xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

dolomite: sing-box outbound to cf warp+

Browse source
This commit is contained in:
xinyangli 2023-12-19 21:32:40 +08:00
parent 3bc12ecfa3
commit fcdc65d8ce
9 changed files with 261 additions and 169 deletions
Download patch file Download diff file Expand all files Collapse all files

112
machines/dolomite/default.nix
View file

@ -1,33 +1,24 @@
{ config, pkgs, lib, modulesPath, ... }:
let
cfg = config.custom;
sg_password = {
_secret = config.sops.secrets.singbox_sg_password.path;
};
sg_uuid = {
_secret = config.sops.secrets.singbox_sg_uuid.path;
};
singTls = {
enabled = true;
server_name = cfg.domain;
key_path = config.security.acme.certs.${cfg.domain}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${cfg.domain}.directory + "/cert.pem";
};
in
{ inputs, config, pkgs, lib, modulesPath, ... }:
{
options = {
custom.domain = lib.mkOption {
type = lib.types.str;
default = "";
};
};
imports = [
"${modulesPath}/virtualisation/amazon-image.nix"
../sops.nix
"${modulesPath}/virtualisation/amazon-image.nix"
];
config = {
sops = {
secrets = {
wg_private_key = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
wg_ipv6_local_addr = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
};
};
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
@ -38,7 +29,7 @@ in
security.acme = {
acceptTerms = true;
certs.${cfg.domain} = {
certs.${config.deployment.targetHost} = {
email = "me@namely.icu";
listenHTTP = ":80";
};
@ -46,9 +37,31 @@ in
networking.firewall.allowedTCPPorts = [ 80 8080 ];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
services.sing-box = {
services.sing-box = let
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
password = {
_secret = config.sops.secrets.singbox_password.path;
};
uuid = {
_secret = config.sops.secrets.singbox_uuid.path;
};
in
{
enable = true;
settings = {
dns = {
servers = [
{
address = "1.1.1.1";
detour = "wg-out";
}
];
};
inbounds = [
{
tag = "sg0";
@ -57,7 +70,7 @@ in
listen_port = 8080;
users = [
{ name = "proxy";
password = sg_password;
password = password;
}
];
tls = singTls;
@ -70,12 +83,53 @@ in
congestion_control = "bbr";
users = [
{ name = "proxy";
uuid = sg_uuid;
password = sg_password;
uuid = uuid;
password = password;
}
];
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{ public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [ "0.0.0.0/0" "::/0" ];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
type = "direct";
tag = "direct";
}
{
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
{
outbound = "dns-out";
protocol = "dns";
}
{
geoip = "cn";
geosite = "cn";
outbound = "direct";
}
];
};
};
};
};

31
machines/dolomite/secrets/sgp-00.yaml Normal file
View file

@ -0,0 +1,31 @@
wg_private_key: ENC[AES256_GCM,data:UjxZ3iC5hxVcVJdEUJ3+myaQ/6MvghDw6eKa2flSuxMwFS31WB7r3evjlI0=,iv:BjgXCps6gx1ISghEO42x5aKb+c/n0P1V8FMVlPxAyLY=,tag:IkxCkpyVre+sFoBlRSFpMA==,type:str]
wg_ipv6_local_addr: ENC[AES256_GCM,data:ejDYuZjZCKcsvyUUKdXtxgBqWloIwYHmpc/YwCYq7O2thsxvOou6iSHf,iv:HDrMlec4svxHpZXMyRDzpdSKeJbTmkZPd98SHv2ZLhQ=,tag:LjpapuaJ6sl4USZC8xEU5w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUkpVa0dCSE1rTjZpaWR1
cjJjc25iOEV4TnhQUWE4SjI4QWVZYXdVcHdBCkIrNlVrV2xJRURVSG9sUHozeE5s
NitsV1MvcENZTHhmU01CSTRVNENXUFEKLS0tIGgxakQ2cGIzdzg5QzRoT3ZSaXUx
TkN5MkNTNitWMzVKZWdhNGRIZ3VNNDgKQ6lwM6EowuGOrskUpwD8VGirravE+e3/
Hkv5jLvvfVjmg0kvKlNRotTHrRUGV04JsbW7T9FfbKyYpmEb6oCrsg==
-----END AGE ENCRYPTED FILE-----
- recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSUlkQzhYSGwyNnYvNHpQ
UktKOUZiYk56S0piVy9ZMFdYVFdsN1FEVkhVCnZETEM5MW84TlNpbm1hSXJtR2Yy
OEdrSi9lcmJOR2F1cUZqc0NyQjl4RDgKLS0tIHVLcnRicmVNd2MwVjB4cGFXTlBu
VkJCcXdqTkUzejNzSjIvV2YrVUc5Sm8KutTATsWJ5+yB/CFoGwTNshyI5LzwH4x5
i5EIIkVPdxSIHrXUp0j6+RPWMJvEOFIE3dVwxz+MxqqHqtmEny1WKA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-19T12:31:51Z"
mac: ENC[AES256_GCM,data:AY0/qJ1ZXv4mQlHnG3uY2zQ0FhIYjHBWKyXXpv2/Q6yZkuSu6nIQk039nd+nk7lczXy2cylTHyjYv5vDF6BJARhu4jeYov6yMqYR8ye8rXjZKcOfrN5yv7LV6jyuzBRBkCWTQsaoR8ycKHlrMe+vkAGu50epdAQjAG+Qv6RkBiM=,iv:dMi2CququdEIg+g8NMUb8ioKwEkUqTP+nrivtsUYUUY=,tag:drHI6oJUUwN3JadCHbWWkg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

31
machines/dolomite/secrets/tok-00.yaml Normal file
View file

@ -0,0 +1,31 @@
wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str]
wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYTc2a2J3ZXRXTlRxQTAx
UjZVTTVPa0FjbS9jekI5eXhLOTdUQTlBS2pJCnVPL2Q1d05QR2NpTDVZeDFpSCs3
Yjh3aXkvdTBIOThVMGMzcUZmUWhtTjgKLS0tIFZvcy9zRVBRcDN0ekp0MEV5cEph
ZURTL3hnSHgwQTlSNklCK25icEM0SGsKq2jM6jXLfK38BgV0calwKLuHIcGw0zed
lT19Mt9jFsqmIkpJh1U9Ddpz63WND+7ruMdTZt6RWStIxww4m7pevg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSXBqdXcxUDNkS29Gd3ZY
dTA3bmNUVThtTFJtdnFpSjZQT01TTXhpYUc4CkFhcm14eUw1YXIyWEViMSsyc3pr
VUJqWWdHMCtoRGQ1T3dMQlg3ZTZ5dGMKLS0tIGQvbGpFZTdrVUFURE9tdENCZGwr
aDBKbitCTmhxNXVNRGh6TVBvbkNhTUEKIuj7B4RdueX7BfExgzVoo6YJf59GsUHa
j5kIJ5UeTqWEBGBaXcPjhHMEQjYqwSBsVz2XJmsxLhi8WxejLio8FA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-19T12:30:24Z"
mac: ENC[AES256_GCM,data:f+7+O2ZVSZJhr0fJlfO/AtZC2N/7gsNu1f4cnUoXYFb1wobyU6tLkbwGqeyIulokgIDAU5lJ62TJXAjybe+kE+PGtpr61KS7dyiO0LjzcT/X898oBYvJ9jtkuxDzKM4ve570U7ZmS7Jbxt2NJEkcBvSUJRdJHH5l0sDrvmW8cwY=,iv:mno6jVUDUWxsO353hbCqGub+NYfk0XFsWzmWCBUt6Gg=,tag:KOw7HTy+pETha5pzx5Pf8Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1