18 changes: 18 additions & 0 deletions flake/hosts.nix
Expand Up @@ -112,6 +112,10 @@ let
services.nginx
system.disko
];
nixos.lax0 = suites.server ++ [
hosts.lax0
system.disko
];
}
);

Expand Down Expand Up @@ -226,6 +230,20 @@ in
name = "laptop";
system = "x86_64-linux";
})
# To make nixos-anywhere work, please turn on swapfile before kexec,
# and manually turn on zramswap and increase
# writable nix store size before the disko phase.
#
# mount -o remount,size=70% -t tmpfs tmpfs /nix/.rw-store
# modprobe zram
# zramctl /dev/zram0 --algorithm zstd --size 800000KiB
# mkswap -U clear /dev/zram0
# swapon --discard --priority 100 /dev/zram0
#
(mkHost {
name = "lax0";
system = "x86_64-linux";
})
];

flake.passthru = {
17 changes: 17 additions & 0 deletions nixos/hosts/lax0/hardware.nix
@@ -0,0 +1,17 @@
{ modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ahci"
"sym53c8xx"
"xhci_pci"
"virtio_pci"
"sr_mod"
"virtio_blk"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
}
3 changes: 3 additions & 0 deletions nixos/hosts/lax0/state.nix
@@ -0,0 +1,3 @@
{
system.stateVersion = "26.05";
}
16 changes: 6 additions & 10 deletions nixos/services/coredns/default.nix
Expand Up @@ -42,11 +42,16 @@ in
rewrite name suffix .o.szp15.com .szp15.com answer auto
forward . /run/systemd/resolve/resolv.conf
}
. {
import snip
forward . /run/systemd/resolve/resolv.conf
}
'';
}
(lib.mkIf (name == primary) {
services.coredns.config = ''
(authoritative) {
import snip
root /etc/coredns/zones
transfer {
to ${lib.concatStringsSep " " secondaryAddresses}
Expand All @@ -67,11 +72,6 @@ in
'';
environment.etc."coredns/zones/szp15.com.zone".source = ./szp15.com.zone;
environment.etc."coredns/zones/szp.io.zone".source = ./szp.io.zone;

sops.secrets."coredns/secretRecords/szp.io" = { };
systemd.services.coredns.serviceConfig.LoadCredential = [
"szp.io:${config.sops.secrets."coredns/secretRecords/szp.io".path}"
];
})
(lib.mkIf (name != primary) {
services.coredns.config = ''
Expand All @@ -95,11 +95,7 @@ in
extraStartScript = ''
ip netns exec coredns ip address add ${anycastAddress}/32 dev eth0
ip route add ${anycastAddress}/32 dev coredns
resolvectl dns coredns ${address}
resolvectl domain coredns ~szp.io ~szp15.com
resolvectl llmnr coredns off
resolvectl mdns coredns off
# systemd doesn't set DNS when the interface doesn't has an IP address.
# sing-box requires an IP address for coredns
ip address add 169.254.23.1/32 dev coredns
'';
};
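Review bot: The new catch-all block `. { import snip; forward . /run/systemd/resolve/resolv.conf }` makes this CoreDNS instance a recursive forwarder for every name, so any client that can reach its listener (the anycast `${anycastAddress}` configured in the start script further down) gets open recursion; if that address is reachable beyond the hosts meant to use it, add an `acl` stanza inside that block restricting clients to the expected ranges, or document why the bind alone is sufficient. Dropping the `LoadCredential` lines here together with the zone file's `$INCLUDE /run/credentials/coredns.service/szp.io` means the sops-provided `szp.io` records are no longer served at all, which is fine if intended but should be stated somewhere since the `sops.secrets."coredns/secretRecords/szp.io"` declaration goes with it. The removed `resolvectl` calls appear to be replaced by the sing-box DNS rule that sends `szp.io`/`szp15.com` to the `coredns` server; a one-line comment at `extraStartScript` pointing to that would save the next reader the cross-reference. The hunk sits inside the `services.coredns.config` string and a `lib.mkIf` whose bounds lie outside it.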
10 changes: 7 additions & 3 deletions nixos/services/coredns/szp.io.zone
@@ -1,7 +1,7 @@
$ORIGIN szp.io.
$TTL 600
@ IN SOA ns1 me (
2026060902 ; serial Tue, 09 Jun 2026 00:28:00 UTC
2026062201 ; serial Mon, 22 Jun 2026 00:14:00 UTC
3H ; refresh
40M ; retry
1W ; expire
Expand All @@ -19,8 +19,13 @@ hasee02.nodes IN A 10.112.8.3
hasee03.nodes IN A 10.112.8.4
desktop.nodes IN A 10.112.8.5
ingress.k8s IN A 10.112.10.100
ai.vm IN A 10.112.12.2

hgh0.nodes IN CNAME hgh0.szp15.com.
hkg0.nodes IN CNAME hkg0.eh578599.xyz.
hkg1.nodes IN CNAME hkg1.eh578599.xyz.
sjc0.nodes IN CNAME sjc0.eh578599.xyz.
sjc1.nodes IN CNAME sjc1.eh578599.xyz.
lax0.nodes IN CNAME lax0.eh578599.xyz.
cache IN CNAME cache.o
niks3 IN CNAME niks3.o
hubble.k8s IN CNAME ingress.k8s
Expand All @@ -30,4 +35,3 @@ grafana.k8s IN CNAME ingress.k8s
metrics.k8s IN CNAME ingress.k8s
logs.k8s IN CNAME ingress.k8s
cdi-uploadproxy.k8s IN CNAME ingress.k8s
$INCLUDE /run/credentials/coredns.service/szp.io
6 changes: 5 additions & 1 deletion nixos/services/fail2ban.nix
@@ -1,5 +1,9 @@
{
services.fail2ban.enable = true;
services.fail2ban = {
enable = true;
banaction = "nftables-multiport[blocktype=DROP]";
banaction-allports = "nftables-allports[blocktype=DROP]";
};

preservation.preserveAt.default.directories = [
{
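Review bot: `banaction = "nftables-multiport[blocktype=DROP]"` passes the block type in upper case, but fail2ban's nftables action documents the accepted values as `drop` / `reject` and nft keywords are case-sensitive, so unless fail2ban normalises the value the generated rule may fail to load; `banaction = "nftables-multiport[blocktype=drop]";` and `banaction-allports = "nftables-allports[blocktype=drop]";` sidestep the question. Switching to the nftables actions also presumes `networking.nftables.enable` is set on every host importing this module, which the diff does not show; a comment on the `banaction` line naming that requirement would help whoever adds the next host.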
123 changes: 64 additions & 59 deletions nixos/services/sing-box/default.nix
Expand Up @@ -10,29 +10,29 @@ let
type = "local";
path = "${pkgs.sing-geosite}/share/sing-box/rule-set/${name}.srs";
};
geoip-modified =
{
sing-geoip,
runCommandLocal,
sing-box,
python3,
name ? "geoip-cn",
excludeIPAddresses ? [ ],
lib,
}:
runCommandLocal "${name}-modified.srs"
{
src = "${sing-geoip}/share/sing-box/rule-set/${name}.srs";
nativeBuildInputs = [
sing-box
python3
];
}
''
sing-box rule-set decompile $src -o /dev/stdout |
python ${./geoip_subtract.py} ${lib.escapeShellArgs excludeIPAddresses} |
sing-box rule-set compile /dev/stdin -o $out
'';
# geoip-modified =
# {
# sing-geoip,
# runCommandLocal,
# sing-box,
# python3,
# name ? "geoip-cn",
# excludeIPAddresses ? [ ],
# lib,
# }:
# runCommandLocal "${name}-modified.srs"
# {
# src = "${sing-geoip}/share/sing-box/rule-set/${name}.srs";
# nativeBuildInputs = [
# sing-box
# python3
# ];
# }
# ''
# sing-box rule-set decompile $src -o /dev/stdout |
# python ${./geoip_subtract.py} ${lib.escapeShellArgs excludeIPAddresses} |
# sing-box rule-set compile /dev/stdin -o $out
# '';
in
{
## ---------------------------------------------------------------------------
Expand All @@ -41,7 +41,7 @@ in
services.sing-box = {
enable = true;
package = pkgs.sing-box.overrideAttrs (oldAttrs: {
patches = [
patches = (oldAttrs.patches or [ ]) ++ [
# add disable_dns_hijack option
./sing-box-disable-dns-hijack.patch
];
Expand Down Expand Up @@ -76,8 +76,20 @@ in
server = "8.8.8.8";
detour = "Proxy";
}
{
tag = "coredns";
type = "udp";
server = "10.112.35.3";
}
];
rules = [
{
domain_suffix = [
"szp.io"
"szp15.com"
];
server = "coredns";
}
{
rule_set = "geosite-geolocation-cn";
server = "local";
Expand Down Expand Up @@ -114,8 +126,8 @@ in
"172.19.0.1/30"
"fdfe:dcba:9876::1/126"
];
# Note that pre-match stage doesn't respect the exclude set
route_exclude_address_set = [
"geoip-cn-modified"
"geoip-private"
"geoip-special"
];
Expand Down Expand Up @@ -149,6 +161,9 @@ in
# iproute2_table_index = 2022;
# auto_redirect_input_mark = "0x2023";
# auto_redirect_output_mark = "0x2024";

# Note that sing-box 1.14.0 add `dns_mode = "native"` option,
# which should function the same.
disable_dns_hijack = true;

auto_route = true;
Expand All @@ -164,43 +179,35 @@ in
];
route = {
default_domain_resolver = "local";
auto_detect_interface = true;
# auto_detect_interface = true;
final = "Proxy";
rules = [
# Note that sniff will always match during the pre-match stage.
# Therefore, we avoid use sniff action.
# https://github.com/SagerNet/sing-box/blob/v1.13.12/route/route.go#L520C21-L536
{
action = "sniff";
sniffer = [
"dns"
"stun"
];
}
{
action = "hijack-dns";
protocol = "dns";
network = "udp";
port = 53;
ip_cidr = [
"172.19.0.2/32"
"fdfe:dcba:9876::2/128"
];
action = "hijack-dns";
}
{
network = "udp";
port = 53;
action = "route";
outbound = "direct";
}
{
ip_is_private = true;
action = "bypass";
outbound = "direct";
}
{
type = "logical";
mode = "or";
rules = [
{
port = 853;
}
{
network = "udp";
port = 443;
}
{
protocol = "stun";
}
];
network = "udp";
port = 443;
action = "reject";
}
{
Expand All @@ -211,6 +218,7 @@ in
}
{
rule_set = "geosite-geolocation-cn";
action = "bypass";
outbound = "direct";
}
{
Expand All @@ -225,6 +233,7 @@ in
invert = true;
}
];
action = "bypass";
outbound = "direct";
}
{
Expand All @@ -236,6 +245,11 @@ in
];
outbound = "US";
}
{
network = "icmp";
action = "reject";
method = "reply";
}
];
rule_set = [
(mkGeoipRuleSet "geoip-cn")
Expand Down Expand Up @@ -285,20 +299,11 @@ in
"87.83.107.0/24"
"194.104.147.128/26"
"185.218.4.0/22"
"209.209.59.0/24"
];
}
];
}
{
tag = "geoip-cn-modified";
type = "local";
path = (pkgs.callPackage geoip-modified { }).override {
excludeIPAddresses = [
# byr.pt
"2001:da8:215:4078:250:56ff:fe97:654d"
];
};
}
];
};
};
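Review bot: The rewritten reject rule (`network = "udp"; port = 443; action = "reject";`) drops the `port = 853` clause together with the `stun` one, yet only the stun match depended on the sniff action the comment at the top of that hunk removes; DNS-over-TLS clients on the tun now fall through to `final = "Proxy"` instead of being refused, so anything speaking DoT bypasses the `coredns`/`local` DNS rules added earlier in this file. If the 853 reject existed to keep name resolution inside sing-box, keep it in a logical rule as below. The new `{ network = "udp"; port = 53; action = "route"; outbound = "direct"; }` rule likewise sends plaintext DNS aimed at any address other than the hijacked tun resolver straight out `direct`, presumably intentional, but a comment stating that would prevent it being read as a leak later. The `route.rules` list continues past the hunk.

```nix
# … unchanged: hijack-dns, udp/53 direct and private-ip bypass rules …
{
  type = "logical";
  mode = "or";
  rules = [
    { port = 853; }
    {
      network = "udp";
      port = 443;
    }
  ];
  action = "reject";
}
# … unchanged: geosite / outbound rules …
```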
8 changes: 8 additions & 0 deletions nixos/system/disko.nix
Expand Up @@ -65,5 +65,13 @@ in
swapSize = "32G";
};
})

(lib.mkIf (name == "lax0") {
profiles.system.disko = {
devices = [ "/dev/vda" ];
swapSize = "1G";
legacyBoot = true;
};
})
];
}