flake.lock

@@ -159,6 +159,21 @@
         "type": "github"
       }
     },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1724489415,
+        "narHash": "sha256-ey8vhwY/6XCKoh7fyTn3aIQs7WeYSYtLbYEG87VCzX4=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "c7f5b394397398c023000cf843986ee2571a1fd7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
     "lanzaboote": {
       "inputs": {
         "crane": [
@@ -283,21 +298,6 @@
         "type": "github"
       }
     },
-    "preservation": {
-      "locked": {
-        "lastModified": 1725460242,
-        "narHash": "sha256-9n9Ygta1MCfpbF9D88tG2B4EL5nuSz4eIOAofGSlxoE=",
-        "owner": "WilliButz",
-        "repo": "preservation",
-        "rev": "02e731a820d05107bc648460f8630d0d80a5ffd4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "WilliButz",
-        "repo": "preservation",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "colmena": "colmena",
@@ -308,12 +308,12 @@
         "flake-utils": "flake-utils",
         "gitignore": "gitignore",
         "home-manager": "home-manager",
+        "impermanence": "impermanence",
         "lanzaboote": "lanzaboote",
         "neovim": "neovim",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "pre-commit-hooks-nix": "pre-commit-hooks-nix",
-        "preservation": "preservation",
         "rust-overlay": "rust-overlay",
         "sops-nix": "sops-nix",
         "systems": "systems",

flake.nix

@@ -28,6 +28,9 @@
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    impermanence = {
+      url = "github:nix-community/impermanence";
+    };
     lanzaboote = {
       url = "github:nix-community/lanzaboote";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -47,9 +50,6 @@
     nixos-hardware = {
       url = "github:NixOS/nixos-hardware";
     };
-    preservation = {
-      url = "github:WilliButz/preservation";
-    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";

hosts/dust/default.nix

@@ -6,23 +6,16 @@
   ...
 }:
 {
-  imports =
+  imports = [
-    [
     ../../nixos/profiles/sing-box
     ../../nixos/profiles/wireless
 
     ./anti-feature.nix
     ./disko.nix
     ./hardware-configuration.nix
+    ./impermanence.nix
     ./lanzaboote.nix
-      ./preservation.nix
+  ];
-    ]
-    ++ (with inputs; [
-      disko.nixosModules.disko
-      home-manager.nixosModules.home-manager
-      lanzaboote.nixosModules.lanzaboote
-      preservation.nixosModules.preservation
-    ]);
 
   networking.hostName = "dust";
   time.timeZone = "Asia/Shanghai";

hosts/dust/impermanence.nix

@@ -2,8 +2,8 @@
 {
   sops.age.sshKeyPaths = lib.mkForce [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
   fileSystems."/persist".neededForBoot = true;
-  preservation.enable = true;
+  environment.persistence."/persist" = {
-  preservation.preserveAt."/persist" = {
+    hideMounts = true;
     directories = [
       "/var/log"
       "/var/lib"
@@ -15,7 +15,6 @@
       "/etc/ssh/ssh_host_rsa_key"
       "/etc/ssh/ssh_host_rsa_key.pub"
     ];
-
     users.guanranwang = {
       directories = [
         "Desktop"
@@ -44,19 +43,4 @@
       ];
     };
   };
-
-  systemd.tmpfiles.settings.preservation =
-    let
-      mkTmpfile = {
-        user = "guanranwang";
-        group = "users";
-        mode = "0755";
-      };
-    in
-    {
-      "/home/guanranwang/.config".d = mkTmpfile;
-      "/home/guanranwang/.mozilla".d = mkTmpfile;
-      "/home/guanranwang/.local/share".d = mkTmpfile;
-      "/home/guanranwang/.local/state".d = mkTmpfile;
-    };
 }

hosts/tyo0/default.nix

@@ -9,7 +9,6 @@
   imports = [
     "${modulesPath}/virtualisation/amazon-image.nix"
     ./anti-feature.nix
-    ./ports.nix
 
     ./services/forgejo.nix
     ./services/keycloak.nix

hosts/tyo0/ports.nix

@@ -1,13 +0,0 @@
-{
-  lib.ports = {
-    keycloak = 8010;
-    miniflux = 8020;
-    redlib = 8030;
-    vaultwarden = 8040;
-    wastebin = 8050;
-
-    prometheus = 9010;
-    blackbox = 9020;
-    alertmanager = 9030;
-  };
-}

hosts/tyo0/secrets.yaml

@@ -1,5 +1,5 @@
 sing-box:
-    auth: ENC[AES256_GCM,data:gzoeMI/8A6e6HBbE2VofGJB1/sIq+b7MrkFoTp4zvRT1gLHVfP1B6XT+srJCOgUFNWL++JU1ShPYqgH61cl77WtJjzy+LJxb3oYnW3u/EzJJMpBHggstVQpaWfiGb16lhCq+Figsxk0G8BUFI/PPR/KmBZzLOw+/I/z8Dqf66dQh9BIhEOY0pJknZ4El2Ml5oGvYxdpjQ9rESfegwTz5wrha77V1mi733jrPFDuWLDkgNDf5nKRfCkpfLrdzyU7OX4qcj81qIpHsRBZ25Lib0IwDGurC7njKdbs8S0bprqZlK9sW34Dmx3s=,iv:XgXX2LaLgyyRuI04/RzgnfTAXUW3e9F0cdw6l6koVgc=,tag:9hDiGVADrBgpc0G+UFjM3g==,type:str]
+    auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str]
 miniflux:
     environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
 vaultwarden:
@@ -30,8 +30,8 @@ sops:
             UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
             n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-07T05:32:46Z"
+    lastmodified: "2024-08-29T16:26:25Z"
-    mac: ENC[AES256_GCM,data:K+J0o/hlOHociZO8Fd08/ixr21ZGCM9yK6M87ylSbRNb8rwwS+IAsumvMMa8/R79ay66T0VWlTjBY2ywlrNLiz11n1Qx2j97L1MrCy4VWy3LmJEFhbGuUBbZLIp53OK7brSC/6XN3lB6K5KsiZ4vLCyGu/6hRpxcHg5Iada5h+8=,iv:JT9Xl9JQWYpacWz+ymwoZfOSeMqtrsmxhNu6hCBxUEQ=,tag:wRPCTHyL2iupmvnMJOx30g==,type:str]
+    mac: ENC[AES256_GCM,data:jpm+TBCtdFcgfRvzg+mTgWtu20/rm6nF/OdxUGbufkC1Y0Z8+eb8nIBe1TJhodt6kT/NdPRVI0N1JLD5XOwduvqL/QoZGzGkBfEVqFvnTxQYVVXp4sWdqji26XPb1sn+gbmobR4qlZPxdmvKZWEQxO2VJpKA3Bfalwa9fy0ajHE=,iv:XDRDEP/+rs2DLLkrftSxlxDMbdz7W9nHBEs0QWIDK88=,tag:UVmyD5FOev9LPRBvMcmJyw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

hosts/tyo0/services/keycloak.nix

@@ -1,12 +1,4 @@
-{
+{ lib, pkgs, ... }:
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  port = config.lib.ports.keycloak;
-in
 {
   services.keycloak = {
     enable = true;
@@ -14,7 +6,7 @@ in
       cache = "local";
       hostname = "id.ny4.dev";
       http-host = "127.0.0.1";
-      http-port = port;
+      http-port = 8800;
       proxy = "edge";
     };
     database.passwordFile = toString (pkgs.writeText "password" "keycloak");
@@ -26,7 +18,7 @@ in
     };
     handle = lib.singleton {
       handler = "reverse_proxy";
-      upstreams = [ { dial = "localhost:${toString port}"; } ];
+      upstreams = [ { dial = "localhost:8800"; } ];
     };
   };
 }

hosts/tyo0/services/miniflux.nix

@@ -1,13 +1,10 @@
 { lib, config, ... }:
-let
-  port = config.lib.ports.miniflux;
-in
 {
   services.miniflux = {
     enable = true;
     adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
     config = {
-      LISTEN_ADDR = "127.0.0.1:${toString port}";
+      LISTEN_ADDR = "127.0.0.1:9300";
       BASE_URL = "https://rss.ny4.dev";
 
       OAUTH2_PROVIDER = "oidc";
@@ -24,7 +21,7 @@ in
     };
     handle = lib.singleton {
       handler = "reverse_proxy";
-      upstreams = [ { dial = "localhost:${toString port}"; } ];
+      upstreams = [ { dial = "localhost:9300"; } ];
     };
   };
 }

hosts/tyo0/services/prometheus.nix

@@ -4,20 +4,17 @@
   config,
   ...
 }:
-let
-  inherit (config.lib) ports;
-in
 {
   services.prometheus = {
     enable = true;
     listenAddress = "127.0.0.1";
-    port = ports.prometheus;
+    port = 9090;
     webExternalUrl = "https://prom.ny4.dev";
 
     exporters.blackbox = {
       enable = true;
       listenAddress = "127.0.0.1";
-      port = ports.blackbox;
+      port = 9093;
       configFile = (pkgs.formats.yaml { }).generate "config.yaml" {
         modules = {
           http_2xx = {
@@ -76,7 +73,7 @@ in
           }
           {
             target_label = "__address__";
-            replacement = "127.0.0.1:${toString ports.blackbox}";
+            replacement = "127.0.0.1:9093";
           }
         ];
       }
@@ -119,7 +116,7 @@ in
     alertmanagers = lib.singleton {
       static_configs = lib.singleton {
         targets = [
-          "127.0.0.1:${toString ports.alertmanager}"
+          "127.0.0.1:9092"
         ];
       };
     };
@@ -127,7 +124,7 @@ in
     alertmanager = {
       enable = true;
       listenAddress = "127.0.0.1";
-      port = ports.alertmanager;
+      port = 9092;
 
       configuration = {
         receivers = lib.singleton {
@@ -149,7 +146,7 @@ in
     };
     handle = lib.singleton {
       handler = "reverse_proxy";
-      upstreams = [ { dial = "127.0.0.1:${toString ports.prometheus}"; } ];
+      upstreams = [ { dial = "127.0.0.1:9090"; } ];
     };
   };
 }

hosts/tyo0/services/redlib.nix

@@ -1,29 +1,18 @@
-{ lib, config, ... }:
+{ lib, ... }:
-let
-  port = config.lib.ports.redlib;
-in
 {
   services.redlib = {
-    inherit port;
     enable = true;
     address = "127.0.0.1";
+    port = 9400;
   };
 
   services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
     match = lib.singleton {
       host = [ "reddit.ny4.dev" ];
     };
-    handle = [
+    handle = lib.singleton {
-      {
-        # Google's indexing caused a DoS with 800k requests...
-        # https://developers.google.com/search/docs/crawling-indexing/block-indexing
-        handler = "headers";
-        response.set."X-Robots-Tag" = [ "noindex" ];
-      }
-      {
       handler = "reverse_proxy";
-        upstreams = [ { dial = "localhost:${toString port}"; } ];
+      upstreams = [ { dial = "localhost:9400"; } ];
-      }
+    };
-    ];
   };
 }

hosts/tyo0/services/sing-box.nix

@@ -18,7 +18,7 @@
           listen = "0.0.0.0";
           listen_port = 27253;
           users = {
-            _secret = config.sops.secrets."sing-box/auth".path;
+            _secret = "/run/credentials/sing-box.service/auth";
             quote = false;
           };
           tls = {
@@ -47,6 +47,7 @@
       path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
     in
     [
+      "auth:${config.sops.secrets."sing-box/auth".path}"
       "cert:${path}/tyo0.ny4.dev.crt"
       "key:${path}/tyo0.ny4.dev.key"
     ];

hosts/tyo0/services/vaultwarden.nix

@@ -1,7 +1,4 @@
 { lib, config, ... }:
-let
-  port = config.lib.ports.vaultwarden;
-in
 {
   services.vaultwarden = {
     enable = true;
@@ -10,7 +7,7 @@ in
       DOMAIN = "https://vault.ny4.dev";
       IP_HEADER = "X-Forwarded-For";
       ROCKET_ADDRESS = "127.0.0.1";
-      ROCKET_PORT = port;
+      ROCKET_PORT = 9500;
 
       EMERGENCY_ACCESS_ALLOWED = false;
       SENDS_ALLOWED = false;
@@ -25,7 +22,7 @@ in
     };
     handle = lib.singleton {
       handler = "reverse_proxy";
-      upstreams = [ { dial = "localhost:${toString port}"; } ];
+      upstreams = [ { dial = "localhost:9500"; } ];
     };
   };
 }

hosts/tyo0/services/wastebin.nix

@@ -1,11 +1,8 @@
-{ lib, config, ... }:
+{ lib, ... }:
-let
-  port = config.lib.ports.wastebin;
-in
 {
   services.wastebin = {
     enable = true;
-    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:${toString port}";
+    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
   };
 
   services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
@@ -14,7 +11,7 @@ in
     };
     handle = lib.singleton {
       handler = "reverse_proxy";
-      upstreams = [ { dial = "localhost:${toString port}"; } ];
+      upstreams = [ { dial = "localhost:8200"; } ];
     };
   };
 }

nixos/profiles/core/default.nix

@@ -12,6 +12,10 @@
       ./zram.nix
     ]
     ++ (with inputs; [
+      disko.nixosModules.disko
+      home-manager.nixosModules.home-manager
+      impermanence.nixosModules.impermanence
+      lanzaboote.nixosModules.lanzaboote
       self.nixosModules.default
       sops-nix.nixosModules.sops
     ]);

nixos/profiles/sing-box/default.nix

@@ -27,7 +27,7 @@
           tag = "tyo0";
           server = "tyo0.ny4.dev";
           server_port = 27253;
-          uuid._secret = config.sops.secrets."sing-box/tyo0".path;
+          uuid = "29e54ee5-43f5-4891-b750-ca73c7e3b2b3";
           flow = "xtls-rprx-vision";
           tls.enabled = true;
         }

nixos/profiles/sing-box/secrets.yaml

@@ -1,5 +1,5 @@
 sing-box:
-    tyo0: ENC[AES256_GCM,data:GDMc7U+e60UzGkkl2uvRfhyAdGKE4WCrcQSvwENXjV0yKhVa,iv:uobBavFcQZ/8JmJrZHtL11Tjhs2Aaq/ZBBhrW+o97JQ=,tag:/qME2YQCw6Lrt47gu7UAgg==,type:str]
+    tyo0: ENC[AES256_GCM,data:IIUqglE+FqlD1LlRkpCuRqaOysEe4BxUIlGBEhUwgw/dDGBK,iv:ojryKlJgA9R7dTlcqKZ9BmGSHdZQ4BDMYRYLlJwbCXc=,tag:MDhlfxgQQ84UUdZ+ZWvaWQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -33,8 +33,8 @@ sops:
             NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6
             JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-07T05:32:11Z"
+    lastmodified: "2024-08-27T20:29:35Z"
-    mac: ENC[AES256_GCM,data:wWWjkP5ADCStznOy+REs4ZqjTXVW6BW3Xl2o+OU8PtgBrZWHLJ2eVumVlf3aHZWXlCFOZQ7C8e/bmdSdHJh3vTeZ8tgT54+4d5aXgMc+stj2Cz3EHjAON0nnvO5EeFUsFvdSbQfTz871Wyl9BUlJsDnf+4m3Rl/kUanidOioqxM=,iv:L5vHKzWJ+MVNLsUiJsNh1d6X+It3MkIETi6gqyieYQE=,tag:wJqm4cr2G4j26BDlXnHOUg==,type:str]
+    mac: ENC[AES256_GCM,data:RA8pX6oMrKz4f7aX0UwTAa3P/QYt1IX8FO9yl/ViaUoPYQ5WD3o5Zh7FX40QDUdLZkfFJqO+P+gr5ZqRJ+lZRSNRXmO0vx9C7KMPEMweNz+0hmE15OKXcfEjTbEu+GW9vgoj6TyQ8OahJZ4pF7DNtg0+/B7LzmhgrRaKq7zLdng=,iv:x1zD7US6VmLfeY1tH3/+fHL4ECM4UyYCzv5qxD1ikEw=,tag:kA+AFntpC+sKpCa9/Q1Bjw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0