dolomite: sing-box outbound to cf warp+

xinyangli 2023-12-19 21:32:40 +08:00
parent 3bc12ecfa3
commit fcdc65d8ce
9 changed files with 261 additions and 169 deletions


@ -2,8 +2,8 @@ keys:
- &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
- &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
- &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
- &host-dolomite00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - &host-sgp-00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
- &host-dolomite01 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
- &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
creation_rules: creation_rules:
- path_regex: machines/calcite/secrets.yaml - path_regex: machines/calcite/secrets.yaml
@ -21,18 +21,28 @@ creation_rules:
- age: - age:
- *xin - *xin
- *host-massicot - *host-massicot
- path_regex: machines/dolomite/secrets/sgp-00.yaml
key_groups:
- age:
- *xin
- *host-sgp-00
- path_regex: machines/dolomite/secrets/tok-00.yaml
key_groups:
- age:
- *xin
- *host-tok-00
- path_regex: machines/secrets.yaml - path_regex: machines/secrets.yaml
key_groups: key_groups:
- age: - age:
- *xin - *xin
- *host-calcite - *host-calcite
- *host-raspite - *host-raspite
- *host-dolomite00 - *host-sgp-00
- *host-dolomite01 - *host-tok-00
- path_regex: home/xin/secrets.yaml - path_regex: home/xin/secrets.yaml
key_groups: key_groups:
- age: - age:
- *xin - *xin
- *host-raspite - *host-raspite
- *host-calcite - *host-calcite
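Review bot: The `machines/secrets.yaml` rule still lists `*host-sgp-00` and `*host-tok-00` in its key group, so both proxy nodes can decrypt that entire file, which (per the machines/secrets.yaml section of this commit) also carries `github_public_token`, `autofs-nas-secret` and `clash_subscription_link` that a proxy host has no use for. The per-host `machines/dolomite/secrets/<host>.yaml` rules added here are the right shape for that; moving `singbox_password`/`singbox_uuid` into them would let the shared file drop the two host recipients, so a compromised node exposes only its own material. Note also that `path_regex` is a regular expression, so the unescaped `.` in `sgp-00.yaml` is a wildcard; `sgp-00\.yaml` would be the precise spelling.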


@ -1,6 +1,49 @@
{ {
"nodes": { "nodes": {
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"stable": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1699171528,
"narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "665603956a1c3040d756987bc7a810ffe86a3b15",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "colmena",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -76,7 +119,7 @@
}, },
"nix-vscode-extensions": { "nix-vscode-extensions": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"flake-utils": [ "flake-utils": [
"flake-utils" "flake-utils"
], ],
@ -202,6 +245,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"colmena": "colmena",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",


@ -38,6 +38,13 @@
url = "github:numtide/flake-utils"; url = "github:numtide/flake-utils";
}; };
colmena = {
url = "github:zhaofengli/colmena";
inputs.stable.follows = "nixpkgs";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nix-index-database = { nix-index-database = {
url = "github:Mic92/nix-index-database"; url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -73,7 +80,7 @@
nixosModules.default = import ./modules/nixos; nixosModules.default = import ./modules/nixos;
homeManagerModules = import ./modules/home-manager; homeManagerModules = import ./modules/home-manager;
colmena = { colmenaHive = colmena.lib.makeHive {
meta = { meta = {
nixpkgs = import nixpkgs { nixpkgs = import nixpkgs {
system = "x86_64-linux"; system = "x86_64-linux";
@ -95,60 +102,53 @@
]; ];
}; };
dolomite00 = { name, nodes, pkgs, ... }: with inputs; { sgp-00 = { name, nodes, pkgs, ... }: with inputs; {
imports = [ imports = [
{ nixpkgs.system = "x86_64-linux"; custom.domain = "video.namely.icu"; } machines/dolomite
machines/dolomite
]; ];
nixpkgs.system = "x86_64-linux";
networking.hostName = "sgp-00";
system.stateVersion = "23.11";
deployment = { deployment = {
targetHost = "video.namely.icu"; targetHost = "video.namely.icu";
buildOnTarget = false; buildOnTarget = false;
tags = [ "proxy" ];
}; };
}; };
dolomite01 = { name, nodes, pkgs, ... }: with inputs; { tok-00 = { name, nodes, pkgs, ... }: with inputs; {
imports = [ imports = [
{ nixpkgs.system = "x86_64-linux"; custom.domain = "video01.namely.icu"; } machines/dolomite
machines/dolomite
]; ];
nixpkgs.system = "x86_64-linux";
networking.hostName = "tok-00";
system.stateVersion = "23.11";
deployment = { deployment = {
targetHost = "video01.namely.icu"; targetHost = "video01.namely.icu";
buildOnTarget = false; buildOnTarget = false;
tags = [ "proxy" ];
}; };
}; };
}; };
nixosConfigurations.calcite = mkNixos { nixosConfigurations = {
system = "x86_64-linux"; calcite = mkNixos {
modules = [ system = "x86_64-linux";
nixos-hardware.nixosModules.asus-zephyrus-ga401 modules = [
machines/calcite/configuration.nix nixos-hardware.nixosModules.asus-zephyrus-ga401
(mkHome "xin" "calcite") machines/calcite/configuration.nix
]; (mkHome "xin" "calcite")
}; ];
};
nixosConfigurations.massicot = mkNixos { raspite = mkNixos {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
machines/massicot nixos-hardware.nixosModules.raspberry-pi-4
]; machines/raspite/configuration.nix
}; (mkHome "xin" "raspite")
];
nixosConfigurations.dolomite = mkNixos { };
system = "x86_64-linux"; } // self.colmenaHive.nodes;
modules = [
machines/dolomite
];
};
nixosConfigurations.raspite = mkNixos {
system = "aarch64-linux";
modules = [
nixos-hardware.nixosModules.raspberry-pi-4
machines/raspite/configuration.nix
(mkHome "xin" "raspite")
];
};
images.raspite = (mkNixos { images.raspite = (mkNixos {
system = "aarch64-linux"; system = "aarch64-linux";
@ -163,16 +163,5 @@
} }
]; ];
}).config.system.build.sdImage; }).config.system.build.sdImage;
} // };
(with flake-utils.lib; (eachSystem defaultSystems (system:
let pkgs = import nixpkgs { inherit system; }; in
{
packages = {
homeConfigurations."xin" = import ./home/xin/gold { inherit home-manager pkgs; };
};
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [ git colmena nix-output-monitor ssh-to-age ];
};
}
)));
} }
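Review bot: The two colmena nodes in the `sgp-00`/`tok-00` hunk are identical apart from the host name and `deployment.targetHost` — `imports`, `nixpkgs.system`, `system.stateVersion`, `buildOnTarget` and `tags` are repeated verbatim — so a small `mkProxyNode` helper defined next to `mkNixos`/`mkHome` would keep the two definitions from drifting when a third node is added. The last hunk also drops the `flake-utils` `eachSystem` block, and with it `packages.homeConfigurations."xin"` and `devShells.default` (the shell that provided `colmena`, `nix-output-monitor` and `ssh-to-age`); the commit title does not mention this, so the message should say whether that removal is intended. Merging `self.colmenaHive.nodes` into `nixosConfigurations` presumably relies on `makeHive` exposing evaluated node configurations under `nodes`; the `meta` attribute and the enclosing `outputs` function begin outside the hunk.
```nix
# … define next to mkNixos / mkHome, outside this hunk …
mkProxyNode = hostName: targetHost: { name, nodes, pkgs, ... }: with inputs; {
  imports = [ machines/dolomite ];
  nixpkgs.system = "x86_64-linux";
  networking.hostName = hostName;
  system.stateVersion = "23.11";
  deployment = { inherit targetHost; buildOnTarget = false; tags = [ "proxy" ]; };
};
# … unchanged: colmenaHive = colmena.lib.makeHive { meta = { … }; …
sgp-00 = mkProxyNode "sgp-00" "video.namely.icu";
tok-00 = mkProxyNode "tok-00" "video01.namely.icu";
```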


@ -1,33 +1,24 @@
{ config, pkgs, lib, modulesPath, ... }: { inputs, config, pkgs, lib, modulesPath, ... }:
let
cfg = config.custom;
sg_password = {
_secret = config.sops.secrets.singbox_sg_password.path;
};
sg_uuid = {
_secret = config.sops.secrets.singbox_sg_uuid.path;
};
singTls = {
enabled = true;
server_name = cfg.domain;
key_path = config.security.acme.certs.${cfg.domain}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${cfg.domain}.directory + "/cert.pem";
};
in
{ {
options = {
custom.domain = lib.mkOption {
type = lib.types.str;
default = "";
};
};
imports = [ imports = [
"${modulesPath}/virtualisation/amazon-image.nix"
../sops.nix ../sops.nix
"${modulesPath}/virtualisation/amazon-image.nix"
]; ];
config = { config = {
sops = {
secrets = {
wg_private_key = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
wg_ipv6_local_addr = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
};
};
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq"; "net.core.default_qdisc" = "fq";
@ -38,7 +29,7 @@ in
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
certs.${cfg.domain} = { certs.${config.deployment.targetHost} = {
email = "me@namely.icu"; email = "me@namely.icu";
listenHTTP = ":80"; listenHTTP = ":80";
}; };
@ -46,9 +37,31 @@ in
networking.firewall.allowedTCPPorts = [ 80 8080 ]; networking.firewall.allowedTCPPorts = [ 80 8080 ];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
services.sing-box = { services.sing-box = let
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
password = {
_secret = config.sops.secrets.singbox_password.path;
};
uuid = {
_secret = config.sops.secrets.singbox_uuid.path;
};
in
{
enable = true; enable = true;
settings = { settings = {
dns = {
servers = [
{
address = "1.1.1.1";
detour = "wg-out";
}
];
};
inbounds = [ inbounds = [
{ {
tag = "sg0"; tag = "sg0";
@ -57,7 +70,7 @@ in
listen_port = 8080; listen_port = 8080;
users = [ users = [
{ name = "proxy"; { name = "proxy";
password = sg_password; password = password;
} }
]; ];
tls = singTls; tls = singTls;
@ -70,12 +83,53 @@ in
congestion_control = "bbr"; congestion_control = "bbr";
users = [ users = [
{ name = "proxy"; { name = "proxy";
uuid = sg_uuid; uuid = uuid;
password = sg_password; password = password;
} }
]; ];
tls = singTls; tls = singTls;
}); });
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{ public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [ "0.0.0.0/0" "::/0" ];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
type = "direct";
tag = "direct";
}
{
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
{
outbound = "dns-out";
protocol = "dns";
}
{
geoip = "cn";
geosite = "cn";
outbound = "direct";
}
];
};
}; };
}; };
}; };
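Review bot: In the new `route.rules`, `geoip = "cn"; geosite = "cn";` sit in one rule, and sing-box ANDs the domain-side and IP-side conditions of a single rule, so only connections matching both go `direct`; everything else falls to the first outbound, `wg-out`. If the intent is "either China IP or China domain goes direct", split it into two rules: `{ geosite = "cn"; outbound = "direct"; }` and `{ geoip = "cn"; outbound = "direct"; }`. Separately, the ACME certificate name and the sing-box `server_name` are now keyed on `config.deployment.targetHost`, which is colmena's SSH target; this only works while the module is evaluated through the hive and while that value stays the DNS name the certificate is meant to cover, so a comment such as `# deployment.targetHost doubles as the public TLS name; it must stay a hostname, never an IP or SSH alias` next to `certs.${config.deployment.targetHost}` would make the invariant explicit. It is also worth confirming that the NixOS sing-box module's `_secret` substitution descends into the `local_address` list, since the IPv6 entry is supplied that way. The `config = {` block and the `services.sing-box` attribute set continue across the hunk boundaries.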


@ -0,0 +1,31 @@
wg_private_key: ENC[AES256_GCM,data:UjxZ3iC5hxVcVJdEUJ3+myaQ/6MvghDw6eKa2flSuxMwFS31WB7r3evjlI0=,iv:BjgXCps6gx1ISghEO42x5aKb+c/n0P1V8FMVlPxAyLY=,tag:IkxCkpyVre+sFoBlRSFpMA==,type:str]
wg_ipv6_local_addr: ENC[AES256_GCM,data:ejDYuZjZCKcsvyUUKdXtxgBqWloIwYHmpc/YwCYq7O2thsxvOou6iSHf,iv:HDrMlec4svxHpZXMyRDzpdSKeJbTmkZPd98SHv2ZLhQ=,tag:LjpapuaJ6sl4USZC8xEU5w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUkpVa0dCSE1rTjZpaWR1
cjJjc25iOEV4TnhQUWE4SjI4QWVZYXdVcHdBCkIrNlVrV2xJRURVSG9sUHozeE5s
NitsV1MvcENZTHhmU01CSTRVNENXUFEKLS0tIGgxakQ2cGIzdzg5QzRoT3ZSaXUx
TkN5MkNTNitWMzVKZWdhNGRIZ3VNNDgKQ6lwM6EowuGOrskUpwD8VGirravE+e3/
Hkv5jLvvfVjmg0kvKlNRotTHrRUGV04JsbW7T9FfbKyYpmEb6oCrsg==
-----END AGE ENCRYPTED FILE-----
- recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSUlkQzhYSGwyNnYvNHpQ
UktKOUZiYk56S0piVy9ZMFdYVFdsN1FEVkhVCnZETEM5MW84TlNpbm1hSXJtR2Yy
OEdrSi9lcmJOR2F1cUZqc0NyQjl4RDgKLS0tIHVLcnRicmVNd2MwVjB4cGFXTlBu
VkJCcXdqTkUzejNzSjIvV2YrVUc5Sm8KutTATsWJ5+yB/CFoGwTNshyI5LzwH4x5
i5EIIkVPdxSIHrXUp0j6+RPWMJvEOFIE3dVwxz+MxqqHqtmEny1WKA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-19T12:31:51Z"
mac: ENC[AES256_GCM,data:AY0/qJ1ZXv4mQlHnG3uY2zQ0FhIYjHBWKyXXpv2/Q6yZkuSu6nIQk039nd+nk7lczXy2cylTHyjYv5vDF6BJARhu4jeYov6yMqYR8ye8rXjZKcOfrN5yv7LV6jyuzBRBkCWTQsaoR8ycKHlrMe+vkAGu50epdAQjAG+Qv6RkBiM=,iv:dMi2CququdEIg+g8NMUb8ioKwEkUqTP+nrivtsUYUUY=,tag:drHI6oJUUwN3JadCHbWWkg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,31 @@
wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str]
wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYTc2a2J3ZXRXTlRxQTAx
UjZVTTVPa0FjbS9jekI5eXhLOTdUQTlBS2pJCnVPL2Q1d05QR2NpTDVZeDFpSCs3
Yjh3aXkvdTBIOThVMGMzcUZmUWhtTjgKLS0tIFZvcy9zRVBRcDN0ekp0MEV5cEph
ZURTL3hnSHgwQTlSNklCK25icEM0SGsKq2jM6jXLfK38BgV0calwKLuHIcGw0zed
lT19Mt9jFsqmIkpJh1U9Ddpz63WND+7ruMdTZt6RWStIxww4m7pevg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSXBqdXcxUDNkS29Gd3ZY
dTA3bmNUVThtTFJtdnFpSjZQT01TTXhpYUc4CkFhcm14eUw1YXIyWEViMSsyc3pr
VUJqWWdHMCtoRGQ1T3dMQlg3ZTZ5dGMKLS0tIGQvbGpFZTdrVUFURE9tdENCZGwr
aDBKbitCTmhxNXVNRGh6TVBvbkNhTUEKIuj7B4RdueX7BfExgzVoo6YJf59GsUHa
j5kIJ5UeTqWEBGBaXcPjhHMEQjYqwSBsVz2XJmsxLhi8WxejLio8FA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-19T12:30:24Z"
mac: ENC[AES256_GCM,data:f+7+O2ZVSZJhr0fJlfO/AtZC2N/7gsNu1f4cnUoXYFb1wobyU6tLkbwGqeyIulokgIDAU5lJ62TJXAjybe+kE+PGtpr61KS7dyiO0LjzcT/X898oBYvJ9jtkuxDzKM4ve570U7ZmS7Jbxt2NJEkcBvSUJRdJHH5l0sDrvmW8cwY=,iv:mno6jVUDUWxsO353hbCqGub+NYfk0XFsWzmWCBUt6Gg=,tag:KOw7HTy+pETha5pzx5Pf8Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -2,12 +2,10 @@ clash_subscription_link: ENC[AES256_GCM,data:Vwy0c8gOeR1XG/QNp8TGuBe/5kezD7SSStN
autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str] autofs-nas: ENC[AES256_GCM,data:wcrA2t8/i9PaxA1PQ3CDVJZUhVchGV4vCfa5j/ReNahKV3cfDf2owbpeB827sMpjYyyvSH6nri7mra/BLMAPcgySCpZNAgdR9DQZXAQ=,iv:QJzsS5a6vWeoBxkB13yXdVbyn0tt2QTvqj0LaHn6S2g=,tag:TtgubLgWBBzl67MVal5BvQ==,type:str]
autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str] autofs-nas-secret: ENC[AES256_GCM,data:OBh8h5CFv1Z4G6bMesna4zmXNASKhYdjFBvg47T9aKBCLDp/xVWnnQj8N7AFGg49wJ+0gYuqb33lIqpSnQ==,iv:UCaGeE8j4RqJzA0xhu3oB2xvzombzQD3fjLKCWd5fDg=,tag:+Oc78ddpLH7R2aT7gW3Ouw==,type:str]
github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str] github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGtg9GFLBAVt1Y+d2Q07l/zGFlcLXDTE4FI9kAHVzpXchZlfCWcjJGJ/gCHr306s0zoaa5zVfAsfQaLmkYNvYBuOu8WHifsL3RNvkQrx4xWiH5KlCbrKelAsUaoj,iv:/bYv5+PtVcqNKgrOy8ojY09GtS0+U1W8JI34CcBeoHE=,tag:Xsh6XOVrn06RQL6s1ze4PA==,type:str]
singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str]
singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str]
singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str] singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str]
singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:+Nwsx65/gdrDhL1ZurR5Ng==,type:str] singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:+Nwsx65/gdrDhL1ZurR5Ng==,type:str]
singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str] singbox_password: ENC[AES256_GCM,data:0tBIzwtNSQqbGlD+CDnQfJigbFVBChEL,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:5BtYAv1NO70IL4m/uG8QKA==,type:str]
singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str] singbox_uuid: ENC[AES256_GCM,data:ufN+vDl/rDASoQL23tHwlr3ybMyrlC/Kd7bT0c5+SP+bc6Zj,iv:+uwt/N9LpFaJK6MjoczyrZ039MDZn4kRmtEoq4OvdFU=,tag:6Yma9+yrISwQoSRDgUbuwA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -59,8 +57,8 @@ sops:
Y2MyZUhOaEVVZU9Hc0xHbWtMdG1Ca2cKHU7pgODnNVDiMFF6be07a320a9HWKIdO Y2MyZUhOaEVVZU9Hc0xHbWtMdG1Ca2cKHU7pgODnNVDiMFF6be07a320a9HWKIdO
OKFA9R6WX1TFhKBKNDqK/mokJBTxu4nR16ewHSWOU13O/M8aKCQhug== OKFA9R6WX1TFhKBKNDqK/mokJBTxu4nR16ewHSWOU13O/M8aKCQhug==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-02T15:24:19Z" lastmodified: "2023-12-19T12:56:28Z"
mac: ENC[AES256_GCM,data:dgWoBRMuDxVT/j/ybQX7suehwsjy86rJ0pJ1UeDQcTywIeK8WgIvNuq+T1x9UFgPWn7xt+vMQV665hugTl8T4Wb7Eot2FqM3KPq8EONVaGLAxtQv75MQmcJD+5kfSSsDC+HVujmWl5uFy5jzFJgrHEsm2v9lCxRO/2kvjbQbZAM=,iv:YBz+OewY51YNhjPF4QSq27vT6zEwFCkPW5MctOQ7AvQ=,tag:Tfbo7o4QgMUP6UPTJ36dTg==,type:str] mac: ENC[AES256_GCM,data:v7Rn7dPOzfcgab2MhiU7h0CXjkAbkpBX7l7iLdnw3RUIjxulTXVuPpgenojF5yVqFCPgm2LKBKniD+cvtMvVhb00a1tnDNM/tfjH9GjBYNZH9xtPWJED7GLASd6nIF5BZhANKhH8yphAi5VJ/4cyEdMFbWu+2gO8GyQxJQYhgY8=,iv:bbbZ8vF+Vbwq/6PXN/7qvRO62M/eDZ591v4gXc1fs+g=,tag:dyt9LVU32hnbVT12C/Afqw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -1,13 +1,10 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
server = {
_secret = config.sops.secrets.singbox_domain.path;
};
password = { password = {
_secret = config.sops.secrets.singbox_password.path; _secret = config.sops.secrets.singbox_password.path;
}; };
uuid = { uuid = {
_secret = config.sops.secrets.singbox_password.path; _secret = config.sops.secrets.singbox_uuid.path;
}; };
sg_server = { sg_server = {
_secret = config.sops.secrets.singbox_sg_server.path; _secret = config.sops.secrets.singbox_sg_server.path;
@ -15,13 +12,6 @@ let
jp_server = { jp_server = {
_secret = config.sops.secrets.singbox_jp_server.path; _secret = config.sops.secrets.singbox_jp_server.path;
}; };
# TODO: diffrent password
sg_password = {
_secret = config.sops.secrets.singbox_sg_password.path;
};
sg_uuid = {
_secret = config.sops.secrets.singbox_sg_uuid.path;
};
in in
{ {
services.sing-box = { services.sing-box = {
@ -47,14 +37,12 @@ in
server = "_dns_doh_mainland"; server = "_dns_doh_mainland";
} }
{ {
domain_suffix = server; disable_cache = false;
server = "_dns_doh_mainland";
}
{
domain_suffix = sg_server; domain_suffix = sg_server;
server = "_dns_doh_mainland"; server = "_dns_doh_mainland";
} }
{ {
disable_cache = false;
domain_suffix = jp_server; domain_suffix = jp_server;
server = "_dns_doh_mainland"; server = "_dns_doh_mainland";
} }
@ -77,7 +65,7 @@ in
tag = "_dns_udp_mainland"; tag = "_dns_udp_mainland";
} }
{ {
address = "https://doh.pub/dns-query"; address = "tls://1.12.12.12:853/";
address_resolver = "_dns_udp_mainland"; address_resolver = "_dns_udp_mainland";
detour = "direct"; detour = "direct";
tag = "_dns_doh_mainland"; tag = "_dns_doh_mainland";
@ -88,6 +76,7 @@ in
} }
]; ];
final = "_dns_global"; final = "_dns_global";
strategy = "prefer_ipv4";
disable_cache = true; disable_cache = true;
}; };
inbounds = [ inbounds = [
@ -131,76 +120,28 @@ in
]; ];
}; };
outbounds = [ outbounds = [
{ tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://www.gstatic.com/generate_204"; } { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://cp.cloudflare.com/"; }
{ tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; }
{ tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; } { tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; }
{ default = "auto"; outbounds = [ "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }
{ default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }
{ interval = "1m0s"; outbounds = [ "SS-01" "SS-02" "SS-03" "SS-04" "SS-01" "SS-02" "SS-03" "SS-01" "SS-02" "SS-03" "SS-01" "SS-02" "SS-03" "SS-04" "1" "2" "3" "4" "5" "6" "7" "8" "1" "2" "3" "4" "1" "2" "3" "4" "5" "6" "7" "8" "1" "2" "1" "2" "3" "4" "5" "6" "1" "2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; }
{ tag = "direct"; type = "direct"; } { tag = "direct"; type = "direct"; }
{ tag = "block"; type = "block"; } { tag = "block"; type = "block"; }
{ tag = "dns-out"; type = "dns"; } { tag = "dns-out"; type = "dns"; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12001; tag = "SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12002; tag = "SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12003; tag = "SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12004; tag = "SS-04"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12011; tag = "SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12012; tag = "SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12013; tag = "SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12021; tag = "SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12022; tag = "SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12023; tag = "SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12031; tag = "SS-01"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12032; tag = "SS-02"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12033; tag = "SS-03"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server password; method = "aes-128-gcm"; server_port = 12034; tag = "SS-04"; type = "shadowsocks"; udp_over_tcp = false; }
{ inherit server uuid; security = "auto"; server_port = 1201; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1202; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1203; tag = "3"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1204; tag = "4"; transport = { path = "/"; type = "ws"; }; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1205; tag = "5"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1206; tag = "6"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1207; tag = "7"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1208; tag = "8"; transport = { path = "/"; type = "ws"; }; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1211; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1212; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1213; tag = "3"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1214; tag = "4"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1231; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1232; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1233; tag = "3"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1234; tag = "4"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1235; tag = "5"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1236; tag = "6"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1237; tag = "7"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1238; tag = "8"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1241; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1242; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1261; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1262; tag = "2"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1263; tag = "3"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1264; tag = "4"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1265; tag = "5"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1266; tag = "6"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1251; tag = "1"; type = "vmess"; }
{ inherit server uuid; security = "auto"; server_port = 1252; tag = "2"; type = "vmess"; }
] ++ lib.forEach (lib.range 6311 6314) (port: { ] ++ lib.forEach (lib.range 6311 6314) (port: {
inherit uuid password;
tag = "sg" + toString (port - 6310); tag = "sg" + toString (port - 6310);
type = "tuic"; type = "tuic";
congestion_control = "bbr"; congestion_control = "bbr";
server = sg_server; server = sg_server;
server_port = port; server_port = port;
uuid = sg_uuid;
password = sg_password;
tls = { enabled = true; server_name = sg_server; }; tls = { enabled = true; server_name = sg_server; };
}) ++ lib.forEach (lib.range 6311 6314) (port: { }) ++ lib.forEach (lib.range 6311 6314) (port: {
inherit uuid password;
tag = "jp" + toString (port - 6310); tag = "jp" + toString (port - 6310);
type = "tuic"; type = "tuic";
congestion_control = "bbr"; congestion_control = "bbr";
server = jp_server; server = jp_server;
server_port = port; server_port = port;
uuid = sg_uuid;
password = sg_password;
tls = { enabled = true; server_name = jp_server; }; tls = { enabled = true; server_name = jp_server; };
}); });
}; };
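Review bot: The `_proxy_select` selector keeps `default = "auto"` while the `auto` urltest outbound it named is removed in this same hunk, so the default now points at a tag that no longer exists in `outbounds`; as far as I know sing-box's selector refuses to start with a default tag absent from its outbound list, so this should read `{ default = "selfhost"; outbounds = [ "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }`. The `# TODO: diffrent password` comment is dropped in the `let` hunk, but the new `inherit uuid password;` in both TUIC generators and the two trojan outbounds still present one credential to the sg and jp servers, so either keep the TODO or state that sharing is intended. Changing `uuid` to read `singbox_uuid` instead of `singbox_password` fixes what looks like a copy-paste slip in the old file and deserves a line in the commit message. The `outbounds` list closes inside the hunk, but the enclosing `services.sing-box` block continues past it.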


@ -12,22 +12,16 @@
clash_subscription_link = { clash_subscription_link = {
owner = "root"; owner = "root";
}; };
singbox_password = {
owner = "root";
};
singbox_domain = {
owner = "root";
};
singbox_sg_server = { singbox_sg_server = {
owner = "root"; owner = "root";
}; };
singbox_jp_server = { singbox_jp_server = {
owner = "root"; owner = "root";
}; };
singbox_sg_password = { singbox_password = {
owner = "root"; owner = "root";
}; };
singbox_sg_uuid = { singbox_uuid = {
owner = "root"; owner = "root";
}; };
}; };