From 6bdb2c6c8b8e730678db3d59726e55df65eac3da Mon Sep 17 00:00:00 2001
From: teidesu
Date: Fri, 30 Aug 2024 11:34:22 +0300
Subject: [PATCH] feat: added arumi host and moved stuff from madohomu there
---
 flake.lock | 21 +++++++
 flake.nix | 14 ++++-
 hosts/arumi/configuration.nix | 34 +++++++++++
 hosts/arumi/deploy.sh | 8 +++
 hosts/arumi/disk-config.nix | 54 ++++++++++++++++++
 .../{madohomu => arumi}/services/sing-box.nix | 12 ++--
 .../services/uptime-kuma.nix | 7 ++-
 hosts/koi/services/sing-box.nix | 40 +++---------
 hosts/madohomu/common.nix | 2 -
 hosts/madohomu/madoka.nix | 1 -
 secrets/UNSAFE.arumi-ip.age | 6 ++
 secrets/arumi-cf-token.age | Bin 0 -> 427 bytes
 ...oi-uuid.age => arumi-singbox-koi-uuid.age} | Bin
 ...mu-singbox-pk.age => arumi-singbox-pk.age} | 0
 ...-singbox-pub.age => arumi-singbox-pub.age} | Bin
 ...-singbox-sid.age => arumi-singbox-sid.age} | 0
 ...gbox-users.age => arumi-singbox-users.age} | Bin
 secrets/madohomu-cf-token.age | Bin 427 -> 0 bytes
 switch | 7 +++
 users/teidesu/ssh.nix | 2 +-
 20 files changed, 163 insertions(+), 45 deletions(-)
 create mode 100644 hosts/arumi/configuration.nix
 create mode 100755 hosts/arumi/deploy.sh
 create mode 100644 hosts/arumi/disk-config.nix
 rename hosts/{madohomu => arumi}/services/sing-box.nix (84%)
 rename hosts/{madohomu => arumi}/services/uptime-kuma.nix (84%)
 create mode 100644 secrets/UNSAFE.arumi-ip.age
 create mode 100644 secrets/arumi-cf-token.age
 rename secrets/{madohomu-singbox-koi-uuid.age => arumi-singbox-koi-uuid.age} (100%)
 rename secrets/{madohomu-singbox-pk.age => arumi-singbox-pk.age} (100%)
 rename secrets/{madohomu-singbox-pub.age => arumi-singbox-pub.age} (100%)
 rename secrets/{madohomu-singbox-sid.age => arumi-singbox-sid.age} (100%)
 rename secrets/{madohomu-singbox-users.age => arumi-singbox-users.age} (100%)
 delete mode 100644 secrets/madohomu-cf-token.age
diff --git a/flake.lock b/flake.lock
index 02e26d5..53bf642 100644
--- a/flake.lock
+++ b/flake.lock
@@ -65,6 +65,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724895876, + "narHash": "sha256-GSqAwa00+vRuHbq9O/yRv7Ov7W/pcMLis3HmeHv8a+Q=", + "owner": "nix-community", + "repo": "disko", + "rev": "511388d837178979de66d14ca4a2ebd5f7991cd3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems_2" @@ -234,6 +254,7 @@ "agenix": "agenix", "bootspec-secureboot": "bootspec-secureboot", "desu-deploy": "desu-deploy", + "disko": "disko", "home-manager": "home-manager_2", "nix-darwin": "nix-darwin", "nix-index-database": "nix-index-database", diff --git a/flake.nix b/flake.nix index 92467aa..3eb0bad 100755 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,9 @@ nix-index-database.url = "github:nix-community/nix-index-database"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + desu-deploy.url = "github:teidesu/desu-deploy/a77b8e790324df51471cf40924acff9643972dfa"; desu-deploy.inputs.nixpkgs.follows = "nixpkgs"; }; @@ -53,6 +56,7 @@ , home-manager , nix-darwin , desu-deploy + , disko , ... }: let @@ -82,7 +86,7 @@ }: let specialArgsMerged = specialArgsCommon // specialArgs // { pkgs-stable = import nixpkgs-stable { - system = "x86_64-linux"; + inherit system; config = { allowUnfree = true; }; }; }; @@ -120,6 +124,14 @@ ./hosts/madohomu/madoka.nix ]; }; + + arumi = mkNixosSystem { + system = "aarch64-linux"; + modules = [ + disko.nixosModules.disko + ./hosts/arumi/configuration.nix + ]; + }; }; darwinConfigurations = { diff --git a/hosts/arumi/configuration.nix b/hosts/arumi/configuration.nix new file mode 100644 index 0000000..3c45211 --- /dev/null +++ b/hosts/arumi/configuration.nix 
@@ -0,0 +1,34 @@
+{ abs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/minimal.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./disk-config.nix
+
+ ./services/sing-box.nix
+ ./services/uptime-kuma.nix
+ ];
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+
+ age.identityPaths = [
+ "/etc/ssh/agenix_key"
+ ];
+
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ (abs "ssh/teidesu.pub")
+ ];
+
+ virtualisation.docker.enable = true;
+ virtualisation.oci-containers.backend = "docker";
+
+ system.stateVersion = "23.11";
+}
\ No newline at end of file
diff --git a/hosts/arumi/deploy.sh b/hosts/arumi/deploy.sh
new file mode 100755
index 0000000..af43c59
--- /dev/null
+++ b/hosts/arumi/deploy.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -eau
+
+SCRIPT=$(realpath "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+$SCRIPTPATH/../../switch --remote root@arumi --build-on-remote .#arumi
\ No newline at end of file
diff --git a/hosts/arumi/disk-config.nix b/hosts/arumi/disk-config.nix
new file mode 100644
index 0000000..5c92907
--- /dev/null
+++ b/hosts/arumi/disk-config.nix
@@ -0,0 +1,54 @@
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
\ No newline at end of file
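Review bot: hosts/arumi/configuration.nix enables sshd and gives root an authorized key, but leaves password and keyboard-interactive authentication at their NixOS defaults, so the host is not actually restricted to the key-only root login the config implies. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line. `age.identityPaths` also points at `/etc/ssh/agenix_key`, which nothing in this commit creates — presumably it is placed on the VM by hand before the first deploy; a comment stating that would explain the otherwise puzzling first-activation failure if it is missing.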
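Review bot: `set -eau` in hosts/arumi/deploy.sh enables allexport (`-a`), so SCRIPT and SCRIPTPATH are exported into the environment of the `switch` process and everything it spawns; that is almost certainly a typo for `set -eu`. The last line should also quote the path, `"$SCRIPTPATH/../../switch" --remote root@arumi --build-on-remote .#arumi`, since a checkout under a directory containing spaces is otherwise split into several words.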
diff --git a/hosts/madohomu/services/sing-box.nix b/hosts/arumi/services/sing-box.nix similarity index 84% rename from hosts/madohomu/services/sing-box.nix rename to hosts/arumi/services/sing-box.nix index 0cc814e..f2ee6b2 100644 --- a/hosts/madohomu/services/sing-box.nix +++ b/hosts/arumi/services/sing-box.nix @@ -5,9 +5,9 @@ let in { imports = [ (secrets.declare [ - "madohomu-singbox-pk" - "madohomu-singbox-sid" - "madohomu-singbox-users" + "arumi-singbox-pk" + "arumi-singbox-sid" + "arumi-singbox-users" ]) ]; @@ -31,9 +31,9 @@ in { reality = { enabled = true; handshake = { inherit server; server_port = 443; }; - private_key._secret = secrets.file config "madohomu-singbox-pk"; + private_key._secret = secrets.file config "arumi-singbox-pk"; short_id = [ - { _secret = secrets.file config "madohomu-singbox-sid"; } + { _secret = secrets.file config "arumi-singbox-sid"; } ]; }; }; @@ -49,7 +49,7 @@ in { systemd.services.sing-box.preStart = let file = "/etc/sing-box/config.json"; in '' - users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "madohomu-singbox-users"}) + users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "arumi-singbox-users"}) ${pkgs.jq}/bin/jq --arg users "$users" \ '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \ ${file} > ${file}.tmp diff --git a/hosts/madohomu/services/uptime-kuma.nix b/hosts/arumi/services/uptime-kuma.nix similarity index 84% rename from hosts/madohomu/services/uptime-kuma.nix rename to hosts/arumi/services/uptime-kuma.nix index f003821..8b25365 100644 --- a/hosts/madohomu/services/uptime-kuma.nix +++ b/hosts/arumi/services/uptime-kuma.nix @@ -6,10 +6,11 @@ let UID = 1100; in { # we use cf tunnels because 443 port is used by the proxy, - # and it's also generally easier + # and it's also generally easierbrew install cloudflared && + imports = [ (secrets.declare [{ - name = "madohomu-cf-token"; + name = "arumi-cf-token"; owner = "uptime-kuma"; }]) ]; 
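Review bot: The reality private key, short id, koi uuid and user list are carried over to arumi unchanged — the diffstat lists the five secrets/*.age files as 100% renames — so the new host starts with exactly the key material that previously lived on madohomu. If madohomu is being retired that may be acceptable, but moving a service to a new machine is the natural point to generate a fresh keypair and short id and update koi's `arumi-singbox-pub`/`arumi-singbox-sid` in the same commit, so that nothing recoverable from the old VM still identifies the endpoint. A short comment at the top of hosts/arumi/services/sing-box.nix noting that the secrets were migrated rather than regenerated would record that decision. The module's `let` block starts before the hunk.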
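Review bot: The comment in hosts/arumi/services/uptime-kuma.nix now reads `# and it's also generally easierbrew install cloudflared &&`, which looks like a clipboard paste landed inside the rename; it should be restored to `# and it's also generally easier`. It is harmless to evaluation because it sits in a comment, but it is nonsense to the next reader. The rest of the hunk is only the token rename.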
@@ -30,7 +31,7 @@ in {
 PGID = builtins.toString UID;
 };
 environmentFiles = [
- (secrets.file config "madohomu-cf-token")
+ (secrets.file config "arumi-cf-token")
 ];
 };
diff --git a/hosts/koi/services/sing-box.nix b/hosts/koi/services/sing-box.nix
index d0e852f..9b3b8bf 100644
--- a/hosts/koi/services/sing-box.nix
+++ b/hosts/koi/services/sing-box.nix
@@ -6,9 +6,9 @@ let
 in {
 imports = [
 (secrets.declare [
- "madohomu-singbox-pub"
- "madohomu-singbox-sid"
- "madohomu-singbox-koi-uuid"
+ "arumi-singbox-pub"
+ "arumi-singbox-sid"
+ "arumi-singbox-koi-uuid"
 "vless-sakura-ip"
 "vless-sakura-pk"
 "vless-sakura-sid"
@@ -33,10 +33,10 @@ in {
 outbounds = [
 { tag = "direct"; type = "direct"; }
 {
- tag = "xtls-madoka";
+ tag = "xtls-arumi";
 type = "vless";
 flow = "xtls-rprx-vision";
- server = secretsUnsafe.readUnsafe "madoka-ip";
+ server = secretsUnsafe.readUnsafe "arumi-ip";
 server_port = 443;
 domain_strategy = "";
 packet_encoding = "";
@@ -46,33 +46,12 @@ in {
 server_name = "updates.cdn-apple.com";
 reality = {
 enabled = true;
- public_key._secret = secrets.file config "madohomu-singbox-pub";
- short_id._secret = secrets.file config "madohomu-singbox-sid";
+ public_key._secret = secrets.file config "arumi-singbox-pub";
+ short_id._secret = secrets.file config "arumi-singbox-sid";
 };
 utls = { enabled = true; fingerprint = "edge"; };
 };
- uuid._secret = secrets.file config "madohomu-singbox-koi-uuid";
- }
- {
- tag = "xtls-homura";
- type = "vless";
- flow = "xtls-rprx-vision";
- server = secretsUnsafe.readUnsafe "homura-ip";
- server_port = 443;
- domain_strategy = "";
- packet_encoding = "";
- tls = {
- enabled = true;
- alpn = [ "h2" ];
- server_name = "updates.cdn-apple.com";
- reality = {
- enabled = true;
- public_key._secret = secrets.file config "madohomu-singbox-pub";
- short_id._secret = secrets.file config "madohomu-singbox-sid";
- };
- utls = { enabled = true; fingerprint = "edge"; };
- };
- uuid._secret = secrets.file config "madohomu-singbox-koi-uuid";
+ uuid._secret = secrets.file config "arumi-singbox-koi-uuid";
 }
 {
 # thanks kamillaova
@@ -98,9 +77,8 @@ in {
 tag = "final";
 type = "urltest";
 outbounds = [
+ "xtls-arumi"
 "xtls-sakura"
- "xtls-madoka"
- "xtls-homura"
 ];
 }
 ];
diff --git a/hosts/madohomu/common.nix b/hosts/madohomu/common.nix
index 28903bf..7c50138 100644
--- a/hosts/madohomu/common.nix
+++ b/hosts/madohomu/common.nix
@@ -5,8 +5,6 @@
 (modulesPath + "/profiles/minimal.nix")
 (modulesPath + "/profiles/qemu-guest.nix")
 ./hardware-configuration.nix
-
- ./services/sing-box.nix
 ];
 boot.tmp.cleanOnBoot = true;
diff --git a/hosts/madohomu/madoka.nix b/hosts/madohomu/madoka.nix
index 77609b2..bf94d64 100644
--- a/hosts/madohomu/madoka.nix
+++ b/hosts/madohomu/madoka.nix
@@ -3,7 +3,6 @@
 {
 imports = [
 ./common.nix
- ./services/uptime-kuma.nix
 ];
 networking.hostName = "madoka";
diff --git a/secrets/UNSAFE.arumi-ip.age b/secrets/UNSAFE.arumi-ip.age new file mode 100644 index 0000000..8c4be7a --- /dev/null +++ b/secrets/UNSAFE.arumi-ip.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 Q7pPYw KEozsbVFmr+fZeEcSqcWLzLLOw6DPhBCoJFiRmJRdyw +0eNEnPDRqcNWCmuCx3dhzhyy3MriHKleKRd0f/BMvSo +--- pmIACVHsr9XHRbQgRjPC/rRYzWa5n9yttGsZti6WI5o +*f_ nHNy^g +̙C.G v+ \ No newline at end of file diff --git a/secrets/arumi-cf-token.age b/secrets/arumi-cf-token.age new file mode 100644 index 0000000000000000000000000000000000000000..8c153b2acb6634a4ca799cd431a6b530d2475883 GIT binary patch literal 427 zcmV;c0aX5BXJsvAZewzJaCB*JZZ2L~Xf}3wRcBUkMso^nYH3bmRyJmN zcTQPoM`&$OIBzyiVK+foD^xRTMsZPCN@`+fNHuqOP*DmkEiE84VpLg9Z%1Z9b3#=( zPH1&ZVq<4GZf19IV`)Q2VM2FDVM}*nVNqp7F-;0x4lN=HXuwVWgl?pa9*`%oUU8lVYmAJp#f;SVF3 zPO51+_W^AT+C7Ri$FD>+&o1O;%@U%>xa-8%Z}1NVh9bOl$bsKk`SEGROhv`a`v&hLgrQz7V$R-4`U9%GL!XUw2JZ_{i#$eu0Qx VP3tDA?v)v2tk5|!7E>26S!X=*vPl2{ literal 0 HcmV?d00001 diff --git a/secrets/madohomu-singbox-koi-uuid.age b/secrets/arumi-singbox-koi-uuid.age similarity index 100% rename from secrets/madohomu-singbox-koi-uuid.age rename to secrets/arumi-singbox-koi-uuid.age diff --git a/secrets/madohomu-singbox-pk.age b/secrets/arumi-singbox-pk.age similarity index 100% rename from secrets/madohomu-singbox-pk.age rename to secrets/arumi-singbox-pk.age diff --git a/secrets/madohomu-singbox-pub.age b/secrets/arumi-singbox-pub.age similarity index 100% rename from secrets/madohomu-singbox-pub.age rename to secrets/arumi-singbox-pub.age diff --git a/secrets/madohomu-singbox-sid.age b/secrets/arumi-singbox-sid.age similarity index 100% rename from secrets/madohomu-singbox-sid.age rename to secrets/arumi-singbox-sid.age diff --git a/secrets/madohomu-singbox-users.age b/secrets/arumi-singbox-users.age similarity index 100% rename from secrets/madohomu-singbox-users.age rename to secrets/arumi-singbox-users.age 
diff --git a/secrets/madohomu-cf-token.age b/secrets/madohomu-cf-token.age deleted file mode 100644 index a83682beec1d5b0265940e2b4f94d2290ea1d270..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 427 zcmV;c0aX5BXJsvAZewzJaCB*JZZ2d zQb#jIcsW{gbT4x?LNrNJYhz7wcx-D*W^q?SR#0zFNU_xp&s)hn6#s))46=SD&|h4hxXcz zx?N1$AD|)yTEgPm&p!QS<*h)ajkFzUDwARl_ViKQfbO&6PWP&CnW zfaRO(65U2N*hrapB>5WhS~n@M1Gyyq6KkJDF7P6xKFWW#4zU9%VSl0%p@zx(X2M{K VPCmS8$DXh&E8(2WB8(bT-G<^kvWNfx diff --git a/switch b/switch index 35fbfd5..4bcd42b 100755 --- a/switch +++ b/switch @@ -23,6 +23,13 @@ while [ $# -ne 0 ]; do remote=1 NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub" shift + ;; + --build-on-remote) + if [ "$remote" == "0" ]; then + echo "Cannot build on remote without specifying remote host" + exit 1 + fi + args+=("--build-host" "$norm_host") ;; .\#*) flake=$cur; shift;; *) echo "Unknown argument: $cur"; exit 1;; diff --git a/users/teidesu/ssh.nix b/users/teidesu/ssh.nix index 35b800f..57fc84b 100644 --- a/users/teidesu/ssh.nix +++ b/users/teidesu/ssh.nix @@ -21,6 +21,7 @@ in { matchBlocks = { madoka.hostname = secrets.readUnsafe "madoka-ip"; homura.hostname = secrets.readUnsafe "homura-ip"; + arumi.hostname = secrets.readUnsafe "arumi-ip"; koi = { hostname = "10.42.0.2"; @@ -31,7 +32,6 @@ in { identityFile = "~/.ssh/ssh.pub"; }; } // (lib.optionalAttrs isDarwin { - # orbstack host "orb" = { hostname = "127.0.0.1";
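Review bot: The new `--build-on-remote)` arm in `switch` never calls `shift`, unlike the `--remote` and `.\#*` arms beside it, so unless the loop header consumes the current argument itself (it is outside the hunk) the `while [ $# -ne 0 ]` loop keeps seeing `--build-on-remote` and spins. Add `shift` after the `args+=("--build-host" "$norm_host")` line. The arm also depends on `$norm_host`, which is presumably assigned in the `--remote` arm above the hunk, so the option only works when given after `--remote`; the `"$remote" == "0"` check reports the wrong order clearly, which is good, but a one-line comment such as `# must follow --remote, which sets norm_host` would make the ordering explicit. The surrounding `while`/`case` block starts and ends outside the hunk.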