From 9a5427e3a0c0ccf2a82dc503149a26b23fbd6004 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sun, 31 Mar 2024 21:29:27 +0300
Subject: 2024-03-31
---
 modules/nixos/shadowsocks.nix | 110 ++++++++++++++++++++++--------------------
 1 file changed, 58 insertions(+), 52 deletions(-)
(limited to 'modules/nixos/shadowsocks.nix')
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index 69688da..670faec 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -5,9 +5,11 @@
 pkgs,
 ...
 }:
-with lib; let
+with lib;
+let
 cfg = config.nixfiles.modules.shadowsocks;
-in {
+in
+{
 options.nixfiles.modules.shadowsocks = {
 enable = mkEnableOption "Shadowsocks";
@@ -31,61 +33,65 @@ in {
 systemd.services.shadowsocks = {
 description = "Shadowsocks";
- after = ["network.target"];
- wantedBy = ["multi-user.target"];
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 DynamicUser = true;
 RuntimeDirectory = "shadowsocks";
 LoadCredential = "secret.json:${config.secrets.shadowsocks-json.path}";
- ExecStartPre = let
- mergeJson = let
- configFile = pkgs.writeText "config.json" (generators.toJSON {} {
- server = "::";
- server_port = cfg.port;
- # Can't really use AEAD-2022[1] just yet because it's not
- # supported by some[2] clients.
- #
- # [1]: https://shadowsocks.org/doc/sip022.html
- # [2]: https://github.com/shadowsocks/ShadowsocksX-NG/issues/1480
- # [2]: https://github.com/shadowsocks/shadowsocks-windows/issues/3448
- # method = "2022-blake3-chacha20-poly1305";
- method = "chacha20-ietf-poly1305";
- password = null; # Must be set as a secret.
- users = null; # Muse be set as a secret.
- fast_open = true;
- acl = pkgs.writeText "block-internal-access.acl" ''
- [outbound_block_list]
- 0.0.0.0/8
- 10.0.0.0/8
- 100.64.0.0/10
- 127.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.0.0.0/24
- 192.0.2.0/24
- 192.88.99.0/24
- 192.168.0.0/16
- 198.18.0.0/15
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 240.0.0.0/4
- 255.255.255.255/32
- ::1/128
- ::ffff:127.0.0.1/104
- fc00::/7
- fe80::/10
+ ExecStartPre =
+ let
+ mergeJson =
+ let
+ configFile = pkgs.writeText "config.json" (
+ generators.toJSON { } {
+ server = "::";
+ server_port = cfg.port;
+ # Can't really use AEAD-2022[1] just yet because it's not
+ # supported by some[2] clients.
+ #
+ # [1]: https://shadowsocks.org/doc/sip022.html
+ # [2]: https://github.com/shadowsocks/ShadowsocksX-NG/issues/1480
+ # [2]: https://github.com/shadowsocks/shadowsocks-windows/issues/3448
+ # method = "2022-blake3-chacha20-poly1305";
+ method = "chacha20-ietf-poly1305";
+ password = null; # Must be set as a secret.
+ users = null; # Muse be set as a secret.
+ fast_open = true;
+ acl = pkgs.writeText "block-internal-access.acl" ''
+ [outbound_block_list]
+ 0.0.0.0/8
+ 10.0.0.0/8
+ 100.64.0.0/10
+ 127.0.0.0/8
+ 169.254.0.0/16
+ 172.16.0.0/12
+ 192.0.0.0/24
+ 192.0.2.0/24
+ 192.88.99.0/24
+ 192.168.0.0/16
+ 198.18.0.0/15
+ 198.51.100.0/24
+ 203.0.113.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
+ 255.255.255.255/32
+ ::1/128
+ ::ffff:127.0.0.1/104
+ fc00::/7
+ fe80::/10
+ '';
+ }
+ );
+ in
+ pkgs.writeShellScript "meregeJson" ''
+ ${getExe pkgs.jq} \
+ -s '.[0] * .[1]' \
+ ${configFile} \
+ $CREDENTIALS_DIRECTORY/secret.json \
+ >$RUNTIME_DIRECTORY/config.json
 '';
- });
 in
- pkgs.writeShellScript "meregeJson" ''
- ${getExe pkgs.jq} \
- -s '.[0] * .[1]' \
- ${configFile} \
- $CREDENTIALS_DIRECTORY/secret.json \
- >$RUNTIME_DIRECTORY/config.json
- '';
- in
 mergeJson;
 ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver --config \${RUNTIME_DIRECTORY}/config.json";
 };
@@ -100,7 +106,7 @@ in {
 '';
 };
- networking.firewall.allowedTCPPorts = [cfg.port];
+ networking.firewall.allowedTCPPorts = [ cfg.port ];
 # https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
 boot.kernel.sysctl = {
--
cgit v1.2.3