feat: add tinyproxy nixos-container to orion

2025-07-08 20:06:01 +03:00 · 2025-07-08 20:06:01 +03:00 · 91ed66d8fb
commit 91ed66d8fb
parent 5401e9e068
2 changed files with 77 additions and 0 deletions
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@ -102,6 +102,7 @@
    smartmontools
  ];

+  ataraxia.containers.tinyproxy.enable = true;
  ataraxia.services.vaultwarden.enable = true;

  ataraxia.virtualisation.guests = {
--- a/modules/nixos/containers/tinyproxy.nix
+++ b/modules/nixos/containers/tinyproxy.nix
@ -0,0 +1,76 @@
+{
+  config,
+  lib,
+  secretsDir,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf;
+
+  cfg = config.ataraxia.containers.tinyproxy;
+in
+{
+  options.ataraxia.containers.tinyproxy = {
+    enable = mkEnableOption "Enable tinyproxy nixos-container";
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets.tinyproxy-singbox = {
+      sopsFile = secretsDir + /proxy.yaml;
+      restartUnits = [ "container@tinyproxy.service" ];
+      mode = "0600";
+    };
+    containers.tinyproxy = {
+      # extraFlags = [ "-U" ];
+      autoStart = true;
+      ephemeral = true;
+      privateNetwork = true;
+      hostBridge = "br0";
+      localAddress = "10.10.10.6/24";
+      bindMounts."/tmp/sing-box.json".hostPath = config.sops.secrets.tinyproxy-singbox.path;
+      config =
+        { pkgs, ... }:
+        {
+          environment.systemPackages = with pkgs; [
+            dnsutils
+            kitty.terminfo
+            sing-box
+          ];
+          systemd.packages = with pkgs; [ sing-box ];
+          systemd.services.sing-box = {
+            preStart = ''
+              umask 0007
+              mkdir -p ''${RUNTIME_DIRECTORY}
+              cp /tmp/sing-box.json ''${RUNTIME_DIRECTORY}/config.json
+            '';
+            serviceConfig = {
+              StateDirectory = "sing-box";
+              StateDirectoryMode = "0700";
+              RuntimeDirectory = "sing-box";
+              RuntimeDirectoryMode = "0700";
+              ExecStart = [
+                ""
+                "${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"
+              ];
+            };
+            wantedBy = [ "multi-user.target" ];
+          };
+          networking = {
+            dhcpcd.denyInterfaces = [ "singtun0" ];
+            defaultGateway = "10.10.10.1";
+            hostName = "tinyproxy-node";
+            nameservers = [ "10.10.10.1" ];
+            useHostResolvConf = false;
+            firewall = {
+              enable = true;
+              allowedTCPPorts = [
+                8888
+                8889
+              ];
+              rejectPackets = false;
+            };
+          };
+        };
+    };
+  };
+}