nixos: cleanup
parent
65a4e1e46a
commit
0044b9eed1
6 changed files with 29 additions and 19 deletions
|
@ -1,5 +1,15 @@
|
||||||
{inputs, ...}: {
|
{
|
||||||
imports = [inputs.impermanence.nixosModules.impermanence];
|
inputs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
inputs.impermanence.nixosModules.impermanence
|
||||||
|
./sops-nix.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
### sops-nix
|
||||||
|
sops.age.sshKeyPaths = lib.mkForce ["/nix/persist/system/etc/ssh/ssh_host_ed25519_key"];
|
||||||
|
|
||||||
# this folder is where the files will be stored (don't put it in tmpfs)
|
# this folder is where the files will be stored (don't put it in tmpfs)
|
||||||
environment.persistence."/nix/persist/system" = {
|
environment.persistence."/nix/persist/system" = {
|
||||||
|
|
|
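Review bot: The `lib.mkForce` override of `sops.age.sshKeyPaths` has no comment explaining why this module reads the host key from the persistent volume instead of `/etc/ssh`, and it repeats the `/nix/persist/system` literal that `environment.persistence` uses a few lines below. Presumably the key under `/etc/ssh` is not yet in place when sops-nix decrypts during activation on an ephemeral root; if that is the reason, state it, e.g. `# /etc/ssh is not yet backed by the persistent volume when secrets are decrypted, so read the host key from there directly`. Because this file is the age decryption identity for the host's secrets, it is also worth noting beside it that the persisted copy must stay readable by root only. The module body continues outside the hunk.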
@ -30,6 +30,7 @@
|
||||||
### Flakes
|
### Flakes
|
||||||
imports = [
|
imports = [
|
||||||
../../../../../nixos/flake-modules/sops-nix.nix
|
../../../../../nixos/flake-modules/sops-nix.nix
|
||||||
|
../../../../../nixos/flake-modules/home-manager.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
### sops-nix
|
### sops-nix
|
||||||
|
@ -37,11 +38,10 @@
|
||||||
users.groups."nix-access-tokens" = {};
|
users.groups."nix-access-tokens" = {};
|
||||||
sops = {
|
sops = {
|
||||||
defaultSopsFile = ../../../secrets/secrets.yaml;
|
defaultSopsFile = ../../../secrets/secrets.yaml;
|
||||||
age.sshKeyPaths = ["/nix/persist/system/etc/ssh/ssh_host_ed25519_key"];
|
age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||||
gnupg.sshKeyPaths = [];
|
gnupg.sshKeyPaths = [];
|
||||||
secrets = {
|
secrets = {
|
||||||
"hashed-passwd".neededForUsers = true; # Hashed user password
|
"hashed-passwd".neededForUsers = true; # Hashed user password
|
||||||
"wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
|
|
||||||
"nix-access-tokens" = {
|
"nix-access-tokens" = {
|
||||||
group = config.users.groups."nix-access-tokens".name;
|
group = config.users.groups."nix-access-tokens".name;
|
||||||
mode = "0440";
|
mode = "0440";
|
||||||
|
|
|
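Review bot: With `age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]` as the shared default, `"hashed-passwd".neededForUsers = true` depends on that host key already existing when users are set up during activation. On a freshly provisioned host the key may not exist yet at that stage (how host keys are provisioned is not visible here), in which case the password secret could not be decrypted. A comment stating the precondition would help, e.g. `# host key must exist before first activation; the module importing inputs.impermanence overrides this path with mkForce`. The `sops = { … }` block continues outside the hunk.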
@ -5,6 +5,7 @@
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
### Flakes
|
### Flakes
|
||||||
|
../../../../../../nixos/flake-modules/sops-nix.nix
|
||||||
../../../../../../nixos/flake-modules/home-manager.nix
|
../../../../../../nixos/flake-modules/home-manager.nix
|
||||||
../../../../../../nixos/flake-modules/berberman.nix
|
../../../../../../nixos/flake-modules/berberman.nix
|
||||||
];
|
];
|
||||||
|
@ -12,6 +13,9 @@
|
||||||
### Options
|
### Options
|
||||||
myFlake.nixos.boot.noLoaderMenu = lib.mkDefault true;
|
myFlake.nixos.boot.noLoaderMenu = lib.mkDefault true;
|
||||||
|
|
||||||
|
### sops-nix
|
||||||
|
sops.secrets."wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
|
||||||
|
|
||||||
### home-manager
|
### home-manager
|
||||||
home-manager.users.guanranwang.imports = map (n: ../../../../home-manager/${n}) [
|
home-manager.users.guanranwang.imports = map (n: ../../../../home-manager/${n}) [
|
||||||
"profiles/command-line/nixos/fancy-stuff.nix"
|
"profiles/command-line/nixos/fancy-stuff.nix"
|
||||||
|
|
|
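Review bot: `sops.secrets."wireless/home"` sets only `path`, so owner and mode fall back to the sops-nix defaults, and the entry under `/var/lib/iwd` is a link to the decrypted secret rather than a regular file. iwd treats that directory as its own state and may try to update network files in place, which would not work against a read-only link; this is worth confirming on a running host. A short comment recording the expected owner and mode and that the file is managed by sops-nix, not iwd, would make the intent clear, e.g. `# managed by sops-nix (root-only, read-only link); do not edit through iwd`.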
@ -3,9 +3,7 @@
|
||||||
config,
|
config,
|
||||||
inputs,
|
inputs,
|
||||||
...
|
...
|
||||||
}: let
|
}: {
|
||||||
etcDirectory = "clash-meta";
|
|
||||||
in {
|
|
||||||
imports = [
|
imports = [
|
||||||
../../../../../nixos/flake-modules/sops-nix.nix
|
../../../../../nixos/flake-modules/sops-nix.nix
|
||||||
];
|
];
|
||||||
|
@ -15,7 +13,7 @@ in {
|
||||||
owner = config.users.users."clash-meta".name;
|
owner = config.users.users."clash-meta".name;
|
||||||
group = config.users.groups."clash-meta".name;
|
group = config.users.groups."clash-meta".name;
|
||||||
restartUnits = ["clash-meta.service"];
|
restartUnits = ["clash-meta.service"];
|
||||||
path = "/etc/${etcDirectory}/config.yaml";
|
path = "/etc/clash-meta/config.yaml";
|
||||||
};
|
};
|
||||||
|
|
||||||
### System proxy settings
|
### System proxy settings
|
||||||
|
@ -37,10 +35,10 @@ in {
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
WorkingDirectory = "/etc/${etcDirectory}";
|
WorkingDirectory = "/etc/clash-meta";
|
||||||
User = [config.users.users."clash-meta".name];
|
User = [config.users.users."clash-meta".name];
|
||||||
Group = [config.users.groups."clash-meta".name];
|
Group = [config.users.groups."clash-meta".name];
|
||||||
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/${etcDirectory}";
|
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
CapabilityBoundingSet = [
|
CapabilityBoundingSet = [
|
||||||
"CAP_NET_ADMIN"
|
"CAP_NET_ADMIN"
|
||||||
|
@ -65,5 +63,5 @@ in {
|
||||||
# - https://yacd.haishan.me
|
# - https://yacd.haishan.me
|
||||||
# - clash-dashboard (buggy):
|
# - clash-dashboard (buggy):
|
||||||
# - https://clash.razord.top
|
# - https://clash.razord.top
|
||||||
environment.etc."${etcDirectory}/metacubexd".source = inputs.metacubexd;
|
environment.etc."clash-meta/metacubexd".source = inputs.metacubexd;
|
||||||
}
|
}
|
||||||
|
|
|
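Review bot: With `etcDirectory` removed, the literal `/etc/clash-meta` now appears in four places (the secret's `path`, `WorkingDirectory`, `ExecStart` and the `environment.etc` key), and nothing ties the location the secret is written to to the directory the service reads. If one of them is edited alone, the unit would start against a directory that lacks the decrypted config. The directory can be derived from the secret itself, e.g. `builtins.dirOf config.sops.secrets."<secret-name>".path` (the secret's attribute name is outside the hunk). The same applies to the hysteria and juicity modules later in this commit.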
@ -3,7 +3,6 @@
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
etcDirectory = "hysteria";
|
|
||||||
port = 43956;
|
port = 43956;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -21,7 +20,7 @@ in {
|
||||||
owner = config.users.users."hysteria".name;
|
owner = config.users.users."hysteria".name;
|
||||||
group = config.users.groups."hysteria".name;
|
group = config.users.groups."hysteria".name;
|
||||||
restartUnits = ["hysteria-server.service"];
|
restartUnits = ["hysteria-server.service"];
|
||||||
path = "/etc/${etcDirectory}/config.yaml";
|
path = "/etc/hysteria/config.yaml";
|
||||||
};
|
};
|
||||||
|
|
||||||
### User running proxy service
|
### User running proxy service
|
||||||
|
@ -40,10 +39,10 @@ in {
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
WorkingDirectory = "/etc/${etcDirectory}";
|
WorkingDirectory = "/etc/hysteria";
|
||||||
User = [config.users.users."hysteria".name];
|
User = [config.users.users."hysteria".name];
|
||||||
Group = [config.users.groups."hysteria".name];
|
Group = [config.users.groups."hysteria".name];
|
||||||
ExecStart = "${pkgs.hysteria}/bin/hysteria server --config /etc/${etcDirectory}/config.yaml";
|
ExecStart = "${pkgs.hysteria}/bin/hysteria server --config /etc/hysteria/config.yaml";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
CapabilityBoundingSet = [
|
CapabilityBoundingSet = [
|
||||||
"CAP_NET_ADMIN"
|
"CAP_NET_ADMIN"
|
||||||
|
|
|
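Review bot: `CapabilityBoundingSet` still lists `CAP_NET_ADMIN` for a unit that runs as the dedicated `hysteria` user and, as far as the hunk shows, only serves on `port = 43956`. If the server does not configure interfaces or routes, that capability is unnecessary and the set can be narrowed. The list continues outside the hunk, so check the remaining entries and any `AmbientCapabilities` before changing it. Separately, `User` and `Group` are written as one-element lists; a plain string such as `User = config.users.users."hysteria".name;` states the intent more directly. Both points also apply to the juicity module.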
@ -3,7 +3,6 @@
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
etcDirectory = "juicity";
|
|
||||||
port = "33829";
|
port = "33829";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -21,7 +20,7 @@ in {
|
||||||
owner = config.users.users."juicity".name;
|
owner = config.users.users."juicity".name;
|
||||||
group = config.users.groups."juicity".name;
|
group = config.users.groups."juicity".name;
|
||||||
restartUnits = ["juicity-server.service"];
|
restartUnits = ["juicity-server.service"];
|
||||||
path = "/etc/${etcDirectory}/config.yaml";
|
path = "/etc/juicity/config.yaml";
|
||||||
};
|
};
|
||||||
|
|
||||||
### User running proxy service
|
### User running proxy service
|
||||||
|
@ -40,10 +39,10 @@ in {
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
WorkingDirectory = "/etc/${etcDirectory}";
|
WorkingDirectory = "/etc/juicity";
|
||||||
User = [config.users.users."juicity".name];
|
User = [config.users.users."juicity".name];
|
||||||
Group = [config.users.groups."juicity".name];
|
Group = [config.users.groups."juicity".name];
|
||||||
ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/${etcDirectory}/config.json";
|
ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/juicity/config.json";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
CapabilityBoundingSet = [
|
CapabilityBoundingSet = [
|
||||||
"CAP_NET_ADMIN"
|
"CAP_NET_ADMIN"
|
||||||
|
|
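Review bot: The secret is written to `path = "/etc/juicity/config.yaml"` but `ExecStart` passes `-c /etc/juicity/config.json`, so the server is pointed at a file that nothing visible here creates. Unless `config.json` is provided elsewhere, the unit will either fail to start or run from a config that sops does not manage. Make the two agree, e.g. `path = "/etc/juicity/config.json";`, or reference `config.sops.secrets."<secret-name>".path` in `ExecStart` (the secret's attribute name is outside the hunk). The mismatch predates this commit and is carried over unchanged.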