From 86e98d062d116441d3b3a95c7e3d3f771ca5482b Mon Sep 17 00:00:00 2001
From: Ziping Sun
Date: Mon, 22 Jun 2026 23:05:33 +0800
Subject: [PATCH 1/5] add DNS for lax0

---
 flake/hosts.nix | 4 ++++
 nixos/services/coredns/default.nix | 5 -----
 nixos/services/coredns/szp.io.zone | 10 ++++++---
 nixos/services/sing-box/default.nix | 1 +
 secrets/hosts/router.yaml | 31 +++++++++++++---------------
 secrets/sources/coredns.yaml | 19 -----------------
 terraform/cloudflare/dns.auto.tfvars | 1 +
 7 files changed, 27 insertions(+), 44 deletions(-)
 delete mode 100644 secrets/sources/coredns.yaml

diff --git a/flake/hosts.nix b/flake/hosts.nix
index 595aafd..7236e33 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -112,6 +112,10 @@ let
 services.nginx
 system.disko
 ];
+ nixos.lax0 = suites.server ++ [
+ hosts.lax0
+ system.disko
+ ];
 }
 );
diff --git a/nixos/services/coredns/default.nix b/nixos/services/coredns/default.nix
index 0e0b554..1d608f7 100644
--- a/nixos/services/coredns/default.nix
+++ b/nixos/services/coredns/default.nix
@@ -67,11 +67,6 @@ in
 '';
 environment.etc."coredns/zones/szp15.com.zone".source = ./szp15.com.zone;
 environment.etc."coredns/zones/szp.io.zone".source = ./szp.io.zone;
-
- sops.secrets."coredns/secretRecords/szp.io" = { };
- systemd.services.coredns.serviceConfig.LoadCredential = [
- "szp.io:${config.sops.secrets."coredns/secretRecords/szp.io".path}"
- ];
 })
 (lib.mkIf (name != primary) {
 services.coredns.config = ''
diff --git a/nixos/services/coredns/szp.io.zone b/nixos/services/coredns/szp.io.zone
index 32f55b1..28eb357 100644
--- a/nixos/services/coredns/szp.io.zone
+++ b/nixos/services/coredns/szp.io.zone
@@ -1,7 +1,7 @@
 $ORIGIN szp.io.
 $TTL 600
 @ IN SOA ns1 me (
- 2026060902 ; serial Tue, 09 Jun 2026 00:28:00 UTC
+ 2026062201 ; serial Mon, 22 Jun 2026 00:14:00 UTC
 3H ; refresh
 40M ; retry
 1W ; expire
@@ -19,8 +19,13 @@ hasee02.nodes IN A 10.112.8.3
 hasee03.nodes IN A 10.112.8.4
 desktop.nodes IN A 10.112.8.5
 ingress.k8s IN A 10.112.10.100
-ai.vm IN A 10.112.12.2
+hgh0.nodes IN CNAME hgh0.szp15.com.
+hkg0.nodes IN CNAME hkg0.eh578599.xyz.
+hkg1.nodes IN CNAME hkg1.eh578599.xyz.
+sjc0.nodes IN CNAME sjc0.eh578599.xyz.
+sjc1.nodes IN CNAME sjc1.eh578599.xyz.
+lax0.nodes IN CNAME lax0.eh578599.xyz.
 cache IN CNAME cache.o
 niks3 IN CNAME niks3.o
 hubble.k8s IN CNAME ingress.k8s
@@ -30,4 +35,3 @@ grafana.k8s IN CNAME ingress.k8s
 metrics.k8s IN CNAME ingress.k8s
 logs.k8s IN CNAME ingress.k8s
 cdi-uploadproxy.k8s IN CNAME ingress.k8s
-$INCLUDE /run/credentials/coredns.service/szp.io
diff --git a/nixos/services/sing-box/default.nix b/nixos/services/sing-box/default.nix
index 7a1f756..d4b4a74 100644
--- a/nixos/services/sing-box/default.nix
+++ b/nixos/services/sing-box/default.nix
@@ -285,6 +285,7 @@ in
 "87.83.107.0/24"
 "194.104.147.128/26"
 "185.218.4.0/22"
+ "209.209.59.0/24"
 ];
 }
 ];
diff --git a/secrets/hosts/router.yaml b/secrets/hosts/router.yaml
index 1f15f95..0e30713 100644
--- a/secrets/hosts/router.yaml
+++ b/secrets/hosts/router.yaml
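Review bot: The new entry `"209.209.59.0/24"` admits a whole provider /24, while the only lax0 address this series introduces is `209.209.59.219` (terraform/cloudflare/dns.auto.tfvars); the enclosing list starts outside the hunk, so its role is not visible here, but the neighbouring entries (`194.104.147.128/26`, `185.218.4.0/22`) suggest a per-host or per-provider exemption list. If the intent is only to cover lax0, the narrower `"209.209.59.219/32"` keeps the rest of the provider range out of whatever treatment this list grants, and a trailing `# lax0` on the line would make the entry auditable alongside the tfvars record.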
@@ -1,26 +1,23 @@ -coredns: - secretRecords: - szp.io: ENC[AES256_GCM,data:z6dxExfis0mSZL+nVFuCZxLrRjKm6aCwt/vzaa3Prkfo2jYs92GKhrm4YdCAGf0AoWrN62SlO79S3eWLibSKTCMaKBG5FuVC3lOD7vc2DvvhB7W9RFhpeKEUSWaLRENDU3xcHrbZUO8F4tmjPSpa3s+nqBFgh+mPO+Rzuk4PtUj2IrX/Ml+Ymn34QDoYJ7NKU+dhS9NTSq1mp0aCPQYwSKflIq6P0n5iNit2wwyOk967qRqMANIZB1dhAxM0fcyc,iv:RpFTmFPMwkX/EhvvlERVMhZo9VjpNpVsuiPwzMrcmuw=,tag:IzHxWwmTp4H61Y4vwGuFTA==,type:str] ppp: - pap-secrets: ENC[AES256_GCM,data:drXV/FJjB3UTX6AIhs/NYZtxOi7lKg==,iv:4qEovkx7J/4yp74dS4mH70k4G9dPdjiR5jg2tGpACfo=,tag:HBOh4qTtPO2YCKnfJ7Wmqg==,type:str] + pap-secrets: ENC[AES256_GCM,data:HiTHqYh4Kem3JWodVNCQ9J/iItdIoA==,iv:GCfmsuGPPIkM0kDKd0bCme75ZZWbOUOOJjhlobsxHtA=,tag:8HRXG2lcPQxkDEoepcwUyQ==,type:str] sing-box: - config.json: ENC[AES256_GCM,data:ab2/RQfOtie/1rlvjeeA/tOEfAdhFOymWFn+nv/yd7eLY4mUCYf8aWqxlTPDsWgt5gzHqq3WJLxGgRbc8M032NeKPoLNCcsAcvGy5YyN7Jb+OIw2JF9znYG8XPuZ38h3jRmFhzjAGZzKZIMbFp2AB4Jo3NZnf3dpjN2lKPvFw+Cjx/kevIOVzyREEj1XesFs6nJ16V85H0ErFyJbqN2PdoSLd5A1b2HpBxBmoxmyvVxiw0kRrO8i4I5Qoo7cxXoJtsVhH5vVpwvyl09LtWag4NeHq6EfWP+J2Ood4xiEPtfFi8OrOoISTtEhgqkFP8X7hM1uq4ciSFOhR1fJLo5wmwQ74pZw+7l86FAxt6JRmXkAb2TtBkP8HTzhrH9RfYBxcVx34XVpScZZHRJFJJYHyhCMNAFSfOumuB9WE7YIyh9ahuV6cOsl1qLV11LdN5H2dT68U2IDCwBL9YfN9WvP09m06PAXnPJ9e3C29lKCRRf5fksakW3tn+mN6zPX3o07TyaNBP2WLahIy8mgaewP9lV+haMbpx1/M+RHXtYrwEjrCG5CXvyzecwh8y0tl0x5hmdWWMVvGQyS91ha6/WxDkNAeuc8asORSTdJjMq70fVoWAOBihWFc0qFJxSd2hK1chrzCw78AaspVF+b8pS5aYRMzl2TosWr2HpAGice8EWmZUGdoccP/X9RS4o4LUp2TeadG1woQNsLMLmeN1hlYvoGCI8c6IpDui6YBqSlFCC7/LvTA+WphaW4ZOZgDPL3jRWz8Oy2XOn6f9VF2P4kacSNqgenmaUXhU01gwmSnNvTA+SLq+jrmu+gfbu0iGWezS/FuHO2O3raENtvGDjvYJsRL9LpujiWEWPBVmpEAijgZvdl5kAPt4l19KgmqFG8d41/fvp8MzQ+ICnAEMicwyVfYt1KxzRgrY/wpOu9vyilua4UCF3tH2OlLPxWwJ6uOJKMLTC8Lqh/ZmRjC+XLcW6LlEkgEfYfnoqt9g16N4JynyfJjFmPz620xOpGEfSdNQkWqmrpqynPmFnNL5l+BJeqOqWeb6IOnsU8f8yFE7R1ymG/drS2IrudaMajMBQVMBMMY7u+Xtn3GFNZwKi0Pz6K+V6Oji9zyqdJyPh+MA7ygvUPOTFqfk8QQVmRcIdm/vMxXTBCdS6E9NRPHEWNri93GepWA346xnLDmCoXsGFKWUm84BhcTgt7md7O7DN7mavIx
CSmQKwcjCAalmDYpCC7U0VxjLDJsBSZ5kgil4iCDGf7JP8p+YjfnOhhO1yT7CfoOi0pKLw9/rH/gmd8Sp1TSRtBcrb6IfO1b2RvsEkYXidTePPrwSNLhI8xjMsm49RB+lvcscU7ZW7GV9hOezfCA7Kj8uSsPcu3hYRBSVUEpxAve11wd0hu3twvfdPvDfSSPnzyilClZRsoSEXYbkFiW7sqbMvpbyGluVzngPwEXpnkm5aabQlP8hhfAiV3BAya/Paxo+RfhU+LJ5dJa0WU/NKjph5s2lYQezghfJJgfrwh+aYXwE8OyKuNTVkBAMBamUM1Tebycx8G3bkTqXrksxufb4quTnioxGWe1T2ti4GXEzA/sfyJQ5LJxxWsnMSMJH5V5eWHKfEMYdll/FEiN1guxwokqNzmp6C46HvGXkJE34ALLuSncF0cjbz45nTCZjSbnPWUbT5WZIQombWlIuva/HDQnOK6WOSkv/gAzFsionW15fEyjNr2rNt5f4VB7JQucgdg9l4NiLch1+/Phbjr5FPrriGNl34E5ITSqgoXIyCy06EC/SffYKP5jqq5KukCv4xRZFlUFqVIzve9U6rvrcAGZHj7eT9/x0RMlACW0AW3YVluPipcf7lqzSD0osfmnC6oTL05iOdtUKRJszApdnVAljKfa/Cs4sZG0qFf5d2GEDdmxWtiGI1rWbRozijNal1+itQ6p2UEdKH22wJHA219Bjj6SSmHRunv2SLD07yT+iKKchrp7Dg8JXOFeUhPhvSfc9c/NaIO3D+jnN6ANA1iAo3DZIubAxpiWHj/tU/aTyEMnLjXU+jkHyXnuhRtuVZN/SUq/+QyQGlVRUyh/BubAPRMqrClRavisP+FNFQEtRVsORbOk7eEgK8bE1+hGglo0ehHq49MFDv0t2OkpfBx3Nbjv/qp+lE1HHgMg5EIDZMt16+ZMVoWe9TEOtj1QLVvxJiFsDtV//Wl6JbPRVDadK4xqUACiINkLVDTdd4BaLGKiAsP+A/8iqhp0zA61zOop1kbju0aGN7JgTS86c4scBjuC2jwBVaZ09ugFsWkpWV/xlaXqnJez829EO0TdvB1jAM7AHp+oWL3xUsB7ai/W0iesdaB/fGQRHUj3U6UOXL9thIEw0lXxRZcVon5KjdFr9MJoP1XY93BpqrxYFb90pRFUic0gfG1n4QwI7AbBHtZIL+zb3FMRaXPGK/Z0hLcG4MGDrdVz6I20+0qAgN+WhT8tC3ZoMyJjd1etL69gCUeppenU2l3GNhI3+5K33gLAr0qZR1Jl9tjQgIDshrKAU2buU1xQ2szq0qWsb8/tZr/pvGl5/3IZ3ZIcqwJ+Ym36Ag2XqGZAv88t2pBalNO6wquk0Is4zf7Unhxy9f/RdZ/RsG9591B65TgSkjRVBVxAN3jTeWmNzHMYl/FG/4AL8+KKA3leMpOFvST42LL2Ln79SMvRCZALQUgsm/bR1dwDq2i0otSDL/yBEYPcvs5oCNA4mgBIL1beIgfo54oRCqTpSjhL6tfAIwoNUWmLQo0m1KWZ0w/u8BgL/LbnrjDYBg9H5jNG7LoY7PxYIH9qBvLSduQHxn32IExoqgyUrvjEvbjY8CeWr2Qo8XOkeWVMStexLebPNRQzu3fE9FvlvoSJJ2oKnwMqETngEkK4A3LcPnzMUttv48NuQd0603LrOJrHhpO63YMeYOWmVaDtRLc1DIM23Qz9hLjMQ9EELzEA6dVuUGZ2HQUy1pqgivbOcqTIS02/KMJT1wdODe90cyH7w4c4wkOD6K9pONiIpdPou4=,iv:sWlQ7lY5YB8hPcaILbLmAXqOjc0xUJJnUmvaPj1qXCE=,tag:DYjW0tGb+r4aNI0GLQY53w==,type:str] + config.json: 
ENC[AES256_GCM,data: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,iv:Rse5YbXKGhkgp5mGbRO4U+zmAGg8SzubFgTUPhYMJzA=,tag:WBkx2iue/89DLyOci2l+6Q==,type:str] wireguard: - presharedKey: ENC[AES256_GCM,data:IqgV+1ik0hz0dsiK2IdehX6zHKpWEybLLIh1Pn8LWMTP3RKgLI2xBllxAzU=,iv:SHx7fiauLqiwPAVa8cdCtiaNh7Q4nVsChFNhaCUvPo0=,tag:nfjhHjG3YuMcUya3a5xbkQ==,type:str] privateKeys: - router: ENC[AES256_GCM,data:vx0piFnIJ7zv2WrJECcljBrBgMxozHvDfeoy1jZOCCTRWOonNhvJtYHXU94=,iv:2ruiQWDqqSOam707eNlaYutsrbIqqMIkxW/VqQ4neKY=,tag:LBeHqmymSINVnI/SrkSYIw==,type:str] + router: ENC[AES256_GCM,data:IhTjAwFcrIyOCr0F16UDfGv3E3BVbGCKmbT823kNMTRPz9hapN/t5lz/7Vk=,iv:PCVbVcRD0eLINr7YT9mHO+QR3FVNYLB8HGv0C3pACeg=,tag:3r7ltIravijAF8VVwytQPA==,type:str] + presharedKey: ENC[AES256_GCM,data:bF6K3dn75/cR9r1dJ8YuIjqIvTF11GTU/0s0s46hxsRhdD3+p1+V/dLvLUE=,iv:Q1n31sJfOTSDYV8yA5nyhzxHZO5mA3+7DYjZh7tAIKs=,tag:9yVbusf03Hnn71pfU8qWTQ==,type:str] sops: age: - - recipient: age1dtdquu63vrxag5pgs4yrqaarjywuksnw4nz2dq5t44v8tv24cy8qz7yfcn - enc: | + - enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2T2pvOU9rSTRhYnJ6ZGdq - UFMzM2VUSHpaOUx1eGxlTDNUZFl2bmZMMkNzClpETzRibFlIMEV1UmZJTmZiNlU2 - eGdIOFZTUFpWZGZxeEtrbVBRaWNmMFkKLS0tIDFiZ0xHeHpkSEJKdWpLcWZ0UWpG - cjdUSzMwaGhyWTA1bUdockRFWGlOVzAKb2W3wfR8Vly5/i/TaSmcge/6/B+85lbQ - uzuSGgZNOo8rb+eYi/nI9qSnM31Aesjb4N7ZopoI54iPA34w5cYQcA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1am9lcm1taldJL290SHMy + bkUxbCt2SXRhNUh0UGdhT0kwL1NjNW5hMjJRCnFnN0ZNYTFBaE9yTDBzM1hLUlpm + SGc2UlJML29YNS84VWhkV0IwNDY4UTgKLS0tIGNLalh3VGt2Y3RyV1RyYUZ2M1lW + UUw1SFJFdGlVQ2E3STBxNlg1b0NtUUkKbW8qT0X0jWcZWS6HavQUGchlPD8M2QFI + htdLOVHdpToh1vOxk+p4U44Cc2cPpmc+eer/9d1VWPtInTc5OOgihQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-10T16:11:16Z" - mac: 
ENC[AES256_GCM,data:qPHbbRqs03hDFufdmF51g7L81A/fmiTmcdWEIiUrp+D0x7jkehfKe0gpVLifSDk+UnuTB1teHzzW77EtnKpcKgoNZjO8HbHpumtwrmBmUEN3JcwkORG1lJBQSsMr3k4S2QOExWiWPyxo56LFyyHNnMU/PO4u0SGaRJjyjMOCdG8=,iv:01VMwmhWKYUOD4S/zeeK23h4cTG1XEtsfvGL6n6SptM=,tag:crwUfMqRGH/ig8X1yAU+nw==,type:str] + recipient: age1dtdquu63vrxag5pgs4yrqaarjywuksnw4nz2dq5t44v8tv24cy8qz7yfcn + lastmodified: "2026-06-22T15:06:52Z" + mac: ENC[AES256_GCM,data:j0DhrRI7RsJ/hCXgZUjqjeccqDIHNyzSsm9tvYpqry9DajbmqfZh1vlJAI1gBOaqYcy983AcGR1IRYjtKfUU6xV3k+9BhOIjJPLVishIpn9HosxuNRhpAz2WPlaD3xk1jTXSo4MTnywO6KXXEMaZKYPbZD1ngc21vo9z6TSVWHQ=,iv:0JIxekbUCI91tAHbyL0NQ0GYDcX9XhNFEVF4UErjTG4=,tag:7kIs+X4kMr9HSEJ3aGCh7w==,type:str] unencrypted_suffix: _unencrypted - version: 3.12.1 + version: 3.13.1 diff --git a/secrets/sources/coredns.yaml b/secrets/sources/coredns.yaml deleted file mode 100644 index 5f11b4a..0000000 --- a/secrets/sources/coredns.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -secretRecords: - szp.io: ENC[AES256_GCM,data:sFmWPCplKP9CZHyEBjk+CXLWpQoC5SKpioRlewWa+oyoW7hka6qJEIB7L6a5eRGy/2fHcVGNhxTY84LOdRCwY+VcRMygoR/JE6gtYaTPFmwViyusRmrZCWYfDcA81tkBXLpFjwKJW+FXlq7+Ofn2iWBQgMVUbn9CEPjy+4863bcTK7yx6vnBluX7wW/7pCBA3yszvh4cNpA/yNaCKurN9EVlRqPzyMU1WH3CNgZZGbZ66HpDejxKg3izNqQqB4lC,iv:fzpwUW24a8ZPjJNphyztDbf0JD1VJ5LtzYl2uKiuKCc=,tag:vjt4zzYYCObg8ixf99REaw==,type:str] -sops: - lastmodified: "2026-04-10T16:11:00Z" - mac: ENC[AES256_GCM,data:+7Bh3CuHmxA6ZxN0WV4ZMMF7Z2Ww9rqVACM4dHqxpv77jMMMIF/sBJywZV8El8w1dIIUl/wgRjkvoePRBsSFvS98NSmRxsBmFkC3mUnfQrk0h9YDQgR3gJ/MRk+EVnfIrKJnVHQY6CIQYXVmmygZbCP7g4+fMu2lZ+cWL7ebCnU=,iv:XHDM5yndofuWDYBRhHAAcrp97t5qmmRH+xFcTKlHz7M=,tag:A95T3xnp+HXxJsLtABdEZg==,type:str] - pgp: - - created_at: "2026-03-01T17:48:12Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DZSODbPSZIlESAQdAoCpA/Lt+3qw5jKG4Iqn+u0+Y/RSL59jJJTgU8HOur3Mw - qXvUCY0OSnCqgRwGRc12JRQjjDZigCAmrZn/hbodA2LoXpzpA3V6+Xt6EozSHPGS - 0l4BWqssmTnerDSbWFF636HvhK3GrHErWNeNKtArpKhQtQvQZcbATpKU1+iqLaE+ - fSt/SxsDOQh4/IqAcEoCgdrP2ktdHYfJdwHQmRGgARn+CmFkcpGfgbR49cxibN4W - =LXE7 - -----END PGP MESSAGE----- - fp: 8CC5C91F72DB57DA20BD848C6523836CF4992251 - unencrypted_suffix: _unencrypted - version: 3.12.1 diff --git a/terraform/cloudflare/dns.auto.tfvars b/terraform/cloudflare/dns.auto.tfvars index a8b1eca..bb455c1 100644 --- a/terraform/cloudflare/dns.auto.tfvars +++ b/terraform/cloudflare/dns.auto.tfvars @@ -25,6 +25,7 @@ zones = { hkg1 = { name = "hkg1", type = "A", content = "194.104.147.179" } sjc0 = { name = "sjc0", type = "A", content = "185.218.6.162" } sjc1 = { name = "sjc1", type = "A", content = "185.218.5.211" } + lax0 = { name = "lax0", type = "A", content = "209.209.59.219" } } } From 0ec4f30ab1b01e6f0fe29db55f4899559f010f4c Mon Sep 17 00:00:00 2001 
From: Ziping Sun
Date: Tue, 23 Jun 2026 20:36:02 +0800
Subject: [PATCH 2/5] use sing-box pre-match backed by nfqueue

---
 nixos/services/coredns/default.nix | 1 +
 nixos/services/sing-box/default.nix | 94 +++++++++++------------------
 2 files changed, 37 insertions(+), 58 deletions(-)

diff --git a/nixos/services/coredns/default.nix b/nixos/services/coredns/default.nix
index 1d608f7..7603e9a 100644
--- a/nixos/services/coredns/default.nix
+++ b/nixos/services/coredns/default.nix
@@ -47,6 +47,7 @@ in
 (lib.mkIf (name == primary) {
 services.coredns.config = ''
 (authoritative) {
+ import snip
 root /etc/coredns/zones
 transfer {
 to ${lib.concatStringsSep " " secondaryAddresses}
diff --git a/nixos/services/sing-box/default.nix b/nixos/services/sing-box/default.nix
index d4b4a74..be9859d 100644
--- a/nixos/services/sing-box/default.nix
+++ b/nixos/services/sing-box/default.nix
@@ -10,29 +10,29 @@ let
 type = "local";
 path = "${pkgs.sing-geosite}/share/sing-box/rule-set/${name}.srs";
 };
- geoip-modified =
- {
- sing-geoip,
- runCommandLocal,
- sing-box,
- python3,
- name ? "geoip-cn",
- excludeIPAddresses ? [ ],
- lib,
- }:
- runCommandLocal "${name}-modified.srs"
- {
- src = "${sing-geoip}/share/sing-box/rule-set/${name}.srs";
- nativeBuildInputs = [
- sing-box
- python3
- ];
- }
- ''
- sing-box rule-set decompile $src -o /dev/stdout |
- python ${./geoip_subtract.py} ${lib.escapeShellArgs excludeIPAddresses} |
- sing-box rule-set compile /dev/stdin -o $out
- '';
+ # geoip-modified =
+ # {
+ # sing-geoip,
+ # runCommandLocal,
+ # sing-box,
+ # python3,
+ # name ? "geoip-cn",
+ # excludeIPAddresses ? [ ],
+ # lib,
+ # }:
+ # runCommandLocal "${name}-modified.srs"
+ # {
+ # src = "${sing-geoip}/share/sing-box/rule-set/${name}.srs";
+ # nativeBuildInputs = [
+ # sing-box
+ # python3
+ # ];
+ # }
+ # ''
+ # sing-box rule-set decompile $src -o /dev/stdout |
+ # python ${./geoip_subtract.py} ${lib.escapeShellArgs excludeIPAddresses} |
+ # sing-box rule-set compile /dev/stdin -o $out
+ # '';
 in
 {
 ## ---------------------------------------------------------------------------
@@ -41,7 +41,7 @@ in
 services.sing-box = {
 enable = true;
 package = pkgs.sing-box.overrideAttrs (oldAttrs: {
- patches = [
+ patches = (oldAttrs.patches or [ ]) ++ [
 # add disable_dns_hijack option
 ./sing-box-disable-dns-hijack.patch
 ];
@@ -114,8 +114,8 @@ in
 "172.19.0.1/30"
 "fdfe:dcba:9876::1/126"
 ];
+ # Note that pre-match stage doesn't respect the exclude set
 route_exclude_address_set = [
- "geoip-cn-modified"
 "geoip-private"
 "geoip-special"
 ];
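Review bot: `geoip-modified` is commented out in the `let` binding rather than deleted, and the `geoip-cn-modified` rule set that consumed it is removed in the last hunk of this commit, so the 23 `# …` lines are dead text that git history already preserves. Deleting them (and `geoip_subtract.py`, if nothing else references it — not visible here) keeps the module readable; if the derivation is expected to return, a single line such as `# geoip-modified (geoip_subtract.py) disabled: the pre-match stage ignores route_exclude_address_set` records why it was turned off, which the comment added at line 114 only implies.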
@@ -167,40 +167,26 @@ in
 auto_detect_interface = true;
 final = "Proxy";
 rules = [
+ # Note that sniff will always match during the pre-match stage.
+ # Therefore, we avoid use sniff action.
+ # https://github.com/SagerNet/sing-box/blob/v1.13.12/route/route.go#L520C21-L536
 {
- action = "sniff";
- sniffer = [
- "dns"
- "stun"
- ];
- }
- {
- action = "hijack-dns";
- protocol = "dns";
+ network = "udp";
+ port = 53;
 ip_cidr = [
 "172.19.0.2/32"
 "fdfe:dcba:9876::2/128"
 ];
+ action = "hijack-dns";
 }
 {
 ip_is_private = true;
+ action = "bypass";
 outbound = "direct";
 }
 {
- type = "logical";
- mode = "or";
- rules = [
- {
- port = 853;
- }
- {
- network = "udp";
- port = 443;
- }
- {
- protocol = "stun";
- }
- ];
+ network = "udp";
+ port = 443;
 action = "reject";
 }
 {
@@ -211,6 +197,7 @@ in
 }
 {
 rule_set = "geosite-geolocation-cn";
+ action = "bypass";
 outbound = "direct";
 }
 {
@@ -225,6 +212,7 @@ in
 invert = true;
 }
 ];
+ action = "bypass";
 outbound = "direct";
 }
 {
@@ -290,16 +278,6 @@ in
 }
 ];
 }
- {
- tag = "geoip-cn-modified";
- type = "local";
- path = (pkgs.callPackage geoip-modified { }).override {
- excludeIPAddresses = [
- # byr.pt
- "2001:da8:215:4078:250:56ff:fe97:654d"
- ];
- };
- }
 ];
 };
 };

From 84ad8966e71d56ca0ae74f43a623fc4e1beb5a3f Mon Sep 17 00:00:00 2001
From: Ziping Sun
Date: Wed, 24 Jun 2026 00:34:33 +0800
Subject: [PATCH 3/5] optimize router sing-box configuration

---
 nixos/services/coredns/default.nix | 10 +++++-----
 nixos/services/fail2ban.nix | 6 +++++-
 nixos/services/sing-box/default.nix | 28 +++++++++++++++++++++++++++-
 3 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/nixos/services/coredns/default.nix b/nixos/services/coredns/default.nix
index 7603e9a..603be70 100644
--- a/nixos/services/coredns/default.nix
+++ b/nixos/services/coredns/default.nix
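Review bot: The rewritten reject rule matches only `network = "udp"; port = 443;`, so the `port = 853` and `protocol = "stun"` branches of the old logical rule are gone; dropping STUN follows from the new comment about sniff in the pre-match stage, but port 853 (DNS over TLS) needs no sniffing, and without that reject a LAN client can send DoT to an outside resolver and never reach the `hijack-dns` rule. If dropping it is deliberate, say so in the comment; otherwise a sibling rule `{ port = 853; action = "reject"; }` next to the udp/443 one restores the previous policy. Separately, the `hijack-dns` rule now matches `network = "udp"` only, whereas the removed `protocol = "dns"` form appears to have covered TCP as well, so TCP/53 towards 172.19.0.2 presumably falls through to the later rules; the `rules` list continues outside the hunk.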
@@ -42,6 +42,10 @@ in
 rewrite name suffix .o.szp15.com .szp15.com answer auto
 forward . /run/systemd/resolve/resolv.conf
 }
+ . {
+ import snip
+ forward . /run/systemd/resolve/resolv.conf
+ }
 '';
 }
 (lib.mkIf (name == primary) {
@@ -91,11 +95,7 @@ in
 extraStartScript = ''
 ip netns exec coredns ip address add ${anycastAddress}/32 dev eth0
 ip route add ${anycastAddress}/32 dev coredns
- resolvectl dns coredns ${address}
- resolvectl domain coredns ~szp.io ~szp15.com
- resolvectl llmnr coredns off
- resolvectl mdns coredns off
- # systemd doesn't set DNS when the interface doesn't has an IP address.
+ # sing-box requires an IP address for coredns
 ip address add 169.254.23.1/32 dev coredns
 '';
 };
diff --git a/nixos/services/fail2ban.nix b/nixos/services/fail2ban.nix
index 4002cc4..8f712d3 100644
--- a/nixos/services/fail2ban.nix
+++ b/nixos/services/fail2ban.nix
@@ -1,5 +1,9 @@
 {
- services.fail2ban.enable = true;
+ services.fail2ban = {
+ enable = true;
+ banaction = "nftables-multiport[blocktype=DROP]";
+ banaction-allports = "nftables-allports[blocktype=DROP]";
+ };
 preservation.preserveAt.default.directories = [
 {
diff --git a/nixos/services/sing-box/default.nix b/nixos/services/sing-box/default.nix
index be9859d..75d0907 100644
--- a/nixos/services/sing-box/default.nix
+++ b/nixos/services/sing-box/default.nix
@@ -76,8 +76,20 @@ in
 server = "8.8.8.8";
 detour = "Proxy";
 }
+ {
+ tag = "coredns";
+ type = "udp";
+ server = "10.112.35.3";
+ }
 ];
 rules = [
+ {
+ domain_suffix = [
+ "szp.io"
+ "szp15.com"
+ ];
+ server = "coredns";
+ }
 {
 rule_set = "geosite-geolocation-cn";
 server = "local";
@@ -149,6 +161,9 @@ in
 # iproute2_table_index = 2022;
 # auto_redirect_input_mark = "0x2023";
 # auto_redirect_output_mark = "0x2024";
+
+ # Note that sing-box 1.14.0 add `dns_mode = "native"` option,
+ # which should function the same.
 disable_dns_hijack = true;
 auto_route = true;
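Review bot: The new `. { import snip; forward . /run/systemd/resolve/resolv.conf }` server block makes CoreDNS a recursive forwarder for every name rather than only the authoritative zones; which addresses the server listens on is outside the hunk (the `${anycastAddress}` netns setup in the second hunk suggests an internal address), so whether this listener is reachable from untrusted networks cannot be told here. An unrestricted forwarder is a classic amplification vector, so it is worth confirming the bind is LAN/anycast only or adding an `acl` block to the `.` server limited to the internal prefixes, and documenting the intent above it with `# catch-all forwarder for sing-box's "coredns" DNS server; internal clients only`.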
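Review bot: The new `coredns` DNS server hardcodes `server = "10.112.35.3";`, while the CoreDNS module touched in the same commit derives its listener from `${anycastAddress}`; if the two are meant to be the same address (not confirmable from the hunk), referencing the shared option instead of a literal prevents them drifting apart silently. The server is plain `type = "udp"` with no `detour`, and it appears to depend on the `network = "udp"; port = 53; action = "route"; outbound = "direct";` rule added later in this commit to be reachable; a comment on the entry, `# authoritative for szp.io/szp15.com; reached via the direct udp/53 route rule`, would tie the two together for the next reader.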
@@ -164,7 +179,7 @@ in
 ];
 route = {
 default_domain_resolver = "local";
- auto_detect_interface = true;
+ # auto_detect_interface = true;
 final = "Proxy";
 rules = [
 # Note that sniff will always match during the pre-match stage.
@@ -179,6 +194,12 @@ in
 ];
 action = "hijack-dns";
 }
+ {
+ network = "udp";
+ port = 53;
+ action = "route";
+ outbound = "direct";
+ }
 {
 ip_is_private = true;
 action = "bypass";
@@ -224,6 +245,11 @@ in
 ];
 outbound = "US";
 }
+ {
+ network = "icmp";
+ action = "reject";
+ method = "reply";
+ }
 ];
 rule_set = [
 (mkGeoipRuleSet "geoip-cn")

From ce0e70b4d758eda91e652433db29af013e93ca56 Mon Sep 17 00:00:00 2001
From: Ziping Sun
Date: Wed, 24 Jun 2026 02:35:54 +0800
Subject: [PATCH 4/5] enroll lax0

---
 flake/hosts.nix | 7 +++++++
 nixos/hosts/lax0/hardware.nix | 17 +++++++++++++++++
 nixos/hosts/lax0/state.nix | 3 +++
 nixos/system/disko.nix | 8 ++++++++
 4 files changed, 35 insertions(+)
 create mode 100644 nixos/hosts/lax0/hardware.nix
 create mode 100644 nixos/hosts/lax0/state.nix

diff --git a/flake/hosts.nix b/flake/hosts.nix
index 7236e33..d66d482 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -230,6 +230,13 @@ in
 name = "laptop";
 system = "x86_64-linux";
 })
+ # To make nixos-anywhere work, please turn on swapfile before kexec,
+ # and manually turn on zramswap and increase
+ # writable nix store size before the disko phase.
+ (mkHost {
+ name = "lax0";
+ system = "x86_64-linux";
+ })
 ];
 flake.passthru = {
diff --git a/nixos/hosts/lax0/hardware.nix b/nixos/hosts/lax0/hardware.nix
new file mode 100644
index 0000000..8514a70
--- /dev/null
+++ b/nixos/hosts/lax0/hardware.nix
@@ -0,0 +1,17 @@
+{ modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.initrd.availableKernelModules = [
+ "ahci"
+ "sym53c8xx"
+ "xhci_pci"
+ "virtio_pci"
+ "sr_mod"
+ "virtio_blk"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+}
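Review bot: The added rule `network = "udp"; port = 53; action = "route"; outbound = "direct";` sends every UDP/53 flow not caught by the preceding `hijack-dns` rule straight out `direct`, so a client that talks to an arbitrary external resolver bypasses the proxy's DNS handling and leaves the WAN in plaintext; TCP/53 is not covered, so the same client over TCP is still routed by the later rules, which is an inconsistent policy. If the purpose is only to let sing-box reach its own `coredns` server (10.112.35.3, added in the first hunk of this file), narrowing with `ip_cidr = [ "10.112.35.3/32" ];` keeps the previous behaviour for everything else; the `rules` list continues outside the hunk.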
diff --git a/nixos/hosts/lax0/state.nix b/nixos/hosts/lax0/state.nix
new file mode 100644
index 0000000..1e0ea0d
--- /dev/null
+++ b/nixos/hosts/lax0/state.nix
@@ -0,0 +1,3 @@
+{
+ system.stateVersion = "26.05";
+}
diff --git a/nixos/system/disko.nix b/nixos/system/disko.nix
index a7248ed..bb6bf0f 100644
--- a/nixos/system/disko.nix
+++ b/nixos/system/disko.nix
@@ -65,5 +65,13 @@ in
 swapSize = "32G";
 };
 })
+
+ (lib.mkIf (name == "lax0") {
+ profiles.system.disko = {
+ devices = [ "/dev/vda" ];
+ swapSize = "1G";
+ legacyBoot = true;
+ };
+ })
 ];
 }

From 07a3d5109715589e1f7491de1fc6d6365262ae42 Mon Sep 17 00:00:00 2001
From: Ziping Sun
Date: Wed, 24 Jun 2026 22:41:35 +0800
Subject: [PATCH 5/5] update docs

---
 flake/hosts.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/flake/hosts.nix b/flake/hosts.nix
index d66d482..45d202c 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -233,6 +233,13 @@ in
 # To make nixos-anywhere work, please turn on swapfile before kexec,
 # and manually turn on zramswap and increase
 # writable nix store size before the disko phase.
+ #
+ # mount -o remount,size=70% -t tmpfs tmpfs /nix/.rw-store
+ # modprobe zram
+ # zramctl /dev/zram0 --algorithm zstd --size 800000KiB
+ # mkswap -U clear /dev/zram0
+ # swapon --discard --priority 100 /dev/zram0
+ #
 (mkHost {
 name = "lax0";
 system = "x86_64-linux";