flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746650299,
+        "lastModified": 1746175539,
-        "narHash": "sha256-4+pxk1KcSH8ww3tgN808nNJ3E7Q8gNWI+U0sesW7mBQ=",
+        "narHash": "sha256-/wjcn1CDQqOhwOoYKS8Xp0KejrdXSJZQMF1CbbrVtMw=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "f746600f15b69df05c84e3037749a3be5b1276d1",
+        "rev": "a5db9e41a4dccfa5ffe38e6f1841a5f9ad5c5c04",
         "type": "github"
       },
       "original": {
@@ -72,11 +72,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746695246,
+        "lastModified": 1745812220,
-        "narHash": "sha256-7Tz4PQA/iLnwJX56VdCxMB66HOiWT/i9pmSiCNHqDKc=",
+        "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "c7e0b00007ff6c0e2a6dd5c521aeef22ccdad026",
+        "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78",
         "type": "github"
       },
       "original": {
@@ -220,11 +220,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746661235,
+        "lastModified": 1746369725,
-        "narHash": "sha256-TAm/SnOT8AD3YKYOdjtg5Nmf/hCKEwc0USHBIoXV8qo=",
+        "narHash": "sha256-m3ai7LLFYsymMK0uVywCceWfUhP0k3CALyFOfcJACqE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ec71b5162848e6369bdf2be8d2f1dd41cded88e8",
+        "rev": "1a1793f6d940d22c6e49753548c5b6cb7dc5545d",
         "type": "github"
       },
       "original": {
@@ -336,11 +336,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746669583,
+        "lastModified": 1746362215,
-        "narHash": "sha256-zQbz1kINODnwY1stHEZfkpWX1D6jn/h/lEOQpQlOoRM=",
+        "narHash": "sha256-f1N9rw5GiQZjUuAd14z2yml9IPt16v+RrteLEYyCMvo=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "2e10ad11395ac09a73ad38f0cbe975e410065ca5",
+        "rev": "5809c8500215e5a46ca2e3469daff8f2c0a80665",
         "type": "github"
       },
       "original": {
@@ -351,11 +351,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1746621361,
+        "lastModified": 1746341346,
-        "narHash": "sha256-T9vOxEqI1j1RYugV0b9dgy0AreiZ9yBDKZJYyclF0og=",
+        "narHash": "sha256-WjupK5Xpc+viJlJWiyPHp/dF4aJItp1BPuFsEdv2/fI=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "2ea3ad8a1f26a76f8a8e23fc4f7757c46ef30ee5",
+        "rev": "0833dc8bbc4ffa9cf9b0cbfccf1c5ec8632fc66e",
         "type": "github"
       },
       "original": {
@@ -372,11 +372,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746635197,
+        "lastModified": 1745943985,
-        "narHash": "sha256-7tcX3LUPp7Qmi1s14Sm2qaudvRBBMJ0gvEw8dumViYU=",
+        "narHash": "sha256-cpznjE3lJ0uEfBinVgODRkvBj+R1m+7cOkNvPgy+OuU=",
         "owner": "nakato",
         "repo": "nixos-sbc",
-        "rev": "cf727094afb89c2f94b9f7dcf596c34d55429b88",
+        "rev": "04a93bd482a43d97ab5b86df8e737c1c74ffb91b",
         "type": "github"
       },
       "original": {
@@ -451,11 +451,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1746461020,
+        "lastModified": 1746232882,
-        "narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=",
+        "narHash": "sha256-MHmBH2rS8KkRRdoU/feC/dKbdlMkcNkB5mwkuipVHeQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae",
+        "rev": "7a2622e2c0dbad5c4493cb268aba12896e28b008",
         "type": "github"
       },
       "original": {
@@ -492,11 +492,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1746694489,
+        "lastModified": 1746366397,
-        "narHash": "sha256-g7kaChZ34J4RabOLJt1t37dLysmOjKNxW1gEmZ8kJnQ=",
+        "narHash": "sha256-eLivytoIgyu75s7CDjf1z5jLmTGPPONmi2zPayIUNsM=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "62161e584fcd651968963baf092a4a02931de216",
+        "rev": "7882dfa39dad5ada77012882191e5c94b066a864",
         "type": "github"
       },
       "original": {
@@ -555,11 +555,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746485181,
+        "lastModified": 1745310711,
-        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
+        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
+        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -115,7 +115,7 @@
         self.homeManagerModules.default
         sops-nix.homeManagerModules.sops
         nix-index-database.hmModules.nix-index
-        catppuccin.homeModules.catppuccin
+        catppuccin.homeManagerModules.catppuccin
       ];
       sharedNixosModules = [
         self.nixosModules.default

home/xin/calcite.nix

@@ -44,40 +44,6 @@ in
     wechat-uos
     wpsoffice
     ttf-wps-fonts
-
-    eudic
-
-    exiftool
-    darktable
-    kdePackages.kdenlive
-    inkscape
-    gimp3
-    gthumb
-    oculante
-
-    # Multimedia
-    vlc
-    obs-studio
-    spotify
-    spot
-    # IM
-    element-desktop
-    tdesktop
-
-    # Password manager
-    bitwarden
-
-    # Browser
-    chromium
-
-    # Writting
-    zotero
-
-    # wemeet
-    wemeet
-
-    imhex
-    oidc-agent
   ];
 
   # Theme

machines/agate/default.nix

@@ -106,6 +106,12 @@ in
   nixpkgs.config.contentAddressedByDefault = true;
   nixpkgs.overlays = [ fix-folly-build ];
 
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    permitCertUid = "caddy";
+  };
+
   custom.prometheus.exporters = {
     enable = true;
     blackbox = {

machines/agate/services/minio.nix

@@ -1,6 +0,0 @@
-{
-  services.minio = {
-    enable = true;
-    region = "ap-east-1";
-  };
-}

machines/baryte/default.nix

@@ -13,6 +13,7 @@
     };
 
     services.openssh.enable = true;
+    services.tailscale.enable = true;
     time.timeZone = "Asia/Shanghai";
   };
 }

machines/baryte/hardware-configuration.nix

@@ -1,20 +0,0 @@
-{ config, modulesPath, ... }:
-{
-  imports = [ ];
-
-  disko.devices = {
-    disk = {
-      main = {
-        type = "disk";
-        device = "/dev/vda";
-        content = {
-          type = "gpt";
-          partitions = {
-            boot = config.diskPartitions.grubMbr;
-            root = config.diskPartitions.btrfs;
-          };
-        };
-      };
-    };
-  };
-}

machines/biotite/default.nix

@@ -40,6 +40,19 @@
     comin.enable = true;
   };
 
+  custom.monitoring = {
+    promtail.enable = true;
+  };
+
+  custom.prometheus.exporters = {
+    enable = true;
+    node.enable = true;
+  };
+
+  services.tailscale.enable = true;
+
+  services.caddy.enable = true;
+
   sops = {
     defaultSopsFile = ./secrets.yaml;
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

machines/calcite/configuration.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  inherit (lib) getExe;
+  inherit (lib) mkForce getExe;
   inherit (config.my-lib.settings) idpUrl;
 in
 {
@@ -17,7 +17,7 @@ in
   ];
 
   commonSettings = {
-    auth.enable = true;
+    # auth.enable = true;
     nix = {
       signing.enable = true;
     };
@@ -37,6 +37,7 @@ in
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # boot.kernelPackages = pkgs.linuxPackages_latest;
   boot.kernelModules = [
     "nvidia"
     "nvidia_modeset"
@@ -60,6 +61,7 @@ in
     # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
     tctiEnvironment.enable = true;
   };
+  # services.gnome.gnome-keyring.enable = lib.mkForce false;
   security.pam.services.login.enableGnomeKeyring = lib.mkForce false;
 
   programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
@@ -185,6 +187,7 @@ in
         settings = {
           main = {
             mouse2 = "leftmeta";
+            # leftalt = "mouse1";
           };
         };
       };
@@ -203,6 +206,7 @@ in
     extraBackends = [ pkgs.hplipWithPlugin ];
   };
 
+  hardware.pulseaudio.enable = false;
   security.rtkit.enable = true;
   services.avahi.enable = true;
   services.pipewire = {
@@ -213,6 +217,23 @@ in
     pulse.enable = true;
     # If you want to use JACK applications, uncomment this
     jack.enable = true;
+
+    # Airplay client
+    raopOpenFirewall = true;
+    extraConfig.pipewire = {
+      "10-airplay" = {
+        "context.modules" = [
+          {
+            name = "libpipewire-module-raop-discover";
+
+            # increase the buffer size if you get dropouts/glitches
+            # args = {
+            #   "raop.latency.ms" = 500;
+            # };
+          }
+        ];
+      };
+    };
   };
 
   # Define a user account. Don't forget to set a password with ‘passwd’.
@@ -228,6 +249,13 @@ in
     ];
   };
 
+  services.kanidm = {
+    enableClient = true;
+    clientSettings = {
+      uri = "https://${idpUrl}";
+    };
+  };
+
   # Smart services
   services.smartd.enable = true;
 
@@ -236,9 +264,36 @@ in
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.permittedInsecurePackages = [
     "openssl-1.1.1w"
+    # FIXME: Waiting for https://github.com/NixOS/nixpkgs/pull/335753
+    "jitsi-meet-1.0.8043"
   ];
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
   environment.systemPackages = with pkgs; [
+    imhex
+    oidc-agent
+    # Filesystem
+    (owncloud-client.overrideAttrs (
+      finalAttrs: previousAttrs: {
+        src = pkgs.fetchFromGitHub {
+          owner = "xinyangli";
+          repo = "client";
+          rev = "780d1c4c8bf02be42e118c792ff833ab10c2fdcc";
+          hash = "sha256-pEwcGJI9sN9nooW/RQHmi52Du6yzofgZeB8PcjwPtZ8=";
+        };
+      }
+    ))
+    nfs-utils
+
+    # tesseract5 # ocr
+    ocrmypdf # pdfocr
+
+    gtkwave
+    bubblewrap
+
     # ==== Development ==== #
+    # Python
+    # reference: https://nixos.wiki/wiki/Python
     (
       let
         my-python-packages =
@@ -256,7 +311,11 @@ in
 
     # ==== GUI Softwares ==== #
 
+    eudic
+
     bibata-cursors
+    gthumb
+    oculante
 
     (epsonscan2.overrideAttrs (
       finalAttrs: prevAttrs: {
@@ -264,6 +323,28 @@ in
       }
     ))
 
+    # Multimedia
+    vlc
+    obs-studio
+    spotify
+    spot
+    # IM
+    element-desktop
+    tdesktop
+
+    # Password manager
+    bitwarden
+
+    # Browser
+    chromium
+
+    # Writting
+    zotero
+    # onlyoffice-bin
+
+    # wemeet
+    wemeet
+
     virt-manager
     wineWowPackages.waylandFull
     winetricks
@@ -286,6 +367,10 @@ in
       owner = "xin";
       sopsFile = ./secrets.yaml;
     };
+    "gitea/envfile" = {
+      owner = "root";
+      sopsFile = ./secrets.yaml;
+    };
     "davfs2/photosync_password" = {
       sopsFile = ./secrets.yaml;
       mode = "0600";
@@ -316,6 +401,16 @@ in
     ];
   };
 
+  # custom.forgejo-actions-runner = {
+  #   enable = false;
+  #   tokenFile = config.sops.secrets."gitea/envfile".path;
+  #   settings = {
+  #     runner.capacity = 2;
+  #     runner.fetch_timeout = "120s";
+  #     runner.fetch_interval = "30s";
+  #   };
+  # };
+  #
   custom.prometheus = {
     exporters.node.enable = true;
   };

machines/calcite/hardware-configuration.nix

@@ -18,6 +18,7 @@
     "ahci"
     "usbhid"
   ];
+  boot.initrd.kernelModules = [ ];
 
   boot.initrd = {
     systemd.enable = true; # initrd uses systemd
@@ -30,8 +31,10 @@
     };
   };
   boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
+    # device = "/dev/disk/by-label/NIXROOT";
     device = "/dev/mapper/cryptroot";
     fsType = "btrfs";
   };
@@ -54,6 +57,16 @@
 
   swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ];
 
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   hardware.graphics = {

machines/calcite/network.nix

@@ -1,7 +1,14 @@
 {
+  config,
   pkgs,
+  lib,
   ...
 }:
+let
+  inherit (config.my-lib.settings)
+    internalDomain
+    ;
+in
 {
   imports = [ ];
 
@@ -17,8 +24,27 @@
     };
   };
 
+  # Enable Tailscale
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [ "--accept-dns=false" ];
+  };
+  # services.tailscale.useRoutingFeatures = "both";
+
+  # services.dae.enable = true;
+  # services.dae.configFile = "/var/lib/dae/config.dae";
+  # systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [
+  #   "NetworkManager-wait-online.service"
+  # ];
+  #
   # Open ports in the firewall.
   networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ 3389 ];
+  networking.firewall.allowedUDPPorts = [
+    3389
+    41641
+  ];
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
   # Use nftables to manager firewall
   networking.nftables.enable = true;
 

machines/calcite/secrets.yaml

@@ -1,9 +1,15 @@
 restic:
     repo_url: ENC[AES256_GCM,data:x/g1nZQ59SavVG+u5apNmBQ0Y5uQ9N0EKVh6qovqeP/Z7tmkudJtlBFD35C0ZidcQLAqTaZk1FFh8Ikjo4OcQSdTsx9BGvT4,iv:RQMOSEacDHXjYceBaAW4sFGk38vkijHuADcTS3DMxa8=,tag:769rLA2eRKjDrAaL/jERbA==,type:str]
     repo_password: ENC[AES256_GCM,data:jqsIP1R5/yX8F0oYaSXACx6C,iv:KckzqctKLnmay+d30/Y4IttiASxYnMw6IHQrtwP2YdQ=,tag:L/Ij51UU1om48I8fd4iuwA==,type:str]
+gitea:
+    envfile: ENC[AES256_GCM,data:CK+JNELuzjKgWnImuV4Euif3f3nNOACOrvc4NiIXs+q/F7QWrtpb3TK8/FrLNQk=,iv:QSDrlKJCBld2gDx/y1sT8anh37GhqSS2QZd2JJi5Yis=,tag:x5T6h59LBXhEyVwSr2dnuQ==,type:str]
 davfs2:
     photosync_password: ENC[AES256_GCM,data:J3+pJCjjV+hlPC2il5f7Vn+9k+Aatolgut1DX1G+JF4=,iv:OgZn6Glho3Cfrl0GJhGSbmcYjSe6sjM9PjvEZnM/c4w=,tag:i5AVG139nK3ecK3VwWpQuQ==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
           enc: |
@@ -23,7 +29,8 @@ sops:
             WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
             FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-08T09:47:09Z"
+    lastmodified: "2025-04-07T08:57:13Z"
-    mac: ENC[AES256_GCM,data:pBryBOfgVYROAJ6LfqpEXz8ph4bcAoWLADibpET0jwb4CBNuEW9BWXzVu+Ci+gKjKhSxh8xwr+TLSvo8zNOeGz/Mdl2vVaEWNKX4dUMMd9IXRJ+8jSlhxkMWPi25xoiMjY763MgOnBYsdqPpKKB1xLHkRtULAHlZ2m3VhVWxMWM=,iv:egYcxVjCH4uPbHvCcU9MVCRHoDbNH8tYet1vyDf9nhw=,tag:DDBC0TSdsnaF3SFTuH6rOQ==,type:str]
+    mac: ENC[AES256_GCM,data:UvMXEu2UFapYNHa7kxvFhDzvJZvuV6mwRqmxFISDpp0VhRhY1+Mj2GFxrS5RgTW1ozUnCB0DSBUwWcmsPZeOUveMkHqqRFGZIjinh6blwseZjJMOR30KG3atY6L2adOOZaBERi+HJXqXfdqymeSCmkMC5iJ2jt2KGuMx5NqSfbE=,iv:pueL1hT/tvug65KPYxqY3RwNYeBOlGpIFf70+26VOYQ=,tag:VLwuipBxchMBSSuOMXYKJQ==,type:str]
+    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.9.4

machines/dolomite/common.nix

@@ -33,6 +33,8 @@
       promtail.enable = true;
     };
 
+    services.tailscale.enable = true;
+
     commonSettings = {
       auth.enable = true;
       comin.enable = true;

machines/osmium/default.nix

@@ -139,6 +139,11 @@
       };
     };
 
-    services.tailscale.extraSetFlags = [ "--advertise-routes=10.1.1.0/24" ];
+    services.tailscale = {
+      enable = true;
+      extraSetFlags = [
+        "--advertise-routes=10.1.1.0/24"
+      ];
+    };
   };
 }

machines/raspite/configuration.nix

@@ -12,8 +12,6 @@
     nix.enable = true;
     auth.enable = true;
     comin.enable = true;
-    network.enableProxy = false;
-    serverComponents.enable = true;
   };
 
   nixpkgs.overlays = [
@@ -38,4 +36,15 @@
   };
 
   time.timeZone = "Asia/Shanghai";
+
+  # fileSystems."/".fsType = lib.mkForce "btrfs";
+  boot.supportedFilesystems.zfs = lib.mkForce false;
+
+  services.dae.enable = false;
+
+  services.tailscale = {
+    enable = true;
+    permitCertUid = config.services.caddy.user;
+    openFirewall = true;
+  };
 }

machines/secrets.yaml

@@ -3,8 +3,6 @@ prometheus:
     metrics_password: ENC[AES256_GCM,data:qGbdk5tRmBw1rYHkmid87w==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:+cVF89YF35hA+fPvEQNgHA==,type:str]
 dae:
     sub: ENC[AES256_GCM,data:wCv8je47gBa2bb2aWCbUYHIuxGxkXUfJUvogwviYUNJJZJCdL5Q2qJX+tXOL4JRkzicRzFfiPEa3rcYIfoB6DC7caDPevpepHtTENzI3YKppiz0KIXedUWr+,iv:iMhxWb0IR+3jOP2+7GmQTe0Ia1yhycji4hcTTMK57GI=,tag:e8X4PTiY/60W6XbFLOmSBQ==,type:str]
-tailscale:
-    authkey: ENC[AES256_GCM,data:GKfhg4Co1us4UQ6Jn3KT85OrIIVDd8aJmv8hmhtLZnAM4McxPmpVZ1tnYu7GIfKdqgCQqEl+lgS0xlV+qA==,iv:qugnzLpCZqHyRnJaP0tS2y5R5i0lrhm9PnIuG3kiGqE=,tag:KV/fcG4rceG4AHCzFEoksg==,type:str]
 sops:
     age:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
@@ -97,7 +95,7 @@ sops:
             MHJubDlRVW40TDVJNnNqQktKcGVVYWcK1nCRXYjyLpNdj2Mnjgop5R6DSpRUSxDT
             VstIwZiQgACPKcP7H2dFSPNDaaAH1YqZzqr7ILLV6jYRApZFte/SRw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-09T01:56:54Z"
+    lastmodified: "2025-05-01T16:16:05Z"
-    mac: ENC[AES256_GCM,data:wZXKzRD+2I0mQoSOu3Xj8uzsSV7rK7wg+GjlzFqbP3qWd5DWSa1wmHuC9xBe3GRNps5L7vopGwngnFXbXu6tlsYuWUhSV/r7lh/wnrXKNlrt5qkWCpL3nXoYqkby+QzFG5ykCYOTsiMg31JYcbobO0kdNNjK0thKqLdFS7YBZig=,iv:O0Rccf08B27bfikTjQ2h+x6rbMUSqUSOSB3jW3Y4MJA=,tag:jBvzVKZgilzmUKQ6M+psAA==,type:str]
+    mac: ENC[AES256_GCM,data:sXZm1YVBaF//vU5Vtou4HOvKMZ9L6i9YCH6DASiEE6VQYQ6aN3RI5bf25c9C4Lx7ARxsqCFz1pUVGiSd6AIAx1swSZHwC0nRz77GW9B8S1Gn+uyvVdbhP7xYfJ3XP8jFPJetKQLYIIynjdT7uUA833ZydmtaUC85j+Kmw7aEIoQ=,iv:rXkqJqJX43bLxrjT19mP4qO/fpZboVLN3nbQ7RrJWto=,tag:5ZPThu4YCT0K8GJMmYK6Yg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.9.4

machines/thorite/default.nix

@@ -31,6 +31,8 @@
       443
     ];
 
+    services.tailscale.enable = true;
+
     services.caddy.enable = true;
 
     commonSettings = {

machines/weilite/default.nix

@@ -1,4 +1,5 @@
 {
+  config,
   pkgs,
   lib,
   modulesPath,
@@ -11,6 +12,13 @@
     ./services
   ];
 
+  options = {
+    node = lib.mkOption {
+      type = lib.types.attrs;
+      default = { };
+    };
+  };
+
   config = {
     networking = {
       hostName = "weilite";
@@ -33,6 +41,9 @@
       comin.enable = true;
       network.localdns.enable = true;
     };
+    node = {
+      mediaDir = "/mnt/nixos/media";
+    };
 
     boot = {
       loader = {
@@ -133,6 +144,17 @@
       ];
     };
 
+    services.openssh.ports = [
+      22
+      2222
+    ];
+
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      permitCertUid = "caddy";
+    };
+
     services.tailscale.derper = {
       enable = true;
       domain = "derper00.namely.icu";

machines/weilite/secrets.yaml

@@ -1,7 +1,6 @@
 caddy:
     cf_dns_token: ENC[AES256_GCM,data:7PvP3oYMZ3dAeWaJNiuvEweUf3psDhyu90FT6cP0/AIOa0E40sdIRQ==,iv:IIYnZ35xAm9JJa14oHJi+ddI0u7Pgc4MfPLnKT4IlPc=,tag:V1PGZpaVzdN2cLpktbvTnA==,type:str]
-    huawei_dns_access_key: ENC[AES256_GCM,data:3y9Sl9RDJlRkgTsctH8O4gRAcAU=,iv:2e03AKVniVYFyHV6KB00I/Y1rHD0Ira6kgly7zDqNT0=,tag:w6j1g329XIOrvshx7Ft7aA==,type:str]
+    dnspod_dns_token: ENC[AES256_GCM,data:ATed7RqLu1u06B61Irhd4SCzjK/Z823ygAgzROsNixZ2rExpB/Xo,iv:L121CGA+iZhn9V6mG2qEu3FI91/s7JO3cVTAwmAeqGw=,tag:l/7MXMZNqgFBwgCCMeZR2A==,type:str]
-    huawei_dns_secret_key: ENC[AES256_GCM,data:or4WW7uFvbIoUwh1G63YDQxTFUnkkYrDJG0HEqoKzOSV+8rqy9cHrA==,iv:wB+TT8bh7jhN0ppJ3pqh882cs6RczpOtxKuYuyjRhMY=,tag:GlTSuYeGrGY/3b0g7IbLzw==,type:str]
 immich:
     oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
     auto_stack_apikey: ENC[AES256_GCM,data:pormMdxkevrw1sJrmVtD+jEbfQFTOHeyZRepZt2roftjDYAdbzpppg==,iv:wumPYaTAfU+J0MD6yOFKmxY8eDMzwqVsd3IUXyTfk0A=,tag:54HlWH3iKyWG2Gv9QS/wLA==,type:str]
@@ -17,6 +16,10 @@ webdav:
     photosync:
         password: ENC[AES256_GCM,data:s+omleBtVALG5bpbTnlzbwBj0oCZX8Dm8IbcUV6COnI=,iv:vwCs3ujmCcE87rl91ZtOEAgSQF1/0t17/7/0UM4x8fE=,tag:ylw76CX9SCylWoJt86rmjg==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
           enc: |
@@ -36,7 +39,8 @@ sops:
             V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
             RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-08T13:07:05Z"
+    lastmodified: "2025-04-06T14:28:44Z"
-    mac: ENC[AES256_GCM,data:19bgXUH6rhQLin0RO0F5pgqzNIzHq5x+oSpIscbDimRvUhnvalMX6KSmbVgrHeNHrx4n3MpwI65Z+/6eeiR0Y6O2MOv49580UVKIEEP/yAPd3tbOW28/WsNp7MMhtF1Fx6o/rirV+H4vkvzq9+/z3tHO2MMjh9LeLcFB36b8ZD8=,iv:lU9o59P8BS1Azd0lVRtq8d3yNau54J9attOEiC32E4E=,tag:zUawHckwaXSxc7RWimVPUQ==,type:str]
+    mac: ENC[AES256_GCM,data:tYAhkwRs2CFOUCw3Iuq6T5C+QkbpSz80fI6CP65VyFrNiej9hshmjngPnf8bFElF+bHI64a/zpo2y4CqV213011tOX2YYvLD5zrAQb18rBFUdJblY5wQyx/DXiPaIf5jK6WGHIRaOmqZJuqXKrQKnf99N12JydXjt6usBGGZr8M=,iv:wySf7lctw14iUbKo5fDu+p6TMY5QXGYYmBukh2qb19I=,tag:pZrnFiNZEK01pnDN0+1Rcw==,type:str]
+    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.9.4

machines/weilite/services/caddy.nix

@@ -6,19 +6,14 @@
         owner = "caddy";
         mode = "400";
       };
-      "caddy/huawei_dns_access_key" = {
+      "caddy/dnspod_dns_token" = {
-        owner = "caddy";
-        mode = "400";
-      };
-      "caddy/huawei_dns_secret_key" = {
         owner = "caddy";
         mode = "400";
       };
     };
     templates."caddy.env".content = ''
       CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"}
-      HUAWEICLOUD_ACCESS_KEY=${config.sops.placeholder."caddy/huawei_dns_access_key"}
+      DNSPOD_API_TOKEN=${config.sops.placeholder."caddy/dnspod_dns_token"}
-      HUAWEICLOUD_SECRET_KEY=${config.sops.placeholder."caddy/huawei_dns_secret_key"}
     '';
   };
 
@@ -27,25 +22,28 @@
       acmeCF = "tls {
         dns cloudflare {env.CF_API_TOKEN}
       }";
-      acmeHuawei = "tls {
+      acmeDnspod = "tls {
-        dns huaweicloud  {
+        dns dnspod {env.DNSPOD_API_TOKEN}
-          access_key_id {env.HUAWEICLOUD_ACCESS_KEY}
-          secret_access_key {env.HUAWEICLOUD_SECRET_KEY}
-        }
       }";
     in
     {
       enable = true;
       package = pkgs.caddy.withPlugins {
         plugins = [
-          "github.com/caddy-dns/cloudflare@v0.2.1"
+          "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
+          "github.com/caddy-dns/dnspod@v0.0.4"
         ];
-        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
+        hash = "sha256-/BxdY36MZriRNhh3peU+XjYRAuuYiKhLY+RwO45Q2Ws=";
       };
       virtualHosts."derper00.namely.icu:8443".extraConfig = ''
-        ${acmeCF}
+        ${acmeDnspod}
         reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
       '';
+      # API Token must be added in systemd environment file
+      virtualHosts."immich.xinyang.life:8000".extraConfig = ''
+        ${acmeDnspod}
+        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+      '';
       virtualHosts."immich.xiny.li:8443".extraConfig = ''
         ${acmeCF}
         reverse_proxy 127.0.0.1:${toString config.services.immich.port}

modules/nixos/common-settings/mainland.nix

@@ -102,7 +102,7 @@ in
 
           upstream {
         	    globaldns: 'tls://dns.quad9.net'
-        	    cndns: 'quic://dns.alidns.com:853'
+        	    cndns: 'h3://dns.alidns.com:443'
         	    tsdns: 'udp://100.100.100.100'
         	    localdns: 'udp://127.0.0.1:53' 
           }
@@ -133,11 +133,6 @@ in
             filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms]
             policy: min_moving_avg
           }
-
-          clean_ip {
-            filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms]
-            policy: fixed(0)
-          }
         }
 
         # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
@@ -161,13 +156,9 @@ in
 
           # === Force Proxy ===
           domain(geosite:linkedin) -> default_group
-          domain(full: sourceware.org) -> clean_ip
 
           # === Custom direct rules ===
           domain(geosite:cn) -> direct
-          domain(geosite:steam@cn) -> direct
-          domain(suffix:steamserver.net) -> direct
-          domain(suffix:test.steampowered.com) -> direct
 
           dip(geoip:cn) -> direct
 

modules/nixos/common-settings/network.nix

@@ -1,9 +1,4 @@
-{
+{ config, lib, ... }:
-  config,
-  pkgs,
-  lib,
-  ...
-}:
 let
   inherit (lib) mkEnableOption mkOption mkIf;
   inherit (config.my-lib.settings)
@@ -21,138 +16,81 @@ in
         default = 100;
       };
     };
-    tailscale = {
-      enable = mkEnableOption "Tailscale client" // {
-        default = true;
-      };
-      before = mkOption {
-        default = [ ];
-        type = lib.types.listOf lib.types.string;
-      };
-    };
   };
 
-  config = lib.mkMerge [
+  config = {
-    (mkIf cfg.tailscale.enable {
+    networking.resolvconf = mkIf cfg.localdns.enable {
-      sops = mkIf config.commonSettings.network.enableProxy {
+      enable = true;
-        secrets = {
+      dnsExtensionMechanism = false;
-          "tailscale/authkey" = {
+      useLocalResolver = true;
-            sopsFile = ../../../machines/secrets.yaml;
+    };
-            owner = config.systemd.services.tailscale.user;
-          };
-        };
-      };
 
-      services.tailscale = {
+    services.resolved.enable = mkIf cfg.localdns.enable false;
-        enable = true;
-        openFirewall = true;
-        permitCertUid = mkIf config.services.caddy.enable config.services.caddy.user;
-        extraUpFlags = [ "--accept-routes" ] ++ (lib.optional cfg.localdns.enable "--accept-dns=false");
-        authKeyFile = config.sops.secrets."tailscale/authkey".path;
-      };
-      commonSettings.network.tailscale.before = (
-        lib.optional config.services.caddy.enable "caddy.service"
-      );
 
-      systemd.services.tailscaled.before = cfg.tailscale.before;
+    networking.firewall.trustedInterfaces = [
-      systemd.services.tailscaled.serviceConfig.ExecStartPost =
+      config.services.tailscale.interfaceName
-        pkgs.writers.writePython3 "tailscale-wait-online"
+    ];
-          {
+    services.tailscale = mkIf cfg.localdns.enable {
-            flakeIgnore = [
+      extraUpFlags = [ "--accept-dns=false" ];
-              "E401" # import on one line
+    };
-              "E501" # line length limit
+
+    services.kresd = mkIf cfg.localdns.enable {
+      enable = true;
+      listenPlain = [ "127.0.0.1:53" ];
+      listenTLS = [ "127.0.0.1:853" ];
+      extraConfig =
+        let
+          listToLuaTable =
+            x:
+            lib.pipe x [
+              (builtins.split "\n")
+              (builtins.filter (s: s != [ ] && s != ""))
+              (lib.strings.concatMapStrings (x: "'${x}',"))
             ];
-          }
+          chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt);
-          ''
+          globalSettings = ''
-            import subprocess, json, time
+            log_level("notice")
-
+            modules = { 'hints > iterate', 'stats', 'predict' }
-            for _ in range(30):
+            cache.size = ${toString cfg.localdns.cacheSize} * MB
-                status = json.loads(
+            trust_anchors.remove(".")
-                    subprocess.run(
-                        ["${lib.getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
-                    ).stdout
-                )["Self"]["Online"]
-                if status:
-                    exit(0)
-                time.sleep(1)
-
-            exit(1)
           '';
-
+          tsSettings = ''
-    })
+            internalDomains = policy.todnames({'${internalDomain}'})
-
+            policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
-    (mkIf cfg.localdns.enable {
+          '';
-      networking.resolvconf = {
+          proxySettings = ''
-        enable = true;
+            policy.add(policy.domains(
-        dnsExtensionMechanism = false;
+              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
-        # We should disable local resolver if dae is enabled
+              { todname('hk-00.namely.icu') }))
-        # to let dns traffic go through dae
+            policy.add(policy.domains(
-        useLocalResolver = !config.commonSettings.network.enableProxy;
+              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
-      };
+              { todname('la-00.namely.icu') }))
-      services.resolved.enable = false;
+            policy.add(policy.domains(
-
+              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
-      services.kresd = {
+              { todname('fra-00.namely.icu') }))
-        enable = true;
+          '';
-        listenPlain = [ "127.0.0.1:53" ];
+          mainlandSettings = ''
-        listenTLS = [ "127.0.0.1:853" ];
+            chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
-        extraConfig =
+            policy.add(policy.suffix(policy.TLS_FORWARD({
-          let
+              { "223.5.5.5", hostname="dns.alidns.com" },
-            listToLuaTable =
+              { "223.6.6.6", hostname="dns.alidns.com" },
-              x:
+            }), chinaDomains))
-              lib.pipe x [
+            policy.add(policy.all(policy.TLS_FORWARD({
-                (builtins.split "\n")
+              { "8.8.8.8", hostname="dns.google" },
-                (builtins.filter (s: s != [ ] && s != ""))
+              { "8.8.4.4", hostname="dns.google" },
-                (lib.strings.concatMapStrings (x: "'${x}',"))
+            })))
-              ];
+          '';
-            chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt);
+          overseaSettings = ''
-            globalSettings = ''
+            policy.add(policy.all(policy.TLS_FORWARD({
-              log_level("notice")
+              { "8.8.8.8", hostname="dns.google" },
-              modules = { 'hints > iterate', 'stats', 'predict' }
+              { "8.8.4.4", hostname="dns.google" },
-              cache.size = ${toString cfg.localdns.cacheSize} * MB
+            })))
-              trust_anchors.remove(".")
+          '';
-            '';
+        in
-            tsSettings = ''
+        globalSettings
-              internalDomains = policy.todnames({'${internalDomain}'})
+        + (if config.services.dae.enable then proxySettings else "")
-              policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
+        + (if config.services.tailscale.enable then tsSettings else "")
-            '';
+        + (if config.inMainland then mainlandSettings else overseaSettings);
-            proxySettings = ''
+    };
-              policy.add(policy.domains(
+  };
-                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
-                { todname('hk-00.namely.icu') }))
-              policy.add(policy.domains(
-                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
-                { todname('la-00.namely.icu') }))
-              policy.add(policy.domains(
-                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
-                { todname('fra-00.namely.icu') }))
-            '';
-            mainlandSettings = ''
-              chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
-              policy.add(policy.suffix(policy.TLS_FORWARD({
-                { "223.5.5.5", hostname="dns.alidns.com" },
-                { "223.6.6.6", hostname="dns.alidns.com" },
-              }), chinaDomains))
-              policy.add(policy.all(policy.TLS_FORWARD({
-                { "8.8.8.8", hostname="dns.google" },
-                { "8.8.4.4", hostname="dns.google" },
-              })))
-            '';
-            overseaSettings = ''
-              policy.add(policy.all(policy.TLS_FORWARD({
-                { "8.8.8.8", hostname="dns.google" },
-                { "8.8.4.4", hostname="dns.google" },
-              })))
-            '';
-          in
-          globalSettings
-          + (if config.services.tailscale.enable then tsSettings else "")
-          + (
-            if config.commonSettings.network.enableProxy then
-              proxySettings + mainlandSettings
-            else
-              overseaSettings
-          );
-      };
-    })
-  ];
 }

modules/nixos/monitor/exporters.nix

@@ -11,9 +11,35 @@ let
 in
 {
   config = {
-    commonSettings.network.tailscale.before =
+    systemd.services.tailscaled.before =
       (lib.optional cfg.node.enable "prometheus-node-exporters.service")
-      ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service");
+      ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service")
+      ++ (lib.optional config.services.caddy.enable "caddy.service");
+
+    systemd.services.tailscaled.serviceConfig.ExecStartPost =
+      pkgs.writers.writePython3 "tailscale-wait-online"
+        {
+          flakeIgnore = [
+            "E401" # import on one line
+            "E501" # line length limit
+          ];
+        }
+        ''
+          import subprocess, json, time
+
+          for _ in range(30):
+              status = json.loads(
+                  subprocess.run(
+                      ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
+                  ).stdout
+              )["Self"]["Online"]
+              if status:
+                  exit(0)
+              time.sleep(1)
+
+          exit(1)
+        '';
+
     services.prometheus.exporters.node = mkIf cfg.node.enable {
       enable = true;
       enabledCollectors = [
@@ -96,6 +122,26 @@ in
 
     services.ntfy-sh.settings.enable-metrics = true;
 
+    services.caddy.globalConfig = ''
+      servers {
+        metrics
+      }
+
+      admin unix//var/run/caddy/admin.sock {
+        origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
+      }
+    '';
+
+    systemd.services.caddy.serviceConfig = {
+      RuntimeDirectory = "caddy";
+      RuntimeDirectoryMode = "0700";
+    };
+
+    services.tailscale = {
+      permitCertUid = config.services.caddy.user;
+      openFirewall = true;
+    };
+
     services.caddy = {
       virtualHosts."https://${config.networking.hostName}.coho-tet.ts.net:2019".extraConfig = ''
         handle /metrics {

scripts/update-china-list.sh

@@ -2,10 +2,3 @@ output_file="modules/nixos/common-settings/china-domains.txt"
 curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/accelerated-domains.china.raw.txt" > "$output_file"
 curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/apple.china.raw.txt" >> "$output_file"
 curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/google.china.raw.txt" >> "$output_file"
-# extra rules
-cat >> $output_file <<- EOM
-test.steampowered.com
-steamserver.net
-api.steampowered.com
-EOM
-