Diffstat (limited to '')
-rw-r--r-- | modules/nixos/shadowsocks.nix | 124 |
1 files changed, 70 insertions, 54 deletions
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index 7307933..c04799b 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -19,69 +19,84 @@ in { }; config = mkIf cfg.enable { - secrets.shadowsocks-password.file = "${inputs.self}/secrets/shadowsocks-password"; + secrets.shadowsocks-json.file = "${inputs.self}/secrets/shadowsocks-json"; - services = { - shadowsocks = { - enable = true; - passwordFile = config.secrets.shadowsocks-password.path; - localAddress = ["0.0.0.0"]; - mode = "tcp_only"; - }; - - fail2ban.jails.shadowsocks-libev = { - enabled = true; - settings = { - filter = "shadowsocks-libev"; - inherit (cfg) port; - }; + services.fail2ban.jails.shadowsocks = { + enabled = true; + settings = { + filter = "shadowsocks"; + inherit (cfg) port; }; }; - systemd.services.shadowsocks-libev.path = with pkgs; - mkForce [ - (writeShellApplication { - name = "ss-server"; - runtimeInputs = [shadowsocks-libev]; - text = let - # https://github.com/shadowsocks/shadowsocks-libev/blob/master/acl/server_block_local.acl - aclFile = writeText "outbound_block_list.acl" '' - [outbound_block_list] - 0.0.0.0/8 - 10.0.0.0/8 - 100.64.0.0/10 - 127.0.0.0/8 - 169.254.0.0/16 - 172.16.0.0/12 - 192.0.0.0/24 - 192.0.2.0/24 - 192.88.99.0/24 - 192.168.0.0/16 - 198.18.0.0/15 - 198.51.100.0/24 - 203.0.113.0/24 - 224.0.0.0/4 - 240.0.0.0/4 - 255.255.255.255/32 - ::1/128 - ::ffff:127.0.0.1/104 - fc00::/7 - fe80::/10 + systemd.services.shadowsocks = { + description = "Shadowsocks"; + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + serviceConfig = { + DynamicUser = true; + RuntimeDirectory = "shadowsocks"; + LoadCredential = "secret.json:${config.secrets.shadowsocks-json.path}"; + ExecStartPre = let + mergeJson = let + configFile = pkgs.writeText "config.json" (generators.toJSON {} { + server = "::"; + server_port = cfg.port; + # Can't really use AEAD-2022[1] just yet because it's not + # supported by some[2] clients. 
+ # + # [1]: https://shadowsocks.org/doc/sip022.html + # [2]: https://github.com/shadowsocks/ShadowsocksX-NG/issues/1480 + # [2]: https://github.com/shadowsocks/shadowsocks-windows/issues/3448 + # method = "2022-blake3-chacha20-poly1305"; + method = "chacha20-ietf-poly1305"; + password = null; # Must be set as a secret. + users = null; # Muse be set as a secret. + fast_open = true; + acl = pkgs.writeText "block-internal-access.acl" '' + [outbound_block_list] + 0.0.0.0/8 + 10.0.0.0/8 + 100.64.0.0/10 + 127.0.0.0/8 + 169.254.0.0/16 + 172.16.0.0/12 + 192.0.0.0/24 + 192.0.2.0/24 + 192.88.99.0/24 + 192.168.0.0/16 + 198.18.0.0/15 + 198.51.100.0/24 + 203.0.113.0/24 + 224.0.0.0/4 + 240.0.0.0/4 + 255.255.255.255/32 + ::1/128 + ::ffff:127.0.0.1/104 + fc00::/7 + fe80::/10 + ''; + }); + in + pkgs.writeShellScript "meregeJson" '' + ${pkgs.jq}/bin/jq \ + -s '.[0] * .[1]' \ + ${configFile} \ + $CREDENTIALS_DIRECTORY/secret.json \ + >$RUNTIME_DIRECTORY/config.json ''; - in '' - ss-server --acl ${aclFile} "$@" - ''; - }) - coreutils-full - jq - ]; + in + mergeJson; + ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver --config \${RUNTIME_DIRECTORY}/config.json"; + }; + }; environment.etc = mkIf config.nixfiles.modules.fail2ban.enable { - "fail2ban/filter.d/shadowsocks-libev.conf".text = '' + "fail2ban/filter.d/shadowsocks.conf".text = '' [Definition] - failregex = ^.*failed to handshake with <ADDR>: authentication error$ + failregex = ^.*tcp handshake failed.*\[::ffff:<ADDR>\].*$ ignoreregex = - journalmatch = _SYSTEMD_UNIT=shadowsocks-libev.service + journalmatch = _SYSTEMD_UNIT=shadowsocks.service ''; }; @@ -94,6 +109,7 @@ in { ''; }; + # https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks boot.kernel.sysctl = { "net.core.rmem_max" = mkOverride 100 (pow 2 26); "net.core.wmem_max" = mkOverride 100 (pow 2 26); |
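Review bot: The merged config that the `ExecStartPre` script writes to `$RUNTIME_DIRECTORY/config.json` carries the password/users taken from the credential, yet `serviceConfig` only sets `RuntimeDirectory = "shadowsocks"`; systemd's default `RuntimeDirectoryMode` is 0755 and the script creates the file under the service's default umask, so the secret that `LoadCredential` kept private ends up in a world-readable file under /run. Add `RuntimeDirectoryMode = "0700";` (and, to be safe, `UMask = "0077";`) to `serviceConfig` so the merged file is only readable by the dynamic user. Separately, the new fail2ban `failregex` only matches `[::ffff:<ADDR>]`, i.e. IPv4-mapped peers, while the server now binds `::`; if ssserver logs native IPv6 peers without the `::ffff:` prefix those failures would not be banned, which is worth confirming against the actual log lines. The comment `# Muse be set as a secret.` has a typo ("Must").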