From d5ff5cbbb2edca948106aaf252341f004da8c993 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 22 Nov 2024 14:45:16 +0800 Subject: [PATCH] dolomite: refactor --- .sops.yaml | 8 + flake.nix | 18 +- machines/dolomite/bandwagon.nix | 12 +- machines/dolomite/claw.nix | 10 +- machines/dolomite/common.nix | 36 ++++ machines/dolomite/default.nix | 159 ------------------ machines/dolomite/lightsail.nix | 8 +- machines/dolomite/secrets/secrets.yaml | 59 +++++++ machines/secrets.yaml | 11 +- machines/sops.nix | 6 - .../nixos/common-settings/proxy-server.nix | 35 ++-- modules/nixos/default.nix | 1 + 12 files changed, 139 insertions(+), 224 deletions(-) create mode 100644 machines/dolomite/common.nix delete mode 100644 machines/dolomite/default.nix create mode 100644 machines/dolomite/secrets/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 79707f1..153993e 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -24,6 +24,14 @@ creation_rules: - age: - *xin - *host-massicot + - path_regex: machines/dolomite/secrets/secrets.yaml + key_groups: + - age: + - *xin + - *host-sgp-00 + - *host-tok-00 + - *host-la-00 + - *host-hk-00 - path_regex: machines/dolomite/secrets/sgp-00.yaml key_groups: - age: diff --git a/flake.nix b/flake.nix index 1000f83..606276e 100644 --- a/flake.nix +++ b/flake.nix @@ -104,6 +104,18 @@ machines/calcite/configuration.nix (mkHome "xin" "calcite") ]; + hk-00 = [ + ./machines/dolomite/claw.nix + ./machines/dolomite/common.nix + ]; + la-00 = [ + ./machines/dolomite/bandwagon.nix + ./machines/dolomite/common.nix + ]; + tok-00 = [ + ./machines/dolomite/lightsail.nix + ./machines/dolomite/common.nix + ]; }; sharedColmenaModules = [ deploymentModule @@ -175,7 +187,7 @@ tok-00 = { ... }: { - imports = [ machines/dolomite ] ++ sharedColmenaModules; + imports = nodeNixosModules.tok-00 ++ sharedColmenaModules; nixpkgs.system = "x86_64-linux"; networking.hostName = "tok-00"; system.stateVersion = "23.11"; 
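Review bot: The new creation rule for `machines/dolomite/secrets/secrets.yaml` adds `*host-sgp-00` to the key group, but nothing in this patch wires an sgp-00 node to `machines/dolomite/common.nix`, the only consumer of that file (flake.nix gains entries for hk-00, la-00 and tok-00 only); a recipient that never reads the secret is either a key to drop from the group or a missing `nodeNixosModules` entry, and which one is not visible here. Note too that the file holds a single `sing-box/password` and `sing-box/uuid` for every host in the group, so compromise of any one host exposes the credential used by all of them; the per-host `${config.networking.hostName}.yaml` already used for `wg_private_key` in common.nix is the pattern that limits that blast radius if per-host values are acceptable for the clients. A one-line comment above the rule would make the sharing deliberate, e.g. `# shared sing-box credentials: every dolomite host in this group can decrypt the file`.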
@@ -189,7 +201,7 @@ la-00 = { ... }: { - imports = [ machines/dolomite ] ++ sharedColmenaModules; + imports = nodeNixosModules.la-00 ++ sharedColmenaModules; nixpkgs.system = "x86_64-linux"; networking.hostName = "la-00"; system.stateVersion = "21.05"; @@ -203,7 +215,7 @@ hk-00 = { ... }: { - imports = [ machines/dolomite ] ++ sharedColmenaModules; + imports = nodeNixosModules.hk-00 ++ sharedColmenaModules; nixpkgs.system = "x86_64-linux"; networking.hostName = "hk-00"; system.stateVersion = "24.05"; diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index 91449c1..803be29 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix @@ -1,21 +1,11 @@ { - config, - lib, - pkgs, modulesPath, ... }: -let - cfg = config.isBandwagon; -in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - options = { - isBandwagon = lib.mkEnableOption "Bandwagon instance"; - }; - - config = lib.mkIf cfg { + config = { boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" diff --git a/machines/dolomite/claw.nix b/machines/dolomite/claw.nix index b8cf692..ead0225 100644 --- a/machines/dolomite/claw.nix +++ b/machines/dolomite/claw.nix @@ -1,22 +1,14 @@ { - config, lib, modulesPath, ... }: -let - cfg = config.isClaw; -in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - options = { - isClaw = lib.mkEnableOption "Lightsail instance"; - }; - - config = lib.mkIf cfg { + config = { boot.initrd.availableKernelModules = [ "uhci_hcd" "virtio_blk" diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix new file mode 100644 index 0000000..83b0e36 --- /dev/null +++ b/machines/dolomite/common.nix 
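Review bot: claw.nix keeps `lib` in its argument set while the `lib.mkEnableOption`/`lib.mkIf` uses that justified it are removed in this hunk, whereas bandwagon.nix drops `config`, `lib` and `pkgs` in the same refactor; if nothing below the hunk uses `lib`, drop it here as well for consistency, `{ modulesPath, ... }:`. With no `options` attribute left, the `config = { … };` wrapper in the three host files is also no longer needed, though keeping it is harmless. The rest of claw.nix lies outside the hunk, so the unused-argument point is inferred from the visible lines only.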
@@ -0,0 +1,36 @@ +{ config, ... }: +{ + config = { + sops = { + secrets = { + wg_private_key = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + wg_ipv6_local_addr = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + "sing-box/password" = { + owner = "root"; + sopsFile = ./secrets/secrets.yaml; + }; + "sing-box/uuid" = { + owner = "root"; + sopsFile = ./secrets/secrets.yaml; + }; + }; + }; + + custom.prometheus = { + enable = true; + exporters.blackbox.enable = true; + }; + + commonSettings = { + auth.enable = true; + proxyServer.enable = true; + }; + }; + +} diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix deleted file mode 100644 index e3bb640..0000000 --- a/machines/dolomite/default.nix +++ /dev/null 
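Review bot: `commonSettings.auth.enable = true` in the new common.nix drops the `custom.` prefix that the deleted machines/dolomite/default.nix used (`custom.commonSettings.auth.enable`), while `custom.prometheus` on the lines above keeps it; `proxyServer` is declared under `options.commonSettings` in proxy-server.nix, but whether auth.nix declares its option under `commonSettings` or `custom.commonSettings` is not visible in this patch, and if it is the latter the node fails to evaluate with an undefined-option error. common.nix also no longer imports `../sops.nix`, which default.nix did; unless sharedColmenaModules already pulls it in, the host-level secrets declared there (for example `singbox_sg_server`) disappear from these nodes. A header comment would help the next reader, e.g. `# Shared by every dolomite node; per-host wireguard secrets live in ./secrets/<hostName>.yaml, sing-box credentials in ./secrets/secrets.yaml`.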
@@ -1,159 +0,0 @@ -{ config, lib, ... }: -let - awsHosts = [ "tok-00" ]; - bwgHosts = [ "la-00" ]; - clawHosts = [ "hk-00" ]; -in -{ - imports = [ - ../sops.nix - ./bandwagon.nix - ./lightsail.nix - ./claw.nix - ]; - - config = { - isBandwagon = builtins.elem config.networking.hostName bwgHosts; - isLightsail = builtins.elem config.networking.hostName awsHosts; - isClaw = builtins.elem config.networking.hostName clawHosts; - sops = { - secrets = { - wg_private_key = { - owner = "root"; - sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; - }; - wg_ipv6_local_addr = { - owner = "root"; - sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; - }; - }; - }; - boot.kernel.sysctl = { - "net.core.default_qdisc" = "fq"; - "net.ipv4.tcp_congestion_control" = "bbr"; - }; - - networking.firewall.trustedInterfaces = [ "tun0" ]; - - security.acme = { - acceptTerms = true; - certs.${config.deployment.targetHost} = { - email = "me@namely.icu"; - # Avoid port conflict - listenHTTP = if config.services.caddy.enable then ":30310" else ":80"; - }; - }; - services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = '' - reverse_proxy 127.0.0.1:30310 - ''; - - networking.firewall.allowedTCPPorts = [ - 80 - 8080 - ]; - networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); - - custom.prometheus = { - enable = true; - exporters.blackbox.enable = true; - }; - - custom.commonSettings = { - auth.enable = true; - }; - - services.sing-box = - let - singTls = { - enabled = true; - server_name = config.deployment.targetHost; - key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; - certificate_path = - config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; - }; - password = { - _secret = config.sops.secrets.singbox_password.path; - }; - uuid = { - _secret = config.sops.secrets.singbox_uuid.path; - }; - in - { - enable = true; - settings = { - inbounds = - [ - { - tag = 
"sg0"; - type = "trojan"; - listen = "::"; - listen_port = 8080; - users = [ - { - name = "proxy"; - password = password; - } - ]; - tls = singTls; - } - ] - ++ lib.forEach (lib.range 6311 6314) (port: { - tag = "sg" + toString (port - 6310); - type = "tuic"; - listen = "::"; - listen_port = port; - congestion_control = "bbr"; - users = [ - { - name = "proxy"; - uuid = uuid; - password = password; - } - ]; - tls = singTls; - }); - outbounds = [ - { - type = "wireguard"; - tag = "wg-out"; - private_key = { - _secret = config.sops.secrets.wg_private_key.path; - }; - local_address = [ - "172.16.0.2/32" - { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } - ]; - peers = [ - { - public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; - allowed_ips = [ - "0.0.0.0/0" - "::/0" - ]; - server = "162.159.192.1"; - server_port = 500; - } - ]; - } - { - type = "direct"; - tag = "direct"; - } - ]; - route = { - rules = [ - { - inbound = "sg0"; - outbound = "direct"; - } - { - inbound = "sg4"; - outbound = "direct"; - } - ]; - }; - }; - }; - }; - -} diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index 230b23d..e44fac4 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix @@ -1,11 +1,9 @@ { config, - lib, pkgs, modulesPath, ... }: -with lib; let cfg = config.ec2; in @@ -20,11 +18,7 @@ in "${modulesPath}/virtualisation/amazon-init.nix" ]; - options = { - isLightsail = mkEnableOption "Lightsail instance"; - }; - - config = mkIf config.isLightsail { + config = { boot.loader.grub.device = "/dev/nvme0n1"; # from nixpkgs amazon-image.nix diff --git a/machines/dolomite/secrets/secrets.yaml b/machines/dolomite/secrets/secrets.yaml new file mode 100644 index 0000000..c05a97e --- /dev/null +++ b/machines/dolomite/secrets/secrets.yaml 
@@ -0,0 +1,59 @@ +sing-box: + password: ENC[AES256_GCM,data:aifvj/rBvmIF6M4SJ6j4rkw0J0oBGUmO,iv:C9KlVngh74z/VjjOGxnlpA4CqFv7TCSD3KSm2l/xGB4=,tag:10zUgbP2exTQ4KK0zeMM2A==,type:str] + uuid: ENC[AES256_GCM,data:ZPEqllAXeLMyVEp/6+9LSL346J2tiuM5tYs404/vp9rnkrvc,iv:Oy/U1c2sW5a2eQQxXAEjqaE85xX5rFapz9k/DtcZR+w=,tag:BHU+ScDBeWnctkDBRnm+4g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dElZTXFjbzhNbE1OYmdP + M0JLVWMyOUpSMnQ1Q2hDc2VXVUxpblhDVUNjCmxGZXRsUmdWWjZPZGFhaDFHNnpx + YVVSWFl1YThwWENSVTdiWkRENlBhdDQKLS0tIGl0OWsrNXljLy9wejd4Q3JmTUFE + WGFaN21vb1EwTDdSOEFVSWlQZWR1Z1kKIy+vG42G/7hTJX9BNYXjy4GNnUEnzUgB + aRoLxgTpkTKezZiKkISQwEuFD8qC7aeQIV1kmGDpNK2uucJfFswvbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNGE0Sk5lbXVNSjVQUTFF + VFFrVzJKczJwTWJJOEdKTVFhai9RWmJNSkJjCkNKQzRQWmcxTndIcERkMTFubi9K + SXVhbDhEMmRFRCtXdEVqMFdRbjQ3RTgKLS0tIGNIOWYzL0NUeklBRU5paEoyZ211 + NDY5RDdwelMwVjVscHdOaGV2aTMwQUUKZaCo5jFlWxTsELGyQiY4CmcjdUcnBzOU + JzcWDMcODTo/yER/0jdPpdfvUWiGi12voIuqRJkON0x7d3X2d2Sexg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2LzI1M2orSDVyYTRRRnB6 + d25oaHZSMWFUQ2lZTWxtVzFRSkxjd01tNjFZCmJHUWVGd2hYWVlpdk80WUxwM080 + N0V1UW1hUC9GNWlPRCtuYUsxSzdmWUEKLS0tIEhSazVWeEpIVnoweWdnOEU2Q1hT + Yjl6bFRZS2RSRGpPWFdDS2lObCt0MGsKcFXy/2mLLlxY/vP+kCaeaR+9aBRL7ys1 + x+HBAPqvcqvYk3MGBD9TpIW317RthDhEkY57GmtHgqIUsSLWsBgNdw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL2NXTDNqWkYzQlVvM0xO + ZDk2RTFISHh3TmpTN2cxT3RTVnFUaURpK3dRCmJEVWJnNXdoT0JYYjBvcm4rSkZ0 + QW5WeWhqWnZqaGlLRHphZW5PMUNZTDQKLS0tIGZFc2ZlREgwKysrNEhROUJzbHBU + TzhHdlV1bjduT1hlTVFMTmRtQmN0MFUKhCYQh5uVOjEj2kKSfSUVa8k35mqkDoTk + 3CchebRciIR+w52d6uEsQove0248+OniG6bJ5ykkExLo1RzDQD7pBQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhS0tDdThIRnNaZVZKanZY + bm1uV25nUzZITW5QY2Z2SkZtMFAvY1RVOWdrCnZMZ3F6dHd1TmhCMnZvbFhZYjJK + ZXRVUWNtVXVpOWFYWmdFQ2RZajlTQk0KLS0tIFJSYkxkelFTWkRYMjAvQ2lpTGRQ + bmE0bWg1U1ZkZHR4TEVtR0crbVZxdmcKeVUli/Tt4Xy4XxbUbFj9a4y6c9ZE/NjE + nCKLNYYPsZ/nS6qN3Pdetps4ziajJHUVmxCqNMHD+OoWqT6W8V/O6w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-22T05:51:19Z" + mac: ENC[AES256_GCM,data:LPUb7YbELPsgYX+LvfuGdiNG1B5ZrvyRVZL9UiMHoJMDHaWpDGCQkT1bk5jEOewwFh+StK560UsPK4uW0+SqADJO80rmM3xfqlp5Ul2HJ8mU19l5C6FLpv2REIzhCp333rNJJlyhn3H6GZgMaWnjjLSX9XMOVaq1iz6Qt0P76SI=,iv://EdDr5D51RFuucq8gkei2RC7H2bkRYxP/7lerp9dtk=,tag:JrRQ19sZ0OAZouMgOiU/tQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 58dc777..cedd676 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
@@ -4,8 +4,9 @@ autofs-nas-secret: ENC[AES256_GCM,data:gbOizRZAvh79HlJWIWeKTk79Ux311XGL1eIswc0P2 github_public_token: ENC[AES256_GCM,data:6Gt+oJcCRHeoLK7CRndMMbszTXSEbnN0nQzsVOnl/+zB4hxbEPD5k/vkkl+cZ/qmxdxFXV0OOsYvktn44Yv1DMUE3mkB0hcAdoyPwLuYM7W3RpOoW3OktH8DRCUi6msvFp3ykpdmIl9WyjVhc/lMwTaYJQyRh1ue,iv:PJSFtJBelyc3rzd6hqjMp+ciU2Q3FTOEXsiq5F2KKTY=,tag:Y/stRg6kwyjjIFZCXS/peg==,type:str] singbox_sg_server: ENC[AES256_GCM,data:SF2ja6W4TwThwoug5x2KTA==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:7XA9KSoR0GA6FoYRhCv4BQ==,type:str] singbox_jp_server: ENC[AES256_GCM,data:S3Bs5yVMzyz6vD51GYElOM5h,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:o9d55cZuWmX4NDYexWjvYQ==,type:str] -singbox_password: ENC[AES256_GCM,data:bZ50/gG53D9fyGnQ7ky8VRdNEDhGjbFD,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:nbr2zNCs3RAr/uidkp08ng==,type:str] -singbox_uuid: ENC[AES256_GCM,data:gYppcUvF5Aj4mBQTMy56kb9JazUM6SeiYLspqiZjbTkPOhhk,iv:+uwt/N9LpFaJK6MjoczyrZ039MDZn4kRmtEoq4OvdFU=,tag:IiBZRfFpjKB/swmJNjodyA==,type:str] +sing-box: + password: ENC[AES256_GCM,data:xyqmoJEDI5959zHPTVelln/iThtoeDwS,iv:rLyqJsE/4JDf08RlMLLPh+MKJkba9bL0z8jx6bTEfgc=,tag:cgLHdeLIyPvLhRNaVcQ0TQ==,type:str] + uuid: ENC[AES256_GCM,data:lWBCM5wyz6BcUUHdvynkn5y166Kk15jO0EhWUDuhXXhrve5l,iv:RmDJYFnYqIEIShLn25sf4h8AO2E3+3Xa2U9Mff+Xk2w=,tag:SN0DUdwZXKO/VEnozrr5mA==,type:str] grafana_cloud_api: ENC[AES256_GCM,data:eEvPAwtThK1FMhbrnmSo89+GlWZAF+LQRMLXA2C6f1vR7ZPlXJZGWzjYwDcPlnpiC737/cG14M4kZqvPGBuNub5A83rBS/+FeebvGDIF59L5PC1Ys1jWBB9YRI/L9EU0tvwTTUCvLRA9j28n7Jw7wR6mWXm63XA+OMu8/UbTwbeV/WUQn8vnwqadSUdCnNKJXMsAY+q9t/st0DPm5+aNxA==,iv:cHvbeCmLFmJPNKsl1BBYx9WJP7ZJWi+8c9yHZWc6FTs=,tag:87C+0FVvzDIowE0+QpY1zA==,type:str] private_dns_address: ENC[AES256_GCM,data:YJxNOH4hsZHResvANEqJRTANhnL4PLp/Pmi/PhgtSTbTKiJKPqudhTEkNg==,iv:8+qG5rQXAKfrykEjt9qrbtyNaBuKvi7EaIWouRqEipY=,tag:VH0w5ZbXcWFGZ9GLavm7/w==,type:str] sops: 
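Review bot: The `sing-box:` `password`/`uuid` entries added to machines/secrets.yaml duplicate the ones created in machines/dolomite/secrets/secrets.yaml, and after `singbox_password`/`singbox_uuid` are removed from machines/sops.nix nothing in this patch declares a secret backed by these keys; the `sing-box/*` secrets in common.nix point at `./secrets/secrets.yaml` instead. A second copy of the same credential is one more place to rotate and one more file whose age recipients must be audited, so either drop these two entries or record in machines/sops.nix why this copy is kept. Whether the two copies decrypt to the same value cannot be seen from the ciphertext.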
@@ -86,8 +87,8 @@ sops: NzA1cy80ZW5vUFplQzVMZ0txSmVkMUEKFUvgmJNdo9sV33gOx7LVUSCYvIqCNwaP u+XoWTfg4kp9f4KVTy/8huPsVLhZBUaf6jI10mV2z4QwaLHje4JiHw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-17T12:19:12Z" - mac: ENC[AES256_GCM,data:3Z22GxxDjR2FVZ7VnFY/QhQ1i//1WC93GIwK4d51i13OWmcb71UPmmA6O/HlvLdP6goFCj95eRMUEiiVcdKagt1ca6HsDd6bkOEXwdl//fgOHUsgx5SNtA4kVJwK2bJuUvG72aOiLq89qvNprMLslJ47YqS9WM3rudk3Wp/P+og=,iv:GMN806nsrQg0+ZS0AReamzVv2FrLGELfA6x3RLNE/II=,tag:j2Bq9xYETCSL13zHx1BztA==,type:str] + lastmodified: "2024-11-22T05:48:59Z" + mac: ENC[AES256_GCM,data:In/gSIYnXKbbv1lzS/nmSESCHBcBv/TtkvhzdNiIn73N4kP9aJ+1JE8Npix8zNItzk46DX+nHBk8Kwgl6uq26YtL+sMTBKh5K8Ny0H8ivlgS+olXswv3Y9h1cYD7FBHUKzbMuiJd0ppjC0ZIn20rRpb4d57rwUbvY0KstyQW4JA=,iv:DcdTAimbXXpKhhiB9rriS75+XGNOCcScqi/804+Xx6g=,tag:NHW+UViRmbUDHb0gTd9TDg==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.0 + version: 3.9.1 diff --git a/machines/sops.nix b/machines/sops.nix index 3f56687..869fef7 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -19,12 +19,6 @@ singbox_jp_server = { owner = "root"; }; - singbox_password = { - owner = "root"; - }; - singbox_uuid = { - owner = "root"; - }; private_dns_address = { owner = "root"; }; diff --git a/modules/nixos/common-settings/proxy-server.nix b/modules/nixos/common-settings/proxy-server.nix index a6b5af9..d2cfb0f 100644 --- a/modules/nixos/common-settings/proxy-server.nix +++ b/modules/nixos/common-settings/proxy-server.nix @@ -36,7 +36,9 @@ let users = [ { name = "proxy"; - password = password; + password = { + _secret = password; + }; } ]; tls = singTls; @@ -51,8 +53,12 @@ let users = [ { name = "proxy"; - uuid = uuid; - password = password; + uuid = { + _secret = uuid; + }; + password = { + _secret = password; + }; } ]; tls = singTls; 
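Review bot: The two hunks in proxy-server.nix change the meaning of `mkSingConfig`'s `uuid` and `password` arguments from secret values to paths of files that the sing-box module reads through the `{ _secret = …; }` placeholder, but the `let` binding that defines `mkSingConfig` (above the hunk) is not updated to say so. A short comment there records the contract the call site now relies on, e.g. `# uuid/password: paths to files holding the secret; the sing-box module replaces each { _secret = path; } with the file contents at activation, so the values are not written into the generated config in the store`. The presumably-unchanged signature of `mkSingConfig` is outside the hunk, so confirm the comment against it.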
@@ -102,12 +108,6 @@ in { options.commonSettings.proxyServer = { enable = mkEnableOption "sing-box as a server"; - uuidFile = mkOption { - type = types.path; - }; - passwordFile = mkOption { - type = types.path; - }; }; config = mkIf cfg.enable { @@ -118,19 +118,6 @@ in networking.firewall.trustedInterfaces = [ "tun0" ]; - sops = { - secrets = { - wg_private_key = { - owner = "root"; - sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; - }; - wg_ipv6_local_addr = { - owner = "root"; - sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; - }; - }; - }; - security.acme = { acceptTerms = true; certs.${config.deployment.targetHost} = { @@ -157,8 +144,8 @@ in services.sing-box = { enable = true; settings = mkSingConfig { - uuid = cfg.uuidFile; - password = cfg.passwordFile; + uuid = config.sops.secrets."sing-box/uuid".path; + password = config.sops.secrets."sing-box/password".path; }; }; }; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 2851a12..bcfdca7 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -3,6 +3,7 @@ ./common-settings/auth.nix ./common-settings/autoupgrade.nix ./common-settings/nix-conf.nix + ./common-settings/proxy-server.nix ./restic.nix ./vaultwarden.nix ./prometheus
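Review bot: The last hunk makes `commonSettings.proxyServer` hard-depend on sops secrets named `sing-box/uuid` and `sing-box/password` being declared by whoever enables it (common.nix does, but the module itself declares none and the explicit `uuidFile`/`passwordFile` options are gone), so a host that sets `proxyServer.enable = true` without them fails with an attribute-missing error deep inside `mkSingConfig` rather than a message naming the requirement. An assertion in the `config = mkIf cfg.enable { … }` block turns that into a readable evaluation error; alternatively keep a `sopsFile` option and declare the two secrets in the module. Removing the two options is also a breaking change for any other consumer of this module outside this patch, if one exists.
```nix
    # Fail early with a readable message; mkSingConfig below dereferences these paths.
    assertions = [
      {
        assertion = config.sops.secrets ? "sing-box/uuid" && config.sops.secrets ? "sing-box/password";
        message = "commonSettings.proxyServer: declare sops secrets \"sing-box/uuid\" and \"sing-box/password\"";
      }
    ];
    # … unchanged: firewall, security.acme, services.sing-box …
```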