dolomite: disable warp

This commit is contained in:
xinyangli 2024-11-24 23:43:32 +08:00
parent ca8f27bafa
commit 7c5c8be995
Signed by: xin
SSH key fingerprint: SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
3 changed files with 75 additions and 39 deletions


@ -1,4 +1,4 @@
{ config, ... }: { config, lib, ... }:
{ {
config = { config = {
sops = { sops = {
@ -29,7 +29,9 @@
commonSettings = { commonSettings = {
auth.enable = true; auth.enable = true;
proxyServer.enable = true; proxyServer = {
enable = true;
};
}; };
}; };


@ -39,6 +39,13 @@ in
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [
{
device = "/var/lib/swapfile";
size = 4 * 1024;
}
];
boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
boot.initrd.kernelModules = [ "xen-blkfront" ]; boot.initrd.kernelModules = [ "xen-blkfront" ];
boot.initrd.availableKernelModules = [ "nvme" ]; boot.initrd.availableKernelModules = [ "nvme" ];
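Review bot: The new `swapDevices` entry puts an unencrypted swapfile at `/var/lib/swapfile`, so any secret material a service holds in memory — for example what sing-box reads from the `_secret` paths used elsewhere in this commit — can be paged to disk in the clear and survive a reboot. Unless the underlying filesystem is already encrypted, consider adding `randomEncryption.enable = true;` next to `device`/`size` so the swap is keyed freshly on every boot. The attribute set this hunk extends begins outside the hunk.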


@ -1,7 +1,6 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
@ -32,7 +31,9 @@ let
tag = "sg0"; tag = "sg0";
type = "trojan"; type = "trojan";
listen = "::"; listen = "::";
listen_port = 8080; listen_port = cfg.trojan.port;
tcp_multi_path = true;
tcp_fast_open = true;
users = [ users = [
{ {
name = "proxy"; name = "proxy";
@ -63,51 +64,77 @@ let
]; ];
tls = singTls; tls = singTls;
}); });
outbounds = [ outbounds =
{ # warp outbound goes first to make it default outbound
type = "wireguard"; (lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
type = "direct";
tag = "direct";
}
];
route = {
rules = [
{ {
inbound = "sg0"; type = "wireguard";
outbound = "direct"; tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
} }
])
++ [
{ {
inbound = "sg4"; type = "direct";
outbound = "direct"; tag = "direct";
} }
]; ];
route = {
rules =
[
{
inbound = "sg4";
outbound = "direct";
}
]
++ (lib.optionals (!cfg.warp.onTuic) (
lib.forEach (lib.range 1 3) (i: {
inbound = "sg${toString i}";
outbound = "direct";
})
))
++ (lib.optionals (!cfg.warp.onTrojan) [
{
inbound = "sg0";
outbound = "direct";
}
]);
}; };
}; };
in in
{ {
options.commonSettings.proxyServer = { options.commonSettings.proxyServer = {
enable = mkEnableOption "sing-box as a server"; enable = mkEnableOption "sing-box as a server";
trojan = {
port = mkOption {
type = lib.types.port;
default = cfg.trojan.port;
};
};
warp = {
onTrojan = mkEnableOption "forward to warp in trojan";
onTuic = mkEnableOption "forward to warp in first two port of tuic";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
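Review bot: The guard `lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan)` uses Nix's attribute-default `or`, not boolean disjunction: since `onTuic` is always a defined option, the expression always evaluates to `cfg.warp.onTuic`, so `onTrojan` alone never adds the `wg-out` outbound while the `!cfg.warp.onTrojan` branch still drops the `sg0` rule — trojan traffic then falls through to the default `direct` outbound instead of warp, with no error. It should read `(lib.optionals (cfg.warp.onTuic || cfg.warp.onTrojan) [`. Separately, the new `trojan.port` option is declared with `default = cfg.trojan.port;`, i.e. it defaults to itself, which is an infinite recursion whenever the port is not set explicitly; the value this replaces suggests `default = 8080;`. The `onTuic` description says "first two port of tuic" while the rule built from `lib.range 1 3` covers `sg1`..`sg3`, so one of the two should be corrected. The `let` block this hunk edits starts before the hunk and the `config = mkIf cfg.enable` body continues after it.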
@ -132,7 +159,7 @@ in
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
8080 cfg.trojan.port
]; ];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);