diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 1b1abd4..b9f6809 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -7,7 +7,6 @@ ./hardware-configuration.nix ./network.nix ../sops.nix - ../clash.nix ]; # Bootloader. @@ -191,6 +190,7 @@ # Browser firefox chromium + brave microsoft-edge # Writting diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 1d9fb88..3689211 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -1,31 +1,20 @@ { pkgs, ...}: { + imports = [ + ../sing-box.nix + ]; + # Enable networking networking = { networkmanager = { enable = true; dns = "systemd-resolved"; - # dns = "resolvconf"; }; }; services.resolved = { enable = true; - extraConfig = '' - [Resolve] - Domains=~. - DNS=127.0.0.1 - ''; - # DNSOverTLS=opportunistic - }; - - # Configure network proxy if necessary - networking.proxy = { - allProxy = "socks5://127.0.0.1:7891/"; - httpProxy = "http://127.0.0.1:7890/"; - httpsProxy = "http://127.0.0.1:7890/"; - noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net"; }; # Enable Tailscale @@ -33,15 +22,15 @@ # services.tailscale.useRoutingFeatures = "both"; # Open ports in the firewall. + networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ ]; networking.firewall.allowedUDPPorts = [ 41641 ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; networking.firewall.trustedInterfaces = [ + "tun0" "tailscale0" ]; - - programs.steam.remotePlay.openFirewall = true; + # Use nftables to manager firewall + networking.nftables.enable = true; # Add gsconnect, open firewall programs.kdeconnect = { @@ -53,9 +42,4 @@ enable = true; package = pkgs.wireshark-qt; }; - - # services.gnome.gnome-remote-desktop.enable = true; - # services.xrdp.enable = true; - # services.xrdp.openFirewall = true; - # services.xrdp.defaultWindowManager = icewm; } 
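Review bot: Removing `networking.proxy` also removes the `noProxy` exclusions for `.coho-tet.ts.net` and, implicitly, the tailnet's 100.64.0.0/10 addresses, and nothing in this hunk replaces them; with the sing-box tun's `auto_route = true` that traffic is now decided by the route rules in sing-box.nix, where only `geoip = "private"` → `direct` could catch it. Whether sing-box's `private` category includes the CGNAT range 100.64.0.0/10 is something to confirm rather than assume, otherwise tailnet connections are sent to `_proxy_select` and fail. An explicit pair of rules placed before the geoip ones removes the doubt: `{ ip_cidr = [ "100.64.0.0/10" ]; outbound = "direct"; }` and `{ domain_suffix = [ ".coho-tet.ts.net" ]; outbound = "direct"; }` (kept as two rules, since fields within one sing-box rule are ANDed). The `services.resolved` block that remains has no DNS servers of its own, so name resolution now depends on what NetworkManager pushes into resolved; worth a one-line comment saying that is intended.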
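Review bot: `"tun0"` in `networking.firewall.trustedInterfaces` waives every firewall rule for whichever interface carries that name, and the sing-box tun inbound in sing-box.nix does not set `interface_name`, so the match is an assumption rather than a binding; other tun users (OpenVPN defaults to `tun0` as well) would inherit the trust if they come up first. Pin the name in the tun inbound, e.g. `interface_name = "sing-box0";`, and list that name here with a comment: `"sing-box0" # sing-box tun inbound, name pinned in sing-box.nix`. If the entry was added only so that replies come back through the tun, the firewall's existing established/related acceptance may already cover that, so it is worth testing without the entry before keeping it. Enabling `networking.nftables` here is fine, but a comment noting that it changes the firewall backend for every other module on this host would help the next reader.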
diff --git a/machines/clash.nix b/machines/clash.nix deleted file mode 100644 index fc90056..0000000 --- a/machines/clash.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - - systemd.timers."clash-config-update" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnUnitActiveSec = "1d"; - Unit = "clash-config-update.service"; - }; - }; - - systemd.services."clash-config-update" = { - script = '' - ${pkgs.curl}/bin/curl $(${pkgs.coreutils}/bin/cat ${config.sops.secrets.clash_subscription_link.path}) > /tmp/config.yaml && mv /tmp/config.yaml /home/xin/.config/clash/ - ''; - serviceConfig = { - Type = "oneshot"; - User= "xin"; - }; - }; - - systemd.services.clash = { - enable = true; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.clash}/bin/clash -d /home/xin/.config/clash"; - }; - -} diff --git a/machines/dnscrypt.nix b/machines/dnscrypt.nix deleted file mode 100644 index 3ecdcb8..0000000 --- a/machines/dnscrypt.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.dnscrypt-proxy2 = { - enable = true; - settings = { - ipv6_servers = false; - require_dnssec = true; - sources = { - public-resolvers = { - urls = [ - "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; - cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; - minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; - }; - }; - server_names = [ "cloudflare" "tuna-doh-ipv4" ]; - }; - }; - - networking.networkmanager.dns = "none"; - - # dns - systemd.services.dnscrypt-proxy2.serviceConfig = { - StateDirectory = "dnscrypt-proxy"; - }; -} diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 97a4df9..9006057 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
@@ -2,6 +2,8 @@ clash_subscription_link: ENC[AES256_GCM,data:Vwy0c8gOeR1XG/QNp8TGuBe/5kezD7SSStN autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str] autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str] github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] +singbox_domain: ENC[AES256_GCM,data:26WBV6F6JsdR81BzFbeFA0c8,iv:SRkEJdAxH/0in5oq7kCz6sBeMQzjDcV9242SqwFwMis=,tag:u6sn2Xs3Pwsmo8xwAfObCA==,type:str] +singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -35,8 +37,8 @@ sops: dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-22T02:00:48Z" - mac: ENC[AES256_GCM,data:DXQaCRuD4trEjIFvVAGF3/F/AiUcIOKGmqKKF/S7tJ51ZGXIh64g7vXZhZC22UxGs2pYU/gQOfA58cSxrHav0hmA0KbidLGA2ySRzVCSP3IH2jLx9KXdYv6SIS5I3MRMUqf7ZH+5rtdjTrrYBDWZrDzB9T7naMn1BujMqi+SwsU=,iv:QrFcEz7sxC0kbRtFr45cUaT4VosFq5ICtF3HOZ3If9I=,tag:Ste0v4xcONasn182R2ZyFw==,type:str] + lastmodified: "2023-09-26T15:10:12Z" + mac: ENC[AES256_GCM,data:R1y2LCVbIcJ4hHLrgRT+H45jdSPUIE8uuW1EoJattnciLExlpZzNtuUxV6yVUKoUxh/Bdl4gUwRP6YINegMflUJIlby9vUyDTVAwzFpk5p4Ev0YF/X8ZgXcerwOZjEkHqekqEtDjEsnOt2U41XsXOzQsFXkmWl/aBRlxGYiTHcU=,iv:jFM3EKnTIJbBP1FHw3t7Q1+NvGIQYWtVCV+4Z9snPIQ=,tag:NkdeGL6IFA0iQoUqWmPZgw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.0 diff --git a/machines/sing-box.nix b/machines/sing-box.nix new file mode 100644 index 0000000..c77aefc --- /dev/null +++ b/machines/sing-box.nix 
@@ -0,0 +1,157 @@ +{ config, lib, pkgs, ... }: +let + server = { + _secret = config.sops.secrets.singbox_domain.path; + }; + password = { + _secret = config.sops.secrets.singbox_password.path; + }; + uuid = { + _secret = config.sops.secrets.singbox_password.path; + }; +in +{ + services.sing-box = { + enable = true; + settings = { + log = { level = "warning"; }; + experimental = { + clash_api = { + external_controller = "127.0.0.1:9090"; + store_selected = true; + external_ui = "${config.nur.repos.linyinfeng.yacd}"; + }; + }; + dns = { + rules = [ + { + disable_cache = true; + geosite = "category-ads-all"; + server = "_dns_block"; + } + { + geosite = "cn"; + server = "_dns_doh_mainland"; + } + { + domain_suffix = "tiktokuu.xyz"; + server = "_dns_doh_mainland"; + } + ]; + servers = [ + { + address = "https://cloudflare-dns.com/dns-query"; + address_strategy = "prefer_ipv4"; + address_resolver = "_dns_doh_mainland"; + detour = "_proxy_select"; + tag = "_dns_global"; + } + { + address = "119.29.29.29"; + detour = "direct"; + tag = "_dns_udp_mainland"; + } + { + address = "https://doh.pub/dns-query"; + address_resolver = "_dns_udp_mainland"; + detour = "direct"; + tag = "_dns_doh_mainland"; + } + { + address = "rcode://success"; + tag = "_dns_block"; + } + ]; + strategy = "prefer_ipv4"; + final = "_dns_global"; + disable_cache = false; + }; + inbounds = [ + { + type = "mixed"; + tag = "mixed-in"; + listen = "127.0.0.1"; + listen_port = 7891; + } + { + type = "tun"; + tag = "tun-in"; + auto_route = true; + strict_route = false; + inet4_address = "172.19.0.1/30"; + sniff = true; + } + ]; + route = { + auto_detect_interface = true; + final = "_proxy_select"; + rules = [ + { outbound = "dns-out"; protocol = "dns"; } + { + geoip = "cn"; + geosite = "cn"; + outbound = "direct"; + } + { geoip = "private"; outbound = "direct"; } + { + geosite = "cn"; + geoip = "cn"; + invert = true; + outbound = "_proxy_select"; + } + ]; + }; + outbounds = [ + { default = "auto"; outbounds = [ 
"auto" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } + { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; } + { tag = "direct"; type = "direct"; } + { tag = "block"; type = "block"; } + { tag = "dns-out"; type = "dns"; } + { inherit server password; method = "aes-128-gcm"; server_port = 12001; tag = "香港SS-01"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12002; tag = "香港SS-02"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12003; tag = "香港SS-03"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12004; tag = "香港SS-04"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12011; tag = "日本SS-01"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12012; tag = "日本SS-02"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12013; tag = "日本SS-03"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12021; tag = "美国SS-01"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12022; tag = "美国SS-02"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port 
= 12023; tag = "美国SS-03"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12031; tag = "台湾SS-01"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12032; tag = "台湾SS-02"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12033; tag = "台湾SS-03"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server password; method = "aes-128-gcm"; server_port = 12034; tag = "台湾SS-04"; type = "shadowsocks"; udp_over_tcp = false; } + { inherit server uuid; security = "auto"; server_port = 1201; tag = "香港中继1"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1202; tag = "香港中继2"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1203; tag = "香港中继3"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1204; tag = "香港中继4"; transport = { path = "/"; type = "ws"; }; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1205; tag = "香港中继5"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1206; tag = "香港中继6"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1207; tag = "香港中继7"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1208; tag = "香港中继8"; transport = { path = "/"; type = "ws"; }; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1211; tag = "日本中继1"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1212; tag = "日本中继2"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1213; tag = "日本中继3"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1214; tag = "日本中继4"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1231; tag = "美国中继1"; type = "vmess"; } + { inherit server uuid; security 
= "auto"; server_port = 1232; tag = "美国中继2"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1233; tag = "美国中继3"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1234; tag = "美国中继4"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1235; tag = "美国中继5"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1236; tag = "美国中继6"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1237; tag = "美国中继7"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1238; tag = "美国中继8"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1241; tag = "新加坡中继1"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1242; tag = "新加坡中继2"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1261; tag = "台湾中继1"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1262; tag = "台湾中继2"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1263; tag = "台湾中继3"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1264; tag = "台湾中继4"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1265; tag = "台湾中继5"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1266; tag = "台湾中继6"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1251; tag = "韩国中继1"; type = "vmess"; } + { inherit server uuid; security = "auto"; server_port = 1252; tag = "韩国中继2"; type = "vmess"; } + ]; + }; + }; +} diff --git a/machines/sops.nix b/machines/sops.nix index d3f04f8..f2b93f3 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -8,6 +8,12 @@ clash_subscription_link = { owner = "xin"; }; + singbox_password = { + owner = "xin"; + }; + singbox_domain = { + owner = "xin"; + }; }; }; } \ No newline at end of file
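Review bot: The Clash API at `external_controller = "127.0.0.1:9090"` is configured without a `secret`, so any local process or user can switch `_proxy_select`, toggle outbounds, or read the running configuration through the yacd UI served from `external_ui`; and because the Clash-compatible API is designed to be reachable by hosted dashboards, it is worth checking whether it answers cross-origin requests, in which case a web page can do the same. Add `secret = { _secret = config.sops.secrets.singbox_api_secret.path; };` next to `external_controller`, using the same `_secret` substitution this file already relies on for `server` and `password`. Separately, `uuid` is bound to `singbox_password.path`, the same file as `password`; if the provider really uses one credential for both that deserves a comment such as `# provider issues one credential used as both SS password and VMess UUID`, and if not, every `vmess` outbound will fail to authenticate since a Shadowsocks password is not a UUID. `external_ui` pulls `config.nur.repos.linyinfeng.yacd`, a NUR package that does not get nixpkgs review, so pin that input and note it in a comment.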
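Review bot: `clash_subscription_link` (the context line just above the added entries) is still declared here and kept in secrets.yaml although this commit deletes clash.nix, its only consumer, so the subscription URL is decrypted into the secrets directory on every boot, readable by `xin`, for nothing; remove it from both files and, if it is a personal subscription token, revoke it at the provider. For the two new entries, `owner = "xin"` appears to be carried over from the clash setup that ran as that user; sing-box is a NixOS system service that resolves `_secret` paths itself when it renders the config, so unless something else on the host needs these files the owner can stay at the default root with the default 0400 mode — confirm how the module reads the secret files before changing it, and leave a comment either way, e.g. `# read by the sing-box service at start, not by the user`.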