diff --git a/.sops.yaml b/.sops.yaml index 4103bef0..851a9b0e 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -54,3 +54,6 @@ creation_rules: - path_regex: devices/cross/secrets/chn.yaml$ key_groups: - age: [ *chn, *pc, *nas ] + - path_regex: devices/cross/secrets/xray-server.yaml$ + key_groups: + - age: [ *chn, *vps4, *vps6, *vps9, *nas ] diff --git a/devices/cross/secrets/xray-server.yaml b/devices/cross/secrets/xray-server.yaml new file mode 100644 index 00000000..60790c04 --- /dev/null +++ b/devices/cross/secrets/xray-server.yaml 
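Review bot: The new `creation_rules` entry for `devices/cross/secrets/xray-server.yaml` makes a single file, holding every client entry and the server `private-key`, decryptable by five age recipients (`*chn, *vps4, *vps6, *vps9, *nas`), so compromise of any one of those hosts exposes the key and the full client list for all of them. Nothing visible in this diff shows `nas` consuming the `xray-server` secret, so if it only acts as a client I would drop it from the group: `- age: [ *chn, *vps4, *vps6, *vps9 ]`. If the consolidation is deliberate, a short comment above the rule would help, stating that the key is shared by the three VPS hosts and that rotating it affects all of them.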
@@ -0,0 +1,98 @@ +xray-server: + clients: + #ENC[AES256_GCM,data:apFo,iv:GVyUtpmMFo2KR06S6hgm0Zy/iUJk4cbi9Yl/TiNkxfs=,tag:KdaMi6k9bLqlnVeCZ5Ohlg==,type:comment] + user0: ENC[AES256_GCM,data:qbXM3ZlNPd2A8Jt12qO1huCpXEGN1MsL5oPPYIuIJWtJd/k4,iv:3/be8p4HZnRbplLo6XrVa8TCvnLGRB0pYSsHrqZnZuM=,tag:SiViFW7BHISfR4CTqZHHCw==,type:str] + #ENC[AES256_GCM,data:qK++2XZ8JQ==,iv:cTBGDX7ZvPuGBbueoxTaTRhAk94J+MVhLmCwPNYy2WM=,tag:cgcxD8niAhRzBHlW0Hb4YA==,type:comment] + user1: ENC[AES256_GCM,data:qrsdJEEH0K3FQUBy2z6uXgg7iIhSLjNdhytb4nlXWDS4s784,iv:2/QfNMq/mvXVr/Kkt1/8QT0SLQRMrIMQi7lV9JwtJUY=,tag:XraahXAHu6agGAzTIs8zNA==,type:str] + #ENC[AES256_GCM,data:HBbmq8qGjZXo3w==,iv:wUeTTL2ceksqBvjxtUiOAlZmmuvXktWB/DoEFUBGsMM=,tag:QTEp6rrFXyLf2UHtE4wcUQ==,type:comment] + user2: ENC[AES256_GCM,data:QjONa3SjB7B/uzu9g8Um9YB8JsIoGdWmvk7A+hSe+TniPHql,iv:7OH4gspFB4eIAxGBHTFBEq6y5N1MTErbgQ6jzbyXUIo=,tag:X8h0gidTnD55KKSFcbuiLA==,type:str] + #ENC[AES256_GCM,data:dxMJLsx7IPiEN9g=,iv:JtDsa8j4alMMm6v+Fv5CUDiliLh7iz16dSgEQQcjvi8=,tag:5PgogsAqbeVMEtpFCHOWmg==,type:comment] + user3: ENC[AES256_GCM,data:exjMqGscWD1EzA8PTGw4rrd75K6SVFPuiaixE5iCRIkGLyYZ,iv:dfP7ZOaMtNCFhWvfkaFeFPFUZD4h3vQhoHj/SI3+bG0=,tag:ohkuRMP7qVFtNP8QOFb8ng==,type:str] + #ENC[AES256_GCM,data:uSJneMPH2A==,iv:BIyirNs1W1SJ/f26D4V1MwQR+AllT4Se1KmEeHzqP7c=,tag:99GkRHlVdfhxdN3zaPN/uQ==,type:comment] + user4: ENC[AES256_GCM,data:2efLv9agodkVcZSBBsVzPPrCze5cpb0C9A3WkZIrfoBF1YxH,iv:YBciseSbBo7Wxm96X34uHOwTHoxMJL5bDWhQm66s0lM=,tag:T6/kBJPZLTj1l40mnp97xA==,type:str] + #ENC[AES256_GCM,data:x2izZg==,iv:MWq/PyJtSeRkvjtLOcuy1JZ2RA1JN+qfrkWNdH3D3W0=,tag:Y6MSxOQsxPIpeB3U5L5LuQ==,type:comment] + user5: ENC[AES256_GCM,data:t8agOEuxDtEHx4fmw4okIskHP5DBuY2NaMKL6OBBv/F+Imxd,iv:PKeQgxq/E4vE4FKaG8uyFKhuMAzhPlUpE25UiL+9oGM=,tag:DVPzdtcG3Hck5HQ1c2FoKQ==,type:str] + #ENC[AES256_GCM,data:LeZZ1g==,iv:1c9z1Id4SOy5M8zXbEBzK3ePaKm5iDlyGjPuxvd/P6c=,tag:D7s1oWI5ONur/zbJLFhfEg==,type:comment] + user7: 
ENC[AES256_GCM,data:Yk6XSTV8fvLEDOKO67WA0DkPPHWYMPHbY/agEo9N5UZKWd34,iv:VnfMVQeVGqEsrI4+F5FsJz+btO2JjIJ7+Xtb1y/a5mg=,tag:VFuy2HFuR/xL6TpfI2pXZQ==,type:str] + #ENC[AES256_GCM,data:LJrX+KL9IPx+Qg==,iv:CeDhlFJXwxNQf25V/z+1nK+l2ymkVhkKPjeqY8Txfn8=,tag:KMnvIEbhqKCpQK+7XkoR/A==,type:comment] + user8: ENC[AES256_GCM,data:qZlOJmLVhboazv+RN6TCOuxPheeM3+pmur8ZggaPlOJAyOYo,iv:Mrq1LLte/+8HzOZI3yKapH/vhEfNW9lP9py4JYkdW8A=,tag:HA/XFbLK2cu5Qx+F78M8tQ==,type:str] + #ENC[AES256_GCM,data:oJmtrGgpDsGGFw==,iv:OKt2T7A8X+ASW1AB1TisTqTMKaE5xQsrW/gSwTfjHBw=,tag:/OCwEYiQIK2MxfgpGJdQpA==,type:comment] + user9: ENC[AES256_GCM,data:R/R2+4kR6EE8CpVONcmkHDSBfvG1Vo82fXCUYA/XGfQL8Hu3,iv:iqkivoGnvNKWOXw+CQ+/xfQeRXfG/OSUMNmv1ZfcyUU=,tag:xeEWhHBR9dRyx542G6ywzw==,type:str] + #ENC[AES256_GCM,data:StwPOQo=,iv:VkuAD9NevMl0hdnb31vWN5CTOKpt/2agjjx0QUpkVf4=,tag:jPW4n28Yx7L2FOV9qC50hw==,type:comment] + user10: ENC[AES256_GCM,data:QrYqOyxFkNTNk1gzxZR5tyQCInAapf7ZQs5ZSDpBwysgolKg,iv:BJuTVRvpEKc6OpTtiwCmVwySoLSroxr7PrcHStezgAc=,tag:5j4TsHjyiLJPqZNtzvkhtg==,type:str] + #ENC[AES256_GCM,data:qYr1yinZQw==,iv:hhPlIlvqTQhx2aaykfvYHfp4WOPkUvt7V9RYyF4M+9Q=,tag:Zo7nVeDN6mEvLLQVQ00vbg==,type:comment] + user12: ENC[AES256_GCM,data:UP6+WhGaySTAu/CHhPKviinNG4idINYQrS9JS/rRARcC6D83,iv:KeqVGDWmukQmQP6jALXgiVu9tdYTdbUoLjuhio04UJw=,tag:0Lg89PSA1mtJbJxELu1+GA==,type:str] + #ENC[AES256_GCM,data:vwcHgHRYjkNISQ==,iv:dyjjpPBApwwMKdzBezl3CoplmqSkd86Xg/Cqt6LEI4U=,tag:iqSnfbIUE4eBcNBRn/4E2w==,type:comment] + user13: ENC[AES256_GCM,data:BC47uCs4ww6GvmVDyyxsfU1neXejZ7G2A2zgjdsABVCZBKRu,iv:n4+JPd35lhDaWkcf7c826b2eOg/UDmuarLYIjtDh1co=,tag:lD5gwDyiZ85O4790O+u4Ng==,type:str] + #ENC[AES256_GCM,data:uhxnoQ7KcZ6MFQ==,iv:aM3zaFvL2Zem9I1sC+Guqw33Zl3hk2RxBn+oP9xaHUw=,tag:2bDvig8aIN9mpvMeX5FU1g==,type:comment] + user16: ENC[AES256_GCM,data:zWOkpPwFoXUirk21I+VwAhX0uZ2j+W8dDCaYAnVQdpqCrTo7,iv:IAl6jhop6l6IqetMCd23PEqE3WvErlXa6kBbKrIni2c=,tag:Kk7alU4T0PeYSgfq3LbP8A==,type:str] + 
#ENC[AES256_GCM,data:+GWm3samEUggJw==,iv:LcLIjh1eXMT4JIxNPyCbgiqUCZyS6mUv5E6kYnupasg=,tag:C/P5lscrlu56o532A+qjlQ==,type:comment] + user17: ENC[AES256_GCM,data:pyaEKKNJrwJ7cVxHg64dVT3i08Wbboo1wmGC+U6qW1l73oHY,iv:AkJ32rtr+a50xw30Jr5/Sb/flIK7cJG30Iw44Hb5FUU=,tag:d0c+ezonaZ5mSFsPCRr+lg==,type:str] + #ENC[AES256_GCM,data:v8kPeimXbQc9fA==,iv:f4kPRsNSUpqy8Vhe1I7CoN5X2kq/h74H8GAbkKmcslU=,tag:6RiCtYXezZ1+7e3DI0Jlww==,type:comment] + user18: ENC[AES256_GCM,data:oza5WDfR+sGXdW5sTrHfjl1haxq8B6r3bddChsmV6FQIz/AF,iv:hH3Zr9gsd+fdIdbZTMD8L5c71WtODm/yLvj0TcvSa4Q=,tag:mQxIYxnyvsNPhlXC6SwcHQ==,type:str] + #ENC[AES256_GCM,data:t088qCSsFlUCHw==,iv:hmLtwQVU4sfaPRDs+hk4LuMGlLFh4X+jq/Lm1BndyyY=,tag:JkqjOFPqYZ6PkjDV2DC1LA==,type:comment] + user19: ENC[AES256_GCM,data:xALQ/0gw5FeInNhWACt4aL0PJhnXBBMrDIcmC8DuwKy8X8YS,iv:4AT8vFMFSnQ3f5W9dXyYlYGHegnN7+3Jvb+6AiIotgY=,tag:WLRWve/V37GK52xX61dphQ==,type:str] + #ENC[AES256_GCM,data:q9md9z3G56TxRxo=,iv:7iqkqUZkdTYZgDFG7W4LgUxu1Ej7BW2bbf/UKO6XHm0=,tag:rtTIzd11/w+ZaWylDO8qcQ==,type:comment] + user20: ENC[AES256_GCM,data:FoJvPPZZxUjPF/41kZnFeJl0tA6sMo3QZ861gJyOj/Z4H5b3,iv:oGjaZ6S4Cx18qOuxPhiJXsKsHgv78y6u5oe3yWegob4=,tag:Yaln5CwBcQxmOmPxK3QFWg==,type:str] + #ENC[AES256_GCM,data:NCSde360stul/Bg=,iv:s7sBwjT4gWqkRp2qRs6LVWmo6G9iul/YYGwFriLIOgU=,tag:b4n6y2Z9bGfdnMEd0Om1Ow==,type:comment] + user21: ENC[AES256_GCM,data:1ORcDJ3eb+ohwWYVQa2wqoEqJD+1SiSFP3ZGoSEzmn9v41xW,iv:QkZwkI4wxO6ELWozCSZCxR4/FUSeGSbPx655d8RzsD8=,tag:i9KcmcoV57zKNvRIMexV3g==,type:str] + #ENC[AES256_GCM,data:0nKWzfJN63aG,iv:TsVdd7xhf0m0v4hWYSrbLyU5yrfviBqWKW5iQ9fwmN4=,tag:h6k5YwGO3rWAdumWEWjOjQ==,type:comment] + user22: ENC[AES256_GCM,data:AOLJcash08/caBGQwAomJqn6twokZT3hR7v06LsA2SFzPO+d,iv:wR10fgBQJFdKMHiwnGrcpAPodojqF04MqICz3hS/NOg=,tag:i7QScjq+Q3bGCW31kmZ8cA==,type:str] + #ENC[AES256_GCM,data:MPxp5ByvaGlzT6E=,iv:jQgU1CkGL/7HWrPBfcuolcbH4JywEYishMgMs2U+Hf8=,tag:nUYRxYhuu84a4fB60c3/qA==,type:comment] + user23: 
ENC[AES256_GCM,data:Tu6wla+a1YJrwl4kPTBvOc7FfslJvU4dqvM0x8WWIgqMvtKx,iv:zHAK7zeW4oXnBDFhfhjYXG03utVV4e3Ytq4B3n2U1+A=,tag:LuGmEksvoxip5/2SUPptIQ==,type:str] + #ENC[AES256_GCM,data:N90c2ThJckmw+AE=,iv:Lrw0p/HLzWdz6WyO8CjHfnuIHsZut4eUcg786AYhGLI=,tag:J3s1QHEqmxA7Twaqy28X2w==,type:comment] + user24: ENC[AES256_GCM,data:oCBJAUCZMDMXcwQy5WTx4mgf+2R1P6GW3H47DQCQlqD3w/E6,iv:eBIbcALdsBo4DEgrqvF/Ikz96tDznZfGnyswPpnHF0s=,tag:VH9UpMdSCv6mUJhbNbB5NA==,type:str] + #ENC[AES256_GCM,data:L8sLOCZPDuDs/0I=,iv:fTGz1ic5oeVhPDKoioTBqaVgfPMx41Drsph757OJNZI=,tag:akxseSJLwJhQBbFUAQdbyw==,type:comment] + user25: ENC[AES256_GCM,data:mjGyAwUjgdnyIXwsHEF/QbZiyqF9qpq+iIFkG2YH28hs336f,iv:dqLR2uy+VguRnmn9HRuS8cTPf2n3Q7Z64t1n/iQInhE=,tag:CZHGF3z0pi6YD+jzXv2ZsQ==,type:str] + private-key: ENC[AES256_GCM,data:j3juaKDM2ybruxp0T+7BkGBRwLWWwZARnHg42r/lDYNn+HPSAAc3dKQKFg==,iv:lzyHejiEri4S4mzDPm7xtbvbva3Nssmx0MCzyt4SngI=,tag:0FpbyU7OlgpaLIoj93oNFg==,type:str] +sops: + age: + - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXhTN0RXRWRLK3A3RFRJ + ZzRkQVg0N043N1VObjFpdE05bnM4OWJQOTBJClhpVVFNN0ZmVVpzaThyREhLeFpI + SnErNXZVSWd3RW1DUlJ0eVpibTg2SFkKLS0tIFNVU1VCL0t5dWhRandrUmpITmlS + SW1mRzMyeVNpME53ZXhwQllWV1JxbkEKWze5y1HRR/79k7AIvofuc8RdkQVIEsJ2 + H2djW/x3KmKTtDVB9DTBQZHpNOOHIJ/nX//JP3s93xvPUizD0olQHQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK1V2eks1QXUzODJiWXRD + Vi9pT1hBNXNDODE0NUNKRXZPbEJobVpEaWhBCjl2WFhiZ1Y2dUx5L3BaVjdVdS94 + bUlKeGVNeEZJanUyazhsVG1ta2d6aEEKLS0tIFJYaVZCWXhyTDJNTW1EVnczS2ti + K1NNbk1uYUdpVnVYZEpiN3ZtbEpOK2MKI9G4JCU47BiW1zpWCgqtHuUaryIF3+Xn + hqE4/OIgF8od70eNZ5UWvMneQLsnDEcIOa9i9D/L9A3Hkn5AlRoPQQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6 + 
enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MTZIWEQ1MVI0ZlNobHht + YjJjYndFaTVrOVNaaTNuVU9nNHJRdWlObkhjCnIwSTJBM3p2bXZOaWRZZ3MxSGV3 + emJTL3JFQUJPN1d0QVEvVVU3RC9kaWcKLS0tIFNYZmVrWmVQRXd2MXF5NHdmbFhG + Q3lSOFNsdDRkWHJlazNCL0VDK1czdEkK+kp9jQrSV1IPTG+r8q0MRD9jbPSj0z0I + dVxhPAUNUqf4MPM/YbqA5YOhwZ89Z7gXsbtFezZbPNxIqyTISgcmJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age19yt2tszdtnwylqh5qdmg25mlfd8cft0z24x4mp20fnyywfs88cxqgwt9m2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TGVpNmJ6bU9veTA5a2g5 + VmFEemxkTUtuMllJcnZsWG5lOExkalFHNGtzCm4xSnZnVHhrWVZFS05MQ0xtNElw + dlpOU2JuSHFuYm5KUncxaFAwaUxhUlkKLS0tIGV6a3A2SnJWbEVvTFFNc3dHOU81 + N1htdGwwNWtHR2R3cGdtNlF6ajF6MkkKSjbyxsPZYeXd/4A60g8E1aSIIwR3ca9g + /9p8PV1duXhKkJcGKgDiwL3FxrFZ54rpySZeqMC16nQtnk3Fzt1k9w== + -----END AGE ENCRYPTED FILE----- + - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTZIY0dmUkFHWHNKZHN6 + aEZyRkY3b0tnRGdJREQySHJBSkMxcFFxeUdzCjluYW0yRmM0V0RTQUhhcTFYU3VH + V2ZjK0grR0NEYW5kbzlVMHN4STFMdU0KLS0tIGRoNWNZTHdOWUpuaWhRQVZQZlkr + b3ovaWVTdHJ6SzBrS0JlVk5Fd2xBcHcK+RI+BsGiVQpd0hdAPZJwbzbTsb4xql6b + ozSUmoy7yLD/ubeKzkajXlF46ya5LonALUFkw6e0nbHKF85Rj9OBRA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-16T03:47:07Z" + mac: ENC[AES256_GCM,data:ekU7qBI4r3IEoKKx0DWooK8chmKt52ciKMBAbY3KxsWIN384mP1TLsmjSVB2emVgiJTB7fVHq5Zu0RZOPbrRdqS+FnRnlSwf7GdTxo7VjJV3/eCoMwsV1UEwsqTqr8DUhaYDlT8Wm08THrarlBYaaOKtEJ8Qas2ykOxVyJbyzAI=,iv:y294b1hMUX7GM/AjjEEbbpv4woIrj6OjRmNoZcRB26c=,tag:THsUv0NdNZWtrecpq6xtzA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/devices/cross/tinc.nix b/devices/cross/tinc.nix index 8d68c9c8..894f9e27 100644 --- a/devices/cross/tinc.nix +++ b/devices/cross/tinc.nix 
@@ -23,12 +23,12 @@ let # vps { device = inputs.lib.genAttrs [ "vps4" "vps6" "vps9" ] getAddress; distance = 1; } # 使用 vps9 代理的机器 - { device = { vps9 = getAddress "vps9"; nas = null; }; distance = 10; } - # 使用 vps6 代理的机器 { - device = (inputs.lib.genAttrs [ "pc" "srv1-node0" "srv2-node0" ] (_: null)) // { vps6 = getAddress "vps6"; }; + device = (inputs.lib.genAttrs [ "nas" "srv1-node0" "srv2-node0" ] (_: null)) // { vps9 = getAddress "vps9"; }; distance = 10; } + # 使用 vps6 代理的机器 + { device = { vps6 = getAddress "vps6"; pc = null; }; distance = 10; } # 校内网络 { device = (inputs.lib.genAttrs [ "srv1-node0" "srv2-node0" ] getAddress) // { nas = null; }; distance = 1; } # srv1 内部网络 @@ -155,7 +155,16 @@ in { services.tinc.networks.tinc0 = { - settings = { Interface = "tinc0"; Name = tincHostname hostname; PingInterval = 10; }; + settings = + { + Interface = "tinc0"; + Name = tincHostname hostname; + PingInterval = 10; + TCPOnly = true; + Proxy = inputs.lib.mkIf (inputs.config.nixos.services.xray.client != null) "socks5 127.0.0.1 10885"; + ConnectTo = builtins.map tincHostname (builtins.attrNames + (inputs.lib.filterAttrs (n: v: (v.address or null != null) && (v.jump or null == n)) connection.${hostname})); + }; ed25519PrivateKeyFile = inputs.config.nixos.system.sops.secrets."tinc".path; hostSettings = inputs.lib.mkMerge [ @@ -171,7 +180,7 @@ in (n: v: { "${tincHostname v.jump}" = { addresses = inputs.lib.optionals (v.address != null) [{ inherit (v) address; }]; - settings.Ed25519PublicKey = publicKey.${v.jump}; + settings = { Ed25519PublicKey = publicKey.${v.jump}; IndirectData = true; }; subnets = [{ address = getAddress "tinc0.${n}"; weight = v.length; }]; };}) (inputs.lib.filterAttrs (_: v: v != null) connection.${hostname}))) diff --git a/devices/nas/default.nix b/devices/nas/default.nix index 2d188eeb..14a4cb0a 100644 --- a/devices/nas/default.nix +++ b/devices/nas/default.nix 
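Review bot: In the `services.tinc.networks.tinc0.settings` hunk of tinc.nix, `TCPOnly = true` is applied to every host while `Proxy` is only set when `xray.client` is non-null, so hosts that never use the SOCKS proxy also give up UDP transport. If TCP-only is needed just to traverse the proxy, tie it to the same condition, e.g. `TCPOnly = inputs.config.nixos.services.xray.client != null;`; if it is meant for the whole mesh (together with the `IndirectData = true` added in the next hunk), a comment saying so would prevent it being "fixed" later. The literal `"socks5 127.0.0.1 10885"` has to match whatever the xray client actually listens on, so taking the port from that module's configuration instead of repeating it here would stop the two from drifting apart. The `ConnectTo` filter depends on `or` binding tighter than `!=` and `==`; writing `((v.address or null) != null) && ((v.jump or null) == n)` with a one-line comment that it selects directly reachable peers would make the intent readable.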
@@ -25,6 +25,7 @@ inputs: }; initrd.sshd = {}; nixpkgs.march = "alderlake"; + nix.marches = inputs.topInputs.self.nixosConfigurations.pc.config.nixos.system.nix.marches; network.settings.static.enp3s0 = { ip = "192.168.1.2"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; }; kernel.patches = [ "btrfs" ]; @@ -67,9 +68,11 @@ inputs: podman = {}; peertube = {}; nginx.applications.webdav.instances."webdav.chn.moe" = {}; + nfs."/" = [ "100.97.101.0/24" ]; }; }; systemd.tmpfiles.rules = [ "w /sys/class/powercap/intel-rapl/intel-rapl:0/constraint_0_power_limit_uw - - - - 10000000" ]; + boot.nixStoreMountOpts = [ "nodev" "nosuid" ]; }; } diff --git a/devices/srv1/default.nix b/devices/srv1/default.nix index a22082dc..b78167ed 100644 --- a/devices/srv1/default.nix +++ b/devices/srv1/default.nix @@ -60,6 +60,7 @@ inputs: ]; }; mariadb.mountFrom = "nodatacow"; + xray.client.xray.serverName = "xserver2.vps9.chn.moe"; }; packages.vasp = {}; user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" "zgq" ]; diff --git a/devices/srv1/node0/default.nix b/devices/srv1/node0/default.nix index b4dfadf0..274a1b86 100644 --- a/devices/srv1/node0/default.nix +++ b/devices/srv1/node0/default.nix @@ -22,7 +22,6 @@ inputs: services = { sshd.motd = true; - xray.client.dnsmasq.extraInterfaces = [ "eno146" ]; beesd."/" = { hashTableSizeMB = 128; threads = 4; }; xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; }; samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; }; diff --git a/devices/srv1/node1/default.nix b/devices/srv1/node1/default.nix index 11939478..eb66c37a 100644 --- a/devices/srv1/node1/default.nix +++ b/devices/srv1/node1/default.nix 
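Review bot: In the second devices/nas/default.nix hunk, `nfs."/" = [ "100.97.101.0/24" ];` appears to export the root of the NAS to an entire /24, and the export options (read-only, root squashing, which sub-mounts are crossed) are set in the project's `nfs` module, which this diff does not show. Unless Kerberos is configured, NFS trusts the uid the client asserts, so any host that can obtain an address in that range can read whatever those options permit. I would export a dedicated subtree rather than `/` and list only the host that mounts it (the `nfs."nas.ts.chn.moe:/"` entry added in devices/srv2/default.nix). Separately, `boot.nixStoreMountOpts = [ "nodev" "nosuid" ];` omits `ro`; if the NixOS default for this option includes `ro`, as I believe it does, this leaves the /nix/store mount writable and deserves a comment explaining why.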
@@ -9,8 +9,7 @@ inputs: nixpkgs.march = "broadwell"; network.settings = { - static.eno2 = - { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; }; + static.eno2 = { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; }; trust = [ "eno2" ]; }; }; diff --git a/devices/srv1/node1/secrets.yaml b/devices/srv1/node1/secrets.yaml index 022fc379..dfa61727 100644 --- a/devices/srv1/node1/secrets.yaml +++ b/devices/srv1/node1/secrets.yaml @@ -1,4 +1,6 @@ tinc: ENC[AES256_GCM,data:s/mcjWKxEp8f6OgAUqkHg8IHA/coBtht20pqSdwGp9OBRta64xyzszeS6o8uW1cV65vm1qQR9XkC7nmBx7F9RAZpMwEYh3anAfzWvL1dd6nNl9NLaz9eqrRGJJH4lyMAmErQRF6epEe2Z0kfs3icsZJ3p8rmWSHjIETFR+pQvepTzLXfz7mi3EftqFxK6o5LXe6t2df7PD5q7x8loB7eu4Qyh14NrklgMifmGoNBsGdIBAiqbZ+3xMt2VgEk4wc7X2ZmBJFx19U=,iv:343e5eRAGxwhb4ITadyKJOcvCnLp5emgz737kBmYlig=,tag:O/cwMZJofSKxMhzFMBV+Mg==,type:str] +xray-client: + uuid: ENC[AES256_GCM,data:UxZlTqBDV5K3ywwERYYmW3ymTnioFQ7XS22I8ab5mdeI1TnD,iv:YR+07MWd5E97lz5iwMWjBLhd1tP0okhnodnmbWCVWxo=,tag:97EOKuBMdEm3ffdQuphMww==,type:str] sops: age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m 
@@ -19,7 +21,7 @@ sops: cWpEMWU1TjZKbnFTWm4xY2QwdWx3aFkK0O6p2piq8RKOcSTT49i0pnlt+gOk+QMF r+EJU0zobWwe3PrDg8jjw5HpMxrpDzHcD0XMnVQW0Fd9pn6n4VfpUw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-12T08:54:16Z" - mac: ENC[AES256_GCM,data:Vk9TJgMM41NhB9XEzBRNuUxZ+pIdFTS4/9VoeBjVB8nMtRb0ZmjB9CTmYGXGxFfB/dg63qmXGfQITgKmtANXiQpMHXYdHw1xnEOTtlTa/ndp3xszVxAEBBhsVlAiXSYmAxKFtIw6W2Erpz1cFhkC0XjlE8/EGe1Srbre0JCzbCA=,iv:pmd1ZM0nhDyNZ6eiNkFEDX5Z0XRSbg2fAPEW6EonsIU=,tag:YM7H+B/IdFVkD5f519FOAg==,type:str] + lastmodified: "2025-11-16T03:16:01Z" + mac: ENC[AES256_GCM,data:IRQxlKzSfCkAYESUDAgmkMAzhOiaqBBQC8ZniMKPM/11VlHGQpV89qB1NDSisdrCqFi9Iu4/iG6g6W/mc39x/V5MLdrQO9G3cGm568KWzh3rBZmD0wlkuCzQP1phFJpeLpg1BLWLn4i0nIWE/ER77pVtV/iA/vOWj0lmDb+GWvg=,iv:AmH3GJjPw9QMa+1utaXkqIfNuXI2qPXUrEVwPF3u1Io=,tag:fe2RiW1r2TAyftPcsuvowQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/srv1/node2/default.nix b/devices/srv1/node2/default.nix index 1291614c..5b176465 100644 --- a/devices/srv1/node2/default.nix +++ b/devices/srv1/node2/default.nix @@ -11,7 +11,7 @@ inputs: { static = { - br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; }; + br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; }; eno2 = { ip = "192.168.178.3"; mask = 24; }; }; trust = [ "eno2" ]; @@ -22,7 +22,6 @@ inputs: }; services = { - xray.client = {}; beesd."/".threads = 4; kvm.nodatacow = true; }; diff --git a/devices/srv2/default.nix b/devices/srv2/default.nix index db51e6ea..632cfccf 100644 --- a/devices/srv2/default.nix +++ b/devices/srv2/default.nix @@ -12,6 +12,7 @@ inputs: vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot"; btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; }; + nfs."nas.ts.chn.moe:/" = { mountPoint = "/nix/remote/nas"; neededForBoot = false; }; }; nixpkgs.cuda.capabilities = [ 
@@ -84,6 +85,7 @@ inputs: }; timeLimit = "48:00:00"; }; + xray.client.xray.serverName = "xserver2.vps9.chn.moe"; }; packages = { vasp = {}; desktop = {}; lumerical = {}; }; user.users = diff --git a/devices/srv2/node0/default.nix b/devices/srv2/node0/default.nix index 6dd0d27c..72a3c3ba 100644 --- a/devices/srv2/node0/default.nix +++ b/devices/srv2/node0/default.nix @@ -24,7 +24,6 @@ inputs: }; services = { - xray.client.dnsmasq.extraInterfaces = [ "enp58s0" ]; beesd."/".hashTableSizeMB = 10 * 128; hpcstat = {}; sshd = { groupBanner = true; motd = true; }; diff --git a/devices/srv2/node1/default.nix b/devices/srv2/node1/default.nix index a5b404ea..d2958bfd 100644 --- a/devices/srv2/node1/default.nix +++ b/devices/srv2/node1/default.nix @@ -8,10 +8,7 @@ inputs: { nixpkgs.march = "skylake"; network.settings = - { - static.eno2 = { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; }; - trust = [ "eno2" ]; - }; + { static.eno2 = { ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; }; trust = [ "eno2" ]; }; fileSystems.swap = [ "/nix/swap/swap" ]; }; services = diff --git a/devices/srv2/node1/secrets.yaml b/devices/srv2/node1/secrets.yaml index ae87da21..7a8c67b2 100644 --- a/devices/srv2/node1/secrets.yaml +++ b/devices/srv2/node1/secrets.yaml @@ -1,4 +1,6 @@ tinc: ENC[AES256_GCM,data:0fOvjy/b+87HS+bcNENY3jfxcxMLcjeQh/hT5HIUG2aCiTLbsmlqXTR9j18ZwcKAAEbzzDSonpPmQv/kGeMyvk9B4Q0En8FSdBaW5y5HQVLf32KlSoq8+MBRPTQREcHHMDZ/tQw02aAdq0jvYpHnFIKiqOZFfGhKo2oS12wxlR33n+zwqwyBu5quN0ynbwG+BMZua9uJrlsfFe8ttu5BHzl5xdCTVzmJ7vV7H1K7lJBwlDF62Rn6zsQV2uGaUew1ScephX/KC40=,iv:eA6YLGY+d4BldBAsqFsrrUiTY3Xa7eJ687C3gS7ofG0=,tag:40QXjFYc0ht7/OuIPDo1Wg==,type:str] +xray-client: + uuid: ENC[AES256_GCM,data:i87JKtJD5CEcGioPILKgJKyDpBX/o56XFBwD8WCBfpoevt6F,iv:KMtg7KqO5q+SYossPyE7tF74vZ3yg8v3u+Q8F63hvxw=,tag:10VBfnyAfB5NkdL9GAX66g==,type:str] sops: age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m 
@@ -19,7 +21,7 @@ sops: ZU40ZzNDU29HeGtMMVhELzBGMXZZVFkK16e15tjwN12BYnGutnGBWIs2KBCkOJww wdgC+3aRnGjfb0Z8Htf8qUCW5omixcbaCmMoGmGsnkx1Agfr56qQ3w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-12T08:53:30Z" - mac: ENC[AES256_GCM,data:+WZvi4HIk3P1ZKL5Bml4OgAsB4XdPVtlioVQYgaEGoTy/g3lqkCKRQok2ceQ85Mpj4NTf9PEK1Xlx8k07Mqrk51zINPNGOe2LCl233Wdbk9wCOOU3pdrj+Vj+zrd07P3KR/PVR79Mr/jrFgHRYKfdbGLOANyfDG3bUedTLLWcNw=,iv:oxpDJeSlGWl+331VJUyL+IaTezu1GPHJwo/8JKJ0+XA=,tag:fvT24Dtt1ECDCm5wJKWCwA==,type:str] + lastmodified: "2025-11-16T03:16:19Z" + mac: ENC[AES256_GCM,data:SvvHb6EPAkt96DprqDSTKIFwshSm2rxGtFmpB+q4l9ZUu1uCCVJM1Gnxaogxiwf1CAk3+I0908/vRp9rwALcyZdM47VJq4MST2FFmEYXn1109jrQCW1EgkXnMBJwP8ywe2JLlyRpPXcGJfC/HPuKMpyxts9EEk6TnEsdrEQFbwE=,iv:mb7ZqFuaq8xee2k9nw7zdW05puOuIdsTq7alkn5V6Ts=,tag:6ZsbryE20u4OEtUMVD5dDA==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/srv2/node2/default.nix b/devices/srv2/node2/default.nix index efd54691..8a706e7d 100644 --- a/devices/srv2/node2/default.nix +++ b/devices/srv2/node2/default.nix @@ -8,10 +8,7 @@ inputs: { nixpkgs.march = "icelake-server"; network.settings = - { - static.eno8303 = { ip = "192.168.178.3"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; }; - trust = [ "eno8303" ]; - }; + { static.eno8303 = { ip = "192.168.178.3"; mask = 24; gateway = "192.168.178.1"; }; trust = [ "eno8303" ]; }; fileSystems = { swap = [ "/nix/swap/swap" ]; diff --git a/devices/srv2/node2/secrets.yaml b/devices/srv2/node2/secrets.yaml index 5fff63b4..7e83c3ce 100644 --- a/devices/srv2/node2/secrets.yaml +++ b/devices/srv2/node2/secrets.yaml 
@@ -1,4 +1,6 @@ tinc: ENC[AES256_GCM,data:zz2sNzrCiqUvyccyhG7hzpF3E8RMdWWdIW98j4Kw8rSGZEKtSkCX/YDibTRSOIuSn/hX7P9FqKgoOgKhqQcuh2gsRjaZSbccMhc3NqOXujL5y586PD9xCk2bUXDXzmRiHx8oiB1rOO86KQovfevl0yGtfpDmkuqt14OXNXvrVoCA4ChfUVwy0Yw53JlQrXl9ZndRvP6pHN4esv9UmUxrA8b//hFyJHPzSKiIfX6NGx+htH0P5UUSxKomYNqCrrtJG9RoXSgo2Go=,iv:jy4qmcl5QDaA6ub7/vHQpgiWIFj4tw0IKxGeg40W/E0=,tag:g6+jb5fInKukYWvIekyDxw==,type:str] +xray-client: + uuid: ENC[AES256_GCM,data:jPo7ixnm8KnAfdC3b02qGrts7/0nc0Ahizj0EkFa15b5zr0F,iv:S41TMqOH5mqhF36B/ouMfCjim364LeeGbDnwQYiP4Po=,tag:aoC9JOZjtbduEMFijvDprA==,type:str] sops: age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m @@ -19,7 +21,7 @@ sops: bkk0ZWpobXh5dnFteTVVamxGT1RUblkKLU7cgLazHAzsstKjMW2GvwXkfNOtPzx8 QKIIM0rOXYUsDUQozrxRu2SChCJ/zkAxeLm6rvD1JYVMcUfuswCRlQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-27T06:34:19Z" - mac: ENC[AES256_GCM,data:0US1WVfJ9dvXTL36XpM+veFfdUl56CxgYBSdXJe0+LPHZhpcM/R9O2DsD4kzGmvqB8d8gm140zr02F6H+tqP6IHYbNSU20uISheF4dfWFFu6DlHqx3+c9aRxrmX8PUlwHmyDsjK0Uu6wdsEeWiPqkXkA9lpDNkATlHgsbspH3Zw=,iv:21mFu3TB4+SxwBQgPGhbLQI/6SPL97j3hATo66XWUtQ=,tag:2sn70EntUBrJ5w7zy/7dpw==,type:str] + lastmodified: "2025-11-16T03:16:36Z" + mac: ENC[AES256_GCM,data:0T9DXFvsCdDibpxBVX/GIkziEf9vR6Aic1+vIZFVPUkWCBa4/X7u7NF6Aeul/oIGy8WEH6EwyvijkFiHi4gzCoqetdHGDLeYXkBxarpSgUlcvcVbgd3EHsLJ2nclK7VAgrAu9NJpuXbiLGDl3IJyuW9qK2tzc1/ZfJHglpgyEh8=,iv:90D1aDIy8pI2MzeaZ+OwmKB4r7O2O1sibg4z7gAz6rE=,tag:mjaIC40oW5JWdlUvq0Ea7w==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/vps4/secrets.yaml b/devices/vps4/secrets.yaml index c58c1ac0..1ae236ba 100644 --- a/devices/vps4/secrets.yaml +++ b/devices/vps4/secrets.yaml 
@@ -1,44 +1,3 @@ -xray-server: - clients: - #ENC[AES256_GCM,data:d7cv,iv:RHzGIDLuuKejCTQ5YlNNITkCS3VoprsqH/kHckdpAv0=,tag:3cYw7uyUmXALo3v7SiqLJA==,type:comment] - user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str] - #ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment] - user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str] - #ENC[AES256_GCM,data:4Y00hDJ+8Hjq3Q==,iv:XWZYNC1T5B55B43tcuzzvOOFtHqZJ9XDuEaYQOO5cR4=,tag:5oNFsqUtSiv8CY6aHyGjNQ==,type:comment] - user2: ENC[AES256_GCM,data:MRMdc7LRYqgRsfKKW6LnP14g3JoFT6g7jzkXW8gIAeqypyoc,iv:tfPBD2FkIljz3xasYNJsj3vh2lEObrvSZ95FyCgWcTs=,tag:B1PQpyX24DqrPscL/pjZmQ==,type:str] - #ENC[AES256_GCM,data:gGd3kkNcyIwOXg4=,iv:vILDvtdvopPM8lZDDpedvtXYHpoPvPn1A8AJca41r9A=,tag:2LMImcmdyPKsQDloq7041Q==,type:comment] - user3: ENC[AES256_GCM,data:+KUVcqy18t6Fd+QNgB5DeZkNSA6lsjebO+xnzxzIjWuZ9UmS,iv:qugbmBv9jk1yfH2s0A0jla0DR3jkdXLVUeWGcj6v68U=,tag:4FUf/guDzPqgDcb1086WTA==,type:str] - #ENC[AES256_GCM,data:jCgKe0t2xQ==,iv:UE48L/JpobN6LUd6Z9RlsUGSJ1sHHgiL6xj8lPztwJc=,tag:xnwWLQm+GIUzsfBO/TXhrg==,type:comment] - user4: ENC[AES256_GCM,data:3yrdvbcH/ToAQpTLppSVp2FNGjatyBInKP85bAY9OrEtzhhQ,iv:4zvb1nzKjrCNWWKelOnDhsNBAC7Ak6ZpJlvQKqGJrgc=,tag:dBOTBJDJhJsKHKg/vGmpxQ==,type:str] - #ENC[AES256_GCM,data:2ptsDQ==,iv:dEzyk6NQcFZQPx8h/ViCqtRaQ/8dfMTVKBq+iguk6nU=,tag:11SLIAhtcHja4G9HUXr9Ng==,type:comment] - user5: ENC[AES256_GCM,data:NO9rpzFkySistf9++oXpo1tBaa4XtPtcCGR+2IWmhQYEH/l1,iv:OG+U0avgo9mjmU3soxRNL71ZC7Ee4ijpsJMRn3jYvhw=,tag:QuBFX2KHgNJ+f3RwqEH4+Q==,type:str] - #ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment] - user7: 
ENC[AES256_GCM,data:Ie8M385wtRx8bWIdCupnda799kL0OLBsWdk9pHTY7IxxaZbn,iv:OrRYOkaC9uI9E1Eb8GYqmYr9VAUM895oO8NSdvxUPCQ=,tag:NZTUE4KnUjhg/auoALavTA==,type:str] - #ENC[AES256_GCM,data:Wwq+ypJgx6OcXA==,iv:dSvFz4I5tFx+ZVClxNGKwcbIQe7OY43OzAhqRiDK2TQ=,tag:CYUs1cJ/zqc+Y0yFec7Upw==,type:comment] - user8: ENC[AES256_GCM,data:2GyFDXIiAN3mTobwnY4czV2Egoin3B5Ih+aet3yT+krPTkPq,iv:NwrzO//HXwKMudgD+yK1hsj9o71RG6BfBle3logvuLE=,tag:WWpioPsnhHvVSrzAmN16Sg==,type:str] - #ENC[AES256_GCM,data:vVz6E2juGqXS1Q==,iv:9itEkwMsW8cqSzwV2EZtgJVgaW7aJJ5fw1rLuKFwiKM=,tag:9hRADkot8kELoYAgd6Dz7Q==,type:comment] - user9: ENC[AES256_GCM,data:HgSVrry+nKGW9X9N6h8hsI9VETKtSEi+/ZC9QvNZW4zETQxt,iv:ERgmCDPBpboA/+Sxeq6BvWoMxsv3Kkczqb/mbXz9pOk=,tag:bklzRg9toKy//6T8xdtbRw==,type:str] - #ENC[AES256_GCM,data:2sHxXec=,iv:aA61+cmDw4rHab7RuRRK3eUDx5d6gpmfw4RpQ6Nd0mc=,tag:H9kovJyn3Te3ir9X234VGA==,type:comment] - user10: ENC[AES256_GCM,data:CqrwaZp1fHd/WEGQH3xWI8DZ2/AavCqwTtwZeHmnrct5yoD3,iv:IBOHGQlw+uQt8Ryp/mCDcglfSPNXvvHOjNnrT+7nOHQ=,tag:tEkGEtPaOBK+P3LrQzOLsQ==,type:str] - #ENC[AES256_GCM,data:Rw4BWXZutQ==,iv:rXe2i1G/xQkpBl0wh6VIzaNoidCc3JL4sy6v5hcOF/M=,tag:2tZyH8B0ZL7XptKHk6TcAQ==,type:comment] - user12: ENC[AES256_GCM,data:CsbquwEn+iOKCzda8z26FYk2i5aPk2xzqGIYORiD4lotvnFE,iv:zHPmlT4LAc6NDjXrExze23dZZFIj0c1eR4WW74cu+qs=,tag:5MDFrZNgv54mK05ImSvpkw==,type:str] - #ENC[AES256_GCM,data:vqYkwGVcQ8yZbA==,iv:1ckVSiAgjuT/K0MuVHe8D2hHE7X2qxCHpb+y6nrFCsI=,tag:so9oFl6bXlJT2O+prplazw==,type:comment] - user13: ENC[AES256_GCM,data:KUraqncs8iPr7z+COfJ1z0TLNLlgctxy8FCav95+kkVXtStx,iv:Uv90bnVmmQh6f9pKOWmEKCul5VPxF7rrQ9GYrsCGPp8=,tag:I0r5o8xIYuq5/MIXSOHT3Q==,type:str] - #ENC[AES256_GCM,data:F2x+2zrePYDkCA==,iv:aTMeqvGVI43xLsN9submgciiJEjY4hYypJ9RJLIBYTE=,tag:quKW+MATVzRw1bda2jGjdg==,type:comment] - user16: ENC[AES256_GCM,data:BjnUUnNyqUvvPbfa1CeYvcVbMOwz6/Em4YhxRgmlicOSwro+,iv:LULwzjV5PRihTHNZFJ21IrDG3rW3qX4CYwF4Xu1KdZg=,tag:pZAI4OEx24d6h/h9JyQ/hA==,type:str] - 
#ENC[AES256_GCM,data:aka1O9hn/dZX3Q==,iv:rWik4cYtHY/Z3xQ0p/i49zTXVmKEQDV4OMn12UaQr3Q=,tag:hPm4bugH9RAtsykj0BJ0Pw==,type:comment] - user17: ENC[AES256_GCM,data:URZqRUDtG5FDrZDsmI7CFn4ilp97GJtgaVVB+j0dRUdtVGoq,iv:iUkcr6Oo29y5PIGF/GJRltn5DD19yEcBIsJAaYs43AI=,tag:gzSsjeQxvjvfFVkDHPkfvQ==,type:str] - #ENC[AES256_GCM,data:JkMniTrakuonAA==,iv:V5KmQL+C5O2mb3ktlm1ITjLaa1NxToQlyToqYbGme9U=,tag:UTZm05uyb5j0Pf9vuxyIxg==,type:comment] - user18: ENC[AES256_GCM,data:fFtnkBnaOktHaIfk7dN2U73UkloToiLvP3Pg2VAqPzvTE49h,iv:DZrba7RWmaeOQsqh3Kq/IuFS9so5u5ItK5WwV/65FYE=,tag:v+pOozYvrJJIsj7A/a3S/g==,type:str] - #ENC[AES256_GCM,data:gR0WsUYdBZBWjA==,iv:rnXZQaDNu+cEzneEa6/2pO+qUXl/fut8FJ3n90A6ATs=,tag:azNGPfWv+ZgOU/B5PMCVZg==,type:comment] - user19: ENC[AES256_GCM,data:S8VSoBIR/RqwctgYPtyIPEK2hXLr4LZ/jJvvFHA6CGgp9/Ff,iv:8eLCZEaiquwZyswwLkLoJcl7UPWTVYmQqZ2egAGFWWM=,tag:VgJiSt8eRcRhppMXkAkmKg==,type:str] - #ENC[AES256_GCM,data:vWW1bNyENgcspxI=,iv:xXCrjHyxVtodkVu/wgy1OrHGGm20nEd1iyparWcycYE=,tag:FRu132btquzXkiLXlnq1Iw==,type:comment] - user20: ENC[AES256_GCM,data:Wux6pzwor0B1A9d1y0QEpcNnYn1pObloHxghSONHcsQ266/7,iv:jWSuswV6vTQdL764I/zxFC5gkFOa5Qwj54rggmmZX7I=,tag:4hmqBTn0T3a6Sjt9lofwbg==,type:str] - #ENC[AES256_GCM,data:IJWHWxbhy+gxhxk=,iv:HzMi211JiVfHUhEJm+q/K0tCjUEXDhollUf8Bm+HVA0=,tag:P22Q/h+DUhhJayZftcvVfg==,type:comment] - user21: ENC[AES256_GCM,data:0X5x3SATZm25kVf8cu7TGm2t95DneLAqhP16fRQCtROzyZyg,iv:dmlwRmubnRq2fNdNz3lVlAVYpPjVHkFm60IvPcajjds=,tag:eDJYYf3eRw+FxfaHiRDk5Q==,type:str] - #ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment] - user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str] - private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str] tinc: 
ENC[AES256_GCM,data:MO+GKj5Ma1weblDjViBXUR5JS8fKoc5XQp6jVimhgip1MiulkUTgJ0Z+ecazAdBh9WnaI65SnLMXLMzk5wiJfblE5KJ+UlSvn7TXKvFPoWw9WXsU96to7D+IZNAYRXj6eMJ6g9j/u01Q348s5F9RE30C9jtk2mwM1n8yyAP/BuwcyyVZK6jOwtE5zsZyinGzLTCyD8pZqhVQ63qdrNMAdvNowl38cVm5pKYsiZiU9r8fzQJXS+5R65rJPxNKJ9CYBI3ca8OGJbY=,iv:bJgHF4CFagARNXFvkNFznzyUit6LsO75RiDTxZGsmr0=,tag:zDX6N6tDoooRUmovhgKsZw==,type:str] sops: age: @@ -60,7 +19,7 @@ sops: Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/ 1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-12T08:53:17Z" - mac: ENC[AES256_GCM,data:uJPxF01MX0WXrkSrjBY+GHM58gSZqKjs3777LNfou2VMfwWtmiEcOTrx+i9iWAWA1idnCoDfLy4EEIGo1EhLJBFcmMvSpoFBfJUvpTCefOLkTYW6J7AHI/Bd+aYK5UXYZxk4uoCURFt1inSCiDWAw2aQ+1g+j5a/HgRtTux9FEo=,iv:a/SuzpuHkq+D2tddrMaWjn1pLJJjpb2zzEbDkcVjH7o=,tag:+lq8vfZxBRmyG9U8KXTsHA==,type:str] + lastmodified: "2025-11-16T03:46:11Z" + mac: ENC[AES256_GCM,data:yRB5Y6raz1eCV/gOoJapJfmtXOEafgu4NyIbUVuyOvwV8XJtMQ3mihvlbi1ETdmNLqo8okiU4I1C/Pbgd2rOuW2E8Ymmcf9WSak+z46+YcXXTjKvYn1XRetae9l9hbB9ib6uBI0FlkhXflpf83yTibSF9codVhRsfRzTHfWPx+A=,iv:U0S5bV5ntwj38TOXc4C1yp6eFnHLxogjQw7hrFqjGLM=,tag:48vY9CStBQLnSHxK/eV+2A==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/vps6/secrets.yaml b/devices/vps6/secrets.yaml index 1cb90eda..b4e975cc 100644 --- a/devices/vps6/secrets.yaml +++ b/devices/vps6/secrets.yaml 
@@ -1,44 +1,3 @@ -xray-server: - clients: - #ENC[AES256_GCM,data:DXEC,iv:SZ1AhmK6fWQ/HGDk97kDUcRN84zQMp99eiz4SpRhig8=,tag:Fkdf28ZvB8XKCxSYdjuuHw==,type:comment] - user0: ENC[AES256_GCM,data:rJ00sfe/oJSry6Ixn4Bn+p41syqsOrdWv6fRGVCwPvn/unMY,iv:htTvFMvhIRkORA/gIU8J7CgA+tOncYQWh7sUh+F6XDs=,tag:VrSJBD7ti9WtSLHoWjMClw==,type:str] - #ENC[AES256_GCM,data:OVgDU+zqcQ==,iv:8KuEqBuL5Ca6pUOFFA+vySJx/h3BhGAAC0CgnxiW46o=,tag:TY1MajSSy2RjKVI2SSAAFw==,type:comment] - user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str] - #ENC[AES256_GCM,data:OQOPobpbbhajgA==,iv:4jG3bHKzWcR+JnvSlJsc0Qlv5kywqVN5UE96J31CP7Q=,tag:P+jJkRxPu99tLXyO5k6dRA==,type:comment] - user2: ENC[AES256_GCM,data:+MKTpaA8hO8q0kyY0V1csedLOtIf760Vr0+WllGe9lgMJ5da,iv:5txOM3sFOhKVX4EVozb8XHWLU0fUNxCF9YAwTYaTL6c=,tag:jkgOVgiEc5phY1XNETsdpA==,type:str] - #ENC[AES256_GCM,data:m0iCqLI8ELaPb9g=,iv:bsh7JHILbOZJ+bgGr0U0rDanjUVGgDzYGhboezspEjE=,tag:o7A4SXoCXk5LXmZ1bidg/w==,type:comment] - user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str] - #ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment] - user4: ENC[AES256_GCM,data:/kBaGAqbewLav+WCJPHm1py3pvb7bA/YO2DeBP2FTCZv44wA,iv:iwxV6KHu00oITH/58kBFmf43lkgTU3BHJ/kb9FPnRSE=,tag:ns+6Dvhf/D15bZc0fd6zLA==,type:str] - #ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment] - user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str] - #ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment] - user7: 
ENC[AES256_GCM,data:H/jje9ONEY6XuBXTZmTVGIcWUgGSMf5OB1NNRPtqGCgRP1ei,iv:xew+0BkRqz3nfOoBXTPbBv5hRczy/3tgYSKq432q4iw=,tag:da2ljcffiCVJCsMZaNPZyQ==,type:str] - #ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment] - user8: ENC[AES256_GCM,data:AnZb12dioiCamubOb6fsGWoM55zfPMeRbu+j8bRRcMfSQFJf,iv:rB+4B11JFC0oS2ExUW18f5WvhnE4EuHh3IiEyxWeY3A=,tag:jt+3yxDvhusvB8ppbdAwzw==,type:str] - #ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment] - user9: ENC[AES256_GCM,data:+SA+VcZcy5ckuS/46Dn093VvuqxrIACuqMAMx6Ko5yw0DVdW,iv:TeLXb1WI7uhcPDkXYSlKIxdE6Kz+nCnlB+ZYpWcaF4I=,tag:YB0sPD9yHMARhiMJs7JKcA==,type:str] - #ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment] - user10: ENC[AES256_GCM,data:Pec0CVGia/ZIaq7WerZlr0/waJ/Ev1OKwt7V3PBxBSFMLi7p,iv:wYTdhv4Xoe58KBIwV1vk/V4IcdVzQrBgmzGaRD7qHQs=,tag:IZVt5LmjTUge8XntujJlTA==,type:str] - #ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment] - user12: ENC[AES256_GCM,data:iTZViWyKkCU1y6mvB0NzkXf3I98U/+nCs21ZD6M285YKaU6q,iv:vFgA3sv/7ENcw3gyJLiiHLwroXtVJjAxZXViqjXF3mQ=,tag:u3b9Uu6TIPPYX0TW5X5Sjg==,type:str] - #ENC[AES256_GCM,data:HueqiREBet2bxQ==,iv:WCjTAGg2gXgBSvY3zc/YyB/1X0XjvphPduVXLsjOwH8=,tag:wC+On6lyyYQ1Dt/BHDvONw==,type:comment] - user13: ENC[AES256_GCM,data:ID/A7yCWQIWRoU7Emhel2ASZfTweqXYmpC5q6Fm6ptD0XfCu,iv:YrFjIilO4pH+QxVVDTqwkufj2VSC38y9lAJfD8w522I=,tag:1v/T7vWeh0LMi0OL0FVs9g==,type:str] - #ENC[AES256_GCM,data:4jJkbMD9Psxrag==,iv:arRtRaNrqnYcT7vE3wqgl/y8/65ORaxqTdGw55AKDP8=,tag:pRpta6mXfy0XCyzMA4+cEQ==,type:comment] - user16: ENC[AES256_GCM,data:esInSvj+a90TAl+b/n9m2iJsH7e6tlQRwSsoLBCy8KA9a0Z3,iv:U4c0pZzqS1s5H6XW3YRSCvDhtxnwCnyKR/tObefX2Rw=,tag:YtY/t4xsmZaj4lC39XQ5SA==,type:str] - 
#ENC[AES256_GCM,data:/Kec+CdtnT11EA==,iv:DnmbWfgriaE6XAnMqq2UXhHhN+Rd/3YRodKVUCJo6p4=,tag:NimqZpbslKxwzoljaZqEdw==,type:comment] - user17: ENC[AES256_GCM,data:6h343SreoMqz5ZHkdyDI/je4v10r5zBV7cWc6Pj4x5sI2cvE,iv:7WSikMxAZJUnv3+GPq40d8r9JkKRRH/SPW5F5fy5HHY=,tag:6h5Z7+WXT/dLNeEIrC0UGw==,type:str] - #ENC[AES256_GCM,data:h7E4P6BiGjktYg==,iv:DhkK3NNppBqo3sXt9U7kbgfaBPYcSEX2hu6VOAesDiE=,tag:XoVbZklwCmU1EBhv0ujcSw==,type:comment] - user18: ENC[AES256_GCM,data:HJj0e6EHXEYmDXlZcS8UlfEQo/4y47w3sYKgb2Ojq6E4vMdE,iv:xThlGl/DDLLgoY5VkBSCx9HIvxy2ZlO5Q987vIMu0lA=,tag:gB07jP6Do4/6RmVaLB3Ecg==,type:str] - #ENC[AES256_GCM,data:qGsMmWrUIzVdHw==,iv:DXayEA5zquwOzm+TqECYNHM98r0WSzcP3gA8zkzdPy4=,tag:OKTx12RqP9VxJQOnrBLkmw==,type:comment] - user19: ENC[AES256_GCM,data:unW8dOhNbPNLWd7X2prpD82tcqUua7msq8nX3ykFs8STsuto,iv:OLaZ9XQDFGaA1VENgsSn/3HQXp957Zf9MD9GPZ4KLE8=,tag:UK27LK+De3AzbI2mEIsQpw==,type:str] - #ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment] - user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str] - #ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment] - user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str] - #ENC[AES256_GCM,data:U0CcBBJraJj9,iv:9kuHsHkSDdDT0Gi/3Oy608RArrg+4cgeii5zWbsGuPA=,tag:EvqqMNvNcWBwie28t0+52w==,type:comment] - user22: ENC[AES256_GCM,data:LClSrxtBzuJUD4J4QaYXHUr8XSi+N7Zh193j/YeBZRm9sjgf,iv:djiq3+iVnuKK2HveoCm/j8FezzrHRGnjbyoO6iGm6eA=,tag:N5hqYyvJGxnwT8wbxdnjiA==,type:str] - private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str] send: redis-password: 
ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str] coturn: @@ -68,7 +27,7 @@ sops: ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-06T12:37:48Z" - mac: ENC[AES256_GCM,data:Xi7Y1jNQqbj/Dn1vtUr5k867+rHVR60rX2DwpMx1r+XsIrd+3gh6fC2sIVFbT7H5qHxJTePJLxo6EwGTKlGwiIffTfFZzwUDbcL7bxe6V3yYzDxhrAs+bxBS66EfgJN41jlHJbw9JwsrA6VOQjiXe0u8srXt9nAg8s4Rv2cp4ec=,iv:ty+UcZ/jLTXlvdqPF978cC9Vys5sBsoBe4u8cw1TP4M=,tag:JWAPhpZHjTtvuIaWZo0V9Q==,type:str] + lastmodified: "2025-11-16T03:45:41Z" + mac: ENC[AES256_GCM,data:AnvNGraWYOKZHtmI73wWerrFRNjAlZdcVSPXDsv+x/0Dohq+9KB/PoWoczXQTUy240BDErXp7UrNmNgwyGtUofdQvJqmdJ2vFkTW0VIWJ1Alq489nafdanGwn97P/aluHqF+zhgBCANAGwIVLaEAggR/xCdidcyn01taHpKoVfE=,iv:frCptbX5gtEmjL7XfCIRaB5jwqOLGJkpVuaOoo/Tg6k=,tag:G0C0ZZ0V24YN+vNv4z4xHQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/vps9/secrets.yaml b/devices/vps9/secrets.yaml index 50c7db95..56e1332d 100644 --- a/devices/vps9/secrets.yaml +++ b/devices/vps9/secrets.yaml 
@@ -1,44 +1,3 @@ -xray-server: - clients: - #ENC[AES256_GCM,data:6KZ+,iv:w4GjlpGvDBZISVciU6lTk5I2vcMyo1wzy/NrYz7uQw0=,tag:LxRX/a4eCxyrEIt6BJyznw==,type:comment] - user0: ENC[AES256_GCM,data:Rt0LbKADz8QNPtc+lF43rvSAub7zIjUB/YKbk0Lm3VI7UsRP,iv:MGeguKNzF/y8eTKykl5HYSC+ddumoOgy2micz0+UxAg=,tag:3KjUh8JHO4vf5p40GxMUQg==,type:str] - #ENC[AES256_GCM,data:a4BoPyLGSQ==,iv:NhuOxDbD7hrHCuiUUC83ueOW4KNnm8XwwFJ0su2YSWI=,tag:Ht+T0MFU8cDGvptD59NwLw==,type:comment] - user1: ENC[AES256_GCM,data:LL6cng0xZQx/FFjsiUGktPk4SqYX3uwWAILqsWL461CORxau,iv:MKVugEoqjskj7r2siG+4q024Ye4XsAvrohXWQGIrU+o=,tag:jG4eioc7qh+87EmFpBDJog==,type:str] - #ENC[AES256_GCM,data:GwnRVrs6TTAEIg==,iv:fXTfQEgn9/EVksAuzMEydJfKJY4yheC7UF5ocoqWWxY=,tag:/hb596oQyafwOiM+/vU4xQ==,type:comment] - user2: ENC[AES256_GCM,data:JGKQJMyvdAM8RUewv3TOByvUIt782CK0RxLK4L2KZrz/1Lo2,iv:SGSwTD8INeKXerZmoyghCLR1kb36+XBmGQNntzOT8O4=,tag:Hv5X1hTnlwVS0BcFZ466mA==,type:str] - #ENC[AES256_GCM,data:mBhQhOJbhxA+YtY=,iv:ifTSsIGrvZTBAQBPNa87Bm4Pr/VPlDfZNa2S70+SqAk=,tag:derhkfFxjft0rSihJmEIFQ==,type:comment] - user3: ENC[AES256_GCM,data:dOtzAXfyhR/UVJX1hM0JGWl/4hlyTU+Cu2m0kUjuxViilBkE,iv:e3yqSiabnIfqgmCSUu+LlroWx7jY1B8ybM9eshXSNmU=,tag:l8xInyOv1fwPiANFoHuArw==,type:str] - #ENC[AES256_GCM,data:wRUHJfoDdA==,iv:a6jBtKh9QyTaoa4KEjNzNFch4O1I7d4Wgd9i4O9diPM=,tag:v1/KsgSlvp3lAULnBeEw4Q==,type:comment] - user4: ENC[AES256_GCM,data:yB74qJh8kSa/2OrDX4stFyxLRlumXM3HfN3+6NV9k3CCYNJT,iv:L2snukYrlhNe+A41unvgYxpNAK32xaTtfj+N2+XVZmc=,tag:xx4WuxJURrelmAnS5w82Tw==,type:str] - #ENC[AES256_GCM,data:mvRr6A==,iv:9MbwFk5iPIt7iVlXX4mgQ1Qb/N269GXWDYFqQ3HKHs0=,tag:3ylZTw7dVquZbUWDPHiuvQ==,type:comment] - user5: ENC[AES256_GCM,data:/QvsZt3TPTfYAZ/TIS+3eICff+8L/TgFSXzmIIwuRpZYM+m9,iv:E8mpjSAoi8VgnTMH8NGHQ4zlMccfOMXobfmo9fTt86Y=,tag:D8SvHV5M2ucSLc5hgVRcIQ==,type:str] - #ENC[AES256_GCM,data:LU1uRg==,iv:2CM6JSiGibkIlSUVkIg2h3oHNRVZlUcuAJvcColYWEY=,tag:w+ITp8u1CJQ6QHcn5ESrUg==,type:comment] - user7: 
ENC[AES256_GCM,data:Ja0t7okaJJUZiotYfoD/fziSS6kbNk2j/At31OVI3S5gzGvo,iv:za+M1EWNakdwyG2EMKwTPSesifYhm6iBSOYBVgDVygo=,tag:Q26Fgx83YM0RHGFSDIMTOQ==,type:str] - #ENC[AES256_GCM,data:2GnPxV/mzUTaEA==,iv:DVHTThTHl4VzJEcu6AHjDxXCYCRR+bIK6PzrTJDglTI=,tag:Ngzr1sWF1swureLNIUVI3A==,type:comment] - user8: ENC[AES256_GCM,data:ovI4BIiWO7fY4FF9nrhlpYg6dr7De7X+Yvwa0hbdYeys09qB,iv:N0PMjbiSiemlxi0knXEQG6ukJfljdDfe4P6Dm7BsnR4=,tag:R+6DRc2JlsG1LnKotYCHKA==,type:str] - #ENC[AES256_GCM,data:EffuejDrAIaWpw==,iv:g4WnQL3aoaeuoflzYnB7tJhd+1KM/NczRo2494MBVGQ=,tag:HLnC+5d4BNgwGWcL8Zm50A==,type:comment] - user9: ENC[AES256_GCM,data:jWp8GdvgEyIZqPz/lLDx4FyQpgNznKROSVv3PPt1bLcqnwGX,iv:f8j6Z+J1EgtmkFO+14ycr5RMKpZgaqzA0sr2MqM/Y8k=,tag:mmnwa+VzZkhIvkNakl90rA==,type:str] - #ENC[AES256_GCM,data:6p6MV1Q=,iv:4VXSy7qcALw/VGVDDioUsCMHK69G009667+cHDjzzGo=,tag:HDleuJzt8tQayESt2y8BNw==,type:comment] - user10: ENC[AES256_GCM,data:oKhogL2lpPlqv8nZzm9mEsNjda52Wm1Bac9+Uoh7po9unmif,iv:3AVsu2EJJt24jPsldzkCHZuUSF/A6B21h3jL7AO5AcQ=,tag:wqaGFYHpoIj6smA997OZ/Q==,type:str] - #ENC[AES256_GCM,data:S14xr90mhQ==,iv:9bhh8upaOJE75J40mEDWQHnZqwBVTWu4vFwnLy/CmwA=,tag:OhW9Asa262TiWJHrDMZ/bg==,type:comment] - user12: ENC[AES256_GCM,data:QnvnWlyYdD0ADpjytRfyLkz7QA5w7v/7nPtHZrcME6IKTQBJ,iv:+PrnpdjK7bLpoq3Z/UoEC42FR/S5z74OEg6IdNA2uhs=,tag:JW26a9IquQrclsXy7vTUmw==,type:str] - #ENC[AES256_GCM,data:Q3+6iHtGE5uQpA==,iv:vmONg9ro9S3z02QiqKTbvGSXIWJSNzLyftnvn1CaQyU=,tag:4pJDu6YvSSdcECqi3R6nwQ==,type:comment] - user13: ENC[AES256_GCM,data:jqw0PrrS3qb5ED40icSlijZ+F5aC+fQMqhwBxja48eShDPSG,iv:bnayGLWMi1qMiVu/4HVwNA6lIv/J1nuZFgZFwKaC8Rs=,tag:qyShWz+mOcYuJD/L6h+Www==,type:str] - #ENC[AES256_GCM,data:/+fV4s1fMRpKlw==,iv:ySBGdSqadwTYxBoNKu66r5xE2xIb9D6Baka2b1m/ztY=,tag:3oKLddSowlKkFuTcUxw6iw==,type:comment] - user16: ENC[AES256_GCM,data:+dIH/6xws1hQU4u4PnpSW6OOPF3AaQYRBTANaZ/14Jm9oIeI,iv:bOmFu4/PC203H7KzpPRdQplm1JEBmSzxlPBC2ITRSgQ=,tag:909+o4NzlGP7ViMqph5y0g==,type:str] - 
#ENC[AES256_GCM,data:oa5KcYWwJ+9z8w==,iv:kdDKDz51utlmdKMcMX8kG7E1t8hcq2X/PKT+r3Eq66c=,tag:paqN0yqo91uJ1pCs0fFkrg==,type:comment] - user17: ENC[AES256_GCM,data:WDlCxVqrf+L227/OukhjvFEOirw1ynO5wRCOWgGrDmECmSxC,iv:vqu1U5Y12J9u5okmPUmfenWDYqCHvPb6L1wKzk5/d9k=,tag:Q+y4rJn2sluPagKY5g/xSQ==,type:str] - #ENC[AES256_GCM,data:51G7HszgMfXX0w==,iv:Fnb52LWWc5yClD1uJjdCQQEe0FiFQf/o1tG75kRRVXA=,tag:H9aa0Pb6zK6S/Q3BVH5viw==,type:comment] - user18: ENC[AES256_GCM,data:b91IxlJwvjtQu7pdWmD0adpGnrFSV/2I2CJ2chpPT++WPsAr,iv:0ZXJXS9oU7bbfKGnyTGs6BZQ0MK0rkzSUQaeyYvaoAY=,tag:kS1MtLsK533q7bigeEbmGg==,type:str] - #ENC[AES256_GCM,data:j3CeaYv8QlqJkA==,iv:J0oAHXnlQDFlao7mDxbxqpoOUrLwDH+UTx2YySc3gqQ=,tag:VDpAssjv2ZLURrtQbslpJw==,type:comment] - user19: ENC[AES256_GCM,data:4FGBj8O3kR941am2I4Ne6jyMtftd70gXKvPQSpadNeFJnSnM,iv:OfSgzYVGy+nC3TCMVdf3DBUCggW7qzYphTtQCV69Etw=,tag:faIeE6PjVL00NlHAPqiXCQ==,type:str] - #ENC[AES256_GCM,data:7VwFrh2hk4XcnY0=,iv:0fBe4F3scNo3F6HHacDEs7D9uxFwyW5LTNZczuVs+HQ=,tag:tQKAfzIrEk/DHt66Jb1tUg==,type:comment] - user20: ENC[AES256_GCM,data:dFiMbY0IXUAumS93Ymv5hCgKJcNFlFxhRSNiDNizBeHe6+r1,iv:n6hXDRUYN2KfT2zHtO7Mus9aKw1ehuOnRIp+oJ6N9lk=,tag:YcG9W9P+/6vjAxr7rDdSGw==,type:str] - #ENC[AES256_GCM,data:NNStQscqF9OZJJs=,iv:ENycerVEl5YW/lYDHuL8jCFldZeu8hnR9dgDQaqer14=,tag:pEgUI28KwZNEGDNt/sg7LQ==,type:comment] - user21: ENC[AES256_GCM,data:FmLYeMQNuvxP4P2a+Xhui7s0nkYM6UIWwj363nVzNxHEX+an,iv:RycABIkWQhMyKaOl8GMjQhAUyCYK90IaZ5tCyjefZBg=,tag:A1bGug0pXLH6gKROWtdvAA==,type:str] - #ENC[AES256_GCM,data:ufLL4v493Q6d,iv:Ky9aIEFrMBmNBm2Tn2xTXcY2K67mGZwniEwEraeEdSI=,tag:TDcmpyDDkBi5DuJdT283gw==,type:comment] - user22: ENC[AES256_GCM,data:beZ0GP3datxFsIDClx5TO6B+t4LXqypRu9qIDZD+5YaD3CH4,iv:0IzV9E9QO2bi6770t5a7fWYhaNntMZ1cp3zauIZa8zA=,tag:aCaB96Qn6IFpnuAVsrCWXQ==,type:str] - private-key: ENC[AES256_GCM,data:mRbRYuozpLynUnu9iUOJmyd0JJlWyVwWoA6rHgD9r6lQEPQ87UaEwx79lQ==,iv:Hy3zwMlp9vGlYKRUf1/CFxF52KTK0v+PBXzb6b5/k2E=,tag:Of0nnc9W5gId6R7y6OKGDg==,type:str] tinc: 
ENC[AES256_GCM,data:8XXuOm+sb8Pda3Aiwhv9jdX6Alxy+UUbG1+ZnvM5nIJa8K4RXjSAWv9DEVh2SDpqee1uzhf2IMOBCYzicubb/BPA0vQ90SCC607B/pYb4dFuBiir/4ma5JdIliJmt9yP8qfFZKXYPsocArYoC+IUiwnxNCVjz+Pv+OwYSKJBeSlkwnRr2MAWY/KGeKEcoDrPcRohHvG9f+bcqFuTW40UdMOJNhKM2jKJh0aKcWYJOXGjAdy+41vCvWXH2FIanx0/Zt9qsPb2A8s=,iv:AmNHeAIN8DyzpXdpyM65bzpc4/6egGE7ggjBt04MpkY=,tag:Wl9/b/msR1M/EtnIhws1AQ==,type:str] sops: age: @@ -60,7 +19,7 @@ sops: VUFBcEpmTDRaWGg2eVZGS0tDdVp0K3cK25bDJaKLhjBUjkJWBNskR0XVOML+3dTl 04hKjDrs2TMBB5G9k6pBqqLZhoofxb1UOhlYNXlLE20HSuVntWjCNw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-10T05:03:44Z" - mac: ENC[AES256_GCM,data:52ljThqvqqNuDRZf9Me0soj84I5aVmTrlsWKP19pHGjG7wT07beqyys5s0OISdGqh9dAYsmWr8LyeEY79a+FYd3PzV8vriFwXeacnq5w8UEDBSbLYJGF9voMIdJcGUlzSFy7/iVTtM3ybEm58siQefP+Tmax2+C1XKmJUprbzuE=,iv:6QkUI5T9hCulX4DkbjhdCNil/77MSasKvDCTGJIjXYw=,tag:JTzUrNu0AllgM71pUtTcJg==,type:str] + lastmodified: "2025-11-16T03:45:25Z" + mac: ENC[AES256_GCM,data:5X0wV19ir/HvL3bcKv1b+Uw3lt33WpOWZxw3Lcbb1pY4FS2wfKimoFgKtPGM3Xj6cTtfNqw/b/ts5D4scgXH8f2lnYX6Dfk9mtGDQXYZWOJmpLZW5l6EVXZB4Dkc7LJzU0sQ9OwWUFpB746sDZFiwLUWvlgeKeHknJ70p+Psv7I=,iv:cEDWeQPkCuscvthUPJjFu8TD5LqRaJ5MrGG7VdSLfH8=,tag:6gdgy5hkogRBZi/n+slRYw==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/flake.lock b/flake.lock index ec40bc16..009bb432 100644 --- a/flake.lock +++ b/flake.lock @@ -129,11 +129,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1762971638, - "narHash": "sha256-p7v0KH6uvX04lRPD0yOjUhciCYwtaCl7TY2MUESFzWM=", + "lastModified": 1763246168, + "narHash": "sha256-gUDJZGSOg5syHtQvLImOKL6Eaw4e1ybz4o5pid66kQg=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "505b7eae237867d71c65011c3e9dbcbf07e1925c", + "rev": "6476fbdd52621b4a532309d982d468dc08204151", "type": "github" }, "original": { 
@@ -524,11 +524,11 @@ ] }, "locked": { - "lastModified": 1762856455, - "narHash": "sha256-x7zgteJWIlbVexL2ubOadUXKlHSjh0RAjLO1KfWdgpU=", + "lastModified": 1762951919, + "narHash": "sha256-ma/xMEGf4J6n/RdZFdxXBJUQhP53HVEPQOC6Dp2TrkQ=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "29a671ae20223d182eaf54b963a735230497c2f9", + "rev": "3d248f6e8f877218dd2573fef8925ac997889922", "type": "github" }, "original": { @@ -844,12 +844,12 @@ "nixos-wallpaper": { "flake": false, "locked": { - "lastModified": 1760972207, + "lastModified": 1763054325, "lfs": true, - "narHash": "sha256-Bl7GHBTzYIC2XtGo4TjNjttpYRPWpqmdlV/Qu/lNoSQ=", + "narHash": "sha256-n9Kn7g7u8pi3U1xoNqNHcxzq4K6I5P1TpuZVnme4yLY=", "ref": "refs/heads/main", - "rev": "5e5309f74e293321fe0633ed4e6ea690f7a5b2e4", - "revCount": 12, + "rev": "8d07487c8979691f2c145f88580a0ce615d49fd7", + "revCount": 13, "type": "git", "url": "https://git.chn.moe/chn/nixos-wallpaper.git" }, @@ -1336,11 +1336,11 @@ ] }, "locked": { - "lastModified": 1762915112, - "narHash": "sha256-d9j1g8nKmYDHy+/bIOPQTh9IwjRliqaTM0QLHMV92Ic=", + "lastModified": 1763087910, + "narHash": "sha256-eB9Z1mWd1U6N61+F8qwDggX0ihM55s4E0CluwNukJRU=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "aa1e85921cfa04de7b6914982a94621fbec5cc02", + "rev": "cf4a68749733d45c0420726596367acd708eb2e8", "type": "github" }, "original": { diff --git a/flake/dns/config/chn.moe.nix b/flake/dns/config/chn.moe.nix index 0568da81..0bbcb1a5 100644 --- a/flake/dns/config/chn.moe.nix +++ b/flake/dns/config/chn.moe.nix @@ -36,7 +36,7 @@ let srv1-node0 = "59.77.36.250"; vps4 = "104.234.37.61"; vps6 = "144.34.225.59"; - vps9 = "154.3.32.213"; + vps9 = "154.3.39.17"; search = "127.0.0.1"; srv1-node1 = "192.168.178.2"; srv1-node2 = "192.168.178.3"; diff --git a/modules/packages/desktop.nix b/modules/packages/desktop.nix index c51da7e8..820fc008 100644 --- a/modules/packages/desktop.nix +++ b/modules/packages/desktop.nix 
@@ -70,8 +70,10 @@ inputs: # daily management activitywatch super-productivity ] - ++ (builtins.filter (p: !((p.meta.broken or false) || (builtins.elem p.pname or null [ "falkon" "kalzium" ]))) - (builtins.filter inputs.lib.isDerivation (builtins.attrValues kdePackages.kdeGear))) + ++ (builtins.filter + (p: (inputs.lib.isDerivation p) && !(p.meta.broken or false) + && !(builtins.elem p.pname or null [ "falkon" "kalzium" "calligra" ])) + (builtins.attrValues kdePackages.kdeGear)) ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde") [ inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix ]); _pythonPackages = [(pythonPackages: with pythonPackages; @@ -133,6 +135,7 @@ inputs: alvr = { enable = true; openFirewall = true; }; localsend.enable = true; thunderbird.enable = true; + nh.enable = true; }; services = { pcscd.enable = true; lact.enable = true; }; }; diff --git a/modules/services/coredns.nix b/modules/services/coredns.nix index ce61307b..b797c6fe 100644 --- a/modules/services/coredns.nix +++ b/modules/services/coredns.nix @@ -31,7 +31,7 @@ inputs: } template IN AAAA autoroute.chn.moe { match ^autoroute\.chn\.moe\.$ - rcode NXDOMAIN + rcode NOERROR } header { response set aa @@ -50,7 +50,7 @@ inputs: } template IN AAAA autoroute.chn.moe { match ^autoroute\.chn\.moe\.$ - rcode NXDOMAIN + rcode NOERROR } header { response set aa diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix index 0d81028a..bfe00fe3 100644 --- a/modules/services/tailscale.nix +++ b/modules/services/tailscale.nix 
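Review bot: Neither `template IN AAAA autoroute.chn.moe` block in coredns.nix records why the rcode is now `NOERROR`, so a later reader could reasonably "fix" it back. Assuming the name is answered for A queries elsewhere in this Corefile (not visible in the hunk), NXDOMAIN for the AAAA query tells caching resolvers that the whole name does not exist and can suppress the A answer too. I would add a comment above both `rcode` lines, for example `# NODATA (NOERROR with empty answer): the name exists, it only has no AAAA record`. The same applies to the second hunk at `-50,7`.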
@@ -16,5 +16,16 @@ inputs: }; nixos.system.sops.secrets."tailscale" = {}; networking.firewall.trustedInterfaces = [ inputs.config.services.tailscale.interfaceName ]; + users = + { + users.tailscale = { uid = inputs.config.nixos.user.uid.tailscale; group = "tailscale"; isSystemUser = true; }; + groups.tailscale.gid = inputs.config.nixos.user.gid.tailscale; + }; + systemd.services.tailscaled.serviceConfig = + { + User = "tailscale"; + Group = "tailscale"; + AmbientCapabilities = [ "CAP_NET_RAW" "CAP_NET_ADMIN" "CAP_SYS_MODULE" ]; + }; }; } diff --git a/modules/services/xray/client.nix b/modules/services/xray/client.nix index 81c54243..09d45e78 100644 --- a/modules/services/xray/client.nix +++ b/modules/services/xray/client.nix @@ -19,7 +19,7 @@ inputs: extraInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; }; hosts = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; }; }; - v2ray-forwarder.noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; }; + v2ray-forwarder.asRouter = mkOption { type = types.bool; default = false; }; };})); default = null; }; @@ -273,7 +273,7 @@ inputs: loNetStr = builtins.concatStringsSep ", " loNet; noproxyUserStr = builtins.concatStringsSep ", " (builtins.map (user: builtins.toString inputs.config.nixos.user.uid.${user}) - (client.v2ray-forwarder.noproxyUsers ++ [ "v2ray" ])); + [ "v2ray" "tailscale" ]); in '' set lo_net { type ipv4_addr; flags interval; elements = { ${loNetStr} }; } @@ -290,6 +290,9 @@ inputs: fib daddr type local ct state new counter ct mark set ct mark | 1 return ct mark & 1 == 1 counter return + # 如果不作为路由器使用,则可以返回那些没有被标记的流量 + ${if client.v2ray-forwarder.asRouter then "" else "meta mark & 1 == 0 counter return"} + ip saddr @noproxy_src_net counter return ip daddr @noproxy_net counter return ip saddr != 172.16.0.0/12 ip daddr @xmu_net meta l4proto { tcp, udp } counter \ 
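Review bot: Granting `CAP_SYS_MODULE` in `AmbientCapabilities` largely cancels the benefit of moving tailscaled to the unprivileged `tailscale` user, because a process that can load kernel modules can run code in the kernel. If the capability is only there so the daemon can load `tun` or netfilter modules (an assumption, the hunk does not say), preload them with `boot.kernelModules = [ "tun" ];` and reduce the list to `[ "CAP_NET_RAW" "CAP_NET_ADMIN" ]`. I would also pin the bounding set to the same list and add `NoNewPrivileges = true;`, so a child process cannot regain anything beyond what is granted here: `CapabilityBoundingSet = [ "CAP_NET_RAW" "CAP_NET_ADMIN" ];`. Ownership of the daemon's state directory by the new user is not set in this hunk and should be confirmed.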
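Review bot: The new rule `meta mark & 1 == 0 counter return` in the `-290,6` hunk of client.nix is emitted whenever `asRouter` is false, and the first client.nix hunk makes false the default, so the default behaviour changes for every existing host. Any machine that currently forwards other hosts' traffic through the proxy will, after this change, let that traffic leave the chain unproxied until `asRouter = true` is set; that is a silent fail-open for a proxying gateway. The rule that sets mark bit 0 is outside the hunk, so this reading should be confirmed against the rest of the chain. I would state the consequence next to the rule, for example `# not a router: only traffic carrying mark bit 0 continues to the proxy rules, everything else returns here`, and call out the new default in the commit message. The `-273,7` hunk also drops the configurable `noproxyUsers` list, so a host that set it will now fail evaluation rather than silently lose its exemptions.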
diff --git a/modules/services/xray/server.nix b/modules/services/xray/server.nix index b617607f..e53e7d28 100644 --- a/modules/services/xray/server.nix +++ b/modules/services/xray/server.nix @@ -128,12 +128,14 @@ inputs: }; }; }; - secrets = builtins.listToAttrs - (builtins.map (n: inputs.lib.nameValuePair "xray-server/clients/${n}" {}) userList) - // (builtins.listToAttrs (builtins.map - (name: inputs.lib.nameValuePair "telegram/${name}" { group = "telegram"; mode = "0440"; }) - [ "token" "user/chn" ])) - // { "xray-server/private-key" = {}; }; + secrets = inputs.lib.mergeAttrsList + [ + (inputs.lib.genAttrs' userList + (n: inputs.lib.nameValuePair "xray-server/clients/${n}" {})) + { "xray-server/private-key" = {}; } + (inputs.lib.genAttrs' [ "token" "user/chn" ] + (n: inputs.lib.nameValuePair "telegram/${n}" { group = "telegram"; mode = "0440"; })) + ]; }; services = { diff --git a/modules/system/fileSystems/impermanence.nix b/modules/system/fileSystems/impermanence.nix index d5ac6089..6e069985 100644 --- a/modules/system/fileSystems/impermanence.nix +++ b/modules/system/fileSystems/impermanence.nix @@ -68,7 +68,7 @@ inputs: [ "bin" "Desktop" "Documents" "Downloads" "Music" "Pictures" "repo" "share" "Public" "Videos" ".config" ".local/share" ".ecdata" { directory = ".mozilla/firefox/default"; mode = "0700"; } ".steam" ".zotero" - "Zotero" + "Zotero" ".thunderbird" ]; }) # 对于集群的工作节点,挂载一些本来由 home-manager 生成的文件,以及一些用来存放 home-manager 生成文件的目录 diff --git a/modules/system/fileSystems/nfs.nix b/modules/system/fileSystems/nfs.nix index cab81978..51657ad2 100644 --- a/modules/system/fileSystems/nfs.nix +++ b/modules/system/fileSystems/nfs.nix 
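Review bot: The newly persisted `".thunderbird"` entry in impermanence.nix is added as a bare string, while the Firefox profile directly above it is persisted as `{ directory = ".mozilla/firefox/default"; mode = "0700"; }`. A Thunderbird profile holds mail, address books and saved account credentials, so it deserves the same restriction: `{ directory = ".thunderbird"; mode = "0700"; }`. The surrounding list starts and ends outside the hunk, so the mode a bare string entry receives is not visible here.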
@@ -5,11 +5,11 @@ inputs: type = types.attrsOf (types.oneOf [ types.nonEmptyStr - (types.submodule { options = + (types.submodule (submoduleInputs: { options = { mountPoint = mkOption { type = types.nonEmptyStr; }; - hard = mkOption { type = types.bool; default = true; }; - };}) + neededForBoot = mkOption { type = types.bool; default = true; }; + };})) ]); default = {}; }; @@ -26,7 +26,7 @@ inputs: { device = device.name; fsType = "nfs4"; - neededForBoot = device.value.hard or true; + neededForBoot = device.value.neededForBoot or true; options = builtins.concatLists [ [ @@ -35,18 +35,17 @@ inputs: "x-gvfs-hide" # hide in file managers (e.g. dolphin) ] # when try to mount at startup, wait 15 minutes before giving up - (inputs.lib.optionals (device.value.hard or true) [ "retry=15" "x-systemd.device-timeout=15min" ]) - # do not fail, just try continuously in background - # nfs4 use tcp, tcp itself will retransmit several times, which is enough - (inputs.lib.optionals (!(device.value.hard or true)) - [ "bg" "soft" "retrans=1" "timeo=20" "softreval" "x-systemd.requires=network-online.target" ]) + (inputs.lib.optionals (device.value.neededForBoot or true) + [ "retry=15" "x-systemd.device-timeout=15min" ]) + (inputs.lib.optionals (!(device.value.neededForBoot or true)) + [ "bg" "x-systemd.requires=network-online.target" "x-systemd.after=network-online.target" ]) ]; }; }) (inputs.localLib.attrsToList nfs)); services.rpcbind.enable = true; } - (inputs.lib.mkIf (builtins.any (mount: mount.hard or true) (builtins.attrValues nfs)) + (inputs.lib.mkIf (builtins.any (mount: mount.neededForBoot or true) (builtins.attrValues nfs)) { boot.initrd.systemd.extraBin = { diff --git a/modules/system/nix.nix b/modules/system/nix.nix index ce0f7c08..b4750b16 100644 --- a/modules/system/nix.nix +++ b/modules/system/nix.nix 
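Review bot: In the `-35,18` hunk the branch for mounts with `neededForBoot = false` loses `"soft" "retrans=1" "timeo=20" "softreval"` together with the comment that explained them, leaving only `bg` and the network-online ordering. These mounts therefore fall back to hard-mount semantics: once mounted, a process touching the share blocks until the server returns instead of receiving an I/O error. If that is intended (hard mounts avoid the silent data loss that soft mounts can cause), say so in a comment such as `# hard mount on purpose: block on an unreachable server rather than return EIO`; otherwise restore the soft options. The `submoduleInputs` argument added in the first nfs.nix hunk is not used anywhere in the visible lines.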
@@ -3,8 +3,11 @@ inputs: options.nixos.system.nix = let inherit (inputs.lib) mkOption types; in { # marches allowed to be compiled on this machine - marches = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; }; - substituters = mkOption { type = types.listOf types.nonEmptyStr; default = [ "https://nix-store.chn.moe" ]; }; + marches = mkOption + { + type = types.listOf types.nonEmptyStr; + default = with inputs.config.nixos.system.nixpkgs; if march == null then [] else [ march ]; + }; remote = { slave = mkOption { type = types.nullOr (types.submodule {}); default = null; }; @@ -36,6 +39,8 @@ inputs: # do not keep unused outputs, backup it manually on nas keep-outputs = false; connect-timeout = 5; + # https://cache.nixos.org 已经自带 + substituters = [ "https://nix-store.chn.moe" "https://nix-store.nas.chn.moe" ]; }; systemd.services.nix-daemon = { serviceConfig.CacheDirectory = "nix"; environment.TMPDIR = "/var/cache/nix"; }; } @@ -63,21 +68,9 @@ inputs: }; } # marches - { - nix.settings.system-features = - (map - (march: "gccarch-${march}") - ( - if nix.marches == null then - (with inputs.config.nixos.system.nixpkgs; if march == null then [] else [ march ]) - else nix.marches - )) - ++ (with inputs.config.nixos.system.nixpkgs; if march == null then [] else [ "gccarch-exact-${march}" ]); - } + { nix.settings.system-features = builtins.map (march: "gccarch-${march}") nix.marches; } # includeBuildDependencies { system.includeBuildDependencies = inputs.topInputs.self.config.branch == "archive"; } - # substituters - { nix.settings.substituters = nix.substituters ++ [ "https://cache.nixos.org" ]; } # remote.slave (inputs.lib.mkIf (nix.remote.slave != null) { diff --git a/modules/system/sops.nix b/modules/system/sops.nix index 3d3f3766..848545ed 100644 --- a/modules/system/sops.nix +++ b/modules/system/sops.nix 
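Review bot: The `-36,6` hunk adds `https://nix-store.nas.chn.moe` to `substituters` for every host, but nothing in the visible lines adds a signing key for it. Paths from a substituter are only accepted when signed by a key in `trusted-public-keys`, so either the new cache signs with a key that is already trusted or its paths will be rejected on every lookup; please confirm which, and that `require-sigs` is left at its default. A comment on the line would keep the two settings from drifting apart: `# every cache listed here needs its signing key in trusted-public-keys`. The per-host `substituters` option is removed in the first nix.nix hunk, so hosts that cannot reach the NAS cache now rely on `connect-timeout = 5` for each miss.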
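Review bot: The rewritten `nix.settings.system-features` line in the `-63,21` hunk no longer advertises `gccarch-exact-${march}`; only the `gccarch-*` entries derived from `nix.marches` remain. Any derivation elsewhere in the repository that lists that feature in `requiredSystemFeatures` (not visible here) will stop being buildable on these machines and on the remote builders configured from the same option. If the feature is still in use, keep it: `++ (with inputs.config.nixos.system.nixpkgs; inputs.lib.optionals (march != null) [ "gccarch-exact-${march}" ])`. If it is retired, say so in the commit message so the removal reads as deliberate.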
@@ -80,8 +80,8 @@ inputs: (defaultSopsFile "${devicePath}/${model.cluster.clusterName}/${model.cluster.nodeName}") ++ (defaultSopsFile "${devicePath}/${model.cluster.clusterName}") )) - ++ (inputs.lib.optionals model.private [ "${devicePath}/cross/secrets/chn.yaml" ]) - ++ (defaultSopsFile "${devicePath}/cross"); + ++ (defaultSopsFile "${devicePath}/cross") + ++ [ "${devicePath}/cross/secrets/chn.yaml" "${devicePath}/cross/secrets/xray-server.yaml" ]; }; availableKeys = mkOption { diff --git a/modules/user/default.nix b/modules/user/default.nix index 4835e3f4..55e29fda 100644 --- a/modules/user/default.nix +++ b/modules/user/default.nix @@ -54,6 +54,7 @@ inputs: synapse-matrix = 2010; hpcstat = 2011; speedtest = 2012; + tailscale = 2013; }; }; gid = mkOption
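Review bot: The `-80,8` hunk of sops.nix drops the `inputs.lib.optionals model.private` guard, so `cross/secrets/chn.yaml` and the new `cross/secrets/xray-server.yaml` are now listed for every device rather than only for private ones. Depending on the recipients configured in `.sops.yaml`, a host that is not a recipient of one of these files cannot decrypt it, and how the consumer of this list reacts to an undecryptable candidate is outside the hunk. From a least-privilege standpoint I would keep `++ (inputs.lib.optionals model.private [ "${devicePath}/cross/secrets/chn.yaml" ])` and add the xray file under its own `inputs.lib.optionals` keyed on whatever option enables the xray server on that host. If the unconditional list is intentional, a comment explaining why non-recipient hosts tolerate these entries would help the next reader.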