From 1c40bbc98f7c3ddfd396c4ca39cb0caf4d89df0a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 26 Nov 2024 17:36:16 +0800 Subject: [PATCH] dolomite: drop tok-00, add fre-00 --- .sops.yaml | 16 +-- flake.nix | 18 +++ machines/dolomite/common.nix | 2 +- machines/dolomite/ec2-metadata-fetcher.sh | 66 ---------- machines/dolomite/fra.nix | 62 ++++++++++ machines/dolomite/lightsail.nix | 114 ------------------ machines/dolomite/secrets/fra-00.yaml | 31 +++++ machines/dolomite/secrets/secrets.yaml | 58 ++++----- machines/dolomite/secrets/sgp-00.yaml | 31 ----- machines/dolomite/secrets/tok-00.yaml | 31 ----- .../nixos/common-settings/proxy-server.nix | 8 +- 11 files changed, 151 insertions(+), 286 deletions(-) delete mode 100644 machines/dolomite/ec2-metadata-fetcher.sh create mode 100644 machines/dolomite/fra.nix delete mode 100644 machines/dolomite/lightsail.nix create mode 100644 machines/dolomite/secrets/fra-00.yaml delete mode 100644 machines/dolomite/secrets/sgp-00.yaml delete mode 100644 machines/dolomite/secrets/tok-00.yaml diff --git a/.sops.yaml b/.sops.yaml index 4c2fbbc..5056c87 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,11 +3,11 @@ keys: - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - &host-sgp-00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta - &host-weilite age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml - &host-hk-00 age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9 + - &host-fra-00 age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: 
@@ -29,19 +29,14 @@ creation_rules: - age: - *xin - *host-sgp-00 - - *host-tok-00 - *host-la-00 - *host-hk-00 + - *host-fra-00 - path_regex: machines/dolomite/secrets/sgp-00.yaml key_groups: - age: - *xin - *host-sgp-00 - - path_regex: machines/dolomite/secrets/tok-00.yaml - key_groups: - - age: - - *xin - - *host-tok-00 - path_regex: machines/dolomite/secrets/la-00.yaml key_groups: - age: @@ -52,6 +47,12 @@ creation_rules: - age: - *xin - *host-hk-00 + + - path_regex: machines/dolomite/secrets/fra-00.yaml + key_groups: + - age: + - *xin + - *host-fra-00 - path-regex: machines/weilite/secrets.yaml key_groups: - age: @@ -64,7 +65,6 @@ creation_rules: - *host-calcite - *host-raspite - *host-sgp-00 - - *host-tok-00 - *host-la-00 - *host-hk-00 - *host-massicot diff --git a/flake.nix b/flake.nix index 5dcb727..99d1f8e 100644 --- a/flake.nix +++ b/flake.nix @@ -116,6 +116,10 @@ ./machines/dolomite/lightsail.nix ./machines/dolomite/common.nix ]; + fra-00 = [ + ./machines/dolomite/fra.nix + ./machines/dolomite/common.nix + ]; osmium = [ ./machines/osmium ]; @@ -229,6 +233,20 @@ }; }; + fra-00 = + { ... }: + { + imports = nodeNixosModules.fra-00 ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "fra-00"; + system.stateVersion = "24.05"; + deployment = { + targetHost = "fra-00.video.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; + }; + raspite = { ... }: { diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix index fffb74d..3b511ef 100644 --- a/machines/dolomite/common.nix +++ b/machines/dolomite/common.nix @@ -23,7 +23,7 @@ }; custom.prometheus = { - enable = true; + enable = lib.mkDefault true; exporters.blackbox.enable = true; }; diff --git a/machines/dolomite/ec2-metadata-fetcher.sh b/machines/dolomite/ec2-metadata-fetcher.sh deleted file mode 100644 index 716aff7..0000000 --- a/machines/dolomite/ec2-metadata-fetcher.sh +++ /dev/null 
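Review bot: The context line immediately below the new fra-00 rule reads `- path-regex: machines/weilite/secrets.yaml` with a hyphen, so sops never sees a `path_regex` for that rule; as far as I recall, sops treats a rule without `path_regex` as a catch-all and takes the first matching rule, which would make the weilite rule swallow every path not caught by an earlier rule and leave the final rule in this file (the one that drops `*host-tok-00` at the bottom) unreachable, so a new secrets file could silently be encrypted to the weilite recipient set. This predates the patch, but since the fra-00 rule is being inserted right above it, fix it here: `- path_regex: machines/weilite/secrets.yaml`. Separately, the rule for `machines/dolomite/secrets/sgp-00.yaml` is kept as context while this same patch deletes that file, and the commit title only mentions tok-00; either drop the dead rule or say why it stays. The last hunk removes `*host-tok-00` from a rule whose path is outside the hunk, and no re-encryption of whatever file it covers appears in this patch, so that file (if it exists) still lists tok-00 as a recipient until `sops updatekeys` is run on it.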
@@ -1,66 +0,0 @@ -metaDir=/etc/ec2-metadata -mkdir -m 0755 -p "$metaDir" -rm -f "$metaDir/*" - -get_imds_token() { - # retry-delay of 1 selected to give the system a second to get going, - # but not add a lot to the bootup time - curl \ - --silent \ - --show-error \ - --retry 3 \ - --retry-delay 1 \ - --fail \ - -X PUT \ - --connect-timeout 1 \ - -H "X-aws-ec2-metadata-token-ttl-seconds: 600" \ - http://169.254.169.254/latest/api/token -} - -preflight_imds_token() { - # retry-delay of 1 selected to give the system a second to get going, - # but not add a lot to the bootup time - curl \ - --silent \ - --show-error \ - --retry 3 \ - --retry-delay 1 \ - --fail \ - --connect-timeout 1 \ - -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \ - -o /dev/null \ - http://169.254.169.254/1.0/meta-data/instance-id -} - -try=1 -while [ $try -le 3 ]; do - echo "(attempt $try/3) getting an EC2 instance metadata service v2 token..." - IMDS_TOKEN=$(get_imds_token) && break - try=$((try + 1)) - sleep 1 -done - -if [ "x$IMDS_TOKEN" == "x" ]; then - echo "failed to fetch an IMDS2v token." -fi - -try=1 -while [ $try -le 10 ]; do - echo "(attempt $try/10) validating the EC2 instance metadata service v2 token..." - preflight_imds_token && break - try=$((try + 1)) - sleep 1 -done - -echo "getting EC2 instance metadata..." - -get_imds() { - # --fail to avoid populating missing files with 404 HTML response body - # || true to allow the script to continue even when encountering a 404 - curl --silent --show-error --fail --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@" || true -} - -get_imds -o "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path -(umask 077 && get_imds -o "$metaDir/user-data" http://169.254.169.254/1.0/user-data) -get_imds -o "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname -get_imds -o "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key 
diff --git a/machines/dolomite/fra.nix b/machines/dolomite/fra.nix
new file mode 100644
index 0000000..0caf650
--- /dev/null
+++ b/machines/dolomite/fra.nix
@@ -0,0 +1,62 @@
+# Do not modify this file! It was generated by ‘nixos-generate-co
+# and may be overwritten by future invocations. Please make chang
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 2 * 1024;
+ }
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "uhci_hcd"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ "ahci"
+ "ata_piix"
+ "virtio_pci"
+ "xen_blkfront"
+ "vmw_pvscsi"
+ ];
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+
+ networking.useNetworkd = true;
+ systemd.network.enable = true;
+ systemd.network.networks."10-wan" = {
+ matchConfig.MACAddress = "00:16:3c:d2:7b:64";
+ networkConfig = {
+ DHCP = "no";
+ Gateway = "185.217.108.1";
+ };
+ address = [ "185.217.108.59/24" ];
+ };
+
+ custom.prometheus.enable = false;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix
deleted file mode 100644
index 0c22e07..0000000
--- a/machines/dolomite/lightsail.nix
+++ /dev/null
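Review bot: The swapfile declared in `swapDevices` is unencrypted, yet this host is a recipient of `wg_private_key` in `fra-00.yaml` and is tagged as a proxy node, so decrypted key material and session state can be paged out to the provider's disk; add `randomEncryption.enable = true;` inside that attribute set so NixOS wraps the swap in a per-boot random key (confirm your nixpkgs revision accepts it for a file-backed swap; hibernation is not a concern on a VPS). The header still claims the file was generated by nixos-generate-config and must not be modified, but the committed version is hand-edited (the networkd block, `custom.prometheus.enable = false;`) and its first two lines are cut mid-word (`nixos-generate-co`, `Please make chang`), whether in the file or in this rendering; replace the three lines with a true one such as `# fra-00 hardware/network config; seeded from nixos-generate-config, maintained by hand here.` Finally, `custom.prometheus.enable = false;` turns monitoring off on an internet-facing node while the other dolomite hosts keep it on via common.nix; a one-line comment stating the reason would stop the next reader from re-enabling it blindly, or from assuming it was an oversight.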
@@ -1,114 +0,0 @@ -{ - config, - pkgs, - modulesPath, - ... -}: -let - cfg = config.ec2; -in -{ - imports = [ - "${modulesPath}/profiles/headless.nix" - # Note: While we do use the headless profile, we also explicitly - # turn on the serial console on ttyS0 below. This is because - # AWS does support accessing the serial console: - # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html - "${modulesPath}/virtualisation/ec2-data.nix" - "${modulesPath}/virtualisation/amazon-init.nix" - ]; - - config = { - boot.loader.grub.device = "/dev/nvme0n1"; - - # from nixpkgs amazon-image.nix - assertions = [ ]; - - boot.growPartition = true; - - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - autoResize = true; - }; - - fileSystems."/boot" = { - # The ZFS image uses a partition labeled ESP whether or not we're - # booting with EFI. - device = "/dev/disk/by-label/ESP"; - fsType = "vfat"; - }; - - swapDevices = [ - { - device = "/var/lib/swapfile"; - size = 4 * 1024; - } - ]; - - boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; - boot.initrd.kernelModules = [ "xen-blkfront" ]; - boot.initrd.availableKernelModules = [ "nvme" ]; - boot.kernelParams = [ - "console=ttyS0,115200n8" - "random.trust_cpu=on" - ]; - - # Prevent the nouveau kernel module from being loaded, as it - # interferes with the nvidia/nvidia-uvm modules needed for CUDA. - # Also blacklist xen_fbfront to prevent a 30 second delay during - # boot. 
- boot.blacklistedKernelModules = [ - "nouveau" - "xen_fbfront" - ]; - - boot.loader.grub.efiSupport = cfg.efi; - boot.loader.grub.efiInstallAsRemovable = cfg.efi; - boot.loader.timeout = 1; - boot.loader.grub.extraConfig = '' - serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 - terminal_output console serial - terminal_input console serial - ''; - - systemd.services.fetch-ec2-metadata = { - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - path = [ pkgs.curl ]; - script = builtins.readFile ./ec2-metadata-fetcher.sh; - serviceConfig.Type = "oneshot"; - serviceConfig.StandardOutput = "journal+console"; - }; - - # Amazon-issued AMIs include the SSM Agent by default, so we do the same. - # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html - services.amazon-ssm-agent.enable = true; - - # Allow root logins only using the SSH key that the user specified - # at instance creation time. - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "prohibit-password"; - - # Enable the serial console on ttyS0 - systemd.services."serial-getty@ttyS0".enable = true; - - # Creates symlinks for block device names. - services.udev.packages = [ pkgs.amazon-ec2-utils ]; - - # Force getting the hostname from EC2. - # networking.hostName = mkDefault ""; - - # Always include cryptsetup so that Charon can use it. - environment.systemPackages = [ pkgs.cryptsetup ]; - - # EC2 has its own NTP server provided by the hypervisor - services.timesyncd.enable = true; - services.timesyncd.servers = [ "169.254.169.123" ]; - - # udisks has become too bloated to have in a headless system - # (e.g. it depends on GTK). - services.udisks2.enable = false; - }; -} diff --git a/machines/dolomite/secrets/fra-00.yaml b/machines/dolomite/secrets/fra-00.yaml new file mode 100644 index 0000000..11e9c94 --- /dev/null +++ b/machines/dolomite/secrets/fra-00.yaml 
@@ -0,0 +1,31 @@ +wg_private_key: ENC[AES256_GCM,data:wKZfXvNLh578VpWRkEGRiyDqEgJ9nHMGbliDP/FhX3ZqrPFLwuSF4D4tQgw=,iv:EU6OkblWfWuC7CPW0U0peYY6171TnhljqnszQhVJTFw=,tag:CBrZRXDSKYoqbx5x7wQ1Ew==,type:str] +wg_ipv6_local_addr: ENC[AES256_GCM,data:A6oUJngb1sOAAVTbgeceEgTd3Ejs5WM4GmXLvJBif5nbQSgU67EHZpDv,iv:Yf9063C784jPjJICee/YEj6fgl357G9yfkz0haHJGss=,tag:++LbjP8AI0HdS/9rtMYDDg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBud0JBa3A0VTk5SHhpK0tq + THZEWkY0Yk1CNjVVOGVOckRncEJUT2MxdW13ClQ1ZXV1bVRTNnUvVVBmbVhTZ3Fa + Wm1iTDRYOUJ2MW04dkNlemxzdGk5ZXcKLS0tIEZpNXZINUxGN3ZyL2JTSzEwWWRY + NStaK1kyM0ozWVEyemNiN2pQZGNqRXMKOBwTvk4Sfl2BsB7foVqjw2GqPOdQwB+g + GUR09dG0z4/1rT3gPtDn88pjs2EZYWOMKq+BPGbz0951HFPOgPVB5g== + -----END AGE ENCRYPTED FILE----- + - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dnRMY3NSbWtyUlpXWFRJ + VGRKLzdjMStldmtVbW9ZM05QaWJzSWV0MndzCkdpWFppTC9DVnJDc0lDRkZLZ2F1 + WDJGWjNMZEZraWg3VUpDVDVtOE9YanMKLS0tIEUvWmRwcTBkUzZIMEVjNGhqeXU5 + YmxtM0hoWTIwY3RKcFkrdzdrRFYwVGcKhBIi6YKPROrTo/QTClmv/xFa8/KAsqJD + bA5gHAYJCu3WLpZqo1FXqMMX/4Jj3gtWq0jLDzQ0Xoma842dhJo4bw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-26T03:13:11Z" + mac: ENC[AES256_GCM,data:0cMicsi2HGDY28ZCRaIP9ynR0amfOSGYJtgJryWkbf8CVaDAmA51W5yXRxKYrdwd7T22wAWeFdKIeItm51FXtlPwUZyyWlOtfdq3JE/vKRPk711wuS30VY8rObW49A10jqZzM6sJ7jKVf3b1RvjCVqd5xuPLLczhg3Ft5jmAOtY=,iv:Vv80TdEYIEKQ5HExJHImDlEVfPO4k7THdN6XH8dLJ6Q=,tag:vNoA9vFRRrTOJbq93W0Ldw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/machines/dolomite/secrets/secrets.yaml b/machines/dolomite/secrets/secrets.yaml index 477a4b4..1cdd7e9 100644 --- a/machines/dolomite/secrets/secrets.yaml 
+++ b/machines/dolomite/secrets/secrets.yaml 
@@ -10,47 +10,47 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZUYrRUY0N3hOczFUR2Fq - amx5RHAwVnRoTStlTlJISkk5TUFCaDhuUGxjCmVYbExkK1AzbURVWXNvU0Zkcjg5 - ZTlWK0ExVnNNWmxJMkxlcHkxd1MvWkkKLS0tIFY3a3FoNzl2bitYTTl1R1R4K3hz - ZlcxT243dzd0amlHSmpOc1AvakNjRlkKwT2hNwDsc3WZkJ05Qq8INnG9Ii0iswqT - jnvMt9VTkZ8JHsq5vCaV+TtM3kswuw6hF9UoHdRM/JIvqMdPkXuZoQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdCtZK2FVRTh3YVd3dm9m + ZWR5VVIvS3VOSGh2cmg2ZUFrYmNIdVNLSTNVCjlhVlJER1BZMlRUd1RkYnpvTE9F + bExGa1NBWWR0enBmUFJYVVA4UlI1cUkKLS0tIC8wa3FGRnFldVdTdkpBb2xQc3BD + cTlhNHplRUoyS3pxNnF0TVlFTy9kdzQK4kDSzSV4ZnELvCsajGwvsc/vzua2hbI1 + Vht7rmZ8Dl4Y3xEIXG7XVnWK2GOblpqZ/eza1T6kWEkXp2uCdQnM6Q== -----END AGE ENCRYPTED FILE----- - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSzkzMmU2SUMvWXVFRHM4 - dWhsbEtFSUhHem1NZ1Q5aWJJWWlqelcyT2hBClRIeDE1M20vdm5rQnRvLzBGWnk3 - aFZ2MFlrUHRudSt5M1Rod3NrUS8rdkEKLS0tIHlPSFUvUC93WlU5dHdaV0R6dTFh - c203K2VHb2hsSTBjOWxpUStOQ2VYTFEKbDTeoUSBFWB3W/fxS471aTysahlQUJ6D - JvvUJL63Y2XpvCQVCduO+Kl9A7B7LGran+2SUzqHBisQyR2eUcg/HQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZDBtTWxZbGpZRlYvMnpE - MTNEQXZJdGRpMmV0azhXbE1UeWlqZjdKQlhFCkU4RlBZUmdpTC9TamVwREFnM1Nt - eDZ0SDRQUmMxYmJ1bnBSS29qNGQ4THMKLS0tIDhVMWJoWTNBWjAyMHc0K2Z5Zjhi - UkU5dEpjSGZKOERPR2hUQ1lBK1ZXSWsKo/76+/Iq9sxJGxuk81yMBaX+mg98FD8p - F/PY4/oJjaUmpErdrWuE7Tgjycx+DTSDJv1ESyvLC6NPnXTRlZgg6A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1dVV0U3kwSmdnTU1HcGpr + U2FKZVV1c1R6a3ovRGxoOUlrcUNWUUFHN25ZClBBTUZGeTc0Tkx1OXdaK1p6aWpr + aSsvN0ZDR1V3VnVrb1FBYzdHSTNXOVkKLS0tIFlSUk5LT1hVUUd1aVg1eVNTUURX + 
OXRVVmNRWEhmVXZkWC9HNTUyUTNrMlUK370K3D1vU97vHV9aGjYrFOIJzmOQAnzH + QR6XsOkM0FRvSkhTsEZ3qC4Wd2MTIyRzHYPKvZmz9LufIr1N/JFj1Q== -----END AGE ENCRYPTED FILE----- - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjFsZ1o1alBIV2JkKy9j - ajArY1RydFllc1VLc3dQek5IcXNyWTIxNDBzCkhKYzdHSXowaGhnY2E5aVRPaDNJ - M3NOZEd1UHg4MDd3YTNidld5UGhKYUUKLS0tIG9QVlV3UXNSSXp6L3djaXZjcTNL - bmVYb1g3NnBOekZkUFNlOVZFY2N6YVUKsdTgykgHkFSQJfZeNJz2TkcDENg84plG - zBqz6HP6AK6SBI7C/lPus0VXuzjDVDr29jvemBQ3cNBodc6yKyReAQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQT0YyeXI4d2o4V0lWUE4x + ZXZWWDFiakdqNlU5RWt6QUdxYVRSZzQyZkZBCi9Tdm5wRXB2cTYxdnVYRXJaS0d0 + Lzg3VWpqQ1NOb1NTYXE4RGVRZVZoM1UKLS0tIFdGM01VU3FEc0ZyeEN3bVM1WEZq + M3BFa1hoWkQyRkJqSlZiTnBwQWphemcKLTAza2y96h+IyWB2EN6e4WIFQqeL5E7p + CDmHr+hSt6u9cr8C/etljxGMbKf9GqFOeuCyPugrJGdu4/qlR5iE0g== -----END AGE ENCRYPTED FILE----- - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNUF4cWwrZ0Vlb0Nxbk0z - VnRucWJVK2h0MG13YVkyMlJNZ3RxRmJqUlRBCmxrckV1a0xnSEhvWUN4RmF2ZHBl - VkFicWlnR0dvTmRBQ21NWVo4aFNQRmsKLS0tIEMxVGxTRHp6ZGJzYksxY1BUKzBh - Yk52TS81REhJd0lLRVpMZnhGMDRMK0UKzph2gK0LXqu44zQXGoGbyPjte2t4BqHE - WAufrQiamOgA7TUZYlZApzYhEY6iIbs/t7BQPn/OKZwzRYdXnzxqiw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFa1RHN2s4ajYzZmwvUlN2 + c05SdERTTEhPRnJWOUF6TExIMnBEZkVMb1I4CkxBeTRQWmZEOGNrcFlGV2wrMkhI + QnAwSzZPaWNWbmdnZmFjZVJyRVdzN2cKLS0tIHVMU3Z6a1MrV3BVV1hqbEdYODJu + cGgvNU05eGx4alRNT2d5MWp6Q3lWZDAKQ+D1niMzaso/lQwdmepvACF8/SDEt2mQ + 7nTRVJIpjGPTxO4ezcQWUGej+BSEnOoZno3epoIXLNlwDnHOAawTWQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcHNReHZibVlrNUtncnl1 + 
SzczRGVFdUNvcFdqeWpZUk5FL0hwOS9LT3l3CnFLdXozcUxXYUpjUXJZWEtjMXo3 + d28reWd0Z1Y0NWdBTG1MTkRGSEphY2sKLS0tIGw5U3NiOU1DNitUd0x5SkJ3SHFj + RVpWNDNUb2d1SEZpQlFBK2tFVjFzU0kKtI7e+kkiBm1L/WzkBApRI8IIo3gHdrE1 + fzR+sbYEHWf95iEmb/oGlH++TrFW/zRXEyWPAi4ORTs7s/Ql1UC4Wg== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-22T05:51:19Z" mac: ENC[AES256_GCM,data:LPUb7YbELPsgYX+LvfuGdiNG1B5ZrvyRVZL9UiMHoJMDHaWpDGCQkT1bk5jEOewwFh+StK560UsPK4uW0+SqADJO80rmM3xfqlp5Ul2HJ8mU19l5C6FLpv2REIzhCp333rNJJlyhn3H6GZgMaWnjjLSX9XMOVaq1iz6Qt0P76SI=,iv://EdDr5D51RFuucq8gkei2RC7H2bkRYxP/7lerp9dtk=,tag:JrRQ19sZ0OAZouMgOiU/tQ==,type:str] diff --git a/machines/dolomite/secrets/sgp-00.yaml b/machines/dolomite/secrets/sgp-00.yaml deleted file mode 100644 index aef9c5d..0000000 --- a/machines/dolomite/secrets/sgp-00.yaml +++ /dev/null 
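Review bot: Every recipient stanza in this hunk is re-wrapped while `lastmodified: "2024-11-22T05:51:19Z"` and the `mac:` line stay as unchanged context, which is the footprint of `sops updatekeys` rather than `sops rotate`: the file's data key appears to be the same one the tok-00 host could unwrap, so removing `age1t5nw…a5yvj` from the recipient list does not revoke that host's ability to decrypt this file, and every earlier revision in git history remains readable to it regardless. If tok-00 is decommissioned and its age identity cannot be shown destroyed, run `sops rotate -i machines/dolomite/secrets/secrets.yaml` so a fresh data key is wrapped only for the remaining recipients, and rotate the secret values themselves, since their plaintext was available on that machine. This is inferred from the unchanged trailer, so worth confirming with `sops -d` on the old and new revisions; the sops block continues past the end of the hunk (`pgp:`, `version:`).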
@@ -1,31 +0,0 @@ -wg_private_key: ENC[AES256_GCM,data:UjxZ3iC5hxVcVJdEUJ3+myaQ/6MvghDw6eKa2flSuxMwFS31WB7r3evjlI0=,iv:BjgXCps6gx1ISghEO42x5aKb+c/n0P1V8FMVlPxAyLY=,tag:IkxCkpyVre+sFoBlRSFpMA==,type:str] -wg_ipv6_local_addr: ENC[AES256_GCM,data:ejDYuZjZCKcsvyUUKdXtxgBqWloIwYHmpc/YwCYq7O2thsxvOou6iSHf,iv:HDrMlec4svxHpZXMyRDzpdSKeJbTmkZPd98SHv2ZLhQ=,tag:LjpapuaJ6sl4USZC8xEU5w==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUkpVa0dCSE1rTjZpaWR1 - cjJjc25iOEV4TnhQUWE4SjI4QWVZYXdVcHdBCkIrNlVrV2xJRURVSG9sUHozeE5s - NitsV1MvcENZTHhmU01CSTRVNENXUFEKLS0tIGgxakQ2cGIzdzg5QzRoT3ZSaXUx - TkN5MkNTNitWMzVKZWdhNGRIZ3VNNDgKQ6lwM6EowuGOrskUpwD8VGirravE+e3/ - Hkv5jLvvfVjmg0kvKlNRotTHrRUGV04JsbW7T9FfbKyYpmEb6oCrsg== - -----END AGE ENCRYPTED FILE----- - - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSUlkQzhYSGwyNnYvNHpQ - UktKOUZiYk56S0piVy9ZMFdYVFdsN1FEVkhVCnZETEM5MW84TlNpbm1hSXJtR2Yy - OEdrSi9lcmJOR2F1cUZqc0NyQjl4RDgKLS0tIHVLcnRicmVNd2MwVjB4cGFXTlBu - VkJCcXdqTkUzejNzSjIvV2YrVUc5Sm8KutTATsWJ5+yB/CFoGwTNshyI5LzwH4x5 - i5EIIkVPdxSIHrXUp0j6+RPWMJvEOFIE3dVwxz+MxqqHqtmEny1WKA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-19T12:31:51Z" - mac: ENC[AES256_GCM,data:AY0/qJ1ZXv4mQlHnG3uY2zQ0FhIYjHBWKyXXpv2/Q6yZkuSu6nIQk039nd+nk7lczXy2cylTHyjYv5vDF6BJARhu4jeYov6yMqYR8ye8rXjZKcOfrN5yv7LV6jyuzBRBkCWTQsaoR8ycKHlrMe+vkAGu50epdAQjAG+Qv6RkBiM=,iv:dMi2CququdEIg+g8NMUb8ioKwEkUqTP+nrivtsUYUUY=,tag:drHI6oJUUwN3JadCHbWWkg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/machines/dolomite/secrets/tok-00.yaml b/machines/dolomite/secrets/tok-00.yaml deleted file mode 100644 index 5872491..0000000 
--- a/machines/dolomite/secrets/tok-00.yaml +++ /dev/null @@ -1,31 +0,0 @@ -wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str] -wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYTc2a2J3ZXRXTlRxQTAx - UjZVTTVPa0FjbS9jekI5eXhLOTdUQTlBS2pJCnVPL2Q1d05QR2NpTDVZeDFpSCs3 - Yjh3aXkvdTBIOThVMGMzcUZmUWhtTjgKLS0tIFZvcy9zRVBRcDN0ekp0MEV5cEph - ZURTL3hnSHgwQTlSNklCK25icEM0SGsKq2jM6jXLfK38BgV0calwKLuHIcGw0zed - lT19Mt9jFsqmIkpJh1U9Ddpz63WND+7ruMdTZt6RWStIxww4m7pevg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSXBqdXcxUDNkS29Gd3ZY - dTA3bmNUVThtTFJtdnFpSjZQT01TTXhpYUc4CkFhcm14eUw1YXIyWEViMSsyc3pr - VUJqWWdHMCtoRGQ1T3dMQlg3ZTZ5dGMKLS0tIGQvbGpFZTdrVUFURE9tdENCZGwr - aDBKbitCTmhxNXVNRGh6TVBvbkNhTUEKIuj7B4RdueX7BfExgzVoo6YJf59GsUHa - j5kIJ5UeTqWEBGBaXcPjhHMEQjYqwSBsVz2XJmsxLhi8WxejLio8FA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-19T12:30:24Z" - mac: ENC[AES256_GCM,data:f+7+O2ZVSZJhr0fJlfO/AtZC2N/7gsNu1f4cnUoXYFb1wobyU6tLkbwGqeyIulokgIDAU5lJ62TJXAjybe+kE+PGtpr61KS7dyiO0LjzcT/X898oBYvJ9jtkuxDzKM4ve570U7ZmS7Jbxt2NJEkcBvSUJRdJHH5l0sDrvmW8cwY=,iv:mno6jVUDUWxsO353hbCqGub+NYfk0XFsWzmWCBUt6Gg=,tag:KOw7HTy+pETha5pzx5Pf8Q==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 
diff --git a/modules/nixos/common-settings/proxy-server.nix b/modules/nixos/common-settings/proxy-server.nix
index 166bf2d..5ed0416 100644
--- a/modules/nixos/common-settings/proxy-server.nix
+++ b/modules/nixos/common-settings/proxy-server.nix
@@ -9,6 +9,7 @@ let
mkIf
mkEnableOption
mkOption
+ mkDefault
types
;

@@ -127,7 +128,7 @@ in
trojan = {
port = mkOption {
type = lib.types.port;
- default = cfg.trojan.port;
+ default = 8080;
};
};

@@ -163,11 +164,6 @@ in
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);

- custom.prometheus = {
- enable = true;
- exporters.blackbox.enable = true;
- };
-
services.sing-box = {
enable = true;
settings = mkSingConfig {
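Review bot: Removing the `custom.prometheus` block from this shared module silently drops Prometheus and the blackbox exporter on any host that imports `proxy-server.nix` without also importing `machines/dolomite/common.nix`, where this patch re-adds it as `lib.mkDefault true`; if such hosts exist there is no evaluation error, the probes just vanish, so either keep a `custom.prometheus.enable = lib.mkDefault true;` here or add a comment stating that monitoring is now the importing machine's responsibility. The new `default = 8080;` replaces a default that referred to its own option and would have recursed when used, which is the right fix, but the option still has no `description`; add `description = "Port the sing-box trojan inbound listens on.";` (adjust if the inbound is fronted by something else). The `services.sing-box` attribute set continues past the end of the hunk.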