xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

dolomite: refactor

Browse source
This commit is contained in:
xinyangli 2024-11-22 14:45:16 +08:00
parent 9bf25972e9
commit d5ff5cbbb2
Signed by: xin
SSH key fingerprint: SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
12 changed files with 139 additions and 224 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
.sops.yaml
View file

@ -24,6 +24,14 @@ creation_rules:
- age:
- *xin
- *host-massicot
- path_regex: machines/dolomite/secrets/secrets.yaml
key_groups:
- age:
- *xin
- *host-sgp-00
- *host-tok-00
- *host-la-00
- *host-hk-00
- path_regex: machines/dolomite/secrets/sgp-00.yaml
key_groups:
- age:

18
flake.nix
View file

@ -104,6 +104,18 @@
machines/calcite/configuration.nix
(mkHome "xin" "calcite")
];
hk-00 = [
./machines/dolomite/claw.nix
./machines/dolomite/common.nix
];
la-00 = [
./machines/dolomite/bandwagon.nix
./machines/dolomite/common.nix
];
tok-00 = [
./machines/dolomite/lightsail.nix
./machines/dolomite/common.nix
];
};
sharedColmenaModules = [
deploymentModule
@ -175,7 +187,7 @@
tok-00 =
{ ... }:
{
imports = [ machines/dolomite ] ++ sharedColmenaModules;
imports = nodeNixosModules.tok-00 ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "tok-00";
system.stateVersion = "23.11";
@ -189,7 +201,7 @@
la-00 =
{ ... }:
{
imports = [ machines/dolomite ] ++ sharedColmenaModules;
imports = nodeNixosModules.la-00 ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "la-00";
system.stateVersion = "21.05";
@ -203,7 +215,7 @@
hk-00 =
{ ... }:
{
imports = [ machines/dolomite ] ++ sharedColmenaModules;
imports = nodeNixosModules.hk-00 ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "hk-00";
system.stateVersion = "24.05";

12
machines/dolomite/bandwagon.nix
View file

@ -1,21 +1,11 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
let
cfg = config.isBandwagon;
in
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
options = {
isBandwagon = lib.mkEnableOption "Bandwagon instance";
};
config = lib.mkIf cfg {
config = {
boot.initrd.availableKernelModules = [
"ata_piix"
"xhci_pci"

10
machines/dolomite/claw.nix
View file

@ -1,22 +1,14 @@
{
config,
lib,
modulesPath,
...
}:
let
cfg = config.isClaw;
in
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
options = {
isClaw = lib.mkEnableOption "Lightsail instance";
};
config = lib.mkIf cfg {
config = {
boot.initrd.availableKernelModules = [
"uhci_hcd"
"virtio_blk"

36
machines/dolomite/common.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, ... }:
{
config = {
sops = {
secrets = {
wg_private_key = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
wg_ipv6_local_addr = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
"sing-box/password" = {
owner = "root";
sopsFile = ./secrets/secrets.yaml;
};
"sing-box/uuid" = {
owner = "root";
sopsFile = ./secrets/secrets.yaml;
};
};
};
custom.prometheus = {
enable = true;
exporters.blackbox.enable = true;
};
commonSettings = {
auth.enable = true;
proxyServer.enable = true;
};
};
}

159
machines/dolomite/default.nix
View file

@ -1,159 +0,0 @@
{ config, lib, ... }:
let
awsHosts = [ "tok-00" ];
bwgHosts = [ "la-00" ];
clawHosts = [ "hk-00" ];
in
{
imports = [
../sops.nix
./bandwagon.nix
./lightsail.nix
./claw.nix
];
config = {
isBandwagon = builtins.elem config.networking.hostName bwgHosts;
isLightsail = builtins.elem config.networking.hostName awsHosts;
isClaw = builtins.elem config.networking.hostName clawHosts;
sops = {
secrets = {
wg_private_key = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
wg_ipv6_local_addr = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
};
};
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
networking.firewall.trustedInterfaces = [ "tun0" ];
security.acme = {
acceptTerms = true;
certs.${config.deployment.targetHost} = {
email = "me@namely.icu";
# Avoid port conflict
listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
};
};
services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = ''
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [
80
8080
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
custom.prometheus = {
enable = true;
exporters.blackbox.enable = true;
};
custom.commonSettings = {
auth.enable = true;
};
services.sing-box =
let
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
password = {
_secret = config.sops.secrets.singbox_password.path;
};
uuid = {
_secret = config.sops.secrets.singbox_uuid.path;
};
in
{
enable = true;
settings = {
inbounds =
[
{
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{
name = "proxy";
password = password;
}
];
tls = singTls;
}
]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{
name = "proxy";
uuid = uuid;
password = password;
}
];
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
type = "direct";
tag = "direct";
}
];
route = {
rules = [
{
inbound = "sg0";
outbound = "direct";
}
{
inbound = "sg4";
outbound = "direct";
}
];
};
};
};
};
}

8
machines/dolomite/lightsail.nix
View file

@ -1,11 +1,9 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
with lib;
let
cfg = config.ec2;
in
@ -20,11 +18,7 @@ in
"${modulesPath}/virtualisation/amazon-init.nix"
];
options = {
isLightsail = mkEnableOption "Lightsail instance";
};
config = mkIf config.isLightsail {
config = {
boot.loader.grub.device = "/dev/nvme0n1";
# from nixpkgs amazon-image.nix

59
machines/dolomite/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,59 @@
sing-box:
password: ENC[AES256_GCM,data:aifvj/rBvmIF6M4SJ6j4rkw0J0oBGUmO,iv:C9KlVngh74z/VjjOGxnlpA4CqFv7TCSD3KSm2l/xGB4=,tag:10zUgbP2exTQ4KK0zeMM2A==,type:str]
uuid: ENC[AES256_GCM,data:ZPEqllAXeLMyVEp/6+9LSL346J2tiuM5tYs404/vp9rnkrvc,iv:Oy/U1c2sW5a2eQQxXAEjqaE85xX5rFapz9k/DtcZR+w=,tag:BHU+ScDBeWnctkDBRnm+4g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dElZTXFjbzhNbE1OYmdP
M0JLVWMyOUpSMnQ1Q2hDc2VXVUxpblhDVUNjCmxGZXRsUmdWWjZPZGFhaDFHNnpx
YVVSWFl1YThwWENSVTdiWkRENlBhdDQKLS0tIGl0OWsrNXljLy9wejd4Q3JmTUFE
WGFaN21vb1EwTDdSOEFVSWlQZWR1Z1kKIy+vG42G/7hTJX9BNYXjy4GNnUEnzUgB
aRoLxgTpkTKezZiKkISQwEuFD8qC7aeQIV1kmGDpNK2uucJfFswvbQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNGE0Sk5lbXVNSjVQUTFF
VFFrVzJKczJwTWJJOEdKTVFhai9RWmJNSkJjCkNKQzRQWmcxTndIcERkMTFubi9K
SXVhbDhEMmRFRCtXdEVqMFdRbjQ3RTgKLS0tIGNIOWYzL0NUeklBRU5paEoyZ211
NDY5RDdwelMwVjVscHdOaGV2aTMwQUUKZaCo5jFlWxTsELGyQiY4CmcjdUcnBzOU
JzcWDMcODTo/yER/0jdPpdfvUWiGi12voIuqRJkON0x7d3X2d2Sexg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2LzI1M2orSDVyYTRRRnB6
d25oaHZSMWFUQ2lZTWxtVzFRSkxjd01tNjFZCmJHUWVGd2hYWVlpdk80WUxwM080
N0V1UW1hUC9GNWlPRCtuYUsxSzdmWUEKLS0tIEhSazVWeEpIVnoweWdnOEU2Q1hT
Yjl6bFRZS2RSRGpPWFdDS2lObCt0MGsKcFXy/2mLLlxY/vP+kCaeaR+9aBRL7ys1
x+HBAPqvcqvYk3MGBD9TpIW317RthDhEkY57GmtHgqIUsSLWsBgNdw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL2NXTDNqWkYzQlVvM0xO
ZDk2RTFISHh3TmpTN2cxT3RTVnFUaURpK3dRCmJEVWJnNXdoT0JYYjBvcm4rSkZ0
QW5WeWhqWnZqaGlLRHphZW5PMUNZTDQKLS0tIGZFc2ZlREgwKysrNEhROUJzbHBU
TzhHdlV1bjduT1hlTVFMTmRtQmN0MFUKhCYQh5uVOjEj2kKSfSUVa8k35mqkDoTk
3CchebRciIR+w52d6uEsQove0248+OniG6bJ5ykkExLo1RzDQD7pBQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhS0tDdThIRnNaZVZKanZY
bm1uV25nUzZITW5QY2Z2SkZtMFAvY1RVOWdrCnZMZ3F6dHd1TmhCMnZvbFhZYjJK
ZXRVUWNtVXVpOWFYWmdFQ2RZajlTQk0KLS0tIFJSYkxkelFTWkRYMjAvQ2lpTGRQ
bmE0bWg1U1ZkZHR4TEVtR0crbVZxdmcKeVUli/Tt4Xy4XxbUbFj9a4y6c9ZE/NjE
nCKLNYYPsZ/nS6qN3Pdetps4ziajJHUVmxCqNMHD+OoWqT6W8V/O6w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-22T05:51:19Z"
mac: ENC[AES256_GCM,data:LPUb7YbELPsgYX+LvfuGdiNG1B5ZrvyRVZL9UiMHoJMDHaWpDGCQkT1bk5jEOewwFh+StK560UsPK4uW0+SqADJO80rmM3xfqlp5Ul2HJ8mU19l5C6FLpv2REIzhCp333rNJJlyhn3H6GZgMaWnjjLSX9XMOVaq1iz6Qt0P76SI=,iv://EdDr5D51RFuucq8gkei2RC7H2bkRYxP/7lerp9dtk=,tag:JrRQ19sZ0OAZouMgOiU/tQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

11
machines/secrets.yaml
View file

@ -4,8 +4,9 @@ autofs-nas-secret: ENC[AES256_GCM,data:gbOizRZAvh79HlJWIWeKTk79Ux311XGL1eIswc0P2
github_public_token: ENC[AES256_GCM,data:6Gt+oJcCRHeoLK7CRndMMbszTXSEbnN0nQzsVOnl/+zB4hxbEPD5k/vkkl+cZ/qmxdxFXV0OOsYvktn44Yv1DMUE3mkB0hcAdoyPwLuYM7W3RpOoW3OktH8DRCUi6msvFp3ykpdmIl9WyjVhc/lMwTaYJQyRh1ue,iv:PJSFtJBelyc3rzd6hqjMp+ciU2Q3FTOEXsiq5F2KKTY=,tag:Y/stRg6kwyjjIFZCXS/peg==,type:str]
singbox_sg_server: ENC[AES256_GCM,data:SF2ja6W4TwThwoug5x2KTA==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:7XA9KSoR0GA6FoYRhCv4BQ==,type:str]
singbox_jp_server: ENC[AES256_GCM,data:S3Bs5yVMzyz6vD51GYElOM5h,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:o9d55cZuWmX4NDYexWjvYQ==,type:str]
singbox_password: ENC[AES256_GCM,data:bZ50/gG53D9fyGnQ7ky8VRdNEDhGjbFD,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:nbr2zNCs3RAr/uidkp08ng==,type:str]
singbox_uuid: ENC[AES256_GCM,data:gYppcUvF5Aj4mBQTMy56kb9JazUM6SeiYLspqiZjbTkPOhhk,iv:+uwt/N9LpFaJK6MjoczyrZ039MDZn4kRmtEoq4OvdFU=,tag:IiBZRfFpjKB/swmJNjodyA==,type:str]
sing-box:
password: ENC[AES256_GCM,data:xyqmoJEDI5959zHPTVelln/iThtoeDwS,iv:rLyqJsE/4JDf08RlMLLPh+MKJkba9bL0z8jx6bTEfgc=,tag:cgLHdeLIyPvLhRNaVcQ0TQ==,type:str]
uuid: ENC[AES256_GCM,data:lWBCM5wyz6BcUUHdvynkn5y166Kk15jO0EhWUDuhXXhrve5l,iv:RmDJYFnYqIEIShLn25sf4h8AO2E3+3Xa2U9Mff+Xk2w=,tag:SN0DUdwZXKO/VEnozrr5mA==,type:str]
grafana_cloud_api: ENC[AES256_GCM,data:eEvPAwtThK1FMhbrnmSo89+GlWZAF+LQRMLXA2C6f1vR7ZPlXJZGWzjYwDcPlnpiC737/cG14M4kZqvPGBuNub5A83rBS/+FeebvGDIF59L5PC1Ys1jWBB9YRI/L9EU0tvwTTUCvLRA9j28n7Jw7wR6mWXm63XA+OMu8/UbTwbeV/WUQn8vnwqadSUdCnNKJXMsAY+q9t/st0DPm5+aNxA==,iv:cHvbeCmLFmJPNKsl1BBYx9WJP7ZJWi+8c9yHZWc6FTs=,tag:87C+0FVvzDIowE0+QpY1zA==,type:str]
private_dns_address: ENC[AES256_GCM,data:YJxNOH4hsZHResvANEqJRTANhnL4PLp/Pmi/PhgtSTbTKiJKPqudhTEkNg==,iv:8+qG5rQXAKfrykEjt9qrbtyNaBuKvi7EaIWouRqEipY=,tag:VH0w5ZbXcWFGZ9GLavm7/w==,type:str]
sops:
@ -86,8 +87,8 @@ sops:
NzA1cy80ZW5vUFplQzVMZ0txSmVkMUEKFUvgmJNdo9sV33gOx7LVUSCYvIqCNwaP
u+XoWTfg4kp9f4KVTy/8huPsVLhZBUaf6jI10mV2z4QwaLHje4JiHw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-17T12:19:12Z"
mac: ENC[AES256_GCM,data:3Z22GxxDjR2FVZ7VnFY/QhQ1i//1WC93GIwK4d51i13OWmcb71UPmmA6O/HlvLdP6goFCj95eRMUEiiVcdKagt1ca6HsDd6bkOEXwdl//fgOHUsgx5SNtA4kVJwK2bJuUvG72aOiLq89qvNprMLslJ47YqS9WM3rudk3Wp/P+og=,iv:GMN806nsrQg0+ZS0AReamzVv2FrLGELfA6x3RLNE/II=,tag:j2Bq9xYETCSL13zHx1BztA==,type:str]
lastmodified: "2024-11-22T05:48:59Z"
mac: ENC[AES256_GCM,data:In/gSIYnXKbbv1lzS/nmSESCHBcBv/TtkvhzdNiIn73N4kP9aJ+1JE8Npix8zNItzk46DX+nHBk8Kwgl6uq26YtL+sMTBKh5K8Ny0H8ivlgS+olXswv3Y9h1cYD7FBHUKzbMuiJd0ppjC0ZIn20rRpb4d57rwUbvY0KstyQW4JA=,iv:DcdTAimbXXpKhhiB9rriS75+XGNOCcScqi/804+Xx6g=,tag:NHW+UViRmbUDHb0gTd9TDg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
version: 3.9.1

6
machines/sops.nix
View file

@ -19,12 +19,6 @@
singbox_jp_server = {
owner = "root";
};
singbox_password = {
owner = "root";
};
singbox_uuid = {
owner = "root";
};
private_dns_address = {
owner = "root";
};

35
modules/nixos/common-settings/proxy-server.nix
View file

@ -36,7 +36,9 @@ let
users = [
{
name = "proxy";
password = password;
password = {
_secret = password;
};
}
];
tls = singTls;
@ -51,8 +53,12 @@ let
users = [
{
name = "proxy";
uuid = uuid;
password = password;
uuid = {
_secret = uuid;
};
password = {
_secret = password;
};
}
];
tls = singTls;
@ -102,12 +108,6 @@ in
{
options.commonSettings.proxyServer = {
enable = mkEnableOption "sing-box as a server";
uuidFile = mkOption {
type = types.path;
};
passwordFile = mkOption {
type = types.path;
};
};
config = mkIf cfg.enable {
@ -118,19 +118,6 @@ in
networking.firewall.trustedInterfaces = [ "tun0" ];
sops = {
secrets = {
wg_private_key = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
wg_ipv6_local_addr = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
};
};
security.acme = {
acceptTerms = true;
certs.${config.deployment.targetHost} = {
@ -157,8 +144,8 @@ in
services.sing-box = {
enable = true;
settings = mkSingConfig {
uuid = cfg.uuidFile;
password = cfg.passwordFile;
uuid = config.sops.secrets."sing-box/uuid".path;
password = config.sops.secrets."sing-box/password".path;
};
};
};

1
modules/nixos/default.nix
View file

@ -3,6 +3,7 @@
./common-settings/auth.nix
./common-settings/autoupgrade.nix
./common-settings/nix-conf.nix
./common-settings/proxy-server.nix
./restic.nix
./vaultwarden.nix
./prometheus