dolomite: add an instance at sg

2023-12-06 22:54:22 +08:00 · 2023-12-06 22:54:22 +08:00 · 9fb8bcd621
commit 9fb8bcd621
parent 9986100945
7 changed files with 132 additions and 80 deletions
--- a/machines/dolomite/default.nix
+++ b/machines/dolomite/default.nix
@ -1,8 +1,6 @@
 { config, pkgs, lib, modulesPath, ... }:
 let
-  sg_server = {
-    _secret = config.sops.secrets.singbox_sg_server.path;
-  };
+  cfg = config.custom;
  sg_password = {
    _secret = config.sops.secrets.singbox_sg_password.path;
  };
@ -11,65 +9,75 @@ let
  };
  singTls = {
    enabled = true;
-    server_name = sg_server;
-    key_path = config.security.acme.certs."video.namely.icu".directory + "/key.pem";
-    certificate_path = config.security.acme.certs."video.namely.icu".directory + "/cert.pem";
+    server_name = cfg.domain;
+    key_path = config.security.acme.certs.${cfg.domain}.directory + "/key.pem";
+    certificate_path = config.security.acme.certs.${cfg.domain}.directory + "/cert.pem";
  };
 in
 {
+  options = {
+    custom.domain = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+    };
+  };
+
  imports = [
    "${modulesPath}/virtualisation/amazon-image.nix"
    ../sops.nix
  ];

-  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
-  boot.kernel.sysctl = {
-    "net.core.default_qdisc" = "fq";
-    "net.ipv4.tcp_congestion_control" = "bbr";
-  };
+  config = {
+    boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
+    boot.kernel.sysctl = {
+      "net.core.default_qdisc" = "fq";
+      "net.ipv4.tcp_congestion_control" = "bbr";
+    };

-  networking.firewall.trustedInterfaces = [ "tun0" ];
+    networking.firewall.trustedInterfaces = [ "tun0" ];

-  security.acme = {
-    acceptTerms = true;
-    certs."video.namely.icu" = {
-      email = "me@namely.icu";
-      listenHTTP = ":80";
+    security.acme = {
+      acceptTerms = true;
+      certs.${cfg.domain} = {
+        email = "me@namely.icu";
+        listenHTTP = ":80";
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 80 8080 ];
+    networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
+
+    services.sing-box = {
+      enable = true;
+      settings = {
+        inbounds = [
+          {
+            tag = "sg0";
+            type = "trojan";
+            listen = "::";
+            listen_port = 8080;
+            users = [
+              { name = "proxy";
+                password = sg_password;
+              }
+            ];
+            tls = singTls;
+          }
+        ] ++ lib.forEach (lib.range 6311 6314) (port: {
+            tag = "sg" + toString (port - 6310);
+            type = "tuic";
+            listen = "::";
+            listen_port = port;
+            congestion_control = "bbr";
+            users = [
+              { name = "proxy";
+                uuid = sg_uuid;
+                password = sg_password;
+              }
+            ];
+            tls = singTls;
+          });
+      };
    };
  };
-  networking.firewall.allowedTCPPorts = [ 80 8080 ];
-  networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);

-  services.sing-box = {
-    enable = true;
-    settings = {
-      inbounds = [
-        {
-          tag = "sg0";
-          type = "trojan";
-          listen = "::";
-          listen_port = 8080;
-          users = [
-            { name = "proxy";
-              password = sg_password;
-            }
-          ];
-          tls = singTls;
-        }
-      ] ++ lib.forEach (lib.range 6311 6314) (port: {
-          tag = "sg" + toString (port - 6310);
-          type = "tuic";
-          listen = "::";
-          listen_port = port;
-          congestion_control = "bbr";
-          users = [
-            { name = "proxy";
-              uuid = sg_uuid;
-              password = sg_password;
-            }
-          ];
-          tls = singTls;
-        });
-    };
-  };
 }