nixos: hysteria2 -> vless
parent
38125607f8
commit
de39160e63
8 changed files with 100 additions and 62 deletions
|
@ -165,4 +165,30 @@
|
||||||
"org.freedesktop.impl.portal.Inhibit" = "none";
|
"org.freedesktop.impl.portal.Inhibit" = "none";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.sing-box.settings = {
|
||||||
|
outbounds = [
|
||||||
|
{
|
||||||
|
type = "selector";
|
||||||
|
tag = "select";
|
||||||
|
outbounds = [
|
||||||
|
"tyo0"
|
||||||
|
"direct"
|
||||||
|
];
|
||||||
|
default = "tyo0";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
route = {
|
||||||
|
final = "select";
|
||||||
|
};
|
||||||
|
|
||||||
|
experimental = {
|
||||||
|
clash_api = {
|
||||||
|
external_controller = "127.0.0.1:9090";
|
||||||
|
external_ui = pkgs.metacubexd;
|
||||||
|
secret = "hunter2";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
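Review bot: The Clash API `secret` in `experimental.clash_api` is the literal `"hunter2"`, so it is readable in the repository and in the Nix store, and it is the only thing guarding the controller on 127.0.0.1:9090 against other local processes. Other values in this commit are already file-backed (`_secret = "/run/credentials/sing-box.service/auth"`), so, assuming `config` is in scope in this file, this could read `secret._secret = config.sops.secrets."sing-box/clash-secret".path;`, where the secret name is a constructed example. The same exposure applies to the literal `uuid` added to the vless outbound in the shared sing-box module later in this commit, which replaces `password._secret = …`. There, `uuid._secret = config.sops.secrets."sing-box/tyo0".path;` would keep the credential out of the store, and the value already committed should be rotated.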
@ -1,11 +1,3 @@
|
||||||
{
|
|
||||||
# Disables HTTP/3 for Hysteria
|
|
||||||
# https://github.com/apernet/hysteria/issues/768
|
|
||||||
servers :443 {
|
|
||||||
protocols h1 h2 h2c
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
(default) {
|
(default) {
|
||||||
encode zstd gzip
|
encode zstd gzip
|
||||||
handle_path /robots.txt {
|
handle_path /robots.txt {
|
||||||
|
|
|
@ -10,7 +10,6 @@
|
||||||
./anti-feature.nix
|
./anti-feature.nix
|
||||||
|
|
||||||
./services/forgejo.nix
|
./services/forgejo.nix
|
||||||
./services/hysteria.nix
|
|
||||||
./services/keycloak.nix
|
./services/keycloak.nix
|
||||||
./services/miniflux.nix
|
./services/miniflux.nix
|
||||||
./services/murmur.nix
|
./services/murmur.nix
|
||||||
|
@ -18,6 +17,7 @@
|
||||||
./services/pixivfe.nix
|
./services/pixivfe.nix
|
||||||
./services/redlib.nix
|
./services/redlib.nix
|
||||||
./services/searx.nix
|
./services/searx.nix
|
||||||
|
./services/sing-box.nix
|
||||||
./services/uptime-kuma.nix
|
./services/uptime-kuma.nix
|
||||||
./services/vaultwarden.nix
|
./services/vaultwarden.nix
|
||||||
./services/wastebin.nix
|
./services/wastebin.nix
|
||||||
|
@ -38,8 +38,8 @@
|
||||||
|
|
||||||
### Secrets
|
### Secrets
|
||||||
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
||||||
"hysteria/auth" = {
|
"sing-box/auth" = {
|
||||||
restartUnits = [ "hysteria.service" ];
|
restartUnits = [ "sing-box.service" ];
|
||||||
};
|
};
|
||||||
"pixivfe/environment" = {
|
"pixivfe/environment" = {
|
||||||
restartUnits = [ "pixivfe.service" ];
|
restartUnits = [ "pixivfe.service" ];
|
||||||
|
@ -56,11 +56,11 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
### Services
|
### Services
|
||||||
networking.firewall.allowedUDPPorts = [ 443 ]; # hysteria
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
80
|
80
|
||||||
443
|
443
|
||||||
]; # caddy
|
];
|
||||||
|
|
||||||
systemd.tmpfiles.settings = {
|
systemd.tmpfiles.settings = {
|
||||||
"10-www" = {
|
"10-www" = {
|
||||||
|
|
|
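Review bot: The `# hysteria` and `# caddy` comments on the firewall lines are dropped, which leaves `allowedUDPPorts = [ 443 ]` open with no stated consumer now that hysteria is removed. If UDP 443 is kept for Caddy's HTTP/3 (the Caddyfile change in this commit removes the `protocols h1 h2 h2c` restriction, so that appears to be the intent), the lines should say so: `networking.firewall.allowedUDPPorts = [ 443 ]; # caddy (HTTP/3)` and `]; # caddy`. If HTTP/3 is not wanted, the UDP rule should be removed rather than left open.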
@ -1,5 +1,5 @@
|
||||||
hysteria:
|
sing-box:
|
||||||
auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
|
auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str]
|
||||||
searx:
|
searx:
|
||||||
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
||||||
pixivfe:
|
pixivfe:
|
||||||
|
@ -32,8 +32,8 @@ sops:
|
||||||
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
|
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
|
||||||
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
|
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-08-12T12:55:54Z"
|
lastmodified: "2024-08-27T20:25:39Z"
|
||||||
mac: ENC[AES256_GCM,data:H1zm+Rk9F9SkRbANU4GYjhZpys3e5qQNBBsdIbgXD3AZTAKZVyemT6Vb8k0ufkfzQ98L0Xrm/S1JQFvcyaZqRHv+C2GW3F34FlSS4IOtaJz9IgVIdvaM4WvaOTtpC5B+5CKnA/oBPOmhEBCdi2LIjzrUltEzKpemWHkIIT2eHQA=,iv:1RCjLEz0W+tHQep4EguweYKSfePXa1VE3+gzlcFsAug=,tag:Oonqihfe83l5SNOmLjOPYg==,type:str]
|
mac: ENC[AES256_GCM,data:Jg5dJZtIz8ZM30T1+iLLIDBghqn7JWIKirJzF0UfhlMJ1EGM1tjbuW4ZecPlSsqi3mYsA/Ns5eG8/jFeyUhs9WIsPvNTU62n8JMBwFeGAwdQO7QmmLXGuxyfJKtMrvn2IQxNx5jE97ag4atxdHNRiO5xChXYfWxgNvkskA1CJ0w=,iv:z9gOkUTN/ddYDPXVzefbN3P+ZuLrXV6LPbGIWRnP/gQ=,tag:AP5dnT6u+dA/sY6zmfkjXA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||
|
|
|
@ -1,30 +0,0 @@
|
||||||
{ config, ... }:
|
|
||||||
{
|
|
||||||
services.hysteria = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
auth = {
|
|
||||||
type = "userpass";
|
|
||||||
userpass = {
|
|
||||||
_secret = "/run/credentials/hysteria.service/auth";
|
|
||||||
quote = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
masquerade = {
|
|
||||||
type = "proxy";
|
|
||||||
proxy.url = "https://ny4.dev/";
|
|
||||||
};
|
|
||||||
tls = {
|
|
||||||
cert = "/run/credentials/hysteria.service/cert";
|
|
||||||
key = "/run/credentials/hysteria.service/key";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services."hysteria".serviceConfig.LoadCredential = [
|
|
||||||
# FIXME: remove hardcoded path
|
|
||||||
"auth:${config.sops.secrets."hysteria/auth".path}"
|
|
||||||
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
|
|
||||||
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
|
|
||||||
];
|
|
||||||
}
|
|
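--- a/hosts/tyo0/services/sing-box.nix
+++ b/hosts/tyo0/services/sing-box.nix
@@ -0,0 +1,56 @@
+{ config, ... }:
+{
+networking.firewall.allowedTCPPorts = [
+27253
+];
+
+services.sing-box = {
+enable = true;
+settings = {
+log = {
+level = "info";
+};
+
+inbounds = [
+{
+type = "vless";
+tag = "inbound";
+listen = "0.0.0.0";
+listen_port = 27253;
+users = {
+_secret = "/run/credentials/sing-box.service/auth";
+quote = false;
+};
+tls = {
+enabled = true;
+server_name = "tyo0.ny4.dev";
+certificate_path = "/run/credentials/sing-box.service/cert";
+key_path = "/run/credentials/sing-box.service/key";
+};
+}
+];
+
+outbounds = [
+{
+type = "direct";
+tag = "direct";
+}
+];
+
+route = {
+final = "direct";
+};
+};
+};
+
+systemd.services."sing-box".serviceConfig.LoadCredential =
+let
+# FIXME: remove hardcoded path
+path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
+in
+[
+"auth:${config.sops.secrets."sing-box/auth".path}"
+"cert:${path}/tyo0.ny4.dev.crt"
+"key:${path}/tyo0.ny4.dev.key"
+];
+}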
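Review bot: `LoadCredential` copies the certificate and key out of Caddy's storage only when sing-box.service starts, and nothing in this file restarts the unit when Caddy renews them; the `restartUnits` entry on the sops secret elsewhere in this commit covers only `auth`. The vless inbound would keep serving the old certificate until the next restart, and clients that verify TLS would start failing once it expires. A path unit that watches the certificate file and restarts sing-box closes that gap. The sketch below assumes the `let path = …` binding is hoisted so both definitions can use it, and that Caddy's replacement of the file triggers `PathChanged`, which should be confirmed on the host.

```nix
# … unchanged: firewall, services.sing-box, LoadCredential …

# Restart sing-box after Caddy replaces the certificate so the copy under
# /run/credentials is refreshed.
systemd.paths."sing-box-cert" = {
  wantedBy = [ "multi-user.target" ];
  pathConfig.PathChanged = "${path}/tyo0.ny4.dev.crt";
};
systemd.services."sing-box-cert" = {
  serviceConfig.Type = "oneshot";
  script = "systemctl try-restart sing-box.service";
};
```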
@ -1,4 +1,5 @@
|
||||||
{
|
{
|
||||||
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
|
@ -24,11 +25,12 @@
|
||||||
|
|
||||||
outbounds = [
|
outbounds = [
|
||||||
{
|
{
|
||||||
type = "hysteria2";
|
type = "vless";
|
||||||
tag = "tyo0";
|
tag = "tyo0";
|
||||||
server = "tyo0.ny4.dev";
|
server = "tyo0.ny4.dev";
|
||||||
server_port = 443;
|
server_port = 27253;
|
||||||
password._secret = config.sops.secrets."sing-box/tyo0".path;
|
uuid = "29e54ee5-43f5-4891-b750-ca73c7e3b2b3";
|
||||||
|
flow = "xtls-rprx-vision";
|
||||||
tls.enabled = true;
|
tls.enabled = true;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
@ -76,15 +78,7 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
final = "tyo0";
|
final = lib.mkDefault "tyo0";
|
||||||
};
|
|
||||||
|
|
||||||
experimental = {
|
|
||||||
clash_api = {
|
|
||||||
external_controller = "127.0.0.1:9090";
|
|
||||||
external_ui = pkgs.metacubexd;
|
|
||||||
secret = "hunter2";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
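Review bot: `final = lib.mkDefault "tyo0";` carries no comment saying why the priority was lowered, and the reason is only visible in another file of this commit, where a host sets `route.final = "select"`. A one-line comment above it would keep the two in step for the next reader, for example `# mkDefault so a host can route through its own selector outbound`. The enclosing `route` block starts outside the hunk.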
@ -1,5 +1,5 @@
|
||||||
sing-box:
|
sing-box:
|
||||||
tyo0: ENC[AES256_GCM,data:c1WIyaAXyiir4VRcggvJ0drgxOi24+s=,iv:1CufURfG6PL+iv54LOkh6kdjjf6Pa8uvyWsRX4rBTls=,tag:M5PzRvKJzQzhpv3z6XlG9A==,type:str]
|
tyo0: ENC[AES256_GCM,data:IIUqglE+FqlD1LlRkpCuRqaOysEe4BxUIlGBEhUwgw/dDGBK,iv:ojryKlJgA9R7dTlcqKZ9BmGSHdZQ4BDMYRYLlJwbCXc=,tag:MDhlfxgQQ84UUdZ+ZWvaWQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -33,8 +33,8 @@ sops:
|
||||||
NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6
|
NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6
|
||||||
JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA==
|
JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-08-24T07:58:00Z"
|
lastmodified: "2024-08-27T20:29:35Z"
|
||||||
mac: ENC[AES256_GCM,data:gbgaZ6fGr8sIaEPMTJeTr4nHEkfWDMwNPstEjfn580go8Ogg3cIW0Lca1nPERCI7XimswjT9V6FnxV8HtTZ+VH3jZsuB/Zu0lYpCsTx//wY0meWWHtOINFZ6Qn9dl6CTRi/QgmNJPKjPPYcHg0ECGY/Iv8s44Mj0aXthVN61huk=,iv:8y+vjDSWaVt7kQkvu499+bK3lYB3moVtAQJ4UvfLYv4=,tag:XAhiF7cw8i8ilj3Dp/zoDw==,type:str]
|
mac: ENC[AES256_GCM,data:RA8pX6oMrKz4f7aX0UwTAa3P/QYt1IX8FO9yl/ViaUoPYQ5WD3o5Zh7FX40QDUdLZkfFJqO+P+gr5ZqRJ+lZRSNRXmO0vx9C7KMPEMweNz+0hmE15OKXcfEjTbEu+GW9vgoj6TyQ8OahJZ4pF7DNtg0+/B7LzmhgrRaKq7zLdng=,iv:x1zD7US6VmLfeY1tH3/+fHL4ECM4UyYCzv5qxD1ikEw=,tag:kA+AFntpC+sKpCa9/Q1Bjw==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||
|
|