
# NixOS module: at boot, decrypts the client-id list for the xray proxy from
# an encrypted secrets.yaml and hands the generated configuration to
# xray.service.  Activated by config.kp2pml30.server.xray.
{ config
, pkgs
, lib
, ...
}:
let
  # Alias for this module's option namespace (xray, secretsDir).
  cfg = config.kp2pml30.server;
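# Script to decrypt secrets.yaml and print the XRAY_UIDS entries, one per line.
#
# The ciphertext (./secrets.yaml) is interpolated into the script and therefore
# copied into the Nix store, which is world-readable; the only thing protecting
# the client ids is the passphrase in KP2_DOTFILES_SECRET_KEY.  The passphrase
# is given to openssl through the environment (-pass env:), not as a command
# line argument, so it is not exposed in /proc/<pid>/cmdline or `ps` output
# while the decryption runs.  aes-256-cbc provides confidentiality only; a
# wrong passphrase or a modified file normally surfaces as an openssl or yq
# error, which `pipefail` turns into a non-zero exit.
decryptSecrets = pkgs.writeShellScript "decrypt-secrets" ''
  set -euo pipefail
  # Same file the systemd unit loads via EnvironmentFile; sourcing it here
  # keeps the script usable by hand.  The directory comes from the
  # secretsDir option instead of a hard-coded path.
  envFile="${cfg.secretsDir}/.env"
  if [ -r "$envFile" ]; then
    # shellcheck disable=SC1090
    source "$envFile"
  fi
  if [ -z "''${KP2_DOTFILES_SECRET_KEY:-}" ]; then
    echo "Error: KP2_DOTFILES_SECRET_KEY environment variable not set" >&2
    exit 1
  fi
  if [ ! -f "${./secrets.yaml}" ]; then
    echo "Error: secrets.yaml not found" >&2
    exit 1
  fi
  # A plain KEY=value line in .env sets a shell variable without exporting
  # it; openssl reads the passphrase from the environment, so export it.
  export KP2_DOTFILES_SECRET_KEY
  # Decrypt and parse XRAY_UIDS
  ${pkgs.openssl}/bin/openssl enc -aes-256-cbc -pbkdf2 -iter 1000000 -base64 -d \
    -pass env:KP2_DOTFILES_SECRET_KEY -in "${./secrets.yaml}" \
    | ${pkgs.yq}/bin/yq '.XRAY_UIDS[]' -r
'';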
# Static head and tail of the xray configuration; generateXrayConfig splices
# the decrypted client list between them.  builtins.toFile places both in the
# Nix store, so like any store path they are world-readable and must not
# contain secrets themselves.
xray-config-pre = builtins.toFile "xray-pre.json" (builtins.readFile ./xray-pre.json);
xray-config-post = builtins.toFile "xray-post.json" (builtins.readFile ./xray-post.json);
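# Script to generate the complete xray configuration on stdout:
# xray-pre.json, one client object per decrypted id, then xray-post.json.
generateXrayConfig = pkgs.writeShellScript "generate-xray-config" ''
  set -euo pipefail
  # Run the decryption up front so its exit status is checked.  Feeding it
  # through `< <(...)` hides a non-zero exit (wrong passphrase, missing .env)
  # and silently yields a config with an empty client list.
  uuids="$(${decryptSecrets})"
  if [ -z "$uuids" ]; then
    echo "Warning: XRAY_UIDS is empty, generating a config without clients" >&2
  fi
  cat ${xray-config-pre}
  first=true
  while IFS= read -r uuid; do
    [ -n "$uuid" ] || continue
    # Ids are embedded verbatim in JSON; allow only a conservative character
    # set so a stray quote or control character cannot break the document.
    if ! [[ "$uuid" =~ ^[A-Za-z0-9_.@-]+$ ]]; then
      echo "Error: client id in XRAY_UIDS contains unexpected characters" >&2
      exit 1
    fi
    # Comma before every element but the first.
    if [ "$first" = true ]; then
      first=false
    else
      echo ","
    fi
    echo " {"
    echo " \"id\": \"$uuid\","
    echo " \"flow\": \"xtls-rprx-vision\""
    echo " }"
  done <<< "$uuids"
  cat ${xray-config-post}
'';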
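in {
  options.kp2pml30.server.secretsDir = lib.mkOption {
    type = lib.types.str;
    default = "/var/lib/secrets";
    description = "Directory for secrets management";
  };

  config = lib.mkIf cfg.xray {
    # Ensure xray user and group exist
    users.users.xray = {
      isSystemUser = true;
      group = "xray";
    };
    users.groups.xray = {};

    # Oneshot that decrypts the client list and writes the xray config
    # before xray.service starts.
    systemd.services.xray-secrets = {
      description = "Decrypt Xray client configuration";
      # requiredBy, not only wantedBy: if decryption fails, xray must not
      # start against a missing or stale config (a stale one may still list
      # ids that have since been removed from secrets.yaml).
      requiredBy = [ "xray.service" ];
      wantedBy = [ "xray.service" ];
      before = [ "xray.service" ];
      serviceConfig = {
        Type = "oneshot";
        User = "root";
        # Supplies KP2_DOTFILES_SECRET_KEY to the decrypt script.
        EnvironmentFile = "${cfg.secretsDir}/.env";
      };
      script = ''
        set -euo pipefail
        mkdir -p /run/secrets
        # Generate into a private temp file and rename it into place, so the
        # config is never world-readable and never observed half-written
        # (a failed generation leaves the previous file untouched).
        umask 077
        tmp="$(mktemp /run/secrets/xray-config.json.XXXXXX)"
        trap 'rm -f "$tmp"' EXIT
        ${generateXrayConfig} > "$tmp"
        chown xray:xray "$tmp"
        chmod 440 "$tmp"
        mv -f "$tmp" /run/secrets/xray-config.json
      '';
    };

    # Ensure secrets directory exists
    systemd.tmpfiles.rules = [
      "d ${cfg.secretsDir} 0750 root root -"
      # The xray user is not in group root and must traverse this directory,
      # so it stays world-traversable; the config file itself is 0440 xray:xray.
      "d /run/secrets 0755 root root -"
    ];
  };
}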