iopq/nixos-laptop - Change W6MVLNZJLFMC3G22YG476CDK2NZWBWWQAWSIKR56OSVYSN6F65PQC

Initial commit after removing passwords

Created by 8vzDUcF1pcK6gTEMRRQsoHFiE7u2nqDVXCvVn776ESB6 on October 24, 2025

W6MVLNZJLFMC3G22YG476CDK2NZWBWWQAWSIKR56OSVYSN6F65PQC

Dependencies

[2] 2E7PS7MI7JL45ADWA72SSPTVE7IN2KWWURCBL7JG4AMRHBZFPRMAC

In channels

main

Change contents

File addition: scripts (d--x------)
[2.1]

File addition: udp2raw.sh (---x------)

[0.19]

#!/bin/sh
until SERVER=$(/etc/profiles/per-user/iopq/bin/dig @$NAME_SERVER +short A $DOMAIN); do /run/current-system/sw/bin/sleep 2; done;
/etc/udp2raw_binaries/udp2raw_amd64_hw_aes -c -l 127.0.0.1:6443 -r $SERVER:443 -k $UDP2RAW_PWD --raw-mode $RAW_MODE --auth-mode hmac_sha1 --fix-gro

File addition: tproxy-rules.sh (---x------)

[0.19]

#!/bin/sh
# Load variables from .env file
until SERVER=$($DIG_CMD) && [ -n "$SERVER" ]; do /run/current-system/sw/bin/sleep 2; echo "Lookup failed or returned empty. Retrying in 2s..." >&2; done;
echo $SERVER
/etc/nixos/scripts/iptables.sh
/run/current-system/sw/bin/ip route add local 0.0.0.0/0 dev lo table 100
/run/current-system/sw/bin/ip rule add fwmark 1 table 100
/etc/profiles/per-user/iopq/bin/iptables -I INPUT -s $SERVER $IPTABLES_OPTIONS -j DROP

File addition: iptables.sh (---x------)

[0.19]

#!/bin/sh
iptables -t mangle -N XRAY
#ip -o -4 addr show scope global | awk '{print $4}'
iptables -t mangle -A XRAY -d 192.168.2.184/24 -j RETURN
# 组播地址/E类地址/广播地址直连
iptables -t mangle -A XRAY -d 224.0.0.0/3 -j RETURN
iptables -t mangle -A XRAY -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY -d 100.64.0.0/10 -j RETURN
iptables -t mangle -A XRAY -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A XRAY -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A XRAY -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A XRAY -d 198.18.0.0/15 -j RETURN
iptables -t mangle -A XRAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A XRAY -d 240.0.0.0/4 -j RETURN
#ip -o -4 addr show scope global | awk '{print $4}'
iptables -t mangle -A XRAY ! -s 192.168.2.184/24 -j RETURN
iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j XRAY
iptables -t mangle -N XRAY_MASK
iptables -t mangle -A XRAY_MASK -m owner --gid-owner 988 -j RETURN
iptables -t mangle -A XRAY_MASK -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY_MASK -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY_MASK -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A XRAY_MASK -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A XRAY_MASK -d 172.16.0.0/12 -j RETURN
#ip -o -4 addr show scope global | awk '{print $4}'
iptables -t mangle -A XRAY_MASK -d 192.168.2.184/24 -j RETURN
iptables -t mangle -A XRAY_MASK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A XRAY_MASK -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A XRAY_MASK -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp -j XRAY_MASK
iptables -t mangle -A OUTPUT -p udp -j XRAY_MASK

File addition: ipclean.sh (---x------)

[0.19]

#!/bin/sh
iptables -t mangle -D PREROUTING -j XRAY -w
iptables -t mangle -D OUTPUT -p tcp -j XRAY_MASK -w
iptables -t mangle -D OUTPUT -p udp -j XRAY_MASK -w
iptables -t mangle -F XRAY
iptables -t mangle -F XRAY_MASK
iptables -t mangle -X XRAY
iptables -t mangle -X XRAY_MASK

File addition: ip6tables.sh (---x------)

[0.19]

#!/bin/sh
ip6tables -t mangle -N XRAY6
ip6tables -t mangle -A XRAY6 -d 2408:8207:2452:9010:dfba:2572:4088:320d/64 -j RETURN
ip6tables -t mangle -A XRAY6 -d 2408:8207:2452:9010:7301:5ec:a961:e85/64 -j RETURN
ip6tables -t mangle -A XRAY6 -d ::/128  -j RETURN
ip6tables -t mangle -A XRAY6 -d ::1/128  -j RETURN
ip6tables -t mangle -A XRAY6 -d 64:ff9b::/96  -j RETURN
ip6tables -t mangle -A XRAY6 -d 100::/64  -j RETURN
ip6tables -t mangle -A XRAY6 -d 2001::/32  -j RETURN
ip6tables -t mangle -A XRAY6 -d 2001:20::/28  -j RETURN
ip6tables -t mangle -A XRAY6 -d fe80::/10  -j RETURN
ip6tables -t mangle -A XRAY6 -d ff00::/8  -j RETURN
ip6tables -t mangle -A XRAY6 ! -s 2408:8207:2452:9010:dfba:2572:4088:320d/64 -j RETURN
ip6tables -t mangle -A XRAY6 ! -s 2408:8207:2452:9010:7301:5ec:a961:e85/64 -j RETURN
ip6tables -t mangle -A XRAY6 -p udp -j TPROXY --on-port 2500 --tproxy-mark 1
ip6tables -t mangle -A XRAY6 -p tcp -j TPROXY --on-port 2500 --tproxy-mark 1
ip6tables -t mangle -A PREROUTING -j XRAY6
ip6tables -t mangle -N XRAY6_MASK
ip6tables -t mangle -A XRAY6_MASK -m owner --gid-owner 988 -j RETURN
ip6tables -t mangle -A XRAY6_MASK -d 2408:8207:2452:9010:dfba:2572:4088:320d -j RETURN
ip6tables -t mangle -A XRAY6_MASK -d 2408:8207:2452:9010:7301:5ec:a961:e85 -j RETURN
ip6tables -t mangle -A XRAY6_MASK -j MARK --set-mark 1
ip6tables -t mangle -A OUTPUT -p tcp -j XRAY6_MASK
ip6tables -t mangle -A OUTPUT -p udp -j XRAY6_MASK

File addition: ip6clean.sh (---x------)

[0.19]

#!/bin/sh
ip6tables -t mangle -D PREROUTING -j XRAY6 -w
ip6tables -t mangle -D OUTPUT -p tcp -j XRAY6_MASK -w
ip6tables -t mangle -D OUTPUT -p udp -j XRAY6_MASK -w
ip6tables -t mangle -F XRAY6
ip6tables -t mangle -F XRAY6_MASK
ip6tables -t mangle -X XRAY6
ip6tables -t mangle -X XRAY6_MASK

File addition: modules.nix (----------)

[2.1]

{ config, pkgs, ... }:
{
  # Enable networking
  networking.networkmanager.enable = true;
  # virtual file system
  services.gvfs.enable = true;
  #disable power save for better latency
  networking.networkmanager.wifi.powersave = false;
  #stop systemd from taking too long to time out
  systemd.settings.Manager = {
    DefaultTimeoutStopSec="10s";
  };
  systemd.user.extraConfig = "DefaultTimeoutStopSec=10s";
  networking.firewall.enable = false;
  networking.extraHosts =
  ''
    255.255.255.255 wpad
    255.255.255.255 wpad.lan
  '';
  # Enable CUPS to print documents.
  #services.printing.enable = true;
  # Enable automatic login for the user.
  services.displayManager.autoLogin.enable = true;
  services.displayManager.autoLogin.user = "iopq";
  services.xserver.enable = true;
  #kde
  services.desktopManager.plasma6.enable = true;
  security.pam.services.sddm.enableKwallet = true;
  #sddm
  services.displayManager.sddm.enable = true;
  services.displayManager.sddm.wayland.enable = true;
  services.flatpak.enable = true;
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
  hardware.bluetooth.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    pulse.enable = true;
  };
/*  services.pulseaudio.enable = true;
  services.pulseaudio.support32Bit = true;
  services.pulseaudio.daemon.config = {
    avoid-resampling = "yes";
    resample-method = "soxr-vhq";
  };
*/
  #services.pipewire.package = (pkgs.pipewire.override { alsa-lib = pkgs.alsa-lib.overrideAttrs { separateDebugInfo = true; }; }).overrideAttrs { separateDebugInfo = true; };
  # graphics
  hardware.graphics = {
    enable = true;
    enable32Bit = true;
  };
  #fonts
  fonts.packages = with pkgs; [
    noto-fonts-cjk-sans
    babelstone-han
  ];
  programs.steam = {
    enable = true;
  };
  nixpkgs.config.packageOverrides = pkgs: {
    steam = pkgs.steam.override {
      extraPkgs = pkgs: with pkgs; [
        libgdiplus
      ];
    };
  };
  #fingerprint reader
  services.fprintd = {
    enable = true;
  };
    i18n.inputMethod = {
    enable = true;
    type = "fcitx5";
    fcitx5.waylandFrontend = true;
    fcitx5.addons = with pkgs; [
       rime-data
       fcitx5-gtk
       fcitx5-rime
       fcitx5-hangul
     ];
  };
#  services.daed.enable = true;
  services.speechd.enable = true; #firefox error
  #programs.ssh.startAgent = true;
  #GnuPG
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
  services.pcscd.enable = true;
  services.tlp.enable = true;
  services.power-profiles-daemon.enable = false; # avoid conflicts
  services.xray.settingsFile = "/etc/nixos/scripts/config.json";
  services.xray.enable = true;
  systemd.services.xray.serviceConfig = {
    User="xray_tproxy";
  };
  users.users.xray_tproxy.linger = true;
  users.users.xray_tproxy.isSystemUser= true;
  users.users.xray_tproxy.group = "xray_tproxy";
  users.groups.xray_tproxy = {
    gid = 988;
  };
  systemd.services.tproxy-rules = {
    enable = true;
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    description = "Tproxy rules";
    path = [
    pkgs.nftables
    pkgs.iptables
    pkgs.iproute2]; #realpath $(which ip)
    serviceConfig = {
        EnvironmentFile = "/etc/nixos/scripts/.env";
        Type = "oneshot";
        RemainAfterExit="yes";
        ExecStart = "/etc/nixos/scripts/tproxy-rules.sh";
        ExecStop=''/etc/nixos/scripts/ipclean.sh ; \
        /run/current-system/sw/bin/ip route del local default dev lo table 100 ; /run/current-system/sw/bin/ip rule del table 100'';
    };
  };
  systemd.services.udp2raw = {
    enable = true;
    description = "Run udp2raw as a tproxy user";
    wantedBy = [ "multi-user.target" ];
    after = [ "tproxy-rules.service" ];
    serviceConfig = {
      EnvironmentFile = "/etc/nixos/scripts/.env";
      ExecStart = ''/etc/nixos/scripts/udp2raw.sh'';
      User="xray_tproxy";
    };
  };
  systemd.services.udpspeeder = {
    enable = true;
    description = "Run udpspeeder as a tproxy user";
    wantedBy = [ "multi-user.target" ];
    after = [ "tproxy-rules.service" ];
    serviceConfig = {
      EnvironmentFile = "/etc/nixos/scripts/.env";
      ExecStart = ''/etc/speederv2_binaries/speederv2_amd64 -c -l 0.0.0.0:7443 -r 127.0.0.1:6443 -k $SPEEDER_PWD -f2:2,20:8,50:15 --timeout 4 --mode 0 --log-level 5'';
      User="xray_tproxy";
    };
  };
  /*
    services.samba = {
    enable = true;
    settings = {
      myshare = {
        path = "/home/iopq/Public/";
        writable = true;
        "browseable" = "yes";
        "create mask" = "0644";
        "directory mask" = "0755";
        "force user" = "iopq";
        guestOk = true;
      };
    };
  };*/
}

File addition: hardware-configuration.nix (----------)

[2.1]

# Do not modify this file!  It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/8d5e4631-bd01-4295-81e2-17b1aeeceaca";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/DE38-454E";
      fsType = "vfat";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

File addition: flake.nix (----------)

[2.1]

{
  description = "NixOS configuration";
  inputs = {
    nixpkgs.url = "nixpkgs/nixos-unstable";
#    daeuniverse.url = "github:daeuniverse/flake.nix";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
  };
  outputs = inputs@{ self, nixpkgs, /*daeuniverse,*/ nixos-hardware}:
    let
      system = "x86_64-linux";
    in {
      nixosConfigurations.laptop = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
  #        daeuniverse.nixosModules.dae
  #        daeuniverse.nixosModules.daed
          nixos-hardware.nixosModules.framework-16-7040-amd
          ./configuration.nix
        ];
        specialArgs = {
          inherit inputs;
        };
      };
    };
}

File addition: flake.lock (----------)

[2.1]

{
  "nodes": {
    "nixos-hardware": {
      "locked": {
        "lastModified": 1760106635,
        "narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
        "rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1760524057,
        "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-unstable",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
}

File addition: configuration.nix (----------)

[2.1]

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
# shopt -s histappend
# make this work later
{ inputs, config, pkgs, lib, ... }:
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ./modules.nix
    ];
  #Chinese mirror
  #  nix.settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
  nix.settings = {
    substituters = ["https://cache.garnix.io"];
    trusted-public-keys = [
      "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
    ];
  };
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot";
  networking.hostName = "laptop"; # Define your hostname.
  # Set your time zone.
  time.timeZone = "Asia/Shanghai";
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console.useXkbConfig = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.iopq = {
    isNormalUser = true;
    description = "Igor";
    extraGroups = [ "networkmanager" "wheel" ];
    packages = with pkgs; [
      firefox
      thunderbird
      git
      tdesktop
      wineWowPackages.stagingFull #contains more stuff that changes between versions to let Battle.net launch StarCraft
      wineWowPackages.fonts
      winetricks
      krita
      vlc
      kodi
      mpv
      chromium
      stuntman
      pavucontrol
      p7zip
      wireplumber
      dig
      nftables
      samba #ntlm_auth for starcraft
      tcping-go
      nexttrace
      #xray
      iptables
      pijul
      scummvm
      telegram-desktop
      libreoffice
      bitcoin
      wget
      awscli2
      jq
      oci-cli
      anki
  (wrapOBS {
        plugins = [ obs-studio-plugins.obs-vkcapture
          obs-studio-plugins.wlrobs];
      })
    ];
  };
  nixpkgs.config.firefox.speechSynthesisSupport = true;
  environment.sessionVariables = {
    QT_QPA_PLATFORM = "wayland";
    __NV_DISABLE_EXPLICIT_SYNC = "1";
    HISTSIZE = "900";
    HISTFILESIZE = "900";
  };
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    go
    gcc
    nix-prefetch-github
    mission-center
    libva-utils
    tuxclocker
    killall
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.11"; # Did you read the comment?
}

File addition: .ignore (----------)
[2.1]
```
scripts/.env
```

Initial commit after removing passwords

Dependencies

In channels

Change contents

File addition: scripts (d--x------)

File addition: udp2raw.sh (---x------)

File addition: tproxy-rules.sh (---x------)

File addition: iptables.sh (---x------)

File addition: ipclean.sh (---x------)

File addition: ip6tables.sh (---x------)

File addition: ip6clean.sh (---x------)

File addition: modules.nix (----------)

File addition: hardware-configuration.nix (----------)

File addition: flake.nix (----------)

File addition: flake.lock (----------)

File addition: configuration.nix (----------)

File addition: .ignore (----------)