dolomite: add an instance at sg

.sops.yaml

@@ -2,7 +2,8 @@ keys:
   - &xin age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
   - &host-calcite age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
   - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
-  - &host-dolomite age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
+  - &host-dolomite00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
+  - &host-dolomite01 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
 creation_rules:
   - path_regex: machines/calcite/secrets.yaml
     key_groups:
@@ -20,7 +21,8 @@ creation_rules:
       - *xin
       - *host-calcite
       - *host-raspite
-      - *host-dolomite
+      - *host-dolomite00
+      - *host-dolomite01
   - path_regex: home/xin/secrets.yaml
     key_groups:
     - age:

flake.nix

@@ -75,9 +75,9 @@
               ];
           };
 
-          dolomite = { name, nodes, pkgs, ... }: with inputs; {
+          dolomite00 = { name, nodes, pkgs, ... }: with inputs; {
               imports = [
-                  { nixpkgs.system = "x86_64-linux"; }
+                  { nixpkgs.system = "x86_64-linux"; custom.domain = "video.namely.icu"; }
                   machines/dolomite
               ];
               deployment = {
@@ -85,6 +85,17 @@
                 buildOnTarget = false;
               };
           };
+
+          dolomite01 = { name, nodes, pkgs, ... }: with inputs; {
+              imports = [
+                  { nixpkgs.system = "x86_64-linux"; custom.domain = "video01.namely.icu"; }
+                  machines/dolomite
+              ];
+              deployment = {
+                targetHost = "video01.namely.icu";
+                buildOnTarget = false;
+              };
+          };
       };
 
       nixosConfigurations.calcite = mkNixos {

machines/calcite/configuration.nix

@@ -188,7 +188,7 @@
     digikam
 
     # IM
-    cinny-desktop
+    element-desktop
     tdesktop
     qq
     config.nur.repos.xddxdd.wechat-uos

machines/dolomite/default.nix

@@ -1,8 +1,6 @@
 { config, pkgs, lib, modulesPath, ... }:
 let
-  sg_server = {
+  cfg = config.custom;
-    _secret = config.sops.secrets.singbox_sg_server.path;
-  };
   sg_password = {
     _secret = config.sops.secrets.singbox_sg_password.path;
   };
@@ -11,65 +9,75 @@ let
   };
   singTls = {
     enabled = true;
-    server_name = sg_server;
+    server_name = cfg.domain;
-    key_path = config.security.acme.certs."video.namely.icu".directory + "/key.pem";
+    key_path = config.security.acme.certs.${cfg.domain}.directory + "/key.pem";
-    certificate_path = config.security.acme.certs."video.namely.icu".directory + "/cert.pem";
+    certificate_path = config.security.acme.certs.${cfg.domain}.directory + "/cert.pem";
   };
 in
 {
+  options = {
+    custom.domain = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+    };
+  };
+
   imports = [
     "${modulesPath}/virtualisation/amazon-image.nix"
     ../sops.nix
   ];
 
-  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
+  config = {
-  boot.kernel.sysctl = {
+    boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
-    "net.core.default_qdisc" = "fq";
+    boot.kernel.sysctl = {
-    "net.ipv4.tcp_congestion_control" = "bbr";
+      "net.core.default_qdisc" = "fq";
-  };
+      "net.ipv4.tcp_congestion_control" = "bbr";
+    };
 
-  networking.firewall.trustedInterfaces = [ "tun0" ];
+    networking.firewall.trustedInterfaces = [ "tun0" ];
 
-  security.acme = {
+    security.acme = {
-    acceptTerms = true;
+      acceptTerms = true;
-    certs."video.namely.icu" = {
+      certs.${cfg.domain} = {
-      email = "me@namely.icu";
+        email = "me@namely.icu";
-      listenHTTP = ":80";
+        listenHTTP = ":80";
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 80 8080 ];
+    networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
+
+    services.sing-box = {
+      enable = true;
+      settings = {
+        inbounds = [
+          {
+            tag = "sg0";
+            type = "trojan";
+            listen = "::";
+            listen_port = 8080;
+            users = [
+              { name = "proxy";
+                password = sg_password;
+              }
+            ];
+            tls = singTls;
+          }
+        ] ++ lib.forEach (lib.range 6311 6314) (port: {
+            tag = "sg" + toString (port - 6310);
+            type = "tuic";
+            listen = "::";
+            listen_port = port;
+            congestion_control = "bbr";
+            users = [
+              { name = "proxy";
+                uuid = sg_uuid;
+                password = sg_password;
+              }
+            ];
+            tls = singTls;
+          });
+      };
     };
   };
-  networking.firewall.allowedTCPPorts = [ 80 8080 ];
-  networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
 
-  services.sing-box = {
-    enable = true;
-    settings = {
-      inbounds = [
-        {
-          tag = "sg0";
-          type = "trojan";
-          listen = "::";
-          listen_port = 8080;
-          users = [
-            { name = "proxy";
-              password = sg_password;
-            }
-          ];
-          tls = singTls;
-        }
-      ] ++ lib.forEach (lib.range 6311 6314) (port: {
-          tag = "sg" + toString (port - 6310);
-          type = "tuic";
-          listen = "::";
-          listen_port = port;
-          congestion_control = "bbr";
-          users = [
-            { name = "proxy";
-              uuid = sg_uuid;
-              password = sg_password;
-            }
-          ];
-          tls = singTls;
-        });
-    };
-  };
 }

machines/secrets.yaml

@@ -5,6 +5,7 @@ github_public_token: ENC[AES256_GCM,data:SYj6F8jXhAvpYgPllyJca4cdekp52ayYPndCaGt
 singbox_domain: ENC[AES256_GCM,data:D14hCWxVZG3EL/fIIYVs8G/bWGo=,iv:slK/UPnLtT2Uu4aXWLCOGSTGZ8U41ZhUexB9/Yy/AaE=,tag:NQ2PtV6jcT4jTZLgDzTfAg==,type:str]
 singbox_password: ENC[AES256_GCM,data:yEDny7bjaUpCoo0fXInfi/6phc6na4tJFwJhsW1yprn+Xm/x,iv:I+lmPWGdCOhpxL5tzfBR4KtIR3Bl5ECrBD95gUkwL+Y=,tag:OPzAxS7K5QQ6xEYFQ5gy4A==,type:str]
 singbox_sg_server: ENC[AES256_GCM,data:5rogqKm5yiy5Yvz4Vo1a6Q==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:9fVlCP/DadcOvhO3c1oCzw==,type:str]
+singbox_jp_server: ENC[AES256_GCM,data:xKTcxkcu1WIsT/wlMpEoqGJK,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:+Nwsx65/gdrDhL1ZurR5Ng==,type:str]
 singbox_sg_password: ENC[AES256_GCM,data:eR2AI3BQHhWbCCGvSlIyCTR4zzWyKrgJ,iv:Fdg/E2v8aY6OeDbTTT1ZF8RfeYmbMzMUy7LBrMxZ274=,tag:SShma8nF+m/GZLilHl5+Sw==,type:str]
 singbox_sg_uuid: ENC[AES256_GCM,data:6As9sHY/DoIWzm1/tHxzUEF+JCbf0LxCYsahriADaNEha+ob,iv:C/5GXrR6tSyirYRB6XQ3+yL2n1hB8LEchGBjT7nxsgg=,tag:BoVmH86uTxTwbRUzJ8SZRQ==,type:str]
 sops:
@@ -16,41 +17,50 @@ sops:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTW9oblRGVXZSYU1UaUpY
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweTlPTGVRbUlndTdES0s2
-            bEJvd0FST3gydXRzQ25GNm5vMEsyMlJpU0RRCjNFTk9rajQraGhoWFhFTDFtTnNE
+            SVM2N2FUMnozQk11cDk0cTFEb1l6YldkVHc4CmhnNzJyY1VKRWhpc0tTbFNKeDBD
-            aDNuaTZRZUtVcWkrN1RvZmZBRmJVTVkKLS0tIFdta3l4M3JoTU9tTllLUENOdTU0
+            a0hzMi93Ly9zY2Fjd1RCdjV6WnVmOU0KLS0tIFh6NVFteWxxNithMGM0dnJiNE9X
-            K2UxRnNTcEw4OC85cWdFNlVSMnlseFUKXtUh8vavnw5I+16bZszXNXmDndXovAN/
+            dGovQ2ZMZWx1djVkb0Y4ZVNLRDJPRncKz0N/zP3mN97BpLaDgE9hx/zooGyHAnvC
-            XzrbfhXyE8B7jxlsSp6b5mu7RXWHP9knM2BqfrhhK0NJ/uuKfKNIEA==
+            D8iH/1PZ21uMYeUQq83B8mDKbv+qAltA/vD+ZNnb4ULjYLmVn5p/hQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzd2tMOXVCZFJsaWJDV1FQ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUkxVTUtYZ0RWUFVxY0Rl
-            UWpoSDgxVUZ6UCt3Z2I5YjFxcnUzK3dNVndnClZBV29OV0swZzd5UmJsQ2J3RFpo
+            UFFadVlzUFJVMGpzRVd5bHVDQmQycVlNSkcwCkMvcUJMRFVWTzNHZ3pxemRLelJP
-            UnpvQ21BajBYc2xzWDNHWStzNTJLelkKLS0tIDNROGJQTzNDZUZHU09RcUpGemJr
+            K3pQMFdURmpRUVRuL1lzT09FVVdBd3MKLS0tIE9LY0NHSW1UWUJpbWdNQW1CVUlD
-            dnpGSmdCRXJsU2FNV0V1N0pSczJwRTgK99s4wGGlpgkmr6sFzw8iqEPy2c3CvrvK
+            b1FmZnVjOFFCMDVXdFBtZzZWdkt6RVUKvLoHmEhkyeKHlstRoT3duTIQTojxzcFI
-            Ak+DlVCx6G9YXCIoXPIysY3EkfrKQwf/5LUMxSTN8V1gOMeTyomt/w==
+            NapIBB3/6Qqho+kYc8/hLWb61EsSX9yqO9C6f6FpFrwi0696OvP3mA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWU0xQzRqbG1CTnlSZmFj
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZFNoMmNXV2F1U2E2bUhv
-            TFZvMHU3NVVQTTVHZzJkZ3FGS3doRXhGamdjCk0vaGVaZWlwT2NLd0NPeUliQ09Q
+            K3lGTCs2KzZYbXVlWEdVelNDTS80SW85c0J3CkszNGkrbFVKWks4dmwyYlpQMkpW
-            cFNiMGZqUHliUEw1WDlWV3ZsR0lRYzAKLS0tIG8wWm1IK2tpRGhQVVNCQU83cnFB
+            Zm02cG41ZlpwcEdCbzFkSHpjWHpCdG8KLS0tIHlrNXp6TTI5ZnhGTUNMWTZ0ekVS
-            S1lwZ2NDRGQyOW92R2JLakRUMG1JUkUKHNvXcHFlbgssrzLVdFxIT7QpMiPK5zoy
+            VExPWk1zeVExYXdaL2o1WVB5NlhsNFkK3vsnc4qE08W13ttzt+YCHbQh2c/mOxFZ
-            /OqQhXZ/ewER3b+kMidZv5QXU6GvMWsriT24/yyfTc0tEe7t/Ojm4A==
+            DneXTgOjkyBaY5JDFKlzlIN3m8QRBG5vPOuSKXaoFmY8E68RzNey3w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZK3o4WkZqaldXd2lBUm5r
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdHA5WHA2V2RNTTZXNVVT
-            NWVNMVh5SXZmVmFlUldiVUdrYitPK3dUUVJzCjJnSHR0ZmpmMzF3ZnlBeEJ6bHc0
+            Wks2a2tqT045ZkJFYTN2RHhmdkZxMjlPRDNFCm1HaHhLNkp6NWZxNUYvOTRybE1Z
-            T0p2SXpoOGprbEdyUC9oWklTRndFcTAKLS0tIGN6VUZmVEJkWk5xR2dUaU1mbkZB
+            Y1l5eDFkcXRWSko3ODhqV2htb3pzcDQKLS0tIGI3YlI4dCtMbGl1aHFZdDBic0Jv
-            TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb
+            LzV3NWhFQTlaZ1Y3R0paaEZPZDNpZzgK3/ZE3+F+mq574MfiF7PRlKmAU6mUTiGF
-            naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig==
+            Ffqh0kQumHH7nBuunD0L7Zp2j15hMjUs/oxX558jY9BNl+rN2VWO0Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-30T16:23:27Z"
+        - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
-    mac: ENC[AES256_GCM,data:TMy8toui6/DbFpyc+K7r+DN6Q21W9XKNxZeB44hJ+Sw3i+z46/m+lNJYbFVn/l/g7KykWMCi0UP8bgQtRrf6ARqyZkgXX/2H3FRyC1WXY9IJFXib05TtvXQQCkqscyWjEjkGBR8VREkVGCKEZAKdHqXFve70FrlxiWZgDv6QrIM=,iv:ukv1Mo6bwrTjsLnKzOesZiT1z5k6nvg7F8dk4fUsDUI=,tag:JM/iCdj+broRn1AxD2tQTg==,type:str]
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueFhiQzdMaU1zR2VtOEtO
+            WFVtdVJLU3B3TzRSSENodUpuUm03TnBHQnhBCmRrdjJScEVsS0JTQmthZWIzVFlv
+            TVY3TUo0VllPWElua21mczZvT3YxYjAKLS0tIFpDcE0wSXdSRXFGY2tLd1orVE9L
+            Y2MyZUhOaEVVZU9Hc0xHbWtMdG1Ca2cKHU7pgODnNVDiMFF6be07a320a9HWKIdO
+            OKFA9R6WX1TFhKBKNDqK/mokJBTxu4nR16ewHSWOU13O/M8aKCQhug==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-02T15:24:19Z"
+    mac: ENC[AES256_GCM,data:dgWoBRMuDxVT/j/ybQX7suehwsjy86rJ0pJ1UeDQcTywIeK8WgIvNuq+T1x9UFgPWn7xt+vMQV665hugTl8T4Wb7Eot2FqM3KPq8EONVaGLAxtQv75MQmcJD+5kfSSsDC+HVujmWl5uFy5jzFJgrHEsm2v9lCxRO/2kvjbQbZAM=,iv:YBz+OewY51YNhjPF4QSq27vT6zEwFCkPW5MctOQ7AvQ=,tag:Tfbo7o4QgMUP6UPTJ36dTg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

machines/sing-box.nix

@@ -12,6 +12,10 @@ let
   sg_server = {
     _secret = config.sops.secrets.singbox_sg_server.path;
   };
+  jp_server = {
+    _secret = config.sops.secrets.singbox_jp_server.path;
+  };
+  # TODO: diffrent password
   sg_password = {
     _secret = config.sops.secrets.singbox_sg_password.path;
   };
@@ -50,6 +54,10 @@ in
             domain_suffix = sg_server;
             server = "_dns_doh_mainland";
           }
+          {
+            domain_suffix = jp_server;
+            server = "_dns_doh_mainland";
+          }
         ];
         servers = [
           {
@@ -123,8 +131,9 @@ in
         ];
       };
       outbounds = [ 
-        { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 800; url = "http://www.gstatic.com/generate_204"; interval = "1m0s"; }
+        { tag = "selfhost"; type = "urltest"; outbounds = lib.forEach (lib.range 0 4) (id: "jp" + toString id) ++ lib.forEach (lib.range 0 4) (id: "sg" + toString id); tolerance = 50; url = "http://www.gstatic.com/generate_204"; }
         { tag = "sg0"; type = "trojan"; server = sg_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = sg_server; utls = { enabled = true; fingerprint = "firefox"; }; }; }
+        { tag = "jp0"; type = "trojan"; server = jp_server; server_port = 8080; password = sg_password; tls = { enabled = true; server_name = jp_server; utls = { enabled = true; fingerprint = "firefox"; }; }; }
         
         { default = "auto"; outbounds = [ "auto" "selfhost" "direct" "block"]; tag = "_proxy_select"; type = "selector"; }
         { interval = "1m0s"; outbounds = [ "香港SS-01" "香港SS-02" "香港SS-03" "香港SS-04" "日本SS-01" "日本SS-02" "日本SS-03" "美国SS-01" "美国SS-02" "美国SS-03" "台湾SS-01" "台湾SS-02" "台湾SS-03" "台湾SS-04" "香港中继1" "香港中继2" "香港中继3" "香港中继4" "香港中继5" "香港中继6" "香港中继7" "香港中继8" "日本中继1" "日本中继2" "日本中继3" "日本中继4" "美国中继1" "美国中继2" "美国中继3" "美国中继4" "美国中继5" "美国中继6" "美国中继7" "美国中继8" "新加坡中继1" "新加坡中继2" "台湾中继1" "台湾中继2" "台湾中继3" "台湾中继4" "台湾中继5" "台湾中继6" "韩国中继1" "韩国中继2" ]; tag = "auto"; tolerance = 300; type = "urltest"; url = "http://www.gstatic.com/generate_204"; }
@@ -184,6 +193,15 @@ in
         uuid = sg_uuid;
         password = sg_password;
         tls = { enabled = true; server_name = sg_server; };
+      }) ++ lib.forEach (lib.range 6311 6314) (port: {
+        tag = "jp" + toString (port - 6310);
+        type = "tuic";
+        congestion_control = "bbr";
+        server = jp_server;
+        server_port = port;
+        uuid = sg_uuid;
+        password = sg_password;
+        tls = { enabled = true; server_name = jp_server; };
       });
     };
   };

machines/sops.nix

@@ -7,7 +7,7 @@
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
     secrets = {
       github_public_token = {
-        owner = "xin";
+        owner = "root";
       };
       clash_subscription_link = { 
         owner = "root";
@@ -21,6 +21,9 @@
       singbox_sg_server = {
          owner = "root";
       };
+      singbox_jp_server = {
+         owner = "root";
+      };
       singbox_sg_password = {
          owner = "root";
       };