add nixos configuration for Cape

flake.nix

@@ -202,12 +202,17 @@
               };
           in
           {
-            homeConfigurations = nixpkgs.lib.foldr (a: b: a // b) { } (
+            homeConfigurations =
+              nixpkgs.lib.foldr (a: b: a // b) { } (
                 map (hostName: mkHomeConfig { inherit hostName; }) [
                   "Tytonidae"
                   "Akun"
                 ]
-            );
+              )
+              // mkHomeConfig {
+                hostName = "Cape";
+                unixName = "alice";
+              };
             homeManagerModules =
               {
                 default = import ./home/modules;

home/alice/configurations/Cape/default.nix

@@ -0,0 +1,84 @@
+{
+  pkgs,
+  unixName,
+  config,
+  ...
+}:
+{
+  youthlic.programs = {
+    helix.enable = true;
+    gpg.enable = true;
+    fish.enable = true;
+    bash.enable = true;
+    starship.enable = true;
+    sops.enable = true;
+    atuin.enable = true;
+    git = {
+      email = "ulic.youthlic@gmail.com";
+      name = "ulic-youthlic";
+      encrypt-credential = false;
+    };
+  };
+  xdg.userDirs = {
+    enable = true;
+    download = "${config.home.homeDirectory}/dls";
+    documents = "${config.home.homeDirectory}/doc";
+    music = "${config.home.homeDirectory}/mus";
+    pictures = "${config.home.homeDirectory}/pic";
+    videos = "${config.home.homeDirectory}/vid";
+    templates = "${config.home.homeDirectory}/tpl";
+    publicShare = "${config.home.homeDirectory}/pub";
+    desktop = "${config.home.homeDirectory}/dsk";
+    createDirectories = true;
+  };
+  home.username = "${unixName}";
+  home.homeDirectory = "/home/${unixName}";
+  home.stateVersion = "24.11";
+  programs.home-manager.enable = true;
+  home.packages = with pkgs; [
+    tealdeer
+    ripgrep
+    fzf
+    file
+    which
+    gnused
+    gnutar
+    bat
+    gawk
+    zstd
+    tree
+    ouch
+    dust
+    duf
+    doggo
+    ast-grep
+    dig
+    lazygit
+    dig
+    fend
+    gitoxide
+    viu
+    fd
+    just
+  ];
+  programs.ssh = {
+    enable = true;
+    hashKnownHosts = true;
+    extraOptionOverrides = {
+      HostKeyAlgorithms = "ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
+      KexAlgorithms = "curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256";
+      MACs = "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com";
+      Ciphers = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr";
+    };
+    matchBlocks = {
+      "github.com" = {
+        hostname = "ssh.github.com";
+        port = 443;
+        user = "git";
+        extraOptions = {
+          AddKeysToAgent = "yes";
+        };
+      };
+    };
+  };
+}

home/alice/modules/default.nix

@@ -0,0 +1 @@
+{ ... }: { }

home/david/configurations/Akun/default.nix

@@ -123,6 +123,10 @@
       mode = "0600";
       path = "${config.home.homeDirectory}/.ssh/id_ed25519_akun";
     };
+    "ssh-private-key/cape" = {
+      mode = "0600";
+      path = "${config.home.homeDirectory}/.ssh/id_ed25519_cape";
+    };
     "ssh-config" = {
       mode = "0400";
       format = "yaml";

home/david/configurations/Tytonidae/default.nix

@@ -137,6 +137,10 @@
       mode = "0600";
       path = "${config.home.homeDirectory}/.ssh/id_ed25519_akun";
     };
+    "ssh-private-key/cape" = {
+      mode = "0600";
+      path = "${config.home.homeDirectory}/.ssh/id_ed25519_cape";
+    };
     "ssh-config" = {
       mode = "0400";
       format = "yaml";

nixos/configurations/Cape/default.nix

@@ -0,0 +1,57 @@
+{
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    ./networking.nix
+    ./stylix.nix
+    ./hardware-configuration.nix
+    ./users
+    ./disko-config.nix
+  ];
+
+  youthlic = {
+    home-manager = {
+      enable = true;
+      unixName = "alice";
+      hostName = "Cape";
+    };
+    programs = {
+      openssh.enable = true;
+      tailscale.enable = true;
+      caddy = {
+        enable = true;
+        baseDomain = "youthlic.fun";
+      };
+    };
+  };
+
+  programs.gnupg.agent = {
+    enable = true;
+  };
+
+  networking.hostName = "Cape";
+
+  time.timeZone = "America/New_York";
+
+  services.printing.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    nix-output-monitor
+    wget
+    git
+    vim
+    helix
+    btop
+  ];
+
+  environment.variables.EDITOR = "hx";
+  services.dbus.implementation = "broker";
+
+  boot.loader.grub = {
+    enable = true;
+  };
+
+  system.stateVersion = "24.11";
+}

nixos/configurations/Cape/disko-config.nix

@@ -0,0 +1,37 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/vda";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02";
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ];
+                subvolumes = {
+                  "@root" = {
+                    mountpoint = "/";
+                  };
+                  "@home" = {
+                    mountpoint = "/home";
+                  };
+                  "@nix" = {
+                    mountpoint = "/nix";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixos/configurations/Cape/hardware-configuration.nix

@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nixos/configurations/Cape/networking.nix

@@ -0,0 +1,26 @@
+{ ... }:
+{
+  systemd.network = {
+    enable = true;
+    wait-online.enable = true;
+    networks = {
+      "ens3" = {
+        matchConfig.Name = "ens3";
+        networkConfig = {
+          DHCP = "yes";
+          IPv6AcceptRA = true;
+        };
+      };
+    };
+  };
+
+  networking = {
+    networkmanager.enable = false;
+    useNetworkd = true;
+    useDHCP = false;
+    nftables = {
+      enable = true;
+    };
+    firewall.enable = true;
+  };
+}

nixos/configurations/Cape/stylix.nix

@@ -0,0 +1,27 @@
+{ pkgs, rootPath, ... }:
+{
+  stylix = {
+    enable = true;
+    image = rootPath + "/assets/wallpaper/01.png";
+    polarity = "dark";
+    base16Scheme = "${pkgs.base16-schemes}/share/themes/ayu-dark.yaml";
+    fonts = {
+      serif = {
+        package = pkgs.lxgw-wenkai;
+        name = "LXGW WenKai";
+      };
+      sansSerif = {
+        package = pkgs.noto-fonts-cjk-serif;
+        name = "Noto Serif CJK SC";
+      };
+      monospace = {
+        package = pkgs.nerd-fonts.fira-code;
+        name = "FiraCode Nerd Font";
+      };
+      emoji = {
+        package = pkgs.noto-fonts-emoji;
+        name = "Noto Color Emoji";
+      };
+    };
+  };
+}

nixos/configurations/Cape/users/cape.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIH9MU2xZ175iLWcULZkU6crhocFgjcvUHXf0ttJ6Vbp david@Tytonidae

nixos/configurations/Cape/users/default.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+  users.users.alice = {
+    initialHashedPassword = "$y$j9T$eS5zCi4W.4IPpf3P8Tb/o1$xhumXY1.PJKmTguNi/zlljLbLemNGiubWoUEc878S36";
+    isNormalUser = true;
+    description = "alice";
+    extraGroups = [
+      "networkmanager"
+      "libvirtd"
+      "wheel"
+      "video"
+    ];
+  };
+
+  programs.fish.enable = true;
+  users.users.alice.shell = pkgs.fish;
+  users.users.alice.openssh.authorizedKeys.keyFiles = [
+    ./cape.pub
+  ];
+}

nixos/modules/caddy.nix

@@ -16,5 +16,8 @@ in
     services.caddy = {
       enable = true;
     };
+    networking.firewall = {
+      allowedTCPPorts = [ 443 ];
+    };
   };
 }

nixos/modules/dae/config.dae

@@ -61,6 +61,7 @@ routing {
   pname(mihomo) -> must_direct
   # pname(systemd-resolve) -> must_direct
 
+  dip(107.174.145.140) -> must_direct
   domain(full: time.windows.com) -> must_direct
   domain(regex: ".*wgetcloud.*v2ray.*") -> must_direct
   domain(suffix: "hit.edu.cn") -> must_direct

nixos/modules/open-webui.nix

@@ -23,7 +23,7 @@ in
       let
         caddy-cfg = config.youthlic.programs.caddy;
       in
-      lib.mkIf caddy-cfg.enable {
+      lib.mkIf (cfg.enable && caddy-cfg.enable) {
         services.caddy.virtualHosts = {
           "open-webui.${caddy-cfg.baseDomain}" = {
             extraConfig = ''

nixos/modules/openssh.nix

@@ -11,6 +11,7 @@ in
   config = lib.mkIf cfg.enable {
     services.openssh = {
       enable = true;
+      openFirewall = true;
       settings = {
         PasswordAuthentication = false;
         KbdInteractiveAuthentication = false;

nixos/modules/tailscale.nix

@@ -11,6 +11,7 @@ in
   config = lib.mkIf cfg.enable {
     services.tailscale = {
       enable = true;
+      openFirewall = true;
     };
   };
 }

nixos/modules/transmission.nix

@@ -41,7 +41,7 @@ in
       let
         caddy-cfg = config.youthlic.programs.caddy;
       in
-      lib.mkIf caddy-cfg.enable {
+      lib.mkIf (cfg.enable && caddy-cfg.enable) {
         services.transmission = {
           openRPCPort = lib.mkForce false;
           settings = {

secrets/general.yaml

@@ -2,6 +2,7 @@ atuin-key: ENC[AES256_GCM,data:e3K7/7BaeXuR+vHJdtO79UQp3XRvROcD8ISkuCp3KGCSlBKUM
 ssh-private-key:
     tytonidae: ENC[AES256_GCM,data:I1RF/umtOGAuSVoLfwDnN2DG+w1yWqPkhZzM61y5XRSxF2Xq5C/iUJGWeCc+1Hwbw+oEMnm2e57m79Uke0LIJJrw//kRMqNOewQtx2xHkNSscWKCIANoNiDdhlOnB0r0BfXObr0xEu/69ST11lupPGIGQiWhjT1BY7c4NhAhhzfThttQCwznfrX3SfLu4p2Akg6p8QmRcU6h9kox+PK1Im+h956W0dYVnIe4ePZ3NGitQll9hxLxM+agnxF9wDDO+4pQ3i8aadbxLr8ug/boEhBy/e+sOKqzboAiWpuDjfQRUxklz0IxBihK8z6J/AHgXusxs70EdUDKf5sH7RIi95poYqJdl6bKToSCJtuM7JQ/eNTUjHvUZlRvlXSZG4iNypUYTOxSHTFGH7rA0wNeE0sMXkaTfJHD5utZDjxibICW1+BYXam8mTKWhXMUyfAL2bLMRmshxRB81bPnik08axpzJ22oSxZ1AfPz5I98zn/o0bDlAPTRetImQtSN181WrRHCCVUMe4wZIfgQvVryFgfPU06gqztgU2DB22QphXXysHn4p3jbAF3Hqvgq0f+iNXoh6NJLaUD+i7xb,iv:nSTfnDbaS9DZL2WhVgcu8qIPkYH1Zws58yvcIeSZCzk=,tag:JJV7vJylaFOYdVjyeeOt9g==,type:str]
     akun: ENC[AES256_GCM,data:d04sdY1cvJuOPSq9H2lT26jrUFSA1sHz1i9jj+XtXGeagQyc4XaknTmfC3EDfvNghoizZWZ/Ma+BfIvnlWDBFqhkGhdhB7X8PnI9rySOfkMmOk2HXHtvP4GfSy2oQ4BMRfYX2N9TcViascnXA9MRsetDjD3fhiCKkZ+2H/sthxw38JgK95O74lFCze7sc4ZzK/RhXaBkLFrQpMdqnGBYpH9wuHiQSlFxBQ0jHJDUeOSxOdCanw2xfdkJnNe5dKRweoYp4Mtit2C3DRdaT3lMQ/SQjfEhUs/0TIXyunoWE7nX5tUN2F2s/FtkPMU5lpiW1x+kntMBBfY9TA+r4CyH4lkhFit+DsIkPfdUZGzSquQAHHWzDzS5vXnKTf8NFCzHIeoQzegkf4JS+CWf51Iy15FfWy+Pd6CmxLikAQnGTixGDa7LMqOV48BhZ5it/hJmrzg0FMkNFeeJW/s9YvCNMae8lMt/0K+N+pUD/Ud8VJnIxP4MmWGKRwNNFHivGuZjtKCJR9agf1N7NPBDDqV7HRDYAfxa2sPozWZ5ZGGGlsmINeymNk10aY4ovRs/6CcRWw2gPspNuxvqb9HQ7r/cQFmGhLYpkliRLpFM/skLCHA=,iv:YVPvHL4nxqJMR8PE+hraS0piboGYXqyljgGcBHqG38g=,tag:HSab+C3Xd5wMzyomF9dGMA==,type:str]
+    cape: ENC[AES256_GCM,data:5CD6oW9IBAjf9X3waQXMSt82ykOzUZ1D2VFZvZVLRWw+6GUDkPF1jSl9bLR6igY3cQO6164Li7gDz/yImoPgPpy7mvG4iJjaILSWVr9ZwB1dmWK30ZkHB1wpPxHbrSXo6M3t610x8I1ScqSkgh2PV5+cmMH8wd+QSgKwoL7IOoXHkuqKHxI9D+dCGSHH35MvQwWQO0jyn3vjFDhBode5+7tbMPD9dgQLDmWkiSE2xkgIh/RqsJ5x6i8qferyWZeHv9fJMYpJi9SJJe+LwmHZW/JHhaHZztAAu5sHFtC8pA0UwiUMn/ND8L28J1nuMHHNZEF3rmX1cQykPYP1VeNya8Rf+aSzNtD/LjJrU5bjBNt0IEatsnBPUDNZNFrOxgWV4k84wCbDknwqmk5tYLgMF/BsXdShbMguezTgOZS2xpX35QZ3TM+mHkThtPDR+i3ZuDvj5kvAMngCIr95TtZRilGAytABF5CCE6e7jxGG5ijCa46AHDi38/Dk4ci/2s5sY/ekUDLFjhYIkLEFQWsn9VAy9MD+Bkkr+YjHQ1rL74uuqgccxRjEqzBFvVZliq7SbYQ7Bub9qFld1o4+P/YbUGdJlmd0+//pKO9ws20AjvU=,iv:VplLC/sDztaqUiHr/3aglvqxyptZLN2MV3HQzneRk9A=,tag:/hUJjB+oxCKTPk+hPgC4rQ==,type:str]
 git-credential: ENC[AES256_GCM,data:Rt6ccMJ+D/Jv1U7Ex51j4zIKp5KIyPFJdWZwJyW6liU5CHxBfrFWeNOJobhT5tFPrhzHRUI=,iv:f2SYFKpAcHoKG3dMsniKRi02EFDzwgzzli5Qzw8CWqo=,tag:hUi0FAZ7+2+mcqUsz5HtbQ==,type:str]
 url: ENC[AES256_GCM,data:snv3FaeR8t30rOX9klSNdY/xqcHGXO1DnVi4GMkvyqaII9l/l8AeSlfOVM4qZq8Mqvn01FaiINOE8WPjhyUs9uYp5pfD7X5EXK+5vWwBYmE/isWlHHHNUhuz3UTV/xiSad4n4MiD8wxlF5u8cImwhDyO+SoG,iv:Tay4S5ZFMEIW6MrHnlen85FGvDJ5ZqfVBlgO5MQWufs=,tag:Njywn0i8W7g6cdDvPeJWEg==,type:str]
 open-webui_env: ENC[AES256_GCM,data:HUoNzOqVuu9MtW4VZJfrh4DbzQCtVYa+FzhDs21FpvImuVz9cue0X8s2MXKqYH0LD1US/DJKL4QLLeNTKVMGxmBOCGxSIgeFejnqK5k/r0GF54SBOURWZn/TyzqxZKAym01DUvfNIe68LhvW1LOHaCDK4zsI9BnhkBVjV8/Vmsc=,iv:4aUgQ6HoLqeuUp01fg+yXQRbH6mS/dakZ1ZUdCZzvAM=,tag:GlFnN5bqIcIZadXmFBkSXA==,type:str]
@@ -29,8 +30,8 @@ sops:
             RjdOK1RiRHRzTGd1dDlUTEVRVzBtQk0K5vtopA4dhLODrVlUnegm9f5DwSvOKuIS
             bIPHM5FarLGRXTXs09vKW5LFKo3BOm9N4Zc6q4cV7Pdp5+AZEEp/0Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-23T16:39:54Z"
+    lastmodified: "2025-01-26T07:53:45Z"
-    mac: ENC[AES256_GCM,data:aGl7qMUkmcMeU+oh9VtE6bPS9aEwxe4aqn3oJlARkUKnUJdxRxj3BCDbRlp0dMcRSKnlFq7A5PfWlOR62yL83pZrSgh7XPP8R4j8qFZ+vRnGbs8nTG/hPw0swYff8nx9xxrneMw8JuLFkYBWCQXjQsDloiUSIAW2G4tadXG51hY=,iv:eiEmGLI5NViLFkR3mf0uzz0AefA/FohES2vf4qbLB5w=,tag:GcK0K5sQF2KHZ5S07+uJIA==,type:str]
+    mac: ENC[AES256_GCM,data:0ndToxSzjLVwdWgxq64naRilPbX9X2+0l9r8eFpKplg1ZOT3gWBQHKrp8ShWmvgmjr5LvildTjqfBC6WGh1Aj3X5xQEnAzCD5IS4bpLtCKMzShiOL2z9ExXBfNMrfs5p7BVxAYQg2pWusDRgx2x+4Z5iiEycocky295rtph3qQ4=,iv:t07So6P8Op0ylUvASIFiaaDWKPrEsRvl1UdqhEaQnDg=,tag:D0Z+aM6YjUQZ0iYX++1dtA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.3

secrets/ssh-config.yaml

@@ -1,4 +1,4 @@
-ssh-config: ENC[AES256_GCM,data:kQe12czlvgScrtOae32PpKNrXREh1XP5n7WrFvBb4NcGLRj0j61T490D5v6vgTzppyQnU84tTNVtMBUfdLN6jjdli8cEM71qcKy4eLw=,iv:FaUEI9dYamBt7kI9quCNBXZwDzTosR4ad1JQq6IatBE=,tag:R4TTA6iMrRQPt1ApYBGfEg==,type:str]
+ssh-config: ENC[AES256_GCM,data:I9j2GFdag4JpJaaKdm1oS6hHmOy+Y7w7ykPGPhEaLZk9ndUS7LRfcYuMZtUwK/5OctHJKz+UqdsA0Dcl2y1xNN4iIoNqWhShEu8e/N/ASN8UUd67xrkxC6LNjbf/WCyA1ib0jH/Dh8/frDs=,iv:G4AwOhpXpykjrTvMoHEvXFHQzUwWvTaq9id2DuK3k/E=,tag:XcpDZbPVovs5iEd3lpumcg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +23,8 @@ sops:
             Vm9nNE9aVjNtM3dUcHVMS201aEUzWVEKsRUBRWmJH+SeySfohgygVdJWy8eGB6Kh
             dFvTObd4VenTVHI6/Cz2NZAYVEYWVe7d68TeGSNTPBVaFqqgqRm/Vw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-19T15:55:21Z"
+    lastmodified: "2025-01-27T02:51:28Z"
-    mac: ENC[AES256_GCM,data:i1/deYyKf3kkUyFZeiUH0958uDNSZoN0ykChfhr1i8pbvbUe8EYrOJNI5HShhaap9nmpc6f5XFG9xA2DT4oCF1m3RSz9lVJguSRK05L7/1U7GdK90PTaPaTrNio7o0JiLAaarD3TmaPhhpcM6pE+Hz0f0oKpNEFbVI38dMlDq7M=,iv:UXTm9X9erv+dPjSG8WdHyqbl5hyiCid1cpYfDjk2rK8=,tag:3UhJ91wnrzPxPH1Ilr6o7A==,type:str]
+    mac: ENC[AES256_GCM,data:JIv/R2t5adjPV4h4WMITfF9wQ4OyV1Cy8TKc9IUDX6Xu/JYSiYKhCUAzV/CkjG/FGEjeXz9dzzhR5wrZefVf2FnrTErPMpdy4yxuDL28F1zMK+Uixay0FB4Z52PmDXzzNhqOrEUhC2t4ev7/SUtxmJjgJ/Q8e8Impgsi4TLvhlo=,iv:Sx8T2Acryn4d3KhIf3Of8Fo55ma4g00wBwyOsL4gVls=,tag:OUX1313d9NW5MmTq2yT2Fg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.3