chn/nixos
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixos.git synced 2026-01-12 04:19:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

merge into: chn:debug
Branches Tags
chn:production chn:next chn:legacy-2505 chn:archive chn:edge chn:a30 chn:hpcstat chn:rocm chn:nas-alderlake chn:one-fprint chn:rog-x chn:sbatch-add-fdtd chn:r2s chn:steamdeck chn:biu chn:sbatch-tui chn:sops chn:srv1 chn:srv1-archive chn:srv1-add-zgq chn:switch-srv2 chn:xray-debug chn:srv2-debug chn:srv2-notice chn:temp chn:staging chn:debug chn:wannier-tools chn:next-pc chn:fix-libvirt chn:add-pen chn:libvirt-cow chn:test-nfs chn:wg-stage chn:hdf5-slurm chn:vasp-debug chn:container chn:debug-nfs chn:test-impermanence chn:xmuserver chn:pc chn:test-motd chn:nvhpc chn:root chn:srv-archive chn:xmuserver-archive chn:python chn:test-bindmount chn:test-keyd chn:srv chn:vasp chn:ufo chn:ip-debug chn:nex chn:blog chn:fcitx5 chn:winjob chn:winjob-old-design chn:ollama chn:server chn:vps6 chn:chn-bsub chn:test-nvidia chn:bug chn:next-debug chn:krfb chn:xray chn:split-desktop-server chn:pi chn:envfs chn:main chn:dae chn:xmupc2 chn:xrdp chn:ipfs chn:xmupc1 chn:mumax chn:slurm chn:blas chn:firefox chn:color chn:gpu chn:nvidia chn:xanmod chn:rsshub chn:ttyd chn:fix-efishell chn:device chn:misskey chn:power chn:native chn:meilisearch-migration chn:nixos-23.05 chn:nginx chn:ua chn:vps7-freshrss chn:nvme-bug chn:yoga chn:kernel-lts chn:nas-beesd chn:vps7-beesd chn:vps6-beesd chn:phonopy chn:tested chn:docker chn:test-nebula chn:test-nebula-nas chn:stable chn:benchmark chn:ccache-bug-report
chn:try-to-fix-rtkit-pipewire
...
pull from: chn:srv1-archive
Branches Tags
chn:production chn:next chn:legacy-2505 chn:archive chn:edge chn:a30 chn:hpcstat chn:rocm chn:nas-alderlake chn:one-fprint chn:rog-x chn:sbatch-add-fdtd chn:r2s chn:steamdeck chn:biu chn:sbatch-tui chn:sops chn:srv1 chn:srv1-archive chn:srv1-add-zgq chn:switch-srv2 chn:xray-debug chn:srv2-debug chn:srv2-notice chn:temp chn:staging chn:debug chn:wannier-tools chn:next-pc chn:fix-libvirt chn:add-pen chn:libvirt-cow chn:test-nfs chn:wg-stage chn:hdf5-slurm chn:vasp-debug chn:container chn:debug-nfs chn:test-impermanence chn:xmuserver chn:pc chn:test-motd chn:nvhpc chn:root chn:srv-archive chn:xmuserver-archive chn:python chn:test-bindmount chn:test-keyd chn:srv chn:vasp chn:ufo chn:ip-debug chn:nex chn:blog chn:fcitx5 chn:winjob chn:winjob-old-design chn:ollama chn:server chn:vps6 chn:chn-bsub chn:test-nvidia chn:bug chn:next-debug chn:krfb chn:xray chn:split-desktop-server chn:pi chn:envfs chn:main chn:dae chn:xmupc2 chn:xrdp chn:ipfs chn:xmupc1 chn:mumax chn:slurm chn:blas chn:firefox chn:color chn:gpu chn:nvidia chn:xanmod chn:rsshub chn:ttyd chn:fix-efishell chn:device chn:misskey chn:power chn:native chn:meilisearch-migration chn:nixos-23.05 chn:nginx chn:ua chn:vps7-freshrss chn:nvme-bug chn:yoga chn:kernel-lts chn:nas-beesd chn:vps7-beesd chn:vps6-beesd chn:phonopy chn:tested chn:docker chn:test-nebula chn:test-nebula-nas chn:stable chn:benchmark chn:ccache-bug-report
chn:try-to-fix-rtkit-pipewire

163 Commits
debug ... srv1-archi

Author SHA1 Message Date
chn
5976c58a67 set branch 2025-07-05 12:29:31 +08:00
chn
a9e3fbb3d8 devices.cross: set password for zgq 2025-07-05 12:25:33 +08:00
chn
f44140eb69 modules.user.zgq: init 2025-07-04 10:13:16 +08:00
chn
dcc7f21f73 devices.srv3/vps4/vps6: clean up xray user 2025-06-09 09:35:40 +08:00
chn
6d1e006741 devices.nas: disable nix-serve 2025-06-09 09:22:22 +08:00
chn
2b281efb50 flake: update nixos-wallpaper 2025-06-08 10:34:51 +08:00
chn
de8aaf388c flake.packages.archive: fix 2025-06-07 21:32:34 +08:00
chn
50e6069aed modules.system.sysctl: set max mount 2025-06-07 21:27:02 +08:00
chn
dc0f444481 flake.dns: setup xserver2 2025-06-07 20:45:24 +08:00
chn
f57bd8bb9b flake.packages.src: fix 2025-06-06 17:58:33 +08:00
chn
39d4ff9d4f flake.packages: add archive 2025-06-06 17:56:56 +08:00
chn
24718f4125 add doc 2025-06-06 08:42:49 +08:00
chn
21b04d953d Revert "modules.services.xray: fix mark" 
This reverts commit 21e9f53b39.
 2025-06-05 20:08:06 +08:00
chn
21e9f53b39 modules.services.xray: fix mark 2025-06-05 19:48:45 +08:00
chn
b8f27cc8e9 Revert "modules.services.wireguard: enable refresh" 
This reverts commit 587bd4ded1.
 2025-06-05 18:57:03 +08:00
chn
587bd4ded1 modules.services.wireguard: enable refresh 2025-06-05 18:39:47 +08:00
chn
f1c231bccc modules.system.nixpkgs.buildNixpkgsConfig: cleanup 2025-06-05 17:55:43 +08:00
chn
601dfa050d Revert "modules.system.nixpkgs.buildNixpkgsConfig: use allowUnfreePredicate" 
This reverts commit 4887332da8.
 2025-06-05 17:54:30 +08:00
chn
4887332da8 modules.system.nixpkgs.buildNixpkgsConfig: use allowUnfreePredicate 2025-06-05 17:52:49 +08:00
chn
f310054b03 devices.vps4: add xray user 2025-06-05 15:42:22 +08:00
chn
8ced3ce943 flake.dns: set xserver2 2025-06-05 15:42:22 +08:00
chn
47617baea8 modules.services.xray.server: set serverName default to xserver2 2025-06-05 15:42:13 +08:00
chn
65d05e7676 modules.services.xray.client: not set ip; use xserver2 as default 2025-06-05 15:42:05 +08:00
chn
feed87db2d modules.server.xray: remove unused options 2025-06-05 14:51:41 +08:00
chn
8faf4b1d5c modules.services.nixvirt: add nftables table for port forwarding 2025-06-05 12:01:22 +08:00
chn
d88d904013 modules.packages.desktop: add activitywatch 2025-06-05 12:01:22 +08:00
chn
5793e62f6a modules.services.xray.client: use existing nftables options 2025-06-05 12:01:18 +08:00
chn
9c267052b0 modules.services.nginx: fix nft rules 2025-06-05 11:20:02 +08:00
chn
c69bd56b5f devices.vps6: forward using wg0 2025-06-05 10:46:23 +08:00
chn
8e9185ec6b devices.vps4/6: move forward to vps6 2025-06-05 10:43:20 +08:00
chn
9774ea9a2d modules.services.sshd.motd: fix 2025-06-05 10:34:58 +08:00
chn
ed57489bb3 Reapply "users.zqq: add ssh key" 
This reverts commit 38df611978.
 2025-06-05 10:24:07 +08:00
chn
2c3687b785 devices.vps4: add forward table 2025-06-05 10:16:02 +08:00
chn
627f9cf9a8 devices.vps4: enable wireguard 2025-06-04 19:52:20 +08:00
chn
d83c3f38da devices.srv2: disable password authentication for SSH 2025-06-04 19:46:41 +08:00
chn
f43da51a0a modules.services.gitea: longer git timeouts 2025-06-04 16:03:07 +08:00
chn
7a3f945ca8 fix peertube 2025-06-04 13:51:41 +08:00
chn
1c42579bc4 modules.services.sshd: fix lolcat 2025-06-04 12:34:01 +08:00
chn
5d295ce114 update nixpkgs (no change) 2025-06-04 12:22:51 +08:00
chn
0dc2fe9131 Reapply "revert slurm version" 
This reverts commit 3988d626fc.
 2025-06-04 12:16:19 +08:00
chn
9aed79f30d modules.services.slurm: disable upstream nvml 2025-06-04 12:09:35 +08:00
chn
32fe05d653 Revert "modules.services.slurm: remove nvml support, upstream already has it" 
This reverts commit 351f8cd9fa.
 2025-06-04 12:08:18 +08:00
chn
3988d626fc Revert "revert slurm version" 
This reverts commit 2b2fbd4ab5.
 2025-06-04 12:08:03 +08:00
chn
2b2fbd4ab5 revert slurm version 2025-06-04 11:57:17 +08:00
chn
351f8cd9fa modules.services.slurm: remove nvml support, upstream already has it 2025-06-04 11:44:52 +08:00
chn
5b95c9d5a5 fix mariadb 2025-06-04 11:28:43 +08:00
chn
2f4034a3f8 modules.system.networking -> network 2025-06-03 08:49:10 +08:00
chn
45eaad9ee2 modules.system.networking: bridge.devs -> bridge.interfaces 2025-06-03 08:45:48 +08:00
chn
77df06600d devices.pc: remove unused dnsmasq resolve 2025-06-02 23:23:02 +08:00
chn
e55578eb81 devices.pc: remove unused hosts 2025-06-02 23:22:14 +08:00
chn
1224574cfa devices.pc: use vps4 proxy 2025-06-02 23:21:57 +08:00
chn
2d4555757e modules.system.kernel: fix initrd bridge 2025-06-02 22:08:35 +08:00
chn
80b72bde87 modules.system.networking: fix 2025-06-02 19:34:26 +08:00
chn
70c53aa3cc modules.system.initrd: fix 2025-06-02 18:56:15 +08:00
chn
e6abe12bad devices.srv3: bridge interface 2025-06-02 17:21:31 +08:00
chn
ff6cb0c803 modules.system.fileSystems.nfs: auto enable network in initrd 2025-06-02 17:21:31 +08:00
chn
b8e5327c09 modules.system.networking: add trust masquerade 2025-06-02 17:21:25 +08:00
chn
e6e636ea09 modules.system.initrd: fix network config 2025-06-02 17:21:21 +08:00
chn
cac01d62a1 devices.nas: add nix-serve 2025-06-02 14:24:15 +08:00
chn
949cf6c326 modules.services.nginx.applications.sticker: fix 2025-06-02 13:34:53 +08:00
chn
04d6e0bc32 flake: set branch 2025-06-02 13:12:49 +08:00
chn
5884f26e5c flake: lock openxlsx 2025-06-02 13:11:56 +08:00
chn
7fed1fee7f add doc 2025-06-02 13:08:38 +08:00
chn
dc24c38857 modules.service.rsshub: use docker image 2025-06-02 13:06:56 +08:00
chn
3073c1ad9c modules.system.nixpkgs.buildNixpkgsConfig: fix ctranslate2 2025-06-02 12:54:41 +08:00
chn
5a534cd763 flake: update blog 2025-06-01 22:23:36 +08:00
chn
42b6ffe6c8 modules.system.nixpkgs.buildNixpkgsConfig: fix 2025-06-01 16:01:19 +08:00
chn
e8423a9153 modules.system.nixpkgs.buildNixpkgsConfig: allow broken 2025-06-01 15:28:27 +08:00
chn
ce94df1856 modules.packages.desktop: fix 2025-06-01 15:18:18 +08:00
chn
1768853fba modules.user.hjp: fix 2025-06-01 14:30:38 +08:00
chn
e5b982560d modules.packages.desktop: fix 2025-06-01 13:30:54 +08:00
chn
e8e380e469 Merge branch 'next' into production 2025-06-01 13:29:42 +08:00
chn
62774e052a devices.vps4: disable beesd 2025-06-01 13:29:29 +08:00
chn
656ffa32ac modules.services.nextcloud: fix 2025-06-01 13:29:29 +08:00
chn
c499715522 modules.services.freshrss: fix 2025-06-01 13:29:29 +08:00
chn
2eb0dedb04 packages.mirism-old: fix 2025-06-01 13:29:29 +08:00
chn
298bba7dcd flake: fix blog build 2025-06-01 13:29:29 +08:00
chn
5ddaf317d6 modules.packages: remove unused python packages 2025-06-01 13:29:29 +08:00
chn
b56f81fc23 devices.vps6: remove generic specialisation 2025-06-01 13:29:29 +08:00
chn
9ee1927cde modules.system.nixpkgs.buildNixpkgsConfig: fix build for nas 2025-06-01 13:29:29 +08:00
chn
918ff6641b devices.vps4: disable beesd 2025-06-01 13:01:36 +08:00
chn
7c20bab9ec modules.services.nextcloud: fix 2025-06-01 12:48:12 +08:00
chn
1c88cf7607 modules.services.freshrss: fix 2025-06-01 12:47:58 +08:00
chn
b96dda6f08 packages.mirism-old: fix 2025-06-01 12:47:40 +08:00
chn
01c1389c79 flake: fix blog build 2025-06-01 11:06:46 +08:00
chn
2c76ca9425 modules.packages: remove unused python packages 2025-06-01 10:01:10 +08:00
chn
2c1e466966 devices.vps6: remove generic specialisation 2025-06-01 09:44:20 +08:00
chn
82435ec7ea modules.system.nixpkgs.buildNixpkgsConfig: fix build for nas 2025-06-01 09:42:59 +08:00
chn
c26bdc7fd6 modules.packages.desktop: list dir recursive 2025-05-31 16:53:14 +08:00
chn
73b1e11052 modules.services.nixvirt: fix 2025-05-31 16:00:18 +08:00
chn
76c5317b86 modules.services.nixvirt: fix cpu pin 2025-05-31 15:38:47 +08:00
chn
ca3564ab44 modules.services.nixvirt: fix 2025-05-31 15:10:27 +08:00
chn
6748c57588 devices.test-pc: fix 2025-05-31 15:02:27 +08:00
chn
a8103fb3da modules.services.nixvirt: typo 2025-05-31 15:02:06 +08:00
chn
14683a9711 devices.test-pc: test dedicated memory and cpu 2025-05-31 15:00:10 +08:00
chn
22697b4caf modules.services.nixvirt: typo 2025-05-31 14:59:51 +08:00
chn
37eb856076 devices.nas: switch to minimal 2025-05-31 14:54:55 +08:00
chn
38f6f97c2a devices.test-pc: fix 2025-05-31 14:52:13 +08:00
chn
7662b92c95 modules.system.networking: fix 2025-05-31 14:42:22 +08:00
chn
7a55486bb2 modules.system.networking: fix 2025-05-31 14:36:51 +08:00
chn
62913af307 modules.system.networking: fix 2025-05-31 14:23:33 +08:00
chn
c96f02281d devices.test-pc: fix 2025-05-31 13:45:48 +08:00
chn
c76256de89 modules.system.networking: fix 2025-05-31 13:39:34 +08:00
chn
491ff62f89 devices.test-pc: test bridge network 2025-05-31 13:37:38 +08:00
chn
c9dce7648c modules.services.nixvirt: allow network bridge 2025-05-31 13:33:24 +08:00
chn
b0d0566b7c modules.system.networking: add bridge networking support 2025-05-31 13:26:13 +08:00
chn
5d6a98225d modules.services.nixvirt: allow cpu isolation 2025-05-31 12:58:05 +08:00
chn
533f2d96f0 modules.services/nixvirt: memory allow lock in memory 2025-05-31 12:24:06 +08:00
chn
5fc8a9f7e8 modules.services.nixvirt: storage allow nodatacow 2025-05-31 12:20:58 +08:00
chn
38ea01a1f0 modules.services.nixvirt: 移动选项 2025-05-31 12:18:16 +08:00
chn
b2cad6faee modules.services.nixvirt: format 2025-05-31 12:14:52 +08:00
chn
cbbb6485fc devices.pc/srv2: add lammps 2025-05-31 12:05:21 +08:00
chn
1f3d8a189e modules.packages: split molecule packages 2025-05-31 12:04:05 +08:00
chn
0a9eac14de modules.system: do not enable something on server 2025-05-31 11:56:55 +08:00
chn
8cb7807383 modules.packages: do not install a lot of packages on server 2025-05-31 11:53:26 +08:00
chn
5b11399fab modules.packages.android-studio: format 2025-05-31 11:50:12 +08:00
chn
dc61586a4e modules.packages.server -> minimal 2025-05-31 11:49:45 +08:00
chn
450fac54c7 modules.packages.nushell: format 2025-05-31 11:45:47 +08:00
chn
674ea92cf4 modules.packages.lammps: do not install by default 2025-05-31 11:45:12 +08:00
chn
3fbb32955e modules.packages.mumax: do not install as default 2025-05-31 11:44:14 +08:00
chn
1a196c3eec format 2025-05-31 11:43:05 +08:00
chn
71af517886 modules.model: vps -> minimal 2025-05-31 11:41:48 +08:00
chn
97be517f27 modules.services.nixvirt: do not use template from nixvirt 2025-05-31 11:40:42 +08:00
chn
ba9c67d7e8 modules.system.kernel: remove cachyos kernel 2025-05-31 11:20:56 +08:00
chn
f53e3d726a devices.one: use xanmod kernel 2025-05-31 11:19:21 +08:00
chn
f09d1f0717 Reapply "modules.system.nixpkgs.buildNixpkgsConfig: disable contentAddressedByDefault" 
This reverts commit 8babcc5185.
 2025-05-31 11:17:33 +08:00
chn
7f442b2532 modules.services.nixvirt: fix sops path 2025-05-31 11:08:47 +08:00
chn
32b47cd5dd Merge branch 'temp' into next 2025-05-31 10:28:46 +08:00
chn
df93212d11 devices.pc: use xanmod kernel 2025-05-31 10:16:19 +08:00
chn
8babcc5185 Revert "modules.system.nixpkgs.buildNixpkgsConfig: disable contentAddressedByDefault" 
This reverts commit 30c283523a.
 2025-05-29 20:52:24 +08:00
chn
96d507a5ee packages.sbatch-tui: allow set low priority 2025-05-29 13:39:48 +08:00
chn
21ec879c84 packages.sbatch-tui: 统一设置输出文件和任务名 2025-05-29 13:36:17 +08:00
chn
4c7c357aca update blog 2025-05-29 13:24:52 +08:00
chn
ce6b60b150 remove plasma theme 2025-05-29 13:05:40 +08:00
chn
30c283523a modules.system.nixpkgs.buildNixpkgsConfig: disable contentAddressedByDefault 2025-05-29 12:53:24 +08:00
chn
66a7da7c0c update nixpkgs 2025-05-29 12:52:39 +08:00
chn
d0836dd35e modules.services.xrdp: drop 2025-05-29 12:50:16 +08:00
chn
4516dd39b3 Revert "modules.system: dbus use default implementation" 
This reverts commit c027bb456c.
 2025-05-29 12:25:46 +08:00
chn
97f36d2e92 fix build 2025-05-29 12:12:48 +08:00
chn
2ded7a75f0 modules.packages.firefox: remove firefoxpwa 2025-05-29 12:07:17 +08:00
chn
8379b95651 update doc 2025-05-29 12:01:06 +08:00
chn
26d8e48e61 add todo 2025-05-29 11:35:54 +08:00
chn
125bab0ea8 modules.packages.desktop: remove kde gear 2025-05-29 11:15:55 +08:00
chn
1f108a4ffc remove yakuake kclockd 2025-05-29 11:00:02 +08:00
chn
1259ace667 Merge branch 'staging' into next 2025-05-28 20:09:06 +08:00
chn
1325418934 fix intel compiler 2025-05-28 20:08:33 +08:00
chn
780f86a0b7 modules.packages.vasp: fix 2025-05-28 18:35:10 +08:00
chn
b6495a02a8 fix intel compiler 2025-05-28 18:35:05 +08:00
chn
e171f3cd97 modules.system.nixpkgs.buildNixpkgsConfig: fix rich 2025-05-28 17:50:22 +08:00
chn
6b8ecc62c1 modules.system.nixpkgs.buildNixpkgsConfig: fix root 2025-05-28 17:30:33 +08:00
chn
ef71e54d26 devices.one: switch to cachyos-lts 2025-05-27 09:24:58 +08:00
chn
b1b76c2984 modules.system.nixpkgs.buildNixpkgsConfig: fix iio-sensor-proxy 2025-05-27 08:52:52 +08:00
chn
e110601a80 modules.system.kernel: fix 2025-05-27 00:42:16 +08:00
chn
cef3a1eb63 devices.one: disable kvm 2025-05-26 21:14:01 +08:00
chn
bb8442a458 modules.system.default: remove plymouth.use-simpledrm 2025-05-26 21:12:59 +08:00
chn
b8320c00a7 modules.services.fz-new-order: remove 2025-05-26 18:55:04 +08:00
chn
3d162ddfb9 modules.system.nixpkgs.buildNixpkgsConfig: enable contentAddressedByDefault 2025-05-26 09:53:37 +08:00
chn
ec321e117c flake: update nixpkgs 2025-05-26 09:01:57 +08:00
chn
29e15e70ab Revert "flake: remove bscpkgs" 
This reverts commit 39de1b5e9e.
 2025-05-25 20:03:06 +08:00
chn
eb3ec5828f packages.oneapi.stdenv: fix 2025-05-25 19:56:59 +08:00
chn
9ec5772480 packages.oneapi.stdenv: fix 2025-05-25 16:03:01 +08:00
chn
7796e96c20 modules.user.chn.plasma.konsole: set Opacity 2025-05-25 14:30:43 +08:00
chn
a5b9725b41 modules.user.chn.plasma.theme: set kdecoration2 2025-05-25 14:21:40 +08:00
103 changed files with 1195 additions and 1715 deletions
Expand all files Collapse all files

9
devices/cross/secrets/default.yaml
View File

@@ -28,6 +28,9 @@ users:
pen: ENC[AES256_GCM,data:XOKXV0YSFbHC3I3xO8fpWvYerNfVFg2afs+CUp2MZB+yt9KR5bTJdVOfUGldLbWH5CR4v5FxTrTujv24wJ710Rfyugxh9aFJ/w==,iv:tHLoO+XpdUk8S56QUiJQOpVO9C5epam9PMubMN+8fHw=,tag:H0srWRigNUedQMIAfJlfjg==,type:str]
#ENC[AES256_GCM,data:K6O0TIYYGZmM8iOwsQ==,iv:xtT8Psnoy51V9gsRo335+VT56FXTcMQ3d4/tnuWouew=,tag:k8irtZ33G3UFK++rzcmyiw==,type:comment]
reonokiy: ENC[AES256_GCM,data:fPKdOPAKbXUvK5Jj08T0iSD23mhhkTXCexgB5q3v5JS4c6V4S+W14WOkS4UHrMQls/rHslw0NyMzS5G27A+5vN+EN+xJZfuRGg==,iv:tSdNOgs61tyt7/hUKt8bfKvpq9qOQU14ligdxBs/ATs=,tag:6IoS/p2StKtFREIpxsWkdg==,type:str]
#ENC[AES256_GCM,data:cZznknXjlWF6eoEaTA==,iv:tdw/54W2evO1o5sq1syz3k0DZrm/rjflxqJpB9LZgvg=,tag:d60Ctc5YeSmhZJUURUmeSg==,type:comment]
zqq: ENC[AES256_GCM,data:iFtM0pxIvXPHBnLEfHdmYGVWXuroDLgUaAKF+DmuBdq1NY+pr33oXNJzckFZfWgpIOuCm4cNg5j5R6nsG+zk2VWdi2vuITT4jA==,iv:qfBC/D1gJYXOZ0Fy2DkAb+ImDgXZWU6R/Z50hbVDR98=,tag:eCr6lbSieWDCNaTYzoQ0qQ==,type:str]
zgq: ENC[AES256_GCM,data:cHYFToQ5ulEcb741Gg3X4lKj8ZJy1zcLHpkVQjQXt5hRAQtPsiPlegi2a1nUIAUb6sI//4ffcytlXpdK2sXewFe3ZiIXy3UVjQ==,iv:fKaPxpfh5ssOwAbmEsAPaQ45KrNtkHZb96IzWc6pD9s=,tag:Vt91B77SjxYaZ/HvWVBufA==,type:str]
telegram:
token: ENC[AES256_GCM,data:zfMATU2E6cwoiyfszV35vkQG6JSk00y589wmGEf4wQNncPhNsvh+NcSfnTwHTQ==,iv:Q46mUquhUZLGQsCDYitk4IPu24MpVnYmi7aHyZL/b1E=,tag:QVbrwAA9mWK/ToJfGIs9ug==,type:str]
user:
@@ -174,7 +177,7 @@ sops:
UnR5Y24rSTk3WUV1VUgvQUFCVUxPZUEKv/lTy02gZYn4jF1uGtm+LhJd0m59Xe99
+unmqUDh0ZqAhJU8o0jrBiWs1lXOHU7CkIom7tGEMHGUxHkS+Z/6GQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-14T01:17:28Z"
mac: ENC[AES256_GCM,data:r1FWYKz9aJtmhH7MLPqwZjG0W7LULScGd63CnIqsm2AbFIs6DgW33zDsgwrl1oblx/zYGda3irB5s1+otR38DU0VE7jqLYzHpb3eLsE986ZTwe9Tujy6BJm2Pyng60BJTTBwKU8awS2WpbTUivK1aVivNfBffQIL5Scv/qkyH3U=,iv:1USu0hh8IM2T/w1Fm/udGswPJcxKmvcG6XwlS2ku6iY=,tag:F/rZiGc3KTaNA0YtrWF3+w==,type:str]
lastmodified: "2025-07-05T04:25:07Z"
mac: ENC[AES256_GCM,data:x7wXcdExnf3grO9uS90dQMCSTgJiCyz5sdiek4EnYPsb/EVXfbzYnOo05T3ns8nNfQb6jCKBr/TZO6ZhOneaa/b8uZrG3c4EtDRVptm6+8PydgG5pv5ZiVLb83XR/t11xLWyzc8livLiTPb2RT0UglznOWCGPz20ULoI+JphGGc=,iv:iE7sRIyY2Espmaushcb0VJMjUZYhSGAqRdhmQRMkndU=,tag:0qsijRFyFshIKZTwVbvntw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.9.2
version: 3.10.2

3
devices/cross/wireguard.nix
View File

@@ -2,6 +2,7 @@ inputs:
let
publicKey =
{
vps4 = "sUB97q3lPyGkFqPmjETzDP71J69ZVfaUTWs85+HA12g=";
vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
@@ -61,7 +62,7 @@ let
# 所有设备都可以连接到公网,但只有有公网 ip 的设备可以接受连接
(builtins.listToAttrs
(
(builtins.map (n: { name = n; value = getAddress n; }) [ "vps6" "srv3" ])
(builtins.map (n: { name = n; value = getAddress n; }) [ "vps4" "vps6" "srv3" ])
++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" "srv1-node0" "srv2-node0" ])
))
# 校内网络

16
devices/nas/default.nix
View File

@@ -4,7 +4,7 @@ inputs:
{
nixos =
{
model = { type = "desktop"; private = true; };
model.private = true;
system =
{
fileSystems =
@@ -19,23 +19,13 @@ inputs:
};
initrd.sshd = {};
nixpkgs.march = "silvermont";
networking = {};
network = {};
};
hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
services =
{
sshd = {};
xray.client =
{
enable = true;
# TODO: remove on next month
xray =
{
serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
serverName = "xserver.srv3.chn.moe";
};
dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1";
};
xray.client.dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1";
beesd."/".hashTableSizeMB = 10 * 128;
nfs."/" = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc";
};

4
devices/nas/secrets.yaml
View File

@@ -21,7 +21,7 @@ sops:
by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-19T01:47:25Z"
mac: ENC[AES256_GCM,data:J79zVjfGgptSjh+ShPBOd+lJ9i+NuS2Uw7P4ZvF7xeahn7fbT8bercsBv1F1USwW2ituTBMZFmxaspGjAD+azEM2X7zSJnVtbKr+T9FY6i2N+kPIxdseyw93JLZ1pPTy9bQeXRAJYlJHyEw4zHEpMBbWSI88I+i43s2xkScwEuU=,iv:4Ge0dHPxa4zF++0eeHy8fH7t5ndFznhFAKnrV7WOOXs=,tag:+UG3b93zFo/EfOfCQrPoBg==,type:str]
lastmodified: "2025-06-09T01:22:01Z"
mac: ENC[AES256_GCM,data:OxRUW3e2SXTTdb7Iwvsf/UaHsTIVxohJwRIFExh5N/dJhU9Ui8omKBjkooiGaysrZEVEZNAWSp2zvTPXUdZrtW2fikyhF6Fsg7jUFFTqhV/sjYMy7gISbfkcGF9SuYGByuuySyXPqsfg+ESeBmMVZiqDSEPYJWu+q8OwThdhsAM=,iv:UnSfmuxcV+tr7wd59Xg0MG2QbP2uOshVhN5C++9ZSzA=,tag:cWiG85xv2OuiBOoAlvVBGw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

12
devices/one/default.nix
View File

@@ -24,19 +24,9 @@ inputs:
hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
services =
{
xray.client =
{
enable = true;
# TODO: remove on next month
xray =
{
serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
serverName = "xserver.srv3.chn.moe";
};
};
xray.client = {};
beesd."/".hashTableSizeMB = 64;
sshd = {};
kvm = {};
};
bugs = [ "xmunet" ];
};

34
devices/pc/default.nix
View File

@@ -52,7 +52,6 @@ inputs:
"alderlake"
];
nixpkgs = { march = "znver4"; cuda.capabilities = [ "8.9" ]; };
kernel.variant = "cachyos-lts";
sysctl.laptop-mode = 5;
};
hardware =
@@ -75,29 +74,13 @@ inputs:
};
};
sshd = {};
xray.client =
{
enable = true;
# TODO: remove on next month
xray =
{
serverAddress = inputs.topInputs.self.config.dns."chn.moe".getAddress "xserver.srv3";
serverName = "xserver.srv3.chn.moe";
};
dnsmasq.hosts = builtins.listToAttrs
(
(builtins.map
(name: { inherit name; value = "144.34.225.59"; })
[ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
++ (builtins.map
(name: { inherit name; value = "0.0.0.0"; })
[ "log-upload.mihoyo.com" "uspider.yuanshen.com" "ys-log-upload.mihoyo.com" ])
)
// {
"4006024680.com" = "192.168.199.1";
"hpc.xmu.edu.cn" = "121.192.191.11";
};
};
xray.client.dnsmasq.hosts = builtins.listToAttrs
(
(builtins.map
(name: { inherit name; value = "144.34.225.59"; })
[ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
)
// { "4006024680.com" = "192.168.199.1"; };
acme.cert."debug.mirism.one" = {};
nix-serve = {};
misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
@@ -130,7 +113,7 @@ inputs:
nfs."/" = "192.168.84.0/24";
};
bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
packages = { android-studio = {}; mathematica = {}; };
packages = { android-studio = {}; mathematica = {}; vasp = {}; lammps = {}; };
user.users = [ "chn" "test" ];
};
boot.loader.grub =
@@ -165,7 +148,6 @@ inputs:
services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
# 允许kvm读取物理硬盘
users.users.qemu-libvirtd.extraGroups = [ "disk" ];
networking.extraHosts = "144.34.225.59 mirism.one beta.mirism.one ng01.mirism.one";
services.colord.enable = true;
};
}

3
devices/srv1/default.nix
View File

@@ -62,7 +62,8 @@ inputs:
];
};
};
user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];
packages.vasp = {};
user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" "zgq" ];
};
};
}

20
devices/srv1/node0/default.nix
View File

@@ -8,26 +8,26 @@ inputs:
system =
{
nixpkgs.march = "cascadelake";
networking.static =
network =
{
eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
eno146 = { ip = "192.168.178.1"; mask = 24; };
static =
{
eno145 = { ip = "192.168.1.10"; mask = 24; gateway = "192.168.1.1"; };
eno146 = { ip = "192.168.178.1"; mask = 24; };
};
masquerade = [ "eno146" ];
trust = [ "eno146" ];
};
};
services =
{
xray.client = { enable = true; dnsmasq.extraInterfaces = [ "eno146" ]; };
sshd.motd = true;
xray.client.dnsmasq.extraInterfaces = [ "eno146" ];
beesd."/" = { hashTableSizeMB = 128; threads = 4; };
xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
};
packages.packages._prebuildPackages =
[ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
};
# allow other machine access network by this machine
systemd.network.networks."10-eno146".networkConfig.IPMasquerade = "both";
# without this, tproxy does not work
# TODO: why?
networking.firewall.trustedInterfaces = [ "eno146" ];
};
}

11
devices/srv1/node1/default.nix
View File

@@ -7,13 +7,14 @@ inputs:
system =
{
nixpkgs.march = "broadwell";
networking.static.eno2 =
{ ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
network =
{
static.eno2 =
{ ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
trust = [ "eno2" ];
};
};
services.beesd."/".threads = 4;
};
boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
# make slurm sub process to be able to communicate with the master
networking.firewall.trustedInterfaces = [ "eno2" ];
};
}

19
devices/srv1/node2/default.nix
View File

@@ -7,26 +7,25 @@ inputs:
system =
{
nixpkgs.march = "broadwell";
networking.static =
network =
{
br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
eno2 = { ip = "192.168.178.3"; mask = 24; };
static =
{
br0 = { ip = "192.168.1.12"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
eno2 = { ip = "192.168.178.3"; mask = 24; };
};
trust = [ "eno2" ];
bridge.br0.interfaces = [ "eno1" ];
};
fileSystems.mount.btrfs."/dev/disk/by-partlabel/srv1-node2-nodatacow" =
{ "/nix/nodatacow" = "/nix/nodatacow"; "/nix/backups" = "/nix/backups"; };
};
services =
{
xray.client.enable = true;
xray.client = {};
beesd."/".threads = 4;
kvm.nodatacow = true;
};
};
boot.initrd.systemd.network.networks."10-eno2" = inputs.config.systemd.network.networks."10-eno2";
# make slurm sub process to be able to communicate with the master
networking.firewall.trustedInterfaces = [ "eno2" ];
# add a bridge for kvm
# 设置桥接之后不能再给eno1配置ip需要转而给 br0 配置ip
networking.bridges.br0.interfaces = [ "eno1" ];
};
}

5
devices/srv2/default.nix
View File

@@ -35,7 +35,7 @@ inputs:
hardware.gpu.type = "nvidia";
services =
{
sshd = { passwordAuthentication = true; groupBanner = true; };
sshd = {};
slurm =
{
enable = true;
@@ -80,7 +80,8 @@ inputs:
};
};
};
user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" ];
packages = { vasp = {}; mumax = {}; lammps = {}; };
user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" "zqq" ];
};
};
}

16
devices/srv2/node0/default.nix
View File

@@ -9,30 +9,24 @@ inputs:
system =
{
nixpkgs.march = "skylake";
networking =
network =
{
static.eno2 = { ip = "192.168.178.1"; mask = 24; };
wireless = [ "4575G" ];
masquerade = [ "eno2" ];
trust = [ "eno2" ];
};
};
services =
{
xray.client =
{
enable = true;
dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
};
xray.client = { dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; }; };
beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
groupshare = {};
hpcstat = {};
ollama = {};
sshd = { groupBanner = true; motd = true; };
};
};
# allow other machine access network by this machine
systemd.network.networks."10-eno2".networkConfig.IPMasquerade = "both";
# without this, tproxy does not work
networking.firewall.trustedInterfaces = [ "eno2" ];
};
}

11
devices/srv2/node1/default.nix
View File

@@ -8,14 +8,15 @@ inputs:
system =
{
nixpkgs.march = "znver3";
networking.static.enp58s0 =
{ ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
network =
{
static.enp58s0 =
{ ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
trust = [ "enp58s0" ];
};
};
services.beesd."/".hashTableSizeMB = 64;
};
services.hardware.bolt.enable = true;
boot.initrd.systemd.network.networks."10-enp58s0" = inputs.config.systemd.network.networks."10-enp58s0";
# make slurm sub process to be able to communicate with the master
networking.firewall.trustedInterfaces = [ "enp58s0" ];
};
}

33
devices/srv3/default.nix
View File

@@ -19,12 +19,16 @@ inputs:
};
nixpkgs.march = "haswell";
initrd.sshd = {};
networking.static.eno1 =
network =
{
ip = "23.135.236.216";
mask = 24;
gateway = "23.135.236.1";
dns = "8.8.8.8";
bridge.nixvirt.interfaces = [ "eno1" ];
static.nixvirt =
{
ip = "23.135.236.216";
mask = 24;
gateway = "23.135.236.1";
dns = "8.8.8.8";
};
};
};
hardware.cpus = [ "intel" ];
@@ -36,12 +40,14 @@ inputs:
{
alikia =
{
hardware = { memoryMB = 1024; cpus = 1; };
memory.sizeMB = 1024;
cpu.count = 1;
network = { address = 2; portForward.tcp = [{ host = 5689; guest = 22; }]; };
};
pen =
{
hardware = { memoryMB = 512; cpus = 1; };
memory.sizeMB = 512;
cpu.count = 1;
network =
{
address = 3;
@@ -62,7 +68,8 @@ inputs:
test =
{
owner = "chn";
hardware = { memoryMB = 512; cpus = 1; };
memory.sizeMB = 512;
cpu.count = 1;
network =
{
address = 4;
@@ -72,7 +79,8 @@ inputs:
};
reonokiy =
{
hardware = { memoryMB = 4 * 1024; cpus = 4; };
memory.sizeMB = 4 * 1024;
cpu.count = 4;
network = { address = 5; portForward.tcp = [{ host = 5694; guest = 22; }]; };
};
};
@@ -87,15 +95,14 @@ inputs:
vaultwarden.enable = true;
photoprism.enable = true;
nextcloud = {};
freshrss.enable = true;
freshrss = {};
send = {};
huginn = {};
fz-new-order = {};
httpapi.enable = true;
gitea = { enable = true; ssh = {}; };
grafana = {};
fail2ban = {};
xray.server.serverName = "xserver.srv3.chn.moe";
xray.server = {};
docker = {};
peertube = {};
nginx.applications.webdav.instances."webdav.chn.moe" = {};
@@ -103,7 +110,5 @@ inputs:
};
user.users = [ "chn" "aleksana" "alikia" "pen" "reonokiy" ];
};
# TODO: use a generic way
boot.initrd.systemd.network.networks."10-eno1" = inputs.config.systemd.network.networks."10-eno1";
};
}

65
devices/srv3/secrets.yaml
View File

@@ -66,27 +66,6 @@ freshrss:
chn: ENC[AES256_GCM,data:Z4UmsXv1KiVfZMIQOEHH,iv:pF5lQLggkxm9y7taDVcp366JKp8U+8akNEdPA+Nf9Uo=,tag:0TajgUI/VgM3FxG1j6c/jA==,type:str]
huginn:
invitationCode: ENC[AES256_GCM,data:JDN913i+zf6+obWxrNAbgx1NJGPyewRm,iv:lqnjbSk46J0ZJN6ccbbiCiOK92W8fj2mWRwQHKqy2dc=,tag:UYZesryRlfAMo7xhKQ7zgw==,type:str]
fz-new-order:
token: ENC[AES256_GCM,data:JdMiu4du4S4fLg7b8LATG4g8NlahIFPvilGd1MsXNeMtnQs=,iv:fWBFYAVlfzi1dD/TpiA5N0JMY/LHTYPZGSh4sbK1BZc=,tag:LQTZe3DNk8xoy2+G4zld9A==,type:str]
uids:
#ENC[AES256_GCM,data:btt80rJcGg==,iv:DCBo36NMFiQO+dXom+AYTrSMYEAGCNXdMTJDIQVRlFA=,tag:LzoynD0J9surdmcFvVf/NQ==,type:comment]
user0: ENC[AES256_GCM,data:53ag/e8f4aVEkUVszd7MzxNpDBBIkqGMneASW9/m5xU=,iv:LEZoitbzvTFAiXKZAPPOok/WaKsuTWgvd41Rq4/FMP4=,tag:opV15bhvDF1FR0UURsm+Iw==,type:str]
#ENC[AES256_GCM,data:jXeZGm4rrw==,iv:hxZ6AU6FLzoUSJIeUh4zjuR6kvDfDhJCpvG47M+jRdc=,tag:AqMF7SJ96OEh0G8cgqvvuA==,type:comment]
user1: ENC[AES256_GCM,data:emM3ffDBmymM9367YJG0lvYpw7iRl24fHSd5G4C4g6U=,iv:sJ9zLlgU2zZGFpeuIZXtL0Dqvd8RwbKU/a6HFdZTnvU=,tag:L6M7H24DXMvV55pYRiX8WA==,type:str]
#ENC[AES256_GCM,data:gMDlZq2HXQ==,iv:hyJ2gkzrt0BZ3rO5rmz1tiS3jbrrA3VjpqjgPXQymjQ=,tag:aOWFyhuTjV9umsWJ0VjJDg==,type:comment]
user2: ENC[AES256_GCM,data:b4jqm4Xm9dU2tYqqddKcHYcOh0Ol9W309fpQPcG2cQo=,iv:EKUDKnbYX8MTqd/G4NaQUVZ4mZAw3GvAlDe7XIVvVZQ=,tag:+oO6MaA6PFVbnP2ahfAArw==,type:str]
#ENC[AES256_GCM,data:L0wkMIIuSA==,iv:j0LGq9Xe+Dru8bCwt93T51ZaK0ex/7CZJdBDn6jhq7w=,tag:EU4/62fe3p7QjpfSMAYHCQ==,type:comment]
user3: ENC[AES256_GCM,data:dWJzu6S6T598TiKqX48LUcT1BAc0/gVy1tAknkvmg8k=,iv:KWl/av7a3hj27p+S2hhe2QpcNMFGJPsnnCjcaqzjOqc=,tag:HQbtRPxO8OnfKIBqTDjKlA==,type:str]
#ENC[AES256_GCM,data:8/kYjPRSEA==,iv:etABb0TqNHhEs3/HGuRixEJUGhyXSTXI3cvhTTAUlXA=,tag:IfPzvdSamLcY1dRJls74GQ==,type:comment]
user4: ENC[AES256_GCM,data:F6tbn2WBo9HrM+fmtf70GrNJyZ6qJ2HrNdJG788zMKM=,iv:Dx/7MUJVZO61u/DqwrrqmWIVpx4Qpi88SMflCRvj7Wc=,tag:WH6tsk/69+EEz2DS1srrNw==,type:str]
config0:
username: ENC[AES256_GCM,data:DDGErXyt,iv:7Z3U++o930QhngC+NzNna32F2AKSWjEFnJYXY00rCM4=,tag:L83e1KTQkVwSWSwhTwTzYQ==,type:str]
password: ENC[AES256_GCM,data:Jy9Gbo0i,iv:ZthlQ0x5At9TUbh6MUiLkZUoVdCG0gp0SEyMtxKhnjM=,tag:fKmnopQ/sVFQsmb2ISOk0A==,type:str]
comment: ENC[AES256_GCM,data:lb51oO8l,iv:4Iac4P+zfa7/T+aq5429VbdHoK7+WZkj1nC+yPOoIy0=,tag:NRl5GjjKn4OHfIGDNh+3MA==,type:str]
config1:
username: ENC[AES256_GCM,data:/QlSea1D,iv:0gMEI2JJudtKHE9J7IlI8Hsfo0jQwCy2Ap8EXxVqUVo=,tag:2DnWRv1b2VhtV5wSnnOzqg==,type:str]
password: ENC[AES256_GCM,data:FHd4UPV2,iv:jI5BwcfxTBj2igdFUQtKS4LGnt5O96Kp3RPvnpXxFR8=,tag:Lfe8paHNQ44nRb/gk0oUbg==,type:str]
comment: ENC[AES256_GCM,data:QILd5mRa,iv:mmM6h721UIXTuRL7k9TDOPdRrqMuq5M8krz5yWR20Mw=,tag:ALpQZjR6W0X44rST8U74NQ==,type:str]
grafana:
secret: ENC[AES256_GCM,data:1Wfq8QmhzKBObdktheFPySzXYlOJzHWbYYQXgn3beLOwSlW9f7bUn+wIrRoj1e8WlFJkAU2xywzjzzy/UwpSYA==,iv:/0YoHTs54O+cT6VVt1U5CYXr2qEdY2kijOlnMZMW4d0=,tag:SD/IELlcgfS7p9NBEa6D/g==,type:str]
chn: ENC[AES256_GCM,data:8R92k7RH1491u6lfQdM0U3SG8TPi3vWhZyj810XSjnA=,iv:8v6ijLHgoTPT6MGoP/lWB+UEZCCgOpvfskWCJJ63Udo=,tag:k9SHzJ9d54Rny3n8EbksOw==,type:str]
@@ -96,48 +75,8 @@ xray-server:
user0: ENC[AES256_GCM,data:n6gIZGYdT6wEfKgizFvIE802AkpR8BpSPSZrQ5WP/aZWzLUL,iv:AxnwFOzmIRm3nTLpi8/4lkv+TjO4y4RZQtHO0GriD8o=,tag:nllDCaLZd6JNS2JqwvgVyg==,type:str]
#ENC[AES256_GCM,data:uhAauqQ1oQ==,iv:0Sr6YjarjkLmBq5H1ELb3SYBzrTVhqIE6qPxc9HYeKY=,tag:NvGGSY99Y7d3OTnpOr2p2g==,type:comment]
user1: ENC[AES256_GCM,data:EcEySx/n52rN5REPEWNjCuWywokvOetadbljqPpDPADTeeSk,iv:7r3CdvHJT1iZvx1Xn53It1ZxIkdLVIeQ+Q03zISm94k=,tag:8cIGZUlIhVgRc2FeU931kQ==,type:str]
#ENC[AES256_GCM,data:qbXmxTn+Mwk3zw==,iv:8F/0ELOwXMrKaigfRmwvGREujqNwM6XjIeaPyr6JS5U=,tag:PF/PAQCwzH7uOj+xgM0rKw==,type:comment]
user2: ENC[AES256_GCM,data:cA2oKqGsKuZyydMQspbSrWqsQIAde/VtGIPybC2gr3Bg355H,iv:YOj+6f6YR3Ze3x5IrqdqzXp9e3v1jdAu8re1Is6Q4eQ=,tag:n/CV6+PX/y+okpJwRraSDA==,type:str]
#ENC[AES256_GCM,data:VcLtO+6YWg==,iv:TWM3IY00V+LaJzk+E8ji/v7Ol4TCvSP/FHzFsV5MGIE=,tag:CijsW2O/AKpWgQUm6ipPeg==,type:comment]
user3: ENC[AES256_GCM,data:F3HK6znDEsN8UO7B9vBs03jyjqoQ+MGCcNJuOeglSBzLD2Hy,iv:TKBRe8Qmn9DL4AEilX20YcKbz6bydKsQUuUd5lyM2jE=,tag:nAyrTD4zkJ6CjLuj29zuJQ==,type:str]
#ENC[AES256_GCM,data:UFE3pg02VA==,iv:thT5OYPIHLIjKB7uiAk5vff8rtsgwncdo+U0KmW3uTE=,tag:qGWmSsI1mzg8ZbpunxBuyw==,type:comment]
user4: ENC[AES256_GCM,data:FYMQFFTCue+umBl5OwJvlZ+NyocsRbkycr+y1L6d6LPdR9px,iv:ZX9Z0dqmBvvXlz+oEYd7vQ5rW5lvmlc+bneDguQld30=,tag:y3d7aDWOtO0T3Yf5pGnffQ==,type:str]
#ENC[AES256_GCM,data:KuuPQQ==,iv:LGGqLFV4CnUMLWaNbHj6bRseetvdMdSOefV1FeYlJSA=,tag:wXlqKM2BuoMRZAwYbv5eOg==,type:comment]
user5: ENC[AES256_GCM,data:T5p0POx9Cnqdlp0blEYvAnRNIDOCNVdpOBR4rVQ1/07/rOCX,iv:EZx6ToeORzHoG+aEPi9oiTcwp4bOIAJpPUvemhYM96Q=,tag:aSS+RY5rEzr62mbE+JDanw==,type:str]
#ENC[AES256_GCM,data:tmlMaaDT4Q==,iv:zDBCjdBioiXGbJve03VcwCt81hiFxyKqql9rp6zW25g=,tag:cxedo8U2FICH5yMoPXwQMg==,type:comment]
user6: ENC[AES256_GCM,data:LzYfIXgZP0q9FpxDM6skSTiwOxEO+N5wuFq86KAazqe8zS/h,iv:Jh7bWMVr5U69L1uARLMUciWvv/aRjJJeEXvU5bo8e3A=,tag:PxesHErVSlkbuNeeRpQfEA==,type:str]
#ENC[AES256_GCM,data:boB2Ug==,iv:echGnXhoj2wX7GDj302nbirmzQFCqql2jtY0JaNyla4=,tag:7YnhNwCFZ9rOstanr0wGcw==,type:comment]
user7: ENC[AES256_GCM,data:s1O6GRn/9T9DWKlcXJTnOoAPZnPgHGBpZZcEDAKRtiYAI/5p,iv:JyaGsolN5WgQekPYxJiJbniuxLPf3+elHHbd3+ZrLtc=,tag:32wNUTqyyaKoPRQdB4U0SA==,type:str]
#ENC[AES256_GCM,data:cvG7WQcnwj+u9A==,iv:ui40+u9yE/Prksmiqed1NjuHyNP2RGtgSMazfI8ultc=,tag:he2F4i71Z8gFdW3fmRdhUA==,type:comment]
user8: ENC[AES256_GCM,data:roCYRvszJo7weozfIRoGgUhIs1f2a5/a2d1b/Iy6WEbbehOS,iv:tcOsL0SE4qMRPZIGOlzRIaMJvcapx2H9HK4D8qmSbIs=,tag:Z0skFdgtpjSR7jli3dwd5A==,type:str]
#ENC[AES256_GCM,data:IFXAXr0RVg/DCA==,iv:pKdnsUFX4XXJIZleA71fAfua1ibSa/2tgjdqnhbt/Rg=,tag:2Fv397j/uJDFZ/uvBxtrQw==,type:comment]
user9: ENC[AES256_GCM,data:5HP+OVmf+dsS8sDHakC7Yx1HVutMoTbITONHQiSvHw+17M9J,iv:TYDf7lx04pHohbGBbPJvOAoIGUKqil59k4Pt405/9kA=,tag:HUxT/uSR8sYCXQ8uX69Fqg==,type:str]
#ENC[AES256_GCM,data:7TJeKZM=,iv:FKcgDOtV417n1xmufqB3WENrbZ0V93sI5/XhiDYouMw=,tag:TchW2jgxZAXHvvMYY089dA==,type:comment]
user10: ENC[AES256_GCM,data:+u1KwJo3Y4enFM2RVr379GF7O6r9bWofUEZ2994IIC+Ce2NV,iv:ssKA5y3JM4tm+JdVznQFUAYmlrHaWd8hQXs6R/aEXN8=,tag:Q5uuM1sBZJRYBe4XXTL3ZQ==,type:str]
#ENC[AES256_GCM,data:O3qEWI+vFA==,iv:R7HLFRNszV6yXwciNfk/rTbDQYLmKsTCQFCfWIpJdfY=,tag:DjuM2a48/lDF11aLIf3Fgw==,type:comment]
user11: ENC[AES256_GCM,data:4HDGJq9nl8oGeQEo0XBEUiJweAaZ9yWc9Ib1TM91Djj2jH8d,iv:1i9/bZhHkhc8dP9Pg4gIRnCms61AP9VYxAG4acV3gpQ=,tag:vID9DEXZu3wGbXDqsLVEAg==,type:str]
#ENC[AES256_GCM,data:CdJubErTSg==,iv:UKn0lvbCzJnE241Tg3yjSx4xZNbp5sa/NfgIlRNU5z8=,tag:6FMGY6hbMQQFoN31z4e4uw==,type:comment]
user12: ENC[AES256_GCM,data:U+ynUYI+l6McI9oWF4PNiLUwvNowdseZ5gO8o73cX8MsXS2+,iv:r0KIBXczRkubZqyM/LUBPp/x9Zb/rvDJIKGGKkR3EfY=,tag:yn7806HD7ei57UtpuPjlkg==,type:str]
#ENC[AES256_GCM,data:3trgclrgDXhKUg==,iv:qyLmCBaB5ql950diUj7YlPi6P3a0hYH8adADEI0AGrU=,tag:Oleq79giA9/gYBO8Carznw==,type:comment]
user13: ENC[AES256_GCM,data:M6JXRrqnKrdihAA1aUg9zzJfhCK5TLLRf4wZkemnlHyaXnLL,iv:OA6i+BGYTr9gILE3jzFILLZvPRZeAvmSbXEStihN3aw=,tag:WcpTKRC8crDhzKHcxjtICQ==,type:str]
#ENC[AES256_GCM,data:VryB1AM=,iv:6FdWfpQ53bdpkXZ22gpy8GxKb1X7bak0K/Oa56mP7Uw=,tag:VBg7u7MSMl4Pr72W6ugYEg==,type:comment]
user14: ENC[AES256_GCM,data:g8y07VaxsuTs74L5xF/XDlmYetOfXFwHEr+FCHRtFLKwTAVq,iv:TjT49pTk97l3u1wGG7BmqZr/LAMC2765er3HGarOANw=,tag:zt1ojulNjWcuKIdix6NFJw==,type:str]
#ENC[AES256_GCM,data:Bawjfo3ubW1eXA==,iv:m2/ViC9AIZUV3Wl9EBYV5L0QQDw7QgXPpQ7WX22XpQ8=,tag:1wqpie9BuDi7BiDCvRIWog==,type:comment]
user15: ENC[AES256_GCM,data:2Ylnb7ZJgr3ha0rXrjkscPX9zJI2L9aydfL5Ndl2b9cJmVUC,iv:mu0GlGGXH4njmi4KzsvFSJN2zC5IcXVQ6oqVv2ClWpM=,tag:AIhnDqQehLyJY+wh7RWTYg==,type:str]
#ENC[AES256_GCM,data:uORLUE+excPAuw==,iv:K1Qch9qkg5T59+lcMC7vHWu1mnOv2dH5cOAZHX8HhgQ=,tag:chVMn/kb3Rr3f2igjbsAUA==,type:comment]
user16: ENC[AES256_GCM,data:D4lPjTb2kaYfUSCCRaMpGNtzLIfvPvfiJK+kkTQtSMOBglpN,iv:FCpHHBSKDYA+H6fgabNggXJlenzg5am5excBknpD1uU=,tag:FPQaBfLiZ5PBJa8gCpBfTA==,type:str]
#ENC[AES256_GCM,data:Cfs0Ul9BHWW/oQ==,iv:OOcRWmc7fy2RnE7+TtSBauKa1k1/unC1nFJ2SJ3yWqk=,tag:q6MjcXEYuep1eRw5BJspqw==,type:comment]
user17: ENC[AES256_GCM,data:2mzbUcGRye0cdgQxoTzSeKaM+m1dUPvKq61uBnGvZDFXrqQ7,iv:hxkruf0Xo1ZNJ/ym5YdLGJF5aK5nXZMJ46XC18Aksmc=,tag:KrUCTgDgYndxhi8QSYpGwA==,type:str]
#ENC[AES256_GCM,data:vHvpcqJaH2hPTg==,iv:S1WbgLU+15FMJr699YGY4f9r8wIg880tjJo6W6APhx0=,tag:F7fbA83eco8/Qd6u4vUMbA==,type:comment]
user18: ENC[AES256_GCM,data:LwZKy71ecB/E2EMIaUuFV0a7j+16EWo8LA9/0Gc8lpXAQpaT,iv:+cjrRDSvW7KFGDlpI6W+eDi3bux+eQl6NXNjnUoj7L0=,tag:PurtN+Vede0DNTQqbea1Ig==,type:str]
#ENC[AES256_GCM,data:rhbv9bL/0d7pGA==,iv:XvKiQWO72BfHhVRyti5ST9+f9tPUne2IcMNC08kD9r8=,tag:qhA6q4MrX3lAELrrGM8LCQ==,type:comment]
user19: ENC[AES256_GCM,data:jOyA913cS21eGwjUPY/XrQUBofoHwsCHghpmjzGx7cBzk/K0,iv:wXAnuSUhJ+gwGvMF7/YsfgeTHOvQC+S6rM5DzypvOuo=,tag:b/FsoypjkVYLSfyowNL2Nw==,type:str]
#ENC[AES256_GCM,data:Q48F7+SNdz7duKY=,iv:KIb6lIJWAVXKekBhwPztkySYDA7IP4jMjDsWy+waeFQ=,tag:s8hEz2zrh1ZXNKi/IuVV4Q==,type:comment]
user20: ENC[AES256_GCM,data:D6+eQdWO/W4P1ul9zQLpUQxqNA+kytz5ZHH6HmU/jwSuq3hU,iv:U4H7Ez0P3gWBLVeQ6O4PN4AmVP7Ij3oArhMmfT1BWic=,tag:l6TNsJFXXH/+yMcszkVRrQ==,type:str]
#ENC[AES256_GCM,data:F8qJksiC3Z8GbJc=,iv:yDBYQLUFFSXMn5Vo69rXzGBWzA+GkYw1qHS/ShisH7w=,tag:mnxj03thlYN5KhKDUO7hug==,type:comment]
user21: ENC[AES256_GCM,data:QeSxzBR6fLAyoUsA4aGKilYHcF42SNdkwjdwWZbxNvqZU6bf,iv:ocZGB4i8M7qM9Ypp3BUlGIdGL0AQx8NdO5yBZFLB6fk=,tag:WMFmljoJSnCU8BL/GfiZMg==,type:str]
#ENC[AES256_GCM,data:LxUne7UMT32f,iv:AyVaLB7Ni6HB5BE+InEG99TQsEzdQG7EXoHXC8PLGlQ=,tag:j5GoVfDsqoHypkxYFNPjyg==,type:comment]
user22: ENC[AES256_GCM,data:lzFvCb/zbTZs2jmYUfl3onGeWjBCdjxcIzAIff/fm6Qre+HZ,iv:eSiosE3eOrl7iLnOV41w+pwdtcske/4R1Bf1D1qxsOo=,tag:r69jFKp/FlxN3MEL5E6EXA==,type:str]
private-key: ENC[AES256_GCM,data:xz7xFt/g++E79bIl6AeBWATHDB+gHBIoXo5vdWTeyrAT1RtllgYie9k3Fg==,iv:x7fdmSINQA+F7a08jpuvCAg7vIZpsYaoX+EnitJMUCk=,tag:GAb/RRdAOlteIQPxeIMAXQ==,type:str]
peertube:
secrets: ENC[AES256_GCM,data:OR3OA8qJsq1gAYiv1rShNa8eODzIxPOpVbqbnseSCMUNx4+FeOgReTLl7cXHPxbBkrJbsfEq5XYm1QtRtxotdw==,iv:6vz0ezsFuCNsBduNhm4VQ+it6oEJF/eMxktVFhdXgug=,tag:hmW7BwF9C53SAHhu2HBLYg==,type:str]
@@ -165,7 +104,7 @@ sops:
d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-16T02:55:19Z"
mac: ENC[AES256_GCM,data:fsqb3NvXwyoGWfcJEV04XcWiifB/zEW+LU8twQ2sY3cZWR5KHAWgVXCXrCunYiSy/Q5nf+ldTgoXKdmNu1pVOJQQXRCY1q1y9MV36msAfIUc1hdkDlo2ka5+d4aBcpqr5nPo5ZU6GJ5by1p8WIPSOWCGfsqMMlKhIWJ+8YaqokU=,iv:cfveyxa/0/qKRHc6wsjAC9stZSkgF85khnp3LTtF+K0=,tag:5vVFg0isyJcg3Twhq5Ouaw==,type:str]
lastmodified: "2025-06-09T01:35:04Z"
mac: ENC[AES256_GCM,data:q2BolEBB6Ik8yx6NHnnE3Wcl2rGVZN86dpfLJrrFOxWd8fZyfBQ/00v4dUZSZw0aQoMj1V2RBDyVtScuRiH0NVb6+RfX+0t3zTEf6guuJdurczLBz9+D51+Th3KE1uk+UjI7J+Q/TOWTvoGMj8P4XZCXQsCDIct/vbLGqNB9CgM=,iv:/6xR7KXXLejm9Iuqcxc/7IqLEckNhmaJTKzJGonSrng=,tag:XdeCoEkHefw2HqTGSchUJA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

2
devices/test-pc-vm/default.nix
View File

@@ -16,7 +16,7 @@ inputs:
rollingRootfs = {};
};
nixpkgs.march = "znver4";
networking = {};
network = {};
};
hardware.cpus = [ "amd" ];
services.sshd = {};

12
devices/test-pc/default.nix
View File

@@ -16,7 +16,7 @@ inputs:
rollingRootfs = {};
};
nixpkgs.march = "znver4";
networking = {};
network = { dhcp = [ "nixvirt" ]; bridge.nixvirt.interfaces = [ "enp1s0" ]; };
};
hardware.cpus = [ "amd" ];
services =
@@ -29,17 +29,19 @@ inputs:
{
chn =
{
hardware = { memoryMB = 2048; cpus = 4; };
memory = { sizeMB = 2048; dedicated = true; };
cpu = { count = 4; set = builtins.genList builtins.toString 4; };
network =
{
address = 2;
portForward = { tcp = [{ host = 5693; guest = 22; }]; web = [ "example.chn.moe" ]; };
bridge = true;
vnc.port = 15901;
};
};
chn2 =
{
owner = "chn";
hardware = { memoryMB = 2048; cpus = 4; };
memory.sizeMB = 2048;
cpu.count = 4;
network = { address = 3; portForward.tcp = [{ host = 5694; guest = 22; }]; };
};
};

2
devices/test/default.nix
View File

@@ -16,7 +16,7 @@ inputs:
rollingRootfs = {};
};
nixpkgs.march = "haswell";
networking = {};
network = {};
};
hardware.cpus = [ "intel" ];
services =

5
devices/vps4/default.nix
View File

@@ -22,14 +22,13 @@ inputs:
grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
nixpkgs.march = "znver2";
initrd.sshd = {};
networking = {};
network = {};
};
services =
{
sshd = {};
fail2ban = {};
beesd."/".hashTableSizeMB = 64;
xray.server.serverName = "xserver.vps4.chn.moe";
xray.server = {};
};
};
};

61
devices/vps4/secrets.yaml
View File

@@ -4,27 +4,45 @@ xray-server:
user0: ENC[AES256_GCM,data:o2wxpSzoqsPxs6grgYRLtPutMVwSqtzUWBrj7+7QuWWd1a1z,iv:2/5SxXq8Iw4J/LzBeclHbkrZXHitguip0WN+MINym8s=,tag:v/3oly53ORM9XAwbOzp06g==,type:str]
#ENC[AES256_GCM,data:0nHZmEPPaw==,iv:BtOZ8/U0yg3fthHrwerNQX3+KD/H9+fcUylYGnZqiIM=,tag:DkFGSFfq//LmWfg6DGm1aA==,type:comment]
user1: ENC[AES256_GCM,data:7ev7GuKLeJbPReMy0FnX02fLv5nNCpxdzfnQyAA+/IviwDMQ,iv:YbESsyIAiEAyvrHnj9A4lITX7NtRkuRhCrTv6hoG9Qs=,tag:8uledxLXqpXXLBh+cczm4g==,type:str]
#ENC[AES256_GCM,data:3KN/1hzeR2I=,iv:iaqJJD6iURTUlIL8e8P7fsAzJYo+y3NGZXgWmPX+4ao=,tag:e8g/JgVrMrWJamUMpiv2pQ==,type:comment]
user2: ENC[AES256_GCM,data:58PnLCwDayOYinsPCYPeMvuKiF7b4tZtbmEJFWEl+2Nu6HL2,iv:hSv3jCtkLm4rrm/4+ot10CBhobGwtnK5db5wR1S/XrU=,tag:SQbynYp8pDSqj4tAK6JBMQ==,type:str]
#ENC[AES256_GCM,data:4Y00hDJ+8Hjq3Q==,iv:XWZYNC1T5B55B43tcuzzvOOFtHqZJ9XDuEaYQOO5cR4=,tag:5oNFsqUtSiv8CY6aHyGjNQ==,type:comment]
user2: ENC[AES256_GCM,data:MRMdc7LRYqgRsfKKW6LnP14g3JoFT6g7jzkXW8gIAeqypyoc,iv:tfPBD2FkIljz3xasYNJsj3vh2lEObrvSZ95FyCgWcTs=,tag:B1PQpyX24DqrPscL/pjZmQ==,type:str]
#ENC[AES256_GCM,data:gGd3kkNcyIwOXg4=,iv:vILDvtdvopPM8lZDDpedvtXYHpoPvPn1A8AJca41r9A=,tag:2LMImcmdyPKsQDloq7041Q==,type:comment]
user3: ENC[AES256_GCM,data:+KUVcqy18t6Fd+QNgB5DeZkNSA6lsjebO+xnzxzIjWuZ9UmS,iv:qugbmBv9jk1yfH2s0A0jla0DR3jkdXLVUeWGcj6v68U=,tag:4FUf/guDzPqgDcb1086WTA==,type:str]
#ENC[AES256_GCM,data:jCgKe0t2xQ==,iv:UE48L/JpobN6LUd6Z9RlsUGSJ1sHHgiL6xj8lPztwJc=,tag:xnwWLQm+GIUzsfBO/TXhrg==,type:comment]
user4: ENC[AES256_GCM,data:3yrdvbcH/ToAQpTLppSVp2FNGjatyBInKP85bAY9OrEtzhhQ,iv:4zvb1nzKjrCNWWKelOnDhsNBAC7Ak6ZpJlvQKqGJrgc=,tag:dBOTBJDJhJsKHKg/vGmpxQ==,type:str]
#ENC[AES256_GCM,data:2ptsDQ==,iv:dEzyk6NQcFZQPx8h/ViCqtRaQ/8dfMTVKBq+iguk6nU=,tag:11SLIAhtcHja4G9HUXr9Ng==,type:comment]
user5: ENC[AES256_GCM,data:NO9rpzFkySistf9++oXpo1tBaa4XtPtcCGR+2IWmhQYEH/l1,iv:OG+U0avgo9mjmU3soxRNL71ZC7Ee4ijpsJMRn3jYvhw=,tag:QuBFX2KHgNJ+f3RwqEH4+Q==,type:str]
#ENC[AES256_GCM,data:uTZDsA==,iv:6cxvQycfji/x+DW1CnO45r+yNTLwkhYkiJwDaSpUCwo=,tag:8pMw+sYeOyZBN1idHoM9+g==,type:comment]
user3: ENC[AES256_GCM,data:WCVr0ylGm2SHtOGulb8TD/cI2xJXrbvY1d6+STXGxf0d0izb,iv:vhNshb38AVpwKCFRwUVruCQ0SxhHrOmwQ+IoQZeUj1k=,tag:OfdIjRrTAuVZBOEXTtnrQQ==,type:str]
user7: ENC[AES256_GCM,data:Ie8M385wtRx8bWIdCupnda799kL0OLBsWdk9pHTY7IxxaZbn,iv:OrRYOkaC9uI9E1Eb8GYqmYr9VAUM895oO8NSdvxUPCQ=,tag:NZTUE4KnUjhg/auoALavTA==,type:str]
#ENC[AES256_GCM,data:Wwq+ypJgx6OcXA==,iv:dSvFz4I5tFx+ZVClxNGKwcbIQe7OY43OzAhqRiDK2TQ=,tag:CYUs1cJ/zqc+Y0yFec7Upw==,type:comment]
user8: ENC[AES256_GCM,data:2GyFDXIiAN3mTobwnY4czV2Egoin3B5Ih+aet3yT+krPTkPq,iv:NwrzO//HXwKMudgD+yK1hsj9o71RG6BfBle3logvuLE=,tag:WWpioPsnhHvVSrzAmN16Sg==,type:str]
#ENC[AES256_GCM,data:vVz6E2juGqXS1Q==,iv:9itEkwMsW8cqSzwV2EZtgJVgaW7aJJ5fw1rLuKFwiKM=,tag:9hRADkot8kELoYAgd6Dz7Q==,type:comment]
user9: ENC[AES256_GCM,data:HgSVrry+nKGW9X9N6h8hsI9VETKtSEi+/ZC9QvNZW4zETQxt,iv:ERgmCDPBpboA/+Sxeq6BvWoMxsv3Kkczqb/mbXz9pOk=,tag:bklzRg9toKy//6T8xdtbRw==,type:str]
#ENC[AES256_GCM,data:2sHxXec=,iv:aA61+cmDw4rHab7RuRRK3eUDx5d6gpmfw4RpQ6Nd0mc=,tag:H9kovJyn3Te3ir9X234VGA==,type:comment]
user10: ENC[AES256_GCM,data:CqrwaZp1fHd/WEGQH3xWI8DZ2/AavCqwTtwZeHmnrct5yoD3,iv:IBOHGQlw+uQt8Ryp/mCDcglfSPNXvvHOjNnrT+7nOHQ=,tag:tEkGEtPaOBK+P3LrQzOLsQ==,type:str]
#ENC[AES256_GCM,data:oB64XheVxA==,iv:Ci9apSqTHQ02IFhqVvlC3hO8yWRKELVtJE3H/CUgFyY=,tag:4uV2aYzzZAUW+OZf7QEVPg==,type:comment]
user11: ENC[AES256_GCM,data:pk9b5lFhuAfhKMcTUIdlx6eQHn+MJaPQEs6flmUhhHA2ygj/,iv:UGuPrxJPh+V7vSFjmgmBc9vhg7qye5SrNCFiiTcnDk0=,tag:D/B4PTafZe4r/W/dVWC2CA==,type:str]
#ENC[AES256_GCM,data:Rw4BWXZutQ==,iv:rXe2i1G/xQkpBl0wh6VIzaNoidCc3JL4sy6v5hcOF/M=,tag:2tZyH8B0ZL7XptKHk6TcAQ==,type:comment]
user12: ENC[AES256_GCM,data:CsbquwEn+iOKCzda8z26FYk2i5aPk2xzqGIYORiD4lotvnFE,iv:zHPmlT4LAc6NDjXrExze23dZZFIj0c1eR4WW74cu+qs=,tag:5MDFrZNgv54mK05ImSvpkw==,type:str]
#ENC[AES256_GCM,data:vqYkwGVcQ8yZbA==,iv:1ckVSiAgjuT/K0MuVHe8D2hHE7X2qxCHpb+y6nrFCsI=,tag:so9oFl6bXlJT2O+prplazw==,type:comment]
user13: ENC[AES256_GCM,data:KUraqncs8iPr7z+COfJ1z0TLNLlgctxy8FCav95+kkVXtStx,iv:Uv90bnVmmQh6f9pKOWmEKCul5VPxF7rrQ9GYrsCGPp8=,tag:I0r5o8xIYuq5/MIXSOHT3Q==,type:str]
#ENC[AES256_GCM,data:F2x+2zrePYDkCA==,iv:aTMeqvGVI43xLsN9submgciiJEjY4hYypJ9RJLIBYTE=,tag:quKW+MATVzRw1bda2jGjdg==,type:comment]
user16: ENC[AES256_GCM,data:BjnUUnNyqUvvPbfa1CeYvcVbMOwz6/Em4YhxRgmlicOSwro+,iv:LULwzjV5PRihTHNZFJ21IrDG3rW3qX4CYwF4Xu1KdZg=,tag:pZAI4OEx24d6h/h9JyQ/hA==,type:str]
#ENC[AES256_GCM,data:aka1O9hn/dZX3Q==,iv:rWik4cYtHY/Z3xQ0p/i49zTXVmKEQDV4OMn12UaQr3Q=,tag:hPm4bugH9RAtsykj0BJ0Pw==,type:comment]
user17: ENC[AES256_GCM,data:URZqRUDtG5FDrZDsmI7CFn4ilp97GJtgaVVB+j0dRUdtVGoq,iv:iUkcr6Oo29y5PIGF/GJRltn5DD19yEcBIsJAaYs43AI=,tag:gzSsjeQxvjvfFVkDHPkfvQ==,type:str]
#ENC[AES256_GCM,data:JkMniTrakuonAA==,iv:V5KmQL+C5O2mb3ktlm1ITjLaa1NxToQlyToqYbGme9U=,tag:UTZm05uyb5j0Pf9vuxyIxg==,type:comment]
user18: ENC[AES256_GCM,data:fFtnkBnaOktHaIfk7dN2U73UkloToiLvP3Pg2VAqPzvTE49h,iv:DZrba7RWmaeOQsqh3Kq/IuFS9so5u5ItK5WwV/65FYE=,tag:v+pOozYvrJJIsj7A/a3S/g==,type:str]
#ENC[AES256_GCM,data:gR0WsUYdBZBWjA==,iv:rnXZQaDNu+cEzneEa6/2pO+qUXl/fut8FJ3n90A6ATs=,tag:azNGPfWv+ZgOU/B5PMCVZg==,type:comment]
user19: ENC[AES256_GCM,data:S8VSoBIR/RqwctgYPtyIPEK2hXLr4LZ/jJvvFHA6CGgp9/Ff,iv:8eLCZEaiquwZyswwLkLoJcl7UPWTVYmQqZ2egAGFWWM=,tag:VgJiSt8eRcRhppMXkAkmKg==,type:str]
#ENC[AES256_GCM,data:vWW1bNyENgcspxI=,iv:xXCrjHyxVtodkVu/wgy1OrHGGm20nEd1iyparWcycYE=,tag:FRu132btquzXkiLXlnq1Iw==,type:comment]
user20: ENC[AES256_GCM,data:Wux6pzwor0B1A9d1y0QEpcNnYn1pObloHxghSONHcsQ266/7,iv:jWSuswV6vTQdL764I/zxFC5gkFOa5Qwj54rggmmZX7I=,tag:4hmqBTn0T3a6Sjt9lofwbg==,type:str]
#ENC[AES256_GCM,data:IJWHWxbhy+gxhxk=,iv:HzMi211JiVfHUhEJm+q/K0tCjUEXDhollUf8Bm+HVA0=,tag:P22Q/h+DUhhJayZftcvVfg==,type:comment]
user21: ENC[AES256_GCM,data:0X5x3SATZm25kVf8cu7TGm2t95DneLAqhP16fRQCtROzyZyg,iv:dmlwRmubnRq2fNdNz3lVlAVYpPjVHkFm60IvPcajjds=,tag:eDJYYf3eRw+FxfaHiRDk5Q==,type:str]
#ENC[AES256_GCM,data:O3ovvRYzFrQY,iv:/Zs8e6u7wdp18AacZ3WWBvn5PDtXDnQ6ZyqLiyYmvAY=,tag:HmhKBI3aRCIR34vOEnv1iA==,type:comment]
user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str]
private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
acme:
token: ENC[AES256_GCM,data:JBeN7SVxKGOe6er0eS7/v8YrXdv0nCK/KZc8Ygq0G7FIGu4hO662kg==,iv:rf59MgUCYlAA5h18wtdWoUyb2VPB13OPuJjz1VsI2dU=,tag:ViPrwduD8aWf8i8vmBG78A==,type:str]
nginx:
detectAuth:
chn: ENC[AES256_GCM,data:lQHDpv8/Yl5/nycHoeTnCw==,iv:ernNxRpcTOSAllDpqRFVFg3qEw/slEEPPXDFq1AhNL0=,tag:2AVALUf9cDyOgCqI9wwgQQ==,type:str]
led: ENC[AES256_GCM,data:zyCiiH21,iv:iEYyNClDsCpWE2oNjt2NqQZ88xOOlMr0yycjKTPdmlw=,tag:kQfbshXfTBA5PtUAgpgCcA==,type:str]
chat: ENC[AES256_GCM,data:pXu0WPWmvUzvl2expDpQPqWwi1A4abg72npsaYXDXRcg6aVU0Ec+tgM2+uz2hT9rh3mNoBxadYXDc/zeOL1UCg==,iv:iln5UGGBK2s5pGS03PtolWTkx6KrnYBAWCFnI0V2Bag=,tag:EahTDoPIBkgWnp4MOoTCmw==,type:str]
maxmind-license: ENC[AES256_GCM,data:8OioibcXQ9IZ0OQhJ/zHSBQjfdHzkoqwUx5zR8Zq0atNw6SSf7vKrg==,iv:z6WTI2yeqP0h7EqKG114nRQpFVJlNzZspgS6gIFtpt4=,tag:a0dBt9pXJnncBiSKt9dsAQ==,type:str]
telegram:
token: ENC[AES256_GCM,data:Si6yTh48HpA8OkkkvgHwtJYFhF8tW3oaQbldjwBc09QJxp9AoKgASMnZtbDZYA==,iv:GrNyZXjaZMviSjy/LGHHrYTr5PFvDkCXmT3MU4+SLpc=,tag:YifB1tKFLqsgXB/YLqYK4w==,type:str]
chat: ENC[AES256_GCM,data:ydPky0W4ZWqn,iv:uWQrZDz2GCxiKRaijM89Npt0fQeSNHbQzDefkZCkUAE=,tag:OJQwV/889Vp2/4wjbN41JA==,type:str]
wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
enc: |
@@ -44,8 +62,7 @@ sops:
Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-25T03:19:55Z"
mac: ENC[AES256_GCM,data:v6yb7ZYcnPw/8SqEJnSWzmlE17PenjnBH2X8HZp+kIDXzNFyNvD19FcbCBZjwyjBLvN1ZF4M9FS7Y4+CvvMrN/4JcFufcY/V1NrOd8IZisfAT5N3WuopPee4IN9WEyPVOsbFnesZo6/wJKuqlV1UR8UZxCd3/wHXob9Lkz45cBw=,iv:XKIUiRfP0lj8V/Z1HbvhBankdcAjQqM8Way6TWjJJMY=,tag:PLYsVj6BmR132oWsxEKnfg==,type:str]
pgp: []
lastmodified: "2025-06-09T01:35:34Z"
mac: ENC[AES256_GCM,data:40uhvaJNu1ELo6xHYECEOTE0lVcrcMmZKJpLmE28D2pyXnl6UQza0j9O7944+Ii+VroSvm7juB86gR8/x6URabQF0l2HTiYtBvyPicxdobB209i5JSULiCUe1zlfz8WyQ4VnPAJ9SJny59ucMYxMh8RM4UPtXWLs5whcqt5ooSk=,iv:5odm078cRXnwTA233NV7edcYTfMmTLFLrGRhE/oi8SU=,tag:2t06LMMrRkmbAQbCad6URA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.9.0
version: 3.10.2

27
devices/vps6/default.nix
View File

@@ -22,13 +22,12 @@ inputs:
grub.installDevice = "/dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:0";
nixpkgs.march = "znver2";
initrd.sshd = {};
networking = {};
# do not use cachyos kernel, beesd + cachyos kernel + heavy io = system freeze, not sure why
network = {};
};
services =
{
sshd = {};
xray.server.serverName = "vps6.xserver.chn.moe";
xray.server = {};
frpServer = { enable = true; serverName = "frp.chn.moe"; };
nginx =
{
@@ -63,10 +62,26 @@ inputs:
beesd."/" = {};
};
};
specialisation.generic.configuration =
networking.nftables.tables.forward =
{
nixos.system.nixpkgs.march = inputs.lib.mkForce null;
system.nixos.tags = [ "generic" ];
family = "inet";
content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0"; in
''
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
}
chain output {
type nat hook output priority dstnat; policy accept;
# gid nginx
meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} tcp dport 7011 fib daddr type local \
counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname wg0 meta mark & 4 == 4 counter masquerade
}
'';
};
};
}

33
devices/vps6/secrets.yaml
View File

@@ -7,44 +7,41 @@ xray-server:
#ENC[AES256_GCM,data:OVgDU+zqcQ==,iv:8KuEqBuL5Ca6pUOFFA+vySJx/h3BhGAAC0CgnxiW46o=,tag:TY1MajSSy2RjKVI2SSAAFw==,type:comment]
user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str]
#ENC[AES256_GCM,data:OQOPobpbbhajgA==,iv:4jG3bHKzWcR+JnvSlJsc0Qlv5kywqVN5UE96J31CP7Q=,tag:P+jJkRxPu99tLXyO5k6dRA==,type:comment]
#ENC[AES256_GCM,data:s6BwbmIwmC1J+vA27pPGh0Q+Rmowkd8ES3hYOny3vX+tjWtW+qiWBz2A9M4=,iv:XXPPaVyP7fEUhNJay2mjjC2f3Vg3wYtBUDoSYQt1Iew=,tag:B2WAfg2Oqwp0t0gE7Jdq6w==,type:comment]
user2: ENC[AES256_GCM,data:+MKTpaA8hO8q0kyY0V1csedLOtIf760Vr0+WllGe9lgMJ5da,iv:5txOM3sFOhKVX4EVozb8XHWLU0fUNxCF9YAwTYaTL6c=,tag:jkgOVgiEc5phY1XNETsdpA==,type:str]
#ENC[AES256_GCM,data:m0iCqLI8ELaPb9g=,iv:bsh7JHILbOZJ+bgGr0U0rDanjUVGgDzYGhboezspEjE=,tag:o7A4SXoCXk5LXmZ1bidg/w==,type:comment]
user3: ENC[AES256_GCM,data:r+6jXaIj4HJoYLnJcnjJB+WEZlGaoSy/ktc1Aw77hFtNrrGp,iv:P+YUKns1yaOZokH5WkDB0jssGyHg3ncc54tF1PyA7Oc=,tag:/pxMEr7l4ye5EDAOsllxJA==,type:str]
#ENC[AES256_GCM,data:4gqZh391hg==,iv:No22DrD6EBs2FA4/qH8msWEjs20fc+ZpEeZep+HIv+c=,tag:aHrYNbI83POI4PRj1nd+Yw==,type:comment]
#ENC[AES256_GCM,data:RVChRrOl3R8DiKPS7yduAu5RG7d4VkOZ5akRTp18mK7Hz/xQ7FpxlNqGJcQ=,iv:j7naYq9tD+G5dDB8+hyUVosA3p2O4wlkcxIBlO7hRdo=,tag:TvlSmZwTDGLCX7qOR5Clhg==,type:comment]
user4: ENC[AES256_GCM,data:/kBaGAqbewLav+WCJPHm1py3pvb7bA/YO2DeBP2FTCZv44wA,iv:iwxV6KHu00oITH/58kBFmf43lkgTU3BHJ/kb9FPnRSE=,tag:ns+6Dvhf/D15bZc0fd6zLA==,type:str]
#ENC[AES256_GCM,data:AzzKMw==,iv:Z73ISOLhPWP40wTy8PucY3KaB9nS7WQECK3tZFYC1ao=,tag:KJuiCODhHyDl5bXInUSI5g==,type:comment]
user5: ENC[AES256_GCM,data:iDuLRb4dhLUOjpamioMwoTYrn7Cy+Ln4SaedVXkwVD05rjJ0,iv:AqzBBvLpJuIJCUJq0IyDcHrlqb0e84nQC0c94Rj85uw=,tag:0xou1i/iwAxGngO74OIMXg==,type:str]
#ENC[AES256_GCM,data:nTsDaAIVIP28YBCw0XONqWoYziAYhszJhLBlJfbFM6w2NB0nQcYWAanhkkA=,iv:rezGcsfxcAUjTtBFd099TDrV+K59cb0gbJCCVqH+nCA=,tag:5g2Zl82MNuHTf12Tb0GWcg==,type:comment]
#ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
user7: ENC[AES256_GCM,data:H/jje9ONEY6XuBXTZmTVGIcWUgGSMf5OB1NNRPtqGCgRP1ei,iv:xew+0BkRqz3nfOoBXTPbBv5hRczy/3tgYSKq432q4iw=,tag:da2ljcffiCVJCsMZaNPZyQ==,type:str]
#ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
#ENC[AES256_GCM,data:hG7EUK7V9QObh7rHKtgTESwNLOf16WXoQrCAAEiK8Nzsr7atwh9DqNIJAww=,iv:3zAY7CImCzvNmsVK/OG3VgYSUL1wdt+keYtuskGO7Gg=,tag:7JeGHrlVkAUOX7bhd8UJaA==,type:comment]
user8: ENC[AES256_GCM,data:AnZb12dioiCamubOb6fsGWoM55zfPMeRbu+j8bRRcMfSQFJf,iv:rB+4B11JFC0oS2ExUW18f5WvhnE4EuHh3IiEyxWeY3A=,tag:jt+3yxDvhusvB8ppbdAwzw==,type:str]
#ENC[AES256_GCM,data:aYWIiLxs1UvupQ==,iv:AisokHuAzD5B6fEF6ak8WfAe151CM3a8MsaWC4uJPnw=,tag:cdk5S4n9ulyWrqsD+jcqYg==,type:comment]
#ENC[AES256_GCM,data:C6ri4a3iCXf7I3PWSoPk1y4143TTFugot1MMxdawWxGyfg/P7SYUBMs+T0U=,iv:v2lCOw+p0hJhXNsUpTSCvqNSBtPaPJGMrk6ukJYtB+w=,tag:WXq9rUYDQKN/cZzZ7CFQvA==,type:comment]
user9: ENC[AES256_GCM,data:+SA+VcZcy5ckuS/46Dn093VvuqxrIACuqMAMx6Ko5yw0DVdW,iv:TeLXb1WI7uhcPDkXYSlKIxdE6Kz+nCnlB+ZYpWcaF4I=,tag:YB0sPD9yHMARhiMJs7JKcA==,type:str]
#ENC[AES256_GCM,data:eCl1bK4=,iv:oYA2CFW6OGGrRYx6OHRYJpbEyFh575UjztvHaXA8UG8=,tag:Pw7xsisQB2Dd0KJeWFq6bQ==,type:comment]
#ENC[AES256_GCM,data:Gs2pJl4YMPRBDZCmd/1ycXJcArdIb8cUAQ+09OuRm7z/x1ATc9xVr7dE+C4b,iv:JYf4sTzJh7PoQe5yFAC60mJ5zKUIof7QKm5jMfiF5xE=,tag:/CJPT/OmblQvzqkQ1VCP/Q==,type:comment]
user10: ENC[AES256_GCM,data:Pec0CVGia/ZIaq7WerZlr0/waJ/Ev1OKwt7V3PBxBSFMLi7p,iv:wYTdhv4Xoe58KBIwV1vk/V4IcdVzQrBgmzGaRD7qHQs=,tag:IZVt5LmjTUge8XntujJlTA==,type:str]
#ENC[AES256_GCM,data:+s3MMeNU5Q==,iv:CUrg+nNxCpJFbHQmMNXmSE+JcZK6Dfu8cGwtznx3CFY=,tag:G5CYMtao+hz3hs0fPVPmcw==,type:comment]
#ENC[AES256_GCM,data:JOabknMamJFImHErEcsrAMuYBXzJkw/Gm0+6rWrer2ePsoOakN/A3ByCPzwQ,iv:wnUFMeGfkUMkkpJBrFswy1SwJzVBDehEoilnzb43MgY=,tag:sXCKkiwtDp9v7ptpuAfOhQ==,type:comment]
user11: ENC[AES256_GCM,data:IFIVzbnZCyn0j7AG0ClBT4byyZyVtRk1JqlWsojqPIVenek2,iv:ONdq1qIXG2kbAjuM/tHSPxce7oD/MHcBw1pBYm9DlEk=,tag:OuzeX0K+fSO7jWadb1uSRQ==,type:str]
#ENC[AES256_GCM,data:spyQkQIHwg==,iv:7+0DUK95MPH7lpr+GMbbLu4/5yA11/4gTuLhQKlStfE=,tag:G/gIXML8UhYoCi9FfoTvSA==,type:comment]
#ENC[AES256_GCM,data:LRRsL6u+FH3jHa8UAhEXrb3UTQss9piBle2aH2xuuFw0cupmRd5PlSOBIbvQ,iv:0cccpn4bWkrla6COI5g6pDDW1JoVK4UULYteXoJp38s=,tag:+EFlWxGIw7k85Q2RIL/YHg==,type:comment]
user12: ENC[AES256_GCM,data:iTZViWyKkCU1y6mvB0NzkXf3I98U/+nCs21ZD6M285YKaU6q,iv:vFgA3sv/7ENcw3gyJLiiHLwroXtVJjAxZXViqjXF3mQ=,tag:u3b9Uu6TIPPYX0TW5X5Sjg==,type:str]
#ENC[AES256_GCM,data:HueqiREBet2bxQ==,iv:WCjTAGg2gXgBSvY3zc/YyB/1X0XjvphPduVXLsjOwH8=,tag:wC+On6lyyYQ1Dt/BHDvONw==,type:comment]
#ENC[AES256_GCM,data:JFKeeVBSBO8pWttZy/fTX1YaVV69Et1GmHVDLZ1E5vUY3BvajjjS04t7V5TG,iv:rZJQTe5+YgJ6X6uPoQcpTw4AF+gQCVSMe7maFetLEPg=,tag:H4ravqgOgQYgVXMayv7tXw==,type:comment]
#ENC[AES256_GCM,data:R8lN5T0=,iv:FXLf8Vtjg+PkwNhxXWDViMKqwn7tFMaPhio9zhnudZw=,tag:34gxRH+P9lmkUxlOPKcYMg==,type:comment]
#ENC[AES256_GCM,data:dpOaSMuXhIiwb+yD3TgOIKkeWBusQvqHbj4PuvH/anF5/P8JagplDpBSIimJ,iv:PkVIthbA21sFC4J4VmwZ/1HZqA6qbjVPnJoRszmeVbs=,tag:PcXPRYLzuC9F0YfNT4mi3A==,type:comment]
user13: ENC[AES256_GCM,data:ID/A7yCWQIWRoU7Emhel2ASZfTweqXYmpC5q6Fm6ptD0XfCu,iv:YrFjIilO4pH+QxVVDTqwkufj2VSC38y9lAJfD8w522I=,tag:1v/T7vWeh0LMi0OL0FVs9g==,type:str]
#ENC[AES256_GCM,data:4jJkbMD9Psxrag==,iv:arRtRaNrqnYcT7vE3wqgl/y8/65ORaxqTdGw55AKDP8=,tag:pRpta6mXfy0XCyzMA4+cEQ==,type:comment]
#ENC[AES256_GCM,data:DeWybZ68gAH4cukohO+OQqeNrnRlUdclGHFeH8aBcn0aq1iWh1UCgtiT5xXd,iv:HYq+CiPWCswr+7+uwUblN8N6T38WU/qu9F5VzaLp4Gg=,tag:YKunlBxH4H71FRSuPxR8Uw==,type:comment]
user16: ENC[AES256_GCM,data:esInSvj+a90TAl+b/n9m2iJsH7e6tlQRwSsoLBCy8KA9a0Z3,iv:U4c0pZzqS1s5H6XW3YRSCvDhtxnwCnyKR/tObefX2Rw=,tag:YtY/t4xsmZaj4lC39XQ5SA==,type:str]
#ENC[AES256_GCM,data:/Kec+CdtnT11EA==,iv:DnmbWfgriaE6XAnMqq2UXhHhN+Rd/3YRodKVUCJo6p4=,tag:NimqZpbslKxwzoljaZqEdw==,type:comment]
#ENC[AES256_GCM,data:tkJTZZjJfQdU0EDQw9mmc1GRlSpqdwOdsE/QCw4BedDbixjElKqUC5MPRR/b,iv:/3obljBcGiXJfzlTQivkVcaWWcsiqokuU/DmUTchpwg=,tag:E80OLtqoM5XuGk2/xYBYKw==,type:comment]
user17: ENC[AES256_GCM,data:6h343SreoMqz5ZHkdyDI/je4v10r5zBV7cWc6Pj4x5sI2cvE,iv:7WSikMxAZJUnv3+GPq40d8r9JkKRRH/SPW5F5fy5HHY=,tag:6h5Z7+WXT/dLNeEIrC0UGw==,type:str]
#ENC[AES256_GCM,data:h7E4P6BiGjktYg==,iv:DhkK3NNppBqo3sXt9U7kbgfaBPYcSEX2hu6VOAesDiE=,tag:XoVbZklwCmU1EBhv0ujcSw==,type:comment]
#ENC[AES256_GCM,data:LXBBph+nPScs6CSHPKwMSvcgFtWrmcOHEhhDZUNClb/7ixJFno82QnRwrnTp,iv:00I8csKFj65qeK8RPbbQ18oQZBrYKeFV3eGwfFXyGDc=,tag:uWUPNfu5Tmqr2LDkijc5cA==,type:comment]
user18: ENC[AES256_GCM,data:HJj0e6EHXEYmDXlZcS8UlfEQo/4y47w3sYKgb2Ojq6E4vMdE,iv:xThlGl/DDLLgoY5VkBSCx9HIvxy2ZlO5Q987vIMu0lA=,tag:gB07jP6Do4/6RmVaLB3Ecg==,type:str]
#ENC[AES256_GCM,data:qGsMmWrUIzVdHw==,iv:DXayEA5zquwOzm+TqECYNHM98r0WSzcP3gA8zkzdPy4=,tag:OKTx12RqP9VxJQOnrBLkmw==,type:comment]
#ENC[AES256_GCM,data:ttTvPgRtQ4tYmYBSNaO+Bbs/Kz85vuNX+2Od4cOG6yD9yqrSdfLRwVvedVol,iv:ZWZX5rytwefvte/NgNlmmp9FN9vuZ62KVhVgVwX+g7s=,tag:uXx87i/ly6GkLgXA4+QULw==,type:comment]
user19: ENC[AES256_GCM,data:unW8dOhNbPNLWd7X2prpD82tcqUua7msq8nX3ykFs8STsuto,iv:OLaZ9XQDFGaA1VENgsSn/3HQXp957Zf9MD9GPZ4KLE8=,tag:UK27LK+De3AzbI2mEIsQpw==,type:str]
#ENC[AES256_GCM,data:1g2gohLbiixMes8=,iv:E3HA6cAdv3BdLMcrrcWW4Zsc2KLtW7L8Xrk9Z57l49o=,tag:rZ7W9ckf7lzJ23u5zwQiwg==,type:comment]
user20: ENC[AES256_GCM,data:3UbVnn9oMRc0zZR46tWxwM9VFOvMOYm690csUomEVBcS3xPm,iv:KHuPXttLAFr7WT/qa/UYLY8GRsPWYZPyKNmdUh4iFQQ=,tag:jN8rQ0Gv+qnhwOWGH+CwlA==,type:str]
#ENC[AES256_GCM,data:GzxXsTbEvdHV7A0=,iv:uxUG4hnYEsmJtnqbEwamwhtLt3UClt7ktmkGyAFdxsc=,tag:sF8YQ2cejAezI3Bbp9qKIw==,type:comment]
user21: ENC[AES256_GCM,data:hgDJ11crZaWcKrc+ZDQklXwpnvt/sMbARkx3sLZfQGZqQZeA,iv:2Re+hdJuT5yg/qTymfpN+KdU3criOmwuqqg+SHb8iAo=,tag:s16N6u5cRDaoWxnrCkamuw==,type:str]
#ENC[AES256_GCM,data:U0CcBBJraJj9,iv:9kuHsHkSDdDT0Gi/3Oy608RArrg+4cgeii5zWbsGuPA=,tag:EvqqMNvNcWBwie28t0+52w==,type:comment]
#ENC[AES256_GCM,data:FnindYeqk6g6aZgajHVejfHPqeF+uSX3QzbrDS6XLZz52aQF5ZQSiJQCaDha,iv:c/mrS0jfy5EzQe4Tkm0QqBH9/okJnCsRZFGhzSjeit0=,tag:e5otDw+I2d7moybCx4jeqw==,type:comment]
user22: ENC[AES256_GCM,data:LClSrxtBzuJUD4J4QaYXHUr8XSi+N7Zh193j/YeBZRm9sjgf,iv:djiq3+iVnuKK2HveoCm/j8FezzrHRGnjbyoO6iGm6eA=,tag:N5hqYyvJGxnwT8wbxdnjiA==,type:str]
private-key: ENC[AES256_GCM,data:ts/LRGFAsYqvGvkvlxUI42IW1a8cGsSkpZhMDd3QVceRKvhPb1SRDaXoSw==,iv:6xX9xFIFUNlLBZ6CPBOz9JbHpvC4+QG9ZaCZcWdl12c=,tag:DYIa+QTV8vyl1l7OKKykTw==,type:str]
send:
redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
@@ -71,7 +68,7 @@ sops:
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-18T07:37:52Z"
mac: ENC[AES256_GCM,data:nfUU2BsDuErJGm8sVB9shRv4N+cIFZmAF1vWF4iZmcJwjP2PekVWcp4COPAlapy5oVhMutr39oW6VsltTR27jVxhI4+dueurMU7KRLD5Bwpk5hQmMAfZxvl4GaP50zehJbCwfApiX9CcjwCUxUjraTs4rG6LK2+8d5Z0PYosm2A=,iv:TR63cpbe3z0K4bWpbEnv/DE9jnAJV1Zv+Aj0HXoA16Y=,tag:fS78JUapMvBtZCFtM1z07A==,type:str]
lastmodified: "2025-06-09T01:33:33Z"
mac: ENC[AES256_GCM,data:sRZaOvmwZqoxNFKrWtY19t4As7CEu1kXNR1XWO1uo28KEWQJ2n9HLRsdinjG70j/bFyTkXXiBz6Vlhx2RkdhHURKxe/UKuv/5szuGV/aE0NUGu+jYIaSbbIZpv1FkuUYuRFbuaSJnejEyQYW9ahaJYAJgXutqMY/e4xgUJ7Ooeo=,iv:PvAvKe/23u+aPP2moiNrkEqi0CgP9VCwfzcKC8S8Z1w=,tag:YburNo3mniyi4jyUjMF8DQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

20
doc/todo.md
View File

@@ -1,6 +1,14 @@
* 使用 wrap 好的 intel 编译器。
* 在挂载根目录前(创建 rootfs 时),按用户复制需要的文件
* 挑选一个好看的主题
* 尝试一些别的计算软件
* 解决 vscode 中的英语语法检查插件,尝试 valentjn.vscode-ltex
* 调整 xmupc1 xmupc2 启动分区
* 测试 huggin rsshub
* 打包 intel 编译器
* 切换到 niri清理 plasma
* 调整其它用户的 zsh 配置
* 调整 motd
* 找到 wg1 不能稳定工作的原因;确定 persistentKeepalive 发包的协议、是否会被正确 NAT。
* 备份系统
* 备份数据
* 清理 mariadb移动到 persistent
* 清理多余文件
* 移动日志到 persistent
* 更新 srv1
* 告知将代理改到 xserver2
* 准备单独一个的 archive

133
flake.lock generated
View File

@@ -3,12 +3,12 @@
"blog": {
"flake": false,
"locked": {
"lastModified": 1742891194,
"lastModified": 1748787595,
"lfs": true,
"narHash": "sha256-MTP/2zAh8VUft3mlgLOWYRuYslDKDu+YRM6BM8r9L9w=",
"narHash": "sha256-FFkwHb9DEdBjBaaH6JuhlmpP7ReSEWTy79P3i/eH708=",
"ref": "refs/heads/public",
"rev": "99ec653eac9f8452500ee3a2d553728dd60a1a11",
"revCount": 27,
"rev": "d9020a59f07f7ced60c854f324df8879b249e8b6",
"revCount": 32,
"type": "git",
"url": "https://git.chn.moe/chn/blog-public.git"
},
@@ -18,34 +18,43 @@
"url": "https://git.chn.moe/chn/blog-public.git"
}
},
"blurred-wallpaper": {
"flake": false,
"bscpkgs": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1746480265,
"narHash": "sha256-A1xKQy6ufGrW4yVGkYb8zBqRuQFFxtowCbao2GOP150=",
"owner": "bouteillerAlan",
"repo": "blurredwallpaper",
"rev": "6fa32cc6062c4852b9abb83f590314a2cab9b5ad",
"lastModified": 1748433430,
"narHash": "sha256-rTmarmlP4SplEBAD+RM0kD5cB1F5g93H8ooSodxl8XE=",
"owner": "CHN-beta",
"repo": "bscpkgs",
"rev": "bd7d5b02b59c4807e551a43f43489f79206e326a",
"type": "github"
},
"original": {
"owner": "bouteillerAlan",
"repo": "blurredwallpaper",
"owner": "CHN-beta",
"repo": "bscpkgs",
"type": "github"
}
},
"cachyos-lts": {
"buildproxy": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1743535541,
"narHash": "sha256-OlBtXY26w9OcAmpqrTvxaG4/rfDdavauQF2eRxb+ySs=",
"owner": "drakon64",
"repo": "nixos-cachyos-kernel",
"rev": "8516d89c4e0c4a25cea1be8431db3963359ee81b",
"lastModified": 1709212359,
"narHash": "sha256-La70ax79Hrp/Vz2G3gzI4fLgRd2z3lJrYLvCf+xcTj4=",
"owner": "polygon",
"repo": "nix-buildproxy",
"rev": "c26d73992ddae96812501b5ae1cc45037d8b10be",
"type": "github"
},
"original": {
"owner": "drakon64",
"repo": "nixos-cachyos-kernel",
"owner": "polygon",
"repo": "nix-buildproxy",
"type": "github"
}
},
@@ -494,12 +503,12 @@
"nixos-wallpaper": {
"flake": false,
"locked": {
"lastModified": 1744994349,
"lastModified": 1749300029,
"lfs": true,
"narHash": "sha256-DMVWLep/yoR05kfYqjQxazjZXEUw/CRLoELajXQq3eM=",
"narHash": "sha256-m5rQGDo9sogrNFtHNdf4CiUe4odqOVStj03ikUQX7NE=",
"ref": "refs/heads/main",
"rev": "5e4d102f5da8c27589083fb90e3f6edd8383ced8",
"revCount": 6,
"rev": "8da808801224ac49758e4df095922be0c84650c8",
"revCount": 8,
"type": "git",
"url": "https://git.chn.moe/chn/nixos-wallpaper.git"
},
@@ -511,11 +520,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1748069742,
"narHash": "sha256-GcfcL/c9Q696oftYwlKjTZS1UTTQR7jSzxNa+imZ+tI=",
"lastModified": 1749016257,
"narHash": "sha256-Vi+QhXm6Kau233v7ijtdD5aNpE4RpnUjRUhXGwi7pxk=",
"owner": "CHN-beta",
"repo": "nixpkgs",
"rev": "08e074b33507733ffb0ccb3006eb5fbad612ce6f",
"rev": "5835771b10e3197408d3ac7d32558c8e2ae0ab8d",
"type": "github"
},
"original": {
@@ -709,16 +718,17 @@
"openxlsx": {
"flake": false,
"locked": {
"lastModified": 1745313465,
"narHash": "sha256-HOYgrF3eU8yZIML6Soz7MHXlHpM4TB71zM/IGzwLHRY=",
"lastModified": 1716560554,
"narHash": "sha256-Aqn1830lG4g7BbwEeePhvGawLarmrIMnF2MXROTUBCw=",
"owner": "troldal",
"repo": "OpenXLSX",
"rev": "86af3b043f6b13b09e591a920a49ea1f9724d4a1",
"rev": "f85f7f1bd632094b5d78d4d1f575955fc3801886",
"type": "github"
},
"original": {
"owner": "troldal",
"repo": "OpenXLSX",
"rev": "f85f7f1bd632094b5d78d4d1f575955fc3801886",
"type": "github"
}
},
@@ -819,8 +829,8 @@
"root": {
"inputs": {
"blog": "blog",
"blurred-wallpaper": "blurred-wallpaper",
"cachyos-lts": "cachyos-lts",
"bscpkgs": "bscpkgs",
"buildproxy": "buildproxy",
"catppuccin": "catppuccin",
"concurrencpp": "concurrencpp",
"cppcoro": "cppcoro",
@@ -854,10 +864,9 @@
"py4vasp": "py4vasp",
"rsshub": "rsshub",
"rycee": "rycee",
"shadowrz": "shadowrz",
"slate": "slate",
"sops-nix": "sops-nix",
"sqlite-orm": "sqlite-orm",
"sticker": "sticker",
"stickerpicker": "stickerpicker",
"tgbot-cpp": "tgbot-cpp",
"ufo": "ufo",
@@ -898,42 +907,6 @@
"type": "gitlab"
}
},
"shadowrz": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1748056260,
"narHash": "sha256-bcUxYhdC/wCw20DeU3tHgdc80JLOAIsKUULH37fdU/M=",
"owner": "ShadowRZ",
"repo": "nur-packages",
"rev": "0c35cdecdf6ecec27c69810ca9f0346fca7c2ee8",
"type": "github"
},
"original": {
"owner": "ShadowRZ",
"repo": "nur-packages",
"type": "github"
}
},
"slate": {
"flake": false,
"locked": {
"lastModified": 1626631298,
"narHash": "sha256-3tbB16sWVUqiHAfeFc0FnFb0Cf6ZFxYWsYAyexeZVxk=",
"owner": "TheBigWazz",
"repo": "Slate",
"rev": "ff21b49c6e49b5a9f89497e4fea49a5a0c39bd6b",
"type": "github"
},
"original": {
"owner": "TheBigWazz",
"repo": "Slate",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
@@ -970,6 +943,24 @@
"type": "github"
}
},
"sticker": {
"flake": false,
"locked": {
"lastModified": 1748842256,
"lfs": true,
"narHash": "sha256-os0NWrft+N/HFy/+WRWup4fOHZLSLHANejih7qdXPxA=",
"ref": "refs/heads/main",
"rev": "2826c739c5602c5998afdcb3d041d521a214429a",
"revCount": 1,
"type": "git",
"url": "https://git.chn.moe/chn/sticker.git"
},
"original": {
"lfs": true,
"type": "git",
"url": "https://git.chn.moe/chn/sticker.git"
}
},
"stickerpicker": {
"flake": false,
"locked": {

9
flake.nix
View File

@@ -25,9 +25,9 @@
inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
};
catppuccin = { url = "github:catppuccin/nix"; inputs.nixpkgs.follows = "nixpkgs"; };
cachyos-lts.url = "github:drakon64/nixos-cachyos-kernel";
bscpkgs = { url = "github:CHN-beta/bscpkgs"; inputs.nixpkgs.follows = "nixpkgs"; };
nixvirt = { url = "github:CHN-beta/NixVirt"; inputs.nixpkgs.follows = "nixpkgs"; };
shadowrz = { url = "github:ShadowRZ/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
buildproxy = { url = "github:polygon/nix-buildproxy"; inputs.nixpkgs.follows = "nixpkgs"; };
misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
@@ -40,11 +40,9 @@
tgbot-cpp = { url = "github:reo7sp/tgbot-cpp"; flake = false; };
v-sim = { url = "gitlab:l_sim/v_sim/master"; flake = false; };
rycee = { url = "gitlab:rycee/nur-expressions"; flake = false; };
blurred-wallpaper = { url = "github:bouteillerAlan/blurredwallpaper"; flake = false; };
slate = { url = "github:TheBigWazz/Slate"; flake = false; };
lepton = { url = "github:black7375/Firefox-UI-Fix"; flake = false; };
mumax = { url = "github:CHN-beta/mumax"; flake = false; };
openxlsx = { url = "github:troldal/OpenXLSX"; flake = false; };
openxlsx = { url = "github:troldal/OpenXLSX?rev=f85f7f1bd632094b5d78d4d1f575955fc3801886"; flake = false; };
sqlite-orm = { url = "github:fnc12/sqlite_orm"; flake = false; };
nc4nix = { url = "github:helsinki-systems/nc4nix"; flake = false; };
hextra = { url = "github:imfing/hextra"; flake = false; };
@@ -59,6 +57,7 @@
fancy-motd = { url = "github:CHN-beta/fancy-motd"; flake = false; };
mac-style = { url = "github:SergioRibera/s4rchiso-plymouth-theme?lfs=1"; flake = false; };
phono3py = { url = "github:phonopy/phono3py"; flake = false; };
sticker = { url = "git+https://git.chn.moe/chn/sticker.git?lfs=1"; flake = false; };
};
outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in

2
flake/branch.nix
View File

@@ -1 +1 @@
"next"
"archive"

7
flake/dns/config/chn.moe.nix
View File

@@ -5,11 +5,11 @@ let
autoroute = [ "api" "git" "grafana" "matrix" "peertube" "send" "synapse" "vikunja" "" ];
nas = [ "initrd.nas" ];
office = [ "srv2-node0" ];
vps4 = [ "initrd.vps4" "xserver.vps4" ];
vps4 = [ "initrd.vps4" "xserver2.vps4" ];
vps6 =
[
"blog" "catalog" "coturn" "element" "frp" "initrd.vps6" "misskey" "sticker" "synapse-admin" "tgapi"
"ua" "vps6.xserver" ""
"ua" "xserver2" "xserver2.vps6" ""
];
"xlog.autoroute" = [ "xlog" ];
"wg0.srv1-node0" = [ "wg0.srv1" ];
@@ -17,11 +17,12 @@ let
srv3 =
[
"chat" "freshrss" "huginn" "initrd.srv3" "nextcloud" "photoprism" "rsshub" "ssh.git" "vaultwarden" "webdav"
"xserver.srv3" "example"
"xserver2.srv3" "example"
];
srv1-node0 = [ "srv1" ];
srv2-node0 = [ "srv2" ];
"wg1.pc" = [ "nix-store" ];
"wg1.nas" = [ "nix-store.nas" ];
};
a =
{

8
flake/packages.nix
View File

@@ -23,7 +23,6 @@
version = inputs.self.rev or "dirty";
stdenv = pkgs.pkgsStatic.gcc14Stdenv;
};
inherit (pkgs.localPackages) blog;
inherit (pkgs.localPackages.pkgsStatic) chn-bsub;
vaspberry = pkgs.pkgsStatic.localPackages.vaspberry.override
{
@@ -37,13 +36,18 @@
else if builtins.isAttrs x then builtins.concatMap getDrv (builtins.attrValues x)
else if builtins.isList x then builtins.concatMap getDrv x
else [];
in pkgs.writeClosure (getDrv (inputs.self.outputs.src));
in pkgs.concatText "src" (getDrv (inputs.self.outputs.src));
dns-push = pkgs.callPackage ./dns
{
inherit localLib;
tokenPath = inputs.self.nixosConfigurations.pc.config.sops.secrets."acme/token".path;
octodns = pkgs.octodns.withProviders (_: with pkgs.octodns-providers; [ cloudflare ]);
};
archive =
let devices =
[ "nas" "one" "pc" "srv1-node0" "srv1-node1" "srv1-node2" "srv2-node0" "srv2-node1" "srv3" "vps4" "vps6" ];
in pkgs.writeText "archive" (builtins.concatStringsSep "\n" (builtins.map
(d: "${inputs.self.outputs.nixosConfigurations.${d}.config.system.build.toplevel}") devices));
}
// (builtins.listToAttrs (builtins.map
(system: { inherit (system) name; value = system.value.config.system.build.toplevel; })

22
flake/src.nix
View File

@@ -114,12 +114,32 @@
mathematica = pkgs.mathematica.src;
oneapi =
{
src = pkgs.fetchurl
src = pkgs.fetchurl
{
url = "https://registrationcenter-download.intel.com/akdlm/IRC_NAS/2cf9c083-82b5-4a8f-a515-c599b09dcefc/"
+ "intel-oneapi-hpc-toolkit-2025.1.1.40_offline.sh";
sha256 = "1qjy9dsnskwqsk66fm99b3cch1wp3rl9dx7y884p3x5kwiqdma2x";
};
version = "2025.1";
fullVersion = "2025.1.1.40";
components =
[
"intel.oneapi.lin.dpcpp-cpp-common,v=2025.1.1+10"
"intel.oneapi.lin.dpcpp-cpp-common.runtime,v=2025.1.1+10"
"intel.oneapi.lin.ifort-compiler,v=2025.1.1+10"
"intel.oneapi.lin.compilers-common.runtime,v=2025.1.1+10"
"intel.oneapi.lin.mpi.runtime,v=2021.15.0+493"
"intel.oneapi.lin.umf,v=0.10.0+355"
"intel.oneapi.lin.tbb.runtime,v=2022.1.0+425"
"intel.oneapi.lin.compilers-common,v=2025.1.1+10"
];
};
rsshub = pkgs.dockerTools.pullImage
{
imageName = "diygod/rsshub";
imageDigest = "sha256:1f9d97263033752bf5e20c66a75e134e6045b6d69ae843c1f6610add696f8c22";
hash = "sha256-zN47lhQc3EX28LmGF4N3rDUPqumwmhfGn1OpvBYd2Vw=";
finalImageName = "rsshub";
finalImageTag = "latest";
};
}

2
modules/model.nix
View File

@@ -3,7 +3,7 @@ inputs:
options.nixos.model = let inherit (inputs.lib) mkOption types; in
{
hostname = mkOption { type = types.nonEmptyStr; };
type = mkOption { type = types.enum [ "vps" "desktop" "server" ]; default = "vps"; };
type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
private = mkOption { type = types.bool; default = false; };
cluster = mkOption
{

5
modules/packages/android-studio.nix
View File

@@ -1,10 +1,7 @@
inputs:
{
options.nixos.packages.android-studio = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = null;
};
{ type = types.nullOr (types.submodule {}); default = null; };
config = let inherit (inputs.config.nixos.packages) android-studio; in inputs.lib.mkIf (android-studio != null)
{
nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ];

2
modules/packages/chromium.nix
View File

@@ -3,7 +3,7 @@ inputs:
options.nixos.packages.chromium = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
default = if inputs.config.nixos.model.type == "desktop" then {} else null;
};
config = let inherit (inputs.config.nixos.packages) chromium; in inputs.lib.mkIf (chromium != null)
{

33
modules/packages/desktop.nix
View File

@@ -3,7 +3,7 @@ inputs:
options.nixos.packages.desktop = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
default = if inputs.config.nixos.model.type == "desktop" then {} else null;
};
config = let inherit (inputs.config.nixos.packages) desktop; in inputs.lib.mkIf (desktop != null)
{
@@ -15,8 +15,7 @@ inputs:
[
# system management
# TODO: module should add yubikey-touch-detector into path
gparted yubikey-touch-detector btrfs-assistant
kdePackages.qtstyleplugin-kvantum cpu-x wl-mirror xpra
gparted yubikey-touch-detector btrfs-assistant kdePackages.qtstyleplugin-kvantum cpu-x wl-mirror xpra
(
writeShellScriptBin "xclip"
''
@@ -25,16 +24,16 @@ inputs:
''
)
# networking
remmina putty
remmina putty kdePackages.krdc
# media
mpv nomacs simplescreenrecorder imagemagick gimp-with-plugins qcm waifu2x-converter-cpp blender paraview vlc
obs-studio (inkscape-with-extensions.override { inkscapeExtensions = null; })
# themes
klassy-qt6 localPackages.slate localPackages.blurred-wallpaper
obs-studio (inkscape-with-extensions.override { inkscapeExtensions = null; }) kdePackages.kcolorchooser
kdePackages.kdenlive
# development
adb-sync scrcpy dbeaver-bin aircrack-ng fprettify
# password and key management
yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden hashcat
kdePackages.kleopatra
# download
qbittorrent wgetpaste rclone
# editor
@@ -50,27 +49,24 @@ inputs:
# browser
google-chrome tor-browser
# office
crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain
crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain activitywatch
ydict pspp libreoffice-qt6-fresh ocrmypdf typst
# required by ltex-plus.vscode-ltex-plus
ltex-ls ltex-ls-plus
# matplot++ needs old gnuplot
inputs.pkgs.pkgs-2311.gnuplot
# math, physics and chemistry
octaveFull ovito localPackages.vesta localPackages.v-sim mpi geogebra6 localPackages.ufo
inputs.pkgs.pkgs-2311.hdfview qalculate-qt
octaveFull mpi geogebra6 qalculate-qt
# virtualization
bottles wineWowPackages.stagingFull
# media
nur-xddxdd.svp
# for kdenlive auto subtitle
openai-whisper
]
++ (builtins.filter (p: !((p.meta.broken or false) || (builtins.elem p.pname or null [ "falkon" "kalzium" ])))
(builtins.filter inputs.lib.isDerivation (builtins.attrValues kdePackages.kdeGear)));
];
_pythonPackages = [(pythonPackages: with pythonPackages;
[
phonopy scipy scikit-learn jupyterlab autograd inputs.pkgs.localPackages.phono3py numpy
scipy scikit-learn jupyterlab autograd numpy
])];
};
user.sharedModules =
@@ -89,9 +85,15 @@ inputs:
inherit (inputs.topInputs) nixos-wallpaper;
isPicture = f: builtins.elem (inputs.lib.last (inputs.lib.splitString "." f))
[ "png" "jpg" "jpeg" "webp" ];
listDirRecursive =
let listDir = dir:
if dir.value == "directory" then builtins.concatLists
(builtins.map (f: listDir f) (inputs.localLib.attrsToList (builtins.readDir dir.name)))
else [ dir ];
in dir: listDir { name = dir; value = "directory"; };
in builtins.concatStringsSep "," (builtins.map (f: "${nixos-wallpaper}/${f.name}")
(builtins.filter (f: (isPicture f.name) && (f.value == "regular"))
(inputs.localLib.attrsToList (builtins.readDir nixos-wallpaper))));
(listDirRecursive nixos-wallpaper)));
};
powerdevil =
let config =
@@ -118,6 +120,7 @@ inputs:
wireshark = { enable = true; package = inputs.pkgs.wireshark; };
yubikey-touch-detector.enable = true;
kdeconnect.enable = true;
kde-pim = { enable = true; kmail = true; };
};
services.pcscd.enable = true;
};

7
modules/packages/firefox.nix
View File

@@ -3,7 +3,7 @@ inputs:
options.nixos.packages.firefox = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
default = if inputs.config.nixos.model.type == "desktop" then {} else null;
};
config = let inherit (inputs.config.nixos.packages) firefox; in inputs.lib.mkIf (firefox != null)
{
@@ -12,11 +12,10 @@ inputs:
{
enable = true;
languagePacks = [ "zh-CN" "en-US" ];
nativeMessagingHosts.packages = with inputs.pkgs; [ uget-integrator firefoxpwa ];
nativeMessagingHosts.packages = with inputs.pkgs; [ uget-integrator ];
};
nixos =
{
packages.packages._packages = [ inputs.pkgs.firefoxpwa ];
user.sharedModules =
[{
config =
@@ -25,7 +24,7 @@ inputs:
{
enable = true;
nativeMessagingHosts = with inputs.pkgs;
[ kdePackages.plasma-browser-integration uget-integrator firefoxpwa ];
[ kdePackages.plasma-browser-integration uget-integrator ];
# TODO: use fixed-version of plugins
policies.DefaultDownloadDirectory = "\${home}/Downloads";
profiles.default =

31
modules/packages/lammps.nix
View File

@@ -1,22 +1,23 @@
inputs:
{
options.nixos.packages.lammps = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
};
{ type = types.nullOr (types.submodule {}); default = null; };
config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
{
nixos.packages.packages._packages =
let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
in
if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
.overrideAttrs (prev:
{
cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
}))]
else [ inputs.pkgs.lammps-mpi ];
nixos.packages =
{
molecule = {};
packages._packages =
let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
in
if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
.overrideAttrs (prev:
{
cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
}))]
else [ inputs.pkgs.lammps-mpi ];
};
};
}

5
modules/packages/mathematica.nix
View File

@@ -1,10 +1,7 @@
inputs:
{
options.nixos.packages.mathematica = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = null;
};
{ type = types.nullOr (types.submodule {}); default = null; };
config = let inherit (inputs.config.nixos.packages) mathematica; in inputs.lib.mkIf (mathematica != null)
{ nixos.packages.packages._packages = [ inputs.pkgs.mathematica ]; };
}

11
modules/packages/server.nix → modules/packages/minimal.nix
View File

@@ -1,8 +1,8 @@
inputs:
{
options.nixos.packages.server = let inherit (inputs.lib) mkOption types; in mkOption
options.nixos.packages.minimal = let inherit (inputs.lib) mkOption types; in mkOption
{ type = types.nullOr (types.submodule {}); default = {}; };
config = let inherit (inputs.config.nixos.packages) server; in inputs.lib.mkIf (server != null)
config = let inherit (inputs.config.nixos.packages) minimal; in inputs.lib.mkIf (minimal != null)
{
nixos.packages.packages =
{
@@ -42,13 +42,6 @@ inputs:
pdfgrep ffmpeg-full hdf5
]
++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
_pythonPackages = [(pythonPackages: with pythonPackages;
[
openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2
certifi charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus odfpy
# for vasp plot-workfunc.py
ase
])];
};
programs =
{

20
modules/packages/molecule.nix Normal file
View File

@@ -0,0 +1,20 @@
inputs:
{
options.nixos.packages.molecule = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = if inputs.config.nixos.model.type == "desktop" then {} else null;
};
config = let inherit (inputs.config.nixos.packages) molecule; in inputs.lib.mkIf (molecule != null)
{
nixos.packages.packages =
{
_packages = with inputs.pkgs;
[ ovito localPackages.vesta localPackages.v-sim localPackages.ufo inputs.pkgs.pkgs-2311.hdfview ];
_pythonPackages = [(pythonPackages: with pythonPackages;
[
phonopy inputs.pkgs.localPackages.phono3py
])];
};
};
}

9
modules/packages/mumax.nix
View File

@@ -1,14 +1,7 @@
inputs:
{
options.nixos.packages.mumax = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default =
if (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
&& (let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
then {}
else null;
};
{ type = types.nullOr (types.submodule {}); default = null; };
config = let inherit (inputs.config.nixos.packages) mumax; in inputs.lib.mkIf (mumax != null)
{
nixos.packages.packages._packages = [ inputs.pkgs.localPackages.mumax ];

5
modules/packages/nushell.nix
View File

@@ -1,10 +1,7 @@
inputs:
{
options.nixos.packages.nushell = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = {};
};
{ type = types.nullOr (types.submodule {}); default = {}; };
config = let inherit (inputs.config.nixos.packages) nushell; in inputs.lib.mkIf (nushell != null)
{
nixos =

2
modules/packages/steam.nix
View File

@@ -3,7 +3,7 @@ inputs:
options.nixos.packages.steam = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
default = if inputs.config.nixos.model.type == "desktop" then {} else null;
};
config = let inherit (inputs.config.nixos.packages) steam; in inputs.lib.mkIf (steam != null)
{

30
modules/packages/vasp.nix
View File

@@ -1,25 +1,23 @@
inputs:
{
options.nixos.packages.vasp = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
# default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
# TODO: fix vasp
default = null;
};
# TODO: add more options to correctly configure VASP
{ type = types.nullOr (types.submodule {}); default = null; };
config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
{
nixos.packages.packages = with inputs.pkgs;
nixos.packages =
{
_packages =
(
[ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
++ (inputs.lib.optional
(let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
localPackages.vasp.nvidia)
);
_pythonPackages = [(_: [ localPackages.py4vasp ])];
molecule = {};
packages = with inputs.pkgs;
{
_packages =
(
[ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
++ (inputs.lib.optional
(let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
localPackages.vasp.nvidia)
);
_pythonPackages = [(_: [ localPackages.py4vasp ])];
};
};
};
}

2
modules/packages/vscode.nix
View File

@@ -3,7 +3,7 @@ inputs:
options.nixos.packages.vscode = let inherit (inputs.lib) mkOption types; in mkOption
{
type = types.nullOr (types.submodule {});
default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
default = if inputs.config.nixos.model.type == "desktop" then {} else null;
};
config = let inherit (inputs.config.nixos.packages) vscode; in inputs.lib.mkIf (vscode != null)
{

73
modules/services/freshrss.nix
View File

@@ -1,52 +1,33 @@
inputs:
{
options.nixos.services.freshrss = let inherit (inputs.lib) mkOption types; in
options.nixos.services.freshrss = let inherit (inputs.lib) mkOption types; in mkOption
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "freshrss.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) freshrss;
inherit (inputs.lib) mkIf;
in mkIf freshrss.enable
type = types.nullOr (types.submodule { options =
{
services.freshrss =
{
enable = true;
baseUrl = "https://${freshrss.hostname}";
defaultUser = "chn";
passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
virtualHost = null;
};
sops.secrets =
{
"freshrss/chn".owner = inputs.config.users.users.freshrss.name;
"freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
};
systemd.services.freshrss-config.after = [ "mysql.service" ];
nixos.services =
{
mariadb = { enable = true; instances.freshrss = {}; };
nginx.https.${freshrss.hostname} =
{
location =
{
"/".static =
{
root = "${inputs.pkgs.freshrss}/p";
index = [ "index.php" ];
tryFiles = [ "$uri" "$uri/" "$uri/index.php" ];
};
"~ ^.+?\.php(/.*)?$".php =
{
root = "${inputs.pkgs.freshrss}/p";
fastcgiPass =
"unix:${inputs.config.services.phpfpm.pools.${inputs.config.services.freshrss.pool}.socket}";
};
};
};
};
hostname = mkOption { type = types.str; default = "freshrss.chn.moe"; };
};});
default = null;
};
config = let inherit (inputs.config.nixos.services) freshrss; in inputs.lib.mkIf (freshrss != null)
{
services.freshrss =
{
enable = true;
baseUrl = "https://${freshrss.hostname}";
defaultUser = "chn";
passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
};
sops.secrets =
{
"freshrss/chn".owner = inputs.config.users.users.freshrss.name;
"freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
};
systemd.services.freshrss-config.after = [ "mysql.service" ];
nixos.services =
{
mariadb = { enable = true; instances.freshrss = {}; };
nginx.https.${freshrss.hostname}.global.configName = "freshrss";
};
};
}

99
modules/services/fz-new-order/default.nix
View File

@@ -1,99 +0,0 @@
inputs:
{
options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in mkOption
{ type = types.nullOr (types.submodule {}); default = null; };
config = let inherit (inputs.config.nixos.services) fz-new-order; in inputs.lib.mkIf (fz-new-order != null)
{
users =
{
users.fz-new-order =
{
uid = inputs.config.nixos.user.uid.fz-new-order;
group = "fz-new-order";
home = "/var/lib/fz-new-order";
createHome = true;
isSystemUser = true;
};
groups.fz-new-order.gid = inputs.config.nixos.user.gid.fz-new-order;
};
systemd =
{
timers.fz-new-order =
{
wantedBy = [ "timers.target" ];
timerConfig = { OnBootSec = "10m"; OnUnitActiveSec = "10m"; Unit = "fz-new-order.service"; };
};
services.fz-new-order = rec
{
description = "fz-new-order";
after = [ "network.target" ];
requires = after;
serviceConfig =
{
User = inputs.config.users.users."fz-new-order".name;
Group = inputs.config.users.users."fz-new-order".group;
WorkingDirectory = "/var/lib/fz-new-order";
ExecStart =
let
src = inputs.pkgs.replaceVars ./main.cpp
{ config_file = inputs.config.sops.templates."fz-new-order/config.json".path; };
binary = inputs.pkgs.stdenv.mkDerivation
{
name = "fz-new-order";
inherit src;
buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
dontUnpack = true;
buildPhase =
''
runHook preBuild
g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
runHook postBuild
'';
installPhase =
''
runHook preInstall
mkdir -p $out/bin
cp fz-new-order $out/bin/fz-new-order
runHook postInstall
'';
};
in "${binary}/bin/fz-new-order";
};
};
tmpfiles.rules =
[
"d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
"Z /var/lib/fz-new-order - fz-new-order fz-new-order"
];
};
sops = let userNum = 5; configNum = 2; in
{
templates."fz-new-order/config.json" =
{
owner = inputs.config.users.users."fz-new-order".name;
group = inputs.config.users.users."fz-new-order".group;
content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
{
token = placeholder."fz-new-order/token";
uids = builtins.map (j: placeholder."fz-new-order/uids/user${builtins.toString j}")
(builtins.genList (n: n) userNum);
config = builtins.map
(i: builtins.listToAttrs (builtins.map
(attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
[ "username" "password" "comment" ]))
(builtins.genList (n: n) configNum);
};
};
secrets =
{ "fz-new-order/token" = {}; }
// (builtins.listToAttrs (builtins.map
(i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
(builtins.genList (n: n) userNum)))
// (builtins.listToAttrs (builtins.concatLists (builtins.map
(i: builtins.map
(attrName: { name = "fz-new-order/config${builtins.toString i}/${attrName}"; value = {}; })
[ "username" "password" "comment" ])
(builtins.genList (n: n) configNum))));
};
};
}

244
modules/services/fz-new-order/main.cpp
View File

@@ -1,244 +0,0 @@
# include <iostream>
# include <set>
# include <sstream>
# include <filesystem>
# include <cereal/types/set.hpp>
# include <cereal/archives/json.hpp>
# include <fmt/format.h>
# include <fmt/ranges.h>
# include <httplib.h>
# include <json/json.h>
std::string urlencode(std::string s)
{
auto hexchar = [](unsigned char c, unsigned char &hex1, unsigned char &hex2)
{
hex1 = c / 16;
hex2 = c % 16;
hex1 += hex1 <= 9 ? '0' : 'a' - 10;
hex2 += hex2 <= 9 ? '0' : 'a' - 10;
};
const char *str = s.c_str();
std::vector<char> v(s.size());
v.clear();
for (std::size_t i = 0, l = s.size(); i < l; i++)
{
char c = str[i];
if
(
(c >= '0' && c <= '9')
|| (c >= 'a' && c <= 'z')
|| (c >= 'A' && c <= 'Z')
|| c == '-' || c == '_' || c == '.' || c == '!' || c == '~'
|| c == '*' || c == '\'' || c == '(' || c == ')'
)
v.push_back(c);
else
{
v.push_back('%');
unsigned char d1, d2;
hexchar(c, d1, d2);
v.push_back(d1);
v.push_back(d2);
}
}
return std::string(v.cbegin(), v.cend());
}
void oneshot
(
const std::string& username, const std::string& password, const std::string& comment,
const std::set<std::string>& wxuser, const std::string& token
)
{
httplib::Client fzclient("http://scmv9.fengzhansy.com:8882");
httplib::Client wxclient("http://wxpusher.zjiecode.com");
auto& log = std::clog;
try
{
// get JSESSIONID
auto cookie_jsessionid = [&]() -> std::string
{
log << "get /scmv9/login.jsp\n";
auto result = fzclient.Get("/scmv9/login.jsp");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
auto it = result.value().headers.find("Set-Cookie");
if (it == result.value().headers.end() || it->first != "Set-Cookie")
throw std::runtime_error("find cookie failed");
log << fmt::format("set_cookie JSESSIONID {}\n", it->second.substr(0, it->second.find(';')));
return it->second.substr(0, it->second.find(';'));
}();
// login
auto cookie_pppp = [&]() -> std::string
{
auto body = fmt::format("method=dologinajax&rand=1234&userc={}&mdid=P&passw={}", username, password);
httplib::Headers headers =
{
{ "X-Requested-With", "XMLHttpRequest" },
{
"User-Agent",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
},
{ "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
{ "Origin", "http://scmv9.fengzhansy.com:8882" },
{ "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/login.jsp" },
{ "Cookie", cookie_jsessionid }
};
log << "post /scmv9/data.jsp\n";
auto result = fzclient.Post("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
log << fmt::format("set_cookie pppp {}\n", fmt::format("pppp={}%40{}", username, password));
return fmt::format("pppp={}%40{}", username, password);
}();
// get order list
auto order_list = [&]() -> std::map<std::string, std::pair<std::string, std::string>>
{
auto body = fmt::format("method=dgate&rand=1234&op=scmmgr_pcggl&nv%5B%5D=opmode&nv%5B%5D=dd_qry&nv%5B%5D=bill&nv%5B%5D=&nv%5B%5D=storeid&nv%5B%5D=&nv%5B%5D=vendorid&nv%5B%5D={}&nv%5B%5D=qr_status&nv%5B%5D=&nv%5B%5D=ddprt&nv%5B%5D=%25&nv%5B%5D=fdate&nv%5B%5D=&nv%5B%5D=tdate&nv%5B%5D=&nv%5B%5D=shfdate&nv%5B%5D=&nv%5B%5D=shtdate&nv%5B%5D=&nv%5B%5D=fy_pno&nv%5B%5D=1&nv%5B%5D=fy_psize&nv%5B%5D=10", username);
httplib::Headers headers =
{
{ "X-Requested-With", "XMLHttpRequest" },
{
"User-Agent",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
},
{ "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
{ "Origin", "http://scmv9.fengzhansy.com:8882"
},
{ "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/SCM/cggl_po_qry.jsp" },
{ "Cookie", fmt::format("{}; {}", cookie_jsessionid, cookie_pppp) }
};
log << "post /scmv9/data.jsp\n";
auto result = fzclient.Post("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
log << fmt::format("get result {}\n", result.value().body);
std::stringstream result_body(result.value().body);
Json::Value root;
result_body >> root;
std::map<std::string, std::pair<std::string, std::string>> orders;
for (unsigned i = 0; i < root["dt"][1].size(); i++)
{
log << fmt::format
(
"insert order {} {} {}\n", root["dt"][1][i].asString(), root["dt"][2][i].asString(),
root["dt"][4][i].asString()
);
orders.insert({root["dt"][1][i].asString(), {root["dt"][2][i].asString(), root["dt"][4][i].asString()}});
}
return orders;
}();
// read order old
auto order_old = [&]() -> std::set<std::string>
{
if (!std::filesystem::exists("orders.json"))
return {};
else
{
std::ifstream ins("orders.json");
cereal::JSONInputArchive ina(ins);
std::set<std::string> data;
cereal::load(ina, data);
return data;
}
}();
// push new order info
for (const auto& order : order_list)
if (!order_old.contains(order.first))
{
auto body = fmt::format
(
"method=dgate&rand=1234&op=scmmgr_pcggl&nv%5B%5D=opmode&nv%5B%5D=ddsp_qry&nv%5B%5D=bill&nv%5B%5D={}",
order.first
);
httplib::Headers headers =
{
{ "X-Requested-With", "XMLHttpRequest" },
{
"User-Agent",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
},
{ "Content-Type", "application/x-www-form-urlencoded; charset=UTF-8" },
{ "Origin", "http://scmv9.fengzhansy.com:8882" },
{ "Referer", "http://scmv9.fengzhansy.com:8882/scmv9/SCM/cggl_po_qry.jsp" },
{ "Cookie", fmt::format("{}; {}", cookie_jsessionid, cookie_pppp) }
};
log << "post /scmv9/data.jsp\n";
auto result = fzclient.Post
("/scmv9/data.jsp", headers, body, "application/x-www-form-urlencoded; charset=UTF-8");
if (result.error() != httplib::Error::Success)
throw std::runtime_error("request failed");
log << fmt::format("get result {}\n", result.value().body);
std::stringstream result_body(result.value().body);
Json::Value root;
result_body >> root;
std::stringstream push_body;
double all_cost = 0;
push_body << fmt::format
(
"{} {} {}店\n", comment, order.second.second.substr(order.second.second.find('-') + 1),
order.second.first.substr(1, 2)
);
for (unsigned i = 0; i < root["dt"][6].size(); i++)
{
push_body << fmt::format
(
"{} {}{}\n", root["dt"][6][i].asString().substr(root["dt"][6][i].asString().length() - 4),
root["dt"][7][i].asString(), root["dt"][5][i].asString()
);
// 订货金额 maybe empty ???
if (root["dt"][10][i].asString() != "")
all_cost += std::stod(root["dt"][10][i].asString());
}
push_body << fmt::format("共{:.2f}元\n", all_cost);
log << fmt::format("push to wx {}\n", push_body.str());
auto encoded = urlencode(push_body.str());
for (const auto& wxu : wxuser)
{
auto path = fmt::format
("/api/send/message/?appToken={}&content={}&uid={}", token, encoded, wxu);
auto wxresult = wxclient.Get(path.c_str());
}
}
// save data
{
for (const auto& order : order_list)
if (!order_old.contains(order.first))
order_old.insert(order.first);
std::ofstream os("orders.json");
cereal::JSONOutputArchive oa(os);
cereal::save(oa, order_old);
}
}
catch (const std::exception& ex)
{
log << ex.what() << "\n" << std::flush;
std::terminate();
}
}
int main(int argc, char** argv)
{
Json::Value configs;
std::ifstream("@config_file@") >> configs;
auto config_uids = configs["uids"];
std::set<std::string> uids;
for (auto& uid : config_uids)
uids.insert(uid.asString());
for (auto& config : configs["config"])
oneshot
(
config["username"].asString(), config["password"].asString(), config["comment"].asString(),
uids, configs["token"].asString()
);
}

2
modules/services/gitea.nix
View File

@@ -45,6 +45,8 @@ inputs:
};
service.DISABLE_REGISTRATION = true;
security.LOGIN_REMEMBER_DAYS = 365;
"git.timeout" = builtins.listToAttrs (builtins.map (n: { name = n; value = 1800; })
[ "DEFAULT" "MIGRATE" "MIRROR" "CLONE" "PULL" "GC" ]);
};
};
nixos.services =

2
modules/services/nextcloud.nix
View File

@@ -57,7 +57,7 @@ inputs:
};
in builtins.listToAttrs (builtins.map
(package: { name = package; value = inputs.pkgs.fetchNextcloudApp (getInfo package); })
[ "maps" "phonetrack" "twofactor_webauthn" "calendar" ]);
[ "phonetrack" "twofactor_webauthn" "calendar" ]);
};
nixos.services =
{

2
modules/services/nginx/applications/sticker/default.nix → modules/services/nginx/applications/sticker.nix
View File

@@ -11,7 +11,7 @@ inputs:
mkdir -p $out
cp -r ${inputs.topInputs.stickerpicker}/web/* $out
chmod -R +w $out
cp -r ${./web}/* $out
cp -r ${inputs.topInputs.sticker}/web/* $out
'');
index = [ "index.html" ];
};

2
modules/services/nginx/applications/sticker/.gitignore vendored
View File

@@ -1,2 +0,0 @@
/config.json
/sticker-import.session

1
modules/services/nginx/applications/sticker/web/packs/LINE_nachonekodayo.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/Mare_by_WuMingv2Bot.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/Sakurada_Shiro.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/TheDonaldTrump.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/csaexi.json
View File

File diff suppressed because one or more lines are too long

19
modules/services/nginx/applications/sticker/web/packs/index.json
View File

@@ -1,19 +0,0 @@
{
"packs": [
"Mare_by_WuMingv2Bot.json",
"line_191054124446_by_moe_sticker_bot.json",
"Sakurada_Shiro.json",
"loli_DaiSi_by_WuMingv2Bot.json",
"listentoweiwei_by_WuMingv2Bot.json",
"csaexi.json",
"wechat_transfer_zhcn.json",
"teamtimothy_bilibili.json",
"line26158619ac0d_by_moe_sticker_bot.json",
"LINE_nachonekodayo.json",
"zhehelima.json",
"TheDonaldTrump.json",
"line_173195293297_by_moe_sticker_bot.json",
"line261586194a0d_by_moe_sticker_bot.json"
],
"homeserver_url": "https://matrix.chn.moe"
}

1
modules/services/nginx/applications/sticker/web/packs/line261586194a0d_by_moe_sticker_bot.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/line26158619ac0d_by_moe_sticker_bot.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/line_173195293297_by_moe_sticker_bot.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/line_191054124446_by_moe_sticker_bot.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/listentoweiwei_by_WuMingv2Bot.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/loli_DaiSi_by_WuMingv2Bot.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/teamtimothy_bilibili.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/wechat_transfer_zhcn.json
View File

File diff suppressed because one or more lines are too long

1
modules/services/nginx/applications/sticker/web/packs/zhehelima.json
View File

File diff suppressed because one or more lines are too long

49
modules/services/nginx/default.nix
View File

@@ -366,38 +366,13 @@ inputs:
systemd.services.nginx-proxy =
let
ip = "${inputs.pkgs.iproute2}/bin/ip";
nft = "${inputs.pkgs.nftables}/bin/nft";
nftConfigFile = inputs.pkgs.writeText "nginx.nft"
''
table inet nginx {
chain output {
type route hook output priority mangle; policy accept;
# gid nginx
#
meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
ct state new counter ct mark set ct mark | 2
#
#
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
return
}
# prerouting
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
return
}
}
'';
start = inputs.pkgs.writeShellScript "nginx-proxy.start"
''
${nft} -f ${nftConfigFile}
${ip} rule add fwmark 2/2 table 200
${ip} route add local 0.0.0.0/0 dev lo table 200
'';
stop = inputs.pkgs.writeShellScript "nginx-proxy.stop"
''
${nft} delete table inet nginx
${ip} rule del fwmark 2/2 table 200
${ip} route del local 0.0.0.0/0 dev lo table 200
'';
@@ -415,6 +390,30 @@ inputs:
wants = [ "network.target" ];
wantedBy= [ "multi-user.target" ];
};
networking.nftables.tables.nginx =
{
family = "inet";
content =
''
chain output {
type route hook output priority mangle; policy accept;
# gid nginx
#
meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
ct state new counter ct mark set ct mark | 2
#
#
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
return
}
# prerouting
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
return
}
'';
};
})
# streamProxy
{

250
modules/services/nixvirt.nix
View File

@@ -1,4 +1,3 @@
# TODO: fix libvirtd network
inputs:
{
options.nixos.services.nixvirt = let inherit (inputs.lib) mkOption types; in mkOption
@@ -19,19 +18,31 @@ inputs:
{
uuid = mkOption { type = types.nonEmptyStr; default = defaultUuid; };
owner = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
hardware =
storage =
{
storage = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
memoryMB = mkOption { type = types.ints.unsigned; };
cpus = mkOption { type = types.ints.unsigned; };
mac = mkOption { type = types.nonEmptyStr; default = defaultMac; };
name = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
nodatacow = mkOption { type = types.bool; default = false; };
};
memory =
{
sizeMB = mkOption { type = types.ints.unsigned; };
dedicated = mkOption { type = types.bool; default = false; };
};
cpu =
{
count = mkOption { type = types.ints.unsigned; };
hyprthread = mkOption { type = types.bool; default = false; };
set = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
};
network =
{
address = mkOption { type = types.ints.unsigned; };
mac = mkOption { type = types.nonEmptyStr; default = defaultMac; };
address = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
bridge = mkOption { type = types.bool; default = false; };
vnc =
{
port = mkOption { type = types.ints.unsigned; default = 15900 + submoduleInputs.config.network.address; };
port = mkOption
{ type = types.ints.unsigned; default = 15900 + submoduleInputs.config.network.address; };
openFirewall = mkOption { type = types.bool; default = true; };
};
portForward = rec
@@ -54,6 +65,13 @@ inputs:
};
config = let inherit (inputs.config.nixos.services) nixvirt; in inputs.lib.mkIf (nixvirt != null)
{
assertions = builtins.map
(vm:
{
assertion = vm.value.cpu.set != null -> builtins.length vm.value.cpu.set == vm.value.cpu.count;
message = "nixvirt.instance.${vm.name}.cpu.set must have the same length as cpu.count";
})
(inputs.localLib.attrsToList nixvirt.instance);
virtualisation =
{
libvirt =
@@ -63,7 +81,12 @@ inputs:
connections."qemu:///system" = let inherit (inputs.topInputs.nixvirt) lib; in
{
domains = builtins.map
(vm: { definition = inputs.config.sops.templates."${vm.name}.xml".path; active = true; restart = false; })
(vm:
{
definition = inputs.config.sops.templates."nixvirt/${vm.name}.xml".path;
active = true;
restart = false;
})
(inputs.localLib.attrsToList nixvirt.instance);
networks =
[{
@@ -74,10 +97,10 @@ inputs:
host = builtins.map
(vm:
{
inherit (vm.hardware) mac;
inherit (vm.network) mac;
ip = "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}";
})
(builtins.attrValues nixvirt.instance);
(builtins.filter (vm: vm.network.address != null) (builtins.attrValues nixvirt.instance));
in lib.network.writeXML (base // { ip = base.ip // { dhcp = base.ip.dhcp // { inherit host; }; }; });
active = true;
# never restart the network
@@ -126,50 +149,113 @@ inputs:
templates = builtins.listToAttrs (builtins.map
(vm:
{
name = "${vm.name}.xml";
value.content =
let
inherit (inputs.topInputs.nixvirt) lib;
base = lib.domain.templates.linux
{
inherit (vm) name;
inherit (vm.value) uuid;
memory = { count = vm.value.hardware.memoryMB; unit = "MiB"; };
storage_vol = "/var/lib/libvirt/images/${vm.value.hardware.storage}.img";
install_vol = "${inputs.topInputs.self.src.iso.netboot}";
virtio_video = false;
};
in lib.domain.getXML (base //
name = "nixvirt/${vm.name}.xml";
value.content = inputs.topInputs.nixvirt.lib.domain.getXML
# port from 8bcc23e27a62297254d0e9c87281e650ff777132
{
inherit (vm) name;
inherit (vm.value) uuid;
type = "kvm";
vcpu = { placement = "static"; count = vm.value.cpu.count; };
cputune = inputs.lib.optionalAttrs (vm.value.cpu.set != null)
{
devices =
# remove spicevmc, which needs spice
(builtins.removeAttrs base.devices [ "channel" "redirdev" "sound" "audio" ])
// {
graphics =
{
type = "vnc";
autoport = false;
port = vm.value.network.vnc.port;
listen.type = "address";
passwd = inputs.config.sops.placeholder."nixvirt/${vm.name}";
};
interface = base.devices.interface // { mac.address = vm.value.hardware.mac; };
disk = builtins.map (disk: disk // { driver = disk.driver // { type = "raw"; }; }) base.devices.disk;
};
cpu = base.cpu // { topology = { sockets = 1; dies = 1; cores = vm.value.hardware.cpus; threads = 1; };};
vcpu = { placement = "static"; count = vm.value.hardware.cpus; };
os = (builtins.removeAttrs base.os [ "boot" ]) //
vcpupin = builtins.genList
(cpu: { vcpu = cpu; cpuset = builtins.elemAt vm.value.cpu.set cpu; })
vm.value.cpu.count;
};
memory =
{
count = vm.value.memory.sizeMB;
unit = "MiB";
nosharepages = vm.value.memory.dedicated;
locked = vm.value.memory.dedicated;
};
os =
{
type = "hvm";
arch = "x86_64";
machine = "q35";
bootmenu = { enable = true; timeout = 15000; };
loader = { readonly = true; type = "pflash"; path = "/run/libvirt/nix-ovmf/OVMF_CODE.fd"; };
nvram =
{
loader = { readonly = true; type = "pflash"; path = "/run/libvirt/nix-ovmf/OVMF_CODE.fd"; };
nvram =
{
template = "/run/libvirt/nix-ovmf/OVMF_VARS.fd";
path = "/var/lib/libvirt/qemu/nvram/${vm.name}_VARS.fd";
templateFormat = "raw";
format = "raw";
};
template = "/run/libvirt/nix-ovmf/OVMF_VARS.fd";
path = "/var/lib/libvirt/qemu/nvram/${vm.name}_VARS.fd";
templateFormat = "raw";
format = "raw";
};
});
};
features = { acpi = {}; apic = {}; };
cpu =
{
mode = "host-passthrough";
topology =
{
sockets = 1;
dies = 1;
cores = if vm.value.cpu.hyprthread then vm.value.cpu.count / 2 else vm.value.cpu.count;
threads = if vm.value.cpu.hyprthread then 2 else 1;
};
};
clock =
{
offset = "utc";
timer =
[
{ name = "rtc"; tickpolicy = "catchup"; }
{ name = "pit"; tickpolicy = "delay"; }
{ name = "hpet"; present = false; }
];
};
devices =
{
emulator = "${inputs.config.virtualisation.libvirtd.qemu.package}/bin/qemu-system-x86_64";
disk =
[
{
type = "file";
device = "disk";
driver = { name = "qemu"; type = "raw"; cache = "none"; discard = "unmap"; };
source.file = "${if vm.value.storage.nodatacow then "/nix/nodatacow" else ""}/var/lib/libvirt/images/"
+ "${vm.value.storage.name}.img";
target = { dev = "vda"; bus = "virtio"; };
boot.order = 1;
}
{
type = "file";
device = "cdrom";
driver = { name = "qemu"; type = "raw"; };
source.file = "${inputs.topInputs.self.src.iso.netboot}";
target = { dev = "sdc"; bus = "sata"; };
readonly = true;
boot.order = 10;
}
];
interface =
{
type = "bridge";
model.type = "virtio";
mac.address = vm.value.network.mac;
source.bridge = if vm.value.network.bridge then "nixvirt" else "virbr0";
};
input =
[
{ type = "tablet"; bus = "usb"; }
{ type = "mouse"; bus = "ps2"; }
{ type = "keyboard"; bus = "ps2"; }
];
graphics =
{
type = "vnc";
autoport = false;
port = vm.value.network.vnc.port;
listen.type = "address";
passwd = inputs.config.sops.placeholder."nixvirt/${vm.name}";
};
video.model = { type = "qxl"; ram = 65536; vram = 65536; vgamem = 16384; heads = 1; primary = true; };
rng = { model = "virtio"; backend = { model = "random"; source = /dev/urandom; }; };
};
};
})
(inputs.localLib.attrsToList nixvirt.instance));
secrets = builtins.listToAttrs (builtins.map
@@ -202,24 +288,25 @@ inputs:
group = "root";
setuid = true;
};
networking.firewall.allowedTCPPorts = builtins.map (vm: vm.network.vnc.port)
(builtins.filter (vm: vm.network.vnc.openFirewall) (builtins.attrValues nixvirt.instance));
# TODO: use existing options
systemd.services.nixvirt-forward =
let
nftRules = builtins.concatLists (builtins.concatLists (builtins.map
(vm: builtins.map
(protocol: builtins.map
(port: "${protocol} dport ${builtins.toString port.host} fib daddr type local counter dnat ip to "
+ "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}"
+ ":${builtins.toString port.guest}")
vm.network.portForward.${protocol})
[ "tcp" "udp" ])
(builtins.attrValues nixvirt.instance)));
nft = "${inputs.pkgs.nftables}/bin/nft";
nftConfigFile = inputs.pkgs.writeText "nixvirt.nft"
''
table inet nixvirt {
networking =
{
firewall.allowedTCPPorts = builtins.map (vm: vm.network.vnc.port)
(builtins.filter (vm: vm.network.vnc.openFirewall) (builtins.attrValues nixvirt.instance));
nftables.tables.nixvirt =
{
family = "inet";
content =
let nftRules = builtins.concatLists (builtins.concatLists (builtins.map
(vm: builtins.map
(protocol: builtins.map
(port: "${protocol} dport ${builtins.toString port.host} fib daddr type local counter dnat ip to "
+ "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}"
+ ":${builtins.toString port.guest}")
vm.network.portForward.${protocol})
[ "tcp" "udp" ])
(builtins.attrValues nixvirt.instance)));
in
''
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
${builtins.concatStringsSep "\n" nftRules}
@@ -228,22 +315,13 @@ inputs:
type nat hook output priority dstnat; policy accept;
${builtins.concatStringsSep "\n" nftRules}
}
}
'';
start = inputs.pkgs.writeShellScript "nixvirt.start" "${nft} -f ${nftConfigFile}";
stop = inputs.pkgs.writeShellScript "nixvirt.stop" "${nft} delete table inet nixvirt";
in
{
description = "nixvirt port forward";
after = [ "nftables.service" "nixvirt.service" ];
serviceConfig =
{
Type = "oneshot";
RemainAfterExit = true;
ExecStart = start;
ExecStop = stop;
};
wantedBy= [ "multi-user.target" ];
'';
};
};
boot.kernelParams =
let cpusets = builtins.concatLists (builtins.map
(vm: vm.cpu.set)
(builtins.filter (vm: vm.cpu.set != null) (builtins.attrValues nixvirt.instance)));
in inputs.lib.mkIf (cpusets != []) [ "isolcpus=${builtins.concatStringsSep "," cpusets}" ];
};
}

43
modules/services/rsshub.nix
View File

@@ -4,41 +4,26 @@ inputs:
{
type = types.nullOr (types.submodule { options =
{
hostname = mkOption { type = types.nonEmptyStr; default = "rsshub.chn.moe"; };
hostname = mkOption { type = types.str; default = "rsshub.chn.moe"; };
};});
default = null;
};
config = let inherit (inputs.config.nixos.services) rsshub; in inputs.lib.mkIf (rsshub != null)
{
systemd =
virtualisation.oci-containers.containers.rsshub =
{
services.rsshub =
{
description = "rsshub";
after = [ "network.target" "redis-rsshub.service" ];
requires = [ "redis-rsshub.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
{
User = "rsshub";
Group = "rsshub";
EnvironmentFile = inputs.config.sops.templates."rsshub/env".path;
WorkingDirectory = "${inputs.pkgs.localPackages.rsshub}";
ExecStart = "${inputs.pkgs.localPackages.rsshub}/bin/rsshub";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
restartTriggers = [ inputs.config.sops.templates."rsshub/env".content ];
};
tmpfiles.rules = [ "d /var/cache/rsshub 0700 rsshub rsshub" ];
image = "rsshub:latest";
imageFile = inputs.topInputs.self.src.rsshub;
ports = [ "127.0.0.1:5221:5221/tcp" ];
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
environmentFiles = [ inputs.config.sops.templates."rsshub/env".path ];
};
sops =
{
templates."rsshub/env".content = let placeholder = inputs.config.sops.placeholder; in
''
PORT=5221
CACHE_TYPE=redis
REDIS_URL='redis://:${placeholder."redis/rsshub"}@127.0.0.1:7116'
CACHE_TYPE=memory
PIXIV_REFRESHTOKEN='${placeholder."rsshub/pixiv-refreshtoken"}'
YOUTUBE_KEY='${placeholder."rsshub/youtube-key"}'
YOUTUBE_CLIENT_ID='${placeholder."rsshub/youtube-client-id"}'
@@ -59,15 +44,7 @@ inputs:
"zhihu-cookies"
]));
};
users =
{
users.rsshub = { uid = inputs.config.nixos.user.uid.rsshub; group = "rsshub"; isSystemUser = true; };
groups.rsshub.gid = inputs.config.nixos.user.gid.rsshub;
};
nixos.services =
{
redis.instances.rsshub.port = 7116;
nginx = { enable = true; https.${rsshub.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5221"; };
};
nixos.services.nginx =
{ enable = true; https.${rsshub.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5221"; };
};
}

2
modules/services/slurm.nix
View File

@@ -53,7 +53,7 @@ inputs:
{
slurm =
{
package = (inputs.pkgs.slurm.override { enableGtk2 = true; }).overrideAttrs
package = (inputs.pkgs.slurm.override { enableX11 = false; enableNVML = false; }).overrideAttrs
(prev:
let
inherit (inputs.config.nixos.system.nixpkgs) cuda;

6
modules/services/sshd/default.nix
View File

@@ -6,6 +6,7 @@ inputs:
{
passwordAuthentication = mkOption { type = types.bool; default = false; };
groupBanner = mkOption { type = types.bool; default = false; };
motd = mkOption { type = types.bool; default = false; };
};});
default = null;
};
@@ -25,8 +26,7 @@ inputs:
};
};
}
# 如果是服务器,那么启用 motd
(inputs.lib.mkIf (inputs.config.nixos.model.type == "server")
(inputs.lib.mkIf sshd.motd
{
nixos =
{
@@ -34,7 +34,7 @@ inputs:
[ (inputs.pkgs.fancy-motd.overrideAttrs { src = inputs.topInputs.fancy-motd; }) ];
user.sharedModules = [(home-inputs: { config.programs.zsh.loginExtra =
''
[ -f /etc/fancy-motd/banner ] && lolcat -f /etc/fancy-motd/banner
[ -f /etc/fancy-motd/banner ] && (lolcat -f /etc/fancy-motd/banner 2> /dev/null)
motd
'';})];
};

457
modules/services/xray.nix
View File

@@ -2,32 +2,38 @@ inputs:
{
options.nixos.services.xray = let inherit (inputs.lib) mkOption types; in
{
client =
client = mkOption
{
enable = mkOption { type = types.bool; default = false; };
xray =
type = types.nullOr (types.submodule (submoduleInputs: { options =
{
serverAddress = mkOption { type = types.nonEmptyStr; default = "144.34.225.59"; };
serverName = mkOption { type = types.nonEmptyStr; default = "vps6.xserver.chn.moe"; };
};
dnsmasq =
{
extraInterfaces = mkOption
xray =
{
type = types.listOf types.nonEmptyStr;
default = inputs.lib.optional (inputs.config.nixos.services.docker != null) "docker0";
serverName = mkOption { type = types.nonEmptyStr; default = "xserver2.chn.moe"; };
serverAddress = mkOption
{
type = types.nonEmptyStr;
default = inputs.topInputs.self.config.dns."chn.moe".getAddress
(inputs.lib.removeSuffix ".chn.moe" submoduleInputs.config.xray.serverName);
};
};
hosts = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
};
v2ray-forwarder.noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
# 是否允许代理来自其它机器的流量(相关端口会被放行)
allowForward = mkOption { type = types.bool; default = true; };
dnsmasq =
{
extraInterfaces = mkOption
{
type = types.listOf types.nonEmptyStr;
default = inputs.lib.optional (inputs.config.nixos.services.docker != null) "docker0";
};
hosts = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
};
v2ray-forwarder.noproxyUsers = mkOption { type = types.listOf types.nonEmptyStr; default = [ "gb" "xll" ]; };
};}));
default = null;
};
server = mkOption
{
type = types.nullOr (types.submodule { options =
{
serverName = mkOption { type = types.nonEmptyStr; };
serverName = mkOption { type = types.nonEmptyStr; default = "xserver2.chn.moe"; };
};});
default = null;
};
@@ -37,12 +43,12 @@ inputs:
{
assertions =
[{
assertion = !(xray.client.enable && xray.server != null);
assertion = !(xray.client != null && xray.server != null);
message = "Currenty xray.client and xray.server could not be simutaniusly enabled.";
}];
}
(
inputs.lib.mkIf xray.client.enable
inputs.lib.mkIf (xray.client != null)
{
services =
{
@@ -57,7 +63,7 @@ inputs:
server = [ "127.0.0.1#10853" ];
interface = xray.client.dnsmasq.extraInterfaces ++ [ "lo" ];
bind-dynamic = true;
address = map (host: "/${host.name}/${host.value}")
address = builtins.map (host: "/${host.name}/${host.value}")
(inputs.localLib.attrsToList xray.client.dnsmasq.hosts);
};
};
@@ -69,132 +75,127 @@ inputs:
{
owner = inputs.config.users.users.v2ray.name;
group = inputs.config.users.users.v2ray.group;
content =
let
chinaDns = "223.5.5.5";
foreignDns = "8.8.8.8";
in
builtins.toJSON
content = let chinaDns = "223.5.5.5"; foreignDns = "8.8.8.8"; in builtins.toJSON
{
log.loglevel = "warning";
dns =
{
log.loglevel = "warning";
dns =
{
servers =
# 先尝试匹配域名列表进行查询,若匹配成功则使用前两个 dns 查询。
# 若匹配域名列表失败,或者匹配成功但是查询到的 IP 不在期望的 IP 列表中,则回落到使用后两个 dns 依次查询。
[
{
address = chinaDns;
domains = [ "geosite:geolocation-cn" ];
expectIPs = [ "geoip:cn" ];
skipFallback = true;
}
{
address = foreignDns;
domains = [ "geosite:geolocation-!cn" ];
expectIPs = [ "geoip:!cn" ];
skipFallback = true;
}
{ address = chinaDns; expectIPs = [ "geoip:cn" ]; }
{ address = foreignDns; }
];
disableCache = true;
queryStrategy = "UseIPv4";
tag = "dns-internal";
};
inbounds =
servers =
# 先尝试匹配域名列表进行查询,若匹配成功则使用前两个 dns 查询。
# 若匹配域名列表失败,或者匹配成功但是查询到的 IP 不在期望的 IP 列表中,则回落到使用后两个 dns 依次查询。
[
{
port = 10853;
protocol = "dokodemo-door";
settings = { address = "8.8.8.8"; network = "tcp,udp"; port = 53; };
tag = "dns-in";
address = chinaDns;
domains = [ "geosite:geolocation-cn" ];
expectIPs = [ "geoip:cn" ];
skipFallback = true;
}
{
port = 10880;
protocol = "dokodemo-door";
settings = { network = "tcp,udp"; followRedirect = true; };
streamSettings.sockopt.tproxy = "tproxy";
sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
tag = "common-in";
address = foreignDns;
domains = [ "geosite:geolocation-!cn" ];
expectIPs = [ "geoip:!cn" ];
skipFallback = true;
}
{
port = 10881;
protocol = "dokodemo-door";
settings = { network = "tcp,udp"; followRedirect = true; };
streamSettings.sockopt.tproxy = "tproxy";
tag = "xmu-in";
}
{
port = 10883;
protocol = "dokodemo-door";
settings = { network = "tcp,udp"; followRedirect = true; };
streamSettings.sockopt.tproxy = "tproxy";
tag = "proxy-in";
}
{ port = 10884; protocol = "socks"; settings.udp = true; tag = "proxy-socks-in"; }
{ port = 10882; protocol = "socks"; settings.udp = true; tag = "direct-in"; }
{ address = chinaDns; expectIPs = [ "geoip:cn" ]; }
{ address = foreignDns; }
];
outbounds =
[
{
protocol = "vless";
settings.vnext =
[{
address = xray.client.xray.serverAddress;
port = 443;
users =
[{
id = inputs.config.sops.placeholder."xray-client/uuid";
encryption = "none";
flow = "xtls-rprx-vision-udp443";
}];
}];
streamSettings =
{
network = "raw";
security = "reality";
realitySettings =
{
serverName = xray.client.xray.serverName;
publicKey = "Nl0eVZoDF9d71_3dVsZGJl3UWR9LCv3B14gu7G6vhjk";
fingerprint = "firefox";
};
};
tag = "proxy-vless";
}
{ protocol = "freedom"; tag = "direct"; }
{ protocol = "dns"; tag = "dns-out"; }
{
protocol = "socks";
settings.servers = [{ address = "127.0.0.1"; port = 10069; }];
tag = "xmu-out";
}
{ protocol = "blackhole"; tag = "block"; }
];
routing =
{
domainStrategy = "AsIs";
rules = builtins.map (rule: rule // { type = "field"; })
[
{ inboundTag = [ "dns-in" ]; outboundTag = "dns-out"; }
{ inboundTag = [ "dns-internal" ]; ip = [ chinaDns ]; outboundTag = "direct"; }
{ inboundTag = [ "dns-internal" ]; ip = [ foreignDns ]; outboundTag = "proxy-vless"; }
{ inboundTag = [ "dns-internal" ]; outboundTag = "block"; }
{ inboundTag = [ "xmu-in" ]; outboundTag = "xmu-out"; }
{ inboundTag = [ "direct-in" ]; outboundTag = "direct"; }
{ inboundTag = [ "proxy-in" "proxy-socks-in" ]; outboundTag = "proxy-vless"; }
{ inboundTag = [ "common-in" ]; domain = [ "geosite:geolocation-cn" ]; outboundTag = "direct"; }
{
inboundTag = [ "common-in" ];
domain = [ "geosite:geolocation-!cn" ];
outboundTag = "proxy-vless";
}
{ inboundTag = [ "common-in" ]; ip = [ "geoip:cn" ]; outboundTag = "direct"; }
{ inboundTag = [ "common-in" ]; outboundTag = "proxy-vless"; }
];
};
disableCache = true;
queryStrategy = "UseIPv4";
tag = "dns-internal";
};
inbounds =
[
{
port = 10853;
protocol = "dokodemo-door";
settings = { address = "8.8.8.8"; network = "tcp,udp"; port = 53; };
tag = "dns-in";
}
{
port = 10880;
protocol = "dokodemo-door";
settings = { network = "tcp,udp"; followRedirect = true; };
streamSettings.sockopt.tproxy = "tproxy";
sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
tag = "common-in";
}
{
port = 10881;
protocol = "dokodemo-door";
settings = { network = "tcp,udp"; followRedirect = true; };
streamSettings.sockopt.tproxy = "tproxy";
tag = "xmu-in";
}
{
port = 10883;
protocol = "dokodemo-door";
settings = { network = "tcp,udp"; followRedirect = true; };
streamSettings.sockopt.tproxy = "tproxy";
tag = "proxy-in";
}
{ port = 10884; protocol = "socks"; settings.udp = true; tag = "proxy-socks-in"; }
{ port = 10882; protocol = "socks"; settings.udp = true; tag = "direct-in"; }
];
outbounds =
[
{
protocol = "vless";
settings.vnext =
[{
address = xray.client.xray.serverAddress;
port = 443;
users =
[{
id = inputs.config.sops.placeholder."xray-client/uuid";
encryption = "none";
flow = "xtls-rprx-vision-udp443";
}];
}];
streamSettings =
{
network = "raw";
security = "reality";
realitySettings =
{
inherit (xray.client.xray) serverName;
publicKey = "Nl0eVZoDF9d71_3dVsZGJl3UWR9LCv3B14gu7G6vhjk";
fingerprint = "firefox";
};
};
tag = "proxy-vless";
}
{ protocol = "freedom"; tag = "direct"; }
{ protocol = "dns"; tag = "dns-out"; }
{
protocol = "socks";
settings.servers = [{ address = "127.0.0.1"; port = 10069; }];
tag = "xmu-out";
}
{ protocol = "blackhole"; tag = "block"; }
];
routing =
{
domainStrategy = "AsIs";
rules = builtins.map (rule: rule // { type = "field"; })
[
{ inboundTag = [ "dns-in" ]; outboundTag = "dns-out"; }
{ inboundTag = [ "dns-internal" ]; ip = [ chinaDns ]; outboundTag = "direct"; }
{ inboundTag = [ "dns-internal" ]; ip = [ foreignDns ]; outboundTag = "proxy-vless"; }
{ inboundTag = [ "dns-internal" ]; outboundTag = "block"; }
{ inboundTag = [ "xmu-in" ]; outboundTag = "xmu-out"; }
{ inboundTag = [ "direct-in" ]; outboundTag = "direct"; }
{ inboundTag = [ "proxy-in" "proxy-socks-in" ]; outboundTag = "proxy-vless"; }
{ inboundTag = [ "common-in" ]; domain = [ "geosite:geolocation-cn" ]; outboundTag = "direct"; }
{
inboundTag = [ "common-in" ];
domain = [ "geosite:geolocation-!cn" ];
outboundTag = "proxy-vless";
}
{ inboundTag = [ "common-in" ]; ip = [ "geoip:cn" ]; outboundTag = "direct"; }
{ inboundTag = [ "common-in" ]; outboundTag = "proxy-vless"; }
];
};
};
};
secrets."xray-client/uuid" = {};
};
@@ -215,93 +216,26 @@ inputs:
};
restartTriggers = [ inputs.config.sops.templates."xray-client.json".file ];
};
# TODO: use existing options
v2ray-forwarder =
{
description = "v2ray-forwarder Daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
let
ip = "${inputs.pkgs.iproute2}/bin/ip";
nft = "${inputs.pkgs.nftables}/bin/nft";
autoPort = "10880";
xmuPort = "10881";
proxyPort = "10883";
in
{
Type = "oneshot";
RemainAfterExit = true;
ExecStart =
let
loNet =
[
"0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12"
"192.0.0.0/24" "192.88.99.0/24" "192.168.0.0/16" "59.77.0.143" "198.18.0.0/15"
"198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4"
];
loNetStr = builtins.concatStringsSep ", " loNet;
noproxyUserStr = builtins.concatStringsSep ", " (builtins.map
(user: builtins.toString inputs.config.nixos.user.uid.${user})
(xray.client.v2ray-forwarder.noproxyUsers ++ [ "v2ray" ]));
nftConfigFile = inputs.pkgs.writeText "v2ray.nft"
''
table inet v2ray {
set lo_net { type ipv4_addr; flags interval; elements = { ${loNetStr} }; }
set xmu_net { type ipv4_addr; flags interval; }
set noproxy_net { type ipv4_addr; flags interval; elements = { 223.5.5.5 }; }
set noproxy_src_net { type ipv4_addr; flags interval; }
set proxy_net { type ipv4_addr; flags interval; elements = { 8.8.8.8 }; }
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
meta l4proto != { tcp, udp } counter return
#
fib daddr type local ct state new counter ct mark set ct mark | 1 return
ct mark & 1 == 1 counter return
ip saddr @noproxy_src_net return
ip daddr @noproxy_net return
ip saddr != 172.16.0.0/12 ip daddr @xmu_net meta l4proto { tcp, udp } \
tproxy ip to :${xmuPort} meta mark set meta mark | 1
ip daddr @proxy_net meta l4proto { tcp, udp } tproxy ip to :${proxyPort} \
meta mark set meta mark | 1
ip daddr @lo_net return
meta l4proto { tcp, udp } tproxy ip to :${autoPort} meta mark set meta mark | 1
return
}
chain output {
type route hook output priority mangle; policy accept;
ct mark & 1 == 1 counter return
meta skuid { ${noproxyUserStr} } return
ip saddr @noproxy_src_net return
ip daddr @noproxy_net return
ip daddr @xmu_net meta mark set meta mark | 1
ip daddr @proxy_net meta mark set meta mark | 1
ip daddr @lo_net return
meta l4proto { tcp, udp } meta mark set meta mark | 1
return
}
}
'';
in inputs.pkgs.writeShellScript "v2ray-forwarder.start"
''
${nft} -f ${nftConfigFile}
${ip} rule add fwmark 1/1 table 100
${ip} route add local 0.0.0.0/0 dev lo table 100
'';
ExecStop = inputs.pkgs.writeShellScript "v2ray-forwarder.stop"
''
${nft} delete table inet v2ray
${ip} rule del fwmark 1/1 table 100
${ip} route del local 0.0.0.0/0 dev lo table 100
'';
};
serviceConfig = let ip = "${inputs.pkgs.iproute2}/bin/ip"; in
{
Type = "oneshot";
RemainAfterExit = true;
ExecStart = inputs.pkgs.writeShellScript "v2ray-forwarder.start"
''
${ip} rule add fwmark 1/1 table 100
${ip} route add local 0.0.0.0/0 dev lo table 100
'';
ExecStop = inputs.pkgs.writeShellScript "v2ray-forwarder.stop"
''
${ip} rule del fwmark 1/1 table 100
${ip} route del local 0.0.0.0/0 dev lo table 100
'';
};
};
};
users =
@@ -310,12 +244,77 @@ inputs:
groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
};
environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
networking.firewall =
networking =
{
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
allowedTCPPortRanges = [{ from = 10880; to = 10884; }];
allowedUDPPortRanges = [{ from = 10880; to = 10884; }];
nftables.tables.v2ray =
{
family = "inet";
content =
let
autoPort = "10880";
xmuPort = "10881";
proxyPort = "10883";
loNet =
[
"0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12"
"192.0.0.0/24" "192.88.99.0/24" "192.168.0.0/16" "59.77.0.143" "198.18.0.0/15"
"198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "240.0.0.0/4"
];
loNetStr = builtins.concatStringsSep ", " loNet;
noproxyUserStr = builtins.concatStringsSep ", " (builtins.map
(user: builtins.toString inputs.config.nixos.user.uid.${user})
(xray.client.v2ray-forwarder.noproxyUsers ++ [ "v2ray" ]));
in
''
set lo_net { type ipv4_addr; flags interval; elements = { ${loNetStr} }; }
set xmu_net { type ipv4_addr; flags interval; }
set noproxy_net { type ipv4_addr; flags interval; elements = { 223.5.5.5 }; }
set noproxy_src_net { type ipv4_addr; flags interval; }
set proxy_net { type ipv4_addr; flags interval; elements = { 8.8.8.8 }; }
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
meta l4proto != { tcp, udp } counter return
#
fib daddr type local ct state new counter ct mark set ct mark | 1 return
ct mark & 1 == 1 counter return
ip saddr @noproxy_src_net return
ip daddr @noproxy_net return
ip saddr != 172.16.0.0/12 ip daddr @xmu_net meta l4proto { tcp, udp } \
tproxy ip to :${xmuPort} meta mark set meta mark | 1
ip daddr @proxy_net meta l4proto { tcp, udp } tproxy ip to :${proxyPort} \
meta mark set meta mark | 1
ip daddr @lo_net return
meta l4proto { tcp, udp } tproxy ip to :${autoPort} meta mark set meta mark | 1
return
}
chain output {
type route hook output priority mangle; policy accept;
ct mark & 1 == 1 counter return
meta skuid { ${noproxyUserStr} } return
ip saddr @noproxy_src_net return
ip daddr @noproxy_net return
ip daddr @xmu_net meta mark set meta mark | 1
ip daddr @proxy_net meta mark set meta mark | 1
ip daddr @lo_net return
meta l4proto { tcp, udp } meta mark set meta mark | 1
return
}
'';
};
firewall =
{
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
allowedTCPPortRanges = [{ from = 10880; to = 10884; }];
allowedUDPPortRanges = [{ from = 10880; to = 10884; }];
};
};
}
)
@@ -327,11 +326,7 @@ inputs:
.xray-server.clients;
in
{
services.xray =
{
enable = true;
settingsFile = inputs.config.sops.templates."xray-server.json".path;
};
services.xray = { enable = true; settingsFile = inputs.config.sops.templates."xray-server.json".path; };
sops =
{
templates."xray-server.json" =
@@ -353,7 +348,7 @@ inputs:
protocol = "vless";
settings =
{
clients = map
clients = builtins.map
(n:
{
id = inputs.config.sops.placeholder."xray-server/clients/${n}";

36
modules/services/xrdp.nix
View File

@@ -1,36 +0,0 @@
inputs:
{
options.nixos.services.xrdp = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
port = mkOption { type = types.ints.unsigned; default = 3389; };
hostname = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
};
config = let inherit (inputs.config.nixos.services) xrdp;
in inputs.lib.mkIf xrdp.enable (inputs.lib.mkMerge
[
{
services.xrdp =
{
enable = true;
port = xrdp.port;
openFirewall = true;
defaultWindowManager = "${inputs.pkgs.plasma-workspace}/bin/startplasma-x11";
};
}
(
inputs.lib.mkIf (xrdp.hostname != null)
(
let mainDomain = builtins.elemAt xrdp.hostname 0;
in
{
services.xrdp =
let keydir = inputs.config.security.acme.certs.${mainDomain}.directory;
in { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
nixos.services.acme.cert.${mainDomain} =
{ domains = xrdp.hostname; group = inputs.config.systemd.services.xrdp.serviceConfig.Group; };
}
)
)
]);
}

4
modules/system/default.nix
View File

@@ -5,6 +5,7 @@ inputs:
{
services =
{
dbus.implementation = "broker";
fstrim.enable = true;
acpid.enable = true;
# TODO: set ipfs as separate service
@@ -15,9 +16,6 @@ inputs:
{
supportedFilesystems = [ "ntfs" "nfs" "nfsv4" ];
# consoleLogLevel = 7;
kernelParams = inputs.lib.mkIf
(builtins.elem inputs.config.nixos.system.grub.installDevice [ "efi" "efiRemovable" ])
[ "plymouth.use-simpledrm" ];
};
hardware = { enableAllFirmware = true; bluetooth.enable = true; sensor.iio.enable = true; };
environment =

70
modules/system/fileSystems/nfs.nix
View File

@@ -13,41 +13,45 @@ inputs:
]);
default = {};
};
config = let inherit (inputs.config.nixos.system.fileSystems.mount) nfs; in inputs.lib.mkIf (nfs != {})
{
fileSystems = builtins.listToAttrs (builtins.map
(device:
config =
let inherit (inputs.config.nixos.system.fileSystems.mount) nfs;
in inputs.lib.mkIf (nfs != {}) (inputs.lib.mkMerge
[
{
name = device.value.mountPoint or device.value;
value =
fileSystems = builtins.listToAttrs (builtins.map
(device:
{
name = device.value.mountPoint or device.value;
value =
{
device = device.name;
fsType = "nfs4";
neededForBoot = device.value.hard or true;
options = builtins.concatLists
[
# sync every seconds
[ "actimeo=1" "noatime" ]
# when try to mount at startup, wait 15 minutes before giving up
(inputs.lib.optionals (device.value.hard or true) [ "retry=15" "x-systemd.device-timeout=15min" ])
# do not fail, just try continuously in background
# nfs4 use tcp, tcp itself will retransmit several times, which is enough
(inputs.lib.optionals (!(device.value.hard or true))
[ "bg" "soft" "retrans=1" "timeo=20" "softreval" "x-systemd.requires=network-online.target" ])
];
};
})
(inputs.localLib.attrsToList nfs));
services.rpcbind.enable = true;
}
(inputs.lib.mkIf (builtins.any (mount: mount.hard or true) (builtins.attrValues nfs))
{
boot.initrd.systemd.extraBin =
{
device = device.name;
fsType = "nfs4";
neededForBoot = device.value.hard or true;
options = builtins.concatLists
[
# sync every seconds
[ "actimeo=1" "noatime" ]
# when try to mount at startup, wait 15 minutes before giving up
(inputs.lib.optionals (device.value.hard or true) [ "retry=15" "x-systemd.device-timeout=15min" ])
# do not fail, just try continuously in background
# nfs4 use tcp, tcp itself will retransmit several times, which is enough
(inputs.lib.optionals (!(device.value.hard or true))
[ "bg" "soft" "retrans=1" "timeo=20" "softreval" "x-systemd.requires=network-online.target" ])
];
"ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
"mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
"mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
};
nixos.system.initrd.network = {};
})
(inputs.localLib.attrsToList nfs));
boot.initrd = inputs.lib.mkIf (builtins.any (mount: mount.hard or true) (builtins.attrValues nfs))
{
network.enable = true;
systemd.extraBin =
{
"ifconfig" = "${inputs.pkgs.nettools}/bin/ifconfig";
"mount.nfs" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs";
"mount.nfs4" = "${inputs.pkgs.nfs-utils}/bin/mount.nfs4";
};
};
services.rpcbind.enable = true;
};
]);
}

2
modules/system/font.nix
View File

@@ -1,6 +1,6 @@
inputs:
{
config = inputs.lib.mkIf (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
config = inputs.lib.mkIf (inputs.config.nixos.model.type == "desktop")
{
fonts =
{

2
modules/system/gui.nix
View File

@@ -3,7 +3,7 @@ inputs:
config = inputs.lib.mkMerge
[
# enable gui
(inputs.lib.mkIf (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
(inputs.lib.mkIf (inputs.config.nixos.model.type == "desktop")
{
services =
{

56
modules/system/initrd.nix
View File

@@ -3,6 +3,15 @@ inputs:
options.nixos.system.initrd = let inherit (inputs.lib) mkOption types; in
{
sshd = mkOption { type = types.nullOr (types.submodule {}); default = null; };
network = mkOption
{
type = types.nullOr (types.submodule { options =
{
# null: enable all interfaces configured in systemd.network
interfaces = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
};});
default = null;
};
};
config = let inherit (inputs.config.nixos.system) initrd; in inputs.lib.mkMerge
[
@@ -16,17 +25,54 @@ inputs:
(
inputs.lib.mkIf (initrd.sshd != null)
{
boot.initrd.network.ssh =
{ enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
nixos.system.initrd.network = {};
}
)
(
inputs.lib.mkIf (initrd.network != null)
{
assertions =
[{
assertion = inputs.config.nixos.system.network != null;
message = "initrd network requires systemd networkd.";
}];
boot =
{
initrd =
{
network =
{
enable = true;
ssh = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
};
network.enable = true;
# resolved does not work in initrd, causing network.target to fail
services.resolved.enable = false;
systemd.network =
let inherit (inputs.config.nixos.system.network) dhcp static bridge; in
let
networks = inputs.lib.unique
(
dhcp ++ (builtins.attrNames static) ++ (builtins.attrNames bridge)
++ (builtins.concatLists (builtins.map (network: network.interfaces) (builtins.attrValues bridge)))
);
netdevs = builtins.attrNames bridge;
in
{
networks = builtins.listToAttrs (builtins.map
(network: { name = "10-${network}"; value = inputs.config.systemd.network.networks."10-${network}"; })
(builtins.filter
(network:
if initrd.network.interfaces == null then true
else builtins.elem network initrd.network.interfaces
)
networks));
netdevs = builtins.listToAttrs (builtins.map
(netdev: { name = "10-${netdev}"; value = inputs.config.systemd.network.netdevs."10-${netdev}"; })
(builtins.filter
(netdev:
if initrd.network.interfaces == null then true
else builtins.elem netdev initrd.network.interfaces
)
netdevs));
};
};
# do not use ip=xxx, as it will override systemd-networkd configurations
# kernelParams = [ "ip=on" ];

116
modules/system/kernel/default.nix
View File

@@ -4,72 +4,66 @@ inputs:
{
variant = mkOption
{
type = types.nullOr (types.enum [ "nixos" "xanmod-lts" "xanmod-latest" "cachyos" "cachyos-lts" ]);
type = types.nullOr (types.enum [ "nixos" "xanmod-lts" "xanmod-latest" ]);
default = "xanmod-lts";
};
patches = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
modules.modprobeConfig = mkOption { type = types.listOf types.str; default = []; };
};
config = let inherit (inputs.config.nixos.system) kernel; in inputs.lib.mkMerge
[
config = let inherit (inputs.config.nixos.system) kernel; in
{
boot =
{
boot =
kernelModules = [ "br_netfilter" ];
# modprobe --show-depends
initrd.availableKernelModules =
[
"bfq" "failover" "net_failover" "nls_cp437" "nls_iso8859-1" "sd_mod"
"sr_mod" "usbcore" "usbhid" "usbip-core" "usb-common" "usb_storage" "vhci-hcd" "virtio" "virtio_blk"
"virtio_net" "virtio_ring" "virtio_scsi" "cryptd" "libaes"
"ahci" "ata_piix" "nvme" "sdhci_acpi" "virtio_pci" "xhci_pci"
# network for nas
"igb"
# disk for srv1
"megaraid_sas"
# disks for cluster
"nfs" "nfsv4"
# netowrk for srv1
"bnx2x" "tg3"
# network for srv2
"e1000e" "igb" "atlantic" "igc"
# temp wireless for nas
"r8712u"
# network for srv3
"igb"
# touchscreen for one
"pinctrl-tigerlake"
# bridge network
"bridge"
]
++ (inputs.lib.optionals (kernel.variant != "nixos") [ "crypto_simd" ]);
extraModulePackages = with inputs.config.boot.kernelPackages; [ v4l2loopback zenpower ];
extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
kernelParams = [ "delayacct" ];
kernelPackages = inputs.lib.mkIf (kernel.variant != null)
{
kernelModules = [ "br_netfilter" ];
# modprobe --show-depends
initrd.availableKernelModules =
[
"bfq" "failover" "net_failover" "nls_cp437" "nls_iso8859-1" "sd_mod"
"sr_mod" "usbcore" "usbhid" "usbip-core" "usb-common" "usb_storage" "vhci-hcd" "virtio" "virtio_blk"
"virtio_net" "virtio_ring" "virtio_scsi" "cryptd" "libaes"
"ahci" "ata_piix" "nvme" "sdhci_acpi" "virtio_pci" "xhci_pci"
# networking for nas
"igb"
# disk for srv1
"megaraid_sas"
# disks for cluster
"nfs" "nfsv4"
# netowrk for srv1
"bnx2x" "tg3"
# network for srv2
"e1000e" "igb" "atlantic" "igc"
# temp wireless for nas
"r8712u"
# network for srv3
"igb"
]
++ (inputs.lib.optionals (kernel.variant != "nixos") [ "crypto_simd" ]);
extraModulePackages = with inputs.config.boot.kernelPackages; [ v4l2loopback zenpower ];
extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
kernelParams = [ "delayacct" ];
kernelPackages = inputs.lib.mkIf (kernel.variant != null)
{
nixos = inputs.pkgs.linuxPackages;
xanmod-lts = inputs.pkgs.linuxPackages_xanmod;
xanmod-latest = inputs.pkgs.linuxPackages_xanmod_latest;
cachyos = inputs.pkgs.linuxPackages_cachyos;
# TODO: package cachyos-lts
cachyos-lts = inputs.pkgs.linuxPackages_cachyos_lts;
}.${kernel.variant};
kernelPatches =
let
patches =
{
hibernate-progress =
[{
name = "hibernate-progress";
patch =
let version = inputs.lib.versions.majorMinor inputs.config.boot.kernelPackages.kernel.version;
in ./hibernate-progress-${version}.patch;
}];
};
in builtins.concatLists (builtins.map (name: patches.${name}) kernel.patches);
};
}
# enable scx when using cachyos
(
inputs.lib.mkIf (builtins.elem kernel.variant [ "cachyos" "cachyos-lts" ])
{ services.scx = { enable = true; scheduler = "scx_rustland"; }; }
)
];
nixos = inputs.pkgs.linuxPackages;
xanmod-lts = inputs.pkgs.linuxPackages_xanmod;
xanmod-latest = inputs.pkgs.linuxPackages_xanmod_latest;
}.${kernel.variant};
kernelPatches =
let
patches =
{
hibernate-progress =
[{
name = "hibernate-progress";
patch =
let version = inputs.lib.versions.majorMinor inputs.config.boot.kernelPackages.kernel.version;
in ./hibernate-progress-${version}.patch;
}];
};
in builtins.concatLists (builtins.map (name: patches.${name}) kernel.patches);
};
};
}

72
modules/system/networking.nix → modules/system/network.nix
View File

@@ -1,6 +1,6 @@
inputs:
{
options.nixos.system.networking = let inherit (inputs.lib) mkOption types; in mkOption
options.nixos.system.network = let inherit (inputs.lib) mkOption types; in mkOption
{
# null: use network-manager; otherwise use networkd
type = types.nullOr (types.submodule { options =
@@ -17,12 +17,22 @@ inputs:
};});
default = {};
};
bridge = mkOption
{
type = types.attrsOf (types.submodule { options =
{
interfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};});
default = {};
};
# wpa_passphrase SSID(wifi name) PSK(password)
wireless = mkOption { type = types.nullOr (types.listOf types.nonEmptyStr); default = null; };
trust = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
masquerade = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};});
default = null;
};
config = let inherit (inputs.config.nixos.system) networking; in inputs.lib.mkMerge
config = let inherit (inputs.config.nixos.system) network; in inputs.lib.mkMerge
[
# general config
{
@@ -51,7 +61,7 @@ inputs:
};
networking.nftables = { enable = true; flushRuleset = false; };
}
(inputs.localLib.mkConditional (networking == null)
(inputs.localLib.mkConditional (network == null)
{
networking.networkmanager =
{
@@ -65,9 +75,9 @@ inputs:
systemd.network =
{
enable = true;
networks = builtins.listToAttrs
(
(builtins.map
networks = inputs.lib.mkMerge
[
(builtins.listToAttrs (builtins.map
(network:
{
name = "10-${network}";
@@ -78,8 +88,8 @@ inputs:
linkConfig.RequiredForOnline = "routable";
};
})
networking.dhcp)
++ (builtins.map
network.dhcp))
(builtins.listToAttrs (builtins.map
(network:
{
name = "10-${network.name}";
@@ -93,31 +103,63 @@ inputs:
dns = inputs.lib.mkIf (network.value.dns != null) [ network.value.dns ];
};
})
(inputs.localLib.attrsToList networking.static))
);
(inputs.localLib.attrsToList network.static)))
(builtins.listToAttrs (builtins.map
(network:
{
name = "10-${network.name}";
value =
{
matchConfig.Name = network.name;
bridgeConfig = {};
linkConfig.RequiredForOnline = "routable";
};
})
(inputs.localLib.attrsToList network.bridge)))
(builtins.listToAttrs (builtins.concatLists (builtins.map
(bridge: builtins.map
(network:
{
name = "10-${network}";
value =
{
matchConfig.Name = network;
networkConfig.Bridge = bridge.name;
linkConfig.RequiredForOnline = "enslaved";
};
}) bridge.value.interfaces)
(inputs.localLib.attrsToList network.bridge))))
(builtins.listToAttrs (builtins.map
(network: { name = "10-${network}"; value.networkConfig.IPMasquerade = "both"; })
network.masquerade))
];
netdevs = builtins.listToAttrs (builtins.map
(network: { name = "10-${network}"; value.netdevConfig = { Name = network; Kind = "bridge"; }; })
(builtins.attrNames network.bridge));
};
networking =
{
useNetworkd = true;
wireless = inputs.lib.mkIf (networking.wireless != null)
wireless = inputs.lib.mkIf (network.wireless != null)
{
enable = true;
networks = builtins.listToAttrs (builtins.map
(network: { name = network; value.pskRaw = "ext:${network}"; })
networking.wireless);
network.wireless);
secretsFile = inputs.config.sops.templates."wireless.env".path;
};
firewall.trustedInterfaces = network.trust;
};
# dnsable dns fallback, use provided dns servers or no dns
services.resolved.fallbackDns = [];
sops = inputs.lib.mkIf (networking.wireless != null)
sops = inputs.lib.mkIf (network.wireless != null)
{
templates."wireless.env".content = builtins.concatStringsSep "\n" (builtins.map
(network: "${network}=${inputs.config.sops.placeholder."wireless/${network}"}")
networking.wireless);
network.wireless);
secrets = builtins.listToAttrs (builtins.map
(network: { name = "wireless/${network}"; value = {}; })
networking.wireless);
network.wireless);
};
})
];

105
modules/system/nixpkgs/buildNixpkgsConfig.nix
View File

@@ -13,34 +13,33 @@ let
{ cudaForwardCompat = nixpkgs.cuda.forwardCompat; })
);
allowInsecurePredicate = p: inputs.lib.warn "Allowing insecure package ${p.name or "${p.pname}-${p.version}"}" true;
config = cudaConfig
// {
inherit allowInsecurePredicate;
allowUnfree = true;
android_sdk.accept_license = true;
allowBroken = true;
}
// (inputs.lib.optionalAttrs (nixpkgs.march != null)
{
oneapiArch = let match = {}; in match.${nixpkgs.march} or nixpkgs.march;
nvhpcArch = nixpkgs.march;
# contentAddressedByDefault = true;
})
// (inputs.lib.optionalAttrs (nixpkgs.nixRoot != null)
{ nix = { storeDir = "${nixpkgs.nixRoot}/store"; stateDir = "${nixpkgs.nixRoot}/var"; }; });
in platformConfig //
{
config = cudaConfig //
{
inherit allowInsecurePredicate;
allowUnfree = true;
android_sdk.accept_license = true;
}
// (inputs.lib.optionalAttrs (nixpkgs.march != null)
{
# TODO: test znver3 do use AVX
oneapiArch = let match = {}; in match.${nixpkgs.march} or nixpkgs.march;
nvhpcArch = nixpkgs.march;
# contentAddressedByDefault = true;
})
// (inputs.lib.optionalAttrs (nixpkgs.nixRoot != null)
{ nix = { storeDir = "${nixpkgs.nixRoot}/store"; stateDir = "${nixpkgs.nixRoot}/var"; }; });
inherit config;
overlays =
[
inputs.topInputs.nur-xddxdd.overlays.inSubTree
inputs.topInputs.shadowrz.overlays.default
inputs.topInputs.nix-vscode-extensions.overlays.default
inputs.topInputs.buildproxy.overlays.default
(final: prev:
{
inherit (inputs.topInputs.nix-vscode-extensions.overlays.default final prev) nix-vscode-extensions;
firefox-addons = (import "${inputs.topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
linuxPackages_cachyos_lts =
final.linuxPackagesFor (inputs.topInputs.cachyos-lts.overlays.default final prev).linuxPackages_cachyos;
})
inputs.topInputs.self.overlays.default
(final: prev:
@@ -58,11 +57,12 @@ in platformConfig //
};
libvirt = (prev.libvirt.override { iptables = final.nftables; }).overrideAttrs
(prev: { patches = prev.patches or [] ++ [ ./libvirt.patch ]; });
root = prev.root.overrideAttrs (prev:
root = (prev.root.override { stdenv = final.gcc13Stdenv; }).overrideAttrs (prev:
{
patches = prev.patches or [] ++ [ ./root.patch ];
cmakeFlags = prev.cmakeFlags ++ [ "-DCMAKE_CXX_STANDARD=23" ];
});
inherit (final.pkgs-2411) iio-sensor-proxy;
}
// (
let
@@ -70,64 +70,26 @@ in platformConfig //
{
pkgs-2305 = "nixpkgs-2305";
pkgs-2311 = "nixpkgs-2311";
pkgs-2411 = "nixpkgs-2411";
pkgs-2411 = { source = "nixpkgs-2411"; overlay = inputs.topInputs.bscpkgs.overlays.default; };
pkgs-unstable =
{
source = "nixpkgs-unstable";
overlay = final: prev:
(inputs.topInputs.self.overlays.default final prev);
# {
# ollama = prev.ollama.override { cudaPackages = final.cudaPackages_12_8; };
# }
# // inputs.lib.optionalAttrs (nixpkgs.march != null)
# {
# pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
# {
# scipy = prev.scipy.overridePythonAttrs (prev:
# { disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
# rapidocr-onnxruntime = prev.rapidocr-onnxruntime.overridePythonAttrs { doCheck = false; };
# cfn-lint = prev.cfn-lint.overridePythonAttrs { doCheck = false; };
# })];
# rapidjson = prev.rapidjson.overrideAttrs { doCheck = false; };
# ctranslate2 = (prev.ctranslate2.override { withCUDA = false; withCuDNN = false; })
# .overrideAttrs (prev:
# { cmakeFlags = prev.cmakeFlags or [] ++ [ "-DENABLE_CPU_DISPATCH=OFF" ]; });
# valkey = prev.valkey.overrideAttrs { doCheck = false; };
# }
# // inputs.lib.optionalAttrs
# (builtins.elem nixpkgs.march [ "skylake" "silvermont" "broadwell" "znver3" ])
# { redis = prev.redis.overrideAttrs { doCheck = false; }; }
# // inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.avx2Support)
# {
# haskellPackages = prev.haskellPackages.override
# {
# overrides = final: prev:
# {
# crypton = prev.crypton.overrideAttrs
# (prev: { configureFlags = prev.configureFlags or [] ++ [ "--ghc-option=-optc-mno-avx2" ]; });
# };
# };
# }
# // (inputs.topInputs.self.overlays.default final prev);
overlay = inputs.topInputs.self.overlays.default;
};
};
packages = name: import inputs.topInputs.${source.${name}.source or source.${name}}
{
localSystem = platformConfig.hostPlatform or { inherit (platformConfig) system; };
config = cudaConfig //
{
allowUnfree = true;
# contentAddressedByDefault = true;
inherit allowInsecurePredicate;
};
inherit config;
overlays = [(source.${name}.overlay or (_: _: {}))];
};
in builtins.listToAttrs (builtins.map
(name: { inherit name; value = packages name; }) (builtins.attrNames source))
)
# TODO: bring patch to upstream
// (inputs.lib.optionalAttrs (prev.stdenv.hostPlatform.avx512Support)
{ gsl = prev.gsl.overrideAttrs { doCheck = false; }; })
// (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx512Support)
{ libhwy = prev.libhwy.override { stdenv = final.genericPackages.stdenv; }; })
// (inputs.lib.optionalAttrs (nixpkgs.march != null)
{
libinsane = prev.libinsane.overrideAttrs (prev:
@@ -144,7 +106,6 @@ in platformConfig //
sed -i '/CPPUNIT_TEST.testDubiousArrayFormulasFODS/d' sc/qa/unit/functions_array.cxx
'';});});
opencolorio = prev.opencolorio.overrideAttrs (prev: { doCheck = false; });
# TODO: maybe something really broken?
openvswitch = prev.openvswitch.overrideAttrs (prev: { doCheck = false; });
rapidjson = prev.rapidjson.overrideAttrs { doCheck = false; };
valkey = prev.valkey.overrideAttrs { doCheck = false; };
@@ -152,14 +113,18 @@ in platformConfig //
# https://github.com/embree/embree/issues/115
embree = prev.embree.override { stdenv = final.genericPackages.stdenv; };
simde = prev.simde.override { stdenv = final.genericPackages.stdenv; };
ctranslate2 = prev.ctranslate2.overrideAttrs (prev:
{ cmakeFlags = prev.cmakeFlags or [] ++ [ "-DENABLE_CPU_DISPATCH=OFF" ]; });
pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
{
scipy = prev.scipy.overridePythonAttrs (prev:
{ disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
# paperwork-backend = prev.paperwork-backend.overrideAttrs (prev: { doCheck = false; });
})];
(
{
scipy = prev.scipy.overridePythonAttrs (prev:
{ disabledTests = prev.disabledTests or [] ++ [ "test_hyp2f1" ]; });
rich = prev.rich.overridePythonAttrs (prev:
{ disabledTests = prev.disabledTests or [] ++ [ "test_brokenpipeerror" ]; });
}
))];
inherit (final.pkgs-2411) intelPackages_2023;
})
# // (inputs.lib.optionalAttrs (nixpkgs.march == "silvermont")
# { c-blosc = prev.c-blosc.overrideAttrs { doCheck = false; }; })
)];
}

2
modules/system/sysctl.nix
View File

@@ -16,6 +16,8 @@ inputs:
"kernel.sysrq" = 1;
# set to larger value, otherwise the system will be very slow on low memory machines
"vm.vfs_cache_pressure" = 100;
# when building archive, nix need more than 100k mounts
"fs.mount-max" = 1000000;
};
}
(inputs.lib.mkIf (sysctl.laptop-mode != null) { boot.kernel.sysctl."vm.laptop_mode" = sysctl.laptop-mode; })

1
modules/user/chn/default.nix
View File

@@ -57,7 +57,6 @@ inputs:
)
];
};
gtk.iconTheme.name = "klassy";
};
};
};

16
modules/user/chn/plasma/autostart.nix
View File

@@ -1,6 +1,6 @@
inputs:
{
config = inputs.lib.mkIf (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
config = inputs.lib.mkIf (inputs.config.nixos.model.type == "desktop")
{
home-manager.users.chn.config.home.file =
let
@@ -11,16 +11,6 @@ inputs:
fileName = "nheko.desktop";
path = "${inputs.pkgs.nheko}/share/applications/${fileName}";
};
kclockd = rec
{
fileName = "org.kde.kclockd-autostart.desktop";
path = "${inputs.pkgs.kdePackages.kdeGear.kclock}/etc/xdg/autostart/${fileName}";
};
yakuake = rec
{
fileName = "org.kde.yakuake.desktop";
path = "${inputs.pkgs.kdePackages.yakuake}/share/applications/${fileName}";
};
telegram = rec
{
fileName = "org.telegram.desktop.desktop";
@@ -55,8 +45,8 @@ inputs:
};
devices =
{
pc = [ "nheko" "kclockd" "yakuake" "telegram" "element" "kmail" "discord" "crow-translate" ];
one = [ "kclockd" "yakuake" "telegram" "element" "kmail" "crow-translate" ];
pc = [ "nheko" "telegram" "element" "kmail" "discord" "crow-translate" ];
one = [ "telegram" "element" "kmail" "crow-translate" ];
};
in builtins.listToAttrs (builtins.map
(file:

73
modules/user/chn/plasma/konsole.nix
View File

@@ -1,73 +0,0 @@
inputs:
{
config = inputs.lib.mkIf (inputs.config.nixos.packages.desktop != null)
{
home-manager.users.chn.config =
{
programs.plasma =
{
overrideConfig = true;
resetFiles = [ "konsolerc" "yakuakerc" ];
configFile =
{
yakuakerc =
{
Appearance =
{
HideSkinBorders.value = true;
Skin.value = "Slate";
Translucency.value = true;
};
"Desktop Entry".DefaultProfile.value = "plasma-manager.profile";
Dialogs.FirstRun.value = false;
Window =
{
KeepOpen.value = false;
KeepOpenAfterLastSessionCloses.value = true;
ShowSystrayIcon.value = false;
};
};
konsolerc =
{
"Desktop Entry".DefaultProfile.value = "plasma-manager.profile";
"MainWindow.Toolbar sessionToolbar".ToolButtonStyle.value = "IconOnly";
};
};
dataFile."konsole/plasma-manager.profile" =
{
Appearance =
{
AntiAliasFonts.value = true;
BoldIntense.value = true;
ColorScheme.value = "Breeze";
Font.value = "FiraCode Nerd Font Mono,10,-1,5,50,0,0,0,0,0";
UseFontLineChararacters.value = true;
WordModeAttr.value = false;
};
"Cursor Options".CursorShape.value = 1;
General =
{
Name.value = "plasma-manager";
Parent.value = "FALLBACK/";
TerminalCenter.value = true;
TerminalMargin.value = 1;
};
"Interaction Options" =
{
AutoCopySelectedText.value = true;
TrimLeadingSpacesInSelectedText.value = true;
TrimTrailingSpacesInSelectedText.value = true;
UnderlineFilesEnabled.value = true;
};
Scrolling = { HistoryMode.value = 2; ReflowLines.value = false; };
"Terminal Features".BlinkingCursorEnabled.value = true;
};
};
home.file.".local/share/konsole/Breeze.colorscheme".text = builtins.replaceStrings
[ "Opacity=1" ] [ "Opacity=0.9\nBlur=true" ]
(builtins.readFile "${inputs.pkgs.libsForQt5.konsole}/share/konsole/Breeze.colorscheme");
};
environment.persistence."/nix/rootfs/current".users.chn.directories =
[ ".local/share/konsole" ".local/share/yakuake" ];
};
}

4
modules/user/chn/plasma/shortcuts.nix
View File

@@ -1,6 +1,6 @@
inputs:
{
config = inputs.lib.mkIf (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
config = inputs.lib.mkIf (inputs.config.nixos.model.type == "desktop")
{
home-manager.users.chn.config.programs.plasma =
{
@@ -88,8 +88,6 @@ inputs:
{ "org.kde.krunner.desktop"._launch = "Alt+Space"; }
# settings
{ "systemsettings.desktop"._launch = "Meta+I"; }
# yakuake
{ yakuake.toggle-window-state = "Meta+Space"; }
# virt-manager
{ "virt-manager.desktop"._launch = "Meta+V"; }
# system monitor

45
modules/user/chn/plasma/theme.nix
View File

@@ -1,45 +0,0 @@
inputs:
{
config = inputs.lib.mkIf (builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ])
{
home-manager.users.chn.config =
{
programs.plasma =
{
workspace =
{
theme = "breeze-light";
colorScheme = "BreezeLight";
cursor.theme = "breeze_cursors";
lookAndFeel = "org.kde.klassylighttraditional.desktop";
# ~/.config/kdeglobals [Icons]
iconTheme = "klassy";
};
configFile =
{
kwinrc =
{
Effect-blur.BlurStrength.value = 10;
Effect-kwin4_effect_translucency.MoveResize.value = 75;
Effect-wobblywindows =
{
AdvancedMode.value = true;
Drag.value = 85;
Stiffness.value = 10;
WobblynessLevel.value = 1;
ResizeWobble.value = false;
};
Plugins =
{
blurEnabled.value = true;
kwin4_effect_dimscreenEnabled.value = true;
kwin4_effect_translucencyEnabled.value = true;
padding.value = 4;
wobblywindowsEnabled.value = true;
};
};
};
};
};
};
}

20
modules/user/chn/plasma/wallpaper.nix
View File

@@ -1,21 +1,5 @@
inputs:
{
config.home-manager.users.chn.config.programs.plasma.configFile =
let
inherit (inputs.topInputs) nixos-wallpaper;
wallpaper =
{
pc = "${nixos-wallpaper}/pixiv-117612023.png";
}.${inputs.config.nixos.model.hostname} or "${nixos-wallpaper}/pixiv-96734339-x2.png";
in
{
# "plasma-org.kde.plasma.desktop-appletsrc" =
# {
# "Containments/1".wallpaperplugin.value = "a2n.blur";
# "Containments/1/Wallpaper/a2n.blur/General".Image.value = wallpaper;
# };
kscreenlockerrc."Greeter/Wallpaper/org.kde.image/General" =
{ Image.value = wallpaper; PreviewImage.value = wallpaper; };
kdeglobals.General.accentColorFromWallpaper.value = true;
};
config.home-manager.users.chn.config.programs.plasma.configFile.kdeglobals.General.accentColorFromWallpaper.value
= true;
}

9
modules/user/default.nix
View File

@@ -32,6 +32,8 @@ inputs:
alikia = 1018;
pen = 1019;
reonokiy = 1020;
zqq = 1021;
zgq = 1022;
misskey-misskey = 2000;
misskey-misskey-old = 2001;
frp = 2002;
@@ -117,7 +119,12 @@ inputs:
users.users.root =
{
shell = inputs.pkgs.zsh;
openssh.authorizedKeys.keys = [(builtins.readFile ./chn/id_ed25519_sk.pub)];
openssh.authorizedKeys.keys = inputs.lib.mkMerge
[
[(builtins.readFile ./chn/id_ed25519_sk.pub)]
(inputs.lib.mkIf (inputs.config.nixos.model.cluster.clusterName or null == "srv1")
[(builtins.readFile ./zgq/id_ed25519.pub)])
];
hashedPassword = "$y$j9T$.UyKKvDnmlJaYZAh6./rf/$65dRqishAiqxCE6LEMjqruwJPZte7uiyYLVKpzdZNH5";
};
home-manager.users.root = homeInputs:

2
modules/user/hjp/default.nix
View File

@@ -2,7 +2,7 @@ inputs:
{
config = let inherit (inputs.config.nixos) user; in inputs.lib.mkIf (builtins.elem "hjp" user.users)
{
home-manager.users.hjp.config.programs.zsh.initExtra =
home-manager.users.hjp.config.programs.zsh.initContent =
''
export PATH=$PATH:/home/hjp/software/intel/oneapi/compiler/latest/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/hjp/software/intel/oneapi/compiler/latest/lib

8
modules/user/zgq/default.nix Normal file
View File

@@ -0,0 +1,8 @@
inputs:
{
config = let inherit (inputs.config.nixos) user; in inputs.lib.mkIf (builtins.elem "zgq" user.users)
{
users.users.zgq.extraGroups = inputs.lib.mkIf (inputs.config.nixos.model.cluster.clusterName or null == "srv1")
[ "wheel" ];
};
}

1
modules/user/zgq/id_ed25519.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKHnhPmiGpuK0OlMPLM9QFYpjcr5/WoG8IFoC9EDLSqc zgq

1
modules/user/zqq/id_ed25519.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM+Hi3Jo/xb7vDm5L75jybjjrE6z7quveuKd0mTeXDP zqq@xmupc1

17
packages/blog-buildproxy.nix Normal file
View File

@@ -0,0 +1,17 @@
{ fetchurl }:
[
{
url = "https://cdn.jsdelivr.net/npm/flexsearch@0.8.143/dist/flexsearch.bundle.min.js";
file = fetchurl
{
url = "https://cdn.jsdelivr.net/npm/flexsearch@0.8.143/dist/flexsearch.bundle.min.js";
sha256 = "0k3g87h84s667m7zphlsaqzvkdka4rszq5pw66cvngjpi8d98gj3";
};
status_code = 200;
headers =
{
"content-type" = "application/javascript; charset=utf-8";
"content-length" = "46087";
};
}
]

11
packages/blurred-wallpaper.nix
View File

@@ -1,11 +0,0 @@
{ stdenv, src }: stdenv.mkDerivation
{
name = "blurred-wallpaper";
inherit src;
phases = [ "installPhase" ];
installPhase =
''
mkdir -p $out/share/plasma/wallpapers
cp -r $src/a2n.blur $out/share/plasma/wallpapers
'';
}

23
packages/default.nix
View File

@@ -1,7 +1,6 @@
inputs: rec
{
vesta = inputs.pkgs.callPackage ./vesta.nix { src = inputs.topInputs.self.src.vesta; };
rsshub = inputs.pkgs.callPackage ./rsshub.nix { inherit mkPnpmPackage; src = inputs.topInputs.rsshub; };
misskey = inputs.pkgs.callPackage ./misskey.nix
{
inherit mkPnpmPackage;
@@ -26,16 +25,15 @@ inputs: rec
tgbot-cpp = inputs.pkgs.callPackage ./tgbot-cpp.nix { src = inputs.topInputs.tgbot-cpp; };
mirism-old = inputs.pkgs.callPackage ./mirism-old.nix
{
inherit cppcoro nameof tgbot-cpp date;
inherit cppcoro nameof date;
inherit (inputs.pkgs.pkgs-2305) boost;
src = inputs.topInputs.self.src.mirism-old;
nghttp2 = inputs.pkgs.callPackage "${inputs.topInputs.nixpkgs-2305}/pkgs/development/libraries/nghttp2"
{ enableAsioLib = true; stdenv = inputs.pkgs.gcc12Stdenv; };
nghttp2 = inputs.pkgs.pkgs-2305.nghttp2.override { enableAsioLib = true; };
stdenv = inputs.pkgs.gcc12Stdenv;
tgbot-cpp = tgbot-cpp.override { stdenv = inputs.pkgs.gcc12Stdenv; };
};
cppcoro = inputs.pkgs.callPackage ./cppcoro { src = inputs.topInputs.cppcoro; };
date = inputs.pkgs.callPackage ./date.nix { src = inputs.topInputs.date; };
blurred-wallpaper = inputs.pkgs.callPackage ./blurred-wallpaper.nix { src = inputs.topInputs.blurred-wallpaper; };
slate = inputs.pkgs.callPackage ./slate.nix { src = inputs.topInputs.slate; };
vasp =
{
gnu = inputs.pkgs.callPackage ./vasp/gnu
@@ -122,13 +120,18 @@ inputs: rec
};
stickerpicker = inputs.pkgs.python3Packages.callPackage ./stickerpicker.nix { src = inputs.topInputs.stickerpicker; };
info = inputs.pkgs.callPackage ./info { inherit biu; stdenv = inputs.pkgs.clang18Stdenv; };
blog = inputs.pkgs.callPackage inputs.topInputs.blog { inherit (inputs.topInputs) hextra; };
blog = inputs.pkgs.callPackage inputs.topInputs.blog
{
inherit (inputs.topInputs) hextra;
buildProxy = inputs.pkgs.lib.mkBuildproxy ./blog-buildproxy.nix;
};
phono3py = inputs.pkgs.python3Packages.callPackage ./phono3py.nix { src = inputs.topInputs.phono3py; };
vm = inputs.pkgs.callPackage ./vm { inherit biu; stdenv = inputs.pkgs.clang18Stdenv; };
oneapiPackages =
oneapiPackages = inputs.pkgs.lib.makeScope inputs.pkgs.newScope (final:
{
stdenv = inputs.pkgs.callPackage ./oneapi/stdenv.nix { src = inputs.topInputs.self.src.oneapi; };
};
stdenv = inputs.pkgs.callPackage ./oneapi/stdenv.nix { src = inputs.topInputs.self.src.oneapi; inherit gccFull; };
fmt = (inputs.pkgs.fmt.override { inherit (final) stdenv; }).overrideAttrs { doCheck = false; env.VERBOSE = "1"; };
});
fromYaml = content: builtins.fromJSON (builtins.readFile
(inputs.pkgs.runCommand "toJSON" {}

101
packages/oneapi/stdenv.nix
View File

@@ -1,70 +1,87 @@
{
src, stdenv, autoPatchelfHook, wrapCCWith, config, overrideCC, makeSetupHook, writeScript, overrideInStdenv,
runCommand,
gcc, glibc, libz, zstd, libxml2, flock, numactl, ncurses, openssl, gmp, kdePackages,
libxcrypt-legacy, libfabric, rdma-core, xorg, bash
runCommand, lib, gccFull,
gcc, glibc, zlib, zstd, libxml2, flock, numactl, ncurses, openssl, gmp, kdePackages,
libxcrypt-legacy, libfabric, rdma-core, xorg, bash, p7zip, hwloc
}:
let
oneapi = stdenv.mkDerivation
{
pname = "oneapi";
inherit (src) src version;
buildInputs = [];
nativeBuildInputs = [ ncurses stdenv.cc.cc autoPatchelfHook ];
buildInputs = [ zlib stdenv.cc.cc hwloc ];
nativeBuildInputs = [ autoPatchelfHook p7zip ];
langFortran = true;
dontUnpack = true;
dontConfigure = true;
dontBuild = true;
unpackPhase =
''
mkdir installer
sh ${src.src} --extract-only --extract-folder installer
addAutoPatchelfSearchPath installer/intel*/lib
autoPatchelf installer/intel*/bootstrapper
'';
installPhase =
let installComponents = builtins.concatStringsSep "\n" (builtins.map
(component:
''
pushd ${component}
7za x cupPayload.cup
cp -r _installdir/* ../../../../install
popd
'')
src.components);
in
''
mkdir -p $out/install
export HOME=$out
echo "will install to $out/install"
sh installer/intel*/install.sh --silent --eula accept --install-dir $out/install
mv $out/install/compiler/${src.version}/{bin,include,lib,share,opt/compiler/include} $out
mv $out/bin/compiler/* $out/bin
rm -rf $out/install
# addAutoPatchelfSearchPath
mkdir -p installer install $out
sh ${src.src} --extract-only --extract-folder installer
pushd installer/intel-oneapi-hpc-toolkit-${src.fullVersion}_offline/packages
${installComponents}
popd
cp -r install/compiler/${src.version}/{bin,include,lib,share} $out
cp -r install/{mpi,tbb,umf}/*/lib $out
# mv $out/bin/compiler/* $out/bin
# rm -r $out/bin/compiler
# mv $out/bin/clang%2B%2B $out/bin/clang++
mv $out/bin/compiler/clang%2B%2B $out/bin/compiler/clang++
# mv $out/lib/crt/* $out/lib
# rm -r $out/lib/crt
'';
autoPatchelfIgnoreMissingDeps = [];
autoPatchelfIgnoreMissingDeps = [ "libze_loader.so.1" "libcuda.so.1" "libhwloc.so.5" ];
passthru = { inherit src; };
};
wrapper = (wrapCCWith
{
cc = oneapi;
extraBuildCommands =
''
# provide libgcc_s.so but not libgomp.so
echo "-L${gcc.cc.libgcc}/lib" >> $out/nix-support/cc-ldflags
let
gcc = stdenv.cc.cc;
gccVersion = builtins.concatStringsSep "." (lib.take 3 (builtins.splitVersion gcc.version));
in
''
echo "-isystem ${oneapi}/include" >> $out/nix-support/cc-cflags
echo "-isystem ${oneapi}/include/intel64" >> $out/nix-support/cc-cflags
echo "-isystem ${oneapi}/include/icx" >> $out/nix-support/cc-cflags
echo "-isystem ${gcc}/include/c++/${gcc.version}/${stdenv.targetPlatform.config}" >> $out/nix-support/cc-cflags
echo "-isystem ${gcc}/include/c++/${gcc.version}" >> $out/nix-support/cc-cflags
echo "--gcc-toolchain=${stdenv.cc}/lib/gcc/x86_64-unknown-linux-gnu/14.2.1" >> $out/nix-support/cc-cflags
echo "-march=${config.oneapiArch}" >> $out/nix-support/cc-cflags-before
echo "-tp=${config.nvhpcArch}" >> $out/nix-support/cc-cflags-before
echo "-L${gcc.lib}/lib" >> $out/nix-support/cc-ldflags
echo "-L${gcc}/lib/gcc/${stdenv.targetPlatform.config}/${gccVersion}" >> $out/nix-support/cc-ldflags
echo "-L${oneapi}/lib" >> $out/nix-support/cc-ldflags
echo "-Lsome_path_does_not_exist" >> $out/nix-support/cc-ldflags
echo "-noswitcherror" >> $out/nix-support/cc-cflags
# echo 'export "PATH=${gcc}/bin:$PATH"' >> $out/nix-support/cc-wrapper-hook
# print verbose output for debugging
# echo "-v" >> $out/nix-support/cc-cflags
echo "" > $out/nix-support/add-hardening.sh
# echo "" > $out/nix-support/add-hardening.sh
echo "-v" >> $out/nix-support/cc-cflags
# substitute -idirafter in libc-cflags
# somehow -isystem does not work
sed -i 's/-idirafter/-I/g' $out/nix-support/libc-cflags
for i in nvc nvc++ nvcc nvfortran; do
wrap $i $wrapper ${oneapi}/bin/$i
done
'';
for i in icx icpx ifx; do
wrap $i $wrapper ${oneapi}/bin/$i
done
'';
}).overrideAttrs (prev: { installPhase = prev.installPhase +
''
export named_cc=nvc
export named_cxx=nvc++
export named_fc=nvfortran
export named_cc=icx
export named_cxx=icpx
export named_fc=ifx
'';});
# in overrideInStdenv (overrideCC stdenv wrapper) [ ]
in oneapi
in overrideInStdenv (overrideCC stdenv wrapper) [ ]

25
packages/rsshub.nix
View File

@@ -1,25 +0,0 @@
{
lib, mkPnpmPackage, nodejs, writeShellScript,
bash, chromium, src, git
}: (mkPnpmPackage.override { inherit nodejs; })
{
inherit src;
extraNativeBuildInputs = [ bash git ];
extraAttrs =
{
PUPPETEER_SKIP_DOWNLOAD = true;
postInstall =
let startScript = writeShellScript "rsshub"
''
export PATH=${lib.makeBinPath [ bash nodejs nodejs.pkgs.pnpm chromium git ]}:$PATH
export CHROMIUM_EXECUTABLE_PATH=chromium
export COREPACK_ENABLE_STRICT=0
pnpm start
'';
in
''
mkdir -p $out/bin
cp ${startScript} $out/bin/rsshub
'';
};
}

10
packages/sbatch-tui/src/main.cpp
View File

@@ -17,6 +17,9 @@ int main()
std::string UserCommand;
std::string SubmitCommand;
std::string CurrentInterface = "Program";
std::string JobName = std::filesystem::current_path().filename().string();
std::string OutputFile = "output.txt";
bool LowPriority = false;
} State;
std::vector<std::unique_ptr<Program>> Programs;
auto ConfigFile = YAML::LoadFile(SBATCH_CONFIG);
@@ -64,6 +67,9 @@ int main()
return ftxui::Container::Vertical
({
Programs[State.ProgramSelected]->get_interface() | with_bottom_heavy,
input(&State.JobName, "Job name: "),
input(&State.OutputFile, "Output file: "),
checkbox("Low priority", &State.LowPriority),
// 操作按钮
ftxui::Container::Horizontal
({
@@ -111,7 +117,9 @@ int main()
else if (State.UserCommand == "Continue")
{
State.CurrentInterface = "Confirm";
State.SubmitCommand = Programs[State.ProgramSelected]->get_submit_command();
State.SubmitCommand = Programs[State.ProgramSelected]->get_submit_command()
+ "\n--job-name='{}' --output='{}'{}"_f
(State.JobName, State.OutputFile, State.LowPriority ? " --nice=10000" : "");
}
else std::unreachable();
}

18
packages/sbatch-tui/src/mumax3.cpp
View File

@@ -16,8 +16,6 @@ namespace sbatch
int MemorySchemeSelected = 0;
std::vector<std::string> MemorySchemeEntries = { "Default", "All", "Custom" };
std::string Memory = "1";
std::string JobName = std::filesystem::current_path().filename().string();
std::string OutputFile = "output.txt";
std::string InputFile = "input.txt";
};
protected: StateType State_;
@@ -47,7 +45,6 @@ namespace sbatch
if (saved_state.MemorySchemeSelected < State_.MemorySchemeEntries.size())
State_.MemorySchemeSelected = saved_state.MemorySchemeSelected;
State_.Memory = saved_state.Memory;
State_.OutputFile = saved_state.OutputFile;
State_.InputFile = saved_state.InputFile;
}
catch (...) {}
@@ -90,12 +87,8 @@ namespace sbatch
}) | with_title("Memory:", ftxui::Color::GrayDark) | with_separator
}) | with_title("Resource allocation:") | with_bottom,
// 第三行:任务名和输入输出文件
ftxui::Container::Vertical
({
input(&State_.JobName, "Job name: "),
input(&State_.InputFile, "Input file: "),
input(&State_.OutputFile, "Output file: "),
}) | with_title("Misc:")
ftxui::Container::Vertical({input(&State_.InputFile, "Input file: ")})
| with_title("Misc:")
});
}
public: virtual std::string get_submit_command() const override
@@ -116,11 +109,8 @@ namespace sbatch
else if (State_.MemorySchemeSelected == 2) return "--mem={}G"_f(State_.Memory);
else std::unreachable();
}();
return "sbatch --partition={}\n{}{} {}\n--job-name='{}' --output='{}'\n--wrap=\"mumax3 {}\""_f
(
State_.QueueEntries[State_.QueueSelected], gpu_string, cpu_string, mem_string,
State_.JobName, State_.OutputFile, State_.InputFile
);
return "sbatch --partition={}\n{}{} {}\n--wrap=\"mumax3 {}\""_f
(State_.QueueEntries[State_.QueueSelected], gpu_string, cpu_string, mem_string, State_.InputFile);
}
};
template void Program::register_child_<Mumax3>();

9
packages/sbatch-tui/src/vasp_cpu.cpp
View File

@@ -18,8 +18,6 @@ namespace sbatch
int MemorySchemeSelected = 0;
std::vector<std::string> MemorySchemeEntries = { "Default", "All", "Custom" };
std::string Memory = "1";
std::string JobName = std::filesystem::current_path().filename().string();
std::string OutputFile = "output.txt";
bool OptcellEnable = false;
int OptcellSelected = 0;
std::vector<std::string> OptcellEntries = { "fix ab", "fix c" };
@@ -96,8 +94,7 @@ namespace sbatch
// 第三行:任务名和输出文件
ftxui::Container::Vertical
({
input(&State_.JobName, "Job name: "),
input(&State_.OutputFile, "Output file: "),
ftxui::Container::Horizontal
({
checkbox("Generate OPTCELL", &State_.OptcellEnable),
@@ -141,11 +138,11 @@ namespace sbatch
else return ""s;
}();
return
"{}sbatch --partition={} --nodes=1-1\n{}{}\n--job-name='{}' --output='{}'\n"
"{}sbatch --partition={} --nodes=1-1\n{}{}\n"
"--wrap=\"srun{} vasp-intel vasp-{}\""_f
(
optcell_string, State_.QueueEntries[State_.QueueSelected], cpu_string, mem_string,
State_.JobName, State_.OutputFile, srun_string, State_.VaspEntries[State_.VaspSelected]
srun_string, State_.VaspEntries[State_.VaspSelected]
);
}
};

Some files were not shown because too many files have changed in this diff Show More