youthlic/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

move some config to modules

Browse source 
update dae config

move dae config to module

move openssh config to module

change david config location

move nh.nix to module

move i18n config to module

move steam config to module

remove kvm config
This commit is contained in:
ulic-youthlic 2025-01-13 16:49:40 +08:00
parent 47dac088a4
commit 85c42efac0
Signed by: youthlic
GPG key ID: 63E86C3C14A0D721
17 changed files with 285 additions and 261 deletions
Download patch file Download diff file Expand all files Collapse all files

89
nixos/modules/dae/config.dae Normal file
View file

@ -0,0 +1,89 @@
include {
proxy.d/*.dae
}
global {
lan_interface: auto
wan_interface: auto
log_level: trace
allow_insecure: false
auto_config_kernel_parameter: true
dial_mode: domain
tcp_check_url: 'http://cp.cloudflare.com'
udp_check_dns: 'dns.google.com:53'
check_interval: 600s
check_tolerance: 50ms
tproxy_port: 12345
}
dns {
ipversion_prefer: 4
upstream {
googledns: 'tcp+udp://8.8.8.8:53'
alidns: 'udp://dns.alidns.com:53'
}
routing {
request {
qname(geosite: category-ads) -> reject
qname(geosite: category-ads-all) -> reject
qname(geosite: cn) -> alidns
fallback: googledns
}
response {
upstream(googledns) && ip(geoip: private) -> alidns
fallback: accept
}
}
}
group {
proxy {
filter: subtag(wget)
policy: min_moving_avg
}
us {
filter: subtag(wget) && name(keyword: "美国")
policy: min_moving_avg
}
hk {
filter: subtag(wget) && name(keyword: "香港")
policy: min_moving_avg
}
}
# 更多的 Routing 样例见 https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md
routing {
pname(hickory-dns) && dport(53) -> must_direct
pname(mihomo) -> must_direct
pname(systemd-resolved) -> must_direct
domain(full: time.windows.com) -> must_direct
domain(regex: ".*wgetcloud.*v2ray.*") -> must_direct
domain(suffix: "hit.edu.cn") -> must_direct
domain(geosite: microsoft) -> proxy
# domain(geosite: onedrive) -> must_direct
domain(geosite: "category-ai-chat-!cn") -> us
domain(geosite: google) -> us
domain(geosite: google-play) -> proxy
domain(geosite: apple) -> us
domain(geosite: spotify) -> us
domain(geosite: tiktok) -> us
domain(geosite: cn) -> direct
dip(geoip:private) -> direct
dip(geoip:cn) -> direct
# dport(63434) && sip(192.168.31.170) -> hk
dip(223.5.5.5) -> direct
# ban qq dns over http
# dip(43.136.0.0/13) -> block
# dip(109.244.0.0/16) -> block
# dip(175.27.0.0/16) -> block
# dip('2409:8C1E:75B0:80::/64') -> block
fallback: proxy
}

127
nixos/modules/dae/default.nix Normal file
View file

@ -0,0 +1,127 @@
{
config,
rootPath,
pkgs,
lib,
...
}:
let
cfg = config.youthlic.programs.dae;
in
{
options = {
youthlic.programs.dae = {
enable = lib.mkEnableOption "dae";
};
};
config = lib.mkIf cfg.enable {
services.dae = {
enable = true;
openFirewall = {
enable = true;
port = 12345;
};
disableTxChecksumIpGeneric = false;
config = builtins.readFile ./config.dae;
};
sops.secrets.url = {
mode = "0444";
sopsFile = rootPath + "/secrets/general.yaml";
};
systemd.services =
let
update = ''
head="user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36"
new_proxy=/etc/dae/proxy.d.new
num=0
check=1
urls="$(cat ${config.sops.secrets.url.path})"
mkdir -p ''${new_proxy}
for url in ''${urls}; do
txt=''${new_proxy}/''${num}.txt
config="''${new_proxy}/''${num}.dae"
echo \'curl -LH \""''${head}"\" \""''${url}"\" -o \""''${txt}"\"\'
curl -LH "''${head}" "''${url}" -o "''${txt}"
echo End curl
echo "" > ''${config}
{
echo 'subscription {'
echo \ \ wget:\ \"file://proxy.d/''${num}.txt\"
echo "}"
} >> ''${config}
if [[ ! -s ''${txt} ]]; then
check=0
fi
chmod 0640 ''${txt}
chmod 0640 ''${config}
num=$((num+1))
if [[ ''${check} -eq 0 ]]; then
echo "''${txt}" is empty
exit 103
fi
done
if [[ -d /etc/dae/proxy.d ]]; then
mv /etc/dae/proxy.d /etc/dae/proxy.d.old
fi
mv ''${new_proxy} /etc/dae/proxy.d
'';
updateScript = pkgs.writeShellApplication {
name = "update.sh";
runtimeInputs = with pkgs; [
coreutils
curl
];
text = ''
mkdir -p /etc/proxy.d
if [ -z "$(ls -A /etc/dae/proxy.d 2>/dev/null)" ]; then
echo "No subscription file found in /etc/dae/proxy.d. Update now..."
${update}
else
echo "Found existing subscription files. Skipping immediate update."
fi
'';
};
updateForceScript = pkgs.writeShellApplication {
name = "update-force.sh";
runtimeInputs = with pkgs; [
coreutils
curl
];
text = ''
${update}
'';
};
in
{
"update-dae-subscription-immediate" = {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
before = [ "dae.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
ExecStart = [
"${updateScript}/bin/update.sh"
];
};
wantedBy = [ "multi-user.target" ];
};
"update-dae-subscription-force" = {
serviceConfig = {
Type = "oneshot";
User = "root";
ExecStartPre = [
"-${pkgs.systemd}/bin/systemctl stop dae.service"
];
ExecStartPost = [
"-${pkgs.systemd}/bin/systemctl start dae.service"
];
ExecStart = [
"${updateForceScript}/bin/update-force.sh"
];
};
};
};
};
}

3
nixos/modules/default.nix
View file

@ -17,6 +17,9 @@
./nix.nix
./home.nix
./sops.nix
./dae
./openssh.nix
./nh.nix
];
config = {

54
nixos/modules/i18n.nix Normal file
View file

@ -0,0 +1,54 @@
{
pkgs,
outputs,
lib,
config,
...
}:
let
cfg = config.youthlic.i18n;
in
{
options = {
youthlic.i18n = {
enable = lib.mkEnableOption "zh env";
};
};
config = lib.mkIf cfg.enable {
i18n = {
defaultLocale = "C.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "zh_CN.UTF-8";
LC_IDENTIFICATION = "zh_CN.UTF-8";
LC_MEASUREMENT = "zh_CN.UTF-8";
LC_MONETARY = "zh_CN.UTF-8";
LC_NAME = "zh_CN.UTF-8";
LC_NUMERIC = "zh_CN.UTF-8";
LC_PAPER = "zh_CN.UTF-8";
LC_TELEPHONE = "zh_CN.UTF-8";
LC_TIME = "zh_CN.UTF-8";
};
inputMethod = {
enable = true;
type = "fcitx5";
fcitx5 = {
addons = with pkgs; [
libsForQt5.fcitx5-qt
fcitx5-gtk
fcitx5-configtool
fcitx5-chinese-addons
(fcitx5-rime.override {
rimeDataPkgs = (
with (outputs.packages."${pkgs.system}");
[
rime-ice
]
);
})
];
waylandFrontend = true;
};
};
};
};
}

10
nixos/modules/nh.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
config = {
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep-since 4d --keep 3";
};
};
}

5
nixos/modules/nix.nix
View file

@ -7,6 +7,11 @@
}:
{
config = {
nixpkgs = {
config = {
allowUnfree = true;
};
};
nix = {
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
settings = {

47
nixos/modules/openssh.nix Normal file
View file

@ -0,0 +1,47 @@
{ config, lib, ... }:
let
cfg = config.youthlic.programs.openssh;
in
{
options = {
youthlic.programs.openssh = {
enable = lib.mkEnableOption "openssh";
};
};
config = lib.mkIf cfg.enable {
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
X11Forwarding = true;
PermitRootLogin = "no";
LogLevel = "VERBOSE";
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
Ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
KexAlgorithms = [
"curve25519-sha256@libssh.org"
"ecdh-sha2-nistp521"
"ecdh-sha2-nistp384"
"ecdh-sha2-nistp256"
"diffie-hellman-group-exchange-sha256"
];
};
ports = [ 3022 ];
};
};
}

20
nixos/modules/steam.nix Normal file
View file

@ -0,0 +1,20 @@
{ lib, config, ... }:
let
cfg = config.youthlic.programs.steam;
in
{
options = {
youthlic.programs.steam = {
enable = lib.mkEnableOption "steam";
};
};
config = lib.mkIf cfg.enable {
hardware.graphics.enable32Bit = true;
programs.steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
};
};
}