chore: move tailscale to common settings

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746175539,
+        "lastModified": 1746650299,
-        "narHash": "sha256-/wjcn1CDQqOhwOoYKS8Xp0KejrdXSJZQMF1CbbrVtMw=",
+        "narHash": "sha256-4+pxk1KcSH8ww3tgN808nNJ3E7Q8gNWI+U0sesW7mBQ=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "a5db9e41a4dccfa5ffe38e6f1841a5f9ad5c5c04",
+        "rev": "f746600f15b69df05c84e3037749a3be5b1276d1",
         "type": "github"
       },
       "original": {
@@ -72,11 +72,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745812220,
+        "lastModified": 1746695246,
-        "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=",
+        "narHash": "sha256-7Tz4PQA/iLnwJX56VdCxMB66HOiWT/i9pmSiCNHqDKc=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78",
+        "rev": "c7e0b00007ff6c0e2a6dd5c521aeef22ccdad026",
         "type": "github"
       },
       "original": {
@@ -220,11 +220,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746369725,
+        "lastModified": 1746661235,
-        "narHash": "sha256-m3ai7LLFYsymMK0uVywCceWfUhP0k3CALyFOfcJACqE=",
+        "narHash": "sha256-TAm/SnOT8AD3YKYOdjtg5Nmf/hCKEwc0USHBIoXV8qo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "1a1793f6d940d22c6e49753548c5b6cb7dc5545d",
+        "rev": "ec71b5162848e6369bdf2be8d2f1dd41cded88e8",
         "type": "github"
       },
       "original": {
@@ -336,11 +336,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746362215,
+        "lastModified": 1746669583,
-        "narHash": "sha256-f1N9rw5GiQZjUuAd14z2yml9IPt16v+RrteLEYyCMvo=",
+        "narHash": "sha256-zQbz1kINODnwY1stHEZfkpWX1D6jn/h/lEOQpQlOoRM=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "5809c8500215e5a46ca2e3469daff8f2c0a80665",
+        "rev": "2e10ad11395ac09a73ad38f0cbe975e410065ca5",
         "type": "github"
       },
       "original": {
@@ -351,11 +351,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1746341346,
+        "lastModified": 1746621361,
-        "narHash": "sha256-WjupK5Xpc+viJlJWiyPHp/dF4aJItp1BPuFsEdv2/fI=",
+        "narHash": "sha256-T9vOxEqI1j1RYugV0b9dgy0AreiZ9yBDKZJYyclF0og=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "0833dc8bbc4ffa9cf9b0cbfccf1c5ec8632fc66e",
+        "rev": "2ea3ad8a1f26a76f8a8e23fc4f7757c46ef30ee5",
         "type": "github"
       },
       "original": {
@@ -372,11 +372,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745943985,
+        "lastModified": 1746635197,
-        "narHash": "sha256-cpznjE3lJ0uEfBinVgODRkvBj+R1m+7cOkNvPgy+OuU=",
+        "narHash": "sha256-7tcX3LUPp7Qmi1s14Sm2qaudvRBBMJ0gvEw8dumViYU=",
         "owner": "nakato",
         "repo": "nixos-sbc",
-        "rev": "04a93bd482a43d97ab5b86df8e737c1c74ffb91b",
+        "rev": "cf727094afb89c2f94b9f7dcf596c34d55429b88",
         "type": "github"
       },
       "original": {
@@ -451,11 +451,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1746232882,
+        "lastModified": 1746461020,
-        "narHash": "sha256-MHmBH2rS8KkRRdoU/feC/dKbdlMkcNkB5mwkuipVHeQ=",
+        "narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "7a2622e2c0dbad5c4493cb268aba12896e28b008",
+        "rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae",
         "type": "github"
       },
       "original": {
@@ -492,11 +492,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1746366397,
+        "lastModified": 1746694489,
-        "narHash": "sha256-eLivytoIgyu75s7CDjf1z5jLmTGPPONmi2zPayIUNsM=",
+        "narHash": "sha256-g7kaChZ34J4RabOLJt1t37dLysmOjKNxW1gEmZ8kJnQ=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "7882dfa39dad5ada77012882191e5c94b066a864",
+        "rev": "62161e584fcd651968963baf092a4a02931de216",
         "type": "github"
       },
       "original": {
@@ -555,11 +555,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745310711,
+        "lastModified": 1746485181,
-        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
         "type": "github"
       },
       "original": {

flake.nix

@@ -115,7 +115,7 @@
         self.homeManagerModules.default
         sops-nix.homeManagerModules.sops
         nix-index-database.hmModules.nix-index
-        catppuccin.homeManagerModules.catppuccin
+        catppuccin.homeModules.catppuccin
       ];
       sharedNixosModules = [
         self.nixosModules.default

home/xin/calcite.nix

@@ -44,6 +44,40 @@ in
     wechat-uos
     wpsoffice
     ttf-wps-fonts
+
+    eudic
+
+    exiftool
+    darktable
+    kdePackages.kdenlive
+    inkscape
+    gimp3
+    gthumb
+    oculante
+
+    # Multimedia
+    vlc
+    obs-studio
+    spotify
+    spot
+    # IM
+    element-desktop
+    tdesktop
+
+    # Password manager
+    bitwarden
+
+    # Browser
+    chromium
+
+    # Writting
+    zotero
+
+    # wemeet
+    wemeet
+
+    imhex
+    oidc-agent
   ];
 
   # Theme

machines/agate/default.nix

@@ -106,12 +106,6 @@ in
   nixpkgs.config.contentAddressedByDefault = true;
   nixpkgs.overlays = [ fix-folly-build ];
 
-  services.tailscale = {
-    enable = true;
-    openFirewall = true;
-    permitCertUid = "caddy";
-  };
-
   custom.prometheus.exporters = {
     enable = true;
     blackbox = {

machines/agate/services/minio.nix

@@ -0,0 +1,6 @@
+{
+  services.minio = {
+    enable = true;
+    region = "ap-east-1";
+  };
+}

machines/baryte/default.nix

@@ -13,7 +13,6 @@
     };
 
     services.openssh.enable = true;
-    services.tailscale.enable = true;
     time.timeZone = "Asia/Shanghai";
   };
 }

machines/baryte/hardware-configuration.nix

@@ -0,0 +1,20 @@
+{ config, modulesPath, ... }:
+{
+  imports = [ ];
+
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/vda";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = config.diskPartitions.grubMbr;
+            root = config.diskPartitions.btrfs;
+          };
+        };
+      };
+    };
+  };
+}

machines/biotite/default.nix

@@ -40,19 +40,6 @@
     comin.enable = true;
   };
 
-  custom.monitoring = {
-    promtail.enable = true;
-  };
-
-  custom.prometheus.exporters = {
-    enable = true;
-    node.enable = true;
-  };
-
-  services.tailscale.enable = true;
-
-  services.caddy.enable = true;
-
   sops = {
     defaultSopsFile = ./secrets.yaml;
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

machines/calcite/configuration.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  inherit (lib) mkForce getExe;
+  inherit (lib) getExe;
   inherit (config.my-lib.settings) idpUrl;
 in
 {
@@ -17,7 +17,7 @@ in
   ];
 
   commonSettings = {
-    # auth.enable = true;
+    auth.enable = true;
     nix = {
       signing.enable = true;
     };
@@ -37,7 +37,6 @@ in
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  # boot.kernelPackages = pkgs.linuxPackages_latest;
   boot.kernelModules = [
     "nvidia"
     "nvidia_modeset"
@@ -61,7 +60,6 @@ in
     # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
     tctiEnvironment.enable = true;
   };
-  # services.gnome.gnome-keyring.enable = lib.mkForce false;
   security.pam.services.login.enableGnomeKeyring = lib.mkForce false;
 
   programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
@@ -187,7 +185,6 @@ in
         settings = {
           main = {
             mouse2 = "leftmeta";
-            # leftalt = "mouse1";
           };
         };
       };
@@ -206,7 +203,6 @@ in
     extraBackends = [ pkgs.hplipWithPlugin ];
   };
 
-  hardware.pulseaudio.enable = false;
   security.rtkit.enable = true;
   services.avahi.enable = true;
   services.pipewire = {
@@ -217,23 +213,6 @@ in
     pulse.enable = true;
     # If you want to use JACK applications, uncomment this
     jack.enable = true;
-
-    # Airplay client
-    raopOpenFirewall = true;
-    extraConfig.pipewire = {
-      "10-airplay" = {
-        "context.modules" = [
-          {
-            name = "libpipewire-module-raop-discover";
-
-            # increase the buffer size if you get dropouts/glitches
-            # args = {
-            #   "raop.latency.ms" = 500;
-            # };
-          }
-        ];
-      };
-    };
   };
 
   # Define a user account. Don't forget to set a password with ‘passwd’.
@@ -249,13 +228,6 @@ in
     ];
   };
 
-  services.kanidm = {
-    enableClient = true;
-    clientSettings = {
-      uri = "https://${idpUrl}";
-    };
-  };
-
   # Smart services
   services.smartd.enable = true;
 
@@ -264,36 +236,9 @@ in
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.permittedInsecurePackages = [
     "openssl-1.1.1w"
-    # FIXME: Waiting for https://github.com/NixOS/nixpkgs/pull/335753
-    "jitsi-meet-1.0.8043"
   ];
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
   environment.systemPackages = with pkgs; [
-    imhex
-    oidc-agent
-    # Filesystem
-    (owncloud-client.overrideAttrs (
-      finalAttrs: previousAttrs: {
-        src = pkgs.fetchFromGitHub {
-          owner = "xinyangli";
-          repo = "client";
-          rev = "780d1c4c8bf02be42e118c792ff833ab10c2fdcc";
-          hash = "sha256-pEwcGJI9sN9nooW/RQHmi52Du6yzofgZeB8PcjwPtZ8=";
-        };
-      }
-    ))
-    nfs-utils
-
-    # tesseract5 # ocr
-    ocrmypdf # pdfocr
-
-    gtkwave
-    bubblewrap
-
     # ==== Development ==== #
-    # Python
-    # reference: https://nixos.wiki/wiki/Python
     (
       let
         my-python-packages =
@@ -311,11 +256,7 @@ in
 
     # ==== GUI Softwares ==== #
 
-    eudic
-
     bibata-cursors
-    gthumb
-    oculante
 
     (epsonscan2.overrideAttrs (
       finalAttrs: prevAttrs: {
@@ -323,28 +264,6 @@ in
       }
     ))
 
-    # Multimedia
-    vlc
-    obs-studio
-    spotify
-    spot
-    # IM
-    element-desktop
-    tdesktop
-
-    # Password manager
-    bitwarden
-
-    # Browser
-    chromium
-
-    # Writting
-    zotero
-    # onlyoffice-bin
-
-    # wemeet
-    wemeet
-
     virt-manager
     wineWowPackages.waylandFull
     winetricks
@@ -367,10 +286,6 @@ in
       owner = "xin";
       sopsFile = ./secrets.yaml;
     };
-    "gitea/envfile" = {
-      owner = "root";
-      sopsFile = ./secrets.yaml;
-    };
     "davfs2/photosync_password" = {
       sopsFile = ./secrets.yaml;
       mode = "0600";
@@ -401,16 +316,6 @@ in
     ];
   };
 
-  # custom.forgejo-actions-runner = {
-  #   enable = false;
-  #   tokenFile = config.sops.secrets."gitea/envfile".path;
-  #   settings = {
-  #     runner.capacity = 2;
-  #     runner.fetch_timeout = "120s";
-  #     runner.fetch_interval = "30s";
-  #   };
-  # };
-  #
   custom.prometheus = {
     exporters.node.enable = true;
   };

machines/calcite/hardware-configuration.nix

@@ -18,7 +18,6 @@
     "ahci"
     "usbhid"
   ];
-  boot.initrd.kernelModules = [ ];
 
   boot.initrd = {
     systemd.enable = true; # initrd uses systemd
@@ -31,10 +30,8 @@
     };
   };
   boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
-    # device = "/dev/disk/by-label/NIXROOT";
     device = "/dev/mapper/cryptroot";
     fsType = "btrfs";
   };
@@ -57,16 +54,6 @@
 
   swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   hardware.graphics = {

machines/calcite/network.nix

@@ -1,14 +1,7 @@
 {
-  config,
   pkgs,
-  lib,
   ...
 }:
-let
-  inherit (config.my-lib.settings)
-    internalDomain
-    ;
-in
 {
   imports = [ ];
 
@@ -24,27 +17,8 @@ in
     };
   };
 
-  # Enable Tailscale
-  services.tailscale = {
-    enable = true;
-    extraUpFlags = [ "--accept-dns=false" ];
-  };
-  # services.tailscale.useRoutingFeatures = "both";
-
-  # services.dae.enable = true;
-  # services.dae.configFile = "/var/lib/dae/config.dae";
-  # systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [
-  #   "NetworkManager-wait-online.service"
-  # ];
-  #
   # Open ports in the firewall.
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 3389 ];
-  networking.firewall.allowedUDPPorts = [
-    3389
-    41641
-  ];
-  networking.firewall.trustedInterfaces = [ "tailscale0" ];
   # Use nftables to manager firewall
   networking.nftables.enable = true;
 

machines/calcite/secrets.yaml

@@ -1,15 +1,9 @@
 restic:
     repo_url: ENC[AES256_GCM,data:x/g1nZQ59SavVG+u5apNmBQ0Y5uQ9N0EKVh6qovqeP/Z7tmkudJtlBFD35C0ZidcQLAqTaZk1FFh8Ikjo4OcQSdTsx9BGvT4,iv:RQMOSEacDHXjYceBaAW4sFGk38vkijHuADcTS3DMxa8=,tag:769rLA2eRKjDrAaL/jERbA==,type:str]
     repo_password: ENC[AES256_GCM,data:jqsIP1R5/yX8F0oYaSXACx6C,iv:KckzqctKLnmay+d30/Y4IttiASxYnMw6IHQrtwP2YdQ=,tag:L/Ij51UU1om48I8fd4iuwA==,type:str]
-gitea:
-    envfile: ENC[AES256_GCM,data:CK+JNELuzjKgWnImuV4Euif3f3nNOACOrvc4NiIXs+q/F7QWrtpb3TK8/FrLNQk=,iv:QSDrlKJCBld2gDx/y1sT8anh37GhqSS2QZd2JJi5Yis=,tag:x5T6h59LBXhEyVwSr2dnuQ==,type:str]
 davfs2:
     photosync_password: ENC[AES256_GCM,data:J3+pJCjjV+hlPC2il5f7Vn+9k+Aatolgut1DX1G+JF4=,iv:OgZn6Glho3Cfrl0GJhGSbmcYjSe6sjM9PjvEZnM/c4w=,tag:i5AVG139nK3ecK3VwWpQuQ==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
           enc: |
@@ -29,8 +23,7 @@ sops:
             WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
             FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-07T08:57:13Z"
+    lastmodified: "2025-05-08T09:47:09Z"
-    mac: ENC[AES256_GCM,data:UvMXEu2UFapYNHa7kxvFhDzvJZvuV6mwRqmxFISDpp0VhRhY1+Mj2GFxrS5RgTW1ozUnCB0DSBUwWcmsPZeOUveMkHqqRFGZIjinh6blwseZjJMOR30KG3atY6L2adOOZaBERi+HJXqXfdqymeSCmkMC5iJ2jt2KGuMx5NqSfbE=,iv:pueL1hT/tvug65KPYxqY3RwNYeBOlGpIFf70+26VOYQ=,tag:VLwuipBxchMBSSuOMXYKJQ==,type:str]
+    mac: ENC[AES256_GCM,data:pBryBOfgVYROAJ6LfqpEXz8ph4bcAoWLADibpET0jwb4CBNuEW9BWXzVu+Ci+gKjKhSxh8xwr+TLSvo8zNOeGz/Mdl2vVaEWNKX4dUMMd9IXRJ+8jSlhxkMWPi25xoiMjY763MgOnBYsdqPpKKB1xLHkRtULAHlZ2m3VhVWxMWM=,iv:egYcxVjCH4uPbHvCcU9MVCRHoDbNH8tYet1vyDf9nhw=,tag:DDBC0TSdsnaF3SFTuH6rOQ==,type:str]
-    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2

machines/dolomite/common.nix

@@ -33,8 +33,6 @@
       promtail.enable = true;
     };
 
-    services.tailscale.enable = true;
-
     commonSettings = {
       auth.enable = true;
       comin.enable = true;

machines/osmium/default.nix

@@ -139,11 +139,6 @@
       };
     };
 
-    services.tailscale = {
+    services.tailscale.extraSetFlags = [ "--advertise-routes=10.1.1.0/24" ];
-      enable = true;
-      extraSetFlags = [
-        "--advertise-routes=10.1.1.0/24"
-      ];
-    };
   };
 }

machines/raspite/configuration.nix

@@ -12,6 +12,8 @@
     nix.enable = true;
     auth.enable = true;
     comin.enable = true;
+    network.enableProxy = false;
+    serverComponents.enable = true;
   };
 
   nixpkgs.overlays = [
@@ -36,15 +38,4 @@
   };
 
   time.timeZone = "Asia/Shanghai";
-
-  # fileSystems."/".fsType = lib.mkForce "btrfs";
-  boot.supportedFilesystems.zfs = lib.mkForce false;
-
-  services.dae.enable = false;
-
-  services.tailscale = {
-    enable = true;
-    permitCertUid = config.services.caddy.user;
-    openFirewall = true;
-  };
 }

machines/secrets.yaml

@@ -3,6 +3,8 @@ prometheus:
     metrics_password: ENC[AES256_GCM,data:qGbdk5tRmBw1rYHkmid87w==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:+cVF89YF35hA+fPvEQNgHA==,type:str]
 dae:
     sub: ENC[AES256_GCM,data:wCv8je47gBa2bb2aWCbUYHIuxGxkXUfJUvogwviYUNJJZJCdL5Q2qJX+tXOL4JRkzicRzFfiPEa3rcYIfoB6DC7caDPevpepHtTENzI3YKppiz0KIXedUWr+,iv:iMhxWb0IR+3jOP2+7GmQTe0Ia1yhycji4hcTTMK57GI=,tag:e8X4PTiY/60W6XbFLOmSBQ==,type:str]
+tailscale:
+    authkey: ENC[AES256_GCM,data:GKfhg4Co1us4UQ6Jn3KT85OrIIVDd8aJmv8hmhtLZnAM4McxPmpVZ1tnYu7GIfKdqgCQqEl+lgS0xlV+qA==,iv:qugnzLpCZqHyRnJaP0tS2y5R5i0lrhm9PnIuG3kiGqE=,tag:KV/fcG4rceG4AHCzFEoksg==,type:str]
 sops:
     age:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
@@ -95,7 +97,7 @@ sops:
             MHJubDlRVW40TDVJNnNqQktKcGVVYWcK1nCRXYjyLpNdj2Mnjgop5R6DSpRUSxDT
             VstIwZiQgACPKcP7H2dFSPNDaaAH1YqZzqr7ILLV6jYRApZFte/SRw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-01T16:16:05Z"
+    lastmodified: "2025-05-09T01:56:54Z"
-    mac: ENC[AES256_GCM,data:sXZm1YVBaF//vU5Vtou4HOvKMZ9L6i9YCH6DASiEE6VQYQ6aN3RI5bf25c9C4Lx7ARxsqCFz1pUVGiSd6AIAx1swSZHwC0nRz77GW9B8S1Gn+uyvVdbhP7xYfJ3XP8jFPJetKQLYIIynjdT7uUA833ZydmtaUC85j+Kmw7aEIoQ=,iv:rXkqJqJX43bLxrjT19mP4qO/fpZboVLN3nbQ7RrJWto=,tag:5ZPThu4YCT0K8GJMmYK6Yg==,type:str]
+    mac: ENC[AES256_GCM,data:wZXKzRD+2I0mQoSOu3Xj8uzsSV7rK7wg+GjlzFqbP3qWd5DWSa1wmHuC9xBe3GRNps5L7vopGwngnFXbXu6tlsYuWUhSV/r7lh/wnrXKNlrt5qkWCpL3nXoYqkby+QzFG5ykCYOTsiMg31JYcbobO0kdNNjK0thKqLdFS7YBZig=,iv:O0Rccf08B27bfikTjQ2h+x6rbMUSqUSOSB3jW3Y4MJA=,tag:jBvzVKZgilzmUKQ6M+psAA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2

machines/thorite/default.nix

@@ -31,8 +31,6 @@
       443
     ];
 
-    services.tailscale.enable = true;
-
     services.caddy.enable = true;
 
     commonSettings = {

machines/weilite/default.nix

@@ -1,5 +1,4 @@
 {
-  config,
   pkgs,
   lib,
   modulesPath,
@@ -12,13 +11,6 @@
     ./services
   ];
 
-  options = {
-    node = lib.mkOption {
-      type = lib.types.attrs;
-      default = { };
-    };
-  };
-
   config = {
     networking = {
       hostName = "weilite";
@@ -41,9 +33,6 @@
       comin.enable = true;
       network.localdns.enable = true;
     };
-    node = {
-      mediaDir = "/mnt/nixos/media";
-    };
 
     boot = {
       loader = {
@@ -144,17 +133,6 @@
       ];
     };
 
-    services.openssh.ports = [
-      22
-      2222
-    ];
-
-    services.tailscale = {
-      enable = true;
-      openFirewall = true;
-      permitCertUid = "caddy";
-    };
-
     services.tailscale.derper = {
       enable = true;
       domain = "derper00.namely.icu";

machines/weilite/secrets.yaml

@@ -1,6 +1,7 @@
 caddy:
     cf_dns_token: ENC[AES256_GCM,data:7PvP3oYMZ3dAeWaJNiuvEweUf3psDhyu90FT6cP0/AIOa0E40sdIRQ==,iv:IIYnZ35xAm9JJa14oHJi+ddI0u7Pgc4MfPLnKT4IlPc=,tag:V1PGZpaVzdN2cLpktbvTnA==,type:str]
-    dnspod_dns_token: ENC[AES256_GCM,data:ATed7RqLu1u06B61Irhd4SCzjK/Z823ygAgzROsNixZ2rExpB/Xo,iv:L121CGA+iZhn9V6mG2qEu3FI91/s7JO3cVTAwmAeqGw=,tag:l/7MXMZNqgFBwgCCMeZR2A==,type:str]
+    huawei_dns_access_key: ENC[AES256_GCM,data:3y9Sl9RDJlRkgTsctH8O4gRAcAU=,iv:2e03AKVniVYFyHV6KB00I/Y1rHD0Ira6kgly7zDqNT0=,tag:w6j1g329XIOrvshx7Ft7aA==,type:str]
+    huawei_dns_secret_key: ENC[AES256_GCM,data:or4WW7uFvbIoUwh1G63YDQxTFUnkkYrDJG0HEqoKzOSV+8rqy9cHrA==,iv:wB+TT8bh7jhN0ppJ3pqh882cs6RczpOtxKuYuyjRhMY=,tag:GlTSuYeGrGY/3b0g7IbLzw==,type:str]
 immich:
     oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
     auto_stack_apikey: ENC[AES256_GCM,data:pormMdxkevrw1sJrmVtD+jEbfQFTOHeyZRepZt2roftjDYAdbzpppg==,iv:wumPYaTAfU+J0MD6yOFKmxY8eDMzwqVsd3IUXyTfk0A=,tag:54HlWH3iKyWG2Gv9QS/wLA==,type:str]
@@ -16,10 +17,6 @@ webdav:
     photosync:
         password: ENC[AES256_GCM,data:s+omleBtVALG5bpbTnlzbwBj0oCZX8Dm8IbcUV6COnI=,iv:vwCs3ujmCcE87rl91ZtOEAgSQF1/0t17/7/0UM4x8fE=,tag:ylw76CX9SCylWoJt86rmjg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
           enc: |
@@ -39,8 +36,7 @@ sops:
             V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
             RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-06T14:28:44Z"
+    lastmodified: "2025-05-08T13:07:05Z"
-    mac: ENC[AES256_GCM,data:tYAhkwRs2CFOUCw3Iuq6T5C+QkbpSz80fI6CP65VyFrNiej9hshmjngPnf8bFElF+bHI64a/zpo2y4CqV213011tOX2YYvLD5zrAQb18rBFUdJblY5wQyx/DXiPaIf5jK6WGHIRaOmqZJuqXKrQKnf99N12JydXjt6usBGGZr8M=,iv:wySf7lctw14iUbKo5fDu+p6TMY5QXGYYmBukh2qb19I=,tag:pZrnFiNZEK01pnDN0+1Rcw==,type:str]
+    mac: ENC[AES256_GCM,data:19bgXUH6rhQLin0RO0F5pgqzNIzHq5x+oSpIscbDimRvUhnvalMX6KSmbVgrHeNHrx4n3MpwI65Z+/6eeiR0Y6O2MOv49580UVKIEEP/yAPd3tbOW28/WsNp7MMhtF1Fx6o/rirV+H4vkvzq9+/z3tHO2MMjh9LeLcFB36b8ZD8=,iv:lU9o59P8BS1Azd0lVRtq8d3yNau54J9attOEiC32E4E=,tag:zUawHckwaXSxc7RWimVPUQ==,type:str]
-    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2

machines/weilite/services/caddy.nix

@@ -6,14 +6,19 @@
         owner = "caddy";
         mode = "400";
       };
-      "caddy/dnspod_dns_token" = {
+      "caddy/huawei_dns_access_key" = {
+        owner = "caddy";
+        mode = "400";
+      };
+      "caddy/huawei_dns_secret_key" = {
         owner = "caddy";
         mode = "400";
       };
     };
     templates."caddy.env".content = ''
       CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"}
-      DNSPOD_API_TOKEN=${config.sops.placeholder."caddy/dnspod_dns_token"}
+      HUAWEICLOUD_ACCESS_KEY=${config.sops.placeholder."caddy/huawei_dns_access_key"}
+      HUAWEICLOUD_SECRET_KEY=${config.sops.placeholder."caddy/huawei_dns_secret_key"}
     '';
   };
 
@@ -22,28 +27,25 @@
       acmeCF = "tls {
         dns cloudflare {env.CF_API_TOKEN}
       }";
-      acmeDnspod = "tls {
+      acmeHuawei = "tls {
-        dns dnspod {env.DNSPOD_API_TOKEN}
+        dns huaweicloud  {
+          access_key_id {env.HUAWEICLOUD_ACCESS_KEY}
+          secret_access_key {env.HUAWEICLOUD_SECRET_KEY}
+        }
       }";
     in
     {
       enable = true;
       package = pkgs.caddy.withPlugins {
         plugins = [
-          "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
+          "github.com/caddy-dns/cloudflare@v0.2.1"
-          "github.com/caddy-dns/dnspod@v0.0.4"
         ];
-        hash = "sha256-/BxdY36MZriRNhh3peU+XjYRAuuYiKhLY+RwO45Q2Ws=";
+        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
       };
       virtualHosts."derper00.namely.icu:8443".extraConfig = ''
-        ${acmeDnspod}
+        ${acmeCF}
         reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
       '';
-      # API Token must be added in systemd environment file
-      virtualHosts."immich.xinyang.life:8000".extraConfig = ''
-        ${acmeDnspod}
-        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
-      '';
       virtualHosts."immich.xiny.li:8443".extraConfig = ''
         ${acmeCF}
         reverse_proxy 127.0.0.1:${toString config.services.immich.port}

modules/nixos/common-settings/mainland.nix

@@ -102,7 +102,7 @@ in
 
           upstream {
         	    globaldns: 'tls://dns.quad9.net'
-        	    cndns: 'h3://dns.alidns.com:443'
+        	    cndns: 'quic://dns.alidns.com:853'
         	    tsdns: 'udp://100.100.100.100'
         	    localdns: 'udp://127.0.0.1:53' 
           }
@@ -133,6 +133,11 @@ in
             filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms]
             policy: min_moving_avg
           }
+
+          clean_ip {
+            filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms]
+            policy: fixed(0)
+          }
         }
 
         # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
@@ -156,9 +161,13 @@ in
 
           # === Force Proxy ===
           domain(geosite:linkedin) -> default_group
+          domain(full: sourceware.org) -> clean_ip
 
           # === Custom direct rules ===
           domain(geosite:cn) -> direct
+          domain(geosite:steam@cn) -> direct
+          domain(suffix:steamserver.net) -> direct
+          domain(suffix:test.steampowered.com) -> direct
 
           dip(geoip:cn) -> direct
 

modules/nixos/common-settings/network.nix

@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   inherit (lib) mkEnableOption mkOption mkIf;
   inherit (config.my-lib.settings)
@@ -16,81 +21,138 @@ in
         default = 100;
       };
     };
+    tailscale = {
+      enable = mkEnableOption "Tailscale client" // {
+        default = true;
+      };
+      before = mkOption {
+        default = [ ];
+        type = lib.types.listOf lib.types.string;
+      };
+    };
   };
 
-  config = {
+  config = lib.mkMerge [
-    networking.resolvconf = mkIf cfg.localdns.enable {
+    (mkIf cfg.tailscale.enable {
-      enable = true;
+      sops = mkIf config.commonSettings.network.enableProxy {
-      dnsExtensionMechanism = false;
+        secrets = {
-      useLocalResolver = true;
+          "tailscale/authkey" = {
-    };
+            sopsFile = ../../../machines/secrets.yaml;
+            owner = config.systemd.services.tailscale.user;
+          };
+        };
+      };
 
-    services.resolved.enable = mkIf cfg.localdns.enable false;
+      services.tailscale = {
+        enable = true;
+        openFirewall = true;
+        permitCertUid = mkIf config.services.caddy.enable config.services.caddy.user;
+        extraUpFlags = [ "--accept-routes" ] ++ (lib.optional cfg.localdns.enable "--accept-dns=false");
+        authKeyFile = config.sops.secrets."tailscale/authkey".path;
+      };
+      commonSettings.network.tailscale.before = (
+        lib.optional config.services.caddy.enable "caddy.service"
+      );
 
-    networking.firewall.trustedInterfaces = [
+      systemd.services.tailscaled.before = cfg.tailscale.before;
-      config.services.tailscale.interfaceName
+      systemd.services.tailscaled.serviceConfig.ExecStartPost =
-    ];
+        pkgs.writers.writePython3 "tailscale-wait-online"
-    services.tailscale = mkIf cfg.localdns.enable {
+          {
-      extraUpFlags = [ "--accept-dns=false" ];
+            flakeIgnore = [
-    };
+              "E401" # import on one line
-
+              "E501" # line length limit
-    services.kresd = mkIf cfg.localdns.enable {
-      enable = true;
-      listenPlain = [ "127.0.0.1:53" ];
-      listenTLS = [ "127.0.0.1:853" ];
-      extraConfig =
-        let
-          listToLuaTable =
-            x:
-            lib.pipe x [
-              (builtins.split "\n")
-              (builtins.filter (s: s != [ ] && s != ""))
-              (lib.strings.concatMapStrings (x: "'${x}',"))
             ];
-          chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt);
+          }
-          globalSettings = ''
+          ''
-            log_level("notice")
+            import subprocess, json, time
-            modules = { 'hints > iterate', 'stats', 'predict' }
+
-            cache.size = ${toString cfg.localdns.cacheSize} * MB
+            for _ in range(30):
-            trust_anchors.remove(".")
+                status = json.loads(
+                    subprocess.run(
+                        ["${lib.getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
+                    ).stdout
+                )["Self"]["Online"]
+                if status:
+                    exit(0)
+                time.sleep(1)
+
+            exit(1)
           '';
-          tsSettings = ''
+
-            internalDomains = policy.todnames({'${internalDomain}'})
+    })
-            policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
+
-          '';
+    (mkIf cfg.localdns.enable {
-          proxySettings = ''
+      networking.resolvconf = {
-            policy.add(policy.domains(
+        enable = true;
-              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
+        dnsExtensionMechanism = false;
-              { todname('hk-00.namely.icu') }))
+        # We should disable local resolver if dae is enabled
-            policy.add(policy.domains(
+        # to let dns traffic go through dae
-              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
+        useLocalResolver = !config.commonSettings.network.enableProxy;
-              { todname('la-00.namely.icu') }))
+      };
-            policy.add(policy.domains(
+      services.resolved.enable = false;
-              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
+
-              { todname('fra-00.namely.icu') }))
+      services.kresd = {
-          '';
+        enable = true;
-          mainlandSettings = ''
+        listenPlain = [ "127.0.0.1:53" ];
-            chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
+        listenTLS = [ "127.0.0.1:853" ];
-            policy.add(policy.suffix(policy.TLS_FORWARD({
+        extraConfig =
-              { "223.5.5.5", hostname="dns.alidns.com" },
+          let
-              { "223.6.6.6", hostname="dns.alidns.com" },
+            listToLuaTable =
-            }), chinaDomains))
+              x:
-            policy.add(policy.all(policy.TLS_FORWARD({
+              lib.pipe x [
-              { "8.8.8.8", hostname="dns.google" },
+                (builtins.split "\n")
-              { "8.8.4.4", hostname="dns.google" },
+                (builtins.filter (s: s != [ ] && s != ""))
-            })))
+                (lib.strings.concatMapStrings (x: "'${x}',"))
-          '';
+              ];
-          overseaSettings = ''
+            chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt);
-            policy.add(policy.all(policy.TLS_FORWARD({
+            globalSettings = ''
-              { "8.8.8.8", hostname="dns.google" },
+              log_level("notice")
-              { "8.8.4.4", hostname="dns.google" },
+              modules = { 'hints > iterate', 'stats', 'predict' }
-            })))
+              cache.size = ${toString cfg.localdns.cacheSize} * MB
-          '';
+              trust_anchors.remove(".")
-        in
+            '';
-        globalSettings
+            tsSettings = ''
-        + (if config.services.dae.enable then proxySettings else "")
+              internalDomains = policy.todnames({'${internalDomain}'})
-        + (if config.services.tailscale.enable then tsSettings else "")
+              policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
-        + (if config.inMainland then mainlandSettings else overseaSettings);
+            '';
-    };
+            proxySettings = ''
-  };
+              policy.add(policy.domains(
+                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
+                { todname('hk-00.namely.icu') }))
+              policy.add(policy.domains(
+                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
+                { todname('la-00.namely.icu') }))
+              policy.add(policy.domains(
+                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
+                { todname('fra-00.namely.icu') }))
+            '';
+            mainlandSettings = ''
+              chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
+              policy.add(policy.suffix(policy.TLS_FORWARD({
+                { "223.5.5.5", hostname="dns.alidns.com" },
+                { "223.6.6.6", hostname="dns.alidns.com" },
+              }), chinaDomains))
+              policy.add(policy.all(policy.TLS_FORWARD({
+                { "8.8.8.8", hostname="dns.google" },
+                { "8.8.4.4", hostname="dns.google" },
+              })))
+            '';
+            overseaSettings = ''
+              policy.add(policy.all(policy.TLS_FORWARD({
+                { "8.8.8.8", hostname="dns.google" },
+                { "8.8.4.4", hostname="dns.google" },
+              })))
+            '';
+          in
+          globalSettings
+          + (if config.services.tailscale.enable then tsSettings else "")
+          + (
+            if config.commonSettings.network.enableProxy then
+              proxySettings + mainlandSettings
+            else
+              overseaSettings
+          );
+      };
+    })
+  ];
 }

modules/nixos/monitor/exporters.nix

@@ -11,35 +11,9 @@ let
 in
 {
   config = {
-    systemd.services.tailscaled.before =
+    commonSettings.network.tailscale.before =
       (lib.optional cfg.node.enable "prometheus-node-exporters.service")
-      ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service")
+      ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service");
-      ++ (lib.optional config.services.caddy.enable "caddy.service");
-
-    systemd.services.tailscaled.serviceConfig.ExecStartPost =
-      pkgs.writers.writePython3 "tailscale-wait-online"
-        {
-          flakeIgnore = [
-            "E401" # import on one line
-            "E501" # line length limit
-          ];
-        }
-        ''
-          import subprocess, json, time
-
-          for _ in range(30):
-              status = json.loads(
-                  subprocess.run(
-                      ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
-                  ).stdout
-              )["Self"]["Online"]
-              if status:
-                  exit(0)
-              time.sleep(1)
-
-          exit(1)
-        '';
-
     services.prometheus.exporters.node = mkIf cfg.node.enable {
       enable = true;
       enabledCollectors = [
@@ -122,26 +96,6 @@ in
 
     services.ntfy-sh.settings.enable-metrics = true;
 
-    services.caddy.globalConfig = ''
-      servers {
-        metrics
-      }
-
-      admin unix//var/run/caddy/admin.sock {
-        origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
-      }
-    '';
-
-    systemd.services.caddy.serviceConfig = {
-      RuntimeDirectory = "caddy";
-      RuntimeDirectoryMode = "0700";
-    };
-
-    services.tailscale = {
-      permitCertUid = config.services.caddy.user;
-      openFirewall = true;
-    };
-
     services.caddy = {
       virtualHosts."https://${config.networking.hostName}.coho-tet.ts.net:2019".extraConfig = ''
         handle /metrics {

scripts/update-china-list.sh

@@ -2,3 +2,10 @@ output_file="modules/nixos/common-settings/china-domains.txt"
 curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/accelerated-domains.china.raw.txt" > "$output_file"
 curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/apple.china.raw.txt" >> "$output_file"
 curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/google.china.raw.txt" >> "$output_file"
+# extra rules
+cat >> $output_file <<- EOM
+test.steampowered.com
+steamserver.net
+api.steampowered.com
+EOM
+