diff --git a/machines/AMD-Workstation/default.nix b/machines/AMD-Workstation/default.nix
index e6d51a5..33edf61 100644
--- a/machines/AMD-Workstation/default.nix
+++ b/machines/AMD-Workstation/default.nix
@@ -1,4 +1,4 @@
-{ inputs, config, lib, pkgs, ... }: {
+{ inputs, config, lib, pkgs, secretsDir, ... }: {
 imports = with inputs.self; [
 ./boot.nix
 ./hardware-configuration.nix
@@ -78,12 +78,12 @@
 deviceSpecific.enableVirtualisation = true;
 # VPN
 deviceSpecific.vpn.tailscale.enable = true;
- sops.secrets.wg-ataraxia.sopsFile = inputs.self.secretsDir + /wg-configs.yaml;
- networking.wg-quick.interfaces.wg0.autostart = false;
- networking.wg-quick.interfaces.wg0.configFile = config.sops.secrets.wg-ataraxia.path;
+ deviceSpecific.vpn.sing-box.enable = true;
+ deviceSpecific.vpn.sing-box.config = "ataraxia-singbox";
+
 # Mount
 # TODO: fix sops
- sops.secrets.files-veracrypt.sopsFile = inputs.self.secretsDir + /amd-workstation/misc.yaml;
+ sops.secrets.files-veracrypt.sopsFile = secretsDir + /amd-workstation/misc.yaml;
 services.cryptmount.files-veracrypt = {
 what = "/dev/disk/by-partuuid/15fa11a1-a6d8-4962-9c03-74b209d7c46a";
 where = "/media/files";
@@ -112,7 +112,7 @@
 services.openssh.settings.PermitRootLogin = lib.mkForce "without-password";
 services.ratbagd.enable = true;
 # Networking
- networking.firewall.allowedTCPPorts = [ 8000 5900 52736 3456 ];
+ networking.firewall.allowedTCPPorts = [ 8000 5900 52736 3456 1080 ];
 networking.nameservers = [ "10.10.10.1" ];
 networking.defaultGateway = "10.10.10.1";
 networking.bridges.br0.interfaces = [ "enp9s0" ];
diff --git a/machines/Dell-Laptop/default.nix b/machines/Dell-Laptop/default.nix
index dc3952a..36c23e6 100644
--- a/machines/Dell-Laptop/default.nix
+++ b/machines/Dell-Laptop/default.nix
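Review bot: Adding 1080 to `networking.firewall.allowedTCPPorts` in the third hunk opens that port on every host interface, including the br0 bridge onto 10.10.10.0/24 and the tailscale interface enabled a few lines earlier, while nothing on this page shows what listens there (the sing-box configuration lives in a sops secret). If the listener is meant for local clients only it needs no firewall rule at all; if LAN clients must reach it, scope the rule with `networking.firewall.interfaces.br0.allowedTCPPorts = [ 1080 ];` so it is not reachable from other interfaces. A short comment naming what each of the five ports serves would also help, since 5900 and 52736 are otherwise unexplained. The `# TODO: fix sops` comment left above the reworked `files-veracrypt` line is worth re-checking now that `secretsDir` is passed in directly.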
@@ -19,9 +19,8 @@
 deviceSpecific.isGaming = false;
 deviceSpecific.enableVirtualisation = true;
 deviceSpecific.vpn.tailscale.enable = true;
- sops.secrets.wg-dell.sopsFile = inputs.self.secretsDir + /wg-configs.yaml;
- networking.wg-quick.interfaces.wg0.autostart = false;
- networking.wg-quick.interfaces.wg0.configFile = config.sops.secrets.wg-dell.path;
+ deviceSpecific.vpn.sing-box.enable = true;
+ deviceSpecific.vpn.sing-box.config = "dell-singbox";
 
 boot.blacklistedKernelModules = [
 "psmouse"
diff --git a/modules/devices.nix b/modules/devices.nix
index 7a6fd7d..55c721f 100644
--- a/modules/devices.nix
+++ b/modules/devices.nix
@@ -89,6 +89,14 @@ with types; {
 type = bool;
 default = false;
 };
+ sing-box.enable = mkOption {
+ type = bool;
+ default = false;
+ };
+ sing-box.config = mkOption {
+ type = str;
+ default = "";
+ };
 wireguard = {
 enable = mkOption {
 type = bool;
diff --git a/profiles/overlay.nix b/profiles/overlay.nix
index 961bfe0..82d701c 100644
--- a/profiles/overlay.nix
+++ b/profiles/overlay.nix
@@ -31,6 +31,7 @@ with lib; {
 youtube-to-mpv = prev.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
 yt-archivist = prev.callPackage ./packages/yt-archivist { };
 yt-dlp = master.yt-dlp;
+ sing-box = master.sing-box;
 steam = prev.steam.override {
 extraPkgs = pkgs: with pkgs; [ mono libkrb5 keyutils ];
 };
diff --git a/profiles/servers/tinyproxy.nix b/profiles/servers/tinyproxy.nix
index ea68c34..60425cc 100644
--- a/profiles/servers/tinyproxy.nix
+++ b/profiles/servers/tinyproxy.nix
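Review bot: The two options added in the modules/devices.nix hunk carry no `description`, and `sing-box.config` defaults to `""`, which the consumer in profiles/vpn.nix turns into `sops.secrets.""` whenever `enable` is set without a config name. `sing-box.enable = mkEnableOption "the sing-box proxy client";` gives the boolean a description for free, and `sing-box.config` should say what it is (vpn.nix uses it as a sops secret name): `description = "Name of the sops secret in proxy.yaml holding the sing-box configuration";`. Keeping the empty default is fine as long as the vpn.nix block guards it, e.g. inside its `lib.mkIf sing-box.enable` set: `assertions = [ { assertion = sing-box.config != ""; message = "deviceSpecific.vpn.sing-box.config must name a sops secret"; } ];`. The same defect applies to the vpn.nix hunk and is not repeated there.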
@@ -1,20 +1,30 @@
-{ ... }: {
+{ config, secretsDir, ... }: {
+ sops.secrets.tinyproxy-singbox = {
+ sopsFile = secretsDir + /proxy.yaml;
+ restartUnits = [ "container@tinyproxy.service" ];
+ mode = "0600";
+ };
 containers.tinyproxy = {
- extraFlags = [ "-U" ];
+ # extraFlags = [ "-U" ];
 autoStart = true;
 ephemeral = true;
 privateNetwork = true;
 hostBridge = "br0";
 localAddress = "10.10.10.6/24";
- config = { ... }: {
- services.privoxy = {
- enable = true;
- settings = {
- listen-address = "10.10.10.6:8888";
- toggle = false;
- keep-alive-timeout = 300;
- default-server-timeout = 60;
- connection-sharing = false;
+ bindMounts."/tmp/sing-box.json".hostPath = config.sops.secrets.tinyproxy-singbox.path;
+ config = { pkgs, lib, ... }: {
+ environment.systemPackages = [ pkgs.dnsutils pkgs.kitty ];
+ systemd.packages = [ pkgs.sing-box ];
+ systemd.services.sing-box = {
+ preStart = ''
+ umask 0077
+ mkdir -p /etc/sing-box
+ cp /tmp/sing-box.json /etc/sing-box/config.json
+ '';
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "root";
+ Group = "root";
 };
 };
 networking = {
@@ -24,7 +34,7 @@
 useHostResolvConf = false;
 firewall = {
 enable = true;
- allowedTCPPorts = [ 8888 ];
+ allowedTCPPorts = [ 8888 8889 ];
 rejectPackets = false;
 };
 };
diff --git a/profiles/vpn.nix b/profiles/vpn.nix
index f391634..0011d07 100644
--- a/profiles/vpn.nix
+++ b/profiles/vpn.nix
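Review bot: Commenting out `extraFlags = [ "-U" ]` in the first tinyproxy.nix hunk drops systemd-nspawn's uid-shifting user namespace for the container, so root inside it — which the new unit pins with `User = "root"` — is host root, a larger privilege step than the privoxy service it replaces, and the hunk records no reason for it. If the motivation is that the root-owned 0600 secret bind-mounted at `/tmp/sing-box.json` is unreadable under uid shifting, say so in the comment (`# -U disabled: uid-shifted container cannot read the root-owned sops secret bind-mounted below`) so the trade-off is visible to whoever next touches this container. `/tmp` is also an unusual mount point for a credential; a path such as `/run/secrets/sing-box.json` keeps it out of a world-writable directory. The second hunk widens the container firewall to 8889 as well, and nothing on this page shows what listens there, so a comment naming the inbound would help. `containers.tinyproxy` continues past the hunk.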
@@ -1,11 +1,28 @@
-{ lib, config, ... }:
+{ config, lib, pkgs, secretsDir, ... }:
 let
 isTailscale = config.deviceSpecific.vpn.tailscale.enable;
 wg = config.deviceSpecific.vpn.wireguard;
+ sing-box = config.deviceSpecific.vpn.sing-box;
 wgIFName = "wg0";
 isRouteAll = (builtins.elem "0.0.0.0/0" wg.allowedIPs) || (builtins.elem "::0/0" wg.allowedIPs);
 in {
 config = lib.mkMerge [
+ (lib.mkIf sing-box.enable {
+ sops.secrets.${sing-box.config} = {
+ sopsFile = secretsDir + /proxy.yaml;
+ restartUnits = [ "sing-box.service" ];
+ mode = "0600";
+ };
+ systemd.packages = [ pkgs.sing-box ];
+ systemd.services.sing-box = {
+ preStart = ''
+ umask 0077
+ mkdir -p /etc/sing-box
+ cp ${config.sops.secrets.${sing-box.config}.path} /etc/sing-box/config.json
+ '';
+ wantedBy = [ "multi-user.target" ];
+ };
+ })
 (lib.mkIf isTailscale {
 services.tailscale.enable = true;
 services.tailscale.useRoutingFeatures = "client";
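Review bot: The `preStart` in the new sing-box block copies the sops-managed secret into `/etc/sing-box/config.json`, a second on-disk copy that sops-nix does not track: it is refreshed only when the unit starts and it outlives disabling the option or removing the secret. If the copy exists only because the packaged unit reads `/etc/sing-box`, pointing the unit at the sops path instead (an `ExecStart` override using sing-box's `-c` config flag) avoids duplicating the credential; the `umask 0077` is correct as long as the copy stays. The identical `preStart` also appears in profiles/servers/tinyproxy.nix, so a shared helper would keep the two in step. Unlike the tinyproxy container, this unit sets no `serviceConfig.User`, so the copy runs as whatever user the upstream unit declares and silently depends on that being root — worth a one-line comment. The `lib.mkMerge` list continues past the hunk.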