diff --git a/.sops.yaml b/.sops.yaml index 153993e..79707f1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -24,14 +24,6 @@ creation_rules: - age: - *xin - *host-massicot - - path_regex: machines/dolomite/secrets/secrets.yaml - key_groups: - - age: - - *xin - - *host-sgp-00 - - *host-tok-00 - - *host-la-00 - - *host-hk-00 - path_regex: machines/dolomite/secrets/sgp-00.yaml key_groups: - age: diff --git a/flake.nix b/flake.nix index 606276e..1000f83 100644 --- a/flake.nix +++ b/flake.nix @@ -104,18 +104,6 @@ machines/calcite/configuration.nix (mkHome "xin" "calcite") ]; - hk-00 = [ - ./machines/dolomite/claw.nix - ./machines/dolomite/common.nix - ]; - la-00 = [ - ./machines/dolomite/bandwagon.nix - ./machines/dolomite/common.nix - ]; - tok-00 = [ - ./machines/dolomite/lightsail.nix - ./machines/dolomite/common.nix - ]; }; sharedColmenaModules = [ deploymentModule @@ -187,7 +175,7 @@ tok-00 = { ... }: { - imports = nodeNixosModules.tok-00 ++ sharedColmenaModules; + imports = [ machines/dolomite ] ++ sharedColmenaModules; nixpkgs.system = "x86_64-linux"; networking.hostName = "tok-00"; system.stateVersion = "23.11"; @@ -201,7 +189,7 @@ la-00 = { ... }: { - imports = nodeNixosModules.la-00 ++ sharedColmenaModules; + imports = [ machines/dolomite ] ++ sharedColmenaModules; nixpkgs.system = "x86_64-linux"; networking.hostName = "la-00"; system.stateVersion = "21.05"; @@ -215,7 +203,7 @@ hk-00 = { ... }: { - imports = nodeNixosModules.hk-00 ++ sharedColmenaModules; + imports = [ machines/dolomite ] ++ sharedColmenaModules; nixpkgs.system = "x86_64-linux"; networking.hostName = "hk-00"; system.stateVersion = "24.05"; diff --git a/garnix.yaml b/garnix.yaml deleted file mode 100644 index 38563a7..0000000 --- a/garnix.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -builds: - include: - - '*.x86_64-linux.*' - - defaultPackage.x86_64-linux - - devShell.x86_64-linux - - homeConfigurations.x86_64-linux.* - - homeConfigurations.aarch64-linux.* - - darwinConfigurations.* - - nixosConfigurations.* - diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index 803be29..91449c1 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix @@ -1,11 +1,21 @@ { + config, + lib, + pkgs, modulesPath, ... }: +let + cfg = config.isBandwagon; +in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - config = { + options = { + isBandwagon = lib.mkEnableOption "Bandwagon instance"; + }; + + config = lib.mkIf cfg { boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" diff --git a/machines/dolomite/claw.nix b/machines/dolomite/claw.nix index ead0225..b8cf692 100644 --- a/machines/dolomite/claw.nix +++ b/machines/dolomite/claw.nix @@ -1,14 +1,22 @@ { + config, lib, modulesPath, ... }: +let + cfg = config.isClaw; +in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - config = { + options = { + isClaw = lib.mkEnableOption "Lightsail instance"; + }; + + config = lib.mkIf cfg { boot.initrd.availableKernelModules = [ "uhci_hcd" "virtio_blk" diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix deleted file mode 100644 index 83b0e36..0000000 --- a/machines/dolomite/common.nix +++ /dev/null 
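Review bot: `config = lib.mkIf cfg { … }` gates only the configuration, while `imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];` stays unconditional, so once `machines/dolomite/default.nix` imports this file together with `claw.nix` and `lightsail.nix` on every dolomite host, each host receives all three profiles' imports regardless of which `is*` flag is set. For the two qemu-guest profiles that only adds initrd modules, but the same shape in `lightsail.nix` pulls the Amazon modules into hosts that are not on AWS. Module `imports` cannot depend on `config`, so the per-platform selection has to live outside the module system — the per-node module lists this commit removes from `flake.nix` did exactly that. `pkgs` is added to the argument set here but nothing in the hunk uses it; fine if the rest of the file does, otherwise it can go.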
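Review bot: The option description in `isClaw = lib.mkEnableOption "Lightsail instance";` was copied from lightsail.nix and is wrong for this module; it should read `isClaw = lib.mkEnableOption "Claw instance";`, since the string ends up in the generated options documentation as "Whether to enable Lightsail instance". The rest of the hunk mirrors bandwagon.nix and carries the same unconditional-`imports` caveat noted there.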
@@ -1,36 +0,0 @@ -{ config, ... }: -{ - config = { - sops = { - secrets = { - wg_private_key = { - owner = "root"; - sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; - }; - wg_ipv6_local_addr = { - owner = "root"; - sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; - }; - "sing-box/password" = { - owner = "root"; - sopsFile = ./secrets/secrets.yaml; - }; - "sing-box/uuid" = { - owner = "root"; - sopsFile = ./secrets/secrets.yaml; - }; - }; - }; - - custom.prometheus = { - enable = true; - exporters.blackbox.enable = true; - }; - - commonSettings = { - auth.enable = true; - proxyServer.enable = true; - }; - }; - -} diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix new file mode 100644 index 0000000..e3bb640 --- /dev/null +++ b/machines/dolomite/default.nix 
@@ -0,0 +1,159 @@ +{ config, lib, ... }: +let + awsHosts = [ "tok-00" ]; + bwgHosts = [ "la-00" ]; + clawHosts = [ "hk-00" ]; +in +{ + imports = [ + ../sops.nix + ./bandwagon.nix + ./lightsail.nix + ./claw.nix + ]; + + config = { + isBandwagon = builtins.elem config.networking.hostName bwgHosts; + isLightsail = builtins.elem config.networking.hostName awsHosts; + isClaw = builtins.elem config.networking.hostName clawHosts; + sops = { + secrets = { + wg_private_key = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + wg_ipv6_local_addr = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + }; + }; + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + }; + + networking.firewall.trustedInterfaces = [ "tun0" ]; + + security.acme = { + acceptTerms = true; + certs.${config.deployment.targetHost} = { + email = "me@namely.icu"; + # Avoid port conflict + listenHTTP = if config.services.caddy.enable then ":30310" else ":80"; + }; + }; + services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = '' + reverse_proxy 127.0.0.1:30310 + ''; + + networking.firewall.allowedTCPPorts = [ + 80 + 8080 + ]; + networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); + + custom.prometheus = { + enable = true; + exporters.blackbox.enable = true; + }; + + custom.commonSettings = { + auth.enable = true; + }; + + services.sing-box = + let + singTls = { + enabled = true; + server_name = config.deployment.targetHost; + key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; + certificate_path = + config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; + }; + password = { + _secret = config.sops.secrets.singbox_password.path; + }; + uuid = { + _secret = config.sops.secrets.singbox_uuid.path; + }; + in + { + enable = true; + settings = { + inbounds = + [ + { + tag = 
"sg0"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = [ + { + name = "proxy"; + password = password; + } + ]; + tls = singTls; + } + ] + ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "sg" + toString (port - 6310); + type = "tuic"; + listen = "::"; + listen_port = port; + congestion_control = "bbr"; + users = [ + { + name = "proxy"; + uuid = uuid; + password = password; + } + ]; + tls = singTls; + }); + outbounds = [ + { + type = "wireguard"; + tag = "wg-out"; + private_key = { + _secret = config.sops.secrets.wg_private_key.path; + }; + local_address = [ + "172.16.0.2/32" + { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } + ]; + peers = [ + { + public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; + allowed_ips = [ + "0.0.0.0/0" + "::/0" + ]; + server = "162.159.192.1"; + server_port = 500; + } + ]; + } + { + type = "direct"; + tag = "direct"; + } + ]; + route = { + rules = [ + { + inbound = "sg0"; + outbound = "direct"; + } + { + inbound = "sg4"; + outbound = "direct"; + } + ]; + }; + }; + }; + }; + +} diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index e44fac4..230b23d 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix @@ -1,9 +1,11 @@ { config, + lib, pkgs, modulesPath, ... }: +with lib; let cfg = config.ec2; in @@ -18,7 +20,11 @@ in "${modulesPath}/virtualisation/amazon-init.nix" ]; - config = { + options = { + isLightsail = mkEnableOption "Lightsail instance"; + }; + + config = mkIf config.isLightsail { boot.loader.grub.device = "/dev/nvme0n1"; # from nixpkgs amazon-image.nix diff --git a/machines/dolomite/secrets/secrets.yaml b/machines/dolomite/secrets/secrets.yaml deleted file mode 100644 index c05a97e..0000000 --- a/machines/dolomite/secrets/secrets.yaml +++ /dev/null 
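Review bot: A host whose `networking.hostName` is in none of `awsHosts`, `bwgHosts` or `clawHosts` (for example `sgp-00`, which `.sops.yaml` still provisions a per-host secret file for but which appears in no list here) silently gets no hardware profile instead of an evaluation error; an assertion that exactly one flag is set would catch a typo in these lists at eval time, e.g. `assertions = [ { assertion = lib.count lib.id [ config.isBandwagon config.isLightsail config.isClaw ] == 1; message = "dolomite: ${config.networking.hostName} must match exactly one platform list"; } ];`. Separately, `custom.commonSettings = { auth.enable = true; };` replaces `commonSettings = { auth.enable = true; … }` from the deleted common.nix, while `proxy-server.nix` still declares its options under top-level `commonSettings`; if `auth` is declared there as well, this attribute will not evaluate — confirm the namespace. The `{ _secret = … }` wrappers around `singbox_password`/`singbox_uuid` and `wg_private_key` are the right form and keep the secrets out of the generated JSON.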
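Review bot: `config = mkIf config.isLightsail { … }` gates the configuration, but the `imports` list ending with `"${modulesPath}/virtualisation/amazon-init.nix"` just above it is evaluated unconditionally, and `machines/dolomite/default.nix` now imports this file on every dolomite host, so la-00 and hk-00 also receive the Amazon modules. As far as I recall, amazon-init installs a boot-time service that reads the instance user-data (fetched from the link-local metadata address) and, when it looks like a NixOS expression or script, applies it as the system configuration — not something a non-AWS VPS should do with whatever its provider serves at that address; please confirm after deploy whether that service is present on la-00/hk-00. Module `imports` cannot be gated on `config`, so the per-platform profile selection belongs outside the module system, e.g. back in the per-node module lists that `flake.nix` drops in this commit, leaving only the shared settings in `default.nix`. The `with lib;` added in the first hunk is what lets `mkEnableOption`/`mkIf` appear unqualified here; `inherit (lib) mkEnableOption mkIf;` or `lib.` prefixes (as `bandwagon.nix` and `claw.nix` use) would keep the scope explicit.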
@@ -1,59 +0,0 @@ -sing-box: - password: ENC[AES256_GCM,data:aifvj/rBvmIF6M4SJ6j4rkw0J0oBGUmO,iv:C9KlVngh74z/VjjOGxnlpA4CqFv7TCSD3KSm2l/xGB4=,tag:10zUgbP2exTQ4KK0zeMM2A==,type:str] - uuid: ENC[AES256_GCM,data:ZPEqllAXeLMyVEp/6+9LSL346J2tiuM5tYs404/vp9rnkrvc,iv:Oy/U1c2sW5a2eQQxXAEjqaE85xX5rFapz9k/DtcZR+w=,tag:BHU+ScDBeWnctkDBRnm+4g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dElZTXFjbzhNbE1OYmdP - M0JLVWMyOUpSMnQ1Q2hDc2VXVUxpblhDVUNjCmxGZXRsUmdWWjZPZGFhaDFHNnpx - YVVSWFl1YThwWENSVTdiWkRENlBhdDQKLS0tIGl0OWsrNXljLy9wejd4Q3JmTUFE - WGFaN21vb1EwTDdSOEFVSWlQZWR1Z1kKIy+vG42G/7hTJX9BNYXjy4GNnUEnzUgB - aRoLxgTpkTKezZiKkISQwEuFD8qC7aeQIV1kmGDpNK2uucJfFswvbQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvNGE0Sk5lbXVNSjVQUTFF - VFFrVzJKczJwTWJJOEdKTVFhai9RWmJNSkJjCkNKQzRQWmcxTndIcERkMTFubi9K - SXVhbDhEMmRFRCtXdEVqMFdRbjQ3RTgKLS0tIGNIOWYzL0NUeklBRU5paEoyZ211 - NDY5RDdwelMwVjVscHdOaGV2aTMwQUUKZaCo5jFlWxTsELGyQiY4CmcjdUcnBzOU - JzcWDMcODTo/yER/0jdPpdfvUWiGi12voIuqRJkON0x7d3X2d2Sexg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2LzI1M2orSDVyYTRRRnB6 - d25oaHZSMWFUQ2lZTWxtVzFRSkxjd01tNjFZCmJHUWVGd2hYWVlpdk80WUxwM080 - N0V1UW1hUC9GNWlPRCtuYUsxSzdmWUEKLS0tIEhSazVWeEpIVnoweWdnOEU2Q1hT - Yjl6bFRZS2RSRGpPWFdDS2lObCt0MGsKcFXy/2mLLlxY/vP+kCaeaR+9aBRL7ys1 - x+HBAPqvcqvYk3MGBD9TpIW317RthDhEkY57GmtHgqIUsSLWsBgNdw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL2NXTDNqWkYzQlVvM0xO - ZDk2RTFISHh3TmpTN2cxT3RTVnFUaURpK3dRCmJEVWJnNXdoT0JYYjBvcm4rSkZ0 - QW5WeWhqWnZqaGlLRHphZW5PMUNZTDQKLS0tIGZFc2ZlREgwKysrNEhROUJzbHBU - TzhHdlV1bjduT1hlTVFMTmRtQmN0MFUKhCYQh5uVOjEj2kKSfSUVa8k35mqkDoTk - 3CchebRciIR+w52d6uEsQove0248+OniG6bJ5ykkExLo1RzDQD7pBQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhS0tDdThIRnNaZVZKanZY - bm1uV25nUzZITW5QY2Z2SkZtMFAvY1RVOWdrCnZMZ3F6dHd1TmhCMnZvbFhZYjJK - ZXRVUWNtVXVpOWFYWmdFQ2RZajlTQk0KLS0tIFJSYkxkelFTWkRYMjAvQ2lpTGRQ - bmE0bWg1U1ZkZHR4TEVtR0crbVZxdmcKeVUli/Tt4Xy4XxbUbFj9a4y6c9ZE/NjE - nCKLNYYPsZ/nS6qN3Pdetps4ziajJHUVmxCqNMHD+OoWqT6W8V/O6w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-22T05:51:19Z" - mac: ENC[AES256_GCM,data:LPUb7YbELPsgYX+LvfuGdiNG1B5ZrvyRVZL9UiMHoJMDHaWpDGCQkT1bk5jEOewwFh+StK560UsPK4uW0+SqADJO80rmM3xfqlp5Ul2HJ8mU19l5C6FLpv2REIzhCp333rNJJlyhn3H6GZgMaWnjjLSX9XMOVaq1iz6Qt0P76SI=,iv://EdDr5D51RFuucq8gkei2RC7H2bkRYxP/7lerp9dtk=,tag:JrRQ19sZ0OAZouMgOiU/tQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/machines/secrets.yaml b/machines/secrets.yaml index cedd676..58dc777 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
@@ -4,9 +4,8 @@ autofs-nas-secret: ENC[AES256_GCM,data:gbOizRZAvh79HlJWIWeKTk79Ux311XGL1eIswc0P2 github_public_token: ENC[AES256_GCM,data:6Gt+oJcCRHeoLK7CRndMMbszTXSEbnN0nQzsVOnl/+zB4hxbEPD5k/vkkl+cZ/qmxdxFXV0OOsYvktn44Yv1DMUE3mkB0hcAdoyPwLuYM7W3RpOoW3OktH8DRCUi6msvFp3ykpdmIl9WyjVhc/lMwTaYJQyRh1ue,iv:PJSFtJBelyc3rzd6hqjMp+ciU2Q3FTOEXsiq5F2KKTY=,tag:Y/stRg6kwyjjIFZCXS/peg==,type:str] singbox_sg_server: ENC[AES256_GCM,data:SF2ja6W4TwThwoug5x2KTA==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:7XA9KSoR0GA6FoYRhCv4BQ==,type:str] singbox_jp_server: ENC[AES256_GCM,data:S3Bs5yVMzyz6vD51GYElOM5h,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:o9d55cZuWmX4NDYexWjvYQ==,type:str] -sing-box: - password: ENC[AES256_GCM,data:xyqmoJEDI5959zHPTVelln/iThtoeDwS,iv:rLyqJsE/4JDf08RlMLLPh+MKJkba9bL0z8jx6bTEfgc=,tag:cgLHdeLIyPvLhRNaVcQ0TQ==,type:str] - uuid: ENC[AES256_GCM,data:lWBCM5wyz6BcUUHdvynkn5y166Kk15jO0EhWUDuhXXhrve5l,iv:RmDJYFnYqIEIShLn25sf4h8AO2E3+3Xa2U9Mff+Xk2w=,tag:SN0DUdwZXKO/VEnozrr5mA==,type:str] +singbox_password: ENC[AES256_GCM,data:bZ50/gG53D9fyGnQ7ky8VRdNEDhGjbFD,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:nbr2zNCs3RAr/uidkp08ng==,type:str] +singbox_uuid: ENC[AES256_GCM,data:gYppcUvF5Aj4mBQTMy56kb9JazUM6SeiYLspqiZjbTkPOhhk,iv:+uwt/N9LpFaJK6MjoczyrZ039MDZn4kRmtEoq4OvdFU=,tag:IiBZRfFpjKB/swmJNjodyA==,type:str] grafana_cloud_api: ENC[AES256_GCM,data:eEvPAwtThK1FMhbrnmSo89+GlWZAF+LQRMLXA2C6f1vR7ZPlXJZGWzjYwDcPlnpiC737/cG14M4kZqvPGBuNub5A83rBS/+FeebvGDIF59L5PC1Ys1jWBB9YRI/L9EU0tvwTTUCvLRA9j28n7Jw7wR6mWXm63XA+OMu8/UbTwbeV/WUQn8vnwqadSUdCnNKJXMsAY+q9t/st0DPm5+aNxA==,iv:cHvbeCmLFmJPNKsl1BBYx9WJP7ZJWi+8c9yHZWc6FTs=,tag:87C+0FVvzDIowE0+QpY1zA==,type:str] private_dns_address: ENC[AES256_GCM,data:YJxNOH4hsZHResvANEqJRTANhnL4PLp/Pmi/PhgtSTbTKiJKPqudhTEkNg==,iv:8+qG5rQXAKfrykEjt9qrbtyNaBuKvi7EaIWouRqEipY=,tag:VH0w5ZbXcWFGZ9GLavm7/w==,type:str] sops: 
@@ -87,8 +86,8 @@ sops: NzA1cy80ZW5vUFplQzVMZ0txSmVkMUEKFUvgmJNdo9sV33gOx7LVUSCYvIqCNwaP u+XoWTfg4kp9f4KVTy/8huPsVLhZBUaf6jI10mV2z4QwaLHje4JiHw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-22T05:48:59Z" - mac: ENC[AES256_GCM,data:In/gSIYnXKbbv1lzS/nmSESCHBcBv/TtkvhzdNiIn73N4kP9aJ+1JE8Npix8zNItzk46DX+nHBk8Kwgl6uq26YtL+sMTBKh5K8Ny0H8ivlgS+olXswv3Y9h1cYD7FBHUKzbMuiJd0ppjC0ZIn20rRpb4d57rwUbvY0KstyQW4JA=,iv:DcdTAimbXXpKhhiB9rriS75+XGNOCcScqi/804+Xx6g=,tag:NHW+UViRmbUDHb0gTd9TDg==,type:str] + lastmodified: "2024-10-17T12:19:12Z" + mac: ENC[AES256_GCM,data:3Z22GxxDjR2FVZ7VnFY/QhQ1i//1WC93GIwK4d51i13OWmcb71UPmmA6O/HlvLdP6goFCj95eRMUEiiVcdKagt1ca6HsDd6bkOEXwdl//fgOHUsgx5SNtA4kVJwK2bJuUvG72aOiLq89qvNprMLslJ47YqS9WM3rudk3Wp/P+og=,iv:GMN806nsrQg0+ZS0AReamzVv2FrLGELfA6x3RLNE/II=,tag:j2Bq9xYETCSL13zHx1BztA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.0 diff --git a/machines/sops.nix b/machines/sops.nix index 869fef7..3f56687 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -19,6 +19,12 @@ singbox_jp_server = { owner = "root"; }; + singbox_password = { + owner = "root"; + }; + singbox_uuid = { + owner = "root"; + }; private_dns_address = { owner = "root"; }; diff --git a/modules/nixos/common-settings/proxy-server.nix b/modules/nixos/common-settings/proxy-server.nix index d2cfb0f..a6b5af9 100644 --- a/modules/nixos/common-settings/proxy-server.nix +++ b/modules/nixos/common-settings/proxy-server.nix @@ -36,9 +36,7 @@ let users = [ { name = "proxy"; - password = { - _secret = password; - }; + password = password; } ]; tls = singTls; @@ -53,12 +51,8 @@ let users = [ { name = "proxy"; - uuid = { - _secret = uuid; - }; - password = { - _secret = password; - }; + uuid = uuid; + password = password; } ]; tls = singTls; 
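Review bot: `lastmodified` moves backwards from `2024-11-22T05:51:19Z` to `2024-10-17T12:19:12Z` and `version` from 3.9.1 to 3.9.0, which editing with sops never produces — it stamps the current time on every re-encryption — so this looks like the October revision of the file restored from history rather than the two keys being re-added through sops. That is consistent with the rest of the commit reverting the November layout, but it also means the ciphertext for `singbox_password`/`singbox_uuid` in the previous hunk is the pre-November value; if those credentials were rotated when they were moved into the per-site file, that rotation is undone here. If the revert is intentional, a one-line mention in the commit message would save the next reader from checking.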
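Review bot: `singbox_password` and `singbox_uuid` are declared without a `sopsFile`, so they come from this module's default file (presumably `machines/secrets.yaml`, where the `@@ -4,9 +4,8 @@` hunk adds the two keys) rather than from the dolomite-only `machines/dolomite/secrets/secrets.yaml` this commit deletes. That file's `.sops.yaml` rule limited recipients to `xin` and the four dolomite hosts; the creation rule for the shared file is not in the diff, so confirm that the dolomite hosts' age keys are recipients of it (otherwise sops-nix cannot decrypt at activation) and consider whether every other host able to read the shared file should also hold the proxy credentials — a dedicated file with a narrower key group, like the one being removed, keeps that set small.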
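Review bot: Dropping the `{ _secret = … }` wrapper changes what ends up in the sing-box config: with the wrapper the NixOS sing-box module substitutes the file's contents at runtime, whereas `password = password;` serialises the value itself, so with `cfg.passwordFile`/`cfg.uuidFile` (declared as `types.path` in the `@@ -108,6 +102,12 @@` hunk and wired in at `@@ -144,8 +157,8 @@`) the literal path string becomes the trojan password and the tuic uuid. The same applies to the `uuid`/`password` lines in the next hunk. Either keep the wrapper here, `password = { _secret = password; };` (and likewise for `uuid`), or make the new options carry the wrapped attrset instead of a path. `modules/nixos/default.nix` stops importing this module in the same commit, so the breakage is currently unreachable but will surface the moment the module is re-enabled; `machines/dolomite/default.nix` keeps the `_secret` form and is the version that actually runs. The `mkSingConfig` let-binding these hunks sit in starts before the first hunk and ends after the second.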
@@ -108,6 +102,12 @@ in { options.commonSettings.proxyServer = { enable = mkEnableOption "sing-box as a server"; + uuidFile = mkOption { + type = types.path; + }; + passwordFile = mkOption { + type = types.path; + }; }; config = mkIf cfg.enable { @@ -118,6 +118,19 @@ in networking.firewall.trustedInterfaces = [ "tun0" ]; + sops = { + secrets = { + wg_private_key = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + wg_ipv6_local_addr = { + owner = "root"; + sopsFile = ./secrets + "/${config.networking.hostName}.yaml"; + }; + }; + }; + security.acme = { acceptTerms = true; certs.${config.deployment.targetHost} = { @@ -144,8 +157,8 @@ in services.sing-box = { enable = true; settings = mkSingConfig { - uuid = config.sops.secrets."sing-box/uuid".path; - password = config.sops.secrets."sing-box/password".path; + uuid = cfg.uuidFile; + password = cfg.passwordFile; }; }; }; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index bcfdca7..2851a12 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -3,7 +3,6 @@ ./common-settings/auth.nix ./common-settings/autoupgrade.nix ./common-settings/nix-conf.nix - ./common-settings/proxy-server.nix ./restic.nix ./vaultwarden.nix ./prometheus
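Review bot: `sopsFile = ./secrets + "/${config.networking.hostName}.yaml"` in the `@@ -118,6 +118,19 @@` hunk resolves relative to this module's directory, `modules/nixos/common-settings/`, not to `machines/dolomite/`, where `.sops.yaml` places the per-host files; nothing in the diff creates a `secrets/` directory beside this module, so enabling `commonSettings.proxyServer` on any host would fail to find the file. The two `sops.secrets` entries also duplicate the ones in `machines/dolomite/default.nix`; since the module is no longer imported (see the `modules/nixos/default.nix` hunk), it would be cleaner to drop the block here than to leave a second, differently-rooted definition. The enclosing `config = mkIf cfg.enable { … }` starts before and ends after that hunk.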