nixos-config/machines/dolomite/default.nix

{ inputs, config, pkgs, lib, modulesPath, ... }:
{
  imports = [
    ../sops.nix
    "${modulesPath}/virtualisation/amazon-image.nix"
  ];


  config = {
    sops = {
      secrets = {
        wg_private_key = {
          owner = "root";
          sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
        };
        wg_ipv6_local_addr = {
          owner = "root";
          sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
        };
      };
    };
    boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
    boot.kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
    };

    networking.firewall.trustedInterfaces = [ "tun0" ];

    security.acme = {
      acceptTerms = true;
      certs.${config.deployment.targetHost} = {
        email = "me@namely.icu";
        listenHTTP = ":80";
      };
    };
    networking.firewall.allowedTCPPorts = [ 80 8080 ];
    networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);

    custom.prometheus = {
      enable = true;
      exporters.enable = true;
      grafana = {
        enable = true;
        password_file = config.sops.secrets.grafana_cloud_api.path;
      };
    };

    services.sing-box = let
      singTls = {
        enabled = true;
        server_name = config.deployment.targetHost;
        key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
        certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
      };
      password = {
        _secret = config.sops.secrets.singbox_password.path;
      };
      uuid = {
        _secret = config.sops.secrets.singbox_uuid.path;
      };
    in
    {
      enable = true;
      settings = {
        dns = {
          servers = [
            {
              address = "1.1.1.1";
              detour = "wg-out";
            }
          ];
        };
        inbounds = [
          {
            tag = "sg0";
            type = "trojan";
            listen = "::";
            listen_port = 8080;
            users = [
              { name = "proxy";
                password = password;
              }
            ];
            tls = singTls;
          }
        ] ++ lib.forEach (lib.range 6311 6314) (port: {
            tag = "sg" + toString (port - 6310);
            type = "tuic";
            listen = "::";
            listen_port = port;
            congestion_control = "bbr";
            users = [
              { name = "proxy";
                uuid = uuid;
                password = password;
              }
            ];
            tls = singTls;
          });
        outbounds = [
          {
            type = "wireguard";
            tag = "wg-out";
            private_key = {
              _secret = config.sops.secrets.wg_private_key.path;
            };
            local_address = [
              "172.16.0.2/32"
              { _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
            ];
            peers = [
              { public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
                allowed_ips = [ "0.0.0.0/0" "::/0" ];
                server = "162.159.192.1";
                server_port = 500;
              }
            ];
          }
          {
            type = "direct";
            tag = "direct";
          }
          {
            type = "dns";
            tag = "dns-out";
          }
        ];
        route = {
          rules = [
            {
              outbound = "dns-out";
              protocol = "dns";
            }
            {
              geoip = "cn";
              geosite = "cn";
              outbound = "direct";
            }
          ];
        };
      };
    };
  };

}
dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00			`{ inputs, config, pkgs, lib, modulesPath, ... }:`
dolomite: init 2023-10-06 14:05:19 +00:00			`{`
dolomite: host sing-box 2023-11-28 13:38:50 +00:00			`imports = [`
			`../sops.nix`
dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00			`"${modulesPath}/virtualisation/amazon-image.nix"`
dolomite: host sing-box 2023-11-28 13:38:50 +00:00			`];`

dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`config = {`
dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00			`sops = {`
			`secrets = {`
			`wg_private_key = {`
			`owner = "root";`
			`sopsFile = ./secrets + "/${config.networking.hostName}.yaml";`
			`};`
			`wg_ipv6_local_addr = {`
			`owner = "root";`
			`sopsFile = ./secrets + "/${config.networking.hostName}.yaml";`
			`};`
			`};`
			`};`
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";`
			`boot.kernel.sysctl = {`
			`"net.core.default_qdisc" = "fq";`
			`"net.ipv4.tcp_congestion_control" = "bbr";`
			`};`
dolomite: host sing-box 2023-11-28 13:38:50 +00:00
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`networking.firewall.trustedInterfaces = [ "tun0" ];`
dolomite: host sing-box 2023-11-28 13:38:50 +00:00
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`security.acme = {`
			`acceptTerms = true;`
dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00			`certs.${config.deployment.targetHost} = {`
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`email = "me@namely.icu";`
			`listenHTTP = ":80";`
			`};`
dolomite: host sing-box 2023-11-28 13:38:50 +00:00			`};`
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`networking.firewall.allowedTCPPorts = [ 80 8080 ];`
			`networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);`
dolomite: init 2023-10-06 14:05:19 +00:00
all: add prometheus 2023-12-20 03:13:20 +00:00			`custom.prometheus = {`
			`enable = true;`
			`exporters.enable = true;`
			`grafana = {`
			`enable = true;`
			`password_file = config.sops.secrets.grafana_cloud_api.path;`
			`};`
			`};`

dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00			`services.sing-box = let`
			`singTls = {`
			`enabled = true;`
			`server_name = config.deployment.targetHost;`
			`key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";`
			`certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";`
			`};`
			`password = {`
			`_secret = config.sops.secrets.singbox_password.path;`
			`};`
			`uuid = {`
			`_secret = config.sops.secrets.singbox_uuid.path;`
			`};`
			`in`
			`{`
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`enable = true;`
			`settings = {`
dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00			`dns = {`
			`servers = [`
			`{`
			`address = "1.1.1.1";`
			`detour = "wg-out";`
			`}`
			`];`
			`};`
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`inbounds = [`
			`{`
			`tag = "sg0";`
			`type = "trojan";`
			`listen = "::";`
			`listen_port = 8080;`
			`users = [`
			`{ name = "proxy";`
dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00			`password = password;`
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`}`
			`];`
			`tls = singTls;`
			`}`
			`] ++ lib.forEach (lib.range 6311 6314) (port: {`
			`tag = "sg" + toString (port - 6310);`
			`type = "tuic";`
			`listen = "::";`
			`listen_port = port;`
			`congestion_control = "bbr";`
			`users = [`
			`{ name = "proxy";`
dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00			`uuid = uuid;`
			`password = password;`
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`}`
			`];`
			`tls = singTls;`
			`});`
dolomite: sing-box outbound to cf warp+ 2023-12-19 13:32:40 +00:00			`outbounds = [`
			`{`
			`type = "wireguard";`
			`tag = "wg-out";`
			`private_key = {`
			`_secret = config.sops.secrets.wg_private_key.path;`
			`};`
			`local_address = [`
			`"172.16.0.2/32"`
			`{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }`
			`];`
			`peers = [`
			`{ public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";`
			`allowed_ips = [ "0.0.0.0/0" "::/0" ];`
			`server = "162.159.192.1";`
			`server_port = 500;`
			`}`
			`];`
			`}`
			`{`
			`type = "direct";`
			`tag = "direct";`
			`}`
			`{`
			`type = "dns";`
			`tag = "dns-out";`
			`}`
			`];`
			`route = {`
			`rules = [`
			`{`
			`outbound = "dns-out";`
			`protocol = "dns";`
			`}`
			`{`
			`geoip = "cn";`
			`geosite = "cn";`
			`outbound = "direct";`
			`}`
			`];`
			`};`
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00			`};`
dolomite: init 2023-10-06 14:05:19 +00:00			`};`
			`};`
dolomite: add an instance at sg 2023-12-06 14:54:22 +00:00
dolomite: init 2023-10-06 14:05:19 +00:00			`}`