diff --git a/flake.lock b/flake.lock index 02e26d5..53bf642 100644 --- a/flake.lock +++ b/flake.lock @@ -65,6 +65,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724895876, + "narHash": "sha256-GSqAwa00+vRuHbq9O/yRv7Ov7W/pcMLis3HmeHv8a+Q=", + "owner": "nix-community", + "repo": "disko", + "rev": "511388d837178979de66d14ca4a2ebd5f7991cd3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems_2" @@ -234,6 +254,7 @@ "agenix": "agenix", "bootspec-secureboot": "bootspec-secureboot", "desu-deploy": "desu-deploy", + "disko": "disko", "home-manager": "home-manager_2", "nix-darwin": "nix-darwin", "nix-index-database": "nix-index-database", diff --git a/flake.nix b/flake.nix index 92467aa..3eb0bad 100755 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,9 @@ nix-index-database.url = "github:nix-community/nix-index-database"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + desu-deploy.url = "github:teidesu/desu-deploy/a77b8e790324df51471cf40924acff9643972dfa"; desu-deploy.inputs.nixpkgs.follows = "nixpkgs"; }; @@ -53,6 +56,7 @@ , home-manager , nix-darwin , desu-deploy + , disko , ... }: let @@ -82,7 +86,7 @@ }: let specialArgsMerged = specialArgsCommon // specialArgs // { pkgs-stable = import nixpkgs-stable { - system = "x86_64-linux"; + inherit system; config = { allowUnfree = true; }; }; }; @@ -120,6 +124,14 @@ ./hosts/madohomu/madoka.nix ]; }; + + arumi = mkNixosSystem { + system = "aarch64-linux"; + modules = [ + disko.nixosModules.disko + ./hosts/arumi/configuration.nix + ]; + }; }; darwinConfigurations = { diff --git a/hosts/arumi/configuration.nix b/hosts/arumi/configuration.nix new file mode 100644 index 0000000..3c45211 --- /dev/null +++ b/hosts/arumi/configuration.nix 
@@ -0,0 +1,34 @@ +{ abs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/profiles/minimal.nix") + (modulesPath + "/profiles/qemu-guest.nix") + ./disk-config.nix + + ./services/sing-box.nix + ./services/uptime-kuma.nix + ]; + + boot.loader.grub = { + efiSupport = true; + efiInstallAsRemovable = true; + }; + + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + + age.identityPaths = [ + "/etc/ssh/agenix_key" + ]; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + (abs "ssh/teidesu.pub") + ]; + + virtualisation.docker.enable = true; + virtualisation.oci-containers.backend = "docker"; + + system.stateVersion = "23.11"; +} \ No newline at end of file diff --git a/hosts/arumi/deploy.sh b/hosts/arumi/deploy.sh new file mode 100755 index 0000000..af43c59 --- /dev/null +++ b/hosts/arumi/deploy.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +set -eau + +SCRIPT=$(realpath "$0") +SCRIPTPATH=$(dirname "$SCRIPT") + +$SCRIPTPATH/../../switch --remote root@arumi --build-on-remote .#arumi \ No newline at end of file diff --git a/hosts/arumi/disk-config.nix b/hosts/arumi/disk-config.nix new file mode 100644 index 0000000..5c92907 --- /dev/null +++ b/hosts/arumi/disk-config.nix @@ -0,0 +1,54 @@ +{ + disko.devices = { + disk.disk1 = { + device = "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "root"; + size = "100%"; + content = { + type = "lvm_pv"; + vg = "pool"; + }; + }; + }; + }; + }; + lvm_vg = { + pool = { + type = "lvm_vg"; + lvs = { + root = { + size = "100%FREE"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; +} \ No newline at end of file 
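Review bot: `services.openssh.enable = true;` combined with only `users.users.root.openssh.authorizedKeys.keyFiles` leaves password and keyboard-interactive authentication at the sshd defaults on a host whose only configured login is root, so the key-only policy this file clearly intends is not actually pinned. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line; NixOS already defaults `PermitRootLogin` to key-only, so that part can stay implicit. A short header above the import list, `# arumi: aarch64 QEMU guest running sing-box and uptime-kuma (Docker)`, would also tell a reader what the host is for.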
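Review bot: `set -eau` turns on allexport (`-a`), which exports every variable the script assigns — `SCRIPT` and `SCRIPTPATH` included — into the environment of the `switch` call and everything it spawns; this reads like a typo for `set -euo pipefail`. The final line should also quote the path, `"$SCRIPTPATH/../../switch" --remote root@arumi --build-on-remote .#arumi`, since unquoted expansion would word-split on a checkout path containing spaces.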
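Review bot: `device = "/dev/sda";` pins the disko target by kernel enumeration name, which is not stable and, on the QEMU guest this host is declared as in flake.nix, depends on the virtual disk bus (virtio-blk disks show up as /dev/vda); disko partitions whatever is at that path when the layout is applied. Prefer a `/dev/disk/by-id/...` path taken from the actual VM, and state the destructive intent at the top of the file, e.g. `# disko layout for arumi: applied at install time and wipes the target disk`. A one-line comment on the `boot` partition, `# 1M EF02 stub alongside the ESP for the removable-EFI GRUB setup`, would explain why both `boot` and `esp` exist.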
diff --git a/hosts/madohomu/services/sing-box.nix b/hosts/arumi/services/sing-box.nix similarity index 84% rename from hosts/madohomu/services/sing-box.nix rename to hosts/arumi/services/sing-box.nix index 0cc814e..f2ee6b2 100644 --- a/hosts/madohomu/services/sing-box.nix +++ b/hosts/arumi/services/sing-box.nix @@ -5,9 +5,9 @@ let in { imports = [ (secrets.declare [ - "madohomu-singbox-pk" - "madohomu-singbox-sid" - "madohomu-singbox-users" + "arumi-singbox-pk" + "arumi-singbox-sid" + "arumi-singbox-users" ]) ]; @@ -31,9 +31,9 @@ in { reality = { enabled = true; handshake = { inherit server; server_port = 443; }; - private_key._secret = secrets.file config "madohomu-singbox-pk"; + private_key._secret = secrets.file config "arumi-singbox-pk"; short_id = [ - { _secret = secrets.file config "madohomu-singbox-sid"; } + { _secret = secrets.file config "arumi-singbox-sid"; } ]; }; }; @@ -49,7 +49,7 @@ in { systemd.services.sing-box.preStart = let file = "/etc/sing-box/config.json"; in '' - users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "madohomu-singbox-users"}) + users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "arumi-singbox-users"}) ${pkgs.jq}/bin/jq --arg users "$users" \ '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \ ${file} > ${file}.tmp diff --git a/hosts/madohomu/services/uptime-kuma.nix b/hosts/arumi/services/uptime-kuma.nix similarity index 84% rename from hosts/madohomu/services/uptime-kuma.nix rename to hosts/arumi/services/uptime-kuma.nix index f003821..8b25365 100644 --- a/hosts/madohomu/services/uptime-kuma.nix +++ b/hosts/arumi/services/uptime-kuma.nix @@ -6,10 +6,11 @@ let UID = 1100; in { # we use cf tunnels because 443 port is used by the proxy, - # and it's also generally easier + # and it's also generally easierbrew install cloudflared && + imports = [ (secrets.declare [{ - name = "madohomu-cf-token"; + name = "arumi-cf-token"; owner = "uptime-kuma"; }]) ]; 
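Review bot: The comment line `# and it's also generally easierbrew install cloudflared &&` has a shell fragment pasted onto its end and ships as part of the renamed file. Restore it to `# and it's also generally easier` (or drop the stray text) so the module does not carry a garbled comment.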
@@ -30,7 +31,7 @@ in { PGID = builtins.toString UID; }; environmentFiles = [ - (secrets.file config "madohomu-cf-token") + (secrets.file config "arumi-cf-token") ]; }; diff --git a/hosts/koi/services/sing-box.nix b/hosts/koi/services/sing-box.nix index d0e852f..9b3b8bf 100644 --- a/hosts/koi/services/sing-box.nix +++ b/hosts/koi/services/sing-box.nix @@ -6,9 +6,9 @@ let in { imports = [ (secrets.declare [ - "madohomu-singbox-pub" - "madohomu-singbox-sid" - "madohomu-singbox-koi-uuid" + "arumi-singbox-pub" + "arumi-singbox-sid" + "arumi-singbox-koi-uuid" "vless-sakura-ip" "vless-sakura-pk" "vless-sakura-sid" @@ -33,10 +33,10 @@ in { outbounds = [ { tag = "direct"; type = "direct"; } { - tag = "xtls-madoka"; + tag = "xtls-arumi"; type = "vless"; flow = "xtls-rprx-vision"; - server = secretsUnsafe.readUnsafe "madoka-ip"; + server = secretsUnsafe.readUnsafe "arumi-ip"; server_port = 443; domain_strategy = ""; packet_encoding = ""; 
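Review bot: The declared secrets `arumi-singbox-pub`, `arumi-singbox-sid` and `arumi-singbox-koi-uuid` resolve to files this commit renames from `madohomu-singbox-*` with 100% similarity, so the reality keypair, short_id and client UUID move from the retired madohomu host to arumi unchanged rather than being freshly generated. Key material that lived on the old host's disk is best rotated on migration; generating a new pair for arumi and updating the `pk`/`pub` secrets here and in hosts/arumi/services/sing-box.nix would close that gap. Failing that, a comment above the declare list, `# secrets carried over from madohomu; rotate once the old host is retired`, should at least record the provenance.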
@@ -46,33 +46,12 @@ in { server_name = "updates.cdn-apple.com"; reality = { enabled = true; - public_key._secret = secrets.file config "madohomu-singbox-pub"; - short_id._secret = secrets.file config "madohomu-singbox-sid"; + public_key._secret = secrets.file config "arumi-singbox-pub"; + short_id._secret = secrets.file config "arumi-singbox-sid"; }; utls = { enabled = true; fingerprint = "edge"; }; }; - uuid._secret = secrets.file config "madohomu-singbox-koi-uuid"; - } - { - tag = "xtls-homura"; - type = "vless"; - flow = "xtls-rprx-vision"; - server = secretsUnsafe.readUnsafe "homura-ip"; - server_port = 443; - domain_strategy = ""; - packet_encoding = ""; - tls = { - enabled = true; - alpn = [ "h2" ]; - server_name = "updates.cdn-apple.com"; - reality = { - enabled = true; - public_key._secret = secrets.file config "madohomu-singbox-pub"; - short_id._secret = secrets.file config "madohomu-singbox-sid"; - }; - utls = { enabled = true; fingerprint = "edge"; }; - }; - uuid._secret = secrets.file config "madohomu-singbox-koi-uuid"; + uuid._secret = secrets.file config "arumi-singbox-koi-uuid"; } { # thanks kamillaova @@ -98,9 +77,8 @@ in { tag = "final"; type = "urltest"; outbounds = [ + "xtls-arumi" "xtls-sakura" - "xtls-madoka" - "xtls-homura" ]; } ]; diff --git a/hosts/madohomu/common.nix b/hosts/madohomu/common.nix index 28903bf..7c50138 100644 --- a/hosts/madohomu/common.nix +++ b/hosts/madohomu/common.nix @@ -5,8 +5,6 @@ (modulesPath + "/profiles/minimal.nix") (modulesPath + "/profiles/qemu-guest.nix") ./hardware-configuration.nix - - ./services/sing-box.nix ]; boot.tmp.cleanOnBoot = true; diff --git a/hosts/madohomu/madoka.nix b/hosts/madohomu/madoka.nix index 77609b2..bf94d64 100644 --- a/hosts/madohomu/madoka.nix +++ b/hosts/madohomu/madoka.nix @@ -3,7 +3,6 @@ { imports = [ ./common.nix - ./services/uptime-kuma.nix ]; networking.hostName = "madoka"; 
diff --git a/secrets/UNSAFE.arumi-ip.age b/secrets/UNSAFE.arumi-ip.age new file mode 100644 index 0000000..8c4be7a --- /dev/null +++ b/secrets/UNSAFE.arumi-ip.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 Q7pPYw KEozsbVFmr+fZeEcSqcWLzLLOw6DPhBCoJFiRmJRdyw +0eNEnPDRqcNWCmuCx3dhzhyy3MriHKleKRd0f/BMvSo +--- pmIACVHsr9XHRbQgRjPC/rRYzWa5n9yttGsZti6WI5o +*f_ nHNy^g +̙C.G v+ \ No newline at end of file diff --git a/secrets/arumi-cf-token.age b/secrets/arumi-cf-token.age new file mode 100644 index 0000000..8c153b2 Binary files /dev/null and b/secrets/arumi-cf-token.age differ diff --git a/secrets/madohomu-singbox-koi-uuid.age b/secrets/arumi-singbox-koi-uuid.age similarity index 100% rename from secrets/madohomu-singbox-koi-uuid.age rename to secrets/arumi-singbox-koi-uuid.age diff --git a/secrets/madohomu-singbox-pk.age b/secrets/arumi-singbox-pk.age similarity index 100% rename from secrets/madohomu-singbox-pk.age rename to secrets/arumi-singbox-pk.age diff --git a/secrets/madohomu-singbox-pub.age b/secrets/arumi-singbox-pub.age similarity index 100% rename from secrets/madohomu-singbox-pub.age rename to secrets/arumi-singbox-pub.age diff --git a/secrets/madohomu-singbox-sid.age b/secrets/arumi-singbox-sid.age similarity index 100% rename from secrets/madohomu-singbox-sid.age rename to secrets/arumi-singbox-sid.age diff --git a/secrets/madohomu-singbox-users.age b/secrets/arumi-singbox-users.age similarity index 100% rename from secrets/madohomu-singbox-users.age rename to secrets/arumi-singbox-users.age diff --git a/secrets/madohomu-cf-token.age b/secrets/madohomu-cf-token.age deleted file mode 100644 index a83682b..0000000 Binary files a/secrets/madohomu-cf-token.age and /dev/null differ diff --git a/switch b/switch index 35fbfd5..4bcd42b 100755 --- a/switch +++ b/switch 
@@ -23,6 +23,13 @@ while [ $# -ne 0 ]; do remote=1 NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub" shift + ;; + --build-on-remote) + if [ "$remote" == "0" ]; then + echo "Cannot build on remote without specifying remote host" + exit 1 + fi + args+=("--build-host" "$norm_host") ;; .\#*) flake=$cur; shift;; *) echo "Unknown argument: $cur"; exit 1;; diff --git a/users/teidesu/ssh.nix b/users/teidesu/ssh.nix index 35b800f..57fc84b 100644 --- a/users/teidesu/ssh.nix +++ b/users/teidesu/ssh.nix @@ -21,6 +21,7 @@ in { matchBlocks = { madoka.hostname = secrets.readUnsafe "madoka-ip"; homura.hostname = secrets.readUnsafe "homura-ip"; + arumi.hostname = secrets.readUnsafe "arumi-ip"; koi = { hostname = "10.42.0.2"; @@ -31,7 +32,6 @@ in { identityFile = "~/.ssh/ssh.pub"; }; } // (lib.optionalAttrs isDarwin { - # orbstack host "orb" = { hostname = "127.0.0.1";
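Review bot: The new `--build-on-remote)` arm ends at the context `;;` without a `shift`, unlike the `--remote` arm above it and the `.\#*)` arm below, so if the `while [ $# -ne 0 ]` loop consumes arguments per arm (the loop head is outside the hunk) this arm never advances and the loop spins forever; add `shift` after the `args+=("--build-host" "$norm_host")` line. The `"$remote" == "0"` check also makes the flags order-dependent — `--build-on-remote` given before `--remote` is rejected — which is worth a comment or a post-loop validation instead. The diagnostic should go to stderr: `echo "Cannot build on remote without specifying remote host" >&2`.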