rolling update in 20240606

Signed-off-by: iosmanthus <[email protected]>
iosmanthus · Jun 6, 2024 · 84a17a1 · 84a17a1
1 parent 8452b90
commit 84a17a1
Show file tree

Hide file tree

Showing 93 changed files with 44,936 additions and 57,623 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -5,7 +5,7 @@
 
     master.url = "github:NixOS/nixpkgs";
 
-    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.url = "github:iosmanthus/sops-nix/nested-secrets";
 
     home-manager = {
       url = "github:nix-community/home-manager";
@@ -38,6 +38,8 @@
     };
 
     nur.url = "github:nix-community/NUR";
+
+    firefox.url = "github:nix-community/flake-firefox-nightly";
   };
   outputs =
     { self
@@ -100,6 +102,10 @@
                 code-insiders.overlays.default
                 nur.overlay
               ];
+
+            nixpkgs.config.permittedInsecurePackages = [
+              "openssl-1.1.1w"
+            ];
           }
         ];
     in
@@ -190,8 +196,12 @@
             inherit self;
           };
           modules = [
-            ./secrets/endpoints
             ./secrets/aws-lightsail-0
+            ./secrets/cloud/cloudflare
+            ./secrets/cloud/endpoints
+            ./secrets/cloud/grafana
+            ./secrets/cloud/sing-box
+
             ./nixos/aws-lightsail-0
 
             sops-nix.nixosModules.sops
@@ -218,13 +228,21 @@
           };
           modules = [
             ./secrets/gcp-instance-0
+            ./secrets/cloud/cloudflare
+            ./secrets/cloud/grafana
+            ./secrets/cloud/sing-box
+            ./secrets/cloud/endpoints
+            ./secrets/cloud/subgen
+
             ./nixos/gcp-instance-0
 
             sops-nix.nixosModules.sops
 
             self.nixosModules.cloud.gce
             self.nixosModules.cloud.sing-box
             self.nixosModules.o11y
+            self.nixosModules.subgen
+            self.nixosModules.unguarded
 
             {
               nixpkgs.overlays = [
@@ -241,6 +259,10 @@
           };
           modules = [
             ./secrets/gcp-instance-1
+            ./secrets/cloud/cloudflare
+            ./secrets/cloud/grafana
+            ./secrets/cloud/sing-box
+
             ./nixos/gcp-instance-1
 
             sops-nix.nixosModules.sops
@@ -298,6 +320,7 @@
             gotools
             nix-output-monitor
             nixpkgs-fmt
+            nodejs
             sops
             statix
             terraform

diff --git a/infra/cloudflare/terraform.tfstate b/infra/cloudflare/terraform.tfstate
diff --git a/infra/cloudflare/terraform.tfvars.json b/infra/cloudflare/terraform.tfvars.json
diff --git a/infra/gcp/gce/main.tf b/infra/gcp/gce/main.tf
@@ -47,7 +47,7 @@ resource "google_compute_firewall" "main" {
 
   allow {
     protocol = "tcp"
-    ports    = ["22", "443", "6626", "10080"]
+    ports    = ["22", "443", "10080"]
   }
 
   source_ranges = ["0.0.0.0/0"]
@@ -63,7 +63,7 @@ resource "google_compute_firewall" "main_v6" {
 
   allow {
     protocol = "tcp"
-    ports    = ["22", "443", "6626", "10080"]
+    ports    = ["22", "443", "10080"]
   }
 
   source_ranges = ["::/0"]

diff --git a/infra/gcp/main.tf b/infra/gcp/main.tf
@@ -28,7 +28,7 @@ module "gcp_instance_0" {
 
   google_region = "asia-east1"
   google_zone   = "asia-east1-b"
-  ip_revision   = "202405061637"
+  ip_revision   = "202405241514"
 }
 
 module "gcp_instance_1" {

diff --git a/infra/gcp/terraform.tfstate b/infra/gcp/terraform.tfstate
diff --git a/infra/gcp/terraform.tfvars.json b/infra/gcp/terraform.tfvars.json
@@ -1,6 +1,6 @@
 {
-	"google_project": "ENC[AES256_GCM,data:+95vzUKM3PhKTZ3m,iv:YTLeEZ9vvjX3P21gHw6AEpr7074XpsqfA+asSQ4GhLo=,tag:MOyYOP/ucKb9Qj+xBAiGmA==,type:str]",
-	"google_service_account_id": "ENC[AES256_GCM,data:lLlpy6wKTtd9oaXa6NfVicUJSoTfaEXFf5CAWg7x/32dhiMTDDX3hgTBvtzgEWS9taM=,iv:E76YsIwRdv/pgSRfjsgZR9PyTMmHB/B3Hsha4kRb8aA=,tag:kkqH3u5yo4pP6d5bEDl6bg==,type:str]",
+	"google_project": "ENC[AES256_GCM,data:agOmXh6qUh4kcDhq,iv:XQJbhZsqhtE8NTgLnB2gRM1mga0x6LK8O9us+r31pN0=,tag:K+ckC9tCnnUzrGP80ZAyig==,type:str]",
+	"google_service_account_id": "ENC[AES256_GCM,data:wiyxpRsrDAQzR7jGlo2waLksgQB14ynRn9u+ulzgvh7xa+PqLLqPOGeiyxUNvdEzoRk=,iv:6v/BDnL2zlllsWTJg4aZTDWVPR6jrG1VkhAy5kSJMRQ=,tag:oegi0dSKAKIXQ08fUzLCRQ==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -9,11 +9,11 @@
 		"age": [
 			{
 				"recipient": "age12409ktkdynl48p38wz45pu2s25kmffsw4p9d9vgt3xmmwl8f7q7sjlxyrs",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ajg4TEF2cUtlK0Jnaktt\nN0Y4RFg2NS9EL3BOMTk2M3lPcCtvM2QxSW1jCmI0dkU0WEY5U1RTQ0YwU21ybDB6\nazNicitTWE5VR2xUbkhwR3RKWHVFQm8KLS0tIGx5eW1HRTJCSHpUOHczc0VKQ2I4\nWFgyNjM3SU1uWEFmMmJBZGhjMytValUKcntnqwM6zwXveHfNSu0PNl+8KrOpyR49\nNaaox+ojPhXs7g3aPVCPmkw0i0IncgjCwBKYf9Ig5TD7qAeAw3PIsg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtR1RMRmk5VHBtbXpDYWt5\nQ3laMklldSt2S2t6WlpYVUZjNnhaSGNvd0E4Cmg4OUI5Z3BxZGxOZ2QzakFOY0o3\ncGRaSWI3SlcxY3B5ZUlzNllTdVVxcHcKLS0tIFdLOUwwV1gxOEsvbkUxclJKUUs5\nRFlhd0lkNXk3ODZkdWRLclJyWUxpNUUKozLK+sj6RLVt/+qoMOy5MquTZcs4jHnf\nqEZP8fOlvtlV7JmhqoODJHGwyQ5elcFyJ3ujUWHSngn6R+sIhd7mVg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-05-07T11:44:56Z",
-		"mac": "ENC[AES256_GCM,data:X2SLfRPyfubSJe4/xbeKNxGoFUU+vaAgwluJqHSufflcmMnAiIIWbBuRG95+ugGtNWtA+HdfK7vAPCiBQYkRubM+cEsGxHDQQIqHwXASAN6tZzUdqlsD0ddYRIU9wPb08+gCDyqrIuA3VnVMHgEiltvJ7V2phNtGflh7eGmGg9Y=,iv:Eqrb3+5qsBGNnlAA/gs5ADBjQynLXyspuT377VpwDb4=,tag:oXK1rWeRngaw8YXt4QVKag==,type:str]",
+		"lastmodified": "2024-05-24T07:15:29Z",
+		"mac": "ENC[AES256_GCM,data:EYTat9nXb07Os5QNofIS3YMDnRdCCtjfxhqrS9GbeFqjVuGzoxf4BAoGh9ouGBwqQRby7C0rQWPuDwedkqOT4S4jVG/FOsYRSAzCaaDzzCANcqvZtdSTsWUuBKV6vUeRUQheA9Z+9oLXF5zA6ownvsyRtS7HUGNpmYPFrseatRs=,iv:SMeO8Z16WpLLH4+V2Ag0vt1lddSJj/ZokaEsPpKioMw=,tag:IBmjttrAoxFcYLiN34GvcA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"

diff --git a/modules/cloud/sing-box/default.nix b/modules/cloud/sing-box/default.nix
@@ -12,6 +12,8 @@ let
   mkGeositeUrl = geosite: "${ruleBaseUrl}/rule-set-geosite/${geosite}.srs";
   mkGeoipUrl = geoip: "${ruleBaseUrl}/rule-set-geoip/${geoip}.srs";
 
+  latencyTester = "www.gstatic.com";
+
   warpGeosite = builtins.map
     (geosite: "geosite-${geosite}")
     [
@@ -46,6 +48,10 @@ let
           outbound = "any";
           server = "cloudflare";
         }
+        {
+          domain = latencyTester;
+          server = "cloudflare";
+        }
         {
           inbound = [
             "shadowsocks-multi-user"
@@ -91,6 +97,14 @@ let
         )
         warpGeoip;
       rules = [
+        {
+          protocol = "bittorrent";
+          outbound = "block";
+        }
+        {
+          domain = latencyTester;
+          outbound = "direct";
+        }
         {
           rule_set = warpGeoip ++ warpGeosite;
           outbound = "warp";
@@ -100,52 +114,47 @@ let
     inbounds = [
       {
         type = "shadowtls";
-        listen = "::";
-        listen_port = cfg.ingress;
         version = 3;
-        strict_mode = true;
+
+        detour = "shadowsocks-multi-user";
         domain_strategy = "prefer_ipv6";
+        listen = "::";
+        listen_port = cfg.ingress;
         sniff = true;
         sniff_override_destination = true;
+        strict_mode = true;
+        tcp_fast_open = true;
+        handshake = {
+          server = config.sops.placeholder."sing-box/shadowtls/handshake/server";
+          server_port = 443;
+        };
         users = [
           {
             name = config.sops.placeholder."sing-box/shadowtls/username";
             password = config.sops.placeholder."sing-box/shadowtls/password";
           }
         ];
-        handshake = {
-          server = config.sops.placeholder."sing-box/shadowtls/handshake/server";
-          server_port = 443;
-        };
-        tcp_fast_open = true;
-        detour = "shadowsocks-multi-user";
       }
       {
         type = "shadowsocks";
         tag = "shadowsocks-multi-user";
+
         listen = "::1";
         listen_port = 0;
         method = config.sops.placeholder."sing-box/shadowsocks/method";
         password = config.sops.placeholder."sing-box/shadowsocks/password";
-        users = builtins.map
-          (user: {
-            name = user;
-            password = config.sops.placeholder."sing-box/shadowsocks/users/${user}";
-          }) [
-          "iosmanthus"
-          "lego"
-          "lbwang"
-          "tover"
-          "alex"
-          "mgw"
-        ];
+        users = config.sops.placeholder."sing-box/shadowsocks/users";
       }
     ];
     outbounds = [
       {
         type = "direct";
         tag = "direct";
       }
+      {
+        type = "block";
+        tag = "block";
+      }
       {
         type = "wireguard";
         tag = "warp";
@@ -163,6 +172,12 @@ let
       }
     ];
   };
+
+  # nested JSON objects should be unquoted
+  settingsJSON = builtins.replaceStrings
+    [ ''"${config.sops.placeholder."sing-box/shadowsocks/users"}"'' ]
+    [ config.sops.placeholder."sing-box/shadowsocks/users" ]
+    (builtins.toJSON settings);
 in
 {
   imports = [
@@ -190,7 +205,7 @@ in
     ];
 
     sops.templates."sing-box.json" = {
-      content = builtins.toJSON settings;
+      content = settingsJSON;
     };
   };
 }
diff --git a/modules/default.nix b/modules/default.nix
@@ -27,4 +27,5 @@
   sing-box = import ./sing-box;
   subgen = import ./subgen;
   gemini-openai-proxy = import ./gemini-openai-proxy;
+  unguarded = import ./unguarded;
 }
diff --git a/modules/unguarded/default.nix b/modules/unguarded/default.nix
@@ -0,0 +1,38 @@
+{ pkgs
+, config
+, lib
+, ...
+}:
+with lib;
+let
+  cfg = config.services.self-hosted.unguarded;
+in
+{
+  options.services.self-hosted.unguarded = {
+    enable = mkEnableOption "unguarded service";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.unguarded;
+      description = "The unguarded package to use";
+    };
+
+    address = mkOption {
+      type = types.str;
+      default = "127.0.0.1:8787";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.unguarded = {
+      serviceConfig = {
+        Type = "simple";
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        ExecStart = "${cfg.package}/bin/unguarded -addr ${cfg.address}";
+      };
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "network-online.target" ];
+      requires = [ "network-online.target" ];
+    };
+  };
+}
diff --git a/nixos/aws-lightsail-0/caddy/default.nix b/nixos/aws-lightsail-0/caddy/default.nix
@@ -57,10 +57,6 @@ in
   services.caddy = {
     enable = true;
     virtualHosts = {
-      "subgen.iosmanthus.com" = mkReverseProxy {
-        backend = config.services.self-hosted.subgen.address;
-        logLevel = "INFO";
-      };
       "vault.iosmanthus.com" = mkReverseProxy {
         backend = "${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
         logLevel = "INFO";
@@ -69,10 +65,6 @@ in
         backend = "127.0.0.1:8888";
         logLevel = "INFO";
       };
-      "chatgpt.iosmanthus.com" = mkReverseProxy {
-        backend = "127.0.0.1:3210";
-        logLevel = "INFO";
-      };
       "o2g.iosmanthus.com" = mkReverseProxy {
         backend = "127.0.0.1:${toString config.services.self-hosted.gemini-openai-proxy.port}";
         logLevel = "INFO";

diff --git a/nixos/aws-lightsail-0/chatgpt-next-web/default.nix b/nixos/aws-lightsail-0/chatgpt-next-web/default.nix
diff --git a/nixos/aws-lightsail-0/default.nix b/nixos/aws-lightsail-0/default.nix
@@ -1,14 +1,9 @@
-{ pkgs
-, modulesPath
-, lib
-, ...
+{ ...
 }:
 {
   imports = [
     ./atuin
     ./caddy
-    ./chatgpt-next-web
-    ./subgen
     ./vaultwarden
   ];