diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix
index 83b0e36..fffb74d 100644
--- a/machines/dolomite/common.nix
+++ b/machines/dolomite/common.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
 config = {
 sops = {
@@ -29,7 +29,9 @@
 commonSettings = {
 auth.enable = true;
- proxyServer.enable = true;
+ proxyServer = {
+ enable = true;
+ };
 };
 };
diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix
index e44fac4..0c22e07 100644
--- a/machines/dolomite/lightsail.nix
+++ b/machines/dolomite/lightsail.nix
@@ -39,6 +39,13 @@ in
 fsType = "vfat";
 };
+ swapDevices = [
+ {
+ device = "/var/lib/swapfile";
+ size = 4 * 1024;
+ }
+ ];
+
 boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
 boot.initrd.kernelModules = [ "xen-blkfront" ];
 boot.initrd.availableKernelModules = [ "nvme" ];
diff --git a/modules/nixos/common-settings/proxy-server.nix b/modules/nixos/common-settings/proxy-server.nix
index d2cfb0f..166bf2d 100644
--- a/modules/nixos/common-settings/proxy-server.nix
+++ b/modules/nixos/common-settings/proxy-server.nix
@@ -1,7 +1,6 @@
 {
 config,
 lib,
- pkgs,
 ...
 }:
@@ -32,7 +31,9 @@ let
 tag = "sg0";
 type = "trojan";
 listen = "::";
- listen_port = 8080;
+ listen_port = cfg.trojan.port;
+ tcp_multi_path = true;
+ tcp_fast_open = true;
 users = [
 {
 name = "proxy";
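Review bot: The new swapfile at `/var/lib/swapfile` is plain, unencrypted disk, so pages of the sing-box process (which holds the decrypted WireGuard private key and other sops-provided material on this host) can be swapped out in cleartext and then persist in the instance disk and any snapshot taken of it. Adding `randomEncryption.enable = true;` to the swap entry keeps the swapfile usable while encrypting it with a fresh key on each boot. `size` is given in megabytes per the NixOS option, so a short comment such as `# 4 GiB` on the `size = 4 * 1024;` line would save readers the lookup.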
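Review bot: `tcp_fast_open = true;` on the sg0 listener only takes effect for accepting connections if the kernel permits passive TFO, which Linux gates behind bit 0x2 of `net.ipv4.tcp_fastopen` (default 1, client side only); unless the host sets `boot.kernel.sysctl."net.ipv4.tcp_fastopen" = 3;` somewhere this diff does not show, the flag is a silent no-op and the handshake stays the ordinary three-way one. `tcp_multi_path` likewise depends on MPTCP being enabled in the running kernel (`net.mptcp.enabled`), which cannot be confirmed from here. Either set those sysctls in this module next to the firewall rules or add a comment above the two lines naming the kernel settings they rely on, e.g. `# needs net.ipv4.tcp_fastopen=3 (server-side TFO) and net.mptcp.enabled=1 on the host`.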
@@ -63,51 +64,77 @@ let
 ];
 tls = singTls;
 });
- outbounds = [
- {
- type = "wireguard";
- tag = "wg-out";
- private_key = {
- _secret = config.sops.secrets.wg_private_key.path;
- };
- local_address = [
- "172.16.0.2/32"
- { _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
- ];
- peers = [
- {
- public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
- allowed_ips = [
- "0.0.0.0/0"
- "::/0"
- ];
- server = "162.159.192.1";
- server_port = 500;
- }
- ];
- }
- {
- type = "direct";
- tag = "direct";
- }
- ];
- route = {
- rules = [
+ outbounds =
+ # warp outbound goes first to make it default outbound
+ (lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [
 {
- inbound = "sg0";
- outbound = "direct";
+ type = "wireguard";
+ tag = "wg-out";
+ private_key = {
+ _secret = config.sops.secrets.wg_private_key.path;
+ };
+ local_address = [
+ "172.16.0.2/32"
+ { _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
+ ];
+ peers = [
+ {
+ public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
+ allowed_ips = [
+ "0.0.0.0/0"
+ "::/0"
+ ];
+ server = "162.159.192.1";
+ server_port = 500;
+ }
+ ];
 }
+ ])
+ ++ [
+ {
- inbound = "sg4";
- outbound = "direct";
+ type = "direct";
+ tag = "direct";
 }
 ];
+ route = {
+ rules =
+ [
+ {
+ inbound = "sg4";
+ outbound = "direct";
+ }
+ ]
+ ++ (lib.optionals (!cfg.warp.onTuic) (
+ lib.forEach (lib.range 1 3) (i: {
+ inbound = "sg${toString i}";
+ outbound = "direct";
+ })
+ ))
+ ++ (lib.optionals (!cfg.warp.onTrojan) [
+ {
+ inbound = "sg0";
+ outbound = "direct";
+ }
+ ]);
 };
 };
 in
 {
 options.commonSettings.proxyServer = {
 enable = mkEnableOption "sing-box as a server";
+
+ trojan = {
+ port = mkOption {
+ type = lib.types.port;
+ default = cfg.trojan.port;
+ };
+ };
+
+ warp = {
+ onTrojan = mkEnableOption "forward to warp in trojan";
+ onTuic = mkEnableOption "forward to warp in first two port of tuic";
+ };
 };
 config = mkIf cfg.enable {
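Review bot: `default = cfg.trojan.port;` in the new `trojan.port` option refers to the option's own value, so a host that enables `proxyServer` without setting the port explicitly — which is exactly what machines/dolomite/common.nix does after this commit — will fail with an infinite recursion as soon as the trojan `listen_port` or the firewall entry in the later hunk is evaluated, assuming `cfg` is `config.commonSettings.proxyServer` as `mkIf cfg.enable` suggests. The default should be the value the earlier hunk removed from the listener: `default = 8080;`, ideally with a `description = "TCP port of the trojan inbound; also opened in the firewall.";` so the option shows up in generated docs. Separately, the `onTuic` description says "first two port of tuic" while the rule it controls iterates `lib.range 1 3` (sg1 through sg3), so either the text or the range should change to match the intent.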
@@ -132,7 +159,7 @@ in
 networking.firewall.allowedTCPPorts = [
 80
- 8080
+ cfg.trojan.port
 ];
 networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);