sin0: add sing-box

This commit is contained in:
Guanran Wang 2024-09-22 04:19:03 +08:00
parent 49b607129d
commit dbf012cdc2
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
13 changed files with 82 additions and 22 deletions


@ -23,6 +23,12 @@ creation_rules:
- *guanranwang - *guanranwang
- *dust - *dust
- *pek0 - *pek0
- path_regex: ^nixos/profiles/sing-box-server/secrets.yaml$
key_groups:
- age:
- *guanranwang
- *tyo0
- *sin0
- path_regex: ^nixos/profiles/wireless/secrets.yaml$ - path_regex: ^nixos/profiles/wireless/secrets.yaml$
key_groups: key_groups:
- age: - age:
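Review bot: The new rule encrypts `nixos/profiles/sing-box-server/secrets.yaml` to both the `tyo0` and `sin0` host keys, so a compromise of either server's age key exposes the credential the other server authenticates with, and rotating it means re-deploying both at once. If one shared sing-box auth secret for every server importing the profile is deliberate, a comment on the rule would make that explicit, e.g. `# shared by every host that imports nixos/profiles/sing-box-server`. This assumes `*tyo0` and `*sin0` are defined as age anchors earlier in the file, which is outside the hunk.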


@ -163,6 +163,7 @@
"tyo0" = { "tyo0" = {
imports = [ ./hosts/tyo0 ]; imports = [ ./hosts/tyo0 ];
deployment.targetHost = "tyo0.ny4.dev"; deployment.targetHost = "tyo0.ny4.dev";
deployment.tags = [ "proxy" ];
}; };
"pek0" = { "pek0" = {


@ -212,6 +212,7 @@
tag = "select"; tag = "select";
outbounds = [ outbounds = [
"tyo0" "tyo0"
"sin0"
"direct" "direct"
]; ];
default = "tyo0"; default = "tyo0";


@ -18,9 +18,10 @@
./services/ntfy.nix ./services/ntfy.nix
./services/prometheus.nix ./services/prometheus.nix
./services/redlib.nix ./services/redlib.nix
./services/sing-box.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/wastebin.nix ./services/wastebin.nix
../../nixos/profiles/sing-box-server
]; ];
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
@ -40,9 +41,6 @@
### Secrets ### Secrets
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) { sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
"sing-box/auth" = {
restartUnits = [ "sing-box.service" ];
};
"prometheus/auth" = { "prometheus/auth" = {
owner = config.systemd.services.prometheus.serviceConfig.User; owner = config.systemd.services.prometheus.serviceConfig.User;
restartUnits = [ "prometheus.service" ]; restartUnits = [ "prometheus.service" ];


@ -1,5 +1,3 @@
sing-box:
auth: ENC[AES256_GCM,data:gzoeMI/8A6e6HBbE2VofGJB1/sIq+b7MrkFoTp4zvRT1gLHVfP1B6XT+srJCOgUFNWL++JU1ShPYqgH61cl77WtJjzy+LJxb3oYnW3u/EzJJMpBHggstVQpaWfiGb16lhCq+Figsxk0G8BUFI/PPR/KmBZzLOw+/I/z8Dqf66dQh9BIhEOY0pJknZ4El2Ml5oGvYxdpjQ9rESfegwTz5wrha77V1mi733jrPFDuWLDkgNDf5nKRfCkpfLrdzyU7OX4qcj81qIpHsRBZ25Lib0IwDGurC7njKdbs8S0bprqZlK9sW34Dmx3s=,iv:XgXX2LaLgyyRuI04/RzgnfTAXUW3e9F0cdw6l6koVgc=,tag:9hDiGVADrBgpc0G+UFjM3g==,type:str]
miniflux: miniflux:
environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str] environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
vaultwarden: vaultwarden:
@ -30,8 +28,8 @@ sops:
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4 UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA== n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-07T05:32:46Z" lastmodified: "2024-09-21T20:01:24Z"
mac: ENC[AES256_GCM,data:K+J0o/hlOHociZO8Fd08/ixr21ZGCM9yK6M87ylSbRNb8rwwS+IAsumvMMa8/R79ay66T0VWlTjBY2ywlrNLiz11n1Qx2j97L1MrCy4VWy3LmJEFhbGuUBbZLIp53OK7brSC/6XN3lB6K5KsiZ4vLCyGu/6hRpxcHg5Iada5h+8=,iv:JT9Xl9JQWYpacWz+ymwoZfOSeMqtrsmxhNu6hCBxUEQ=,tag:wRPCTHyL2iupmvnMJOx30g==,type:str] mac: ENC[AES256_GCM,data:5bFyGI0wQmUXIRgC9cy/xnRzyoigr9uX98jrR66KPW6xjYNSBrlh41zFwBty0ZAvvSnX0qs+OqUm9Do5LsePVnVBGWlnDp9e0rnzTYMrvrHseVMdLcxvbPlotjVRfnkt7pdBOW4bSUIKsXPjMN2pdN9lq1s7vf8NJqPoJAj1kqc=,iv:qf7woEP2jL0FxiwkFsDAv0pT+oVcpxBJa6I2bXKkzc8=,tag:ZYLBrpK915hOU+4gvyxjsA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0


@ -1,4 +1,7 @@
{ ... }:
{ {
imports = [ ../../../nixos/profiles/sing-box-server ];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];


@ -37,7 +37,8 @@
"country": "SG" "country": "SG"
}, },
"tags": [ "tags": [
"vultr" "vultr",
"proxy"
] ]
} }
} }



@ -3,7 +3,7 @@ locals {
sin0 = { sin0 = {
region = "sgp" region = "sgp"
plan = "vhp-1c-1gb-amd" plan = "vhp-1c-1gb-amd"
tags = ["vultr"] tags = ["vultr", "proxy"]
} }
} }
} }


@ -1,5 +1,13 @@
{ lib, config, ... }: { lib, config, ... }:
let
inherit (config.networking) fqdn;
in
{ {
sops.secrets."sing-box/auth" = {
restartUnits = [ "sing-box.service" ];
sopsFile = ./secrets.yaml;
};
networking.firewall.allowedTCPPorts = [ 27253 ]; networking.firewall.allowedTCPPorts = [ 27253 ];
services.sing-box = { services.sing-box = {
@ -21,7 +29,7 @@
}; };
tls = { tls = {
enabled = true; enabled = true;
server_name = "tyo0.ny4.dev"; server_name = fqdn;
certificate_path = "/run/credentials/sing-box.service/cert"; certificate_path = "/run/credentials/sing-box.service/cert";
key_path = "/run/credentials/sing-box.service/key"; key_path = "/run/credentials/sing-box.service/key";
}; };
@ -41,11 +49,11 @@
systemd.services."sing-box".serviceConfig.LoadCredential = systemd.services."sing-box".serviceConfig.LoadCredential =
let let
# FIXME: remove hardcoded path # FIXME: remove somewhat hardcoded path
path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev"; path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory";
in in
[ [
"cert:${path}/tyo0.ny4.dev.crt" "cert:${path}/${fqdn}/${fqdn}.crt"
"key:${path}/tyo0.ny4.dev.key" "key:${path}/${fqdn}/${fqdn}.key"
]; ];
} }
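Review bot: `inherit (config.networking) fqdn` makes every host that imports this profile depend on `networking.domain` being set, because NixOS derives `networking.fqdn` from `networking.hostName` and `networking.domain` and evaluation throws when the domain is missing; neither the tyo0 nor the sin0 host hunk in this commit shows `networking.domain`, so this should be confirmed before sin0 is deployed. A comment at the `let` would make the requirement visible: `# networking.fqdn is hostName + "." + domain; the importing host must set networking.domain or evaluation fails`. The same `fqdn` now selects the Caddy certificate directory in the `LoadCredential` hunk, so each host also needs Caddy to have issued a certificate for exactly that name, otherwise `sing-box.service` fails to start because the credential files do not exist; an `assertions` entry checking `config.networking.domain != null` would turn at least the first case into a clear evaluation-time error. The `services.sing-box` attribute set opened in the first hunk ends outside the view.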


@ -0,0 +1,40 @@
sing-box:
auth: ENC[AES256_GCM,data:/2f3B5JHxbGsonNVXVJ8tGbhHv6hBEKw3X/ZN2L4hFOF2ia+jqMTNb5zIu+EgcsK9mZt4jzlHGmJ6xwqxDu7kEl4xeZNQnxH7F13GN2IJGM6TTr3eLWK+la5CVDCLkg95GSvsNSq+0ZK7B+Wm+AaJ8A1bCmPxmFfVmzIKm+wHrC4tXULpFI7uLDiXvhktfhshWHu1WVrgkAMDR0DuvdxREEfKQdDEnQj6KA1XRV6xHz+kYrjgCNdQ4If5izK0RL65OfBJ2q1jTR0lOEvei7rRsDcWxv74M6WGzNVgHa8/61VVpehNS27YzI=,iv:Br3Z5BemcfXuFoHKFf0lR0M5NlZ1NP2bUTOmbH7LFww=,tag:Umc1aVyd0q/GLb1YUxZZDg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTEtxZ0Q2bm9pdGhWZDRS
RDZ5T0lPZ2M3MHo2ZXBRYXZDWXI2YXpCVlY0ClVrUkNnbG94R0FGREpJZmtROSt6
cVFIL2pLcUd6ZFNnU09Qa21ITDNYWWcKLS0tIE84QXpNWnNXUGVsdDZ1aFBnakF1
NUFWc2xTWEtWU3hscmI1WmJCdGZYdDQKhVHE+D5G5PD6sa+lKHsZHI8gFX8GGx+o
n2VNQqIEIZSwx5oZt8lCPsLvRN8+KNAkH8aFTIkoIOphcvEA8iAOFA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPK1Jsa2E5SGEzSzFadGYx
Q3pFaFk2bGNhR2ZHKzBGeGF3Y2ZtNlYzbFhjCjdSdWV3ZDBybUlIRmNOWTlFRHZJ
dERvMmF2MFp0UnVkNGlOUWtGOUEwelEKLS0tICtpa0hwb1ExNGRwUXF1NnlQUjVy
VnY0N3hJUERGOTZPbERHVWxuM2dvZlUKUjBAhqCo/eUkwNsdhl2CfCyGLbLPu9gE
f7Ug7DhWA4Kd0HrUG23+hcA0sRWAuJ2vEcwL42+MuLjPNIWJTRMe0w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRWpYUTh2aE9Iek5XYVhS
QmQrdk5jRFg3Z1JYbWpFUHZmTmV1Qkx4OTJBCnZ6a3EySlF5MCtNYkpRdWUyTy9q
R3BjaklhV0tNMkxyQTdmYUhFVDdDSlUKLS0tIFNENUtXc2Y4VWpyYVhLa1ZDVm5R
K3FhYkduZFpZU29jb3RlT09hbEZsbncKfYv/fY/IAhPhl5frAfSuFUNi88nt8Ift
zrz47ZMYbrlif16xT/8JDAmAcYnIUSMv1LrarufaOPyQ8OyBdJSrXw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-21T20:02:31Z"
mac: ENC[AES256_GCM,data:o84AcKDbFV3Kc54njq7T8FcjK9eIqvV121cIAaf2VxH0j4dck7JPf2eB87RCUGiD7kP4fZOnTTqNQPgzkTJvSjLqlNCNkqq0q4xGJh5uRLP9ioqYsSYF8gJvo8kq2VaaKgwjPWrJfw+fBhGANLlyIDG4BNeAXZTJ9BAB6Yr6ukM=,iv:iE2fVzTRdZFnvj5dxtdpwgGIbRWDMrE7NZb5A2DSa2c=,tag:f6T+OQeFTR8gtvipdkv3Xw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0


@ -31,6 +31,15 @@
flow = "xtls-rprx-vision"; flow = "xtls-rprx-vision";
tls.enabled = true; tls.enabled = true;
} }
{
type = "vless";
tag = "sin0";
server = "sin0.ny4.dev";
server_port = 27253;
uuid._secret = config.sops.secrets."sing-box/tyo0".path;
flow = "xtls-rprx-vision";
tls.enabled = true;
}
{ {
type = "direct"; type = "direct";
tag = "direct"; tag = "direct";
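Review bot: The new `sin0` outbound takes its uuid from `config.sops.secrets."sing-box/tyo0".path`, which is presumably the same secret the `tyo0` outbound above uses, so this is either a copy-paste that should reference a sin0-specific secret or the credential is intentionally shared by both servers. If it is shared, the `sing-box/tyo0` name is now misleading and a server-neutral name, or a comment such as `# same auth secret as tyo0: both servers import the sing-box-server profile`, would stop the next reader from treating it as a mistake. The enclosing outbounds list starts before this hunk.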


@ -12,12 +12,7 @@
settings.formatter.nixfmt.options = [ "--strict" ]; settings.formatter.nixfmt.options = [ "--strict" ];
settings.formatter.prettier.excludes = [ settings.formatter.prettier.excludes = [
"hosts/pek0/secrets.yaml" "**/secrets.yaml"
"hosts/tyo0/secrets.yaml"
"infra/secrets.yaml"
"infra/data.json" "infra/data.json"
"nixos/profiles/sing-box/secrets.yaml"
"nixos/profiles/wireless/secrets.yaml"
"secrets.yaml"
]; ];
} }
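Review bot: The single `"**/secrets.yaml"` pattern replaces an explicit root-level `"secrets.yaml"` entry, and whether `**/` also matches a file with no directory prefix depends on treefmt's glob implementation; if it does not, prettier will start reformatting the root sops file and produce noisy diffs on every format run. Worth verifying with `treefmt --fail-on-change` on a clean checkout, or keeping `"secrets.yaml"` next to the glob, which costs one line.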