nixos: hysteria2 -> vless
This commit is contained in:
parent
38125607f8
commit
de39160e63
8 changed files with 100 additions and 62 deletions
|
@ -165,4 +165,30 @@
|
|||
"org.freedesktop.impl.portal.Inhibit" = "none";
|
||||
};
|
||||
};
|
||||
|
||||
services.sing-box.settings = {
|
||||
outbounds = [
|
||||
{
|
||||
type = "selector";
|
||||
tag = "select";
|
||||
outbounds = [
|
||||
"tyo0"
|
||||
"direct"
|
||||
];
|
||||
default = "tyo0";
|
||||
}
|
||||
];
|
||||
|
||||
route = {
|
||||
final = "select";
|
||||
};
|
||||
|
||||
experimental = {
|
||||
clash_api = {
|
||||
external_controller = "127.0.0.1:9090";
|
||||
external_ui = pkgs.metacubexd;
|
||||
secret = "hunter2";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,11 +1,3 @@
|
|||
{
|
||||
# Disables HTTP/3 for Hysteria
|
||||
# https://github.com/apernet/hysteria/issues/768
|
||||
servers :443 {
|
||||
protocols h1 h2 h2c
|
||||
}
|
||||
}
|
||||
|
||||
(default) {
|
||||
encode zstd gzip
|
||||
handle_path /robots.txt {
|
||||
|
|
|
@ -10,7 +10,6 @@
|
|||
./anti-feature.nix
|
||||
|
||||
./services/forgejo.nix
|
||||
./services/hysteria.nix
|
||||
./services/keycloak.nix
|
||||
./services/miniflux.nix
|
||||
./services/murmur.nix
|
||||
|
@ -18,6 +17,7 @@
|
|||
./services/pixivfe.nix
|
||||
./services/redlib.nix
|
||||
./services/searx.nix
|
||||
./services/sing-box.nix
|
||||
./services/uptime-kuma.nix
|
||||
./services/vaultwarden.nix
|
||||
./services/wastebin.nix
|
||||
|
@ -38,8 +38,8 @@
|
|||
|
||||
### Secrets
|
||||
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
||||
"hysteria/auth" = {
|
||||
restartUnits = [ "hysteria.service" ];
|
||||
"sing-box/auth" = {
|
||||
restartUnits = [ "sing-box.service" ];
|
||||
};
|
||||
"pixivfe/environment" = {
|
||||
restartUnits = [ "pixivfe.service" ];
|
||||
|
@ -56,11 +56,11 @@
|
|||
};
|
||||
|
||||
### Services
|
||||
networking.firewall.allowedUDPPorts = [ 443 ]; # hysteria
|
||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
]; # caddy
|
||||
];
|
||||
|
||||
systemd.tmpfiles.settings = {
|
||||
"10-www" = {
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
hysteria:
|
||||
auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
|
||||
sing-box:
|
||||
auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str]
|
||||
searx:
|
||||
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
||||
pixivfe:
|
||||
|
@ -32,8 +32,8 @@ sops:
|
|||
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
|
||||
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-08-12T12:55:54Z"
|
||||
mac: ENC[AES256_GCM,data:H1zm+Rk9F9SkRbANU4GYjhZpys3e5qQNBBsdIbgXD3AZTAKZVyemT6Vb8k0ufkfzQ98L0Xrm/S1JQFvcyaZqRHv+C2GW3F34FlSS4IOtaJz9IgVIdvaM4WvaOTtpC5B+5CKnA/oBPOmhEBCdi2LIjzrUltEzKpemWHkIIT2eHQA=,iv:1RCjLEz0W+tHQep4EguweYKSfePXa1VE3+gzlcFsAug=,tag:Oonqihfe83l5SNOmLjOPYg==,type:str]
|
||||
lastmodified: "2024-08-27T20:25:39Z"
|
||||
mac: ENC[AES256_GCM,data:Jg5dJZtIz8ZM30T1+iLLIDBghqn7JWIKirJzF0UfhlMJ1EGM1tjbuW4ZecPlSsqi3mYsA/Ns5eG8/jFeyUhs9WIsPvNTU62n8JMBwFeGAwdQO7QmmLXGuxyfJKtMrvn2IQxNx5jE97ag4atxdHNRiO5xChXYfWxgNvkskA1CJ0w=,iv:z9gOkUTN/ddYDPXVzefbN3P+ZuLrXV6LPbGIWRnP/gQ=,tag:AP5dnT6u+dA/sY6zmfkjXA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
services.hysteria = {
|
||||
enable = true;
|
||||
settings = {
|
||||
auth = {
|
||||
type = "userpass";
|
||||
userpass = {
|
||||
_secret = "/run/credentials/hysteria.service/auth";
|
||||
quote = false;
|
||||
};
|
||||
};
|
||||
masquerade = {
|
||||
type = "proxy";
|
||||
proxy.url = "https://ny4.dev/";
|
||||
};
|
||||
tls = {
|
||||
cert = "/run/credentials/hysteria.service/cert";
|
||||
key = "/run/credentials/hysteria.service/key";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."hysteria".serviceConfig.LoadCredential = [
|
||||
# FIXME: remove hardcoded path
|
||||
"auth:${config.sops.secrets."hysteria/auth".path}"
|
||||
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
|
||||
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
|
||||
];
|
||||
}
|
56
hosts/tyo0/services/sing-box.nix
Normal file
56
hosts/tyo0/services/sing-box.nix
Normal file
|
@ -0,0 +1,56 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
27253
|
||||
];
|
||||
|
||||
services.sing-box = {
|
||||
enable = true;
|
||||
settings = {
|
||||
log = {
|
||||
level = "info";
|
||||
};
|
||||
|
||||
inbounds = [
|
||||
{
|
||||
type = "vless";
|
||||
tag = "inbound";
|
||||
listen = "0.0.0.0";
|
||||
listen_port = 27253;
|
||||
users = {
|
||||
_secret = "/run/credentials/sing-box.service/auth";
|
||||
quote = false;
|
||||
};
|
||||
tls = {
|
||||
enabled = true;
|
||||
server_name = "tyo0.ny4.dev";
|
||||
certificate_path = "/run/credentials/sing-box.service/cert";
|
||||
key_path = "/run/credentials/sing-box.service/key";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
outbounds = [
|
||||
{
|
||||
type = "direct";
|
||||
tag = "direct";
|
||||
}
|
||||
];
|
||||
|
||||
route = {
|
||||
final = "direct";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."sing-box".serviceConfig.LoadCredential =
|
||||
let
|
||||
# FIXME: remove hardcoded path
|
||||
path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
|
||||
in
|
||||
[
|
||||
"auth:${config.sops.secrets."sing-box/auth".path}"
|
||||
"cert:${path}/tyo0.ny4.dev.crt"
|
||||
"key:${path}/tyo0.ny4.dev.key"
|
||||
];
|
||||
}
|
|
@ -1,4 +1,5 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
|
@ -24,11 +25,12 @@
|
|||
|
||||
outbounds = [
|
||||
{
|
||||
type = "hysteria2";
|
||||
type = "vless";
|
||||
tag = "tyo0";
|
||||
server = "tyo0.ny4.dev";
|
||||
server_port = 443;
|
||||
password._secret = config.sops.secrets."sing-box/tyo0".path;
|
||||
server_port = 27253;
|
||||
uuid = "29e54ee5-43f5-4891-b750-ca73c7e3b2b3";
|
||||
flow = "xtls-rprx-vision";
|
||||
tls.enabled = true;
|
||||
}
|
||||
{
|
||||
|
@ -76,15 +78,7 @@
|
|||
}
|
||||
];
|
||||
|
||||
final = "tyo0";
|
||||
};
|
||||
|
||||
experimental = {
|
||||
clash_api = {
|
||||
external_controller = "127.0.0.1:9090";
|
||||
external_ui = pkgs.metacubexd;
|
||||
secret = "hunter2";
|
||||
};
|
||||
final = lib.mkDefault "tyo0";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
sing-box:
|
||||
tyo0: ENC[AES256_GCM,data:c1WIyaAXyiir4VRcggvJ0drgxOi24+s=,iv:1CufURfG6PL+iv54LOkh6kdjjf6Pa8uvyWsRX4rBTls=,tag:M5PzRvKJzQzhpv3z6XlG9A==,type:str]
|
||||
tyo0: ENC[AES256_GCM,data:IIUqglE+FqlD1LlRkpCuRqaOysEe4BxUIlGBEhUwgw/dDGBK,iv:ojryKlJgA9R7dTlcqKZ9BmGSHdZQ4BDMYRYLlJwbCXc=,tag:MDhlfxgQQ84UUdZ+ZWvaWQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -33,8 +33,8 @@ sops:
|
|||
NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6
|
||||
JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-08-24T07:58:00Z"
|
||||
mac: ENC[AES256_GCM,data:gbgaZ6fGr8sIaEPMTJeTr4nHEkfWDMwNPstEjfn580go8Ogg3cIW0Lca1nPERCI7XimswjT9V6FnxV8HtTZ+VH3jZsuB/Zu0lYpCsTx//wY0meWWHtOINFZ6Qn9dl6CTRi/QgmNJPKjPPYcHg0ECGY/Iv8s44Mj0aXthVN61huk=,iv:8y+vjDSWaVt7kQkvu499+bK3lYB3moVtAQJ4UvfLYv4=,tag:XAhiF7cw8i8ilj3Dp/zoDw==,type:str]
|
||||
lastmodified: "2024-08-27T20:29:35Z"
|
||||
mac: ENC[AES256_GCM,data:RA8pX6oMrKz4f7aX0UwTAa3P/QYt1IX8FO9yl/ViaUoPYQ5WD3o5Zh7FX40QDUdLZkfFJqO+P+gr5ZqRJ+lZRSNRXmO0vx9C7KMPEMweNz+0hmE15OKXcfEjTbEu+GW9vgoj6TyQ8OahJZ4pF7DNtg0+/B7LzmhgrRaKq7zLdng=,iv:x1zD7US6VmLfeY1tH3/+fHL4ECM4UyYCzv5qxD1ikEw=,tag:kA+AFntpC+sKpCa9/Q1Bjw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
Loading…
Reference in a new issue