diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 2d6f6f0..80e3d83 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -31,12 +31,12 @@ in }; # services.tailscale.useRoutingFeatures = "both"; - # services.dae.enable = true; - # services.dae.configFile = "/var/lib/dae/config.dae"; - # systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [ - # "NetworkManager-wait-online.service" - # ]; - # + services.dae.enable = true; + services.dae.configFile = "/var/lib/dae/config.dae"; + systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [ + "NetworkManager-wait-online.service" + ]; + # Open ports in the firewall. networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 3389 ]; diff --git a/machines/secrets.yaml b/machines/secrets.yaml index cacbc47..6d94d7e 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -1,8 +1,6 @@ prometheus: metrics_username: ENC[AES256_GCM,data:/CQfOA==,iv:BjhB+uLfjmYHdgpc/+tDJXJ8C1EK9kngQWbo4NleOmE=,tag:JCdqyqGLRh09T25vmufiZw==,type:str] metrics_password: ENC[AES256_GCM,data:q/xMPuNtlcUFewMdVu6w2Q==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:B4LrObH1DsnnD5CcuOPOyg==,type:str] -dae: - sub: ENC[AES256_GCM,data:kruAGgIBwiN508hwczGeVmh6Jr4Mg9BNEWSBNfYnBCCOrkSM1I5GRuG8EZqTq1+Ib+TRN8cgaqCEk2mpZ+7po1FjW1K8M0EBj9QvQCs7a+QVSmP6qS14WY1B,iv:iMhxWb0IR+3jOP2+7GmQTe0Ia1yhycji4hcTTMK57GI=,tag:V/nZgi7AWHU2Kp5WGhaGAw==,type:str] sops: kms: [] gcp_kms: [] 
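Review bot: `services.dae.configFile = "/var/lib/dae/config.dae";` now points the service at a file that nothing in this commit creates, so on a fresh deploy of calcite the unit depends on state that was put there by hand. The same literal path is set in machines/weilite/default.nix and as the `mkDefault` in modules/nixos/common-settings/mainland.nix in this commit; if calcite is an `inMainland` host the two per-machine lines here only repeat the module default, and if it is not, a short comment saying so would explain why they are set explicitly. I would add `# config.dae is not managed by this repo; provision it on the host before enabling.` above `services.dae.enable = true;`.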
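Review bot: Dropping the `dae` / `sub` entry from secrets.yaml removes it from the working tree only; the encrypted blob stays in git history and remains decryptable by whoever holds a recipient key for this file, so if the subscription URL it held is now stored in plaintext elsewhere or is being retired, it should be rotated at the provider rather than treated as withdrawn. The removal also leaves the `dae/sub` sops template in mainland.nix without a source; that is handled in the mainland.nix hunks of this same commit, but any other module still referencing `config.sops.secrets."dae/sub"` would fail at evaluation, which this diff cannot show.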
@@ -90,8 +88,8 @@ sops: am04NVRtU2N6SThYZWdXVE5RZ1B2aE0KVcHvB5k2Gcu/St0P8WPFzlCtuZthZTKo hwVc0lC6Xxt25hriaUFinwnyvcjxrLCx0Nq7f9Zn16nJcza5kev1nQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-10T03:53:49Z" - mac: ENC[AES256_GCM,data:ioiGVfCWOn8Hc5EpCtcDTF4YoKtsMAchBlRM0C00WQbM9Ss3571Oly4jtymshDVbDFbH+y0gYcEXn8Fs5XYjd0rIa6mbaISLvPlG+P34SqHcVsh6eDU15z0vTAncbOHrok+/xAmg64WtiBxteMaWPsTVngCrmPYS247eCav+Jpo=,iv:K7PiHNn2IS0pGUh1F75TjliHMk8l6PaHmDshSPPA4BE=,tag:Jd/lHdeWUDQa5AwSwFCeSw==,type:str] + lastmodified: "2024-11-30T06:31:42Z" + mac: ENC[AES256_GCM,data:xh8x9IrQ01ZzdcCTIfBrifIGduMYVmSSP52BkTyr/bx7AgQAz2WeA7LFrccxIayCGHrQKfMQDLUKJ/EBamG/6p8AX6QqZBTfqFD688ZhmRfxgpj7fYR9jPYnhb/9XHI9R2jTaJWwrorXvu3pa+Gy/hWB3Kb+WZc3fslmIuKuLH0=,iv:GDrHSFZxPbpACdusVDPHXEjeEusYfk53N/KGHtdvrYo=,tag:ap38sCSTZVDQ0ZazXM3vlg==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.9.1 diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 8e53efc..9b9d442 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -102,7 +102,7 @@ type = "virtiofs"; options = "rw,nodev,nosuid"; } - { +{ what = "originals"; where = "/mnt/photos/xin/originals"; type = "virtiofs"; @@ -148,6 +148,11 @@ 2222 ]; + services.dae = { + enable = true; + configFile = "/var/lib/dae/config.dae"; + }; + services.tailscale = { enable = true; openFirewall = true; diff --git a/modules/nixos/common-settings/mainland.nix b/modules/nixos/common-settings/mainland.nix index adaba72..9757b9b 100644 --- a/modules/nixos/common-settings/mainland.nix +++ b/modules/nixos/common-settings/mainland.nix 
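Review bot: The `sops` metadata in this hunk moves backwards: `lastmodified` goes from `2025-04-10T03:53:49Z` to `2024-11-30T06:31:42Z` and `version` from `3.9.4` to `3.9.1`, which is what restoring an older revision of the file looks like rather than a fresh sops edit that removed `dae.sub`. If that is what happened, any secret changes made to this file between those two dates are silently reverted along with the removal, and the new `mac` line authenticates that older content. It is worth confirming before merging by decrypting the new file and diffing the plaintext against the previous revision minus `dae.sub`; re-saving it with the current sops would also restore a `lastmodified` that increases monotonically.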
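Review bot: `configFile = "/var/lib/dae/config.dae";` in the new `services.dae` block refers to a file this commit neither creates nor sets ownership or mode on, so the unit will only come up on weilite once that file has been placed there by hand; a comment to that effect next to the option would save the next deployer a failed boot. Unlike machines/calcite/network.nix in this commit, no `systemd.services.dae.after` ordering on `NetworkManager-wait-online.service` is added here; if weilite does not use NetworkManager that is fine, otherwise the same `lib.mkIf` guard is worth copying. The preceding hunk in this file also turns the indented `{` of a virtiofs mount entry into `{` at column 0, which reads as an accidental de-indentation rather than an intended change.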
@@ -16,15 +16,9 @@ let cfg = config.inMainland; in { - options = { - inMainland = mkOption { - type = types.bool; - default = config.time.timeZone == "Asia/Shanghai"; - }; - commonSettings.network.enableProxy = mkOption { - type = types.bool; - default = config.inMainland; - }; + options.inMainland = mkOption { + type = types.bool; + default = config.time.timeZone == "Asia/Shanghai"; }; config = mkIf cfg { 
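Review bot: Removing `commonSettings.network.enableProxy` takes away the per-host switch that previously gated the dae and sops wiring, and any other module that still reads `config.commonSettings.network.enableProxy` will now fail evaluation on an undefined option; none is visible in this diff, but the name is generic enough to be worth searching the tree for. With the option gone, the remaining way to keep the proxy off on a mainland host is `services.dae.enable = false;` against the `mkDefault` in the second hunk of this file; a one-line comment on `options.inMainland` such as `# Enabling this turns on dae by default; set services.dae.enable = false per host to opt out.` would point readers away from the old option. The enclosing `{` attribute set starts inside this hunk but its body continues past it.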
@@ -37,136 +31,9 @@ in "ntp.ntsc.ac.cn" ]; - sops = mkIf config.commonSettings.network.enableProxy { - secrets = { - "dae/sub" = { - sopsFile = ../../../machines/secrets.yaml; - }; - }; - templates."dae/sub.dae".content = '' - subscription { - my_sub: '${config.sops.placeholder."dae/sub"}' - } - ''; - }; - - systemd.services.dae.serviceConfig.LoadCredential = mkIf config.commonSettings.network.enableProxy [ - "sub.dae:${config.sops.templates."dae/sub.dae".path}" - ]; - - services.dae = mkIf config.commonSettings.network.enableProxy { + services.dae = { enable = mkDefault true; - config = '' - include { - ./sub.dae - } - global { - tproxy_port: 12345 - tproxy_port_protect: true - so_mark_from_dae: 0 - log_level: info - disable_waiting_network: false - - ##### Interface and kernel options. - # lan_interface: docker0 - wan_interface: auto - - auto_config_kernel_parameter: true - - ##### Node connectivity check. - tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111' - tcp_check_http_method: HEAD - - udp_check_dns: 'dns.quad9.net:53,9.9.9.9,2620:fe::fe' - - check_interval: 30s - - # Group will switch node only when new_latency <= old_latency - tolerance. - check_tolerance: 100ms - - ##### Connecting options. - - - dial_mode: ${if config.commonSettings.network.localdns.enable then "domain+" else "domain"} - allow_insecure: false - sniffing_timeout: 100ms - tls_implementation: tls - # utls_imitate: firefox_auto - - mptcp: true - } - - # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples. 
- dns { - ipversion_prefer: 4 - - upstream { - globaldns: 'tls://dns.quad9.net' - cndns: 'h3://dns.alidns.com:443' - tsdns: 'udp://100.100.100.100' - localdns: 'udp://127.0.0.1:53' - } - - routing { - request { - ${ - if config.commonSettings.network.localdns.enable then - '' - fallback: localdns - '' - else - '' - qname(suffix:ts.net) -> tsdns - qname(geosite:cn) -> cndns - fallback: globaldns - '' - } - } - } - } - - # Node group (outbound). - group { - default_group { - filter: name(regex: '^(hk)[0-9]+') [add_latency: -30ms] - filter: name(regex: '^(la)[0-9]+') [add_latency: -140ms] - filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms] - policy: min_moving_avg - } - } - - # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples. - routing { - # pname(kresd) && dport(53) && l4proto(udp)-> must_direct - # Disable h3 because it usually consumes too much cpu/mem resources. - l4proto(udp) && dport(443) -> block - - pname(blackbox_exporter) -> direct - pname(tailscaled) -> direct - - dip(224.0.0.0/3, 'ff00::/8') -> direct - dip(geoip:private) -> direct - - # Direct traffic to dns server - dip(1.12.12.12) -> direct - dip(223.5.5.5) -> direct - dip(223.6.6.6) -> direct - - # === Force Proxy === - domain(geosite:linkedin) -> default_group - - # === Custom direct rules === - domain(geosite:cn) -> direct - - domain(suffix:ipify.org) -> direct - domain(geosite:steam@cn) -> direct - - dip(geoip:cn) -> direct - - fallback: default_group - } - ''; - + configFile = mkDefault "/var/lib/dae/config.dae"; }; }; } diff --git a/note.md b/note.md index 6302b94..6b25aae 100644 --- a/note.md +++ b/note.md @@ -8,4 +8,3 @@ Demonstrate disk usage by nix-store path. - [x] synapse jmalloc - [ ] backup all directories under /var/lib/forgejo - [ ] collect caddy access logs with promtail (waiting for caddy v2.9.0 release after which log file mode can be set) -- [ ] update "https" to "https-file" with dae 1.0.0
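Review bot: Replacing the Nix-store `services.dae.config` and the sops-delivered `sub.dae` credential with `configFile = mkDefault "/var/lib/dae/config.dae";` moves the proxy policy and, presumably, the subscription URL into a file that this repository neither creates, version-controls nor keeps encrypted; nothing in the hunk sets that file's owner or mode, and a mainland host on which it is missing gets a failing dae unit on first boot because `enable` still defaults to true. The removed inline config also carried the settings a reviewer would want to see survive (`allow_insecure: false`, the `l4proto(udp) && dport(443) -> block` rule, explicit DNS upstreams, the `geosite:cn` and `geoip:cn` direct rules), and with the file unmanaged each host can now drift from them without any diff showing it. If the out-of-band file is the intended design, I would document it above the option with `# config.dae is provisioned manually on each host and is not tracked here; keep it root-owned, mode 0600, if it carries the subscription URL. The inline config removed from this module (see git history) is the reference for its routing rules.` The enclosing `config = mkIf cfg {` attribute set begins before this hunk.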