From 02636ac5a1a4183e5be784a5aa0f4166716a07b4 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Sun, 24 Nov 2024 21:44:45 +0800
Subject: [PATCH 1/4] dolomite: fix hk-00

---
 .sops.yaml | 2 +-
 machines/dolomite/claw.nix | 2 +-
 machines/dolomite/secrets/hk-00.yaml | 22 +++++------
 machines/dolomite/secrets/secrets.yaml | 52 +++++++++++++-------------
 4 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 153993e..4c2fbbc 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,7 +7,7 @@ keys:
 - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
 - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
 - &host-weilite age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
- - &host-hk-00 age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0
+ - &host-hk-00 age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
 creation_rules:
 - path_regex: machines/calcite/secrets.yaml
 key_groups:
diff --git a/machines/dolomite/claw.nix b/machines/dolomite/claw.nix
index ead0225..d169733 100644
--- a/machines/dolomite/claw.nix
+++ b/machines/dolomite/claw.nix
@@ -27,7 +27,7 @@
 };
 fileSystems."/" = {
- device = "/dev/disk/by-uuid/fe563e38-9a57-447a-ba57-c3e53ddd84ee";
+ device = "/dev/vda1";
 fsType = "ext4";
 };
diff --git a/machines/dolomite/secrets/hk-00.yaml b/machines/dolomite/secrets/hk-00.yaml
index 91d6540..e3f3866 100644
--- a/machines/dolomite/secrets/hk-00.yaml
+++ b/machines/dolomite/secrets/hk-00.yaml
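Review bot: The `&host-hk-00` change swaps only the recipient key, and `lastmodified` in hk-00.yaml stays unchanged context, which is consistent with `sops updatekeys` re-wrapping the existing data key rather than re-encrypting the content. The retired key `age1w3x…` and the data key wrapped for it remain in git history, so that key can still open every secret whose value was not changed. If hk-00 was rebuilt because its key was lost or exposed, follow up with `sops rotate --in-place` (or `sops -r -i`) on both files and rotate the secret values themselves. A one-line commit note saying why the host key changed would help the next reader.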
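Review bot: `device = "/dev/vda1";` in claw.nix ties the root filesystem to a kernel-assigned device name, which can shift when another disk or virtio device is added, whereas the removed `/dev/disk/by-uuid/…` path was stable. If the old UUID simply no longer matches after the reinstall, prefer the new filesystem's UUID from `blkid`, e.g. `device = "/dev/disk/by-uuid/<new-root-uuid>";`, or a label via `fileSystems."/".label`. The enclosing `fileSystems` block continues outside the hunk.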
@@ -9,20 +9,20 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNmVpY09ZNzhacDdpdVUr - SGc2NGNrRWlMMzE2RVNSN0tHTGNoeVhlWUFRCnpqNy9qMExKUFA0akFnNG1HS0h2 - NXlmWkJMemJkam5oSEFaSENkRTRnczQKLS0tIGNha0RWbGFUWGpROEdoKy9WbC9n - WTUrUjMydHRHODN3TDhyakpHNG1hZjQKR3I8TwUDvvht9ck8YIplCjafhUdvxw7M - VNSjUoacKg0Uu5m777UlBpDdDXBwulrVryFxrKA0Q395+YRJ2Sg0wQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UUhoT3hSSmhEM3ZteDhJ + VWdweThOUHVLVlNBUW5yVXpMOTN3UTNTbkd3CmlZL21yYWJvaW1VRGl5a0JCSVA5 + RUdndFJqSnRCUllXTmNERkU2UHJIV3cKLS0tIFYvZkhpaDZEcVNCMzhZNzV2K0J4 + QklidnA5Qmd0dGQ3UEFLdFBmaVNLajQKgw2HN9ksquyh+FV1c8OuThFSJlzGGgXM + HhmTFOrGBwLF2N8XGpVp+HcFnIWzjjK62sAVsomO/ak3Schg8283vg== -----END AGE ENCRYPTED FILE----- - - recipient: age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0 + - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZC9GU085TmV6b1FsdGFw - OEFJeVM1WFJib1lFM1luQmlQSGt3Ym1PaVVjCkd4TmhIcVB2Nk4xaHdwSVVHOGJJ - TVErNHZ1ZURKMmk2SzJUajFTV0tJSE0KLS0tIG5jVnZHNm55dncvaDdsWXNidDB1 - TURVTjR3RUJzMmxmNVIyTk5rM0YvMU0KP3R78NlGqbRHmSn2WqanPq8Y9m+olBLO - 2CTJI9QQfPACzz9KoEt5hlpqVpsgQT9CGDpyYEwXrFyxFY4QIh5NPw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NU5RREplWEdsUkJiTVEx + QXdNUXlkdGdFQU5PZ2lwYTFmdHFUei9Fcnc0CjB1bjhuM3dhUXd3aEpwdlFMeith + aXFYV1hVVjd1SUwvNmhyeGNBMUZtT3cKLS0tIDFkQk9NN09zUFBuWm83R1hmWDZk + QWVGWVB5Rk1DcVBuSzFYRmRsOU5jL0kK0z3uFNq6dl67YepenXjoIkdV6sZaA7jB + QHe2qz1SzrQQ/7Lqf8aZNT6W5IwkNHpht27jetl119DerOhx6N58vQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-10-17T10:52:20Z" mac: 
ENC[AES256_GCM,data:lxqZaTqs5d/b/iIZ7BbD2jYJq3fTIbFlbdwKbCAAiXJv8abxN6SjOKuecKEvkJ0Y7qf2e0Cl8lbRwSy5FJb9Wsl9O4LzF0KBu0lssnBtDuZujFldgxJSWB8kQ3vMsPQ+NbmRME3zdKazmuhEwS0h/O6L6KmnfHjtfnDpAjYD+MY=,iv:Xue3R2qGxiw5/hjr9dLiLqeKDTpnwAnx8v9M3qjz5EM=,tag:T67z1oCMoW/ApF6tFJL3dA==,type:str]
diff --git a/machines/dolomite/secrets/secrets.yaml b/machines/dolomite/secrets/secrets.yaml
index c05a97e..477a4b4 100644
--- a/machines/dolomite/secrets/secrets.yaml
+++ b/machines/dolomite/secrets/secrets.yaml
@@ -10,47 +10,47 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dElZTXFjbzhNbE1OYmdP - M0JLVWMyOUpSMnQ1Q2hDc2VXVUxpblhDVUNjCmxGZXRsUmdWWjZPZGFhaDFHNnpx - YVVSWFl1YThwWENSVTdiWkRENlBhdDQKLS0tIGl0OWsrNXljLy9wejd4Q3JmTUFE - WGFaN21vb1EwTDdSOEFVSWlQZWR1Z1kKIy+vG42G/7hTJX9BNYXjy4GNnUEnzUgB - aRoLxgTpkTKezZiKkISQwEuFD8qC7aeQIV1kmGDpNK2uucJfFswvbQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZUYrRUY0N3hOczFUR2Fq + amx5RHAwVnRoTStlTlJISkk5TUFCaDhuUGxjCmVYbExkK1AzbURVWXNvU0Zkcjg5 + ZTlWK0ExVnNNWmxJMkxlcHkxd1MvWkkKLS0tIFY3a3FoNzl2bitYTTl1R1R4K3hz + ZlcxT243dzd0amlHSmpOc1AvakNjRlkKwT2hNwDsc3WZkJ05Qq8INnG9Ii0iswqT + jnvMt9VTkZ8JHsq5vCaV+TtM3kswuw6hF9UoHdRM/JIvqMdPkXuZoQ== -----END AGE ENCRYPTED FILE----- - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNGE0Sk5lbXVNSjVQUTFF - VFFrVzJKczJwTWJJOEdKTVFhai9RWmJNSkJjCkNKQzRQWmcxTndIcERkMTFubi9K - SXVhbDhEMmRFRCtXdEVqMFdRbjQ3RTgKLS0tIGNIOWYzL0NUeklBRU5paEoyZ211 - NDY5RDdwelMwVjVscHdOaGV2aTMwQUUKZaCo5jFlWxTsELGyQiY4CmcjdUcnBzOU - JzcWDMcODTo/yER/0jdPpdfvUWiGi12voIuqRJkON0x7d3X2d2Sexg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSzkzMmU2SUMvWXVFRHM4 + dWhsbEtFSUhHem1NZ1Q5aWJJWWlqelcyT2hBClRIeDE1M20vdm5rQnRvLzBGWnk3 + aFZ2MFlrUHRudSt5M1Rod3NrUS8rdkEKLS0tIHlPSFUvUC93WlU5dHdaV0R6dTFh + c203K2VHb2hsSTBjOWxpUStOQ2VYTFEKbDTeoUSBFWB3W/fxS471aTysahlQUJ6D + JvvUJL63Y2XpvCQVCduO+Kl9A7B7LGran+2SUzqHBisQyR2eUcg/HQ== -----END AGE ENCRYPTED FILE----- - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2LzI1M2orSDVyYTRRRnB6 - d25oaHZSMWFUQ2lZTWxtVzFRSkxjd01tNjFZCmJHUWVGd2hYWVlpdk80WUxwM080 - N0V1UW1hUC9GNWlPRCtuYUsxSzdmWUEKLS0tIEhSazVWeEpIVnoweWdnOEU2Q1hT - 
Yjl6bFRZS2RSRGpPWFdDS2lObCt0MGsKcFXy/2mLLlxY/vP+kCaeaR+9aBRL7ys1 - x+HBAPqvcqvYk3MGBD9TpIW317RthDhEkY57GmtHgqIUsSLWsBgNdw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZDBtTWxZbGpZRlYvMnpE + MTNEQXZJdGRpMmV0azhXbE1UeWlqZjdKQlhFCkU4RlBZUmdpTC9TamVwREFnM1Nt + eDZ0SDRQUmMxYmJ1bnBSS29qNGQ4THMKLS0tIDhVMWJoWTNBWjAyMHc0K2Z5Zjhi + UkU5dEpjSGZKOERPR2hUQ1lBK1ZXSWsKo/76+/Iq9sxJGxuk81yMBaX+mg98FD8p + F/PY4/oJjaUmpErdrWuE7Tgjycx+DTSDJv1ESyvLC6NPnXTRlZgg6A== -----END AGE ENCRYPTED FILE----- - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL2NXTDNqWkYzQlVvM0xO - ZDk2RTFISHh3TmpTN2cxT3RTVnFUaURpK3dRCmJEVWJnNXdoT0JYYjBvcm4rSkZ0 - QW5WeWhqWnZqaGlLRHphZW5PMUNZTDQKLS0tIGZFc2ZlREgwKysrNEhROUJzbHBU - TzhHdlV1bjduT1hlTVFMTmRtQmN0MFUKhCYQh5uVOjEj2kKSfSUVa8k35mqkDoTk - 3CchebRciIR+w52d6uEsQove0248+OniG6bJ5ykkExLo1RzDQD7pBQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjFsZ1o1alBIV2JkKy9j + ajArY1RydFllc1VLc3dQek5IcXNyWTIxNDBzCkhKYzdHSXowaGhnY2E5aVRPaDNJ + M3NOZEd1UHg4MDd3YTNidld5UGhKYUUKLS0tIG9QVlV3UXNSSXp6L3djaXZjcTNL + bmVYb1g3NnBOekZkUFNlOVZFY2N6YVUKsdTgykgHkFSQJfZeNJz2TkcDENg84plG + zBqz6HP6AK6SBI7C/lPus0VXuzjDVDr29jvemBQ3cNBodc6yKyReAQ== -----END AGE ENCRYPTED FILE----- - - recipient: age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0 + - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhS0tDdThIRnNaZVZKanZY - bm1uV25nUzZITW5QY2Z2SkZtMFAvY1RVOWdrCnZMZ3F6dHd1TmhCMnZvbFhZYjJK - ZXRVUWNtVXVpOWFYWmdFQ2RZajlTQk0KLS0tIFJSYkxkelFTWkRYMjAvQ2lpTGRQ - bmE0bWg1U1ZkZHR4TEVtR0crbVZxdmcKeVUli/Tt4Xy4XxbUbFj9a4y6c9ZE/NjE - nCKLNYYPsZ/nS6qN3Pdetps4ziajJHUVmxCqNMHD+OoWqT6W8V/O6w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNUF4cWwrZ0Vlb0Nxbk0z + VnRucWJVK2h0MG13YVkyMlJNZ3RxRmJqUlRBCmxrckV1a0xnSEhvWUN4RmF2ZHBl + 
VkFicWlnR0dvTmRBQ21NWVo4aFNQRmsKLS0tIEMxVGxTRHp6ZGJzYksxY1BUKzBh
+ Yk52TS81REhJd0lLRVpMZnhGMDRMK0UKzph2gK0LXqu44zQXGoGbyPjte2t4BqHE
+ WAufrQiamOgA7TUZYlZApzYhEY6iIbs/t7BQPn/OKZwzRYdXnzxqiw==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2024-11-22T05:51:19Z"
 mac: ENC[AES256_GCM,data:LPUb7YbELPsgYX+LvfuGdiNG1B5ZrvyRVZL9UiMHoJMDHaWpDGCQkT1bk5jEOewwFh+StK560UsPK4uW0+SqADJO80rmM3xfqlp5Ul2HJ8mU19l5C6FLpv2REIzhCp333rNJJlyhn3H6GZgMaWnjjLSX9XMOVaq1iz6Qt0P76SI=,iv://EdDr5D51RFuucq8gkei2RC7H2bkRYxP/7lerp9dtk=,tag:JrRQ19sZ0OAZouMgOiU/tQ==,type:str]

From ca8f27bafa6ea4f296acc2b488d23a99b19dd31c Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Sun, 24 Nov 2024 17:26:49 +0800
Subject: [PATCH 2/4] osmium: added

---
 flake.nix | 7 ++
 home/xin/calcite.nix | 8 +-
 machines/osmium/default.nix | 111 ++++++++++++++++++
 .../sd-image-aarch64-orangepi-r1plus.nix | 44 +++++++
 overlays/add-pkgs.nix | 17 ++-
 scripts/nixos-updater.py | 90 ++++++++++++++
 6 files changed, 271 insertions(+), 6 deletions(-)
 create mode 100644 machines/osmium/default.nix
 create mode 100644 machines/osmium/sd-image-aarch64-orangepi-r1plus.nix
 create mode 100644 scripts/nixos-updater.py

diff --git a/flake.nix b/flake.nix
index 606276e..5dcb727 100644
--- a/flake.nix
+++ b/flake.nix
@@ -116,6 +116,9 @@
 ./machines/dolomite/lightsail.nix
 ./machines/dolomite/common.nix
 ];
+ osmium = [
+ ./machines/osmium
+ ];
 };
 sharedColmenaModules = [
 deploymentModule
@@ -258,6 +261,10 @@
 calcite = mkNixos {
 hostname = "calcite";
 };
+
+ osmium = mkNixos {
+ hostname = "osmium";
+ };
 } // self.colmenaHive.nodes;
 }
diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix
index 11dd9ed..69d16d6 100644
--- a/home/xin/calcite.nix
+++ b/home/xin/calcite.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 let
 homeDirectory = "/home/xin";
 in
@@ -61,6 +61,12 @@ in
 fcitx5.addons = with pkgs; [ fcitx5-rime ];
 };
+ # Using wayland
+ home.sessionVariables = {
+ GTK_IM_MODULE = lib.mkForce "";
+ QT_IM_MODULE = lib.mkForce "";
+ };
+
 custom-hm = {
 alacritty = {
 enable = true;
diff --git a/machines/osmium/default.nix b/machines/osmium/default.nix
new file mode 100644
index 0000000..823d2f0
--- /dev/null
+++ b/machines/osmium/default.nix
@@ -0,0 +1,111 @@
+{
+ pkgs,
+ lib,
+ modulesPath,
+ ...
+}:
+{
+ imports = [
+ (modulesPath + "/installer/sd-card/sd-image.nix")
+ ./sd-image-aarch64-orangepi-r1plus.nix
+ ];
+
+ config = {
+ system.stateVersion = "24.05";
+
+ nixpkgs.system = "aarch64-linux";
+
+ boot.tmp.useTmpfs = false;
+ boot.kernelModules = [
+ "br_netfilter"
+ "bridge"
+ ];
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv4.ip_nonlocal_bind" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ "net.ipv6.ip_nonlocal_bind" = 1;
+ "net.bridge.bridge-nf-call-ip6tables" = 1;
+ "net.bridge.bridge-nf-call-iptables" = 1;
+ "net.bridge.bridge-nf-call-arptables" = 1;
+ "fs.inotify.max_user_watches" = 524288;
+ "dev.i915.perf_stream_paranoid" = 0;
+ "net.ipv4.conf.all.rp_filter" = 0;
+ "vm.max_map_count" = 2000000;
+ "net.ipv4.conf.all.route_localnet" = 1;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "kernel.msgmnb" = 65536;
+ "kernel.msgmax" = 65536;
+ "net.ipv4.tcp_timestamps" = 0;
+ "net.ipv4.tcp_synack_retries" = 1;
+ "net.ipv4.tcp_syn_retries" = 1;
+ "net.ipv4.tcp_tw_recycle" = 1;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ "net.ipv4.tcp_fin_timeout" = 15;
+ "net.ipv4.tcp_keepalive_time" = 1800;
+ "net.ipv4.tcp_keepalive_probes" = 3;
+ "net.ipv4.tcp_keepalive_intvl" = 15;
+ "net.ipv4.ip_local_port_range" = "2048 65535";
+ "fs.file-max" = 102400;
+ "net.ipv4.tcp_max_tw_buckets" = 180000;
+ };
+
+ commonSettings = {
+ nix.enableMirrors = true;
+ auth.enable = true;
+ };
+
+ documentation.enable = false;
+
+ time.timeZone = "Asia/Shanghai";
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ environment.systemPackages = with pkgs; [
+ lsof
+ wget
+ curl
+ neovim
+ jq
+ iptables
+ ebtables
+ tcpdump
+ busybox
+ ethtool
+ socat
+ htop
+ iftop
+ lm_sensors
+ ];
+
+ programs.command-not-found.enable = false;
+
+ networking = {
+ useDHCP = false;
+ hostName = "osmium";
+ };
+
+ systemd.network = {
+ enable = true;
+ networks."lan" = {
+ matchConfig.Name = "enu1";
+ networkConfig.DHCP = "no";
+ linkConfig.RequiredForOnline = "no";
+ };
+ networks."wan" = {
+ matchConfig.Name = "end0";
+ networkConfig.DHCP = "yes";
+ linkConfig.RequiredForOnline = "yes";
+ };
+ };
+
+ services.dae = {
+ enable = true;
+ configFile = "/var/lib/dae/config.dae";
+ };
+
+ services.tailscale.enable = true;
+
+ };
+}
diff --git a/machines/osmium/sd-image-aarch64-orangepi-r1plus.nix b/machines/osmium/sd-image-aarch64-orangepi-r1plus.nix
new file mode 100644
index 0000000..3802760
--- /dev/null
+++ b/machines/osmium/sd-image-aarch64-orangepi-r1plus.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ modulesPath,
+ lib,
+ pkgs,
+ ...
+}:
+let
+in
+{
+ imports = [
+ (modulesPath + "/profiles/base.nix")
+ ];
+
+ boot.loader.grub.enable = false;
+ boot.loader.generic-extlinux-compatible.enable = true;
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ boot.kernelParams = [
+ "earlycon"
+ "console=ttyS2,1500000"
+ "consoleblank=0"
+ ];
+ boot.supportedFilesystems = lib.mkForce [
+ "ext4"
+ "vfat"
+ "ntfs"
+ ];
+
+ sdImage = {
+ compressImage = false;
+ imageBaseName = "nixos-sd-image-orange-pi-r1-plus-lts";
+ firmwarePartitionOffset = 16;
+ populateFirmwareCommands = ''
+ echo "Install U-Boot: ${pkgs.ubootOrangePiR1LtsPackage}"
+ dd if=${pkgs.ubootOrangePiR1LtsPackage}/idbloader.img of=$img seek=64 conv=notrunc
+ dd if=${pkgs.ubootOrangePiR1LtsPackage}/u-boot.itb of=$img seek=16384 conv=notrunc
+ '';
+ populateRootCommands = ''
+ mkdir -p ./files/boot
+ ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
+ '';
+ };
+}
diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix
index 135a2cb..f1b214e 100644
--- a/overlays/add-pkgs.nix
+++ b/overlays/add-pkgs.nix
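Review bot: Several keys in the `boot.kernel.sysctl` set of machines/osmium/default.nix cannot take effect on this board: `net.ipv4.tcp_tw_recycle` was removed from Linux in 4.12, and `dev.i915.perf_stream_paranoid` belongs to Intel graphics, so on an RK3328 running `linuxPackages_latest` (selected in the sibling sd-image file) systemd-sysctl will only log failures for them. The list reads as pasted from a different host profile; trimming it to what this router needs makes it reviewable. The security-relevant entries deserve a why-comment, since with `net.ipv4.ip_forward` on and a DHCP-configured `end0` this host forwards for a WAN-facing interface, e.g. above the block `# rp_filter=0, route_localnet=1 and ip_nonlocal_bind are required for <reason>; they relax what the WAN side accepts`. `services.dae.configFile` points at a mutable path under /var/lib rather than the store, which is fine but worth a comment that the file is provisioned out of band.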
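Review bot: The empty `let in` before the module body in sd-image-aarch64-orangepi-r1plus.nix is dead syntax; drop both lines. `boot.supportedFilesystems = lib.mkForce [ ... ]` discards whatever the imported base profile and sd-image module contribute instead of merging with it, which is presumably deliberate but should be stated in a comment. The two `dd` offsets are magic numbers; a comment such as `# idbloader.img at sector 64 (32 KiB), u-boot.itb at sector 16384 (8 MiB), both inside the firmwarePartitionOffset gap (16 MiB if that option is in mebibytes as sd-image.nix documents)` would spare the next reader a datasheet lookup.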
@@ -1,5 +1,12 @@
-(
- final: prev:
- {
- }
-)
+(final: prev: {
+ ubootOrangePiR1LtsPackage = prev.buildUBoot {
+ defconfig = "orangepi-r1-plus-lts-rk3328_defconfig";
+ enableParallelBuilding = true;
+
+ BL31 = "${prev.armTrustedFirmwareRK3328}/bl31.elf";
+ filesToInstall = [
+ "u-boot.itb"
+ "idbloader.img"
+ ];
+ };
+})
diff --git a/scripts/nixos-updater.py b/scripts/nixos-updater.py
new file mode 100644
index 0000000..c859250
--- /dev/null
+++ b/scripts/nixos-updater.py
@@ -0,0 +1,90 @@
+import requests
+import os
+import socket
+import json
+from os import path as osp
+from dataclasses import dataclass
+
+"""
+This updater consists of several parts:
+
+- Update checker: Check an url for update (if outPath is different from /run/current-system or some specified profile) or maybe use timestamp for update
+- Nix copy --from: copy from remote. Need to specify remote url.
+- Create a symlink: /run/next-system ->
+- Listen for POST request to trigger system switch (optional)
+"""
+
+
+@dataclass
+class GarnixConfig:
+ token: str
+
+
+@dataclass
+class Config:
+ check_type: str
+ check_url: str
+ remote_url: str
+ garnix: GarnixConfig
+ hostname: str = socket.gethostname()
+
+
+class Nix:
+ def __init__(self, args):
+ self.args = args
+
+ def copy_from_remote(self):
+ # run nix copy with subprocess
+ pass
+
+ def eval(self):
+
+
+class Updater:
+ def __init__(self, config: Config):
+ self.config = config
+
+ # TODO: Make this configurable
+ self.current_drv = os.readlink("/run/current-system")
+ self.next_dev = None
+
+ # checkers take an url and returns the outPath of the latest success build
+ def garnix_checker(self) -> str:
+ domain = "garnix.io"
+ build_endpoint = "/api/build/commit"
+
+ # Latest commit from git
+
+ # Check build status of this commit
+ resp = requests.get(
+ f"https://{domain}{build_endpoint}/40b1e9ff23aaa5f555420dd22414c3f137a02cfe"
+ )
+ # Raise error if status code is not valid
+
+ # Fetch outPath from eval endpoint
+ # TODO: In theory, this could be done by parsing raw log from garnix.
+
+ # Try to evaluate locally if eval endpoint is not configured
+
+ resp = resp.json()
+ # TODO
+ return "null"
+
+ def hydra_checker(self) -> str:
+ # TODO
+ return "null"
+
+ # Check for update
+ def poll(self) -> str | None:
+ cfg = self.config
+ if cfg.check_type == "garnix":
+ pass
+ elif cfg.check_type == "hydra":
+ pass
+ else:
+ pass
+ pass
+
+
+if __name__ == "__main__":
+ pass
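Review bot: `def eval(self):` in class Nix has no body, which is a SyntaxError, so scripts/nixos-updater.py cannot be imported or run at all as committed; give it a stub such as `raise NotImplementedError`. In `garnix_checker` the comment `# Raise error if status code is not valid` is not implemented: add `resp.raise_for_status()` before `resp = resp.json()`, otherwise an error body from the API is parsed as JSON and silently treated as a result. The commit hash in the request URL is hard-coded where `self.config.check_url` appears to be intended, and `self.next_dev` looks like a typo for `next_drv` next to `current_drv`. The `hostname` default `socket.gethostname()` is evaluated once at import time, which is acceptable for a dataclass field but worth a comment. The POST trigger sketched in the module docstring would switch the running system, so when it is implemented it should listen on localhost or require authentication, since anything able to reach it can deploy.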
From 7c5c8be995951b77f56ad9b9893dd80cd7f9bd84 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Sun, 24 Nov 2024 23:43:32 +0800
Subject: [PATCH 3/4] dolomite: disable warp

---
 machines/dolomite/common.nix | 6 +-
 machines/dolomite/lightsail.nix | 7 ++
 .../nixos/common-settings/proxy-server.nix | 101 +++++++++++-------
 3 files changed, 75 insertions(+), 39 deletions(-)

diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix
index 83b0e36..fffb74d 100644
--- a/machines/dolomite/common.nix
+++ b/machines/dolomite/common.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
 config = {
 sops = {
@@ -29,7 +29,9 @@
 commonSettings = {
 auth.enable = true;
- proxyServer.enable = true;
+ proxyServer = {
+ enable = true;
+ };
 };
 };
diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix
index e44fac4..0c22e07 100644
--- a/machines/dolomite/lightsail.nix
+++ b/machines/dolomite/lightsail.nix
@@ -39,6 +39,13 @@ in
 fsType = "vfat";
 };
+ swapDevices = [
+ {
+ device = "/var/lib/swapfile";
+ size = 4 * 1024;
+ }
+ ];
+
 boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
 boot.initrd.kernelModules = [ "xen-blkfront" ];
 boot.initrd.availableKernelModules = [ "nvme" ];
diff --git a/modules/nixos/common-settings/proxy-server.nix b/modules/nixos/common-settings/proxy-server.nix
index d2cfb0f..166bf2d 100644
--- a/modules/nixos/common-settings/proxy-server.nix
+++ b/modules/nixos/common-settings/proxy-server.nix
@@ -1,7 +1,6 @@
 {
 config,
 lib,
- pkgs,
 ...
 }:
@@ -32,7 +31,9 @@ let
 tag = "sg0";
 type = "trojan";
 listen = "::";
- listen_port = 8080;
+ listen_port = cfg.trojan.port;
+ tcp_multi_path = true;
+ tcp_fast_open = true;
 users = [
 {
 name = "proxy";
@@ -63,51 +64,77 @@ let
 ];
 tls = singTls;
 });
- outbounds = [
- {
- type = "wireguard";
- tag = "wg-out";
- private_key = {
- _secret = config.sops.secrets.wg_private_key.path;
- };
- local_address = [
- "172.16.0.2/32"
- { _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
- ];
- peers = [
- {
- public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
- allowed_ips = [
- "0.0.0.0/0"
- "::/0"
- ];
- server = "162.159.192.1";
- server_port = 500;
- }
- ];
- }
- {
- type = "direct";
- tag = "direct";
- }
- ];
- route = {
- rules = [
+ outbounds =
+ # warp outbound goes first to make it default outbound
+ (lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [
 {
- inbound = "sg0";
- outbound = "direct";
+ type = "wireguard";
+ tag = "wg-out";
+ private_key = {
+ _secret = config.sops.secrets.wg_private_key.path;
+ };
+ local_address = [
+ "172.16.0.2/32"
+ { _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
+ ];
+ peers = [
+ {
+ public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
+ allowed_ips = [
+ "0.0.0.0/0"
+ "::/0"
+ ];
+ server = "162.159.192.1";
+ server_port = 500;
+ }
+ ];
 }
+ ])
+ ++ [
+
 {
- inbound = "sg4";
- outbound = "direct";
+ type = "direct";
+ tag = "direct";
 }
 ];
+ route = {
+ rules =
+ [
+ {
+ inbound = "sg4";
+ outbound = "direct";
+ }
+ ]
+ ++ (lib.optionals (!cfg.warp.onTuic) (
+ lib.forEach (lib.range 1 3) (i: {
+ inbound = "sg${toString i}";
+ outbound = "direct";
+ })
+ ))
+ ++ (lib.optionals (!cfg.warp.onTrojan) [
+ {
+ inbound = "sg0";
+ outbound = "direct";
+ }
+ ]);
 };
 };
 in
 {
 options.commonSettings.proxyServer = {
 enable = mkEnableOption "sing-box as a server";
+
+ trojan = {
+ port = mkOption {
+ type = lib.types.port;
+ default = cfg.trojan.port;
+ };
+ };
+
+ warp = {
+ onTrojan = mkEnableOption "forward to warp in trojan";
+ onTuic = mkEnableOption "forward to warp in first two port of tuic";
+ };
 };
 config = mkIf cfg.enable {
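Review bot: `(cfg.warp.onTuic or cfg.warp.onTrojan)` uses Nix's attribute-default operator, not boolean disjunction: `a or b` yields `a` unless the attribute path is missing, and both options always exist, so the guard is effectively `cfg.warp.onTuic` and enabling only `warp.onTrojan` never adds the `wg-out` outbound; the intended test is `(cfg.warp.onTuic || cfg.warp.onTrojan)`. The new `trojan.port` option has `default = cfg.trojan.port;`, which, if `cfg` is `config.commonSettings.proxyServer` as `cfg.enable` suggests, refers to itself and produces infinite recursion whenever the port is left unset, exactly what dolomite/common.nix does in this patch; the previous literal suggests `default = 8080;`. That option is consumed by `listen_port` in the preceding hunk and by `allowedTCPPorts` in the following one, so both break with it. The description "forward to warp in first two port of tuic" disagrees with `lib.range 1 3`, which sends three inbounds direct.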
@@ -132,7 +159,7 @@ in
 networking.firewall.allowedTCPPorts = [
 80
- 8080
+ cfg.trojan.port
 ];
 networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);

From 5b19d8a97e17331ef95aa7e2db1f4b147915c9d0 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Mon, 25 Nov 2024 00:02:58 +0800
Subject: [PATCH 4/4] weilite: more media services

---
 machines/weilite/services/media-download.nix | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/machines/weilite/services/media-download.nix b/machines/weilite/services/media-download.nix
index 36ae424..0e1ab58 100644
--- a/machines/weilite/services/media-download.nix
+++ b/machines/weilite/services/media-download.nix
@@ -1,6 +1,23 @@
+{ pkgs, ... }:
 {
 services.jackett = {
 enable = true;
+ package = pkgs.jackett.overrideAttrs {
+ src = pkgs.fetchFromGitHub {
+ owner = "jackett";
+ repo = "jackett";
+ rev = "v0.22.998";
+ hash = "sha256-CZvgDWxxIAOTkodgmFNuT3VDW6Ln4Mz+Ki7m91f0BgE=";
+ };
+ };
 openFirewall = false;
 };
+
+ services.sonarr = {
+ enable = true;
+ };
+
+ services.radarr = {
+ enable = true;
+ };
 }
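Review bot: `pkgs.jackett.overrideAttrs { src = ...; }` swaps the source to v0.22.998 but leaves `version` at whatever nixpkgs ships, so the derivation name and any version metadata derived from it are stale; set `version = "0.22.998";` next to `src`. Jackett in nixpkgs is built with buildDotnetModule, which pins a `nugetDeps` lock, so a source bump whose dependencies moved will likely fail at restore time unless that lock is regenerated as well — worth confirming the build before deploying to weilite. `services.sonarr` and `services.radarr` are enabled without `openFirewall`, the safe default; a one-line comment stating how they are meant to be reached (LAN only, or behind the reverse proxy) would document the intent.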