2023-07-27 19:01:58 +08:00
parent 68f4374c91
commit 3d2624284f
7 changed files with 225 additions and 105 deletions


@@ -150,6 +150,7 @@
./modules/system
./modules/virtualization
./modules/services
./modules/bugs
(inputs: { config =
{
nixos =
@@ -178,7 +179,7 @@
};
kernel =
{
patches = [ "hdmi" "cjktty" "preempt" ];
patches = [ "cjktty" "preempt" ];
modules.modprobeConfig = [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
};
hardware =
@@ -257,56 +258,12 @@
};
};
sshd.enable = true;
xrayClient = { enable = true; dnsAdditionalInterfaces = [ "docker0" ]; };
firewall.trustedInterfaces = [ "docker0" "virbr0" ];
};
};
systemd =
{
sleep.extraConfig = localLib.stripeTabs
"
SuspendState=freeze
HibernateMode=shutdown
";
services =
{
reload-iwlwifi-after-hibernate =
{
description = "reload iwlwifi after resume from hibernate";
after = [ "systemd-hibernate.service" ];
serviceConfig =
{
Type = "oneshot";
script =
let
modprobe = "${inputs.pkgs.kmod}/bin/modprobe";
in localLib.stripeTabs
"
${modprobe} -r iwlwifi
${modprobe} iwlwifi
echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
";
};
wantedBy = [ "systemd-hibernate.service" ];
};
lid-no-wakeup =
{
description = "lid no wake up";
serviceConfig.ExecStart =
let
cat = "${inputs.pkgs.coreutils}/bin/cat";
grep = "${inputs.pkgs.gnugrep}/bin/grep";
in localLib.stripeTabs
"
if ${cat} /proc/acpi/wakeup | ${grep} LID0 | ${grep} -q enabled
then
echo LID0 > /proc/acpi/wakeup
fi
";
wantedBy = [ "multi-user.target" ];
};
};
bugs = [ "intel-hdmi" "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" ];
};
}; })
./modules/networking/wall_client.nix
./modules/networking/xmunet.nix
./modules/networking/chn-PC.nix
[ ./modules/users/root.nix {} ]

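--- /dev/null
+++ b/modules/bugs/default.nix
@@ -0,0 +1,65 @@
+inputs:
+{
+options.nixos.bugs = let inherit (inputs.lib) mkOption types; in mkOption
+{
+type = types.listOf (types.enum
+[
+# intel i915 hdmi
+"intel-hdmi"
+# suspend & hibernate do not use platform
+"suspend-hibernate-no-platform"
+# reload iwlwifi after resume from hibernate
+"hibernate-iwlwifi"
+# disable wakeup on lid open
+"suspend-lid-no-wakeup"
+]);
+default = [];
+};
+config =
+let
+inherit (inputs.localLib) stripeTabs;
+inherit (builtins) map;
+inherit (inputs.lib) mkMerge mkIf;
+inherit (inputs.config) bugs;
+patches =
+{
+intel-hdmi = { boot.kernelPatches = { name = "intel-hdmi"; patch = ./intel-hdmi.patch; };};
+suspend-hibernate-no-platform.systemd.sleep.extraConfig = stripeTabs
+"
+SuspendState=freeze
+HibernateMode=shutdown
+";
+hibernate-iwlwifi.systemd.services.reload-iwlwifi-after-hibernate =
+{
+description = "reload iwlwifi after resume from hibernate";
+after = [ "systemd-hibernate.service" ];
+serviceConfig.Type = "oneshot";
+script = let modprobe = "${inputs.pkgs.kmod}/bin/modprobe"; in stripeTabs
+"
+${modprobe} -r iwlwifi
+${modprobe} iwlwifi
+echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
+";
+wantedBy = [ "systemd-hibernate.service" ];
+};
+suspend-lid-no-wakeup.systemd.services.lid-no-wakeup =
+{
+description = "lid no wake up";
+serviceConfig.Type = "oneshot";
+script =
+let
+cat = "${inputs.pkgs.coreutils}/bin/cat";
+grep = "${inputs.pkgs.gnugrep}/bin/grep";
+in stripeTabs
+"
+if ${cat} /proc/acpi/wakeup | ${grep} LID0 | ${grep} -q enabled
+then
+echo LID0 > /proc/acpi/wakeup
+fi
+";
+wantedBy = [ "multi-user.target" ];
+};
+};
+in
+mkMerge (map (bug: patches.${bug}) bugs);
+}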
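Review bot: `intel-hdmi = { boot.kernelPatches = { name = "intel-hdmi"; patch = ./intel-hdmi.patch; }; }` assigns a single attrset, but NixOS declares `boot.kernelPatches` as a list of attrsets, so selecting this bug should fail the option type check; wrapping it fixes that: `intel-hdmi.boot.kernelPatches = [{ name = "intel-hdmi"; patch = ./intel-hdmi.patch; }];`. The `echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo` line inside the hibernate-iwlwifi script has nothing to do with iwlwifi, and because NixOS runs unit scripts with errexit, a host without the intel_pstate sysfs node would have the whole oneshot fail after every resume; it belongs in its own bug entry, or at least needs a comment saying why it rides along here. The enum comments are the only documentation in the file; a header such as `# Per-machine hardware workarounds, selected by name through nixos.bugs and merged into the system config` at the top would orient a reader before the `patches` table.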


@@ -2,7 +2,7 @@ inputs:
{
options.nixos.kernel = let inherit (inputs.lib) mkOption types; in
{
patches = mkOption { type = types.listOf (types.enum [ "hdmi" "cjktty" "preempt" ]); default = []; };
patches = mkOption { type = types.listOf (types.enum [ "cjktty" "preempt" ]); default = []; };
modules =
{
install = mkOption { type = types.listOf types.str; default = []; };
@@ -45,7 +45,6 @@ inputs:
let
patches =
{
hdmi = { patch = ./hdmi.patch; };
cjktty =
{
patch = inputs.pkgs.fetchurl


@@ -1,55 +0,0 @@
inputs:
{
config =
{
services =
{
dnsmasq =
{
enable = true;
settings =
{
no-poll = true;
server = [ "127.0.0.1#10853" ];
listen-address = [ "127.0.0.1" "172.17.0.1" ];
bind-interfaces = true;
ipset =
[
"/developer.download.nvidia.com/noproxy_net"
"/yuanshen.com/noproxy_net"
"/zoom.us/noproxy_net"
];
};
};
xray = { enable = true; settingsFile = inputs.config.sops.secrets."xray.json".path; };
v2ray-forwarder = { enable = true; proxyPort = 10880; xmuPort = 10881; };
};
sops.secrets."xray.json" =
{ mode = "0440"; owner = "v2ray"; group = "v2ray"; restartUnits = [ "xray.service" ]; };
systemd.services.xray.serviceConfig =
{
DynamicUser = inputs.lib.mkForce false;
User = "v2ray";
Group = "v2ray";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
LimitNPROC = 10000;
LimitNOFILE = 1000000;
};
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
boot.kernel.sysctl =
{
"net.ipv4.conf.all.route_localnet" = true;
"net.ipv4.conf.default.route_localnet" = true;
"net.ipv4.conf.all.accept_local" = true;
"net.ipv4.conf.default.accept_local" = true;
"net.ipv4.ip_forward" = true;
"net.ipv4.ip_nonlocal_bind" = true;
"net.bridge.bridge-nf-call-iptables" = false;
"net.bridge.bridge-nf-call-ip6tables" = false;
"net.bridge.bridge-nf-call-arptables" = false;
};
environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
networking.firewall.trustedInterfaces = [ "docker0" "virbr0" ];
};
}


@@ -37,6 +37,12 @@ inputs:
};
};
sshd.enable = mkOption { type = types.bool; default = false; };
xrayClient =
{
enable = mkOption { type = types.bool; default = false; };
dnsAdditionalInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};
firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};
config =
let
@@ -191,5 +197,144 @@ inputs:
(
mkIf services.sshd.enable { services.openssh.enable = true; }
)
(
mkIf services.xrayClient.enable
{
services =
{
dnsmasq =
{
enable = true;
settings =
{
no-poll = true;
server = [ "127.0.0.1#10853" ];
interface = services.xrayClient.dnsAdditionalInterfaces ++ [ "lo" ];
bind-interfaces = true;
ipset =
[
"/developer.download.nvidia.com/noproxy_net"
"/yuanshen.com/noproxy_net"
"/zoom.us/noproxy_net"
];
};
};
xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-client.json".path; };
v2ray-forwarder = { enable = true; proxyPort = 10880; xmuPort = 10881; };
};
sops.templates."xray-client.json" =
{
mode = "0440";
owner = "v2ray";
group = "v2ray";
restartUnits = [ "xray.service" ];
content = builtins.toJSON
{
log.loglevel = "warning";
dns =
{
servers =
[
{ address = "223.5.5.5"; domains = [ "geosite:geolocation-cn" ]; port = 53; skipFallback = true; }
{ address = "8.8.8.8"; domains = [ "geosite:geolocation-!cn" ]; port = 53; skipFallback = true; }
{ address = "223.5.5.5"; expectIPs = [ "geoip:cn" ]; }
{ address = "8.8.8.8"; }
];
disableCache = true;
queryStrategy = "UseIPv4";
tag = "dns-internal";
};
inbounds =
[
{
port = 10853;
protocol = "dokodemo-door";
settings = { address = "8.8.8.8"; network = "tcp,udp"; port = 53; };
tag = "dns-in";
}
{
port = 10880;
protocol = "dokodemo-door";
settings = { network = "tcp,udp"; followRedirect = true; };
streamSettings.sockopt.tproxy = "tproxy";
sniffing = { enabled = true; destOverride = [ "http" "tls" ]; routeOnly = true; };
tag = "common-in";
}
{
port = 10881;
protocol = "dokodemo-door";
settings = { network = "tcp,udp"; followRedirect = true; };
streamSettings.sockopt.tproxy = "tproxy";
tag = "xmu-in";
}
{ port = 10882; protocol = "socks"; tag = "direct-in"; }
];
outbounds =
[
{
protocol = "vless";
settings.vnext =
[{
address = inputs.config.sops.placeholder.xray-client.server;
port = 443;
users =
[{
id = inputs.config.sops.placeholder.xray-client.uuid;
encryption = "none";
flow = "xtls-rprx-vision-udp443";
}];
}];
streamSettings =
{
network = "tcp";
security = "tls";
tlssettings =
{
serverName = inputs.config.sops.placeholder.xray-client.serverName;
allowInsecure = false;
fingerprint = "firefox";
};
};
tag = "proxy-vless";
}
{ protocol = "freedom"; tag = "direct"; }
{ protocol = "dns"; tag = "dns-out"; }
{
protocol = "socks";
settings.servers = [{ address = "127.0.0.1"; port = 10069; }];
tag = "xmu-out";
}
];
routing =
{
domainStrategy = "IPIfNonMatch";
rules = builtins.map (rule: rule // { type = "field"; })
[
{ inboundTag = [ "dns-in" ]; outboundTag = "dns-out"; }
{ inboundTag = [ "xmu-in" ]; outboundTag = "xmu-out"; }
{ inboundTag = [ "direct-in" ]; outboundTag = "direct"; }
{ inboundTag = [ "common-in" ]; domain = [ "geosite:geolocation-cn" ]; outboundTag = "direct"; }
{ inboundTag = [ "common-in" ]; domain = [ "geosite:geolocation-!cn" ]; outboundTag = "proxy-vless"; }
{ inboundTag = [ "common-in" "dns-internal" ]; ip = [ "geoip:cn" ]; outboundTag = "direct"; }
{ inboundTag = [ "common-in" "dns-internal" ]; outboundTag = "proxy-vless"; }
];
};
};
};
systemd.services.xray.serviceConfig =
{
DynamicUser = inputs.lib.mkForce false;
User = "v2ray";
Group = "v2ray";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
LimitNPROC = 10000;
LimitNOFILE = 1000000;
};
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
}
)
{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
];
}
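Review bot: The `direct-in` socks inbound (`{ port = 10882; protocol = "socks"; tag = "direct-in"; }`) and the `dns-in` dokodemo-door inbound set no `listen`, and xray binds inbounds to all interfaces by default, so an unauthenticated SOCKS proxy wired to the `direct` outbound is reachable from every interface the firewall lets through — including `docker0`/`virbr0`, which this same module marks as trusted. Unless container and VM access is intended, pin both to loopback: `{ listen = "127.0.0.1"; port = 10882; protocol = "socks"; tag = "direct-in"; }` and `listen = "127.0.0.1";` on the `dns-in` entry, since dnsmasq only forwards to `127.0.0.1#10853`. The two tproxy inbounds have to stay wide, but they are reached through redirect rules rather than by clients connecting to them directly. The template reads `inputs.config.sops.placeholder.xray-client.server`, `.uuid` and `.serverName` while no matching `sops.secrets` are declared in this hunk; if they are not declared elsewhere the template cannot render, and a nested lookup on `placeholder` only works if those names are real attribute paths in the sops-nix version in use. The list this `mkIf` branch is an element of starts before the hunk.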


@@ -72,6 +72,15 @@ inputs:
"vm.oom_dump_tasks" = false;
"vm.overcommit_memory" = 1;
"dev.i915.perf_stream_paranoid" = false;
"net.ipv4.conf.all.route_localnet" = true;
"net.ipv4.conf.default.route_localnet" = true;
"net.ipv4.conf.all.accept_local" = true;
"net.ipv4.conf.default.accept_local" = true;
"net.ipv4.ip_forward" = true;
"net.ipv4.ip_nonlocal_bind" = true;
"net.bridge.bridge-nf-call-iptables" = false;
"net.bridge.bridge-nf-call-ip6tables" = false;
"net.bridge.bridge-nf-call-arptables" = false;
};
supportedFilesystems = [ "ntfs" ];
consoleLogLevel = 7;
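Review bot: The nine forwarding sysctls (`net.ipv4.ip_forward`, both `route_localnet`, both `accept_local`, `ip_nonlocal_bind`, and the three `net.bridge.bridge-nf-call-*` = false) are now set unconditionally in the shared sysctl block, whereas the deleted file scoped them to the transparent-proxy host and the new `mkIf services.xrayClient.enable` branch no longer sets them. `route_localnet = true` together with `ip_forward = true` lets routed traffic reach 127.0.0.0/8 listeners that assume they are loopback-only, and `bridge-nf-call-iptables = false` takes netfilter out of the path for bridged docker/libvirt traffic, so on hosts that never run the proxy this is exposure with no benefit. Consider moving these entries back under the `xrayClient.enable` branch as a `boot.kernel.sysctl = { ... };` attrset inside that `mkIf`, keeping only the memory and i915 entries here. The enclosing `boot.kernel.sysctl` attrset starts before the hunk.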