diff --git a/machines/agate/default.nix b/machines/agate/default.nix index 1f6dbff..59c65ca 100644 --- a/machines/agate/default.nix +++ b/machines/agate/default.nix @@ -106,12 +106,6 @@ in nixpkgs.config.contentAddressedByDefault = true; nixpkgs.overlays = [ fix-folly-build ]; - services.tailscale = { - enable = true; - openFirewall = true; - permitCertUid = "caddy"; - }; - custom.prometheus.exporters = { enable = true; blackbox = { diff --git a/machines/agate/services/minio.nix b/machines/agate/services/minio.nix new file mode 100644 index 0000000..07d4987 --- /dev/null +++ b/machines/agate/services/minio.nix @@ -0,0 +1,6 @@ +{ + services.minio = { + enable = true; + region = "ap-east-1"; + }; +} diff --git a/machines/baryte/default.nix b/machines/baryte/default.nix index 1add92a..c4e2936 100644 --- a/machines/baryte/default.nix +++ b/machines/baryte/default.nix @@ -13,7 +13,6 @@ }; services.openssh.enable = true; - services.tailscale.enable = true; time.timeZone = "Asia/Shanghai"; }; } diff --git a/machines/baryte/hardware-configuration.nix b/machines/baryte/hardware-configuration.nix new file mode 100644 index 0000000..8328e1c --- /dev/null +++ b/machines/baryte/hardware-configuration.nix @@ -0,0 +1,20 @@ +{ config, modulesPath, ... }: +{ + imports = [ ]; + + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/vda"; + content = { + type = "gpt"; + partitions = { + boot = config.diskPartitions.grubMbr; + root = config.diskPartitions.btrfs; + }; + }; + }; + }; + }; +} diff --git a/machines/biotite/default.nix b/machines/biotite/default.nix index e643950..6b27160 100644 --- a/machines/biotite/default.nix +++ b/machines/biotite/default.nix 
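Review bot: `services.minio` is enabled with only `region` set, so the module's `rootCredentialsFile` stays at its default and, as far as I know, MinIO then starts with its built-in default root credentials while the default `listenAddress`/`consoleAddress` bind all interfaces on 9000/9001. Since this commit already wires sops-managed secrets for tailscale, point `services.minio.rootCredentialsFile` at a sops secret in the same way, and either set `listenAddress`/`consoleAddress` to a specific address or make the firewall rule explicit. Note that the same commit stops trusting the tailscale interface in the common network module, so reachability of this service from the tailnet now depends on explicit port rules rather than on `trustedInterfaces`.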
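Review bot: `imports = [ ];` is an empty no-op and `modulesPath` is bound in the argument set but never used; dropping both (`{ config, ... }:`) keeps the file honest about what it depends on. `device = "/dev/vda"` together with the `grubMbr` boot partition reads as a VM-specific layout, and a one-line comment saying so would help whoever copies this file for another host.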
@@ -40,19 +40,6 @@ comin.enable = true; }; - custom.monitoring = { - promtail.enable = true; - }; - - custom.prometheus.exporters = { - enable = true; - node.enable = true; - }; - - services.tailscale.enable = true; - - services.caddy.enable = true; - sops = { defaultSopsFile = ./secrets.yaml; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 6438977..5a68e26 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -17,19 +17,8 @@ }; }; - services.tailscale = { - enable = true; - extraUpFlags = [ "--accept-routes" ]; - }; - # Open ports in the firewall. networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ 3389 ]; - networking.firewall.allowedUDPPorts = [ - 3389 - 41641 - ]; - networking.firewall.trustedInterfaces = [ "tailscale0" ]; # Use nftables to manager firewall networking.nftables.enable = true; diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix index 322786f..7c6af56 100644 --- a/machines/dolomite/common.nix +++ b/machines/dolomite/common.nix @@ -33,8 +33,6 @@ promtail.enable = true; }; - services.tailscale.enable = true; - commonSettings = { auth.enable = true; comin.enable = true; diff --git a/machines/osmium/default.nix b/machines/osmium/default.nix index ad6dd10..82717ed 100644 --- a/machines/osmium/default.nix +++ b/machines/osmium/default.nix @@ -139,11 +139,6 @@ }; }; - services.tailscale = { - enable = true; - extraSetFlags = [ - "--advertise-routes=10.1.1.0/24" - ]; - }; + services.tailscale.extraSetFlags = [ "--advertise-routes=10.1.1.0/24" ]; }; } diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 4173275..e0770a6 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix 
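Review bot: Besides the tailscale block, this hunk drops `networking.firewall.allowedTCPPorts = [ 3389 ]`, the UDP 3389/41641 entries and `trustedInterfaces = [ "tailscale0" ]`; the new common module covers 41641 through `openFirewall = true`, but nothing in the commit re-opens 3389, and the module also removes the tailscale interface from `trustedInterfaces`, so RDP on calcite would be blocked from the tailnet as well. If RDP is no longer used on this host that is fine and worth a word in the commit message; otherwise keep `networking.firewall.allowedTCPPorts = [ 3389 ];` and the matching UDP entry here. The enclosing attribute set starts outside the hunk.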
@@ -12,6 +12,8 @@ nix.enable = true; auth.enable = true; comin.enable = true; + network.enableProxy = false; + serverComponents.enable = true; }; nixpkgs.overlays = [ @@ -36,15 +38,4 @@ }; time.timeZone = "Asia/Shanghai"; - - # fileSystems."/".fsType = lib.mkForce "btrfs"; - boot.supportedFilesystems.zfs = lib.mkForce false; - - services.dae.enable = false; - - services.tailscale = { - enable = true; - permitCertUid = config.services.caddy.user; - openFirewall = true; - }; } diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 03a6178..9bb399f 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -3,6 +3,8 @@ prometheus: metrics_password: ENC[AES256_GCM,data:qGbdk5tRmBw1rYHkmid87w==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:+cVF89YF35hA+fPvEQNgHA==,type:str] dae: sub: ENC[AES256_GCM,data:wCv8je47gBa2bb2aWCbUYHIuxGxkXUfJUvogwviYUNJJZJCdL5Q2qJX+tXOL4JRkzicRzFfiPEa3rcYIfoB6DC7caDPevpepHtTENzI3YKppiz0KIXedUWr+,iv:iMhxWb0IR+3jOP2+7GmQTe0Ia1yhycji4hcTTMK57GI=,tag:e8X4PTiY/60W6XbFLOmSBQ==,type:str] +tailscale: + authkey: ENC[AES256_GCM,data:GKfhg4Co1us4UQ6Jn3KT85OrIIVDd8aJmv8hmhtLZnAM4McxPmpVZ1tnYu7GIfKdqgCQqEl+lgS0xlV+qA==,iv:qugnzLpCZqHyRnJaP0tS2y5R5i0lrhm9PnIuG3kiGqE=,tag:KV/fcG4rceG4AHCzFEoksg==,type:str] sops: age: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c 
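Review bot: The second raspite hunk removes `boot.supportedFilesystems.zfs = lib.mkForce false` and `services.dae.enable = false` along with the tailscale block, and nothing visible in the commit replaces them. The dae line is plausibly covered now by `network.enableProxy = false` from the first hunk, but the ZFS override had nothing to do with tailscale; if the Pi kernel still cannot build the zfs module, restore `boot.supportedFilesystems.zfs = lib.mkForce false;`, or add a comment explaining why it is no longer needed. The enclosing attribute set starts outside the hunk.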
@@ -95,7 +97,7 @@ sops: MHJubDlRVW40TDVJNnNqQktKcGVVYWcK1nCRXYjyLpNdj2Mnjgop5R6DSpRUSxDT VstIwZiQgACPKcP7H2dFSPNDaaAH1YqZzqr7ILLV6jYRApZFte/SRw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-01T16:16:05Z" - mac: ENC[AES256_GCM,data:sXZm1YVBaF//vU5Vtou4HOvKMZ9L6i9YCH6DASiEE6VQYQ6aN3RI5bf25c9C4Lx7ARxsqCFz1pUVGiSd6AIAx1swSZHwC0nRz77GW9B8S1Gn+uyvVdbhP7xYfJ3XP8jFPJetKQLYIIynjdT7uUA833ZydmtaUC85j+Kmw7aEIoQ=,iv:rXkqJqJX43bLxrjT19mP4qO/fpZboVLN3nbQ7RrJWto=,tag:5ZPThu4YCT0K8GJMmYK6Yg==,type:str] + lastmodified: "2025-05-09T01:56:54Z" + mac: ENC[AES256_GCM,data:wZXKzRD+2I0mQoSOu3Xj8uzsSV7rK7wg+GjlzFqbP3qWd5DWSa1wmHuC9xBe3GRNps5L7vopGwngnFXbXu6tlsYuWUhSV/r7lh/wnrXKNlrt5qkWCpL3nXoYqkby+QzFG5ykCYOTsiMg31JYcbobO0kdNNjK0thKqLdFS7YBZig=,iv:O0Rccf08B27bfikTjQ2h+x6rbMUSqUSOSB3jW3Y4MJA=,tag:jBvzVKZgilzmUKQ6M+psAA==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.10.2 diff --git a/machines/thorite/default.nix b/machines/thorite/default.nix index 2ea7cf4..a7254af 100644 --- a/machines/thorite/default.nix +++ b/machines/thorite/default.nix @@ -31,8 +31,6 @@ 443 ]; - services.tailscale.enable = true; - services.caddy.enable = true; commonSettings = { diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 2a568c6..fe6edb1 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -133,12 +133,6 @@ ]; }; - services.tailscale = { - enable = true; - openFirewall = true; - permitCertUid = "caddy"; - }; - services.tailscale.derper = { enable = true; domain = "derper00.namely.icu"; diff --git a/modules/nixos/common-settings/network.nix b/modules/nixos/common-settings/network.nix index a7175e1..535fa74 100644 --- a/modules/nixos/common-settings/network.nix +++ b/modules/nixos/common-settings/network.nix @@ -1,4 +1,9 @@ -{ config, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let inherit (lib) mkEnableOption mkOption mkIf; inherit (config.my-lib.settings) 
@@ -16,87 +21,138 @@ in default = 100; }; }; + tailscale = { + enable = mkEnableOption "Tailscale client" // { + default = true; + }; + before = mkOption { + default = [ ]; + type = lib.types.listOf lib.types.string; + }; + }; }; - config = { - networking.resolvconf = mkIf cfg.localdns.enable { - enable = true; - dnsExtensionMechanism = false; - # We should disable local resolver if dae is enabled - # to let dns traffic go through dae - useLocalResolver = !config.commonSettings.network.enableProxy; - }; + config = lib.mkMerge [ + (mkIf cfg.tailscale.enable { + sops = mkIf config.commonSettings.network.enableProxy { + secrets = { + "tailscale/authkey" = { + sopsFile = ../../../machines/secrets.yaml; + owner = config.systemd.services.tailscale.user; + }; + }; + }; - services.resolved.enable = mkIf cfg.localdns.enable false; + services.tailscale = { + enable = true; + openFirewall = true; + permitCertUid = mkIf config.services.caddy.enable config.services.caddy.user; + extraUpFlags = [ "--accept-routes" ] ++ (lib.optional cfg.localdns.enable "--accept-dns=false"); + authKeyFile = config.sops.secrets."tailscale/authkey".path; + }; + commonSettings.network.tailscale.before = ( + lib.optional config.services.caddy.enable "caddy.service" + ); - networking.firewall.trustedInterfaces = [ - config.services.tailscale.interfaceName - ]; - services.tailscale = mkIf cfg.localdns.enable { - extraUpFlags = [ "--accept-dns=false" ]; - }; - - services.kresd = mkIf cfg.localdns.enable { - enable = true; - listenPlain = [ "127.0.0.1:53" ]; - listenTLS = [ "127.0.0.1:853" ]; - extraConfig = - let - listToLuaTable = - x: - lib.pipe x [ - (builtins.split "\n") - (builtins.filter (s: s != [ ] && s != "")) - (lib.strings.concatMapStrings (x: "'${x}',")) + systemd.services.tailscaled.before = cfg.tailscale.before; + systemd.services.tailscaled.serviceConfig.ExecStartPost = + pkgs.writers.writePython3 "tailscale-wait-online" + { + flakeIgnore = [ + "E401" # import on one line + "E501" # line 
length limit ]; - chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt); - globalSettings = '' - log_level("notice") - modules = { 'hints > iterate', 'stats', 'predict' } - cache.size = ${toString cfg.localdns.cacheSize} * MB - trust_anchors.remove(".") + } + '' + import subprocess, json, time + + for _ in range(30): + status = json.loads( + subprocess.run( + ["${lib.getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True + ).stdout + )["Self"]["Online"] + if status: + exit(0) + time.sleep(1) + + exit(1) ''; - tsSettings = '' - internalDomains = policy.todnames({'${internalDomain}'}) - policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains)) - ''; - proxySettings = '' - policy.add(policy.domains( - policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }), - { todname('hk-00.namely.icu') })) - policy.add(policy.domains( - policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }), - { todname('la-00.namely.icu') })) - policy.add(policy.domains( - policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }), - { todname('fra-00.namely.icu') })) - ''; - mainlandSettings = '' - chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}}) - policy.add(policy.suffix(policy.TLS_FORWARD({ - { "223.5.5.5", hostname="dns.alidns.com" }, - { "223.6.6.6", hostname="dns.alidns.com" }, - }), chinaDomains)) - policy.add(policy.all(policy.TLS_FORWARD({ - { "8.8.8.8", hostname="dns.google" }, - { "8.8.4.4", hostname="dns.google" }, - }))) - ''; - overseaSettings = '' - policy.add(policy.all(policy.TLS_FORWARD({ - { "8.8.8.8", hostname="dns.google" }, - { "8.8.4.4", hostname="dns.google" }, - }))) - ''; - in - globalSettings - + (if config.services.tailscale.enable then tsSettings else "") - + ( - if config.commonSettings.network.enableProxy then - proxySettings + mainlandSettings - else - overseaSettings - ); - }; - }; + + }) + 
+ (mkIf cfg.localdns.enable { + networking.resolvconf = { + enable = true; + dnsExtensionMechanism = false; + # We should disable local resolver if dae is enabled + # to let dns traffic go through dae + useLocalResolver = !config.commonSettings.network.enableProxy; + }; + services.resolved.enable = false; + + services.kresd = { + enable = true; + listenPlain = [ "127.0.0.1:53" ]; + listenTLS = [ "127.0.0.1:853" ]; + extraConfig = + let + listToLuaTable = + x: + lib.pipe x [ + (builtins.split "\n") + (builtins.filter (s: s != [ ] && s != "")) + (lib.strings.concatMapStrings (x: "'${x}',")) + ]; + chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt); + globalSettings = '' + log_level("notice") + modules = { 'hints > iterate', 'stats', 'predict' } + cache.size = ${toString cfg.localdns.cacheSize} * MB + trust_anchors.remove(".") + ''; + tsSettings = '' + internalDomains = policy.todnames({'${internalDomain}'}) + policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains)) + ''; + proxySettings = '' + policy.add(policy.domains( + policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }), + { todname('hk-00.namely.icu') })) + policy.add(policy.domains( + policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }), + { todname('la-00.namely.icu') })) + policy.add(policy.domains( + policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }), + { todname('fra-00.namely.icu') })) + ''; + mainlandSettings = '' + chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}}) + policy.add(policy.suffix(policy.TLS_FORWARD({ + { "223.5.5.5", hostname="dns.alidns.com" }, + { "223.6.6.6", hostname="dns.alidns.com" }, + }), chinaDomains)) + policy.add(policy.all(policy.TLS_FORWARD({ + { "8.8.8.8", hostname="dns.google" }, + { "8.8.4.4", hostname="dns.google" }, + }))) + ''; + overseaSettings = '' + policy.add(policy.all(policy.TLS_FORWARD({ + { "8.8.8.8", hostname="dns.google" 
}, + { "8.8.4.4", hostname="dns.google" }, + }))) + ''; + in + globalSettings + + (if config.services.tailscale.enable then tsSettings else "") + + ( + if config.commonSettings.network.enableProxy then + proxySettings + mainlandSettings + else + overseaSettings + ); + }; + }) + ]; } diff --git a/modules/nixos/monitor/exporters.nix b/modules/nixos/monitor/exporters.nix index 5e75975..81b4a9d 100644 --- a/modules/nixos/monitor/exporters.nix +++ b/modules/nixos/monitor/exporters.nix @@ -11,35 +11,9 @@ let in { config = { - systemd.services.tailscaled.before = + commonSettings.network.tailscale.before = (lib.optional cfg.node.enable "prometheus-node-exporters.service") - ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service") - ++ (lib.optional config.services.caddy.enable "caddy.service"); - - systemd.services.tailscaled.serviceConfig.ExecStartPost = - pkgs.writers.writePython3 "tailscale-wait-online" - { - flakeIgnore = [ - "E401" # import on one line - "E501" # line length limit - ]; - } - '' - import subprocess, json, time - - for _ in range(30): - status = json.loads( - subprocess.run( - ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True - ).stdout - )["Self"]["Online"] - if status: - exit(0) - time.sleep(1) - - exit(1) - ''; - + ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service"); services.prometheus.exporters.node = mkIf cfg.node.enable { enable = true; enabledCollectors = [ 
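Review bot: `authKeyFile = config.sops.secrets."tailscale/authkey".path` is set unconditionally, but the secret is declared only under `sops = mkIf config.commonSettings.network.enableProxy`, so a host with the default-enabled client and `enableProxy = false` (raspite sets exactly that in this commit) should fail evaluation with a missing-attribute error unless the secret is declared elsewhere; either drop the `mkIf` on the `sops` block or gate the key the same way, `authKeyFile = mkIf config.commonSettings.network.enableProxy config.sops.secrets."tailscale/authkey".path;`. The secret's `owner = config.systemd.services.tailscale.user` also looks off: the unit is `tailscaled` (as the same hunk uses a few lines later) and I am not aware of a `user` attribute on NixOS systemd service submodules — tailscaled runs as root by default, so `owner` can probably be omitted; worth confirming on a proxy host. `lib.types.listOf lib.types.string` should be `lib.types.listOf lib.types.str`, since `types.string` is deprecated and warns. The old `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` is removed without replacement, so tailnet peers now only reach explicitly opened ports; if that tightening is intended, a one-line comment saying so would save the next reader a search.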
@@ -122,26 +96,6 @@ in services.ntfy-sh.settings.enable-metrics = true; - services.caddy.globalConfig = '' - servers { - metrics - } - - admin unix//var/run/caddy/admin.sock { - origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019 - } - ''; - - systemd.services.caddy.serviceConfig = { - RuntimeDirectory = "caddy"; - RuntimeDirectoryMode = "0700"; - }; - - services.tailscale = { - permitCertUid = config.services.caddy.user; - openFirewall = true; - }; - services.caddy = { virtualHosts."https://${config.networking.hostName}.coho-tet.ts.net:2019".extraConfig = '' handle /metrics {