dolomite: disable warp

This commit is contained in:
xinyangli 2024-11-24 23:43:32 +08:00
parent ca8f27bafa
commit 7c5c8be995
Signed by: xin
SSH key fingerprint: SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
3 changed files with 75 additions and 39 deletions


@ -1,4 +1,4 @@
{ config, ... }:
{ config, lib, ... }:
{
config = {
sops = {
@ -29,7 +29,9 @@
commonSettings = {
auth.enable = true;
proxyServer.enable = true;
proxyServer = {
enable = true;
};
};
};
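Review bot: The host-side effect of "disable warp" is expressed only implicitly here: the new `proxyServer = { enable = true; };` block leaves `warp.onTrojan` and `warp.onTuic` at their mkEnableOption defaults rather than stating them, so a later reader of this file cannot tell whether warp was deliberately turned off or simply never configured. Stating the intent, `proxyServer = { enable = true; warp = { onTrojan = false; onTuic = false; }; };`, costs two lines and survives a future change of the module defaults. Separately, `lib` is added to the module arguments in the first hunk, but nothing in the hunks shown uses it; if the rest of the file does not either, the addition looks stray.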


@ -39,6 +39,13 @@ in
fsType = "vfat";
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 4 * 1024;
}
];
boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
boot.initrd.kernelModules = [ "xen-blkfront" ];
boot.initrd.availableKernelModules = [ "nvme" ];
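Review bot: The new `/var/lib/swapfile` entry is unencrypted swap, so anything sing-box holds in memory on this host (the WireGuard private key loaded from the sops path, TLS key material) can be paged out to disk in the clear and persist across reboots. NixOS can wrap a swap device in a throwaway dm-crypt key at boot; adding `randomEncryption.enable = true;` inside the swap attrset avoids writing secrets to disk at the cost of hibernation support, and it is worth confirming that the option is honoured for a file-backed device in the NixOS release in use. The hunk header counts 13 new lines but only 11 are shown here, so the section may be cut.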


@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
...
}:
@ -32,7 +31,9 @@ let
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
listen_port = cfg.trojan.port;
tcp_multi_path = true;
tcp_fast_open = true;
users = [
{
name = "proxy";
@ -63,51 +64,77 @@ let
];
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
type = "direct";
tag = "direct";
}
];
route = {
rules = [
outbounds =
# warp outbound goes first to make it default outbound
(lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [
{
inbound = "sg0";
outbound = "direct";
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
])
++ [
{
inbound = "sg4";
outbound = "direct";
type = "direct";
tag = "direct";
}
];
route = {
rules =
[
{
inbound = "sg4";
outbound = "direct";
}
]
++ (lib.optionals (!cfg.warp.onTuic) (
lib.forEach (lib.range 1 3) (i: {
inbound = "sg${toString i}";
outbound = "direct";
})
))
++ (lib.optionals (!cfg.warp.onTrojan) [
{
inbound = "sg0";
outbound = "direct";
}
]);
};
};
in
{
options.commonSettings.proxyServer = {
enable = mkEnableOption "sing-box as a server";
trojan = {
port = mkOption {
type = lib.types.port;
default = cfg.trojan.port;
};
};
warp = {
onTrojan = mkEnableOption "forward to warp in trojan";
onTuic = mkEnableOption "forward to warp in first two port of tuic";
};
};
config = mkIf cfg.enable {
@ -132,7 +159,7 @@ in
networking.firewall.allowedTCPPorts = [
80
8080
cfg.trojan.port
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
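Review bot: `lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [ ... ]` in the outbounds hunk does not compute a boolean or: in Nix, `or` is the attribute-default operator, so because `cfg.warp.onTuic` always exists as a declared option the expression reduces to `cfg.warp.onTuic` alone, and `onTrojan = true` by itself never adds the `wg-out` outbound while the route rules still drop the `sg0 -> direct` rule for it, leaving trojan traffic on the default `direct` outbound with no evaluation error. The condition should be `(cfg.warp.onTuic || cfg.warp.onTrojan)`. In the options block, `port = mkOption { type = lib.types.port; default = cfg.trojan.port; };` appears to use the option's own value as its default; if `cfg` is `config.commonSettings.proxyServer`, as the `cfg.warp.*` references suggest, any host that enables the server without setting the port will hit infinite recursion, and a concrete default such as `default = 8080;` preserves the previously hard-coded port. The `onTuic` description says "first two port of tuic" while the route rule exempts `lib.range 1 3`, i.e. `sg1`..`sg3`; one of the two should be corrected so the option text matches what is routed.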