Merge branch 'main' into next

2026-01-12 04:39:23 +08:00 · 2023-08-11 16:22:45 +08:00
parent 0a48e6ffae 682cf2766f
commit fe62b6bd81
5 changed files with 142 additions and 32 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -217,6 +217,7 @@
 											"beta.mirism.one" = "216.24.188.24";
 											"ng01.mirism.one" = "216.24.188.24";
 											"debug.mirism.one" = "127.0.0.1";
+											"initrd.vps6.chn.moe" = "74.211.99.69";
 										};
 									};
 								};
--- a/modules/fileSystems/default.nix
+++ b/modules/fileSystems/default.nix
@@ -208,7 +208,7 @@ inputs:
 				{
 					boot.initrd.systemd.services.roll-rootfs =
 					{
-						wantedBy = [ "local-fs-pre.target" ];
+						wantedBy = [ "initrd.target" ];
 						after = [ "cryptsetup.target" "systemd-hibernate-resume.service" ];
 						before = [ "local-fs-pre.target" "sysroot.mount" ];
 						unitConfig.DefaultDependencies = false;
--- a/modules/packages/default.nix
+++ b/modules/packages/default.nix
@@ -36,7 +36,7 @@ inputs:
 					# shell
 					ksh
 					# basic tools
-					beep dos2unix gnugrep pv tmux screen parallel tldr cowsay
+					beep dos2unix gnugrep pv tmux screen parallel tldr cowsay jq
 					# lsxx
 					pciutils usbutils lshw util-linux lsof
 					# top
@@ -116,7 +116,7 @@ inputs:
 						# instant messager
 						element-desktop telegram-desktop discord qq nur-xddxdd.wechat-uos # jail
 						inputs.config.nur.repos.linyinfeng.wemeet # native # nur-xddxdd.wine-wechat thunder
-						zoom-us signal-desktop
+						zoom-us signal-desktop cinny-desktop
 						# browser
 						google-chrome
 						# networking
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -306,9 +306,8 @@ inputs:
 					{
 						templates."xray-client.json" =
 						{
-							mode = "0440";
-							owner = "v2ray";
-							group = "v2ray";
+							owner = inputs.config.users.users.v2ray.name;
+							group = inputs.config.users.users.v2ray.group;
 							content = builtins.toJSON
 							{
 								log.loglevel = "info";
@@ -427,7 +426,7 @@ inputs:
 				}
 			)
 			(
-				mkIf services.xrayServer.enable
+				mkIf services.xrayServer.enable (let userList = genList (n: n) 3; in
 				{
 					services =
 					{
@@ -440,13 +439,12 @@ inputs:
 							locations."/".return = "400";
 						};
 					};
-					sops = let userList = genList (n: n) 3; in
+					sops =
 					{
 						templates."xray-server.json" =
 						{
-							mode = "0440";
-							owner = "v2ray";
-							group = "v2ray";
+							owner = inputs.config.users.users.v2ray.name;
+							group = inputs.config.users.users.v2ray.group;
 							content = builtins.toJSON
 							{
 								log.loglevel = "warning";
@@ -486,27 +484,137 @@ inputs:
 													}];
 											};
 										};
+										sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; routeOnly = true; };
 										tag = "in";
 									}
+									{
+										port = 4638;
+										listen = "127.0.0.1";
+										protocol = "vless";
+										settings =
+										{
+											clients = [{ id = "be01f0a0-9976-42f5-b9ab-866eba6ed393"; }];
+											decryption = "none";
+										};
+										streamSettings.network = "tcp";
+										sniffing = { enabled = true; destOverride = [ "http" "tls" "quic" ]; };
+										tag = "in-localdns";
+									}
+									{
+										listen = "127.0.0.1";
+										port = 6149;
+										protocol = "dokodemo-door";
+										settings.address = "127.0.0.1";
+										tag = "api";
+									}
 								];
-								outbounds = [{ protocol = "freedom"; tag = "freedom"; }];
+								outbounds =
+								[
+									{ protocol = "freedom"; tag = "freedom"; }
+									{
+										protocol = "vless";
+										settings.vnext =
+										[{
+											address = "127.0.0.1";
+											port = 4638;
+											users = [{ id = "be01f0a0-9976-42f5-b9ab-866eba6ed393"; encryption = "none"; }];
+										}];
+										streamSettings.network = "tcp";
+										tag = "loopback-localdns";
+									}
+								];
+								routing =
+								{
+									domainStrategy = "AsIs";
+									rules = builtins.map (rule: rule // { type = "field"; })
+									[
+										{ inboundTag = [ "in" ]; domain = [ "domain:openai.com" ]; outboundTag = "loopback-localdns"; }
+										{ inboundTag = [ "in" ]; outboundTag = "freedom"; }
+										{ inboundTag = [ "in-localdns" ]; outboundTag = "freedom"; }
+										{ inboundTag = [ "api" ]; outboundTag = "api"; }
+									];
+								};
+								stats = {};
+								api = { tag = "api"; services = [ "StatsService" ]; };
+								policy =
+								{
+									levels."0" = { statsUserUplink = true; statsUserDownlink = true; };
+									system =
+									{
+										statsInboundUplink = true;
+										statsInboundDownlink = true;
+										statsOutboundUplink = true;
+										statsOutboundDownlink = true;
+									};
+								};
 							};
 						};
-						secrets = listToAttrs (map (n: { name = "xray-server/clients/user${toString n}"; value = {}; }) userList);
+						secrets = listToAttrs (map (n: { name = "xray-server/clients/user${toString n}"; value = {}; }) userList)
+							// (listToAttrs (map
+								(name:
+								{
+									name = "xray-server/telegram/${name}";
+									value =
+									{
+										owner = inputs.config.users.users.v2ray.name;
+										group = inputs.config.users.users.v2ray.group;
+									};
+								})
+								[ "token" "chat" ]));
 					};
-					systemd.services.xray =
+					systemd =
 					{
-						serviceConfig =
+						services =
 						{
-							DynamicUser = inputs.lib.mkForce false;
-							User = "v2ray";
-							Group = "v2ray";
-							CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
-							AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
-							LimitNPROC = 10000;
-							LimitNOFILE = 1000000;
+							xray =
+							{
+								serviceConfig =
+								{
+									DynamicUser = inputs.lib.mkForce false;
+									User = "v2ray";
+									Group = "v2ray";
+									CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
+									AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
+									LimitNPROC = 10000;
+									LimitNOFILE = 1000000;
+								};
+								restartTriggers = [ inputs.config.sops.templates."xray-server.json".file ];
+							};
+							xray-stat =
+							{
+								script =
+									let
+										xray = "${inputs.pkgs.xray}/bin/xray";
+										awk = "${inputs.pkgs.gawk}/bin/awk";
+										curl = "${inputs.pkgs.curl}/bin/curl";
+										token = inputs.config.sops.secrets."xray-server/telegram/token".path;
+										chat = inputs.config.sops.secrets."xray-server/telegram/chat".path;
+									in stripeTabs
+									''
+										message='xray:\n'
+										for i in {0..${toString ((length userList) - 1)}}
+										do
+											upload_bytes=$(${xray} api stats --server=127.0.0.1:6149 \
+												-name "user>>>''${i}@xray.chn.moe>>>traffic>>>uplink" | , jq '.stat.value' | sed 's/"//g')
+											[ -z "$upload_bytes" ] && upload_bytes=0
+											download_bytes=$(${xray} api stats --server=127.0.0.1:6149 \
+												-name "user>>>''${i}@xray.chn.moe>>>traffic>>>downlink" | , jq '.stat.value' | sed 's/"//g')
+											[ -z "$download_bytes" ] && download_bytes=0
+											traffic_gb=$(echo | ${awk} "{printf \"%.3f\",(''${upload_bytes}+''${download_bytes})/1073741824}")
+											message="$message$i"'\t'"''${traffic_gb}"'G\n'
+										done
+										${curl} -X POST -H 'Content-Type: application/json' \
+											-d "{\"chat_id\": \"$(cat ${chat})\", \"text\": \"$message\"}" \
+											https://api.telegram.org/bot$(cat ${token})/sendMessage
+									'';
+								serviceConfig = { Type = "oneshot"; User = "v2ray"; Group = "v2ray"; };
+							};
+						};
+						timers.xray-stat =
+						{
+							wantedBy = [ "timers.target" ];
+							timerConfig = { OnCalendar = "*-*-* 0:00:00"; Unit = "xray-stat.service"; };
 						};
-						restartTriggers = [ inputs.config.sops.templates."xray-server.json".file ];
 					};
 					users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
 					nixos.services =
@@ -521,7 +629,7 @@ inputs:
 					};
 					security.acme.certs.${services.xrayServer.serverName}.group = "v2ray";
 				}
-			)
+			))
 			{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
 			(
 				mkIf services.acme.enable
@@ -571,9 +679,8 @@ inputs:
 					{
 						templates."frpc.ini" =
 						{
-							mode = "0440";
-							owner = "frp";
-							group = "frp";
+							owner = inputs.config.users.users.frp.name;
+							group = inputs.config.users.users.frp.group;
 							content = inputs.lib.generators.toINI {}
 							(
 								{
@@ -635,9 +742,8 @@ inputs:
 					{
 						templates."frps.ini" =
 						{
-							mode = "0440";
-							owner = "frp";
-							group = "frp";
+							owner = inputs.config.users.users.frp.name;
+							group = inputs.config.users.users.frp.group;
 							content = inputs.lib.generators.toINI {}
 							{
 								common = let cert = inputs.config.security.acme.certs.${services.frpServer.serverName}.directory; in
--- a/secrets/vps6.yaml
+++ b/secrets/vps6.yaml
@@ -7,6 +7,9 @@ xray-server:
        user0: ENC[AES256_GCM,data:rJ00sfe/oJSry6Ixn4Bn+p41syqsOrdWv6fRGVCwPvn/unMY,iv:htTvFMvhIRkORA/gIU8J7CgA+tOncYQWh7sUh+F6XDs=,tag:VrSJBD7ti9WtSLHoWjMClw==,type:str]
        user1: ENC[AES256_GCM,data:S3IHO9FcVHTJOsRxjSohM9MgnrEwLdDpFU+efLkQaXT2jNJG,iv:KOesvPzjDfm1EDLFiegbk0wgjp7di5mUwUuuY2hwvOQ=,tag:ZsYyUyyEhO5S3weCw/gPMw==,type:str]
        user2: ENC[AES256_GCM,data:e7ITe2ZouKr8dXT7SYATyzbzHaVeu6AKt1OcQKk3U0nsQgoa,iv:UbOOuojy6OAFEH8lGhKe5Hs+2K6FX5MZ8Br9AB007gs=,tag:5XeB4YngzTcHZvCpXe/ZXA==,type:str]
+    telegram:
+        token: ENC[AES256_GCM,data:xsJoGgQ8pLeZqA2alGKkCyrvnjY6rVF5TlXn4GWDrStFBl65XXzwVY/9ZZthYQ==,iv:qTLfpRUyuIGFM668URfknhSRtx3WEHp/WTGzGUPuFd4=,tag:p8mF0tM+t02g7v2EQZN3Vg==,type:str]
+        chat: ENC[AES256_GCM,data:X1JxFQw0bPCu,iv:hf+TOSH2p9RdnXDFKxTpSRzxDLdJyzNHVV8MfOQuGWY=,tag:iiWw9IFiBGOOyOSl9Jj2wQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -31,8 +34,8 @@ sops:
            ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
            ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-10T11:31:46Z"
-    mac: ENC[AES256_GCM,data:+NY9DY6NvTfGkfrjglcGpBSTLbLSzYw0A9zMo5/sGwcFtJKgjhGTUmKAgjKeojYsXk+ha8mdBoHnpVoW253EYywdq5uSXnw6KDnNZ+UVNxbD3JP9rnx3x+ZWehG7K6NH9ANW4GQjrKW+WDFPCggoviNWRZ3hANWVvJNV3jwj88E=,iv:04RvCNPh1N3uc1pv9Zxwhppe1s5YtpgMhq4VXd+twCA=,tag:4K2RV++JdCBBPYh7InNyjg==,type:str]
+    lastmodified: "2023-08-11T06:52:35Z"
+    mac: ENC[AES256_GCM,data:dHv2vxW9eHdFj2TuDegrLghBRwIv3+GfkQQWTGPx6mOYRLHhs6dzlzCFXmIXLGWL3d/bkqvSXRLso43eoOlE+u5SAoB+NgXP06Gs+6RVaATM8GT9Hjh+CLl+Rz9O8lXkkptCtsET97rDc++WTBaQ98dFavILHKTuenzHcsPpU4c=,iv:1Ob7SO4qQNOGYsqQcKWYzMv3IChQ50HsttbkK2I186M=,tag:8VkUMiyLFSh5z/DUlokzRg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3