chore: madohomu initial

This commit is contained in:
alina 🌸 2024-06-07 11:34:06 +03:00
parent 4b3d875cb4
commit 91f00475f0
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
16 changed files with 220 additions and 33 deletions


@ -43,6 +43,26 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1717637172,
"narHash": "sha256-geTO9YL1V9zYGxupuZvKFWxh6II9sH2bjI1dmEVhVYQ=",
"owner": "nix-community",
"repo": "disko",
"rev": "713aa3df481782719aed4d8c20ad31a9effe3564",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_2"
@ -193,6 +213,7 @@
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"bootspec-secureboot": "bootspec-secureboot", "bootspec-secureboot": "bootspec-secureboot",
"disko": "disko",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",


@ -38,6 +38,9 @@
nix-index-database.url = "github:nix-community/nix-index-database"; nix-index-database.url = "github:nix-community/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = outputs =
@ -49,6 +52,7 @@
, bootspec-secureboot , bootspec-secureboot
, home-manager , home-manager
, nix-darwin , nix-darwin
, disko
, ... , ...
}: }:
let let
@ -101,6 +105,20 @@
./hosts/koi/configuration.nix ./hosts/koi/configuration.nix
]; ];
}; };
homura = mkNixosSystem {
system = "x86_64-linux";
modules = [
./hosts/madohomu/homura.nix
];
};
madoka = mkNixosSystem {
system = "x86_64-linux";
modules = [
./hosts/madohomu/madoka.nix
];
};
}; };
darwinConfigurations = { darwinConfigurations = {
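Review bot: `disko` is added as a flake input and destructured in `outputs` (`, disko`), but none of the host modules in this commit appear to reference it, so for now it only pins one more dependency in `flake.lock`. If it is intended for provisioning the madohomu hosts later, a one-line comment next to `disko.url = "github:nix-community/disko";` saying so (or adding it to those hosts' `modules`) would keep the input from looking stale. The `nixosConfigurations` attrset that `homura` and `madoka` are added to begins before the hunk.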

hosts/madohomu/common.nix Normal file

@ -0,0 +1,25 @@
{ abs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/minimal.nix")
(modulesPath + "/profiles/qemu-guest.nix")
./hardware-configuration.nix
./services/sing-box.nix
];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
age.identityPaths = [
"/etc/ssh/agenix_key"
];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keyFiles = [
(abs "ssh/teidesu.pub")
];
system.stateVersion = "23.11";
}
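Review bot: `services.openssh.enable = true;` together with the root authorized key from `(abs "ssh/teidesu.pub")` leaves password and keyboard-interactive authentication at the NixOS sshd defaults, so on a host that is presumably internet-facing (it serves on :443) the root account would also accept a password if one is ever set. Since access is meant to be key-only, pin the policy explicitly: `services.openssh.settings.PasswordAuthentication = false;`, `services.openssh.settings.KbdInteractiveAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";`. `age.identityPaths = [ "/etc/ssh/agenix_key" ]` points at a key that is not one of the default sshd host keys, so a short comment stating how it gets onto a fresh host would help the next reader — presumably copied in by hand during install, confirm.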


@ -0,0 +1,14 @@
{ ... }:
{
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/6514-E9BA"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}
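Review bot: `fileSystems."/" = { device = "/dev/sda1"; ... }` identifies the root filesystem by kernel device name while `/boot` uses `/dev/disk/by-uuid/…`; on a QEMU/Xen guest the disk name can shift when a device is added or a different block driver binds, so root should be referenced the same way, `device = "/dev/disk/by-uuid/<ROOT-UUID>";` with the value read from the host. If this is the `./hardware-configuration.nix` imported by the shared `common.nix`, both homura and madoka would mount the same `/boot` UUID `6514-E9BA`, which only works if both VMs were cloned from one image — confirm, and otherwise move the filesystem entries into the per-host modules. The attrset is complete within the hunk.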


@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./common.nix
];
networking.hostName = "homura";
}


@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./common.nix
];
networking.hostName = "madoka";
}


@ -0,0 +1,60 @@
{ config, abs, pkgs, ... }:
let
secrets = import (abs "lib/secrets.nix");
in {
imports = [
(secrets.declare [
"madohomu-singbox-pk"
"madohomu-singbox-sid"
"madohomu-singbox-users"
])
];
services.sing-box = {
enable = true;
settings = {
log = { level = "info"; timestamp = true; };
inbounds = [
{
type = "vless";
tag = "vless-in";
listen = "::";
listen_port = 443;
sniff = true;
sniff_override_destination = true;
domain_strategy = "ipv4_only";
users = []; # populated later in the preStart script
tls = let server = "updates.cdn-apple.com"; in {
enabled = true;
server_name = server;
reality = {
enabled = true;
handshake = { inherit server; server_port = 443; };
private_key._secret = secrets.file config "madohomu-singbox-pk";
short_id = [
{ _secret = secrets.file config "madohomu-singbox-sid"; }
];
};
};
}
];
outbounds = [
{ type = "direct"; tag = "direct"; }
{ type = "block"; tag = "block"; }
];
};
};
systemd.services.sing-box.preStart = let
file = "/etc/sing-box/config.json";
in ''
users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "madohomu-singbox-users"})
${pkgs.jq}/bin/jq --arg users "$users" \
'.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
${file} > ${file}.tmp
mv ${file}.tmp ${file}
'';
networking.firewall.allowedTCPPorts = [ 443 ];
}
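Review bot: The script assigned at `systemd.services.sing-box.preStart = let` is concatenated with the preStart the NixOS sing-box module already defines, which as far as I can tell regenerates `/etc/sing-box/config.json` from `settings` with the `_secret` values substituted; with no explicit ordering the user-population step can run first and be overwritten, leaving `users = []` in the live config. Wrap it as `systemd.services.sing-box.preStart = lib.mkAfter ''…'';` (and add `lib` to the module arguments on the first line) so it is guaranteed to run after the module's generation step. Passing the decoded user list via `--arg users "$users"` also places every UUID on the jq command line, where other processes can read it from the process table for the duration of the call; `${pkgs.jq}/bin/jq --rawfile users <(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "madohomu-singbox-users"})` keeps the same `($users | fromjson | …)` filter while reading from a descriptor instead. The `> ${file}.tmp` redirection creates the temp file under the service's umask, so a `umask 077` before it guards against the key-bearing config being briefly group/world readable — confirm whether the module already sets one.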

Binary file not shown.


@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 Q7pPYw FjTnZ0gV0J9KbujZDF+s4lsQTp15//4R6IgboLyFmzc
7CKys4Yv1eCL0TznrCeVcXALHUzBLpKc2PAv48v+AJc
--- wChyp6YsZPedRW/pQlUQlA5ElkTroiOpEsI5sGHydS4
ÊÉÊZÎqÿùîà~ì†È<E280A0>ëùž„1ýuâ“ó$ß4360ÉŸÆnd<o8|¬


@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 Q7pPYw I5xBcBGDF6+AD9SSjOBjCTFAG3mph0SskFkCkwzyW0I
q5OZRzz+VNsxSZJ6TIIU78PW3chT5xtVRMFl2w6Clhc
--- UQyI75UTwq49YzizoPsi6GGrxMphl7vpqM/Kuvk45pk
O"«àÀèNÐ-
†Ø¡>ºÓÔ<{™é~¦•““ÝŠ¹—lÆBmÒcíŠj©î


@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 sj88Xw D1VPiSD1MLUjpvglASYOpT5b3O5qHxpM0FQa0ej3qiw
I/3C2lhDGz0nC+zMX6/2tNya0L7Lbik7a04SbnU7NA4
--- PDQY1baSqlotyQAI+pl+lRGrF4zr1CfvLrzHHp/CrAA
3êÈ:+!|ÂÚOfÊ*±h{¹,<2C>´”¥Î ¿äøí<sb íþááíÅþé‹ È6§ˆ†ZöÐ*â-wþ÷ÎTw¾{¦¨Û1¤

Binary file not shown.


@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 sj88Xw hAtVKoM67sny48SaADCUDoVXYwxlkkXeKq3MFG176xk
b8sb4Lvc7+kA6KPejzPnpwDiBXyMRwcSwimSNK9QbkA
--- M3UGyBWpx9LmHxSlh6CzQWMKoqt/k2D7od58F82WJcA
nSdà>ûÈ–‘ð%<25>NKþš†+‡Æ`kË?±‚>&ŽGGQ¡ôæåŒ =<JÎÑKã

Binary file not shown.

switch

@ -1,32 +1,43 @@
#!/usr/bin/env bash #!/usr/bin/env bash
args="" args=()
cmd="switch" cmd="switch"
if [ "$1" == "debug" ]; then
args="--show-trace -v -L"
shift
fi
if [ "$1" == "build" ]; then
cmd="build"
shift
fi
if [ "$1" == "dry-activate" ]; then
cmd="dry-activate"
shift
fi
if [ "$1" == "boot" ]; then
cmd="boot"
shift
fi
flake="." flake="."
if [ ! -z ${NIX_HOSTNAME+x} ]; then remote=0
flake=".#$NIX_HOSTNAME"
fi while [ $# -ne 0 ]; do
cur=${1}; next=${2-};
case "$cur" in
--debug) args+=("--show-trace" "-v" "-L");;
--build) cmd="build";;
--dry-activate) cmd="dry-activate";;
--boot) cmd="boot";;
--remote)
sshg=$(ssh -G $next)
# normalize hostname
ssh_host=$(echo "$sshg" | awk '$1 == "hostname" { print $2 }')
ssh_user=$(echo "$sshg" | awk '$1 == "user" { print $2 }')
norm_host="$ssh_user@$ssh_host"
args+=("--fast" "--target-host" "$norm_host" "--use-remote-sudo" "--use-substitutes")
remote=1
NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub"
shift
;;
.\#*) flake=$cur; shift;;
*) echo "Unknown argument: $cur"; exit 1;;
esac
shift;
done
args=${args[@]}
function log_then_run {
echo "$ $@"
$@
}
echo $args
function on_exit { function on_exit {
git restore --staged secrets/unsafe.key git restore --staged secrets/unsafe.key
@ -37,16 +48,16 @@ function on_exit {
trap on_exit EXIT trap on_exit EXIT
git add -f secrets/unsafe.key git add -f secrets/unsafe.key
if [ "$(uname)" == "Darwin" ]; then if [ "$(uname)" == "Darwin" -a "$remote" == 0 ]; then
if [ $(hostname) == "teidesu-osx" ]; then if [ $(hostname) == "teidesu-osx" ]; then
git add -f hosts/teidesu-osx/arc-setup.nix git add -f hosts/teidesu-osx/arc-setup.nix
fi fi
if command -v darwin-rebuild &> /dev/null; then if command -v darwin-rebuild &> /dev/null; then
darwin-rebuild switch --flake $flake $args $@ log_then_run darwin-rebuild switch --flake $flake $args $@
else else
nix --extra-experimental-features nix-command --extra-experimental-features flakes run nix-darwin -- switch --flake $flake $args $@ log_then_run nix --extra-experimental-features nix-command --extra-experimental-features flakes run nix-darwin -- switch --flake $flake $args $@
fi fi
else else
sudo nixos-rebuild $cmd --flake $flake $args $@ log_then_run sudo -E nixos-rebuild $cmd --flake $flake $args $@
fi fi
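Review bot: `NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub"` in the `--remote` branch is a plain shell assignment, not an export, so neither `sudo -E` nor nixos-rebuild ever sees it and the `--target-host` connection falls back to default identity selection; it should read `export NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub"`. `sshg=$(ssh -G $next)` and the `$@` in `log_then_run` are unquoted, so `--remote` given as the last argument runs `ssh -G` with no host and any argument containing whitespace is split; write `ssh -G "$next"` and `"$@"`. `args=${args[@]}` flattens the array back into a space-separated string, which undoes the reason for switching to `args=()`; keeping it an array and invoking with `"${args[@]}"` in the three `log_then_run` lines preserves argument boundaries. On Darwin with `--remote` the else branch still runs `sudo -E nixos-rebuild` locally, which may make the ssh connection use root's configuration and known_hosts rather than the invoking user's — presumably unintended, confirm.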


@ -15,13 +15,12 @@ in {
extraOptionOverrides = { extraOptionOverrides = {
GlobalKnownHostsFile = "~/.ssh/base_known_hosts"; GlobalKnownHostsFile = "~/.ssh/base_known_hosts";
ControlPath = "~/.ssh/master-%C";
}; };
matchBlocks = { matchBlocks = {
desu-arm = { madoka.hostname = secrets.readUnsafe "madoka-ip";
hostname = secrets.readUnsafe "desu-arm-ip"; homura.hostname = secrets.readUnsafe "homura-ip";
forwardAgent = true;
};
koi = { koi = {
hostname = "10.42.0.2"; hostname = "10.42.0.2";