diff --git a/.sops.yaml b/.sops.yaml index f928eee..fd6a3d4 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,7 @@ keys: - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj + - &host-dolomite age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx creation_rules: - path_regex: machines/calcite/secrets.yaml key_groups: @@ -19,6 +20,7 @@ creation_rules: - *xin - *host-calcite - *host-raspite + - *host-dolomite - path_regex: home/xin/secrets.yaml key_groups: - age: diff --git a/flake.nix b/flake.nix index 0858ffe..0c61577 100644 --- a/flake.nix +++ b/flake.nix @@ -48,7 +48,6 @@ modules = [ home-manager.nixosModules.home-manager nur.nixosModules.nur - sops-nix.nixosModules.sops ] ++ modules; }; evalSecrets = import ./eval_secrets.nix; @@ -63,6 +62,9 @@ system = "x86_64-linux"; }; machinesFile = ./nixbuild.net; + specialArgs = { + inherit inputs; + }; }; massicot = { name, nodes, pkgs, ... }: with inputs; { @@ -71,6 +73,17 @@ machines/massicot ]; }; + + dolomite = { name, nodes, pkgs, ... }: with inputs; { + imports = [ + { nixpkgs.system = "x86_64-linux"; } + machines/dolomite + ]; + deployment = { + targetHost = "video.namely.icu"; + buildOnTarget = false; + }; + }; }; nixosConfigurations.calcite = mkNixos { @@ -99,7 +112,6 @@ ]; }; - images.raspite = (mkNixos { system = "aarch64-linux"; modules = [ @@ -120,6 +132,9 @@ packages = { homeConfigurations."xin" = import ./home/xin/gold { inherit home-manager pkgs; }; }; + devShells.default = pkgs.mkShell { + buildInputs = with pkgs; [ git colmena nix-output-monitor ssh-to-age ]; + }; } ))); } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c89aa84..c538867 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -18,6 +18,14 @@ boot.supportedFilesystems = [ "ntfs" ]; boot.binfmt.emulatedSystems = ["aarch64-linux"]; + security.tpm2 = { + enable = true; + # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + pkcs11.enable = true; + # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + tctiEnvironment.enable = true; + }; + networking.hostName = "calcite"; programs.vim.defaultEditor = true; @@ -87,7 +95,7 @@ users.users.xin = { isNormalUser = true; description = "xin"; - extraGroups = [ "networkmanager" "wheel" "wireshark" ]; + extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ]; }; # Enable automatic login for the user. diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 71f7ed1..cf83768 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,11 +1,76 @@ -{ config, pkgs, modulesPath, ... }: +{ config, pkgs, lib, modulesPath, ... }: +let + sg_server = { + _secret = config.sops.secrets.singbox_sg_server.path; + }; + sg_password = { + _secret = config.sops.secrets.singbox_sg_password.path; + }; + sg_uuid = { + _secret = config.sops.secrets.singbox_sg_uuid.path; + }; + singTls = { + enabled = true; + server_name = sg_server; + key_path = config.security.acme.certs."video.namely.icu".directory + "/key.pem"; + certificate_path = config.security.acme.certs."video.namely.icu".directory + "/cert.pem"; + }; +in { - imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; + imports = [ + "${modulesPath}/virtualisation/amazon-image.nix" + ../sops.nix + ]; + + boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + }; + + networking.firewall.trustedInterfaces = [ "tun0" ]; + + security.acme = { + acceptTerms = true; + certs."video.namely.icu" = { + email = "me@namely.icu"; + listenHTTP = ":80"; + }; + }; + networking.firewall.allowedTCPPorts = [ 80 8080 ]; + networking.firewall.allowedUDPPorts = [ 6311 ]; services.sing-box = { enable = true; settings = { - + inbounds = [ + { + tag = "sg1"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = [ + { name = "proxy"; + password = sg_password; + } + ]; + tls = singTls; + } + { + tag = "sg2"; + type = "tuic"; + listen = "::"; + listen_port = 6311; + congestion_control = "bbr"; + users = [ + { name = "proxy"; + uuid = sg_uuid; + password = sg_password; + } + ]; + tls = singTls; + } + ]; }; }; } diff --git a/machines/secrets.yaml b/machines/secrets.yaml index a6c2d77..57fbeb6 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml @@ -4,6 +4,9 @@ autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9a github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str] singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str] +singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str] +singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str] +singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str] sops: kms: [] gcp_kms: [] @@ -13,32 +16,41 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYjBKUUNCTlpoYXJqMkVL - U0xoNDNXVUpGaEdTVFVVL05MYng4N3l5dlhRCjZXMmplRGY1UWdlUTB4NHBFNHVO - QThQTkhwVlc2NE1HWUc5RlRyS2lURE0KLS0tIDZPOW1EMis2TjFjaS9sUHEvenRJ - cmZYOEVHTE1ybDBXMDFZRnJQaWRjeU0KVAiaO0xMhDQTh26e4lTRigkG2P6KfXov - c2DItjmdWmdfN/QOKl6JzObtHBxSWxXGZwbnWmDkGq69t20TDus2Xw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTW9oblRGVXZSYU1UaUpY + bEJvd0FST3gydXRzQ25GNm5vMEsyMlJpU0RRCjNFTk9rajQraGhoWFhFTDFtTnNE + aDNuaTZRZUtVcWkrN1RvZmZBRmJVTVkKLS0tIFdta3l4M3JoTU9tTllLUENOdTU0 + K2UxRnNTcEw4OC85cWdFNlVSMnlseFUKXtUh8vavnw5I+16bZszXNXmDndXovAN/ + XzrbfhXyE8B7jxlsSp6b5mu7RXWHP9knM2BqfrhhK0NJ/uuKfKNIEA== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWWx3TGJTWEtLd0ROVXZQ - OUcycUlCUmhJT3JybldLYytJNlhld3lSVENJCmd0YUVBbWN3MU8yQ2FFMTRSWXln - S0x4c0pGemVDdVV6N3hCM3BsWGxBYzQKLS0tIDdyNFBtK2RQTFNXdlRDaVZBNjZ6 - TVo3cmh0eFlDU1d2RnVZVUI1NXcrbnMKU+tJhePvEk/awxtoZA8NWTxUr5buXSRu - CyIZXG3THbrIWAzBRlgtKqmlvdOseIASSO9OgOUPb8/EKSD5eUTH3g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzd2tMOXVCZFJsaWJDV1FQ + UWpoSDgxVUZ6UCt3Z2I5YjFxcnUzK3dNVndnClZBV29OV0swZzd5UmJsQ2J3RFpo + UnpvQ21BajBYc2xzWDNHWStzNTJLelkKLS0tIDNROGJQTzNDZUZHU09RcUpGemJr + dnpGSmdCRXJsU2FNV0V1N0pSczJwRTgK99s4wGGlpgkmr6sFzw8iqEPy2c3CvrvK + Ak+DlVCx6G9YXCIoXPIysY3EkfrKQwf/5LUMxSTN8V1gOMeTyomt/w== -----END AGE ENCRYPTED FILE----- - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidXFsbFBPc3hhMzFMSk9v - NVdKWDE5MWoyMnUyVWdwOXhsK3dpQ1o2bGlBClZHVTZzc2lxblYrUUUvRFRmQ2Mv - S1I4YzJYd1JCcUx5b0E2MTlwYWlwRDAKLS0tIGphM2NaSXBwdlZSR3kwSUkzcXkv - dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou - DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWU0xQzRqbG1CTnlSZmFj + TFZvMHU3NVVQTTVHZzJkZ3FGS3doRXhGamdjCk0vaGVaZWlwT2NLd0NPeUliQ09Q + cFNiMGZqUHliUEw1WDlWV3ZsR0lRYzAKLS0tIG8wWm1IK2tpRGhQVVNCQU83cnFB + S1lwZ2NDRGQyOW92R2JLakRUMG1JUkUKHNvXcHFlbgssrzLVdFxIT7QpMiPK5zoy + /OqQhXZ/ewER3b+kMidZv5QXU6GvMWsriT24/yyfTc0tEe7t/Ojm4A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-11T19:16:18Z" - mac: ENC[AES256_GCM,data:iyqD4XJHw072IYKyRnWKJRVLex/GfnYn5QY4/YPkGK9cHjVML/97k1IWM76zXOpoJ9wSENvTqQirjMZz0TS92Ak2Ps/3fsyPj2f9BEFmF+q8r+VWEj9ZGEzHb52uMKyj3vYs5Mg9O5eeDmdAifdvC3RmRkoQ7WFoLDVCwcVFKoU=,iv:AuqLIPVMhX537MPaqnrYgOuHPH+P8Ili8tkg4p1jC1I=,tag:t2gQZzO1dIXnM3UqOnn/FA==,type:str] + - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZK3o4WkZqaldXd2lBUm5r + NWVNMVh5SXZmVmFlUldiVUdrYitPK3dUUVJzCjJnSHR0ZmpmMzF3ZnlBeEJ6bHc0 + T0p2SXpoOGprbEdyUC9oWklTRndFcTAKLS0tIGN6VUZmVEJkWk5xR2dUaU1mbkZB + TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb + naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-25T11:52:08Z" + mac: ENC[AES256_GCM,data:Qfz/3UP6ZDOZZupdkass7+Lv2ssgXwMW5mZ3w1mGpmo4Fq+8yQbNnQTLi78+R79bn+ntonexf51WUo0uwfYGtt+9YbbDSYxO7iaFhJ/e3sroo2tVO5gbkKByEMSYx/zkz8SYpg9fwGvjLl/8YurSnuyrI1mppkcu4AY75jeo9Iw=,iv:iPKUHm1Ui9MIhtrddskBX9pMna0y1w5gASbtsOY0LKc=,tag:03M0N7mWD6zSG2tSh7jffQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.0 + version: 3.8.1 diff --git a/machines/sing-box.nix b/machines/sing-box.nix index 050267f..037fa09 100644 --- a/machines/sing-box.nix +++ b/machines/sing-box.nix @@ -9,6 +9,15 @@ let uuid = { _secret = config.sops.secrets.singbox_password.path; }; + sg_server = { + _secret = config.sops.secrets.singbox_sg_server.path; + }; + sg_password = { + _secret = config.sops.secrets.singbox_sg_password.path; + }; + sg_uuid = { + _secret = config.sops.secrets.singbox_sg_uuid.path; + }; in { services.sing-box = { @@ -37,15 +46,23 @@ in domain_suffix = server; server = "_dns_doh_mainland"; } + { + domain_suffix = sg_server; + server = "_dns_doh_mainland"; + } ]; servers = [ { - address = "https://cloudflare-dns.com/dns-query"; - address_strategy = "prefer_ipv4"; - address_resolver = "_dns_doh_mainland"; + address = "tls://dns.google:853/"; + address_resolver = "_dns_udp_global"; detour = "_proxy_select"; tag = "_dns_global"; } + { + address = "1.1.1.1"; + detour = "_proxy_select"; + tag = "_dns_udp_global"; + } { address = "119.29.29.29"; detour = "direct"; @@ -62,9 +79,8 @@ in tag = "_dns_block"; } ]; - strategy = "prefer_ipv4"; final = "_dns_global"; - disable_cache = false; + disable_cache = true; }; inbounds = [ { @@ -79,6 +95,7 @@ in auto_route = true; strict_route = false; inet4_address = "172.19.0.1/30"; + inet6_address = "fdfe:dcba:9876::1/126"; sniff = true; } ]; @@ -102,7 +119,10 @@ in ]; }; outbounds = [ - { default = "auto"; outbounds = [ "auto" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } + { tag = "selfhost"; type = "urltest"; outbounds = [ "sg1" "sg2" ]; tolerance = 800; url = "http://www.gstatic.com/generate_204"; interval = "1m0s"; } + { tag = "sg1"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } + { tag = "sg2"; type = "tuic"; congestion_control = "bbr"; server = sg_server; server_port = 6311; uuid = sg_uuid; password = sg_password; tls = { enabled = true; server_name = sg_server; }; } + { default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; } { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; } { tag = "direct"; type = "direct"; } { tag = "block"; type = "block"; } diff --git a/machines/sops.nix b/machines/sops.nix index f2b93f3..96ac399 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -1,19 +1,29 @@ -{ ... }: +{ inputs, ... }: { + imports = [ inputs.sops-nix.nixosModules.sops ]; sops = { defaultSopsFile = ./secrets.yaml; # TODO: How to generate this key when bootstrap? age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; secrets = { clash_subscription_link = { - owner = "xin"; + owner = "root"; }; singbox_password = { - owner = "xin"; + owner = "root"; }; singbox_domain = { - owner = "xin"; + owner = "root"; + }; + singbox_sg_server = { + owner = "root"; + }; + singbox_sg_password = { + owner = "root"; + }; + singbox_sg_uuid = { + owner = "root"; }; }; }; -} \ No newline at end of file +}