Merge branch 'production' into next

modules/packages/desktop.nix

@@ -70,8 +70,10 @@ inputs:
           # daily management
           activitywatch super-productivity
         ]
-          ++ (builtins.filter (p: !((p.meta.broken or false) || (builtins.elem p.pname or null [ "falkon" "kalzium" ])))
-            (builtins.filter inputs.lib.isDerivation (builtins.attrValues kdePackages.kdeGear)))
+          ++ (builtins.filter
+            (p: (inputs.lib.isDerivation p) && !(p.meta.broken or false)
+              && !(builtins.elem p.pname or null [ "falkon" "kalzium" "calligra" ]))
+            (builtins.attrValues kdePackages.kdeGear))
           ++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
             [ inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix ]);
         _pythonPackages = [(pythonPackages: with pythonPackages;
@@ -133,6 +135,7 @@ inputs:
       alvr = { enable = true; openFirewall = true; };
       localsend.enable = true;
       thunderbird.enable = true;
+      nh.enable = true;
     };
     services = { pcscd.enable = true; lact.enable = true; };
   };

modules/services/coredns.nix

@@ -31,7 +31,7 @@ inputs:
           }
           template IN AAAA autoroute.chn.moe {
             match ^autoroute\.chn\.moe\.$
-            rcode NXDOMAIN
+            rcode NOERROR
           }
           header {
             response set aa
@@ -50,7 +50,7 @@ inputs:
           }
           template IN AAAA autoroute.chn.moe {
             match ^autoroute\.chn\.moe\.$
-            rcode NXDOMAIN
+            rcode NOERROR
           }
           header {
             response set aa

modules/services/tailscale.nix

@@ -16,5 +16,16 @@ inputs:
     };
     nixos.system.sops.secrets."tailscale" = {};
     networking.firewall.trustedInterfaces = [ inputs.config.services.tailscale.interfaceName ];
+    users =
+    {
+      users.tailscale = { uid = inputs.config.nixos.user.uid.tailscale; group = "tailscale"; isSystemUser = true; };
+      groups.tailscale.gid = inputs.config.nixos.user.gid.tailscale;
+    };
+    systemd.services.tailscaled.serviceConfig =
+    {
+      User = "tailscale";
+      Group = "tailscale";
+      AmbientCapabilities = [ "CAP_NET_RAW" "CAP_NET_ADMIN" "CAP_SYS_MODULE" ];
+    };
   };
 }

modules/services/xray/client.nix

@@ -19,7 +19,7 @@ inputs:
         extraInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
         hosts = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
       };
-      v2ray-forwarder.noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
+      v2ray-forwarder.asRouter = mkOption { type = types.bool; default = false; };
     };}));
     default = null;
   };
@@ -273,7 +273,7 @@ inputs:
             loNetStr = builtins.concatStringsSep ", " loNet;
             noproxyUserStr = builtins.concatStringsSep ", " (builtins.map
               (user: builtins.toString inputs.config.nixos.user.uid.${user})
-              (client.v2ray-forwarder.noproxyUsers ++ [ "v2ray" ]));
+              [ "v2ray" "tailscale" ]);
           in
           ''
             set lo_net { type ipv4_addr; flags interval; elements = { ${loNetStr} }; }
@@ -290,6 +290,9 @@ inputs:
               fib daddr type local ct state new counter ct mark set ct mark | 1 return
               ct mark & 1 == 1 counter return
 
+              # 如果不作为路由器使用，则可以返回那些没有被标记的流量
+              ${if client.v2ray-forwarder.asRouter then "" else "meta mark & 1 == 0 counter return"}
+
               ip saddr @noproxy_src_net counter return
               ip daddr @noproxy_net counter return
               ip saddr != 172.16.0.0/12 ip daddr @xmu_net meta l4proto { tcp, udp } counter \

modules/services/xray/server.nix

@@ -128,12 +128,14 @@ inputs:
               };
             };
           };
-          secrets = builtins.listToAttrs
-            (builtins.map (n: inputs.lib.nameValuePair "xray-server/clients/${n}" {}) userList)
-            // (builtins.listToAttrs (builtins.map
-              (name: inputs.lib.nameValuePair "telegram/${name}" { group = "telegram"; mode = "0440"; })
-              [ "token" "user/chn" ]))
-            // { "xray-server/private-key" = {}; };
+          secrets = inputs.lib.mergeAttrsList
+          [
+            (inputs.lib.genAttrs' userList
+              (n: inputs.lib.nameValuePair "xray-server/clients/${n}" {}))
+            { "xray-server/private-key" = {}; }
+            (inputs.lib.genAttrs' [ "token" "user/chn" ]
+              (n: inputs.lib.nameValuePair "telegram/${n}" { group = "telegram"; mode = "0440"; }))
+          ];
         };
         services =
         {

modules/system/fileSystems/impermanence.nix

@@ -68,7 +68,7 @@ inputs:
       [
         "bin" "Desktop" "Documents" "Downloads" "Music" "Pictures" "repo" "share" "Public" "Videos" ".config"
         ".local/share" ".ecdata" { directory = ".mozilla/firefox/default"; mode = "0700"; } ".steam" ".zotero"
-        "Zotero"
+        "Zotero" ".thunderbird"
       ];
     })
     # 对于集群的工作节点，挂载一些本来由 home-manager 生成的文件，以及一些用来存放 home-manager 生成文件的目录

modules/system/fileSystems/nfs.nix

@@ -5,11 +5,11 @@ inputs:
     type = types.attrsOf (types.oneOf
     [
       types.nonEmptyStr
-      (types.submodule { options =
+      (types.submodule (submoduleInputs: { options =
       {
         mountPoint = mkOption { type = types.nonEmptyStr; };
-        hard = mkOption { type = types.bool; default = true; };
-      };})
+        neededForBoot = mkOption { type = types.bool; default = true; };
+      };}))
     ]);
     default = {};
   };
@@ -26,7 +26,7 @@ inputs:
             {
               device = device.name;
               fsType = "nfs4";
-              neededForBoot = device.value.hard or true;
+              neededForBoot = device.value.neededForBoot or true;
               options = builtins.concatLists
               [
                 [
@@ -35,18 +35,17 @@ inputs:
                   "x-gvfs-hide" # hide in file managers (e.g. dolphin)
                 ]
                 # when try to mount at startup, wait 15 minutes before giving up
-                (inputs.lib.optionals (device.value.hard or true) [ "retry=15" "x-systemd.device-timeout=15min" ])
-                # do not fail, just try continuously in background
-                # nfs4 use tcp, tcp itself will retransmit several times, which is enough
-                (inputs.lib.optionals (!(device.value.hard or true))
-                  [ "bg" "soft" "retrans=1" "timeo=20" "softreval" "x-systemd.requires=network-online.target" ])
+                (inputs.lib.optionals (device.value.neededForBoot or true)
+                  [ "retry=15" "x-systemd.device-timeout=15min" ])
+                (inputs.lib.optionals (!(device.value.neededForBoot or true))
+                  [ "bg" "x-systemd.requires=network-online.target" "x-systemd.after=network-online.target" ])
               ];
             };
           })
           (inputs.localLib.attrsToList nfs));
         services.rpcbind.enable = true;
       }
-      (inputs.lib.mkIf (builtins.any (mount: mount.hard or true) (builtins.attrValues nfs))
+      (inputs.lib.mkIf (builtins.any (mount: mount.neededForBoot or true) (builtins.attrValues nfs))
       {
         boot.initrd.systemd.extraBin =
         {

modules/system/nix.nix

@@ -3,8 +3,11 @@ inputs:
   options.nixos.system.nix = let inherit (inputs.lib) mkOption types; in
   {
     # marches allowed to be compiled on this machine
-    marches = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
-    substituters = mkOption { type = types.listOf types.nonEmptyStr; default = [ "https://nix-store.chn.moe" ]; };
+    marches = mkOption
+    {
+      type = types.listOf types.nonEmptyStr;
+      default = with inputs.config.nixos.system.nixpkgs; if march == null then [] else [ march ];
+    };
     remote =
     {
       slave = mkOption { type = types.nullOr (types.submodule {}); default = null; };
@@ -36,6 +39,8 @@ inputs:
         # do not keep unused outputs, backup it manually on nas
         keep-outputs = false;
         connect-timeout = 5;
+        # https://cache.nixos.org 已经自带
+        substituters = [ "https://nix-store.chn.moe" "https://nix-store.nas.chn.moe" ];
       };
       systemd.services.nix-daemon = { serviceConfig.CacheDirectory = "nix"; environment.TMPDIR = "/var/cache/nix"; };
     }
@@ -63,21 +68,9 @@ inputs:
       };
     }
     # marches
-    {
-      nix.settings.system-features =
-      (map
-        (march: "gccarch-${march}")
-        (
-          if nix.marches == null then
-            (with inputs.config.nixos.system.nixpkgs; if march == null then [] else [ march ])
-          else nix.marches
-        ))
-      ++ (with inputs.config.nixos.system.nixpkgs; if march == null then [] else [ "gccarch-exact-${march}" ]);
-    }
+    { nix.settings.system-features = builtins.map (march: "gccarch-${march}") nix.marches; }
     # includeBuildDependencies
     { system.includeBuildDependencies = inputs.topInputs.self.config.branch == "archive"; }
-    # substituters
-    { nix.settings.substituters = nix.substituters ++ [ "https://cache.nixos.org" ]; }
     # remote.slave
     (inputs.lib.mkIf (nix.remote.slave != null)
     {

modules/system/sops.nix

@@ -80,8 +80,8 @@ inputs:
               (defaultSopsFile "${devicePath}/${model.cluster.clusterName}/${model.cluster.nodeName}")
                 ++ (defaultSopsFile "${devicePath}/${model.cluster.clusterName}")
             ))
-          ++ (inputs.lib.optionals model.private [ "${devicePath}/cross/secrets/chn.yaml" ])
-          ++ (defaultSopsFile "${devicePath}/cross");
+          ++ (defaultSopsFile "${devicePath}/cross")
+          ++ [ "${devicePath}/cross/secrets/chn.yaml" "${devicePath}/cross/secrets/xray-server.yaml" ];
     };
     availableKeys = mkOption
     {

modules/user/default.nix

@@ -54,6 +54,7 @@ inputs:
         synapse-matrix = 2010;
         hpcstat = 2011;
         speedtest = 2012;
+        tailscale = 2013;
       };
     };
     gid = mkOption