biotite/vaultwarden: enable admin page

machines/biotite/secrets.yaml

@@ -11,6 +11,8 @@ hedgedoc:
     client_secret: ENC[AES256_GCM,data:J6lRBM7V6F+gPYVyEbOzsFUQe8+3ggP0r58c655DNt7TGgKGdq95pRvLaghMmBCc,iv:i+eLYwnmG1/bKtad2iM2pwEAC3GZLNaKS5ldbubRvyY=,tag:yxaug6YdYo8RR3YOyHd/iA==,type:str]
 forgejo:
     client_secret: ENC[AES256_GCM,data:5OXhaGzBCbge2tvTaU4ry6/KoavQeYJ45EuakCQJlxb5gMXjRK/s+feF25YJSr2f,iv:TT8j+ciKeSQCZzu1E7D70hWNFpn0cGiomz7jURXjavc=,tag:JVJR033Pc2vaLudaovkl8w==,type:str]
+vaultwarden:
+    admin_token: ENC[AES256_GCM,data:hRmnuehfMk3bF7tkxShnAGH1OB/yyCyaJqhdJQvSmVMtr6Cz7j1ZEeqfRI+jrqOi,iv:xYmP0Kwp5XkCcJWjqLwFOxRtUxIUH1r1fLUr5xyvpWo=,tag:Yj2nME07cA+ve3ipN6Ehqg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -35,8 +37,8 @@ sops:
             RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT
             ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-04T05:07:32Z"
+    lastmodified: "2025-03-23T13:32:31Z"
-    mac: ENC[AES256_GCM,data:hD7645epMVYHU6K1AZsHu+fp/PMIqqiZpv7K4Vxzo84slzn0CfZSYaVaYxKNGjOIgEGN9D2FFmq9WL6ChMskMfqqafY7qDpSQqFp9TUwb5jN34XcQg9vplfNw+lMqsnDCt1HENWErRnlDxTI2ctSEcx3UKGBOQ3ttLzUIySdnFY=,iv:reOsqvc8E3l8yxb5gVcqF/rU2o2yKmaUyGNRNT+Skx8=,tag:eBoV8G+X0cPs3Q1xAuv55w==,type:str]
+    mac: ENC[AES256_GCM,data:9xbcK+hl+tZTyikCpIOY6YBgaY8AOvaekyKTbQ47KJkQeNb3eyfAxBB1kivu/LU8H8pWWST8GpL/umllbwMzjRLVXU63CQle5cDuDVq9ySPMdxhmxyZ23bKJp7jUzTrGQMm+jnguCuCMxEeDo+R0ZD8a2nvbBT1XKYyVFSBB/0E=,iv:D5RrNSRa7bxivGCu24YT0nO0vuorSEK1VNVOEsJIfaA=,tag:xXXk9uCqZpr4RYqfnF0Ogw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4

machines/biotite/services/vaultwarden.nix

@@ -3,6 +3,18 @@ let
   inherit (config.my-lib.settings) vaultwardenUrl;
 in
 {
+
+  sops.secrets."vaultwarden/admin_token" = {
+    owner = "vaultwarden";
+  };
+
+  sops.templates."vaultwarden.env" = {
+    owner = "vaultwarden";
+    content = ''
+      ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin_token"}
+    '';
+  };
+
   services.vaultwarden = {
     enable = true;
     dbBackend = "sqlite";
@@ -15,6 +27,7 @@ in
 
       ROCKET_LOG = "normal";
     };
+    environmentFile = config.sops.templates."vaultwarden.env".path;
   };
 
   services.caddy = {

machines/calcite/configuration.nix

@@ -22,8 +22,17 @@ in
       signing.enable = true;
     };
     comin.enable = true;
+    network.localdns.enable = true;
   };
 
+  nix.settings.substituters = [
+    "https://nix-community.cachix.org"
+  ];
+  nix.settings.trusted-public-keys = [
+    # Compare to the key published at https://nix-community.org/cache
+    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+  ];
+
   # Bootloader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
@@ -56,6 +65,7 @@ in
   security.pam.services.login.enableGnomeKeyring = lib.mkForce false;
 
   programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
+  programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;
 
   networking.hostName = "calcite";
 
@@ -198,6 +208,7 @@ in
 
   hardware.pulseaudio.enable = false;
   security.rtkit.enable = true;
+  services.avahi.enable = true;
   services.pipewire = {
     enable = true;
     wireplumber.enable = true;
@@ -206,6 +217,23 @@ in
     pulse.enable = true;
     # If you want to use JACK applications, uncomment this
     jack.enable = true;
+
+    # Airplay client
+    raopOpenFirewall = true;
+    extraConfig.pipewire = {
+      "10-airplay" = {
+        "context.modules" = [
+          {
+            name = "libpipewire-module-raop-discover";
+
+            # increase the buffer size if you get dropouts/glitches
+            # args = {
+            #   "raop.latency.ms" = 500;
+            # };
+          }
+        ];
+      };
+    };
   };
 
   # Define a user account. Don't forget to set a password with ‘passwd’.

machines/calcite/network.nix

@@ -4,11 +4,14 @@
   lib,
   ...
 }:
-
+let
+  inherit (config.my-lib.settings)
+    internalDomain
+    ;
+in
 {
   imports = [ ];
 
-  # Enable networking
   networking = {
     networkmanager = {
       enable = true;
@@ -21,27 +24,6 @@
     };
   };
 
-  networking.resolvconf = {
-    enable = true;
-    dnsExtensionMechanism = false;
-    useLocalResolver = false;
-  };
-
-  services.kresd = {
-    enable = true;
-    listenPlain = [ ];
-    extraConfig = ''
-      log_level("notice")
-      net.listen('127.0.0.1', 53)
-      modules = { 'hints > iterate', 'stats', 'predict' }
-      cache.size = 100 * MB
-      trust_anchors.remove(".")
-      policy.add(policy.all(policy.TLS_FORWARD( {
-        { "8.8.8.8", hostname="dns.google" } })))
-    '';
-      # policy.add(policy.suffix(policy.FORWARD({ "100.100.100.100" }), policy.todnames({ 'coho-tet.ts.net' })))
-  };
-
   # Enable Tailscale
   services.tailscale = {
     enable = true;

modules/nixos/common-settings/network.nix

@@ -0,0 +1,87 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkEnableOption mkOption mkIf;
+  inherit (config.my-lib.settings)
+    internalDomain
+    ;
+  cfg = config.commonSettings.network;
+in
+{
+  options.commonSettings.network = {
+    localdns = {
+      enable = mkEnableOption "Local DNS resolver";
+      cacheSize = mkOption {
+        type = lib.types.int;
+        description = "Max cache size for knot-resolver in MB";
+        default = 100;
+      };
+    };
+  };
+
+  config = {
+    networking.resolvconf = mkIf cfg.localdns.enable {
+      enable = true;
+      dnsExtensionMechanism = false;
+      useLocalResolver = true;
+    };
+
+    services.kresd = mkIf cfg.localdns.enable {
+      enable = true;
+      listenPlain = [ "127.0.0.1:53" ];
+      listenTLS = [ "127.0.0.1:853" ];
+      extraConfig =
+        let
+          listToLuaTable =
+            x:
+            lib.pipe x [
+              (builtins.split "\n")
+              (builtins.filter (s: s != [ ] && s != ""))
+              (lib.strings.concatMapStrings (x: "'${x}',"))
+            ];
+          chinaDomains = listToLuaTable (builtins.readFile ./china-domain.txt);
+          globalSettings = ''
+            log_level("notice")
+            modules = { 'hints > iterate', 'stats', 'predict' }
+            cache.size = ${cfg.localdns.cacheSize} * MB
+            trust_anchors.remove(".")
+          '';
+          tsSettings = ''
+            internalDomains = policy.todnames({'${internalDomain}'})
+            policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
+          '';
+          proxySettings = ''
+            policy.add(policy.domains(
+              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
+              { todname('hk-00.namely.icu') }))
+            policy.add(policy.domains(
+              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
+              { todname('la-00.namely.icu') }))
+            policy.add(policy.domains(
+              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
+              { todname('fra-00.namely.icu') }))
+          '';
+          mainlandSettings = ''
+            chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
+            policy.add(policy.suffix(policy.TLS_FORWARD({
+              { "223.5.5.5", hostname="dns.alidns.com" },
+              { "223.6.6.6", hostname="dns.alidns.com" },
+            }), chinaDomains))
+            policy.add(policy.all(policy.TLS_FORWARD({
+              { "8.8.8.8", hostname="dns.google" },
+              { "8.8.4.4", hostname="dns.google" },
+            })))
+          '';
+          overseaSettings = ''
+            policy.add(policy.all(policy.TLS_FORWARD({
+              { "8.8.8.8", hostname="dns.google" },
+              { "8.8.4.4", hostname="dns.google" },
+            })))
+          '';
+        in
+        globalSettings
+        + (if config.services.dae.enable then proxySettings else "")
+        + (if config.services.tailscale.enable then tsSettings else "")
+        + (if config.inMainland then mainlandSettings else overseaSettings);
+    };
+  };
+}

scripts/update-china-list.sh

@@ -0,0 +1,4 @@
+output_file="modules/nixos/common-settings/china-domains.txt"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/accelerated-domains.china.raw.txt" > "$output_file"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/apple.china.raw.txt" >> "$output_file"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/google.china.raw.txt" >> "$output_file"