+

oluceps · Oct 16, 2024 · 919364e · 919364e
1 parent 673917a
commit 919364e
Show file tree

Hide file tree

Showing 14 changed files with 45 additions and 12 deletions.
diff --git a/hosts/abhoth/spec.nix b/hosts/abhoth/spec.nix
@@ -15,19 +15,14 @@
   nix.gc = {
     automatic = true;
     dates = "weekly";
-    options = "--delete-older-than 3d";
+    options = "--delete-older-than 1d";
   };
 
   boot = {
     supportedFilesystems = [ "tcp_bbr" ];
     inherit ((import ../sysctl.nix { inherit lib; }).boot) kernel;
   };
 
-  systemd.services.trojan-server.serviceConfig.LoadCredential = (map (lib.genCredPath config)) [
-    "nyaw.cert"
-    "nyaw.key"
-  ];
-
   repack = {
     openssh.enable = true;
     fail2ban.enable = true;

diff --git a/hosts/graphBase.nix b/hosts/graphBase.nix
@@ -323,6 +323,7 @@
 
     inputMethod = {
       type = "fcitx5";
+      fcitx5.waylandFrontend = true;
       enable = true;
       fcitx5.addons = with pkgs; [
         fcitx5-chinese-addons

diff --git a/hosts/sum.toml b/hosts/sum.toml
@@ -24,4 +24,4 @@ addr = "[email protected]"
 
 [[host]]
 name = "yidhra" # feral chicken
-addr = "root@8.210.47.13"
+addr = "elen@8.210.47.13"
diff --git a/hosts/yidhra/network.nix b/hosts/yidhra/network.nix
@@ -1,8 +1,11 @@
 { config, lib, ... }:
 {
+
+  environment.etc."resolv.conf".text = ''
+    nameserver 127.0.0.1
+  '';
   networking = {
     domain = "nyaw.xyz";
-    resolvconf.useLocalResolver = true;
     firewall = {
       checkReversePath = false;
       enable = true;

diff --git a/hosts/yidhra/spec.nix b/hosts/yidhra/spec.nix
@@ -59,7 +59,7 @@
         openFirewall = 4432;
         credentials = [
           "key:${config.age.secrets."nyaw.key".path}"
-          "cert:${config.age.secrets."nyaw.cert".path}"
+          "crt:${config.age.secrets."nyaw.cert".path}"
         ];
         configFile = config.age.secrets.hyst-us.path;
       };

diff --git a/modules/trojan-server.nix b/modules/trojan-server.nix
@@ -5,7 +5,12 @@
   ...
 }:
 let
-  inherit (lib) mkOption types mkIf;
+  inherit (lib)
+    mkOption
+    types
+    mkIf
+    optionals
+    ;
 
   cfg = config.services.trojan-server;
 in
@@ -39,7 +44,12 @@ in
       serviceConfig = {
         DynamicUser = true;
         ExecStart = "${lib.getExe' cfg.package "sing-box"} run -c $\{CREDENTIALS_DIRECTORY}/config.json -D $STATE_DIRECTORY";
-        LoadCredential = [ ("config.json:" + cfg.configFile) ];
+        LoadCredential =
+          [ ("config.json:" + cfg.configFile) ]
+          ++ (optionals (!(config ? repack && config.repack.reuse-cert.enable)) [
+            "crt:${config.age.secrets."nyaw.cert".path}"
+            "key:${config.age.secrets."nyaw.key".path}"
+          ]);
         StateDirectory = "trojan-server";
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
         AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];

diff --git a/sec/hyst-us.age b/sec/hyst-us.age
diff --git a/sec/rekeyed/abhoth/91682cd7361c686c624a42db7ed39c81-hyst-us.yaml.age b/sec/rekeyed/abhoth/91682cd7361c686c624a42db7ed39c81-hyst-us.yaml.age
diff --git a/sec/rekeyed/abhoth/bd9d4a155f208eb6a0ea867dfd4dd300-hyst-us.yaml.age b/sec/rekeyed/abhoth/bd9d4a155f208eb6a0ea867dfd4dd300-hyst-us.yaml.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 hJdCng +8z3gEROP/k142y0K1cVKQDTgz4VTmEhuwz+x00/mlQ
+RbGGMH1WTkzM/FMCcnJJ33ezQqEKYk/rL3OJ0US468o
+-> '-grease mQ :JP>>Y :y:sK) ,|E
+fuVfg5xMLi/6cucKT9gUSbbKuJq7Atq3rhMHj4LFHwlJh8mCOH6wBmmsggDlCO6y
+Kz+j1Pa8y86oMQdn4rVsnszAroVbPs0iuk+F
+--- px2MmTprbeceTBTBygFHVSncKLj7IazdruCwU1lDr0w
+J�ԁ|>�@��vsU��⛙�k˙��,��������1�G�^C�wTܛa��!8Xb�FCVs񱚀��3�S3\naj!�P���T�e[�ot7+{�3���s���'����)��H�g�^sl�y-��r�6�:��N�����b���mvj)f�3��q��Ѭ�@��]G�$�[M��S�E5��a�[Ya�%��baǘ<K�ޭ��Ur�oS$/����DT�ޏna�`	̓���kϋޑ����l�
diff --git a/sec/rekeyed/nodens/cd4767e02bf1f33ec54729660b12a212-hyst-us.yaml.age b/sec/rekeyed/nodens/cd4767e02bf1f33ec54729660b12a212-hyst-us.yaml.age
diff --git a/sec/rekeyed/nodens/ebce21f5c58e3c694983583f8cf66550-hyst-us.yaml.age b/sec/rekeyed/nodens/ebce21f5c58e3c694983583f8cf66550-hyst-us.yaml.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 OyH5xQ OHCP6HZPQEyxOlDQIVYL2Fi7Ukz8/+GDxLNIX8SKeks
+xXXUZ1HsXBa94li4F5Q2MjFgPP9tEBUNMqpwbg9/ozY
+-> #RT-grease \sxr
+L1YfNfbFRCoTO2U5dmQaDywVZscyUc1/xAvWL/h6LQ
+--- hmB22Jtas9Fnz5HfJlWxXWtuvxlqtsb0x5HeRf07BxQ
+ �B��h�L���6�����Qx҉T���`$+��T��OG\7��]C|�ڂEJ+r��α�.��L|^3k����.!v��DG�{���G���W��U��'��yN��[̇�#f���4��W#�N�'�p����;�˭u+=R�8?Ȟ)��������J��T�gLk��O��'ų��+��F�+�d>��ci3QY��T@��2J�@b�߹��Gc�;t��@{p�˸�Z��=q��}�
diff --git a/sec/rekeyed/yidhra/b320ec1e19fb3f735b245d70b9f3df07-hyst-us.yaml.age b/sec/rekeyed/yidhra/b320ec1e19fb3f735b245d70b9f3df07-hyst-us.yaml.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 wfJcTA ZLGXYOmxn8MXuu1avBqGyGeJF1etXaYK5ZHZzAugXHA
+hcTpWZ/clRwZpzx67ByQEvGklc9WLsYS10zYhw0KyH8
+-> ZTZ-grease b$ ?; T)]l% ^
+pIValIZsusO6ZQrMfWj2m9rKuHB8PRuH0IcOS3FKnGbV9CXuCKLV4GAe1It4TPAU
+8Zfo29zNu704m5ywc9GtnsqoCf827vr77VF9CCETOV2wI3v2yh9R14Wnt1qS2pO5
+0w
+--- OoObqmL/7G0+kYjhJtOvMz/DabL8HkIKSrgzXUVuvTs
+�`݀2È(�I�c�_4A�Y�B�aP�.m�ˋ�6kAn�L�j�E�g�襉5`37�y��U�s�W�r&�QxBru�:���z�y��<�8s�����������F{��,0���I�H5�RE���a���(�(�y�?�*���$�-4�����r�.���������W����V���$՞\����܎�<�;����.�.�[�s�c��~ۦwF!i�t�~`�v�Ig��

diff --git a/sec/rekeyed/yidhra/f97e0d18a885ee6e72ea3792ddea4d2f-hyst-us.yaml.age b/sec/rekeyed/yidhra/f97e0d18a885ee6e72ea3792ddea4d2f-hyst-us.yaml.age
diff --git a/util.nu b/util.nu
@@ -74,7 +74,7 @@ export def d [
     }
     | par-each {|| {name: $in.0, addr: $in.1, path: $in.2}} | each {|i|
         log info $'deploying ($i.path)(char newline)-> ($i.name) | ($i.addr)'
-        ssh -t $'ssh://($i.addr)' $'sudo ($i.path)/bin/switch-to-configuration ($mode)'
+        ssh -t $'ssh://($i.addr)' $'sudo ($i.path)/bin/switch-to-configuration ($mode)'  o+e>|
       }
   }
 }