From 82eb0c2fc1ffdc1ccd10956c13f29494ac8daddf Mon Sep 17 00:00:00 2001 From: chn Date: Tue, 7 Oct 2025 21:25:44 +0800 Subject: [PATCH] devices.cross.tinc: refactory --- devices/cross/ssh.nix | 13 +++ devices/cross/tinc.nix | 167 ++++++++++++++++++++++++++++++++ devices/cross/tinc/default.nix | 102 ------------------- devices/srv1/node0/secrets.yaml | 12 +-- devices/srv1/node1/secrets.yaml | 12 +-- devices/srv1/node2/secrets.yaml | 12 +-- devices/srv2/node0/secrets.yaml | 5 +- devices/srv2/node1/secrets.yaml | 12 +-- devices/vps4/default.nix | 2 +- devices/vps6/default.nix | 9 +- flake/dns/config/chn.moe.nix | 3 +- flake/dns/default.nix | 1 + modules/packages/ssh.nix | 2 +- modules/services/bind.nix | 2 +- 14 files changed, 211 insertions(+), 143 deletions(-) create mode 100644 devices/cross/tinc.nix delete mode 100644 devices/cross/tinc/default.nix diff --git a/devices/cross/ssh.nix b/devices/cross/ssh.nix index ef28b1ae..9107f7ac 100644 --- a/devices/cross/ssh.nix +++ b/devices/cross/ssh.nix @@ -58,6 +58,9 @@ in # 通过 wirewireguard 访问 ++ (builtins.map (net: "${net}.${device.name}.chn.moe") (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net)) + # 通过 tinc 访问 + ++ (builtins.map (net: "tinc0.${device.name}.chn.moe") + (builtins.attrNames inputs.topInputs.self.config.dns.tinc)) # 额外的域名 ++ (builtins.map (domain: "${domain}.chn.moe") device.value.extraAccess or []); }; @@ -100,6 +103,16 @@ in ((device.value.extraAccess or []) ++ [ device.name ])) (inputs.localLib.attrsToList devices)) (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net))) + # 通过 tinc 访问 + (builtins.map + (device: builtins.map + (name: + { + name = "tinc0.${name}"; + value = genericConfig // { host = "tinc0.${name}"; hostname = "tinc0.${name}.chn.moe"; }; + }) + (device.value.extraAccess or [] ++ [ device.name ])) + (inputs.localLib.attrsToList devices)) ])); }]; }; diff --git a/devices/cross/tinc.nix b/devices/cross/tinc.nix new file mode 100644 index 00000000..2a434f9f 
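Review bot: In the first ssh.nix hunk the lambda `net: "tinc0.${device.name}.chn.moe"` never uses `net`, so the same name is appended once per attribute of `dns.tinc` and the list ends up with duplicates instead of one entry per tinc network. If only `tinc0` is meant, `++ [ "tinc0.${device.name}.chn.moe" ]` says so directly; if several networks are meant, interpolate `${net}` the way the wireguard branch just above does. In the second hunk `device.value.extraAccess or [] ++ [ device.name ]` does parse as `(extraAccess or []) ++ [...]` because `or` binds tighter than `++`, but the wireguard branch above writes `((device.value.extraAccess or []) ++ [ device.name ])`, and matching it here would keep the two branches readable side by side. Both hunks sit inside a larger expression whose start and end are outside the hunk.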
--- /dev/null
+++ b/devices/cross/tinc.nix
@@ -0,0 +1,167 @@
+inputs:
+let
+ inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress;
+ inherit (inputs.config.nixos.model) hostname;
+ publicKey =
+ {
+ nas = "sSN3eeBgrMXF6/XYfEBe54TXmfHETOESX+SyrpGlmDK";
+ pc = "soafMZ/0EViMhKYNc8g8pp4sbhR/2HnnXwGQln0BgCK";
+ srv1-node0 = "ZKUwi386ZssXLQGORUzlRxof7NhXigUw3QZHAP0Pb8N";
+ srv1-node1 = "5eti59LrOMejEWYDxOYrh7SD93nLMSH+iX7vaBN4BrE";
+ srv1-node2 = "e6jW9g4QY357ocMRoW4P0s6UHAspvKJzmAGb/WT1a+H";
+ srv2-node0 = "zTv+o7K2SpcPp9YLrPe8iJqCunrCiJyqz13fXcDouEH";
+ srv2-node1 = "sk/w+GBrt0lzkTZ3y3vZ/eHKNrG8X95eqR9IuhCFYwB";
+ vps4 = "N03OoCyj4ADkeN3cimJI/bJrBw8g1kz3TJ+1BTe+oyA";
+ vps6 = "rYOCGG+B4isTifKJQqsEdfhQuQRnUiIsvz7uI7vZiDN";
+ };
+ nodes =
+ [
+ # 工位网络
+ { to = "nas"; from = { pc = 1; srv2-node0 = 1; }; address = getAddress "nas"; }
+ { to = "pc"; from = { nas = 1; srv2-node0 = 1; }; address = getAddress "pc"; }
+ # srv1 内部网络
+ {
+ to = "srv1-node0";
+ from = { srv1-node1 = 1; srv1-node2 = 1; };
+ address = "192.168.178.1";
+ forwards =
+ [
+ { weight = 1; address = [ "nas" "pc" "srv2-node0" ]; }
+ { weight = 2; address = [ "srv2-node1" ]; }
+ { weight = 10; address = [ "vps6" ]; }
+ { weight = 11; address = [ "vps4" ]; }
+ ];
+ }
+ { to = "srv1-node1"; from = { srv1-node0 = 1; srv1-node2 = 1; }; address = "192.168.178.2"; }
+ { to = "srv1-node2"; from = { srv1-node0 = 1; srv1-node1 = 1; }; address = "192.168.178.3"; }
+ # srv2 内部网络
+ {
+ to = "srv2-node0";
+ from.srv2-node1 = 1;
+ address = "192.168.178.1";
+ forwards =
+ [
+ { weight = 1; address = [ "nas" "pc" "srv1-node0" ]; }
+ { weight = 2; address = [ "srv1-node1" "srv1-node2" ]; }
+ { weight = 10; address = [ "vps6" ]; }
+ { weight = 11; address = [ "vps4" ]; }
+ ];
+ }
+ { to = "srv2-node1"; from.srv2-node0 = 1; address = "192.168.178.2"; }
+ # 厦大内网
+ {
+ to = "srv1-node0";
+ from = { nas = 1; pc = 1; srv2-node0 = 1; };
+ address = getAddress "srv1-node0";
+ forwards = [{ weight = 1; address = [ "srv1-node1" "srv1-node2" ]; }];
+ }
+ {
+ to = 
"srv2-node0";
+ from = { nas = 1; pc = 1; srv1-node0 = 1; };
+ address = getAddress "srv2-node0";
+ forwards = [{ weight = 1; address = [ "nas" "pc" "srv2-node1" ]; }];
+ }
+ # 公网服务器
+ {
+ to = "vps4";
+ from = { nas = 10; vps6 = 1; };
+ address = getAddress "vps4";
+ forwards =
+ [
+ { weight = 1; address = [ "vps6" ]; }
+ { weight = 10; address = [ "nas" ]; }
+ { weight = 11; address = [ "pc" "srv1-node0" "srv2-node0" ]; }
+ { weight = 12; address = [ "srv1-node1" "srv1-node2" "srv2-node1" ]; }
+ ];
+ }
+ {
+ to = "vps6";
+ from = { pc = 10; vps4 = 1; srv1-node0 = 10; srv2-node0 = 10; };
+ address = getAddress "vps6";
+ forwards =
+ [
+ { weight = 1; address = [ "vps4" ]; }
+ { weight = 10; address = [ "pc" "srv1-node0" "srv2-node0" ]; }
+ { weight = 11; address = [ "nas" "srv1-node1" "srv1-node2" "srv2-node1" ]; }
+ ];
+ }
+ ];
+ nodesWithSettings = builtins.map
+ (node: node // { settings =
+ {
+ addresses = [{ inherit (node) address; }];
+ settings.Ed25519PublicKey = publicKey.${node.to};
+ subnets = builtins.concatLists
+ [
+ (builtins.concatLists (builtins.map
+ (forward: builtins.map
+ (destNode: { address = getAddress "tinc0.${destNode}"; inherit (forward) weight; })
+ forward.address)
+ (node.forwards or [])))
+ [{ address = getAddress "tinc0.${node.to}"; weight = 0; }]
+ ];
+ };})
+ nodes;
+in
+{
+ config = inputs.lib.mkIf (builtins.hasAttr hostname publicKey)
+ {
+ services.tinc.networks.tinc0 =
+ {
+ settings = { Interface = "tinc0"; Name = builtins.replaceStrings [ "-" ] [ "_" ] hostname; };
+ ed25519PrivateKeyFile = inputs.config.nixos.system.sops.secrets."tinc".path;
+ hostSettings = inputs.lib.mkMerge
+ [
+ # 本机
+ {
+ "${hostname}" =
+ {
+ settings.Ed25519PublicKey = publicKey.${hostname};
+ subnets = [{ address = getAddress "tinc0.${hostname}"; weight = 0; }];
+ };
+ }
+ (inputs.lib.mkMerge (builtins.map
+ (node:
+ # 如果描述的是到本机的连接,给 from 中的机器加上信息,只用加它们的公钥和ip即可
+ if node.to == hostname then inputs.lib.mkMerge (builtins.map
+ (fromNode:
+ {
+ 
"${fromNode}" =
+ {
+ settings.Ed25519PublicKey = publicKey.${fromNode};
+ subnets = [{ address = getAddress "tinc0.${fromNode}"; weight = node.from.${fromNode}; }];
+ };
+ })
+ (builtins.attrNames node.from))
+ # 如果描述的是来自本机的连接,使用已经生成的设置,并加上权重的偏移
+ else if builtins.hasAttr hostname node.from then
+ {
+ "${node.to}" =
+ {
+ inherit (node.settings) addresses settings;
+ subnets = builtins.map
+ (subnet: { inherit (subnet) address; weight = subnet.weight + node.from.${hostname}; })
+ node.settings.subnets;
+ };
+ }
+ else {})
+ nodesWithSettings))
+ ];
+ };
+ nixos.system =
+ {
+ sops.secrets."tinc".owner = "tinc-tinc0";
+ network.settings = inputs.lib.mkIf (inputs.config.nixos.system.network.implementation == "systemd-networkd")
+ { static."tinc0" = { ip = getAddress "tinc0.${hostname}"; mask = 24; }; };
+ };
+ environment.etc = inputs.lib.mkIf (inputs.config.nixos.system.network.implementation == "networkmanager")
+ {
+ "tinc/tinc0/tinc-up".source = inputs.pkgs.writeShellScript "tinc-up"
+ ''
+ ${inputs.pkgs.iproute2}/bin/ip link set $INTERFACE up
+ ${inputs.pkgs.iproute2}/bin/ip addr add ${getAddress "tinc0.${hostname}"}/24 dev $INTERFACE
+ '';
+ };
+ networking.firewall = { allowedTCPPorts = [ 655 ]; allowedUDPPorts = [ 655 ]; trustedInterfaces = [ "tinc0" ]; };
+ };
+}
diff --git a/devices/cross/tinc/default.nix b/devices/cross/tinc/default.nix
deleted file mode 100644
index ab5ce9e4..00000000
--- a/devices/cross/tinc/default.nix
+++ /dev/null
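Review bot: `networking.firewall.trustedInterfaces = [ "tinc0" ]` on the last lines is new compared with the deleted devices/cross/tinc/default.nix, and it exempts the whole overlay from the host firewall on every node listed in `publicKey`, including the internet-facing vps4 and vps6, so any mesh peer can reach every listening service on a node rather than only the ports it was meant to consume. If that is the intended trust model, a comment on the line should say so, e.g. `# tinc0 peers bypass the host firewall entirely; all peers are first-party hosts`; otherwise keep the per-port allow lists and drop `trustedInterfaces`. Separately, `Name` rewrites `-` to `_`, but the hostSettings keys `"${hostname}"`, `"${fromNode}"` and `"${node.to}"` keep dashed names such as `srv1-node0`, and tinc only accepts `[A-Za-z0-9_]` in node names, so the host files would be written under names that neither `Name` nor the peers look up; applying the same `builtins.replaceStrings [ "-" ] [ "_" ]` to every hostSettings key (or once to the `publicKey` attribute names) would make `Name` and the host files agree.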
@@ -1,102 +0,0 @@
-inputs:
-let
- configs =
- {
- pc =
- {
- settings =
- {
- # 如何连接到这个节点
- addresses = [{ address = "192.168.1.3"; }];
- # 通过这个节点可以访问哪些地址,用于路由
- subnets = [{ address = "192.168.85.3"; weight = 1; }];
- settings.Ed25519PublicKey = "soafMZ/0EViMhKYNc8g8pp4sbhR/2HnnXwGQln0BgCK";
- };
- # 这个接口的地址
- address = "192.168.85.3";
- useNetworkd = false;
- };
- nas =
- {
- settings =
- {
- addresses = [{ address = "192.168.1.2"; }];
- subnets = [{ address = "192.168.85.4"; weight = 1; }];
- settings.Ed25519PublicKey = "sSN3eeBgrMXF6/XYfEBe54TXmfHETOESX+SyrpGlmDK";
- };
- address = "192.168.85.4";
- useNetworkd = true;
- };
- vps6 =
- {
- settings =
- {
- addresses = [{ address = "144.34.225.59"; }];
- subnets =
- [
- { address = "192.168.85.1"; weight = 1; }
- # { address = "192.168.85.0"; prefixLength = 24; weight = 10; }
- ];
- settings.Ed25519PublicKey = "rYOCGG+B4isTifKJQqsEdfhQuQRnUiIsvz7uI7vZiDN";
- };
- address = "192.168.85.1";
- useNetworkd = true;
- };
- vps4 =
- {
- settings =
- {
- addresses = [{ address = "104.234.37.61"; }];
- subnets =
- [
- { address = "192.168.85.2"; weight = 1; }
- { address = "192.168.85.0"; prefixLength = 24; weight = 10; }
- ];
- settings.Ed25519PublicKey = "N03OoCyj4ADkeN3cimJI/bJrBw8g1kz3TJ+1BTe+oyA";
- };
- address = "192.168.85.2";
- useNetworkd = true;
- };
- };
-in
-{
- config = inputs.lib.mkIf (builtins.hasAttr inputs.config.nixos.model.hostname configs)
- {
- services.tinc.networks.tinc0 =
- {
- settings =
- {
- Interface = "tinc0";
- # Name = builtins.replaceStrings [ "-" ] [ "_" ] inputs.config.nixos.model.hostname;
- Name = inputs.config.nixos.model.hostname;
- };
- hostSettings = builtins.mapAttrs (n: v: v.settings) configs;
- ed25519PrivateKeyFile = inputs.config.nixos.system.sops.secrets."tinc".path;
- };
- nixos.system =
- {
- sops.secrets."tinc".owner = "tinc-tinc0";
- network.settings = inputs.lib.mkIf (configs.${inputs.config.nixos.model.hostname}.useNetworkd)
- {
- static."tinc0" = { ip = 
configs.${inputs.config.nixos.model.hostname}.address; mask = 24; }; - }; - }; - # systemd.network.networks = inputs.lib.mkIf (configs.${inputs.config.nixos.model.hostname}.useNetworkd) - # { - # "10-custom" = - # { - # matchConfig.Name = "tinc0"; - # routes = [{ Destination = "192.168.85.0/0"; }]; - # }; - # }; - environment.etc = inputs.lib.mkIf (!configs.${inputs.config.nixos.model.hostname}.useNetworkd) - { - "tinc/tinc0/tinc-up".source = inputs.pkgs.writeShellScript "tinc-up" - '' - ${inputs.pkgs.iproute2}/bin/ip link set $INTERFACE up - ${inputs.pkgs.iproute2}/bin/ip addr add ${configs.${inputs.config.nixos.model.hostname}.address}/24 dev $INTERFACE - ''; - }; - networking.firewall = { allowedTCPPorts = [ 655 ]; allowedUDPPorts = [ 655 ]; }; - }; -} diff --git a/devices/srv1/node0/secrets.yaml b/devices/srv1/node0/secrets.yaml index ca079ba9..427f5f85 100644 --- a/devices/srv1/node0/secrets.yaml +++ b/devices/srv1/node0/secrets.yaml @@ -3,11 +3,8 @@ xray-client: uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str] mariadb: slurm: ENC[AES256_GCM,data:IoRiruMV+bdf4qTSQBy9Npoyf1R0HkTdvxZShcSlvxlz7uKujWnlH4fc5eR6yytHcEZ9uPLib9XbGojUQOFERA==,iv:E0ac0DyhplaHEc2WmcXY0Fjpkt/pnY9PaATe0idqCRA=,tag:Vo/DBIUO6DBFCXQ1RLrchg==,type:str] +tinc: ENC[AES256_GCM,data:tQLfvn0hrvdMx1WjWreSU7PwWhLFE6cyesc8EATRG/HiXOdmOo1Yx3n9VNywmzSdj+zKXcagnsRLX7/MsFJqnifNZ+2+L1+eMkSmP+J/ia3gwsJuLmh3Knn74d1njya59lJvSlGLJGtxbRdzd/Jx3cSbOVRAvOjLiYI+OjXgmoio8EmvL9XizVcFyOeNTG9IETSjygmCg1r99Mss0aBfWl7aTQmk1WHeEZFauS1PF9lrtEjoB2GeRGIEshW2ruecM3irDhxFNS4=,iv:SjUiLHoh3dvoT/fOuwKUSKvIm71ptZH6h0HQeNw5Lgc=,tag:/wW+LdccRODyZ0QTnxvW8g==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m enc: | 
@@ -27,8 +24,7 @@ sops: OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX 2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-10T10:44:35Z" - mac: ENC[AES256_GCM,data:lfckL0SJXq+eY3d9SUHihE4Alp6VAI7ugoQygMsphi91yvmAZ1YBbrTVxjzQpL1dT+7zhOhzE2dTqCLXUl1gjbYYo1S6zco73EdU4k/AX3LEAhCJCxG1LVvN/Kf+XoMSauFM7z+E8zZJCvT9/Jijxy/Ty/XBoP9z7gmpQSuRntI=,iv:5hVa0bsv3B9/I+BSxNYOYHFRnM3BfP8GvhlM65lWLFo=,tag:gs2NOe7h6AqYbmCBUMd9FA==,type:str] - pgp: [] + lastmodified: "2025-10-07T13:08:43Z" + mac: ENC[AES256_GCM,data:sUwS3uRtsxBfQbP3irw6KUih4llj8snqbq70BJblVG3MgdNuPtiUpyp3DShQ6BWRUHXYsS+fGVhM5dTFDalxKis0eP0tzUl6TaVLiDZ0TOJ3hco++owgwQEB/TD/3efGm3jqkrYht8yzSF1fe8ySqtQAR6dqdDpECeBWbHlr9EQ=,iv:Brq52ofx7+VBpng4ebwX1pEB68x2RJVKiOnXKtW7IIE=,tag:Z9p3sa7Y8VLAiZwOPoSXXA==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/devices/srv1/node1/secrets.yaml b/devices/srv1/node1/secrets.yaml index 52a62fad..a4211b14 100644 --- a/devices/srv1/node1/secrets.yaml +++ b/devices/srv1/node1/secrets.yaml @@ -1,9 +1,6 @@ wireguard: ENC[AES256_GCM,data:D4ukKVu4yn3hS3AZJqt3XTgZNbt44Vyiu6I5lCNw9c/VEqXBx3GDlKdcVPY=,iv:S1S0sU0vQcTahFI+GyBz1n/0LVsK3ImFDuLtuQxmgik=,tag:oZ1NWOCcsRb+kjfq/LcL2w==,type:str] +tinc: ENC[AES256_GCM,data:s/mcjWKxEp8f6OgAUqkHg8IHA/coBtht20pqSdwGp9OBRta64xyzszeS6o8uW1cV65vm1qQR9XkC7nmBx7F9RAZpMwEYh3anAfzWvL1dd6nNl9NLaz9eqrRGJJH4lyMAmErQRF6epEe2Z0kfs3icsZJ3p8rmWSHjIETFR+pQvepTzLXfz7mi3EftqFxK6o5LXe6t2df7PD5q7x8loB7eu4Qyh14NrklgMifmGoNBsGdIBAiqbZ+3xMt2VgEk4wc7X2ZmBJFx19U=,iv:343e5eRAGxwhb4ITadyKJOcvCnLp5emgz737kBmYlig=,tag:O/cwMZJofSKxMhzFMBV+Mg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m enc: | 
@@ -23,8 +20,7 @@ sops: cWpEMWU1TjZKbnFTWm4xY2QwdWx3aFkK0O6p2piq8RKOcSTT49i0pnlt+gOk+QMF r+EJU0zobWwe3PrDg8jjw5HpMxrpDzHcD0XMnVQW0Fd9pn6n4VfpUw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-16T05:03:27Z" - mac: ENC[AES256_GCM,data:13eXFmTRo9lZvQ3+iApHuei5r/OCSCs2gxqEe3nmavQgq1kQXKcD+4ciS/Shd9CJFZrjAu9oRByu5ZeZOnj11u6z3EmnXIwHptMEZe+N6r+Z2uKcBUa/TSJBnYcCrMQ1NM16GXRTi1bwpx4iT4v377lgd1orCa5C10iD6W3/9b0=,iv:FBGi1hSAu0Bz5NKz4mixfbUXbjI725RHccmEO4/jumo=,tag:vCHzTsTV7kJKNapFTxS55A==,type:str] - pgp: [] + lastmodified: "2025-10-07T13:09:59Z" + mac: ENC[AES256_GCM,data:cDQL6aWOIIJc8Bhh/RBt50ZYi2Cb1xJpysBvWBvkFYgO31o+vx0hE7L3Od8clN1UcAXQ+4C1GMRpchtqzZgAC9ycA+/4UICQhE1Tv1lgmzsWE309SN7b1I38b/kOCABR4M2nQYgztq0IXO37Qo7BoR4xY/ozq55xIVDFrSwF3z0=,iv:vb6Y0ErWKAWOA7GCR0C1o38p2tJVG5q5ufVE90wfhdo=,tag:b6rZlyNaKPnc9GUv7++Gvg==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/devices/srv1/node2/secrets.yaml b/devices/srv1/node2/secrets.yaml index 0d2dccab..967ed0a2 100644 --- a/devices/srv1/node2/secrets.yaml +++ b/devices/srv1/node2/secrets.yaml @@ -1,11 +1,8 @@ xray-client: uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str] wireguard: ENC[AES256_GCM,data:xoIm26btEBuHjgcIrB8gRHAaEdBq3/E5XtoF0YPxnSHB7k3GWJfAxeL4vrw=,iv:HuOFNUgGROF97beF6C4amspd+NV/2uO6OihNMz23hSY=,tag:YJjFM8mqYOuJEulpVHt8FA==,type:str] +tinc: ENC[AES256_GCM,data:vDPVgWBFmzDvF98/oJvJ6Yj0rDkkTJGYYRJrLY454fzg4EOyGe4FwR1GgHqFeHo6e1Tk76K3odGiUGyOcWOtTCbEKKIli76/P9KCAY6sItTwc1xsPw540vIZXqFv0/lNladhgGznXKMQ4U9bzKuM+KcxmLlTE2QGJAhPeFox7OQmSYba3ww24+XXJaGWL1fZZaLFABZ56bTggNmY2z+orThg2i5yMrO5TjaGXMcFsFJg7A6HzDCv1TuBNRPTMeiWTYqSDFQGUcU=,iv:T25lfAmdpPz+mWJEPu/NK/2PFFP6jfphYTijjEg5o7Q=,tag:oTNOi81SZnsDEjZVTngoQw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m enc: | 
@@ -25,8 +22,7 @@ sops: MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-16T05:04:26Z" - mac: ENC[AES256_GCM,data:JlAgVoTpT6NRT1gvYQre6N8PzHLxbC9z1E42OM40Qs/nhcjYnsRNPiUEvSUClgx+B2G99S/b9R/wQqovBQFtdRDdlCMhz0ZVgLe48ak74EOYn6fwXy37amXP6doW86wS/N2fQeKhyMiJPHurRGamm+jsUUALohx6p1zm47NWL0c=,iv:oQV5be92oyOj0h6IrEY70VfoJYqEFVMtI0PYEALIXfo=,tag:WlH+fTUlPynhupXpBvdl+g==,type:str] - pgp: [] + lastmodified: "2025-10-07T13:10:56Z" + mac: ENC[AES256_GCM,data:crF192gxhvZj3qBHwnEf7g02tKHhYLEfFUL+KeMxVg1ADI8Dm1DmEkikgAqEbW3WQFxcHDKZWKaeBeEpjcUVrIwgwO0QWc+WchwEnUAvLO7yokE+ixWjDBLbuuWuNl7b2qYCds8BO6u+HTgSdaTDm8op01ateUwTrM4XBJXoztA=,iv:RZnyCv/kPz2Nw1/5w+YWXIwTVa4fEQZrzOffY+lczYQ=,tag:bB1AT3C4Gb19/wzzU+/pXQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/devices/srv2/node0/secrets.yaml b/devices/srv2/node0/secrets.yaml index bd81a5b9..ddb6a0dd 100644 --- a/devices/srv2/node0/secrets.yaml +++ b/devices/srv2/node0/secrets.yaml @@ -8,6 +8,7 @@ hpcstat: wireless: #ENC[AES256_GCM,data:n9OPSJsB7yNk,iv:xQzKJxqPB7uT83m/B4UoOje6NQbPLhuHR7Hp93oNz8A=,tag:gtsTx6ALnS/7fIDd7VimOg==,type:comment] 409的5G: ENC[AES256_GCM,data:K9wm3zedoil7jHgTcb+VmbdbkG2dgrMdr3BmDRUHDVADqLANMvnUMSecggYTO4HaiI9q6uv2/BSkluanD5K4Dw==,iv:7dGET3ULKlnaDMVmkuXDek+hQPLZ2VUbPqvEOX+5jlQ=,tag:MBGmQ0NNNqX+T9EsBiWCaw==,type:str] +tinc: ENC[AES256_GCM,data:9S3QK3lLT59GNhppHc1IoC7bN0mntbcQIZmVjtxOpQxzJDJQ63jBCfoupyfjmW3JCpWSWtelZ58VPeTOHZ6NXr2xJMitvqGAiJzsd9ZGYvlv6+OR2swXVyDMBhcQpU+1ui/5zEPFDWIxRMIoIJL3VO9la6gxHQY1st5p2REh3VpSu0R/b1ormlmSPyRtjCS4LlGpXF8FnHilE9wOLm6AhtGhq5nAHAwPCj/gVpDNI0Y+88shBbNTRG4ucXsEX3S/+IgDLElB7nE=,iv:nEa5NMxfi9rc194TMEldAw1E7Bw24qM5htVUerd1nNU=,tag:A8GB/LFeBNyAq7MfpSFaQw==,type:str] sops: age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m 
@@ -28,7 +29,7 @@ sops: M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-12T04:13:47Z" - mac: ENC[AES256_GCM,data:W+e5d1scvV24AdVdl7Pisp9HxsXQ/tPjN2NV/Bd0RXZNBRB7LNQrSfk1GadboBnihW0ctAQOFk66PZsxwE2czfFL2/yzFxm9Cf11Mc822ZL3BwjnQBK4uR9LJrbjL7x1lFUk9v0AIPhjrir8F6dcX8mq6++hHNN0wjGaH3J9E0Y=,iv:RK7e4Dxog+Qsgk6gxK0f8PN8oF9bjWIrTyYK67Cdras=,tag:QSKsETYXbhnvhhjavP4UiA==,type:str] + lastmodified: "2025-10-07T13:12:08Z" + mac: ENC[AES256_GCM,data:N4bro1QNf5LcBpLCMeKbWzB7dADpAP7my6B6rM/J4FkUeqal39REDuDVDq3QD3/bKew4ltfj8j/9tXbWAClq5l2P/1z4RJVqbranjEdBL3nwhYMcdG3jGmf/E1xRmYaIs5Lo9F7KY1yWyVmArfH+/enRMTNO3kvn4Zg22KsOfMY=,iv:ytX/k8Lnru71CftYREQYZ3hhmh1nKfJfuy2HD+bFaPk=,tag:SMfy7V9F9Ob+iwpyaTlYsw==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/srv2/node1/secrets.yaml b/devices/srv2/node1/secrets.yaml index 6f9d0b1d..e2bb148a 100644 --- a/devices/srv2/node1/secrets.yaml +++ b/devices/srv2/node1/secrets.yaml @@ -1,9 +1,6 @@ wireguard: ENC[AES256_GCM,data:zfyNpCZ2EhQdsz+/vknjtbT1vMLebil1tarIcxLoUQ3J5XOKTCQBay4jBL8=,iv:tF6I5HHhDMfoGAfrtkmvrlqsSpX9YZL8dtzxAgBCp5c=,tag:DeOFwrIGbwVtf42iO1dm6g==,type:str] +tinc: ENC[AES256_GCM,data:0fOvjy/b+87HS+bcNENY3jfxcxMLcjeQh/hT5HIUG2aCiTLbsmlqXTR9j18ZwcKAAEbzzDSonpPmQv/kGeMyvk9B4Q0En8FSdBaW5y5HQVLf32KlSoq8+MBRPTQREcHHMDZ/tQw02aAdq0jvYpHnFIKiqOZFfGhKo2oS12wxlR33n+zwqwyBu5quN0ynbwG+BMZua9uJrlsfFe8ttu5BHzl5xdCTVzmJ7vV7H1K7lJBwlDF62Rn6zsQV2uGaUew1ScephX/KC40=,iv:eA6YLGY+d4BldBAsqFsrrUiTY3Xa7eJ687C3gS7ofG0=,tag:40QXjFYc0ht7/OuIPDo1Wg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m enc: | 
@@ -23,8 +20,7 @@ sops: c0I4VUdiZytoQWRsUUhBVStDR2VPT3MKDkDQ3sKJjotYUfoBWF85t3LYtz1OVFws 2IdtJBHISb5j3xnAs/UUHDPzjUUsgb+sTHm9krQy3LDuELNY6KGMPw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-16T05:05:21Z" - mac: ENC[AES256_GCM,data:aPNsWBi4sm4UhX1qpk412eYNCZltKkRMWWgopZw6mjMLSOSb6E1yi8NjRJMj04RpE2XoVCkKP6R5Qo0I95wxY5qZHJuUp/5srqjAf/fHWz1QmXThogaMzM2jue7+NHUSQXrPnh0ZspXD47HyxMUOhlnewZ3EfOw7B5qKAYR1f6I=,iv:mnwtf0B7x5AbMzivg27zqIkhBdkDb5qq8eDBCGMdK0c=,tag:PCtirta++gCSsQsQo+bSmA==,type:str] - pgp: [] + lastmodified: "2025-10-07T13:12:57Z" + mac: ENC[AES256_GCM,data:dEAd/vpSY8gGbyQrvGfCe4Qhun2BjhpSZDjjxrOWWe29GkXHyMpdGf89hgeIO3V0lfoX3iipoWT2QSUxJDPK0szJY8W2U+hz2aIis9hqC1UKIggIJWxev2aV1kvVHx5xw7Hl6JLs1OBtpTZpXSV2ySVXc7U3OobituTpYdqXx58=,iv:mZBCqng0K1LuUjg6fEMeWYEJlbkNAnUaSgyyIWA/p9A=,tag:jVUmWteAHr0UhPXY47sMbw==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 diff --git a/devices/vps4/default.nix b/devices/vps4/default.nix index 48a530ba..5d44d90e 100644 --- a/devices/vps4/default.nix +++ b/devices/vps4/default.nix @@ -28,7 +28,7 @@ inputs: fail2ban = {}; xray.server.serverName = "xserver2.vps4.chn.moe"; nginx.streamProxy.map = builtins.listToAttrs (builtins.map - (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.nas.chn.moe"; }) + (site: { name = "${site}.chn.moe"; value.upstream.address = "tinc0.nas.chn.moe"; }) [ "xn--s8w913fdga" "matrix" "send" "git" "grafana" "peertube" "rsshub" "misskey" "synapse" "vaultwarden" "photoprism" "nextcloud" "freshrss" "huginn" "api" "webdav" "chat" diff --git a/devices/vps6/default.nix b/devices/vps6/default.nix index 5feb284b..c2cbaa42 100644 --- a/devices/vps6/default.nix +++ b/devices/vps6/default.nix 
@@ -33,10 +33,13 @@ inputs: "anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; }; "podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; }; "xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; }; - "xservernas.chn.moe" = { upstream = "wg0.nas.chn.moe:443"; proxyProtocol = false; }; + "xservernas.chn.moe" = { upstream = "tinc0.nas.chn.moe:443"; proxyProtocol = false; }; } // (builtins.listToAttrs (builtins.map - (site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.pc.chn.moe"; }) + (site: { name = "${site}.chn.moe"; value.upstream.address = "tinc0.nas.chn.moe"; }) + [ "xn--s8w913fdga" "matrix" ])) + // (builtins.listToAttrs (builtins.map + (site: { name = "${site}.chn.moe"; value.upstream.address = "tinc0.pc.chn.moe"; }) [ "xn--qbtm095lrg0bfka60z" ])); applications = { @@ -55,7 +58,7 @@ inputs: mirism = {}; fail2ban = {}; beesd."/" = {}; - # bind = {}; + bind = {}; }; }; networking.nftables.tables.forward = diff --git a/flake/dns/config/chn.moe.nix b/flake/dns/config/chn.moe.nix index 63e7c50d..54d33ba7 100644 --- a/flake/dns/config/chn.moe.nix +++ b/flake/dns/config/chn.moe.nix @@ -8,7 +8,7 @@ let [ "initrd.vps4" "xserver2.vps4" # to nas - "git" "grafana" "matrix" "peertube" "send" "vikunja" "铜锣湾" "xservernas" "chat" "freshrss" "huginn" "nextcloud" + "git" "grafana" "peertube" "send" "vikunja" "xservernas" "chat" "freshrss" "huginn" "nextcloud" "photoprism" "rsshub" "vaultwarden" "webdav" "synapse" "misskey" "api" ]; vps6 = @@ -25,6 +25,7 @@ let srv2-node0 = [ "srv2" ]; "tinc0.pc" = [ "nix-store" ]; "tinc0.nas" = [ "nix-store.nas" "ssh.git" ]; + autoroute = [ "铜锣湾" "matrix" ]; }; a = { diff --git a/flake/dns/default.nix b/flake/dns/default.nix index f30ea709..5a091bf1 100644 --- a/flake/dns/default.nix +++ b/flake/dns/default.nix 
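Review bot: The second vps6 hunk (`@@ -55,7 +58,7 @@`) turns `bind = {}` on, and the modules/services/bind.nix hunk in this same commit serves a `chn.moe` zone whose NS record is `vps6.chn.moe.`, so an authoritative name server appears to be newly exposed on an internet-facing host. The listener, recursion and zone-transfer settings of that module are not visible in this diff; for an authoritative-only server recursion should be off and `allow-transfer` restricted, which is worth confirming in the module before this lands. The enclosing `applications` attribute set continues outside the hunk.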
@@ -16,6 +16,7 @@ let meta.config = config // { wireguard = import ./config/wireguard.nix; + tinc = import ./config/tinc.nix; "chn.moe" = config."chn.moe" // { # 查询域名对应的 ip diff --git a/modules/packages/ssh.nix b/modules/packages/ssh.nix index ae9ea2f3..25b756df 100644 --- a/modules/packages/ssh.nix +++ b/modules/packages/ssh.nix @@ -61,7 +61,7 @@ inputs: forwardAgent = true; extraOptions.AddKeysToAgent = "yes"; }; - "wg0.jykang" = jykang // { host = "wg0.jykang"; proxyJump = "wg0.srv2"; }; + "tinc0.jykang" = jykang // { host = "tinc0.jykang"; proxyJump = "tinc0.nas"; }; "*" = { controlMaster = "auto"; diff --git a/modules/services/bind.nix b/modules/services/bind.nix index e006ecf5..608d3333 100644 --- a/modules/services/bind.nix +++ b/modules/services/bind.nix @@ -32,7 +32,7 @@ inputs: 300 ; minimum ) @ IN NS vps6.chn.moe. - @ IN A ${inputs.topInputs.self.config.dns."chn.moe".getAddress "srv3"} + @ IN A ${inputs.topInputs.self.config.dns."chn.moe".getAddress "vps4"} ''; nullZone = inputs.pkgs.writeText "null.zone" ""; in
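Review bot: `tinc = import ./config/tinc.nix;` refers to flake/dns/config/tinc.nix, which is not among the 14 files in this commit's diffstat; unless that file already exists on the branch, evaluation fails at this import with a missing-path error rather than at a use site. If it does exist, a short comment such as `# per-network tinc addresses; read as dns.tinc by devices/cross/ssh.nix` would help, since the attribute is consumed by name from other modules in this change. The surrounding `meta.config` attribute set continues outside the hunk.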