From 9fb8bcd6213c202fd616d0aca4ba7d74a8d7ab81 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 6 Dec 2023 22:54:22 +0800 Subject: [PATCH] dolomite: add an instance at sg --- .sops.yaml | 6 +- flake.nix | 15 +++- machines/calcite/configuration.nix | 2 +- machines/dolomite/default.nix | 110 ++++++++++++++++------------- machines/secrets.yaml | 54 ++++++++------ machines/sing-box.nix | 20 +++++- machines/sops.nix | 5 +- 7 files changed, 132 insertions(+), 80 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index fd6a3d4..63e67a7 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,7 +2,8 @@ keys: - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - - &host-dolomite age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + - &host-dolomite00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + - &host-dolomite01 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: @@ -20,7 +21,8 @@ creation_rules: - *xin - *host-calcite - *host-raspite - - *host-dolomite + - *host-dolomite00 + - *host-dolomite01 - path_regex: home/xin/secrets.yaml key_groups: - age: diff --git a/flake.nix b/flake.nix index 22af664..ce335c2 100644 --- a/flake.nix +++ b/flake.nix @@ -75,9 +75,9 @@ ]; }; - dolomite = { name, nodes, pkgs, ... }: with inputs; { + dolomite00 = { name, nodes, pkgs, ... }: with inputs; { imports = [ - { nixpkgs.system = "x86_64-linux"; } + { nixpkgs.system = "x86_64-linux"; custom.domain = "video.namely.icu"; } machines/dolomite ]; deployment = { 
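Review bot: Adding `*host-dolomite01` to the key group in the second hunk lets the new host decrypt every entry of the file that group protects, not only the sing-box ones the dolomite module appears to read; the re-encrypted `machines/secrets.yaml` further down in this commit shows `github_public_token` and `clash_subscription_link` now carry a recipient stanza for that host as well. The file already has a per-host rule (`path_regex: machines/calcite/secrets.yaml`), so a `machines/dolomite/secrets.yaml` rule keyed to `*host-dolomite00` and `*host-dolomite01` only would keep the unrelated secrets off the proxy hosts. The rule this key group belongs to (its `path_regex`) is above the hunk, so which file it covers is inferred here.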
@@ -85,6 +85,17 @@ buildOnTarget = false; }; }; + + dolomite01 = { name, nodes, pkgs, ... }: with inputs; { + imports = [ + { nixpkgs.system = "x86_64-linux"; custom.domain = "video01.namely.icu"; } + machines/dolomite + ]; + deployment = { + targetHost = "video01.namely.icu"; + buildOnTarget = false; + }; + }; }; nixosConfigurations.calcite = mkNixos { diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 92dc4ca..c04f6ab 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -188,7 +188,7 @@ digikam # IM - cinny-desktop + element-desktop tdesktop qq config.nur.repos.xddxdd.wechat-uos diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 9bb2580..f50fb6f 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,8 +1,6 @@ { config, pkgs, lib, modulesPath, ... }: let - sg_server = { - _secret = config.sops.secrets.singbox_sg_server.path; - }; + cfg = config.custom; sg_password = { _secret = config.sops.secrets.singbox_sg_password.path; }; 
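Review bot: `dolomite01` repeats `dolomite00` line for line with only the domain changed, so every future tweak to the dolomite node (system, imports, deployment flags) has to be made twice and the two will drift. A small builder bound in a `let` outside the node set (putting it inside the set would be read as a node) lets each entry collapse to `dolomite01 = mkDolomite "video01.namely.icu";`. The `targetHost` of `dolomite00` sits outside the visible hunk; the sketch below assumes it is its domain too, as it is for `dolomite01`.
```nix
mkDolomite = domain: { name, nodes, pkgs, ... }: with inputs; {
  imports = [
    { nixpkgs.system = "x86_64-linux"; custom.domain = domain; }
    machines/dolomite
  ];
  deployment = {
    targetHost = domain;
    buildOnTarget = false;
  };
};
# … unchanged: other nodes in the set …
dolomite00 = mkDolomite "video.namely.icu";
dolomite01 = mkDolomite "video01.namely.icu";
```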
@@ -11,65 +9,75 @@ let }; singTls = { enabled = true; - server_name = sg_server; - key_path = config.security.acme.certs."video.namely.icu".directory + "/key.pem"; - certificate_path = config.security.acme.certs."video.namely.icu".directory + "/cert.pem"; + server_name = cfg.domain; + key_path = config.security.acme.certs.${cfg.domain}.directory + "/key.pem"; + certificate_path = config.security.acme.certs.${cfg.domain}.directory + "/cert.pem"; }; in { + options = { + custom.domain = lib.mkOption { + type = lib.types.str; + default = ""; + }; + }; + imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ../sops.nix ]; - boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; - boot.kernel.sysctl = { - "net.core.default_qdisc" = "fq"; - "net.ipv4.tcp_congestion_control" = "bbr"; - }; + config = { + boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + }; - networking.firewall.trustedInterfaces = [ "tun0" ]; + networking.firewall.trustedInterfaces = [ "tun0" ]; - security.acme = { - acceptTerms = true; - certs."video.namely.icu" = { - email = "me@namely.icu"; - listenHTTP = ":80"; + security.acme = { + acceptTerms = true; + certs.${cfg.domain} = { + email = "me@namely.icu"; + listenHTTP = ":80"; + }; + }; + networking.firewall.allowedTCPPorts = [ 80 8080 ]; + networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); + + services.sing-box = { + enable = true; + settings = { + inbounds = [ + { + tag = "sg0"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = [ + { name = "proxy"; + password = sg_password; + } + ]; + tls = singTls; + } + ] ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "sg" + toString (port - 6310); + type = "tuic"; + listen = "::"; + listen_port = port; + congestion_control = "bbr"; + users = [ + { name = "proxy"; + uuid = sg_uuid; + password = sg_password; + } + ]; + tls = singTls; + }); + }; }; }; - 
networking.firewall.allowedTCPPorts = [ 80 8080 ]; - networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); - services.sing-box = { - enable = true; - settings = { - inbounds = [ - { - tag = "sg0"; - type = "trojan"; - listen = "::"; - listen_port = 8080; - users = [ - { name = "proxy"; - password = sg_password; - } - ]; - tls = singTls; - } - ] ++ lib.forEach (lib.range 6311 6314) (port: { - tag = "sg" + toString (port - 6310); - type = "tuic"; - listen = "::"; - listen_port = port; - congestion_control = "bbr"; - users = [ - { name = "proxy"; - uuid = sg_uuid; - password = sg_password; - } - ]; - tls = singTls; - }); - }; - }; } diff --git a/machines/secrets.yaml b/machines/secrets.yaml index d868166..6f33bd8 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -5,6 +5,7 @@ github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGt singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str] singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str] singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str] +singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:+Nwsx65/gdrDhL1ZurR5Ng==,type:str] singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str] singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str] sops: 
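Review bot: `custom.domain` is declared with `default = "";`, so a host that forgets to set it still evaluates and ends up requesting `security.acme.certs.""` and serving TLS with an empty `server_name` instead of failing at build time. Dropping the default makes the option required and gives the usual "option used but not defined" error; a description also documents what the value drives: `custom.domain = lib.mkOption { type = lib.types.str; description = "Public domain of this instance; used for the ACME certificate and as the sing-box TLS server_name."; };`. The `let` block that binds `cfg` starts above the hunk.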
@@ -16,41 +17,50 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTW9oblRGVXZSYU1UaUpY - bEJvd0FST3gydXRzQ25GNm5vMEsyMlJpU0RRCjNFTk9rajQraGhoWFhFTDFtTnNE - aDNuaTZRZUtVcWkrN1RvZmZBRmJVTVkKLS0tIFdta3l4M3JoTU9tTllLUENOdTU0 - K2UxRnNTcEw4OC85cWdFNlVSMnlseFUKXtUh8vavnw5I+16bZszXNXmDndXovAN/ - XzrbfhXyE8B7jxlsSp6b5mu7RXWHP9knM2BqfrhhK0NJ/uuKfKNIEA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweTlPTGVRbUlndTdES0s2 + SVM2N2FUMnozQk11cDk0cTFEb1l6YldkVHc4CmhnNzJyY1VKRWhpc0tTbFNKeDBD + a0hzMi93Ly9zY2Fjd1RCdjV6WnVmOU0KLS0tIFh6NVFteWxxNithMGM0dnJiNE9X + dGovQ2ZMZWx1djVkb0Y4ZVNLRDJPRncKz0N/zP3mN97BpLaDgE9hx/zooGyHAnvC + D8iH/1PZ21uMYeUQq83B8mDKbv+qAltA/vD+ZNnb4ULjYLmVn5p/hQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzd2tMOXVCZFJsaWJDV1FQ - UWpoSDgxVUZ6UCt3Z2I5YjFxcnUzK3dNVndnClZBV29OV0swZzd5UmJsQ2J3RFpo - UnpvQ21BajBYc2xzWDNHWStzNTJLelkKLS0tIDNROGJQTzNDZUZHU09RcUpGemJr - dnpGSmdCRXJsU2FNV0V1N0pSczJwRTgK99s4wGGlpgkmr6sFzw8iqEPy2c3CvrvK - Ak+DlVCx6G9YXCIoXPIysY3EkfrKQwf/5LUMxSTN8V1gOMeTyomt/w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUkxVTUtYZ0RWUFVxY0Rl + UFFadVlzUFJVMGpzRVd5bHVDQmQycVlNSkcwCkMvcUJMRFVWTzNHZ3pxemRLelJP + K3pQMFdURmpRUVRuL1lzT09FVVdBd3MKLS0tIE9LY0NHSW1UWUJpbWdNQW1CVUlD + b1FmZnVjOFFCMDVXdFBtZzZWdkt6RVUKvLoHmEhkyeKHlstRoT3duTIQTojxzcFI + NapIBB3/6Qqho+kYc8/hLWb61EsSX9yqO9C6f6FpFrwi0696OvP3mA== -----END AGE ENCRYPTED FILE----- - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWU0xQzRqbG1CTnlSZmFj - TFZvMHU3NVVQTTVHZzJkZ3FGS3doRXhGamdjCk0vaGVaZWlwT2NLd0NPeUliQ09Q - cFNiMGZqUHliUEw1WDlWV3ZsR0lRYzAKLS0tIG8wWm1IK2tpRGhQVVNCQU83cnFB - 
S1lwZ2NDRGQyOW92R2JLakRUMG1JUkUKHNvXcHFlbgssrzLVdFxIT7QpMiPK5zoy - /OqQhXZ/ewER3b+kMidZv5QXU6GvMWsriT24/yyfTc0tEe7t/Ojm4A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFNoMmNXV2F1U2E2bUhv + K3lGTCs2KzZYbXVlWEdVelNDTS80SW85c0J3CkszNGkrbFVKWks4dmwyYlpQMkpW + Zm02cG41ZlpwcEdCbzFkSHpjWHpCdG8KLS0tIHlrNXp6TTI5ZnhGTUNMWTZ0ekVS + VExPWk1zeVExYXdaL2o1WVB5NlhsNFkK3vsnc4qE08W13ttzt+YCHbQh2c/mOxFZ + DneXTgOjkyBaY5JDFKlzlIN3m8QRBG5vPOuSKXaoFmY8E68RzNey3w== -----END AGE ENCRYPTED FILE----- - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZK3o4WkZqaldXd2lBUm5r - NWVNMVh5SXZmVmFlUldiVUdrYitPK3dUUVJzCjJnSHR0ZmpmMzF3ZnlBeEJ6bHc0 - T0p2SXpoOGprbEdyUC9oWklTRndFcTAKLS0tIGN6VUZmVEJkWk5xR2dUaU1mbkZB - TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb - naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdHA5WHA2V2RNTTZXNVVT + Wks2a2tqT045ZkJFYTN2RHhmdkZxMjlPRDNFCm1HaHhLNkp6NWZxNUYvOTRybE1Z + Y1l5eDFkcXRWSko3ODhqV2htb3pzcDQKLS0tIGI3YlI4dCtMbGl1aHFZdDBic0Jv + LzV3NWhFQTlaZ1Y3R0paaEZPZDNpZzgK3/ZE3+F+mq574MfiF7PRlKmAU6mUTiGF + Ffqh0kQumHH7nBuunD0L7Zp2j15hMjUs/oxX558jY9BNl+rN2VWO0Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-30T16:23:27Z" - mac: ENC[AES256_GCM,data:TMy8toui6/DbFpyc+K7r+DN6Q21W9XKNxZeB44hJ+Sw3i+z46/m+lNJYbFVn/l/g7KykWMCi0UP8bgQtRrf6ARqyZkgXX/2H3FRyC1WXY9IJFXib05TtvXQQCkqscyWjEjkGBR8VREkVGCKEZAKdHqXFve70FrlxiWZgDv6QrIM=,iv:ukv1Mo6bwrTjsLnKzOesZiT1z5k6nvg7F8dk4fUsDUI=,tag:JM/iCdj+broRn1AxD2tQTg==,type:str] + - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueFhiQzdMaU1zR2VtOEtO + WFVtdVJLU3B3TzRSSENodUpuUm03TnBHQnhBCmRrdjJScEVsS0JTQmthZWIzVFlv + TVY3TUo0VllPWElua21mczZvT3YxYjAKLS0tIFpDcE0wSXdSRXFGY2tLd1orVE9L + 
Y2MyZUhOaEVVZU9Hc0xHbWtMdG1Ca2cKHU7pgODnNVDiMFF6be07a320a9HWKIdO + OKFA9R6WX1TFhKBKNDqK/mokJBTxu4nR16ewHSWOU13O/M8aKCQhug== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-02T15:24:19Z" + mac: ENC[AES256_GCM,data:dgWoBRMuDxVT/j/ybQX7suehwsjy86rJ0pJ1UeDQcTywIeK8WgIvNuq+T1x9UFgPWn7xt+vMQV665hugTl8T4Wb7Eot2FqM3KPq8EONVaGLAxtQv75MQmcJD+5kfSSsDC+HVujmWl5uFy5jzFJgrHEsm2v9lCxRO/2kvjbQbZAM=,iv:YBz+OewY51YNhjPF4QSq27vT6zEwFCkPW5MctOQ7AvQ=,tag:Tfbo7o4QgMUP6UPTJ36dTg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/sing-box.nix b/machines/sing-box.nix index fe775f6..e83fa05 100644 --- a/machines/sing-box.nix +++ b/machines/sing-box.nix @@ -12,6 +12,10 @@ let sg_server = { _secret = config.sops.secrets.singbox_sg_server.path; }; + jp_server = { + _secret = config.sops.secrets.singbox_jp_server.path; + }; + # TODO: diffrent password sg_password = { _secret = config.sops.secrets.singbox_sg_password.path; }; @@ -50,6 +54,10 @@ in domain_suffix = sg_server; server = "_dns_doh_mainland"; } + { + domain_suffix = jp_server; + server = "_dns_doh_mainland"; + } ]; servers = [ { 
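Review bot: The new `jp_server` is paired with the existing `sg_password` (and, in the last hunk of this file, `sg_uuid`), and the dolomite module accepts the same `sg_password`/`sg_uuid` on both instances, so the second server widens the blast radius of a single credential leak rather than isolating the hosts; the added `# TODO: diffrent password` acknowledges this but the commit ships the shared secret to a second machine. Since a `singbox_jp_server` secret is already introduced in `machines/sops.nix`, adding `singbox_jp_password`/`singbox_jp_uuid` next to it and selecting per-host values in `machines/dolomite/default.nix` (e.g. by domain) would close it. Minor: the comment should read `# TODO: different password per server`. The `let` block this binding lives in starts above the hunk.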
@@ -123,8 +131,9 @@ in ]; }; outbounds = [ - { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 800; url = "http://www.gstatic.com/generate_204"; interval = "1m0s"; } + { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://www.gstatic.com/generate_204"; } { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } + { tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } { default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; } @@ -184,6 +193,15 @@ in uuid = sg_uuid; password = sg_password; tls = { enabled = true; server_name = sg_server; }; + }) ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "jp" + toString (port - 6310); + type = "tuic"; + congestion_control = "bbr"; + server = jp_server; + server_port = port; + uuid = sg_uuid; + password = sg_password; + tls = { enabled = true; server_name = jp_server; }; }); }; }; diff --git a/machines/sops.nix b/machines/sops.nix index 21a89c2..13a57d3 100644 
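Review bot: The `selfhost` urltest in the first hunk of this part drops `interval = "1m0s"` and lowers `tolerance` from 800 to 50 while the commit message only says an instance was added; neither change is explained. With a 50 ms tolerance the selector will switch to whichever of the ten sg/jp outbounds measures marginally faster on each probe, which presumably churns connections between the two hosts, and the interval now falls back to whatever sing-box defaults to. If that is intended, a comment on the line such as `# prefer the lowest-latency instance; small tolerance so jp/sg swap freely` would keep the next reader from reverting it; otherwise keep the previous values.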
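Review bot: The jp tuic block in the last hunk duplicates the sg block immediately above it except for the tag prefix and the server, so the two lists will drift the next time a field (e.g. `congestion_control`) is tuned. A helper in the file's `let` (above the hunk), roughly `mkTuic = prefix: server: port: { tag = prefix + toString (port - 6310); type = "tuic"; ... server = server; server_port = port; ... };` built from the existing body, would let the two become `lib.forEach (lib.range 6311 6314) (mkTuic "sg" sg_server) ++ lib.forEach (lib.range 6311 6314) (mkTuic "jp" jp_server)`. The `outbounds` list this hunk appends to starts outside the hunk.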
--- a/machines/sops.nix
+++ b/machines/sops.nix
@@ -7,7 +7,7 @@
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 secrets = {
 github_public_token = {
- owner = "xin";
+ owner = "root";
 };
 clash_subscription_link = {
 owner = "root";
@@ -21,6 +21,9 @@
 singbox_sg_server = {
 owner = "root";
 };
+ singbox_jp_server = {
+ owner = "root";
+ };
 singbox_sg_password = {
 owner = "root";
 };
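Review bot: Switching `github_public_token` to `owner = "root"` in the first hunk is unrelated to the dolomite instance this commit adds and is not mentioned in the message, yet it changes which account can read that secret on every machine importing this module. If a root-run service now consumes it, a comment on the line, `# read by <service> (runs as root)`, would record why `xin` no longer needs it; otherwise the change belongs in its own commit so it can be reverted independently.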