From 91f00475f077dcaeee60a56ecebbe50b3b6166aa Mon Sep 17 00:00:00 2001
From: teidesu
Date: Fri, 7 Jun 2024 11:34:06 +0300
Subject: [PATCH] chore: madohomu initial
---
 flake.lock | 21 +++++++
 flake.nix | 18 ++++++
 hosts/madohomu/common.nix | 25 ++++++++
 hosts/madohomu/hardware-configuration.nix | 14 +++++
 hosts/madohomu/homura.nix | 9 +++
 hosts/madohomu/madoka.nix | 9 +++
 hosts/madohomu/services/sing-box.nix | 60 +++++++++++++++++++
 secrets/UNSAFE.desu-arm-ip.age | Bin 225 -> 0 bytes
 secrets/UNSAFE.homura-ip.age | 5 ++
 secrets/UNSAFE.madoka-ip.age | 6 ++
 secrets/madohomu-singbox-pk.age | 5 ++
 secrets/madohomu-singbox-pub.age | Bin 0 -> 255 bytes
 secrets/madohomu-singbox-sid.age | 5 ++
 secrets/madohomu-singbox-users.age | Bin 0 -> 305 bytes
 switch | 69 +++++++++++++---------
 users/teidesu/ssh.nix | 7 +--
 16 files changed, 220 insertions(+), 33 deletions(-)
 create mode 100644 hosts/madohomu/common.nix
 create mode 100644 hosts/madohomu/hardware-configuration.nix
 create mode 100644 hosts/madohomu/homura.nix
 create mode 100644 hosts/madohomu/madoka.nix
 create mode 100644 hosts/madohomu/services/sing-box.nix
 delete mode 100644 secrets/UNSAFE.desu-arm-ip.age
 create mode 100644 secrets/UNSAFE.homura-ip.age
 create mode 100644 secrets/UNSAFE.madoka-ip.age
 create mode 100644 secrets/madohomu-singbox-pk.age
 create mode 100644 secrets/madohomu-singbox-pub.age
 create mode 100644 secrets/madohomu-singbox-sid.age
 create mode 100644 secrets/madohomu-singbox-users.age
diff --git a/flake.lock b/flake.lock
index 60bf3ce..7790ef9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -43,6 +43,26 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1717637172,
+ "narHash": "sha256-geTO9YL1V9zYGxupuZvKFWxh6II9sH2bjI1dmEVhVYQ=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "713aa3df481782719aed4d8c20ad31a9effe3564",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "inputs": {
 "systems": "systems_2"
@@ -193,6 +213,7 @@
 "inputs": {
 "agenix": "agenix",
 "bootspec-secureboot": "bootspec-secureboot",
+ "disko": "disko",
 "home-manager": "home-manager_2",
 "nix-darwin": "nix-darwin",
 "nix-index-database": "nix-index-database",
diff --git a/flake.nix b/flake.nix
index 925ae0c..6a4e4f5 100755
--- a/flake.nix
+++ b/flake.nix
@@ -38,6 +38,9 @@
 nix-index-database.url = "github:nix-community/nix-index-database";
 nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs =
@@ -49,6 +52,7 @@
 , bootspec-secureboot
 , home-manager
 , nix-darwin
+ , disko
 , ...
 }:
 let
@@ -101,6 +105,20 @@
 ./hosts/koi/configuration.nix
 ];
 };
+
+ homura = mkNixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/madohomu/homura.nix
+ ];
+ };
+
+ madoka = mkNixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/madohomu/madoka.nix
+ ];
+ };
 };
 darwinConfigurations = {
diff --git a/hosts/madohomu/common.nix b/hosts/madohomu/common.nix
new file mode 100644
index 0000000..7c86e42
--- /dev/null
+++ b/hosts/madohomu/common.nix
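Review bot: The `disko` input added in the first two flake.nix hunks is not consumed by anything visible in this commit: the new `homura`/`madoka` entries in the third hunk pass only `./hosts/madohomu/*.nix` to `mkNixosSystem`, and the madohomu hardware-configuration declares its filesystems by hand. If `mkNixosSystem` (defined outside these hunks) does not forward `disko` into the module set, the input only pins and fetches a dependency that is never evaluated. Either leave it out until the disk layout is actually moved to disko, or annotate the `disko.url` line with what it is reserved for, e.g. `# reserved for the madohomu disk layout; not wired into any host yet`.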
@@ -0,0 +1,25 @@
+{ abs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/minimal.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./hardware-configuration.nix
+
+ ./services/sing-box.nix
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+
+ age.identityPaths = [
+ "/etc/ssh/agenix_key"
+ ];
+
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ (abs "ssh/teidesu.pub")
+ ];
+
+ system.stateVersion = "23.11";
+}
\ No newline at end of file
diff --git a/hosts/madohomu/hardware-configuration.nix b/hosts/madohomu/hardware-configuration.nix
new file mode 100644
index 0000000..224bcf9
--- /dev/null
+++ b/hosts/madohomu/hardware-configuration.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+
+ fileSystems."/boot" = { device = "/dev/disk/by-uuid/6514-E9BA"; fsType = "vfat"; };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
\ No newline at end of file
diff --git a/hosts/madohomu/homura.nix b/hosts/madohomu/homura.nix
new file mode 100644
index 0000000..4635cf4
--- /dev/null
+++ b/hosts/madohomu/homura.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ imports = [
+ ./common.nix
+ ];
+
+ networking.hostName = "homura";
+}
\ No newline at end of file
diff --git a/hosts/madohomu/madoka.nix b/hosts/madohomu/madoka.nix
new file mode 100644
index 0000000..bf94d64
--- /dev/null
+++ b/hosts/madohomu/madoka.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ imports = [
+ ./common.nix
+ ];
+
+ networking.hostName = "madoka";
+}
\ No newline at end of file
diff --git a/hosts/madohomu/services/sing-box.nix b/hosts/madohomu/services/sing-box.nix
new file mode 100644
index 0000000..0cc814e
--- /dev/null
+++ b/hosts/madohomu/services/sing-box.nix
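Review bot: `services.openssh.enable = true` together with a root authorized key in common.nix leaves every other sshd setting at the module default, and the NixOS openssh module defaults `PasswordAuthentication` to `true`, so these internet-facing hosts keep accepting password logins even though only key access is intended. Pin the policy next to the enable line: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. Root key login works here because of the module's `prohibit-password` default for `PermitRootLogin`; stating `services.openssh.settings.PermitRootLogin = "prohibit-password";` explicitly would document that the key-file setup depends on it.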
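Review bot: `fileSystems."/"` in hardware-configuration.nix is addressed by kernel device name (`/dev/sda1`) while `/boot` on the line above it uses a `by-uuid` path; under the qemu-guest profile this host pulls in, the enumerated name can shift when a disk or controller is added, which would leave the root mount pointing at the wrong device. Use the same stable addressing for both: `fileSystems."/" = { device = "/dev/disk/by-uuid/<ROOT-FS-UUID>"; fsType = "ext4"; };` with the UUID read from the host (placeholder shown). Not a blocker for the initial deploy, but worth fixing before more storage is attached.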
@@ -0,0 +1,60 @@
+{ config, abs, pkgs, ... }:
+
+let
+ secrets = import (abs "lib/secrets.nix");
+in {
+ imports = [
+ (secrets.declare [
+ "madohomu-singbox-pk"
+ "madohomu-singbox-sid"
+ "madohomu-singbox-users"
+ ])
+ ];
+
+ services.sing-box = {
+ enable = true;
+ settings = {
+ log = { level = "info"; timestamp = true; };
+ inbounds = [
+ {
+ type = "vless";
+ tag = "vless-in";
+ listen = "::";
+ listen_port = 443;
+ sniff = true;
+ sniff_override_destination = true;
+ domain_strategy = "ipv4_only";
+ users = []; # populated later in the preStart script
+ tls = let server = "updates.cdn-apple.com"; in {
+ enabled = true;
+ server_name = server;
+ reality = {
+ enabled = true;
+ handshake = { inherit server; server_port = 443; };
+ private_key._secret = secrets.file config "madohomu-singbox-pk";
+ short_id = [
+ { _secret = secrets.file config "madohomu-singbox-sid"; }
+ ];
+ };
+ };
+ }
+ ];
+ outbounds = [
+ { type = "direct"; tag = "direct"; }
+ { type = "block"; tag = "block"; }
+ ];
+ };
+ };
+
+ systemd.services.sing-box.preStart = let
+ file = "/etc/sing-box/config.json";
+ in ''
+ users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "madohomu-singbox-users"})
+ ${pkgs.jq}/bin/jq --arg users "$users" \
+ '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
+ ${file} > ${file}.tmp
+ mv ${file}.tmp ${file}
+ '';
+
+ networking.firewall.allowedTCPPorts = [ 443 ];
+}
\ No newline at end of file
diff --git a/secrets/UNSAFE.desu-arm-ip.age b/secrets/UNSAFE.desu-arm-ip.age
deleted file mode 100644
index e532d0b4a21ed7f2bc5171babfdff1ba21f54658..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 225 zcmV<703QEgXJsvAZewzJaCB*JZZ2S5P)`Q&kF0b#+EVbWnCw zK~!;KK{0r9QAt!&c~dqkF=}OZV{AraLRoHSdR2NjR80ykEiE8sHgi*VP-aX@Y-&w2 zaBX=vQ8F`mcv>$=Pf$lzc2_ema&}lbXk{=qPIC%6RyKG1?76a%R`>Fw`x>(H-=PH1 bIv21d#K0o-_ra`nB6IV<(?4WUW&o5Gy$w^D
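Review bot: The `preStart` snippet rewrites `/etc/sing-box/config.json` — which after `_secret` substitution contains the Reality private key — via `${file}.tmp` and `mv`, so the final file gets whatever umask is in effect when the snippet runs, and that depends on where NixOS concatenates this string relative to the module's own `preStart` (which, as far as I can tell, is what generates the file in the first place). Make both explicit: begin the snippet with `umask 0077` and wrap the value in `lib.mkAfter (...)` so the user list is always applied to the freshly generated config rather than a stale one; `lib` then needs adding to the argument set on the first line. The comment on `users = []; # populated later in the preStart script` is the only hint of this coupling, so the `systemd.services.sing-box.preStart` line deserves a matching one-liner, e.g. `# patches the module-generated config in place; must run after the module's own preStart`.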
diff --git a/secrets/UNSAFE.homura-ip.age b/secrets/UNSAFE.homura-ip.age new file mode 100644 index 0000000..aa396ff --- /dev/null +++ b/secrets/UNSAFE.homura-ip.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 Q7pPYw FjTnZ0gV0J9KbujZDF+s4lsQTp15//4R6IgboLyFmzc +7CKys4Yv1eCL0TznrCeVcXALHUzBLpKc2PAv48v+AJc +--- wChyp6YsZPedRW/pQlUQlA5ElkTroiOpEsI5sGHydS4 +Zq~ȝ1u$4360ɟnd ssh-ed25519 Q7pPYw I5xBcBGDF6+AD9SSjOBjCTFAG3mph0SskFkCkwzyW0I +q5OZRzz+VNsxSZJ6TIIU78PW3chT5xtVRMFl2w6Clhc +--- UQyI75UTwq49YzizoPsi6GGrxMphl7vpqM/Kuvk45pk +O"N- +ء><{~lBmcj \ No newline at end of file diff --git a/secrets/madohomu-singbox-pk.age b/secrets/madohomu-singbox-pk.age new file mode 100644 index 0000000..062f658 --- /dev/null +++ b/secrets/madohomu-singbox-pk.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 sj88Xw D1VPiSD1MLUjpvglASYOpT5b3O5qHxpM0FQa0ej3qiw +I/3C2lhDGz0nC+zMX6/2tNya0L7Lbik7a04SbnU7NA4 +--- PDQY1baSqlotyQAI+pl+lRGrF4zr1CfvLrzHHp/CrAA +3:+!|Of*h{, }XmE2#a(XmSD{oe2XEkJPQZ+PbFHts3Gjj?mnDHMll&eQH+4}pwbTbhD92ooG zIl14fx!MSn>2s$MNsmEP*swvHy@W+et^R3&0BqLkqE8G|ks1A#JibCDKc>m?S9>9& FX ssh-ed25519 sj88Xw hAtVKoM67sny48SaADCUDoVXYwxlkkXeKq3MFG176xk +b8sb4Lvc7+kA6KPejzPnpwDiBXyMRwcSwimSNK9QbkA +--- M3UGyBWpx9LmHxSlh6CzQWMKoqt/k2D7od58F82WJcA +nSd>Ȗ%NK+`k?>&GGQ =PHJpoL`6YPaBD?ccX&2vFE(;hSZ`%%MKlU6EiE8SYcFncFhx&wb9!+r zZ%Sn{dQ){vNl+_yY)C~#OD|brS9wEYRd{SqV{Zy{e`nIZ^fxA79zkP&u|45hK^Ps~ zQ3FOY`zll_02Ct@7?f!oab%dMUmaL_V z#Pq(94+EbGo$CHsL5G6Rny?55A&IN+^ofU!y6JjadYETDl^D|tqjTn$)4S%3x5zHC DQz~|6 literal 0 HcmV?d00001 diff --git a/switch b/switch index 57532b6..4f93193 100755 --- a/switch +++ b/switch 
@@ -1,32 +1,43 @@
 #!/usr/bin/env bash
-args=""
+args=()
 cmd="switch"
-
-if [ "$1" == "debug" ]; then
- args="--show-trace -v -L"
- shift
-fi
-
-if [ "$1" == "build" ]; then
- cmd="build"
- shift
-fi
-
-if [ "$1" == "dry-activate" ]; then
- cmd="dry-activate"
- shift
-fi
-
-if [ "$1" == "boot" ]; then
- cmd="boot"
- shift
-fi
-
 flake="."
-if [ ! -z ${NIX_HOSTNAME+x} ]; then
- flake=".#$NIX_HOSTNAME"
-fi
+remote=0
+
+while [ $# -ne 0 ]; do
+ cur=${1}; next=${2-};
+ case "$cur" in
+ --debug) args+=("--show-trace" "-v" "-L");;
+ --build) cmd="build";;
+ --dry-activate) cmd="dry-activate";;
+ --boot) cmd="boot";;
+ --remote)
+ sshg=$(ssh -G $next)
+ # normalize hostname
+ ssh_host=$(echo "$sshg" | awk '$1 == "hostname" { print $2 }')
+ ssh_user=$(echo "$sshg" | awk '$1 == "user" { print $2 }')
+ norm_host="$ssh_user@$ssh_host"
+
+ args+=("--fast" "--target-host" "$norm_host" "--use-remote-sudo" "--use-substitutes")
+ remote=1
+ NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub"
+ shift
+ ;;
+ .\#*) flake=$cur; shift;;
+ *) echo "Unknown argument: $cur"; exit 1;;
+ esac
+ shift;
+done
+
+args=${args[@]}
+
+function log_then_run {
+ echo "$ $@"
+ $@
+}
+
+echo $args
 function on_exit {
 git restore --staged secrets/unsafe.key
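Review bot: The `.\#*)` arm shifts twice for a single-token argument — once inside the arm and once at the bottom of the loop — so `./switch .#madoka --boot` silently drops `--boot` (with `.#madoka` as the last argument it only works because `shift` past the end fails quietly). The inner `shift` belongs only to arms that consume `$next`, as `--remote` does: `.\#*) flake=$cur;;`. In the same hunk `NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub"` is never exported, so neither `sudo -E` nor a child `nixos-rebuild` can see it — `export NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub"`; and `--remote` trusts `$next` to exist, so an empty value yields `norm_host="@"` after `ssh -G` fails, which a `[ -n "$next" ] || { echo "--remote needs a host"; exit 1; }` guard before the `ssh -G` call would catch. `log_then_run` expands `$@` unquoted in both the echo and the call, re-splitting any argument containing spaces; `"$@"` in both places preserves the caller's words.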
@@ -37,16 +48,16 @@ function on_exit {
 trap on_exit EXIT
 git add -f secrets/unsafe.key
-if [ "$(uname)" == "Darwin" ]; then
+if [ "$(uname)" == "Darwin" -a "$remote" == 0 ]; then
 if [ $(hostname) == "teidesu-osx" ]; then
 git add -f hosts/teidesu-osx/arc-setup.nix
 fi
 if command -v darwin-rebuild &> /dev/null; then
- darwin-rebuild switch --flake $flake $args $@
+ log_then_run darwin-rebuild switch --flake $flake $args $@
 else
- nix --extra-experimental-features nix-command --extra-experimental-features flakes run nix-darwin -- switch --flake $flake $args $@
+ log_then_run nix --extra-experimental-features nix-command --extra-experimental-features flakes run nix-darwin -- switch --flake $flake $args $@
 fi
 else
- sudo nixos-rebuild $cmd --flake $flake $args $@
+ log_then_run sudo -E nixos-rebuild $cmd --flake $flake $args $@
 fi
\ No newline at end of file
diff --git a/users/teidesu/ssh.nix b/users/teidesu/ssh.nix
index 3c7360e..98323cb 100644
--- a/users/teidesu/ssh.nix
+++ b/users/teidesu/ssh.nix
@@ -15,13 +15,12 @@ in {
 extraOptionOverrides = {
 GlobalKnownHostsFile = "~/.ssh/base_known_hosts";
+ ControlPath = "~/.ssh/master-%C";
 };
 matchBlocks = {
- desu-arm = {
- hostname = secrets.readUnsafe "desu-arm-ip";
- forwardAgent = true;
- };
+ madoka.hostname = secrets.readUnsafe "madoka-ip";
+ homura.hostname = secrets.readUnsafe "homura-ip";
 koi = {
 hostname = "10.42.0.2";
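Review bot: The `--remote` path still lands on `sudo -E nixos-rebuild … --target-host … --use-remote-sudo`: privilege on the target is already obtained by `--use-remote-sudo`, so local root is not required, and running the ssh client under sudo makes it consult root's `~/.ssh` (config, known_hosts) instead of the invoking user's — presumably the reason the parser hunk resolves the host to `user@ip` beforehand. Keeping the cases apart is two lines before the existing `else`: `elif [ "$remote" == 1 ]; then` and `log_then_run nixos-rebuild $cmd --flake $flake $args "$@"`. For the local case, `-E` hands the caller's entire environment to root; if `NIX_SSHOPTS` is the only variable needed, `sudo NIX_SSHOPTS="$NIX_SSHOPTS" nixos-rebuild …` is the narrower form (and requires the variable to be exported, which the parser hunk currently does not do). Style: `-a` inside `[ … ]` is the obsolescent form; `[ "$(uname)" == "Darwin" ] && [ "$remote" == 0 ]` reads the same and is portable.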