nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos: hysteria2 -> vless

Browse source
This commit is contained in:
Guanran Wang 2024-08-28 05:02:01 +08:00
parent 38125607f8
commit de39160e63
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
8 changed files with 100 additions and 62 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
hosts/dust/default.nix
View file

@ -165,4 +165,30 @@
"org.freedesktop.impl.portal.Inhibit" = "none";
};
};
services.sing-box.settings = {
outbounds = [
{
type = "selector";
tag = "select";
outbounds = [
"tyo0"
"direct"
];
default = "tyo0";
}
];
route = {
final = "select";
};
experimental = {
clash_api = {
external_controller = "127.0.0.1:9090";
external_ui = pkgs.metacubexd;
secret = "hunter2";
};
};
};
}

8
hosts/tyo0/Caddyfile
View file

@ -1,11 +1,3 @@
{
# Disables HTTP/3 for Hysteria
# https://github.com/apernet/hysteria/issues/768
servers :443 {
protocols h1 h2 h2c
}
}
(default) {
encode zstd gzip
handle_path /robots.txt {

10
hosts/tyo0/default.nix
View file

@ -10,7 +10,6 @@
./anti-feature.nix
./services/forgejo.nix
./services/hysteria.nix
./services/keycloak.nix
./services/miniflux.nix
./services/murmur.nix
@ -18,6 +17,7 @@
./services/pixivfe.nix
./services/redlib.nix
./services/searx.nix
./services/sing-box.nix
./services/uptime-kuma.nix
./services/vaultwarden.nix
./services/wastebin.nix
@ -38,8 +38,8 @@
### Secrets
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
"hysteria/auth" = {
restartUnits = [ "hysteria.service" ];
"sing-box/auth" = {
restartUnits = [ "sing-box.service" ];
};
"pixivfe/environment" = {
restartUnits = [ "pixivfe.service" ];
@ -56,11 +56,11 @@
};
### Services
networking.firewall.allowedUDPPorts = [ 443 ]; # hysteria
networking.firewall.allowedUDPPorts = [ 443 ];
networking.firewall.allowedTCPPorts = [
80
443
]; # caddy
];
systemd.tmpfiles.settings = {
"10-www" = {

8
hosts/tyo0/secrets.yaml
View file

@ -1,5 +1,5 @@
hysteria:
auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
sing-box:
auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str]
searx:
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
pixivfe:
@ -32,8 +32,8 @@ sops:
UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-12T12:55:54Z"
mac: ENC[AES256_GCM,data:H1zm+Rk9F9SkRbANU4GYjhZpys3e5qQNBBsdIbgXD3AZTAKZVyemT6Vb8k0ufkfzQ98L0Xrm/S1JQFvcyaZqRHv+C2GW3F34FlSS4IOtaJz9IgVIdvaM4WvaOTtpC5B+5CKnA/oBPOmhEBCdi2LIjzrUltEzKpemWHkIIT2eHQA=,iv:1RCjLEz0W+tHQep4EguweYKSfePXa1VE3+gzlcFsAug=,tag:Oonqihfe83l5SNOmLjOPYg==,type:str]
lastmodified: "2024-08-27T20:25:39Z"
mac: ENC[AES256_GCM,data:Jg5dJZtIz8ZM30T1+iLLIDBghqn7JWIKirJzF0UfhlMJ1EGM1tjbuW4ZecPlSsqi3mYsA/Ns5eG8/jFeyUhs9WIsPvNTU62n8JMBwFeGAwdQO7QmmLXGuxyfJKtMrvn2IQxNx5jE97ag4atxdHNRiO5xChXYfWxgNvkskA1CJ0w=,iv:z9gOkUTN/ddYDPXVzefbN3P+ZuLrXV6LPbGIWRnP/gQ=,tag:AP5dnT6u+dA/sY6zmfkjXA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

30
hosts/tyo0/services/hysteria.nix
View file

@ -1,30 +0,0 @@
{ config, ... }:
{
services.hysteria = {
enable = true;
settings = {
auth = {
type = "userpass";
userpass = {
_secret = "/run/credentials/hysteria.service/auth";
quote = false;
};
};
masquerade = {
type = "proxy";
proxy.url = "https://ny4.dev/";
};
tls = {
cert = "/run/credentials/hysteria.service/cert";
key = "/run/credentials/hysteria.service/key";
};
};
};
systemd.services."hysteria".serviceConfig.LoadCredential = [
# FIXME: remove hardcoded path
"auth:${config.sops.secrets."hysteria/auth".path}"
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
];
}

56
hosts/tyo0/services/sing-box.nix Normal file
View file

@ -0,0 +1,56 @@
{ config, ... }:
{
networking.firewall.allowedTCPPorts = [
27253
];
services.sing-box = {
enable = true;
settings = {
log = {
level = "info";
};
inbounds = [
{
type = "vless";
tag = "inbound";
listen = "0.0.0.0";
listen_port = 27253;
users = {
_secret = "/run/credentials/sing-box.service/auth";
quote = false;
};
tls = {
enabled = true;
server_name = "tyo0.ny4.dev";
certificate_path = "/run/credentials/sing-box.service/cert";
key_path = "/run/credentials/sing-box.service/key";
};
}
];
outbounds = [
{
type = "direct";
tag = "direct";
}
];
route = {
final = "direct";
};
};
};
systemd.services."sing-box".serviceConfig.LoadCredential =
let
# FIXME: remove hardcoded path
path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
in
[
"auth:${config.sops.secrets."sing-box/auth".path}"
"cert:${path}/tyo0.ny4.dev.crt"
"key:${path}/tyo0.ny4.dev.key"
];
}

18
nixos/profiles/sing-box/default.nix
View file

@ -1,4 +1,5 @@
{
lib,
pkgs,
config,
...
@ -24,11 +25,12 @@
outbounds = [
{
type = "hysteria2";
type = "vless";
tag = "tyo0";
server = "tyo0.ny4.dev";
server_port = 443;
password._secret = config.sops.secrets."sing-box/tyo0".path;
server_port = 27253;
uuid = "29e54ee5-43f5-4891-b750-ca73c7e3b2b3";
flow = "xtls-rprx-vision";
tls.enabled = true;
}
{
@ -76,15 +78,7 @@
}
];
final = "tyo0";
};
experimental = {
clash_api = {
external_controller = "127.0.0.1:9090";
external_ui = pkgs.metacubexd;
secret = "hunter2";
};
final = lib.mkDefault "tyo0";
};
};
};

6
nixos/profiles/sing-box/secrets.yaml
View file

@ -1,5 +1,5 @@
sing-box:
tyo0: ENC[AES256_GCM,data:c1WIyaAXyiir4VRcggvJ0drgxOi24+s=,iv:1CufURfG6PL+iv54LOkh6kdjjf6Pa8uvyWsRX4rBTls=,tag:M5PzRvKJzQzhpv3z6XlG9A==,type:str]
tyo0: ENC[AES256_GCM,data:IIUqglE+FqlD1LlRkpCuRqaOysEe4BxUIlGBEhUwgw/dDGBK,iv:ojryKlJgA9R7dTlcqKZ9BmGSHdZQ4BDMYRYLlJwbCXc=,tag:MDhlfxgQQ84UUdZ+ZWvaWQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -33,8 +33,8 @@ sops:
NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6
JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-24T07:58:00Z"
mac: ENC[AES256_GCM,data:gbgaZ6fGr8sIaEPMTJeTr4nHEkfWDMwNPstEjfn580go8Ogg3cIW0Lca1nPERCI7XimswjT9V6FnxV8HtTZ+VH3jZsuB/Zu0lYpCsTx//wY0meWWHtOINFZ6Qn9dl6CTRi/QgmNJPKjPPYcHg0ECGY/Iv8s44Mj0aXthVN61huk=,iv:8y+vjDSWaVt7kQkvu499+bK3lYB3moVtAQJ4UvfLYv4=,tag:XAhiF7cw8i8ilj3Dp/zoDw==,type:str]
lastmodified: "2024-08-27T20:29:35Z"
mac: ENC[AES256_GCM,data:RA8pX6oMrKz4f7aX0UwTAa3P/QYt1IX8FO9yl/ViaUoPYQ5WD3o5Zh7FX40QDUdLZkfFJqO+P+gr5ZqRJ+lZRSNRXmO0vx9C7KMPEMweNz+0hmE15OKXcfEjTbEu+GW9vgoj6TyQ8OahJZ4pF7DNtg0+/B7LzmhgrRaKq7zLdng=,iv:x1zD7US6VmLfeY1tH3/+fHL4ECM4UyYCzv5qxD1ikEw=,tag:kA+AFntpC+sKpCa9/Q1Bjw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0