xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: xin:9a21ab662181120b60f20071d2ea0510b12ff141
Branches Tags
xin:master
xin:deploy
xin:testing-weilite
xin:testing-raspite
xin:testing-calcite
xin:next
xin:deploy-comin-eval
...
compare: xin:273c0932b170eb5786c72ce0b2575082b82ba606
Branches Tags
xin:deploy
xin:testing-weilite
xin:testing-raspite
xin:testing-calcite
xin:next
xin:deploy-comin-eval
xin:master

7 commits
9a21ab6621 ... 273c0932b1

Author SHA1 Message Date
xinyangli
273c0932b1
bump version 2024-12-10 14:13:44 +08:00
xinyangli
6c04a968e8
calcite: revert seperate home-manager 2024-12-10 12:42:12 +08:00
xinyangli
2f31395fb3
home/xin: add modern unix tools and alias 2024-12-10 12:41:38 +08:00
xinyangli
dacd22b7d2
modules/monitoring: add sing-box monitoring 2024-12-10 12:05:05 +08:00
xinyangli
e4fd9e8b23
modules/monitoring: fix probes 2024-12-06 23:25:44 +08:00
xinyangli
082e64b960
modules/proxy: multi-user support 2024-12-06 23:24:49 +08:00
xinyangli
7727c5cf43
massicot: drop ntfy 2024-12-05 20:02:48 +08:00
16 changed files with 391 additions and 207 deletions
Show stats Expand all files Collapse all files

117
flake.lock generated
View file

@ -68,11 +68,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1732988076, "lastModified": 1733168902,
"narHash": "sha256-2uMaVAZn7fiyTUGhKgleuLYe5+EAAYB/diKxrM7g3as=", "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "2814a5224a47ca19e858e027f7e8bff74a8ea9f1", "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -167,6 +167,27 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"nur",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1659877975, "lastModified": 1659877975,
@ -281,11 +302,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733085484, "lastModified": 1733754861,
"narHash": "sha256-dVmNuUajnU18oHzBQWZm1BQtANCHaqNuxTHZQ+GN0r8=", "narHash": "sha256-3JKzIou54yjiMVmvgdJwopekEvZxX3JDT8DpKZs4oXY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "c1fee8d4a60b89cae12b288ba9dbc608ff298163", "rev": "9ebaa80a227eaca9c87c53ed515ade013bc2bca9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -418,11 +439,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733024876, "lastModified": 1733629314,
"narHash": "sha256-vy9Q41hBE7Zg0yakF79neVgb3i3PQMSMR7uHPpPywFE=", "narHash": "sha256-U0vivjQFAwjNDYt49Krevs1murX9hKBFe2Ye0cHpgbU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "6e0b7f81367069589a480b91603a10bcf71f3103", "rev": "f1e477a7dd11e27e7f98b646349cd66bbabf2fb8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -442,11 +463,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733104664, "lastModified": 1733795858,
"narHash": "sha256-UhlyYYO84s36aSj0/xZdclY6CgwJSWPYtTHTOBuHodM=", "narHash": "sha256-K595Q2PrZv2iiumdBkwM2G456T2lKsLD71bn/fbJiQ0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "e3a9b717e8327886d4ab6115f6989f4d1ef44e51", "rev": "66ced222ef9235f90dbdd754ede3d6476722aaa9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -457,11 +478,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1733066523, "lastModified": 1733481457,
"narHash": "sha256-aQorWITXZu7b095UwnpUvcGt9dNJie/GO9r4hZfe2sU=", "narHash": "sha256-IS3bxa4N1VMSh3/P6vhEAHQZecQ3oAlKCDvzCQSO5Is=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "fe01780d356d70fd119a19277bff71d3e78dad00", "rev": "e563803af3526852b6b1d77107a81908c66a9fcf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -501,11 +522,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1733016324, "lastModified": 1733730953,
"narHash": "sha256-8qwPSE2g1othR1u4uP86NXxm6i7E9nHPyJX3m3lx7Q4=", "narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7e1ca67996afd8233d9033edd26e442836cc2ad6", "rev": "7109b680d161993918b0a126f38bc39763e5a709",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -517,11 +538,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1733128666, "lastModified": 1733805440,
"narHash": "sha256-JOIhbU0EPRXwFv1wCXGTkUZ9KnIcLxChvCqeV9hh63U=", "narHash": "sha256-AQdCeGt3dMV9/cchlWGMcP0Z8qM47V+B0p7cSRr+HhA=",
"owner": "xinyangli", "owner": "xinyangli",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6273ca0a0fd51ac708a71e380c0cda97a72bbb07", "rev": "61b1078fca3a097ce06ada68a6f2766347eed02c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -531,6 +552,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1733581040,
"narHash": "sha256-Qn3nPMSopRQJgmvHzVqPcE3I03zJyl8cSbgnnltfFDY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "22c3f2cf41a0e70184334a958e6b124fb0ce3e01",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixvim": { "nixvim": {
"inputs": { "inputs": {
"devshell": "devshell", "devshell": "devshell",
@ -558,12 +595,17 @@
} }
}, },
"nur": { "nur": {
"inputs": {
"flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_3",
"treefmt-nix": "treefmt-nix_2"
},
"locked": { "locked": {
"lastModified": 1733125101, "lastModified": 1733805328,
"narHash": "sha256-C8f6ekiZ4kP84JWLDrMigvnSK6RXQoxLEDoteXMx1yc=", "narHash": "sha256-5F49/mOzFb40uUZh71uNr7kBXjDCw5ZfHMbpZjjUVBQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "1844924bf1e7e5a98198eca17b6c27cc9a363b05", "rev": "b54fa3d8c020e077d88be036a12a711b84fe2031",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -620,11 +662,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733128155, "lastModified": 1733785344,
"narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "narHash": "sha256-pm4cfEcPXripE36PYCl0A2Tu5ruwHEvTee+HzNk+SQE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "rev": "a80af8929781b5fe92ddb8ae52e9027fae780d2a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -700,6 +742,27 @@
"repo": "treefmt-nix", "repo": "treefmt-nix",
"type": "github" "type": "github"
} }
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nur",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733222881,
"narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49717b5af6f80172275d47a418c9719a31a78b53",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

3
flake.nix
View file

@ -111,10 +111,9 @@
nodeNixosModules = { nodeNixosModules = {
calcite = [ calcite = [
nixos-hardware.nixosModules.asus-zephyrus-ga401 nixos-hardware.nixosModules.asus-zephyrus-ga401
nur.nixosModules.nur
catppuccin.nixosModules.catppuccin catppuccin.nixosModules.catppuccin
machines/calcite/configuration.nix machines/calcite/configuration.nix
# (mkHome "xin" "calcite") (mkHome "xin" "calcite")
]; ];
hk-00 = [ hk-00 = [
./machines/dolomite/claw.nix ./machines/dolomite/claw.nix

8
home/xin/common/default.nix
View file

@ -5,13 +5,12 @@
... ...
}: }:
{ {
imports = [ ]; imports = [
./modern-unix.nix
];
home.packages = with pkgs; [ home.packages = with pkgs; [
dig dig
du-dust # du + rust
zoxide # autojumper
ripgrep
file file
man-pages man-pages
unar unar
@ -19,7 +18,6 @@
wget wget
tmux tmux
ffmpeg ffmpeg
tealdeer
rclone rclone
wl-clipboard wl-clipboard

17
home/xin/common/modern-unix.nix Normal file
View file

@ -0,0 +1,17 @@
{ pkgs, ... }:
{
home.packages = with pkgs; [
httpie
curlie
bat
htop
procs
rust-parallel
jq
fd
du-dust # du + rust
zoxide # autojumper
ripgrep
tealdeer
];
}

1
machines/biotite/default.nix
View file

@ -44,6 +44,7 @@
custom.prometheus.exporters = { custom.prometheus.exporters = {
enable = true; enable = true;
node.enable = true;
}; };
services.tailscale.enable = true; services.tailscale.enable = true;

9
machines/calcite/configuration.nix
View file

@ -16,7 +16,7 @@ in
]; ];
commonSettings = { commonSettings = {
auth.enable = true; # auth.enable = true;
nix = { nix = {
signing.enable = true; signing.enable = true;
}; };
@ -301,11 +301,16 @@ in
zotero zotero
# onlyoffice-bin # onlyoffice-bin
config.nur.repos.linyinfeng.wemeet wemeet
virt-manager virt-manager
wineWowPackages.waylandFull
winetricks
]; ];
services.esphome.enable = true;
users.groups.dialout.members = [ "xin" ];
system.stateVersion = "22.05"; system.stateVersion = "22.05";
system.switch.enable = false; system.switch.enable = false;

16
machines/dolomite/common.nix
View file

@ -3,6 +3,7 @@
config = { config = {
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets/secrets.yaml;
secrets = { secrets = {
wg_private_key = { wg_private_key = {
owner = "root"; owner = "root";
@ -12,14 +13,6 @@
owner = "root"; owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
}; };
"sing-box/password" = {
owner = "root";
sopsFile = ./secrets/secrets.yaml;
};
"sing-box/uuid" = {
owner = "root";
sopsFile = ./secrets/secrets.yaml;
};
}; };
}; };
swapDevices = [ swapDevices = [
@ -32,6 +25,8 @@
custom.prometheus.exporters = { custom.prometheus.exporters = {
enable = true; enable = true;
node.enable = true; node.enable = true;
blackbox.enable = true;
v2ray.enable = true;
}; };
custom.monitoring = { custom.monitoring = {
@ -44,6 +39,11 @@
auth.enable = true; auth.enable = true;
proxyServer = { proxyServer = {
enable = true; enable = true;
users = [
"wyj"
"yhb"
"xin"
];
}; };
}; };
}; };

16
machines/dolomite/secrets/secrets.yaml
View file

@ -1,6 +1,14 @@
sing-box: sing-box:
password: ENC[AES256_GCM,data:qCc1v8nAL0oYisRinMDXGrBQA+r6XNoa,iv:eTxtad4kEdE28XqnrZEek8BtXNY1rNgLvGLxlMzRtl4=,tag:s/shWAkYE4DSnScpTY8ulQ==,type:str] users:
uuid: ENC[AES256_GCM,data:lEpz15sLOVrGDzQwTJyS+tFJY0bMeO265bxocWAjB6qrvxYx,iv:lhk5jl/udUH3AZEuk5ffuvin/qhRUaOZ/3nk1Jaw+DI=,tag:4mKFIVKT+D47njfDsxe9iA==,type:str] wyj:
password: ENC[AES256_GCM,data:yp+T3eci9RiuZzdmRSq5nTjHaz8e/Rri,iv:hIPc+7YHUnaIdU9O8GGx3r7l3oBA6prQb+KBQV0G+8k=,tag:2GNiBP4PQy+KGHgLupKGSg==,type:str]
uuid: ENC[AES256_GCM,data:Qrgil6G7pjQAQzCCOlstDi27EqqmSuBMhs+RTl9++wrPrIgJ,iv:u+3Z17uX4I6li2qd9UP3y+WaKn7aKfbb3J6H1Pyc1QY=,tag:hSa4AB383/B58XMmZ8LIfQ==,type:str]
yhb:
password: ENC[AES256_GCM,data:TwRct68TePpcZcnpWIQpFaF23WGMre8=,iv:YU4mQNm0rt2u4ItJwQ8nZPEmJi0+lmEIPG2Kxh/nI58=,tag:ukZem38O/b42dEKM3CYa+w==,type:str]
uuid: ENC[AES256_GCM,data:6hVhEqWPLVrn8rCS4x/eapd+iL7JRaXtOGCj9uuPlkGjBTMK,iv:VZ27KWCY6/K5GoNwRNmaRWzqfV7+8iFjtias1vKeGfA=,tag:8mhmZPooxHaGNYdznuFhMQ==,type:str]
xin:
password: ENC[AES256_GCM,data:SRiPFO+Uwy/PT41SIg7eI68wk4AX6so=,iv:aXwP5wa1IrlnvFo/ZL+DYFFHDdWw2Z83de3ApHUTsXo=,tag:sxXoy1FnDxZBQCDeNxphzQ==,type:str]
uuid: ENC[AES256_GCM,data:7xK53SO4x0tOIEIYl6kmmAvnpdsR/tYQoG1t/ytsnO4QqWY3,iv:i694Fnu7g1OA3IGzSaoSGA5/eMPo+I/1TZbYuaQrgNA=,tag:4cUlioJn/IvsvZclgboOSA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -43,8 +51,8 @@ sops:
K1F1SzI2NFNIKzlreVBXSjAxaUxQd28KFaf1uu7OlqIe0TirJFgS3iPjhXPyfNDE K1F1SzI2NFNIKzlreVBXSjAxaUxQd28KFaf1uu7OlqIe0TirJFgS3iPjhXPyfNDE
m2XUjzdXp+chJCzVOFvpYStqz+e08ADEc+jp3YsTLcxyqvXhQdyL/Q== m2XUjzdXp+chJCzVOFvpYStqz+e08ADEc+jp3YsTLcxyqvXhQdyL/Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-02T05:26:17Z" lastmodified: "2024-12-06T04:35:52Z"
mac: ENC[AES256_GCM,data:K94zFWPWGUisLCqDjSLs17QxHXPH4tPU/98Sb4lCnt7IRAIn14x/T+BnInY/DK+DOVLLtzSfuN0kgzzGjSzwJx5Vq1G3MkhngRQQRT9dvODTCMAw6lPt98Ofw1CEEsFQnpYo9zIUlCGKg2YPKFLqE7OjkPxqw7VYvgzr5dDw58s=,iv:3xcJfNX5v/e9HgZt3UrHs2/C5ivaBV1rXKIBs9hKKFg=,tag:RQPQQ1cmZiOpQjUwqnzZQA==,type:str] mac: ENC[AES256_GCM,data:DAg4UTwNv+rs6hye2z5UUtA1a4yZbFaAWjLoKAXf87tKgBCZzK8C1q6gLyTQOqp07ptYQd5Q951kfE1a/35SFJsubREzJmu6haxznRgq7pO5HDGqgtjYEHsngsWZh3bUSX/aG2dLISdD81VY68nLzTO0r4h/SL6DNG36RzJgL8E=,iv:V0WhENNt/Szi5VWVD2t5AsWP1tOZUGjFjMNYPDq59XI=,tag:ThRstdzVNtSs6E7qlvKPOw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1

31
machines/massicot/services.nix
View file

@ -46,18 +46,6 @@ in
}; };
}; };
services.ntfy-sh = {
enable = true;
group = "caddy";
settings = {
listen-unix = "/var/run/ntfy-sh/ntfy.sock";
listen-unix-mode = 432; # octal 0660
base-url = "https://ntfy.xinyang.life";
};
};
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";
services.kanidm = { services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning; package = pkgs.kanidm.withSecretProvisioning;
enableServer = true; enableServer = true;
@ -98,15 +86,6 @@ in
services.caddy = { services.caddy = {
enable = true; enable = true;
virtualHosts."xinyang.life:443".extraConfig = ''
tls internal
encode zstd gzip
reverse_proxy /.well-known/matrix/* localhost:6167
reverse_proxy * http://localhost:8080 {
flush_interval -1
}
'';
virtualHosts."http://auth.xinyang.life:80".extraConfig = '' virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
''; '';
@ -119,15 +98,5 @@ in
} }
} }
''; '';
virtualHosts."https://ntfy.xinyang.life".extraConfig = ''
reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
@httpget {
protocol http
method GET
path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
}
redir @httpget https://{host}{uri}
'';
}; };
} }

30
machines/thorite/monitoring.nix
View file

@ -67,10 +67,18 @@ in
let let
probeList = [ probeList = [
"la-00.video.namely.icu:8080" "la-00.video.namely.icu:8080"
"fre-00.video.namely.icu:8080" "fra-00.video.namely.icu:8080"
"hk-00.video.namely.icu:8080" "hk-00.video.namely.icu:8080"
"home.xinyang.life:8000" "home.xinyang.life:8000"
]; ];
chinaTargets = [
"bj-cu-v4.ip.zstaticcdn.com:80"
"bj-cm-v4.ip.zstaticcdn.com:80"
"bj-ct-v4.ip.zstaticcdn.com:80"
"sh-cu-v4.ip.zstaticcdn.com:80"
"sh-cm-v4.ip.zstaticcdn.com:80"
"sh-ct-v4.ip.zstaticcdn.com:80"
];
passwordFile = config.sops.secrets."prometheus/metrics_password".path; passwordFile = config.sops.secrets."prometheus/metrics_password".path;
in in
(mkScrapes [ (mkScrapes [
@ -123,6 +131,7 @@ in
{ address = "thorite.coho-tet.ts.net"; } { address = "thorite.coho-tet.ts.net"; }
{ address = "massicot.coho-tet.ts.net"; } { address = "massicot.coho-tet.ts.net"; }
{ address = "weilite.coho-tet.ts.net"; } { address = "weilite.coho-tet.ts.net"; }
{ address = "biotite.coho-tet.ts.net"; }
{ address = "hk-00.coho-tet.ts.net"; } { address = "hk-00.coho-tet.ts.net"; }
{ address = "la-00.coho-tet.ts.net"; } { address = "la-00.coho-tet.ts.net"; }
{ address = "fra-00.coho-tet.ts.net"; } { address = "fra-00.coho-tet.ts.net"; }
@ -140,10 +149,27 @@ in
hostAddress = "weilite.coho-tet.ts.net"; hostAddress = "weilite.coho-tet.ts.net";
targetAddresses = [ targetAddresses = [
"la-00.video.namely.icu:8080" "la-00.video.namely.icu:8080"
"fre-00.video.namely.icu:8080" "fra-00.video.namely.icu:8080"
"hk-00.video.namely.icu:8080" "hk-00.video.namely.icu:8080"
]; ];
} }
{
hostAddress = "la-00.coho-tet.ts.net";
targetAddresses = chinaTargets;
}
{
hostAddress = "hk-00.coho-tet.ts.net";
targetAddresses = chinaTargets;
}
{
hostAddress = "fra-00.coho-tet.ts.net";
targetAddresses = chinaTargets;
}
])
++ (mkV2rayScrapes [
{ address = "la-00.coho-tet.ts.net"; }
{ address = "hk-00.coho-tet.ts.net"; }
{ address = "fra-00.coho-tet.ts.net"; }
]); ]);
}; };

4
modules/home-manager/fish.nix
View file

@ -91,6 +91,10 @@ in
${pkgs.comma}/bin/comma $argv ${pkgs.comma}/bin/comma $argv
end end
set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha) set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)
alias ctlsp="systemctl stop"
alias ctlst="systemctl start"
alias ctlrt="systemctl restart"
alias ctls="systemctl status"
'' ''
else else
""; "";

9
modules/home-manager/git.nix
View file

@ -25,8 +25,9 @@ in
}; };
}; };
}; };
config = { config = mkIf cfg.enable {
programs.git = mkIf cfg.enable { home.packages = [ pkgs.git-absorb ];
programs.git = {
enable = true; enable = true;
delta.enable = true; delta.enable = true;
userName = "Xinyang Li"; userName = "Xinyang Li";
@ -42,6 +43,10 @@ in
signByDefault = true; signByDefault = true;
key = cfg.signing.keyFile; key = cfg.signing.keyFile;
}; };
extraConfig.absorb = {
oneFixupPerCommit = true;
maxStack = 20;
};
extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; }; extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; };
extraConfig.gpg = mkIf cfg.signing.enable { format = "ssh"; }; extraConfig.gpg = mkIf cfg.signing.enable { format = "ssh"; };
}; };

282
modules/nixos/common-settings/proxy-server.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
pkgs,
lib, lib,
... ...
}: }:
@ -21,106 +22,117 @@ let
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
}; };
mkSingConfig = mkSingConfig = users: {
{ uuid, password, ... }: log = {
{ level = "warn";
log = { };
level = "warn"; inbounds =
}; [
inbounds = {
[ tag = "sg0";
{ type = "trojan";
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = cfg.trojan.port;
tcp_multi_path = true;
tcp_fast_open = true;
users = [
{
name = "proxy";
password = {
_secret = password;
};
}
];
tls = singTls;
}
]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::"; listen = "::";
listen_port = port; listen_port = cfg.trojan.port;
congestion_control = "bbr"; tcp_multi_path = true;
users = [ tcp_fast_open = true;
users = map (user: {
name = user.name;
password = {
_secret = user.passwordFile;
};
}) users;
tls = singTls;
}
]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = map (user: {
name = user.name;
uuid = {
_secret = user.uuidFile;
};
password = {
_secret = user.passwordFile;
};
}) users;
tls = singTls;
});
outbounds =
# warp outbound goes first to make it default outbound
(lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{ {
name = "proxy"; public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
uuid = { allowed_ips = [
_secret = uuid; "0.0.0.0/0"
}; "::/0"
password = { ];
_secret = password; server = "162.159.192.1";
}; server_port = 500;
} }
]; ];
tls = singTls; }
}); ])
outbounds = ++ [
# warp outbound goes first to make it default outbound
(lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
])
++ [
{
type = "direct";
tag = "direct";
}
];
route = {
rules =
[
{ {
type = "direct"; inbound = "sg4";
tag = "direct"; outbound = "direct";
} }
]; ]
route = { ++ (lib.optionals (!cfg.warp.onTuic) (
rules = lib.forEach (lib.range 1 3) (i: {
[ inbound = "sg${toString i}";
{ outbound = "direct";
inbound = "sg4"; })
outbound = "direct"; ))
} ++ (lib.optionals (!cfg.warp.onTrojan) [
] {
++ (lib.optionals (!cfg.warp.onTuic) ( inbound = "sg0";
lib.forEach (lib.range 1 3) (i: { outbound = "direct";
inbound = "sg${toString i}"; }
outbound = "direct"; ]);
}) };
)) experimental = {
++ (lib.optionals (!cfg.warp.onTrojan) [ v2ray_api = {
{ listen = "127.0.0.1:15175";
inbound = "sg0"; stats = {
outbound = "direct"; users = map (u: u.name) users;
} enabled = true;
]); inbounds = map (p: "sg" + toString p) (lib.range 0 4);
};
}; };
}; };
};
sing-box = pkgs.sing-box.overrideAttrs (
finalAttrs: previousAttrs: {
tags = previousAttrs.tags ++ [
"with_v2ray_api"
];
}
);
in in
{ {
options.commonSettings.proxyServer = { options.commonSettings.proxyServer = {
@ -137,40 +149,62 @@ in
onTrojan = mkEnableOption "forward to warp in trojan"; onTrojan = mkEnableOption "forward to warp in trojan";
onTuic = mkEnableOption "forward to warp in first two port of tuic"; onTuic = mkEnableOption "forward to warp in first two port of tuic";
}; };
};
config = mkIf cfg.enable { users = mkOption {
boot.kernel.sysctl = { type = lib.types.listOf lib.types.str;
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
networking.firewall.trustedInterfaces = [ "tun0" ];
security.acme = {
acceptTerms = true;
certs.${config.deployment.targetHost} = {
email = "me@namely.icu";
# Avoid port conflict
listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
};
};
services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = ''
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [
80
cfg.trojan.port
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
services.sing-box = {
enable = true;
settings = mkSingConfig {
uuid = config.sops.secrets."sing-box/uuid".path;
password = config.sops.secrets."sing-box/password".path;
};
}; };
}; };
config = mkIf cfg.enable (
{
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
networking.firewall.trustedInterfaces = [ "tun0" ];
security.acme = {
acceptTerms = true;
certs.${config.deployment.targetHost} = {
email = "me@namely.icu";
# Avoid port conflict
listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
};
};
services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = ''
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [
80
cfg.trojan.port
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
services.sing-box = {
enable = true;
package = sing-box;
settings = (
mkSingConfig (
map (n: {
name = n;
uuidFile = config.sops.secrets."sing-box/users/${n}/uuid".path;
passwordFile = config.sops.secrets."sing-box/users/${n}/password".path;
}) cfg.users
)
);
};
}
// {
sops.secrets = (
builtins.foldl' (a: b: a // b) { } (
map (u: {
"sing-box/users/${u}/uuid" = { };
"sing-box/users/${u}/password" = { };
}) cfg.users
)
);
}
);
} }

7
modules/nixos/monitor/default.nix
View file

@ -57,6 +57,13 @@ in
default = "${config.networking.hostName}.coho-tet.ts.net"; default = "${config.networking.hostName}.coho-tet.ts.net";
}; };
}; };
v2ray = {
enable = mkEnableOption "blackbox exporter";
listenAddress = mkOption {
type = types.str;
default = "${config.networking.hostName}.coho-tet.ts.net";
};
};
}; };
}; };
}; };

7
modules/nixos/monitor/exporters.nix
View file

@ -47,6 +47,13 @@ in
); );
}; };
services.prometheus.exporters.v2ray = mkIf cfg.v2ray.enable {
enable = true;
listenAddress = cfg.v2ray.listenAddress;
port = 9516;
v2rayEndpoint = config.services.sing-box.settings.experimental.v2ray_api.listen;
};
# gotosocial # gotosocial
sops.templates."gotosocial_metrics.env" = { sops.templates."gotosocial_metrics.env" = {
content = '' content = ''

41
overlays/my-lib/prometheus.nix
View file

@ -28,6 +28,36 @@ in
) )
); );
mkV2rayScrapes = targets: [
{
job_name = "v2ray-exporter";
scheme = "http";
static_configs = map (
{
address,
port ? 9516,
}:
{
targets = [ "${address}${mkPort port}" ];
}
) targets;
}
{
job_name = "singbox_stat";
scheme = "http";
metrics_path = "/scrape";
static_configs = map (
{
address,
port ? 9516,
}:
{
targets = [ "${address}${mkPort port}" ];
}
) targets;
}
];
mkCaddyScrapes = targets: [ mkCaddyScrapes = targets: [
{ {
job_name = "caddy"; job_name = "caddy";
@ -237,6 +267,17 @@ in
{ {
inherit name; inherit name;
rules = [ rules = [
{
alert = "ProbeError";
expr = "probe_success != 1";
for = "3m";
labels = {
severity = "critical";
};
annotations = {
summary = "Probing {{ $labels.instance }} from {{ $labels.from }} failed";
};
}
{ {
alert = "HighProbeLatency"; alert = "HighProbeLatency";
expr = "probe_duration_seconds > 0.5"; expr = "probe_duration_seconds > 0.5";