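{ config, pkgs, lib, modulesPath, ... }:

# NixOS module for an EC2 host running sing-box as a proxy server:
#   * one trojan inbound on TCP 8080,
#   * four tuic (QUIC) inbounds on UDP 6311-6314,
# all terminating TLS with an ACME certificate for `custom.domain`.
# Credentials come from sops-nix (see ../sops.nix) and are passed using the
# sing-box module's `_secret` convention, so the generated config in the
# (world-readable) Nix store holds only file paths, never the secrets.
let
  cfg = config.custom;

  # Ports are declared once so the firewall rules and the inbound list
  # cannot drift apart when one of them is edited.
  trojanPort = 8080;
  tuicPorts = lib.range 6311 6314;

  # `{ _secret = <path>; }`: the NixOS sing-box module substitutes the file
  # contents at service start instead of embedding the value in config.json.
  sg_password = { _secret = config.sops.secrets.singbox_sg_password.path; };
  sg_uuid = { _secret = config.sops.secrets.singbox_sg_uuid.path; };

  acmeDir = config.security.acme.certs.${cfg.domain}.directory;

  # TLS settings shared by every inbound. key.pem is the ACME private key,
  # so the sing-box service user must be able to read `acmeDir`.
  # NOTE(review): nothing in this file grants that access (e.g. adding the
  # service to the `acme` group or setting the cert's `group`); confirm it is
  # handled elsewhere, otherwise the inbounds cannot load their certificate.
  singTls = {
    enabled = true;
    server_name = cfg.domain;
    key_path = acmeDir + "/key.pem";
    certificate_path = acmeDir + "/cert.pem";
  };

  # Single shared proxy account; tuic additionally requires a uuid.
  proxyUser = { name = "proxy"; password = sg_password; };
in
{
  options.custom.domain = lib.mkOption {
    type = lib.types.str;
    default = "";
    description = "Public hostname used for the ACME certificate and as TLS server_name. Must be set.";
  };

  imports = [
    "${modulesPath}/virtualisation/amazon-image.nix"
    ../sops.nix
  ];

  config = {
    # With the default "" the ACME cert would be registered under an empty
    # name and server_name would be empty; fail evaluation instead.
    assertions = [
      {
        assertion = cfg.domain != "";
        message = "custom.domain must be set to the public hostname of this proxy.";
      }
    ];

    # amazon-image.nix selects its own GRUB device; this instance boots from NVMe.
    boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";

    # BBR + fq for the host's TCP traffic (the tuic inbounds carry their own
    # congestion_control setting below).
    boot.kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
    };

    # Every packet arriving on tun0 bypasses the firewall entirely. tun0 is
    # not defined in this file -- presumably a VPN/tunnel set up elsewhere --
    # so anything that can reach that interface can reach every local port.
    networking.firewall.trustedInterfaces = [ "tun0" ];

    security.acme = {
      acceptTerms = true;
      certs.${cfg.domain} = {
        email = "me@namely.icu";
        # HTTP-01 via lego's built-in listener; requires TCP 80 open (below).
        listenHTTP = ":80";
        # sing-box reads the cert files when it starts, so restart it after
        # each renewal or it keeps serving the old certificate until reboot.
        reloadServices = [ "sing-box.service" ];
      };
    };

    # 80: ACME challenge. 8080: trojan (TCP). 6311-6314: tuic (UDP/QUIC).
    networking.firewall.allowedTCPPorts = [ 80 trojanPort ];
    networking.firewall.allowedUDPPorts = tuicPorts;

    services.sing-box = {
      enable = true;
      settings.inbounds = [
        {
          tag = "sg0";
          type = "trojan";
          # "::" is the unspecified address; expect a dual-stack bind, but
          # verify the address family you actually want exposed.
          listen = "::";
          listen_port = trojanPort;
          users = [ proxyUser ];
          tls = singTls;
        }
      ] ++ lib.forEach tuicPorts (port: {
        tag = "sg" + toString (port - 6310); # sg1 .. sg4
        type = "tuic";
        listen = "::";
        listen_port = port;
        congestion_control = "bbr";
        users = [ (proxyUser // { uuid = sg_uuid; }) ];
        tls = singTls;
      });
    };
  };
}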