


6fe7504460
ci: eval deploy 2024-12-20 18:15:18 +08:00
89 changed files with 1374 additions and 216892 deletions


@ -1,8 +1,10 @@
name: Eval NixOS Configurations name: Eval NixOS Configurations
on: on:
check_suite: push:
types: [completed] branches:
- deploy
workflow_dispatch:
permissions: permissions:
contents: write contents: write
@ -18,10 +20,6 @@ jobs:
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@v25 uses: cachix/install-nix-action@v25
with:
extra_nix_conf: |
extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=
extra-substituters = https://cache.garnix.io
- name: Configure Git - name: Configure Git
run: | run: |
@ -35,26 +33,19 @@ jobs:
hosts=$(nix flake show --json | jq -r '.nixosConfigurations | keys[]') hosts=$(nix flake show --json | jq -r '.nixosConfigurations | keys[]')
echo "Found hosts: $hosts" echo "Found hosts: $hosts"
failed_hosts=""
for host in $hosts; do for host in $hosts; do
echo "Eval derivation for $host" echo "Eval derivation for $host"
if ! nix derivation show ".#nixosConfigurations.$host.config.system.build.toplevel" > "eval/$host.json"; then if ! nix show-derivation -L ".#nixosConfigurations.$host.config.system.build.toplevel" > "eval/$host.json"; then
echo "❌ Failed to evaluate $host" echo "❌ Failed to evaluate $host"
failed_hosts+="$host "
rm "eval/$host.json"
else else
echo "✅ Successfully evaluated $host" echo "✅ Successfully evaluated $host"
fi fi
done done
echo "Total hosts: $(echo "$hosts" | wc -w)"
echo "Failed hosts: $failed_hosts" echo "Failed hosts: $failed_hosts"
git add eval/ git add eval/
git commit -m "Update deployment configurations for all hosts" git commit -m "Update deployment configurations for all hosts"
git push -f origin deploy-comin-eval git push origin deploy-comin-eval
# After success, reset deploy-comin to new deploy
git checkout -b deploy-comin
git reset --hard deploy
git push -f origin deploy-comin
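Review bot: On the right-hand (new) side of the loop, the failure branch after the `if ! nix show-derivation -L ...` line only echoes, so a host whose evaluation fails leaves a truncated `eval/$host.json` in the tree that `git add eval/` then commits and pushes to `deploy-comin-eval`, and `echo "Failed hosts: $failed_hosts"` prints an empty string because nothing on that side assigns it. Assuming the single-column lines `failed_hosts=""`, `failed_hosts+="$host "` and `rm "eval/$host.json"` belong to the left side, as the 26→19 line count of this hunk suggests, the new side should keep them in the failure branch and end the step with `[ -z "$failed_hosts" ] || exit 1` so a broken host fails the job instead of a partial artifact being pushed silently. The `run:` script this loop belongs to starts outside the hunk.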


@ -9,7 +9,6 @@ keys:
- &host-fra-00 age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s - &host-fra-00 age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
- &host-biotite age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv - &host-biotite age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv
- &host-thorite age12ng08vjx5jde5ncqutwkd5vm4ygfwy33mzhzwe0lkxzglulgpqusc89r96 - &host-thorite age12ng08vjx5jde5ncqutwkd5vm4ygfwy33mzhzwe0lkxzglulgpqusc89r96
- &host-agate age1x79t4crvt8qj34vn052s0kaj80z87np83adqra953yjpydrzkqqspt6zcj
creation_rules: creation_rules:
- path_regex: machines/secrets.yaml - path_regex: machines/secrets.yaml
key_groups: key_groups:
@ -23,7 +22,6 @@ creation_rules:
- *host-hk-00 - *host-hk-00
- *host-fra-00 - *host-fra-00
- *host-la-00 - *host-la-00
- *host-agate
- path_regex: machines/calcite/secrets.yaml - path_regex: machines/calcite/secrets.yaml
key_groups: key_groups:
- age: - age:
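Review bot: Dropping `*host-agate` from the `machines/secrets.yaml` key group (and the `&host-agate` anchor under `keys:`) only changes who future encryptions target; the existing `machines/secrets.yaml` ciphertext keeps agate's age recipient until the file is re-keyed with `sops updatekeys`. If that re-encryption is not part of this commit (the suppressed large diff may be it), the file should be re-keyed, and because the agate host's secret key is no longer managed by this repo, the values it could decrypt are better treated as candidates for rotation than merely re-keyed. Which column is the new state is inferred from the side-by-side layout; this assumes the right-hand column is new.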


351
flake.lock generated

@ -1,17 +1,12 @@
{ {
"nodes": { "nodes": {
"catppuccin": { "catppuccin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1746650299, "lastModified": 1733001911,
"narHash": "sha256-4+pxk1KcSH8ww3tgN808nNJ3E7Q8gNWI+U0sesW7mBQ=", "narHash": "sha256-uX/9m0TbdhEzuWA0muM5mI/AaWcLiDLjCCyu5Qr9MRk=",
"owner": "catppuccin", "owner": "catppuccin",
"repo": "nix", "repo": "nix",
"rev": "f746600f15b69df05c84e3037749a3be5b1276d1", "rev": "a817009ebfd2cca7f70a77884e5098d0a8c83f8e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -31,11 +26,11 @@
"stable": "stable" "stable": "stable"
}, },
"locked": { "locked": {
"lastModified": 1739900653, "lastModified": 1731527002,
"narHash": "sha256-hPSLvw6AZQYrZyGI6Uq4XgST7benF/0zcCpugn/P0yM=", "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=",
"owner": "zhaofengli", "owner": "zhaofengli",
"repo": "colmena", "repo": "colmena",
"rev": "2370d4336eda2a9ef29fce10fa7076ae011983ab", "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -44,24 +39,25 @@
"type": "github" "type": "github"
} }
}, },
"comin": { "devshell": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"my-nixvim",
"nixvim",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1743515958, "lastModified": 1728330715,
"narHash": "sha256-KVRJFopEeIXROx0utbNeDINLGGJ2G2ET41Ccv9A1iow=", "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "xinyangli", "owner": "numtide",
"repo": "comin", "repo": "devshell",
"rev": "88e4f7cba2869acb8d738b1e8d15985a094f560f", "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "xinyangli", "owner": "numtide",
"ref": "garnix-executor", "repo": "devshell",
"repo": "comin",
"type": "github" "type": "github"
} }
}, },
@ -72,11 +68,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1746695246, "lastModified": 1733168902,
"narHash": "sha256-7Tz4PQA/iLnwJX56VdCxMB66HOiWT/i9pmSiCNHqDKc=", "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "c7e0b00007ff6c0e2a6dd5c521aeef22ccdad026", "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -101,16 +97,46 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1743550720, "lastModified": 1730504689,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5", "rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -128,11 +154,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743550720, "lastModified": 1730504689,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5", "rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -200,11 +226,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1726560853,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -213,6 +239,62 @@
"type": "github" "type": "github"
} }
}, },
"git-hooks": {
"inputs": {
"flake-compat": [
"my-nixvim",
"nixvim",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"my-nixvim",
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"my-nixvim",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730814269,
"narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "d70155fdc00df4628446352fc58adc640cd705c2",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"my-nixvim",
"nixvim",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -220,11 +302,33 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1746661235, "lastModified": 1733754861,
"narHash": "sha256-TAm/SnOT8AD3YKYOdjtg5Nmf/hCKEwc0USHBIoXV8qo=", "narHash": "sha256-3JKzIou54yjiMVmvgdJwopekEvZxX3JDT8DpKZs4oXY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "ec71b5162848e6369bdf2be8d2f1dd41cded88e8", "rev": "9ebaa80a227eaca9c87c53ed515ade013bc2bca9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"my-nixvim",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731235328,
"narHash": "sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "60bb110917844d354f3c18e05450606a435d2d10",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -249,16 +353,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1737371634, "lastModified": 1729958008,
"narHash": "sha256-fTVAWzT1UMm1lT+YxHuVPtH+DATrhYfea3B0MxG/cGw=", "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
"owner": "NuschtOS", "owner": "NuschtOS",
"repo": "ixx", "repo": "ixx",
"rev": "a1176e2a10ce745ff8f63e4af124ece8fe0b1648", "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NuschtOS", "owner": "NuschtOS",
"ref": "v0.0.7", "ref": "v0.0.6",
"repo": "ixx", "repo": "ixx",
"type": "github" "type": "github"
} }
@ -272,11 +376,11 @@
"nixvim": "nixvim" "nixvim": "nixvim"
}, },
"locked": { "locked": {
"lastModified": 1745412132, "lastModified": 1732936640,
"narHash": "sha256-TO2iwVW9qMOukTBhtqxtBOHjGH9DG40plde+53l4DPI=", "narHash": "sha256-NcluA0L+ZV5MUj3UuQhlkGCj8KoEhX/ObWlMHZ/F/ac=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "95b077c2bacf02f844f3bc169d8a91e38474fb72", "rev": "a3709a89797ea094f82d38edeb4a538c07c8c3fa",
"revCount": 28, "revCount": 20,
"type": "git", "type": "git",
"url": "https://git.xiny.li/xin/nixvim" "url": "https://git.xiny.li/xin/nixvim"
}, },
@ -285,6 +389,28 @@
"url": "https://git.xiny.li/xin/nixvim" "url": "https://git.xiny.li/xin/nixvim"
} }
}, },
"nix-darwin": {
"inputs": {
"nixpkgs": [
"my-nixvim",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731153869,
"narHash": "sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "5c74ab862c8070cbf6400128a1b56abb213656da",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-github-actions": { "nix-github-actions": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -313,11 +439,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1746330942, "lastModified": 1733629314,
"narHash": "sha256-ShizFaJCAST23tSrHHtFFGF0fwd72AG+KhPZFFQX/0o=", "narHash": "sha256-U0vivjQFAwjNDYt49Krevs1murX9hKBFe2Ye0cHpgbU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "137fd2bd726fff343874f85601b51769b48685cc", "rev": "f1e477a7dd11e27e7f98b646349cd66bbabf2fb8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -328,6 +454,7 @@
}, },
"nix-vscode-extensions": { "nix-vscode-extensions": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": [ "flake-utils": [
"flake-utils" "flake-utils"
], ],
@ -336,11 +463,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1746669583, "lastModified": 1733795858,
"narHash": "sha256-zQbz1kINODnwY1stHEZfkpWX1D6jn/h/lEOQpQlOoRM=", "narHash": "sha256-K595Q2PrZv2iiumdBkwM2G456T2lKsLD71bn/fbJiQ0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "2e10ad11395ac09a73ad38f0cbe975e410065ca5", "rev": "66ced222ef9235f90dbdd754ede3d6476722aaa9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -351,11 +478,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1746621361, "lastModified": 1733481457,
"narHash": "sha256-T9vOxEqI1j1RYugV0b9dgy0AreiZ9yBDKZJYyclF0og=", "narHash": "sha256-IS3bxa4N1VMSh3/P6vhEAHQZecQ3oAlKCDvzCQSO5Is=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "2ea3ad8a1f26a76f8a8e23fc4f7757c46ef30ee5", "rev": "e563803af3526852b6b1d77107a81908c66a9fcf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -365,65 +492,41 @@
"type": "github" "type": "github"
} }
}, },
"nixos-sbc": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1746635197,
"narHash": "sha256-7tcX3LUPp7Qmi1s14Sm2qaudvRBBMJ0gvEw8dumViYU=",
"owner": "nakato",
"repo": "nixos-sbc",
"rev": "cf727094afb89c2f94b9f7dcf596c34d55429b88",
"type": "github"
},
"original": {
"owner": "nakato",
"ref": "main",
"repo": "nixos-sbc",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1744868846, "lastModified": 1731139594,
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixpkgs-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1743296961, "lastModified": 1730504152,
"narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
"owner": "nix-community", "type": "tarball",
"repo": "nixpkgs.lib", "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
"rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
"type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "type": "tarball",
"repo": "nixpkgs.lib", "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
"type": "github"
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1735563628, "lastModified": 1733730953,
"narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", "narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", "rev": "7109b680d161993918b0a126f38bc39763e5a709",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -435,11 +538,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1745844501, "lastModified": 1733805440,
"narHash": "sha256-QDm2ETNvTdjO+Uyr3FVQ11Y2hUYxKN1kc/U0NZ/Uo5o=", "narHash": "sha256-AQdCeGt3dMV9/cchlWGMcP0Z8qM47V+B0p7cSRr+HhA=",
"owner": "xinyangli", "owner": "xinyangli",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7f98e3a02655e198f720b704cc51a4c9030cb735", "rev": "61b1078fca3a097ce06ada68a6f2766347eed02c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -451,11 +554,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1746461020, "lastModified": 1733581040,
"narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=", "narHash": "sha256-Qn3nPMSopRQJgmvHzVqPcE3I03zJyl8cSbgnnltfFDY=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae", "rev": "22c3f2cf41a0e70184334a958e6b124fb0ce3e01",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -467,16 +570,22 @@
}, },
"nixvim": { "nixvim": {
"inputs": { "inputs": {
"devshell": "devshell",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"git-hooks": "git-hooks",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nuschtosSearch": "nuschtosSearch" "nuschtosSearch": "nuschtosSearch",
"treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1745324162, "lastModified": 1731527733,
"narHash": "sha256-Sjb/LvtWpPtSXacjJCTrLAmWtXNJd0SWxO3PzTvD7Tc=", "narHash": "sha256-12OpSgbLDiKmxvBXwVracIfGI9FpjFyHpa1r0Ho+NFA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "60638182b8d1b0fe13631d02eafaf8903499ee60", "rev": "f11a877bcc1d66cc8bd7990c704f91c1e99c7d08",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -489,14 +598,14 @@
"inputs": { "inputs": {
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1746694489, "lastModified": 1733805328,
"narHash": "sha256-g7kaChZ34J4RabOLJt1t37dLysmOjKNxW1gEmZ8kJnQ=", "narHash": "sha256-5F49/mOzFb40uUZh71uNr7kBXjDCw5ZfHMbpZjjUVBQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "62161e584fcd651968963baf092a4a02931de216", "rev": "b54fa3d8c020e077d88be036a12a711b84fe2031",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -516,11 +625,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1745046075, "lastModified": 1731060242,
"narHash": "sha256-8v4y6k16Ra/fiecb4DxhsoOGtzLKgKlS+9/XJ9z0T2I=", "narHash": "sha256-43yLsOm/wxBbfYSNDWVJeVv5Ij+23X3BIjFUfsdx/6M=",
"owner": "NuschtOS", "owner": "NuschtOS",
"repo": "search", "repo": "search",
"rev": "066afe8643274470f4a294442aadd988356a478f", "rev": "ef493352f9e1f051e01a55c062731503a6b36b4e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -533,7 +642,6 @@
"inputs": { "inputs": {
"catppuccin": "catppuccin", "catppuccin": "catppuccin",
"colmena": "colmena", "colmena": "colmena",
"comin": "comin",
"disko": "disko", "disko": "disko",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_2",
"home-manager": "home-manager", "home-manager": "home-manager",
@ -541,7 +649,6 @@
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nix-vscode-extensions": "nix-vscode-extensions", "nix-vscode-extensions": "nix-vscode-extensions",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixos-sbc": "nixos-sbc",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable", "nixpkgs-stable": "nixpkgs-stable",
"nur": "nur", "nur": "nur",
@ -555,11 +662,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1746485181, "lastModified": 1733785344,
"narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=", "narHash": "sha256-pm4cfEcPXripE36PYCl0A2Tu5ruwHEvTee+HzNk+SQE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e93ee1d900ad264d65e9701a5c6f895683433386", "rev": "a80af8929781b5fe92ddb8ae52e9027fae780d2a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -615,6 +722,28 @@
} }
}, },
"treefmt-nix": { "treefmt-nix": {
"inputs": {
"nixpkgs": [
"my-nixvim",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730321837,
"narHash": "sha256-vK+a09qq19QNu2MlLcvN4qcRctJbqWkX7ahgPZ/+maI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "746901bb8dba96d154b66492a29f5db0693dbfcc",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nur", "nur",


@ -49,23 +49,12 @@
catppuccin = { catppuccin = {
url = "github:catppuccin/nix"; url = "github:catppuccin/nix";
inputs.nixpkgs.follows = "nixpkgs";
}; };
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
comin = {
url = "github:xinyangli/comin/garnix-executor";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-sbc = {
url = "github:nakato/nixos-sbc/main";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
@ -83,8 +72,6 @@
colmena, colmena,
nix-index-database, nix-index-database,
disko, disko,
comin,
nixos-sbc,
... ...
}: }:
let let
@ -115,21 +102,13 @@
self.homeManagerModules.default self.homeManagerModules.default
sops-nix.homeManagerModules.sops sops-nix.homeManagerModules.sops
nix-index-database.hmModules.nix-index nix-index-database.hmModules.nix-index
catppuccin.homeModules.catppuccin catppuccin.homeManagerModules.catppuccin
]; ];
sharedNixosModules = [ sharedNixosModules = [
self.nixosModules.default self.nixosModules.default
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
comin.nixosModules.comin
]; ];
nodeNixosModules = { nodeNixosModules = {
weilite = [
./machines/weilite
];
agate = [
disko.nixosModules.disko
./machines/agate
];
calcite = [ calcite = [
nixos-hardware.nixosModules.asus-zephyrus-ga401 nixos-hardware.nixosModules.asus-zephyrus-ga401
catppuccin.nixosModules.catppuccin catppuccin.nixosModules.catppuccin
@ -159,11 +138,6 @@
disko.nixosModules.disko disko.nixosModules.disko
./machines/biotite ./machines/biotite
]; ];
baryte = [
nixos-sbc.nixosModules.default
nixos-sbc.nixosModules.boards.bananapi.bpir4
./machines/baryte
];
}; };
sharedColmenaModules = [ sharedColmenaModules = [
deploymentModule deploymentModule
@ -188,17 +162,7 @@
system ? null, system ? null,
}: }:
nixpkgs.lib.nixosSystem { nixpkgs.lib.nixosSystem {
modules = modules = sharedNixosModules ++ nodeNixosModules.${hostname};
sharedNixosModules
++ nodeNixosModules.${hostname}
++ [
(
{ lib, ... }:
{
networking.hostName = lib.mkDefault hostname;
}
)
];
}; };
# TODO: # TODO:
mkColmenaHive = mkColmenaHive =
@ -229,6 +193,18 @@
}; };
}; };
massicot =
{ ... }:
{
deployment.targetHost = "49.13.13.122";
deployment.buildOnTarget = true;
imports = [
{ nixpkgs.system = "aarch64-linux"; }
machines/massicot
] ++ sharedColmenaModules;
};
la-00 = la-00 =
{ ... }: { ... }:
{ {
@ -286,6 +262,17 @@
] ++ sharedColmenaModules; ] ++ sharedColmenaModules;
}; };
weilite =
{ ... }:
{
imports = [ machines/weilite ] ++ sharedColmenaModules;
deployment = {
targetHost = "weilite.coho-tet.ts.net";
targetPort = 22;
buildOnTarget = false;
};
nixpkgs.system = "x86_64-linux";
};
thorite = thorite =
{ ... }: { ... }:
{ {
@ -315,35 +302,8 @@
calcite = mkNixos { calcite = mkNixos {
hostname = "calcite"; hostname = "calcite";
}; };
weilite = mkNixos {
hostname = "weilite";
};
agate = mkNixos {
hostname = "agate";
};
baryte = mkNixos {
hostname = "baryte";
};
} // self.colmenaHive.nodes; } // self.colmenaHive.nodes;
hydraJobs =
let
includeHosts = [
"agate"
"raspite"
"baryte"
"osmium"
];
in
builtins.listToAttrs (
map (h: {
name = h;
value = self.nixosConfigurations.${h}.config.system.build.toplevel;
}) includeHosts
);
} }
// flake-utils.lib.eachDefaultSystem ( // flake-utils.lib.eachDefaultSystem (
system: system:
@ -367,6 +327,7 @@
packages = with pkgs; [ packages = with pkgs; [
nix nix
git git
colmena.packages.${system}.colmena
sops sops
nix-output-monitor nix-output-monitor
nil nil
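Review bot: On the right-hand side `mkNixos` reduces to `modules = sharedNixosModules ++ nodeNixosModules.${hostname};`, dropping the inline module that set `networking.hostName = lib.mkDefault hostname;`. Unless every entry in `nodeNixosModules` sets `networking.hostName` itself (not visible here), those systems now evaluate with NixOS's default hostname, and anything derived from it changes with them. If that is intentional, a one-line comment above `mkNixos` such as `# hosts set networking.hostName in their own machine module` would save the next reader the check. The argument set of `mkNixos` starts outside the hunk.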


@ -1,38 +1,10 @@
builds: builds:
- include: include:
- nixosConfigurations.* - '*.x86_64-linux.*'
exclude: - defaultPackage.x86_64-linux
- nixosConfigurations.osmium - devShell.x86_64-linux
- nixosConfigurations.raspite - homeConfigurations.x86_64-linux.*
- nixosConfigurations.agate - homeConfigurations.aarch64-linux.*
- nixosConfigurations.baryte - darwinConfigurations.*
branch: deploy - nixosConfigurations.*
- include:
- nixosConfigurations.*
exclude:
- nixosConfigurations.osmium
- nixosConfigurations.raspite
- nixosConfigurations.agate
- nixosConfigurations.baryte
branch: deploy-next
- include:
- nixosConfigurations.biotite
branch: testing-biotite
- include:
- nixosConfigurations.calcite
branch: testing-calcite
- include:
- nixosConfigurations.fra-00
branch: testing-fra-00
- include:
- nixosConfigurations.hk-00
branch: testing-hk-00
- include:
- nixosConfigurations.la-00
branch: testing-la-00
- include:
- nixosConfigurations.thorite
branch: testing-thorite
- include:
- nixosConfigurations.weilite
branch: testing-weilite


@ -1,6 +1,5 @@
{ {
xin = { xin = {
calcite = import ./xin/calcite.nix; calcite = import ./xin/calcite.nix;
gold = import ./xin/gold;
}; };
} }


@ -5,9 +5,6 @@ in
{ {
imports = [ imports = [
./common ./common
./common/pentesting.nix
./common/gui/foot.nix
./common/gui/default.nix
]; ];
programs.nix-index-database.comma.enable = true; programs.nix-index-database.comma.enable = true;
@ -44,40 +41,6 @@ in
wechat-uos wechat-uos
wpsoffice wpsoffice
ttf-wps-fonts ttf-wps-fonts
eudic
exiftool
darktable
kdePackages.kdenlive
inkscape
gimp3
gthumb
oculante
# Multimedia
vlc
obs-studio
spotify
spot
# IM
element-desktop
tdesktop
# Password manager
bitwarden
# Browser
chromium
# Writting
zotero
# wemeet
wemeet
imhex
oidc-agent
]; ];
# Theme # Theme
@ -86,10 +49,21 @@ in
accent = "peach"; accent = "peach";
flavor = "mocha"; flavor = "mocha";
}; };
# Missing from catppuccin module
services.swaync.style = pkgs.fetchurl {
url = "https://github.com/catppuccin/swaync/releases/download/v0.2.3/mocha.css";
hash = "sha256-Hie/vDt15nGCy4XWERGy1tUIecROw17GOoasT97kIfc=";
};
xdg.enable = true; xdg.enable = true;
custom-hm = { custom-hm = {
alacritty = {
enable = true;
};
cosmic-term = {
enable = true;
};
direnv = { direnv = {
enable = true; enable = true;
}; };
@ -112,7 +86,7 @@ in
}; };
}; };
vscode = { vscode = {
enable = false; enable = true;
languages = { languages = {
cxx = true; cxx = true;
python = true; python = true;
@ -134,12 +108,10 @@ in
xdg.systemDirs.data = [ xdg.systemDirs.data = [
"/usr/share" "/usr/share"
"/var/lib/flatpak/exports/share"
"${homeDirectory}/.local/share/flatpak/exports/share"
]; ];
xdg.configFile."distrobox/distrobox.conf".text = ''
container_additional_volumes="/nix/store:/nix/store:ro /etc/profiles/per-user:/etc/profiles/per-user:ro"
'';
programs.man.generateCaches = false; programs.man.generateCaches = false;
programs.atuin = { programs.atuin = {
@ -147,14 +119,6 @@ in
flags = [ "--disable-up-arrow" ]; flags = [ "--disable-up-arrow" ];
}; };
programs.zathura = {
enable = true;
options = {
recolor = false;
selection-clipboard = "clipboard";
};
};
programs.firefox = { programs.firefox = {
enable = true; enable = true;
policies.DefaultDownloadDirectory = "/media/data/Downloads"; policies.DefaultDownloadDirectory = "/media/data/Downloads";


@ -1,12 +0,0 @@
{ config, pkgs, ... }:
{
home.packages = with pkgs; [
# File Manager
xfce.thunar
xfce.thunar-archive-plugin
xfce.thunar-media-tags-plugin
xfce.thunar-volman
swayimg
];
}


@ -1,15 +0,0 @@
{ pkgs, lib, ... }:
{
programs.foot = {
enable = true;
settings = {
main = {
font = "monospace:size=14";
};
desktop-notifications = {
command = "${lib.getExe pkgs.libnotify} --wait --app-name \${app-id} --icon \${app-id} --category \${category} --urgency \${urgency} --expire-time \${expire-time} --hint STRING:image-path:\${icon} --hint BOOLEAN:suppress-sound:\${muted} --hint STRING:sound-name:\${sound-name} --replace-id \${replace-id} \${action-argument} --print-id -- \${title} \${body}";
inhibit-when-focused = "yes";
};
};
};
}


@ -1,6 +0,0 @@
{ pkgs, ... }:
{
home.packages = with pkgs; [
burpsuite
];
}


@ -0,0 +1,25 @@
{ config, pkgs, ... }:
{
imports = [ ../common ];
home.username = "xin";
home.homeDirectory = "/home/xin";
home.stateVersion = "23.05";
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
accounts.email.accounts.gmail = {
primary = true;
address = "lixinyang411@gmail.com";
flavor = "gmail.com";
};
accounts.email.accounts.whu = {
address = "lixinyang411@whu.edu.cn";
};
accounts.email.accounts.foxmail = {
address = "lixinyang411@foxmail.com";
};
}


@ -1,122 +0,0 @@
{ lib, ... }:
let
fix-folly-build = (
final: prev: {
folly =
let
lib = prev.lib;
stdenv = prev.stdenv;
in
prev.folly.overrideAttrs {
checkPhase = ''
runHook preCheck
ctest -j $NIX_BUILD_CORES --output-on-failure --exclude-regex ${
lib.escapeShellArg (
lib.concatMapStringsSep "|" (test: "^${lib.escapeRegex test}$") (
[
"concurrency_concurrent_hash_map_test.*/ConcurrentHashMapTest/*.StressTestReclamation"
"io_async_ssl_session_test.SSLSessionTest.BasicTest"
"io_async_ssl_session_test.SSLSessionTest.NullSessionResumptionTest"
"singleton_thread_local_test.SingletonThreadLocalDeathTest.Overload"
# very strict timing constraints, will fail under load
"io_async_hh_wheel_timer_test.HHWheelTimerTest.CancelTimeout"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.DefaultTimeout"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.DeleteWheelInTimeout"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.DestroyTimeoutSet"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.FireOnce"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.GetTimeRemaining"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.IntrusivePtr"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.Level1"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.NegativeTimeout"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.ReschedTest"
"io_async_hh_wheel_timer_test.HHWheelTimerTest.SlowFast"
"concurrent_skip_list_test.ConcurrentSkipList.ConcurrentAdd"
]
++ lib.optionals stdenv.hostPlatform.isLinux [
"concurrency_cache_locality_test.CacheLocality.BenchmarkSysfs"
"concurrency_cache_locality_test.CacheLocality.LinuxActual"
"futures_future_test.Future.NoThrow"
"futures_retrying_test.RetryingTest.largeRetries"
]
++ lib.optionals stdenv.hostPlatform.isDarwin [
"buffered_atomic_test.BufferedAtomic.singleThreadUnguardedAccess"
"io_async_notification_queue_test.NotificationQueueTest.UseAfterFork"
"container_heap_vector_types_test.HeapVectorTypes.SimpleSetTes"
]
)
)
}
runHook postCheck
'';
};
}
);
in
{
imports = [
./hardware-configuration.nix
./disk-config.nix
./services
];
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
devices = lib.mkForce [ ];
mirroredBoots = [
{
devices = [
"/dev/disk/by-partlabel/disk-ssd1-system_p1"
];
path = "/boot0";
}
{
devices = [
"/dev/disk/by-partlabel/disk-ssd2-system_p2"
];
path = "/boot1";
}
];
};
users.users.root.hashedPassword = "$y$j9T$vgLUF3/R0RJpDu7e22fSW.$CPomHsuRziERtNGUnnMZZDQG.Vj7LCe5PUOSbvkwSV3";
commonSettings = {
auth.enable = true;
nix = {
enable = true;
};
comin.enable = true;
network.localdns.enable = true;
};
system.stateVersion = "25.05";
time.timeZone = "Asia/Shanghai";
nix.settings = {
max-jobs = 8;
cores = 16;
substituters = [ "https://cache.ngi0.nixos.org/" ];
trusted-public-keys = [ "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=" ];
};
nixpkgs.config.contentAddressedByDefault = true;
nixpkgs.overlays = [ fix-folly-build ];
custom.prometheus.exporters = {
enable = true;
blackbox = {
enable = true;
};
node = {
enable = true;
};
};
custom.monitoring = {
promtail.enable = true;
};
}


@ -1,132 +0,0 @@
{
disko.devices = {
disk = {
ssd1 = {
type = "disk";
device = "/dev/disk/by-path/pci-0004:49:00.0-sas-exp0x500e004aaaaaaa1f-phy1-lun-0";
content = {
type = "gpt";
partitions = {
BOOT = {
size = "1M";
type = "EF02";
};
ESP = {
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot0";
};
};
system_p1 = {
size = "100%";
};
};
};
};
ssd2 = {
type = "disk";
device = "/dev/disk/by-path/pci-0004:49:00.0-sas-exp0x500e004aaaaaaa1f-phy2-lun-0";
content = {
type = "gpt";
partitions = {
BOOT = {
size = "1M";
type = "EF02";
};
ESP = {
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot1";
};
};
system_p2 = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [
"-f"
"-d raid1"
"/dev/disk/by-partlabel/disk-ssd1-system_p1"
];
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
# Subvolume name is the same as the mountpoint
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
# Parent is not mounted so the mountpoint must be set
"/nix" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/nix";
};
"/persistent" = {
mountOptions = [
"noatime"
# Lots of dbs in /var/lib, let's disable cow
"nodatacow"
];
mountpoint = "/var/lib";
};
};
};
};
};
};
};
hdd1 = {
type = "disk";
device = "/dev/disk/by-id/ata-WUH721414ALE6L0_9KGEMPVL";
content = {
type = "gpt";
partitions = {
storage_p1 = {
size = "100%";
};
};
};
};
hdd2 = {
type = "disk";
device = "/dev/disk/by-id/ata-WUH721414ALE6L0_X1G14ZNL";
content = {
type = "gpt";
partitions = {
storage_p2 = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [
"-f"
"-d raid1"
"/dev/disk/by-partlabel/disk-hdd1-storage_p1"
];
subvolumes = {
"/storage" = {
mountOptions = [
"compress=zstd"
];
mountpoint = "/storage";
};
};
};
};
};
};
};
};
};
}


@ -1,23 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "mpt3sas" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}


@ -1,9 +0,0 @@
{
services.hydra = {
enable = true;
hydraURL = "http://agate.coho-tet.ts.net:3000/";
notificationSender = "hydra@localhost";
buildMachinesFiles = [ ];
useSubstitutes = true;
};
}


@ -1,6 +0,0 @@
{
services.minio = {
enable = true;
region = "ap-east-1";
};
}


@ -1,19 +0,0 @@
{ config, lib, ... }:
{
imports = [
];
config = {
nixpkgs.hostPlatform = "aarch64-linux";
system.stateVersion = "25.05";
users.users.root.hashedPassword = "$y$j9T$NToEZWJBONjSgRnMd9Ur9/$o6n7a9b8eUILQz4d37oiHCCVnDJ8hZTZt.c.37zFfU.";
commonSettings = {
auth.enable = true;
network.localdns.enable = true;
serverComponents.enable = true;
};
services.openssh.enable = true;
time.timeZone = "Asia/Shanghai";
};
}


@ -1,20 +0,0 @@
{ config, modulesPath, ... }:
{
imports = [ ];
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/vda";
content = {
type = "gpt";
partitions = {
boot = config.diskPartitions.grubMbr;
root = config.diskPartitions.btrfs;
};
};
};
};
};
}


@ -15,7 +15,6 @@
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/forgejo.nix ./services/forgejo.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/kanidm.nix
]; ];
networking.hostName = "biotite"; networking.hostName = "biotite";
@ -37,9 +36,21 @@
commonSettings = { commonSettings = {
auth.enable = true; auth.enable = true;
comin.enable = true;
}; };
custom.monitoring = {
promtail.enable = true;
};
custom.prometheus.exporters = {
enable = true;
node.enable = true;
};
services.tailscale.enable = true;
services.caddy.enable = true;
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
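Review bot: The new side turns on `custom.prometheus.exporters.node` and `custom.monitoring.promtail` on a host that also enables `services.caddy` and serves Forgejo/Hedgedoc/Vaultwarden publicly, but nothing in this hunk restricts where the exporter listens; if the `custom.prometheus.exporters` module binds to all interfaces by default, the metrics endpoint is reachable from the internet instead of only from the scraping host over `services.tailscale`. I cannot see that module's options from here, so at minimum pin the intent next to `exporters.enable = true;` with `# NOTE: exporter must listen on tailscale0/loopback only — confirm in custom.prometheus module` and verify it. The `sops` attribute set at the bottom continues outside the hunk.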


@ -11,8 +11,6 @@ hedgedoc:
client_secret: ENC[AES256_GCM,data:J6lRBM7V6F+gPYVyEbOzsFUQe8+3ggP0r58c655DNt7TGgKGdq95pRvLaghMmBCc,iv:i+eLYwnmG1/bKtad2iM2pwEAC3GZLNaKS5ldbubRvyY=,tag:yxaug6YdYo8RR3YOyHd/iA==,type:str] client_secret: ENC[AES256_GCM,data:J6lRBM7V6F+gPYVyEbOzsFUQe8+3ggP0r58c655DNt7TGgKGdq95pRvLaghMmBCc,iv:i+eLYwnmG1/bKtad2iM2pwEAC3GZLNaKS5ldbubRvyY=,tag:yxaug6YdYo8RR3YOyHd/iA==,type:str]
forgejo: forgejo:
client_secret: ENC[AES256_GCM,data:5OXhaGzBCbge2tvTaU4ry6/KoavQeYJ45EuakCQJlxb5gMXjRK/s+feF25YJSr2f,iv:TT8j+ciKeSQCZzu1E7D70hWNFpn0cGiomz7jURXjavc=,tag:JVJR033Pc2vaLudaovkl8w==,type:str] client_secret: ENC[AES256_GCM,data:5OXhaGzBCbge2tvTaU4ry6/KoavQeYJ45EuakCQJlxb5gMXjRK/s+feF25YJSr2f,iv:TT8j+ciKeSQCZzu1E7D70hWNFpn0cGiomz7jURXjavc=,tag:JVJR033Pc2vaLudaovkl8w==,type:str]
vaultwarden:
admin_token: ENC[AES256_GCM,data:hRmnuehfMk3bF7tkxShnAGH1OB/yyCyaJqhdJQvSmVMtr6Cz7j1ZEeqfRI+jrqOi,iv:xYmP0Kwp5XkCcJWjqLwFOxRtUxIUH1r1fLUr5xyvpWo=,tag:Yj2nME07cA+ve3ipN6Ehqg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -37,8 +35,8 @@ sops:
RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT
ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg== ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-23T13:32:31Z" lastmodified: "2024-12-04T05:07:32Z"
mac: ENC[AES256_GCM,data:9xbcK+hl+tZTyikCpIOY6YBgaY8AOvaekyKTbQ47KJkQeNb3eyfAxBB1kivu/LU8H8pWWST8GpL/umllbwMzjRLVXU63CQle5cDuDVq9ySPMdxhmxyZ23bKJp7jUzTrGQMm+jnguCuCMxEeDo+R0ZD8a2nvbBT1XKYyVFSBB/0E=,iv:D5RrNSRa7bxivGCu24YT0nO0vuorSEK1VNVOEsJIfaA=,tag:xXXk9uCqZpr4RYqfnF0Ogw==,type:str] mac: ENC[AES256_GCM,data:hD7645epMVYHU6K1AZsHu+fp/PMIqqiZpv7K4Vxzo84slzn0CfZSYaVaYxKNGjOIgEGN9D2FFmq9WL6ChMskMfqqafY7qDpSQqFp9TUwb5jN34XcQg9vplfNw+lMqsnDCt1HENWErRnlDxTI2ctSEcx3UKGBOQ3ttLzUIySdnFY=,iv:reOsqvc8E3l8yxb5gVcqF/rU2o2yKmaUyGNRNT+Skx8=,tag:eBoV8G+X0cPs3Q1xAuv55w==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.1


@ -69,29 +69,28 @@ in
systemd.services.forgejo = { systemd.services.forgejo = {
serviceConfig = { serviceConfig = {
EnvironmentFile = config.sops.templates."forgejo/env".path; EnvironmentFile = config.sops.templates."forgejo/env".path;
preStart =
let
providerName = "kanidm";
args = lib.concatStringsSep " " [
"--name ${providerName}"
"--provider openidConnect"
"--key forgejo"
"--secret $CLIENT_SECRET"
"--icon-url ${idpUrl}/pkg/img/favicon.png"
"--group-claim-name forgejo_role --admin-group Admin"
];
exe = getExe config.services.forgejo.package;
in
''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
if [[ -z "$provider_id" ]]; then
${exe} admin auth add-oauth ${args}
else
${exe} admin auth update-oauth --id "$provider_id" ${args}
fi
'';
}; };
preStart =
let
providerName = "kanidm";
args = lib.concatStringsSep " " [
"--name ${providerName}"
"--provider openidConnect"
"--key forgejo"
"--secret $CLIENT_SECRET"
"--auto-discover-url https://${idpUrl}/oauth2/openid/forgejo/.well-known/openid-configuration"
"--icon-url https://${idpUrl}/pkg/img/favicon.png"
"--group-claim-name forgejo_role --admin-group Admin"
];
exe = getExe config.services.forgejo.package;
in
''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
if [[ -z "$provider_id" ]]; then
${exe} admin auth add-oauth ${args}
else
${exe} admin auth update-oauth --id "$provider_id" ${args}
fi
'';
}; };
users.users.git = { users.users.git = {
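Review bot: `--secret $CLIENT_SECRET` passes the OIDC client secret as a command-line argument to `forgejo admin auth add-oauth`/`update-oauth`, where it is readable by any local user through `ps` or `/proc/<pid>/cmdline` for as long as the command runs, and it is unquoted, so a secret containing whitespace or glob characters would be word-split by bash before Forgejo sees it. At least quote it, `"--secret \"$CLIENT_SECRET\""`; if the Forgejo CLI in use accepts the secret from a file or the environment (I cannot confirm that from here) prefer that, and otherwise the exposure window is only closed by mounting `/proc` with `hidepid=2`. The lookup `grep -w '${providerName}' | cut -f1` also matches any row whose name or URL merely contains the word `kanidm`, which would make `provider_id` multi-line and break `update-oauth --id`; anchor the match to the name column instead. `systemd.services.forgejo` is wholly inside the hunk.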


@ -26,7 +26,7 @@ in
instance-expose-public-timeline = true; instance-expose-public-timeline = true;
oidc-enabled = true; oidc-enabled = true;
oidc-idp-name = "Kanidm"; oidc-idp-name = "Kanidm";
oidc-issuer = "https://${idpUrl}/oauth2/openid/gotosocial"; oidc-issuer = "${idpUrl}/oauth2/openid/gotosocial";
oidc-client-id = "gotosocial"; oidc-client-id = "gotosocial";
oidc-link-existing = true; oidc-link-existing = true;
}; };


@ -20,10 +20,10 @@ in
email = false; email = false;
allowEmailRegister = false; allowEmailRegister = false;
oauth2 = { oauth2 = {
baseURL = "https://${idpUrl}/oauth2/openid/hedgedoc"; baseURL = "${idpUrl}/oauth2/openid/hedgedoc";
authorizationURL = "https://${idpUrl}/ui/oauth2"; authorizationURL = "${idpUrl}/ui/oauth2";
tokenURL = "https://${idpUrl}/oauth2/token"; tokenURL = "${idpUrl}/oauth2/token";
userProfileURL = "https://${idpUrl}/oauth2/openid/hedgedoc/userinfo"; userProfileURL = "${idpUrl}/oauth2/openid/hedgedoc/userinfo";
userProfileEmailAttr = "email"; userProfileEmailAttr = "email";
userProfileUsernameAttr = "name"; userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "preferred_name"; userProfileDisplayNameAttr = "preferred_name";


@ -1,54 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
kanidm_listen_port = 5324;
inherit (config.my-lib.settings) idpUrl;
in
{
imports = [
./kanidm-provision.nix
];
security.acme = {
acceptTerms = true;
certs.${idpUrl} = {
email = "lixinyang411@gmail.com";
listenHTTP = "127.0.0.1:1360";
group = "kanidm";
};
};
services.kanidm = {
package = lib.mkForce pkgs.kanidmWithSecretProvisioning_1_5;
enableServer = true;
serverSettings = {
domain = idpUrl;
origin = "https://${idpUrl}";
bindaddress = "[::]:${toString kanidm_listen_port}";
tls_key = ''${config.security.acme.certs.${idpUrl}.directory}/key.pem'';
tls_chain = ''${config.security.acme.certs.${idpUrl}.directory}/fullchain.pem'';
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db";
};
};
services.caddy = {
enable = true;
virtualHosts."http://${idpUrl}".extraConfig = ''
reverse_proxy ${config.security.acme.certs.${idpUrl}.listenHTTP}
'';
virtualHosts."https://${idpUrl}".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
};
}


@ -17,7 +17,7 @@ in
OAUTH2_CLIENT_ID = "miniflux"; OAUTH2_CLIENT_ID = "miniflux";
OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret"; OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret";
OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback"; OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://${idpUrl}/oauth2/openid/miniflux"; OAUTH2_OIDC_DISCOVERY_ENDPOINT = "${idpUrl}/oauth2/openid/miniflux";
OAUTH2_USER_CREATION = 1; OAUTH2_USER_CREATION = 1;
CREATE_ADMIN = 0; CREATE_ADMIN = 0;
}; };


@ -29,13 +29,6 @@ in
''; '';
}; };
# TODO: Waiting for https://github.com/NixOS/nixpkgs/issues/367976
nixpkgs.overlays = [
(final: prev: {
matrix-synapse-unwrapped = prev.matrix-synapse-unwrapped.overridePythonAttrs { doCheck = false; };
})
];
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
withJemalloc = true; withJemalloc = true;
@ -85,11 +78,11 @@ in
oidc_providers = [ oidc_providers = [
{ {
idp_id = "Kanidm"; idp_id = "Kanidm";
idp_name = idpUrl; idp_name = lib.removePrefix "https://" idpUrl;
issuer = "https://${idpUrl}/oauth2/openid/synapse"; issuer = "${idpUrl}/oauth2/openid/synapse";
authorization_endpoint = "https://${idpUrl}/ui/oauth2"; authorization_endpoint = "${idpUrl}/ui/oauth2";
token_endpoint = "https://${idpUrl}/oauth2/token"; token_endpoint = "${idpUrl}/oauth2/token";
userinfo_endpoint = "https://${idpUrl}/oauth2/openid/synapse/userinfo"; userinfo_endpoint = "${idpUrl}/oauth2/openid/synapse/userinfo";
client_id = "synapse"; client_id = "synapse";
client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path; client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path;
scopes = [ scopes = [
@ -120,4 +113,8 @@ in
reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse} reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse}
''; '';
}; };
networking.firewall.allowedTCPPorts = [
443
];
} }
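Review bot: `networking.firewall.allowedTCPPorts = [ 443 ]` is global host firewall state placed inside the Synapse service module, yet the process listening on 443 is Caddy (the `reverse_proxy` lines just above), so removing or disabling this module would leave 443 open for no reason and every other Caddy-fronted service must re-open it elsewhere or rely on this file. Move the rule beside the `services.caddy` definition (or into the host's networking file) and leave synapse.nix with only its `reverse_proxy` snippet. The OIDC endpoints are spelled out from `idpUrl` rather than obtained through Synapse's discovery, which is fine but silent until a login fails, so a comment such as `# endpoints follow Kanidm's /oauth2/openid/<client> layout — keep in sync with kanidm-provision` would help the next maintainer; the `oidc_providers` entry continues outside the hunk after `scopes = [`.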


@ -3,18 +3,6 @@ let
inherit (config.my-lib.settings) vaultwardenUrl; inherit (config.my-lib.settings) vaultwardenUrl;
in in
{ {
sops.secrets."vaultwarden/admin_token" = {
owner = "vaultwarden";
};
sops.templates."vaultwarden.env" = {
owner = "vaultwarden";
content = ''
ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin_token"}
'';
};
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "sqlite"; dbBackend = "sqlite";
@ -27,7 +15,6 @@ in
ROCKET_LOG = "normal"; ROCKET_LOG = "normal";
}; };
environmentFile = config.sops.templates."vaultwarden.env".path;
}; };
services.caddy = { services.caddy = {
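Review bot: With `sops.secrets."vaultwarden/admin_token"` and `environmentFile` gone, Vaultwarden runs without `ADMIN_TOKEN`, which by its documented default disables the `/admin` page — reasonable hardening, but that page was also the only runtime place to manage invitations and sign-ups. Confirm the `config` attribute set, whose start is outside this hunk, sets `SIGNUPS_ALLOWED = false;` (Vaultwarden defaults this to true) and `INVITATIONS_ALLOWED` explicitly, otherwise the public Caddy vhost below accepts open registration with no admin UI left to close it. If the token is ever reintroduced, keep the argon2 PHC hash in `secrets.yaml` rather than the plaintext token.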


@ -5,8 +5,7 @@
... ...
}: }:
let let
inherit (lib) getExe; inherit (lib) mkForce getExe;
inherit (config.my-lib.settings) idpUrl;
in in
{ {
imports = [ imports = [
@ -17,32 +16,22 @@ in
]; ];
commonSettings = { commonSettings = {
auth.enable = true; # auth.enable = true;
nix = { nix = {
signing.enable = true; signing.enable = true;
}; };
comin.enable = true;
network.localdns.enable = true;
}; };
nix.settings.substituters = [
"https://nix-community.cachix.org"
];
nix.settings.trusted-public-keys = [
# Compare to the key published at https://nix-community.org/cache
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
# Bootloader. # Bootloader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi"; boot.loader.efi.efiSysMountPoint = "/boot/efi";
# boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = [ boot.kernelModules = [
"nvidia" "nvidia"
"nvidia_modeset" "nvidia_modeset"
"nvidia_uvm" "nvidia_uvm"
]; ];
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
boot.supportedFilesystems = [ "ntfs" ]; boot.supportedFilesystems = [ "ntfs" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@ -60,10 +49,10 @@ in
# TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
tctiEnvironment.enable = true; tctiEnvironment.enable = true;
}; };
# services.gnome.gnome-keyring.enable = lib.mkForce false;
security.pam.services.login.enableGnomeKeyring = lib.mkForce false; security.pam.services.login.enableGnomeKeyring = lib.mkForce false;
programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so"; programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;
networking.hostName = "calcite"; networking.hostName = "calcite";
@ -162,15 +151,6 @@ in
services.keyd = { services.keyd = {
enable = true; enable = true;
keyboards = { keyboards = {
default = {
ids = [ "*" ];
settings = {
main = {
capslock = "overload(control, esc)";
control = "overload(control, esc)";
};
};
};
"internal" = { "internal" = {
ids = [ "0b05:1866" ]; ids = [ "0b05:1866" ];
settings = { settings = {
@ -185,6 +165,18 @@ in
settings = { settings = {
main = { main = {
mouse2 = "leftmeta"; mouse2 = "leftmeta";
# leftalt = "mouse1";
};
};
};
"keydous" = {
ids = [
"25a7:fa14"
"3151:4002"
];
settings = {
main = {
capslock = "overload(control, esc)";
}; };
}; };
}; };
@ -195,16 +187,12 @@ in
services.printing.enable = true; services.printing.enable = true;
services.printing.drivers = [ services.printing.drivers = [
pkgs.hplip pkgs.hplip
pkgs.gutenprint
pkgs.gutenprintBin pkgs.gutenprintBin
pkgs.canon-cups-ufr2
]; ];
hardware.sane = {
enable = true;
extraBackends = [ pkgs.hplipWithPlugin ];
};
hardware.pulseaudio.enable = false;
security.rtkit.enable = true; security.rtkit.enable = true;
services.avahi.enable = true;
services.pipewire = { services.pipewire = {
enable = true; enable = true;
wireplumber.enable = true; wireplumber.enable = true;
@ -224,10 +212,16 @@ in
"wheel" "wheel"
"wireshark" "wireshark"
"tss" "tss"
"scanner"
]; ];
}; };
services.kanidm = {
enableClient = true;
clientSettings = {
uri = "https://auth.xinyang.life";
};
};
# Smart services # Smart services
services.smartd.enable = true; services.smartd.enable = true;
@ -236,9 +230,36 @@ in
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w" "openssl-1.1.1w"
# FIXME: Waiting for https://github.com/NixOS/nixpkgs/pull/335753
"jitsi-meet-1.0.8043"
]; ];
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
imhex
oidc-agent
# Filesystem
(owncloud-client.overrideAttrs (
finalAttrs: previousAttrs: {
src = pkgs.fetchFromGitHub {
owner = "xinyangli";
repo = "client";
rev = "780d1c4c8bf02be42e118c792ff833ab10c2fdcc";
hash = "sha256-pEwcGJI9sN9nooW/RQHmi52Du6yzofgZeB8PcjwPtZ8=";
};
}
))
nfs-utils
# tesseract5 # ocr
ocrmypdf # pdfocr
gtkwave
bubblewrap
# ==== Development ==== # # ==== Development ==== #
# Python
# reference: https://nixos.wiki/wiki/Python
( (
let let
my-python-packages = my-python-packages =
@ -256,13 +277,31 @@ in
# ==== GUI Softwares ==== # # ==== GUI Softwares ==== #
bibata-cursors eudic
(epsonscan2.overrideAttrs ( bibata-cursors
finalAttrs: prevAttrs: { gthumb
patches = prevAttrs.patches ++ [ ./fix-crash.patch ]; oculante
}
)) # Multimedia
vlc
obs-studio
spotify
# IM
element-desktop
tdesktop
# Password manager
bitwarden
# Browser
chromium
# Writting
zotero
# onlyoffice-bin
wemeet
virt-manager virt-manager
wineWowPackages.waylandFull wineWowPackages.waylandFull
@ -286,25 +325,9 @@ in
owner = "xin"; owner = "xin";
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;
}; };
"davfs2/photosync_password" = { "gitea/envfile" = {
owner = "root";
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;
mode = "0600";
};
};
sops.templates."davfs2.conf" = {
owner = config.services.davfs2.davUser;
content = ''
https://weilite.coho-tet.ts.net:6065/photosync photosync ${
config.sops.placeholder."davfs2/photosync_password"
}
'';
};
environment.etc = {
"davfs2/secrets" = {
source = config.sops.templates."davfs2.conf".path;
mode = "0600";
}; };
}; };
@ -316,6 +339,20 @@ in
]; ];
}; };
# custom.forgejo-actions-runner = {
# enable = false;
# tokenFile = config.sops.secrets."gitea/envfile".path;
# settings = {
# runner.capacity = 2;
# runner.fetch_timeout = "120s";
# runner.fetch_interval = "30s";
# };
# };
#
custom.prometheus = {
exporters.node.enable = true;
};
services.ollama = { services.ollama = {
enable = true; enable = true;
acceleration = "cuda"; acceleration = "cuda";
@ -326,32 +363,6 @@ in
services.flatpak.enable = true; services.flatpak.enable = true;
services.davfs2 = {
enable = true;
settings = {
globalSection = {
use_locks = 1;
gui_optimize = 1;
table_size = 4096;
cache_size = 10240;
};
};
};
fileSystems = {
"/media/photosync" = {
device = "https://weilite.coho-tet.ts.net:6065/photosync";
fsType = "davfs";
options = [
"rw"
"uid=1000"
"nodev"
"nosuid"
"nofail"
];
};
};
# Fonts # Fonts
fonts = { fonts = {
packages = with pkgs; [ packages = with pkgs; [
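Review bot: `nixpkgs.config.permittedInsecurePackages` appears on the new side to whitelist `"jitsi-meet-1.0.8043"` next to the already-present `"openssl-1.1.1w"` on a laptop that also runs Chromium, Wine and `services.ollama`; each entry switches off nixpkgs' known-vulnerability check for that package, and the FIXME only names a nixpkgs PR, not what is being accepted or when it can go. Record the reason and a removal condition inline, e.g. `# jitsi-meet 1.0.8043 is marked insecure in nixpkgs; kept until nixpkgs#335753 lands — drop afterwards`, and do the same for openssl 1.1.1w, which has been end-of-life since September 2023. Separately, `commonSettings.auth.enable` is commented out on this host while `services.kanidm.enableClient` points at `https://auth.xinyang.life`; if that is intentional, a one-line comment saying why would stop someone from "fixing" it. This file section has several hunks; the `environment.systemPackages` list continues outside the hunk.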


@ -1,36 +0,0 @@
diff -uNr a/src/Controller/Src/Finder/UsbFinder.cpp b/src/Controller/Src/Finder/UsbFinder.cpp
--- a/src/Controller/Src/Finder/UsbFinder.cpp 2024-10-05 01:47:57.530027467 +0800
+++ b/src/Controller/Src/Finder/UsbFinder.cpp 2024-10-07 01:58:36.293405252 +0800
@@ -119,14 +119,26 @@
sprintf(const_cast<char*>(devInfo.displayName), "%s", "DS-5500/DS-6500/DS-7500");
isValidDeviceInfo = true;
}
+ else if (dd.idProduct == 0x14A)
+ {
+ sprintf(const_cast<char*>(devInfo.displayName), "%s", "Perfection V37/V370");
+ isValidDeviceInfo = true;
+ }
else
{
- sprintf((char*)strDescWithAddress, "%s:%s", strDesc, serialNumber);
- strncpy(const_cast<char*>(devInfo.displayName),(const char*)strDescWithAddress, MAX_DISPLAYNAME - 1);
- if (strlen(devInfo.displayName) != 0 || searchSecondDevice)
- {
- isValidDeviceInfo = true;
- }
+ if (dd.iSerialNumber == 0)
+ {
+ sprintf((char*)strDescWithAddress, "%s", strDesc);
+ }
+ else
+ {
+ sprintf((char*)strDescWithAddress, "%s:%s", strDesc, serialNumber);
+ }
+ strncpy(const_cast<char*>(devInfo.displayName),(const char*)strDescWithAddress, MAX_DISPLAYNAME - 1);
+ if (strlen(devInfo.displayName) != 0 || searchSecondDevice)
+ {
+ isValidDeviceInfo = true;
+ }
}
libusb_close (devHandle);
devHandle = nullptr;


@ -18,6 +18,7 @@
"ahci" "ahci"
"usbhid" "usbhid"
]; ];
boot.initrd.kernelModules = [ ];
boot.initrd = { boot.initrd = {
systemd.enable = true; # initrd uses systemd systemd.enable = true; # initrd uses systemd
@ -30,8 +31,10 @@
}; };
}; };
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
# device = "/dev/disk/by-label/NIXROOT";
device = "/dev/mapper/cryptroot"; device = "/dev/mapper/cryptroot";
fsType = "btrfs"; fsType = "btrfs";
}; };
@ -54,6 +57,16 @@
swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ]; swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
# networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
# networking.interfaces.wg0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.graphics = { hardware.graphics = {


@ -1,24 +1,46 @@
{ {
config,
pkgs, pkgs,
lib,
... ...
}: }:
{ {
imports = [ ]; imports = [ ];
# Enable networking
networking = { networking = {
networkmanager = { networkmanager = {
enable = true; enable = true;
dns = "default"; dns = "systemd-resolved";
settings = {
main = {
rc-manager = "resolvconf";
};
};
}; };
}; };
services.resolved = {
enable = true;
extraConfig = ''
Cache=no
'';
};
# Enable Tailscale
services.tailscale.enable = true;
# services.tailscale.useRoutingFeatures = "both";
services.dae.enable = true;
services.dae.configFile = "/var/lib/dae/config.dae";
systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [
"NetworkManager-wait-online.service"
];
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 3389 ];
networking.firewall.allowedUDPPorts = [
3389
41641
];
networking.firewall.trustedInterfaces = [ "tailscale0" ];
# Use nftables to manager firewall # Use nftables to manager firewall
networking.nftables.enable = true; networking.nftables.enable = true;
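Review bot: `allowedTCPPorts = [ 3389 ]` and `allowedUDPPorts = [ 3389 41641 ]` expose RDP on every interface of a NetworkManager-managed, i.e. roaming, machine, while `trustedInterfaces = [ "tailscale0" ]` already admits all traffic from the tailnet, so the 3389 entries only add exposure on whatever Wi-Fi the laptop happens to join. Drop them — `networking.firewall.allowedTCPPorts = [ ];` and `networking.firewall.allowedUDPPorts = [ 41641 ];` — so RDP is reachable only over Tailscale (41641 is Tailscale's own WireGuard port and can stay). `trustedInterfaces` also means every tailnet peer reaches every local service, which is acceptable for a personal tailnet but deserves a comment. `services.dae.configFile = "/var/lib/dae/config.dae"` points outside the Nix store, so the proxy rules and any credentials in it are unmanaged and not reviewable here.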


@ -1,9 +1,13 @@
restic: restic:
repo_url: ENC[AES256_GCM,data:x/g1nZQ59SavVG+u5apNmBQ0Y5uQ9N0EKVh6qovqeP/Z7tmkudJtlBFD35C0ZidcQLAqTaZk1FFh8Ikjo4OcQSdTsx9BGvT4,iv:RQMOSEacDHXjYceBaAW4sFGk38vkijHuADcTS3DMxa8=,tag:769rLA2eRKjDrAaL/jERbA==,type:str] repo_url: ENC[AES256_GCM,data:x/g1nZQ59SavVG+u5apNmBQ0Y5uQ9N0EKVh6qovqeP/Z7tmkudJtlBFD35C0ZidcQLAqTaZk1FFh8Ikjo4OcQSdTsx9BGvT4,iv:RQMOSEacDHXjYceBaAW4sFGk38vkijHuADcTS3DMxa8=,tag:769rLA2eRKjDrAaL/jERbA==,type:str]
repo_password: ENC[AES256_GCM,data:jqsIP1R5/yX8F0oYaSXACx6C,iv:KckzqctKLnmay+d30/Y4IttiASxYnMw6IHQrtwP2YdQ=,tag:L/Ij51UU1om48I8fd4iuwA==,type:str] repo_password: ENC[AES256_GCM,data:jqsIP1R5/yX8F0oYaSXACx6C,iv:KckzqctKLnmay+d30/Y4IttiASxYnMw6IHQrtwP2YdQ=,tag:L/Ij51UU1om48I8fd4iuwA==,type:str]
davfs2: gitea:
photosync_password: ENC[AES256_GCM,data:J3+pJCjjV+hlPC2il5f7Vn+9k+Aatolgut1DX1G+JF4=,iv:OgZn6Glho3Cfrl0GJhGSbmcYjSe6sjM9PjvEZnM/c4w=,tag:i5AVG139nK3ecK3VwWpQuQ==,type:str] envfile: ENC[AES256_GCM,data:CK+JNELuzjKgWnImuV4Euif3f3nNOACOrvc4NiIXs+q/F7QWrtpb3TK8/FrLNQk=,iv:QSDrlKJCBld2gDx/y1sT8anh37GhqSS2QZd2JJi5Yis=,tag:x5T6h59LBXhEyVwSr2dnuQ==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: | enc: |
@ -23,7 +27,8 @@ sops:
WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-08T09:47:09Z" lastmodified: "2024-11-28T03:55:19Z"
mac: ENC[AES256_GCM,data:pBryBOfgVYROAJ6LfqpEXz8ph4bcAoWLADibpET0jwb4CBNuEW9BWXzVu+Ci+gKjKhSxh8xwr+TLSvo8zNOeGz/Mdl2vVaEWNKX4dUMMd9IXRJ+8jSlhxkMWPi25xoiMjY763MgOnBYsdqPpKKB1xLHkRtULAHlZ2m3VhVWxMWM=,iv:egYcxVjCH4uPbHvCcU9MVCRHoDbNH8tYet1vyDf9nhw=,tag:DDBC0TSdsnaF3SFTuH6rOQ==,type:str] mac: ENC[AES256_GCM,data:VH7RnRT33ltsxycuSsUsM+64onQeClwQ3fIHUVQUyRJ6t7aJkBiGMQ80QtmwGE5CJTbq7LV4cis5Pq/f9vTb0SsY4tCSIgXNAE2zW2rjjQKjdHr+rnnKSJExJA+k2tL06Q/FUu+3SP7pVSaYBGQKb53UAbHsdJYbx00Ko6MzZ7U=,iv:EiYhbr6o4n3kGEEWKXeWmDPSb5hOvUhRH7N2ZLPRHmQ=,tag:BdI140bhvBW0bwQPpRYiRw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.9.1


@ -35,11 +35,7 @@
systemd.network.enable = true; systemd.network.enable = true;
systemd.network.networks."10-wan" = { systemd.network.networks."10-wan" = {
matchConfig.MACAddress = "00:16:3e:0a:ec:45"; matchConfig.MACAddress = "00:16:3e:0a:ec:45";
networkConfig = { networkConfig.DHCP = "ipv4";
DHCP = "ipv4";
LinkLocalAddressing = "no";
IPv6AcceptRA = "no";
};
dhcpV4Config = { dhcpV4Config = {
UseDNS = true; UseDNS = true;
}; };
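Review bot: Collapsing `networkConfig` to `DHCP = "ipv4"` drops `IPv6AcceptRA = "no"` and `LinkLocalAddressing = "no"`, so on the new side systemd-networkd falls back to its default of accepting router advertisements on the WAN link; if IPv6 is not meant to be used there, any RA on that segment, legitimate or rogue, installs an IPv6 default route and SLAAC address that bypass whatever the IPv4-only path was relied on for. If the removal is deliberate because IPv6 is now wanted, say so in a comment; otherwise keep `IPv6AcceptRA = "no";` inside `networkConfig`. The `10-wan` unit continues outside the hunk with `dhcpV4Config`.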


@ -33,17 +33,16 @@
promtail.enable = true; promtail.enable = true;
}; };
services.tailscale.enable = true;
commonSettings = { commonSettings = {
auth.enable = true; auth.enable = true;
comin.enable = true;
serverComponents.enable = true;
proxyServer = { proxyServer = {
enable = true; enable = true;
users = [ users = [
"wyj" "wyj"
"yhb" "yhb"
"xin" "xin"
"zx"
]; ];
}; };
}; };


@ -9,9 +9,6 @@ sing-box:
xin: xin:
password: ENC[AES256_GCM,data:SRiPFO+Uwy/PT41SIg7eI68wk4AX6so=,iv:aXwP5wa1IrlnvFo/ZL+DYFFHDdWw2Z83de3ApHUTsXo=,tag:sxXoy1FnDxZBQCDeNxphzQ==,type:str] password: ENC[AES256_GCM,data:SRiPFO+Uwy/PT41SIg7eI68wk4AX6so=,iv:aXwP5wa1IrlnvFo/ZL+DYFFHDdWw2Z83de3ApHUTsXo=,tag:sxXoy1FnDxZBQCDeNxphzQ==,type:str]
uuid: ENC[AES256_GCM,data:7xK53SO4x0tOIEIYl6kmmAvnpdsR/tYQoG1t/ytsnO4QqWY3,iv:i694Fnu7g1OA3IGzSaoSGA5/eMPo+I/1TZbYuaQrgNA=,tag:4cUlioJn/IvsvZclgboOSA==,type:str] uuid: ENC[AES256_GCM,data:7xK53SO4x0tOIEIYl6kmmAvnpdsR/tYQoG1t/ytsnO4QqWY3,iv:i694Fnu7g1OA3IGzSaoSGA5/eMPo+I/1TZbYuaQrgNA=,tag:4cUlioJn/IvsvZclgboOSA==,type:str]
zx:
password: ENC[AES256_GCM,data:UkRaj5aadq8Ea3j3wh6YQDzxmew=,iv:vrJ7h97KaWmp7+rkYowdTDI7HIq71ZUIERE3o0BY5Fc=,tag:YEPydn9fLmEBYBDD//6Pfw==,type:str]
uuid: ENC[AES256_GCM,data:W+qXN1Xa5ZMXRQh+7dtZkExFrp6qqEOkoxn8Fj5qQ5U23ytz,iv:559UEoMyY3/RfmwJLFCerkuV0DjTbhaRPbW56toxMEU=,tag:pv706bZgEblyGS7V9mwABA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -54,8 +51,8 @@ sops:
K1F1SzI2NFNIKzlreVBXSjAxaUxQd28KFaf1uu7OlqIe0TirJFgS3iPjhXPyfNDE K1F1SzI2NFNIKzlreVBXSjAxaUxQd28KFaf1uu7OlqIe0TirJFgS3iPjhXPyfNDE
m2XUjzdXp+chJCzVOFvpYStqz+e08ADEc+jp3YsTLcxyqvXhQdyL/Q== m2XUjzdXp+chJCzVOFvpYStqz+e08ADEc+jp3YsTLcxyqvXhQdyL/Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-31T07:11:08Z" lastmodified: "2024-12-06T04:35:52Z"
mac: ENC[AES256_GCM,data:CYOPIN29pg5ldsLgkMaqSqKmTKusSBKVVifU2eGPIEILcYEwMmmGkvCH7jG8+QnOicfSTIonA0sPBO/g36X5bLhQIcmzUEnImSXVFLXpvHM2haIxPSHG/xvaLbIPcHMKvHbeyIGIhIdfPp7ssyH1Aa/+PgtfTIMUeOFbIWykgfE=,iv:+u7kyGUgmeEJ2T6rnBS9ACAk4Ka2OPJrz4sCZLVTPP8=,tag:d2eimY7wGwoQZZEh3d0UZA==,type:str] mac: ENC[AES256_GCM,data:DAg4UTwNv+rs6hye2z5UUtA1a4yZbFaAWjLoKAXf87tKgBCZzK8C1q6gLyTQOqp07ptYQd5Q951kfE1a/35SFJsubREzJmu6haxznRgq7pO5HDGqgtjYEHsngsWZh3bUSX/aG2dLISdD81VY68nLzTO0r4h/SL6DNG36RzJgL8E=,iv:V0WhENNt/Szi5VWVD2t5AsWP1tOZUGjFjMNYPDq59XI=,tag:ThRstdzVNtSs6E7qlvKPOw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.2 version: 3.9.1


@ -0,0 +1,74 @@
{
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./networking.nix
./services.nix
./services
];
sops = {
defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = {
gts_env = {
owner = "gotosocial";
};
};
};
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot";
boot.loader.grub = {
enable = true;
efiSupport = true;
configurationLimit = 5;
};
environment.systemPackages = with pkgs; [
cifs-utils
git
];
# Disable docs on servers
documentation.nixos.enable = false;
documentation.man.enable = false;
system.stateVersion = "22.11";
networking = {
hostName = "massicot";
};
services.tailscale.enable = true;
commonSettings = {
auth.enable = true;
nix = {
enable = true;
};
};
security.sudo = {
execWheelOnly = true;
wheelNeedsPassword = false;
};
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
};
services.fail2ban.enable = true;
programs.mosh.enable = true;
systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
}
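Review bot: `security.sudo.wheelNeedsPassword = false` grants every wheel member passwordless root, and because SSH is key-only (`PasswordAuthentication = false`, `PermitRootLogin = "no"`) a stolen or forwarded agent key becomes root with no second check; `execWheelOnly = true` does not mitigate that, it only limits who may run the sudo binary. If the motivation is unattended deploys, prefer a `security.sudo.extraRules` entry scoped to the deploy user and command and set `wheelNeedsPassword = true;` for interactive sessions — the deploy mechanism is not visible here, so treat this as a question rather than a finding. `systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]` is an override whose purpose is not stated; a comment such as `# force sshd as a plain service (not socket-activated) so it is up before networkd settles — confirm` would make the intent reviewable. The whole file is inside the hunk.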


@ -0,0 +1,32 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
device = "nodev";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/AC27-D9D6";
fsType = "vfat";
};
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35068215-part1";
fsType = "ext4";
};
fileSystems."/mnt/storage" = {
device = "/dev/disk/by-id/scsi-0HC_Volume_101302395";
fsType = "btrfs";
options = [
"subvol=storage"
"compress=zstd"
"noatime"
];
};
}


@ -177,11 +177,8 @@ in
"https://immich.xinyang.life:8000/api/oauth/mobile-redirect/" "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"
"https://immich.xinyang.life:8000/auth/login" "https://immich.xinyang.life:8000/auth/login"
"https://immich.xinyang.life:8000/user-settings" "https://immich.xinyang.life:8000/user-settings"
"https://immich.xiny.li:8443/api/oauth/mobile-redirect/"
"https://immich.xiny.li:8443/auth/login"
"https://immich.xiny.li:8443/user-settings"
]; ];
originLanding = "https://immich.xiny.li:8443/auth/login?autoLaunch=0"; originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0";
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
scopeMaps = { scopeMaps = {
immich-users = [ immich-users = [
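Review bot: `allowInsecureClientDisablePkce = true` stays in force for the immich client while the redirect list is trimmed to the `xinyang.life` origins; without PKCE the authorization code is protected only by the client secret, and `/api/oauth/mobile-redirect/` is the path used by the mobile-app flow, where code interception is the classic attack PKCE exists to stop. The flag is usually needed only because older Immich releases did not send `code_challenge`, so re-check the deployed Immich version and remove the line if it now does; if it must stay, add `# immich <version> does not implement PKCE; remove once upgraded` so the exception carries its own expiry. The `originUrl` list starts outside this hunk.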


@ -0,0 +1,14 @@
{ pkgs, ... }:
{
networking.useNetworkd = true;
systemd.network.networks."10-wan" = {
matchConfig.MACAddress = "96:00:02:68:7d:2d";
networkConfig = {
DHCP = "ipv4";
Gateway = "fe80::1";
};
address = [
"2a01:4f8:c17:345f::3/64"
];
};
}


@ -0,0 +1,40 @@
storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str]
hedgedoc_env: ENC[AES256_GCM,data:+rjEctM6IJUpn7WcAnBS9TkQi2lCq4wKPxbaOApffH0tFyu56SpECrLpmM749I7th3N+UGb0pLM7+Ywr7fbuuMfUuIWom6Y+CKYw4yMlgjzTaaNqBmstvMxLaPnmA01G9ie1rQ==,iv:YBIyQQ6xiUyxSnR5epE5hV9OqETLKC5CFTEaRJdErGU=,tag:77kHYQ2i2APVyadhMhmvWA==,type:str]
grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str]
miniflux:
oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str]
forgejo:
env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
restic:
repo_url: ENC[AES256_GCM,data:GMHbrjgwajnYSiqtoYaKiFT/aDWDwlzEkvMLPzYf7C9PvLr7T4zeWyAA9//8huldyxO3+nk6O9lR9ORZKZfb8/MYB7nRB03sZQ==,iv:6uBhsksOGDjoc13U2xWLz7I+0fzGRhnw0nStACqlnug=,tag:uhH28NYq+ly1bmCV/cpxkQ==,type:str]
repo_password: ENC[AES256_GCM,data:jRHNgOk5ChWdqMKsd/V4Xg==,iv:wrgF5pau/RylG1nmJYmvrZ02o67qkkT5PrZAQlXb6Qo=,tag:X0WVpMqi8xeoATss/sSPMA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aGRvUUtjcDU2bnhaNDJD
K3c5TnFJeHQzM2VpeHphR2dGeS9NYzcyYjJnCnNrQ3dxL1hqR2MyQXhldUZ1VEJp
N25nVHZ1QjRydW9hTWE5d0x2M2pPNkkKLS0tIFpiRW8rZ1Q1R1RCZGN1ZGs3ek45
UENaRjJPWFJqUlpzd3dHSC9pdnZ6STQKQaaY28FYUk3O9TTkX9LQTzlrqZVojgxY
M+N6LApfdoioQCmXduDbj18i0eUbECTBXR/uEFEIHbn6AJVD/vx7iw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRY0lIeE9tWDA3Q21IWk1E
YnlaQUJybFB2bmFpbG1UZ0UyNG16WkRkZlNVCmUySHVBcXpWekpVN3R5dGs5ODY1
V1ZlUk4zRSs1NkVjY3JSMVVQSXJ1OEkKLS0tIFMzeUNaYVpoNnV3TE1oamEwTEo2
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-28T03:57:35Z"
mac: ENC[AES256_GCM,data:xjZrlwfWLtZNYfH+KiE2ICt9Jo4nx/LKaEYi/ECN/Od+ZTjety0V6RJ/RfmI6q3K1WMj0sAGc56hCZ0iOn25L8wK6dc14hZVoSwwbIiQ7hTQE5LcK+NbXNmy3r/YC855DHG9kE08eYGHdNcBbckZg3HhkHQ9UYS/Ox/QFFuBa5Q=,iv:N3AW+sr9ET3c/ArXr176haRewYFsfgsNn+hkC0MDJwA=,tag:SCikn+F8btuSBswV+oCdXg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,102 @@
{
config,
pkgs,
lib,
...
}:
let
kanidm_listen_port = 5324;
in
{
imports = [
./kanidm-provision.nix
];
networking.firewall.allowedTCPPorts = [
80
443
2222
8448
];
networking.firewall.allowedUDPPorts = [
80
443
8448
];
custom.monitoring = {
promtail.enable = true;
};
custom.prometheus.exporters = {
enable = true;
blackbox = {
enable = true;
};
node = {
enable = true;
};
};
security.acme = {
acceptTerms = true;
certs."auth.xinyang.life" = {
email = "lixinyang411@gmail.com";
listenHTTP = "127.0.0.1:1360";
group = "kanidm";
};
};
services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning;
enableServer = true;
serverSettings = {
domain = "auth.xinyang.life";
origin = "https://auth.xinyang.life";
bindaddress = "[::]:${toString kanidm_listen_port}";
tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db";
};
};
users.users.conduit = {
isSystemUser = true;
group = "conduit";
};
users.groups.conduit = { };
services.gotosocial = {
enable = true;
settings = {
log-level = "debug";
host = "xinyang.life";
letsencrypt-enabled = false;
bind-address = "localhost";
instance-expose-public-timeline = true;
oidc-enabled = true;
oidc-idp-name = "Kanidm";
oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
oidc-client-id = "gts";
oidc-link-existing = true;
storage-local-base-path = "/mnt/storage/gotosocial/storage";
};
environmentFile = config.sops.secrets.gts_env.path;
};
services.caddy = {
enable = true;
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
'';
virtualHosts."https://auth.xinyang.life".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
};
}
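Review bot: Kanidm is bound on every interface with `bindaddress = "[::]:${toString kanidm_listen_port}"` while its only consumer is the local Caddy upstream `https://127.0.0.1:${toString kanidm_listen_port}`, so the IdP's direct port stays off the network only because 5324 happens to be absent from `allowedTCPPorts`; binding to the loopback address Caddy already targets, `bindaddress = "127.0.0.1:${toString kanidm_listen_port}";`, makes that property hold regardless of later firewall edits. The `header_down Access-Control-Allow-Origin "*"` on the identity provider's vhost overrides whatever CORS headers Kanidm itself sets and advertises every origin; if one relying party needs it, scope it to that origin, otherwise remove the line. `log-level = "debug"` on GoToSocial and UDP 80/8448 in `allowedUDPPorts` also read as debugging leftovers rather than required exposure, and the `conduit` user/group is defined without any visible service using it.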


@ -1,5 +1,5 @@
{ {
imports = [ imports = [
./hydra.nix ./restic.nix
]; ];
} }


@ -0,0 +1,42 @@
{
config,
lib,
pkgs,
...
}:
let
sqliteBackup = fromPath: toPath: file: ''
mkdir -p ${toPath}
${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'"
'';
in
{
sops.secrets = {
"restic/repo_url" = {
sopsFile = ../secrets.yaml;
};
"restic/repo_password" = {
sopsFile = ../secrets.yaml;
};
};
custom.restic = {
enable = true;
paths = [
"/backup"
"/mnt/storage"
];
backupPrepareCommand = [
(sqliteBackup "/var/lib/hedgedoc/db.sqlite" "/backup/hedgedoc" "db.sqlite")
(sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3" "/backup/bitwarden_rs" "db.sqlite3")
(sqliteBackup "/var/lib/gotosocial/database.sqlite" "/backup/gotosocial" "database.sqlite")
(sqliteBackup "/var/lib/kanidm/kanidm.db" "/backup/kanidm" "kanidm.db")
];
};
services.restic.backups.${config.networking.hostName} = {
extraBackupArgs = [
"--limit-upload=1024"
];
};
}
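Review bot: `sqliteBackup` creates the staging directory with a bare `mkdir -p ${toPath}`, so `/backup/kanidm`, `/backup/bitwarden_rs` and the other copies inherit the hook's umask rather than an explicit mode, and those copies are the IdP and password-manager databases; use `install -d -m 0700 ${toPath}` (and `chmod 0600` on the written file) so the staged copies are no more readable than the originals. The `.backup` invocation itself is sound, but if a copy fails the previous run's file is left in place and restic uploads it as if fresh, so unless `custom.restic` already runs the prepare command under `set -e` (not visible here) the sqlite3 line should end in `|| exit 1`. The file is complete within this hunk.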


@ -0,0 +1,25 @@
{
lib,
...
}:
{
imports = [
./hardware-configuration.nix
];
boot.initrd.availableKernelModules =
[
];
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -53,7 +53,6 @@
commonSettings = { commonSettings = {
nix.enable = true; nix.enable = true;
auth.enable = true; auth.enable = true;
network.localdns.enable = true;
}; };
documentation.enable = false; documentation.enable = false;
@ -70,7 +69,7 @@
neovim neovim
jq jq
iptables iptables
nftables ebtables
tcpdump tcpdump
busybox busybox
ethtool ethtool
@ -89,56 +88,24 @@
systemd.network = { systemd.network = {
enable = true; enable = true;
networks."lan" = {
matchConfig.Name = "enu1";
networkConfig.DHCP = "no";
linkConfig.RequiredForOnline = "no";
};
networks."wan" = { networks."wan" = {
matchConfig.Name = "end0"; matchConfig.Name = "end0";
networkConfig.DHCP = "yes"; networkConfig.DHCP = "yes";
linkConfig.RequiredForOnline = false; linkConfig.RequiredForOnline = "yes";
};
networks."lan" = {
matchConfig.Name = "enu1";
networkConfig = {
DHCP = "no";
DHCPServer = "yes";
Address = "10.1.1.1/24";
};
dhcpServerConfig = {
ServerAddress = "10.1.1.1/24";
UplinkInterface = "end0";
EmitDNS = "yes";
DNS = [ "192.168.1.1" ];
};
linkConfig.RequiredForOnline = false;
}; };
}; };
networking.firewall.enable = false; services.dae = {
networking.nftables = {
enable = true; enable = true;
tables = { configFile = "/var/lib/dae/config.dae";
filter = {
family = "inet";
content = ''
chain forward {
iifname { "enu1" } oifname { "end0" } accept comment "Allow trusted LAN to WAN"
iifname { "end0" } oifname { "enu1" } ct state { established, related } accept comment "Allow established back to LANs"
iifname { "enu1" } oifname { "tailscale0" } accept comment "Allow LAN to Tailscale"
}
'';
};
nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "end0" masquerade
oifname "tailscale0" masquerade
}
'';
};
};
}; };
services.tailscale.extraSetFlags = [ "--advertise-routes=10.1.1.0/24" ]; services.tailscale.enable = true;
}; };
} }
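Review bot: `services.dae.configFile = "/var/lib/dae/config.dae"` points the proxy at a hand-managed file outside the Nix store and outside this repository, so the routing rules and any upstream node credentials it carries are neither reviewed nor reproducible from the configuration, and nothing here sets the file's owner or mode. Either provision it declaratively (a sops secret or template with `mode = "0600"`) or at least add `systemd.tmpfiles.rules = [ "d /var/lib/dae 0700 root root -" ];` together with a comment stating who writes the file. The same path appears in the raspite and weilite hosts in this compare, so a shared module would keep the three in step. Which column is the new side is inferred from the hunk counts in this split view, and the attribute set enclosing these lines extends outside the hunk.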


@ -6,14 +6,11 @@
}: }:
{ {
imports = [ ./services/hass.nix ]; imports = [ ./hass.nix ];
commonSettings = { commonSettings = {
nix.enable = true; nix.enable = true;
auth.enable = true; auth.enable = true;
comin.enable = true;
network.enableProxy = false;
serverComponents.enable = true;
}; };
nixpkgs.overlays = [ nixpkgs.overlays = [
@ -23,8 +20,6 @@
}) })
]; ];
networking.firewall.allowedTCPPorts = [ 8443 ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git
libraspberrypi libraspberrypi
@ -39,5 +34,17 @@
interfaces.eth0.useDHCP = true; interfaces.eth0.useDHCP = true;
}; };
time.timeZone = "Asia/Shanghai"; # boot.kernelPackages = pkgs.linuxPackages_stable;
# fileSystems."/".fsType = lib.mkForce "btrfs";
boot.supportedFilesystems.zfs = lib.mkForce false;
services.dae.enable = true;
services.dae.configFile = "/var/lib/dae/config.dae";
services.tailscale = {
enable = true;
permitCertUid = config.services.caddy.user;
openFirewall = true;
};
} }

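--- /dev/null
+++ b/machines/raspite/hass.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+{
+services.home-assistant = {
+enable = true;
+openFirewall = false;
+config = {
+default_config = { };
+http = {
+server_host = "127.0.0.1";
+use_x_forwarded_for = true;
+trusted_proxies = [ "127.0.0.1" ];
+};
+};
+extraPackages =
+python3Packages: with python3Packages; [
+# speed up aiohttp
+isal
+zlib-ng
+];
+};
+services.esphome = {
+enable = true;
+openFirewall = false;
+};
+users.groups.dialout.members = config.users.groups.wheel.members;
+services.mosquitto = {
+enable = true;
+};
+services.zigbee2mqtt = {
+enable = true;
+settings = {
+home-assistant = config.services.home-assistant.enable;
+permit_join = true;
+serial = {
+port = "/dev/ttyUSB0";
+};
+};
+};
+networking.firewall.allowedTCPPorts = [ 8443 ];
+services.caddy = {
+enable = true;
+virtualHosts = {
+"raspite.coho-tet.ts.net".extraConfig = ''
+reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
+'';
+};
+};
+}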
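Review bot: `permit_join = true` in the zigbee2mqtt settings leaves the Zigbee network permanently open to new devices, so anything in radio range can pair itself at any time; set it to `false` and enable joining temporarily from the frontend or over MQTT when you actually pair a device. The firewall opens `8443`, but the only Caddy vhost here, `raspite.coho-tet.ts.net`, carries no port and so listens on 443, which is not opened here — either the port is stale or the vhost should read `"raspite.coho-tet.ts.net:8443"`. `users.groups.dialout.members = config.users.groups.wheel.members` gives every admin raw access to the coordinator's serial port, acceptable on a single-user box but worth a one-line comment saying so. Mosquitto is enabled with no listener or ACL settings; confirm the module default is not an anonymous listener reachable from the tailnet.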


@ -1,236 +0,0 @@
{ config, pkgs, ... }:
{
services.home-assistant = {
enable = true;
openFirewall = false;
config = {
logger = {
logs = {
homeassistant.helpers.llm = "debug";
homeassistant.components.conversation.chat_log = "debug";
homeassistant.components.openai_conversation = "debug";
};
};
http = {
server_host = "127.0.0.1";
use_x_forwarded_for = true;
trusted_proxies = [ "127.0.0.1" ];
};
assist_pipeline = { };
backup = { };
bluetooth = { };
config = { };
conversation = { };
history = { };
recorder = {
purge_keep_days = 14;
};
homeassistant_alerts = { };
image_upload = { };
logbook = { };
media_source = { };
mobile_app = { };
my = { };
ssdp = { };
stream = { };
sun = { };
usb = { };
webhook = { };
zeroconf = { };
};
extraPackages =
python3Packages: with python3Packages; [
# speed up aiohttp
isal
zlib-ng
];
extraComponents = [
"mqtt"
"roborock"
"openai_conversation"
];
};
systemd.services.home-assistant.environment = {
OPENAI_BASE_URL = "https://ark.cn-beijing.volces.com/api/v3";
};
services.esphome = {
enable = true;
openFirewall = false;
};
users.groups.dialout.members = config.users.groups.wheel.members;
services.mosquitto = {
enable = true;
};
services.zigbee2mqtt = {
enable = true;
package = pkgs.zigbee2mqtt_2;
settings = {
home-assistant = config.services.home-assistant.enable;
serial = {
adapter = "zstack";
port = "/dev/ttyUSB0";
};
frontend = {
enabled = true;
port = 15313;
host = "127.0.0.1";
};
advanced = {
log_level = "debug";
availability = {
# Periodically check whether devices are online/offline
enabled = true;
};
channel = 11;
homeassistant_legacy_entity_attributes = false;
homeassistant_legacy_triggers = false;
legacy_api = false;
legacy_availability_payload = false;
};
device_options = {
legacy = false;
};
devices = {
"0x000d6f001673c5d4" = {
friendly_name = "";
};
"0x000d6f001673c1df" = {
friendly_name = "";
};
"0x000d6f0014cbc2c6" = {
friendly_name = "";
};
"0x8cf681fffe0a5e38" = {
friendly_name = "";
description = "1: 2: ";
};
"0x8cf681fffe0d9f1c" = {
friendly_name = "1";
description = "1: 2: 西";
};
"0x000d6f00167839ff" = {
friendly_name = "2";
description = "1: 2: ";
};
"0x8cf681fffe0db266" = {
friendly_name = "3";
description = "";
};
"0x8cf681fffe0d9ccb" = {
friendly_name = "4";
description = "1.";
};
"0x000d6f001673c512" = {
friendly_name = "";
};
"0xa4c13815e2f92d74" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe54ced3" = {
friendly_name = "西";
transition = 1;
};
"0x540f57fffe54c8d4" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe54c82b" = {
friendly_name = "西";
transition = 1;
};
"0x540f57fffe5210bc" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe54c851" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe54ce63" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe54c8ce" = {
friendly_name = "";
transition = 1;
};
"0xa4c138693a2afad7" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe54c826" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe521114" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe54c86b" = {
friendly_name = "西";
transition = 1;
};
"0x540f57fffe54c82e" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe5210e3" = {
friendly_name = "";
transition = 1;
};
"0xfc4d6afffe6eb9e3" = {
friendly_name = "";
};
"0x540f57fffe5210cf" = {
friendly_name = "1";
transition = 1;
};
"0x540f57fffe54c8bb" = {
friendly_name = "2";
transition = 1;
};
"0x540f57fffe5210db" = {
friendly_name = "3";
transition = 1;
};
"0x540f57fffe54cec5" = {
friendly_name = "1";
transition = 1;
};
"0x540f57fffe520d1d" = {
friendly_name = "2";
transition = 1;
};
"0x540f57fffe54c966" = {
friendly_name = "3";
transition = 1;
};
"0x540f57fffe520ceb" = {
friendly_name = "";
transition = 1;
};
"0x540f57fffe5210cd" = {
friendly_name = "";
transition = 1;
};
};
};
};
services.caddy = {
virtualHosts = {
"raspite.coho-tet.ts.net".extraConfig = ''
reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
'';
"https://raspite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy ${config.services.zigbee2mqtt.settings.frontend.host}:${toString config.services.zigbee2mqtt.settings.frontend.port}
'';
};
};
}


@ -1,103 +1,95 @@
prometheus: prometheus:
metrics_username: ENC[AES256_GCM,data:7kcwPg==,iv:BjhB+uLfjmYHdgpc/+tDJXJ8C1EK9kngQWbo4NleOmE=,tag:wGLoVcsVxgFjorIMsV4mjw==,type:str] metrics_username: ENC[AES256_GCM,data:/CQfOA==,iv:BjhB+uLfjmYHdgpc/+tDJXJ8C1EK9kngQWbo4NleOmE=,tag:JCdqyqGLRh09T25vmufiZw==,type:str]
metrics_password: ENC[AES256_GCM,data:qGbdk5tRmBw1rYHkmid87w==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:+cVF89YF35hA+fPvEQNgHA==,type:str] metrics_password: ENC[AES256_GCM,data:q/xMPuNtlcUFewMdVu6w2Q==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:B4LrObH1DsnnD5CcuOPOyg==,type:str]
dae:
sub: ENC[AES256_GCM,data:wCv8je47gBa2bb2aWCbUYHIuxGxkXUfJUvogwviYUNJJZJCdL5Q2qJX+tXOL4JRkzicRzFfiPEa3rcYIfoB6DC7caDPevpepHtTENzI3YKppiz0KIXedUWr+,iv:iMhxWb0IR+3jOP2+7GmQTe0Ia1yhycji4hcTTMK57GI=,tag:e8X4PTiY/60W6XbFLOmSBQ==,type:str]
tailscale:
authkey: ENC[AES256_GCM,data:GKfhg4Co1us4UQ6Jn3KT85OrIIVDd8aJmv8hmhtLZnAM4McxPmpVZ1tnYu7GIfKdqgCQqEl+lgS0xlV+qA==,iv:qugnzLpCZqHyRnJaP0tS2y5R5i0lrhm9PnIuG3kiGqE=,tag:KV/fcG4rceG4AHCzFEoksg==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdjRiWCtvUWNSTVJlNmh5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SjAzOEozUzh1bzVvaHgr
RDIzMW5rZmc4ZW9DbWs1cnVWbG16WDJhTkMwCkk5MENTTUJENDFwcFJ3K2Y3cW1Z T2xsVUszTHVSdWIyM3B5TFhtUEFMeVZlYzNrCk5IOWFNbTErbTVkQnNlVllMZWlV
ZFhzNSs1ZHRtd25za3pJUFJoYTU0WGcKLS0tIHVjSmZiTFIxTmdOcFVKTVdMOXg5 Q2lHZXRIdzBiRFRSZnNUVWd2NXVXVGcKLS0tIERhcjh3VVlqSGxHUHpnc1JzVksv
bjdhUFNjWlhFcitUaUZpOURzY1MvdlUKl6tM+siqmAN25lyobnPymIhniJkylZcy VXpQVVVCUC9xR3crWm9rTk13LzVhK1EKwiuvwx3ZhcDE+9w7/dR4PrZSSoJMvklT
yWw/iEj6l7dNrwCr5Ofb6llTPMIJeA7Y0wKPhp2ott13hBUUSeBDRg== m7I32dMRk0o9zcl5KYU5L9Hwb+z+EBE34raoGKBF5K4aQcbZQUX3Cw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbHIwSmlYQWdDV20rQjdI YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5R1ZIRlN2b3M2OUQ0T2cw
OVVNUmcwcFZaZzlWa1QxaERoV0oydzZHR2pZCjV4K2llR1lCNGZzRWVidExyTW1i eE5DTm9KY1NUY1p5eDhLNG4xMDVkVjRyWDNRClp3MTRWeGJMYTczcC9YQTNZdkxx
RTlBZzF1UHFFT0JzT3hnK28zeWN2UlEKLS0tIFFQVUJUVk5HcTRSQXczbDlsRTli ejJ3QnhjcUcyUldUNEVqVUh6Z2grd00KLS0tIDVvbDZWbmZPZVhDNHM1K1kzaE95
R3QrSVNXbnM3VjVvMHRvNGVTMFBPam8K1rJaII3N4xN8ArmEzSt5boqFrcKBbYWD aHJqSU16dlJiRGl0VWNMVXVYMmhPb2MKMboq9ShGIJMFVENgLPlQdwdtTOjVb0CC
T9sBOVitKudgGRbXirPdUbWHq//gP6bkpwGrh5cJA30jDXaTuEq31g== 4ttM3xWnYkf8416a0OYFrda5l1kfJJzQakbk/tbGcTu1yTcd+6lOtA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml - recipient: age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VGdpcHE0MGk2VU1hcDQ1 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVby8wYS9pa0szTlVUS3FI
SVB0TUY1dkNQZGRtSElPajVCUktVbGZuTHpjCnI4NGl0dEdXdXhxZmN1SHkyL25U VWhjaCtyUzNLbkw2VXRlWkVMZlRkeXJMZGlRCnBTWklnZ0Uzd2lTMGt1M2wxZ0px
RGJiT1I4dHJscjZvdDdDZkVzdnZ1M0UKLS0tIG9lUGlwbmQvZ05IN1NMMFVQVWls NFl2RW5hSUZVdHI0aVFRMHJtMFQ3ODAKLS0tIFlYOHVRYVFGbkcvUWRmQitQQnI5
WlBIQVVPVWpTdm5pQ3NCSWIxazRKUHMK8SmC1itCVyr8KXBSLVVpiHwt7Hl9Vps3 bG5vemMvcWdpOEtxNGRpS0doQmtuUFkK8Hxl//kOtbEw3jf96ZZ4G1Yb94f4Jeb4
sc8cqv/Ou0LWz5MlqCGtiO5zKIQABCIAhmMMw9UDrqkYHyLCOhaGlw== TfPs7O/ESJY8ovNsoXRQEt99vOR5D1wBzyZBY9E3f2ZzY/uBmup0cw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZE05NGI3WlpNWXlGdlkx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSmRYMkNIdERJZVBxV1p1
OW5QK0NzbTl0RmJjQythRWdZdUJkczhLZ1NjCjFTVng5L1dnYTBYZ3R2RHhiVGxC emlqOTBpN3l2WXkzNjRRcFI5NUZDZnQ1WXdnCkRVbm8xais5aGVCTmtSTGxaTXlT
MHZ1Yi9IRUJySEZBazJ2ZnhYeElWWXcKLS0tIEhVV2lUSzZZbitKd1NaS2J6UzE2 L2ZWQ0p5WFZNRWl5SWVkRUYwc2R3b1UKLS0tIEZEck4yMmJUQWVvNHRJQnpCQTBo
QlFpVGV4YkJUbFA4Y2RVQm9JeVJMK0EKDwXNkNgAmsNMYvSpHVmSn098+Eurr3jp cDJsaG83MTdXWVd2NUpLczhjWTBBZVUK5BxBIYVqkqVLw9LTbnJ8SQWN2i4USdI8
KHtqLGRGq2EHK2Edo4gktXS39KhpYhhKTEMNiAJ8Tx2BG+edGKAJyg== 8m/hZFXTJ4GI0f795DEmbcZq9xET14aQqta0wSASqwP/5Ld1mo0a0w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age12ng08vjx5jde5ncqutwkd5vm4ygfwy33mzhzwe0lkxzglulgpqusc89r96 - recipient: age12ng08vjx5jde5ncqutwkd5vm4ygfwy33mzhzwe0lkxzglulgpqusc89r96
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZGs5SnE5R0N5ZkpKRXky YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSkhjRTdBWklZUEpUanM0
c3JSK3F6NzZJbHI3WWNZbk1nY0UwUW4vNUNnCmV5eTJVRTdJc25VaXVJY05GeUFo Wjl4b2c3K0g0ZUxxMlRrUFhhZzhNRXhPVnpvCmpNWVBNTXNYczV3aWhCd05FOGJ0
UUFxNDM1M3pXaUVVekJJZ2tNV1UxNEUKLS0tIDdEN1BFWDF4cXRoS01VSHhPRjlu YlNobFhWdStGbDRZV2NlUWV6ZFRVNEkKLS0tIGd1RUR4K21GOEQ0aWtqRi9RREpE
ZjZCc2krMkxOWDkwMWM0WC9qQWZPNEUKt9s9SNkkoVOuGKW9AkGB6XYf7a90EeZD RXBXcXFYUDVXVzN4Q25zSklFU21wbFkKQuTHkgFC5HRPO7/PuVhJzbbHOTPaFXvN
b0q/P/mKVGYghwXjEQ89ipS+rF3BMlWXRwd6T8mb6NRLmseyt0dqyw== +Y31AK3OAVdUETMEuJ2mk50Bi5BiiUeOnnv1bZ6O+iX0o20ysUseTg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv - recipient: age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaGNVc1BvbnZNbFlFL2pL YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnc3NOZFRYT1VnaVZSaTRi
L3JOczFGNnlQVnpuMkVJZlRVU2hhcCtKNGhJCk9ZUFlYOERXWWlBMG4yVENUbk1P WnluSEk4d1U5TWx2REZRZ3VCRVp2ZzlKY0NvCjNlUnIwdWVqSnlQOWp1dlJ5THlW
UWJnNWpBeDVjRG1GdDBreWMzUVIzaHcKLS0tIFZFUmE2NE5wTXBIZWI4cjlFYk12 c2xTNHhnaE94a2ZTeXJjQTVxeGRLTmsKLS0tIFV4c2NZK1ZnL2xtUlVvSksxNi9o
TERkUkROTWpKTUF3ZUk2TFVRaVFTNVkKHaBMq9jHPM5e+4naO6aC3s6NMspe/v6e L3dodkJXVjZrekVldTVsRFRxSFlrTmMKiokjgIRIsI8D2aFP/Qem4iGzC4yr5lm2
sCZti+gw1pa3Sdlc9qZD6ZWN4G0UDJnRSxPNIxO7n3wMPWkMVQiztw== ZwggC/UfD56ysTEqrVaDnR7f5fSqZLWdstPJn7I/vr5CwKRMbMPYSA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9 - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUHJzUzhwbHhYMUNkbVRV YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpN0llOTBJU1pNNVFxVWxt
MkdBd3c3cC9ZQ0x1ZHlzUUo4MHA5TkIzQmdvCkk0S3VMRkllbk9VS1R6d1BCTENr aFdKdStKL1ZlZ0p6WFRQbHpGNnpmdlJXdG1FCkx5eDhZWWJvQ2xSWEJqWnZ6NmNt
K29XQXpYSlV2YWJLbGdsbFM0UGZLZjQKLS0tIGRNR3U4MDFJektXMkg0R3I1Rkpt Y0MzNDg5QzVSbEZteW1LNlFyRFg5Q0EKLS0tIDBrT0dEZlBoTExYcGRNZjZ5Znpz
M1A2VlBmZ1V0UXltNW5zNTBqRDJKMVUKVOwFinUC3scboLI2qrYUAxLecMmz5V4w cnE4YWRTMmRsTENhOTl5R2dYSzQwazAKvnTvZz842Mg5AVlIoYHI2BG+0/hO5zIv
A8maHLb8SlDea0KM0NJjoYlBXgVG2OnQ0HaUJzGkQTWwCPUk/o3MGA== jRVJri98fgGterXADTPmeoY3p+fFQggTPhs/5s5GSQxd5aiX8vvvrA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNlZ6U3BMeE1NV2Q3UHRw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPQWljdGg4VTlDdGhoblpk
YzVpYVVVSURGTzI3VEY4V09iWDh3ZU04dFRjCkZaWFRhV0tJd3hZYnFFZmVYenVp LytxK2FnQVI1dzB2bnFaWUtoUVNGS3lpU3prCnRwUTNnZVVXTnZ6eCtScTk5YzI3
QTNlZ1RYazRWeVI2R0VYTE9EbWNFVEkKLS0tIDJQU1BDYW80ZDBid2dYWGNEeXlZ TGM2MmNhaHQ3NXAzMk0rcnJoTlp5STQKLS0tIEp2U3YvUUhXTkt3VFczY3J1LzMv
ZU03cFpZQjlVOUdzT3FHTiswZmk1ajQKxRqo2ZZKIDTHIjOM0r/ZorgRq4Gm0UsQ ZzM0VHpqamRIZVROS2lQdXFhQTNBekEKEySldC+VvZvPY398ZVkB5s73bT3QbuLh
wFojWJQC52DTwF7oAKojb+93of5qDBVnXlN5YM12T1XnifVHk6Kc5A== IqTv+wbkbjlvZJUavVyycY5SwMXkSX3ge9W/64mt/RDs88gSXFS+Sw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDM3FTdXdCM3Z3b2NLR1Bw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bGppem15NlVod2hCRkM5
OC9HdDlraktMMUxRM3ovSXpScnhEM2U2a1I0CnkwSVZjSVI1UXBUTWJIVFlXRG9t MzY1aUZOdEVzRzdEYTRNakdMQWJlRkk0eEZzClRLSnRrQUoreU5MVG40KzRKSGcw
K1ZhbUtWYzFxSUU2dmMvbkFKVHRLYTAKLS0tIGloNC9JWG9pSTZmNjI0TitSUWQr bUU4ZnpLU0VtOWxXVllrSW5lN0NWb0kKLS0tIE1iemRlVVpieEhxRnlIb2dFUHZr
NzYyU1UrbS9Fc1ZicTR2NXNIYmpsdXMK5CEi9eLOMyZrs32rEEMAl65LFqN75Iow am04NVRtU2N6SThYZWdXVE5RZ1B2aE0KVcHvB5k2Gcu/St0P8WPFzlCtuZthZTKo
bApHV33LVxIYnbBYdPnHKGWj7U5VOPO3krq6q4pW4PViMotUx4BWow== hwVc0lC6Xxt25hriaUFinwnyvcjxrLCx0Nq7f9Zn16nJcza5kev1nQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1x79t4crvt8qj34vn052s0kaj80z87np83adqra953yjpydrzkqqspt6zcj lastmodified: "2024-11-30T06:31:42Z"
enc: | mac: ENC[AES256_GCM,data:xh8x9IrQ01ZzdcCTIfBrifIGduMYVmSSP52BkTyr/bx7AgQAz2WeA7LFrccxIayCGHrQKfMQDLUKJ/EBamG/6p8AX6QqZBTfqFD688ZhmRfxgpj7fYR9jPYnhb/9XHI9R2jTaJWwrorXvu3pa+Gy/hWB3Kb+WZc3fslmIuKuLH0=,iv:GDrHSFZxPbpACdusVDPHXEjeEusYfk53N/KGHtdvrYo=,tag:ap38sCSTZVDQ0ZazXM3vlg==,type:str]
-----BEGIN AGE ENCRYPTED FILE----- pgp: []
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK01iTkVEU3QvbUY0UUR1
VGQ2djZENnY3TU0wQ3BZa1JhZlduUWwySXlzCjhqM1MrWDV3bW1lUThHU2RXZE9P
VDBZZlNKZVBIdmE1RkVRbTZ2MTM5a2sKLS0tIHdOV004VEtWZ3ZhSXBkejlDSVp0
MHJubDlRVW40TDVJNnNqQktKcGVVYWcK1nCRXYjyLpNdj2Mnjgop5R6DSpRUSxDT
VstIwZiQgACPKcP7H2dFSPNDaaAH1YqZzqr7ILLV6jYRApZFte/SRw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-09T01:56:54Z"
mac: ENC[AES256_GCM,data:wZXKzRD+2I0mQoSOu3Xj8uzsSV7rK7wg+GjlzFqbP3qWd5DWSa1wmHuC9xBe3GRNps5L7vopGwngnFXbXu6tlsYuWUhSV/r7lh/wnrXKNlrt5qkWCpL3nXoYqkby+QzFG5ykCYOTsiMg31JYcbobO0kdNNjK0thKqLdFS7YBZig=,iv:O0Rccf08B27bfikTjQ2h+x6rbMUSqUSOSB3jW3Y4MJA=,tag:jBvzVKZgilzmUKQ6M+psAA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.9.1


@ -26,10 +26,17 @@
address = [ "23.165.200.99/24" ]; address = [ "23.165.200.99/24" ];
}; };
networking.firewall.allowedTCPPorts = [
80
443
];
services.tailscale.enable = true;
services.caddy.enable = true;
commonSettings = { commonSettings = {
auth.enable = true; auth.enable = true;
comin.enable = true;
serverComponents.enable = true;
}; };
nixpkgs.system = "x86_64-linux"; nixpkgs.system = "x86_64-linux";


@ -12,8 +12,6 @@ let
hedgedocDomain hedgedocDomain
grafanaUrl grafanaUrl
ntfyUrl ntfyUrl
internalDomain
transmissionExporterUrl
; ;
removeHttps = s: lib.removePrefix "https://" s; removeHttps = s: lib.removePrefix "https://" s;
in in
@ -60,22 +58,7 @@ in
node.enable = true; node.enable = true;
}; };
ruleModules = ruleModules =
[ (mkCaddyRules [ { host = "thorite"; } ])
{
name = "comin_rules";
rules = [
{
alert = "CominBuildFailed";
expr = "comin_build_info != 1";
for = "1m";
labels = {
severity = "critical";
};
}
];
}
]
++ (mkCaddyRules [ { host = "thorite"; } ])
++ (mkNodeRules [ { host = "thorite"; } ]) ++ (mkNodeRules [ { host = "thorite"; } ])
++ (mkBlackboxRules [ { host = "thorite"; } ]); ++ (mkBlackboxRules [ { host = "thorite"; } ]);
}; };
@ -98,24 +81,7 @@ in
]; ];
passwordFile = config.sops.secrets."prometheus/metrics_password".path; passwordFile = config.sops.secrets."prometheus/metrics_password".path;
in in
[ (mkScrapes [
{
job_name = "comin";
scheme = "http";
static_configs = [
{
targets = map (host: "${host}.${internalDomain}:4243") [
"weilite"
"thorite"
"la-00"
"hk-00"
"fra-00"
];
}
];
}
]
++ (mkScrapes [
{ {
name = "immich"; name = "immich";
scheme = "http"; scheme = "http";
@ -152,27 +118,9 @@ in
{ {
name = "loki"; name = "loki";
scheme = "http"; scheme = "http";
address = "thorite.${internalDomain}"; address = "thorite.coho-tet.ts.net";
port = 3100; port = 3100;
} }
{
name = "transmission";
scheme = "http";
address = "weilite.${internalDomain}";
port = 19091;
}
{
name = "sonarr";
scheme = "http";
address = "weilite.${internalDomain}";
port = 21560;
}
{
name = "radarr";
scheme = "http";
address = "weilite.${internalDomain}";
port = 21561;
}
]) ])
++ (mkCaddyScrapes [ ++ (mkCaddyScrapes [
{ address = "thorite.coho-tet.ts.net"; } { address = "thorite.coho-tet.ts.net"; }
@ -181,6 +129,7 @@ in
]) ])
++ (mkNodeScrapes [ ++ (mkNodeScrapes [
{ address = "thorite.coho-tet.ts.net"; } { address = "thorite.coho-tet.ts.net"; }
{ address = "massicot.coho-tet.ts.net"; }
{ address = "weilite.coho-tet.ts.net"; } { address = "weilite.coho-tet.ts.net"; }
{ address = "biotite.coho-tet.ts.net"; } { address = "biotite.coho-tet.ts.net"; }
{ address = "hk-00.coho-tet.ts.net"; } { address = "hk-00.coho-tet.ts.net"; }
@ -190,7 +139,11 @@ in
++ (mkBlackboxScrapes [ ++ (mkBlackboxScrapes [
{ {
hostAddress = "thorite.coho-tet.ts.net"; hostAddress = "thorite.coho-tet.ts.net";
targetAddresses = probeList; targetAddresses = probeList ++ [ "49.13.13.122:443" ];
}
{
hostAddress = "massicot.coho-tet.ts.net";
targetAddresses = probeList ++ [ "45.142.178.32:443" ];
} }
{ {
hostAddress = "weilite.coho-tet.ts.net"; hostAddress = "weilite.coho-tet.ts.net";
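Review bot: The two new blackbox targets, `"49.13.13.122:443"` and `"45.142.178.32:443"`, are bare IP literals appended to `probeList`, so nothing in the config says which hosts they are and, if the blackbox module used here verifies TLS, a probe to an IP has no hostname to validate against; prefer the DNS names the other probes use, or at minimum annotate them, e.g. `"49.13.13.122:443" # TODO: name this host`. The massicot entries added to the node and blackbox scrape lists follow the existing pattern, so only the targets need attention. The scrape list enclosing these hunks starts outside the visible range.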


@ -1,4 +1,5 @@
{ {
config,
pkgs, pkgs,
lib, lib,
modulesPath, modulesPath,
@ -12,27 +13,12 @@
]; ];
config = { config = {
networking = { networking.hostName = "weilite";
hostName = "weilite";
useNetworkd = true;
};
systemd.network = {
enable = true;
networks = {
"10-wan" = {
matchConfig.MACAddress = "52:54:00:db:23:d0";
networkConfig.DHCP = "ipv4";
};
};
};
commonSettings = { commonSettings = {
auth.enable = true; auth.enable = true;
nix = { nix = {
enable = true; enable = true;
}; };
comin.enable = true;
network.localdns.enable = true;
serverComponents.enable = true;
}; };
boot = { boot = {
@ -47,25 +33,25 @@
"usb_storage" "usb_storage"
"sd_mod" "sd_mod"
]; ];
kernelModules = [ kernelModules = [ "kvm-intel" ];
"kvm-intel"
];
kernelPackages = pkgs.linuxPackages_6_12;
}; };
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nixpkgs.hostPlatform = "x86_64-linux";
environment.systemPackages = [ environment.systemPackages = [ pkgs.virtiofsd ];
pkgs.virtiofsd
pkgs.intel-gpu-tools
pkgs.pciutils
];
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = { secrets = {
cloudflare_dns_token = {
owner = "caddy";
mode = "400";
};
dnspod_dns_token = {
owner = "caddy";
mode = "400";
};
"restic/localpass" = { "restic/localpass" = {
owner = "restic"; owner = "restic";
}; };
@ -88,50 +74,49 @@
systemd.mounts = [ systemd.mounts = [
{ {
what = "nixos"; what = "immich";
where = "/mnt/nixos"; where = "/mnt/XinPhotos/immich";
type = "virtiofs"; type = "virtiofs";
options = "rw,nodev,nosuid"; options = "rw,nodev,nosuid";
wantedBy = [ "immich-server.service" ];
} }
{ {
what = "originals"; what = "originals";
where = "/mnt/photos/xin/originals"; where = "/mnt/XinPhotos/originals";
type = "virtiofs"; type = "virtiofs";
options = "rw,nodev,nosuid"; options = "rw,nodev,nosuid";
wantedBy = [ "immich-server.service" ]; wantedBy = [ "immich-server.service" ];
} }
{ {
what = "/mnt/nixos/ocis"; what = "restic";
where = "/var/lib/ocis";
options = "bind";
after = [ "mnt-nixos.mount" ];
wantedBy = [ "ocis.service" ];
}
{
what = "/mnt/nixos/restic";
where = "/var/lib/restic"; where = "/var/lib/restic";
options = "bind"; type = "virtiofs";
after = [ "mnt-nixos.mount" ]; options = "rw,nodev,nosuid";
wantedBy = [ "restic-rest-server.service" ]; wantedBy = [ "restic-rest-server.service" ];
} }
{ {
what = "/mnt/nixos/immich"; what = "ocis";
where = "/var/lib/immich"; where = "/var/lib/ocis";
options = "bind"; type = "virtiofs";
after = [ "mnt-nixos.mount" ]; options = "rw,nodev,nosuid";
wantedBy = [ "immich-server.service" ]; wantedBy = [ "ocis.service" ];
} }
]; ];
hardware.graphics = { services.openssh.ports = [
22
2222
];
services.dae = {
enable = true; enable = true;
extraPackages = with pkgs; [ configFile = "/var/lib/dae/config.dae";
intel-media-driver };
intel-vaapi-driver
vaapiVdpau services.tailscale = {
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) enable = true;
intel-media-sdk # QSV up to 11th gen openFirewall = true;
]; permitCertUid = "caddy";
}; };
services.tailscale.derper = { services.tailscale.derper = {
@ -143,6 +128,44 @@
# tailscale derper module use nginx for reverse proxy # tailscale derper module use nginx for reverse proxy
services.nginx.enable = lib.mkForce false; services.nginx.enable = lib.mkForce false;
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
caddyModules = [
{
repo = "github.com/caddy-dns/cloudflare";
version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
}
{
repo = "github.com/caddy-dns/dnspod";
version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";
}
];
vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
};
virtualHosts."derper00.namely.icu:8443".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
'';
virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
# API Token must be added in systemd environment file
virtualHosts."immich.xinyang.life:8000".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
globalConfig = ''
acme_dns dnspod {env.DNSPOD_API_TOKEN}
'';
};
networking.firewall.allowedTCPPorts = [ 8000 ];
systemd.services.caddy = {
serviceConfig = {
EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
};
};
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";
fileSystems."/" = { fileSystems."/" = {


@ -1,22 +1,14 @@
caddy: cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
cf_dns_token: ENC[AES256_GCM,data:7PvP3oYMZ3dAeWaJNiuvEweUf3psDhyu90FT6cP0/AIOa0E40sdIRQ==,iv:IIYnZ35xAm9JJa14oHJi+ddI0u7Pgc4MfPLnKT4IlPc=,tag:V1PGZpaVzdN2cLpktbvTnA==,type:str] dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str]
huawei_dns_access_key: ENC[AES256_GCM,data:3y9Sl9RDJlRkgTsctH8O4gRAcAU=,iv:2e03AKVniVYFyHV6KB00I/Y1rHD0Ira6kgly7zDqNT0=,tag:w6j1g329XIOrvshx7Ft7aA==,type:str]
huawei_dns_secret_key: ENC[AES256_GCM,data:or4WW7uFvbIoUwh1G63YDQxTFUnkkYrDJG0HEqoKzOSV+8rqy9cHrA==,iv:wB+TT8bh7jhN0ppJ3pqh882cs6RczpOtxKuYuyjRhMY=,tag:GlTSuYeGrGY/3b0g7IbLzw==,type:str]
immich: immich:
oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
auto_stack_apikey: ENC[AES256_GCM,data:pormMdxkevrw1sJrmVtD+jEbfQFTOHeyZRepZt2roftjDYAdbzpppg==,iv:wumPYaTAfU+J0MD6yOFKmxY8eDMzwqVsd3IUXyTfk0A=,tag:54HlWH3iKyWG2Gv9QS/wLA==,type:str]
restic: restic:
localpass: ENC[AES256_GCM,data:GIQAmkpDmGu4+sSG5/b5yQ==,iv:dcu6F8NnVjeQzEG2vM3fOV5owI0PWc86ts20UP3vN18=,tag:vsG8x062FG1pH5YNcAajeg==,type:str] localpass: ENC[AES256_GCM,data:GIQAmkpDmGu4+sSG5/b5yQ==,iv:dcu6F8NnVjeQzEG2vM3fOV5owI0PWc86ts20UP3vN18=,tag:vsG8x062FG1pH5YNcAajeg==,type:str]
transmission:
rpc-password: ENC[AES256_GCM,data:4dumy0hygGOuwU3ANky3xEKRDRBAJWE=,iv:HVV2J+F8HndHZNsMD2YmkWrJOzk5JIapGd0SuQP8VqU=,tag:xqp5pxh5cYYogA4alrmIfg==,type:str]
sonarr:
api-key: ENC[AES256_GCM,data:/CkApTCLQy8TLHGKSM1saacNi9uQDswAjshRSLJk1hg=,iv:PNX4BZLx7krs12lxgORMSarnt0c/ga8yPtoLSzbQ+sY=,tag:V1pp9OCtX5/5fbwLBMGlOQ==,type:str]
radarr:
api-key: ENC[AES256_GCM,data:AeJArngvgmqnxk2g13QjMa6XS893B+3ZdX2K8OqXRQg=,iv:NrQf3yyqRpHMeWQ3bpPH4fUDdo/x2uB6pQCq0ZrFP5c=,tag:Yj2PSy6zRfe8anW0RGuZAQ==,type:str]
webdav:
photosync:
password: ENC[AES256_GCM,data:s+omleBtVALG5bpbTnlzbwBj0oCZX8Dm8IbcUV6COnI=,iv:vwCs3ujmCcE87rl91ZtOEAgSQF1/0t17/7/0UM4x8fE=,tag:ylw76CX9SCylWoJt86rmjg==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: | enc: |
@ -36,7 +28,8 @@ sops:
V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-08T13:07:05Z" lastmodified: "2024-12-03T05:59:51Z"
mac: ENC[AES256_GCM,data:19bgXUH6rhQLin0RO0F5pgqzNIzHq5x+oSpIscbDimRvUhnvalMX6KSmbVgrHeNHrx4n3MpwI65Z+/6eeiR0Y6O2MOv49580UVKIEEP/yAPd3tbOW28/WsNp7MMhtF1Fx6o/rirV+H4vkvzq9+/z3tHO2MMjh9LeLcFB36b8ZD8=,iv:lU9o59P8BS1Azd0lVRtq8d3yNau54J9attOEiC32E4E=,tag:zUawHckwaXSxc7RWimVPUQ==,type:str] mac: ENC[AES256_GCM,data:0dLbfkm7fJvH5Mmct0/qHulg2AtDCeeeOgWMXfeGRUaX3GlLDiLga0zW4uNPDuahVecdh6ofvYfBOxFaGUdBCHk9vq5GzrwrzBNhqObWQ3AqVuq5rjqSxEKoFM4Eb5qoqaOefFzT/9qC94NDETTsHhjiEeIgd4fgSr2dazNiFPE=,iv:Ggw0FHzkrhKh5Uzo3seHGwwHsWW/tTAgAl0iIq9PVk4=,tag:rJvUI5/wsLJ01XyKmkRghw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.9.1


@ -1,55 +0,0 @@
{ config, pkgs, ... }:
{
sops = {
secrets = {
"caddy/cf_dns_token" = {
owner = "caddy";
mode = "400";
};
"caddy/huawei_dns_access_key" = {
owner = "caddy";
mode = "400";
};
"caddy/huawei_dns_secret_key" = {
owner = "caddy";
mode = "400";
};
};
templates."caddy.env".content = ''
CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"}
HUAWEICLOUD_ACCESS_KEY=${config.sops.placeholder."caddy/huawei_dns_access_key"}
HUAWEICLOUD_SECRET_KEY=${config.sops.placeholder."caddy/huawei_dns_secret_key"}
'';
};
services.caddy =
let
acmeCF = "tls {
dns cloudflare {env.CF_API_TOKEN}
}";
acmeHuawei = "tls {
dns huaweicloud {
access_key_id {env.HUAWEICLOUD_ACCESS_KEY}
secret_access_key {env.HUAWEICLOUD_SECRET_KEY}
}
}";
in
{
virtualHosts."derper00.namely.icu:8443".extraConfig = ''
${acmeCF}
reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
'';
virtualHosts."immich.xiny.li:8443".extraConfig = ''
${acmeCF}
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
};
networking.firewall.allowedTCPPorts = [ 8443 ];
systemd.services.caddy = {
serviceConfig = {
EnvironmentFile = config.sops.templates."caddy.env".path;
};
};
}


@ -1,12 +1,8 @@
{ {
imports = [ imports = [
./caddy.nix
./ocis.nix ./ocis.nix
./restic.nix ./restic.nix
./media-download.nix ./media-download.nix
./immich.nix ./immich.nix
./jellyfin.nix
./transmission.nix
./webdav.nix
]; ];
} }


@ -1,18 +1,13 @@
{ {
config, config,
pkgs,
lib,
... ...
}: }:
let let
inherit (config.my-lib.settings) idpUrl;
user = config.systemd.services.immich-server.serviceConfig.User; user = config.systemd.services.immich-server.serviceConfig.User;
immichUrl = "immich.xiny.li:8443";
jsonSettings = { jsonSettings = {
oauth = { oauth = {
enabled = true; enabled = true;
issuerUrl = "https://${idpUrl}/oauth2/openid/immich/"; issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
clientId = "immich"; clientId = "immich";
clientSecret = config.sops.placeholder."immich/oauth_client_secret"; clientSecret = config.sops.placeholder."immich/oauth_client_secret";
scope = "openid email profile"; scope = "openid email profile";
@ -21,21 +16,7 @@ let
buttonText = "Login with Kanidm"; buttonText = "Login with Kanidm";
autoLaunch = true; autoLaunch = true;
mobileOverrideEnabled = true; mobileOverrideEnabled = true;
mobileRedirectUri = "https://${immichUrl}/api/oauth/mobile-redirect/"; mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
};
job = {
faceDetection = {
concurrency = 3;
};
backgroundTask = {
concurrency = 2;
};
metadataExtraction = {
concurrency = 2;
};
thumbnailGeneration = {
concurrency = 1;
};
}; };
passwordLogin = { passwordLogin = {
enabled = false; enabled = false;
@ -46,123 +27,37 @@ let
newVersionCheck = { newVersionCheck = {
enabled = false; enabled = false;
}; };
ffmpeg = {
accel = "qsv";
accelDecode = true;
};
machineLearning = {
enabled = true;
urls = [
"http://calcite.coho-tet.ts.net:3003"
"http://127.0.0.1:3003"
];
clip = {
enabled = true;
modelName = "XLM-Roberta-Large-ViT-H-14__frozen_laion5b_s13b_b90k";
};
facialRecognition = {
maxDistance = 0.35;
minFaces = 10;
};
};
}; };
in in
{ {
config = { config = {
sops.secrets = { sops.secrets."immich/oauth_client_secret" = { };
"immich/oauth_client_secret" = { };
"immich/auto_stack_apikey" = { };
};
sops.templates."immich/config.json" = { sops.templates."immich/config.json" = {
owner = user; # Read when running owner = user; # Read when running
content = builtins.toJSON jsonSettings; content = builtins.toJSON jsonSettings;
}; };
sops.templates."immich/auto_stack.env" = {
owner = "immich_auto_stack";
content = ''
API_KEY=${config.sops.placeholder."immich/auto_stack_apikey"}
'';
};
systemd.timers.immich-auto-stack = {
enable = true;
wantedBy = [ "immich-server.service" ];
timerConfig = {
Unit = "immich-auto-stack.service";
OnCalendar = "*-*-* 4:00:00";
};
};
systemd.services.immich-auto-stack =
let
python = pkgs.python3.withPackages (
ps: with ps; [
requests
]
);
immich_auto_stack = pkgs.fetchurl {
url = "https://gist.githubusercontent.com/xinyangli/39de5979e72d81af6fe9ddb7d1805df4/raw/7798ed8cef7bcd3d06ed005feb0dd01b4b603684/immich_auto_stack.py";
hash = "sha256-qE7TRJ+TLFdSJanBiuKP6fgijdE1NqAeSXWSzsfyEO0=";
};
in
{
environment = {
SKIP_MATCH_MISS = "true";
DRY_RUN = "false";
API_URL = "http://127.0.0.1:${toString config.services.immich.port}/api";
PARENT_PROMOTE = "hdr,edit,export,selects,output";
};
serviceConfig = {
ExecStart = "${lib.getExe python} ${immich_auto_stack}";
EnvironmentFile = config.sops.templates."immich/auto_stack.env".path;
WorkingDirectory = "%t/immich-auto-stack";
RuntimeDirectory = "immich-auto-stack";
User = "immich_auto_stack";
Group = "immich_auto_stack";
};
};
systemd.services.immich-server = { systemd.services.immich-server = {
serviceConfig = { serviceConfig = {
BindReadOnlyPaths = [
"/mnt/photos/xin/originals:/mnt/immich/external-library/xin"
];
Environment = "IMMICH_CONFIG_FILE=${config.sops.templates."immich/config.json".path}"; Environment = "IMMICH_CONFIG_FILE=${config.sops.templates."immich/config.json".path}";
}; };
}; };
services.immich = { services.immich = {
enable = true; enable = true;
mediaLocation = "/mnt/XinPhotos/immich";
host = "127.0.0.1"; host = "127.0.0.1";
port = 3001; port = 3001;
openFirewall = true; openFirewall = true;
machine-learning.enable = true; machine-learning.enable = true;
accelerationDevices = [
"/dev/dri/renderD128"
"/dev/dri/card0"
];
environment = { environment = {
IMMICH_MACHINE_LEARNING_ENABLED = "true"; IMMICH_MACHINE_LEARNING_ENABLED = "true";
}; };
database.enable = true; database.enable = true;
}; };
users.users.immich.extraGroups = [ # https://github.com/NixOS/nixpkgs/pull/324127/files#r1723763510
"video"
"render"
"privimg"
];
users.groups.privimg = { };
users.groups.immich_auto_stack = { };
users.users.immich_auto_stack = {
isSystemUser = true;
group = "immich_auto_stack";
};
services.immich.redis.host = "/run/redis-immich/redis.sock"; services.immich.redis.host = "/run/redis-immich/redis.sock";
}; };
} }
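Review bot: `services.immich.openFirewall = true;` sits next to `host = "127.0.0.1";` in the same attribute set, so the firewall rule for port 3001 never matches anything today and silently becomes a real exposure the moment `host` is widened; the Caddy virtual hosts in this compare already front Immich on 8000/8080, so `openFirewall = false;` is the safer setting. These two lines are context here (present on both sides), and the enclosing `config = {` block begins in an earlier hunk of this file.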


@ -1,25 +0,0 @@
{ config, pkgs, ... }:
let
cfg = config.services.jellyfin;
in
{
services.jellyfin.enable = true;
systemd.services.jellyfin.serviceConfig = {
BindReadOnlyPaths = [
"/mnt/nixos/media:${cfg.dataDir}/media"
];
};
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
];
services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:8920".extraConfig = ''
reverse_proxy 127.0.0.1:8096
'';
users.users.jellyfin.extraGroups = [ "render" ];
users.groups.media.members = [ cfg.user ];
}


@ -1,16 +1,15 @@
{ config, pkgs, ... }: { pkgs, ... }:
let
inherit (config.my-lib.settings)
internalDomain
;
in
{ {
sops.secrets = {
"sonarr/api-key" = { };
"radarr/api-key" = { };
};
services.jackett = { services.jackett = {
enable = true; enable = true;
package = pkgs.jackett.overrideAttrs {
src = pkgs.fetchFromGitHub {
owner = "jackett";
repo = "jackett";
rev = "v0.22.998";
hash = "sha256-CZvgDWxxIAOTkodgmFNuT3VDW6Ln4Mz+Ki7m91f0BgE=";
};
};
openFirewall = false; openFirewall = false;
}; };
@ -28,25 +27,4 @@ in
services.radarr = { services.radarr = {
enable = true; enable = true;
}; };
services.prometheus.exporters.exportarr-sonarr = {
enable = true;
url = "http://127.0.0.1:8989";
apiKeyFile = config.sops.secrets."sonarr/api-key".path;
listenAddress = "weilite.${internalDomain}";
port = 21560;
};
services.prometheus.exporters.exportarr-radarr = {
enable = true;
url = "http://127.0.0.1:7878";
apiKeyFile = config.sops.secrets."radarr/api-key".path;
listenAddress = "weilite.${internalDomain}";
port = 21561;
};
users.groups.media.members = [
config.services.sonarr.user
config.services.radarr.user
];
} }


@ -27,6 +27,7 @@
# environmentFile = config.sops.secrets."ocis/env".path; # environmentFile = config.sops.secrets."ocis/env".path;
}; };
networking.firewall.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = '' services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port} reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
''; '';
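Review bot: The added `networking.firewall.allowedTCPPorts = [ 8443 ];` opens the port from the oCIS module, and restic.nix in this same compare opens 8443 again; the NixOS module system merges the two lists so it works, but the port belongs to the Caddy listener that actually binds it, not to each backend module. Declaring it once next to the Caddy configuration (or in a shared server module) keeps the exposed-port inventory in one place; this hunk's enclosing attribute set starts outside the hunk.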


@ -34,14 +34,14 @@ in
services.restic.backups = builtins.listToAttrs [ services.restic.backups = builtins.listToAttrs [
(mkPrune "xin" "calcite") (mkPrune "xin" "calcite")
(mkPrune "xin" "massicot")
(mkPrune "xin" "biotite") (mkPrune "xin" "biotite")
(mkPrune "xin" "thorite") (mkPrune "xin" "thorite")
]; ];
networking.firewall.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = '' services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
tls {
dns dnspod {env.DNSPOD_API_TOKEN}
}
reverse_proxy ${config.services.restic.server.listenAddress} reverse_proxy ${config.services.restic.server.listenAddress}
''; '';
} }
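Review bot: The per-site `tls { dns dnspod {env.DNSPOD_API_TOKEN} }` block is redundant if it belongs to the new side, because the host's Caddy `globalConfig` in this compare already sets `acme_dns dnspod {env.DNSPOD_API_TOKEN}` for every site; the rendering does not show which side these three lines are on (the hunk counts are balanced), so treat this as a check. If it stays, a one-line comment such as `# per-site DNS challenge; duplicates the global acme_dns setting` would tell the next reader why both exist.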


@ -1,99 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.transmission;
inherit (config.my-lib.settings) transmissionExporterUrl;
in
{
sops.secrets = {
"transmission/rpc-password" = { };
};
sops.templates."transmission-cred.json" = {
content = builtins.toJSON {
rpc-password = config.sops.placeholder."transmission/rpc-password";
};
};
sops.templates."transmission-cred.env" = {
content = ''
TRANSMISSION_PASSWORD=${config.sops.placeholder."transmission/rpc-password"}
'';
};
services.transmission = {
enable = true;
package = pkgs.transmission_4;
openPeerPorts = true;
credentialsFile = config.sops.templates."transmission-cred.json".path;
settings = {
download-dir = "/mnt/nixos/media";
incomplete-dir = "/mnt/nixos/transmission/incomplete";
alt-speed-down = 40960;
alt-speed-enabled = true;
alt-speed-time-begin = 60;
alt-speed-time-day = 127;
alt-speed-time-enabled = true;
alt-speed-time-end = 420;
alt-speed-up = 4096;
bind-address-ipv4 = "0.0.0.0";
bind-address-ipv6 = "::";
download-queue-enabled = true;
download-queue-size = 10;
incomplete-dir-enabled = true;
lpd-enabled = false;
message-level = 4;
peer-congestion-algorithm = "";
peer-id-ttl-hours = 6;
peer-limit-global = 200;
peer-limit-per-torrent = 50;
peer-port = 51413;
peer-socket-tos = "cs1";
pex-enabled = true;
preallocation = 1;
prefetch-enabled = true;
queue-stalled-enabled = true;
queue-stalled-minutes = 30;
rename-partial-files = true;
rpc-bind-address = "127.0.0.1";
rpc-enabled = true;
rpc-authentication-required = true;
rpc-port = 9092;
rpc-username = "xin";
rpc-whitelist = "127.0.0.1";
speed-limit-down = 20480;
speed-limit-down-enabled = true;
speed-limit-up = 3072;
speed-limit-up-enabled = true;
start-added-torrents = true;
watch-dir-enabled = false;
};
};
networking.firewall.allowedTCPPorts = [ 9091 ];
services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:9091".extraConfig = ''
reverse_proxy 127.0.0.1:${toString cfg.settings.rpc-port}
'';
systemd.services.prometheus-transmission-exporter = {
enable = true;
wantedBy = [ "transmission.service" ];
environment = {
WEB_ADDR = transmissionExporterUrl;
TRANSMISSION_ADDR = "http://127.0.0.1:${toString cfg.settings.rpc-port}";
TRANSMISSION_USERNAME = "xin";
};
after = [ "tailscaled.service" ];
wants = [ "tailscaled.service" ];
serviceConfig = {
ExecStart = "${lib.getExe pkgs.transmission-exporter}";
EnvironmentFile = config.sops.templates."transmission-cred.env".path;
};
};
users.groups.media.members = [ cfg.user ];
}


@ -1,47 +0,0 @@
{ config, ... }:
{
sops.secrets = {
"webdav/photosync/password" = { };
};
sops.templates."webdav.env" = {
content = ''
PHOTOSYNC_PASSWORD=${config.sops.placeholder."webdav/photosync/password"}
'';
};
services.webdav = {
enable = true;
settings = {
address = "127.0.0.1";
port = "16065";
permissions = "CRUD";
behindProxy = true;
users = [
{
username = "photosync";
password = "{env}PHOTOSYNC_PASSWORD";
}
];
};
group = "privimg";
environmentFile = config.sops.templates."webdav.env".path;
};
systemd.services.webdav.serviceConfig = {
BindPaths = [
"/mnt/photos/xin/originals:%t/webdav/photosync"
];
RuntimeDirectory = "webdav";
WorkingDirectory = "%t/webdav";
};
users.users."${config.services.webdav.user}".extraGroups = [
"privimg"
];
services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:6065".extraConfig = ''
reverse_proxy 127.0.0.1:16065
'';
}


@ -91,6 +91,10 @@ in
${pkgs.comma}/bin/comma $argv ${pkgs.comma}/bin/comma $argv
end end
set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha) set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)
alias ctlsp="systemctl stop"
alias ctlst="systemctl start"
alias ctlrt="systemctl restart"
alias ctls="systemctl status"
'' ''
else else
""; "";


@ -34,6 +34,10 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = with pkgs; [
cosmic-files
];
systemd.user.services.xwayland-satellite = { systemd.user.services.xwayland-satellite = {
Install = { Install = {
WantedBy = [ "graphical-session.target" ]; WantedBy = [ "graphical-session.target" ];


@ -13,10 +13,6 @@
name = "Catppuccin-GTK-Dark"; name = "Catppuccin-GTK-Dark";
package = pkgs.magnetic-catppuccin-gtk; package = pkgs.magnetic-catppuccin-gtk;
}; };
iconTheme = {
name = "Qogir";
package = pkgs.qogir-icon-theme;
};
gtk2.configLocation = "${config.xdg.configHome}/gtk-2.0/gtkrc"; gtk2.configLocation = "${config.xdg.configHome}/gtk-2.0/gtkrc";
}; };
}; };


@ -16,66 +16,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
programs.waybar = { programs.waybar = {
enable = true; enable = true;
style = '' style = readFile ./waybar.css;
* {
font-family: Ubuntu Nerd Font, Noto Sans CJK SC;
font-size: 14px;
font-weight: bold;
min-height: 14px;
}
window#waybar {
color: @text;
opacity: 0.95;
background-color: @crust;
padding: 2px;
}
#custom-nixos {
background-color: #24273a;
padding-left: 15px;
padding-right: 18px;
}
#custom-separator {
margin: 0 2px;
}
#workspaces {
border-radius: 0;
}
#workspaces button {
padding: 0 10px;
border-radius: 0;
}
#workspaces button.focused,
#workspaces button.active {
border-bottom: 4px solid #8aadf4;
}
#workspaces button.empty {
font-size: 0;
min-width: 0;
min-height: 0;
margin: 0;
padding: 0;
border: 0;
opacity: 0;
box-shadow: none;
}
#cpu,
#memory,
#pulseaudio,
#network,
#backlight,
#battery,
#tray,
#custom-notification {
margin-right: 15px;
}
#clock {
font-size: 16px;
}
'';
settings = { settings = {
main = { main = {
margin = "2px 3px 2 3px"; margin = "2px 3px 2 3px";
@ -103,6 +44,8 @@ in
modules-right = [ modules-right = [
"network#speed" "network#speed"
"custom/separator" "custom/separator"
"network#if"
"custom/separator"
"pulseaudio" "pulseaudio"
"custom/separator" "custom/separator"
"memory" "memory"
@ -178,6 +121,22 @@ in
format = " {percentage}%"; format = " {percentage}%";
}; };
"network#if" = {
format = "{ifname}";
format-disconnected = "󰌙";
format-ethernet = "󰌘";
format-linked = "{ifname} (No IP) 󰈁";
format-wifi = "{icon}";
format-icons = [
"󰤯"
"󰤟"
"󰤢"
"󰤥"
"󰤨"
];
interval = 10;
};
"network#speed" = { "network#speed" = {
format = "{ifname}"; format = "{ifname}";
format-disconnected = "󰌙"; format-disconnected = "󰌙";
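Review bot: `style = readFile ./waybar.css;` depends on `readFile` being in scope from the file's `let` block, which lies outside this hunk; if it is not inherited there (`inherit (builtins) readFile;`), the module fails to evaluate, so the binding is worth confirming. The new `"network#if"` module also uses `format = "{ifname}";`, the same format the existing `"network#speed"` module shows in the context lines, so both bar entries render the interface name; if the duplication is intentional a short comment on `"network#if"` saying what distinguishes it from `"network#speed"` would help.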


@ -11,8 +11,6 @@ let
mkEnableOption mkEnableOption
; ;
inherit (config.my-lib.settings) idpUrl;
cfg = config.commonSettings.auth; cfg = config.commonSettings.auth;
in in
{ {
@ -22,10 +20,9 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.kanidm = { services.kanidm = {
package = pkgs.kanidm_1_5;
enableClient = true; enableClient = true;
clientSettings = { clientSettings = {
uri = "https://${idpUrl}"; uri = "https://auth.xinyang.life";
}; };
enablePam = true; enablePam = true;
unixSettings = { unixSettings = {
@ -38,7 +35,6 @@ in
enable = true; enable = true;
authorizedKeysCommand = "/etc/ssh/auth %u"; authorizedKeysCommand = "/etc/ssh/auth %u";
authorizedKeysCommandUser = "kanidm-ssh-runner"; authorizedKeysCommandUser = "kanidm-ssh-runner";
openFirewall = true;
settings = { settings = {
PasswordAuthentication = false; PasswordAuthentication = false;
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
@ -49,11 +45,11 @@ in
environment.etc."ssh/auth" = { environment.etc."ssh/auth" = {
mode = "0555"; mode = "0555";
text = '' text = ''
#!/bin/sh #!${pkgs.stdenv.shell}
${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1 ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
''; '';
}; };
users.groups.wheel.members = [ "xin@${idpUrl}" ]; users.groups.wheel.members = [ "xin@auth.xinyang.life" ];
users.groups.kanidm-ssh-runner = { }; users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = { users.users.kanidm-ssh-runner = {
isSystemUser = true; isSystemUser = true;
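Review bot: In the `/etc/ssh/auth` script, `${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1` leaves the username sshd passes via `%u` unquoted, so the shell word-splits and glob-expands it; write `${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$1"`. sshd validates the login name before invoking AuthorizedKeysCommand, so this is a robustness issue rather than an injection path, but quoting is the correct form regardless. The line is context on both sides of this hunk, and the enclosing `config = mkIf cfg.enable {` block starts in an earlier hunk.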



@ -1,33 +0,0 @@
{
config,
lib,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
;
cfg = config.commonSettings.comin;
in
{
options.commonSettings.comin = {
enable = mkEnableOption "auto updater with comin";
};
config = {
services.comin = mkIf cfg.enable {
enable = true;
remotes = [
{
name = "origin";
url = "https://github.com/xinyangli/nixos-config.git";
branches.main.name = "deploy";
}
];
hostname = config.networking.hostName;
executor.type = "garnix";
};
};
}


@ -16,15 +16,9 @@ let
cfg = config.inMainland; cfg = config.inMainland;
in in
{ {
options = { options.inMainland = mkOption {
inMainland = mkOption { type = types.bool;
type = types.bool; default = config.time.timeZone == "Asia/Shanghai";
default = config.time.timeZone == "Asia/Shanghai";
};
commonSettings.network.enableProxy = mkOption {
type = types.bool;
default = config.inMainland;
};
}; };
config = mkIf cfg { config = mkIf cfg {
@ -37,144 +31,8 @@ in
"ntp.ntsc.ac.cn" "ntp.ntsc.ac.cn"
]; ];
sops = mkIf config.commonSettings.network.enableProxy { services.dae = {
secrets = {
"dae/sub" = {
sopsFile = ../../../machines/secrets.yaml;
};
};
templates."dae/sub.dae".content = ''
subscription {
my_sub: '${config.sops.placeholder."dae/sub"}'
}
'';
};
systemd.services.dae.serviceConfig.LoadCredential = mkIf config.commonSettings.network.enableProxy [
"sub.dae:${config.sops.templates."dae/sub.dae".path}"
];
services.dae = mkIf config.commonSettings.network.enableProxy {
enable = mkDefault true; enable = mkDefault true;
config = ''
include {
./sub.dae
}
global {
tproxy_port: 12345
tproxy_port_protect: true
so_mark_from_dae: 0
log_level: info
disable_waiting_network: false
##### Interface and kernel options.
# lan_interface: docker0
wan_interface: auto
auto_config_kernel_parameter: true
##### Node connectivity check.
tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
tcp_check_http_method: HEAD
udp_check_dns: 'dns.quad9.net:53,9.9.9.9,2620:fe::fe'
check_interval: 30s
# Group will switch node only when new_latency <= old_latency - tolerance.
check_tolerance: 100ms
##### Connecting options.
dial_mode: ${if config.commonSettings.network.localdns.enable then "domain+" else "domain"}
allow_insecure: false
sniffing_timeout: 100ms
tls_implementation: tls
# utls_imitate: firefox_auto
mptcp: true
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
dns {
ipversion_prefer: 4
upstream {
globaldns: 'tls://dns.quad9.net'
cndns: 'quic://dns.alidns.com:853'
tsdns: 'udp://100.100.100.100'
localdns: 'udp://127.0.0.1:53'
}
routing {
request {
${
if config.commonSettings.network.localdns.enable then
''
fallback: localdns
''
else
''
qname(suffix:ts.net) -> tsdns
qname(geosite:cn) -> cndns
fallback: globaldns
''
}
}
}
}
# Node group (outbound).
group {
default_group {
filter: name(regex: '^(hk)[0-9]+') [add_latency: -30ms]
filter: name(regex: '^(la)[0-9]+') [add_latency: -140ms]
filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms]
policy: min_moving_avg
}
clean_ip {
filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms]
policy: fixed(0)
}
}
# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
routing {
# pname(kresd) && dport(53) && l4proto(udp)-> must_direct
# Disable h3 because it usually consumes too much cpu/mem resources.
l4proto(udp) && dport(443) -> block
pname(blackbox_exporter) -> direct
pname(tailscaled) -> direct
pname(transmission-daemon) -> direct
dscp(0x8) -> direct
dip(224.0.0.0/3, 'ff00::/8') -> direct
dip(geoip:private) -> direct
# Direct traffic to dns server
dip(1.12.12.12) -> direct
dip(223.5.5.5) -> direct
dip(223.6.6.6) -> direct
# === Force Proxy ===
domain(geosite:linkedin) -> default_group
domain(full: sourceware.org) -> clean_ip
# === Custom direct rules ===
domain(geosite:cn) -> direct
domain(geosite:steam@cn) -> direct
domain(suffix:steamserver.net) -> direct
domain(suffix:test.steampowered.com) -> direct
dip(geoip:cn) -> direct
fallback: default_group
}
'';
}; };
}; };
} }
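Review bot: `services.dae = { enable = mkDefault true; };` turns the proxy on for every host where `inMainland` holds, but this module no longer carries any dae configuration, so each such host has to supply `services.dae.config` or `services.dae.configFile` itself (the host config in this compare sets `configFile = "/var/lib/dae/config.dae"`); a host that forgets will presumably fail at evaluation or service start rather than run without a proxy. A comment on the `enable` line, `# dae config is host-provided; set services.dae.configFile or services.dae.config per machine`, would make that contract explicit. The `config = mkIf cfg {` block containing this hunk starts in the previous hunk.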


@ -1,157 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkEnableOption mkOption mkIf;
inherit (config.my-lib.settings)
internalDomain
;
cfg = config.commonSettings.network;
in
{
options.commonSettings.network = {
localdns = {
enable = mkEnableOption "Local DNS resolver";
cacheSize = mkOption {
type = lib.types.int;
description = "Max cache size for knot-resolver in MB";
default = 100;
};
};
tailscale = {
enable = mkEnableOption "Tailscale client" // {
default = true;
};
before = mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
};
};
};
config = lib.mkMerge [
(mkIf cfg.tailscale.enable {
sops = {
secrets = {
"tailscale/authkey" = {
sopsFile = ../../../machines/secrets.yaml;
};
};
};
services.tailscale = {
enable = true;
openFirewall = true;
permitCertUid = mkIf config.services.caddy.enable config.services.caddy.user;
extraUpFlags = [ "--accept-routes" ] ++ (lib.optional cfg.localdns.enable "--accept-dns=false");
authKeyFile = config.sops.secrets."tailscale/authkey".path;
};
commonSettings.network.tailscale.before = (
lib.optional config.services.caddy.enable "caddy.service"
);
systemd.services.tailscaled.before = cfg.tailscale.before;
systemd.services.tailscaled.serviceConfig.ExecStartPost =
pkgs.writers.writePython3 "tailscale-wait-online"
{
flakeIgnore = [
"E401" # import on one line
"E501" # line length limit
];
}
''
import subprocess, json, time
for _ in range(30):
status = json.loads(
subprocess.run(
["${lib.getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
).stdout
)["Self"]["Online"]
if status:
exit(0)
time.sleep(1)
exit(1)
'';
})
(mkIf cfg.localdns.enable {
networking.resolvconf = {
enable = true;
dnsExtensionMechanism = false;
# We should disable local resolver if dae is enabled
# to let dns traffic go through dae
useLocalResolver = !config.commonSettings.network.enableProxy;
};
services.resolved.enable = false;
services.kresd = {
enable = true;
listenPlain = [ "127.0.0.1:53" ];
listenTLS = [ "127.0.0.1:853" ];
extraConfig =
let
listToLuaTable =
x:
lib.pipe x [
(builtins.split "\n")
(builtins.filter (s: s != [ ] && s != ""))
(lib.strings.concatMapStrings (x: "'${x}',"))
];
chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt);
globalSettings = ''
log_level("notice")
modules = { 'hints > iterate', 'stats', 'predict' }
cache.size = ${toString cfg.localdns.cacheSize} * MB
trust_anchors.remove(".")
'';
tsSettings = ''
internalDomains = policy.todnames({'${internalDomain}'})
policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
'';
proxySettings = ''
policy.add(policy.domains(
policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
{ todname('hk-00.namely.icu') }))
policy.add(policy.domains(
policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
{ todname('la-00.namely.icu') }))
policy.add(policy.domains(
policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
{ todname('fra-00.namely.icu') }))
'';
mainlandSettings = ''
chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
policy.add(policy.suffix(policy.TLS_FORWARD({
{ "223.5.5.5", hostname="dns.alidns.com" },
{ "223.6.6.6", hostname="dns.alidns.com" },
}), chinaDomains))
policy.add(policy.all(policy.TLS_FORWARD({
{ "8.8.8.8", hostname="dns.google" },
{ "8.8.4.4", hostname="dns.google" },
})))
'';
overseaSettings = ''
policy.add(policy.all(policy.TLS_FORWARD({
{ "8.8.8.8", hostname="dns.google" },
{ "8.8.4.4", hostname="dns.google" },
})))
'';
in
globalSettings
+ (if config.services.tailscale.enable then tsSettings else "")
+ (
if config.commonSettings.network.enableProxy then
proxySettings + mainlandSettings
else
overseaSettings
);
};
})
];
}


@ -41,13 +41,10 @@ in
nix.optimise.automatic = true; nix.optimise.automatic = true;
nix.channel.enable = false;
nix.settings = { nix.settings = {
experimental-features = [ experimental-features = [
"nix-command" "nix-command"
"flakes" "flakes"
"ca-derivations"
]; ];
auto-optimise-store = true; auto-optimise-store = true;
trusted-users = [ "root" ]; trusted-users = [ "root" ];


@ -176,8 +176,11 @@ in
reverse_proxy 127.0.0.1:30310 reverse_proxy 127.0.0.1:30310
''; '';
networking.firewall.allowedTCPPorts = [ cfg.trojan.port ]; networking.firewall.allowedTCPPorts = [
networking.firewall.allowedUDPPorts = lib.range 6311 6314; 80
cfg.trojan.port
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
services.sing-box = { services.sing-box = {
enable = true; enable = true;
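Review bot: The new `networking.firewall.allowedTCPPorts` list opens port 80 with no indication of what listens there; a comment such as `# 80: plain-HTTP listener (TODO confirm which service binds it)` would keep the exposed-port list reviewable. `networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);` concatenates with an empty list for no effect; `networking.firewall.allowedUDPPorts = lib.range 6311 6314;` says the same thing. The enclosing `config` block starts outside this hunk.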


@ -1,56 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.commonSettings.serverComponents;
in
{
options = {
commonSettings.serverComponents = {
enable = lib.mkEnableOption "Common components on servers";
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
80
443
];
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
plugins = [
"github.com/caddy-dns/cloudflare@v0.2.1"
];
hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
};
};
services.caddy.globalConfig = ''
servers {
metrics
}
admin unix//var/run/caddy/admin.sock {
origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
}
'';
systemd.services.caddy.serviceConfig = {
RuntimeDirectory = "caddy";
RuntimeDirectoryMode = "0700";
};
custom.monitoring = {
promtail.enable = true;
};
custom.prometheus.exporters = {
enable = true;
node.enable = true;
};
};
}


@ -2,12 +2,9 @@
imports = [ imports = [
./common-settings/auth.nix ./common-settings/auth.nix
./common-settings/autoupgrade.nix ./common-settings/autoupgrade.nix
./common-settings/comin.nix
./common-settings/nix-conf.nix ./common-settings/nix-conf.nix
./common-settings/proxy-server.nix ./common-settings/proxy-server.nix
./common-settings/mainland.nix ./common-settings/mainland.nix
./common-settings/network.nix
./common-settings/server.nix
./disk-partitions ./disk-partitions
./restic.nix ./restic.nix
./monitor ./monitor


@ -0,0 +1,45 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.custom.forgejo-actions-runner;
settingsFormat = pkgs.formats.yaml { };
in
{
options = {
custom.forgejo-actions-runner = {
enable = lib.mkEnableOption "TPM supported ssh agent in go";
tokenFile = lib.mkOption { type = lib.types.path; };
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = settingsFormat.type;
};
default = { };
};
};
};
config = lib.mkIf cfg.enable {
virtualisation.docker.enable = true;
services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
services.gitea-actions-runner.instances = {
"git.xinyang.life" = {
enable = true;
url = "https://git.xinyang.life";
tokenFile = cfg.tokenFile;
name = config.networking.hostName;
labels = [
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
"nix:docker://xiny/nix-runner:2.21.0-pkgs-23.11"
];
settings = {
container.network = "host";
} // cfg.settings;
};
};
};
}
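Review bot: `container.network = "host"` in the instance settings puts every job container in the runner host's network namespace, so any workflow this runner picks up can reach services bound to loopback there — the vaultwarden module added in this same commit binds `ROCKET_ADDRESS = "127.0.0.1"` on port 8222, and Caddy's metrics/admin endpoints would be reachable the same way if they share a host. Unless only fully trusted repositories can schedule jobs on this runner, drop the host-network default and leave it to `cfg.settings` for callers that genuinely need it. The option description `mkEnableOption "TPM supported ssh agent in go"` is a copy-paste leftover and should read `mkEnableOption "Forgejo Actions runner"`. `tokenFile` is typed `lib.types.path`; a Nix path literal passed here is copied into the world-readable store, so add a guard comment such as `# runtime path only (e.g. a sops secret), never a store path` or switch to `types.str`.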


@ -0,0 +1,80 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.custom.kanidm-client;
in
{
options = {
custom.kanidm-client = {
enable = mkEnableOption "Kanidm client service";
asSSHAuth = mkOption {
type = types.submodule {
options = {
enable = mkEnableOption "Kanidm as system authentication source";
allowedGroups = mkOption {
type = types.listOf types.str;
example = [ "linux_users" ];
};
hardening = mkOption {
type = types.bool;
default = false;
};
};
};
};
sudoers = mkOption {
type = types.listOf types.str;
default = [ ];
};
uri = mkOption { type = types.str; };
};
};
config = mkIf cfg.enable {
services.kanidm = mkMerge [
(mkIf cfg.enable {
enableClient = true;
clientSettings = {
uri = cfg.uri;
};
})
(mkIf cfg.asSSHAuth.enable {
enablePam = true;
unixSettings = {
pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
default_shell = "/bin/sh";
};
})
];
services.openssh = mkIf cfg.asSSHAuth.enable {
enable = true;
authorizedKeysCommand = "/etc/ssh/auth %u";
authorizedKeysCommandUser = "kanidm-ssh-runner";
settings = mkIf cfg.asSSHAuth.enable {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkForce "no";
};
};
environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
mode = "0555";
text = ''
#!${pkgs.stdenv.shell}
${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
'';
};
users.groups.wheel.members = cfg.sudoers;
users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = {
isSystemUser = true;
group = "kanidm-ssh-runner";
};
};
}
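Review bot: The `asSSHAuth.hardening` option is declared but never read anywhere in the `config` section, so setting it to `true` changes nothing while the name suggests extra SSH lockdown is applied; either wire it up or remove it so callers are not misled. In the `/etc/ssh/auth` script the username is interpolated unquoted — `${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$1"` is the safe form, since sshd passes through whatever `%u` resolves to. The inner `(mkIf cfg.enable { ... })` inside `mkMerge` is redundant under the outer `config = mkIf cfg.enable`. A header comment stating that `authorizedKeysCommand` runs as the unprivileged `kanidm-ssh-runner` user and that password, keyboard-interactive and root login are disabled whenever `asSSHAuth.enable` is set would document the security posture this module encodes.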


@ -119,9 +119,12 @@ in
name = "ntfy"; name = "ntfy";
webhook_configs = [ webhook_configs = [
{ {
url = "${ntfyUrl}/prometheus-alerts?tpl=yes&m=%7B%7Brange%20.alerts%7D%7D%7B%7B%20if%20eq%20.status%20%22resolved%22%20%7D%7D%E2%9C%85%7B%7B%20else%20%7D%7D%7B%7B%20if%20eq%20.status%20%22firing%22%20%7D%7D%F0%9F%94%A5%7B%7Bend%7D%7D%7B%7Bend%7D%7D%7B%7B.labels.alertname%7D%7D%0A%7B%7B.annotations.summary%7D%7D%0A%7B%7Bend%7D%7D"; url = "${ntfyUrl}/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
{{range .alerts}}[{{ if eq .status "resolved" }} RESOLVED{{ else }}{{ if eq .status "firing" }}🔥 FIRING{{end}}{{end}}]{{range $k,$v := .labels}}
{{$k}}={{$v}}{{end}}
{{end}}''}";
send_resolved = true; send_resolved = true;
max_alerts = 10;
} }
]; ];
} }
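Review bot: Taking the `lib.escapeURL` template as the new side, the ntfy message now prints only the status marker and every `.labels` pair and no longer includes `{{.annotations.summary}}`, so the `summary` texts this commit reworks in the alert rules never reach the notification. Add the annotation back inside the per-alert range, e.g. a `{{.annotations.summary}}` line after the labels loop, or drop the summary rewrites. It is also not clear from the hunk which side `max_alerts = 10;` belongs to; if it was removed, a burst of firing alerts produces an unbounded message body in the URL. The receiver list this entry belongs to starts outside the hunk.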
@ -155,7 +158,7 @@ in
severity = "critical"; severity = "critical";
}; };
annotations = { annotations = {
summary = "Instance {{ $labels.instance }} of {{ $labels.job }} is down."; summary = "Job {{ $labels.job }} down for 1m.";
}; };
} }
]; ];


@ -5,15 +5,17 @@
... ...
}: }:
let let
inherit (lib) mkIf getExe; inherit (lib) mkIf concatStringsSep;
inherit (config.my-lib.settings) prometheusCollectors; inherit (config.my-lib.settings) prometheusCollectors;
cfg = config.custom.prometheus.exporters; cfg = config.custom.prometheus.exporters;
in in
{ {
config = { config = {
commonSettings.network.tailscale.before = systemd.services.tailscaled.after =
(lib.optional cfg.node.enable "prometheus-node-exporters.service") (lib.optional cfg.node.enable "prometheus-node-exporters.service")
++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service"); ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service")
++ (lib.optional config.services.caddy.enable "caddy.service");
services.prometheus.exporters.node = mkIf cfg.node.enable { services.prometheus.exporters.node = mkIf cfg.node.enable {
enable = true; enable = true;
enabledCollectors = [ enabledCollectors = [
@ -96,6 +98,26 @@ in
services.ntfy-sh.settings.enable-metrics = true; services.ntfy-sh.settings.enable-metrics = true;
services.caddy.globalConfig = ''
servers {
metrics
}
admin unix//var/run/caddy/admin.sock {
origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
}
'';
systemd.services.caddy.serviceConfig = {
RuntimeDirectory = "caddy";
RuntimeDirectoryMode = "0700";
};
services.tailscale = {
permitCertUid = config.services.caddy.user;
openFirewall = true;
};
services.caddy = { services.caddy = {
virtualHosts."https://${config.networking.hostName}.coho-tet.ts.net:2019".extraConfig = '' virtualHosts."https://${config.networking.hostName}.coho-tet.ts.net:2019".extraConfig = ''
handle /metrics { handle /metrics {
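Review bot: `systemd.services.tailscaled.after = [...]` on the new side orders tailscaled after the exporters and Caddy, which looks inverted: Caddy serves a `${hostName}.coho-tet.ts.net` vhost and is granted `permitCertUid`, and the Loki/promtail listeners elsewhere in this commit bind the same tailnet hostname, so those units want tailscaled up first. Put the ordering on the consumers instead, e.g. `systemd.services.caddy.after = [ "tailscaled.service" ];` and the same for each enabled exporter. Also note that NixOS names the exporter units `prometheus-node-exporter.service` and `prometheus-blackbox-exporter.service` (singular), so the plural names listed here most likely match no unit and the ordering is silently ignored — worth confirming with `systemctl list-units`. Moving the Caddy admin API to a 0700 unix socket is a good change; a one-line comment that it is intentionally not exposed on TCP would help the next reader.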


@ -22,9 +22,9 @@ in
name = "Kanidm"; name = "Kanidm";
client_id = "grafana"; client_id = "grafana";
scopes = "openid,profile,email,groups"; scopes = "openid,profile,email,groups";
auth_url = "https://${idpUrl}/ui/oauth2"; auth_url = "${idpUrl}/ui/oauth2";
token_url = "https://${idpUrl}/oauth2/token"; token_url = "${idpUrl}/oauth2/token";
api_url = "https://${idpUrl}/oauth2/openid/grafana/userinfo"; api_url = "${idpUrl}/oauth2/openid/grafana/userinfo";
use_pkce = true; use_pkce = true;
use_refresh_token = true; use_refresh_token = true;
allow_sign_up = true; allow_sign_up = true;


@ -15,7 +15,6 @@ let
; ;
inherit (config.my-lib.settings) inherit (config.my-lib.settings)
alertmanagerPort alertmanagerPort
internalDomain
; ;
cfg = config.custom.monitoring; cfg = config.custom.monitoring;
lokiPort = 3100; lokiPort = 3100;
@ -95,17 +94,16 @@ in
rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig); rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig);
in in
mkIf cfg.loki.enable { mkIf cfg.loki.enable {
systemd.services.loki.serviceConfig.After = "tailscaled.service";
services.loki = { services.loki = {
enable = true; enable = true;
configuration = { configuration = {
auth_enabled = false; auth_enabled = false;
server.http_listen_address = "${config.networking.hostName}.${internalDomain}"; server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net";
server.http_listen_port = lokiPort; server.http_listen_port = lokiPort;
common = { common = {
ring = { ring = {
instance_addr = "${config.networking.hostName}.${internalDomain}"; instance_addr = "${config.networking.hostName}.coho-tet.ts.net";
kvstore.store = "inmemory"; kvstore.store = "inmemory";
}; };
replication_factor = 1; replication_factor = 1;
@ -162,7 +160,7 @@ in
configuration = { configuration = {
server = { server = {
http_listen_address = "${config.networking.hostName}.${internalDomain}"; http_listen_address = "${config.networking.hostName}.coho-tet.ts.net";
http_listen_port = 28183; http_listen_port = 28183;
grpc_listen_port = 0; grpc_listen_port = 0;
}; };
@ -171,7 +169,7 @@ in
clients = [ clients = [
{ {
url = "http://thorite.${internalDomain}:${toString lokiPort}/loki/api/v1/push"; url = "http://thorite.coho-tet.ts.net:${toString lokiPort}/loki/api/v1/push";
} }
]; ];
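Review bot: The removed `systemd.services.loki.serviceConfig.After` was in the wrong section anyway (`After=` belongs to `[Unit]`, so systemd ignores it under `[Service]`), but nothing replaces it: Loki and promtail now listen on `${config.networking.hostName}.coho-tet.ts.net`, which is only bindable once tailscaled is up, so add `systemd.services.loki.after = [ "tailscaled.service" ];` (plus `wants`) and the same for promtail. `auth_enabled = false` is acceptable only because the listener sits on the tailnet address; a comment such as `# unauthenticated: only reachable via the tailnet listener` records that trust boundary. Hard-coding `coho-tet.ts.net` in three places instead of the removed shared setting invites drift, so a short note that the tailnet domain is deliberately fixed here would help. The Loki configuration block starts and ends outside the hunk.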


@ -0,0 +1,52 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.custom.vaultwarden;
in
{
options = {
custom.vaultwarden = {
enable = mkEnableOption "vaultwarden server";
domain = mkOption {
type = types.str;
default = "bitwarden.example.com";
description = "Domain name of the vaultwarden server";
};
caddy = mkOption {
type = types.bool;
default = true;
description = "Enable Caddy as reverse proxy";
};
# TODO: mailserver support
};
};
config = mkIf cfg.enable {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
DOMAIN = "https://${cfg.domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
};
};
services.caddy = mkIf cfg.caddy {
enable = true;
virtualHosts."https://${cfg.domain}".extraConfig = ''
reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}
'';
};
};
}
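Review bot: Vaultwarden behind this Caddy `reverse_proxy` will see every client as `127.0.0.1`: its default `IP_HEADER` is `X-Real-IP`, which Caddy's reverse_proxy does not set (it sends `X-Forwarded-For`), so login rate limiting and the IP recorded for failed logins are keyed to the proxy rather than the client. Set `IP_HEADER = "X-Forwarded-For";` in `config`, or add `header_up X-Real-IP {remote_host}` to the Caddy vhost — please confirm against the vaultwarden version pinned in this pkgs. The loopback bind and `SIGNUPS_ALLOWED = false` are the right defaults; a comment on the latter stating that public registration is intentionally closed would save the next admin a search. The `bitwarden.example.com` default for `domain` yields a plausible-looking but wrong `DOMAIN` if a caller forgets to set it; consider making the option required so evaluation fails loudly instead.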


@ -2,15 +2,9 @@
Demonstrate disk usage by nix-store path. Demonstrate disk usage by nix-store path.
## Tools
- new sops key should be added by using `sops updatekeys`
## TODO ## TODO
- [x] change caddy admin to unix socket - [x] change caddy admin to unix socket
- [ ] admin config persist = false - [ ] admin config persist = false
- [x] synapse jmalloc - [x] synapse jmalloc
- [ ] backup all directories under /var/lib/forgejo - [ ] backup all directories under /var/lib/forgejo
- [ ] collect caddy access logs with promtail (waiting for caddy v2.9.0 release after which log file mode can be set) - [ ] collect caddy access logs with promtail (waiting for caddy v2.9.0 release after which log file mode can be set)
- [ ] update "https" to "https-file" with dae 1.0.0
- [ ] move away from dnspod


@ -9,6 +9,4 @@
"idbloader.img" "idbloader.img"
]; ];
}; };
transmission-exporter = prev.callPackage ./pkgs/transmission-exporter.nix { };
}) })


@ -1,9 +1,6 @@
let let
mkFunction = f: (targets: (map f targets)); mkFunction = f: (targets: (map f targets));
mkPort = port: if isNull port then "" else ":${toString port}"; mkPort = port: if isNull port then "" else ":${toString port}";
# get text before "." in the url
subdomain = url: builtins.elemAt (builtins.elemAt (builtins.split "([a-zA-Z0-9]+)\..*" url) 1) 0;
in in
{ {
mkScrapes = mkFunction ( mkScrapes = mkFunction (
@ -132,7 +129,8 @@ in
severity = "critical"; severity = "critical";
}; };
annotations = { annotations = {
summary = "{{ $labels.job }} failed on {{ $labels.instance }}."; summary = "Systemd has failed units on {{ $labels.instance }}";
description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!";
}; };
} }
{ {
@ -143,7 +141,7 @@ in
severity = "warning"; severity = "warning";
}; };
annotations = { annotations = {
summary = "High load average on {{ $labels.instance }}."; summary = "High load average detected on {{ $labels.instance }}";
description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs.";
}; };
} }
@ -166,7 +164,7 @@ in
severity = "warning"; severity = "warning";
}; };
annotations = { annotations = {
summary = "Disk usage exceeeds 85% on {{ $labels.instance }}"; summary = "High disk usage on {{ $labels.instance }}";
}; };
} }
{ {
@ -179,6 +177,7 @@ in
}; };
annotations = { annotations = {
summary = "Disk usage will exceed 95% in 12 hours on {{ $labels.instance }}"; summary = "Disk usage will exceed 95% in 12 hours on {{ $labels.instance }}";
description = "Disk {{ $labels.mountpoint }} is predicted to exceed 92% usage within 12 hours at current growth rate";
}; };
} }
{ {
@ -189,7 +188,8 @@ in
severity = "warning"; severity = "warning";
}; };
annotations = { annotations = {
summary = "Swap usage above 80% on {{ $labels.instance }}"; summary = "High swap usage on {{ $labels.instance }}";
description = "Swap usage is above 80% for 5 minutes\n Current value: {{ $value }}%";
}; };
} }
{ {
@ -228,7 +228,7 @@ in
... ...
}: }:
{ {
job_name = "blackbox(${subdomain hostAddress})"; job_name = "blackbox(${hostAddress})";
scrape_interval = "1m"; scrape_interval = "1m";
metrics_path = "/probe"; metrics_path = "/probe";
params = { params = {
@ -268,14 +268,14 @@ in
inherit name; inherit name;
rules = [ rules = [
{ {
alert = "ProbeToError"; alert = "ProbeError";
expr = "sum by(instance) (probe_success != 1) > 0"; expr = "probe_success != 1";
for = "3m"; for = "3m";
labels = { labels = {
severity = "critical"; severity = "critical";
}; };
annotations = { annotations = {
summary = "Probing {{ $labels.instance }} failed"; summary = "Probing {{ $labels.instance }} from {{ $labels.from }} failed";
}; };
} }
{ {
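Review bot: The disk-growth prediction rule's annotations disagree on the new side: `summary` says usage will exceed 95% in 12 hours while the added `description` says 92%; one of them is wrong, and the threshold should be stated once, ideally the same number the rule's `expr` uses (not visible in the hunk). The new `ProbeError` summary references `{{ $labels.from }}`, but no `from` label is visible in the blackbox scrape job in this hunk; if it is not set via `relabel_configs`, the message renders an empty source. Changing `expr` from `sum by(instance) (probe_success != 1) > 0` to `probe_success != 1` makes the alert fire once per series rather than once per instance, which may be intended but deserves a comment since it changes notification volume. The surrounding rule and scrape builder definitions start and end outside the hunk.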


@ -1,7 +1,7 @@
{ {
settings = { settings = {
alertmanagerPort = 9093; alertmanagerPort = 9093;
idpUrl = "auth.xiny.li"; idpUrl = "https://auth.xinyang.life";
gotosocialUrl = "https://gts.xiny.li"; gotosocialUrl = "https://gts.xiny.li";
minifluxUrl = "https://rss.xiny.li"; minifluxUrl = "https://rss.xiny.li";
hedgedocDomain = "docs.xiny.li"; hedgedocDomain = "docs.xiny.li";
@ -13,12 +13,8 @@
synapseUrl = "https://xiny.li"; synapseUrl = "https://xiny.li";
synapseDelegateUrl = "https://synapse.xiny.li"; synapseDelegateUrl = "https://synapse.xiny.li";
transmissionExporterUrl = "weilite.coho-tet.ts.net:19091";
prometheusCollectors = [ prometheusCollectors = [
"thorite.coho-tet.ts.net" "thorite.coho-tet.ts.net"
]; ];
internalDomain = "coho-tet.ts.net";
}; };
} }


@ -1,32 +0,0 @@
{
lib,
fetchFromGitHub,
buildGoModule,
}:
buildGoModule rec {
pname = "transmission-exporter";
version = "0-unstable-2024-10-09";
rev = "v${version}";
src = fetchFromGitHub {
rev = "a7872aa2975c7a95af680c51198f4a363e226c8f";
owner = "metalmatze";
repo = "transmission-exporter";
sha256 = "sha256-Ky7eCvC1AqHheqGGOGBNKbtVgg4Y8hDG67gCVlpUwZo=";
};
vendorHash = "sha256-YhmfrM5iAK0zWcUM7LmbgFnH+k2M/tE+f/QQIQmQlZs=";
ldflags = [
"-X github.com/prometheus/common/version.Version=${version}"
"-X github.com/prometheus/common/version.Revision=${rev}"
];
meta = {
description = "Prometheus exporter for Transmission torrent client.";
homepage = "https://github.com/pborzenkov/transmission-exporter";
mainProgram = "transmission-exporter";
license = [ lib.licenses.mit ];
maintainers = [ lib.maintainers.xinyangli ];
};
}


@ -1,11 +0,0 @@
output_file="modules/nixos/common-settings/china-domains.txt"
curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/accelerated-domains.china.raw.txt" > "$output_file"
curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/apple.china.raw.txt" >> "$output_file"
curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/google.china.raw.txt" >> "$output_file"
# extra rules
cat >> $output_file <<- EOM
test.steampowered.com
steamserver.net
api.steampowered.com
EOM