nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: nyancat:ab1da3531ad5495da51df1f31a5d970c0c28a5cf
Branches Tags
nyancat:master
..
compare: nyancat:0890d1518e6f657e05960d895d2e9872f40cdf52
Branches Tags
nyancat:master

No commits in common. "ab1da3531ad5495da51df1f31a5d970c0c28a5cf" and "0890d1518e6f657e05960d895d2e9872f40cdf52" have entirely different histories.
ab1da3531a ... 0890d1518e

59 changed files with 841 additions and 502 deletions
Show stats Expand all files Collapse all files

12
.sops.yaml
View file

@ -18,18 +18,6 @@ creation_rules:
- age: - age:
- *guanranwang - *guanranwang
- *lightsail-tokyo - *lightsail-tokyo
- path_regex: nixos/profiles/opt-in/mihomo/secrets.yaml$
key_groups:
- age:
- *guanranwang
- *aristotle
- *blacksteel
- path_regex: nixos/profiles/opt-in/wireless/secrets.yaml$
key_groups:
- age:
- *guanranwang
- *aristotle
- *blacksteel
- path_regex: secrets.yaml$ - path_regex: secrets.yaml$
key_groups: key_groups:
- age: - age:

13
darwin/profiles/common/core/nix/nix.nix
View file

@ -1,5 +1,4 @@
{ {
lib,
pkgs, pkgs,
config, config,
... ...
@ -7,15 +6,23 @@
nix.settings = { nix.settings = {
trusted-users = ["@admin"]; trusted-users = ["@admin"];
substituters = substituters =
(lib.optionals (config.time.timeZone == "Asia/Shanghai") [ {
"Asia/Shanghai" = [
"https://mirror.sjtu.edu.cn/nix-channels/store" # SJTU - 上海交通大学 Mirror
"https://mirrors.ustc.edu.cn/nix-channels/store" # USTC - 中国科学技术大学 Mirror
"https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" # TUNA - 清华大学 Mirror "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" # TUNA - 清华大学 Mirror
]) ];
}
.${config.time.timeZone}
or []
++ [ ++ [
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://cache.garnix.io"
"https://guanran928.cachix.org" "https://guanran928.cachix.org"
]; ];
trusted-public-keys = [ trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
"guanran928.cachix.org-1:BE/iBCj2/pqJXG908wHRrcaV0B2fC+KbFjHsXY6b91c=" "guanran928.cachix.org-1:BE/iBCj2/pqJXG908wHRrcaV0B2fC+KbFjHsXY6b91c="
]; ];
use-xdg-base-directories = true; use-xdg-base-directories = true;

11
darwin/profiles/desktop/packages/_homebrew.nix Normal file
View file

@ -0,0 +1,11 @@
{
homebrew = {
enable = true;
casks = [
"altserver"
"squirrel"
"librewolf"
"google-chrome"
];
};
}

1
darwin/profiles/desktop/packages/default.nix
View file

@ -1,6 +1,7 @@
{...}: { {...}: {
imports = [ imports = [
./fonts.nix ./fonts.nix
# ./homebrew.nix
./window-manager.nix ./window-manager.nix
]; ];
} }

74
flake.lock
View file

@ -50,11 +50,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720402389, "lastModified": 1720056646,
"narHash": "sha256-zJv6euDOrJWMHBhxfp/ay+Dvjwpe8YtMuEI5b09bxmo=", "narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "f1a00e7f55dc266ef286cc6fc8458fa2b5ca2414", "rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -145,11 +145,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720470846, "lastModified": 1720327769,
"narHash": "sha256-7ftA4Bv5KfH4QdTRxqe8/Hz2YTKo+7IQ9n7vbNWgv28=", "narHash": "sha256-kAsg3Lg4YKKpGw+f1W2s5hzjP8B0y/juowvjK8utIag=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2fb5c1e0a17bc6059fa09dc411a43d75f35bb192", "rev": "6b7ce96f34b324e4e104abc30d06955d216bac71",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -227,11 +227,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720421091, "lastModified": 1718491861,
"narHash": "sha256-BWvb+z+5LgfjIUIDrNr1Yv5R6ouDLKduZUoJKIQ83as=", "narHash": "sha256-nnKZRkwXoCtGN8Rgv6FcHttX1JOPWQt2y7yY4Bz/hWk=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "012748be4f7011416261ec2d60adde19bf17d010", "rev": "49f55400d06fa113e4b4ae5a6fa97a6d83c59983",
"revCount": 67, "revCount": 64,
"type": "git", "type": "git",
"url": "https://git.ny4.dev/nyancat/nvim" "url": "https://git.ny4.dev/nyancat/nvim"
}, },
@ -247,11 +247,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720469887, "lastModified": 1720337362,
"narHash": "sha256-BwPsGQ/EMqCreUc5j9Efj+wx13AjREtuHhbyHZygcE4=", "narHash": "sha256-9TNQtlwu97NPaJYsKkdObOsy0MLN4NAOBz0pqwH3KnA=",
"owner": "LnL7", "owner": "LnL7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "fabc653517106127e2ed435fb52e7e8854354428", "rev": "0f89b73f41eaa1dde67b291452c181d9a75f10dd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -324,11 +324,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1720515935, "lastModified": 1719895800,
"narHash": "sha256-8b+fzR4W2hI5axwB+4nBwoA15awPKkck4ghhCt8v39M=", "narHash": "sha256-xNbjISJTFailxass4LmdWeV4jNhAlmJPwj46a/GxE6M=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "a111ce6b537df12a39874aa9672caa87f8677eda", "rev": "6e253f12b1009053eff5344be5e835f604bb64cd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -354,11 +354,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1720498663, "lastModified": 1720181791,
"narHash": "sha256-juqJkkdAt44mOfA43q1qUHn7iWoK++81lR8Mh7N/EF8=", "narHash": "sha256-i4vJL12/AdyuQuviMMd1Hk2tsGt02hDNhA0Zj1m16N8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "106e145e1d4583d1e2bb20e54947d15ad55e75e1", "rev": "4284c2b73c8bce4b46a6adf23e16d9e2ec8da4bb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -425,11 +425,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1720521897, "lastModified": 1720352738,
"narHash": "sha256-k/lSErCNGvHj/vI+TXHLuQI9pmEnQBVcKbV3yB3I8NQ=", "narHash": "sha256-S/FwaFfzUaGv81QxJJFWbrWhAAlR+L3S5i2MIujqmcE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "4cb066aae41593df9901910e45f9dfd1af5aa743", "rev": "18a4856920ac463d8ed386d9830a7742e2cf2c2c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -454,11 +454,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720524665, "lastModified": 1719259945,
"narHash": "sha256-ni/87oHPZm6Gv0ECYxr1f6uxB0UKBWJ6HvS7lwLU6oY=", "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "8d6a17d0cdf411c55f12602624df6368ad86fac1", "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -506,11 +506,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720491570, "lastModified": 1720318855,
"narHash": "sha256-PHS2BcQ9kxBpu9GKlDg3uAlrX/ahQOoAiVmwGl6BjD4=", "narHash": "sha256-w3CCVK9LJ5aznXGkO1IyAlbvMNJfyA+dBF7Z1Zwx1LA=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "b970af40fdc4bd80fd764796c5f97c15e2b564eb", "rev": "3eed08a074cd2000884a69d448d70da2843f7103",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -545,11 +545,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720479166, "lastModified": 1720321395,
"narHash": "sha256-jqvhLDXzTLTHq9ZviFOpcTmXXmnbLfz7mWhgMNipMN4=", "narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "67035a355b1d52d2d238501f8cc1a18706979760", "rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -565,11 +565,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720400448, "lastModified": 1720190661,
"narHash": "sha256-v7JVJ8H1PyH7/8EU72mz7wzxJ1OLE/h3NCqQyZ6ONjs=", "narHash": "sha256-51aPk6VqCSEuQeGvi/j5pdRyx8UxvqBeph+sXsj94EU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "srvos", "repo": "srvos",
"rev": "21a3259985e3cddc455f64ad66d4a825b39934ad", "rev": "27dbc690931cc30f2c4bb2ff39e46490c3b6421d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -600,11 +600,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720507012, "lastModified": 1719887753,
"narHash": "sha256-QIeZ43t9IVB4dLsFaWh2f4C7JSRfK7p+Y1U9dULsLXU=", "narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "8b63fe8cf7892c59b3df27cbcab4d5644035d72f", "rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
"type": "github" "type": "github"
}, },
"original": { "original": {

13
flake.nix
View file

@ -159,8 +159,7 @@
// (let // (let
mkNixOS = system: modules: mkNixOS = system: modules:
inputs.nixpkgs.lib.nixosSystem { inputs.nixpkgs.lib.nixosSystem {
inherit system; inherit system modules;
modules = [./nixos/profiles/core] ++ modules;
specialArgs = {inherit inputs;}; specialArgs = {inherit inputs;};
}; };
@ -209,18 +208,12 @@
}; };
"lightsail-tokyo" = { "lightsail-tokyo" = {
imports = [ imports = [./hosts/lightsail-tokyo];
./nixos/profiles/core
./hosts/lightsail-tokyo
];
deployment.targetHost = "tyo0.ny4.dev"; deployment.targetHost = "tyo0.ny4.dev";
}; };
"blacksteel" = { "blacksteel" = {
imports = [ imports = [./hosts/blacksteel];
./nixos/profiles/core
./hosts/blacksteel
];
deployment.targetHost = "blacksteel"; # thru tailscale deployment.targetHost = "blacksteel"; # thru tailscale
}; };
}; };

1
home/applications/sway/default.nix
View file

@ -2,6 +2,7 @@
config, config,
pkgs, pkgs,
lib, lib,
inputs,
... ...
}: let }: let
# https://www.pixiv.net/en/artworks/49983419 # https://www.pixiv.net/en/artworks/49983419

6
hosts/aristotle/anti-feature.nix
View file

@ -8,7 +8,6 @@
"adoptopenjdk-hotspot-bin" "adoptopenjdk-hotspot-bin"
"cargo-bootstrap" "cargo-bootstrap"
"cef-binary" "cef-binary"
"dart"
"osu-lazer-bin" "osu-lazer-bin"
"rustc-bootstrap" "rustc-bootstrap"
"rustc-bootstrap-wrapper" "rustc-bootstrap-wrapper"
@ -19,15 +18,14 @@
allowUnfree = false; allowUnfree = false;
allowUnfreePredicate = pkg: allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [ builtins.elem (lib.getName pkg) [
"fcitx5-pinyin-minecraft"
"fcitx5-pinyin-moegirl"
"libXNVCtrl" "libXNVCtrl"
"nvidia-x11" "nvidia-x11"
"osu-lazer-bin" "osu-lazer-bin"
"steam" "steam"
"steam-original" "steam-original"
"steam-run"
"xow_dongle-firmware" "xow_dongle-firmware"
"fcitx5-pinyin-minecraft"
"fcitx5-pinyin-moegirl"
]; ];
}; };
} }

91
hosts/aristotle/default.nix
View file

@ -1,18 +1,26 @@
{pkgs, ...}: { {
pkgs,
inputs,
...
}: {
imports = [ imports = [
../../nixos/profiles/opt-in/mihomo # OS
../../nixos/profiles/opt-in/wireless ../../nixos/profiles/laptop
../../nixos/profiles/common/opt-in/mihomo
../../nixos/profiles/common/opt-in/gaming
./anti-feature.nix # Hardware
./disko.nix
./graphical
./hardware-configuration.nix ./hardware-configuration.nix
./impermanence.nix ./anti-feature.nix
./lanzaboote.nix ../../nixos/profiles/common/opt-in/lanzaboote.nix
../../nixos/profiles/common/opt-in/impermanence.nix
../../nixos/profiles/common/opt-in/disko.nix
]; ];
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "aristotle"; networking.hostName = "aristotle";
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";
_module.args.disks = ["/dev/nvme0n1"]; # Disko
system.stateVersion = "23.11"; system.stateVersion = "23.11";
services.tailscale = { services.tailscale = {
@ -20,34 +28,45 @@
openFirewall = true; openFirewall = true;
}; };
programs.adb.enable = true; # Stuff that I only want on my main machine
programs.anime-game-launcher.enable = true; home-manager.users.guanranwang = {
programs.steam.enable = true; imports = map (n: ../../home/applications/${n}) [
services.power-profiles-daemon.enable = true; "thunderbird"
"ydict"
# https://wiki.archlinux.org/title/Gamepad#Connect_Xbox_Wireless_Controller_with_Bluetooth
hardware.xone.enable = true; # via wired or wireless dongle
hardware.xpadneo.enable = true; # via Bluetooth
### https://wiki.archlinux.org/title/Gaming#Improving_performance
systemd.tmpfiles.rules = [
"w /proc/sys/vm/min_free_kbytes - - - - 1048576"
"w /proc/sys/vm/swappiness - - - - 10"
"w /sys/kernel/mm/lru_gen/enabled - - - - 5"
"w /proc/sys/vm/zone_reclaim_mode - - - - 0"
"w /proc/sys/vm/page_lock_unfairness - - - - 1"
"w /proc/sys/kernel/sched_child_runs_first - - - - 0"
"w /proc/sys/kernel/sched_autogroup_enabled - - - - 1"
"w /proc/sys/kernel/sched_cfs_bandwidth_slice_us - - - - 500"
"w /sys/kernel/debug/sched/latency_ns - - - - 1000000"
"w /sys/kernel/debug/sched/migration_cost_ns - - - - 500000"
"w /sys/kernel/debug/sched/min_granularity_ns - - - - 500000"
"w /sys/kernel/debug/sched/wakeup_granularity_ns - - - - 0"
"w /sys/kernel/debug/sched/nr_migrate - - - - 8"
]; ];
# yubikey home.packages =
environment.systemPackages = [pkgs.yubikey-manager]; (with pkgs; [
services.pcscd.enable = true; amberol
services.udev.packages = [pkgs.yubikey-personalization]; fractal
gnome-calculator
hyperfine
mousai
])
++ (with inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.scripts; [
lofi
]);
programs.obs-studio.enable = true;
};
# for udev rules
programs.adb.enable = true;
# fucking hell
programs.anime-game-launcher.enable = true;
# nouveou
services.xserver.videoDrivers = [];
# novideo
# hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.beta;
# environment.sessionVariables."MOZ_ENABLE_WAYLAND" = "0";
# networking.networkmanager.enable = false;
# services.xserver.desktopManager.gnome.enable = true;
# services.xserver.displayManager.gdm.enable = true;
# # https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1562
# services.udev.extraRules = ''
# ENV{DEVNAME}=="/dev/dri/card1", TAG+="mutter-device-preferred-primary"
# '';
} }

65
hosts/aristotle/graphical/home/default.nix
View file

@ -1,65 +0,0 @@
{
pkgs,
inputs,
...
}: {
imports =
[
./fonts
./theme.nix
./xdg-mime.nix
]
++ map (n: ../../../../home/applications/${n}) [
"fcitx5"
"firefox"
"foot"
"go"
"mpv"
"nautilus"
"nix"
"sway"
"thunderbird"
"ydict"
];
# https://wiki.archlinux.org/title/Fish#Start_X_at_login
programs.fish.loginShellInit = ''
if test -z "$DISPLAY" -a "$XDG_VTNR" = 1
exec sway
end
'';
home.packages =
(
with pkgs; [
amberol
dconf-editor
file-roller
fractal
gnome-calculator
hyperfine
loupe
mousai
seahorse
(prismlauncher.override {
glfw = glfw-wayland-minecraft;
gamemodeSupport = false;
})
mumble
osu-lazer-bin
]
)
++ (with inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.scripts; [
lofi
]);
home.sessionVariables = {
# https://github.com/ppy/osu-framework/pull/6292
"OSU_SDL3" = "1";
};
programs.mangohud.enable = true;
programs.obs-studio.enable = true;
services.ssh-agent.enable = true;
}

36
hosts/aristotle/graphical/home/fonts/fonts.conf
View file

@ -1,36 +0,0 @@
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<its:rules version="1.0" xmlns:its="http://www.w3.org/2005/11/its">
<its:translateRule selector="/fontconfig/*[not(self::description)]" translate="no"/>
</its:rules>
<description>trash Font Config 4.0</description>
<!-- Default fonts -->
<alias binding="strong">
<family>serif</family>
<prefer>
<family>Source Han Serif SC VF</family>
<family>Noto Color Emoji</family>
</prefer>
</alias>
<alias binding="strong">
<family>sans-serif</family>
<prefer>
<family>Inter Variable</family>
<family>Source Han Sans SC VF</family>
<family>Noto Color Emoji</family>
</prefer>
</alias>
<alias binding="strong">
<family>monospace</family>
<prefer>
<family>JetBrains Mono</family>
<family>Source Han Sans SC VF</family>
<family>Noto Color Emoji</family>
</prefer>
</alias>
</fontconfig>

37
hosts/aristotle/hardware-configuration.nix
View file

@ -5,41 +5,14 @@
inputs.nixos-sensible.nixosModules.zram inputs.nixos-sensible.nixosModules.zram
]; ];
hardware.nvidia.nvidiaSettings = false;
services.hdapsd.enable = false; services.hdapsd.enable = false;
services.thermald.enable = true; my.hardware = {
audio.enable = true;
security.rtkit.enable = true; bluetooth.enable = true;
hardware.pulseaudio.enable = false; tpm.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
}; };
hardware.bluetooth = {
enable = true;
settings.General.FastConnectable = true;
};
# nouveou
services.xserver.videoDrivers = [];
# novideo
# hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.beta;
# hardware.nvidia.nvidiaSettings = false;
# environment.sessionVariables."MOZ_ENABLE_WAYLAND" = "0";
# networking.networkmanager.enable = false;
# services.xserver.desktopManager.gnome.enable = true;
# services.xserver.displayManager.gdm.enable = true;
# # https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1562
# services.udev.extraRules = ''
# ENV{DEVNAME}=="/dev/dri/card1", TAG+="mutter-device-preferred-primary"
# '';
boot.loader.timeout = 0;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid"]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid"];
boot.kernelModules = ["kvm-intel"]; boot.kernelModules = ["kvm-intel"];
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";

3
hosts/blacksteel/anti-feature.nix
View file

@ -8,11 +8,13 @@
builtins.elem (lib.getName pkg) [ builtins.elem (lib.getName pkg) [
"adoptopenjdk-hotspot-bin" "adoptopenjdk-hotspot-bin"
"cargo-bootstrap" "cargo-bootstrap"
"cef-binary"
"minecraft-server" "minecraft-server"
"rustc-bootstrap" "rustc-bootstrap"
"rustc-bootstrap-wrapper" "rustc-bootstrap-wrapper"
"sof-firmware" "sof-firmware"
"temurin-bin" "temurin-bin"
"vscodium"
]; ];
allowUnfree = false; allowUnfree = false;
@ -20,6 +22,7 @@
builtins.elem (lib.getName pkg) [ builtins.elem (lib.getName pkg) [
"broadcom-sta" "broadcom-sta"
"minecraft-server" "minecraft-server"
"nvidia-x11"
]; ];
}; };
} }

7
hosts/blacksteel/default.nix
View file

@ -6,8 +6,11 @@
}: { }: {
imports = [ imports = [
# OS # OS
../../nixos/profiles/opt-in/mihomo # FIXME:
../../nixos/profiles/opt-in/wireless ../../nixos/profiles/common/core
../../nixos/profiles/common/physical
../../nixos/profiles/common/mobile
../../nixos/profiles/common/opt-in/mihomo
# Hardware # Hardware
./hardware-configuration.nix ./hardware-configuration.nix

6
hosts/blacksteel/hardware-configuration.nix
View file

@ -14,7 +14,11 @@
inputs.nixos-sensible.nixosModules.zram inputs.nixos-sensible.nixosModules.zram
]; ];
services.thermald.enable = true; my.hardware = {
audio.enable = true;
bluetooth.enable = true;
tpm.enable = true;
};
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
boot.kernelModules = ["kvm-intel" "wl"]; boot.kernelModules = ["kvm-intel" "wl"];

45
hosts/lightsail-tokyo/default.nix
View file

@ -40,6 +40,21 @@
restartUnits = ["searx.service"]; restartUnits = ["searx.service"];
}; };
}; };
templates = {
"hysteria.yaml".content = ''
tls:
cert: /run/credentials/hysteria.service/cert
key: /run/credentials/hysteria.service/key
masquerade:
type: proxy
proxy:
url: https://ny4.dev/
${config.sops.placeholder."hysteria/auth"}
'';
};
}; };
### Services ### Services
@ -61,12 +76,12 @@
"element" = pkgs.element-web.override { "element" = pkgs.element-web.override {
element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: { element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
version = "1.11.70"; version = "1.11.70-rc.0";
src = oldAttrs.src.overrideAttrs { src = oldAttrs.src.overrideAttrs {
outputHash = "sha256-kx6xQIuYSXkkBTYb+fZLL3cuHFcNj7RkC60o6Fyp8LI="; outputHash = "sha256-LnPqwXczECH7XnVvGnoUQpZct2jmGEFVpJ1nTewAHC8=";
}; };
offlineCache = oldAttrs.offlineCache.overrideAttrs { offlineCache = oldAttrs.offlineCache.overrideAttrs {
outputHash = "sha256-q/KbpU/haBhXZbGBITLYSywCluwN6ZZarVLmzB9tDN8="; outputHash = "sha256-yAAZXnxrBGuTWUJcL6Su0F5H2D5MNg9PUU7Uj8XT8N8=";
}; };
}); });
@ -82,31 +97,13 @@
services.hysteria = { services.hysteria = {
enable = true; enable = true;
settings = { configFile = config.sops.templates."hysteria.yaml".path;
auth = { credentials = [
type = "userpass";
userpass = {
_secret = "/run/credentials/hysteria.service/auth";
quote = false;
};
};
masquerade = {
type = "proxy";
proxy.url = "https://ny4.dev/";
};
tls = {
cert = "/run/credentials/hysteria.service/cert";
key = "/run/credentials/hysteria.service/key";
};
};
};
systemd.services."hysteria".serviceConfig.LoadCredential = [
# FIXME: remove hardcoded path # FIXME: remove hardcoded path
"auth:${config.sops.secrets."hysteria/auth".path}"
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt" "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key" "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
]; ];
};
# `journalctl -u murmur.service | grep Password` # `journalctl -u murmur.service | grep Password`
services.murmur = { services.murmur = {

8
hosts/lightsail-tokyo/secrets.yaml
View file

@ -1,5 +1,5 @@
hysteria: hysteria:
auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str] auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
searx: searx:
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str] environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
pixivfe: pixivfe:
@ -28,8 +28,8 @@ sops:
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3 R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA== 3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-09T11:50:11Z" lastmodified: "2024-06-21T07:19:35Z"
mac: ENC[AES256_GCM,data:kzxia2Bygi0YR24/dJfKZR3jF99IhIGGIZFJnIo5kp7/PZfQE2EbgD5yTFrSX9+Ur5u8a169UVEtveJ+uR59bX3DsjZDPRSWRMmWJodLcZifx+oSSGmhYufC61D3pVa+Jv2mwKf8UTKdb2oQtk/8bNrMuonedX8hPz+wZJQyMD0=,iv:VxBeb5QTaF5snKNtc51XFtwAdydnOyX8CGhxBjyBTQ0=,tag:vQEJJubHv3dRazmr1bAcnQ==,type:str] mac: ENC[AES256_GCM,data:1zG5at1zfjbnnHcZ1Vy7aJxMjaZpE9aL3QlAaxyQ7GYle05z/4PqIdampd7p1WrMWNWqkxkUFazTCpQF9faR0qbnZ2zyOWk45ZtBGZSEhvHRFke6JjwPv4fi35ozHL4JiuP76kGivegvR2OgQ7NH6HJBoZgEqduu+YISJlrvJVs=,iv:p/v8BnUmOCYsaXtUeaVq5MKLk69as3XkQsG688tYkiE=,tag:if6U/qbzrNdYaqLcQbGe6Q==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.8.1

7
nixos/modules/default.nix
View file

@ -1,5 +1,12 @@
{...}: { {...}: {
imports = [ imports = [
# utils that is used internally
./my/boot.nix
./my/hardware/audio.nix
./my/hardware/bluetooth.nix
./my/hardware/tpm.nix
# nixpkgs styled options
./services/hysteria.nix ./services/hysteria.nix
./services/pixivfe.nix ./services/pixivfe.nix
./services/rathole.nix ./services/rathole.nix

29
nixos/modules/my/boot.nix Normal file
View file

@ -0,0 +1,29 @@
{
config,
lib,
...
}: let
cfg = config.my.boot;
in {
options = {
my.boot = {
silentBoot = lib.mkEnableOption "silent boot";
noLoaderMenu = lib.mkEnableOption "" // {description = "Whether to disable bootloader menu.";};
};
};
config = {
### cfg.noLoaderMenu
boot.loader.timeout = lib.mkIf cfg.noLoaderMenu 0;
### cfg.silentBoot
boot.consoleLogLevel = lib.mkIf cfg.silentBoot 0;
boot.kernelParams =
lib.mkIf cfg.silentBoot
(["quiet"]
++ lib.optionals config.boot.initrd.systemd.enable [
"systemd.show_status=auto"
"rd.udev.log_level=3"
]);
};
}

24
nixos/modules/my/hardware/audio.nix Normal file
View file

@ -0,0 +1,24 @@
{
lib,
config,
...
}: let
cfg = config.my.hardware.audio;
in {
options = {
my.hardware.audio.enable = lib.mkEnableOption "audio";
};
# https://nixos.wiki/wiki/PipeWire
config = lib.mkIf cfg.enable {
security.rtkit.enable = true;
hardware.pulseaudio.enable = false;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
};
}

21
nixos/modules/my/hardware/bluetooth.nix Normal file
View file

@ -0,0 +1,21 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.my.hardware.bluetooth;
in {
options = {
my.hardware.bluetooth.enable = lib.mkEnableOption "bluetooth";
};
# https://nixos.wiki/wiki/Bluetooth
config = lib.mkIf cfg.enable {
environment.systemPackages = lib.mkIf config.services.xserver.enable (with pkgs; [blueberry]);
hardware.bluetooth = {
enable = true;
settings.General.FastConnectable = true;
};
};
}

20
nixos/modules/my/hardware/tpm.nix Normal file
View file

@ -0,0 +1,20 @@
{
lib,
config,
...
}: let
cfg = config.my.hardware.tpm;
in {
options = {
my.hardware.tpm.enable = lib.mkEnableOption "TPM";
};
# https://nixos.wiki/wiki/TPM
config = lib.mkIf cfg.enable {
security.tpm2 = {
enable = true;
pkcs11.enable = true;
tctiEnvironment.enable = true;
};
};
}

43
nixos/modules/services/hysteria.nix
View file

@ -1,12 +1,10 @@
{ {
pkgs,
config, config,
lib, lib,
pkgs,
utils,
... ...
}: let }: let
cfg = config.services.hysteria; cfg = config.services.hysteria;
settingsFormat = pkgs.formats.json {};
in { in {
options.services.hysteria = { options.services.hysteria = {
enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy"; enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
@ -19,39 +17,54 @@ in {
description = "Whether to use Hysteria as a client or a server."; description = "Whether to use Hysteria as a client or a server.";
}; };
settings = lib.mkOption { configFile = lib.mkOption {
type = lib.types.submodule { default = null;
freeformType = settingsFormat.type; type = lib.types.nullOr lib.types.path;
description = "Configuration file to use.";
}; };
default = {};
credentials = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
example = lib.literalExpression ''
[
"cert:/tmp/certificate.crt"
"key:/tmp/private-key.key"
];
'';
description = '' description = ''
The Hysteria configuration, see https://hysteria.network/ for documentation. Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
Options containing secret data should be set to an attribute set See `systemd.exec(5)` for more information.
containing the attribute `_secret` - a string pointing to a file
containing the value the option should be set to.
Ignored when `services.hysteria.configFile` is set.
''; '';
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.configFile != null;
message = "A configuration file is required for Hysteria";
}
];
systemd.services."hysteria" = { systemd.services."hysteria" = {
description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy."; description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
documentation = ["https://hysteria.network/"]; documentation = ["https://hysteria.network/"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
after = ["network-online.target"]; after = ["network-online.target"];
wants = ["network-online.target"]; wants = ["network-online.target"];
preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json"; restartTriggers = [cfg.configFile];
serviceConfig = { serviceConfig = {
ExecStart = lib.concatStringsSep " " [ ExecStart = lib.concatStringsSep " " [
(lib.getExe cfg.package) (lib.getExe cfg.package)
cfg.mode cfg.mode
"--config /var/lib/private/hysteria/config.json" "--disable-update-check"
"--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
]; ];
DynamicUser = true; DynamicUser = true;
StateDirectory = "hysteria"; StateDirectory = "hysteria";
LoadCredential = ["config.yaml:${cfg.configFile}"] ++ cfg.credentials;
### Hardening ### Hardening
AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"]; AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];

43
nixos/profiles/core/default.nix → nixos/profiles/common/core/default.nix
View file

@ -7,10 +7,10 @@
}: { }: {
imports = imports =
[ [
./hardening.nix ./hardening
./networking.nix ./networking
./nix.nix ./nix
"${inputs.srvos}/nixos/common/well-known-hosts.nix" ./fun.nix
] ]
++ (with inputs; [ ++ (with inputs; [
aagl.nixosModules.default aagl.nixosModules.default
@ -28,14 +28,16 @@
inputs.self.overlays.patches inputs.self.overlays.patches
]; ];
### home-manager
home-manager.users.guanranwang = import ../../../../home;
home-manager = { home-manager = {
users.guanranwang = import ../../../home;
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
extraSpecialArgs = {inherit inputs;}; # ??? isnt specialArgs imported by default ??? extraSpecialArgs = {inherit inputs;}; # ??? isnt specialArgs imported by default ???
}; };
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
### Default Programs ### Default Programs
# In addition of https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/system-path.nix # In addition of https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/system-path.nix
@ -84,27 +86,22 @@
programs.dconf.enable = true; programs.dconf.enable = true;
programs.fish.enable = true; programs.fish.enable = true;
programs.command-not-found.enable = false; users.groups."nix-access-tokens" = {};
environment.stub-ld.enable = false; nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
documentation = {
doc.enable = false;
info.enable = false;
nixos.enable = false;
};
# https://github.com/NixOS/nixpkgs/pull/308801
# nixos/switch-to-configuration: add new implementation
system.switch = {
enable = false;
enableNg = true;
};
### sops-nix ### sops-nix
sops = { sops = {
defaultSopsFile = ../../../secrets.yaml; defaultSopsFile = ../../../../secrets.yaml;
age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
gnupg.sshKeyPaths = []; gnupg.sshKeyPaths = [];
secrets."hashed-passwd".neededForUsers = true; secrets = {
"hashed-passwd" = {
neededForUsers = true;
};
"nix-access-tokens" = {
group = config.users.groups."nix-access-tokens".name;
mode = "0440";
};
};
}; };
} }

24
nixos/profiles/common/core/fun.nix Normal file
View file

@ -0,0 +1,24 @@
{
lib,
config,
...
}: {
options = {
system.nixos.codeName = lib.mkOption {readOnly = false;};
};
config = {
# https://github.com/NixOS/nixpkgs/issues/315574
system.nixos.codeName = "";
services.getty.greetingLine = let
inherit (config.system) nixos;
in ''
NixOS ${nixos.label} ${nixos.codeName} (\m) - \l
${lib.strings.optionalString (builtins.elem "nvidia" config.services.xserver.videoDrivers)
"--my-next-gpu-wont-be-nvidia"}
${lib.strings.optionalString (builtins.elem "amdgpu" config.boot.initrd.kernelModules)
"[ 5.996722] amdgpu 0000:67:00.0: Fatal error during GPU init"}
'';
};
}

13
nixos/profiles/core/hardening.nix → nixos/profiles/common/core/hardening/default.nix
View file

@ -1,6 +1,15 @@
{ {...}: {
### Basic hardening
# ref: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
# ref: https://madaidans-insecurities.github.io/guides/linux-hardening.html
imports = [
./sysctl.nix
];
environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id
security.sudo.execWheelOnly = true; security.apparmor.enable = true;
security.sudo-rs.enable = true;
security.sudo-rs.execWheelOnly = true;
boot.blacklistedKernelModules = [ boot.blacklistedKernelModules = [
# Obscure network protocols # Obscure network protocols

50
nixos/profiles/common/core/hardening/sysctl.nix Normal file
View file

@ -0,0 +1,50 @@
{
boot.kernel.sysctl = {
### https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Kernel self-protection
"kernel.kptr_restrict" = "2";
"kernel.dmesg_restrict" = "1";
"kernel.printk" = "3 3 3 3"; #
"kernel.unprivileged_bpf_disabled" = "1";
"net.core.bpf_jit_harden" = "2";
"dev.tty.ldisc_autoload" = "0";
"vm.unprivileged_userfaultfd" = "0";
"kernel.kexec_load_disabled" = "1";
"kernel.sysrq" = "4"; #
#"kernel.unprivileged_userns_clone" = "0"; # does not exist on nixos
"kernel.perf_event_paranoid" = "3";
# Network
"net.ipv4.tcp_syncookies" = "1";
"net.ipv4.tcp_rfc1337" = "1";
"net.ipv4.conf.all.rp_filter" = "1";
"net.ipv4.conf.default.rp_filter" = "1";
"net.ipv4.conf.all.accept_redirects" = "0";
"net.ipv4.conf.default.accept_redirects" = "0";
"net.ipv4.conf.all.secure_redirects" = "0";
"net.ipv4.conf.default.secure_redirects" = "0";
"net.ipv6.conf.all.accept_redirects" = "0";
"net.ipv6.conf.default.accept_redirects" = "0";
"net.ipv4.conf.all.send_redirects" = "0";
"net.ipv4.conf.default.send_redirects" = "0";
"net.ipv4.icmp_echo_ignore_all" = "1";
"net.ipv4.conf.all.accept_source_route" = "0";
"net.ipv4.conf.default.accept_source_route" = "0";
"net.ipv6.conf.all.accept_source_route" = "0";
"net.ipv6.conf.default.accept_source_route" = "0";
"net.ipv6.conf.all.accept_ra" = "0";
"net.ipv6.conf.default.accept_ra" = "0";
"net.ipv4.tcp_sack" = "0";
"net.ipv4.tcp_dsack" = "0";
"net.ipv4.tcp_fack" = "0";
# User Space
"kernel.yama.ptrace_scope" = "2";
"vm.mmap_rnd_bits" = "32";
"vm.mmap_rnd_compat_bits" = "16";
"fs.protected_symlinks" = "1";
"fs.protected_hardlinks" = "1";
"fs.protected_fifos" = "2";
"fs.protected_regular" = "2";
};
}

18
nixos/profiles/common/core/networking/default.nix Normal file
View file

@ -0,0 +1,18 @@
{
lib,
config,
...
}: {
networking.wireless.iwd.enable = lib.mkDefault true;
services.resolved.enable = true;
sops.secrets."wireless/wangxiaobo".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/wangxiaobo.psk";
sops.secrets."wireless/OpenWrt".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/OpenWrt.psk";
### https://wiki.archlinux.org/title/Sysctl#Improving_performance
boot.kernelModules = ["tcp_bbr"];
boot.kernel.sysctl = {
"net.core.default_qdisc" = "cake";
"net.ipv4.tcp_congestion_control" = "bbr";
};
}

8
nixos/profiles/common/core/nix/default.nix Normal file
View file

@ -0,0 +1,8 @@
{...}: {
imports = [
./flake.nix
./nix.nix
./gc.nix
#./monitor.nix
];
}

27
nixos/profiles/common/core/nix/flake.nix Normal file
View file

@ -0,0 +1,27 @@
# ref: https://github.com/Misterio77/nix-config/blob/main/hosts/common/global/nix.nix
{
pkgs,
inputs,
lib,
...
}: {
# Enable Flakes
nix.settings.experimental-features = ["nix-command" "flakes"];
# Disable nix-channel
nix.channel.enable = false;
# Disable flake-registry
nix.settings.flake-registry = "";
# Add each flake input as a registry
# To make nix3 commands consistent with the flake
nix.registry = lib.mapAttrs (_: value: {flake = value;}) inputs;
# Install Git
environment.systemPackages = [pkgs.git];
# Does not work with Flake based configurations
system.copySystemConfiguration = false;
programs.command-not-found.enable = false;
}

19
nixos/profiles/common/core/nix/gc.nix Normal file
View file

@ -0,0 +1,19 @@
{
nix = {
### Auto hard linking
settings.auto-optimise-store = true;
### Automatically delete older NixOS builds
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
### optimiser
optimise = {
automatic = true;
dates = ["03:45"];
};
};
}

49
nixos/profiles/common/core/nix/nix.nix Normal file
View file

@ -0,0 +1,49 @@
{config, ...}: {
nix.settings = {
substituters =
{
"Asia/Shanghai" = [
"https://mirror.sjtu.edu.cn/nix-channels/store" # SJTU - 上海交通大学 Mirror
"https://mirrors.ustc.edu.cn/nix-channels/store" # USTC - 中国科学技术大学 Mirror
"https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" # TUNA - 清华大学 Mirror
];
}
.${config.time.timeZone}
or []
++ [
"https://nix-community.cachix.org"
"https://cache.garnix.io"
"https://guanran928.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
"guanran928.cachix.org-1:BE/iBCj2/pqJXG908wHRrcaV0B2fC+KbFjHsXY6b91c="
];
trusted-users = ["@wheel"];
experimental-features = [
"auto-allocate-uids"
"cgroups"
"no-url-literals"
];
allow-import-from-derivation = false;
auto-allocate-uids = true;
builders-use-substitutes = true;
use-cgroups = true;
use-xdg-base-directories = true;
};
documentation = {
doc.enable = false;
info.enable = false;
nixos.enable = false;
};
# https://github.com/NixOS/nixpkgs/pull/308801
# nixos/switch-to-configuration: add new implementation
system.switch = {
enable = false;
enableNg = true;
};
}

40
hosts/aristotle/graphical/default.nix → nixos/profiles/common/graphical/default.nix
View file

@ -1,7 +1,14 @@
{pkgs, ...}: { {
pkgs,
lib,
...
}: {
### home-manager ### home-manager
home-manager.users.guanranwang = import ./home; home-manager.users.guanranwang = import ./home;
# plymouth
#boot.plymouth.enable = true;
# xserver # xserver
services.xserver = { services.xserver = {
enable = true; enable = true;
@ -14,6 +21,7 @@
# polkit # polkit
security.polkit.enable = true; security.polkit.enable = true;
environment.systemPackages = with pkgs; [polkit_gnome];
systemd.user.services.polkit-gnome-authentication-agent-1 = { systemd.user.services.polkit-gnome-authentication-agent-1 = {
description = "polkit-gnome-authentication-agent-1"; description = "polkit-gnome-authentication-agent-1";
wantedBy = ["graphical-session.target"]; wantedBy = ["graphical-session.target"];
@ -28,13 +36,16 @@
}; };
}; };
### Options
my.boot.noLoaderMenu = lib.mkDefault true;
fonts.enableDefaultPackages = false; fonts.enableDefaultPackages = false;
security.pam.services.swaylock = {}; security.pam.services.swaylock = {};
xdg.portal = { xdg.portal = {
enable = true; enable = true;
xdgOpenUsePortal = true; xdgOpenUsePortal = true;
wlr.enable = true; wlr.enable = true;
extraPortals = [pkgs.xdg-desktop-portal-gtk]; extraPortals = with pkgs; [xdg-desktop-portal-gtk];
# https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf # https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf
config."sway" = { config."sway" = {
default = "gtk"; default = "gtk";
@ -43,24 +54,33 @@
"org.freedesktop.impl.portal.Inhibit" = "none"; "org.freedesktop.impl.portal.Inhibit" = "none";
}; };
}; };
services = { services = {
gvfs.enable = true; gvfs.enable = true;
gnome = { gnome = {
gnome-keyring.enable = true; gnome-keyring.enable = true;
gnome-online-accounts.enable = true;
sushi.enable = true; sushi.enable = true;
gnome-online-accounts.enable = true;
}; };
}; };
programs = {
programs.kdeconnect = { kdeconnect = {
enable = true; enable = true;
#package = pkgs.gnomeExtensions.gsconnect;
package = pkgs.valent; package = pkgs.valent;
}; };
};
environment.systemPackages = [pkgs.localsend]; services.libinput = {
networking.firewall.allowedTCPPorts = [53317]; touchpad = {
networking.firewall.allowedUDPPorts = [53317]; accelProfile = "flat";
naturalScrolling = true;
middleEmulation = false;
};
mouse = {
accelProfile = "flat";
naturalScrolling = true;
middleEmulation = false;
};
};
### Removes debounce time ### Removes debounce time
# https://www.reddit.com/r/linux_gaming/comments/ku6gth # https://www.reddit.com/r/linux_gaming/comments/ku6gth

37
nixos/profiles/common/graphical/home/default.nix Normal file
View file

@ -0,0 +1,37 @@
{pkgs, ...}: {
imports =
[
./fonts
./theme.nix
./xdg-mime.nix
]
++ map (n: ../../../../../home/applications/${n}) [
"fcitx5"
"firefox"
"foot"
"go"
"mpv"
"nautilus"
"nix"
"sway"
];
# https://wiki.archlinux.org/title/Fish#Start_X_at_login
programs.fish.loginShellInit = ''
if test -z "$DISPLAY" -a "$XDG_VTNR" = 1
exec sway
end
'';
home.packages = with pkgs; [
loupe
gnome-calculator
seahorse
file-roller
dconf-editor
];
services = {
ssh-agent.enable = true;
};
}

0
hosts/aristotle/graphical/home/fonts/default.nix → nixos/profiles/common/graphical/home/fonts/default.nix
View file

112
nixos/profiles/common/graphical/home/fonts/fonts.conf Normal file
View file

@ -0,0 +1,112 @@
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<its:rules version="1.0" xmlns:its="http://www.w3.org/2005/11/its">
<its:translateRule selector="/fontconfig/*[not(self::description)]" translate="no"/>
</its:rules>
<description>trash Font Config 4.0</description>
<match target="font">
<!-- <edit mode="assign" name="antialias"> <bool>true</bool></edit> --> <!-- breaks emoji in GTK, unsure why -->
<edit mode="assign" name="hinting"> <bool>true</bool></edit>
<edit mode="assign" name="hintstyle"> <const>hintslight</const></edit>
<edit mode="assign" name="autohint"> <bool>false</bool></edit>
<edit mode="assign" name="embeddedbitmap"> <bool>false</bool></edit>
<edit mode="assign" name="lcdfilter"> <const>lcddefault</const></edit>
<edit mode="assign" name="rgba"> <const>rgb</const></edit>
</match>
<!-- Default fonts -->
<alias binding="strong">
<family>serif</family>
<prefer>
<family>Source Han Serif SC VF</family>
<family>Noto Color Emoji</family>
</prefer>
</alias>
<alias binding="strong">
<family>sans-serif</family>
<prefer>
<family>Inter Variable</family>
<family>Source Han Sans SC VF</family>
<family>Noto Color Emoji</family>
</prefer>
</alias>
<alias binding="strong">
<family>monospace</family>
<prefer>
<family>JetBrains Mono</family>
<family>Source Han Sans SC VF</family>
<family>Noto Color Emoji</family>
</prefer>
</alias>
<alias binding="strong">
<family>system-ui</family>
<prefer>
<family>Inter Variable</family>
<family>Source Han Sans SC VF</family>
<family>Noto Color Emoji</family>
</prefer>
</alias>
<!-- Rebind unliked/old fonts -->
<!-- Sans -->
<match target="pattern">
<test name="family" qual="any"><string>Microsoft YaHei</string></test>
<edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
</match>
<match target="pattern">
<test name="family" qual="any"><string>SimHei</string></test>
<edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
</match>
<match target="pattern">
<test name="family" qual="any"><string>WenQuanYi Zen Hei</string></test>
<edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
</match>
<match target="pattern">
<test name="family" qual="any"><string>WenQuanYi Micro Hei</string></test>
<edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
</match>
<match target="pattern">
<test name="family" qual="any"><string>WenQuanYi Micro Hei Light</string></test>
<edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
</match>
<!-- Serif -->
<match target="pattern">
<test name="family" qual="any"><string>SimSun</string></test>
<edit name="family" binding="same" mode="assign"><string>serif</string></edit>
</match>
<match target="pattern">
<test name="family" qual="any"><string>SimSun-18030</string></test>
<edit name="family" binding="same" mode="assign"><string>serif</string></edit>
</match>
<!-- Monospace -->
<match target="pattern">
<test name="family" qual="any"><string>Liberation Mono</string></test>
<edit name="family" binding="same" mode="assign"><string>monospace</string></edit>
</match>
<match target="pattern">
<test name="family" qual="any"><string>SF Mono</string></test>
<edit name="family" binding="same" mode="assign"><string>monospace</string></edit>
</match>
<match target="pattern">
<test name="family" qual="any"><string>Noto Sans Mono</string></test>
<edit name="family" binding="same" mode="assign"><string>monospace</string></edit>
</match>
<!-- Reject DejaVu Sans -->
<!-- why is DejaVu Sans still here after fonts.enableDefaultPackages = false -->
<selectfont>
<rejectfont>
<pattern><patelt name="family" ><string>DejaVu Sans</string></patelt></pattern>
</rejectfont>
</selectfont>
</fontconfig>

0
hosts/aristotle/graphical/home/theme.nix → nixos/profiles/common/graphical/home/theme.nix
View file

0
hosts/aristotle/graphical/home/xdg-mime.nix → nixos/profiles/common/graphical/home/xdg-mime.nix
View file

5
nixos/profiles/common/minimal/default.nix Normal file
View file

@ -0,0 +1,5 @@
{modulesPath, ...}: {
imports = [
(modulesPath + "/profiles/minimal.nix")
];
}

3
nixos/profiles/common/mobile/default.nix Normal file
View file

@ -0,0 +1,3 @@
{
home-manager.users.guanranwang = import ./home;
}

3
nixos/profiles/common/mobile/home/default.nix Normal file
View file

@ -0,0 +1,3 @@
{
services.batsignal.enable = true;
}

3
hosts/aristotle/disko.nix → nixos/profiles/common/opt-in/disko.nix
View file

@ -1,5 +1,4 @@
let {disks ? ["/dev/sda"], ...}: let
disks = ["/dev/nvme0n1"];
# compress-force: https://t.me/archlinuxcn_group/3054167 # compress-force: https://t.me/archlinuxcn_group/3054167
mountOptions = ["defaults" "compress-force=zstd" "noatime"]; mountOptions = ["defaults" "compress-force=zstd" "noatime"];
cryptSettings = { cryptSettings = {

58
nixos/profiles/common/opt-in/gaming/default.nix Normal file
View file

@ -0,0 +1,58 @@
{
pkgs,
lib,
config,
...
}: {
### home-manager
home-manager.users.guanranwang.imports = [./home];
### for steam
# https://github.com/NixOS/nixpkgs/issues/47932
hardware.opengl.driSupport32Bit = true;
# https://wiki.archlinux.org/title/Gamepad#Connect_Xbox_Wireless_Controller_with_Bluetooth
hardware.xone.enable = true; # via wired or wireless dongle
hardware.xpadneo.enable = true; # via Bluetooth
programs.gamemode = {
enable = true;
settings.custom = {
start = "${lib.getExe pkgs.libnotify} 'GameMode Activated' 'GameMode Activated! Enjoy enhanced performance. 🚀'";
end = "${lib.getExe pkgs.libnotify} 'GameMode Deactivated' 'GameMode Deactivated. Back to normal mode. '";
};
};
# Integrate with NVIDIA Optimus offloading.
# https://github.com/FeralInteractive/gamemode#note-for-hybrid-gpu-users
environment.sessionVariables = {
"GAMEMODERUNEXEC" = let
inherit (config.hardware.nvidia.prime) offload;
in
lib.mkIf
(builtins.elem "nvidia" config.services.xserver.videoDrivers && offload.enable && offload.enableOffloadCmd)
(lib.mkDefault "nvidia-offload");
};
### https://wiki.archlinux.org/title/Gaming#Improving_performance
systemd.tmpfiles.rules = [
# Path Mode UID GID Age Argument
#"w /proc/sys/vm/compaction_proactiveness - - - - 0"
"w /proc/sys/vm/min_free_kbytes - - - - 1048576"
"w /proc/sys/vm/swappiness - - - - 10"
"w /sys/kernel/mm/lru_gen/enabled - - - - 5"
"w /proc/sys/vm/zone_reclaim_mode - - - - 0"
#"w /sys/kernel/mm/transparent_hugepage/enabled - - - - never"
#"w /sys/kernel/mm/transparent_hugepage/shmem_enabled - - - - never"
#"w /sys/kernel/mm/transparent_hugepage/khugepaged/defrag - - - - 0"
"w /proc/sys/vm/page_lock_unfairness - - - - 1"
"w /proc/sys/kernel/sched_child_runs_first - - - - 0"
"w /proc/sys/kernel/sched_autogroup_enabled - - - - 1"
"w /proc/sys/kernel/sched_cfs_bandwidth_slice_us - - - - 500"
"w /sys/kernel/debug/sched/latency_ns - - - - 1000000"
"w /sys/kernel/debug/sched/migration_cost_ns - - - - 500000"
"w /sys/kernel/debug/sched/min_granularity_ns - - - - 500000"
"w /sys/kernel/debug/sched/wakeup_granularity_ns - - - - 0"
"w /sys/kernel/debug/sched/nr_migrate - - - - 8"
];
}

15
nixos/profiles/common/opt-in/gaming/home/default.nix Normal file
View file

@ -0,0 +1,15 @@
{pkgs, ...}: {
programs.mangohud.enable = true;
home.packages = with pkgs; [
(prismlauncher.override {glfw = glfw-wayland-minecraft;})
steam
mumble
osu-lazer-bin
];
home.sessionVariables = {
# https://github.com/ppy/osu-framework/pull/6292
"OSU_SDL3" = "1";
};
}

0
hosts/aristotle/impermanence.nix → nixos/profiles/common/opt-in/impermanence.nix
View file

3
hosts/aristotle/lanzaboote.nix → nixos/profiles/common/opt-in/lanzaboote.nix
View file

@ -1,5 +1,6 @@
{pkgs, ...}: { {pkgs, ...}: {
environment.systemPackages = [pkgs.sbctl]; environment.systemPackages = with pkgs; [sbctl];
boot.loader.systemd-boot.enable = false;
boot.lanzaboote = { boot.lanzaboote = {
enable = true; enable = true;
pkiBundle = "/etc/secureboot"; pkiBundle = "/etc/secureboot";

0
nixos/profiles/opt-in/mihomo/config.yaml → nixos/profiles/common/opt-in/mihomo/config.yaml
View file

7
nixos/profiles/opt-in/mihomo/default.nix → nixos/profiles/common/opt-in/mihomo/default.nix
View file

@ -25,12 +25,7 @@
}; };
### sops-nix ### sops-nix
sops.secrets = builtins.mapAttrs (_name: value: sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["mihomo.service"];}) {
value
// {
restartUnits = ["mihomo.service"];
sopsFile = ./secrets.yaml;
}) {
"clash/secret" = {}; "clash/secret" = {};
"clash/proxies/lightsail" = {}; "clash/proxies/lightsail" = {};
"clash/proxy-providers/efcloud" = {}; "clash/proxy-providers/efcloud" = {};

11
nixos/profiles/common/physical/default.nix Normal file
View file

@ -0,0 +1,11 @@
{pkgs, ...}: {
networking.stevenblack.enable = true;
services.system76-scheduler.enable = true;
services.power-profiles-daemon.enable = true;
services.thermald.enable = true;
# YubiKey
environment.systemPackages = [pkgs.yubikey-manager];
services.pcscd.enable = true;
services.udev.packages = [pkgs.yubikey-personalization];
}

10
nixos/profiles/core/networking.nix
View file

@ -1,10 +0,0 @@
{
services.resolved.enable = true;
### https://wiki.archlinux.org/title/Sysctl#Improving_performance
boot.kernelModules = ["tcp_bbr"];
boot.kernel.sysctl = {
"net.core.default_qdisc" = "cake";
"net.ipv4.tcp_congestion_control" = "bbr";
};
}

60
nixos/profiles/core/nix.nix
View file

@ -1,60 +0,0 @@
{
lib,
config,
inputs,
...
}: {
nix.settings = {
substituters =
(lib.optionals (config.time.timeZone == "Asia/Shanghai") [
"https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" # TUNA - 清华大学 Mirror
])
++ [
"https://nix-community.cachix.org"
"https://guanran928.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"guanran928.cachix.org-1:BE/iBCj2/pqJXG908wHRrcaV0B2fC+KbFjHsXY6b91c="
];
experimental-features = [
"auto-allocate-uids"
"cgroups"
"flakes"
"nix-command"
"no-url-literals"
];
flake-registry = "";
trusted-users = ["@wheel"];
allow-import-from-derivation = false;
auto-allocate-uids = true;
auto-optimise-store = true;
builders-use-substitutes = true;
use-cgroups = true;
use-xdg-base-directories = true;
};
nix = {
# Add each flake input as a registry
# To make nix3 commands consistent with the flake
registry = lib.mapAttrs (_: value: {flake = value;}) inputs;
# Disable nix-channel
channel.enable = false;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
};
users.groups."nix-access-tokens" = {};
sops.secrets."nix-access-tokens" = {
group = config.users.groups."nix-access-tokens".name;
mode = "0440";
};
}

7
nixos/profiles/desktop/default.nix Normal file
View file

@ -0,0 +1,7 @@
{...}: {
imports = [
../common/core
../common/graphical
../common/physical
];
}

8
nixos/profiles/laptop/default.nix Normal file
View file

@ -0,0 +1,8 @@
{...}: {
imports = [
../common/core
../common/graphical
../common/physical
../common/mobile
];
}

46
nixos/profiles/opt-in/mihomo/secrets.yaml
View file

@ -1,46 +0,0 @@
clash:
secret: ENC[AES256_GCM,data:0dikpMbntA==,iv:63yclHF0yUJXWr7/RN0RLMFmASD847i6WAplx6sfvGQ=,tag:Y7lw2sn34CEfAmzy/0IugA==,type:str]
proxies:
lightsail: ENC[AES256_GCM,data:YfyZsBi3yMIAMIjotAk4g4M+yYYozSSbKE77oz3lwbRHCMVJqxeo5nR04HrG8Hy2mQvVV09et1MbgnDMhEaSERZvsfaBojFUoRE6Du18n1ET8P1/ez5aKgC6ZnHy90a99mktqD4QDGNE8VDX2xBtNcVLF6i9dJ9di9tJEtnOdw+Q,iv:/uqtX6E2I0sqSWt2FmKwzG9zQb2TjdQqfDBZQXLh8cs=,tag:ofvc5GKEPrizajUaevI1jA==,type:str]
proxy-providers:
flyairport: ENC[AES256_GCM,data:x6li/5tWuAX9ZvLVUETLaBDqjB8pb8vSD9jD8HDMXNiiilq03RVHx7eXTiWMVJMlRUBOxvhTXH1fQxzye34aZQMx4BftMOQzvG5soF/P+K5hGapC9wbFnoH8znHkAdIgRLIeDBHRix3ll2OqGhqCENkWF4jjs/Pxqfz5bJlhcA==,iv:lO59riu5seloBRIy8QG02afNciEKvElzovLyaX90iSA=,tag:/L+elOLB2agQdRvg9tR0WQ==,type:str]
efcloud: ENC[AES256_GCM,data:36mToXGiHVAgM4vVQFOYvNPaHHuVf4mtvnNOgMBTyzbZ/mKpT1Exx7rWZ7i9EVBy5eX7SJtKmnHs0CqD48hr7R708W2oW3YNPEfkK7aGDqfQFyS1TVjT+MM=,iv:+qiFyM10fcAjcdyVZCC+0hb83GYENooM52+1GPXpamQ=,tag:wZupiFJMQq8A5ZwJtjXiOg==,type:str]
spcloud: ENC[AES256_GCM,data:gmJM+sTTaUrIxQXRBlDtE+K1gEfseMPUC2AQLq1LeY6iQmgq3wK7oJlz+buLbm/LUDitvls9d517905hz/Mpp2F7ohBeW9m1Jkcvdh/Zfgnfqg==,iv:FPe//+/ZMDZloZg2AnQ7JXRzqZdKDjLYs3wqMxqNA/Y=,tag:JPEU/WnUfy8bNlhAgPQwJw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaXJJdVlKb0lpa3pkZ0px
UGwveFAydHBUMzdXOU5ibHRBNmg1VllUVWxBCkh5SWQrQUhFSFA2NHA2WWhhYXhV
bFlteVVCM1M1VlRoakZ1UW1ENmJWM3cKLS0tIDdpZVo0Z2dQQ29DVnVOQU5kWkMy
N2djZElOQUtINXY5bGJKZFROK1VpZWcKMQY/1i3yvoKhDUdkmvQ0boVHzh9vta1Z
hz9WY8aYIMsa0PY71FuBMklOfNtaPKbewx9XXfLDetFLQ7tmWnIzFg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVzFrcWdBNlYvdWRzNVNr
T3YyQ3JBakRQcnd2MzMyNnN4Z3h0TkN3S1NvCmdCZnFaeVdFcCtoVzh6OGRnd2o3
cVpxTCtpV1RYRjloUElLek9NcDlrMWsKLS0tIEdtZWVNUXY4VDAzSUxkUGhodjlJ
UHFlbi9JYTBVYWIyOGZ6SnBZcWo4K1kK9TkNUwrKIywSaXoExUaBb3y4L5Gg+2CT
0eI/CUL8LuYSSGeGRtypMPklHUQS4qV3UmXbnNSKctdLrNcDRperXg==
-----END AGE ENCRYPTED FILE-----
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MHd3Qjl1ODJzVWlwN3VB
L3ZFdVBPbmRzQUJBbWdiRUtqVzJYeVlHdkZJCit4YzExQ1UweXcrRkpVMEVKQlB3
NGt0VHE1alFvSkJGKzU5ZzM5akFwUG8KLS0tIGdvNS9ZYWU4TXM2Y1hVbjl2Z3cy
QStSb1FJb0xUUkV5cjg1Qk5ORDRQMzQKiTUdlCbgRX0zRPURsolB4O0dvxl9+lkn
0cIBYnVxzSdlDj+TXnTR2zL2cqZg94cNaTz0qWk/kmkmgmqm80hZ7Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-09T22:04:17Z"
mac: ENC[AES256_GCM,data:iKwYqxBllI8SydCUjyK2cJkcUKVj4CqjmfDSMNJtLwM6IWUoOScV4Pu0YJz0aui5F8nbyC92vdDwsE599GZMTWdCH20MeWEMo7pbkPFxxL1bY5BMCNNE3Tm354nz4ihmBXMB9aI1JRiSareV5yQ1v6lOxzDargDigMrPI/6DRfo=,iv:JRvJQ3YdFZsBstT55xKcCMGJODy42FImugHbwEbpV2I=,tag:go33lpTdouZoFk53g9FXTw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

8
nixos/profiles/opt-in/wireless/default.nix
View file

@ -1,8 +0,0 @@
{lib, ...}: {
sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
"wireless/wangxiaobo".path = "/var/lib/iwd/wangxiaobo.psk";
"wireless/OpenWrt".path = "/var/lib/iwd/OpenWrt.psk";
};
networking.wireless.iwd.enable = lib.mkDefault true;
}

41
nixos/profiles/opt-in/wireless/secrets.yaml
View file

@ -1,41 +0,0 @@
wireless:
wangxiaobo: ENC[AES256_GCM,data:D9m+JRZ2Tw1a4mukW+WU3QLYIRiTiRkGz1ddD7zvkctbuYg+BZXtRgDR0FOIn586t0DsgA1wBDEN/WWiLRTrArgWTHiv7OsOa1NI7+BuL1cFb1TNbk04zbtc6cCOpDBH8qivx0jdZIqrJ5JzIaeZ9T78tj1jMmp3pyt3RiEcZLqxjnPiJhJVaZ8iUNDTvuX3DpsmqybYiLO+Hz7qvIHwM1euc/vyraZ2SR/y5DjTjwVK1jiAs3glPy2oYayVhv+RPs/AHVDnslbtPxGrPhRXxZT3t9LnBw+I0VgrdKUl39ym38PurGnVoBJ7EUVWl3SUPQjnDfQI/XQiDyI3DZ8uA5MGwlR9mny5N/ojs+q7J/k4YiSThCasA5tA24SNRZQWI9lFevoortU+is9FTTGkfzgrrcuURDs6E3ShbbHgn4tvHPhB87J1mP9D7UMIFFfVyvqp5fRgBMHcrEA8xln2xvvQdRDDj/JJYIj3ex8PpTqvAi1EwnAFWhBgqIchcHRFcfQRWOsR7h8M1UQpnge85UZfePMropq5zJ3TSF4AKa2A4UqhgkvLm8qrMI1lvsEnH4TMoyV5Z59T4sPd4Eb3FV26wey6DTdw6cCuywh0AQ==,iv:nbD9EcQYaAf4XwvTLKRy+IjTkV7aHsHK+gBD/Ooc/l8=,tag:VHD3X0ONH4YTp/BTcnpLDQ==,type:str]
OpenWrt: ENC[AES256_GCM,data:KaRLfzoXPTyAscYjJ9mpMAKtsP29PjNvm1G89ne/7N3MtgO9/GfO2JHrmeU2KZBLCJEllovbw82TFsfG7q0ID0sGTVHEZ52yQdOD5wUiuKaiCoN4jaSsU/VsOfOF7ZGt9lWjl+JrGLLWfqAfvN6Jy85jb8XnaOT4jxqjHtTcMDU/ZkL3IJPdTB1RwuIua/UYFYW96kyOyKh5CKloFV9yZTdAmvI3f5Wjm7f7yHMchRI/G0Jk5QLCLSWeXyD2o2iy+vU2a9/0X3hNgoHhzEsB96PHLjtOdSDvWLl598aHelzqKP7GOy71KMTM7cW5i7eyWLNe7+4f3wTl1JQPIGx8T+/Y1G1T+BGWzhWxLHC5V1JQcSHysDfO7Q2ITdQC9jScNKROFlphvinMqItrBWDgWz/ESHViCVqW3qeCqDFFTMhKTTfBnwaOhSb+M99Rd+nCzmyLQrDgq/CSHzXhVtkQJV5MugZ1+wCUl59ylxroFsIS9csy2uRWGiWQh5Q59zc6kUbjPKDx53b2DXC8WuGhgD4XgT1fkSN2SOXxYiyPullF9T9ljCX4Qny9AQ3X6tvk+2MviKS40vlevdFLS4xFkf3BxzP+oAyB+X+py7kpD+RoH+jrSEC3lBPNwPd65J4TSDa4ZpFJeNX7Us7R6bIc8kesW+IWu9+vZjcD0Gji1xbQ5FtL/5YzdrO7hzEWVQbkl6kuRtvZ1AwWjeM+nT34RWal7XcdcFzeV0NPwNQ=,iv:IbLwzWe6vis4hH/4T5tzaVJflYFXZFjSlzYeBAqcaZs=,tag:WTYuVWCsrzSvNrCuGaXsRA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtSktSV1ByUnF2TGJaMzh3
a3RoaHptWHF1MjdsUFc5R2pySEFYa1IzQVE0CjZoUkVhaktldDJvL2dmRjdGa1B5
MEtoUHpoaENNUVRtS3B4aXJQMHNCT2sKLS0tIGd5dEt0RWpkd3ZPVGkvM1JWWUdh
ZDBtRFJTMlZmUmtlNVc3ZW5oa3V0WGsKcqjqj+oPnGxAzeWpPYSpBBfS9GhN+O4/
Mt9NT1LWfiUDhxz5GYmcLKe1tRNXpGeG02HcY65WgcVd1Y7n4mMJRA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZnRDOHZ1MWViV0dhS3JO
dmY2N2lyVHUxNmZnMStpcFMwbzMyZXBaaEJZCjZqWk0rOEdnMVNLTVRHMDNzUm5u
OFZTV2ZGTFQ5QlQrM3gzNUhQQ2xXMkEKLS0tIGUzeTEwZmYxekQ0cTJrU2Vhb3Zp
M2FjUFFrREphODFQUm1kRlJNOGRpTTQKF7k5/oPjoILtFEf2sO6nnF0Ar6ebTN3r
TdXYtTek0sIlSdYfVSxLmhiymz2mKi7TKPcKH6POmp0uuVX8HFEAJg==
-----END AGE ENCRYPTED FILE-----
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eWIvamwrRGthdzlYRmJm
SjNQTG92TzlvckJCMTM3SytHdUVodVJFYkVJCmRLSjg5TGF4RkZ1WitRNVVrSlNT
ZnQ5TnRPTGI5Uk1vaWpvMWh2NHR4NmsKLS0tIFRtbm5Kemo1WVMyMFZ3SDAwdDBn
dEN1cEJFZU82bVFRVlVqcTIzckRHQjgKHgRyq4UOcZyiFnK9fq1NLtxRktFCs3V8
EQhl+CPWTRZTZkttJ5MclGlvTNbiH3Iy9syKns6qvOw75wqtXIdIWQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-09T22:04:02Z"
mac: ENC[AES256_GCM,data:m3EXpaGra4uT0m2w9B8D6p03PBXeYWn4AiStPtdN15/JwvTRsJvYeOE4CirZvDT3nq7ne/8j/62Z7sCkb7t8W48MfjrnvAYRFJvKT2hSmJnzqXH6446Srel88BfVmiMdcts4OvAea3Dg4oTMMIn5d2L+rIT8zuPY208tqo4vCPY=,iv:LI5WRb46DZLSL9rndXDo/xzDzXUArRANBqrEx8bmGIc=,tag:2K3vKFmb88Zjru1miwR7Dw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

11
nixos/profiles/server/default.nix
View file

@ -1,5 +1,14 @@
{inputs, ...}: { {
pkgs,
inputs,
...
}: {
imports = [ imports = [
../common/core
# ../common/minimal
inputs.srvos.nixosModules.mixins-terminfo inputs.srvos.nixosModules.mixins-terminfo
]; ];
boot.kernelPackages = pkgs.linuxPackages;
networking.wireless.iwd.enable = false;
} }

17
secrets.yaml
View file

@ -1,5 +1,16 @@
hashed-passwd: ENC[AES256_GCM,data:KPOh1bYW2eruBI7Z9OKqqRmoXAxQ/k5sghAmHDFyUeJTNavelU9hcGfBq69KSU+MeFVfRmwHZncZYyiDkF4hFI2YFgFY0M2jzA==,iv:h7XtrT/4/T1b4SPGx10w5g84DMCA/FE3mjinwcLn0tI=,tag:jS8XnwEdEH2QYkNJVRwkcA==,type:str] hashed-passwd: ENC[AES256_GCM,data:KPOh1bYW2eruBI7Z9OKqqRmoXAxQ/k5sghAmHDFyUeJTNavelU9hcGfBq69KSU+MeFVfRmwHZncZYyiDkF4hFI2YFgFY0M2jzA==,iv:h7XtrT/4/T1b4SPGx10w5g84DMCA/FE3mjinwcLn0tI=,tag:jS8XnwEdEH2QYkNJVRwkcA==,type:str]
nix-access-tokens: ENC[AES256_GCM,data:lUeCDT0r1AnTFG4s8eLxSlGRVQAJ4eyXVW80pkgAL5aVrG86+G7NOLVfQYUxthLBRFFXnGA2rQD4h4c2VWknd0YDFdS+me8RBbN2mqJm6YqEYdMEW2Lgv9iSz/zXuDT9FFdDWRdv71lTTwyP2Gie4Y8UkBrAV3ue,iv:HyDyQ5H2nDzi4nIUKoelOrzF4K3sIMlB5HoQR9EMc0s=,tag:vgn2TtQRE8Qd+/zjlOSuAw==,type:str] nix-access-tokens: ENC[AES256_GCM,data:lUeCDT0r1AnTFG4s8eLxSlGRVQAJ4eyXVW80pkgAL5aVrG86+G7NOLVfQYUxthLBRFFXnGA2rQD4h4c2VWknd0YDFdS+me8RBbN2mqJm6YqEYdMEW2Lgv9iSz/zXuDT9FFdDWRdv71lTTwyP2Gie4Y8UkBrAV3ue,iv:HyDyQ5H2nDzi4nIUKoelOrzF4K3sIMlB5HoQR9EMc0s=,tag:vgn2TtQRE8Qd+/zjlOSuAw==,type:str]
wireless:
wangxiaobo: ENC[AES256_GCM,data:Lz1gAdJn2aBn/TdcQRjErSrIAJHlq0mT9qsE72ocEMxNqx6TW6dJkbRfKZ6IDe/a2HNP3zUpX3MjjRbCepBkZIHmsg1SwkGfA7wWysQOxXRXYCoqWH+NbP4xm6r0QV5RGTmXU+bnKubrrJZ8Z2M2n5LDp3bf16XL22Wjsyakju4z36d1K7NPBUoCIHoVKJaLam29rWDyIaBOfZbzG+M5reGLt1hVPDWWYGjnB4xC4lqQE5bpyKrVtoU+XATCWIIx3ZZWqJsf3TVzEDvu1aCb127PMCP2lqI55Hf94RgsZPWWgoLrAhaI8t067hAWPOfdfZEEGetO4BjzJwRyCNQAvqx+YLe0RJOz3lriUP3ie1mYmft4AyhV8JUmVZhEsJ7peATt+ds11BUuGw2SU9cKSa2NHM/K7e1x23Kofl1qrFF+ylr1Sy8OCZhfBozdFnPDzcYsuApe0xvMYCt4fsHFjB/kGtIG7rdGapJnvgAwhewd3dTtg4mAKPgvYr4FdWgDSr7GqrDdgqT2W8nbtJ5oQQnYmDnX+0tfLcF15EgvEN9mLIpsdNfVX3eOp1e/Z6fsbdMtpyNuMRwNDAi9V1tsYTDM/+U9xvZK3DWNX6XTYQ==,iv:nq2Hj7aY+M8QJoA08oyvg55UuxJdnoGTT2KQNu3B8Z8=,tag:sYV4ZE2evYb3U4JRPCJT3Q==,type:str]
OpenWrt: ENC[AES256_GCM,data:tlZJExED1Brv4/hOJjbgEbyLMQZVfNhl/5ux94IDM5jSL2lEBYy74qf4VVn2SKMYUuu7bjV7UlnwrD/jzDRuO/gWfkeuoZ5uh3pX0s2wv5E2Z7nJjkYtVn0XDlr8m/4Y6R14ahSIqKJKY4LAAeuQo0t7jEeYv4E3kuyhXUNE5jjrdD9mW+ObS1WV/DpBqUZc3dJe+88EVzgVa5F/L+VWQ3Klz5TduQzqfOyjjoNe+z8gwODzHczfPZCdplfo4PbrMWV8FlyUdJUX37nkZiEkyUpPuksZHb5OPAtx9fCh/KF5y/txS9oZTwOkiE4LBQBpj2NcLMQGOEdtRYLzJekyaOGChrtD+mFfL9LBuLwQLAzHLUI4oZ3PUgu3zXYevtmyrSSwlK/2iama71swmNu+qYws+WkjMVyF4MB/KCtMJULbZW9XJp7tw7cfSzek0RMizlk3MgrEyF2w3J9vx6Q4OHPSE48kgK2Kw0kg93wl9uO6kCRq0QiTJ6lZHopsWyWHTcs1,iv:kvBRYkhFAmDCSdU5Nkc66VblbjQfWHp7ls8x0d46ueA=,tag:Y/oa7vgoI/VsZ+OyJUjZ/g==,type:str]
clash:
secret: ENC[AES256_GCM,data:eCq/pDlSOw==,iv:QGNKxqmkj9BWFBJGj/O4fUL8Ey8zGEHMsWX02DrM82U=,tag:z2vVCBSt6mw47ca2xoxg9A==,type:str]
proxies:
lightsail: ENC[AES256_GCM,data:o84OgvKdogV8EmeyRLu/gexre5QY8kaf2txXTi2Id2Ya+cWJ08WBiNGYdLKGVKSr1bflbeTirTnUgBJ7ozAw3seWDxOuFRrdvy2jZx+x8doOVwP3FsKQUeCJd4yr4M7FuA3lA0dvBpAX/W5nvz82F15x4o6AYKx0AOTh+QbVTdX4,iv:ojvL+sSORq2DYHdVDUCvN1nCt44Th7SM++I1ZRB9KyQ=,tag:z+er0P7gHa+rn4MiMyJnmg==,type:str]
proxy-providers:
flyairport: ENC[AES256_GCM,data:akHdU/2o8D65sG2b/mcj76HASwhg3WvoEcrpgkXPyh7kuc+Ci42hmmmmBk9I29vuvZjTtCTs8mMzaLK1wm8TS/K1A1zeAGULxSsqhpV4cA19Q4vAtQ2+FyuGiaFszuaHK6BSlZAosfmCGoM1nZRYuOnsdeR0vnHBIHhJFNhaLw==,iv:VeVT3cEaOO/90gcqpm2yOacThbEyaXuBRhp4buX/XOY=,tag:kojJbqwYk/DNFBcJMY2eXg==,type:str]
efcloud: ENC[AES256_GCM,data:GvKNMscPknhlBy9Qp8iuYoxF10oX2ZIOKo+XKRH2NOGGDiMk/GwdGfA5+gf3ZcEEGFGw/8CrBddjJCivyxqwF+oAEHJyjdcFhGyyOopsx9s3waq8Hge/KzE=,iv:WXAd3yA5cTZp+ttKHXPf6cbsk6pRXq5/xMysNUAs1Rk=,tag:HygexRSW8ICa+RIFmrRKRQ==,type:str]
spcloud: ENC[AES256_GCM,data:Uz0SLmSxzV/hcsBuYtlsZ5G5E8wjzmHcFMGCyBrEewOr6gAdBQvC4njotYbMIdQAQRTgAE2wBukdSxXWCTrNph7uoVhskz1YkNjxnQVPUO5WfQ==,iv:TwHPdeATx+LanfhHeD7M5sSf3M2NLBWBAAaFTwgsK7A=,tag:9DMgcSoy4ksYl/dPWwA+dA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -42,8 +53,8 @@ sops:
SC9YMFk4dUNOUDJYMXErck8yTmJmZmcKp66bHZTD6VitAOfzIr8VJr02+R9f5mxH SC9YMFk4dUNOUDJYMXErck8yTmJmZmcKp66bHZTD6VitAOfzIr8VJr02+R9f5mxH
c5n2CWurDsZsNTKk7pgxQo78ySyAG3rzvOqgK0NFesyHy9dRl8xHCQ== c5n2CWurDsZsNTKk7pgxQo78ySyAG3rzvOqgK0NFesyHy9dRl8xHCQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-09T22:04:25Z" lastmodified: "2024-07-01T09:25:25Z"
mac: ENC[AES256_GCM,data:d8ml8uokaSlD/nJQVM732OoEXZB0a7dpq5Koq1/Nz8iW9xDmwvrWONRmI6EPHMHJ+vFXKS09iLBtaWRo83H1KPIEfN6slVY8wrVYychz38A/jXx3TWd1oh00otJpkmjzWfEbhYYB6K0D2lTP/rfu009b29OzBNbqcIfVrJRz4vQ=,iv:/PBfFIf+SZ4zmRdOba8NKV29JRWHzCGwK5Oo2EGq/90=,tag:5eHt2FPi+5uSNEd3GlFkcQ==,type:str] mac: ENC[AES256_GCM,data:rQ0ZRb1Js05XWfrXSGjdJd8g3heaAmNHyRoPxmvZe36a1DXFi3eCKvBs8JjOFdtAp9XCJ9OYjzDsCpBvUSfuApjmBoMZUVqjrf88sAxT7j/4e1tdkBZto0ReondIxwt7hTEcNpuawdouPk+yehTqmw3Nyovnd/mztw/I9zhHPuk=,iv:EXvTgLqRp2JZtpiEcSW4XyQdKZ+aSoKKPgx6q8BFkhY=,tag:gbPiWetjaFm+mEmjsl9kww==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.8.1

4
treefmt.nix
View file

@ -23,10 +23,8 @@
### misc ### misc
programs.prettier.enable = true; programs.prettier.enable = true;
settings.formatter.prettier.excludes = [ settings.formatter.prettier.excludes = [
"secrets.yaml"
"hosts/blacksteel/secrets.yaml" "hosts/blacksteel/secrets.yaml"
"hosts/lightsail-tokyo/secrets.yaml" "hosts/lightsail-tokyo/secrets.yaml"
"nixos/profiles/opt-in/mihomo/secrets.yaml"
"nixos/profiles/opt-in/wireless/secrets.yaml"
"secrets.yaml"
]; ];
} }