diff --git a/.sops.yaml b/.sops.yaml index b712e57..baadf5e 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,8 +2,8 @@ keys: - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - - &host-dolomite00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - - &host-dolomite01 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + - &host-sgp-00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta creation_rules: - path_regex: machines/calcite/secrets.yaml @@ -21,18 +21,28 @@ creation_rules: - age: - *xin - *host-massicot - + - path_regex: machines/dolomite/secrets/sgp-00.yaml + key_groups: + - age: + - *xin + - *host-sgp-00 + - path_regex: machines/dolomite/secrets/tok-00.yaml + key_groups: + - age: + - *xin + - *host-tok-00 - path_regex: machines/secrets.yaml key_groups: - age: - *xin - *host-calcite - *host-raspite - - *host-dolomite00 - - *host-dolomite01 + - *host-sgp-00 + - *host-tok-00 - path_regex: home/xin/secrets.yaml key_groups: - age: - *xin - *host-raspite - *host-calcite + diff --git a/flake.lock b/flake.lock index 714b2a5..c8658bc 100644 --- a/flake.lock +++ b/flake.lock @@ -1,6 +1,49 @@ { "nodes": { + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "stable": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699171528, + "narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "665603956a1c3040d756987bc7a810ffe86a3b15", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1673956053, @@ -76,7 +119,7 @@ }, "nix-vscode-extensions": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils": [ "flake-utils" ], @@ -202,6 +245,7 @@ }, "root": { "inputs": { + "colmena": "colmena", "flake-utils": "flake-utils", "home-manager": "home-manager", "nix-index-database": "nix-index-database", diff --git a/flake.nix b/flake.nix index 8584b8d..f7e2e10 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,13 @@ url = "github:numtide/flake-utils"; }; + colmena = { + url = "github:zhaofengli/colmena"; + inputs.stable.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; + nix-index-database = { url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; @@ -73,7 +80,7 @@ nixosModules.default = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; - colmena = { + colmenaHive = colmena.lib.makeHive { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; @@ -95,60 +102,53 @@ ]; }; - dolomite00 = { name, nodes, pkgs, ... }: with inputs; { + sgp-00 = { name, nodes, pkgs, ... }: with inputs; { imports = [ - { nixpkgs.system = "x86_64-linux"; custom.domain = "video.namely.icu"; } - machines/dolomite + machines/dolomite ]; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "sgp-00"; + system.stateVersion = "23.11"; deployment = { targetHost = "video.namely.icu"; buildOnTarget = false; + tags = [ "proxy" ]; }; }; - dolomite01 = { name, nodes, pkgs, ... }: with inputs; { + tok-00 = { name, nodes, pkgs, ... }: with inputs; { imports = [ - { nixpkgs.system = "x86_64-linux"; custom.domain = "video01.namely.icu"; } - machines/dolomite + machines/dolomite ]; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "tok-00"; + system.stateVersion = "23.11"; deployment = { targetHost = "video01.namely.icu"; buildOnTarget = false; + tags = [ "proxy" ]; }; }; }; - nixosConfigurations.calcite = mkNixos { - system = "x86_64-linux"; - modules = [ - nixos-hardware.nixosModules.asus-zephyrus-ga401 - machines/calcite/configuration.nix - (mkHome "xin" "calcite") - ]; - }; - - nixosConfigurations.massicot = mkNixos { - system = "aarch64-linux"; - modules = [ - machines/massicot - ]; - }; - - nixosConfigurations.dolomite = mkNixos { - system = "x86_64-linux"; - modules = [ - machines/dolomite - ]; - }; - - nixosConfigurations.raspite = mkNixos { - system = "aarch64-linux"; - modules = [ - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - (mkHome "xin" "raspite") - ]; - }; + nixosConfigurations = { + calcite = mkNixos { + system = "x86_64-linux"; + modules = [ + nixos-hardware.nixosModules.asus-zephyrus-ga401 + machines/calcite/configuration.nix + (mkHome "xin" "calcite") + ]; + }; + raspite = mkNixos { + system = "aarch64-linux"; + modules = [ + nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix + (mkHome "xin" "raspite") + ]; + }; + } // self.colmenaHive.nodes; images.raspite = (mkNixos { system = "aarch64-linux"; @@ -163,16 +163,5 @@ } ]; }).config.system.build.sdImage; - } // - (with flake-utils.lib; (eachSystem defaultSystems (system: - let pkgs = import nixpkgs { inherit system; }; in - { - packages = { - homeConfigurations."xin" = import ./home/xin/gold { inherit home-manager pkgs; }; - }; - devShells.default = pkgs.mkShell { - buildInputs = with pkgs; [ git colmena nix-output-monitor ssh-to-age ]; - }; - } - ))); + }; } diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index f50fb6f..5dd6073 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,33 +1,24 @@ -{ config, pkgs, lib, modulesPath, ... }: -let - cfg = config.custom; - sg_password = { - _secret = config.sops.secrets.singbox_sg_password.path; - }; - sg_uuid = { - _secret = config.sops.secrets.singbox_sg_uuid.path; - }; - singTls = { - enabled = true; - server_name = cfg.domain; - key_path = config.security.acme.certs.${cfg.domain}.directory + "/key.pem"; - certificate_path = config.security.acme.certs.${cfg.domain}.directory + "/cert.pem"; - }; -in +{ inputs, config, pkgs, lib, modulesPath, ... }: { - options = { - custom.domain = lib.mkOption { - type = lib.types.str; - default = ""; - }; - }; - imports = [ - "${modulesPath}/virtualisation/amazon-image.nix" ../sops.nix + "${modulesPath}/virtualisation/amazon-image.nix" ]; + config = { + sops = { + secrets = { + wg_private_key = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + wg_ipv6_local_addr = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + }; + }; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; boot.kernel.sysctl = { "net.core.default_qdisc" = "fq"; @@ -38,7 +29,7 @@ in security.acme = { acceptTerms = true; - certs.${cfg.domain} = { + certs.${config.deployment.targetHost} = { email = "me@namely.icu"; listenHTTP = ":80"; }; @@ -46,9 +37,31 @@ in networking.firewall.allowedTCPPorts = [ 80 8080 ]; networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); - services.sing-box = { + services.sing-box = let + singTls = { + enabled = true; + server_name = config.deployment.targetHost; + key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; + certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; + }; + password = { + _secret = config.sops.secrets.singbox_password.path; + }; + uuid = { + _secret = config.sops.secrets.singbox_uuid.path; + }; + in + { enable = true; settings = { + dns = { + servers = [ + { + address = "1.1.1.1"; + detour = "wg-out"; + } + ]; + }; inbounds = [ { tag = "sg0"; @@ -57,7 +70,7 @@ in listen_port = 8080; users = [ { name = "proxy"; - password = sg_password; + password = password; } ]; tls = singTls; @@ -70,12 +83,53 @@ in congestion_control = "bbr"; users = [ { name = "proxy"; - uuid = sg_uuid; - password = sg_password; + uuid = uuid; + password = password; } ]; tls = singTls; }); + outbounds = [ + { + type = "wireguard"; + tag = "wg-out"; + private_key = { + _secret = config.sops.secrets.wg_private_key.path; + }; + local_address = [ + "172.16.0.2/32" + { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } + ]; + peers = [ + { public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; + allowed_ips = [ "0.0.0.0/0" "::/0" ]; + server = "162.159.192.1"; + server_port = 500; + } + ]; + } + { + type = "direct"; + tag = "direct"; + } + { + type = "dns"; + tag = "dns-out"; + } + ]; + route = { + rules = [ + { + outbound = "dns-out"; + protocol = "dns"; + } + { + geoip = "cn"; + geosite = "cn"; + outbound = "direct"; + } + ]; + }; }; }; }; diff --git a/machines/dolomite/secrets/sgp-00.yaml b/machines/dolomite/secrets/sgp-00.yaml new file mode 100644 index 0000000..aef9c5d --- /dev/null +++ b/machines/dolomite/secrets/sgp-00.yaml @@ -0,0 +1,31 @@ +wg_private_key: ENC[AES256_GCM,data:UjxZ3iC5hxVcVJdEUJ3+myaQ/6MvghDw6eKa2flSuxMwFS31WB7r3evjlI0=,iv:BjgXCps6gx1ISghEO42x5aKb+c/n0P1V8FMVlPxAyLY=,tag:IkxCkpyVre+sFoBlRSFpMA==,type:str] +wg_ipv6_local_addr: ENC[AES256_GCM,data:ejDYuZjZCKcsvyUUKdXtxgBqWloIwYHmpc/YwCYq7O2thsxvOou6iSHf,iv:HDrMlec4svxHpZXMyRDzpdSKeJbTmkZPd98SHv2ZLhQ=,tag:LjpapuaJ6sl4USZC8xEU5w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUkpVa0dCSE1rTjZpaWR1 + cjJjc25iOEV4TnhQUWE4SjI4QWVZYXdVcHdBCkIrNlVrV2xJRURVSG9sUHozeE5s + NitsV1MvcENZTHhmU01CSTRVNENXUFEKLS0tIGgxakQ2cGIzdzg5QzRoT3ZSaXUx + TkN5MkNTNitWMzVKZWdhNGRIZ3VNNDgKQ6lwM6EowuGOrskUpwD8VGirravE+e3/ + Hkv5jLvvfVjmg0kvKlNRotTHrRUGV04JsbW7T9FfbKyYpmEb6oCrsg== + -----END AGE ENCRYPTED FILE----- + - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSUlkQzhYSGwyNnYvNHpQ + UktKOUZiYk56S0piVy9ZMFdYVFdsN1FEVkhVCnZETEM5MW84TlNpbm1hSXJtR2Yy + OEdrSi9lcmJOR2F1cUZqc0NyQjl4RDgKLS0tIHVLcnRicmVNd2MwVjB4cGFXTlBu + VkJCcXdqTkUzejNzSjIvV2YrVUc5Sm8KutTATsWJ5+yB/CFoGwTNshyI5LzwH4x5 + i5EIIkVPdxSIHrXUp0j6+RPWMJvEOFIE3dVwxz+MxqqHqtmEny1WKA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-19T12:31:51Z" + mac: ENC[AES256_GCM,data:AY0/qJ1ZXv4mQlHnG3uY2zQ0FhIYjHBWKyXXpv2/Q6yZkuSu6nIQk039nd+nk7lczXy2cylTHyjYv5vDF6BJARhu4jeYov6yMqYR8ye8rXjZKcOfrN5yv7LV6jyuzBRBkCWTQsaoR8ycKHlrMe+vkAGu50epdAQjAG+Qv6RkBiM=,iv:dMi2CququdEIg+g8NMUb8ioKwEkUqTP+nrivtsUYUUY=,tag:drHI6oJUUwN3JadCHbWWkg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/dolomite/secrets/tok-00.yaml b/machines/dolomite/secrets/tok-00.yaml new file mode 100644 index 0000000..5872491 --- /dev/null +++ b/machines/dolomite/secrets/tok-00.yaml @@ -0,0 +1,31 @@ +wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str] +wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYTc2a2J3ZXRXTlRxQTAx + UjZVTTVPa0FjbS9jekI5eXhLOTdUQTlBS2pJCnVPL2Q1d05QR2NpTDVZeDFpSCs3 + Yjh3aXkvdTBIOThVMGMzcUZmUWhtTjgKLS0tIFZvcy9zRVBRcDN0ekp0MEV5cEph + ZURTL3hnSHgwQTlSNklCK25icEM0SGsKq2jM6jXLfK38BgV0calwKLuHIcGw0zed + lT19Mt9jFsqmIkpJh1U9Ddpz63WND+7ruMdTZt6RWStIxww4m7pevg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSXBqdXcxUDNkS29Gd3ZY + dTA3bmNUVThtTFJtdnFpSjZQT01TTXhpYUc4CkFhcm14eUw1YXIyWEViMSsyc3pr + VUJqWWdHMCtoRGQ1T3dMQlg3ZTZ5dGMKLS0tIGQvbGpFZTdrVUFURE9tdENCZGwr + aDBKbitCTmhxNXVNRGh6TVBvbkNhTUEKIuj7B4RdueX7BfExgzVoo6YJf59GsUHa + j5kIJ5UeTqWEBGBaXcPjhHMEQjYqwSBsVz2XJmsxLhi8WxejLio8FA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-19T12:30:24Z" + mac: ENC[AES256_GCM,data:f+7+O2ZVSZJhr0fJlfO/AtZC2N/7gsNu1f4cnUoXYFb1wobyU6tLkbwGqeyIulokgIDAU5lJ62TJXAjybe+kE+PGtpr61KS7dyiO0LjzcT/X898oBYvJ9jtkuxDzKM4ve570U7ZmS7Jbxt2NJEkcBvSUJRdJHH5l0sDrvmW8cwY=,iv:mno6jVUDUWxsO353hbCqGub+NYfk0XFsWzmWCBUt6Gg=,tag:KOw7HTy+pETha5pzx5Pf8Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 6f33bd8..fba11c5 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -2,12 +2,10 @@ clash_subscription_link: ENC[AES256_GCM,data:Vwy0c8gOeR1XG/QNp8TGuBe/5kezD7SSStN autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str] autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str] github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] -singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str] -singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str] singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str] singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:+Nwsx65/gdrDhL1ZurR5Ng==,type:str] -singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str] -singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str] +singbox_password: ENC[AES256_GCM,data:0tBIzwtNSQqbGlD+CDnQfJigbFVBChEL,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:5BtYAv1NO70IL4m/uG8QKA==,type:str] +singbox_uuid: ENC[AES256_GCM,data:ufN+vDl/rDASoQL23tHwlr3ybMyrlC/Kd7bT0c5+SP+bc6Zj,iv:+uwt/N9LpFaJK6MjoczyrZ039MDZn4kRmtEoq4OvdFU=,tag:6Yma9+yrISwQoSRDgUbuwA==,type:str] sops: kms: [] gcp_kms: [] @@ -59,8 +57,8 @@ sops: Y2MyZUhOaEVVZU9Hc0xHbWtMdG1Ca2cKHU7pgODnNVDiMFF6be07a320a9HWKIdO OKFA9R6WX1TFhKBKNDqK/mokJBTxu4nR16ewHSWOU13O/M8aKCQhug== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-02T15:24:19Z" - mac: ENC[AES256_GCM,data:dgWoBRMuDxVT/j/ybQX7suehwsjy86rJ0pJ1UeDQcTywIeK8WgIvNuq+T1x9UFgPWn7xt+vMQV665hugTl8T4Wb7Eot2FqM3KPq8EONVaGLAxtQv75MQmcJD+5kfSSsDC+HVujmWl5uFy5jzFJgrHEsm2v9lCxRO/2kvjbQbZAM=,iv:YBz+OewY51YNhjPF4QSq27vT6zEwFCkPW5MctOQ7AvQ=,tag:Tfbo7o4QgMUP6UPTJ36dTg==,type:str] + lastmodified: "2023-12-19T12:56:28Z" + mac: ENC[AES256_GCM,data:v7Rn7dPOzfcgab2MhiU7h0CXjkAbkpBX7l7iLdnw3RUIjxulTXVuPpgenojF5yVqFCPgm2LKBKniD+cvtMvVhb00a1tnDNM/tfjH9GjBYNZH9xtPWJED7GLASd6nIF5BZhANKhH8yphAi5VJ/4cyEdMFbWu+2gO8GyQxJQYhgY8=,iv:bbbZ8vF+Vbwq/6PXN/7qvRO62M/eDZ591v4gXc1fs+g=,tag:dyt9LVU32hnbVT12C/Afqw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/sing-box.nix b/machines/sing-box.nix index e83fa05..060d028 100644 --- a/machines/sing-box.nix +++ b/machines/sing-box.nix @@ -1,13 +1,10 @@ { config, lib, pkgs, ... }: let - server = { - _secret = config.sops.secrets.singbox_domain.path; - }; password = { _secret = config.sops.secrets.singbox_password.path; }; uuid = { - _secret = config.sops.secrets.singbox_password.path; + _secret = config.sops.secrets.singbox_uuid.path; }; sg_server = { _secret = config.sops.secrets.singbox_sg_server.path; @@ -15,13 +12,6 @@ let jp_server = { _secret = config.sops.secrets.singbox_jp_server.path; }; - # TODO: diffrent password - sg_password = { - _secret = config.sops.secrets.singbox_sg_password.path; - }; - sg_uuid = { - _secret = config.sops.secrets.singbox_sg_uuid.path; - }; in { services.sing-box = { @@ -47,14 +37,12 @@ in server = "_dns_doh_mainland"; } { - domain_suffix = server; - server = "_dns_doh_mainland"; - } - { + disable_cache = false; domain_suffix = sg_server; server = "_dns_doh_mainland"; } { + disable_cache = false; domain_suffix = jp_server; server = "_dns_doh_mainland"; } @@ -77,7 +65,7 @@ in tag = "_dns_udp_mainland"; } { - address = "https://doh.pub/dns-query"; + address = "tls://1.12.12.12:853/"; address_resolver = "_dns_udp_mainland"; detour = "direct"; tag = "_dns_doh_mainland"; @@ -88,6 +76,7 @@ in } ]; final = "_dns_global"; + strategy = "prefer_ipv4"; disable_cache = true; }; inbounds = [ @@ -131,76 +120,28 @@ in ]; }; outbounds = [ - { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://www.gstatic.com/generate_204"; } - { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } - { tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } - - { default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } - { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; } + { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://cp.cloudflare.com/"; } + { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } + { tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } + { default = "auto"; outbounds = [ "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } { tag = "direct"; type = "direct"; } { tag = "block"; type = "block"; } { tag = "dns-out"; type = "dns"; } - { inherit server password; method = "aes-128-gcm"; server_port = 12001; tag = "香港SS-01"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12002; tag = "香港SS-02"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12003; tag = "香港SS-03"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12004; tag = "香港SS-04"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12011; tag = "日本SS-01"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12012; tag = "日本SS-02"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12013; tag = "日本SS-03"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12021; tag = "美国SS-01"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12022; tag = "美国SS-02"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12023; tag = "美国SS-03"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12031; tag = "台湾SS-01"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12032; tag = "台湾SS-02"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12033; tag = "台湾SS-03"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server password; method = "aes-128-gcm"; server_port = 12034; tag = "台湾SS-04"; type = "shadowsocks"; udp_over_tcp = false; } - { inherit server uuid; security = "auto"; server_port = 1201; tag = "香港中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1202; tag = "香港中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1203; tag = "香港中继3"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1204; tag = "香港中继4"; transport = { path = "/"; type = "ws"; }; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1205; tag = "香港中继5"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1206; tag = "香港中继6"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1207; tag = "香港中继7"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1208; tag = "香港中继8"; transport = { path = "/"; type = "ws"; }; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1211; tag = "日本中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1212; tag = "日本中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1213; tag = "日本中继3"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1214; tag = "日本中继4"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1231; tag = "美国中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1232; tag = "美国中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1233; tag = "美国中继3"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1234; tag = "美国中继4"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1235; tag = "美国中继5"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1236; tag = "美国中继6"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1237; tag = "美国中继7"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1238; tag = "美国中继8"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1241; tag = "新加坡中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1242; tag = "新加坡中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1261; tag = "台湾中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1262; tag = "台湾中继2"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1263; tag = "台湾中继3"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1264; tag = "台湾中继4"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1265; tag = "台湾中继5"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1266; tag = "台湾中继6"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1251; tag = "韩国中继1"; type = "vmess"; } - { inherit server uuid; security = "auto"; server_port = 1252; tag = "韩国中继2"; type = "vmess"; } ] ++ lib.forEach (lib.range 6311 6314) (port: { + inherit uuid password; tag = "sg" + toString (port - 6310); type = "tuic"; congestion_control = "bbr"; server = sg_server; server_port = port; - uuid = sg_uuid; - password = sg_password; tls = { enabled = true; server_name = sg_server; }; }) ++ lib.forEach (lib.range 6311 6314) (port: { + inherit uuid password; tag = "jp" + toString (port - 6310); type = "tuic"; congestion_control = "bbr"; server = jp_server; server_port = port; - uuid = sg_uuid; - password = sg_password; tls = { enabled = true; server_name = jp_server; }; }); }; diff --git a/machines/sops.nix b/machines/sops.nix index 13a57d3..1a8aa50 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -12,22 +12,16 @@ clash_subscription_link = { owner = "root"; }; - singbox_password = { - owner = "root"; - }; - singbox_domain = { - owner = "root"; - }; singbox_sg_server = { owner = "root"; }; singbox_jp_server = { owner = "root"; }; - singbox_sg_password = { + singbox_password = { owner = "root"; }; - singbox_sg_uuid = { + singbox_uuid = { owner = "root"; }; };