diff --git a/devices/cross/ssh.nix b/devices/cross/ssh.nix index 9107f7ac..1de4cdb8 100644 --- a/devices/cross/ssh.nix +++ b/devices/cross/ssh.nix @@ -55,9 +55,6 @@ in hostNames = # 直接访问 [ "${device.name}.chn.moe" ] - # 通过 wirewireguard 访问 - ++ (builtins.map (net: "${net}.${device.name}.chn.moe") - (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net)) # 通过 tinc 访问 ++ (builtins.map (net: "tinc0.${device.name}.chn.moe") (builtins.attrNames inputs.topInputs.self.config.dns.tinc)) @@ -91,18 +88,6 @@ in }) ((device.value.extraAccess or []) ++ [ device.name ])) (inputs.localLib.attrsToList devices)) - # 通过 wireguard 访问 - (builtins.concatLists (builtins.map - (net: builtins.map - (device: builtins.map - (name: - { - name = "${net}.${name}"; - value = genericConfig // { host = "${net}.${name}"; hostname = "${net}.${name}.chn.moe"; }; - }) - ((device.value.extraAccess or []) ++ [ device.name ])) - (inputs.localLib.attrsToList devices)) - (builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net))) # 通过 tinc 访问 (builtins.map (device: builtins.map diff --git a/devices/cross/wireguard.nix b/devices/cross/wireguard.nix deleted file mode 100644 index 43532d62..00000000 --- a/devices/cross/wireguard.nix +++ /dev/null 
@@ -1,213 +0,0 @@ -inputs: -let - publicKey = - { - vps4 = "sUB97q3lPyGkFqPmjETzDP71J69ZVfaUTWs85+HA12g="; - vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4="; - pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw="; - nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY="; - srv1-node0 = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM="; - srv1-node1 = "wyNONnJF2WHykaHsQIV4gNntOaCsdTfi7ysXDsR2Bww="; - srv1-node2 = "zWvkVyJwtQhwmxM2fHwNDnK+iwYm1O0RHrwCQ/VXdEo="; - srv2-node0 = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE="; - srv2-node1 = "wc+DkY/WlGkLeI8cMcoRHcCcITNqX26P1v5JlkQwWSc="; - }; - dns = inputs.topInputs.self.config.dns.wireguard; - inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress; - listenPort = - { - wg0 = builtins.listToAttrs (builtins.map - (name: inputs.lib.nameValuePair name 51820) - (builtins.attrNames publicKey)); - wg1 = builtins.listToAttrs (builtins.map - (name: inputs.lib.nameValuePair name (51820 + dns.peer.${name})) - (builtins.attrNames publicKey)); - }; - subnet = # 设备之间可以直接连接的子网。若一个设备可以主动接受连接,则设置它接受连接的 ip;否则设置为 null - { - wg0 = - [ - # 所有设备都可以连接到公网,但只有有公网 ip 的设备可以接受连接 - (builtins.listToAttrs - ( - (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "vps4" "vps6" ]) - ++ (builtins.map - (n: { name = n; value = null; }) - (inputs.lib.subtractLists [ "vps4" "vps6" ] (builtins.attrNames publicKey))) - )) - ]; - wg1 = - [ - # 所有设备都可以连接到公网,但只有有公网 ip 的设备可以接受连接 - (builtins.listToAttrs - ( - (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "vps4" "vps6" ]) - ++ (builtins.map (n: inputs.lib.nameValuePair n null) [ "pc" "nas" "srv1-node0" "srv2-node0" ]) - )) - # 校内网络 - (builtins.listToAttrs - ( - (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "srv1-node0" "srv2-node0" ]) - ++ (builtins.map (n: inputs.lib.nameValuePair n null) [ "pc" "nas" ]) - )) - # 办公室或者宿舍局域网 - (builtins.listToAttrs (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "pc" "nas" ])) - # 集群内部网络 - (builtins.listToAttrs 
(builtins.map - (n: inputs.lib.nameValuePair "srv1-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}") - (builtins.genList (n: n) 3))) - (builtins.listToAttrs (builtins.map - (n: inputs.lib.nameValuePair "srv2-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}") - (builtins.genList (n: n) 2))) - ]; - }; - # 给定起止点,返回最短路径的第一跳的目的地 - # 如果两个设备不能连接,返回 null; - # 如果可以直接、主动连接,返回 { address = xx; port = xx; };如果可以直接连接但是被动连接,返回 { address = null; }; - # 如果需要中转,返回 { jump = 下一跳; } - connection = - let - # 将给定子网翻译成一列边,返回 [{ dev1 = null or ip; dev2 = null or ip; }] - # 边中至少有一个端点是可以接受连接的 - netToEdges = subnet: - let devWithAddress = builtins.filter (n: subnet.${n} != null) (builtins.attrNames subnet); - in inputs.lib.unique (builtins.concatLists (builtins.map - (dev1: builtins.map - (dev2: { "${dev1}" = subnet."${dev1}"; "${dev2}" = subnet."${dev2}"; }) - (inputs.lib.remove dev1 (builtins.attrNames subnet))) - devWithAddress)); - # 在一个图中加入一个边 - # current 的结构是:from.to = null or { address = xxx or null; length = l; jump = ""; } - addEdge = current: newEdge: builtins.mapAttrs - (nameFrom: valueFrom: builtins.mapAttrs - (nameTo: valueTo: - # 不处理自己到自己的路 - if nameFrom == nameTo then null - # 如果要加入的边包含起点 - else if newEdge ? "${nameFrom}" then - # 如果要加入的边包含终点,那么这两个点可以直连 - if newEdge ? 
"${nameTo}" - then { address = newEdge.${nameTo}; length = 1; } - else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge)); in - # 如果边的另外一个点到终点可以连接 - if current.${edgePoint2}.${nameTo} != null then - # 如果之前不能连接,则使用新的连接 - if current.${nameFrom}.${nameTo} == null then - { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; } - # 如果之前可以连接,且新连接更短,同样更新连接 - else if current.${nameFrom}.${nameTo}.length > 1 + current.${edgePoint2}.${nameTo}.length then - { jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; } - # 否则,不更新连接 - else current.${nameFrom}.${nameTo} - # 否则,不更新连接 - else current.${nameFrom}.${nameTo} - # 如果要加入的边包不包含起点但包含终点 - else if newEdge ? "${nameTo}" then - let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge)); in - # 如果起点与另外一个点可以相连 - if current.${nameFrom}.${edgePoint2} != null then - # 如果之前不能连接,则使用新的连接 - if current.${nameFrom}.${nameTo} == null then - { - jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2; - length = current.${nameFrom}.${edgePoint2}.length + 1; - } - # 如果之前可以连接,且新连接更短,同样更新连接 - else if current.${nameFrom}.${nameTo}.length > current.${nameFrom}.${edgePoint2}.length + 1 then - { - jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2; - length = current.${nameFrom}.${edgePoint2}.length + 1; - } - # 否则,不更新连接 - else current.${nameFrom}.${nameTo} - # 如果起点与另外一个点不可以相连,则不改变连接 - else current.${nameFrom}.${nameTo} - # 如果要加入的边不包含起点和终点 - else - let - edgePoints = builtins.attrNames newEdge; - p1 = builtins.elemAt edgePoints 0; - p2 = builtins.elemAt edgePoints 1; - in - # 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接 - if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then - # 如果之前不能连接,则新连接必然是唯一的连接,使用新连接 - if current.${nameFrom}.${nameTo} == null then - { - jump = current.${nameFrom}.${p1}.jump or p1; - length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length; - } - # 如果之前可以连接,那么反过来一定也能连接,选取三种连接中最短的 - 
else builtins.head (inputs.lib.sort - (a: b: if a == null then false else if b == null then true else a.length < b.length) - [ - # 原先的连接 - current.${nameFrom}.${nameTo} - # 正着连接 - { - jump = current.${nameFrom}.${p1}.jump or p1; - length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length; - } - # 反着连接 - { - jump = current.${nameFrom}.${p2}.jump or p2; - length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length; - } - ]) - # 如果正着不能连接、反过来可以连接,那么反过来连接一定是唯一的通路,使用反向的连接 - else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then - { - jump = current.${nameFrom}.${p2}.jump or p2; - length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length; - } - # 如果正着连接、反向连接都不行,那么就不更新连接 - else current.${nameFrom}.${nameTo}) - valueFrom) - current; - # 初始时,所有点之间都不连接 - init = builtins.listToAttrs (builtins.map - (dev1: - { - name = dev1; - value = builtins.listToAttrs (builtins.map - (dev2: { name = dev2; value = null; }) - (builtins.attrNames publicKey)); - }) - (builtins.attrNames publicKey)); - in builtins.mapAttrs (_: v: builtins.foldl' addEdge init (builtins.concatLists (builtins.map netToEdges v))) subnet; - networks = builtins.mapAttrs - (n: v: builtins.listToAttrs (builtins.map - (deviceName: inputs.lib.nameValuePair deviceName - { - ip = "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${deviceName}}"; - listenPort = listenPort.${n}.${deviceName}; - peer = builtins.listToAttrs (builtins.concatLists (builtins.map - (peerName: - # 如果不能直连,就不用加 peer - inputs.lib.optionals (v.${deviceName}.${peerName} ? 
address) - [{ - name = peerName; - value = - { - publicKey = publicKey.${peerName}; - allowedIPs = - [ "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${peerName}}" ] - ++ builtins.map - (destination: - "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${destination}}") - (builtins.filter - (destination: v.${deviceName}.${destination}.jump or null == peerName) - (builtins.attrNames publicKey)); - } - // inputs.lib.optionalAttrs (v.${deviceName}.${peerName}.address != null) - { - endpoint = "${v.${deviceName}.${peerName}.address}:" - + builtins.toString (listenPort.${n}.${peerName}); - }; - }]) - (inputs.lib.remove deviceName (builtins.attrNames publicKey)))); - }) - (builtins.attrNames publicKey)) - ) - connection; -in { config.nixos.services.wireguard = builtins.mapAttrs (_: v: v.${inputs.config.nixos.model.hostname}) networks; } diff --git a/devices/nas/secrets.yaml b/devices/nas/secrets.yaml index 7ea7047c..a80f0299 100644 --- a/devices/nas/secrets.yaml +++ b/devices/nas/secrets.yaml @@ -1,6 +1,5 @@ xray-client: uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str] -wireguard: ENC[AES256_GCM,data:JaOSq474mGOoQQcdJ/j9fYo2e1vjXMPxJ69TOd079FrSkbzbIteWww5f8Xo=,iv:uy/NC2+tibL61XJDZK/spKjV9u0oXK4YzjFjYmCAL0k=,tag:en+c8cHaPvDqJL+EpQjr0g==,type:str] xray-xmu-server: ENC[AES256_GCM,data:3O5rFi5szla70M/c62JV4nGWKPSOREImrOucjeVYf9bde6K8,iv:PGCqlmHtaNuWOtAAeJ6O+CWFpMszijozU1OpUFrftjs=,tag:iGTOoNvQhhZy2FL9jy1KIQ==,type:str] xray-server: clients: 
@@ -100,7 +99,7 @@ sops: by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-08T06:03:10Z" - mac: ENC[AES256_GCM,data:mbIk6yeeCuf6lbS8oLuHly7Gpa4QrsHeWJatHGRQJSbZAZYRivw6TGx43LNY0JC8ITe8Lv5pYZt6EdZtxHQhoxy1rPdZu57L4QrI9bzkf1nmZPhnRRRnBL6YJMFjDQKjbKwDgHy27sUUysVnTwam+f9Ygt4LnUyCpLcGScLztOY=,iv:l87rl+wJvQ182hII21v/r4EfV9FCJ47RTiERLW79fr0=,tag:ZhJVWn2sstbCdi2tqW5rIg==,type:str] + lastmodified: "2025-10-12T08:53:54Z" + mac: ENC[AES256_GCM,data:BmUcsv1AFkmIYdrYsYcjZExdyIfbAK+RHeIgaHvvgaGNxl3LxaS04CIwTB7HKA2vl87V+1Z2I/pGdEgE+KcUxl1RaRhGDTjkJeoxubSnwnhPb7B1WAb18MXXD5LiMUZzoGoMcqRTbkBIX9JJHcrdiKuSiXuyn6HbP/9g50unr2w=,iv:XMWqHOtodBX8UvPfGhoSt08gbacabzEJ59r4qrPOx2s=,tag:/dEIE5lMG1J54cIVB2Impg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/pc/secrets/default.yaml b/devices/pc/secrets/default.yaml index f7714f3a..b8872c3c 100644 --- a/devices/pc/secrets/default.yaml +++ b/devices/pc/secrets/default.yaml @@ -6,7 +6,6 @@ postgresql: misskey_misskey: ENC[AES256_GCM,data:MSDbQffk/WjZ6EYiwVuUMdhdv9VE59ZM7t4XldOKRO0=,iv:J/x9t4Pk5zi7Av9fbzxgAbbtbEUZttSx/JGRmmgmvE4=,tag:CwFR9K++T7YqYR932z3IAg==,type:str] redis: misskey-misskey: ENC[AES256_GCM,data:vcvQ/hs/F3BZd1sfvWwfEeB8vVoqdnprxobcmL6xsmg=,iv:S32yrjrjj56HbxTlfFGjOb+sO2M9KKEDEazCrpQWj6Q=,tag:iwnvqwQEdd6jicx9jJBdbg==,type:str] -wireguard: ENC[AES256_GCM,data:9QoVM69efr3+UGEo/GPY6IBBxfcqE+3erRTrqSdeTf4XziVMlzWTMdhV9jU=,iv:3abQtZ8cpejqXsJPx6SvSS2cXAKMDkEKEhl9LE319RQ=,tag:1uBPK/0VLPPMzj4rl+iQMQ==,type:str] mariadb: slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str] nix: 
@@ -40,7 +39,7 @@ sops: OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-08T06:03:40Z" - mac: ENC[AES256_GCM,data:NyveggH8M3ZKzSXlkwwPF7n1G6nUVQJ0yKj5NR6wPboO0Qq1En5AaxvuX0unswM6elPAcCDmV3j5hKgKuU5tPm5yVmfBxXNPVjCtbw4L3faoKefFqeoo6kVeOhvzhj68jYlJXGf/SKyG725mQHWBGpg7C1LOoqHQkzBysqgWUmw=,iv:iDHU1iVvVf6L+PCMlrbvKB87PmeSAr4jxARB9n7NlSc=,tag:qdaS8D7b5IB2hoNGYia4EA==,type:str] + lastmodified: "2025-10-12T08:54:46Z" + mac: ENC[AES256_GCM,data:WDImciB99J8YKHGUljCX0ZgaFdKyIm8N5jcItRtF53vOCejsKIRaOUKiqxCdWmDqdLW1V+osmVn0k0b1+GDp6MJ7yB1p8RftwyBoC7CNErld3HNcfc4nElYAvTCxqR9QOHDGmZCEw9e94tTHvs7TYxnFaFXg8iBjDgZwTpz6ZSU=,iv:Z+WT6Dtx9PZjPtYhwm6MbTw87S3aKqJ+LSw6aSN4/K0=,tag:x+tWUCQouFEFtBO1+8TKjQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/srv1/node0/secrets.yaml b/devices/srv1/node0/secrets.yaml index 427f5f85..ad071d2e 100644 --- a/devices/srv1/node0/secrets.yaml +++ b/devices/srv1/node0/secrets.yaml @@ -1,4 +1,3 @@ -wireguard: ENC[AES256_GCM,data:B5YdOhpXruQY1Hqb7hpIyPZinSNG+Ub/jE2/hiwZT2WCHjT6Ujz/W8eKbuk=,iv:XcfZb34SjYEsxvo6HEGCd7wy0dsrNIEJ0bORznZZceA=,tag:uFlbepSwch2wJCRITlVNTA==,type:str] xray-client: uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str] mariadb: 
@@ -24,7 +23,7 @@ sops: OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX 2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-07T13:08:43Z" - mac: ENC[AES256_GCM,data:sUwS3uRtsxBfQbP3irw6KUih4llj8snqbq70BJblVG3MgdNuPtiUpyp3DShQ6BWRUHXYsS+fGVhM5dTFDalxKis0eP0tzUl6TaVLiDZ0TOJ3hco++owgwQEB/TD/3efGm3jqkrYht8yzSF1fe8ySqtQAR6dqdDpECeBWbHlr9EQ=,iv:Brq52ofx7+VBpng4ebwX1pEB68x2RJVKiOnXKtW7IIE=,tag:Z9p3sa7Y8VLAiZwOPoSXXA==,type:str] + lastmodified: "2025-10-12T08:54:25Z" + mac: ENC[AES256_GCM,data:FqqrUai8MNxO6gPQnRNqoROdQPiPnh42ixQgkWJxeBK3dnvNGCNAWtfUopnup6Qo0TcmAEQ38rmYFZbGlFLKMon0atov3tFmyvIAbOhHDnWxp+bTGDJJjw9Xs3vd4Yukd2ag2cgyS5hV9xO0N825oT3mzJFo6g8CukBLF3BH+kQ=,iv:3sfhIcSNVZsPw3tbyOjNi04NWpV+Nunx4i8d/RIsXtE=,tag:03Kx+HQ4uSR5QxBlBqc9Dw==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/srv1/node1/secrets.yaml b/devices/srv1/node1/secrets.yaml index a4211b14..022fc379 100644 --- a/devices/srv1/node1/secrets.yaml +++ b/devices/srv1/node1/secrets.yaml @@ -1,4 +1,3 @@ -wireguard: ENC[AES256_GCM,data:D4ukKVu4yn3hS3AZJqt3XTgZNbt44Vyiu6I5lCNw9c/VEqXBx3GDlKdcVPY=,iv:S1S0sU0vQcTahFI+GyBz1n/0LVsK3ImFDuLtuQxmgik=,tag:oZ1NWOCcsRb+kjfq/LcL2w==,type:str] tinc: ENC[AES256_GCM,data:s/mcjWKxEp8f6OgAUqkHg8IHA/coBtht20pqSdwGp9OBRta64xyzszeS6o8uW1cV65vm1qQR9XkC7nmBx7F9RAZpMwEYh3anAfzWvL1dd6nNl9NLaz9eqrRGJJH4lyMAmErQRF6epEe2Z0kfs3icsZJ3p8rmWSHjIETFR+pQvepTzLXfz7mi3EftqFxK6o5LXe6t2df7PD5q7x8loB7eu4Qyh14NrklgMifmGoNBsGdIBAiqbZ+3xMt2VgEk4wc7X2ZmBJFx19U=,iv:343e5eRAGxwhb4ITadyKJOcvCnLp5emgz737kBmYlig=,tag:O/cwMZJofSKxMhzFMBV+Mg==,type:str] sops: age: 
@@ -20,7 +19,7 @@ sops: cWpEMWU1TjZKbnFTWm4xY2QwdWx3aFkK0O6p2piq8RKOcSTT49i0pnlt+gOk+QMF r+EJU0zobWwe3PrDg8jjw5HpMxrpDzHcD0XMnVQW0Fd9pn6n4VfpUw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-07T13:09:59Z" - mac: ENC[AES256_GCM,data:cDQL6aWOIIJc8Bhh/RBt50ZYi2Cb1xJpysBvWBvkFYgO31o+vx0hE7L3Od8clN1UcAXQ+4C1GMRpchtqzZgAC9ycA+/4UICQhE1Tv1lgmzsWE309SN7b1I38b/kOCABR4M2nQYgztq0IXO37Qo7BoR4xY/ozq55xIVDFrSwF3z0=,iv:vb6Y0ErWKAWOA7GCR0C1o38p2tJVG5q5ufVE90wfhdo=,tag:b6rZlyNaKPnc9GUv7++Gvg==,type:str] + lastmodified: "2025-10-12T08:54:16Z" + mac: ENC[AES256_GCM,data:Vk9TJgMM41NhB9XEzBRNuUxZ+pIdFTS4/9VoeBjVB8nMtRb0ZmjB9CTmYGXGxFfB/dg63qmXGfQITgKmtANXiQpMHXYdHw1xnEOTtlTa/ndp3xszVxAEBBhsVlAiXSYmAxKFtIw6W2Erpz1cFhkC0XjlE8/EGe1Srbre0JCzbCA=,iv:pmd1ZM0nhDyNZ6eiNkFEDX5Z0XRSbg2fAPEW6EonsIU=,tag:YM7H+B/IdFVkD5f519FOAg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/srv1/node2/secrets.yaml b/devices/srv1/node2/secrets.yaml index 967ed0a2..4ad735b1 100644 --- a/devices/srv1/node2/secrets.yaml +++ b/devices/srv1/node2/secrets.yaml @@ -1,6 +1,5 @@ xray-client: uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str] -wireguard: ENC[AES256_GCM,data:xoIm26btEBuHjgcIrB8gRHAaEdBq3/E5XtoF0YPxnSHB7k3GWJfAxeL4vrw=,iv:HuOFNUgGROF97beF6C4amspd+NV/2uO6OihNMz23hSY=,tag:YJjFM8mqYOuJEulpVHt8FA==,type:str] tinc: ENC[AES256_GCM,data:vDPVgWBFmzDvF98/oJvJ6Yj0rDkkTJGYYRJrLY454fzg4EOyGe4FwR1GgHqFeHo6e1Tk76K3odGiUGyOcWOtTCbEKKIli76/P9KCAY6sItTwc1xsPw540vIZXqFv0/lNladhgGznXKMQ4U9bzKuM+KcxmLlTE2QGJAhPeFox7OQmSYba3ww24+XXJaGWL1fZZaLFABZ56bTggNmY2z+orThg2i5yMrO5TjaGXMcFsFJg7A6HzDCv1TuBNRPTMeiWTYqSDFQGUcU=,iv:T25lfAmdpPz+mWJEPu/NK/2PFFP6jfphYTijjEg5o7Q=,tag:oTNOi81SZnsDEjZVTngoQw==,type:str] sops: age: 
@@ -22,7 +21,7 @@ sops: MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-07T13:10:56Z" - mac: ENC[AES256_GCM,data:crF192gxhvZj3qBHwnEf7g02tKHhYLEfFUL+KeMxVg1ADI8Dm1DmEkikgAqEbW3WQFxcHDKZWKaeBeEpjcUVrIwgwO0QWc+WchwEnUAvLO7yokE+ixWjDBLbuuWuNl7b2qYCds8BO6u+HTgSdaTDm8op01ateUwTrM4XBJXoztA=,iv:RZnyCv/kPz2Nw1/5w+YWXIwTVa4fEQZrzOffY+lczYQ=,tag:bB1AT3C4Gb19/wzzU+/pXQ==,type:str] + lastmodified: "2025-10-12T08:54:06Z" + mac: ENC[AES256_GCM,data:XUduuj65erI3cgddmtVLy5PnVPzqMk5y6ikpE38G+QwN+/ZdS5ZQ/FD/BWnXFohH6gk/ClBhS6EJO3G4e1J0yI1HngHjy6SN8Hpe9EmfxrQEyyEGb4/NS0vk0iMDr76nqlb7+dBreYdte/VQakOxvPHlMWYPZZ6oQvfx9k+Vsz8=,iv:uUiaNgfvKz1+5d0GHVFWEeAMM4kBKGON3xmTq8XDVeU=,tag:/3T1+DQHUWuONNBPFavIPQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/srv2/node0/secrets.yaml b/devices/srv2/node0/secrets.yaml index ddb6a0dd..da6c279c 100644 --- a/devices/srv2/node0/secrets.yaml +++ b/devices/srv2/node0/secrets.yaml @@ -1,6 +1,5 @@ xray-client: uuid: ENC[AES256_GCM,data:j2R0UtfS/es2A+Ic+Kq6FZJSqXlA/Q8tGkuAIX0ZdTsV4hGk,iv:Ovpr49isIJRdUyM3jxgiT+9Sc+qTF6ZnkKUwxIq6KUs=,tag:2VRSkiPNWaOmCqLJti8Bzw==,type:str] -wireguard: ENC[AES256_GCM,data:TEi3LAZA0BaPxeXA1yFMD6fQPRKSndVyAzNycCD/5CYXmNVyO7zv4o23ahg=,iv:tEKFPyuqmpsWf0vDoSaw4Ai6S5DzacZFA4otNgnknxY=,tag:qZJzr/Yyoex2hDfVtT6nYA==,type:str] mariadb: slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str] hpcstat: 
@@ -29,7 +28,7 @@ sops: M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-07T13:12:08Z" - mac: ENC[AES256_GCM,data:N4bro1QNf5LcBpLCMeKbWzB7dADpAP7my6B6rM/J4FkUeqal39REDuDVDq3QD3/bKew4ltfj8j/9tXbWAClq5l2P/1z4RJVqbranjEdBL3nwhYMcdG3jGmf/E1xRmYaIs5Lo9F7KY1yWyVmArfH+/enRMTNO3kvn4Zg22KsOfMY=,iv:ytX/k8Lnru71CftYREQYZ3hhmh1nKfJfuy2HD+bFaPk=,tag:SMfy7V9F9Ob+iwpyaTlYsw==,type:str] + lastmodified: "2025-10-12T08:53:38Z" + mac: ENC[AES256_GCM,data:65vJWsL3KDz200mYsRVgsXM1N1nm/m+fHdFKeVufm/Nr9zsB/Q9e3KVmrjQAKC7s/WYxOYc1IY3yI+bf5duJzYWeVMzLQb1BqYOV0/UhYsPPGVHMe85+daThufo6rAWgHVALu/rC9Lo01hMRL+VwFglfiStDOP38Greku+Z/ruk=,iv:6APK7Ar1xbYgMTKeiLE0BSY48oPWDCV0JD+19s4iAQI=,tag:wbBrvnQMrPzSPXAw0bIYHw==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/srv2/node1/secrets.yaml b/devices/srv2/node1/secrets.yaml index e2bb148a..c4c64f15 100644 --- a/devices/srv2/node1/secrets.yaml +++ b/devices/srv2/node1/secrets.yaml @@ -1,4 +1,3 @@ -wireguard: ENC[AES256_GCM,data:zfyNpCZ2EhQdsz+/vknjtbT1vMLebil1tarIcxLoUQ3J5XOKTCQBay4jBL8=,iv:tF6I5HHhDMfoGAfrtkmvrlqsSpX9YZL8dtzxAgBCp5c=,tag:DeOFwrIGbwVtf42iO1dm6g==,type:str] tinc: ENC[AES256_GCM,data:0fOvjy/b+87HS+bcNENY3jfxcxMLcjeQh/hT5HIUG2aCiTLbsmlqXTR9j18ZwcKAAEbzzDSonpPmQv/kGeMyvk9B4Q0En8FSdBaW5y5HQVLf32KlSoq8+MBRPTQREcHHMDZ/tQw02aAdq0jvYpHnFIKiqOZFfGhKo2oS12wxlR33n+zwqwyBu5quN0ynbwG+BMZua9uJrlsfFe8ttu5BHzl5xdCTVzmJ7vV7H1K7lJBwlDF62Rn6zsQV2uGaUew1ScephX/KC40=,iv:eA6YLGY+d4BldBAsqFsrrUiTY3Xa7eJ687C3gS7ofG0=,tag:40QXjFYc0ht7/OuIPDo1Wg==,type:str] sops: age: 
@@ -20,7 +19,7 @@ sops: c0I4VUdiZytoQWRsUUhBVStDR2VPT3MKDkDQ3sKJjotYUfoBWF85t3LYtz1OVFws 2IdtJBHISb5j3xnAs/UUHDPzjUUsgb+sTHm9krQy3LDuELNY6KGMPw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-07T13:12:57Z" - mac: ENC[AES256_GCM,data:dEAd/vpSY8gGbyQrvGfCe4Qhun2BjhpSZDjjxrOWWe29GkXHyMpdGf89hgeIO3V0lfoX3iipoWT2QSUxJDPK0szJY8W2U+hz2aIis9hqC1UKIggIJWxev2aV1kvVHx5xw7Hl6JLs1OBtpTZpXSV2ySVXc7U3OobituTpYdqXx58=,iv:mZBCqng0K1LuUjg6fEMeWYEJlbkNAnUaSgyyIWA/p9A=,tag:jVUmWteAHr0UhPXY47sMbw==,type:str] + lastmodified: "2025-10-12T08:53:30Z" + mac: ENC[AES256_GCM,data:+WZvi4HIk3P1ZKL5Bml4OgAsB4XdPVtlioVQYgaEGoTy/g3lqkCKRQok2ceQ85Mpj4NTf9PEK1Xlx8k07Mqrk51zINPNGOe2LCl233Wdbk9wCOOU3pdrj+Vj+zrd07P3KR/PVR79Mr/jrFgHRYKfdbGLOANyfDG3bUedTLLWcNw=,iv:oxpDJeSlGWl+331VJUyL+IaTezu1GPHJwo/8JKJ0+XA=,tag:fvT24Dtt1ECDCm5wJKWCwA==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/vps4/secrets.yaml b/devices/vps4/secrets.yaml index 77d9632b..c58c1ac0 100644 --- a/devices/vps4/secrets.yaml +++ b/devices/vps4/secrets.yaml 
@@ -39,7 +39,6 @@ xray-server: #ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment] user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str] private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str] -wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str] tinc: ENC[AES256_GCM,data:MO+GKj5Ma1weblDjViBXUR5JS8fKoc5XQp6jVimhgip1MiulkUTgJ0Z+ecazAdBh9WnaI65SnLMXLMzk5wiJfblE5KJ+UlSvn7TXKvFPoWw9WXsU96to7D+IZNAYRXj6eMJ6g9j/u01Q348s5F9RE30C9jtk2mwM1n8yyAP/BuwcyyVZK6jOwtE5zsZyinGzLTCyD8pZqhVQ63qdrNMAdvNowl38cVm5pKYsiZiU9r8fzQJXS+5R65rJPxNKJ9CYBI3ca8OGJbY=,iv:bJgHF4CFagARNXFvkNFznzyUit6LsO75RiDTxZGsmr0=,tag:zDX6N6tDoooRUmovhgKsZw==,type:str] sops: age: @@ -61,7 +60,7 @@ sops: Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/ 1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-05T21:10:30Z" - mac: ENC[AES256_GCM,data:yy+mbLJ0kjmNxonwFt1wxZck4AeCEKa8iW6JvhrDnCnvxvSw8DHRc5xvNT/m+lZemqVbkCy5ipnS72rHCf3V6kswdCvgIqhLK5ECkppHaeSr4M2n097Zf56o69S7BYw4MC0oQ8XNT322SHD0zyJCC2fE6Wgs7+PS89QczxO3ch8=,iv:H3fpKlJ7vS5kUow3zgqsF/9DZtsG+b3NpBcKUAjhVGo=,tag:/FhgegbibNY99CuANbSEsw==,type:str] + lastmodified: "2025-10-12T08:53:17Z" + mac: ENC[AES256_GCM,data:uJPxF01MX0WXrkSrjBY+GHM58gSZqKjs3777LNfou2VMfwWtmiEcOTrx+i9iWAWA1idnCoDfLy4EEIGo1EhLJBFcmMvSpoFBfJUvpTCefOLkTYW6J7AHI/Bd+aYK5UXYZxk4uoCURFt1inSCiDWAw2aQ+1g+j5a/HgRtTux9FEo=,iv:a/SuzpuHkq+D2tddrMaWjn1pLJJjpb2zzEbDkcVjH7o=,tag:+lq8vfZxBRmyG9U8KXTsHA==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 
diff --git a/devices/vps6/default.nix b/devices/vps6/default.nix
index c2cbaa42..19756697 100644
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -64,27 +64,24 @@ inputs:
 networking.nftables.tables.forward =
 {
 family = "inet";
- content =
- let
- srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0";
- in
- ''
- chain prerouting {
- type nat hook prerouting priority dstnat; policy accept;
- tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
- }
- chain output {
- type nat hook output priority dstnat; policy accept;
- # 需要忽略透明代理发出的流量(gid 不是 nginx)
- meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
- tcp dport 7011 fib daddr type local \
- counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
- }
- chain postrouting {
- type nat hook postrouting priority srcnat; policy accept;
- oifname wg0 meta mark & 4 == 4 counter masquerade
- }
- '';
+ content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "tinc0.srv2-node0"; in
+ ''
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+ }
+ chain output {
+ type nat hook output priority dstnat; policy accept;
+ # 需要忽略透明代理发出的流量(gid 不是 nginx)
+ meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
+ tcp dport 7011 fib daddr type local \
+ counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
+ }
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ oifname tinc0 meta mark & 4 == 4 counter masquerade
+ }
+ '';
 };
 };
 }
diff --git a/devices/vps6/secrets.yaml b/devices/vps6/secrets.yaml
index 98b1bb61..65524e27 100644
--- a/devices/vps6/secrets.yaml
+++ b/devices/vps6/secrets.yaml
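Review bot: The SNAT leg in `chain postrouting` is keyed on the hard-coded interface name `oifname tinc0`, while the DNAT target is resolved from the DNS config entry `tinc0.srv2-node0`; if either side is changed alone (interface renamed, srv2's address moved to another net), the DNAT still rewrites packets but they leave without masquerade and the 7011→22 forward breaks silently, because the only link between the two rules is the undocumented mark bit `| 4`. I would bind them in the `let`: `let iface = "tinc0"; srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "${iface}.srv2-node0"; in` and write `oifname ${iface}` in postrouting, plus a comment on the mark such as `# mark bit 4 = DNATed to srv2's SSH; postrouting masquerades these so replies return over the tunnel`. Note also that this rule publishes srv2's SSH on vps6's public port 7011, and the hop now rides tinc instead of WireGuard (the removed module had marked wg0 as a trusted interface), so it is worth confirming — not visible in this hunk — that tinc0 is still covered by the firewall's trusted-interface/forward policy and that srv2's sshd restricts authentication as before.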
@@ -43,7 +43,6 @@ send:
 redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
 coturn:
 auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
-wireguard: ENC[AES256_GCM,data:5M7EAy/6+2UASWkjxE0Jrxwl0aNdAVZaUjQnD1wU3YvOAQ/c2DSL8hVtKf8=,iv:a2tXFf1+aP0JhdNtzP8e82KJ71m2o8nx+G0wIx4VMig=,tag:l4TS4QBz2fIkC9/GnZgHnQ==,type:str]
 xray-xmu-client:
 cookie: ENC[AES256_GCM,data:RZ2WFnsX7s/PVqA7ZKhGqw==,iv:CknFoAcHIiIwJI1IEXkFdWXcOCAZr50pfwmQN72OI8o=,tag:w2pNU1APxlSQsGMIEdE2OA==,type:str]
 tinc: ENC[AES256_GCM,data:E3OrPA67R48x5FJUW0ZbERlclz8Z/XokAaGTeBQLPEHSeqEArHYSZkdJRZejFrBruJPlGZMPNBQzlIBXOfXKwMnlBDaGJIIJHIzPDGG9W7QF4IIRK/BjVZHFwfKvZtbUDGsqLcCSe5+ttmyucBaFGquXhnD/Tu09uyWtRvS10KAJLY0Z2/16CFB1+8egJIcYw2TFXObo+KR92Va0qwiDSepKaJtYLimDGRKk04QGj+BYa5y8PjIG6bz8UG82mmCiV7XM3EPlSMA=,iv:kawsklNGFbRhxKuUwvNL2WyBxuYu2T/uks1cJ4i8NhA=,tag:V+jAaxQX7JCiR5+wIVW4Nw==,type:str]
@@ -67,7 +66,7 @@ sops:
 ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
 ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-05T21:17:49Z"
- mac: ENC[AES256_GCM,data:Pp87u4oiU3gljDn9tg//eH2jyQA4CS9yog/ms/iDNO9Ov2T1Bw2Y1ImDjaTrk6pjsJflZin6T/FFb3t6mmjC2raHJy2iasu93/fWJDFeFr27SykRGgew4x9hOWFB3a1lXqlpARskerXhFIucLZVv0m1EMJJ9rBb1G6tPz/XreDE=,iv:Zeo1FrWAvICfY4j7wFgVfjryiiSYD2igXWOkpvwU1VI=,tag:kO3a0hcXS/Bzw7QqsyMiQA==,type:str]
+ lastmodified: "2025-10-12T08:53:02Z"
+ mac: ENC[AES256_GCM,data:Nx+PkDiF0Rz1jqO93ylzCPAWOFoc9KFnMGixcHgvzl+hvxFMHFEx0CzPceLGBLaz3s22nSL5PPq2k2fPJ1Yi9+kndWsTQuTu7gHQLABCriFysTshcOHd9m5/I8vgKHNaaYGOfDNjhji8xL/naSx2rpCyJDKSygRvfPvBaNdOYMg=,iv:VRIOc8eSWSZPveq2sbojNs2u9qEyOOoomhGE+Jwgnw4=,tag:xKdg4x/DWjktD0QZpycwGg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/flake/dns/config/chn.moe.nix b/flake/dns/config/chn.moe.nix
index 41e71249..ba0383b5 100644
--- a/flake/dns/config/chn.moe.nix
+++ b/flake/dns/config/chn.moe.nix
@@ -19,8 +19,8 @@ let
 "铜锣湾实验室"
 ];
 "xlog.autoroute" = [ "xlog" ];
- "wg0.srv1-node0" = [ "wg0.srv1" ];
- "wg0.srv2-node0" = [ "wg0.srv2" ];
+ "tinc0.srv1-node0" = [ "tinc0.srv1" ];
+ "tinc0.srv2-node0" = [ "tinc0.srv2" ];
 srv1-node0 = [ "srv1" ];
 srv2-node0 = [ "srv2" ];
 "tinc0.pc" = [ "nix-store" "chat" ];
@@ -41,7 +41,6 @@ let
 srv2-node1 = "192.168.178.2";
 "409test" = "192.168.1.5";
 };
- wireguard = import ./wireguard.nix;
 tinc = import ./tinc.nix;
 in
 {
@@ -76,15 +75,6 @@ in
 // builtins.listToAttrs (builtins.map (a: {inherit (a) name; value = { inherit (a) value; type = "A"; }; }) (localLib.attrsToList a))
-// builtins.listToAttrs (builtins.concatLists (builtins.map
- (net: builtins.map
- (peer:
- {
- name = "${net.name}.${peer.name}";
- value = { type = "A"; value = "192.168.${builtins.toString net.value}.${builtins.toString peer.value}"; };
- })
- (localLib.attrsToList wireguard.peer))
- (localLib.attrsToList wireguard.net)))
 // lib.mapAttrs' (n: v: lib.nameValuePair "tinc0.${n}" { type = "A"; value = "192.168.85.${builtins.toString v}"; }) tinc
diff --git a/flake/dns/config/wireguard.nix b/flake/dns/config/wireguard.nix
deleted file mode 100644
index c96959e3..00000000
--- a/flake/dns/config/wireguard.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- net = { wg0 = 83; wg1 = 84; };
- peer =
- {
- vps4 = 2;
- vps6 = 1;
- pc = 3;
- nas = 4;
- srv1-node0 = 9;
- srv1-node1 = 6;
- srv1-node2 = 8;
- srv2-node0 = 7;
- srv2-node1 = 10;
- };
-}
diff --git a/flake/dns/default.nix b/flake/dns/default.nix
index 5a091bf1..2a797f35 100644
--- a/flake/dns/default.nix
+++ b/flake/dns/default.nix
@@ -15,7 +15,6 @@ let
 };
 meta.config = config //
 {
- wireguard = import ./config/wireguard.nix;
 tinc = import ./config/tinc.nix;
 "chn.moe" = config."chn.moe" //
 {
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
deleted file mode 100644
index 7ade84f0..00000000
--- a/modules/services/wireguard.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-inputs:
-{
- options.nixos.services.wireguard = let inherit (inputs.lib) mkOption types; in mkOption
- {
- type = types.attrsOf (types.submodule (submoduleInputs: { options =
- {
- # wireguard 接口的 ip,不是 wireguard 监听的 ip(它实际上监听所有 ip)
- ip = mkOption { type = types.str; };
- # wireguard 接口的网段
- netmask = mkOption { type = types.int; default = 24; };
- # 设置 wireguard 监听的端口,如果不设置则随机,同时不开放防火墙
- listenPort = mkOption { type = types.nullOr types.int; default = null; };
- peer = mkOption { type = types.attrsOf (types.submodule { options =
- {
- publicKey = mkOption { type = types.nonEmptyStr; };
- endpoint = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
- allowedIPs = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
- };});};
- };}));
- default = {};
- };
- config = let inherit (inputs.config.nixos.services) wireguard; in inputs.lib.mkIf (wireguard != {})
- {
- networking = inputs.lib.mkMerge (builtins.map
- (wg:
- {
- firewall =
- {
- allowedUDPPorts = inputs.lib.mkIf (wg.value.listenPort != null) [ wg.value.listenPort ];
- trustedInterfaces = [ wg.name ];
- };
- wireguard.interfaces.${wg.name} =
- {
- inherit (wg.value) listenPort;
- ips = [ "${wg.value.ip}/${builtins.toString wg.value.netmask}" ];
- privateKeyFile = inputs.config.nixos.system.sops.secrets.wireguard.path;
- peers = builtins.map
- (peer:
- {
- inherit (peer) name;
- inherit (peer.value) publicKey allowedIPs endpoint;
- persistentKeepalive = if peer.value.endpoint != null then 10 else null;
- })
- (inputs.localLib.attrsToList wg.value.peer);
- };
- })
- (inputs.localLib.attrsToList wireguard));
- nixos.system.sops.secrets.wireguard = {};
- };
-}
diff --git a/modules/user/chn/ssh.nix b/modules/user/chn/ssh.nix
index 4779c764..3e9b77e7 100644
--- a/modules/user/chn/ssh.nix
+++ b/modules/user/chn/ssh.nix
@@ -13,7 +13,7 @@ inputs:
 xmuhk = { host = "xmuhk"; hostname = "10.26.14.64"; user = "xmuhk"; };
 xmuhk2 = { host = "xmuhk2"; hostname = "183.233.219.132"; user = "xmuhk"; port = 62022; };
 jykang.setEnv.TERM = "chn_unset_ls_colors:chn_cd:linwei/chn:xterm-256color";
- "wg0.jykang" = jykang;
+ "tinc0.jykang" = jykang;
 };
 extraConfig = inputs.lib.mkIf inputs.config.nixos.model.private ''