sin0: add sing-box
This commit is contained in:
parent
49b607129d
commit
dbf012cdc2
13 changed files with 82 additions and 22 deletions
|
@ -23,6 +23,12 @@ creation_rules:
|
|||
- *guanranwang
|
||||
- *dust
|
||||
- *pek0
|
||||
- path_regex: ^nixos/profiles/sing-box-server/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *tyo0
|
||||
- *sin0
|
||||
- path_regex: ^nixos/profiles/wireless/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
|
|
|
@ -163,6 +163,7 @@
|
|||
"tyo0" = {
|
||||
imports = [ ./hosts/tyo0 ];
|
||||
deployment.targetHost = "tyo0.ny4.dev";
|
||||
deployment.tags = [ "proxy" ];
|
||||
};
|
||||
|
||||
"pek0" = {
|
||||
|
|
|
@ -212,6 +212,7 @@
|
|||
tag = "select";
|
||||
outbounds = [
|
||||
"tyo0"
|
||||
"sin0"
|
||||
"direct"
|
||||
];
|
||||
default = "tyo0";
|
||||
|
|
|
@ -18,9 +18,10 @@
|
|||
./services/ntfy.nix
|
||||
./services/prometheus.nix
|
||||
./services/redlib.nix
|
||||
./services/sing-box.nix
|
||||
./services/vaultwarden.nix
|
||||
./services/wastebin.nix
|
||||
|
||||
../../nixos/profiles/sing-box-server
|
||||
];
|
||||
|
||||
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
|
||||
|
@ -40,9 +41,6 @@
|
|||
|
||||
### Secrets
|
||||
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
||||
"sing-box/auth" = {
|
||||
restartUnits = [ "sing-box.service" ];
|
||||
};
|
||||
"prometheus/auth" = {
|
||||
owner = config.systemd.services.prometheus.serviceConfig.User;
|
||||
restartUnits = [ "prometheus.service" ];
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
sing-box:
|
||||
auth: ENC[AES256_GCM,data:gzoeMI/8A6e6HBbE2VofGJB1/sIq+b7MrkFoTp4zvRT1gLHVfP1B6XT+srJCOgUFNWL++JU1ShPYqgH61cl77WtJjzy+LJxb3oYnW3u/EzJJMpBHggstVQpaWfiGb16lhCq+Figsxk0G8BUFI/PPR/KmBZzLOw+/I/z8Dqf66dQh9BIhEOY0pJknZ4El2Ml5oGvYxdpjQ9rESfegwTz5wrha77V1mi733jrPFDuWLDkgNDf5nKRfCkpfLrdzyU7OX4qcj81qIpHsRBZ25Lib0IwDGurC7njKdbs8S0bprqZlK9sW34Dmx3s=,iv:XgXX2LaLgyyRuI04/RzgnfTAXUW3e9F0cdw6l6koVgc=,tag:9hDiGVADrBgpc0G+UFjM3g==,type:str]
|
||||
miniflux:
|
||||
environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
|
||||
vaultwarden:
|
||||
|
@ -30,8 +28,8 @@ sops:
|
|||
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
|
||||
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-07T05:32:46Z"
|
||||
mac: ENC[AES256_GCM,data:K+J0o/hlOHociZO8Fd08/ixr21ZGCM9yK6M87ylSbRNb8rwwS+IAsumvMMa8/R79ay66T0VWlTjBY2ywlrNLiz11n1Qx2j97L1MrCy4VWy3LmJEFhbGuUBbZLIp53OK7brSC/6XN3lB6K5KsiZ4vLCyGu/6hRpxcHg5Iada5h+8=,iv:JT9Xl9JQWYpacWz+ymwoZfOSeMqtrsmxhNu6hCBxUEQ=,tag:wRPCTHyL2iupmvnMJOx30g==,type:str]
|
||||
lastmodified: "2024-09-21T20:01:24Z"
|
||||
mac: ENC[AES256_GCM,data:5bFyGI0wQmUXIRgC9cy/xnRzyoigr9uX98jrR66KPW6xjYNSBrlh41zFwBty0ZAvvSnX0qs+OqUm9Do5LsePVnVBGWlnDp9e0rnzTYMrvrHseVMdLcxvbPlotjVRfnkt7pdBOW4bSUIKsXPjMN2pdN9lq1s7vf8NJqPoJAj1kqc=,iv:qf7woEP2jL0FxiwkFsDAv0pT+oVcpxBJa6I2bXKkzc8=,tag:ZYLBrpK915hOU+4gvyxjsA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
{ ... }:
|
||||
{
|
||||
imports = [ ../../../nixos/profiles/sing-box-server ];
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
|
||||
networking.firewall.allowedUDPPorts = [ 443 ];
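Review bot: `networking.firewall.allowedUDPPorts = [ 443 ]` opens a port that nothing in this commit listens on — the imported profile opens only TCP 27253 and the client outbound added for sin0 connects to that port — so either a listener configured outside this diff consumes it or the line widens exposure for no purpose. A comment naming the consumer, e.g. `# UDP 443: <listener> — TODO confirm`, or dropping the line until that listener exists, would make the intent clear. hosts/tyo0, which imports the same profile, does not get this port in this commit, which supports the reading that it is host-specific rather than part of the sing-box setup.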
|
||||
|
|
|
@ -37,7 +37,8 @@
|
|||
"country": "SG"
|
||||
},
|
||||
"tags": [
|
||||
"vultr"
|
||||
"vultr",
|
||||
"proxy"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -3,7 +3,7 @@ locals {
|
|||
sin0 = {
|
||||
region = "sgp"
|
||||
plan = "vhp-1c-1gb-amd"
|
||||
tags = ["vultr"]
|
||||
tags = ["vultr", "proxy"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,5 +1,13 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
inherit (config.networking) fqdn;
|
||||
in
|
||||
{
|
||||
sops.secrets."sing-box/auth" = {
|
||||
restartUnits = [ "sing-box.service" ];
|
||||
sopsFile = ./secrets.yaml;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 27253 ];
|
||||
|
||||
services.sing-box = {
|
||||
|
@ -21,7 +29,7 @@
|
|||
};
|
||||
tls = {
|
||||
enabled = true;
|
||||
server_name = "tyo0.ny4.dev";
|
||||
server_name = fqdn;
|
||||
certificate_path = "/run/credentials/sing-box.service/cert";
|
||||
key_path = "/run/credentials/sing-box.service/key";
|
||||
};
|
||||
|
@ -41,11 +49,11 @@
|
|||
|
||||
systemd.services."sing-box".serviceConfig.LoadCredential =
|
||||
let
|
||||
# FIXME: remove hardcoded path
|
||||
path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
|
||||
# FIXME: remove somewhat hardcoded path
|
||||
path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory";
|
||||
in
|
||||
[
|
||||
"cert:${path}/tyo0.ny4.dev.crt"
|
||||
"key:${path}/tyo0.ny4.dev.key"
|
||||
"cert:${path}/${fqdn}/${fqdn}.crt"
|
||||
"key:${path}/${fqdn}/${fqdn}.key"
|
||||
];
|
||||
}
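Review bot: `inherit (config.networking) fqdn` in the first hunk makes the profile's evaluation depend on `networking.domain` (and `hostName`) being set on every importing host, because NixOS's `networking.fqdn` throws when it cannot be determined; hosts/sin0/default.nix in this commit does not set it, so presumably a shared module does. An `assertions` entry, or at least a comment on the binding such as `# requires networking.domain: server_name and the credential paths below are keyed on the FQDN`, would make that contract explicit for the next host that imports the profile. The LoadCredential paths in the last hunk also tie sing-box startup to Caddy having already issued a certificate for the same FQDN under the ACME production directory; whether the unit orders itself after caddy.service is outside this hunk, as is the rest of the `services.sing-box` block.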
|
40
nixos/profiles/sing-box-server/secrets.yaml
Normal file
|
@ -0,0 +1,40 @@
|
|||
sing-box:
|
||||
auth: ENC[AES256_GCM,data:/2f3B5JHxbGsonNVXVJ8tGbhHv6hBEKw3X/ZN2L4hFOF2ia+jqMTNb5zIu+EgcsK9mZt4jzlHGmJ6xwqxDu7kEl4xeZNQnxH7F13GN2IJGM6TTr3eLWK+la5CVDCLkg95GSvsNSq+0ZK7B+Wm+AaJ8A1bCmPxmFfVmzIKm+wHrC4tXULpFI7uLDiXvhktfhshWHu1WVrgkAMDR0DuvdxREEfKQdDEnQj6KA1XRV6xHz+kYrjgCNdQ4If5izK0RL65OfBJ2q1jTR0lOEvei7rRsDcWxv74M6WGzNVgHa8/61VVpehNS27YzI=,iv:Br3Z5BemcfXuFoHKFf0lR0M5NlZ1NP2bUTOmbH7LFww=,tag:Umc1aVyd0q/GLb1YUxZZDg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTEtxZ0Q2bm9pdGhWZDRS
|
||||
RDZ5T0lPZ2M3MHo2ZXBRYXZDWXI2YXpCVlY0ClVrUkNnbG94R0FGREpJZmtROSt6
|
||||
cVFIL2pLcUd6ZFNnU09Qa21ITDNYWWcKLS0tIE84QXpNWnNXUGVsdDZ1aFBnakF1
|
||||
NUFWc2xTWEtWU3hscmI1WmJCdGZYdDQKhVHE+D5G5PD6sa+lKHsZHI8gFX8GGx+o
|
||||
n2VNQqIEIZSwx5oZt8lCPsLvRN8+KNAkH8aFTIkoIOphcvEA8iAOFA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPK1Jsa2E5SGEzSzFadGYx
|
||||
Q3pFaFk2bGNhR2ZHKzBGeGF3Y2ZtNlYzbFhjCjdSdWV3ZDBybUlIRmNOWTlFRHZJ
|
||||
dERvMmF2MFp0UnVkNGlOUWtGOUEwelEKLS0tICtpa0hwb1ExNGRwUXF1NnlQUjVy
|
||||
VnY0N3hJUERGOTZPbERHVWxuM2dvZlUKUjBAhqCo/eUkwNsdhl2CfCyGLbLPu9gE
|
||||
f7Ug7DhWA4Kd0HrUG23+hcA0sRWAuJ2vEcwL42+MuLjPNIWJTRMe0w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRWpYUTh2aE9Iek5XYVhS
|
||||
QmQrdk5jRFg3Z1JYbWpFUHZmTmV1Qkx4OTJBCnZ6a3EySlF5MCtNYkpRdWUyTy9q
|
||||
R3BjaklhV0tNMkxyQTdmYUhFVDdDSlUKLS0tIFNENUtXc2Y4VWpyYVhLa1ZDVm5R
|
||||
K3FhYkduZFpZU29jb3RlT09hbEZsbncKfYv/fY/IAhPhl5frAfSuFUNi88nt8Ift
|
||||
zrz47ZMYbrlif16xT/8JDAmAcYnIUSMv1LrarufaOPyQ8OyBdJSrXw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-21T20:02:31Z"
|
||||
mac: ENC[AES256_GCM,data:o84AcKDbFV3Kc54njq7T8FcjK9eIqvV121cIAaf2VxH0j4dck7JPf2eB87RCUGiD7kP4fZOnTTqNQPgzkTJvSjLqlNCNkqq0q4xGJh5uRLP9ioqYsSYF8gJvo8kq2VaaKgwjPWrJfw+fBhGANLlyIDG4BNeAXZTJ9BAB6Yr6ukM=,iv:iE2fVzTRdZFnvj5dxtdpwgGIbRWDMrE7NZb5A2DSa2c=,tag:f6T+OQeFTR8gtvipdkv3Xw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
|
@ -31,6 +31,15 @@
|
|||
flow = "xtls-rprx-vision";
|
||||
tls.enabled = true;
|
||||
}
|
||||
{
|
||||
type = "vless";
|
||||
tag = "sin0";
|
||||
server = "sin0.ny4.dev";
|
||||
server_port = 27253;
|
||||
uuid._secret = config.sops.secrets."sing-box/tyo0".path;
|
||||
flow = "xtls-rprx-vision";
|
||||
tls.enabled = true;
|
||||
}
|
||||
{
|
||||
type = "direct";
|
||||
tag = "direct";
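Review bot: The new sin0 outbound takes its uuid from `config.sops.secrets."sing-box/tyo0".path`, a secret named after the other server; presumably this works because both servers now decrypt the same `sing-box/auth` from the profile's secrets.yaml, but the name misleads anyone reading the sin0 entry on its own. Either a server-neutral secret name (for example `sing-box/auth`, matching the server side) or a comment above the `uuid._secret` line such as `# same credential as the tyo0 outbound: both servers share the profile's sing-box/auth secret` would document the coupling. The tyo0 outbound's own uuid line sits above this hunk, so the reuse is inferred from the secret name rather than seen.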
|
||||
|
|
|
@ -12,12 +12,7 @@
|
|||
settings.formatter.nixfmt.options = [ "--strict" ];
|
||||
|
||||
settings.formatter.prettier.excludes = [
|
||||
"hosts/pek0/secrets.yaml"
|
||||
"hosts/tyo0/secrets.yaml"
|
||||
"infra/secrets.yaml"
|
||||
"**/secrets.yaml"
|
||||
"infra/data.json"
|
||||
"nixos/profiles/sing-box/secrets.yaml"
|
||||
"nixos/profiles/wireless/secrets.yaml"
|
||||
"secrets.yaml"
|
||||
];
|
||||
}
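Review bot: Replacing the explicit list with `"**/secrets.yaml"` also drops the bare `"secrets.yaml"` entry, and whether a `**/` prefix matches a file at the repository root depends on treefmt's glob implementation; if it does not, the top-level secrets.yaml is no longer excluded from prettier. Keeping `"secrets.yaml"` alongside the glob costs one line and removes the doubt, or a comment `# "**/" also covers the root-level file — verified with treefmt --verbose` once confirmed.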
|
||||
|
|