disable wireguard, enable sing-box on amd, dell, tinyproxy

2024-10-24 01:57:37 +03:00 · 2024-10-24 01:57:37 +03:00 · 5135c88511
commit 5135c88511
parent c2755b492a
6 changed files with 57 additions and 22 deletions
--- a/machines/AMD-Workstation/default.nix
+++ b/machines/AMD-Workstation/default.nix
@ -1,4 +1,4 @@
-{ inputs, config, lib, pkgs, ... }: {
+{ inputs, config, lib, pkgs, secretsDir, ... }: {
  imports = with inputs.self; [
    ./boot.nix
    ./hardware-configuration.nix
@ -78,12 +78,12 @@
  deviceSpecific.enableVirtualisation = true;
  # VPN
  deviceSpecific.vpn.tailscale.enable = true;
-  sops.secrets.wg-ataraxia.sopsFile = inputs.self.secretsDir + /wg-configs.yaml;
-  networking.wg-quick.interfaces.wg0.autostart = false;
-  networking.wg-quick.interfaces.wg0.configFile = config.sops.secrets.wg-ataraxia.path;
+  deviceSpecific.vpn.sing-box.enable = true;
+  deviceSpecific.vpn.sing-box.config = "ataraxia-singbox";
+
  # Mount
  # TODO: fix sops
-  sops.secrets.files-veracrypt.sopsFile = inputs.self.secretsDir + /amd-workstation/misc.yaml;
+  sops.secrets.files-veracrypt.sopsFile = secretsDir + /amd-workstation/misc.yaml;
  services.cryptmount.files-veracrypt = {
    what = "/dev/disk/by-partuuid/15fa11a1-a6d8-4962-9c03-74b209d7c46a";
    where = "/media/files";
@ -112,7 +112,7 @@
  services.openssh.settings.PermitRootLogin = lib.mkForce "without-password";
  services.ratbagd.enable = true;
  # Networking
-  networking.firewall.allowedTCPPorts = [ 8000 5900 52736 3456 ];
+  networking.firewall.allowedTCPPorts = [ 8000 5900 52736 3456 1080 ];
  networking.nameservers = [ "10.10.10.1" ];
  networking.defaultGateway = "10.10.10.1";
  networking.bridges.br0.interfaces = [ "enp9s0" ];
--- a/machines/Dell-Laptop/default.nix
+++ b/machines/Dell-Laptop/default.nix
@ -19,9 +19,8 @@
  deviceSpecific.isGaming = false;
  deviceSpecific.enableVirtualisation = true;
  deviceSpecific.vpn.tailscale.enable = true;
-  sops.secrets.wg-dell.sopsFile = inputs.self.secretsDir + /wg-configs.yaml;
-  networking.wg-quick.interfaces.wg0.autostart = false;
-  networking.wg-quick.interfaces.wg0.configFile = config.sops.secrets.wg-dell.path;
+  deviceSpecific.vpn.sing-box.enable = true;
+  deviceSpecific.vpn.sing-box.config = "dell-singbox";

  boot.blacklistedKernelModules = [
    "psmouse"
--- a/modules/devices.nix
+++ b/modules/devices.nix
@ -89,6 +89,14 @@ with types; {
          type = bool;
          default = false;
        };
+        sing-box.enable = mkOption {
+          type = bool;
+          default = false;
+        };
+        sing-box.config = mkOption {
+          type = str;
+          default = "";
+        };
        wireguard = {
          enable = mkOption {
            type = bool;
--- a/profiles/overlay.nix
+++ b/profiles/overlay.nix
@ -31,6 +31,7 @@ with lib; {
        youtube-to-mpv = prev.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
        yt-archivist = prev.callPackage ./packages/yt-archivist { };
        yt-dlp = master.yt-dlp;
+        sing-box = master.sing-box;
        steam = prev.steam.override {
          extraPkgs = pkgs: with pkgs; [ mono libkrb5 keyutils ];
        };
--- a/profiles/servers/tinyproxy.nix
+++ b/profiles/servers/tinyproxy.nix
@ -1,20 +1,30 @@
-{ ... }: {
+{ config, secretsDir, ... }: {
+  sops.secrets.tinyproxy-singbox = {
+    sopsFile = secretsDir + /proxy.yaml;
+    restartUnits = [ "container@tinyproxy.service" ];
+    mode = "0600";
+  };
  containers.tinyproxy = {
-    extraFlags = [ "-U" ];
+    # extraFlags = [ "-U" ];
    autoStart = true;
    ephemeral = true;
    privateNetwork = true;
    hostBridge = "br0";
    localAddress = "10.10.10.6/24";
-    config = { ... }: {
-      services.privoxy = {
-        enable = true;
-        settings = {
-          listen-address = "10.10.10.6:8888";
-          toggle = false;
-          keep-alive-timeout = 300;
-          default-server-timeout = 60;
-          connection-sharing = false;
+    bindMounts."/tmp/sing-box.json".hostPath = config.sops.secrets.tinyproxy-singbox.path;
+    config = { pkgs, lib, ... }: {
+      environment.systemPackages = [ pkgs.dnsutils pkgs.kitty ];
+      systemd.packages = [ pkgs.sing-box ];
+      systemd.services.sing-box = {
+        preStart = ''
+          umask 0077
+          mkdir -p /etc/sing-box
+          cp /tmp/sing-box.json /etc/sing-box/config.json
+        '';
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          User = "root";
+          Group = "root";
        };
      };
      networking = {
@ -24,7 +34,7 @@
        useHostResolvConf = false;
        firewall = {
          enable = true;
-          allowedTCPPorts = [ 8888 ];
+          allowedTCPPorts = [ 8888 8889 ];
          rejectPackets = false;
        };
      };
--- a/profiles/vpn.nix
+++ b/profiles/vpn.nix
@ -1,11 +1,28 @@
-{ lib, config, ... }:
+{ config, lib, pkgs, secretsDir, ... }:
 let
  isTailscale = config.deviceSpecific.vpn.tailscale.enable;
  wg = config.deviceSpecific.vpn.wireguard;
+  sing-box = config.deviceSpecific.vpn.sing-box;
  wgIFName = "wg0";
  isRouteAll = (builtins.elem "0.0.0.0/0" wg.allowedIPs) || (builtins.elem "::0/0" wg.allowedIPs);
 in {
  config = lib.mkMerge [
+    (lib.mkIf sing-box.enable {
+      sops.secrets.${sing-box.config} = {
+        sopsFile = secretsDir + /proxy.yaml;
+        restartUnits = [ "sing-box.service" ];
+        mode = "0600";
+      };
+      systemd.packages = [ pkgs.sing-box ];
+      systemd.services.sing-box = {
+        preStart = ''
+          umask 0077
+          mkdir -p /etc/sing-box
+          cp ${config.sops.secrets.${sing-box.config}.path} /etc/sing-box/config.json
+        '';
+        wantedBy = [ "multi-user.target" ];
+      };
+    })
    (lib.mkIf isTailscale {
      services.tailscale.enable = true;
      services.tailscale.useRoutingFeatures = "client";