-Origin "*"
+ respond `{"m.server": "xinyang.life:443"}`
+ }
+
+ reverse_proxy * http://localhost:8080 {
+ flush_interval -1
+ }
+ '';
+ virtualHosts."git.xinyang.life:443".extraConfig = ''
+ tls internal
+ reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
+}
From df20c486e746d6c0c5fdc7ca99c84dadf8b4fd16 Mon Sep 17 00:00:00 2001
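Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 8448 ];` opens UDP 80 and 8448 although nothing in this file listens on them (Caddy's HTTP/3 only needs UDP 443), and TCP 8448 likewise has no listener here because `.well-known/matrix/server` delegates federation to `xinyang.life:443`; narrow the lists to `allowedTCPPorts = [ 80 443 ];` and `allowedUDPPorts = [ 443 ];`. `services.gotosocial.settings.log-level = "debug"` on an internet-facing instance records request detail that does not belong in the journal long-term; `"info"` is the usual production setting. Both Caddy vhosts use `tls internal`, which issues certificates from Caddy's private CA that browsers and federating homeservers will reject, so confirm this is a staging setup or switch to ACME (`letsencrypt-enabled = false` on gotosocial suggests Caddy is meant to terminate TLS publicly).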
From: xinyangli Date: Sat, 23 Sep 2023 01:12:38 +0800 Subject: [PATCH 022/136] calcite: bump version, drop steam, drop opengl32 --- flake.lock | 60 ++++++++++----------- flake.nix | 4 +- home/xin/common/default.nix | 3 +- machines/calcite/configuration.nix | 14 ++--- machines/calcite/hardware-configuration.nix | 4 ++ machines/calcite/network.nix | 7 ++- machines/clash.nix | 5 -- machines/sops.nix | 8 ++- 8 files changed, 49 insertions(+), 56 deletions(-) diff --git a/flake.lock b/flake.lock index 62d175d..81619de 100644 --- a/flake.lock +++ b/flake.lock @@ -21,11 +21,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { @@ -74,11 +74,11 @@ ] }, "locked": { - "lastModified": 1689891262, - "narHash": "sha256-Pc4wDczbdgd6QXKJIXprgxe7L9AVDsoAkMnvm5vmpUU=", + "lastModified": 1695224363, + "narHash": "sha256-+hfjJLUMck5G92RVFDZA7LWkR3kOxs5zQ7RPW9t3eM8=", "owner": "nix-community", "repo": "home-manager", - "rev": "ee5673246de0254186e469935909e821b8f4ec15", + "rev": "408ba13188ff9ce309fa2bdd2f81287d79773b00", "type": "github" }, "original": { @@ -94,11 +94,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1689903271, - "narHash": "sha256-t3CPQ3afi5fUbY/I4nldZgsUMO9/17UwIC9XPiD0ybs=", + "lastModified": 1695345913, + "narHash": "sha256-TkCmI8cLQ02HW9jW2HEquQZ1u1ljeOlEFMU+9PS2tLg=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "2064829219ef11822e539664ba975fdf443bbe7b", + "rev": "8f30a4bcd475bff9f23097e4450754ec068523b2", "type": "github" }, "original": { 
@@ -130,11 +130,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1689320556, - "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=", + "lastModified": 1695109627, + "narHash": "sha256-4rpyoVzmunIG6xWA/EonnSSqC69bDBzciFi6SjBze/0=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "d4ea64f2063820120c05f6ba93ee02e6d4671d6b", + "rev": "cb4dc98f776ddb6af165e6f06b2902efe31ca67a", "type": "github" }, "original": { @@ -162,11 +162,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1689885880, - "narHash": "sha256-2ikAcvHKkKh8J/eUrwMA+wy1poscC+oL1RkN1V3RmT8=", + "lastModified": 1695272228, + "narHash": "sha256-4uw2OdJPVyjdB+xcDst9SecrNIpxKXJ2usN3M5HVa7o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fa793b06f56896b7d1909e4b69977c7bf842b2f0", + "rev": "55ac2a9d2024f15c56adf20da505b29659911da8", "type": "github" }, "original": { @@ -178,11 +178,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1689473667, - "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=", + "lastModified": 1694908564, + "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6", + "rev": "596611941a74be176b98aeba9328aa9d01b8b322", "type": "github" }, "original": { @@ -194,11 +194,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1689940971, - "narHash": "sha256-397xShPnFqPC59Bmpo3lS+/Aw0yoDRMACGo1+h2VJMo=", + "lastModified": 1695145219, + "narHash": "sha256-Eoe9IHbvmo5wEDeJXKFOpKUwxYJIOxKUesounVccNYk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9ca785644d067445a4aa749902b29ccef61f7476", + "rev": "5ba549eafcf3e33405e5f66decd1a72356632b96", "type": "github" }, "original": { 
@@ -210,11 +210,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1689413807, - "narHash": "sha256-exuzOvOhGAEKWQKwDuZAL4N8a1I837hH5eocaTcIbLc=", + "lastModified": 1694760568, + "narHash": "sha256-3G07BiXrp2YQKxdcdms22MUx6spc6A++MSePtatCYuI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "46ed466081b9cad1125b11f11a2af5cc40b942c7", + "rev": "46688f8eb5cd6f1298d873d4d2b9cf245e09e88e", "type": "github" }, "original": { @@ -226,11 +226,11 @@ }, "nur": { "locked": { - "lastModified": 1689986542, - "narHash": "sha256-nfAoJhHAeOM+G2E4qzE3E8vtt5VH14bq9u7a9wxTR1c=", + "lastModified": 1695395799, + "narHash": "sha256-D/SfJk+w2AknDWfR4KX5lEs/1zYtpq814oQfwEpmXC0=", "owner": "nix-community", "repo": "NUR", - "rev": "3d51c81356bd84bfa7b5b2ccb11c36b58b9f5cde", + "rev": "e256049bbaab62633de72dd14be51a8f592d6631", "type": "github" }, "original": { @@ -258,11 +258,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1689534977, - "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=", + "lastModified": 1695284550, + "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81", + "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 02117ee..4ca0638 100644 --- a/flake.nix +++ b/flake.nix @@ -68,8 +68,8 @@ modules = [ machines/massicot (mkHome "xin" "gold") - ] - } + ]; + }; nixosConfigurations.raspite = mkNixos { system = "aarch64-linux"; diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index da76694..6681fb7 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix 
@@ -9,8 +9,7 @@ nix.settings = { experimental-features = [ "nix-command" "flakes" ]; auto-optimise-store = true; - substituters = "https://cache.nixos.org https://mirrors.ustc.edu.cn/nix-channels/store https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store https://cache.nixos.org/ https://cuda-maintainers.cachix.org"; - trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="; + substituters = "https://mirrors.ustc.edu.cn/nix-channels/store https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"; }; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index a5d45f8..1b1abd4 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -104,9 +104,9 @@ # Allow unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ - "openssl-1.1.1u" + "openssl-1.1.1w" # For wechat-uos - "electron-19.0.7" + "electron-19.1.9" ]; # List packages installed in system profile. To search, run: # $ nix search wget @@ -173,8 +173,6 @@ gnome.gnome-tweaks gthumb - steam - # Multimedia vlc obs-studio @@ -208,11 +206,6 @@ ghidra ]; - programs.steam = { - enable = true; - }; - - system.stateVersion = "22.05"; # Use mirror for binary cache @@ -240,7 +233,7 @@ # Fonts fonts = { - fonts = with pkgs; [ + packages = with pkgs; [ (nerdfonts.override { fonts = [ "FiraCode" ]; }) noto-fonts noto-fonts-emoji @@ -274,7 +267,6 @@ }; docker = { enable = true; - enableNvidia = true; autoPrune.enable = true; }; }; diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 4baf3c7..0bd2426 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix 
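Review bot: After this hunk the only substituters left are the USTC and TUNA mirrors and the explicit `trusted-public-keys` line is gone, so NAR signature checking now rests on Nix's built-in default key set (which includes `cache.nixos.org-1`); that is sound only as long as nothing else in the configuration overrides `trusted-public-keys`, and dropping `cuda-maintainers.cachix.org-1` means paths from that cache will no longer be substituted. I would keep `https://cache.nixos.org` as the last entry so a stale or unreachable mirror does not block substitution, and add a comment stating the intent: `# Mirrors of cache.nixos.org; NARs are still verified against the default cache.nixos.org-1 key`. As far as I recall a non-trusted user's `substituters` are only honoured by the daemon if the URLs are also in its `trusted-substituters`, so check that the system config lists these mirrors.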
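Review bot: The `permittedInsecurePackages` bump keeps `openssl-1.1.1w` and `electron-19.1.9` on the allow-list; both are branches that no longer receive upstream security fixes (1.1.1w is the final OpenSSL 1.1.1 release, and Electron 19 is long unsupported), so every package that links them inherits any unpatched CVEs. The permit is global to this nixpkgs evaluation, so any other package that happens to depend on these versions is silently allowed as well, not just wechat-uos. Extend the existing `# For wechat-uos` note to cover both entries and record a plan, e.g. `# EOL OpenSSL 1.1.1 / Electron 19, only for wechat-uos — revisit or isolate (container/firejail) rather than permitting system-wide`.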
@@ -46,4 +46,8 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.opengl = { + enable = true; + driSupport32Bit = false; + }; } diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 16a1c94..1d9fb88 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -6,8 +6,7 @@ networkmanager = { enable = true; dns = "systemd-resolved"; - # dns = "none"; - + # dns = "resolvconf"; }; }; @@ -16,9 +15,9 @@ extraConfig = '' [Resolve] Domains=~. - DNS=114.114.114.114 1.1.1.1 - DNSOverTLS=opportunistic + DNS=127.0.0.1 ''; + # DNSOverTLS=opportunistic }; # Configure network proxy if necessary diff --git a/machines/clash.nix b/machines/clash.nix index e6c76ca..fc90056 100644 --- a/machines/clash.nix +++ b/machines/clash.nix @@ -1,10 +1,5 @@ { config, lib, pkgs, ... }: { - sops = { - secrets.clash_subscription_link = { - owner = "xin"; - }; - }; systemd.timers."clash-config-update" = { wantedBy = [ "timers.target" ]; diff --git a/machines/sops.nix b/machines/sops.nix index 5c6a079..d3f04f8 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -2,8 +2,12 @@ { sops = { defaultSopsFile = ./secrets.yaml; + # TODO: How to generate this key when bootstrap? age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - # age.keyFile = "/var/lib/sops-nix/keys.txt"; - # age.generateKey = true; + secrets = { + clash_subscription_link = { + owner = "xin"; + }; + }; }; } \ No newline at end of file From 356f4e32f117f7a380def25502bd0b0831f327c1 Mon Sep 17 00:00:00 2001 
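Review bot: `DNS=127.0.0.1` under `Domains=~.` makes resolved forward every query to a resolver on loopback port 53 with no fallback, but nothing in this hunk says which service binds that socket (resolved's own stub is on 127.0.0.53, so it is not itself); if it is the dnscrypt-proxy2 module in `machines/dnscrypt.nix`, that module sets `networking.networkmanager.dns = "none"` while this file keeps `"systemd-resolved"`, which would be a conflicting definition if both are imported. The commented-out `DNSOverTLS=opportunistic` no longer protects anything for the loopback hop, so transport encryption now depends entirely on the local resolver's upstream configuration. I would annotate the `DNS=` line with the intended local resolver, e.g. `DNS=127.0.0.1  # dnscrypt-proxy2 listener (see ../dnscrypt.nix); no fallback on purpose`, and confirm that resolver really listens on 127.0.0.1:53.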
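Review bot: The host's `/etc/ssh/ssh_host_ed25519_key` now acts as the sole age identity for every secret in `secrets.yaml`, and the new `TODO: How to generate this key when bootstrap?` leaves the enrollment procedure undocumented. The usual sops-nix flow is: on the new host run `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` to derive the age recipient, add it to `.sops.yaml`, run `sops updatekeys machines/secrets.yaml`, then deploy — so I would replace the TODO with those steps. Keep in mind that anyone with root on a host (or a backup of its host key) can decrypt every secret shared with that host, so per-host secrets files limit the blast radius better than one shared `secrets.yaml`.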
From: xinyangli Date: Tue, 26 Sep 2023 23:32:52 +0800 Subject: [PATCH 023/136] calcite: replace clash with sing-box --- machines/calcite/configuration.nix | 2 +- machines/calcite/network.nix | 32 ++---- machines/clash.nix | 29 ------ machines/dnscrypt.nix | 28 ----- machines/secrets.yaml | 8 +- machines/sing-box.nix | 157 +++++++++++++++++++++++++++++ machines/sops.nix | 6 ++ 7 files changed, 177 insertions(+), 85 deletions(-) delete mode 100644 machines/clash.nix delete mode 100644 machines/dnscrypt.nix create mode 100644 machines/sing-box.nix diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 1b1abd4..b9f6809 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -7,7 +7,6 @@ ./hardware-configuration.nix ./network.nix ../sops.nix - ../clash.nix ]; # Bootloader. @@ -191,6 +190,7 @@ # Browser firefox chromium + brave microsoft-edge # Writting diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 1d9fb88..3689211 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -1,31 +1,20 @@ { pkgs, ...}: { + imports = [ + ../sing-box.nix + ]; + # Enable networking networking = { networkmanager = { enable = true; dns = "systemd-resolved"; - # dns = "resolvconf"; }; }; services.resolved = { enable = true; - extraConfig = '' - [Resolve] - Domains=~. - DNS=127.0.0.1 - ''; - # DNSOverTLS=opportunistic - }; - - # Configure network proxy if necessary - networking.proxy = { - allProxy = "socks5://127.0.0.1:7891/"; - httpProxy = "http://127.0.0.1:7890/"; - httpsProxy = "http://127.0.0.1:7890/"; - noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net"; }; # Enable Tailscale 
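Review bot: With the `extraConfig` block gone, `services.resolved` has no `DNS=`/`Domains=~.` any more, so name resolution falls back to whatever the link (DHCP) hands NetworkManager, in plaintext; the imported sing-box configuration only diverts those queries to its DoH servers while its tun inbound is up (the route rule `{ outbound = "dns-out"; protocol = "dns"; }` together with `sniff = true`), so when sing-box is stopped queries go unencrypted to the ISP resolver and the earlier `DNSOverTLS=opportunistic` protection is gone as well. If fail-open is intended, say so next to `services.resolved.enable = true;`, e.g. `# Upstream DNS comes from the link; sing-box's tun redirects it to DoH while running — no DoT fallback`; otherwise keep `DNSOverTLS=opportunistic` here. Dropping `networking.proxy` is consistent with moving to a tun, but the `noProxy` entries (`.coho-tet.ts.net`) disappear with it, so Tailscale traffic is now direct only if sing-box's `geoip = "private"` rule covers 100.64.0.0/10 — as far as I recall it does, but worth confirming.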
@@ -33,15 +22,15 @@ # services.tailscale.useRoutingFeatures = "both"; # Open ports in the firewall. + networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ ]; networking.firewall.allowedUDPPorts = [ 41641 ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; networking.firewall.trustedInterfaces = [ + "tun0" "tailscale0" ]; - - programs.steam.remotePlay.openFirewall = true; + # Use nftables to manager firewall + networking.nftables.enable = true; # Add gsconnect, open firewall programs.kdeconnect = { @@ -53,9 +42,4 @@ enable = true; package = pkgs.wireshark-qt; }; - - # services.gnome.gnome-remote-desktop.enable = true; - # services.xrdp.enable = true; - # services.xrdp.openFirewall = true; - # services.xrdp.defaultWindowManager = icewm; } diff --git a/machines/clash.nix b/machines/clash.nix deleted file mode 100644 index fc90056..0000000 --- a/machines/clash.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - - systemd.timers."clash-config-update" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnUnitActiveSec = "1d"; - Unit = "clash-config-update.service"; - }; - }; - - systemd.services."clash-config-update" = { - script = '' - ${pkgs.curl}/bin/curl $(${pkgs.coreutils}/bin/cat ${config.sops.secrets.clash_subscription_link.path}) > /tmp/config.yaml && mv /tmp/config.yaml /home/xin/.config/clash/ - ''; - serviceConfig = { - Type = "oneshot"; - User= "xin"; - }; - }; - - systemd.services.clash = { - enable = true; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.clash}/bin/clash -d /home/xin/.config/clash"; - }; - -} diff --git a/machines/dnscrypt.nix b/machines/dnscrypt.nix deleted file mode 100644 index 3ecdcb8..0000000 --- a/machines/dnscrypt.nix +++ /dev/null 
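Review bot: Adding `"tun0"` to `networking.firewall.trustedInterfaces` accepts every inbound packet on that interface unconditionally, which is broader than needed: the sing-box tun inbound in `../sing-box.nix` (`inet4_address = "172.19.0.1/30"`, `auto_route = true`) only needs the kernel to route outbound traffic into it, not to accept unsolicited connections from it. `tun0` is also the default name OpenVPN and similar clients pick, so the grant can silently apply to a different tunnel later; I believe sing-box itself defaults to `tun0` on Linux, so if this was needed to stop nftables from dropping the tun's return traffic, pin the name explicitly in the inbound (`interface_name = "sing-box0";`) and trust that, with a comment explaining why it must be trusted. Keeping `networking.firewall.enable = true` explicit and switching to nftables is good.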
@@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.dnscrypt-proxy2 = { - enable = true; - settings = { - ipv6_servers = false; - require_dnssec = true; - sources = { - public-resolvers = { - urls = [ - "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; - cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; - minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; - }; - }; - server_names = [ "cloudflare" "tuna-doh-ipv4" ]; - }; - }; - - networking.networkmanager.dns = "none"; - - # dns - systemd.services.dnscrypt-proxy2.serviceConfig = { - StateDirectory = "dnscrypt-proxy"; - }; -} diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 97a4df9..9006057 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
@@ -2,6 +2,8 @@ clash_subscription_link: ENC[AES256_GCM,data:Vwy0c8gOeR1XG/QNp8TGuBe/5kezD7SSStN autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str] autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str] github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] +singbox_domain: ENC[AES256_GCM,data:26WBV6F6JsdR81BzFbeFA0c8,iv:SRkEJdAxH/0in5oq7kCz6sBeMQzjDcV9242SqwFwMis=,tag:u6sn2Xs3Pwsmo8xwAfObCA==,type:str] +singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -35,8 +37,8 @@ sops: dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-22T02:00:48Z" - mac: ENC[AES256_GCM,data:DXQaCRuD4trEjIFvVAGF3/F/AiUcIOKGmqKKF/S7tJ51ZGXIh64g7vXZhZC22UxGs2pYU/gQOfA58cSxrHav0hmA0KbidLGA2ySRzVCSP3IH2jLx9KXdYv6SIS5I3MRMUqf7ZH+5rtdjTrrYBDWZrDzB9T7naMn1BujMqi+SwsU=,iv:QrFcEz7sxC0kbRtFr45cUaT4VosFq5ICtF3HOZ3If9I=,tag:Ste0v4xcONasn182R2ZyFw==,type:str] + lastmodified: "2023-09-26T15:10:12Z" + mac: ENC[AES256_GCM,data:R1y2LCVbIcJ4hHLrgRT+H45jdSPUIE8uuW1EoJattnciLExlpZzNtuUxV6yVUKoUxh/Bdl4gUwRP6YINegMflUJIlby9vUyDTVAwzFpk5p4Ev0YF/X8ZgXcerwOZjEkHqekqEtDjEsnOt2U41XsXOzQsFXkmWl/aBRlxGYiTHcU=,iv:jFM3EKnTIJbBP1FHw3t7Q1+NvGIQYWtVCV+4Z9snPIQ=,tag:NkdeGL6IFA0iQoUqWmPZgw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.0 diff --git a/machines/sing-box.nix b/machines/sing-box.nix new file mode 100644 index 0000000..c77aefc --- /dev/null +++ b/machines/sing-box.nix 
@@ -0,0 +1,157 @@
+{ config, lib, pkgs, ... }:
+let
+ server = {
+ _secret = config.sops.secrets.singbox_domain.path;
+ };
+ password = {
+ _secret = config.sops.secrets.singbox_password.path;
+ };
+ uuid = {
+ _secret = config.sops.secrets.singbox_password.path;
+ };
+in
+{
+ services.sing-box = {
+ enable = true;
+ settings = {
+ log = { level = "warning"; };
+ experimental = {
+ clash_api = {
+ external_controller = "127.0.0.1:9090";
+ store_selected = true;
+ external_ui = "${config.nur.repos.linyinfeng.yacd}";
+ };
+ };
+ dns = {
+ rules = [
+ {
+ disable_cache = true;
+ geosite = "category-ads-all";
+ server = "_dns_block";
+ }
+ {
+ geosite = "cn";
+ server = "_dns_doh_mainland";
+ }
+ {
+ domain_suffix = "tiktokuu.xyz";
+ server = "_dns_doh_mainland";
+ }
+ ];
+ servers = [
+ {
+ address = "https://cloudflare-dns.com/dns-query";
+ address_strategy = "prefer_ipv4";
+ address_resolver = "_dns_doh_mainland";
+ detour = "_proxy_select";
+ tag = "_dns_global";
+ }
+ {
+ address = "119.29.29.29";
+ detour = "direct";
+ tag = "_dns_udp_mainland";
+ }
+ {
+ address = "https://doh.pub/dns-query";
+ address_resolver = "_dns_udp_mainland";
+ detour = "direct";
+ tag = "_dns_doh_mainland";
+ }
+ {
+ address = "rcode://success";
+ tag = "_dns_block";
+ }
+ ];
+ strategy = "prefer_ipv4";
+ final = "_dns_global";
+ disable_cache = false;
+ };
+ inbounds = [
+ {
+ type = "mixed";
+ tag = "mixed-in";
+ listen = "127.0.0.1";
+ listen_port = 7891;
+ }
+ {
+ type = "tun";
+ tag = "tun-in";
+ auto_route = true;
+ strict_route = false;
+ inet4_address = "172.19.0.1/30";
+ sniff = true;
+ }
+ ];
+ route = {
+ auto_detect_interface = true;
+ final = "_proxy_select";
+ rules = [
+ { outbound = "dns-out"; protocol = "dns"; }
+ {
+ geoip = "cn";
+ geosite = "cn";
+ outbound = "direct";
+ }
+ { geoip = "private"; outbound = "direct"; }
+ {
+ geosite = "cn";
+ geoip = "cn";
+ invert = true;
+ outbound = "_proxy_select";
+ }
+ ];
+ };
+ outbounds = [
+ { default = "auto"; outbounds = [ 
"auto" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }
+ { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; }
+ { tag = "direct"; type = "direct"; }
+ { tag = "block"; type = "block"; }
+ { tag = "dns-out"; type = "dns"; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12001; tag = "香港SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12002; tag = "香港SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12003; tag = "香港SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12004; tag = "香港SS-04"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12011; tag = "日本SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12012; tag = "日本SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12013; tag = "日本SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12021; tag = "美国SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12022; tag = "美国SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port 
= 12023; tag = "美国SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12031; tag = "台湾SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12032; tag = "台湾SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12033; tag = "台湾SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server password; method = "aes-128-gcm"; server_port = 12034; tag = "台湾SS-04"; type = "shadowsocks"; udp_over_tcp = false; }
+ { inherit server uuid; security = "auto"; server_port = 1201; tag = "香港中继1"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1202; tag = "香港中继2"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1203; tag = "香港中继3"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1204; tag = "香港中继4"; transport = { path = "/"; type = "ws"; }; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1205; tag = "香港中继5"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1206; tag = "香港中继6"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1207; tag = "香港中继7"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1208; tag = "香港中继8"; transport = { path = "/"; type = "ws"; }; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1211; tag = "日本中继1"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1212; tag = "日本中继2"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1213; tag = "日本中继3"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1214; tag = "日本中继4"; type = "vmess"; }
+ { inherit server uuid; security = "auto"; server_port = 1231; tag = "美国中继1"; type = "vmess"; }
+ { inherit server uuid; security 
= "auto"; server_port = 1232; tag = "美国中继2"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1233; tag = "美国中继3"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1234; tag = "美国中继4"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1235; tag = "美国中继5"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1236; tag = "美国中继6"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1237; tag = "美国中继7"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1238; tag = "美国中继8"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1241; tag = "新加坡中继1"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1242; tag = "新加坡中继2"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1261; tag = "台湾中继1"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1262; tag = "台湾中继2"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1263; tag = "台湾中继3"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1264; tag = "台湾中继4"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1265; tag = "台湾中继5"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1266; tag = "台湾中继6"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1251; tag = "韩国中继1"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1252; tag = "韩国中继2"; type = "vmess"; } + ]; + }; + }; +} diff --git a/machines/sops.nix b/machines/sops.nix index d3f04f8..f2b93f3 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -8,6 +8,12 @@ clash_subscription_link = { owner = "xin"; }; + singbox_password = { + owner = "xin"; + }; + singbox_domain = { + owner = "xin"; + }; }; }; } \ No newline at end of file 
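Review bot: In the `let` block, `uuid` points at `config.sops.secrets.singbox_password.path`, the same file as `password`, so every `vmess` outbound is handed the Shadowsocks password as its `uuid`; unless the provider really issues one value for both, those outbounds will fail authentication, and a dedicated secret (`uuid = { _secret = config.sops.secrets.singbox_uuid.path; };`) makes the intent explicit either way. The Clash API on `127.0.0.1:9090` is configured without a `secret`, so any local process or user can inspect and switch outbounds (and `store_selected = true` persists that choice); add `secret = { _secret = config.sops.secrets.singbox_api_secret.path; };` or at least a comment accepting the loopback-only exposure. The `mixed` inbound on `127.0.0.1:7891` is likewise unauthenticated but loopback-bound, which is the usual trade-off if documented. `strict_route = false` with `auto_route = true` leaves the host able to bypass the tun when sing-box is down; call that out as intentional if it is.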
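Review bot: `singbox_password` and `singbox_domain` are declared with `owner = "xin"` and the sops-nix default mode (0400), but their consumer is `services.sing-box`, which the NixOS module runs under its own service user (DynamicUser, as far as I recall) and which substitutes the `_secret` paths into the config at service start; if that substitution runs as the service user it cannot read a file owned by `xin`. Either grant the secret to the service (`owner` set to the sing-box user, or `mode = "0440"` with a shared group) or verify that the module's secret replacement runs with root privileges before relying on this. A one-line comment naming the intended reader of each secret, e.g. `# read by services.sing-box at start-up`, would settle the question for the next reader.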
From 7c447b4872be05cbf887c1e3d829ebb0d820e328 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 27 Sep 2023 02:32:27 +0800 Subject: [PATCH 024/136] calcite: add microsoft intune service --- flake.lock | 64 ++++++++++++------------------ flake.nix | 20 +++++----- machines/calcite/configuration.nix | 2 + 3 files changed, 38 insertions(+), 48 deletions(-) diff --git a/flake.lock b/flake.lock index 81619de..a242d44 100644 --- a/flake.lock +++ b/flake.lock @@ -74,11 +74,11 @@ ] }, "locked": { - "lastModified": 1695224363, - "narHash": "sha256-+hfjJLUMck5G92RVFDZA7LWkR3kOxs5zQ7RPW9t3eM8=", + "lastModified": 1695738267, + "narHash": "sha256-LTNAbTQ96xSj17xBfsFrFS9i56U2BMLpD0BduhrsVkU=", "owner": "nix-community", "repo": "home-manager", - "rev": "408ba13188ff9ce309fa2bdd2f81287d79773b00", + "rev": "0f4e5b4999fd6a42ece5da8a3a2439a50e48e486", "type": "github" }, "original": { @@ -91,14 +91,16 @@ "inputs": { "flake-compat": "flake-compat", "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1695345913, - "narHash": "sha256-TkCmI8cLQ02HW9jW2HEquQZ1u1ljeOlEFMU+9PS2tLg=", + "lastModified": 1695691129, + "narHash": "sha256-tUbgZOgmR/9vh4yvW3Bw6Xd+1f4DDcEI/EoqbO0SOuI=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "8f30a4bcd475bff9f23097e4450754ec068523b2", + "rev": "bd2d4d8c383ca5236a174742ef2d8d42307de40f", "type": "github" }, "original": { @@ -130,11 +132,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1695109627, - "narHash": "sha256-4rpyoVzmunIG6xWA/EonnSSqC69bDBzciFi6SjBze/0=", + "lastModified": 1695541019, + "narHash": "sha256-rs++zfk41K9ArWkDAlmBDlGlKO8qeRIRzdjo+9SmNFI=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "cb4dc98f776ddb6af165e6f06b2902efe31ca67a", + "rev": "61283b30d11f27d5b76439d43f20d0c0c8ff5296", "type": "github" }, "original": { 
@@ -146,15 +148,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1684570954, - "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=", - "owner": "NixOS", + "lastModified": 1695750249, + "narHash": "sha256-uE7t9hJwa6ngwWvOiQxVpWRX8iOWgiU7+STXbTFttMI=", + "owner": "xinyangli", "repo": "nixpkgs", - "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3", + "rev": "0e6469c77887662764a5e65808641b1ecf6d106c", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "xinyangli", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" @@ -162,11 +164,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1695272228, - "narHash": "sha256-4uw2OdJPVyjdB+xcDst9SecrNIpxKXJ2usN3M5HVa7o=", + "lastModified": 1695559356, + "narHash": "sha256-kXZ1pUoImD9OEbPCwpTz4tHsNTr4CIyIfXb3ocuR8sI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "55ac2a9d2024f15c56adf20da505b29659911da8", + "rev": "261abe8a44a7e8392598d038d2e01f7b33cf26d0", "type": "github" }, "original": { @@ -193,22 +195,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 1695145219, - "narHash": "sha256-Eoe9IHbvmo5wEDeJXKFOpKUwxYJIOxKUesounVccNYk=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5ba549eafcf3e33405e5f66decd1a72356632b96", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1694760568, "narHash": "sha256-3G07BiXrp2YQKxdcdms22MUx6spc6A++MSePtatCYuI=", @@ -226,11 +212,11 @@ }, "nur": { "locked": { - "lastModified": 1695395799, - "narHash": "sha256-D/SfJk+w2AknDWfR4KX5lEs/1zYtpq814oQfwEpmXC0=", + "lastModified": 1695750428, + "narHash": "sha256-IAT2N9tmdV6Rp2UYQsF/dv7d6iUsgmW9OtPa8D6TzAQ=", "owner": "nix-community", "repo": "NUR", - "rev": "e256049bbaab62633de72dd14be51a8f592d6631", + "rev": "e0da1a7ac4f93eec44939d6f75eaa5b7242a179f", "type": "github" }, "original": { 
@@ -246,7 +232,7 @@ "nix-vscode-extensions": "nix-vscode-extensions", "nixos-cn": "nixos-cn", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable", "nur": "nur", "sops-nix": "sops-nix" @@ -254,7 +240,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { diff --git a/flake.nix b/flake.nix index 4ca0638..7153504 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { inputs = { # Pin nixpkgs to a specific commit - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:xinyangli/nixpkgs/nixos-unstable"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; home-manager = { @@ -9,20 +9,22 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + nix-vscode-extensions = { + url = "github:nix-community/nix-vscode-extensions"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixos-cn = { + url = "github:nixos-cn/flakes"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nur.url = "github:nix-community/NUR"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; - nixos-cn = { - url = "github:nixos-cn/flakes"; - # Use the same nixpkgs - inputs.nixpkgs.follows = "nixpkgs"; - }; - sops-nix.url = "github:Mic92/sops-nix"; - nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; - flake-utils.url = "github:numtide/flake-utils"; }; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index b9f6809..4977976 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -100,6 +100,8 @@ systemd.services."getty@tty1".enable = false; systemd.services."autovt@tty1".enable = false; + services.intune.enable = true; + # Allow unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ From 4a8df3675e40107689dbca91522b39c466f14a00 Mon Sep 17 00:00:00 2001 
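Review bot: `nixpkgs.url` now points at `github:xinyangli/nixpkgs/nixos-unstable`, a personal fork, so every system in this flake (and, through `follows`, home-manager, nix-vscode-extensions and nixos-cn) is built from code that only receives upstream security fixes when that branch is rebased; the `# Pin nixpkgs to a specific commit` comment above it is also no longer accurate, since it tracks a moving branch. Replace the comment with the reason for the fork and how it is kept in sync, e.g. `# Fork of nixos-unstable carrying <patch>; rebase onto upstream before each 'nix flake update'`, and consider carrying the change as a patch or overlay on upstream nixpkgs instead, which keeps the supply chain auditable.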
From: xinyangli Date: Thu, 28 Sep 2023 19:16:45 +0800 Subject: [PATCH 025/136] calcite: add emulatex aarch64 support --- home/xin/common/default.nix | 1 + machines/calcite/configuration.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 6681fb7..a4ee121 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -17,6 +17,7 @@ dig du-dust # du + rust zoxide # autojumper + ripgrep file man-pages unar diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 4977976..7fdab31 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -16,6 +16,7 @@ # boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ]; boot.supportedFilesystems = [ "ntfs" ]; + boot.binfmt.emulatedSystems = ["aarch64-linux"]; networking.hostName = "calcite"; From b3744b41ceb96bea7c880cedd26ec1610797f2e1 Mon Sep 17 00:00:00 2001 From: Xinyang Li Date: Thu, 28 Sep 2023 10:58:29 +0000 Subject: [PATCH 026/136] massicot: add kanidm service --- flake.lock | 58 ++++++++++++++++------------------ flake.nix | 3 +- machines/massicot/services.nix | 50 +++++++++++++++++++++++++++-- 3 files changed, 76 insertions(+), 35 deletions(-) diff --git a/flake.lock b/flake.lock index e4691a0..44f32e4 100644 --- a/flake.lock +++ b/flake.lock @@ -128,11 +128,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1692799911, - "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { 
@@ -181,11 +181,11 @@ ] }, "locked": { - "lastModified": 1694375657, - "narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=", + "lastModified": 1694469544, + "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=", "owner": "nix-community", "repo": "home-manager", - "rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7", + "rev": "5171f5ef654425e09d9c2100f856d887da595437", "type": "github" }, "original": { @@ -201,11 +201,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1694395166, - "narHash": "sha256-F0SRxtFF8EsEff6cRO81NdCpVz/S761ytETNqRkRwU4=", + "lastModified": 1694481387, + "narHash": "sha256-1v5DT/8PmFl9UJHRq6BeMcDTSqXIYjVBilcVFt+vRN0=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "e6c8e1659000d07804526e42b99fa5f15190c324", + "rev": "3901c1225944eda6c85f09a57c338f87f06748d2", "type": "github" }, "original": { @@ -237,11 +237,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1693718952, - "narHash": "sha256-+nGdJlgTk0MPN7NygopipmyylVuAVi7OItIwTlwtGnw=", + "lastModified": 1694432324, + "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "793de77d9f83418b428e8ba70d1e42c6507d0d35", + "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779", "type": "github" }, "original": { @@ -269,11 +269,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1694304580, - "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=", + "lastModified": 1694426803, + "narHash": "sha256-osusXQo0zkEqs502SNMffsKp1O9evpDM54A37MuyT2Q=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760", + "rev": "9a74ffb2ca1fc91c6ccc48bd3f8cbc1501bf7b8a", "type": "github" }, "original": { 
@@ -301,27 +301,23 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1694183432, - "narHash": "sha256-YyPGNapgZNNj51ylQMw9lAgvxtM2ai1HZVUu3GS8Fng=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b", - "type": "github" + "lastModified": 1694538145, + "narHash": "sha256-/+X6c5mT4Yce7L21Dw+UynDomPQQya2WRaMAO7aotGY=", + "path": "/home/xin/nixpkgs", + "type": "path" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "path": "/home/xin/nixpkgs", + "type": "path" } }, "nur": { "locked": { - "lastModified": 1694400936, - "narHash": "sha256-MOUf6iF1B5jw25xWgRTj47L2lS32F5wIACEErYqq2n0=", + "lastModified": 1694533535, + "narHash": "sha256-De7zRSSjw/UQmPxqUB5+acgE0kx9v7+w5mndk1M9clQ=", "owner": "nix-community", "repo": "NUR", - "rev": "1850109f159c735841f7f6a51100b05d5b055113", + "rev": "140724f176a3a6d4b193b6da8eb7659d13f2fa9a", "type": "github" }, "original": { @@ -396,11 +392,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1693898833, - "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=", + "lastModified": 1694495315, + "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623", + "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index d84f120..a6be7dc 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,8 @@ { inputs = { # Pin nixpkgs to a specific commit - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "path:/home/xin/nixpkgs"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; home-manager = { diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 161b83b..3fee0e6 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
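Review bot: `nixpkgs.url = "path:/home/xin/nixpkgs"` makes the flake evaluable only on the machine that has that directory, and the lock now records just a `path` with no `rev`, so the exact nixpkgs that built this kanidm deployment is not recoverable from the repository; that undermines both reproducibility and the ability to audit what went onto a public identity provider. If a local checkout is needed to test an unmerged change, keep it out of the committed flake (`nix build --override-input nixpkgs /home/xin/nixpkgs`) and leave the committed input on a pinned upstream or fork revision.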
@@ -1,5 +1,27 @@ { config, pkgs, inputs, ... }: +let + kanidm_listen_port = 5324; +in { + security.acme = { + acceptTerms = true; + certs."auth.xinyang.life" = { + email = "lixinyang411@gmail.com"; + listenHTTP = "127.0.0.1:1360"; + group = "kanidm"; + }; + }; + services.kanidm = { + enableServer = true; + serverSettings = { + domain = "auth.xinyang.life"; + origin = "https://auth.xinyang.life"; + bindaddress = "[::]:${toString kanidm_listen_port}"; + tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; + tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; + # db_path = "/var/lib/kanidm/kanidm.db"; + }; + }; services.matrix-conduit = { enable = true; # package = inputs.conduit.packages.${pkgs.system}.default; @@ -20,8 +42,13 @@ host = "xinyang.life"; letsencrypt-enabled = false; bind-address = "localhost"; - landing-page-user = "me"; instance-expose-public-timeline = true; + oidc-enabled = true; + oidc-idp-name = "Kanidm"; + oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts"; + oidc-client-id = "gts"; + oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5"; + oidc-link-existing = true; }; }; 
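Review bot: `bindaddress = "[::]:5324"` exposes the kanidm listener on every interface even though Caddy fronts it; the host firewall (only 80/443/8448 are opened elsewhere in this file) is then the only thing keeping it private, so binding to `[::1]:5324` and proxying to that removes the dependency on firewall state. The ACME certificate is obtained through a standalone `listenHTTP = "127.0.0.1:1360"` responder rather than by Caddy, presumably because kanidm needs the PEM files itself; say so in a comment, e.g. `# Issued via lego's standalone HTTP-01 listener (proxied by Caddy on :80) so kanidm can terminate TLS directly`. The module's attribute set continues past the hunk.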
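Review bot: `oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5"` commits a live OAuth client secret to git and, because `services.gotosocial.settings` is rendered into the Nix store, also leaves it world-readable under `/nix/store` on the host; this repository already uses sops-nix, so the value belongs in `secrets.yaml`. The GoToSocial module provides `services.gotosocial.environmentFile` for this (GoToSocial reads `GTS_OIDC_CLIENT_SECRET` from the environment), so drop the key here, add a sops secret whose content is `GTS_OIDC_CLIENT_SECRET=…`, and point `environmentFile` at its path. Since the value is now in history, rotate the client secret in kanidm after moving it. As I understand it `oidc-link-existing = true` lets an IdP identity attach to any existing local account with a matching e-mail; acceptable for a single-user instance, but worth a comment.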
@@ -53,15 +80,32 @@ header Access-Control-Allow-Origin "*" respond `{"m.server": "xinyang.life:443"}` } - reverse_proxy * http://localhost:8080 { flush_interval -1 } ''; virtualHosts."git.xinyang.life:443".extraConfig = '' - tls internal reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} ''; + + virtualHosts."http://auth.xinyang.life:80".extraConfig = '' + reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} + route { + reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first + abort + } + ''; + virtualHosts."https://auth.xinyang.life:443".extraConfig = '' + reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} { + header_up Host {upstream_hostport} + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; + # + # respond `Hello World` + }; networking.firewall.allowedTCPPorts = [ 80 443 8448 ]; From 7bc160d20a5524f40ed84e21d4513e455b26df55 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Oct 2023 11:52:54 +0800 Subject: [PATCH 027/136] massicot: update kanidm to 1.1.0-rc.14-dev --- flake.lock | 58 ++++++++++++++++++++----------------- flake.nix | 29 +++++++++++++++++-- home/xin/common/default.nix | 2 -- 3 files changed, 58 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index 44f32e4..5fcba7d 100644 --- a/flake.lock +++ b/flake.lock @@ -181,11 +181,11 @@ ] }, "locked": { - "lastModified": 1694469544, - "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=", + "lastModified": 1695984718, + "narHash": "sha256-LQwKgaaaFOkIcxarf0xQXeDJFwZ5BZWcgmPeo3xp2CM=", "owner": "nix-community", "repo": "home-manager", - "rev": "5171f5ef654425e09d9c2100f856d887da595437", + "rev": "4f02e35f9d150573e1a710afa338846c2f6d850c", "type": "github" }, "original": { 
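Review bot: The `http://auth.xinyang.life:80` vhost proxies every plaintext request to the ACME challenge listener — the bare `reverse_proxy` line has no matcher, and the `route { reverse_proxy * … order first; abort }` block would do the same (I do not think `order first` is a valid `reverse_proxy` subdirective, so check that Caddy even accepts this Caddyfile) — so nothing on port 80 is ever redirected to HTTPS and the challenge responder sees arbitrary traffic. Restrict the proxy to `/.well-known/acme-challenge/*` and redirect everything else, as below. In the HTTPS vhost, proxying to `https://auth.xinyang.life:5324` resolves the public name and relies on the host reaching its own public address; `https://127.0.0.1:5324` with the existing `tls_server_name` is explicit and works with a loopback-bound kanidm. Dropping `tls internal` on `git.xinyang.life` means Caddy now requests a public certificate, which is fine but deserves a mention in the commit message.
```nix
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
  handle /.well-known/acme-challenge/* {
    reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
  }
  handle {
    redir https://{host}{uri} permanent
  }
'';
# … unchanged: https://auth.xinyang.life:443 vhost and firewall ports …
```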
@@ -201,11 +201,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1694481387, - "narHash": "sha256-1v5DT/8PmFl9UJHRq6BeMcDTSqXIYjVBilcVFt+vRN0=", + "lastModified": 1696036838, + "narHash": "sha256-GmzS2RWWG98Lw/NsXlBpVxBfH9deP6UtyB/IKj/vKUw=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "3901c1225944eda6c85f09a57c338f87f06748d2", + "rev": "d9c11ddc1817497981466faba1fc7b8d1ea4f865", "type": "github" }, "original": { @@ -237,11 +237,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1694432324, - "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=", + "lastModified": 1695887975, + "narHash": "sha256-u3+5FR12dI305jCMb0fJNQx2qwoQ54lv1tPoEWp0hmg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779", + "rev": "adcfd6aa860d1d129055039696bc457af7d50d0e", "type": "github" }, "original": { @@ -269,11 +269,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1694426803, - "narHash": "sha256-osusXQo0zkEqs502SNMffsKp1O9evpDM54A37MuyT2Q=", + "lastModified": 1695825837, + "narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9a74ffb2ca1fc91c6ccc48bd3f8cbc1501bf7b8a", + "rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e", "type": "github" }, "original": { @@ -285,11 +285,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1693675694, - "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=", + "lastModified": 1694908564, + "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d", + "rev": "596611941a74be176b98aeba9328aa9d01b8b322", "type": "github" }, "original": { 
@@ -301,23 +301,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1694538145, - "narHash": "sha256-/+X6c5mT4Yce7L21Dw+UynDomPQQya2WRaMAO7aotGY=", - "path": "/home/xin/nixpkgs", - "type": "path" + "dirtyRev": "5b78f2a4b69d95016f8dd9f2e931cbf83d4dab07-dirty", + "dirtyShortRev": "5b78f2a4-dirty", + "lastModified": 1695994956, + "narHash": "sha256-cFTJutLWWzMhidPHVDgBjdr4BtarTshnbAnvGbGvfOg=", + "shallow": true, + "type": "git", + "url": "file:///home/xin/repo/GitHub/xinyangli/nixpkgs" }, "original": { - "path": "/home/xin/nixpkgs", - "type": "path" + "shallow": true, + "type": "git", + "url": "file:///home/xin/repo/GitHub/xinyangli/nixpkgs" } }, "nur": { "locked": { - "lastModified": 1694533535, - "narHash": "sha256-De7zRSSjw/UQmPxqUB5+acgE0kx9v7+w5mndk1M9clQ=", + "lastModified": 1696042552, + "narHash": "sha256-/n20VRUYywPiV5MS9eUoFMbuvX8m0gM3pHdKHW8Ah64=", "owner": "nix-community", "repo": "NUR", - "rev": "140724f176a3a6d4b193b6da8eb7659d13f2fa9a", + "rev": "33b3ce67676a10b875dc58d187120b47e61b90a3", "type": "github" }, "original": { @@ -392,11 +396,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1694495315, - "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=", + "lastModified": 1695284550, + "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415", + "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a6be7dc..0a388ab 100644 --- a/flake.nix +++ b/flake.nix @@ -1,8 +1,7 @@ { inputs = { - # Pin nixpkgs to a specific commit # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs.url = "path:/home/xin/nixpkgs"; + nixpkgs.url = "/home/xin/repo/GitHub/xinyangli/nixpkgs"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; home-manager = { 
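Review bot: `nixpkgs.url = "/home/xin/repo/GitHub/xinyangli/nixpkgs"` pins every host in this flake to an uncommitted local checkout; the lock written in the same commit records `dirtyRev: "5b78f2a4…-dirty"` and `shallow: true`, so the build cannot be reproduced from the repository and nothing ties the evaluated nixpkgs to a reviewed revision — which matters more now that builds are farmed out to nixbuild.net and deployed with colmena. If a patched nixpkgs is required, push it and reference `github:xinyangli/nixpkgs/<branch>` (or `?rev=…`) so the lock captures an immutable rev and `narHash`; for a local experiment, `nix build --override-input nixpkgs path:…` leaves the committed lock clean. Commit 032 later in this series does move back to `github:nixos/nixpkgs/nixos-unstable`, so this is mainly a history-hygiene point.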
@@ -67,6 +66,25 @@ nixosModules = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; + machinesFile = ./nixbuild.net; + }; + + massicot = { name, nodes, pkgs, ... }: with inputs; { + deployment.targetHost = "***REMOVED***"; + deployment.targetUser = "root"; + + imports = [ + { nixpkgs.system = "aarch64-linux"; } + machines/massicot + ]; + }; + }; + nixosConfigurations.calcite = mkNixos { system = "x86_64-linux"; modules = [ @@ -84,6 +102,13 @@ ]; }; + nixosConfigurations.dolomite = mkNixos { + system = "x86_64-linux"; + modules = [ + machines/dolomite + ]; + }; + nixosConfigurations.raspite = mkNixos { system = "aarch64-linux"; modules = [ diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index da76694..3c665c6 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -9,8 +9,6 @@ nix.settings = { experimental-features = [ "nix-command" "flakes" ]; auto-optimise-store = true; - substituters = "https://cache.nixos.org https://mirrors.ustc.edu.cn/nix-channels/store https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store https://cache.nixos.org/ https://cuda-maintainers.cachix.org"; - trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="; }; From 243de7213b2c777a88ec3de5db7fc914ee7b30c3 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Oct 2023 11:53:16 +0800 Subject: [PATCH 028/136] massicot: gitea -> forgejo --- machines/massicot/services.nix | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 3fee0e6..c81fe41 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
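Review bot: `deployment.targetUser = "root"` makes every colmena deploy an SSH session as root, so massicot must keep root SSH login enabled (key-only, given the `PasswordAuthentication = false` visible in a later hunk of its config) and the operator's workstation key becomes a standing root credential for the host; if that is the intended model, a comment saying so next to the line helps the next reader. Colmena can deploy as an unprivileged user that has passwordless `sudo` on the target, which is what commit 033 in this series appears to set up for `xin`, so switching to `deployment.targetUser = "xin";` there and disabling root SSH login would close one door. The `machines/massicot` module imported here is outside this hunk.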
@@ -52,14 +52,31 @@ in }; }; - services.gitea = { + services.forgejo = { enable = true; - package = pkgs.forgejo; settings = { service.DISABLE_REGISTRATION = true; server = { ROOT_URL = "https://git.xinyang.life/"; }; + repository = { + ENABLE_PUSH_CREATE_USER = true; + }; + service = { + ENABLE_BASIC_AUTHENTICATION = false; + }; + oauth2 = { + ENABLE = false; # Disable forgejo as oauth2 provider + }; + oauth2_client = { + ACCOUNT_LINKING = "auto"; + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = true; + OPENID_CONNECT_SCOPES = "openid profile email"; + }; + other = { + SHOW_FOOTER_VERSION = false; + }; }; }; @@ -98,6 +115,7 @@ in virtualHosts."https://auth.xinyang.life:443".extraConfig = '' reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} { header_up Host {upstream_hostport} + header_down Access-Control-Allow-Origin "*" transport http { tls_server_name ${config.services.kanidm.serverSettings.domain} } From 3168385c71abab905b3a6a925aa0aacca5a8fa6f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Oct 2023 11:53:31 +0800 Subject: [PATCH 029/136] massicot: add mosh --- machines/massicot/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 8dd59d5..9d48c08 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -32,6 +32,7 @@ PasswordAuthentication = false; }; }; + programs.mosh.enable = true; systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; From 103ab720c509c9f52890355956d67605c611b518 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 6 Oct 2023 22:03:47 +0800 Subject: [PATCH 030/136] add colmena --- .gitattributes | 1 + flake.nix | 21 +++++++++++++++++++-- nixbuild.net | 1 + 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 .gitattributes create mode 100644 nixbuild.net diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..88bb85c --- /dev/null 
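Review bot: `oauth2_client.ACCOUNT_LINKING = "auto"` together with `ENABLE_AUTO_REGISTRATION = true` lets a first-time OIDC login be attached to an existing local Forgejo account matched by e-mail, so whoever controls an e-mail claim at the IdP can take over the matching local account; that is acceptable only while Kanidm is the sole IdP and its users' mail attributes are admin-managed, which this config does not state. Either record that assumption in a comment, e.g. `# "auto" linking is safe only because Kanidm (admin-managed mail) is the only OIDC source`, or use `ACCOUNT_LINKING = "login"` so linking requires the existing account's own credentials. `ENABLE_BASIC_AUTHENTICATION = false` is a good complement, though it disables password basic auth only — API tokens still work.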
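Review bot: `header_down Access-Control-Allow-Origin "*"` is applied to every response from the Kanidm vhost, not just the OIDC discovery and JWKS documents that actually need cross-origin fetches, so any page the IdP serves becomes readable by scripts on arbitrary origins for non-credentialed requests. Browsers refuse to send cookies under a wildcard origin, which limits the blast radius, but scoping it is cheap: split the vhost into a `handle @oidc` block (matcher like `@oidc path /oauth2/openid/* /oauth2/token* /.well-known/*`) that carries the header and a default `handle` without it, or drop the line if the Kanidm version in use already emits its own CORS headers on those endpoints (not verifiable from this diff).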
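Review bot: `programs.mosh.enable = true` is one line but in NixOS `programs.mosh.openFirewall` defaults to true, so this also opens UDP 60000–61000 on massicot (confirm against the pinned nixpkgs), which the diffstat does not hint at. mosh-server only accepts datagrams carrying the per-session key handed out over SSH, so the risk is modest, but if the hole is not wanted add `programs.mosh.openFirewall = false;`, and either way a comment naming the port range keeps the firewall picture in `services.nix` honest.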
+++ b/.gitattributes @@ -0,0 +1 @@ +eval_secrets.nix diff=sops diff --git a/flake.nix b/flake.nix index 02117ee..1e4595a 100644 --- a/flake.nix +++ b/flake.nix @@ -49,11 +49,28 @@ sops-nix.nixosModules.sops ] ++ modules; }; + evalSecrets = import ./eval_secrets.nix; in { nixosModules = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; + machinesFile = ./nixbuild.net; + }; + + massicot = { name, nodes, pkgs, ... }: with inputs; { + imports = [ + { nixpkgs.system = "aarch64-linux"; } + machines/massicot + ]; + }; + }; + nixosConfigurations.calcite = mkNixos { system = "x86_64-linux"; modules = [ @@ -68,8 +85,8 @@ modules = [ machines/massicot (mkHome "xin" "gold") - ] - } + ]; + }; nixosConfigurations.raspite = mkNixos { system = "aarch64-linux"; diff --git a/nixbuild.net b/nixbuild.net new file mode 100644 index 0000000..77c50ac --- /dev/null +++ b/nixbuild.net @@ -0,0 +1 @@ +ssh-ng://eu.nixbuild.net aarch64-linux - 100 1 big-parallel,benchmark From 8b7920d4b1b8ec8d85eb9bd30e9bfa2d6f3dad89 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 6 Oct 2023 22:05:19 +0800 Subject: [PATCH 031/136] dolomite: init --- machines/dolomite/default.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 machines/dolomite/default.nix diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix new file mode 100644 index 0000000..71f7ed1 --- /dev/null +++ b/machines/dolomite/default.nix @@ -0,0 +1,11 @@ +{ config, pkgs, modulesPath, ... }: +{ + imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; + + services.sing-box = { + enable = true; + settings = { + + }; + }; +} From add25d866dba39d997502ecd6df66141ca89dd39 Mon Sep 17 00:00:00 2001 
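Review bot: `evalSecrets = import ./eval_secrets.nix;` pulls a sops-encrypted file (the `.gitattributes` entry in this commit marks it `diff=sops`) into Nix evaluation, and anything imported at eval time ends up in the derivation closure and therefore in the world-readable `/nix/store` on every builder and target — including the third-party nixbuild.net machine configured in the same commit. Keep only non-sensitive data (host names, addresses, public keys) on that path and leave real credentials to the runtime sops-nix secrets already used elsewhere; a comment on the binding such as `# eval-time only: these values are copied into the Nix store, never put credentials in this file` would make the boundary explicit. How `evalSecrets` is consumed is not visible in this hunk.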
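Review bot: `ssh-ng://eu.nixbuild.net aarch64-linux - 100 1 big-parallel,benchmark` delegates aarch64 builds to a third-party service whose outputs are copied back and trusted like local builds, so every massicot deploy now also rests on that provider and on the SSH channel to it. The line has no host public key column (the trailing base64 field of the Nix `machines` format) and `-` for the identity file, so authentication depends on root's `known_hosts` and ssh config being right on whichever machine runs colmena; pinning the nixbuild.net host key in that field, or via `programs.ssh.knownHosts`, removes the first-connection TOFU risk. Whether copied-back paths are signature-checked (`require-sigs`) cannot be seen here.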
From: xinyangli Date: Wed, 15 Nov 2023 07:50:26 +0000 Subject: [PATCH 032/136] bump version --- flake.lock | 58 ++++++++++++++++-------------- flake.nix | 3 +- home/xin/common/default.nix | 3 -- machines/calcite/configuration.nix | 1 - machines/clash.nix | 34 ------------------ machines/raspite/configuration.nix | 4 +-- 6 files changed, 33 insertions(+), 70 deletions(-) delete mode 100644 machines/clash.nix diff --git a/flake.lock b/flake.lock index 44f32e4..801872b 100644 --- a/flake.lock +++ b/flake.lock @@ -181,11 +181,11 @@ ] }, "locked": { - "lastModified": 1694469544, - "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=", + "lastModified": 1699783872, + "narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=", "owner": "nix-community", "repo": "home-manager", - "rev": "5171f5ef654425e09d9c2100f856d887da595437", + "rev": "280721186ab75a76537713ec310306f0eba3e407", "type": "github" }, "original": { @@ -201,11 +201,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1694481387, - "narHash": "sha256-1v5DT/8PmFl9UJHRq6BeMcDTSqXIYjVBilcVFt+vRN0=", + "lastModified": 1700011274, + "narHash": "sha256-NtZqLNEjgaCGowT2+HEeOoZsXqVSAZMA/vk2t0jikN0=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "3901c1225944eda6c85f09a57c338f87f06748d2", + "rev": "a8c236477b4251ba739463de7e863a07b124fdd3", "type": "github" }, "original": { @@ -237,11 +237,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1694432324, - "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=", + "lastModified": 1699997707, + "narHash": "sha256-ugb+1TGoOqqiy3axyEZpfF6T4DQUGjfWZ3Htry1EfvI=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779", + "rev": "5689f3ebf899f644a1aabe8774d4f37eb2f6c2f9", "type": "github" }, "original": { 
@@ -269,11 +269,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1694426803, - "narHash": "sha256-osusXQo0zkEqs502SNMffsKp1O9evpDM54A37MuyT2Q=", + "lastModified": 1699596684, + "narHash": "sha256-XSXP8zjBZJBVvpNb2WmY0eW8O2ce+sVyj1T0/iBRIvg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9a74ffb2ca1fc91c6ccc48bd3f8cbc1501bf7b8a", + "rev": "da4024d0ead5d7820f6bd15147d3fe2a0c0cec73", "type": "github" }, "original": { @@ -285,11 +285,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1693675694, - "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=", + "lastModified": 1699756042, + "narHash": "sha256-bHHjQQBsEPOxLL+klYU2lYshDnnWY12SewzQ7n5ab2M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d", + "rev": "9502d0245983bb233da8083b55d60d96fd3c29ff", "type": "github" }, "original": { @@ -301,23 +301,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1694538145, - "narHash": "sha256-/+X6c5mT4Yce7L21Dw+UynDomPQQya2WRaMAO7aotGY=", - "path": "/home/xin/nixpkgs", - "type": "path" + "lastModified": 1699781429, + "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d", + "type": "github" }, "original": { - "path": "/home/xin/nixpkgs", - "type": "path" + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nur": { "locked": { - "lastModified": 1694533535, - "narHash": "sha256-De7zRSSjw/UQmPxqUB5+acgE0kx9v7+w5mndk1M9clQ=", + "lastModified": 1700012630, + "narHash": "sha256-m+FOsAtH3He/QoiPqJ/MuF9aw0P/+47vZ3H24pB9MaI=", "owner": "nix-community", "repo": "NUR", - "rev": "140724f176a3a6d4b193b6da8eb7659d13f2fa9a", + "rev": "89fdcae74a069abd30b4d26ed043853b338ba88c", "type": "github" }, "original": { 
@@ -392,11 +396,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1694495315, - "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=", + "lastModified": 1699951338, + "narHash": "sha256-1GeczM7XfgHcYGYiYNcdwSFu3E62vmh4d7mffWZvyzE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415", + "rev": "0e3a94167dcd10a47b89141f35b2ff9e04b34c46", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a6be7dc..d84f120 100644 --- a/flake.nix +++ b/flake.nix @@ -1,8 +1,7 @@ { inputs = { # Pin nixpkgs to a specific commit - # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs.url = "path:/home/xin/nixpkgs"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; home-manager = { diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index da76694..088d6a6 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -9,8 +9,6 @@ nix.settings = { experimental-features = [ "nix-command" "flakes" ]; auto-optimise-store = true; - substituters = "https://cache.nixos.org https://mirrors.ustc.edu.cn/nix-channels/store https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store https://cache.nixos.org/ https://cuda-maintainers.cachix.org"; - trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="; }; @@ -28,7 +26,6 @@ tealdeer neofetch rclone - clash inetutils ]; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index a5d45f8..ffc1a28 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -7,7 +7,6 @@ ./hardware-configuration.nix ./network.nix ../sops.nix - ../clash.nix ]; # Bootloader. diff --git a/machines/clash.nix b/machines/clash.nix deleted file mode 100644 index e6c76ca..0000000 --- a/machines/clash.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - sops = { - secrets.clash_subscription_link = { - owner = "xin"; - }; - }; - - systemd.timers."clash-config-update" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnUnitActiveSec = "1d"; - Unit = "clash-config-update.service"; - }; - }; - - systemd.services."clash-config-update" = { - script = '' - ${pkgs.curl}/bin/curl $(${pkgs.coreutils}/bin/cat ${config.sops.secrets.clash_subscription_link.path}) > /tmp/config.yaml && mv /tmp/config.yaml /home/xin/.config/clash/ - ''; - serviceConfig = { - Type = "oneshot"; - User= "xin"; - }; - }; - - systemd.services.clash = { - enable = true; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.clash}/bin/clash -d /home/xin/.config/clash"; - }; - -} diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index b178e9e..72b7978 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -10,13 +10,11 @@ ]; imports = [ - ../clash.nix ../sops.nix ]; environment.systemPackages = with pkgs; [ git - clash ]; # Use mirror for binary cache @@ -59,4 +57,4 @@ hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4"; }; -} \ No newline at end of file +} From 56e67018d618ad69b6be95380c9dde4136d827da Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 15 Nov 2023 08:10:35 +0000 Subject: [PATCH 033/136] massicot: passwordless sudo for user xin --- machines/massicot/default.nix | 6 ++++++ machines/massicot/services.nix | 3 +-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 8dd59d5..c502312 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix 
@@ -45,5 +45,11 @@ ]; hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7"; }; + + security.sudo.extraRules = [ + { users = [ "xin" ]; + commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; + } + ]; } diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 3fee0e6..6574466 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -52,9 +52,8 @@ in }; }; - services.gitea = { + services.forgejo = { enable = true; - package = pkgs.forgejo; settings = { service.DISABLE_REGISTRATION = true; server = { From c804a493c29dbf45704de1e3e203c638a22f7f34 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 18 Nov 2023 22:13:22 +0800 Subject: [PATCH 034/136] calcite: bump version --- flake.lock | 58 ++++++++++++++++++------------------- flake.nix | 2 +- home/xin/common/default.nix | 1 - machines/secrets.yaml | 6 ++-- machines/sing-box.nix | 2 +- 5 files changed, 34 insertions(+), 35 deletions(-) diff --git a/flake.lock b/flake.lock index a242d44..a84647f 100644 --- a/flake.lock +++ b/flake.lock @@ -74,11 +74,11 @@ ] }, "locked": { - "lastModified": 1695738267, - "narHash": "sha256-LTNAbTQ96xSj17xBfsFrFS9i56U2BMLpD0BduhrsVkU=", + "lastModified": 1700087144, + "narHash": "sha256-LJP1RW0hKNWmv2yRhnjkUptMXInKpn/rV6V6ofuZkHU=", "owner": "nix-community", "repo": "home-manager", - "rev": "0f4e5b4999fd6a42ece5da8a3a2439a50e48e486", + "rev": "ab1459a1fb646c40419c732d05ec0bf2416d4506", "type": "github" }, "original": { @@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1695691129, - "narHash": "sha256-tUbgZOgmR/9vh4yvW3Bw6Xd+1f4DDcEI/EoqbO0SOuI=", + "lastModified": 1700097605, + "narHash": "sha256-nVqtih7bV5zso/y8tCSYwqmkEdMDU6R5NBb8D7w5mEY=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "bd2d4d8c383ca5236a174742ef2d8d42307de40f", + "rev": "4192069cbb3f98b114e6f0bc0e7e4720c6c98c09", "type": "github" }, "original": { 
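Review bot: `security.sudo.extraRules` gives `xin` `ALL` with `NOPASSWD`, so together with the `PasswordAuthentication = false` set earlier in this file possession of xin's SSH key is now equivalent to root on massicot, and the `hashedPassword` just above only guards console login. That is a reasonable trade for a deployment account, but it should be deliberate and visible: add `# NOPASSWD so colmena can deploy as xin without a tty; xin's SSH key is root-equivalent on this host` above the rule. Narrowing `commands` is impractical if the purpose is colmena (it needs `nix-env` and `switch-to-configuration` as root), so the comment is what is missing. `users.users.xin` starts before this hunk.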
@@ -132,11 +132,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1695541019, - "narHash": "sha256-rs++zfk41K9ArWkDAlmBDlGlKO8qeRIRzdjo+9SmNFI=", + "lastModified": 1699997707, + "narHash": "sha256-ugb+1TGoOqqiy3axyEZpfF6T4DQUGjfWZ3Htry1EfvI=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "61283b30d11f27d5b76439d43f20d0c0c8ff5296", + "rev": "5689f3ebf899f644a1aabe8774d4f37eb2f6c2f9", "type": "github" }, "original": { @@ -148,15 +148,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1695750249, - "narHash": "sha256-uE7t9hJwa6ngwWvOiQxVpWRX8iOWgiU7+STXbTFttMI=", - "owner": "xinyangli", + "lastModified": 1699781429, + "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "0e6469c77887662764a5e65808641b1ecf6d106c", + "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d", "type": "github" }, "original": { - "owner": "xinyangli", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" @@ -164,11 +164,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1695559356, - "narHash": "sha256-kXZ1pUoImD9OEbPCwpTz4tHsNTr4CIyIfXb3ocuR8sI=", + "lastModified": 1699994397, + "narHash": "sha256-xxNeIcMNMXH2EA9IAX6Cny+50mvY22LhIBiGZV363gc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "261abe8a44a7e8392598d038d2e01f7b33cf26d0", + "rev": "d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8", "type": "github" }, "original": { @@ -180,11 +180,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1694908564, - "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=", + "lastModified": 1699756042, + "narHash": "sha256-bHHjQQBsEPOxLL+klYU2lYshDnnWY12SewzQ7n5ab2M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "596611941a74be176b98aeba9328aa9d01b8b322", + "rev": "9502d0245983bb233da8083b55d60d96fd3c29ff", "type": "github" }, "original": { 
@@ -196,11 +196,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1694760568, - "narHash": "sha256-3G07BiXrp2YQKxdcdms22MUx6spc6A++MSePtatCYuI=", + "lastModified": 1699374756, + "narHash": "sha256-X21OIoVcJejN9JKoLuoZSx3ZZkMh/iSpJ+GGrSNQyGU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "46688f8eb5cd6f1298d873d4d2b9cf245e09e88e", + "rev": "9b92dad3804b543a8b5db878aabf7132d601fa91", "type": "github" }, "original": { @@ -212,11 +212,11 @@ }, "nur": { "locked": { - "lastModified": 1695750428, - "narHash": "sha256-IAT2N9tmdV6Rp2UYQsF/dv7d6iUsgmW9OtPa8D6TzAQ=", + "lastModified": 1700127871, + "narHash": "sha256-Vc+CZ/Ev/MhzYdKGIX/qp8GGiKfztvfL6bJZSW2m6zE=", "owner": "nix-community", "repo": "NUR", - "rev": "e0da1a7ac4f93eec44939d6f75eaa5b7242a179f", + "rev": "7cf29aef2e074a1ad6c12a196f3e4a140837f33f", "type": "github" }, "original": { @@ -244,11 +244,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1695284550, - "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=", + "lastModified": 1699951338, + "narHash": "sha256-1GeczM7XfgHcYGYiYNcdwSFu3E62vmh4d7mffWZvyzE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78", + "rev": "0e3a94167dcd10a47b89141f35b2ff9e04b34c46", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 7153504..3865656 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { inputs = { # Pin nixpkgs to a specific commit - nixpkgs.url = "github:xinyangli/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; home-manager = { diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index a4ee121..e461b9c 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -28,7 +28,6 @@ tealdeer neofetch rclone - clash inetutils ]; diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 9006057..a6c2d77 100644 --- a/machines/secrets.yaml 
+++ b/machines/secrets.yaml @@ -2,7 +2,7 @@ clash_subscription_link: ENC[AES256_GCM,data:Vwy0c8gOeR1XG/QNp8TGuBe/5kezD7SSStN autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str] autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str] github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] -singbox_domain: ENC[AES256_GCM,data:26WBV6F6JsdR81BzFbeFA0c8,iv:SRkEJdAxH/0in5oq7kCz6sBeMQzjDcV9242SqwFwMis=,tag:u6sn2Xs3Pwsmo8xwAfObCA==,type:str] +singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str] singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str] sops: kms: [] 
@@ -37,8 +37,8 @@ sops: dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-09-26T15:10:12Z" - mac: ENC[AES256_GCM,data:R1y2LCVbIcJ4hHLrgRT+H45jdSPUIE8uuW1EoJattnciLExlpZzNtuUxV6yVUKoUxh/Bdl4gUwRP6YINegMflUJIlby9vUyDTVAwzFpk5p4Ev0YF/X8ZgXcerwOZjEkHqekqEtDjEsnOt2U41XsXOzQsFXkmWl/aBRlxGYiTHcU=,iv:jFM3EKnTIJbBP1FHw3t7Q1+NvGIQYWtVCV+4Z9snPIQ=,tag:NkdeGL6IFA0iQoUqWmPZgw==,type:str] + lastmodified: "2023-11-11T19:16:18Z" + mac: ENC[AES256_GCM,data:iyqD4XJHw072IYKyRnWKJRVLex/GfnYn5QY4/YPkGK9cHjVML/97k1IWM76zXOpoJ9wSENvTqQirjMZz0TS92Ak2Ps/3fsyPj2f9BEFmF+q8r+VWEj9ZGEzHb52uMKyj3vYs5Mg9O5eeDmdAifdvC3RmRkoQ7WFoLDVCwcVFKoU=,iv:AuqLIPVMhX537MPaqnrYgOuHPH+P8Ili8tkg4p1jC1I=,tag:t2gQZzO1dIXnM3UqOnn/FA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.0 diff --git a/machines/sing-box.nix b/machines/sing-box.nix index c77aefc..050267f 100644 --- a/machines/sing-box.nix +++ b/machines/sing-box.nix @@ -34,7 +34,7 @@ in server = "_dns_doh_mainland"; } { - domain_suffix = "tiktokuu.xyz"; + domain_suffix = server; server = "_dns_doh_mainland"; } ]; From cb5a5794bd36ebb41ad8791510600d1d63c7081d Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 24 Nov 2023 20:49:18 +0800 Subject: [PATCH 035/136] home: move nix substituter to machine level nix conf --- home/xin/common/default.nix | 7 ------- machines/calcite/configuration.nix | 12 +++++++----- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index e461b9c..c76d3e8 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix 
@@ -6,13 +6,6 @@ ./vim.nix ]; - nix.settings = { - experimental-features = [ "nix-command" "flakes" ]; - auto-optimise-store = true; - substituters = "https://mirrors.ustc.edu.cn/nix-channels/store https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"; - }; - - home.packages = with pkgs; [ dig du-dust # du + rust diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 7fdab31..c89aa84 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -101,8 +101,6 @@ systemd.services."getty@tty1".enable = false; systemd.services."autovt@tty1".enable = false; - services.intune.enable = true; - # Allow unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ @@ -188,7 +186,7 @@ config.nur.repos.xddxdd.wechat-uos # Password manager - keepassxc + bitwarden # Browser firefox @@ -213,15 +211,19 @@ # Use mirror for binary cache nix.settings.substituters = [ + "https://mirrors.bfsu.edu.cn/nix-channels/store" "https://mirrors.ustc.edu.cn/nix-channels/store" - "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ]; nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 30d"; }; - nix.settings.trusted-users = [ "xin" "root" ]; + nix.settings = { + experimental-features = [ "nix-command" "flakes" ]; + auto-optimise-store = true; + trusted-users = [ "xin" "root" ]; + }; nix.extraOptions = '' !include "${config.sops.secrets.github_public_token.path}" ''; From 500ad4be6374e9e3d74df8a0d1a456ebde89e9fc Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 28 Nov 2023 21:38:50 +0800 Subject: [PATCH 036/136] dolomite: host sing-box --- .sops.yaml | 2 + flake.nix | 19 +++++++- machines/calcite/configuration.nix | 10 ++++- machines/dolomite/default.nix | 71 ++++++++++++++++++++++++++++-- machines/secrets.yaml | 48 ++++++++++++-------- machines/sing-box.nix | 32 +++++++++++--- machines/sops.nix | 20 ++++++--- 7 files changed, 167 insertions(+), 35 deletions(-) 
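Review bot: Adding `https://mirrors.bfsu.edu.cn/nix-channels/store` as a substituter is only safe because `trusted-public-keys` is left at its default, so the mirror can serve nothing but paths carrying a valid `cache.nixos.org-1` signature; a comment such as `# mirrors of cache.nixos.org only; never add the mirrors' own keys to trusted-public-keys` prevents someone from "fixing" a future signature error by trusting the mirror. `trusted-users = [ "xin" "root" ]` (moved, not new) also deserves a note that a trusted Nix user can push unsigned paths and override daemon options, i.e. it is root-equivalent — fine for the sole wheel user on a laptop, not something to copy to the servers in this series. The calcite `nix.*` options begin before this hunk.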
diff --git a/.sops.yaml b/.sops.yaml index f928eee..fd6a3d4 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,7 @@ keys: - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj + - &host-dolomite age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: @@ -19,6 +20,7 @@ creation_rules: - *xin - *host-calcite - *host-raspite + - *host-dolomite - path_regex: home/xin/secrets.yaml key_groups: - age: diff --git a/flake.nix b/flake.nix index 0858ffe..0c61577 100644 --- a/flake.nix +++ b/flake.nix @@ -48,7 +48,6 @@ modules = [ home-manager.nixosModules.home-manager nur.nixosModules.nur - sops-nix.nixosModules.sops ] ++ modules; }; evalSecrets = import ./eval_secrets.nix; @@ -63,6 +62,9 @@ system = "x86_64-linux"; }; machinesFile = ./nixbuild.net; + specialArgs = { + inherit inputs; + }; }; massicot = { name, nodes, pkgs, ... }: with inputs; { @@ -71,6 +73,17 @@ machines/massicot ]; }; + + dolomite = { name, nodes, pkgs, ... }: with inputs; { + imports = [ + { nixpkgs.system = "x86_64-linux"; } + machines/dolomite + ]; + deployment = { + targetHost = "video.namely.icu"; + buildOnTarget = false; + }; + }; }; nixosConfigurations.calcite = mkNixos { @@ -99,7 +112,6 @@ ]; }; - images.raspite = (mkNixos { system = "aarch64-linux"; modules = [ @@ -120,6 +132,9 @@ packages = { homeConfigurations."xin" = import ./home/xin/gold { inherit home-manager pkgs; }; }; + devShells.default = pkgs.mkShell { + buildInputs = with pkgs; [ git colmena nix-output-monitor ssh-to-age ]; + }; } ))); } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c89aa84..c538867 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix 
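Review bot: Adding `*host-dolomite` to the key group for `machines/secrets.yaml` lets the new internet-facing proxy VPS decrypt every shared secret in that file — `github_public_token`, `autofs-nas`/`autofs-nas-secret` and the existing `singbox_*` values — even though dolomite only needs the three `singbox_sg_*` entries added in this commit. `.sops.yaml` already has a per-host rule for `machines/calcite/secrets.yaml`; a matching `machines/dolomite/secrets.yaml` rule keyed to `*xin` and `*host-dolomite` keeps a compromise of that box from exposing the NAS and GitHub credentials. The `creation_rules` list continues outside this hunk.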
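Review bot: Dropping `sops-nix.nixosModules.sops` from `mkNixos`'s shared module list changes every configuration built through it (calcite, massicot, raspite), not only dolomite; the diffstat shows `machines/sops.nix` edited in the same commit, presumably to import the module there, but any host that sets `sops.secrets.*` without importing `../sops.nix` will now fail evaluation on an unknown option. A one-line comment at the removal site — `# sops-nix is imported by machines/sops.nix so colmena nodes and mkNixos hosts share one path` — records the intent; the rest of `mkNixos` lies outside this hunk.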
@@ -18,6 +18,14 @@ boot.supportedFilesystems = [ "ntfs" ]; boot.binfmt.emulatedSystems = ["aarch64-linux"]; + security.tpm2 = { + enable = true; + # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + pkcs11.enable = true; + # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + tctiEnvironment.enable = true; + }; + networking.hostName = "calcite"; programs.vim.defaultEditor = true; @@ -87,7 +95,7 @@ users.users.xin = { isNormalUser = true; description = "xin"; - extraGroups = [ "networkmanager" "wheel" "wireshark" ]; + extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ]; }; # Enable automatic login for the user. diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 71f7ed1..cf83768 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix 
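Review bot: Adding `tss` to `extraGroups` gives every process running as `xin` direct access to the TPM resource-manager device, so a compromised user-level program can exercise any TPM-resident keys reachable through the newly enabled `pkcs11` module with no further privilege boundary — the usual trade-off for desktop PKCS#11 use, but it should be stated. A comment on the group line, `# tss: direct TPM access for tpm2-pkcs11; anything running as xin can use those keys`, plus a note that `tctiEnvironment.enable` exports `TPM2TOOLS_TCTI`/`TPM2_PKCS11_TCTI` system-wide, would cover it. `users.users.xin` continues past the hunk.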
@@ -1,11 +1,76 @@ -{ config, pkgs, modulesPath, ... }: +{ config, pkgs, lib, modulesPath, ... }: +let + sg_server = { + _secret = config.sops.secrets.singbox_sg_server.path; + }; + sg_password = { + _secret = config.sops.secrets.singbox_sg_password.path; + }; + sg_uuid = { + _secret = config.sops.secrets.singbox_sg_uuid.path; + }; + singTls = { + enabled = true; + server_name = sg_server; + key_path = config.security.acme.certs."video.namely.icu".directory + "/key.pem"; + certificate_path = config.security.acme.certs."video.namely.icu".directory + "/cert.pem"; + }; +in { - imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; + imports = [ + "${modulesPath}/virtualisation/amazon-image.nix" + ../sops.nix + ]; + + boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + }; + + networking.firewall.trustedInterfaces = [ "tun0" ]; + + security.acme = { + acceptTerms = true; + certs."video.namely.icu" = { + email = "me@namely.icu"; + listenHTTP = ":80"; + }; + }; + networking.firewall.allowedTCPPorts = [ 80 8080 ]; + networking.firewall.allowedUDPPorts = [ 6311 ]; services.sing-box = { enable = true; settings = { - + inbounds = [ + { + tag = "sg1"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = [ + { name = "proxy"; + password = sg_password; + } + ]; + tls = singTls; + } + { + tag = "sg2"; + type = "tuic"; + listen = "::"; + listen_port = 6311; + congestion_control = "bbr"; + users = [ + { name = "proxy"; + uuid = sg_uuid; + password = sg_password; + } + ]; + tls = singTls; + } + ]; }; }; } diff --git a/machines/secrets.yaml b/machines/secrets.yaml index a6c2d77..57fbeb6 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
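Review bot: `server_name = sg_server` takes the TLS SNI from a sops secret while the certificate is requested for the literal `video.namely.icu`, which is public anyway (ACME/CT logs and `deployment.targetHost` in flake.nix); if the two differ the handshake fails against this cert, and if they are equal the secret hides nothing — either drop the indirection or explain it with a comment. `networking.firewall.trustedInterfaces = [ "tun0" ]` exempts an interface nothing in this file creates, so any future tun inbound would bypass the firewall entirely; remove it until it is needed. The ACME cert sets no `group`, so unless the sing-box unit runs as root it will not be able to read `key.pem` from the `acme`-owned directory — check how the NixOS `services.sing-box` unit runs and grant access through `certs.<name>.group` or `SupplementaryGroups` rather than relaxing directory permissions.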
@@ -4,6 +4,9 @@ autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9a github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str] singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str] +singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str] +singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str] +singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -13,32 +16,41 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYjBKUUNCTlpoYXJqMkVL - U0xoNDNXVUpGaEdTVFVVL05MYng4N3l5dlhRCjZXMmplRGY1UWdlUTB4NHBFNHVO - QThQTkhwVlc2NE1HWUc5RlRyS2lURE0KLS0tIDZPOW1EMis2TjFjaS9sUHEvenRJ - cmZYOEVHTE1ybDBXMDFZRnJQaWRjeU0KVAiaO0xMhDQTh26e4lTRigkG2P6KfXov - c2DItjmdWmdfN/QOKl6JzObtHBxSWxXGZwbnWmDkGq69t20TDus2Xw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTW9oblRGVXZSYU1UaUpY + bEJvd0FST3gydXRzQ25GNm5vMEsyMlJpU0RRCjNFTk9rajQraGhoWFhFTDFtTnNE + aDNuaTZRZUtVcWkrN1RvZmZBRmJVTVkKLS0tIFdta3l4M3JoTU9tTllLUENOdTU0 + K2UxRnNTcEw4OC85cWdFNlVSMnlseFUKXtUh8vavnw5I+16bZszXNXmDndXovAN/ + XzrbfhXyE8B7jxlsSp6b5mu7RXWHP9knM2BqfrhhK0NJ/uuKfKNIEA== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWWx3TGJTWEtLd0ROVXZQ - OUcycUlCUmhJT3JybldLYytJNlhld3lSVENJCmd0YUVBbWN3MU8yQ2FFMTRSWXln - S0x4c0pGemVDdVV6N3hCM3BsWGxBYzQKLS0tIDdyNFBtK2RQTFNXdlRDaVZBNjZ6 - TVo3cmh0eFlDU1d2RnVZVUI1NXcrbnMKU+tJhePvEk/awxtoZA8NWTxUr5buXSRu - CyIZXG3THbrIWAzBRlgtKqmlvdOseIASSO9OgOUPb8/EKSD5eUTH3g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzd2tMOXVCZFJsaWJDV1FQ + UWpoSDgxVUZ6UCt3Z2I5YjFxcnUzK3dNVndnClZBV29OV0swZzd5UmJsQ2J3RFpo + UnpvQ21BajBYc2xzWDNHWStzNTJLelkKLS0tIDNROGJQTzNDZUZHU09RcUpGemJr + dnpGSmdCRXJsU2FNV0V1N0pSczJwRTgK99s4wGGlpgkmr6sFzw8iqEPy2c3CvrvK + Ak+DlVCx6G9YXCIoXPIysY3EkfrKQwf/5LUMxSTN8V1gOMeTyomt/w== -----END AGE ENCRYPTED FILE----- - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidXFsbFBPc3hhMzFMSk9v - NVdKWDE5MWoyMnUyVWdwOXhsK3dpQ1o2bGlBClZHVTZzc2lxblYrUUUvRFRmQ2Mv - S1I4YzJYd1JCcUx5b0E2MTlwYWlwRDAKLS0tIGphM2NaSXBwdlZSR3kwSUkzcXkv - 
dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou - DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWU0xQzRqbG1CTnlSZmFj + TFZvMHU3NVVQTTVHZzJkZ3FGS3doRXhGamdjCk0vaGVaZWlwT2NLd0NPeUliQ09Q + cFNiMGZqUHliUEw1WDlWV3ZsR0lRYzAKLS0tIG8wWm1IK2tpRGhQVVNCQU83cnFB + S1lwZ2NDRGQyOW92R2JLakRUMG1JUkUKHNvXcHFlbgssrzLVdFxIT7QpMiPK5zoy + /OqQhXZ/ewER3b+kMidZv5QXU6GvMWsriT24/yyfTc0tEe7t/Ojm4A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-11T19:16:18Z" - mac: ENC[AES256_GCM,data:iyqD4XJHw072IYKyRnWKJRVLex/GfnYn5QY4/YPkGK9cHjVML/97k1IWM76zXOpoJ9wSENvTqQirjMZz0TS92Ak2Ps/3fsyPj2f9BEFmF+q8r+VWEj9ZGEzHb52uMKyj3vYs5Mg9O5eeDmdAifdvC3RmRkoQ7WFoLDVCwcVFKoU=,iv:AuqLIPVMhX537MPaqnrYgOuHPH+P8Ili8tkg4p1jC1I=,tag:t2gQZzO1dIXnM3UqOnn/FA==,type:str] + - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZK3o4WkZqaldXd2lBUm5r + NWVNMVh5SXZmVmFlUldiVUdrYitPK3dUUVJzCjJnSHR0ZmpmMzF3ZnlBeEJ6bHc0 + T0p2SXpoOGprbEdyUC9oWklTRndFcTAKLS0tIGN6VUZmVEJkWk5xR2dUaU1mbkZB + TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb + naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-25T11:52:08Z" + mac: ENC[AES256_GCM,data:Qfz/3UP6ZDOZZupdkass7+Lv2ssgXwMW5mZ3w1mGpmo4Fq+8yQbNnQTLi78+R79bn+ntonexf51WUo0uwfYGtt+9YbbDSYxO7iaFhJ/e3sroo2tVO5gbkKByEMSYx/zkz8SYpg9fwGvjLl/8YurSnuyrI1mppkcu4AY75jeo9Iw=,iv:iPKUHm1Ui9MIhtrddskBX9pMna0y1w5gASbtsOY0LKc=,tag:03M0N7mWD6zSG2tSh7jffQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.0 + version: 3.8.1 diff --git a/machines/sing-box.nix b/machines/sing-box.nix index 050267f..037fa09 100644 --- a/machines/sing-box.nix +++ b/machines/sing-box.nix 
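Review bot: The new recipient `age13s6…` is added to the whole of machines/secrets.yaml, so that host key can now decrypt every entry in the file — including `autofs-nas-secret`, `github_public_token` and `clash_subscription_link` visible in the earlier hunk — and not only the three `singbox_sg_*` values the new host needs. sops-nix supports a per-secret `sopsFile`, so a separate secrets file for the dolomite host, listing only its sg entries and only that recipient in `.sops.yaml`, would limit what a compromised VPS host key exposes to its own secrets. The recipient set is a file-level property, so this cannot be narrowed inside the YAML alone.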
@@ -9,6 +9,15 @@ let uuid = { _secret = config.sops.secrets.singbox_password.path; }; + sg_server = { + _secret = config.sops.secrets.singbox_sg_server.path; + }; + sg_password = { + _secret = config.sops.secrets.singbox_sg_password.path; + }; + sg_uuid = { + _secret = config.sops.secrets.singbox_sg_uuid.path; + }; in { services.sing-box = { @@ -37,15 +46,23 @@ in domain_suffix = server; server = "_dns_doh_mainland"; } + { + domain_suffix = sg_server; + server = "_dns_doh_mainland"; + } ]; servers = [ { - address = "https://cloudflare-dns.com/dns-query"; - address_strategy = "prefer_ipv4"; - address_resolver = "_dns_doh_mainland"; + address = "tls://dns.google:853/"; + address_resolver = "_dns_udp_global"; detour = "_proxy_select"; tag = "_dns_global"; } + { + address = "1.1.1.1"; + detour = "_proxy_select"; + tag = "_dns_udp_global"; + } { address = "119.29.29.29"; detour = "direct"; @@ -62,9 +79,8 @@ in tag = "_dns_block"; } ]; - strategy = "prefer_ipv4"; final = "_dns_global"; - disable_cache = false; + disable_cache = true; }; inbounds = [ { @@ -79,6 +95,7 @@ in auto_route = true; strict_route = false; inet4_address = "172.19.0.1/30"; + inet6_address = "fdfe:dcba:9876::1/126"; sniff = true; } ]; 
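Review bot: The new `_dns_udp_global` server is plain UDP to 1.1.1.1 and exists only to resolve the DoT upstream `tls://dns.google:853/`; because a DoT server may be given as an IP literal, the unencrypted bootstrap hop can be dropped entirely with `address = "tls://8.8.8.8";` (or `tls://1.1.1.1`) and no `address_resolver` at all, leaving every upstream query encrypted. The trailing slash in `tls://dns.google:853/` also looks unintended. Separately, `disable_cache = true` switches off caching for every DNS query; if that is deliberate (privacy or freshness), a one-line comment saying so would save the next reader from "fixing" it.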
@@ -102,7 +119,10 @@ in ]; }; outbounds = [ - { default = "auto"; outbounds = [ "auto" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } + { tag = "selfhost"; type = "urltest"; outbounds = [ "sg1" "sg2" ]; tolerance = 800; url = "http://www.gstatic.com/generate_204"; interval = "1m0s"; } + { tag = "sg1"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } + { tag = "sg2"; type = "tuic"; congestion_control = "bbr"; server = sg_server; server_port = 6311; uuid = sg_uuid; password = sg_password; tls = { enabled = true; server_name = sg_server; }; } + { default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; } { tag = "direct"; type = "direct"; } { tag = "block"; type = "block"; } diff --git a/machines/sops.nix b/machines/sops.nix index f2b93f3..96ac399 100644 --- a/machines/sops.nix +++ b/machines/sops.nix 
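Review bot: The three new outbound entries are single lines of well over a hundred characters with nested attribute sets (`tls = { enabled = true; server_name = sg_server; utls = { ... }; };`), which makes the secret references and TLS settings hard to review; the inbound side of the same servers in machines/dolomite/default.nix is written one attribute per line, and these should match it. Formatting is the only point here: the TLS blocks validate the server certificate (no `insecure` flag), which is the right default for secrets carried over these outbounds.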
@@ -1,19 +1,29 @@ -{ ... }: +{ inputs, ... }: { + imports = [ inputs.sops-nix.nixosModules.sops ]; sops = { defaultSopsFile = ./secrets.yaml; # TODO: How to generate this key when bootstrap? age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; secrets = { clash_subscription_link = { - owner = "xin"; + owner = "root"; }; singbox_password = { - owner = "xin"; + owner = "root"; }; singbox_domain = { - owner = "xin"; + owner = "root"; + }; + singbox_sg_server = { + owner = "root"; + }; + singbox_sg_password = { + owner = "root"; + }; + singbox_sg_uuid = { + owner = "root"; }; }; }; -} \ No newline at end of file +} From 12bb3e13c82f5c802b8fc25cbac64084cdce9229 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 30 Nov 2023 12:07:23 +0800 Subject: [PATCH 037/136] sing-box: add more servers --- flake.lock | 54 +++++++++++++++--------------- machines/calcite/configuration.nix | 3 +- machines/calcite/network.nix | 4 +-- machines/dolomite/default.nix | 13 ++++--- machines/sing-box.nix | 22 +++++++++--- 5 files changed, 54 insertions(+), 42 deletions(-) diff --git a/flake.lock b/flake.lock index a84647f..6f3a0f9 100644 --- a/flake.lock +++ b/flake.lock @@ -74,11 +74,11 @@ ] }, "locked": { - "lastModified": 1700087144, - "narHash": "sha256-LJP1RW0hKNWmv2yRhnjkUptMXInKpn/rV6V6ofuZkHU=", + "lastModified": 1701071203, + "narHash": "sha256-lQywA7QU/vzTdZ1apI0PfgCWNyQobXUYghVrR5zuIeM=", "owner": "nix-community", "repo": "home-manager", - "rev": "ab1459a1fb646c40419c732d05ec0bf2416d4506", + "rev": "db1878f013b52ba5e4034db7c1b63e8d04173a86", "type": "github" }, "original": { 
@@ -96,11 +96,11 @@ ] }, "locked": { - "lastModified": 1700097605, - "narHash": "sha256-nVqtih7bV5zso/y8tCSYwqmkEdMDU6R5NBb8D7w5mEY=", + "lastModified": 1701048169, + "narHash": "sha256-gsYFAIDMyXztMl39/EQzIVjQx/7z+0XPuCDhkrF2tbw=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "4192069cbb3f98b114e6f0bc0e7e4720c6c98c09", + "rev": "23dfda3e3df1901d38f1efc98d3e90cefd73ff5d", "type": "github" }, "original": { @@ -132,11 +132,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1699997707, - "narHash": "sha256-ugb+1TGoOqqiy3axyEZpfF6T4DQUGjfWZ3Htry1EfvI=", + "lastModified": 1701020860, + "narHash": "sha256-NwnRn04C8s+hH+KdVtGmVB1FFNIG7DtPJmQSCBDaET4=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "5689f3ebf899f644a1aabe8774d4f37eb2f6c2f9", + "rev": "b006ec52fce23b1d57f6ab4a42d7400732e9a0a2", "type": "github" }, "original": { @@ -148,11 +148,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1699781429, - "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=", + "lastModified": 1700794826, + "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d", + "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8", "type": "github" }, "original": { @@ -164,11 +164,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1699994397, - "narHash": "sha256-xxNeIcMNMXH2EA9IAX6Cny+50mvY22LhIBiGZV363gc=", + "lastModified": 1701053011, + "narHash": "sha256-8QQ7rFbKFqgKgLoaXVJRh7Ik5LtI3pyBBCfOnNOGkF0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d4b5a67bbe9ef750bd2fdffd4cad400dd5553af8", + "rev": "5b528f99f73c4fad127118a8c1126b5e003b01a9", "type": "github" }, "original": { 
@@ -180,11 +180,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1699756042, - "narHash": "sha256-bHHjQQBsEPOxLL+klYU2lYshDnnWY12SewzQ7n5ab2M=", + "lastModified": 1700905716, + "narHash": "sha256-w1vHn2MbGfdC+CrP3xLZ3scsI06N0iQLU7eTHIVEFGw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9502d0245983bb233da8083b55d60d96fd3c29ff", + "rev": "dfb95385d21475da10b63da74ae96d89ab352431", "type": "github" }, "original": { @@ -196,11 +196,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1699374756, - "narHash": "sha256-X21OIoVcJejN9JKoLuoZSx3ZZkMh/iSpJ+GGrSNQyGU=", + "lastModified": 1700856099, + "narHash": "sha256-RnEA7iJ36Ay9jI0WwP+/y4zjEhmeN6Cjs9VOFBH7eVQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9b92dad3804b543a8b5db878aabf7132d601fa91", + "rev": "0bd59c54ef06bc34eca01e37d689f5e46b3fe2f1", "type": "github" }, "original": { @@ -212,11 +212,11 @@ }, "nur": { "locked": { - "lastModified": 1700127871, - "narHash": "sha256-Vc+CZ/Ev/MhzYdKGIX/qp8GGiKfztvfL6bJZSW2m6zE=", + "lastModified": 1701176534, + "narHash": "sha256-AFYe8bkcwYZOBjkbEXzo82jy6hOrduCkoHV9eCPa4NA=", "owner": "nix-community", "repo": "NUR", - "rev": "7cf29aef2e074a1ad6c12a196f3e4a140837f33f", + "rev": "1cd0a267b09c8c035e5c32bf9e1017b5ae90bec4", "type": "github" }, "original": { @@ -244,11 +244,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1699951338, - "narHash": "sha256-1GeczM7XfgHcYGYiYNcdwSFu3E62vmh4d7mffWZvyzE=", + "lastModified": 1701127353, + "narHash": "sha256-qVNX0wOl0b7+I35aRu78xUphOyELh+mtUp1KBx89K1Q=", "owner": "Mic92", "repo": "sops-nix", - "rev": "0e3a94167dcd10a47b89141f35b2ff9e04b34c46", + "rev": "b1edbf5c0464b4cced90a3ba6f999e671f0af631", "type": "github" }, "original": { diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c538867..58221f0 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix 
@@ -65,7 +65,6 @@ # Enable the GNOME Desktop Environment. services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; - services.xserver.windowManager.icewm.enable = true; # Configure keymap in X11 services.xserver = { @@ -176,8 +175,8 @@ # Gnome tweaks gnomeExtensions.dash-to-dock - gnomeExtensions.hide-top-bar gnomeExtensions.tray-icons-reloaded + gnomeExtensions.paperwm gnome.gnome-tweaks gthumb diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 3689211..f0f3e1c 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -23,8 +23,8 @@ # Open ports in the firewall. networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ ]; - networking.firewall.allowedUDPPorts = [ 41641 ]; + networking.firewall.allowedTCPPorts = [ 3389 ]; + networking.firewall.allowedUDPPorts = [ 3389 41641 ]; networking.firewall.trustedInterfaces = [ "tun0" "tailscale0" diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index cf83768..9bb2580 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -38,14 +38,14 @@ in }; }; networking.firewall.allowedTCPPorts = [ 80 8080 ]; - networking.firewall.allowedUDPPorts = [ 6311 ]; + networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); services.sing-box = { enable = true; settings = { inbounds = [ { - tag = "sg1"; + tag = "sg0"; type = "trojan"; listen = "::"; listen_port = 8080; @@ -56,11 +56,11 @@ in ]; tls = singTls; } - { - tag = "sg2"; + ] ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "sg" + toString (port - 6310); type = "tuic"; listen = "::"; - listen_port = 6311; + listen_port = port; congestion_control = "bbr"; users = [ { name = "proxy"; @@ -69,8 +69,7 @@ in } ]; tls = singTls; - } - ]; + }); }; }; } diff --git a/machines/sing-box.nix b/machines/sing-box.nix index 037fa09..fe775f6 100644 --- a/machines/sing-box.nix +++ b/machines/sing-box.nix 
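Review bot: The network.nix hunk opens TCP and UDP 3389 in the global `allowedTCPPorts`/`allowedUDPPorts`, i.e. on every interface of a laptop including untrusted Wi-Fi, while `tailscale0` is already listed in `trustedInterfaces` in the hunk's context lines, so a service on 3389 was already reachable over the VPN without this change. If the port is only meant for VPN or LAN peers, drop the global entries or scope them: `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 3389 ];` (and the UDP counterpart). A comment naming what listens on 3389 would help either way.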
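Review bot: In the dolomite hunks `networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);` carries a redundant `[ ] ++`; `lib.range 6311 6314` alone yields the same list. The same port range and the `port - 6310` tag arithmetic now appear both in the firewall line and in the `lib.forEach` inbound block, so binding them once, e.g. `tuicPorts = lib.range 6311 6314;` in the `let` at the top of the file (outside this hunk), keeps the firewall and the listeners in sync when a port is added.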
@@ -110,6 +110,10 @@ in outbound = "direct"; } { geoip = "private"; outbound = "direct"; } + { + domain = sg_server; + outbound = "direct"; + } { geosite = "cn"; geoip = "cn"; @@ -119,9 +123,9 @@ in ]; }; outbounds = [ - { tag = "selfhost"; type = "urltest"; outbounds = [ "sg1" "sg2" ]; tolerance = 800; url = "http://www.gstatic.com/generate_204"; interval = "1m0s"; } - { tag = "sg1"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } - { tag = "sg2"; type = "tuic"; congestion_control = "bbr"; server = sg_server; server_port = 6311; uuid = sg_uuid; password = sg_password; tls = { enabled = true; server_name = sg_server; }; } + { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 800; url = "http://www.gstatic.com/generate_204"; interval = "1m0s"; } + { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } + { default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; } { tag = "direct"; type = "direct"; } 
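Review bot: The `selfhost` urltest derives its outbound tags from `lib.range 0 4`, while the matching tuic outbounds in the next hunk (`@@ -171,7 +175,17 @@`) derive theirs from `lib.range 6311 6314` with `port - 6310`; the two ranges agree only by hand, and adding a fifth port would silently leave it out of the selector. Binding the port list once and deriving both, e.g. `sgTags = [ "sg0" ] ++ map (p: "sg" + toString (p - 6310)) tuicPorts;`, removes that coupling. The `domain = sg_server; outbound = "direct";` rule added in the first hunk prevents the proxy from routing its own server through itself — a one-line comment saying so would help the next reader.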
@@ -171,7 +175,17 @@ in { inherit server uuid; security = "auto"; server_port = 1266; tag = "台湾中继6"; type = "vmess"; } { inherit server uuid; security = "auto"; server_port = 1251; tag = "韩国中继1"; type = "vmess"; } { inherit server uuid; security = "auto"; server_port = 1252; tag = "韩国中继2"; type = "vmess"; } - ]; + ] ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "sg" + toString (port - 6310); + type = "tuic"; + congestion_control = "bbr"; + server = sg_server; + server_port = port; + uuid = sg_uuid; + password = sg_password; + tls = { enabled = true; server_name = sg_server; }; + }); }; }; } + From 28bb623cc10a299687980ee4a6d3d781f18d22fb Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 30 Nov 2023 23:56:32 +0800 Subject: [PATCH 038/136] calcite: add cinny-desktop --- machines/calcite/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 58221f0..7fec3e2 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -188,6 +188,7 @@ digikam # IM + cinny-desktop tdesktop qq config.nur.repos.xddxdd.wechat-uos From 9bec6270ef0562342ada4d8912f7b41d4065f100 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 1 Dec 2023 22:22:43 +0800 Subject: [PATCH 039/136] calcite: add restic --- machines/calcite/configuration.nix | 18 +++++++++--- machines/calcite/secrets.yaml | 31 ++++++++++++++++++++ machines/restic.nix | 47 ++++++++++++++++++++++++++++++ machines/secrets.yaml | 4 +-- machines/sops.nix | 3 ++ 5 files changed, 97 insertions(+), 6 deletions(-) create mode 100644 machines/restic.nix diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 7fec3e2..d19bcd0 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -7,6 +7,7 @@ ./hardware-configuration.nix ./network.nix ../sops.nix + ../restic.nix ]; # Bootloader. 
@@ -174,9 +175,9 @@ android-studio # Gnome tweaks - gnomeExtensions.dash-to-dock - gnomeExtensions.tray-icons-reloaded gnomeExtensions.paperwm + gnomeExtensions.search-light + gnomeExtensions.tray-icons-reloaded gnome.gnome-tweaks gthumb @@ -235,11 +236,20 @@ nix.extraOptions = '' !include "${config.sops.secrets.github_public_token.path}" ''; - sops = { - secrets.github_public_token = { + + sops.secrets = { + restic_repo_calcite_password = { owner = "xin"; + sopsFile = ./secrets.yaml; + }; + restic_repo_calcite = { + owner = "xin"; + sopsFile = ./secrets.yaml; }; }; + custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path; + custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path; + # MTP support services.gvfs.enable = true; diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index e69de29..8e918b4 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml 
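Review bot: The restic secrets added in the second hunk are declared with `owner = "xin"`, but `services.restic.backups` runs its job as root unless `user` is set, and restic.nix in this commit does not set it, so the repository password and location become readable by the interactive user without the backup needing it. Dropping the `owner = "xin";` lines keeps the default root-only ownership and follows least privilege; if xin needs to run restic by hand, a separate secret with its own mode is cleaner than widening this one. The enclosing attribute set continues outside the hunk.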
@@ -0,0 +1,31 @@ +restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] +restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMDdkc2RUVlR5aEFtZ01l + d3EzaG9RNFd1QTVrNFIrZlJmOXNVWG1jRFJNCnFqL2VrUFljdGdGMW02RnJkNGxm + dmhUS0pMOURyWWkyVlp1UDQ5ZG11U2cKLS0tIDBiNnI0Qm5QN04zQ3NpTVMzNGpY + eFlOKzdGa0FRZ0R5Um12bUE2T0ZzbHMK62B0QniOnaUKLGrrRV934PqbCbUKtK3u + hN+53kRiitkL1gmaGqRbfu4FMns9VPKdoyfECcJ39HyScl9ZEj8mMw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycTBkMWlWMncybUFraS9R + ZWFjOGdDRlFLV2RlZHVFSEhMdExaekJWMFQwCk5hbFJhQ3cvbG9qdERnbFhLTnFs + NXQvcndjNHBMdk1XOTYydVlDMzk0Y0UKLS0tIGpLM20zTnREdllxRlc1SnJEVFBZ + WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g + FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-30T16:43:19Z" + mac: ENC[AES256_GCM,data:U3TilLQvxM01gwIkBM4vT53JRBiE4VBOC0T6dxLjZ9btVMEhGp3MNQMRK0I06JP/vm532/oOTh/No/AwdzOpXxlfNY/hxxij03v83cZraSy8eT53uFV2TfU9HELVmmItqV2rJ96jBvCIzZJ+uif1OwIefcU+ii/MC333sW5DL1A=,iv:9pKUp08MPtECxUE3gxud/4220RsJ/d+xOFljntOdxfo=,tag:vvFpZRDoIz4NGll5XxRhAg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/restic.nix b/machines/restic.nix new file mode 100644 index 0000000..1e8c763 --- /dev/null +++ b/machines/restic.nix 
@@ -0,0 +1,47 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.custom.restic; +in +{ + options = { + custom.restic = { + repositoryFile = lib.mkOption { + type = lib.types.str; + default = ""; + }; + passwordFile = lib.mkOption { + type = lib.types.str; + default = ""; + }; + }; + }; + config = { + services.restic.backups = { + remotebackup = { + repositoryFile = cfg.repositoryFile; + passwordFile = cfg.passwordFile; + paths = [ + "/home" + "/var/lib" + ]; + exclude = [ + "/home/*/.cache" + "/home/*/.cargo" + "/home/*/.local/share/Steam" + "/home/*/.local/share/flatpak" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + }; + }; +} + diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 57fbeb6..d868166 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -49,8 +49,8 @@ sops: TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-25T11:52:08Z" - mac: ENC[AES256_GCM,data:Qfz/3UP6ZDOZZupdkass7+Lv2ssgXwMW5mZ3w1mGpmo4Fq+8yQbNnQTLi78+R79bn+ntonexf51WUo0uwfYGtt+9YbbDSYxO7iaFhJ/e3sroo2tVO5gbkKByEMSYx/zkz8SYpg9fwGvjLl/8YurSnuyrI1mppkcu4AY75jeo9Iw=,iv:iPKUHm1Ui9MIhtrddskBX9pMna0y1w5gASbtsOY0LKc=,tag:03M0N7mWD6zSG2tSh7jffQ==,type:str] + lastmodified: "2023-11-30T16:23:27Z" + mac: ENC[AES256_GCM,data:TMy8toui6/DbFpyc+K7r+DN6Q21W9XKNxZeB44hJ+Sw3i+z46/m+lNJYbFVn/l/g7KykWMCi0UP8bgQtRrf6ARqyZkgXX/2H3FRyC1WXY9IJFXib05TtvXQQCkqscyWjEjkGBR8VREkVGCKEZAKdHqXFve70FrlxiWZgDv6QrIM=,iv:ukv1Mo6bwrTjsLnKzOesZiT1z5k6nvg7F8dk4fUsDUI=,tag:JM/iCdj+broRn1AxD2tQTg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/sops.nix b/machines/sops.nix index 96ac399..21a89c2 100644 --- a/machines/sops.nix +++ b/machines/sops.nix 
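Review bot: `repositoryFile` and `passwordFile` default to `""`, so a host that imports this module without setting them gets a scheduled `remotebackup` job with an empty repository path that only fails at run time; declaring them without a default (`lib.mkOption { type = lib.types.str; }`) turns that into an evaluation error, and `lib.types.path` would document that they are file paths. The backup also never initializes the repository, and restic refuses to back up into one that does not exist, so `initialize = true;` in the backup set is worth adding unless the repository is created by hand. `/var/lib` holds service state that is not necessarily consistent when copied live; a comment on which paths are intended, or a `backupPrepareCommand`, would help.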
@@ -6,6 +6,9 @@ # TODO: How to generate this key when bootstrap? age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; secrets = { + github_public_token = { + owner = "xin"; + }; clash_subscription_link = { owner = "root"; }; From 99861009450dc880e888c6b504654721d80f07f1 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 2 Dec 2023 01:33:20 +0800 Subject: [PATCH 040/136] move restic to nixosModules --- flake.nix | 3 ++- machines/calcite/configuration.nix | 2 +- modules/nixos/default.nix | 5 ++++- {machines => modules/nixos}/restic.nix | 5 +++-- 4 files changed, 10 insertions(+), 5 deletions(-) rename {machines => modules/nixos}/restic.nix (87%) diff --git a/flake.nix b/flake.nix index 0c61577..22af664 100644 --- a/flake.nix +++ b/flake.nix @@ -46,6 +46,7 @@ inherit system; specialArgs = specialArgs // { inherit inputs system; }; modules = [ + self.nixosModules.default home-manager.nixosModules.home-manager nur.nixosModules.nur ] ++ modules; @@ -53,7 +54,7 @@ evalSecrets = import ./eval_secrets.nix; in { - nixosModules = import ./modules/nixos; + nixosModules.default = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; colmena = { diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index d19bcd0..92dc4ca 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -7,7 +7,6 @@ ./hardware-configuration.nix ./network.nix ../sops.nix - ../restic.nix ]; # Bootloader. @@ -247,6 +246,7 @@ sopsFile = ./secrets.yaml; }; }; + custom.restic.enable = true; custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path; custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 077404a..1759f2f 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,3 +1,6 @@ +{ config, pkgs, ... }: { - + imports = [ + ./restic.nix + ]; } \ No newline at end of file 
diff --git a/machines/restic.nix b/modules/nixos/restic.nix similarity index 87% rename from machines/restic.nix rename to modules/nixos/restic.nix index 1e8c763..178d599 100644 --- a/machines/restic.nix +++ b/modules/nixos/restic.nix @@ -5,18 +5,19 @@ in { options = { custom.restic = { + enable = lib.mkEnableOption "restic"; repositoryFile = lib.mkOption { type = lib.types.str; default = ""; }; - passwordFile = lib.mkOption { + passwordFile = lib.mkOption { type = lib.types.str; default = ""; }; }; }; config = { - services.restic.backups = { + services.restic.backups = lib.mkIf cfg.enable { remotebackup = { repositoryFile = cfg.repositoryFile; passwordFile = cfg.passwordFile; From 9fb8bcd6213c202fd616d0aca4ba7d74a8d7ab81 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 6 Dec 2023 22:54:22 +0800 Subject: [PATCH 041/136] dolomite: add an instance at sg --- .sops.yaml | 6 +- flake.nix | 15 +++- machines/calcite/configuration.nix | 2 +- machines/dolomite/default.nix | 110 ++++++++++++++++------------- machines/secrets.yaml | 54 ++++++++------ machines/sing-box.nix | 20 +++++- machines/sops.nix | 5 +- 7 files changed, 132 insertions(+), 80 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index fd6a3d4..63e67a7 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,7 +2,8 @@ keys: - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - - &host-dolomite age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + - &host-dolomite00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + - &host-dolomite01 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: 
@@ -20,7 +21,8 @@ creation_rules: - *xin - *host-calcite - *host-raspite - - *host-dolomite + - *host-dolomite00 + - *host-dolomite01 - path_regex: home/xin/secrets.yaml key_groups: - age: diff --git a/flake.nix b/flake.nix index 22af664..ce335c2 100644 --- a/flake.nix +++ b/flake.nix @@ -75,9 +75,9 @@ ]; }; - dolomite = { name, nodes, pkgs, ... }: with inputs; { + dolomite00 = { name, nodes, pkgs, ... }: with inputs; { imports = [ - { nixpkgs.system = "x86_64-linux"; } + { nixpkgs.system = "x86_64-linux"; custom.domain = "video.namely.icu"; } machines/dolomite ]; deployment = { @@ -85,6 +85,17 @@ buildOnTarget = false; }; }; + + dolomite01 = { name, nodes, pkgs, ... }: with inputs; { + imports = [ + { nixpkgs.system = "x86_64-linux"; custom.domain = "video01.namely.icu"; } + machines/dolomite + ]; + deployment = { + targetHost = "video01.namely.icu"; + buildOnTarget = false; + }; + }; }; nixosConfigurations.calcite = mkNixos { diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 92dc4ca..c04f6ab 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -188,7 +188,7 @@ digikam # IM - cinny-desktop + element-desktop tdesktop qq config.nur.repos.xddxdd.wechat-uos diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 9bb2580..f50fb6f 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,8 +1,6 @@ { config, pkgs, lib, modulesPath, ... }: let - sg_server = { - _secret = config.sops.secrets.singbox_sg_server.path; - }; + cfg = config.custom; sg_password = { _secret = config.sops.secrets.singbox_sg_password.path; }; 
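Review bot: With `custom.domain = "video.namely.icu"` and `targetHost = "video01.namely.icu"` now in flake.nix (and the previous dolomite default.nix already naming the host), the server hostname is plaintext in the repository while machines/sing-box.nix still loads it from the `singbox_sg_server` sops secret; the secret no longer hides anything and only adds a decryption dependency. Either keep the name out of the flake and pass it through sops consistently, or drop the secret and use the plain option in both places. The two `dolomiteNN` nodes differ only in the domain string, so a small helper taking the domain would avoid the duplicated import and deployment blocks.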
@@ -11,65 +9,75 @@ let }; singTls = { enabled = true; - server_name = sg_server; - key_path = config.security.acme.certs."video.namely.icu".directory + "/key.pem"; - certificate_path = config.security.acme.certs."video.namely.icu".directory + "/cert.pem"; + server_name = cfg.domain; + key_path = config.security.acme.certs.${cfg.domain}.directory + "/key.pem"; + certificate_path = config.security.acme.certs.${cfg.domain}.directory + "/cert.pem"; }; in { + options = { + custom.domain = lib.mkOption { + type = lib.types.str; + default = ""; + }; + }; + imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ../sops.nix ]; - boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; - boot.kernel.sysctl = { - "net.core.default_qdisc" = "fq"; - "net.ipv4.tcp_congestion_control" = "bbr"; - }; + config = { + boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + }; - networking.firewall.trustedInterfaces = [ "tun0" ]; + networking.firewall.trustedInterfaces = [ "tun0" ]; - security.acme = { - acceptTerms = true; - certs."video.namely.icu" = { - email = "me@namely.icu"; - listenHTTP = ":80"; + security.acme = { + acceptTerms = true; + certs.${cfg.domain} = { + email = "me@namely.icu"; + listenHTTP = ":80"; + }; + }; + networking.firewall.allowedTCPPorts = [ 80 8080 ]; + networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); + + services.sing-box = { + enable = true; + settings = { + inbounds = [ + { + tag = "sg0"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = [ + { name = "proxy"; + password = sg_password; + } + ]; + tls = singTls; + } + ] ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "sg" + toString (port - 6310); + type = "tuic"; + listen = "::"; + listen_port = port; + congestion_control = "bbr"; + users = [ + { name = "proxy"; + uuid = sg_uuid; + password = sg_password; + } + ]; + tls = singTls; + }); + }; }; }; - 
networking.firewall.allowedTCPPorts = [ 80 8080 ]; - networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); - services.sing-box = { - enable = true; - settings = { - inbounds = [ - { - tag = "sg0"; - type = "trojan"; - listen = "::"; - listen_port = 8080; - users = [ - { name = "proxy"; - password = sg_password; - } - ]; - tls = singTls; - } - ] ++ lib.forEach (lib.range 6311 6314) (port: { - tag = "sg" + toString (port - 6310); - type = "tuic"; - listen = "::"; - listen_port = port; - congestion_control = "bbr"; - users = [ - { name = "proxy"; - uuid = sg_uuid; - password = sg_password; - } - ]; - tls = singTls; - }); - }; - }; } diff --git a/machines/secrets.yaml b/machines/secrets.yaml index d868166..6f33bd8 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -5,6 +5,7 @@ github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGt singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str] singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str] singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str] +singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:+Nwsx65/gdrDhL1ZurR5Ng==,type:str] singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str] singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str] sops: 
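Review bot: `custom.domain` is declared with `default = ""`, so a node that forgets to set it evaluates to `certs.""`, `server_name = ""` and a `key_path` under an empty certificate name instead of failing; declaring the option without a default (`custom.domain = lib.mkOption { type = lib.types.str; };`) makes that an evaluation error, and a `description` would document that it must be a public DNS name the ACME HTTP-01 listener on :80 can answer for. The `options`/`imports`/`config` split is otherwise fine; the hunk begins on the previous line.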
@@ -16,41 +17,50 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTW9oblRGVXZSYU1UaUpY - bEJvd0FST3gydXRzQ25GNm5vMEsyMlJpU0RRCjNFTk9rajQraGhoWFhFTDFtTnNE - aDNuaTZRZUtVcWkrN1RvZmZBRmJVTVkKLS0tIFdta3l4M3JoTU9tTllLUENOdTU0 - K2UxRnNTcEw4OC85cWdFNlVSMnlseFUKXtUh8vavnw5I+16bZszXNXmDndXovAN/ - XzrbfhXyE8B7jxlsSp6b5mu7RXWHP9knM2BqfrhhK0NJ/uuKfKNIEA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweTlPTGVRbUlndTdES0s2 + SVM2N2FUMnozQk11cDk0cTFEb1l6YldkVHc4CmhnNzJyY1VKRWhpc0tTbFNKeDBD + a0hzMi93Ly9zY2Fjd1RCdjV6WnVmOU0KLS0tIFh6NVFteWxxNithMGM0dnJiNE9X + dGovQ2ZMZWx1djVkb0Y4ZVNLRDJPRncKz0N/zP3mN97BpLaDgE9hx/zooGyHAnvC + D8iH/1PZ21uMYeUQq83B8mDKbv+qAltA/vD+ZNnb4ULjYLmVn5p/hQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzd2tMOXVCZFJsaWJDV1FQ - UWpoSDgxVUZ6UCt3Z2I5YjFxcnUzK3dNVndnClZBV29OV0swZzd5UmJsQ2J3RFpo - UnpvQ21BajBYc2xzWDNHWStzNTJLelkKLS0tIDNROGJQTzNDZUZHU09RcUpGemJr - dnpGSmdCRXJsU2FNV0V1N0pSczJwRTgK99s4wGGlpgkmr6sFzw8iqEPy2c3CvrvK - Ak+DlVCx6G9YXCIoXPIysY3EkfrKQwf/5LUMxSTN8V1gOMeTyomt/w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUkxVTUtYZ0RWUFVxY0Rl + UFFadVlzUFJVMGpzRVd5bHVDQmQycVlNSkcwCkMvcUJMRFVWTzNHZ3pxemRLelJP + K3pQMFdURmpRUVRuL1lzT09FVVdBd3MKLS0tIE9LY0NHSW1UWUJpbWdNQW1CVUlD + b1FmZnVjOFFCMDVXdFBtZzZWdkt6RVUKvLoHmEhkyeKHlstRoT3duTIQTojxzcFI + NapIBB3/6Qqho+kYc8/hLWb61EsSX9yqO9C6f6FpFrwi0696OvP3mA== -----END AGE ENCRYPTED FILE----- - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWU0xQzRqbG1CTnlSZmFj - TFZvMHU3NVVQTTVHZzJkZ3FGS3doRXhGamdjCk0vaGVaZWlwT2NLd0NPeUliQ09Q - cFNiMGZqUHliUEw1WDlWV3ZsR0lRYzAKLS0tIG8wWm1IK2tpRGhQVVNCQU83cnFB - 
S1lwZ2NDRGQyOW92R2JLakRUMG1JUkUKHNvXcHFlbgssrzLVdFxIT7QpMiPK5zoy - /OqQhXZ/ewER3b+kMidZv5QXU6GvMWsriT24/yyfTc0tEe7t/Ojm4A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFNoMmNXV2F1U2E2bUhv + K3lGTCs2KzZYbXVlWEdVelNDTS80SW85c0J3CkszNGkrbFVKWks4dmwyYlpQMkpW + Zm02cG41ZlpwcEdCbzFkSHpjWHpCdG8KLS0tIHlrNXp6TTI5ZnhGTUNMWTZ0ekVS + VExPWk1zeVExYXdaL2o1WVB5NlhsNFkK3vsnc4qE08W13ttzt+YCHbQh2c/mOxFZ + DneXTgOjkyBaY5JDFKlzlIN3m8QRBG5vPOuSKXaoFmY8E68RzNey3w== -----END AGE ENCRYPTED FILE----- - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZK3o4WkZqaldXd2lBUm5r - NWVNMVh5SXZmVmFlUldiVUdrYitPK3dUUVJzCjJnSHR0ZmpmMzF3ZnlBeEJ6bHc0 - T0p2SXpoOGprbEdyUC9oWklTRndFcTAKLS0tIGN6VUZmVEJkWk5xR2dUaU1mbkZB - TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb - naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdHA5WHA2V2RNTTZXNVVT + Wks2a2tqT045ZkJFYTN2RHhmdkZxMjlPRDNFCm1HaHhLNkp6NWZxNUYvOTRybE1Z + Y1l5eDFkcXRWSko3ODhqV2htb3pzcDQKLS0tIGI3YlI4dCtMbGl1aHFZdDBic0Jv + LzV3NWhFQTlaZ1Y3R0paaEZPZDNpZzgK3/ZE3+F+mq574MfiF7PRlKmAU6mUTiGF + Ffqh0kQumHH7nBuunD0L7Zp2j15hMjUs/oxX558jY9BNl+rN2VWO0Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-30T16:23:27Z" - mac: ENC[AES256_GCM,data:TMy8toui6/DbFpyc+K7r+DN6Q21W9XKNxZeB44hJ+Sw3i+z46/m+lNJYbFVn/l/g7KykWMCi0UP8bgQtRrf6ARqyZkgXX/2H3FRyC1WXY9IJFXib05TtvXQQCkqscyWjEjkGBR8VREkVGCKEZAKdHqXFve70FrlxiWZgDv6QrIM=,iv:ukv1Mo6bwrTjsLnKzOesZiT1z5k6nvg7F8dk4fUsDUI=,tag:JM/iCdj+broRn1AxD2tQTg==,type:str] + - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueFhiQzdMaU1zR2VtOEtO + WFVtdVJLU3B3TzRSSENodUpuUm03TnBHQnhBCmRrdjJScEVsS0JTQmthZWIzVFlv + TVY3TUo0VllPWElua21mczZvT3YxYjAKLS0tIFpDcE0wSXdSRXFGY2tLd1orVE9L + 
Y2MyZUhOaEVVZU9Hc0xHbWtMdG1Ca2cKHU7pgODnNVDiMFF6be07a320a9HWKIdO + OKFA9R6WX1TFhKBKNDqK/mokJBTxu4nR16ewHSWOU13O/M8aKCQhug== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-02T15:24:19Z" + mac: ENC[AES256_GCM,data:dgWoBRMuDxVT/j/ybQX7suehwsjy86rJ0pJ1UeDQcTywIeK8WgIvNuq+T1x9UFgPWn7xt+vMQV665hugTl8T4Wb7Eot2FqM3KPq8EONVaGLAxtQv75MQmcJD+5kfSSsDC+HVujmWl5uFy5jzFJgrHEsm2v9lCxRO/2kvjbQbZAM=,iv:YBz+OewY51YNhjPF4QSq27vT6zEwFCkPW5MctOQ7AvQ=,tag:Tfbo7o4QgMUP6UPTJ36dTg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/sing-box.nix b/machines/sing-box.nix index fe775f6..e83fa05 100644 --- a/machines/sing-box.nix +++ b/machines/sing-box.nix @@ -12,6 +12,10 @@ let sg_server = { _secret = config.sops.secrets.singbox_sg_server.path; }; + jp_server = { + _secret = config.sops.secrets.singbox_jp_server.path; + }; + # TODO: diffrent password sg_password = { _secret = config.sops.secrets.singbox_sg_password.path; }; @@ -50,6 +54,10 @@ in domain_suffix = sg_server; server = "_dns_doh_mainland"; } + { + domain_suffix = jp_server; + server = "_dns_doh_mainland"; + } ]; servers = [ { 
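Review bot: Adding the recipient `age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj` to this shared file re-encrypts every key in it, so the new host can now decrypt `github_public_token`, `singbox_password` and the other proxy hosts' credentials, not only the `singbox_jp_server` value it presumably needs. A per-host secrets file (the `machines/<host>/secrets.yaml` layout this repository uses elsewhere) keeps each host's decryption rights limited to what it consumes. The `.sops.yaml` creation rule that authorises this recipient is not part of this patch, so I cannot tell whether the key was added as a host key or as an operator key.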
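Review bot: The new `jp_server` endpoint is wired with the same `sg_password` and `sg_uuid` as the Singapore one: the `jp0` trojan outbound in the `@@ -123,8 +131,9 @@` hunk and the `jp1`–`jp4` tuic outbounds in the `@@ -184,6 +193,15 @@` hunk both reuse them, so a credential recovered from either server authenticates to both. The `# TODO: diffrent password` comment covers the password only; the tuic `uuid` is shared as well. Adding `jp_password`/`jp_uuid` bindings backed by their own sops secrets, mirroring how `jp_server` is introduced here, would contain a compromise to one host. The `let` block this extends begins above the hunk.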
@@ -123,8 +131,9 @@ in ]; }; outbounds = [ - { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 800; url = "http://www.gstatic.com/generate_204"; interval = "1m0s"; } + { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://www.gstatic.com/generate_204"; } { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } + { tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } { default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; } @@ -184,6 +193,15 @@ in uuid = sg_uuid; password = sg_password; tls = { enabled = true; server_name = sg_server; }; + }) ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "jp" + toString (port - 6310); + type = "tuic"; + congestion_control = "bbr"; + server = jp_server; + server_port = port; + uuid = sg_uuid; + password = sg_password; + tls = { enabled = true; server_name = jp_server; }; }); }; }; diff --git a/machines/sops.nix b/machines/sops.nix index 21a89c2..13a57d3 100644 
--- a/machines/sops.nix +++ b/machines/sops.nix @@ -7,7 +7,7 @@ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; secrets = { github_public_token = { - owner = "xin"; + owner = "root"; }; clash_subscription_link = { owner = "root"; @@ -21,6 +21,9 @@ singbox_sg_server = { owner = "root"; }; + singbox_jp_server = { + owner = "root"; + }; singbox_sg_password = { owner = "root"; }; From fecdda70d7fac93bde719fe38b7a4121e9c5adad Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 7 Dec 2023 00:00:30 +0800 Subject: [PATCH 042/136] massicot: add ssh to forgejo --- machines/massicot/services.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index c81fe41..84322c1 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -58,6 +58,10 @@ in service.DISABLE_REGISTRATION = true; server = { ROOT_URL = "https://git.xinyang.life/"; + START_SSH_SERVER = true; + BUILTIN_SSH_SERVER_USER = "git"; + SSH_DOMAIN = "ssh.xinyang.life"; + SSH_PORT = 2222; }; repository = { ENABLE_PUSH_CREATE_USER = true; @@ -126,6 +130,6 @@ in }; - networking.firewall.allowedTCPPorts = [ 80 443 8448 ]; + networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ]; networking.firewall.allowedUDPPorts = [ 80 443 8448 ]; } From dd1e8193292d7a9728cef5daa513af0b3e2321ff Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 7 Dec 2023 00:00:43 +0800 Subject: [PATCH 043/136] massicot: turn on optimise --- machines/massicot/default.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 955d647..9b1dcd7 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix 
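Review bot: `START_SSH_SERVER = true` stands up a second, Internet-facing SSH daemon (port 2222 is opened in the `@@ -126,6 +130,6 @@` hunk) that does not inherit the system sshd hardening this series applies elsewhere (`PasswordAuthentication = false` in `machines/massicot/default.nix`) and, unless configured, runs with the built-in server's default key-exchange, cipher and MAC lists. Consider pinning them in the same `server` block, e.g. `SSH_SERVER_KEY_EXCHANGES = "curve25519-sha256";` together with explicit `SSH_SERVER_CIPHERS`/`SSH_SERVER_MACS` values, and restricting the bind address with `SSH_LISTEN_HOST` if the host has more than one interface. The built-in server's host key lives under Forgejo's state directory rather than `/etc/ssh`, so it should be included in whatever backs up or pins host keys. The `settings.server` block continues outside the hunk.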
@@ -19,6 +19,14 @@ ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 7d"; + }; + nix.optimise.automatic = true; + nix.settings.auto-optimise-store = true; + system.stateVersion = "22.11"; @@ -32,7 +40,6 @@ PasswordAuthentication = false; }; }; - programs.mosh.enable = true; systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; From 60b1409b137335743862be439ea75ff86ae31628 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 15 Dec 2023 21:24:46 +0800 Subject: [PATCH 044/136] calcite: add nix-index-database --- flake.lock | 324 ++++++----------------------- flake.nix | 8 +- home/xin/calcite/default.nix | 5 +- machines/calcite/configuration.nix | 4 + 4 files changed, 74 insertions(+), 267 deletions(-) diff --git a/flake.lock b/flake.lock index b1fc420..714b2a5 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,78 +1,5 @@ { "nodes": { - "conduit": { - "inputs": { - "crane": "crane", - "fenix": "fenix", - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1691686916, - "narHash": "sha256-TpNssMHvSKcxJMas5lQNWEbIv09u4/niBN2C27Mp0JY=", - "owner": "famedly", - "repo": "conduit", - "rev": "0c2cfda3ae923d9e922d5edf379e4d8976a52d4e", - "type": "gitlab" - }, - "original": { - "owner": "famedly", - "ref": "v0.6.0", - "repo": "conduit", - "type": "gitlab" - } - }, - "crane": { - "inputs": { - "flake-compat": "flake-compat", - "flake-utils": [ - "conduit", - "flake-utils" - ], - "nixpkgs": [ - "conduit", - "nixpkgs" - ], - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1688772518, - "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=", - "owner": "ipetkov", - "repo": "crane", - "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "fenix": { - "inputs": { - "nixpkgs": [ - "conduit", - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" - }, - "locked": { - "lastModified": 1689488573, - "narHash": "sha256-diVASflKCCryTYv0djvMnP2444mFsIG0ge5pa7ahauQ=", - "owner": "nix-community", - "repo": "fenix", - "rev": "39096fe3f379036ff4a5fa198950b8e79defe939", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "fenix", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { 
@@ -89,83 +16,16 @@ "type": "github" } }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems" }, "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "locked": { - "lastModified": 1638122382, - "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { 
@@ -181,11 +41,11 @@ ] }, "locked": { - "lastModified": 1701071203, - "narHash": "sha256-lQywA7QU/vzTdZ1apI0PfgCWNyQobXUYghVrR5zuIeM=", + "lastModified": 1701728041, + "narHash": "sha256-x0pyrI1vC8evVDxCxyO6olOyr4wlFg9+VS3C3p4xFYQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "db1878f013b52ba5e4034db7c1b63e8d04173a86", + "rev": "ac7216918cd65f3824ba7817dea8f22e61221eaf", "type": "github" }, "original": { @@ -194,20 +54,42 @@ "type": "github" } }, - "nix-vscode-extensions": { + "nix-index-database": { "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1701048169, - "narHash": "sha256-gsYFAIDMyXztMl39/EQzIVjQx/7z+0XPuCDhkrF2tbw=", + "lastModified": 1702177733, + "narHash": "sha256-lr3hkmmuqDFPj3i41cHpaALF3Txo3kxsJ3L6jZLujJ8=", + "owner": "Mic92", + "repo": "nix-index-database", + "rev": "58ecd98e27e27fcbb27a51a588555c828b1ec56e", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-index-database", + "type": "github" + } + }, + "nix-vscode-extensions": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1701825722, + "narHash": "sha256-vpT4hY8DDu39b9AMKCJIEVgQSfm+QKDGUjpVPFxNhTs=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "23dfda3e3df1901d38f1efc98d3e90cefd73ff5d", + "rev": "8f5a362c9ea3824d70458485abf9d162b8765034", "type": "github" }, "original": { @@ -218,7 +100,9 @@ }, "nixos-cn": { "inputs": { - "flake-utils": "flake-utils_4", + "flake-utils": [ + "flake-utils" + ], "nixpkgs": [ "nixpkgs" ] 
@@ -239,11 +123,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1701020860, - "narHash": "sha256-NwnRn04C8s+hH+KdVtGmVB1FFNIG7DtPJmQSCBDaET4=", + "lastModified": 1701656485, + "narHash": "sha256-xDFormrGCKKGqngHa2Bz1GTeKlFMMjLnHhTDRdMJ1hs=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b006ec52fce23b1d57f6ab4a42d7400732e9a0a2", + "rev": "fa194fc484fd7270ab324bb985593f71102e84d1", "type": "github" }, "original": { @@ -255,11 +139,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700794826, - "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=", + "lastModified": 1701718080, + "narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8", + "rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335", "type": "github" }, "original": { @@ -271,11 +155,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1701053011, - "narHash": "sha256-8QQ7rFbKFqgKgLoaXVJRh7Ik5LtI3pyBBCfOnNOGkF0=", + "lastModified": 1701615100, + "narHash": "sha256-7VI84NGBvlCTduw2aHLVB62NvCiZUlALLqBe5v684Aw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5b528f99f73c4fad127118a8c1126b5e003b01a9", + "rev": "e9f06adb793d1cca5384907b3b8a4071d5d7cb19", "type": "github" }, "original": { @@ -287,11 +171,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1700905716, - "narHash": "sha256-w1vHn2MbGfdC+CrP3xLZ3scsI06N0iQLU7eTHIVEFGw=", + "lastModified": 1701568804, + "narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dfb95385d21475da10b63da74ae96d89ab352431", + "rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4", "type": "github" }, "original": { 
@@ -301,29 +185,13 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1700856099, - "narHash": "sha256-RnEA7iJ36Ay9jI0WwP+/y4zjEhmeN6Cjs9VOFBH7eVQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "0bd59c54ef06bc34eca01e37d689f5e46b3fe2f1", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nur": { "locked": { - "lastModified": 1701176534, - "narHash": "sha256-AFYe8bkcwYZOBjkbEXzo82jy6hOrduCkoHV9eCPa4NA=", + "lastModified": 1701906331, + "narHash": "sha256-4dzaExoiung1HWn0nTp9xBHtB5rQMTsfOC2FtJuUoH4=", "owner": "nix-community", "repo": "NUR", - "rev": "1cd0a267b09c8c035e5c32bf9e1017b5ae90bec4", + "rev": "b8ad2b1feccf3b75e2d7fabad6d97769318febf4", "type": "github" }, "original": { @@ -334,9 +202,9 @@ }, "root": { "inputs": { - "conduit": "conduit", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", "home-manager": "home-manager", + "nix-index-database": "nix-index-database", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-cn": "nixos-cn", "nixos-hardware": "nixos-hardware", 
@@ -346,61 +214,19 @@ "sops-nix": "sops-nix" } }, - "rust-analyzer-src": { - "flake": false, - "locked": { - "lastModified": 1689441253, - "narHash": "sha256-4MSDZaFI4DOfsLIZYPMBl0snzWhX1/OqR/QHir382CY=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "996e054f1eb1dbfc8455ecabff0f6ff22ba7f7c8", - "type": "github" - }, - "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" - } - }, - "rust-overlay": { - "inputs": { - "flake-utils": [ - "conduit", - "crane", - "flake-utils" - ], - "nixpkgs": [ - "conduit", - "crane", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1688351637, - "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_2", + "nixpkgs": [ + "nixpkgs" + ], "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1701127353, - "narHash": "sha256-qVNX0wOl0b7+I35aRu78xUphOyELh+mtUp1KBx89K1Q=", + "lastModified": 1701728052, + "narHash": "sha256-7lOMc3PtW5a55vFReBJLLLOnopsoi1W7MkjJ93jPV4E=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b1edbf5c0464b4cced90a3ba6f999e671f0af631", + "rev": "e91ece6d2cf5a0ae729796b8f0dedceab5107c3d", "type": "github" }, "original": { 
@@ -423,36 +249,6 @@ "repo": "default", "type": "github" } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index c8c02e2..0ed4249 100644 --- a/flake.nix +++ b/flake.nix @@ -12,11 +12,13 @@ nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; }; nixos-cn = { url = "github:nixos-cn/flakes"; inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; }; nur = { @@ -36,8 +38,10 @@ url = "github:numtide/flake-utils"; }; - conduit.url = "gitlab:famedly/conduit/v0.6.0"; - conduit.inputs.nixpkgs.follows = "nixpkgs"; + nix-index-database = { + url = "github:Mic92/nix-index-database"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; diff --git a/home/xin/calcite/default.nix b/home/xin/calcite/default.nix index 1a13e94..94e3d77 100644 --- a/home/xin/calcite/default.nix +++ b/home/xin/calcite/default.nix @@ -1,11 +1,14 @@ -{ config, pkgs, ... }: +{ inputs, config, pkgs, ... }: { imports = [ ../common ../vscode.nix ../alacritty.nix + inputs.nix-index-database.hmModules.nix-index ]; + programs.nix-index-database.comma.enable = true; + home.username = "xin"; home.homeDirectory = "/home/xin"; home.stateVersion = "23.05"; 
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c04f6ab..d6b36dd 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -119,6 +119,7 @@ # $ nix search wget environment.systemPackages = with pkgs; [ # Filesystem + owncloud-client nfs-utils winetricks @@ -177,6 +178,7 @@ gnomeExtensions.paperwm gnomeExtensions.search-light gnomeExtensions.tray-icons-reloaded + gnomeExtensions.gsconnect gnome.gnome-tweaks gthumb @@ -227,6 +229,8 @@ dates = "weekly"; options = "--delete-older-than 30d"; }; + nix.optimise.automatic = true; + nix.settings = { experimental-features = [ "nix-command" "flakes" ]; auto-optimise-store = true; From 0b772880b5a3f60e11dfea413520783da7b676e5 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 15 Dec 2023 21:26:20 +0800 Subject: [PATCH 045/136] massicot: add storage-box as extra storage --- .sops.yaml | 7 +++++++ machines/massicot/default.nix | 24 ++++++++++++++++++++++- machines/massicot/networking.nix | 2 +- machines/massicot/secrets.yaml | 31 ++++++++++++++++++++++++++++++ machines/massicot/services.nix | 33 +++++++++++++++++++++++++------- 5 files changed, 88 insertions(+), 9 deletions(-) create mode 100644 machines/massicot/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 63e67a7..b712e57 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - &host-dolomite00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - &host-dolomite01 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: @@ -15,6 +16,12 @@ creation_rules: - age: - *xin - *host-raspite + - path_regex: machines/massicot/secrets.yaml + key_groups: + - age: + - *xin + - *host-massicot + - path_regex: machines/secrets.yaml key_groups: - age: 
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 9b1dcd7..ab6a5f3 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -1,11 +1,25 @@ -{ config, libs, pkgs, ... }: +{ inputs, config, libs, pkgs, ... }: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ./networking.nix ./services.nix ]; + + sops = { + defaultSopsFile = ./secrets.yaml; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets = { + storage_box_mount = { + owner = "root"; + }; + gts_env = { + owner = "gotosocial"; + }; + }; + }; boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.efiSysMountPoint = "/boot"; @@ -14,7 +28,14 @@ efiSupport = true; }; + fileSystems."/mnt/storage" = { + device = "//u380335-sub1.your-storagebox.de/u380335-sub1"; + fsType = "cifs"; + options = ["credentials=${config.sops.secrets.storage_box_mount.path}"]; + }; + environment.systemPackages = with pkgs; [ + cifs-utils git ]; @@ -59,5 +80,6 @@ commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } ]; + } diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index 4aadb44..9588be9 100644 --- a/machines/massicot/networking.nix +++ b/machines/massicot/networking.nix @@ -1,4 +1,4 @@ -{ +{ pkgs, ... }: { networking = { interfaces = { eth0.useDHCP = true; diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml new file mode 100644 index 0000000..d2b0faa --- /dev/null +++ b/machines/massicot/secrets.yaml 
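Review bot: The new `fileSystems."/mnt/storage"` CIFS mount to the remote storage box passes only `credentials=`, so the SMB dialect and on-the-wire encryption are left to negotiation and the mount is treated as a boot-critical local filesystem. Add `seal` to require SMB3 encryption, pin the dialect with `vers=3.0` or higher, and mark it `_netdev,nofail` (or use `x-systemd.automount`) so an unreachable storage box does not block boot; in one line: `options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" "seal" "vers=3.0" "_netdev" "nofail" ];`. The same applies to the per-share mounts added to `machines/massicot/services.nix` in this patch, which nest under this mount point and share the credentials file.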
@@ -0,0 +1,31 @@ +storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] +gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aGRvUUtjcDU2bnhaNDJD + K3c5TnFJeHQzM2VpeHphR2dGeS9NYzcyYjJnCnNrQ3dxL1hqR2MyQXhldUZ1VEJp + N25nVHZ1QjRydW9hTWE5d0x2M2pPNkkKLS0tIFpiRW8rZ1Q1R1RCZGN1ZGs3ek45 + UENaRjJPWFJqUlpzd3dHSC9pdnZ6STQKQaaY28FYUk3O9TTkX9LQTzlrqZVojgxY + M+N6LApfdoioQCmXduDbj18i0eUbECTBXR/uEFEIHbn6AJVD/vx7iw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRY0lIeE9tWDA3Q21IWk1E + YnlaQUJybFB2bmFpbG1UZ0UyNG16WkRkZlNVCmUySHVBcXpWekpVN3R5dGs5ODY1 + V1ZlUk4zRSs1NkVjY3JSMVVQSXJ1OEkKLS0tIFMzeUNaYVpoNnV3TE1oamEwTEo2 + dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i + V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-15T13:06:05Z" + mac: ENC[AES256_GCM,data:ArxA3+i+W2hU0mpzjPqzBA1pQdZySwJ+LVAez2PWFMsrgT4QATi+KmlWWfuPBkOq/DYafAES8lTemDeuzuQl7bWZq06g3s35C8Q3D/TDUKFF3ALEL5grSxKTVzg4Npjc2q2OIOXrIp/j83Gn1lBuyBFg0YdGkJ+b/BmDGkTbyUg=,iv:8MB/+WklLsFTnlvxLyvCK8VUMNeXtaPTGXlp9hRGzOM=,tag:VbbnQfPewNGdrPqmZJSYlA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 84322c1..48cbed2 100644 --- a/machines/massicot/services.nix 
+++ b/machines/massicot/services.nix @@ -3,6 +3,23 @@ let kanidm_listen_port = 5324; in { + networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ]; + networking.firewall.allowedUDPPorts = [ 80 443 8448 ]; + + fileSystems = builtins.listToAttrs (map (share: { + name = "/mnt/storage/${share}"; + value = { + device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; + fsType = "cifs"; + options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"]; + }; + }) [ "forgejo" "gotosocial" "conduit" ] ); + + system.activationScripts = { + conduit-media-link.text = '' + ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media + ''; + }; security.acme = { acceptTerms = true; certs."auth.xinyang.life" = { @@ -47,13 +64,19 @@ in oidc-idp-name = "Kanidm"; oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts"; oidc-client-id = "gts"; - oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5"; oidc-link-existing = true; + storage-local-base-path = "/mnt/storage/gotosocial/storage"; }; + environmentFile = config.sops.secrets.gts_env.path; }; services.forgejo = { enable = true; + repositoryRoot = "/mnt/storage/forgejo/repositories"; + lfs = { + enable = true; + contentDir = "/mnt/storage/forgejo/lfs"; + }; settings = { service.DISABLE_REGISTRATION = true; server = { @@ -62,6 +85,8 @@ in BUILTIN_SSH_SERVER_USER = "git"; SSH_DOMAIN = "ssh.xinyang.life"; SSH_PORT = 2222; + LFS_MAX_FILE_SIZE = 10737418240; + LANDING_PAGE = "/explore/repos"; }; repository = { ENABLE_PUSH_CREATE_USER = true; @@ -125,11 +150,5 @@ in } } ''; - # - # respond `Hello World` - }; - - networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ]; - networking.firewall.allowedUDPPorts = [ 80 443 8448 ]; } From 079ece082a4870ff0bfd81b014daf0ad0ab5e11a Mon Sep 17 00:00:00 2001 
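Review bot: The `oidc-client-secret` literal removed in the `@@ -47,13 +64,19 @@` hunk was committed in cleartext, so moving it into `environmentFile = config.sops.secrets.gts_env.path` protects the working tree but not the history: anyone holding a clone still has the old value. The secret should be rotated on the `gts` OAuth2 client in Kanidm and only the new value placed in the sops-encrypted `gts_env`; otherwise the migration is cosmetic. The `services.gotosocial` block this belongs to begins above the hunk.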
From: xinyangli Date: Sun, 17 Dec 2023 14:55:53 +0800 Subject: [PATCH 046/136] massicot: add vaultwarden server --- flake.nix | 5 ++-- machines/massicot/services.nix | 5 ++++ modules/nixos/default.nix | 1 + modules/nixos/vaultwarden.nix | 47 ++++++++++++++++++++++++++++++++++ 4 files changed, 56 insertions(+), 2 deletions(-) create mode 100644 modules/nixos/vaultwarden.nix diff --git a/flake.nix b/flake.nix index 0ed4249..8584b8d 100644 --- a/flake.nix +++ b/flake.nix @@ -85,11 +85,12 @@ }; massicot = { name, nodes, pkgs, ... }: with inputs; { - deployment.targetHost = "***REMOVED***"; - deployment.targetUser = "root"; + deployment.targetHost = "49.13.13.122"; + deployment.targetUser = "xin"; imports = [ { nixpkgs.system = "aarch64-linux"; } + self.nixosModules.default machines/massicot ]; }; diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 48cbed2..410d546 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -6,6 +6,11 @@ in networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ]; networking.firewall.allowedUDPPorts = [ 80 443 8448 ]; + custom.vaultwarden = { + enable = true; + domain = "vaultwarden.xinyang.life"; + }; + fileSystems = builtins.listToAttrs (map (share: { name = "/mnt/storage/${share}"; value = { diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 1759f2f..1b91ad5 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -2,5 +2,6 @@ { imports = [ ./restic.nix + ./vaultwarden.nix ]; } \ No newline at end of file diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix new file mode 100644 index 0000000..6c0af66 --- /dev/null +++ b/modules/nixos/vaultwarden.nix 
@@ -0,0 +1,47 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.custom.vaultwarden; +in +{ + options = { + custom.vaultwarden = { + enable = mkEnableOption "vaultwarden server"; + domain = mkOption { + type = types.str; + default = "bitwarden.example.com"; + description = "Domain name of the vaultwarden server"; + }; + caddy = mkOption { + type = types.bool; + default = true; + description = "Enable Caddy as reverse proxy"; + }; + # TODO: mailserver support + }; + }; + config = { + services.vaultwarden = mkIf cfg.enable { + enable = true; + dbBackend = "sqlite"; + config = { + DOMAIN = "https://${cfg.domain}"; + SIGNUPS_ALLOWED = false; + + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8222; + + ROCKET_LOG = "critical"; + }; + }; + services.caddy = mkIf cfg.caddy { + enable = true; + virtualHosts."https://${cfg.domain}".extraConfig = '' + reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT} + ''; + }; + }; +} + From 4e9bf3ebacd76541a69595d3f9792d8981760b53 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 18 Dec 2023 10:46:01 +0800 Subject: [PATCH 047/136] init prometheus module --- modules/nixos/default.nix | 1 + modules/nixos/prometheus.nix | 48 ++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 modules/nixos/prometheus.nix diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 1b91ad5..e89ad69 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -3,5 +3,6 @@ imports = [ ./restic.nix ./vaultwarden.nix + ./prometheus.nix ]; } \ No newline at end of file diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix new file mode 100644 index 0000000..ac0a976 --- /dev/null +++ b/modules/nixos/prometheus.nix 
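Review bot: `services.caddy = mkIf cfg.caddy { ... }` is gated on `cfg.caddy` alone, which defaults to `true`, so any host that imports this module without setting `custom.vaultwarden.enable` still gets Caddy enabled with a `https://bitwarden.example.com` virtual host, and its `reverse_proxy` line dereferences `config.services.vaultwarden.config.ROCKET_ADDRESS`, which is only defined under `mkIf cfg.enable` and, as far as I can tell, fails evaluation with a missing attribute otherwise. Gate it on both flags: `services.caddy = mkIf (cfg.enable && cfg.caddy) {`. Because `modules/nixos/default.nix` now imports this file, every host that pulls in `self.nixosModules.default` is affected, not only the one that asked for vaultwarden.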
@@ -0,0 +1,48 @@
+
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.custom.prometheus;
+in
+{
+ options = {
+ custom.prometheus = {
+ enable = mkEnableOption "Prometheus instance";
+ exporters = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable Prometheus exporter on every supported services";
+ };
+ };
+ };
+ };
+
+ config = {
+ services.prometheus = mkIf cfg.enable {
+ enable = true;
+ port = 9091;
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9100;
+ };
+ };
+ scrapeConfigs = [
+ { job_name = "prometheus";
+ static_configs = [
+ { targets = [ "localhost:${toString config.services.prometheus.port}" ]; }
+ ];
+ }
+ { job_name = "node";
+ static_configs = [
+ { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
+ ];
+ }
+ ];
+ };
+ };
+}
\ No newline at end of file
From 3bc12ecfa3b01b96da97aa12f2e36e415d0a5641 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Tue, 19 Dec 2023 14:25:22 +0800
Subject: [PATCH 048/136] calcite: add keyd service to map keyboard
---
 machines/calcite/configuration.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index d6b36dd..43251e2 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -71,6 +71,21 @@
 layout = "us";
 xkbVariant = "";
 };
+ # Keyboard mapping on internal keyboard
+ services.keyd = {
+ enable = true;
+ keyboards = {
+ "internal" = {
+ ids = [ "0b05:1866" ];
+ settings = {
+ main = {
+ capslock = "overload(control, esc)";
+ leftcontrol = "capslock";
+ };
+ };
+ };
+ };
+ };
 # Enable CUPS to print documents.
 services.printing.enable = true;
From fcdc65d8cea8928b0168f364e887023b29b52240 Mon Sep 17 00:00:00 2001
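Review bot: Both listeners are left on the NixOS module defaults for `listenAddress`, which bind `0.0.0.0`, while the only scrape targets are `localhost:9091` and `localhost:9100`; setting `listenAddress = "127.0.0.1";` under `services.prometheus` and again under `exporters.node` keeps the metrics (the `systemd` collector exposes unit names) off the network even if a later change opens the firewall. `custom.prometheus.exporters.enable` is declared but never read in this file: the node exporter is switched on unconditionally under `cfg.enable`, so the option is dead until something consumes it, e.g. `enable = cfg.exporters.enable;` on the `node` block. PATCH 050 rewrites this module outside this view, so that may already be addressed there.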
From: xinyangli Date: Tue, 19 Dec 2023 21:32:40 +0800 Subject: [PATCH 049/136] dolomite: sing-box outbound to cf warp+ --- .sops.yaml | 20 +++-- flake.lock | 46 ++++++++++- flake.nix | 89 +++++++++----------- machines/dolomite/default.nix | 112 +++++++++++++++++++------- machines/dolomite/secrets/sgp-00.yaml | 31 +++++++ machines/dolomite/secrets/tok-00.yaml | 31 +++++++ machines/secrets.yaml | 10 +-- machines/sing-box.nix | 81 +++---------------- machines/sops.nix | 10 +-- 9 files changed, 261 insertions(+), 169 deletions(-) create mode 100644 machines/dolomite/secrets/sgp-00.yaml create mode 100644 machines/dolomite/secrets/tok-00.yaml diff --git a/.sops.yaml b/.sops.yaml index b712e57..baadf5e 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,8 +2,8 @@ keys: - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - - &host-dolomite00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - - &host-dolomite01 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + - &host-sgp-00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta creation_rules: - path_regex: machines/calcite/secrets.yaml 
@@ -21,18 +21,28 @@ creation_rules: - age: - *xin - *host-massicot - + - path_regex: machines/dolomite/secrets/sgp-00.yaml + key_groups: + - age: + - *xin + - *host-sgp-00 + - path_regex: machines/dolomite/secrets/tok-00.yaml + key_groups: + - age: + - *xin + - *host-tok-00 - path_regex: machines/secrets.yaml key_groups: - age: - *xin - *host-calcite - *host-raspite - - *host-dolomite00 - - *host-dolomite01 + - *host-sgp-00 + - *host-tok-00 - path_regex: home/xin/secrets.yaml key_groups: - age: - *xin - *host-raspite - *host-calcite + diff --git a/flake.lock b/flake.lock index 714b2a5..c8658bc 100644 --- a/flake.lock +++ b/flake.lock @@ -1,6 +1,49 @@ { "nodes": { + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "stable": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699171528, + "narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "665603956a1c3040d756987bc7a810ffe86a3b15", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1673956053, @@ -76,7 +119,7 @@ }, "nix-vscode-extensions": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils": [ "flake-utils" ], @@ -202,6 +245,7 @@ }, "root": { "inputs": { + "colmena": "colmena", "flake-utils": "flake-utils", "home-manager": "home-manager", "nix-index-database": "nix-index-database", 
diff --git a/flake.nix b/flake.nix index 8584b8d..f7e2e10 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,13 @@ url = "github:numtide/flake-utils"; }; + colmena = { + url = "github:zhaofengli/colmena"; + inputs.stable.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; + nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; @@ -73,7 +80,7 @@ nixosModules.default = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; - colmena = { + colmenaHive = colmena.lib.makeHive { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; 
@@ -95,60 +102,53 @@ ]; }; - dolomite00 = { name, nodes, pkgs, ... }: with inputs; { + sgp-00 = { name, nodes, pkgs, ... }: with inputs; { imports = [ - { nixpkgs.system = "x86_64-linux"; custom.domain = "video.namely.icu"; } - machines/dolomite + machines/dolomite ]; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "sgp-00"; + system.stateVersion = "23.11"; deployment = { targetHost = "video.namely.icu"; buildOnTarget = false; + tags = [ "proxy" ]; }; }; - dolomite01 = { name, nodes, pkgs, ... }: with inputs; { + tok-00 = { name, nodes, pkgs, ... }: with inputs; { imports = [ - { nixpkgs.system = "x86_64-linux"; custom.domain = "video01.namely.icu"; } - machines/dolomite + machines/dolomite ]; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "tok-00"; + system.stateVersion = "23.11"; deployment = { targetHost = "video01.namely.icu"; buildOnTarget = false; + tags = [ "proxy" ]; }; }; }; - nixosConfigurations.calcite = mkNixos { - system = "x86_64-linux"; - modules = [ - nixos-hardware.nixosModules.asus-zephyrus-ga401 - machines/calcite/configuration.nix - (mkHome "xin" "calcite") - ]; - }; - - nixosConfigurations.massicot = mkNixos { - system = "aarch64-linux"; - modules = [ - machines/massicot - ]; - }; - - nixosConfigurations.dolomite = mkNixos { - system = "x86_64-linux"; - modules = [ - machines/dolomite - ]; - }; - - nixosConfigurations.raspite = mkNixos { - system = "aarch64-linux"; - modules = [ - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - (mkHome "xin" "raspite") - ]; - }; + nixosConfigurations = { + calcite = mkNixos { + system = "x86_64-linux"; + modules = [ + nixos-hardware.nixosModules.asus-zephyrus-ga401 + machines/calcite/configuration.nix + (mkHome "xin" "calcite") + ]; + }; + raspite = mkNixos { + system = "aarch64-linux"; + modules = [ + nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix + (mkHome "xin" "raspite") + ]; + }; + } // self.colmenaHive.nodes; 
images.raspite = (mkNixos { system = "aarch64-linux"; @@ -163,16 +163,5 @@ } ]; }).config.system.build.sdImage; - } // - (with flake-utils.lib; (eachSystem defaultSystems (system: - let pkgs = import nixpkgs { inherit system; }; in - { - packages = { - homeConfigurations."xin" = import ./home/xin/gold { inherit home-manager pkgs; }; - }; - devShells.default = pkgs.mkShell { - buildInputs = with pkgs; [ git colmena nix-output-monitor ssh-to-age ]; - }; - } - ))); + }; } diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index f50fb6f..5dd6073 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,33 +1,24 @@ -{ config, pkgs, lib, modulesPath, ... }: -let - cfg = config.custom; - sg_password = { - _secret = config.sops.secrets.singbox_sg_password.path; - }; - sg_uuid = { - _secret = config.sops.secrets.singbox_sg_uuid.path; - }; - singTls = { - enabled = true; - server_name = cfg.domain; - key_path = config.security.acme.certs.${cfg.domain}.directory + "/key.pem"; - certificate_path = config.security.acme.certs.${cfg.domain}.directory + "/cert.pem"; - }; -in +{ inputs, config, pkgs, lib, modulesPath, ... }: { - options = { - custom.domain = lib.mkOption { - type = lib.types.str; - default = ""; - }; - }; - imports = [ - "${modulesPath}/virtualisation/amazon-image.nix" ../sops.nix + "${modulesPath}/virtualisation/amazon-image.nix" ]; + config = { + sops = { + secrets = { + wg_private_key = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + wg_ipv6_local_addr = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + }; + }; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; boot.kernel.sysctl = { "net.core.default_qdisc" = "fq"; @@ -38,7 +29,7 @@ in security.acme = { acceptTerms = true; - certs.${cfg.domain} = { + certs.${config.deployment.targetHost} = { email = "me@namely.icu"; listenHTTP = ":80"; }; 
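Review bot: `certs.${config.deployment.targetHost}` (and `server_name`/`key_path` in the next hunk) derive the ACME domain and the TLS server name from colmena's deployment address, so the certificate name silently changes if the deploy target is ever pointed at an IP or a jump host, exactly as was done for massicot in PATCH 046, and the module can no longer be evaluated outside the hive at all. A dedicated option for the public hostname, as `custom.domain` provided, with `deployment.targetHost` defaulting from it, keeps "where to deploy" and "what name to serve" separate. The per-host `sopsFile = ./secrets + "/${config.networking.hostName}.yaml"` is a good least-privilege split for the WireGuard key. The enclosing `config` attribute set continues past the hunk.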
@@ -46,9 +37,31 @@ in networking.firewall.allowedTCPPorts = [ 80 8080 ]; networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); - services.sing-box = { + services.sing-box = let + singTls = { + enabled = true; + server_name = config.deployment.targetHost; + key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; + certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; + }; + password = { + _secret = config.sops.secrets.singbox_password.path; + }; + uuid = { + _secret = config.sops.secrets.singbox_uuid.path; + }; + in + { enable = true; settings = { + dns = { + servers = [ + { + address = "1.1.1.1"; + detour = "wg-out"; + } + ]; + }; inbounds = [ { tag = "sg0"; @@ -57,7 +70,7 @@ in listen_port = 8080; users = [ { name = "proxy"; - password = sg_password; + password = password; } ]; tls = singTls; @@ -70,12 +83,53 @@ in congestion_control = "bbr"; users = [ { name = "proxy"; - uuid = sg_uuid; - password = sg_password; + uuid = uuid; + password = password; } ]; tls = singTls; }); + outbounds = [ + { + type = "wireguard"; + tag = "wg-out"; + private_key = { + _secret = config.sops.secrets.wg_private_key.path; + }; + local_address = [ + "172.16.0.2/32" + { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } + ]; + peers = [ + { public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; + allowed_ips = [ "0.0.0.0/0" "::/0" ]; + server = "162.159.192.1"; + server_port = 500; + } + ]; + } + { + type = "direct"; + tag = "direct"; + } + { + type = "dns"; + tag = "dns-out"; + } + ]; + route = { + rules = [ + { + outbound = "dns-out"; + protocol = "dns"; + } + { + geoip = "cn"; + geosite = "cn"; + outbound = "direct"; + } + ]; + }; }; }; }; diff --git a/machines/dolomite/secrets/sgp-00.yaml b/machines/dolomite/secrets/sgp-00.yaml new file mode 100644 index 0000000..aef9c5d --- /dev/null +++ b/machines/dolomite/secrets/sgp-00.yaml 
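Review bot: The `route` block sets no `final`, so everything not matched by the two rules falls through to sing-box's implicit default, the first entry of `outbounds`, which is `wg-out` only by list order; adding `final = "wg-out";` next to `rules` makes the policy explicit so a later reorder cannot silently send traffic out `direct`. The single rule `{ geoip = "cn"; geosite = "cn"; outbound = "direct"; }` carries both a domain condition and an IP condition, which sing-box's default-rule logic ANDs together as far as I recall; if the intent is "Chinese IPs or Chinese domains", it needs to be two rules. The lone `dns.servers` entry also detours via `wg-out` with no fallback, so a tunnel outage takes resolution down with it; acceptable if intended, but worth a comment such as `# all DNS goes through the WARP tunnel on purpose; no plaintext fallback`. The `services.sing-box` let-block continues outside this hunk.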
@@ -0,0 +1,31 @@ +wg_private_key: ENC[AES256_GCM,data:UjxZ3iC5hxVcVJdEUJ3+myaQ/6MvghDw6eKa2flSuxMwFS31WB7r3evjlI0=,iv:BjgXCps6gx1ISghEO42x5aKb+c/n0P1V8FMVlPxAyLY=,tag:IkxCkpyVre+sFoBlRSFpMA==,type:str] +wg_ipv6_local_addr: ENC[AES256_GCM,data:ejDYuZjZCKcsvyUUKdXtxgBqWloIwYHmpc/YwCYq7O2thsxvOou6iSHf,iv:HDrMlec4svxHpZXMyRDzpdSKeJbTmkZPd98SHv2ZLhQ=,tag:LjpapuaJ6sl4USZC8xEU5w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUkpVa0dCSE1rTjZpaWR1 + cjJjc25iOEV4TnhQUWE4SjI4QWVZYXdVcHdBCkIrNlVrV2xJRURVSG9sUHozeE5s + NitsV1MvcENZTHhmU01CSTRVNENXUFEKLS0tIGgxakQ2cGIzdzg5QzRoT3ZSaXUx + TkN5MkNTNitWMzVKZWdhNGRIZ3VNNDgKQ6lwM6EowuGOrskUpwD8VGirravE+e3/ + Hkv5jLvvfVjmg0kvKlNRotTHrRUGV04JsbW7T9FfbKyYpmEb6oCrsg== + -----END AGE ENCRYPTED FILE----- + - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSUlkQzhYSGwyNnYvNHpQ + UktKOUZiYk56S0piVy9ZMFdYVFdsN1FEVkhVCnZETEM5MW84TlNpbm1hSXJtR2Yy + OEdrSi9lcmJOR2F1cUZqc0NyQjl4RDgKLS0tIHVLcnRicmVNd2MwVjB4cGFXTlBu + VkJCcXdqTkUzejNzSjIvV2YrVUc5Sm8KutTATsWJ5+yB/CFoGwTNshyI5LzwH4x5 + i5EIIkVPdxSIHrXUp0j6+RPWMJvEOFIE3dVwxz+MxqqHqtmEny1WKA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-19T12:31:51Z" + mac: ENC[AES256_GCM,data:AY0/qJ1ZXv4mQlHnG3uY2zQ0FhIYjHBWKyXXpv2/Q6yZkuSu6nIQk039nd+nk7lczXy2cylTHyjYv5vDF6BJARhu4jeYov6yMqYR8ye8rXjZKcOfrN5yv7LV6jyuzBRBkCWTQsaoR8ycKHlrMe+vkAGu50epdAQjAG+Qv6RkBiM=,iv:dMi2CququdEIg+g8NMUb8ioKwEkUqTP+nrivtsUYUUY=,tag:drHI6oJUUwN3JadCHbWWkg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/dolomite/secrets/tok-00.yaml b/machines/dolomite/secrets/tok-00.yaml new file mode 100644 index 0000000..5872491 --- /dev/null 
+++ b/machines/dolomite/secrets/tok-00.yaml @@ -0,0 +1,31 @@ +wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str] +wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYTc2a2J3ZXRXTlRxQTAx + UjZVTTVPa0FjbS9jekI5eXhLOTdUQTlBS2pJCnVPL2Q1d05QR2NpTDVZeDFpSCs3 + Yjh3aXkvdTBIOThVMGMzcUZmUWhtTjgKLS0tIFZvcy9zRVBRcDN0ekp0MEV5cEph + ZURTL3hnSHgwQTlSNklCK25icEM0SGsKq2jM6jXLfK38BgV0calwKLuHIcGw0zed + lT19Mt9jFsqmIkpJh1U9Ddpz63WND+7ruMdTZt6RWStIxww4m7pevg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSXBqdXcxUDNkS29Gd3ZY + dTA3bmNUVThtTFJtdnFpSjZQT01TTXhpYUc4CkFhcm14eUw1YXIyWEViMSsyc3pr + VUJqWWdHMCtoRGQ1T3dMQlg3ZTZ5dGMKLS0tIGQvbGpFZTdrVUFURE9tdENCZGwr + aDBKbitCTmhxNXVNRGh6TVBvbkNhTUEKIuj7B4RdueX7BfExgzVoo6YJf59GsUHa + j5kIJ5UeTqWEBGBaXcPjhHMEQjYqwSBsVz2XJmsxLhi8WxejLio8FA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-19T12:30:24Z" + mac: ENC[AES256_GCM,data:f+7+O2ZVSZJhr0fJlfO/AtZC2N/7gsNu1f4cnUoXYFb1wobyU6tLkbwGqeyIulokgIDAU5lJ62TJXAjybe+kE+PGtpr61KS7dyiO0LjzcT/X898oBYvJ9jtkuxDzKM4ve570U7ZmS7Jbxt2NJEkcBvSUJRdJHH5l0sDrvmW8cwY=,iv:mno6jVUDUWxsO353hbCqGub+NYfk0XFsWzmWCBUt6Gg=,tag:KOw7HTy+pETha5pzx5Pf8Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 6f33bd8..fba11c5 100644 --- a/machines/secrets.yaml 
+++ b/machines/secrets.yaml 
@@ -2,12 +2,10 @@ clash_subscription_link: ENC[AES256_GCM,data:Vwy0c8gOeR1XG/QNp8TGuBe/5kezD7SSStN autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str] autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str] github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] -singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str] -singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str] singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str] singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:+Nwsx65/gdrDhL1ZurR5Ng==,type:str] -singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str] -singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str] +singbox_password: ENC[AES256_GCM,data:0tBIzwtNSQqbGlD+CDnQfJigbFVBChEL,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:5BtYAv1NO70IL4m/uG8QKA==,type:str] +singbox_uuid: 
ENC[AES256_GCM,data:ufN+vDl/rDASoQL23tHwlr3ybMyrlC/Kd7bT0c5+SP+bc6Zj,iv:+uwt/N9LpFaJK6MjoczyrZ039MDZn4kRmtEoq4OvdFU=,tag:6Yma9+yrISwQoSRDgUbuwA==,type:str] sops: kms: [] gcp_kms: [] @@ -59,8 +57,8 @@ sops: Y2MyZUhOaEVVZU9Hc0xHbWtMdG1Ca2cKHU7pgODnNVDiMFF6be07a320a9HWKIdO OKFA9R6WX1TFhKBKNDqK/mokJBTxu4nR16ewHSWOU13O/M8aKCQhug== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-02T15:24:19Z" - mac: ENC[AES256_GCM,data:dgWoBRMuDxVT/j/ybQX7suehwsjy86rJ0pJ1UeDQcTywIeK8WgIvNuq+T1x9UFgPWn7xt+vMQV665hugTl8T4Wb7Eot2FqM3KPq8EONVaGLAxtQv75MQmcJD+5kfSSsDC+HVujmWl5uFy5jzFJgrHEsm2v9lCxRO/2kvjbQbZAM=,iv:YBz+OewY51YNhjPF4QSq27vT6zEwFCkPW5MctOQ7AvQ=,tag:Tfbo7o4QgMUP6UPTJ36dTg==,type:str] + lastmodified: "2023-12-19T12:56:28Z" + mac: ENC[AES256_GCM,data:v7Rn7dPOzfcgab2MhiU7h0CXjkAbkpBX7l7iLdnw3RUIjxulTXVuPpgenojF5yVqFCPgm2LKBKniD+cvtMvVhb00a1tnDNM/tfjH9GjBYNZH9xtPWJED7GLASd6nIF5BZhANKhH8yphAi5VJ/4cyEdMFbWu+2gO8GyQxJQYhgY8=,iv:bbbZ8vF+Vbwq/6PXN/7qvRO62M/eDZ591v4gXc1fs+g=,tag:dyt9LVU32hnbVT12C/Afqw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/sing-box.nix b/machines/sing-box.nix index e83fa05..060d028 100644 --- a/machines/sing-box.nix +++ b/machines/sing-box.nix @@ -1,13 +1,10 @@ { config, lib, pkgs, ... }: let - server = { - _secret = config.sops.secrets.singbox_domain.path; - }; password = { _secret = config.sops.secrets.singbox_password.path; }; uuid = { - _secret = config.sops.secrets.singbox_password.path; + _secret = config.sops.secrets.singbox_uuid.path; }; sg_server = { _secret = config.sops.secrets.singbox_sg_server.path; @@ -15,13 +12,6 @@ let jp_server = { _secret = config.sops.secrets.singbox_jp_server.path; }; - # TODO: diffrent password - sg_password = { - _secret = config.sops.secrets.singbox_sg_password.path; - }; - sg_uuid = { - _secret = config.sops.secrets.singbox_sg_uuid.path; - }; in { services.sing-box = { 
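Review bot: Folding `sg_password`/`sg_uuid` into the single `singbox_password`/`singbox_uuid` makes one credential pair valid on both proxy servers, and that pair lives in `machines/secrets.yaml`, which the .sops.yaml hunk encrypts to calcite, raspite, sgp-00 and tok-00 alike, so compromise of any one of those hosts yields access to every server; that is what the removed `# TODO: diffrent password` was tracking. Per-server values (for example `singbox_sg_password`/`singbox_jp_password`, with the server-side copy kept in the per-host `machines/dolomite/secrets/<host>.yaml` files this commit introduces) would contain that blast radius. The `uuid` correction itself, which previously pointed at the password secret, is right. The `let` block continues outside the hunk.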
@@ -47,14 +37,12 @@ in server = "_dns_doh_mainland"; } { - domain_suffix = server; - server = "_dns_doh_mainland"; - } - { + disable_cache = false; domain_suffix = sg_server; server = "_dns_doh_mainland"; } { + disable_cache = false; domain_suffix = jp_server; server = "_dns_doh_mainland"; } @@ -77,7 +65,7 @@ in tag = "_dns_udp_mainland"; } { - address = "https://doh.pub/dns-query"; + address = "tls://1.12.12.12:853/"; address_resolver = "_dns_udp_mainland"; detour = "direct"; tag = "_dns_doh_mainland"; @@ -88,6 +76,7 @@ in } ]; final = "_dns_global"; + strategy = "prefer_ipv4"; disable_cache = true; }; inbounds = [ 
@@ -131,76 +120,28 @@ in ]; }; outbounds = [ - { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://www.gstatic.com/generate_204"; } - { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } - { tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } - - { default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } - { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; } + { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://cp.cloudflare.com/"; } + { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } + { tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } + { default = "auto"; outbounds = [ "selfhost" "direct" 
"block"]; tag = "_proxy_select"; type = "selector"; } { tag = "direct"; type = "direct"; } { tag = "block"; type = "block"; } { tag = "dns-out"; type = "dns"; } - { inherit server password; method = "aes-128-gcm"; server_port = 12001; tag = "香港SS-01"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12002; tag = "香港SS-02"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12003; tag = "香港SS-03"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12004; tag = "香港SS-04"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12011; tag = "日本SS-01"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12012; tag = "日本SS-02"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12013; tag = "日本SS-03"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12021; tag = "美国SS-01"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12022; tag = "美国SS-02"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12023; tag = "美国SS-03"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12031; tag = "台湾SS-01"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12032; tag = "台湾SS-02"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12033; tag = "台湾SS-03"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; 
server_port = 12034; tag = "台湾SS-04"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server uuid; security = "auto"; server_port = 1201; tag = "香港中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1202; tag = "香港中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1203; tag = "香港中继3"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1204; tag = "香港中继4"; transport = { path = "/"; type = "ws"; }; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1205; tag = "香港中继5"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1206; tag = "香港中继6"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1207; tag = "香港中继7"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1208; tag = "香港中继8"; transport = { path = "/"; type = "ws"; }; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1211; tag = "日本中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1212; tag = "日本中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1213; tag = "日本中继3"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1214; tag = "日本中继4"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1231; tag = "美国中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1232; tag = "美国中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1233; tag = "美国中继3"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1234; tag = "美国中继4"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1235; tag = "美国中继5"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1236; tag = "美国中继6"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1237; tag = "美国中继7"; type = 
"vmess"; } - { inherit server uuid; security = "auto"; server_port = 1238; tag = "美国中继8"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1241; tag = "新加坡中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1242; tag = "新加坡中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1261; tag = "台湾中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1262; tag = "台湾中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1263; tag = "台湾中继3"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1264; tag = "台湾中继4"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1265; tag = "台湾中继5"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1266; tag = "台湾中继6"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1251; tag = "韩国中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1252; tag = "韩国中继2"; type = "vmess"; } ] ++ lib.forEach (lib.range 6311 6314) (port: { + inherit uuid password; tag = "sg" + toString (port - 6310); type = "tuic"; congestion_control = "bbr"; server = sg_server; server_port = port; - uuid = sg_uuid; - password = sg_password; tls = { enabled = true; server_name = sg_server; }; }) ++ lib.forEach (lib.range 6311 6314) (port: { + inherit uuid password; tag = "jp" + toString (port - 6310); type = "tuic"; congestion_control = "bbr"; server = jp_server; server_port = port; - uuid = sg_uuid; - password = sg_password; tls = { enabled = true; server_name = jp_server; }; }); }; diff --git a/machines/sops.nix b/machines/sops.nix index 13a57d3..1a8aa50 100644 --- a/machines/sops.nix +++ b/machines/sops.nix 
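Review bot: The `_proxy_select` selector keeps `default = "auto"` while this hunk deletes the `auto` urltest outbound and drops it from the selector's `outbounds`, so the default now names a tag that no longer exists anywhere; sing-box checks that a selector's default resolves to a known outbound at startup, so the service would refuse to start. Point it at the outbound that is still there: `{ default = "selfhost"; outbounds = [ "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }`. The trojan and tuic outbounds now all share the one `password`/`uuid` pair, which is the credential-sharing point raised on the earlier hunk of this file.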
@@ -12,22 +12,16 @@ clash_subscription_link = { owner = "root"; }; - singbox_password = { - owner = "root"; - }; - singbox_domain = { - owner = "root"; - }; singbox_sg_server = { owner = "root"; }; singbox_jp_server = { owner = "root"; }; - singbox_sg_password = { + singbox_password = { owner = "root"; }; - singbox_sg_uuid = { + singbox_uuid = { owner = "root"; }; }; From b9eebc2a7ef94e3752fabd9660e4e7be97aa44da Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 20 Dec 2023 11:13:20 +0800 Subject: [PATCH 050/136] all: add prometheus --- .sops.yaml | 1 + flake.nix | 2 ++ machines/dolomite/default.nix | 9 +++++ machines/massicot/default.nix | 4 +++ machines/massicot/services.nix | 9 +++++ machines/secrets.yaml | 64 ++++++++++++++++++++-------------- machines/sops.nix | 3 ++ modules/nixos/prometheus.nix | 55 ++++++++++++++++++++++++++--- 8 files changed, 116 insertions(+), 31 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index baadf5e..dac73f2 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -39,6 +39,7 @@ creation_rules: - *host-raspite - *host-sgp-00 - *host-tok-00 + - *host-massicot - path_regex: home/xin/secrets.yaml key_groups: - age: diff --git a/flake.nix b/flake.nix index f7e2e10..d89b9ae 100644 --- a/flake.nix +++ b/flake.nix @@ -104,6 +104,7 @@ sgp-00 = { name, nodes, pkgs, ... }: with inputs; { imports = [ + self.nixosModules.default machines/dolomite ]; nixpkgs.system = "x86_64-linux"; @@ -118,6 +119,7 @@ tok-00 = { name, nodes, pkgs, ... }: with inputs; { imports = [ + self.nixosModules.default machines/dolomite ]; nixpkgs.system = "x86_64-linux"; diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 5dd6073..f03d8b4 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix 
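Review bot: Adding `*host-massicot` to the `machines/secrets.yaml` creation rule lets massicot decrypt every key in that file, not only the new `grafana_cloud_api` it needs; the hunks on that file show `singbox_password`, `singbox_uuid`, `clash_subscription_link`, `autofs-nas`/`autofs-nas-secret` and `github_public_token` sitting next to it. The Grafana token would be better kept in massicot's own secrets file (a creation rule whose key group is just `*xin` and `*host-massicot` is visible at the top of the earlier .sops.yaml hunk) and, for the dolomite hosts, in the per-host `machines/dolomite/secrets/<host>.yaml` files; the same applies to this commit's `machines/secrets.yaml` hunk that adds the key. The `machines/sops.nix` and `modules/nixos/prometheus.nix` sections listed in the diffstat are outside this view.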
@@ -37,6 +37,15 @@ networking.firewall.allowedTCPPorts = [ 80 8080 ]; networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); + custom.prometheus = { + enable = true; + exporters.enable = true; + grafana = { + enable = true; + password_file = config.sops.secrets.grafana_cloud_api.path; + }; + }; + services.sing-box = let singTls = { enabled = true; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index ab6a5f3..7ffd7b6 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -18,6 +18,10 @@ gts_env = { owner = "gotosocial"; }; + grafana_cloud_api = { + owner = "prometheus"; + sopsFile = ../secrets.yaml; + }; }; }; diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 410d546..e0b00bd 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -11,6 +11,15 @@ in domain = "vaultwarden.xinyang.life"; }; + custom.prometheus = { + enable = true; + exporters.enable = true; + grafana = { + enable = true; + password_file = config.sops.secrets.grafana_cloud_api.path; + }; + }; + fileSystems = builtins.listToAttrs (map (share: { name = "/mnt/storage/${share}"; value = { diff --git a/machines/secrets.yaml b/machines/secrets.yaml index fba11c5..46b1575 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
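Review bot: `password_file = config.sops.secrets.grafana_cloud_api.path` on dolomite requires `grafana_cloud_api` to be declared in dolomite's `sops.secrets`; the per-host block added in PATCH 049 declares only `wg_private_key` and `wg_ipv6_local_addr`, so this hinges on the `machines/sops.nix` change in this commit's diffstat, which is outside this view, and an undeclared secret fails at evaluation rather than at runtime. The same nine-line `custom.prometheus` block is pasted verbatim into dolomite and massicot; giving `grafana.password_file` a module default, or declaring the secret inside the prometheus module, would remove the duplication. `owner = "prometheus"` on the massicot declaration matches a file read by the Prometheus unit, but only if the remote write runs inside that unit rather than a separate agent; the module hunk that consumes it is not in this view.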
@@ -6,6 +6,7 @@ singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReu singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:+Nwsx65/gdrDhL1ZurR5Ng==,type:str] singbox_password: ENC[AES256_GCM,data:0tBIzwtNSQqbGlD+CDnQfJigbFVBChEL,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:5BtYAv1NO70IL4m/uG8QKA==,type:str] singbox_uuid: ENC[AES256_GCM,data:ufN+vDl/rDASoQL23tHwlr3ybMyrlC/Kd7bT0c5+SP+bc6Zj,iv:+uwt/N9LpFaJK6MjoczyrZ039MDZn4kRmtEoq4OvdFU=,tag:6Yma9+yrISwQoSRDgUbuwA==,type:str] +grafana_cloud_api: ENC[AES256_GCM,data:Pz+tE09dcJa+ZEWS3vtpOtitGCA9Cg/+gOd/0FsF8ooxzPyN9/UMuTcP02aIPW5v7yZCkGJOAXufIyechNf0crgAV/KmwGGwixH7I+1f3sDtGiFZEMnQgrysyfJo0KIrIZ8XP0SyXDs3vKjDU8cUI4+IyucHacWQ1kWdEtINjcPNHRPS2yaMUIvsRn0z8Cs2byMD3ghUHHHOz40CuO6r4A==,iv:cHvbeCmLFmJPNKsl1BBYx9WJP7ZJWi+8c9yHZWc6FTs=,tag:yWXtPokYE4frCmzzzyEqEg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -15,50 +16,59 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweTlPTGVRbUlndTdES0s2 - SVM2N2FUMnozQk11cDk0cTFEb1l6YldkVHc4CmhnNzJyY1VKRWhpc0tTbFNKeDBD - a0hzMi93Ly9zY2Fjd1RCdjV6WnVmOU0KLS0tIFh6NVFteWxxNithMGM0dnJiNE9X - dGovQ2ZMZWx1djVkb0Y4ZVNLRDJPRncKz0N/zP3mN97BpLaDgE9hx/zooGyHAnvC - D8iH/1PZ21uMYeUQq83B8mDKbv+qAltA/vD+ZNnb4ULjYLmVn5p/hQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MUxIZHJTYk9YS0lPOGZK + VUJhQ1liNEtXZ3ZYaCtqQWVBTGVJclVVRER3CmJUcS9yY2x1TFFYMkpZOWxZeW5w + WFk0WTNoWmphdG12dTdHaW9tYVRjS1UKLS0tIHd4enVwalRDaHQwK0U1RFNHOEVI + N0UrRjRxTWJRanI4VnRjWlhzQS8zSGsKSJJnFuEp7yO8bIh2LpSvgjsYAK05u2TE + a+UBiu6xQQaUnL02CAau4xHqBn9GZxeqlVAjVSJITArLR/uQkkUM6g== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUkxVTUtYZ0RWUFVxY0Rl - UFFadVlzUFJVMGpzRVd5bHVDQmQycVlNSkcwCkMvcUJMRFVWTzNHZ3pxemRLelJP - K3pQMFdURmpRUVRuL1lzT09FVVdBd3MKLS0tIE9LY0NHSW1UWUJpbWdNQW1CVUlD - b1FmZnVjOFFCMDVXdFBtZzZWdkt6RVUKvLoHmEhkyeKHlstRoT3duTIQTojxzcFI - NapIBB3/6Qqho+kYc8/hLWb61EsSX9yqO9C6f6FpFrwi0696OvP3mA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT3ZES3BHWWpDekt0VEYz + emUvUTQ3WUFWd0w2VlVSWHMrd3ZvZjYvYlJZCkcyRjBZWEdGTXJZVENyZ1U2YTV2 + eU1MS3NCQzZ3Y3ZhOG4rRVByU1ZlRU0KLS0tIFdGVTliOFpSTWl0YlV6OTVUbk9O + SjBoUnNOVTB1QWFDYnVwWkhaN3d0VGMKjNiW597mLAogPyDBUhEDYd/VyePXesL7 + kzyV/e8t/5zHs3/I17ZUd8bxdCjbrrXI1g4Swx31yCgZOk8uKAuLRQ== -----END AGE ENCRYPTED FILE----- - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFNoMmNXV2F1U2E2bUhv - K3lGTCs2KzZYbXVlWEdVelNDTS80SW85c0J3CkszNGkrbFVKWks4dmwyYlpQMkpW - Zm02cG41ZlpwcEdCbzFkSHpjWHpCdG8KLS0tIHlrNXp6TTI5ZnhGTUNMWTZ0ekVS - 
VExPWk1zeVExYXdaL2o1WVB5NlhsNFkK3vsnc4qE08W13ttzt+YCHbQh2c/mOxFZ - DneXTgOjkyBaY5JDFKlzlIN3m8QRBG5vPOuSKXaoFmY8E68RzNey3w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaTlNTjVXTHFzNS9GUk1S + bVMxeWdwSUlmN3B6QlovejI3SlNuc2dJMjFVClF2VFRVNjFrQldRcHNLeWhpWFE1 + UDRvY3RTZHZCa2RDZ1RmVWRHb2ttUVUKLS0tIEI0QS9SL3lTeXVITVgvcHVCNmdW + cVl6T3NWWEVkWExuTldqQU5CUzFTM1UKFYD1jdEQfFRNBkRyL+1gZzCdpJHN7QqU + 4CVOsIeVl6ufWG4D2FfP4Zow5uhnvDXmWqBCmpJ/iVKnu3klihlndA== -----END AGE ENCRYPTED FILE----- - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdHA5WHA2V2RNTTZXNVVT - Wks2a2tqT045ZkJFYTN2RHhmdkZxMjlPRDNFCm1HaHhLNkp6NWZxNUYvOTRybE1Z - Y1l5eDFkcXRWSko3ODhqV2htb3pzcDQKLS0tIGI3YlI4dCtMbGl1aHFZdDBic0Jv - LzV3NWhFQTlaZ1Y3R0paaEZPZDNpZzgK3/ZE3+F+mq574MfiF7PRlKmAU6mUTiGF - Ffqh0kQumHH7nBuunD0L7Zp2j15hMjUs/oxX558jY9BNl+rN2VWO0Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRGZ5WVFJQzFSWlR6dDMv + bXJsNlZLeVVpK1RuaVpySkcreHE1SkNMSjA4CkxGMzVvZHZ4ZTdRdzh6K3V6OVQ0 + RkI3bWg5ZUw5RFlQN05zdC9HVkdjYlUKLS0tIGdibTdwbnRhMmZEZ2VPelF6a3Aw + U1dGQmxOTklFTmFaMTc1MGQvRVB1TzgKkhxjImoj1lxpvBMjKJJOiM2eC2bQ73Ay + Rket8CjZnfRhYDD9YoOWBNswONQoVY8/dSXgLDObtfFxbnjZ1pj63A== -----END AGE ENCRYPTED FILE----- - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueFhiQzdMaU1zR2VtOEtO - WFVtdVJLU3B3TzRSSENodUpuUm03TnBHQnhBCmRrdjJScEVsS0JTQmthZWIzVFlv - TVY3TUo0VllPWElua21mczZvT3YxYjAKLS0tIFpDcE0wSXdSRXFGY2tLd1orVE9L - Y2MyZUhOaEVVZU9Hc0xHbWtMdG1Ca2cKHU7pgODnNVDiMFF6be07a320a9HWKIdO - OKFA9R6WX1TFhKBKNDqK/mokJBTxu4nR16ewHSWOU13O/M8aKCQhug== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RWRsdXNTQkNJWXFTODY4 + WVNYb2xKZHJWWTUvZmlMS3VkYnhWQkVaZHpFCjJjY2JzeFQza3llNHZFYWVVK0Ri + K2ZJNUlZMWxFbGdhQ2pxRlh4VjVITFkKLS0tIGFHSDI5aW5aTUdFTEJOMnNjVXlm + 
SVlDVk9Xdnc0WVpFN2VmSlZIajJielkKz8xnfxIArN9PLjUorYPzakmLx7/bsoq0 + EfoiB6ZpuWMeNEmfHygTEUPTC7eWw42EIYk964vI6LySFQyO3Z8p5g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-19T12:56:28Z" - mac: ENC[AES256_GCM,data:v7Rn7dPOzfcgab2MhiU7h0CXjkAbkpBX7l7iLdnw3RUIjxulTXVuPpgenojF5yVqFCPgm2LKBKniD+cvtMvVhb00a1tnDNM/tfjH9GjBYNZH9xtPWJED7GLASd6nIF5BZhANKhH8yphAi5VJ/4cyEdMFbWu+2gO8GyQxJQYhgY8=,iv:bbbZ8vF+Vbwq/6PXN/7qvRO62M/eDZ591v4gXc1fs+g=,tag:dyt9LVU32hnbVT12C/Afqw==,type:str] + - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2WFIzVEZPUmFBclpweDZR + WXZFb0FjcWxDRTNpQmFRaU9BY0lPTzAxNWhvClk5UmxFQllGQ29VOGIxeS9xMmV2 + SUdEaFJ3bFZPSjVjQ1JnVS9jSWxXaWcKLS0tIGs0ZE0wMUZDeGNWNlhoN3JOMmlG + c1E1Sld1ejZhTStKTU5teEJKT2JwVXcKuEQnA6b1WJ+RNqmrZ8t3joiEZ57Oq9M1 + P4tMGerB12A1myTJlt5Ss2OCTBUV7ooVRNsyPjyvJy/YTyjqZ5xmxg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-20T01:34:00Z" + mac: ENC[AES256_GCM,data:6MLBRPA5g2r3yy/i7DSxjWaYhHH/4GiAqL/pRIvYyIrKQWYvfviWlTX9dqHVzzCXjueEXUM5dXFb2B+Sds68EGgBuBlZvBchtstHUOtMLE3pttC+xCzerQFyrPDrXbnpfdDYPHWxvhhhFpWu8G5RSfzSgkgp7+cx9iZHq/g1k/Q=,iv:8yFIOgHtBiCtbamufrXXHrjIq5DV3MIJbTJPtXlgpPg=,tag:CVOIojTN2KkXJsDVyiZjMQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/sops.nix b/machines/sops.nix index 1a8aa50..64cc721 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -24,6 +24,9 @@ singbox_uuid = { owner = "root"; }; + grafana_cloud_api = { + owner = "prometheus"; + }; }; }; } diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix index ac0a976..5234e76 100644 --- a/modules/nixos/prometheus.nix +++ b/modules/nixos/prometheus.nix @@ -1,4 +1,3 @@ - { config, pkgs, lib, ... }: with lib; 
@@ -17,13 +16,38 @@ in description = "Enable Prometheus exporter on every supported services"; }; }; + grafana = { + enable = mkEnableOption "Grafana Cloud"; + password_file = mkOption { + type = types.path; + }; + }; }; }; - config = { + config = mkMerge [{ + services.caddy.globalConfig = '' + servers { + metrics + } + ''; + services.restic.server.prometheus = cfg.enable; + services.gotosocial.settings = { + metrics-enable = true; + }; services.prometheus = mkIf cfg.enable { enable = true; port = 9091; + globalConfig.external_labels = { hostname = config.networking.hostName; }; + remoteWrite = mkIf cfg.grafana.enable [ + { name = "grafana"; + url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push"; + basic_auth = { + username = "1340065"; + password_file = cfg.grafana.password_file; + }; + } + ]; exporters = { node = { enable = true; @@ -44,5 +68,28 @@ in } ]; }; - }; -} \ No newline at end of file + } + { + services.prometheus.scrapeConfigs = [ + ( mkIf config.services.caddy.enable { + job_name = "caddy"; + static_configs = [ + { targets = [ "localhost:2019" ]; } + ]; + }) + ( mkIf config.services.restic.server.enable { + job_name = "restic"; + static_configs = [ + { targets = [ config.services.restic.server.listenAddress ]; } + ]; + }) + ( mkIf config.services.gotosocial.enable { + job_name = "gotosocial"; + static_configs = [ + { targets = [ "localhost:${toString config.services.gotosocial.settings.port}" ]; } + ]; + }) + ]; + } + ]; +} From b944954b3c8fccae070e948f483b89c13320a268 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 24 Dec 2023 13:55:56 +0800 Subject: [PATCH 051/136] calcite: remove win drive from fstab - Remove ntfs drive from fstab as it will cause systemd enter emergency mode if corrupted. - TODO: use autofs to mount the ntfs drive, or add extra options to ignore failed ntfs drive. --- machines/calcite/configuration.nix | 4 ---- machines/calcite/hardware-configuration.nix | 7 ------- 2 files changed, 11 deletions(-) 
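Review bot: `services.gotosocial.settings.metrics-enable = true;` in the first `mkMerge` element turns on GoToSocial's `/metrics` handler on its normal listener, and nothing in this hunk enables GoToSocial's metrics auth, so unless `metrics-auth-enabled` and credentials are set elsewhere that endpoint is readable by anyone who can reach the instance through its public vhost. Either gate it and add basic auth from a secret (`metrics-auth-enabled = true;` plus username/password), or block `/metrics` at the reverse proxy; the scrape job below targets localhost directly, so the proxy does not need to pass it through. The same element sets `services.restic.server.prometheus` and Caddy's `servers { metrics }` regardless of `cfg.enable`, while `services.prometheus` is `mkIf cfg.enable`; wrapping the first attrset in `mkIf cfg.enable` would keep the module inert when disabled. The remote-write `username = "1340065"` is a Grafana Cloud instance id rather than a secret, so it is fine in the repo; the token correctly goes through `password_file`.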
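Review bot: The restic job uses `config.services.restic.server.listenAddress` verbatim as the scrape target; the NixOS default for that option is `:8000`, which has no host part, so confirm Prometheus accepts it as an `__address__` or set `listenAddress = "127.0.0.1:8000"` explicitly on hosts that enable the server. rest-server also protects `/metrics` with the same htpasswd auth as the repository endpoints unless it is started with its no-auth flag for metrics, so a scrape without `basic_auth` will most likely get 401s; either add credentials from a secret or check the module's extra flags — how the server is configured is not visible from here. These scrape configs are unconditional on `cfg.enable`, which is harmless while `services.prometheus` is off but mirrors the inconsistency in the first element.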
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 43251e2..1871c6d 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -158,10 +158,6 @@ clang-tools rnix-lsp - # C/C++ - gcc - gdb - # Python # reference: https://nixos.wiki/wiki/Python ( diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 0bd2426..c59286d 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -23,13 +23,6 @@ fsType = "vfat"; }; - fileSystems."/media/data" = - { - device = "/dev/disk/by-label/WINDATA"; - fsType = "ntfs3"; - options = [ "rw" "uid=1000" ]; - }; - swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ]; From 8b735dd5da8ae18578741e38f2aa63a98a60e4e0 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 24 Dec 2023 13:58:53 +0800 Subject: [PATCH 052/136] massicot: host hedgedoc with oidc --- machines/massicot/default.nix | 3 ++ machines/massicot/secrets.yaml | 5 +- machines/massicot/services.nix | 23 ++++++++-- modules/nixos/default.nix | 3 +- modules/nixos/hedgedoc.nix | 83 ++++++++++++++++++++++++++++++++++ 5 files changed, 110 insertions(+), 7 deletions(-) create mode 100644 modules/nixos/hedgedoc.nix diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 7ffd7b6..98328f3 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -18,6 +18,9 @@ gts_env = { owner = "gotosocial"; }; + hedgedoc_env = { + owner = "hedgedoc"; + }; grafana_cloud_api = { owner = "prometheus"; sopsFile = ../secrets.yaml; diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index d2b0faa..5e5d0fe 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml 
@@ -1,5 +1,6 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str] +hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] sops: kms: [] gcp_kms: [] @@ -24,8 +25,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-15T13:06:05Z" - mac: ENC[AES256_GCM,data:ArxA3+i+W2hU0mpzjPqzBA1pQdZySwJ+LVAez2PWFMsrgT4QATi+KmlWWfuPBkOq/DYafAES8lTemDeuzuQl7bWZq06g3s35C8Q3D/TDUKFF3ALEL5grSxKTVzg4Npjc2q2OIOXrIp/j83Gn1lBuyBFg0YdGkJ+b/BmDGkTbyUg=,iv:8MB/+WklLsFTnlvxLyvCK8VUMNeXtaPTGXlp9hRGzOM=,tag:VbbnQfPewNGdrPqmZJSYlA==,type:str] + lastmodified: "2023-12-22T08:05:27Z" + mac: ENC[AES256_GCM,data:CiXU49arW+3w4/Lkh4l+6VjopyP7XNCU4AmuwZmnmQ7Vv4RCt84fC6lM6o4HiCc5jB07QY+2WZ5LvWz9zgSt636UpnCMgbG1w2Lxae38fW02RHJv90rn+cyyddB5kSucr5/P5NKBOZut54Cf4zVW9BaqajpQMxe4hEOn+xXpXz8=,iv:beWRlUvb6OUOK+mUXdvpvmM8S7xK0QIkIA2Bk9QA35c=,tag:KrBXqsAdBAhtwygdEHnUqQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index e0b00bd..e5ecdcc 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
@@ -11,6 +11,21 @@ in domain = "vaultwarden.xinyang.life"; }; + custom.hedgedoc = { + enable = true; + caddy = true; + domain = "docs.xinyang.life"; + mediaPath = "/mnt/storage/hedgedoc"; + oidc = { + enable = true; + baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc"; + authorizationURL = "https://auth.xinyang.life/ui/oauth2"; + tokenURL = "https://auth.xinyang.life/oauth2/token"; + userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo"; + }; + environmentFile = config.sops.secrets.hedgedoc_env.path; + }; + custom.prometheus = { enable = true; exporters.enable = true; @@ -27,7 +42,7 @@ in fsType = "cifs"; options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"]; }; - }) [ "forgejo" "gotosocial" "conduit" ] ); + }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] ); system.activationScripts = { conduit-media-link.text = '' @@ -144,7 +159,7 @@ in flush_interval -1 } ''; - virtualHosts."git.xinyang.life:443".extraConfig = '' + virtualHosts."https://git.xinyang.life:443".extraConfig = '' reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} ''; @@ -155,8 +170,8 @@ in abort } ''; - virtualHosts."https://auth.xinyang.life:443".extraConfig = '' - reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} { + virtualHosts."https://auth.xinyang.life".extraConfig = '' + reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { header_up Host {upstream_hostport} header_down Access-Control-Allow-Origin "*" transport http { diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index e89ad69..f963802 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -4,5 +4,6 @@ ./restic.nix ./vaultwarden.nix ./prometheus.nix + ./hedgedoc.nix ]; -} \ No newline at end of file +} diff --git a/modules/nixos/hedgedoc.nix b/modules/nixos/hedgedoc.nix new file mode 100644 index 0000000..934420d 
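Review bot: The rewritten auth vhost proxies to `https://127.0.0.1:${toString kanidm_listen_port}`, so Caddy will now validate the upstream certificate against `127.0.0.1` rather than `auth.xinyang.life`; the `transport http {` block that governs this continues past the end of the hunk, so I cannot see whether it sets `tls_server_name auth.xinyang.life` (the right fix) or `tls_insecure_skip_verify` (which drops certificate verification on the identity provider entirely). `header_up Host {upstream_hostport}` also changes from the public hostname to `127.0.0.1:<port>`; Kanidm builds its issuer URLs from its configured origin so this is probably fine, but confirm it does not reject the mismatched Host. The unchanged `header_down Access-Control-Allow-Origin "*"` on an OIDC issuer is worth a second look while you are here, even though it predates this commit.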
--- /dev/null
+++ b/modules/nixos/hedgedoc.nix
@@ -0,0 +1,83 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.custom.hedgedoc; +in +{ + options = { + custom.hedgedoc = { + enable = mkEnableOption "HedgeDoc Markdown Editor"; + domain = mkOption { + type = types.str; + default = "docs.example.com"; + description = "Domain name of the HedgeDoc server"; + }; + caddy = mkOption { + type = types.bool; + default = true; + description = "Enable Caddy as reverse proxy"; + }; + mediaPath = mkOption { + type = types.path; + default = /var/lib/hedgedoc/uploads; + description = "Directory for storing medias"; + }; + oidc = { + enable = mkEnableOption "OIDC support for HedgeDoc"; + baseURL = mkOption { + type = types.str; + }; + authorizationURL = mkOption { + type = types.str; + }; + tokenURL = mkOption { + type = types.str; + }; + userProfileURL = mkOption { + type = types.str; + }; + }; + environmentFile = mkOption { + type = types.path; + }; + }; + }; + config = { + services.hedgedoc = mkIf cfg.enable { + enable = true; + environmentFile = cfg.environmentFile; + settings = { + domain = cfg.domain; + protocolUseSSL = cfg.caddy; + uploadsPath = cfg.mediaPath; + path = "/run/hedgedoc/hedgedoc.sock"; + email = false; + allowEmailRegister = false; + oauth2 = mkIf cfg.oidc.enable { + baseURL = cfg.oidc.baseURL; + authorizationURL = cfg.oidc.authorizationURL; + tokenURL = cfg.oidc.tokenURL; + userProfileURL = cfg.oidc.userProfileURL; + userProfileEmailAttr = "email"; + userProfileUsernameAttr = "name"; + userProfileDisplayNameAttr = "preferred_name"; + scope = "openid email profile"; + clientID = "$HEDGEDOC_CLIENT_ID"; + clientSecret = "$HEDGEDOC_CLIENT_SECRET"; + }; + allowAnonymous = false; + defaultPermission = "private"; + }; + }; + services.caddy = mkIf ( cfg.enable && cfg.enable ) { + enable = true; + virtualHosts."https://${cfg.domain}".extraConfig = '' + reverse_proxy unix/${config.services.hedgedoc.settings.path} + ''; + }; + users.users.caddy.extraGroups = mkIf ( cfg.enable && cfg.enable ) [ 
"hedgedoc" ]; + + }; +} From ac9918c75960fad578ba224fe7e022e2d4ce7424 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 17 Dec 2023 13:59:09 +0800 Subject: [PATCH 053/136] wip: modularize home-manager --- flake.nix | 1 + home/xin/calcite/default.nix | 7 +++ home/xin/common/default.nix | 9 +--- home/xin/common/fish.nix | 37 --------------- home/xin/common/git.nix | 13 ------ home/xin/common/vim.nix | 32 ------------- home/xin/common/zellij.nix | 28 ------------ machines/calcite/configuration.nix | 1 - modules/home-manager/default.nix | 9 +++- modules/home-manager/fish.nix | 72 ++++++++++++++++++++++++++++++ modules/home-manager/git.nix | 26 +++++++++++ modules/home-manager/tmux.nix | 1 + modules/home-manager/vim.nix | 43 ++++++++++++++++++ modules/home-manager/zellij.nix | 40 +++++++++++++++++ 14 files changed, 200 insertions(+), 119 deletions(-) delete mode 100644 home/xin/common/fish.nix delete mode 100644 home/xin/common/git.nix delete mode 100644 home/xin/common/vim.nix delete mode 100644 home/xin/common/zellij.nix create mode 100644 modules/home-manager/fish.nix create mode 100644 modules/home-manager/git.nix create mode 100644 modules/home-manager/tmux.nix create mode 100644 modules/home-manager/vim.nix create mode 100644 modules/home-manager/zellij.nix diff --git a/flake.nix b/flake.nix index d89b9ae..e15efa8 100644 --- a/flake.nix +++ b/flake.nix @@ -63,6 +63,7 @@ home-manager.users.xin = import ./home/${user}/${host}; home-manager.extraSpecialArgs = { inherit inputs system; }; } + self.homeManagerModules ]; }; mkNixos = { system, modules, specialArgs ? {}}: nixpkgs.lib.nixosSystem { diff --git a/home/xin/calcite/default.nix b/home/xin/calcite/default.nix index 94e3d77..544e438 100644 --- a/home/xin/calcite/default.nix +++ b/home/xin/calcite/default.nix @@ -34,4 +34,11 @@ thunderbird remmina ]; + + # custom-hm = { + # fish = { enable = true; }; + # git = { enable = true; }; + # neovim = { enable = true; }; + # zellij = { enable = true; }; + # }; } 
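Review bot: Both `mkIf ( cfg.enable && cfg.enable )` guards (the `services.caddy` block and `users.users.caddy.extraGroups`) repeat `cfg.enable` and never read `cfg.caddy`, so `caddy = false` still enables Caddy and adds it to the hedgedoc group; the intended condition is `mkIf (cfg.enable && cfg.caddy)` in both places. In the oauth2 block `userProfileUsernameAttr = "name"` keys the username on the user's display-name claim and no `userProfileIdAttr` is set; as far as I recall HedgeDoc falls back to the username attribute as the profile id when the id attribute is unset, which would let a changed or colliding name claim land in another user's account, so set `userProfileIdAttr = "sub";` and use `preferred_username` for the username (`preferred_name` is not a standard OIDC claim) — verify against the HedgeDoc version in nixpkgs. The `mediaPath` default `/var/lib/hedgedoc/uploads` is an unquoted Nix path literal; once it reaches the JSON-serialised settings it will be copied into the store (and fail evaluation if the directory does not exist on the build host), so quote it: `default = "/var/lib/hedgedoc/uploads";`.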
diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index c76d3e8..0e0677c 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -1,10 +1,5 @@ -{ pkgs, ... }: { - imports = [ - ./fish.nix - ./git.nix - ./zellij.nix - ./vim.nix - ]; +{ inputs, pkgs, ... }: { + imports = [ ]; home.packages = with pkgs; [ dig diff --git a/home/xin/common/fish.nix b/home/xin/common/fish.nix deleted file mode 100644 index 7d8fecb..0000000 --- a/home/xin/common/fish.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ pkgs, ... }: { - programs.fish = { - enable = true; - plugins = with pkgs; [ - { - name = "pisces"; - src = fishPlugins.pisces.src; - } - { - name = "done"; - src = fishPlugins.done.src; - } - { - name = "hydro"; - src = fishPlugins.hydro.src; - } - ]; - interactiveShellInit = '' - fish_config theme choose 'ayu Dark' - fish_config prompt choose arrow - ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source - function fish_right_prompt - if test -n "$IN_NIX_SHELL" - echo -n "" - else if test $SHLVL -ge 3 - echo -n "<🚀lv$SHLVL>" - end - end - function fish_command_not_found - ${pkgs.comma}/bin/comma $argv - end - ''; - functions = { - gitignore = "curl -sL https://www.gitignore.io/api/$argv"; - }; - }; -} diff --git a/home/xin/common/git.nix b/home/xin/common/git.nix deleted file mode 100644 index 98c2e84..0000000 --- a/home/xin/common/git.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - programs.git = { - enable = true; - delta.enable = true; - userName = "Xinyang Li"; - userEmail = "lixinyang411@gmail.com"; - aliases = { - graph = "log --all --oneline --graph --decorate"; - s = "status"; - d = "diff"; - }; - }; -} \ No newline at end of file diff --git a/home/xin/common/vim.nix b/home/xin/common/vim.nix deleted file mode 100644 index f73228d..0000000 --- a/home/xin/common/vim.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ pkgs, ... }: { - programs.neovim = { - enable = true; - vimAlias = true; - vimdiffAlias = true; - plugins = with pkgs.vimPlugins; [ - nvim-treesitter.withAllGrammars - dracula-nvim - ]; - extraConfig = '' - set nocompatible - - syntax on - set number - set relativenumber - set shortmess+=I - set laststatus=2 - - set ignorecase - set smartcase - set list - set listchars=tab:→· - set tabstop=4 - set shiftwidth=4 - set expandtab - - set mouse+=a - - colorscheme dracula - ''; -}; -} diff --git a/home/xin/common/zellij.nix b/home/xin/common/zellij.nix deleted file mode 100644 index e485d11..0000000 --- a/home/xin/common/zellij.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - programs.zellij = { - enable = true; - settings = { - default_shell = "fish"; - keybinds = { - unbind = [ - "Ctrl p" - "Ctrl n" - ]; - }; - theme = "dracula"; - themes.dracula = { - fg = [ 248 248 242 ]; - bg = [ 40 42 54 ]; - black = [ 0 0 0 ]; - red = [ 255 85 85 ]; - green = [ 80 250 123 ]; - yellow = [ 241 250 140 ]; - blue = [ 98 114 164 ]; - magenta = [ 255 121 198 ]; - cyan = [ 139 233 253 ]; - white = [ 255 255 255 ]; - orange = [ 255 184 108 ]; - }; - }; - }; -} diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 1871c6d..7017de9 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -189,7 +189,6 @@ gnomeExtensions.paperwm gnomeExtensions.search-light gnomeExtensions.tray-icons-reloaded - gnomeExtensions.gsconnect gnome.gnome-tweaks gthumb diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix index 0e0dcd2..6ab8a89 100644 --- a/modules/home-manager/default.nix +++ b/modules/home-manager/default.nix @@ -1,3 +1,10 @@ +{ config, pkgs, ... }: { - + imports = [ + ./fish.nix + ./git.nix + ./tmux.nix + ./vim.nix + ./zellij.nix + ]; } \ No newline at end of file diff --git a/modules/home-manager/fish.nix b/modules/home-manager/fish.nix new file mode 100644 index 0000000..54dda10 
--- /dev/null +++ b/modules/home-manager/fish.nix @@ -0,0 +1,72 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.custom-hm.fish; +in +{ + options = { + enable = mkEnableOption "fish"; + plugins = mkOption { + type = types.listOf types.str; + default = [ "pisces" "done" "hydro" ]; + }; + functions = { + enable = mkOption { + type = types.bool; + default = true; + }; + }; + alias = { + enable = mkOption { + type = types.bool; + default = true; + }; + }; + }; + + config = { + programs.fish = mkIf cfg.enable { + enable = true; + plugins = with pkgs; filter ( + e: hasAttr e.name builtins.listToAttrs # { "xxx" = true; } + (map (p: { name = p; value = true; }) cfg.plugins) # { name = "xxx"; value = true; } + ) [ + { + name = "pisces"; + src = fishPlugins.pisces.src; + } + { + name = "done"; + src = fishPlugins.done.src; + } + { + name = "hydro"; + src = fishPlugins.hydro.src; + } + ]; + interactiveShellInit = let + extraInit = if cfg.functions.enable then '' + ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source + function fish_right_prompt + if test -n "$IN_NIX_SHELL" + echo -n "" + else if test $SHLVL -ge 3 + echo -n "<🚀lv$SHLVL>" + end + end + function fish_command_not_found + ${pkgs.comma}/bin/comma $argv + end + '' else ""; + in '' + fish_config theme choose 'ayu Dark' + fish_config prompt choose arrow + '' + extraInit; + functions = mkIf cfg.functions.enable { + gitignore = "curl -sL https://www.gitignore.io/api/$argv"; + }; + }; + }; +} diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix new file mode 100644 index 0000000..2eefe65 --- /dev/null +++ b/modules/home-manager/git.nix 
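Review bot: `hasAttr e.name builtins.listToAttrs (map ...)` in the plugins filter applies `hasAttr` to three arguments (`e.name`, the `listToAttrs` function, then the list), which fails at evaluation with a "value is a function while a set was expected" error; it needs parentheses, `hasAttr e.name (builtins.listToAttrs (map (p: { name = p; value = true; }) cfg.plugins))`, or more simply `filter (e: elem e.name cfg.plugins) [ ... ]`. The `options` block declares `enable`, `plugins`, `functions` and `alias` at the root of the option tree while `cfg` reads `config.custom-hm.fish`, so `custom-hm.fish.enable` is undeclared and `cfg.enable` cannot evaluate; wrap them as `options.custom-hm.fish = { ... };`. `alias.enable` is declared but nothing in `config` reads it.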
@@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.custom-hm.git; +in +{ + options = { + enable = mkEnableOption "Enable git configuration"; + }; + config = { + programs.git = { + enable = true; + delta.enable = true; + userName = "Xinyang Li"; + userEmail = "lixinyang411@gmail.com"; + aliases = { + graph = "log --all --oneline --graph --decorate"; + a = "add"; + d = "diff"; + s = "status"; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/home-manager/tmux.nix b/modules/home-manager/tmux.nix new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/modules/home-manager/tmux.nix @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/modules/home-manager/vim.nix b/modules/home-manager/vim.nix new file mode 100644 index 0000000..0c1f886 --- /dev/null +++ b/modules/home-manager/vim.nix @@ -0,0 +1,43 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.custom-hm.neovim; +in +{ + options = { + enable = mkEnableOption "neovim configurations"; + }; + config = mkIf cfg.enable { + programs.neovim = { + enable = true; + vimAlias = true; + vimdiffAlias = true; + plugins = with pkgs.vimPlugins; [ + catppuccin-nvim + ]; + extraConfig = '' + set nocompatible + + syntax on + set number + set relativenumber + set shortmess+=I + set laststatus=2 + + set ignorecase + set smartcase + set list + set listchars=tab:→· + set tabstop=4 + set shiftwidth=4 + set expandtab + + set mouse+=a + + colorscheme catppuccin-macchiato + ''; + }; + }; +} diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix new file mode 100644 index 0000000..b795130 --- /dev/null +++ b/modules/home-manager/zellij.nix 
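Review bot: `config` sets `programs.git` unconditionally, so the declared `enable` option has no effect and the hard-coded identity (`userName`/`userEmail`) lands in every home configuration that imports the module set; wrap it as `config = mkIf cfg.enable { programs.git = { ... }; };`. As in the sibling modules, `options = { enable = ...; }` declares the option at the module root while `cfg = config.custom-hm.git`, so it needs to be `options.custom-hm.git = { enable = ...; };` for `cfg.enable` to resolve.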
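Review bot: `options = { enable = mkEnableOption "neovim configurations"; }` declares `enable` at the root of the home-manager option tree rather than under the `custom-hm.neovim` path that `cfg` reads, so `config = mkIf cfg.enable { ... }` fails on an undeclared attribute; change it to `options.custom-hm.neovim = { enable = ...; };`. The `config = mkIf cfg.enable { ... }` shape is otherwise the right one — the git sibling does not gate on the option at all.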
@@ -0,0 +1,40 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.custom-hm.zellij; +in +{ + options = { + enable = mkEnableOption "zellij configurations"; + }; + config = { + programs.zellij = mkIf cfg.enable { + enable = true; + settings = { + default_shell = "fish"; + keybinds = { + unbind = [ + "Ctrl p" + "Ctrl n" + ]; + }; + theme = "catppuccin-macchiato"; + themes.dracula = { + fg = [ 248 248 242 ]; + bg = [ 40 42 54 ]; + black = [ 0 0 0 ]; + red = [ 255 85 85 ]; + green = [ 80 250 123 ]; + yellow = [ 241 250 140 ]; + blue = [ 98 114 164 ]; + magenta = [ 255 121 198 ]; + cyan = [ 139 233 253 ]; + white = [ 255 255 255 ]; + orange = [ 255 184 108 ]; + }; + }; + }; + }; +} From 552cc4f144c0235191be8fdad9dbcee4f033b2a0 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 24 Dec 2023 18:53:47 +0800 Subject: [PATCH 054/136] home-manager: modularize home configurations --- .envrc | 1 + .gitignore | 4 +- flake.nix | 44 +++++- home/default.nix | 5 + home/xin/alacritty.nix | 19 --- home/xin/{calcite/default.nix => calcite.nix} | 22 +-- home/xin/vscode.nix | 133 ---------------- machines/vscode.nix | 36 ----- modules/home-manager/alacritty.nix | 31 ++++ modules/home-manager/default.nix | 4 +- modules/home-manager/direnv.nix | 18 +++ modules/home-manager/fish.nix | 6 +- modules/home-manager/git.nix | 2 +- modules/home-manager/vim.nix | 2 +- modules/home-manager/vscode.nix | 146 ++++++++++++++++++ modules/home-manager/zellij.nix | 15 +- 16 files changed, 261 insertions(+), 227 deletions(-) create mode 100644 .envrc create mode 100644 home/default.nix delete mode 100644 home/xin/alacritty.nix rename home/xin/{calcite/default.nix => calcite.nix} (67%) delete mode 100644 home/xin/vscode.nix delete mode 100644 machines/vscode.nix create mode 100644 modules/home-manager/alacritty.nix create mode 100644 modules/home-manager/direnv.nix create mode 100644 modules/home-manager/vscode.nix diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..3550a30 
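Review bot: `theme = "catppuccin-macchiato"` selects a theme that this settings block does not define — only `themes.dracula` is declared — so unless the zellij version in nixpkgs bundles that theme, zellij will fall back to its default at startup and the dracula definition is dead weight; either define `themes.catppuccin-macchiato` or drop the unused dracula block. As in the other new modules, `options = { enable = ...; }` declares the option at the module root while `cfg = config.custom-hm.zellij`, so it should be `options.custom-hm.zellij = { enable = ...; };` for `mkIf cfg.enable` to evaluate.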
--- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake diff --git a/.gitignore b/.gitignore index e2f5dd2..9f05b1e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ -result \ No newline at end of file +.direnv +.vscode +result diff --git a/flake.nix b/flake.nix index e15efa8..d4d7633 100644 --- a/flake.nix +++ b/flake.nix @@ -55,23 +55,42 @@ outputs = { self, ... }@inputs: with inputs; let + homeConfigurations = import ./home; + sharedModules = [ + self.homeManagerModules + inputs.nix-index-database.hmModules.nix-index + ]; mkHome = user: host: { config, system, ... }: { imports = [ + home-manager.nixosModules.home-manager { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.xin = import ./home/${user}/${host}; - home-manager.extraSpecialArgs = { inherit inputs system; }; + home-manager = { + inherit sharedModules; + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = { inherit inputs; }; + }; + home-manager.users.${user} = homeConfigurations.${user}.${host}; } - self.homeManagerModules ]; }; + mkHomeConfiguration = user: settings: { + name = user; + value = home-manager.lib.homeManagerConfiguration { + pkgs = import nixpkgs { system = "x86_64-linux"; }; + modules = [ + self.homeManagerModules + ] ++ sharedModules; + specialArgs = { + inherit inputs; + }; + }; + }; mkNixos = { system, modules, specialArgs ? {}}: nixpkgs.lib.nixosSystem { inherit system; specialArgs = specialArgs // { inherit inputs system; }; modules = [ self.nixosModules.default - home-manager.nixosModules.home-manager nur.nixosModules.nur ] ++ modules; }; @@ -81,6 +100,8 @@ nixosModules.default = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; + homeConfigurations = listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; + colmenaHive = colmena.lib.makeHive { meta = { nixpkgs = import nixpkgs { 
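Review bot: `mkHomeConfiguration` ignores its second argument (`settings`, really the host name) and builds `homeManagerConfiguration` from `[ self.homeManagerModules ] ++ sharedModules` only, so `homeConfigurations.xin` carries the option modules but not `home/xin/calcite.nix`, and `self.homeManagerModules` is listed twice since `sharedModules` already contains it; the modules list should be `[ homeConfigurations.${user}.${host} ] ++ sharedModules` with the parameter renamed accordingly. `homeManagerConfiguration` takes `extraSpecialArgs`, not `specialArgs`, so as written the call is rejected (or the argument silently ignored, depending on the home-manager revision) — rename the attribute. `pkgs` is hard-coded to `x86_64-linux` here while `mkHome` receives `system`; threading the system through would keep the standalone and NixOS paths consistent.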
@@ -166,5 +187,14 @@ } ]; }).config.system.build.sdImage; - }; + } // flake-utils.lib.eachDefaultSystem (system: + let pkgs = nixpkgs.legacyPackages.${system}; in + { + devShells = { + default = pkgs.mkShell { + packages = with pkgs; [ git colmena ]; + }; + }; + } + ); } diff --git a/home/default.nix b/home/default.nix new file mode 100644 index 0000000..0c683f6 --- /dev/null +++ b/home/default.nix @@ -0,0 +1,5 @@ +{ + xin = { + calcite = import ./xin/calcite.nix; + }; +} \ No newline at end of file diff --git a/home/xin/alacritty.nix b/home/xin/alacritty.nix deleted file mode 100644 index f34ff67..0000000 --- a/home/xin/alacritty.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, ... }: { - programs.alacritty = { - enable = true; - settings = { - shell = { - program = config.programs.zellij.package + "/bin/zellij"; - args = [ - "attach" - "-c" - ]; - }; - font.size = 10.0; - window = { - resize_increments = true; - dynamic_padding = true; - }; - }; - }; -} diff --git a/home/xin/calcite/default.nix b/home/xin/calcite.nix similarity index 67% rename from home/xin/calcite/default.nix rename to home/xin/calcite.nix index 544e438..31c9811 100644 --- a/home/xin/calcite/default.nix +++ b/home/xin/calcite.nix @@ -1,10 +1,7 @@ -{ inputs, config, pkgs, ... }: +{ config, pkgs, ... }: { imports = [ - ../common - ../vscode.nix - ../alacritty.nix - inputs.nix-index-database.hmModules.nix-index + ./common ]; programs.nix-index-database.comma.enable = true; @@ -35,10 +32,13 @@ remmina ]; - # custom-hm = { - # fish = { enable = true; }; - # git = { enable = true; }; - # neovim = { enable = true; }; - # zellij = { enable = true; }; - # }; + custom-hm = { + alacritty = { enable = true; }; + direnv = { enable = true; }; + fish = { enable = true; }; + git = { enable = true; }; + neovim = { enable = true; }; + vscode = { enable = true; }; + zellij = { enable = true; }; + }; } diff --git a/home/xin/vscode.nix b/home/xin/vscode.nix deleted file mode 100644 index a0b9eac..0000000 
--- a/home/xin/vscode.nix
+++ /dev/null
@@ -1,133 +0,0 @@ -{ config, pkgs, inputs, system, ... }: -{ - home.packages = with pkgs; [ - pkgs.wl-clipboard-x11 - ]; - programs.vscode = { - enable = true; - enableUpdateCheck = false; - enableExtensionUpdateCheck = false; - mutableExtensionsDir = false; - extensions = (with inputs.nix-vscode-extensions.extensions.${system}.vscode-marketplace; [ - arrterian.nix-env-selector - - bbenoist.nix - ms-azuretools.vscode-docker - ms-vscode-remote.remote-ssh - vscodevim.vim - github.vscode-pull-request-github - eamodio.gitlens - gruntfuggly.todo-tree # todo highlight - - # Language support - # Python - ms-python.python - # Markdown - davidanson.vscode-markdownlint - # C/C++ - ms-vscode.cmake-tools - llvm-vs-code-extensions.vscode-clangd - # Nix - jnoortheen.nix-ide - # Latex - james-yu.latex-workshop - # Vue - vue.volar - - ms-vscode-remote.remote-ssh-edit - mushan.vscode-paste-image - ]) ++ (with pkgs.vscode-extensions; [ - # Rust - rust-lang.rust-analyzer - github.copilot - ]); - userSettings = { - "workbench.colorTheme" = "Default Dark+"; - "terminal.integrated.sendKeybindingsToShell" = true; - "extensions.ignoreRecommendations" = true; - "files.autoSave" = "afterDelay"; - "editor.inlineSuggest.enabled" = true; - "editor.rulers" = [ - 80 - ]; - "editor.mouseWheelZoom" = true; - "git.autofetch" = true; - "window.zoomLevel" = -1; - - "nix.enableLanguageServer" = true; - - "latex-workshop.latex.autoBuild.run" = "never"; - "latex-workshop.latex.tools" = [ - { - "name" = "xelatex"; - "command" = "xelatex"; - "args" = [ - "-synctex=1" - "-interaction=nonstopmode" - "-file-line-error" - "-pdf" - "%DOCFILE%" - ]; - } - { - "name" = "pdflatex"; - "command" = "pdflatex"; - "args" = [ - "-synctex=1" - "-interaction=nonstopmode" - "-file-line-error" - "%DOCFILE%" - ]; - } - { - "name" = "bibtex"; - "command" = "bibtex"; - "args" = [ - "%DOCFILE%" - ]; - } - ]; - "latex-workshop.latex.recipes" = [ - { - "name" = "xelatex"; - "tools" = [ - "xelatex" - ]; - } - { - "name" = 
"pdflatex"; - "tools" = [ - "pdflatex" - ]; - } - { - "name" = "xe->bib->xe->xe"; - "tools" = [ - "xelatex" - "bibtex" - "xelatex" - "xelatex" - ]; - } - { - "name" = "pdf->bib->pdf->pdf"; - "tools" = [ - "pdflatex" - "bibtex" - "pdflatex" - "pdflatex" - ]; - } - ]; - "[latex]" = { - "editor.formatOnPaste" = false; - "editor.suggestSelection" = "recentlyusedbyprefix"; - "editor.wordWrap" = "bounded"; - "editor.wordWrapColumn" = 80; - "editor.unicodeHighlight.ambiguousCharacters" = false; - }; - # Extension vscode-paste-image - "pasteImage.path" = "\${currentFileDir}/.assets"; - }; - }; -} diff --git a/machines/vscode.nix b/machines/vscode.nix deleted file mode 100644 index 0ec1e87..0000000 --- a/machines/vscode.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - environment.systemPackages = [ - (pkgs.vscode-with-extensions.override { - vscodeExtensions = with pkgs.vscode-extensions; [ - arrterian.nix-env-selector - - bbenoist.nix - ms-azuretools.vscode-docker - ms-vscode-remote.remote-ssh - vscodevim.vim - github.copilot - github.vscode-pull-request-github - eamodio.gitlens - gruntfuggly.todo-tree # todo highlight - - vadimcn.vscode-lldb # debugger - - # Language support - ms-python.python - davidanson.vscode-markdownlint - llvm-vs-code-extensions.vscode-clangd - jnoortheen.nix-ide - james-yu.latex-workshop - rust-lang.rust-analyzer - ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ - { - name = "remote-ssh-edit"; - publisher = "ms-vscode-remote"; - version = "0.47.2"; - sha256 = "1hp6gjh4xp2m1xlm1jsdzxw9d8frkiidhph6nvl24d0h8z34w49g"; - } - ]; - }) - ]; -} diff --git a/modules/home-manager/alacritty.nix b/modules/home-manager/alacritty.nix new file mode 100644 index 0000000..7e217d8 --- /dev/null +++ b/modules/home-manager/alacritty.nix 
@@ -0,0 +1,31 @@ +{ config, lib, ... }: +with lib; + +let + cfg = config.custom-hm.alacritty; +in +{ + options.custom-hm.alacritty = { + enable = mkEnableOption "alacritty"; + }; + + config = mkIf cfg.enable { + programs.alacritty = { + enable = true; + settings = { + shell = { + program = config.programs.zellij.package + "/bin/zellij"; + args = [ + "attach" + "-c" + ]; + }; + font.size = 10.0; + window = { + resize_increments = true; + dynamic_padding = true; + }; + }; + }; + }; +} diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix index 6ab8a89..23f5c24 100644 --- a/modules/home-manager/default.nix +++ b/modules/home-manager/default.nix @@ -1,10 +1,12 @@ -{ config, pkgs, ... }: { imports = [ + ./alacritty.nix + ./direnv.nix ./fish.nix ./git.nix ./tmux.nix ./vim.nix + ./vscode.nix ./zellij.nix ]; } \ No newline at end of file diff --git a/modules/home-manager/direnv.nix b/modules/home-manager/direnv.nix new file mode 100644 index 0000000..850534d --- /dev/null +++ b/modules/home-manager/direnv.nix @@ -0,0 +1,18 @@ +{ config, lib, ... }: +with lib; + +let + cfg = config.custom-hm.direnv; +in +{ + options.custom-hm.direnv = { + enable = mkEnableOption "direnv"; + }; + config = { + programs = mkIf config.custom-hm.direnv.enable { + direnv = { + enable = true; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/home-manager/fish.nix b/modules/home-manager/fish.nix index 54dda10..0b002e0 100644 --- a/modules/home-manager/fish.nix +++ b/modules/home-manager/fish.nix @@ -6,7 +6,7 @@ let cfg = config.custom-hm.fish; in { - options = { + options.custom-hm.fish = { enable = mkEnableOption "fish"; plugins = mkOption { type = types.listOf types.str; 
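Review bot: In the new `modules/home-manager/direnv.nix`, `cfg` is bound at the top of the file but the `mkIf` condition re-reads `config.custom-hm.direnv.enable`, and the `mkIf` is placed under `programs` rather than at `config` level, which differs from the `alacritty.nix` module introduced in the same commit. For consistency with the sibling modules: `config = mkIf cfg.enable { programs.direnv.enable = true; };`. The file also lacks a trailing newline, as the diff marker shows.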
@@ -30,9 +30,9 @@ in programs.fish = mkIf cfg.enable { enable = true; plugins = with pkgs; filter ( - e: hasAttr e.name builtins.listToAttrs # { "xxx" = true; } + e: hasAttr e.name (builtins.listToAttrs # { "xxx" = true; } (map (p: { name = p; value = true; }) cfg.plugins) # { name = "xxx"; value = true; } - ) [ + )) [ { name = "pisces"; src = fishPlugins.pisces.src; diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index 2eefe65..2b19136 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix @@ -6,7 +6,7 @@ let cfg = config.custom-hm.git; in { - options = { + options.custom-hm.git = { enable = mkEnableOption "Enable git configuration"; }; config = { diff --git a/modules/home-manager/vim.nix b/modules/home-manager/vim.nix index 0c1f886..d818132 100644 --- a/modules/home-manager/vim.nix +++ b/modules/home-manager/vim.nix @@ -6,7 +6,7 @@ let cfg = config.custom-hm.neovim; in { - options = { + options.custom-hm.neovim = { enable = mkEnableOption "neovim configurations"; }; config = mkIf cfg.enable { diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix new file mode 100644 index 0000000..301b794 --- /dev/null +++ b/modules/home-manager/vscode.nix 
@@ -0,0 +1,146 @@ +{ inputs, config, lib, pkgs, ... }: +with lib; + +let + cfg = config.custom-hm.vscode; +in +{ + options.custom-hm.vscode = { + enable = mkEnableOption "Vscode config"; + }; + config = mkIf cfg.enable { + home.packages = with pkgs; [ + pkgs.wl-clipboard-x11 + ]; + programs.vscode = { + enable = true; + enableUpdateCheck = false; + enableExtensionUpdateCheck = false; + mutableExtensionsDir = false; + extensions = (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + mkhl.direnv + + bbenoist.nix + ms-azuretools.vscode-docker + ms-vscode-remote.remote-ssh + vscodevim.vim + github.vscode-pull-request-github + eamodio.gitlens + gruntfuggly.todo-tree # todo highlight + + # Language support + # Python + ms-python.python + # Markdown + davidanson.vscode-markdownlint + # C/C++ + ms-vscode.cmake-tools + llvm-vs-code-extensions.vscode-clangd + # Nix + jnoortheen.nix-ide + # Latex + james-yu.latex-workshop + # Vue + vue.volar + # Scale / chisel + scalameta.metals + + sterben.fpga-support + + ms-vscode-remote.remote-ssh-edit + mushan.vscode-paste-image + ]) ++ (with pkgs.vscode-extensions; [ + catppuccin.catppuccin-vsc + # Rust + rust-lang.rust-analyzer + github.copilot + ]); + userSettings = { + "workbench.colorTheme" = "Catppuccin Macchiato"; + "terminal.integrated.sendKeybindingsToShell" = true; + "extensions.ignoreRecommendations" = true; + "files.autoSave" = "afterDelay"; + "editor.inlineSuggest.enabled" = true; + "editor.rulers" = [ + 80 + ]; + "editor.mouseWheelZoom" = true; + "git.autofetch" = true; + "window.zoomLevel" = -1; + + "nix.enableLanguageServer" = true; + + "latex-workshop.latex.autoBuild.run" = "never"; + "latex-workshop.latex.tools" = [ + { + "name" = "xelatex"; + "command" = "xelatex"; + "args" = [ + "-synctex=1" + "-interaction=nonstopmode" + "-file-line-error" + "-pdf" + "%DOCFILE%" + ]; + } + { + "name" = "pdflatex"; + "command" = "pdflatex"; + "args" = [ + "-synctex=1" + "-interaction=nonstopmode" + 
"-file-line-error" + "%DOCFILE%" + ]; + } + { + "name" = "bibtex"; + "command" = "bibtex"; + "args" = [ + "%DOCFILE%" + ]; + } + ]; + "latex-workshop.latex.recipes" = [ + { + "name" = "xelatex"; + "tools" = [ + "xelatex" + ]; + } + { + "name" = "pdflatex"; + "tools" = [ + "pdflatex" + ]; + } + { + "name" = "xe->bib->xe->xe"; + "tools" = [ + "xelatex" + "bibtex" + "xelatex" + "xelatex" + ]; + } + { + "name" = "pdf->bib->pdf->pdf"; + "tools" = [ + "pdflatex" + "bibtex" + "pdflatex" + "pdflatex" + ]; + } + ]; + "[latex]" = { + "editor.formatOnPaste" = false; + "editor.suggestSelection" = "recentlyusedbyprefix"; + "editor.wordWrap" = "bounded"; + "editor.wordWrapColumn" = 80; + "editor.unicodeHighlight.ambiguousCharacters" = false; + }; + }; + }; + }; +} diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix index b795130..16d0d70 100644 --- a/modules/home-manager/zellij.nix +++ b/modules/home-manager/zellij.nix @@ -6,7 +6,7 @@ let cfg = config.custom-hm.zellij; in { - options = { + options.custom-hm.zellij = { enable = mkEnableOption "zellij configurations"; }; config = { @@ -21,19 +21,6 @@ in ]; }; theme = "catppuccin-macchiato"; - themes.dracula = { - fg = [ 248 248 242 ]; - bg = [ 40 42 54 ]; - black = [ 0 0 0 ]; - red = [ 255 85 85 ]; - green = [ 80 250 123 ]; - yellow = [ 241 250 140 ]; - blue = [ 98 114 164 ]; - magenta = [ 255 121 198 ]; - cyan = [ 139 233 253 ]; - white = [ 255 255 255 ]; - orange = [ 255 184 108 ]; - }; }; }; }; From b0facfa211922f100e570101d474f44f0a6e990a Mon Sep 17 00:00:00 2001 
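Review bot: `mushan.vscode-paste-image` stays in the extension list, but the `"pasteImage.path"` setting that the deleted `home/xin/vscode.nix` carried for it is absent from `userSettings` here, so the extension falls back to its default location; add `"pasteImage.path" = "\${currentFileDir}/.assets";` under `userSettings` if that behaviour is still wanted. `inputs.nix-vscode-extensions.extensions.${pkgs.system}` relies on `pkgs.system`, which newer nixpkgs deprecates in favour of `pkgs.stdenv.hostPlatform.system` — presumably fine for the pinned revision, but worth confirming.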
From: xinyangli Date: Sun, 7 Jan 2024 21:41:01 +0800 Subject: [PATCH 055/136] calcite: remove unused packages --- flake.lock | 54 ++++++++++----------- flake.nix | 6 +-- machines/calcite/configuration.nix | 53 +++++++++----------- machines/calcite/hardware-configuration.nix | 8 ++- machines/secrets.yaml | 5 +- machines/sops.nix | 52 ++++++++++---------- modules/home-manager/alacritty.nix | 9 +++- modules/home-manager/fish.nix | 24 ++++----- modules/home-manager/vscode.nix | 5 +- 9 files changed, 114 insertions(+), 102 deletions(-) diff --git a/flake.lock b/flake.lock index c8658bc..5a9d972 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1701728041, - "narHash": "sha256-x0pyrI1vC8evVDxCxyO6olOyr4wlFg9+VS3C3p4xFYQ=", + "lastModified": 1703657526, + "narHash": "sha256-C3fQG/tasnhtfJb0cvXthMDUJ/OLgCKNLqfMuR/M+0k=", "owner": "nix-community", "repo": "home-manager", - "rev": "ac7216918cd65f3824ba7817dea8f22e61221eaf", + "rev": "d1d950841d230490f308f5fcf8c0d4f2bd3f24a7", "type": "github" }, "original": { @@ -104,11 +104,11 @@ ] }, "locked": { - "lastModified": 1702177733, - "narHash": "sha256-lr3hkmmuqDFPj3i41cHpaALF3Txo3kxsJ3L6jZLujJ8=", + "lastModified": 1703387252, + "narHash": "sha256-XKJqGj0BaEn/zyctEnkgVIh6Ba1rgTRc+UBi9EU8Y54=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "58ecd98e27e27fcbb27a51a588555c828b1ec56e", + "rev": "f4340c1a42c38d79293ba69bfd839fbd6268a538", "type": "github" }, "original": { @@ -128,11 +128,11 @@ ] }, "locked": { - "lastModified": 1701825722, - "narHash": "sha256-vpT4hY8DDu39b9AMKCJIEVgQSfm+QKDGUjpVPFxNhTs=", + "lastModified": 1703639874, + "narHash": "sha256-54bkJbvGRb9Wq4re5tbtbHaFSPg7wnQfgAjCvggEDZ4=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "8f5a362c9ea3824d70458485abf9d162b8765034", + "rev": "52061beda00305b26445dc84ca7ab8a6036685c4", "type": "github" }, "original": { 
@@ -166,11 +166,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1701656485, - "narHash": "sha256-xDFormrGCKKGqngHa2Bz1GTeKlFMMjLnHhTDRdMJ1hs=", + "lastModified": 1703545041, + "narHash": "sha256-nvQA+k1rSszrf4kA4eK2i/SGbzoXyoKHzzyzq/Jca1w=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "fa194fc484fd7270ab324bb985593f71102e84d1", + "rev": "a15b6e525f5737a47b4ce28445c836996fb2ea8c", "type": "github" }, "original": { @@ -182,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1701718080, - "narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=", + "lastModified": 1703438236, + "narHash": "sha256-aqVBq1u09yFhL7bj1/xyUeJjzr92fXVvQSSEx6AdB1M=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335", + "rev": "5f64a12a728902226210bf01d25ec6cbb9d9265b", "type": "github" }, "original": { @@ -198,11 +198,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1701615100, - "narHash": "sha256-7VI84NGBvlCTduw2aHLVB62NvCiZUlALLqBe5v684Aw=", + "lastModified": 1703351344, + "narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e9f06adb793d1cca5384907b3b8a4071d5d7cb19", + "rev": "7790e078f8979a9fcd543f9a47427eeaba38f268", "type": "github" }, "original": { @@ -214,11 +214,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1701568804, - "narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=", + "lastModified": 1703351344, + "narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4", + "rev": "7790e078f8979a9fcd543f9a47427eeaba38f268", "type": "github" }, "original": { 
@@ -230,11 +230,11 @@ }, "nur": { "locked": { - "lastModified": 1701906331, - "narHash": "sha256-4dzaExoiung1HWn0nTp9xBHtB5rQMTsfOC2FtJuUoH4=", + "lastModified": 1703663873, + "narHash": "sha256-WHt475cqqOZp8+2FSZf3L6xVTQlIN8eAAVJzCeo8ydU=", "owner": "nix-community", "repo": "NUR", - "rev": "b8ad2b1feccf3b75e2d7fabad6d97769318febf4", + "rev": "e65636be64a336e7110fc82cf7aab577f1ed8233", "type": "github" }, "original": { @@ -266,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1701728052, - "narHash": "sha256-7lOMc3PtW5a55vFReBJLLLOnopsoi1W7MkjJ93jPV4E=", + "lastModified": 1703387502, + "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e91ece6d2cf5a0ae729796b8f0dedceab5107c3d", + "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index d4d7633..c0c0867 100644 --- a/flake.nix +++ b/flake.nix @@ -81,7 +81,7 @@ modules = [ self.homeManagerModules ] ++ sharedModules; - specialArgs = { + extraSpecialArgs = { inherit inputs; }; }; @@ -100,7 +100,7 @@ nixosModules.default = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; - homeConfigurations = listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; + homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; colmenaHive = colmena.lib.makeHive { meta = { @@ -192,7 +192,7 @@ { devShells = { default = pkgs.mkShell { - packages = with pkgs; [ git colmena ]; + packages = with pkgs; [ git colmena nix-output-monitor ]; }; }; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 7017de9..b039b1d 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix 
@@ -28,6 +28,11 @@ networking.hostName = "calcite"; + programs.steam = { + enable = true; + gamescopeSession = { enable = true; }; + }; + programs.vim.defaultEditor = true; # Keep this even if enabled in home manager @@ -99,7 +104,7 @@ enable = true; wireplumber.enable = true; alsa.enable = true; - #alsa.support32Bit = true; + alsa.support32Bit = true; pulse.enable = true; # If you want to use JACK applications, uncomment this jack.enable = true; @@ -112,6 +117,17 @@ extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ]; }; + services.kanidm = { + enableClient = true; + enablePam = true; + clientSettings = { + uri = "https://auth.xinyang.life"; + }; + unixSettings = { + pam_allowed_login_groups = [ "linux_users" "xin@auth.xinyang.life" "test" ]; + }; + }; + # Enable automatic login for the user. services.xserver.displayManager.autoLogin.enable = true; services.xserver.displayManager.autoLogin.user = "xin"; @@ -129,6 +145,7 @@ "openssl-1.1.1w" # For wechat-uos "electron-19.1.9" + "electron-25.9.0" ]; # List packages installed in system profile. To search, run: # $ nix search wget @@ -141,23 +158,10 @@ wineWowPackages.waylandFull faudio - # ==== CLI tools ==== # - rust-analyzer - # tesseract5 # ocr ocrmypdf # pdfocr - grc - - sops - git-crypt - # ==== Development ==== # - - # Language server - clang-tools - rnix-lsp - # Python # reference: https://nixos.wiki/wiki/Python ( @@ -173,37 +177,28 @@ python-with-my-packages ) - # Tex - texlive.combined.scheme-full - # ==== GUI Softwares ==== # - # IDE - jetbrains.jdk # patch jetbrain runtime java - jetbrains.clion - jetbrains.pycharm-professional - jetbrains.idea-ultimate - android-studio - # Gnome tweaks gnomeExtensions.paperwm gnomeExtensions.search-light gnomeExtensions.tray-icons-reloaded gnome.gnome-tweaks gthumb + oculante # Multimedia vlc obs-studio spotify + rawtherapee digikam # IM element-desktop tdesktop qq - config.nur.repos.xddxdd.wechat-uos # Password manager bitwarden 
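Review bot: In the `services.kanidm` hunk, `pam_allowed_login_groups` grants PAM login to a group literally named `"test"`, which reads as a debugging leftover; any kanidm account placed in that group obtains a local session on calcite, and the surrounding context shows display-manager auto-login enabled on this host. Unless `test` is a deliberately managed POSIX group, drop it: `pam_allowed_login_groups = [ "linux_users" "xin@auth.xinyang.life" ];`.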
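Review bot: `"electron-25.9.0"` is added to `permittedInsecurePackages` without a comment naming the package that needs it, unlike the `"openssl-1.1.1w" # For wechat-uos` entry beside it; suggest `"electron-25.9.0" # For <consumer> — drop once that package no longer pins it` so the allowance can be retired later. The `@@ -173,37 +177,28 @@` hunk in the same file removes `config.nur.repos.xddxdd.wechat-uos`, which is the only stated reason for the `openssl-1.1.1w` allowance, so that entry can probably be removed too (confirm nothing else in the closure still needs it).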
@@ -212,19 +207,16 @@ firefox chromium brave - microsoft-edge # Writting obsidian zotero - wpsoffice onlyoffice-bin + wpsoffice config.nur.repos.linyinfeng.wemeet virt-manager - - ghidra ]; system.stateVersion = "22.05"; @@ -291,9 +283,10 @@ defaultFonts = { serif = [ "Noto Serif CJK SC" "Ubuntu" ]; sansSerif = [ "Noto Sans CJK SC" "Ubuntu" ]; - monospace = [ "FiraCode NerdFont Mono" "Ubuntu" ]; + monospace = [ "FiraCode NerdFont Mono" "Noto Sans Mono CJK SC" "Ubuntu" ]; }; }; + enableDefaultPackages = true; }; # Virtualization virtualisation = { diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index c59286d..c84f41b 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -23,6 +23,12 @@ fsType = "vfat"; }; + fileSystems."/media/data" = + { device = "/dev/nvme0n1p7"; + fsType = "ntfs-3g"; + options = [ "rw" "uid=1000" "nofail" "x-systemd.device-timeout=2" ]; + }; + swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ]; @@ -41,6 +47,6 @@ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.opengl = { enable = true; - driSupport32Bit = false; + driSupport32Bit = true; }; } diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 46b1575..0de58ab 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
@@ -7,6 +7,7 @@ singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2 singbox_password: ENC[AES256_GCM,data:0tBIzwtNSQqbGlD+CDnQfJigbFVBChEL,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:5BtYAv1NO70IL4m/uG8QKA==,type:str] singbox_uuid: ENC[AES256_GCM,data:ufN+vDl/rDASoQL23tHwlr3ybMyrlC/Kd7bT0c5+SP+bc6Zj,iv:+uwt/N9LpFaJK6MjoczyrZ039MDZn4kRmtEoq4OvdFU=,tag:6Yma9+yrISwQoSRDgUbuwA==,type:str] grafana_cloud_api: ENC[AES256_GCM,data:Pz+tE09dcJa+ZEWS3vtpOtitGCA9Cg/+gOd/0FsF8ooxzPyN9/UMuTcP02aIPW5v7yZCkGJOAXufIyechNf0crgAV/KmwGGwixH7I+1f3sDtGiFZEMnQgrysyfJo0KIrIZ8XP0SyXDs3vKjDU8cUI4+IyucHacWQ1kWdEtINjcPNHRPS2yaMUIvsRn0z8Cs2byMD3ghUHHHOz40CuO6r4A==,iv:cHvbeCmLFmJPNKsl1BBYx9WJP7ZJWi+8c9yHZWc6FTs=,tag:yWXtPokYE4frCmzzzyEqEg==,type:str] +private_dns_address: ENC[AES256_GCM,data:m/u3oc+6ef8dLa7Dpu+5T9TTSdXqJjS9ecA+sPj0r8qX06+QgiQnpmEW4w==,iv:8+qG5rQXAKfrykEjt9qrbtyNaBuKvi7EaIWouRqEipY=,tag:XlMccTKL239/NnAprtqYrg==,type:str] sops: kms: [] gcp_kms: [] @@ -67,8 +68,8 @@ sops: c1E1Sld1ejZhTStKTU5teEJKT2JwVXcKuEQnA6b1WJ+RNqmrZ8t3joiEZ57Oq9M1 P4tMGerB12A1myTJlt5Ss2OCTBUV7ooVRNsyPjyvJy/YTyjqZ5xmxg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-20T01:34:00Z" - mac: ENC[AES256_GCM,data:6MLBRPA5g2r3yy/i7DSxjWaYhHH/4GiAqL/pRIvYyIrKQWYvfviWlTX9dqHVzzCXjueEXUM5dXFb2B+Sds68EGgBuBlZvBchtstHUOtMLE3pttC+xCzerQFyrPDrXbnpfdDYPHWxvhhhFpWu8G5RSfzSgkgp7+cx9iZHq/g1k/Q=,iv:8yFIOgHtBiCtbamufrXXHrjIq5DV3MIJbTJPtXlgpPg=,tag:CVOIojTN2KkXJsDVyiZjMQ==,type:str] + lastmodified: "2024-01-07T13:13:50Z" + mac: ENC[AES256_GCM,data:cAc3Wp5KjuaKWv0e2ciPVzvsK2L6BgupYS2+5Vlr+Wn0RBsuLA0OEW2pQbm5hpUJaWO65qQk5IeMvK/h8otYLgGHGzz23NiZTNeAknw6z2mL5y+GgP22mBOMzPU2PtaJKXkt624T1sZzW4QTMo8TqBlzy7D10odyjkVn6Wd+OGE=,iv:zucnHwHjY4DX3jIKuuIGpa2no9svOEordGN0LsPKDuc=,tag:JQZMyBO3yZIW+ZTIKDUPCQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/sops.nix b/machines/sops.nix index 64cc721..de0cf5b 100644 --- a/machines/sops.nix +++ b/machines/sops.nix 
@@ -1,31 +1,33 @@ -{ inputs, ... }: +{ inputs, config, lib, ... }: { imports = [ inputs.sops-nix.nixosModules.sops ]; - sops = { - defaultSopsFile = ./secrets.yaml; - # TODO: How to generate this key when bootstrap? - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - secrets = { - github_public_token = { - owner = "root"; + config = { + sops = { + defaultSopsFile = ./secrets.yaml; + # TODO: How to generate this key when bootstrap? + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets = { + github_public_token = { + owner = "root"; + }; + singbox_sg_server = { + owner = "root"; + }; + singbox_jp_server = { + owner = "root"; + }; + singbox_password = { + owner = "root"; + }; + singbox_uuid = { + owner = "root"; + }; + private_dns_address = { + owner = "root"; + }; }; - clash_subscription_link = { - owner = "root"; - }; - singbox_sg_server = { - owner = "root"; - }; - singbox_jp_server = { - owner = "root"; - }; - singbox_password = { - owner = "root"; - }; - singbox_uuid = { - owner = "root"; - }; - grafana_cloud_api = { - owner = "prometheus"; + secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable { + owner = "prometheus"; }; }; }; diff --git a/modules/home-manager/alacritty.nix b/modules/home-manager/alacritty.nix index 7e217d8..9f10b00 100644 --- a/modules/home-manager/alacritty.nix +++ b/modules/home-manager/alacritty.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, pkgs, lib, ... }: with lib; let @@ -25,7 +25,14 @@ in resize_increments = true; dynamic_padding = true; }; + import = [ + "${config.xdg.configHome}/alacritty/catppuccin-macchiato.yml" + ]; }; }; + xdg.configFile."alacritty/catppuccin-macchiato.yml".source = builtins.fetchurl { + url = "https://raw.githubusercontent.com/catppuccin/alacritty/main/catppuccin-macchiato.yml"; + sha256 = "sha256-+m8FyPStdh1A1xMVBOkHpfcaFPcyVL99tIxHuDZ2zXI="; + }; }; } diff --git a/modules/home-manager/fish.nix b/modules/home-manager/fish.nix index 0b002e0..927b69f 100644 
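Review bot: The alacritty theme is fetched with `builtins.fetchurl` from the mutable `main` branch of catppuccin/alacritty; the `sha256` keeps the fetch reproducible, but any upstream edit to that file turns into an evaluation failure rather than tracked change. Prefer a commit-pinned raw URL (`https://raw.githubusercontent.com/catppuccin/alacritty/<commit-sha>/catppuccin-macchiato.yml`, placeholder) or a `flake = false` input so the revision lives in `flake.lock` alongside the other inputs, keeping the hash either way.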
--- a/modules/home-manager/fish.nix +++ b/modules/home-manager/fish.nix @@ -10,7 +10,7 @@ in enable = mkEnableOption "fish"; plugins = mkOption { type = types.listOf types.str; - default = [ "pisces" "done" "hydro" ]; + default = [ "pisces" "done" "hydro" "grc" ]; }; functions = { enable = mkOption { @@ -26,26 +26,27 @@ in }; }; - config = { - programs.fish = mkIf cfg.enable { + config = mkIf cfg.enable { + home.packages = [ pkgs.grc ]; + programs.fish = { enable = true; - plugins = with pkgs; filter ( + plugins = with pkgs; (filter ( e: hasAttr e.name (builtins.listToAttrs # { "xxx" = true; } (map (p: { name = p; value = true; }) cfg.plugins) # { name = "xxx"; value = true; } )) [ - { - name = "pisces"; + { name = "pisces"; src = fishPlugins.pisces.src; } - { - name = "done"; + { name = "done"; src = fishPlugins.done.src; } - { - name = "hydro"; + { name = "hydro"; src = fishPlugins.hydro.src; } - ]; + { name = "grc"; + src = fishPlugins.grc.src; + } + ]); interactiveShellInit = let extraInit = if cfg.functions.enable then '' ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source @@ -61,7 +62,6 @@ in end '' else ""; in '' - fish_config theme choose 'ayu Dark' fish_config prompt choose arrow '' + extraInit; functions = mkIf cfg.functions.enable { diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 301b794..d3b604c 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -25,7 +25,6 @@ in ms-vscode-remote.remote-ssh vscodevim.vim github.vscode-pull-request-github - eamodio.gitlens gruntfuggly.todo-tree # todo highlight # Language support @@ -35,6 +34,7 @@ in davidanson.vscode-markdownlint # C/C++ ms-vscode.cmake-tools + twxs.cmake llvm-vs-code-extensions.vscode-clangd # Nix jnoortheen.nix-ide @@ -43,6 +43,7 @@ in # Vue vue.volar # Scale / chisel + scala-lang.scala scalameta.metals sterben.fpga-support 
@@ -50,6 +51,7 @@ in ms-vscode-remote.remote-ssh-edit mushan.vscode-paste-image ]) ++ (with pkgs.vscode-extensions; [ + waderyan.gitblame catppuccin.catppuccin-vsc # Rust rust-lang.rust-analyzer @@ -140,6 +142,7 @@ in "editor.wordWrapColumn" = 80; "editor.unicodeHighlight.ambiguousCharacters" = false; }; + "cmake.configureOnEdit" = false; }; }; }; From 29d7585e272ec4e6731a792ee369b16ff385bfcf Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 8 Jan 2024 01:03:42 +0800 Subject: [PATCH 056/136] modules: add sing-box module --- flake.nix | 2 +- machines/calcite/configuration.nix | 4 + machines/calcite/network.nix | 16 ++- machines/calcite/secrets.yaml | 5 +- machines/sing-box.nix | 150 ----------------------------- modules/nixos/default.nix | 1 + modules/nixos/sing-box.nix | 84 ++++++++++++++++ 7 files changed, 104 insertions(+), 158 deletions(-) delete mode 100644 machines/sing-box.nix create mode 100644 modules/nixos/sing-box.nix diff --git a/flake.nix b/flake.nix index c0c0867..f3b3633 100644 --- a/flake.nix +++ b/flake.nix @@ -192,7 +192,7 @@ { devShells = { default = pkgs.mkShell { - packages = with pkgs; [ git colmena nix-output-monitor ]; + packages = with pkgs; [ git colmena sops nix-output-monitor ]; }; }; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index b039b1d..3309e68 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -251,6 +251,10 @@ owner = "xin"; sopsFile = ./secrets.yaml; }; + sing_box_url = { + owner = "root"; + sopsFile = ./secrets.yaml; + }; }; custom.restic.enable = true; custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path; diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index f0f3e1c..e439899 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -1,9 +1,7 @@ -{ pkgs, ...}: +{ config, pkgs, ...}: { - imports = [ - ../sing-box.nix - ]; + imports = [ ]; # Enable networking networking = { 
@@ -21,12 +19,20 @@ services.tailscale.enable = true; # services.tailscale.useRoutingFeatures = "both"; + custom.sing-box = { + enable = true; + configFile = { + urlFile = config.sops.secrets.sing_box_url.path; + hash = "6ca5bc8a16f8c413227690aceeee2c12c02cab09473c216b849af1e854b98588"; + }; + overrideSettings.experimental.clash_api.external_ui = "${config.nur.repos.linyinfeng.yacd}"; + }; + # Open ports in the firewall. networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 3389 ]; networking.firewall.allowedUDPPorts = [ 3389 41641 ]; networking.firewall.trustedInterfaces = [ - "tun0" "tailscale0" ]; # Use nftables to manager firewall diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index 8e918b4..90312d4 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml @@ -1,5 +1,6 @@ restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] +sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -24,8 +25,8 @@ sops: WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-30T16:43:19Z" - mac: ENC[AES256_GCM,data:U3TilLQvxM01gwIkBM4vT53JRBiE4VBOC0T6dxLjZ9btVMEhGp3MNQMRK0I06JP/vm532/oOTh/No/AwdzOpXxlfNY/hxxij03v83cZraSy8eT53uFV2TfU9HELVmmItqV2rJ96jBvCIzZJ+uif1OwIefcU+ii/MC333sW5DL1A=,iv:9pKUp08MPtECxUE3gxud/4220RsJ/d+xOFljntOdxfo=,tag:vvFpZRDoIz4NGll5XxRhAg==,type:str] + lastmodified: "2024-01-07T16:18:51Z" + mac: ENC[AES256_GCM,data:lBbtSYZ/UxBPBVVa6Bg0NiZxhFcjEREGBPEgCZau+C9aMQcMJp4s+SPKRaBDGuf2ee95pwuyYOb6M9Jr9dQxRAoAubgyaxAXUrC6U5Q8+VlKxMdvfBNJ5m8OGbkwHACrjkaWTRfHB8rPMH/yuIuuSZl8AB1m2GcT8uoluTsCMGo=,iv:FmFLPhoaR/YAVEJhQIhoUrZGX4p+fw/iCf1BN+NdX/U=,tag:/rZTAt20hd9LretuOHhTbQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/sing-box.nix b/machines/sing-box.nix deleted file mode 100644 index 060d028..0000000 --- a/machines/sing-box.nix +++ /dev/null 
@@ -1,150 +0,0 @@ -{ config, lib, pkgs, ... }: -let - password = { - _secret = config.sops.secrets.singbox_password.path; - }; - uuid = { - _secret = config.sops.secrets.singbox_uuid.path; - }; - sg_server = { - _secret = config.sops.secrets.singbox_sg_server.path; - }; - jp_server = { - _secret = config.sops.secrets.singbox_jp_server.path; - }; -in -{ - services.sing-box = { - enable = true; - settings = { - log = { level = "warning"; }; - experimental = { - clash_api = { - external_controller = "127.0.0.1:9090"; - store_selected = true; - external_ui = "${config.nur.repos.linyinfeng.yacd}"; - }; - }; - dns = { - rules = [ - { - disable_cache = true; - geosite = "category-ads-all"; - server = "_dns_block"; - } - { - geosite = "cn"; - server = "_dns_doh_mainland"; - } - { - disable_cache = false; - domain_suffix = sg_server; - server = "_dns_doh_mainland"; - } - { - disable_cache = false; - domain_suffix = jp_server; - server = "_dns_doh_mainland"; - } - ]; - servers = [ - { - address = "tls://dns.google:853/"; - address_resolver = "_dns_udp_global"; - detour = "_proxy_select"; - tag = "_dns_global"; - } - { - address = "1.1.1.1"; - detour = "_proxy_select"; - tag = "_dns_udp_global"; - } - { - address = "119.29.29.29"; - detour = "direct"; - tag = "_dns_udp_mainland"; - } - { - address = "tls://1.12.12.12:853/"; - address_resolver = "_dns_udp_mainland"; - detour = "direct"; - tag = "_dns_doh_mainland"; - } - { - address = "rcode://success"; - tag = "_dns_block"; - } - ]; - final = "_dns_global"; - strategy = "prefer_ipv4"; - disable_cache = true; - }; - inbounds = [ - { - type = "mixed"; - tag = "mixed-in"; - listen = "127.0.0.1"; - listen_port = 7891; - } - { - type = "tun"; - tag = "tun-in"; - auto_route = true; - strict_route = false; - inet4_address = "172.19.0.1/30"; - inet6_address = "fdfe:dcba:9876::1/126"; - sniff = true; - } - ]; - route = { - auto_detect_interface = true; - final = "_proxy_select"; - rules = [ - { outbound = "dns-out"; protocol = "dns"; 
} - { - geoip = "cn"; - geosite = "cn"; - outbound = "direct"; - } - { geoip = "private"; outbound = "direct"; } - { - domain = sg_server; - outbound = "direct"; - } - { - geosite = "cn"; - geoip = "cn"; - invert = true; - outbound = "_proxy_select"; - } - ]; - }; - outbounds = [ - { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://cp.cloudflare.com/"; } - { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } - { tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } - { default = "auto"; outbounds = [ "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } - { tag = "direct"; type = "direct"; } - { tag = "block"; type = "block"; } - { tag = "dns-out"; type = "dns"; } - ] ++ lib.forEach (lib.range 6311 6314) (port: { - inherit uuid password; - tag = "sg" + toString (port - 6310); - type = "tuic"; - congestion_control = "bbr"; - server = sg_server; - server_port = port; - tls = { enabled = true; server_name = sg_server; }; - }) ++ lib.forEach (lib.range 6311 6314) (port: { - inherit uuid password; - tag = "jp" + toString (port - 6310); - type = "tuic"; - congestion_control = "bbr"; - server = jp_server; - server_port = port; - tls = { enabled = true; server_name = jp_server; }; - }); - }; - }; -} - diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index f963802..81ab1d0 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -5,5 +5,6 @@ ./vaultwarden.nix ./prometheus.nix ./hedgedoc.nix + ./sing-box.nix ]; } 
diff --git a/modules/nixos/sing-box.nix b/modules/nixos/sing-box.nix
new file mode 100644
index 0000000..572291b
--- /dev/null
+++ b/modules/nixos/sing-box.nix
@@ -0,0 +1,84 @@
+{ config, pkgs, lib, utils, ... }:
+let
+ cfg = config.custom.sing-box;
+ settingsFormat = pkgs.formats.json { };
+in
+{
+ options = {
+ custom.sing-box = {
+ enable = lib.mkEnableOption "sing-box";
+
+ package = lib.mkPackageOption pkgs "sing-box" { };
+
+ stateDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/sing-box";
+ };
+
+ configFile = {
+ urlFile = lib.mkOption {
+ type = lib.types.path;
+ };
+ name = lib.mkOption {
+ type = lib.types.str;
+ default = "config.json";
+ };
+ hash = lib.mkOption {
+ type = lib.types.str;
+ example = "9a304bcb87d4c3f1e50f6281f25dd78635255ebde06cd4d2555729ecda43aed4";
+ };
+ };
+
+ overrideSettings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType = settingsFormat.type;
+ options = {
+ route = {
+ geoip.path = lib.mkOption {
+ type = lib.types.path;
+ default = "${pkgs.sing-geoip}/share/sing-box/geoip.db";
+ defaultText = lib.literalExpression "\${pkgs.sing-geoip}/share/sing-box/geoip.db";
+ description = lib.mdDoc ''
+ The path to the sing-geoip database.
+ '';
+ };
+ geosite.path = lib.mkOption {
+ type = lib.types.path;
+ default = "${pkgs.sing-geosite}/share/sing-box/geosite.db";
+ defaultText = lib.literalExpression "\${pkgs.sing-geosite}/share/sing-box/geosite.db";
+ description = lib.mdDoc ''
+ The path to the sing-geosite database.
+ '';
+ };
+ };
+ };
+ };
+ default = { };
+ };
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ networking.firewall.trustedInterfaces = [ "tun0" ];
+
+ systemd.packages = [ cfg.package ];
+
+ systemd.services.sing-box =
+ let
+ configFile = cfg.stateDir + "/${cfg.configFile.name}";
+ in
+ {
+ preStart = ''
+ umask 0077
+ mkdir -p /etc/sing-box
+ if ! [ -e ${configFile} ]; then
+ ${pkgs.curl}/bin/curl "$(${pkgs.coreutils}/bin/cat ${cfg.configFile.urlFile})" > '${configFile}'
+ test "${cfg.configFile.hash}" $(${pkgs.coreutils}/bin/sha256sum '${configFile}' | ${pkgs.coreutils}/bin/cut -d ' ' -f 1)
+ fi
+ ${utils.genJqSecretsReplacementSnippet cfg.overrideSettings "/etc/sing-box/config.json"}
+ ${cfg.package}/bin/sing-box merge -c '${configFile}' -c /etc/sing-box/config.json /etc/sing-box/config.json
+ '';
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+}
+
From 45abb882218238ee9f138667790753ad8aad6b7f Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Mon, 8 Jan 2024 15:30:02 +0800
Subject: [PATCH 057/136] home-manager: add signing option to git
---
 flake.lock | 54 ++++++++++++++++++------------------
 home/xin/calcite.nix | 2 +-
 modules/home-manager/git.nix | 26 +++++++++++++++--
 3 files changed, 52 insertions(+), 30 deletions(-)
diff --git a/flake.lock b/flake.lock
index 5a9d972..45cbde5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -84,11 +84,11 @@
 ]
 },
 "locked": {
- "lastModified": 1703657526,
- "narHash": "sha256-C3fQG/tasnhtfJb0cvXthMDUJ/OLgCKNLqfMuR/M+0k=",
+ "lastModified": 1704498488,
+ "narHash": "sha256-yINKdShHrtjdiJhov+q0s3Y3B830ujRoSbHduUNyKag=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "d1d950841d230490f308f5fcf8c0d4f2bd3f24a7",
+ "rev": "51e44a13acea71b36245e8bd8c7db53e0a3e61ee",
 "type": "github"
 },
 "original": {
@@ -104,11 +104,11 @@
 ]
 },
 "locked": {
- "lastModified": 1703387252,
- "narHash": "sha256-XKJqGj0BaEn/zyctEnkgVIh6Ba1rgTRc+UBi9EU8Y54=",
+ "lastModified": 1704596958,
+ "narHash": "sha256-BK3Ohsz7m8X6qVKFxDtr8KVcHipfr5hYE9PDIJevHbQ=",
 "owner": "Mic92",
 "repo": "nix-index-database",
- "rev": "f4340c1a42c38d79293ba69bfd839fbd6268a538",
+ "rev": "f46800ac5a6e9f892fe36e50821c5d85794ecc62",
 "type": "github"
 },
 "original": {
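Review bot: The integrity check in preStart, `test "${cfg.configFile.hash}" $(… sha256sum … | cut …)`, is not a comparison — the `=` operator is missing, and bash's `test` with two plain arguments reports `unary operator expected` rather than checking equality — and because curl has already written to `${configFile}`, a mismatch leaves the unverified file in place, where it is either merged in the same run or accepted by the `if ! [ -e … ]` guard on the next start. curl is also run without `--fail`, so an HTTP error body would be stored and hashed as the config. Download to a temporary file, verify it with `sha256sum --check`, and only then move it into place; the jq secrets step and the merge call stay as they are. The `mkdir -p` of `cfg.stateDir` is only needed if the packaged unit does not already create it, which I cannot tell from this hunk.
```nix
          preStart = ''
            umask 0077
            mkdir -p /etc/sing-box '${cfg.stateDir}'
            if ! [ -e '${configFile}' ]; then
              tmp="$(${pkgs.coreutils}/bin/mktemp '${configFile}.XXXXXX')"
              ${pkgs.curl}/bin/curl --fail --silent --show-error \
                "$(${pkgs.coreutils}/bin/cat ${cfg.configFile.urlFile})" -o "$tmp"
              if ! echo "${cfg.configFile.hash}  $tmp" | ${pkgs.coreutils}/bin/sha256sum --check --status; then
                ${pkgs.coreutils}/bin/rm -f "$tmp"
                echo "sing-box: downloaded config does not match configFile.hash" >&2
                exit 1
              fi
              ${pkgs.coreutils}/bin/mv "$tmp" '${configFile}'
            fi
            # … unchanged: genJqSecretsReplacementSnippet and sing-box merge …
          '';
```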
@@ -128,11 +128,11 @@ ] }, "locked": { - "lastModified": 1703639874, - "narHash": "sha256-54bkJbvGRb9Wq4re5tbtbHaFSPg7wnQfgAjCvggEDZ4=", + "lastModified": 1704590722, + "narHash": "sha256-exh2bDwYYkdJgm5wLvpWht5bRuPigk8v4Z7l4RegX3Q=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "52061beda00305b26445dc84ca7ab8a6036685c4", + "rev": "7d0eace387cf4fd2812d0791684f4befa0865512", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1703545041, - "narHash": "sha256-nvQA+k1rSszrf4kA4eK2i/SGbzoXyoKHzzyzq/Jca1w=", + "lastModified": 1704632650, + "narHash": "sha256-83J/nd/NoLqo3vj0S0Ppqe8L+ijIFiGL6HNDfCCUD/Q=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a15b6e525f5737a47b4ce28445c836996fb2ea8c", + "rev": "c478b3d56969006e015e55aaece4931f3600c1b2", "type": "github" }, "original": { @@ -182,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1703438236, - "narHash": "sha256-aqVBq1u09yFhL7bj1/xyUeJjzr92fXVvQSSEx6AdB1M=", + "lastModified": 1704194953, + "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5f64a12a728902226210bf01d25ec6cbb9d9265b", + "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", "type": "github" }, "original": { @@ -198,11 +198,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1703351344, - "narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=", + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7790e078f8979a9fcd543f9a47427eeaba38f268", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "type": "github" }, "original": { 
@@ -214,11 +214,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1703351344, - "narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=", + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7790e078f8979a9fcd543f9a47427eeaba38f268", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "type": "github" }, "original": { @@ -230,11 +230,11 @@ }, "nur": { "locked": { - "lastModified": 1703663873, - "narHash": "sha256-WHt475cqqOZp8+2FSZf3L6xVTQlIN8eAAVJzCeo8ydU=", + "lastModified": 1704645857, + "narHash": "sha256-YRFry+uleoeDKs0kr039eVCN5XSCOuUbgbyKMJRXeFY=", "owner": "nix-community", "repo": "NUR", - "rev": "e65636be64a336e7110fc82cf7aab577f1ed8233", + "rev": "e72bc8a4fff841c6a131fe40471e4ae401f31096", "type": "github" }, "original": { @@ -266,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1703387502, - "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=", + "lastModified": 1704596510, + "narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3", + "rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a", "type": "github" }, "original": { diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 31c9811..eecb258 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -36,7 +36,7 @@ alacritty = { enable = true; }; direnv = { enable = true; }; fish = { enable = true; }; - git = { enable = true; }; + git = { enable = true; signing.enable = true; }; neovim = { enable = true; }; vscode = { enable = true; }; zellij = { enable = true; }; diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index 2b19136..e4b4c31 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix 
@@ -8,9 +8,20 @@ in { options.custom-hm.git = { enable = mkEnableOption "Enable git configuration"; + signing = mkOption { + type = types.submodule { + options = { + enable = mkEnableOption "Git ssh signing"; + keyFile = mkOption { + type = types.str; + default = "~/.ssh/id_ed25519_sk"; + }; + }; + }; + }; }; config = { - programs.git = { + programs.git = mkIf cfg.enable { enable = true; delta.enable = true; userName = "Xinyang Li"; @@ -21,6 +32,17 @@ in d = "diff"; s = "status"; }; + signing = mkIf cfg.signing.enable { + signByDefault = true; + key = cfg.signing.keyFile; + }; + + extraConfig.user = mkIf cfg.signing.enable { + signingkey = cfg.signing.keyFile; + }; + extraConfig.gpg = mkIf cfg.signing.enable { + format = "ssh"; + }; }; }; -} \ No newline at end of file +} From 5da958c996512a82bcb8046faede44c4bc94937f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 9 Jan 2024 12:27:51 +0800 Subject: [PATCH 058/136] modules: add kanidm-client module --- flake.nix | 1 - machines/calcite/configuration.nix | 4 -- machines/dolomite/default.nix | 26 ++++++++++++ machines/massicot/default.nix | 40 ++++++++++--------- machines/massicot/services.nix | 12 +++++- modules/home-manager/vscode.nix | 2 +- modules/nixos/default.nix | 1 + modules/nixos/kanidm-client.nix | 64 ++++++++++++++++++++++++++++++ 8 files changed, 124 insertions(+), 26 deletions(-) create mode 100644 modules/nixos/kanidm-client.nix diff --git a/flake.nix b/flake.nix index f3b3633..e5d7755 100644 --- a/flake.nix +++ b/flake.nix @@ -115,7 +115,6 @@ massicot = { name, nodes, pkgs, ... }: with inputs; { deployment.targetHost = "49.13.13.122"; - deployment.targetUser = "xin"; imports = [ { nixpkgs.system = "aarch64-linux"; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 3309e68..4354bcd 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix 
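Review bot: In the second hunk, `extraConfig.user.signingkey = cfg.signing.keyFile;` duplicates what `signing.key` already produces — home-manager writes `programs.git.signing.key` to `user.signingKey`, and git config names are case-insensitive — so the `extraConfig.user` block can be dropped, keeping `signing` and `extraConfig.gpg.format = "ssh"`. In the first hunk the `signing` submodule option has no `default = { }`; I am not certain a submodule-typed option evaluates cleanly on a host that never sets `signing`, so adding `default = { };` makes the `cfg.signing.enable` reads in the config block unambiguous. `keyFile` would also benefit from a `description` noting that git's ssh signing accepts either the private-key path or, when an agent holds the key, the public-key path, since the default `~/.ssh/id_ed25519_sk` points at a hardware-backed private key.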
@@ -119,13 +119,9 @@ services.kanidm = { enableClient = true; - enablePam = true; clientSettings = { uri = "https://auth.xinyang.life"; }; - unixSettings = { - pam_allowed_login_groups = [ "linux_users" "xin@auth.xinyang.life" "test" ]; - }; }; # Enable automatic login for the user. diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index f03d8b4..e10df8b 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -46,6 +46,32 @@ }; }; + custom.kanidm-client = { + enable = true; + uri = "https://auth.xinyang.life/"; + asSSHAuth = { + enable = true; + allowedGroups = [ "linux_users" ]; + }; + sudoers = [ "xin@auth.xinyang.life" ]; + }; + + services.openssh = { + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = lib.mkForce "no"; + GSSAPIAuthentication = "no"; + KerberosAuthentication = "no"; + }; + }; + services.fail2ban.enable = true; + + security.sudo = { + execWheelOnly = true; + wheelNeedsPassword = false; + }; + services.sing-box = let singTls = { enabled = true; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 98328f3..283dadb 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix 
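Review bot: `security.sudo.wheelNeedsPassword = false;` together with `custom.kanidm-client.sudoers = [ "xin@auth.xinyang.life" ]` means that, as far as this hunk shows, root on this host is reachable with nothing beyond the SSH key the identity provider publishes, so a compromise of that Kanidm account or of auth.xinyang.life becomes passwordless root here; the same pair appears in the massicot hunk below. If the goal is unattended colmena deployments, scoping NOPASSWD to the deployment commands via `security.sudo.extraRules` instead of the whole wheel group, or leaving `wheelNeedsPassword` at its default, narrows that. The rest of the block (`PasswordAuthentication = false`, `KbdInteractiveAuthentication = false`, `PermitRootLogin = lib.mkForce "no"`, fail2ban) is a sound baseline and should be kept.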
@@ -62,31 +62,33 @@ hostName = "massicot"; }; + custom.kanidm-client = { + enable = true; + uri = "https://auth.xinyang.life/"; + asSSHAuth = { + enable = true; + allowedGroups = [ "linux_users" ]; + }; + sudoers = [ "xin@auth.xinyang.life" ]; + }; + + security.sudo = { + execWheelOnly = true; + wheelNeedsPassword = false; + }; + services.openssh = { enable = true; settings = { PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = "no"; + GSSAPIAuthentication = "no"; + KerberosAuthentication = "no"; }; }; + + services.fail2ban.enable = true; systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; - - users.users.xin = { - isNormalUser = true; - extraGroups = [ "wheel" "networkmanager" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBcSvUQnmMFtpftFKIsDqeyUyZHzRg5ewgn3VEcLnss" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeNQ43f/ce4VxVPsAaKPPTp8rokQpmwNIsOX7JBZq4A" - ]; - hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7"; - }; - - security.sudo.extraRules = [ - { users = [ "xin" ]; - commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; - } - ]; - - } diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index e5ecdcc..9c7504e 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -40,7 +40,7 @@ in value = { device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; fsType = "cifs"; - options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"]; + options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"]; }; }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] ); 
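Review bot: Removing `users.users.xin` (its authorized keys and `hashedPassword`) leaves this host with no local account that can log in when auth.xinyang.life or the Kanidm PAM/authorized-keys path is unavailable, and `PermitRootLogin = "no"` in the same hunk closes the other route; keep a local break-glass admin with key-only access, e.g. `users.users.<name> = { isNormalUser = true; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = [ "<key>" ]; };`. The `hashedPassword` deleted here remains in the repository history, so it should be treated as exposed and the password rotated wherever else it is used. The `services.openssh.settings` additions mirror the dolomite hunk and look correct.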
@@ -112,6 +112,7 @@ in ROOT_URL = "https://git.xinyang.life/"; START_SSH_SERVER = true; BUILTIN_SSH_SERVER_USER = "git"; + SSH_USER = "git"; SSH_DOMAIN = "ssh.xinyang.life"; SSH_PORT = 2222; LFS_MAX_FILE_SIZE = 10737418240; @@ -138,6 +139,15 @@ in }; }; + users.users.git = { + isSystemUser = true; + useDefaultShell = true; + group = "git"; + extraGroups = [ "forgejo" ]; + }; + users.groups.git = { }; + + services.caddy = { enable = true; virtualHosts."xinyang.life:443".extraConfig = '' diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index d3b604c..38e70e9 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -67,7 +67,7 @@ in 80 ]; "editor.mouseWheelZoom" = true; - "git.autofetch" = true; + "git.autofetch" = false; "window.zoomLevel" = -1; "nix.enableLanguageServer" = true; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 81ab1d0..3ba4a9b 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -6,5 +6,6 @@ ./prometheus.nix ./hedgedoc.nix ./sing-box.nix + ./kanidm-client.nix ]; } diff --git a/modules/nixos/kanidm-client.nix b/modules/nixos/kanidm-client.nix new file mode 100644 index 0000000..8821fc1 --- /dev/null +++ b/modules/nixos/kanidm-client.nix 
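Review bot: The new `users.users.git` account in the second hunk gets `useDefaultShell = true` plus membership in the `forgejo` group, which gives an interactive-capable system account read access to Forgejo's state; with `START_SSH_SERVER = true` and `BUILTIN_SSH_SERVER_USER = "git"` the `git@` login is served by Forgejo's built-in SSH server, so as far as this hunk shows the OS account only needs to exist by name. Unless something else spawns a shell as `git`, drop `useDefaultShell = true;` (leaving the nologin default) and add a comment stating why the account and the group membership exist, e.g. `# OS account matching SSH_USER/BUILTIN_SSH_SERVER_USER; forgejo group needed for <reason>`. The settings block edited by the first hunk starts outside the hunk.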
@@ -0,0 +1,64 @@
+{ config, pkgs, lib, ... }:
+with lib;
+
+let
+ cfg = config.custom.kanidm-client;
+in
+{
+ options = {
+ custom.kanidm-client = {
+ enable = mkEnableOption "Kanidm client service";
+ asSSHAuth = mkOption {
+ type = types.submodule {
+ options = {
+ enable = mkEnableOption "Kanidm as system authentication source";
+ allowedGroups = mkOption {
+ type = types.listOf types.str;
+ example = [ "linux_users" ];
+ };
+ };
+ };
+ };
+ sudoers = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ };
+ uri = mkOption {
+ type = types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services.kanidm = mkMerge
+ [ (mkIf cfg.enable {
+ enableClient = true;
+ clientSettings = {
+ uri = cfg.uri;
+ };
+ })
+ (mkIf cfg.asSSHAuth.enable {
+ enablePam = true;
+ unixSettings = {
+ pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
+ default_shell = "/bin/sh";
+ };
+ })
+ ];
+ services.openssh = mkIf cfg.asSSHAuth.enable {
+ enable = true;
+ authorizedKeysCommand = "/etc/ssh/auth %u";
+ authorizedKeysCommandUser = "kanidm-ssh-runner";
+ };
+ environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
+ mode = "0555";
+ text = ''
+ #!${pkgs.stdenv.shell}
+ ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
+ '';
+ };
+ users.groups.wheel.members = cfg.sudoers;
+ users.groups.kanidm-ssh-runner = { };
+ users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
+ };
+}
+
From 55473f78ad7b015737a0e18355338fafa90f73aa Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Sat, 13 Jan 2024 10:47:37 +0800
Subject: [PATCH 059/136] chore: fix format
---
 flake.nix | 98 ++++++++++++++++++---------------
 machines/dolomite/default.nix | 5 ++
 machines/massicot/default.nix | 2 +-
 modules/home-manager/vscode.nix | 2 +-
 4 files changed, 60 insertions(+), 47 deletions(-)
diff --git a/flake.nix b/flake.nix
index e5d7755..c8182ad 100644
--- a/flake.nix
+++ b/flake.nix
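Review bot: In the `/etc/ssh/auth` script the username argument is unquoted, `${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1`, so an unusual username is word-split before it reaches the lookup; write it as `exec ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$1"` preceded by `set -eu`. `users.groups.wheel.members = cfg.sudoers;` adds every listed identity-provider account to wheel on each host importing the module, which the option should state, e.g. `description = "Kanidm accounts added to the wheel group on this host; combine with the host's sudo policy deliberately.";`, and `uri`, `asSSHAuth` and `allowedGroups` likewise lack descriptions. The inner `mkIf cfg.enable` inside the `mkMerge` list is redundant because the whole `config` attrset is already under `mkIf cfg.enable`, so the first element can be a plain attrset.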
@@ -9,7 +9,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nix-vscode-extensions = { + nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "flake-utils"; @@ -20,7 +20,7 @@ inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "flake-utils"; }; - + nur = { url = "github:nix-community/NUR"; }; @@ -86,7 +86,7 @@ }; }; }; - mkNixos = { system, modules, specialArgs ? {}}: nixpkgs.lib.nixosSystem { + mkNixos = { system, modules, specialArgs ? { } }: nixpkgs.lib.nixosSystem { inherit system; specialArgs = specialArgs // { inherit inputs system; }; modules = [ 
@@ -102,57 +102,65 @@ homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; - colmenaHive = colmena.lib.makeHive { + colmenaHive = + let + deploymentModule = { + deployment.targetUser = "xin"; + }; + sharedModules = [ + self.nixosModules.default + deploymentModule + ]; + in + colmena.lib.makeHive { meta = { - nixpkgs = import nixpkgs { - system = "x86_64-linux"; - }; - machinesFile = ./nixbuild.net; - specialArgs = { - inherit inputs; - }; + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; + machinesFile = ./nixbuild.net; + specialArgs = { + inherit inputs; + }; }; massicot = { name, nodes, pkgs, ... }: with inputs; { - deployment.targetHost = "49.13.13.122"; + deployment.targetHost = "49.13.13.122"; + deployment.buildOnTarget = true; - imports = [ - { nixpkgs.system = "aarch64-linux"; } - self.nixosModules.default - machines/massicot - ]; + imports = [ + { nixpkgs.system = "aarch64-linux"; } + machines/massicot + ] ++ sharedModules; }; sgp-00 = { name, nodes, pkgs, ... }: with inputs; { - imports = [ - self.nixosModules.default - machines/dolomite - ]; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "sgp-00"; - system.stateVersion = "23.11"; - deployment = { - targetHost = "video.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; - }; + imports = [ + machines/dolomite + ] ++ sharedModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "sgp-00"; + system.stateVersion = "23.11"; + deployment = { + targetHost = "video.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; }; tok-00 = { name, nodes, pkgs, ... 
}: with inputs; { - imports = [ - self.nixosModules.default - machines/dolomite - ]; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "tok-00"; - system.stateVersion = "23.11"; - deployment = { - targetHost = "video01.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; - }; + imports = [ + machines/dolomite + ] ++ sharedModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "tok-00"; + system.stateVersion = "23.11"; + deployment = { + targetHost = "video01.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; }; - }; + }; nixosConfigurations = { calcite = mkNixos { @@ -162,7 +170,7 @@ machines/calcite/configuration.nix (mkHome "xin" "calcite") ]; - }; + }; raspite = mkNixos { system = "aarch64-linux"; modules = [ @@ -186,12 +194,12 @@ } ]; }).config.system.build.sdImage; - } // flake-utils.lib.eachDefaultSystem (system: + } // flake-utils.lib.eachDefaultSystem (system: let pkgs = nixpkgs.legacyPackages.${system}; in { devShells = { default = pkgs.mkShell { - packages = with pkgs; [ git colmena sops nix-output-monitor ]; + packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp ]; }; }; } diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index e10df8b..bb91fa5 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -66,12 +66,17 @@ }; }; services.fail2ban.enable = true; + programs.mosh.enable = true; security.sudo = { execWheelOnly = true; wheelNeedsPassword = false; }; + nix.settings = { + trusted-users = config.users.groups.wheel.members; + }; + services.sing-box = let singTls = { enabled = true; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 283dadb..7a40b4e 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix 
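Review bot: `nix.settings.trusted-users = config.users.groups.wheel.members;` in the dolomite hunk makes every wheel member a trusted user of the Nix daemon, which is effectively root-equivalent (trusted users can add substituters, relax the sandbox and import unsigned store paths), so it deserves a comment saying that is intended, e.g. `# trusted-users is root-equivalent on the daemon; wheel is already NOPASSWD sudo here`. This line, `programs.mosh.enable = true`, `deployment.buildOnTarget = true` and the added `rnix-lsp` dev-shell package are behavioural changes landing under a "chore: fix format" title; splitting them from the whitespace changes keeps the format-only diff reviewable. The `services.sing-box` attrset the dolomite hunk opens continues outside the hunk.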
@@ -87,8 +87,8 @@ KerberosAuthentication = "no"; }; }; - services.fail2ban.enable = true; + programs.mosh.enable = true; systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; } diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 38e70e9..f8c98cc 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -5,7 +5,7 @@ let cfg = config.custom-hm.vscode; in { - options.custom-hm.vscode = { + options.custom-hm.vscode = { enable = mkEnableOption "Vscode config"; }; config = mkIf cfg.enable { From 6d6e66a056cf7e0e81237173c207bc34c938369e Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 13 Jan 2024 11:06:58 +0800 Subject: [PATCH 060/136] bump version --- flake.lock | 36 +++++++++++++++--------------- modules/home-manager/alacritty.nix | 8 +++---- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/flake.lock b/flake.lock index 45cbde5..2cf70b8 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1704498488, - "narHash": "sha256-yINKdShHrtjdiJhov+q0s3Y3B830ujRoSbHduUNyKag=", + "lastModified": 1705104164, + "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=", "owner": "nix-community", "repo": "home-manager", - "rev": "51e44a13acea71b36245e8bd8c7db53e0a3e61ee", + "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd", "type": "github" }, "original": { @@ -128,11 +128,11 @@ ] }, "locked": { - "lastModified": 1704590722, - "narHash": "sha256-exh2bDwYYkdJgm5wLvpWht5bRuPigk8v4Z7l4RegX3Q=", + "lastModified": 1705108826, + "narHash": "sha256-1xOzPcS8Zr4rqgLoaRwAcKqdCdzrBDaNwT+tiBdXf18=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "7d0eace387cf4fd2812d0791684f4befa0865512", + "rev": "92fd8c24719f08692c36b685de6884a20080edf0", "type": "github" }, "original": { 
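Review bot: `services.fail2ban.enable = true;` is removed on massicot while the dolomite hunk in the same commit keeps it, so the two internet-facing hosts now differ in SSH brute-force protection with no stated reason; if deliberate, a comment such as `# fail2ban intentionally not enabled on massicot: <reason>` would settle it. As far as I recall the NixOS module, `programs.mosh.enable = true` also opens the mosh UDP port range in the firewall by default, which is fine but worth a comment beside it. The attrset this hunk edits starts and ends outside the hunk.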
@@ -166,11 +166,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1704632650, - "narHash": "sha256-83J/nd/NoLqo3vj0S0Ppqe8L+ijIFiGL6HNDfCCUD/Q=", + "lastModified": 1704786394, + "narHash": "sha256-aJM0ln9fMGWw1+tjyl5JZWZ3ahxAA2gw2ZpZY/hkEMs=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "c478b3d56969006e015e55aaece4931f3600c1b2", + "rev": "b34a6075e9e298c4124e35c3ccaf2210c1f3a43b", "type": "github" }, "original": { @@ -182,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704194953, - "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", + "lastModified": 1704722960, + "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", + "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d", "type": "github" }, "original": { @@ -230,11 +230,11 @@ }, "nur": { "locked": { - "lastModified": 1704645857, - "narHash": "sha256-YRFry+uleoeDKs0kr039eVCN5XSCOuUbgbyKMJRXeFY=", + "lastModified": 1705110884, + "narHash": "sha256-8t8C+vYVoNsG7uv1cH/vkUHM84EkxGRoPuwk1TMXBZE=", "owner": "nix-community", "repo": "NUR", - "rev": "e72bc8a4fff841c6a131fe40471e4ae401f31096", + "rev": "075357ead2dbaf5c64120371f6a1e57d1ee23a02", "type": "github" }, "original": { @@ -266,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1704596510, - "narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=", + "lastModified": 1704908274, + "narHash": "sha256-74W9Yyomv3COGRmKi8zvyA5tL2KLiVkBeaYmYLjXyOw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a", + "rev": "c0b3a5af90fae3ba95645bbf85d2b64880addd76", "type": "github" }, "original": { diff --git a/modules/home-manager/alacritty.nix b/modules/home-manager/alacritty.nix index 9f10b00..4c79b19 100644 --- a/modules/home-manager/alacritty.nix +++ b/modules/home-manager/alacritty.nix 
@@ -26,13 +26,13 @@ in dynamic_padding = true; }; import = [ - "${config.xdg.configHome}/alacritty/catppuccin-macchiato.yml" + "${config.xdg.configHome}/alacritty/catppuccin-macchiato.toml" ]; }; }; - xdg.configFile."alacritty/catppuccin-macchiato.yml".source = builtins.fetchurl { - url = "https://raw.githubusercontent.com/catppuccin/alacritty/main/catppuccin-macchiato.yml"; - sha256 = "sha256-+m8FyPStdh1A1xMVBOkHpfcaFPcyVL99tIxHuDZ2zXI="; + xdg.configFile."alacritty/catppuccin-macchiato.toml".source = builtins.fetchurl { + url = "https://raw.githubusercontent.com/catppuccin/alacritty/main/catppuccin-macchiato.toml"; + sha256 = "sha256:1iq187vg64h4rd15b8fv210liqkbzkh8sw04ykq0hgpx20w3qilv"; }; }; } From 8aa6841249bab7a9847f673950f4a00f56475e0a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 27 Feb 2024 12:56:45 +0800 Subject: [PATCH 061/136] dolomite: add direct tuic inbound in sing-box --- machines/dolomite/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index bb91fa5..12aee75 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -164,8 +164,7 @@ protocol = "dns"; } { - geoip = "cn"; - geosite = "cn"; + inbound = "sg4"; outbound = "direct"; } ]; From 87b1468c46fef670b498fd33cc5983e381ed75e1 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 27 Feb 2024 12:58:29 +0800 Subject: [PATCH 062/136] calcite: drop copilot --- flake.lock | 60 +++++++++++++++--------------- machines/calcite/configuration.nix | 1 + modules/home-manager/vscode.nix | 1 - 3 files changed, 31 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index 2cf70b8..a982d34 100644 --- a/flake.lock +++ b/flake.lock 
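Review bot: The theme is fetched from `.../catppuccin/alacritty/main/catppuccin-macchiato.toml`, so the fixed `sha256` pins the content but not the source: whenever upstream edits the file on `main`, evaluation fails with a hash mismatch rather than picking up the change. Pin the URL to a commit or tag (e.g. `.../catppuccin/alacritty/<commit>/catppuccin-macchiato.toml`) so the URL and the hash stay consistent, and note in a comment which upstream revision the hash was taken from. The `programs.alacritty.settings` block this hunk edits starts outside the hunk.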
@@ -14,11 +14,11 @@ ] }, "locked": { - "lastModified": 1699171528, - "narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=", + "lastModified": 1706509311, + "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", "owner": "zhaofengli", "repo": "colmena", - "rev": "665603956a1c3040d756987bc7a810ffe86a3b15", + "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", "type": "github" }, "original": { @@ -64,11 +64,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "type": "github" }, "original": { @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1705104164, - "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=", + "lastModified": 1706798041, + "narHash": "sha256-BbvuF4CsVRBGRP8P+R+JUilojk0M60D7hzqE0bEvJBQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd", + "rev": "4d53427bce7bf3d17e699252fd84dc7468afc46e", "type": "github" }, "original": { @@ -104,11 +104,11 @@ ] }, "locked": { - "lastModified": 1704596958, - "narHash": "sha256-BK3Ohsz7m8X6qVKFxDtr8KVcHipfr5hYE9PDIJevHbQ=", + "lastModified": 1706411424, + "narHash": "sha256-BzziJYucEZvdCE985vjPoo3ztWcmUiSQ1wJ2CoT6jCc=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "f46800ac5a6e9f892fe36e50821c5d85794ecc62", + "rev": "c782f2a4f6fc94311ab5ef31df2f1149a1856181", "type": "github" }, "original": { 
@@ -128,11 +128,11 @@ ] }, "locked": { - "lastModified": 1705108826, - "narHash": "sha256-1xOzPcS8Zr4rqgLoaRwAcKqdCdzrBDaNwT+tiBdXf18=", + "lastModified": 1706922884, + "narHash": "sha256-38/Q57G5H6U4plhGUUNrhQHjpKh/17jyE16UU1QS5oU=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "92fd8c24719f08692c36b685de6884a20080edf0", + "rev": "d31d6462dd90873291fba89e7ccd530644347384", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1704786394, - "narHash": "sha256-aJM0ln9fMGWw1+tjyl5JZWZ3ahxAA2gw2ZpZY/hkEMs=", + "lastModified": 1706834982, + "narHash": "sha256-3CfxA7gZ+DVv/N9Pvw61bV5Oe/mWfxYPyVQGqp9TMJA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b34a6075e9e298c4124e35c3ccaf2210c1f3a43b", + "rev": "83e571bb291161682b9c3ccd48318f115143a550", "type": "github" }, "original": { @@ -182,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704722960, - "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=", + "lastModified": 1706732774, + "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d", + "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", "type": "github" }, "original": { @@ -214,11 +214,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "lastModified": 1705957679, + "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", "type": "github" }, "original": { 
@@ -230,11 +230,11 @@ }, "nur": { "locked": { - "lastModified": 1705110884, - "narHash": "sha256-8t8C+vYVoNsG7uv1cH/vkUHM84EkxGRoPuwk1TMXBZE=", + "lastModified": 1706938866, + "narHash": "sha256-iMgX+sv6dCrSjISBCbpuWKsUF3oPAeVJxaQMyOcr3n4=", "owner": "nix-community", "repo": "NUR", - "rev": "075357ead2dbaf5c64120371f6a1e57d1ee23a02", + "rev": "d81831044d87718c4ce4d268b0528dddb7758a68", "type": "github" }, "original": { @@ -266,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1704908274, - "narHash": "sha256-74W9Yyomv3COGRmKi8zvyA5tL2KLiVkBeaYmYLjXyOw=", + "lastModified": 1706410821, + "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c0b3a5af90fae3ba95645bbf85d2b64880addd76", + "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef", "type": "github" }, "original": { diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 4354bcd..e02357e 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -180,6 +180,7 @@ gnomeExtensions.search-light gnomeExtensions.tray-icons-reloaded gnome.gnome-tweaks + gnome.gnome-themes-extra gthumb oculante diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index f8c98cc..75cef07 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -55,7 +55,6 @@ in catppuccin.catppuccin-vsc # Rust rust-lang.rust-analyzer - github.copilot ]); userSettings = { "workbench.colorTheme" = "Catppuccin Macchiato"; From 40ae3cc6e2e3202a34e55945e2ceeee52054afeb Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 2 Mar 2024 18:12:53 +0800 Subject: [PATCH 063/136] bump version --- flake.lock | 56 ++++++++++++++++----------------- modules/home-manager/vscode.nix | 4 +-- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index a982d34..50b6181 100644 --- a/flake.lock +++ b/flake.lock 
@@ -64,11 +64,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", "type": "github" }, "original": { @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1706798041, - "narHash": "sha256-BbvuF4CsVRBGRP8P+R+JUilojk0M60D7hzqE0bEvJBQ=", + "lastModified": 1709204054, + "narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=", "owner": "nix-community", "repo": "home-manager", - "rev": "4d53427bce7bf3d17e699252fd84dc7468afc46e", + "rev": "2f3367769a93b226c467551315e9e270c3f78b15", "type": "github" }, "original": { @@ -104,11 +104,11 @@ ] }, "locked": { - "lastModified": 1706411424, - "narHash": "sha256-BzziJYucEZvdCE985vjPoo3ztWcmUiSQ1wJ2CoT6jCc=", + "lastModified": 1708830466, + "narHash": "sha256-nGKe3Y1/jkLR2eh1aRSVBtKadMBNv8kOnB52UXqRy6A=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "c782f2a4f6fc94311ab5ef31df2f1149a1856181", + "rev": "f070c7eeec3bde8c8c8baa9c02b6d3d5e114d73b", "type": "github" }, "original": { @@ -128,11 +128,11 @@ ] }, "locked": { - "lastModified": 1706922884, - "narHash": "sha256-38/Q57G5H6U4plhGUUNrhQHjpKh/17jyE16UU1QS5oU=", + "lastModified": 1709341970, + "narHash": "sha256-r/Xwhz4ESWGztKRBcLqi76zDZv1HeSgXEdkyOPWkluY=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "d31d6462dd90873291fba89e7ccd530644347384", + "rev": "75224309c1a5378bbee401360dbcc5e8865895e4", "type": "github" }, "original": { 
@@ -166,11 +166,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1706834982, - "narHash": "sha256-3CfxA7gZ+DVv/N9Pvw61bV5Oe/mWfxYPyVQGqp9TMJA=", + "lastModified": 1709147990, + "narHash": "sha256-vpXMWoaCtMYJ7lisJedCRhQG9BSsInEyZnnG5GfY9tQ=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "83e571bb291161682b9c3ccd48318f115143a550", + "rev": "33a97b5814d36ddd65ad678ad07ce43b1a67f159", "type": "github" }, "original": { @@ -182,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706732774, - "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", + "lastModified": 1709237383, + "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", + "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", "type": "github" }, "original": { @@ -214,27 +214,27 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", + "lastModified": 1708819810, + "narHash": "sha256-1KosU+ZFXf31GPeCBNxobZWMgHsSOJcrSFA6F2jhzdE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", + "rev": "89a2a12e6c8c6a56c72eb3589982c8e2f89c70ea", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "nixpkgs", "type": "github" } }, "nur": { "locked": { - "lastModified": 1706938866, - "narHash": "sha256-iMgX+sv6dCrSjISBCbpuWKsUF3oPAeVJxaQMyOcr3n4=", + "lastModified": 1709348332, + "narHash": "sha256-63SZlPordsga65TlNcZbLPUZU4MLGqj/jn3XFuVTE+4=", "owner": "nix-community", "repo": "NUR", - "rev": "d81831044d87718c4ce4d268b0528dddb7758a68", + "rev": "5b634d8100c7e7d3ac195e393ea5c14fb6e90db3", "type": "github" }, "original": { 
@@ -266,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1706410821, - "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=", + "lastModified": 1708987867, + "narHash": "sha256-k2lDaDWNTU5sBVHanYzjDKVDmk29RHIgdbbXu5sdzBA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef", + "rev": "a1c8de14f60924fafe13aea66b46157f0150f4cf", "type": "github" }, "original": { diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 75cef07..b8f6121 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -33,8 +33,6 @@ in # Markdown davidanson.vscode-markdownlint # C/C++ - ms-vscode.cmake-tools - twxs.cmake llvm-vs-code-extensions.vscode-clangd # Nix jnoortheen.nix-ide @@ -51,6 +49,8 @@ in ms-vscode-remote.remote-ssh-edit mushan.vscode-paste-image ]) ++ (with pkgs.vscode-extensions; [ + ms-vscode.cmake-tools + twxs.cmake waderyan.gitblame catppuccin.catppuccin-vsc # Rust From 26a11e0df092441a6d3241e4fd6fdb14c2f723b6 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 7 Mar 2024 12:03:59 +0800 Subject: [PATCH 064/136] fix: xkb options change, see nixpkgs#259891 --- machines/calcite/configuration.nix | 5 ++--- machines/calcite/hardware-configuration.nix | 5 +++++ machines/dolomite/default.nix | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index e02357e..a93f49d 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -73,8 +73,8 @@ # Configure keymap in X11 services.xserver = { - layout = "us"; - xkbVariant = ""; + xkb.layout = "us"; + xkb.variant = ""; }; # Keyboard mapping on internal keyboard services.keyd = { @@ -294,7 +294,6 @@ libvirtd.enable = true; podman = { enable = true; - enableNvidia = true; }; docker = { enable = true; 
diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index c84f41b..9ebd38d 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -49,4 +49,9 @@ enable = true; driSupport32Bit = true; }; + + hardware.nvidia = { + powerManagement.enable = true; + dynamicBoost.enable = lib.mkForce false; + }; } diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 12aee75..1599db5 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -38,7 +38,7 @@ networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); custom.prometheus = { - enable = true; + enable = false; exporters.enable = true; grafana = { enable = true; From aa230d639fd93fab13f7fda75d94ee2b3011f0b8 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 25 Mar 2024 16:26:48 +0800 Subject: [PATCH 065/136] calcite: add ssh-tpm-agent --- flake.lock | 48 +++++++++++++++--------------- flake.nix | 3 +- machines/calcite/configuration.nix | 9 +++++- modules/home-manager/git.nix | 2 +- modules/home-manager/vscode.nix | 5 ++-- modules/nixos/default.nix | 1 + modules/nixos/ssh-tpm-agent.nix | 48 ++++++++++++++++++++++++++++++ overlays/add-pkgs.nix | 10 +++++++ overlays/default.nix | 6 ++++ overlays/pkgs/ssh-tpm-agent.nix | 33 ++++++++++++++++++++ 10 files changed, 136 insertions(+), 29 deletions(-) create mode 100644 modules/nixos/ssh-tpm-agent.nix create mode 100644 overlays/add-pkgs.nix create mode 100644 overlays/default.nix create mode 100644 overlays/pkgs/ssh-tpm-agent.nix diff --git a/flake.lock b/flake.lock index 50b6181..c6047e5 100644 --- a/flake.lock +++ b/flake.lock 
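Review bot: Flipping `custom.prometheus.enable` to `false` while `exporters.enable = true;` and `grafana = { enable = true;` stay on leaves the exporters listening with no scraper, which is exposed surface (and, depending on what the custom module opens in the firewall — not visible here) bought for nothing. If no other host scrapes dolomite, turn them off in the same change, `exporters.enable = false;`; if one does, a one-line comment naming it would explain why the exporters outlive the scraper. The `custom.prometheus` attrset continues past the end of this hunk.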
@@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1709204054, - "narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=", + "lastModified": 1709764752, + "narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f3367769a93b226c467551315e9e270c3f78b15", + "rev": "cf111d1a849ddfc38e9155be029519b0e2329615", "type": "github" }, "original": { @@ -104,11 +104,11 @@ ] }, "locked": { - "lastModified": 1708830466, - "narHash": "sha256-nGKe3Y1/jkLR2eh1aRSVBtKadMBNv8kOnB52UXqRy6A=", + "lastModified": 1709708644, + "narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "f070c7eeec3bde8c8c8baa9c02b6d3d5e114d73b", + "rev": "94a1e46434736a40f976a454f8bd3ea2144f349b", "type": "github" }, "original": { @@ -128,11 +128,11 @@ ] }, "locked": { - "lastModified": 1709341970, - "narHash": "sha256-r/Xwhz4ESWGztKRBcLqi76zDZv1HeSgXEdkyOPWkluY=", + "lastModified": 1709773506, + "narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "75224309c1a5378bbee401360dbcc5e8865895e4", + "rev": "a17ea69caec11561e73c985360fb596c25f74131", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1709147990, - "narHash": "sha256-vpXMWoaCtMYJ7lisJedCRhQG9BSsInEyZnnG5GfY9tQ=", + "lastModified": 1709410583, + "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "33a97b5814d36ddd65ad678ad07ce43b1a67f159", + "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", "type": "github" }, "original": { 
@@ -182,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709237383, - "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", + "lastModified": 1709479366, + "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", + "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973", "type": "github" }, "original": { @@ -214,11 +214,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1708819810, - "narHash": "sha256-1KosU+ZFXf31GPeCBNxobZWMgHsSOJcrSFA6F2jhzdE=", + "lastModified": 1709428628, + "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "89a2a12e6c8c6a56c72eb3589982c8e2f89c70ea", + "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", "type": "github" }, "original": { @@ -230,11 +230,11 @@ }, "nur": { "locked": { - "lastModified": 1709348332, - "narHash": "sha256-63SZlPordsga65TlNcZbLPUZU4MLGqj/jn3XFuVTE+4=", + "lastModified": 1709780742, + "narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=", "owner": "nix-community", "repo": "NUR", - "rev": "5b634d8100c7e7d3ac195e393ea5c14fb6e90db3", + "rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2", "type": "github" }, "original": { @@ -266,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1708987867, - "narHash": "sha256-k2lDaDWNTU5sBVHanYzjDKVDmk29RHIgdbbXu5sdzBA=", + "lastModified": 1709711091, + "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "a1c8de14f60924fafe13aea66b46157f0150f4cf", + "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index c8182ad..f29cae9 100644 --- a/flake.nix +++ b/flake.nix @@ -169,6 +169,7 @@ nixos-hardware.nixosModules.asus-zephyrus-ga401 machines/calcite/configuration.nix (mkHome "xin" "calcite") + (./overlays) ]; }; raspite = mkNixos { 
@@ -199,7 +200,7 @@ { devShells = { default = pkgs.mkShell { - packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp ]; + packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ]; }; }; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index a93f49d..5e0b056 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = @@ -22,9 +22,16 @@ enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so pkcs11.enable = true; + # TODO: Need this until fapi-config is fixed in NixOS + pkcs11.package = pkgs.tpm2-pkcs11.override { fapiSupport = false; }; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables tctiEnvironment.enable = true; }; + services.gnome.gnome-keyring.enable = lib.mkForce false; + security.pam.services.login.enableGnomeKeyring = lib.mkForce false; + services.ssh-tpm-agent.enable = true; + + programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so"; networking.hostName = "calcite"; diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index e4b4c31..cee2e22 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix @@ -14,7 +14,7 @@ in enable = mkEnableOption "Git ssh signing"; keyFile = mkOption { type = types.str; - default = "~/.ssh/id_ed25519_sk"; + default = "~/.ssh/id.pub"; }; }; }; diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index b8f6121..f164de4 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix 
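Review bot: The allowlist on the last added line, `programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so"`, spells the provider `libtpm_pkcs11.so`, while the comment a few lines earlier in the same hunk says tpm2-pkcs11 exposes `libtpm2_pkcs11.so`; ssh-agent's `-P` list is a path pattern match, so a pattern that never matches makes `ssh-add -s` refuse the provider, and the usual reaction is to widen the allowlist to `*` rather than fix the name. It should read `programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm2_pkcs11.so";`. The two `lib.mkForce false` lines for gnome-keyring are presumably there so it does not take over `SSH_AUTH_SOCK` from the TPM agent; a comment saying so, `# keep gnome-keyring from overriding SSH_AUTH_SOCK; ssh-tpm-agent owns it`, would stop the next person from re-enabling it. The enclosing attrset starts before this hunk.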
@@ -44,13 +44,14 @@ in scala-lang.scala scalameta.metals + (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) + twxs.cmake + sterben.fpga-support ms-vscode-remote.remote-ssh-edit mushan.vscode-paste-image ]) ++ (with pkgs.vscode-extensions; [ - ms-vscode.cmake-tools - twxs.cmake waderyan.gitblame catppuccin.catppuccin-vsc # Rust diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 3ba4a9b..1a6a520 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -7,5 +7,6 @@ ./hedgedoc.nix ./sing-box.nix ./kanidm-client.nix + ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge ]; } diff --git a/modules/nixos/ssh-tpm-agent.nix b/modules/nixos/ssh-tpm-agent.nix new file mode 100644 index 0000000..f368c46 --- /dev/null +++ b/modules/nixos/ssh-tpm-agent.nix 
@@ -0,0 +1,48 @@
+# Temporary workaround
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.ssh-tpm-agent;
+in
+{
+ options = {
+ services.ssh-tpm-agent.enable = lib.mkEnableOption "TPM supported ssh agent in go";
+ };
+ config = lib.mkIf cfg.enable {
+ systemd.user.services.ssh-tpm-agent = {
+ enable = true;
+ unitConfig = {
+ Description = "SSH TPM agent service";
+ Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)";
+ Requires = "ssh-tpm-agent.socket";
+ ConditionEnvironment = "!SSH_AGENT_PID";
+ };
+ serviceConfig = {
+ Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.socket";
+ ExecStart = "${pkgs.ssh-tpm-agent}/bin/ssh-tpm-agent";
+ PassEnvironment = "SSH_AGENT_PID";
+ SuccessExitStatus = 2;
+ Type = "simple";
+ };
+ wants = [ "ssh-tpm-agent.socket" ];
+ };
+
+ systemd.user.sockets.ssh-tpm-agent = {
+ enable = true;
+ description = "SSH TPM agent socket";
+ socketConfig = {
+ ListenStream = "%t/ssh-tpm-agent.sock";
+ SocketMode = "0600";
+ Service = "ssh-tpm-agent.service";
+ };
+
+ wantedBy = [ "sockets.target" ];
+ };
+
+ environment = {
+ systemPackages = [ pkgs.ssh-tpm-agent ];
+ extraInit = ''
+ export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-tpm-agent.sock"
+ '';
+ };
+ };
+}
diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix
new file mode 100644
index 0000000..2a8aa2f
--- /dev/null
+++ b/overlays/add-pkgs.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+
+{
+ nixpkgs.overlays = [
+ (self: super: {
+ ssh-tpm-agent =
+ pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { };
+ })
+ ];
+}
diff --git a/overlays/default.nix b/overlays/default.nix
new file mode 100644
index 0000000..de8ee08
--- /dev/null
+++ b/overlays/default.nix
@@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ ./add-pkgs.nix
+ ];
+}
diff --git a/overlays/pkgs/ssh-tpm-agent.nix b/overlays/pkgs/ssh-tpm-agent.nix
new file mode 100644
index 0000000..0f960fc
--- /dev/null
+++ b/overlays/pkgs/ssh-tpm-agent.nix
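Review bot: The service's `Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.socket"` names a path nothing listens on — the socket unit binds `ListenStream = "%t/ssh-tpm-agent.sock"` and `extraInit` exports the `.sock` spelling as well. Because the unit is socket-activated the agent presumably takes its listener from systemd and never reads this variable, so the mismatch only affects anything the unit itself spawns, but the three spellings should agree: `Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.sock";`. `SocketMode = "0600"` on a per-user socket under `%t` is the right restriction and worth a short comment so it is not loosened later. The `# Temporary workaround` header would be more useful as `# Temporary copy of upstream's user units until the nixpkgs ssh-tpm-agent module lands; remove with the FIXME in default.nix`.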
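Review bot: Inside the overlay, `ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { };` reaches back into the module-argument `pkgs` and leaves the overlay's own `self`/`super` unused; the overlay idiom is `ssh-tpm-agent = self.callPackage ./pkgs/ssh-tpm-agent.nix { };`, which resolves the package's inputs through the final overlaid set without depending on how the module system wires `pkgs`. `config` and `lib` in the module header are unused here too.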
@@ -0,0 +1,33 @@ +{ lib +, buildGo122Module +, fetchFromGitHub +, openssl +}: + +buildGo122Module rec { + pname = "ssh-tpm-agent"; + version = "0.3.1"; + + src = fetchFromGitHub { + owner = "Foxboron"; + repo = "ssh-tpm-agent"; + rev = "v${version}"; + hash = "sha256-8CGSiCOcns4cWkYWqibs6hAFRipYabKPCpkhxF4OE8w="; + }; + + proxyVendor = true; + + vendorHash = "sha256-zUAIesBeuh1zlxXcjKSNmMawZGgUr9z3NzT0XKn/YCQ="; + + buildInputs = [ + openssl + ]; + + meta = with lib; { + description = "SSH agent with support for TPM sealed keys for public key authentication"; + homepage = "https://github.com/Foxboron/ssh-agent-tpm"; + license = licenses.mit; + platforms = platforms.linux; + maintainers = with maintainers; [ sgo ]; + }; +} From c6a1982ede092384e667aab50ae098eaf2d2dd7b Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 26 Mar 2024 01:56:59 +0800 Subject: [PATCH 066/136] calcite: use as forgejo runner --- machines/calcite/configuration.nix | 6 + machines/calcite/secrets.yaml | 5 +- modules/home-manager/git.nix | 2 +- modules/nixos/default.nix | 1 + modules/nixos/forgejo-actions-runner.nix | 34 ++++++ oci-images/nix-ci-base/flake.lock | 134 +++++++++++++++++++++++ oci-images/nix-ci-base/flake.nix | 68 ++++++++++++ 7 files changed, 247 insertions(+), 3 deletions(-) create mode 100644 modules/nixos/forgejo-actions-runner.nix create mode 100644 oci-images/nix-ci-base/flake.lock create mode 100644 oci-images/nix-ci-base/flake.nix diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 5e0b056..f906f3b 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix 
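Review bot: `homepage = "https://github.com/Foxboron/ssh-agent-tpm"` does not match the source the derivation actually fetches (`repo = "ssh-tpm-agent"`), so the metadata points at a repository other than the one whose hash is pinned; it should be `homepage = "https://github.com/Foxboron/ssh-tpm-agent";`. Pinning both `hash` and `vendorHash` for a binary that handles SSH keys is the right call; `maintainers = with maintainers; [ sgo ]` is copied from the nixpkgs expression and is misleading in a private overlay — drop it or name the actual owner.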
@@ -259,11 +259,17 @@ owner = "root"; sopsFile = ./secrets.yaml; }; + gitea_env = { + owner = "root"; + sopsFile = ./secrets.yaml; + }; }; custom.restic.enable = true; custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path; custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path; + custom.forgejo-actions-runner.enable = true; + custom.forgejo-actions-runner.tokenFile = config.sops.secrets.gitea_env.path; # MTP support services.gvfs.enable = true; diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index 90312d4..80381ef 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml @@ -1,6 +1,7 @@ restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str] +gitea_env: ENC[AES256_GCM,data:hENSYBo2Zp9s+dVv9CHkf1kDqa+AU5XQFUWfww/rwGqFeZW0aouHMSxdW7ORU2o=,iv:KmqU1VnZ6LeIflBJ2hyTvLDPN/CSdqyBd2600xIVSNQ=,tag:DkwVTLuYJG6kEzl5dyV8pw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -25,8 +26,8 @@ sops: WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-07T16:18:51Z" - mac: ENC[AES256_GCM,data:lBbtSYZ/UxBPBVVa6Bg0NiZxhFcjEREGBPEgCZau+C9aMQcMJp4s+SPKRaBDGuf2ee95pwuyYOb6M9Jr9dQxRAoAubgyaxAXUrC6U5Q8+VlKxMdvfBNJ5m8OGbkwHACrjkaWTRfHB8rPMH/yuIuuSZl8AB1m2GcT8uoluTsCMGo=,iv:FmFLPhoaR/YAVEJhQIhoUrZGX4p+fw/iCf1BN+NdX/U=,tag:/rZTAt20hd9LretuOHhTbQ==,type:str] + lastmodified: "2024-03-25T13:44:27Z" + mac: ENC[AES256_GCM,data:RPm7Y6R19Ygs2tptgQNap4AMZ2PgRwigGXVMpNcBT94L1YJoSGaJUDwukqHuzHGPvOqMZaEMIlorWQ5Ou7MSVhWZE2V8IsRCC5IWqcFI1FQjKc9WcImuIXPILKwCX+ScWrzbSmV0iYWxbeXTPU77pW4kAB7n4w/9CZfMP8BJcOw=,iv:sS0ttKYmaulWAY99awyBGCNpGxg8F0QCxeVmI2LbvP8=,tag:Av8VRPEmyeVV31S59sfPYA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index cee2e22..e198c0b 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix @@ -14,7 +14,7 @@ in enable = mkEnableOption "Git ssh signing"; keyFile = mkOption { type = types.str; - default = "~/.ssh/id.pub"; + default = "~/.ssh/id_ecdsa.pub"; }; }; }; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 1a6a520..a19ba87 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -8,5 +8,6 @@ ./sing-box.nix ./kanidm-client.nix ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge + ./forgejo-actions-runner.nix ]; } diff --git a/modules/nixos/forgejo-actions-runner.nix b/modules/nixos/forgejo-actions-runner.nix new file mode 100644 index 0000000..5b76c69 --- /dev/null +++ b/modules/nixos/forgejo-actions-runner.nix 
@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.custom.forgejo-actions-runner;
+in
+{
+ options = {
+ custom.forgejo-actions-runner = {
+ enable = lib.mkEnableOption "TPM supported ssh agent in go";
+ tokenFile = lib.mkOption {
+ type = lib.types.path;
+ };
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ virtualisation.docker.enable = true;
+ services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
+ services.gitea-actions-runner.instances = {
+ "git.xinyang.life" = {
+ enable = true;
+ url = "https://git.xinyang.life";
+ tokenFile = cfg.tokenFile;
+ name = config.networking.hostName;
+ labels = [
+ "debian-latest:docker://node:18-bullseye"
+ "ubuntu-latest:docker://node:18-bullseye"
+ "nix:docker://xiny/nix-runner:2.21.0-pkgs-23.11"
+ ];
+ settings = {
+ container.network = "host";
+ };
+ };
+ };
+ };
+}
diff --git a/oci-images/nix-ci-base/flake.lock b/oci-images/nix-ci-base/flake.lock
new file mode 100644
index 0000000..82fcde6
--- /dev/null
+++ b/oci-images/nix-ci-base/flake.lock
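Review bot: `container.network = "host"` places every job container from git.xinyang.life in the host's network namespace, so workflow code from any repository this runner serves can reach whatever listens on this machine's loopback and LAN interfaces — and from the surrounding configuration calcite appears to be a personal workstation rather than a dedicated CI box. Unless a job genuinely needs host networking, keep Docker's default bridge network by dropping that line (`settings = { };`), or at least restrict the runner to repositories you control. `enable = lib.mkEnableOption "TPM supported ssh agent in go";` is copy-pasted from the ssh-tpm-agent module and should describe this option, e.g. `lib.mkEnableOption "Forgejo actions runner registered with git.xinyang.life"`. `tokenFile` also deserves a `description` noting it is a runner registration token (a secret) and should point at a sops-managed path.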
@@ -0,0 +1,134 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "libgit2": { + "flake": false, + "locked": { + "lastModified": 1697646580, + "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=", + "owner": "libgit2", + "repo": "libgit2", + "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5", + "type": "github" + }, + "original": { + "owner": "libgit2", + "repo": "libgit2", + "type": "github" + } + }, + "nix": { + "inputs": { + "flake-compat": "flake-compat", + "libgit2": "libgit2", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-regression": "nixpkgs-regression" + }, + "locked": { + "lastModified": 1710178469, + "narHash": "sha256-9b9qJ+7rGjLKbIswMf0/2pgUWH/xOlYLk7P4WYNcGDs=", + "owner": "nixos", + "repo": "nix", + "rev": "34807c8906a61219ec2e9132c9cf0bd4d29e1d12", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "2.21.0", + "repo": "nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1711124224, + "narHash": "sha256-l0zlN/3CiodvWDtfBOVxeTwYSRz93muVbXWSpaMjXxM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "56528ee42526794d413d6f244648aaee4a7b56c0", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + 
"nixpkgs-regression": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nix": "nix", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/oci-images/nix-ci-base/flake.nix b/oci-images/nix-ci-base/flake.nix new file mode 100644 index 0000000..56bba4f --- /dev/null +++ b/oci-images/nix-ci-base/flake.nix 
@@ -0,0 +1,68 @@ +{ + inputs = { + nix.url = "github:/nixos/nix?ref=2.21.0"; + nix.inputs.nixpkgs.follows = "nixpkgs"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; + flake-utils.url = "github:numtide/flake-utils"; + }; + + outputs = { + self, + flake-utils, + nix, + nixpkgs, + ... + }: + flake-utils.lib.eachDefaultSystem (system: let + pkgs = (import nixpkgs) { + inherit system; + }; + lib = pkgs.lib; + in rec { + packages = rec { + # a modified version of the nixos/nix image + # re-using the upstream nix docker image generation code + base = import (nix + "/docker.nix") { + inherit pkgs; + name = "nix-ci-base"; + maxLayers = 10; + extraPkgs = with pkgs; [ + nodejs_20 # nodejs is needed for running most 3rdparty actions + # add any other pre-installed packages here + ]; + # change this is you want + channelURL = "https://nixos.org/channels/nixpkgs-23.11"; + nixConf = { + substituters = [ + "https://mirrors.bfsu.edu.cn/nix-channels/store" + "https://mirrors.ustc.edu.cn/nix-channels/store" + "https://cache.nixos.org/" + + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + # allow using the new flake commands in our workflows + experimental-features = ["nix-command" "flakes"]; + }; + }; + # make /bin/sleep available on the image + runner = pkgs.dockerTools.buildImage { + name = "nix-runner"; + tag = "2.21.0-pkgs-23.11"; + + fromImage = base; + fromImageName = null; + fromImageTag = "latest"; + + copyToRoot = pkgs.buildEnv { + name = "image-root"; + paths = [pkgs.coreutils-full]; + pathsToLink = ["/bin"]; # add coreutuls (which includes sleep) to /bin + }; + }; + }; + }); +} From dd077d98e2bb915469a48b0eefdf09c92f2cf1e0 Mon Sep 17 00:00:00 2001 
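Review bot: The two university mirrors sit ahead of `https://cache.nixos.org/` in `substituters` while `trusted-public-keys` stays limited to the cache.nixos.org and nix-community keys; that is the right arrangement — as far as I know the mirrors relay cache.nixos.org's signed narinfos, so integrity still rests on the upstream signature — but it is exactly the setup that gets "fixed" by adding a mirror's own key the first time a fetch fails. A comment above the list would pin the intent: `# mirrors relay cache.nixos.org content; never add their keys, signatures must still verify against cache.nixos.org-1`. The `nixConf` attrset is the only place trust is configured for the image, so it is worth saying so there.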
From: xinyangli Date: Wed, 27 Mar 2024 16:13:21 +0800 Subject: [PATCH 067/136] pkgs: add wechat-uos (not merged by nixpkgs yet) --- machines/calcite/configuration.nix | 1 + oci-images/nix-ci-base/flake.nix | 2 + overlays/add-pkgs.nix | 4 +- overlays/pkgs/wechat-uos.nix | 239 +++++++++++++++++++++++++++++ 4 files changed, 244 insertions(+), 2 deletions(-) create mode 100644 overlays/pkgs/wechat-uos.nix diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index f906f3b..c31ce3e 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -203,6 +203,7 @@ element-desktop tdesktop qq + wechat-uos # Password manager bitwarden diff --git a/oci-images/nix-ci-base/flake.nix b/oci-images/nix-ci-base/flake.nix index 56bba4f..b45cd9f 100644 --- a/oci-images/nix-ci-base/flake.nix +++ b/oci-images/nix-ci-base/flake.nix @@ -40,6 +40,8 @@ "https://nix-community.cachix.org" ]; + accept-flake-config = "true"; + log-lines = "300"; trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix index 2a8aa2f..5759252 100644 --- a/overlays/add-pkgs.nix +++ b/overlays/add-pkgs.nix @@ -3,8 +3,8 @@ { nixpkgs.overlays = [ (self: super: { - ssh-tpm-agent = - pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { }; + ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { }; + wechat-uos = pkgs.callPackage ./pkgs/wechat-uos.nix { }; }) ]; } diff --git a/overlays/pkgs/wechat-uos.nix b/overlays/pkgs/wechat-uos.nix new file mode 100644 index 0000000..83d3cfd --- /dev/null +++ b/overlays/pkgs/wechat-uos.nix 
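Review bot: `accept-flake-config = "true"` tells nix inside the CI image to adopt any `nixConfig` block from a flake it evaluates without prompting, and since nix in this image presumably runs as root (a trusted user) that includes `substituters`, `trusted-public-keys` and `extra-sandbox-paths`; a pull request's flake.nix can therefore point the builder at an attacker-controlled cache and key and have those outputs accepted as if built locally, which is why nix itself warns when this setting is on. Remove the line and keep caches fixed in this nixConf, or pass `--accept-flake-config` only in workflows of repositories whose flake.nix you control. `log-lines = "300"` is harmless. The `nixConf` attrset starts and ends outside this hunk.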
@@ -0,0 +1,239 @@ +{ stdenvNoCC +, stdenv +, lib +, fetchurl +, requireFile +, dpkg +, nss +, nspr +, xorg +, pango +, zlib +, atkmm +, libdrm +, libxkbcommon +, xcbutilwm +, xcbutilimage +, xcbutilkeysyms +, xcbutilrenderutil +, mesa +, alsa-lib +, wayland +, openssl_1_1 +, atk +, qt6 +, at-spi2-atk +, at-spi2-core +, dbus +, cups +, gtk3 +, libxml2 +, cairo +, freetype +, fontconfig +, vulkan-loader +, gdk-pixbuf +, libexif +, ffmpeg +, pulseaudio +, systemd +, libuuid +, expat +, bzip2 +, glib +, libva +, libGL +, libnotify +, buildFHSEnv +, writeShellScript +, /** + License for wechat-uos, packed in a gz archive named "license.tar.gz". + It should have the following files: + license.tar.gz + ├── etc + │ ├── lsb-release + │ └── os-release + └── var + ├── lib + │ └── uos-license + │ └── .license.json + └── uos + └── .license.key + */ + uosLicense ? requireFile { + name = "license.tar.gz"; + url = "https://www.uniontech.com"; + sha256 = "53760079c1a5b58f2fa3d5effe1ed35239590b288841d812229ef4e55b2dbd69"; + } +}: +let + wechat-uos-env = stdenvNoCC.mkDerivation { + meta.priority = 1; + name = "wechat-uos-env"; + buildCommand = '' + mkdir -p $out/etc + mkdir -p $out/lib/license + mkdir -p $out/usr/bin + mkdir -p $out/usr/share + mkdir -p $out/opt + mkdir -p $out/var + ln -s ${wechat}/opt/* $out/opt/ + ln -s ${wechat}/usr/lib/wechat-uos/license/etc/os-release $out/etc/os-release + ln -s ${wechat}/usr/lib/wechat-uos/license/etc/lsb-release $out/etc/lsb-release + ln -s ${wechat}/usr/lib/wechat-uos/license/var/* $out/var/ + ln -s ${wechat}/usr/lib/wechat-uos/license/libuosdevicea.so $out/lib/license/ + ''; + preferLocalBuild = true; + }; + + wechat-uos-runtime = with xorg; [ + stdenv.cc.cc + stdenv.cc.libc + pango + zlib + xcbutilwm + xcbutilimage + xcbutilkeysyms + xcbutilrenderutil + libX11 + libXt + libXext + libSM + libICE + libxcb + libxkbcommon + libxshmfence + libXi + libXft + libXcursor + libXfixes + libXScrnSaver + libXcomposite + libXdamage + libXtst + libXrandr 
+ libnotify + atk + atkmm + cairo + at-spi2-atk + at-spi2-core + alsa-lib + dbus + cups + gtk3 + gdk-pixbuf + libexif + ffmpeg + libva + freetype + fontconfig + libXrender + libuuid + expat + glib + nss + nspr + libGL + libxml2 + pango + libdrm + mesa + vulkan-loader + systemd + wayland + pulseaudio + qt6.qt5compat + openssl_1_1 + bzip2 + ]; + + wechat = stdenvNoCC.mkDerivation + rec { + pname = "wechat-uos"; + version = "1.0.0.238"; + + src = { + x86_64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_amd64.deb"; + hash = "sha256-NxAmZ526JaAzAjtAd9xScFnZBuwD6i2wX2/AEqtAyWs="; + }; + aarch64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_arm64.deb"; + hash = "sha256-3ru6KyBYXiuAlZuWhyyvtQCWbOJhGYzker3FS0788RE="; + }; + loongarch64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_loongarch64.deb"; + hash = "sha256-iuJeLMKD6v8J8iKw3+cyODN7PZQrLpi9p0//mkI0ujE="; + }; + }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported."); + + # Don't blame about this. 
WeChat requires some binary from here to work properly + uosSrc = { + x86_64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_amd64.deb"; + hash = "sha256-vVN7w+oPXNTMJ/g1Rpw/AVLIytMXI+gLieNuddyyIYE="; + }; + aarch64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_arm64.deb"; + hash = "sha256-XvGFPYJlsYPqRyDycrBGzQdXn/5Da1AJP5LgRVY1pzI="; + }; + loongarch64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_loongarch64.deb"; + hash = "sha256-oa6rLE6QXMCPlbebto9Tv7xT3fFqYIlXL6WHpB2U35s="; + }; + }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported."); + + inherit uosLicense; + + nativeBuildInputs = [ dpkg ]; + + unpackPhase = '' + runHook preUnpack + dpkg -x $src ./wechat-uos + dpkg -x $uosSrc ./wechat-uos-old-source + tar -xvf $uosLicense + runHook postUnpack + ''; + + installPhase = '' + runHook preInstall + mkdir -p $out + cp -r wechat-uos/* $out + mkdir -pv $out/usr/lib/wechat-uos/license + cp -r license/* $out/usr/lib/wechat-uos/license + cp -r wechat-uos-old-source/usr/lib/license/libuosdevicea.so $out/usr/lib/wechat-uos/license/ + runHook postInstall + ''; + + meta = with lib; { + description = "Messaging app"; + homepage = "https://weixin.qq.com/"; + license = licenses.unfree; + platforms = [ "x86_64-linux" "aarch64-linux" "loongarch64-linux" ]; + sourceProvenance = with sourceTypes; [ binaryNativeCode ]; + maintainers = with maintainers; [ pokon548 ]; + mainProgram = "wechat-uos"; + }; + }; +in +buildFHSEnv { + inherit (wechat) name meta; + runScript = writeShellScript "wechat-uos-launcher" '' + export QT_QPA_PLATFORM=xcb + export LD_LIBRARY_PATH=${lib.makeLibraryPath wechat-uos-runtime} + ${wechat.outPath}/opt/apps/com.tencent.wechat/files/wechat + ''; + 
extraInstallCommands = '' + mkdir -p $out/share/applications + mkdir -p $out/share/icons + cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/applications/com.tencent.wechat.desktop $out/share/applications + cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/icons/* $out/share/icons/ + mv $out/bin/$name $out/bin/wechat-uos + substituteInPlace $out/share/applications/com.tencent.wechat.desktop \ + --replace-quiet 'Exec=/usr/bin/wechat' "Exec=$out/bin/wechat-uos --" + ''; + targetPkgs = pkgs: [ wechat-uos-env ]; + + extraOutputsToInstall = [ "usr" "var/lib/uos" "var/uos" "etc" ]; +} From af11897dda1844c23129f550348fa52b2a9ffced Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 16 Apr 2024 15:53:02 +0800 Subject: [PATCH 068/136] home-manager: refactor vscode module, seperate language settings --- modules/home-manager/vscode.nix | 237 ++++++++++++++++---------------- 1 file changed, 122 insertions(+), 115 deletions(-) diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index f164de4..ef5f45a 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix 
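Review bot: `openssl_1_1` in `wechat-uos-runtime` is end-of-life upstream (no security fixes since September 2023) and, as far as I know, carries `knownVulnerabilities` in nixpkgs, so this build will need a `permittedInsecurePackages` entry and every process in the FHS env inherits the unpatched library through the global `LD_LIBRARY_PATH` set in `wechat-uos-launcher`. The prebuilt binary presumably requires it, so rather than removing it, document the tradeoff inline: `openssl_1_1 # EOL, unpatched; required by the prebuilt WeChat binary and exposed to the whole FHS env via LD_LIBRARY_PATH`. A comment on `uosSrc` saying `libuosdevicea.so` is taken from the older `com.tencent.weixin_2.1.5` deb only because the current package lacks it would also help, and it is worth stating that the pinned `hash`/`sha256` values on the three debs and the license tarball are the only integrity check these vendor blobs get.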
@@ -3,62 +3,139 @@ with lib; let cfg = config.custom-hm.vscode; + + packages = { + nixPackages = { + systemPackages = with pkgs; [ nixd nixpkgs-fmt ]; + extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + jnoortheen.nix-ide + ]; + settings = { + "nix.enableLanguageServer" = true; + "nix.formatterPath" = "nixpkgs-fmt"; + "nix.serverPath" = "nixd"; + }; + }; + cxxPackages = { + systemPackages = with pkgs; [ clang-tools ]; + extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + llvm-vs-code-extensions.vscode-clangd + (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) + twxs.cmake + ]; + settings = { + "cmake.configureOnEdit" = false; + "cmake.showOptionsMovedNotification" = false; + "cmake.showNotAllDocumentsSavedQuestion" = false; + }; + }; + pythonPackages = { + systemPackages = with pkgs; [ ]; + extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + ms-python.python + ]; + settings = { }; + }; + scalaPackages = { + systemPackages = with pkgs; [ ]; + extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + scala-lang.scala + scalameta.metals + ]; + settings = { }; + }; + latexPackages = { + systemPackages = with pkgs; [ texliveSmall ]; + extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + james-yu.latex-workshop + ]; + settings = { + "latex-workshop.latex.autoBuild.run" = "never"; + "latex-workshop.latex.tools" = [ + { "name" = "xelatex"; + "command" = "xelatex"; + "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-pdf" "%DOCFILE%" ]; + } + { "name" = "pdflatex"; + "command" = "pdflatex"; + "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; + } + { "name" = "bibtex"; "command" = "bibtex"; "args" = [ "%DOCFILE%" ]; } + ]; + "latex-workshop.latex.recipes" = [ + { "name" = "xelatex"; 
"tools" = [ "xelatex" ]; } + { "name" = "pdflatex"; "tools" = [ "pdflatex" ]; } + { "name" = "xe->bib->xe->xe"; "tools" = [ "xelatex" "bibtex" "xelatex" "xelatex" ]; } + { "name" = "pdf->bib->pdf->pdf"; "tools" = [ "pdflatex" "bibtex" "pdflatex" "pdflatex" ]; } + ]; + "[latex]" = { + "editor.formatOnPaste" = false; + "editor.suggestSelection" = "recentlyusedbyprefix"; + "editor.wordWrap" = "bounded"; + "editor.wordWrapColumn" = 80; + "editor.unicodeHighlight.ambiguousCharacters" = false; + }; + }; + }; + }; + + languages = [ "nix" "cxx" "python" "scala" "latex" ]; + zipAttrsWithLanguageOption = (attr: + (map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages) + ); in { options.custom-hm.vscode = { enable = mkEnableOption "Vscode config"; + languages = { + nix = mkOption { + type = lib.types.bool; + default = true; + }; + cxx = mkEnableOption "C++"; + python = mkEnableOption "Python"; + scala = mkEnableOption "Scala"; + latex = mkEnableOption "Latex"; + }; }; config = mkIf cfg.enable { - home.packages = with pkgs; [ - pkgs.wl-clipboard-x11 - ]; + home.packages = lib.mkMerge ([ + [ pkgs.clang-tools ] + ] ++ zipAttrsWithLanguageOption "systemPackages"); programs.vscode = { enable = true; enableUpdateCheck = false; enableExtensionUpdateCheck = false; mutableExtensionsDir = false; - extensions = (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ - mkhl.direnv + extensions = lib.mkMerge ([ + (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + mkhl.direnv - bbenoist.nix - ms-azuretools.vscode-docker - ms-vscode-remote.remote-ssh - vscodevim.vim - github.vscode-pull-request-github - gruntfuggly.todo-tree # todo highlight + ms-azuretools.vscode-docker + ms-vscode-remote.remote-ssh + vscodevim.vim + github.vscode-pull-request-github + gruntfuggly.todo-tree # todo highlight - # Language support - # Python - ms-python.python - # Markdown - davidanson.vscode-markdownlint - # C/C++ - 
llvm-vs-code-extensions.vscode-clangd - # Nix - jnoortheen.nix-ide - # Latex - james-yu.latex-workshop - # Vue - vue.volar - # Scale / chisel - scala-lang.scala - scalameta.metals + # Markdown + davidanson.vscode-markdownlint + # Latex + # Scale / chisel + sterben.fpga-support - (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) - twxs.cmake - - sterben.fpga-support - - ms-vscode-remote.remote-ssh-edit - mushan.vscode-paste-image - ]) ++ (with pkgs.vscode-extensions; [ - waderyan.gitblame - catppuccin.catppuccin-vsc - # Rust - rust-lang.rust-analyzer - ]); - userSettings = { - "workbench.colorTheme" = "Catppuccin Macchiato"; + ms-vscode-remote.remote-ssh-edit + mushan.vscode-paste-image + ]) + (with pkgs.vscode-extensions; [ + waderyan.gitblame + catppuccin.catppuccin-vsc + # Rust + rust-lang.rust-analyzer + # ]) ++ ; + ]) + ] ++ zipAttrsWithLanguageOption "extension"); + userSettings = lib.mkMerge ([ + {"workbench.colorTheme" = "Catppuccin Macchiato"; "terminal.integrated.sendKeybindingsToShell" = true; "extensions.ignoreRecommendations" = true; "files.autoSave" = "afterDelay"; 
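Review bot: `home.packages = lib.mkMerge ([ [ pkgs.clang-tools ] ] ++ zipAttrsWithLanguageOption "systemPackages");` installs clang-tools unconditionally, while the same package is already listed in `cxxPackages.systemPackages` behind the new `languages.cxx` switch, so the switch has no effect for it; the unconditional list looks like a leftover from the removed `pkgs.wl-clipboard-x11` entry and should be `[ ]` (or the clipboard package, if its removal was not intended). The language settings also point VS Code at tools by bare name — `"nix.serverPath" = "nixd"` and `"nix.formatterPath" = "nixpkgs-fmt"` — which resolves through whatever PATH the editor is launched with rather than the packages this module installs; `"nix.serverPath" = "${pkgs.nixd}/bin/nixd"` and `"nix.formatterPath" = "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt"` bind the settings to the same derivations. The stray `# ]) ++ ;` comment left in the extensions list should go as well.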
@@ -70,80 +147,10 @@ in "git.autofetch" = false; "window.zoomLevel" = -1; - "nix.enableLanguageServer" = true; - - "latex-workshop.latex.autoBuild.run" = "never"; - "latex-workshop.latex.tools" = [ - { - "name" = "xelatex"; - "command" = "xelatex"; - "args" = [ - "-synctex=1" - "-interaction=nonstopmode" - "-file-line-error" - "-pdf" - "%DOCFILE%" - ]; - } - { - "name" = "pdflatex"; - "command" = "pdflatex"; - "args" = [ - "-synctex=1" - "-interaction=nonstopmode" - "-file-line-error" - "%DOCFILE%" - ]; - } - { - "name" = "bibtex"; - "command" = "bibtex"; - "args" = [ - "%DOCFILE%" - ]; - } - ]; - "latex-workshop.latex.recipes" = [ - { - "name" = "xelatex"; - "tools" = [ - "xelatex" - ]; - } - { - "name" = "pdflatex"; - "tools" = [ - "pdflatex" - ]; - } - { - "name" = "xe->bib->xe->xe"; - "tools" = [ - "xelatex" - "bibtex" - "xelatex" - "xelatex" - ]; - } - { - "name" = "pdf->bib->pdf->pdf"; - "tools" = [ - "pdflatex" - "bibtex" - "pdflatex" - "pdflatex" - ]; - } - ]; - "[latex]" = { - "editor.formatOnPaste" = false; - "editor.suggestSelection" = "recentlyusedbyprefix"; - "editor.wordWrap" = "bounded"; - "editor.wordWrapColumn" = 80; - "editor.unicodeHighlight.ambiguousCharacters" = false; + "extensions.experimental.affinity" = { + "vscodevim.vim" = 1; }; - "cmake.configureOnEdit" = false; - }; + }] ++ zipAttrsWithLanguageOption "settings"); }; }; } From d2013a50d43c2f9d1d134aeb0594ecf4c0d69971 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Tue, 16 Apr 2024 16:48:56 +0800 Subject: [PATCH 069/136] dolomite: bandwagon support --- .sops.yaml | 7 +++++ machines/dolomite/bandwagon.nix | 38 ++++++++++++++++++++++++++++ machines/dolomite/default.nix | 14 +++++++--- machines/dolomite/lightsail.nix | 13 ++++++++++ machines/dolomite/secrets/la-00.yaml | 31 +++++++++++++++++++++++ 5 files changed, 99 insertions(+), 4 deletions(-) create mode 100644 machines/dolomite/bandwagon.nix create mode 100644 machines/dolomite/lightsail.nix create mode 100644 machines/dolomite/secrets/la-00.yaml diff --git a/.sops.yaml b/.sops.yaml index dac73f2..4c42092 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - &host-sgp-00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta creation_rules: - path_regex: machines/calcite/secrets.yaml @@ -31,6 +32,11 @@ creation_rules: - age: - *xin - *host-tok-00 + - path_regex: machines/dolomite/secrets/la-00.yaml + key_groups: + - age: + - *xin + - *host-la-00 - path_regex: machines/secrets.yaml key_groups: - age: @@ -39,6 +45,7 @@ creation_rules: - *host-raspite - *host-sgp-00 - *host-tok-00 + - *host-la-00 - *host-massicot - path_regex: home/xin/secrets.yaml key_groups: diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix new file mode 100644 index 0000000..853f8d8 --- /dev/null +++ b/machines/dolomite/bandwagon.nix 
@@ -0,0 +1,38 @@
+{ config, lib, pkgs, modulesPath, ... }:
+let
+ cfg = config.isBandwagon;
+in
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+
+ options = {
+ isBandwagon = lib.mkEnableOption "Bandwagon instance";
+ };
+
+ config = lib.mkIf cfg.isBandwagon {
+ boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/NIXROOT";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-label/NIXBOOT";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ boot.loader.grub.enable = lib.mkForce true;
+ boot.loader.grub.version = lib.mkForce 2;
+ boot.loader.grub.device = lib.mkForce "/dev/sda";
+ networking.useDHCP = false;
+ networking.interfaces.ens18.useDHCP = true;
+ networking.interfaces.ens19.useDHCP = true;
+ };
+}
diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix
index 1599db5..15f7e2e 100644
--- a/machines/dolomite/default.nix
+++ b/machines/dolomite/default.nix
@@ -1,12 +1,19 @@ { inputs, config, pkgs, lib, modulesPath, ... }: +let + awsHosts = [ "sgp-00" "tok-00 "]; + bwgHosts = [ "la-00" ]; +in { imports = [ ../sops.nix - "${modulesPath}/virtualisation/amazon-image.nix" + ./bandwagon.nix + ./lightsail.nix ]; config = { + isBandwagon = builtins.elem config.networking.hostName bwgHosts; + isLightsail = builtins.elem config.networking.hostName awsHosts; sops = { secrets = { wg_private_key = {
@@ -19,7 +26,6 @@
 };
 };
 };
- boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
 boot.kernel.sysctl = {
 "net.core.default_qdisc" = "fq";
 "net.ipv4.tcp_congestion_control" = "bbr";
@@ -39,9 +45,9 @@ custom.prometheus = { enable = false; - exporters.enable = true; + exporters.enable = false; grafana = { - enable = true; + enable = false; password_file = config.sops.secrets.grafana_cloud_api.path; }; };
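Review bot: `config = lib.mkIf cfg.isBandwagon {` selects an attribute from a boolean — `cfg` is bound to `config.isBandwagon` a few lines above — so evaluating this module errors out instead of gating the hardware settings; it should read `config = lib.mkIf cfg {`. The new lightsail.nix hunk in this commit has the same slip (`cfg = config.isLightsail;` followed by `lib.mkIf cfg.isLightsail{`) and needs the same one-token fix. `boot.loader.grub.version = lib.mkForce 2;` sets an option that recent NixOS releases treat as a deprecated no-op, so it can probably be dropped — verify against the pinned nixpkgs.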
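Review bot: `awsHosts = [ "sgp-00" "tok-00 "];` has a trailing space inside the second string, so `builtins.elem config.networking.hostName awsHosts` is false for the tok-00 host and `isLightsail` never enables the `/dev/nvme0n1` grub device override that this commit moves out of this file into lightsail.nix; the line should read `awsHosts = [ "sgp-00" "tok-00" ];`. Deriving the role from `networking.hostName` also means a host whose name is in neither list silently gets neither role, which deserves at least a comment, or an assertion that exactly one of `isBandwagon`/`isLightsail` is set.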
diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix
new file mode 100644
index 0000000..187c6ff
--- /dev/null
+++ b/machines/dolomite/lightsail.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, modulesPath, ... }:
+let
+ cfg = config.isLightsail;
+in
+{
+ imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];
+ options = {
+ isLightsail = lib.mkEnableOption "Lightsail instance";
+ };
+ config = lib.mkIf cfg.isLightsail{
+ boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
+ };
+}
diff --git a/machines/dolomite/secrets/la-00.yaml b/machines/dolomite/secrets/la-00.yaml
new file mode 100644
index 0000000..266dae5
--- /dev/null
+++ b/machines/dolomite/secrets/la-00.yaml
@@ -0,0 +1,31 @@ +wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str] +wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WjRVY3BKdVU1WERrVzla + L1NNYWp2SFZEaW84b0h1clFGRHVmRDhnM3o0CkUrZjZKNHp2TGtrTXpyOHNVckJw + VURjOEVaR3VQU1pJY2NaOFBQRjVIdWcKLS0tIFBQRWRnNnk4aWxsQVhhdUdVWWpy + aG9Oa3lOY0JjY2tFU3ZTazcyZW5SM0kKRfTrM65aI5LMOHoGsls3PWChrY5pEz91 + EERpRd552+PxYBKvumI59mtdlD263d5kmlTxIIZXTOJ2fcl1bii2bg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdzk4ajV5ekNpZXNGTHdD + aVBLZDlSbzE1aG5LT0cvVVVlVDBNOWtackNVCjVnZDhYZmFoT21DZHNYT2pMVDF6 + ZW5UY1ZFRFdtbDdPZHZIWUVuWjhJMk0KLS0tIGR4UUYwcjJtZUFYYlJSS2d6Q3hZ + WVJYSWhOaTEvNUdYTXV6OThPenJaY0UKv3WK6gacUxO6PFklkW+jDMG5FgIUuEvN + RvvI9ZXRD4QwKW1mpVrxbC+fRqlKawyyyyikvHFGJvpts4/88IcgUQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-15T11:37:57Z" + mac: ENC[AES256_GCM,data:iCgvJMijsUjdBT9hMQx4owYkbp2nV1jORB5HGtz5IPHgI9A5FXAAPFtaSGgQSI3twSkYMU94NULjumCyyWt3syH5KK9itHgHwONyVFieyXLiWozqpN2Z0SA5G4SnK3E6X273br9gwNAj33I2MdS/3K8b4EOO2yEzilWmrW7f3rk=,iv:UD7uHrtq4O6+EsWFrjegTXHtQUFcnhKsu4J0e0srDtk=,tag:b0eJEeUJPwi4+rDPeBY7oA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 From 59fe4dcbc2ccea7507fc1740c8cb83b0a759a121 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Tue, 11 Jun 2024 18:02:55 +0800 Subject: [PATCH 070/136] home-manager: use catppuccin flake to manage themes --- flake.lock | 106 ++++++++++++-------------- flake.nix | 116 ++++++++++++++--------------- modules/home-manager/alacritty.nix | 8 +- modules/home-manager/git.nix | 1 - modules/home-manager/vscode.nix | 8 +- modules/home-manager/zellij.nix | 1 - 6 files changed, 110 insertions(+), 130 deletions(-) diff --git a/flake.lock b/flake.lock index c6047e5..a1c98d7 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,20 @@ { "nodes": { + "catppuccin": { + "locked": { + "lastModified": 1717070887, + "narHash": "sha256-ZTEMINFqQL+m55kmoDYIKf3i2NGitSkjBnnLu99ezh0=", + "owner": "catppuccin", + "repo": "nix", + "rev": "2c7661c9fa26a920b8088300ef87d14179c71a27", + "type": "github" + }, + "original": { + "owner": "catppuccin", + "repo": "nix", + "type": "github" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", @@ -14,11 +29,11 @@ ] }, "locked": { - "lastModified": 1706509311, - "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", + "lastModified": 1711386353, + "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=", "owner": "zhaofengli", "repo": "colmena", - "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", + "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db", "type": "github" }, "original": { @@ -46,11 +61,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { 
@@ -64,11 +79,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1709126324, - "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "d465f4819400de7c8d874d50b982301f28a84605", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -84,11 +99,11 @@ ] }, "locked": { - "lastModified": 1709764752, - "narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=", + "lastModified": 1717052710, + "narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=", "owner": "nix-community", "repo": "home-manager", - "rev": "cf111d1a849ddfc38e9155be029519b0e2329615", + "rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae", "type": "github" }, "original": { @@ -104,11 +119,11 @@ ] }, "locked": { - "lastModified": 1709708644, - "narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=", + "lastModified": 1716772633, + "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "94a1e46434736a40f976a454f8bd3ea2144f349b", + "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac", "type": "github" }, "original": { @@ -128,11 +143,11 @@ ] }, "locked": { - "lastModified": 1709773506, - "narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=", + "lastModified": 1717032429, + "narHash": "sha256-1+87CE8xOUsJChiq9aNQqWPKoWMuyurW+aXrGbMWH7I=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "a17ea69caec11561e73c985360fb596c25f74131", + "rev": "0309d806a5431a46fb7fd81e20d7133ac8b1de55", "type": "github" }, "original": { 
@@ -141,36 +156,13 @@ "type": "github" } }, - "nixos-cn": { - "inputs": { - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1682818384, - "narHash": "sha256-l8jh9BQj6nfjPDYGyrZkZwX1GaOqBX+pBHU+7fFZU3w=", - "owner": "nixos-cn", - "repo": "flakes", - "rev": "2d475ec68cca251ef6c6c69a9224db5c264c5e5b", - "type": "github" - }, - "original": { - "owner": "nixos-cn", - "repo": "flakes", - "type": "github" - } - }, "nixos-hardware": { "locked": { - "lastModified": 1709410583, - "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", + "lastModified": 1716987116, + "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", + "rev": "8251761f93d6f5b91cee45ac09edb6e382641009", "type": "github" }, "original": { @@ -182,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709479366, - "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", + "lastModified": 1716948383, + "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973", + "rev": "ad57eef4ef0659193044870c731987a6df5cf56b", "type": "github" }, "original": { @@ -214,11 +206,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1709428628, - "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", + "lastModified": 1716655032, + "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", + "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f", "type": "github" }, "original": { 
@@ -230,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1709780742, - "narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=", + "lastModified": 1717079713, + "narHash": "sha256-mvTQgi86WwALm6NGi9tvCx92zrNjSr8Mz+nCqbG0ZhE=", "owner": "nix-community", "repo": "NUR", - "rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2", + "rev": "1a7bbb238afcada295aabc758941ce82e6b1d292", "type": "github" }, "original": { @@ -245,12 +237,12 @@ }, "root": { "inputs": { + "catppuccin": "catppuccin", "colmena": "colmena", "flake-utils": "flake-utils", "home-manager": "home-manager", "nix-index-database": "nix-index-database", "nix-vscode-extensions": "nix-vscode-extensions", - "nixos-cn": "nixos-cn", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable", @@ -266,11 +258,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1709711091, - "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=", + "lastModified": 1716692524, + "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc", + "rev": "962797a8d7f15ed7033031731d0bb77244839960", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f29cae9..fe3632d 100644 --- a/flake.nix +++ b/flake.nix @@ -15,12 +15,6 @@ inputs.flake-utils.follows = "flake-utils"; }; - nixos-cn = { - url = "github:nixos-cn/flakes"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; - }; - nur = { url = "github:nix-community/NUR"; }; 
@@ -49,38 +43,47 @@ url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; + + catppuccin.url = "github:catppuccin/nix"; }; - outputs = { self, ... }@inputs: - with inputs; + outputs = + { self + , home-manager + , nixpkgs + , nixos-hardware + , flake-utils + , nur + , catppuccin + , ... }@inputs: let - homeConfigurations = import ./home; - sharedModules = [ - self.homeManagerModules + sharedHmModules = [ inputs.nix-index-database.hmModules.nix-index + catppuccin.homeManagerModules.catppuccin + self.homeManagerModules ]; - mkHome = user: host: { config, system, ... }: { + mkHome = user: host: { ... }: { imports = [ home-manager.nixosModules.home-manager { home-manager = { - inherit sharedModules; + sharedModules = sharedHmModules; useGlobalPkgs = true; useUserPackages = true; extraSpecialArgs = { inherit inputs; }; }; - home-manager.users.${user} = homeConfigurations.${user}.${host}; + home-manager.users.${user} = (import ./home).${user}.${host}; } ]; }; - mkHomeConfiguration = user: settings: { + mkHomeConfiguration = user: host: { name = user; value = home-manager.lib.homeManagerConfiguration { pkgs = import nixpkgs { system = "x86_64-linux"; }; modules = [ - self.homeManagerModules - ] ++ sharedModules; + (import ./home).${user}.${host} + ] ++ sharedHmModules; extraSpecialArgs = { inherit inputs; }; @@ -92,9 +95,9 @@ modules = [ self.nixosModules.default nur.nixosModules.nur + ./overlays ] ++ modules; }; - evalSecrets = import ./eval_secrets.nix; in { nixosModules.default = import ./modules/nixos; @@ -107,12 +110,12 @@ deploymentModule = { deployment.targetUser = "xin"; }; - sharedModules = [ + sharedColmenaModules = [ self.nixosModules.default deploymentModule ]; in - colmena.lib.makeHive { + inputs.colmena.lib.makeHive { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; 
@@ -123,34 +126,20 @@ }; }; - massicot = { name, nodes, pkgs, ... }: with inputs; { + massicot = { ... }: { deployment.targetHost = "49.13.13.122"; deployment.buildOnTarget = true; imports = [ { nixpkgs.system = "aarch64-linux"; } machines/massicot - ] ++ sharedModules; + ] ++ sharedColmenaModules; }; - sgp-00 = { name, nodes, pkgs, ... }: with inputs; { + tok-00 = { ... }: { imports = [ machines/dolomite - ] ++ sharedModules; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "sgp-00"; - system.stateVersion = "23.11"; - deployment = { - targetHost = "video.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; - }; - }; - - tok-00 = { name, nodes, pkgs, ... }: with inputs; { - imports = [ - machines/dolomite - ] ++ sharedModules; + ] ++ sharedColmenaModules; nixpkgs.system = "x86_64-linux"; networking.hostName = "tok-00"; system.stateVersion = "23.11"; @@ -160,6 +149,33 @@ tags = [ "proxy" ]; }; }; + + la-00 = { ... }: { + imports = [ + machines/dolomite + ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "la-00"; + system.stateVersion = "21.05"; + deployment = { + targetHost = "la-00.video.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; + }; + + raspite = { ... }: { + deployment = { + targetHost = "raspite.local"; + buildOnTarget = false; + }; + nixpkgs.system = "aarch64-linux"; + imports = [ + "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix + ] ++ sharedColmenaModules; + }; }; nixosConfigurations = { 
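Review bot: The new la-00 node sets `system.stateVersion = "21.05";` while tok-00 in the same file uses "23.11", and nothing records whether that is intentional; because stateVersion silently selects stateful defaults, a reader is likely to take it for a copy-paste slip. If la-00 was installed on 21.05 and must keep that value, a comment such as `# installed on 21.05; stateVersion must not be bumped` beside it would settle that; otherwise align it with the other dolomite node. Note also that machines/dolomite/default.nix from the previous commit still lists sgp-00 in `awsHosts` after this commit removes the sgp-00 node from the hive — presumably stale now.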
@@ -169,38 +185,16 @@ nixos-hardware.nixosModules.asus-zephyrus-ga401 machines/calcite/configuration.nix (mkHome "xin" "calcite") - (./overlays) - ]; - }; - raspite = mkNixos { - system = "aarch64-linux"; - modules = [ - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - (mkHome "xin" "raspite") ]; }; } // self.colmenaHive.nodes; - images.raspite = (mkNixos { - system = "aarch64-linux"; - modules = [ - "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - { - nixpkgs.config.allowUnsupportedSystem = true; - nixpkgs.hostPlatform.system = "aarch64-linux"; - nixpkgs.buildPlatform.system = "x86_64-linux"; - } - ]; - }).config.system.build.sdImage; } // flake-utils.lib.eachDefaultSystem (system: let pkgs = nixpkgs.legacyPackages.${system}; in { devShells = { default = pkgs.mkShell { - packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ]; + packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ]; }; }; } diff --git a/modules/home-manager/alacritty.nix b/modules/home-manager/alacritty.nix index 4c79b19..b4b7c2a 100644 --- a/modules/home-manager/alacritty.nix +++ b/modules/home-manager/alacritty.nix @@ -18,6 +18,7 @@ in args = [ "attach" "-c" + "alacritty-zellij" ]; }; font.size = 10.0; @@ -25,14 +26,7 @@ in resize_increments = true; dynamic_padding = true; }; - import = [ - "${config.xdg.configHome}/alacritty/catppuccin-macchiato.toml" - ]; }; }; - xdg.configFile."alacritty/catppuccin-macchiato.toml".source = builtins.fetchurl { - url = "https://raw.githubusercontent.com/catppuccin/alacritty/main/catppuccin-macchiato.toml"; - sha256 = "sha256:1iq187vg64h4rd15b8fv210liqkbzkh8sw04ykq0hgpx20w3qilv"; - }; }; } diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index e198c0b..5b2bc63 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix 
@@ -36,7 +36,6 @@ in signByDefault = true; key = cfg.signing.keyFile; }; - extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; }; diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index ef5f45a..6405310 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -22,11 +22,13 @@ let llvm-vs-code-extensions.vscode-clangd (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) twxs.cmake + ms-vscode.cpptools ]; settings = { "cmake.configureOnEdit" = false; "cmake.showOptionsMovedNotification" = false; "cmake.showNotAllDocumentsSavedQuestion" = false; + "C_Cpp.intelliSenseEngine" = "Disabled"; }; }; pythonPackages = { @@ -37,7 +39,7 @@ let settings = { }; }; scalaPackages = { - systemPackages = with pkgs; [ ]; + systemPackages = with pkgs; [ coursier ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ scala-lang.scala scalameta.metals @@ -54,7 +56,7 @@ let "latex-workshop.latex.tools" = [ { "name" = "xelatex"; "command" = "xelatex"; - "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-pdf" "%DOCFILE%" ]; + "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; } { "name" = "pdflatex"; "command" = "pdflatex"; @@ -104,6 +106,7 @@ in ] ++ zipAttrsWithLanguageOption "systemPackages"); programs.vscode = { enable = true; + package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; }; enableUpdateCheck = false; enableExtensionUpdateCheck = false; mutableExtensionsDir = false; @@ -131,7 +134,6 @@ in catppuccin.catppuccin-vsc # Rust rust-lang.rust-analyzer - # ]) ++ ; ]) ] ++ zipAttrsWithLanguageOption "extension"); userSettings = lib.mkMerge ([ diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix index 16d0d70..6eda3e5 100644 --- a/modules/home-manager/zellij.nix +++ b/modules/home-manager/zellij.nix 
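Review bot: Adding `ms-vscode.cpptools` next to `llvm-vs-code-extensions.vscode-clangd` and then setting `"C_Cpp.intelliSenseEngine" = "Disabled"` leaves the reader guessing why a second, overlapping C++ extension is installed with its main feature turned off; a comment on the extension entry, e.g. `# cpptools only for its debugger; IntelliSense is left to clangd`, would document the intent (the debugger motivation is inferred — confirm). cpptools is a marketplace extension with native binaries pulled through the nix-vscode-extensions input, so it widens the binary-provenance surface of this profile compared with the clangd extension alone, which is one more reason to state why it is needed.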
@@ -20,7 +20,6 @@ in "Ctrl n" ]; }; - theme = "catppuccin-macchiato"; }; }; }; From 74a6b82d37415b1a8bd6fe607e3fa83ed82f7916 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 11 Jun 2024 18:05:25 +0800 Subject: [PATCH 071/136] home-manager: vscode refactor --- home/xin/calcite.nix | 17 +++++++++++++++-- home/xin/common/default.nix | 4 ++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index eecb258..9ba1359 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, ... }@inputs: { imports = [ ./common @@ -17,6 +17,7 @@ primary = true; address = "lixinyang411@gmail.com"; flavor = "gmail.com"; + realName = "Xinyang Li"; }; accounts.email.accounts.whu = { @@ -32,13 +33,25 @@ remmina ]; + # Theme + catppuccin = { + enable = true; + flavor = "mocha"; + }; + xdg.enable = true; + + i18n.inputMethod = { + enabled = "fcitx5"; + fcitx5.addons = with pkgs; [ fcitx5-rime ]; + }; + custom-hm = { alacritty = { enable = true; }; direnv = { enable = true; }; fish = { enable = true; }; git = { enable = true; signing.enable = true; }; neovim = { enable = true; }; - vscode = { enable = true; }; + vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; }; zellij = { enable = true; }; }; } diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 0e0677c..d4bc579 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -19,4 +19,8 @@ inetutils ]; + nix.extraOptions = '' + extra-substituters = https://nix-community.cachix.org + extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= + ''; } From 436ca779a1396c70cdffd63772999c4492f5457c Mon Sep 17 00:00:00 2001 
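Review bot: `{ config, pkgs, ... }@inputs:` names the module's argument set `inputs`, which is also the name of the flake inputs handed to home-manager modules via `extraSpecialArgs = { inherit inputs; }` in flake.nix, so the two are easy to confuse, and nothing in the visible hunks uses the binding. If it is needed for something outside the hunk, `@args` is the conventional name; otherwise drop the `@` pattern.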
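Review bot: The `nix.extraOptions` block adds a substituter and its signing key as a free-form string, which bypasses the typed options (`nix.settings.extra-substituters` / `nix.settings.extra-trusted-public-keys`, if the pinned home-manager has `nix.settings`) and therefore gets no merging or validation. More importantly, a user-level nix.conf can only add a substituter that the daemon already lists in `trusted-substituters`, or when the user is in `trusted-users`; otherwise the daemon ignores the entry with a warning and the extra public key is never honoured. Since this extends trust to a third-party cache's signing key for every build, declaring it once in the NixOS configuration of the hosts that should trust it keeps the trust decision visible in one place.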
From: xinyangli Date: Tue, 11 Jun 2024 18:11:15 +0800 Subject: [PATCH 072/136] modules: drop wechat-uos (merged upstream) --- overlays/add-ime-electron.nix | 9 ++ overlays/add-pkgs.nix | 1 - overlays/pkgs/wechat-uos.nix | 239 ---------------------------------- 3 files changed, 9 insertions(+), 240 deletions(-) create mode 100644 overlays/add-ime-electron.nix delete mode 100644 overlays/pkgs/wechat-uos.nix diff --git a/overlays/add-ime-electron.nix b/overlays/add-ime-electron.nix new file mode 100644 index 0000000..74e94c6 --- /dev/null +++ b/overlays/add-ime-electron.nix @@ -0,0 +1,9 @@ +{ config, pkgs, lib, ... }: + +{ + nixpkgs.overlays = [ + (self: super: { + element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; }; + }) + ]; +} diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix index 5759252..e7cc761 100644 --- a/overlays/add-pkgs.nix +++ b/overlays/add-pkgs.nix @@ -4,7 +4,6 @@ nixpkgs.overlays = [ (self: super: { ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { }; - wechat-uos = pkgs.callPackage ./pkgs/wechat-uos.nix { }; }) ]; } diff --git a/overlays/pkgs/wechat-uos.nix b/overlays/pkgs/wechat-uos.nix deleted file mode 100644 index 83d3cfd..0000000 --- a/overlays/pkgs/wechat-uos.nix +++ /dev/null 
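Review bot: The new module takes `{ config, pkgs, lib, ... }` but uses none of them, and its file name promises a generic Electron IME fix while the overlay only overrides `element-desktop`; a header comment such as `# Pass --enable-wayland-ime to Electron apps so the input method works under Wayland; add further apps here` would state the scope (the input-method motivation is inferred from the fcitx5 setup in the previous commit — confirm). Trimming the argument set to `{ ... }:` would also stop the unused bindings from suggesting the file depends on them.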
@@ -1,239 +0,0 @@ -{ stdenvNoCC -, stdenv -, lib -, fetchurl -, requireFile -, dpkg -, nss -, nspr -, xorg -, pango -, zlib -, atkmm -, libdrm -, libxkbcommon -, xcbutilwm -, xcbutilimage -, xcbutilkeysyms -, xcbutilrenderutil -, mesa -, alsa-lib -, wayland -, openssl_1_1 -, atk -, qt6 -, at-spi2-atk -, at-spi2-core -, dbus -, cups -, gtk3 -, libxml2 -, cairo -, freetype -, fontconfig -, vulkan-loader -, gdk-pixbuf -, libexif -, ffmpeg -, pulseaudio -, systemd -, libuuid -, expat -, bzip2 -, glib -, libva -, libGL -, libnotify -, buildFHSEnv -, writeShellScript -, /** - License for wechat-uos, packed in a gz archive named "license.tar.gz". - It should have the following files: - license.tar.gz - ├── etc - │ ├── lsb-release - │ └── os-release - └── var - ├── lib - │ └── uos-license - │ └── .license.json - └── uos - └── .license.key - */ - uosLicense ? requireFile { - name = "license.tar.gz"; - url = "https://www.uniontech.com"; - sha256 = "53760079c1a5b58f2fa3d5effe1ed35239590b288841d812229ef4e55b2dbd69"; - } -}: -let - wechat-uos-env = stdenvNoCC.mkDerivation { - meta.priority = 1; - name = "wechat-uos-env"; - buildCommand = '' - mkdir -p $out/etc - mkdir -p $out/lib/license - mkdir -p $out/usr/bin - mkdir -p $out/usr/share - mkdir -p $out/opt - mkdir -p $out/var - ln -s ${wechat}/opt/* $out/opt/ - ln -s ${wechat}/usr/lib/wechat-uos/license/etc/os-release $out/etc/os-release - ln -s ${wechat}/usr/lib/wechat-uos/license/etc/lsb-release $out/etc/lsb-release - ln -s ${wechat}/usr/lib/wechat-uos/license/var/* $out/var/ - ln -s ${wechat}/usr/lib/wechat-uos/license/libuosdevicea.so $out/lib/license/ - ''; - preferLocalBuild = true; - }; - - wechat-uos-runtime = with xorg; [ - stdenv.cc.cc - stdenv.cc.libc - pango - zlib - xcbutilwm - xcbutilimage - xcbutilkeysyms - xcbutilrenderutil - libX11 - libXt - libXext - libSM - libICE - libxcb - libxkbcommon - libxshmfence - libXi - libXft - libXcursor - libXfixes - libXScrnSaver - libXcomposite - libXdamage - libXtst - libXrandr 
- libnotify - atk - atkmm - cairo - at-spi2-atk - at-spi2-core - alsa-lib - dbus - cups - gtk3 - gdk-pixbuf - libexif - ffmpeg - libva - freetype - fontconfig - libXrender - libuuid - expat - glib - nss - nspr - libGL - libxml2 - pango - libdrm - mesa - vulkan-loader - systemd - wayland - pulseaudio - qt6.qt5compat - openssl_1_1 - bzip2 - ]; - - wechat = stdenvNoCC.mkDerivation - rec { - pname = "wechat-uos"; - version = "1.0.0.238"; - - src = { - x86_64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_amd64.deb"; - hash = "sha256-NxAmZ526JaAzAjtAd9xScFnZBuwD6i2wX2/AEqtAyWs="; - }; - aarch64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_arm64.deb"; - hash = "sha256-3ru6KyBYXiuAlZuWhyyvtQCWbOJhGYzker3FS0788RE="; - }; - loongarch64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_loongarch64.deb"; - hash = "sha256-iuJeLMKD6v8J8iKw3+cyODN7PZQrLpi9p0//mkI0ujE="; - }; - }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported."); - - # Don't blame about this. 
WeChat requires some binary from here to work properly - uosSrc = { - x86_64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_amd64.deb"; - hash = "sha256-vVN7w+oPXNTMJ/g1Rpw/AVLIytMXI+gLieNuddyyIYE="; - }; - aarch64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_arm64.deb"; - hash = "sha256-XvGFPYJlsYPqRyDycrBGzQdXn/5Da1AJP5LgRVY1pzI="; - }; - loongarch64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_loongarch64.deb"; - hash = "sha256-oa6rLE6QXMCPlbebto9Tv7xT3fFqYIlXL6WHpB2U35s="; - }; - }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported."); - - inherit uosLicense; - - nativeBuildInputs = [ dpkg ]; - - unpackPhase = '' - runHook preUnpack - dpkg -x $src ./wechat-uos - dpkg -x $uosSrc ./wechat-uos-old-source - tar -xvf $uosLicense - runHook postUnpack - ''; - - installPhase = '' - runHook preInstall - mkdir -p $out - cp -r wechat-uos/* $out - mkdir -pv $out/usr/lib/wechat-uos/license - cp -r license/* $out/usr/lib/wechat-uos/license - cp -r wechat-uos-old-source/usr/lib/license/libuosdevicea.so $out/usr/lib/wechat-uos/license/ - runHook postInstall - ''; - - meta = with lib; { - description = "Messaging app"; - homepage = "https://weixin.qq.com/"; - license = licenses.unfree; - platforms = [ "x86_64-linux" "aarch64-linux" "loongarch64-linux" ]; - sourceProvenance = with sourceTypes; [ binaryNativeCode ]; - maintainers = with maintainers; [ pokon548 ]; - mainProgram = "wechat-uos"; - }; - }; -in -buildFHSEnv { - inherit (wechat) name meta; - runScript = writeShellScript "wechat-uos-launcher" '' - export QT_QPA_PLATFORM=xcb - export LD_LIBRARY_PATH=${lib.makeLibraryPath wechat-uos-runtime} - ${wechat.outPath}/opt/apps/com.tencent.wechat/files/wechat - ''; - 
extraInstallCommands = '' - mkdir -p $out/share/applications - mkdir -p $out/share/icons - cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/applications/com.tencent.wechat.desktop $out/share/applications - cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/icons/* $out/share/icons/ - mv $out/bin/$name $out/bin/wechat-uos - substituteInPlace $out/share/applications/com.tencent.wechat.desktop \ - --replace-quiet 'Exec=/usr/bin/wechat' "Exec=$out/bin/wechat-uos --" - ''; - targetPkgs = pkgs: [ wechat-uos-env ]; - - extraOutputsToInstall = [ "usr" "var/lib/uos" "var/uos" "etc" ]; -} From 2ce1e1a65e214996732046bfe3f37d4a32e722c3 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 11 Jun 2024 18:18:07 +0800 Subject: [PATCH 073/136] calcite: switch to btrfs root --- machines/calcite/configuration.nix | 39 ++++++++------------- machines/calcite/hardware-configuration.nix | 8 +++-- machines/calcite/network.nix | 5 ++- machines/calcite/secrets.yaml | 6 ++-- 4 files changed, 28 insertions(+), 30 deletions(-) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c31ce3e..d53496a 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -66,11 +66,6 @@ LC_TIME = "en_US.utf8"; }; - i18n.inputMethod = { - enabled = "fcitx5"; - fcitx5.addons = with pkgs; [ fcitx5-rime ]; - }; - # Enable the X11 windowing system. services.xserver.enable = true; @@ -78,6 +73,7 @@ services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; + # Configure keymap in X11 services.xserver = { xkb.layout = "us"; @@ -132,8 +128,8 @@ }; # Enable automatic login for the user. - services.xserver.displayManager.autoLogin.enable = true; - services.xserver.displayManager.autoLogin.user = "xin"; + services.displayManager.autoLogin.enable = true; + services.displayManager.autoLogin.user = "xin"; # Smart services services.smartd.enable = true; 
@@ -145,10 +141,6 @@ # Allow unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ - "openssl-1.1.1w" - # For wechat-uos - "electron-19.1.9" - "electron-25.9.0" ]; # List packages installed in system profile. To search, run: # $ nix search wget @@ -157,10 +149,6 @@ owncloud-client nfs-utils - winetricks - wineWowPackages.waylandFull - faudio - # tesseract5 # ocr ocrmypdf # pdfocr @@ -174,6 +162,7 @@ requests numpy pyyaml + setuptools ]; python-with-my-packages = python3.withPackages my-python-packages; in @@ -185,9 +174,11 @@ # Gnome tweaks gnomeExtensions.paperwm gnomeExtensions.search-light - gnomeExtensions.tray-icons-reloaded + gnomeExtensions.appindicator gnome.gnome-tweaks gnome.gnome-themes-extra + gnome.gnome-remote-desktop + bibata-cursors gthumb oculante @@ -195,29 +186,29 @@ vlc obs-studio spotify - - rawtherapee - digikam - # IM element-desktop tdesktop qq - wechat-uos # Password manager bitwarden # Browser firefox - chromium + (chromium.override { + commandLineArgs = [ + "--ozone-platform-hint=auto" + "--enable-wayland-ime" + ]; + }) brave # Writting - obsidian zotero - onlyoffice-bin + # onlyoffice-bin wpsoffice + zed-editor config.nur.repos.linyinfeng.wemeet diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 9ebd38d..94415af 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -10,12 +10,16 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ]; boot.initrd.kernelModules = [ ]; + boot.initrd.luks.devices.cryptroot = { + device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; + }; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-label/NIXROOT"; - fsType = "ext4"; + { # device = "/dev/disk/by-label/NIXROOT"; + device = "/dev/mapper/cryptroot"; + fsType = "btrfs"; }; fileSystems."/boot/efi" = 
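Review bot: `gnome.gnome-remote-desktop` is added to `environment.systemPackages`, which installs the binaries but does not enable the daemon, its service user, or any firewall opening; if a remote-desktop endpoint is intended, the NixOS option `services.gnome.gnome-remote-desktop.enable = true;` is the supported path and makes the exposure explicit, and if it is not intended the package can be dropped. Either way a short comment on the line saying which it is would help the next reader.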
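Review bot: The LUKS `cryptroot` device is introduced in `hardware-configuration.nix` without a comment, and the commit is titled "switch to btrfs root", so the encryption change is easy to miss in history; a line such as `# Root is LUKS-encrypted; the passphrase is entered in the initrd.` above `boot.initrd.luks.devices.cryptroot` would record it. The commented-out `# device = "/dev/disk/by-label/NIXROOT";` left inside the attribute set should be removed rather than kept as dead text. Note that the same commit keeps `services.displayManager.autoLogin` enabled for `xin`, so after this change the LUKS passphrase is the only authentication between power-on and an unlocked console session — a deliberate trade-off that deserves a comment where autoLogin is set. The `/boot/efi` mount that follows is outside the hunk.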
diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index e439899..94a7e71 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -19,8 +19,11 @@ services.tailscale.enable = true; # services.tailscale.useRoutingFeatures = "both"; + services.dae.enable = true; + services.dae.configFile = "/var/lib/dae/config.dae"; + custom.sing-box = { - enable = true; + enable = false; configFile = { urlFile = config.sops.secrets.sing_box_url.path; hash = "6ca5bc8a16f8c413227690aceeee2c12c02cab09473c216b849af1e854b98588"; diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index 80381ef..780f6cb 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml @@ -1,7 +1,7 @@ restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str] -gitea_env: ENC[AES256_GCM,data:hENSYBo2Zp9s+dVv9CHkf1kDqa+AU5XQFUWfww/rwGqFeZW0aouHMSxdW7ORU2o=,iv:KmqU1VnZ6LeIflBJ2hyTvLDPN/CSdqyBd2600xIVSNQ=,tag:DkwVTLuYJG6kEzl5dyV8pw==,type:str] +gitea_env: ENC[AES256_GCM,data:ShKKQWSiIkQ4uaWBhN5uB3xSu/8u8LkDjZeFi3G5BZUj7Vy4hoMweyUXyMf7w9A=,iv:JK6NgIJlU8G7G/LrZtNyGC4K9jblImFXnzhUMdkFbUw=,tag:PYeafqgXaSpDNJ0oIENW4A==,type:str] sops: kms: [] gcp_kms: [] 
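Review bot: `services.dae.configFile = "/var/lib/dae/config.dae";` points at a file this configuration does not manage, so the proxy's behaviour (and whatever subscription URLs or credentials such a config carries) lives outside the reviewed tree; a comment stating how the file is provisioned and that it must stay root-owned and not world-readable would help, e.g. `# Unmanaged; provisioned by hand, keep it root:root 0600.` Whether dae itself rejects loosely-permissioned configs I cannot confirm from here. The `custom.sing-box` block is now `enable = false;` yet still carries `urlFile`, a pinned `hash` and the `sing_box_url` sops secret; if sing-box is retired, removing the block and the secret avoids a stale trust anchor.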
@@ -26,8 +26,8 @@ sops: WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-25T13:44:27Z" - mac: ENC[AES256_GCM,data:RPm7Y6R19Ygs2tptgQNap4AMZ2PgRwigGXVMpNcBT94L1YJoSGaJUDwukqHuzHGPvOqMZaEMIlorWQ5Ou7MSVhWZE2V8IsRCC5IWqcFI1FQjKc9WcImuIXPILKwCX+ScWrzbSmV0iYWxbeXTPU77pW4kAB7n4w/9CZfMP8BJcOw=,iv:sS0ttKYmaulWAY99awyBGCNpGxg8F0QCxeVmI2LbvP8=,tag:Av8VRPEmyeVV31S59sfPYA==,type:str] + lastmodified: "2024-04-05T04:32:32Z" + mac: ENC[AES256_GCM,data:esdTvjxnVP5t721ROLvMCvHMAkcpEFgTzHIQNyEkEaL1DKYDOJKFjufPPXDiEBX8+ni9RGYL4QHuDxlh89p0HAFHb3XCkE639NyHr6MD/DzFHbenaMJXEcWy/RSoWqroyHJA8XL7ymBGeDH7ERqyQaxc3oG653V/Uq5+/a++HQI=,iv:QvSee/Wes5RygpoCOJpVuatj+xij8EPUBayE1yUWM3g=,tag:8Un2qrflqAFB0iWz2Evi5Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From 9ac58819e623c9b9ca1c1b52c5b7fb5c56c7b1ff Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 11 Jun 2024 18:19:43 +0800 Subject: [PATCH 074/136] dolmite: support bandwagon and lightsail --- machines/dolomite/bandwagon.nix | 7 +-- machines/dolomite/default.nix | 8 +-- machines/dolomite/lightsail.nix | 103 ++++++++++++++++++++++++++++++-- 3 files changed, 105 insertions(+), 13 deletions(-) diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index 853f8d8..32d2b9f 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix @@ -10,7 +10,7 @@ in isBandwagon = lib.mkEnableOption "Bandwagon instance"; }; - config = lib.mkIf cfg.isBandwagon { + config = lib.mkIf cfg { boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; 
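Review bot: `config = lib.mkIf cfg {` in `bandwagon.nix` only evaluates if `cfg` is a boolean, i.e. if the `let` binding above the hunk is `cfg = config.isBandwagon;`; should it instead bind an attribute set, `mkIf` fails with a type error. The binding is outside the hunk so this cannot be verified here — writing `lib.mkIf config.isBandwagon` directly, or a comment `# cfg is the bool config.isBandwagon` at the `let`, would make the intent self-evident.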
@@ -28,9 +28,8 @@ in swapDevices = [ ]; - boot.loader.grub.enable = lib.mkForce true; - boot.loader.grub.version = lib.mkForce 2; - boot.loader.grub.device = lib.mkForce "/dev/sda"; + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; networking.useDHCP = false; networking.interfaces.ens18.useDHCP = true; networking.interfaces.ens19.useDHCP = true; diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 15f7e2e..e8b2797 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,13 +1,13 @@ -{ inputs, config, pkgs, lib, modulesPath, ... }: +{ config, lib, ... }: let - awsHosts = [ "sgp-00" "tok-00 "]; + awsHosts = [ "tok-00 "]; bwgHosts = [ "la-00" ]; in { imports = [ ../sops.nix - ./bandwagon.nix - ./lightsail.nix + ./bandwagon.nix + ./lightsail.nix ]; diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index 187c6ff..a71c460 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix 
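Review bot: `awsHosts = [ "tok-00 "];` in `dolomite/default.nix` keeps a trailing space inside the string literal, so any hostname membership check against this list (not visible in the hunk) will never match `tok-00`; it should read `awsHosts = [ "tok-00" ];`. The removal of `sgp-00` is presumably intentional, but neither the hunk nor the commit message records why.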
@@ -1,13 +1,106 @@ { config, lib, pkgs, modulesPath, ... }: +with lib; let - cfg = config.isLightsail; + cfg = config.ec2; in { - imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; + imports = [ + "${modulesPath}/profiles/headless.nix" + # Note: While we do use the headless profile, we also explicitly + # turn on the serial console on ttyS0 below. This is because + # AWS does support accessing the serial console: + # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html + "${modulesPath}/virtualisation/ec2-data.nix" + "${modulesPath}/virtualisation/amazon-init.nix" + ]; + options = { - isLightsail = lib.mkEnableOption "Lightsail instance"; + isLightsail = mkEnableOption "Lightsail instance"; }; - config = lib.mkIf cfg.isLightsail{ - boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; + + config = mkIf config.isLightsail { + boot.loader.grub.device = "/dev/nvme0n1"; + + # from nixpkgs amazon-image.nix + assertions = [ ]; + + boot.growPartition = true; + + fileSystems."/" = mkIf (!cfg.zfs.enable) { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + autoResize = true; + }; + + fileSystems."/boot" = mkIf (cfg.efi || cfg.zfs.enable) { + # The ZFS image uses a partition labeled ESP whether or not we're + # booting with EFI. + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; + + services.zfs.expandOnBoot = mkIf cfg.zfs.enable "all"; + + boot.zfs.devNodes = mkIf cfg.zfs.enable "/dev/"; + + boot.extraModulePackages = [ + config.boot.kernelPackages.ena + ]; + boot.initrd.kernelModules = [ "xen-blkfront" ]; + boot.initrd.availableKernelModules = [ "nvme" ]; + boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; + + # Prevent the nouveau kernel module from being loaded, as it + # interferes with the nvidia/nvidia-uvm modules needed for CUDA. + # Also blacklist xen_fbfront to prevent a 30 second delay during + # boot. 
+ boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ]; + + boot.loader.grub.efiSupport = cfg.efi; + boot.loader.grub.efiInstallAsRemovable = cfg.efi; + boot.loader.timeout = 1; + boot.loader.grub.extraConfig = '' + serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 + terminal_output console serial + terminal_input console serial + ''; + + systemd.services.fetch-ec2-metadata = { + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = ["network-online.target"]; + path = [ pkgs.curl ]; + script = builtins.readFile ./ec2-metadata-fetcher.sh; + serviceConfig.Type = "oneshot"; + serviceConfig.StandardOutput = "journal+console"; + }; + + # Amazon-issued AMIs include the SSM Agent by default, so we do the same. + # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html + services.amazon-ssm-agent.enable = true; + + # Allow root logins only using the SSH key that the user specified + # at instance creation time. + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "prohibit-password"; + + # Enable the serial console on ttyS0 + systemd.services."serial-getty@ttyS0".enable = true; + + # Creates symlinks for block device names. + services.udev.packages = [ pkgs.amazon-ec2-utils ]; + + # Force getting the hostname from EC2. + # networking.hostName = mkDefault ""; + + # Always include cryptsetup so that Charon can use it. + environment.systemPackages = [ pkgs.cryptsetup ]; + + # EC2 has its own NTP server provided by the hypervisor + networking.timeServers = [ "169.254.169.123" ]; + + # udisks has become too bloated to have in a headless system + # (e.g. it depends on GTK). + services.udisks2.enable = false; }; } From c21ce5dc818beea6081f4c2218de9e4020122d1d Mon Sep 17 00:00:00 2001 
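Review bot: `script = builtins.readFile ./ec2-metadata-fetcher.sh;` references a file this patch does not add (the diffstat lists only bandwagon.nix, default.nix and lightsail.nix), so evaluating `lightsail.nix` fails until the script lands in a later commit; the unit and the script should be introduced together. `cfg = config.ec2;` is then read as `cfg.zfs.enable` and `cfg.efi`, but none of the three new imports obviously declares the `ec2.*` options that the dropped `amazon-image.nix` import used to bring in — if nothing else reaches nixpkgs' `amazon-options.nix`, that is a second evaluation failure. `services.openssh.settings.PermitRootLogin = "prohibit-password";` is copied from the AMI profile, where it exists so the key injected at launch can log in as root; on a flake-managed host with named users, `"no"` is the tighter choice unless root key access is actually needed. The comment `# Force getting the hostname from EC2.` now sits above a commented-out line and should either go or say why it was disabled.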
From: xinyangli Date: Tue, 11 Jun 2024 18:20:21 +0800 Subject: [PATCH 075/136] massicot: fix cifs disk mount --- machines/massicot/services.nix | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 9c7504e..a0efd28 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -35,18 +35,23 @@ in }; }; - fileSystems = builtins.listToAttrs (map (share: { - name = "/mnt/storage/${share}"; - value = { - device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; - fsType = "cifs"; - options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"]; - }; - }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] ); + systemd.mounts = map (share: { + what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; + where = "/mnt/storage/${share}"; + type = "cifs"; + options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; + before = [ "${share}.service" ]; + after = [ "cachefilesd.service" ]; + wantedBy = [ "${share}.service" ]; + }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ]; + + services.cachefilesd.enable = true; system.activationScripts = { conduit-media-link.text = '' - ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media + mkdir -m 700 -p /var/lib/private/matrix-conduit/media + chown conduit:conduit /var/lib/private/matrix-conduit/media + mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media ''; }; security.acme = { @@ -76,6 +81,8 @@ in server_name = "xinyang.life"; port = 6167; # database_path = "/var/lib/matrix-conduit/"; + max_concurrent_requests = 100; + log = "info"; database_backend = "rocksdb"; allow_registration = false; }; 
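Review bot: The `conduit-media-link` activation script runs `mount --bind` unconditionally, and activation scripts execute on every `nixos-rebuild switch`, so each activation stacks another bind mount on the same path; guard it with `mountpoint -q /var/lib/private/matrix-conduit/media || mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media`, or better express it as a `fileSystems` / `systemd.mounts` bind entry ordered after the CIFS mount. Because the CIFS unit is only pulled in via `wantedBy = [ "conduit.service" ]`, `/mnt/storage/conduit` may not be mounted yet at activation time, in which case the bind exposes an empty directory rather than the media store. Embedding `config.sops.secrets.storage_box_mount.path` in the mount `options` is fine as long as that file stays root-only readable, which sops-nix provides by default; a comment noting that the credentials file is never copied into the store would reassure the next reader.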
@@ -153,22 +160,24 @@ in virtualHosts."xinyang.life:443".extraConfig = '' tls internal encode zstd gzip - reverse_proxy /_matrix/* localhost:6167 handle_path /.well-known/matrix/client { header Content-Type "application/json" header Access-Control-Allow-Origin "*" header Content-Disposition attachment; filename="client" - respond `{"m.homeserver":{"base_url":"https://xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://xinyang.life/"}}` + respond `{"m.homeserver":{"base_url":"https://msg.xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://msg.xinyang.life/"}}` } handle_path /.well-known/matrix/server { header Content-Type "application/json" header Access-Control-Allow-Origin "*" - respond `{"m.server": "xinyang.life:443"}` + respond `{"m.server": "msg.xinyang.life:443"}` } reverse_proxy * http://localhost:8080 { flush_interval -1 } ''; + virtualHosts."https://msg.xinyang.life:443".extraConfig = '' + reverse_proxy /_matrix/* localhost:6167 + ''; virtualHosts."https://git.xinyang.life:443".extraConfig = '' reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} ''; From 087b583dd261ac808b16b73e08068d27e3ccec6a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 11 Jun 2024 18:24:22 +0800 Subject: [PATCH 076/136] raspite: rewrite --- machines/raspite/configuration.nix | 59 +++++++++++++------------ machines/raspite/hass.nix | 50 ++++++++++++++++++++++ machines/secrets.yaml | 69 +++++++++++++++++------------- modules/nixos/kanidm-client.nix | 13 ++++++ oci-images/nix-ci-base/flake.nix | 7 +++ 5 files changed, 140 insertions(+), 58 deletions(-) create mode 100644 machines/raspite/hass.nix diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 72b7978..489032b 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix 
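Review bot: The new virtual host key `"https://msg.xinyang.life:443"` carries a scheme while the neighbouring `"xinyang.life:443"` does not; both forms are valid Caddyfile site addresses, but mixing them in one file is a style inconsistency worth resolving in either direction. The parent host sets `tls internal` and `encode zstd gzip`, neither of which the `msg.` host inherits, so Caddy will attempt public certificate issuance for `msg.xinyang.life` and serve `/_matrix/*` uncompressed — confirm the certificate source is intended, since federation peers following the updated `m.server` delegation will validate against it. A one-line comment above the new host, e.g. `# Matrix client + federation API lives here; the well-known records above delegate to it.`, ties it to the edits in the same hunk.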
@@ -1,6 +1,9 @@ -{ config, libs, pkgs, ... }: +{ config, lib, pkgs, ... }: { + imports = [ + ./hass.nix + ]; nixpkgs.overlays = [ # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 (final: super: { @@ -8,29 +11,21 @@ super.makeModulesClosure (x // { allowMissing = true; }); }) ]; - - imports = [ - ../sops.nix - ]; environment.systemPackages = with pkgs; [ git + libraspberrypi + raspberrypi-eeprom ]; # Use mirror for binary cache nix.settings.substituters = [ + "https://mirrors.bfsu.edu.cn/nix-channels/store" "https://mirrors.ustc.edu.cn/nix-channels/store" - "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; - sops = { - secrets.password = { - sopsFile = ./secrets.yaml; - }; - }; - - system.stateVersion = "22.11"; + system.stateVersion = "24.05"; networking = { hostName = "raspite"; 
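Review bot: `system.stateVersion` moves from `"22.11"` to `"24.05"`; that value pins defaults for stateful data (database layouts, service paths) and is meant to stay at the release the host was first installed with, so bumping it on an existing installation can silently change those defaults — if raspite was reinstalled for this rewrite, a comment saying so next to the line would settle it. Swapping the substituter list to the BFSU/USTC mirrors remains safe trust-wise only because `trusted-public-keys` is left at its default, so substituted paths are still verified against the cache.nixos.org signature; `# Mirrors of cache.nixos.org; signatures are still checked against the default key.` would make that explicit.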
@@ -38,23 +33,31 @@ interfaces.eth0.useDHCP = true; }; - networking.proxy = { - default = "http://127.0.0.1:7890/"; - noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net"; + # boot.kernelPackages = pkgs.linuxPackages_stable; + + custom.kanidm-client = { + enable = true; + uri = "https://auth.xinyang.life"; + asSSHAuth = { + enable = true; + allowedGroups = [ "linux_users" ]; + hardening = true; + }; + sudoers = [ "xin@auth.xinyang.life" ]; }; - services.openssh = { - enable = true; + security.sudo = { + execWheelOnly = true; + wheelNeedsPassword = false; }; - - systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; - - users.users.xin = { - isNormalUser = true; - extraGroups = [ "wheel" "networkmanager" ]; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd xin@nixos" ]; - # passwordFile = config.sops.secrets.password.path; - hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4"; + + nix.settings = { + trusted-users = [ "@wheel" ]; }; - + + # fileSystems."/".fsType = lib.mkForce "btrfs"; + boot.supportedFilesystems.zfs = lib.mkForce false; + + services.dae.enable = false; + services.dae.configFile = "/var/lib/dae/config.dae"; } diff --git a/machines/raspite/hass.nix b/machines/raspite/hass.nix new file mode 100644 index 0000000..8482129 --- /dev/null +++ b/machines/raspite/hass.nix 
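Review bot: `security.sudo.wheelNeedsPassword = false;` together with `nix.settings.trusted-users = [ "@wheel" ];` makes every wheel member root-equivalent both via sudo and via the Nix daemon (trusted users may add substituters and import unsigned paths), and wheel membership is now populated from `custom.kanidm-client.sudoers`, so this host's entire privilege boundary rests on the remote `auth.xinyang.life` identity provider. That is coherent, but the local `xin` account with its authorized key and hashed password is removed in the same hunk, leaving no documented break-glass path if Kanidm or the network is unavailable; a comment recording the recovery route (console access, or an intentionally absent one) would help the next operator. The commented-out `boot.kernelPackages` and `fileSystems."/".fsType` lines should be dropped or explained.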
@@ -0,0 +1,50 @@ +{ config, pkgs, ... }: { + services.home-assistant = { + enable = true; + extraComponents = [ + "default_config" + "esphome" + "met" + "radio_browser" + ]; + openFirewall = false; + config = { + default_config = {}; + http = { + server_host = "::1"; + base_url = "raspite.local:1000"; + use_x_forward_for = true; + trusted_proxies = [ + "::1" + ]; + }; + }; + }; + + services.esphome = { + enable = true; + openFirewall = false; + }; + + users.groups.dialout.members = config.users.groups.wheel.members; + + environment.systemPackages = with pkgs; [ + zigbee2mqtt + ]; + + networking.firewall.allowedTCPPorts = [ 1000 1001 ]; + + services.caddy = { + enable = true; + virtualHosts = { + # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port} + "raspite.local:1000".extraConfig = '' + reverse_proxy http://[::1]:8123 + ''; + + "raspite.local:1001".extraConfig = '' + reverse_proxy ${config.services.esphome.address}:${toString config.services.esphome.port} + ''; + }; + }; +} diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 0de58ab..40ccb0d 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
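Review bot: `use_x_forward_for = true;` is not a Home Assistant `http` option — the key is `use_x_forwarded_for`, and an unknown key fails the component's config validation, so the `trusted_proxies` intent behind it is never applied; change it to `use_x_forwarded_for = true;`. The Caddy host on `raspite.local:1001` forwards to the ESPHome dashboard, which ships without authentication and allows editing and flashing device firmware, and `networking.firewall.allowedTCPPorts = [ 1000 1001 ];` exposes it to the whole LAN; a Caddy `basic_auth` block (or limiting the port to trusted sources) is the defensive minimum, and a comment should state who is meant to reach it. `base_url` under `http` has been superseded by `internal_url` / `external_url` in recent Home Assistant releases — worth checking against the pinned version. Binding HA to `::1` and trusting only `::1` as proxy is the right layout for this setup.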
@@ -17,56 +17,65 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MUxIZHJTYk9YS0lPOGZK - VUJhQ1liNEtXZ3ZYaCtqQWVBTGVJclVVRER3CmJUcS9yY2x1TFFYMkpZOWxZeW5w - WFk0WTNoWmphdG12dTdHaW9tYVRjS1UKLS0tIHd4enVwalRDaHQwK0U1RFNHOEVI - N0UrRjRxTWJRanI4VnRjWlhzQS8zSGsKSJJnFuEp7yO8bIh2LpSvgjsYAK05u2TE - a+UBiu6xQQaUnL02CAau4xHqBn9GZxeqlVAjVSJITArLR/uQkkUM6g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdjlhNVZpUjYzRTVXNG9Y + S0lEUVdoM003YVZoeXYyOXdwY3Rla3VJSkZvCkl0a3FPeVpMY1JTWkdCb3NaeVBQ + dHVSVzg1cDNIS3JnMmYxbUlzbjFicG8KLS0tIHFENDNaZENzSzJQZDVLSVJ5VHBP + aVpJN1dkbEQ2djQyWVdRTUx4NGdaaTgKgfcGovmMgVFHkPLHT7C5bg75LXg8MFK0 + s8IL8qhHif4uzMuFjdw9MzyuQc1bqGzazX5YC1MYLYCOWHRlLq9mXw== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT3ZES3BHWWpDekt0VEYz - emUvUTQ3WUFWd0w2VlVSWHMrd3ZvZjYvYlJZCkcyRjBZWEdGTXJZVENyZ1U2YTV2 - eU1MS3NCQzZ3Y3ZhOG4rRVByU1ZlRU0KLS0tIFdGVTliOFpSTWl0YlV6OTVUbk9O - SjBoUnNOVTB1QWFDYnVwWkhaN3d0VGMKjNiW597mLAogPyDBUhEDYd/VyePXesL7 - kzyV/e8t/5zHs3/I17ZUd8bxdCjbrrXI1g4Swx31yCgZOk8uKAuLRQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQXdMdzMxNzE3SHpZR09w + OTFtNzJLdVk5bWlyNGl4RzA4NWFUQTlvbUQ4ClhGZHI3ekJWYnNwamJXWWVtc3do + TXpoWERqT24rMjRtQUJUb2RKSm9BUjQKLS0tIHd6QXUrWVJ5aU52VEtDL01Kd2d2 + V3U4cTNoVzYzdmt5YkpNUmsyUWtCaEkKhxEQVVt2zvVGFGtlfPr0sQ7b0yUDRDOV + CN8nxyO0NiuvEKSkw+KCkcNWNQZDnHTQ3pwWyAohRZk3vB/RSuApCg== -----END AGE ENCRYPTED FILE----- - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaTlNTjVXTHFzNS9GUk1S - bVMxeWdwSUlmN3B6QlovejI3SlNuc2dJMjFVClF2VFRVNjFrQldRcHNLeWhpWFE1 - UDRvY3RTZHZCa2RDZ1RmVWRHb2ttUVUKLS0tIEI0QS9SL3lTeXVITVgvcHVCNmdW - 
cVl6T3NWWEVkWExuTldqQU5CUzFTM1UKFYD1jdEQfFRNBkRyL+1gZzCdpJHN7QqU - 4CVOsIeVl6ufWG4D2FfP4Zow5uhnvDXmWqBCmpJ/iVKnu3klihlndA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlh1Kyt4KzlFR2RkTmFo + S00zK1RDNnJwVzQ4Um93TDBEcnJZUjJLUG00CjloMFdaNm5LU2lRRVpnM0RpN3BR + Ly9pUkxuZHd3NHJRSG1Ha3ZVcE50RkUKLS0tIDN1K0xnb01EL2Q3aG5RV0grdmdl + TWh3ZStZQ3lNYkh2cjJ1RWhLRDJ0KzQK/+R6hFg8ErtT/rkSOCwRdArTPIE/J9Yv + 2qZmREM7q99L5w6lEBTn9SRekowk0ncwIoTxRfn576wyl++b8gBv9Q== -----END AGE ENCRYPTED FILE----- - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRGZ5WVFJQzFSWlR6dDMv - bXJsNlZLeVVpK1RuaVpySkcreHE1SkNMSjA4CkxGMzVvZHZ4ZTdRdzh6K3V6OVQ0 - RkI3bWg5ZUw5RFlQN05zdC9HVkdjYlUKLS0tIGdibTdwbnRhMmZEZ2VPelF6a3Aw - U1dGQmxOTklFTmFaMTc1MGQvRVB1TzgKkhxjImoj1lxpvBMjKJJOiM2eC2bQ73Ay - Rket8CjZnfRhYDD9YoOWBNswONQoVY8/dSXgLDObtfFxbnjZ1pj63A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJelptN09Oa0NRdTFER2du + clZGM09uMlhpMlZDQ2VvTTZOZ09VWGNwaWpjCmRuMjM3VTRpT3hRaWpEYW5HaWRr + K2pEM3dLYjhSS25hSUtrYkRvYXpCd2MKLS0tIHU2eDlXdVBlZUFTMjYxRTladVJV + cjZ0dGtmM29YdXI5Z1RpVVdRSktBU2MKdR5d6fb2EHX5j51qE5gg0GXKjy4fCpT0 + Q+fZslCPDZqaOX/9kGT874TuW4CC1wttpsCDNIEzrX54SvIGfsVPgg== -----END AGE ENCRYPTED FILE----- - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RWRsdXNTQkNJWXFTODY4 - WVNYb2xKZHJWWTUvZmlMS3VkYnhWQkVaZHpFCjJjY2JzeFQza3llNHZFYWVVK0Ri - K2ZJNUlZMWxFbGdhQ2pxRlh4VjVITFkKLS0tIGFHSDI5aW5aTUdFTEJOMnNjVXlm - SVlDVk9Xdnc0WVpFN2VmSlZIajJielkKz8xnfxIArN9PLjUorYPzakmLx7/bsoq0 - EfoiB6ZpuWMeNEmfHygTEUPTC7eWw42EIYk964vI6LySFQyO3Z8p5g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRUhOaVhSMFJFcC9qYytK + dHJ1ZUg1SWRBeTVSeFhDRW1VbG1HWUJaUEhvCnBOaENFUXlJWHAxQ0ZGVGFxQkpC + b3dwb0VJVTR1MUNDT3VQR0tsNE5vUDQKLS0tIEJkbWN5MWRtKzRveldvT2dMR2k1 + 
djdBQzNvSFNPRDZwN1B1dG5sUzlRdzgK35bNxRGDQw+dtnXcXSXk67kJFce52vqn + srABR9FOYmSfesLKXOdKItLAGffkfB7kuiXO7CvyVTkgJOjBgK6Tnw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2JOOUlGL1pCVXVYZk1j + cWg0NE13WnBUWDA4VTNRdlNmWktRN0lJbkVBCkpHTklwbnFsd0NBOTY5V0JCTVJN + alVFeW41ajlZR2dHZDlrL2FtazB6QU0KLS0tIDhoTXppS0lnZmFJY1lhSDBudVB4 + NHFLdnorOUtJSzVPWldYakppZFJwdlEKbZnT7m6R7H/yLG+tDbQECgQVGX0xT4jC + 67z8k6xbnsT2srhhXk/NHi+/j7AcHhPG6cTO1z8MrxkMikk8ihU1Iw== -----END AGE ENCRYPTED FILE----- - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2WFIzVEZPUmFBclpweDZR - WXZFb0FjcWxDRTNpQmFRaU9BY0lPTzAxNWhvClk5UmxFQllGQ29VOGIxeS9xMmV2 - SUdEaFJ3bFZPSjVjQ1JnVS9jSWxXaWcKLS0tIGs0ZE0wMUZDeGNWNlhoN3JOMmlG - c1E1Sld1ejZhTStKTU5teEJKT2JwVXcKuEQnA6b1WJ+RNqmrZ8t3joiEZ57Oq9M1 - P4tMGerB12A1myTJlt5Ss2OCTBUV7ooVRNsyPjyvJy/YTyjqZ5xmxg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaHFOa1ArRW5xWFAyWXlh + enpQUzZKbFFFUzN1cisrd2JGelpXSWppRnhvCmY5VDlSTFhJakt3aU8zYjRrZXVQ + b3o2NlpCeGZZU1ROeW5XOFVpdEZnZXcKLS0tIGZ5M2IxNHp0Qm8rckROdy96a0pG + NjVEaWN3cU1rRjQ2a29wV1g1NzE0UTAKNefzj+p+U735LHqm5lnWGHCARuqvFmgA + 6bxJN9frAMZQIXZSwOTrfpYrTmKcBLcfWxq7LUPluw9HinQnkFpWqg== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-01-07T13:13:50Z" mac: ENC[AES256_GCM,data:cAc3Wp5KjuaKWv0e2ciPVzvsK2L6BgupYS2+5Vlr+Wn0RBsuLA0OEW2pQbm5hpUJaWO65qQk5IeMvK/h8otYLgGHGzz23NiZTNeAknw6z2mL5y+GgP22mBOMzPU2PtaJKXkt624T1sZzW4QTMo8TqBlzy7D10odyjkVn6Wd+OGE=,iv:zucnHwHjY4DX3jIKuuIGpa2no9svOEordGN0LsPKDuc=,tag:JQZMyBO3yZIW+ZTIKDUPCQ==,type:str] diff --git a/modules/nixos/kanidm-client.nix b/modules/nixos/kanidm-client.nix index 8821fc1..41d974d 100644 --- a/modules/nixos/kanidm-client.nix +++ b/modules/nixos/kanidm-client.nix 
@@ -16,6 +16,10 @@ in type = types.listOf types.str; example = [ "linux_users" ]; }; + hardening = mkOption { + type = types.bool; + default = false; + }; }; }; }; @@ -48,7 +52,15 @@ in enable = true; authorizedKeysCommand = "/etc/ssh/auth %u"; authorizedKeysCommandUser = "kanidm-ssh-runner"; + settings = mkIf cfg.asSSHAuth.enable { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = lib.mkForce "no"; + GSSAPIAuthentication = "no"; + KerberosAuthentication = "no"; + }; }; + environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable { mode = "0555"; text = '' @@ -59,6 +71,7 @@ in users.groups.wheel.members = cfg.sudoers; users.groups.kanidm-ssh-runner = { }; users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; }; + }; } diff --git a/oci-images/nix-ci-base/flake.nix b/oci-images/nix-ci-base/flake.nix index b45cd9f..8e6b882 100644 --- a/oci-images/nix-ci-base/flake.nix +++ b/oci-images/nix-ci-base/flake.nix @@ -29,6 +29,13 @@ extraPkgs = with pkgs; [ nodejs_20 # nodejs is needed for running most 3rdparty actions # add any other pre-installed packages here + curl + xz + openssl + coreutils-full + cmake + gnumake + gcc ]; # change this is you want channelURL = "https://nixos.org/channels/nixpkgs-23.11"; From 7118348263ea041b4e77d6656258b058a1baf391 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 15 Jun 2024 15:29:29 +0800 Subject: [PATCH 077/136] pkgs: drop ssh-tpm-agent (merged upstream) --- overlays/add-pkgs.nix | 1 - overlays/pkgs/ssh-tpm-agent.nix | 33 --------------------------------- 2 files changed, 34 deletions(-) delete mode 100644 overlays/pkgs/ssh-tpm-agent.nix diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix index e7cc761..021dfcb 100644 --- a/overlays/add-pkgs.nix +++ b/overlays/add-pkgs.nix @@ -3,7 +3,6 @@ { nixpkgs.overlays = [ (self: super: { - ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { }; }) ]; } 
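Review bot: The new `hardening` option declared in the first kanidm-client.nix hunk is never read: the sshd `settings` block added in the second hunk is gated on `cfg.asSSHAuth.enable`, so `hardening = true` has no effect and the restrictive settings apply whenever SSH auth is enabled. Gate the block on the option it introduces, e.g. `settings = mkIf cfg.asSSHAuth.hardening { … };` — assuming `hardening` sits under `asSSHAuth`, which the closing braces suggest but the hunk does not show. The option also has no `description`; `description = "Apply a restrictive sshd configuration (no password, keyboard-interactive or root login; no GSSAPI/Kerberos) when kanidm SSH auth is enabled.";` would document what it toggles. Minor: the block mixes booleans (`PasswordAuthentication = false`) and strings (`GSSAPIAuthentication = "no"`) for the same kind of setting; pick one form. The `};` added by the third hunk closes a block whose opening is outside these hunks.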
diff --git a/overlays/pkgs/ssh-tpm-agent.nix b/overlays/pkgs/ssh-tpm-agent.nix deleted file mode 100644 index 0f960fc..0000000 --- a/overlays/pkgs/ssh-tpm-agent.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ lib -, buildGo122Module -, fetchFromGitHub -, openssl -}: - -buildGo122Module rec { - pname = "ssh-tpm-agent"; - version = "0.3.1"; - - src = fetchFromGitHub { - owner = "Foxboron"; - repo = "ssh-tpm-agent"; - rev = "v${version}"; - hash = "sha256-8CGSiCOcns4cWkYWqibs6hAFRipYabKPCpkhxF4OE8w="; - }; - - proxyVendor = true; - - vendorHash = "sha256-zUAIesBeuh1zlxXcjKSNmMawZGgUr9z3NzT0XKn/YCQ="; - - buildInputs = [ - openssl - ]; - - meta = with lib; { - description = "SSH agent with support for TPM sealed keys for public key authentication"; - homepage = "https://github.com/Foxboron/ssh-agent-tpm"; - license = licenses.mit; - platforms = platforms.linux; - maintainers = with maintainers; [ sgo ]; - }; -} From cc19e46df0ea70e1465b16fab4b90be947e07b1b Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 9 Jul 2024 21:16:26 +0800 Subject: [PATCH 078/136] dolomite: fix lightsail --- machines/dolomite/default.nix | 4 +- machines/dolomite/ec2-metadata-fetcher.sh | 66 +++++++++++++++++++++++ machines/dolomite/lightsail.nix | 8 +-- 3 files changed, 70 insertions(+), 8 deletions(-) create mode 100644 machines/dolomite/ec2-metadata-fetcher.sh diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index e8b2797..a6fcfc5 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,6 +1,6 @@ { config, lib, ... }: let - awsHosts = [ "tok-00 "]; + awsHosts = [ "tok-00"]; bwgHosts = [ "la-00" ]; in { @@ -80,7 +80,7 @@ in }; nix.settings = { - trusted-users = config.users.groups.wheel.members; + trusted-users = config.users.groups.wheel.members ++ [ "root" ]; }; services.sing-box = let diff --git a/machines/dolomite/ec2-metadata-fetcher.sh b/machines/dolomite/ec2-metadata-fetcher.sh new file mode 100644 index 0000000..716aff7 --- /dev/null 
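Review bot: `trusted-users = config.users.groups.wheel.members ++ [ "root" ];` in the second `machines/dolomite/default.nix` hunk makes every wheel member a Nix trusted user, which is close to root-equivalent on the host (trusted users may set substituters and other restricted daemon options), so the list should be limited to the accounts that actually need it; a later commit in this series reduces it to `[ "root" ]`. A one-line comment on why anyone beyond root needs it, if that is reinstated, would help the next reader. The first hunk's `"tok-00"` whitespace fix is fine.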
+++ b/machines/dolomite/ec2-metadata-fetcher.sh 
@@ -0,0 +1,66 @@
+metaDir=/etc/ec2-metadata
+mkdir -m 0755 -p "$metaDir"
+rm -f "$metaDir/*"
+
+get_imds_token() {
+ # retry-delay of 1 selected to give the system a second to get going,
+ # but not add a lot to the bootup time
+ curl \
+ --silent \
+ --show-error \
+ --retry 3 \
+ --retry-delay 1 \
+ --fail \
+ -X PUT \
+ --connect-timeout 1 \
+ -H "X-aws-ec2-metadata-token-ttl-seconds: 600" \
+ http://169.254.169.254/latest/api/token
+}
+
+preflight_imds_token() {
+ # retry-delay of 1 selected to give the system a second to get going,
+ # but not add a lot to the bootup time
+ curl \
+ --silent \
+ --show-error \
+ --retry 3 \
+ --retry-delay 1 \
+ --fail \
+ --connect-timeout 1 \
+ -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
+ -o /dev/null \
+ http://169.254.169.254/1.0/meta-data/instance-id
+}
+
+try=1
+while [ $try -le 3 ]; do
+ echo "(attempt $try/3) getting an EC2 instance metadata service v2 token..."
+ IMDS_TOKEN=$(get_imds_token) && break
+ try=$((try + 1))
+ sleep 1
+done
+
+if [ "x$IMDS_TOKEN" == "x" ]; then
+ echo "failed to fetch an IMDS2v token."
+fi
+
+try=1
+while [ $try -le 10 ]; do
+ echo "(attempt $try/10) validating the EC2 instance metadata service v2 token..."
+ preflight_imds_token && break
+ try=$((try + 1))
+ sleep 1
+done
+
+echo "getting EC2 instance metadata..."
+
+get_imds() {
+ # --fail to avoid populating missing files with 404 HTML response body
+ # || true to allow the script to continue even when encountering a 404
+ curl --silent --show-error --fail --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@" || true
+}
+
+get_imds -o "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path
+(umask 077 && get_imds -o "$metaDir/user-data" http://169.254.169.254/1.0/user-data)
+get_imds -o "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname
+get_imds -o "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
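Review bot: `rm -f "$metaDir/*"` on the third line quotes the glob, so it only tries to remove a file literally named `*` and never clears stale metadata from a previous boot; write `rm -f "$metaDir"/*` instead. When no token is obtained the script only prints `failed to fetch an IMDS2v token.` and carries on, so the ten preflight attempts and the four `get_imds` calls then run with an empty `X-aws-ec2-metadata-token` header and, because of `|| true`, silently leave the files missing; if that best-effort behaviour is intended, say so in a comment and `exit 0` after the message to skip the pointless retries. `[ "x$IMDS_TOKEN" == "x" ]` is a bashism — use `=` if this may run under `sh`. The `umask 077` subshell around `user-data` is the right call, since user-data commonly carries bootstrap secrets; the other files are public values and the default umask is fine for them.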
diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index a71c460..bd8634c 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix @@ -26,23 +26,19 @@ in boot.growPartition = true; - fileSystems."/" = mkIf (!cfg.zfs.enable) { + fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; autoResize = true; }; - fileSystems."/boot" = mkIf (cfg.efi || cfg.zfs.enable) { + fileSystems."/boot" = { # The ZFS image uses a partition labeled ESP whether or not we're # booting with EFI. device = "/dev/disk/by-label/ESP"; fsType = "vfat"; }; - services.zfs.expandOnBoot = mkIf cfg.zfs.enable "all"; - - boot.zfs.devNodes = mkIf cfg.zfs.enable "/dev/"; - boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; From 3771134e3ad770a5b571d40b56aaf921c410cb00 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 9 Jul 2024 21:17:10 +0800 Subject: [PATCH 079/136] overlays: add oidc-agent --- flake.lock | 8 +- flake.nix | 2 +- home/xin/common/default.nix | 1 - machines/calcite/configuration.nix | 14 ++- modules/home-manager/vscode.nix | 2 +- modules/nixos/default.nix | 1 + modules/nixos/inbounds.nix | 126 +++++++++++++++++++++++++++ modules/nixos/oidc-agent.nix | 50 +++++++++++ overlays/add-pkgs.nix | 2 + overlays/pkgs/oidc-agent/default.nix | 58 ++++++++++++ 10 files changed, 256 insertions(+), 8 deletions(-) create mode 100644 modules/nixos/inbounds.nix create mode 100644 modules/nixos/oidc-agent.nix create mode 100644 overlays/pkgs/oidc-agent/default.nix diff --git a/flake.lock b/flake.lock index a1c98d7..5b6c4a9 100644 --- a/flake.lock +++ b/flake.lock 
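Review bot: The comment kept above the `/boot` entry, `The ZFS image uses a partition labeled ESP whether or not we're booting with EFI.`, now explains a condition this hunk removes, so it reads as stale once the `mkIf` guards and the `services.zfs`/`boot.zfs` lines are gone; either drop it or reword it to say the image always carries an ESP-labelled partition. The removed guards referenced `cfg.zfs.enable` and `cfg.efi`; if those options are still declared elsewhere in the file (the `let … in` header is outside the hunk) they are now dead and should be removed or documented as no-ops.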
@@ -174,17 +174,17 @@ }, "nixpkgs": { "locked": { - "lastModified": 1716948383, - "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=", + "lastModified": 1718870667, + "narHash": "sha256-jab3Kpc8O1z3qxwVsCMHL4+18n5Wy/HHKyu1fcsF7gs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ad57eef4ef0659193044870c731987a6df5cf56b", + "rev": "9b10b8f00cb5494795e5f51b39210fed4d2b0748", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", "repo": "nixpkgs", + "rev": "9b10b8f00cb5494795e5f51b39210fed4d2b0748", "type": "github" } }, diff --git a/flake.nix b/flake.nix index fe3632d..f01c389 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { inputs = { # Pin nixpkgs to a specific commit - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/9b10b8f00cb5494795e5f51b39210fed4d2b0748"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; home-manager = { diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index d4bc579..c5b2817 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -14,7 +14,6 @@ tmux ffmpeg tealdeer - neofetch rclone inetutils diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index d53496a..7de3001 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -40,6 +40,17 @@ gamescopeSession = { enable = true; }; }; + programs.oidc-agent.enable = true; + programs.oidc-agent.providers = [ + { issuer = "https://home.xinyang.life:9201"; + pubclient = { + client_id = "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69"; + client_secret = "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"; + scope = "openid offline_access profile email"; + }; + } + ]; + programs.vim.defaultEditor = true; # Keep this even if enabled in home manager 
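Review bot: The `programs.oidc-agent.providers` block in the `machines/calcite/configuration.nix` hunk commits an OAuth `client_secret` literal to the repository, and any NixOS option value that is rendered to a file ends up in the world-readable Nix store, so the secret should live in sops (this repository already manages age-encrypted sops files) and be referenced by path rather than inlined; the value now in git history should be treated as exposed and rotated at the issuer. Note also that the oidc-agent module added in the same commit has its `issuer.config` generation commented out, so this provider list is evaluated but never written anywhere, which makes the exposure a pure cost with no effect. A comment on the block, `# provider credentials: keep in sops, never inline — rendered config lands in /nix/store`, would stop this from recurring.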
@@ -97,7 +108,7 @@ # Enable CUPS to print documents. services.printing.enable = true; - services.printing.drivers = [ pkgs.hplip ]; + # services.printing.drivers = [ pkgs.hplip ]; # Enable sound with pipewire. sound.enable = true; @@ -145,6 +156,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ + oidc-agent # Filesystem owncloud-client nfs-utils diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 6405310..e08eedb 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -17,7 +17,7 @@ let }; }; cxxPackages = { - systemPackages = with pkgs; [ clang-tools ]; + systemPackages = with pkgs; [ clang-tools cmake-format ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ llvm-vs-code-extensions.vscode-clangd (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index a19ba87..c3d43a0 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -9,5 +9,6 @@ ./kanidm-client.nix ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge ./forgejo-actions-runner.nix + ./oidc-agent.nix ]; } diff --git a/modules/nixos/inbounds.nix b/modules/nixos/inbounds.nix new file mode 100644 index 0000000..0cbd33f --- /dev/null +++ b/modules/nixos/inbounds.nix 
@@ -0,0 +1,126 @@ +{ config +, lib +, ... }: +let + cfg = config.custom.sing-box-server; + + secretFileType = lib.types.submodule { + _secret = lib.types.path; + }; + singTls = { + enabled = true; + server_name = config.deployment.targetHost; + key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; + certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; + }; +in +{ + options = { + enable = lib.mkEnableOption "sing-box proxy server"; + users = lib.types.listOf lib.types.submodule { + name = lib.mkOption { + type = lib.types.str; + default = "proxy"; + }; + password = lib.mkOption { + type = secretFileType; + }; + uuid = lib.mkOption { + type = secretFileType; + }; + }; + wgOut = { + privKeyFile = lib.mkOption { + type = lib.types.path; + }; + pubkey = lib.mkOption { + type = lib.types.str; + default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; + }; + }; + inbounds = { + trojan = { + enable = lib.mkOption { + type = lib.types.bool; + default = true; + }; + }; + tuic = { + enable = lib.mkOption { + type = lib.types.bool; + default = true; + }; + ports = lib.mkOption { + type = lib.types.listOf lib.types.int; + default = lib.range 6311 6313; + }; + directPorts = lib.mkOption { + type = lib.types.listOf lib.types.int; + default = [ 6314 ]; + }; + }; + }; + }; + config = lib.mkIf cfg.enable { + services.sing-box = { + enable = true; + settings = { + dns = { + servers = [ + { + address = "1.1.1.1"; + detour = "wg-out"; + } + ]; + }; + inbounds = [ + # TODO: Trojan and tuic enable + { + tag = "trojan-in"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = map (u: removeAttrs u [ "uuid" ]) cfg.users; + tls = singTls; + } + ] ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: { + tag = "tuic-in" + toString port; + type = "tuic"; + listen = "::"; + listen_port = port; + congestion_control = "bbr"; + users = cfg.users; + tls = singTls; + }); + outbounds = [ 
+ { + type = "wireguard"; + tag = "wg-out"; + private_key = cfg.wgOut.privKeyFile; + local_address = [ + "172.16.0.2/32" + "2606:4700:110:82ed:a443:3c62:6cbc:b59b/128" + ]; + peers = [ + { public_key= cfg.wgOut.pubkey; + allowed_ips = [ "0.0.0.0/0" "::/0" ]; + server = "162.159.192.1"; + server_port = 500; + } + ]; + } + { type = "direct"; tag = "direct-out"; } + { type = "dns"; tag = "dns-out"; } + ]; + route = { + rules = [ + { outbound = "dns-out"; protocol = "dns"; } + ] ++ lib.forEach cfg.tuic.directPorts (port: { + inbound = "tuic-in" + toString port; + outbound = "direct-out"; + }); + }; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/nixos/oidc-agent.nix b/modules/nixos/oidc-agent.nix new file mode 100644 index 0000000..35ce679 --- /dev/null +++ b/modules/nixos/oidc-agent.nix 
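Review bot: The option declarations in the new `modules/nixos/inbounds.nix` do not match what its `config` section reads: `cfg` is `config.custom.sing-box-server`, but `options` is declared at the top level, `users` is assigned a bare `lib.types.listOf …` type instead of an `mkOption`, `secretFileType` is a `submodule` whose body is a type rather than an `options` set, and the config reads `cfg.tuic.ports`/`cfg.tuic.directPorts` while those options are declared under `inbounds.tuic`; the module would fail evaluation once imported (this commit adds `./oidc-agent.nix` to `modules/nixos/default.nix` but not `./inbounds.nix`, which is presumably why it does not today). The WireGuard key is also handled differently from the other secrets: `private_key = cfg.wgOut.privKeyFile;` puts the path value itself into the rendered sing-box settings, whereas `password`/`uuid` go through the `_secret` wrapper; `private_key = { _secret = cfg.wgOut.privKeyFile; };` keeps the key material out of the generated config. The restructured declarations are sketched below; the `cfg.tuic.*` references in `config` would become `cfg.inbounds.tuic.*` to match. `inbounds.trojan.enable`/`inbounds.tuic.enable` are declared but unused, as the `TODO` already notes.
```nix
let
  cfg = config.custom.sing-box-server;

  # A secret is referenced by file path and substituted at runtime,
  # never inlined into the rendered settings.
  secretFileType = lib.types.submodule {
    options._secret = lib.mkOption { type = lib.types.path; };
  };
  # … unchanged: singTls …
in
{
  options.custom.sing-box-server = {
    enable = lib.mkEnableOption "sing-box proxy server";
    users = lib.mkOption {
      type = lib.types.listOf (lib.types.submodule {
        options = {
          name = lib.mkOption { type = lib.types.str; default = "proxy"; };
          password = lib.mkOption { type = secretFileType; };
          uuid = lib.mkOption { type = secretFileType; };
        };
      });
      default = [ ];
    };
    # … unchanged: wgOut and inbounds option sets …
  };
  # … unchanged: config (reading cfg.inbounds.tuic.*, private_key via _secret) …
}
```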
@@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkEnableOption mkOption types; + + cfg = config.programs.oidc-agent; + providerFormat = pkgs.formats.json {}; +in +{ + options.programs.oidc-agent = { + enable = mkEnableOption "OpenID Connect Agent"; + package = mkOption { + type = types.package; + default = pkgs.oidc-agent; + description = '' + Which oidc-agent package to use + ''; + }; + providers = mkOption { + type = providerFormat.type; + default = {}; + description = '' + Configuration of providers which contains a json array of json objects + each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.user.services.oidc-agent = { + unitConfig = { + Description = "OpenID Connect Agent"; + Documentation = "man:oidc-agent(1)"; + }; + serviceConfig = { + ExecStart = "${cfg.package}/bin/oidc-agent -d --log-stderr -a %t/oidc-agent"; + }; + }; + + # environment.etc."oidc-agent/config".source = "${pkgs.oidc-agent}/etc/oidc-agent/config"; + + # environment.etc."oidc-agent/issuer.config.d".source = + # "${pkgs.oidc-agent}/etc/oidc-agent/issuer.config.d"; + + # environment.etc."oidc-agent/issuer.config".source = + # providerFormat.generate "oidc-agent-issuer.config" cfg.providers; + + environment.extraInit = ''export OIDC_SOCK="$XDG_RUNTIME_DIR/oidc-agent"''; + }; +} diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix index 021dfcb..ce339b0 100644 --- a/overlays/add-pkgs.nix +++ b/overlays/add-pkgs.nix @@ -3,6 +3,8 @@ { nixpkgs.overlays = [ (self: super: { + oidc-agent = pkgs.callPackage ./pkgs/oidc-agent { }; + python3 = super.python312; }) ]; } diff --git a/overlays/pkgs/oidc-agent/default.nix b/overlays/pkgs/oidc-agent/default.nix new file mode 100644 index 0000000..42f398e --- /dev/null +++ b/overlays/pkgs/oidc-agent/default.nix 
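Review bot: The `providers` option in `modules/nixos/oidc-agent.nix` is never consumed: the `environment.etc."oidc-agent/issuer.config"` line that would render it with `providerFormat.generate` is commented out, so whatever a host sets (the calcite configuration in this same commit sets a provider with client credentials) is silently discarded; either wire it up or drop the option until it works, and state in its description that the rendered file lands in the Nix store, so credentials must not be placed in it. Its `default = {}` also contradicts the description, which says the value is a JSON array — `default = [ ];` matches. The user unit has no `wantedBy`, so unless it is started another way it will not come up with the user session; `wantedBy = [ "default.target" ];` is the usual choice for a user agent, and `OIDC_SOCK` in `environment.extraInit` already assumes it is running.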
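Review bot: In the `overlays/add-pkgs.nix` hunk, `pkgs.callPackage` inside an overlay reaches around the overlay chain — `self.callPackage ./pkgs/oidc-agent { }` is the conventional form and picks up other overlaid packages. `python3 = super.python312;` globally replaces the default python3 for the whole package set, which presumably rebuilds a large part of the closure; a one-line comment on why that is wanted here (rather than a per-package override) would save the next reader from undoing it.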
@@ -0,0 +1,58 @@ +{ lib +, stdenv +, fetchFromGitHub +, curl +, webkitgtk +, libmicrohttpd +, libsecret +, qrencode +, libsodium +, pkg-config +, help2man +}: + +stdenv.mkDerivation rec { + pname = "oidc-agent"; + version = "5.1.0"; + + src = fetchFromGitHub { + owner = "indigo-dc"; + repo = "oidc-agent"; + rev = "v${version}"; + sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c=" + ; + }; + + buildInputs = [ + pkg-config + help2man + ]; + nativeBuildInputs = [ + curl + webkitgtk + libmicrohttpd + libsecret + qrencode + libsodium + ]; + enableParallelBuilding = true; + + installPhase = '' + make -j $NIX_BUILD_CORES PREFIX=$out BIN_PATH=$out LIB_PATH=$out/lib \ + install_bin install_lib install_conf + ''; + postFixup = '' + # Override with patched binary to be used by help2man + cp -r $out/bin/* bin + make install_man PREFIX=$out + ''; + + + meta = with lib; { + description = "oidc-agent for managing OpenID Connect tokens on the command line"; + homepage = "https://github.com/indigo-dc/oidc-agent"; + maintainers = [ ]; + license = licenses.mit; + }; +} + From d23748567b0b9dc06cb14da54cd3ba2aa49b3cc5 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 10 Jul 2024 16:39:00 +0800 Subject: [PATCH 080/136] massicot: use conduit native well_known handler --- flake.lock | 6 +++--- machines/dolomite/default.nix | 2 +- machines/massicot/services.nix | 17 ++++++----------- 3 files changed, 10 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 5b6c4a9..1d9d40d 100644 --- a/flake.lock +++ b/flake.lock @@ -158,11 +158,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1716987116, - "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=", + "lastModified": 1720515935, + "narHash": "sha256-8b+fzR4W2hI5axwB+4nBwoA15awPKkck4ghhCt8v39M=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "8251761f93d6f5b91cee45ac09edb6e382641009", + "rev": "a111ce6b537df12a39874aa9672caa87f8677eda", "type": "github" }, "original": { 
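Review bot: `buildInputs` and `nativeBuildInputs` are swapped in the new `overlays/pkgs/oidc-agent/default.nix`: `pkg-config` and `help2man` are build-time tools and belong in `nativeBuildInputs`, while `curl`, `webkitgtk`, `libmicrohttpd`, `libsecret`, `qrencode` and `libsodium` are libraries linked into the result and belong in `buildInputs`; as written the pkg-config setup hook does not run for the build platform and cross builds would resolve the tools for the wrong platform. The stray `;` on its own line after the `sha256` string is legal Nix but reads like a typo — join it to the preceding line. `installPhase` hard-codes `make -j $NIX_BUILD_CORES … install_bin install_lib install_conf`; a short comment saying why the default `make install` is not used would help, and `maintainers = [ ];` could name the overlay owner.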
diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index a6fcfc5..69ac5cc 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -80,7 +80,7 @@ in }; nix.settings = { - trusted-users = config.users.groups.wheel.members ++ [ "root" ]; + trusted-users = [ "root" ]; }; services.sing-box = let diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index a0efd28..a9889f0 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -85,6 +85,11 @@ in log = "info"; database_backend = "rocksdb"; allow_registration = false; + + well_known = { + client = "https://msg.xinyang.life"; + server = "msg.xinyang.life:443"; + }; }; }; @@ -160,17 +165,7 @@ in virtualHosts."xinyang.life:443".extraConfig = '' tls internal encode zstd gzip - handle_path /.well-known/matrix/client { - header Content-Type "application/json" - header Access-Control-Allow-Origin "*" - header Content-Disposition attachment; filename="client" - respond `{"m.homeserver":{"base_url":"https://msg.xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://msg.xinyang.life/"}}` - } - handle_path /.well-known/matrix/server { - header Content-Type "application/json" - header Access-Control-Allow-Origin "*" - respond `{"m.server": "msg.xinyang.life:443"}` - } + reverse_proxy /.well-known/matrix/* localhost:6167 reverse_proxy * http://localhost:8080 { flush_interval -1 } From dd2feddfd6ed30516632850ed9c831f9619a9d36 Mon Sep 17 00:00:00 2001 
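Review bot: The removed Caddy handler for `/.well-known/matrix/client` in the second `machines/massicot/services.nix` hunk returned an `Access-Control-Allow-Origin "*"` header and an `org.matrix.msc3575.proxy` entry; the replacement `reverse_proxy /.well-known/matrix/* localhost:6167` serves only what conduit's `well_known` block (first hunk) emits, which is `client` and `server`. Web clients on other origins need the CORS header on the client well-known response and sliding-sync clients relied on the proxy URL, so confirm conduit sets the header itself — otherwise keep a `header /.well-known/matrix/* Access-Control-Allow-Origin "*"` for that path — and re-add the MSC3575 entry if it is still needed. The `virtualHosts` block continues outside the second hunk.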
From: xinyangli Date: Thu, 4 Apr 2024 01:44:27 +0800 Subject: [PATCH 081/136] Initial commit --- .clang-format | 2 + .envrc | 1 + .gitignore | 97 ++++++++++++++++++++++++ CMakeLists.txt | 9 +++ flake.lock | 172 +++++++++++++++++++++++++++++++++++++++++++ flake.nix | 43 +++++++++++ include/api.h | 35 +++++++++ include/difftest.hpp | 4 + src/CMakeLists.txt | 2 + src/main.cpp | 5 ++ 10 files changed, 370 insertions(+) create mode 100644 .clang-format create mode 100644 .envrc create mode 100644 .gitignore create mode 100644 CMakeLists.txt create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 include/api.h create mode 100644 include/difftest.hpp create mode 100644 src/CMakeLists.txt create mode 100644 src/main.cpp diff --git a/.clang-format b/.clang-format new file mode 100644 index 0000000..f6b8fdf --- /dev/null +++ b/.clang-format @@ -0,0 +1,2 @@ +--- +BasedOnStyle: LLVM diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..3550a30 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9875358 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,97 @@ +.direnv/ +.pre-commit-config.yaml + +# Created by https://www.toptal.com/developers/gitignore/api/c++,c,cmake +# Edit at https://www.toptal.com/developers/gitignore?templates=c++,c,cmake + +### C ### +# Prerequisites +*.d + +# Object files +*.o +*.ko +*.obj +*.elf + +# Linker output +*.ilk +*.map +*.exp + +# Precompiled Headers +*.gch +*.pch + +# Libraries +*.lib +*.a +*.la +*.lo + +# Shared objects (inc. Windows DLLs) +*.dll +*.so +*.so.* +*.dylib + +# Executables +*.exe +*.out +*.app +*.i*86 +*.x86_64 +*.hex + +# Debug files +*.dSYM/ +*.su +*.idb +*.pdb + +# Kernel Module Compile Results +*.mod* +*.cmd +.tmp_versions/ +modules.order +Module.symvers +Mkfile.old +dkms.conf + +### C++ ### +# Prerequisites + +# Compiled Object files +*.slo + +# Precompiled Headers + +# Compiled Dynamic libraries + +# Fortran module files +*.mod +*.smod + +# Compiled Static libraries +*.lai + +# Executables + +### CMake ### +CMakeLists.txt.user +CMakeCache.txt +CMakeFiles +CMakeScripts +Testing +Makefile +cmake_install.cmake +install_manifest.txt +compile_commands.json +CTestTestfile.cmake +_deps + +### CMake Patch ### +# External projects +*-prefix/ + +# End of https://www.toptal.com/developers/gitignore/api/c++,c,cmake diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100644 index 0000000..da2aa01 --- /dev/null +++ b/CMakeLists.txt @@ -0,0 +1,9 @@ +cmake_minimum_required(VERSION 3.26) + +project(difftest) +set(CMAKE_CXX_STANDARD 17) +set(CMAKE_C_STANDARD 17) + +include_directories(include) +add_subdirectory(src) + diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..513a7e2 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,172 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1711703276, + "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + 
"locked": { + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils_2", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1712055707, + "narHash": "sha256-4XLvuSIDZJGS17xEwSrNuJLL7UjDYKGJSbK1WWX2AK8=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "e35aed5fda3cc79f88ed7f1795021e559582093a", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "pre-commit-hooks": "pre-commit-hooks" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..6966514 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,43 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + flake-utils.url = "github:numtide/flake-utils"; + pre-commit-hooks = { + url = "github:cachix/pre-commit-hooks.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = { self, ... }@inputs: with inputs; + flake-utils.lib.eachDefaultSystem (system: + let + pkgs = import nixpkgs { inherit system; }; + in + { + checks = { + pre-commit-check = pre-commit-hooks.lib.${system}.run { + src = ./.; + hooks = { + trim-trailing-whitespace.enable = true; + clang-format = { + enable = true; + types_or = pkgs.lib.mkForce [ "c" "c++" ]; + }; + nil.enable = true; + nixpkgs-fmt.enable = true; + }; + }; + }; + devShells.default = with pkgs; mkShell { + inherit (self.checks.${system}.pre-commit-check) shellHook; + buildInputs = self.checks.${system}.pre-commit-check.enabledPackages; + packages = [ + clang-tools + cmake + gdb + ]; + }; + } + ); +} + diff --git a/include/api.h b/include/api.h new file mode 100644 index 0000000..bf966f2 --- /dev/null +++ b/include/api.h @@ -0,0 +1,35 @@ +#ifndef _DIFFTEST_API_H_ +#define _DIFFTEST_API_H_ + +#include + +extern "C" { + +typedef struct { + enum { + ACT_NONE, + ACT_BREAKPOINT, + ACT_WATCH, + ACT_RWATCH, + ACT_WWATCH, + ACT_SHUTDOWN + } reason; + size_t data; +} gdb_action_t; + +typedef enum { BP_SOFTWARE = 0, BP_WRITE, BP_READ, BP_ACCESS } bp_type_t; + +struct target_ops { + void (*cont)(void *args, gdb_action_t *res); + void (*stepi)(void *args, gdb_action_t *res); + int (*read_reg)(void *args, int regno, size_t *value); + int (*write_reg)(void *args, int regno, size_t value); + int (*read_mem)(void *args, size_t addr, size_t len, void *val); + int (*write_mem)(void *args, size_t addr, size_t len, void *val); + bool (*set_bp)(void *args, size_t addr, bp_type_t type); + bool (*del_bp)(void *args, size_t addr, bp_type_t type); + void (*on_interrupt)(void *args); +}; +} + +#endif \ No newline at end of file 
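Review bot: `include/api.h` wraps its declarations in `extern "C" {` without an `#ifdef __cplusplus` guard, so the header is only includable from C++ despite the `.h` name; either guard the block or rename it `.hpp`. The `bool` in the `set_bp`/`del_bp` function-pointer types needs `<stdbool.h>` from C (pre-C23) and `size_t` needs `<stddef.h>` — the target of the single `#include` line is lost in this rendering, so confirm it covers both. `_DIFFTEST_API_H_` begins with an underscore followed by a capital letter, which is reserved for the implementation in both C and C++; `DIFFTEST_API_H_` avoids that. A header comment stating that `target_ops` is the callback table a simulator implements for the GDB-style stub (and that `data` in `gdb_action_t` holds the address for the breakpoint/watch reasons, if that is what it is — the hunk does not say) would make the interface self-describing.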
diff --git a/include/difftest.hpp b/include/difftest.hpp new file mode 100644 index 0000000..3fe1dcd --- /dev/null +++ b/include/difftest.hpp @@ -0,0 +1,4 @@ +#ifndef _DIFFTEST_DIFFTEST_H_ +#define _DIFFTEST_DIFFTEST_H_ + +#endif \ No newline at end of file diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt new file mode 100644 index 0000000..cf986e3 --- /dev/null +++ b/src/CMakeLists.txt @@ -0,0 +1,2 @@ +add_executable(test main.cpp) + diff --git a/src/main.cpp b/src/main.cpp new file mode 100644 index 0000000..6752843 --- /dev/null +++ b/src/main.cpp @@ -0,0 +1,5 @@ +#include + +using reg_t = uint32_t; + +int main() { return 0; } From 9d54c2d56c8534b5c2c6f62bf35d480a51088fa2 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 14 Jul 2024 14:04:52 +0800 Subject: [PATCH 082/136] update flake --- flake.lock | 66 ++++++++++----------- flake.nix | 4 +- home/xin/common/default.nix | 1 + machines/calcite/configuration.nix | 8 ++- machines/calcite/hardware-configuration.nix | 4 +- modules/home-manager/vscode.nix | 4 ++ 6 files changed, 48 insertions(+), 39 deletions(-) diff --git a/flake.lock b/flake.lock index 1d9d40d..4e0d662 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "catppuccin": { "locked": { - "lastModified": 1717070887, - "narHash": "sha256-ZTEMINFqQL+m55kmoDYIKf3i2NGitSkjBnnLu99ezh0=", + "lastModified": 1720472194, + "narHash": "sha256-CYscFEts6tyvosc1T29nxhzIYJAj/1CCEkV3ZMzSN/c=", "owner": "catppuccin", "repo": "nix", - "rev": "2c7661c9fa26a920b8088300ef87d14179c71a27", + "rev": "d75d5803852fb0833767dc969a4581ac13204e22", "type": "github" }, "original": { 
@@ -99,11 +99,11 @@ ] }, "locked": { - "lastModified": 1717052710, - "narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=", + "lastModified": 1720734513, + "narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=", "owner": "nix-community", "repo": "home-manager", - "rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae", + "rev": "90ae324e2c56af10f20549ab72014804a3064c7f", "type": "github" }, "original": { @@ -119,11 +119,11 @@ ] }, "locked": { - "lastModified": 1716772633, - "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=", + "lastModified": 1720926593, + "narHash": "sha256-fW6e27L6qY6s+TxInwrS2EXZZfhMAlaNqT0sWS49qMA=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac", + "rev": "5fe5b0cdf1268112dc96319388819b46dc051ef4", "type": "github" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1717032429, - "narHash": "sha256-1+87CE8xOUsJChiq9aNQqWPKoWMuyurW+aXrGbMWH7I=", + "lastModified": 1720920808, + "narHash": "sha256-aq9nBiDz0i+JH47YDtPcx/f5OaMMxy/JvBNLDMe97aI=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "0309d806a5431a46fb7fd81e20d7133ac8b1de55", + "rev": "2571d560820e4ce23cf060a4460cebc0d9d17f60", "type": "github" }, "original": { @@ -158,11 +158,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1720515935, - "narHash": "sha256-8b+fzR4W2hI5axwB+4nBwoA15awPKkck4ghhCt8v39M=", + "lastModified": 1720737798, + "narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a111ce6b537df12a39874aa9672caa87f8677eda", + "rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751", "type": "github" }, "original": { 
@@ -174,59 +174,59 @@ }, "nixpkgs": { "locked": { - "lastModified": 1718870667, - "narHash": "sha256-jab3Kpc8O1z3qxwVsCMHL4+18n5Wy/HHKyu1fcsF7gs=", + "lastModified": 1720768451, + "narHash": "sha256-EYekUHJE2gxeo2pM/zM9Wlqw1Uw2XTJXOSAO79ksc4Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9b10b8f00cb5494795e5f51b39210fed4d2b0748", + "rev": "7e7c39ea35c5cdd002cd4588b03a3fb9ece6fad9", "type": "github" }, "original": { "owner": "nixos", + "ref": "nixos-unstable", "repo": "nixpkgs", - "rev": "9b10b8f00cb5494795e5f51b39210fed4d2b0748", "type": "github" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "lastModified": 1720691131, + "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1716655032, - "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=", + "lastModified": 1720915306, + "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f", + "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.11", + "ref": "release-24.05", "repo": "nixpkgs", "type": "github" } }, "nur": { "locked": { - "lastModified": 1717079713, - "narHash": "sha256-mvTQgi86WwALm6NGi9tvCx92zrNjSr8Mz+nCqbG0ZhE=", + "lastModified": 1720935990, + "narHash": "sha256-SAji50yPFmnQfD2XsDHk6tqEkRHDcWMpEoOlnEneqAY=", "owner": "nix-community", "repo": "NUR", - "rev": "1a7bbb238afcada295aabc758941ce82e6b1d292", + "rev": "42851361fdfde870bfd7e3c71f2ac5d3113c63d6", "type": "github" }, "original": { 
@@ -258,11 +258,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1716692524, - "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=", + "lastModified": 1720926522, + "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "962797a8d7f15ed7033031731d0bb77244839960", + "rev": "0703ba03fd9c1665f8ab68cc3487302475164617", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f01c389..3433ffa 100644 --- a/flake.nix +++ b/flake.nix @@ -1,8 +1,8 @@ { inputs = { # Pin nixpkgs to a specific commit - nixpkgs.url = "github:nixos/nixpkgs/9b10b8f00cb5494795e5f51b39210fed4d2b0748"; - nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05"; home-manager = { url = "github:nix-community/home-manager"; diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index c5b2817..44cb225 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -15,6 +15,7 @@ ffmpeg tealdeer rclone + wl-clipboard inetutils ]; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 7de3001..502498d 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -187,8 +187,9 @@ gnomeExtensions.paperwm gnomeExtensions.search-light gnomeExtensions.appindicator - gnome.gnome-tweaks - gnome.gnome-themes-extra + gnomeExtensions.pano + gnome-tweaks + gnome-themes-extra gnome.gnome-remote-desktop bibata-cursors gthumb @@ -202,6 +203,7 @@ element-desktop tdesktop qq + feishu # Password manager bitwarden @@ -317,4 +319,6 @@ autoPrune.enable = true; }; }; + + services.nixseparatedebuginfod.enable = true; } diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 94415af..8a08bcd 100644 --- a/machines/calcite/hardware-configuration.nix 
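Review bot: The comment `# Pin nixpkgs to a specific commit` above the changed `nixpkgs.url` line is now stale: the hunk replaces the pinned revision with the moving branch ref `nixos-unstable`, so the only pin left is the one in flake.lock. Reword it to `# Track nixos-unstable; the exact revision is pinned by flake.lock` so the next reader does not look for a commit hash that is no longer there. The `nixpkgs-stable` bump to `nixos-24.05` matches the `release-24.05` change in the lock file.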
+++ b/machines/calcite/hardware-configuration.nix @@ -49,9 +49,9 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - hardware.opengl = { + hardware.graphics = { enable = true; - driSupport32Bit = true; + enable32Bit = true; }; hardware.nvidia = { diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index e08eedb..32b09e7 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -28,6 +28,10 @@ let "cmake.configureOnEdit" = false; "cmake.showOptionsMovedNotification" = false; "cmake.showNotAllDocumentsSavedQuestion" = false; + "cmake.pinnedCommands" = [ + "workbench.action.tasks.configureTaskRunner" + "workbench.action.tasks.runTask" + ]; "C_Cpp.intelliSenseEngine" = "Disabled"; }; }; From 5ddf0b48beb73f0f3dd2c3cdd189c55efcbd7568 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 15 Jul 2024 18:47:44 +0800 Subject: [PATCH 083/136] feat: initial support --- .gitignore | 41 ++++++++++++++++++ CMakeLists.txt | 1 - flake.lock | 21 ++++++++++ flake.nix | 14 ++++++- include/api.h | 35 ---------------- include/api.hpp | 68 ++++++++++++++++++++++++++++++ include/config.hpp | 14 +++++++ include/difftest.hpp | 69 +++++++++++++++++++++++++++++++ src/CMakeLists.txt | 5 ++- src/cli.cpp | 25 +++++++++++ src/difftest.cpp | 98 ++++++++++++++++++++++++++++++++++++++++++++ src/loader.cpp | 76 ++++++++++++++++++++++++++++++++++ src/main.cpp | 24 +++++++++-- 13 files changed, 449 insertions(+), 42 deletions(-) delete mode 100644 include/api.h create mode 100644 include/api.hpp create mode 100644 include/config.hpp create mode 100644 src/cli.cpp create mode 100644 src/difftest.cpp create mode 100644 src/loader.cpp diff --git a/.gitignore b/.gitignore index 9875358..6ba7f7d 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,4 +1,7 @@ +.cache/ +.vscode/ .direnv/ +build/ .pre-commit-config.yaml # Created by https://www.toptal.com/developers/gitignore/api/c++,c,cmake @@ -95,3 +98,41 @@ _deps *-prefix/ # End of https://www.toptal.com/developers/gitignore/api/c++,c,cmake +# Created by https://www.toptal.com/developers/gitignore/api/c++ +# Edit at https://www.toptal.com/developers/gitignore?templates=c++ + +### C++ ### +# Prerequisites +*.d + +# Compiled Object files +*.slo +*.lo +*.o +*.obj + +# Precompiled Headers +*.gch +*.pch + +# Compiled Dynamic libraries +*.so +*.dylib +*.dll + +# Fortran module files +*.mod +*.smod + +# Compiled Static libraries +*.lai +*.la +*.a +*.lib + +# Executables +*.exe +*.out +*.app + +# End of https://www.toptal.com/developers/gitignore/api/c++ diff --git a/CMakeLists.txt b/CMakeLists.txt index da2aa01..de98228 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -6,4 +6,3 @@ set(CMAKE_C_STANDARD 17) include_directories(include) add_subdirectory(src) - diff --git a/flake.lock b/flake.lock index 513a7e2..b4bf5e4 100644 --- a/flake.lock +++ b/flake.lock @@ -105,6 +105,26 @@ "type": "github" } }, + "nur-xin": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1714033851, + "narHash": "sha256-Mi7m3p9vmtNOdyD1hLse/tzxDuV3bwP0gKrmOBPiQ4c=", + "ref": "refs/heads/master", + "rev": "809554f41ac44acc4b1ec21473746c2af9993f2f", + "revCount": 149, + "type": "git", + "url": "https://git.xinyang.life/xin/nur.git" + }, + "original": { + "type": "git", + "url": "https://git.xinyang.life/xin/nur.git" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", @@ -133,6 +153,7 @@ "inputs": { "flake-utils": "flake-utils", "nixpkgs": "nixpkgs", + "nur-xin": "nur-xin", "pre-commit-hooks": "pre-commit-hooks" } }, diff --git a/flake.nix b/flake.nix index 6966514..f79213a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,6 +2,10 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; flake-utils.url = "github:numtide/flake-utils"; + nur-xin = { + url = "git+https://git.xinyang.life/xin/nur.git"; + inputs.nixpkgs.follows = "nixpkgs"; + }; pre-commit-hooks = { url = "github:cachix/pre-commit-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -11,7 +15,13 @@ outputs = { self, ... }@inputs: with inputs; flake-utils.lib.eachDefaultSystem (system: let - pkgs = import nixpkgs { inherit system; }; + pkgs = import nixpkgs { + inherit system; overlays = [ + (self: super: { + mini-gdbstub = nur-xin.legacyPackages.${system}.mini-gdbstub; + }) + ]; + }; in { checks = { @@ -35,6 +45,8 @@ clang-tools cmake gdb + cli11 + mini-gdbstub ]; }; } diff --git a/include/api.h b/include/api.h deleted file mode 100644 index bf966f2..0000000 --- a/include/api.h +++ /dev/null @@ -1,35 +0,0 @@ -#ifndef _DIFFTEST_API_H_ -#define _DIFFTEST_API_H_ - -#include - -extern "C" { - -typedef struct { - enum { - ACT_NONE, - ACT_BREAKPOINT, - ACT_WATCH, - ACT_RWATCH, - ACT_WWATCH, - ACT_SHUTDOWN - } reason; - size_t data; -} gdb_action_t; - -typedef enum { BP_SOFTWARE = 0, BP_WRITE, BP_READ, BP_ACCESS } bp_type_t; - -struct target_ops { - void (*cont)(void *args, gdb_action_t *res); - void (*stepi)(void *args, gdb_action_t *res); - int (*read_reg)(void *args, int regno, size_t *value); - int (*write_reg)(void *args, int regno, size_t value); - int (*read_mem)(void *args, size_t addr, size_t len, void *val); - int (*write_mem)(void *args, size_t addr, size_t len, void *val); - bool (*set_bp)(void *args, size_t addr, bp_type_t type); - bool (*del_bp)(void *args, size_t addr, bp_type_t type); - void (*on_interrupt)(void *args); -}; -} - -#endif \ No newline at end of file diff --git a/include/api.hpp b/include/api.hpp new file mode 100644 index 0000000..7a0f2d3 --- /dev/null +++ b/include/api.hpp 
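Review bot: The overlay added in the `pkgs = import nixpkgs { … }` hunk names its arguments `self: super:`, and that `self` shadows the flake's own `self` bound by `outputs = { self, ... }@inputs` a few lines above, which is easy to confuse in a later edit; the conventional `final: prev:` avoids it, e.g. `(final: prev: { mini-gdbstub = nur-xin.legacyPackages.${system}.mini-gdbstub; })`. The new `nur-xin` input is a self-hosted git URL with no `ref` or `rev`, so its exact revision is fixed only by the `narHash`/`rev` in flake.lock; that is consistent with the other inputs, but since this input is where `mini-gdbstub` comes from, a short comment next to it saying so would help whoever runs `nix flake update`.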
@@ -0,0 +1,68 @@ +#ifndef _DIFFTEST_API_H_ +#define _DIFFTEST_API_H_ + +#include +#include +#include +#include +#include + +// Target dynamic library has to implement these functions +struct TargetOps { + typedef void (*cont_t)(void *args, gdb_action_t *res); + cont_t cont; + + typedef void (*stepi_t)(void *args, gdb_action_t *res); + stepi_t stepi; + + typedef int (*read_reg_t)(void *args, int regno, size_t *value); + read_reg_t read_reg; + + typedef int (*write_reg_t)(void *args, int regno, size_t value); + write_reg_t write_reg; + + typedef int (*read_mem_t)(void *args, size_t addr, size_t len, void *val); + read_mem_t read_mem; + + typedef int (*write_mem_t)(void *args, size_t addr, size_t len, void *val); + write_mem_t write_mem; + + typedef bool (*set_bp_t)(void *args, size_t addr, bp_type_t type); + set_bp_t set_bp; + + typedef bool (*del_bp_t)(void *args, size_t addr, bp_type_t type); + del_bp_t del_bp; + + typedef void (*on_interrupt_t)(void *args); + on_interrupt_t on_interrupt; + + typedef void (*init_t)(void *args); + init_t init; +}; + +struct TargetMeta { + std::string name; + std::filesystem::path libpath; + void *dlhandle; +}; + +class Target { +public: + TargetOps ops; + TargetMeta meta; + arch_info_t arch; + size_t argsize; + std::vector args; // used as a buffer to store target specific values + + gdb_action_t last_res; + + Target(){}; + Target(const std::string &name, const std::string &prefix, + const std::filesystem::path &path); + ~Target(); + + bool is_on_breakpoint() const; + bool is_on_breakpoint(const gdb_action_t &res) const; +}; + +#endif \ No newline at end of file diff --git a/include/config.hpp b/include/config.hpp new file mode 100644 index 0000000..f08593f --- /dev/null +++ b/include/config.hpp @@ -0,0 +1,14 @@ +#include +#include +#include +#include +#include + +struct Config { + std::filesystem::path memory_file; + std::vector refs; + std::filesystem::path dut; + int cli_parse(int argc, char **argv); +}; + +extern Config config; 
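Review bot: `Target` declares a destructor (loader.cpp in this patch calls `dlclose(meta.dlhandle)` there) but no copy or move members, so the implicitly generated copy operations duplicate `dlhandle`, and each copy — the `std::move` into `Difftest`'s members in difftest.cpp, which falls back to copy assignment because the move operations are not generated, and the `refs.emplace_back` growth in main.cpp — ends with the same handle being closed more than once. The `new Target` that is never deleted in main.cpp of patch 087 looks like a workaround for exactly this. `Target(){}` also leaves `dlhandle` and every `ops` pointer indeterminate, so destroying a default-constructed Target closes a garbage handle. Give `dlhandle` a `nullptr` default, delete copying, declare move operations (defined in loader.cpp by swapping the members so the source is left with a null handle), and guard the destructor with `if (meta.dlhandle)`.
```cpp
struct TargetMeta {
  std::string name;
  std::filesystem::path libpath;
  void *dlhandle = nullptr;  // owned; must be closed exactly once by ~Target
};

class Target {
public:
  // … unchanged: ops, meta, arch, argsize, args, last_res …
  Target() = default;
  Target(const std::string &name, const std::string &prefix,
         const std::filesystem::path &path);
  ~Target();

  // The dlopen handle is a unique resource: forbid copies, allow moves that
  // leave the source with a null handle so ~Target on it is a no-op.
  Target(const Target &) = delete;
  Target &operator=(const Target &) = delete;
  Target(Target &&other) noexcept;
  Target &operator=(Target &&other) noexcept;
  // … unchanged: is_on_breakpoint declarations …
};
```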
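Review bot: config.hpp declares `extern Config config;` but no translation unit in this patch defines that object, and main.cpp instead creates a local `Config config` that shadows the declaration; either drop the `extern` line or define the object once and have main use it, but not both. The header also has no include guard while api.hpp and difftest.hpp do, so including it twice in one translation unit redefines `Config`; add `#pragma once` at the top.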
diff --git a/include/difftest.hpp b/include/difftest.hpp index 3fe1dcd..e4fbdd2 100644 --- a/include/difftest.hpp +++ b/include/difftest.hpp @@ -1,4 +1,73 @@ #ifndef _DIFFTEST_DIFFTEST_H_ #define _DIFFTEST_DIFFTEST_H_ +#include "api.hpp" +#include +#include +#include +#include + +#include +class Difftest { +private: + Target dut; + std::vector refs; + +public: + Difftest(Target &&dut, std::vector &&refs); + + void setup(const std::filesystem::path &memory_file); + gdb_action_t stepi(); + gdb_action_t cont(); + static bool check(Target &dut, Target &ref) { + for (int r = 0; r < dut.arch.reg_num; r++) { + size_t regdut = 0, regref = 0; + dut.ops.read_reg(dut.args.data(), r, ®dut); + ref.ops.read_reg(ref.args.data(), r, ®ref); + if (regdut != regref) { + std::cout << "reg: " << r << " dut: " << regdut << " ref: " << regref + << std::endl; + throw std::runtime_error("Difftest failed"); + } + } + return true; + }; + bool check_all(); + + class Iterator { + private: + Difftest &difftest; + size_t index; + bool on_dut; + + public: + Iterator(Difftest &difftest, size_t index, bool on_dut) + : difftest(difftest), index(index), on_dut(on_dut) {} + + Iterator &operator++() { + if (on_dut) { + on_dut = false; + } else { + ++index; + } + return *this; + } + + bool operator!=(const Iterator &other) const { + return index != other.index || on_dut != other.on_dut; + } + + Target &operator*() { + if (on_dut) { + return difftest.dut; + } else { + return difftest.refs.at(index); + } + } + }; + + Iterator begin() { return Iterator(*this, 0, true); } + + Iterator end() { return Iterator(*this, refs.size(), false); } +}; #endif \ No newline at end of file diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index cf986e3..e30dab7 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
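Review bot: `Difftest::check` discards the `int` status returned by `read_reg` on both targets, so if a read fails the two zero-initialised locals compare equal and the register is reported as matching; test the results, `if (dut.ops.read_reg(dut.args.data(), r, &regdut) != 0 || ref.ops.read_reg(ref.args.data(), r, &regref) != 0) throw std::runtime_error("read_reg failed");` (assuming non-zero means failure, which the API header does not state). The mismatch diagnostic goes to `std::cout`; `std::cerr` keeps it separate from any redirected program output. A one-line comment on `check` saying it throws rather than returning `false` would also help, since the `bool` return is otherwise misleading.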
@@ -1,2 +1,3 @@ -add_executable(test main.cpp) - +add_executable(diffu cli.cpp difftest.cpp loader.cpp main.cpp) +target_link_libraries(diffu PRIVATE gdbstub) +set_target_properties(diffu PROPERTIES ENABLE_EXPORTS 1) diff --git a/src/cli.cpp b/src/cli.cpp new file mode 100644 index 0000000..e17214b --- /dev/null +++ b/src/cli.cpp @@ -0,0 +1,25 @@ +#include "config.hpp" +#include +#include + +int Config::cli_parse(int argc, char **argv) { + CLI::App app; + app.add_option("-m,--memory", memory_file, "Content of memory") + ->required() + ->check(CLI::ExistingFile); + + app.add_option("--ref", refs, "Reference dynamic library") + ->required() + ->check(CLI::ExistingFile); + + app.add_option("--dut", dut, "Design under test") + ->required() + ->check(CLI::ExistingFile); + + app.set_config("-c,--config") + ->transform(CLI::FileOnDefaultPath("./difftest.toml")); + + CLI11_PARSE(app, argc, argv); + + return 0; +} \ No newline at end of file diff --git a/src/difftest.cpp b/src/difftest.cpp new file mode 100644 index 0000000..cb6aaf3 --- /dev/null +++ b/src/difftest.cpp 
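Review bot: `cli_parse` returns 0 on `--help`: `CLI11_PARSE` expands to `return app.exit(e)`, and for the help exception `app.exit` prints the help text and returns 0, so `main` sees success and goes on to construct `Target` from an empty `config.dut` and `dlopen` it. Replace the macro with an explicit try/catch that maps the zero "stop" cases to a non-zero return (or add a separate out-parameter if a 0 exit status for `--help` matters), as below. The rest of the option setup is unchanged.
```cpp
  // … unchanged: add_option / set_config calls …
  try {
    app.parse(argc, argv);
  } catch (const CLI::ParseError &e) {
    // --help exits with status 0 inside CLI11; report it as "do not proceed"
    // so main() does not go on to dlopen an empty path.
    int rc = app.exit(e);
    return rc == 0 ? 1 : rc;
  }
  return 0;
```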
@@ -0,0 +1,98 @@ +#include "api.hpp" +#include +#include +#include + +#include + +Difftest::Difftest(Target &&dut, std::vector &&refs) { + this->dut = std::move(dut); + this->refs = std::move(refs); + + for (const auto &ref : refs) { + if (dut.arch.reg_byte != ref.arch.reg_byte || + dut.arch.reg_num != ref.arch.reg_num) { + throw std::runtime_error("Ref and dut must have the same architecture"); + } + } +} + +void Difftest::setup(const std::filesystem::path &memory_file) { + std::ifstream is = std::ifstream(memory_file, std::ios::binary); + + // Seek to the end to determine the file size + is.seekg(0, std::ios::end); + std::streampos memsize = is.tellg(); + is.seekg(0, std::ios::beg); + + std::vector membuf(memsize); + is.read(membuf.data(), memsize); + is.close(); + + // Initialize memory + // TODO: reset vector should not be hardcoded + // for(auto target : *this) { + for (auto it = this->begin(); it != this->end(); ++it) { + auto &target = *it; + printf("init addr: %p\n", target.ops.init); + target.ops.init(target.args.data()); + target.ops.write_mem(target.args.data(), 0x80000000UL, membuf.size(), + membuf.data()); + target.ops.write_reg(target.args.data(), 32, 0x80000000UL); + } +} + +bool Difftest::check_all() { + for (auto &ref : refs) { + check(dut, ref); + } + return true; +} + +gdb_action_t Difftest::stepi() { + bool breakflag = false; + Target *pbreak; + for (auto it = this->begin(); it != this->end(); ++it) { + auto &target = *it; + target.ops.stepi(target.args.data(), &target.last_res); + if (target.is_on_breakpoint()) { + breakflag = true; + pbreak = ⌖ + } + } + + if (breakflag) { + gdb_action_t ret = {.reason = gdb_action_t::ACT_BREAKPOINT}; + pbreak->ops.read_reg(pbreak->args.data(), 32, &ret.data); + return ret; + } + return {gdb_action_t::ACT_NONE, 0}; +} + +gdb_action_t Difftest::cont() { + bool breakflag = false; + Target *pbreak; + check_all(); + std::cerr << "setup finished." 
<< std::endl; + while (true) { + // for(auto &target : *this) { + for (auto it = this->begin(); it != this->end(); ++it) { + auto &target = *it; + target.ops.stepi(target.args.data(), &target.last_res); + + if (target.is_on_breakpoint()) { + breakflag = true; + pbreak = ⌖ + } + } + + check_all(); + + if (breakflag) { + gdb_action_t ret = {.reason = gdb_action_t::ACT_BREAKPOINT}; + pbreak->ops.read_reg(pbreak->args.data(), 32, &ret.data); + return ret; + } + } + return {gdb_action_t::ACT_NONE, 0}; +} diff --git a/src/loader.cpp b/src/loader.cpp new file mode 100644 index 0000000..ae91bb1 --- /dev/null +++ b/src/loader.cpp 
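Review bot: The architecture check in `Difftest::Difftest` runs over the wrong objects: `for (const auto &ref : refs)` names the constructor parameter, not the member, and `this->refs = std::move(refs)` has already moved that vector out (leaving it empty), so the loop body never executes; `dut.arch` in the condition likewise reads the parameter. Iterate the members instead: `for (const auto &ref : this->refs) { if (this->dut.arch.reg_byte != ref.arch.reg_byte || this->dut.arch.reg_num != ref.arch.reg_num) throw std::runtime_error("Ref and dut must have the same architecture"); }`. `setup()` also never checks that `memory_file` opened; on failure `tellg()` yields -1 and `membuf` is sized from a negative stream position, so add `if (!is) throw std::runtime_error("cannot open memory file");` before the seek. The hard-coded load address and register 32 are already flagged by the TODO.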
@@ -0,0 +1,76 @@ +#include "api.hpp" +#include +#include +#include +#include + +Target::Target(const std::string &name, const std::string &func_prefix, + const std::filesystem::path &path) { + + std::cout << path.c_str() << std::endl; + meta = {.name = name, + .libpath = path, + .dlhandle = dlopen(path.c_str(), RTLD_LAZY)}; + + if (!meta.dlhandle) { + throw std::runtime_error(dlerror()); + } + +#define LOAD_SYMBOL(ops, handle, prefix, name) \ + do { \ + ops.name = reinterpret_cast( \ + dlsym(handle, (prefix + #name).c_str())); \ + if (!ops.name) \ + goto load_error; \ + } while (0); + + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, cont); + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, stepi); + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, read_reg); + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, write_reg); + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, read_mem); + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, write_mem); + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, set_bp); + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, del_bp); + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, on_interrupt); + LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, init); + +#undef LOAD_SYMBOL + + size_t *argsize_sym; + argsize_sym = reinterpret_cast(dlsym(meta.dlhandle, "argsize")); + if (!argsize_sym) + goto load_error; + + argsize = *argsize_sym; + args = std::vector(argsize); + + arch_info_t *arch_sym; + arch_sym = + reinterpret_cast(dlsym(meta.dlhandle, "isa_arch_info")); + if (!arch_sym) + goto load_error; + return; + +load_error: + std::string err = std::string(dlerror()); + dlclose(meta.dlhandle); + throw std::runtime_error(err); +} + +Target::~Target() { + std::cout << "Destruct target " << meta.name << std::endl; + dlclose(meta.dlhandle); +} + +bool Target::is_on_breakpoint() const { return is_on_breakpoint(last_res); } + +bool Target::is_on_breakpoint(const gdb_action_t &res) const { + if (res.reason == gdb_action_t::ACT_BREAKPOINT || + res.reason == gdb_action_t::ACT_RWATCH || + 
res.reason == gdb_action_t::ACT_WATCH || + res.reason == gdb_action_t::ACT_WWATCH) { + return true; + } + return false; +} diff --git a/src/main.cpp b/src/main.cpp index 6752843..2379e9c 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -1,5 +1,23 @@ -#include +#include "api.hpp" +#include "config.hpp" +#include "difftest.hpp" -using reg_t = uint32_t; +int main(int argc, char **argv) { + Config config; + int ret = 0; + ret = config.cli_parse(argc, argv); + if (ret) + return ret; -int main() { return 0; } + std::vector refs; + Target dut = Target{"dut", "nemu_", config.dut}; + for (const auto &ref_libpath : config.refs) { + refs.emplace_back(ref_libpath.string(), "nemu_", ref_libpath); + } + + Difftest difftest{std::move(dut), std::move(refs)}; + difftest.setup(config.memory_file); + difftest.cont(); + + return 0; +} From cac75f1698acb7f7631b25320fe24f120725c13f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 15 Jul 2024 18:54:07 +0800 Subject: [PATCH 084/136] chore: rename TargetOps to DiffTargetApi --- include/api.hpp | 4 ++-- src/export.cpp | 0 src/loader.cpp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 src/export.cpp diff --git a/include/api.hpp b/include/api.hpp index 7a0f2d3..8c0461c 100644 --- a/include/api.hpp +++ b/include/api.hpp @@ -8,7 +8,7 @@ #include // Target dynamic library has to implement these functions -struct TargetOps { +struct DiffTargetApi { typedef void (*cont_t)(void *args, gdb_action_t *res); cont_t cont; @@ -48,7 +48,7 @@ struct TargetMeta { class Target { public: - TargetOps ops; + DiffTargetApi ops; TargetMeta meta; arch_info_t arch; size_t argsize; diff --git a/src/export.cpp b/src/export.cpp new file mode 100644 index 0000000..e69de29 diff --git a/src/loader.cpp b/src/loader.cpp index ae91bb1..2378ca2 100644 --- a/src/loader.cpp +++ b/src/loader.cpp 
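Review bot: Both error paths in `Target::Target` build a `std::string`/`std::runtime_error` directly from `dlerror()`, which returns NULL when no error message is pending (for example the `load_error` jump taken for a symbol whose value is legitimately null), and constructing a std::string from a null `const char *` is undefined; use `const char *msg = dlerror(); throw std::runtime_error(msg ? msg : "unknown dlopen/dlsym failure");` in both places. Consider `RTLD_NOW` instead of `RTLD_LAZY`: a target library with an unresolved function reference then fails inside this constructor, where the error is handled and the handle closed, rather than at the first `ops.*` call. The `std::cout << path.c_str()` line looks like leftover debug output.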
@@ -18,7 +18,7 @@ Target::Target(const std::string &name, const std::string &func_prefix, #define LOAD_SYMBOL(ops, handle, prefix, name) \ do { \ - ops.name = reinterpret_cast( \ + ops.name = reinterpret_cast( \ dlsym(handle, (prefix + #name).c_str())); \ if (!ops.name) \ goto load_error; \ From 5de642f998594ad043b63ff35df46b05a36922fe Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 16 Jul 2024 09:50:17 +0800 Subject: [PATCH 085/136] feat: export gdbstub api, connect to gdb --- include/api.hpp | 5 +++- include/difftest.hpp | 24 +++++++++++++++-- src/CMakeLists.txt | 3 +-- src/difftest.cpp | 41 ++++++++++++++++++++++++++-- src/export.cpp | 0 src/gdbstub.cpp | 64 ++++++++++++++++++++++++++++++++++++++++++++ src/loader.cpp | 1 + src/main.cpp | 7 +++-- 8 files changed, 136 insertions(+), 9 deletions(-) delete mode 100644 src/export.cpp create mode 100644 src/gdbstub.cpp diff --git a/include/api.hpp b/include/api.hpp index 8c0461c..ed19fd0 100644 --- a/include/api.hpp +++ b/include/api.hpp @@ -3,10 +3,13 @@ #include #include -#include #include #include +extern "C" { +#include +} + // Target dynamic library has to implement these functions struct DiffTargetApi { typedef void (*cont_t)(void *args, gdb_action_t *res); diff --git a/include/difftest.hpp b/include/difftest.hpp index e4fbdd2..7a12776 100644 --- a/include/difftest.hpp +++ b/include/difftest.hpp @@ -2,9 +2,11 @@ #define _DIFFTEST_DIFFTEST_H_ #include "api.hpp" #include -#include #include #include +extern "C" { +#include +} #include class Difftest { 
@@ -12,12 +14,30 @@ private: Target dut; std::vector refs; + // target used for read_reg, write_reg, read_mem, write_mem + Target *current_target = &dut; + public: Difftest(Target &&dut, std::vector &&refs); void setup(const std::filesystem::path &memory_file); - gdb_action_t stepi(); + + // Export API for gdbstub gdb_action_t cont(); + gdb_action_t stepi(); + int read_reg(int regno, size_t *value); + int write_reg(int regno, size_t value); + int read_mem(size_t addr, size_t len, void *val); + int write_mem(size_t addr, size_t len, void *val); + bool set_bp(size_t addr, bp_type_t type); + bool del_bp(size_t addr, bp_type_t type); + + arch_info_t get_arch() const { + std::cout << dut.arch.reg_num << std::endl; + return dut.arch; + } + + // Other APi static bool check(Target &dut, Target &ref) { for (int r = 0; r < dut.arch.reg_num; r++) { size_t regdut = 0, regref = 0; diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index e30dab7..696b8e9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -1,3 +1,2 @@ -add_executable(diffu cli.cpp difftest.cpp loader.cpp main.cpp) +add_executable(diffu cli.cpp difftest.cpp gdbstub.cpp loader.cpp main.cpp) target_link_libraries(diffu PRIVATE gdbstub) -set_target_properties(diffu PROPERTIES ENABLE_EXPORTS 1) diff --git a/src/difftest.cpp b/src/difftest.cpp index cb6aaf3..024ac2c 100644 --- a/src/difftest.cpp +++ b/src/difftest.cpp @@ -72,8 +72,6 @@ gdb_action_t Difftest::stepi() { gdb_action_t Difftest::cont() { bool breakflag = false; Target *pbreak; - check_all(); - std::cerr << "setup finished." << std::endl; while (true) { // for(auto &target : *this) { for (auto it = this->begin(); it != this->end(); ++it) { 
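Review bot: `get_arch()` writes `dut.arch.reg_num` to std::cout on every call, which is debug output in a const getter handed to the gdbstub; drop the line or put it behind a debug flag. `current_target = &dut` stores a pointer into the object itself, so the implicitly generated copy/move of `Difftest` would leave the copy pointing at the original's `dut`; now that the class carries that self-reference, declare `Difftest(const Difftest &) = delete; Difftest &operator=(const Difftest &) = delete;`. The class body continues outside the hunk.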
@@ -96,3 +94,42 @@ gdb_action_t Difftest::cont() { } return {gdb_action_t::ACT_NONE, 0}; } + +int Difftest::read_reg(int regno, size_t *value) { + std::cout << "read_reg(" << regno << ", " << value << ")" << std::endl; + return current_target->ops.read_reg(current_target->args.data(), regno, + value); +} + +int Difftest::write_reg(int regno, size_t value) { + return current_target->ops.write_reg(current_target->args.data(), regno, + value); +} + +int Difftest::read_mem(size_t addr, size_t len, void *val) { + return current_target->ops.read_mem(current_target->args.data(), addr, len, + val); +} + +int Difftest::write_mem(size_t addr, size_t len, void *val) { + return current_target->ops.write_mem(current_target->args.data(), addr, len, + val); +} + +bool Difftest::set_bp(size_t addr, bp_type_t type) { + bool ret = true; + for (auto it = this->begin(); it != this->end(); ++it) { + auto &target = *it; + ret = ret && target.ops.set_bp(target.args.data(), addr, type); + } + return ret; +} + +bool Difftest::del_bp(size_t addr, bp_type_t type) { + bool ret = true; + for (auto it = this->begin(); it != this->end(); ++it) { + auto &target = *it; + ret = ret && target.ops.del_bp(target.args.data(), addr, type); + } + return ret; +} diff --git a/src/export.cpp b/src/export.cpp deleted file mode 100644 index e69de29..0000000 diff --git a/src/gdbstub.cpp b/src/gdbstub.cpp new file mode 100644 index 0000000..a9c9b8d --- /dev/null +++ b/src/gdbstub.cpp 
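Review bot: `set_bp` leaves the breakpoint installed on the targets that accepted it when a later target rejects it, so after a `false` return the dut and refs disagree on where they stop and the stepping loop will report a break on one side only; either roll back with `del_bp` on the targets already updated before returning, or document that the caller must do so. `del_bp` has the same partial-state problem in the other direction. Patch 088 only changes the evaluation order so every target is attempted; it does not address the inconsistent state.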
@@ -0,0 +1,64 @@ +#include +extern "C" { +#include +} + +static void difftest_cont(void *args, gdb_action_t *res) { + Difftest *diff = (Difftest *)args; + *res = diff->cont(); +}; + +static void difftest_stepi(void *args, gdb_action_t *res) { + Difftest *diff = (Difftest *)args; + *res = diff->stepi(); +}; + +static int difftest_read_reg(void *args, int regno, size_t *value) { + Difftest *diff = (Difftest *)args; + return diff->read_reg(regno, value); +}; + +static int difftest_write_reg(void *args, int regno, size_t value) { + Difftest *diff = (Difftest *)args; + return diff->write_reg(regno, value); +} + +static int difftest_read_mem(void *args, size_t addr, size_t len, void *val) { + Difftest *diff = (Difftest *)args; + return diff->read_mem(addr, len, val); +} + +static int difftest_write_mem(void *args, size_t addr, size_t len, void *val) { + Difftest *diff = (Difftest *)args; + return diff->write_mem(addr, len, val); +} + +static bool difftest_set_bp(void *args, size_t addr, bp_type_t type) { + Difftest *diff = (Difftest *)args; + return diff->set_bp(addr, type); +} + +static bool difftest_del_bp(void *args, size_t addr, bp_type_t type) { + Difftest *diff = (Difftest *)args; + return diff->del_bp(addr, type); +} + +int gdbstub_loop(Difftest *diff) { + target_ops gdbstub_ops = {.cont = difftest_cont, + .stepi = difftest_stepi, + .read_reg = difftest_read_reg, + .write_reg = difftest_write_reg, + .read_mem = difftest_read_mem, + .write_mem = difftest_write_mem, + .set_bp = difftest_set_bp, + .del_bp = difftest_del_bp, + .on_interrupt = NULL}; + gdbstub_t gdbstub_priv; + char socket_addr[] = "127.0.0.1:1234"; + gdbstub_init(&gdbstub_priv, &gdbstub_ops, diff->get_arch(), socket_addr); + + bool success = gdbstub_run(&gdbstub_priv, diff); + std::cout << "Waiting for gdb connection at " << socket_addr; + gdbstub_close(&gdbstub_priv); + return !success; +} \ No newline at end of file diff --git a/src/loader.cpp b/src/loader.cpp index 2378ca2..2289076 100644 
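Review bot: The `"Waiting for gdb connection at "` message is printed after `gdbstub_run` returns, i.e. once the session is already over, and it has no trailing newline; move it before the `gdbstub_run` call and end it with `std::endl`. The result of `gdbstub_init` is discarded even though, as far as I can tell from mini-gdbstub's API, it reports a status; a bind failure on the socket would still fall through into `gdbstub_run`, so check it and return non-zero. The listen address `127.0.0.1:1234` is hard-coded; loopback keeps the exposure to local users, but the value belongs in `Config` beside the other CLI options so two instances can run side by side.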
--- a/src/loader.cpp +++ b/src/loader.cpp @@ -50,6 +50,7 @@ Target::Target(const std::string &name, const std::string &func_prefix, reinterpret_cast(dlsym(meta.dlhandle, "isa_arch_info")); if (!arch_sym) goto load_error; + arch = *arch_sym; return; load_error: diff --git a/src/main.cpp b/src/main.cpp index 2379e9c..4fbb945 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -2,6 +2,9 @@ #include "config.hpp" #include "difftest.hpp" +// extern "C" { +int gdbstub_loop(Difftest *); +// } int main(int argc, char **argv) { Config config; int ret = 0; @@ -16,8 +19,8 @@ int main(int argc, char **argv) { } Difftest difftest{std::move(dut), std::move(refs)}; - difftest.setup(config.memory_file); - difftest.cont(); + + gdbstub_loop(&difftest); return 0; } From 6501c55e306f178587a2147f2165ef75270a70b0 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 16 Jul 2024 10:06:08 +0800 Subject: [PATCH 086/136] fix: forget to setup difftest before gdbstub loop. --- src/main.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main.cpp b/src/main.cpp index 4fbb945..ec546ed 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -20,6 +20,8 @@ int main(int argc, char **argv) { Difftest difftest{std::move(dut), std::move(refs)}; + difftest.setup(config.memory_file); + gdbstub_loop(&difftest); return 0; From 7db988bdee5409823826a54dd4fc5fde252176a0 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 16 Jul 2024 11:16:11 +0800 Subject: [PATCH 087/136] feat: graceful shutdown --- include/difftest.hpp | 6 ++++-- src/difftest.cpp | 46 +++++++++++++++++--------------------------- src/loader.cpp | 4 +++- src/main.cpp | 4 ++-- 4 files changed, 27 insertions(+), 33 deletions(-) diff --git a/include/difftest.hpp b/include/difftest.hpp index 7a12776..4985516 100644 --- a/include/difftest.hpp +++ b/include/difftest.hpp 
@@ -17,6 +17,8 @@ private: // target used for read_reg, write_reg, read_mem, write_mem Target *current_target = &dut; + bool exec(size_t n, gdb_action_t *ret); + public: Difftest(Target &&dut, std::vector &&refs); @@ -32,12 +34,13 @@ public: bool set_bp(size_t addr, bp_type_t type); bool del_bp(size_t addr, bp_type_t type); + bool check_all(); + arch_info_t get_arch() const { std::cout << dut.arch.reg_num << std::endl; return dut.arch; } - // Other APi static bool check(Target &dut, Target &ref) { for (int r = 0; r < dut.arch.reg_num; r++) { size_t regdut = 0, regref = 0; @@ -51,7 +54,6 @@ public: } return true; }; - bool check_all(); class Iterator { private: diff --git a/src/difftest.cpp b/src/difftest.cpp index 024ac2c..49493e9 100644 --- a/src/difftest.cpp +++ b/src/difftest.cpp @@ -1,6 +1,7 @@ #include "api.hpp" #include #include +#include #include #include @@ -49,9 +50,9 @@ bool Difftest::check_all() { return true; } -gdb_action_t Difftest::stepi() { +bool Difftest::exec(size_t n, gdb_action_t *ret) { bool breakflag = false; - Target *pbreak; + Target *pbreak = &(*(this->begin())); for (auto it = this->begin(); it != this->end(); ++it) { auto &target = *it; target.ops.stepi(target.args.data(), &target.last_res); 
@@ -62,37 +63,26 @@ gdb_action_t Difftest::stepi() { } if (breakflag) { - gdb_action_t ret = {.reason = gdb_action_t::ACT_BREAKPOINT}; - pbreak->ops.read_reg(pbreak->args.data(), 32, &ret.data); - return ret; + ret->reason = pbreak->last_res.reason; + ret->data = pbreak->last_res.data; + return false; } - return {gdb_action_t::ACT_NONE, 0}; + return true; +} + +gdb_action_t Difftest::stepi() { + gdb_action_t ret = {.reason = gdb_action_t::ACT_NONE}; + exec(1, &ret); + check_all(); + return ret; } gdb_action_t Difftest::cont() { - bool breakflag = false; - Target *pbreak; - while (true) { - // for(auto &target : *this) { - for (auto it = this->begin(); it != this->end(); ++it) { - auto &target = *it; - target.ops.stepi(target.args.data(), &target.last_res); - - if (target.is_on_breakpoint()) { - breakflag = true; - pbreak = ⌖ - } - } - + gdb_action_t ret = {.reason = gdb_action_t::ACT_NONE}; + while (exec(1, &ret)) { check_all(); - - if (breakflag) { - gdb_action_t ret = {.reason = gdb_action_t::ACT_BREAKPOINT}; - pbreak->ops.read_reg(pbreak->args.data(), 32, &ret.data); - return ret; - } - } - return {gdb_action_t::ACT_NONE, 0}; + }; + return ret; } int Difftest::read_reg(int regno, size_t *value) { diff --git a/src/loader.cpp b/src/loader.cpp index 2289076..b4a3bfc 100644 --- a/src/loader.cpp +++ b/src/loader.cpp @@ -1,6 +1,7 @@ #include "api.hpp" #include #include +#include #include #include @@ -70,7 +71,8 @@ bool Target::is_on_breakpoint(const gdb_action_t &res) const { if (res.reason == gdb_action_t::ACT_BREAKPOINT || res.reason == gdb_action_t::ACT_RWATCH || res.reason == gdb_action_t::ACT_WATCH || - res.reason == gdb_action_t::ACT_WWATCH) { + res.reason == gdb_action_t::ACT_WWATCH || + res.reason == gdb_action_t::ACT_SHUTDOWN) { return true; } return false; diff --git a/src/main.cpp b/src/main.cpp index ec546ed..e432690 100644 --- a/src/main.cpp +++ b/src/main.cpp 
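Review bot: `cont()` skips the divergence check on the instruction that stops execution: `while (exec(1, &ret)) { check_all(); }` exits as soon as `exec` reports a break, so the targets' state after that final step is never compared, whereas `stepi()` always calls `check_all()` after `exec`. Add `check_all();` after the loop, before `return ret;`, so a mismatch on the breakpoint instruction is reported now rather than on the next command. The stray `;` after the while block's closing brace can go as well.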
@@ -13,12 +13,12 @@ int main(int argc, char **argv) { return ret; std::vector refs; - Target dut = Target{"dut", "nemu_", config.dut}; + Target *dut = new Target{"dut", "nemu_", config.dut}; for (const auto &ref_libpath : config.refs) { refs.emplace_back(ref_libpath.string(), "nemu_", ref_libpath); } - Difftest difftest{std::move(dut), std::move(refs)}; + Difftest difftest{std::move(*dut), std::move(refs)}; difftest.setup(config.memory_file); From 607ed58ffa2c5b8e8dbae6cfe490bbda7f845a77 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 16 Jul 2024 14:33:45 +0800 Subject: [PATCH 088/136] feat: provide cli options for library api prefix --- include/config.hpp | 3 +++ src/cli.cpp | 23 +++++++++++++++++++++++ src/difftest.cpp | 34 +++++++++++++++++----------------- src/gdbstub.cpp | 2 +- src/loader.cpp | 7 +------ src/main.cpp | 11 ++++++++--- 6 files changed, 53 insertions(+), 27 deletions(-) diff --git a/include/config.hpp b/include/config.hpp index f08593f..bb90278 100644 --- a/include/config.hpp +++ b/include/config.hpp @@ -7,7 +7,10 @@ struct Config { std::filesystem::path memory_file; std::vector refs; + std::vector refs_prefix; std::filesystem::path dut; + std::string dut_prefix = ""; + int cli_parse(int argc, char **argv); }; diff --git a/src/cli.cpp b/src/cli.cpp index e17214b..a92ecbb 100644 --- a/src/cli.cpp +++ b/src/cli.cpp @@ -1,6 +1,8 @@ #include "config.hpp" #include +#include #include +#include int Config::cli_parse(int argc, char **argv) { CLI::App app; 
@@ -12,13 +14,34 @@ int Config::cli_parse(int argc, char **argv) { ->required() ->check(CLI::ExistingFile); + app.add_option("--ref-prefix", refs_prefix, + "Optional prefix for each reference library"); + app.add_option("--dut", dut, "Design under test") ->required() ->check(CLI::ExistingFile); + app.add_option("--dut-prefix", dut_prefix, + "Optional prefix for design under test"); + app.set_config("-c,--config") ->transform(CLI::FileOnDefaultPath("./difftest.toml")); + // Default value for refs_prefix + app.callback([&]() { + if (refs_prefix.size() == 0) { + refs_prefix.insert(refs_prefix.end(), refs.size(), ""); + } + }); + + // Check if refs_prefix matches refs. + app.callback([&]() { + if (refs_prefix.size() != refs.size()) { + throw CLI::ParseError( + "Same number of --ref and --ref-prefix must be provided.", EINVAL); + } + }); + CLI11_PARSE(app, argc, argv); return 0; diff --git a/src/difftest.cpp b/src/difftest.cpp index 49493e9..3d5d333 100644 --- a/src/difftest.cpp +++ b/src/difftest.cpp @@ -35,7 +35,6 @@ void Difftest::setup(const std::filesystem::path &memory_file) { // for(auto target : *this) { for (auto it = this->begin(); it != this->end(); ++it) { auto &target = *it; - printf("init addr: %p\n", target.ops.init); target.ops.init(target.args.data()); target.ops.write_mem(target.args.data(), 0x80000000UL, membuf.size(), membuf.data()); 
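Review bot: `app.callback(...)` is called twice; as far as I can tell CLI11's `App::callback` stores a single `std::function` and each call replaces the previous one (verify against your CLI11 version), so the defaulting callback that fills `refs_prefix` never runs and an invocation without `--ref-prefix` always hits the size-mismatch error. Merging both into one callback, defaulting first and then checking, removes the dependence on callback-chaining semantics. The rest of `cli_parse` continues outside the hunk.
```cpp
  app.callback([&]() {
    // Default: one empty prefix per --ref, then require matching counts.
    if (refs_prefix.empty())
      refs_prefix.assign(refs.size(), "");
    if (refs_prefix.size() != refs.size())
      throw CLI::ParseError(
          "Same number of --ref and --ref-prefix must be provided.", EINVAL);
  });
  // … unchanged: CLI11_PARSE / return …
```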
@@ -51,21 +50,23 @@ bool Difftest::check_all() { } bool Difftest::exec(size_t n, gdb_action_t *ret) { - bool breakflag = false; - Target *pbreak = &(*(this->begin())); - for (auto it = this->begin(); it != this->end(); ++it) { - auto &target = *it; - target.ops.stepi(target.args.data(), &target.last_res); - if (target.is_on_breakpoint()) { - breakflag = true; - pbreak = ⌖ + while (n--) { + bool breakflag = false; + Target *pbreak = &(*(this->begin())); + for (auto it = this->begin(); it != this->end(); ++it) { + auto &target = *it; + target.ops.stepi(target.args.data(), &target.last_res); + if (target.is_on_breakpoint()) { + breakflag = true; + pbreak = ⌖ + } } - } - if (breakflag) { - ret->reason = pbreak->last_res.reason; - ret->data = pbreak->last_res.data; - return false; + if (breakflag) { + ret->reason = pbreak->last_res.reason; + ret->data = pbreak->last_res.data; + return false; + } } return true; } @@ -86,7 +87,6 @@ gdb_action_t Difftest::cont() { } int Difftest::read_reg(int regno, size_t *value) { - std::cout << "read_reg(" << regno << ", " << value << ")" << std::endl; return current_target->ops.read_reg(current_target->args.data(), regno, value); } @@ -110,7 +110,7 @@ bool Difftest::set_bp(size_t addr, bp_type_t type) { bool ret = true; for (auto it = this->begin(); it != this->end(); ++it) { auto &target = *it; - ret = ret && target.ops.set_bp(target.args.data(), addr, type); + ret = target.ops.set_bp(target.args.data(), addr, type) && ret; } return ret; } @@ -119,7 +119,7 @@ bool Difftest::del_bp(size_t addr, bp_type_t type) { bool ret = true; for (auto it = this->begin(); it != this->end(); ++it) { auto &target = *it; - ret = ret && target.ops.del_bp(target.args.data(), addr, type); + ret = target.ops.del_bp(target.args.data(), addr, type) && ret; } return ret; } diff --git a/src/gdbstub.cpp b/src/gdbstub.cpp index a9c9b8d..583c4e3 100644 --- a/src/gdbstub.cpp +++ b/src/gdbstub.cpp 
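Review bot: The reordering to `ret = target.ops.set_bp(target.args.data(), addr, type) && ret;` is deliberate — it keeps calling every target after one has failed, which the old `ret && ...` form short-circuited — but nothing records that, and it reads like a no-op swap. Add `// call set_bp first: every target must see the breakpoint even after an earlier failure` above the loop; the `del_bp` hunk below it needs the same comment. A failure still leaves earlier targets with the breakpoint installed and no rollback, which is unchanged behaviour but worth a sentence in the doc comment.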
@@ -57,8 +57,8 @@ int gdbstub_loop(Difftest *diff) { char socket_addr[] = "127.0.0.1:1234"; gdbstub_init(&gdbstub_priv, &gdbstub_ops, diff->get_arch(), socket_addr); + std::cout << "Waiting for gdb connection at " << socket_addr << std::endl; bool success = gdbstub_run(&gdbstub_priv, diff); - std::cout << "Waiting for gdb connection at " << socket_addr; gdbstub_close(&gdbstub_priv); return !success; } \ No newline at end of file diff --git a/src/loader.cpp b/src/loader.cpp index b4a3bfc..cab95ab 100644 --- a/src/loader.cpp +++ b/src/loader.cpp @@ -2,13 +2,11 @@ #include #include #include -#include #include Target::Target(const std::string &name, const std::string &func_prefix, const std::filesystem::path &path) { - std::cout << path.c_str() << std::endl; meta = {.name = name, .libpath = path, .dlhandle = dlopen(path.c_str(), RTLD_LAZY)}; @@ -60,10 +58,7 @@ load_error: throw std::runtime_error(err); } -Target::~Target() { - std::cout << "Destruct target " << meta.name << std::endl; - dlclose(meta.dlhandle); -} +Target::~Target() { dlclose(meta.dlhandle); } bool Target::is_on_breakpoint() const { return is_on_breakpoint(last_res); } diff --git a/src/main.cpp b/src/main.cpp index e432690..eed1644 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -13,9 +13,14 @@ int main(int argc, char **argv) { return ret; std::vector refs; - Target *dut = new Target{"dut", "nemu_", config.dut}; - for (const auto &ref_libpath : config.refs) { - refs.emplace_back(ref_libpath.string(), "nemu_", ref_libpath); + Target *dut = new Target{"dut", config.dut_prefix, config.dut}; + auto ref_libpath = config.refs.begin(); + auto ref_prefix = config.refs_prefix.begin(); + while (ref_libpath != config.refs.end() && + ref_prefix != config.refs_prefix.end()) { + refs.emplace_back(ref_libpath->string(), *ref_prefix, *ref_libpath); + ref_libpath++; + ref_prefix++; } Difftest difftest{std::move(*dut), std::move(refs)}; From f06e1710a1ca317e6e01c2233f89034d66b38d2d Mon Sep 17 00:00:00 2001 
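Review bot: The two-iterator loop in `main` stops at the shorter of `config.refs` and `config.refs_prefix`, so if `cli_parse` ever fails to enforce equal sizes a reference library is silently dropped instead of reported. Since equal sizes are the contract, an indexed loop fails loudly: `for (size_t i = 0; i < config.refs.size(); ++i)` / `refs.emplace_back(config.refs[i].string(), config.refs_prefix.at(i), config.refs[i]);`. The `new Target` from the previous commit is still never freed here.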
From: xinyangli Date: Mon, 15 Jul 2024 10:54:25 +0800 Subject: [PATCH 089/136] fix(home-manager): build error --- home/xin/common/default.nix | 4 +++- modules/home-manager/vscode.nix | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 44cb225..0eb2bae 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -1,4 +1,4 @@ -{ inputs, pkgs, ... }: { +{ inputs, pkgs, lib, ... }: { imports = [ ]; home.packages = with pkgs; [ @@ -19,6 +19,8 @@ inetutils ]; + + nix.package = lib.mkForce pkgs.nixVersions.latest; nix.extraOptions = '' extra-substituters = https://nix-community.cachix.org extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 32b09e7..6042b6a 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -105,6 +105,8 @@ in }; }; config = mkIf cfg.enable { + nixpkgs.config.allowUnfree = true; + home.packages = lib.mkMerge ([ [ pkgs.clang-tools ] ] ++ zipAttrsWithLanguageOption "systemPackages"); From 0a84c4644b7de9d3ed187b2f2d3fe4fcaec76c15 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 17 Jul 2024 11:45:15 +0800 Subject: [PATCH 090/136] feat: switch to my nixpkgs branch --- flake.nix | 2 +- machines/calcite/configuration.nix | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 3433ffa..879ae3e 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { inputs = { # Pin nixpkgs to a specific commit - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:xinyangli/nixpkgs/deploy"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05"; home-manager = { diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 502498d..458e1db 100644 --- a/machines/calcite/configuration.nix 
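Review bot: `nixpkgs.config.allowUnfree = true;` inside the vscode module's `config = mkIf cfg.enable` disables the unfree check for the whole home-manager package set, not only for VS Code, which is broader than enabling the module suggests. Prefer `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "vscode" ];` (merged with any existing predicate), or at least add `# enabling vscode allows unfree packages globally` so the side effect is visible.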
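Review bot: The comment `# Pin nixpkgs to a specific commit` above the changed line now describes the lock file rather than this input: `github:xinyangli/nixpkgs/deploy` names a mutable branch of a personal fork, so each `nix flake update` follows whatever that branch points at, and the system's supply-chain trust now rests on that fork plus `flake.lock`. Reword it to something like `# Track the deploy branch of my nixpkgs fork; flake.lock pins the exact rev` so the pinning claim is accurate.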
+++ b/machines/calcite/configuration.nix @@ -110,8 +110,6 @@ services.printing.enable = true; # services.printing.drivers = [ pkgs.hplip ]; - # Enable sound with pipewire. - sound.enable = true; hardware.pulseaudio.enable = false; security.rtkit.enable = true; services.pipewire = { From e5bd395fd86fd9f932c18683ffc1ed2fc5a1bf5d Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 17 Jul 2024 12:02:09 +0800 Subject: [PATCH 091/136] massicot: use binary cache from garnix --- machines/massicot/default.nix | 7 ++++++- machines/secrets.yaml | 8 ++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 7a40b4e..b96499a 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -46,7 +46,12 @@ git ]; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.settings = { + experimental-features = [ "nix-command" "flakes" ]; + substituters = "https://cache.garnix.io"; + trusted-public-keys = "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="; + }; + nix.gc = { automatic = true; dates = "weekly"; diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 40ccb0d..dec3d21 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
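Review bot: `substituters = "https://cache.garnix.io";` and `trusted-public-keys = "cache.garnix.io:..."` assign single strings where the rest of the repo uses lists, and because they are the plain keys rather than the `extra-` forms they replace Nix's built-in `https://cache.nixos.org/` and its key, so this host would fetch only from garnix and build everything else locally. Use `extra-substituters = [ "https://cache.garnix.io" ];` and `extra-trusted-public-keys = [ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" ];` unless dropping cache.nixos.org is intended. A third-party cache key is a trust root: any path signed with it is accepted without a local rebuild, which deserves a comment next to it.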
@@ -1,7 +1,7 @@ clash_subscription_link: ENC[AES256_GCM,data:Vwy0c8gOeR1XG/QNp8TGuBe/5kezD7SSStN/iCnihbbJYW78LNfPfvmVAEXjQlf5Ycts2Cb2JHGtWp3rmQQtWBx8LfIewqhNDk9fCywqIv7uSmqVpJNTHfYhjpF6PLvtz51VfTKph+fplZ9dMu23P9g7Wn6dzVizo8DX6xHWN2jDyHza5zkiNrzbmiaLwbLu1dAzvNSI67A=,iv:pZ189IPPCBjscXzEdgQCRdFlls3TniwDfNCd+H1FFaQ=,tag:dpt+3kdx8m1f0X0SHm+ATA==,type:str] autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str] autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str] -github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] +github_public_token: ENC[AES256_GCM,data:AmAfmq5mDGxmHUUlGzD7k50jRTCcnZqqFdYdrMtYysmw6FUjPc1YgsEVNqHOjiEMYbr8Gs+wjVu8BYIuh1wuDzOOfE+ejIbosrOtK4dCapmIzZFlRiK/AyrUCm2qDWUObhJDPMJN4px947VFJ5to5GLifGEXdUGm,iv:PJSFtJBelyc3rzd6hqjMp+ciU2Q3FTOEXsiq5F2KKTY=,tag:MjrTl+4+8SZeBDJpUJtsiw==,type:str] singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str] singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:+Nwsx65/gdrDhL1ZurR5Ng==,type:str] singbox_password: ENC[AES256_GCM,data:0tBIzwtNSQqbGlD+CDnQfJigbFVBChEL,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:5BtYAv1NO70IL4m/uG8QKA==,type:str] 
@@ -77,8 +77,8 @@ sops: NjVEaWN3cU1rRjQ2a29wV1g1NzE0UTAKNefzj+p+U735LHqm5lnWGHCARuqvFmgA 6bxJN9frAMZQIXZSwOTrfpYrTmKcBLcfWxq7LUPluw9HinQnkFpWqg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-07T13:13:50Z" - mac: ENC[AES256_GCM,data:cAc3Wp5KjuaKWv0e2ciPVzvsK2L6BgupYS2+5Vlr+Wn0RBsuLA0OEW2pQbm5hpUJaWO65qQk5IeMvK/h8otYLgGHGzz23NiZTNeAknw6z2mL5y+GgP22mBOMzPU2PtaJKXkt624T1sZzW4QTMo8TqBlzy7D10odyjkVn6Wd+OGE=,iv:zucnHwHjY4DX3jIKuuIGpa2no9svOEordGN0LsPKDuc=,tag:JQZMyBO3yZIW+ZTIKDUPCQ==,type:str] + lastmodified: "2024-07-17T03:43:42Z" + mac: ENC[AES256_GCM,data:5dnJSeY8lZrIo/bl8MECwmaQo+fQ+BEun9BQ7tFHUo1lzk4wn2N1RuPMuPLPE1wARfOJR2lUyh+o3froFqQT6EGDhA68ETHxm+NqxbstouK+pSu0WJzg7ImuAuzd8B81xXBTQj6umOZy6oRsgvAYo2C8aEfzs19+kYrAM4bXo7k=,iv:YvtOVDD347fCFvqyTljHOQm6ewSR01WlYVBNVdm/BNc=,tag:r/HzESO6csxzLJMHTRC7bA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 From e36875131bd1dd78d3527f982282d98d7bd8da36 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 17 Jul 2024 15:52:30 +0800 Subject: [PATCH 092/136] feat(modules): move nix settings to a seperate module --- flake.lock | 12 +++---- home/xin/common/default.nix | 5 +-- machines/calcite/configuration.nix | 21 +++--------- machines/dolomite/default.nix | 4 --- machines/massicot/default.nix | 15 --------- machines/raspite/configuration.nix | 14 ++------ modules/nixos/common-nix-conf.nix | 51 ++++++++++++++++++++++++++++++ modules/nixos/default.nix | 1 + 8 files changed, 66 insertions(+), 57 deletions(-) create mode 100644 modules/nixos/common-nix-conf.nix diff --git a/flake.lock b/flake.lock index 4e0d662..299f626 100644 --- a/flake.lock +++ b/flake.lock 
@@ -174,16 +174,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1720768451, - "narHash": "sha256-EYekUHJE2gxeo2pM/zM9Wlqw1Uw2XTJXOSAO79ksc4Y=", - "owner": "nixos", + "lastModified": 1721187324, + "narHash": "sha256-QA/hwTo9TsEbtTxFjHdyIopyRqVbC3psML9D1CuSGcg=", + "owner": "xinyangli", "repo": "nixpkgs", - "rev": "7e7c39ea35c5cdd002cd4588b03a3fb9ece6fad9", + "rev": "5a00e83edebdcf87790dfa0a304b092f4e3ed694", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "xinyangli", + "ref": "deploy", "repo": "nixpkgs", "type": "github" } diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 0eb2bae..6957c4d 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -20,9 +20,6 @@ inetutils ]; + # Required for standalone home configuration nix.package = lib.mkForce pkgs.nixVersions.latest; - nix.extraOptions = '' - extra-substituters = https://nix-community.cachix.org - extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= - ''; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 458e1db..d5a152f 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -9,6 +9,10 @@ ../sops.nix ]; + commonSettings = { + nix.enableMirrors = true; + }; + # Bootloader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; 
@@ -229,23 +233,6 @@ system.stateVersion = "22.05"; - # Use mirror for binary cache - nix.settings.substituters = [ - "https://mirrors.bfsu.edu.cn/nix-channels/store" - "https://mirrors.ustc.edu.cn/nix-channels/store" - ]; - nix.gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 30d"; - }; - nix.optimise.automatic = true; - - nix.settings = { - experimental-features = [ "nix-command" "flakes" ]; - auto-optimise-store = true; - trusted-users = [ "xin" "root" ]; - }; nix.extraOptions = '' !include "${config.sops.secrets.github_public_token.path}" ''; diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 69ac5cc..3965655 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -79,10 +79,6 @@ in wheelNeedsPassword = false; }; - nix.settings = { - trusted-users = [ "root" ]; - }; - services.sing-box = let singTls = { enabled = true; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index b96499a..66c7b50 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -46,21 +46,6 @@ git ]; - nix.settings = { - experimental-features = [ "nix-command" "flakes" ]; - substituters = "https://cache.garnix.io"; - trusted-public-keys = "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="; - }; - - nix.gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 7d"; - }; - nix.optimise.automatic = true; - nix.settings.auto-optimise-store = true; - - system.stateVersion = "22.11"; networking = { diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 489032b..71bc747 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -4,6 +4,9 @@ imports = [ ./hass.nix ]; + + commonSettings.nix.enableMirrors = true; + nixpkgs.overlays = [ # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 (final: super: { 
@@ -18,13 +21,6 @@ raspberrypi-eeprom ]; - # Use mirror for binary cache - nix.settings.substituters = [ - "https://mirrors.bfsu.edu.cn/nix-channels/store" - "https://mirrors.ustc.edu.cn/nix-channels/store" - ]; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - system.stateVersion = "24.05"; networking = { @@ -51,10 +47,6 @@ wheelNeedsPassword = false; }; - nix.settings = { - trusted-users = [ "@wheel" ]; - }; - # fileSystems."/".fsType = lib.mkForce "btrfs"; boot.supportedFilesystems.zfs = lib.mkForce false; diff --git a/modules/nixos/common-nix-conf.nix b/modules/nixos/common-nix-conf.nix new file mode 100644 index 0000000..00929ce --- /dev/null +++ b/modules/nixos/common-nix-conf.nix @@ -0,0 +1,51 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkEnableOption mkOption types; + + cfg = config.commonSettings.nix; +in +{ + options.commonSettings.nix = { + enable = mkOption { + default = true; + type = types.bool; + }; + enableMirrors = mkEnableOption "cache.nixos.org mirrors in Mainland China"; + }; + + config = mkIf cfg.enable { + nix.package = pkgs.nixVersions.latest; + + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + + nix.optimise.automatic = true; + + nix.settings = { + experimental-features = [ "nix-command" "flakes" ]; + auto-optimise-store = true; + trusted-users = [ "root" ]; + + substituters = [ + "https://nix-community.cachix.org" + "https://cache.garnix.io" + ]; + + extra-substituters = mkIf cfg.enableMirrors [ + "https://mirrors.bfsu.edu.cn/nix-channels/store" + "https://mirrors.ustc.edu.cn/nix-channels/store" + ]; + + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + ]; + }; + }; +} + diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index c3d43a0..0d64656 100644 
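Review bot: `substituters = [ ... nix-community ... garnix ]` in the new module overrides Nix's default list, so `https://cache.nixos.org/` is no longer queried directly on any host importing it — only through the mirrors when `enableMirrors` is set — while its key stays trusted; if that is intended add `# cache.nixos.org is reached only via the mirrors below`, otherwise use `extra-substituters` for the two caches or list cache.nixos.org explicitly. `trusted-users = [ "root" ]` here also replaces raspite's previous `@wheel`, so wheel members lose the ability to pass untrusted settings to the daemon — a tightening, but a behaviour change worth a comment. The `enable` option has no `description`.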
--- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,6 +1,7 @@ { config, pkgs, ... }: { imports = [ + ./common-nix-conf.nix ./restic.nix ./vaultwarden.nix ./prometheus.nix From 6c39724060c204ae0668c88ba8bf158ce79eda00 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 18 Jul 2024 11:44:09 +0800 Subject: [PATCH 093/136] feat(calcite): sign locally build paths in nix store --- flake.nix | 3 +-- machines/calcite/configuration.nix | 5 ++++- modules/nixos/common-nix-conf.nix | 13 ++++++++++++- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 879ae3e..422c338 100644 --- a/flake.nix +++ b/flake.nix @@ -120,7 +120,6 @@ nixpkgs = import nixpkgs { system = "x86_64-linux"; }; - machinesFile = ./nixbuild.net; specialArgs = { inherit inputs; }; @@ -194,7 +193,7 @@ { devShells = { default = pkgs.mkShell { - packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ]; + packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ]; }; }; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index d5a152f..4b35351 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -10,7 +10,10 @@ ]; commonSettings = { - nix.enableMirrors = true; + nix = { + enableMirrors = true; + signing.enable = true; + }; }; # Bootloader. diff --git a/modules/nixos/common-nix-conf.nix b/modules/nixos/common-nix-conf.nix index 00929ce..9d7f31e 100644 --- a/modules/nixos/common-nix-conf.nix +++ b/modules/nixos/common-nix-conf.nix @@ -12,6 +12,13 @@ in type = types.bool; }; enableMirrors = mkEnableOption "cache.nixos.org mirrors in Mainland China"; + signing = { + enable = mkEnableOption "Sign locally-built paths"; + keyFile = mkOption { + default = "/etc/nix/key.private"; + type = types.str; + }; + }; }; config = mkIf cfg.enable { 
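Review bot: `keyFile` is declared as `types.str`, which is the right choice — a `types.path` value would be copied into the world-readable Nix store — but that reasoning is invisible and the next refactor may "correct" it; add `# str, not path: the private key must never be copied into /nix/store` on the option. A `description` should also say the file is read by the nix daemon only and should be mode 0600, root-owned, since `secret-key-files` signs every locally built path with it.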
@@ -41,9 +48,13 @@ in ]; trusted-public-keys = [ - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y=" + ]; + + secret-key-files = mkIf cfg.signing.enable [ + cfg.signing.keyFile ]; }; }; From 46c943dea9061920664ac083327a633e89136e4f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 22 Jul 2024 16:15:45 +0800 Subject: [PATCH 094/136] refactor: load global variable with macro, rename symbols --- src/loader.cpp | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/src/loader.cpp b/src/loader.cpp index cab95ab..fa5b062 100644 --- a/src/loader.cpp +++ b/src/loader.cpp @@ -9,7 +9,7 @@ Target::Target(const std::string &name, const std::string &func_prefix, meta = {.name = name, .libpath = path, - .dlhandle = dlopen(path.c_str(), RTLD_LAZY)}; + .dlhandle = dlopen(path.c_str(), RTLD_NOW)}; if (!meta.dlhandle) { throw std::runtime_error(dlerror()); @@ -17,9 +17,9 @@ Target::Target(const std::string &name, const std::string &func_prefix, #define LOAD_SYMBOL(ops, handle, prefix, name) \ do { \ - ops.name = reinterpret_cast( \ - dlsym(handle, (prefix + #name).c_str())); \ - if (!ops.name) \ + (ops).name = reinterpret_cast( \ + dlsym((handle), ((prefix) + #name).c_str())); \ + if (!((ops).name)) \ goto load_error; \ } while (0); 
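Review bot: Dropping `cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=` from `trusted-public-keys` while the module still adds the bfsu/ustc mirrors under `enableMirrors` leaves those mirrors' paths untrusted — they serve cache.nixos.org's store paths signed with that key — so as far as this module shows Nix will refuse them and build locally; and because `trusted-public-keys` replaces the built-in default, the key is not retained implicitly either. Unless that is intended, keep the key in the list. The added `xin-1:` key together with `secret-key-files` looks right for signing local builds.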
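Review bot: The `LOAD_SYMBOL` macro still ends with `} while (0);` (context line), so each `LOAD_SYMBOL(...);` use expands to two statements and an unbraced `if (...) LOAD_SYMBOL(...); else ...` would not compile; drop the trailing `;` from the macro. The added parenthesisation is good. `RTLD_NOW` makes unresolved symbols fail at `dlopen` instead of at first call, which is worth a one-line comment on the `dlopen` line.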
@@ -34,22 +34,14 @@ Target::Target(const std::string &name, const std::string &func_prefix, LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, on_interrupt); LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, init); + LOAD_SYMBOL(*this, meta.dlhandle, func_prefix, do_difftest); + *do_difftest = true; + + LOAD_SYMBOL(*this, meta.dlhandle, func_prefix, dbg_state_size); + args.resize(*dbg_state_size); + LOAD_SYMBOL(*this, meta.dlhandle, func_prefix, isa_arch_info); #undef LOAD_SYMBOL - size_t *argsize_sym; - argsize_sym = reinterpret_cast(dlsym(meta.dlhandle, "argsize")); - if (!argsize_sym) - goto load_error; - - argsize = *argsize_sym; - args = std::vector(argsize); - - arch_info_t *arch_sym; - arch_sym = - reinterpret_cast(dlsym(meta.dlhandle, "isa_arch_info")); - if (!arch_sym) - goto load_error; - arch = *arch_sym; return; load_error: From 5228b6117d5dd1732b746e2f5590451dbf8d00e8 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 22 Jul 2024 16:20:19 +0800 Subject: [PATCH 095/136] feat: process custom gdb commands --- flake.lock | 8 ++--- flake.nix | 1 - include/api.hpp | 7 ++-- include/config.hpp | 2 ++ include/difftest.hpp | 27 ++++++++++---- src/cli.cpp | 8 +++-- src/difftest.cpp | 55 ++++++++++++++++++++++------- src/gdbstub.cpp | 84 +++++++++++++++++++++++++++++++++++++++++--- src/main.cpp | 11 +++--- 9 files changed, 164 insertions(+), 39 deletions(-) diff --git a/flake.lock b/flake.lock index b4bf5e4..5e5d23f 100644 --- a/flake.lock +++ b/flake.lock @@ -112,11 +112,11 @@ ] }, "locked": { - "lastModified": 1714033851, - "narHash": "sha256-Mi7m3p9vmtNOdyD1hLse/tzxDuV3bwP0gKrmOBPiQ4c=", + "lastModified": 1721457008, + "narHash": "sha256-ekpve0om5hzC1Ntd3zm1cZ9oS5pnr7a2n/tueyqFOsg=", "ref": "refs/heads/master", - "rev": "809554f41ac44acc4b1ec21473746c2af9993f2f", - "revCount": 149, + "rev": "e7aa3319d52fa987ac2192f63aef3dcb1b057e3a", + "revCount": 151, "type": "git", "url": "https://git.xinyang.life/xin/nur.git" }, 
diff --git a/flake.nix b/flake.nix index f79213a..a78db2d 100644 --- a/flake.nix +++ b/flake.nix @@ -52,4 +52,3 @@ } ); } - diff --git a/include/api.hpp b/include/api.hpp index ed19fd0..114aee8 100644 --- a/include/api.hpp +++ b/include/api.hpp @@ -53,10 +53,11 @@ class Target { public: DiffTargetApi ops; TargetMeta meta; - arch_info_t arch; - size_t argsize; std::vector args; // used as a buffer to store target specific values + bool *do_difftest; + arch_info_t *isa_arch_info; + size_t *dbg_state_size; gdb_action_t last_res; Target(){}; @@ -68,4 +69,4 @@ public: bool is_on_breakpoint(const gdb_action_t &res) const; }; -#endif \ No newline at end of file +#endif diff --git a/include/config.hpp b/include/config.hpp index bb90278..7574852 100644 --- a/include/config.hpp +++ b/include/config.hpp @@ -10,6 +10,8 @@ struct Config { std::vector refs_prefix; std::filesystem::path dut; std::string dut_prefix = ""; + std::string gdbstub_addr = "/tmp/gdbstub-diffu.sock"; + bool use_debugger = false; int cli_parse(int argc, char **argv); }; diff --git a/include/difftest.hpp b/include/difftest.hpp index 4985516..7410e0e 100644 --- a/include/difftest.hpp +++ b/include/difftest.hpp @@ -16,8 +16,19 @@ private: // target used for read_reg, write_reg, read_mem, write_mem Target *current_target = &dut; + bool halt_status = false; + inline void start_run() { + __atomic_store_n(&halt_status, false, __ATOMIC_RELAXED); + }; + inline bool is_halt() { + return __atomic_load_n(&halt_status, __ATOMIC_RELAXED); + }; - bool exec(size_t n, gdb_action_t *ret); + struct ExecRet { + bool at_breakpoint; + bool do_difftest; + }; + ExecRet exec(size_t n, gdb_action_t *ret); public: Difftest(Target &&dut, std::vector &&refs); 
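Review bot: The new members `do_difftest`, `isa_arch_info` and `dbg_state_size` are raw pointers resolved with `dlsym` into the loaded library's globals (see loader.cpp), so they are not owned, are only valid while `meta.dlhandle` is open, and the library can change them underneath; nothing in the header says so. Suggest a comment on the group: `// Pointers into the loaded library's globals (dlsym); not owned, valid only while dlhandle is open.`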
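Review bot: The default `gdbstub_addr = "/tmp/gdbstub-diffu.sock"` is a fixed name in the shared, world-writable `/tmp`: any local user can pre-create the path or connect to it, and the gdb remote protocol carries no authentication, so a connection gets read/write over every target's registers and memory plus the new `monitor` commands. Prefer a per-user location such as `$XDG_RUNTIME_DIR`, and document on `use_debugger` that `-g` opens an unauthenticated control interface; the old `127.0.0.1:1234` default had the same exposure to local users.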
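Review bot: `halt_status` is a plain `bool` driven through `__atomic_store_n`/`__atomic_load_n`, which is compiler-specific and easy to bypass by touching the field directly; the project targets C++17, so `std::atomic<bool> halt_status{false};` with `halt_status.store(false, std::memory_order_relaxed)` and `halt_status.load(std::memory_order_relaxed)` says the same thing portably (needs `#include <atomic>`). Relaxed ordering is fine for a stop flag that carries no other data — a comment saying so would pre-empt the question. The stray `;` after each inline member body is a nit.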
@@ -35,14 +46,16 @@ public: bool del_bp(size_t addr, bp_type_t type); bool check_all(); + int sync_regs_to_ref(void); - arch_info_t get_arch() const { - std::cout << dut.arch.reg_num << std::endl; - return dut.arch; - } + inline void halt() { + __atomic_store_n(&halt_status, true, __ATOMIC_RELAXED); + }; + + arch_info_t get_arch() const { return *dut.isa_arch_info; } static bool check(Target &dut, Target &ref) { - for (int r = 0; r < dut.arch.reg_num; r++) { + for (int r = 0; r < dut.isa_arch_info->reg_num; r++) { size_t regdut = 0, regref = 0; dut.ops.read_reg(dut.args.data(), r, ®dut); ref.ops.read_reg(ref.args.data(), r, ®ref); @@ -92,4 +105,4 @@ public: Iterator end() { return Iterator(*this, refs.size(), false); } }; -#endif \ No newline at end of file +#endif diff --git a/src/cli.cpp b/src/cli.cpp index a92ecbb..add616d 100644 --- a/src/cli.cpp +++ b/src/cli.cpp @@ -24,8 +24,12 @@ int Config::cli_parse(int argc, char **argv) { app.add_option("--dut-prefix", dut_prefix, "Optional prefix for design under test"); + app.add_option("--listen", gdbstub_addr, "Gdb remote listen address"); + + app.add_flag("-g", use_debugger, "Launch gdb remote stub"); + app.set_config("-c,--config") - ->transform(CLI::FileOnDefaultPath("./difftest.toml")); + ->transform(CLI::FileOnDefaultPath("difftest.toml")); // Default value for refs_prefix app.callback([&]() { @@ -45,4 +49,4 @@ int Config::cli_parse(int argc, char **argv) { CLI11_PARSE(app, argc, argv); return 0; -} \ No newline at end of file +} diff --git a/src/difftest.cpp b/src/difftest.cpp index 3d5d333..8da7c30 100644 --- a/src/difftest.cpp +++ b/src/difftest.cpp 
@@ -11,8 +11,8 @@ Difftest::Difftest(Target &&dut, std::vector &&refs) { this->refs = std::move(refs); for (const auto &ref : refs) { - if (dut.arch.reg_byte != ref.arch.reg_byte || - dut.arch.reg_num != ref.arch.reg_num) { + if (dut.isa_arch_info->reg_byte != ref.isa_arch_info->reg_byte || + dut.isa_arch_info->reg_num != ref.isa_arch_info->reg_num) { throw std::runtime_error("Ref and dut must have the same architecture"); } } @@ -36,9 +36,9 @@ void Difftest::setup(const std::filesystem::path &memory_file) { for (auto it = this->begin(); it != this->end(); ++it) { auto &target = *it; target.ops.init(target.args.data()); - target.ops.write_mem(target.args.data(), 0x80000000UL, membuf.size(), - membuf.data()); - target.ops.write_reg(target.args.data(), 32, 0x80000000UL); + if (target.ops.write_mem(target.args.data(), 0x80000000UL, membuf.size(), + membuf.data()) != 0) + throw std::runtime_error("write_mem failed"); } } @@ -49,26 +49,29 @@ bool Difftest::check_all() { return true; } -bool Difftest::exec(size_t n, gdb_action_t *ret) { +Difftest::ExecRet Difftest::exec(size_t n, gdb_action_t *ret) { + ExecRet exec_ret = {.at_breakpoint = false, .do_difftest = true}; while (n--) { - bool breakflag = false; Target *pbreak = &(*(this->begin())); + // TODO: For improvement, use ThreadPool here for concurrent execution? for (auto it = this->begin(); it != this->end(); ++it) { auto &target = *it; + *target.do_difftest = true; target.ops.stepi(target.args.data(), &target.last_res); if (target.is_on_breakpoint()) { - breakflag = true; + exec_ret.at_breakpoint = true; pbreak = ⌖ } + exec_ret.do_difftest = *target.do_difftest && exec_ret.do_difftest; } - if (breakflag) { + if (exec_ret.at_breakpoint) { ret->reason = pbreak->last_res.reason; ret->data = pbreak->last_res.data; - return false; + break; } } - return true; + return exec_ret; } gdb_action_t Difftest::stepi() { 
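Review bot: Removing `target.ops.write_reg(target.args.data(), 32, 0x80000000UL)` from `setup` drops the initial PC write with nothing saying where the entry point is now set; if the library's `init` does it, add `// init() sets the entry point; only memory is loaded here` next to the `init` call, whose return value is still unchecked while `write_mem` now throws. In the `exec` hunk `pbreak` ends up as the last target that stopped, so when two targets stop for different reasons only one is reported — `// last stopper wins` would document that. The `TODO` about a thread pool should note that `*target.do_difftest` is written before and read after each `stepi`, which any concurrent version must keep per target.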
@@ -80,8 +83,14 @@ gdb_action_t Difftest::stepi() { gdb_action_t Difftest::cont() { gdb_action_t ret = {.reason = gdb_action_t::ACT_NONE}; - while (exec(1, &ret)) { - check_all(); + ExecRet exec_ret; + start_run(); + while (!is_halt()) { + exec_ret = exec(1, &ret); + if (exec_ret.do_difftest) + check_all(); + if (exec_ret.at_breakpoint) + break; }; return ret; } @@ -96,6 +105,26 @@ int Difftest::write_reg(int regno, size_t value) { value); } +int Difftest::sync_regs_to_ref(void) { + std::vector regs; + int ret = 0; + for (int i = 0; i <= get_arch().reg_num; i++) { + size_t r; + ret = dut.ops.read_reg(dut.args.data(), i, &r); + if (ret) + return ret; + regs.push_back(r); + } + for (auto &ref : refs) { + for (int i = 0; i <= get_arch().reg_num; i++) { + ret = ref.ops.write_reg(ref.args.data(), i, regs.at(i)); + if (ret) + return ret; + } + } + return ret; +} + int Difftest::read_mem(size_t addr, size_t len, void *val) { return current_target->ops.read_mem(current_target->args.data(), addr, len, val); diff --git a/src/gdbstub.cpp b/src/gdbstub.cpp index 583c4e3..6d613bb 100644 --- a/src/gdbstub.cpp +++ b/src/gdbstub.cpp @@ -1,4 +1,8 @@ +#include +#include +#include #include +#include extern "C" { #include } 
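Review bot: `cont()` still discards the result of `check_all()`, so a mismatch (if reported through its `bool`, which I cannot see from here) neither stops the loop nor reaches `ret`; `if (exec_ret.do_difftest && !check_all()) break;` would make the stop observable to the debugger. The `};` after the while block is an empty statement.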
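Review bot: `for (int i = 0; i <= get_arch().reg_num; i++)` in `sync_regs_to_ref` iterates one past `reg_num`, while `check()` in difftest.hpp uses `r < reg_num`; if index `reg_num` is the PC (earlier code reads register 32 for the stop address) add `// reg_num GPRs plus the PC at index reg_num`, otherwise this is an off-by-one that touches a register the target does not have. Hoisting `get_arch().reg_num` into a local and calling `regs.reserve` on it also removes the repeated call. A doc comment such as `// Copy every dut register into each ref; returns the first non-zero ops status.` would fix the otherwise unexplained return value.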
@@ -43,7 +47,71 @@ static bool difftest_del_bp(void *args, size_t addr, bp_type_t type) { return diff->del_bp(addr, type); } -int gdbstub_loop(Difftest *diff) { +static void difftest_on_interrupt(void *args) { + Difftest *diff = (Difftest *)args; + puts("interrupt"); + diff->halt(); +} + +std::vector split_into_args(const std::string &command) { + std::istringstream iss(command); + std::vector args; + std::string token; + while (iss >> token) { + args.push_back(token); + } + return args; +} + +static char *gdbstub_monitor(void *args, const char *s) { + Difftest *diff = (Difftest *)args; + CLI::App parser; + std::string ret = ""; + + parser.add_subcommand("help", "Print help message")->callback([&]() { + ret = parser.help(); + }); + auto sync = parser.add_subcommand("sync", "Sync states between targets") + ->callback([&]() { diff->sync_regs_to_ref(); }); + + std::string cmdstr; + int slen = strlen(s); + int ch; + for (int i = 0; i < slen; i += 2) { + sscanf(&s[i], "%02x", &ch); + cmdstr.push_back(ch); + } + + auto arglist = split_into_args(cmdstr); + std::vector argv = {""}; + for (const auto &arg : arglist) { + argv.push_back(static_cast(arg.c_str())); + } + + try { + (parser).parse((argv.size()), (argv.data())); + } catch (const CLI ::ParseError &e) { + std::ostringstream os; + os << "Failed to parse " << cmdstr << std::endl + << parser.help() << std::endl; + ret = os.str(); + } + + if (ret[0] == '\0') { + return NULL; + } else { + std::ostringstream ret_stream; + // Set formatting options for the stream + ret_stream << std::hex << std::setfill('0'); + + for (unsigned char c : ret) { + ret_stream << std::setw(2) << static_cast(c); + } + return strdup(ret_stream.str().c_str()); + } +} + +int gdbstub_loop(Difftest *diff, std::string socket_addr) { target_ops gdbstub_ops = {.cont = difftest_cont, .stepi = difftest_stepi, .read_reg = difftest_read_reg, 
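Review bot: The hex decoder in `gdbstub_monitor` trusts its input: `ch` is an uninitialised `int` that is pushed even when `sscanf` matches nothing, `%02x` formally expects an `unsigned int*`, and an odd-length or non-hex string from the gdb client therefore injects an indeterminate byte into `cmdstr` instead of being rejected. Since the string comes straight from the remote debugger, validate it and report through the existing `ret` path, as below. Smaller points in the same hunk: `ret[0] == '\0'` reads better as `ret.empty()`, `puts("interrupt")` looks like leftover debugging, and the `strdup` result needs a comment saying who frees it (the library's contract is not visible here).
```cpp
  std::string cmdstr;
  size_t slen = strlen(s);
  // s is a hex-encoded command from the gdb client: validate before decoding.
  if (slen % 2 != 0)
    ret = "Malformed monitor command: odd-length hex string\n";
  for (size_t i = 0; ret.empty() && i < slen; i += 2) {
    unsigned int ch = 0;
    if (sscanf(&s[i], "%02x", &ch) != 1) {
      ret = "Malformed monitor command: non-hex byte\n";
      break;
    }
    cmdstr.push_back(static_cast<char>(ch));
  }
  if (ret.empty()) {
    // … unchanged: split_into_args, argv construction, parser.parse / catch …
  }
  // … unchanged: hex-encode ret and strdup …
```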
@@ -52,13 +120,19 @@ int gdbstub_loop(Difftest *diff) { .write_mem = difftest_write_mem, .set_bp = difftest_set_bp, .del_bp = difftest_del_bp, - .on_interrupt = NULL}; + .on_interrupt = difftest_on_interrupt, + .monitor = gdbstub_monitor}; gdbstub_t gdbstub_priv; - char socket_addr[] = "127.0.0.1:1234"; - gdbstub_init(&gdbstub_priv, &gdbstub_ops, diff->get_arch(), socket_addr); std::cout << "Waiting for gdb connection at " << socket_addr << std::endl; + + if (!gdbstub_init(&gdbstub_priv, &gdbstub_ops, diff->get_arch(), + socket_addr.c_str())) { + std::cerr << "Failed to init socket at: " << socket_addr << std::endl; + return false; + } + bool success = gdbstub_run(&gdbstub_priv, diff); gdbstub_close(&gdbstub_priv); return !success; -} \ No newline at end of file +} diff --git a/src/main.cpp b/src/main.cpp index eed1644..7b1110d 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -2,9 +2,8 @@ #include "config.hpp" #include "difftest.hpp" -// extern "C" { -int gdbstub_loop(Difftest *); -// } +int gdbstub_loop(Difftest *, std::string); + int main(int argc, char **argv) { Config config; int ret = 0; @@ -27,7 +26,11 @@ int main(int argc, char **argv) { difftest.setup(config.memory_file); - gdbstub_loop(&difftest); + if (config.use_debugger) { + gdbstub_loop(&difftest, config.gdbstub_addr); + } else { + difftest.cont(); + } return 0; } From 837149b8f642b10d36b9d04e3dc8a819f73b3a18 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 22 Jul 2024 16:43:02 +0800 Subject: [PATCH 096/136] feat(home-manager): bind zellij pane key --- modules/home-manager/zellij.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix index 6eda3e5..e03047c 100644 --- a/modules/home-manager/zellij.nix +++ b/modules/home-manager/zellij.nix @@ -19,6 +19,13 @@ in "Ctrl p" "Ctrl n" ]; + shared_except = { + _args = [ "pane" "locked" ]; + bind = { + _args = [ "Ctrl b"]; + SwitchToMode = "Pane"; + }; + }; }; }; }; 
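Review bot: On `gdbstub_init` failure `gdbstub_loop` does `return false;` from an `int` function whose success path is `return !success;`, so a failed bind and a clean run both yield 0 and the caller cannot tell them apart; return a non-zero value, e.g. `return 1;`. The listen address is now caller-supplied instead of the former hard-coded `127.0.0.1:1234`, and the stub exposes memory and register writes plus the monitor command with no authentication, so a comment at the "Waiting for gdb connection" line — or a warning when the address is not a loopback one — would make that exposure explicit to whoever sets `gdbstub_addr`.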
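Review bot: In `main` the return value of `gdbstub_loop` is discarded even though `ret` is declared for exactly that purpose a few lines earlier; `ret = gdbstub_loop(&difftest, config.gdbstub_addr);` and `return ret;` instead of `return 0;` lets a failed socket setup fail the run. The non-debugger branch likewise ignores the `gdb_action_t` that `difftest.cont()` returns, which is fine if only its side effects matter, but a short comment saying so would help. The enclosing `main` starts in the preceding hunk.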
From 1ce5b9ef9ab3ee55e868a510368315c80a6d2493 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 22 Jul 2024 16:45:21 +0800 Subject: [PATCH 097/136] feat(home-manager): add atuin --- home/xin/calcite.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 9ba1359..b26d5d8 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -54,4 +54,9 @@ vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; }; zellij = { enable = true; }; }; + + programs.atuin = { + enable = true; + flags = [ "--disable-up-arrow" ]; + }; } From 4d41ff63eb710ece8661da586485d1e294dca764 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 22 Jul 2024 17:30:02 +0800 Subject: [PATCH 098/136] chore: create package for nix --- CMakeLists.txt | 2 ++ default.nix | 17 +++++++++++++++++ flake.nix | 1 + src/CMakeLists.txt | 2 ++ 4 files changed, 22 insertions(+) create mode 100644 default.nix diff --git a/CMakeLists.txt b/CMakeLists.txt index de98228..5d0720c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -4,5 +4,7 @@ project(difftest) set(CMAKE_CXX_STANDARD 17) set(CMAKE_C_STANDARD 17) +include(GNUInstallDirs) + include_directories(include) add_subdirectory(src) diff --git a/default.nix b/default.nix new file mode 100644 index 0000000..e632c4c --- /dev/null +++ b/default.nix @@ -0,0 +1,17 @@ +{ lib +, stdenv +, cmake +, mini-gdbstub +, cli11 +}: stdenv.mkDerivation { + pname = "diffu"; + version = "0.0.0"; + + src = ./.; + + nativeBuildInputs = [ + cmake + mini-gdbstub + cli11 + ]; +} diff --git a/flake.nix b/flake.nix index a78db2d..fb8fb90 100644 --- a/flake.nix +++ b/flake.nix @@ -49,6 +49,7 @@ mini-gdbstub ]; }; + packages.default = pkgs.callPackage ./default.nix { }; } ); } diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 696b8e9..2c13e71 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -1,2 +1,4 @@
 add_executable(diffu cli.cpp difftest.cpp gdbstub.cpp loader.cpp main.cpp)
 target_link_libraries(diffu PRIVATE gdbstub)
+install ( TARGETS diffu )
+
From 645b0f607ae510fda4d71b8152ea932a2b38bc32 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Mon, 22 Jul 2024 17:39:52 +0800
Subject: [PATCH 099/136] doc: add README
---
README.md | 1 +
1 file changed, 1 insertion(+)
create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ded87f0
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# diffu
From ffb223d03fd059e867d121ea0f1289c3127420a2 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Mon, 29 Jul 2024 14:56:01 +0800
Subject: [PATCH 100/136] feat(modules): add modules for some common settings
---
modules/nixos/common-settings/auth.nix | 41 +++++++++++++++++++
.../nix-conf.nix} | 0
modules/nixos/default.nix | 3 +-
modules/nixos/vaultwarden.nix | 4 +-
4 files changed, 45 insertions(+), 3 deletions(-)
create mode 100644 modules/nixos/common-settings/auth.nix
rename modules/nixos/{common-nix-conf.nix => common-settings/nix-conf.nix} (100%)
diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix
new file mode 100644
index 0000000..f70d350
--- /dev/null
+++ b/modules/nixos/common-settings/auth.nix
@@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkEnableOption mkOption types; + + cfg = config.commonSettings.auth; +in +{ + options.commonSettings.auth = { + enable = mkEnableOption "Common auth settings for servers"; + }; + + config = mkIf cfg.enable { + custom.kanidm-client = { + enable = true; + uri = "https://auth.xinyang.life"; + asSSHAuth = { + enable = true; + allowedGroups = [ "linux_users" ]; + }; + sudoers = [ "xin@auth.xinyang.life" ]; + }; + + services.openssh = { + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = "no"; + GSSAPIAuthentication = "no"; + KerberosAuthentication = "no"; + }; + }; + services.fail2ban.enable = true; + + security.sudo = { + execWheelOnly = true; + wheelNeedsPassword = false; + }; + }; +} + diff --git a/modules/nixos/common-nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix similarity index 100% rename from modules/nixos/common-nix-conf.nix rename to modules/nixos/common-settings/nix-conf.nix diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 0d64656..7908b49 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,7 +1,8 @@ { config, pkgs, ... }: { imports = [ - ./common-nix-conf.nix + ./common-settings/auth.nix + ./common-settings/nix-conf.nix ./restic.nix ./vaultwarden.nix ./prometheus.nix diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix index 6c0af66..b4c7d04 100644 --- a/modules/nixos/vaultwarden.nix +++ b/modules/nixos/vaultwarden.nix @@ -22,8 +22,8 @@ in # TODO: mailserver support }; }; - config = { - services.vaultwarden = mkIf cfg.enable { + config = mkIf cfg.enable { + services.vaultwarden = { enable = true; dbBackend = "sqlite"; config = { From 56f7449ed9e49530cd6b4ea7b7377018acd95db6 Mon Sep 17 00:00:00 2001 
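Review bot: `security.sudo.wheelNeedsPassword = false` in `auth.nix` grants passwordless root to every wheel member on every server that enables `commonSettings.auth`, so a stolen or forwarded SSH key is root with no further check; `execWheelOnly = true` limits who may run sudo but not what it costs. If this is deliberate because kanidm-provisioned users have no local password for sudo to prompt for, say so next to the option, e.g. `# kanidm users have no local password, so sudo cannot prompt; wheel membership (via kanidm sudoers) is the only gate`, otherwise drop the line and keep the default. Whether `custom.kanidm-client.sudoers` maps to wheel membership is not visible here and should be confirmed before relying on it.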
From: xinyangli Date: Mon, 29 Jul 2024 14:56:28 +0800 Subject: [PATCH 101/136] feat(weilite): add a vm for running immich --- flake.lock | 60 ++++++++++++------------ flake.nix | 13 ++++++ machines/weilite/default.nix | 88 ++++++++++++++++++++++++++++++++++++ 3 files changed, 131 insertions(+), 30 deletions(-) create mode 100644 machines/weilite/default.nix diff --git a/flake.lock b/flake.lock index 299f626..6a58e96 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "catppuccin": { "locked": { - "lastModified": 1720472194, - "narHash": "sha256-CYscFEts6tyvosc1T29nxhzIYJAj/1CCEkV3ZMzSN/c=", + "lastModified": 1721784420, + "narHash": "sha256-bgF6fN4Qgk7NErFKGuuqWXcLORsiykTYyqMUFRiAUBY=", "owner": "catppuccin", "repo": "nix", - "rev": "d75d5803852fb0833767dc969a4581ac13204e22", + "rev": "8bdb55cc1c13f572b6e4307a3c0d64f1ae286a4f", "type": "github" }, "original": { @@ -99,11 +99,11 @@ ] }, "locked": { - "lastModified": 1720734513, - "narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=", + "lastModified": 1722119539, + "narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=", "owner": "nix-community", "repo": "home-manager", - "rev": "90ae324e2c56af10f20549ab72014804a3064c7f", + "rev": "d0240a064db3987eb4d5204cf2400bc4452d9922", "type": "github" }, "original": { @@ -119,11 +119,11 @@ ] }, "locked": { - "lastModified": 1720926593, - "narHash": "sha256-fW6e27L6qY6s+TxInwrS2EXZZfhMAlaNqT0sWS49qMA=", + "lastModified": 1722136042, + "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "5fe5b0cdf1268112dc96319388819b46dc051ef4", + "rev": "c0ca47e8523b578464014961059999d8eddd4aae", "type": "github" }, "original": { 
@@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1720920808, - "narHash": "sha256-aq9nBiDz0i+JH47YDtPcx/f5OaMMxy/JvBNLDMe97aI=", + "lastModified": 1722130475, + "narHash": "sha256-VT2GvIRL8+nNSQ/XS9N6m42VDBiNDy7Luz3wMHoPLBk=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "2571d560820e4ce23cf060a4460cebc0d9d17f60", + "rev": "25a36236f5051034e2085fb3414493c921bb1994", "type": "github" }, "original": { @@ -158,11 +158,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1720737798, - "narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=", + "lastModified": 1722114937, + "narHash": "sha256-MOZ9woPwdpFJcHx3wic2Mlw9aztdKjMnFT3FaeLzJkM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751", + "rev": "e67b60fb1b2c3aad2202d95b91d4c218cf2a4fdd", "type": "github" }, "original": { @@ -174,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1721187324, - "narHash": "sha256-QA/hwTo9TsEbtTxFjHdyIopyRqVbC3psML9D1CuSGcg=", + "lastModified": 1722178855, + "narHash": "sha256-x842DNrWlcEW4O3ghvoVDkphr8ve1AWzSU2E25Q0hMM=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "5a00e83edebdcf87790dfa0a304b092f4e3ed694", + "rev": "85549341bb07139d6d12531114d45efad79cfb60", "type": "github" }, "original": { @@ -190,11 +190,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1720691131, - "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", + "lastModified": 1722087241, + "narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", + "rev": "8c50662509100d53229d4be607f1a3a31157fa12", "type": "github" }, "original": { 
@@ -206,11 +206,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1720915306, - "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=", + "lastModified": 1721524707, + "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d", + "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", "type": "github" }, "original": { @@ -222,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1720935990, - "narHash": "sha256-SAji50yPFmnQfD2XsDHk6tqEkRHDcWMpEoOlnEneqAY=", + "lastModified": 1722176547, + "narHash": "sha256-Z1nF2QaPEVdflInS3R1++mAJR0TIZ1V5hKNm8x6OjFA=", "owner": "nix-community", "repo": "NUR", - "rev": "42851361fdfde870bfd7e3c71f2ac5d3113c63d6", + "rev": "4bf1f4aecb27b07334f138eb22668c76d14ce62d", "type": "github" }, "original": { @@ -258,11 +258,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1720926522, - "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=", + "lastModified": 1722114803, + "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "0703ba03fd9c1665f8ab68cc3487302475164617", + "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 422c338..7b39af7 100644 --- a/flake.nix +++ b/flake.nix @@ -59,6 +59,7 @@ , ... }@inputs: let sharedHmModules = [ + inputs.sops-nix.homeManagerModules.sops inputs.nix-index-database.hmModules.nix-index catppuccin.homeManagerModules.catppuccin self.homeManagerModules @@ -175,6 +176,18 @@ machines/raspite/configuration.nix ] ++ sharedColmenaModules; }; + + weilite = { ... }: { + imports = [ + machines/weilite + ] ++ sharedColmenaModules; + deployment = { + targetHost = "weilite.coho-tet.ts.net"; + targetPort = 2222; + buildOnTarget = false; + }; + nixpkgs.system = "x86_64-linux"; + }; }; nixosConfigurations = { 
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix new file mode 100644 index 0000000..83bd70b --- /dev/null +++ b/machines/weilite/default.nix @@ -0,0 +1,88 @@ +{ config, pkgs, lib, modulesPath, ... }: + +with lib; + +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + config = { + networking.hostName = "weilite"; + commonSettings = { + auth.enable = true; + nix = { + enable = true; + enableMirrors = true; + }; + }; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; + kernelModules = [ "kvm-intel" ]; + }; + + environment.systemPackages = [ + pkgs.virtiofsd + ]; + + systemd.mounts = [ + { what = "XinPhotos"; + where = "/mnt/XinPhotos"; + type = "virtiofs"; + wantedBy = [ "immich-server.service" ]; + } + ]; + + services.openssh.ports = [ 22 2222 ]; + + services.immich = { + enable = true; + mediaLocation = "/mnt/XinPhotos/immich"; + host = "127.0.0.1"; + port = 3001; + openFirewall = true; + machine-learning.enable = false; + environment = { + IMMICH_MACHINE_LEARNING_ENABLED = "false"; + }; + }; + + services.dae = { + enable = true; + configFile = "/var/lib/dae/config.dae"; + }; + + services.tailscale = { + enable = true; + openFirewall = true; + permitCertUid = "caddy"; + }; + + services.caddy = { + enable = true; + virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = '' + reverse_proxy 127.0.0.1:${toString config.services.immich.port} + ''; + }; + + time.timeZone = "Asia/Shanghai"; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = { + device = "/dev/sda1"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + system.stateVersion = "24.11"; + }; +} From c4cb1165140d77f66a28e4d432591ee34ca2c10c Mon Sep 17 00:00:00 2001 
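Review bot: `services.immich.openFirewall = true` punches port 3001 through the host firewall even though `host = "127.0.0.1"` means Immich only listens on loopback and is reached via the Caddy reverse proxy on the tailnet; the rule does nothing today but silently exposes Immich the moment `host` is changed, so `openFirewall = false;` is the safer default here. The `XinPhotos` virtiofs mount carries no options, so the share is mounted with device nodes and setuid honored; `options = "nodev,nosuid";` (or `ro` where only reads are needed) costs nothing for a photo store. `fileSystems."/boot".device = "/dev/sda1"` is also a kernel-enumeration name rather than a label/UUID, which can change when the VM's disk layout does.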
From: xinyangli Date: Tue, 30 Jul 2024 10:59:12 +0800 Subject: [PATCH 102/136] feat(massicot): provision kanidm --- flake.lock | 30 ++++++------ flake.nix | 3 +- machines/massicot/default.nix | 1 + machines/massicot/services.nix | 83 ++++++++++++++++++++++++++++++++-- 4 files changed, 97 insertions(+), 20 deletions(-) diff --git a/flake.lock b/flake.lock index 6a58e96..e74d8bd 100644 --- a/flake.lock +++ b/flake.lock @@ -99,11 +99,11 @@ ] }, "locked": { - "lastModified": 1722119539, - "narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=", + "lastModified": 1722203588, + "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=", "owner": "nix-community", "repo": "home-manager", - "rev": "d0240a064db3987eb4d5204cf2400bc4452d9922", + "rev": "792757f643cedc13f02098d8ed506d82e19ec1da", "type": "github" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1722130475, - "narHash": "sha256-VT2GvIRL8+nNSQ/XS9N6m42VDBiNDy7Luz3wMHoPLBk=", + "lastModified": 1722302960, + "narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "25a36236f5051034e2085fb3414493c921bb1994", + "rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66", "type": "github" }, "original": { @@ -158,11 +158,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1722114937, - "narHash": "sha256-MOZ9woPwdpFJcHx3wic2Mlw9aztdKjMnFT3FaeLzJkM=", + "lastModified": 1722278305, + "narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "e67b60fb1b2c3aad2202d95b91d4c218cf2a4fdd", + "rev": "eab049fe178c11395d65a858ba1b56461ba9652d", "type": "github" }, "original": { 
@@ -174,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722178855, - "narHash": "sha256-x842DNrWlcEW4O3ghvoVDkphr8ve1AWzSU2E25Q0hMM=", + "lastModified": 1722307517, + "narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "85549341bb07139d6d12531114d45efad79cfb60", + "rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34", "type": "github" }, "original": { @@ -222,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1722176547, - "narHash": "sha256-Z1nF2QaPEVdflInS3R1++mAJR0TIZ1V5hKNm8x6OjFA=", + "lastModified": 1722304333, + "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=", "owner": "nix-community", "repo": "NUR", - "rev": "4bf1f4aecb27b07334f138eb22668c76d14ce62d", + "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 7b39af7..c2ba7c6 100644 --- a/flake.nix +++ b/flake.nix @@ -101,6 +101,7 @@ }; in { + nixpkgs = nixpkgs; nixosModules.default = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; @@ -183,7 +184,7 @@ ] ++ sharedColmenaModules; deployment = { targetHost = "weilite.coho-tet.ts.net"; - targetPort = 2222; + targetPort = 22; buildOnTarget = false; }; nixpkgs.system = "x86_64-linux"; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 66c7b50..56cbfe5 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -33,6 +33,7 @@ boot.loader.grub = { enable = true; efiSupport = true; + configurationLimit = 5; }; fileSystems."/mnt/storage" = { diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index a9889f0..2bb6541 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -63,6 +63,7 @@ in }; }; services.kanidm = { + package = pkgs.kanidm.withSecretProvisioning; enableServer = true; serverSettings = { domain = "auth.xinyang.life"; 
@@ -72,6 +73,84 @@ in tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; # db_path = "/var/lib/kanidm/kanidm.db"; }; + provision = { + enable = true; + autoRemove = true; + groups = { + forgejo-access = { + members = [ "xin" ]; + }; + gts-users = { + members = [ "xin" ]; + }; + ocis-users = { + members = [ "xin" ]; + }; + linux_users = { + members = [ "xin" ]; + }; + hedgedoc-users = { + members = [ "xin" ]; + }; + immich-users = { + members = [ "xin" "zhuo" ]; + }; + }; + persons = { + xin = { + displayName = "Xinyang Li"; + mailAddresses = [ "lixinyang411@gmail.com" ]; + }; + + zhuo = { + displayName = "Zhuo"; + mailAddresses = [ "13681104320@163.com" ]; + }; + }; + systems.oauth2 = { + forgejo = { + displayName = "ForgeJo"; + originUrl = "https://git.xinyang.life/"; + originLanding = " https://git.xinyang.life/user/oauth2/kandim"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + forgejo-access = [ "openid" "email" "profile" "groups" ]; + }; + }; + gts = { + displayName = "GoToSocial"; + originUrl = "https://xinyang.life/"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + gts-users = [ "openid" "email" "profile" "groups" ]; + }; + }; + owncloud = { + displayName = "ownCloud"; + originUrl = "https://home.xinyang.life:9201/"; + public = true; + scopeMaps = { + ocis-users = [ "openid" "email" "profile" ]; + }; + }; + hedgedoc = { + displayName = "HedgeDoc"; + originUrl = "https://docs.xinyang.life/"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + hedgedoc-users = [ "openid" "email" "profile" ]; + }; + }; + immich-mobile = { + displayName = "Immich"; + originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + immich-users = [ "openid" "email" "profile" ]; + }; + }; + }; + }; }; services.matrix-conduit = { enable = true; 
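Review bot: Four of the five OAuth2 clients set `allowInsecureClientDisablePkce = true` (forgejo, gts, hedgedoc, immich-mobile), which removes the protection PKCE gives the authorization-code flow against code interception; `immich-mobile` in particular is a native app redirect, the case PKCE was designed for. Keep the flag only for a client whose deployed version verifiably cannot do PKCE and document that per client, e.g. `allowInsecureClientDisablePkce = true; # <client> <version> does not support PKCE, re-check on upgrade`, and drop it where the client supports PKCE. `originLanding` for forgejo also begins with a space (`" https://git..."`), which will not resolve as a landing URL.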
@@ -179,10 +258,6 @@ in virtualHosts."http://auth.xinyang.life:80".extraConfig = '' reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} - route { - reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first - abort - } ''; virtualHosts."https://auth.xinyang.life".extraConfig = '' reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { From 13ce7e87b0944366e3a8db9cbb62793b15220216 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 30 Jul 2024 11:01:07 +0800 Subject: [PATCH 103/136] feat(weilite): make immich public --- .sops.yaml | 7 +++++- machines/weilite/default.nix | 46 ++++++++++++++++++++++++++++++++--- machines/weilite/secrets.yaml | 30 +++++++++++++++++++++++ 3 files changed, 79 insertions(+), 4 deletions(-) create mode 100644 machines/weilite/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 4c42092..a716cb1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,6 +6,7 @@ keys: - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta + - &host-weilite age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: @@ -37,6 +38,11 @@ creation_rules: - age: - *xin - *host-la-00 + - path-regex: machines/weilite/secrets.yaml + key_groups: + - age: + - *xin + - *host-weilite - path_regex: machines/secrets.yaml key_groups: - age: @@ -53,4 +59,3 @@ creation_rules: - *xin - *host-raspite - *host-calcite - diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 83bd70b..0f6bf18 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix 
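Review bot: The new `.sops.yaml` rule for weilite uses the key `path-regex`, but sops reads `path_regex`; a creation rule without a recognized path regex acts as a catch-all, and rules are matched first-match in order, so if sops ignores the unknown key this rule would capture `machines/secrets.yaml` and every later path and encrypt them to `xin` plus `host-weilite` only, making the remaining rules unreachable. Fix is the one line `- path_regex: machines/weilite/secrets.yaml`. After correcting it, re-run `sops updatekeys` on the affected files and confirm their recipient lists match the intended hosts.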
@@ -1,9 +1,10 @@ -{ config, pkgs, lib, modulesPath, ... }: +{ inputs, config, pkgs, lib, modulesPath, ... }: with lib; { imports = [ + inputs.sops-nix.nixosModules.sops (modulesPath + "/profiles/qemu-guest.nix") ]; @@ -30,10 +31,28 @@ with lib; pkgs.virtiofsd ]; + sops = { + defaultSopsFile = ./secrets.yaml; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets = { + cloudflare_dns_token = { + owner = "caddy"; + mode = "400"; + }; + }; + }; + systemd.mounts = [ - { what = "XinPhotos"; - where = "/mnt/XinPhotos"; + { what = "immich"; + where = "/mnt/XinPhotos/immich"; type = "virtiofs"; + options = "rw"; + wantedBy = [ "immich-server.service" ]; + } + { what = "originals"; + where = "/mnt/XinPhotos/originals"; + type = "virtiofs"; + options = "ro,nodev,nosuid"; wantedBy = [ "immich-server.service" ]; } ]; @@ -65,9 +84,30 @@ with lib; services.caddy = { enable = true; + package = pkgs.caddy.withPlugins { + caddyModules = [ + { repo = "github.com/caddy-dns/cloudflare"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; } + ]; + vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk="; + }; virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = '' reverse_proxy 127.0.0.1:${toString config.services.immich.port} ''; + # API Token must be added in systemd environment file + virtualHosts."immich.xinyang.life:8000".extraConfig = '' + tls { + dns cloudflare {env.CLOUDFLARE_API_TOKEN} + } + reverse_proxy 127.0.0.1:${toString config.services.immich.port} + ''; + }; + + networking.firewall.allowedTCPPorts = [ 8000 ]; + + systemd.services.caddy = { + serviceConfig = { + EnvironmentFile = config.sops.secrets.cloudflare_dns_token.path; + }; }; time.timeZone = "Asia/Shanghai"; diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml new file mode 100644 index 0000000..02f78d6 --- /dev/null +++ b/machines/weilite/secrets.yaml 
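Review bot: The rw `immich` virtiofs mount has `options = "rw"` while the sibling `originals` mount gets `ro,nodev,nosuid`; Immich only needs to write regular files there, so `options = "rw,nodev,nosuid";` keeps the two mounts consistent. systemd parses `EnvironmentFile` as `KEY=VALUE` lines, so the decrypted `cloudflare_dns_token` must literally contain `CLOUDFLARE_API_TOKEN=<token>`; a bare token yields an empty `{env.CLOUDFLARE_API_TOKEN}` and a failed DNS challenge, and the comment "API Token must be added in systemd environment file" would be clearer as `# secret must be a KEY=VALUE line: CLOUDFLARE_API_TOKEN=<token> (loaded via EnvironmentFile)`. Opening 8000 also makes Immich's login endpoint reachable from the internet, so consider pairing it with rate limiting or fail2ban on the Caddy access log.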
@@ -0,0 +1,30 @@ +cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYkRNYmtjUkpoOXhRY1Yz + UkxnSEJiSXRvMy9WQWx5R1VHYVlnL1R2Tm1jCk8yUi80MG9kTWtSRndXRThuVThv + bERaUGwzaVJDem9IeFFIb2hiT1ZjTzQKLS0tIHo4bDJQa2dVbTl1aWxyYVd6bkl0 + c0g5TW03TU51L1hiSk95S05Eaks5TEEKBfA6XNAtcl7bKgDyVmuO6M45x9IJ7gqV + Nd+BvOK+iomEubZqsyMPLM3NfOL1dwSOnmwSdUZasUzuGCaw6IdlOA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZlVTY1hhcC95RExJL1Jn + blBncWxlWmxsQS8vQ3dhd1pXR1VCbXltUEQ4ClE0NEZweERYK3cyelpDRjkrNlBH + RHBIQTI0M2pnNm5qdnorNWFmMmd0ZFUKLS0tIEE4cFVteUZjT04wbk1RSWlmOU1P + V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV + RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-29T09:05:41Z" + mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 From 2d995896c265b7e4b5511a0939d4cb179303dca9 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Tue, 30 Jul 2024 11:01:07 +0800 Subject: [PATCH 104/136] feat(weilite): make immich public --- flake.lock | 6 +- machines/massicot/kanidm-provision.nix | 78 +++++++++++++++++++++++++ machines/massicot/services.nix | 79 +------------------------- 3 files changed, 82 insertions(+), 81 deletions(-) create mode 100644 machines/massicot/kanidm-provision.nix diff --git a/flake.lock b/flake.lock index e74d8bd..70b6d93 100644 --- a/flake.lock +++ b/flake.lock @@ -222,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1722304333, - "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=", + "lastModified": 1722309060, + "narHash": "sha256-lJ5auEUvSI0H0GwW5yWLgizvJ2A+N4aL2u2Xqa6JVCc=", "owner": "nix-community", "repo": "NUR", - "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e", + "rev": "e491266f3f0e1fee7709c4d3d68130b5500dcd46", "type": "github" }, "original": { diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix new file mode 100644 index 0000000..0fdb7b1 --- /dev/null +++ b/machines/massicot/kanidm-provision.nix 
@@ -0,0 +1,78 @@ +{ + enable = true; + autoRemove = true; + groups = { + forgejo-access = { + members = [ "xin" ]; + }; + gts-users = { + members = [ "xin" ]; + }; + ocis-users = { + members = [ "xin" ]; + }; + linux_users = { + members = [ "xin" ]; + }; + hedgedoc-users = { + members = [ "xin" ]; + }; + immich-users = { + members = [ "xin" "zhuo" ]; + }; + }; + persons = { + xin = { + displayName = "Xinyang Li"; + mailAddresses = [ "lixinyang411@gmail.com" ]; + }; + + zhuo = { + displayName = "Zhuo"; + mailAddresses = [ "13681104320@163.com" ]; + }; + }; + systems.oauth2 = { + forgejo = { + displayName = "ForgeJo"; + originUrl = "https://git.xinyang.life/"; + originLanding = " https://git.xinyang.life/user/oauth2/kandim"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + forgejo-access = [ "openid" "email" "profile" "groups" ]; + }; + }; + gts = { + displayName = "GoToSocial"; + originUrl = "https://xinyang.life/"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + gts-users = [ "openid" "email" "profile" "groups" ]; + }; + }; + owncloud = { + displayName = "ownCloud"; + originUrl = "https://home.xinyang.life:9201/"; + public = true; + scopeMaps = { + ocis-users = [ "openid" "email" "profile" ]; + }; + }; + hedgedoc = { + displayName = "HedgeDoc"; + originUrl = "https://docs.xinyang.life/"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + hedgedoc-users = [ "openid" "email" "profile" ]; + }; + }; + immich-mobile = { + displayName = "Immich"; + originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + immich-users = [ "openid" "email" "profile" ]; + }; + }; + }; +} \ No newline at end of file diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 2bb6541..6c87d4a 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
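Review bot: In the extracted `kanidm-provision.nix`, `originLanding = " https://git.xinyang.life/user/oauth2/kandim"` still has a leading space, and `kandim` looks like a typo for `kanidm` — though it is Forgejo's authentication-source name, so confirm against Forgejo before changing it; the corrected line would be `originLanding = "https://git.xinyang.life/user/oauth2/kanidm";`. The file also lacks a trailing newline. Since this is now a plain attribute set imported into `services.kanidm.provision`, a one-line header comment saying so (and that `autoRemove = true` will delete anything not listed here) would help the next editor.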
@@ -73,84 +73,7 @@ in tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; # db_path = "/var/lib/kanidm/kanidm.db"; }; - provision = { - enable = true; - autoRemove = true; - groups = { - forgejo-access = { - members = [ "xin" ]; - }; - gts-users = { - members = [ "xin" ]; - }; - ocis-users = { - members = [ "xin" ]; - }; - linux_users = { - members = [ "xin" ]; - }; - hedgedoc-users = { - members = [ "xin" ]; - }; - immich-users = { - members = [ "xin" "zhuo" ]; - }; - }; - persons = { - xin = { - displayName = "Xinyang Li"; - mailAddresses = [ "lixinyang411@gmail.com" ]; - }; - - zhuo = { - displayName = "Zhuo"; - mailAddresses = [ "13681104320@163.com" ]; - }; - }; - systems.oauth2 = { - forgejo = { - displayName = "ForgeJo"; - originUrl = "https://git.xinyang.life/"; - originLanding = " https://git.xinyang.life/user/oauth2/kandim"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - forgejo-access = [ "openid" "email" "profile" "groups" ]; - }; - }; - gts = { - displayName = "GoToSocial"; - originUrl = "https://xinyang.life/"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - gts-users = [ "openid" "email" "profile" "groups" ]; - }; - }; - owncloud = { - displayName = "ownCloud"; - originUrl = "https://home.xinyang.life:9201/"; - public = true; - scopeMaps = { - ocis-users = [ "openid" "email" "profile" ]; - }; - }; - hedgedoc = { - displayName = "HedgeDoc"; - originUrl = "https://docs.xinyang.life/"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - hedgedoc-users = [ "openid" "email" "profile" ]; - }; - }; - immich-mobile = { - displayName = "Immich"; - originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - immich-users = [ "openid" "email" "profile" ]; - }; - }; - }; - }; + provision = import ./kanidm-provision.nix; }; services.matrix-conduit = { enable = true; 
From 62fe085b31e1cb022ac91bb8ff33baca5aa47e1c Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 30 Jul 2024 11:31:27 +0800 Subject: [PATCH 105/136] fix ci --- modules/nixos/hedgedoc.nix | 8 ++++---- modules/nixos/prometheus.nix | 4 ++-- modules/nixos/restic.nix | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/nixos/hedgedoc.nix b/modules/nixos/hedgedoc.nix index 934420d..6aa5de2 100644 --- a/modules/nixos/hedgedoc.nix +++ b/modules/nixos/hedgedoc.nix @@ -44,8 +44,8 @@ in }; }; }; - config = { - services.hedgedoc = mkIf cfg.enable { + config = mkIf cfg.enable { + services.hedgedoc = { enable = true; environmentFile = cfg.environmentFile; settings = { @@ -71,13 +71,13 @@ in defaultPermission = "private"; }; }; - services.caddy = mkIf ( cfg.enable && cfg.enable ) { + services.caddy = mkIf cfg.caddy { enable = true; virtualHosts."https://${cfg.domain}".extraConfig = '' reverse_proxy unix/${config.services.hedgedoc.settings.path} ''; }; - users.users.caddy.extraGroups = mkIf ( cfg.enable && cfg.enable ) [ "hedgedoc" ]; + users.users.caddy.extraGroups = mkIf cfg.caddy [ "hedgedoc" ]; }; } diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix index 5234e76..9ddd255 100644 --- a/modules/nixos/prometheus.nix +++ b/modules/nixos/prometheus.nix @@ -25,7 +25,7 @@ in }; }; - config = mkMerge [{ + config = mkIf cfg.enable (mkMerge [{ services.caddy.globalConfig = '' servers { metrics @@ -91,5 +91,5 @@ in }) ]; } - ]; + ]); } diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix index 178d599..07a8dad 100644 --- a/modules/nixos/restic.nix +++ b/modules/nixos/restic.nix @@ -16,8 +16,8 @@ in }; }; }; - config = { - services.restic.backups = lib.mkIf cfg.enable { + config = lib.mkIf cfg.enable { + services.restic.backups = { remotebackup = { repositoryFile = cfg.repositoryFile; passwordFile = cfg.passwordFile; From f418cf8620070d429f9b2e74a196dc913d68cd83 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Tue, 30 Jul 2024 15:56:02 +0800 Subject: [PATCH 106/136] feat: better prometheus integration --- modules/nixos/prometheus.nix | 274 +++++++++++++++++++++++++++-------- 1 file changed, 212 insertions(+), 62 deletions(-) diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix index 9ddd255..b4a02cc 100644 --- a/modules/nixos/prometheus.nix +++ b/modules/nixos/prometheus.nix 
@@ -25,71 +25,221 @@ in }; }; - config = mkIf cfg.enable (mkMerge [{ - services.caddy.globalConfig = '' - servers { - metrics - } - ''; - services.restic.server.prometheus = cfg.enable; - services.gotosocial.settings = { - metrics-enable = true; - }; - services.prometheus = mkIf cfg.enable { - enable = true; - port = 9091; - globalConfig.external_labels = { hostname = config.networking.hostName; }; - remoteWrite = mkIf cfg.grafana.enable [ - { name = "grafana"; - url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push"; - basic_auth = { - username = "1340065"; - password_file = cfg.grafana.password_file; - }; - } - ]; - exporters = { - node = { - enable = true; - enabledCollectors = [ "systemd" ]; - port = 9100; - }; + config = mkIf cfg.enable (mkMerge [ + { + services.tailscale = { + enable = true; + permitCertUid = config.services.caddy.user; }; - scrapeConfigs = [ - { job_name = "prometheus"; - static_configs = [ - { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } - ]; + + services.caddy = { + enable = true; + virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = '' + reverse_proxy 127.0.0.1:${toString config.services.prometheus.port} + ''; + }; + + services.caddy.globalConfig = '' + servers { + metrics } - { job_name = "node"; - static_configs = [ - { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } + ''; + services.restic.server.prometheus = cfg.enable; + services.gotosocial.settings = mkIf cfg.enable { + metrics-enabled = true; + }; + services.ntfy-sh.settings.enable-metrics = true; + + services.prometheus = mkIf cfg.enable + { + enable = true; + port = 9091; + globalConfig.external_labels = { hostname = config.networking.hostName; }; + remoteWrite = mkIf cfg.grafana.enable [ + { + name = "grafana"; + url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push"; + basic_auth = { + username = "1340065"; + password_file = 
cfg.grafana.password_file; + }; + } ]; - } + exporters = { + node = { + enable = true; + enabledCollectors = [ + "conntrack" + "diskstats" + "entropy" + "filefd" + "filesystem" + "loadavg" + "meminfo" + "netdev" + "netstat" + "stat" + "time" + "vmstat" + "systemd" + "logind" + "interrupts" + "ksmd" + ]; + port = 9100; + }; + }; + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } + ]; + } + { + job_name = "node"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } + ]; + } + ]; + + alertmanager = { + enable = true; + listenAddress = "127.0.0.1"; + logLevel = "debug"; + configuration = { + route = { + receiver = "ntfy"; + }; + receivers = [ + { + name = "ntfy"; + webhook_configs = [ + { + url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL '' + Alert {{.status}} + {{range .alerts}}-----{{range $k,$v := .labels}} + {{$k}}={{$v}}{{end}} + {{end}} + ''}"; + send_resolved = true; + } + ]; + } + ]; + }; + }; + + alertmanagers = [ + { + scheme = "http"; + static_configs = [ + { + targets = [ + "${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}" + ]; + } + ]; + } + ]; + + rules = let mkRule = condition: { ... }@rule: (if condition then [ rule ] else [ ]); in [ + (lib.generators.toYAML { } { + groups = (mkRule true + { + name = "system_alerts"; + rules = [ + { + alert = "SystemdFailedUnits"; + expr = "node_systemd_unit_state{state=\"failed\"} > 0"; + for = "5m"; + labels = { severity = "critical"; }; + annotations = { summary = "Systemd has failed units on {{ $labels.instance }}"; description = "There are {{ $value }} failed units on {{ $labels.instance }}. 
Immediate attention required!"; }; + } + { + alert = "HighLoadAverage"; + expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})"; + for = "1m"; + labels = { severity = "warning"; }; + annotations = { summary = "High load average detected on {{ $labels.instance }}"; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; }; + } + { + alert = "HighTransmitTraffic"; + expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; + for = "1m"; + labels = { severity = "warning"; }; + annotations = { summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; }; + } + ]; + }) ++ (mkRule config.services.restic.server.enable { + name = "restic_alerts"; + rules = [ + { + alert = "ResticCheckFailed"; + expr = "restic_check_success == 0"; + for = "5m"; + labels = { severity = "critical"; }; + annotations = { summary = "Restic check failed (instance {{ $labels.instance }})"; description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; + } + { + alert = "ResticOutdatedBackup"; + expr = "time() - restic_backup_timestamp > 518400"; + for = "0m"; + labels = { severity = "critical"; }; + annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; + } + ]; + }) ++ (mkRule config.services.caddy.enable { + name = "caddy_alerts"; + rules = [ + { + alert = "UpstreamHealthy"; + expr = "caddy_reverse_proxy_upstreams_healthy == 0"; + for = "5m"; + labels = { severity = "critical"; }; + annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; }; + } + { + alert = "HighRequestLatency"; + expr = "histogram_quantile(0.95, 
rate(caddy_http_request_duration_seconds_bucket[10m])) > 0.5"; + for = "2m"; + labels = { severity = "warning"; }; + annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; + } + ]; + }); + }) + ]; + }; + } + { + services.prometheus.scrapeConfigs = [ + (mkIf config.services.caddy.enable { + job_name = "caddy"; + static_configs = [ + { targets = [ "localhost:2019" ]; } + ]; + }) + (mkIf config.services.restic.server.enable { + job_name = "restic"; + static_configs = [ + { targets = [ config.services.restic.server.listenAddress ]; } + ]; + }) + (mkIf config.services.gotosocial.enable { + job_name = "gotosocial"; + static_configs = [ + { targets = [ "localhost:${toString config.services.gotosocial.settings.port}" ]; } + ]; + }) + (mkIf config.services.ntfy-sh.enable { + job_name = "ntfy-sh"; + static_configs = [ + { targets = [ "auth.xinyang.life" ]; } + ]; + }) ]; - }; - } - { - services.prometheus.scrapeConfigs = [ - ( mkIf config.services.caddy.enable { - job_name = "caddy"; - static_configs = [ - { targets = [ "localhost:2019" ]; } - ]; - }) - ( mkIf config.services.restic.server.enable { - job_name = "restic"; - static_configs = [ - { targets = [ config.services.restic.server.listenAddress ]; } - ]; - }) - ( mkIf config.services.gotosocial.enable { - job_name = "gotosocial"; - static_configs = [ - { targets = [ "localhost:${toString config.services.gotosocial.settings.port}" ]; } - ]; - }) - ]; - } + } ]); } From 9b38853216d0e4af781957107278b1d56885611a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 31 Jul 2024 11:38:44 +0800 Subject: [PATCH 107/136] massicot/ntfy-sh: add --- machines/massicot/kanidm-provision.nix | 1 + machines/massicot/services.nix | 27 ++++++++++++++++++++++++++ modules/nixos/prometheus.nix | 2 +- 3 files changed, 29 insertions(+), 1 deletion(-) 
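Review bot: The `ntfy-sh` scrape job added in the second `mkMerge` element targets `"auth.xinyang.life"`, which does not match the ntfy base URL the alertmanager webhook a few screens above posts to (`https://ntfy.xinyang.life/...`); it looks copied from another host and should read `{ targets = [ "ntfy.xinyang.life" ]; }` or, better, a loopback address. Separately, the new `services.caddy.virtualHosts."${config.networking.hostName}.coho-tet.ts.net"` block reverse-proxies Prometheus with no authentication, so every member of the tailnet can run arbitrary queries against the instance; if that is intended, say so in a comment, otherwise gate it with a Caddy `basic_auth` block or a tailnet ACL. The `UpstreamHealthy` summary interpolates `{{ $labels.unstream }}`, which is not a label on `caddy_reverse_proxy_upstreams_healthy` (Caddy names it `upstream`), so the name will render empty; the same typo is carried into `modules/nixos/prometheus/caddy.nix` in patch 108. `alertmanager.logLevel = "debug"` also looks like a leftover that will be noisy on a production host.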
diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 0fdb7b1..9eb10dd 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -61,6 +61,7 @@ hedgedoc = { displayName = "HedgeDoc"; originUrl = "https://docs.xinyang.life/"; + originLanding = "https://docs.xinyang.life/auth/oauth2"; allowInsecureClientDisablePkce = true; scopeMaps = { hedgedoc-users = [ "openid" "email" "profile" ]; diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 6c87d4a..f7c9b6b 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -62,6 +62,19 @@ in group = "kanidm"; }; }; + + services.ntfy-sh = { + enable = true; + group = "caddy"; + settings = { + listen-unix = "/var/run/ntfy-sh/ntfy.sock"; + listen-unix-mode = 432; # octal 0660 + base-url = "https://ntfy.xinyang.life"; + }; + }; + + systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh"; + services.kanidm = { package = pkgs.kanidm.withSecretProvisioning; enableServer = true; @@ -161,6 +174,11 @@ in }; users.groups.git = { }; + users.users = { + ${config.services.caddy.user}.extraGroups = [ + config.services.ntfy-sh.group + ]; + }; services.caddy = { enable = true; @@ -191,5 +209,14 @@ in } } ''; + virtualHosts."https://ntfy.xinyang.life".extraConfig = '' + reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix} + @httpget { + protocol http + method GET + path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/) + } + redir @httpget https://{host}{uri} + ''; }; } diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix index b4a02cc..d7e23fc 100644 --- a/modules/nixos/prometheus.nix +++ b/modules/nixos/prometheus.nix 
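Review bot: The new `services.ntfy-sh` block in the first `services.nix` hunk configures no access control — neither `auth-file` nor `auth-default-access` is set — and ntfy's default for anonymous clients is read-write, so with the public `https://ntfy.xinyang.life` vhost added in the last hunk anyone who knows or guesses a topic name can subscribe to it or publish into it. The `prometheus-alerts` topic that alertmanager posts hostnames and failed-unit names to is the obvious case. Unless access is restricted somewhere not shown here, add `auth-file = "<path to ntfy user db>";` and `auth-default-access = "deny-all";` to `settings` and give alertmanager a write-only credential. `listen-unix-mode = 432; # octal 0660` is consistent with adding the caddy user to the ntfy-sh group in the second hunk.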
@@ -202,7 +202,7 @@ in } { alert = "HighRequestLatency"; - expr = "histogram_quantile(0.95, rate(caddy_http_request_duration_seconds_bucket[10m])) > 0.5"; + expr = "histogram_quantile(0.95, rate(caddy_http_request_duration_seconds_bucket[10m])) > 5"; for = "2m"; labels = { severity = "warning"; }; annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; From 5fe7ff043449c8c4b42b34428e59cb161590150e Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 31 Jul 2024 14:27:03 +0800 Subject: [PATCH 108/136] modules/prometheus: split exporters and alerts to seperate files --- modules/nixos/default.nix | 2 +- modules/nixos/prometheus.nix | 245 ------------------------ modules/nixos/prometheus/caddy.nix | 45 +++++ modules/nixos/prometheus/default.nix | 194 +++++++++++++++++++ modules/nixos/prometheus/gotosocial.nix | 19 ++ modules/nixos/prometheus/ntfy-sh.nix | 17 ++ modules/nixos/prometheus/restic.nix | 41 ++++ 7 files changed, 317 insertions(+), 246 deletions(-) delete mode 100644 modules/nixos/prometheus.nix create mode 100644 modules/nixos/prometheus/caddy.nix create mode 100644 modules/nixos/prometheus/default.nix create mode 100644 modules/nixos/prometheus/gotosocial.nix create mode 100644 modules/nixos/prometheus/ntfy-sh.nix create mode 100644 modules/nixos/prometheus/restic.nix diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 7908b49..0b31ac1 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -5,7 +5,7 @@ ./common-settings/nix-conf.nix ./restic.nix ./vaultwarden.nix - ./prometheus.nix + ./prometheus ./hedgedoc.nix ./sing-box.nix ./kanidm-client.nix diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix deleted file mode 100644 index d7e23fc..0000000 --- a/modules/nixos/prometheus.nix +++ /dev/null 
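Review bot: The threshold changes from `> 0.5` to `> 5`, but the `description` annotation on the unchanged line below still says "above 0.5 seconds", so the notification will misstate the condition it fired on. Change it to `description = "95th percentile of request latency is above 5 seconds for the last 2 minutes.";`. The same stale text is carried into `modules/nixos/prometheus/caddy.nix` in patch 108, where the `HighRequestLatency` rule is recreated with `> 5`.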
@@ -1,245 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.custom.prometheus; -in -{ - options = { - custom.prometheus = { - enable = mkEnableOption "Prometheus instance"; - exporters = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable Prometheus exporter on every supported services"; - }; - }; - grafana = { - enable = mkEnableOption "Grafana Cloud"; - password_file = mkOption { - type = types.path; - }; - }; - }; - }; - - config = mkIf cfg.enable (mkMerge [ - { - services.tailscale = { - enable = true; - permitCertUid = config.services.caddy.user; - }; - - services.caddy = { - enable = true; - virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = '' - reverse_proxy 127.0.0.1:${toString config.services.prometheus.port} - ''; - }; - - services.caddy.globalConfig = '' - servers { - metrics - } - ''; - services.restic.server.prometheus = cfg.enable; - services.gotosocial.settings = mkIf cfg.enable { - metrics-enabled = true; - }; - services.ntfy-sh.settings.enable-metrics = true; - - services.prometheus = mkIf cfg.enable - { - enable = true; - port = 9091; - globalConfig.external_labels = { hostname = config.networking.hostName; }; - remoteWrite = mkIf cfg.grafana.enable [ - { - name = "grafana"; - url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push"; - basic_auth = { - username = "1340065"; - password_file = cfg.grafana.password_file; - }; - } - ]; - exporters = { - node = { - enable = true; - enabledCollectors = [ - "conntrack" - "diskstats" - "entropy" - "filefd" - "filesystem" - "loadavg" - "meminfo" - "netdev" - "netstat" - "stat" - "time" - "vmstat" - "systemd" - "logind" - "interrupts" - "ksmd" - ]; - port = 9100; - }; - }; - scrapeConfigs = [ - { - job_name = "prometheus"; - static_configs = [ - { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } - ]; - } - { - job_name = "node"; - static_configs = [ - { targets = [ 
"localhost:${toString config.services.prometheus.exporters.node.port}" ]; } - ]; - } - ]; - - alertmanager = { - enable = true; - listenAddress = "127.0.0.1"; - logLevel = "debug"; - configuration = { - route = { - receiver = "ntfy"; - }; - receivers = [ - { - name = "ntfy"; - webhook_configs = [ - { - url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL '' - Alert {{.status}} - {{range .alerts}}-----{{range $k,$v := .labels}} - {{$k}}={{$v}}{{end}} - {{end}} - ''}"; - send_resolved = true; - } - ]; - } - ]; - }; - }; - - alertmanagers = [ - { - scheme = "http"; - static_configs = [ - { - targets = [ - "${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}" - ]; - } - ]; - } - ]; - - rules = let mkRule = condition: { ... }@rule: (if condition then [ rule ] else [ ]); in [ - (lib.generators.toYAML { } { - groups = (mkRule true - { - name = "system_alerts"; - rules = [ - { - alert = "SystemdFailedUnits"; - expr = "node_systemd_unit_state{state=\"failed\"} > 0"; - for = "5m"; - labels = { severity = "critical"; }; - annotations = { summary = "Systemd has failed units on {{ $labels.instance }}"; description = "There are {{ $value }} failed units on {{ $labels.instance }}. 
Immediate attention required!"; }; - } - { - alert = "HighLoadAverage"; - expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})"; - for = "1m"; - labels = { severity = "warning"; }; - annotations = { summary = "High load average detected on {{ $labels.instance }}"; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; }; - } - { - alert = "HighTransmitTraffic"; - expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; - for = "1m"; - labels = { severity = "warning"; }; - annotations = { summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; }; - } - ]; - }) ++ (mkRule config.services.restic.server.enable { - name = "restic_alerts"; - rules = [ - { - alert = "ResticCheckFailed"; - expr = "restic_check_success == 0"; - for = "5m"; - labels = { severity = "critical"; }; - annotations = { summary = "Restic check failed (instance {{ $labels.instance }})"; description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; - } - { - alert = "ResticOutdatedBackup"; - expr = "time() - restic_backup_timestamp > 518400"; - for = "0m"; - labels = { severity = "critical"; }; - annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; - } - ]; - }) ++ (mkRule config.services.caddy.enable { - name = "caddy_alerts"; - rules = [ - { - alert = "UpstreamHealthy"; - expr = "caddy_reverse_proxy_upstreams_healthy == 0"; - for = "5m"; - labels = { severity = "critical"; }; - annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; }; - } - { - alert = "HighRequestLatency"; - expr = "histogram_quantile(0.95, 
rate(caddy_http_request_duration_seconds_bucket[10m])) > 5"; - for = "2m"; - labels = { severity = "warning"; }; - annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; - } - ]; - }); - }) - ]; - }; - } - { - services.prometheus.scrapeConfigs = [ - (mkIf config.services.caddy.enable { - job_name = "caddy"; - static_configs = [ - { targets = [ "localhost:2019" ]; } - ]; - }) - (mkIf config.services.restic.server.enable { - job_name = "restic"; - static_configs = [ - { targets = [ config.services.restic.server.listenAddress ]; } - ]; - }) - (mkIf config.services.gotosocial.enable { - job_name = "gotosocial"; - static_configs = [ - { targets = [ "localhost:${toString config.services.gotosocial.settings.port}" ]; } - ]; - }) - (mkIf config.services.ntfy-sh.enable { - job_name = "ntfy-sh"; - static_configs = [ - { targets = [ "auth.xinyang.life" ]; } - ]; - }) - ]; - } - ]); -} diff --git a/modules/nixos/prometheus/caddy.nix b/modules/nixos/prometheus/caddy.nix new file mode 100644 index 0000000..a62b639 --- /dev/null +++ b/modules/nixos/prometheus/caddy.nix 
@@ -0,0 +1,45 @@ +{ config, lib, ... }: +let + cfg = config.custom.prometheus; +in +{ + config = lib.mkIf cfg.enable { + services.caddy.globalConfig = lib.mkIf cfg.exporters.caddy.enable '' + servers { + metrics + } + ''; + + services.prometheus.scrapeConfigs = [ + (lib.mkIf cfg.exporters.caddy.enable { + job_name = "caddy"; + static_configs = [ + { targets = [ "127.0.0.1:2019" ]; } + ]; + }) + ]; + + custom.prometheus.ruleModules = [ + (lib.mkIf cfg.exporters.caddy.enable { + name = "caddy_alerts"; + rules = [ + { + alert = "UpstreamHealthy"; + expr = "caddy_reverse_proxy_upstreams_healthy != 1"; + for = "5m"; + labels = { severity = "critical"; }; + annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; }; + } + { + alert = "HighRequestLatency"; + expr = "histogram_quantile(0.95, rate(caddy_http_request_duration_seconds_bucket[10m])) > 5"; + for = "2m"; + labels = { severity = "warning"; }; + annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; + } + ]; + }) + ]; + }; + +} diff --git a/modules/nixos/prometheus/default.nix b/modules/nixos/prometheus/default.nix new file mode 100644 index 0000000..803b9aa --- /dev/null +++ b/modules/nixos/prometheus/default.nix 
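Review bot: The first rule in `caddy_alerts` is named `UpstreamHealthy`, but its expression `caddy_reverse_proxy_upstreams_healthy != 1` fires when an upstream is *not* healthy, so the alert name reads as the opposite of the condition in every notification and in the ntfy template that prints `{{.status}}`; `alert = "UpstreamUnhealthy";` would match the summary text. The change from `== 0` to `!= 1` is fine since the metric is a 0/1 gauge, but a short comment such as `# 1 = healthy; anything else means the health check is failing` would save the next reader the lookup.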
@@ -0,0 +1,194 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.custom.prometheus; + exporterCfg = config.custom.prometheus.exporters; + mkExporterOption = enableOption: (mkOption { + type = types.bool; + default = enableOption; + description = "Enable this exporter"; + }); + + mkRulesOption = mkOption { + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = lib.types.str; + }; + rules = mkOption { + type = lib.types.listOf lib.types.attrs; + }; + }; + }); + }; +in +{ + imports = [ + ./caddy.nix + ./gotosocial.nix + ./ntfy-sh.nix + ./restic.nix + ]; + + options = { + custom.prometheus = { + enable = mkEnableOption "Prometheus instance"; + exporters = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable Prometheus exporter on every supported services"; + }; + + restic.enable = mkExporterOption config.services.restic.server.enable; + caddy.enable = mkExporterOption config.services.caddy.enable; + gotosocial.enable = mkExporterOption config.services.gotosocial.enable; + ntfy-sh.enable = mkExporterOption config.services.gotosocial.enable; + }; + grafana = { + enable = mkEnableOption "Grafana Cloud"; + password_file = mkOption { + type = types.path; + }; + }; + ruleModules = mkRulesOption; + }; + }; + + config = mkIf cfg.enable + { + services.tailscale = { + enable = true; + permitCertUid = config.services.caddy.user; + openFirewall = true; + }; + + services.caddy = { + enable = true; + virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = '' + reverse_proxy 127.0.0.1:${toString config.services.prometheus.port} + ''; + }; + + services.prometheus = mkIf cfg.enable + { + enable = true; + port = 9091; + globalConfig.external_labels = { hostname = config.networking.hostName; }; + remoteWrite = mkIf cfg.grafana.enable [ + { + name = "grafana"; + url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push"; + basic_auth = { + username = "1340065"; + 
password_file = cfg.grafana.password_file; + }; + } + ]; + exporters = { + node = { + enable = true; + enabledCollectors = [ + "diskstats" + "loadavg" + "time" + "systemd" + ]; + port = 9100; + }; + }; + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } + ]; + } + { + job_name = "node"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } + ]; + } + ]; + + alertmanager = { + enable = true; + listenAddress = "127.0.0.1"; + logLevel = "debug"; + configuration = { + route = { + receiver = "ntfy"; + }; + receivers = [ + { + name = "ntfy"; + webhook_configs = [ + { + url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL '' + Alert {{.status}} + {{range .alerts}}-----{{range $k,$v := .labels}} + {{$k}}={{$v}}{{end}} + {{end}} + ''}"; + send_resolved = true; + } + ]; + } + ]; + }; + }; + + alertmanagers = [ + { + scheme = "http"; + static_configs = [ + { + targets = [ + "${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}" + ]; + } + ]; + } + ]; + rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ]; + }; + custom.prometheus.ruleModules = [ + { + name = "system_alerts"; + rules = [ + { + alert = "SystemdFailedUnits"; + expr = "node_systemd_unit_state{state=\"failed\"} > 0"; + for = "5m"; + labels = { severity = "critical"; }; + annotations = { summary = "Systemd has failed units on {{ $labels.instance }}"; description = "There are {{ $value }} failed units on {{ $labels.instance }}. 
Immediate attention required!"; }; + } + { + alert = "HighLoadAverage"; + expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})"; + for = "1m"; + labels = { severity = "warning"; }; + annotations = { summary = "High load average detected on {{ $labels.instance }}"; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; }; + } + { + alert = "HighTransmitTraffic"; + expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; + for = "1m"; + labels = { severity = "warning"; }; + annotations = { summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; }; + } + { + alert = "NetworkTrafficExceedLimit"; + expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200''; + for = "0m"; + labels = { severity = "critical"; }; + annotations = { summary = "Outbound network traffic exceed 300GB for last 30 day"; }; + } + ]; + } + ]; + }; +} diff --git a/modules/nixos/prometheus/gotosocial.nix b/modules/nixos/prometheus/gotosocial.nix new file mode 100644 index 0000000..4870e88 --- /dev/null +++ b/modules/nixos/prometheus/gotosocial.nix @@ -0,0 +1,19 @@ +{ config, lib, ... }: +let + cfg = config.custom.prometheus; +in +{ + config = lib.mkIf cfg.exporters.gotosocial.enable { + services.gotosocial.settings = lib.mkIf cfg.exporters.gotosocial.enable { + metrics-enabled = true; + }; + services.prometheus.scrapeConfigs = [ + { + job_name = "gotosocial"; + static_configs = [ + { targets = [ "localhost:8080" ]; } + ]; + } + ]; + }; +} diff --git a/modules/nixos/prometheus/ntfy-sh.nix b/modules/nixos/prometheus/ntfy-sh.nix new file mode 100644 index 0000000..35d62ff --- /dev/null +++ b/modules/nixos/prometheus/ntfy-sh.nix 
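Review bot: `ntfy-sh.enable = mkExporterOption config.services.gotosocial.enable;` in the `exporters` options ties the ntfy-sh exporter default to the gotosocial service rather than to ntfy-sh, so a host running only gotosocial will try to scrape ntfy metrics and a host running only ntfy-sh will not be scraped by default; it should read `ntfy-sh.enable = mkExporterOption config.services.ntfy-sh.enable;`. The same line survives unchanged as context in the default.nix hunk of patch 109. `mkRulesOption` also declares `ruleModules` without a `default`; this appears safe today only because this file always defines it under the same `mkIf cfg.enable` that reads it, and `default = [ ];` would remove that coupling for the sub-modules that merge into it.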
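Review bot: The `gotosocial` scrape job hard-codes `"localhost:8080"`, whereas the job it replaces in the deleted modules/nixos/prometheus.nix derived the target from `config.services.gotosocial.settings.port`; if the port is ever changed in the service settings the scrape will silently break. Restore `{ targets = [ "localhost:${toString config.services.gotosocial.settings.port}" ]; }` so the target follows the service configuration.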
@@ -0,0 +1,17 @@ +{ config, lib, ... }: +let + cfg = config.custom.prometheus; +in +{ + config = lib.mkIf cfg.enable { + services.ntfy-sh.settings.enable-metrics = true; + services.prometheus.scrapeConfigs = [ + (lib.mkIf cfg.exporters.ntfy-sh.enable { + job_name = "ntfy-sh"; + static_configs = [ + { targets = [ "ntfy.xinyang.life" ]; } + ]; + }) + ]; + }; +} diff --git a/modules/nixos/prometheus/restic.nix b/modules/nixos/prometheus/restic.nix new file mode 100644 index 0000000..80f0316 --- /dev/null +++ b/modules/nixos/prometheus/restic.nix @@ -0,0 +1,41 @@ +{ config, lib, ... }: +let + cfg = config.custom.prometheus; +in +{ + config = lib.mkIf cfg.enable { + services.restic.server.prometheus = true; + + services.prometheus.scrapeConfigs = [ + (lib.mkIf cfg.exporters.restic.enable { + job_name = "restic"; + static_configs = [ + { targets = [ config.services.restic.server.listenAddress ]; } + ]; + }) + ]; + + custom.prometheus.ruleModules = [ + (lib.mkIf cfg.exporters.restic.enable { + name = "restic_alerts"; + rules = [ + { + alert = "ResticCheckFailed"; + expr = "restic_check_success == 0"; + for = "5m"; + labels = { severity = "critical"; }; + annotations = { summary = "Restic check failed (instance {{ $labels.instance }})"; description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; + } + { + alert = "ResticOutdatedBackup"; + expr = "time() - restic_backup_timestamp > 518400"; + for = "0m"; + labels = { severity = "critical"; }; + annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; + } + ]; + }) + ]; + }; + +} From daeeb211a2acc03872419ab0d623475c72f27f80 Mon Sep 17 00:00:00 2001 
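Review bot: `services.ntfy-sh.settings.enable-metrics = true;` without a `metrics-listen-http` setting makes ntfy serve `/metrics` on its main listener, and the scrape target `"ntfy.xinyang.life"` confirms the job relies on that — so ntfy's internal counters are reachable through the public vhost, and the scrape itself goes over plain HTTP to a public hostname (no `scheme = "https"` is set). Prefer `metrics-listen-http = "127.0.0.1:<metrics-port>";` and scrape that address locally; this assumes Prometheus and ntfy share a host, which the unix-socket setup in patch 107 suggests. The `enable-metrics` line is also applied whenever `cfg.enable` is true, not only when `cfg.exporters.ntfy-sh.enable` is, unlike the scrape job next to it.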
From: xinyangli Date: Wed, 31 Jul 2024 15:37:42 +0800 Subject: [PATCH 109/136] modules/prometheus: add blackbox exporter --- modules/nixos/prometheus/blackbox.nix | 83 +++++++++++++++++++++++++ modules/nixos/prometheus/caddy.nix | 10 +-- modules/nixos/prometheus/default.nix | 10 ++- modules/nixos/prometheus/gotosocial.nix | 4 +- modules/nixos/prometheus/ntfy-sh.nix | 6 +- modules/nixos/prometheus/restic.nix | 6 +- 6 files changed, 105 insertions(+), 14 deletions(-) create mode 100644 modules/nixos/prometheus/blackbox.nix diff --git a/modules/nixos/prometheus/blackbox.nix b/modules/nixos/prometheus/blackbox.nix new file mode 100644 index 0000000..7886b06 --- /dev/null +++ b/modules/nixos/prometheus/blackbox.nix 
@@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.custom.prometheus; +in +{ + config = lib.mkIf (cfg.enable && cfg.exporters.blackbox.enable) { + services.prometheus.exporters.blackbox = { + enable = true; + listenAddress = "127.0.0.1"; + configFile = pkgs.writeText "blackbox.config.yaml" ( + lib.generators.toYAML {} { + modules = { + tcp4_connect = { + prober = "tcp"; + tcp = { + ip_protocol_fallback = false; + preferred_ip_protocol = "ip4"; + tls = false; + }; + timeout = "15s"; + }; + }; + } + ); + }; + + services.prometheus.scrapeConfigs = [ + { + job_name = "blackbox"; + scrape_interval = "1m"; + metrics_path = "/probe"; + params = { + module = [ "tcp4_connect" ]; + }; + static_configs = [ + { + targets = [ + "tok-00.namely.icu:8080" + "la-00.video.namely.icu:8080" + "auth.xinyang.life:443" + "home.xinyang.life:8000" + ]; + } + ]; + relabel_configs = [ + { + source_labels = [ "__address__" ]; + target_label = "__param_target"; + } + { + source_labels = [ "__param_target" ]; + target_label = "instance"; + } + { + target_label = "__address__"; + replacement = "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}"; + } + ]; + } + { + job_name = "blackbox_exporter"; + static_configs = [ + { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}" ]; } + ]; + } + ]; + + custom.prometheus.ruleModules = [ + { + name = "probe_alerts"; + rules = [ + { + alert = "HighProbeLatency"; + expr = "probe_duration_seconds > 0.5"; + for = "2m"; + labels = { severity = "warning"; }; + annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; + } + ]; + } + ]; + }; +} diff --git a/modules/nixos/prometheus/caddy.nix b/modules/nixos/prometheus/caddy.nix index a62b639..d35049b 100644 --- a/modules/nixos/prometheus/caddy.nix +++ b/modules/nixos/prometheus/caddy.nix 
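Review bot: The `probe_alerts` group only alerts on `probe_duration_seconds > 0.5`; there is no rule on `probe_success == 0`, which is the condition the TCP probes of the four listed hosts exist to detect, and the `JobDown` rule on `up` added to default.nix in this commit only covers the exporter itself, not the probed targets. Add a rule along the lines of `alert = "ProbeFailed"; expr = "probe_success == 0"; for = "5m";` with `severity = "critical"`. The `HighProbeLatency` annotations were copied from the Caddy rule and talk about a 95th percentile of request latency, which does not describe `probe_duration_seconds`; `description = "TCP probe of {{ $labels.instance }} took longer than 0.5s for the last 2 minutes.";` fits the expression.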
@@ -3,7 +3,7 @@ let cfg = config.custom.prometheus; in { - config = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && cfg.exporters.caddy.enable) { services.caddy.globalConfig = lib.mkIf cfg.exporters.caddy.enable '' servers { metrics @@ -11,16 +11,16 @@ in ''; services.prometheus.scrapeConfigs = [ - (lib.mkIf cfg.exporters.caddy.enable { + { job_name = "caddy"; static_configs = [ { targets = [ "127.0.0.1:2019" ]; } ]; - }) + } ]; custom.prometheus.ruleModules = [ - (lib.mkIf cfg.exporters.caddy.enable { + { name = "caddy_alerts"; rules = [ { @@ -38,7 +38,7 @@ in annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; } ]; - }) + } ]; }; diff --git a/modules/nixos/prometheus/default.nix b/modules/nixos/prometheus/default.nix index 803b9aa..c0f0a70 100644 --- a/modules/nixos/prometheus/default.nix +++ b/modules/nixos/prometheus/default.nix @@ -4,7 +4,6 @@ with lib; let cfg = config.custom.prometheus; - exporterCfg = config.custom.prometheus.exporters; mkExporterOption = enableOption: (mkOption { type = types.bool; default = enableOption; @@ -26,6 +25,7 @@ let in { imports = [ + ./blackbox.nix ./caddy.nix ./gotosocial.nix ./ntfy-sh.nix @@ -43,6 +43,7 @@ in }; restic.enable = mkExporterOption config.services.restic.server.enable; + blackbox.enable = mkExporterOption false; caddy.enable = mkExporterOption config.services.caddy.enable; gotosocial.enable = mkExporterOption config.services.gotosocial.enable; ntfy-sh.enable = mkExporterOption config.services.gotosocial.enable; @@ -187,6 +188,13 @@ in labels = { severity = "critical"; }; annotations = { summary = "Outbound network traffic exceed 300GB for last 30 day"; }; } + { + alert = "JobDown"; + expr = "up == 0"; + for = "1m"; + labels = { severity = "critical"; }; + annotations = { summary = "Job {{ $labels.job }} down for 1m."; }; + } ]; } ]; 
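Review bot: With the `config` guard changed to `lib.mkIf (cfg.enable && cfg.exporters.caddy.enable)` in the first caddy.nix hunk, the inner `lib.mkIf cfg.exporters.caddy.enable` left on `services.caddy.globalConfig` is redundant — the two other inner `mkIf` wrappers in this file are dropped in the same commit, and `gotosocial.nix`, `ntfy-sh.nix` and `restic.nix` below get the same treatment. Drop it for consistency: `services.caddy.globalConfig = ''`. The `metrics` server option it enables is served from Caddy's admin endpoint on `127.0.0.1:2019`, which the scrape job relies on; a one-line comment saying so would explain the otherwise magic port.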
diff --git a/modules/nixos/prometheus/gotosocial.nix b/modules/nixos/prometheus/gotosocial.nix index 4870e88..a643d19 100644 --- a/modules/nixos/prometheus/gotosocial.nix +++ b/modules/nixos/prometheus/gotosocial.nix @@ -3,8 +3,8 @@ let cfg = config.custom.prometheus; in { - config = lib.mkIf cfg.exporters.gotosocial.enable { - services.gotosocial.settings = lib.mkIf cfg.exporters.gotosocial.enable { + config = lib.mkIf (cfg.enable && cfg.exporters.gotosocial.enable) { + services.gotosocial.settings = { metrics-enabled = true; }; services.prometheus.scrapeConfigs = [ diff --git a/modules/nixos/prometheus/ntfy-sh.nix b/modules/nixos/prometheus/ntfy-sh.nix index 35d62ff..513f130 100644 --- a/modules/nixos/prometheus/ntfy-sh.nix +++ b/modules/nixos/prometheus/ntfy-sh.nix @@ -3,15 +3,15 @@ let cfg = config.custom.prometheus; in { - config = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && cfg.exporters.ntfy-sh.enable) { services.ntfy-sh.settings.enable-metrics = true; services.prometheus.scrapeConfigs = [ - (lib.mkIf cfg.exporters.ntfy-sh.enable { + { job_name = "ntfy-sh"; static_configs = [ { targets = [ "ntfy.xinyang.life" ]; } ]; - }) + } ]; }; } diff --git a/modules/nixos/prometheus/restic.nix b/modules/nixos/prometheus/restic.nix index 80f0316..750b61a 100644 --- a/modules/nixos/prometheus/restic.nix +++ b/modules/nixos/prometheus/restic.nix @@ -3,7 +3,7 @@ let cfg = config.custom.prometheus; in { - config = lib.mkIf cfg.enable { + config = lib.mkIf (cfg.enable && cfg.exporters.restic.enable) { services.restic.server.prometheus = true; services.prometheus.scrapeConfigs = [ @@ -16,7 +16,7 @@ in ]; custom.prometheus.ruleModules = [ - (lib.mkIf cfg.exporters.restic.enable { + { name = "restic_alerts"; rules = [ { 
@@ -34,7 +34,7 @@ in annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; } ]; - }) + } ]; }; From 428a9651d8560f6b8679b022a615df5effed6c47 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 31 Jul 2024 15:38:24 +0800 Subject: [PATCH 110/136] massicot,calcite: enable blackbox exporter and probes --- machines/calcite/configuration.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 4b35351..03f1801 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -265,6 +265,11 @@ custom.forgejo-actions-runner.enable = true; custom.forgejo-actions-runner.tokenFile = config.sops.secrets.gitea_env.path; + custom.prometheus = { + enable = true; + exporters.blackbox.enable = true; + }; + # MTP support services.gvfs.enable = true; From ddc755632463c875df7196ad1aa7b26361eba215 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 31 Jul 2024 15:39:32 +0800 Subject: [PATCH 111/136] massicot,dolomite,calcite: enable blackbox exporter and probes --- machines/dolomite/default.nix | 6 +----- machines/massicot/services.nix | 6 +----- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 3965655..9bdb8e0 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -45,11 +45,7 @@ in custom.prometheus = { enable = false; - exporters.enable = false; - grafana = { - enable = false; - password_file = config.sops.secrets.grafana_cloud_api.path; - }; + exporters.blackbox.enable = true; }; custom.kanidm-client = { diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index f7c9b6b..d5d5c13 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
@@ -28,11 +28,7 @@ in custom.prometheus = { enable = true; - exporters.enable = true; - grafana = { - enable = true; - password_file = config.sops.secrets.grafana_cloud_api.path; - }; + exporters.blackbox.enable = true; }; systemd.mounts = map (share: { From ced05f99fcbab5516138d6f86dccfff389a5ba6c Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 1 Aug 2024 17:01:53 +0800 Subject: [PATCH 112/136] prometheus: enable every where --- flake.lock | 36 ++++++------- machines/dolomite/default.nix | 6 ++- machines/massicot/default.nix | 3 ++ machines/massicot/kanidm-provision.nix | 36 ++++++++++++- machines/massicot/secrets.yaml | 7 +-- machines/massicot/services.nix | 73 ++++++++++++++++++++------ machines/weilite/default.nix | 4 ++ modules/nixos/prometheus/caddy.nix | 7 --- modules/nixos/prometheus/default.nix | 2 + modules/nixos/prometheus/immich.nix | 26 +++++++++ 10 files changed, 154 insertions(+), 46 deletions(-) create mode 100644 modules/nixos/prometheus/immich.nix diff --git a/flake.lock b/flake.lock index 70b6d93..d78098f 100644 --- a/flake.lock +++ b/flake.lock @@ -99,11 +99,11 @@ ] }, "locked": { - "lastModified": 1722203588, - "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=", + "lastModified": 1722462338, + "narHash": "sha256-ss0G8t8RJVDewA3MyqgAlV951cWRK6EtVhVKEZ7J5LU=", "owner": "nix-community", "repo": "home-manager", - "rev": "792757f643cedc13f02098d8ed506d82e19ec1da", + "rev": "6e090576c4824b16e8759ebca3958c5b09659ee8", "type": "github" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1722302960, - "narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=", + "lastModified": 1722476581, + "narHash": "sha256-dCNcvjaOTu+cPin3VUym9pglsghWYJe5oUpKTuAgiiU=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66", + "rev": "1fe57eaf074d28246ec310486fe3db4ae44d0451", "type": "github" }, "original": { 
@@ -158,11 +158,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1722278305, - "narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=", + "lastModified": 1722332872, + "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "eab049fe178c11395d65a858ba1b56461ba9652d", + "rev": "14c333162ba53c02853add87a0000cbd7aa230c2", "type": "github" }, "original": { @@ -174,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722307517, - "narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=", + "lastModified": 1722489601, + "narHash": "sha256-sB37J92AwEcmzg0GgxdI1TU6M+psUpbo0iYLFJBmsfo=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34", + "rev": "eee3d54e62749dfd0f263e3903ca0ec1ebdbe72b", "type": "github" }, "original": { @@ -190,11 +190,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1722087241, - "narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=", + "lastModified": 1722221733, + "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8c50662509100d53229d4be607f1a3a31157fa12", + "rev": "12bf09802d77264e441f48e25459c10c93eada2e", "type": "github" }, "original": { @@ -222,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1722309060, - "narHash": "sha256-lJ5auEUvSI0H0GwW5yWLgizvJ2A+N4aL2u2Xqa6JVCc=", + "lastModified": 1722485061, + "narHash": "sha256-opkrX6noshjk2V3PKBiksA8+M6K7cu3EuiuAWL04pNs=", "owner": "nix-community", "repo": "NUR", - "rev": "e491266f3f0e1fee7709c4d3d68130b5500dcd46", + "rev": "3bf06551d5922d420607091f5a3321e712ece307", "type": "github" }, "original": { diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 9bdb8e0..3a5406f 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix 
@@ -44,7 +44,7 @@ in networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); custom.prometheus = { - enable = false; + enable = true; exporters.blackbox.enable = true; }; @@ -161,6 +161,10 @@ in outbound = "dns-out"; protocol = "dns"; } + { + inbound = "sg0"; + outbound = "direct"; + } { inbound = "sg4"; outbound = "direct"; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 56cbfe5..2e7597f 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -25,6 +25,9 @@ owner = "prometheus"; sopsFile = ../secrets.yaml; }; + grafana_oauth_secret = { + owner = "grafana"; + }; }; }; diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 9eb10dd..3bbf1ca 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -18,7 +18,19 @@ members = [ "xin" ]; }; immich-users = { - members = [ "xin" "zhuo" ]; + members = [ "xin" "zhuo" "ycm" ]; + }; + grafana-superadmins = { + members = [ "xin" ]; + }; + grafana-admins = { + members = [ "xin" ]; + }; + grafana-editors = { + members = [ "xin" ]; + }; + grafana-users = { + members = [ "xin" ]; }; }; persons = { @@ -31,6 +43,11 @@ displayName = "Zhuo"; mailAddresses = [ "13681104320@163.com" ]; }; + + ycm = { + displayName = "Chunming"; + mailAddresses = [ "chunmingyou@gmail.com" ]; + }; }; systems.oauth2 = { forgejo = { @@ -75,5 +92,22 @@ immich-users = [ "openid" "email" "profile" ]; }; }; + grafana = { + displayName = "Grafana"; + originUrl = "https://grafana.xinyang.life/"; + scopeMaps = { + grafana-users = [ "openid" "email" "profile" "groups" ]; + }; + claimMaps = { + grafana_role = { + joinType = "array"; + valuesByGroup = { + grafana-superadmins = [ "GrafanaAdmin" ]; + grafana-admins = [ "Admin" ]; + grafana-editors = [ "Editor" ]; + }; + }; + }; + }; }; } \ No newline at end of file 
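Review bot: The new `grafana` OAuth2 client in `kanidm-provision.nix` has a `scopeMaps` entry only for `grafana-users`, while `grafana-superadmins`, `grafana-admins` and `grafana-editors` appear only under `claimMaps`; if Kanidm refuses users who match no scope map, as I believe it does, a person added to a role group but not to `grafana-users` cannot log in at all, and the `grafana_role` claim is only ever emitted for users who are also in `grafana-users`. That coupling is not visible from the file, so document it above `grafana = {`: `# grafana-users grants login; the grafana-* role groups only feed the grafana_role claim read by Grafana's role_attribute_path`. The `groups` and `persons` sets this hunk extends begin outside the hunk.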
diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index 5e5d0fe..c1dbf8e 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml @@ -1,6 +1,7 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str] hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] +grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -25,8 +26,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-22T08:05:27Z" - mac: ENC[AES256_GCM,data:CiXU49arW+3w4/Lkh4l+6VjopyP7XNCU4AmuwZmnmQ7Vv4RCt84fC6lM6o4HiCc5jB07QY+2WZ5LvWz9zgSt636UpnCMgbG1w2Lxae38fW02RHJv90rn+cyyddB5kSucr5/P5NKBOZut54Cf4zVW9BaqajpQMxe4hEOn+xXpXz8=,iv:beWRlUvb6OUOK+mUXdvpvmM8S7xK0QIkIA2Bk9QA35c=,tag:KrBXqsAdBAhtwygdEHnUqQ==,type:str] + lastmodified: "2024-07-31T09:24:12Z" + mac: ENC[AES256_GCM,data:/TIuK0O0e3Kkb9yjVE4GEPLRRFo1wQEzfcuCcX/hS4eGSgVPu8p52meEzVW7Z9GLiKsmgSW+L5fW4k+kXGcOfKr1BarjfHa0pGcfoW/gb8BV2TFmX9rQk9ioh5m5NT97pv5KgrpPIU+HjUEe5ORebVZh5sW/R3Vh3PCyagINcIs=,iv:mU4P7BUnMjA/hIhX9SUImOuazoccPdnmeNIPGJUXaLw=,tag:EMXAVLgFZk3Mgv2O1rgibg==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index d5d5c13..2db1118 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -1,4 +1,4 @@ -{ config, pkgs, inputs, ... }: +{ config, pkgs, ... }: let kanidm_listen_port = 5324; in 
@@ -31,15 +31,16 @@ in exporters.blackbox.enable = true; }; - systemd.mounts = map (share: { - what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; - where = "/mnt/storage/${share}"; - type = "cifs"; - options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; - before = [ "${share}.service" ]; - after = [ "cachefilesd.service" ]; - wantedBy = [ "${share}.service" ]; - }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ]; + systemd.mounts = map + (share: { + what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; + where = "/mnt/storage/${share}"; + type = "cifs"; + options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; + before = [ "${share}.service" ]; + after = [ "cachefilesd.service" ]; + wantedBy = [ "${share}.service" ]; + }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ]; services.cachefilesd.enable = true; @@ -53,9 +54,9 @@ in security.acme = { acceptTerms = true; certs."auth.xinyang.life" = { - email = "lixinyang411@gmail.com"; - listenHTTP = "127.0.0.1:1360"; - group = "kanidm"; + email = "lixinyang411@gmail.com"; + listenHTTP = "127.0.0.1:1360"; + group = "kanidm"; }; }; 
@@ -162,6 +163,38 @@ in }; }; + services.grafana = { + enable = true; + settings = { + server = { + http_addr = "127.0.0.1"; + http_port = 3003; + root_url = "https://grafana.xinyang.life"; + domain = "grafana.xinyang.life"; + }; + "auth.generic_oauth" = { + enabled = true; + name = "Kanidm"; + client_id = "grafana"; + scopes = "openid,profile,email,groups"; + auth_url = "https://auth.xinyang.life/ui/oauth2"; + token_url = "https://auth.xinyang.life/oauth2/token"; + api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo"; + use_pkce = true; + use_refresh_token = true; + allow_sign_up = true; + login_attribute_path = "preferred_username"; + groups_attribute_path = "groups"; + role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'"; + allow_assign_grafana_admin = true; + auto_login = true; + }; + "auth" = { disable_login_form = true; }; + }; + }; + + systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.secrets.grafana_oauth_secret.path; + users.users.git = { isSystemUser = true; useDefaultShell = true; @@ -192,9 +225,9 @@ in virtualHosts."https://git.xinyang.life:443".extraConfig = '' reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} ''; - + virtualHosts."http://auth.xinyang.life:80".extraConfig = '' - reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} + reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} ''; virtualHosts."https://auth.xinyang.life".extraConfig = '' reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { @@ -205,7 +238,7 @@ in } } ''; - virtualHosts."https://ntfy.xinyang.life".extraConfig = '' + virtualHosts."https://ntfy.xinyang.life".extraConfig = '' reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix} @httpget { protocol http 
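Review bot: `"auth" = { disable_login_form = true; };` together with `auto_login = true` leaves Grafana with no local login path, so an outage or misconfiguration of the provider behind `auth_url`/`token_url` locks out every administrator including the built-in admin, and `allow_assign_grafana_admin = true` additionally lets an IdP claim confer server-admin rights. Either keep the form reachable (`disable_login_form = false`) or record the recovery path next to it, e.g. `# break-glass: login form disabled; recover with grafana-cli admin reset-admin-password on the host`. The OAuth client secret is presumably delivered through `grafana_oauth_secret` as `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET`; a comment on the `systemd.services.grafana.serviceConfig.EnvironmentFile` line naming the variable the file must define would save the next reader a guess. `"auth"` is quoted while `server` is not; use one style for the section keys.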
@@ -214,5 +247,13 @@ in } redir @httpget https://{host}{uri} ''; + + virtualHosts."https://grafana.xinyang.life".extraConfig = + let + grafanaSettings = config.services.grafana.settings.server; + in + '' + reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port} + ''; }; } diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 0f6bf18..0ad8822 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -42,6 +42,10 @@ with lib; }; }; + custom.prometheus = { + enable = true; + }; + systemd.mounts = [ { what = "immich"; where = "/mnt/XinPhotos/immich"; diff --git a/modules/nixos/prometheus/caddy.nix b/modules/nixos/prometheus/caddy.nix index d35049b..96b7f43 100644 --- a/modules/nixos/prometheus/caddy.nix +++ b/modules/nixos/prometheus/caddy.nix @@ -30,13 +30,6 @@ in labels = { severity = "critical"; }; annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; }; } - { - alert = "HighRequestLatency"; - expr = "histogram_quantile(0.95, rate(caddy_http_request_duration_seconds_bucket[10m])) > 5"; - for = "2m"; - labels = { severity = "warning"; }; - annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; - } ]; } ]; diff --git a/modules/nixos/prometheus/default.nix b/modules/nixos/prometheus/default.nix index c0f0a70..8c43908 100644 --- a/modules/nixos/prometheus/default.nix +++ b/modules/nixos/prometheus/default.nix @@ -28,6 +28,7 @@ in ./blackbox.nix ./caddy.nix ./gotosocial.nix + ./immich.nix ./ntfy-sh.nix ./restic.nix ]; 
@@ -46,6 +47,7 @@ in blackbox.enable = mkExporterOption false; caddy.enable = mkExporterOption config.services.caddy.enable; gotosocial.enable = mkExporterOption config.services.gotosocial.enable; + immich.enable = mkExporterOption config.services.immich.enable; ntfy-sh.enable = mkExporterOption config.services.gotosocial.enable; }; grafana = { diff --git a/modules/nixos/prometheus/immich.nix b/modules/nixos/prometheus/immich.nix new file mode 100644 index 0000000..095075d --- /dev/null +++ b/modules/nixos/prometheus/immich.nix @@ -0,0 +1,26 @@ +{ config, lib, ... }: +let + cfg = config.custom.prometheus; + immichEnv = config.services.immich.environment; + metricPort = + if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv + then immichEnv.IMMICH_API_METRICS_PORT + else 8081; +in +{ + config = lib.mkIf (cfg.enable && cfg.exporters.immich.enable) { + services.immich.environment = { + IMMICH_METRICS = "true"; + }; + + services.prometheus.scrapeConfigs = [ + { + job_name = "immich"; + static_configs = [ + { targets = [ "127.0.0.1:${toString metricPort}" ]; } + ]; + } + ]; + }; + +} From 0743f745277614b4f7643d0b17f4ca1818df0ddf Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 4 Aug 2024 15:25:18 +0800 Subject: [PATCH 113/136] modules/nix-conf: fix mirror priority settings --- modules/nixos/common-settings/nix-conf.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/common-settings/nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix index 9d7f31e..f24dfc9 100644 --- a/modules/nixos/common-settings/nix-conf.nix +++ b/modules/nixos/common-settings/nix-conf.nix @@ -43,8 +43,8 @@ in ]; extra-substituters = mkIf cfg.enableMirrors [ - "https://mirrors.bfsu.edu.cn/nix-channels/store" - "https://mirrors.ustc.edu.cn/nix-channels/store" + "https://mirrors.bfsu.edu.cn/nix-channels/store?priority=100" + "https://mirrors.ustc.edu.cn/nix-channels/store?priority=100" ]; trusted-public-keys = [ 
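Review bot: Directly below the added `immich.enable = mkExporterOption config.services.immich.enable;` the context line `ntfy-sh.enable = mkExporterOption config.services.gotosocial.enable;` ties the ntfy-sh exporter default to gotosocial's enable flag; it is pre-existing, but it looks like a copy-paste slip and this hunk is the natural place to correct it: `ntfy-sh.enable = mkExporterOption config.services.ntfy-sh.enable;`. With the current value a host running ntfy-sh without gotosocial gets no ntfy-sh scrape job by default, and a host running gotosocial without ntfy-sh gets a scrape job for a service that is not there.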
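Review bot: In the new `modules/nixos/prometheus/immich.nix`, `metricPort = if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv then immichEnv.IMMICH_API_METRICS_PORT else 8081;` is the long form of Nix's `or` operator; `metricPort = immichEnv.IMMICH_API_METRICS_PORT or 8081;` is equivalent and easier to read. The module carries no comment on why `8081` is the fallback or on what `IMMICH_METRICS = "true"` switches on beyond the API server, so a header such as `# Scrapes the Immich API metrics endpoint; 8081 is the default IMMICH_API_METRICS_PORT when the environment does not override it` would help. Whether Immich binds that metrics listener to loopback only is not visible here and is worth confirming, since the target hard-codes `127.0.0.1` but the exposure of the port depends on the listener, not the scrape target.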
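Review bot: In `modules/nixos/common-settings/nix-conf.nix`, `?priority=100` ranks the mirrors below the default cache, because Nix consults substituters in ascending priority and cache.nixos.org advertises 40; if "fix mirror priority" means the mirrors should be tried first, the value has to be below 40 (e.g. `?priority=10`), and if they are meant as fallback only, the current value is right and a comment saying so would stop the next reader from flipping it. Either way the mirrors can only serve paths signed by a key in `trusted-public-keys`, so the ordering is a performance choice rather than a trust one. The `extra-substituters` list sits inside a `mkIf cfg.enableMirrors` whose enclosing set starts outside the hunk.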
From 9ffc2ad23db09ade01c612a34365addba8e67d3e Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 5 Aug 2024 09:57:11 +0800 Subject: [PATCH 114/136] massicot/miniflux: added with kanidm provision --- flake.lock | 24 ++++++++++++------------ machines/massicot/default.nix | 17 ++++++++++------- machines/massicot/kanidm-provision.nix | 14 ++++++++++++-- machines/massicot/services.nix | 22 +++++++++++++++++++++- 4 files changed, 55 insertions(+), 22 deletions(-) diff --git a/flake.lock b/flake.lock index d78098f..00dfea1 100644 --- a/flake.lock +++ b/flake.lock @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1722476581, - "narHash": "sha256-dCNcvjaOTu+cPin3VUym9pglsghWYJe5oUpKTuAgiiU=", + "lastModified": 1722562293, + "narHash": "sha256-JLhM5xSbx5Isjyfz8+WhCfJ9hgEJ4VYRivTOANYZVWM=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "1fe57eaf074d28246ec310486fe3db4ae44d0451", + "rev": "2056dac5adce82433b1dae711868b1c22e5ed07e", "type": "github" }, "original": { @@ -174,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722489601, - "narHash": "sha256-sB37J92AwEcmzg0GgxdI1TU6M+psUpbo0iYLFJBmsfo=", + "lastModified": 1722578639, + "narHash": "sha256-yge4OI8r8JBFtoajezauguXwYJ7M+Enwb3ZGbJF4YKA=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "eee3d54e62749dfd0f263e3903ca0ec1ebdbe72b", + "rev": "4c71f761584bd9f9a4c4ba090c353c7f3e65c430", "type": "github" }, "original": { @@ -190,11 +190,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1722221733, - "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", + "lastModified": 1722372011, + "narHash": "sha256-B2xRiC3NEJy/82ugtareBkRqEkPGpMyjaLxaR8LBxNs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "12bf09802d77264e441f48e25459c10c93eada2e", + "rev": "cf05eeada35e122770c5c14add958790fcfcbef5", "type": "github" }, "original": { 
@@ -222,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1722485061, - "narHash": "sha256-opkrX6noshjk2V3PKBiksA8+M6K7cu3EuiuAWL04pNs=", + "lastModified": 1722577920, + "narHash": "sha256-+Nilyq9pr3f13pNqE3UaJ/zxB69fQ8MmkA5xu6oYtIs=", "owner": "nix-community", "repo": "NUR", - "rev": "3bf06551d5922d420607091f5a3321e712ece307", + "rev": "a3f8a8853ee2e17c2efd5a33a5c91c1d79bc9c49", "type": "github" }, "original": { diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 2e7597f..ab45a34 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -7,7 +7,7 @@ ./networking.nix ./services.nix ]; - + sops = { defaultSopsFile = ./secrets.yaml; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; @@ -28,6 +28,9 @@ grafana_oauth_secret = { owner = "grafana"; }; + miniflux_oauth_secret = { + owner = "miniflux"; + }; }; }; @@ -42,7 +45,7 @@ fileSystems."/mnt/storage" = { device = "//u380335-sub1.your-storagebox.de/u380335-sub1"; fsType = "cifs"; - options = ["credentials=${config.sops.secrets.storage_box_mount.path}"]; + options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ]; }; environment.systemPackages = with pkgs; [ @@ -51,7 +54,7 @@ ]; system.stateVersion = "22.11"; - + networking = { hostName = "massicot"; }; @@ -67,9 +70,9 @@ }; security.sudo = { - execWheelOnly = true; - wheelNeedsPassword = false; - }; + execWheelOnly = true; + wheelNeedsPassword = false; + }; services.openssh = { enable = true; @@ -83,6 +86,6 @@ }; services.fail2ban.enable = true; programs.mosh.enable = true; - + systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; } diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 3bbf1ca..374fb69 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix 
@@ -32,13 +32,16 @@ grafana-users = { members = [ "xin" ]; }; + miniflux-users = { + members = [ "xin" ]; + }; }; persons = { xin = { displayName = "Xinyang Li"; mailAddresses = [ "lixinyang411@gmail.com" ]; }; - + zhuo = { displayName = "Zhuo"; mailAddresses = [ "13681104320@163.com" ]; @@ -92,6 +95,13 @@ immich-users = [ "openid" "email" "profile" ]; }; }; + miniflux = { + displayName = "Miniflux"; + originUrl = "https://rss.xinyang.life/"; + scopeMaps = { + miniflux-users = [ "openid" "email" "profile" ]; + }; + }; grafana = { displayName = "Grafana"; originUrl = "https://grafana.xinyang.life/"; @@ -110,4 +120,4 @@ }; }; }; -} \ No newline at end of file +} diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 2db1118..b16d42d 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let kanidm_listen_port = 5324; in @@ -85,6 +85,21 @@ in }; provision = import ./kanidm-provision.nix; }; + + services.miniflux = { + enable = true; + config = { + LISTEN_ADDR = "127.0.0.1:58173"; + OAUTH2_PROVIDER = "oidc"; + OAUTH2_CLIEND_ID = "miniflux"; + OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback"; + OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux"; + OAUTH2_USER_CREATION = 1; + CREATE_ADMIN = lib.mkForce ""; + }; + adminCredentialsFile = config.sops.secrets.miniflux_oauth_secret; + }; + services.matrix-conduit = { enable = true; # package = inputs.conduit.packages.${pkgs.system}.default; @@ -238,6 +253,11 @@ in } } ''; + + virtualHosts."https://rss.xinyang.life".extraConfig = '' + reverse_proxy ${config.services.miniflux.config.LISTEN_ADDR} + ''; + virtualHosts."https://ntfy.xinyang.life".extraConfig = '' reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix} @httpget { From 9d44f6eb07cb2d2129b84f5c3fd613a953dd7177 Mon Sep 17 00:00:00 2001 
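Review bot: In `services.nix`, `OAUTH2_CLIEND_ID = "miniflux";` is misspelled, so Miniflux never receives a client id (it reads `OAUTH2_CLIENT_ID`), and `adminCredentialsFile = config.sops.secrets.miniflux_oauth_secret;` passes the sops option set instead of its `.path`, to an option that expects an admin username/password file rather than the OAuth client secret. Fix the key as `OAUTH2_CLIENT_ID = "miniflux";` and deliver the client secret through Miniflux's `OAUTH2_CLIENT_SECRET` setting from a file the service user can read, not via `adminCredentialsFile`. `OAUTH2_USER_CREATION = 1` creates a Miniflux user for any account the provider authenticates, so access control rests entirely on the `miniflux-users` scope map in the Kanidm provisioning hunk above; a comment saying so next to that line would make the dependency explicit.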
From: xinyangli Date: Mon, 5 Aug 2024 10:52:54 +0800 Subject: [PATCH 115/136] modules/miniflux: handle oauth2 secret with LoadCredential --- machines/massicot/default.nix | 4 +--- machines/massicot/secrets.yaml | 5 +++-- machines/massicot/services.nix | 6 +++--- modules/nixos/default.nix | 1 + modules/nixos/miniflux.nix | 36 ++++++++++++++++++++++++++++++++++ 5 files changed, 44 insertions(+), 8 deletions(-) create mode 100644 modules/nixos/miniflux.nix diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index ab45a34..06f9fcf 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -28,9 +28,7 @@ grafana_oauth_secret = { owner = "grafana"; }; - miniflux_oauth_secret = { - owner = "miniflux"; - }; + "miniflux/oauth2_secret" = { }; }; }; diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index c1dbf8e..64dee73 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml @@ -2,6 +2,7 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str] hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str] +miniflux: ENC[AES256_GCM,data:26/dYh3jrcqIxmo2WSy1tz54BQQAQg==,iv:yv7dS/RcsitYb/7firhr5lcy1TUDMuFRpwk6WaPHOKk=,tag:FdJcvBCL96GqG3uB41i6Ng==,type:str] sops: kms: [] gcp_kms: [] 
@@ -26,8 +27,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-31T09:24:12Z" - mac: ENC[AES256_GCM,data:/TIuK0O0e3Kkb9yjVE4GEPLRRFo1wQEzfcuCcX/hS4eGSgVPu8p52meEzVW7Z9GLiKsmgSW+L5fW4k+kXGcOfKr1BarjfHa0pGcfoW/gb8BV2TFmX9rQk9ioh5m5NT97pv5KgrpPIU+HjUEe5ORebVZh5sW/R3Vh3PCyagINcIs=,iv:mU4P7BUnMjA/hIhX9SUImOuazoccPdnmeNIPGJUXaLw=,tag:EMXAVLgFZk3Mgv2O1rgibg==,type:str] + lastmodified: "2024-08-05T02:36:03Z" + mac: ENC[AES256_GCM,data:VD2tlgzwUujeuvO1SX4TBvJPyAQUKroZZ6KjJHwWvx/nOS/MfZQshuccP3QofHMKdBfSal22WVuxTzmzVCWv870/EOVKr3Tw1vAEpidDOLwmKHp6GrJXh5ReKg00j2yHgClsjetSMCQfaWmrO11Wa2UjS9+XDRMCQZ2sw2qbUtI=,iv:5kMwdTEeR7Dx0jfI4afeR88L1Sgij3S18KXGc77qzBU=,tag:4nKzV7vSX3T1b/HoAnCX8A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index b16d42d..7989aeb 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -86,9 +86,9 @@ in provision = import ./kanidm-provision.nix; }; - services.miniflux = { + custom.miniflux = { enable = true; - config = { + environment = { LISTEN_ADDR = "127.0.0.1:58173"; OAUTH2_PROVIDER = "oidc"; OAUTH2_CLIEND_ID = "miniflux"; @@ -97,7 +97,7 @@ in OAUTH2_USER_CREATION = 1; CREATE_ADMIN = lib.mkForce ""; }; - adminCredentialsFile = config.sops.secrets.miniflux_oauth_secret; + oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path; }; services.matrix-conduit = { diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 0b31ac1..3fe5855 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -12,5 +12,6 @@ ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge ./forgejo-actions-runner.nix ./oidc-agent.nix + ./miniflux.nix ]; } diff --git a/modules/nixos/miniflux.nix b/modules/nixos/miniflux.nix new file mode 100644 index 0000000..9fcb8ad --- /dev/null 
+++ b/modules/nixos/miniflux.nix @@ -0,0 +1,36 @@ +{ config, pkgs, lib, ... }: +let + inherit (lib) mkEnableOption mkOption types; + cfg = config.custom.miniflux; +in +{ + options = { + custom.miniflux = { + enable = mkEnableOption "miniflux"; + oauth2SecretFile = mkOption { + type = types.path; + }; + environmentFile = mkOption { + type = types.path; + default = "/dev/null"; + }; + environment = mkOption { + type = with types; attrsOf (oneOf [ int str ]); + }; + }; + }; + + config = lib.mkIf cfg.enable { + services.miniflux = { + enable = true; + adminCredentialsFile = cfg.environmentFile; + }; + systemd.services.miniflux = { + serviceConfig = { + LoadCredential = [ "oauth2_secret:${cfg.oauth2SecretFile}" ]; + EnvironmentFile = [ "%d/oauth2_secret" ]; + }; + environment = lib.mapAttrs (_: lib.mkForce) (lib.mapAttrs (_: toString) cfg.environment); + }; + }; +} From 1b2ed92211709c75c10cc13db67dc8496b986361 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 5 Aug 2024 13:39:53 +0800 Subject: [PATCH 116/136] massicot/secrets: fix ci --- flake.lock | 24 ++++++++++++------------ machines/massicot/default.nix | 4 +++- machines/massicot/secrets.yaml | 7 ++++--- 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index 00dfea1..d78098f 100644 --- a/flake.lock +++ b/flake.lock @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1722562293, - "narHash": "sha256-JLhM5xSbx5Isjyfz8+WhCfJ9hgEJ4VYRivTOANYZVWM=", + "lastModified": 1722476581, + "narHash": "sha256-dCNcvjaOTu+cPin3VUym9pglsghWYJe5oUpKTuAgiiU=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "2056dac5adce82433b1dae711868b1c22e5ed07e", + "rev": "1fe57eaf074d28246ec310486fe3db4ae44d0451", "type": "github" }, "original": { 
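Review bot: `environmentFile` (default `"/dev/null"`) is wired straight into `services.miniflux.adminCredentialsFile`, so its name does not say what it does, and none of the four options under `custom.miniflux` has a `description`; at minimum describe it, e.g. `description = "ADMIN_USERNAME/ADMIN_PASSWORD file handed to services.miniflux.adminCredentialsFile";`, and give `oauth2SecretFile` and `environment` descriptions as well. The `LoadCredential` plus `EnvironmentFile = [ "%d/oauth2_secret" ];` pairing is a sound way to hand a root-owned secret to the service without chowning it, but it only works when the file is in systemd `KEY=value` form, so state that on the option: `# must contain OAUTH2_CLIENT_SECRET=... in EnvironmentFile syntax`. `types.path` also accepts a store path, which would put the secret in the world-readable store; a comment that the value is expected to be a runtime path (as `services.nix` does with the sops `.path`) is worth adding. Leaving `adminCredentialsFile` at `/dev/null` with the upstream module enabled presumably explains the `CREATE_ADMIN = lib.mkForce ""` workaround in `services.nix`; handling that inside this module would let callers drop it.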
@@ -174,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722578639, - "narHash": "sha256-yge4OI8r8JBFtoajezauguXwYJ7M+Enwb3ZGbJF4YKA=", + "lastModified": 1722489601, + "narHash": "sha256-sB37J92AwEcmzg0GgxdI1TU6M+psUpbo0iYLFJBmsfo=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "4c71f761584bd9f9a4c4ba090c353c7f3e65c430", + "rev": "eee3d54e62749dfd0f263e3903ca0ec1ebdbe72b", "type": "github" }, "original": { @@ -190,11 +190,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1722372011, - "narHash": "sha256-B2xRiC3NEJy/82ugtareBkRqEkPGpMyjaLxaR8LBxNs=", + "lastModified": 1722221733, + "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cf05eeada35e122770c5c14add958790fcfcbef5", + "rev": "12bf09802d77264e441f48e25459c10c93eada2e", "type": "github" }, "original": { @@ -222,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1722577920, - "narHash": "sha256-+Nilyq9pr3f13pNqE3UaJ/zxB69fQ8MmkA5xu6oYtIs=", + "lastModified": 1722485061, + "narHash": "sha256-opkrX6noshjk2V3PKBiksA8+M6K7cu3EuiuAWL04pNs=", "owner": "nix-community", "repo": "NUR", - "rev": "a3f8a8853ee2e17c2efd5a33a5c91c1d79bc9c49", + "rev": "3bf06551d5922d420607091f5a3321e712ece307", "type": "github" }, "original": { diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 06f9fcf..ac3ba94 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -28,7 +28,9 @@ grafana_oauth_secret = { owner = "grafana"; }; - "miniflux/oauth2_secret" = { }; + "miniflux/oauth2_secret" = { + owner = "root"; + }; }; }; diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index 64dee73..fb88246 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml 
@@ -2,7 +2,8 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str] hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str] -miniflux: ENC[AES256_GCM,data:26/dYh3jrcqIxmo2WSy1tz54BQQAQg==,iv:yv7dS/RcsitYb/7firhr5lcy1TUDMuFRpwk6WaPHOKk=,tag:FdJcvBCL96GqG3uB41i6Ng==,type:str] +miniflux: + oauth2_secret: ENC[AES256_GCM,data:ktwQgPwcXTmMFhiTjXUGmPysfSg6X+EFBbfZMQ==,iv:vYF86NFW1EGf1TYLicTGiTIRKP/XC914zmVm42SyWPc=,tag:E1BdVp35362X373EE1HKvg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -27,8 +28,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-05T02:36:03Z" - mac: ENC[AES256_GCM,data:VD2tlgzwUujeuvO1SX4TBvJPyAQUKroZZ6KjJHwWvx/nOS/MfZQshuccP3QofHMKdBfSal22WVuxTzmzVCWv870/EOVKr3Tw1vAEpidDOLwmKHp6GrJXh5ReKg00j2yHgClsjetSMCQfaWmrO11Wa2UjS9+XDRMCQZ2sw2qbUtI=,iv:5kMwdTEeR7Dx0jfI4afeR88L1Sgij3S18KXGc77qzBU=,tag:4nKzV7vSX3T1b/HoAnCX8A==,type:str] + lastmodified: "2024-08-05T07:07:04Z" + mac: ENC[AES256_GCM,data:1/PFLb8fgNgBz4YZDqNUxw5JMzt+ATD1wuFWNwJkVGVlXgLpSuOYZc5TYte3W8HTLDY8YOFYdcZtvDyjeFf7PAGxAVhqE1TgAfs0HxEHY3S8Ivcen86LTmcsiPy1frGHOLhzFfim3GRLyNA+MUFzCSLCbERJ0t0iK+L0EZ9SoyY=,iv:+DeQvoP3xBBEkv0IaQ5R0EFtQ/19bKSG/eRrDp4JPJs=,tag:Xz3sSbS07rcNaoImy10P5A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 From 1906c39add406f385f90ede7aa6251a9ea492e39 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 5 Aug 2024 20:04:10 +0800 Subject: [PATCH 117/136] modules/miniflux: use custom module to replace the upstream one --- machines/massicot/secrets.yaml | 6 +- machines/massicot/services.nix | 8 +- modules/nixos/miniflux.nix | 119 +++++++++++++++++++++++--- modules/nixos/prometheus/default.nix | 4 +- modules/nixos/prometheus/miniflux.nix | 17 ++++ 5 files changed, 136 insertions(+), 18 deletions(-) create mode 100644 modules/nixos/prometheus/miniflux.nix diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index fb88246..b5ca7fe 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml 
@@ -3,7 +3,7 @@ gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str] miniflux: - oauth2_secret: ENC[AES256_GCM,data:ktwQgPwcXTmMFhiTjXUGmPysfSg6X+EFBbfZMQ==,iv:vYF86NFW1EGf1TYLicTGiTIRKP/XC914zmVm42SyWPc=,tag:E1BdVp35362X373EE1HKvg==,type:str] + oauth2_secret: ENC[AES256_GCM,data:Q0JeT5VHGEDATXB9jf5+eU1Hoi9FsJrw6IK2T0bodvVgki+1oF+sWld5NGpoiXm/bQ==,iv:e8+84Zk5eXNIyIPhTG8jFhO+DCRorPFG0lDDNT4OxCs=,tag:IxlyFBcFaSy7Nz0aQCH3bw==,type:str] sops: kms: [] gcp_kms: [] @@ -28,8 +28,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-05T07:07:04Z" - mac: ENC[AES256_GCM,data:1/PFLb8fgNgBz4YZDqNUxw5JMzt+ATD1wuFWNwJkVGVlXgLpSuOYZc5TYte3W8HTLDY8YOFYdcZtvDyjeFf7PAGxAVhqE1TgAfs0HxEHY3S8Ivcen86LTmcsiPy1frGHOLhzFfim3GRLyNA+MUFzCSLCbERJ0t0iK+L0EZ9SoyY=,iv:+DeQvoP3xBBEkv0IaQ5R0EFtQ/19bKSG/eRrDp4JPJs=,tag:Xz3sSbS07rcNaoImy10P5A==,type:str] + lastmodified: "2024-08-05T08:53:56Z" + mac: ENC[AES256_GCM,data:DtAL9k/t4pGV2UqCrb1R/1nT3gjJ8wced5yQOF5oneoncg/uuyX7IDZ0iZz0eGirj9Zadh9UQWNwxMzoiNu6pD1v04MkxT0NVDJ32vt5X+YDQJ60vRJjn9+zKvLk8Esx9sFsuBxjVXXmbtev7+djU+LbpPLfaobdheO2XlJXtdU=,iv:y2KI5ylgvuQ7ktYAr6XPEX3qyxnSP7BWC79mdsr4hgk=,tag:cvXvXeKvRwvttgQfmZRi2w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 7989aeb..96ede16 100644 
--- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -29,6 +29,7 @@ in custom.prometheus = { enable = true; exporters.blackbox.enable = true; + exporters.miniflux.enable = true; }; systemd.mounts = map @@ -89,13 +90,14 @@ in custom.miniflux = { enable = true; environment = { + LOG_LEVEL = "debug"; LISTEN_ADDR = "127.0.0.1:58173"; + BASE_URL = "https://rss.xinyang.life/"; OAUTH2_PROVIDER = "oidc"; - OAUTH2_CLIEND_ID = "miniflux"; + OAUTH2_CLIENT_ID = "miniflux"; OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback"; OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux"; OAUTH2_USER_CREATION = 1; - CREATE_ADMIN = lib.mkForce ""; }; oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path; }; @@ -255,7 +257,7 @@ in ''; virtualHosts."https://rss.xinyang.life".extraConfig = '' - reverse_proxy ${config.services.miniflux.config.LISTEN_ADDR} + reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR} ''; virtualHosts."https://ntfy.xinyang.life".extraConfig = '' diff --git a/modules/nixos/miniflux.nix b/modules/nixos/miniflux.nix index 9fcb8ad..2d539e0 100644 --- a/modules/nixos/miniflux.nix +++ b/modules/nixos/miniflux.nix 
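Review bot: `LOG_LEVEL = "debug";` is committed into the host configuration of a public-facing instance, so verbose logging becomes permanent rather than a one-off troubleshooting setting, and the commit message does not mention it, which makes it look like a leftover. Debug output is generally more detailed about requests and is not something to keep in the journal indefinitely; either drop the line or make it an explicit, commented override such as `LOG_LEVEL = "info";`. The `OAUTH2_CLIEND_ID` → `OAUTH2_CLIENT_ID` correction in the same hunk is a real fix (the misspelled key was presumably ignored by miniflux, so no client id was passed before) and deserves a line in the commit message.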
@@ -1,36 +1,133 @@ { config, pkgs, lib, ... }: let - inherit (lib) mkEnableOption mkOption types; + inherit (lib) mkEnableOption mkPackageOption mkOption types literalExpression mkIf mkDefault; cfg = config.custom.miniflux; + + defaultAddress = "localhost:8080"; + + pgbin = "${config.services.postgresql.package}/bin"; + preStart = pkgs.writeScript "miniflux-pre-start" '' + #!${pkgs.runtimeShell} + ${pgbin}/psql "miniflux" -c "CREATE EXTENSION IF NOT EXISTS hstore" + ''; in { options = { custom.miniflux = { enable = mkEnableOption "miniflux"; + + package = mkPackageOption pkgs "miniflux" { }; + oauth2SecretFile = mkOption { type = types.path; }; - environmentFile = mkOption { - type = types.path; - default = "/dev/null"; - }; + environment = mkOption { type = with types; attrsOf (oneOf [ int str ]); }; + + createDatabaseLocally = mkOption { + type = types.bool; + default = true; + description = '' + Whether a PostgreSQL database should be automatically created and + configured on the local host. If set to `false`, you need provision a + database yourself and make sure to create the hstore extension in it. 
+ ''; + }; }; }; config = lib.mkIf cfg.enable { - services.miniflux = { + services.miniflux.enable = false; + custom.miniflux.environment = { + LISTEN_ADDR = mkDefault defaultAddress; + RUN_MIGRATIONS = mkDefault 1; + DATABASE_URL = lib.mkIf cfg.createDatabaseLocally "user=miniflux host=/run/postgresql dbname=miniflux"; + OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret"; + WATCHDOG = mkDefault 1; + }; + + services.postgresql = lib.mkIf cfg.createDatabaseLocally { enable = true; - adminCredentialsFile = cfg.environmentFile; + ensureUsers = [{ + name = "miniflux"; + ensureDBOwnership = true; + }]; + ensureDatabases = [ "miniflux" ]; }; - systemd.services.miniflux = { + + systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally { + description = "Miniflux database setup"; + requires = [ "postgresql.service" ]; + after = [ "network.target" "postgresql.service" ]; serviceConfig = { - LoadCredential = [ "oauth2_secret:${cfg.oauth2SecretFile}" ]; - EnvironmentFile = [ "%d/oauth2_secret" ]; + Type = "oneshot"; + User = config.services.postgresql.superUser; + ExecStart = preStart; }; - environment = lib.mapAttrs (_: lib.mkForce) (lib.mapAttrs (_: toString) cfg.environment); }; + + systemd.services.miniflux = { + description = "Miniflux service"; + wantedBy = [ "multi-user.target" ]; + requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service"; + after = [ "network.target" ] + ++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ]; + + serviceConfig = { + Type = "notify"; + ExecStart = lib.getExe cfg.package; + User = "miniflux"; + DynamicUser = true; + LoadCredential = [ "oauth2_secret:${cfg.oauth2SecretFile}" ]; + RuntimeDirectory = "miniflux"; + RuntimeDirectoryMode = "0750"; + WatchdogSec = 60; + WatchdogSignal = "SIGKILL"; + Restart = "always"; + RestartSec = 5; + + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + 
PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" ]; + UMask = "0077"; + }; + + environment = lib.mapAttrs (_: toString) cfg.environment; + }; + environment.systemPackages = [ cfg.package ]; + + security.apparmor.policies."bin.miniflux".profile = '' + include + ${cfg.package}/bin/miniflux { + include + include + include + include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}" + r ${cfg.package}/bin/miniflux, + r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size, + rw /run/miniflux/**, + } + ''; }; } diff --git a/modules/nixos/prometheus/default.nix b/modules/nixos/prometheus/default.nix index 8c43908..070e3d2 100644 --- a/modules/nixos/prometheus/default.nix +++ b/modules/nixos/prometheus/default.nix @@ -29,6 +29,7 @@ in ./caddy.nix ./gotosocial.nix ./immich.nix + ./miniflux.nix ./ntfy-sh.nix ./restic.nix ]; @@ -48,7 +49,8 @@ in caddy.enable = mkExporterOption config.services.caddy.enable; gotosocial.enable = mkExporterOption config.services.gotosocial.enable; immich.enable = mkExporterOption config.services.immich.enable; - ntfy-sh.enable = mkExporterOption config.services.gotosocial.enable; + miniflux.enable = mkExporterOption config.services.miniflux.enable; + ntfy-sh.enable = mkExporterOption config.services.ntfy-sh.enable; }; grafana = { enable = mkEnableOption "Grafana Cloud"; diff --git a/modules/nixos/prometheus/miniflux.nix b/modules/nixos/prometheus/miniflux.nix new file mode 100644 index 0000000..2a64f47 --- /dev/null 
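Review bot: `oauth2SecretFile` is typed `types.path` but has no `description`, and nothing warns that a Nix path literal given here would be interpolated into the `LoadCredential` string and thereby copied into the world-readable store, defeating the credential mechanism. The host config passes a sops path string, which is the intended usage; make that the documented contract, e.g. `description = "File containing the OAuth2 client secret, loaded via systemd LoadCredential. Pass a string path to a file outside the Nix store; a literal Nix path would be copied into the store.";`. The `environment` option also lacks a description, so a reader cannot tell that keys are miniflux environment variable names and that values are stringified with `toString` before reaching the unit; one sentence covering that would help.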
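Review bot: `miniflux.enable = mkExporterOption config.services.miniflux.enable;` derives the exporter default from the upstream `services.miniflux.enable`, which the new custom module in this same commit forces to `false`, so the default can never become true on a host using `custom.miniflux`; it only works here because `machines/massicot/services.nix` sets `exporters.miniflux.enable = true` explicitly. Use `config.custom.miniflux.enable` instead (assuming `mkExporterOption` takes the default value; its definition is outside the hunk). The correction of `ntfy-sh.enable`, previously keyed on gotosocial, is right but unrelated to the commit title and worth a mention in the message.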
+++ b/modules/nixos/prometheus/miniflux.nix @@ -0,0 +1,17 @@ +{ config, lib, ... }: +let + cfg = config.custom.prometheus; +in +{ + config = lib.mkIf (cfg.enable && cfg.exporters.miniflux.enable) { + systemd.services.miniflux.environment.METRICS_COLLECTOR = 1; + services.prometheus.scrapeConfigs = [ + { + job_name = "miniflux"; + static_configs = [ + { targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; } + ]; + } + ]; + }; +} From c4dadf2b456e24b0722a6ca8a67847dd88fbf9f7 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 5 Aug 2024 20:04:37 +0800 Subject: [PATCH 118/136] modules/prometheus: support miniflux --- modules/nixos/prometheus/default.nix | 2 +- modules/nixos/prometheus/miniflux.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/prometheus/default.nix b/modules/nixos/prometheus/default.nix index 070e3d2..a560737 100644 --- a/modules/nixos/prometheus/default.nix +++ b/modules/nixos/prometheus/default.nix @@ -96,11 +96,11 @@ in node = { enable = true; enabledCollectors = [ - "diskstats" "loadavg" "time" "systemd" ]; + listenAddress = "127.0.0.1"; port = 9100; }; }; diff --git a/modules/nixos/prometheus/miniflux.nix b/modules/nixos/prometheus/miniflux.nix index 2a64f47..5339de3 100644 --- a/modules/nixos/prometheus/miniflux.nix +++ b/modules/nixos/prometheus/miniflux.nix @@ -4,7 +4,7 @@ let in { config = lib.mkIf (cfg.enable && cfg.exporters.miniflux.enable) { - systemd.services.miniflux.environment.METRICS_COLLECTOR = 1; + systemd.services.miniflux.environment.METRICS_COLLECTOR = "1"; services.prometheus.scrapeConfigs = [ { job_name = "miniflux"; From db2e696389cf49c9c14ff764352be20d130d04fb Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 5 Aug 2024 20:07:03 +0800 Subject: [PATCH 119/136] bump version --- flake.lock | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index d78098f..18bc38a 100644 --- a/flake.lock 
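Review bot: Setting `METRICS_COLLECTOR` makes miniflux serve `/metrics` on the same `LISTEN_ADDR` that the Caddy vhost for rss.xinyang.life proxies in full (see the `reverse_proxy` line in the services.nix hunk of this commit), so the metrics endpoint becomes reachable through the public hostname unless miniflux's `METRICS_ALLOWED_NETWORKS` allowlist rejects proxied clients. Confirm that the allowlist is evaluated against the forwarded client address rather than Caddy's loopback source address, or block the `/metrics` path in the Caddy vhost so only the local Prometheus scraper reaches it. A comment on the `METRICS_COLLECTOR` line stating which of the two protects the endpoint would save the next reader the same check. The `"1"` type fix already lands in the following commit.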
+++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "catppuccin": { "locked": { - "lastModified": 1721784420, - "narHash": "sha256-bgF6fN4Qgk7NErFKGuuqWXcLORsiykTYyqMUFRiAUBY=", + "lastModified": 1722661201, + "narHash": "sha256-2JX3S1hmmUhHuyGyGWnaM4xT0SiaDdVkNzmBrEowwK0=", "owner": "catppuccin", "repo": "nix", - "rev": "8bdb55cc1c13f572b6e4307a3c0d64f1ae286a4f", + "rev": "19a0f144f0204a12a89243363efb6a493b8cfc83", "type": "github" }, "original": { @@ -99,11 +99,11 @@ ] }, "locked": { - "lastModified": 1722462338, - "narHash": "sha256-ss0G8t8RJVDewA3MyqgAlV951cWRK6EtVhVKEZ7J5LU=", + "lastModified": 1722630065, + "narHash": "sha256-QfM/9BMRkCmgWzrPDK+KbgJOUlSJnfX4OvsUupEUZvA=", "owner": "nix-community", "repo": "home-manager", - "rev": "6e090576c4824b16e8759ebca3958c5b09659ee8", + "rev": "afc892db74d65042031a093adb6010c4c3378422", "type": "github" }, "original": { @@ -119,11 +119,11 @@ ] }, "locked": { - "lastModified": 1722136042, - "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=", + "lastModified": 1722740924, + "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "c0ca47e8523b578464014961059999d8eddd4aae", + "rev": "97ca0a0fca0391de835f57e44f369a283e37890f", "type": "github" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1722476581, - "narHash": "sha256-dCNcvjaOTu+cPin3VUym9pglsghWYJe5oUpKTuAgiiU=", + "lastModified": 1722821408, + "narHash": "sha256-FMCo35ZmMfvAcae+9neKfu6QzXjU3WL6vW2OFMXx6wI=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "1fe57eaf074d28246ec310486fe3db4ae44d0451", + "rev": "f25962fbd632afea744dc7e6868f24d2e73ccedb", "type": "github" }, "original": { 
@@ -174,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722489601, - "narHash": "sha256-sB37J92AwEcmzg0GgxdI1TU6M+psUpbo0iYLFJBmsfo=", + "lastModified": 1722578639, + "narHash": "sha256-yge4OI8r8JBFtoajezauguXwYJ7M+Enwb3ZGbJF4YKA=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "eee3d54e62749dfd0f263e3903ca0ec1ebdbe72b", + "rev": "4c71f761584bd9f9a4c4ba090c353c7f3e65c430", "type": "github" }, "original": { @@ -190,11 +190,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1722221733, - "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", + "lastModified": 1722651103, + "narHash": "sha256-IRiJA0NVAoyaZeKZluwfb2DoTpBAj+FLI0KfybBeDU0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "12bf09802d77264e441f48e25459c10c93eada2e", + "rev": "a633d89c6dc9a2a8aae11813a62d7c58b2c0cc51", "type": "github" }, "original": { @@ -222,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1722485061, - "narHash": "sha256-opkrX6noshjk2V3PKBiksA8+M6K7cu3EuiuAWL04pNs=", + "lastModified": 1722859145, + "narHash": "sha256-Y0X6yzkq5hU/A8MlC9/DfMz1i6mXEauD9539xUkEvo8=", "owner": "nix-community", "repo": "NUR", - "rev": "3bf06551d5922d420607091f5a3321e712ece307", + "rev": "ef567c82705d29b0b32d63ffd006c56c92953f4d", "type": "github" }, "original": { From 13ded9c314079f06622d9fda66da7c421d764f25 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 8 Aug 2024 16:38:05 +0800 Subject: [PATCH 120/136] chore: add spdlog for logging, no early break in check() --- CMakeLists.txt | 2 ++ difftest.toml | 13 +++++++++++++ flake.lock | 8 ++++---- flake.nix | 4 +++- include/difftest.hpp | 16 ++++++++++------ src/CMakeLists.txt | 3 +-- src/difftest.cpp | 19 ++++++++++++++----- src/gdbstub.cpp | 12 ++++++++---- src/loader.cpp | 7 +++++-- src/main.cpp | 2 ++ 10 files changed, 62 insertions(+), 24 deletions(-) create mode 100644 difftest.toml diff --git a/CMakeLists.txt b/CMakeLists.txt index 5d0720c..6f4e3f8 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -6,5 +6,7 @@ set(CMAKE_C_STANDARD 17) include(GNUInstallDirs) +find_package(spdlog REQUIRED) + include_directories(include) add_subdirectory(src) diff --git a/difftest.toml b/difftest.toml new file mode 100644 index 0000000..f45fd50 --- /dev/null +++ b/difftest.toml @@ -0,0 +1,13 @@ +# ref = "/home/xin/repo/spike-diff/build/lib/libspike-diff.so" +# ref-prefix = "spike_" +# dut = "/home/xin/repo/ysyx-workbench/nemu/build/riscv32-nemu-interpreter-so" +# dut-prefix = "nemu_" + +ref = /home/xin/repo/ysyx-workbench/nemu/build/riscv32-nemu-interpreter-so +ref-prefix = nemu_ +dut = "/home/xin/repo/spike-diff/build/lib/libspike-diff.so" +dut-prefix = "spike_" +listen = "/tmp/gdbstub-diffu.sock" +# listen = "127.0.0.1:1234" +memory = "/nix/store/37986mdgsqm5m8w74k0f5llzqhxgsbnv-am-kernel-riscv32-none-elf-2024-07-10/share/am-kernels/string.bin" +# g = true diff --git a/flake.lock b/flake.lock index 5e5d23f..fae0e3e 100644 --- a/flake.lock +++ b/flake.lock @@ -112,11 +112,11 @@ ] }, "locked": { - "lastModified": 1721457008, - "narHash": "sha256-ekpve0om5hzC1Ntd3zm1cZ9oS5pnr7a2n/tueyqFOsg=", + "lastModified": 1721891452, + "narHash": "sha256-2c9nDuXXARzoRXE67lte5kKBeFb1XmTNsvdiIbRUEgE=", "ref": "refs/heads/master", - "rev": "e7aa3319d52fa987ac2192f63aef3dcb1b057e3a", - "revCount": 151, + "rev": "de8ad578fc4fe527772cec23a7f660bde14c8570", + "revCount": 152, "type": "git", "url": "https://git.xinyang.life/xin/nur.git" }, diff --git a/flake.nix b/flake.nix index fb8fb90..1ef76ad 100644 --- a/flake.nix +++ b/flake.nix @@ -38,14 +38,16 @@ }; }; }; - devShells.default = with pkgs; mkShell { + devShells.default = with pkgs; (mkShell.override { stdenv = ccacheStdenv; }) { inherit (self.checks.${system}.pre-commit-check) shellHook; buildInputs = self.checks.${system}.pre-commit-check.enabledPackages; packages = [ clang-tools cmake + ninja gdb cli11 + spdlog mini-gdbstub ]; }; diff --git a/include/difftest.hpp b/include/difftest.hpp index 7410e0e..c585844 100644 
--- a/include/difftest.hpp +++ b/include/difftest.hpp @@ -2,13 +2,12 @@ #define _DIFFTEST_DIFFTEST_H_ #include "api.hpp" #include -#include +#include #include extern "C" { #include } -#include class Difftest { private: Target dut; @@ -55,17 +54,22 @@ public: arch_info_t get_arch() const { return *dut.isa_arch_info; } static bool check(Target &dut, Target &ref) { + size_t pcref, pcdut; + bool passed = true; + dut.ops.read_reg(dut.args.data(), 32, &pcdut); + ref.ops.read_reg(ref.args.data(), 32, &pcref); for (int r = 0; r < dut.isa_arch_info->reg_num; r++) { size_t regdut = 0, regref = 0; dut.ops.read_reg(dut.args.data(), r, ®dut); ref.ops.read_reg(ref.args.data(), r, ®ref); if (regdut != regref) { - std::cout << "reg: " << r << " dut: " << regdut << " ref: " << regref - << std::endl; - throw std::runtime_error("Difftest failed"); + spdlog::error("Reg {} different: \n\tPC:\t(ref) {:x}\t(dut) {:x}\n\t" + "value:\t(ref) {:x}\t(dut) {:x}", + r, pcref, pcdut, regref, regdut); + passed = false; } } - return true; + return passed; }; class Iterator { diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 2c13e71..6166ab9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -1,4 +1,3 @@ add_executable(diffu cli.cpp difftest.cpp gdbstub.cpp loader.cpp main.cpp) -target_link_libraries(diffu PRIVATE gdbstub) +target_link_libraries(diffu PRIVATE gdbstub spdlog::spdlog) install ( TARGETS diffu ) - diff --git a/src/difftest.cpp b/src/difftest.cpp index 8da7c30..acba918 100644 --- a/src/difftest.cpp +++ b/src/difftest.cpp @@ -2,10 +2,9 @@ #include #include #include +#include #include -#include - Difftest::Difftest(Target &&dut, std::vector &&refs) { this->dut = std::move(dut); this->refs = std::move(refs); 
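Review bot: `size_t pcref, pcdut;` are left uninitialized and the return values of the two `read_reg` calls that fill them are discarded, so a failed read logs stack garbage as the PC; the per-register loop below at least zero-initializes `regdut`/`regref`. Initialize both, `size_t pcref = 0, pcdut = 0;`, and ideally check the `read_reg` result the way `write_mem` is checked in setup(). Register index `32` is presumably the PC slot in the target's register numbering; a named constant with a comment would make that explicit, since the same literal recurs in setup() and cont() in later commits of this series.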
@@ -36,6 +35,7 @@ void Difftest::setup(const std::filesystem::path &memory_file) { for (auto it = this->begin(); it != this->end(); ++it) { auto &target = *it; target.ops.init(target.args.data()); + target.ops.write_reg(target.args.data(), 32, 0x80000000UL); if (target.ops.write_mem(target.args.data(), 0x80000000UL, membuf.size(), membuf.data()) != 0) throw std::runtime_error("write_mem failed"); @@ -43,10 +43,12 @@ void Difftest::setup(const std::filesystem::path &memory_file) { } bool Difftest::check_all() { + bool passed = true; for (auto &ref : refs) { - check(dut, ref); + if (check(dut, ref) == false) + passed = false; } - return true; + return passed; } Difftest::ExecRet Difftest::exec(size_t n, gdb_action_t *ret) { @@ -58,9 +60,12 @@ Difftest::ExecRet Difftest::exec(size_t n, gdb_action_t *ret) { auto &target = *it; *target.do_difftest = true; target.ops.stepi(target.args.data(), &target.last_res); + spdlog::trace("{} stepped once", target.meta.name); if (target.is_on_breakpoint()) { exec_ret.at_breakpoint = true; pbreak = ⌖ + spdlog::trace("{} on breakpoint", target.meta.name); + continue; } exec_ret.do_difftest = *target.do_difftest && exec_ret.do_difftest; } @@ -88,7 +93,10 @@ gdb_action_t Difftest::cont() { while (!is_halt()) { exec_ret = exec(1, &ret); if (exec_ret.do_difftest) - check_all(); + if (check_all() == false) { + ret.reason = gdb_action_t::ACT_BREAKPOINT; + break; + } if (exec_ret.at_breakpoint) break; }; @@ -122,6 +130,7 @@ int Difftest::sync_regs_to_ref(void) { return ret; } } + spdlog::trace("Applied registers value from dut to ref"); return ret; } diff --git a/src/gdbstub.cpp b/src/gdbstub.cpp index 6d613bb..e5774f2 100644 --- a/src/gdbstub.cpp +++ b/src/gdbstub.cpp @@ -2,10 +2,10 @@ #include #include #include +#include #include extern "C" { #include -} static void difftest_cont(void *args, gdb_action_t *res) { Difftest *diff = (Difftest *)args; 
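Review bot: The new `write_reg(target.args.data(), 32, 0x80000000UL)` in setup() ignores its result while the adjacent `write_mem` call is checked and throws, so a target that fails to set the entry PC continues silently and the first difftest mismatch is misattributed. If `write_reg` signals failure the way `write_mem` does, guard it the same way: `if (target.ops.write_reg(target.args.data(), 32, 0x80000000UL) != 0) throw std::runtime_error("write_reg failed");`. The reset address `0x80000000UL` now appears twice in this function; a named constant with a comment on its meaning would keep the two from drifting.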
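Review bot: The added `continue;` in exec() skips the `exec_ret.do_difftest = *target.do_difftest && exec_ret.do_difftest;` line for a target that stops on a breakpoint, so if `stepi` cleared that target's flag on the same step the aggregate still reports that a difftest should run, and cont() compares state the target asked to skip. If that is intended (breakpoint wins), a one-line comment above `continue;` saying so would settle it; otherwise move the aggregation above the breakpoint check. What `stepi` does to `do_difftest` is outside this hunk, so this is an inference from the visible control flow.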
@@ -65,6 +65,7 @@ std::vector split_into_args(const std::string &command) { static char *gdbstub_monitor(void *args, const char *s) { Difftest *diff = (Difftest *)args; + spdlog::trace("monitor"); CLI::App parser; std::string ret = ""; @@ -110,6 +111,7 @@ static char *gdbstub_monitor(void *args, const char *s) { return strdup(ret_stream.str().c_str()); } } +} int gdbstub_loop(Difftest *diff, std::string socket_addr) { target_ops gdbstub_ops = {.cont = difftest_cont, @@ -124,14 +126,16 @@ int gdbstub_loop(Difftest *diff, std::string socket_addr) { .monitor = gdbstub_monitor}; gdbstub_t gdbstub_priv; - std::cout << "Waiting for gdb connection at " << socket_addr << std::endl; + arch_info_t arch = diff->get_arch(); - if (!gdbstub_init(&gdbstub_priv, &gdbstub_ops, diff->get_arch(), + if (!gdbstub_init(&gdbstub_priv, &gdbstub_ops, arch, nullptr, socket_addr.c_str())) { - std::cerr << "Failed to init socket at: " << socket_addr << std::endl; + spdlog::error("Failed to init socket at: {}", socket_addr); return false; } + spdlog::info("Connected to gdb at {}", socket_addr); + bool success = gdbstub_run(&gdbstub_priv, diff); gdbstub_close(&gdbstub_priv); return !success; diff --git a/src/loader.cpp b/src/loader.cpp index fa5b062..b7f8413 100644 --- a/src/loader.cpp +++ b/src/loader.cpp @@ -1,7 +1,7 @@ #include "api.hpp" -#include #include #include +#include #include Target::Target(const std::string &name, const std::string &func_prefix, 
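Review bot: `spdlog::info("Connected to gdb at {}", socket_addr);` is emitted right after `gdbstub_init` succeeds and before `gdbstub_run`, i.e. before any client has connected, so the message asserts a connection that has not happened; the line it replaces said "Waiting for gdb connection", which was accurate. Use `spdlog::info("Waiting for gdb connection at {}", socket_addr);`. On the init-failure path `return false;` in this `int` function yields 0, the same value `return !success;` produces on success, so callers cannot distinguish the two; `return 1;` would fix that while these lines are being touched.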
@@ -11,16 +11,19 @@ Target::Target(const std::string &name, const std::string &func_prefix, .libpath = path, .dlhandle = dlopen(path.c_str(), RTLD_NOW)}; + spdlog::info("Library handle: {}", meta.dlhandle); if (!meta.dlhandle) { throw std::runtime_error(dlerror()); } #define LOAD_SYMBOL(ops, handle, prefix, name) \ do { \ + std::string symbol_name = func_prefix + #name; \ (ops).name = reinterpret_cast( \ - dlsym((handle), ((prefix) + #name).c_str())); \ + dlsym((handle), symbol_name.c_str())); \ if (!((ops).name)) \ goto load_error; \ + spdlog::debug("Found {} at {}", symbol_name, ((void *)((ops).name))); \ } while (0); LOAD_SYMBOL(ops, meta.dlhandle, func_prefix, cont); diff --git a/src/main.cpp b/src/main.cpp index 7b1110d..29d209f 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -1,10 +1,12 @@ #include "api.hpp" #include "config.hpp" #include "difftest.hpp" +#include int gdbstub_loop(Difftest *, std::string); int main(int argc, char **argv) { + spdlog::cfg::load_env_levels(); Config config; int ret = 0; ret = config.cli_parse(argc, argv); From 407216b17cb8b81fc5fe13af977b995834a8c013 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 8 Aug 2024 17:06:59 +0800 Subject: [PATCH 121/136] feat: find image file relative to config option image_path --- difftest.toml | 3 ++- include/config.hpp | 1 + src/cli.cpp | 13 ++++++++++--- src/difftest.cpp | 1 + src/loader.cpp | 4 +++- src/main.cpp | 9 ++++++++- 6 files changed, 25 insertions(+), 6 deletions(-) diff --git a/difftest.toml b/difftest.toml index f45fd50..9d9bad8 100644 --- a/difftest.toml +++ b/difftest.toml 
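Review bot: The rewritten `LOAD_SYMBOL` macro builds `symbol_name` from `func_prefix` instead of its `prefix` parameter, so the parameter is now dead and the macro silently depends on a variable of the enclosing scope; a future call with a different prefix would be ignored. Change the line to `std::string symbol_name = (prefix) + #name; \`. The `spdlog::info("Library handle: {}", meta.dlhandle);` line sits before the null check, so a failed `dlopen` logs a null handle at info level before the exception carries the real `dlerror()` text; moving it below the check reads better.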
@@ -9,5 +9,6 @@ dut = "/home/xin/repo/spike-diff/build/lib/libspike-diff.so" dut-prefix = "spike_" listen = "/tmp/gdbstub-diffu.sock" # listen = "127.0.0.1:1234" -memory = "/nix/store/37986mdgsqm5m8w74k0f5llzqhxgsbnv-am-kernel-riscv32-none-elf-2024-07-10/share/am-kernels/string.bin" +# memory = "/nix/store/37986mdgsqm5m8w74k0f5llzqhxgsbnv-am-kernel-riscv32-none-elf-2024-07-10/share/am-kernels/string.bin" +memory = "./add.bin" # g = true diff --git a/include/config.hpp b/include/config.hpp index 7574852..bf27c5e 100644 --- a/include/config.hpp +++ b/include/config.hpp @@ -5,6 +5,7 @@ #include struct Config { + std::filesystem::path images_path = "./"; std::filesystem::path memory_file; std::vector refs; std::vector refs_prefix; diff --git a/src/cli.cpp b/src/cli.cpp index add616d..e6913fa 100644 --- a/src/cli.cpp +++ b/src/cli.cpp @@ -6,9 +6,16 @@ int Config::cli_parse(int argc, char **argv) { CLI::App app; - app.add_option("-m,--memory", memory_file, "Content of memory") - ->required() - ->check(CLI::ExistingFile); + app.add_option( + "--images-path", images_path, + "Directory containing image files. Search image files in this path.") + ->envname("DIFFU_IMAGES_PATH") + ->check(CLI::ExistingPath); + + app.add_option("-m,--memory", memory_file, + "Image file used to fill up the memory. Relative path to " + "--images-path") + ->required(); app.add_option("--ref", refs, "Reference dynamic library") ->required() diff --git a/src/difftest.cpp b/src/difftest.cpp index acba918..e5648d1 100644 --- a/src/difftest.cpp +++ b/src/difftest.cpp @@ -20,6 +20,7 @@ Difftest::Difftest(Target &&dut, std::vector &&refs) { void Difftest::setup(const std::filesystem::path &memory_file) { std::ifstream is = std::ifstream(memory_file, std::ios::binary); + spdlog::debug("Reading image file: {}", memory_file.c_str()); // Seek to the end to determine the file size is.seekg(0, std::ios::end); std::streampos memsize = is.tellg(); 
diff --git a/src/loader.cpp b/src/loader.cpp index b7f8413..2a0ab38 100644 --- a/src/loader.cpp +++ b/src/loader.cpp @@ -11,7 +11,9 @@ Target::Target(const std::string &name, const std::string &func_prefix, .libpath = path, .dlhandle = dlopen(path.c_str(), RTLD_NOW)}; - spdlog::info("Library handle: {}", meta.dlhandle); + spdlog::info("Found dlopen API handle for {} at {}", meta.name, + meta.dlhandle); + if (!meta.dlhandle) { throw std::runtime_error(dlerror()); } diff --git a/src/main.cpp b/src/main.cpp index 29d209f..c2b3bf3 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -1,7 +1,9 @@ #include "api.hpp" #include "config.hpp" #include "difftest.hpp" +#include #include +#include int gdbstub_loop(Difftest *, std::string); @@ -26,7 +28,12 @@ int main(int argc, char **argv) { Difftest difftest{std::move(*dut), std::move(refs)}; - difftest.setup(config.memory_file); + std::filesystem::path image_file = config.images_path / config.memory_file; + if (!std::filesystem::exists(image_file)) { + spdlog::error("Cannot find {} in {}.", config.memory_file.c_str(), + config.images_path.c_str()); + } + difftest.setup(image_file); if (config.use_debugger) { gdbstub_loop(&difftest, config.gdbstub_addr); From b96a280e10a800cf2962704b03db430ecc47f6b3 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 9 Aug 2024 13:10:47 +0800 Subject: [PATCH 122/136] feat: support switching targets through monitor commands --- include/difftest.hpp | 2 ++ src/difftest.cpp | 50 +++++++++++++++++++++++++++++++++++++------- src/gdbstub.cpp | 12 +++++++++-- 3 files changed, 55 insertions(+), 9 deletions(-) diff --git a/include/difftest.hpp b/include/difftest.hpp index c585844..2f7b301 100644 --- a/include/difftest.hpp +++ b/include/difftest.hpp @@ -46,6 +46,8 @@ public: bool check_all(); int sync_regs_to_ref(void); + std::string list_targets(void); + std::string switch_target(int index); inline void halt() { __atomic_store_n(&halt_status, true, __ATOMIC_RELAXED); 
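Review bot: The new existence check only logs: after `spdlog::error("Cannot find {} in {}.", ...)` execution falls through to `difftest.setup(image_file)`, which opens the missing file and, in the setup() hunk of src/difftest.cpp in this commit (which never tests that the stream opened), derives a buffer size from `tellg()` on a failed stream. Return a non-zero status inside the `if`, e.g. `return 1;` after the error log. The same missing abort applies to setup() itself, which should reject `!is` before seeking.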
diff --git a/src/difftest.cpp b/src/difftest.cpp index e5648d1..0567ae3 100644 --- a/src/difftest.cpp +++ b/src/difftest.cpp @@ -1,9 +1,12 @@ #include "api.hpp" +#include #include #include #include #include +#include #include +#include Difftest::Difftest(Target &&dut, std::vector &&refs) { this->dut = std::move(dut); @@ -82,8 +85,12 @@ Difftest::ExecRet Difftest::exec(size_t n, gdb_action_t *ret) { gdb_action_t Difftest::stepi() { gdb_action_t ret = {.reason = gdb_action_t::ACT_NONE}; - exec(1, &ret); - check_all(); + ExecRet exec_result = exec(1, &ret); + if (exec_result.do_difftest) { + check_all(); + } else { + sync_regs_to_ref(); + } return ret; } @@ -93,11 +100,14 @@ gdb_action_t Difftest::cont() { start_run(); while (!is_halt()) { exec_ret = exec(1, &ret); - if (exec_ret.do_difftest) - if (check_all() == false) { - ret.reason = gdb_action_t::ACT_BREAKPOINT; - break; - } + if (exec_ret.do_difftest) { + check_all(); + } else { + size_t pc = 0; + read_reg(32, &pc); + spdlog::debug("Difftest skipped at {}", (void *)pc); + sync_regs_to_ref(); + } if (exec_ret.at_breakpoint) break; }; 
@@ -135,6 +145,32 @@ int Difftest::sync_regs_to_ref(void) { return ret; } +std::string Difftest::list_targets(void) { + std::ostringstream os; + int i = 0; + for (auto it = this->begin(); it != this->end(); ++it, ++i) { + auto &target = *it; + os << i << ": " << target.meta.name << std::endl; + } + os << "current: " << current_target->meta.name << std::endl; + return os.str(); +} + +std::string Difftest::switch_target(int index) { + std::ostringstream os; + int i = 0; + for (auto it = this->begin(); it != this->end(); ++it, ++i) { + auto &target = *it; + if (i == index) { + current_target = ⌖ + os << "Switched to " << current_target->meta.name << std::endl; + return os.str(); + } + } + os << "Invalid target target index: " << index << std::endl; + return os.str(); +} + int Difftest::read_mem(size_t addr, size_t len, void *val) { return current_target->ops.read_mem(current_target->args.data(), addr, len, val); diff --git a/src/gdbstub.cpp b/src/gdbstub.cpp index e5774f2..4bb585c 100644 --- a/src/gdbstub.cpp +++ b/src/gdbstub.cpp @@ -1,3 +1,4 @@ +#include "api.hpp" #include #include #include @@ -69,12 +70,19 @@ static char *gdbstub_monitor(void *args, const char *s) { CLI::App parser; std::string ret = ""; + auto sync = parser.add_subcommand("sync", "Sync states between targets") + ->callback([&]() { diff->sync_regs_to_ref(); }); + parser.add_subcommand("list", "List targets.")->callback([&]() { + ret = diff->list_targets(); + }); parser.add_subcommand("help", "Print help message")->callback([&]() { ret = parser.help(); }); - auto sync = parser.add_subcommand("sync", "Sync states between targets") - ->callback([&]() { diff->sync_regs_to_ref(); }); + int target_index = -1; + parser.add_subcommand("switch", "Switch to another target") + ->callback([&]() { ret = diff->switch_target(target_index); }) + ->add_option("target_index", target_index, "Index of the target"); std::string cmdstr; int slen = strlen(s); int ch; 
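Review bot: The user-facing message `"Invalid target target index: "` in switch_target() repeats "target"; it should read `os << "Invalid target index: " << index << std::endl;`. Because the monitor's `switch` subcommand defaults `target_index` to -1, this is also the text a user sees when the argument is omitted, so it is worth getting right. list_targets() and switch_target() duplicate the enumeration loop; sharing it is cosmetic and can wait.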
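Review bot: The `switch` subcommand's `target_index` option is optional and defaults to `-1`, so `monitor switch` with no argument reaches `switch_target(-1)` and is reported as an invalid index instead of a usage error; mark the option required, `->add_option("target_index", target_index, "Index of the target")->required();`. The `sync` subcommand is still bound to a local `auto sync` that nothing reads; dropping the binding avoids an unused-variable warning.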
From 810178e3f22f0f42844842b71931364d45682d59 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 13 Aug 2024 19:20:50 +0800 Subject: [PATCH 123/136] fix: c++ function signature in extern C --- src/gdbstub.cpp | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/src/gdbstub.cpp b/src/gdbstub.cpp index 4bb585c..2f62a60 100644 --- a/src/gdbstub.cpp +++ b/src/gdbstub.cpp @@ -1,4 +1,3 @@ -#include "api.hpp" #include #include #include @@ -7,7 +6,19 @@ #include extern "C" { #include +} +static std::vector split_into_args(const std::string &command) { + std::istringstream iss(command); + std::vector args; + std::string token; + while (iss >> token) { + args.push_back(token); + } + return args; +} + +extern "C" { static void difftest_cont(void *args, gdb_action_t *res) { Difftest *diff = (Difftest *)args; *res = diff->cont(); @@ -54,16 +65,6 @@ static void difftest_on_interrupt(void *args) { diff->halt(); } -std::vector split_into_args(const std::string &command) { - std::istringstream iss(command); - std::vector args; - std::string token; - while (iss >> token) { - args.push_back(token); - } - return args; -} - static char *gdbstub_monitor(void *args, const char *s) { Difftest *diff = (Difftest *)args; spdlog::trace("monitor"); From 3cbee013c03e025c1023716101edc728ffd6e95a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 13 Aug 2024 19:36:48 +0800 Subject: [PATCH 124/136] fix: miss spdlog in nix package --- default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/default.nix b/default.nix index e632c4c..240238c 100644 --- a/default.nix +++ b/default.nix @@ -3,6 +3,7 @@ , cmake , mini-gdbstub , cli11 +, spdlog }: stdenv.mkDerivation { pname = "diffu"; version = "0.0.0"; @@ -13,5 +14,6 @@ cmake mini-gdbstub cli11 + spdlog ]; } From 7b3881a9712bcb7bfea90614a44888ae5df6e849 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Wed, 14 Aug 2024 15:29:58 +0800 Subject: [PATCH 125/136] ci: build nix packages --- .gdbinit | 8 ++++++++ .gitea/workflows/build.yml | 20 ++++++++++++++++++++ difftest.toml | 15 +++++++++------ 3 files changed, 37 insertions(+), 6 deletions(-) create mode 100644 .gdbinit create mode 100644 .gitea/workflows/build.yml diff --git a/.gdbinit b/.gdbinit new file mode 100644 index 0000000..c1022cc --- /dev/null +++ b/.gdbinit @@ -0,0 +1,8 @@ +file /nix/store/ijxm784gr0sx5p4d92rlag0ippyd0mvm-am-kernel-riscv32-none-elf-2024-07-10/libexec/am-kernels/bench + +set substitute-path /build/am-kernels /home/xin/repo/ysyx-workbench/am-kernels +set substitute-path /build/abstract-machine /home/xin/repo/ysyx-workbench/abstract-machine +# set debug remote 1 +target remote /tmp/gdbstub-diffu.sock +break *halt + 24 + diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml new file mode 100644 index 0000000..80bedb4 --- /dev/null +++ b/.gitea/workflows/build.yml @@ -0,0 +1,20 @@ +name: Build nix packages +on: [push] + +jobs: + build-matrix: + runs-on: nix + strategy: + matrix: + package: [ "default" ] + steps: + - uses: https://github.com/cachix/cachix-action@v14 + with: + name: ysyx + authToken: '${{ secrets.CACHIX_SIGNING_KEY }}' + + - uses: actions/checkout@v4 + + - name: Build + run: | + nix build -L .#${{ matrix.package }} diff --git a/difftest.toml b/difftest.toml index 9d9bad8..3fdac6d 100644 --- a/difftest.toml +++ b/difftest.toml 
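Review bot: Both actions are referenced by mutable tags (`cachix/cachix-action@v14`, `actions/checkout@v4`) while the job hands `secrets.CACHIX_SIGNING_KEY` to the first of them, so whoever can move those tags can run code with the key that pushes to the `ysyx` cache; pin each `uses:` to a full commit SHA and keep the tag in a trailing comment. With `on: [push]` the secret is also available to every branch push, which is acceptable for a single-owner repository but worth a comment above `on:` so the assumption is visible when contributors are added.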
@@ -1,14 +1,17 @@ # ref = "/home/xin/repo/spike-diff/build/lib/libspike-diff.so" # ref-prefix = "spike_" +ref= "/home/xin/repo/ysyx-workbench/nemu/build/riscv32-nemu-interpreter-so" +ref-prefix = "nemu_" # dut = "/home/xin/repo/ysyx-workbench/nemu/build/riscv32-nemu-interpreter-so" # dut-prefix = "nemu_" -ref = /home/xin/repo/ysyx-workbench/nemu/build/riscv32-nemu-interpreter-so -ref-prefix = nemu_ -dut = "/home/xin/repo/spike-diff/build/lib/libspike-diff.so" -dut-prefix = "spike_" +dut = "/home/xin/repo/ysyx-workbench/npc/build/csrc/Flow/libFlow.so" +dut-prefix = "npc_" + +# dut = "/home/xin/repo/ysyx-workbench/nemu/build/riscv32-nemu-interpreter-so" +# dut-prefix = "nemu_" listen = "/tmp/gdbstub-diffu.sock" # listen = "127.0.0.1:1234" -# memory = "/nix/store/37986mdgsqm5m8w74k0f5llzqhxgsbnv-am-kernel-riscv32-none-elf-2024-07-10/share/am-kernels/string.bin" -memory = "./add.bin" +images-path = "/nix/store/z7mc0y608145cfwlb2g1gsii7bij7li1-am-kernel-riscv32-none-elf-2024-07-10/share/am-kernels" +memory = "bench.bin" # g = true From 9ba8c3d97bb78c3714edb68d78dace0fc1c42ead Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 15 Aug 2024 19:02:44 +0800 Subject: [PATCH 126/136] fix: do not check exsitance of lib on cli. --- src/cli.cpp | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/cli.cpp b/src/cli.cpp index e6913fa..dcbd193 100644 --- a/src/cli.cpp +++ b/src/cli.cpp 
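Review bot: The new `ref= "/home/xin/..."` line is missing the space before `=` that every other key in the file uses; make it `ref = "/home/xin/repo/ysyx-workbench/nemu/build/riscv32-nemu-interpreter-so"`. The new `images-path` points at one `/nix/store/z7mc…` entry by hash, which goes stale on the next rebuild of that package and is not valid on any other machine; a comment saying which derivation it came from, or a path outside the store, would keep the file usable. The repeated commented-out `dut`/`dut-prefix` pairs (the nemu pair now appears twice) could be collapsed to one.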
@@ -17,16 +17,12 @@ int Config::cli_parse(int argc, char **argv) { "--images-path") ->required(); - app.add_option("--ref", refs, "Reference dynamic library") - ->required() - ->check(CLI::ExistingFile); + app.add_option("--ref", refs, "Reference dynamic library")->required(); app.add_option("--ref-prefix", refs_prefix, "Optional prefix for each reference library"); - app.add_option("--dut", dut, "Design under test") - ->required() - ->check(CLI::ExistingFile); + app.add_option("--dut", dut, "Design under test")->required(); app.add_option("--dut-prefix", dut_prefix, "Optional prefix for design under test"); From 507d20390c294466a22ad8722341e7510f28222c Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 16 Aug 2024 12:27:24 +0800 Subject: [PATCH 127/136] fix: exit execution when first difftest failed --- .gdbinit | 2 +- include/difftest.hpp | 13 +++++++------ src/difftest.cpp | 33 +++++++++++++++++++-------------- src/main.cpp | 11 ++++++++++- 4 files changed, 37 insertions(+), 22 deletions(-) diff --git a/.gdbinit b/.gdbinit index c1022cc..0199ab7 100644 --- a/.gdbinit +++ b/.gdbinit @@ -1,4 +1,4 @@ -file /nix/store/ijxm784gr0sx5p4d92rlag0ippyd0mvm-am-kernel-riscv32-none-elf-2024-07-10/libexec/am-kernels/bench +file /nix/store/ijxm784gr0sx5p4d92rlag0ippyd0mvm-am-kernel-riscv32-none-elf-2024-07-10/libexec/am-kernels/demo set substitute-path /build/am-kernels /home/xin/repo/ysyx-workbench/am-kernels set substitute-path /build/abstract-machine /home/xin/repo/ysyx-workbench/abstract-machine diff --git a/include/difftest.hpp b/include/difftest.hpp index 2f7b301..211a6ff 100644 --- a/include/difftest.hpp +++ b/include/difftest.hpp @@ -23,12 +23,6 @@ private: return __atomic_load_n(&halt_status, __ATOMIC_RELAXED); }; - struct ExecRet { - bool at_breakpoint; - bool do_difftest; - }; - ExecRet exec(size_t n, gdb_action_t *ret); - public: Difftest(Target &&dut, std::vector &&refs); 
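Review bot: Removing `->check(CLI::ExistingFile)` from `--ref` and `--dut` means a wrong path is no longer rejected at parse time, so the failure moves to wherever the library is opened; please make sure that load path reports the offending file name and exits non-zero rather than continuing with a null handle. If the check was dropped because these values can be relative or are resolved later (e.g. against `--images-path`), a short comment on the option would say so: `// existence is checked at load time; paths may be resolved later`. `Config::cli_parse` continues outside the hunk.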
@@ -44,6 +38,13 @@ public: bool set_bp(size_t addr, bp_type_t type); bool del_bp(size_t addr, bp_type_t type); + struct ExecRet { + bool at_breakpoint; + bool do_difftest; + bool check_failed; + }; + ExecRet exec(size_t n, gdb_action_t *ret); + bool check_all(); int sync_regs_to_ref(void); std::string list_targets(void); diff --git a/src/difftest.cpp b/src/difftest.cpp index 0567ae3..8a09618 100644 --- a/src/difftest.cpp +++ b/src/difftest.cpp @@ -56,7 +56,8 @@ bool Difftest::check_all() { } Difftest::ExecRet Difftest::exec(size_t n, gdb_action_t *ret) { - ExecRet exec_ret = {.at_breakpoint = false, .do_difftest = true}; + ExecRet exec_ret = { + .at_breakpoint = false, .do_difftest = true, .check_failed = false}; while (n--) { Target *pbreak = &(*(this->begin())); // TODO: For improvement, use ThreadPool here for concurrent execution? @@ -74,23 +75,35 @@ Difftest::ExecRet Difftest::exec(size_t n, gdb_action_t *ret) { exec_ret.do_difftest = *target.do_difftest && exec_ret.do_difftest; } + // Do difftest, or sync registers to ref + if (exec_ret.do_difftest) { + if (!check_all()) { + exec_ret.check_failed = true; + } + } else { + size_t pc = 0; + read_reg(32, &pc); + spdlog::debug("Difftest skipped at {}", (void *)pc); + sync_regs_to_ref(); + } + + if (exec_ret.check_failed) { + ret->reason = gdb_action_t::ACT_SHUTDOWN; + } + if (exec_ret.at_breakpoint) { ret->reason = pbreak->last_res.reason; ret->data = pbreak->last_res.data; break; } } + return exec_ret; } gdb_action_t Difftest::stepi() { gdb_action_t ret = {.reason = gdb_action_t::ACT_NONE}; ExecRet exec_result = exec(1, &ret); - if (exec_result.do_difftest) { - check_all(); - } else { - sync_regs_to_ref(); - } return ret; } 
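Review bot: `Difftest::ExecRet` is now a public aggregate without default member initializers, so a caller that writes `Difftest::ExecRet exec_ret;` (as the new `main.cpp` does) holds three indeterminate bools until the first assignment. Giving the fields defaults, `bool at_breakpoint = false; bool do_difftest = true; bool check_failed = false;`, makes the struct safe to read in any state; the designated initializer in `Difftest::exec` keeps working with that change.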
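Review bot: In `Difftest::exec`, a failed `check_all()` sets `ret->reason = gdb_action_t::ACT_SHUTDOWN` but does not leave the `while (n--)` loop, so for `n > 1` the remaining steps still execute after the first divergence and the `at_breakpoint` branch can overwrite `ret->reason`; both current callers pass `n = 1`, which is why this is not visible yet. Make the stop explicit: `if (exec_ret.check_failed) { ret->reason = gdb_action_t::ACT_SHUTDOWN; break; }`. In `Difftest::stepi` the variable `exec_result` is now unused after the removed checks; `exec(1, &ret);` alone avoids the warning.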
@@ -100,14 +113,6 @@ gdb_action_t Difftest::cont() { start_run(); while (!is_halt()) { exec_ret = exec(1, &ret); - if (exec_ret.do_difftest) { - check_all(); - } else { - size_t pc = 0; - read_reg(32, &pc); - spdlog::debug("Difftest skipped at {}", (void *)pc); - sync_regs_to_ref(); - } if (exec_ret.at_breakpoint) break; }; diff --git a/src/main.cpp b/src/main.cpp index c2b3bf3..6dea91f 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -38,7 +38,16 @@ int main(int argc, char **argv) { if (config.use_debugger) { gdbstub_loop(&difftest, config.gdbstub_addr); } else { - difftest.cont(); + gdb_action_t ret = {.reason = gdb_action_t::ACT_NONE}; + Difftest::ExecRet exec_ret; + while (1) { + exec_ret = difftest.exec(1, &ret); + if (exec_ret.check_failed) + return 1; + if (exec_ret.at_breakpoint) + break; + }; + return 0; } return 0; From 47ee5ef21fdc396e549a6607043b4f2f13cc4471 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 20 Aug 2024 21:04:46 +0800 Subject: [PATCH 128/136] modules/nixvim: add nixvim to config --- flake.lock | 395 ++++++++++++++++++++++++++++--- flake.nix | 41 +++- modules/home-manager/default.nix | 2 +- modules/home-manager/vim.nix | 43 +--- overlays/add-pkgs.nix | 13 +- overlays/default.nix | 7 +- 6 files changed, 407 insertions(+), 94 deletions(-) diff --git a/flake.lock b/flake.lock index 18bc38a..2f78082 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "catppuccin": { "locked": { - "lastModified": 1722661201, - "narHash": "sha256-2JX3S1hmmUhHuyGyGWnaM4xT0SiaDdVkNzmBrEowwK0=", + "lastModified": 1724156255, + "narHash": "sha256-rpUCeS/QZwQdJmDrvCm0hRi8bFvQNQKAnIMK5ZDBfpM=", "owner": "catppuccin", "repo": "nix", - "rev": "19a0f144f0204a12a89243363efb6a493b8cfc83", + "rev": "8886a68edadb1d93c7101337f995ffce4b410ff2", "type": "github" }, "original": { 
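Review bot: `Difftest::cont` only leaves its loop on `exec_ret.at_breakpoint`, so when `exec` reports `check_failed` (and sets `ACT_SHUTDOWN` in `ret`) the loop keeps stepping until `is_halt()`, which does not match the commit's intent of stopping at the first failed difftest in gdbstub mode. Add `if (exec_ret.check_failed) break;` next to the existing breakpoint check. `Difftest::cont` begins before this hunk.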
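Review bot: The new loop in `main` ends with `};`, a stray empty statement after the block, and the `return 0;` added inside the `else` branch makes the existing `return 0;` after it dead for that path; drop the semicolon and one of the returns. The loop also exits only on `check_failed` or `at_breakpoint`; if a normal halt of the targets is not surfaced through `at_breakpoint`, this loop never terminates where `cont()` would have stopped on `is_halt()`, which is worth confirming.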
@@ -42,6 +42,28 @@ "type": "github" } }, + "devshell": { + "inputs": { + "nixpkgs": [ + "my-nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722113426, + "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", + "owner": "numtide", + "repo": "devshell", + "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -59,6 +81,20 @@ } }, "flake-compat_2": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -74,6 +110,46 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "my-nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -92,6 +168,80 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "my-nixvim", + "nixvim", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "my-nixvim", + "nixvim", + "nixpkgs" + ], + "nixpkgs-stable": [ + "my-nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723803910, + "narHash": "sha256-yezvUuFiEnCFbGuwj/bQcqg7RykIEqudOy/RBrId0pc=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "bfef0ada09e2c8ac55bbcd0831bd0c9d42e651ba", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "my-nixvim", + "nixvim", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -99,11 +249,11 @@ ] }, "locked": { - "lastModified": 1722630065, - "narHash": "sha256-QfM/9BMRkCmgWzrPDK+KbgJOUlSJnfX4OvsUupEUZvA=", + "lastModified": 1723986931, + "narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=", "owner": "nix-community", "repo": "home-manager", - "rev": "afc892db74d65042031a093adb6010c4c3378422", + "rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671", "type": "github" }, "original": { 
@@ -112,6 +262,72 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "my-nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723986931, + "narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "my-nixvim": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "nixvim": "nixvim" + }, + "locked": { + "lastModified": 1724158316, + "narHash": "sha256-cz2N0vPfe0jmjxqKWh7dgVecLqmPLHQrvxGJk0atDbg=", + "ref": "refs/heads/master", + "rev": "a5eb7fe89ee8ba654f339d8f75cecb39851743ec", + "revCount": 4, + "type": "git", + "url": "https://git.xinyang.life/xin/nixvim" + }, + "original": { + "type": "git", + "url": "https://git.xinyang.life/xin/nixvim" + } + }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "my-nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723859949, + "narHash": "sha256-kiaGz4deGYKMjJPOji/JVvSP/eTefrIA3rAjOnOpXl4=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "076b9a905af8a52b866c8db068d6da475839d97b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "repo": "nix-darwin", + "type": "github" + } + }, "nix-index-database": { "inputs": { "nixpkgs": [ @@ -119,11 +335,11 @@ ] }, "locked": { - "lastModified": 1722740924, - "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=", + "lastModified": 1723950649, + "narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "97ca0a0fca0391de835f57e44f369a283e37890f", + "rev": "392828aafbed62a6ea6ccab13728df2e67481805", "type": "github" }, "original": { 
@@ -134,7 +350,7 @@ }, "nix-vscode-extensions": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-utils": [ "flake-utils" ], @@ -143,11 +359,11 @@ ] }, "locked": { - "lastModified": 1722821408, - "narHash": "sha256-FMCo35ZmMfvAcae+9neKfu6QzXjU3WL6vW2OFMXx6wI=", + "lastModified": 1724117347, + "narHash": "sha256-/nfm6P0owPtCRjT8ktq/8OChtg2HpkrvNaDJGm9N1Lk=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "f25962fbd632afea744dc7e6868f24d2e73ccedb", + "rev": "2ef60116ef361d988317cbe52a09acfeda7d3416", "type": "github" }, "original": { @@ -158,11 +374,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1722332872, - "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=", + "lastModified": 1724067415, + "narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "14c333162ba53c02853add87a0000cbd7aa230c2", + "rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2", "type": "github" }, "original": { 
@@ -174,27 +390,39 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722578639, - "narHash": "sha256-yge4OI8r8JBFtoajezauguXwYJ7M+Enwb3ZGbJF4YKA=", - "owner": "xinyangli", + "lastModified": 1723991338, + "narHash": "sha256-Grh5PF0+gootJfOJFenTTxDTYPidA3V28dqJ/WV7iis=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "4c71f761584bd9f9a4c4ba090c353c7f3e65c430", + "rev": "8a3354191c0d7144db9756a74755672387b702ba", "type": "github" }, "original": { - "owner": "xinyangli", - "ref": "deploy", + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1722555339, + "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" + } + }, "nixpkgs-stable": { "locked": { - "lastModified": 1722651103, - "narHash": "sha256-IRiJA0NVAoyaZeKZluwfb2DoTpBAj+FLI0KfybBeDU0=", + "lastModified": 1723938990, + "narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a633d89c6dc9a2a8aae11813a62d7c58b2c0cc51", + "rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890", "type": "github" }, "original": { 
@@ -220,13 +448,55 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1723173329, + "narHash": "sha256-r8lB8vNn0dEBD7opds4REPS4eDChcOz6ZWit4DTiSU8=", + "owner": "xinyangli", + "repo": "nixpkgs", + "rev": "e3fa5a239ae55cc330f8a54ed3c0738e1bcfa301", + "type": "github" + }, + "original": { + "owner": "xinyangli", + "ref": "deploy", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixvim": { + "inputs": { + "devshell": "devshell", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", + "git-hooks": "git-hooks", + "home-manager": "home-manager_2", + "nix-darwin": "nix-darwin", + "nixpkgs": "nixpkgs", + "nuschtosSearch": "nuschtosSearch", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1724127528, + "narHash": "sha256-fKtsvNQeLhPuz1O53x6Xxkd/yYecpolNXRq7mfvnXQk=", + "owner": "nix-community", + "repo": "nixvim", + "rev": "cb413995e1e101c76d755b7f131ce60c7ea3985d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixvim", + "type": "github" + } + }, "nur": { "locked": { - "lastModified": 1722859145, - "narHash": "sha256-Y0X6yzkq5hU/A8MlC9/DfMz1i6mXEauD9539xUkEvo8=", + "lastModified": 1724150696, + "narHash": "sha256-FXuWhg5wD9uFaG/cBazHjmp1Gmd3rZswjaca8FqHQLU=", "owner": "nix-community", "repo": "NUR", - "rev": "ef567c82705d29b0b32d63ffd006c56c92953f4d", + "rev": "ea4eb7133060e7f2079f3cc3213c6200eafc7253", "type": "github" }, "original": { 
@@ -235,16 +505,40 @@ "type": "github" } }, + "nuschtosSearch": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "my-nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723969429, + "narHash": "sha256-BuewfNEXEf11MIkJY+uvWsdLu1dIvgJqntWChvNdALg=", + "owner": "NuschtOS", + "repo": "search", + "rev": "a05d1805f2a2bc47d230e5e92aecbf69f784f3d0", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "repo": "search", + "type": "github" + } + }, "root": { "inputs": { "catppuccin": "catppuccin", "colmena": "colmena", "flake-utils": "flake-utils", "home-manager": "home-manager", + "my-nixvim": "my-nixvim", "nix-index-database": "nix-index-database", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable", "nur": "nur", "sops-nix": "sops-nix" @@ -258,11 +552,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1722114803, - "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=", + "lastModified": 1723501126, + "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab", + "rev": "be0eec2d27563590194a9206f551a6f73d52fa34", "type": "github" }, "original": { 
@@ -285,6 +579,43 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "my-nixvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723808491, + "narHash": "sha256-rhis3qNuGmJmYC/okT7Dkc4M8CeUuRCSvW6kC2f3hBc=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "1d07739554fdc4f8481068f1b11d6ab4c1a4167a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index c2ba7c6..61a65a3 100644 --- a/flake.nix +++ b/flake.nix @@ -44,6 +44,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + my-nixvim = { + url = "git+https://git.xinyang.life/xin/nixvim"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + catppuccin.url = "github:catppuccin/nix"; }; @@ -56,8 +61,25 @@ , flake-utils , nur , catppuccin + , my-nixvim , ... }@inputs: let + nixvimOverlay = (final: prev: { + nixvim = self.packages.${prev.stdenv.system}.nixvim; + }); + overlayModule = { ... }: { + nixpkgs.overlays = [ + nixvimOverlay + (import ./overlays/add-pkgs.nix) + ]; + }; + deploymentModule = { + deployment.targetUser = "xin"; + }; + sharedColmenaModules = [ + self.nixosModules.default + deploymentModule + ]; sharedHmModules = [ inputs.sops-nix.homeManagerModules.sops inputs.nix-index-database.hmModules.nix-index 
@@ -96,28 +118,17 @@ modules = [ self.nixosModules.default nur.nixosModules.nur - ./overlays ] ++ modules; }; in { nixpkgs = nixpkgs; - nixosModules.default = import ./modules/nixos; + nixosModules.default = { imports = [ ./modules/nixos overlayModule ]; }; homeManagerModules = import ./modules/home-manager; homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; - colmenaHive = - let - deploymentModule = { - deployment.targetUser = "xin"; - }; - sharedColmenaModules = [ - self.nixosModules.default - deploymentModule - ]; - in - inputs.colmena.lib.makeHive { + colmenaHive = inputs.colmena.lib.makeHive { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; @@ -210,6 +221,10 @@ packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ]; }; }; + + packages = { + nixvim = my-nixvim.packages.${system}.default; + }; } ); } diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix index 23f5c24..14159ce 100644 --- a/modules/home-manager/default.nix +++ b/modules/home-manager/default.nix @@ -9,4 +9,4 @@ ./vscode.nix ./zellij.nix ]; -} \ No newline at end of file +} diff --git a/modules/home-manager/vim.nix b/modules/home-manager/vim.nix index d818132..f66535f 100644 --- a/modules/home-manager/vim.nix +++ b/modules/home-manager/vim.nix 
@@ -1,43 +1,22 @@ -{ config, pkgs, lib, ... }: - -with lib; - +{ config, pkgs, lib, ... }: let + inherit (lib) mkIf mkEnableOption getExe; cfg = config.custom-hm.neovim; + tomlFormat = pkgs.formats.toml { }; + neovideConfig = { + neovim-bin = getExe pkgs.nixvim; + fork = true; + }; in { options.custom-hm.neovim = { enable = mkEnableOption "neovim configurations"; }; config = mkIf cfg.enable { - programs.neovim = { - enable = true; - vimAlias = true; - vimdiffAlias = true; - plugins = with pkgs.vimPlugins; [ - catppuccin-nvim - ]; - extraConfig = '' - set nocompatible - - syntax on - set number - set relativenumber - set shortmess+=I - set laststatus=2 - - set ignorecase - set smartcase - set list - set listchars=tab:→· - set tabstop=4 - set shiftwidth=4 - set expandtab - - set mouse+=a - - colorscheme catppuccin-macchiato - ''; + home.packages = with pkgs; [ nixvim neovide ]; + programs.neovim.enable = false; + home.file.".config/neovide/config.toml" = { + source = tomlFormat.generate "neovide-config" neovideConfig; }; }; } diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix index ce339b0..35b6981 100644 --- a/overlays/add-pkgs.nix +++ b/overlays/add-pkgs.nix @@ -1,10 +1,3 @@ -{ config, pkgs, lib, ... }: - -{ - nixpkgs.overlays = [ - (self: super: { - oidc-agent = pkgs.callPackage ./pkgs/oidc-agent { }; - python3 = super.python312; - }) - ]; -} +(final: prev: { + oidc-agent = prev.callPackage ./pkgs/oidc-agent { }; +}) diff --git a/overlays/default.nix b/overlays/default.nix index de8ee08..a94c09a 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -1,6 +1 @@ -{ config, pkgs, ... }: -{ - imports = [ - ./add-pkgs.nix - ]; -} +final: prev: (import ./add-pkgs.nix) From ed19829fe4bdb5060a4484901549b5c6b9b5bec1 Mon Sep 17 00:00:00 2001 
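Review bot: The rewrite of `overlays/add-pkgs.nix` silently drops the `python3 = super.python312;` override along with the module wrapper, which changes the `python3` attribute every consumer sees; the commit message only mentions nixvim. If the drop is intended, say so in the message; otherwise keep it as `python3 = prev.python312;` in the new overlay.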
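Review bot: `final: prev: (import ./add-pkgs.nix)` in `overlays/default.nix` is not a valid overlay: `import ./add-pkgs.nix` evaluates to the function `final: prev: { … }`, so this expression returns a function instead of an attribute set and any `nixpkgs.overlays` consumer will fail on it. Either re-export it directly, `import ./add-pkgs.nix`, or apply it, `final: prev: (import ./add-pkgs.nix) final prev`. Since `flake.nix` in this same commit stops importing `./overlays`, the file may now be unused, in which case deleting it is the cleaner fix.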
From: xinyangli Date: Tue, 20 Aug 2024 21:07:34 +0800 Subject: [PATCH 129/136] modules/vscode: llm support --- home/xin/calcite.nix | 17 ++++++++- modules/home-manager/vscode.nix | 64 +++++++++++++++++++++++---------- 2 files changed, 61 insertions(+), 20 deletions(-) diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index b26d5d8..130bd00 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -51,7 +51,7 @@ fish = { enable = true; }; git = { enable = true; signing.enable = true; }; neovim = { enable = true; }; - vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; }; + vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; llm = true; }; zellij = { enable = true; }; }; @@ -59,4 +59,19 @@ enable = true; flags = [ "--disable-up-arrow" ]; }; + + programs.firefox.enable = true; + + programs.firefox.policies = { + DefaultDownloadDirectory = "/media/data/Downloads"; + }; + + programs.firefox.profiles.default = { + isDefault = true; + userChrome = builtins.readFile "${pkgs.fetchgit { + url = "https://gist.github.com/0ded98af9fe3da35f3688f81364d8c14.git"; + rev = "11bb4f428382052bcbbceb6cc3fef97f3c939481"; + hash = "sha256-J11indzEGdUA0HSW8eFe5AjesOxCL/G05KwkJk9GZSY="; + }}/userChrome.css"; + }; } diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 6042b6a..9017f4c 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -31,7 +31,7 @@ let "cmake.pinnedCommands" = [ "workbench.action.tasks.configureTaskRunner" "workbench.action.tasks.runTask" - ]; + ]; "C_Cpp.intelliSenseEngine" = "Disabled"; }; }; @@ -43,7 +43,7 @@ let settings = { }; }; scalaPackages = { - systemPackages = with pkgs; [ coursier ]; + systemPackages = with pkgs; [ coursier metals ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ scala-lang.scala scalameta.metals 
@@ -58,11 +58,13 @@ let settings = { "latex-workshop.latex.autoBuild.run" = "never"; "latex-workshop.latex.tools" = [ - { "name" = "xelatex"; + { + "name" = "xelatex"; "command" = "xelatex"; "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; } - { "name" = "pdflatex"; + { + "name" = "pdflatex"; "command" = "pdflatex"; "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; } @@ -84,6 +86,7 @@ let }; }; }; + llmExtensions = [ pkgs.vscode-extensions.continue.continue ]; languages = [ "nix" "cxx" "python" "scala" "latex" ]; zipAttrsWithLanguageOption = (attr: @@ -103,12 +106,14 @@ in scala = mkEnableOption "Scala"; latex = mkEnableOption "Latex"; }; + llm = mkEnableOption "tab completion with Continue and ollama"; }; config = mkIf cfg.enable { nixpkgs.config.allowUnfree = true; home.packages = lib.mkMerge ([ [ pkgs.clang-tools ] + (mkIf cfg.llm [ pkgs.ollama ]) ] ++ zipAttrsWithLanguageOption "systemPackages"); programs.vscode = { enable = true; 
@@ -135,30 +140,51 @@ in ms-vscode-remote.remote-ssh-edit mushan.vscode-paste-image ]) + (with pkgs.vscode-extensions; [ waderyan.gitblame catppuccin.catppuccin-vsc # Rust rust-lang.rust-analyzer ]) + + (mkIf cfg.llm llmExtensions) ] ++ zipAttrsWithLanguageOption "extension"); userSettings = lib.mkMerge ([ - {"workbench.colorTheme" = "Catppuccin Macchiato"; - "terminal.integrated.sendKeybindingsToShell" = true; - "extensions.ignoreRecommendations" = true; - "files.autoSave" = "afterDelay"; - "editor.inlineSuggest.enabled" = true; - "editor.rulers" = [ - 80 - ]; - "editor.mouseWheelZoom" = true; - "git.autofetch" = false; - "window.zoomLevel" = -1; + { + "workbench.colorTheme" = "Catppuccin Macchiato"; + "terminal.integrated.sendKeybindingsToShell" = true; + "extensions.ignoreRecommendations" = true; + "files.autoSave" = "afterDelay"; + "editor.inlineSuggest.enabled" = true; + "editor.rulers" = [ + 80 + ]; + "editor.mouseWheelZoom" = true; + "git.autofetch" = false; + "window.zoomLevel" = -1; - "extensions.experimental.affinity" = { - "vscodevim.vim" = 1; - }; - }] ++ zipAttrsWithLanguageOption "settings"); + "extensions.experimental.affinity" = { + "vscodevim.vim" = 1; + }; + } + ] ++ zipAttrsWithLanguageOption "settings"); + }; + + home.file.".continue/config.json".text = lib.generators.toJSON { } { + models = [ + { + model = "AUTODETECT"; + provider = "ollama"; + title = "Ollama"; + } + ]; + tabAutocompleteModel = { + model ="deepseek-coder:6.7b-base"; + provider = "ollama"; + title = "codegemma"; + }; }; }; + } From 27901b05c6da74cdbf9872f45ce194d782390fc4 Mon Sep 17 00:00:00 2001 
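Review bot: In the generated `.continue/config.json`, `tabAutocompleteModel` names the model `"deepseek-coder:6.7b-base"` but titles it `"codegemma"`, which will mislead whoever reads the UI or the file; pick one, e.g. `title = "deepseek-coder";`. The same line has `model ="…"` with the space on the wrong side of `=`, unlike every other binding in the block. Writing this file from Home Manager also means any edit the Continue extension makes to its own config is overwritten on the next activation; a comment stating that the file is managed here would save confusion.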
From: xinyangli Date: Tue, 20 Aug 2024 21:09:31 +0800 Subject: [PATCH 130/136] chore: small fixes --- machines/calcite/configuration.nix | 19 ++++++++++++++----- machines/calcite/network.nix | 3 +++ machines/calcite/secrets.yaml | 9 +++++---- machines/dolomite/default.nix | 15 +++++++++++++++ modules/home-manager/direnv.nix | 18 +++++++++++++++--- 5 files changed, 52 insertions(+), 12 deletions(-) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 03f1801..a39d487 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -10,6 +10,7 @@ ]; commonSettings = { + auth.enable = true; nix = { enableMirrors = true; signing.enable = true; @@ -23,7 +24,7 @@ # boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ]; boot.supportedFilesystems = [ "ntfs" ]; - boot.binfmt.emulatedSystems = ["aarch64-linux"]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; security.tpm2 = { enable = true; @@ -49,7 +50,8 @@ programs.oidc-agent.enable = true; programs.oidc-agent.providers = [ - { issuer = "https://home.xinyang.life:9201"; + { + issuer = "https://home.xinyang.life:9201"; pubclient = { client_id = "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69"; client_secret = "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"; @@ -157,6 +159,7 @@ # Allow unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ + "openssl-1.1.1w" ]; # List packages installed in system profile. To search, run: # $ nix search wget @@ -208,13 +211,13 @@ element-desktop tdesktop qq + wechat-uos feishu # Password manager bitwarden # Browser - firefox (chromium.override { commandLineArgs = [ "--ozone-platform-hint=auto" @@ -253,7 +256,7 @@ owner = "root"; sopsFile = ./secrets.yaml; }; - gitea_env = { + "gitea/envfile" = { owner = "root"; sopsFile = ./secrets.yaml; }; 
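Review bot: The reformatted `programs.oidc-agent.providers` entry still carries a literal `client_id`/`client_secret` pair, which lands in the world-readable Nix store of every machine that evaluates this configuration. The same commit moves the gitea token to `sops.secrets."gitea/envfile"`, so the OIDC client secret is the obvious next candidate if the oidc-agent module can read it from a file path; if it cannot, the credential should at least be rotated and the limitation noted in a comment next to it.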
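Review bot: Adding `"openssl-1.1.1w"` to `nixpkgs.config.permittedInsecurePackages` re-enables an OpenSSL branch that no longer receives security fixes, and the list applies to the whole system closure rather than to one consumer. Record why it is needed so it can be removed later, e.g. `"openssl-1.1.1w" # required by <consumer package>; drop once it builds against openssl 3`, and check whether the dependent package has a variant on a supported OpenSSL.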
@@ -263,13 +266,19 @@ custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path; custom.forgejo-actions-runner.enable = true; - custom.forgejo-actions-runner.tokenFile = config.sops.secrets.gitea_env.path; + custom.forgejo-actions-runner.tokenFile = config.sops.secrets."gitea/envfile".path; custom.prometheus = { enable = true; exporters.blackbox.enable = true; }; + services.ollama = { + enable = true; + acceleration = "cuda"; + }; + + # MTP support services.gvfs.enable = true; diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 94a7e71..3ed94c5 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -13,6 +13,9 @@ services.resolved = { enable = true; + extraConfig = '' + Cache=no + ''; }; # Enable Tailscale diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index 780f6cb..d0e1b64 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml 
@@ -1,7 +1,8 @@ restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str] -gitea_env: ENC[AES256_GCM,data:ShKKQWSiIkQ4uaWBhN5uB3xSu/8u8LkDjZeFi3G5BZUj7Vy4hoMweyUXyMf7w9A=,iv:JK6NgIJlU8G7G/LrZtNyGC4K9jblImFXnzhUMdkFbUw=,tag:PYeafqgXaSpDNJ0oIENW4A==,type:str] +gitea: + envfile: ENC[AES256_GCM,data:bO1aMYm0kPTBbyPD5cweVRzNjiDK2WlWDsxz52L3faFg5HSVmBoi5DZC17XBXYw=,iv:lo9XEcwY4FPD/rRbnuiUviioMIiiphS26UgPro56DIU=,tag:0eKfsS0pYw+FPW+Y5dgisg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -26,8 +27,8 @@ sops: WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-05T04:32:32Z" - mac: ENC[AES256_GCM,data:esdTvjxnVP5t721ROLvMCvHMAkcpEFgTzHIQNyEkEaL1DKYDOJKFjufPPXDiEBX8+ni9RGYL4QHuDxlh89p0HAFHb3XCkE639NyHr6MD/DzFHbenaMJXEcWy/RSoWqroyHJA8XL7ymBGeDH7ERqyQaxc3oG653V/Uq5+/a++HQI=,iv:QvSee/Wes5RygpoCOJpVuatj+xij8EPUBayE1yUWM3g=,tag:8Un2qrflqAFB0iWz2Evi5Q==,type:str] + lastmodified: "2024-08-14T01:46:18Z" + mac: ENC[AES256_GCM,data:+RuyHG1wLykJX792bkHvRXEiW7vDYj7i2tbR0MnZZUuFcr3xQDIuCW0/XnzxeX643k4iq+h/YUer/v7tIbCh75UXTG7oxQpfJhI8zMfaxKcCZBntD+wDhEmpWhgonOR/RwOAPMPz7FntJVvt9BHnpSLVjZC7KqVPohob0DRJs2Q=,iv:p6Lov35M8SN9RIV9I3D+3cO+wi3Kd2pVe08xgWYi/tM=,tag:aOMQauv2FFEsdwaS7WOraQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 3a5406f..22fc0e8 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -95,9 +95,24 @@ in dns = { servers = [ { + tag = "warp"; address = "1.1.1.1"; detour = "wg-out"; } + { + tag = "directdns"; + address = "h3://8.8.8.8/dns-query"; + } + ]; + rules = [ + { + outbound = "wg-out"; + server = "warp"; + } + { + outbound = "direct"; + server = "directdns"; + } ]; }; inbounds = [ diff --git a/modules/home-manager/direnv.nix b/modules/home-manager/direnv.nix index 850534d..46297b8 100644 --- a/modules/home-manager/direnv.nix +++ b/modules/home-manager/direnv.nix 
@@ -1,18 +1,30 @@ -{ config, lib, ... }: +{ config, lib, ... }: with lib; let cfg = config.custom-hm.direnv; + changeCacheDir = '' + declare -A direnv_layout_dirs + direnv_layout_dir() { + local hash path + echo "''${direnv_layout_dirs[$PWD]:=$( + hash="$(sha1sum - <<< "$PWD" | head -c40)" + path="''${PWD//[^a-zA-Z0-9]/-}" + echo "''${XDG_CACHE_HOME}/direnv/layouts/''${hash}''${path}" + )}" + } + ''; in { options.custom-hm.direnv = { enable = mkEnableOption "direnv"; }; config = { - programs = mkIf config.custom-hm.direnv.enable { + programs = mkIf cfg.enable { direnv = { enable = true; + stdlib = changeCacheDir; }; }; }; -} \ No newline at end of file +} From 08f7e3bf4adf1b2448a4ca6f7ebc01a133a117c9 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 20 Aug 2024 21:14:45 +0800 Subject: [PATCH 131/136] fix ci --- flake.nix | 162 +++++++++++++++++++++++++++--------------------------- 1 file changed, 82 insertions(+), 80 deletions(-) diff --git a/flake.nix b/flake.nix index 61a65a3..eeccc83 100644 --- a/flake.nix +++ b/flake.nix @@ -62,7 +62,8 @@ , nur , catppuccin , my-nixvim - , ... }@inputs: + , ... + }@inputs: let nixvimOverlay = (final: prev: { nixvim = self.packages.${prev.stdenv.system}.nixvim; @@ -106,6 +107,7 @@ pkgs = import nixpkgs { system = "x86_64-linux"; }; modules = [ (import ./home).${user}.${host} + overlayModule ] ++ sharedHmModules; extraSpecialArgs = { inherit inputs; 
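Review bot: `echo "''${XDG_CACHE_HOME}/direnv/layouts/''${hash}''${path}"` produces a root-relative `/direnv/layouts/...` path whenever `XDG_CACHE_HOME` is unset, which is the default on most shells, so layouts would be created outside the user's cache or fail on a read-only root. Use the XDG fallback, `echo "''${XDG_CACHE_HOME:-$HOME/.cache}/direnv/layouts/''${hash}''${path}"`, and add a one-line comment that the sha1 here is only a stable path key, not a security property. The added `with lib;` is also wider than the two helpers the file uses; `lib.mkEnableOption` and `lib.mkIf` keep the scope explicit.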
@@ -129,79 +131,79 @@ homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; colmenaHive = inputs.colmena.lib.makeHive { - meta = { - nixpkgs = import nixpkgs { - system = "x86_64-linux"; - }; - specialArgs = { - inherit inputs; - }; + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; }; - - massicot = { ... }: { - deployment.targetHost = "49.13.13.122"; - deployment.buildOnTarget = true; - - imports = [ - { nixpkgs.system = "aarch64-linux"; } - machines/massicot - ] ++ sharedColmenaModules; - }; - - tok-00 = { ... }: { - imports = [ - machines/dolomite - ] ++ sharedColmenaModules; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "tok-00"; - system.stateVersion = "23.11"; - deployment = { - targetHost = "video01.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; - }; - }; - - la-00 = { ... }: { - imports = [ - machines/dolomite - ] ++ sharedColmenaModules; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "la-00"; - system.stateVersion = "21.05"; - deployment = { - targetHost = "la-00.video.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; - }; - }; - - raspite = { ... }: { - deployment = { - targetHost = "raspite.local"; - buildOnTarget = false; - }; - nixpkgs.system = "aarch64-linux"; - imports = [ - "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - ] ++ sharedColmenaModules; - }; - - weilite = { ... }: { - imports = [ - machines/weilite - ] ++ sharedColmenaModules; - deployment = { - targetHost = "weilite.coho-tet.ts.net"; - targetPort = 22; - buildOnTarget = false; - }; - nixpkgs.system = "x86_64-linux"; + specialArgs = { + inherit inputs; }; }; + massicot = { ... }: { + deployment.targetHost = "49.13.13.122"; + deployment.buildOnTarget = true; + + imports = [ + { nixpkgs.system = "aarch64-linux"; } + machines/massicot + ] ++ sharedColmenaModules; + }; + + tok-00 = { ... 
}: { + imports = [ + machines/dolomite + ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "tok-00"; + system.stateVersion = "23.11"; + deployment = { + targetHost = "video01.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; + }; + + la-00 = { ... }: { + imports = [ + machines/dolomite + ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "la-00"; + system.stateVersion = "21.05"; + deployment = { + targetHost = "la-00.video.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; + }; + + raspite = { ... }: { + deployment = { + targetHost = "raspite.local"; + buildOnTarget = false; + }; + nixpkgs.system = "aarch64-linux"; + imports = [ + "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix + ] ++ sharedColmenaModules; + }; + + weilite = { ... }: { + imports = [ + machines/weilite + ] ++ sharedColmenaModules; + deployment = { + targetHost = "weilite.coho-tet.ts.net"; + targetPort = 22; + buildOnTarget = false; + }; + nixpkgs.system = "x86_64-linux"; + }; + }; + nixosConfigurations = { calcite = mkNixos { system = "x86_64-linux"; @@ -214,17 +216,17 @@ } // self.colmenaHive.nodes; } // flake-utils.lib.eachDefaultSystem (system: - let pkgs = nixpkgs.legacyPackages.${system}; in - { - devShells = { - default = pkgs.mkShell { - packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ]; - }; + let pkgs = nixpkgs.legacyPackages.${system}; in + { + devShells = { + default = pkgs.mkShell { + packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ]; }; + }; - packages = { - nixvim = my-nixvim.packages.${system}.default; - }; - } + packages = { + nixvim = my-nixvim.packages.${system}.default; + }; + } ); } From 899c43fbfc363385509d2a167cfd96320ae623a5 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Tue, 20 Aug 2024 21:23:59 +0800 Subject: [PATCH 132/136] bump version 20240820 --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 2f78082..12edbd9 100644 --- a/flake.lock +++ b/flake.lock @@ -450,11 +450,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1723173329, - "narHash": "sha256-r8lB8vNn0dEBD7opds4REPS4eDChcOz6ZWit4DTiSU8=", + "lastModified": 1724160083, + "narHash": "sha256-ROiCJNYSbjO45ajyTfRxp+aqvX+R1M3xwlWOLtfD0iw=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "e3fa5a239ae55cc330f8a54ed3c0738e1bcfa301", + "rev": "885d5117645517b70eb3922acfbb83226fc77dbb", "type": "github" }, "original": { @@ -492,11 +492,11 @@ }, "nur": { "locked": { - "lastModified": 1724150696, - "narHash": "sha256-FXuWhg5wD9uFaG/cBazHjmp1Gmd3rZswjaca8FqHQLU=", + "lastModified": 1724159175, + "narHash": "sha256-3z9wRL+h+gTVFtecCUGrRaW6nvPPAtBCIDE9KAmZj7c=", "owner": "nix-community", "repo": "NUR", - "rev": "ea4eb7133060e7f2079f3cc3213c6200eafc7253", + "rev": "0b86d5643d99e3982471f0d79e553871c6f35396", "type": "github" }, "original": { From 8935fe34c36494cc3e72bcd5df580e7cd977e183 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 21 Aug 2024 10:21:07 +0800 Subject: [PATCH 133/136] calcite/element-web: temporarily allow jitsi-meet - Waiting for NixOS/nixpkgs#335753 --- machines/calcite/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index a39d487..8817563 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -160,6 +160,8 @@ nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" + # FIXME: Waiting for https://github.com/NixOS/nixpkgs/pull/335753 + "jitsi-meet-1.0.8043" ]; # List packages installed in system profile. To search, run: # $ nix search wget 
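Review bot: The exception string `"jitsi-meet-1.0.8043"` is matched on the exact name-version, so the allow silently stops applying as soon as nixpkgs ships a newer jitsi-meet; that is the fail-closed behaviour you want, and the FIXME could state it so the entry is not widened later, e.g. `# FIXME: drop once https://github.com/NixOS/nixpkgs/pull/335753 lands; the exact version pin makes this exception expire on the next jitsi-meet bump`. The neighbouring `"openssl-1.1.1w"` entry carries no such tracking note, but it is not part of this change.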
From 153762ca5ba6bb73f780a252a847e7a006776789 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 21 Aug 2024 10:23:22 +0800 Subject: [PATCH 134/136] massicot/kanidm-provision: upstream force the existance of landingURL --- machines/massicot/kanidm-provision.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 374fb69..48c4c0b 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -56,7 +56,7 @@ forgejo = { displayName = "ForgeJo"; originUrl = "https://git.xinyang.life/"; - originLanding = " https://git.xinyang.life/user/oauth2/kandim"; + originLanding = "https://git.xinyang.life/user/oauth2/kandim"; allowInsecureClientDisablePkce = true; scopeMaps = { forgejo-access = [ "openid" "email" "profile" "groups" ]; @@ -65,6 +65,7 @@ gts = { displayName = "GoToSocial"; originUrl = "https://xinyang.life/"; + originLanding = "https://xinyang.life/"; allowInsecureClientDisablePkce = true; scopeMaps = { gts-users = [ "openid" "email" "profile" "groups" ]; @@ -73,6 +74,7 @@ owncloud = { displayName = "ownCloud"; originUrl = "https://home.xinyang.life:9201/"; + originLanding = "https://home.xinyang.life:9201/"; public = true; scopeMaps = { ocis-users = [ "openid" "email" "profile" ]; @@ -90,6 +92,7 @@ immich-mobile = { displayName = "Immich"; originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; + originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; allowInsecureClientDisablePkce = true; scopeMaps = { immich-users = [ "openid" "email" "profile" ]; @@ -98,6 +101,7 @@ miniflux = { displayName = "Miniflux"; originUrl = "https://rss.xinyang.life/"; + originLanding = "https://rss.xinyang.life/"; scopeMaps = { miniflux-users = [ "openid" "email" "profile" ]; }; 
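Review bot: `originLanding = "https://git.xinyang.life/user/oauth2/kandim"` keeps the auth-source name spelled `kandim`, while the Forgejo side of this series registers the source as `--name kanidm` (PATCH 136) and, as far as I know, Forgejo derives its login URL from that name (`/user/oauth2/<name>`); the corrected landing URL therefore still points at a source that does not exist. Change it to `originLanding = "https://git.xinyang.life/user/oauth2/kanidm";`. The later hunks in this patch only mirror `originUrl` into `originLanding` and need no separate note; the `forgejo` attribute set opens outside the hunk.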
@@ -105,6 +109,7 @@ grafana = { displayName = "Grafana"; originUrl = "https://grafana.xinyang.life/"; + originLanding = "https://grafana.xinyang.life/"; scopeMaps = { grafana-users = [ "openid" "email" "profile" "groups" ]; }; From 509304de03c1da502a4f63d17d0c369c7d2319cc Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 21 Aug 2024 11:05:49 +0800 Subject: [PATCH 135/136] modules/nix-conf: local mirror take precedence over official cache --- modules/nixos/common-settings/nix-conf.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/nixos/common-settings/nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix index f24dfc9..5313b9f 100644 --- a/modules/nixos/common-settings/nix-conf.nix +++ b/modules/nixos/common-settings/nix-conf.nix @@ -43,8 +43,7 @@ in ]; extra-substituters = mkIf cfg.enableMirrors [ - "https://mirrors.bfsu.edu.cn/nix-channels/store?priority=100" - "https://mirrors.ustc.edu.cn/nix-channels/store?priority=100" + "https://mirrors.cernet.edu.cn/nix-channels/store?priority=20" ]; trusted-public-keys = [ From 9a53ca1cea4bbf5b929306924a55a1f8f2589a79 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 21 Aug 2024 17:16:30 +0800 Subject: [PATCH 136/136] massicot/forgejo: provision auth --- machines/massicot/default.nix | 3 +++ machines/massicot/kanidm-provision.nix | 15 ++++++++++++ machines/massicot/secrets.yaml | 12 ++++++---- machines/massicot/services.nix | 32 ++++++++++++++++++++------ 4 files changed, 50 insertions(+), 12 deletions(-) diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index ac3ba94..bcdc5f7 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -31,6 +31,9 @@ "miniflux/oauth2_secret" = { owner = "root"; }; + "forgejo/env" = { + owner = "forgejo"; + }; }; }; diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 48c4c0b..71ca402 100644 --- a/machines/massicot/kanidm-provision.nix 
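Review bot: The `?priority=20` on `https://mirrors.cernet.edu.cn/nix-channels/store` is what makes the mirror win over cache.nixos.org (whose cache-info advertises priority 40), but nothing in the file records that, nor that the trust boundary does not move with it: a path from the mirror is still accepted only when its signature matches a key in `trusted-public-keys`, so the worst a stale or compromised mirror can do is fail to serve a path. Add `# lower number wins: 20 beats cache.nixos.org's 40. Integrity still comes from trusted-public-keys; the mirror is only a nearer copy` above the URL. The enclosing attribute set opens outside the hunk.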
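Review bot: `owner = "forgejo";` hard-codes the service account, while the consumer in services.nix refers to it as `config.services.forgejo.user`; if the module's user name ever changes, the secret file is owned by a non-existent account and the `EnvironmentFile` read fails at service start. Use `owner = config.services.forgejo.user;` here as well, assuming `config` is in scope in this file. Leaving the sops default mode (0400) untouched is right for an env file that carries a client secret.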
+++ b/machines/massicot/kanidm-provision.nix @@ -5,6 +5,9 @@ forgejo-access = { members = [ "xin" ]; }; + forgejo-admin = { + members = [ "xin" ]; + }; gts-users = { members = [ "xin" ]; }; @@ -35,6 +38,9 @@ miniflux-users = { members = [ "xin" ]; }; + idm_people_self_mail_write = { + members = [ ]; + }; }; persons = { xin = { @@ -61,6 +67,15 @@ scopeMaps = { forgejo-access = [ "openid" "email" "profile" "groups" ]; }; + claimMaps = { + forgejo_role = { + joinType = "array"; + valuesByGroup = { + forgejo-access = [ "Access" ]; + forgejo-admin = [ "Admin" ]; + }; + }; + }; }; gts = { displayName = "GoToSocial"; diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index b5ca7fe..cc3fd7f 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml 
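Review bot: `idm_people_self_mail_write = { members = [ ]; }` provisions a built-in Kanidm group with an empty member list and nothing says why; the reason appears to be that Forgejo in this same series uses `ACCOUNT_LINKING = "auto"` and `USERNAME = "email"`, so a person able to edit their own mail attribute could be matched to another user's Forgejo account, and emptying this group removes that capability. Put that next to the entry, e.g. `# intentionally empty: Forgejo links accounts by the email claim, so people must not be able to change their own mail`, so a later cleanup does not treat it as dead config. Whether kanidm-provision actually overrides the built-in membership of this group is not visible here and is worth confirming.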
@@ -1,9 +1,11 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] -gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str] +gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str] hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] -grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str] +grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str] miniflux: - oauth2_secret: ENC[AES256_GCM,data:Q0JeT5VHGEDATXB9jf5+eU1Hoi9FsJrw6IK2T0bodvVgki+1oF+sWld5NGpoiXm/bQ==,iv:e8+84Zk5eXNIyIPhTG8jFhO+DCRorPFG0lDDNT4OxCs=,tag:IxlyFBcFaSy7Nz0aQCH3bw==,type:str] + oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str] +forgejo: + env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str] sops: 
kms: [] gcp_kms: [] @@ -28,8 +30,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-05T08:53:56Z" - mac: ENC[AES256_GCM,data:DtAL9k/t4pGV2UqCrb1R/1nT3gjJ8wced5yQOF5oneoncg/uuyX7IDZ0iZz0eGirj9Zadh9UQWNwxMzoiNu6pD1v04MkxT0NVDJ32vt5X+YDQJ60vRJjn9+zKvLk8Esx9sFsuBxjVXXmbtev7+djU+LbpPLfaobdheO2XlJXtdU=,iv:y2KI5ylgvuQ7ktYAr6XPEX3qyxnSP7BWC79mdsr4hgk=,tag:cvXvXeKvRwvttgQfmZRi2w==,type:str] + lastmodified: "2024-08-21T05:54:31Z" + mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 96ede16..3137765 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -142,6 +142,8 @@ in services.forgejo = { enable = true; + # Use cutting edge instead of lts + package = pkgs.forgejo; repositoryRoot = "/mnt/storage/forgejo/repositories"; lfs = { enable = true; @@ -151,11 +153,10 @@ in service.DISABLE_REGISTRATION = true; server = { ROOT_URL = "https://git.xinyang.life/"; - START_SSH_SERVER = true; - BUILTIN_SSH_SERVER_USER = "git"; - SSH_USER = "git"; + START_SSH_SERVER = false; + SSH_USER = config.services.forgejo.user; SSH_DOMAIN = "ssh.xinyang.life"; - SSH_PORT = 2222; + SSH_PORT = 22; LFS_MAX_FILE_SIZE = 10737418240; LANDING_PAGE = "/explore/repos"; }; 
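Review bot: Besides the new `forgejo.env` entry, the ciphertexts of `gts_env`, `grafana_oauth_secret` and `miniflux.oauth2_secret` also change in this hunk, yet the subject only mentions provisioning Forgejo auth, so a reader cannot tell whether those three secrets were rotated or merely re-encrypted on save. If they were rotated, say so in the commit message so the old values are known to be revoked; if not, re-saving unrelated keys is worth avoiding because it hides real rotations in the history. The `sops` metadata block continues past this hunk.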
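Review bot: `START_SSH_SERVER = false;` together with `SSH_PORT = 22;` moves git-over-SSH from Forgejo's built-in server to the system sshd, so key lookup now depends on sshd accepting logins for `config.services.forgejo.user` and reading the authorized_keys Forgejo maintains for that account; nothing in this change touches `services.openssh`, so if that daemon restricts users (`AllowUsers`/`AllowGroups`) or disables public-key auth elsewhere, pushes will be locked out without any error in this file. A comment on the `START_SSH_SERVER` line, `# git-over-SSH is served by the system sshd on :22 via forgejo's authorized_keys; the built-in server stays off`, would make the dependency visible. Dropping `BUILTIN_SSH_SERVER_USER` in the same hunk is consistent with that switch.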
@@ -166,13 +167,14 @@ in
 ENABLE_BASIC_AUTHENTICATION = false;
 };
 oauth2 = {
- ENABLE = false; # Disable forgejo as oauth2 provider
+ ENABLED = false; # Disable forgejo as oauth2 provider
 };
 oauth2_client = {
 ACCOUNT_LINKING = "auto";
+ USERNAME = "email";
 ENABLE_AUTO_REGISTRATION = true;
- UPDATE_AVATAR = true;
- OPENID_CONNECT_SCOPES = "openid profile email";
+ UPDATE_AVATAR = false;
+ OPENID_CONNECT_SCOPES = "openid profile email groups";
 };
 other = {
 SHOW_FOOTER_VERSION = false;
@@ -180,6 +182,22 @@ in
 };
 };
 
+ systemd.services.forgejo = {
+ serviceConfig = {
+ EnvironmentFile = config.sops.secrets."forgejo/env".path;
+ ExecStartPost = ''
+ ${lib.getExe config.services.forgejo.package} admin auth update-oauth \
+ --id 1 \
+ --name kanidm \
+ --provider openidConnect \
+ --key forgejo \
+ --secret $CLIENT_SECRET \
+ --icon-url https://auth.xinyang.life/pkg/img/favicon.png \
+ --group-claim-name forgejo_role --admin-group Admin
+ '';
+ };
+ };
+
 services.grafana = {
 enable = true;
 settings = {
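Review bot: `USERNAME = "email";` derives the Forgejo handle from the IdP's email claim, and combined with the existing `ACCOUNT_LINKING = "auto"` (which, as I read Forgejo's docs, attaches a login to an existing account with the same address) and `ENABLE_AUTO_REGISTRATION = true`, that claim now decides which account a login lands in; this is only safe while Kanidm users cannot edit their own mail attribute and the address is reported as verified, neither of which this file records. Add above the line `# accounts are matched and linked by the IdP email claim; relies on Kanidm users not being able to edit their own mail (see kanidm-provision.nix)`. The `ENABLE` to `ENABLED` rename in the same hunk deserves a sentence in the commit message, since the misspelt key meant the previous config never actually disabled the provider.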
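Review bot: `--secret $CLIENT_SECRET` passes the OIDC client secret on the argument list, so for the lifetime of the `admin auth update-oauth` process it is readable from `/proc/<pid>/cmdline` by every local account and shows up in any process listing or audit log captured while it runs; the `EnvironmentFile` already delivers it as a variable, so the secret should stay out of argv if the forgejo CLI offers a file- or environment-based option, and otherwise the exposure deserves a comment on that line. `--id 1` also assumes the Kanidm auth source already exists with that id: on a fresh host `update-oauth` fails and, because `ExecStartPost` is not prefixed with `-`, systemd marks the forgejo service itself as failed; creating the source with `admin auth add-oauth` when it is absent, or resolving the id from `admin auth list`, would make the step safe to run on every start. The backslash-continued lines inside the `''` string rely on systemd's unit-file line continuation, which works but is worth a short comment for the next reader.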