first xray

2026-02-20 09:04:42 +04:00 · 2025-10-18 12:43:35 +09:00 · 2025-10-18 12:43:35 +09:00 · c2106ca1a6
commit c2106ca1a6
parent bbacfb100e
18 changed files with 482 additions and 29 deletions
--- a/nix/server/secrets.nix
+++ b/nix/server/secrets.nix
@ -0,0 +1,96 @@
+{ config
+, pkgs
+, lib
+, ...
+}:
+let
+  cfg = config.kp2pml30.server;
+
+  # Script to decrypt secrets.yaml and extract XRAY_UIDS
+  decryptSecrets = pkgs.writeShellScript "decrypt-secrets" ''
+    set -euo pipefail
+
+    source /var/lib/secrets/.env
+
+    if [ -z "''${KP2_DOTFILES_SECRET_KEY:-}" ]; then
+      echo "Error: KP2_DOTFILES_SECRET_KEY environment variable not set" >&2
+      exit 1
+    fi
+
+    if [ ! -f "${./secrets.yaml}" ]; then
+      echo "Error: secrets.yaml not found" >&2
+      exit 1
+    fi
+
+    # Decrypt and parse XRAY_UIDS
+    ${pkgs.openssl}/bin/openssl enc -aes-256-cbc -pbkdf2 -iter 1000000 -base64 -d -k "$KP2_DOTFILES_SECRET_KEY" -in "${./secrets.yaml}" | ${pkgs.yq}/bin/yq '.XRAY_UIDS[]' -r
+  '';
+
+  xray-config-pre = builtins.toFile "xray-pre.json" (builtins.readFile ./xray-pre.json);
+  xray-config-post = builtins.toFile "xray-post.json" (builtins.readFile ./xray-post.json);
+
+  # Script to generate complete xray configuration
+  generateXrayConfig = pkgs.writeShellScript "generate-xray-config" ''
+    set -euo pipefail
+
+    cat ${xray-config-pre}
+
+    first=true
+    while IFS= read -r uuid; do
+      if [ "$first" = true ]; then
+        first=false
+      else
+        echo ","
+      fi
+      echo "          {"
+      echo "            \"id\": \"$uuid\","
+      echo "            \"flow\": \"xtls-rprx-vision\""
+      echo "          }"
+    done < <(${decryptSecrets})
+
+    cat ${xray-config-post}
+  '';
+
+in {
+  options.kp2pml30.server.secretsDir = lib.mkOption {
+    type = lib.types.str;
+    default = "/var/lib/secrets";
+    description = "Directory for secrets management";
+  };
+
+  config = lib.mkIf cfg.xray {
+    # Ensure xray user and group exist
+    users.users.xray = {
+      isSystemUser = true;
+      group = "xray";
+    };
+
+    users.groups.xray = {};
+
+    # Create a systemd service to decrypt and prepare xray clients config
+    systemd.services.xray-secrets = {
+      description = "Decrypt Xray client configuration";
+      wantedBy = [ "xray.service" ];
+      before = [ "xray.service" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        EnvironmentFile = "${cfg.secretsDir}/.env";
+      };
+
+      script = ''
+        mkdir -p /run/secrets
+        ${generateXrayConfig} > /run/secrets/xray-config.json
+        chown xray:xray /run/secrets/xray-config.json
+        chmod 440 /run/secrets/xray-config.json
+      '';
+    };
+
+    # Ensure secrets directory exists
+    systemd.tmpfiles.rules = [
+      "d ${cfg.secretsDir} 0750 root root -"
+      "d /run/secrets 0755 root root -"
+    ];
+  };
+}