Merge branch 'production' into next

2025-05-11 07:46:27 +08:00
19 changed files with 240 additions and 134 deletions


@@ -10,6 +10,7 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
- &srv2-node0 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
- &srv2-node1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
- &srv3 age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
- &test age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
creation_rules:
- path_regex: devices/pc/.*$
key_groups: [{ age: [ *chn, *pc ] }]
@@ -35,10 +36,12 @@ creation_rules:
key_groups: [{ age: [ *chn, *srv2-node1 ] }]
- path_regex: devices/srv3/.*$
key_groups: [{ age: [ *chn, *srv3 ] }]
- path_regex: devices/test/.*$
key_groups: [{ age: [ *chn, *test ] }]
- path_regex: devices/cross/secrets/default.yaml$
key_groups:
- age: [ *chn, *pc, *vps6, *nas, *one, *srv1-node0, *srv1-node1, *srv1-node2, *srv2-node0, *srv2-node1,
*srv3 ]
*srv3, *test ]
- path_regex: devices/cross/secrets/chn.yaml$
key_groups:
- age: [ *chn, *pc, *one, *nas ]
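Review bot: Adding `*test` to the recipient list of the `devices/cross/secrets/default.yaml` rule lets the test machine's host key decrypt every value in that shared file, on equal footing with every other host in the list. The `devices/test/.*$` rule added just above already gives it a file of its own, so unless `test` really needs the shared values the list can keep ending in `*srv3 ]`. If it needs only a few of them, a separate cross file with a narrower `key_groups` entry would keep the rest out of its reach. Removing a recipient later only protects values rotated after the removal, because the earlier ciphertext stays readable from history.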


@@ -44,101 +44,110 @@ sops:
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZmU0akxEZkdwK2ZWZHlq
bnlYTXpFamtFa3Z6bHJTbVBJemExU1RqNUU4CmM0U1dPNm9ucHA4aHNoVDNaZUVF
ZFFPNUtQRUp0U1U1VFlaQy9ZRjZoM2sKLS0tIG5KdEx2VnhienlTQVVkeEY2djht
eUpYUm5VcVBick5QV3lXZjdRbWFtdUUK9J/gU3VxD6T7sre/Hkz/U9E563j/Sbk9
QubuNrbCBCAASxcqb2PkozHSuOB8eN+clmr2gZdcaNGQR1DgtJL64w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVY2YwTDdrd2R0cWNEMSs0
V2lJZFE2N0VGZmhpOGVwa0JqZkZPNjhOWERFCndpT3N2WGU0MlBUdFRNZFozN1Qy
TUxhQ1RPSEdvTEhaWHFsWmx5Z1pHeWsKLS0tIDRlSUFrS0tnWmRFUXhUc0F4MlhJ
ZEhMeFhPbC9JUEpjS3V4dFJuRW5FYTAKP5Fg427hKD6Jmp9b7KaD2SVg0ZirYlYi
v/VskZmPXVsE+sUM7QWjXDrw7Tzr704aMYNCPuOSjCSDTOmDl+E8BA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbDlkd2hQc2I0NWVXN0NL
eTFzTDBlU2ZBL2M2c1lDZ1FaOFlGY2s4T1EwCjZpbUNWMjgyMGt1NFBIVldLQTl1
MDB0anpxblBMMDE2TnZsWisyR3lJT1kKLS0tIHhDY0tRcVNlT1d1aVgzMitRYjd2
RHhxSFVBR1lCa0xacGhWQjhnVjJENFkK7W2Pbu5sZ3TDBvgPgBq7PbYqmRtl64PF
JOyUDEzM7Bx1BT7nfJLfBtyrvoe71s4bb2Bm6F0kp882Ikq4vEb3og==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYXZ0dTZ5M1licDFzYVFz
cGY2Q0JGdEVSTVVqL1Fxc1lnOGlXdjBpYlN3CkhvbG8vS2FVTHJXOEUwcVJ3M1Uz
V3VXZGIrRTI2TGR0NnJBQkpPdy9nOW8KLS0tIE9IVlR4VGhmbWZFSzhWK0VvR21J
WC9rVzBHWC9aZnhzWng3UHlibDRwa3MKaZV+lJQ0EUybv8OzdJPjBg5ivFsRL3C7
HYK0VzuAe0dq13rNC0suQWU3CXgblvJGC6Z601QpwYouuZ35LcXiUw==
-----END AGE ENCRYPTED FILE-----
- recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVk1VcHNXYzIyd1NSWHZk
SHhSdFhROHlOY21WMDUzcDdtWThrZVZsK2c0CkxFd053YVUvbSttNno4b0JCVWVU
UCtwYTVYWEFRdjJsOGZxNWhiaEFMeDgKLS0tIEt6R3MyT2RPYWUweGN3MGdndGQw
eStNZ3lIT2UrK2FvVFU2YTI4eHlLNTAKZgoZUxnoS3Nd9lC1Xpr0nVzXr3KF+Gy8
RJyvXtbZDZq5PNtRKikvXMmu1aJnWMdsFrtD0kcO7Zt0zXFSBckWyA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydisyN1JrMTFHRi9JdHZF
TDluR0MxOGdiNmc2bGMxajluc0wyN0xrUjE4CjJMMERiRGFDbTdVaHlxcGZxZVpZ
UUxBbDAwMFVkZFZ1MENXd0w2RDF3VTQKLS0tIEpOQmRRTUhxRW5STzZOQkg2YjdD
UE1tMDJiNjkwK1ptcW1HaUdRRlJHQjgKIe1znKWjFJWVYigN4ZdoGKWAbIGa8TEj
s3ZwEV6x53U3FngaXwzJE3vLl/iqM4/8VNPW/XgiJqrrFGGyx+FSzQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYTd3akZjQm1USzhpdllh
TEZldDZxSm9CVmxza0gybTVWNU1DMk9SVGtNClZiY0RMUENDSkd1YndheWgzUUtP
WVJGN0RIRmdKVTA4ZVVGSDhKYkxZVUUKLS0tIHRwVFBrWThIMTJWRDY1R2wrNDlI
R3Y2eWhqNlVrUE51Y3NNaTBHTWVxM1UKKRttJ8YN3IYAFjf28C0iG7kdocpxehwo
RoKkwjoP5QPYyQGSRRJQtGyRi/fpBct+FWYNytnABkiC5MPlc2f9tw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDOVdETW1STWRib2pwQTNX
OGRDVG83c25FRGxPbkxEd3UrKzQ3MWxvMmxvClFMbmQ3a1c1ekZ1NFR1dUIwSHV5
bEJiT3dMckZocGNxMHgzN0hPZE5PeU0KLS0tIFZxUWF0eGdaem8xT1RlOC84c0xu
TGNnY0VaWjhPeGtBOTNvdWMzc1pGaFkK2clrEZ5okljtK1osBpNPkFmk4UQxTYb/
Zk5KPXzlMOoR0eTZkyETy0tgE9E470yBZxbUU/7F9cHEo1/ndaB/9w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcFBJcWFMNlU3NEhDSTFn
ZnZ0NUtUSkpXdk5BWjV2WWhqcTR0aTZQWmpNCkY5Y2p4elZpbHJQcXU4c05sQ1Rz
YlV5MWsvZy84L2hvbGZldXQxZzY5U3cKLS0tIGo3V3RvS2o3SnErQlpxVnl1dVV6
RmVTeisyOURzaEpLWllhQ05iTTlFMGcKdm+CWsmJcnmaftsc2ael7FI7RMTA4VcT
cIP8UoMusrN4SY4qHROKEGNubJ52y1MeJm1SWV8Ck5t/G4V6S7Ggnw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbGZVYnMyMit6c0xwdEM4
V2JhWExCMURQTy9KTGpQVkxQOEJCcWRxdjFZCjFSZlV5R1daNzZ0MUMxdVZlczJq
dFNKbFpnc202aFFSdnY5RFNaU2JlcGsKLS0tIEFrT3piZDkzT2NwT3UrSUJTNzJr
U0lKa2tuejh0dStyVDhrajZ4RGhoVXMKTGCBgNgokTu+XIr1RrVk0HVwygHMIqzN
p0T4/6pldge6uxEhN6NlktwnrhYUEHGR/uMLeRpJ0cfLitWWa+hmOQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZHJTSXd5bGdiUFF2OEFV
QmNLTVk0WDAydWFRZEhnTGZma0dRZ2VsaGlFClVkMGRtcm5sYnUzNEZNZnR4Tkcy
RFZBbkwzWUtRMnhoWGNkN1ZqSmpTTFEKLS0tIEU4L1dMazVCeFM3YnJLNXFJV1BE
dTVqV29EN011OEx5c0ZqYnFDU2RzMHMKcnsM7verWr7xkwZVeuBUN1K7sGfPzoqD
y25ak/NRNgotQZWmCvvztH56kZt9LxGZKVhBnI8+lN4yhoZ82RilDw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBOUhXRXRyTEU0R2FZT29p
Vm15NDYwZTkwLzlvcUVZVDcyczgrOVNqZHpJCmZXQllrMXlGM2h3cVBsL0xwUlZl
bG5vNUdzMkJIaXE1a2pmY2g0T1NWQXcKLS0tIFlSKzBza1BTYXkxb2xxTVNUUXlU
WVB5SDB5eXAwazhMUThBZEpvOXFLdncK11euZcv4rVDk88RngrcEnB4iqOu+9wnq
9LgYY+Uiy1GHemtk1eNS6I/umsxM1V1fmAaGxOWKuwypMRSxYY7RXg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpS0FVSnk2M2x3a2lqaVQv
SGUyQStvOXQ5T2JteXJpUUxobEZyYTlZTFJVCnZobUVtV09XQnpDVzgrV2lUc2xh
SVArQmtYQXJBelhsQ1lYMW5SVzA0YmsKLS0tIEVWTmNscW9oSTZXeFR5aVphdUE0
TTZVNXd3di95MkxkTWVSRXpTbE82SHMKGQQ5TK9cUlcRTZxHjmT8pb4W310YHjMh
ML4cL+kkJZ/irPvvPOKFeISTEZfuhHvLhy7wXBNXZ6vyaKDEWT0iYw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZE1seklBN0gxUTdYbDdN
bzBycTBydDJYNjNyZHZ6clJzamJ0MktzNzBjCk5WODFkeEE4c3JqK1IxQzdCNXJi
TjVTcHFOc0FtRWJzMkw2NW9zUGV0ZWcKLS0tIFRSR1ZzVzlQRHZjQjM2c2JUaUdU
UU9QM3VKa2JzWUcwVEZmcldhMFZPTmsKuNZ1fQxumQ8slwHRSpojhxDO4cPNun/+
y+4KNOnnXxF644RywBYXo0BQ07ZRJiDw7RN6wnz8RYCYkXUkg+r1NA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQK1hPeFhOOVlJczhVbzZS
ZG1aUmxQNGZTb1ZLZU1OMHhsWHJmbHpBVmlvCkhuMUJhKzFJY3JmSThNc25HNjB6
aDJXOHA1aHVrZ3JMOENMOWFwT2dWRVUKLS0tIFpoWDFiVk4vS0xtWWJxOXczaGN2
RitTQVdyQ21JN2ZINHZGVXZrNE04OXMKmA1MlhYLUr3nyBMQ9pB+Bv0OvDIlzU2r
QlFIhydoJS6KZE0sgKNGA77vv91+EN5OHP6xu80yC4x43F3hDdfGPQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIL1VQYnBsVmVXcWwvTENr
YisySFNmR1VuMXN2K2tvdHozcGk4cnQ5YW0wCmhvcWFrazdFdnJDQlVndGlaZ0tG
cnNUNk1leGFhNWFWTVJuT29jUU5aTUkKLS0tIFFGTk1DR25BK2hZWjhQOUZXT3Y1
T0xrdzdpV0UrVmFIRGJmSjVDMThDYUEK7ObFJYS8AU6o0tr0nZf+uGmDzpMPE2pN
tRJD7zrMQkKRucfSN7xmYkee6G6LTkJeGrkEXsy7L1QThDiDp4WKhQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1eDRhTUtBcG9CVHVDMTli
QmJoZ0N5N0k0UXpUSzhPOW1nQjVMdFdXUGlFCkpHaERDb2NjYmhHVUMvdndqbXow
djNrSGFqREFRMTVXc3k3NzNwaVg5SXcKLS0tIFZKS3FzRnBCbU1hR0FxV0NMQWJO
Wlo4blFrSFN5dGQrMG5wSDVWamw2ZUkKZ6l+NsISChK0B0T/lLT+k0Uie+cGdUph
IMrLnVGxft5r7TYRioGH7iSnSBdll3Mas1G1Sj2C2mfn6An8Fwip2A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbncrWWtrRk5WZ2JRS2pZ
TWU0dkxpbmNBV2pwRjFKcU1vNkE1ZGVlbFdRCkZCTTREVnAyekxYYWROb0JNKzlj
cE1hTmVHUloyRkxOenJnS2Z1Zy83QW8KLS0tIHJoZkdBU09jOWoyMVlKSDdaV1Zn
c3h4NC9jN29kVUJSZHZyQTZqQU85K1EKHEtK2tC1Li8NmpokUtMh60mZFXf21XnN
XxKZziobr84wERCwMzrMJ0EJE0nn/fBxj3ISexX0yEC+UHJqiFdlfw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydUsrS01YN2x5RmxUOWxv
cDZqdUJISjVrV0RPUi91aEMvK0E2MXYrRm1zCkxlNVArUkNuU21WQzlkc2pTellS
VTRxeVNiSGhUc3lrdmVtVDFYbkJWa3MKLS0tIFlqRis5VmNmVUNuczQ0UjFJL09Y
VEFuc2VIWnZtUjBqbzRkUDJVTjZYVEUKYebLOtuHKxC8L6T6tVga+e6jUDWYbRpM
aCaXOxWDYLhfHsWe+1UvDNX+6tN8fsNdkdP2WKZnOaR6QPVybdkvZA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbHRETnBmVE5NVlp0NlZp
WW9HeWJxM1FydkttNHdLZkRnYmxEL3RtN1d3CnVUeGpJUU9vb2Q3eThpWFl2a2Fx
aDlRdnA3cCtTQlgyOVBRaVdvNlVlUjQKLS0tIHZsOGRDMVl5bFh5eTZDSWFoTzhB
Njd3NktlZ1h3SmtTVEU1OXhDOGNSZWcKVjNJ3W4xLYiREudr+kqA2xd/sS+8WF76
AalhiHOtNEGeyXbIh8GKhBbz+fvoALU8tZyedvilNry3D6d2Ecfbyg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUnVodFkyZnk4R1NOUFpn
YThOcy9QdFZnRDFFb20yMlNrWTlFek0yekFzCjFRL1RWQ3VTWWlEMHE5ZEk5dGds
SUI3alg3VkJDRHVTTkpmUXVuQldkU1UKLS0tIFJaY2t1TTBHV1ltNmxBY3czb2ly
ZHdZeVFpcFdHKy91ZFd5SVRJTWR4ejgKEX9OO+mtQUTkoP4YQgYouLXvLzNlcHge
RTRJ4bkddB8bJaRPo+EJdgi+XzzvRFlEqAA5drUclHAtP/MgEOuKpw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1VHJ4aHdSYmpEcnBES29D
bmtudVVKQXVMZzBaTW5QWngwdEFtbTllTFJ3CmkxK0JUUEF4enoxWVRRVURxR0k3
RVZ6OUxUODRSVGNmdk9heE5IY2tqbW8KLS0tIDU2cjZqVEYwWnRiTHNQM0ZSWkc2
ckt2cHRMZTI1ckM0bUM4em90YWRDbVEK1NiJMOJF1GD9N0BpewD/Cw8tV4Lizhmd
03EYgUycbYAzC8GNtruz8FkkIqpWzwtsh0v10EUkclZoLZyz9qVWcA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNHVFc2R3RkpCMzNlTEk5
bVlDVFc2MlpNeGVra01EZDhiTk5PbGJSL213CkRoelRxRHNhYVd4bGt5Yzg5Z3E4
Qnh4ZlhZU3NhMHA3Ymc3TitIUzFqWlUKLS0tIFhzU3c4VExxM1FNRXE3d2pYdFhr
NFZmRFpJNDMzNnVSU09DQzhZbFVrdjQKjG23RwmfafAeSyfU0R3JQI22CWDvLA8K
sHa9ok9o0A3b3hc48HkhMqOL5n3WvCtX3Ub+Pvt9hRSDsVdShZriyA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-06T13:35:31Z"
mac: ENC[AES256_GCM,data:BKvC45okHmg4k+YZxqjuI1E5Wp/mntzeq/JJeVNG1cA0IfchAi+59IXJgBKPxbjHc4dAxIGozmsDaPPC76hxhdQ+W8DhMGM7kRstpA8iSiljn/SuwzRMizgMZHPXxY3LWg2QcOSScLI7p8HeAmKYby4Ixb+X4Z6jzASFJnhgQss=,iv:VYNN0sYNMbITS4p+wytRKOBN/gLGyDQNo5rnZH9QwhA=,tag:7QtkgYO6/LpocqLL35RoYw==,type:str]


@@ -10,6 +10,6 @@ let pkgs = import inputs.nixpkgs (import ../../modules/system/nixpkgs/buildNixpk
in pkgs.symlinkJoin
{
name = "jykang";
paths = with pkgs; [ hello iotop gnuplot ];
paths = with pkgs; [ hello iotop gnuplot localPackages.vaspkit ];
postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
}


@@ -12,7 +12,12 @@ inputs:
mount =
{
vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
btrfs."/dev/mapper/root1" =
{
"/nix" = "/nix";
"/nix/rootfs/current" = "/";
"/nix/remote/jykang.xmuhpc" = "/data/gpfs01/jykang/.nix";
};
nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.nas"}:/" =
{ mountPoint = "/nix/nas"; hard = false; };
};


@@ -12,7 +12,7 @@
* 希望内存中的数据一直驻留在内存中(而不是被交换到 swap 中)。
* **可能会超售**,但我凭良心保证,当你需要时,仍然可以占满内存和硬盘;长期占满硬盘和内存不算滥用。
* 前期肯定不会超售(笑死,根本没有那么多用户)。
* 永远不会滥售;但后期可能会视情况调整价格。
* 永远不会滥售;但后期可能会视情况调整价格。如果涨价,会延迟三个月生效。如果降价则立即生效。
* 万一出现卖超太多了、不够用的情况,我会自掏腰包增加母鸡配置。
* 实现细节:
* 硬盘会使用 raw 格式,放置在启用 CoW 的 btrfs 子卷中;不预先分配,用到时再分配。
@@ -86,9 +86,9 @@
**如何调整虚拟机启动顺序(重启到 iso 而不是硬盘)?**
先重启虚拟机,然后马上连接 VNC可以看到“按 ESC 选择启动菜单”或者“Tina Core”的提示。这个界面按 F2 或者 ESC 就可以临时调整启动顺序
这个界面只会停留 15 秒,所以重启虚拟机后要迅速连接 VNC
先重启虚拟机,然后马上连接 VNC可以看到“Tiano Core”的提示。这个提示只会停留 15 秒,所以重启虚拟机后要迅速连接 VNC
在这个界面按 ESC 就可以进入虚拟机的 BIOS在这里可以修改虚拟机的一些设置就像实体机的 BIOS 那样)。
如果只是想临时从 ISO 启动可以在这里选择“Boot Manager”然后选择带 “CDROM” 那一项就可以了
**如何调整硬盘大小?**


@@ -34,23 +34,37 @@ inputs:
sshd = {};
nixvirt =
{
alikia = { memoryMB = 1024; cpus = 1; address = 2; portForward.tcp = [{ host = 5689; guest = 22; }]; };
alikia =
{
hardware = { memoryMB = 1024; cpus = 1; };
network = { address = 2; portForward.tcp = [{ host = 5689; guest = 22; }]; };
};
pen =
{
memoryMB = 512;
cpus = 1;
address = 3;
portForward =
hardware = { memoryMB = 512; cpus = 1; };
network =
{
tcp =
[
{ host = 5690; guest = 22; }
{ host = 5691; guest = 80; }
{ host = 5692; guest = 443; }
];
web = [ "natsume.nohost.me" ];
address = 3;
portForward =
{
tcp =
[
{ host = 5690; guest = 22; }
{ host = 5691; guest = 80; }
{ host = 5692; guest = 443; }
{ host = 22000; guest = 22000; }
];
udp = [{ host = 22000; guest = 22000; }];
web = [ "natsume.nohost.me" ];
};
};
};
test =
{
owner = "chn";
hardware = { memoryMB = 512; cpus = 1; };
network = { address = 4; vnc.openFirewall = false; portForward.web = [ "example.chn.moe" ]; };
};
};
rsshub = {};
misskey.instances =


@@ -2,6 +2,7 @@ wireguard: ENC[AES256_GCM,data:Coe4iIEnJVDb4a9KUVTRkXl4kng5Zo6x1Iyr0ErgR2b9bN287
nixvirt:
alikia: ENC[AES256_GCM,data:sP3sWN0RrBU=,iv:TetUcaxsRXl0QsGAyXbVUAW12AXjChVN1/X+ku+3nO4=,tag:kBupoPqVlwHuCnwVdBJBKQ==,type:str]
pen: ENC[AES256_GCM,data:okvzUul3UXk=,iv:hcBhsUMP8jdhhKuKdHD1lZi8ixNAC729HfMQ79UzyNk=,tag:SRRav39ScHn0O/sf86CIOw==,type:str]
test: ENC[AES256_GCM,data:MYlMmzgbW9c=,iv:q1qPAwFTh0fj2IHBIlnrOMbTU2BnwIYzOFUHVqWCY/Q=,tag:Mb2bJJemg/LxpKI5whNvQw==,type:str]
nginx:
detectAuth:
chn: ENC[AES256_GCM,data:cek6iIlJXgU191uzq44rTw==,iv:r7aMj5UzH1sbKkxvS8oyw6kpIcpRygD4ype8qkmnNa0=,tag:x2jWZnnFCO0sHj/OS2BQbA==,type:str]
@@ -129,8 +130,8 @@ sops:
d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-06T13:34:57Z"
mac: ENC[AES256_GCM,data:nPuHzb5DZtiHRNMRysknkRPUHCCh83fKRjYlB85LVEYpqytVfPKHml36DzZ5QdU9/YX/lQf79skq8qO2D6uqU9EHwxHBgq0Xysja/2R2bG/+LpU/wvmykc90hLWVoodXKG8SCNMkW/eGS9UTPTQBdpeUYLIUZXDlZtjWHTffHvE=,iv:BMliaH95V13kf6t9pLuNQhjfXvSwZj+1RXSqRGE4wfA=,tag:gfyl8ajH8+6VvrPYNXrDHg==,type:str]
lastmodified: "2025-05-10T03:59:21Z"
mac: ENC[AES256_GCM,data:4mGHzFX7pEKG5P3032sJwKiU3QGj8yUsqjK1KuMvPzNgyt5+m4xzm+7BxqPcWohUYtkn4ladFSTposSpVE+EXvmb2YXXISsat22YGE4WPGzAjwuEB96hGJ8ZVKolK8UMZGntxVNue0LiadhuhbDM6GGMbbr4cqRTINiEkqFfNWw=,iv:pXdtQyQxQOGO3f8cXOzAuuN3Qn/6nkFyaGRYHb6FD8A=,tag:9WXip6vCHbPEpjua6Ka5jQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2

29
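--- a/devices/test/default.nix
+++ b/devices/test/default.nix
@@ -0,0 +1,29 @@
+inputs:
+{
+config =
+{
+nixos =
+{
+system =
+{
+fileSystems =
+{
+mount =
+{
+vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
+btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+};
+rollingRootfs = {};
+};
+nixpkgs.march = "haswell";
+networking = {};
+};
+hardware.cpus = [ "intel" ];
+services =
+{
+sshd = {};
+nginx = { enable = true; applications.example = {}; };
+};
+};
+};
+}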

30
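--- a/devices/test/secrets.yaml
+++ b/devices/test/secrets.yaml
@@ -0,0 +1,30 @@
+hello: ENC[AES256_GCM,data:y6Kl7kHqgft7T1eiFEeIppvosCACIcVWIQm6TzjS6RgUkJEg17GEZFRy2zTvVg==,iv:wChah8rTtEkkR8pRHO9NdhaGBwsTrrP+tPp7k2SOdn0=,tag:jRdYgJoKz+Q+/m8l/03JoQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTcldLRERrOHdadVA4RXdQ
+dmsxL1o5aDdJTitqdXBzRWxqVmZKUzFtTlUwCnc2a1N4WUNEVUhsSlFuSExjR0Rl
+TlFnNjVpUkpmbWdxYW5oblk5dGQ0THMKLS0tIDFBa0FKQXBPYThFTUwvd2tIaU9p
+TERYVkp3dkUxU2ZaTnFRamRKclRRa1EKosUuvJXekUIxIHL8s/QuZf+hCXQS5dMC
+HqZ74f/jvIW8i/Etu29VtK3n8MD8W1EenhJjfxOvhpRpLpzQP2GImg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK2F0R1JRR2t6NDhXVnVD
+Unh5QmxDaGJtWmhsb1ZDRkMzUlpSeU9GL3lNCkU0ZVYxaWs3MHZDQlNHS25WMTl3
+VVVtQUlxeXNQNVQrSTdSbWYzSmlPVGMKLS0tIDlyRm1tYlR3WU9ISjc2T3BSY2FP
+Z3h2QWh6eDB6L1krbU9SS050dUhEamMKHnvdCmLuhuIfeBRs3LJ6IEatqrlMJNnc
+vhPTVgfn+M8dGo+odTTwlvr5XGzE5cMSxGtdSE33JsbBFfVyaPCFjQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-05-10T03:54:30Z"
+mac: ENC[AES256_GCM,data:JMr6ybbOk7tDZKUo11bd0xwUfLUuE4DIB5sYOCEVuaXLpDirgMgNSQgayqnnYDLOC7kGA7wDbbcxWhdaT8TcyYwdeha3SgA9mjkruPtOZ4R+ozfLDeqa59h2P+xronaOCDdl9G2JbhLA+k/S2ImBP43iPbcycJViSQs0RrntMxY=,iv:3ZILO4L01r4I2SJWOxe4pp9XLWo6KPPl3t/IbIf07+8=,tag:jhf73Y42fOYmeQS2oA0qSA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.2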


@@ -16,7 +16,7 @@ let
srv3 =
[
"chat" "freshrss" "huginn" "initrd.srv3" "nextcloud" "photoprism" "rsshub" "ssh.git" "vaultwarden" "webdav"
"xsession.srv3"
"xsession.srv3" "example"
];
srv1-node0 = [ "srv1" ];
srv2-node0 = [ "srv2" ];


@@ -1,6 +1,6 @@
{ inputs, localLib }:
let
singles = [ "nas" "pc" "vps6" "one" "srv3" ];
singles = [ "nas" "pc" "vps6" "one" "srv3" "test" ];
cluster = { srv1 = 3; srv2 = 2; };
deviceModules = builtins.listToAttrs
(


@@ -42,7 +42,7 @@ inputs:
environment =
{
persistence."/nix/nodatacow".directories = inputs.lib.mkIf kvm.nodatacow
{ directory = "/var/lib/libvirt/images"; mode = "0711"; };
[{ directory = "/var/lib/libvirt/images"; mode = "0711"; }];
systemPackages = with inputs.pkgs; [ qemu_full win-spice guestfs-tools virt-manager ];
};
systemd =


@@ -0,0 +1,10 @@
inputs:
{
options.nixos.services.nginx.applications.example = let inherit (inputs.lib) mkOption types; in mkOption
{ type = types.nullOr (types.submodule {}); default = null; };
config = let inherit (inputs.config.nixos.services.nginx.applications) example; in inputs.lib.mkIf (example != null)
{
nixos.services.nginx.https."example.chn.moe".location."/".static =
{ root = "${inputs.config.services.nginx.package}/html"; index = [ "index.html" ]; };
};
}


@@ -371,9 +371,19 @@ inputs:
table inet nginx {
chain output {
type route hook output priority mangle; policy accept;
# gid nginx
#
meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
ct state new counter ct mark set ct mark | 2
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2
#
#
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
return
}
# prerouting
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
return
}
}


@@ -7,35 +7,38 @@ inputs:
hash = builtins.hashString "sha256" submoduleInputs.config._module.args.name;
createString = separator: parts: builtins.concatStringsSep separator
(builtins.map (p: builtins.substring (builtins.head p) (builtins.elemAt p 1) hash) parts);
defaultUuid = createString "-" [ [ 0 8 ] [ 8 4 ] [ 12 4 ] [ 16 4 ] [ 20 12 ] ];
defaultMac = "02:${createString ":" [ [ 0 2 ] [ 2 2 ] [ 4 2 ] [ 6 2 ] [ 8 2 ] ]}";
in
{
uuid = mkOption
{
type = types.nonEmptyStr;
default = createString "-" [ [ 0 8 ] [ 8 4 ] [ 12 4 ] [ 16 4 ] [ 20 12 ] ];
};
storage = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
memoryMB = mkOption { type = types.ints.unsigned; };
cpus = mkOption { type = types.ints.unsigned; };
vnc =
{
port = mkOption { type = types.ints.unsigned; default = 15900 + submoduleInputs.config.address; };
openFirewall = mkOption { type = types.bool; default = true; };
};
mac = mkOption
{ type = types.nonEmptyStr; default = "02:${createString ":" [ [ 0 2 ] [ 2 2 ] [ 4 2 ] [ 6 2 ] [ 8 2 ] ]}"; };
address = mkOption { type = types.ints.unsigned; };
uuid = mkOption { type = types.nonEmptyStr; default = defaultUuid; };
owner = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
portForward = rec
hardware =
{
tcp = mkOption
storage = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
memoryMB = mkOption { type = types.ints.unsigned; };
cpus = mkOption { type = types.ints.unsigned; };
mac = mkOption { type = types.nonEmptyStr; default = defaultMac; };
};
network =
{
address = mkOption { type = types.ints.unsigned; };
vnc =
{
type = types.listOf (types.submodule { options = rec
{ host = mkOption { type = types.ints.unsigned; }; guest = host; };});
default = [];
port = mkOption { type = types.ints.unsigned; default = 15900 + submoduleInputs.config.network.address; };
openFirewall = mkOption { type = types.bool; default = true; };
};
portForward = rec
{
tcp = mkOption
{
type = types.listOf (types.submodule { options = rec
{ host = mkOption { type = types.ints.unsigned; }; guest = host; };});
default = [];
};
udp = tcp;
web = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};
udp = tcp;
web = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};
};})));
default = null;
@@ -60,7 +63,7 @@ inputs:
base = lib.network.templates.bridge
{ uuid = "8f403474-f8d6-4fa7-991a-f62f40d51191"; subnet_byte = 122; };
host = builtins.map
(vm: { inherit (vm) mac; ip = "192.168.122.${builtins.toString vm.address}"; })
(vm: { inherit (vm.hardware) mac; ip = "192.168.122.${builtins.toString vm.network.address}"; })
(builtins.attrValues nixvirt);
in lib.network.writeXML (base // { ip = base.ip // { dhcp = base.ip.dhcp // { inherit host; }; }; });
active = true;
@@ -89,25 +92,17 @@ inputs:
{
nginx =
let hosts = builtins.concatLists (builtins.map
(vm: builtins.map (domain: { inherit domain; ip = vm.address; }) vm.portForward.web)
(vm: builtins.map
(domain: { inherit domain; ip = "192.168.122.${builtins.toString vm.network.address}"; })
vm.network.portForward.web)
(builtins.attrValues nixvirt));
in
{
enable = inputs.lib.mkIf (hosts != []) true;
transparentProxy.map = builtins.listToAttrs (builtins.map
(host:
{
name = host.domain;
value = "192.168.122.${builtins.toString host.ip}:443";
})
hosts);
(host: { name = host.domain; value = "${host.ip}" + ":443"; }) hosts);
http = builtins.listToAttrs (builtins.map
(host:
{
name = host.domain;
value.proxy.upstream = "http://192.168.122.${builtins.toString host.ip}:443";
})
hosts);
(host: { name = host.domain; value.proxy.upstream = "http://${host.ip}" + ":80"; }) hosts);
};
kvm = {};
};
@@ -124,8 +119,8 @@ inputs:
{
inherit (vm) name;
inherit (vm.value) uuid;
memory = { count = vm.value.memoryMB; unit = "MiB"; };
storage_vol = { pool = "default"; volume = "${vm.value.storage}.img"; };
memory = { count = vm.value.hardware.memoryMB; unit = "MiB"; };
storage_vol = { pool = "default"; volume = "${vm.value.hardware.storage}.img"; };
install_vol = "${inputs.topInputs.self.src.iso.netboot}";
virtio_video = false;
};
@@ -139,17 +134,15 @@ inputs:
{
type = "vnc";
autoport = false;
port = vm.value.vnc.port;
port = vm.value.network.vnc.port;
listen.type = "address";
passwd = inputs.config.sops.placeholder."nixvirt/${vm.name}";
};
interface = base.devices.interface // { mac.address = vm.value.mac; };
disk = builtins.map
(disk: disk // { driver = disk.driver // { type = "raw"; }; })
base.devices.disk;
interface = base.devices.interface // { mac.address = vm.value.hardware.mac; };
disk = builtins.map (disk: disk // { driver = disk.driver // { type = "raw"; }; }) base.devices.disk;
};
cpu = base.cpu // { topology = { sockets = 1; dies = 1; cores = vm.value.cpus; threads = 1; };};
vcpu = { placement = "static"; count = vm.value.cpus; };
cpu = base.cpu // { topology = { sockets = 1; dies = 1; cores = vm.value.hardware.cpus; threads = 1; };};
vcpu = { placement = "static"; count = vm.value.hardware.cpus; };
os = (builtins.removeAttrs base.os [ "boot" ]) //
{
loader = { readonly = true; type = "pflash"; path = "/run/libvirt/nix-ovmf/OVMF_CODE.fd"; };
@@ -192,16 +185,17 @@ inputs:
group = "root";
setuid = true;
};
networking.firewall.allowedTCPPorts = builtins.map (vm: vm.vnc.port)
(builtins.filter (vm: vm.vnc.openFirewall) (builtins.attrValues nixvirt));
networking.firewall.allowedTCPPorts = builtins.map (vm: vm.network.vnc.port)
(builtins.filter (vm: vm.network.vnc.openFirewall) (builtins.attrValues nixvirt));
systemd.services.nixvirt-forward =
let
nftRules = builtins.concatLists (builtins.concatLists (builtins.map
(vm: builtins.map
(protocol: builtins.map
(port: "${protocol} dport ${builtins.toString port.host} "
+ "counter dnat ip to 192.168.122.${builtins.toString vm.address}:${builtins.toString port.guest}")
vm.portForward.${protocol})
+ "counter dnat ip to 192.168.122.${builtins.toString vm.network.address}"
+ ":${builtins.toString port.guest}")
vm.network.portForward.${protocol})
[ "tcp" "udp" ])
(builtins.attrValues nixvirt)));
nft = "${inputs.pkgs.nftables}/bin/nft";
@@ -232,8 +226,6 @@ inputs:
{
description = "nixvirt port forward";
after = [ "nftables.service" "nixvirt.service" ];
bindsTo= [ "nftables.service" ];
partOf = [ "nftables.service" "nixvirt.service" ];
serviceConfig =
{
Type = "oneshot";
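Review bot: `network.vnc.openFirewall` keeps `default = true` in the regrouped options of the first hunk, so every VM that does not opt out gets its VNC port added to `networking.firewall.allowedTCPPorts` in the firewall hunk further down; on this page only the new `test` VM sets it to `false`. The graphics entry is guarded only by the sops `passwd`, and classic VNC password authentication is limited to eight characters and, unless TLS is configured somewhere outside this diff, has no transport encryption. An opt-in default is the safer shape: `openFirewall = mkOption { type = types.bool; default = false; };`, with `vnc.openFirewall = true;` written out on the VMs whose console must be reachable remotely. Reaching the console through an SSH tunnel instead would let the port stay closed for all of them.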


@@ -216,6 +216,7 @@ inputs:
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
LimitNPROC = 65536;
LimitNOFILE = 524288;
CPUSchedulingPolicy = "rr";
};
restartTriggers = [ inputs.config.sops.templates."xray-client.json".file ];
};
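Review bot: `CPUSchedulingPolicy = "rr";` moves a service that handles network traffic and holds `CAP_NET_ADMIN` into a realtime class that preempts every normally scheduled task, so a busy loop in it, whether from a bug or from traffic it is fed, can starve sshd and the rest of the host up to the kernel's realtime throttling limit. No `CPUSchedulingPriority` is set beside it and nothing in the hunk records why realtime is needed. If the aim is only lower latency under load, `Nice = -10;` or `CPUWeight = 1000;` gives priority without leaving the fair scheduler; if realtime is intended, add a comment with the reason and an explicit `CPUSchedulingPriority = 1;`. The service definition begins above the hunk, and which line is the added one is inferred from the hunk counts.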


@@ -2,7 +2,8 @@ inputs:
{
config.boot.plymouth =
{
enable = true;
# TODO: race condition, try enable it at next release
enable = false;
theme = "mac-style";
themePackages = [((inputs.pkgs.callPackage inputs.topInputs.mac-style {}).overrideAttrs (prev:
{


@@ -1,3 +1,4 @@
# TODO: update to use pnpm.setupHook
{
lib, mkPnpmPackage, nodejs, writeShellScript, src, extraIntegritySha256,
bash, cypress, vips, python3


@@ -15,7 +15,7 @@ add_executable(vm src/main.cpp)
target_compile_features(vm PUBLIC cxx_std_23)
target_link_libraries(vm PRIVATE biu::biu)
if(VM_CONFIG)
target_compile_definitions(vm PRIVATE VM_CONFIG="${VMCONFIG}")
target_compile_definitions(vm PRIVATE VM_CONFIG="${VM_CONFIG}")
endif()
install(TARGETS vm RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})