chn/nixos
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixos.git synced 2026-01-13 11:19:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: chn:nas-beesd
Branches Tags
chn:production chn:next chn:legacy-2505 chn:archive chn:edge chn:a30 chn:hpcstat chn:rocm chn:nas-alderlake chn:one-fprint chn:rog-x chn:sbatch-add-fdtd chn:r2s chn:steamdeck chn:biu chn:sbatch-tui chn:sops chn:srv1 chn:srv1-archive chn:srv1-add-zgq chn:switch-srv2 chn:xray-debug chn:srv2-debug chn:srv2-notice chn:temp chn:staging chn:debug chn:wannier-tools chn:next-pc chn:fix-libvirt chn:add-pen chn:libvirt-cow chn:test-nfs chn:wg-stage chn:hdf5-slurm chn:vasp-debug chn:container chn:debug-nfs chn:test-impermanence chn:xmuserver chn:pc chn:test-motd chn:nvhpc chn:root chn:srv-archive chn:xmuserver-archive chn:python chn:test-bindmount chn:test-keyd chn:srv chn:vasp chn:ufo chn:ip-debug chn:nex chn:blog chn:fcitx5 chn:winjob chn:winjob-old-design chn:ollama chn:server chn:vps6 chn:chn-bsub chn:test-nvidia chn:bug chn:next-debug chn:krfb chn:xray chn:split-desktop-server chn:pi chn:envfs chn:main chn:dae chn:xmupc2 chn:xrdp chn:ipfs chn:xmupc1 chn:mumax chn:slurm chn:blas chn:firefox chn:color chn:gpu chn:nvidia chn:xanmod chn:rsshub chn:ttyd chn:fix-efishell chn:device chn:misskey chn:power chn:native chn:meilisearch-migration chn:nixos-23.05 chn:nginx chn:ua chn:vps7-freshrss chn:nvme-bug chn:yoga chn:kernel-lts chn:nas-beesd chn:vps7-beesd chn:vps6-beesd chn:phonopy chn:tested chn:docker chn:test-nebula chn:test-nebula-nas chn:stable chn:benchmark chn:ccache-bug-report
chn:try-to-fix-rtkit-pipewire
..
compare: chn:benchmark
Branches Tags
chn:production chn:next chn:legacy-2505 chn:archive chn:edge chn:a30 chn:hpcstat chn:rocm chn:nas-alderlake chn:one-fprint chn:rog-x chn:sbatch-add-fdtd chn:r2s chn:steamdeck chn:biu chn:sbatch-tui chn:sops chn:srv1 chn:srv1-archive chn:srv1-add-zgq chn:switch-srv2 chn:xray-debug chn:srv2-debug chn:srv2-notice chn:temp chn:staging chn:debug chn:wannier-tools chn:next-pc chn:fix-libvirt chn:add-pen chn:libvirt-cow chn:test-nfs chn:wg-stage chn:hdf5-slurm chn:vasp-debug chn:container chn:debug-nfs chn:test-impermanence chn:xmuserver chn:pc chn:test-motd chn:nvhpc chn:root chn:srv-archive chn:xmuserver-archive chn:python chn:test-bindmount chn:test-keyd chn:srv chn:vasp chn:ufo chn:ip-debug chn:nex chn:blog chn:fcitx5 chn:winjob chn:winjob-old-design chn:ollama chn:server chn:vps6 chn:chn-bsub chn:test-nvidia chn:bug chn:next-debug chn:krfb chn:xray chn:split-desktop-server chn:pi chn:envfs chn:main chn:dae chn:xmupc2 chn:xrdp chn:ipfs chn:xmupc1 chn:mumax chn:slurm chn:blas chn:firefox chn:color chn:gpu chn:nvidia chn:xanmod chn:rsshub chn:ttyd chn:fix-efishell chn:device chn:misskey chn:power chn:native chn:meilisearch-migration chn:nixos-23.05 chn:nginx chn:ua chn:vps7-freshrss chn:nvme-bug chn:yoga chn:kernel-lts chn:nas-beesd chn:vps7-beesd chn:vps6-beesd chn:phonopy chn:tested chn:docker chn:test-nebula chn:test-nebula-nas chn:stable chn:benchmark chn:ccache-bug-report
chn:try-to-fix-rtkit-pipewire

1 Commits
nas-beesd ... benchmark

Author SHA1 Message Date
chn
0a51443b79 add phoronix-test-suite 2023-09-10 01:24:02 +08:00
59 changed files with 1093 additions and 1713 deletions
Expand all files Collapse all files

2
.sops.yaml
View File

@@ -5,7 +5,6 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
- &vps7 age137x7csalutwvfygvvzpemlsywvdxj3j4z93a50z2sjx03w6zau8q3r5902
- &yoga age1qrea4twxdhd7fnvlq5v45528c90qy6hp2wa55kghsxzgut6n6fxs7w6u42
- &pe age1cahahn9hp265dkhduaec65vugk8fct2vt9ur6y54m4mgmyx4v4fq0etjhv
- &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
creation_rules:
- path_regex: secrets/pc\.yaml$
key_groups:
@@ -30,7 +29,6 @@ creation_rules:
key_groups:
- age:
- *chn
- *nas
- path_regex: secrets/xmupc1\.yaml$
key_groups:
- age:

79
flake.lock generated
View File

@@ -30,11 +30,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1695052866,
"narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
"lastModified": 1694158470,
"narHash": "sha256-yWx9eBDHt6WR3gr65+J85KreHdMypty/P6yM35tIYYM=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
"rev": "d0cfc042eba92eb206611c9e8784d41a2c053bab",
"type": "github"
},
"original": {
@@ -449,11 +449,11 @@
"systems": "systems_6"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"lastModified": 1692799911,
"narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
"type": "github"
},
"original": {
@@ -548,11 +548,11 @@
]
},
"locked": {
"lastModified": 1694465129,
"narHash": "sha256-8BQiuobMrCfCbGM7w6Snx+OBYdtTIm0+cGVaKwQ5BFg=",
"lastModified": 1693208669,
"narHash": "sha256-hHFaaUsZ860wvppPeiu7nJn/nXZjJfnqAQEu9SPFE9I=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9787dffff5d315c9593d3f9fb0f9bf2097e1b57b",
"rev": "5bac4a1c06cd77cf8fc35a658ccb035a6c50cd2c",
"type": "github"
},
"original": {
@@ -564,11 +564,11 @@
},
"impermanence": {
"locked": {
"lastModified": 1694622745,
"narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
"lastModified": 1690797372,
"narHash": "sha256-GImz19e33SeVcIvBB7NnhbJSbTpFFmNtWLh7Z85Y188=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
"rev": "e3a7acd113903269a1b5c8b527e84ce7ee859851",
"type": "github"
},
"original": {
@@ -708,11 +708,11 @@
]
},
"locked": {
"lastModified": 1694921880,
"narHash": "sha256-yU36cs5UdzhTwsM9bUWUz43N//ELzQ1ro69C07pU/8E=",
"lastModified": 1693711723,
"narHash": "sha256-5QmlVzskLciJ0QzYmZ6ULvKA7bP6pgV9wwrLBB0V3j0=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "9d2bcc47110b3b6217dfebd6761ba20bc78aedf2",
"rev": "aca56a79afb82208af2b39d8459dd29c10989135",
"type": "github"
},
"original": {
@@ -730,17 +730,16 @@
]
},
"locked": {
"lastModified": 1693358717,
"narHash": "sha256-OYGe2Yay1QoodZZmvPYBFGAoTrRfyKLzFs2vON4gRek=",
"lastModified": 1694222210,
"narHash": "sha256-PzfwrGQMEpJk4lMK2a47bFbJpJFlAG/ihvZsL9U1Lik=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "50c4bce16b93e7ca8565d51fafabc05e9f0515da",
"rev": "5a63908466573a4a1c0466e38f33c42c73ec5136",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "50c4bce16b93e7ca8565d51fafabc05e9f0515da",
"type": "github"
}
},
@@ -752,11 +751,11 @@
]
},
"locked": {
"lastModified": 1694400214,
"narHash": "sha256-QHESodq9FQpjWshfxmdYePnEAPaNPsYEd3iBe/JYjqk=",
"lastModified": 1693052712,
"narHash": "sha256-7wrP6s4OEuR7BUasy76n7j+c09rp7wyOq7YVYviXw9s=",
"owner": "nix-community",
"repo": "nixd",
"rev": "69b533e8d643c5dcbda7962d4dff808d72165783",
"rev": "f88accc8a8231efdae900ff6a14cb6301a73cff9",
"type": "github"
},
"original": {
@@ -795,11 +794,11 @@
]
},
"locked": {
"lastModified": 1694664321,
"narHash": "sha256-NLuFP5JW2LRJTUg0zpeYXS14KjtrgTpFdhH0T7YqEpc=",
"lastModified": 1694192131,
"narHash": "sha256-nt5ypVXKh65lQFqKqWgytEzI841yUhpl6E291Briu+g=",
"owner": "nixpak",
"repo": "nixpak",
"rev": "9dd948303ea4c7d531e0775146b1b7fd969994c9",
"rev": "16bd2860238c53bb7a31f745693d7d3c33a1490c",
"type": "github"
},
"original": {
@@ -894,11 +893,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1695562663,
"narHash": "sha256-cnPZFTKQGldgFHWC9LHt8mDtJVTmj4WJxvKHF5uw5qA=",
"lastModified": 1694233973,
"narHash": "sha256-LPFbAgsJhj5l64bwmeA2POGrdtEm6+WyGwyNVbGRl9A=",
"owner": "CHN-beta",
"repo": "nixpkgs",
"rev": "82e02a1546fc59bc496f859e446ddcd412f09849",
"rev": "6b10eef17e5f6fbbb07b38015ce3dc0d5e463282",
"type": "github"
},
"original": {
@@ -942,11 +941,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1695281058,
"narHash": "sha256-YQs/xiqOW081DCqkeVc+Eonapo0fBCUGwy/5SD1rKTI=",
"lastModified": 1694240057,
"narHash": "sha256-K80B2TusGw/LJlS2LiJ5C6TpKBhx9SU3nld4y2yz8L0=",
"owner": "CHN-beta",
"repo": "nixpkgs",
"rev": "53bdd8bdc15e678f30e450f5be8ef3cee572b11a",
"rev": "36b41fed7ac17125d23ffab564e3376bf01eab9a",
"type": "github"
},
"original": {
@@ -958,11 +957,11 @@
},
"nur": {
"locked": {
"lastModified": 1695048039,
"narHash": "sha256-zbJJylG0nrr6bP4+UXK10m2h9Kae5OUeYntU6rli02o=",
"lastModified": 1694237951,
"narHash": "sha256-6gql7EJIWwn3mUvG/RHf1iGUA3Ptfmalz9WdgX3noSY=",
"owner": "nix-community",
"repo": "NUR",
"rev": "e57ad2a4d59c577780da709180c36304a1d8106c",
"rev": "19674a713837dcfbef704a16815a4bbc462cd57a",
"type": "github"
},
"original": {
@@ -981,11 +980,11 @@
"nvfetcher": "nvfetcher"
},
"locked": {
"lastModified": 1695017238,
"narHash": "sha256-JoGZyYAnWZnq8NPu+ptmydA9s/96kb518fY5Q56FcHE=",
"lastModified": 1694239804,
"narHash": "sha256-C5ERSMRp8kQEqyKS2yggXSqaKZUgnNyQD+zjy6iqXm0=",
"owner": "xddxdd",
"repo": "nur-packages",
"rev": "6e5f2de9db2dede7f1bf350b97adff4901209352",
"rev": "ce48d1df62cab988a5e8eefdf97bec8bdc46392f",
"type": "github"
},
"original": {
@@ -1114,11 +1113,11 @@
]
},
"locked": {
"lastModified": 1694495315,
"narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=",
"lastModified": 1693898833,
"narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415",
"rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
"type": "github"
},
"original": {

231
flake.nix
View File

@@ -17,11 +17,7 @@
nur.url = "github:nix-community/NUR";
nixos-cn = { url = "github:nixos-cn/flakes"; inputs.nixpkgs.follows = "nixpkgs"; };
nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
nix-vscode-extensions =
{
url = "github:nix-community/nix-vscode-extensions?rev=50c4bce16b93e7ca8565d51fafabc05e9f0515da";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
nix-alien = { url = "github:thiagokokada/nix-alien"; inputs.nix-index-database.follows = "nix-index-database"; };
impermanence.url = "github:nix-community/impermanence";
qchem = { url = "github:Nix-QChem/NixOS-QChem"; inputs.nixpkgs.follows = "nixpkgs"; };
@@ -44,7 +40,7 @@
default = inputs.nixpkgs.legacyPackages.x86_64-linux.writeText "systems"
(builtins.concatStringsSep "\n" (builtins.map
(system: builtins.toString inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel)
[ "pc" "vps6" "vps7" "nas" ]));
[ "pc" "vps6" "vps4" "vps7" "nas" "xmupc1" "yoga" "pe" ]));
}
// (
builtins.listToAttrs (builtins.map
@@ -53,7 +49,7 @@
name = system;
value = inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel;
})
[ "pc" "vps6" "vps7" "nas" "yoga" ])
[ "pc" "vps6" "vps4" "vps7" "nas" "xmupc1" "yoga" "pe" ])
);
nixosConfigurations = builtins.listToAttrs (builtins.map
(system:
@@ -67,7 +63,11 @@
(
[
(inputs: { config.nixpkgs.overlays = [(final: prev:
{ localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; }); })]; })
{
localPackages = (import ./local/pkgs { inherit (inputs) lib; pkgs = final; });
unstablePackages = import inputs.topInputs.nixpkgs-unstable
{ system = "x86_64-linux"; config.allowUnfree = true; };
})]; })
./modules
]
++ system.value
@@ -126,15 +126,14 @@
keepOutputs = true;
};
nixpkgs = { march = "alderlake"; cudaSupport = true; };
gui = { enable = true; preferred = true; };
gui.enable = true;
kernel =
{
patches = [ "cjktty" "preempt" ];
modules.modprobeConfig = [ "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
};
impermanence.enable = true;
networking =
{ hostname = "pc"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; };
networking = { hostname = "pc"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; }; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
@@ -198,7 +197,6 @@
"debug.mirism.one" = "127.0.0.1";
"initrd.vps6.chn.moe" = "74.211.99.69";
"nix-store.chn.moe" = "127.0.0.1";
"initrd.nas.chn.moe" = "192.168.1.185";
};
};
};
@@ -213,15 +211,14 @@
};
nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
smartd.enable = true;
nginx = { enable = true; transparentProxy.externalIp = [ "192.168.82.3" ]; };
nginx = { enable = true; transparentProxy.enable = false; };
misskey = { enable = true; hostname = "xn--qbtm095lrg0bfka60z.chn.moe"; };
misskey-proxy."xn--qbtm095lrg0bfka60z.chn.moe" = {};
beesd = { enable = true; instances.root = { device = "/"; hashTableSizeMB = 2048; }; };
};
bugs =
[
"intel-hdmi" "suspend-hibernate-no-platform" "hibernate-iwlwifi" "suspend-lid-no-wakeup" "xmunet"
"suspend-hibernate-waydroid" "embree" "nvme"
"suspend-hibernate-waydroid" "embree"
];
};})
];
@@ -275,21 +272,13 @@
enable = true;
transparentProxy =
{
externalIp = [ "74.211.99.69" "192.168.82.1" ];
externalIp = "74.211.99.69";
map =
{
"ng01.mirism.one" = 7411;
"beta.mirism.one" = 9114;
};
};
streamProxy =
{
enable = true;
map =
{
"nix-store.chn.moe" = { upstream = "internal.pc.chn.moe:443"; rewriteHttps = true; };
"anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; };
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; rewriteHttps = true; };
"nix-store.chn.moe" = 7676;
"direct.xn--qbtm095lrg0bfka60z.chn.moe" = 7676;
};
};
};
@@ -300,8 +289,52 @@
};
coturn.enable = true;
synapse-proxy."synapse.chn.moe".upstream.address = "internal.vps7.chn.moe";
vaultwarden-proxy = { enable = true; upstream.address = "internal.vps7.chn.moe"; };
beesd = { enable = false; instances.root = { device = "/"; hashTableSizeMB = 32; }; };
};
};})
];
"vps4" =
[
(inputs: { config.nixos =
{
system =
{
fileSystems =
{
mount =
{
btrfs =
{
"/dev/disk/by-uuid/a6460ff0-b6aa-4c1c-a546-8ad0d495bcf8"."/boot" = "/boot";
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
};
};
decrypt.manual =
{
enable = true;
devices."/dev/disk/by-uuid/46e59fc7-7bb1-4534-bbe4-b948a9a8eeda" = { mapper = "root"; ssd = true; };
delayedMount = [ "/" ];
};
swap = [ "/nix/swap/swap" ];
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
};
grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
nixpkgs.march = "znver3";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
initrd =
{
network.enable = true;
sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
};
kernel.patches = [ "preempt" ];
impermanence.enable = true;
networking.hostname = "vps4";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
packages.packageSet = "server";
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
sshd.enable = true;
};
};})
];
@@ -351,20 +384,15 @@
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
fontconfig.enable = true;
sshd.enable = true;
rsshub.enable = true;
nginx = { enable = true; transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ]; };
nginx = { enable = true; transparentProxy.externalIp = "95.111.228.40"; };
wallabag.enable = true;
misskey = { enable = true; hostname = "xn--s8w913fdga.chn.moe"; };
misskey-proxy."xn--s8w913fdga.chn.moe" = {};
synapse.enable = true;
synapse-proxy."synapse.chn.moe" = {};
xrdp = { enable = true; hostname = "vps7.chn.moe"; };
vaultwarden.enable = true;
vaultwarden-proxy.enable = true;
meilisearch.ioLimitDevice = "/dev/mapper/root";
beesd = { enable = false; instances.root = { device = "/"; hashTableSizeMB = 1024; }; };
};
};})
];
@@ -378,90 +406,40 @@
{
mount =
{
vfat."/dev/disk/by-uuid/13BC-F0C9" = "/boot/efi";
btrfs =
{
"/dev/disk/by-uuid/0e184f3b-af6c-4f5d-926a-2559f2dc3063"."/boot" = "/boot";
"/dev/mapper/nix"."/nix" = "/nix";
"/dev/mapper/root1" =
{
"/nix/rootfs" = "/nix/rootfs";
"/nix/persistent" = "/nix/persistent";
"/nix/nodatacow" = "/nix/nodatacow";
"/nix/rootfs/current" = "/";
};
"/dev/disk/by-uuid/a6460ff0-b6aa-4c1c-a546-8ad0d495bcf8"."/boot" = "/boot";
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
};
};
decrypt.manual =
{
enable = true;
devices =
{
"/dev/disk/by-uuid/5cf1d19d-b4a5-4e67-8e10-f63f0d5bb649".mapper = "root1";
"/dev/disk/by-uuid/aa684baf-fd8a-459c-99ba-11eb7636cb0d".mapper = "root2";
"/dev/disk/by-uuid/a779198f-cce9-4c3d-a64a-9ec45f6f5495" = { mapper = "nix"; ssd = true; };
};
delayedMount = [ "/" "/nix" ];
devices."/dev/disk/by-uuid/46e59fc7-7bb1-4534-bbe4-b948a9a8eeda" = { mapper = "root"; ssd = true; };
delayedMount = [ "/" ];
};
rollingRootfs = { device = "/dev/mapper/root1"; path = "/nix/rootfs"; };
swap = [ "/nix/swap/swap" ];
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
};
grub.installDevice = "/dev/disk/by-path/pci-0000:00:04.0";
nixpkgs.march = "silvermont";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
initrd =
{
network.enable = true;
sshd = { enable = true; hostKeys = [ "/nix/persistent/etc/ssh/initrd_ssh_host_ed25519_key" ]; };
};
grub.installDevice = "efi";
nixpkgs.march = "silvermont";
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
kernel.patches = [ "cjktty" "preempt" ];
kernel.patches = [ "preempt" ];
impermanence.enable = true;
networking =
{ hostname = "nas"; nebula = { enable = true; lighthouse = "vps6.chn.moe"; useRelay = true; }; };
networking.hostname = "nas";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
gui.enable = true;
};
hardware =
{
cpus = [ "intel" ];
gpus = [ "intel" ];
};
packages.packageSet = "desktop";
packages.packageSet = "server";
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
fontconfig.enable = true;
samba =
{
enable = true;
hostsAllowed = "192.168. 127.";
shares =
{
home.path = "/home";
root.path = "/";
};
};
sshd = { enable = true; passwordAuthentication = true; };
xrayClient =
{
enable = true;
serverAddress = "74.211.99.69";
serverName = "vps6.xserver.chn.moe";
dns.extraInterfaces = [ "docker0" ];
};
xrdp = { enable = true; hostname = [ "nas.chn.moe" "office.chn.moe" ]; };
groupshare.enable = true;
smartd.enable = true;
beesd =
{
enable = true;
instances =
{
root = { device = "/"; hashTableSizeMB = 2048; };
nix = { device = "/nix"; hashTableSizeMB = 128; };
};
};
sshd.enable = true;
};
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
};})
];
"xmupc1" =
@@ -646,6 +624,63 @@
};
};})
];
"pe" =
[
(inputs: { config.nixos =
{
system =
{
fileSystems =
{
mount =
{
vfat."/dev/disk/by-uuid/A0F1-74E5" = "/boot/efi";
btrfs =
{
"/dev/disk/by-uuid/a7546428-1982-4931-a61f-b7eabd185097"."/boot" = "/boot";
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
};
};
decrypt.auto."/dev/disk/by-uuid/0b800efa-6381-4908-bd63-7fa46322a2a9" =
{ mapper = "root"; ssd = true; };
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
};
grub.installDevice = "efiRemovable";
gui.enable = true;
nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
kernel.patches = [ "cjktty" "preempt" ];
impermanence.enable = true;
networking.hostname = "pe";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
{
cpus = [ "intel" ];
gpus = [ "intel" "nvidia" ];
bluetooth.enable = true;
joystick.enable = true;
printer.enable = true;
sound.enable = true;
};
packages.packageSet = "desktop";
virtualization.docker.enable = true;
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
fontconfig.enable = true;
sshd.enable = true;
xrayClient =
{
enable = true;
serverAddress = "74.211.99.69";
serverName = "vps6.xserver.chn.moe";
dns.extraInterfaces = [ "docker0" ];
};
firewall.trustedInterfaces = [ "virbr0" ];
smartd.enable = true;
};
};})
];
}));
# sudo HTTPS_PROXY=socks5://127.0.0.1:10884 nixos-install --flake .#bootstrap --option substituters http://127.0.0.1:5000 --option require-sigs false --option system-features gccarch-silvermont
# nix-serve -p 5000
@@ -682,7 +717,7 @@
inputs.self.nixosConfigurations.${node};
};
})
[ "vps6" "vps7" "nas" ]);
[ "vps6" "vps4" "vps7" ]);
};
};
}

13
local/pkgs/concurrencpp/default.nix
View File

@@ -1,13 +0,0 @@
{ stdenv, fetchFromGitHub, cmake }: stdenv.mkDerivation rec
{
pname = "concurrencpp";
version = "0.1.7";
src = fetchFromGitHub
{
owner = "David-Haim";
repo = "concurrencpp";
rev = "v.${version}";
sha256 = "4qT29YVjKEWcMrI5R5Ps8aD4grAAgz5VOxANjpp1oTo=";
};
nativeBuildInputs = [ cmake ];
}

11
local/pkgs/default.nix
View File

@@ -1,4 +1,4 @@
{ lib, pkgs }: with pkgs; rec
{ lib, pkgs }: with pkgs;
{
typora = callPackage ./typora {};
upho = python3Packages.callPackage ./upho {};
@@ -7,7 +7,7 @@
oneapi = callPackage ./oneapi {};
send = callPackage ./send {};
rsshub = callPackage ./rsshub {};
misskey = callPackage ./misskey { vips = unstablePackages.vips; };
misskey = callPackage ./misskey {};
mk-meili-mgn = callPackage ./mk-meili-mgn {};
phonon-unfolding = callPackage ./phonon-unfolding {};
# vasp = callPackage ./vasp
@@ -25,11 +25,4 @@
# "12to11" = callPackage ./12to11 {};
huginn = callPackage ./huginn {};
v_sim = callPackage ./v_sim {};
concurrencpp = callPackage ./concurrencpp { stdenv = gcc13Stdenv; };
eigengdb = python3Packages.callPackage ./eigengdb {};
nodesoup = callPackage ./nodesoup {};
matplotplusplus = callPackage ./matplotplusplus { inherit nodesoup; };
zpp-bits = callPackage ./zpp-bits {};
eigen = callPackage ./eigen {};
nameof = callPackage ./nameof {};
}

12
local/pkgs/eigen/default.nix
View File

@@ -1,12 +0,0 @@
{ lib, stdenv, fetchFromGitLab, cmake }: stdenv.mkDerivation rec
{
name = "eigen";
src = fetchFromGitLab
{
owner = "libeigen";
repo = name;
rev = "6d829e766ff1b1ab867d93631163cbc63ed5798f";
sha256 = "BXUnizcRPrOyiPpoyYJ4VVOjlG49aj80mgzPKmEYPKU=";
};
nativeBuildInputs = [ cmake ];
}

15
local/pkgs/eigengdb/default.nix
View File

@@ -1,15 +0,0 @@
{ lib, fetchFromGitHub, buildPythonPackage, numpy, gdb }: buildPythonPackage
{
name = "eigengdb";
src = fetchFromGitHub
{
owner = "dmillard";
repo = "eigengdb";
rev = "c741edef3f07f33429056eff48d79a62733ed494";
sha256 = "MTqOaWsKhWaPs3G5F/6bYZmQI5qS2hEGKGa3mwbgFaY=";
};
doCheck = false;
buildInputs = [ gdb ];
nativeBuildInputs = [ gdb ];
propagatedBuildInputs = [ numpy ];
}

22
local/pkgs/matplotplusplus/default.nix
View File

@@ -1,22 +0,0 @@
{
stdenv, fetchFromGitHub, cmake, pkg-config,
gnuplot, libjpeg, libtiff, zlib, libpng, lapack, blas, fftw, opencv, nodesoup, cimg
}: stdenv.mkDerivation rec
{
pname = "matplotplusplus";
version = "1.2.0";
src = fetchFromGitHub
{
owner = "alandefreitas";
repo = "matplotplusplus";
rev = "v${version}";
sha256 = "mYXAB1AbCtcd2rEuluJN6hDKE9+AowodjJt2pdyntes=";
};
cmakeFlags =
[
"-DBUILD_SHARED_LIBS=ON" "-DMATPLOTPP_BUILD_SHARED_LIBS=ON" "-DMATPLOTPP_BUILD_EXAMPLES=OFF"
"-DMATPLOTPP_WITH_SYSTEM_NODESOUP=ON" "-DMATPLOTPP_WITH_SYSTEM_CIMG=ON"
];
buildInputs = [ gnuplot libjpeg libtiff zlib libpng lapack blas fftw opencv nodesoup cimg ];
nativeBuildInputs = [ cmake pkg-config ];
}

70
local/pkgs/misskey/default.nix
View File

@@ -1,16 +1,16 @@
{
lib, stdenv, mkPnpmPackage, fetchFromGitHub, fetchurl, nodejs_20, writeShellScript, buildFHSEnv,
lib, stdenv, mkPnpmPackage, fetchFromGitHub, nodejs_20, writeShellScript, buildFHSEnv,
bash, cypress, vips, pkg-config
}:
let
pname = "misskey";
version = "2023.9.3";
version = "13.14.2";
src = fetchFromGitHub
{
owner = "CHN-beta";
repo = "misskey";
rev = "d88358090da8459ef6f3b01890b361ff44a007f7";
sha256 = "JeXMnFoJuudGGHhAEXhdBRMN8EHEbm4U1yXuoz8K4hU=";
rev = "e02ecb3819f6f05352d43b64ae59fa1bd683e2e0";
hash = "sha256-zsYM67LYUn+bI6kbdW9blftxw5TUxCdzlfaOOEgZz+Q=";
fetchSubmodules = true;
};
originalPnpmPackage = mkPnpmPackage
@@ -26,66 +26,14 @@ let
export NODE_ENV=production
pnpm run migrateandstart
'';
re2 = stdenv.mkDerivation rec
{
pname = "re2";
version = "1.20.3";
srcs =
[
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.br";
sha256 = "0g2k0bki0zm0vaqpz25ww119qcs1flv63h6s5ib3103arpnzmb6d";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-115.gz";
sha256 = "1dr9zzzm67jknzvla1l5178lzmj6cfh8i1vsp5r4gkwdwbfh3ip0";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.br";
sha256 = "0wby987byhshb20np1gglj6y9ji7m7jza5jwa4hyxfxs1pkkmg1n";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-108.gz";
sha256 = "0q3dyxm63d2x0wxx23gdwym7r2gmaw4ahvmd35dgrj179ik290pi";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.br";
sha256 = "1wjmdni24353ppwfiyrv1zl9ci4g2habk0g2nz6b0sijagcy7bv3";
})
(fetchurl
{
url = "https://github.com/uhop/node-re2/releases/download/1.20.3/linux-x64-93.gz";
sha256 = "0rgkryjh412g2m7rfrl2krsb9137prkk2y9ga8akn7qp1bqsbq1i";
})
];
phases = [ "installPhase" ];
installPhase =
''
mkdir -p $out/${version}
for i in $srcs
do
cp $i $out/${version}/''${i#*-}
done
'';
};
in
stdenv.mkDerivation rec
stdenv.mkDerivation
{
inherit version src pname;
buildInputs =
[
bash nodejs_20 nodejs_20.pkgs.typescript nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress vips pkg-config
];
nativeBuildInputs = buildInputs;
nativeBuildInputs =
[ bash nodejs_20 nodejs_20.pkgs.typescript nodejs_20.pkgs.pnpm nodejs_20.pkgs.gulp cypress vips pkg-config ];
CYPRESS_RUN_BINARY = "${cypress}/bin/Cypress";
NODE_ENV = "production";
RE2_DOWNLOAD_MIRROR = "${re2}";
RE2_DOWNLOAD_SKIP_PATH = "true";
configurePhase =
''
export HOME=$NIX_BUILD_TOP # Some packages need a writable HOME
@@ -119,8 +67,4 @@ in
mkdir -p $out/files
runHook postInstall
'';
passthru =
{
inherit originalPnpmPackage startScript re2;
};
}

20
local/pkgs/nameof/default.nix
View File

@@ -1,20 +0,0 @@
{ lib, stdenv, fetchFromGitHub }: stdenv.mkDerivation rec
{
pname = "nameof";
version = "0.10.3";
src = fetchFromGitHub
{
owner = "Neargye";
repo = pname;
rev = "v${version}";
sha256 = "eHG0Y/BQGbwTrBHjq9SeSiIXaVqWp7PxIq7vCIECYPk=";
};
phases = [ "installPhase" ];
installPhase =
''
runHook preInstall
mkdir -p $out
cp -r $src/include $out
runHook postInstall
'';
}

13
local/pkgs/nodesoup/default.nix
View File

@@ -1,13 +0,0 @@
{ stdenv, fetchFromGitHub, cmake, pkg-config, cairo, pcre2, xorg }: stdenv.mkDerivation rec
{
name = "nodesoup";
src = fetchFromGitHub
{
owner = "olvb";
repo = "nodesoup";
rev = "3158ad082bb0cd1abee75418b12b35522dbca74f";
sha256 = "tFLq6QC3U3uvcuWsdRy2wnwcmAfH2MkI2oMcAiUBHSo=";
};
buildInputs = [ cairo pcre2.dev xorg.libXdmcp.dev ];
nativeBuildInputs = [ cmake pkg-config ];
}

4
local/pkgs/rsshub/default.nix
View File

@@ -9,8 +9,8 @@ let
{
owner = "DIYgod";
repo = "RSSHub";
rev = "46d32af2c57061a70114536d1f4514eb5b35dff2";
sha256 = "WvPE+WAvRSCPVwoz7sSH3KhC8GUC82wYmYKXb5F9xHI=";
rev = "afcf9774260dc6505263cf0428970e890f2f7b1d";
hash = "sha256-BQFE0Z5DsFTf0tylQ0NN89hCdXT/Y2M+YPa/10ccOVg=";
};
originalPnpmPackage = mkPnpmPackage { inherit pname version src nodejs; };
nodeModules = originalPnpmPackage.nodeModules.overrideAttrs { PUPPETEER_SKIP_DOWNLOAD = true; };

18
local/pkgs/zpp-bits/default.nix
View File

@@ -1,18 +0,0 @@
{ stdenv, fetchFromGitHub }: stdenv.mkDerivation rec
{
pname = "zpp-bits";
version = "4.4.19";
src = fetchFromGitHub
{
owner = "eyalz800";
repo = "zpp_bits";
rev = "v${version}";
sha256 = "ejIwrvCFALuBQbQhTfzjBb11oMR/akKnboB60GWbjlQ=";
};
phases = [ "installPhase" ];
installPhase =
''
mkdir -p $out/include
cp $src/zpp_bits.h $out/include
'';
}

1
modules/bugs/default.nix
View File

@@ -75,7 +75,6 @@ inputs:
firefox.programs.firefox.enable = inputs.lib.mkForce false;
embree.nixpkgs.overlays =
[(final: prev: { embree = prev.embree.override { stdenv = final.genericPackages.stdenv; }; })];
nvme.boot.kernelParams = [ "nvme_core.default_ps_max_latency_us=0" ];
};
in
{

391
modules/packages/default.nix
View File

@@ -29,164 +29,44 @@ inputs:
[
# >= server
{
nixos =
nixos.packages = with inputs.pkgs;
{
packages = with inputs.pkgs;
{
_packages =
[
# shell
ksh
# basic tools
beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij neofetch ipfetch
# lsxx
pciutils usbutils lshw util-linux lsof
# top
iotop iftop htop btop powertop s-tui
# editor
nano bat
# downloader
wget aria2 curl
# file manager
tree exa trash-cli lsd broot file xdg-ninja mlocate
# compress
pigz rar upx unzip zip lzip p7zip
# file system management
sshfs e2fsprogs adb-sync duperemove compsize
# disk management
smartmontools hdparm
# encryption and authentication
apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
# networking
ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils
# nix tools
nix-output-monitor nix-tree
# office
todo-txt-cli
# development
gdb
] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
_pythonPackages = [(pythonPackages: with pythonPackages;
[
inquirerpy requests python-telegram-bot tqdm fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
certifi charset-normalizer idna orjson psycopg2 localPackages.eigengdb
])];
};
users.sharedModules =
[{
config.programs =
{
zsh =
{
enable = true;
initExtraBeforeCompInit =
''
# p10k instant prompt
P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
[[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
HYPHEN_INSENSITIVE="true"
export PATH=~/bin:$PATH
function br
{
local cmd cmd_file code
cmd_file=$(mktemp)
if broot --outcmd "$cmd_file" "$@"; then
cmd=$(<"$cmd_file")
command rm -f "$cmd_file"
eval "$cmd"
else
code=$?
command rm -f "$cmd_file"
return "$code"
fi
}
alias todo="todo.sh"
'';
plugins =
[
{
file = "powerlevel10k.zsh-theme";
name = "powerlevel10k";
src = "${inputs.pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
}
{
file = "p10k.zsh";
name = "powerlevel10k-config";
src = ./p10k-config;
}
{
name = "zsh-lsd";
src = inputs.pkgs.fetchFromGitHub
{
owner = "z-shell";
repo = "zsh-lsd";
rev = "029a9cb0a9b39c9eb6c5b5100dd9182813332250";
sha256 = "sha256-oWjWnhiimlGBMaZlZB+OM47jd9hporKlPNwCx6524Rk=";
};
}
];
history =
{
extended = true;
save = 100000000;
size = 100000000;
share = true;
};
};
direnv = { enable = true; nix-direnv.enable = true; };
git =
{
enable = true;
lfs.enable = true;
extraConfig =
{
core.editor = if inputs.config.nixos.system.gui.preferred then "code --wait" else "vim";
advice.detachedHead = false;
merge.conflictstyle = "diff3";
diff.colorMoved = "default";
};
package = inputs.pkgs.gitFull;
delta =
{
enable = true;
options =
{
side-by-side = true;
navigate = true;
syntax-theme = "GitHub";
light = true;
zero-style = "syntax white";
line-numbers-zero-style = "#ffffff";
};
};
};
ssh =
{
enable = true;
controlMaster = "auto";
controlPersist = "1m";
compression = true;
};
vim =
{
enable = true;
defaultEditor = true;
packageConfigurable = inputs.config.programs.vim.package;
settings =
{
number = true;
expandtab = false;
shiftwidth = 2;
tabstop = 2;
};
extraConfig =
''
set clipboard=unnamedplus
colorscheme evening
'';
};
};
}];
_packages =
[
# shell
ksh
# basic tools
beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq zellij neofetch ipfetch
# lsxx
pciutils usbutils lshw util-linux lsof
# top
iotop iftop htop btop powertop s-tui
# editor
nano bat
# downloader
wget aria2 curl
# file manager
tree exa trash-cli lsd broot file xdg-ninja mlocate
# compress
pigz rar upx unzip zip lzip p7zip
# file system management
sshfs e2fsprogs adb-sync duperemove compsize
# disk management
smartmontools hdparm
# encryption and authentication
apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
# networking
ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils
# nix tools
nix-output-monitor nix-tree
# office
todo-txt-cli
] ++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ]);
_pythonPackages = [(pythonPackages: with pythonPackages;
[
inquirerpy requests python-telegram-bot tqdm fastapi pypdf2 pandas matplotlib plotly gunicorn redis jinja2
certifi charset-normalizer idna orjson psycopg2
])];
};
programs =
{
@@ -236,135 +116,80 @@ inputs:
];
allowUnfree = true;
};
home-manager =
{
useGlobalPkgs = true;
useUserPackages = true;
};
}
# >= desktop
(
mkIf (builtins.elem inputs.config.nixos.packages.packageSet [ "desktop" "workstation" ] )
{
nixos =
nixos.packages = with inputs.pkgs;
{
packages = with inputs.pkgs;
{
_packages =
[
# system management
gparted snapper-gui libsForQt5.qtstyleplugin-kvantum wl-clipboard-x11 kio-fuse wl-mirror
wayland-utils clinfo glxinfo vulkan-tools dracut etcher unstablePackages.btrfs-assistant
# nix tools
ssh-to-age deploy-rs.deploy-rs nixpkgs-fmt
# instant messager
element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
cinny-desktop # nur-xddxdd.wine-wechat thunder
# browser
google-chrome
# networking
remmina putty mtr-gui
# password and key management
bitwarden yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui
# download
qbittorrent yt-dlp nur-xddxdd.baidupcs-go wgetpaste
# office
unstablePackages.crow-translate zotero pandoc
# development
scrcpy
# media
spotify yesplaymusic mpv nomacs simplescreenrecorder imagemagick gimp netease-cloud-music-gtk vlc
# text editor
localPackages.typora
# themes
orchis-theme tela-circle-icon-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme
arc-kde-theme materia-theme
# news
fluent-reader rssguard
# davinci-resolve playonlinux
weston cage openbox krita
genymotion hdfview
(
vscode-with-extensions.override
{
vscodeExtensions = with nix-vscode-extensions.vscode-marketplace;
(with equinusocio; [ vsc-community-material-theme vsc-material-theme-icons ])
++ (with github; [ copilot copilot-chat copilot-labs github-vscode-theme ])
++ (with intellsmi; [ comment-translate deepl-translate ])
++ (with ms-python; [ isort python vscode-pylance ])
++ (with ms-toolsai;
[
jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
])
++ (with ms-vscode;
[
cmake-tools cpptools cpptools-extension-pack cpptools-themes hexeditor remote-explorer
test-adapter-converter
])
++ (with ms-vscode-remote; [ remote-ssh remote-containers remote-ssh-edit ])
++ [
donjayamanne.githistory genieai.chatgpt-vscode fabiospampinato.vscode-diff cschlosser.doxdocgen
llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans
oderwat.indent-rainbow
twxs.cmake guyutongxue.cpp-reference znck.grammarly thfriedrich.lammps leetcode.vscode-leetcode
james-yu.latex-workshop gimly81.matlab affenwiesel.matlab-formatter ckolkman.vscode-postgres
yzhang.markdown-all-in-one pkief.material-icon-theme bbenoist.nix ms-ossdata.vscode-postgresql
redhat.vscode-xml dotjoshjohnson.xml jnoortheen.nix-ide xdebug.php-debug
hbenl.vscode-test-explorer
jeff-hykin.better-cpp-syntax fredericbonnet.cmake-test-adapter mesonbuild.mesonbuild
hirse.vscode-ungit fortran-lang.linter-gfortran tboox.xmake-vscode ccls-project.ccls
feiskyer.chatgpt-copilot yukiuuh2936.vscode-modern-fortran-formatter wolframresearch.wolfram
njpipeorgan.wolfram-language-notebook brettm12345.nixfmt-vscode webfreak.debug
];
}
)
] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
};
users.sharedModules =
[{
config =
{
programs =
_packages =
[
# system management
gparted snapper-gui libsForQt5.qtstyleplugin-kvantum wl-clipboard-x11 kio-fuse wl-mirror
wayland-utils clinfo glxinfo vulkan-tools dracut etcher
# nix tools
ssh-to-age deploy-rs.deploy-rs nixpkgs-fmt
# instant messager
element-desktop telegram-desktop discord inputs.config.nur.repos.linyinfeng.wemeet # native
cinny-desktop # nur-xddxdd.wine-wechat thunder
# browser
google-chrome
# networking
remmina putty mtr-gui
# password and key management
bitwarden yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui
# download
qbittorrent yt-dlp nur-xddxdd.baidupcs-go wgetpaste
# office
crow-translate zotero pandoc
# development
scrcpy
# media
spotify yesplaymusic mpv nomacs simplescreenrecorder imagemagick gimp netease-cloud-music-gtk
# text editor
localPackages.typora
# themes
orchis-theme tela-circle-icon-theme plasma-overdose-kde-theme materia-kde-theme graphite-kde-theme
arc-kde-theme materia-theme
# news
fluent-reader rssguard
# davinci-resolve playonlinux
weston cage openbox krita phoronix-test-suite
genymotion
(
vscode-with-extensions.override
{
chromium =
{
enable = true;
extensions =
vscodeExtensions = with nix-vscode-extensions.vscode-marketplace;
(with equinusocio; [ vsc-community-material-theme vsc-material-theme-icons ])
++ (with github; [ copilot copilot-chat copilot-labs github-vscode-theme ])
++ (with intellsmi; [ comment-translate deepl-translate ])
++ (with ms-python; [ isort python vscode-pylance ])
++ (with ms-toolsai;
[
{ id = "mpkodccbngfoacfalldjimigbofkhgjn"; } # Aria2 Explorer
{ id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
{ id = "kbfnbcaeplbcioakkpcpgfkobkghlhen"; } # Grammarly
{ id = "ihnfpdchjnmlehnoeffgcbakfmdjcckn"; } # Pixiv Fanbox Downloader
{ id = "cimiefiiaegbelhefglklhhakcgmhkai"; } # Plasma Integration
{ id = "dkndmhgdcmjdmkdonmbgjpijejdcilfh"; } # Powerful Pixiv Downloader
{ id = "padekgcemlokbadohgkifijomclgjgif"; } # Proxy SwitchyOmega
{ id = "kefjpfngnndepjbopdmoebkipbgkggaa"; } # RSSHub Radar
{ id = "abpdnfjocnmdomablahdcfnoggeeiedb"; } # Save All Resources
{ id = "nbokbjkabcmbfdlbddjidfmibcpneigj"; } # SmoothScroll
{ id = "onepmapfbjohnegdmfhndpefjkppbjkm"; } # SuperCopy 超级复制
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
{ id = "gppongmhjkpfnbhagpmjfkannfbllamg"; } # Wappalyzer
{ id = "hkbdddpiemdeibjoknnofflfgbgnebcm"; } # YouTube™ 双字幕
{ id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
{ id = "ikhdkkncnoglghljlkmcimlnlhkeamad"; } # 划词翻译
{ id = "dhdgffkkebhmkfjojejmpbldmpobfkfo"; } # 篡改猴
{ id = "hipekcciheckooncpjeljhnekcoolahp"; } # Tabliss
jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
])
++ (with ms-vscode;
[
cmake-tools cpptools cpptools-extension-pack cpptools-themes hexeditor remote-explorer
test-adapter-converter
])
++ (with ms-vscode-remote; [ remote-ssh remote-containers remote-ssh-edit ])
++ [
donjayamanne.githistory genieai.chatgpt-vscode fabiospampinato.vscode-diff cschlosser.doxdocgen
llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans oderwat.indent-rainbow
twxs.cmake guyutongxue.cpp-reference znck.grammarly thfriedrich.lammps leetcode.vscode-leetcode
james-yu.latex-workshop gimly81.matlab affenwiesel.matlab-formatter ckolkman.vscode-postgres
yzhang.markdown-all-in-one pkief.material-icon-theme bbenoist.nix ms-ossdata.vscode-postgresql
redhat.vscode-xml dotjoshjohnson.xml jnoortheen.nix-ide xdebug.php-debug hbenl.vscode-test-explorer
jeff-hykin.better-cpp-syntax fredericbonnet.cmake-test-adapter mesonbuild.mesonbuild
hirse.vscode-ungit fortran-lang.linter-gfortran tboox.xmake-vscode ccls-project.ccls
feiskyer.chatgpt-copilot yukiuuh2936.vscode-modern-fortran-formatter wolframresearch.wolfram
njpipeorgan.wolfram-language-notebook brettm12345.nixfmt-vscode
];
};
obs-studio =
{
enable = true;
plugins = with inputs.pkgs.obs-studio-plugins;
[ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
};
};
home.file.".config/baloofilerc".text =
''
[Basic Settings]
Indexing-Enabled=false
'';
};
}];
}
)
] ++ (with inputs.lib; filter isDerivation (attrValues plasma5Packages.kdeGear));
};
programs =
{
@@ -409,11 +234,11 @@ inputs:
# media
nur-xddxdd.svp obs-studio waifu2x-converter-cpp inkscape blender
# virtualization
wineWowPackages.stagingFull virt-viewer bottles # wine64
wine virt-viewer bottles # wine64
# text editor
appflowy notion-app-enhanced joplin-desktop standardnotes
# math, physics and chemistry
mathematica octaveFull root ovito paraview localPackages.vesta qchem.quantum-espresso
mathematica octave root ovito paraview localPackages.vesta qchem.quantum-espresso
localPackages.vasp localPackages.phonon-unfolding localPackages.vaspkit jmol localPackages.v_sim
# news
newsflash newsboat
@@ -422,11 +247,7 @@ inputs:
[
phonopy tensorflow keras openai scipy scikit-learn
])];
_prebuildPackages =
[
httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2
unstablePackages.gcc13Stdenv
];
_prebuildPackages = [ httplib magic-enum xtensor boost cereal cxxopts ftxui yaml-cpp gfortran gcc10 python2 ];
};
programs =
{
@@ -590,4 +411,4 @@ inputs:
# x11-misc/optimus-manager
# x11-misc/unclutter-xfixes
# ++ ( with inputs.pkgs.pkgsCross.mingwW64.buildPackages; [ gcc ] );
# ++ ( with inputs.pkgs.pkgsCross.mingwW64.buildPackages; [ gcc ] );

39
modules/services/acme.nix
View File

@@ -1,39 +0,0 @@
inputs:
{
options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
certs = mkOption
{
type = types.listOf (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
default = [];
};
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) acme;
inherit (builtins) map listToAttrs;
in mkIf acme.enable
{
security.acme =
{
acceptTerms = true;
defaults.email = "chn@chn.moe";
certs = listToAttrs (map
(cert:
{
name = if builtins.typeOf cert == "string" then cert else builtins.elemAt cert 0;
value =
{
dnsResolver = "8.8.8.8";
dnsProvider = "cloudflare";
credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
extraDomainNames = if builtins.typeOf cert == "string" then [] else builtins.tail cert;
};
})
acme.certs);
};
sops.secrets."acme/cloudflare.ini" = {};
};
}

50
modules/services/beesd.nix
View File

@@ -1,50 +0,0 @@
inputs:
{
options.nixos.services.beesd = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
instances = mkOption
{
type = types.attrsOf (types.oneOf
[
types.nonEmptyStr
(types.submodule { options =
{
device = mkOption { type = types.nonEmptyStr; };
hashTableSizeMB = mkOption { type = types.int; };
};})
]);
default = {};
};
};
config =
let
inherit (inputs.config.nixos.services) beesd;
inherit (inputs.lib) mkIf;
inherit (builtins) map listToAttrs;
inherit (inputs.localLib) attrsToList;
in mkIf beesd.enable
{
services.beesd.filesystems = listToAttrs (map
(instance:
{
inherit (instance) name;
value =
{
spec = instance.value.device or instance.value;
hashTableSizeMB = instance.value.hashTableSizeMB or 1024;
extraOptions = [ "--thread-count" "1" "--scan-mode" "3" ];
};
})
(attrsToList beesd.instances));
systemd.slices.system-beesd.sliceConfig =
{
CPUSchedulingPolicy = "idle";
IOSchedulingClass = "idle";
IOSchedulingPriority = 4;
IOAccounting = true;
IOWeight = 1;
Nice = 19;
};
};
}

1
modules/services/ca.pub Normal file
View File

@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV9egbTbIbVCV4TNr6IgvXw7fMEK4v/WKAHddkX4uvysL7l+H1cLM0TRDvGefUFoU7eYcEIRV9lwvjMo/xy0GKao76fylQ03gkrzTiPvztThpAfKKOIniXvzWoIP7/fzNwuW6GgUiM4JKvgJEieRTybclLRgauy2gqiwVZMAFksxG1fAPYGXIrhtVQ+WjN+0IIiayNlj1J6tJ9fQWc+BkNsoJJZBADf+qjTsqsVHjcABoo2vYRTYnSVzrsnjSu6ivGjSY0ImG+ASPqyluA7eSXe4XQkyxjuyBVTwwqTpZ0Y+DMESr/Fd5rQ3N/iylLcUVGexl7gHHFtJGiERloG8Bv Public key for Digital Signature

297
modules/services/default.nix
View File

@@ -13,20 +13,65 @@ inputs:
./synapse.nix
./phpfpm.nix
./xrdp.nix
./groupshare.nix
./acme.nix
./samba.nix
./sshd.nix
./vaultwarden.nix
./frp.nix
./beesd.nix
./snapper.nix
# ./docker.nix
];
options.nixos.services = let inherit (inputs.lib) mkOption types; in
{
snapper =
{
enable = mkOption { type = types.bool; default = false; };
configs = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
};
kmscon.enable = mkOption { type = types.bool; default = false; };
fontconfig.enable = mkOption { type = types.bool; default = false; };
samba =
{
enable = mkOption { type = types.bool; default = false; };
wsdd = mkOption { type = types.bool; default = false; };
private = mkOption { type = types.bool; default = false; };
hostsAllowed = mkOption { type = types.str; default = "127."; };
shares = mkOption
{
type = types.attrsOf (types.submodule { options =
{
comment = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
path = mkOption { type = types.nonEmptyStr; };
};});
default = {};
};
};
sshd.enable = mkOption { type = types.bool; default = false; };
firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
acme =
{
enable = mkOption { type = types.bool; default = false; };
certs = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};
frpClient =
{
enable = mkOption { type = types.bool; default = false; };
serverName = mkOption { type = types.nonEmptyStr; };
user = mkOption { type = types.nonEmptyStr; };
tcp = mkOption
{
type = types.attrsOf (types.submodule (inputs:
{
options =
{
localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
localPort = mkOption { type = types.ints.unsigned; };
remoteIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
remotePort = mkOption { type = types.ints.unsigned; default = inputs.config.localPort; };
};
}));
default = {};
};
};
frpServer =
{
enable = mkOption { type = types.bool; default = false; };
serverName = mkOption { type = types.nonEmptyStr; };
};
nix-serve =
{
enable = mkOption { type = types.bool; default = false; };
@@ -44,6 +89,38 @@ inputs:
inherit (builtins) map listToAttrs toString;
in mkMerge
[
(
mkIf services.snapper.enable
{
services.snapper.configs =
let
f = (config:
{
inherit (config) name;
value =
{
SUBVOLUME = config.value;
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
TIMELINE_MIN_AGE = 1800;
TIMELINE_LIMIT_HOURLY = "10";
TIMELINE_LIMIT_DAILY = "7";
TIMELINE_LIMIT_WEEKLY = "1";
TIMELINE_LIMIT_MONTHLY = "0";
TIMELINE_LIMIT_YEARLY = "0";
};
});
in
listToAttrs (map f (attrsToList services.snapper.configs));
nixpkgs.config.packageOverrides = pkgs:
{
snapper = pkgs.snapper.overrideAttrs (attrs:
{
patches = (if (attrs ? patches) then attrs.patches else []) ++ [ ./snapper.patch ];
});
};
}
)
(
mkIf services.kmscon.enable
{
@@ -72,7 +149,204 @@ inputs:
};
}
)
(
mkIf services.samba.enable
{
# make shares visible for windows 10 clients
services =
{
samba-wsdd.enable = services.samba.wsdd;
samba =
{
enable = true;
openFirewall = !services.samba.private;
securityType = "user";
extraConfig =
''
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
hosts allow = ${services.samba.hostsAllowed}
dns proxy = no
'';
# obey pam restrictions = yes
# encrypt passwords = no
shares = listToAttrs (map
(share:
{
name = share.name;
value =
{
comment = if share.value.comment != null then share.value.comment else share.name;
path = share.value.path;
browseable = true;
writeable = true;
"create mask" = "664";
"force create mode" = "644";
"directory mask" = "2755";
"force directory mode" = "2755";
};
})
(attrsToList services.samba.shares));
};
};
}
)
(
mkIf services.sshd.enable
{
services.openssh =
{
enable = true;
settings =
{
X11Forwarding = true;
TrustedUserCAKeys = builtins.toString ./ca.pub;
ChallengeResponseAuthentication = false;
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
UsePAM = true;
};
};
}
)
{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
(
mkIf services.acme.enable
{
security.acme =
{
acceptTerms = true;
defaults.email = "chn@chn.moe";
certs = listToAttrs (map
(name:
{
name = name; value =
{
dnsResolver = "8.8.8.8";
dnsProvider = "cloudflare";
credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
};
})
services.acme.certs);
};
sops.secrets."acme/cloudflare.ini" = {};
}
)
(
mkIf (services.frpClient.enable)
{
systemd.services.frpc =
let
frpc = "${inputs.pkgs.frp}/bin/frpc";
config = inputs.config.sops.templates."frpc.ini";
in
{
description = "Frp Client Service";
after = [ "network.target" ];
serviceConfig =
{
Type = "simple";
User = "frp";
Restart = "always";
RestartSec = "5s";
ExecStart = "${frpc} -c ${config.path}";
LimitNOFILE = 1048576;
};
wantedBy= [ "multi-user.target" ];
restartTriggers = [ config.file ];
};
sops =
{
templates."frpc.ini" =
{
owner = inputs.config.users.users.frp.name;
group = inputs.config.users.users.frp.group;
content = inputs.lib.generators.toINI {}
(
{
common =
{
server_addr = services.frpClient.serverName;
server_port = 7000;
token = inputs.config.sops.placeholder."frp/token";
user = services.frpClient.user;
tls_enable = true;
};
}
// (listToAttrs (map
(tcp:
{
name = tcp.name;
value =
{
type = "tcp";
local_ip = tcp.value.localIp;
local_port = tcp.value.localPort;
remote_port = tcp.value.remotePort;
use_compression = true;
};
})
(attrsToList services.frpClient.tcp))
)
);
};
secrets."frp/token" = {};
};
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
}
)
(
mkIf (services.frpServer.enable)
{
systemd.services.frps =
let
frps = "${inputs.pkgs.frp}/bin/frps";
config = inputs.config.sops.templates."frps.ini";
in
{
description = "Frp Server Service";
after = [ "network.target" ];
serviceConfig =
{
Type = "simple";
User = "frp";
Restart = "on-failure";
RestartSec = "5s";
ExecStart = "${frps} -c ${config.path}";
LimitNOFILE = 1048576;
};
wantedBy= [ "multi-user.target" ];
restartTriggers = [ config.file ];
};
sops =
{
templates."frps.ini" =
{
owner = inputs.config.users.users.frp.name;
group = inputs.config.users.users.frp.group;
content = inputs.lib.generators.toINI {}
{
common = let cert = inputs.config.security.acme.certs.${services.frpServer.serverName}.directory; in
{
bind_port = 7000;
bind_udp_port = 7000;
token = inputs.config.sops.placeholder."frp/token";
tls_cert_file = "${cert}/full.pem";
tls_key_file = "${cert}/key.pem";
tls_only = true;
user_conn_timeout = 30;
};
};
};
secrets."frp/token" = {};
};
nixos.services.acme = { enable = true; certs = [ services.frpServer.serverName ]; };
security.acme.certs.${services.frpServer.serverName}.group = "frp";
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
networking.firewall.allowedTCPPorts = [ 7000 ];
}
)
(
mkIf services.nix-serve.enable
{
@@ -83,8 +357,7 @@ inputs:
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
};
sops.secrets."store/signingKey" = {};
nixos.services.nginx.httpProxy.${services.nix-serve.hostname} =
{ rewriteHttps = true; locations."/".upstream = "http://127.0.0.1:5000"; };
nixos.services.nginx.httpProxy.${services.nix-serve.hostname}.upstream = "http://127.0.0.1:5000";
}
)
(mkIf services.smartd.enable { services.smartd.enable = true; })
@@ -171,8 +444,8 @@ inputs:
enable = true;
httpProxy."wallabag.chn.moe" =
{
rewriteHttps = true;
locations."/" = { upstream = "http://127.0.0.1:4398"; setHeaders.Host = "wallabag.chn.moe"; };
upstream = "http://127.0.0.1:4398";
setHeaders.Host = "wallabag.chn.moe";
};
};
postgresql.enable = true;

103
modules/services/docker.nix Normal file
View File

@@ -0,0 +1,103 @@
inputs:
{
options.nixos.services.docker = let inherit (inputs.lib) mkOption types; in
{
type = types.attrsOf (types.submodule (inputs: { options =
{
user = mkOption { type = types.nonEmptyStr; default = inputs.config._module.args.name; };
image = mkOption { type = types.package; };
imageName =
mkOption { type = types.nonEmptyStr; default = with inputs.image; (imageName + ":" + imageTag); };
ports = mkOption
{
type = types.listOf (types.oneOf
[
types.ints.unsigned
types.submodule (inputs: { options =
{
hostIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
hostPort = mkOption { type = types.ints.unsigned; };
containerPort = mkOption { type = types.ints.unsigned; };
protocol = mkOption { type = types.enum [ "tcp" "udp" ]; default = "tcp"; };
};})
]);
default = [];
};
environmentFile = mkOption { type = types.oneOf [ types.bool types.nonEmptyStr ]; default = false; };
};}));
default = {};
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (builtins) listToAttrs map concatLists;
inherit (inputs.localLib) attrsToList;
inherit (inputs.config.nixos.services) docker;
in mkMerge
[
{
virtualisation.oci-containers.containers = listToAttrs (map
(container:
{
name = "${container.name}";
value =
{
image = container.value.imageName;
imageFile = container.value.image;
ports = map
(port:
(
if builtins.typeOf port == "int" then "127.0.0.1::${toString port}"
else ("${port.value.hostIp}:${toString port.value.hostPort}"
+ ":${toString port.value.containerPort}/${port.value.protocol}")
))
container.value.ports;
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
environmentFiles =
if builtins.typeOf container.value.environmentFile == "bool" && container.value.environmentFile
then [ inputs.config.sops.templates."${container.name}/env".path ]
else if builtins.typeOf container.value.environmentFile == "bool" then []
else [ container.value.environmentFile ];
};
})
(attrsToList docker));
systemd.services = listToAttrs (concatLists (map
(container:
[
{
name = "docker-${container.value.user}-daemon";
value =
{
wantedBy = [ "multi-user.target" ];
inherit (inputs.systemd.user.services.docker) description path;
serviceConfig = inputs.systemd.user.services.docker.serviceConfig //
{
User = container.value.user;
Group = container.value.user;
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
ExecStart = inputs.systemd.user.services.docker.serviceConfig.ExecStart
+ " -H unix:///var/run/docker-rootless/${container.value.user}.sock";
};
unitConfig = { inherit (inputs.systemd.user.services.docker.unitConfig) StartLimitInterval; };
};
}
{
name = "docker-${container.name}";
value =
{
requires = [ "docker-${container.value.user}-daemon.service" ];
after = [ "docker-${container.value.user}-daemon.service" ];
environment.DOCKER_HOST = "unix:///var/run/docker-rootless/${container.value.user}.sock";
serviceConfig = { User = container.value.user; Group = container.value.user; };
};
}
])
(attrsToList docker)));
}
(mkIf (docker != {})
{
systemd.tmpfiles.rules = [ "d /var/run/docker-rootless 0777" ];
nixos.virtualization.docker.enable = true;
})
];
}

154
modules/services/frp.nix
View File

@@ -1,154 +0,0 @@
inputs:
{
options.nixos.services = let inherit (inputs.lib) mkOption types; in
{
frpClient =
{
enable = mkOption { type = types.bool; default = false; };
serverName = mkOption { type = types.nonEmptyStr; };
user = mkOption { type = types.nonEmptyStr; };
tcp = mkOption
{
type = types.attrsOf (types.submodule (inputs:
{
options =
{
localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
localPort = mkOption { type = types.ints.unsigned; };
remoteIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
remotePort = mkOption { type = types.ints.unsigned; default = inputs.config.localPort; };
};
}));
default = {};
};
};
frpServer =
{
enable = mkOption { type = types.bool; default = false; };
serverName = mkOption { type = types.nonEmptyStr; };
};
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) attrsToList;
inherit (inputs.config.nixos.services) frpClient frpServer;
inherit (builtins) map listToAttrs;
in mkMerge
[
(
mkIf frpClient.enable
{
systemd.services.frpc =
let
frpc = "${inputs.pkgs.frp}/bin/frpc";
config = inputs.config.sops.templates."frpc.ini";
in
{
description = "Frp Client Service";
after = [ "network.target" ];
serviceConfig =
{
Type = "simple";
User = "frp";
Restart = "always";
RestartSec = "5s";
ExecStart = "${frpc} -c ${config.path}";
LimitNOFILE = 1048576;
};
wantedBy= [ "multi-user.target" ];
restartTriggers = [ config.file ];
};
sops =
{
templates."frpc.ini" =
{
owner = inputs.config.users.users.frp.name;
group = inputs.config.users.users.frp.group;
content = inputs.lib.generators.toINI {}
(
{
common =
{
server_addr = frpClient.serverName;
server_port = 7000;
token = inputs.config.sops.placeholder."frp/token";
user = frpClient.user;
tls_enable = true;
};
}
// (listToAttrs (map
(tcp:
{
name = tcp.name;
value =
{
type = "tcp";
local_ip = tcp.value.localIp;
local_port = tcp.value.localPort;
remote_port = tcp.value.remotePort;
use_compression = true;
};
})
(attrsToList frpClient.tcp))
)
);
};
secrets."frp/token" = {};
};
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
}
)
(
mkIf frpServer.enable
{
systemd.services.frps =
let
frps = "${inputs.pkgs.frp}/bin/frps";
config = inputs.config.sops.templates."frps.ini";
in
{
description = "Frp Server Service";
after = [ "network.target" ];
serviceConfig =
{
Type = "simple";
User = "frp";
Restart = "on-failure";
RestartSec = "5s";
ExecStart = "${frps} -c ${config.path}";
LimitNOFILE = 1048576;
};
wantedBy= [ "multi-user.target" ];
restartTriggers = [ config.file ];
};
sops =
{
templates."frps.ini" =
{
owner = inputs.config.users.users.frp.name;
group = inputs.config.users.users.frp.group;
content = inputs.lib.generators.toINI {}
{
common = let cert = inputs.config.security.acme.certs.${frpServer.serverName}.directory; in
{
bind_port = 7000;
bind_udp_port = 7000;
token = inputs.config.sops.placeholder."frp/token";
tls_cert_file = "${cert}/full.pem";
tls_key_file = "${cert}/key.pem";
tls_only = true;
user_conn_timeout = 30;
};
};
};
secrets."frp/token" = {};
};
nixos.services.acme = { enable = true; certs = [ frpServer.serverName ]; };
security.acme.certs.${frpServer.serverName}.group = "frp";
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
networking.firewall.allowedTCPPorts = [ 7000 ];
}
)
];
}

37
modules/services/groupshare.nix
View File

@@ -1,37 +0,0 @@
inputs:
{
options.nixos.services.groupshare = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
# hard to read value from inputs.config.users.users.xxx.home, causing infinite recursion
mountPoints = mkOption { type = types.listOf types.str; default = []; };
};
config =
let
inherit (inputs.lib) mkIf;
inherit (builtins) listToAttrs map concatLists;
inherit (inputs.config.nixos.services) groupshare;
users = inputs.config.users.groups.groupshare.members;
in mkIf groupshare.enable
{
users.groups.groupshare = {};
systemd.tmpfiles.rules = [ "d /var/lib/groupshare" ]
++ (concatLists (map
(user:
[
"d /var/lib/groupshare/${user} 2750 ${user} groupshare"
# systemd 253 does not support 'X' bit, it should be manually set
# sudo setfacl -m 'xxx' dir
# ("a /var/lib/groupshare/${user} - - - - "
# + "d:u:${user}:rwX,u:${user}:rwX,d:g:groupshare:r-X,g:groupshare:r-X,d:o::---,o::---,d:m::r-x,m::r-x")
])
users));
fileSystems = listToAttrs (map
(mountPoint:
{
name = mountPoint;
value = { device = "/var/lib/groupshare"; options = [ "bind" ]; depends = [ "/home" "/var/lib" ]; };
})
groupshare.mountPoints);
};
}

23
modules/services/huginn.nix Normal file
View File

@@ -0,0 +1,23 @@
inputs:
{
options.nixos.services.huginn.enable = inputs.lib.mkOption { type = inputs.lib.types.bool; default = false; };
config = inputs.lib.mkIf inputs.config.nixos.services.huginn.enable
{
nixos.services =
{
docker.huginn =
{
image = inputs.pkgs.dockerTools.pullImage
{
imageName = "huginn/huginn";
imageDigest = "sha256:dbe871597d43232add81d1adfc5ad9f5cf9dcb5e1f1ba3d669598c20b96ab6c1";
sha256 = "0ls97k8ic7w5j54jlpwh8rrvj1y4pl4106j9pyap105r6p7dziiz";
finalImageName = "huginn/huginn";
finalImageTag = "2d5fcafc507da3e8c115c3479e9116a0758c5375";
};
ports = [ 3000 ];
environmentFile = true;
};
};
};
}

15
modules/services/meilisearch.nix
View File

@@ -11,7 +11,6 @@ inputs:
};}));
default = {};
};
ioLimitDevice = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
};
config =
let
@@ -59,17 +58,11 @@ inputs:
IOSchedulingPriority = 4;
IOAccounting = true;
IOWeight = 1;
IOReadBandwidthMax = "/dev/mapper/root 20M";
IOWriteBandwidthMax = "/dev/mapper/root 20M";
Nice = 19;
Slice = "-.slice";
}
// (if meilisearch.ioLimitDevice != null then
{
IOReadBandwidthMax = "${meilisearch.ioLimitDevice} 20M";
IOWriteBandwidthMax = "${meilisearch.ioLimitDevice} 20M";
# iostat -dx 1
IOReadIOPSMax = "${meilisearch.ioLimitDevice} 100";
IOWriteIOPSMax = "${meilisearch.ioLimitDevice} 100";
} else {});
};
};
})
(attrsToList meilisearch.instances));
@@ -98,7 +91,7 @@ inputs:
env = "production"
dump_dir = "/var/lib/meilisearch/${instance.name}/dumps"
log_level = "INFO"
max_indexing_memory = "16Gb"
max_indexing_memory = "8Gb"
max_indexing_threads = 1
'';
owner = inputs.config.users.users.misskey.name;

16
modules/services/misskey.nix
View File

@@ -65,12 +65,12 @@ inputs:
"/var/lib/misskey/work" =
{
device = "${inputs.pkgs.localPackages.misskey}";
options = [ "bind" "private" "x-gvfs-hide" ];
options = [ "bind" ];
};
"/var/lib/misskey/work/files" =
{
device = "/var/lib/misskey/files";
options = [ "bind" "private" "x-gvfs-hide" ];
options = [ "bind" ];
};
};
sops.templates."misskey/default.yml" =
@@ -140,14 +140,10 @@ inputs:
name = hostname;
value =
{
rewriteHttps = true;
locations."/" =
{
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
};
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
};
})
(attrsToList misskey-proxy));

156
modules/services/nginx.nix
View File

@@ -6,47 +6,23 @@ inputs:
transparentProxy =
{
enable = mkOption { type = types.bool; default = true; };
externalIp = mkOption { type = types.listOf types.nonEmptyStr; };
externalIp = mkOption { type = types.nonEmptyStr; };
map = mkOption { type = types.attrsOf types.ints.unsigned; default = {};};
};
httpProxy = mkOption
{
type = types.attrsOf (types.submodule { options =
{
upstream = mkOption { type = types.nonEmptyStr; };
rewriteHttps = mkOption { type = types.bool; default = false; };
websocket = mkOption { type = types.bool; default = false; };
http2 = mkOption { type = types.bool; default = true; };
setHeaders = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
addAuth = mkOption { type = types.bool; default = false; };
detectAuth = mkOption { type = types.bool; default = false; };
locations = mkOption
{
type = types.attrsOf (types.submodule { options =
{
upstream = mkOption { type = types.nonEmptyStr; };
websocket = mkOption { type = types.bool; default = false; };
setHeaders = mkOption { type = types.attrsOf types.str; default = {}; };
};});
};
};});
default = {};
};
streamProxy =
{
enable = mkOption { type = types.bool; default = false; };
port = mkOption { type = types.ints.unsigned; default = 5575; };
map = mkOption
{
type = types.attrsOf (types.oneOf
[
types.nonEmptyStr
(types.submodule { options =
{
upstream = mkOption { type = types.nonEmptyStr; };
rewriteHttps = mkOption { type = types.bool; default = false; };
};})
]);
default = {};
};
};
};
config =
let
@@ -89,38 +65,37 @@ inputs:
value =
{
serverName = site.name;
listen = [ { addr = "127.0.0.1"; port = (if site.value.http2 then 443 else 3065); ssl = true; } ]
++ (if site.value.rewriteHttps then [ { addr = "0.0.0.0"; port = 80; } ] else []);
listen =
[
{ addr = "127.0.0.1"; port = (if site.value.http2 then 443 else 3065); ssl = true; }
{ addr = "0.0.0.0"; port = 80; }
];
useACMEHost = site.name;
locations = listToAttrs (map
(location:
{
inherit (location) name;
value =
{
proxyPass = location.value.upstream;
proxyWebsockets = location.value.websocket;
recommendedProxySettings = false;
recommendedProxySettingsNoHost = true;
extraConfig = concatStringsSep "\n"
(
(map
(header: ''proxy_set_header ${header.name} "${header.value}";'')
(attrsToList location.value.setHeaders))
++ (if site.value.detectAuth then ["proxy_hide_header Authorization;"] else [])
++ (
if site.value.addAuth then
["include ${inputs.config.sops.templates."nginx/addAuth/${site.name}-template".path};"]
else [])
);
};
})
(attrsToList site.value.locations));
locations."/" =
{
proxyPass = site.value.upstream;
proxyWebsockets = site.value.websocket;
recommendedProxySettings = false;
recommendedProxySettingsNoHost = true;
basicAuthFile =
if site.value.detectAuth then
inputs.config.sops.secrets."nginx/detectAuth/${site.name}".path
else null;
extraConfig = concatStringsSep "\n"
(
(map
(header: "proxy_set_header ${header.name} ${header.value};")
(attrsToList site.value.setHeaders))
++ (if site.value.detectAuth then ["proxy_hide_header Authorization;"] else [])
++ (
if site.value.addAuth then
["include ${inputs.config.sops.templates."nginx/addAuth/${site.name}-template".path};"]
else [])
);
};
addSSL = true;
forceSSL = site.value.rewriteHttps;
http2 = site.value.http2;
basicAuthFile =
if site.value.detectAuth then inputs.config.sops.secrets."nginx/detectAuth/${site.name}".path
else null;
};
})
(attrsToList nginx.httpProxy));
@@ -148,16 +123,6 @@ inputs:
in
(inputs.pkgs.nginxMainline.override (prev: { modules = prev.modules ++ [ nginx-geoip2 ]; }))
.overrideAttrs (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
streamConfig =
''
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb
{
$geoip2_data_country_code country iso_code;
}
resolver 8.8.8.8;
'';
# todo: use host dns
resolver.addresses = [ "8.8.8.8" ];
};
geoipupdate =
{
@@ -213,9 +178,13 @@ inputs:
{
services.nginx.streamConfig =
''
log_format transparent_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
'"$ssl_preread_server_name"->$transparent_proxy_backend $bytes_sent $bytes_received';
map $ssl_preread_server_name $transparent_proxy_backend
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb
{
$geoip2_data_country_code country iso_code;
}
log_format stream '[$time_local] $remote_addr-$geoip2_data_country_code "$ssl_preread_server_name"->$backend $bytes_sent $bytes_received';
access_log syslog:server=unix:/dev/log stream;
map $ssl_preread_server_name $backend
{
${concatStringsSep "\n" (map
(x: '' "${x.name}" 127.0.0.1:${toString x.value};'')
@@ -230,14 +199,13 @@ inputs:
}
server
{
${concatStringsSep "\n " (map (ip: "listen ${ip}:443;") nginx.transparentProxy.externalIp)}
listen ${nginx.transparentProxy.externalIp}:443;
ssl_preread on;
proxy_bind $remote_addr transparent;
proxy_pass $transparent_proxy_backend;
proxy_pass $backend;
proxy_connect_timeout 1s;
proxy_socket_keepalive on;
proxy_buffer_size 128k;
access_log syslog:server=unix:/dev/log transparent_proxy;
}
'';
networking.firewall.allowedTCPPorts = [ 80 443 ];
@@ -292,47 +260,5 @@ inputs:
wantedBy= [ "multi-user.target" ];
};
})
(mkIf nginx.streamProxy.enable
{
services.nginx =
{
streamConfig =
''
log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
'"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
map $ssl_preread_server_name $stream_proxy_backend
{
${concatStringsSep "\n" (map
(x: '' "${x.name}" "${x.value.upstream or x.value}";'')
(attrsToList nginx.streamProxy.map))}
}
server
{
listen 127.0.0.1:${toString nginx.streamProxy.port};
ssl_preread on;
proxy_pass $stream_proxy_backend;
proxy_connect_timeout 10s;
proxy_socket_keepalive on;
proxy_buffer_size 128k;
access_log syslog:server=unix:/dev/log stream_proxy;
}
'';
virtualHosts = listToAttrs (map
(site:
{
inherit (site) name;
value =
{
serverName = site.name;
listen = [ { addr = "0.0.0.0"; port = 80; } ];
locations."/".return = "301 https://${site.name}$request_uri";
};
})
(filter (site: site.value.rewriteHttps or false) (attrsToList nginx.streamProxy.map)));
};
nixos.services.nginx.transparentProxy.map = listToAttrs (map
(site: { name = site.name; value = nginx.streamProxy.port; })
(attrsToList nginx.streamProxy.map));
})
];
}

5
modules/services/rsshub.nix
View File

@@ -62,9 +62,8 @@ inputs:
enable = true;
httpProxy.${rsshub.hostname} =
{
rewriteHttps = true;
locations."/" =
{ upstream = "http://127.0.0.1:${toString rsshub.port}"; setHeaders.Host = rsshub.hostname; };
upstream = "http://127.0.0.1:${toString rsshub.port}";
setHeaders.Host = rsshub.hostname;
};
};
};

67
modules/services/samba.nix
View File

@@ -1,67 +0,0 @@
inputs:
{
options.nixos.services.samba = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
wsdd = mkOption { type = types.bool; default = false; };
private = mkOption { type = types.bool; default = false; };
hostsAllowed = mkOption { type = types.str; default = "127."; };
shares = mkOption
{
type = types.attrsOf (types.submodule { options =
{
comment = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
path = mkOption { type = types.nonEmptyStr; };
};});
default = {};
};
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.localLib) attrsToList;
inherit (inputs.config.nixos.services) samba;
inherit (builtins) map listToAttrs;
in mkIf samba.enable
{
services =
{
# make shares visible for windows 10 clients
samba-wsdd.enable = samba.wsdd;
samba =
{
enable = true;
# TCP 139 445 UDP 137 138
openFirewall = !samba.private;
securityType = "user";
extraConfig =
''
workgroup = WORKGROUP
server string = Samba Server
server role = standalone server
hosts allow = ${samba.hostsAllowed}
dns proxy = no
'';
# obey pam restrictions = yes
# encrypt passwords = no
shares = listToAttrs (map
(share:
{
name = share.name;
value =
{
comment = if share.value.comment != null then share.value.comment else share.name;
path = share.value.path;
browseable = true;
writeable = true;
"create mask" = "644";
"force create mode" = "644";
"directory mask" = "2755";
"force directory mode" = "2755";
};
})
(attrsToList samba.shares));
};
};
};
}

37
modules/services/snapper.nix
View File

@@ -1,37 +0,0 @@
inputs:
{
options.nixos.services.snapper = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
configs = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) stripeTabs attrsToList;
inherit (inputs.config.nixos) services;
inherit (builtins) map listToAttrs toString;
in mkIf services.snapper.enable
{
services.snapper.configs =
let
f = (config:
{
inherit (config) name;
value =
{
SUBVOLUME = config.value;
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
TIMELINE_MIN_AGE = 1800;
TIMELINE_LIMIT_HOURLY = "10";
TIMELINE_LIMIT_DAILY = "7";
TIMELINE_LIMIT_WEEKLY = "1";
TIMELINE_LIMIT_MONTHLY = "0";
TIMELINE_LIMIT_YEARLY = "0";
};
});
in
listToAttrs (map f (attrsToList services.snapper.configs));
};
}

13
modules/services/snapper.patch Normal file
View File

@@ -0,0 +1,13 @@
diff --git a/snapper/FileUtils.cc b/snapper/FileUtils.cc
index 9da572f..48f60fa 100644
--- a/snapper/FileUtils.cc
+++ b/snapper/FileUtils.cc
@@ -424,7 +424,7 @@ namespace snapper
v /= 62;
}
- int fd = open(name, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, S_IRUSR | S_IWUSR);
+ int fd = open(name, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (fd >= 0)
return fd;
else if (errno != EEXIST)

27
modules/services/sshd.nix
View File

@@ -1,27 +0,0 @@
inputs:
{
options.nixos.services.sshd = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
passwordAuthentication = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) sshd;
in mkIf sshd.enable
{
services.openssh =
{
enable = true;
settings =
{
X11Forwarding = true;
ChallengeResponseAuthentication = false;
PasswordAuthentication = sshd.passwordAuthentication;
KbdInteractiveAuthentication = false;
UsePAM = true;
};
};
};
}

12
modules/services/synapse.nix
View File

@@ -133,14 +133,10 @@ inputs:
name = hostname;
value =
{
rewriteHttps = true;
locations."/" =
{
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
};
upstream = if builtins.typeOf upstream == "string" then "http://${upstream}"
else "http://${upstream.address}:${toString upstream.port}";
websocket = true;
setHeaders.Host = hostname;
};
})
(attrsToList synapse-proxy));

117
modules/services/vaultwarden.nix
View File

@@ -1,117 +0,0 @@
inputs:
{
options.nixos.services = let inherit (inputs.lib) mkOption types; in
{
vaultwarden =
{
enable = mkOption { type = types.bool; default = false; };
autoStart = mkOption { type = types.bool; default = true; };
port = mkOption { type = types.ints.unsigned; default = 8000; };
websocketPort = mkOption { type = types.ints.unsigned; default = 3012; };
hostname = mkOption { type = types.str; default = "vaultwarden.chn.moe"; };
};
vaultwarden-proxy =
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "vaultwarden.chn.moe"; };
upstream = mkOption
{
type = types.oneOf [ types.nonEmptyStr (types.submodule { options =
{
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
port = mkOption { type = types.ints.unsigned; default = 8000; };
websocketPort = mkOption { type = types.ints.unsigned; default = 3012; };
};})];
default = {};
};
};
};
config =
let
inherit (inputs.config.nixos.services) vaultwarden vaultwarden-proxy;
inherit (builtins) listToAttrs;
inherit (inputs.lib) mkIf mkMerge;
in mkMerge
[
(
mkIf vaultwarden.enable
{
services.vaultwarden =
{
enable = true;
dbBackend = "postgresql";
config =
{
DATA_FOLDER = "/var/lib/vaultwarden";
WEB_VAULT_ENABLED = true;
WEBSOCKET_ENABLED = true;
ROCKET_PORT = vaultwarden.port;
WEBSOCKET_PORT = toString vaultwarden.websocketPort;
SIGNUPS_VERIFY = true;
DOMAIN = "https://${vaultwarden.hostname}";
SMTP_HOST = "mail.chn.moe";
SMTP_FROM = "bot@chn.moe";
SMTP_FROM_NAME = "vaultwarden";
SMTP_SECURITY = "force_tls";
SMTP_USERNAME = "bot@chn.moe";
};
environmentFile = inputs.config.sops.templates."vaultwarden.env".path;
};
sops =
{
templates."vaultwarden.env" =
let
serviceConfig = inputs.config.systemd.services.vaultwarden.serviceConfig;
placeholder = inputs.config.sops.placeholder;
in
{
owner = serviceConfig.User;
group = serviceConfig.Group;
content =
''
DATABASE_URL=postgresql://vaultwarden:${placeholder."postgresql/vaultwarden"}@localhost/vaultwarden
ADMIN_TOKEN=${placeholder."vaultwarden/admin_token"}
SMTP_PASSWORD=${placeholder."mail/bot"}
'';
};
secrets = listToAttrs (map
(secret: { name = secret; value = {}; })
[ "vaultwarden/admin_token" "mail/bot" ]);
};
systemd.services.vaultwarden =
{
enable = vaultwarden.autoStart;
after = [ "postgresql.service" ];
};
nixos.services.postgresql = { enable = true; instances.vaultwarden = {}; };
}
)
(
mkIf vaultwarden-proxy.enable
{
nixos.services.nginx =
{
enable = true;
httpProxy."${vaultwarden-proxy.hostname}" =
{
rewriteHttps = true;
locations = let upstream = vaultwarden-proxy.upstream; in (listToAttrs (map
(location: { name = location; value =
{
upstream = "http://${upstream.address or upstream}:${builtins.toString upstream.port or 8000}";
setHeaders = { Host = vaultwarden-proxy.hostname; Connection = ""; };
};})
[ "/" "/notifications/hub/negotiate" ]))
// { "/notifications/hub" =
{
upstream =
"http://${upstream.address or upstream}:${builtins.toString upstream.websocketPort or 3012}";
websocket = true;
setHeaders.Host = vaultwarden-proxy.hostname;
};};
};
};
}
)
];
}

6
modules/services/xray.nix
View File

@@ -269,12 +269,6 @@ inputs:
${iptables} -t mangle -N v2ray_mark -w
${iptables} -t mangle -A OUTPUT -j v2ray_mark -w
${iptables} -t mangle -A v2ray_mark -m owner --uid-owner $(id -u v2ray) -j RETURN -w
${
if inputs.config.nixos.system.networking.nebula.enable then
let user = inputs.config.systemd.services."nebula@nebula".serviceConfig.User; in
"${iptables} -t mangle -A v2ray_mark -m owner --uid-owner $(id -u ${user}) -j RETURN -w"
else ""
}
${iptables} -t mangle -A v2ray_mark -m set --match-set noproxy_src_net src -j RETURN -w
${iptables} -t mangle -A v2ray_mark -m set --match-set xmu_net dst -p tcp -j MARK --set-mark 1/1 -w
${iptables} -t mangle -A v2ray_mark -m set --match-set xmu_net dst -p udp -j MARK --set-mark 1/1 -w

26
modules/services/xrdp.nix
View File

@@ -4,16 +4,14 @@ inputs:
{
enable = mkOption { type = types.bool; default = false; };
port = mkOption { type = types.ints.unsigned; default = 3389; };
hostname = mkOption
{
type = types.nullOr (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
default = null;
};
hostname = mkOption { type = types.nullOr types.str; default = null; };
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) stripeTabs attrsToList;
inherit (inputs.config.nixos.services) xrdp;
inherit (builtins) map listToAttrs concatStringsSep toString filter attrValues;
in mkIf xrdp.enable (mkMerge
[
{
@@ -27,18 +25,12 @@ inputs:
}
(
mkIf (xrdp.hostname != null)
(
let
mainDomain = if builtins.typeOf xrdp.hostname == "string" then xrdp.hostname
else builtins.elemAt xrdp.hostname 0;
in
{
services.xrdp = let keydir = inputs.config.security.acme.certs.${mainDomain}.directory; in
{ sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
nixos.services.acme = { enable = true; certs = [ xrdp.hostname ]; };
security.acme.certs.${mainDomain}.group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
}
)
{
services.xrdp = let keydir = inputs.config.security.acme.certs.${xrdp.hostname}.directory; in
{ sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
nixos.services.acme = { enable = true; certs = [ xrdp.hostname ]; };
security.acme.certs.${xrdp.hostname}.group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
}
)
]);
}

4
modules/system/default.nix
View File

@@ -3,7 +3,7 @@ inputs:
imports = inputs.localLib.mkModules
[
./nix.nix
./fileSystems
./fileSystems.nix
./grub.nix
./initrd.nix
./kernel.nix
@@ -61,11 +61,9 @@ inputs:
defaultLocale = "C.UTF-8";
supportedLocales = [ "zh_CN.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" "C.UTF-8/UTF-8" ];
};
users.mutableUsers = false;
# environment.pathsToLink = [ "/include" ];
# environment.variables.CPATH = "/run/current-system/sw/include";
# environment.variables.LIBRARY_PATH = "/run/current-system/sw/lib";
virtualisation.oci-containers.backend = "docker";
home-manager.sharedModules = [{ home.stateVersion = "22.11"; }];
};
}

18
modules/system/fileSystems/default.nix → modules/system/fileSystems.nix
View File

@@ -39,11 +39,6 @@ inputs:
});
default = {};
};
keyFile = mkOption
{
type = types.path;
default = ./. + "/${inputs.config.nixos.system.networking.hostname}.key";
};
delayedMount = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
};
};
@@ -84,11 +79,7 @@ inputs:
# mount.vfat
{
fileSystems = listToAttrs (map
(device:
{
name = device.value;
value = { device = device.name; fsType = "vfat"; neededForBoot = true; };
})
(device: { name = device.value; value = { device = device.name; fsType = "vfat"; }; })
(attrsToList fileSystems.mount.vfat));
}
# mount.btrfs
@@ -115,8 +106,7 @@ inputs:
# zstd:15 5m33s 7.16G
# zstd:8 54s 7.32G
# zstd:3 17s 7.52G
options = [ "compress-force=zstd" "subvol=${subvol.name}" "acl" ];
neededForBoot = true;
options = [ "compress-force=zstd" "subvol=${subvol.name}" ];
};
}
)
@@ -241,9 +231,7 @@ inputs:
mount ${device} /mnt -m
if [ -f /mnt${path}/current/.timestamp ]
then
timestamp=$(cat /mnt${path}/current/.timestamp)
mv /mnt${path}/current /mnt${path}/$timestamp
btrfs property set -ts /mnt${path}/$timestamp ro true
mv /mnt${path}/current /mnt${path}/$(cat /mnt${path}/current/.timestamp)
fi
btrfs subvolume create /mnt${path}/current
echo $(date '+%Y%m%d%H%M%S') > /mnt${path}/current/.timestamp

BIN
modules/system/fileSystems/nas.key
View File

Binary file not shown.

BIN
modules/system/fileSystems/vps6.key
View File

Binary file not shown.

BIN
modules/system/fileSystems/vps7.key
View File

Binary file not shown.

1
modules/system/gui.nix
View File

@@ -3,7 +3,6 @@ inputs:
options.nixos.system.gui = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
preferred = mkOption { type = types.bool; default = false; };
};
config =
let

21
modules/system/impermanence.nix
View File

@@ -41,20 +41,10 @@ inputs:
"${impermanence.root}" =
{
hideMounts = true;
directories = [ "/var/lib/systemd/linger" ]
directories = []
++ (if inputs.config.services.xserver.displayManager.sddm.enable then
[{ directory = "/var/lib/sddm"; user = "sddm"; group = "sddm"; mode = "0700"; }] else []);
}
// (if builtins.elem "chn" inputs.config.nixos.users.users then
{
users.chn =
{
directories =
[
".cache"
];
};
} else {});
};
"${impermanence.nodatacow}" =
{
hideMounts = true;
@@ -64,12 +54,7 @@ inputs:
[{ directory = "/var/lib/postgresql"; user = user.name; group = user.group; mode = "0750"; }]
else []
)
++ (if inputs.config.nixos.services.meilisearch.instances != {} then [ "/var/lib/meilisearch" ] else [])
++ (
if inputs.config.nixos.virtualization.kvmHost.enable then
[{ directory = "/var/lib/libvirt/images"; mode = "0711"; }]
else []
);
++ (if inputs.config.nixos.services.meilisearch.instances != {} then [ "/var/lib/meilisearch" ] else []);
};
};
};

15
modules/system/kernel.nix
View File

@@ -25,13 +25,22 @@ inputs:
"ahci" "ata_piix" "bfq" "failover" "net_failover" "nls_cp437" "nls_iso8859-1" "nvme" "sdhci_acpi" "sd_mod"
"sr_mod" "usbcore" "usbhid" "usbip-core" "usb-common" "usb_storage" "vhci-hcd" "virtio" "virtio_blk"
"virtio_net" "virtio_pci" "xhci_pci" "virtio_ring" "virtio_scsi" "cryptd" "crypto_simd" "libaes"
# networking for nas
"igb"
] ++ kernel.modules.initrd;
extraModulePackages = (with inputs.config.boot.kernelPackages; [ v4l2loopback ]) ++ kernel.modules.install;
extraModprobeConfig = builtins.concatStringsSep "\n" kernel.modules.modprobeConfig;
kernelParams = [ "delayacct" "acpi_osi=Linux" ];
kernelPackages = inputs.pkgs.linuxPackages_xanmod_latest;
kernelPackages = inputs.pkgs.linuxPackagesFor (inputs.pkgs.linuxPackages_xanmod.kernel.override rec
{
src = inputs.pkgs.fetchFromGitHub
{
owner = "xanmod";
repo = "linux";
rev = modDirVersion;
hash = "sha256-EugTfBbeH9VTpIg1aDNfaY57NDCA70QIdsOfzxWMSeA=";
};
version = "6.4.14";
modDirVersion = "6.4.14-xanmod1";
});
kernelPatches =
let
patches =

16
modules/system/networking/nebula/default.nix
View File

@@ -3,9 +3,8 @@ inputs:
options.nixos.system.networking.nebula = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
# null: is lighthouse; non-empty string: is not lighthouse, and use this string as lighthouse address.
# null: is lighthouse, non-empty string: is not lighthouse, and use this string as lighthouse address.
lighthouse = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
useRelay = mkOption { type = types.bool; default = false; };
};
config =
let
@@ -18,19 +17,18 @@ inputs:
{
enable = true;
ca = ./ca.crt;
# nebula-cert sign -name 1p9p -ip 192.168.82.4/24
cert = ./. + "/${inputs.config.nixos.system.networking.hostname}.crt";
key = inputs.config.sops.templates."nebula/key-template".path;
firewall.inbound = [ { host = "any"; port = "any"; proto = "any"; } ];
firewall.outbound = [ { host = "any"; port = "any"; proto = "any"; } ];
}
// (
if nebula.lighthouse == null then { isLighthouse = true; isRelay = true; }
if nebula.lighthouse == null then { isLighthouse = true; }
else
{
lighthouses = [ "192.168.82.1" ];
relays = if nebula.useRelay then [ "192.168.82.1" ] else [];
staticHostMap."192.168.82.1" = [ "${nebula.lighthouse}:4242" ];
listen.port = 0;
}
);
sops =
@@ -48,11 +46,7 @@ inputs:
};
secrets."nebula/key" = {};
};
networking.firewall.trustedInterfaces = [ "nebula.nebula" ];
systemd.services."nebula@nebula" =
{
after = [ "network-online.target" ];
serviceConfig.Restart = "always";
};
networking.firewall = { trustedInterfaces = [ "nebula.nebula" ]; }
// (if nebula.lighthouse != null then {} else { allowedTCPPorts = [ 4242 ]; allowedUDPPorts = [ 4242 ]; });
};
}

6
modules/system/networking/nebula/nas.crt
View File

@@ -1,6 +0,0 @@
-----BEGIN NEBULA CERTIFICATE-----
CmEKA25hcxIKhKShhQyA/v//DyiRxoCoBjCv/sW2BjoghACiJywxa2n7Aki9/HEU
q2KpxFE+1Eshcgiy09UagFxKICju+bVGfbNKKrhV7SCNXhazgyVZYigGrzfpvHza
nafWEkDfhP5lh+/rFLPZslxaU+jy1swpr+oipToAnZ9Lw5Wlefpmxo/8mTBb4a8T
0jhdUC8x4ETwta6LbtWfo7uPinAJ
-----END NEBULA CERTIFICATE-----

1
modules/system/nix.nix
View File

@@ -26,6 +26,7 @@ inputs:
experimental-features = [ "nix-command" "flakes" ];
keep-outputs = nix.keepOutputs;
keep-failed = true;
auto-optimise-store = true;
substituters = if nix.substituters == null then [ "https://cache.nixos.org/" ] else nix.substituters;
trusted-public-keys = [ "chn:Cc+nowW1LIpe1kyXOZmNaznFDiH1glXmpb4A+WD/DTE=" ];
show-trace = true;

26
modules/system/nixpkgs.nix
View File

@@ -22,30 +22,17 @@ inputs:
{
config.allowUnfree = true;
config.cudaSupport = nixpkgs.cudaSupport;
overlays = [(final: prev:
{
genericPackages =
import inputs.topInputs.nixpkgs { system = "x86_64-linux"; config.allowUnfree = true; };
waydroid = final.unstablePackages.waydroid;
})];
overlays = [(final: prev: { genericPackages =
import inputs.topInputs.nixpkgs { system = "x86_64-linux"; config.allowUnfree = true; };})];
};
}
(
mkConditional (nixpkgs.march != null)
{
programs.ccache.enable = true;
nixpkgs =
{
hostPlatform = { system = "x86_64-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; };
config = { qchem-config.optArch = nixpkgs.march; oneapiArch = nixpkgs.oneapiArch; };
overlays = [(final: prev:
{
unstablePackages = import inputs.topInputs.nixpkgs-unstable
{
localSystem = { system = "x86_64-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; };
config.allowUnfree = true;
};
})];
};
boot.kernelPatches =
[{
@@ -69,14 +56,7 @@ inputs:
};
}];
}
{
nixpkgs =
{
hostPlatform = "x86_64-linux";
overlays = [(final: prev: { unstablePackages = import inputs.topInputs.nixpkgs-unstable
{ localSystem.system = "x86_64-linux"; config.allowUnfree = true; }; })];
};
}
{ nixpkgs.hostPlatform = "x86_64-linux"; }
)
];
}

7
modules/system/security.nix
View File

@@ -25,6 +25,13 @@ inputs:
"es256"
"+presence"
])
(builtins.concatStringsSep ","
[
"WgLCnlQcGP4uVHI8OZrJWoLK6ezHtl404NVGsfH2LXsq0TNVZ7l2OidGpbYqIJwTn5yKu6t0MI7KdHYD18T/HA=="
"GVPuwp38yb+A1Uur22hywW7mQJPOxuLXXKLlM9FU2bvVhpwdjWDvg+BB5YFAL9NjTW22V7Hy/a9UuSmZejs7dw=="
"es256"
"+presence"
])
])
]);
};

520
modules/users/default.nix
View File

@@ -1,276 +1,276 @@
inputs:
let
allUsers =
{
root =
{
config =
let
inherit (inputs.lib) listToAttrs mkMerge;
inherit (builtins) map;
inherit (inputs.localLib) stripeTabs;
in mkMerge
[
{
users.users.root =
users =
{
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
hashedPassword = "$y$j9T$.UyKKvDnmlJaYZAh6./rf/$65dRqishAiqxCE6LEMjqruwJPZte7uiyYLVKpzdZNH5";
openssh.authorizedKeys.keys =
[
(builtins.concatStringsSep ""
[
"sk-ssh-ed25519@openssh.com "
"AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEU/JPpLxsk8UWXiZr8CPNG+4WKFB92o1Ep9OEstmPLzAAAABHNzaDo= "
"chn@pc"
])
];
};
home-manager.users.root =
{
imports = inputs.config.nixos.users.sharedModules;
config.programs.git =
users =
{
extraConfig.core.editor = inputs.lib.mkForce "vim";
userName = "chn";
userEmail = "chn@chn.moe";
};
};
};
chn =
{
users.users.chn =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" "groupshare" ]
(builtins.attrNames inputs.config.users.groups);
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
hashedPassword = "$y$j9T$xJwVBoGENJEDSesJ0LfkU1$VEExaw7UZtFyB4VY1yirJvl7qS7oiF49KbEBrV0.hhC";
openssh.authorizedKeys.keys =
[
# ykman fido credentials list
# ykman fido credentials delete f2c1ca2d
# ssh-keygen -t ed25519-sk -O resident
# ssh-keygen -K
(builtins.concatStringsSep ""
[
"sk-ssh-ed25519@openssh.com "
"AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEU/JPpLxsk8UWXiZr8CPNG+4WKFB92o1Ep9OEstmPLzAAAABHNzaDo= "
"chn@pc"
])
];
};
home-manager.users.chn =
{
imports = inputs.config.nixos.users.sharedModules;
config =
{
programs =
root =
{
git =
shell = inputs.pkgs.zsh;
hashedPassword = "$y$j9T$.UyKKvDnmlJaYZAh6./rf/$65dRqishAiqxCE6LEMjqruwJPZte7uiyYLVKpzdZNH5";
openssh.authorizedKeys.keys =
[
("sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPLByi05vCA95EfpgrCIXzkuyUWsyh"
+ "+Vso8FsUNFwPXFAAAABHNzaDo= chn@chn.moe")
];
};
chn =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "adbusers" "networkmanager" "wheel" "wireshark" "libvirtd" "video" "audio" ]
(builtins.attrNames inputs.config.users.groups);
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
hashedPassword = "$y$j9T$xJwVBoGENJEDSesJ0LfkU1$VEExaw7UZtFyB4VY1yirJvl7qS7oiF49KbEBrV0.hhC";
};
};
mutableUsers = false;
};
}
# (mkMerge (map (user:
# {
# sops.secrets."password/${user}".neededForUsers = true;
# users.users.${user}.passwordFile = inputs.config.sops.secrets."password/${user}".path;
# }) [ "root" "chn" ]))
{
home-manager =
{
useGlobalPkgs = true;
useUserPackages = true;
users =
let
normal = { gui ? false }: { pkgs, ...}:
{
userName = "chn";
userEmail = "chn@chn.moe";
};
ssh.matchBlocks = builtins.listToAttrs
(
(builtins.map
(host:
home.stateVersion = "22.11";
programs =
{
zsh =
{
name = host.name;
value = { host = host.name; hostname = host.value; user = "chn"; };
})
(inputs.localLib.attrsToList
{
vps3 = "vps3.chn.moe";
vps4 = "vps4.chn.moe";
vps5 = "vps5.chn.moe";
vps6 = "vps6.chn.moe";
vps7 = "vps7.chn.moe";
}))
++ (builtins.map
(host:
{
name = host;
value =
{
host = host;
hostname = "hpc.xmu.edu.cn";
user = host;
extraOptions =
enable = true;
initExtraBeforeCompInit =
''
# p10k instant prompt
typeset -g POWERLEVEL9K_INSTANT_PROMPT=off
P10K_INSTANT_PROMPT="$XDG_CACHE_HOME/p10k-instant-prompt-''${(%):-%n}.zsh"
[[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
HYPHEN_INSENSITIVE="true"
export PATH=~/bin:$PATH
function br
{
PubkeyAcceptedAlgorithms = "+ssh-rsa";
HostkeyAlgorithms = "+ssh-rsa";
SetEnv = "TERM=chn_unset_ls_colors:xterm-256color";
# in .bash_profile:
# if [[ $TERM == chn_unset_ls_colors* ]]; then
# export TERM=${TERM#*:}
# export CHN_LS_USE_COLOR=1
# fi
# in .bashrc
# [ -n "$CHN_LS_USE_COLOR" ] && alias ls="ls --color=auto"
local cmd cmd_file code
cmd_file=$(mktemp)
if broot --outcmd "$cmd_file" "$@"; then
cmd=$(<"$cmd_file")
command rm -f "$cmd_file"
eval "$cmd"
else
code=$?
command rm -f "$cmd_file"
return "$code"
fi
}
alias todo="todo.sh"
'';
plugins =
[
{
file = "powerlevel10k.zsh-theme";
name = "powerlevel10k";
src = "${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
}
{
file = "p10k.zsh";
name = "powerlevel10k-config";
src = ./p10k-config;
}
{
name = "zsh-lsd";
src = pkgs.fetchFromGitHub
{
owner = "z-shell";
repo = "zsh-lsd";
rev = "029a9cb0a9b39c9eb6c5b5100dd9182813332250";
sha256 = "sha256-oWjWnhiimlGBMaZlZB+OM47jd9hporKlPNwCx6524Rk=";
};
}
];
history =
{
extended = true;
save = 100000000;
size = 100000000;
share = true;
};
};
direnv = { enable = true; nix-direnv.enable = true; };
git =
{
enable = true;
lfs.enable = true;
userEmail = "chn@chn.moe";
userName = "chn";
extraConfig =
{
core.editor = if gui then "code --wait" else "vim";
advice.detachedHead = false;
merge.conflictstyle = "diff3";
diff.colorMoved = "default";
};
package = pkgs.gitFull;
delta =
{
enable = true;
options =
{
side-by-side = true;
navigate = true;
syntax-theme = "GitHub";
light = true;
zero-style = "syntax white";
line-numbers-zero-style = "#ffffff";
};
};
})
[ "wlin" "jykang" "hwang" ])
)
// {
xmupc1 =
{
host = "xmupc1";
hostname = "office.chn.moe";
user = "chn";
port = 6007;
};
nas =
{
host = "nas";
hostname = "office.chn.moe";
user = "chn";
port = 5440;
};
xmupc1-ext =
{
host = "xmupc1-ext";
hostname = "vps3.chn.moe";
user = "chn";
port = 6007;
};
xmuhk =
{
host = "xmuhk";
hostname = "10.26.14.56";
user = "xmuhk";
# identityFile = "~/.ssh/xmuhk_id_rsa";
};
xmuhk2 =
{
host = "xmuhk2";
hostname = "183.233.219.132";
user = "xmuhk";
port = 62022;
};
ssh =
{
enable = true;
controlMaster = "auto";
controlPersist = "1m";
compression = true;
matchBlocks = builtins.listToAttrs
(
(map
(host:
{
name = host.name;
value = { host = host.name; hostname = host.value; user = "chn"; };
})
(inputs.localLib.attrsToList
{
vps3 = "vps3.chn.moe";
vps4 = "vps4.chn.moe";
vps5 = "vps5.chn.moe";
vps6 = "vps6.chn.moe";
vps7 = "vps7.chn.moe";
nas = "192.168.1.188";
}))
++ (map
(host:
{
name = host;
value =
{
host = host;
hostname = "hpc.xmu.edu.cn";
user = host;
extraOptions = { PubkeyAcceptedAlgorithms = "+ssh-rsa"; HostkeyAlgorithms = "+ssh-rsa"; };
};
})
[ "wlin" "jykang" "hwang" ])
)
// {
xmupc1 =
{
host = "xmupc1";
hostname = "office.chn.moe";
user = "chn";
port = 6007;
};
xmupc1-ext =
{
host = "xmupc1-ext";
hostname = "vps3.chn.moe";
user = "chn";
port = 6007;
};
xmuhk =
{
host = "xmuhk";
hostname = "10.26.14.56";
user = "xmuhk";
# identityFile = "~/.ssh/xmuhk_id_rsa";
};
xmuhk2 =
{
host = "xmuhk2";
hostname = "183.233.219.132";
user = "xmuhk";
port = 62022;
};
};
};
vim =
{
enable = true;
defaultEditor = true;
packageConfigurable = inputs.config.programs.vim.package;
settings =
{
number = true;
expandtab = false;
shiftwidth = 2;
tabstop = 2;
};
extraConfig =
''
set clipboard=unnamedplus
colorscheme evening
'';
};
chromium =
{
enable = inputs.config.programs.chromium.enable && gui;
extensions =
[
{ id = "mpkodccbngfoacfalldjimigbofkhgjn"; } # Aria2 Explorer
{ id = "nngceckbapebfimnlniiiahkandclblb"; } # Bitwarden
{ id = "kbfnbcaeplbcioakkpcpgfkobkghlhen"; } # Grammarly
{ id = "ihnfpdchjnmlehnoeffgcbakfmdjcckn"; } # Pixiv Fanbox Downloader
{ id = "cimiefiiaegbelhefglklhhakcgmhkai"; } # Plasma Integration
{ id = "dkndmhgdcmjdmkdonmbgjpijejdcilfh"; } # Powerful Pixiv Downloader
{ id = "padekgcemlokbadohgkifijomclgjgif"; } # Proxy SwitchyOmega
{ id = "kefjpfngnndepjbopdmoebkipbgkggaa"; } # RSSHub Radar
{ id = "abpdnfjocnmdomablahdcfnoggeeiedb"; } # Save All Resources
{ id = "nbokbjkabcmbfdlbddjidfmibcpneigj"; } # SmoothScroll
{ id = "onepmapfbjohnegdmfhndpefjkppbjkm"; } # SuperCopy 超级复制
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
{ id = "gppongmhjkpfnbhagpmjfkannfbllamg"; } # Wappalyzer
{ id = "hkbdddpiemdeibjoknnofflfgbgnebcm"; } # YouTube™ 双字幕
{ id = "ekhagklcjbdpajgpjgmbionohlpdbjgc"; } # Zotero Connector
{ id = "ikhdkkncnoglghljlkmcimlnlhkeamad"; } # 划词翻译
{ id = "dhdgffkkebhmkfjojejmpbldmpobfkfo"; } # 篡改猴
{ id = "hipekcciheckooncpjeljhnekcoolahp"; } # Tabliss
];
};
obs-studio =
{
enable = true;
plugins = with pkgs.obs-studio-plugins; [ wlrobs obs-vaapi obs-nvfbc droidcam-obs obs-vkcapture ];
};
};
};
in
{
root = normal { gui = false; };
chn = normal { gui = inputs.config.nixos.system.gui.enable; };
};
home.packages =
[
(
let
servers = builtins.filter
(system: system.value.enable)
(builtins.map
(system:
{
name = system.config.nixos.system.networking.hostname;
value = system.config.nixos.system.fileSystems.decrypt.manual;
})
(builtins.attrValues inputs.topInputs.self.nixosConfigurations));
cat = "${inputs.pkgs.coreutils}/bin/cat";
gpg = "${inputs.pkgs.gnupg}/bin/gpg";
ssh = "${inputs.pkgs.openssh}/bin/ssh";
in inputs.pkgs.writeShellScriptBin "remote-decrypt" (builtins.concatStringsSep "\n"
(
(builtins.map (system: builtins.concatStringsSep "\n"
[
"decrypt-${system.name}() {"
" key=$(${cat} ${system.value.keyFile} | ${gpg} --decrypt)"
(builtins.concatStringsSep "\n" (builtins.map
(device: " echo $key | ${ssh} root@initrd.${system.name}.chn.moe cryptsetup luksOpen "
+ (if device.value.ssd then "--allow-discards " else "")
+ "${device.name} ${device.value.mapper} -")
(inputs.localLib.attrsToList system.value.devices)))
"}"
])
servers)
++ [ "decrypt-$1" ]
))
)
];
};
};
nixos.services.groupshare.mountPoints = [ "/home/chn/groupshare" ];
};
xll =
{
users.users.xll =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
passwordFile = inputs.config.sops.secrets."users/xll".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./xll_id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.xll.imports = inputs.config.nixos.users.sharedModules;
sops.secrets."users/xll".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/xll/groupshare" ];
};
zem =
{
users.users.zem =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
passwordFile = inputs.config.sops.secrets."users/zem".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./zem_id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.zem.imports = inputs.config.nixos.users.sharedModules;
sops.secrets."users/zem".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/zem/groupshare" ];
};
yjq =
{
users.users.yjq =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
passwordFile = inputs.config.sops.secrets."users/yjq".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./yjq_id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.yjq.imports = inputs.config.nixos.users.sharedModules;
sops.secrets."users/yjq".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/yjq/groupshare" ];
};
yxy =
{
users.users.yxy =
{
isNormalUser = true;
extraGroups = inputs.lib.intersectLists
[ "groupshare" "video" ]
(builtins.attrNames inputs.config.users.groups);
passwordFile = inputs.config.sops.secrets."users/yxy".path;
openssh.authorizedKeys.keys = [ (builtins.readFile ./yxy_id_rsa.pub) ];
shell = inputs.pkgs.zsh;
autoSubUidGidRange = true;
};
home-manager.users.yxy.imports = inputs.config.nixos.users.sharedModules;
sops.secrets."users/yxy".neededForUsers = true;
nixos.services.groupshare.mountPoints = [ "/home/yxy/groupshare" ];
};
};
in
{
options.nixos.users = let inherit (inputs.lib) mkOption types; in
{
users = mkOption { type = types.listOf (types.enum (builtins.attrNames allUsers)); default = [ "root" "chn" ]; };
sharedModules = mkOption { type = types.listOf types.anything; default = []; };
};
config =
let
inherit (builtins) map attrNames;
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.config.nixos) users;
in mkMerge
[
(mkMerge (map (user: mkIf (builtins.elem user users.users) allUsers.${user}) (attrNames allUsers)))
];
}
}
];
}
# environment.persistence."/impermanence".users.chn =
# {
@@ -313,4 +313,4 @@ inputs:
# ".viminfo"
# ".zsh_history"
# ];
# };
# };

2
modules/packages/p10k-config/p10k.zsh → modules/users/p10k-config/p10k.zsh
View File

@@ -1686,7 +1686,7 @@
# - verbose: Enable instant prompt and print a warning when detecting console output during
# zsh initialization. Choose this if you've never tried instant prompt, haven't
# seen the warning, or if you are unsure what this all means.
typeset -g POWERLEVEL9K_INSTANT_PROMPT=quiet
typeset -g POWERLEVEL9K_INSTANT_PROMPT=verbose
# Hot reload allows you to change POWERLEVEL9K options after Powerlevel10k has been initialized.
# For example, you can type POWERLEVEL9K_BACKGROUND=red and see your prompt turn red. Hot reload

1
modules/users/xll_id_rsa.pub
View File

@@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJ/jzUQ6QuAjnAryvpWk7TReS6pnHxhEXY9RonojKkurhfYSQO/IlxDMDq23TFXcgu8iZG4cS6MADgx/KNZD/MjuN9YNCIEGvMwzWvB0oM25BC6Vf3iKDmhH06rZKH6/g5GN+HWoCN4yE/+MhIpegFO3+YMpveXwEESlyoIjPvcW+RwmlNJevrHd83ETYDQ4AybWyJo6en5tz2ngr22HaK4MtxgrqnIN/KorY+nrzTNa7VBC7BaZc1tA5FLwUeCXtuzp2ibfrxoGUAiDig4FW09ijCk3Y77y7aNVI2nw5y28nCV5rgVMh5fejtNVqIqku7p+8qgjxvY6veATG0lYgZgw2ldnDGDNbEGxcCnKKmCgZMxok8zTRsniZ91KuHkcl2L7xUo7kdQYzBRwZyQ53eW+yPoqUya4yn272rscBEUMyZzmegfr1SXMqw/8zn+MZdr1KXEvrbfjX+2QL52GY3bfYUf3KFje+Sp88k688bRH0vrxj9BCOS7ovbyfe9BEU= xll@chn-PC

1
modules/users/yjq_id_rsa.pub
View File

@@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtnVhZQsJfbs2w9hFZkx4qDhIs++7no+6r5TifP3Dq7epJYd2QYx4dI66XxTNhKxZjN6a4Xn5nFlYLtQJXOvzBLC8IBf1W5GCH0k/jqzzskS0/Ix/70HzcBwJk8ihWDkyON5Ki1BRCx34RNxth1BIxWyc5QT+lou+D92x8iAu/uOvmcAL3Ua0OlZwxw03hLp/PpS4ZnUqFjc2JVtarY7eQu/i3RwOZUaK6nT2EL8RObzk4xnieqsU5PWwA3voVjetqZaDQ+P7dimQXz/FaucroKxCNyTiy1oG4fdQpm2UDrH6ZfPvdQLYrtet6FQabXOxhV7MuR3jYtxZjs1kDVZIseIZ6IwjetaUoMxvIouRfYjOSIEo9Ek9o0+Yhku4r0uWmPDrymWugU1raMmlRxSUwdlzW+C7mQwtGbs/MG4MN4GWkM6id5DKlY2vYKUfrTzmhY1swCtzKq20fjvyX8qhJdcytgVlOrBZnPje6Qd55sI0RjdgJrBsxT2SYquez7U8= yjq@chn-PC

1
modules/users/yxy_id_rsa.pub
View File

@@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3D1PKR7xwlFBT/XdvGl9JkKTR0opBOQwxokR0Ri+zy0a6PgFFE6/L2NhgbHLQZt96J4lHl9ZxPdRgQ8Tc4+rptJiEX5VvZaNXmOC5wa5fGZuSj93HPEUzrtOv1sFzh2WgAeWd2nf7r/DoSYY91W1Bpsjx1YaeI6KvTHMeqoidTd17CcrMkIcOuYlgAHDeZ+vnxljTOddjK17D+AsG1+ThbDNwd97AlRv/pRkL2BAnHHNvL1UXVKg47IV4+60guB0Xqr947mSdCAomW1Oe9XbYooVRZZaVov1cv6NTQ0dZ6ktV3i+s7VXZh8dNkp46Hw68gI+fHp0I3mze5MblffpaGo2f0qQrJOROQygOyj/ihK1eMkPNKfdJE0odQ0z+1mwnwq5bhP5UPBvz6Z11M9Ez+/VtX3MG27RdVPMtoLSgHV7XwvVsvJQ5V+O+TkdO95IIlPuA2+1wj9O+Tsz4u4IS5xC7XXr9Jo+Mj1gbYnZqmTSldyBIkSUuKRgDF6oC4Fs= yxy@chn-xmupc1

1
modules/users/zem_id_rsa.pub
View File

@@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDn1pfGen7kjPTHsbb8AgrUJWOeFPHK5S4M97Lcj3tvdcjZi2SXN6PwHQfh8/xGhZbTLPz/40S9O9/Dn30xkUTfnONirKt790jp7VEbOtPnjQPOd/KRNWlS3VV0BELuq5p633Mi13rP6JZtdKmU2uSkvvaUBfCppy3JaWv/B7HLJ48f8IzkdiT1px3dN1eQ4SFoHOiVG0ci5TGG6wfMdoAAnM9R1aXI4gDxnYjLYujpaNZ4hBOta/6ZK/PV0JufoXdIAZjubgk1Hv04XHXLR2Z0UhRM6x7UrZIOdM/LlnKmcVk408ZKEj/9m1xRyDsNoZ24CF++cmnwfBHrp9I5nvDI7xOTdZlOhzkiiPM3f4i6s2Qjdv4vpZ6AeE3Qt1LVQyAr67b4UMjHuYqSi2KgyCO6My2Ov2eRoS74EKcb8ejJv3O+XInmYUgDgTgDFT3CgQgK2DG45HiV6nOkaE/6iKx2JSOiYZTFc7TRcePfXF9JQD7dXFde6qm3EbIVyJIpCJ8= zem@chn-PC

9
modules/virtualization/default.nix
View File

@@ -67,14 +67,7 @@ inputs:
};
virtualisation =
{
libvirtd =
{
enable = true;
qemu.runAsRoot = false;
onBoot = "ignore";
onShutdown = "shutdown";
parallelShutdown = 4;
};
libvirtd = { enable = true; qemu.runAsRoot = false; onBoot = "ignore"; onShutdown = "shutdown"; };
spiceUSBRedirection.enable = true;
};
environment.systemPackages = with inputs.pkgs; [ qemu_full win-spice ] ++

34
secrets/nas.yaml
View File

@@ -1,14 +1,5 @@
xray-client:
uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
nebula:
key: ENC[AES256_GCM,data:zWLXEH628ZVDZk7U/9zEXocJatCJr7hZrCmh/pifPlxVvVud5RQxLvgRvhQ=,iv:YFn7spiIcaW/l8dQZvGhsERi81L2RKLUE/55Bht0TMQ=,tag:fVdIRCMeT6o0lrGVDjCVlA==,type:str]
acme:
cloudflare.ini: ENC[AES256_GCM,data:/LpP1qoVS+CG+5ska6vtmagHNrhcgr5e1QRzDdbdCYGnDB8Nca/GmIogzHCXsogQY/rwGTCZoXLKKEGToYiThwk=,iv:R++I0ued2wrVsmM/vYvBVMOp9M7HyZIfDOVOlg7GALE=,tag:gYchPuh8MHk3EEnGb9g4WA==,type:str]
users:
xll: ENC[AES256_GCM,data:XLSsz6fZ23PPaJS1Y5C3FAOks3wzb2f+Pv8TgyKrDBfMeoLk1M37A00OGJ2wsYxkuR0JV6Uoh+hhRpTUjOQnmLfQrBxPxxP8DA==,iv:jxEZX/flxxduM1sdrYfGHfMtFMYduMg0Lr6hY1pkAPg=,tag:CYy0y1e2S2Txz1OSh+XDHA==,type:str]
zem: ENC[AES256_GCM,data:VCVLfGO9a06XhAOBciFf1u7A5jaQikAt2wZf+dCAi1BglXpM6Hof1yAunadYOwLOBFgGlP19kX53CBBlZtaqZFL2GRDzXP0woQ==,iv:AFYtHCCkzNrllN/fjQ8GKYs2TyV3uj3BsU5n1tBQAmM=,tag:5dP7c5N4yG2NS4T+Vg0Zpg==,type:str]
yjq: ENC[AES256_GCM,data:yn6eGrySCxlRsFioaE2p1qlTHkIGC9l64+edjuDvt232xc+iFeD03EYfuulyr0GxYFwnlAwtaJnyMi5eOrSd1W6HeV3Canzdbw==,iv:qTc6vA8uQza8CB+BvffEN9GqHkiwNM4h9RkqQR14ylk=,tag:UZ2GYCJLjcWLuVXlscLviw==,type:str]
yxy: ENC[AES256_GCM,data:71vjvwr29lfPCarnblpbW3WVyJK8EMV+cR4prc4AM3r0PG4z88P6i0IrzSy8XwkVPrEasfYXxn+vDbzXyi7kIWaWXrkjcyGTxg==,iv:LfkinvbIhchvgfgixIY8Wg6esrc+TOS4YWqRTJ0qfvw=,tag:mLPw6z8DOPrHsRpUHn3/gw==,type:str]
uuid: ENC[AES256_GCM,data:0q37D3FVH95eSmw1KPuQSbt6zgzdt9iyO6Mnsk/CiDtp36BR,iv:V0sZLD4VAPF6LQg+mrWxpvnKfkCwQlmwGuJ86XEe8Ik=,tag:UEQAcpkv1LmuIBF50PL0lQ==,type:str]
sops:
kms: []
gcp_kms: []
@@ -18,23 +9,14 @@ sops:
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aWJSUVUwMnYwN01vSEJO
cHV3Ylkzb1Z6Z1E3a2NwZXdIVlpacHJDNWhBCkZXZWx5M21HKy94WkhuaDhkVEFL
M01MdUlza0VmK1hKTExmeFdUWDllbTAKLS0tIE8wR1F6ZVZPNVYwU1Y3ZFJaUkhT
a3B1UzdQSjlzTmxReVhWMzhTaVdTRDgKG76K16V6NAMaeyfne4LL/zwa5+lfPz/y
1SX1JOaWNpXqfOIGflZUF88lxCLR8ttEFea391x2vhoKPZKCvIDGHw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArbFR2bHMrRmdXWVVHTTlJ
VVFoMXNBWUU0MGkrOWl0bEphb3JlSTlsN25nCjE1NTZwTHM1b09ZeS9GQ09pRFB0
TFRPcW5MTGI1dTk0YXFsVmI1ZmVnTlUKLS0tIEpZNW1YMi9Gc0laRkxYbEw2TGd2
MVRPMDVCeHVlOTBnWVNJZ21kcmlBTFkKKbyR6MGaKRvk23toLEdD9s7deQN2Dp9U
fYn/X4SC7Wfm4atiDbLR3Jz6FhjRAN+s//lrojRb4yqoipa2AN5tPA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eXhkb1B3WXhGTTBLTDk2
ZmhTUDltWGk4ZU1PUk8vYkVaUkx0MDFEWUZNCjl2R25JR3Z0U3NKWWwzbjVsMXVq
NXMxOThGaFVHQ1ZacU4yUXVBVXNBNUkKLS0tIFkyUjhzMzlMVkM2WFZ1VUw5Zlcy
by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-14T11:09:58Z"
mac: ENC[AES256_GCM,data:f6D4N+He7Zz0VA2FxUzTARfckidgVlDHE1hZrYW6jDf+v9ZK/c/JAj12zLNiCy9aG6rBz5K0jdWpnTsguMlTYCKUjLcD8MSW4KJErYmeVFLpfuiSBMr0+pcSVA9DpEmekaYl0GbnxrgQKrfEL0dthR6+9m5CsP/1bvEs34XcKGk=,iv:0YVxL5iVOvmFzThk7fua2Cqpty9lTX/tdKNii5gY/UA=,tag:d+NwYbpeDziniYXwQYVCdg==,type:str]
lastmodified: "2023-08-23T12:21:23Z"
mac: ENC[AES256_GCM,data:sUfKYYu4aQYa2hO09aRXDdlrxY9T8ePb4sMTf8hfHHZLRaxLubWy7JkzVdxlTDpCHEZIW5J5zpbcjpvE8ZC5G/m45iCLwJIqAM5teSoG5FW/hR2uzfSuRsF/5vh1xFREsGtMLYskBobvf9mssBwRXgaKOv4zAHzlBmEhTLTBFLg=,iv:TmjRAHISDSK1+M1WtrMYF20cdCPCqu05VhHl6/ipKB4=,tag:jwMdzZoFu1IOB3sg2/kxlg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

6
secrets/pc.yaml
View File

@@ -7,6 +7,8 @@ frp:
store:
signingKey: ENC[AES256_GCM,data:TsB1nA0Rf2AsYyH59WpUK53pTCX2JdrGQjkJ9A9BfWLLmw3EMnPoaLHG12rv1R2/xRU7rP+iVhXb77g60I/Kn4ehun3ogMmK1oEAKyQcxudBUJFk+SeijaQLr2A=,iv:e2rdGBVOPS1nyC3pXhs5r0WyEkqxcpCnX3eAcBCj93M=,tag:HwccjH2Wms5/TevU2IuzNw==,type:str]
nginx:
#ENC[AES256_GCM,data:sHSfWhEO9PHWTY0r,iv:XSyOSkzEVOjMF/9vjEVpcuKH6B2mdE5D7l9VKrSILO0=,tag:2YkAoPW5GqOjFpPF5IvApg==,type:comment]
#ENC[AES256_GCM,data:Oaxg1nXYHLNOAF2V8lNF+4OtJz5bXOdEleXi89AW+dQvDgj0HMAAlxLiixlfhFW48Clcu+C+4opFZUk+4Q3GBePTQWeabgEFAZi+MgnVoiXzfizQpmve,iv:/NyV6W0vaXvS5qFKPw+7Iqe9po1VKQDLbHaC9Fa8Mto=,tag:JiCKJxhpAI9k11N9WxfZew==,type:comment]
maxmind-license: ENC[AES256_GCM,data:PVV4VAvB22KoA8EM8Honb+KWYhydXdmTAVlDw/XnTcbaIY+5Km2gGA==,iv:7PfytRbpW4G2iDNqysvZnB0YsQFVUL5Kr1DNsBzuhCA=,tag:z2J14fdD7AUNabN+6kUojA==,type:str]
postgresql:
misskey: ENC[AES256_GCM,data:KiJ2smpRwJ1pzauCgVsmFH4aCiw4sEkCQ9JSTao5NdI=,iv:jIc0a797dokfByN2vJcYcAFfPC8MP7wCV5qsxoCDxcE=,tag:L5n1/xszwB0lhqYcbLqp2Q==,type:str]
@@ -40,8 +42,8 @@ sops:
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-18T12:02:13Z"
mac: ENC[AES256_GCM,data:cO1AngVyJaj+M91wUCG4mGLRjYDF57CdV1UyYeWBXozNl1VxgTWlUFfQJFC5gIGKohAXhGT0SERLGPRVIkacd0hvuHdeHHyp7kzrwQGZTkfxu6oknlvXEXNUdrIiwoers5aJQbbdlEHI6jKL794VRtkykp3bJs0tSeI+v4EA6kI=,iv:YE+oJN+ZJ+1zmze0+GOYG/G8UI7VrVGO1Iwut6mrBfg=,tag:gF8EQSIbVoAzbb4kmWB/uA==,type:str]
lastmodified: "2023-09-03T08:51:32Z"
mac: ENC[AES256_GCM,data:PlBRhBHJ067MzX77ZaG7XzQviTixWWEZboFM8h1ezmei+Pf2PY4oDxRfmEgAodXD2EpM0x4cao3NPzMeAYtJK0YUViZRzdSbya/60W6Xzv0nrbJHh3xvvJmLVsMXyD3KKMcafTOrBsxnCg0gRro778Z63XkN/S9tA2tZfdZLLcY=,iv:9N223T+lBjYt0WLvvERbAFE1Z30ejWwZNDjByFjlW98=,tag:iTD7+P5uFlwe/xEX80QgMg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

6
secrets/vps6.yaml
View File

@@ -22,9 +22,7 @@ xray-server:
user7: ENC[AES256_GCM,data:7rxvmKbtYrDKBlo8kZIfd86KLd9EcSWB0ikasIRqfCZ24W0h,iv:Uplz4fnFymmBVZ9YTniHFFY3EVSrTYsg1+CTFqBu1WY=,tag:l3EPeYRHSeRsCyRhqFRrEg==,type:str]
#ENC[AES256_GCM,data:8FxApg==,iv:vPa5p3QVHAvw+ECusWGqx1ugTcHh42CVFDQcMhG59wM=,tag:lHiZtydcYFBQiXnWh8pCrw==,type:comment]
user8: ENC[AES256_GCM,data:FNT3hHMwPJu3iI1LuOP1KvsoOonh+J/ecrNrRQO5TpunDPUq,iv:tTEB0MSUmQ39tNq9v1BTfaEcJY7Y59CPHRASMC1a4U8=,tag:klDm6Isk52hG8ubcFu6yHA==,type:str]
#ENC[AES256_GCM,data:QdaYYH3RGJ4qIg==,iv:79NBTEKCPtgVVv3G7wg+vdoLOWxc+bdqT1lF4HJpTC8=,tag:8mRFGjy7lBrdyGyX9vaSOQ==,type:comment]
user9: ENC[AES256_GCM,data:4BD/4MXAVLhDm3EXdgTiEgPketf0WgflVPGb3/JMWXfycEKY,iv:jwE5sFVxZjORwoqCBdufP2EhetVtFGHyCP58AzJwle0=,tag:OCteA20hDBLI9zt1ET0tUQ==,type:str]
#ENC[AES256_GCM,data:U48hPlrJn2dF9g==,iv:W+6QEgemNa41VCT2OfBvEhuLAucLxfR+YZiDgdkkSnk=,tag:IhVstGnQ4EviT5ctMgyKiA==,type:comment]
user10: ENC[AES256_GCM,data:d9qxJQH9Jo8gJKUi5jjSdVwqzuHG+dj08Tk+TxhczJmlSaFT,iv:DS+9isZX2B9AYAyV4Yle4fpHzA/SHcR56B/GW8QdALw=,tag:9nUQ0OuMCuXGSZs2kjfnIQ==,type:str]
user11: ENC[AES256_GCM,data:RPIH0DudfPJwPsa0yFLNqUy2EMwQh1bIqkmhCfteVTkUQGWP,iv:NH0aGTZ6nVqz2nn+o1HQS0PKpqHTBMkAhy0oFeyX/8k=,tag:kgd5zkHXW+oxRFC9x2VTUg==,type:str]
user12: ENC[AES256_GCM,data:Q+XcMYPWWeHqXZZt3lf9OurlWwVQGBJWTnRwDUvg7np19g3+,iv:ybREjo5/SFRN5LMSyYdm0ygkYoq/G1uBv9K0iGPqrh4=,tag:g2y8IJeXtHW1XjelOvT+/A==,type:str]
@@ -88,8 +86,8 @@ sops:
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-30T12:43:07Z"
mac: ENC[AES256_GCM,data:78zZudkrqLTqFy2B2G5hTj4y1e7ApVfKSWUPlx+7nojZb0PdyoRE7q0ZSdOv5qKi2dU5+DLxfwJIDLBOQyquQKHKaPSZ4kL9iY9dEH1ySAYUcSuVs/+kXB4SbLPEO9zcgJmI3BCu/A3dbnRCNB3yotjfwHQ4cwDp09k/8DcN/Gw=,iv:h2qx6Izx7N8tdEUD/rknauQ7Tn6eSNgJrXg/pIZsQpA=,tag:sz+LGutIsRx200hAbCeSOw==,type:str]
lastmodified: "2023-09-03T08:50:37Z"
mac: ENC[AES256_GCM,data:+w04X4hdgiBO3VpCI5tM2h+X13m3QOQeMdcmKGavqBoC9S+jx9dOoy2H9FdhjyYN/dkhglFqG5LMnHqEsdLGSwSxUsJDmHMm3MvFLJYIybvanNB+Gxb9+ooBNpC/e+d1iLg85mAUTXhLlezw5gaRHtwiQ4llOXZesE+c+Wnbbws=,iv:mM5lw8pFJoqYvz8uIi+oTqJFyIHq6HjspYTaEJp2xzY=,tag:9AqRnzwUxIV/ClJATxz95g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

7
secrets/vps7.yaml
View File

@@ -13,7 +13,6 @@ postgresql:
wallabag: ENC[AES256_GCM,data:ANwvEE3K/W/hU34Y7RvlbUuJNo2bOaRfeusYM9pRxXQOdG4XpwYfd/DprsrVjlkrMFuTurUR5j6UNHWh+ILDbQ==,iv:K8doqhVosz+OosMrLJXrSxairr84EeGs3EWgVQjpkS8=,tag:WjDzy7ubm/GVlBkW0O3znQ==,type:str]
misskey: ENC[AES256_GCM,data:OXKLrkPDgVTdsZolzLVOlkYswLVFy0LSXiGjohic4j3t9cTrMIfBa7LbA5J7VlLryO/ISzLpu8lt9aEsmjYSSw==,iv:V4n3MUkAnbLs5gBOOqCubHxuKJGvfH9dND1YgD1YgCs=,tag:RXiXeekS76pGHUz3oEPQ9w==,type:str]
synapse: ENC[AES256_GCM,data:Orfse2arRGMujA8MloqOp+iVr0+uCVtlMZJNAA36J3UCog5ExE8HE6G5wIvvoP0o/PNToYc9Jgn8T7iWdU6FIA==,iv:XQ6/bDfIRmvZ3VdTqH5Gaiu2emd5kV+q6RjNXDQEtkc=,tag:Yq+w9oxv2yhpsQfMRp4HaQ==,type:str]
vaultwarden: ENC[AES256_GCM,data:Uz8GJMaLUTQ9pQbZyZLWS4bL5wmt9RvbAwNctAIDt9JrV3FaXxgKjE0MJSGklS55yj/Z/wbO6RCuCK2AWR2VKw==,iv:7hA8YcB88M1qCV8EhFYpHbfPmAZ/7xNqvTMJYZ/UcAY=,tag:mkDHJYmRoYZ/Ct0UmOp9FA==,type:str]
meilisearch:
misskey: ENC[AES256_GCM,data:+oLR/0G6bjSz3jbZxeoGbLd7I4AiJDxodpc8DEHmHjYaNS6UrQEO50ekNSm3DpcK9+bqMJl4q+d1PWXgHRJbIw==,iv:rQcq7LksBhJr26D3112y41ryW3cEwnG6XLgiFhLv3d4=,tag:/PaX7MIERrtqJoayzdf/AA==,type:str]
rsshub:
@@ -33,8 +32,6 @@ synapse:
signing-key: ENC[AES256_GCM,data:ZCayvU2lElUnuyVDL05XjO3v2P78ha9i9PEcLvpBLgNeYkh7nH9Z4kIAP6Pmbw39ufaSJuo5tZZPmA==,iv:CfxqL7dJbmG/jEcdDe+Su8uxsA4dkOq/CCOGlb3EDIk=,tag:9728QS3GLnTcerzDgtQEWw==,type:str]
nebula:
key: ENC[AES256_GCM,data:9o6EkfTWOU0KwnJsgHML4E7VOfzo3LHnlOkV8ubhi6aayXImC3lAaoPrqUI=,iv:KHprijN7z+4FIIW+D5klDM9a9VzMJ5xawPc7jJtbHmk=,tag:0DAmxoz8D5f38ndPbkNW+g==,type:str]
vaultwarden:
admin_token: ENC[AES256_GCM,data:muavuOY88Lm4rSEoCp4IIPp7Z+sqf36VwpnPgf+K6IwwFkUgYM1GO80ogReYWqqUM6ij1Yzl5D9ncUbq+aGTKQ==,iv:jA4MRJlz71CMmPnWjb2tGbbIoMkEsESUowhXDckKKMI=,tag:l0HaJmnU29YeFUxjOgN3Kg==,type:str]
sops:
kms: []
gcp_kms: []
@@ -59,8 +56,8 @@ sops:
SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy
HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-16T06:00:05Z"
mac: ENC[AES256_GCM,data:1+Uqp+nb1zIkKVQzQWlEVBv3hAiBknHJSiVdEPxj4IzAAWc1okSsh8QYRkTA5WR54BL6I7xerITLvaqAIF1cNnmkZJ/bbbgXuQgwrrRfqDKzxOmtblQDxFO6A815VreLTfWjZN6/h3oEzH4DW+xRtd+js4n5L+nyLMee1O9kOi8=,iv:s6QN07djU9PAA2WRZ4xw2O0iDKqzmaEqVyRmeRoHNXE=,tag:y/KjOdf0cXl2XQbibjrVPQ==,type:str]
lastmodified: "2023-09-03T08:51:12Z"
mac: ENC[AES256_GCM,data:PKxrr1uONIi4ljjS6FFLApcvjVEda4lnsh005Ukmi4NF4fj5/Tyg/4+j85S3UGjgKlHUJsda9qit/23sZjb1IMGgQyL3HakOhEGc1JgbvlibcGm8ZE5LCznu9sp7BQ6hDnYmV1rAyWBDmO6zjNwdjT6NikZUY5o+KiXptLWaUYo=,iv:Gw07qLy4QijtdJa3e15YsbP9UhCS+hpJuApvkvIDc7c=,tag:zit2ySLqpJ7si+YrGINFmg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3