From dbf012cdc2ffdcdd756e196f17e3443116397446 Mon Sep 17 00:00:00 2001 From: Guanran Wang Date: Sun, 22 Sep 2024 04:19:03 +0800 Subject: [PATCH] sin0: add sing-box --- .sops.yaml | 6 +++ flake.nix | 1 + hosts/dust/default.nix | 1 + hosts/tyo0/default.nix | 6 +-- hosts/tyo0/secrets.yaml | 6 +-- hosts/vultr/sin0/default.nix | 3 ++ infra/data.json | 3 +- infra/terraform.tfstate | 2 +- infra/vultr.tf | 2 +- .../profiles/sing-box-server/default.nix | 18 ++++++--- nixos/profiles/sing-box-server/secrets.yaml | 40 +++++++++++++++++++ nixos/profiles/sing-box/default.nix | 9 +++++ treefmt.nix | 7 +--- 13 files changed, 82 insertions(+), 22 deletions(-) rename hosts/tyo0/services/sing-box.nix => nixos/profiles/sing-box-server/default.nix (73%) create mode 100644 nixos/profiles/sing-box-server/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 4611234..53354d8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -23,6 +23,12 @@ creation_rules: - *guanranwang - *dust - *pek0 + - path_regex: ^nixos/profiles/sing-box-server/secrets.yaml$ + key_groups: + - age: + - *guanranwang + - *tyo0 + - *sin0 - path_regex: ^nixos/profiles/wireless/secrets.yaml$ key_groups: - age: diff --git a/flake.nix b/flake.nix index 1726b88..234c903 100644 --- a/flake.nix +++ b/flake.nix @@ -163,6 +163,7 @@ "tyo0" = { imports = [ ./hosts/tyo0 ]; deployment.targetHost = "tyo0.ny4.dev"; + deployment.tags = [ "proxy" ]; }; "pek0" = { diff --git a/hosts/dust/default.nix b/hosts/dust/default.nix index f35bcbb..0aa097c 100644 --- a/hosts/dust/default.nix +++ b/hosts/dust/default.nix @@ -212,6 +212,7 @@ tag = "select"; outbounds = [ "tyo0" + "sin0" "direct" ]; default = "tyo0"; diff --git a/hosts/tyo0/default.nix b/hosts/tyo0/default.nix index 0b68f4f..fe035dd 100644 --- a/hosts/tyo0/default.nix +++ b/hosts/tyo0/default.nix 
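Review bot: The new `creation_rules` entry encrypts a single `nixos/profiles/sing-box-server/secrets.yaml` to both `*tyo0` and `*sin0`, so the two proxy hosts share one `sing-box/auth` value, and either host's age key decrypts what is presumably the credential set the other host accepts. The client hunk in `nixos/profiles/sing-box/default.nix` points the same way: the new `sin0` outbound reads `config.sops.secrets."sing-box/tyo0".path`. If the sharing is intended, say so next to the rule, e.g. `# shared by every sing-box-server host: rotate on all of them if one is compromised`, and give the client secret a host-neutral name; otherwise give each host its own secrets file and UUID. The `*sin0` alias must also be defined in the key list above this hunk, which is not visible here.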
@@ -18,9 +18,10 @@ ./services/ntfy.nix ./services/prometheus.nix ./services/redlib.nix - ./services/sing-box.nix ./services/vaultwarden.nix ./services/wastebin.nix + + ../../nixos/profiles/sing-box-server ]; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; @@ -40,9 +41,6 @@ ### Secrets sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) { - "sing-box/auth" = { - restartUnits = [ "sing-box.service" ]; - }; "prometheus/auth" = { owner = config.systemd.services.prometheus.serviceConfig.User; restartUnits = [ "prometheus.service" ]; diff --git a/hosts/tyo0/secrets.yaml b/hosts/tyo0/secrets.yaml index e5a68e2..5c2adb9 100644 --- a/hosts/tyo0/secrets.yaml +++ b/hosts/tyo0/secrets.yaml @@ -1,5 +1,3 @@ -sing-box: - auth: ENC[AES256_GCM,data:gzoeMI/8A6e6HBbE2VofGJB1/sIq+b7MrkFoTp4zvRT1gLHVfP1B6XT+srJCOgUFNWL++JU1ShPYqgH61cl77WtJjzy+LJxb3oYnW3u/EzJJMpBHggstVQpaWfiGb16lhCq+Figsxk0G8BUFI/PPR/KmBZzLOw+/I/z8Dqf66dQh9BIhEOY0pJknZ4El2Ml5oGvYxdpjQ9rESfegwTz5wrha77V1mi733jrPFDuWLDkgNDf5nKRfCkpfLrdzyU7OX4qcj81qIpHsRBZ25Lib0IwDGurC7njKdbs8S0bprqZlK9sW34Dmx3s=,iv:XgXX2LaLgyyRuI04/RzgnfTAXUW3e9F0cdw6l6koVgc=,tag:9hDiGVADrBgpc0G+UFjM3g==,type:str] miniflux: environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str] vaultwarden: 
@@ -30,8 +28,8 @@ sops: UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4 n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-07T05:32:46Z" - mac: ENC[AES256_GCM,data:K+J0o/hlOHociZO8Fd08/ixr21ZGCM9yK6M87ylSbRNb8rwwS+IAsumvMMa8/R79ay66T0VWlTjBY2ywlrNLiz11n1Qx2j97L1MrCy4VWy3LmJEFhbGuUBbZLIp53OK7brSC/6XN3lB6K5KsiZ4vLCyGu/6hRpxcHg5Iada5h+8=,iv:JT9Xl9JQWYpacWz+ymwoZfOSeMqtrsmxhNu6hCBxUEQ=,tag:wRPCTHyL2iupmvnMJOx30g==,type:str] + lastmodified: "2024-09-21T20:01:24Z" + mac: ENC[AES256_GCM,data:5bFyGI0wQmUXIRgC9cy/xnRzyoigr9uX98jrR66KPW6xjYNSBrlh41zFwBty0ZAvvSnX0qs+OqUm9Do5LsePVnVBGWlnDp9e0rnzTYMrvrHseVMdLcxvbPlotjVRfnkt7pdBOW4bSUIKsXPjMN2pdN9lq1s7vf8NJqPoJAj1kqc=,iv:qf7woEP2jL0FxiwkFsDAv0pT+oVcpxBJa6I2bXKkzc8=,tag:ZYLBrpK915hOU+4gvyxjsA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/hosts/vultr/sin0/default.nix b/hosts/vultr/sin0/default.nix index 2dbe833..40d5000 100644 --- a/hosts/vultr/sin0/default.nix +++ b/hosts/vultr/sin0/default.nix @@ -1,4 +1,7 @@ +{ ... }: { + imports = [ ../../../nixos/profiles/sing-box-server ]; + system.stateVersion = "24.05"; networking.firewall.allowedUDPPorts = [ 443 ]; diff --git a/infra/data.json b/infra/data.json index 01694c9..d35e569 100644 --- a/infra/data.json +++ b/infra/data.json @@ -37,7 +37,8 @@ "country": "SG" }, "tags": [ - "vultr" + "vultr", + "proxy" ] } } diff --git a/infra/terraform.tfstate b/infra/terraform.tfstate index bc8e19c..68a37ec 100644 --- a/infra/terraform.tfstate +++ b/infra/terraform.tfstate 
@@ -1 +1 @@ -{"serial":20,"lineage":"c3bb4ce4-695c-edf3-3636-1ad64a51509c","meta":{"key_provider.pbkdf2.default":"eyJzYWx0IjoiLy9zSUhodjZXcHpuVCt2ZzRUUysxRWl4U0d1ZnpoWFpNcEtHVGNOcGZGVT0iLCJpdGVyYXRpb25zIjo2MDAwMDAsImhhc2hfZnVuY3Rpb24iOiJzaGE1MTIiLCJrZXlfbGVuZ3RoIjozMn0="},"encrypted_data":"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","encryption_version":"v0"} \ No newline at end of file +{"serial":22,"lineage":"c3bb4ce4-695c-edf3-3636-1ad64a51509c","meta":{"key_provider.pbkdf2.default":"eyJzYWx0IjoiYVFlaDBOeVdxblJTdTZyVWVwRC9uTWFjUmlMSFlYRkVrbFA2cCt1RjFJMD0iLCJpdGVyYXRpb25zIjo2MDAwMDAsImhhc2hfZnVuY3Rpb24iOiJzaGE1MTIiLCJrZXlfbGVuZ3RoIjozMn0="},"encrypted_data":"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","encryption_version":"v0"} \ No newline at end of file diff --git a/infra/vultr.tf b/infra/vultr.tf index 9524caa..b561993 100644 --- a/infra/vultr.tf +++ b/infra/vultr.tf @@ -3,7 +3,7 @@ locals { sin0 = { region = "sgp" plan = "vhp-1c-1gb-amd" - tags = ["vultr"] + tags = ["vultr", "proxy"] } } } diff --git a/hosts/tyo0/services/sing-box.nix b/nixos/profiles/sing-box-server/default.nix similarity index 73% rename from hosts/tyo0/services/sing-box.nix rename to nixos/profiles/sing-box-server/default.nix index 7b4b6a0..48e799e 100644 --- a/hosts/tyo0/services/sing-box.nix +++ b/nixos/profiles/sing-box-server/default.nix @@ -1,5 +1,13 @@ { lib, config, ... }: +let + inherit (config.networking) fqdn; +in { + sops.secrets."sing-box/auth" = { + restartUnits = [ "sing-box.service" ]; + sopsFile = ./secrets.yaml; + }; + networking.firewall.allowedTCPPorts = [ 27253 ]; services.sing-box = { @@ -21,7 +29,7 @@ }; tls = { enabled = true; - server_name = "tyo0.ny4.dev"; + server_name = fqdn; certificate_path = "/run/credentials/sing-box.service/cert"; key_path = "/run/credentials/sing-box.service/key"; }; 
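Review bot: `inherit (config.networking) fqdn;` in the new `let` makes this shared profile depend on every importing host setting both `networking.hostName` and `networking.domain`. Nothing in this commit sets them for sin0, and as far as I know recent nixpkgs aborts evaluation when the FQDN cannot be determined. The value also becomes the TLS `server_name` and the certificate directory name, so it must equal the name clients dial (`sin0.ny4.dev` in the client profile), or certificate verification on the client will fail. A comment at the top of the profile would make that contract visible: `# requires networking.domain; fqdn must be the public name clients connect to`. The attribute set continues outside these hunks.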
@@ -41,11 +49,11 @@ systemd.services."sing-box".serviceConfig.LoadCredential = let - # FIXME: remove hardcoded path - path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev"; + # FIXME: remove somewhat hardcoded path + path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory"; in [ - "cert:${path}/tyo0.ny4.dev.crt" - "key:${path}/tyo0.ny4.dev.key" + "cert:${path}/${fqdn}/${fqdn}.crt" + "key:${path}/${fqdn}/${fqdn}.key" ]; } diff --git a/nixos/profiles/sing-box-server/secrets.yaml b/nixos/profiles/sing-box-server/secrets.yaml new file mode 100644 index 0000000..98bf279 --- /dev/null +++ b/nixos/profiles/sing-box-server/secrets.yaml 
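Review bot: The `LoadCredential` entries now resolve to `${path}/${fqdn}/${fqdn}.crt` and `.key` inside Caddy's data directory, so the profile assumes Caddy runs on every importing host and has already obtained a certificate for that exact name. The sin0 hunk in this commit only adds the profile import, so whether Caddy serves `sin0.ny4.dev` there cannot be confirmed from this diff; if the files are missing, the credential load should fail and sing-box will not start. An explicit check would turn that into an evaluation-time error: `assertions = [ { assertion = config.services.caddy.enable; message = "sing-box-server needs Caddy-issued certificates"; } ];`. It is also worth noting beside the FIXME that the credentials are copied when the unit starts, so a renewed certificate is not picked up until sing-box restarts.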
@@ -0,0 +1,40 @@ +sing-box: + auth: ENC[AES256_GCM,data:/2f3B5JHxbGsonNVXVJ8tGbhHv6hBEKw3X/ZN2L4hFOF2ia+jqMTNb5zIu+EgcsK9mZt4jzlHGmJ6xwqxDu7kEl4xeZNQnxH7F13GN2IJGM6TTr3eLWK+la5CVDCLkg95GSvsNSq+0ZK7B+Wm+AaJ8A1bCmPxmFfVmzIKm+wHrC4tXULpFI7uLDiXvhktfhshWHu1WVrgkAMDR0DuvdxREEfKQdDEnQj6KA1XRV6xHz+kYrjgCNdQ4If5izK0RL65OfBJ2q1jTR0lOEvei7rRsDcWxv74M6WGzNVgHa8/61VVpehNS27YzI=,iv:Br3Z5BemcfXuFoHKFf0lR0M5NlZ1NP2bUTOmbH7LFww=,tag:Umc1aVyd0q/GLb1YUxZZDg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTEtxZ0Q2bm9pdGhWZDRS + RDZ5T0lPZ2M3MHo2ZXBRYXZDWXI2YXpCVlY0ClVrUkNnbG94R0FGREpJZmtROSt6 + cVFIL2pLcUd6ZFNnU09Qa21ITDNYWWcKLS0tIE84QXpNWnNXUGVsdDZ1aFBnakF1 + NUFWc2xTWEtWU3hscmI1WmJCdGZYdDQKhVHE+D5G5PD6sa+lKHsZHI8gFX8GGx+o + n2VNQqIEIZSwx5oZt8lCPsLvRN8+KNAkH8aFTIkoIOphcvEA8iAOFA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPK1Jsa2E5SGEzSzFadGYx + Q3pFaFk2bGNhR2ZHKzBGeGF3Y2ZtNlYzbFhjCjdSdWV3ZDBybUlIRmNOWTlFRHZJ + dERvMmF2MFp0UnVkNGlOUWtGOUEwelEKLS0tICtpa0hwb1ExNGRwUXF1NnlQUjVy + VnY0N3hJUERGOTZPbERHVWxuM2dvZlUKUjBAhqCo/eUkwNsdhl2CfCyGLbLPu9gE + f7Ug7DhWA4Kd0HrUG23+hcA0sRWAuJ2vEcwL42+MuLjPNIWJTRMe0w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRWpYUTh2aE9Iek5XYVhS + QmQrdk5jRFg3Z1JYbWpFUHZmTmV1Qkx4OTJBCnZ6a3EySlF5MCtNYkpRdWUyTy9q + R3BjaklhV0tNMkxyQTdmYUhFVDdDSlUKLS0tIFNENUtXc2Y4VWpyYVhLa1ZDVm5R + K3FhYkduZFpZU29jb3RlT09hbEZsbncKfYv/fY/IAhPhl5frAfSuFUNi88nt8Ift + zrz47ZMYbrlif16xT/8JDAmAcYnIUSMv1LrarufaOPyQ8OyBdJSrXw== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2024-09-21T20:02:31Z" + mac: ENC[AES256_GCM,data:o84AcKDbFV3Kc54njq7T8FcjK9eIqvV121cIAaf2VxH0j4dck7JPf2eB87RCUGiD7kP4fZOnTTqNQPgzkTJvSjLqlNCNkqq0q4xGJh5uRLP9ioqYsSYF8gJvo8kq2VaaKgwjPWrJfw+fBhGANLlyIDG4BNeAXZTJ9BAB6Yr6ukM=,iv:iE2fVzTRdZFnvj5dxtdpwgGIbRWDMrE7NZb5A2DSa2c=,tag:f6T+OQeFTR8gtvipdkv3Xw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/profiles/sing-box/default.nix b/nixos/profiles/sing-box/default.nix index afbd052..1e6e20a 100644 --- a/nixos/profiles/sing-box/default.nix +++ b/nixos/profiles/sing-box/default.nix @@ -31,6 +31,15 @@ flow = "xtls-rprx-vision"; tls.enabled = true; } + { + type = "vless"; + tag = "sin0"; + server = "sin0.ny4.dev"; + server_port = 27253; + uuid._secret = config.sops.secrets."sing-box/tyo0".path; + flow = "xtls-rprx-vision"; + tls.enabled = true; + } { type = "direct"; tag = "direct"; diff --git a/treefmt.nix b/treefmt.nix index 1975997..84d2d8e 100644 --- a/treefmt.nix +++ b/treefmt.nix @@ -12,12 +12,7 @@ settings.formatter.nixfmt.options = [ "--strict" ]; settings.formatter.prettier.excludes = [ - "hosts/pek0/secrets.yaml" - "hosts/tyo0/secrets.yaml" - "infra/secrets.yaml" + "**/secrets.yaml" "infra/data.json" - "nixos/profiles/sing-box/secrets.yaml" - "nixos/profiles/wireless/secrets.yaml" - "secrets.yaml" ]; }