diff --git a/.sops.yaml b/.sops.yaml index 966db60..b7491c3 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -18,13 +18,13 @@ creation_rules: - age: - *guanranwang - *lightsail-tokyo - - path_regex: nixos/profiles/opt-in/mihomo/secrets.yaml$ + - path_regex: nixos/profiles/sing-box/secrets.yaml$ key_groups: - age: - *guanranwang - *blacksteel - *dust - - path_regex: nixos/profiles/opt-in/wireless/secrets.yaml$ + - path_regex: nixos/profiles/wireless/secrets.yaml$ key_groups: - age: - *guanranwang diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix index 072d84a..b44232b 100644 --- a/hosts/blacksteel/default.nix +++ b/hosts/blacksteel/default.nix @@ -6,7 +6,7 @@ }: { imports = [ # OS - ../../nixos/profiles/opt-in/mihomo + ../../nixos/profiles/sing-box # Hardware ./hardware-configuration.nix diff --git a/hosts/dust/default.nix b/hosts/dust/default.nix index ede10f7..c8c8fb6 100644 --- a/hosts/dust/default.nix +++ b/hosts/dust/default.nix @@ -4,8 +4,8 @@ ... }: { imports = [ - ../../nixos/profiles/opt-in/mihomo - ../../nixos/profiles/opt-in/wireless + ../../nixos/profiles/sing-box + ../../nixos/profiles/wireless ./anti-feature.nix ./disko.nix diff --git a/nixos/profiles/opt-in/mihomo/config.yaml b/nixos/profiles/opt-in/mihomo/config.yaml deleted file mode 100644 index bc7f294..0000000 --- a/nixos/profiles/opt-in/mihomo/config.yaml +++ /dev/null 
@@ -1,53 +0,0 @@
-### YAML Anchors
-fetch: &fetch
- type: http
- interval: 43200 # 12 hours
- health-check:
- enable: true
- url: https://www.gstatic.com/generate_204
- interval: 600 # 10 minutes
-
-use: &use
- type: select
- use:
- - efcloud
- - spcloud
-
-port: 7890
-external-controller: 127.0.0.1:9090
-log-level: warning
-unified-delay: true
-tcp-concurrent: true
-geodata-mode: true
-
-secret: "@clash/secret@"
-
-proxies:
- # @clash/proxies/lightsail@
-
-proxy-providers:
- efcloud:
- <<: *fetch
- url: "@clash/proxy-providers/efcloud@"
- spcloud:
- <<: *fetch
- url: "@clash/proxy-providers/spcloud@"
-
-proxy-groups:
- - { name: PROXY, type: select, proxies: [自动选择, lightsail, DIRECT] }
- - { name: 自动选择, <<: *use, tolerance: 2, type: url-test }
-
-rules:
- - GEOIP, lan, DIRECT, no-resolve
- - GEOSITE, private, DIRECT
- - GEOSITE, category-ads, REJECT
-
- - GEOSITE, icloud, DIRECT
- - GEOSITE, apple@cn, DIRECT
- - GEOSITE, google@cn, DIRECT
- - GEOSITE, microsoft@cn, DIRECT
- - GEOSITE, category-games@cn, DIRECT
-
- - GEOSITE, cn, DIRECT
- - GEOIP, cn, DIRECT
- - MATCH, PROXY
diff --git a/nixos/profiles/opt-in/mihomo/default.nix b/nixos/profiles/opt-in/mihomo/default.nix
deleted file mode 100644
index 9196420..0000000
--- a/nixos/profiles/opt-in/mihomo/default.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- lib,
- pkgs,
- config,
- ...
-}: {
- services.mihomo = {
- enable = true;
- configFile = config.sops.templates."clash.yaml".path;
- webui = pkgs.metacubexd;
- };
-
- systemd.services.mihomo.preStart = ''
- ${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-geoip}/share/v2ray/geoip.dat /var/lib/private/mihomo/GeoIP.dat
- ${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-domain-list-community}/share/v2ray/geosite.dat /var/lib/private/mihomo/GeoSite.dat
- '';
-
- ### System proxy settings
- networking.proxy.default = "http://127.0.0.1:7890/";
- environment.shellAliases = let
- inherit (config.networking) proxy;
- in {
- "setproxy" = "export http_proxy=${proxy.httpProxy} https_proxy=${proxy.httpsProxy} all_proxy=${proxy.allProxy} ftp_proxy=${proxy.ftpProxy} rsync_proxy=${proxy.rsyncProxy}";
- "unsetproxy" = "set -e http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";
- };
-
- ### sops-nix
- sops.secrets = lib.mapAttrs (_name: value:
- value
- // {
- restartUnits = ["mihomo.service"];
- sopsFile = ./secrets.yaml;
- }) {
- "clash/secret" = {};
- "clash/proxies/lightsail" = {};
- "clash/proxy-providers/efcloud" = {};
- "clash/proxy-providers/spcloud" = {};
- };
-
- sops.templates."clash.yaml".file = pkgs.replaceVars ./config.yaml {
- inherit
- (config.sops.placeholder)
- "clash/secret"
- "clash/proxies/lightsail"
- "clash/proxy-providers/efcloud"
- "clash/proxy-providers/spcloud"
- ;
- };
-}
diff --git a/nixos/profiles/opt-in/mihomo/secrets.yaml b/nixos/profiles/opt-in/mihomo/secrets.yaml
deleted file mode 100644
index a034ba8..0000000
--- a/nixos/profiles/opt-in/mihomo/secrets.yaml
+++ /dev/null
@@ -1,45 +0,0 @@ -clash: - secret: ENC[AES256_GCM,data:0dikpMbntA==,iv:63yclHF0yUJXWr7/RN0RLMFmASD847i6WAplx6sfvGQ=,tag:Y7lw2sn34CEfAmzy/0IugA==,type:str] - proxies: - lightsail: ENC[AES256_GCM,data:YfyZsBi3yMIAMIjotAk4g4M+yYYozSSbKE77oz3lwbRHCMVJqxeo5nR04HrG8Hy2mQvVV09et1MbgnDMhEaSERZvsfaBojFUoRE6Du18n1ET8P1/ez5aKgC6ZnHy90a99mktqD4QDGNE8VDX2xBtNcVLF6i9dJ9di9tJEtnOdw+Q,iv:/uqtX6E2I0sqSWt2FmKwzG9zQb2TjdQqfDBZQXLh8cs=,tag:ofvc5GKEPrizajUaevI1jA==,type:str] - proxy-providers: - efcloud: ENC[AES256_GCM,data:36mToXGiHVAgM4vVQFOYvNPaHHuVf4mtvnNOgMBTyzbZ/mKpT1Exx7rWZ7i9EVBy5eX7SJtKmnHs0CqD48hr7R708W2oW3YNPEfkK7aGDqfQFyS1TVjT+MM=,iv:+qiFyM10fcAjcdyVZCC+0hb83GYENooM52+1GPXpamQ=,tag:wZupiFJMQq8A5ZwJtjXiOg==,type:str] - spcloud: ENC[AES256_GCM,data:gmJM+sTTaUrIxQXRBlDtE+K1gEfseMPUC2AQLq1LeY6iQmgq3wK7oJlz+buLbm/LUDitvls9d517905hz/Mpp2F7ohBeW9m1Jkcvdh/Zfgnfqg==,iv:FPe//+/ZMDZloZg2AnQ7JXRzqZdKDjLYs3wqMxqNA/Y=,tag:JPEU/WnUfy8bNlhAgPQwJw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZkVpWm43Y3NOVHpBWHdm - bDhyeHA5RkhQZDNCZzQwL2l4cDFuZFlzUHg0CjhkWkJTWVEyRDRiUnFUVHcrd0Zh - NUt2aG5jTjZ6dFBxRkFLZkdEWm5FcWsKLS0tIFY3VURVUWpRQ1A3WGxUWmdPaG1w - bnNtenl4MUpTME9CYmZIL1VNZzdxREUKyIJVIyXg5lDkUlwG8hbGdgJ4ii/K/cTV - 2u/B5KSCTQ0/ndyamjfYMDawL7xVoXTuPRufj/oW/j1lNd0UTbSphA== - -----END AGE ENCRYPTED FILE----- - - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSlpRSjZHS29SMERKQ0tN - bkJ2YlZVNVhEUHhNc3Z0bmc0TTZHR3Q1Y3hZCmx3cHZoL2lvWFVBTzNXa3hVa0Zk - SG1zbDI0dnlicEV0RktnSmVvWEdaN3MKLS0tIHlJaExjRE15Q1JCTDFOUlBLUkFY - US9haXAyakN5QXJpNFVFZnoybE5va1UK5b4Mr3sVReaT3KoiDPbSIMwNMjyp2Ob0 - iTdjOx3LklF4rslHxEb3nwHSTzQjsFUPVfygyMKC4oPoUk9jN1hy/A== - -----END AGE ENCRYPTED FILE----- - - 
recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWXB5L1VESXBhRkdBSTJk - VVpJRGtyVTAvdXA1WUNwVW0xd3JZclBLeW5ZCllCS1dBTWxuRlpSbWFLbG1HdFR0 - TjFGVW1zUGE5dG9rZmF1NGQ1NEJnWkEKLS0tIDdzenRaWVRoVTZ5eGNVQk8zZmlp - R3JVUlNmd0t2WWlvK3U3K2gyYmQycUEKoDQ7wLxvHbyLUKCvt2cV3xUDyiPXLTq8 - 1KyVQ/5FHQCRPsqjYmXioqKNecZxYnVESPi8UZslTn8edtl3iiQTLQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-10T15:24:00Z" - mac: ENC[AES256_GCM,data:BGF/DAfOhdw0YZ6PGipXu0sL9+8E1s509bg89dMnAtf1WfreFCQMuHe7uqfkC3Be99proNgJ1O5fWTENaynXyMKto1YF+7z9ZZ3CCOceFLNqbBucaxRFAO+tkMlVixLoqIvEHdyoZD+iM45wOO6mn+/o6wR/z3Ze36wmZCJ1+4c=,iv:s9N2lNx1SwPm0qNyqgGm2Qp5zS4xIhxwp2kj7sQmcQc=,tag:o1/WS7b7FR//IZK1iNQkCg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.0 diff --git a/nixos/profiles/sing-box/default.nix b/nixos/profiles/sing-box/default.nix new file mode 100644 index 0000000..10f6fd5 --- /dev/null +++ b/nixos/profiles/sing-box/default.nix 
@@ -0,0 +1,83 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ services.sing-box = {
+ enable = true;
+ settings = {
+ inbounds = [
+ {
+ type = "http";
+ tag = "inbound";
+ listen = "127.0.0.1";
+ listen_port = 1080;
+ sniff = true;
+ sniff_override_destination = true;
+ }
+ ];
+
+ outbounds = [
+ {
+ type = "hysteria2";
+ tag = "tyo0";
+ server = "tyo0.ny4.dev";
+ server_port = 443;
+ password._secret = config.sops.secrets."sing-box/tyo0".path;
+ tls.enabled = true;
+ }
+ {
+ type = "direct";
+ tag = "direct";
+ }
+ ];
+
+ route = {
+ rules = [
+ {
+ rule_set = ["geoip-cn" "geosite-cn"];
+ outbound = "direct";
+ }
+ ];
+ rule_set = [
+ {
+ tag = "geoip-cn";
+ type = "local";
+ format = "binary";
+ path = "${pkgs.sing-geoip}/share/sing-box/rule-set/geoip-cn.srs";
+ }
+ {
+ tag = "geosite-cn";
+ type = "local";
+ format = "binary";
+ path = "${pkgs.sing-geosite}/share/sing-box/rule-set/geosite-cn.srs";
+ }
+ ];
+ final = "tyo0";
+ };
+
+ experimental = {
+ clash_api = {
+ external_controller = "127.0.0.1:9090";
+ external_ui = pkgs.metacubexd;
+ secret = "hunter2";
+ };
+ };
+ };
+ };
+
+ ### System proxy settings
+ networking.proxy.default = "http://127.0.0.1:1080/";
+ environment.shellAliases = let
+ inherit (config.networking) proxy;
+ in {
+ "setproxy" = "export http_proxy=${proxy.httpProxy} https_proxy=${proxy.httpsProxy} all_proxy=${proxy.allProxy} ftp_proxy=${proxy.ftpProxy} rsync_proxy=${proxy.rsyncProxy}";
+ "unsetproxy" = "set -e http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";
+ };
+
+ ### sops-nix
+ sops.secrets."sing-box/tyo0" = {
+ restartUnits = ["sing-box.service"];
+ sopsFile = ./secrets.yaml;
+ };
+}
diff --git a/nixos/profiles/sing-box/secrets.yaml b/nixos/profiles/sing-box/secrets.yaml
new file mode 100644
index 0000000..1f47ad2
--- /dev/null
+++ b/nixos/profiles/sing-box/secrets.yaml
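Review bot: `secret = "hunter2";` in the `clash_api` block commits a fixed, widely recognised placeholder token to the repository in cleartext, which is a regression from the mihomo profile this commit deletes, where the same controller secret came from sops (`secret: "@clash/secret@"`). The controller only binds to 127.0.0.1:9090, but any local user or process on the host can then reconfigure routing and outbounds with a guessable token. The hunk already shows the fix pattern for the hysteria2 password; the same `_secret` substitution should apply here, e.g. `secret._secret = config.sops.secrets."sing-box/<clash-api-secret-key>".path;` (key name is a placeholder) together with a matching `sops.secrets` entry using the same `restartUnits`/`sopsFile` as `"sing-box/tyo0"` and the value added to secrets.yaml. Separately, the deleted rule list sent `GEOIP, lan` and `GEOSITE, private` to DIRECT, while the new `route` only short-circuits geoip-cn/geosite-cn before `final = "tyo0"`, so connections to private and loopback ranges that enter the HTTP inbound are tunnelled; a rule such as `{ ip_is_private = true; outbound = "direct"; }` would restore the old behaviour, assuming the sing-box version in use supports that field.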
@@ -0,0 +1,40 @@ +sing-box: + tyo0: ENC[AES256_GCM,data:c1WIyaAXyiir4VRcggvJ0drgxOi24+s=,iv:1CufURfG6PL+iv54LOkh6kdjjf6Pa8uvyWsRX4rBTls=,tag:M5PzRvKJzQzhpv3z6XlG9A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3K013WDMwWUZFQW42bVow + WnVkVDRtYlJCdGxmK2VLLy9SaE9rOTdLYmprClVXeGZuWTRYNm9oNXRMTXJ1cjhR + dXhUYU9sMldSVFlKS0RnMlZ0WHI4SzAKLS0tIHpDYTZFL0drTWk1Z3BWYS9Kckky + N0RHU3oxck5VaGUxdHdSQWxHeWRkS1UKf7sd4eJNOmXYaCJj84fiQLkzDmrlzIxR + hBOzEt38wVlsq7529TXADbSoNBfLZzuhBvawS67sCGqjCK7VFn0uWw== + -----END AGE ENCRYPTED FILE----- + - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrbllZOHRYQkZSQ25VVEtp + OEg5U1F3RXlaWTFBYnRYb0MyeFpXZ0lWMkEwClBrVTZWcHVBMU5HS0hZVzltUnBV + bGFxYlVFMmhSZVF0WGFIbERWWEhkS00KLS0tIDlzZjEzVHVIQlJUeUdXSkNEWFVF + ajc4azNsTlRkQVNkeU9vZXY3Njg2aTgK4ycqVY7KUAkkeNAiSOPUwo73wLL7M0HD + b8U7C7BcBReujeVV3HUiStpeXR250rCiySWREQlyyWs4DpBoryBSnw== + -----END AGE ENCRYPTED FILE----- + - recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyYnJlZHA1eDVPVnJnRUFX + MmxBbjdZTXhCTDd1OUNnK3RmNGxsNEh6NENrCmZFMEhOSDZhRlBONEl1N2pwbnhF + Szl3RGcyT20xNFpMTWx0dnlQdjdsQ1UKLS0tIFVtcEdvL0VKN2p3cTJPODMxTVVX + NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6 + JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-24T07:58:00Z" + mac: 
ENC[AES256_GCM,data:gbgaZ6fGr8sIaEPMTJeTr4nHEkfWDMwNPstEjfn580go8Ogg3cIW0Lca1nPERCI7XimswjT9V6FnxV8HtTZ+VH3jZsuB/Zu0lYpCsTx//wY0meWWHtOINFZ6Qn9dl6CTRi/QgmNJPKjPPYcHg0ECGY/Iv8s44Mj0aXthVN61huk=,iv:8y+vjDSWaVt7kQkvu499+bK3lYB3moVtAQJ4UvfLYv4=,tag:XAhiF7cw8i8ilj3Dp/zoDw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/profiles/opt-in/wireless/default.nix b/nixos/profiles/wireless/default.nix similarity index 100% rename from nixos/profiles/opt-in/wireless/default.nix rename to nixos/profiles/wireless/default.nix diff --git a/nixos/profiles/opt-in/wireless/secrets.yaml b/nixos/profiles/wireless/secrets.yaml similarity index 100% rename from nixos/profiles/opt-in/wireless/secrets.yaml rename to nixos/profiles/wireless/secrets.yaml diff --git a/treefmt.nix b/treefmt.nix index ebdb572..d47a806 100644 --- a/treefmt.nix +++ b/treefmt.nix @@ -11,8 +11,8 @@ settings.formatter.prettier.excludes = [ "hosts/blacksteel/secrets.yaml" "hosts/tyo0/secrets.yaml" - "nixos/profiles/opt-in/mihomo/secrets.yaml" - "nixos/profiles/opt-in/wireless/secrets.yaml" + "nixos/profiles/sing-box/secrets.yaml" + "nixos/profiles/wireless/secrets.yaml" "secrets.yaml" ]; }