9 changed files with 36 additions and 136 deletions
--- a/hosts/arumi/services/sing-box.nix
+++ b/hosts/arumi/services/sing-box.nix
@ -1,69 +1,53 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 {
-  desu.secrets.arumi-singbox-pk.owner = "xray";
+  desu.secrets.arumi-singbox-pk = {};
-  desu.secrets.arumi-singbox-sid.owner = "xray";
+  desu.secrets.arumi-singbox-sid = {};
-  desu.secrets.arumi-singbox-users.owner = "xray";
+  desu.secrets.arumi-singbox-users = {};
-  users.users.xray = {
+  services.sing-box = {
    isNormalUser = true;
    uid = 1102;
  };
  services.xray = {
    enable = true;
-    settingsFile = "/etc/xray/config.json";
+    settings = {
  };
  systemd.tmpfiles.rules = [
    "d /etc/xray 0700 1102 1102 -"
  ];
  systemd.services.xray.serviceConfig = {
    DynamicUser = lib.mkForce false;
    User = "xray";
  };
  systemd.services.xray.preStart = let 
    file = "/etc/xray/config.json";
    template = pkgs.writeText "config.json" (builtins.toJSON {
      log = { level = "info"; timestamp = true; };
      inbounds = [
        {
-          port = 443;
+          type = "vless";
-          protocol = "vless";
+          tag = "vless-in";
-          settings = {
+          listen = "::";
-            decryption = "none";
+          listen_port = 443;
-            clients = []; # populated later in the preStart script
+          sniff = true;
-          };
+          sniff_override_destination = true;
-          streamSettings = {
+          domain_strategy = "ipv4_only";
-            network = "tcp";
+          users = []; # populated later in the preStart script
-            security = "reality";
+          tls = let server = "updates.cdn-apple.com"; in {
            realitySettings = {
              alpn = [ "h2" ];
              target = "updates.cdn-apple.com:443"; 
              serverNames = [ "updates.cdn-apple.com" ];
              privateKey = ""; # populated later in the preStart script
              shortIds = []; # populated later in the preStart script
            };
          };
          sniffing = {
            enabled = true;
-            destOverride = [ "tls" "http" "quic" ];
+            server_name = server;
-            routeOnly = true;
+            reality = {
              enabled = true;
              handshake = { inherit server; server_port = 443; };
              private_key._secret = config.desu.secrets.arumi-singbox-pk.path;
              short_id = [ 
                { _secret = config.desu.secrets.arumi-singbox-sid.path; }
              ];
            };
          };
        }
      ];
      outbounds = [
-        { protocol = "freedom"; tag = "direct"; }
+        { type = "direct"; tag = "direct"; }
        { type = "block"; tag = "block"; }
      ];
-    });
+    };
  };
  systemd.services.sing-box.preStart = let 
    file = "/etc/sing-box/config.json";
  in ''
    users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
-    pk=$(cat ${config.desu.secrets.arumi-singbox-pk.path})
+    ${pkgs.jq}/bin/jq --arg users "$users" \
-    sid=$(cat ${config.desu.secrets.arumi-singbox-sid.path})
+      '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
-    ${pkgs.jq}/bin/jq --arg users "$users" --arg pk "$pk" --arg sid "$sid" \
+      ${file} > ${file}.tmp
-      '.inbounds[0].settings.clients = ($users | fromjson | map({ "id": ., "flow": "xtls-rprx-vision" }))
+    mv ${file}.tmp ${file}
        | .inbounds[0].streamSettings.realitySettings.privateKey = $pk
        | .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file}
  '';
  networking.firewall.allowedTCPPorts = [ 443 ];
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@ -41,7 +41,6 @@
    ./containers/outline
    ./containers/docmost
    ./containers/forgejo
    ./containers/activepieces
    ./containers/teisu.nix
    ./containers/bots/pcre-sub-bot.nix
    ./containers/bots/channel-logger-bot.nix
@ -113,8 +112,6 @@
  boot.kernelParams = [ "panic=5" "panic_on_oops=1" "mitigations=off" ];
  boot.kernelPackages = pkgs.linuxPackages_latest;
  networking.firewall.allowedTCPPorts = [ 25565 ];
  services.desu-deploy = {
    enable = true;
    key = builtins.readFile (abs "ssh/desu-deploy.pub");
--- a/hosts/koi/containers/activepieces/default.nix
+++ b/hosts/koi/containers/activepieces/default.nix
@ -1,67 +0,0 @@
 { pkgs, config, ... }:
 let 
  UID = 1127;
  context = pkgs.copyPathToStore ./image;
 in {
  desu.secrets.activepieces-env.owner = "activepieces";
  users.users.activepieces = {
    isNormalUser = true;
    uid = UID;
  };
  services.postgresql.ensureUsers = [
    { name = "activepieces"; ensureDBOwnership = true; }
  ];
  services.postgresql.ensureDatabases = [ "activepieces" ];
  desu.postgresql.ensurePasswords.activepieces = "activepieces";
  virtualisation.oci-containers.containers.activepieces-redis = {
    image = "docker.io/redis:7.0-alpine";
    user = builtins.toString UID;
    extraOptions = [
      "--mount=type=bind,source=/srv/activepieces/redis,target=/data"
    ];
  };
  systemd.tmpfiles.rules = [
    "d /srv/activepieces/redis 0700 ${builtins.toString UID} ${builtins.toString UID} -"
  ];
  systemd.services.docker-activepieces.serviceConfig.ExecStartPre = [
    (pkgs.writeShellScript "build-activepieces" ''
      docker build -t local/activepieces ${context}
    '')
  ];
  virtualisation.oci-containers.containers.activepieces = {
    image = "local/activepieces";
    dependsOn = [ "activepieces-redis" ];
    environment = {
      AP_EXECUTION_MODE = "SANDBOX_CODE_ONLY";
      AP_FRONTEND_URL = "https://ap.stupid.fish";
      AP_POSTGRES_URL = "postgres://activepieces:activepieces@172.17.0.1:5432/activepieces";
      AP_TELEMETRY_ENABLED = "false";
      AP_EDITION = "ee";
      AP_QUEUE_MODE = "REDIS";
      AP_REDIS_HOST = "activepieces-redis.docker";
      AP_REDIS_PORT = "6379"; 
    };
    environmentFiles = [
      # oidc related config + SECRET_KEY, UTILS_SECRET
      config.desu.secrets.activepieces-env.path
    ];
    user = builtins.toString UID;
  };
  systemd.services.docker-activepieces.requires = [ "postgresql.service" ];
  services.nginx.virtualHosts."ap.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";
    locations."/" = {
      proxyPass = "http://activepieces.docker$request_uri";
      proxyWebsockets = true;
    };
  };
 }
--- a/hosts/koi/containers/activepieces/image/Dockerfile
+++ b/hosts/koi/containers/activepieces/image/Dockerfile
@ -1,8 +0,0 @@
 FROM ghcr.io/activepieces/activepieces:0.38.3
 RUN sed -i -E 's!https://secrets.activepieces.com/license-keys!https://license.stupid.fish/services/activepieces!' /usr/src/app/dist/packages/server/api/main.js && \
    chmod -R 777 /var/log/nginx/ && \
    chmod -R 777 /var/lib/nginx && \
    chmod -R 777 /run/ && \
    mkdir -p /usr/src/app/cache && \
    chmod -R 777 /usr/src/app/cache
--- a/hosts/koi/containers/teisu.nix
+++ b/hosts/koi/containers/teisu.nix
@ -11,7 +11,7 @@ in {
  };
  virtualisation.oci-containers.containers.teisu = {
-    image = "git.stupid.fish/teidesu/tei.su:latest";
+    image = "ghcr.io/teidesu/tei.su:latest";
    environmentFiles = [
      config.desu.secrets.teisu-env.path
    ];
--- a/secrets/activepieces-env.age
+++ b/secrets/activepieces-env.age
--- a/secrets/arumi-singbox-users.age
+++ b/secrets/arumi-singbox-users.age
--- a/secrets/forgejo-packages-token.age
+++ b/secrets/forgejo-packages-token.age
--- a/secrets/license-servers-env.age
+++ b/secrets/license-servers-env.age
@ -1,6 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 sj88Xw x8G6D56j1N7kjMuU9TXdKxpmCyPyDnkbRSAAjcmIXGc
 qzQbchvolZgSIWisyKg/eiNRh+826iz6WHu5HQOiBoU
 --- MnAF7KtGU97wxf2tCfRbitqRPV/Bfg/GftUCrZAjtuU
 YC¥`+Û¬¦k÷bt½b¥‰CGRÿoùUtMü5b<35>UäZ
 xN÷I(pÜž6ºjÏ]y°_›ÃP&ÎE…<45>ÒjSO‰¢ZŽÒCÜkñÇmCW¾4´4M°g¼ª’ÖtìÏvhÆHá