mirror of
https://github.com/CHN-beta/nixos.git
synced 2026-01-12 01:55:22 +08:00
modules.services.wireguard: drop
This commit is contained in:
@@ -55,9 +55,6 @@ in
|
||||
hostNames =
|
||||
# 直接访问
|
||||
[ "${device.name}.chn.moe" ]
|
||||
# 通过 wirewireguard 访问
|
||||
++ (builtins.map (net: "${net}.${device.name}.chn.moe")
|
||||
(builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net))
|
||||
# 通过 tinc 访问
|
||||
++ (builtins.map (net: "tinc0.${device.name}.chn.moe")
|
||||
(builtins.attrNames inputs.topInputs.self.config.dns.tinc))
|
||||
@@ -91,18 +88,6 @@ in
|
||||
})
|
||||
((device.value.extraAccess or []) ++ [ device.name ]))
|
||||
(inputs.localLib.attrsToList devices))
|
||||
# 通过 wireguard 访问
|
||||
(builtins.concatLists (builtins.map
|
||||
(net: builtins.map
|
||||
(device: builtins.map
|
||||
(name:
|
||||
{
|
||||
name = "${net}.${name}";
|
||||
value = genericConfig // { host = "${net}.${name}"; hostname = "${net}.${name}.chn.moe"; };
|
||||
})
|
||||
((device.value.extraAccess or []) ++ [ device.name ]))
|
||||
(inputs.localLib.attrsToList devices))
|
||||
(builtins.attrNames inputs.topInputs.self.config.dns.wireguard.net)))
|
||||
# 通过 tinc 访问
|
||||
(builtins.map
|
||||
(device: builtins.map
|
||||
|
||||
@@ -1,213 +0,0 @@
|
||||
inputs:
|
||||
let
|
||||
publicKey =
|
||||
{
|
||||
vps4 = "sUB97q3lPyGkFqPmjETzDP71J69ZVfaUTWs85+HA12g=";
|
||||
vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
|
||||
pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
|
||||
nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
|
||||
srv1-node0 = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
|
||||
srv1-node1 = "wyNONnJF2WHykaHsQIV4gNntOaCsdTfi7ysXDsR2Bww=";
|
||||
srv1-node2 = "zWvkVyJwtQhwmxM2fHwNDnK+iwYm1O0RHrwCQ/VXdEo=";
|
||||
srv2-node0 = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
|
||||
srv2-node1 = "wc+DkY/WlGkLeI8cMcoRHcCcITNqX26P1v5JlkQwWSc=";
|
||||
};
|
||||
dns = inputs.topInputs.self.config.dns.wireguard;
|
||||
inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress;
|
||||
listenPort =
|
||||
{
|
||||
wg0 = builtins.listToAttrs (builtins.map
|
||||
(name: inputs.lib.nameValuePair name 51820)
|
||||
(builtins.attrNames publicKey));
|
||||
wg1 = builtins.listToAttrs (builtins.map
|
||||
(name: inputs.lib.nameValuePair name (51820 + dns.peer.${name}))
|
||||
(builtins.attrNames publicKey));
|
||||
};
|
||||
subnet = # 设备之间可以直接连接的子网。若一个设备可以主动接受连接,则设置它接受连接的 ip;否则设置为 null
|
||||
{
|
||||
wg0 =
|
||||
[
|
||||
# 所有设备都可以连接到公网,但只有有公网 ip 的设备可以接受连接
|
||||
(builtins.listToAttrs
|
||||
(
|
||||
(builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "vps4" "vps6" ])
|
||||
++ (builtins.map
|
||||
(n: { name = n; value = null; })
|
||||
(inputs.lib.subtractLists [ "vps4" "vps6" ] (builtins.attrNames publicKey)))
|
||||
))
|
||||
];
|
||||
wg1 =
|
||||
[
|
||||
# 所有设备都可以连接到公网,但只有有公网 ip 的设备可以接受连接
|
||||
(builtins.listToAttrs
|
||||
(
|
||||
(builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "vps4" "vps6" ])
|
||||
++ (builtins.map (n: inputs.lib.nameValuePair n null) [ "pc" "nas" "srv1-node0" "srv2-node0" ])
|
||||
))
|
||||
# 校内网络
|
||||
(builtins.listToAttrs
|
||||
(
|
||||
(builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "srv1-node0" "srv2-node0" ])
|
||||
++ (builtins.map (n: inputs.lib.nameValuePair n null) [ "pc" "nas" ])
|
||||
))
|
||||
# 办公室或者宿舍局域网
|
||||
(builtins.listToAttrs (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "pc" "nas" ]))
|
||||
# 集群内部网络
|
||||
(builtins.listToAttrs (builtins.map
|
||||
(n: inputs.lib.nameValuePair "srv1-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}")
|
||||
(builtins.genList (n: n) 3)))
|
||||
(builtins.listToAttrs (builtins.map
|
||||
(n: inputs.lib.nameValuePair "srv2-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}")
|
||||
(builtins.genList (n: n) 2)))
|
||||
];
|
||||
};
|
||||
# 给定起止点,返回最短路径的第一跳的目的地
|
||||
# 如果两个设备不能连接,返回 null;
|
||||
# 如果可以直接、主动连接,返回 { address = xx; port = xx; };如果可以直接连接但是被动连接,返回 { address = null; };
|
||||
# 如果需要中转,返回 { jump = 下一跳; }
|
||||
connection =
|
||||
let
|
||||
# 将给定子网翻译成一列边,返回 [{ dev1 = null or ip; dev2 = null or ip; }]
|
||||
# 边中至少有一个端点是可以接受连接的
|
||||
netToEdges = subnet:
|
||||
let devWithAddress = builtins.filter (n: subnet.${n} != null) (builtins.attrNames subnet);
|
||||
in inputs.lib.unique (builtins.concatLists (builtins.map
|
||||
(dev1: builtins.map
|
||||
(dev2: { "${dev1}" = subnet."${dev1}"; "${dev2}" = subnet."${dev2}"; })
|
||||
(inputs.lib.remove dev1 (builtins.attrNames subnet)))
|
||||
devWithAddress));
|
||||
# 在一个图中加入一个边
|
||||
# current 的结构是:from.to = null or { address = xxx or null; length = l; jump = ""; }
|
||||
addEdge = current: newEdge: builtins.mapAttrs
|
||||
(nameFrom: valueFrom: builtins.mapAttrs
|
||||
(nameTo: valueTo:
|
||||
# 不处理自己到自己的路
|
||||
if nameFrom == nameTo then null
|
||||
# 如果要加入的边包含起点
|
||||
else if newEdge ? "${nameFrom}" then
|
||||
# 如果要加入的边包含终点,那么这两个点可以直连
|
||||
if newEdge ? "${nameTo}"
|
||||
then { address = newEdge.${nameTo}; length = 1; }
|
||||
else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge)); in
|
||||
# 如果边的另外一个点到终点可以连接
|
||||
if current.${edgePoint2}.${nameTo} != null then
|
||||
# 如果之前不能连接,则使用新的连接
|
||||
if current.${nameFrom}.${nameTo} == null then
|
||||
{ jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
|
||||
# 如果之前可以连接,且新连接更短,同样更新连接
|
||||
else if current.${nameFrom}.${nameTo}.length > 1 + current.${edgePoint2}.${nameTo}.length then
|
||||
{ jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
|
||||
# 否则,不更新连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 否则,不更新连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 如果要加入的边包不包含起点但包含终点
|
||||
else if newEdge ? "${nameTo}" then
|
||||
let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge)); in
|
||||
# 如果起点与另外一个点可以相连
|
||||
if current.${nameFrom}.${edgePoint2} != null then
|
||||
# 如果之前不能连接,则使用新的连接
|
||||
if current.${nameFrom}.${nameTo} == null then
|
||||
{
|
||||
jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
|
||||
length = current.${nameFrom}.${edgePoint2}.length + 1;
|
||||
}
|
||||
# 如果之前可以连接,且新连接更短,同样更新连接
|
||||
else if current.${nameFrom}.${nameTo}.length > current.${nameFrom}.${edgePoint2}.length + 1 then
|
||||
{
|
||||
jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
|
||||
length = current.${nameFrom}.${edgePoint2}.length + 1;
|
||||
}
|
||||
# 否则,不更新连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 如果起点与另外一个点不可以相连,则不改变连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 如果要加入的边不包含起点和终点
|
||||
else
|
||||
let
|
||||
edgePoints = builtins.attrNames newEdge;
|
||||
p1 = builtins.elemAt edgePoints 0;
|
||||
p2 = builtins.elemAt edgePoints 1;
|
||||
in
|
||||
# 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接
|
||||
if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then
|
||||
# 如果之前不能连接,则新连接必然是唯一的连接,使用新连接
|
||||
if current.${nameFrom}.${nameTo} == null then
|
||||
{
|
||||
jump = current.${nameFrom}.${p1}.jump or p1;
|
||||
length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
|
||||
}
|
||||
# 如果之前可以连接,那么反过来一定也能连接,选取三种连接中最短的
|
||||
else builtins.head (inputs.lib.sort
|
||||
(a: b: if a == null then false else if b == null then true else a.length < b.length)
|
||||
[
|
||||
# 原先的连接
|
||||
current.${nameFrom}.${nameTo}
|
||||
# 正着连接
|
||||
{
|
||||
jump = current.${nameFrom}.${p1}.jump or p1;
|
||||
length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
|
||||
}
|
||||
# 反着连接
|
||||
{
|
||||
jump = current.${nameFrom}.${p2}.jump or p2;
|
||||
length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
|
||||
}
|
||||
])
|
||||
# 如果正着不能连接、反过来可以连接,那么反过来连接一定是唯一的通路,使用反向的连接
|
||||
else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then
|
||||
{
|
||||
jump = current.${nameFrom}.${p2}.jump or p2;
|
||||
length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
|
||||
}
|
||||
# 如果正着连接、反向连接都不行,那么就不更新连接
|
||||
else current.${nameFrom}.${nameTo})
|
||||
valueFrom)
|
||||
current;
|
||||
# 初始时,所有点之间都不连接
|
||||
init = builtins.listToAttrs (builtins.map
|
||||
(dev1:
|
||||
{
|
||||
name = dev1;
|
||||
value = builtins.listToAttrs (builtins.map
|
||||
(dev2: { name = dev2; value = null; })
|
||||
(builtins.attrNames publicKey));
|
||||
})
|
||||
(builtins.attrNames publicKey));
|
||||
in builtins.mapAttrs (_: v: builtins.foldl' addEdge init (builtins.concatLists (builtins.map netToEdges v))) subnet;
|
||||
networks = builtins.mapAttrs
|
||||
(n: v: builtins.listToAttrs (builtins.map
|
||||
(deviceName: inputs.lib.nameValuePair deviceName
|
||||
{
|
||||
ip = "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${deviceName}}";
|
||||
listenPort = listenPort.${n}.${deviceName};
|
||||
peer = builtins.listToAttrs (builtins.concatLists (builtins.map
|
||||
(peerName:
|
||||
# 如果不能直连,就不用加 peer
|
||||
inputs.lib.optionals (v.${deviceName}.${peerName} ? address)
|
||||
[{
|
||||
name = peerName;
|
||||
value =
|
||||
{
|
||||
publicKey = publicKey.${peerName};
|
||||
allowedIPs =
|
||||
[ "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${peerName}}" ]
|
||||
++ builtins.map
|
||||
(destination:
|
||||
"192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${destination}}")
|
||||
(builtins.filter
|
||||
(destination: v.${deviceName}.${destination}.jump or null == peerName)
|
||||
(builtins.attrNames publicKey));
|
||||
}
|
||||
// inputs.lib.optionalAttrs (v.${deviceName}.${peerName}.address != null)
|
||||
{
|
||||
endpoint = "${v.${deviceName}.${peerName}.address}:"
|
||||
+ builtins.toString (listenPort.${n}.${peerName});
|
||||
};
|
||||
}])
|
||||
(inputs.lib.remove deviceName (builtins.attrNames publicKey))));
|
||||
})
|
||||
(builtins.attrNames publicKey))
|
||||
)
|
||||
connection;
|
||||
in { config.nixos.services.wireguard = builtins.mapAttrs (_: v: v.${inputs.config.nixos.model.hostname}) networks; }
|
||||
@@ -1,6 +1,5 @@
|
||||
xray-client:
|
||||
uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:JaOSq474mGOoQQcdJ/j9fYo2e1vjXMPxJ69TOd079FrSkbzbIteWww5f8Xo=,iv:uy/NC2+tibL61XJDZK/spKjV9u0oXK4YzjFjYmCAL0k=,tag:en+c8cHaPvDqJL+EpQjr0g==,type:str]
|
||||
xray-xmu-server: ENC[AES256_GCM,data:3O5rFi5szla70M/c62JV4nGWKPSOREImrOucjeVYf9bde6K8,iv:PGCqlmHtaNuWOtAAeJ6O+CWFpMszijozU1OpUFrftjs=,tag:iGTOoNvQhhZy2FL9jy1KIQ==,type:str]
|
||||
xray-server:
|
||||
clients:
|
||||
@@ -100,7 +99,7 @@ sops:
|
||||
by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
|
||||
kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-08T06:03:10Z"
|
||||
mac: ENC[AES256_GCM,data:mbIk6yeeCuf6lbS8oLuHly7Gpa4QrsHeWJatHGRQJSbZAZYRivw6TGx43LNY0JC8ITe8Lv5pYZt6EdZtxHQhoxy1rPdZu57L4QrI9bzkf1nmZPhnRRRnBL6YJMFjDQKjbKwDgHy27sUUysVnTwam+f9Ygt4LnUyCpLcGScLztOY=,iv:l87rl+wJvQ182hII21v/r4EfV9FCJ47RTiERLW79fr0=,tag:ZhJVWn2sstbCdi2tqW5rIg==,type:str]
|
||||
lastmodified: "2025-10-12T08:53:54Z"
|
||||
mac: ENC[AES256_GCM,data:BmUcsv1AFkmIYdrYsYcjZExdyIfbAK+RHeIgaHvvgaGNxl3LxaS04CIwTB7HKA2vl87V+1Z2I/pGdEgE+KcUxl1RaRhGDTjkJeoxubSnwnhPb7B1WAb18MXXD5LiMUZzoGoMcqRTbkBIX9JJHcrdiKuSiXuyn6HbP/9g50unr2w=,iv:XMWqHOtodBX8UvPfGhoSt08gbacabzEJ59r4qrPOx2s=,tag:/dEIE5lMG1J54cIVB2Impg==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -6,7 +6,6 @@ postgresql:
|
||||
misskey_misskey: ENC[AES256_GCM,data:MSDbQffk/WjZ6EYiwVuUMdhdv9VE59ZM7t4XldOKRO0=,iv:J/x9t4Pk5zi7Av9fbzxgAbbtbEUZttSx/JGRmmgmvE4=,tag:CwFR9K++T7YqYR932z3IAg==,type:str]
|
||||
redis:
|
||||
misskey-misskey: ENC[AES256_GCM,data:vcvQ/hs/F3BZd1sfvWwfEeB8vVoqdnprxobcmL6xsmg=,iv:S32yrjrjj56HbxTlfFGjOb+sO2M9KKEDEazCrpQWj6Q=,tag:iwnvqwQEdd6jicx9jJBdbg==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:9QoVM69efr3+UGEo/GPY6IBBxfcqE+3erRTrqSdeTf4XziVMlzWTMdhV9jU=,iv:3abQtZ8cpejqXsJPx6SvSS2cXAKMDkEKEhl9LE319RQ=,tag:1uBPK/0VLPPMzj4rl+iQMQ==,type:str]
|
||||
mariadb:
|
||||
slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str]
|
||||
nix:
|
||||
@@ -40,7 +39,7 @@ sops:
|
||||
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
|
||||
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-08T06:03:40Z"
|
||||
mac: ENC[AES256_GCM,data:NyveggH8M3ZKzSXlkwwPF7n1G6nUVQJ0yKj5NR6wPboO0Qq1En5AaxvuX0unswM6elPAcCDmV3j5hKgKuU5tPm5yVmfBxXNPVjCtbw4L3faoKefFqeoo6kVeOhvzhj68jYlJXGf/SKyG725mQHWBGpg7C1LOoqHQkzBysqgWUmw=,iv:iDHU1iVvVf6L+PCMlrbvKB87PmeSAr4jxARB9n7NlSc=,tag:qdaS8D7b5IB2hoNGYia4EA==,type:str]
|
||||
lastmodified: "2025-10-12T08:54:46Z"
|
||||
mac: ENC[AES256_GCM,data:WDImciB99J8YKHGUljCX0ZgaFdKyIm8N5jcItRtF53vOCejsKIRaOUKiqxCdWmDqdLW1V+osmVn0k0b1+GDp6MJ7yB1p8RftwyBoC7CNErld3HNcfc4nElYAvTCxqR9QOHDGmZCEw9e94tTHvs7TYxnFaFXg8iBjDgZwTpz6ZSU=,iv:Z+WT6Dtx9PZjPtYhwm6MbTw87S3aKqJ+LSw6aSN4/K0=,tag:x+tWUCQouFEFtBO1+8TKjQ==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
wireguard: ENC[AES256_GCM,data:B5YdOhpXruQY1Hqb7hpIyPZinSNG+Ub/jE2/hiwZT2WCHjT6Ujz/W8eKbuk=,iv:XcfZb34SjYEsxvo6HEGCd7wy0dsrNIEJ0bORznZZceA=,tag:uFlbepSwch2wJCRITlVNTA==,type:str]
|
||||
xray-client:
|
||||
uuid: ENC[AES256_GCM,data:6JzTyJ+GVzLd0jWfvCc2dBdBVWz6RFH/8Gr73TNz6dNCyQjG,iv:ddGpYbIHN9PV3w6Oh65vEvv82jTChxgMdltIRPz++DY=,tag:nbFFk3S/y0hS3NFWGLPVJQ==,type:str]
|
||||
mariadb:
|
||||
@@ -24,7 +23,7 @@ sops:
|
||||
OThDMWRsWnVTbzRGTTZqSDBkNWZJMlEKdQ/ipO7O5OvaGa81c2P7fi1ncufueSzX
|
||||
2njlHHz1gJCtjpktYaVvS6KSYtJoI9oNrF0YN5D/3kKW8TicsSGKaA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-07T13:08:43Z"
|
||||
mac: ENC[AES256_GCM,data:sUwS3uRtsxBfQbP3irw6KUih4llj8snqbq70BJblVG3MgdNuPtiUpyp3DShQ6BWRUHXYsS+fGVhM5dTFDalxKis0eP0tzUl6TaVLiDZ0TOJ3hco++owgwQEB/TD/3efGm3jqkrYht8yzSF1fe8ySqtQAR6dqdDpECeBWbHlr9EQ=,iv:Brq52ofx7+VBpng4ebwX1pEB68x2RJVKiOnXKtW7IIE=,tag:Z9p3sa7Y8VLAiZwOPoSXXA==,type:str]
|
||||
lastmodified: "2025-10-12T08:54:25Z"
|
||||
mac: ENC[AES256_GCM,data:FqqrUai8MNxO6gPQnRNqoROdQPiPnh42ixQgkWJxeBK3dnvNGCNAWtfUopnup6Qo0TcmAEQ38rmYFZbGlFLKMon0atov3tFmyvIAbOhHDnWxp+bTGDJJjw9Xs3vd4Yukd2ag2cgyS5hV9xO0N825oT3mzJFo6g8CukBLF3BH+kQ=,iv:3sfhIcSNVZsPw3tbyOjNi04NWpV+Nunx4i8d/RIsXtE=,tag:03Kx+HQ4uSR5QxBlBqc9Dw==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
wireguard: ENC[AES256_GCM,data:D4ukKVu4yn3hS3AZJqt3XTgZNbt44Vyiu6I5lCNw9c/VEqXBx3GDlKdcVPY=,iv:S1S0sU0vQcTahFI+GyBz1n/0LVsK3ImFDuLtuQxmgik=,tag:oZ1NWOCcsRb+kjfq/LcL2w==,type:str]
|
||||
tinc: ENC[AES256_GCM,data:s/mcjWKxEp8f6OgAUqkHg8IHA/coBtht20pqSdwGp9OBRta64xyzszeS6o8uW1cV65vm1qQR9XkC7nmBx7F9RAZpMwEYh3anAfzWvL1dd6nNl9NLaz9eqrRGJJH4lyMAmErQRF6epEe2Z0kfs3icsZJ3p8rmWSHjIETFR+pQvepTzLXfz7mi3EftqFxK6o5LXe6t2df7PD5q7x8loB7eu4Qyh14NrklgMifmGoNBsGdIBAiqbZ+3xMt2VgEk4wc7X2ZmBJFx19U=,iv:343e5eRAGxwhb4ITadyKJOcvCnLp5emgz737kBmYlig=,tag:O/cwMZJofSKxMhzFMBV+Mg==,type:str]
|
||||
sops:
|
||||
age:
|
||||
@@ -20,7 +19,7 @@ sops:
|
||||
cWpEMWU1TjZKbnFTWm4xY2QwdWx3aFkK0O6p2piq8RKOcSTT49i0pnlt+gOk+QMF
|
||||
r+EJU0zobWwe3PrDg8jjw5HpMxrpDzHcD0XMnVQW0Fd9pn6n4VfpUw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-07T13:09:59Z"
|
||||
mac: ENC[AES256_GCM,data:cDQL6aWOIIJc8Bhh/RBt50ZYi2Cb1xJpysBvWBvkFYgO31o+vx0hE7L3Od8clN1UcAXQ+4C1GMRpchtqzZgAC9ycA+/4UICQhE1Tv1lgmzsWE309SN7b1I38b/kOCABR4M2nQYgztq0IXO37Qo7BoR4xY/ozq55xIVDFrSwF3z0=,iv:vb6Y0ErWKAWOA7GCR0C1o38p2tJVG5q5ufVE90wfhdo=,tag:b6rZlyNaKPnc9GUv7++Gvg==,type:str]
|
||||
lastmodified: "2025-10-12T08:54:16Z"
|
||||
mac: ENC[AES256_GCM,data:Vk9TJgMM41NhB9XEzBRNuUxZ+pIdFTS4/9VoeBjVB8nMtRb0ZmjB9CTmYGXGxFfB/dg63qmXGfQITgKmtANXiQpMHXYdHw1xnEOTtlTa/ndp3xszVxAEBBhsVlAiXSYmAxKFtIw6W2Erpz1cFhkC0XjlE8/EGe1Srbre0JCzbCA=,iv:pmd1ZM0nhDyNZ6eiNkFEDX5Z0XRSbg2fAPEW6EonsIU=,tag:YM7H+B/IdFVkD5f519FOAg==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
xray-client:
|
||||
uuid: ENC[AES256_GCM,data:U+unsiKt9vNo/EXEpLHR0Ny3DxQEwx7a40KmwZDZki7RQEuM,iv:7w90HNM5lfh2VY20AcUEVdu5X2uxqXxR0hARncmMR60=,tag:xIbKc+9SF5LP/tY/XoGYxA==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:xoIm26btEBuHjgcIrB8gRHAaEdBq3/E5XtoF0YPxnSHB7k3GWJfAxeL4vrw=,iv:HuOFNUgGROF97beF6C4amspd+NV/2uO6OihNMz23hSY=,tag:YJjFM8mqYOuJEulpVHt8FA==,type:str]
|
||||
tinc: ENC[AES256_GCM,data:vDPVgWBFmzDvF98/oJvJ6Yj0rDkkTJGYYRJrLY454fzg4EOyGe4FwR1GgHqFeHo6e1Tk76K3odGiUGyOcWOtTCbEKKIli76/P9KCAY6sItTwc1xsPw540vIZXqFv0/lNladhgGznXKMQ4U9bzKuM+KcxmLlTE2QGJAhPeFox7OQmSYba3ww24+XXJaGWL1fZZaLFABZ56bTggNmY2z+orThg2i5yMrO5TjaGXMcFsFJg7A6HzDCv1TuBNRPTMeiWTYqSDFQGUcU=,iv:T25lfAmdpPz+mWJEPu/NK/2PFFP6jfphYTijjEg5o7Q=,tag:oTNOi81SZnsDEjZVTngoQw==,type:str]
|
||||
sops:
|
||||
age:
|
||||
@@ -22,7 +21,7 @@ sops:
|
||||
MVU1UW9lWFJnSTE2aC9ZL0huYURUK3MK5U4cLWRMm+FFo8ATE/OoAcHzYHFMpOtV
|
||||
Q5kbq5PDMdp4qvoM3T4kLsB34oU55HjFvac0pilOhNRrz4xRMQgvoQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-07T13:10:56Z"
|
||||
mac: ENC[AES256_GCM,data:crF192gxhvZj3qBHwnEf7g02tKHhYLEfFUL+KeMxVg1ADI8Dm1DmEkikgAqEbW3WQFxcHDKZWKaeBeEpjcUVrIwgwO0QWc+WchwEnUAvLO7yokE+ixWjDBLbuuWuNl7b2qYCds8BO6u+HTgSdaTDm8op01ateUwTrM4XBJXoztA=,iv:RZnyCv/kPz2Nw1/5w+YWXIwTVa4fEQZrzOffY+lczYQ=,tag:bB1AT3C4Gb19/wzzU+/pXQ==,type:str]
|
||||
lastmodified: "2025-10-12T08:54:06Z"
|
||||
mac: ENC[AES256_GCM,data:XUduuj65erI3cgddmtVLy5PnVPzqMk5y6ikpE38G+QwN+/ZdS5ZQ/FD/BWnXFohH6gk/ClBhS6EJO3G4e1J0yI1HngHjy6SN8Hpe9EmfxrQEyyEGb4/NS0vk0iMDr76nqlb7+dBreYdte/VQakOxvPHlMWYPZZ6oQvfx9k+Vsz8=,iv:uUiaNgfvKz1+5d0GHVFWEeAMM4kBKGON3xmTq8XDVeU=,tag:/3T1+DQHUWuONNBPFavIPQ==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
xray-client:
|
||||
uuid: ENC[AES256_GCM,data:j2R0UtfS/es2A+Ic+Kq6FZJSqXlA/Q8tGkuAIX0ZdTsV4hGk,iv:Ovpr49isIJRdUyM3jxgiT+9Sc+qTF6ZnkKUwxIq6KUs=,tag:2VRSkiPNWaOmCqLJti8Bzw==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:TEi3LAZA0BaPxeXA1yFMD6fQPRKSndVyAzNycCD/5CYXmNVyO7zv4o23ahg=,iv:tEKFPyuqmpsWf0vDoSaw4Ai6S5DzacZFA4otNgnknxY=,tag:qZJzr/Yyoex2hDfVtT6nYA==,type:str]
|
||||
mariadb:
|
||||
slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
|
||||
hpcstat:
|
||||
@@ -29,7 +28,7 @@ sops:
|
||||
M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
|
||||
LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-07T13:12:08Z"
|
||||
mac: ENC[AES256_GCM,data:N4bro1QNf5LcBpLCMeKbWzB7dADpAP7my6B6rM/J4FkUeqal39REDuDVDq3QD3/bKew4ltfj8j/9tXbWAClq5l2P/1z4RJVqbranjEdBL3nwhYMcdG3jGmf/E1xRmYaIs5Lo9F7KY1yWyVmArfH+/enRMTNO3kvn4Zg22KsOfMY=,iv:ytX/k8Lnru71CftYREQYZ3hhmh1nKfJfuy2HD+bFaPk=,tag:SMfy7V9F9Ob+iwpyaTlYsw==,type:str]
|
||||
lastmodified: "2025-10-12T08:53:38Z"
|
||||
mac: ENC[AES256_GCM,data:65vJWsL3KDz200mYsRVgsXM1N1nm/m+fHdFKeVufm/Nr9zsB/Q9e3KVmrjQAKC7s/WYxOYc1IY3yI+bf5duJzYWeVMzLQb1BqYOV0/UhYsPPGVHMe85+daThufo6rAWgHVALu/rC9Lo01hMRL+VwFglfiStDOP38Greku+Z/ruk=,iv:6APK7Ar1xbYgMTKeiLE0BSY48oPWDCV0JD+19s4iAQI=,tag:wbBrvnQMrPzSPXAw0bIYHw==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
wireguard: ENC[AES256_GCM,data:zfyNpCZ2EhQdsz+/vknjtbT1vMLebil1tarIcxLoUQ3J5XOKTCQBay4jBL8=,iv:tF6I5HHhDMfoGAfrtkmvrlqsSpX9YZL8dtzxAgBCp5c=,tag:DeOFwrIGbwVtf42iO1dm6g==,type:str]
|
||||
tinc: ENC[AES256_GCM,data:0fOvjy/b+87HS+bcNENY3jfxcxMLcjeQh/hT5HIUG2aCiTLbsmlqXTR9j18ZwcKAAEbzzDSonpPmQv/kGeMyvk9B4Q0En8FSdBaW5y5HQVLf32KlSoq8+MBRPTQREcHHMDZ/tQw02aAdq0jvYpHnFIKiqOZFfGhKo2oS12wxlR33n+zwqwyBu5quN0ynbwG+BMZua9uJrlsfFe8ttu5BHzl5xdCTVzmJ7vV7H1K7lJBwlDF62Rn6zsQV2uGaUew1ScephX/KC40=,iv:eA6YLGY+d4BldBAsqFsrrUiTY3Xa7eJ687C3gS7ofG0=,tag:40QXjFYc0ht7/OuIPDo1Wg==,type:str]
|
||||
sops:
|
||||
age:
|
||||
@@ -20,7 +19,7 @@ sops:
|
||||
c0I4VUdiZytoQWRsUUhBVStDR2VPT3MKDkDQ3sKJjotYUfoBWF85t3LYtz1OVFws
|
||||
2IdtJBHISb5j3xnAs/UUHDPzjUUsgb+sTHm9krQy3LDuELNY6KGMPw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-07T13:12:57Z"
|
||||
mac: ENC[AES256_GCM,data:dEAd/vpSY8gGbyQrvGfCe4Qhun2BjhpSZDjjxrOWWe29GkXHyMpdGf89hgeIO3V0lfoX3iipoWT2QSUxJDPK0szJY8W2U+hz2aIis9hqC1UKIggIJWxev2aV1kvVHx5xw7Hl6JLs1OBtpTZpXSV2ySVXc7U3OobituTpYdqXx58=,iv:mZBCqng0K1LuUjg6fEMeWYEJlbkNAnUaSgyyIWA/p9A=,tag:jVUmWteAHr0UhPXY47sMbw==,type:str]
|
||||
lastmodified: "2025-10-12T08:53:30Z"
|
||||
mac: ENC[AES256_GCM,data:+WZvi4HIk3P1ZKL5Bml4OgAsB4XdPVtlioVQYgaEGoTy/g3lqkCKRQok2ceQ85Mpj4NTf9PEK1Xlx8k07Mqrk51zINPNGOe2LCl233Wdbk9wCOOU3pdrj+Vj+zrd07P3KR/PVR79Mr/jrFgHRYKfdbGLOANyfDG3bUedTLLWcNw=,iv:oxpDJeSlGWl+331VJUyL+IaTezu1GPHJwo/8JKJ0+XA=,tag:fvT24Dtt1ECDCm5wJKWCwA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -39,7 +39,6 @@ xray-server:
|
||||
#ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment]
|
||||
user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str]
|
||||
private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str]
|
||||
tinc: ENC[AES256_GCM,data:MO+GKj5Ma1weblDjViBXUR5JS8fKoc5XQp6jVimhgip1MiulkUTgJ0Z+ecazAdBh9WnaI65SnLMXLMzk5wiJfblE5KJ+UlSvn7TXKvFPoWw9WXsU96to7D+IZNAYRXj6eMJ6g9j/u01Q348s5F9RE30C9jtk2mwM1n8yyAP/BuwcyyVZK6jOwtE5zsZyinGzLTCyD8pZqhVQ63qdrNMAdvNowl38cVm5pKYsiZiU9r8fzQJXS+5R65rJPxNKJ9CYBI3ca8OGJbY=,iv:bJgHF4CFagARNXFvkNFznzyUit6LsO75RiDTxZGsmr0=,tag:zDX6N6tDoooRUmovhgKsZw==,type:str]
|
||||
sops:
|
||||
age:
|
||||
@@ -61,7 +60,7 @@ sops:
|
||||
Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
|
||||
1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-05T21:10:30Z"
|
||||
mac: ENC[AES256_GCM,data:yy+mbLJ0kjmNxonwFt1wxZck4AeCEKa8iW6JvhrDnCnvxvSw8DHRc5xvNT/m+lZemqVbkCy5ipnS72rHCf3V6kswdCvgIqhLK5ECkppHaeSr4M2n097Zf56o69S7BYw4MC0oQ8XNT322SHD0zyJCC2fE6Wgs7+PS89QczxO3ch8=,iv:H3fpKlJ7vS5kUow3zgqsF/9DZtsG+b3NpBcKUAjhVGo=,tag:/FhgegbibNY99CuANbSEsw==,type:str]
|
||||
lastmodified: "2025-10-12T08:53:17Z"
|
||||
mac: ENC[AES256_GCM,data:uJPxF01MX0WXrkSrjBY+GHM58gSZqKjs3777LNfou2VMfwWtmiEcOTrx+i9iWAWA1idnCoDfLy4EEIGo1EhLJBFcmMvSpoFBfJUvpTCefOLkTYW6J7AHI/Bd+aYK5UXYZxk4uoCURFt1inSCiDWAw2aQ+1g+j5a/HgRtTux9FEo=,iv:a/SuzpuHkq+D2tddrMaWjn1pLJJjpb2zzEbDkcVjH7o=,tag:+lq8vfZxBRmyG9U8KXTsHA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -64,27 +64,24 @@ inputs:
|
||||
networking.nftables.tables.forward =
|
||||
{
|
||||
family = "inet";
|
||||
content =
|
||||
let
|
||||
srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0";
|
||||
in
|
||||
''
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority dstnat; policy accept;
|
||||
tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
|
||||
}
|
||||
chain output {
|
||||
type nat hook output priority dstnat; policy accept;
|
||||
# 需要忽略透明代理发出的流量(gid 不是 nginx)
|
||||
meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
|
||||
tcp dport 7011 fib daddr type local \
|
||||
counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
|
||||
}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
oifname wg0 meta mark & 4 == 4 counter masquerade
|
||||
}
|
||||
'';
|
||||
content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "tinc0.srv2-node0"; in
|
||||
''
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority dstnat; policy accept;
|
||||
tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
|
||||
}
|
||||
chain output {
|
||||
type nat hook output priority dstnat; policy accept;
|
||||
# 需要忽略透明代理发出的流量(gid 不是 nginx)
|
||||
meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
|
||||
tcp dport 7011 fib daddr type local \
|
||||
counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
|
||||
}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
oifname tinc0 meta mark & 4 == 4 counter masquerade
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -43,7 +43,6 @@ send:
|
||||
redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
|
||||
coturn:
|
||||
auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:5M7EAy/6+2UASWkjxE0Jrxwl0aNdAVZaUjQnD1wU3YvOAQ/c2DSL8hVtKf8=,iv:a2tXFf1+aP0JhdNtzP8e82KJ71m2o8nx+G0wIx4VMig=,tag:l4TS4QBz2fIkC9/GnZgHnQ==,type:str]
|
||||
xray-xmu-client:
|
||||
cookie: ENC[AES256_GCM,data:RZ2WFnsX7s/PVqA7ZKhGqw==,iv:CknFoAcHIiIwJI1IEXkFdWXcOCAZr50pfwmQN72OI8o=,tag:w2pNU1APxlSQsGMIEdE2OA==,type:str]
|
||||
tinc: ENC[AES256_GCM,data:E3OrPA67R48x5FJUW0ZbERlclz8Z/XokAaGTeBQLPEHSeqEArHYSZkdJRZejFrBruJPlGZMPNBQzlIBXOfXKwMnlBDaGJIIJHIzPDGG9W7QF4IIRK/BjVZHFwfKvZtbUDGsqLcCSe5+ttmyucBaFGquXhnD/Tu09uyWtRvS10KAJLY0Z2/16CFB1+8egJIcYw2TFXObo+KR92Va0qwiDSepKaJtYLimDGRKk04QGj+BYa5y8PjIG6bz8UG82mmCiV7XM3EPlSMA=,iv:kawsklNGFbRhxKuUwvNL2WyBxuYu2T/uks1cJ4i8NhA=,tag:V+jAaxQX7JCiR5+wIVW4Nw==,type:str]
|
||||
@@ -67,7 +66,7 @@ sops:
|
||||
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
|
||||
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-10-05T21:17:49Z"
|
||||
mac: ENC[AES256_GCM,data:Pp87u4oiU3gljDn9tg//eH2jyQA4CS9yog/ms/iDNO9Ov2T1Bw2Y1ImDjaTrk6pjsJflZin6T/FFb3t6mmjC2raHJy2iasu93/fWJDFeFr27SykRGgew4x9hOWFB3a1lXqlpARskerXhFIucLZVv0m1EMJJ9rBb1G6tPz/XreDE=,iv:Zeo1FrWAvICfY4j7wFgVfjryiiSYD2igXWOkpvwU1VI=,tag:kO3a0hcXS/Bzw7QqsyMiQA==,type:str]
|
||||
lastmodified: "2025-10-12T08:53:02Z"
|
||||
mac: ENC[AES256_GCM,data:Nx+PkDiF0Rz1jqO93ylzCPAWOFoc9KFnMGixcHgvzl+hvxFMHFEx0CzPceLGBLaz3s22nSL5PPq2k2fPJ1Yi9+kndWsTQuTu7gHQLABCriFysTshcOHd9m5/I8vgKHNaaYGOfDNjhji8xL/naSx2rpCyJDKSygRvfPvBaNdOYMg=,iv:VRIOc8eSWSZPveq2sbojNs2u9qEyOOoomhGE+Jwgnw4=,tag:xKdg4x/DWjktD0QZpycwGg==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
Reference in New Issue
Block a user