weilite/immich: remote machine learning

fixup! weilite/immich: enable auto stack timer
garnix: build all branch
2025-03-30 18:49:45 +08:00 · 2025-03-30 18:48:52 +08:00 · 2025-03-30 18:47:00 +08:00 · 2025-03-30 15:40:49 +08:00 · 2025-03-30 15:40:02 +08:00 · 2025-03-29 12:49:19 +08:00
21 changed files with 198217 additions and 111 deletions
--- a/china-domain.txt
+++ b/china-domain.txt
--- a/garnix.yaml
+++ b/garnix.yaml
@ -7,4 +7,3 @@ builds:
      - homeConfigurations.aarch64-linux.*
      - darwinConfigurations.*
      - nixosConfigurations.*
-    branch: deploy
--- a/gfw.txt
+++ b/gfw.txt
--- a/home/xin/calcite.nix
+++ b/home/xin/calcite.nix
@ -83,7 +83,7 @@ in
      };
    };
    vscode = {
-      enable = true;
+      enable = false;
      languages = {
        cxx = true;
        python = true;
--- a/machines/biotite/secrets.yaml
+++ b/machines/biotite/secrets.yaml
@ -11,6 +11,8 @@ hedgedoc:
    client_secret: ENC[AES256_GCM,data:J6lRBM7V6F+gPYVyEbOzsFUQe8+3ggP0r58c655DNt7TGgKGdq95pRvLaghMmBCc,iv:i+eLYwnmG1/bKtad2iM2pwEAC3GZLNaKS5ldbubRvyY=,tag:yxaug6YdYo8RR3YOyHd/iA==,type:str]
 forgejo:
    client_secret: ENC[AES256_GCM,data:5OXhaGzBCbge2tvTaU4ry6/KoavQeYJ45EuakCQJlxb5gMXjRK/s+feF25YJSr2f,iv:TT8j+ciKeSQCZzu1E7D70hWNFpn0cGiomz7jURXjavc=,tag:JVJR033Pc2vaLudaovkl8w==,type:str]
+vaultwarden:
+    admin_token: ENC[AES256_GCM,data:hRmnuehfMk3bF7tkxShnAGH1OB/yyCyaJqhdJQvSmVMtr6Cz7j1ZEeqfRI+jrqOi,iv:xYmP0Kwp5XkCcJWjqLwFOxRtUxIUH1r1fLUr5xyvpWo=,tag:Yj2nME07cA+ve3ipN6Ehqg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -35,8 +37,8 @@ sops:
            RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT
            ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-04T05:07:32Z"
-    mac: ENC[AES256_GCM,data:hD7645epMVYHU6K1AZsHu+fp/PMIqqiZpv7K4Vxzo84slzn0CfZSYaVaYxKNGjOIgEGN9D2FFmq9WL6ChMskMfqqafY7qDpSQqFp9TUwb5jN34XcQg9vplfNw+lMqsnDCt1HENWErRnlDxTI2ctSEcx3UKGBOQ3ttLzUIySdnFY=,iv:reOsqvc8E3l8yxb5gVcqF/rU2o2yKmaUyGNRNT+Skx8=,tag:eBoV8G+X0cPs3Q1xAuv55w==,type:str]
+    lastmodified: "2025-03-23T13:32:31Z"
+    mac: ENC[AES256_GCM,data:9xbcK+hl+tZTyikCpIOY6YBgaY8AOvaekyKTbQ47KJkQeNb3eyfAxBB1kivu/LU8H8pWWST8GpL/umllbwMzjRLVXU63CQle5cDuDVq9ySPMdxhmxyZ23bKJp7jUzTrGQMm+jnguCuCMxEeDo+R0ZD8a2nvbBT1XKYyVFSBB/0E=,iv:D5RrNSRa7bxivGCu24YT0nO0vuorSEK1VNVOEsJIfaA=,tag:xXXk9uCqZpr4RYqfnF0Ogw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4
--- a/machines/biotite/services/vaultwarden.nix
+++ b/machines/biotite/services/vaultwarden.nix
@ -3,6 +3,18 @@ let
  inherit (config.my-lib.settings) vaultwardenUrl;
 in
 {
+
+  sops.secrets."vaultwarden/admin_token" = {
+    owner = "vaultwarden";
+  };
+
+  sops.templates."vaultwarden.env" = {
+    owner = "vaultwarden";
+    content = ''
+      ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin_token"}
+    '';
+  };
+
  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";
@ -15,6 +27,7 @@ in

      ROCKET_LOG = "normal";
    };
+    environmentFile = config.sops.templates."vaultwarden.env".path;
  };

  services.caddy = {
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@ -22,8 +22,17 @@ in
      signing.enable = true;
    };
    comin.enable = true;
+    network.localdns.enable = true;
  };

+  nix.settings.substituters = [
+    "https://nix-community.cachix.org"
+  ];
+  nix.settings.trusted-public-keys = [
+    # Compare to the key published at https://nix-community.org/cache
+    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+  ];
+
  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
@ -56,6 +65,7 @@ in
  security.pam.services.login.enableGnomeKeyring = lib.mkForce false;

  programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
+  programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;

  networking.hostName = "calcite";

@ -198,6 +208,7 @@ in

  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
+  services.avahi.enable = true;
  services.pipewire = {
    enable = true;
    wireplumber.enable = true;
@ -206,6 +217,23 @@ in
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    jack.enable = true;
+
+    # Airplay client
+    raopOpenFirewall = true;
+    extraConfig.pipewire = {
+      "10-airplay" = {
+        "context.modules" = [
+          {
+            name = "libpipewire-module-raop-discover";
+
+            # increase the buffer size if you get dropouts/glitches
+            # args = {
+            #   "raop.latency.ms" = 500;
+            # };
+          }
+        ];
+      };
+    };
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
@ -293,6 +321,7 @@ in
    vlc
    obs-studio
    spotify
+    spot
    # IM
    element-desktop
    tdesktop
--- a/machines/calcite/network.nix
+++ b/machines/calcite/network.nix
@ -4,11 +4,14 @@
  lib,
  ...
 }:
-
+let
+  inherit (config.my-lib.settings)
+    internalDomain
+    ;
+in
 {
  imports = [ ];

-  # Enable networking
  networking = {
    networkmanager = {
      enable = true;
@ -21,27 +24,6 @@
    };
  };

-  networking.resolvconf = {
-    enable = true;
-    dnsExtensionMechanism = false;
-    useLocalResolver = false;
-  };
-
-  services.kresd = {
-    enable = true;
-    listenPlain = [ ];
-    extraConfig = ''
-      log_level("notice")
-      net.listen('127.0.0.1', 53)
-      modules = { 'hints > iterate', 'stats', 'predict' }
-      cache.size = 100 * MB
-      trust_anchors.remove(".")
-      policy.add(policy.all(policy.TLS_FORWARD( {
-        { "8.8.8.8", hostname="dns.google" } })))
-    '';
-      # policy.add(policy.suffix(policy.FORWARD({ "100.100.100.100" }), policy.todnames({ 'coho-tet.ts.net' })))
-  };
-
  # Enable Tailscale
  services.tailscale = {
    enable = true;
--- a/machines/raspite/configuration.nix
+++ b/machines/raspite/configuration.nix
@ -6,11 +6,12 @@
 }:

 {
-  imports = [ ./hass.nix ];
+  imports = [ ./services/hass.nix ];

  commonSettings = {
    nix.enable = true;
    auth.enable = true;
+    comin.enable = true;
  };

  nixpkgs.overlays = [
@ -34,13 +35,12 @@
    interfaces.eth0.useDHCP = true;
  };

-  # boot.kernelPackages = pkgs.linuxPackages_stable;
+  time.timeZone = "Asia/Shanghai";

  # fileSystems."/".fsType = lib.mkForce "btrfs";
  boot.supportedFilesystems.zfs = lib.mkForce false;

-  services.dae.enable = true;
-  services.dae.configFile = "/var/lib/dae/config.dae";
+  services.dae.enable = false;

  services.tailscale = {
    enable = true;
--- a/machines/raspite/hass.nix
+++ b/machines/raspite/hass.nix
@ -1,54 +0,0 @@
-{ config, pkgs, ... }:
-{
-  services.home-assistant = {
-    enable = true;
-    openFirewall = false;
-    config = {
-      default_config = { };
-      http = {
-        server_host = "127.0.0.1";
-        use_x_forwarded_for = true;
-        trusted_proxies = [ "127.0.0.1" ];
-      };
-    };
-    extraPackages =
-      python3Packages: with python3Packages; [
-        # speed up aiohttp
-        isal
-        zlib-ng
-      ];
-  };
-
-  services.esphome = {
-    enable = true;
-    openFirewall = false;
-  };
-
-  users.groups.dialout.members = config.users.groups.wheel.members;
-
-  services.mosquitto = {
-    enable = true;
-  };
-
-  services.zigbee2mqtt = {
-    enable = true;
-    settings = {
-      home-assistant = config.services.home-assistant.enable;
-      permit_join = true;
-      serial = {
-        port = "/dev/ttyUSB0";
-      };
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 8443 ];
-
-  services.caddy = {
-    enable = true;
-    virtualHosts = {
-      "raspite.coho-tet.ts.net".extraConfig = ''
-        reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
-      '';
-    };
-  };
-}
--- a/machines/raspite/services/hass.nix
+++ b/machines/raspite/services/hass.nix
@ -0,0 +1,239 @@
+{ config, pkgs, ... }:
+{
+  services.home-assistant = {
+    enable = true;
+    openFirewall = false;
+    config = {
+      logger = {
+        logs = {
+          homeassistant.helpers.llm = "debug";
+          homeassistant.components.conversation.chat_log = "debug";
+          homeassistant.components.openai_conversation = "debug";
+        };
+      };
+      http = {
+        server_host = "127.0.0.1";
+        use_x_forwarded_for = true;
+        trusted_proxies = [ "127.0.0.1" ];
+      };
+      assist_pipeline = { };
+      backup = { };
+      bluetooth = { };
+      config = { };
+      conversation = { };
+      history = { };
+      recorder = {
+        purge_keep_days = 14;
+      };
+      homeassistant_alerts = { };
+      image_upload = { };
+      logbook = { };
+      media_source = { };
+      mobile_app = { };
+      my = { };
+      ssdp = { };
+      stream = { };
+      sun = { };
+      usb = { };
+      webhook = { };
+      zeroconf = { };
+    };
+    extraPackages =
+      python3Packages: with python3Packages; [
+        # speed up aiohttp
+        isal
+        zlib-ng
+      ];
+    extraComponents = [
+      "mqtt"
+      "roborock"
+      "openai_conversation"
+    ];
+  };
+
+  systemd.services.home-assistant.environment = {
+    OPENAI_BASE_URL = "https://ark.cn-beijing.volces.com/api/v3";
+  };
+
+  services.esphome = {
+    enable = true;
+    openFirewall = false;
+  };
+
+  users.groups.dialout.members = config.users.groups.wheel.members;
+
+  services.mosquitto = {
+    enable = true;
+  };
+
+  services.zigbee2mqtt = {
+    enable = true;
+    package = pkgs.zigbee2mqtt_2;
+    settings = {
+      home-assistant = config.services.home-assistant.enable;
+      serial = {
+        adapter = "zstack";
+        port = "/dev/ttyUSB0";
+      };
+      frontend = {
+        enabled = true;
+        port = 15313;
+        host = "127.0.0.1";
+      };
+      advanced = {
+        log_level = "debug";
+        availability = {
+          # Periodically check whether devices are online/offline
+          enabled = true;
+        };
+        channel = 11;
+        homeassistant_legacy_entity_attributes = false;
+        homeassistant_legacy_triggers = false;
+        legacy_api = false;
+        legacy_availability_payload = false;
+      };
+      device_options = {
+        legacy = false;
+      };
+      devices = {
+        "0x000d6f001673c5d4" = {
+          friendly_name = "小次卧开关";
+        };
+        "0x000d6f001673c1df" = {
+          friendly_name = "衣帽间开关";
+        };
+        "0x000d6f0014cbc2c6" = {
+          friendly_name = "主卧床头开关";
+        };
+        "0x8cf681fffe0a5e38" = {
+          friendly_name = "玄关开关";
+          description = "1: 玄关灯 2: 书房灯";
+        };
+        "0x8cf681fffe0d9f1c" = {
+          friendly_name = "客厅开关1";
+          description = "1: 轨道灯东 2: 轨道灯西";
+        };
+        "0x000d6f00167839ff" = {
+          friendly_name = "客厅开关2";
+          description = "1: 客厅射灯北 2: 客厅射灯南";
+        };
+        "0x8cf681fffe0db266" = {
+          friendly_name = "客厅开关3";
+          description = "过道射灯";
+        };
+        "0x8cf681fffe0d9ccb" = {
+          friendly_name = "客厅开关4";
+          description = "1.厨房射灯";
+        };
+        "0x000d6f001673c512" = {
+          friendly_name = "小过道开关";
+        };
+        "0xa4c13815e2f92d74" = {
+          friendly_name = "客厅格栅灯";
+          transition = 1;
+        };
+        "0x540f57fffe54ced3" = {
+          friendly_name = "书房灯西南";
+          transition = 1;
+        };
+        "0x540f57fffe54c8d4" = {
+          friendly_name = "书房灯东北";
+          transition = 1;
+        };
+        "0x540f57fffe54c82b" = {
+          friendly_name = "书房灯西北";
+          transition = 1;
+        };
+        "0x540f57fffe5210bc" = {
+          friendly_name = "书房灯东南";
+          transition = 1;
+        };
+        "0x540f57fffe54c851" = {
+          friendly_name = "鞋柜灯";
+          transition = 1;
+        };
+        "0x540f57fffe54ce63" = {
+          friendly_name = "入户灯";
+          transition = 1;
+        };
+        "0x540f57fffe54c8ce" = {
+          friendly_name = "影壁灯";
+          transition = 1;
+        };
+        "0xa4c138693a2afad7" = {
+          friendly_name = "次卧泛光灯";
+          transition = 1;
+        };
+        "0x540f57fffe54c826" = {
+          friendly_name = "厨房水池灯";
+          transition = 1;
+        };
+        "0x540f57fffe521114" = {
+          friendly_name = "厨房灯";
+          transition = 1;
+        };
+        "0x540f57fffe54c86b" = {
+          friendly_name = "过道灯西";
+          transition = 1;
+        };
+        "0x540f57fffe54c82e" = {
+          friendly_name = "过道灯东";
+          transition = 1;
+        };
+        "0x540f57fffe5210e3" = {
+          friendly_name = "客卫洗手池射灯";
+          transition = 1;
+        };
+        "0xfc4d6afffe6eb9e3" = {
+          friendly_name = "客卫镜前灯";
+        };
+        "0x540f57fffe5210cf" = {
+          friendly_name = "客厅射灯北1";
+          transition = 1;
+        };
+        "0x540f57fffe54c8bb" = {
+          friendly_name = "客厅射灯北2";
+          transition = 1;
+        };
+        "0x540f57fffe5210db" = {
+          friendly_name = "客厅射灯北3";
+          transition = 1;
+        };
+        "0x540f57fffe54cec5" = {
+          friendly_name = "客厅射灯南1";
+          transition = 1;
+        };
+        "0x540f57fffe520d1d" = {
+          friendly_name = "客厅射灯南2";
+          transition = 1;
+        };
+        "0x540f57fffe54c966" = {
+          friendly_name = "客厅射灯南3";
+          transition = 1;
+        };
+        "0x540f57fffe520ceb" = {
+          friendly_name = "小次卧射灯北";
+          transition = 1;
+        };
+        "0x540f57fffe5210cd" = {
+          friendly_name = "小次卧射灯南";
+          transition = 1;
+        };
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8443 ];
+
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      "raspite.coho-tet.ts.net".extraConfig = ''
+        reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
+      '';
+      "https://raspite.coho-tet.ts.net:8080".extraConfig = ''
+        reverse_proxy ${config.services.zigbee2mqtt.settings.frontend.host}:${toString config.services.zigbee2mqtt.settings.frontend.port}
+      '';
+    };
+  };
+}
--- a/machines/weilite/secrets.yaml
+++ b/machines/weilite/secrets.yaml
@ -3,6 +3,7 @@ caddy:
    dnspod_dns_token: ENC[AES256_GCM,data:ATed7RqLu1u06B61Irhd4SCzjK/Z823ygAgzROsNixZ2rExpB/Xo,iv:L121CGA+iZhn9V6mG2qEu3FI91/s7JO3cVTAwmAeqGw=,tag:l/7MXMZNqgFBwgCCMeZR2A==,type:str]
 immich:
    oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
+    auto_stack_apikey: ENC[AES256_GCM,data:pormMdxkevrw1sJrmVtD+jEbfQFTOHeyZRepZt2roftjDYAdbzpppg==,iv:wumPYaTAfU+J0MD6yOFKmxY8eDMzwqVsd3IUXyTfk0A=,tag:54HlWH3iKyWG2Gv9QS/wLA==,type:str]
 restic:
    localpass: ENC[AES256_GCM,data:GIQAmkpDmGu4+sSG5/b5yQ==,iv:dcu6F8NnVjeQzEG2vM3fOV5owI0PWc86ts20UP3vN18=,tag:vsG8x062FG1pH5YNcAajeg==,type:str]
 transmission:
@ -35,8 +36,8 @@ sops:
            V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
            RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-11T08:45:49Z"
-    mac: ENC[AES256_GCM,data:iObzkfSxKET1kE8yQbSxffG1qDO95SWfIRSdwbYcwP4mHOrl5sOtlGEjexVaLl7uKa0SMCK6BghbMr4EdLatiOmngsAzr8bxe/GsPZiCze04nr0VbKBgHxKr74gT8d14dwV+Y+np/5fgRZea7zxzJ4YaVfeUOG9PBsa7L6RWbx0=,iv:LMM096xLa5cOiLVTiFO20jBUaK1Uw4aOqsz7eH9u9vc=,tag:C1fPHN9KFbydcy1lRAhGvQ==,type:str]
+    lastmodified: "2025-03-30T06:50:46Z"
+    mac: ENC[AES256_GCM,data:o9mucckntBoKzO3+S1lWcvKeyolqlzYcRRWkosjLnJ7kY3S2ssYxdEz9PPBihpIU4z8ogy/TIuRjLV/XOiPyNUZy0a++2erfQjpr4YIc8KvivG9erE4S4YkNFCVOXv6XjQ7gypaYScX8pdhh0idkyuxJPb0N5HcB1Ngtx/bhrBY=,iv:YfFXYt0GGZsssyoImWKep0in0STGqgUgQ87v2g7E0MU=,tag:aMb/SDiboeRyCW9AItnhzw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4
--- a/machines/weilite/services/immich.nix
+++ b/machines/weilite/services/immich.nix
@ -52,6 +52,10 @@ let
    };
    machineLearning = {
      enabled = true;
+      urls = [
+        "http://calcite.coho-tet.ts.net:3003"
+        "http://127.0.0.1:3003"
+      ];
      clip = {
        enabled = true;
        modelName = "XLM-Roberta-Large-ViT-H-14__frozen_laion5b_s13b_b90k";
@ -65,13 +69,23 @@ let
 in
 {
  config = {
-    sops.secrets."immich/oauth_client_secret" = { };
+    sops.secrets = {
+      "immich/oauth_client_secret" = { };
+      "immich/auto_stack_apikey" = { };
+    };

    sops.templates."immich/config.json" = {
      owner = user; # Read when running
      content = builtins.toJSON jsonSettings;
    };

+    sops.templates."immich/auto_stack.env" = {
+      owner = "immich_auto_stack";
+      content = ''
+        API_KEY=${config.sops.placeholder."immich/auto_stack_apikey"};
+      '';
+    };
+
    systemd.mounts = [
      {
        what = "originals";
@ -82,15 +96,15 @@ in
      }
    ];

-    # systemd.timers.immich-auto-stack = {
-    #   enable = true;
-    #   wantedBy = [ "immich-server.service" ];
-    #   timerConfig = {
-    #     Unit = "immich-auto-stack.service";
-    #     OnCalendar = "*-*-* 4:00:00";
-    #   };
-    # };
-    #
+    systemd.timers.immich-auto-stack = {
+      enable = true;
+      wantedBy = [ "immich-server.service" ];
+      timerConfig = {
+        Unit = "immich-auto-stack.service";
+        OnCalendar = "*-*-* 4:00:00";
+      };
+    };
+
    systemd.services.immich-auto-stack =
      let
        python = pkgs.python3.withPackages (
@ -98,12 +112,22 @@ in
            requests
          ]
        );
+        immich_auto_stack = pkgs.fetchurl {
+          url = "https://gist.github.com/xinyangli/39de5979e72d81af6fe9ddb7d1805df4";
+          hash = "sha256-izbzP+330tZUGPTfS3SdJnGS5uSn5uf8WmXd6ep8SQg=";
+        };
      in
      {
+        environment = {
+          SKIP_MATCH_MISS = "true";
+          DRY_RUN = "false";
+          API_URL = "http://127.0.0.1:${toString config.services.immich.port}/api";
+        };
        serviceConfig = {
-          ExecStart = "${lib.getExe python}";
-          # TODO:
-          environmentFile = "./.";
+          ExecStart = "${lib.getExe python} ${immich_auto_stack}";
+          EnvironmentFile = config.sops.templates."immich/auto_stack.env".path;
+          User = "immich_auto_stack";
+          Group = "immich_auto_stack";
        };
      };

@ -137,6 +161,12 @@ in
      "render"
    ];

+    users.groups.immich_auto_stack = { };
+    users.users.immich_auto_stack = {
+      isSystemUser = true;
+      group = "immich_auto_stack";
+    };
+
    services.immich.redis.host = "/run/redis-immich/redis.sock";
  };
 }
--- a/modules/home-manager/fish.nix
+++ b/modules/home-manager/fish.nix
@ -91,10 +91,6 @@ in
                  ${pkgs.comma}/bin/comma $argv
                end
                set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)
-                alias ctlsp="systemctl stop"
-                alias ctlst="systemctl start"
-                alias ctlrt="systemctl restart"
-                alias ctls="systemctl status"
              ''
            else
              "";
--- a/modules/home-manager/gui/waybar.nix
+++ b/modules/home-manager/gui/waybar.nix
@ -16,7 +16,66 @@ in
  config = mkIf cfg.enable {
    programs.waybar = {
      enable = true;
-      style = readFile ./waybar.css;
+      style = ''
+        * {
+          font-family: Ubuntu Nerd Font, Noto Sans CJK SC;
+          font-size: 14px;
+          font-weight: bold;
+          min-height: 14px;
+        }
+
+        window#waybar {
+          color: @text;
+          opacity: 0.95;
+          background-color: @crust;
+          padding: 2px;
+        }
+
+        #custom-nixos {
+          background-color: #24273a;
+          padding-left: 15px;
+          padding-right: 18px;
+        }
+
+        #custom-separator {
+          margin: 0 2px;
+        }
+
+        #workspaces {
+          border-radius: 0;
+        }
+        #workspaces button {
+          padding: 0 10px;
+          border-radius: 0;
+        }
+        #workspaces button.focused,
+        #workspaces button.active {
+          border-bottom: 4px solid #8aadf4;
+        }
+        #workspaces button.empty {
+          font-size: 0;
+          min-width: 0;
+          min-height: 0;
+          margin: 0;
+          padding: 0;
+          border: 0;
+          opacity: 0;
+          box-shadow: none;
+        }
+        #cpu,
+        #memory,
+        #pulseaudio,
+        #network,
+        #backlight,
+        #battery,
+        #tray,
+        #custom-notification {
+          margin-right: 15px;
+        }
+        #clock {
+          font-size: 16px;
+        }
+      '';
      settings = {
        main = {
          margin = "2px 3px 2 3px";
--- a/modules/nixos/common-settings/china-domains.txt
+++ b/modules/nixos/common-settings/china-domains.txt
--- a/modules/nixos/common-settings/mainland.nix
+++ b/modules/nixos/common-settings/mainland.nix
@ -33,6 +33,7 @@ in

    services.dae = {
      enable = mkDefault true;
+      configFile = mkDefault "/var/lib/dae/config.dae";
    };
  };
 }
--- a/modules/nixos/common-settings/network.nix
+++ b/modules/nixos/common-settings/network.nix
@ -0,0 +1,87 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkEnableOption mkOption mkIf;
+  inherit (config.my-lib.settings)
+    internalDomain
+    ;
+  cfg = config.commonSettings.network;
+in
+{
+  options.commonSettings.network = {
+    localdns = {
+      enable = mkEnableOption "Local DNS resolver";
+      cacheSize = mkOption {
+        type = lib.types.int;
+        description = "Max cache size for knot-resolver in MB";
+        default = 100;
+      };
+    };
+  };
+
+  config = {
+    networking.resolvconf = mkIf cfg.localdns.enable {
+      enable = true;
+      dnsExtensionMechanism = false;
+      useLocalResolver = true;
+    };
+
+    services.kresd = mkIf cfg.localdns.enable {
+      enable = true;
+      listenPlain = [ "127.0.0.1:53" ];
+      listenTLS = [ "127.0.0.1:853" ];
+      extraConfig =
+        let
+          listToLuaTable =
+            x:
+            lib.pipe x [
+              (builtins.split "\n")
+              (builtins.filter (s: s != [ ] && s != ""))
+              (lib.strings.concatMapStrings (x: "'${x}',"))
+            ];
+          chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt);
+          globalSettings = ''
+            log_level("notice")
+            modules = { 'hints > iterate', 'stats', 'predict' }
+            cache.size = ${toString cfg.localdns.cacheSize} * MB
+            trust_anchors.remove(".")
+          '';
+          tsSettings = ''
+            internalDomains = policy.todnames({'${internalDomain}'})
+            policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
+          '';
+          proxySettings = ''
+            policy.add(policy.domains(
+              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
+              { todname('hk-00.namely.icu') }))
+            policy.add(policy.domains(
+              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
+              { todname('la-00.namely.icu') }))
+            policy.add(policy.domains(
+              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
+              { todname('fra-00.namely.icu') }))
+          '';
+          mainlandSettings = ''
+            chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
+            policy.add(policy.suffix(policy.TLS_FORWARD({
+              { "223.5.5.5", hostname="dns.alidns.com" },
+              { "223.6.6.6", hostname="dns.alidns.com" },
+            }), chinaDomains))
+            policy.add(policy.all(policy.TLS_FORWARD({
+              { "8.8.8.8", hostname="dns.google" },
+              { "8.8.4.4", hostname="dns.google" },
+            })))
+          '';
+          overseaSettings = ''
+            policy.add(policy.all(policy.TLS_FORWARD({
+              { "8.8.8.8", hostname="dns.google" },
+              { "8.8.4.4", hostname="dns.google" },
+            })))
+          '';
+        in
+        globalSettings
+        + (if config.services.dae.enable then proxySettings else "")
+        + (if config.services.tailscale.enable then tsSettings else "")
+        + (if config.inMainland then mainlandSettings else overseaSettings);
+    };
+  };
+}
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -6,6 +6,7 @@
    ./common-settings/nix-conf.nix
    ./common-settings/proxy-server.nix
    ./common-settings/mainland.nix
+    ./common-settings/network.nix
    ./disk-partitions
    ./restic.nix
    ./monitor
--- a/modules/nixos/monitor/default.nix
+++ b/modules/nixos/monitor/default.nix
@ -120,11 +120,12 @@ in
                webhook_configs = [
                  {
                    url = "${ntfyUrl}/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
-                      {{range .alerts}}{{ if eq .status "resolved" }}✅{{ else }}{{ if eq .status "firing" }}🔥{{end}}{{end}}{{.labels.alertname}}
-                      {{.annotations.summary}}
-                      {{end}}''}";
+                                            {{ if eq .truncatedAlerts 0 }}{{ else }}{{.truncatedAlerts}} truncated
+                      		      {{end}}{{range .alerts}}{{ if eq .status "resolved" }}✅{{ else }}{{ if eq .status "firing" }}🔥{{end}}{{end}}{{.labels.alertname}}
+                                            {{.annotations.summary}}
+                                            {{end}}''}";
                    send_resolved = true;
-                    max_alerts = 5;
+                    max_alerts = 10;
                  }
                ];
              }
--- a/scripts/update-china-list.sh
+++ b/scripts/update-china-list.sh
@ -0,0 +1,4 @@
+output_file="modules/nixos/common-settings/china-domains.txt"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/accelerated-domains.china.raw.txt" > "$output_file"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/apple.china.raw.txt" >> "$output_file"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/google.china.raw.txt" >> "$output_file"
Author	SHA1	Message	Date
xinyangli	127dd98ea5	weilite/immich: remote machine learning	2025-03-30 18:49:45 +08:00
xinyangli	a5678aaf8f	fixup! weilite/immich: enable auto stack timer	2025-03-30 18:48:52 +08:00
xinyangli	11765deacd	garnix: build all branch	2025-03-30 18:47:00 +08:00
xinyangli	4c257346f8	weilite/immich: enable auto stack timer	2025-03-30 15:40:49 +08:00
xinyangli	529f32a468	raspite/hass: show detailed chat logs send to llm	2025-03-30 15:40:02 +08:00
xinyangli	9b7053d259	raspite/hass: use volcengine deepseek	2025-03-29 12:49:19 +08:00
xinyangli	22bbe06513	raspite/hass: drop default_config, add deepseek agent	2025-03-29 09:06:05 +08:00
xinyangli	f275df95e5	bump china-domains	2025-03-26 11:25:10 +08:00
xinyangli	f1ec49cc58	modules/monitor: show truncated alerts count	2025-03-26 11:24:59 +08:00
xinyangli	e5ddc316b6	calcite: add spot	2025-03-26 11:22:36 +08:00
xinyangli	6ab5672a8c	raspite: add home devices	2025-03-26 11:21:23 +08:00
xinyangli	6ad4e9477c	fixup! fixup! modules/network: init kresd	2025-03-23 21:44:17 +08:00
xinyangli	d72931c555	fixup! modules/network: init kresd	2025-03-23 21:40:22 +08:00
xinyangli	e0c474c81d	biotite/vaultwarden: enable admin page	2025-03-23 21:37:29 +08:00
xinyangli	e45eb7807f	modules/network: init kresd	2025-03-23 21:36:57 +08:00
xinyangli	effcdee7f9	raspite: restore workaround for kernel mod	2025-03-15 21:35:58 +08:00
xinyangli	9de6269cb7	raspite: fix build	2025-03-15 21:14:48 +08:00
xinyangli	efaee5859c	calcite: fix build	2025-03-15 21:03:53 +08:00
xinyangli	5f68e5745a	raspite: add comin	2025-03-15 21:02:22 +08:00
xinyangli	2726ebc8ac	home/waybar: fix IFD	2025-03-11 00:05:16 +08:00