dolomite: host sing-box

.sops.yaml

@@ -2,6 +2,7 @@ keys:
   - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
   - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
   - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
+  - &host-dolomite age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
 creation_rules:
   - path_regex: machines/calcite/secrets.yaml
     key_groups:
@@ -19,6 +20,7 @@ creation_rules:
       - *xin
       - *host-calcite
       - *host-raspite
+      - *host-dolomite
   - path_regex: home/xin/secrets.yaml
     key_groups:
     - age:

flake.nix

@@ -48,7 +48,6 @@
         modules = [
           home-manager.nixosModules.home-manager
           nur.nixosModules.nur
-          sops-nix.nixosModules.sops
         ] ++ modules;
       };
       evalSecrets = import ./eval_secrets.nix;
@@ -63,6 +62,9 @@
                   system = "x86_64-linux";
               };
               machinesFile = ./nixbuild.net;
+              specialArgs = {
+                inherit inputs;
+              };
           };
 
           massicot = { name, nodes, pkgs, ... }: with inputs; {
@@ -71,6 +73,17 @@
                   machines/massicot
               ];
           };
+
+          dolomite = { name, nodes, pkgs, ... }: with inputs; {
+              imports = [
+                  { nixpkgs.system = "x86_64-linux"; }
+                  machines/dolomite
+              ];
+              deployment = {
+                targetHost = "video.namely.icu";
+                buildOnTarget = false;
+              };
+          };
       };
 
       nixosConfigurations.calcite = mkNixos {
@@ -99,7 +112,6 @@
         ];
       };
 
-
       images.raspite = (mkNixos {
         system = "aarch64-linux";
         modules = [
@@ -120,6 +132,9 @@
         packages = {
           homeConfigurations."xin" = import ./home/xin/gold { inherit home-manager pkgs; };
         };
+        devShells.default = pkgs.mkShell {
+          buildInputs = with pkgs; [ git colmena nix-output-monitor ssh-to-age ];
+        };
       }
       )));
 }

machines/calcite/configuration.nix

@@ -18,6 +18,14 @@
   boot.supportedFilesystems = [ "ntfs" ];
   boot.binfmt.emulatedSystems = ["aarch64-linux"]; 
 
+  security.tpm2 = {
+    enable = true;
+    # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+    pkcs11.enable = true;
+    # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+    tctiEnvironment.enable = true;
+  };
+
   networking.hostName = "calcite";
 
   programs.vim.defaultEditor = true;
@@ -87,7 +95,7 @@
   users.users.xin = {
     isNormalUser = true;
     description = "xin";
-    extraGroups = [ "networkmanager" "wheel" "wireshark" ];
+    extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ];
   };
 
   # Enable automatic login for the user.

machines/dolomite/default.nix

@@ -1,11 +1,76 @@
-{ config, pkgs, modulesPath, ... }:
+{ config, pkgs, lib, modulesPath, ... }:
+let
+  sg_server = {
+    _secret = config.sops.secrets.singbox_sg_server.path;
+  };
+  sg_password = {
+    _secret = config.sops.secrets.singbox_sg_password.path;
+  };
+  sg_uuid = {
+    _secret = config.sops.secrets.singbox_sg_uuid.path;
+  };
+  singTls = {
+    enabled = true;
+    server_name = sg_server;
+    key_path = config.security.acme.certs."video.namely.icu".directory + "/key.pem";
+    certificate_path = config.security.acme.certs."video.namely.icu".directory + "/cert.pem";
+  };
+in
 {
-  imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];
+  imports = [
+    "${modulesPath}/virtualisation/amazon-image.nix"
+    ../sops.nix
+  ];
+
+  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
+  boot.kernel.sysctl = {
+    "net.core.default_qdisc" = "fq";
+    "net.ipv4.tcp_congestion_control" = "bbr";
+  };
+
+  networking.firewall.trustedInterfaces = [ "tun0" ];
+
+  security.acme = {
+    acceptTerms = true;
+    certs."video.namely.icu" = {
+      email = "me@namely.icu";
+      listenHTTP = ":80";
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ 80 8080 ];
+  networking.firewall.allowedUDPPorts = [ 6311 ];
 
   services.sing-box = {
     enable = true;
     settings = {
-      
+      inbounds = [
+        {
+          tag = "sg1";
+          type = "trojan";
+          listen = "::";
+          listen_port = 8080;
+          users = [
+            { name = "proxy";
+              password = sg_password;
+            }
+          ];
+          tls = singTls;
+        }
+        {
+          tag = "sg2";
+          type = "tuic";
+          listen = "::";
+          listen_port = 6311;
+          congestion_control = "bbr";
+          users = [
+            { name = "proxy";
+              uuid = sg_uuid;
+              password = sg_password;
+            }
+          ];
+          tls = singTls;
+        }
+      ];
     };
   };
 }

machines/secrets.yaml

@@ -4,6 +4,9 @@ autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9a
 github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str]
 singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str]
 singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str]
+singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str]
+singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str]
+singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -13,32 +16,41 @@ sops:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYjBKUUNCTlpoYXJqMkVL
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTW9oblRGVXZSYU1UaUpY
-            U0xoNDNXVUpGaEdTVFVVL05MYng4N3l5dlhRCjZXMmplRGY1UWdlUTB4NHBFNHVO
+            bEJvd0FST3gydXRzQ25GNm5vMEsyMlJpU0RRCjNFTk9rajQraGhoWFhFTDFtTnNE
-            QThQTkhwVlc2NE1HWUc5RlRyS2lURE0KLS0tIDZPOW1EMis2TjFjaS9sUHEvenRJ
+            aDNuaTZRZUtVcWkrN1RvZmZBRmJVTVkKLS0tIFdta3l4M3JoTU9tTllLUENOdTU0
-            cmZYOEVHTE1ybDBXMDFZRnJQaWRjeU0KVAiaO0xMhDQTh26e4lTRigkG2P6KfXov
+            K2UxRnNTcEw4OC85cWdFNlVSMnlseFUKXtUh8vavnw5I+16bZszXNXmDndXovAN/
-            c2DItjmdWmdfN/QOKl6JzObtHBxSWxXGZwbnWmDkGq69t20TDus2Xw==
+            XzrbfhXyE8B7jxlsSp6b5mu7RXWHP9knM2BqfrhhK0NJ/uuKfKNIEA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWWx3TGJTWEtLd0ROVXZQ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzd2tMOXVCZFJsaWJDV1FQ
-            OUcycUlCUmhJT3JybldLYytJNlhld3lSVENJCmd0YUVBbWN3MU8yQ2FFMTRSWXln
+            UWpoSDgxVUZ6UCt3Z2I5YjFxcnUzK3dNVndnClZBV29OV0swZzd5UmJsQ2J3RFpo
-            S0x4c0pGemVDdVV6N3hCM3BsWGxBYzQKLS0tIDdyNFBtK2RQTFNXdlRDaVZBNjZ6
+            UnpvQ21BajBYc2xzWDNHWStzNTJLelkKLS0tIDNROGJQTzNDZUZHU09RcUpGemJr
-            TVo3cmh0eFlDU1d2RnVZVUI1NXcrbnMKU+tJhePvEk/awxtoZA8NWTxUr5buXSRu
+            dnpGSmdCRXJsU2FNV0V1N0pSczJwRTgK99s4wGGlpgkmr6sFzw8iqEPy2c3CvrvK
-            CyIZXG3THbrIWAzBRlgtKqmlvdOseIASSO9OgOUPb8/EKSD5eUTH3g==
+            Ak+DlVCx6G9YXCIoXPIysY3EkfrKQwf/5LUMxSTN8V1gOMeTyomt/w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidXFsbFBPc3hhMzFMSk9v
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWU0xQzRqbG1CTnlSZmFj
-            NVdKWDE5MWoyMnUyVWdwOXhsK3dpQ1o2bGlBClZHVTZzc2lxblYrUUUvRFRmQ2Mv
+            TFZvMHU3NVVQTTVHZzJkZ3FGS3doRXhGamdjCk0vaGVaZWlwT2NLd0NPeUliQ09Q
-            S1I4YzJYd1JCcUx5b0E2MTlwYWlwRDAKLS0tIGphM2NaSXBwdlZSR3kwSUkzcXkv
+            cFNiMGZqUHliUEw1WDlWV3ZsR0lRYzAKLS0tIG8wWm1IK2tpRGhQVVNCQU83cnFB
-            dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou
+            S1lwZ2NDRGQyOW92R2JLakRUMG1JUkUKHNvXcHFlbgssrzLVdFxIT7QpMiPK5zoy
-            DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ==
+            /OqQhXZ/ewER3b+kMidZv5QXU6GvMWsriT24/yyfTc0tEe7t/Ojm4A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-11T19:16:18Z"
+        - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
-    mac: ENC[AES256_GCM,data:iyqD4XJHw072IYKyRnWKJRVLex/GfnYn5QY4/YPkGK9cHjVML/97k1IWM76zXOpoJ9wSENvTqQirjMZz0TS92Ak2Ps/3fsyPj2f9BEFmF+q8r+VWEj9ZGEzHb52uMKyj3vYs5Mg9O5eeDmdAifdvC3RmRkoQ7WFoLDVCwcVFKoU=,iv:AuqLIPVMhX537MPaqnrYgOuHPH+P8Ili8tkg4p1jC1I=,tag:t2gQZzO1dIXnM3UqOnn/FA==,type:str]
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZK3o4WkZqaldXd2lBUm5r
+            NWVNMVh5SXZmVmFlUldiVUdrYitPK3dUUVJzCjJnSHR0ZmpmMzF3ZnlBeEJ6bHc0
+            T0p2SXpoOGprbEdyUC9oWklTRndFcTAKLS0tIGN6VUZmVEJkWk5xR2dUaU1mbkZB
+            TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb
+            naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-25T11:52:08Z"
+    mac: ENC[AES256_GCM,data:Qfz/3UP6ZDOZZupdkass7+Lv2ssgXwMW5mZ3w1mGpmo4Fq+8yQbNnQTLi78+R79bn+ntonexf51WUo0uwfYGtt+9YbbDSYxO7iaFhJ/e3sroo2tVO5gbkKByEMSYx/zkz8SYpg9fwGvjLl/8YurSnuyrI1mppkcu4AY75jeo9Iw=,iv:iPKUHm1Ui9MIhtrddskBX9pMna0y1w5gASbtsOY0LKc=,tag:03M0N7mWD6zSG2tSh7jffQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.0
+    version: 3.8.1

machines/sing-box.nix

@@ -9,6 +9,15 @@ let
   uuid = {
     _secret = config.sops.secrets.singbox_password.path;
   };
+  sg_server = {
+    _secret = config.sops.secrets.singbox_sg_server.path;
+  };
+  sg_password = {
+    _secret = config.sops.secrets.singbox_sg_password.path;
+  };
+  sg_uuid = {
+    _secret = config.sops.secrets.singbox_sg_uuid.path;
+  };
 in
 {
   services.sing-box = {
@@ -37,15 +46,23 @@ in
             domain_suffix = server;
             server = "_dns_doh_mainland";
           }
+          {
+            domain_suffix = sg_server;
+            server = "_dns_doh_mainland";
+          }
         ];
         servers = [
           {
-            address = "https://cloudflare-dns.com/dns-query";
+            address = "tls://dns.google:853/";
-            address_strategy = "prefer_ipv4";
+            address_resolver = "_dns_udp_global";
-            address_resolver = "_dns_doh_mainland";
             detour = "_proxy_select";
             tag = "_dns_global";
           }
+          {
+            address = "1.1.1.1";
+            detour = "_proxy_select";
+            tag = "_dns_udp_global";
+          }
           {
             address = "119.29.29.29";
             detour = "direct";
@@ -62,9 +79,8 @@ in
             tag = "_dns_block";
           }
         ];
-        strategy = "prefer_ipv4";
         final = "_dns_global";
-        disable_cache = false;
+        disable_cache = true;
       };
       inbounds = [
         {
@@ -79,6 +95,7 @@ in
           auto_route = true;
           strict_route = false;
           inet4_address = "172.19.0.1/30";
+          inet6_address = "fdfe:dcba:9876::1/126";
           sniff = true;
         }
       ];
@@ -102,7 +119,10 @@ in
         ];
       };
       outbounds = [ 
-        { default = "auto"; outbounds = [ "auto" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }
+        { tag = "selfhost"; type = "urltest"; outbounds = [ "sg1" "sg2" ]; tolerance = 800; url = "http://www.gstatic.com/generate_204"; interval = "1m0s"; }
+        { tag = "sg1"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; }
+        { tag = "sg2"; type = "tuic"; congestion_control = "bbr"; server = sg_server; server_port = 6311; uuid = sg_uuid; password = sg_password; tls = { enabled = true; server_name = sg_server; }; }
+        { default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }
         { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; }
         { tag = "direct"; type = "direct"; }
         { tag = "block"; type = "block"; }

machines/sops.nix

@@ -1,18 +1,28 @@
-{ ... }:
+{ inputs, ... }:
 {
+  imports = [ inputs.sops-nix.nixosModules.sops ];
   sops = {
     defaultSopsFile = ./secrets.yaml;
     # TODO: How to generate this key when bootstrap?
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
     secrets = {
       clash_subscription_link = { 
-        owner = "xin";
+        owner = "root";
       };
       singbox_password = {
-        owner = "xin";
+        owner = "root";
       };
       singbox_domain = {
-        owner = "xin";
+        owner = "root";
+      };
+      singbox_sg_server = {
+         owner = "root";
+      };
+      singbox_sg_password = {
+         owner = "root";
+      };
+      singbox_sg_uuid = {
+         owner = "root";
       };
     };
   };