diff --git a/devices/nas/default.nix b/devices/nas/default.nix
index 7acf8cb7..bd151d10 100644
--- a/devices/nas/default.nix
+++ b/devices/nas/default.nix
@@ -34,15 +34,10 @@ inputs:
 services =
 {
 sshd = {};
- xray =
+ xray.client =
 {
- client =
- {
- xray.serverName = "xserver2.vps9.chn.moe";
- dnsmasq = { extraInterfaces = [ "enp3s0" ]; hosts."git.chn.moe" = "127.0.0.1"; };
- };
- xmuServer = {};
- server.serverName = "xservernas.chn.moe";
+ xray.serverName = "xserver2.vps9.chn.moe";
+ dnsmasq = { extraInterfaces = [ "enp3s0" ]; hosts."git.chn.moe" = "127.0.0.1"; };
 };
 beesd."/".hashTableSizeMB = 10 * 128;
 nix-serve.hostname = "nix-store.nas.chn.moe";
diff --git a/devices/nas/secrets.yaml b/devices/nas/secrets.yaml
index a80f0299..59f3638e 100644
--- a/devices/nas/secrets.yaml
+++ b/devices/nas/secrets.yaml
@@ -1,11 +1,5 @@
 xray-client:
 uuid: ENC[AES256_GCM,data:97aX07G5FPumdWcDxnYOs6fRgljXWuwyNXGg1d7zdbUUfNnb,iv:+wAC/DZXsg+evYFA4DMfLw5Ut3ExQl1RgZ/2AsNQDpo=,tag:ebD77muITHof+FQMydWobg==,type:str]
-xray-xmu-server: ENC[AES256_GCM,data:3O5rFi5szla70M/c62JV4nGWKPSOREImrOucjeVYf9bde6K8,iv:PGCqlmHtaNuWOtAAeJ6O+CWFpMszijozU1OpUFrftjs=,tag:iGTOoNvQhhZy2FL9jy1KIQ==,type:str]
-xray-server:
- clients:
- #ENC[AES256_GCM,data:gToh4rgMOQ==,iv:A14sSC7ExbSZNOzzz6mOmWalSz9K6ROoSYgCqdF7j4U=,tag:1Jr2FfVQ9L2w+bWHh/NekQ==,type:comment]
- user4: ENC[AES256_GCM,data:/ZrgvlpwDlKhcHqkBRsdqqJsNUxtb3ZnC36mc8qlJ+HP4mY3,iv:R5QzXY0mC72TDB0OcF4fJt3bc5L1Z96Q+n9kNbZP7m4=,tag:tjWSEcsG0udvQZZJ/RMTJw==,type:str]
- private-key: ENC[AES256_GCM,data:34FOslwr3AZNDg4YrS95S20agGXwGJRNGnpogMR7utbt1ELUxfQkiAU1qw==,iv:4fiJCi6TJM+NIlfI1qFX/eCNhcVaCWGsLA7iMjQpATw=,tag:eLz8HlQMprQNryk5saqyVQ==,type:str]
 store:
 signingKey: ENC[AES256_GCM,data:zr02XBgQ4H5jRnjpLtp9rjcysXP9qI7McOiBwaWhdylu5GevKmxlCd4h3pEUO74k+gJT88BzJ+S59P+6DS76Y5nlKqextGMzGjdq5XPkdDkSkKZBai2kkqBSyko=,iv:hyhroaDazMLFeLMGruiFeokZ2Tz3xKj+xCsiEUJ5faQ=,tag:w3805eqo6Y1pw65mjoRgOg==,type:str]
 nginx:
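Review bot: Nothing in this commit retires the `xservernas.chn.moe` hostname whose xray server (`server.serverName`, removed in this hunk together with `xmuServer = {}`) no longer runs on nas. I cannot see DNS or certificate configuration from here; if a public record or TLS certificate for that name still exists after this change, it becomes a dangling name pointing at a host that no longer serves it and should be cleaned up alongside this commit. A short comment on the new `xray.client =` line, such as `# nas is client-only; the xservernas.chn.moe server was removed, retire its DNS record and certificate`, would record that follow-up. The enclosing `services` attrset starts and ends outside the hunk.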
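Review bot: Deleting `xray-server.private-key` and `clients.user4` from this sops file does not retire those credentials: the ciphertext remains in git history under the same age recipients, and any peer still configured with that key or client id keeps a usable credential. If the key pair identified the nas xray server that this commit removes, it is safer to treat it as consumed and generate a fresh one should the server ever be re-enabled, rather than restoring the old entry from history. The same consideration applies to the `xray-xmu-client` uuid and cookie dropped from devices/pc/secrets/default.yaml and devices/vps6/secrets.yaml: the removed xmuClient module used that cookie as a `wengine_vpn_ticket` session ticket, which presumably stays valid on the remote side until it expires or is logged out, so deleting it here only stops local use.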
@@ -99,7 +93,7 @@ sops:
 by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
 kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-12T08:53:54Z"
- mac: ENC[AES256_GCM,data:BmUcsv1AFkmIYdrYsYcjZExdyIfbAK+RHeIgaHvvgaGNxl3LxaS04CIwTB7HKA2vl87V+1Z2I/pGdEgE+KcUxl1RaRhGDTjkJeoxubSnwnhPb7B1WAb18MXXD5LiMUZzoGoMcqRTbkBIX9JJHcrdiKuSiXuyn6HbP/9g50unr2w=,iv:XMWqHOtodBX8UvPfGhoSt08gbacabzEJ59r4qrPOx2s=,tag:/dEIE5lMG1J54cIVB2Impg==,type:str]
+ lastmodified: "2025-12-04T12:33:59Z"
+ mac: ENC[AES256_GCM,data:PziK49hYICDZX887LZmQhOOtjjijduVZxcimw0P9HecJrixtda2CzG2ZzRK3fmo4qIIWpdopmoNAHkFLV5SmA8W5NCW467fYvETFtChZk/R+7MlzNctCQ3DJKCNIGcPxq+7XuqXcX3Cv6n4tELYs23q9TCkXuEjIRaaL4qYRVq0=,iv:VQdHRmFUUlLOJ+6QRjmhEfYQ6FAcIjgfiCDS63ZjZto=,tag:3Wnkci/4r5xVGZNJ4fXxHw==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
diff --git a/devices/pc/secrets/default.yaml b/devices/pc/secrets/default.yaml
index 7193eb5d..a13f0e0c 100644
--- a/devices/pc/secrets/default.yaml
+++ b/devices/pc/secrets/default.yaml
@@ -12,9 +12,6 @@ nix:
 remote: ENC[AES256_GCM,data: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,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
 searx:
 secret-key: ENC[AES256_GCM,data:KhIP+Rz3rMfNgPEGTlKGvm6gl1/ZuPI=,iv:GcaLEJHKJO3n6IaeiFr9PaJ6eNx04/VjX3UgmBF429g=,tag:HkplyH9hTHUaEZ709TyitA==,type:str]
-xray-xmu-client:
- uuid: ENC[AES256_GCM,data:XiUkReTJLAxZNWFVeD6EiOtUX5tsyPLFi6QyDBdHyB4v5/mD,iv:QppdtP2CFDEVhlrmDJKYBGc1zYGJvpGYxLfsBAMxDSI=,tag:jzMSFRit+aBzWMkaa3+5hA==,type:str]
- cookie: ENC[AES256_GCM,data:0jqSEZloX2/c8Zg4WTKkLw==,iv:BKLm1KMoRrH0uO6hPMsv2a7sG0AwNRrdbpmABP4BszA=,tag:pBs+rQIhhNO4Qr6q1V3MUA==,type:str]
 tinc: ENC[AES256_GCM,data:qI2KAyJiC9m+IOzTQ7SFjWnjzzkxvNe6R2yxyK+C/YnEK4JdYqEETIMuqAUQxaSyHjKk9x6kDs3YPC2AyNKf+lc22YoB35Eo5ym+3+GDDPTL4wL4aI4xnGHVLH3JrSFHDyIbvu8R2NLnSy2j4O5Uj+jJmOz/b1xV8zeLbdoFwLgZCbcxvqkIwMlJdDGjAtjEb8eDkjtVzSRSPXohgYgmhxKZyA5/7c41e+/X6RIsHHeOD+Ppz5jlYAkRrsvAxGTfrMN2xTZopxc=,iv:E/8ys6ucmmaKawqrgumJdjTsC17F7Y0RgnHYfu3RIPQ=,tag:OZM/HG88gyF9TZXwHcd3nA==,type:str]
 open-webui:
 openai: ENC[AES256_GCM,data:8CQLvoDuGtQ7PN+1SOmXF48dV/G6fDOiu6olkhSbWEjYcNO4VVmxtHw=,iv:rKBxOTB7/LXfXWVrBFBJeyn43R82oBYCxup8OzWvzKk=,tag:ByoyMizWc9Lpnt+ciYcszg==,type:str]
@@ -39,7 +36,7 @@ sops:
 OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
 +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-06T12:37:57Z"
- mac: ENC[AES256_GCM,data:7iy/orIRUCtFhTaHdskIYu7b9a3uqM4xz+2hRSAvJ7HeKEWFcgCOhE8t5jPkXTi8gMciw/I60015k+GF/mY7cK2Sa/HiWptGwhKAr1jNF4LgJN13eG+7HLQ7Y2SopAzVV2+j0Sit7gsg8x+a1hR/Xi6OBu8ecjyW//Rcelj/Lwc=,iv:F82F+w7BRO3ubZjzV2TU4d0pqbf9d6gUAEZ5YOzEQ1M=,tag:TKMi/mHSqtVv+kvhRbRxmQ==,type:str]
+ lastmodified: "2025-12-04T12:34:21Z"
+ mac: ENC[AES256_GCM,data:S2ijc6yqf12ETehYD5Qbjf5CqEv9JiPOiP1cp2O/WiVPM/fUYBgae/jCC22KEoo4EbSgefV0IvTNM+1Xw2ROmIE19I6vLvKcc1B+qI2kUtXurL1XcpYWNiZg+dlLFFYq8NloktwC9TWQuOC4c6kI2UaWYvzOx9ZBDZ8NLJCHbWo=,iv:/fGS/lgnVFlTdIS+IpKTfyKinfGSUbb1tbLM0jPZxvE=,tag:oVs/jCBRoRBCBbTBOuRjSA==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
diff --git a/devices/vps6/default.nix b/devices/vps6/default.nix
index a3daf79f..1c2f5a6f 100644
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
@@ -25,7 +25,7 @@ inputs:
 services =
 {
 sshd = {};
- xray = { server = {}; xmuPersist = {}; };
+ xray.server = {};
 nginx =
 {
 streamProxy.map =
diff --git a/devices/vps6/secrets.yaml b/devices/vps6/secrets.yaml
index b4e975cc..ace993c7 100644
--- a/devices/vps6/secrets.yaml
+++ b/devices/vps6/secrets.yaml
@@ -2,8 +2,6 @@ send:
 redis-password: ENC[AES256_GCM,data:6zVKw9AmKwSWvHUZhzy0F2KcJW96uFoZY/N1Zq8ilUJOLZeX,iv:viwLIgJz9v8oadr8784OgETbEsxzGsJvVoxmOwWEFxo=,tag:XEYFnoCGwlnrkqaUbgeH+Q==,type:str]
 coturn:
 auth-secret: ENC[AES256_GCM,data:50KqO4GQ1ERbCnK4IjYu6aywT+IPMtVlTzh/TE4MwWApU4pO9yqz25ENGUAKRLi4p+Ecug+Rn3InRl1b+q6bAQ==,iv:SgHkHvHg/+yA1Z5E9effgCnZMVXv5amGNUsVKErai54=,tag:PoYLV9Xr0IXXsA39n7wiTQ==,type:str]
-xray-xmu-client:
- cookie: ENC[AES256_GCM,data:RZ2WFnsX7s/PVqA7ZKhGqw==,iv:CknFoAcHIiIwJI1IEXkFdWXcOCAZr50pfwmQN72OI8o=,tag:w2pNU1APxlSQsGMIEdE2OA==,type:str]
 tinc: ENC[AES256_GCM,data:E3OrPA67R48x5FJUW0ZbERlclz8Z/XokAaGTeBQLPEHSeqEArHYSZkdJRZejFrBruJPlGZMPNBQzlIBXOfXKwMnlBDaGJIIJHIzPDGG9W7QF4IIRK/BjVZHFwfKvZtbUDGsqLcCSe5+ttmyucBaFGquXhnD/Tu09uyWtRvS10KAJLY0Z2/16CFB1+8egJIcYw2TFXObo+KR92Va0qwiDSepKaJtYLimDGRKk04QGj+BYa5y8PjIG6bz8UG82mmCiV7XM3EPlSMA=,iv:kawsklNGFbRhxKuUwvNL2WyBxuYu2T/uks1cJ4i8NhA=,tag:V+jAaxQX7JCiR5+wIVW4Nw==,type:str]
 postgresql:
 headscale: ENC[AES256_GCM,data:z2cyyT1TcIhNJCBeGn072aFI2nAioWZQvpyzoky4tWtMymKlw4ilOtSYAsp+kaNOoqvWSmoAQNJLNzeDk1iTCQ==,iv:hZdS/CAVBO0k/AmX3qw3YwTYgK49Aeu5QI3YCAduiZ0=,tag:2l4GPV/T2GHjAAUDX3LaEA==,type:str]
@@ -27,7 +25,7 @@ sops:
 ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
 ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-16T03:45:41Z"
- mac: ENC[AES256_GCM,data:AnvNGraWYOKZHtmI73wWerrFRNjAlZdcVSPXDsv+x/0Dohq+9KB/PoWoczXQTUy240BDErXp7UrNmNgwyGtUofdQvJqmdJ2vFkTW0VIWJ1Alq489nafdanGwn97P/aluHqF+zhgBCANAGwIVLaEAggR/xCdidcyn01taHpKoVfE=,iv:frCptbX5gtEmjL7XfCIRaB5jwqOLGJkpVuaOoo/Tg6k=,tag:G0C0ZZ0V24YN+vNv4z4xHQ==,type:str]
+ lastmodified: "2025-12-04T12:35:00Z"
+ mac: ENC[AES256_GCM,data:hiEzLAEtU82Be/+nuMv10/ex/ZacXkNR9LkxdBn/x3kY/0uwHSDI9LGjn0b0/KWIg5zLoxV+zPZEBJQhN4QcRzDT6538zwc0yTv9fkFS0NUF5GchHi8Is6EjjHANbSLe3MEwFumKjx3Lm8AyMjcOXiCckzo4aXV98SHZW9EMVbQ=,iv:Nzzlfsm2aMSVa6NNh4ar67J5dzheWRIVLHSUu5ndjvE=,tag:jO8x2LUpP75g7cXyIYDfQw==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
diff --git a/modules/services/xray/xmuClient.nix b/modules/services/xray/xmuClient.nix
deleted file mode 100644
index be09e256..00000000
--- a/modules/services/xray/xmuClient.nix
+++ /dev/null
@@ -1,91 +0,0 @@
-inputs:
-{
- options.nixos.services.xray.xmuClient = let inherit (inputs.lib) mkOption types; in mkOption
- {
- type = types.nullOr (types.submodule (submoduleInputs: { options =
- {
- hostname = mkOption { type = types.nonEmptyStr; default = "xserverxmu.chn.moe"; };
- };}));
- default = null;
- };
- config = let inherit (inputs.config.nixos.services.xray) xmuClient; in inputs.lib.mkIf (xmuClient != null)
- {
- nixos.system.sops =
- {
- templates."xray-xmu-client.json" =
- {
- owner = inputs.config.users.users.v2ray.name;
- group = inputs.config.users.users.v2ray.group;
- content = builtins.toJSON
- {
- log.loglevel = "warning";
- inbounds =
- [
- {
- port = 10983;
- protocol = "dokodemo-door";
- settings = { network = "tcp,udp"; followRedirect = true; };
- streamSettings.sockopt.tproxy = "tproxy";
- tag = "tproxy-in";
- }
- { port = 10984; protocol = "socks"; settings.udp = true; tag = "socks-in"; }
- ];
- outbounds =
- [{
- protocol = "vless";
- settings.vnext =
- [{
- address = "webvpn.xmu.edu.cn";
- port = 443;
- users =
- [{ id = inputs.config.nixos.system.sops.placeholder."xray-xmu-client/uuid"; encryption = "none"; }];
- }];
- streamSettings =
- {
- network = "xhttp";
- security = "tls";
- xhttpSettings =
- {
- path = "${inputs.pkgs.localPackages.webvpnPath xmuClient.hostname}/xsession";
- mode = "packet-up";
- security = "tls";
- extra.headers.Cookie =
- let ticket = inputs.config.nixos.system.sops.placeholder."xray-xmu-client/cookie";
- in "show_vpn=0; heartbeat=1; show_faq=0; wengine_vpn_ticketwebvpn_xmu_edu_cn=${ticket}";
- };
- tlsSettings.alpn = [ "http/1.1" ];
- };
- }];
- };
- };
- secrets = { "xray-xmu-client/uuid" = {}; "xray-xmu-client/cookie" = {}; };
- };
- systemd.services =
- {
- xray-xmu-client =
- {
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- script = let config = inputs.config.nixos.system.sops.templates."xray-xmu-client.json".path; in
- "exec ${inputs.pkgs.xray}/bin/xray -config ${config}";
- serviceConfig =
- {
- User = "v2ray";
- Group = "v2ray";
- CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
- AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
- NoNewPrivileges = true;
- LimitNPROC = 65536;
- LimitNOFILE = 524288;
- CPUSchedulingPolicy = "rr";
- };
- restartTriggers = [ inputs.config.nixos.system.sops.templates."xray-xmu-client.json".file ];
- };
- };
- users =
- {
- users.v2ray = { uid = inputs.config.nixos.user.uid.v2ray; group = "v2ray"; isSystemUser = true; };
- groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
- };
- };
-}
diff --git a/modules/services/xray/xmuPersist.nix b/modules/services/xray/xmuPersist.nix
deleted file mode 100644
index bab686e4..00000000
--- a/modules/services/xray/xmuPersist.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-inputs:
-{
- options.nixos.services.xray.xmuPersist = let inherit (inputs.lib) mkOption types; in mkOption
- {
- type = types.nullOr (types.submodule (submoduleInputs: { options =
- {
- keepAliveHost = mkOption { type = types.nonEmptyStr; default = "blog.chn.moe"; };
- };}));
- default = null;
- };
- config = let inherit (inputs.config.nixos.services.xray) xmuPersist; in inputs.lib.mkIf (xmuPersist != null)
- {
- nixos.system.sops =
- {
- templates."xray-xmu-persist-cookie.txt" =
- {
- owner = inputs.config.users.users.v2ray.name;
- group = inputs.config.users.users.v2ray.group;
- content = let cookie = inputs.config.nixos.system.sops.placeholder."xray-xmu-client/cookie"; in
- ''
- .webvpn.xmu.edu.cn TRUE / TRUE 0 wengine_vpn_ticketwebvpn_xmu_edu_cn ${cookie}
- webvpn.xmu.edu.cn FALSE / TRUE 0 show_vpn 0
- webvpn.xmu.edu.cn FALSE / TRUE 0 heartbeat 1
- webvpn.xmu.edu.cn FALSE / TRUE 0 show_faq 0
- webvpn.xmu.edu.cn FALSE / FALSE 0 refresh 0
- '';
- };
- secrets."xray-xmu-client/cookie" = {};
- };
- systemd =
- {
- services.xray-xmu-persist =
- {
- script =
- let
- curl = "${inputs.pkgs.curl}/bin/curl";
- cookie = inputs.config.nixos.system.sops.templates."xray-xmu-persist-cookie.txt".path;
- in
- ''
- ${curl} -s -o /dev/null -w "%{http_code}\n" -b ${cookie} \
- "https://webvpn.xmu.edu.cn${inputs.pkgs.localPackages.webvpnPath xmuPersist.keepAliveHost}/";
- '';
- serviceConfig = { Type = "oneshot"; User = "v2ray"; Group = "v2ray"; };
- };
- timers.xray-xmu-persist =
- {
- wantedBy = [ "timers.target" ];
- timerConfig = { OnCalendar = "*-*-* *:*:00"; Unit = "xray-xmu-persist.service"; };
- };
- };
- users =
- {
- users.v2ray = { uid = inputs.config.nixos.user.uid.v2ray; group = "v2ray"; isSystemUser = true; };
- groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
- };
- };
-}
diff --git a/modules/services/xray/xmuServer.nix b/modules/services/xray/xmuServer.nix
deleted file mode 100644
index ed439149..00000000
--- a/modules/services/xray/xmuServer.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-inputs:
-{
- options.nixos.services.xray.xmuServer = let inherit (inputs.lib) mkOption types; in mkOption
- {
- type = types.nullOr (types.submodule { options =
- {
- hostname = mkOption { type = types.nonEmptyStr; default = "xserverxmu.chn.moe"; };
- };});
- default = null;
- };
- config = let inherit (inputs.config.nixos.services.xray) xmuServer; in inputs.lib.mkIf (xmuServer != null)
- {
- nixos.system.sops =
- {
- templates."xray-xmu-server.json" =
- {
- owner = inputs.config.users.users.v2ray.name;
- content = builtins.toJSON
- {
- log.loglevel = "warning";
- inbounds =
- [{
- port = 4727;
- listen = "127.0.0.1";
- protocol = "vless";
- settings =
- {
- clients = [{ id = inputs.config.nixos.system.sops.placeholder."xray-xmu-server"; }];
- decryption = "none";
- };
- streamSettings = { network = "xhttp"; xhttpSettings = { mode = "packet-up"; path = "/xsession"; }; };
- tag = "in";
- }];
- outbounds = [{ protocol = "freedom"; tag = "freedom"; }];
- };
- };
- secrets."xray-xmu-server" = {};
- };
- systemd.services.xray-xmu-server =
- {
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- script = let config = inputs.config.nixos.system.sops.templates."xray-xmu-server.json".path; in
- "exec ${inputs.pkgs.xray}/bin/xray -config ${config}";
- serviceConfig =
- {
- User = "v2ray";
- Group = "v2ray";
- CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
- AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
- NoNewPrivileges = true;
- LimitNPROC = 65536;
- LimitNOFILE = 524288;
- };
- restartTriggers = [ inputs.config.nixos.system.sops.templates."xray-xmu-server.json".file ];
- };
- users =
- {
- users.v2ray = { uid = inputs.config.nixos.user.uid.v2ray; group = "v2ray"; isSystemUser = true; };
- groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
- };
- nixos.services.nginx.https.${xmuServer.hostname}.location =
- { "/".return.return = "400"; "/xsession".proxy.upstream = "http://127.0.0.1:4727"; };
- };
-}