dolomite: drop tok-00, add fre-00

2024-11-26 17:36:16 +08:00 · 2024-11-26 17:36:16 +08:00 · 1c40bbc98f
commit 1c40bbc98f
parent 5b19d8a97e
11 changed files with 151 additions and 286 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,11 +3,11 @@ keys:
  - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
  - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
  - &host-sgp-00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
-  - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
  - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
  - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
  - &host-weilite age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
  - &host-hk-00 age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
+  - &host-fra-00 age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
 creation_rules:
  - path_regex: machines/calcite/secrets.yaml
    key_groups:
@ -29,19 +29,14 @@ creation_rules:
    - age:
      - *xin
      - *host-sgp-00
-      - *host-tok-00
      - *host-la-00
      - *host-hk-00
+      - *host-fra-00
  - path_regex: machines/dolomite/secrets/sgp-00.yaml
    key_groups:
    - age:
      - *xin
      - *host-sgp-00
-  - path_regex: machines/dolomite/secrets/tok-00.yaml
-    key_groups:
-    - age:
-      - *xin
-      - *host-tok-00
  - path_regex: machines/dolomite/secrets/la-00.yaml
    key_groups:
    - age:
@ -52,6 +47,12 @@ creation_rules:
    - age:
      - *xin
      - *host-hk-00
+
+  - path_regex: machines/dolomite/secrets/fra-00.yaml
+    key_groups:
+    - age:
+      - *xin
+      - *host-fra-00
  - path-regex: machines/weilite/secrets.yaml
    key_groups:
    - age:
@ -64,7 +65,6 @@ creation_rules:
      - *host-calcite
      - *host-raspite
      - *host-sgp-00
-      - *host-tok-00
      - *host-la-00
      - *host-hk-00
      - *host-massicot
--- a/flake.nix
+++ b/flake.nix
@ -116,6 +116,10 @@
          ./machines/dolomite/lightsail.nix
          ./machines/dolomite/common.nix
        ];
+        fra-00 = [
+          ./machines/dolomite/fra.nix
+          ./machines/dolomite/common.nix
+        ];
        osmium = [
          ./machines/osmium
        ];
@ -229,6 +233,20 @@
            };
          };

+        fra-00 =
+          { ... }:
+          {
+            imports = nodeNixosModules.fra-00 ++ sharedColmenaModules;
+            nixpkgs.system = "x86_64-linux";
+            networking.hostName = "fra-00";
+            system.stateVersion = "24.05";
+            deployment = {
+              targetHost = "fra-00.video.namely.icu";
+              buildOnTarget = false;
+              tags = [ "proxy" ];
+            };
+          };
+
        raspite =
          { ... }:
          {
--- a/machines/dolomite/common.nix
+++ b/machines/dolomite/common.nix
@ -23,7 +23,7 @@
    };

    custom.prometheus = {
-      enable = true;
+      enable = lib.mkDefault true;
      exporters.blackbox.enable = true;
    };

--- a/machines/dolomite/ec2-metadata-fetcher.sh
+++ b/machines/dolomite/ec2-metadata-fetcher.sh
@ -1,66 +0,0 @@
-metaDir=/etc/ec2-metadata
-mkdir -m 0755 -p "$metaDir"
-rm -f "$metaDir/*"
-
-get_imds_token() {
-  # retry-delay of 1 selected to give the system a second to get going,
-  # but not add a lot to the bootup time
-  curl \
-    --silent \
-    --show-error \
-    --retry 3 \
-    --retry-delay 1 \
-    --fail \
-    -X PUT \
-    --connect-timeout 1 \
-    -H "X-aws-ec2-metadata-token-ttl-seconds: 600" \
-    http://169.254.169.254/latest/api/token
-}
-
-preflight_imds_token() {
-  # retry-delay of 1 selected to give the system a second to get going,
-  # but not add a lot to the bootup time
-  curl \
-    --silent \
-    --show-error \
-    --retry 3 \
-    --retry-delay 1 \
-    --fail \
-    --connect-timeout 1 \
-    -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
-    -o /dev/null \
-    http://169.254.169.254/1.0/meta-data/instance-id
-}
-
-try=1
-while [ $try -le 3 ]; do
-  echo "(attempt $try/3) getting an EC2 instance metadata service v2 token..."
-  IMDS_TOKEN=$(get_imds_token) && break
-  try=$((try + 1))
-  sleep 1
-done
-
-if [ "x$IMDS_TOKEN" == "x" ]; then
-  echo "failed to fetch an IMDS2v token."
-fi
-
-try=1
-while [ $try -le 10 ]; do
-  echo "(attempt $try/10) validating the EC2 instance metadata service v2 token..."
-  preflight_imds_token && break
-  try=$((try + 1))
-  sleep 1
-done
-
-echo "getting EC2 instance metadata..."
-
-get_imds() {
-  # --fail to avoid populating missing files with 404 HTML response body
-  # || true to allow the script to continue even when encountering a 404
-  curl --silent --show-error --fail --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@" || true
-}
-
-get_imds -o "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path
-(umask 077 && get_imds -o "$metaDir/user-data" http://169.254.169.254/1.0/user-data)
-get_imds -o "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname
-get_imds -o "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
--- a/machines/dolomite/fra.nix
+++ b/machines/dolomite/fra.nix
@ -0,0 +1,62 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-co
+# and may be overwritten by future invocations.  Please make chang
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 2 * 1024;
+    }
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+    "ahci"
+    "ata_piix"
+    "virtio_pci"
+    "xen_blkfront"
+    "vmw_pvscsi"
+  ];
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+  };
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/sda1";
+    fsType = "ext4";
+  };
+
+  networking.useNetworkd = true;
+  systemd.network.enable = true;
+  systemd.network.networks."10-wan" = {
+    matchConfig.MACAddress = "00:16:3c:d2:7b:64";
+    networkConfig = {
+      DHCP = "no";
+      Gateway = "185.217.108.1";
+    };
+    address = [ "185.217.108.59/24" ];
+  };
+
+  custom.prometheus.enable = false;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/machines/dolomite/lightsail.nix
+++ b/machines/dolomite/lightsail.nix
@ -1,114 +0,0 @@
-{
-  config,
-  pkgs,
-  modulesPath,
-  ...
-}:
-let
-  cfg = config.ec2;
-in
-{
-  imports = [
-    "${modulesPath}/profiles/headless.nix"
-    # Note: While we do use the headless profile, we also explicitly
-    # turn on the serial console on ttyS0 below. This is because
-    # AWS does support accessing the serial console:
-    # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
-    "${modulesPath}/virtualisation/ec2-data.nix"
-    "${modulesPath}/virtualisation/amazon-init.nix"
-  ];
-
-  config = {
-    boot.loader.grub.device = "/dev/nvme0n1";
-
-    # from nixpkgs amazon-image.nix
-    assertions = [ ];
-
-    boot.growPartition = true;
-
-    fileSystems."/" = {
-      device = "/dev/disk/by-label/nixos";
-      fsType = "ext4";
-      autoResize = true;
-    };
-
-    fileSystems."/boot" = {
-      # The ZFS image uses a partition labeled ESP whether or not we're
-      # booting with EFI.
-      device = "/dev/disk/by-label/ESP";
-      fsType = "vfat";
-    };
-
-    swapDevices = [
-      {
-        device = "/var/lib/swapfile";
-        size = 4 * 1024;
-      }
-    ];
-
-    boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
-    boot.initrd.kernelModules = [ "xen-blkfront" ];
-    boot.initrd.availableKernelModules = [ "nvme" ];
-    boot.kernelParams = [
-      "console=ttyS0,115200n8"
-      "random.trust_cpu=on"
-    ];
-
-    # Prevent the nouveau kernel module from being loaded, as it
-    # interferes with the nvidia/nvidia-uvm modules needed for CUDA.
-    # Also blacklist xen_fbfront to prevent a 30 second delay during
-    # boot.
-    boot.blacklistedKernelModules = [
-      "nouveau"
-      "xen_fbfront"
-    ];
-
-    boot.loader.grub.efiSupport = cfg.efi;
-    boot.loader.grub.efiInstallAsRemovable = cfg.efi;
-    boot.loader.timeout = 1;
-    boot.loader.grub.extraConfig = ''
-      serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
-      terminal_output console serial
-      terminal_input console serial
-    '';
-
-    systemd.services.fetch-ec2-metadata = {
-      wantedBy = [ "multi-user.target" ];
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" ];
-      path = [ pkgs.curl ];
-      script = builtins.readFile ./ec2-metadata-fetcher.sh;
-      serviceConfig.Type = "oneshot";
-      serviceConfig.StandardOutput = "journal+console";
-    };
-
-    # Amazon-issued AMIs include the SSM Agent by default, so we do the same.
-    # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html
-    services.amazon-ssm-agent.enable = true;
-
-    # Allow root logins only using the SSH key that the user specified
-    # at instance creation time.
-    services.openssh.enable = true;
-    services.openssh.settings.PermitRootLogin = "prohibit-password";
-
-    # Enable the serial console on ttyS0
-    systemd.services."serial-getty@ttyS0".enable = true;
-
-    # Creates symlinks for block device names.
-    services.udev.packages = [ pkgs.amazon-ec2-utils ];
-
-    # Force getting the hostname from EC2.
-    # networking.hostName = mkDefault "";
-
-    # Always include cryptsetup so that Charon can use it.
-    environment.systemPackages = [ pkgs.cryptsetup ];
-
-    # EC2 has its own NTP server provided by the hypervisor
-    services.timesyncd.enable = true;
-    services.timesyncd.servers = [ "169.254.169.123" ];
-
-    # udisks has become too bloated to have in a headless system
-    # (e.g. it depends on GTK).
-    services.udisks2.enable = false;
-  };
-}
--- a/machines/dolomite/secrets/fra-00.yaml
+++ b/machines/dolomite/secrets/fra-00.yaml
@ -0,0 +1,31 @@
+wg_private_key: ENC[AES256_GCM,data:wKZfXvNLh578VpWRkEGRiyDqEgJ9nHMGbliDP/FhX3ZqrPFLwuSF4D4tQgw=,iv:EU6OkblWfWuC7CPW0U0peYY6171TnhljqnszQhVJTFw=,tag:CBrZRXDSKYoqbx5x7wQ1Ew==,type:str]
+wg_ipv6_local_addr: ENC[AES256_GCM,data:A6oUJngb1sOAAVTbgeceEgTd3Ejs5WM4GmXLvJBif5nbQSgU67EHZpDv,iv:Yf9063C784jPjJICee/YEj6fgl357G9yfkz0haHJGss=,tag:++LbjP8AI0HdS/9rtMYDDg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBud0JBa3A0VTk5SHhpK0tq
+            THZEWkY0Yk1CNjVVOGVOckRncEJUT2MxdW13ClQ1ZXV1bVRTNnUvVVBmbVhTZ3Fa
+            Wm1iTDRYOUJ2MW04dkNlemxzdGk5ZXcKLS0tIEZpNXZINUxGN3ZyL2JTSzEwWWRY
+            NStaK1kyM0ozWVEyemNiN2pQZGNqRXMKOBwTvk4Sfl2BsB7foVqjw2GqPOdQwB+g
+            GUR09dG0z4/1rT3gPtDn88pjs2EZYWOMKq+BPGbz0951HFPOgPVB5g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dnRMY3NSbWtyUlpXWFRJ
+            VGRKLzdjMStldmtVbW9ZM05QaWJzSWV0MndzCkdpWFppTC9DVnJDc0lDRkZLZ2F1
+            WDJGWjNMZEZraWg3VUpDVDVtOE9YanMKLS0tIEUvWmRwcTBkUzZIMEVjNGhqeXU5
+            YmxtM0hoWTIwY3RKcFkrdzdrRFYwVGcKhBIi6YKPROrTo/QTClmv/xFa8/KAsqJD
+            bA5gHAYJCu3WLpZqo1FXqMMX/4Jj3gtWq0jLDzQ0Xoma842dhJo4bw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-26T03:13:11Z"
+    mac: ENC[AES256_GCM,data:0cMicsi2HGDY28ZCRaIP9ynR0amfOSGYJtgJryWkbf8CVaDAmA51W5yXRxKYrdwd7T22wAWeFdKIeItm51FXtlPwUZyyWlOtfdq3JE/vKRPk711wuS30VY8rObW49A10jqZzM6sJ7jKVf3b1RvjCVqd5xuPLLczhg3Ft5jmAOtY=,iv:Vv80TdEYIEKQ5HExJHImDlEVfPO4k7THdN6XH8dLJ6Q=,tag:vNoA9vFRRrTOJbq93W0Ldw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/machines/dolomite/secrets/secrets.yaml
+++ b/machines/dolomite/secrets/secrets.yaml
@ -10,47 +10,47 @@ sops:
        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZUYrRUY0N3hOczFUR2Fq
-            amx5RHAwVnRoTStlTlJISkk5TUFCaDhuUGxjCmVYbExkK1AzbURVWXNvU0Zkcjg5
-            ZTlWK0ExVnNNWmxJMkxlcHkxd1MvWkkKLS0tIFY3a3FoNzl2bitYTTl1R1R4K3hz
-            ZlcxT243dzd0amlHSmpOc1AvakNjRlkKwT2hNwDsc3WZkJ05Qq8INnG9Ii0iswqT
-            jnvMt9VTkZ8JHsq5vCaV+TtM3kswuw6hF9UoHdRM/JIvqMdPkXuZoQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdCtZK2FVRTh3YVd3dm9m
+            ZWR5VVIvS3VOSGh2cmg2ZUFrYmNIdVNLSTNVCjlhVlJER1BZMlRUd1RkYnpvTE9F
+            bExGa1NBWWR0enBmUFJYVVA4UlI1cUkKLS0tIC8wa3FGRnFldVdTdkpBb2xQc3BD
+            cTlhNHplRUoyS3pxNnF0TVlFTy9kdzQK4kDSzSV4ZnELvCsajGwvsc/vzua2hbI1
+            Vht7rmZ8Dl4Y3xEIXG7XVnWK2GOblpqZ/eza1T6kWEkXp2uCdQnM6Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSzkzMmU2SUMvWXVFRHM4
-            dWhsbEtFSUhHem1NZ1Q5aWJJWWlqelcyT2hBClRIeDE1M20vdm5rQnRvLzBGWnk3
-            aFZ2MFlrUHRudSt5M1Rod3NrUS8rdkEKLS0tIHlPSFUvUC93WlU5dHdaV0R6dTFh
-            c203K2VHb2hsSTBjOWxpUStOQ2VYTFEKbDTeoUSBFWB3W/fxS471aTysahlQUJ6D
-            JvvUJL63Y2XpvCQVCduO+Kl9A7B7LGran+2SUzqHBisQyR2eUcg/HQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZDBtTWxZbGpZRlYvMnpE
-            MTNEQXZJdGRpMmV0azhXbE1UeWlqZjdKQlhFCkU4RlBZUmdpTC9TamVwREFnM1Nt
-            eDZ0SDRQUmMxYmJ1bnBSS29qNGQ4THMKLS0tIDhVMWJoWTNBWjAyMHc0K2Z5Zjhi
-            UkU5dEpjSGZKOERPR2hUQ1lBK1ZXSWsKo/76+/Iq9sxJGxuk81yMBaX+mg98FD8p
-            F/PY4/oJjaUmpErdrWuE7Tgjycx+DTSDJv1ESyvLC6NPnXTRlZgg6A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1dVV0U3kwSmdnTU1HcGpr
+            U2FKZVV1c1R6a3ovRGxoOUlrcUNWUUFHN25ZClBBTUZGeTc0Tkx1OXdaK1p6aWpr
+            aSsvN0ZDR1V3VnVrb1FBYzdHSTNXOVkKLS0tIFlSUk5LT1hVUUd1aVg1eVNTUURX
+            OXRVVmNRWEhmVXZkWC9HNTUyUTNrMlUK370K3D1vU97vHV9aGjYrFOIJzmOQAnzH
+            QR6XsOkM0FRvSkhTsEZ3qC4Wd2MTIyRzHYPKvZmz9LufIr1N/JFj1Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjFsZ1o1alBIV2JkKy9j
-            ajArY1RydFllc1VLc3dQek5IcXNyWTIxNDBzCkhKYzdHSXowaGhnY2E5aVRPaDNJ
-            M3NOZEd1UHg4MDd3YTNidld5UGhKYUUKLS0tIG9QVlV3UXNSSXp6L3djaXZjcTNL
-            bmVYb1g3NnBOekZkUFNlOVZFY2N6YVUKsdTgykgHkFSQJfZeNJz2TkcDENg84plG
-            zBqz6HP6AK6SBI7C/lPus0VXuzjDVDr29jvemBQ3cNBodc6yKyReAQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQT0YyeXI4d2o4V0lWUE4x
+            ZXZWWDFiakdqNlU5RWt6QUdxYVRSZzQyZkZBCi9Tdm5wRXB2cTYxdnVYRXJaS0d0
+            Lzg3VWpqQ1NOb1NTYXE4RGVRZVZoM1UKLS0tIFdGM01VU3FEc0ZyeEN3bVM1WEZq
+            M3BFa1hoWkQyRkJqSlZiTnBwQWphemcKLTAza2y96h+IyWB2EN6e4WIFQqeL5E7p
+            CDmHr+hSt6u9cr8C/etljxGMbKf9GqFOeuCyPugrJGdu4/qlR5iE0g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNUF4cWwrZ0Vlb0Nxbk0z
-            VnRucWJVK2h0MG13YVkyMlJNZ3RxRmJqUlRBCmxrckV1a0xnSEhvWUN4RmF2ZHBl
-            VkFicWlnR0dvTmRBQ21NWVo4aFNQRmsKLS0tIEMxVGxTRHp6ZGJzYksxY1BUKzBh
-            Yk52TS81REhJd0lLRVpMZnhGMDRMK0UKzph2gK0LXqu44zQXGoGbyPjte2t4BqHE
-            WAufrQiamOgA7TUZYlZApzYhEY6iIbs/t7BQPn/OKZwzRYdXnzxqiw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFa1RHN2s4ajYzZmwvUlN2
+            c05SdERTTEhPRnJWOUF6TExIMnBEZkVMb1I4CkxBeTRQWmZEOGNrcFlGV2wrMkhI
+            QnAwSzZPaWNWbmdnZmFjZVJyRVdzN2cKLS0tIHVMU3Z6a1MrV3BVV1hqbEdYODJu
+            cGgvNU05eGx4alRNT2d5MWp6Q3lWZDAKQ+D1niMzaso/lQwdmepvACF8/SDEt2mQ
+            7nTRVJIpjGPTxO4ezcQWUGej+BSEnOoZno3epoIXLNlwDnHOAawTWQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcHNReHZibVlrNUtncnl1
+            SzczRGVFdUNvcFdqeWpZUk5FL0hwOS9LT3l3CnFLdXozcUxXYUpjUXJZWEtjMXo3
+            d28reWd0Z1Y0NWdBTG1MTkRGSEphY2sKLS0tIGw5U3NiOU1DNitUd0x5SkJ3SHFj
+            RVpWNDNUb2d1SEZpQlFBK2tFVjFzU0kKtI7e+kkiBm1L/WzkBApRI8IIo3gHdrE1
+            fzR+sbYEHWf95iEmb/oGlH++TrFW/zRXEyWPAi4ORTs7s/Ql1UC4Wg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-22T05:51:19Z"
    mac: ENC[AES256_GCM,data:LPUb7YbELPsgYX+LvfuGdiNG1B5ZrvyRVZL9UiMHoJMDHaWpDGCQkT1bk5jEOewwFh+StK560UsPK4uW0+SqADJO80rmM3xfqlp5Ul2HJ8mU19l5C6FLpv2REIzhCp333rNJJlyhn3H6GZgMaWnjjLSX9XMOVaq1iz6Qt0P76SI=,iv://EdDr5D51RFuucq8gkei2RC7H2bkRYxP/7lerp9dtk=,tag:JrRQ19sZ0OAZouMgOiU/tQ==,type:str]
--- a/machines/dolomite/secrets/sgp-00.yaml
+++ b/machines/dolomite/secrets/sgp-00.yaml
@ -1,31 +0,0 @@
-wg_private_key: ENC[AES256_GCM,data:UjxZ3iC5hxVcVJdEUJ3+myaQ/6MvghDw6eKa2flSuxMwFS31WB7r3evjlI0=,iv:BjgXCps6gx1ISghEO42x5aKb+c/n0P1V8FMVlPxAyLY=,tag:IkxCkpyVre+sFoBlRSFpMA==,type:str]
-wg_ipv6_local_addr: ENC[AES256_GCM,data:ejDYuZjZCKcsvyUUKdXtxgBqWloIwYHmpc/YwCYq7O2thsxvOou6iSHf,iv:HDrMlec4svxHpZXMyRDzpdSKeJbTmkZPd98SHv2ZLhQ=,tag:LjpapuaJ6sl4USZC8xEU5w==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUkpVa0dCSE1rTjZpaWR1
-            cjJjc25iOEV4TnhQUWE4SjI4QWVZYXdVcHdBCkIrNlVrV2xJRURVSG9sUHozeE5s
-            NitsV1MvcENZTHhmU01CSTRVNENXUFEKLS0tIGgxakQ2cGIzdzg5QzRoT3ZSaXUx
-            TkN5MkNTNitWMzVKZWdhNGRIZ3VNNDgKQ6lwM6EowuGOrskUpwD8VGirravE+e3/
-            Hkv5jLvvfVjmg0kvKlNRotTHrRUGV04JsbW7T9FfbKyYpmEb6oCrsg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSUlkQzhYSGwyNnYvNHpQ
-            UktKOUZiYk56S0piVy9ZMFdYVFdsN1FEVkhVCnZETEM5MW84TlNpbm1hSXJtR2Yy
-            OEdrSi9lcmJOR2F1cUZqc0NyQjl4RDgKLS0tIHVLcnRicmVNd2MwVjB4cGFXTlBu
-            VkJCcXdqTkUzejNzSjIvV2YrVUc5Sm8KutTATsWJ5+yB/CFoGwTNshyI5LzwH4x5
-            i5EIIkVPdxSIHrXUp0j6+RPWMJvEOFIE3dVwxz+MxqqHqtmEny1WKA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-19T12:31:51Z"
-    mac: ENC[AES256_GCM,data:AY0/qJ1ZXv4mQlHnG3uY2zQ0FhIYjHBWKyXXpv2/Q6yZkuSu6nIQk039nd+nk7lczXy2cylTHyjYv5vDF6BJARhu4jeYov6yMqYR8ye8rXjZKcOfrN5yv7LV6jyuzBRBkCWTQsaoR8ycKHlrMe+vkAGu50epdAQjAG+Qv6RkBiM=,iv:dMi2CququdEIg+g8NMUb8ioKwEkUqTP+nrivtsUYUUY=,tag:drHI6oJUUwN3JadCHbWWkg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/machines/dolomite/secrets/tok-00.yaml
+++ b/machines/dolomite/secrets/tok-00.yaml
@ -1,31 +0,0 @@
-wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str]
-wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYTc2a2J3ZXRXTlRxQTAx
-            UjZVTTVPa0FjbS9jekI5eXhLOTdUQTlBS2pJCnVPL2Q1d05QR2NpTDVZeDFpSCs3
-            Yjh3aXkvdTBIOThVMGMzcUZmUWhtTjgKLS0tIFZvcy9zRVBRcDN0ekp0MEV5cEph
-            ZURTL3hnSHgwQTlSNklCK25icEM0SGsKq2jM6jXLfK38BgV0calwKLuHIcGw0zed
-            lT19Mt9jFsqmIkpJh1U9Ddpz63WND+7ruMdTZt6RWStIxww4m7pevg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSXBqdXcxUDNkS29Gd3ZY
-            dTA3bmNUVThtTFJtdnFpSjZQT01TTXhpYUc4CkFhcm14eUw1YXIyWEViMSsyc3pr
-            VUJqWWdHMCtoRGQ1T3dMQlg3ZTZ5dGMKLS0tIGQvbGpFZTdrVUFURE9tdENCZGwr
-            aDBKbitCTmhxNXVNRGh6TVBvbkNhTUEKIuj7B4RdueX7BfExgzVoo6YJf59GsUHa
-            j5kIJ5UeTqWEBGBaXcPjhHMEQjYqwSBsVz2XJmsxLhi8WxejLio8FA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-19T12:30:24Z"
-    mac: ENC[AES256_GCM,data:f+7+O2ZVSZJhr0fJlfO/AtZC2N/7gsNu1f4cnUoXYFb1wobyU6tLkbwGqeyIulokgIDAU5lJ62TJXAjybe+kE+PGtpr61KS7dyiO0LjzcT/X898oBYvJ9jtkuxDzKM4ve570U7ZmS7Jbxt2NJEkcBvSUJRdJHH5l0sDrvmW8cwY=,iv:mno6jVUDUWxsO353hbCqGub+NYfk0XFsWzmWCBUt6Gg=,tag:KOw7HTy+pETha5pzx5Pf8Q==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1
--- a/modules/nixos/common-settings/proxy-server.nix
+++ b/modules/nixos/common-settings/proxy-server.nix
@ -9,6 +9,7 @@ let
    mkIf
    mkEnableOption
    mkOption
+    mkDefault
    types
    ;

@ -127,7 +128,7 @@ in
    trojan = {
      port = mkOption {
        type = lib.types.port;
-        default = cfg.trojan.port;
+        default = 8080;
      };
    };

@ -163,11 +164,6 @@ in
    ];
    networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);

-    custom.prometheus = {
-      enable = true;
-      exporters.blackbox.enable = true;
-    };
-
    services.sing-box = {
      enable = true;
      settings = mkSingConfig {