chore: madohomu initial

2024-06-07 11:34:06 +03:00 · 2024-06-07 11:34:06 +03:00 · 91f00475f0
commit 91f00475f0
parent 4b3d875cb4
16 changed files with 220 additions and 33 deletions
--- a/flake.lock
+++ b/flake.lock
@ -43,6 +43,26 @@
        "type": "github"
      }
    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717637172,
+        "narHash": "sha256-geTO9YL1V9zYGxupuZvKFWxh6II9sH2bjI1dmEVhVYQ=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "713aa3df481782719aed4d8c20ad31a9effe3564",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_2"
@ -193,6 +213,7 @@
      "inputs": {
        "agenix": "agenix",
        "bootspec-secureboot": "bootspec-secureboot",
+        "disko": "disko",
        "home-manager": "home-manager_2",
        "nix-darwin": "nix-darwin",
        "nix-index-database": "nix-index-database",
--- a/flake.nix
+++ b/flake.nix
@ -38,6 +38,9 @@

    nix-index-database.url = "github:nix-community/nix-index-database";
    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
+
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs =
@ -49,6 +52,7 @@
    , bootspec-secureboot
    , home-manager
    , nix-darwin
+    , disko
    , ...
    }:
    let
@ -101,6 +105,20 @@
            ./hosts/koi/configuration.nix
          ];
        };
+
+        homura = mkNixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            ./hosts/madohomu/homura.nix
+          ];
+        };
+
+        madoka = mkNixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            ./hosts/madohomu/madoka.nix
+          ];
+        };
      };

      darwinConfigurations = {
--- a/hosts/madohomu/common.nix
+++ b/hosts/madohomu/common.nix
@ -0,0 +1,25 @@
+{ abs, modulesPath, ... }: 
+
+{
+  imports = [
+    (modulesPath + "/profiles/minimal.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ./hardware-configuration.nix
+
+    ./services/sing-box.nix
+  ];
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+
+  age.identityPaths = [
+    "/etc/ssh/agenix_key"
+  ];
+
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    (abs "ssh/teidesu.pub")
+  ];
+  
+  system.stateVersion = "23.11";
+}
--- a/hosts/madohomu/hardware-configuration.nix
+++ b/hosts/madohomu/hardware-configuration.nix
@ -0,0 +1,14 @@
+{ ... }: 
+
+{
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  
+  fileSystems."/boot" = { device = "/dev/disk/by-uuid/6514-E9BA"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
--- a/hosts/madohomu/homura.nix
+++ b/hosts/madohomu/homura.nix
@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  imports = [
+    ./common.nix
+  ];
+  
+  networking.hostName = "homura";
+}
--- a/hosts/madohomu/madoka.nix
+++ b/hosts/madohomu/madoka.nix
@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  imports = [
+    ./common.nix
+  ];
+  
+  networking.hostName = "madoka";
+}
--- a/hosts/madohomu/services/sing-box.nix
+++ b/hosts/madohomu/services/sing-box.nix
@ -0,0 +1,60 @@
+{ config, abs, pkgs, ... }:
+
+let 
+  secrets = import (abs "lib/secrets.nix");
+in {
+  imports = [
+    (secrets.declare [
+      "madohomu-singbox-pk"
+      "madohomu-singbox-sid"
+      "madohomu-singbox-users"
+    ])
+  ];
+
+  services.sing-box = {
+    enable = true;
+    settings = {
+      log = { level = "info"; timestamp = true; };
+      inbounds = [
+        {
+          type = "vless";
+          tag = "vless-in";
+          listen = "::";
+          listen_port = 443;
+          sniff = true;
+          sniff_override_destination = true;
+          domain_strategy = "ipv4_only";
+          users = []; # populated later in the preStart script
+          tls = let server = "updates.cdn-apple.com"; in {
+            enabled = true;
+            server_name = server;
+            reality = {
+              enabled = true;
+              handshake = { inherit server; server_port = 443; };
+              private_key._secret = secrets.file config "madohomu-singbox-pk";
+              short_id = [ 
+                { _secret = secrets.file config "madohomu-singbox-sid"; }
+              ];
+            };
+          };
+        }
+      ];
+      outbounds = [
+        { type = "direct"; tag = "direct"; }
+        { type = "block"; tag = "block"; }
+      ];
+    };
+  };
+
+  systemd.services.sing-box.preStart = let 
+    file = "/etc/sing-box/config.json";
+  in ''
+    users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "madohomu-singbox-users"})
+    ${pkgs.jq}/bin/jq --arg users "$users" \
+      '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
+      ${file} > ${file}.tmp
+    mv ${file}.tmp ${file}
+  '';
+
+  networking.firewall.allowedTCPPorts = [ 443 ];
+}
--- a/secrets/UNSAFE.desu-arm-ip.age
+++ b/secrets/UNSAFE.desu-arm-ip.age
--- a/secrets/UNSAFE.homura-ip.age
+++ b/secrets/UNSAFE.homura-ip.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 Q7pPYw FjTnZ0gV0J9KbujZDF+s4lsQTp15//4R6IgboLyFmzc
+7CKys4Yv1eCL0TznrCeVcXALHUzBLpKc2PAv48v+AJc
+--- wChyp6YsZPedRW/pQlUQlA5ElkTroiOpEsI5sGHydS4
+ÊÉÊZÎqÿùîà~ì†È<E280A0>ëùž„1ýuâ“ó‹$ß4360ÉŸÆnd<o8|¬
--- a/secrets/UNSAFE.madoka-ip.age
+++ b/secrets/UNSAFE.madoka-ip.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 Q7pPYw I5xBcBGDF6+AD9SSjOBjCTFAG3mph0SskFkCkwzyW0I
+q5OZRzz+VNsxSZJ6TIIU78PW3chT5xtVRMFl2w6Clhc
+--- UQyI75UTwq49YzizoPsi6GGrxMphl7vpqM/Kuvk45pk
+O"«àÀèNÐ-
+†Ø¡>ºÓÔ<{™é~¦•““ÝŠ¹—lÆBmÒcíŠj©‘î
--- a/secrets/madohomu-singbox-pk.age
+++ b/secrets/madohomu-singbox-pk.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 sj88Xw D1VPiSD1MLUjpvglASYOpT5b3O5qHxpM0FQa0ej3qiw
+I/3C2lhDGz0nC+zMX6/2tNya0L7Lbik7a04SbnU7NA4
+--- PDQY1baSqlotyQAI+pl+lRGrF4zr1CfvLrzHHp/CrAA
+3êÈ:+!|ÂÚOfÊ*±h{¹,<2C>´”¥Î	¿äøí<sb
íþááíÅþé‹È6§ˆ†ZöÐ*â-wþ÷ÎTw¾{¦¨Û1¤
--- a/secrets/madohomu-singbox-pub.age
+++ b/secrets/madohomu-singbox-pub.age
--- a/secrets/madohomu-singbox-sid.age
+++ b/secrets/madohomu-singbox-sid.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 sj88Xw hAtVKoM67sny48SaADCUDoVXYwxlkkXeKq3MFG176xk
+b8sb4Lvc7+kA6KPejzPnpwDiBXyMRwcSwimSNK9QbkA
+--- M3UGyBWpx9LmHxSlh6CzQWMKoqt/k2D7od58F82WJcA
+nSdà>ûÈ–‘ð%<25>NKþš†+‡Æ`kË?±‚>&ŽGGQ¡ôæåŒ	=<J›ÎÑKã
--- a/secrets/madohomu-singbox-users.age
+++ b/secrets/madohomu-singbox-users.age
--- a/69
+++ b/69
@ -1,32 +1,43 @@
 #!/usr/bin/env bash

-args=""
+args=()
 cmd="switch"
-
-if [ "$1" == "debug" ]; then
-    args="--show-trace -v -L"
-    shift
-fi
-
-if [ "$1" == "build" ]; then
-    cmd="build"
-    shift
-fi
-
-if [ "$1" == "dry-activate" ]; then
-    cmd="dry-activate"
-    shift
-fi
-
-if [ "$1" == "boot" ]; then
-    cmd="boot"
-    shift
-fi
-
 flake="."
-if [ ! -z ${NIX_HOSTNAME+x} ]; then
-    flake=".#$NIX_HOSTNAME"
-fi
+remote=0
+
+while [ $# -ne 0 ]; do
+    cur=${1}; next=${2-};
+    case "$cur" in
+        --debug) args+=("--show-trace" "-v" "-L");;
+        --build) cmd="build";;
+        --dry-activate) cmd="dry-activate";;
+        --boot) cmd="boot";;
+        --remote) 
+            sshg=$(ssh -G $next)
+            # normalize hostname
+            ssh_host=$(echo "$sshg" | awk '$1 == "hostname" { print $2 }')
+            ssh_user=$(echo "$sshg" | awk '$1 == "user" { print $2 }')
+            norm_host="$ssh_user@$ssh_host"
+
+            args+=("--fast" "--target-host" "$norm_host" "--use-remote-sudo" "--use-substitutes")
+            remote=1
+            NIX_SSHOPTS="-i $HOME/.ssh/ssh.pub"
+            shift
+            ;;
+		.\#*) flake=$cur; shift;;
+        *) echo "Unknown argument: $cur"; exit 1;;
+	esac
+	shift;
+done
+
+args=${args[@]}
+
+function log_then_run {
+    echo "$ $@"
+    $@
+}
+
+echo $args

 function on_exit {
    git restore --staged secrets/unsafe.key
@ -37,16 +48,16 @@ function on_exit {
 trap on_exit EXIT

 git add -f secrets/unsafe.key
-if [ "$(uname)" == "Darwin" ]; then
+if [ "$(uname)" == "Darwin" -a "$remote" == 0 ]; then
    if [ $(hostname) == "teidesu-osx" ]; then
        git add -f hosts/teidesu-osx/arc-setup.nix
    fi

    if command -v darwin-rebuild &> /dev/null; then
-        darwin-rebuild switch --flake $flake $args $@
+        log_then_run darwin-rebuild switch --flake $flake $args $@
    else
-        nix --extra-experimental-features nix-command --extra-experimental-features flakes run nix-darwin -- switch --flake $flake $args $@
+        log_then_run nix --extra-experimental-features nix-command --extra-experimental-features flakes run nix-darwin -- switch --flake $flake $args $@
    fi
 else
-    sudo nixos-rebuild $cmd --flake $flake $args $@
+    log_then_run sudo -E nixos-rebuild $cmd --flake $flake $args $@
 fi
--- a/users/teidesu/ssh.nix
+++ b/users/teidesu/ssh.nix
@ -15,13 +15,12 @@ in {

    extraOptionOverrides = {
      GlobalKnownHostsFile = "~/.ssh/base_known_hosts";
+      ControlPath = "~/.ssh/master-%C";
    };

    matchBlocks = {
-      desu-arm = {
-        hostname = secrets.readUnsafe "desu-arm-ip";
-        forwardAgent = true;
-      };
+      madoka.hostname = secrets.readUnsafe "madoka-ip";
+      homura.hostname = secrets.readUnsafe "homura-ip";

      koi = {
        hostname = "10.42.0.2";