feat: added arumi host and moved stuff from madohomu there

2024-08-30 11:34:22 +03:00 · 2024-08-30 11:34:22 +03:00 · 6bdb2c6c8b
commit 6bdb2c6c8b
parent 2e30f0541c
20 changed files with 163 additions and 45 deletions
--- a/flake.lock
+++ b/flake.lock
@ -65,6 +65,26 @@
        "type": "github"
      }
    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1724895876,
+        "narHash": "sha256-GSqAwa00+vRuHbq9O/yRv7Ov7W/pcMLis3HmeHv8a+Q=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "511388d837178979de66d14ca4a2ebd5f7991cd3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_2"
@ -234,6 +254,7 @@
        "agenix": "agenix",
        "bootspec-secureboot": "bootspec-secureboot",
        "desu-deploy": "desu-deploy",
+        "disko": "disko",
        "home-manager": "home-manager_2",
        "nix-darwin": "nix-darwin",
        "nix-index-database": "nix-index-database",
--- a/flake.nix
+++ b/flake.nix
@ -39,6 +39,9 @@
    nix-index-database.url = "github:nix-community/nix-index-database";
    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";

+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
    desu-deploy.url = "github:teidesu/desu-deploy/a77b8e790324df51471cf40924acff9643972dfa";
    desu-deploy.inputs.nixpkgs.follows = "nixpkgs";
  };
@ -53,6 +56,7 @@
    , home-manager
    , nix-darwin
    , desu-deploy
+    , disko
    , ...
    }:
    let
@ -82,7 +86,7 @@
      }: let 
        specialArgsMerged = specialArgsCommon // specialArgs // {
          pkgs-stable = import nixpkgs-stable {
-            system = "x86_64-linux";
+            inherit system;
            config = { allowUnfree = true; };
          };
        };
@ -120,6 +124,14 @@
            ./hosts/madohomu/madoka.nix
          ];
        };
+
+        arumi = mkNixosSystem {
+          system = "aarch64-linux";
+          modules = [
+            disko.nixosModules.disko
+            ./hosts/arumi/configuration.nix
+          ];
+        };
      };

      darwinConfigurations = {
--- a/hosts/arumi/configuration.nix
+++ b/hosts/arumi/configuration.nix
@ -0,0 +1,34 @@
+{ abs, modulesPath, ... }: 
+
+{
+  imports = [
+    (modulesPath + "/profiles/minimal.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ./disk-config.nix
+
+    ./services/sing-box.nix
+    ./services/uptime-kuma.nix
+  ];
+
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+
+  age.identityPaths = [
+    "/etc/ssh/agenix_key"
+  ];
+
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    (abs "ssh/teidesu.pub")
+  ];
+
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers.backend = "docker";
+  
+  system.stateVersion = "23.11";
+}
--- a/hosts/arumi/deploy.sh
+++ b/hosts/arumi/deploy.sh
@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -eau
+
+SCRIPT=$(realpath "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+$SCRIPTPATH/../../switch --remote root@arumi --build-on-remote .#arumi
--- a/hosts/arumi/disk-config.nix
+++ b/hosts/arumi/disk-config.nix
@ -0,0 +1,54 @@
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/hosts/madohomu/services/sing-box.nix
+++ b/hosts/madohomu/services/sing-box.nix
@ -5,9 +5,9 @@ let
 in {
  imports = [
    (secrets.declare [
-      "madohomu-singbox-pk"
-      "madohomu-singbox-sid"
-      "madohomu-singbox-users"
+      "arumi-singbox-pk"
+      "arumi-singbox-sid"
+      "arumi-singbox-users"
    ])
  ];

@ -31,9 +31,9 @@ in {
            reality = {
              enabled = true;
              handshake = { inherit server; server_port = 443; };
-              private_key._secret = secrets.file config "madohomu-singbox-pk";
+              private_key._secret = secrets.file config "arumi-singbox-pk";
              short_id = [ 
-                { _secret = secrets.file config "madohomu-singbox-sid"; }
+                { _secret = secrets.file config "arumi-singbox-sid"; }
              ];
            };
          };
@ -49,7 +49,7 @@ in {
  systemd.services.sing-box.preStart = let 
    file = "/etc/sing-box/config.json";
  in ''
-    users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "madohomu-singbox-users"})
+    users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "arumi-singbox-users"})
    ${pkgs.jq}/bin/jq --arg users "$users" \
      '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
      ${file} > ${file}.tmp
--- a/hosts/madohomu/services/uptime-kuma.nix
+++ b/hosts/madohomu/services/uptime-kuma.nix
@ -6,10 +6,11 @@ let
  UID = 1100;
 in {
  # we use cf tunnels because 443 port is used by the proxy,
-  # and it's also generally easier
+  # and it's also generally easierbrew install cloudflared && 
+
  imports = [
    (secrets.declare [{
-      name = "madohomu-cf-token";
+      name = "arumi-cf-token";
      owner = "uptime-kuma";
    }])
  ];
@ -30,7 +31,7 @@ in {
      PGID = builtins.toString UID;
    };
    environmentFiles = [
-      (secrets.file config "madohomu-cf-token")
+      (secrets.file config "arumi-cf-token")
    ];
  };

--- a/hosts/koi/services/sing-box.nix
+++ b/hosts/koi/services/sing-box.nix
@ -6,9 +6,9 @@ let
 in {
  imports = [
    (secrets.declare [ 
-      "madohomu-singbox-pub"
-      "madohomu-singbox-sid"
-      "madohomu-singbox-koi-uuid"
+      "arumi-singbox-pub"
+      "arumi-singbox-sid"
+      "arumi-singbox-koi-uuid"
      "vless-sakura-ip"
      "vless-sakura-pk"
      "vless-sakura-sid"
@ -33,10 +33,10 @@ in {
      outbounds = [
        { tag = "direct"; type = "direct"; }
        {
-          tag = "xtls-madoka";
+          tag = "xtls-arumi";
          type = "vless";
          flow = "xtls-rprx-vision";
-          server = secretsUnsafe.readUnsafe "madoka-ip";
+          server = secretsUnsafe.readUnsafe "arumi-ip";
          server_port = 443;
          domain_strategy = "";
          packet_encoding = "";
@ -46,33 +46,12 @@ in {
            server_name = "updates.cdn-apple.com";
            reality = {
              enabled = true;
-              public_key._secret = secrets.file config "madohomu-singbox-pub";
-              short_id._secret = secrets.file config "madohomu-singbox-sid";
+              public_key._secret = secrets.file config "arumi-singbox-pub";
+              short_id._secret = secrets.file config "arumi-singbox-sid";
            };
            utls = { enabled = true; fingerprint = "edge"; };
          };
-          uuid._secret = secrets.file config "madohomu-singbox-koi-uuid";
-        }
-        {
-          tag = "xtls-homura";
-          type = "vless";
-          flow = "xtls-rprx-vision";
-          server = secretsUnsafe.readUnsafe "homura-ip";
-          server_port = 443;
-          domain_strategy = "";
-          packet_encoding = "";
-          tls = {
-            enabled = true;
-            alpn = [ "h2" ];
-            server_name = "updates.cdn-apple.com";
-            reality = {
-              enabled = true;
-              public_key._secret = secrets.file config "madohomu-singbox-pub";
-              short_id._secret = secrets.file config "madohomu-singbox-sid";
-            };
-            utls = { enabled = true; fingerprint = "edge"; };
-          };
-          uuid._secret = secrets.file config "madohomu-singbox-koi-uuid";
+          uuid._secret = secrets.file config "arumi-singbox-koi-uuid";
        }
        {
          # thanks kamillaova
@ -98,9 +77,8 @@ in {
          tag = "final";
          type = "urltest";
          outbounds = [
+            "xtls-arumi"
            "xtls-sakura"
-            "xtls-madoka"
-            "xtls-homura"
          ];
        }
      ];
--- a/hosts/madohomu/common.nix
+++ b/hosts/madohomu/common.nix
@ -5,8 +5,6 @@
    (modulesPath + "/profiles/minimal.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./hardware-configuration.nix
-
-    ./services/sing-box.nix
  ];

  boot.tmp.cleanOnBoot = true;
--- a/hosts/madohomu/madoka.nix
+++ b/hosts/madohomu/madoka.nix
@ -3,7 +3,6 @@
 {
  imports = [
    ./common.nix
-    ./services/uptime-kuma.nix
  ];
  
  networking.hostName = "madoka";
--- a/secrets/UNSAFE.arumi-ip.age
+++ b/secrets/UNSAFE.arumi-ip.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 Q7pPYw KEozsbVFmr+fZeEcSqcWLzLLOw6DPhBCoJFiRmJRdyw
+0eNEnPDRqcNWCmuCx3dhzhyy3MriHKleKRd0f/BMvSo
+--- pmIACVHsr9XHRbQgRjPC/rRYzWa5n9yttGsZti6WI5o
+*™f·_n£žHNy^ûg<C3BB>±é
+Ì™Cÿ<EFBFBD>Å.Gÿß
øv+’
--- a/secrets/arumi-cf-token.age
+++ b/secrets/arumi-cf-token.age
--- a/secrets/madohomu-singbox-koi-uuid.age
+++ b/secrets/madohomu-singbox-koi-uuid.age
--- a/secrets/madohomu-singbox-pk.age
+++ b/secrets/madohomu-singbox-pk.age
--- a/secrets/madohomu-singbox-pub.age
+++ b/secrets/madohomu-singbox-pub.age
--- a/secrets/madohomu-singbox-sid.age
+++ b/secrets/madohomu-singbox-sid.age
--- a/secrets/madohomu-singbox-users.age
+++ b/secrets/madohomu-singbox-users.age
--- a/secrets/madohomu-cf-token.age
+++ b/secrets/madohomu-cf-token.age
--- a/7
+++ b/7
@ -23,6 +23,13 @@ while [ $# -ne 0 ]; do
            remote=1
            NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub"
            shift
+            ;;
+        --build-on-remote)
+            if [ "$remote" == "0" ]; then
+                echo "Cannot build on remote without specifying remote host"
+                exit 1
+            fi
+            args+=("--build-host" "$norm_host")
            ;;
 		.\#*) flake=$cur; shift;;
        *) echo "Unknown argument: $cur"; exit 1;;
--- a/users/teidesu/ssh.nix
+++ b/users/teidesu/ssh.nix
@ -21,6 +21,7 @@ in {
    matchBlocks = {
      madoka.hostname = secrets.readUnsafe "madoka-ip";
      homura.hostname = secrets.readUnsafe "homura-ip";
+      arumi.hostname = secrets.readUnsafe "arumi-ip";

      koi = {
        hostname = "10.42.0.2";
@ -31,7 +32,6 @@ in {
        identityFile = "~/.ssh/ssh.pub";
      };
    } // (lib.optionalAttrs isDarwin {
-
      # orbstack host
      "orb" = {
        hostname = "127.0.0.1";