dolomite: host sing-box

xinyangli 2023-11-28 21:38:50 +08:00
parent 8b2120f9ec
commit 500ad4be63
7 changed files with 167 additions and 35 deletions


@ -2,6 +2,7 @@ keys:
- &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
- &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
- &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
- &host-dolomite age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
creation_rules:
- path_regex: machines/calcite/secrets.yaml
key_groups:
@ -19,6 +20,7 @@ creation_rules:
- *xin
- *host-calcite
- *host-raspite
- *host-dolomite
- path_regex: home/xin/secrets.yaml
key_groups:
- age:
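Review bot: Adding `*host-dolomite` to this key group makes the internet-facing proxy host a recipient of the whole shared secrets file, not only of the three `singbox_sg_*` entries it needs. The re-encrypted secrets file in this commit also holds `autofs-nas-secret`, `github_public_token` and `singbox_password`, so whoever obtains dolomite's SSH host key can decrypt those too. I would give dolomite its own secrets file and creation rule with only `*xin` and `*host-dolomite` as recipients, and point that machine at it through `sops.defaultSopsFile`. The `path_regex` of the rule being edited sits above the hunk, so which file it covers is inferred from the new recipient block in the secrets file.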


@ -48,7 +48,6 @@
modules = [
home-manager.nixosModules.home-manager
nur.nixosModules.nur
sops-nix.nixosModules.sops
] ++ modules;
};
evalSecrets = import ./eval_secrets.nix;
@ -63,6 +62,9 @@
system = "x86_64-linux";
};
machinesFile = ./nixbuild.net;
specialArgs = {
inherit inputs;
};
};
massicot = { name, nodes, pkgs, ... }: with inputs; {
@ -71,6 +73,17 @@
machines/massicot
];
};
dolomite = { name, nodes, pkgs, ... }: with inputs; {
imports = [
{ nixpkgs.system = "x86_64-linux"; }
machines/dolomite
];
deployment = {
targetHost = "video.namely.icu";
buildOnTarget = false;
};
};
};
nixosConfigurations.calcite = mkNixos {
@ -99,7 +112,6 @@
];
};
images.raspite = (mkNixos {
system = "aarch64-linux";
modules = [
@ -120,6 +132,9 @@
packages = {
homeConfigurations."xin" = import ./home/xin/gold { inherit home-manager pkgs; };
};
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [ git colmena nix-output-monitor ssh-to-age ];
};
}
)));
}
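Review bot: Removing `sops-nix.nixosModules.sops` from the `mkNixos` module list means hosts built through `mkNixos` now get the sops module only by importing the shared `sops.nix`, which this commit changes to take `{ inputs, ... }`. The visible hunks add `specialArgs = { inherit inputs; };` only to the deployment set that holds `machinesFile`; the body of `mkNixos` is outside the hunk, so it is not clear that `inputs` is passed there as well. If it is not, calcite and the raspite image will fail to evaluate on the missing module argument. Confirm that the system builder inside `mkNixos` also receives `specialArgs = { inherit inputs; };`, and add it if not.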


@ -18,6 +18,14 @@
boot.supportedFilesystems = [ "ntfs" ];
boot.binfmt.emulatedSystems = ["aarch64-linux"];
security.tpm2 = {
enable = true;
# expose /run/current-system/sw/lib/libtpm2_pkcs11.so
pkcs11.enable = true;
# TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
tctiEnvironment.enable = true;
};
networking.hostName = "calcite";
programs.vim.defaultEditor = true;
@ -87,7 +95,7 @@
users.users.xin = {
isNormalUser = true;
description = "xin";
extraGroups = [ "networkmanager" "wheel" "wireshark" ];
extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ];
};
# Enable automatic login for the user.
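Review bot: The `"tss"` entry added to `extraGroups` has no comment, yet it is the one membership here that grants access to a hardware key store. With `security.tpm2.enable` the TPM device nodes are, by default, made accessible to that group, so any process running as `xin` can talk to the TPM. The trailing context comment suggests automatic login is enabled for this user, which means that access requires no interactive authentication. A comment such as `# tss: TPM access for tpm2-pkcs11` above the line would record why it is needed. The change also looks unrelated to the sing-box work named in the commit title and would be easier to audit as its own commit.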


@ -1,11 +1,76 @@
{ config, pkgs, modulesPath, ... }:
{ config, pkgs, lib, modulesPath, ... }:
let
sg_server = {
_secret = config.sops.secrets.singbox_sg_server.path;
};
sg_password = {
_secret = config.sops.secrets.singbox_sg_password.path;
};
sg_uuid = {
_secret = config.sops.secrets.singbox_sg_uuid.path;
};
singTls = {
enabled = true;
server_name = sg_server;
key_path = config.security.acme.certs."video.namely.icu".directory + "/key.pem";
certificate_path = config.security.acme.certs."video.namely.icu".directory + "/cert.pem";
};
in
{
imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];
imports = [
"${modulesPath}/virtualisation/amazon-image.nix"
../sops.nix
];
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
networking.firewall.trustedInterfaces = [ "tun0" ];
security.acme = {
acceptTerms = true;
certs."video.namely.icu" = {
email = "me@namely.icu";
listenHTTP = ":80";
};
};
networking.firewall.allowedTCPPorts = [ 80 8080 ];
networking.firewall.allowedUDPPorts = [ 6311 ];
services.sing-box = {
enable = true;
settings = {
inbounds = [
{
tag = "sg1";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{ name = "proxy";
password = sg_password;
}
];
tls = singTls;
}
{
tag = "sg2";
type = "tuic";
listen = "::";
listen_port = 6311;
congestion_control = "bbr";
users = [
{ name = "proxy";
uuid = sg_uuid;
password = sg_password;
}
];
tls = singTls;
}
];
};
};
}
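Review bot: `networking.firewall.trustedInterfaces = [ "tun0" ];` makes the firewall accept all traffic on any interface named tun0, but the sing-box settings for this host define only the `trojan` and `tuic` inbounds and no tun inbound. The line looks carried over from the client configuration. On a public server I would drop it, so the firewall stays limited to the explicitly opened ports, `allowedTCPPorts = [ 80 8080 ]` and `allowedUDPPorts = [ 6311 ]`. If a tunnel interface is planned later, add the trust in the same change as the inbound that creates it, with a comment naming that inbound.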


@ -4,6 +4,9 @@ autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9a
github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str]
singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str]
singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str]
singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str]
singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str]
singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -13,32 +16,41 @@ sops:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYjBKUUNCTlpoYXJqMkVL
U0xoNDNXVUpGaEdTVFVVL05MYng4N3l5dlhRCjZXMmplRGY1UWdlUTB4NHBFNHVO
QThQTkhwVlc2NE1HWUc5RlRyS2lURE0KLS0tIDZPOW1EMis2TjFjaS9sUHEvenRJ
cmZYOEVHTE1ybDBXMDFZRnJQaWRjeU0KVAiaO0xMhDQTh26e4lTRigkG2P6KfXov
c2DItjmdWmdfN/QOKl6JzObtHBxSWxXGZwbnWmDkGq69t20TDus2Xw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTW9oblRGVXZSYU1UaUpY
bEJvd0FST3gydXRzQ25GNm5vMEsyMlJpU0RRCjNFTk9rajQraGhoWFhFTDFtTnNE
aDNuaTZRZUtVcWkrN1RvZmZBRmJVTVkKLS0tIFdta3l4M3JoTU9tTllLUENOdTU0
K2UxRnNTcEw4OC85cWdFNlVSMnlseFUKXtUh8vavnw5I+16bZszXNXmDndXovAN/
XzrbfhXyE8B7jxlsSp6b5mu7RXWHP9knM2BqfrhhK0NJ/uuKfKNIEA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWWx3TGJTWEtLd0ROVXZQ
OUcycUlCUmhJT3JybldLYytJNlhld3lSVENJCmd0YUVBbWN3MU8yQ2FFMTRSWXln
S0x4c0pGemVDdVV6N3hCM3BsWGxBYzQKLS0tIDdyNFBtK2RQTFNXdlRDaVZBNjZ6
TVo3cmh0eFlDU1d2RnVZVUI1NXcrbnMKU+tJhePvEk/awxtoZA8NWTxUr5buXSRu
CyIZXG3THbrIWAzBRlgtKqmlvdOseIASSO9OgOUPb8/EKSD5eUTH3g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzd2tMOXVCZFJsaWJDV1FQ
UWpoSDgxVUZ6UCt3Z2I5YjFxcnUzK3dNVndnClZBV29OV0swZzd5UmJsQ2J3RFpo
UnpvQ21BajBYc2xzWDNHWStzNTJLelkKLS0tIDNROGJQTzNDZUZHU09RcUpGemJr
dnpGSmdCRXJsU2FNV0V1N0pSczJwRTgK99s4wGGlpgkmr6sFzw8iqEPy2c3CvrvK
Ak+DlVCx6G9YXCIoXPIysY3EkfrKQwf/5LUMxSTN8V1gOMeTyomt/w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidXFsbFBPc3hhMzFMSk9v
NVdKWDE5MWoyMnUyVWdwOXhsK3dpQ1o2bGlBClZHVTZzc2lxblYrUUUvRFRmQ2Mv
S1I4YzJYd1JCcUx5b0E2MTlwYWlwRDAKLS0tIGphM2NaSXBwdlZSR3kwSUkzcXkv
dWVDd2VSd213NmpYdDcvNUZXTHdzSDgKj68TLxSYYExtGg/hyuAiPqmdXPGIWzou
DnCdBitTPPswI+BVwYufnGmHdt8xz5nofBxACWg/bS3NUTGFcnIPWQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWU0xQzRqbG1CTnlSZmFj
TFZvMHU3NVVQTTVHZzJkZ3FGS3doRXhGamdjCk0vaGVaZWlwT2NLd0NPeUliQ09Q
cFNiMGZqUHliUEw1WDlWV3ZsR0lRYzAKLS0tIG8wWm1IK2tpRGhQVVNCQU83cnFB
S1lwZ2NDRGQyOW92R2JLakRUMG1JUkUKHNvXcHFlbgssrzLVdFxIT7QpMiPK5zoy
/OqQhXZ/ewER3b+kMidZv5QXU6GvMWsriT24/yyfTc0tEe7t/Ojm4A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-11T19:16:18Z"
mac: ENC[AES256_GCM,data:iyqD4XJHw072IYKyRnWKJRVLex/GfnYn5QY4/YPkGK9cHjVML/97k1IWM76zXOpoJ9wSENvTqQirjMZz0TS92Ak2Ps/3fsyPj2f9BEFmF+q8r+VWEj9ZGEzHb52uMKyj3vYs5Mg9O5eeDmdAifdvC3RmRkoQ7WFoLDVCwcVFKoU=,iv:AuqLIPVMhX537MPaqnrYgOuHPH+P8Ili8tkg4p1jC1I=,tag:t2gQZzO1dIXnM3UqOnn/FA==,type:str]
- recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZK3o4WkZqaldXd2lBUm5r
NWVNMVh5SXZmVmFlUldiVUdrYitPK3dUUVJzCjJnSHR0ZmpmMzF3ZnlBeEJ6bHc0
T0p2SXpoOGprbEdyUC9oWklTRndFcTAKLS0tIGN6VUZmVEJkWk5xR2dUaU1mbkZB
TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb
naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-25T11:52:08Z"
mac: ENC[AES256_GCM,data:Qfz/3UP6ZDOZZupdkass7+Lv2ssgXwMW5mZ3w1mGpmo4Fq+8yQbNnQTLi78+R79bn+ntonexf51WUo0uwfYGtt+9YbbDSYxO7iaFhJ/e3sroo2tVO5gbkKByEMSYx/zkz8SYpg9fwGvjLl/8YurSnuyrI1mppkcu4AY75jeo9Iw=,iv:iPKUHm1Ui9MIhtrddskBX9pMna0y1w5gASbtsOY0LKc=,tag:03M0N7mWD6zSG2tSh7jffQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.0
version: 3.8.1


@ -9,6 +9,15 @@ let
uuid = {
_secret = config.sops.secrets.singbox_password.path;
};
sg_server = {
_secret = config.sops.secrets.singbox_sg_server.path;
};
sg_password = {
_secret = config.sops.secrets.singbox_sg_password.path;
};
sg_uuid = {
_secret = config.sops.secrets.singbox_sg_uuid.path;
};
in
{
services.sing-box = {
@ -37,15 +46,23 @@ in
domain_suffix = server;
server = "_dns_doh_mainland";
}
{
domain_suffix = sg_server;
server = "_dns_doh_mainland";
}
];
servers = [
{
address = "https://cloudflare-dns.com/dns-query";
address_strategy = "prefer_ipv4";
address_resolver = "_dns_doh_mainland";
address = "tls://dns.google:853/";
address_resolver = "_dns_udp_global";
detour = "_proxy_select";
tag = "_dns_global";
}
{
address = "1.1.1.1";
detour = "_proxy_select";
tag = "_dns_udp_global";
}
{
address = "119.29.29.29";
detour = "direct";
@ -62,9 +79,8 @@ in
tag = "_dns_block";
}
];
strategy = "prefer_ipv4";
final = "_dns_global";
disable_cache = false;
disable_cache = true;
};
inbounds = [
{
@ -79,6 +95,7 @@ in
auto_route = true;
strict_route = false;
inet4_address = "172.19.0.1/30";
inet6_address = "fdfe:dcba:9876::1/126";
sniff = true;
}
];
@ -102,7 +119,10 @@ in
];
};
outbounds = [
{ default = "auto"; outbounds = [ "auto" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }
{ tag = "selfhost"; type = "urltest"; outbounds = [ "sg1" "sg2" ]; tolerance = 800; url = "http://www.gstatic.com/generate_204"; interval = "1m0s"; }
{ tag = "sg1"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; }
{ tag = "sg2"; type = "tuic"; congestion_control = "bbr"; server = sg_server; server_port = 6311; uuid = sg_uuid; password = sg_password; tls = { enabled = true; server_name = sg_server; }; }
{ default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }
{ interval = "1m0s"; outbounds = [ "SS-01" "SS-02" "SS-03" "SS-04" "SS-01" "SS-02" "SS-03" "SS-01" "SS-02" "SS-03" "SS-01" "SS-02" "SS-03" "SS-04" "1" "2" "3" "4" "5" "6" "7" "8" "1" "2" "3" "4" "1" "2" "3" "4" "5" "6" "7" "8" "1" "2" "1" "2" "3" "4" "5" "6" "1" "2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; }
{ tag = "direct"; type = "direct"; }
{ tag = "block"; type = "block"; }
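Review bot: The `sg1` trojan outbound and the `sg2` tuic outbound both authenticate with `sg_password`, and the server-side inbounds added in this commit do the same, so the two listeners share one credential. A leak through either protocol then exposes both, and rotating one forces rotating the other. A second sops entry for the TUIC password, referenced from `sg2` on both the client and the server, would keep them independent. The `let` block and the `outbounds` list both continue outside the hunks shown.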


@ -1,18 +1,28 @@
{ ... }:
{ inputs, ... }:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
sops = {
defaultSopsFile = ./secrets.yaml;
# TODO: How to generate this key when bootstrap?
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = {
clash_subscription_link = {
owner = "xin";
owner = "root";
};
singbox_password = {
owner = "xin";
owner = "root";
};
singbox_domain = {
owner = "xin";
owner = "root";
};
singbox_sg_server = {
owner = "root";
};
singbox_sg_password = {
owner = "root";
};
singbox_sg_uuid = {
owner = "root";
};
};
};
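Review bot: Every entry under `secrets` now spells out `owner = "root";`, which is the value sops-nix uses when no owner is given, so the six blocks could each be written as `singbox_sg_uuid = { };` and so on. Keeping an explicit `owner` only on entries that differ from the default makes the exceptions stand out in review. If anything running as `xin` still reads `clash_subscription_link`, `singbox_password` or `singbox_domain`, it loses access with this change; no such consumer is visible in this diff, so please confirm.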