From f6e929a2b1eb28e806a0edcc03de36c2c36cf7b1 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 8 May 2025 21:41:02 +0800 Subject: [PATCH] chore: clean up unused options --- flake.nix | 2 +- machines/calcite/configuration.nix | 53 +-------------------- machines/calcite/hardware-configuration.nix | 13 ----- machines/calcite/network.nix | 14 ------ machines/calcite/secrets.yaml | 13 ++--- machines/weilite/default.nix | 16 ------- machines/weilite/secrets.yaml | 14 ++---- machines/weilite/services/caddy.nix | 28 ++++++----- 8 files changed, 26 insertions(+), 127 deletions(-) diff --git a/flake.nix b/flake.nix index dc2c5c2..746380d 100644 --- a/flake.nix +++ b/flake.nix @@ -115,7 +115,7 @@ self.homeManagerModules.default sops-nix.homeManagerModules.sops nix-index-database.hmModules.nix-index - catppuccin.homeManagerModules.catppuccin + catppuccin.homeModules.catppuccin ]; sharedNixosModules = [ self.nixosModules.default diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index be788a3..f71d213 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -5,7 +5,7 @@ ... }: let - inherit (lib) mkForce getExe; + inherit (lib) getExe; inherit (config.my-lib.settings) idpUrl; in { @@ -17,7 +17,7 @@ in ]; commonSettings = { - # auth.enable = true; + auth.enable = true; nix = { signing.enable = true; }; @@ -37,7 +37,6 @@ in boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.efiSysMountPoint = "/boot/efi"; - # boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelModules = [ "nvidia" "nvidia_modeset" @@ -61,7 +60,6 @@ in # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables tctiEnvironment.enable = true; }; - # services.gnome.gnome-keyring.enable = lib.mkForce false; security.pam.services.login.enableGnomeKeyring = lib.mkForce false; programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so"; 
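Review bot: `auth.enable = true;` in the @@ -17 hunk of machines/calcite/configuration.nix uncomments and enables an option, which is a behaviour change rather than the cleanup the subject line describes. It needs to be called out because the same patch removes the explicit `services.kanidm` client block further down (@@ -249), and a reader cannot tell from here whether `commonSettings.auth` now supplies that client or the machine simply loses its IdP client. If the former is the case, a one-line comment above it, `# kanidm client is configured by commonSettings.auth`, would settle it; otherwise the enable belongs in its own commit with a message.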
@@ -187,7 +185,6 @@ in settings = { main = { mouse2 = "leftmeta"; - # leftalt = "mouse1"; }; }; }; @@ -206,7 +203,6 @@ in extraBackends = [ pkgs.hplipWithPlugin ]; }; - hardware.pulseaudio.enable = false; security.rtkit.enable = true; services.avahi.enable = true; services.pipewire = { @@ -217,23 +213,6 @@ in pulse.enable = true; # If you want to use JACK applications, uncomment this jack.enable = true; - - # Airplay client - raopOpenFirewall = true; - extraConfig.pipewire = { - "10-airplay" = { - "context.modules" = [ - { - name = "libpipewire-module-raop-discover"; - - # increase the buffer size if you get dropouts/glitches - # args = { - # "raop.latency.ms" = 500; - # }; - } - ]; - }; - }; }; # Define a user account. Don't forget to set a password with ‘passwd’. @@ -249,13 +228,6 @@ in ]; }; - services.kanidm = { - enableClient = true; - clientSettings = { - uri = "https://${idpUrl}"; - }; - }; - # Smart services services.smartd.enable = true; @@ -264,11 +236,7 @@ in nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" - # FIXME: Waiting for https://github.com/NixOS/nixpkgs/pull/335753 - "jitsi-meet-1.0.8043" ]; - # List packages installed in system profile. To search, run: - # $ nix search wget environment.systemPackages = with pkgs; [ imhex oidc-agent @@ -292,8 +260,6 @@ in bubblewrap # ==== Development ==== # - # Python - # reference: https://nixos.wiki/wiki/Python ( let my-python-packages = @@ -340,7 +306,6 @@ in # Writting zotero - # onlyoffice-bin # wemeet wemeet @@ -367,10 +332,6 @@ in owner = "xin"; sopsFile = ./secrets.yaml; }; - "gitea/envfile" = { - owner = "root"; - sopsFile = ./secrets.yaml; - }; "davfs2/photosync_password" = { sopsFile = ./secrets.yaml; mode = "0600"; 
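Review bot: `"openssl-1.1.1w"` stays in `nixpkgs.config.permittedInsecurePackages` (@@ -264) with no note on which package still needs it, now that the FIXME that documented the neighbouring entry is gone, so the exception has no owner and no exit condition. Add a comment naming the dependent package and when the entry can go, e.g. `# needed by <package>; drop once it builds against openssl 3`, or remove the entry if nothing needs it any more. Separately, the @@ -249 hunk deletes the only visible use of `idpUrl`, while `inherit (config.my-lib.settings) idpUrl;` is kept in the let block in @@ -5; if nothing else in the file reads it, that binding is now dead and is part of the cleanup this commit is doing.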
@@ -401,16 +362,6 @@ in ]; }; - # custom.forgejo-actions-runner = { - # enable = false; - # tokenFile = config.sops.secrets."gitea/envfile".path; - # settings = { - # runner.capacity = 2; - # runner.fetch_timeout = "120s"; - # runner.fetch_interval = "30s"; - # }; - # }; - # custom.prometheus = { exporters.node.enable = true; }; diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 393713f..cb8041e 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -18,7 +18,6 @@ "ahci" "usbhid" ]; - boot.initrd.kernelModules = [ ]; boot.initrd = { systemd.enable = true; # initrd uses systemd @@ -31,10 +30,8 @@ }; }; boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; fileSystems."/" = { - # device = "/dev/disk/by-label/NIXROOT"; device = "/dev/mapper/cryptroot"; fsType = "btrfs"; }; @@ -57,16 +54,6 @@ swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true; - # networking.interfaces.virbr0.useDHCP = lib.mkDefault true; - # networking.interfaces.wg0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.graphics = { diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index d0e22dc..6438977 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix 
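Review bot: The hand-edits to machines/calcite/hardware-configuration.nix (@@ -18, @@ -31, @@ -57) will be overwritten the next time nixos-generate-config is run, so the removed lines come back and the file drifts from what is reviewed here; if that file is meant to stay hand-maintained, a comment at the top saying so would prevent a future regeneration from silently undoing this. Of the removals, only `networking.useDHCP = lib.mkDefault true;` affects runtime behaviour: as far as I recall the option defaults to true, so addressing should be unchanged unless another module sets it, but network.nix is only partly visible in this patch and it is worth confirming which module provides DHCP or NetworkManager for this host.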
@@ -1,14 +1,7 @@ { - config, pkgs, - lib, ... }: -let - inherit (config.my-lib.settings) - internalDomain - ; -in { imports = [ ]; @@ -28,14 +21,7 @@ in enable = true; extraUpFlags = [ "--accept-routes" ]; }; - # services.tailscale.useRoutingFeatures = "both"; - # services.dae.enable = true; - # services.dae.configFile = "/var/lib/dae/config.dae"; - # systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [ - # "NetworkManager-wait-online.service" - # ]; - # # Open ports in the firewall. networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 3389 ]; diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index f6ff278..6b7d63e 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml @@ -1,15 +1,9 @@ restic: repo_url: ENC[AES256_GCM,data:x/g1nZQ59SavVG+u5apNmBQ0Y5uQ9N0EKVh6qovqeP/Z7tmkudJtlBFD35C0ZidcQLAqTaZk1FFh8Ikjo4OcQSdTsx9BGvT4,iv:RQMOSEacDHXjYceBaAW4sFGk38vkijHuADcTS3DMxa8=,tag:769rLA2eRKjDrAaL/jERbA==,type:str] repo_password: ENC[AES256_GCM,data:jqsIP1R5/yX8F0oYaSXACx6C,iv:KckzqctKLnmay+d30/Y4IttiASxYnMw6IHQrtwP2YdQ=,tag:L/Ij51UU1om48I8fd4iuwA==,type:str] -gitea: - envfile: ENC[AES256_GCM,data:CK+JNELuzjKgWnImuV4Euif3f3nNOACOrvc4NiIXs+q/F7QWrtpb3TK8/FrLNQk=,iv:QSDrlKJCBld2gDx/y1sT8anh37GhqSS2QZd2JJi5Yis=,tag:x5T6h59LBXhEyVwSr2dnuQ==,type:str] davfs2: photosync_password: ENC[AES256_GCM,data:J3+pJCjjV+hlPC2il5f7Vn+9k+Aatolgut1DX1G+JF4=,iv:OgZn6Glho3Cfrl0GJhGSbmcYjSe6sjM9PjvEZnM/c4w=,tag:i5AVG139nK3ecK3VwWpQuQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | 
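Review bot: The @@ -1 hunk of machines/calcite/network.nix drops `config` and `lib` from the module's argument set and the `internalDomain` binding; the rest of the file is outside the hunk, so any remaining `config.`, `lib.` or `internalDomain` reference there is now an undefined variable at evaluation time, which is worth a quick grep before merging. While in this file, the @@ -21 hunk keeps `networking.firewall.allowedTCPPorts = [ 3389 ];`, which opens RDP on every interface; if it is only meant for tailnet peers, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 3389 ];` scopes it to that interface and a comment saying who it is for would make the intent clear.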
@@ -29,8 +23,7 @@ sops: WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-07T08:57:13Z" - mac: ENC[AES256_GCM,data:UvMXEu2UFapYNHa7kxvFhDzvJZvuV6mwRqmxFISDpp0VhRhY1+Mj2GFxrS5RgTW1ozUnCB0DSBUwWcmsPZeOUveMkHqqRFGZIjinh6blwseZjJMOR30KG3atY6L2adOOZaBERi+HJXqXfdqymeSCmkMC5iJ2jt2KGuMx5NqSfbE=,iv:pueL1hT/tvug65KPYxqY3RwNYeBOlGpIFf70+26VOYQ=,tag:VLwuipBxchMBSSuOMXYKJQ==,type:str] - pgp: [] + lastmodified: "2025-05-08T09:47:09Z" + mac: ENC[AES256_GCM,data:pBryBOfgVYROAJ6LfqpEXz8ph4bcAoWLADibpET0jwb4CBNuEW9BWXzVu+Ci+gKjKhSxh8xwr+TLSvo8zNOeGz/Mdl2vVaEWNKX4dUMMd9IXRJ+8jSlhxkMWPi25xoiMjY763MgOnBYsdqPpKKB1xLHkRtULAHlZ2m3VhVWxMWM=,iv:egYcxVjCH4uPbHvCcU9MVCRHoDbNH8tYet1vyDf9nhw=,tag:DDBC0TSdsnaF3SFTuH6rOQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.10.2 diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index ccb0b2d..2a568c6 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -1,5 +1,4 @@ { - config, pkgs, lib, modulesPath, @@ -12,13 +11,6 @@ ./services ]; - options = { - node = lib.mkOption { - type = lib.types.attrs; - default = { }; - }; - }; - config = { networking = { hostName = "weilite"; @@ -41,9 +33,6 @@ comin.enable = true; network.localdns.enable = true; }; - node = { - mediaDir = "/mnt/nixos/media"; - }; boot = { loader = { @@ -144,11 +133,6 @@ ]; }; - services.openssh.ports = [ - 22 - 2222 - ]; - services.tailscale = { enable = true; openFirewall = true; diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml index b5b0e87..e15ef18 100644 --- a/machines/weilite/secrets.yaml +++ b/machines/weilite/secrets.yaml 
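Review bot: Removing `gitea: envfile:` from machines/calcite/secrets.yaml (@@ -1) deletes the ciphertext from the working tree but not from history, and it does not invalidate whatever token the file held; any holder of the age recipient key can still decrypt the earlier revision. If the value was a live runner registration or API token, revoke it on the Gitea/Forgejo side as part of this cleanup and mention that in the commit message. The same applies to `caddy: dnspod_dns_token:` removed from machines/weilite/secrets.yaml in the next file of this patch.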
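Review bot: The @@ -144 hunk of machines/weilite/default.nix removes `services.openssh.ports = [ 22 2222 ];`, so sshd falls back to port 22 only and port 2222 is no longer opened by the module. That is a welcome reduction in exposed surface, but it is also a client-visible change that the commit message does not mention: anything that reached this host on 2222 (an ssh_config entry, a port-forward, a deploy script) stops working. The `options.node` declaration and `node.mediaDir` removed in @@ -12 and @@ -41 are only safe if no module under ./services still reads `config.node`; that directory is not part of the patch, so please confirm before merging.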
@@ -1,6 +1,7 @@ caddy: cf_dns_token: ENC[AES256_GCM,data:7PvP3oYMZ3dAeWaJNiuvEweUf3psDhyu90FT6cP0/AIOa0E40sdIRQ==,iv:IIYnZ35xAm9JJa14oHJi+ddI0u7Pgc4MfPLnKT4IlPc=,tag:V1PGZpaVzdN2cLpktbvTnA==,type:str] - dnspod_dns_token: ENC[AES256_GCM,data:ATed7RqLu1u06B61Irhd4SCzjK/Z823ygAgzROsNixZ2rExpB/Xo,iv:L121CGA+iZhn9V6mG2qEu3FI91/s7JO3cVTAwmAeqGw=,tag:l/7MXMZNqgFBwgCCMeZR2A==,type:str] + huawei_dns_access_key: ENC[AES256_GCM,data:3y9Sl9RDJlRkgTsctH8O4gRAcAU=,iv:2e03AKVniVYFyHV6KB00I/Y1rHD0Ira6kgly7zDqNT0=,tag:w6j1g329XIOrvshx7Ft7aA==,type:str] + huawei_dns_secret_key: ENC[AES256_GCM,data:or4WW7uFvbIoUwh1G63YDQxTFUnkkYrDJG0HEqoKzOSV+8rqy9cHrA==,iv:wB+TT8bh7jhN0ppJ3pqh882cs6RczpOtxKuYuyjRhMY=,tag:GlTSuYeGrGY/3b0g7IbLzw==,type:str] immich: oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] auto_stack_apikey: ENC[AES256_GCM,data:pormMdxkevrw1sJrmVtD+jEbfQFTOHeyZRepZt2roftjDYAdbzpppg==,iv:wumPYaTAfU+J0MD6yOFKmxY8eDMzwqVsd3IUXyTfk0A=,tag:54HlWH3iKyWG2Gv9QS/wLA==,type:str] @@ -16,10 +17,6 @@ webdav: photosync: password: ENC[AES256_GCM,data:s+omleBtVALG5bpbTnlzbwBj0oCZX8Dm8IbcUV6COnI=,iv:vwCs3ujmCcE87rl91ZtOEAgSQF1/0t17/7/0UM4x8fE=,tag:ylw76CX9SCylWoJt86rmjg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | 
@@ -39,8 +36,7 @@ sops: V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-06T14:28:44Z" - mac: ENC[AES256_GCM,data:tYAhkwRs2CFOUCw3Iuq6T5C+QkbpSz80fI6CP65VyFrNiej9hshmjngPnf8bFElF+bHI64a/zpo2y4CqV213011tOX2YYvLD5zrAQb18rBFUdJblY5wQyx/DXiPaIf5jK6WGHIRaOmqZJuqXKrQKnf99N12JydXjt6usBGGZr8M=,iv:wySf7lctw14iUbKo5fDu+p6TMY5QXGYYmBukh2qb19I=,tag:pZrnFiNZEK01pnDN0+1Rcw==,type:str] - pgp: [] + lastmodified: "2025-05-08T13:07:05Z" + mac: ENC[AES256_GCM,data:19bgXUH6rhQLin0RO0F5pgqzNIzHq5x+oSpIscbDimRvUhnvalMX6KSmbVgrHeNHrx4n3MpwI65Z+/6eeiR0Y6O2MOv49580UVKIEEP/yAPd3tbOW28/WsNp7MMhtF1Fx6o/rirV+H4vkvzq9+/z3tHO2MMjh9LeLcFB36b8ZD8=,iv:lU9o59P8BS1Azd0lVRtq8d3yNau54J9attOEiC32E4E=,tag:zUawHckwaXSxc7RWimVPUQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.10.2 diff --git a/machines/weilite/services/caddy.nix b/machines/weilite/services/caddy.nix index f1fae5d..91e4072 100644 --- a/machines/weilite/services/caddy.nix +++ b/machines/weilite/services/caddy.nix @@ -6,14 +6,19 @@ owner = "caddy"; mode = "400"; }; - "caddy/dnspod_dns_token" = { + "caddy/huawei_dns_access_key" = { + owner = "caddy"; + mode = "400"; + }; + "caddy/huawei_dns_secret_key" = { owner = "caddy"; mode = "400"; }; }; templates."caddy.env".content = '' CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"} - DNSPOD_API_TOKEN=${config.sops.placeholder."caddy/dnspod_dns_token"} + HUAWEICLOUD_ACCESS_KEY=${config.sops.placeholder."caddy/huawei_dns_access_key"} + HUAWEICLOUD_SECRET_KEY=${config.sops.placeholder."caddy/huawei_dns_secret_key"} ''; }; 
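Review bot: The Huawei Cloud credentials wired into `caddy.env` in the @@ -6 hunk of machines/weilite/services/caddy.nix (and the `acmeHuawei` snippet in the @@ -22 hunk) have no consumer I can see: both virtualHosts in that hunk now use `${acmeCF}`, and the `plugins` list is reduced to the cloudflare provider, so a `dns huaweicloud` directive would fail to load if `acmeHuawei` is referenced anywhere outside the patch. Either add the huaweicloud DNS provider plugin to `plugins` next to cloudflare (and adjust `hash`), or drop the two `caddy/huawei_dns_*` secrets, the two env lines and `acmeHuawei`, which is the cleanup this commit claims to do. Provisioning a live access/secret key pair to the caddy user for a module that is not compiled in widens exposure for no benefit.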
@@ -22,28 +27,25 @@ acmeCF = "tls { dns cloudflare {env.CF_API_TOKEN} }"; - acmeDnspod = "tls { - dns dnspod {env.DNSPOD_API_TOKEN} + acmeHuawei = "tls { + dns huaweicloud { + access_key_id {env.HUAWEICLOUD_ACCESS_KEY} + secret_access_key {env.HUAWEICLOUD_SECRET_KEY} + } }"; in { enable = true; package = pkgs.caddy.withPlugins { plugins = [ - "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e" - "github.com/caddy-dns/dnspod@v0.0.4" + "github.com/caddy-dns/cloudflare@v0.2.1" ]; - hash = "sha256-/BxdY36MZriRNhh3peU+XjYRAuuYiKhLY+RwO45Q2Ws="; + hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90="; }; virtualHosts."derper00.namely.icu:8443".extraConfig = '' - ${acmeDnspod} + ${acmeCF} reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port} ''; - # API Token must be added in systemd environment file - virtualHosts."immich.xinyang.life:8000".extraConfig = '' - ${acmeDnspod} - reverse_proxy 127.0.0.1:${toString config.services.immich.port} - ''; virtualHosts."immich.xiny.li:8443".extraConfig = '' ${acmeCF} reverse_proxy 127.0.0.1:${toString config.services.immich.port}
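Review bot: Switching `derper00.namely.icu:8443` from the dnspod challenge to `${acmeCF}` means the single `CF_API_TOKEN` must now edit DNS for both namely.icu and xiny.li; if it was issued for one zone, issuance for the other fails at renewal time rather than at deploy time. Check the token's zone scope and keep it limited to Zone:DNS:Edit on exactly those zones rather than an account-wide token. A comment above `acmeCF`, `# CF_API_TOKEN must cover namely.icu and xiny.li`, records the requirement for the next person who adds a host.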