From 91ed66d8fb22011a6c774312298069c0071635b5 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Tue, 8 Jul 2025 20:06:01 +0300
Subject: [PATCH] feat: add tinyproxy nixos-container to orion
---
 hosts/orion/default.nix | 1 +
 modules/nixos/containers/tinyproxy.nix | 76 ++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 modules/nixos/containers/tinyproxy.nix
diff --git a/hosts/orion/default.nix b/hosts/orion/default.nix
index f81e433..dafde03 100644
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@@ -102,6 +102,7 @@
 smartmontools
 ];
+ ataraxia.containers.tinyproxy.enable = true;
 ataraxia.services.vaultwarden.enable = true;
 ataraxia.virtualisation.guests = {
diff --git a/modules/nixos/containers/tinyproxy.nix b/modules/nixos/containers/tinyproxy.nix
new file mode 100644
index 0000000..5492fc1
--- /dev/null
+++ b/modules/nixos/containers/tinyproxy.nix
@@ -0,0 +1,76 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkIf;
+
+ cfg = config.ataraxia.containers.tinyproxy;
+in
+{
+ options.ataraxia.containers.tinyproxy = {
+ enable = mkEnableOption "Enable tinyproxy nixos-container";
+ };
+
+ config = mkIf cfg.enable {
+ sops.secrets.tinyproxy-singbox = {
+ sopsFile = secretsDir + /proxy.yaml;
+ restartUnits = [ "container@tinyproxy.service" ];
+ mode = "0600";
+ };
+ containers.tinyproxy = {
+ # extraFlags = [ "-U" ];
+ autoStart = true;
+ ephemeral = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ localAddress = "10.10.10.6/24";
+ bindMounts."/tmp/sing-box.json".hostPath = config.sops.secrets.tinyproxy-singbox.path;
+ config =
+ { pkgs, ... }:
+ {
+ environment.systemPackages = with pkgs; [
+ dnsutils
+ kitty.terminfo
+ sing-box
+ ];
+ systemd.packages = with pkgs; [ sing-box ];
+ systemd.services.sing-box = {
+ preStart = ''
+ umask 0007
+ mkdir -p ''${RUNTIME_DIRECTORY}
+ cp /tmp/sing-box.json ''${RUNTIME_DIRECTORY}/config.json
+ '';
+ serviceConfig = {
+ StateDirectory = "sing-box";
+ StateDirectoryMode = "0700";
+ RuntimeDirectory = "sing-box";
+ RuntimeDirectoryMode = "0700";
+ ExecStart = [
+ ""
+ "${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ networking = {
+ dhcpcd.denyInterfaces = [ "singtun0" ];
+ defaultGateway = "10.10.10.1";
+ hostName = "tinyproxy-node";
+ nameservers = [ "10.10.10.1" ];
+ useHostResolvConf = false;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 8888
+ 8889
+ ];
+ rejectPackets = false;
+ };
+ };
+ };
+ };
+ };
+}
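Review bot: `${lib.getExe cfg.package}` in the ExecStart line reads an option this module never declares — `options.ataraxia.containers.tinyproxy` only defines `enable` — so enabling the container should fail at evaluation with a missing-attribute error unless `package` is declared by some other module; the inner container module already receives `pkgs`, so `"${lib.getExe pkgs.sing-box} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"` is the minimal fix, or declare the option with `lib.mkPackageOption`. `mkEnableOption` already prefixes "Whether to enable", so the description should read `mkEnableOption "tinyproxy nixos-container"`, and the commented-out `# extraFlags = [ "-U" ];` should be dropped or explained. Separately, `allowedTCPPorts = [ 8888 8889 ]` opens the proxy ports on every interface of the container, including the `singtun0` tunnel that dhcpcd is told to ignore; if they are meant only for the LAN side, scope them with `networking.firewall.interfaces.eth0.allowedTCPPorts` (eth0 presumably being the veth attached to `br0` — confirm the interface name inside the container).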