diff --git a/flake.lock b/flake.lock index f46f16e..e45132d 100644 --- a/flake.lock +++ b/flake.lock @@ -68,11 +68,11 @@ ] }, "locked": { - "lastModified": 1733168902, - "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=", + "lastModified": 1732988076, + "narHash": "sha256-2uMaVAZn7fiyTUGhKgleuLYe5+EAAYB/diKxrM7g3as=", "owner": "nix-community", "repo": "disko", - "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5", + "rev": "2814a5224a47ca19e858e027f7e8bff74a8ea9f1", "type": "github" }, "original": { @@ -167,27 +167,6 @@ "type": "github" } }, - "flake-parts_3": { - "inputs": { - "nixpkgs-lib": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-utils": { "locked": { "lastModified": 1659877975, @@ -302,11 +281,11 @@ ] }, "locked": { - "lastModified": 1733754861, - "narHash": "sha256-3JKzIou54yjiMVmvgdJwopekEvZxX3JDT8DpKZs4oXY=", + "lastModified": 1733085484, + "narHash": "sha256-dVmNuUajnU18oHzBQWZm1BQtANCHaqNuxTHZQ+GN0r8=", "owner": "nix-community", "repo": "home-manager", - "rev": "9ebaa80a227eaca9c87c53ed515ade013bc2bca9", + "rev": "c1fee8d4a60b89cae12b288ba9dbc608ff298163", "type": "github" }, "original": { @@ -439,11 +418,11 @@ ] }, "locked": { - "lastModified": 1733629314, - "narHash": "sha256-U0vivjQFAwjNDYt49Krevs1murX9hKBFe2Ye0cHpgbU=", + "lastModified": 1733024876, + "narHash": "sha256-vy9Q41hBE7Zg0yakF79neVgb3i3PQMSMR7uHPpPywFE=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "f1e477a7dd11e27e7f98b646349cd66bbabf2fb8", + "rev": "6e0b7f81367069589a480b91603a10bcf71f3103", "type": "github" }, "original": { 
@@ -463,11 +442,11 @@ ] }, "locked": { - "lastModified": 1733795858, - "narHash": "sha256-K595Q2PrZv2iiumdBkwM2G456T2lKsLD71bn/fbJiQ0=", + "lastModified": 1733104664, + "narHash": "sha256-UhlyYYO84s36aSj0/xZdclY6CgwJSWPYtTHTOBuHodM=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "66ced222ef9235f90dbdd754ede3d6476722aaa9", + "rev": "e3a9b717e8327886d4ab6115f6989f4d1ef44e51", "type": "github" }, "original": { @@ -478,11 +457,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1733481457, - "narHash": "sha256-IS3bxa4N1VMSh3/P6vhEAHQZecQ3oAlKCDvzCQSO5Is=", + "lastModified": 1733066523, + "narHash": "sha256-aQorWITXZu7b095UwnpUvcGt9dNJie/GO9r4hZfe2sU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "e563803af3526852b6b1d77107a81908c66a9fcf", + "rev": "fe01780d356d70fd119a19277bff71d3e78dad00", "type": "github" }, "original": { @@ -522,11 +501,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1733730953, - "narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=", + "lastModified": 1733016324, + "narHash": "sha256-8qwPSE2g1othR1u4uP86NXxm6i7E9nHPyJX3m3lx7Q4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7109b680d161993918b0a126f38bc39763e5a709", + "rev": "7e1ca67996afd8233d9033edd26e442836cc2ad6", "type": "github" }, "original": { @@ -538,11 +517,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1733805440, - "narHash": "sha256-AQdCeGt3dMV9/cchlWGMcP0Z8qM47V+B0p7cSRr+HhA=", + "lastModified": 1733128666, + "narHash": "sha256-JOIhbU0EPRXwFv1wCXGTkUZ9KnIcLxChvCqeV9hh63U=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "61b1078fca3a097ce06ada68a6f2766347eed02c", + "rev": "6273ca0a0fd51ac708a71e380c0cda97a72bbb07", "type": "github" }, "original": { 
@@ -552,22 +531,6 @@ "type": "github" } }, - "nixpkgs_3": { - "locked": { - "lastModified": 1733581040, - "narHash": "sha256-Qn3nPMSopRQJgmvHzVqPcE3I03zJyl8cSbgnnltfFDY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "22c3f2cf41a0e70184334a958e6b124fb0ce3e01", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixvim": { "inputs": { "devshell": "devshell", @@ -595,17 +558,12 @@ } }, "nur": { - "inputs": { - "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_3", - "treefmt-nix": "treefmt-nix_2" - }, "locked": { - "lastModified": 1733805328, - "narHash": "sha256-5F49/mOzFb40uUZh71uNr7kBXjDCw5ZfHMbpZjjUVBQ=", + "lastModified": 1733125101, + "narHash": "sha256-C8f6ekiZ4kP84JWLDrMigvnSK6RXQoxLEDoteXMx1yc=", "owner": "nix-community", "repo": "NUR", - "rev": "b54fa3d8c020e077d88be036a12a711b84fe2031", + "rev": "1844924bf1e7e5a98198eca17b6c27cc9a363b05", "type": "github" }, "original": { @@ -662,11 +620,11 @@ ] }, "locked": { - "lastModified": 1733785344, - "narHash": "sha256-pm4cfEcPXripE36PYCl0A2Tu5ruwHEvTee+HzNk+SQE=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "a80af8929781b5fe92ddb8ae52e9027fae780d2a", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": { @@ -742,27 +700,6 @@ "repo": "treefmt-nix", "type": "github" } - }, - "treefmt-nix_2": { - "inputs": { - "nixpkgs": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733222881, - "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49717b5af6f80172275d47a418c9719a31a78b53", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index d01cdba..c3c5982 100644 --- a/flake.nix +++ b/flake.nix 
@@ -111,9 +111,10 @@ nodeNixosModules = { calcite = [ nixos-hardware.nixosModules.asus-zephyrus-ga401 + nur.nixosModules.nur catppuccin.nixosModules.catppuccin machines/calcite/configuration.nix - (mkHome "xin" "calcite") + # (mkHome "xin" "calcite") ]; hk-00 = [ ./machines/dolomite/claw.nix diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 728dd93..8fbf3bb 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -5,12 +5,13 @@ ... }: { - imports = [ - ./modern-unix.nix - ]; + imports = [ ]; home.packages = with pkgs; [ dig + du-dust # du + rust + zoxide # autojumper + ripgrep file man-pages unar @@ -18,6 +19,7 @@ wget tmux ffmpeg + tealdeer rclone wl-clipboard diff --git a/home/xin/common/modern-unix.nix b/home/xin/common/modern-unix.nix deleted file mode 100644 index 298fae2..0000000 --- a/home/xin/common/modern-unix.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ pkgs, ... }: -{ - home.packages = with pkgs; [ - httpie - curlie - bat - htop - procs - rust-parallel - jq - fd - du-dust # du + rust - zoxide # autojumper - ripgrep - tealdeer - ]; -} diff --git a/machines/biotite/default.nix b/machines/biotite/default.nix index 741e281..5a51ab0 100644 --- a/machines/biotite/default.nix +++ b/machines/biotite/default.nix @@ -44,7 +44,6 @@ custom.prometheus.exporters = { enable = true; - node.enable = true; }; services.tailscale.enable = true; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c5afb73..2e99cbd 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -16,7 +16,7 @@ in ]; commonSettings = { - # auth.enable = true; + auth.enable = true; nix = { signing.enable = true; }; 
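Review bot: `# (mkHome "xin" "calcite")` leaves the disabled home-manager module as commented-out code in the `calcite` module list, and the sibling hunk in home/xin/common/default.nix leaves an empty `imports = [ ];` behind; both are dead text that git history already preserves. Delete the comment line (or replace it with a one-line reason such as `# home-manager for xin is intentionally not applied on calcite`) and drop the empty imports attribute. Worth confirming too that the packages lost with modern-unix.nix (httpie, curlie, bat, htop, procs, rust-parallel, jq, fd) were meant to go, since only du-dust, zoxide, ripgrep and tealdeer were carried over into default.nix.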
@@ -301,16 +301,11 @@ in zotero # onlyoffice-bin - wemeet + config.nur.repos.linyinfeng.wemeet virt-manager - wineWowPackages.waylandFull - winetricks ]; - services.esphome.enable = true; - users.groups.dialout.members = [ "xin" ]; - system.stateVersion = "22.05"; system.switch.enable = false; diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix index 65b10c7..c50c1a9 100644 --- a/machines/dolomite/common.nix +++ b/machines/dolomite/common.nix @@ -3,7 +3,6 @@ config = { sops = { age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = ./secrets/secrets.yaml; secrets = { wg_private_key = { owner = "root"; @@ -13,6 +12,14 @@ owner = "root"; sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; }; + "sing-box/password" = { + owner = "root"; + sopsFile = ./secrets/secrets.yaml; + }; + "sing-box/uuid" = { + owner = "root"; + sopsFile = ./secrets/secrets.yaml; + }; }; }; swapDevices = [ @@ -25,8 +32,6 @@ custom.prometheus.exporters = { enable = true; node.enable = true; - blackbox.enable = true; - v2ray.enable = true; }; custom.monitoring = { @@ -39,11 +44,6 @@ auth.enable = true; proxyServer = { enable = true; - users = [ - "wyj" - "yhb" - "xin" - ]; }; }; }; diff --git a/machines/dolomite/secrets/secrets.yaml b/machines/dolomite/secrets/secrets.yaml index e0df929..53a7131 100644 --- a/machines/dolomite/secrets/secrets.yaml +++ b/machines/dolomite/secrets/secrets.yaml 
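Review bot: `system.stateVersion = "22.05";` is removed from calcite's configuration; unless it is now set in a module outside this diff, NixOS evaluates with the current release's defaults for stateful services and warns that stateVersion is unset, so please confirm it is declared elsewhere before merging. The replacement `config.nur.repos.linyinfeng.wemeet` pulls the package expression from a third-party NUR user repository that is pinned by flake.lock but not reviewed in nixpkgs; a short comment next to it (`# from NUR user repo linyinfeng, pinned via flake.lock; re-check on lock bumps`) records that trust decision for whoever updates the lock next.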
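Review bot: `defaultSopsFile = ./secrets/secrets.yaml;` is removed from machines/dolomite/common.nix, but the `wg_private_key` secret declared directly below it shows no `sopsFile` in this hunk (its declaration continues outside the hunk); if it relied on the default, evaluating `config.sops.secrets.wg_private_key` now fails with sops-nix's missing-sopsFile error. Either keep the default or give that secret an explicit `sopsFile = ./secrets/secrets.yaml;`, as the new `sing-box/password` and `sing-box/uuid` entries in the next hunk do.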
@@ -1,14 +1,6 @@
 sing-box:
- users:
- wyj:
- password: ENC[AES256_GCM,data:yp+T3eci9RiuZzdmRSq5nTjHaz8e/Rri,iv:hIPc+7YHUnaIdU9O8GGx3r7l3oBA6prQb+KBQV0G+8k=,tag:2GNiBP4PQy+KGHgLupKGSg==,type:str]
- uuid: ENC[AES256_GCM,data:Qrgil6G7pjQAQzCCOlstDi27EqqmSuBMhs+RTl9++wrPrIgJ,iv:u+3Z17uX4I6li2qd9UP3y+WaKn7aKfbb3J6H1Pyc1QY=,tag:hSa4AB383/B58XMmZ8LIfQ==,type:str]
- yhb:
- password: ENC[AES256_GCM,data:TwRct68TePpcZcnpWIQpFaF23WGMre8=,iv:YU4mQNm0rt2u4ItJwQ8nZPEmJi0+lmEIPG2Kxh/nI58=,tag:ukZem38O/b42dEKM3CYa+w==,type:str]
- uuid: ENC[AES256_GCM,data:6hVhEqWPLVrn8rCS4x/eapd+iL7JRaXtOGCj9uuPlkGjBTMK,iv:VZ27KWCY6/K5GoNwRNmaRWzqfV7+8iFjtias1vKeGfA=,tag:8mhmZPooxHaGNYdznuFhMQ==,type:str]
- xin:
- password: ENC[AES256_GCM,data:SRiPFO+Uwy/PT41SIg7eI68wk4AX6so=,iv:aXwP5wa1IrlnvFo/ZL+DYFFHDdWw2Z83de3ApHUTsXo=,tag:sxXoy1FnDxZBQCDeNxphzQ==,type:str]
- uuid: ENC[AES256_GCM,data:7xK53SO4x0tOIEIYl6kmmAvnpdsR/tYQoG1t/ytsnO4QqWY3,iv:i694Fnu7g1OA3IGzSaoSGA5/eMPo+I/1TZbYuaQrgNA=,tag:4cUlioJn/IvsvZclgboOSA==,type:str]
+ password: ENC[AES256_GCM,data:qCc1v8nAL0oYisRinMDXGrBQA+r6XNoa,iv:eTxtad4kEdE28XqnrZEek8BtXNY1rNgLvGLxlMzRtl4=,tag:s/shWAkYE4DSnScpTY8ulQ==,type:str]
+ uuid: ENC[AES256_GCM,data:lEpz15sLOVrGDzQwTJyS+tFJY0bMeO265bxocWAjB6qrvxYx,iv:lhk5jl/udUH3AZEuk5ffuvin/qhRUaOZ/3nk1Jaw+DI=,tag:4mKFIVKT+D47njfDsxe9iA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -51,8 +43,8 @@ sops:
 K1F1SzI2NFNIKzlreVBXSjAxaUxQd28KFaf1uu7OlqIe0TirJFgS3iPjhXPyfNDE
 m2XUjzdXp+chJCzVOFvpYStqz+e08ADEc+jp3YsTLcxyqvXhQdyL/Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-06T04:35:52Z"
- mac: ENC[AES256_GCM,data:DAg4UTwNv+rs6hye2z5UUtA1a4yZbFaAWjLoKAXf87tKgBCZzK8C1q6gLyTQOqp07ptYQd5Q951kfE1a/35SFJsubREzJmu6haxznRgq7pO5HDGqgtjYEHsngsWZh3bUSX/aG2dLISdD81VY68nLzTO0r4h/SL6DNG36RzJgL8E=,iv:V0WhENNt/Szi5VWVD2t5AsWP1tOZUGjFjMNYPDq59XI=,tag:ThRstdzVNtSs6E7qlvKPOw==,type:str]
+ lastmodified: "2024-12-02T05:26:17Z"
+ mac: ENC[AES256_GCM,data:K94zFWPWGUisLCqDjSLs17QxHXPH4tPU/98Sb4lCnt7IRAIn14x/T+BnInY/DK+DOVLLtzSfuN0kgzzGjSzwJx5Vq1G3MkhngRQQRT9dvODTCMAw6lPt98Ofw1CEEsFQnpYo9zIUlCGKg2YPKFLqE7OjkPxqw7VYvgzr5dDw58s=,iv:3xcJfNX5v/e9HgZt3UrHs2/C5ivaBV1rXKIBs9hKKFg=,tag:RQPQQ1cmZiOpQjUwqnzZQA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index a4f0d72..748a4ed 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -46,6 +46,18 @@ in
 };
 };
+ services.ntfy-sh = {
+ enable = true;
+ group = "caddy";
+ settings = {
+ listen-unix = "/var/run/ntfy-sh/ntfy.sock";
+ listen-unix-mode = 432; # octal 0660
+ base-url = "https://ntfy.xinyang.life";
+ };
+ };
+
+ systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";
+
 services.kanidm = {
 package = pkgs.kanidm.withSecretProvisioning;
 enableServer = true;
@@ -86,6 +98,15 @@ in
 services.caddy = {
 enable = true;
+ virtualHosts."xinyang.life:443".extraConfig = ''
+ tls internal
+ encode zstd gzip
+ reverse_proxy /.well-known/matrix/* localhost:6167
+ reverse_proxy * http://localhost:8080 {
+ flush_interval -1
+ }
+ '';
+
 virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
 reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
 '';
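Review bot: `tls internal` on the new `xinyang.life:443` host makes Caddy sign the certificate with its own local CA, which browsers and remote clients will not trust; the other hosts in this file, including the new `https://ntfy.xinyang.life`, rely on Caddy's automatic public certificates, so this looks unintended unless TLS is terminated by something in front of Caddy. If it is deliberate, state it next to the directive (`# TLS is terminated upstream; the internal CA only covers the last hop`); otherwise remove the line so the apex gets a publicly trusted certificate like the rest.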
@@ -98,5 +119,15 @@ in } } ''; + + virtualHosts."https://ntfy.xinyang.life".extraConfig = '' + reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix} + @httpget { + protocol http + method GET + path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/) + } + redir @httpget https://{host}{uri} + ''; }; } diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index 981fd14..e9cbb3b 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix @@ -67,18 +67,10 @@ in let probeList = [ "la-00.video.namely.icu:8080" - "fra-00.video.namely.icu:8080" + "fre-00.video.namely.icu:8080" "hk-00.video.namely.icu:8080" "home.xinyang.life:8000" ]; - chinaTargets = [ - "bj-cu-v4.ip.zstaticcdn.com:80" - "bj-cm-v4.ip.zstaticcdn.com:80" - "bj-ct-v4.ip.zstaticcdn.com:80" - "sh-cu-v4.ip.zstaticcdn.com:80" - "sh-cm-v4.ip.zstaticcdn.com:80" - "sh-ct-v4.ip.zstaticcdn.com:80" - ]; passwordFile = config.sops.secrets."prometheus/metrics_password".path; in (mkScrapes [ @@ -131,7 +123,6 @@ in { address = "thorite.coho-tet.ts.net"; } { address = "massicot.coho-tet.ts.net"; } { address = "weilite.coho-tet.ts.net"; } - { address = "biotite.coho-tet.ts.net"; } { address = "hk-00.coho-tet.ts.net"; } { address = "la-00.coho-tet.ts.net"; } { address = "fra-00.coho-tet.ts.net"; } @@ -149,27 +140,10 @@ in hostAddress = "weilite.coho-tet.ts.net"; targetAddresses = [ "la-00.video.namely.icu:8080" - "fra-00.video.namely.icu:8080" + "fre-00.video.namely.icu:8080" "hk-00.video.namely.icu:8080" ]; } - { - hostAddress = "la-00.coho-tet.ts.net"; - targetAddresses = chinaTargets; - } - { - hostAddress = "hk-00.coho-tet.ts.net"; - targetAddresses = chinaTargets; - } - { - hostAddress = "fra-00.coho-tet.ts.net"; - targetAddresses = chinaTargets; - } - ]) - ++ (mkV2rayScrapes [ - { address = "la-00.coho-tet.ts.net"; } - { address = "hk-00.coho-tet.ts.net"; } - { address = "fra-00.coho-tet.ts.net"; } ]); }; 
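Review bot: the `@httpget` matcher and `redir @httpget https://{host}{uri}` are taken from ntfy's example for a site that also accepts plain HTTP, but this host is declared `https://ntfy.xinyang.life`, so as far as I can see the `protocol http` condition can never match here and the redirect is dead configuration; Caddy's automatic HTTPS already redirects port-80 requests for this name. Either drop the matcher and redir lines, or, if the API is meant to be reachable over plain HTTP as in the upstream example, change the site address to `ntfy.xinyang.life` (both schemes) and keep the redirect.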
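Review bot: `fre-00.video.namely.icu:8080` replaces `fra-00.video.namely.icu:8080` in probeList and again in targetAddresses in the third hunk of machines/thorite/monitoring.nix, while the middle hunk keeps `{ address = "fra-00.coho-tet.ts.net"; }`; if `fre` is a typo for the Frankfurt host that is spelled `fra` everywhere else, both blackbox probes now target a name that may not resolve. With the `ProbeError` alert removed in overlays/my-lib/prometheus.nix later in this diff, such a failing probe would only show up as missing data rather than an alert, so please confirm the DNS name exists before merging.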
diff --git a/modules/home-manager/fish.nix b/modules/home-manager/fish.nix index 1b9f626..4d265d5 100644 --- a/modules/home-manager/fish.nix +++ b/modules/home-manager/fish.nix @@ -91,10 +91,6 @@ in ${pkgs.comma}/bin/comma $argv end set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha) - alias ctlsp="systemctl stop" - alias ctlst="systemctl start" - alias ctlrt="systemctl restart" - alias ctls="systemctl status" '' else ""; diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index 56bc382..d28eb50 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix @@ -25,9 +25,8 @@ in }; }; }; - config = mkIf cfg.enable { - home.packages = [ pkgs.git-absorb ]; - programs.git = { + config = { + programs.git = mkIf cfg.enable { enable = true; delta.enable = true; userName = "Xinyang Li"; @@ -43,10 +42,6 @@ in signByDefault = true; key = cfg.signing.keyFile; }; - extraConfig.absorb = { - oneFixupPerCommit = true; - maxStack = 20; - }; extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; }; extraConfig.gpg = mkIf cfg.signing.enable { format = "ssh"; }; }; diff --git a/modules/nixos/common-settings/proxy-server.nix b/modules/nixos/common-settings/proxy-server.nix index 2384900..b54774a 100644 --- a/modules/nixos/common-settings/proxy-server.nix +++ b/modules/nixos/common-settings/proxy-server.nix @@ -1,6 +1,5 @@ { config, - pkgs, lib, ... }: 
@@ -22,117 +21,106 @@ let config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; }; - mkSingConfig = users: { - log = { - level = "warn"; - }; - inbounds = - [ - { - tag = "sg0"; - type = "trojan"; - listen = "::"; - listen_port = cfg.trojan.port; - tcp_multi_path = true; - tcp_fast_open = true; - users = map (user: { - name = user.name; - password = { - _secret = user.passwordFile; - }; - }) users; - tls = singTls; - } - ] - ++ lib.forEach (lib.range 6311 6314) (port: { - tag = "sg" + toString (port - 6310); - type = "tuic"; - listen = "::"; - listen_port = port; - congestion_control = "bbr"; - users = map (user: { - name = user.name; - uuid = { - _secret = user.uuidFile; - }; - password = { - _secret = user.passwordFile; - }; - }) users; - tls = singTls; - }); - outbounds = - # warp outbound goes first to make it default outbound - (lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [ - { - type = "wireguard"; - tag = "wg-out"; - private_key = { - _secret = config.sops.secrets.wg_private_key.path; - }; - local_address = [ - "172.16.0.2/32" - { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } - ]; - peers = [ - { - public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; - allowed_ips = [ - "0.0.0.0/0" - "::/0" - ]; - server = "162.159.192.1"; - server_port = 500; - } - ]; - } - ]) - ++ [ - - { - type = "direct"; - tag = "direct"; - } - ]; - route = { - rules = + mkSingConfig = + { uuid, password, ... 
}: + { + log = { + level = "warn"; + }; + inbounds = [ { - inbound = "sg4"; - outbound = "direct"; + tag = "sg0"; + type = "trojan"; + listen = "::"; + listen_port = cfg.trojan.port; + tcp_multi_path = true; + tcp_fast_open = true; + users = [ + { + name = "proxy"; + password = { + _secret = password; + }; + } + ]; + tls = singTls; } ] - ++ (lib.optionals (!cfg.warp.onTuic) ( - lib.forEach (lib.range 1 3) (i: { - inbound = "sg${toString i}"; - outbound = "direct"; - }) - )) - ++ (lib.optionals (!cfg.warp.onTrojan) [ + ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "sg" + toString (port - 6310); + type = "tuic"; + listen = "::"; + listen_port = port; + congestion_control = "bbr"; + users = [ + { + name = "proxy"; + uuid = { + _secret = uuid; + }; + password = { + _secret = password; + }; + } + ]; + tls = singTls; + }); + outbounds = + # warp outbound goes first to make it default outbound + (lib.optionals (cfg.warp.onTuic or cfg.warp.onTrojan) [ { - inbound = "sg0"; - outbound = "direct"; + type = "wireguard"; + tag = "wg-out"; + private_key = { + _secret = config.sops.secrets.wg_private_key.path; + }; + local_address = [ + "172.16.0.2/32" + { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } + ]; + peers = [ + { + public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; + allowed_ips = [ + "0.0.0.0/0" + "::/0" + ]; + server = "162.159.192.1"; + server_port = 500; + } + ]; } - ]); - }; - experimental = { - v2ray_api = { - listen = "127.0.0.1:15175"; - stats = { - users = map (u: u.name) users; - enabled = true; - inbounds = map (p: "sg" + toString p) (lib.range 0 4); - }; + ]) + ++ [ + + { + type = "direct"; + tag = "direct"; + } + ]; + route = { + rules = + [ + { + inbound = "sg4"; + outbound = "direct"; + } + ] + ++ (lib.optionals (!cfg.warp.onTuic) ( + lib.forEach (lib.range 1 3) (i: { + inbound = "sg${toString i}"; + outbound = "direct"; + }) + )) + ++ (lib.optionals (!cfg.warp.onTrojan) [ + { + inbound = "sg0"; + outbound = "direct"; + } + ]); 
}; }; - }; - sing-box = pkgs.sing-box.overrideAttrs ( - finalAttrs: previousAttrs: { - tags = previousAttrs.tags ++ [ - "with_v2ray_api" - ]; - } - ); in { options.commonSettings.proxyServer = { 
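Review bot: the rewritten `mkSingConfig` replaces the per-user credential list with a single `proxy` user whose one `password` and `uuid` are reused by the trojan inbound and all four tuic inbounds, so a credential that leaks from any one client can only be revoked by rotating it for everyone, and the per-user accounting that the removed `experimental.v2ray_api` stats provided is gone with it. If one shared credential is the intended design, say so in a comment above the function and note that rotation means re-encrypting `sing-box/password` and `sing-box/uuid` in every host's secrets file. The `...` in `{ uuid, password, ... }:` also silently accepts misspelled arguments; `{ uuid, password }:` would surface them at evaluation time.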
@@ -149,62 +137,40 @@ in onTrojan = mkEnableOption "forward to warp in trojan"; onTuic = mkEnableOption "forward to warp in first two port of tuic"; }; - - users = mkOption { - type = lib.types.listOf lib.types.str; - }; }; - config = mkIf cfg.enable ( - { - boot.kernel.sysctl = { - "net.core.default_qdisc" = "fq"; - "net.ipv4.tcp_congestion_control" = "bbr"; + config = mkIf cfg.enable { + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + }; + + networking.firewall.trustedInterfaces = [ "tun0" ]; + + security.acme = { + acceptTerms = true; + certs.${config.deployment.targetHost} = { + email = "me@namely.icu"; + # Avoid port conflict + listenHTTP = if config.services.caddy.enable then ":30310" else ":80"; }; + }; + services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = '' + reverse_proxy 127.0.0.1:30310 + ''; - networking.firewall.trustedInterfaces = [ "tun0" ]; + networking.firewall.allowedTCPPorts = [ + 80 + cfg.trojan.port + ]; + networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); - security.acme = { - acceptTerms = true; - certs.${config.deployment.targetHost} = { - email = "me@namely.icu"; - # Avoid port conflict - listenHTTP = if config.services.caddy.enable then ":30310" else ":80"; - }; + services.sing-box = { + enable = true; + settings = mkSingConfig { + uuid = config.sops.secrets."sing-box/uuid".path; + password = config.sops.secrets."sing-box/password".path; }; - services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = '' - reverse_proxy 127.0.0.1:30310 - ''; - - networking.firewall.allowedTCPPorts = [ - 80 - cfg.trojan.port - ]; - networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); - - services.sing-box = { - enable = true; - package = sing-box; - settings = ( - mkSingConfig ( - map (n: { - name = n; - uuidFile = config.sops.secrets."sing-box/users/${n}/uuid".path; - passwordFile = 
config.sops.secrets."sing-box/users/${n}/password".path; - }) cfg.users - ) - ); - }; - } - // { - sops.secrets = ( - builtins.foldl' (a: b: a // b) { } ( - map (u: { - "sing-box/users/${u}/uuid" = { }; - "sing-box/users/${u}/password" = { }; - }) cfg.users - ) - ); - } - ); + }; + }; } diff --git a/modules/nixos/monitor/default.nix b/modules/nixos/monitor/default.nix index 71ec05e..ae366d1 100644 --- a/modules/nixos/monitor/default.nix +++ b/modules/nixos/monitor/default.nix @@ -57,13 +57,6 @@ in default = "${config.networking.hostName}.coho-tet.ts.net"; }; }; - v2ray = { - enable = mkEnableOption "blackbox exporter"; - listenAddress = mkOption { - type = types.str; - default = "${config.networking.hostName}.coho-tet.ts.net"; - }; - }; }; }; }; diff --git a/modules/nixos/monitor/exporters.nix b/modules/nixos/monitor/exporters.nix index 56750ef..e3aa561 100644 --- a/modules/nixos/monitor/exporters.nix +++ b/modules/nixos/monitor/exporters.nix @@ -47,13 +47,6 @@ in ); }; - services.prometheus.exporters.v2ray = mkIf cfg.v2ray.enable { - enable = true; - listenAddress = cfg.v2ray.listenAddress; - port = 9516; - v2rayEndpoint = config.services.sing-box.settings.experimental.v2ray_api.listen; - }; - # gotosocial sops.templates."gotosocial_metrics.env" = { content = '' diff --git a/overlays/my-lib/prometheus.nix b/overlays/my-lib/prometheus.nix index c79f131..b7607a1 100644 --- a/overlays/my-lib/prometheus.nix +++ b/overlays/my-lib/prometheus.nix @@ -28,36 +28,6 @@ in ) ); - mkV2rayScrapes = targets: [ - { - job_name = "v2ray-exporter"; - scheme = "http"; - static_configs = map ( - { - address, - port ? 9516, - }: - { - targets = [ "${address}${mkPort port}" ]; - } - ) targets; - } - { - job_name = "singbox_stat"; - scheme = "http"; - metrics_path = "/scrape"; - static_configs = map ( - { - address, - port ? 9516, - }: - { - targets = [ "${address}${mkPort port}" ]; - } - ) targets; - } - ]; - mkCaddyScrapes = targets: [ { job_name = "caddy"; 
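Review bot: `settings = mkSingConfig { uuid = config.sops.secrets."sing-box/uuid".path; password = config.sops.secrets."sing-box/password".path; };` reads two secrets that this module no longer declares — the `sops.secrets` fold over `cfg.users` is removed and the declarations now live only in machines/dolomite/common.nix — so any other host that sets `commonSettings.proxyServer.enable` without declaring them fails at evaluation with a missing attribute. Declaring them here with the host still supplying the file, `sops.secrets."sing-box/uuid" = { };` and `sops.secrets."sing-box/password" = { };` inside the `mkIf cfg.enable` block, keeps the module self-contained; otherwise a comment on the `services.sing-box` block should spell out that contract.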
@@ -267,17 +237,6 @@ in { inherit name; rules = [ - { - alert = "ProbeError"; - expr = "probe_success != 1"; - for = "3m"; - labels = { - severity = "critical"; - }; - annotations = { - summary = "Probing {{ $labels.instance }} from {{ $labels.from }} failed"; - }; - } { alert = "HighProbeLatency"; expr = "probe_duration_seconds > 0.5";