feat: added arumi host and moved stuff from madohomu there

This commit is contained in:
alina 🌸 2024-08-30 11:34:22 +03:00
parent 2e30f0541c
commit 6bdb2c6c8b
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
20 changed files with 163 additions and 45 deletions


@ -65,6 +65,26 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1724895876,
"narHash": "sha256-GSqAwa00+vRuHbq9O/yRv7Ov7W/pcMLis3HmeHv8a+Q=",
"owner": "nix-community",
"repo": "disko",
"rev": "511388d837178979de66d14ca4a2ebd5f7991cd3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_2"
@ -234,6 +254,7 @@
"agenix": "agenix", "agenix": "agenix",
"bootspec-secureboot": "bootspec-secureboot", "bootspec-secureboot": "bootspec-secureboot",
"desu-deploy": "desu-deploy", "desu-deploy": "desu-deploy",
"disko": "disko",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",


@ -39,6 +39,9 @@
nix-index-database.url = "github:nix-community/nix-index-database"; nix-index-database.url = "github:nix-community/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
desu-deploy.url = "github:teidesu/desu-deploy/a77b8e790324df51471cf40924acff9643972dfa"; desu-deploy.url = "github:teidesu/desu-deploy/a77b8e790324df51471cf40924acff9643972dfa";
desu-deploy.inputs.nixpkgs.follows = "nixpkgs"; desu-deploy.inputs.nixpkgs.follows = "nixpkgs";
}; };
@ -53,6 +56,7 @@
, home-manager , home-manager
, nix-darwin , nix-darwin
, desu-deploy , desu-deploy
, disko
, ... , ...
}: }:
let let
@ -82,7 +86,7 @@
}: let }: let
specialArgsMerged = specialArgsCommon // specialArgs // { specialArgsMerged = specialArgsCommon // specialArgs // {
pkgs-stable = import nixpkgs-stable { pkgs-stable = import nixpkgs-stable {
system = "x86_64-linux"; inherit system;
config = { allowUnfree = true; }; config = { allowUnfree = true; };
}; };
}; };
@ -120,6 +124,14 @@
./hosts/madohomu/madoka.nix ./hosts/madohomu/madoka.nix
]; ];
}; };
arumi = mkNixosSystem {
system = "aarch64-linux";
modules = [
disko.nixosModules.disko
./hosts/arumi/configuration.nix
];
};
}; };
darwinConfigurations = { darwinConfigurations = {
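Review bot: The new `disko.url = "github:nix-community/disko";` input tracks disko's default branch, whereas `desu-deploy.url` two lines below it is pinned to a commit. disko is the module that partitions and formats the target disk on install, so a future `nix flake update` silently pulls whatever that branch holds; flake.lock pins it for now, but a commit in the URL, or at least a comment such as `# disko: pinned only via flake.lock; review before bumping — it runs destructive disk ops on install`, would make the intent explicit. The `outputs` function edited by the later hunks begins outside the visible hunks.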


@ -0,0 +1,34 @@
{ abs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/minimal.nix")
(modulesPath + "/profiles/qemu-guest.nix")
./disk-config.nix
./services/sing-box.nix
./services/uptime-kuma.nix
];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
age.identityPaths = [
"/etc/ssh/agenix_key"
];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keyFiles = [
(abs "ssh/teidesu.pub")
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
system.stateVersion = "23.11";
}
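Review bot: `services.openssh.enable = true;` is turned on with only root's authorized keys configured and nothing under `services.openssh.settings`, so unless one of the imported modules overrides it the daemon keeps NixOS's default `PasswordAuthentication = true` on a host that only ever needs key auth. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line (root login already defaults to key-only). Two smaller gaps: `networking.hostName` is not set here, while `hosts/madohomu/madoka.nix` sets one, so this host will boot under the default name; and `age.identityPaths = [ "/etc/ssh/agenix_key" ]` points at a file nothing in this commit provisions — since disko formats the disk on install, that key presumably has to be copied in out-of-band before the first activation or the agenix secrets will fail to decrypt, which deserves a comment on that line.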

hosts/arumi/deploy.sh Executable file

@ -0,0 +1,8 @@
#!/usr/bin/env bash
set -eau
SCRIPT=$(realpath "$0")
SCRIPTPATH=$(dirname "$SCRIPT")
$SCRIPTPATH/../../switch --remote root@arumi --build-on-remote .#arumi
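Review bot: `set -eau` on the second line enables `-a` (allexport), which exports every variable the script assigns — here `SCRIPT` and `SCRIPTPATH` — into the environment of `switch` and everything it spawns; that looks like a typo for `-u`. Prefer `set -euo pipefail`, and quote the path on the last line, `"$SCRIPTPATH/../../switch" --remote root@arumi --build-on-remote .#arumi`, so a checkout path containing spaces does not word-split. Since `--build-on-remote` makes `root@arumi` the build host, the target presumably receives and evaluates the whole flake source itself; a one-line comment stating that this is intended would help the next reader.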


@ -0,0 +1,54 @@
{
disko.devices = {
disk.disk1 = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "lvm_pv";
vg = "pool";
};
};
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
root = {
size = "100%FREE";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = [
"defaults"
];
};
};
};
};
};
};
}
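Review bot: `device = "/dev/sda";` is a kernel-enumeration name, and disko wipes and repartitions whichever device carries it at install time; on a qemu guest the root disk may equally show up as `/dev/vda`, and the name can shift if the VM gains another disk. A stable `/dev/disk/by-id/...` path is safer, or at minimum a comment `# NOTE: disko formats this device on install — verify with lsblk before deploying` on that line. Note also that the layout is plain ext4 on LVM with no LUKS, so the agenix host key at `/etc/ssh/agenix_key` and every secret it decrypts rest on an unencrypted disk at the hosting provider; if that is an accepted trade-off for this VPS, a one-line comment saying so would save the next reader the question.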


@ -5,9 +5,9 @@ let
in { in {
imports = [ imports = [
(secrets.declare [ (secrets.declare [
"madohomu-singbox-pk" "arumi-singbox-pk"
"madohomu-singbox-sid" "arumi-singbox-sid"
"madohomu-singbox-users" "arumi-singbox-users"
]) ])
]; ];
@ -31,9 +31,9 @@ in {
reality = { reality = {
enabled = true; enabled = true;
handshake = { inherit server; server_port = 443; }; handshake = { inherit server; server_port = 443; };
private_key._secret = secrets.file config "madohomu-singbox-pk"; private_key._secret = secrets.file config "arumi-singbox-pk";
short_id = [ short_id = [
{ _secret = secrets.file config "madohomu-singbox-sid"; } { _secret = secrets.file config "arumi-singbox-sid"; }
]; ];
}; };
}; };
@ -49,7 +49,7 @@ in {
systemd.services.sing-box.preStart = let systemd.services.sing-box.preStart = let
file = "/etc/sing-box/config.json"; file = "/etc/sing-box/config.json";
in '' in ''
users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "madohomu-singbox-users"}) users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "arumi-singbox-users"})
${pkgs.jq}/bin/jq --arg users "$users" \ ${pkgs.jq}/bin/jq --arg users "$users" \
'.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \ '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
${file} > ${file}.tmp ${file} > ${file}.tmp


@ -6,10 +6,11 @@ let
UID = 1100; UID = 1100;
in { in {
# we use cf tunnels because 443 port is used by the proxy, # we use cf tunnels because 443 port is used by the proxy,
# and it's also generally easier # and it's also generally easierbrew install cloudflared &&
imports = [ imports = [
(secrets.declare [{ (secrets.declare [{
name = "madohomu-cf-token"; name = "arumi-cf-token";
owner = "uptime-kuma"; owner = "uptime-kuma";
}]) }])
]; ];
@ -30,7 +31,7 @@ in {
PGID = builtins.toString UID; PGID = builtins.toString UID;
}; };
environmentFiles = [ environmentFiles = [
(secrets.file config "madohomu-cf-token") (secrets.file config "arumi-cf-token")
]; ];
}; };
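Review bot: The second comment line of the first hunk now reads `# and it's also generally easierbrew install cloudflared &&` — the trailing `brew install cloudflared &&` looks like a stray paste from a shell session that landed in the comment during the move. It is harmless at runtime, being inside a comment, but it should be restored to `# and it's also generally easier`.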


@ -6,9 +6,9 @@ let
in { in {
imports = [ imports = [
(secrets.declare [ (secrets.declare [
"madohomu-singbox-pub" "arumi-singbox-pub"
"madohomu-singbox-sid" "arumi-singbox-sid"
"madohomu-singbox-koi-uuid" "arumi-singbox-koi-uuid"
"vless-sakura-ip" "vless-sakura-ip"
"vless-sakura-pk" "vless-sakura-pk"
"vless-sakura-sid" "vless-sakura-sid"
@ -33,10 +33,10 @@ in {
outbounds = [ outbounds = [
{ tag = "direct"; type = "direct"; } { tag = "direct"; type = "direct"; }
{ {
tag = "xtls-madoka"; tag = "xtls-arumi";
type = "vless"; type = "vless";
flow = "xtls-rprx-vision"; flow = "xtls-rprx-vision";
server = secretsUnsafe.readUnsafe "madoka-ip"; server = secretsUnsafe.readUnsafe "arumi-ip";
server_port = 443; server_port = 443;
domain_strategy = ""; domain_strategy = "";
packet_encoding = ""; packet_encoding = "";
@ -46,33 +46,12 @@ in {
server_name = "updates.cdn-apple.com"; server_name = "updates.cdn-apple.com";
reality = { reality = {
enabled = true; enabled = true;
public_key._secret = secrets.file config "madohomu-singbox-pub"; public_key._secret = secrets.file config "arumi-singbox-pub";
short_id._secret = secrets.file config "madohomu-singbox-sid"; short_id._secret = secrets.file config "arumi-singbox-sid";
}; };
utls = { enabled = true; fingerprint = "edge"; }; utls = { enabled = true; fingerprint = "edge"; };
}; };
uuid._secret = secrets.file config "madohomu-singbox-koi-uuid"; uuid._secret = secrets.file config "arumi-singbox-koi-uuid";
}
{
tag = "xtls-homura";
type = "vless";
flow = "xtls-rprx-vision";
server = secretsUnsafe.readUnsafe "homura-ip";
server_port = 443;
domain_strategy = "";
packet_encoding = "";
tls = {
enabled = true;
alpn = [ "h2" ];
server_name = "updates.cdn-apple.com";
reality = {
enabled = true;
public_key._secret = secrets.file config "madohomu-singbox-pub";
short_id._secret = secrets.file config "madohomu-singbox-sid";
};
utls = { enabled = true; fingerprint = "edge"; };
};
uuid._secret = secrets.file config "madohomu-singbox-koi-uuid";
} }
{ {
# thanks kamillaova # thanks kamillaova
@ -98,9 +77,8 @@ in {
tag = "final"; tag = "final";
type = "urltest"; type = "urltest";
outbounds = [ outbounds = [
"xtls-arumi"
"xtls-sakura" "xtls-sakura"
"xtls-madoka"
"xtls-homura"
]; ];
} }
]; ];


@ -5,8 +5,6 @@
(modulesPath + "/profiles/minimal.nix") (modulesPath + "/profiles/minimal.nix")
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
./hardware-configuration.nix ./hardware-configuration.nix
./services/sing-box.nix
]; ];
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;


@ -3,7 +3,6 @@
{ {
imports = [ imports = [
./common.nix ./common.nix
./services/uptime-kuma.nix
]; ];
networking.hostName = "madoka"; networking.hostName = "madoka";


@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 Q7pPYw KEozsbVFmr+fZeEcSqcWLzLLOw6DPhBCoJFiRmJRdyw
0eNEnPDRqcNWCmuCx3dhzhyy3MriHKleKRd0f/BMvSo
--- pmIACVHsr9XHRbQgRjPC/rRYzWa5n9yttGsZti6WI5o
*™f·_ n£žHNy^ûg<C3BB>±é
Ì™Cÿ<EFBFBD>Å.Gÿß øv+

secrets/arumi-cf-token.age Normal file

Binary file not shown.

Binary file not shown.

switch

@ -23,6 +23,13 @@ while [ $# -ne 0 ]; do
remote=1 remote=1
NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub" NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub"
shift shift
;;
--build-on-remote)
if [ "$remote" == "0" ]; then
echo "Cannot build on remote without specifying remote host"
exit 1
fi
args+=("--build-host" "$norm_host")
;; ;;
.\#*) flake=$cur; shift;; .\#*) flake=$cur; shift;;
*) echo "Unknown argument: $cur"; exit 1;; *) echo "Unknown argument: $cur"; exit 1;;
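Review bot: The new `--build-on-remote)` arm never runs `shift`, while the `--remote)` arm above it and the `.\#*)` arm below each shift the argument they consume; unless the loop head (outside this hunk) already drops `$1` before the `case`, `while [ $# -ne 0 ]` will re-process `--build-on-remote` forever. Add `shift` after the `args+=("--build-host" "$norm_host")` line. The `$remote` check does force `--remote host` to come first, so `$norm_host` is set by the time it is read; a short comment above the arm stating that ordering requirement would make it explicit.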


@ -21,6 +21,7 @@ in {
matchBlocks = { matchBlocks = {
madoka.hostname = secrets.readUnsafe "madoka-ip"; madoka.hostname = secrets.readUnsafe "madoka-ip";
homura.hostname = secrets.readUnsafe "homura-ip"; homura.hostname = secrets.readUnsafe "homura-ip";
arumi.hostname = secrets.readUnsafe "arumi-ip";
koi = { koi = {
hostname = "10.42.0.2"; hostname = "10.42.0.2";
@ -31,7 +32,6 @@ in {
identityFile = "~/.ssh/ssh.pub"; identityFile = "~/.ssh/ssh.pub";
}; };
} // (lib.optionalAttrs isDarwin { } // (lib.optionalAttrs isDarwin {
# orbstack host # orbstack host
"orb" = { "orb" = {
hostname = "127.0.0.1"; hostname = "127.0.0.1";