sin0: add sing-box
This commit is contained in:
parent
49b607129d
commit
dbf012cdc2
13 changed files with 82 additions and 22 deletions
|
@ -23,6 +23,12 @@ creation_rules:
|
||||||
- *guanranwang
|
- *guanranwang
|
||||||
- *dust
|
- *dust
|
||||||
- *pek0
|
- *pek0
|
||||||
|
- path_regex: ^nixos/profiles/sing-box-server/secrets.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *guanranwang
|
||||||
|
- *tyo0
|
||||||
|
- *sin0
|
||||||
- path_regex: ^nixos/profiles/wireless/secrets.yaml$
|
- path_regex: ^nixos/profiles/wireless/secrets.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
|
|
|
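Review bot: The new rule for `^nixos/profiles/sing-box-server/secrets.yaml$` (inserted after the `- *pek0` entry) references the `*tyo0` and `*sin0` anchors, which must be declared in the `keys:` block above this hunk (outside the view) or sops will reject the config, so confirm `sin0` was added there. The old profile path `nixos/profiles/sing-box/secrets.yaml`, still named in the treefmt excludes this commit removes, may have had its own creation rule that is now dead after the rename; if so it should be dropped as well. Note that this one key group grants both the tyo0 and sin0 host keys access to the same secrets file, which is what the shared profile relies on.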
@ -163,6 +163,7 @@
|
||||||
"tyo0" = {
|
"tyo0" = {
|
||||||
imports = [ ./hosts/tyo0 ];
|
imports = [ ./hosts/tyo0 ];
|
||||||
deployment.targetHost = "tyo0.ny4.dev";
|
deployment.targetHost = "tyo0.ny4.dev";
|
||||||
|
deployment.tags = [ "proxy" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
"pek0" = {
|
"pek0" = {
|
||||||
|
|
|
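Review bot: `deployment.tags = [ "proxy" ];` is added to the `tyo0` entry only, while this commit also turns `sin0` into a sing-box server and tags it `proxy` in the infra data; if the colmena tag is meant to target proxy hosts, the `sin0` entry in this file should carry the same line, `deployment.tags = [ "proxy" ];`. The `sin0` entry is not in this hunk, so whether it already has the tag cannot be seen here.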
@ -212,6 +212,7 @@
|
||||||
tag = "select";
|
tag = "select";
|
||||||
outbounds = [
|
outbounds = [
|
||||||
"tyo0"
|
"tyo0"
|
||||||
|
"sin0"
|
||||||
"direct"
|
"direct"
|
||||||
];
|
];
|
||||||
default = "tyo0";
|
default = "tyo0";
|
||||||
|
|
|
@ -18,9 +18,10 @@
|
||||||
./services/ntfy.nix
|
./services/ntfy.nix
|
||||||
./services/prometheus.nix
|
./services/prometheus.nix
|
||||||
./services/redlib.nix
|
./services/redlib.nix
|
||||||
./services/sing-box.nix
|
|
||||||
./services/vaultwarden.nix
|
./services/vaultwarden.nix
|
||||||
./services/wastebin.nix
|
./services/wastebin.nix
|
||||||
|
|
||||||
|
../../nixos/profiles/sing-box-server
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
|
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
|
||||||
|
@ -40,9 +41,6 @@
|
||||||
|
|
||||||
### Secrets
|
### Secrets
|
||||||
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
||||||
"sing-box/auth" = {
|
|
||||||
restartUnits = [ "sing-box.service" ];
|
|
||||||
};
|
|
||||||
"prometheus/auth" = {
|
"prometheus/auth" = {
|
||||||
owner = config.systemd.services.prometheus.serviceConfig.User;
|
owner = config.systemd.services.prometheus.serviceConfig.User;
|
||||||
restartUnits = [ "prometheus.service" ];
|
restartUnits = [ "prometheus.service" ];
|
||||||
|
|
|
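Review bot: `./services/sing-box.nix` is dropped from `imports` in the first hunk, but no deletion of that file is visible among this commit's sections (one file diff is suppressed, so it may be that one); if it still exists under `hosts/tyo0/services/` it is now unreferenced and should be removed. The second hunk removes the host-level `sops.secrets."sing-box/auth"`, which is the same attribute the shared profile now declares, so as far as these hunks show there is no duplicate definition left behind.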
@ -1,5 +1,3 @@
|
||||||
sing-box:
|
|
||||||
auth: ENC[AES256_GCM,data:gzoeMI/8A6e6HBbE2VofGJB1/sIq+b7MrkFoTp4zvRT1gLHVfP1B6XT+srJCOgUFNWL++JU1ShPYqgH61cl77WtJjzy+LJxb3oYnW3u/EzJJMpBHggstVQpaWfiGb16lhCq+Figsxk0G8BUFI/PPR/KmBZzLOw+/I/z8Dqf66dQh9BIhEOY0pJknZ4El2Ml5oGvYxdpjQ9rESfegwTz5wrha77V1mi733jrPFDuWLDkgNDf5nKRfCkpfLrdzyU7OX4qcj81qIpHsRBZ25Lib0IwDGurC7njKdbs8S0bprqZlK9sW34Dmx3s=,iv:XgXX2LaLgyyRuI04/RzgnfTAXUW3e9F0cdw6l6koVgc=,tag:9hDiGVADrBgpc0G+UFjM3g==,type:str]
|
|
||||||
miniflux:
|
miniflux:
|
||||||
environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
|
environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
|
||||||
vaultwarden:
|
vaultwarden:
|
||||||
|
@ -30,8 +28,8 @@ sops:
|
||||||
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
|
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
|
||||||
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
|
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-09-07T05:32:46Z"
|
lastmodified: "2024-09-21T20:01:24Z"
|
||||||
mac: ENC[AES256_GCM,data:K+J0o/hlOHociZO8Fd08/ixr21ZGCM9yK6M87ylSbRNb8rwwS+IAsumvMMa8/R79ay66T0VWlTjBY2ywlrNLiz11n1Qx2j97L1MrCy4VWy3LmJEFhbGuUBbZLIp53OK7brSC/6XN3lB6K5KsiZ4vLCyGu/6hRpxcHg5Iada5h+8=,iv:JT9Xl9JQWYpacWz+ymwoZfOSeMqtrsmxhNu6hCBxUEQ=,tag:wRPCTHyL2iupmvnMJOx30g==,type:str]
|
mac: ENC[AES256_GCM,data:5bFyGI0wQmUXIRgC9cy/xnRzyoigr9uX98jrR66KPW6xjYNSBrlh41zFwBty0ZAvvSnX0qs+OqUm9Do5LsePVnVBGWlnDp9e0rnzTYMrvrHseVMdLcxvbPlotjVRfnkt7pdBOW4bSUIKsXPjMN2pdN9lq1s7vf8NJqPoJAj1kqc=,iv:qf7woEP2jL0FxiwkFsDAv0pT+oVcpxBJa6I2bXKkzc8=,tag:ZYLBrpK915hOU+4gvyxjsA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||
|
|
|
@ -1,4 +1,7 @@
|
||||||
|
{ ... }:
|
||||||
{
|
{
|
||||||
|
imports = [ ../../../nixos/profiles/sing-box-server ];
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
system.stateVersion = "24.05";
|
||||||
|
|
||||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||||
|
|
|
@ -37,7 +37,8 @@
|
||||||
"country": "SG"
|
"country": "SG"
|
||||||
},
|
},
|
||||||
"tags": [
|
"tags": [
|
||||||
"vultr"
|
"vultr",
|
||||||
|
"proxy"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
File diff suppressed because one or more lines are too long
|
@ -3,7 +3,7 @@ locals {
|
||||||
sin0 = {
|
sin0 = {
|
||||||
region = "sgp"
|
region = "sgp"
|
||||||
plan = "vhp-1c-1gb-amd"
|
plan = "vhp-1c-1gb-amd"
|
||||||
tags = ["vultr"]
|
tags = ["vultr", "proxy"]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,13 @@
|
||||||
{ lib, config, ... }:
|
{ lib, config, ... }:
|
||||||
|
let
|
||||||
|
inherit (config.networking) fqdn;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
|
sops.secrets."sing-box/auth" = {
|
||||||
|
restartUnits = [ "sing-box.service" ];
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 27253 ];
|
networking.firewall.allowedTCPPorts = [ 27253 ];
|
||||||
|
|
||||||
services.sing-box = {
|
services.sing-box = {
|
||||||
|
@ -21,7 +29,7 @@
|
||||||
};
|
};
|
||||||
tls = {
|
tls = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
server_name = "tyo0.ny4.dev";
|
server_name = fqdn;
|
||||||
certificate_path = "/run/credentials/sing-box.service/cert";
|
certificate_path = "/run/credentials/sing-box.service/cert";
|
||||||
key_path = "/run/credentials/sing-box.service/key";
|
key_path = "/run/credentials/sing-box.service/key";
|
||||||
};
|
};
|
||||||
|
@ -41,11 +49,11 @@
|
||||||
|
|
||||||
systemd.services."sing-box".serviceConfig.LoadCredential =
|
systemd.services."sing-box".serviceConfig.LoadCredential =
|
||||||
let
|
let
|
||||||
# FIXME: remove hardcoded path
|
# FIXME: remove somewhat hardcoded path
|
||||||
path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
|
path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory";
|
||||||
in
|
in
|
||||||
[
|
[
|
||||||
"cert:${path}/tyo0.ny4.dev.crt"
|
"cert:${path}/${fqdn}/${fqdn}.crt"
|
||||||
"key:${path}/tyo0.ny4.dev.key"
|
"key:${path}/${fqdn}/${fqdn}.key"
|
||||||
];
|
];
|
||||||
}
|
}
|
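Review bot: `inherit (config.networking) fqdn;` makes the profile depend on `networking.fqdn`, which evaluates to a throw when `networking.domain` is unset, so every host importing this profile (tyo0 and now sin0) must set both `networking.hostName` and `networking.domain`; a comment next to the `let` would make that explicit, e.g. `# requires networking.domain on the host: fqdn drives the TLS server_name and the Caddy cert path below`. The `LoadCredential` entries `cert:${path}/${fqdn}/${fqdn}.crt` and `key:${path}/${fqdn}/${fqdn}.key` assume Caddy on the same host has already obtained a Let's Encrypt certificate for `fqdn`, which this profile does not set up, so the remaining FIXME should also state that prerequisite. The enclosing `services.sing-box` attrset begins in the first hunk and continues past the second.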
40
nixos/profiles/sing-box-server/secrets.yaml
Normal file
40
nixos/profiles/sing-box-server/secrets.yaml
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
sing-box:
|
||||||
|
auth: ENC[AES256_GCM,data:/2f3B5JHxbGsonNVXVJ8tGbhHv6hBEKw3X/ZN2L4hFOF2ia+jqMTNb5zIu+EgcsK9mZt4jzlHGmJ6xwqxDu7kEl4xeZNQnxH7F13GN2IJGM6TTr3eLWK+la5CVDCLkg95GSvsNSq+0ZK7B+Wm+AaJ8A1bCmPxmFfVmzIKm+wHrC4tXULpFI7uLDiXvhktfhshWHu1WVrgkAMDR0DuvdxREEfKQdDEnQj6KA1XRV6xHz+kYrjgCNdQ4If5izK0RL65OfBJ2q1jTR0lOEvei7rRsDcWxv74M6WGzNVgHa8/61VVpehNS27YzI=,iv:Br3Z5BemcfXuFoHKFf0lR0M5NlZ1NP2bUTOmbH7LFww=,tag:Umc1aVyd0q/GLb1YUxZZDg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTEtxZ0Q2bm9pdGhWZDRS
|
||||||
|
RDZ5T0lPZ2M3MHo2ZXBRYXZDWXI2YXpCVlY0ClVrUkNnbG94R0FGREpJZmtROSt6
|
||||||
|
cVFIL2pLcUd6ZFNnU09Qa21ITDNYWWcKLS0tIE84QXpNWnNXUGVsdDZ1aFBnakF1
|
||||||
|
NUFWc2xTWEtWU3hscmI1WmJCdGZYdDQKhVHE+D5G5PD6sa+lKHsZHI8gFX8GGx+o
|
||||||
|
n2VNQqIEIZSwx5oZt8lCPsLvRN8+KNAkH8aFTIkoIOphcvEA8iAOFA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPK1Jsa2E5SGEzSzFadGYx
|
||||||
|
Q3pFaFk2bGNhR2ZHKzBGeGF3Y2ZtNlYzbFhjCjdSdWV3ZDBybUlIRmNOWTlFRHZJ
|
||||||
|
dERvMmF2MFp0UnVkNGlOUWtGOUEwelEKLS0tICtpa0hwb1ExNGRwUXF1NnlQUjVy
|
||||||
|
VnY0N3hJUERGOTZPbERHVWxuM2dvZlUKUjBAhqCo/eUkwNsdhl2CfCyGLbLPu9gE
|
||||||
|
f7Ug7DhWA4Kd0HrUG23+hcA0sRWAuJ2vEcwL42+MuLjPNIWJTRMe0w==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRWpYUTh2aE9Iek5XYVhS
|
||||||
|
QmQrdk5jRFg3Z1JYbWpFUHZmTmV1Qkx4OTJBCnZ6a3EySlF5MCtNYkpRdWUyTy9q
|
||||||
|
R3BjaklhV0tNMkxyQTdmYUhFVDdDSlUKLS0tIFNENUtXc2Y4VWpyYVhLa1ZDVm5R
|
||||||
|
K3FhYkduZFpZU29jb3RlT09hbEZsbncKfYv/fY/IAhPhl5frAfSuFUNi88nt8Ift
|
||||||
|
zrz47ZMYbrlif16xT/8JDAmAcYnIUSMv1LrarufaOPyQ8OyBdJSrXw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-09-21T20:02:31Z"
|
||||||
|
mac: ENC[AES256_GCM,data:o84AcKDbFV3Kc54njq7T8FcjK9eIqvV121cIAaf2VxH0j4dck7JPf2eB87RCUGiD7kP4fZOnTTqNQPgzkTJvSjLqlNCNkqq0q4xGJh5uRLP9ioqYsSYF8gJvo8kq2VaaKgwjPWrJfw+fBhGANLlyIDG4BNeAXZTJ9BAB6Yr6ukM=,iv:iE2fVzTRdZFnvj5dxtdpwgGIbRWDMrE7NZb5A2DSa2c=,tag:f6T+OQeFTR8gtvipdkv3Xw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.0
|
|
@ -31,6 +31,15 @@
|
||||||
flow = "xtls-rprx-vision";
|
flow = "xtls-rprx-vision";
|
||||||
tls.enabled = true;
|
tls.enabled = true;
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
type = "vless";
|
||||||
|
tag = "sin0";
|
||||||
|
server = "sin0.ny4.dev";
|
||||||
|
server_port = 27253;
|
||||||
|
uuid._secret = config.sops.secrets."sing-box/tyo0".path;
|
||||||
|
flow = "xtls-rprx-vision";
|
||||||
|
tls.enabled = true;
|
||||||
|
}
|
||||||
{
|
{
|
||||||
type = "direct";
|
type = "direct";
|
||||||
tag = "direct";
|
tag = "direct";
|
||||||
|
|
|
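Review bot: The new `sin0` outbound reads `config.sops.secrets."sing-box/tyo0".path` for its `uuid`, so the sin0 connection is authenticated with a client secret named after tyo0. That works only because the server profile encrypts a single `sing-box/auth` for both hosts, and that coupling is not stated anywhere; either rename the client secret to a host-neutral name or, preferably, give each server its own UUID so that a credential from one server does not also authenticate to the other. At minimum add `# sin0 shares tyo0's auth UUID via the sing-box-server profile secret` above the `uuid._secret` line. The enclosing outbounds list starts before this hunk and continues after it.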
@ -12,12 +12,7 @@
|
||||||
settings.formatter.nixfmt.options = [ "--strict" ];
|
settings.formatter.nixfmt.options = [ "--strict" ];
|
||||||
|
|
||||||
settings.formatter.prettier.excludes = [
|
settings.formatter.prettier.excludes = [
|
||||||
"hosts/pek0/secrets.yaml"
|
"**/secrets.yaml"
|
||||||
"hosts/tyo0/secrets.yaml"
|
|
||||||
"infra/secrets.yaml"
|
|
||||||
"infra/data.json"
|
"infra/data.json"
|
||||||
"nixos/profiles/sing-box/secrets.yaml"
|
|
||||||
"nixos/profiles/wireless/secrets.yaml"
|
|
||||||
"secrets.yaml"
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
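Review bot: `"**/secrets.yaml"` replaces six explicit paths including the repository-root `"secrets.yaml"`; whether `**/` matches a file with no directory prefix depends on treefmt's glob implementation, so confirm the root file is still excluded, otherwise prettier will start reformatting a sops-managed file. If it is not matched, keep `"secrets.yaml"` as a second entry next to the glob.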