test

jz8132543 · Feb 25, 2024 · 5ff5149 · 5ff5149
1 parent 3e880f1
commit 5ff5149
Show file tree

Hide file tree

Showing 18 changed files with 503 additions and 178 deletions.
diff --git a/home-manager/modules/tippy/ssh.nix b/home-manager/modules/tippy/ssh.nix
@@ -16,6 +16,8 @@
         "CanonicalizeHostname" = "yes";
         "CanonicalDomains" = "dora.im ts.dora.im users.dora.im";
         "CanonicalizeMaxDots" = "0";
+        # fix kde connection for android
+        "HostKeyAlgorithms " = "+ssh-rsa";
       };
       matchBlocks = {
         "github.com" = {

diff --git a/nixos/hosts/arx8/default.nix b/nixos/hosts/arx8/default.nix
@@ -16,6 +16,7 @@
     refind
     efibootmgr
   ];
+  services.dnscrypt-proxy2.enable = true;
   services.create_ap = {
     enable = true;
     settings = {

diff --git a/nixos/hosts/isk/default.nix b/nixos/hosts/isk/default.nix
@@ -15,7 +15,9 @@
       nixosModules.services.derp
       (import nixosModules.services.matrix {PG = "127.0.0.1";})
     ];
-  environment.isNAT = true;
+  # environment.isNAT = true;
   environment.isCN = true;
   networking.firewall.enable = lib.mkForce false;
+
+  ports.derp-stun = lib.mkForce 3440;
 }
diff --git a/nixos/hosts/isk/hardware-configuration.nix b/nixos/hosts/isk/hardware-configuration.nix
@@ -6,14 +6,10 @@
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
-  boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+  boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "e1000" "e1000e"];
   boot.kernelModules = ["kvm-intel"];
   utils.disk = "/dev/sda";
   networking = {
-    nat = {
-      enable = true;
-      # dmzHost = "192.168.1.111";
-    };
     interfaces.enp6s18 = {
       useDHCP = true;
       ipv4.addresses = [

diff --git a/nixos/modules/base/dns-client.nix b/nixos/modules/base/dns-client.nix
@@ -0,0 +1,73 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.services.dnscrypt-proxy2;
+in {
+  networking =
+    if cfg.enable
+    then {
+      nameservers = ["127.0.0.2" "127.0.0.55"];
+      # resolvconf.enable = lib.mkForce false;
+      dhcpcd.extraConfig = "nohook resolv.conf";
+      networkmanager.dns = lib.mkForce "none";
+      # resolvconf.useLocalResolver = true;
+    }
+    else {};
+  services = {
+    resolved =
+      if cfg.enable
+      then {
+        enable = true;
+        dnssec = "allow-downgrade";
+        extraConfig = ''
+          MulticastDNS=true
+          DNSStubListener=no
+        '';
+        fallbackDns =
+          if config.services.tailscale.enable
+          then ["100.100.100.100"]
+          else [];
+      }
+      else {};
+    dnscrypt-proxy2 = {
+      enable = lib.mkDefault false;
+      settings = {
+        listen_addresses = ["127.0.0.55:53"];
+        ipv4_servers = true;
+        ipv6_servers = true;
+        require_dnssec = true;
+        doh_servers = true;
+        odoh_servers = true;
+        require_nolog = true;
+        bootstrap_resolvers = ["1.0.0.1:53" "1.1.1.1:53" "9.9.9.9:53"];
+        cache = true;
+
+        sources.public-resolvers = {
+          urls = [
+            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+          ];
+          cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
+          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+        };
+
+        # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+        server_names = [
+          "cloudflare"
+          "google"
+          "quad9-doh-ip4-port443-filter-pri"
+          "quad9-doh-ip4-port5053-filter-pri"
+          "quad9-doh-ip6-port443-filter-pri"
+          "quad9-doh-ip6-port5053-filter-pri"
+          #"cloudflare-security-ipv6"
+          #"doh-crypto-sx"
+        ];
+      };
+    };
+  };
+  # systemd.services.dnscrypt-proxy2.serviceConfig = {
+  #   StateDirectory = "dnscrypt-proxy";
+  # };
+}
diff --git a/nixos/modules/base/network.nix b/nixos/modules/base/network.nix
@@ -1,11 +1,11 @@
-{...}: {
+{lib, ...}: {
   networking = {
-    nameservers = ["1.1.1.1" "1.0.0.1"];
+    nameservers = lib.mkDefault ["1.1.1.1" "1.0.0.1"];
     domain = "dora.im";
     search = ["dora.im"];
     firewall.enable = true;
     dhcpcd.extraConfig = "nohook resolv.conf";
-    networkmanager.dns = "none";
+    networkmanager.dns = lib.mkDefault "none";
   };
 
   boot = {

diff --git a/nixos/modules/desktop/apps.nix b/nixos/modules/desktop/apps.nix
@@ -6,7 +6,7 @@
   programs = {
     clash-verge = {
       enable = true;
-      autoStart = true;
+      # autoStart = true;
       tunMode = true;
     };
   };

diff --git a/nixos/modules/desktop/clash.nix b/nixos/modules/desktop/clash.nix
@@ -0,0 +1,127 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  enable = true;
+  configFile = "/var/lib/sing-box/config.json";
+  updateTimeoutMin = "720";
+  subscriptionEnv = config.sops.secrets.sing-box.path;
+
+  uiPackage = pkgs.clash-webui-yacd-meta;
+in {
+  sops.secrets.sing-box = {};
+
+  systemd.services.sing-box = optionalAttrs enable (
+    let
+      caps = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE"];
+    in {
+      description = "Sing-box networking service";
+      wantedBy = ["multi-user.target"];
+      requires = ["network-online.target"];
+      after = ["network-online.target"];
+      path = with pkgs; [curl sing-box];
+
+      environment = {
+        SB_WORK_DIR = "/var/lib/sing-box";
+        SB_CONF_FILE = configFile;
+      };
+
+      serviceConfig = {
+        Type = "simple";
+        # User = "sing-box";
+        # Group = "sing-box";
+        StateDirectory = "sing-box";
+        EnvironmentFile = [subscriptionEnv];
+        ExecStart = "${pkgs.sing-box}/bin/sing-box run -D $SB_WORK_DIR -c $SB_CONF_FILE";
+
+        # Sing-box Auto Update
+        Restart = "always";
+        # RuntimeMaxSec = "${updateTimeoutMin}min";
+
+        # OOM Killer
+        OOMPolicy = "kill";
+        MemoryMax = "200M";
+
+        # DynamicUser = "yes";
+        # Capabilities
+        CapabilityBoundingSet = caps;
+        AmbientCapabilities = caps;
+        # Proc filesystem
+        ProcSubset = "pid";
+        ProtectProc = "invisible";
+        # Security
+        NoNewPrivileges = true;
+        # Sandboxing
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        # PrivateDevices = true;        # NOT WORK on Tun Mode
+        PrivateMounts = true;
+        PrivateTmp = true;
+        # PrivateUsers = true;          # NOT WORK on Tun Mode
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_NETLINK"];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" "setrlimit"];
+      };
+
+      preStop = ''
+        if [[ -f $SB_CONF_FILE ]] && test `find $SB_CONF_FILE -mmin -2`; then
+          :
+        else
+          curl --connect-timeout 5 --retry 3 --retry-delay 1 \
+            -L $SB_SUBSCRIPTION_URI \
+            -o $SB_CONF_FILE || true
+        fi
+      '';
+
+      preStart = ''
+        [[ -d $SB_WORK_DIR ]] || mkdir -p $SB_WORK_DIR
+
+        if [[ -f $SB_CONF_FILE ]] && test `find $SB_CONF_FILE -mmin -3`; then
+          :
+        elif [[ -f $SB_CONF_FILE ]] && test `find $SB_CONF_FILE -mmin -${updateTimeoutMin}`; then
+          curl --connect-timeout 5 \
+            -L $SB_SUBSCRIPTION_URI \
+            -o $SB_CONF_FILE || true
+        else
+          curl --connect-timeout 5 --retry 3 --retry-delay 1 \
+            -L $SB_SUBSCRIPTION_URI \
+            -o $SB_CONF_FILE || true
+        fi
+
+        [[ -f $SB_CONF_FILE ]] && chmod 0600 $SB_CONF_FILE || exit 1
+      '';
+    }
+  );
+
+  services.lighttpd = {
+    inherit enable;
+    port = 80;
+    document-root = "${uiPackage}/share/clash/ui";
+    extraConfig = ''server.bind = "127.0.0.88"'';
+  };
+
+  networking.hosts = {
+    "127.0.0.88" = ["yacd.local"]; # Yacd Dashboard
+    "127.0.0.64" = ["singbox.local"]; # Sing-box
+  };
+
+  environment.global-persistence.directories = [
+    "/etc/sing-box"
+  ];
+}
diff --git a/nixos/modules/services/ddns.nix b/nixos/modules/services/ddns.nix
@@ -1,17 +1,33 @@
-{config, ...}: {
-  sops.secrets = {
-    "traefik/cloudflare_token" = {};
-  };
-  services.ddclient = {
-    enable = true;
-    interval = "5min";
-    username = "token";
-    passwordFile = config.sops.secrets."traefik/cloudflare_token".path;
-    protocol = "cloudflare";
-    zone = config.networking.domain;
-    domains = [config.networking.fqdn];
-    ssl = true;
-    use = "web,web=ifconfig.me/ip";
-    verbose = true;
-  };
-}
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (config.networking) enableIPv6;
+in
+  with lib; {
+    sops.secrets = {
+      "traefik/cloudflare_token" = {};
+    };
+    services.ddclient = {
+      enable = true;
+      interval = "5min";
+      username = "token";
+      passwordFile = config.sops.secrets."traefik/cloudflare_token".path;
+      protocol = "cloudflare";
+      zone = config.networking.domain;
+      domains = [config.networking.fqdn];
+      ssl = true;
+      # use = "web,web=ifconfig.me/ip";
+      extraConfig = mkMerge [
+        (mkIf enableIPv6 ''
+          usev6=webv6, webv6=https://ipv6.nsupdate.info/myip
+        '')
+        ''
+          usev4=webv4, webv4=https://ipv4.nsupdate.info/myip
+          max-interval=1d
+        ''
+      ];
+      verbose = true;
+    };
+  }
diff --git a/nixos/modules/services/derp.nix b/nixos/modules/services/derp.nix
@@ -10,7 +10,7 @@
       Restart = "always";
       DynamicUser = true;
       ExecStart =
-        if !config.environment.isCN
+        if !config.environment.isNAT
         then "${pkgs.tailscale-derp}/bin/derper -a ':${toString config.ports.derp}' -stun-port ${toString config.ports.derp-stun} --hostname='${config.networking.fqdn}' -c /tmp/derper.conf -verify-clients"
         else "${pkgs.tailscale-derp}/bin/derper -a ':${toString config.ports.derp}' -stun-port ${toString config.ports.derp-stun} -http-port='-1' --hostname='${config.networking.fqdn}' -c /tmp/derper.conf -certdir '$CREDENTIALS_DIRECTORY' -certmode manual -verify-clients";
       LoadCredential = [
@@ -35,7 +35,10 @@
     services = {
       derp.loadBalancer = {
         passHostHeader = true;
-        servers = [{url = "http://localhost:${toString config.ports.derp}";}];
+        servers =
+          if !config.environment.isNAT
+          then [{url = "http://localhost:${toString config.ports.derp}";}]
+          else [{url = "https://localhost:${toString config.ports.derp}";}];
       };
     };
   };
@@ -56,6 +59,6 @@
   #   after = ["derper.service"];
   #   requiredBy = ["derper.service"];
   # };
-  networking.firewall.allowedTCPPorts = [3478];
-  networking.firewall.allowedUDPPorts = [3478];
+  networking.firewall.allowedTCPPorts = [config.ports.derp-stun];
+  networking.firewall.allowedUDPPorts = [config.ports.derp-stun];
 }
diff --git a/nixos/modules/users/tippy/default.nix b/nixos/modules/users/tippy/default.nix
@@ -10,7 +10,7 @@ in {
   users.users.${name} = {
     isNormalUser = true;
     shell = pkgs.zsh;
-    extraGroups = ["wheel" "cdrom" "libvirtd" "acme"];
+    extraGroups = ["wheel" "cdrom" "libvirtd" "acme" "systemd-resolve"];
     openssh.authorizedKeys.keys = [config.lib.self.data.ssh.i];
     hashedPassword = "$6$0gRnTBQjBv9ipXZz$AEBVrBbWXgzZ0IICD1HVWeCwqELFe85.ePsOOdkvFM1E6/sKvQUUesvXhQN519Ud33RsqA3h5z.4luO8Jk4Ls/";
   };

diff --git a/pkgs/_sources/generated.json b/pkgs/_sources/generated.json
@@ -28,11 +28,26 @@
     "pinned": false,
     "src": {
       "name": null,
-      "sha256": "sha256-Nj0xWRtR9uQjPlRaZjEq9hBjL+o/RY3sAMMo/QTguPU=",
+      "sha256": "sha256-7J4mZcryqkErAfSRZMWjaK+wALa9Xe1w9RsUy9xOmsU=",
       "type": "url",
-      "url": "https://github.com/alist-org/alist/releases/download/v3.30.0/alist-linux-musl-amd64.tar.gz"
+      "url": "https://github.com/alist-org/alist/releases/download/v3.31.0/alist-linux-musl-amd64.tar.gz"
     },
-    "version": "v3.30.0"
+    "version": "v3.31.0"
+  },
+  "clash-webui-yacd-meta": {
+    "cargoLocks": null,
+    "date": "2023-12-29",
+    "extract": null,
+    "name": "clash-webui-yacd-meta",
+    "passthru": null,
+    "pinned": false,
+    "src": {
+      "name": null,
+      "sha256": "sha256-S6gLic5TeCkYDQsKmasr4/H5+ca8hP5qTzpVDXZHzdY=",
+      "type": "url",
+      "url": "https://github.com/MetaCubeX/Yacd-meta/archive/b66b1d0393bd284b7a40329f95eae3746bb102be.zip"
+    },
+    "version": "b66b1d0393bd284b7a40329f95eae3746bb102be"
   },
   "kitty-catppuccin": {
     "cargoLocks": null,