From c2038cecc264efa6f2030583362f7a4d3aa3d9c4 Mon Sep 17 00:00:00 2001
From: oqyude
Date: Fri, 10 Oct 2025 10:54:47 +0300
Subject: [PATCH] 123
---
 nixosModules/vds/secrets/xray.yaml | 17 ++++++++
 nixosModules/vds/xray.nix | 70 ++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 nixosModules/vds/secrets/xray.yaml
diff --git a/nixosModules/vds/secrets/xray.yaml b/nixosModules/vds/secrets/xray.yaml
new file mode 100644
index 0000000..e91f950
--- /dev/null
+++ b/nixosModules/vds/secrets/xray.yaml
@@ -0,0 +1,17 @@
+uuid: ENC[AES256_GCM,data:ISIVGVI2ILnxIGQBZi84cM7sTCOgh6JX6kugxwB+QOBhhvD5,iv:X17MqGOZ69ioW6P5lVx6cyyILaMuPCpZOXimp9JpYHs=,tag:99sGk20v3tEGHlqhbbT+DQ==,type:str]
+private-key: ENC[AES256_GCM,data:u0kQ41APPlasPx9pcp6xOBDxTO2FiMDQKicylYJKO4RJwLkoESpbUZOB4g==,iv:HKEvSczfqJ5VEGQEJ3BCVUvAdqodRG6rK2VqV4jOQLk=,tag:9qw+6uA7QoJ68vK1FArn3A==,type:str]
+sops:
+ age:
+ - recipient: age13l2gtk0nzr484zprp7e0pkrt0ne0j4asyn2pjmlaw73nte7t7d8q4sqtxm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZy8zTEI2YzZtMTZ3enAw
+ SDRxZHZRSEY3YVA3blllRUlzd0syN3pLK0RvCk5mUy9zR3Q4TS9jWm1SbE5GOVdI
+ c0hYbnJxVlY0TnRicHFOYXEwYUxwVFEKLS0tIE5EOW9Wanp5YXN1YjF2TnFYSzFL
+ eTVHTVpEKzBIZllheXM5WkFERi9vUXMKzcA4e8aBvUwxgBzAwH/ZkphpMVVJl3NO
+ o5kgbaKyLw5C2jjLiYj8+vapFGV0O1HaTUfwSQ/wh2qh+ltlYot1xg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-10-10T07:50:55Z"
+ mac: ENC[AES256_GCM,data:19bVxUtE2QR+o497vof7UeRIbA+Ki3tX1iNMUHdtWbZkvSZbjh6eAp1OSk8d+syo1TkTZdYYWdmbsUmJq/q4cfEvCvOJpoCW6JOTooRoC3xYfJLsxs3QSn9HTM/FBEaAFfqpzemyaulk7AVbFy5Fl5Ta13hz/YIJcxNa4Q9kGbA=,iv:6tu0HWo1aIhlxf4RnK1PeujLDPg1yxNOclRUXA2bxEQ=,tag:O/+x8taMuE5mvw1+rqkcsw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/nixosModules/vds/xray.nix b/nixosModules/vds/xray.nix
index 4c4d802..6983100 100755
--- a/nixosModules/vds/xray.nix
+++ b/nixosModules/vds/xray.nix
@@ -4,6 +4,61 @@
 pkgs,
 ...
 }:
+let
+ xraySettings = {
+ log = {
+ loglevel = "warning";
+ };
+ inbounds = [
+ {
+ port = 8443;
+ protocol = "vless";
+ settings = {
+ clients = [
+ {
+ id = config.sops.secrets.xray_uuid.path;
+ flow = "xtls-rprx-vision";
+ }
+ ];
+ decryption = "none";
+ };
+ streamSettings = {
+ network = "tcp";
+ security = "reality";
+ realitySettings = {
+ dest = "cloudflare.com:443";
+ serverNames = [
+ "cloudflare.com"
+ ];
+ privateKey = config.sops.secrets.xray_private-key.path;
+ shortIds = [
+ "0a381e1fa219"
+ "be0ce04754dc"
+ "41beec74f4bc"
+ ];
+ };
+ };
+ sniffing = {
+ enabled = true;
+ destOverride = [
+ "http"
+ "tls"
+ ];
+ };
+ }
+ ];
+ outbounds = [
+ {
+ protocol = "freedom";
+ tag = "direct";
+ }
+ {
+ protocol = "blackhole";
+ tag = "block";
+ }
+ ];
+ };
+in
 {
 services.xray = {
 enable = true;
@@ -16,4 +71,19 @@
 };
 environment.systemPackages = [ pkgs.xray ];
+
+ sops.secrets = {
+ xray_uuid = {
+ key = "uuid";
+ mode = 444;
+ format = "yaml";
+ sopsFile = ./secrets/xray.yaml;
+ };
+ xray_private-key = {
+ key = "private-key";
+ mode = 444;
+ format = "yaml";
+ sopsFile = ./secrets/xray.yaml;
+ };
+ };
 }
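Review bot: `id = config.sops.secrets.xray_uuid.path;` and `privateKey = config.sops.secrets.xray_private-key.path;` in the first hunk put the secret files' paths into xraySettings, not their contents, because sops-nix decrypts at activation time and `.path` evaluates to a filename string. If xraySettings is passed to `services.xray.settings` (the rest of that block is outside the hunk), Xray would presumably receive a path literal as the VLESS id, which it may accept as a custom id string that is identical for every reader of this repository, and an unusable REALITY private key. Rendering the config through a sops-nix template with `config.sops.placeholder.*` and pointing `services.xray.settingsFile` at it keeps the real values out of the Nix store; the rendered file then has to be readable by the xray unit and nobody else. The `shortIds` stay in plaintext in the repository, unlike the uuid and private key, which is worth a deliberate decision.

```nix
# … unchanged: log, inbound port/protocol …
            {
              id = config.sops.placeholder.xray_uuid;
              flow = "xtls-rprx-vision";
            }
# … unchanged: decryption, streamSettings up to serverNames …
            privateKey = config.sops.placeholder.xray_private-key;
# … unchanged: shortIds, sniffing, outbounds …

  # in the module body, replacing any `settings = xraySettings;`
  sops.templates."xray.json".content = builtins.toJSON xraySettings;
  services.xray.settingsFile = config.sops.templates."xray.json".path;
```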
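Review bot: `mode = 444;` on both entries of `sops.secrets` in the second hunk asks for world-readable files, so every local account and service on the host could read the VLESS uuid and the REALITY private key after decryption. sops-nix documents `mode` as an octal string, so the bare integer may also fail to evaluate or be interpreted differently than intended; this is worth confirming. Prefer `mode = "0400";` and grant access to the xray unit specifically (an `owner`, or systemd credentials if the unit runs under a dynamic user) instead of opening the files to everyone.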