Diffstat (limited to 'modules/nixos/shadowsocks.nix')
-rw-r--r--modules/nixos/shadowsocks.nix124
1 files changed, 70 insertions, 54 deletions
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index 7307933..c04799b 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -19,69 +19,84 @@ in {
};
config = mkIf cfg.enable {
- secrets.shadowsocks-password.file = "${inputs.self}/secrets/shadowsocks-password";
+ secrets.shadowsocks-json.file = "${inputs.self}/secrets/shadowsocks-json";
- services = {
- shadowsocks = {
- enable = true;
- passwordFile = config.secrets.shadowsocks-password.path;
- localAddress = ["0.0.0.0"];
- mode = "tcp_only";
- };
-
- fail2ban.jails.shadowsocks-libev = {
- enabled = true;
- settings = {
- filter = "shadowsocks-libev";
- inherit (cfg) port;
- };
+ services.fail2ban.jails.shadowsocks = {
+ enabled = true;
+ settings = {
+ filter = "shadowsocks";
+ inherit (cfg) port;
};
};
- systemd.services.shadowsocks-libev.path = with pkgs;
- mkForce [
- (writeShellApplication {
- name = "ss-server";
- runtimeInputs = [shadowsocks-libev];
- text = let
- # https://github.com/shadowsocks/shadowsocks-libev/blob/master/acl/server_block_local.acl
- aclFile = writeText "outbound_block_list.acl" ''
- [outbound_block_list]
- 0.0.0.0/8
- 10.0.0.0/8
- 100.64.0.0/10
- 127.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.0.0.0/24
- 192.0.2.0/24
- 192.88.99.0/24
- 192.168.0.0/16
- 198.18.0.0/15
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 240.0.0.0/4
- 255.255.255.255/32
- ::1/128
- ::ffff:127.0.0.1/104
- fc00::/7
- fe80::/10
+ systemd.services.shadowsocks = {
+ description = "Shadowsocks";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ DynamicUser = true;
+ RuntimeDirectory = "shadowsocks";
+ LoadCredential = "secret.json:${config.secrets.shadowsocks-json.path}";
+ ExecStartPre = let
+ mergeJson = let
+ configFile = pkgs.writeText "config.json" (generators.toJSON {} {
+ server = "::";
+ server_port = cfg.port;
+ # Can't really use AEAD-2022[1] just yet because it's not
+ # supported by some[2] clients.
+ #
+ # [1]: https://shadowsocks.org/doc/sip022.html
+ # [2]: https://github.com/shadowsocks/ShadowsocksX-NG/issues/1480
+ # [2]: https://github.com/shadowsocks/shadowsocks-windows/issues/3448
+ # method = "2022-blake3-chacha20-poly1305";
+ method = "chacha20-ietf-poly1305";
+ password = null; # Must be set as a secret.
+ users = null; # Muse be set as a secret.
+ fast_open = true;
+ acl = pkgs.writeText "block-internal-access.acl" ''
+ [outbound_block_list]
+ 0.0.0.0/8
+ 10.0.0.0/8
+ 100.64.0.0/10
+ 127.0.0.0/8
+ 169.254.0.0/16
+ 172.16.0.0/12
+ 192.0.0.0/24
+ 192.0.2.0/24
+ 192.88.99.0/24
+ 192.168.0.0/16
+ 198.18.0.0/15
+ 198.51.100.0/24
+ 203.0.113.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
+ 255.255.255.255/32
+ ::1/128
+ ::ffff:127.0.0.1/104
+ fc00::/7
+ fe80::/10
+ '';
+ });
+ in
+ pkgs.writeShellScript "meregeJson" ''
+ ${pkgs.jq}/bin/jq \
+ -s '.[0] * .[1]' \
+ ${configFile} \
+ $CREDENTIALS_DIRECTORY/secret.json \
+ >$RUNTIME_DIRECTORY/config.json
'';
- in ''
- ss-server --acl ${aclFile} "$@"
- '';
- })
- coreutils-full
- jq
- ];
+ in
+ mergeJson;
+ ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver --config \${RUNTIME_DIRECTORY}/config.json";
+ };
+ };
environment.etc = mkIf config.nixfiles.modules.fail2ban.enable {
- "fail2ban/filter.d/shadowsocks-libev.conf".text = ''
+ "fail2ban/filter.d/shadowsocks.conf".text = ''
[Definition]
- failregex = ^.*failed to handshake with <ADDR>: authentication error$
+ failregex = ^.*tcp handshake failed.*\[::ffff:<ADDR>\].*$
ignoreregex =
- journalmatch = _SYSTEMD_UNIT=shadowsocks-libev.service
+ journalmatch = _SYSTEMD_UNIT=shadowsocks.service
'';
};
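Review bot: The merged config.json written by the ExecStartPre script (`>$RUNTIME_DIRECTORY/config.json`) contains the password/users material loaded from `secret.json`, yet nothing restricts its permissions: `RuntimeDirectory` defaults to mode 0755 and the redirect creates the file under the service's default umask, so the plaintext credentials presumably end up world-readable under /run/shadowsocks, undoing the protection `LoadCredential` gives the source secret. Add to `serviceConfig` the two lines `RuntimeDirectoryMode = "0700";` and `UMask = "0077";` so both the directory and the generated file are private to the DynamicUser; this is consistent with the intent expressed by the `# Must be set as a secret.` comments. As a secondary point, the new fail2ban `failregex` only matches `[::ffff:<ADDR>]`, so with the server now bound to `::` a failed handshake from a native IPv6 client would never be banned — consider a pattern that also accepts a bare IPv6 address inside the brackets, verified against actual ssserver log lines.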
@@ -94,6 +109,7 @@ in {
'';
};
+ # https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
boot.kernel.sysctl = {
"net.core.rmem_max" = mkOverride 100 (pow 2 26);
"net.core.wmem_max" = mkOverride 100 (pow 2 26);