weilite: more media services

dolomite: disable warp
osmium: added
2024-11-25 01:27:03 +08:00 · 2024-11-24 23:43:32 +08:00 · 2024-11-24 21:58:43 +08:00 · 2024-11-24 21:44:45 +08:00
14 changed files with 402 additions and 84 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -7,7 +7,7 @@ keys:
  - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
  - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
  - &host-weilite age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
-  - &host-hk-00 age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0
+  - &host-hk-00 age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
 creation_rules:
  - path_regex: machines/calcite/secrets.yaml
    key_groups:
--- a/flake.nix
+++ b/flake.nix
@ -116,6 +116,9 @@
          ./machines/dolomite/lightsail.nix
          ./machines/dolomite/common.nix
        ];
+        osmium = [
+          ./machines/osmium
+        ];
      };
      sharedColmenaModules = [
        deploymentModule
@ -258,6 +261,10 @@
        calcite = mkNixos {
          hostname = "calcite";
        };
+
+        osmium = mkNixos {
+          hostname = "osmium";
+        };
      } // self.colmenaHive.nodes;

    }
--- a/home/xin/calcite.nix
+++ b/home/xin/calcite.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 let
  homeDirectory = "/home/xin";
 in
@ -61,6 +61,12 @@ in
    fcitx5.addons = with pkgs; [ fcitx5-rime ];
  };

+  # Using wayland
+  home.sessionVariables = {
+    GTK_IM_MODULE = lib.mkForce "";
+    QT_IM_MODULE = lib.mkForce "";
+  };
+
  custom-hm = {
    alacritty = {
      enable = true;
--- a/machines/dolomite/claw.nix
+++ b/machines/dolomite/claw.nix
@ -27,7 +27,7 @@
    };

    fileSystems."/" = {
-      device = "/dev/disk/by-uuid/fe563e38-9a57-447a-ba57-c3e53ddd84ee";
+      device = "/dev/vda1";
      fsType = "ext4";
    };

--- a/machines/dolomite/common.nix
+++ b/machines/dolomite/common.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  config = {
    sops = {
@ -29,7 +29,9 @@

    commonSettings = {
      auth.enable = true;
-      proxyServer.enable = true;
+      proxyServer = {
+        enable = true;
+      };
    };
  };

--- a/machines/dolomite/lightsail.nix
+++ b/machines/dolomite/lightsail.nix
@ -39,6 +39,13 @@ in
      fsType = "vfat";
    };

+    swapDevices = [
+      {
+        device = "/var/lib/swapfile";
+        size = 4 * 1024;
+      }
+    ];
+
    boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
    boot.initrd.kernelModules = [ "xen-blkfront" ];
    boot.initrd.availableKernelModules = [ "nvme" ];
--- a/machines/dolomite/secrets/hk-00.yaml
+++ b/machines/dolomite/secrets/hk-00.yaml
@ -9,20 +9,20 @@ sops:
        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNmVpY09ZNzhacDdpdVUr
-            SGc2NGNrRWlMMzE2RVNSN0tHTGNoeVhlWUFRCnpqNy9qMExKUFA0akFnNG1HS0h2
-            NXlmWkJMemJkam5oSEFaSENkRTRnczQKLS0tIGNha0RWbGFUWGpROEdoKy9WbC9n
-            WTUrUjMydHRHODN3TDhyakpHNG1hZjQKR3I8TwUDvvht9ck8YIplCjafhUdvxw7M
-            VNSjUoacKg0Uu5m777UlBpDdDXBwulrVryFxrKA0Q395+YRJ2Sg0wQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UUhoT3hSSmhEM3ZteDhJ
+            VWdweThOUHVLVlNBUW5yVXpMOTN3UTNTbkd3CmlZL21yYWJvaW1VRGl5a0JCSVA5
+            RUdndFJqSnRCUllXTmNERkU2UHJIV3cKLS0tIFYvZkhpaDZEcVNCMzhZNzV2K0J4
+            QklidnA5Qmd0dGQ3UEFLdFBmaVNLajQKgw2HN9ksquyh+FV1c8OuThFSJlzGGgXM
+            HhmTFOrGBwLF2N8XGpVp+HcFnIWzjjK62sAVsomO/ak3Schg8283vg==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0
+        - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZC9GU085TmV6b1FsdGFw
-            OEFJeVM1WFJib1lFM1luQmlQSGt3Ym1PaVVjCkd4TmhIcVB2Nk4xaHdwSVVHOGJJ
-            TVErNHZ1ZURKMmk2SzJUajFTV0tJSE0KLS0tIG5jVnZHNm55dncvaDdsWXNidDB1
-            TURVTjR3RUJzMmxmNVIyTk5rM0YvMU0KP3R78NlGqbRHmSn2WqanPq8Y9m+olBLO
-            2CTJI9QQfPACzz9KoEt5hlpqVpsgQT9CGDpyYEwXrFyxFY4QIh5NPw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NU5RREplWEdsUkJiTVEx
+            QXdNUXlkdGdFQU5PZ2lwYTFmdHFUei9Fcnc0CjB1bjhuM3dhUXd3aEpwdlFMeith
+            aXFYV1hVVjd1SUwvNmhyeGNBMUZtT3cKLS0tIDFkQk9NN09zUFBuWm83R1hmWDZk
+            QWVGWVB5Rk1DcVBuSzFYRmRsOU5jL0kK0z3uFNq6dl67YepenXjoIkdV6sZaA7jB
+            QHe2qz1SzrQQ/7Lqf8aZNT6W5IwkNHpht27jetl119DerOhx6N58vQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-10-17T10:52:20Z"
    mac: ENC[AES256_GCM,data:lxqZaTqs5d/b/iIZ7BbD2jYJq3fTIbFlbdwKbCAAiXJv8abxN6SjOKuecKEvkJ0Y7qf2e0Cl8lbRwSy5FJb9Wsl9O4LzF0KBu0lssnBtDuZujFldgxJSWB8kQ3vMsPQ+NbmRME3zdKazmuhEwS0h/O6L6KmnfHjtfnDpAjYD+MY=,iv:Xue3R2qGxiw5/hjr9dLiLqeKDTpnwAnx8v9M3qjz5EM=,tag:T67z1oCMoW/ApF6tFJL3dA==,type:str]
--- a/machines/dolomite/secrets/secrets.yaml
+++ b/machines/dolomite/secrets/secrets.yaml
@ -10,47 +10,47 @@ sops:
        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dElZTXFjbzhNbE1OYmdP
-            M0JLVWMyOUpSMnQ1Q2hDc2VXVUxpblhDVUNjCmxGZXRsUmdWWjZPZGFhaDFHNnpx
-            YVVSWFl1YThwWENSVTdiWkRENlBhdDQKLS0tIGl0OWsrNXljLy9wejd4Q3JmTUFE
-            WGFaN21vb1EwTDdSOEFVSWlQZWR1Z1kKIy+vG42G/7hTJX9BNYXjy4GNnUEnzUgB
-            aRoLxgTpkTKezZiKkISQwEuFD8qC7aeQIV1kmGDpNK2uucJfFswvbQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZUYrRUY0N3hOczFUR2Fq
+            amx5RHAwVnRoTStlTlJISkk5TUFCaDhuUGxjCmVYbExkK1AzbURVWXNvU0Zkcjg5
+            ZTlWK0ExVnNNWmxJMkxlcHkxd1MvWkkKLS0tIFY3a3FoNzl2bitYTTl1R1R4K3hz
+            ZlcxT243dzd0amlHSmpOc1AvakNjRlkKwT2hNwDsc3WZkJ05Qq8INnG9Ii0iswqT
+            jnvMt9VTkZ8JHsq5vCaV+TtM3kswuw6hF9UoHdRM/JIvqMdPkXuZoQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNGE0Sk5lbXVNSjVQUTFF
-            VFFrVzJKczJwTWJJOEdKTVFhai9RWmJNSkJjCkNKQzRQWmcxTndIcERkMTFubi9K
-            SXVhbDhEMmRFRCtXdEVqMFdRbjQ3RTgKLS0tIGNIOWYzL0NUeklBRU5paEoyZ211
-            NDY5RDdwelMwVjVscHdOaGV2aTMwQUUKZaCo5jFlWxTsELGyQiY4CmcjdUcnBzOU
-            JzcWDMcODTo/yER/0jdPpdfvUWiGi12voIuqRJkON0x7d3X2d2Sexg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSzkzMmU2SUMvWXVFRHM4
+            dWhsbEtFSUhHem1NZ1Q5aWJJWWlqelcyT2hBClRIeDE1M20vdm5rQnRvLzBGWnk3
+            aFZ2MFlrUHRudSt5M1Rod3NrUS8rdkEKLS0tIHlPSFUvUC93WlU5dHdaV0R6dTFh
+            c203K2VHb2hsSTBjOWxpUStOQ2VYTFEKbDTeoUSBFWB3W/fxS471aTysahlQUJ6D
+            JvvUJL63Y2XpvCQVCduO+Kl9A7B7LGran+2SUzqHBisQyR2eUcg/HQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2LzI1M2orSDVyYTRRRnB6
-            d25oaHZSMWFUQ2lZTWxtVzFRSkxjd01tNjFZCmJHUWVGd2hYWVlpdk80WUxwM080
-            N0V1UW1hUC9GNWlPRCtuYUsxSzdmWUEKLS0tIEhSazVWeEpIVnoweWdnOEU2Q1hT
-            Yjl6bFRZS2RSRGpPWFdDS2lObCt0MGsKcFXy/2mLLlxY/vP+kCaeaR+9aBRL7ys1
-            x+HBAPqvcqvYk3MGBD9TpIW317RthDhEkY57GmtHgqIUsSLWsBgNdw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZDBtTWxZbGpZRlYvMnpE
+            MTNEQXZJdGRpMmV0azhXbE1UeWlqZjdKQlhFCkU4RlBZUmdpTC9TamVwREFnM1Nt
+            eDZ0SDRQUmMxYmJ1bnBSS29qNGQ4THMKLS0tIDhVMWJoWTNBWjAyMHc0K2Z5Zjhi
+            UkU5dEpjSGZKOERPR2hUQ1lBK1ZXSWsKo/76+/Iq9sxJGxuk81yMBaX+mg98FD8p
+            F/PY4/oJjaUmpErdrWuE7Tgjycx+DTSDJv1ESyvLC6NPnXTRlZgg6A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL2NXTDNqWkYzQlVvM0xO
-            ZDk2RTFISHh3TmpTN2cxT3RTVnFUaURpK3dRCmJEVWJnNXdoT0JYYjBvcm4rSkZ0
-            QW5WeWhqWnZqaGlLRHphZW5PMUNZTDQKLS0tIGZFc2ZlREgwKysrNEhROUJzbHBU
-            TzhHdlV1bjduT1hlTVFMTmRtQmN0MFUKhCYQh5uVOjEj2kKSfSUVa8k35mqkDoTk
-            3CchebRciIR+w52d6uEsQove0248+OniG6bJ5ykkExLo1RzDQD7pBQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjFsZ1o1alBIV2JkKy9j
+            ajArY1RydFllc1VLc3dQek5IcXNyWTIxNDBzCkhKYzdHSXowaGhnY2E5aVRPaDNJ
+            M3NOZEd1UHg4MDd3YTNidld5UGhKYUUKLS0tIG9QVlV3UXNSSXp6L3djaXZjcTNL
+            bmVYb1g3NnBOekZkUFNlOVZFY2N6YVUKsdTgykgHkFSQJfZeNJz2TkcDENg84plG
+            zBqz6HP6AK6SBI7C/lPus0VXuzjDVDr29jvemBQ3cNBodc6yKyReAQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0
+        - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhS0tDdThIRnNaZVZKanZY
-            bm1uV25nUzZITW5QY2Z2SkZtMFAvY1RVOWdrCnZMZ3F6dHd1TmhCMnZvbFhZYjJK
-            ZXRVUWNtVXVpOWFYWmdFQ2RZajlTQk0KLS0tIFJSYkxkelFTWkRYMjAvQ2lpTGRQ
-            bmE0bWg1U1ZkZHR4TEVtR0crbVZxdmcKeVUli/Tt4Xy4XxbUbFj9a4y6c9ZE/NjE
-            nCKLNYYPsZ/nS6qN3Pdetps4ziajJHUVmxCqNMHD+OoWqT6W8V/O6w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNUF4cWwrZ0Vlb0Nxbk0z
+            VnRucWJVK2h0MG13YVkyMlJNZ3RxRmJqUlRBCmxrckV1a0xnSEhvWUN4RmF2ZHBl
+            VkFicWlnR0dvTmRBQ21NWVo4aFNQRmsKLS0tIEMxVGxTRHp6ZGJzYksxY1BUKzBh
+            Yk52TS81REhJd0lLRVpMZnhGMDRMK0UKzph2gK0LXqu44zQXGoGbyPjte2t4BqHE
+            WAufrQiamOgA7TUZYlZApzYhEY6iIbs/t7BQPn/OKZwzRYdXnzxqiw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-22T05:51:19Z"
    mac: ENC[AES256_GCM,data:LPUb7YbELPsgYX+LvfuGdiNG1B5ZrvyRVZL9UiMHoJMDHaWpDGCQkT1bk5jEOewwFh+StK560UsPK4uW0+SqADJO80rmM3xfqlp5Ul2HJ8mU19l5C6FLpv2REIzhCp333rNJJlyhn3H6GZgMaWnjjLSX9XMOVaq1iz6Qt0P76SI=,iv://EdDr5D51RFuucq8gkei2RC7H2bkRYxP/7lerp9dtk=,tag:JrRQ19sZ0OAZouMgOiU/tQ==,type:str]
--- a/machines/osmium/default.nix
+++ b/machines/osmium/default.nix
@ -0,0 +1,111 @@
+{
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}:
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image.nix")
+    ./sd-image-aarch64-orangepi-r1plus.nix
+  ];
+
+  config = {
+    system.stateVersion = "24.05";
+
+    nixpkgs.system = "aarch64-linux";
+
+    boot.tmp.useTmpfs = false;
+    boot.kernelModules = [
+      "br_netfilter"
+      "bridge"
+    ];
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv4.ip_nonlocal_bind" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+      "net.ipv6.ip_nonlocal_bind" = 1;
+      "net.bridge.bridge-nf-call-ip6tables" = 1;
+      "net.bridge.bridge-nf-call-iptables" = 1;
+      "net.bridge.bridge-nf-call-arptables" = 1;
+      "fs.inotify.max_user_watches" = 524288;
+      "dev.i915.perf_stream_paranoid" = 0;
+      "net.ipv4.conf.all.rp_filter" = 0;
+      "vm.max_map_count" = 2000000;
+      "net.ipv4.conf.all.route_localnet" = 1;
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "kernel.msgmnb" = 65536;
+      "kernel.msgmax" = 65536;
+      "net.ipv4.tcp_timestamps" = 0;
+      "net.ipv4.tcp_synack_retries" = 1;
+      "net.ipv4.tcp_syn_retries" = 1;
+      "net.ipv4.tcp_tw_recycle" = 1;
+      "net.ipv4.tcp_tw_reuse" = 1;
+      "net.ipv4.tcp_fin_timeout" = 15;
+      "net.ipv4.tcp_keepalive_time" = 1800;
+      "net.ipv4.tcp_keepalive_probes" = 3;
+      "net.ipv4.tcp_keepalive_intvl" = 15;
+      "net.ipv4.ip_local_port_range" = "2048 65535";
+      "fs.file-max" = 102400;
+      "net.ipv4.tcp_max_tw_buckets" = 180000;
+    };
+
+    commonSettings = {
+      nix.enableMirrors = true;
+      auth.enable = true;
+    };
+
+    documentation.enable = false;
+
+    time.timeZone = "Asia/Shanghai";
+    i18n = {
+      defaultLocale = "en_US.UTF-8";
+    };
+
+    environment.systemPackages = with pkgs; [
+      lsof
+      wget
+      curl
+      neovim
+      jq
+      iptables
+      ebtables
+      tcpdump
+      busybox
+      ethtool
+      socat
+      htop
+      iftop
+      lm_sensors
+    ];
+
+    programs.command-not-found.enable = false;
+
+    networking = {
+      useDHCP = false;
+      hostName = "osmium";
+    };
+
+    systemd.network = {
+      enable = true;
+      networks."lan" = {
+        matchConfig.Name = "enu1";
+        networkConfig.DHCP = "no";
+        linkConfig.RequiredForOnline = "no";
+      };
+      networks."wan" = {
+        matchConfig.Name = "end0";
+        networkConfig.DHCP = "yes";
+        linkConfig.RequiredForOnline = "yes";
+      };
+    };
+
+    services.dae = {
+      enable = true;
+      configFile = "/var/lib/dae/config.dae";
+    };
+
+    services.tailscale.enable = true;
+
+  };
+}
--- a/machines/osmium/sd-image-aarch64-orangepi-r1plus.nix
+++ b/machines/osmium/sd-image-aarch64-orangepi-r1plus.nix
@ -0,0 +1,44 @@
+{
+  config,
+  modulesPath,
+  lib,
+  pkgs,
+  ...
+}:
+let
+in
+{
+  imports = [
+    (modulesPath + "/profiles/base.nix")
+  ];
+
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = true;
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  boot.kernelParams = [
+    "earlycon"
+    "console=ttyS2,1500000"
+    "consoleblank=0"
+  ];
+  boot.supportedFilesystems = lib.mkForce [
+    "ext4"
+    "vfat"
+    "ntfs"
+  ];
+
+  sdImage = {
+    compressImage = false;
+    imageBaseName = "nixos-sd-image-orange-pi-r1-plus-lts";
+    firmwarePartitionOffset = 16;
+    populateFirmwareCommands = ''
+      echo "Install U-Boot: ${pkgs.ubootOrangePiR1LtsPackage}"
+      dd if=${pkgs.ubootOrangePiR1LtsPackage}/idbloader.img of=$img seek=64 conv=notrunc
+      dd if=${pkgs.ubootOrangePiR1LtsPackage}/u-boot.itb of=$img seek=16384 conv=notrunc
+    '';
+    populateRootCommands = ''
+      mkdir -p ./files/boot
+      ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
+    '';
+  };
+}
--- a/machines/weilite/services/media-download.nix
+++ b/machines/weilite/services/media-download.nix
@ -1,6 +1,23 @@
+{ pkgs, ... }:
 {
  services.jackett = {
    enable = true;
+    package = pkgs.jackett.overrideAttrs {
+      src = pkgs.fetchFromGitHub {
+        owner = "jackett";
+        repo = "jackett";
+        rev = "v0.22.998";
+        hash = "sha256-CZvgDWxxIAOTkodgmFNuT3VDW6Ln4Mz+Ki7m91f0BgE=";
+      };
+    };
    openFirewall = false;
  };
+
+  services.sonarr = {
+    enable = true;
+  };
+
+  services.radarr = {
+    enable = true;
+  };
 }
--- a/modules/nixos/common-settings/proxy-server.nix
+++ b/modules/nixos/common-settings/proxy-server.nix
@ -1,7 +1,6 @@
 {
  config,
  lib,
-  pkgs,
  ...
 }:

@ -32,7 +31,9 @@ let
            tag = "sg0";
            type = "trojan";
            listen = "::";
-            listen_port = 8080;
+            listen_port = cfg.trojan.port;
+            tcp_multi_path = true;
+            tcp_fast_open = true;
            users = [
              {
                name = "proxy";
@ -63,51 +64,77 @@ let
          ];
          tls = singTls;
        });
-      outbounds = [
-        {
-          type = "wireguard";
-          tag = "wg-out";
-          private_key = {
-            _secret = config.sops.secrets.wg_private_key.path;
-          };
-          local_address = [
-            "172.16.0.2/32"
-            { _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
-          ];
-          peers = [
-            {
-              public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
-              allowed_ips = [
-                "0.0.0.0/0"
-                "::/0"
-              ];
-              server = "162.159.192.1";
-              server_port = 500;
-            }
-          ];
-        }
-        {
-          type = "direct";
-          tag = "direct";
-        }
-      ];
-      route = {
-        rules = [
+      outbounds =
+        # warp outbound goes first to make it default outbound
+        (lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [
          {
-            inbound = "sg0";
-            outbound = "direct";
+            type = "wireguard";
+            tag = "wg-out";
+            private_key = {
+              _secret = config.sops.secrets.wg_private_key.path;
+            };
+            local_address = [
+              "172.16.0.2/32"
+              { _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
+            ];
+            peers = [
+              {
+                public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
+                allowed_ips = [
+                  "0.0.0.0/0"
+                  "::/0"
+                ];
+                server = "162.159.192.1";
+                server_port = 500;
+              }
+            ];
          }
+        ])
+        ++ [
+
          {
-            inbound = "sg4";
-            outbound = "direct";
+            type = "direct";
+            tag = "direct";
          }
        ];
+      route = {
+        rules =
+          [
+            {
+              inbound = "sg4";
+              outbound = "direct";
+            }
+          ]
+          ++ (lib.optionals (!cfg.warp.onTuic) (
+            lib.forEach (lib.range 1 3) (i: {
+              inbound = "sg${toString i}";
+              outbound = "direct";
+            })
+          ))
+          ++ (lib.optionals (!cfg.warp.onTrojan) [
+            {
+              inbound = "sg0";
+              outbound = "direct";
+            }
+          ]);
      };
    };
 in
 {
  options.commonSettings.proxyServer = {
    enable = mkEnableOption "sing-box as a server";
+
+    trojan = {
+      port = mkOption {
+        type = lib.types.port;
+        default = cfg.trojan.port;
+      };
+    };
+
+    warp = {
+      onTrojan = mkEnableOption "forward to warp in trojan";
+      onTuic = mkEnableOption "forward to warp in first two port of tuic";
+    };
  };

  config = mkIf cfg.enable {
@ -132,7 +159,7 @@ in

    networking.firewall.allowedTCPPorts = [
      80
-      8080
+      cfg.trojan.port
    ];
    networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);

--- a/overlays/add-pkgs.nix
+++ b/overlays/add-pkgs.nix
@ -1,5 +1,12 @@
-(
-  final: prev:
-  {
-  }
-)
+(final: prev: {
+  ubootOrangePiR1LtsPackage = prev.buildUBoot {
+    defconfig = "orangepi-r1-plus-lts-rk3328_defconfig";
+    enableParallelBuilding = true;
+
+    BL31 = "${prev.armTrustedFirmwareRK3328}/bl31.elf";
+    filesToInstall = [
+      "u-boot.itb"
+      "idbloader.img"
+    ];
+  };
+})
--- a/scripts/nixos-updater.py
+++ b/scripts/nixos-updater.py
@ -0,0 +1,90 @@
+import requests
+import os
+import socket
+import json
+from os import path as osp
+from dataclasses import dataclass
+
+"""
+This updater consists of several parts: 
+
+- Update checker: Check an url for update (if outPath is different from /run/current-system or some specified profile) or maybe use timestamp for update
+- Nix copy --from: copy from remote. Need to specify remote url.
+- Create a symlink: /run/next-system -> <new system derivation>
+- Listen for POST request to trigger system switch (optional)
+"""
+
+
+@dataclass
+class GarnixConfig:
+    token: str
+
+
+@dataclass
+class Config:
+    check_type: str
+    check_url: str
+    remote_url: str
+    garnix: GarnixConfig
+    hostname: str = socket.gethostname()
+
+
+class Nix:
+    def __init__(self, args):
+        self.args = args
+
+    def copy_from_remote(self):
+        # run nix copy with subprocess
+        pass
+
+    def eval(self):
+
+
+class Updater:
+    def __init__(self, config: Config):
+        self.config = config
+
+        # TODO: Make this configurable
+        self.current_drv = os.readlink("/run/current-system")
+        self.next_dev = None
+
+    # checkers take an url and returns the outPath of the latest success build
+    def garnix_checker(self) -> str:
+        domain = "garnix.io"
+        build_endpoint = "/api/build/commit"
+
+        # Latest commit from git
+
+        # Check build status of this commit
+        resp = requests.get(
+            f"https://{domain}{build_endpoint}/40b1e9ff23aaa5f555420dd22414c3f137a02cfe"
+        )
+        # Raise error if status code is not valid
+
+        # Fetch outPath from eval endpoint
+        # TODO: In theory, this could be done by parsing raw log from garnix.
+
+        # Try to evaluate locally if eval endpoint is not configured
+
+        resp = resp.json()
+        # TODO
+        return "null"
+
+    def hydra_checker(self) -> str:
+        # TODO
+        return "null"
+
+    # Check for update
+    def poll(self) -> str | None:
+        cfg = self.config
+        if cfg.check_type == "garnix":
+            pass
+        elif cfg.check_type == "hydra":
+            pass
+        else:
+            pass
+        pass
+
+
+if __name__ == "__main__":
+    pass
Author	SHA1	Message	Date
xinyangli	5b19d8a97e	weilite: more media services	2024-11-25 01:27:03 +08:00
xinyangli	7c5c8be995	dolomite: disable warp	2024-11-24 23:43:32 +08:00
xinyangli	ca8f27bafa	osmium: added	2024-11-24 21:58:43 +08:00
xinyangli	02636ac5a1	dolomite: fix hk-00	2024-11-24 21:44:45 +08:00