xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

treewide: apply the new rfc nixfmt

Browse source
This commit is contained in:
xinyangli 2024-08-25 17:45:58 +08:00
parent e702d503b9
commit 7a795e5ed9
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
53 changed files with 1371 additions and 888 deletions
Download patch file Download diff file Expand all files Collapse all files

34
machines/dolomite/bandwagon.nix
View file

@ -1,30 +1,42 @@
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
let
cfg = config.isBandwagon;
in
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
options = {
isBandwagon = lib.mkEnableOption "Bandwagon instance";
};
config = lib.mkIf cfg {
boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.availableKernelModules = [
"ata_piix"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "xfs";
};
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "xfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
swapDevices = [ ];

214
machines/dolomite/default.nix
View file

@ -1,6 +1,6 @@
{ config, lib, ... }:
let
awsHosts = [ "tok-00"];
awsHosts = [ "tok-00" ];
bwgHosts = [ "la-00" ];
in
{
@ -10,7 +10,6 @@ in
./lightsail.nix
];
config = {
isBandwagon = builtins.elem config.networking.hostName bwgHosts;
isLightsail = builtins.elem config.networking.hostName awsHosts;
@ -45,7 +44,10 @@ in
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [ 80 8080 ];
networking.firewall.allowedTCPPorts = [
80
8080
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
custom.prometheus = {
@ -80,119 +82,129 @@ in
wheelNeedsPassword = false;
};
services.sing-box = let
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
password = {
_secret = config.sops.secrets.singbox_password.path;
};
uuid = {
_secret = config.sops.secrets.singbox_uuid.path;
};
in
{
enable = true;
settings = {
dns = {
servers = [
{
tag = "warp";
address = "1.1.1.1";
detour = "wg-out";
}
{
tag = "directdns";
address = "h3://8.8.8.8/dns-query";
}
];
rules = [
{
outbound = "wg-out";
server = "warp";
}
{
outbound = "direct";
server = "directdns";
}
];
services.sing-box =
let
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
inbounds = [
{
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{ name = "proxy";
password = password;
password = {
_secret = config.sops.secrets.singbox_password.path;
};
uuid = {
_secret = config.sops.secrets.singbox_uuid.path;
};
in
{
enable = true;
settings = {
dns = {
servers = [
{
tag = "warp";
address = "1.1.1.1";
detour = "wg-out";
}
{
tag = "directdns";
address = "h3://8.8.8.8/dns-query";
}
];
tls = singTls;
}
] ++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{ name = "proxy";
uuid = uuid;
password = password;
rules = [
{
outbound = "wg-out";
server = "warp";
}
{
outbound = "direct";
server = "directdns";
}
];
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{ public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [ "0.0.0.0/0" "::/0" ];
server = "162.159.192.1";
server_port = 500;
};
inbounds =
[
{
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{
name = "proxy";
password = password;
}
];
tls = singTls;
}
];
}
{
type = "direct";
tag = "direct";
}
{
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{
name = "proxy";
uuid = uuid;
password = password;
}
];
tls = singTls;
});
outbounds = [
{
outbound = "dns-out";
protocol = "dns";
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
inbound = "sg0";
outbound = "direct";
type = "direct";
tag = "direct";
}
{
inbound = "sg4";
outbound = "direct";
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
{
outbound = "dns-out";
protocol = "dns";
}
{
inbound = "sg0";
outbound = "direct";
}
{
inbound = "sg4";
outbound = "direct";
}
];
};
};
};
};
};
}

26
machines/dolomite/lightsail.nix
View file

@ -1,10 +1,16 @@
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
with lib;
let
cfg = config.ec2;
in
{
imports = [
imports = [
"${modulesPath}/profiles/headless.nix"
# Note: While we do use the headless profile, we also explicitly
# turn on the serial console on ttyS0 below. This is because
@ -39,18 +45,22 @@ in
fsType = "vfat";
};
boot.extraModulePackages = [
config.boot.kernelPackages.ena
];
boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
boot.initrd.kernelModules = [ "xen-blkfront" ];
boot.initrd.availableKernelModules = [ "nvme" ];
boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ];
boot.kernelParams = [
"console=ttyS0,115200n8"
"random.trust_cpu=on"
];
# Prevent the nouveau kernel module from being loaded, as it
# interferes with the nvidia/nvidia-uvm modules needed for CUDA.
# Also blacklist xen_fbfront to prevent a 30 second delay during
# boot.
boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ];
boot.blacklistedKernelModules = [
"nouveau"
"xen_fbfront"
];
boot.loader.grub.efiSupport = cfg.efi;
boot.loader.grub.efiInstallAsRemovable = cfg.efi;
@ -64,7 +74,7 @@ in
systemd.services.fetch-ec2-metadata = {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = ["network-online.target"];
after = [ "network-online.target" ];
path = [ pkgs.curl ];
script = builtins.readFile ./ec2-metadata-fetcher.sh;
serviceConfig.Type = "oneshot";