mirror of
https://github.com/CHN-beta/nixos.git
synced 2026-01-12 12:19:22 +08:00
Compare commits
360 Commits
xray-debug
...
a30
| Author | SHA1 | Date | |
|---|---|---|---|
| 0d444e570b | |||
| fcf9cb1943 | |||
| 6b080d7bed | |||
| a8fbca34c6 | |||
| 29f9309318 | |||
| e86581da43 | |||
| 1264a0e612 | |||
| 3967974068 | |||
| cfd8b12cff | |||
| ae6d56ebb3 | |||
| 6e7e78dd02 | |||
| 0b19563969 | |||
| c5273d720b | |||
| bda92824eb | |||
| 3893587b48 | |||
| c0e919adf4 | |||
| 1b7f706e51 | |||
| ad9ed28fca | |||
| 6c6a234a26 | |||
| 136583cf51 | |||
| 2ffc8c79e4 | |||
| 7cc2d28861 | |||
| a75179b11c | |||
| 2765efb973 | |||
| fb857db9f4 | |||
| 5227790451 | |||
| 4705912140 | |||
| 5eb9eaa199 | |||
| 64088c407f | |||
| 28fde40cc4 | |||
| 39461fb577 | |||
| 921ab1d8df | |||
| 593c01b039 | |||
| 238934ad36 | |||
| 0f0376a57d | |||
| 05a333756d | |||
| b868f94d01 | |||
| 544d600638 | |||
| 608fa7f46e | |||
| c515e4f3c6 | |||
| f25ff89cf4 | |||
| 553dd25488 | |||
| 7f86a2ea61 | |||
| 053ac5668e | |||
| 980edd9751 | |||
| ed9bad8211 | |||
| 27ff9dc82e | |||
| 66ef3a1eb9 | |||
| bd08ec2f3e | |||
| 566a917571 | |||
| 444449207e | |||
| ebfc90518f | |||
| 743e422b4f | |||
| 1e8b796512 | |||
| 2dbf1482e2 | |||
| fd7fc7aae2 | |||
| 804ffc9554 | |||
| 22e1d4f2f2 | |||
| bd95e5c7e5 | |||
| 8dcbc18eb9 | |||
| dc7d59fceb | |||
| a7f522bce8 | |||
| 0228860e5c | |||
| 23efd75504 | |||
| 9830bb15dc | |||
| b211e84d01 | |||
| 4028dc1d56 | |||
| fd1a81355c | |||
| b5965e2802 | |||
| 7a5a86b369 | |||
| 654798b1f8 | |||
| 011dcfd152 | |||
| 8ca519ac2f | |||
| 02a1232cf3 | |||
| f4a0e8385b | |||
| fcb5071e84 | |||
| c2cec0a10d | |||
| bb7ca773c0 | |||
| f793e2d42a | |||
| 1ea6614a9e | |||
| ac34dae3a7 | |||
| 7249047645 | |||
| 998d9a9b48 | |||
| b56e637660 | |||
| 1da5f62e4b | |||
| b8533c6f3e | |||
| 4171d3de62 | |||
| c86532bddd | |||
| 822fe1753f | |||
| aaf5948f80 | |||
| 83f7ea173c | |||
| 67bf92e772 | |||
| 5054b557bf | |||
| c07d104f44 | |||
| 4b0e7e2e5e | |||
| b7469542eb | |||
| 6114a8b0ca | |||
| a8351c6088 | |||
| 092885fce9 | |||
| 2afc42229f | |||
| 554a777637 | |||
| 8c685cf593 | |||
| 0741b1712a | |||
| 3f471d64f0 | |||
| 898f5cd3f5 | |||
| 7c34f06866 | |||
| 40d4dbbaed | |||
| 5100a482cf | |||
| 0b270cb9c2 | |||
| 1089ac48a3 | |||
| 2ac5d01af4 | |||
| e5c3eaa8a5 | |||
| 6b5067e2fd | |||
| 62b1926ab1 | |||
| 454463cd63 | |||
| ff80a7ce49 | |||
| dac39597cc | |||
| 7a19c017d4 | |||
| 7fe7b2382c | |||
| 806666b53c | |||
| bb0207cae6 | |||
| 292dc56aa9 | |||
| 934162ac8f | |||
| 7db2b38ca5 | |||
| 80f32d8d4e | |||
| 313b12364f | |||
| 5765835b87 | |||
| bb5da73734 | |||
| 9e22ca65c3 | |||
| d9d78424fc | |||
| 5c0b5ca78e | |||
| 94b67b308e | |||
| cdad2d0381 | |||
| 668b18d525 | |||
| 188c352cb6 | |||
| 0ef84c6c79 | |||
| fa396bd0ed | |||
| e718ccbae2 | |||
| 4012bc95d4 | |||
| 043050a491 | |||
| 38641ff593 | |||
| fbfad2b2a3 | |||
| b7d64b6d2f | |||
| ba7db8d042 | |||
| cb9604bb06 | |||
| 90bd7bf0f8 | |||
| 338f9072b3 | |||
| b56b6a8fcd | |||
| b0cbaf7a46 | |||
| 70caf942de | |||
| 66111e1dec | |||
| f39285ff0e | |||
| 9d5807d52a | |||
| e1e665d7f1 | |||
| 9874e9dce7 | |||
| 6b76ce497a | |||
| eda474f7d6 | |||
| 457bd2571c | |||
| 599b1e7ac0 | |||
| bcafae7509 | |||
| 86ff4c3feb | |||
| d3e11bae79 | |||
| d6a63ed7e5 | |||
| 8fb107b071 | |||
| c0eed934c7 | |||
| 1498a1989b | |||
| 8e029de511 | |||
| c9a231a4b2 | |||
| 4c1c00fcc5 | |||
| b0fee64fc7 | |||
| 2acd77be56 | |||
| b824220f15 | |||
| 2150fe6636 | |||
| 8f72efadd3 | |||
| 4a5e976d5b | |||
| 9858c48d90 | |||
| 2eb6f4ae67 | |||
| b4df678546 | |||
| 8bcecb9d9b | |||
| 2f40ba8166 | |||
| 7483935e93 | |||
| 8db43a7812 | |||
| 48bab70958 | |||
| 72337e2c7e | |||
| 9d0bea2683 | |||
| e4cf0007a3 | |||
| b745e79f6c | |||
| 6af5814ca6 | |||
| 53f596508e | |||
| 527e0028de | |||
| 19c1babd3c | |||
| 4e81de1d29 | |||
| 80b9ae7d8a | |||
| 01bde3548b | |||
| 8ee26927d0 | |||
| ce4b8d824a | |||
| 4c398d466a | |||
| cba657be2a | |||
| e19d24ee28 | |||
| 475a122108 | |||
| ceb1172d69 | |||
| 2e27420fb6 | |||
| 5197fb8afe | |||
| 6a1dbc7c3d | |||
| b0d4cb637a | |||
| 524953cff7 | |||
| 04975b986e | |||
| 4b4c883448 | |||
| 0cd648767b | |||
| 377a1a9011 | |||
| 5385eb7b7a | |||
| ffc17cf127 | |||
| df3f1d0ff2 | |||
| 9e59ef502b | |||
| 33c47388a8 | |||
| 8f5567576b | |||
| 2099aa9e12 | |||
| 0dfd0219af | |||
| da4f5fa5c5 | |||
| 505f93053f | |||
| ca26d7f8e1 | |||
| 3849301a72 | |||
| a12ff043e1 | |||
| 39ed76bae4 | |||
| 5066a83d6f | |||
| f6deb524df | |||
| 7a82f92743 | |||
| 34a444cc94 | |||
| 70f3ebdc42 | |||
| b3802d7ef0 | |||
| eb92fb319e | |||
| 0b9ccc9797 | |||
| 06321475bb | |||
| c21aed27ab | |||
| 3e1b621434 | |||
| f9dc3d7357 | |||
| 72350f15dd | |||
| e8eb6de0c0 | |||
| d3e290f19b | |||
| 5c8b43334f | |||
| 8cc28f6629 | |||
| d3024094ef | |||
| 984a80e1e3 | |||
| 94bfc5f711 | |||
| f4d71c9062 | |||
| 4581ab444c | |||
| 2557a33bc4 | |||
| ae705f203b | |||
| 1dd86833b9 | |||
| 96dbb612d0 | |||
| 1880d6edff | |||
| a72bac2f00 | |||
| 173f7bd6ba | |||
| dc66b05259 | |||
| c4a860ccac | |||
| a028de0e7b | |||
| 34278afedf | |||
| 4d2c9fd540 | |||
| 3244384cd2 | |||
| dbee578ed4 | |||
| 3700de79cb | |||
| 53f77d2873 | |||
| d77e71439d | |||
| aee3956c10 | |||
| 4080010669 | |||
| 502b09d6bc | |||
| 694cc41bf7 | |||
| e0a113747b | |||
| b6b5a7fecd | |||
| d5c7f2d842 | |||
| 28ee978c62 | |||
| a18d464a58 | |||
| c3491c8804 | |||
| 33f4031edc | |||
| 81ef46a464 | |||
| bb46b3b409 | |||
| efbfbb5eb0 | |||
| d1a6a37ed2 | |||
| d9d7bef796 | |||
| 325da64812 | |||
| 6c62d499f1 | |||
| 3639585a86 | |||
| 79084dc8e0 | |||
| ca15905e1a | |||
| bdb0652d24 | |||
| 6a375e241e | |||
| e4583277d3 | |||
| 17f9eb9d8f | |||
| 3d434264b9 | |||
| 411411d0af | |||
| 091f5dfc38 | |||
| c65f295518 | |||
| 50ca8f8232 | |||
| 9acf5a9afb | |||
| 3d6d7bb141 | |||
| 6030a965ce | |||
| 9c13e4efdc | |||
| 04cb3b86dd | |||
| 81874a7bbb | |||
| 6f422a9689 | |||
| f1be2f0d52 | |||
| 37d8d2ecde | |||
| 5afcec1f12 | |||
| cc785838de | |||
| e126b0cb2c | |||
| 25d6f8f4c7 | |||
| ced0fbf714 | |||
| 73d20da10f | |||
| 55a5085c23 | |||
| 6c89c350b1 | |||
| 21074ef749 | |||
| 510185f0ce | |||
| c1a3857389 | |||
| 2eabbf2796 | |||
| 74894efbde | |||
| 055599b5c7 | |||
| 5dabd06e71 | |||
| 289035d755 | |||
| abd242c99b | |||
| 4248975e94 | |||
| 1147ec64b7 | |||
| ab3300d7b4 | |||
| fd8d210336 | |||
| 08c8665cd6 | |||
| 041fc5e3af | |||
| 8493b31634 | |||
| 7f9dae314f | |||
| 1119f659b3 | |||
| a15ee17f22 | |||
| d2630dc2d2 | |||
| 9a0d1dc6a6 | |||
| 9f63ace01e | |||
| 378e8aad93 | |||
| 0f59021493 | |||
| 9d1179e422 | |||
| 06a2d200f3 | |||
| a96d365d58 | |||
| aad50566c8 | |||
| 4f254a863c | |||
| bcd14f67b2 | |||
| 143e14de8b | |||
| f17517d3df | |||
| 1d3022ea5a | |||
| ab3723b0e0 | |||
| 1d0a7261a3 | |||
| 96e7162e61 | |||
| 637620ab1d | |||
| 4979b39f73 | |||
| ba83828393 | |||
| ed1a98d7f8 | |||
| cb51844f5c | |||
| 59c35e4638 | |||
| 7efc011a8e | |||
| 895e371ac9 | |||
| 9b6507c92d | |||
| 995a88a156 | |||
| 010ea9b88f | |||
| a3cfa6a77a | |||
| b244b819dc | |||
| 22867656a5 |
15
.sops.yaml
15
.sops.yaml
@@ -4,13 +4,11 @@ keys: # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
|
||||
- &vps4 age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
|
||||
- &vps6 age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
|
||||
- &nas age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
|
||||
- &one age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
|
||||
- &srv1-node0 age1nzetyehldf3gl6pr6mu5d2cv387p8wjqn6wfpll7a3sl8us6n38s0ds633
|
||||
- &srv1-node1 age1wj33xt8nj7rhnsenepsf6k3lmq5vk4wn84jwr55qy9cwu05xn5cspg3h7t
|
||||
- &srv1-node2 age16e7ykphshal6qhwfvat698hl48s8yr0jvzh27ecdyfh5uk7t9u6s753jgy
|
||||
- &srv2-node0 age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
|
||||
- &srv2-node1 age1hnarptkze0ujpp05dqr8uma04cxg9zqcx68qgpks5uf5l6rpk5gqhh8wxg
|
||||
- &srv3 age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
|
||||
- &test age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
|
||||
- &test-pc age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
|
||||
- &test-pc-vm age1wmcayhf9eyx9e9yp97850mqas9ns455crce8hfmvnupgcxd6sews5r0cln
|
||||
@@ -23,8 +21,6 @@ creation_rules:
|
||||
key_groups: [{ age: [ *chn, *vps6 ] }]
|
||||
- path_regex: devices/nas/.*$
|
||||
key_groups: [{ age: [ *chn, *nas ] }]
|
||||
- path_regex: devices/one/.*$
|
||||
key_groups: [{ age: [ *chn, *one ] }]
|
||||
- path_regex: devices/srv1/secrets/.*$
|
||||
key_groups: [{ age: [ *chn, *srv1-node0, *srv1-node1, *srv1-node2 ] }]
|
||||
- path_regex: devices/srv1/node0/.*$
|
||||
@@ -39,8 +35,6 @@ creation_rules:
|
||||
key_groups: [{ age: [ *chn, *srv2-node0 ] }]
|
||||
- path_regex: devices/srv2/node1/.*$
|
||||
key_groups: [{ age: [ *chn, *srv2-node1 ] }]
|
||||
- path_regex: devices/srv3/.*$
|
||||
key_groups: [{ age: [ *chn, *srv3 ] }]
|
||||
- path_regex: devices/test/.*$
|
||||
key_groups: [{ age: [ *chn, *test ] }]
|
||||
- path_regex: devices/test-pc/.*$
|
||||
@@ -49,11 +43,8 @@ creation_rules:
|
||||
key_groups: [{ age: [ *chn, *test-pc-vm ] }]
|
||||
- path_regex: devices/cross/secrets/default.yaml$
|
||||
key_groups:
|
||||
- age: [ *chn, *pc, *vps4, *vps6, *nas, *one, *srv1-node0, *srv1-node1, *srv1-node2, *srv2-node0, *srv2-node1,
|
||||
*srv3, *test, *test-pc, *test-pc-vm]
|
||||
- age: [ *chn, *pc, *vps4, *vps6, *nas, *srv1-node0, *srv1-node1, *srv1-node2, *srv2-node0, *srv2-node1,
|
||||
*test, *test-pc, *test-pc-vm]
|
||||
- path_regex: devices/cross/secrets/chn.yaml$
|
||||
key_groups:
|
||||
- age: [ *chn, *pc, *one, *nas ]
|
||||
- path_regex: devices/cross/secrets/acme.yaml$
|
||||
key_groups:
|
||||
- age: [ *chn, *nas, *pc, *srv3, *vps4, *vps6 ]
|
||||
- age: [ *chn, *pc, *nas ]
|
||||
|
||||
@@ -3,17 +3,16 @@ let devices =
|
||||
{
|
||||
nas =
|
||||
{
|
||||
"/dev/disk/by-partlabel/nas-root3".mapper = "root3";
|
||||
"/dev/disk/by-partlabel/nas-root4".mapper = "root4";
|
||||
"/dev/disk/by-partlabel/nas-root1".mapper = "root1";
|
||||
"/dev/disk/by-partlabel/nas-root2".mapper = "root2";
|
||||
"/dev/disk/by-partlabel/nas-root3" = { mapper = "root3"; ssd = true; };
|
||||
"/dev/disk/by-partlabel/nas-root4" = { mapper = "root4"; ssd = true; };
|
||||
"/dev/disk/by-partlabel/nas-swap" = { mapper = "swap"; ssd = true; };
|
||||
"/dev/disk/by-partlabel/nas-ssd1" = { mapper = "ssd1"; ssd = true; };
|
||||
"/dev/disk/by-partlabel/nas-ssd2" = { mapper = "ssd2"; ssd = true; };
|
||||
};
|
||||
vps4."/dev/disk/by-uuid/bf7646f9-496c-484e-ada0-30335da57068" = { mapper = "root"; ssd = true; };
|
||||
vps6."/dev/disk/by-uuid/961d75f0-b4ad-4591-a225-37b385131060" = { mapper = "root"; ssd = true; };
|
||||
srv3 =
|
||||
{
|
||||
"/dev/disk/by-partlabel/srv3-root1" = { mapper = "root1"; ssd = true; };
|
||||
"/dev/disk/by-partlabel/srv3-swap" = { mapper = "swap"; ssd = true; };
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
|
||||
@@ -1,62 +0,0 @@
|
||||
acme:
|
||||
token: ENC[AES256_GCM,data:Zm4vCgYbrm8wtYMYqtRkMF7hm8feTcZXITKbJgWsgagWbbHE5Z8zoA==,iv:RSRw188gjoAdhTErApuF8tBSsD+aT3LGhifcy417Qzw=,tag:4ZHfkW8aCJ6BW8mtL261yQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOFEwcjQyUmlpRDJ1WVFt
|
||||
WUJVM29wdTFwZmNWTHNkMFpjeThCaGt0VkJjCjZ1bnNGVnF0dmdKVE1VdzJoeXJk
|
||||
ZXM0b0NZeENMY2g0R203Rnc4Y2x3QTQKLS0tIHVPc1NuaGx5ZE92R3VTenpiRGNI
|
||||
UWhxZVBpL1VSMVFabVJ3WWUrMjlrRTAKpya6EFm4EQ3o35C5Bdyyaw4Qys8IM2fe
|
||||
OrA5b9xElsEhfGzkpRXkEtsbMhbbpNu0zvDBpylU8rU70tffcWh1sA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdUowREVqOXBiZE02RUU2
|
||||
RVU3MkxNVFRiaUFHQzlzdXpQNFRvanhDMGdjCm1qUytTNzAyY3g1OXI4L0hmK2Va
|
||||
a0hJem5FNkFYTnBxbnhJT0QrbVBzdk0KLS0tIDkxeGYwTnNaUVVBa2NxT1dGWVRF
|
||||
UE9uY2tjdE1ZTVFXSWI5czE1ZHVBV0UKYHyDTeejdMwfYW2u6r9MWZ9qJU2mTYJx
|
||||
qK2/91+T5/paq23+gEpMJeCbCMfcws9xeaf4KgWdBr/JNgjNQ3mhyQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbjBLelBWR0ZpZEFrL3A2
|
||||
UExIamd3aElvZUNCK2VwZVJrdHMyWGZNYnhJCnBoUlF4ZWtKMDVIYzhqUlpxZXpr
|
||||
UlY4VnVwcFkxMzc0Q0VoQW03QU9BODQKLS0tIGtoRStxL3BFd09CMi9zT0pwZEwr
|
||||
d0hRWnVQOWVxdGRxRXpBZGtMQ24xbm8KtlIU+T++8IQRDLXAH1pBXa6hNqHD19ti
|
||||
AIZGn7+Eh/b6wOkndNpzLCWGVVm9yo7qMY7AzYNIz7SU/9a0JPGuGQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxbFVkbjdHWm9xTlEwbzBE
|
||||
Ky9KcjVvc0l2ZkJnOVdxVzFpUDMydDRuNWtVCmpkYXl1dG91TG84em16cFlRcG5y
|
||||
WTBKM1VuWmV3dUlpcE1ka093aHh6REEKLS0tIC91OHF0TnhDUjlqVWcvMjl1czlm
|
||||
YVRXZS9PRVpwNmFaY3pNT0JZNzB3R2MKHClUpTySdpU8AFNYoqT37KWkJbPgmd2+
|
||||
UhtufEWWgSL6j/npU0yxHNcsmU5gfd45TnTxp4sSOupJUDM0B4FKlQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObkt4a25UcGo4MnoxOVJQ
|
||||
WkF6elVWODYvSWw1QWtPYTJKS1gxUXRDVjNJCndNcU5GUHhMZW5uTzNpV2NtYUVh
|
||||
K0dYNGlmRzd5ZkZVaGd3cjJFVEFSMXMKLS0tIEVRQWtaY0d3TERsV0ZNcVc0Vyty
|
||||
WnZxTGxOY0NROU4vYTl1WWREemptaDAKhzzRPyr370b7ccTM5DE+jOczmXDqZBt5
|
||||
fYQ04+yLjcULNhqlu52mJRH1X5Se2pXbCzEG6JFiKCEra0wiYhoo5Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbjRpMWZ6eXZubjVUUlNL
|
||||
Z0N3ZkhoeVoxVzVwMHJzQzhJVjZ5MFhTU3dFCllwVWVWbm1KMTlUcEd0empxS1J2
|
||||
NzRSbkE5cEJLMmZCcjZBMTF0TUF2SEUKLS0tIFN6TVNEMU4rVVl1OEdzWGJSRmdl
|
||||
cndmbU16NkRmMHo5ZlJYMUFBUmlIZDQKNVXn3/twQKZC+74tRlpG2wx0hLEZuuka
|
||||
DKtNg6nnhd/UsVNF6/MSTwjnwXeilNemV7ffAbSE4tixcfBV3niILg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-09T13:04:33Z"
|
||||
mac: ENC[AES256_GCM,data:xKqvMTW+TTKPtuHh/pSGvxXXIpeKtzVWgwKPibGX9UTIpnDNzfylmkT6OouqQyI/HTQmiL67ch6gaFSMAbXfpw7JA9YpKif6p84rs3RelKzRLKinDpUtcvWhY1DEA2nsNWOdFHxu7EZhHRbXttRoB372kdV5063MJRvwuqslMpo=,iv:T4ff9w1AYGO9JIzuJz6VbPoS19OcIy9zFvOMLp3F2LE=,tag:x5Yk7tVSilKK68ZRhAnsIw==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
@@ -21,22 +21,17 @@ users:
|
||||
GROUPIII-3: ENC[AES256_GCM,data:c+HRdDZPugIVI2vmuOlorhjZzxS11c6CJiZ3ZEwFFHfIoIUmGsXoRPGraJ0BjI3W+XZbI6qk211yufTgXLVj7nOVi0PW/9mteg==,iv:H8DlkTjkL/f6Oa2LG3dHRsJuWkEqokUJ/mjMyDnEAc4=,tag:0QmUyfAbYnn7vs4AdwQtYw==,type:str]
|
||||
#ENC[AES256_GCM,data:F347rPlEQZyz,iv:VlbVlc/tFmmoe8lVDza7ZJgHavZ/1NM9mK3KZNVrpbk=,tag:iRdvv0ajtgrJgMe87vBFfA==,type:comment]
|
||||
zzn: ENC[AES256_GCM,data:P76cGOGJK3B7Z3nxZ9BlvvyegJ+4JX25kax7/Bj/0VKsH1cGEfyvNbPH8qYUZqm+zUvqEoFNZKWM4+IQKO7Zo9IXCJhGItL1Nw==,iv:e9lnHecgzSrHJkxumRpKGHzGlYbM5Yov4F4Dd4fIqrc=,tag:G7Cr7d1KZfldzYNRL1eSpA==,type:str]
|
||||
aleksana: ENC[AES256_GCM,data:xRqQLPpcv0Ymz7wV0jDDz1i6eKIZKEXvqofO58VSHEC9aVSTLV7aXLw2kQ8PrAPo4FAkne2F6MYQGRwZFIHOjxfhw+ncXVDHxg==,iv:OSbT/f2LRUFY3DEyCCbWkPzwsrsNdVz6ah5ITRt+Kjc=,tag:00z36RTe76p1uxFCchGcpg==,type:str]
|
||||
#ENC[AES256_GCM,data:xAGWajpTpg2keMthwQ==,iv:sQreB2mExZlWgVsig7885zf4LI6RFSitYUnD4ngvhfQ=,tag:viEY1wUVlDCqKm5ucQWzsA==,type:comment]
|
||||
alikia: ENC[AES256_GCM,data:N4lyS8XZSxP3su+Frz00BPU+II+N6nosu4yOLPSG7zxefcJoG7i5bG3bzb1OQLc/x4fTuD2Wd6mEy6q66cizBkGn3xQHZIaW2w==,iv:FO64ACjOS6+UzWKP5WdcFOGZTzslfetX/VAxyUPZ3ds=,tag:6Kf0MCRUj9cbxyk4TsH8iA==,type:str]
|
||||
#ENC[AES256_GCM,data:1br5bc3q0jBn4WrJzQ==,iv:YmIFhDd9Wl4dcKJLBC6A3v7oUXhBin6ZOuJknSiaYfw=,tag:8gtEBug4vHQkxN/9tLjqSw==,type:comment]
|
||||
pen: ENC[AES256_GCM,data:XOKXV0YSFbHC3I3xO8fpWvYerNfVFg2afs+CUp2MZB+yt9KR5bTJdVOfUGldLbWH5CR4v5FxTrTujv24wJ710Rfyugxh9aFJ/w==,iv:tHLoO+XpdUk8S56QUiJQOpVO9C5epam9PMubMN+8fHw=,tag:H0srWRigNUedQMIAfJlfjg==,type:str]
|
||||
#ENC[AES256_GCM,data:K6O0TIYYGZmM8iOwsQ==,iv:xtT8Psnoy51V9gsRo335+VT56FXTcMQ3d4/tnuWouew=,tag:k8irtZ33G3UFK++rzcmyiw==,type:comment]
|
||||
reonokiy: ENC[AES256_GCM,data:fPKdOPAKbXUvK5Jj08T0iSD23mhhkTXCexgB5q3v5JS4c6V4S+W14WOkS4UHrMQls/rHslw0NyMzS5G27A+5vN+EN+xJZfuRGg==,iv:tSdNOgs61tyt7/hUKt8bfKvpq9qOQU14ligdxBs/ATs=,tag:6IoS/p2StKtFREIpxsWkdg==,type:str]
|
||||
#ENC[AES256_GCM,data:cZznknXjlWF6eoEaTA==,iv:tdw/54W2evO1o5sq1syz3k0DZrm/rjflxqJpB9LZgvg=,tag:d60Ctc5YeSmhZJUURUmeSg==,type:comment]
|
||||
zqq: ENC[AES256_GCM,data:iFtM0pxIvXPHBnLEfHdmYGVWXuroDLgUaAKF+DmuBdq1NY+pr33oXNJzckFZfWgpIOuCm4cNg5j5R6nsG+zk2VWdi2vuITT4jA==,iv:qfBC/D1gJYXOZ0Fy2DkAb+ImDgXZWU6R/Z50hbVDR98=,tag:eCr6lbSieWDCNaTYzoQ0qQ==,type:str]
|
||||
zgq: ENC[AES256_GCM,data:cHYFToQ5ulEcb741Gg3X4lKj8ZJy1zcLHpkVQjQXt5hRAQtPsiPlegi2a1nUIAUb6sI//4ffcytlXpdK2sXewFe3ZiIXy3UVjQ==,iv:fKaPxpfh5ssOwAbmEsAPaQ45KrNtkHZb96IzWc6pD9s=,tag:Vt91B77SjxYaZ/HvWVBufA==,type:str]
|
||||
telegram:
|
||||
token: ENC[AES256_GCM,data:zfMATU2E6cwoiyfszV35vkQG6JSk00y589wmGEf4wQNncPhNsvh+NcSfnTwHTQ==,iv:Q46mUquhUZLGQsCDYitk4IPu24MpVnYmi7aHyZL/b1E=,tag:QVbrwAA9mWK/ToJfGIs9ug==,type:str]
|
||||
user:
|
||||
chn: ENC[AES256_GCM,data:mTt2D+SkvVL8,iv:L0Pk5p46E2kKBdRWCGpwOKS0BsbIhZUslpIFWvkssMY=,tag:+AjbNJ1SW/8Mx1HLpWAd2w==,type:str]
|
||||
hjp: ENC[AES256_GCM,data:ZXTQhax0gT4PKw==,iv:MerbaWWC4SLazEuuJrxAxf9e5aaX9xpq9St+h9aqvMQ=,tag:x9knShK90OKZPcn9fKzvMA==,type:str]
|
||||
nginx:
|
||||
maxmind-license: ENC[AES256_GCM,data:MtmNo6hHlU75N6PvzF7P5i6Q+myV4Keb1JRXVeHxTennNpKfAndsKg==,iv:DqM91JX+1WX8Zqzha2Tm3ztFaSzKYQg+b9NvUm+6jxY=,tag:XnDTBL9MA/B8XfPZqdk7Eg==,type:str]
|
||||
maxmind: ENC[AES256_GCM,data:KfTXvxX4zzXBfNMPmZY1z5jTHTByGfH9qEo6EUAQqZ1JOtNUomOWNQ==,iv:KcexOWAXFhWfli6bAMZ+61x960trZ3iE9UYMuOtJNms=,tag:reuuIe6MkONpeT44U6yUjQ==,type:str]
|
||||
acme:
|
||||
token: ENC[AES256_GCM,data:DrNdcyf2tiZ5nmjYmsG13V63ZuZhNG1c/kkGM7eXQWvRvDbu37nKWA==,iv:xc4gtNvZ/BYG+KmT1XgFfG3Z17bBLURazG8tz4/laxE=,tag:khnYVQWjiiaQC9VsJyLV6A==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
@@ -174,7 +169,7 @@ sops:
|
||||
UnR5Y24rSTk3WUV1VUgvQUFCVUxPZUEKv/lTy02gZYn4jF1uGtm+LhJd0m59Xe99
|
||||
+unmqUDh0ZqAhJU8o0jrBiWs1lXOHU7CkIom7tGEMHGUxHkS+Z/6GQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-09T12:54:56Z"
|
||||
mac: ENC[AES256_GCM,data:pAJ1mr02yp41jTcvy56OCUvJZh0NJXqAj582F85eevOIVy/GKQyvBonSkT0vN85q8UXw6tsNBpSqLi5MEoP2QhSP6x6mMZ6fHHGtkhw2ROmuTcfGdHDIq0SMU6arukEVDFlVsoneNXUUmdvwDjxAGv4qf7sI4ynPwu0V9xurYiI=,iv:ZuCObomHvfEPEKnepRyTOiojOEh6mfWW+bF/ytsTqiU=,tag:k0WuI8eewWeCQkiXDisjZw==,type:str]
|
||||
lastmodified: "2025-09-06T01:03:09Z"
|
||||
mac: ENC[AES256_GCM,data:9pJpUNzMogdijzFpjkCw4wEuOGn8B6Q/sKqzA6Pq73fp42t59BbdtK6ClTWqDRUG5MMmLVXYqdlrjPeHeRtXuQ0USNNFY6jC/p35/gB/+Gh+qqLY48YtBPjsV7aYkF8bVhC8EeDZPXvw6Hz5r+e1crVxcbOjk1uFXFVdoDGgsuQ=,iv:0QKuxk9WvCgLMJCNkX0/S/YonY/bmTvvN27DKcZGzv4=,tag:S9S/J57/GHjmVLJhtLDqDw==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -17,8 +17,8 @@ let
|
||||
{
|
||||
publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIktNbEcDMKlibXg54u7QOLt0755qB/P4vfjwca8xY6V";
|
||||
initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIAoMu0HEaFQsnlJL0L6isnkNZdRq0OiDXyaX3+fl3NjT";
|
||||
extraAccess = [ "ssh.git" ];
|
||||
};
|
||||
one.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIC5i2Z/vK0D5DBRg3WBzS2ejM0U+w3ZPDJRJySdPcJ5d";
|
||||
pc.publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIMSfREi19OSwQnhdsE8wiNwGSFFJwNGN0M5gN+sdrrLJ";
|
||||
srv1-node0 =
|
||||
{ publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIDm6M1D7dBVhjjZtXYuzMj2P1fXNWN3O9wmwNssxEeDs"; extraAccess = [ "srv1" ]; };
|
||||
@@ -40,13 +40,6 @@ let
|
||||
publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAINTvfywkKRwMrVp73HfHTfjhac2Tn9qX/lRjLr09ycHp";
|
||||
proxyJump = "srv2";
|
||||
};
|
||||
srv3 =
|
||||
{
|
||||
publicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIIg2wuwWqIOWNx1kVmreF6xTrGaW7rIaXsEPfCMe+5P9";
|
||||
initrdPublicKey = "AAAAC3NzaC1lZDI1NTE5AAAAIPW7XPhNsIV0ZllaueVMHIRND97cHb6hE9O21oLaEdCX";
|
||||
# 默认仅包括wireguard访问的域名和直接访问的域名,这里写额外的域名
|
||||
extraAccess = [ "ssh.git" ];
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
|
||||
@@ -6,240 +6,208 @@ let
|
||||
vps6 = "AVOsYUKQQCvo3ctst3vNi8XSVWo1Wh15066aHh+KpF4=";
|
||||
pc = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
|
||||
nas = "xCYRbZEaGloMk7Awr00UR3JcDJy4AzVp4QvGNoyEgFY=";
|
||||
one = "Hey9V9lleafneEJwTLPaTV11wbzCQF34Cnhr0w2ihDQ=";
|
||||
srv1-node0 = "Br+ou+t9M9kMrnNnhTvaZi2oNFRygzebA1NqcHWADWM=";
|
||||
srv1-node1 = "wyNONnJF2WHykaHsQIV4gNntOaCsdTfi7ysXDsR2Bww=";
|
||||
srv1-node2 = "zWvkVyJwtQhwmxM2fHwNDnK+iwYm1O0RHrwCQ/VXdEo=";
|
||||
srv2-node0 = "lNTwQqaR0w/loeG3Fh5qzQevuAVXhKXgiPt6fZoBGFE=";
|
||||
srv2-node1 = "wc+DkY/WlGkLeI8cMcoRHcCcITNqX26P1v5JlkQwWSc=";
|
||||
srv3 = "a1pUi12SN6fIFiHA9W0N1ycuSz1fWUSpZnjz20OPaBk=";
|
||||
};
|
||||
dns = inputs.topInputs.self.config.dns.wireguard;
|
||||
networks = # 对于每个网络,只需要设置每个设备的 listenPort,以及每个设备的每个 peer 的 publicKey endpoint allowedIPs
|
||||
inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress;
|
||||
listenPort =
|
||||
{
|
||||
# 星形网络,所有流量通过 vps6 中转
|
||||
wg0 = let vps6ListenIp = "144.34.225.59"; in
|
||||
{
|
||||
devices =
|
||||
{
|
||||
vps6 =
|
||||
{
|
||||
listenPort = 51820;
|
||||
peer = builtins.listToAttrs (builtins.map
|
||||
(peerName:
|
||||
{
|
||||
name = peerName;
|
||||
value =
|
||||
{
|
||||
publicKey = publicKey.${peerName};
|
||||
allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.${builtins.toString dns.peer.${peerName}}" ];
|
||||
};
|
||||
})
|
||||
(inputs.lib.remove "vps6" (builtins.attrNames publicKey)));
|
||||
};
|
||||
}
|
||||
// (builtins.listToAttrs (builtins.map
|
||||
(deviceName:
|
||||
{
|
||||
name = deviceName;
|
||||
value.peer.vps6 =
|
||||
{
|
||||
publicKey = publicKey.vps6;
|
||||
endpoint = "${vps6ListenIp}:51820";
|
||||
allowedIPs = [ "192.168.${builtins.toString dns.net.wg0}.0/24" ];
|
||||
};
|
||||
})
|
||||
(inputs.lib.remove "vps6" (builtins.attrNames publicKey))));
|
||||
};
|
||||
# 两两互连
|
||||
wg0 = builtins.listToAttrs (builtins.map
|
||||
(name: inputs.lib.nameValuePair name 51820)
|
||||
(builtins.attrNames publicKey));
|
||||
wg1 = builtins.listToAttrs (builtins.map
|
||||
(name: inputs.lib.nameValuePair name (51820 + dns.peer.${name}))
|
||||
(builtins.attrNames publicKey));
|
||||
};
|
||||
subnet = # 设备之间可以直接连接的子网。若一个设备可以主动接受连接,则设置它接受连接的 ip;否则设置为 null
|
||||
{
|
||||
wg0 =
|
||||
[
|
||||
# 所有设备都可以连接到公网,但只有有公网 ip 的设备可以接受连接
|
||||
(builtins.listToAttrs
|
||||
(
|
||||
(builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "vps4" "vps6" ])
|
||||
++ (builtins.map
|
||||
(n: { name = n; value = null; })
|
||||
(inputs.lib.subtractLists [ "vps4" "vps6" ] (builtins.attrNames publicKey)))
|
||||
))
|
||||
];
|
||||
wg1 =
|
||||
let
|
||||
inherit (inputs.topInputs.self.config.dns."chn.moe") getAddress;
|
||||
# 设备之间可以直接连接的子网
|
||||
# 若一个设备可以主动接受连接,则设置它接受连接的 ip;否则设置为 null
|
||||
subnet =
|
||||
[
|
||||
# 所有设备都可以连接到公网,但只有有公网 ip 的设备可以接受连接
|
||||
(builtins.listToAttrs
|
||||
(
|
||||
(builtins.map (n: { name = n; value = getAddress n; }) [ "vps4" "vps6" "srv3" ])
|
||||
++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" "srv1-node0" "srv2-node0" ])
|
||||
))
|
||||
# 校内网络
|
||||
(builtins.listToAttrs
|
||||
(
|
||||
(builtins.map (n: { name = n; value = getAddress n; }) [ "srv1-node0" "srv2-node0" ])
|
||||
++ (builtins.map (n: { name = n; value = null; }) [ "pc" "nas" "one" ])
|
||||
))
|
||||
# 办公室或者宿舍局域网
|
||||
(builtins.listToAttrs (builtins.map (n: { name = n; value = getAddress n; }) [ "pc" "nas" "one" ]))
|
||||
# 集群内部网络
|
||||
(builtins.listToAttrs (builtins.map
|
||||
(n: { name = "srv1-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
|
||||
(builtins.genList (n: n) 3)))
|
||||
(builtins.listToAttrs (builtins.map
|
||||
(n: { name = "srv2-node${builtins.toString n}"; value = "192.168.178.${builtins.toString (n + 1)}"; })
|
||||
(builtins.genList (n: n) 2)))
|
||||
];
|
||||
# 给定起止点,返回最短路径的第一跳的目的地
|
||||
# 如果两个设备不能连接,返回 null;
|
||||
# 如果可以直接、主动连接,返回 { ip = 地址; };如果可以直接连接但是被动连接,返回 { ip = null; };
|
||||
# 如果需要中转,返回 { jump = 下一跳; }
|
||||
connection =
|
||||
let
|
||||
# 将给定子网翻译成一列边,返回 [{ dev1 = null or ip; dev2 = null or ip; }]
|
||||
netToEdges = subnet:
|
||||
let devWithAddress = builtins.filter (n: subnet.${n} != null) (builtins.attrNames subnet);
|
||||
in inputs.lib.unique (builtins.concatLists (builtins.map
|
||||
(dev1: builtins.map
|
||||
(dev2: { "${dev1}" = subnet."${dev1}"; "${dev2}" = subnet."${dev2}"; })
|
||||
(inputs.lib.remove dev1 (builtins.attrNames subnet)))
|
||||
devWithAddress));
|
||||
# 在一个图中加入一个边,current 的结构是:from.to = null or { ip = "" or null; length = l; jump = ""; }
|
||||
addEdge = current: newEdge: builtins.mapAttrs
|
||||
(nameFrom: valueFrom: builtins.mapAttrs
|
||||
(nameTo: valueTo:
|
||||
# 忽略自己到自己的路
|
||||
if nameFrom == nameTo then null
|
||||
# 如果要加入的边包含起点
|
||||
else if newEdge ? "${nameFrom}" then
|
||||
# 如果要加入的边包含终点,那么这两个点可以直连
|
||||
if newEdge ? "${nameTo}" then { ip = newEdge.${nameTo}; length = 1; }
|
||||
else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge)); in
|
||||
# 如果边的另外一个点到终点可以连接
|
||||
if current.${edgePoint2}.${nameTo} != null then
|
||||
# 如果之前不能连接,则使用新的连接
|
||||
if current.${nameFrom}.${nameTo} == null then
|
||||
{ jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
|
||||
# 如果之前可以连接,且新连接更短,同样更新连接
|
||||
else if current.${nameFrom}.${nameTo}.length > 1 + current.${edgePoint2}.${nameTo}.length then
|
||||
{ jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
|
||||
# 否则,不更新连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 否则,不更新连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 如果要加入的边包不包含起点但包含终点
|
||||
else if newEdge ? "${nameTo}" then
|
||||
let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge)); in
|
||||
# 如果起点与另外一个点可以相连
|
||||
if current.${nameFrom}.${edgePoint2} != null then
|
||||
# 如果之前不能连接,则使用新的连接
|
||||
if current.${nameFrom}.${nameTo} == null then
|
||||
{
|
||||
jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
|
||||
length = current.${nameFrom}.${edgePoint2}.length + 1;
|
||||
}
|
||||
# 如果之前可以连接,且新连接更短,同样更新连接
|
||||
else if current.${nameFrom}.${nameTo}.length > current.${nameFrom}.${edgePoint2}.length + 1 then
|
||||
{
|
||||
jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
|
||||
length = current.${nameFrom}.${edgePoint2}.length + 1;
|
||||
}
|
||||
# 否则,不更新连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 如果起点与另外一个点不可以相连,则不改变连接
|
||||
[
|
||||
# 所有设备都可以连接到公网,但只有有公网 ip 的设备可以接受连接
|
||||
(builtins.listToAttrs
|
||||
(
|
||||
(builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "vps4" "vps6" ])
|
||||
++ (builtins.map (n: inputs.lib.nameValuePair n null) [ "pc" "nas" "srv1-node0" "srv2-node0" ])
|
||||
))
|
||||
# 校内网络
|
||||
(builtins.listToAttrs
|
||||
(
|
||||
(builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "srv1-node0" "srv2-node0" ])
|
||||
++ (builtins.map (n: inputs.lib.nameValuePair n null) [ "pc" "nas" ])
|
||||
))
|
||||
# 办公室或者宿舍局域网
|
||||
(builtins.listToAttrs (builtins.map (n: inputs.lib.nameValuePair n (getAddress n)) [ "pc" "nas" ]))
|
||||
# 集群内部网络
|
||||
(builtins.listToAttrs (builtins.map
|
||||
(n: inputs.lib.nameValuePair "srv1-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}")
|
||||
(builtins.genList (n: n) 3)))
|
||||
(builtins.listToAttrs (builtins.map
|
||||
(n: inputs.lib.nameValuePair "srv2-node${builtins.toString n}" "192.168.178.${builtins.toString (n + 1)}")
|
||||
(builtins.genList (n: n) 2)))
|
||||
];
|
||||
};
|
||||
# 给定起止点,返回最短路径的第一跳的目的地
|
||||
# 如果两个设备不能连接,返回 null;
|
||||
# 如果可以直接、主动连接,返回 { address = xx; port = xx; };如果可以直接连接但是被动连接,返回 { address = null; };
|
||||
# 如果需要中转,返回 { jump = 下一跳; }
|
||||
connection =
|
||||
let
|
||||
# 将给定子网翻译成一列边,返回 [{ dev1 = null or ip; dev2 = null or ip; }]
|
||||
# 边中至少有一个端点是可以接受连接的
|
||||
netToEdges = subnet:
|
||||
let devWithAddress = builtins.filter (n: subnet.${n} != null) (builtins.attrNames subnet);
|
||||
in inputs.lib.unique (builtins.concatLists (builtins.map
|
||||
(dev1: builtins.map
|
||||
(dev2: { "${dev1}" = subnet."${dev1}"; "${dev2}" = subnet."${dev2}"; })
|
||||
(inputs.lib.remove dev1 (builtins.attrNames subnet)))
|
||||
devWithAddress));
|
||||
# 在一个图中加入一个边
|
||||
# current 的结构是:from.to = null or { address = xxx or null; length = l; jump = ""; }
|
||||
addEdge = current: newEdge: builtins.mapAttrs
|
||||
(nameFrom: valueFrom: builtins.mapAttrs
|
||||
(nameTo: valueTo:
|
||||
# 不处理自己到自己的路
|
||||
if nameFrom == nameTo then null
|
||||
# 如果要加入的边包含起点
|
||||
else if newEdge ? "${nameFrom}" then
|
||||
# 如果要加入的边包含终点,那么这两个点可以直连
|
||||
if newEdge ? "${nameTo}"
|
||||
then { address = newEdge.${nameTo}; length = 1; }
|
||||
else let edgePoint2 = builtins.head (inputs.lib.remove nameFrom (builtins.attrNames newEdge)); in
|
||||
# 如果边的另外一个点到终点可以连接
|
||||
if current.${edgePoint2}.${nameTo} != null then
|
||||
# 如果之前不能连接,则使用新的连接
|
||||
if current.${nameFrom}.${nameTo} == null then
|
||||
{ jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
|
||||
# 如果之前可以连接,且新连接更短,同样更新连接
|
||||
else if current.${nameFrom}.${nameTo}.length > 1 + current.${edgePoint2}.${nameTo}.length then
|
||||
{ jump = edgePoint2; length = 1 + current.${edgePoint2}.${nameTo}.length; }
|
||||
# 否则,不更新连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 如果要加入的边不包含起点和终点
|
||||
else
|
||||
let
|
||||
edgePoints = builtins.attrNames newEdge;
|
||||
p1 = builtins.elemAt edgePoints 0;
|
||||
p2 = builtins.elemAt edgePoints 1;
|
||||
in
|
||||
# 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接
|
||||
if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then
|
||||
# 如果之前不能连接,则新连接必然是唯一的连接,使用新连接
|
||||
if current.${nameFrom}.${nameTo} == null then
|
||||
{
|
||||
jump = current.${nameFrom}.${p1}.jump or p1;
|
||||
length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
|
||||
}
|
||||
# 如果之前可以连接,那么反过来一定也能连接,选取三种连接中最短的
|
||||
else builtins.head (inputs.lib.sort
|
||||
(a: b: if a == null then false else if b == null then true else a.length < b.length)
|
||||
[
|
||||
# 原先的连接
|
||||
current.${nameFrom}.${nameTo}
|
||||
# 正着连接
|
||||
{
|
||||
jump = current.${nameFrom}.${p1}.jump or p1;
|
||||
length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
|
||||
}
|
||||
# 反着连接
|
||||
{
|
||||
jump = current.${nameFrom}.${p2}.jump or p2;
|
||||
length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
|
||||
}
|
||||
])
|
||||
# 如果正着不能连接、反过来可以连接,那么反过来连接一定是唯一的通路,使用反向的连接
|
||||
else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then
|
||||
# 否则,不更新连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 如果要加入的边包不包含起点但包含终点
|
||||
else if newEdge ? "${nameTo}" then
|
||||
let edgePoint2 = builtins.head (inputs.lib.remove nameTo (builtins.attrNames newEdge)); in
|
||||
# 如果起点与另外一个点可以相连
|
||||
if current.${nameFrom}.${edgePoint2} != null then
|
||||
# 如果之前不能连接,则使用新的连接
|
||||
if current.${nameFrom}.${nameTo} == null then
|
||||
{
|
||||
jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
|
||||
length = current.${nameFrom}.${edgePoint2}.length + 1;
|
||||
}
|
||||
# 如果之前可以连接,且新连接更短,同样更新连接
|
||||
else if current.${nameFrom}.${nameTo}.length > current.${nameFrom}.${edgePoint2}.length + 1 then
|
||||
{
|
||||
jump = current.${nameFrom}.${edgePoint2}.jump or edgePoint2;
|
||||
length = current.${nameFrom}.${edgePoint2}.length + 1;
|
||||
}
|
||||
# 否则,不更新连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 如果起点与另外一个点不可以相连,则不改变连接
|
||||
else current.${nameFrom}.${nameTo}
|
||||
# 如果要加入的边不包含起点和终点
|
||||
else
|
||||
let
|
||||
edgePoints = builtins.attrNames newEdge;
|
||||
p1 = builtins.elemAt edgePoints 0;
|
||||
p2 = builtins.elemAt edgePoints 1;
|
||||
in
|
||||
# 如果起点与边的第一个点可以连接、终点与边的第二个点可以连接
|
||||
if current.${nameFrom}.${p1} != null && current.${p2}.${nameTo} != null then
|
||||
# 如果之前不能连接,则新连接必然是唯一的连接,使用新连接
|
||||
if current.${nameFrom}.${nameTo} == null then
|
||||
{
|
||||
jump = current.${nameFrom}.${p1}.jump or p1;
|
||||
length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
|
||||
}
|
||||
# 如果之前可以连接,那么反过来一定也能连接,选取三种连接中最短的
|
||||
else builtins.head (inputs.lib.sort
|
||||
(a: b: if a == null then false else if b == null then true else a.length < b.length)
|
||||
[
|
||||
# 原先的连接
|
||||
current.${nameFrom}.${nameTo}
|
||||
# 正着连接
|
||||
{
|
||||
jump = current.${nameFrom}.${p1}.jump or p1;
|
||||
length = current.${nameFrom}.${p1}.length + 1 + current.${p2}.${nameTo}.length;
|
||||
}
|
||||
# 反着连接
|
||||
{
|
||||
jump = current.${nameFrom}.${p2}.jump or p2;
|
||||
length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
|
||||
}
|
||||
# 如果正着连接、反向连接都不行,那么就不更新连接
|
||||
else current.${nameFrom}.${nameTo})
|
||||
valueFrom)
|
||||
current;
|
||||
# 初始时,所有点之间都不连接
|
||||
init = builtins.listToAttrs (builtins.map
|
||||
(dev1:
|
||||
{
|
||||
name = dev1;
|
||||
value = builtins.listToAttrs (builtins.map
|
||||
(dev2: { name = dev2; value = null; })
|
||||
(builtins.attrNames publicKey));
|
||||
})
|
||||
(builtins.attrNames publicKey));
|
||||
in builtins.foldl' addEdge init (builtins.concatLists (builtins.map netToEdges subnet));
|
||||
in
|
||||
])
|
||||
# 如果正着不能连接、反过来可以连接,那么反过来连接一定是唯一的通路,使用反向的连接
|
||||
else if current.${nameFrom}.${p2} != null && current.${p1}.${nameTo} != null then
|
||||
{
|
||||
jump = current.${nameFrom}.${p2}.jump or p2;
|
||||
length = current.${nameFrom}.${p2}.length + 1 + current.${p1}.${nameTo}.length;
|
||||
}
|
||||
# 如果正着连接、反向连接都不行,那么就不更新连接
|
||||
else current.${nameFrom}.${nameTo})
|
||||
valueFrom)
|
||||
current;
|
||||
# 初始时,所有点之间都不连接
|
||||
init = builtins.listToAttrs (builtins.map
|
||||
(dev1:
|
||||
{
|
||||
name = dev1;
|
||||
value = builtins.listToAttrs (builtins.map
|
||||
(dev2: { name = dev2; value = null; })
|
||||
(builtins.attrNames publicKey));
|
||||
})
|
||||
(builtins.attrNames publicKey));
|
||||
in builtins.mapAttrs (_: v: builtins.foldl' addEdge init (builtins.concatLists (builtins.map netToEdges v))) subnet;
|
||||
networks = builtins.mapAttrs
|
||||
(n: v: builtins.listToAttrs (builtins.map
|
||||
(deviceName: inputs.lib.nameValuePair deviceName
|
||||
{
|
||||
devices = builtins.listToAttrs (builtins.map
|
||||
(deviceName:
|
||||
{
|
||||
name = deviceName;
|
||||
value =
|
||||
{
|
||||
listenPort = 51820 + dns.peer.${deviceName};
|
||||
peer = builtins.listToAttrs (builtins.concatLists (builtins.map
|
||||
(peerName:
|
||||
# 如果不能直连,就不用加 peer
|
||||
inputs.lib.optionals (connection.${deviceName}.${peerName} ? ip)
|
||||
[{
|
||||
name = peerName;
|
||||
value =
|
||||
{
|
||||
publicKey = publicKey.${peerName};
|
||||
allowedIPs =
|
||||
[ "192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${peerName}}" ]
|
||||
++ builtins.map
|
||||
(destination:
|
||||
"192.168.${builtins.toString dns.net.wg1}.${builtins.toString dns.peer.${destination}}")
|
||||
(builtins.filter
|
||||
(destination: connection.${deviceName}.${destination}.jump or null == peerName)
|
||||
(builtins.attrNames publicKey));
|
||||
}
|
||||
// inputs.lib.optionalAttrs (connection.${deviceName}.${peerName}.ip != null)
|
||||
{
|
||||
endpoint = "${connection.${deviceName}.${peerName}.ip}:"
|
||||
+ builtins.toString (51820 + dns.peer.${peerName});
|
||||
};
|
||||
}])
|
||||
(inputs.lib.remove deviceName (builtins.attrNames publicKey))));
|
||||
};
|
||||
})
|
||||
(builtins.attrNames publicKey));
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
config.nixos.services.wireguard = inputs.lib.mkMerge (builtins.map
|
||||
(network:
|
||||
let inherit (inputs.config.nixos.model) hostname;
|
||||
in inputs.lib.optionalAttrs (network.value.devices ? ${hostname}) { ${network.name} =
|
||||
network.value.devices.${hostname}
|
||||
// {
|
||||
ip = "192.168.${builtins.toString dns.net.${network.name}}.${builtins.toString dns.peer.${hostname}}";
|
||||
};})
|
||||
(inputs.localLib.attrsToList networks));
|
||||
}
|
||||
ip = "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${deviceName}}";
|
||||
listenPort = listenPort.${n}.${deviceName};
|
||||
peer = builtins.listToAttrs (builtins.concatLists (builtins.map
|
||||
(peerName:
|
||||
# 如果不能直连,就不用加 peer
|
||||
inputs.lib.optionals (v.${deviceName}.${peerName} ? address)
|
||||
[{
|
||||
name = peerName;
|
||||
value =
|
||||
{
|
||||
publicKey = publicKey.${peerName};
|
||||
allowedIPs =
|
||||
[ "192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${peerName}}" ]
|
||||
++ builtins.map
|
||||
(destination:
|
||||
"192.168.${builtins.toString dns.net.${n}}.${builtins.toString dns.peer.${destination}}")
|
||||
(builtins.filter
|
||||
(destination: v.${deviceName}.${destination}.jump or null == peerName)
|
||||
(builtins.attrNames publicKey));
|
||||
}
|
||||
// inputs.lib.optionalAttrs (v.${deviceName}.${peerName}.address != null)
|
||||
{
|
||||
endpoint = "${v.${deviceName}.${peerName}.address}:"
|
||||
+ builtins.toString (listenPort.${n}.${peerName});
|
||||
};
|
||||
}])
|
||||
(inputs.lib.remove deviceName (builtins.attrNames publicKey))));
|
||||
})
|
||||
(builtins.attrNames publicKey))
|
||||
)
|
||||
connection;
|
||||
in { config.nixos.services.wireguard = builtins.mapAttrs (_: v: v.${inputs.config.nixos.model.hostname}) networks; }
|
||||
|
||||
@@ -1,16 +1,24 @@
|
||||
# sudo nix build --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' .#jykang
|
||||
# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' -qR ./result | sudo xargs nix-store --store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' --export > data.nar
|
||||
# sudo nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' -qR ./result | grep -Fxv -f <(ssh jykang find .nix/store -maxdepth 1 -exec realpath '{}' '\;') | sudo xargs nix-store --store 'local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log' --export | xz -T0 | pv > jykang.nar.xz
|
||||
# cat data.nar | nix-store --import
|
||||
{ inputs, localLib }:
|
||||
let pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
|
||||
{
|
||||
inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
|
||||
nixpkgs = { march = null; cuda = null; nixRoot = "/data/gpfs01/jykang/.nix"; };
|
||||
});
|
||||
let
|
||||
pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
|
||||
{
|
||||
inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
|
||||
nixpkgs = { march = "haswell"; cuda = null; nixRoot = "/data/gpfs01/jykang/.nix"; nixos = false; };
|
||||
});
|
||||
python-lyj =
|
||||
let python = pkgs.pkgs-2411.python310.withPackages (_: [ pkgs.localPackages.pybinding ]);
|
||||
in pkgs.runCommand "python-lyj" { }
|
||||
''
|
||||
mkdir -p $out/bin
|
||||
ln -s ${python}/bin/python3 $out/bin/python-lyj
|
||||
'';
|
||||
in pkgs.symlinkJoin
|
||||
{
|
||||
name = "jykang";
|
||||
paths = with pkgs; [ hello iotop gnuplot localPackages.vaspkit ];
|
||||
paths = with pkgs; [ gnuplot localPackages.vaspkit pv python-lyj ];
|
||||
postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
|
||||
passthru = { inherit pkgs; };
|
||||
}
|
||||
|
||||
@@ -35,7 +35,7 @@ if [ -f /etc/bashrc ]; then
|
||||
fi
|
||||
|
||||
if [ -z "${BASHRC_SOURCED-}" ]; then
|
||||
export PATH=$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts:$HOME/.nix/state/gcroots/current/bin
|
||||
export PATH=$HOME/.nix/state/gcroots/current/bin:$HPCSTAT_SSH_BINDIR:$PATH:$HOME/bin:$HOME/linwei/chn/software/scripts
|
||||
export BASHRC_SOURCED=1
|
||||
if [ "${HPCSTAT_SUBACCOUNT}" == "lyj" ]; then
|
||||
export PATH=$HOME/wuyaping/lyj/bin:$PATH
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
store = local?store=/data/gpfs01/jykang/.nix/store&state=/data/gpfs01/jykang/.nix/state&log=/data/gpfs01/jykang/.nix/log
|
||||
experimental-features = flakes nix-command
|
||||
|
||||
@@ -10,6 +10,7 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwUhEAFHjkbUfOf0ng8I80YbKisbSeY4lq/byinV7lh
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5bg5cayOLfnfUBJz8LeyaYfP41s9pIqUgXn6w9xtvR lly
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBoDGk9HYphkngx2Ix/vef2ZntdVNK1kbS9pY8+TzI41 yxf
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi6O1Sf1BBV1dYyH1jcHiws+ntwVfV29+6Paq1CQaET hss
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlBxisj3sU9QC8UC5gX6sakf7G03ybbkmHtD2cybuZA qmx
|
||||
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmJoiGO5YD3lbbIOJ99Al2xxm6QS9q+dTCTtlALjYI5f9ICGZJT8PEGlV9BBNCRQdgb3i2LBzQi90Tq1oG6/PcTV3Mto2TawLz5+2+ym29eIq1QIhVTLmZskK815FpawWqxY6+xpGU3vP1WjrFBbhGtl+CCaN+P2TWNkrR8FjG2144hdAlFfEEqfQC+TXbsyJCYoExuxGDJo8ae0JGbz9w1A1UbjnHwKnoxvirTFEbw9IHJIcTdUwuQKOrwydboCOqeaHt74+BnnCOZhpYqMDacrknHITN4GfFFzbs6FsE8NAwFk6yvkNXXzoe60iveNXtCIYuWjG517LQgHAC5BdaPgqzYNg+eqSul72e+jjRs+KDioNqvprw+TcBBO1lXZ2VQFyWyAdV2Foyaz3Wk5qYlOpX/9JLEp6H3cU0XCFR25FdXmjQ4oXN1QEe+2akV8MQ9cWhFhDcbY8Q1EiMWpBVC1xbt4FwE8VCTByZOZsQ0wPVe/vkjANOo+brS3tsR18= 00@xmuhpc
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxcIWDQxVyIRqCGR4uWtrh4tLc025+q6du2GVsox8IzmBFkjNY8Au5GIMP5BKRstxFdg3f/wam8krckUN9rv5+OHB9U8HGz77Xs0FktqRVNMaDPdptePZQJ9A9eW3kkFDfQnORJtiVcEWfUBS3pi0QFOHylnG27YyC/Vjx9tjvtJWKsQEVTFJbFHPdi+G7lHTpqIGx+/a2JN9O6uVujXXYvjSVXsd+CWB9VMZMvYCIz2Ecb6RqR3brj4FhRRl8zyCj+J4ACYFdGWL98fTab2uPHbpVeKrefFFA43JOD/4zwBx/uw7MAQAq0GunTV3FpBfIAQHWgftf2fSlbz20oPjCwdYn9ZuGJOBUroryex7AKZmnSYM3biLHcctQfZtxqVPEU3W/62MUsI/kZb9RcF24JRksMoS2XWTiv2HFf5ijQGLXXOjqiTlGncwiKf65DwkDBsSxzgbXk5Uo86viq6UITFXPx/RytU+SUiN4Wb7wcBTjt/+tyQd1uqc7+3DCDXk= 01@xmuhpc
|
||||
|
||||
@@ -4,31 +4,77 @@ inputs:
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
model.private = true;
|
||||
model = { type = "server"; private = true; };
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
{
|
||||
mount =
|
||||
{
|
||||
vfat."/dev/disk/by-uuid/627D-1FAA" = "/boot";
|
||||
btrfs."/dev/mapper/root3" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
vfat."/dev/disk/by-partlabel/nas-boot" = "/boot";
|
||||
btrfs =
|
||||
{
|
||||
"/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
"/dev/mapper/ssd1"."/nix/ssd" = "/nix/ssd";
|
||||
};
|
||||
};
|
||||
swap = [ "/dev/mapper/swap" ];
|
||||
rollingRootfs.waitDevices = [ "/dev/mapper/root4" ];
|
||||
# TODO: snapshot should take place just before switching root
|
||||
rollingRootfs.waitDevices =
|
||||
[ "/dev/mapper/root2" "/dev/mapper/root3" "/dev/mapper/root4" "/dev/mapper/ssd1" "/dev/mapper/ssd2" ];
|
||||
};
|
||||
initrd.sshd = {};
|
||||
nixpkgs.march = "silvermont";
|
||||
network = {};
|
||||
nixpkgs.march = "alderlake";
|
||||
network =
|
||||
{
|
||||
bridge.nixvirt.interfaces = [ "enp3s0" ];
|
||||
static.nixvirt = { ip = "192.168.1.2"; mask = 24; gateway = "192.168.1.1"; dns = "192.168.1.1"; };
|
||||
};
|
||||
kernel.patches = [ "btrfs" ];
|
||||
};
|
||||
hardware.gpu.type = "intel";
|
||||
services =
|
||||
{
|
||||
sshd = {};
|
||||
xray.client.dnsmasq.hosts."git.nas.chn.moe" = "127.0.0.1";
|
||||
beesd."/".hashTableSizeMB = 10 * 128;
|
||||
nfs."/" = [(inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc")];
|
||||
xray =
|
||||
{
|
||||
client =
|
||||
{
|
||||
xray.serverName = "xserver2.vps4.chn.moe";
|
||||
dnsmasq = { extraInterfaces = [ "enp3s0" ]; hosts."git.chn.moe" = "127.0.0.1"; };
|
||||
};
|
||||
xmuServer = {};
|
||||
server.serverName = "xservernas.chn.moe";
|
||||
};
|
||||
beesd."/" = { hashTableSizeMB = 10 * 128; threads = 4; };
|
||||
nix-serve.hostname = "nix-store.nas.chn.moe";
|
||||
postgresql.mountFrom = "ssd";
|
||||
mariadb.mountFrom = "ssd";
|
||||
rsshub = {};
|
||||
misskey.instances =
|
||||
{ misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
|
||||
synapse.instances =
|
||||
{
|
||||
synapse.matrixHostname = "synapse.chn.moe";
|
||||
matrix = { port = 8009; redisPort = 6380; };
|
||||
};
|
||||
vaultwarden = {};
|
||||
photoprism = {};
|
||||
nextcloud = {};
|
||||
freshrss = {};
|
||||
send = {};
|
||||
huginn = {};
|
||||
httpapi = {};
|
||||
gitea = {};
|
||||
grafana = {};
|
||||
podman = {};
|
||||
peertube = {};
|
||||
nginx.applications.webdav.instances."webdav.chn.moe" = {};
|
||||
# open-webui.ollamaHost = "192.168.83.3";
|
||||
nixvirt = {};
|
||||
};
|
||||
};
|
||||
systemd.tmpfiles.rules =
|
||||
[ "w /sys/class/powercap/intel-rapl/intel-rapl:0/constraint_0_power_limit_uw - - - - 10000000" ];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,6 +1,87 @@
|
||||
xray-client:
|
||||
uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:JaOSq474mGOoQQcdJ/j9fYo2e1vjXMPxJ69TOd079FrSkbzbIteWww5f8Xo=,iv:uy/NC2+tibL61XJDZK/spKjV9u0oXK4YzjFjYmCAL0k=,tag:en+c8cHaPvDqJL+EpQjr0g==,type:str]
|
||||
xray-xmu-server: ENC[AES256_GCM,data:3O5rFi5szla70M/c62JV4nGWKPSOREImrOucjeVYf9bde6K8,iv:PGCqlmHtaNuWOtAAeJ6O+CWFpMszijozU1OpUFrftjs=,tag:iGTOoNvQhhZy2FL9jy1KIQ==,type:str]
|
||||
xray-server:
|
||||
clients:
|
||||
#ENC[AES256_GCM,data:gToh4rgMOQ==,iv:A14sSC7ExbSZNOzzz6mOmWalSz9K6ROoSYgCqdF7j4U=,tag:1Jr2FfVQ9L2w+bWHh/NekQ==,type:comment]
|
||||
user4: ENC[AES256_GCM,data:/ZrgvlpwDlKhcHqkBRsdqqJsNUxtb3ZnC36mc8qlJ+HP4mY3,iv:R5QzXY0mC72TDB0OcF4fJt3bc5L1Z96Q+n9kNbZP7m4=,tag:tjWSEcsG0udvQZZJ/RMTJw==,type:str]
|
||||
private-key: ENC[AES256_GCM,data:34FOslwr3AZNDg4YrS95S20agGXwGJRNGnpogMR7utbt1ELUxfQkiAU1qw==,iv:4fiJCi6TJM+NIlfI1qFX/eCNhcVaCWGsLA7iMjQpATw=,tag:eLz8HlQMprQNryk5saqyVQ==,type:str]
|
||||
store:
|
||||
signingKey: ENC[AES256_GCM,data:zr02XBgQ4H5jRnjpLtp9rjcysXP9qI7McOiBwaWhdylu5GevKmxlCd4h3pEUO74k+gJT88BzJ+S59P+6DS76Y5nlKqextGMzGjdq5XPkdDkSkKZBai2kkqBSyko=,iv:hyhroaDazMLFeLMGruiFeokZ2Tz3xKj+xCsiEUJ5faQ=,tag:w3805eqo6Y1pw65mjoRgOg==,type:str]
|
||||
nginx:
|
||||
detectAuth:
|
||||
chn: ENC[AES256_GCM,data:5kGvlFB332xf+PQCDmJ+EA==,iv:/BQI83lMdzmycQCe0k6Y8bwqV4Ma9vqgvgPWWqVAr1g=,tag:61AhVVNUx8+b55DkIjVifQ==,type:str]
|
||||
led: ENC[AES256_GCM,data:XFlK2jjo,iv:rTCHmoFU4S++eBywCa7NXsAmSqcSgCFXxnW0RyFA2a0=,tag:aK5IejgS060FrxQfmdxohw==,type:str]
|
||||
redis:
|
||||
rsshub: ENC[AES256_GCM,data:r2O88tXccKZw68Jg5tvUcpwf6y8Vs1kcZ7XbAReJ7aGyGH4MH3jTO72Hs7vh7185IUygXri0M2C6Ko2CY3gaLg==,iv:ZYbSqlcnga+JnC5Dxt2cTHiGTlkndSAB550ilSO+P1U=,tag:PgrW6H276sSvYe3NA6o/vA==,type:str]
|
||||
misskey-misskey: ENC[AES256_GCM,data:Up0Q/4MjyCdXyL1EVoXbmW0J3QJCx1PlhClXSc2WpBNwpSfgmoJceLoXRbIs009JVjhn5tt7LO6EmwKiNc6yTA==,iv:myWj8+exXtg+t7Fs+ZPOLJXWtKEu0PyhTw68i7rnuTQ=,tag:WMpj06Swj3pMbSXgM0bNuQ==,type:str]
|
||||
misskey-misskey-old: ENC[AES256_GCM,data:yLVCQaElMWBdVnKa9hBNEnSxfOx/582SoCDpQM9QjEgWzYOmPIVoRsTAs10Gsw3PezJW54S+AUrNg1mV0f8Nwg==,iv:xYXQt2CsZyymdKMIoqKLzLeTMNff7RwGzBGDfBOoxlM=,tag:L3V+AZZyOJow/Sf1RzD38A==,type:str]
|
||||
nextcloud: ENC[AES256_GCM,data:/wv5hG7cmHz8S3d411cGxFY87MNmo/6V/vXJsWqYr4afoVLMlqUgpf6ZkSPcj2PKBmB/X+RR1s/Mus9RIJKpzw==,iv:WMdKp63LsMyOGheurm6bM4qUUNVe3/WmkvCQ8PWxqoo=,tag:PHjeJ052LtCqerED4bgACQ==,type:str]
|
||||
send: ENC[AES256_GCM,data:5y0GGNdmVzl1Ro4bv8rab9dgmIOgNQBPPF02HfpOn/ctbSBzi9c96TJeIbDJVS2tN4P2+hSgP/XOR+hoM9prxw==,iv:4xf0b1/1f9vyVlQtIGmX5Ea/xNPyjXmA5/vazf5sOZA=,tag:b2211wLiDTvPKqRA3IpzOA==,type:str]
|
||||
synapse-synapse: ENC[AES256_GCM,data:3lSmLz+sO9fwomeb/NCTlSRwpbegH6g1vp0qKg4G/hnWsKCu2mK6TDhQbLCSDQEagw4oBDN68yEBQ0C0tvmd3w==,iv:9rrv3XvB4ELcZhdi2KNxnYFw+XH96U4SM0X9ZSGp0KA=,tag:Qn8FdMMOaDeB9Wb11F44xA==,type:str]
|
||||
synapse-matrix: ENC[AES256_GCM,data:NqDKomSPI6UcRDAjqVapBlmXXFHdHYS0w3jvJ4oQCvoeqYvNalkD009A6E6Br3w0/FGEKJQeTBI2MkYLlHAWcg==,iv:o8TDqzRDQCi4+Kv82BSTRyB4Y7mKhxM3c49hEbQuQmw=,tag:6RCKWwxC5Fw5N1QD/5UktQ==,type:str]
|
||||
peertube: ENC[AES256_GCM,data:zzRRyCbXsqVVxDvS8kpBbOyozqi24d6G9K++/ToLQyt3TumefTssNehljNsb0oqsmZBLgLhND0T4WDhMf9//Ng==,iv:yDM/LREKnBW8noRzHPIdqg0TvmWAfxmVOplZkY8MSro=,tag:19uoxbEdGPOIzcQqm31H5Q==,type:str]
|
||||
postgresql:
|
||||
misskey_misskey: ENC[AES256_GCM,data:mcJM5hgd6Y6MjphFuH20QHU1zxPVnrd5CG3rwX3CekxpM4NzElhkD0pcWM0eTxbNQCM4V+lmjAvaQzBS8T9Mzg==,iv:eC2/GyNcZK31jxLYfRRw4l0aNhz1kcsjE/w4Y/P6ydQ=,tag:hNC2Fj327+O8/4/5/riTYw==,type:str]
|
||||
misskey_misskey_old: ENC[AES256_GCM,data:z4C8J2dAu6OhtRzkHGLb1u3pUGeRuTF1EHzjduO45zF9cpMufIs52u8vhzwmrEXm7bJP2lomyFtQRWNPqtPkVw==,iv:QA56d2wcAseFuhI+lgR5Op0TbKrzs+1Cd5v8/0i8/gE=,tag:Df63HfuHZhDn/0SL2/6fdA==,type:str]
|
||||
synapse_synapse: ENC[AES256_GCM,data:4Em7JbATF0Rs8pLjrVT9ZIxPaqecqxCGUtQPie69XWZIVuB/4AsmhPe4WmyJ2jPPmHBdzPHHLwQbd3ryusMzsg==,iv:49JsSMnsZzROuH5mXxMVEbkFOp0uf8gsps02vAH1Ovo=,tag:63LjUCFcnhqUsWqn/hDijQ==,type:str]
|
||||
vaultwarden: ENC[AES256_GCM,data:qP5i100QGGHbYLbmgI29eU1vjx3S9zAAJ6SuahykqehFcowJMG/x9L4VCfw8nMmvoDZDUDvOKsE/8XH6tJ8c8g==,iv:f+yahEvIwdchADrtQsX0EllR6jGzqLA5zwnnAaUjnck=,tag:Iy5JbgktJSoUPszcinb9vQ==,type:str]
|
||||
nextcloud: ENC[AES256_GCM,data:XBsqWgTwAMMQ+aZVf91w343yqL7a1xEswc8CeC0NWsM/ZwabQfYeToVDKlQEGnItuyBRZfhSzH+EUsF7pXDB9Q==,iv:OEoqECAOuyJ0wjsaof8GFYaftEv8z7vH64RWlGHU9XI=,tag:nFoMasHkPawFxiLvclsP6w==,type:str]
|
||||
gitea: ENC[AES256_GCM,data:7afp3qF0jU+aGOktymlk4iDaK2EuYjLD0QcMQA2Nkxf+ac4PQFb1g4rsaPcxuNLn5ZFueq6QXCVUTPNdEeCJNA==,iv:OjNWbhRoi5fvVY8dtkoHWIPO1frXsmI8cuBxKgDHPmo=,tag:1s3+L08McDetU2BTMXWP+g==,type:str]
|
||||
grafana: ENC[AES256_GCM,data:jsKB0+FFRGDfCG/alFwQF1fvI+TOFAUN6gc3zraMkCsRzn6SBzPsyuOiDthTCyS2dx0+arwmn93TzX1fm/vKuQ==,iv:Vl7IsQRuP8TBTDfwJSU/QrHTSowukXtGPG38fu3QcnA=,tag:L5G8sN6ZcOWyoeQgvTYGrg==,type:str]
|
||||
synapse_matrix: ENC[AES256_GCM,data:uyV13dMgUzPLGmSGN3Hoi6u1tY9rMU186VUSl7HspZXFqhs+OmRGL86cf91o/owvz15WijIw4wuAP++T8MY4LA==,iv:TG7Fi3ETAvmrOxv8ZahnrOR7Z90Vf5YgHcOtPkzueJI=,tag:uH10mk1m0q3a0fGcDbH9HQ==,type:str]
|
||||
peertube: ENC[AES256_GCM,data:J/qNYYuOhENTVFU+6Iz9P8Cy1FcHlD6xpPADDzdYDZuce9DEsnFq28d+tTJ7Z71IvOKvNySly7ru/R+Tu7rqpQ==,iv:sV34o2Zf7yLUovdVND7wh+rcoGglz4llc3xfSEllHNM=,tag:c9wzEAlWMINTN8TEZhDIRw==,type:str]
|
||||
rsshub:
|
||||
pixiv-refreshtoken: ENC[AES256_GCM,data:PVWacd0SAg2n76ExpQy5Hdg2WK2IdokhnZ0PoY7rNz7pLkBjlrMjbtCenQ==,iv:wPCVw0VVL4b/9TLvGd3fU+dDr/gIlSyUOO5pKF3CuzM=,tag:HgUrPEOCZK9DYsyowi55Ag==,type:str]
|
||||
youtube-key: ENC[AES256_GCM,data:XOPAZPIE8Hd3vKWAR8tlaXQp/FGeH2pIBmwym8h7TXUf+MGTGQko,iv:mv1csjmeKi/ZQIiuhzPIr3DPyygjWevhFGSK+URaQiA=,tag:yh4Zr9MpINU8O0eeH9+z3A==,type:str]
|
||||
youtube-client-id: ENC[AES256_GCM,data:HEJQeFtoyXaSQqprbpGY7qvYYsq1u23CMM5kGvgGsoP1xvEMcwRa3Lza8OhL/lk0MtKH0krojDyUMzWPZtohG9U3ad/t18YQPg==,iv:vT4V3VZU4lJx2djtjIOow/xuER2LQ4reQUOgCPeW+9Y=,tag:MFvBv/3hs2H6BQWGU9eeFg==,type:str]
|
||||
youtube-client-secret: ENC[AES256_GCM,data:7++nVoYfFxv304u9fxmk5W+38tP6Z+mMS/nh7adolhyfDXI=,iv:WlYBfwCz7//qM02ljM1prc/YnBwLOb60ATcUlnBK9ik=,tag:erwi1hRaSaUQ2cLp+S9QOw==,type:str]
|
||||
youtube-refresh-token: ENC[AES256_GCM,data:o9KEBZ18h+taPc3WoQ4EsbR/WbFn3wRhgdvLAz7dmM05Cktf9pgZ8iI1idWQZCJ0ehYL5VyizNhHrmkocXsHzCJ6i79J3uBl5vggWZ4v6/5cUBtNZXq5DYYG/EVN2RXjOdrkzYZnQA==,iv:CQzgvwhofMljnhNXYh+t6BkPJ3OO4GRPOSFZOVXe7TY=,tag:/1i73kP+RrkP76Tho27wkA==,type:str]
|
||||
twitter-auth-token: ENC[AES256_GCM,data:2OM7aZZYuE1A3aQMsDia5yy2cGVmaT7L3QljZ3J8IixA9zaJdFwu6w==,iv:vcc80V5PMqZk7lcvoyfl+XtoIhZ7g951OSRnXPywtao=,tag:EVL2NIiDTS5EHU8MxIZjpA==,type:str]
|
||||
bilibili-cookie: ENC[AES256_GCM,data:PoylF8gAs3dpRSdV6ClpaV9J6jRqRIsAYPlv1NiWy43hHmvEQac1tVrQfm0WHsxV3SfEaphyVH18bgwAcWnkWHbMTzKTWtzsJ74WrihRgksPiuttUm0JkTTr16g0jUtF8kSJiajQfDKmL0pEY9k3mnGnLltjIfntnqbH6dM11FRFy0Ixg0USUPiPz+uFMpJ7x6RHp+ypfhvMYsi5uuCiloCYMV4cUcr65gGym7a72S74vPdPQRzuGoz9fsJn/aPGPlhZR9L2k98TzQjp2jz5lbbGLEH6O1AH/aW9QlDuooF1ki9SvanQ,iv:nO6Adc002Twmw4Qov+EkhVu2TBN0NUEgaCoWOaTu7hE=,tag:cHG00fvDaTR7kAYIMPsICw==,type:str]
|
||||
zhihu-cookies: ENC[AES256_GCM,data:88obR6OzMhO07UM4Mqr928ik/LY8wjjuYRVJdFFJNwiq+q05DfKprrX0oh5barTBqWduZ/PZZzOswh8OgzyeVpRZwBLIz63AJSv+Zui6wV/KODITZs/iDC+UiEnGkh0kf93p3g/TUvxWDGwe7beydGiDXUZrvaQ2nKB7NBGAoohdsx3cXb+TPruj0U8G1GaqRscSjqoYJFhj30EJBH7Jqb687/Zms0oetgXi6KZ8Mw==,iv:tYjHMC7FVxQJ4mhst6pttxivCoSxVyv8qUPmXXDoqzs=,tag:c3UHpyGKvD48qi0rBlfyjA==,type:str]
|
||||
mail:
|
||||
bot: ENC[AES256_GCM,data:redeWqYAJlHVivVtywOD+Q==,iv:mDZ+4K4aj+05/KRij0oH+v7/JiBxs7y/x08Nz7U1sSQ=,tag:2FRwDxmN/mIuBjE39jl/Ng==,type:str]
|
||||
synapse:
|
||||
synapse:
|
||||
coturn: ENC[AES256_GCM,data:IAgJ3Lni1s/AGQxz2Tt0EpFoIwRZ7Y9TtDHsm7fyCcfDLNvwhNorTod5MSgiqFtHhWLzXf/iqh3/cWitIeuxAg==,iv:QUGCkeFMO+CA3tAXbM8h4KALFic6XbnW5pCxtPtJyb8=,tag:dq6qECRfcyUvJX5EwCPDvQ==,type:str]
|
||||
registration: ENC[AES256_GCM,data:HV4DXfW6h1Z/OaW73jXJ4oXs/FOJf4EXWrWlXsnqbOJyzhCszBOiGFAw/i+wx9sSB+k=,iv:8VIXG3Xqug8dYaw2Log9IrGpxqAXwXFk4MJ4JuzQsBY=,tag:3Ra69sIFOxtX4Wzehvz+lQ==,type:str]
|
||||
macaroon: ENC[AES256_GCM,data:ilCgbQjqIALJd+rz0XmEo6TLqO44NCBBG2vKv8QITLntZ80bgedKACXZogfMVCv7pTI=,iv:LQG1/agu05i7kFL2vWFnSCttivD7yyDijhWFfq50Xq4=,tag:2VfNhZA5OogXI/RaWohDag==,type:str]
|
||||
form: ENC[AES256_GCM,data:0NdGdzjSF1/Xo7jz+Y3sGK/szDlhgg6kWLCoBiqDmBSARZX8SnW9W5zlPKM4Xa0sG+o=,iv:XVxnFBK2f2tvhIshzQLqLeUMcO28MyLrrF5QZMUeUr8=,tag:5frMH5KQt1hL1u2ltDpApw==,type:str]
|
||||
signing-key: ENC[AES256_GCM,data:JPjrh78ySJwmfL7l5C2OT6pelzMfqaWRQK7MoMv3lQ3VXcWKrVsJZlfRQaTJbaEgK+qSiHh0T99LGA==,iv:DFefjxW8U9YK3kCQUPyxOHsh+ZhUYEj5DfOlKVZePxA=,tag:u7oyKnuVDqkyvzwvsyfV/A==,type:str]
|
||||
matrix:
|
||||
coturn: ENC[AES256_GCM,data:ecDAOVKq9+tJklCJK3ktiWQ6Ky+O5fjr9zS3b3PjwJUyCpIADvVhWBTmFeaVy2ApfuWbugGw8d5wCscpOOy/aw==,iv:p9l9X0UBK2mDpkR9+OX/j+ETYxMdzZhjowzOvA6Uk/Q=,tag:5IC3IsfXg4JmJ+m9F4ehPA==,type:str]
|
||||
registration: ENC[AES256_GCM,data:YnDk7rqVPi3uyzNSBvWLQPb2ZaayNzgubs4Hf0i/CN0hW4ha49AZtkcNka/hVtwTGMI=,iv:Zs7SpAecN8r2Sg7Ih190SUlbH5SLu19BDCUPX9ywYzw=,tag:RLZ6jIgOeFCDwzAu0008yA==,type:str]
|
||||
macaroon: ENC[AES256_GCM,data:YmEJKAZ6dyjBVyvK3Xi68TZtJHUuljAQMhlR6I8vNUOxuP766XYkU/z/YaH3R2rVv9Y=,iv:1/C8Fm2CIpo6Y+YnE80EtWvHfG6cQu/mYd10XjagJdg=,tag:QmtfqZ/3as+4gdF/b2OuxA==,type:str]
|
||||
form: ENC[AES256_GCM,data:rGLJQUMVpOBTCQEqQtiUk3SWitLL1tijBFqVDbohrUspUhTXgRmCQ/0eodhku3RiwcA=,iv:GSxZtwo4/FDRn/dA+L/NQFWcj45KEUSaV2sUL09vqe0=,tag:4dvt57c3Q73B6O/9/UsbNQ==,type:str]
|
||||
signing-key: ENC[AES256_GCM,data:mUY9Fn7TcBPs4HhSpRkj1weFezAzr5ld1xYE8kZcjRNU05MCGLTbPa+av6pYr0HoAaSyzBXmKBBZMQ==,iv:wX092d4eAJ2jLce6Y1EfewxGZsLnwOSce5RJoikCiRg=,tag:Uegzv54CvAI8d0NTz3UesQ==,type:str]
|
||||
vaultwarden:
|
||||
#ENC[AES256_GCM,data:wbKsGwBKrJYagX1AvY0o5FHXxOhrfjZ/+crasAh52uOFYGd0P8A7NnyF6JvNgH749dAT9H47DXRKBAclVVSqWPc=,iv:TZgJ7pwyGBpf7S4g7CL2dync2sGNzQ9369atAvLwFJ8=,tag:sxtkPHOmrjUb13zeWPBdng==,type:comment]
|
||||
admin_token: ENC[AES256_GCM,data:TrgqQwXBoCdsLeWQYkur4zS+Z4nCoDDoePnN5vm+AIcgYXVwjxcf/0AwXQIxVNEypYysPpoHKOigwhkf5kLazAMiBZ0goAflJT/S4nOLo90s+9kDCADXWnCeHNhBUg8fUulNPBbpqdfFKCJgJCD2WTI+V5yFLQ==,iv:maKU6pcxis7Cyrx9x26cUTBzA6ZKcKJWSP23w+MDehw=,tag:GYpPHp2slC6V8aKA1FHFAg==,type:str]
|
||||
mariadb:
|
||||
photoprism: ENC[AES256_GCM,data:h7TQh5ScGM30e42VSEg6AynwRUPHMRHddJcJotQtDbkFVgmfjHmAHTY22U5jWqjq4KXPN5ItRETLOMw9k9yOgg==,iv:jFTPaXortmiU+8m/NBTYjAXRXHCpD+UE5oeveH7/znk=,tag:3OOUUyHLQJROh5rZcX8bAg==,type:str]
|
||||
freshrss: ENC[AES256_GCM,data:Qjg5GIX13ccZi/DuqtWK0qzr2GK0GzzUdEZWXDhUhGxFWzgosADxDCc8wfOchItaJFefnVrpPxdAPvT+4TEH0g==,iv:oGii3o6sJYVc11kdQMh0Pa3GUbWqttFgjvSVEbTycZc=,tag:8GWWwuJjQBwDFl9pJvg90g==,type:str]
|
||||
huginn: ENC[AES256_GCM,data:/hFQdG/RGrX75qd0+WgwhnwR7p/CEVx1vPksRSudxmc1m4VO/AVzgMCWAz4310ctTEnn4GZinvD6QGFta5IOSA==,iv:mrPDZA6Bnw+SPVDDe64tivvvQtHWvCsPJbEnPqm12g4=,tag:ihXbIJwwtQ0RfaNfcaop4Q==,type:str]
|
||||
photoprism:
|
||||
adminPassword: ENC[AES256_GCM,data:QXrDNGSKdRZxc4mfwIhR5cmmmJysGV3cThSFlng3mEviaq0p+BvOa5Thtgw0CxQXdpgjrkui+837NJ/FxPUYvg==,iv:EkutxeDDWfSOVD9p1Ari/rkgf7EwTutDymZQ1uNm6FA=,tag:r3gXuefnIQ+5pPtGZajnZg==,type:str]
|
||||
nextcloud:
|
||||
admin: ENC[AES256_GCM,data:DJK+u19VP9cFvq4/P0+f7erXxZkRWI4NRrX9HdHO96xy9wZMtB+hEDN3zLQnkTTtmd2ZLs9+c9BsUNXZperGDQ==,iv:zX8Nxt5+O/mGVt5l1j8IojBkgxg5oDae6KWTXYz0hRE=,tag:MRyMx0OXYTCmtaySP/umNw==,type:str]
|
||||
freshrss:
|
||||
chn: ENC[AES256_GCM,data:wwHntnMeiGZ5v8CE7CGV,iv:snIdYdFpvv5HvcR5qucD2pZXXef3dhSU+2wK5SPrDjw=,tag:2RnujKKkQSoxvSNZPLS9Pg==,type:str]
|
||||
huginn:
|
||||
invitationCode: ENC[AES256_GCM,data:E8rEdAfUQX9oJEnvxVF5PmYFMd9PN8+K,iv:gZtUf+AkICLHD4h2beHbEfyoL4bcoOv0sivDFDB3vVY=,tag:4tlsPuED6jCXNE0iOayXsg==,type:str]
|
||||
grafana:
|
||||
secret: ENC[AES256_GCM,data:O2L0+R9QvOMJLKa941nxn+FeuZ5nOAm1iDlKW2vvk5Dyod0XLdGL1seWuYzpx+NL16qmC1u8jydDcBfUT+PAeA==,iv:Pqsr+POPAr8djdVMK5U4PiS1zUnZXLH3q588D/jOMys=,tag:QziP0kKT5oyI/RHaYHr2mw==,type:str]
|
||||
chn: ENC[AES256_GCM,data:xMwWBYChRIxw5KDjgCYBJWkbRRo5FUtyhZ0+SVRIgjQ=,iv:EIjECQHx3/2t+oMC16B1Xfwa8guiST2pdIKM1hNcuFA=,tag:BP8ElnMevqF6urDgBP/UAg==,type:str]
|
||||
peertube:
|
||||
secrets: ENC[AES256_GCM,data:9pm5hD8FdbmFIRZZX5+C0NyXn8qdt0OIlecu79xjVrWd8C6H7C01Uriw5M1qifTIJLDMvJC36Trci0/eniDsEA==,iv:iZ/KiwgFm5TyZBZxo8n9k3Lr3o3Vk+c4zFn9efPtJYw=,tag:HGgoRL1C3Nm/KTHGfq2Ejg==,type:str]
|
||||
password: ENC[AES256_GCM,data:PNrcz2PnGF6WGa7vL5PBWiM03xsA2B2imPiwHpU0IMPN/CMh77eMVtwmoxtl6QkGl1UKb12975NJsfJwJPg9gg==,iv:vjFl6SFNqZhTHmmxRckYAj8nZ1IbFtTfTAxYkdSf/lI=,tag:K2PpVnu+919MddGl5qJn+w==,type:str]
|
||||
open-webui:
|
||||
openai: ENC[AES256_GCM,data:E8/Szd4ZFat/R4UW6F4qVEvKmq55sT7mpY6hK274JDCYJgjfQdtJ3gY=,iv:Ryxy19pQsY9pFfz/E4SbBfxYx0N5BXqZtR/Kv9E+0uM=,tag:GEd5+N/ziOncF1UhrwgngQ==,type:str]
|
||||
webui: ENC[AES256_GCM,data:6rpvA80i+HXkDQgYCDIHbXwDfxHq/5tXQRK4piI=,iv:vVIBHf/9LnY1z4zVZGB0ZRBRwLpdXKvNhsYWySxhsiY=,tag:JmbDJKlZ2dH13+drXyXXPg==,type:str]
|
||||
nixvirt:
|
||||
yumieko: ENC[AES256_GCM,data:tO+67mdCFH8=,iv:vl+PLSBfMDk7rGmpjuZ8TnEC1B8tni2pphC7cTmxQU0=,tag:RVW5UaUD0g0HDpoGp2/mAA==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
@@ -21,7 +102,7 @@ sops:
|
||||
by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
|
||||
kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-09T01:22:01Z"
|
||||
mac: ENC[AES256_GCM,data:OxRUW3e2SXTTdb7Iwvsf/UaHsTIVxohJwRIFExh5N/dJhU9Ui8omKBjkooiGaysrZEVEZNAWSp2zvTPXUdZrtW2fikyhF6Fsg7jUFFTqhV/sjYMy7gISbfkcGF9SuYGByuuySyXPqsfg+ESeBmMVZiqDSEPYJWu+q8OwThdhsAM=,iv:UnSfmuxcV+tr7wd59Xg0MG2QbP2uOshVhN5C++9ZSzA=,tag:cWiG85xv2OuiBOoAlvVBGw==,type:str]
|
||||
lastmodified: "2025-09-07T00:23:06Z"
|
||||
mac: ENC[AES256_GCM,data:Vmcv7Hof4ZR8uXOwbk8zeKSfVldCxJQ696m3mCe6ar5FKpGja0f2XbW8a7tpuYqfwNa5Z7OCovku40PZ/TSmq91hQlZ+zbXe66nPx3/ybbQUSu1rvujprv36kvp1BQwK5A2clLEX7Vo7fGsTq1jX1AFrNM7zTJABrET/7yqVdTE=,iv:IkODPE4AMMLpBNbgwbOpYLWpG7IkRPKVBiLfxKASmPs=,tag:9xfwdCvaWvVey24dLmkFSQ==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -1,33 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
config =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
model = { type = "desktop"; private = true; };
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
{
|
||||
mount =
|
||||
{
|
||||
vfat."/dev/disk/by-partlabel/one-boot" = "/boot";
|
||||
btrfs."/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
luks.auto."/dev/disk/by-partlabel/one-root" = { mapper = "root"; ssd = true; };
|
||||
swap = [ "/nix/swap/swap" ];
|
||||
resume = { device = "/dev/mapper/root"; offset = 4728064; };
|
||||
};
|
||||
nixpkgs.march = "tigerlake";
|
||||
};
|
||||
hardware.gpu.type = "intel";
|
||||
services =
|
||||
{
|
||||
xray.client = {};
|
||||
beesd."/".hashTableSizeMB = 64;
|
||||
sshd = {};
|
||||
};
|
||||
bugs = [ "xmunet" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,32 +0,0 @@
|
||||
xray-client:
|
||||
uuid: ENC[AES256_GCM,data:GmfSlDQjO4aBq3u50jnFjOR9VxamYHzokUrO9IpIGuBx0j8e,iv:++O2wBUCnHDPowRgtxPQJQePXP2Cda74WXQvlKHbHNw=,tag:XDWhiXwT718RgrBw7L5yzw==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:OuduClOu9y9adCcV1+U/NLp/t1yWPkuyptproTJv4beImptrLOVGbhb5fb8=,iv:qa1jpzAlUEhPBznZw6j4CYquTCpmNZ+uNbyHjH2qGy4=,tag:+5I2CRuyCAMSy74xVtdJGA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOUJWMm5xT040cEoxQit5
|
||||
ZnhhQWVyWjlnejhzQlEvVVg3ZGVJb05iL1hjCnF5bzFTUTZFYkNQR0k5U0xmOW1t
|
||||
TXhsRHFIeVBBSXc1UURON2M4MDlTMEUKLS0tIGdSbTdZdmdjY0dmNjkrRjd0VkhK
|
||||
eWV6SDJqT1B2MEp1MURkV0E4S3Z0Zm8KX9lEjG4u2QRe1zH+13rbedCWl1B7vvl8
|
||||
2iMHj1qQ4JkCeq83llEH5IuDXKYnKKXSi8l3nU/l6Aw6yx/KHDFK/g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1m7nrxfw22wvp7pj8y9pdl745w95x89uu8dzl9ppsaazweqf2lqms5yshsp
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2K3VKTVJqMTl2cWxUZHhM
|
||||
OVg5ZjN0VGNpVXQ5M1FKZHloZ0ZnWTZ2ZWowCjJIYTlhRU8wd1JienlUTHIwWXYw
|
||||
eFY1d2MxeStBd013VmszbTUzTkF6U2cKLS0tIDdDNXp4OTdQRjN0MGdIOS9oSldU
|
||||
ZW5PT3VYZWhDMkZUeHViZE41eUhna2sKc8J8mJ8ge9KMb5p6Xi/vRIIXZMEj6Ih+
|
||||
LjLKsgDfMbqNqKaQXSvC3tbvI/dDoiStyCsf4rkTY9QOkyEI80MtXg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-04-10T10:44:01Z"
|
||||
mac: ENC[AES256_GCM,data:Sso6g9UEH7faygbcrypsnB/4h8cIwveLdVI+YgDDfTHMC5nxXj+xtfFHhzao1pkyvF0avUVjsMVXLRcB48eDcbZdXwBvoNKg0mpL7VAeOnDuwElI6GGpRVTaOsZC9LT9d1kuGkmavMljCvmaA3sPLZsvW3Hqjdicj+suMoQJ/nE=,iv:DYf0m9PfJ1qx3gI/6T6ByxJWHrdVGgiNMCVhcBOrgBw=,tag:Ddw2HFuCmk6PFnxF4G13hQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.2
|
||||
@@ -11,53 +11,28 @@ inputs:
|
||||
{
|
||||
mount =
|
||||
{
|
||||
vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
|
||||
btrfs."/dev/mapper/root1" =
|
||||
{
|
||||
"/nix" = "/nix";
|
||||
"/nix/rootfs/current" = "/";
|
||||
"/nix/remote/jykang.xmuhpc" = "/data/gpfs01/jykang/.nix";
|
||||
"/nix/remote/xmuhk" = "/public/home/xmuhk/.nix";
|
||||
};
|
||||
nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.nas"}:/" =
|
||||
{ mountPoint = "/nix/remote/nas"; hard = false; };
|
||||
vfat."/dev/disk/by-partlabel/pc-boot" = "/boot";
|
||||
btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
luks.auto =
|
||||
{
|
||||
"/dev/disk/by-uuid/4c73288c-bcd8-4a7e-b683-693f9eed2d81" = { mapper = "root1"; ssd = true; };
|
||||
"/dev/disk/by-uuid/4be45329-a054-4c20-8965-8c5b7ee6b35d" =
|
||||
{ mapper = "swap"; ssd = true; before = [ "root1" ]; };
|
||||
};
|
||||
swap = [ "/dev/mapper/swap" ];
|
||||
luks.auto."/dev/disk/by-partlabel/pc-root1" = { mapper = "root1"; ssd = true; };
|
||||
};
|
||||
grub.windowsEntries."08D3-10DE" = "Windows";
|
||||
nix =
|
||||
{
|
||||
marches =
|
||||
[
|
||||
"znver2" "znver3" "znver4"
|
||||
# FXSR SAHF XSAVE
|
||||
"sandybridge"
|
||||
# FXSR PREFETCHW RDRND SAHF
|
||||
"silvermont"
|
||||
# SAHF FXSR XSAVE RDRND LZCNT HLE
|
||||
"haswell"
|
||||
# FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
|
||||
"broadwell"
|
||||
# FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
|
||||
"skylake" "cascadelake"
|
||||
# SAHF FXSR XSAVE RDRND LZCNT HLE PREFETCHW SGX MOVDIRI MOVDIR64B AVX512VP2INTERSECT KEYLOCKER
|
||||
"tigerlake"
|
||||
# AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT MOVDIR64B MOVDIRI PCONFIG PREFETCHW PTWRITE RDRND
|
||||
# SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
|
||||
"alderlake"
|
||||
];
|
||||
remote.master.host.srv2-node0 = [ "skylake" ];
|
||||
};
|
||||
nixpkgs = { march = "znver4"; cuda.capabilities = [ "8.9" ]; };
|
||||
nix.marches =
|
||||
[
|
||||
"znver2" "znver3" "znver5"
|
||||
# FXSR HLE LZCNT PREFETCHW RDRND SAHF XSAVE
|
||||
"broadwell"
|
||||
# FXSR HLE LZCNT PREFETCHW RDRND SAHF SGX XSAVE
|
||||
"skylake" "cascadelake"
|
||||
# AVX-VNNI CLDEMOTE GFNI-SSE HRESET KL LZCNT PCONFIG PREFETCHW PTWRITE RDRND
|
||||
# SERIALIZE SGX WAITPKG WIDEKL XSAVE XSAVEOPT
|
||||
"alderlake"
|
||||
];
|
||||
nixpkgs.march = "znver4";
|
||||
sysctl.laptop-mode = 5;
|
||||
kernel.variant = "xanmod-latest";
|
||||
};
|
||||
hardware = { gpu = { type = "nvidia"; nvidia.dynamicBoost = true; }; legion = {}; };
|
||||
hardware.gpu.type = "amd";
|
||||
services =
|
||||
{
|
||||
samba =
|
||||
@@ -72,13 +47,16 @@ inputs:
|
||||
};
|
||||
};
|
||||
sshd = {};
|
||||
xray.client.dnsmasq.hosts = builtins.listToAttrs
|
||||
(
|
||||
(builtins.map
|
||||
(name: { inherit name; value = "144.34.225.59"; })
|
||||
[ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
|
||||
)
|
||||
// { "4006024680.com" = "192.168.199.1"; };
|
||||
xray.client.dnsmasq =
|
||||
{
|
||||
hosts = builtins.listToAttrs
|
||||
(
|
||||
(builtins.map
|
||||
(name: { inherit name; value = "144.34.225.59"; })
|
||||
[ "mirism.one" "beta.mirism.one" "ng01.mirism.one" "initrd.vps6.chn.moe" ])
|
||||
);
|
||||
extraInterfaces = [ "wlo1" ];
|
||||
};
|
||||
nix-serve = {};
|
||||
misskey.instances.misskey.hostname = "xn--qbtm095lrg0bfka60z.chn.moe";
|
||||
beesd."/" = { hashTableSizeMB = 4 * 128; threads = 4; };
|
||||
@@ -91,58 +69,23 @@ inputs:
|
||||
name = "pc"; address = "127.0.0.1";
|
||||
cpu = { sockets = 2; cores = 8; threads = 2; };
|
||||
memoryGB = 80;
|
||||
gpus."4060" = 1;
|
||||
};
|
||||
partitions.localhost = [ "pc" ];
|
||||
tui =
|
||||
{
|
||||
cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; memoryGB = 56; }];
|
||||
gpuQueues = [{ name = "localhost"; gpuIds = [ "4060" ]; }];
|
||||
};
|
||||
tui.cpuQueues = [{ mpiThreads = 4; openmpThreads = 4; memoryGB = 56; }];
|
||||
};
|
||||
ollama = {};
|
||||
podman = {};
|
||||
ananicy = {};
|
||||
keyd = {};
|
||||
lumericalLicenseManager.macAddress = "745d22c7d297";
|
||||
searx = {};
|
||||
kvm.aarch64 = true;
|
||||
nspawn = [ "arch" "ubuntu-22.04" "fedora" ];
|
||||
nfs."/" = [ "192.168.84.0/24" ];
|
||||
peerBanHelper = {};
|
||||
mariadb.mountFrom = "nodatacow";
|
||||
lumericalLicenseManager.macAddress = "10:5f:ad:10:3e:ca";
|
||||
};
|
||||
bugs = [ "xmunet" "backlight" "amdpstate" "iwlwifi" ];
|
||||
packages = { mathematica = {}; vasp = {}; lammps = {}; };
|
||||
bugs = [ "xmunet" "amdpstate" "iwlwifi" ];
|
||||
packages = { mathematica = {}; vasp = {}; lumerical = {}; };
|
||||
user.users = [ "chn" "xly" ];
|
||||
};
|
||||
boot.loader.grub =
|
||||
{
|
||||
extraFiles =
|
||||
{
|
||||
"DisplayEngine.efi" = ./bios/DisplayEngine.efi;
|
||||
"SetupBrowser.efi" = ./bios/SetupBrowser.efi;
|
||||
"UiApp.efi" = ./bios/UiApp.efi;
|
||||
"EFI/Boot/Bootx64.efi" = ./bios/Bootx64.efi;
|
||||
"nixos.iso" = inputs.topInputs.self.src.iso.nixos;
|
||||
};
|
||||
extraEntries =
|
||||
''
|
||||
menuentry 'Advanced UEFI Firmware Settings' {
|
||||
insmod fat
|
||||
insmod chain
|
||||
chainloader @bootRoot@/EFI/Boot/Bootx64.efi
|
||||
}
|
||||
menuentry 'Live ISO' {
|
||||
set iso_path=@bootRoot@/nixos.iso
|
||||
export iso_path
|
||||
search --set=root --file "$iso_path"
|
||||
loopback loop "$iso_path"
|
||||
root=(loop)
|
||||
configfile /boot/grub/loopback.cfg
|
||||
loopback --delete loop
|
||||
}
|
||||
'';
|
||||
};
|
||||
# 禁止鼠标等在睡眠时唤醒
|
||||
services.udev.extraRules = ''ACTION=="add", ATTR{power/wakeup}="disabled"'';
|
||||
# 允许kvm读取物理硬盘
|
||||
users.users.qemu-libvirtd.extraGroups = [ "disk" ];
|
||||
services.colord.enable = true;
|
||||
|
||||
@@ -13,11 +13,10 @@ nix:
|
||||
remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
|
||||
searx:
|
||||
secret-key: ENC[AES256_GCM,data:KhIP+Rz3rMfNgPEGTlKGvm6gl1/ZuPI=,iv:GcaLEJHKJO3n6IaeiFr9PaJ6eNx04/VjX3UgmBF429g=,tag:HkplyH9hTHUaEZ709TyitA==,type:str]
|
||||
xray-xmu-client:
|
||||
uuid: ENC[AES256_GCM,data:XiUkReTJLAxZNWFVeD6EiOtUX5tsyPLFi6QyDBdHyB4v5/mD,iv:QppdtP2CFDEVhlrmDJKYBGc1zYGJvpGYxLfsBAMxDSI=,tag:jzMSFRit+aBzWMkaa3+5hA==,type:str]
|
||||
cookie: ENC[AES256_GCM,data:0jqSEZloX2/c8Zg4WTKkLw==,iv:BKLm1KMoRrH0uO6hPMsv2a7sG0AwNRrdbpmABP4BszA=,tag:pBs+rQIhhNO4Qr6q1V3MUA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
@@ -37,8 +36,7 @@ sops:
|
||||
OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
|
||||
+K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-05-24T11:27:02Z"
|
||||
mac: ENC[AES256_GCM,data:uNkThOX3NEUeiaJVavZ0rCpQRT+GbRXADiMuAwb/tg38fBrKQeUO9ohicl/UfiDFRTfCaiuH3T757jX2b51go2s0B6n7DOvPYYZ5EWGnM69RFxrdDfWfge8n8/SHmuKR9dPJb/eSa8HAs8uDnqBPoR5SqG5lnyZs3a7P/kjK2T4=,iv:snmnuYmcuyhGs4YrIGFLmDffFE9yecB/vsM0MvxBR4k=,tag:vbqA7jvVCFHvLoLmKbfO4g==,type:str]
|
||||
pgp: []
|
||||
lastmodified: "2025-08-01T07:22:50Z"
|
||||
mac: ENC[AES256_GCM,data:f4fultak/52Gq6nn1hJJYw3AMeuR3J6gcxtPDG/WKkNV+B+gtabWp5R8J8wLWFJ4C1ZsGHDYMTvTfSUlDVdm1dGpxJtFzdfoBBdajj8s2mju6nMQUFoNFRmHDZEQBdIzfXpob1+7Rsr+bBmg7HnFvjR0ozuaQP9QHsHEZxJVbnU=,iv:xh4OIom1TFgKralXw6rrOR/1xpD5SpY2tHfJUq6v41o=,tag:0QOtWN6DcGf3/gorusbXtQ==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
30
devices/r2s/default.nix
Normal file
30
devices/r2s/default.nix
Normal file
@@ -0,0 +1,30 @@
|
||||
inputs:
|
||||
{
|
||||
config =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
model.arch = "aarch64";
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
{
|
||||
mount.btrfs."/dev/disk/by-partlabel/r2s-root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
swap = [ "/nix/swap/swap" ];
|
||||
};
|
||||
network = {};
|
||||
# uboot 起始位置 0x8000 字节,这个地方还在分区表内部;除此以外还需要预留一些空间,预留32M足够。
|
||||
uboot.buildArgs =
|
||||
{
|
||||
defconfig = "nanopi-r2s-rk3328_defconfig";
|
||||
filesToInstall = [ "u-boot-rockchip.bin" ];
|
||||
env.BL31 = "${inputs.pkgs.armTrustedFirmwareRK3328}/bl31.elf";
|
||||
};
|
||||
};
|
||||
services =
|
||||
{
|
||||
sshd = {};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -59,9 +59,10 @@ inputs:
|
||||
{ name = "n1"; mpiThreads = 8; openmpThreads = 4; }
|
||||
];
|
||||
};
|
||||
mariadb.mountFrom = "nodatacow";
|
||||
};
|
||||
packages.vasp = {};
|
||||
user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" ];
|
||||
user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "GROUPIII-1" "GROUPIII-2" "GROUPIII-3" "zgq" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -24,10 +24,15 @@ inputs:
|
||||
sshd.motd = true;
|
||||
xray.client.dnsmasq.extraInterfaces = [ "eno146" ];
|
||||
beesd."/" = { hashTableSizeMB = 128; threads = 4; };
|
||||
xrdp = { enable = true; hostname = [ "srv1.chn.moe" ]; };
|
||||
samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
|
||||
};
|
||||
packages.packages._prebuildPackages =
|
||||
[ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
|
||||
packages =
|
||||
{
|
||||
desktop = {};
|
||||
packages._prebuildPackages =
|
||||
[ inputs.topInputs.self.nixosConfigurations.srv1-node1.pkgs.localPackages.vasp.intel ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -7,17 +7,11 @@ inputs:
|
||||
model.type = "server";
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
fileSystems.mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
|
||||
{
|
||||
mount = let inherit (inputs.config.nixos.model.cluster) clusterName nodeName; in
|
||||
{
|
||||
vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
|
||||
btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
|
||||
{ "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
nfs."${inputs.topInputs.self.config.dns."chn.moe".getAddress "wg1.pc"}:/" =
|
||||
{ mountPoint = "/nix/remote/pc"; hard = false; };
|
||||
};
|
||||
swap = [ "/nix/swap/swap" ];
|
||||
vfat."/dev/disk/by-partlabel/${clusterName}-${nodeName}-boot" = "/boot";
|
||||
btrfs."/dev/disk/by-partlabel/${clusterName}-${nodeName}-root1" =
|
||||
{ "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
nixpkgs.cuda.capabilities =
|
||||
[
|
||||
@@ -25,6 +19,8 @@ inputs:
|
||||
"6.1"
|
||||
# 2080 Ti
|
||||
"7.5"
|
||||
# A30
|
||||
"8.0"
|
||||
# 3090
|
||||
"8.6"
|
||||
# 4090
|
||||
@@ -78,9 +74,21 @@ inputs:
|
||||
];
|
||||
};
|
||||
};
|
||||
mariadb.mountFrom = "nodatacow";
|
||||
};
|
||||
packages = { vasp = {}; mumax = {}; lammps = {}; };
|
||||
user.users = [ "chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "lly" "yxf" "hss" "zzn" "zqq" ];
|
||||
packages = { vasp = {}; desktop = {}; lumerical = {}; };
|
||||
user.users =
|
||||
[
|
||||
# 组内
|
||||
"chn" "xll" "zem" "yjq" "gb" "wp" "hjp" "wm" "qmx" "xly"
|
||||
# 组外
|
||||
"yxf" # 小芳同志
|
||||
"hss" # 还没见到本人
|
||||
"zzn" # 张宗南
|
||||
"zqq" # 庄芹芹
|
||||
"zgq" # 希望能接好班
|
||||
"lly" # 这谁?
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -7,25 +7,36 @@ inputs:
|
||||
model.cluster.nodeType = "master";
|
||||
system =
|
||||
{
|
||||
nixpkgs.march = "skylake";
|
||||
nixpkgs.march = "icelake-server";
|
||||
network =
|
||||
{
|
||||
static.eno2 = { ip = "192.168.178.1"; mask = 24; };
|
||||
wireless = [ "457的5G" ];
|
||||
masquerade = [ "eno2" ];
|
||||
trust = [ "eno2" ];
|
||||
};
|
||||
nix.remote.slave = {};
|
||||
fileSystems =
|
||||
{
|
||||
swap = [ "/dev/disk/by-partlabel/srv2-node0-swap" ];
|
||||
mount.btrfs."/dev/disk/by-partlabel/srv2-node0-root1" =
|
||||
{
|
||||
"/nix/remote/jykang.xmuhpc" = "/data/gpfs01/jykang/.nix";
|
||||
"/nix/remote/xmuhk" = "/public/home/xmuhk/.nix";
|
||||
};
|
||||
};
|
||||
};
|
||||
services =
|
||||
{
|
||||
xray.client = { dnsmasq = { extraInterfaces = [ "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; }; };
|
||||
xray.client.dnsmasq = { extraInterfaces = [ "eno1" "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
|
||||
beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
|
||||
xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
|
||||
samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
|
||||
groupshare = {};
|
||||
hpcstat = {};
|
||||
ollama = {};
|
||||
sshd = { groupBanner = true; motd = true; };
|
||||
speedtest = {};
|
||||
lumericalLicenseManager.macAddress = "70:20:84:09:a3:52";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -6,13 +6,9 @@ mariadb:
|
||||
hpcstat:
|
||||
key: ENC[AES256_GCM,data:+Z7MRDkLLdUqDwMrkafFKkBjeCkw+zgRoAoiVEwrr+LY0uMeW8nNYoaYrfz6Ig8CMCDgX3n/DMb0ibUeN32j3HShQIStbtUxRPGpQMyH+ealbvgskGriTFpST4VPyQxNACkUpq/e+sh2CmLbKkSxhamkjKOXwsfqrBlgVbEkp7u7HkWGuAaYL1oPGt0Q94fWXwH0UVhRYZYQ2iFA/S6SEZY8gxaTIGDKUdWU9+fOHzPQ5WfhxtKYU4p4ydyfYsAt6ffqnPSx/SI72GsUCOJ4981JX8TuvnEzx3gQLVFYheK6NibTWCy6eODbvguieVOTHSvCPTrHmoP12lHVWU2kKzLwv70Jl7sXyzKHYROG0D+/z/4DKlNeotKM/IA0q2cST08/lwSKN7WDDmrt+O6xXhvwby28ZYKEsSvvrfV+VIKzHPl84ZKbUEX5xv/GHc3THfznUvKKz5PzDiqrkjCkEt5PRMsVW9A6MU1+QEUr+sXLLtcUd2CCL87c8CpwNHJx1us6vJ4ji1gu0PGoT+60,iv:yU6j9W2Hs2D34uHMJqqPFbNy2pNEZY2kzXoNdhPMSmA=,tag:TNvEfMVrhu7HrNxY8qe5mg==,type:str]
|
||||
wireless:
|
||||
#ENC[AES256_GCM,data:xrg3Wxj/ghbWgg==,iv:6stu7voI5no2Y3YmnMrvTS8hev3eqjoWAyD5zTgyehc=,tag:cxkS7y7S1oM+/SJmlT10fw==,type:comment]
|
||||
457的5G: ENC[AES256_GCM,data:QjHlyGU4JIYymyh41T+c33T3EOpbqDOoD3U+v6/BzjlWLLeZQXU2hwPCVh4fi2bwn7yNkp4ygAYmFPVPZWoT1A==,iv:Tc6Guzsn5hkjWH6UWSb1KlfWCBXIi2OWdn/wttmCXnQ=,tag:FhyH6JmjSTuqSeFy+GyQhg==,type:str]
|
||||
#ENC[AES256_GCM,data:n9OPSJsB7yNk,iv:xQzKJxqPB7uT83m/B4UoOje6NQbPLhuHR7Hp93oNz8A=,tag:gtsTx6ALnS/7fIDd7VimOg==,type:comment]
|
||||
409的5G: ENC[AES256_GCM,data:K9wm3zedoil7jHgTcb+VmbdbkG2dgrMdr3BmDRUHDVADqLANMvnUMSecggYTO4HaiI9q6uv2/BSkluanD5K4Dw==,iv:7dGET3ULKlnaDMVmkuXDek+hQPLZ2VUbPqvEOX+5jlQ=,tag:MBGmQ0NNNqX+T9EsBiWCaw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
@@ -32,8 +28,7 @@ sops:
|
||||
M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
|
||||
LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-04-10T10:44:43Z"
|
||||
mac: ENC[AES256_GCM,data:6EeWT8IiCGyRdR/9WDoTTM8bBuhzf2LtP1kahCgfvFpU6g5HB+qG5O0eXaL0DMKg7OQJKHIS/wZVaEierVwno0CnP1WR7y9l6Rlab2nVG4YCNkEkwqZgIWFOUi0aZrZQc7WC3rUk1gxiJK38nEa4ebk8oqAbyHyKHsFAeUcMbqA=,iv:oqRLvYsXct+OwcymXslEH4o03vLNeV2eU/4zK8R+gKs=,tag:0d1DYjCGRewUd4aHPIpFSw==,type:str]
|
||||
pgp: []
|
||||
lastmodified: "2025-07-12T04:13:47Z"
|
||||
mac: ENC[AES256_GCM,data:W+e5d1scvV24AdVdl7Pisp9HxsXQ/tPjN2NV/Bd0RXZNBRB7LNQrSfk1GadboBnihW0ctAQOFk66PZsxwE2czfFL2/yzFxm9Cf11Mc822ZL3BwjnQBK4uR9LJrbjL7x1lFUk9v0AIPhjrir8F6dcX8mq6++hHNN0wjGaH3J9E0Y=,iv:RK7e4Dxog+Qsgk6gxK0f8PN8oF9bjWIrTyYK67Cdras=,tag:QSKsETYXbhnvhhjavP4UiA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.2
|
||||
version: 3.10.2
|
||||
|
||||
@@ -13,8 +13,13 @@ inputs:
|
||||
{ ip = "192.168.178.2"; mask = 24; gateway = "192.168.178.1"; dns = "192.168.178.1"; };
|
||||
trust = [ "enp58s0" ];
|
||||
};
|
||||
fileSystems.swap = [ "/nix/swap/swap" ];
|
||||
};
|
||||
services =
|
||||
{
|
||||
beesd."/".hashTableSizeMB = 64;
|
||||
lumericalLicenseManager.macAddress = "04:42:1a:26:0c:07";
|
||||
};
|
||||
services.beesd."/".hashTableSizeMB = 64;
|
||||
};
|
||||
services.hardware.bolt.enable = true;
|
||||
};
|
||||
|
||||
43
devices/srv2/node2/default.nix
Normal file
43
devices/srv2/node2/default.nix
Normal file
@@ -0,0 +1,43 @@
|
||||
inputs:
|
||||
{
|
||||
config =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
model.cluster.nodeType = "master";
|
||||
system =
|
||||
{
|
||||
nixpkgs.march = "skylake";
|
||||
network =
|
||||
{
|
||||
static.eno2 = { ip = "192.168.178.1"; mask = 24; };
|
||||
masquerade = [ "eno2" ];
|
||||
trust = [ "eno2" ];
|
||||
};
|
||||
nix.remote.slave = {};
|
||||
fileSystems =
|
||||
{
|
||||
swap = [ "/dev/disk/by-partlabel/srv2-node2-swap" ];
|
||||
mount.btrfs."/dev/disk/by-partlabel/srv2-node2-root1" =
|
||||
{
|
||||
"/nix/remote/jykang.xmuhpc" = "/data/gpfs01/jykang/.nix";
|
||||
"/nix/remote/xmuhk" = "/public/home/xmuhk/.nix";
|
||||
};
|
||||
};
|
||||
};
|
||||
services =
|
||||
{
|
||||
xray.client.dnsmasq = { extraInterfaces = [ "eno1" "eno2" ]; hosts."hpc.xmu.edu.cn" = "121.192.191.11"; };
|
||||
beesd."/" = { hashTableSizeMB = 16 * 128; loadAverage = 8; };
|
||||
xrdp = { enable = true; hostname = [ "srv2.chn.moe" ]; };
|
||||
samba = { hostsAllowed = ""; shares = { home.path = "/home"; root.path = "/"; }; };
|
||||
groupshare = {};
|
||||
hpcstat = {};
|
||||
ollama = {};
|
||||
sshd = { groupBanner = true; motd = true; };
|
||||
speedtest = {};
|
||||
lumericalLicenseManager.macAddress = "70:20:84:09:a3:52";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
34
devices/srv2/node2/secrets.yaml
Normal file
34
devices/srv2/node2/secrets.yaml
Normal file
@@ -0,0 +1,34 @@
|
||||
xray-client:
|
||||
uuid: ENC[AES256_GCM,data:j2R0UtfS/es2A+Ic+Kq6FZJSqXlA/Q8tGkuAIX0ZdTsV4hGk,iv:Ovpr49isIJRdUyM3jxgiT+9Sc+qTF6ZnkKUwxIq6KUs=,tag:2VRSkiPNWaOmCqLJti8Bzw==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:TEi3LAZA0BaPxeXA1yFMD6fQPRKSndVyAzNycCD/5CYXmNVyO7zv4o23ahg=,iv:tEKFPyuqmpsWf0vDoSaw4Ai6S5DzacZFA4otNgnknxY=,tag:qZJzr/Yyoex2hDfVtT6nYA==,type:str]
|
||||
mariadb:
|
||||
slurm: ENC[AES256_GCM,data:9wLQ1zF/kDaiw0s3UaRpiHgmngU7u6hwyqpddSjev0+Z0v58Q2oiJtK8vn+2VlSxx5ACfqEFbzp0PZYAxd575w==,iv:q9JTkgDymOwkbZ/PaxRAAQrtO96QmGgZcQuLTFCMoS4=,tag:dwOHlOTgZqT/1jQ+oGf7UQ==,type:str]
|
||||
hpcstat:
|
||||
key: ENC[AES256_GCM,data:+Z7MRDkLLdUqDwMrkafFKkBjeCkw+zgRoAoiVEwrr+LY0uMeW8nNYoaYrfz6Ig8CMCDgX3n/DMb0ibUeN32j3HShQIStbtUxRPGpQMyH+ealbvgskGriTFpST4VPyQxNACkUpq/e+sh2CmLbKkSxhamkjKOXwsfqrBlgVbEkp7u7HkWGuAaYL1oPGt0Q94fWXwH0UVhRYZYQ2iFA/S6SEZY8gxaTIGDKUdWU9+fOHzPQ5WfhxtKYU4p4ydyfYsAt6ffqnPSx/SI72GsUCOJ4981JX8TuvnEzx3gQLVFYheK6NibTWCy6eODbvguieVOTHSvCPTrHmoP12lHVWU2kKzLwv70Jl7sXyzKHYROG0D+/z/4DKlNeotKM/IA0q2cST08/lwSKN7WDDmrt+O6xXhvwby28ZYKEsSvvrfV+VIKzHPl84ZKbUEX5xv/GHc3THfznUvKKz5PzDiqrkjCkEt5PRMsVW9A6MU1+QEUr+sXLLtcUd2CCL87c8CpwNHJx1us6vJ4ji1gu0PGoT+60,iv:yU6j9W2Hs2D34uHMJqqPFbNy2pNEZY2kzXoNdhPMSmA=,tag:TNvEfMVrhu7HrNxY8qe5mg==,type:str]
|
||||
wireless:
|
||||
#ENC[AES256_GCM,data:n9OPSJsB7yNk,iv:xQzKJxqPB7uT83m/B4UoOje6NQbPLhuHR7Hp93oNz8A=,tag:gtsTx6ALnS/7fIDd7VimOg==,type:comment]
|
||||
409的5G: ENC[AES256_GCM,data:K9wm3zedoil7jHgTcb+VmbdbkG2dgrMdr3BmDRUHDVADqLANMvnUMSecggYTO4HaiI9q6uv2/BSkluanD5K4Dw==,iv:7dGET3ULKlnaDMVmkuXDek+hQPLZ2VUbPqvEOX+5jlQ=,tag:MBGmQ0NNNqX+T9EsBiWCaw==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Rmc2Ull1WFB4Smh3c0Zl
|
||||
emlTNGJKZkpIK2JFeUNVeUcrR2FzRXRQZHlvCkhzMHpzYmZRZ0M0cXdRVi8wZmp6
|
||||
ZDRZQ2FkOWt6M0lrdjBHa3VTWXBDKzgKLS0tIGtJbTRRelg1VVk2QStwdzlFM1g4
|
||||
M1JOd1g3cVdjUFRhZ0FxcWphZXZJbkkKFXDtJVoi+qIrXp6cznevuZ+peBiRRITP
|
||||
rrplqLiYsNIGKmKYtRIUu8WXDZ2q2CJ8Z+pka3W3H/U+m957hBDWyw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1l4stuz0vr7gs7pqwjrmezam44702jp2vmqaqyxw0l0r42kf9updq4dfhrw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSHdka3FPQUYrcXQzcTFo
|
||||
a000TUllT0MvUzk5ZzVFbXZheG9ZVTM2S253CkE5VW9tQktvL2pMWFoxcnFjTGpr
|
||||
Z0p1RjZWRGpSZ01TdTZRcEJXM2NOUkUKLS0tIC9rNmNzWitMdEd5dXQvdWlELzhM
|
||||
M0xoL1dQR0kvMWpzN0RMNWVCTFQxNFUKj9LPjBo5NGOrGYNvu8qZ13PLYjLEWllU
|
||||
LARzEn4XgkeHckouwvxZYMCx7WxmAruRWaOvnxTIczzSNP7wIrqnkA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-07-12T04:13:47Z"
|
||||
mac: ENC[AES256_GCM,data:W+e5d1scvV24AdVdl7Pisp9HxsXQ/tPjN2NV/Bd0RXZNBRB7LNQrSfk1GadboBnihW0ctAQOFk66PZsxwE2czfFL2/yzFxm9Cf11Mc822ZL3BwjnQBK4uR9LJrbjL7x1lFUk9v0AIPhjrir8F6dcX8mq6++hHNN0wjGaH3J9E0Y=,iv:RK7e4Dxog+Qsgk6gxK0f8PN8oF9bjWIrTyYK67Cdras=,tag:QSKsETYXbhnvhhjavP4UiA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
@@ -1,101 +0,0 @@
|
||||
# 定价与配置
|
||||
|
||||
售卖两类 kvm 虚拟机。它们都按照需求的内存和硬盘定价。
|
||||
|
||||
## 普通虚拟机
|
||||
|
||||
* 硬盘每 10 GB 0.056 美元每月;内存每 128 MB 0.044 美元每月。每 1G 内存附带 1 核心 CPU,内存不够 1G 的给 1 核心 CPU。
|
||||
* 例如,4C4G/100G 的配置,每月 2 美元。
|
||||
* 这个价格相当于母鸡价格的 70% 。
|
||||
* 适合绝大多数轻度负载。不适合的情况包括:
|
||||
* 硬盘需要禁用 CoW 以获得尽可能高的 IOPS,例如较大的、繁忙的数据库(例如大型 mastodon/misskey 实例)。
|
||||
* 希望内存中的数据一直驻留在内存中(而不是被交换到 swap 中)。
|
||||
* **可能会超售**,但我凭良心保证,当你需要时,仍然可以占满内存和硬盘;长期占满硬盘和内存不算滥用。
|
||||
* 前期肯定不会超售(笑死,根本没有那么多用户)。
|
||||
* 永远不会滥售;但后期可能会视情况调整价格。如果涨价,会延迟三个月生效。如果降价则立即生效。
|
||||
* 万一出现卖超太多了、不够用的情况,我会自掏腰包增加母鸡配置。
|
||||
* 实现细节:
|
||||
* 硬盘会使用 raw 格式,放置在启用 CoW 的 btrfs 子卷中;不预先分配,用到时再分配。
|
||||
* 内存会允许交换到 swap 中,并开启 KSM。
|
||||
* 限购:
|
||||
* 每台内存不能超过 8 GB,硬盘不能超过 200 GB。有更大的需求请买下一个配置。
|
||||
* 每个用户只能购买一台。
|
||||
* 这个限购措施是为了防止有人和我抬杠,花 70% 的价格把整个母鸡买下来。并不是营销手段。合理需求的情况都可以谈。
|
||||
* 宿主机会自动创建快照,需要时可以回滚到几个小时或几天前的状态。
|
||||
|
||||
## 独立虚拟机(资源独立分配)
|
||||
|
||||
* 按照母鸡价格的 1 倍定价。也就是:硬盘每 100 GB 0.8 美元每月;每 5G 内存/2 CPU 2.5 美元每月。
|
||||
* 实现细节:
|
||||
* 硬盘会使用 raw 格式,放置在禁用 CoW 的 btrfs 子卷中;预先分配所有容量。
|
||||
* 内存会锁定在物理内存中。
|
||||
* CPU 会隔离/锁定在物理 CPU 上。
|
||||
* 宿主机不会创建硬盘的快照。
|
||||
* 两类资源可以混合购买。比如可以硬盘按照独立虚拟机的价格购买,内存/CPU 按照普通虚拟机的价格购买。
|
||||
|
||||
## 其它细节
|
||||
|
||||
* 无论哪个方案,硬盘/内存长时间占满都不算滥用。对于第一个方案,CPU 是共享的,请不要长时间占满。
|
||||
* 暂不限制带宽,合理使用即可。
|
||||
* 默认共享 IPv4,支持端口转发(详见下文说明)。独立的 IPv4 每个每月 2 美元。
|
||||
独立的 IPv6 免费,但暂不支持(技术上没有准备好,如果有人有需要我就去准备)。
|
||||
* 只卖朋友和朋友的朋友(总之得有人保证别拿去做坏事)。
|
||||
若此定价对您来说仍然难以接受,可以联系我,打五折或者免费。
|
||||
* 此价格 2025 年 9 月 17 日前有效。之后大概率也不会调整,但保留调整的权利。
|
||||
* 预计收入无法覆盖成本。如果某个月的收入高于成本,承诺会将多出的部分捐出去。
|
||||
* 非 kvm 虚拟机的服务(例如,只跑一个 podman 容器,只跑某一个服务)定价私聊,大致上是上方价格再加上我的工作成本(事少的免费,事多的就要实收了)。
|
||||
* 配置随时可以调整。所以按照自己这个月够用的来就行,不需要为未来留余量。但每次调整都需要重启虚拟机。
|
||||
* 母鸡价格 40 美元每月,配置在下方列出。
|
||||
* 机房: LAX3 (IP:srv3.chn.moe)
|
||||
* CPU: Intel® Xeon E5-2650L v3 (12 Cores 24 Threads)
|
||||
* Memory: 64GB ECC DDR4
|
||||
* Storage: 1TB NVMe (可加,8 美元/TB,另有 NFS 3 美元/TB)
|
||||
* Network: 1Gbps, 1x IPv4 (可加,2 美元/IPv4), 8TB/month
|
||||
|
||||
# 操作
|
||||
|
||||
我不提供网页端的控制面板(因为懒得搞,要是有人想替我搞的话那就提供)。
|
||||
|
||||
在确认购买后,我会给你一个 VNC 端口和密码。虚拟机会首先启动到 netboot.xyz,你需要登陆 VNC 选择自己喜欢的发行版并安装。
|
||||
安装好系统之后,VNC 连接仍然可以使用,你可以使用它来重装系统等。如果你担心安全性,也可以告知我,将它关闭。
|
||||
|
||||
此外,我还可以提供一个宿主机的账户(SSH 连接),用于强制重启虚拟机等(会做好权限的分隔的)。若有需要请告知我。
|
||||
|
||||
# 共享 IP
|
||||
|
||||
支持多种转发策略。
|
||||
|
||||
* TCP/UDP 端口转发,就是最普通的转发。
|
||||
这个方法只有一个坏处,就是多个虚拟机不能共享同一个公网 IP 的同一个端口。
|
||||
这导致用户在访问时往往需要明确端口号而不能使用默认端口(因为默认端口已经被占用了),
|
||||
例如需要使用 https://srv3.chn.moe:4321 而不是 https://srv3.chn.moe。
|
||||
建议不面向普通用户的服务使用这个方法(例如,ssh,coturn,等)。
|
||||
* 利用 Nginx,根据一些信息分流再转发给虚拟机。这可以做到多个虚拟机共享同一个端口,但也有缺陷。具体来说,它有很多种方法:
|
||||
* 依据 SNI 分流,并透明代理到虚拟机。
|
||||
这个办法的缺点是,只支持 TLS 连接(例如 https),同时服务端看到的用户侧端口会变化(通常情况下不影响什么)。
|
||||
只要这两个缺点不是问题,就建议用这个方法。
|
||||
* 依据 SNI 分流,并使用代理协议(proxy protocol)转发给虚拟机。
|
||||
相比于上一个方法,这个方法可以正确传递用户侧端口号,但需要虚拟机的服务端支持 proxy protocol。
|
||||
* Nginx 依据 http 的 host 头分流,再发给虚拟机。
|
||||
这个方法的缺点有很多,例如我需要修改你的域名的 DNS(用来申请证书),母鸡到虚拟机的连接不加密,只支持 http/https,等。
|
||||
这个方法唯一的好处是,如果你不会配置 nginx,可以在宿主机上配置好,虚拟机只要跑后端的服务就行了。
|
||||
* 别转发了,直接在宿主机上处理。例如 80 到 443 的跳转。以及如果你想要 host 一个小的、不常改动的静态网站,等。
|
||||
|
||||
# 杂项
|
||||
|
||||
**如何调整虚拟机启动顺序(重启到 iso 而不是硬盘)?**
|
||||
|
||||
先重启虚拟机,然后马上连接 VNC,可以看到“Tiano Core”的提示。这个提示只会停留 15 秒,所以重启虚拟机后要迅速连接 VNC。
|
||||
在这个界面按 ESC 就可以进入虚拟机的 BIOS,在这里可以修改虚拟机的一些设置(就像实体机的 BIOS 那样)。
|
||||
如果只是想临时从 ISO 启动,可以在这里选择“Boot Manager”,然后选择带 “CDROM” 那一项就可以了。
|
||||
|
||||
**如何调整硬盘大小?**
|
||||
|
||||
* 扩容:你需要在扩容**后**将分区和文件系统调整大(占用虚拟磁盘在末尾新增的空间)。
|
||||
* 缩容:你需要在缩容**前**将分区和文件系统调整小(在虚拟磁盘的末尾预留出要缩容的空间)。
|
||||
|
||||
这些事情都最好你自己来做。我可以尝试帮忙,但不保证数据安全。
|
||||
|
||||
**如何强制重启虚拟机/关机后如何开机?**
|
||||
|
||||
登陆宿主机后,使用 `vm` 命令,不加任何参数,即可看到提示,按提示操作。
|
||||
@@ -1,112 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
config =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
model.type = "server";
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
{
|
||||
mount =
|
||||
{
|
||||
vfat."/dev/disk/by-partlabel/srv3-boot" = "/boot";
|
||||
btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
swap = [ "/dev/mapper/swap" ];
|
||||
};
|
||||
nixpkgs.march = "haswell";
|
||||
initrd.sshd = {};
|
||||
network =
|
||||
{
|
||||
bridge.nixvirt.interfaces = [ "eno1" ];
|
||||
static.nixvirt =
|
||||
{
|
||||
ip = "23.135.236.216";
|
||||
mask = 24;
|
||||
gateway = "23.135.236.1";
|
||||
dns = "8.8.8.8";
|
||||
};
|
||||
};
|
||||
};
|
||||
services =
|
||||
{
|
||||
beesd."/" = { hashTableSizeMB = 128; threads = 4;};
|
||||
sshd = {};
|
||||
nixvirt.instance =
|
||||
{
|
||||
alikia =
|
||||
{
|
||||
memory.sizeMB = 1024;
|
||||
cpu.count = 1;
|
||||
network = { address = 2; portForward.tcp = [{ host = 5689; guest = 22; }]; };
|
||||
};
|
||||
pen =
|
||||
{
|
||||
memory.sizeMB = 512;
|
||||
cpu.count = 1;
|
||||
network =
|
||||
{
|
||||
address = 3;
|
||||
portForward =
|
||||
{
|
||||
tcp =
|
||||
[
|
||||
{ host = 5690; guest = 22; }
|
||||
{ host = 5691; guest = 80; }
|
||||
{ host = 5692; guest = 443; }
|
||||
{ host = 22000; guest = 22000; }
|
||||
];
|
||||
udp = [{ host = 22000; guest = 22000; }];
|
||||
web = [ "natsume.nohost.me" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
test =
|
||||
{
|
||||
owner = "chn";
|
||||
memory.sizeMB = 4096;
|
||||
cpu.count = 4;
|
||||
network =
|
||||
{
|
||||
address = 4;
|
||||
vnc.openFirewall = false;
|
||||
portForward = { tcp = [{ host = 5693; guest = 22; }]; web = [ "example.chn.moe" ]; };
|
||||
};
|
||||
};
|
||||
reonokiy =
|
||||
{
|
||||
memory.sizeMB = 4 * 1024;
|
||||
cpu.count = 4;
|
||||
network = { address = 5; portForward.tcp = [{ host = 5694; guest = 22; }]; };
|
||||
};
|
||||
};
|
||||
rsshub = {};
|
||||
misskey.instances =
|
||||
{ misskey.hostname = "xn--s8w913fdga.chn.moe"; misskey-old = { port = 9727; redis.port = 3546; }; };
|
||||
synapse.instances =
|
||||
{
|
||||
synapse.matrixHostname = "synapse.chn.moe";
|
||||
matrix = { port = 8009; redisPort = 6380; };
|
||||
};
|
||||
vaultwarden = {};
|
||||
photoprism.enable = true;
|
||||
nextcloud = {};
|
||||
freshrss = {};
|
||||
send = {};
|
||||
huginn = {};
|
||||
httpapi = {};
|
||||
gitea = {};
|
||||
grafana = {};
|
||||
fail2ban = {};
|
||||
xray.server = {};
|
||||
podman = {};
|
||||
peertube = {};
|
||||
nginx.applications.webdav.instances."webdav.chn.moe" = {};
|
||||
open-webui.ollamaHost = "192.168.83.3";
|
||||
};
|
||||
user.users = [ "chn" "aleksana" "alikia" "pen" "reonokiy" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,110 +0,0 @@
|
||||
wireguard: ENC[AES256_GCM,data:Coe4iIEnJVDb4a9KUVTRkXl4kng5Zo6x1Iyr0ErgR2b9bN287mvO6jPUPSc=,iv:fiNUUKobJjitcoxBemIah5Cl5+dSz2Q7sbiOT8bDrRM=,tag:rHfNeRGTxnyVYAu8P/2ewA==,type:str]
|
||||
nixvirt:
|
||||
alikia: ENC[AES256_GCM,data:sP3sWN0RrBU=,iv:TetUcaxsRXl0QsGAyXbVUAW12AXjChVN1/X+ku+3nO4=,tag:kBupoPqVlwHuCnwVdBJBKQ==,type:str]
|
||||
pen: ENC[AES256_GCM,data:okvzUul3UXk=,iv:hcBhsUMP8jdhhKuKdHD1lZi8ixNAC729HfMQ79UzyNk=,tag:SRRav39ScHn0O/sf86CIOw==,type:str]
|
||||
test: ENC[AES256_GCM,data:MYlMmzgbW9c=,iv:q1qPAwFTh0fj2IHBIlnrOMbTU2BnwIYzOFUHVqWCY/Q=,tag:Mb2bJJemg/LxpKI5whNvQw==,type:str]
|
||||
reonokiy: ENC[AES256_GCM,data:J/ZM0Vavmnk=,iv:ZT1cMF/JWLWmXyBx331XkBQerOhLJeOd0a53jcSC4S4=,tag:/WCwzOg5LlAS5ZaiI5DSIw==,type:str]
|
||||
nginx:
|
||||
detectAuth:
|
||||
chn: ENC[AES256_GCM,data:cek6iIlJXgU191uzq44rTw==,iv:r7aMj5UzH1sbKkxvS8oyw6kpIcpRygD4ype8qkmnNa0=,tag:x2jWZnnFCO0sHj/OS2BQbA==,type:str]
|
||||
led: ENC[AES256_GCM,data:JiCmbknE,iv:Z2RFOWIPUk2jaR6qd4PgRb7LwwHSKNapPQq996Mx+yI=,tag:mq6Vtwjw31DKig3Dl4xU+w==,type:str]
|
||||
redis:
|
||||
rsshub: ENC[AES256_GCM,data:+wEclSJGMLBMt7Ss2fMlUgq5kRyNiOheQnRvVtbW47eG2mFODBaw04Qftb80aaSE6YpCTNslBGdIjcpIC7FTUA==,iv:6Caod/1AnUxEEC7ZwVrtDZ1kP6Qu50R+9I3eda/p0pk=,tag:/EYXZ6yl3QupVrzIHQMdbA==,type:str]
|
||||
misskey-misskey: ENC[AES256_GCM,data:nCrH0B3A5B6yMAgTd5TA56PKqJUxwtHeS6BvuUseyKAVbqH581TGsO80mNQ0AJRjviw5o3ftTay79nJnmGld6Q==,iv:fhGcgbpNBo9yUpFDWtuzMos2iPhMdWyc88S0fZDxGao=,tag:QIZ72z5VBqd5pFgaEvMTZg==,type:str]
|
||||
misskey-misskey-old: ENC[AES256_GCM,data:WS+SVmxYs3cNc/+sJQLNYDO0ZkZvmqzW9hCGdDae/N06KGicgiGOKV8LDe1UviGGGzXzB5VG0YvAprEGhUURcQ==,iv:6Ur9FL2+RzU4tfK2V4TaaCpempS1JSSMHz6ebg3mp7c=,tag:qCNqJ3SauPdpxo3f4NVg2g==,type:str]
|
||||
nextcloud: ENC[AES256_GCM,data:pwxtefU7CjTxyogcpPpvQxvdnYIpggaBHZ+/PaT9lhVfvFcNtBBZ1eeOGbUXMZc7BnkFAUDVTVjr5KV75CeX6Q==,iv:65K3PsNfesaAJ7rSRI66o5UEM3SW5KdUnGc4h9WMkUE=,tag:e2nx9vTlkGekvhm8lYsMkg==,type:str]
|
||||
send: ENC[AES256_GCM,data:QCfqbGYuBrlwfuHiSsZIZ1OBVnSO9QjhlPWGVRysKbQK+As/RGbJ5QYtPOyKfRg2L1d5Irfu1aGRoVrzpA8O1Q==,iv:MWzJP+JBwf131X030MnzNKMJ3d4Fq/GtbHpuan4N53Y=,tag:z29HS/FQXTvgN1e1HZFJkg==,type:str]
|
||||
synapse-synapse: ENC[AES256_GCM,data:C6eXXK6SvMmvIa8dVjttorYBScC1SfILqXPMYDCpewVyJCUFzQK3NB8KUz9TMov4P5n+Lm5YItjrUgnhNJA5jQ==,iv:ziJ5JK/+M9d+R6/O/4hQy5DPBw/4XSZVQvIcy55aHRY=,tag:nv0rre2/kyhKu4C5JSE5dg==,type:str]
|
||||
synapse-matrix: ENC[AES256_GCM,data:E72t568kxMjz+x+nC0kIJJFfgt6njlW8Wx6RuqnI736vW7IaA7scNVQ03lXpqZlKS1M7wUhb1QRPowJxNjSK7A==,iv:5qGHIWb7XXrnbjPQVWt+EcX/yDEV4Ny+TIo5OaRHwOk=,tag:O+SQBmZ7xpToSJYmcSCRWA==,type:str]
|
||||
peertube: ENC[AES256_GCM,data:lxf5JtlGfDsYY2kzqaas8zPmS3u7Xch6onLVe2yoQZL6Eeb94V8yncqezGFcsGv1k3Xfr4ncoEraupO3RtKYSw==,iv:VM3SAORs2Ol/WKYCffLlHNPAzA37Kp2fgToM1faS7Ew=,tag:gwI80Kn00QOU+9vRsUKchQ==,type:str]
|
||||
postgresql:
|
||||
misskey_misskey: ENC[AES256_GCM,data:BUHwrGGcniD/7+hSHkXegopgG1bRGSt+OXJxKdMOEyeawAkG96af+njJ+WgcZ6KAzQdWtqJATdiTOxpznkvKfA==,iv:9hF/jcGyWFNPzzqVyaVXEabeaGDE92bpVYq1oxvQGOY=,tag:nZObCyAfuMr+B+rlUhCMMA==,type:str]
|
||||
misskey_misskey_old: ENC[AES256_GCM,data:saLuu3wFcqRW2yNF9aZZ4zc6njm6pqqcUUqRTbijXELvZwMy+G+OMKuvgsh71NLDJiNDZdOBAOdUUXlC+okBFQ==,iv:kcHjlpndXENhASkenLN8fNLJjHmcuLN+i7+a+fLjxyU=,tag:Sbr74hl4GsCts2Diw8veRw==,type:str]
|
||||
synapse_synapse: ENC[AES256_GCM,data:NfXD6BHV9za79NW1kLvJjdOLeHjtcrzx9O9W65jgHYneEmUNKO1nuBgs3PrI8tkBPkmn55UdC+4v2WFjHWXrkQ==,iv:YdF0liKfIBT3CHCr1ufguu9qqYpfXfjOhJY5BO79orE=,tag:OWyN3Zh6uvm10LmCBipJ4w==,type:str]
|
||||
vaultwarden: ENC[AES256_GCM,data:4thZ0nGnbprVntYH2wG2PAgAJcAYuexQPOJBSpC1ivQgNbmn89L5pSANx5fvYewa834mlqSWHWeSqIw/81tDqg==,iv:d6gARu6yGzALNZrgpvaxWqM1cdkalA17GZ4EVWHqYUc=,tag:guYaW+Ds1TylCLw/naD2mA==,type:str]
|
||||
nextcloud: ENC[AES256_GCM,data:jeJSAF+oeEXL2BqKbzngnSVvpxE5yuzRq2LLu6EyKT76xHP/whP7QuRxns23dsJnUr55qaRUzDunvoFco8MCZw==,iv:0lxolTDXskNvrVEAC4dV/mIgCMi3B0xH+xVT40Brii0=,tag:YvUtW172rmKK6pY/+4WhXQ==,type:str]
|
||||
gitea: ENC[AES256_GCM,data:D+WDCVPTAcOg/gpxlcaNHFVHBC8uKOs5VZKQYuF0qNZQn0H0dWQS89K3DsgjBKck7ugiZOyXKUHISBVrfBn+VQ==,iv:qkahWBx8q1g6wlzXKM5Bl1PqxwkprCZzzCq1vGWaj7E=,tag:hWX9jF2qx60QrOForU7LLw==,type:str]
|
||||
grafana: ENC[AES256_GCM,data:Hm92Qnz5QVWwk6P61vrnnxDFLtdVx2vOMKwy3sRSv+KDnNSYvRNyLQUkyuf7Nh0S167XgAxDPTZQb9k6AjO36g==,iv:oXmfVDr63NGv4rRBb12V9l9dNXxQK7Se/2fbK40d2a0=,tag:DNeeRwEShxUhowkIfr1feg==,type:str]
|
||||
synapse_matrix: ENC[AES256_GCM,data:HdhB5WAxBa+BaFBVoIo6RwhOxhN5WrTLR11kah9H1sBS5GDPldDw0H274faWFwE/UwXO2ggBEAYvACXr/rXkvQ==,iv:NxOsZqxsP9BSgdlW43AuQGw0VjSGx77wygjdDcINf8s=,tag:CtbG4zcXG2QFFP4dGgOxzg==,type:str]
|
||||
peertube: ENC[AES256_GCM,data:6P8muSWzJ+A71nZZKlCXRCRwr1HWu7yrSw5bkeHg5As917frrbOMmDCpf21H0q+eagx/ZrRIWod2JXc2YGKCfg==,iv:G/zZeYbDCHffACCvhJlKlJ1cUCkw0+raq5G1ubqIRAg=,tag:HeQA3ueNo/t+8JR9jVUUPQ==,type:str]
|
||||
rsshub:
|
||||
pixiv-refreshtoken: ENC[AES256_GCM,data:3nQdmn5RAaeqeI7S/0gPUGOzt7rkizpk3Ouz+pXwbqKBpikXKm4amvwg1Q==,iv:sze0u8un0xyumqHj0YeKcBD9xKZRW77rQdQn7auIf8I=,tag:bWqg+/pBaQJ2J3hjx05hlw==,type:str]
|
||||
youtube-key: ENC[AES256_GCM,data:NZPG5iYrkOof+L3SKp9SqXmXOt37hvqCxTTibkzXv5TBPcCjPhCe,iv:Re6966w0oRtvHDCt9eYvswDMLNKcM+stIAA+P1qpWbg=,tag:0jNqPlGoXr0bHGMgHUZXCA==,type:str]
|
||||
youtube-client-id: ENC[AES256_GCM,data:7BOIrxA5FIUo/31p3yqrLJKJhV9IUB25//w343eBoAnr3uD6J9zeLO3nIQv99vItioqFA1RmygCeer9pG7j/FI/MmmT8nGzPcw==,iv:mzKY2XghoXhKTTkO6EiG+ZJFsM39TX6UXJbzh0UA7vc=,tag:w7oiCvURV8yFxxoFR2P/jw==,type:str]
|
||||
youtube-client-secret: ENC[AES256_GCM,data:JCyNb9biROLSx0RHkr0FqZ26nhU/LRBEnzfx91mmq+Ux0/A=,iv:fEMmanWtWaKBVUJVIeMSu+XV3v8xeccDY3DTJr4LOsk=,tag:bT+XedAZu94h053/1zr7Ow==,type:str]
|
||||
youtube-refresh-token: ENC[AES256_GCM,data:TXNvLTfF4K5RT4D0anzXds/fcdPy3FXddGt5xxLIaxbKIqCAtsQyLEhA+SfQXaBk6T/yKIhtd/H/BLu1jOkiZsFL/8i5GSRSIXyagFrCfh/7tEqhCB0u52Hz5Xy4pkZiqd/AXx84Og==,iv:s+q2ffpJP/rcKu/Pw4KosM5/7boFPArJxgbqL0f1ZkI=,tag:chUtPpJbYuhjv09lRdXHMw==,type:str]
|
||||
twitter-auth-token: ENC[AES256_GCM,data:scLoap0kDJW8Q9+h9S/JKYafyCUgx75RV7akHY/BYEmFhRNRq5Z2Lg==,iv:GhP3nyaK18PDcoHc18zhuuPAPnfEWgUagBrZNDY3toQ=,tag:qsE2rIgrmlxBW8D3i10KUw==,type:str]
|
||||
bilibili-cookie: ENC[AES256_GCM,data:fdAX5CpbJZv3fxRdA5SpFwNUZ0jYgYuv8SyKfbJzm5toQ8S5TrQ9WnQk6Jwweqmg3VDRD5l6l/irGsRlLdjt3p7fyAJy0wtzY0jD1xGw8XhdKWevMTysg1YQcMijkJSI0oHpofis975M6EDjcURPWwlR6GqW6POOpMep97siOxiNyBi32TbZHqvIWa1YfyuMcngYMEsShpzWAZCCvLYXoBINXebG1JPHU2xua7EHMO+VH7UFNVCyBYmOw4iXBJ4YFaXqxjQTBza4GDDZ/RVBvO5Egdjovjpj1DR/hOEG4xJHpg6xTsFw,iv:WQTVuovkZjzuu5w743GkMcWqu2p7dmPr9sKHemkbxG4=,tag:eszbpreVfC4LtxnRte241Q==,type:str]
|
||||
zhihu-cookies: ENC[AES256_GCM,data:ssemzXs7ub4z7pw4hWGSfzBfKH/xzv8bhtqC1dDbZJCnwZ4D4/U9ES9QDrPeKT5AjbdLV/WBvJqWKcwTQjGnRhMrgK2MU2/8Et61mur5WE5GPQjwhWV5JaTMhSxKS3pZtpyvIgy+0iwOj8QQS6mbujHnpb/y0fhszlmUQPBL4eIxm269/FyjBLeRivrJvSmMpLQxxwh2/GTojMPH2F3bclsdMHgZhvYGdJ65hSWn2Q==,iv:PffeWFhC+dYkLSDQKuIHRRDjqE7By/ZIuZIhkjCGDig=,tag:p4iJwqLfqkiKOi/KnoyfQA==,type:str]
|
||||
mail:
|
||||
bot: ENC[AES256_GCM,data:XngvO9b98ccRoW9WgfX/Pg==,iv:SE8SK49zhYhDxl6f2UonCzTPcKg23CzbI5V/fOh5zOA=,tag:IXGwnSU+Vx0BQxjgvyBnCQ==,type:str]
|
||||
synapse:
|
||||
synapse:
|
||||
coturn: ENC[AES256_GCM,data:TQqNzjJV8iM46JZQOKqkydkSrDFH2El4EE1ZCjUPpZ6EM7UHfjjxP536sm7c7adxIZzrj2TlzKufhlGFYfZ8xQ==,iv:OVguyW8sQzfczVHMaMTg6+J0wzTzeTb2zZkXnMEZ4Jk=,tag:dYLMU2bHyg/IR1oyujsoRQ==,type:str]
|
||||
registration: ENC[AES256_GCM,data:MXlRld2ugF3qDVPbrd3TGiwdFhJEcxKDsvmEV4P9Qap/zp1WcMzfo+wAeXtq18MV7Fw=,iv:ztN6q+1ql9b4NMiyuDEmWbnpWeOPmbEftymMDQ3C53M=,tag:+BI9t1jSNNcfrIU6AaDOXw==,type:str]
|
||||
macaroon: ENC[AES256_GCM,data:hVkFqtfaOL64qNGjIfmSORm0D8lOvA/H3Mrm11Glrgy11ACjh+zI1CSglQC0SmaKSP0=,iv:ydNz3kXOelPxSFKshjH9+iYw4OItm6QoNGuks8kSDow=,tag:TCHyMXc+gT+fxVyd7HexMQ==,type:str]
|
||||
form: ENC[AES256_GCM,data:lykxrVPMWz1sBk5GoMRHfHhsVxcT7txvLJ9GM48Jyff5HXh1z4IWuZzOu8HkrELkJrA=,iv:QGV8vqor+wByS9z37sF/iPfrNaL/0jU/yUGiphEl4Fw=,tag:Mg/Oz5hI+oDnp58aQF6Rew==,type:str]
|
||||
signing-key: ENC[AES256_GCM,data:Ov+ly2t3abRunse65ccPpQgqKzDrF8B2wMaCJt3Bxa+QDu6WwD8DD4E+pcQK5/HaTdsQte8Z/3f2Kw==,iv:SSMjSTrhgHt6iz+oyHe0sHm3Eb82ks5z8DR1Puc1raE=,tag:9X+T4n/6Vl4tUbVM0LJySA==,type:str]
|
||||
matrix:
|
||||
coturn: ENC[AES256_GCM,data:BmnF4oyUdbESzOwlqQ5SXYgeUnWgyFE0pdBox33JmaMcOvRPtckD9p38UeMTxp8Pccarmx6f83rdHsifeoiWaw==,iv:1bb3Tn67HTHVNR9ohH1HtqS8wh6t7qtTEl5MNbwn7h8=,tag:xlxMZtqew4pTc9ztY74cHg==,type:str]
|
||||
registration: ENC[AES256_GCM,data:LB5tWjoAsftqszYZGOXtqLFXa0HyU1b6lVUrBup5SJJdB2ZOnPsNtcgEkZLtMUlQ//M=,iv:jvLEwPv4iKuKfOPV08sPb9Z2XMnN+074DCQX+ARDPf4=,tag:4QxCLcOSQ30dU2Z+0OzGYg==,type:str]
|
||||
macaroon: ENC[AES256_GCM,data:JSlovYowIe0C2jEFsIJci6+M1GYgbINdp0XkY58oOk1/ztyMnABSXcgZ73pEpLeUCvY=,iv:r2d5COTXL3gz9pb4GxuFQjM5DHsmwAfDy/eqlZyZJoM=,tag:yRn/OBcy1IqMvJQYD9sA6Q==,type:str]
|
||||
form: ENC[AES256_GCM,data:sN24Yj5miXmUsvEmeSDOxFJxAetQdEJw+kEPNq+iMXyEexqEgoYBseH6kbFZwZAVrBo=,iv:ZtRkme3U1ofUBzT2J9SeRov1+rN5CrSi/ExKX7S5DNY=,tag:gGj8l5JXlzX+2sdHsLfQAg==,type:str]
|
||||
signing-key: ENC[AES256_GCM,data:nmP8lwTAYGHc0LYcEj2AJE1XwSJBfA/NK+K6/0KGsufxwS1VhCXUWX9s3oEUPwuteTGZesaDVep1Qg==,iv:NcJEhlz6WgorViN2oiUG7kLy8N5kUzr5cD7Z4PRGdTg=,tag:WiWhIKaE5UQwEXunUokaNQ==,type:str]
|
||||
vaultwarden:
|
||||
#ENC[AES256_GCM,data:rD0YOnSNf23ZjJhRWWia3+Zbpl6/cynCKlQQFhzaWIclHBk7YU3Z4E9J+YuWzlO8BM0bbp+zMxFGEFvbMrSHEHQ=,iv:PzQOCpSrjFb/aYn70oKrpb3jDy8rtZKPkLQ8qv0GMyE=,tag:wRfa4oHzAKD3BNYghIjZKA==,type:comment]
|
||||
admin_token: ENC[AES256_GCM,data:oEIaHRqRIVQh+lSv+4p6G26bIKCtAQiw3t/C24C465THrwVa05D2Sax1IZ1JaHKgOmLzo8vxteBmJarARyC4kAnw2vb5bDPT1KCO/6u99mXhQyF3NY3FjmDwWHqTHHZT29dwAmtdFRz7rJQowLVqhBVQzNePdQ==,iv:QVAZ9JwwebqD7zxS8+Ai3K5V60bQbe+ewDc+JBXDMuM=,tag:vUYNlVf7ccooiBIXQWQC0g==,type:str]
|
||||
mariadb:
|
||||
photoprism: ENC[AES256_GCM,data:JWeUPE1mb79IzyIsJime2yaBH+/yno2vbXAXO5E6Tx+al7bUlEH5JzYqz8+g8Jkiz3HhRNI4tcGUcVE7kkLgfA==,iv:ZJlIUGbEL/mGLWzjNEwgvzuzZZZrTy5D7e0eZ5+Ouvg=,tag:WY7/sUd2p2viKKDKsj1TLg==,type:str]
|
||||
freshrss: ENC[AES256_GCM,data:/qt890Ly7zvuZB4Zn5xHLflc3L6Ex9JDa1BAinbG7OOkPGpnC83g8ivaQA3xL/CU1FRsm9V1OW4Bv2eN7VDhrQ==,iv:xQG5j3e4C7HWGct6gAET9uVUhGFv0BYVMLdL/1sj664=,tag:YaqjUNk7ybjfitrRpreQwQ==,type:str]
|
||||
huginn: ENC[AES256_GCM,data:vbXI6k3IvTDgQNtKNX9VVJmanO6l+mLoOTq6djEuKfSQAO5UKMq9Xec2rsAibq4reKh503C4too3n2GU1Wo+FA==,iv:rSHmytVa2QWiZ1HH+8AOTOgimYcmPwo4fXgSSq7o+fQ=,tag:5DkdG0TarAs3cSsgPfFNJw==,type:str]
|
||||
photoprism:
|
||||
adminPassword: ENC[AES256_GCM,data:X9af31Z4xGu8XJjMfsf3+whEdx96KHMyfJKO+5Q4q1nlnZD+cLjO8Lza2soO1fFndXcowRYsReUAzmXjH8Ffvg==,iv:LmH+JDA3YwydSNr8KbePPDga5ukGFol/BGrHNOZUxPg=,tag:T2HbUNcHnYD5c3GR5rnRmA==,type:str]
|
||||
nextcloud:
|
||||
admin: ENC[AES256_GCM,data:mhTb6UPo3fIGlKPpER+Lcr2Jyv1nMk5jbQtxoN4txGJAFaJIhK+iAiZDZXBtOiysYqatcC2orJdgt9je8BAVWQ==,iv:G/uDlOGUt/F1GgxpIMGvVuFjcagVnHBudSGXZi3rrXY=,tag:hdE3Pf3G/xrnKaUkYO1WsA==,type:str]
|
||||
freshrss:
|
||||
chn: ENC[AES256_GCM,data:Z4UmsXv1KiVfZMIQOEHH,iv:pF5lQLggkxm9y7taDVcp366JKp8U+8akNEdPA+Nf9Uo=,tag:0TajgUI/VgM3FxG1j6c/jA==,type:str]
|
||||
huginn:
|
||||
invitationCode: ENC[AES256_GCM,data:JDN913i+zf6+obWxrNAbgx1NJGPyewRm,iv:lqnjbSk46J0ZJN6ccbbiCiOK92W8fj2mWRwQHKqy2dc=,tag:UYZesryRlfAMo7xhKQ7zgw==,type:str]
|
||||
grafana:
|
||||
secret: ENC[AES256_GCM,data:1Wfq8QmhzKBObdktheFPySzXYlOJzHWbYYQXgn3beLOwSlW9f7bUn+wIrRoj1e8WlFJkAU2xywzjzzy/UwpSYA==,iv:/0YoHTs54O+cT6VVt1U5CYXr2qEdY2kijOlnMZMW4d0=,tag:SD/IELlcgfS7p9NBEa6D/g==,type:str]
|
||||
chn: ENC[AES256_GCM,data:8R92k7RH1491u6lfQdM0U3SG8TPi3vWhZyj810XSjnA=,iv:8v6ijLHgoTPT6MGoP/lWB+UEZCCgOpvfskWCJJ63Udo=,tag:k9SHzJ9d54Rny3n8EbksOw==,type:str]
|
||||
xray-server:
|
||||
clients:
|
||||
#ENC[AES256_GCM,data:RIih,iv:1KQsPDpbG1A0NFT72tO6sSuQ84vfW07DST+/XzpNZvY=,tag:D3AHUPlCJGyVBbDalTHobQ==,type:comment]
|
||||
user0: ENC[AES256_GCM,data:n6gIZGYdT6wEfKgizFvIE802AkpR8BpSPSZrQ5WP/aZWzLUL,iv:AxnwFOzmIRm3nTLpi8/4lkv+TjO4y4RZQtHO0GriD8o=,tag:nllDCaLZd6JNS2JqwvgVyg==,type:str]
|
||||
#ENC[AES256_GCM,data:uhAauqQ1oQ==,iv:0Sr6YjarjkLmBq5H1ELb3SYBzrTVhqIE6qPxc9HYeKY=,tag:NvGGSY99Y7d3OTnpOr2p2g==,type:comment]
|
||||
user1: ENC[AES256_GCM,data:EcEySx/n52rN5REPEWNjCuWywokvOetadbljqPpDPADTeeSk,iv:7r3CdvHJT1iZvx1Xn53It1ZxIkdLVIeQ+Q03zISm94k=,tag:8cIGZUlIhVgRc2FeU931kQ==,type:str]
|
||||
#ENC[AES256_GCM,data:KuuPQQ==,iv:LGGqLFV4CnUMLWaNbHj6bRseetvdMdSOefV1FeYlJSA=,tag:wXlqKM2BuoMRZAwYbv5eOg==,type:comment]
|
||||
user5: ENC[AES256_GCM,data:T5p0POx9Cnqdlp0blEYvAnRNIDOCNVdpOBR4rVQ1/07/rOCX,iv:EZx6ToeORzHoG+aEPi9oiTcwp4bOIAJpPUvemhYM96Q=,tag:aSS+RY5rEzr62mbE+JDanw==,type:str]
|
||||
private-key: ENC[AES256_GCM,data:xz7xFt/g++E79bIl6AeBWATHDB+gHBIoXo5vdWTeyrAT1RtllgYie9k3Fg==,iv:x7fdmSINQA+F7a08jpuvCAg7vIZpsYaoX+EnitJMUCk=,tag:GAb/RRdAOlteIQPxeIMAXQ==,type:str]
|
||||
peertube:
|
||||
secrets: ENC[AES256_GCM,data:OR3OA8qJsq1gAYiv1rShNa8eODzIxPOpVbqbnseSCMUNx4+FeOgReTLl7cXHPxbBkrJbsfEq5XYm1QtRtxotdw==,iv:6vz0ezsFuCNsBduNhm4VQ+it6oEJF/eMxktVFhdXgug=,tag:hmW7BwF9C53SAHhu2HBLYg==,type:str]
|
||||
password: ENC[AES256_GCM,data:OaoqvUzWZz4LvVwZMbOSeq0mZyTqWT/E1Dt/N0XwEGwn9LLtarG/LrzV24BMS503N7NIxePVBK0jJCdbO7sI3Q==,iv:aaInNy3UmdF+aOu+Lzo7F0FvEVRbsn2XDwmYLNtYaFE=,tag:l/ONyeZJtZjS6IqwQgMs7A==,type:str]
|
||||
open-webui:
|
||||
openai: ENC[AES256_GCM,data:5B1wPAOx3GsLDoYBKHWFzoyXFmn93fdcq6UC2rCt/P5zYLA4VNzfsp0=,iv:Y2gTLCmwB5wY4dhN73HRvTqSMVXbAEd+RjRbgUEuTeE=,tag:vcfNhXpG0C3twFBsm7PHwA==,type:str]
|
||||
webui: ENC[AES256_GCM,data:Lg32DZ5GC+AYzWc4WloNMQlnpsqW67s5/kXzYwE=,iv:ECncgdYoLkX9GUOX26MXFSO8JOZahUDjTdKV87IRNJ8=,tag:J/5tTR3MI0iGIVDrlacYEg==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaURzWlFQNUpObmtvaUd2
|
||||
bVc2UXRHajFPeXR5eTNqQnBhaWVOTXRDSEhVCjJVREN5MzF2MXhMSGIvNlM0endj
|
||||
ZGVhTUFrTXVXRTlvYThaRVZBWmwxd2sKLS0tIDNTME1EaHFKY2J2SWxrRWFpaVJ4
|
||||
Sm5xUlU2TXpyMUJQWVpoRUdlTnVjOFkKZErjPuX3nNFc3jFPBX462qs9hwguyxUD
|
||||
POxmT4DMCPAaEz+lNB+Qa03P3TYFJ3LfqTsO7QXO2f9113wFqF2lFg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxd2RzNEttTzk5cXVhc2RK
|
||||
R3hxM1N4TmkyNGp0Z2ZwODZBL0RuMW1qNjFjCkI0N2FMUkd0eENPK0w4MWVJY2d4
|
||||
NWlvUFdQbUh3SFIycDczZlg0ZEJMalkKLS0tIGs4dHlocTRseXRWYVFxMkdrV2x2
|
||||
d0h3aDh5QXFZYWJFdmNVYnJxQ3pBeVUKTl0XVvtwJcz+RpSylgDPl/R8msInxvWX
|
||||
eQGmrDHibeE1V+KSDiuNzC4MVRIrOnh1beHrhnVQ86HwPVgJqs2FoQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-09T01:35:04Z"
|
||||
mac: ENC[AES256_GCM,data:q2BolEBB6Ik8yx6NHnnE3Wcl2rGVZN86dpfLJrrFOxWd8fZyfBQ/00v4dUZSZw0aQoMj1V2RBDyVtScuRiH0NVb6+RfX+0t3zTEf6guuJdurczLBz9+D51+Th3KE1uk+UjI7J+Q/TOWTvoGMj8P4XZCXQsCDIct/vbLGqNB9CgM=,iv:/6xR7KXXLejm9Iuqcxc/7IqLEckNhmaJTKzJGonSrng=,tag:XdeCoEkHefw2HqTGSchUJA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
@@ -1,23 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
config =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
{
|
||||
mount =
|
||||
{
|
||||
vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
|
||||
btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
nixpkgs.march = "znver4";
|
||||
network = {};
|
||||
};
|
||||
services.sshd = {};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,26 +0,0 @@
|
||||
nixvirt:
|
||||
chn: ENC[AES256_GCM,data:0llBtdnPLl8=,iv:0w0huoNCvIiaL77Thj1iAwRY5edDlN7I4mMwiNKCzOc=,tag:Eh1b7dymn7jQtL5/rsxC1Q==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTcldLRERrOHdadVA4RXdQ
|
||||
dmsxL1o5aDdJTitqdXBzRWxqVmZKUzFtTlUwCnc2a1N4WUNEVUhsSlFuSExjR0Rl
|
||||
TlFnNjVpUkpmbWdxYW5oblk5dGQ0THMKLS0tIDFBa0FKQXBPYThFTUwvd2tIaU9p
|
||||
TERYVkp3dkUxU2ZaTnFRamRKclRRa1EKosUuvJXekUIxIHL8s/QuZf+hCXQS5dMC
|
||||
HqZ74f/jvIW8i/Etu29VtK3n8MD8W1EenhJjfxOvhpRpLpzQP2GImg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK2F0R1JRR2t6NDhXVnVD
|
||||
Unh5QmxDaGJtWmhsb1ZDRkMzUlpSeU9GL3lNCkU0ZVYxaWs3MHZDQlNHS25WMTl3
|
||||
VVVtQUlxeXNQNVQrSTdSbWYzSmlPVGMKLS0tIDlyRm1tYlR3WU9ISjc2T3BSY2FP
|
||||
Z3h2QWh6eDB6L1krbU9SS050dUhEamMKHnvdCmLuhuIfeBRs3LJ6IEatqrlMJNnc
|
||||
vhPTVgfn+M8dGo+odTTwlvr5XGzE5cMSxGtdSE33JsbBFfVyaPCFjQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-05-16T05:29:11Z"
|
||||
mac: ENC[AES256_GCM,data:s1HBVQUDbYP63EntEXe/+9mqFj2zGEtx3ibFauBYmjJvtvw2hs44ODNebMxjasT8zTYICJWWZJxwMvpUs/CbcmSjPAXTV8379lzlOmG2wZLezF+9jWdJi3ZDvM9Y1D0/4GnaIRHof/+kPn/ykFE/gQhP5PQ4OtoV+VTR2fuwDaA=,iv:TUTM8tyZxiAjU3afazfmse+LL53hrSFSCIX4KIDyQq8=,tag:Vx4GsOPAXaZz0rEjsJS8sw==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
@@ -1,50 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
config =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
{
|
||||
mount =
|
||||
{
|
||||
vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
|
||||
btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
nixpkgs.march = "znver4";
|
||||
network = { dhcp = [ "nixvirt" ]; bridge.nixvirt.interfaces = [ "enp1s0" ]; };
|
||||
};
|
||||
services =
|
||||
{
|
||||
sshd = {};
|
||||
nixvirt =
|
||||
{
|
||||
subnet = 123;
|
||||
instance =
|
||||
{
|
||||
chn =
|
||||
{
|
||||
memory = { sizeMB = 2048; dedicated = true; };
|
||||
cpu = { count = 4; set = builtins.genList builtins.toString 4; };
|
||||
network =
|
||||
{
|
||||
bridge = true;
|
||||
vnc.port = 15901;
|
||||
};
|
||||
};
|
||||
chn2 =
|
||||
{
|
||||
owner = "chn";
|
||||
memory.sizeMB = 2048;
|
||||
cpu.count = 4;
|
||||
network = { address = 3; portForward.tcp = [{ host = 5694; guest = 22; }]; };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,27 +0,0 @@
|
||||
nixvirt:
|
||||
chn: ENC[AES256_GCM,data:0llBtdnPLl8=,iv:0w0huoNCvIiaL77Thj1iAwRY5edDlN7I4mMwiNKCzOc=,tag:Eh1b7dymn7jQtL5/rsxC1Q==,type:str]
|
||||
chn2: ENC[AES256_GCM,data:vlvFNwMfTMg=,iv:DKgX3DCvkfADF/Pj31bRTx/dfTiMxv/JaeN76Kppob8=,tag:SOioaCz/CvvLn2jB+08THQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SGQ0R20zci9aU1l4d2Fs
|
||||
YkRZQ1FGUW1vSEd3S3FBdGlSTXB4dW54UVJJCk5MMEFZSzdYTFRQL1FRZUFWTXFh
|
||||
cC90bUx2dkdHUFVoMkhyNjR6U0w1QTAKLS0tIDZHZE4yNlV4cFBTVGN4c3VYZXZ5
|
||||
enZoU21MQ2VJbHlhSnhwUkNXZjV6OXcKzvdz1TNs/PDISx+QSi6cJ8vWNtZo4jfD
|
||||
qsrwpxvHou/wptLzYg5gXQuXB0izpOW/AtqA1XqLcTUbLzcRhqFvMg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17a8y4yr2ckuek67rt786ujuf7705gvj3vv6ezktxxmgayea9zcyqet7hgc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWUJVZmdVbWxXck5EY0tR
|
||||
cFRwZTlWVVpObjFneE95bXNPSUxjNE1DTlg0ClNQRy8yVmF6QWxuY3RGLzdJVEE4
|
||||
WXEwb1NGVUlJWFRqeWlyN1J0eE15QnMKLS0tIENRQWJ0VXlzNHV6MXh0QUVRZlJu
|
||||
RFFteDMzeGltVER3QjlpdUllZVNJS3MKyOMAu5xYr1z0YlNDFvaE4l4bposMTPUJ
|
||||
K13yerfRBxDlOrMhG/lSovusBPkmS3HejDedGgYi1WMvgLuOkNWZ2A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-05-18T01:55:44Z"
|
||||
mac: ENC[AES256_GCM,data:wGHagytOT30EgjPezkaLXrqml/tn8oMzplYgThb9JbnXJzpCMnZnXeAlnRW/zdXY+Vt+kRfGCm2W/3sif5wB+gu5DCIeGC6OZy9brMVIQLceQ6Wp7IwPTDjMIGYtqe+T3QX6LFAMPUVZOHNBL9eRdO27G2TGP1ojH69MwNt4aQo=,iv:Rn26bQ8crsVFbLAxPcvLeQWwRP484rS/UFnmg8xeTwc=,tag:zs4S6VPNKFUZU6xxC2rIuQ==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
@@ -1,27 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
config =
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
{
|
||||
mount =
|
||||
{
|
||||
vfat."/dev/disk/by-partlabel/test-boot" = "/boot";
|
||||
btrfs."/dev/disk/by-partlabel/test-root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
nixpkgs.march = "haswell";
|
||||
network = {};
|
||||
};
|
||||
services =
|
||||
{
|
||||
sshd = {};
|
||||
nginx = { enable = true; applications.example = {}; };
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,30 +0,0 @@
|
||||
hello: ENC[AES256_GCM,data:y6Kl7kHqgft7T1eiFEeIppvosCACIcVWIQm6TzjS6RgUkJEg17GEZFRy2zTvVg==,iv:wChah8rTtEkkR8pRHO9NdhaGBwsTrrP+tPp7k2SOdn0=,tag:jRdYgJoKz+Q+/m8l/03JoQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTcldLRERrOHdadVA4RXdQ
|
||||
dmsxL1o5aDdJTitqdXBzRWxqVmZKUzFtTlUwCnc2a1N4WUNEVUhsSlFuSExjR0Rl
|
||||
TlFnNjVpUkpmbWdxYW5oblk5dGQ0THMKLS0tIDFBa0FKQXBPYThFTUwvd2tIaU9p
|
||||
TERYVkp3dkUxU2ZaTnFRamRKclRRa1EKosUuvJXekUIxIHL8s/QuZf+hCXQS5dMC
|
||||
HqZ74f/jvIW8i/Etu29VtK3n8MD8W1EenhJjfxOvhpRpLpzQP2GImg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1vgqvdqqe3mn0gvh0hydvu9c5f9yn5vek08cagyvwjhyta6utpvuq00g9c2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK2F0R1JRR2t6NDhXVnVD
|
||||
Unh5QmxDaGJtWmhsb1ZDRkMzUlpSeU9GL3lNCkU0ZVYxaWs3MHZDQlNHS25WMTl3
|
||||
VVVtQUlxeXNQNVQrSTdSbWYzSmlPVGMKLS0tIDlyRm1tYlR3WU9ISjc2T3BSY2FP
|
||||
Z3h2QWh6eDB6L1krbU9SS050dUhEamMKHnvdCmLuhuIfeBRs3LJ6IEatqrlMJNnc
|
||||
vhPTVgfn+M8dGo+odTTwlvr5XGzE5cMSxGtdSE33JsbBFfVyaPCFjQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-05-10T03:54:30Z"
|
||||
mac: ENC[AES256_GCM,data:JMr6ybbOk7tDZKUo11bd0xwUfLUuE4DIB5sYOCEVuaXLpDirgMgNSQgayqnnYDLOC7kGA7wDbbcxWhdaT8TcyYwdeha3SgA9mjkruPtOZ4R+ozfLDeqa59h2P+xronaOCDdl9G2JbhLA+k/S2ImBP43iPbcycJViSQs0RrntMxY=,iv:3ZILO4L01r4I2SJWOxe4pp9XLWo6KPPl3t/IbIf07+8=,tag:jhf73Y42fOYmeQS2oA0qSA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.2
|
||||
@@ -27,7 +27,13 @@ inputs:
|
||||
{
|
||||
sshd = {};
|
||||
fail2ban = {};
|
||||
xray.server = {};
|
||||
xray.server.serverName = "xserver2.vps4.chn.moe";
|
||||
nginx.streamProxy.map = builtins.listToAttrs (builtins.map
|
||||
(site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.nas.chn.moe"; })
|
||||
[
|
||||
"xn--s8w913fdga" "matrix" "send" "git" "grafana" "peertube" "rsshub" "misskey" "synapse" "vaultwarden"
|
||||
"photoprism" "nextcloud" "freshrss" "huginn" "api" "webdav" "chat"
|
||||
]);
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -26,7 +26,7 @@ inputs:
|
||||
services =
|
||||
{
|
||||
sshd = {};
|
||||
xray.server = {};
|
||||
xray = { server = {}; xmuPersist = {}; };
|
||||
nginx =
|
||||
{
|
||||
streamProxy.map =
|
||||
@@ -34,19 +34,17 @@ inputs:
|
||||
"anchor.fm" = { upstream = "anchor.fm:443"; proxyProtocol = false; };
|
||||
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; proxyProtocol = false; };
|
||||
"xlog.chn.moe" = { upstream = "cname.xlog.app:443"; proxyProtocol = false; };
|
||||
"xservernas.chn.moe" = { upstream = "wg0.nas.chn.moe:443"; proxyProtocol = false; };
|
||||
}
|
||||
// (builtins.listToAttrs (builtins.map
|
||||
(site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.pc.chn.moe"; })
|
||||
[ "xn--qbtm095lrg0bfka60z" ]))
|
||||
// (builtins.listToAttrs (builtins.map
|
||||
(site: { name = "${site}.chn.moe"; value.upstream.address = "wg0.srv3.chn.moe"; })
|
||||
[ "xn--s8w913fdga" "misskey" "synapse" "matrix" "send" "api" "git" "grafana" "peertube" ]));
|
||||
[ "xn--qbtm095lrg0bfka60z" ]));
|
||||
applications =
|
||||
{
|
||||
element.instances."element.chn.moe" = {};
|
||||
synapse-admin.instances."synapse-admin.chn.moe" = {};
|
||||
catalog.enable = true;
|
||||
main.enable = true;
|
||||
main = {};
|
||||
nekomia.enable = true;
|
||||
blog = {};
|
||||
sticker = {};
|
||||
@@ -55,31 +53,36 @@ inputs:
|
||||
};
|
||||
coturn = {};
|
||||
httpua = {};
|
||||
mirism.enable = true;
|
||||
mirism = {};
|
||||
fail2ban = {};
|
||||
beesd."/" = {};
|
||||
# bind = {};
|
||||
};
|
||||
};
|
||||
networking.nftables.tables.forward =
|
||||
{
|
||||
family = "inet";
|
||||
content = let srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0"; in
|
||||
''
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority dstnat; policy accept;
|
||||
tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
|
||||
}
|
||||
chain output {
|
||||
type nat hook output priority dstnat; policy accept;
|
||||
# 需要忽略透明代理发出的流量(gid 不是 nginx)
|
||||
meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} tcp dport 7011 fib daddr type local \
|
||||
counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
|
||||
}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
oifname wg0 meta mark & 4 == 4 counter masquerade
|
||||
}
|
||||
'';
|
||||
content =
|
||||
let
|
||||
srv2 = inputs.topInputs.self.config.dns."chn.moe".getAddress "wg0.srv2-node0";
|
||||
in
|
||||
''
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority dstnat; policy accept;
|
||||
tcp dport 7011 fib daddr type local counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
|
||||
}
|
||||
chain output {
|
||||
type nat hook output priority dstnat; policy accept;
|
||||
# 需要忽略透明代理发出的流量(gid 不是 nginx)
|
||||
meta skgid != ${builtins.toString inputs.config.users.groups.nginx.gid} \
|
||||
tcp dport 7011 fib daddr type local \
|
||||
counter meta mark set meta mark | 4 dnat ip to ${srv2}:22
|
||||
}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
oifname wg0 meta mark & 4 == 4 counter masquerade
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -44,6 +44,8 @@ send:
|
||||
coturn:
|
||||
auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
|
||||
wireguard: ENC[AES256_GCM,data:5M7EAy/6+2UASWkjxE0Jrxwl0aNdAVZaUjQnD1wU3YvOAQ/c2DSL8hVtKf8=,iv:a2tXFf1+aP0JhdNtzP8e82KJ71m2o8nx+G0wIx4VMig=,tag:l4TS4QBz2fIkC9/GnZgHnQ==,type:str]
|
||||
xray-xmu-client:
|
||||
cookie: ENC[AES256_GCM,data:RZ2WFnsX7s/PVqA7ZKhGqw==,iv:CknFoAcHIiIwJI1IEXkFdWXcOCAZr50pfwmQN72OI8o=,tag:w2pNU1APxlSQsGMIEdE2OA==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
|
||||
@@ -64,7 +66,7 @@ sops:
|
||||
ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
|
||||
ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-12T23:51:02Z"
|
||||
mac: ENC[AES256_GCM,data:3QxWxinb3a7jvmHJO1kcePNwd/igurjFWVJw/sGKBuZpo47LU+W8132b9GpKs79AedDa5BM5yu0XN+CPrkviMcNuX5a3lLy8oI22a1N8fuKjEehld1Jq/boitGIsgJgb/M0Hn6yIq1ytuWuxoj2cOvmkEfNuyWRew+htI4DhJ/E=,iv:OyCWfcn218oaA970T9miIWIGSwOFeUbtWI0xO/02Hrw=,tag:c8riJplInFN1ZSPH3ze0QQ==,type:str]
|
||||
lastmodified: "2025-08-01T05:54:47Z"
|
||||
mac: ENC[AES256_GCM,data:OtHwr58A1UOfYxQR88ay76fWmAyWPl5YtNbAiv0LXPLZPRtLGBJKuTjMaHr17AMepFZ+u5IPV2r8z1AUDj0opLXlv3Ik/DJ2PCcQTOBH+/lnSgzJKWfdCip9/wFR6N3dT0PKKLuBiURB9ZCYmtnq6E5+Guadc6ATYDSEpwbENZQ=,iv:kXsYMGjAtUlv1UqFU8Xv0zagohnpHkzSI72mq5HKY7k=,tag:KR+1A8l2VvbzDZV/00hbJg==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
|
||||
@@ -1,21 +1,13 @@
|
||||
# install nix
|
||||
|
||||
1. download [nix-portable](https://github.com/DavHau/nix-portable),
|
||||
move the executable file to `$PATH`, rename it to `nix-portable` and make it executable.
|
||||
2. create several symlinks (including `nix` `nix-store` etc.) to it.
|
||||
3. create file `~/.config/nix/nix.conf` with the following content: `ignored-acls = lustre.lov`
|
||||
4. run `nix --version`, wait for it to initialize and print the version.
|
||||
1. Build nix using `nix build github:NixOS/nixpkgs/nixos-24.11#nixStatic`, upload, create symlink `nix-store` `nix-build` etc. pointing to it.
|
||||
2. Upload `.config/nix/nix.conf`.
|
||||
|
||||
# install or update packages
|
||||
|
||||
1. run `nix build github:CHN-beta/nixos#xmuhk` elsewhere (on NixOS is better, to avoid impure from FHS envs)
|
||||
2. `nix-store --export $(nix-store -qR ./result) | xz -T0 | pv > xmuhk.nar.xz`
|
||||
3. copy `xmuhk.nar.xz` to hpc, import it with `cat xmuhk.nar.xz | nix-store --import`
|
||||
4. create gcroot symlink: `ln -s /nix/store/xxxx-xmuhk ~/.nix-portable/nix/var/nix/gcroots/current`
|
||||
5. optionally `nix gc`
|
||||
6. create `nix-exec` in `$PATH` with the following content, make it executable:
|
||||
```sh
|
||||
#!/usr/bin/env sh
|
||||
nix shell ~/.nix-portable/nix/var/nix/gcroots/current -c "$(basename "$0")" "$@"
|
||||
```
|
||||
7. make symlinks to `nix-exec` for needed commands, e.g. `ln -s singularity nix-exec`
|
||||
1. On nixos, make sure `/public/home/xmuhk/.nix` is mounted correctly.
|
||||
2. Build using `sudo nix build --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' .#xmuhk` .
|
||||
3. Diff store using `sudo nix-store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' -qR ./result | grep -Fxv -f <(ssh xmuhk find .nix/store -maxdepth 1 -exec realpath '{}' '\;') | sudo xargs nix-store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' --export | xz -T0 | pv > xmuhk.nar.xz` .
|
||||
4. Upload `xmuhk.nar.xz` to hpc.
|
||||
5. On hpc, `pv xmuhk.nar.xz | xz -d | nix-store --import` .
|
||||
6. Create gcroot using `nix build /xxx-xmuhk -o .nix/state/gcroots/current`, where `/xxx-xmuhk` is the last path printed by `nix-store --import` .
|
||||
|
||||
@@ -1,31 +1,9 @@
|
||||
# sudo nix build --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' .#xmuhk
|
||||
# sudo nix-store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' -qR ./result | sudo xargs nix-store --store --store 'local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log' --export > data.nar
|
||||
# cat data.nar | nix-store --import
|
||||
{ inputs, localLib }:
|
||||
let
|
||||
pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
|
||||
{
|
||||
inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
|
||||
nixpkgs = { march = null; cuda = null; nixRoot = "/public/home/xmuhk/.nix"; };
|
||||
});
|
||||
# go = pkgs.go.overrideAttrs (prev:
|
||||
# {
|
||||
# buildInputs = builtins.filter (x: x != pkgs.glibc.static) prev.buildInputs;
|
||||
# });
|
||||
# buildGoModule = pkgs.buildGoModule.override { inherit go; };
|
||||
# singularity = (pkgs.singularity.override { inherit buildGoModule; }).overrideAttrs (prev:
|
||||
# {
|
||||
# configureFlags = builtins.filter (x: x != "--without-libsubid") prev.configureFlags;
|
||||
# buildInputs = prev.buildInputs ++ [ pkgs.shadow ];
|
||||
# # env.CGO_ENABLED = "1";
|
||||
# # autoPatchelfFlags = [ "--keep-libc" ];
|
||||
# });
|
||||
singularity = pkgs.singularity.overrideAttrs (prev:
|
||||
{
|
||||
configureFlags = builtins.filter (x: x != "--without-libsubid") prev.configureFlags;
|
||||
buildInputs = prev.buildInputs ++ [ pkgs.shadow ];
|
||||
# env.CGO_ENABLED = "1";
|
||||
# autoPatchelfFlags = [ "--keep-libc" ];
|
||||
nixpkgs = { march = null; cuda = null; nixRoot = "/public/home/xmuhk/.nix"; nixos = false; };
|
||||
});
|
||||
lumericalLicenseManager =
|
||||
let
|
||||
@@ -33,12 +11,22 @@ let
|
||||
awk = "${pkgs.gawk}/bin/awk";
|
||||
sed = "${pkgs.gnused}/bin/sed";
|
||||
chmod = "${pkgs.coreutils}/bin/chmod";
|
||||
sing = "${singularity}/bin/singularity";
|
||||
sing = "/public/software/singularity/singularity-3.8.3/bin/singularity";
|
||||
in pkgs.writeShellScriptBin "lumericalLicenseManager"
|
||||
''
|
||||
echo "Cleaning up..."
|
||||
rm -rf /tmp/lumerical
|
||||
${sing} instance stop lumericalLicenseManager || true
|
||||
[ -d /tmp/lumerical ] && chmod -R u+w /tmp/lumerical && rm -rf /tmp/lumerical || true
|
||||
mkdir -p /tmp/lumerical
|
||||
while true; do
|
||||
if ! ss -tan | grep -q ".*TIME-WAIT .*:1084 "; then break; fi
|
||||
sleep 10
|
||||
done
|
||||
|
||||
echo "Extracting image..."
|
||||
${sing} build --sandbox /tmp/lumerical/lumericalLicenseManager \
|
||||
${inputs.self.src.lumerical.licenseManager.sifImageFile}
|
||||
mkdir /tmp/lumerical/lumericalLicenseManager/public
|
||||
|
||||
echo 'Searching for en* interface...'
|
||||
iface=$(${ip} -o link show | ${awk} -F': ' '/^[0-9]+: en/ {print $2; exit}')
|
||||
@@ -53,19 +41,29 @@ let
|
||||
fi
|
||||
|
||||
echo 'Creating license file...'
|
||||
cp ${inputs.self.src.lumerical.licenseManager.sifImageFile} /tmp/lumerical/license.txt
|
||||
${chmod} +w /tmp/lumerical/license.txt
|
||||
${sed} -i "s|xxxxxxxxxxxxx|$mac|" /tmp/lumerical/license.txt
|
||||
${sed} -i 's|2022.1231|2035.1231|g' /tmp/lumerical/license.txt
|
||||
${sed} -i "s|xxxxxxxxxxxxx|$mac|" \
|
||||
/tmp/lumerical/lumericalLicenseManager/home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic
|
||||
${sed} -i 's|2022.1231|2035.1231|g' \
|
||||
/tmp/lumerical/lumericalLicenseManager/home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic
|
||||
|
||||
echo "Starting license manager..."
|
||||
${sing} run --pwd /home/ansys_inc/shared_files/licensing --writable-tmpfs \
|
||||
${inputs.self.src.lumerical.licenseManager.sifImageFile}
|
||||
${sing} instance start --writable /tmp/lumerical/lumericalLicenseManager lumericalLicenseManager
|
||||
${sing} exec instance://lumericalLicenseManager /bin/sh -c \
|
||||
"pushd /home/ansys_inc/shared_files/licensing; (./start_ansysli &); (./start_lmcenter &); tail -f /dev/null"
|
||||
|
||||
cleanup() {
|
||||
echo "Stopping license manager..."
|
||||
${sing} instance stop lumericalLicenseManager
|
||||
chmod -R u+w /tmp/lumerical && rm -rf /tmp/lumerical
|
||||
}
|
||||
trap cleanup SIGINT SIGTERM SIGHUP EXIT
|
||||
tail -f /dev/null
|
||||
'';
|
||||
in pkgs.symlinkJoin
|
||||
{
|
||||
name = "xmuhk";
|
||||
paths = (with pkgs; [ hello ]) ++ [ lumericalLicenseManager ];
|
||||
paths = (with pkgs; [ hello btop htop iotop pv localPackages.lumerical.lumerical.cmd ])
|
||||
++ [ lumericalLicenseManager ];
|
||||
postBuild = "echo ${inputs.self.rev or "dirty"} > $out/.version";
|
||||
passthru = { inherit pkgs singularity; };
|
||||
passthru = { inherit pkgs; };
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
store = local?store=/public/home/xmuhk/.nix/store&state=/public/home/xmuhk/.nix/state&log=/public/home/xmuhk/.nix/log
|
||||
experimental-features = flakes nix-command
|
||||
|
||||
2
doc/branch.md
Normal file
2
doc/branch.md
Normal file
@@ -0,0 +1,2 @@
|
||||
* archive: archive
|
||||
* one-fprint: test fingerpint on one
|
||||
@@ -1,14 +1,10 @@
|
||||
* 测试 huggin rsshub
|
||||
* 打包 intel 编译器
|
||||
* 切换到 niri,清理 plasma
|
||||
* 调整其它用户的 zsh 配置
|
||||
* 调整 motd
|
||||
* 找到 wg1 不能稳定工作的原因;确定 persistentKeepalive 发包的协议、是否会被正确 NAT。
|
||||
* 备份系统
|
||||
* 备份数据
|
||||
* 清理 mariadb,移动到 persistent
|
||||
* 清理多余文件
|
||||
* 移动日志到 persistent
|
||||
* 更新 srv1
|
||||
* 告知将代理改到 xserver2
|
||||
* 准备单独一个的 archive
|
||||
* 测试透明代理代理其它机器的情况
|
||||
|
||||
640
flake.lock
generated
640
flake.lock
generated
@@ -1,14 +1,36 @@
|
||||
{
|
||||
"nodes": {
|
||||
"aagl": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1750597708,
|
||||
"narHash": "sha256-jpoh3tk4F4C0MZsXYqFt1fqm4qYOcyu3RtJlmpabpDo=",
|
||||
"owner": "ezKEa",
|
||||
"repo": "aagl-gtk-on-nix",
|
||||
"rev": "5e4851010e05030553f2265ced86b155dfe0bb93",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ezKEa",
|
||||
"ref": "release-25.05",
|
||||
"repo": "aagl-gtk-on-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"blog": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1748787595,
|
||||
"lastModified": 1759333393,
|
||||
"lfs": true,
|
||||
"narHash": "sha256-FFkwHb9DEdBjBaaH6JuhlmpP7ReSEWTy79P3i/eH708=",
|
||||
"narHash": "sha256-0ruJ4kw82hQZDLp5oIBG2Kq+SBeOUoTSMJzFofOz4Sg=",
|
||||
"ref": "refs/heads/public",
|
||||
"rev": "d9020a59f07f7ced60c854f324df8879b249e8b6",
|
||||
"revCount": 32,
|
||||
"rev": "e6d2bc75a815a8ea73eea24091af10b4eb595b95",
|
||||
"revCount": 37,
|
||||
"type": "git",
|
||||
"url": "https://git.chn.moe/chn/blog-public.git"
|
||||
},
|
||||
@@ -78,6 +100,32 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"chaotic": {
|
||||
"inputs": {
|
||||
"flake-schemas": "flake-schemas",
|
||||
"home-manager": [
|
||||
"home-manager"
|
||||
],
|
||||
"jovian": "jovian",
|
||||
"nixpkgs": [
|
||||
"nixpkgs-unstable"
|
||||
],
|
||||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1757979374,
|
||||
"narHash": "sha256-1ppp2L9mZsCe8H1GzV9Ni4PnXnYz1GDQPYurbPU/pZI=",
|
||||
"owner": "chaotic-cx",
|
||||
"repo": "nyx",
|
||||
"rev": "ed13c5539660d20490d07e3898977c2f39317920",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "chaotic-cx",
|
||||
"repo": "nyx",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"concurrencpp": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
@@ -127,6 +175,27 @@
|
||||
}
|
||||
},
|
||||
"devshell": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nur-linyinfeng",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1741473158,
|
||||
"narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
|
||||
"owner": "numtide",
|
||||
"repo": "devshell",
|
||||
"rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "devshell",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"devshell_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nur-xddxdd",
|
||||
@@ -166,11 +235,11 @@
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"lastModified": 1733328505,
|
||||
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -180,6 +249,22 @@
|
||||
}
|
||||
},
|
||||
"flake-compat_2": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1747046372,
|
||||
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat_3": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
@@ -195,7 +280,58 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat_4": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat_5": {
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"revCount": 57,
|
||||
"type": "tarball",
|
||||
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
|
||||
}
|
||||
},
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"nur-linyinfeng",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1749398372,
|
||||
"narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts_2": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
@@ -213,9 +349,23 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-schemas": {
|
||||
"locked": {
|
||||
"lastModified": 1721999734,
|
||||
"narHash": "sha256-G5CxYeJVm4lcEtaO87LKzOsVnWeTcHGKbKxNamNWgOw=",
|
||||
"rev": "0a5c42297d870156d9c57d8f99e476b738dcd982",
|
||||
"revCount": 75,
|
||||
"type": "tarball",
|
||||
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/flake-schemas/0.1.5/0190ef2f-61e0-794b-ba14-e82f225e55e6/source.tar.gz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1731533236,
|
||||
@@ -233,7 +383,7 @@
|
||||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems_2"
|
||||
"systems": "systems_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1731533236,
|
||||
@@ -249,6 +399,24 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_3": {
|
||||
"inputs": {
|
||||
"systems": "systems_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"gitignore": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
@@ -323,6 +491,28 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"jovian": {
|
||||
"inputs": {
|
||||
"nix-github-actions": "nix-github-actions",
|
||||
"nixpkgs": [
|
||||
"chaotic",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1757230583,
|
||||
"narHash": "sha256-4uqu7sFPOaVTCogsxaGMgbzZ2vK40GVGMfUmrvK3/LY=",
|
||||
"owner": "Jovian-Experiments",
|
||||
"repo": "Jovian-NixOS",
|
||||
"rev": "fc3960e6c32c9d4f95fff2ef84444284d24d3bea",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Jovian-Experiments",
|
||||
"repo": "Jovian-NixOS",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"lepton": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
@@ -437,6 +627,100 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"niri": {
|
||||
"inputs": {
|
||||
"niri-stable": "niri-stable",
|
||||
"niri-unstable": "niri-unstable",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-stable": "nixpkgs-stable",
|
||||
"xwayland-satellite-stable": "xwayland-satellite-stable",
|
||||
"xwayland-satellite-unstable": "xwayland-satellite-unstable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1752569955,
|
||||
"narHash": "sha256-a21pjNhJYJ+OTQmBJ3NluU65PvMb54/mA7aEWJh5s/4=",
|
||||
"owner": "sodiboo",
|
||||
"repo": "niri-flake",
|
||||
"rev": "8fc18813bf6ceaabb3063050819a20807e11279b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "sodiboo",
|
||||
"repo": "niri-flake",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"niri-stable": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1748151941,
|
||||
"narHash": "sha256-z4viQZLgC2bIJ3VrzQnR+q2F3gAOEQpU1H5xHtX/2fs=",
|
||||
"owner": "YaLTeR",
|
||||
"repo": "niri",
|
||||
"rev": "8ba57fcf25d2fc9565131684a839d58703f1dae7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "YaLTeR",
|
||||
"ref": "v25.05.1",
|
||||
"repo": "niri",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"niri-unstable": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1752565554,
|
||||
"narHash": "sha256-BLLMN6oOarMdIm59AX8uypaXZHBhGfd6L3VURfqQTX8=",
|
||||
"owner": "YaLTeR",
|
||||
"repo": "niri",
|
||||
"rev": "007d35541db1bae32b7b43891af88831325ba068",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "YaLTeR",
|
||||
"repo": "niri",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-flatpak": {
|
||||
"locked": {
|
||||
"lastModified": 1749394952,
|
||||
"narHash": "sha256-WbWkzIvB0gqAdBLghdmUpGveY7MlAS2iMj3VEJnJ9yE=",
|
||||
"owner": "gmodena",
|
||||
"repo": "nix-flatpak",
|
||||
"rev": "64c6e53a3999957c19ab95cda78bde466d8374cc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "gmodena",
|
||||
"repo": "nix-flatpak",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-github-actions": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"chaotic",
|
||||
"jovian",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729697500,
|
||||
"narHash": "sha256-VFTWrbzDlZyFHHb1AlKRiD/qqCJIripXKiCSFS8fAOY=",
|
||||
"owner": "zhaofengli",
|
||||
"repo": "nix-github-actions",
|
||||
"rev": "e418aeb728b6aa5ca8c5c71974e7159c2df1d8cf",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "zhaofengli",
|
||||
"ref": "matrix-name",
|
||||
"repo": "nix-github-actions",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-index-database": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
@@ -478,37 +762,52 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-vscode-extensions": {
|
||||
"nix4vscode": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
],
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1747382874,
|
||||
"narHash": "sha256-VCFqktsjKsz5eJOCdX2mM3Uytbb7Et6MHshEpCpuWFk=",
|
||||
"lastModified": 1757210216,
|
||||
"narHash": "sha256-wPFyyAJ9dw3a0W3rUUvMs53YHI1f37/4icFLYRbdBtE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-vscode-extensions",
|
||||
"rev": "4a7f92bdabb365936a8e8958948536cc2ceac7ba",
|
||||
"repo": "nix4vscode",
|
||||
"rev": "a916585d834e4e4bf092adad85e7f90c84ed7ddb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "4a7f92bdabb365936a8e8958948536cc2ceac7ba",
|
||||
"repo": "nix-vscode-extensions",
|
||||
"repo": "nix4vscode",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1750646418,
|
||||
"narHash": "sha256-4UAN+W0Lp4xnUiHYXUXAPX18t+bn6c4Btry2RqM9JHY=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1f426f65ac4e6bf808923eb6f8b8c2bfba3d18c5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-24.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-wallpaper": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1749300029,
|
||||
"lastModified": 1757571059,
|
||||
"lfs": true,
|
||||
"narHash": "sha256-m5rQGDo9sogrNFtHNdf4CiUe4odqOVStj03ikUQX7NE=",
|
||||
"narHash": "sha256-1Uc16Z/ji8j1xzCzLn497coFxSc53JopVW0TFHPL6+o=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "8da808801224ac49758e4df095922be0c84650c8",
|
||||
"revCount": 8,
|
||||
"rev": "d14321b09e94a4e071575246c296bffdf89978b5",
|
||||
"revCount": 11,
|
||||
"type": "git",
|
||||
"url": "https://git.chn.moe/chn/nixos-wallpaper.git"
|
||||
},
|
||||
@@ -520,16 +819,16 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1749016257,
|
||||
"narHash": "sha256-Vi+QhXm6Kau233v7ijtdD5aNpE4RpnUjRUhXGwi7pxk=",
|
||||
"owner": "CHN-beta",
|
||||
"lastModified": 1752480373,
|
||||
"narHash": "sha256-JHQbm+OcGp32wAsXTE/FLYGNpb+4GLi5oTvCxwSoBOA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5835771b10e3197408d3ac7d32558c8e2ae0ab8d",
|
||||
"rev": "62e0f05ede1da0d54515d4ea8ce9c733f12d9f08",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "CHN-beta",
|
||||
"ref": "nixos-25.05",
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
@@ -552,11 +851,11 @@
|
||||
},
|
||||
"nixpkgs-2311": {
|
||||
"locked": {
|
||||
"lastModified": 1735377590,
|
||||
"narHash": "sha256-U9W9H/HYoaKa5wzSL2IBmnFDhxlesuKAcKi/hl5xPvE=",
|
||||
"lastModified": 1760234929,
|
||||
"narHash": "sha256-4W0o4O8ANykPCOQD2Jb6pdGerDSLNzIVNF7AoVNMZvM=",
|
||||
"owner": "CHN-beta",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "0c3e74a65634ae3f43be7d0f6c3b5156ac54747b",
|
||||
"rev": "66170f3c82eecdee7dcd29a7e72ed87965bde4fc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -613,13 +912,29 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1752308619,
|
||||
"narHash": "sha256-pzrVLKRQNPrii06Rm09Q0i0dq3wt2t2pciT/GNq5EZQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "650e572363c091045cdbc5b36b0f4c1f614d3058",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-25.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1750554037,
|
||||
"narHash": "sha256-XE/lFNhz5lsriMm/yjXkvSZz5DfvKJLUjsS6pP8EC50=",
|
||||
"lastModified": 1757823305,
|
||||
"narHash": "sha256-goy+ZVzBAe/cN/Udsiqg7RdNA19jyJqO8x6KXnZ8Mfs=",
|
||||
"owner": "CHN-beta",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f6b1f449aa69592d8f9bce2d4141766b667294ac",
|
||||
"rev": "db545f2ed84e23a80610792162a7a8adc888dcae",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -629,6 +944,22 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1758027585,
|
||||
"narHash": "sha256-+so5XM1uC1cMlS7hp85a9W4FXsqxkTAaK6BfDH8s7kM=",
|
||||
"owner": "CHN-beta",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "eeeecadbdeeea84b71422bbda9ce3e80e8cbd56c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "CHN-beta",
|
||||
"ref": "nixos-25.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixvirt": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
@@ -665,18 +996,45 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nur-xddxdd": {
|
||||
"nur-linyinfeng": {
|
||||
"inputs": {
|
||||
"devshell": "devshell",
|
||||
"flake-compat": "flake-compat_2",
|
||||
"flake-parts": "flake-parts",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixos-stable": "nixos-stable",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nvfetcher": "nvfetcher",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1751049834,
|
||||
"narHash": "sha256-xgLH6/ZtQJKWsham0Cj0nKGY8hde2fY8vZgSM5JfRik=",
|
||||
"owner": "linyinfeng",
|
||||
"repo": "nur-packages",
|
||||
"rev": "d7a4ee64345bae20e75f40d6f35c705d22c216d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "linyinfeng",
|
||||
"repo": "nur-packages",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nur-xddxdd": {
|
||||
"inputs": {
|
||||
"devshell": "devshell_2",
|
||||
"flake-parts": "flake-parts_2",
|
||||
"nix-index-database": "nix-index-database_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-24_05": "nixpkgs-24_05",
|
||||
"nvfetcher": "nvfetcher",
|
||||
"nvfetcher": "nvfetcher_2",
|
||||
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
"treefmt-nix": "treefmt-nix_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1748081225,
|
||||
@@ -694,7 +1052,36 @@
|
||||
},
|
||||
"nvfetcher": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-compat": [
|
||||
"nur-linyinfeng",
|
||||
"flake-compat"
|
||||
],
|
||||
"flake-utils": [
|
||||
"nur-linyinfeng",
|
||||
"flake-utils"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nur-linyinfeng",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1732501185,
|
||||
"narHash": "sha256-Z0BpHelaGQsE5VD9hBsBHsvMU9h+Xt0kfkDJyFivZOU=",
|
||||
"owner": "berberman",
|
||||
"repo": "nvfetcher",
|
||||
"rev": "bdb14eab6fe9cefc29efe01e60c3a3f616d6b62a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "berberman",
|
||||
"repo": "nvfetcher",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nvfetcher_2": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat_3",
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": [
|
||||
"nur-xddxdd",
|
||||
@@ -789,7 +1176,7 @@
|
||||
},
|
||||
"pre-commit-hooks-nix": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat_2",
|
||||
"flake-compat": "flake-compat_4",
|
||||
"gitignore": "gitignore",
|
||||
"nixpkgs": [
|
||||
"nur-xddxdd",
|
||||
@@ -826,12 +1213,32 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pybinding": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1598796477,
|
||||
"narHash": "sha256-4DtGtQ40TEaM6qSydwsj9gD3JqpaCFpcvWJISwn69Zk=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "ec1128aaa84a1b43a74fb970479ce4544bd63179",
|
||||
"revCount": 774,
|
||||
"submodules": true,
|
||||
"type": "git",
|
||||
"url": "https://github.com/dean0x7d/pybinding"
|
||||
},
|
||||
"original": {
|
||||
"submodules": true,
|
||||
"type": "git",
|
||||
"url": "https://github.com/dean0x7d/pybinding"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"aagl": "aagl",
|
||||
"blog": "blog",
|
||||
"bscpkgs": "bscpkgs",
|
||||
"buildproxy": "buildproxy",
|
||||
"catppuccin": "catppuccin",
|
||||
"chaotic": "chaotic",
|
||||
"concurrencpp": "concurrencpp",
|
||||
"cppcoro": "cppcoro",
|
||||
"date": "date",
|
||||
@@ -846,25 +1253,30 @@
|
||||
"mumax": "mumax",
|
||||
"nameof": "nameof",
|
||||
"nc4nix": "nc4nix",
|
||||
"niri": "niri",
|
||||
"nix-flatpak": "nix-flatpak",
|
||||
"nix-index-database": "nix-index-database",
|
||||
"nix-vscode-extensions": "nix-vscode-extensions",
|
||||
"nix4vscode": "nix4vscode",
|
||||
"nixos-wallpaper": "nixos-wallpaper",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-2305": "nixpkgs-2305",
|
||||
"nixpkgs-2311": "nixpkgs-2311",
|
||||
"nixpkgs-2411": "nixpkgs-2411",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"nixvirt": "nixvirt",
|
||||
"nu-scripts": "nu-scripts",
|
||||
"nur-linyinfeng": "nur-linyinfeng",
|
||||
"nur-xddxdd": "nur-xddxdd",
|
||||
"openxlsx": "openxlsx",
|
||||
"phono3py": "phono3py",
|
||||
"plasma-manager": "plasma-manager",
|
||||
"pocketfft": "pocketfft",
|
||||
"py4vasp": "py4vasp",
|
||||
"pybinding": "pybinding",
|
||||
"rsshub": "rsshub",
|
||||
"rycee": "rycee",
|
||||
"sops-nix": "sops-nix",
|
||||
"speedtest": "speedtest",
|
||||
"sqlite-orm": "sqlite-orm",
|
||||
"sticker": "sticker",
|
||||
"stickerpicker": "stickerpicker",
|
||||
@@ -872,6 +1284,7 @@
|
||||
"ufo": "ufo",
|
||||
"v-sim": "v-sim",
|
||||
"vaspberry": "vaspberry",
|
||||
"winapps": "winapps",
|
||||
"zpp-bits": "zpp-bits"
|
||||
}
|
||||
},
|
||||
@@ -891,6 +1304,27 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"rust-overlay": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"chaotic",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1757930296,
|
||||
"narHash": "sha256-Z9u5VszKs8rfEvg2AsFucWEjl7wMtAln9l1b78cfBh4=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "09442765a05c2ca617c20ed68d9613da92a2d96b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"rycee": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
@@ -927,6 +1361,22 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"speedtest": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1739473165,
|
||||
"narHash": "sha256-QimemnDZXlL5Ip+RFD0uxO21Aaol3kCw6Mf/0E3jHQc=",
|
||||
"owner": "librespeed",
|
||||
"repo": "speedtest",
|
||||
"rev": "a1c43977ad9bf73f09f81e8df3c22ea914ab9131",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "librespeed",
|
||||
"repo": "speedtest",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"sqlite-orm": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
@@ -978,6 +1428,7 @@
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
@@ -1007,6 +1458,36 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_3": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_4": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"tgbot-cpp": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
@@ -1024,6 +1505,27 @@
|
||||
}
|
||||
},
|
||||
"treefmt-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nur-linyinfeng",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1750931469,
|
||||
"narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"treefmt-nix_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nur-xddxdd",
|
||||
@@ -1095,6 +1597,62 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"winapps": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat_5",
|
||||
"flake-utils": "flake-utils_3",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730460191,
|
||||
"narHash": "sha256-CWaNjs2kOpmsR8ieVwqcd7EAz5Kd3y8I5huZyYgGqlA=",
|
||||
"owner": "winapps-org",
|
||||
"repo": "winapps",
|
||||
"rev": "b18efc4497c0994182bbe482808583c11cc51a2e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "winapps-org",
|
||||
"ref": "feat-nix-packaging",
|
||||
"repo": "winapps",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"xwayland-satellite-stable": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1748488455,
|
||||
"narHash": "sha256-IiLr1alzKFIy5tGGpDlabQbe6LV1c9ABvkH6T5WmyRI=",
|
||||
"owner": "Supreeeme",
|
||||
"repo": "xwayland-satellite",
|
||||
"rev": "3ba30b149f9eb2bbf42cf4758d2158ca8cceef73",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Supreeeme",
|
||||
"ref": "v0.6",
|
||||
"repo": "xwayland-satellite",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"xwayland-satellite-unstable": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1752338000,
|
||||
"narHash": "sha256-Fxlp/yKtynug0jyuauAmvZU2SzHCfwlwWf85j+IvQ0U=",
|
||||
"owner": "Supreeeme",
|
||||
"repo": "xwayland-satellite",
|
||||
"rev": "ba78881a68182ce338041846164cbfed0d70935c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Supreeeme",
|
||||
"repo": "xwayland-satellite",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"zpp-bits": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
|
||||
18
flake.nix
18
flake.nix
@@ -12,21 +12,27 @@
|
||||
sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
nur-xddxdd = { url = "github:xddxdd/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
nix-vscode-extensions =
|
||||
{
|
||||
url = "github:nix-community/nix-vscode-extensions?ref=4a7f92bdabb365936a8e8958948536cc2ceac7ba";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
impermanence.url = "github:CHN-beta/impermanence";
|
||||
plasma-manager =
|
||||
{
|
||||
url = "github:pjones/plasma-manager";
|
||||
inputs = { nixpkgs.follows = "nixpkgs"; home-manager.follows = "home-manager"; };
|
||||
};
|
||||
nur-linyinfeng = { url = "github:linyinfeng/nur-packages"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
nix-flatpak.url = "github:gmodena/nix-flatpak";
|
||||
chaotic =
|
||||
{
|
||||
url = "github:chaotic-cx/nyx";
|
||||
inputs = { nixpkgs.follows = "nixpkgs-unstable"; home-manager.follows = "home-manager"; };
|
||||
};
|
||||
catppuccin = { url = "github:catppuccin/nix"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
bscpkgs = { url = "github:CHN-beta/bscpkgs"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
aagl = { url = "github:ezKEa/aagl-gtk-on-nix/release-25.05"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
winapps = { url = "github:winapps-org/winapps/feat-nix-packaging"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
nixvirt = { url = "github:CHN-beta/NixVirt"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
buildproxy = { url = "github:polygon/nix-buildproxy"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
niri.url = "github:sodiboo/niri-flake";
|
||||
nix4vscode = { url = "github:nix-community/nix4vscode"; inputs.nixpkgs.follows = "nixpkgs"; };
|
||||
|
||||
misskey = { url = "git+https://github.com/CHN-beta/misskey?submodules=1"; flake = false; };
|
||||
rsshub = { url = "github:DIYgod/RSSHub"; flake = false; };
|
||||
@@ -57,6 +63,8 @@
|
||||
mac-style = { url = "github:SergioRibera/s4rchiso-plymouth-theme?lfs=1"; flake = false; };
|
||||
phono3py = { url = "github:phonopy/phono3py"; flake = false; };
|
||||
sticker = { url = "git+https://git.chn.moe/chn/sticker.git?lfs=1"; flake = false; };
|
||||
speedtest = { url = "github:librespeed/speedtest"; flake = false; };
|
||||
pybinding = { url = "git+https://github.com/dean0x7d/pybinding?submodules=1"; flake = false; };
|
||||
};
|
||||
|
||||
outputs = inputs: let localLib = import ./flake/lib inputs.nixpkgs.lib; in
|
||||
|
||||
@@ -48,4 +48,11 @@
|
||||
CMAKE_EXPORT_COMPILE_COMMANDS = "1";
|
||||
hardeningDisable = [ "all" ];
|
||||
};
|
||||
xinli = pkgs.mkShell.override { stdenv = pkgs.clang18Stdenv; }
|
||||
{
|
||||
inputsFrom = [ pkgs.localPackages.xinli ];
|
||||
packages = [ pkgs.clang-tools_18 ];
|
||||
CMAKE_EXPORT_COMPILE_COMMANDS = "1";
|
||||
hardeningDisable = [ "all" ];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -2,42 +2,44 @@ localLib:
|
||||
let
|
||||
cname =
|
||||
{
|
||||
autoroute = [ "api" "git" "grafana" "matrix" "peertube" "send" "synapse" "vikunja" "铜锣湾" ];
|
||||
nas = [ "initrd.nas" ];
|
||||
office = [ "srv2-node0" ];
|
||||
vps4 = [ "initrd.vps4" "xserver2.vps4" ];
|
||||
office = [ "srv2-node0" "xserverxmu" ];
|
||||
vps4 =
|
||||
[
|
||||
"initrd.vps4" "xserver2.vps4"
|
||||
# to nas
|
||||
"git" "grafana" "matrix" "peertube" "send" "vikunja" "铜锣湾" "xservernas" "chat" "freshrss" "huginn" "nextcloud"
|
||||
"photoprism" "rsshub" "vaultwarden" "webdav" "synapse" "misskey" "api"
|
||||
];
|
||||
vps6 =
|
||||
[
|
||||
"blog" "catalog" "coturn" "element" "initrd.vps6" "misskey" "sticker" "synapse-admin" "tgapi"
|
||||
"ua" "xserver2" "xserver2.vps6" "铜锣湾实验室"
|
||||
"blog" "catalog" "coturn" "element" "initrd.vps6" "sticker" "synapse-admin" "tgapi" "ua" "xserver2"
|
||||
"xserver2.vps6"
|
||||
# to pc
|
||||
"铜锣湾实验室"
|
||||
];
|
||||
"xlog.autoroute" = [ "xlog" ];
|
||||
"wg0.srv1-node0" = [ "wg0.srv1" ];
|
||||
"wg0.srv2-node0" = [ "wg0.srv2" ];
|
||||
srv3 =
|
||||
[
|
||||
"chat" "freshrss" "huginn" "initrd.srv3" "nextcloud" "photoprism" "rsshub" "ssh.git" "vaultwarden" "webdav"
|
||||
"xserver2.srv3" "example"
|
||||
];
|
||||
srv1-node0 = [ "srv1" ];
|
||||
srv2-node0 = [ "srv2" ];
|
||||
"wg1.pc" = [ "nix-store" ];
|
||||
"wg1.nas" = [ "nix-store.nas" ];
|
||||
"wg0.nas" = [ "ssh.git" ];
|
||||
};
|
||||
a =
|
||||
{
|
||||
nas = "192.168.1.2";
|
||||
pc = "192.168.1.3";
|
||||
one = "192.168.1.4";
|
||||
office = "210.34.16.60";
|
||||
office = "210.34.16.21";
|
||||
srv1-node0 = "59.77.36.250";
|
||||
vps4 = "104.234.37.61";
|
||||
vps6 = "144.34.225.59";
|
||||
search = "127.0.0.1";
|
||||
srv3 = "23.135.236.216";
|
||||
srv1-node1 = "192.168.178.2";
|
||||
srv1-node2 = "192.168.178.3";
|
||||
srv2-node1 = "192.168.178.2";
|
||||
"409test" = "192.168.1.5";
|
||||
};
|
||||
wireguard = import ./wireguard.nix;
|
||||
in
|
||||
@@ -56,11 +58,7 @@ in
|
||||
{ type = "TXT"; value = "v=spf1 include:mxlogin.com -all"; }
|
||||
];
|
||||
"_xlog-challenge.xlog" = { type = "TXT"; value = "chn"; };
|
||||
autoroute =
|
||||
{
|
||||
type = "NS";
|
||||
values = builtins.map (suffix: "ns1.huaweicloud-dns.${suffix}.") [ "cn" "com" "net" "org" ];
|
||||
};
|
||||
autoroute = { type = "NS"; values = "vps6.chn.moe."; };
|
||||
"mail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
|
||||
"webmail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
|
||||
"x._domainkey" =
|
||||
|
||||
@@ -6,12 +6,10 @@
|
||||
vps6 = 1;
|
||||
pc = 3;
|
||||
nas = 4;
|
||||
one = 5;
|
||||
srv1-node0 = 9;
|
||||
srv1-node1 = 6;
|
||||
srv1-node2 = 8;
|
||||
srv2-node0 = 7;
|
||||
srv2-node1 = 10;
|
||||
srv3 = 11;
|
||||
};
|
||||
}
|
||||
|
||||
13
flake/lib/buildNixpkgsConfig/boost188.patch
Normal file
13
flake/lib/buildNixpkgsConfig/boost188.patch
Normal file
@@ -0,0 +1,13 @@
|
||||
diff --git a/boost/process/v2/stdio.hpp b/boost/process/v2/stdio.hpp
|
||||
index 01d0216..4084e46 100644
|
||||
--- a/boost/process/v2/stdio.hpp
|
||||
+++ b/boost/process/v2/stdio.hpp
|
||||
@@ -184,7 +184,7 @@ struct process_io_binding
|
||||
process_io_binding & operator=(const process_io_binding &) = delete;
|
||||
|
||||
process_io_binding(process_io_binding && other) noexcept
|
||||
- : fd(other.fd), fd_needs_closing(other.fd), ec(other.ec)
|
||||
+ : fd(other.fd), fd_needs_closing(other.fd_needs_closing), ec(other.ec)
|
||||
{
|
||||
other.fd = target;
|
||||
other.fd_needs_closing = false;
|
||||
@@ -1,9 +1,13 @@
|
||||
# inputs = { lib, topInputs, ...}; nixpkgs = { march, cuda, nixRoot };
|
||||
# inputs = { lib, topInputs, ...}; nixpkgs = { march, cuda, nixRoot, nixos, arch };
|
||||
{ inputs, nixpkgs }:
|
||||
let
|
||||
platformConfig =
|
||||
if nixpkgs.march == null then { system = "x86_64-linux"; }
|
||||
else { hostPlatform = { system = "x86_64-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; }; };
|
||||
if nixpkgs.march == null then { system = "${nixpkgs.arch or "x86_64"}-linux"; }
|
||||
else
|
||||
{
|
||||
${if nixpkgs.nixos then "hostPlatform" else "localSystem"} =
|
||||
{ system = "${nixpkgs.arch or "x86_64"}-linux"; gcc = { arch = nixpkgs.march; tune = nixpkgs.march; }; };
|
||||
};
|
||||
cudaConfig = inputs.lib.optionalAttrs (nixpkgs.cuda != null)
|
||||
(
|
||||
{ cudaSupport = true; }
|
||||
@@ -27,18 +31,19 @@ let
|
||||
# contentAddressedByDefault = true;
|
||||
})
|
||||
// (inputs.lib.optionalAttrs (nixpkgs.nixRoot != null)
|
||||
{ nix = { storeDir = "${nixpkgs.nixRoot}/store"; stateDir = "${nixpkgs.nixRoot}/var"; }; });
|
||||
{ nix = { storeDir = "${nixpkgs.nixRoot}/store"; stateDir = "${nixpkgs.nixRoot}/state"; }; });
|
||||
in platformConfig //
|
||||
{
|
||||
inherit config;
|
||||
overlays =
|
||||
[
|
||||
inputs.topInputs.aagl.overlays.default
|
||||
inputs.topInputs.nur-xddxdd.overlays.inSubTree
|
||||
inputs.topInputs.nix-vscode-extensions.overlays.default
|
||||
inputs.topInputs.buildproxy.overlays.default
|
||||
inputs.topInputs.nix4vscode.overlays.default
|
||||
(final: prev:
|
||||
{
|
||||
inherit (inputs.topInputs.nix-vscode-extensions.overlays.default final prev) nix-vscode-extensions;
|
||||
nur-linyinfeng = (inputs.topInputs.nur-linyinfeng.overlays.default final prev).linyinfeng;
|
||||
firefox-addons = (import "${inputs.topInputs.rycee}" { inherit (prev) pkgs; }).firefox-addons;
|
||||
})
|
||||
inputs.topInputs.self.overlays.default
|
||||
@@ -63,27 +68,61 @@ in platformConfig //
|
||||
patches = prev.patches or [] ++ [ ./root.patch ];
|
||||
cmakeFlags = prev.cmakeFlags ++ [ "-DCMAKE_CXX_STANDARD=23" ];
|
||||
});
|
||||
boost188 = prev.boost188.overrideAttrs (prev: { patches = prev.patches or [] ++ [ ./boost188.patch ]; });
|
||||
inherit (final.pkgs-2411) iio-sensor-proxy;
|
||||
inherit (final.pkgs-unstable) bees;
|
||||
}
|
||||
// (
|
||||
let
|
||||
marchFilter = version:
|
||||
# old version of nixpkgs does not recognize znver5, use znver4 instead
|
||||
inputs.lib.optionalAttrs (inputs.lib.versionOlder version "25.05") { znver5 = "znver4"; };
|
||||
source =
|
||||
{
|
||||
pkgs-2305 = "nixpkgs-2305";
|
||||
pkgs-2311 = "nixpkgs-2311";
|
||||
pkgs-2411 = { source = "nixpkgs-2411"; overlay = inputs.topInputs.bscpkgs.overlays.default; };
|
||||
pkgs-2411 =
|
||||
{
|
||||
source = "nixpkgs-2411";
|
||||
overlays =
|
||||
[
|
||||
inputs.topInputs.bscpkgs.overlays.default
|
||||
(final: prev: inputs.lib.optionalAttrs (nixpkgs.march != null)
|
||||
{
|
||||
pythonPackagesExtensions = prev.pythonPackagesExtensions or [] ++ [(final: prev:
|
||||
{
|
||||
sphinx = prev.sphinx.overridePythonAttrs (prev:
|
||||
{ disabledTests = prev.disabledTests or [] ++ [ "test_xml_warnings" ]; });
|
||||
})];
|
||||
})
|
||||
];
|
||||
};
|
||||
pkgs-unstable =
|
||||
{
|
||||
source = "nixpkgs-unstable";
|
||||
overlay = inputs.topInputs.self.overlays.default;
|
||||
overlays =
|
||||
[
|
||||
inputs.topInputs.self.overlays.default
|
||||
(_: _:
|
||||
{
|
||||
genericPackages = import inputs.topInputs.nixpkgs-unstable
|
||||
{ inherit system; config = { allowUnfree = true; inherit allowInsecurePredicate; }; };
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
packages = name: import inputs.topInputs.${source.${name}.source or source.${name}}
|
||||
{
|
||||
localSystem = platformConfig.hostPlatform or { inherit (platformConfig) system; };
|
||||
inherit config;
|
||||
overlays = [(source.${name}.overlay or (_: _: {}))];
|
||||
};
|
||||
packages = name:
|
||||
let flakeSource = inputs.topInputs.${source.${name}.source or source.${name}};
|
||||
in import flakeSource
|
||||
{
|
||||
localSystem =
|
||||
if nixpkgs.march == null then { system = "${nixpkgs.arch or "x86_64"}-linux"; }
|
||||
else
|
||||
let march = (marchFilter flakeSource.lib.version).${nixpkgs.march} or nixpkgs.march;
|
||||
in { system = "${nixpkgs.arch or "x86_64"}-linux"; gcc = { arch = march; tune = march; }; };
|
||||
inherit config;
|
||||
overlays = source.${name}.overlays or [(_: _: {})];
|
||||
};
|
||||
in builtins.listToAttrs (builtins.map
|
||||
(name: { inherit name; value = packages name; }) (builtins.attrNames source))
|
||||
)
|
||||
@@ -124,8 +163,19 @@ in platformConfig //
|
||||
rich = prev.rich.overridePythonAttrs (prev:
|
||||
{ disabledTests = prev.disabledTests or [] ++ [ "test_brokenpipeerror" ]; });
|
||||
}
|
||||
// (inputs.lib.optionalAttrs (nixpkgs.march != null && !prev.stdenv.hostPlatform.avx2Support)
|
||||
{
|
||||
numcodecs = prev.numcodecs.overridePythonAttrs (prev:
|
||||
{
|
||||
disabledTests = prev.disabledTests or []
|
||||
++ [ "test_encode_decode" "test_partial_decode" "test_blosc" ];
|
||||
});
|
||||
})
|
||||
))];
|
||||
inherit (final.pkgs-2411) intelPackages_2023;
|
||||
})
|
||||
// (inputs.lib.optionalAttrs (nixpkgs.march == "silvermont")
|
||||
{ c-blosc = prev.c-blosc.overrideAttrs { doCheck = false; }; })
|
||||
// (inputs.lib.optionalAttrs (nixpkgs.arch or null == "aarch64") { nix = final.nixVersions.nix_2_29; })
|
||||
)];
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
lib: rec
|
||||
{
|
||||
attrsToList = attrs: builtins.map (name: { inherit name; value = attrs.${name}; }) (builtins.attrNames attrs);
|
||||
inherit (lib) attrsToList;
|
||||
mkConditional = condition: trueResult: falseResult: let inherit (lib) mkMerge mkIf; in
|
||||
mkMerge [ ( mkIf condition trueResult ) ( mkIf (!condition) falseResult ) ];
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{ inputs, localLib }:
|
||||
let
|
||||
singles = [ "nas" "pc" "vps4" "vps6" "one" "srv3" "test" "test-pc" "test-pc-vm" ];
|
||||
cluster = { srv1 = 3; srv2 = 2; };
|
||||
singles = [ "nas" "pc" "vps4" "vps6" "r2s" ];
|
||||
cluster = { srv1 = 3; srv2 = 3; };
|
||||
deviceModules = builtins.listToAttrs
|
||||
(
|
||||
(builtins.map
|
||||
@@ -25,9 +25,9 @@ let
|
||||
(localLib.attrsToList cluster)))
|
||||
);
|
||||
in builtins.mapAttrs
|
||||
(_: v: inputs.nixpkgs.lib.nixosSystem
|
||||
(n: v: inputs.nixpkgs.lib.nixosSystem
|
||||
{
|
||||
system = "x86_64-linux";
|
||||
system = null;
|
||||
specialArgs = { topInputs = inputs; inherit localLib; };
|
||||
modules = localLib.mkModules v;
|
||||
})
|
||||
|
||||
@@ -1,17 +1,16 @@
|
||||
{ inputs, localLib }: rec
|
||||
{
|
||||
pkgs = (import inputs.nixpkgs
|
||||
pkgs = import inputs.nixpkgs (localLib.buildNixpkgsConfig
|
||||
{
|
||||
system = "x86_64-linux";
|
||||
config.allowUnfree = true;
|
||||
overlays = [ inputs.self.overlays.default ];
|
||||
inputs = { inherit (inputs.nixpkgs) lib; topInputs = inputs; };
|
||||
nixpkgs = { march = null; cuda = null; nixRoot = null; nixos = false; };
|
||||
});
|
||||
hpcstat =
|
||||
let
|
||||
openssh = (pkgs.pkgsStatic.openssh.override { withLdns = false; etcDir = null; }).overrideAttrs
|
||||
(prev: { doCheck = false; patches = prev.patches ++ [ ../packages/hpcstat/openssh.patch ];});
|
||||
duc = pkgs.pkgsStatic.duc.override { enableCairo = false; cairo = null; pango = null; };
|
||||
glaze = pkgs.pkgsStatic.glaze.overrideAttrs
|
||||
glaze = pkgs.pkgs-2411.pkgsStatic.glaze.overrideAttrs
|
||||
(prev: { cmakeFlags = prev.cmakeFlags ++ [ "-Dglaze_ENABLE_FUZZING=OFF" ]; });
|
||||
# pkgsStatic.clangStdenv have a bug
|
||||
# https://github.com/NixOS/nixpkgs/issues/177129
|
||||
@@ -37,19 +36,17 @@
|
||||
else if builtins.isAttrs x then builtins.concatMap getDrv (builtins.attrValues x)
|
||||
else if builtins.isList x then builtins.concatMap getDrv x
|
||||
else [];
|
||||
in pkgs.concatText "src" (getDrv (inputs.self.outputs.src));
|
||||
in pkgs.writeText "src" (builtins.concatStringsSep "\n" (getDrv inputs.self.outputs.src));
|
||||
dns-push = pkgs.callPackage ./dns
|
||||
{
|
||||
inherit localLib;
|
||||
tokenPath = inputs.self.nixosConfigurations.pc.config.sops.secrets."acme/token".path;
|
||||
tokenPath = inputs.self.nixosConfigurations.pc.config.nixos.system.sops.secrets."acme/token".path;
|
||||
octodns = pkgs.octodns.withProviders (_: with pkgs.octodns-providers; [ cloudflare ]);
|
||||
};
|
||||
archive =
|
||||
let devices =
|
||||
[ "nas" "one" "pc" "srv1-node0" "srv1-node1" "srv1-node2" "srv2-node0" "srv2-node1" "srv3" "vps4" "vps6" ];
|
||||
in pkgs.writeText "archive" (builtins.concatStringsSep "\n" (builtins.map
|
||||
(d: "${inputs.self.outputs.nixosConfigurations.${d}.config.system.build.toplevel}") devices));
|
||||
archive = pkgs.writeText "archive" (builtins.concatStringsSep "\n" (builtins.concatLists
|
||||
[
|
||||
(inputs.nixpkgs.lib.mapAttrsToList (_: v: v.config.system.build.toplevel) inputs.self.outputs.nixosConfigurations)
|
||||
[ src ]
|
||||
]));
|
||||
}
|
||||
// (builtins.listToAttrs (builtins.map
|
||||
(system: { inherit (system) name; value = system.value.config.system.build.toplevel; })
|
||||
(localLib.attrsToList inputs.self.outputs.nixosConfigurations)))
|
||||
// (builtins.mapAttrs (_: v: v.config.system.build.toplevel) inputs.self.outputs.nixosConfigurations)
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
netboot = pkgs.fetchurl
|
||||
{
|
||||
url = "https://boot.netboot.xyz/ipxe/netboot.xyz.iso";
|
||||
sha256 = "01hlslbi2i3jkzjwn24drhd2lriaqiwr9hb83r0nib9y1jvr3k5p";
|
||||
sha256 = "6GeOcugqElGPoPXeaWVpjcV5bCFxNLShGgN/sjsVzuI=";
|
||||
};
|
||||
};
|
||||
vasp =
|
||||
@@ -89,7 +89,7 @@
|
||||
hashMode = "recursive";
|
||||
message = "Source file not found.";
|
||||
};
|
||||
image = "7bb3a43bd1ad6103a57f700b13d11d486b6ea117838201e4a29d79b33ac72e3a";
|
||||
image = "6803f9562b941c23db81a2eae5914561f96fa748536199a010fe6f24922b2878";
|
||||
imageFile = pkgs.requireFile
|
||||
{
|
||||
name = "lumericalLicenseManager.tar";
|
||||
@@ -110,13 +110,13 @@
|
||||
};
|
||||
};
|
||||
};
|
||||
vesta =
|
||||
vesta = rec
|
||||
{
|
||||
version = "3.90.5a";
|
||||
version = "3.5.8";
|
||||
src = pkgs.fetchurl
|
||||
{
|
||||
url = "https://jp-minerals.org/vesta/archives/testing/VESTA-gtk3-x86_64.tar.bz2";
|
||||
sha256 = "0y277m2xvjyzx8hncc3ka73lir8x6x2xckjac9fdzg03z0jnpqzf";
|
||||
url = "https://jp-minerals.org/vesta/archives/${version}/VESTA-gtk3.tar.bz2";
|
||||
sha256 = "1y4dhqhk0jy7kbkkx2c6lsrm5lirn796mq67r5j1s7xkq8jz1gkq";
|
||||
};
|
||||
desktopFile = pkgs.fetchurl
|
||||
{
|
||||
@@ -128,7 +128,7 @@
|
||||
mirism-old = pkgs.requireFile
|
||||
{
|
||||
name = "mirism";
|
||||
sha256 = "0f50pvdafhlmrlbf341mkp9q50v4ld5pbx92d2w1633f18zghbzf";
|
||||
sha256 = "1zhhzwi325g21kqdip7zzw1i9b354h1wpzd4zhzb1ql9kjdh87q3";
|
||||
hashMode = "recursive";
|
||||
message = "Source file not found.";
|
||||
};
|
||||
@@ -180,7 +180,7 @@
|
||||
"intel.oneapi.lin.compilers-common,v=2025.1.1+10"
|
||||
];
|
||||
};
|
||||
rsshub = pkgs.dockerTools.pullImage
|
||||
rsshub = pkgs.dockerTools.pullImage
|
||||
{
|
||||
imageName = "diygod/rsshub";
|
||||
imageDigest = "sha256:1f9d97263033752bf5e20c66a75e134e6045b6d69ae843c1f6610add696f8c22";
|
||||
@@ -188,4 +188,32 @@
|
||||
finalImageName = "rsshub";
|
||||
finalImageTag = "latest";
|
||||
};
|
||||
atat = pkgs.fetchurl
|
||||
{
|
||||
url = "https://axelvandewalle.github.io/www-avdw/atat/atat3_50.tar.gz";
|
||||
sha256 = "14sblzqsi5bxfhsjbq256bc2gfd7zrxyf5za0iaw77b592ppjg3m";
|
||||
};
|
||||
atomkit = pkgs.fetchurl
|
||||
{
|
||||
url = "mirror://sourceforge/atomkit/Binaries/atomkit.0.9.0.linux.x64.tar.gz";
|
||||
sha256 = "0y9z7wva7zikh83w9q431lgn3bqkh1v5w6iz90dwc75wqwk0w5jr";
|
||||
};
|
||||
guix = pkgs.fetchurl
|
||||
{
|
||||
url = "https://ci.guix.gnu.org/download/2857";
|
||||
name = "guix.iso";
|
||||
sha256 = "0xqabnay8wwqc1a96db8ix1a6bhvgm84s5is1q67rr432q7gqgd4";
|
||||
};
|
||||
peerBanHelper =
|
||||
{
|
||||
image = "ghostchu/peerbanhelper:v8.0.12";
|
||||
imageFile = pkgs.dockerTools.pullImage
|
||||
{
|
||||
imageName = "ghostchu/peerbanhelper";
|
||||
imageDigest = "sha256:fce7047795fe1e6d730ea2583b390ccc336e79eb2d8dae8114f4f63f00208879";
|
||||
hash = "sha256-7Z2ewDpGFXyvCze9HZ7KwFwn9o9R6Y4pjJDcr5Wmy1g=";
|
||||
finalImageName = "ghostchu/peerbanhelper";
|
||||
finalImageTag = "v8.0.12";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -12,8 +12,12 @@ let bugs =
|
||||
(attrs: { patches = attrs.patches ++ [ ./xmunet.patch ];}); };
|
||||
backlight.boot.kernelParams = [ "nvidia.NVreg_RegistryDwords=EnableBrightnessControl=1" ];
|
||||
amdpstate.boot.kernelParams = [ "amd_pstate=active" ];
|
||||
iwlwifi.nixos.system.kernel.modules.modprobeConfig =
|
||||
[ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
|
||||
iwlwifi.boot.extraModprobeConfig =
|
||||
''
|
||||
options iwlwifi power_save=0
|
||||
options iwlmvm power_scheme=1
|
||||
options iwlwifi uapsd_disable=1
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
|
||||
@@ -6,8 +6,16 @@ inputs: let inherit (inputs) topInputs; in
|
||||
topInputs.sops-nix.nixosModules.sops
|
||||
topInputs.nix-index-database.nixosModules.nix-index
|
||||
topInputs.impermanence.nixosModules.impermanence
|
||||
topInputs.nix-flatpak.nixosModules.nix-flatpak
|
||||
topInputs.chaotic.nixosModules.default
|
||||
{ config.chaotic.nyx.overlay.onTopOf = "user-pkgs"; }
|
||||
topInputs.catppuccin.nixosModules.catppuccin
|
||||
topInputs.aagl.nixosModules.default
|
||||
topInputs.nixvirt.nixosModules.default
|
||||
topInputs.niri.nixosModules.niri
|
||||
{ config.niri-flake.cache.enable = false; }
|
||||
# TODO: Remove after next release
|
||||
"${topInputs.nixpkgs-unstable}/nixos/modules/services/hardware/lact.nix"
|
||||
(inputs:
|
||||
{
|
||||
config =
|
||||
|
||||
@@ -2,11 +2,11 @@ inputs:
|
||||
{
|
||||
options.nixos.hardware.cpu = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.enum [ "intel" "amd" ];
|
||||
type = types.nullOr (types.enum [ "intel" "amd" ]);
|
||||
default = let inherit (inputs.config.nixos.system.nixpkgs) march; in
|
||||
if march == null then null
|
||||
else if inputs.lib.hasPrefix "znver" march then "amd"
|
||||
else if (inputs.lib.hasSuffix "lake" march)
|
||||
else if inputs.lib.hasInfix "znver" march then "amd"
|
||||
else if (inputs.lib.hasInfix "lake" march)
|
||||
|| (builtins.elem march [ "sandybridge" "silvermont" "haswell" "broadwell" ])
|
||||
then "intel"
|
||||
else null;
|
||||
|
||||
@@ -31,14 +31,18 @@ inputs:
|
||||
(
|
||||
let gpus = inputs.lib.strings.splitString "+" gpu.type; in
|
||||
{
|
||||
boot.initrd.availableKernelModules =
|
||||
let modules =
|
||||
{
|
||||
intel = [ "i915" ];
|
||||
nvidia = []; # early loading breaks resume from hibernation
|
||||
amd = [];
|
||||
};
|
||||
in builtins.concatLists (builtins.map (gpu: modules.${gpu}) gpus);
|
||||
boot =
|
||||
{
|
||||
initrd.availableKernelModules =
|
||||
let modules =
|
||||
{
|
||||
intel = [ "i915" ];
|
||||
nvidia = []; # early loading breaks resume from hibernation
|
||||
amd = [];
|
||||
};
|
||||
in builtins.concatLists (builtins.map (gpu: modules.${gpu}) gpus);
|
||||
blacklistedKernelModules = [ "nouveau" ];
|
||||
};
|
||||
hardware =
|
||||
{
|
||||
graphics =
|
||||
@@ -66,7 +70,6 @@ inputs:
|
||||
prime.allowExternalGpu = true;
|
||||
};
|
||||
};
|
||||
boot.blacklistedKernelModules = [ "nouveau" ];
|
||||
services.xserver.videoDrivers =
|
||||
let driver = { intel = "modesetting"; amd = "amdgpu"; nvidia = "nvidia"; };
|
||||
in builtins.map (gpu: driver.${gpu}) gpus;
|
||||
@@ -78,6 +81,14 @@ inputs:
|
||||
amd = [];
|
||||
};
|
||||
in builtins.concatLists (builtins.map (gpu: packages.${gpu}) gpus);
|
||||
environment.etc."nvidia/nvidia-application-profiles-rc.d/vram" = inputs.lib.mkIf (builtins.elem "nvidia" gpus)
|
||||
{
|
||||
source = inputs.pkgs.writeText "save-vram" (builtins.toJSON
|
||||
{
|
||||
rules = [{ pattern = { feature = "true"; matches = ""; }; profile = "save-vram"; }];
|
||||
profiles = [{ name = "save-vram"; settings = [{ key = "GLVidHeapReuseRatio"; value = 0; }]; }];
|
||||
});
|
||||
};
|
||||
}
|
||||
)
|
||||
# nvidia prime offload
|
||||
|
||||
@@ -3,6 +3,7 @@ inputs:
|
||||
options.nixos.model = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
hostname = mkOption { type = types.nonEmptyStr; };
|
||||
arch = mkOption { type = types.nonEmptyStr; default = "x86_64"; };
|
||||
type = mkOption { type = types.enum [ "minimal" "desktop" "server" ]; default = "minimal"; };
|
||||
private = mkOption { type = types.bool; default = false; };
|
||||
cluster = mkOption
|
||||
|
||||
@@ -1,25 +1,63 @@
|
||||
inputs:
|
||||
{
|
||||
imports = inputs.localLib.findModules ./.;
|
||||
options.nixos.packages.packages = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
_packages = mkOption { type = types.listOf types.unspecified; default = []; };
|
||||
_pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
|
||||
_prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
|
||||
_pythonEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
_vscodeEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
};
|
||||
config =
|
||||
{
|
||||
environment.systemPackages = with inputs.config.nixos.packages.packages;
|
||||
_packages
|
||||
++ [
|
||||
(
|
||||
(inputs.pkgs.python3.withPackages (pythonPackages:
|
||||
builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages) _pythonPackages)))
|
||||
.override (prev: { makeWrapperArgs = prev.makeWrapperArgs or [] ++ _pythonEnvFlags; }))
|
||||
(inputs.pkgs.writeTextDir "share/prebuild-packages"
|
||||
(builtins.concatStringsSep "\n" (builtins.map builtins.toString _prebuildPackages)))
|
||||
];
|
||||
};
|
||||
options.nixos.packages =
|
||||
let
|
||||
inherit (inputs.lib) mkOption types;
|
||||
simpleSubmodule = mkOption { type = types.nullOr (types.submodule {}); default = null; };
|
||||
in
|
||||
{
|
||||
packages =
|
||||
{
|
||||
_packages = mkOption { type = types.listOf types.unspecified; default = []; };
|
||||
_pythonPackages = mkOption { type = types.listOf types.unspecified; default = []; };
|
||||
_prebuildPackages = mkOption { type = types.listOf types.unspecified; default = []; };
|
||||
_pythonEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
_vscodeEnvFlags = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
};
|
||||
}
|
||||
// (builtins.listToAttrs (builtins.map (n: inputs.lib.nameValuePair n simpleSubmodule)
|
||||
[ "vasp" "mathematica" "lumerical" "flatpak" "android-studio" ]));
|
||||
config = inputs.lib.mkMerge
|
||||
[
|
||||
{
|
||||
environment.systemPackages = with inputs.config.nixos.packages.packages;
|
||||
_packages
|
||||
++ [
|
||||
(
|
||||
(inputs.pkgs.python3.withPackages (pythonPackages:
|
||||
builtins.concatLists (builtins.map (packageFunction: packageFunction pythonPackages) _pythonPackages)))
|
||||
.override (prev: { makeWrapperArgs = prev.makeWrapperArgs or [] ++ _pythonEnvFlags; }))
|
||||
(inputs.pkgs.writeTextDir "share/prebuild-packages"
|
||||
(builtins.concatStringsSep "\n" (builtins.map builtins.toString _prebuildPackages)))
|
||||
];
|
||||
}
|
||||
(inputs.lib.mkIf (inputs.config.nixos.packages.vasp != null)
|
||||
{
|
||||
nixos.packages.packages = with inputs.pkgs;
|
||||
{
|
||||
_packages =
|
||||
[
|
||||
localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90
|
||||
(if inputs.config.nixos.system.nixpkgs.cuda != null then localPackages.vasp.nvidia else emptyDirectory)
|
||||
localPackages.atomkit (inputs.lib.mkAfter localPackages.atat)
|
||||
];
|
||||
_pythonPackages = [(_: [ localPackages.py4vasp ])];
|
||||
};
|
||||
})
|
||||
(inputs.lib.mkIf (inputs.config.nixos.packages.mathematica != null)
|
||||
{ nixos.packages.packages._packages = [ inputs.pkgs.mathematica ]; })
|
||||
(inputs.lib.mkIf (inputs.config.nixos.packages.lumerical != null)
|
||||
{
|
||||
nixos =
|
||||
{
|
||||
packages.packages._packages = [ inputs.pkgs.localPackages.lumerical.lumerical.cmd ];
|
||||
services.lumericalLicenseManager = {};
|
||||
};
|
||||
})
|
||||
(inputs.lib.mkIf (inputs.config.nixos.packages.flatpak != null)
|
||||
{ services.flatpak = { enable = true; uninstallUnmanaged = true; }; })
|
||||
(inputs.lib.mkIf (inputs.config.nixos.packages.android-studio != null)
|
||||
{ nixos.packages.packages._packages = with inputs.pkgs; [ androidStudioPackages.stable.full ]; })
|
||||
];
|
||||
}
|
||||
|
||||
@@ -15,7 +15,8 @@ inputs:
|
||||
[
|
||||
# system management
|
||||
# TODO: module should add yubikey-touch-detector into path
|
||||
gparted yubikey-touch-detector btrfs-assistant kdePackages.qtstyleplugin-kvantum cpu-x wl-mirror xpra
|
||||
gparted wayland-utils clinfo glxinfo vulkan-tools dracut yubikey-touch-detector btrfs-assistant snapper-gui
|
||||
kdePackages.qtstyleplugin-kvantum ventoy-full cpu-x wl-mirror geekbench xpra
|
||||
(
|
||||
writeShellScriptBin "xclip"
|
||||
''
|
||||
@@ -23,50 +24,69 @@ inputs:
|
||||
else exec ${wl-clipboard-x11}/bin/xclip "$@"; fi
|
||||
''
|
||||
)
|
||||
# color management
|
||||
argyllcms xcalib
|
||||
# networking
|
||||
remmina putty kdePackages.krdc
|
||||
remmina putty mtr-gui
|
||||
# media
|
||||
mpv nomacs simplescreenrecorder imagemagick gimp-with-plugins qcm waifu2x-converter-cpp blender paraview vlc
|
||||
obs-studio (inkscape-with-extensions.override { inkscapeExtensions = null; }) kdePackages.kcolorchooser
|
||||
kdePackages.kdenlive
|
||||
mpv nomacs simplescreenrecorder imagemagick gimp-with-plugins netease-cloud-music-gtk qcm
|
||||
waifu2x-converter-cpp blender paraview vlc whalebird spotify obs-studio
|
||||
(inkscape-with-extensions.override { inkscapeExtensions = null; })
|
||||
# terminal
|
||||
warp-terminal
|
||||
# development
|
||||
adb-sync scrcpy dbeaver-bin aircrack-ng fprettify waveterm
|
||||
adb-sync scrcpy dbeaver-bin cling aircrack-ng
|
||||
weston cage openbox krita fprettify # jetbrains.clion
|
||||
# desktop sharing
|
||||
rustdesk-flutter
|
||||
# password and key management
|
||||
yubikey-manager yubikey-manager-qt yubikey-personalization yubikey-personalization-gui bitwarden hashcat
|
||||
kdePackages.kleopatra
|
||||
electrum jabref john crunch
|
||||
# download
|
||||
qbittorrent wgetpaste rclone
|
||||
qbittorrent nur-xddxdd.baidupcs-go wgetpaste onedrive onedrivegui rclone
|
||||
# editor
|
||||
typora
|
||||
typora appflowy notion-app-enhanced joplin-desktop standardnotes logseq obsidian code-cursor
|
||||
# news
|
||||
fluent-reader newsflash follow
|
||||
fluent-reader rssguard newsflash newsboat follow
|
||||
# nix tools
|
||||
nixpkgs-fmt nixd nix-serve nix-prefetch-github prefetch-npm-deps nix-prefetch-docker
|
||||
# required by vscode nix tools
|
||||
nil
|
||||
nixpkgs-fmt appimage-run nixd nix-serve node2nix nix-prefetch-github prefetch-npm-deps nix-prefetch-docker
|
||||
nix-template nil bundix
|
||||
# instant messager
|
||||
element-desktop telegram-desktop discord zoom-us slack nheko
|
||||
element-desktop telegram-desktop discord zoom-us slack nheko hexchat halloy
|
||||
fluffychat signal-desktop qq nur-xddxdd.wechat-uos-sandboxed cinny-desktop
|
||||
# browser
|
||||
google-chrome tor-browser
|
||||
# office
|
||||
crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain activitywatch
|
||||
ydict pspp libreoffice-qt6-fresh ocrmypdf typst kdePackages.kruler
|
||||
crow-translate zotero pandoc texliveFull poppler_utils pdftk pdfchain davinci-resolve
|
||||
ydict texstudio panoply pspp libreoffice-qt6-fresh ocrmypdf typst # paperwork
|
||||
# required by ltex-plus.vscode-ltex-plus
|
||||
ltex-ls ltex-ls-plus
|
||||
# matplot++ needs old gnuplot
|
||||
inputs.pkgs.pkgs-2311.gnuplot
|
||||
pkgs-2311.gnuplot
|
||||
# math, physics and chemistry
|
||||
octaveFull mpi geogebra6 qalculate-qt
|
||||
octaveFull ovito localPackages.vesta localPackages.v-sim jmol mpi geogebra6 localPackages.ufo
|
||||
(quantum-espresso.override
|
||||
{
|
||||
stdenv = gcc14Stdenv;
|
||||
gfortran = gfortran14;
|
||||
wannier90 = wannier90.overrideAttrs { buildFlags = [ "dynlib" ]; };
|
||||
})
|
||||
pkgs-2311.hdfview numbat qalculate-qt
|
||||
# virtualization
|
||||
bottles wineWowPackages.stagingFull
|
||||
virt-viewer bottles wineWowPackages.stagingFull genymotion playonlinux
|
||||
# media
|
||||
nur-xddxdd.svp
|
||||
# for kdenlive auto subtitle
|
||||
openai-whisper
|
||||
];
|
||||
# daily management
|
||||
activitywatch
|
||||
]
|
||||
++ (builtins.filter (p: !((p.meta.broken or false) || (builtins.elem p.pname or null [ "falkon" "kalzium" ])))
|
||||
(builtins.filter inputs.lib.isDerivation (builtins.attrValues kdePackages.kdeGear)));
|
||||
_pythonPackages = [(pythonPackages: with pythonPackages;
|
||||
[
|
||||
scipy scikit-learn jupyterlab autograd numpy
|
||||
phonopy scipy scikit-learn jupyterlab autograd inputs.pkgs.localPackages.phono3py
|
||||
tensorflow keras numpy
|
||||
])];
|
||||
};
|
||||
user.sharedModules =
|
||||
@@ -122,7 +142,15 @@ inputs:
|
||||
kdeconnect.enable = inputs.lib.mkIf (inputs.config.nixos.system.gui.implementation == "kde") true;
|
||||
kde-pim = inputs.lib.mkIf (inputs.config.nixos.system.gui.implementation == "kde")
|
||||
{ enable = true; kmail = true; };
|
||||
coolercontrol =
|
||||
{
|
||||
enable = true;
|
||||
nvidiaSupport = if inputs.config.nixos.hardware.gpu.type == null then false
|
||||
else inputs.lib.hasSuffix "nvidia" inputs.config.nixos.hardware.gpu.type;
|
||||
};
|
||||
alvr = { enable = true; openFirewall = true; };
|
||||
localsend.enable = true;
|
||||
};
|
||||
services.pcscd.enable = true;
|
||||
services = { pcscd.enable = true; lact.enable = true; };
|
||||
};
|
||||
}
|
||||
|
||||
14
modules/packages/extra.nix
Normal file
14
modules/packages/extra.nix
Normal file
@@ -0,0 +1,14 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.packages.extra = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule {}); default = null; };
|
||||
config = let inherit (inputs.config.nixos.packages) extra; in inputs.lib.mkIf (extra != null)
|
||||
{
|
||||
programs =
|
||||
{
|
||||
anime-game-launcher = { enable = true; package = inputs.pkgs.anime-game-launcher; };
|
||||
honkers-railway-launcher = { enable = true; package = inputs.pkgs.honkers-railway-launcher; };
|
||||
sleepy-launcher = { enable = true; package = inputs.pkgs.sleepy-launcher; };
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -3,7 +3,7 @@ inputs:
|
||||
options.nixos.packages.firefox = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule {});
|
||||
default = if inputs.config.nixos.model.type == "desktop" then {} else null;
|
||||
default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.packages) firefox; in inputs.lib.mkIf (firefox != null)
|
||||
{
|
||||
|
||||
@@ -1,23 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.packages.lammps = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule {}); default = null; };
|
||||
config = let inherit (inputs.config.nixos.packages) lammps; in inputs.lib.mkIf (lammps != null)
|
||||
{
|
||||
nixos.packages =
|
||||
{
|
||||
molecule = {};
|
||||
packages._packages =
|
||||
let cuda = let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null;
|
||||
in
|
||||
if cuda then [((inputs.pkgs.lammps.override { stdenv = inputs.pkgs.cudaPackages.backendStdenv; })
|
||||
.overrideAttrs (prev:
|
||||
{
|
||||
cmakeFlags = prev.cmakeFlags ++ [ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
|
||||
nativeBuildInputs = prev.nativeBuildInputs ++ [ inputs.pkgs.cudaPackages.cudatoolkit ];
|
||||
buildInputs = prev.buildInputs ++ [ inputs.pkgs.mpi ];
|
||||
}))]
|
||||
else [ inputs.pkgs.lammps-mpi ];
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.packages.mathematica = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule {}); default = null; };
|
||||
config = let inherit (inputs.config.nixos.packages) mathematica; in inputs.lib.mkIf (mathematica != null)
|
||||
{ nixos.packages.packages._packages = [ inputs.pkgs.mathematica ]; };
|
||||
}
|
||||
@@ -12,7 +12,7 @@ inputs:
|
||||
beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq yq ipfetch localPackages.pslist
|
||||
fastfetch reptyr duc ncdu progress libva-utils ksh neofetch dateutils kitty glib
|
||||
# lsxx
|
||||
pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc acpica-tools
|
||||
pciutils usbutils lshw util-linux lsof dmidecode lm_sensors hwloc acpica-tools ethtool
|
||||
# top
|
||||
iotop iftop htop btop powertop s-tui
|
||||
# editor
|
||||
@@ -22,28 +22,53 @@ inputs:
|
||||
# file manager
|
||||
tree eza trash-cli lsd broot file xdg-ninja mlocate
|
||||
# compress
|
||||
pigz upx unzip zip lzip p7zip rar
|
||||
pigz upx unzip zip lzip p7zip
|
||||
(if inputs.pkgs.stdenv.hostPlatform.linuxArch == "x86_64" then rar else emptyDirectory)
|
||||
# file system management
|
||||
sshfs e2fsprogs compsize exfatprogs
|
||||
# disk management
|
||||
smartmontools hdparm gptfdisk megacli
|
||||
smartmontools hdparm gptfdisk
|
||||
(if inputs.pkgs.stdenv.hostPlatform.linuxArch == "x86_64" then megacli else emptyDirectory)
|
||||
# encryption and authentication
|
||||
apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool libfido2
|
||||
# networking
|
||||
ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools
|
||||
ipset iptables iproute2 dig nettools traceroute tcping-go whois tcpdump nmap inetutils wireguard-tools openvpn
|
||||
parted
|
||||
# nix tools
|
||||
nix-output-monitor nix-tree ssh-to-age nix-inspect
|
||||
# development
|
||||
gdb try rr hexo-cli gh nix-init hugo
|
||||
gdb try rr hexo-cli gh hugo
|
||||
# build failed on aarch64
|
||||
(if inputs.pkgs.stdenv.hostPlatform.linuxArch == "x86_64" then nix-init else emptyDirectory)
|
||||
(octodns.withProviders (_: with octodns-providers; [ cloudflare ]))
|
||||
# stupid things
|
||||
toilet lolcat localPackages.stickerpicker graph-easy
|
||||
# office
|
||||
pdfgrep ffmpeg-full hdf5
|
||||
# scientific computing
|
||||
(if inputs.config.nixos.system.nixpkgs.cuda != null then localPackages.mumax else emptyDirectory)
|
||||
(if inputs.config.nixos.system.nixpkgs.cuda != null
|
||||
then (lammps.override { stdenv = cudaPackages.backendStdenv; }).overrideAttrs (prev:
|
||||
{
|
||||
cmakeFlags = prev.cmakeFlags ++
|
||||
[ "-DPKG_GPU=on" "-DGPU_API=cuda" "-DCMAKE_POLICY_DEFAULT_CMP0146=OLD" ];
|
||||
nativeBuildInputs = prev.nativeBuildInputs ++ [ cudaPackages.cudatoolkit ];
|
||||
buildInputs = prev.buildInputs ++ [ mpi ];
|
||||
})
|
||||
else lammps-mpi)
|
||||
]
|
||||
++ (with inputs.config.boot.kernelPackages; [ cpupower usbip ])
|
||||
++ (inputs.lib.optionals (inputs.config.nixos.system.gui.implementation == "kde")
|
||||
[ inputs.topInputs.plasma-manager.packages.${inputs.pkgs.system}.rc2nix ]);
|
||||
_pythonPackages = [(pythonPackages: with pythonPackages;
|
||||
[
|
||||
openai python-telegram-bot fastapi-cli pypdf2 pandas matplotlib plotly gunicorn redis jinja2 certifi
|
||||
charset-normalizer idna orjson psycopg2 inquirerpy requests tqdm pydbus
|
||||
# allow pandas read odf
|
||||
odfpy
|
||||
# for vasp plot-workfunc.py
|
||||
ase
|
||||
])];
|
||||
};
|
||||
programs =
|
||||
{
|
||||
|
||||
@@ -1,20 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.packages.molecule = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule {});
|
||||
default = if inputs.config.nixos.model.type == "desktop" then {} else null;
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.packages) molecule; in inputs.lib.mkIf (molecule != null)
|
||||
{
|
||||
nixos.packages.packages =
|
||||
{
|
||||
_packages = with inputs.pkgs;
|
||||
[ ovito localPackages.vesta localPackages.v-sim localPackages.ufo inputs.pkgs.pkgs-2311.hdfview ];
|
||||
_pythonPackages = [(pythonPackages: with pythonPackages;
|
||||
[
|
||||
phonopy inputs.pkgs.localPackages.phono3py
|
||||
])];
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.packages.mumax = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule {}); default = null; };
|
||||
config = let inherit (inputs.config.nixos.packages) mumax; in inputs.lib.mkIf (mumax != null)
|
||||
{
|
||||
nixos.packages.packages._packages = [ inputs.pkgs.localPackages.mumax ];
|
||||
};
|
||||
}
|
||||
@@ -3,7 +3,7 @@ inputs:
|
||||
options.nixos.packages.steam = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule {});
|
||||
default = if inputs.config.nixos.model.type == "desktop" then {} else null;
|
||||
default = if builtins.elem inputs.config.nixos.model.type [ "desktop" "server" ] then {} else null;
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.packages) steam; in inputs.lib.mkIf (steam != null)
|
||||
{
|
||||
|
||||
@@ -1,23 +0,0 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.packages.vasp = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule {}); default = null; };
|
||||
config = let inherit (inputs.config.nixos.packages) vasp; in inputs.lib.mkIf (vasp != null)
|
||||
{
|
||||
nixos.packages =
|
||||
{
|
||||
molecule = {};
|
||||
packages = with inputs.pkgs;
|
||||
{
|
||||
_packages =
|
||||
(
|
||||
[ localPackages.vasp.intel localPackages.vasp.vtst localPackages.vaspkit wannier90 ]
|
||||
++ (inputs.lib.optional
|
||||
(let inherit (inputs.config.nixos.system.nixpkgs) cuda; in cuda.capabilities or null != null)
|
||||
localPackages.vasp.nvidia)
|
||||
);
|
||||
_pythonPackages = [(_: [ localPackages.py4vasp ])];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -7,80 +7,332 @@ inputs:
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.packages) vscode; in inputs.lib.mkIf (vscode != null)
|
||||
{
|
||||
nixos.packages.packages = with inputs.pkgs;
|
||||
{
|
||||
_packages =
|
||||
[(
|
||||
vscode-with-extensions.override
|
||||
nixos.user.sharedModules =
|
||||
[(hmInputs: {
|
||||
config.programs.vscode = inputs.lib.mkIf (hmInputs.config.home.username != "root")
|
||||
{
|
||||
enable = true;
|
||||
package = inputs.pkgs.vscode.overrideAttrs (prev: { preFixup = prev.preFixup +
|
||||
''
|
||||
gappsWrapperArgs+=(
|
||||
${builtins.concatStringsSep " " inputs.config.nixos.packages.packages._vscodeEnvFlags}
|
||||
)
|
||||
'';});
|
||||
profiles.default =
|
||||
{
|
||||
vscodeExtensions =
|
||||
let extensions = builtins.listToAttrs (builtins.map
|
||||
(set:
|
||||
enableExtensionUpdateCheck = false;
|
||||
enableUpdateCheck = false;
|
||||
extensions = inputs.pkgs.nix4vscode.forVscode
|
||||
[
|
||||
"github.copilot" "github.copilot-chat" "github.github-vscode-theme"
|
||||
"intellsmi.comment-translate"
|
||||
"ms-vscode.cmake-tools" "ms-vscode.cpptools-extension-pack" "ms-vscode.hexeditor"
|
||||
"ms-vscode.remote-explorer"
|
||||
"ms-vscode-remote.remote-ssh"
|
||||
"donjayamanne.githistory" "fabiospampinato.vscode-diff"
|
||||
"llvm-vs-code-extensions.vscode-clangd" "ms-ceintl.vscode-language-pack-zh-hans"
|
||||
"oderwat.indent-rainbow"
|
||||
"guyutongxue.cpp-reference" "thfriedrich.lammps" "leetcode.vscode-leetcode" # "znck.grammarly"
|
||||
"james-yu.latex-workshop" "bbenoist.nix" "jnoortheen.nix-ide" "ccls-project.ccls"
|
||||
"brettm12345.nixfmt-vscode"
|
||||
"gruntfuggly.todo-tree"
|
||||
# restrctured text
|
||||
"lextudio.restructuredtext" "trond-snekvik.simple-rst" "swyddfa.esbonio" "chrisjsewell.myst-tml-syntax"
|
||||
# markdown
|
||||
"yzhang.markdown-all-in-one" "shd101wyy.markdown-preview-enhanced"
|
||||
# vasp
|
||||
"mystery.vasp-support"
|
||||
"yutengjing.open-in-external-app"
|
||||
# git graph
|
||||
"mhutchie.git-graph"
|
||||
# python
|
||||
"ms-python.python"
|
||||
# theme
|
||||
"pkief.material-icon-theme"
|
||||
# direnv
|
||||
"mkhl.direnv"
|
||||
# svg viewer
|
||||
"vitaliymaz.vscode-svg-previewer"
|
||||
# draw
|
||||
"pomdtr.excalidraw-editor"
|
||||
# typst
|
||||
"myriad-dreamin.tinymist"
|
||||
# grammaly alternative
|
||||
"ltex-plus.vscode-ltex-plus"
|
||||
# jupyter
|
||||
"ms-toolsai.jupyter" "ms-toolsai.jupyter-keymap" "ms-toolsai.jupyter-renderers"
|
||||
"ms-toolsai.vscode-jupyter-cell-tags" "ms-toolsai.vscode-jupyter-slideshow"
|
||||
"ms-toolsai.datawrangler"
|
||||
];
|
||||
keybindings =
|
||||
[
|
||||
# use alt+a to complete inline suggestions, instead of tab or ctrl+enter
|
||||
{
|
||||
key = "alt+a";
|
||||
command = "editor.action.inlineSuggest.commit";
|
||||
when = "inlineSuggestionVisible";
|
||||
}
|
||||
{
|
||||
key = "tab";
|
||||
command = "-editor.action.inlineSuggest.commit";
|
||||
}
|
||||
{
|
||||
key = "ctrl+enter";
|
||||
command = "-editor.action.inlineSuggest.commit";
|
||||
}
|
||||
# use ctrl+j to jump to pdf in latex
|
||||
{
|
||||
key = "ctrl+alt+j";
|
||||
command = "-latex-workshop.synctex";
|
||||
}
|
||||
{
|
||||
key = "ctrl+j";
|
||||
command = "-workbench.action.togglePanel";
|
||||
}
|
||||
{
|
||||
key = "ctrl+j";
|
||||
command = "latex-workshop.synctex";
|
||||
when = "editorTextFocus && editorLangId == 'latex'";
|
||||
}
|
||||
{
|
||||
key = "ctrl+l alt+j";
|
||||
command = "-latex-workshop.synctex";
|
||||
}
|
||||
# use ctrl+j=b to build latex
|
||||
{
|
||||
key = "ctrl+b";
|
||||
command = "-workbench.action.toggleSidebarVisibility";
|
||||
}
|
||||
{
|
||||
key = "ctrl+b";
|
||||
command = "latex-workshop.build";
|
||||
when = "editorLangId =~ /^latex$|^latex-expl3$|^rsweave$|^jlweave$|^pweave$/";
|
||||
}
|
||||
{
|
||||
key = "ctrl+l alt+b";
|
||||
command = "-latex-workshop.build";
|
||||
}
|
||||
# use alt+t to cd to current dir
|
||||
{
|
||||
key = "alt+t";
|
||||
command = "workbench.action.terminal.sendSequence";
|
||||
args.text = "cd '\${fileDirname}'\n";
|
||||
}
|
||||
];
|
||||
userSettings =
|
||||
{
|
||||
"security.workspace.trust.enabled" = false;
|
||||
"editor.fontFamily" = "'FiraCode Nerd Font Mono', 'Noto Sans Mono CJK SC', 'Droid Sans Mono', 'monospace', monospace, 'Droid Sans Fallback'";
|
||||
"editor.fontLigatures" = true;
|
||||
"workbench.iconTheme" = "material-icon-theme";
|
||||
"cmake.configureOnOpen" = true;
|
||||
"editor.mouseWheelZoom" = true;
|
||||
"extensions.ignoreRecommendations" = true;
|
||||
"editor.smoothScrolling" = true;
|
||||
"editor.cursorSmoothCaretAnimation" = "on";
|
||||
"workbench.list.smoothScrolling" = true;
|
||||
"files.hotExit" = "off";
|
||||
"editor.wordWrapColumn" = 120;
|
||||
"window.restoreWindows" = "none";
|
||||
"editor.inlineSuggest.enabled" = true;
|
||||
"github.copilot.enable"."*" = true;
|
||||
"editor.acceptSuggestionOnEnter" = "off";
|
||||
"terminal.integrated.scrollback" = 10000;
|
||||
"editor.rulers" = [ 120 ];
|
||||
"indentRainbow.ignoreErrorLanguages" = [ "*" ];
|
||||
"markdown.extension.completion.respectVscodeSearchExclude" = false;
|
||||
"markdown.extension.print.absoluteImgPath" = false;
|
||||
"editor.tabCompletion" = "on";
|
||||
"workbench.colorTheme" = "GitHub Light";
|
||||
"workbench.startupEditor" = "none";
|
||||
"debug.toolBarLocation" = "docked";
|
||||
"search.maxResults" = 100000;
|
||||
"editor.action.inlineSuggest.commit" = "Ctrl+Space";
|
||||
"window.dialogStyle" = "custom";
|
||||
"redhat.telemetry.enabled" = true;
|
||||
"[xml]"."editor.defaultFormatter" = "DotJoshJohnson.xml";
|
||||
"git.ignoreLegacyWarning" = true;
|
||||
"git.confirmSync" = false;
|
||||
"cmake.configureArgs" = [ "-DCMAKE_VERBOSE_MAKEFILE:BOOL=ON" "-DCMAKE_EXPORT_COMPILE_COMMANDS=1" ];
|
||||
"editor.wordWrap" = "wordWrapColumn";
|
||||
"files.associations" = { "POSCAR" = "poscar"; "*.mod" = "lmps"; "*.vasp" = "poscar"; };
|
||||
"editor.stickyScroll.enabled" = true;
|
||||
"editor.minimap.showSlider" = "always";
|
||||
"editor.unicodeHighlight.allowedLocales" = { "zh-hans" = true; "zh-hant" = true; };
|
||||
"hexeditor.columnWidth" = 64;
|
||||
"latex-workshop.synctex.afterBuild.enabled" = true;
|
||||
"hexeditor.showDecodedText" = true;
|
||||
"hexeditor.defaultEndianness" = "little";
|
||||
"hexeditor.inspectorType" = "aside";
|
||||
"commentTranslate.hover.concise" = true;
|
||||
"commentTranslate.targetLanguage" = "en";
|
||||
"[python]"."editor.formatOnType" = true;
|
||||
"editor.minimap.renderCharacters" = false;
|
||||
"update.mode" = "none";
|
||||
"editor.tabSize" = 2;
|
||||
"nix.enableLanguageServer" = true;
|
||||
"nix.serverPath" = "nil";
|
||||
"nix.formatterPath" = "nixpkgs-fmt";
|
||||
"nix.serverSettings"."nil" =
|
||||
{
|
||||
"diagnostics"."ignored" = [ "unused_binding" "unused_with" ];
|
||||
"formatting"."command" = [ "nixpkgs-fmt" ];
|
||||
};
|
||||
"xmake.envBehaviour" = "erase";
|
||||
"git.openRepositoryInParentFolders" = "never";
|
||||
"todo-tree.regex.regex" = "(//|#|<!--|;|/\\*|^|%|^[ \\t]*(-|\\d+.))\\s*($TAGS)";
|
||||
"latex-workshop.latex.recipes" =
|
||||
[
|
||||
{
|
||||
name = set;
|
||||
value =
|
||||
# provided by nixpkgs
|
||||
vscode-extensions.${set} or {}
|
||||
# provided by nix-vscode-extensions, including pre-release versions, but prefer stable version
|
||||
// nix-vscode-extensions.vscode-marketplace.${set} or {}
|
||||
// nix-vscode-extensions.vscode-marketplace-release.${set} or {}
|
||||
# some versions are too high for the current vscode, use old version from here to override it
|
||||
// (nix-vscode-extensions.forVSCodeVersion inputs.pkgs.vscode.version)
|
||||
.vscode-marketplace-release.${set} or {};
|
||||
})
|
||||
(inputs.lib.unique
|
||||
(
|
||||
(builtins.attrNames vscode-extensions)
|
||||
++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace)
|
||||
++ (builtins.attrNames nix-vscode-extensions.vscode-marketplace-release)
|
||||
)));
|
||||
in with extensions;
|
||||
(with github; [ copilot copilot-chat github-vscode-theme ])
|
||||
++ (with intellsmi; [ comment-translate ])
|
||||
++ (with ms-vscode; [ cmake-tools cpptools-extension-pack hexeditor remote-explorer ])
|
||||
++ (with ms-vscode-remote; [ remote-ssh ])
|
||||
++ [
|
||||
donjayamanne.githistory fabiospampinato.vscode-diff
|
||||
llvm-vs-code-extensions.vscode-clangd ms-ceintl.vscode-language-pack-zh-hans
|
||||
oderwat.indent-rainbow
|
||||
twxs.cmake guyutongxue.cpp-reference thfriedrich.lammps leetcode.vscode-leetcode # znck.grammarly
|
||||
james-yu.latex-workshop bbenoist.nix jnoortheen.nix-ide ccls-project.ccls
|
||||
brettm12345.nixfmt-vscode
|
||||
gruntfuggly.todo-tree
|
||||
# restrctured text
|
||||
lextudio.restructuredtext trond-snekvik.simple-rst swyddfa.esbonio chrisjsewell.myst-tml-syntax
|
||||
# markdown
|
||||
yzhang.markdown-all-in-one shd101wyy.markdown-preview-enhanced
|
||||
# vasp
|
||||
mystery.vasp-support
|
||||
yutengjing.open-in-external-app
|
||||
# git graph
|
||||
mhutchie.git-graph
|
||||
# python
|
||||
ms-python.python
|
||||
# theme
|
||||
pkief.material-icon-theme
|
||||
# direnv
|
||||
mkhl.direnv
|
||||
# svg viewer
|
||||
vitaliymaz.vscode-svg-previewer
|
||||
# draw
|
||||
pomdtr.excalidraw-editor
|
||||
# typst
|
||||
myriad-dreamin.tinymist
|
||||
# grammaly alternative
|
||||
ltex-plus.vscode-ltex-plus
|
||||
]
|
||||
# jupyter
|
||||
# TODO: pick all extensions from nixpkgs or nix-vscode-extensions, explicitly
|
||||
++ (with vscode-extensions.ms-toolsai;
|
||||
[
|
||||
jupyter jupyter-keymap jupyter-renderers vscode-jupyter-cell-tags vscode-jupyter-slideshow
|
||||
datawrangler
|
||||
]);
|
||||
extraFlags = builtins.concatStringsSep " " inputs.config.nixos.packages.packages._vscodeEnvFlags;
|
||||
}
|
||||
)];
|
||||
};
|
||||
name = "xelatex";
|
||||
tools = [ "xelatex" "bibtex" "xelatex" "xelatex" ];
|
||||
}
|
||||
{
|
||||
name = "latexmk";
|
||||
tools = [ "latexmk" ];
|
||||
}
|
||||
{
|
||||
name = "latexmk (latexmkrc)";
|
||||
tools = [ "latexmk_rconly" ];
|
||||
}
|
||||
{
|
||||
name = "latexmk (lualatex)";
|
||||
tools = [ "lualatexmk" ];
|
||||
}
|
||||
{
|
||||
name = "latexmk (xelatex)";
|
||||
tools = [ "xelatexmk" ];
|
||||
}
|
||||
{
|
||||
name = "pdflatex -> bibtex -> pdflatex * 2";
|
||||
tools = [ "pdflatex" "bibtex" "pdflatex" "pdflatex" ];
|
||||
}
|
||||
];
|
||||
"latex-workshop.latex.recipe.default" = "xelatex";
|
||||
"latex-workshop.bind.altKeymap.enabled" = true;
|
||||
"latex-workshop.latex.autoBuild.run" = "never";
|
||||
"cmake.showOptionsMovedNotification" = false;
|
||||
"markdown.extension.toc.plaintext" = true;
|
||||
"markdown.extension.katex.macros" = {};
|
||||
"markdown-preview-enhanced.mathRenderingOption" = "MathJax";
|
||||
"mesonbuild.downloadLanguageServer" = false;
|
||||
"genieai.openai.model" = "gpt-3.5-turbo-instruct";
|
||||
"codeium.enableConfig" = { "*" = true; "Log" = true; };
|
||||
"fortran.notifications.releaseNotes" = false;
|
||||
"markdown-preview-enhanced.enablePreviewZenMode" = true;
|
||||
"ccls.misc.compilationDatabaseDirectory" = "build";
|
||||
"C_Cpp.intelliSenseEngine" = "disabled";
|
||||
"clangd.arguments" = [ "-header-insertion=never" ];
|
||||
"cmake.ctestDefaultArgs" = [ "-T" "test" "--output-on-failure" "--verbose" ];
|
||||
"terminal.integrated.mouseWheelZoom" = true;
|
||||
"notebook.lineNumbers" = "on";
|
||||
"editor.codeActionsOnSave" = {};
|
||||
"jupyter.notebookFileRoot" = "\${workspaceFolder}";
|
||||
"svg.preview.transparencyGrid" = false;
|
||||
"svg.preview.boundingBox" = false;
|
||||
"latex-workshop.latex.tools" =
|
||||
[
|
||||
{
|
||||
name = "xelatex";
|
||||
command = "xelatex";
|
||||
args = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOC%" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "latexmk";
|
||||
command = "latexmk";
|
||||
args = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-pdf" "-outdir=%OUTDIR%" "%DOC%" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "lualatexmk";
|
||||
command = "latexmk";
|
||||
args =
|
||||
[ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-lualatex" "-outdir=%OUTDIR%" "%DOC%" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "xelatexmk";
|
||||
command = "latexmk";
|
||||
args =
|
||||
[ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-xelatex" "-outdir=%OUTDIR%" "%DOC%" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "latexmk_rconly";
|
||||
command = "latexmk";
|
||||
args = [ "%DOC%" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "pdflatex";
|
||||
command = "pdflatex";
|
||||
args = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOC%" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "bibtex";
|
||||
command = "bibtex";
|
||||
args = [ "%DOCFILE%" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "rnw2tex";
|
||||
command = "Rscript";
|
||||
args = [ "-e" "knitr::opts_knit$set(concordance = TRUE); knitr::knit('%DOCFILE_EXT%')" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "jnw2tex";
|
||||
command = "julia";
|
||||
args = [ "-e" "using Weave; weave(\"%DOC_EXT%\", doctype=\"tex\")" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "jnw2texminted";
|
||||
command = "julia";
|
||||
args = [ "-e" "using Weave; weave(\"%DOC_EXT%\", doctype=\"texminted\")" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "pnw2tex";
|
||||
command = "pweave";
|
||||
args = [ "-f" "tex" "%DOC_EXT%" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "pnw2texminted";
|
||||
command = "pweave";
|
||||
args = [ "-f" "texminted" "%DOC_EXT%" ];
|
||||
env = {};
|
||||
}
|
||||
{
|
||||
name = "tectonic";
|
||||
command = "tectonic";
|
||||
args = [ "--synctex" "--keep-logs" "--print" "%DOC%.tex" ];
|
||||
env = {};
|
||||
}
|
||||
];
|
||||
"todo-tree.general.tags" = [ "BUG" "HACK" "FIXME" "TODO" ];
|
||||
"ltex.additionalRules.motherTongue" = "zh-CN";
|
||||
"ltex.ltex-ls.path" = "/run/current-system/sw";
|
||||
"cmake.ignoreCMakeListsMissing" = true;
|
||||
"[nix]"."editor.defaultFormatter" = "jnoortheen.nix-ide";
|
||||
"todo-tree.filtering.excludedWorkspaces" = [ "/nix/remote/**" ];
|
||||
"dataWrangler.outputRenderer.enabledTypes" =
|
||||
{
|
||||
"numpy.ndarray" = true;
|
||||
"builtins.list" = true;
|
||||
"builtins.dict" = true;
|
||||
};
|
||||
"ltex.language" = "auto";
|
||||
# maybe this could fix typst preview freezing on large project
|
||||
"tinymist.preview.partialRendering" = false;
|
||||
"tinymist.preview.refresh" = "onSave";
|
||||
"workbench.secondarySideBar.defaultVisibility" = "hidden";
|
||||
};
|
||||
};
|
||||
};
|
||||
})];
|
||||
};
|
||||
}
|
||||
|
||||
44
modules/packages/winapps/default.nix
Normal file
44
modules/packages/winapps/default.nix
Normal file
@@ -0,0 +1,44 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.packages.winapps = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule {}); default = null; };
|
||||
config = let inherit (inputs.config.nixos.packages) winapps; in inputs.lib.mkIf (winapps != null)
|
||||
{
|
||||
nixos.packages.packages._packages =
|
||||
[
|
||||
(inputs.pkgs.callPackage "${inputs.topInputs.winapps}/packages/winapps" {})
|
||||
(inputs.pkgs.runCommand "winapps-windows" {}
|
||||
''
|
||||
mkdir -p $out/share/applications
|
||||
cp ${inputs.pkgs.replaceVars ./windows.desktop { path = inputs.topInputs.winapps; }} \
|
||||
$out/share/applications/windows.desktop
|
||||
'')
|
||||
]
|
||||
++ builtins.map
|
||||
(p: inputs.pkgs.runCommand "winapps-${p}" {}
|
||||
''
|
||||
mkdir -p $out/share/applications
|
||||
source ${inputs.topInputs.winapps}/apps/${p}/info
|
||||
# replace \ with \\
|
||||
WIN_EXECUTABLE=$(echo $WIN_EXECUTABLE | sed 's/\\/\\\\/g')
|
||||
# replace space with \s
|
||||
WIN_EXECUTABLE=$(echo $WIN_EXECUTABLE | sed 's/ /\\s/g')
|
||||
cat > $out/share/applications/${p}.desktop << EOF
|
||||
[Desktop Entry]
|
||||
Name=$NAME
|
||||
Exec=winapps manual "$WIN_EXECUTABLE" %F
|
||||
Terminal=false
|
||||
Type=Application
|
||||
Icon=${inputs.topInputs.winapps}/apps/${p}/icon.svg
|
||||
StartupWMClass=$FULL_NAME
|
||||
Comment=$FULL_NAME
|
||||
Categories=$CATEGORIES
|
||||
MimeType=$MIME_TYPES
|
||||
EOF
|
||||
'')
|
||||
[
|
||||
"access-o365" "acrobat-x-pro" "cmd" "excel-o365" "explorer" "illustrator-cc" "powerpoint-o365"
|
||||
"visual-studio-comm" "word-o365"
|
||||
];
|
||||
};
|
||||
}
|
||||
9
modules/packages/winapps/windows.desktop
Normal file
9
modules/packages/winapps/windows.desktop
Normal file
@@ -0,0 +1,9 @@
|
||||
[Desktop Entry]
|
||||
Name=Windows
|
||||
Exec=winapps windows %F
|
||||
Terminal=false
|
||||
Type=Application
|
||||
Icon=@path@/icons/windows.svg
|
||||
StartupWMClass=Micorosoft Windows
|
||||
Comment=Micorosoft Windows
|
||||
Categories=Windows
|
||||
@@ -35,7 +35,7 @@ inputs:
|
||||
}
|
||||
{
|
||||
programs.zsh = inputs.lib.mkIf
|
||||
(builtins.elem home-inputs.config.home.username [ "chn" "root" "aleksana" "alikia" ])
|
||||
(builtins.elem home-inputs.config.home.username [ "chn" "root" "aleksana" "alikia" "hjp" ])
|
||||
{
|
||||
plugins =
|
||||
[
|
||||
@@ -63,6 +63,7 @@ inputs:
|
||||
[[ ! -r "$P10K_INSTANT_PROMPT" ]] || source "$P10K_INSTANT_PROMPT"
|
||||
HYPHEN_INSENSITIVE="true"
|
||||
export PATH=~/bin:$PATH
|
||||
zstyle ':vcs_info:*' disable-patterns "/nix/remote/*"
|
||||
'';
|
||||
oh-my-zsh.theme = "";
|
||||
};
|
||||
|
||||
@@ -34,21 +34,21 @@ inputs:
|
||||
name = builtins.elemAt cert.value.domains 0;
|
||||
value =
|
||||
{
|
||||
credentialsFile = inputs.config.sops.templates."acme/cloudflare.ini".path;
|
||||
credentialsFile = inputs.config.nixos.system.sops.templates."acme/cloudflare.ini".path;
|
||||
extraDomainNames = builtins.tail cert.value.domains;
|
||||
group = inputs.lib.mkIf (cert.value.group != null) cert.value.group;
|
||||
};
|
||||
})
|
||||
(inputs.localLib.attrsToList acme.cert));
|
||||
};
|
||||
sops =
|
||||
nixos.system.sops =
|
||||
{
|
||||
templates."acme/cloudflare.ini".content =
|
||||
''
|
||||
CLOUDFLARE_DNS_API_TOKEN=${inputs.config.sops.placeholder."acme/token"}
|
||||
CLOUDFLARE_DNS_API_TOKEN=${inputs.config.nixos.system.sops.placeholder."acme/token"}
|
||||
CLOUDFLARE_PROPAGATION_TIMEOUT=300
|
||||
'';
|
||||
secrets."acme/token".sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/acme.yaml";
|
||||
secrets."acme/token" = {};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -15,25 +15,19 @@ inputs:
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) beesd; in inputs.lib.mkIf (beesd != null)
|
||||
{
|
||||
services.beesd.filesystems = builtins.listToAttrs (builtins.map
|
||||
(fs:
|
||||
services.beesd.filesystems = inputs.lib.mapAttrs'
|
||||
(n: v: inputs.lib.nameValuePair (inputs.utils.escapeSystemdPath n)
|
||||
{
|
||||
name = inputs.utils.escapeSystemdPath fs.name;
|
||||
value =
|
||||
{
|
||||
spec = fs.name;
|
||||
inherit (fs.value) hashTableSizeMB;
|
||||
extraOptions =
|
||||
[
|
||||
"--workaround-btrfs-send"
|
||||
"--thread-count" "${builtins.toString fs.value.threads}"
|
||||
"--loadavg-target" "${builtins.toString fs.value.loadAverage}"
|
||||
"--scan-mode" "3"
|
||||
"--verbose" "4"
|
||||
];
|
||||
};
|
||||
spec = n;
|
||||
inherit (v) hashTableSizeMB;
|
||||
extraOptions =
|
||||
[
|
||||
"--thread-count" "${builtins.toString v.threads}"
|
||||
"--loadavg-target" "${builtins.toString v.loadAverage}"
|
||||
"--verbose" "4"
|
||||
];
|
||||
})
|
||||
(inputs.localLib.attrsToList beesd));
|
||||
beesd;
|
||||
nixos.packages.packages._packages = [ inputs.pkgs.bees ];
|
||||
};
|
||||
}
|
||||
|
||||
82
modules/services/bind.nix
Normal file
82
modules/services/bind.nix
Normal file
@@ -0,0 +1,82 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.bind = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule (submoduleInputs: {})); default = null; };
|
||||
config = let inherit (inputs.config.nixos.services) bind; in inputs.lib.mkIf (bind != null)
|
||||
{
|
||||
services.bind =
|
||||
let
|
||||
chinaZone = inputs.pkgs.writeText "autoroute.chn.moe.china.zone"
|
||||
''
|
||||
$ORIGIN autoroute.chn.moe.
|
||||
$TTL 3600
|
||||
@ IN SOA vps6.chn.moe. chn.chn.moe. (
|
||||
2024071301 ; serial
|
||||
3600 ; refresh
|
||||
600 ; retry
|
||||
604800 ; expire
|
||||
300 ; minimum
|
||||
)
|
||||
@ IN NS vps6.chn.moe.
|
||||
@ IN A ${inputs.topInputs.self.config.dns."chn.moe".getAddress "vps6"}
|
||||
'';
|
||||
globalZone = inputs.pkgs.writeText "autoroute.chn.moe.zone"
|
||||
''
|
||||
$ORIGIN autoroute.chn.moe.
|
||||
$TTL 3600
|
||||
@ IN SOA vps6.chn.moe. chn.chn.moe. (
|
||||
2024071301 ; serial
|
||||
3600 ; refresh
|
||||
600 ; retry
|
||||
604800 ; expire
|
||||
300 ; minimum
|
||||
)
|
||||
@ IN NS vps6.chn.moe.
|
||||
@ IN A ${inputs.topInputs.self.config.dns."chn.moe".getAddress "srv3"}
|
||||
'';
|
||||
nullZone = inputs.pkgs.writeText "null.zone" "";
|
||||
in
|
||||
{
|
||||
enable = true;
|
||||
package = inputs.pkgs.bind.overrideAttrs
|
||||
(prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
|
||||
listenOn = [(inputs.topInputs.self.config.dns."chn.moe".getAddress "vps6")];
|
||||
extraOptions =
|
||||
''
|
||||
recursion no;
|
||||
geoip-directory "${inputs.config.services.geoipupdate.settings.DatabaseDirectory}";
|
||||
'';
|
||||
extraConfig =
|
||||
''
|
||||
acl "china" {
|
||||
geoip country CN;
|
||||
};
|
||||
|
||||
view "china" {
|
||||
match-clients { china; };
|
||||
zone "autoroute.chn.moe" {
|
||||
type master;
|
||||
file "${chinaZone}";
|
||||
};
|
||||
zone "." {
|
||||
type hint;
|
||||
file "${nullZone}";
|
||||
};
|
||||
};
|
||||
view "global" {
|
||||
match-clients { any; };
|
||||
zone "autoroute.chn.moe" {
|
||||
type master;
|
||||
file "${globalZone}";
|
||||
};
|
||||
zone "." {
|
||||
type hint;
|
||||
file "${nullZone}";
|
||||
};
|
||||
};
|
||||
'';
|
||||
};
|
||||
nixos.services.geoipupdate = {};
|
||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||
};
|
||||
}
|
||||
@@ -14,14 +14,17 @@ inputs:
|
||||
{
|
||||
enable = true;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
|
||||
static-auth-secret-file = inputs.config.nixos.system.sops.secrets."coturn/auth-secret".path;
|
||||
realm = coturn.hostname;
|
||||
cert = "${keydir}/full.pem";
|
||||
pkey = "${keydir}/key.pem";
|
||||
no-cli = true;
|
||||
};
|
||||
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
|
||||
nixos.services.acme.cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
|
||||
nixos =
|
||||
{
|
||||
system.sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
|
||||
services.acme.cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
|
||||
};
|
||||
networking.firewall = with inputs.config.services.coturn;
|
||||
{
|
||||
allowedUDPPorts = [ listening-port tls-listening-port ];
|
||||
|
||||
@@ -15,19 +15,18 @@ inputs:
|
||||
enable = true;
|
||||
baseUrl = "https://${freshrss.hostname}";
|
||||
defaultUser = "chn";
|
||||
passwordFile = inputs.config.sops.secrets."freshrss/chn".path;
|
||||
database = { type = "mysql"; passFile = inputs.config.sops.secrets."freshrss/db".path; };
|
||||
};
|
||||
sops.secrets =
|
||||
{
|
||||
"freshrss/chn".owner = inputs.config.users.users.freshrss.name;
|
||||
"freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
|
||||
passwordFile = inputs.config.nixos.system.sops.secrets."freshrss/chn".path;
|
||||
database = { type = "mysql"; passFile = inputs.config.nixos.system.sops.secrets."freshrss/db".path; };
|
||||
};
|
||||
systemd.services.freshrss-config.after = [ "mysql.service" ];
|
||||
nixos.services =
|
||||
nixos =
|
||||
{
|
||||
mariadb = { enable = true; instances.freshrss = {}; };
|
||||
nginx.https.${freshrss.hostname}.global.configName = "freshrss";
|
||||
services = { mariadb.instances.freshrss = {}; nginx.https.${freshrss.hostname}.global.configName = "freshrss"; };
|
||||
system.sops.secrets =
|
||||
{
|
||||
"freshrss/chn".owner = inputs.config.users.users.freshrss.name;
|
||||
"freshrss/db" = { owner = inputs.config.users.users.freshrss.name; key = "mariadb/freshrss"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
19
modules/services/geoipupdate.nix
Normal file
19
modules/services/geoipupdate.nix
Normal file
@@ -0,0 +1,19 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.geoipupdate = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule {}); default = null; };
|
||||
config = let inherit (inputs.config.nixos.services) geoipupdate; in inputs.lib.mkIf (geoipupdate != null)
|
||||
{
|
||||
services.geoipupdate =
|
||||
{
|
||||
enable = true;
|
||||
settings =
|
||||
{
|
||||
AccountID = 901296;
|
||||
LicenseKey = inputs.config.nixos.system.sops.secrets."maxmind".path;
|
||||
EditionIDs = [ "GeoLite2-ASN" "GeoLite2-City" "GeoLite2-Country" ];
|
||||
};
|
||||
};
|
||||
nixos.system.sops.secrets."maxmind" = {};
|
||||
};
|
||||
}
|
||||
@@ -15,63 +15,73 @@ inputs:
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) gitea; in inputs.lib.mkIf (gitea != null)
|
||||
{
|
||||
services.gitea =
|
||||
services =
|
||||
{
|
||||
enable = true;
|
||||
lfs.enable = true;
|
||||
mailerPasswordFile = inputs.config.sops.secrets."gitea/mail".path;
|
||||
database =
|
||||
{ createDatabase = false; type = "postgres"; passwordFile = inputs.config.sops.secrets."gitea/db".path; };
|
||||
settings =
|
||||
{
|
||||
session.COOKIE_SECURE = true;
|
||||
server =
|
||||
{
|
||||
ROOT_URL = "https://${gitea.hostname}";
|
||||
DOMAIN = gitea.hostname;
|
||||
HTTP_PORT = 3002;
|
||||
SSH_DOMAIN = gitea.ssh.hostname;
|
||||
SSH_PORT = inputs.lib.mkIf (gitea.ssh.port != null) gitea.ssh.port;
|
||||
};
|
||||
mailer =
|
||||
{
|
||||
ENABLED = true;
|
||||
FROM = "bot@chn.moe";
|
||||
PROTOCOL = "smtps";
|
||||
SMTP_ADDR = "mail.chn.moe";
|
||||
SMTP_PORT = 465;
|
||||
USER = "bot@chn.moe";
|
||||
};
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
security.LOGIN_REMEMBER_DAYS = 365;
|
||||
"git.timeout" = builtins.listToAttrs (builtins.map (n: { name = n; value = 1800; })
|
||||
[ "DEFAULT" "MIGRATE" "MIRROR" "CLONE" "PULL" "GC" ]);
|
||||
};
|
||||
};
|
||||
nixos.services =
|
||||
{
|
||||
nginx =
|
||||
gitea =
|
||||
{
|
||||
enable = true;
|
||||
https.${gitea.hostname}.location =
|
||||
lfs.enable = true;
|
||||
mailerPasswordFile = inputs.config.nixos.system.sops.secrets."gitea/mail".path;
|
||||
database =
|
||||
{
|
||||
"/".proxy.upstream = "http://127.0.0.1:3002";
|
||||
"/robots.txt".static.root =
|
||||
let robotsFile = inputs.pkgs.fetchurl
|
||||
{
|
||||
url = "https://gitea.com/robots.txt";
|
||||
sha256 = "144c5s3la4a85c9lygcnxhbxs3w5y23bkhhqx69fbp9yiqyxdkk2";
|
||||
};
|
||||
in "${inputs.pkgs.runCommand "robots.txt" {} "mkdir -p $out; cp ${robotsFile} $out/robots.txt"}";
|
||||
createDatabase = false;
|
||||
type = "postgres";
|
||||
passwordFile = inputs.config.nixos.system.sops.secrets."gitea/db".path;
|
||||
};
|
||||
settings =
|
||||
{
|
||||
session.COOKIE_SECURE = true;
|
||||
server =
|
||||
{
|
||||
ROOT_URL = "https://${gitea.hostname}";
|
||||
DOMAIN = gitea.hostname;
|
||||
HTTP_PORT = 3002;
|
||||
SSH_DOMAIN = gitea.ssh.hostname;
|
||||
SSH_PORT = inputs.lib.mkIf (gitea.ssh.port != null) gitea.ssh.port;
|
||||
LFS_ALLOW_PURE_SSH = true;
|
||||
};
|
||||
mailer =
|
||||
{
|
||||
ENABLED = true;
|
||||
FROM = "bot@chn.moe";
|
||||
PROTOCOL = "smtps";
|
||||
SMTP_ADDR = "mail.chn.moe";
|
||||
SMTP_PORT = 465;
|
||||
USER = "bot@chn.moe";
|
||||
};
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
security.LOGIN_REMEMBER_DAYS = 365;
|
||||
"git.timeout" = builtins.listToAttrs (builtins.map (n: { name = n; value = 3600 * 8; })
|
||||
[ "DEFAULT" "MIGRATE" "MIRROR" "CLONE" "PULL" "GC" ]);
|
||||
"cron.git_gc_repos" = { ENABLED = true; SCHEDULE = "@monthly"; TIMEOUT = "2h"; };
|
||||
"cron.gc_lfs" = { ENABLED = true; SCHEDULE = "@monthly"; NUMBER_TO_CHECK_PER_REPO = 0; };
|
||||
};
|
||||
package = inputs.pkgs.pkgs-unstable.gitea;
|
||||
};
|
||||
anubis.instances.gitea.settings =
|
||||
{
|
||||
OG_PASSTHROUGH = true;
|
||||
TARGET = "http://127.0.0.1:3002";
|
||||
BIND_NETWORK = "tcp";
|
||||
BIND = "127.0.0.1:3003";
|
||||
WEBMASTER_EMAIL = "chn@chn.moe";
|
||||
SERVE_ROBOTS_TXT = true;
|
||||
};
|
||||
postgresql.instances.gitea = {};
|
||||
};
|
||||
sops.secrets =
|
||||
nixos =
|
||||
{
|
||||
"gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
|
||||
"gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
|
||||
"mail/bot" = {};
|
||||
system.sops.secrets =
|
||||
{
|
||||
"gitea/mail" = { owner = "gitea"; key = "mail/bot"; };
|
||||
"gitea/db" = { owner = "gitea"; key = "postgresql/gitea"; };
|
||||
"mail/bot" = {};
|
||||
};
|
||||
services =
|
||||
{
|
||||
nginx.https.${gitea.hostname}.location."/".proxy.upstream = "http://127.0.0.1:3003";
|
||||
postgresql.instances.gitea = {};
|
||||
};
|
||||
};
|
||||
systemd.services.gitea.path = [ inputs.pkgs.git-lfs-transfer ];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -24,7 +24,7 @@ inputs:
|
||||
enabled = true;
|
||||
host = "mail.chn.moe";
|
||||
user = "bot@chn.moe";
|
||||
password = "$__file{${inputs.config.sops.secrets."grafana/mail".path}}";
|
||||
password = "$__file{${inputs.config.nixos.system.sops.secrets."grafana/mail".path}}";
|
||||
from_address = "bot@chn.moe";
|
||||
ehlo_identity = grafana.hostname;
|
||||
startTLS_policy = "MandatoryStartTLS";
|
||||
@@ -32,9 +32,9 @@ inputs:
|
||||
server = { root_url = "https://${grafana.hostname}"; http_port = 3001; enable_gzip = true; };
|
||||
security =
|
||||
{
|
||||
secret_key = "$__file{${inputs.config.sops.secrets."grafana/secret".path}}";
|
||||
secret_key = "$__file{${inputs.config.nixos.system.sops.secrets."grafana/secret".path}}";
|
||||
admin_user = "chn";
|
||||
admin_password = "$__file{${inputs.config.sops.secrets."grafana/chn".path}}";
|
||||
admin_password = "$__file{${inputs.config.nixos.system.sops.secrets."grafana/chn".path}}";
|
||||
admin_email = "chn@chn.moe";
|
||||
};
|
||||
database =
|
||||
@@ -42,7 +42,7 @@ inputs:
|
||||
type = "postgres";
|
||||
host = "127.0.0.1:5432";
|
||||
user = "grafana";
|
||||
password = "$__file{${inputs.config.sops.secrets."grafana/db".path}}";
|
||||
password = "$__file{${inputs.config.nixos.system.sops.secrets."grafana/db".path}}";
|
||||
};
|
||||
};
|
||||
provision =
|
||||
@@ -78,23 +78,21 @@ inputs:
|
||||
extraFlags = [ "--storage.tsdb.max-block-chunk-segment-size=16MB" ];
|
||||
};
|
||||
};
|
||||
nixos.services =
|
||||
nixos =
|
||||
{
|
||||
nginx =
|
||||
services =
|
||||
{
|
||||
enable = true;
|
||||
https.${grafana.hostname}.location."/".proxy =
|
||||
{ upstream = "http://127.0.0.1:3001"; websocket = true; };
|
||||
nginx.https.${grafana.hostname}.location."/".proxy = { upstream = "http://127.0.0.1:3001"; websocket = true; };
|
||||
postgresql.instances.grafana = {};
|
||||
};
|
||||
system.sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
|
||||
{
|
||||
"grafana/mail" = { owner = owner; key = "mail/bot"; };
|
||||
"grafana/secret".owner = owner;
|
||||
"grafana/chn".owner = owner;
|
||||
"grafana/db" = { owner = owner; key = "postgresql/grafana"; };
|
||||
"mail/bot" = {};
|
||||
};
|
||||
postgresql.instances.grafana = {};
|
||||
};
|
||||
sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
|
||||
{
|
||||
"grafana/mail" = { owner = owner; key = "mail/bot"; };
|
||||
"grafana/secret".owner = owner;
|
||||
"grafana/chn".owner = owner;
|
||||
"grafana/db" = { owner = owner; key = "postgresql/grafana"; };
|
||||
"mail/bot" = {};
|
||||
};
|
||||
environment.persistence."/nix/nodatacow".directories =
|
||||
[{ directory = "/var/lib/prometheus2"; user = "prometheus"; group = "prometheus"; mode = "0700"; }];
|
||||
|
||||
@@ -15,13 +15,13 @@ inputs:
|
||||
grep = "${inputs.pkgs.gnugrep}/bin/grep";
|
||||
curl = "${inputs.pkgs.curl}/bin/curl";
|
||||
cat = "${inputs.pkgs.coreutils}/bin/cat";
|
||||
token = inputs.config.sops.secrets."telegram/token".path;
|
||||
chat = inputs.config.sops.secrets."telegram/user/chn".path;
|
||||
token = inputs.config.nixos.system.sops.secrets."telegram/token".path;
|
||||
chat = inputs.config.nixos.system.sops.secrets."telegram/user/chn".path;
|
||||
date = "${inputs.pkgs.coreutils}/bin/date";
|
||||
hpcstat = "${inputs.pkgs.localPackages.hpcstat}/bin/hpcstat";
|
||||
ssh = "${inputs.pkgs.openssh}/bin/ssh -i ${key} -o StrictHostKeyChecking=no"
|
||||
+ " -o ForwardAgent=yes -o AddKeysToAgent=yes";
|
||||
key = inputs.config.sops.secrets."hpcstat/key".path;
|
||||
key = inputs.config.nixos.system.sops.secrets."hpcstat/key".path;
|
||||
jykang = "${inputs.topInputs.self}/devices/jykang.xmuhpc/files";
|
||||
ssh-agent = "${inputs.pkgs.openssh}/bin/ssh-agent";
|
||||
in
|
||||
@@ -105,10 +105,10 @@ inputs:
|
||||
(inputs.localLib.attrsToList calenders));
|
||||
tmpfiles.rules = [ "d /var/lib/hpcstat 0700 hpcstat hpcstat" ];
|
||||
};
|
||||
sops.secrets = let sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml"; in
|
||||
nixos.system.sops.secrets =
|
||||
{
|
||||
"telegram/token" = { group = "telegram"; mode = "0440"; inherit sopsFile; };
|
||||
"telegram/user/chn" = { group = "telegram"; mode = "0440"; inherit sopsFile; };
|
||||
"telegram/token" = { group = "telegram"; mode = "0440"; };
|
||||
"telegram/user/chn" = { group = "telegram"; mode = "0440"; };
|
||||
"hpcstat/key" = { owner = "hpcstat"; group = "hpcstat"; };
|
||||
};
|
||||
users =
|
||||
|
||||
@@ -10,35 +10,37 @@ inputs:
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) httpapi; in inputs.lib.mkIf (httpapi != null)
|
||||
{
|
||||
nixos.services =
|
||||
nixos =
|
||||
{
|
||||
phpfpm.instances.httpapi = {};
|
||||
nginx.https.${httpapi.hostname}.location =
|
||||
services =
|
||||
{
|
||||
"/files".static.root = "/srv/api";
|
||||
"/led".static = { root = "/srv/api"; detectAuth.users = [ "led" ]; };
|
||||
"/notify.php".php =
|
||||
phpfpm.instances.httpapi = {};
|
||||
nginx.https.${httpapi.hostname}.location =
|
||||
{
|
||||
root = builtins.dirOf inputs.config.sops.templates."httpapi/notify.php".path;
|
||||
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
|
||||
"/files".static.root = "/srv/api";
|
||||
"/led".static = { root = "/srv/api"; detectAuth.users = [ "led" ]; };
|
||||
"/notify.php".php =
|
||||
{
|
||||
root = builtins.dirOf inputs.config.nixos.system.sops.templates."httpapi/notify.php".path;
|
||||
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpapi.fastcgi;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates."httpapi/notify.php" =
|
||||
system.sops =
|
||||
{
|
||||
owner = inputs.config.users.users.httpapi.name;
|
||||
group = inputs.config.users.users.httpapi.group;
|
||||
content =
|
||||
let
|
||||
placeholder = inputs.config.sops.placeholder;
|
||||
request = "https://api.telegram.org/bot${placeholder."telegram/token"}"
|
||||
+ "/sendMessage?chat_id=${placeholder."telegram/user/chn"}&text=";
|
||||
in ''<?php print file_get_contents("${request}".urlencode($_GET["message"])); ?>'';
|
||||
templates."httpapi/notify.php" =
|
||||
{
|
||||
owner = inputs.config.users.users.httpapi.name;
|
||||
group = inputs.config.users.users.httpapi.group;
|
||||
content =
|
||||
let
|
||||
inherit (inputs.config.sops) placeholder;
|
||||
request = "https://api.telegram.org/bot${placeholder."telegram/token"}"
|
||||
+ "/sendMessage?chat_id=${placeholder."telegram/user/chn"}&text=";
|
||||
in ''<?php print file_get_contents("${request}".urlencode($_GET["message"])); ?>'';
|
||||
};
|
||||
secrets = { "telegram/token" = {}; "telegram/user/chn" = {}; };
|
||||
};
|
||||
secrets = let sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml"; in
|
||||
{ "telegram/token" = { inherit sopsFile; }; "telegram/user/chn" = { inherit sopsFile; }; };
|
||||
};
|
||||
systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
|
||||
};
|
||||
|
||||
@@ -14,7 +14,10 @@ inputs:
|
||||
{
|
||||
phpfpm.instances.httpua = {};
|
||||
nginx.http.${httpua.hostname}.php =
|
||||
{ root = "${./.}"; fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi; };
|
||||
{
|
||||
root = builtins.toString (inputs.pkgs.writeTextDir "index.php" "<?php echo $_SERVER['HTTP_USER_AGENT']; ?>");
|
||||
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
<?php echo $_SERVER['HTTP_USER_AGENT']; ?>
|
||||
@@ -15,43 +15,39 @@ inputs:
|
||||
image = "ghcr.io/huginn/huginn:latest";
|
||||
imageFile = inputs.topInputs.self.src.huginn;
|
||||
ports = [ "127.0.0.1:3000:3000/tcp" ];
|
||||
environmentFiles = [ inputs.config.sops.templates."huginn/env".path ];
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates."huginn/env".content = let placeholder = inputs.config.sops.placeholder; in
|
||||
''
|
||||
MYSQL_PORT_3306_TCP_ADDR=host.containers.internal
|
||||
HUGINN_DATABASE_NAME=huginn
|
||||
HUGINN_DATABASE_USERNAME=huginn
|
||||
HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
|
||||
DOMAIN=${huginn.hostname}
|
||||
RAILS_ENV=production
|
||||
FORCE_SSL=true
|
||||
INVITATION_CODE=${placeholder."huginn/invitationCode"}
|
||||
SMTP_DOMAIN=mail.chn.moe
|
||||
SMTP_USER_NAME=bot@chn.moe
|
||||
SMTP_PASSWORD="${placeholder."mail/bot"}"
|
||||
SMTP_SERVER=mail.chn.moe
|
||||
SMTP_SSL=true
|
||||
EMAIL_FROM_ADDRESS=bot@chn.moe
|
||||
TIMEZONE=Beijing
|
||||
DO_NOT_CREATE_DATABASE=true
|
||||
'';
|
||||
secrets = { "huginn/invitationCode" = {}; "mail/bot" = {}; };
|
||||
environmentFiles = [ inputs.config.nixos.system.sops.templates."huginn/env".path ];
|
||||
};
|
||||
nixos =
|
||||
{
|
||||
services =
|
||||
{
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
https.${huginn.hostname}.location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
|
||||
};
|
||||
nginx.https.${huginn.hostname}.location."/".proxy = { upstream = "http://127.0.0.1:3000"; websocket = true; };
|
||||
mariadb.instances.huginn = {};
|
||||
podman = {};
|
||||
};
|
||||
system.sops =
|
||||
{
|
||||
templates."huginn/env".content = let inherit (inputs.config.nixos.system.sops) placeholder; in
|
||||
''
|
||||
MYSQL_PORT_3306_TCP_ADDR=host.containers.internal
|
||||
HUGINN_DATABASE_NAME=huginn
|
||||
HUGINN_DATABASE_USERNAME=huginn
|
||||
HUGINN_DATABASE_PASSWORD=${placeholder."mariadb/huginn"}
|
||||
DOMAIN=${huginn.hostname}
|
||||
RAILS_ENV=production
|
||||
FORCE_SSL=true
|
||||
INVITATION_CODE=${placeholder."huginn/invitationCode"}
|
||||
SMTP_DOMAIN=mail.chn.moe
|
||||
SMTP_USER_NAME=bot@chn.moe
|
||||
SMTP_PASSWORD="${placeholder."mail/bot"}"
|
||||
SMTP_SERVER=mail.chn.moe
|
||||
SMTP_SSL=true
|
||||
EMAIL_FROM_ADDRESS=bot@chn.moe
|
||||
TIMEZONE=Beijing
|
||||
DO_NOT_CREATE_DATABASE=true
|
||||
'';
|
||||
secrets = { "huginn/invitationCode" = {}; "mail/bot" = {}; };
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@ inputs:
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
macAddress = mkOption { type = types.str; };
|
||||
autoStart = mkOption { type = types.bool; default = true; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
@@ -16,10 +17,13 @@ inputs:
|
||||
inherit (inputs.topInputs.self.src.lumerical.licenseManager) image imageFile;
|
||||
extraOptions = [ "--network=host" ];
|
||||
volumes =
|
||||
let license = inputs.pkgs.localPackages.lumerical.license.override
|
||||
{ inherit (lumericalLicenseManager) macAddress; };
|
||||
let
|
||||
macAddress = builtins.replaceStrings [ ":" ] [ "" ] lumericalLicenseManager.macAddress;
|
||||
license = inputs.pkgs.localPackages.lumerical.license.override { inherit macAddress; };
|
||||
in [ "${license}:/home/ansys_inc/shared_files/licensing/license_files/ansyslmd.lic" ];
|
||||
};
|
||||
nixos.services.podman = {};
|
||||
systemd.services.podman-lumericalLicenseManager.wantedBy =
|
||||
inputs.lib.mkIf (!lumericalLicenseManager.autoStart) (inputs.lib.mkForce []);
|
||||
};
|
||||
}
|
||||
|
||||
@@ -13,6 +13,7 @@ inputs:
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
mountFrom = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) mariadb; in inputs.lib.mkIf mariadb.enable
|
||||
{
|
||||
@@ -30,7 +31,7 @@ inputs:
|
||||
};
|
||||
mysqlBackup =
|
||||
{
|
||||
enable = true;
|
||||
enable = mariadb.mountFrom == "nodatacow";
|
||||
singleTransaction = true;
|
||||
databases = builtins.map (db: db.value.database) (inputs.localLib.attrsToList mariadb.instances);
|
||||
};
|
||||
@@ -40,16 +41,19 @@ inputs:
|
||||
let
|
||||
passwordFile =
|
||||
if db.value.passwordFile or null != null then db.value.passwordFile
|
||||
else inputs.config.sops.secrets."mariadb/${db.value.user}".path;
|
||||
else inputs.config.nixos.system.sops.secrets."mariadb/${db.value.user}".path;
|
||||
mysql = "${inputs.config.services.mysql.package}/bin/mysql";
|
||||
in
|
||||
# force user use password auth
|
||||
''echo "ALTER USER '${db.value.user}' IDENTIFIED BY '$(cat ${passwordFile})';" | ${mysql} -N'')
|
||||
(inputs.localLib.attrsToList mariadb.instances)));
|
||||
sops.secrets = builtins.listToAttrs (builtins.map
|
||||
nixos.system.sops.secrets = builtins.listToAttrs (builtins.map
|
||||
(db: { name = "mariadb/${db.value.user}"; value.owner = inputs.config.users.users.mysql.name; })
|
||||
(builtins.filter (db: db.value.passwordFile == null) (inputs.localLib.attrsToList mariadb.instances)));
|
||||
environment.persistence."/nix/nodatacow".directories =
|
||||
[{ directory = "/var/lib/mysql"; user = "mysql"; group = "mysql"; mode = "0750"; }];
|
||||
environment.persistence = inputs.lib.mkIf (mariadb.mountFrom != null)
|
||||
{
|
||||
"/nix/${mariadb.mountFrom}".directories =
|
||||
[{ directory = "/var/lib/mysql"; user = "mysql"; group = "mysql"; mode = "0750"; }];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,75 +1,60 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.mirism = let inherit (inputs.lib) mkOption types; in
|
||||
options.nixos.services.mirism = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule {}); default = null; };
|
||||
config = let inherit (inputs.config.nixos.services) mirism; in inputs.lib.mkIf (mirism != null)
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services) mirism;
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (builtins) map listToAttrs toString concatLists;
|
||||
in mkIf mirism.enable
|
||||
users =
|
||||
{
|
||||
users =
|
||||
{
|
||||
users.mirism = { uid = inputs.config.nixos.user.uid.mirism; group = "mirism"; isSystemUser = true; };
|
||||
groups.mirism.gid = inputs.config.nixos.user.gid.mirism;
|
||||
};
|
||||
systemd =
|
||||
{
|
||||
services = listToAttrs (map
|
||||
(instance:
|
||||
{
|
||||
name = "mirism-${instance}";
|
||||
value =
|
||||
{
|
||||
description = "mirism ${instance}";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig =
|
||||
{
|
||||
User = inputs.config.users.users.mirism.name;
|
||||
Group = inputs.config.users.users.mirism.group;
|
||||
ExecStart = "${inputs.pkgs.localPackages.mirism-old}/bin/${instance}";
|
||||
RuntimeMaxSec = "1d";
|
||||
Restart = "always";
|
||||
};
|
||||
};
|
||||
})
|
||||
[ "ng01" "beta" ]);
|
||||
tmpfiles.rules = concatLists (map
|
||||
(dir: [ "d /srv/${dir}mirism 0700 nginx nginx" "Z /srv/${dir}mirism - nginx nginx" ])
|
||||
[ "" "entry." ]);
|
||||
};
|
||||
nixos.services =
|
||||
{
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
transparentProxy.map = { "ng01.mirism.one" = 7411; "beta.mirism.one" = 9114; };
|
||||
https = listToAttrs (map
|
||||
(instance:
|
||||
{
|
||||
name = "${instance}mirism.one";
|
||||
value.location."/".static = { root = "/srv/${instance}mirism"; index = [ "index.html" ]; };
|
||||
})
|
||||
[ "entry." "" ]);
|
||||
};
|
||||
acme.cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; };
|
||||
};
|
||||
environment.etc = listToAttrs (concatLists (map
|
||||
(instance:
|
||||
[
|
||||
{
|
||||
name = "letsencrypt/live/${instance}.mirism.one/fullchain.pem";
|
||||
value.source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/fullchain.pem";
|
||||
}
|
||||
{
|
||||
name = "letsencrypt/live/${instance}.mirism.one/privkey.pem";
|
||||
value.source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/key.pem";
|
||||
}
|
||||
])
|
||||
[ "ng01" "beta" ]));
|
||||
users.mirism = { uid = inputs.config.nixos.user.uid.mirism; group = "mirism"; isSystemUser = true; };
|
||||
groups.mirism.gid = inputs.config.nixos.user.gid.mirism;
|
||||
};
|
||||
systemd =
|
||||
{
|
||||
services = builtins.listToAttrs (builtins.map
|
||||
(instance:
|
||||
{
|
||||
name = "mirism-${instance}";
|
||||
value =
|
||||
{
|
||||
description = "mirism ${instance}";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig =
|
||||
{
|
||||
User = inputs.config.users.users.mirism.name;
|
||||
Group = inputs.config.users.users.mirism.group;
|
||||
ExecStart = "${inputs.pkgs.localPackages.mirism-old}/bin/${instance}";
|
||||
RuntimeMaxSec = "1d";
|
||||
Restart = "always";
|
||||
};
|
||||
};
|
||||
})
|
||||
[ "ng01" "beta" ]);
|
||||
tmpfiles.rules = builtins.concatLists (builtins.map
|
||||
(dir: [ "d /srv/${dir}mirism 0700 nginx nginx" "Z /srv/${dir}mirism - nginx nginx" ])
|
||||
[ "" "entry." ]);
|
||||
};
|
||||
nixos.services =
|
||||
{
|
||||
nginx =
|
||||
{
|
||||
transparentProxy.map = { "ng01.mirism.one" = 7411; "beta.mirism.one" = 9114; };
|
||||
https = builtins.listToAttrs (builtins.map
|
||||
(instance: inputs.lib.nameValuePair "${instance}mirism.one"
|
||||
{ location."/".static = { root = "/srv/${instance}mirism"; index = [ "index.html" ]; }; })
|
||||
[ "entry." "" ]);
|
||||
};
|
||||
acme.cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; };
|
||||
};
|
||||
environment.etc = builtins.listToAttrs (builtins.concatLists (builtins.map
|
||||
(instance:
|
||||
[
|
||||
(inputs.lib.nameValuePair "letsencrypt/live/${instance}.mirism.one/fullchain.pem"
|
||||
{ source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/fullchain.pem"; })
|
||||
(inputs.lib.nameValuePair "letsencrypt/live/${instance}.mirism.one/privkey.pem"
|
||||
{ source = "${inputs.config.security.acme.certs."${instance}.mirism.one".directory}/key.pem"; })
|
||||
])
|
||||
[ "ng01" "beta" ]));
|
||||
};
|
||||
}
|
||||
|
||||
@@ -22,7 +22,8 @@ inputs:
|
||||
after = [ "network.target" "redis-misskey-${instance.name}.service" "postgresql.service" ];
|
||||
requires = after;
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
environment.MISSKEY_CONFIG_YML = inputs.config.sops.templates."misskey/${instance.name}.yml".path;
|
||||
environment.MISSKEY_CONFIG_YML =
|
||||
inputs.config.nixos.system.sops.templates."misskey/${instance.name}.yml".path;
|
||||
serviceConfig = rec
|
||||
{
|
||||
User = "misskey-${instance.name}";
|
||||
@@ -53,50 +54,6 @@ inputs:
|
||||
};
|
||||
})
|
||||
(inputs.localLib.attrsToList misskey.instances));
|
||||
sops.templates = builtins.listToAttrs (builtins.map
|
||||
(instance:
|
||||
{
|
||||
name = "misskey/${instance.name}.yml";
|
||||
value =
|
||||
{
|
||||
content =
|
||||
let
|
||||
placeholder = inputs.config.sops.placeholder;
|
||||
redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
|
||||
in
|
||||
''
|
||||
url: https://${instance.value.hostname}/
|
||||
port: ${toString instance.value.port}
|
||||
db:
|
||||
host: 127.0.0.1
|
||||
port: 5432
|
||||
db: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
|
||||
user: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
|
||||
pass: ${placeholder."postgresql/misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"}
|
||||
extra:
|
||||
statement_timeout: 600000
|
||||
dbReplications: false
|
||||
redis:
|
||||
host: 127.0.0.1
|
||||
port: ${builtins.toString redis.port}
|
||||
pass: ${placeholder."redis/misskey-${instance.name}"}
|
||||
id: 'aid'
|
||||
proxyBypassHosts:
|
||||
- api.deepl.com
|
||||
- api-free.deepl.com
|
||||
- www.recaptcha.net
|
||||
- hcaptcha.com
|
||||
- challenges.cloudflare.com
|
||||
proxyRemoteFiles: true
|
||||
signToActivityPubGet: true
|
||||
maxFileSize: 1073741824
|
||||
fulltextSearch:
|
||||
provider: sqlPgroonga
|
||||
'';
|
||||
owner = "misskey-${instance.name}";
|
||||
};
|
||||
})
|
||||
(inputs.localLib.attrsToList misskey.instances));
|
||||
users = inputs.lib.mkMerge (builtins.map
|
||||
(instance:
|
||||
{
|
||||
@@ -111,18 +68,17 @@ inputs:
|
||||
groups."misskey-${instance.name}".gid = inputs.config.nixos.user.gid."misskey-${instance.name}";
|
||||
})
|
||||
(inputs.localLib.attrsToList misskey.instances));
|
||||
nixos.services =
|
||||
nixos =
|
||||
{
|
||||
redis.instances = builtins.listToAttrs (builtins.map
|
||||
(instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
|
||||
(inputs.localLib.attrsToList misskey.instances));
|
||||
postgresql.instances = builtins.listToAttrs (builtins.map
|
||||
(instance: { name = "misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
|
||||
(inputs.localLib.attrsToList misskey.instances));
|
||||
nginx =
|
||||
services =
|
||||
{
|
||||
enable = inputs.lib.mkIf (misskey.instances != {}) true;
|
||||
https = builtins.listToAttrs (builtins.map
|
||||
redis.instances = builtins.listToAttrs (builtins.map
|
||||
(instance: { name = "misskey-${instance.name}"; value.port = instance.value.redis.port; })
|
||||
(inputs.localLib.attrsToList misskey.instances));
|
||||
postgresql.instances = builtins.listToAttrs (builtins.map
|
||||
(instance: { name = "misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"; value = {}; })
|
||||
(inputs.localLib.attrsToList misskey.instances));
|
||||
nginx.https = builtins.listToAttrs (builtins.map
|
||||
(instance: with instance.value;
|
||||
{
|
||||
name = hostname;
|
||||
@@ -130,6 +86,50 @@ inputs:
|
||||
})
|
||||
(inputs.localLib.attrsToList misskey.instances));
|
||||
};
|
||||
system.sops.templates = builtins.listToAttrs (builtins.map
|
||||
(instance:
|
||||
{
|
||||
name = "misskey/${instance.name}.yml";
|
||||
value =
|
||||
{
|
||||
content =
|
||||
let
|
||||
placeholder = inputs.config.nixos.system.sops.placeholder;
|
||||
redis = inputs.config.nixos.services.redis.instances."misskey-${instance.name}";
|
||||
in
|
||||
''
|
||||
url: https://${instance.value.hostname}/
|
||||
port: ${toString instance.value.port}
|
||||
db:
|
||||
host: 127.0.0.1
|
||||
port: 5432
|
||||
db: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
|
||||
user: misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}
|
||||
pass: ${placeholder."postgresql/misskey_${builtins.replaceStrings [ "-" ] [ "_" ] instance.name}"}
|
||||
extra:
|
||||
statement_timeout: 600000
|
||||
dbReplications: false
|
||||
redis:
|
||||
host: 127.0.0.1
|
||||
port: ${builtins.toString redis.port}
|
||||
pass: ${placeholder."redis/misskey-${instance.name}"}
|
||||
id: 'aid'
|
||||
proxyBypassHosts:
|
||||
- api.deepl.com
|
||||
- api-free.deepl.com
|
||||
- www.recaptcha.net
|
||||
- hcaptcha.com
|
||||
- challenges.cloudflare.com
|
||||
proxyRemoteFiles: true
|
||||
signToActivityPubGet: true
|
||||
maxFileSize: 1073741824
|
||||
fulltextSearch:
|
||||
provider: sqlPgroonga
|
||||
'';
|
||||
owner = "misskey-${instance.name}";
|
||||
};
|
||||
})
|
||||
(inputs.localLib.attrsToList misskey.instances));
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -21,9 +21,9 @@ inputs:
|
||||
config =
|
||||
{
|
||||
dbtype = "pgsql";
|
||||
dbpassFile = inputs.config.sops.secrets."nextcloud/postgresql".path;
|
||||
dbpassFile = inputs.config.nixos.system.sops.secrets."nextcloud/postgresql".path;
|
||||
adminuser = "admin";
|
||||
adminpassFile = inputs.config.sops.secrets."nextcloud/admin".path;
|
||||
adminpassFile = inputs.config.nixos.system.sops.secrets."nextcloud/admin".path;
|
||||
};
|
||||
configureRedis = true;
|
||||
settings =
|
||||
@@ -39,7 +39,7 @@ inputs:
|
||||
overwriteprotocol = "https";
|
||||
default_phone_region = "CN";
|
||||
};
|
||||
secretFile = inputs.config.sops.templates."nextcloud/secret".path;
|
||||
secretFile = inputs.config.nixos.system.sops.templates."nextcloud/secret".path;
|
||||
extraApps =
|
||||
let
|
||||
version = inputs.lib.versions.major inputs.config.services.nextcloud.package.version;
|
||||
@@ -59,27 +59,30 @@ inputs:
|
||||
(package: { name = package; value = inputs.pkgs.fetchNextcloudApp (getInfo package); })
|
||||
[ "phonetrack" "twofactor_webauthn" "calendar" ]);
|
||||
};
|
||||
nixos.services =
|
||||
nixos =
|
||||
{
|
||||
postgresql.instances.nextcloud = {};
|
||||
redis.instances.nextcloud.port = 3499;
|
||||
nginx = { enable = true; https.${nextcloud.hostname}.global.configName = nextcloud.hostname; };
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates."nextcloud/secret" =
|
||||
system.sops =
|
||||
{
|
||||
content = builtins.toJSON
|
||||
templates."nextcloud/secret" =
|
||||
{
|
||||
redis.password = inputs.config.sops.placeholder."redis/nextcloud";
|
||||
mail_smtppassword = inputs.config.sops.placeholder."mail/bot";
|
||||
content = builtins.toJSON
|
||||
{
|
||||
redis.password = inputs.config.nixos.system.sops.placeholder."redis/nextcloud";
|
||||
mail_smtppassword = inputs.config.nixos.system.sops.placeholder."mail/bot";
|
||||
};
|
||||
owner = inputs.config.users.users.nextcloud.name;
|
||||
};
|
||||
secrets =
|
||||
{
|
||||
"nextcloud/postgresql" = { key = "postgresql/nextcloud"; owner = inputs.config.users.users.nextcloud.name; };
|
||||
"nextcloud/admin".owner = inputs.config.users.users.nextcloud.name;
|
||||
};
|
||||
owner = inputs.config.users.users.nextcloud.name;
|
||||
};
|
||||
secrets =
|
||||
services =
|
||||
{
|
||||
"nextcloud/postgresql" = { key = "postgresql/nextcloud"; owner = inputs.config.users.users.nextcloud.name; };
|
||||
"nextcloud/admin".owner = inputs.config.users.users.nextcloud.name;
|
||||
postgresql.instances.nextcloud = {};
|
||||
redis.instances.nextcloud.port = 3499;
|
||||
nginx.https.${nextcloud.hostname}.global.configName = nextcloud.hostname;
|
||||
};
|
||||
};
|
||||
systemd.services.nextcloud-setup = rec { requires = [ "postgresql.service" ]; after = requires; };
|
||||
|
||||
@@ -1,23 +1,13 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.applications.main = let inherit (inputs.lib) mkOption types; in
|
||||
options.nixos.services.nginx.applications.main = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{ type = types.nullOr (types.submodule {}); default = null; };
|
||||
config = let inherit (inputs.config.nixos.services.nginx.applications) main; in inputs.lib.mkIf (main != null)
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services.nginx.applications) main;
|
||||
inherit (inputs.lib) mkIf;
|
||||
in mkIf main.enable
|
||||
nixos.services.nginx.https."chn.moe".location =
|
||||
{
|
||||
nixos.services.nginx.https."chn.moe".location =
|
||||
{
|
||||
"/".return.return = "302 https://xn--s8w913fdga.chn.moe/@chn";
|
||||
"/.well-known/matrix/server".proxy =
|
||||
{
|
||||
setHeaders.Host = "matrix.chn.moe";
|
||||
upstream = "https://matrix.chn.moe";
|
||||
};
|
||||
};
|
||||
"/".return.return = "302 https://xn--s8w913fdga.chn.moe/@chn";
|
||||
"/.well-known/matrix/server".proxy = { setHeaders.Host = "matrix.chn.moe"; upstream = "https://matrix.chn.moe"; };
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -3,7 +3,6 @@ inputs:
|
||||
imports = inputs.localLib.findModules ./.;
|
||||
options.nixos.services.nginx = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
# transparentProxy -> https(with proxyProtocol) or transparentProxy -> streamProxy -> https(with proxyProtocol)
|
||||
# https without proxyProtocol listen on private ip, with proxyProtocol listen on all ip
|
||||
# streamProxy listen on private ip
|
||||
@@ -16,824 +15,88 @@ inputs:
|
||||
{
|
||||
httpsPort = 3065;
|
||||
httpsPortShift = { http2 = 1; proxyProtocol = 2; };
|
||||
httpsLocationTypes = [ "proxy" "static" "php" "return" "cgi" "alias" ];
|
||||
httpTypes = [ "rewriteHttps" "php" ];
|
||||
httpsLocationTypes = [ "proxy" "static" "php" "return" "alias" ];
|
||||
httpTypes = [ "rewriteHttps" "php" "proxy" ];
|
||||
streamPort = 5575;
|
||||
streamPortShift = { proxyProtocol = 1; };
|
||||
streamPortShift.proxyProtocol = 1;
|
||||
};
|
||||
};
|
||||
transparentProxy =
|
||||
{
|
||||
# only disable in some rare cases
|
||||
enable = mkOption { type = types.bool; default = true; };
|
||||
externalIp = mkOption { type = types.listOf types.nonEmptyStr; default = [ "0.0.0.0" ]; };
|
||||
# proxy to 127.0.0.1:${specified port}
|
||||
map = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.oneOf
|
||||
[
|
||||
# proxy to 127.0.0.1:${specified port}
|
||||
types.ints.unsigned
|
||||
# proxy to specified ip:port
|
||||
types.nonEmptyStr
|
||||
]);
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
streamProxy =
|
||||
{
|
||||
map = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.oneOf
|
||||
[
|
||||
# proxy to specified ip:port without proxyProtocol
|
||||
types.nonEmptyStr
|
||||
(types.submodule { options =
|
||||
{
|
||||
upstream = mkOption
|
||||
{
|
||||
type = types.oneOf
|
||||
[
|
||||
# proxy to specified ip:port with or without proxyProtocol
|
||||
types.nonEmptyStr
|
||||
(types.submodule { options =
|
||||
{
|
||||
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
|
||||
# if port not specified, guess from proxyProtocol enabled or not, assume http2 enabled
|
||||
port = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
|
||||
};})
|
||||
];
|
||||
default = {};
|
||||
};
|
||||
proxyProtocol = mkOption { type = types.bool; default = true; };
|
||||
addToTransparentProxy = mkOption { type = types.bool; default = true; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = true; };
|
||||
};})
|
||||
]);
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
https = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (siteSubmoduleInputs: { options =
|
||||
{
|
||||
global =
|
||||
{
|
||||
configName = mkOption
|
||||
{
|
||||
type = types.nonEmptyStr;
|
||||
default = "https:${siteSubmoduleInputs.config._module.args.name}";
|
||||
};
|
||||
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
index = mkOption
|
||||
{
|
||||
type = types.nullOr (types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
|
||||
default = null;
|
||||
};
|
||||
charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
detectAuth = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
|
||||
users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
rewriteHttps = mkOption { type = types.bool; default = true; };
|
||||
tlsCert = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};
|
||||
listen = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
http2 = mkOption { type = types.bool; default = true; };
|
||||
proxyProtocol = mkOption { type = types.bool; default = true; };
|
||||
# if proxyProtocol not enabled, add to transparentProxy only
|
||||
# if proxyProtocol enabled, add to transparentProxy and streamProxy
|
||||
addToTransparentProxy = mkOption { type = types.bool; default = true; };
|
||||
};});
|
||||
default.main = {};
|
||||
};
|
||||
location = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
let
|
||||
genericOptions =
|
||||
{
|
||||
# should be set to non null value if global root is null
|
||||
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
detectAuth = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
|
||||
users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
# only one should be specified
|
||||
proxy = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
inherit (genericOptions) detectAuth;
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
websocket = mkOption { type = types.bool; default = false; };
|
||||
setHeaders = mkOption
|
||||
{
|
||||
type = types.attrsOf types.str;
|
||||
default.Host = siteSubmoduleInputs.config._module.args.name;
|
||||
};
|
||||
# echo -n "username:password" | base64
|
||||
addAuth = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
static = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
inherit (genericOptions) detectAuth root;
|
||||
index = mkOption
|
||||
{
|
||||
type = types.nullOr
|
||||
(types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
|
||||
default = null;
|
||||
};
|
||||
charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
tryFiles = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
|
||||
webdav = mkOption { type = types.bool; default = false; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
php = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{ inherit (genericOptions) detectAuth root; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
|
||||
default = null;
|
||||
};
|
||||
return = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{ return = mkOption { type = types.nonEmptyStr; }; };});
|
||||
default = null;
|
||||
};
|
||||
cgi = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options = { inherit (genericOptions) detectAuth root; };});
|
||||
default = null;
|
||||
};
|
||||
alias = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
path = mkOption { type = types.nonEmptyStr; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
};});
|
||||
default = {};
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
http = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
rewriteHttps = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
php = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{ root = mkOption { type = types.nonEmptyStr; }; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
|
||||
default = null;
|
||||
};
|
||||
proxy = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
websocket = mkOption { type = types.bool; default = false; };
|
||||
setHeaders = mkOption
|
||||
{
|
||||
type = types.attrsOf types.str;
|
||||
default.Host = submoduleInputs.config._module.args.name;
|
||||
};
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (inputs.config.nixos.services) nginx;
|
||||
inherit (builtins) map listToAttrs concatStringsSep toString filter attrValues concatLists;
|
||||
concatAttrs = list: listToAttrs (concatLists (map (attrs: attrsToList attrs) list));
|
||||
in inputs.lib.mkIf nginx.enable (inputs.lib.mkMerge
|
||||
[
|
||||
# generic config
|
||||
{
|
||||
services =
|
||||
{
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
enableReload = true;
|
||||
eventsConfig =
|
||||
''
|
||||
worker_connections 524288;
|
||||
use epoll;
|
||||
'';
|
||||
commonHttpConfig =
|
||||
''
|
||||
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
log_format http '[$time_local] $remote_addr-$geoip2_data_country_code "$host"'
|
||||
' $request_length $bytes_sent $status "$request" referer: "$http_referer" ua: "$http_user_agent"';
|
||||
access_log syslog:server=unix:/dev/log http;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_session_reuse off;
|
||||
send_timeout 1d;
|
||||
# nginx will try to redirect https://blog.chn.moe/docs to https://blog.chn.moe:3068/docs/ in default
|
||||
# this make it redirect to /docs/ without hostname
|
||||
absolute_redirect off;
|
||||
# allow realip module to set ip
|
||||
set_real_ip_from 0.0.0.0/0;
|
||||
real_ip_header proxy_protocol;
|
||||
'';
|
||||
proxyTimeout = "1d";
|
||||
recommendedZstdSettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedBrotliSettings = true;
|
||||
clientMaxBodySize = "0";
|
||||
package =
|
||||
let
|
||||
nginx-geoip2 =
|
||||
{
|
||||
name = "ngx_http_geoip2_module";
|
||||
src = inputs.pkgs.fetchFromGitHub
|
||||
{
|
||||
owner = "leev";
|
||||
repo = "ngx_http_geoip2_module";
|
||||
rev = "a607a41a8115fecfc05b5c283c81532a3d605425";
|
||||
hash = "sha256-CkmaeEa1iEAabJEDu3FhBUR7QF38koGYlyx+pyKZV9Y=";
|
||||
};
|
||||
meta.license = [];
|
||||
};
|
||||
in
|
||||
(inputs.pkgs.nginxMainline.override (prev: { modules = prev.modules ++ [ nginx-geoip2 ]; }))
|
||||
.overrideAttrs (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
|
||||
streamConfig =
|
||||
''
|
||||
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
resolver 8.8.8.8;
|
||||
'';
|
||||
# todo: use host dns
|
||||
resolver.addresses = [ "8.8.8.8" ];
|
||||
};
|
||||
geoipupdate =
|
||||
{
|
||||
enable = true;
|
||||
settings =
|
||||
{
|
||||
AccountID = 901296;
|
||||
LicenseKey = inputs.config.sops.secrets."nginx/maxmind-license".path;
|
||||
EditionIDs = [ "GeoLite2-ASN" "GeoLite2-City" "GeoLite2-Country" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
sops.secrets."nginx/maxmind-license" =
|
||||
{
|
||||
owner = inputs.config.users.users.nginx.name;
|
||||
sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml";
|
||||
};
|
||||
systemd.services.nginx.serviceConfig =
|
||||
{
|
||||
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
|
||||
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
|
||||
LimitNPROC = 65536;
|
||||
LimitNOFILE = 524288;
|
||||
};
|
||||
}
|
||||
# transparentProxy
|
||||
(inputs.lib.mkIf nginx.transparentProxy.enable
|
||||
{
|
||||
services.nginx.streamConfig =
|
||||
''
|
||||
log_format transparent_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
|
||||
'"$ssl_preread_server_name"->$transparent_proxy_backend $bytes_sent $bytes_received';
|
||||
map $ssl_preread_server_name $transparent_proxy_backend {
|
||||
${concatStringsSep "\n " (builtins.map
|
||||
(x:
|
||||
let upstrem = if builtins.isInt x.value then "127.0.0.1:${builtins.toString x.value}" else x.value;
|
||||
in ''"${x.name}" ${upstrem};'')
|
||||
(attrsToList nginx.transparentProxy.map))}
|
||||
default 127.0.0.1:${toString (with nginx.global; (httpsPort + httpsPortShift.http2))};
|
||||
}
|
||||
server {
|
||||
${concatStringsSep "\n " (map (ip: "listen ${ip}:443;") nginx.transparentProxy.externalIp)}
|
||||
ssl_preread on;
|
||||
proxy_bind $remote_addr transparent;
|
||||
proxy_pass $transparent_proxy_backend;
|
||||
proxy_connect_timeout 1s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log transparent_proxy;
|
||||
}
|
||||
'';
|
||||
# TODO: use existing options
|
||||
systemd.services.nginx-proxy =
|
||||
let
|
||||
ip = "${inputs.pkgs.iproute2}/bin/ip";
|
||||
start = inputs.pkgs.writeShellScript "nginx-proxy.start"
|
||||
''
|
||||
${ip} rule add fwmark 2/2 table 200
|
||||
${ip} route add local 0.0.0.0/0 dev lo table 200
|
||||
'';
|
||||
stop = inputs.pkgs.writeShellScript "nginx-proxy.stop"
|
||||
''
|
||||
${ip} rule del fwmark 2/2 table 200
|
||||
${ip} route del local 0.0.0.0/0 dev lo table 200
|
||||
'';
|
||||
in
|
||||
{
|
||||
description = "nginx transparent proxy";
|
||||
after = [ "network.target" ];
|
||||
serviceConfig =
|
||||
{
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = start;
|
||||
ExecStop = stop;
|
||||
};
|
||||
wants = [ "network.target" ];
|
||||
wantedBy= [ "multi-user.target" ];
|
||||
};
|
||||
networking.nftables.tables.nginx =
|
||||
{
|
||||
family = "inet";
|
||||
content =
|
||||
''
|
||||
chain output {
|
||||
type route hook output priority mangle; policy accept;
|
||||
# 由本机发出、gid 为 nginx、但源地址不是本地监听的地址,说明是透明代理的第一个包,将这个流标记
|
||||
# 但这个包本身不需要处理,正常路由即可。
|
||||
meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
|
||||
ct state new counter ct mark set ct mark | 2
|
||||
# 由本机发出、作为透明代理的回复,它不能按照通常的路由,它需要被打上标记并被路由到本地
|
||||
# 这对应于透明代理到本地的服务的情况
|
||||
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
|
||||
return
|
||||
}
|
||||
# 还需要处理透明代理到其它机器的情况,它们的回复需要在 prerouting 中标记
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority mangle; policy accept;
|
||||
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 accept
|
||||
return
|
||||
}
|
||||
'';
|
||||
};
|
||||
})
|
||||
# streamProxy
|
||||
{
|
||||
services.nginx.streamConfig =
|
||||
''
|
||||
log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
|
||||
'"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
|
||||
map $ssl_preread_server_name $stream_proxy_backend {
|
||||
${concatStringsSep "\n " (map
|
||||
(x:
|
||||
let
|
||||
upstream =
|
||||
if (builtins.typeOf x.value.upstream == "string") then
|
||||
x.value.upstream
|
||||
else
|
||||
let
|
||||
port = with nginx.global;
|
||||
if x.value.upstream.port == null then
|
||||
httpsPort + httpsPortShift.http2
|
||||
+ (if x.value.proxyProtocol then httpsPortShift.proxyProtocol else 0)
|
||||
else x.value.upstream.port;
|
||||
in "${x.value.upstream.address}:${toString port}";
|
||||
in ''"${x.name}" "${upstream}";'')
|
||||
(attrsToList nginx.streamProxy.map))}
|
||||
}
|
||||
server {
|
||||
listen 127.0.0.1:${toString nginx.global.streamPort};
|
||||
ssl_preread on;
|
||||
proxy_pass $stream_proxy_backend;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log stream_proxy;
|
||||
}
|
||||
server {
|
||||
listen 127.0.0.1:${toString (with nginx.global; (streamPort + streamPortShift.proxyProtocol))};
|
||||
proxy_protocol on;
|
||||
ssl_preread on;
|
||||
proxy_pass $stream_proxy_backend;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log stream_proxy;
|
||||
}
|
||||
'';
|
||||
nixos.services.nginx =
|
||||
{
|
||||
transparentProxy.map = listToAttrs
|
||||
(
|
||||
(map
|
||||
(site: { inherit (site) name; value = nginx.global.streamPort; })
|
||||
(filter
|
||||
(site: (!(site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
|
||||
(attrsToList nginx.streamProxy.map)))
|
||||
++ (map
|
||||
(site: { inherit (site) name; value = with nginx.global; streamPort + streamPortShift.proxyProtocol; })
|
||||
(filter
|
||||
(site: ((site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
|
||||
(attrsToList nginx.streamProxy.map)))
|
||||
);
|
||||
http = listToAttrs (map
|
||||
(site: { inherit (site) name; value.rewriteHttps = {}; })
|
||||
(filter (site: site.value.rewriteHttps or false) (attrsToList nginx.streamProxy.map)));
|
||||
};
|
||||
}
|
||||
# https assertions
|
||||
{
|
||||
# only one type should be specified in each location
|
||||
assertions =
|
||||
(
|
||||
(map
|
||||
(location:
|
||||
{
|
||||
assertion = (inputs.lib.count
|
||||
(x: x != null)
|
||||
(map (type: location.value.${type}) nginx.global.httpsLocationTypes)) <= 1;
|
||||
message = "Only one type shuold be specified in ${location.name}";
|
||||
})
|
||||
(concatLists (map
|
||||
(site: (map
|
||||
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
|
||||
(attrsToList site.value.location)))
|
||||
(attrsToList nginx.https))))
|
||||
# root should be specified either in global or in each location
|
||||
++ (map
|
||||
(location:
|
||||
{
|
||||
assertion = (location.value.root or "") != null;
|
||||
message = "Root should be specified in ${location.name}";
|
||||
})
|
||||
(concatLists (map
|
||||
(site: (map
|
||||
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
|
||||
(attrsToList site.value.location)))
|
||||
(filter (site: site.value.global.root == null) (attrsToList nginx.https)))))
|
||||
);
|
||||
}
|
||||
# https
|
||||
(
|
||||
let
|
||||
# merge different types of locations
|
||||
sites = map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value =
|
||||
{
|
||||
inherit (site.value) global;
|
||||
listens = attrValues site.value.listen;
|
||||
locations = map
|
||||
(location:
|
||||
{
|
||||
inherit (location) name;
|
||||
value =
|
||||
let _ = builtins.head (filter (type: type.value != null) (attrsToList location.value));
|
||||
in _.value // { type = _.name; };
|
||||
})
|
||||
(attrsToList site.value.location);
|
||||
};
|
||||
})
|
||||
(attrsToList nginx.https);
|
||||
in
|
||||
{
|
||||
services =
|
||||
{
|
||||
nginx.virtualHosts = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
name = site.value.global.configName;
|
||||
value =
|
||||
{
|
||||
serverName = site.name;
|
||||
root = inputs.lib.mkIf (site.value.global.root != null) site.value.global.root;
|
||||
basicAuthFile = inputs.lib.mkIf (site.value.global.detectAuth != null)
|
||||
(
|
||||
let secret = "nginx/templates/detectAuth/${inputs.lib.strings.escapeURL site.name}-global";
|
||||
in inputs.config.sops.templates.${secret}.path
|
||||
);
|
||||
extraConfig = concatStringsSep "\n"
|
||||
(
|
||||
(
|
||||
let inherit (site.value.global) index; in
|
||||
if (builtins.typeOf index == "list") then [ "index ${concatStringsSep " " index};" ]
|
||||
else if (index == "auto") then [ "autoindex on;" ]
|
||||
else []
|
||||
)
|
||||
++ (
|
||||
let inherit (site.value.global) detectAuth; in
|
||||
if (detectAuth != null) then [ ''auth_basic "${detectAuth.text}"'' ] else []
|
||||
)
|
||||
++ (
|
||||
let inherit (site.value.global) charset; in
|
||||
if (charset != null) then [ "charset ${charset};" ] else []
|
||||
)
|
||||
);
|
||||
listen = map
|
||||
(listen:
|
||||
{
|
||||
addr = if listen.proxyProtocol then "0.0.0.0" else "127.0.0.1";
|
||||
port = with nginx.global; httpsPort
|
||||
+ (if listen.http2 then httpsPortShift.http2 else 0)
|
||||
+ (if listen.proxyProtocol then httpsPortShift.proxyProtocol else 0);
|
||||
ssl = true;
|
||||
proxyProtocol = listen.proxyProtocol;
|
||||
extraParameters = inputs.lib.mkIf listen.http2 [ "http2" ];
|
||||
})
|
||||
site.value.listens;
|
||||
# do not automatically add http2 listen
|
||||
http2 = false;
|
||||
onlySSL = true;
|
||||
useACMEHost = inputs.lib.mkIf (site.value.global.tlsCert == null) site.name;
|
||||
sslCertificate = inputs.lib.mkIf (site.value.global.tlsCert != null)
|
||||
"${site.value.global.tlsCert}/fullchain.pem";
|
||||
sslCertificateKey = inputs.lib.mkIf (site.value.global.tlsCert != null)
|
||||
"${site.value.global.tlsCert}/privkey.pem";
|
||||
locations = listToAttrs (map
|
||||
(location:
|
||||
{
|
||||
inherit (location) name;
|
||||
value =
|
||||
{
|
||||
basicAuthFile = inputs.lib.mkIf (location.value.detectAuth or null != null)
|
||||
(
|
||||
let
|
||||
inherit (inputs.lib.strings) escapeURL;
|
||||
secret = "nginx/templates/detectAuth/${escapeURL site.name}/${escapeURL location.name}";
|
||||
in inputs.config.sops.templates.${secret}.path
|
||||
);
|
||||
root = inputs.lib.mkIf (location.value.root or null != null) location.value.root;
|
||||
}
|
||||
// {
|
||||
proxy =
|
||||
{
|
||||
proxyPass = location.value.upstream;
|
||||
proxyWebsockets = location.value.websocket;
|
||||
recommendedProxySettings = false;
|
||||
recommendedProxySettingsNoHost = true;
|
||||
extraConfig = concatStringsSep "\n"
|
||||
(
|
||||
(map
|
||||
(header: ''proxy_set_header ${header.name} "${header.value}";'')
|
||||
(attrsToList location.value.setHeaders))
|
||||
++ (
|
||||
if location.value.detectAuth != null || site.value.global.detectAuth != null
|
||||
then [ "proxy_hide_header Authorization;" ]
|
||||
else []
|
||||
)
|
||||
++ (
|
||||
if location.value.addAuth != null then
|
||||
let authFile = "nginx/templates/addAuth/${location.value.addAuth}";
|
||||
in [ "include ${inputs.config.sops.templates.${authFile}.path};" ]
|
||||
else [])
|
||||
);
|
||||
};
|
||||
static =
|
||||
{
|
||||
index = inputs.lib.mkIf (builtins.typeOf location.value.index == "list")
|
||||
(concatStringsSep " " location.value.index);
|
||||
tryFiles = inputs.lib.mkIf (location.value.tryFiles != null)
|
||||
(concatStringsSep " " location.value.tryFiles);
|
||||
extraConfig = inputs.lib.mkMerge
|
||||
[
|
||||
(inputs.lib.mkIf (location.value.index == "auto") "autoindex on;")
|
||||
(inputs.lib.mkIf (location.value.charset != null) "charset ${location.value.charset};")
|
||||
(inputs.lib.mkIf location.value.webdav
|
||||
''
|
||||
dav_access user:rw group:rw;
|
||||
dav_methods PUT DELETE MKCOL COPY MOVE;
|
||||
dav_ext_methods PROPFIND OPTIONS;
|
||||
create_full_put_path on;
|
||||
'')
|
||||
];
|
||||
};
|
||||
php.extraConfig =
|
||||
''
|
||||
fastcgi_pass ${location.value.fastcgiPass};
|
||||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
|
||||
'';
|
||||
return.return = location.value.return;
|
||||
cgi.extraConfig =
|
||||
''
|
||||
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
|
||||
fastcgi_pass unix:${inputs.config.services.fcgiwrap.socketAddress};
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
'';
|
||||
alias.alias = location.value.path;
|
||||
}.${location.value.type};
|
||||
})
|
||||
site.value.locations);
|
||||
};
|
||||
})
|
||||
sites);
|
||||
fcgiwrap = inputs.lib.mkIf
|
||||
(
|
||||
filter (site: site != []) (map
|
||||
(site: filter (location: location.value.type == "cgi") site.value.locations)
|
||||
sites)
|
||||
!= []
|
||||
)
|
||||
(with inputs.config.users.users.nginx; { enable = true; user = name; inherit group; });
|
||||
};
|
||||
nixos.services =
|
||||
{
|
||||
nginx =
|
||||
let
|
||||
# { name = domain; value = listen = { http2 = xxx, proxyProtocol = xxx }; }
|
||||
listens = filter
|
||||
(listen: listen.value.addToTransparentProxy)
|
||||
(concatLists (map
|
||||
(site: map (listen: { inherit (site) name; value = listen; }) site.value.listens)
|
||||
sites));
|
||||
in
|
||||
{
|
||||
transparentProxy.map = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value = with nginx.global; httpsPort + (if site.value.http2 then httpsPortShift.http2 else 0);
|
||||
})
|
||||
(filter (listen: !listen.value.proxyProtocol) listens));
|
||||
streamProxy.map = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value =
|
||||
{
|
||||
upstream.port = with nginx.global; httpsPort + httpsPortShift.proxyProtocol
|
||||
+ (if site.value.http2 then httpsPortShift.http2 else 0);
|
||||
proxyProtocol = true;
|
||||
rewriteHttps = inputs.lib.mkDefault false;
|
||||
};
|
||||
})
|
||||
(filter (listen: listen.value.proxyProtocol) listens));
|
||||
http = listToAttrs (map
|
||||
(site: { inherit (site) name; value.rewriteHttps = {}; })
|
||||
(filter (site: site.value.global.rewriteHttps) sites));
|
||||
};
|
||||
acme.cert = listToAttrs (map
|
||||
(site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
|
||||
sites);
|
||||
};
|
||||
sops =
|
||||
let
|
||||
inherit (inputs.lib.strings) escapeURL;
|
||||
detectAuthUsers = concatLists (map
|
||||
(site:
|
||||
(
|
||||
(map
|
||||
(location:
|
||||
{
|
||||
name = "${escapeURL site.name}/${escapeURL location.name}";
|
||||
value = location.value.detectAuth.users;
|
||||
})
|
||||
(filter (location: location.value.detectAuth or null != null) site.value.locations))
|
||||
++ (if site.value.global.detectAuth != null then
|
||||
[ { name = "${escapeURL site.name}-global"; value = site.value.global.detectAuth.users; } ]
|
||||
else [])
|
||||
))
|
||||
sites);
|
||||
addAuth = concatLists (map
|
||||
(site: map
|
||||
(location:
|
||||
{
|
||||
name = "${escapeURL site.name}/${escapeURL location.name}";
|
||||
value = location.value.addAuth;
|
||||
})
|
||||
(filter (location: location.value.addAuth or null != null) site.value.locations)
|
||||
)
|
||||
sites);
|
||||
in
|
||||
{
|
||||
templates = listToAttrs
|
||||
(
|
||||
(map
|
||||
(detectAuth:
|
||||
{
|
||||
name = "nginx/templates/detectAuth/${detectAuth.name}";
|
||||
value =
|
||||
{
|
||||
owner = inputs.config.users.users.nginx.name;
|
||||
content = concatStringsSep "\n" (map
|
||||
(user: "${user}:{PLAIN}${inputs.config.sops.placeholder."nginx/detectAuth/${user}"}")
|
||||
detectAuth.value);
|
||||
};
|
||||
})
|
||||
detectAuthUsers)
|
||||
++ (map
|
||||
(addAuth:
|
||||
{
|
||||
name = "nginx/templates/addAuth/${addAuth.name}";
|
||||
value =
|
||||
{
|
||||
owner = inputs.config.users.users.nginx.name;
|
||||
content =
|
||||
let placeholder = inputs.config.sops.placeholder."nginx/addAuth/${addAuth.value}";
|
||||
in ''proxy_set_header Authorization "Basic ${placeholder}";'';
|
||||
};
|
||||
})
|
||||
addAuth)
|
||||
);
|
||||
secrets = listToAttrs
|
||||
(
|
||||
(map
|
||||
(secret: { name = "nginx/detectAuth/${secret}"; value = {}; })
|
||||
(inputs.lib.unique (concatLists (map (detectAuth: detectAuth.value) detectAuthUsers))))
|
||||
++ (map
|
||||
(secret: { name = "nginx/addAuth/${secret}"; value = {}; })
|
||||
(inputs.lib.unique (map (addAuth: addAuth.value) addAuth)))
|
||||
);
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) nginx; in inputs.lib.mkIf
|
||||
(nginx.http != {} || nginx.https != {} || nginx.streamProxy.map != {} || nginx.transparentProxy.map != {})
|
||||
{
|
||||
services.nginx =
|
||||
{
|
||||
enable = true;
|
||||
enableReload = true;
|
||||
eventsConfig =
|
||||
''
|
||||
worker_connections 524288;
|
||||
use epoll;
|
||||
'';
|
||||
commonHttpConfig =
|
||||
''
|
||||
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
)
|
||||
# http
|
||||
{
|
||||
assertions = map
|
||||
(site:
|
||||
log_format http '[$time_local] $remote_addr-$geoip2_data_country_code "$host"'
|
||||
' $request_length $bytes_sent $status "$request" referer: "$http_referer" ua: "$http_user_agent"';
|
||||
access_log syslog:server=unix:/dev/log http;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_session_reuse off;
|
||||
send_timeout 1d;
|
||||
# nginx will try to redirect https://blog.chn.moe/docs to https://blog.chn.moe:3068/docs/ in default
|
||||
# this make it redirect to /docs/ without hostname
|
||||
absolute_redirect off;
|
||||
# allow realip module to set ip
|
||||
set_real_ip_from 0.0.0.0/0;
|
||||
real_ip_header proxy_protocol;
|
||||
# gitea needs long time to upload/download large files over ssh
|
||||
client_body_timeout 1h;
|
||||
'';
|
||||
proxyTimeout = "1d";
|
||||
recommendedZstdSettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
# do not set Host header
|
||||
recommendedProxySettings = false;
|
||||
recommendedProxySettingsNoHost = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedBrotliSettings = true;
|
||||
clientMaxBodySize = "0";
|
||||
package =
|
||||
let nginx-geoip2 =
|
||||
{
|
||||
name = "ngx_http_geoip2_module";
|
||||
src = inputs.pkgs.fetchFromGitHub
|
||||
{
|
||||
assertion = (inputs.lib.count (x: x != null) (map (type: site.value.${type}) nginx.global.httpTypes)) <= 1;
|
||||
message = "Only one type shuold be specified in ${site.name}";
|
||||
})
|
||||
(attrsToList nginx.http);
|
||||
services.nginx.virtualHosts = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
name = "http.${site.name}";
|
||||
value = { serverName = site.name; listen = [ { addr = "0.0.0.0"; port = 80; } ]; }
|
||||
// (if site.value.rewriteHttps != null then
|
||||
{ locations."/".return = "301 https://${site.value.rewriteHttps.hostname}$request_uri"; }
|
||||
else {})
|
||||
// (if site.value.php != null then
|
||||
{
|
||||
extraConfig = "index index.php;";
|
||||
root = site.value.php.root;
|
||||
locations."~ ^.+?.php(/.*)?$".extraConfig =
|
||||
''
|
||||
fastcgi_pass ${site.value.php.fastcgiPass};
|
||||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
|
||||
'';
|
||||
}
|
||||
else {})
|
||||
// (if site.value.proxy != null then
|
||||
{
|
||||
locations."/" =
|
||||
{
|
||||
proxyPass = site.value.proxy.upstream;
|
||||
proxyWebsockets = site.value.proxy.websocket;
|
||||
recommendedProxySettings = false;
|
||||
recommendedProxySettingsNoHost = true;
|
||||
extraConfig = builtins.concatStringsSep "\n" (builtins.map
|
||||
(header: ''proxy_set_header ${header.name} "${header.value}";'')
|
||||
(inputs.localLib.attrsToList site.value.proxy.setHeaders));
|
||||
};
|
||||
}
|
||||
else {});
|
||||
})
|
||||
(attrsToList nginx.http));
|
||||
}
|
||||
]);
|
||||
owner = "leev";
|
||||
repo = "ngx_http_geoip2_module";
|
||||
rev = "a607a41a8115fecfc05b5c283c81532a3d605425";
|
||||
hash = "sha256-CkmaeEa1iEAabJEDu3FhBUR7QF38koGYlyx+pyKZV9Y=";
|
||||
};
|
||||
meta.license = [];
|
||||
};
|
||||
in (inputs.pkgs.nginxMainline.override (prev: { modules = prev.modules ++ [ nginx-geoip2 ]; }))
|
||||
.overrideAttrs (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
|
||||
streamConfig =
|
||||
''
|
||||
geoip2 ${inputs.config.services.geoipupdate.settings.DatabaseDirectory}/GeoLite2-Country.mmdb {
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
resolver 8.8.8.8;
|
||||
'';
|
||||
# anyway to use host dns?
|
||||
resolver.addresses = [ "8.8.8.8" ];
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
nixos.services.geoipupdate = {};
|
||||
systemd.services.nginx.serviceConfig =
|
||||
{
|
||||
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
|
||||
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
|
||||
LimitNPROC = 65536;
|
||||
LimitNOFILE = 524288;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
79
modules/services/nginx/http.nix
Normal file
79
modules/services/nginx/http.nix
Normal file
@@ -0,0 +1,79 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.http = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
rewriteHttps = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
php = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{ root = mkOption { type = types.nonEmptyStr; }; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
|
||||
default = null;
|
||||
};
|
||||
proxy = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
websocket = mkOption { type = types.bool; default = false; };
|
||||
setHeaders = mkOption
|
||||
{ type = types.attrsOf types.str; default.Host = submoduleInputs.config._module.args.name; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) nginx; in inputs.lib.mkIf (nginx.http != {})
|
||||
{
|
||||
assertions = inputs.lib.mapAttrsToList
|
||||
(n: v:
|
||||
{
|
||||
assertion = (inputs.lib.count (x: x != null) (builtins.map (type: v.${type}) nginx.global.httpTypes)) <= 1;
|
||||
message = "Only one type shuold be specified in ${n}";
|
||||
})
|
||||
nginx.http;
|
||||
services.nginx.virtualHosts = inputs.lib.mapAttrs'
|
||||
(n: v:
|
||||
{
|
||||
name = "http.${n}";
|
||||
value = { serverName = n; listen = [ { addr = "0.0.0.0"; port = 80; } ]; }
|
||||
// (inputs.lib.optionalAttrs (v.rewriteHttps != null)
|
||||
{ locations."/".return = "301 https://${v.rewriteHttps.hostname}$request_uri"; })
|
||||
// (inputs.lib.optionalAttrs (v.php != null)
|
||||
{
|
||||
extraConfig = "index index.php;";
|
||||
root = v.php.root;
|
||||
locations."~ ^.+?.php(/.*)?$".extraConfig =
|
||||
''
|
||||
fastcgi_pass ${v.php.fastcgiPass};
|
||||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
|
||||
'';
|
||||
})
|
||||
// (inputs.lib.optionalAttrs (v.proxy != null)
|
||||
{
|
||||
locations."/" =
|
||||
{
|
||||
proxyPass = v.proxy.upstream;
|
||||
proxyWebsockets = v.proxy.websocket;
|
||||
recommendedProxySettings = false;
|
||||
recommendedProxySettingsNoHost = true;
|
||||
extraConfig = builtins.concatStringsSep "\n" (inputs.lib.mapAttrsToList
|
||||
(n: v: ''proxy_set_header ${n} "${v}";'')
|
||||
v.proxy.setHeaders);
|
||||
};
|
||||
});
|
||||
})
|
||||
nginx.http;
|
||||
};
|
||||
}
|
||||
394
modules/services/nginx/https.nix
Normal file
394
modules/services/nginx/https.nix
Normal file
@@ -0,0 +1,394 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.https = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule (siteSubmoduleInputs: { options =
|
||||
{
|
||||
global =
|
||||
{
|
||||
configName = mkOption
|
||||
{ type = types.nonEmptyStr; default = "https:${siteSubmoduleInputs.config._module.args.name}"; };
|
||||
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
index = mkOption
|
||||
{
|
||||
type = types.nullOr (types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
|
||||
default = null;
|
||||
};
|
||||
charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
detectAuth = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
|
||||
users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
rewriteHttps = mkOption { type = types.bool; default = true; };
|
||||
tlsCert = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};
|
||||
listen = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
http2 = mkOption { type = types.bool; default = true; };
|
||||
proxyProtocol = mkOption { type = types.bool; default = true; };
|
||||
# if proxyProtocol not enabled, add to transparentProxy only
|
||||
# if proxyProtocol enabled, add to transparentProxy and streamProxy
|
||||
addToTransparentProxy = mkOption { type = types.bool; default = true; };
|
||||
};});
|
||||
default.main = {};
|
||||
};
|
||||
location = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
let genericOptions =
|
||||
{
|
||||
# should be set to non null value if global root is null
|
||||
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
detectAuth = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
text = mkOption { type = types.nonEmptyStr; default = "Restricted Content"; };
|
||||
users = mkOption { type = types.nonEmptyListOf types.nonEmptyStr; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
# only one should be specified
|
||||
proxy = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
inherit (genericOptions) detectAuth;
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
websocket = mkOption { type = types.bool; default = false; };
|
||||
setHeaders = mkOption
|
||||
{ type = types.attrsOf types.str; default.Host = siteSubmoduleInputs.config._module.args.name; };
|
||||
# echo -n "username:password" | base64
|
||||
addAuth = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
static = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
inherit (genericOptions) detectAuth root;
|
||||
index = mkOption
|
||||
{
|
||||
type = types.nullOr
|
||||
(types.oneOf [ (types.enum [ "auto" ]) (types.nonEmptyListOf types.nonEmptyStr) ]);
|
||||
default = null;
|
||||
};
|
||||
charset = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
tryFiles = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
|
||||
webdav = mkOption { type = types.bool; default = false; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
php = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{ inherit (genericOptions) detectAuth root; fastcgiPass = mkOption { type = types.nonEmptyStr; };};});
|
||||
default = null;
|
||||
};
|
||||
return = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options = { return = mkOption { type = types.nonEmptyStr; }; };});
|
||||
default = null;
|
||||
};
|
||||
alias = mkOption
|
||||
{
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
path = mkOption { type = types.nonEmptyStr; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
};});
|
||||
default = {};
|
||||
};
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) nginx; in inputs.lib.mkIf (nginx.https != {}) (inputs.lib.mkMerge
|
||||
[
|
||||
# https assertions
|
||||
{
|
||||
# only one type should be specified in each location
|
||||
assertions =
|
||||
(
|
||||
(builtins.map
|
||||
(location:
|
||||
{
|
||||
assertion = 1 >= (inputs.lib.count (x: x != null)
|
||||
(builtins.map (type: location.value.${type}) nginx.global.httpsLocationTypes));
|
||||
message = "Only one type shuold be specified in ${location.name}";
|
||||
})
|
||||
(builtins.concatLists (inputs.lib.mapAttrsToList
|
||||
(sn: sv: (inputs.lib.mapAttrsToList (ln: lv: inputs.lib.nameValuePair "${sn} ${ln}" lv) sv.location))
|
||||
nginx.https)))
|
||||
# root should be specified either in global or in each location
|
||||
++ (builtins.map
|
||||
(location:
|
||||
{
|
||||
assertion = (location.value.root or "") != null;
|
||||
message = "Root should be specified in ${location.name}";
|
||||
})
|
||||
(builtins.concatLists (builtins.map
|
||||
(site: (inputs.lib.mapAttrsToList
|
||||
(n: v: inputs.lib.nameValuePair "${site.name} ${n}" v)
|
||||
site.value.location))
|
||||
(builtins.filter (site: site.value.global.root == null) (inputs.localLib.attrsToList nginx.https)))))
|
||||
);
|
||||
}
|
||||
# https
|
||||
(
|
||||
# merge different types of locations
|
||||
let sites = inputs.lib.mapAttrsToList
|
||||
(sn: sv: inputs.lib.nameValuePair sn
|
||||
{
|
||||
inherit (sv) global;
|
||||
listens = builtins.attrValues sv.listen;
|
||||
locations = inputs.lib.mapAttrsToList
|
||||
(ln: lv: inputs.lib.nameValuePair ln
|
||||
(
|
||||
let _ = builtins.head (builtins.filter (type: type.value != null) (inputs.localLib.attrsToList lv));
|
||||
in _.value // { type = _.name; }
|
||||
))
|
||||
sv.location;
|
||||
})
|
||||
nginx.https;
|
||||
in
|
||||
{
|
||||
services.nginx.virtualHosts = builtins.listToAttrs (builtins.map
|
||||
(site:
|
||||
{
|
||||
name = site.value.global.configName;
|
||||
value =
|
||||
{
|
||||
serverName = site.name;
|
||||
root = inputs.lib.mkIf (site.value.global.root != null) site.value.global.root;
|
||||
basicAuthFile = inputs.lib.mkIf (site.value.global.detectAuth != null)
|
||||
(
|
||||
let secret = "nginx/templates/detectAuth/${inputs.lib.strings.escapeURL site.name}-global";
|
||||
in inputs.config.nixos.system.sops.templates.${secret}.path
|
||||
);
|
||||
extraConfig = builtins.concatStringsSep "\n"
|
||||
(
|
||||
(
|
||||
let inherit (site.value.global) index; in
|
||||
if (builtins.typeOf index == "list") then [ "index ${builtins.concatStringsSep " " index};" ]
|
||||
else if (index == "auto") then [ "autoindex on;" ]
|
||||
else []
|
||||
)
|
||||
++ (
|
||||
let inherit (site.value.global) detectAuth;
|
||||
in inputs.lib.optionals (detectAuth != null) [ ''auth_basic "${detectAuth.text}"'' ]
|
||||
)
|
||||
++ (
|
||||
let inherit (site.value.global) charset;
|
||||
in inputs.lib.optionals (charset != null) [ "charset ${charset};" ]
|
||||
)
|
||||
);
|
||||
listen = builtins.map
|
||||
(listen:
|
||||
{
|
||||
addr = if listen.proxyProtocol then "0.0.0.0" else "127.0.0.1";
|
||||
port = with nginx.global; httpsPort
|
||||
+ (if listen.http2 then httpsPortShift.http2 else 0)
|
||||
+ (if listen.proxyProtocol then httpsPortShift.proxyProtocol else 0);
|
||||
ssl = true;
|
||||
proxyProtocol = listen.proxyProtocol;
|
||||
extraParameters = inputs.lib.mkIf listen.http2 [ "http2" ];
|
||||
})
|
||||
site.value.listens;
|
||||
# do not automatically add http2 listen
|
||||
http2 = false;
|
||||
onlySSL = true;
|
||||
useACMEHost = inputs.lib.mkIf (site.value.global.tlsCert == null) site.name;
|
||||
sslCertificate = inputs.lib.mkIf (site.value.global.tlsCert != null)
|
||||
"${site.value.global.tlsCert}/fullchain.pem";
|
||||
sslCertificateKey = inputs.lib.mkIf (site.value.global.tlsCert != null)
|
||||
"${site.value.global.tlsCert}/privkey.pem";
|
||||
locations = builtins.listToAttrs (builtins.map
|
||||
(location:
|
||||
{
|
||||
inherit (location) name;
|
||||
value =
|
||||
{
|
||||
basicAuthFile = inputs.lib.mkIf (location.value.detectAuth or null != null)
|
||||
(
|
||||
let
|
||||
inherit (inputs.lib.strings) escapeURL;
|
||||
secret = "nginx/templates/detectAuth/${escapeURL site.name}/${escapeURL location.name}";
|
||||
in inputs.config.nixos.system.sops.templates.${secret}.path
|
||||
);
|
||||
root = inputs.lib.mkIf (location.value.root or null != null) location.value.root;
|
||||
}
|
||||
// {
|
||||
proxy =
|
||||
{
|
||||
proxyWebsockets = location.value.websocket;
|
||||
recommendedProxySettings = false;
|
||||
recommendedProxySettingsNoHost = true;
|
||||
proxyPass = location.value.upstream;
|
||||
extraConfig = builtins.concatStringsSep "\n"
|
||||
(
|
||||
(inputs.lib.mapAttrsToList (n: v: ''proxy_set_header ${n} "${v}";'')
|
||||
location.value.setHeaders)
|
||||
++ (inputs.lib.optionals
|
||||
(location.value.detectAuth != null || site.value.global.detectAuth != null)
|
||||
[ "proxy_hide_header Authorization;" ]
|
||||
)
|
||||
++ (inputs.lib.optionals (location.value.addAuth != null)
|
||||
(
|
||||
let authFile = "nginx/templates/addAuth/${location.value.addAuth}";
|
||||
in [ "include ${inputs.config.nixos.system.sops.templates.${authFile}.path};" ]
|
||||
))
|
||||
);
|
||||
};
|
||||
static =
|
||||
{
|
||||
index = inputs.lib.mkIf (builtins.typeOf location.value.index == "list")
|
||||
(builtins.concatStringsSep " " location.value.index);
|
||||
tryFiles = inputs.lib.mkIf (location.value.tryFiles != null)
|
||||
(builtins.concatStringsSep " " location.value.tryFiles);
|
||||
extraConfig = inputs.lib.mkMerge
|
||||
[
|
||||
(inputs.lib.mkIf (location.value.index == "auto") "autoindex on;")
|
||||
(inputs.lib.mkIf (location.value.charset != null) "charset ${location.value.charset};")
|
||||
(inputs.lib.mkIf location.value.webdav
|
||||
''
|
||||
dav_access user:rw group:rw;
|
||||
dav_methods PUT DELETE MKCOL COPY MOVE;
|
||||
dav_ext_methods PROPFIND OPTIONS;
|
||||
create_full_put_path on;
|
||||
'')
|
||||
];
|
||||
};
|
||||
php.extraConfig =
|
||||
''
|
||||
fastcgi_pass ${location.value.fastcgiPass};
|
||||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
include ${inputs.config.services.nginx.package}/conf/fastcgi.conf;
|
||||
'';
|
||||
return.return = location.value.return;
|
||||
alias.alias = location.value.path;
|
||||
}.${location.value.type};
|
||||
})
|
||||
site.value.locations);
|
||||
};
|
||||
})
|
||||
sites);
|
||||
nixos =
|
||||
{
|
||||
services =
|
||||
{
|
||||
nginx =
|
||||
# { name = domain; value = listen = { http2 = xxx, proxyProtocol = xxx }; }
|
||||
let listens = builtins.filter
|
||||
(listen: listen.value.addToTransparentProxy)
|
||||
(builtins.concatLists (builtins.map
|
||||
(site: builtins.map (listen: { inherit (site) name; value = listen; }) site.value.listens)
|
||||
sites));
|
||||
in
|
||||
{
|
||||
transparentProxy.map = builtins.listToAttrs (builtins.map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value = with nginx.global; httpsPort + (if site.value.http2 then httpsPortShift.http2 else 0);
|
||||
})
|
||||
(builtins.filter (listen: !listen.value.proxyProtocol) listens));
|
||||
streamProxy.map = builtins.listToAttrs (builtins.map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value =
|
||||
{
|
||||
upstream.port = with nginx.global; httpsPort + httpsPortShift.proxyProtocol
|
||||
+ (if site.value.http2 then httpsPortShift.http2 else 0);
|
||||
proxyProtocol = true;
|
||||
rewriteHttps = inputs.lib.mkDefault false;
|
||||
};
|
||||
})
|
||||
(builtins.filter (listen: listen.value.proxyProtocol) listens));
|
||||
http = builtins.listToAttrs (builtins.map
|
||||
(site: { inherit (site) name; value.rewriteHttps = {}; })
|
||||
(builtins.filter (site: site.value.global.rewriteHttps) sites));
|
||||
};
|
||||
acme.cert = builtins.listToAttrs (builtins.map
|
||||
(site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
|
||||
sites);
|
||||
};
|
||||
system.sops =
|
||||
let
|
||||
inherit (inputs.lib.strings) escapeURL;
|
||||
detectAuthUsers = builtins.concatLists (builtins.map
|
||||
(site:
|
||||
(
|
||||
(builtins.map
|
||||
(location:
|
||||
{
|
||||
name = "${escapeURL site.name}/${escapeURL location.name}";
|
||||
value = location.value.detectAuth.users;
|
||||
})
|
||||
(builtins.filter (location: location.value.detectAuth or null != null) site.value.locations))
|
||||
++ (inputs.lib.optionals (site.value.global.detectAuth != null)
|
||||
[ { name = "${escapeURL site.name}-global"; value = site.value.global.detectAuth.users; } ])
|
||||
))
|
||||
sites);
|
||||
addAuth = builtins.concatLists (builtins.map
|
||||
(site: builtins.map
|
||||
(location:
|
||||
{
|
||||
name = "${escapeURL site.name}/${escapeURL location.name}";
|
||||
value = location.value.addAuth;
|
||||
})
|
||||
(builtins.filter (location: location.value.addAuth or null != null) site.value.locations)
|
||||
)
|
||||
sites);
|
||||
in
|
||||
{
|
||||
templates = let inherit (inputs.config.nixos.system.sops) placeholder; in builtins.listToAttrs
|
||||
(
|
||||
(builtins.map
|
||||
(detectAuth: inputs.lib.nameValuePair "nginx/templates/detectAuth/${detectAuth.name}"
|
||||
{
|
||||
owner = inputs.config.users.users.nginx.name;
|
||||
content = builtins.concatStringsSep "\n" (builtins.map
|
||||
(user: "${user}:{PLAIN}${placeholder."nginx/detectAuth/${user}"}")
|
||||
detectAuth.value);
|
||||
})
|
||||
detectAuthUsers)
|
||||
++ (builtins.map
|
||||
(addAuth: inputs.lib.nameValuePair "nginx/templates/addAuth/${addAuth.name}"
|
||||
{
|
||||
owner = inputs.config.users.users.nginx.name;
|
||||
content =
|
||||
''proxy_set_header Authorization "Basic ${placeholder."nginx/addAuth/${addAuth.value}"}";'';
|
||||
})
|
||||
addAuth)
|
||||
);
|
||||
secrets = builtins.listToAttrs
|
||||
(
|
||||
(builtins.map
|
||||
(secret: { name = "nginx/detectAuth/${secret}"; value = {}; })
|
||||
(inputs.lib.unique (builtins.concatLists (builtins.map (detectAuth: detectAuth.value)
|
||||
detectAuthUsers))))
|
||||
++ (builtins.map
|
||||
(secret: { name = "nginx/addAuth/${secret}"; value = {}; })
|
||||
(inputs.lib.unique (builtins.map (addAuth: addAuth.value) addAuth)))
|
||||
);
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
]);
|
||||
}
|
||||
97
modules/services/nginx/streamProxy.nix
Normal file
97
modules/services/nginx/streamProxy.nix
Normal file
@@ -0,0 +1,97 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.streamProxy = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
map = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.oneOf
|
||||
[
|
||||
# proxy to specified ip:port without proxyProtocol
|
||||
types.nonEmptyStr
|
||||
(types.submodule { options =
|
||||
{
|
||||
upstream = mkOption
|
||||
{
|
||||
type = types.oneOf
|
||||
[
|
||||
# proxy to specified ip:port with or without proxyProtocol
|
||||
types.nonEmptyStr
|
||||
(types.submodule { options =
|
||||
{
|
||||
address = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
|
||||
# if port not specified, guess from proxyProtocol enabled or not, assume http2 enabled
|
||||
port = mkOption { type = types.nullOr types.ints.unsigned; default = null; };
|
||||
};})
|
||||
];
|
||||
default = {};
|
||||
};
|
||||
proxyProtocol = mkOption { type = types.bool; default = true; };
|
||||
addToTransparentProxy = mkOption { type = types.bool; default = true; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = true; };
|
||||
};})
|
||||
]);
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) nginx; in inputs.lib.mkIf (nginx.streamProxy.map != {})
|
||||
{
|
||||
services.nginx.streamConfig =
|
||||
''
|
||||
log_format stream_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
|
||||
'"$ssl_preread_server_name"->$stream_proxy_backend $bytes_sent $bytes_received';
|
||||
map $ssl_preread_server_name $stream_proxy_backend {
|
||||
${builtins.concatStringsSep "\n " (inputs.lib.mapAttrsToList
|
||||
(n: v:
|
||||
let
|
||||
upstream =
|
||||
if (builtins.typeOf v.upstream == "string") then v.upstream
|
||||
else
|
||||
let port = with nginx.global;
|
||||
if v.upstream.port == null then
|
||||
httpsPort + httpsPortShift.http2 + (if v.proxyProtocol then httpsPortShift.proxyProtocol else 0)
|
||||
else v.upstream.port;
|
||||
in "${v.upstream.address}:${builtins.toString port}";
|
||||
in ''"${n}" "${upstream}";'')
|
||||
nginx.streamProxy.map)}
|
||||
}
|
||||
server {
|
||||
listen 127.0.0.1:${toString nginx.global.streamPort};
|
||||
ssl_preread on;
|
||||
proxy_pass $stream_proxy_backend;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log stream_proxy;
|
||||
}
|
||||
server {
|
||||
listen 127.0.0.1:${builtins.toString (with nginx.global; (streamPort + streamPortShift.proxyProtocol))};
|
||||
proxy_protocol on;
|
||||
ssl_preread on;
|
||||
proxy_pass $stream_proxy_backend;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log stream_proxy;
|
||||
}
|
||||
'';
|
||||
nixos.services.nginx =
|
||||
{
|
||||
transparentProxy.map = builtins.listToAttrs
|
||||
(
|
||||
(builtins.map
|
||||
(site: { inherit (site) name; value = nginx.global.streamPort; })
|
||||
(builtins.filter
|
||||
(site: (!(site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
|
||||
(inputs.localLib.attrsToList nginx.streamProxy.map)))
|
||||
++ (builtins.map
|
||||
(site: { inherit (site) name; value = with nginx.global; streamPort + streamPortShift.proxyProtocol; })
|
||||
(builtins.filter
|
||||
(site: ((site.value.proxyProtocol or false) && (site.value.addToTransparentProxy or true)))
|
||||
(inputs.localLib.attrsToList nginx.streamProxy.map)))
|
||||
);
|
||||
http = builtins.listToAttrs (builtins.map
|
||||
(site: { inherit (site) name; value.rewriteHttps = {}; })
|
||||
(builtins.filter (site: site.value.rewriteHttps or false) (inputs.localLib.attrsToList nginx.streamProxy.map)));
|
||||
};
|
||||
};
|
||||
}
|
||||
108
modules/services/nginx/transparentProxy.nix
Normal file
108
modules/services/nginx/transparentProxy.nix
Normal file
@@ -0,0 +1,108 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.nginx.transparentProxy = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
# proxy to 127.0.0.1:${specified port}
|
||||
map = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.oneOf
|
||||
[
|
||||
# proxy to 127.0.0.1:${specified port}
|
||||
types.ints.unsigned
|
||||
# proxy to specified ip:port
|
||||
types.nonEmptyStr
|
||||
]);
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) nginx; in inputs.lib.mkIf (nginx.transparentProxy.map != {})
|
||||
{
|
||||
services.nginx.streamConfig =
|
||||
''
|
||||
log_format transparent_proxy '[$time_local] $remote_addr-$geoip2_data_country_code '
|
||||
'"$ssl_preread_server_name"->$transparent_proxy_backend $bytes_sent $bytes_received';
|
||||
map $ssl_preread_server_name $transparent_proxy_backend {
|
||||
${builtins.concatStringsSep "\n " (inputs.lib.mapAttrsToList
|
||||
(n: v: ''"${n}" ${if builtins.isInt v then "127.0.0.1:${builtins.toString v}" else v};'')
|
||||
nginx.transparentProxy.map)}
|
||||
default 127.0.0.1:${toString (with nginx.global; (httpsPort + httpsPortShift.http2))};
|
||||
}
|
||||
server {
|
||||
listen 0.0.0.0:443;
|
||||
ssl_preread on;
|
||||
proxy_bind $remote_addr transparent;
|
||||
proxy_pass $transparent_proxy_backend;
|
||||
proxy_connect_timeout 1s;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffer_size 128k;
|
||||
access_log syslog:server=unix:/dev/log transparent_proxy;
|
||||
}
|
||||
'';
|
||||
systemd =
|
||||
{
|
||||
services = inputs.lib.mkIf (inputs.config.nixos.system.network == null)
|
||||
{
|
||||
nginx-proxy =
|
||||
let
|
||||
ip = "${inputs.pkgs.iproute2}/bin/ip";
|
||||
start = inputs.pkgs.writeShellScript "nginx-proxy.start"
|
||||
''
|
||||
${ip} rule add fwmark 2/2 table 200
|
||||
${ip} route add local 0.0.0.0/0 dev lo table 200
|
||||
'';
|
||||
stop = inputs.pkgs.writeShellScript "nginx-proxy.stop"
|
||||
''
|
||||
${ip} rule del fwmark 2/2 table 200
|
||||
${ip} route del local 0.0.0.0/0 dev lo table 200
|
||||
'';
|
||||
in
|
||||
{
|
||||
description = "nginx transparent proxy";
|
||||
after = [ "network.target" ];
|
||||
serviceConfig =
|
||||
{
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = start;
|
||||
ExecStop = stop;
|
||||
};
|
||||
wants = [ "network.target" ];
|
||||
wantedBy= [ "multi-user.target" ];
|
||||
};
|
||||
};
|
||||
network.networks = inputs.lib.mkIf (inputs.config.nixos.system.network != null)
|
||||
{
|
||||
"10-custom" =
|
||||
{
|
||||
matchConfig.Name = "lo";
|
||||
routes = [{ Table = 200; Destination = "0.0.0.0/0"; Type = "local"; }];
|
||||
routingPolicyRules = [{ FirewallMark = "2/2"; Table = 200; }];
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.nftables.tables.nginx =
|
||||
{
|
||||
family = "inet";
|
||||
content =
|
||||
''
|
||||
chain output {
|
||||
type route hook output priority mangle; policy accept;
|
||||
# 由本机发出、gid 为 nginx、但源地址不是本地监听的地址,说明是透明代理的第一个包,将这个流标记
|
||||
# 但这个包本身不需要处理,正常路由即可。
|
||||
meta skgid ${builtins.toString inputs.config.users.groups.nginx.gid} fib saddr type != local \
|
||||
ct state new counter ct mark set ct mark | 2 return
|
||||
# 由本机发出、作为透明代理的回复,它不能按照通常的路由,它需要被打上标记并被路由到本地
|
||||
# 这对应于透明代理到本地的服务的情况
|
||||
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 return
|
||||
return
|
||||
}
|
||||
# 还需要处理透明代理到其它机器的情况,它们的回复需要在 prerouting 中标记
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority mangle; policy accept;
|
||||
ct mark & 2 == 2 ct direction reply counter meta mark set meta mark | 2 return
|
||||
return
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -13,11 +13,17 @@ inputs:
|
||||
services.nix-serve =
|
||||
{
|
||||
enable = true;
|
||||
package = inputs.pkgs.nix-serve-ng;
|
||||
openFirewall = true;
|
||||
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
|
||||
secretKeyFile = inputs.config.nixos.system.sops.secrets."store/signingKey".path;
|
||||
# curl -L cache.nixos.org/nix-cache-info
|
||||
# use this cache after official one
|
||||
extraParams = "--priority 50";
|
||||
};
|
||||
nixos =
|
||||
{
|
||||
system.sops.secrets."store/signingKey" = {};
|
||||
services.nginx.https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000";
|
||||
};
|
||||
sops.secrets."store/signingKey" = {};
|
||||
nixos.services.nginx =
|
||||
{ enable = true; https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000"; };
|
||||
};
|
||||
}
|
||||
|
||||
@@ -21,7 +21,8 @@ inputs:
|
||||
storage =
|
||||
{
|
||||
name = mkOption { type = types.nonEmptyStr; default = submoduleInputs.config._module.args.name; };
|
||||
nodatacow = mkOption { type = types.bool; default = false; };
|
||||
mountFrom = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
iso = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};
|
||||
memory =
|
||||
{
|
||||
@@ -54,7 +55,12 @@ inputs:
|
||||
default = [];
|
||||
};
|
||||
udp = tcp;
|
||||
web = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
web = rec
|
||||
{
|
||||
httpsProxy = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
httpProxy = httpsProxy;
|
||||
httpRedirect = httpsProxy;
|
||||
};
|
||||
};
|
||||
};
|
||||
};}));
|
||||
@@ -83,7 +89,7 @@ inputs:
|
||||
domains = builtins.map
|
||||
(vm:
|
||||
{
|
||||
definition = inputs.config.sops.templates."nixvirt/${vm.name}.xml".path;
|
||||
definition = inputs.config.nixos.system.sops.templates."nixvirt/${vm.name}.xml".path;
|
||||
active = true;
|
||||
restart = false;
|
||||
})
|
||||
@@ -122,147 +128,147 @@ inputs:
|
||||
vnc_listen = "0.0.0.0"
|
||||
'';
|
||||
};
|
||||
nixos.services =
|
||||
nixos =
|
||||
{
|
||||
nginx =
|
||||
let hosts = builtins.concatLists (builtins.map
|
||||
(vm: builtins.map
|
||||
(domain:
|
||||
{
|
||||
inherit domain;
|
||||
ip = "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}";
|
||||
})
|
||||
vm.network.portForward.web)
|
||||
(builtins.attrValues nixvirt.instance));
|
||||
in
|
||||
{
|
||||
enable = inputs.lib.mkIf (hosts != []) true;
|
||||
transparentProxy.map = builtins.listToAttrs (builtins.map
|
||||
(host: { name = host.domain; value = "${host.ip}" + ":443"; }) hosts);
|
||||
http = builtins.listToAttrs (builtins.map
|
||||
(host: { name = host.domain; value.proxy.upstream = "http://${host.ip}" + ":80"; }) hosts);
|
||||
};
|
||||
kvm = {};
|
||||
};
|
||||
sops =
|
||||
{
|
||||
templates = builtins.listToAttrs (builtins.map
|
||||
(vm:
|
||||
{
|
||||
name = "nixvirt/${vm.name}.xml";
|
||||
value.content = inputs.topInputs.nixvirt.lib.domain.getXML
|
||||
# port from 8bcc23e27a62297254d0e9c87281e650ff777132
|
||||
system.sops =
|
||||
{
|
||||
templates = inputs.lib.mapAttrs'
|
||||
(n: v: inputs.lib.nameValuePair "nixvirt/${n}.xml"
|
||||
{
|
||||
inherit (vm) name;
|
||||
inherit (vm.value) uuid;
|
||||
type = "kvm";
|
||||
vcpu = { placement = "static"; count = vm.value.cpu.count; };
|
||||
cputune = inputs.lib.optionalAttrs (vm.value.cpu.set != null)
|
||||
content = inputs.topInputs.nixvirt.lib.domain.getXML
|
||||
# port from 8bcc23e27a62297254d0e9c87281e650ff777132
|
||||
{
|
||||
vcpupin = builtins.genList
|
||||
(cpu: { vcpu = cpu; cpuset = builtins.elemAt vm.value.cpu.set cpu; })
|
||||
vm.value.cpu.count;
|
||||
};
|
||||
memory =
|
||||
{
|
||||
count = vm.value.memory.sizeMB;
|
||||
unit = "MiB";
|
||||
nosharepages = vm.value.memory.dedicated;
|
||||
locked = vm.value.memory.dedicated;
|
||||
};
|
||||
os =
|
||||
{
|
||||
type = "hvm";
|
||||
arch = "x86_64";
|
||||
machine = "q35";
|
||||
bootmenu = { enable = true; timeout = 15000; };
|
||||
loader = { readonly = true; type = "pflash"; path = "/run/libvirt/nix-ovmf/OVMF_CODE.fd"; };
|
||||
nvram =
|
||||
name = n;
|
||||
inherit (v) uuid;
|
||||
type = "kvm";
|
||||
vcpu = { placement = "static"; count = v.cpu.count; };
|
||||
cputune = inputs.lib.optionalAttrs (v.cpu.set != null)
|
||||
{
|
||||
template = "/run/libvirt/nix-ovmf/OVMF_VARS.fd";
|
||||
path = "/var/lib/libvirt/qemu/nvram/${vm.name}_VARS.fd";
|
||||
templateFormat = "raw";
|
||||
format = "raw";
|
||||
vcpupin = builtins.genList (cpu: { vcpu = cpu; cpuset = builtins.elemAt v.cpu.set cpu; }) v.cpu.count;
|
||||
};
|
||||
};
|
||||
features = { acpi = {}; apic = {}; };
|
||||
cpu =
|
||||
{
|
||||
mode = "host-passthrough";
|
||||
topology =
|
||||
memory =
|
||||
{
|
||||
sockets = 1;
|
||||
dies = 1;
|
||||
cores = if vm.value.cpu.hyprthread then vm.value.cpu.count / 2 else vm.value.cpu.count;
|
||||
threads = if vm.value.cpu.hyprthread then 2 else 1;
|
||||
count = v.memory.sizeMB;
|
||||
unit = "MiB";
|
||||
nosharepages = v.memory.dedicated;
|
||||
locked = v.memory.dedicated;
|
||||
};
|
||||
};
|
||||
clock =
|
||||
{
|
||||
offset = "utc";
|
||||
timer =
|
||||
[
|
||||
{ name = "rtc"; tickpolicy = "catchup"; }
|
||||
{ name = "pit"; tickpolicy = "delay"; }
|
||||
{ name = "hpet"; present = false; }
|
||||
];
|
||||
};
|
||||
devices =
|
||||
{
|
||||
emulator = "${inputs.config.virtualisation.libvirtd.qemu.package}/bin/qemu-system-x86_64";
|
||||
disk =
|
||||
[
|
||||
os =
|
||||
{
|
||||
type = "hvm";
|
||||
arch = "x86_64";
|
||||
machine = "q35";
|
||||
bootmenu = { enable = true; timeout = 15000; };
|
||||
loader = { readonly = true; type = "pflash"; path = "/run/libvirt/nix-ovmf/OVMF_CODE.fd"; };
|
||||
nvram =
|
||||
{
|
||||
type = "file";
|
||||
device = "disk";
|
||||
driver = { name = "qemu"; type = "raw"; cache = "none"; discard = "unmap"; };
|
||||
source.file = "${if vm.value.storage.nodatacow then "/nix/nodatacow" else ""}/var/lib/libvirt/images/"
|
||||
+ "${vm.value.storage.name}.img";
|
||||
target = { dev = "vda"; bus = "virtio"; };
|
||||
boot.order = 1;
|
||||
}
|
||||
template = "/run/libvirt/nix-ovmf/OVMF_VARS.fd";
|
||||
path = "/var/lib/libvirt/qemu/nvram/${n}_VARS.fd";
|
||||
templateFormat = "raw";
|
||||
format = "raw";
|
||||
};
|
||||
};
|
||||
features = { acpi = {}; apic = {}; };
|
||||
cpu =
|
||||
{
|
||||
mode = "host-passthrough";
|
||||
topology =
|
||||
{
|
||||
type = "file";
|
||||
device = "cdrom";
|
||||
driver = { name = "qemu"; type = "raw"; };
|
||||
source.file = "${inputs.topInputs.self.src.iso.netboot}";
|
||||
target = { dev = "sdc"; bus = "sata"; };
|
||||
readonly = true;
|
||||
boot.order = 10;
|
||||
}
|
||||
];
|
||||
interface =
|
||||
{
|
||||
type = "bridge";
|
||||
model.type = "virtio";
|
||||
mac.address = vm.value.network.mac;
|
||||
source.bridge = if vm.value.network.bridge then "nixvirt" else "virbr0";
|
||||
sockets = 1;
|
||||
dies = 1;
|
||||
cores = if v.cpu.hyprthread then v.cpu.count / 2 else v.cpu.count;
|
||||
threads = if v.cpu.hyprthread then 2 else 1;
|
||||
};
|
||||
};
|
||||
input =
|
||||
[
|
||||
{ type = "tablet"; bus = "usb"; }
|
||||
{ type = "mouse"; bus = "ps2"; }
|
||||
{ type = "keyboard"; bus = "ps2"; }
|
||||
];
|
||||
graphics =
|
||||
clock =
|
||||
{
|
||||
type = "vnc";
|
||||
autoport = false;
|
||||
port = vm.value.network.vnc.port;
|
||||
listen.type = "address";
|
||||
passwd = inputs.config.sops.placeholder."nixvirt/${vm.name}";
|
||||
offset = "utc";
|
||||
timer =
|
||||
[
|
||||
{ name = "rtc"; tickpolicy = "catchup"; }
|
||||
{ name = "pit"; tickpolicy = "delay"; }
|
||||
{ name = "hpet"; present = false; }
|
||||
];
|
||||
};
|
||||
devices =
|
||||
{
|
||||
emulator = "${inputs.config.virtualisation.libvirtd.qemu.package}/bin/qemu-system-x86_64";
|
||||
disk =
|
||||
[
|
||||
{
|
||||
type = "file";
|
||||
device = "disk";
|
||||
driver = { name = "qemu"; type = "raw"; cache = "writeback"; discard = "unmap"; };
|
||||
source.file = builtins.concatStringsSep ""
|
||||
[
|
||||
(if (v.storage.mountFrom != null) then "/nix/${v.storage.mountFrom}" else "")
|
||||
"/var/lib/libvirt/images/"
|
||||
"${v.storage.name}.img"
|
||||
];
|
||||
target = { dev = "vda"; bus = "virtio"; };
|
||||
boot.order = 1;
|
||||
}
|
||||
{
|
||||
type = "file";
|
||||
device = "cdrom";
|
||||
driver = { name = "qemu"; type = "raw"; };
|
||||
source.file =
|
||||
if v.storage.iso == null then "${inputs.topInputs.self.src.iso.netboot}" else v.storage.iso;
|
||||
target = { dev = "sdc"; bus = "sata"; };
|
||||
readonly = true;
|
||||
boot.order = 10;
|
||||
}
|
||||
];
|
||||
interface =
|
||||
{
|
||||
type = "bridge";
|
||||
model.type = "virtio";
|
||||
mac.address = v.network.mac;
|
||||
source.bridge = if v.network.bridge then "nixvirt" else "virbr0";
|
||||
};
|
||||
input =
|
||||
[
|
||||
{ type = "tablet"; bus = "usb"; }
|
||||
{ type = "mouse"; bus = "ps2"; }
|
||||
{ type = "keyboard"; bus = "ps2"; }
|
||||
];
|
||||
graphics =
|
||||
{
|
||||
type = "vnc";
|
||||
autoport = false;
|
||||
port = v.network.vnc.port;
|
||||
listen.type = "address";
|
||||
passwd = inputs.config.sops.placeholder."nixvirt/${n}";
|
||||
};
|
||||
video.model = { type = "qxl"; ram = 65536; vram = 65536; vgamem = 16384; heads = 1; primary = true; };
|
||||
rng = { model = "virtio"; backend = { model = "random"; source = /dev/urandom; }; };
|
||||
};
|
||||
video.model = { type = "qxl"; ram = 65536; vram = 65536; vgamem = 16384; heads = 1; primary = true; };
|
||||
rng = { model = "virtio"; backend = { model = "random"; source = /dev/urandom; }; };
|
||||
};
|
||||
};
|
||||
})
|
||||
(inputs.localLib.attrsToList nixvirt.instance));
|
||||
secrets = builtins.listToAttrs (builtins.map
|
||||
(vm: { name = "nixvirt/${vm}"; value = {}; }) (builtins.attrNames nixvirt.instance));
|
||||
placeholder = builtins.listToAttrs (builtins.map
|
||||
(vm: { name = "nixvirt/${vm}"; value = builtins.hashString "sha256" "nixvirt/${vm}"; })
|
||||
(builtins.attrNames nixvirt.instance));
|
||||
})
|
||||
nixvirt.instance;
|
||||
secrets = inputs.lib.mapAttrs' (n: _: inputs.lib.nameValuePair "nixvirt/${n}" {}) nixvirt.instance;
|
||||
};
|
||||
services =
|
||||
{
|
||||
nginx = inputs.lib.mkMerge (builtins.map
|
||||
(vm: let ip = "192.168.${builtins.toString nixvirt.subnet}.${builtins.toString vm.network.address}"; in
|
||||
{
|
||||
transparentProxy.map = builtins.listToAttrs (builtins.map
|
||||
(host: inputs.lib.nameValuePair host "${ip}:443")
|
||||
vm.network.portForward.web.httpsProxy);
|
||||
http = inputs.lib.mkMerge
|
||||
[
|
||||
(builtins.listToAttrs (builtins.map
|
||||
(host: inputs.lib.nameValuePair host { proxy.upstream = "http://${ip}" + ":80"; })
|
||||
vm.network.portForward.web.httpProxy))
|
||||
(builtins.listToAttrs (builtins.map
|
||||
(host: inputs.lib.nameValuePair host { rewriteHttps = {}; })
|
||||
vm.network.portForward.web.httpRedirect))
|
||||
];
|
||||
})
|
||||
(builtins.attrValues nixvirt.instance or {}));
|
||||
kvm = {};
|
||||
};
|
||||
};
|
||||
security.wrappers.vm =
|
||||
{
|
||||
|
||||
@@ -28,22 +28,22 @@ inputs:
|
||||
ENABLE_IMAGE_GENERATION = "True";
|
||||
IMAGES_OPENAI_API_BASE_URL = "https://oa.api2d.net/v1";
|
||||
};
|
||||
environmentFile = inputs.config.sops.templates."open-webui.env".path;
|
||||
environmentFile = inputs.config.nixos.system.sops.templates."open-webui.env".path;
|
||||
};
|
||||
sops =
|
||||
nixos =
|
||||
{
|
||||
templates."open-webui.env".content = let inherit (inputs.config.sops) placeholder; in
|
||||
''
|
||||
OPENAI_API_KEY=${placeholder."open-webui/openai"}
|
||||
WEBUI_SECRET_KEY=${placeholder."open-webui/webui"}
|
||||
IMAGES_OPENAI_API_KEY=${placeholder."open-webui/openai"}
|
||||
'';
|
||||
secrets = { "open-webui/openai" = {}; "open-webui/webui" = {}; };
|
||||
};
|
||||
nixos.services.nginx =
|
||||
{
|
||||
enable = true;
|
||||
https."${open-webui.hostname}".location."/".proxy = { upstream = "http://127.0.0.1:8080"; websocket = true; };
|
||||
system.sops =
|
||||
{
|
||||
templates."open-webui.env".content = let inherit (inputs.config.nixos.system.sops) placeholder; in
|
||||
''
|
||||
OPENAI_API_KEY=${placeholder."open-webui/openai"}
|
||||
WEBUI_SECRET_KEY=${placeholder."open-webui/webui"}
|
||||
IMAGES_OPENAI_API_KEY=${placeholder."open-webui/openai"}
|
||||
'';
|
||||
secrets = { "open-webui/openai" = {}; "open-webui/webui" = {}; };
|
||||
};
|
||||
services.nginx.https."${open-webui.hostname}".location."/".proxy =
|
||||
{ upstream = "http://127.0.0.1:8080"; websocket = true; };
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user