teidesu/nixfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: shadowsocks-rust -> sing-box

Browse source
This commit is contained in:
alina 🌸 2024-05-11 07:16:10 +03:00
parent 6d4c7a62a7
commit 9c15fce069
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
5 changed files with 152 additions and 122 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
hosts/koi/configuration.nix
View file

@ -12,8 +12,8 @@
./partials/fde.nix ./partials/fde.nix
./services/ss-client.nix
./services/coredns.nix ./services/coredns.nix
./services/sing-box.nix
./services/nginx.nix ./services/nginx.nix
./services/landing ./services/landing

2
hosts/koi/containers/sharkey/.config/default.yml
View file

@ -31,7 +31,7 @@ clusterLimit: 2
maxNoteLength: 30000 maxNoteLength: 30000
proxy: 'http://10.42.0.2:7891' proxy: 'http://10.42.0.2:7890'
proxyBypassHosts: proxyBypassHosts:
- api.deepl.com - api.deepl.com
- api-free.deepl.com - api-free.deepl.com

150
hosts/koi/services/sing-box.nix Normal file
View file

@ -0,0 +1,150 @@
{ pkgs, abs, config, ... }:
let
secrets = import (abs "lib/secrets.nix");
in {
imports = [
(secrets.declare [ "ss-desu-arm-password" "ss-desu-arm-ip" ])
];
services.sing-box = {
enable = true;
settings = {
dns = {
rules = [
{
outbound = [ "any" ];
server = "dns-coredns";
}
{
# suffixes specific to our coredns configuration
# we don't want to expose them in the proxy
domain_suffix = [
".docker"
".containers"
];
server = "dns-block";
}
{
rule_set = "rkn";
query_type = [ "A" "AAAA" ];
server = "dns-fakeip";
}
];
servers = [
# upstream dns
{
address = "127.0.0.1";
tag = "dns-coredns";
detour = "direct";
}
{ tag = "dns-fakeip"; address = "fakeip"; }
{
tag = "dns-block";
address = "rcode://success";
}
];
# "fake ip" setup.
# setup for keenetic:
# 1. create a proxy outbound (see https://help.keenetic.com/hc/ru/articles/7474374790300)
# 2. create a static route for v4, can be done via web ui: Static Routes > Create, Route type = Route to network,
# Destination network address & Subnet mask from `inet4_range`, interface = [our proxy]
# 3. create a static route for v6, can be done via telnet: `ipv6 route [inet6_range] Proxy0` (interface name may differ)
# 4. set up keenetic to use our dns server:
# 4.1. setup opkg
# 4.2. install dnsmasq
# 4.3. put something along this in /opt/etc/dnsmasq.conf:
# no-resolv
# bind-dynamic
# listen-address=127.0.0.1
# listen-address=10.42.0.1
# except-interface=lo
# cache-size=2500
# port=53
#
# server=10.42.0.2#5353 # <- ip of the server
# server=8.8.8.8
# strict-order
# 4.4. run `opkg dns-override` via telnet
# 4.5. set up the router as the only dns server in dhcp settings
fakeip = {
enabled = true;
inet4_range = "10.224.0.0/11";
inet6_range = "fd3e:dead:dead::/48";
};
};
inbounds = [
{
tag = "dns-in";
type = "direct";
listen = "0.0.0.0";
listen_port = 5353;
}
{
tag = "mixed-in";
type = "mixed";
listen = "0.0.0.0";
listen_port = 7890;
}
];
outbounds = [
{ tag = "direct"; type = "direct"; }
{ tag = "dns-out"; type = "dns"; }
{
tag = "ss-desu-arm";
type = "shadowsocks";
server._secret = config.age.secrets.ss-desu-arm-ip.path;
server_port = 9000;
method = "chacha20-ietf-poly1305";
password._secret = config.age.secrets.ss-desu-arm-password.path;
udp_over_tcp = {
enabled = true;
version = 1;
};
}
];
route = {
final = "ss-desu-arm";
rules = [
{
inbound = [ "dns-in" ];
outbound = "dns-out";
}
{
outbound = "dns-out";
port = [ 53 ];
}
];
rule_set = [
{
tag = "rkn";
format = "binary";
type = "remote";
url = "https://github.com/teidesu/rkn-singbox/raw/ruleset/rkn-ruleset.srs";
}
];
};
experimental = {
cache_file = {
enabled = true;
store_fakeip = true;
};
# clash_api = {
# external_controller = "127.0.0.1:9090";
# external_ui = "dashboard";
# };
};
};
};
networking.firewall.allowedTCPPorts = [ 7890 ];
networking.firewall.allowedUDPPorts = [ 5353 ];
}

32
hosts/koi/services/ss-client.nix
View file

@ -1,32 +0,0 @@
{ config, abs, pkgs, ... }@inputs:
let
secrets = import (abs "lib/secrets.nix");
in
{
imports = [
(secrets.declare [ "ss-desu-arm-password" "ss-desu-arm-ip" ])
((import (abs "services/shadowsocks-rust.nix") inputs) {
serverFile = config.age.secrets.ss-desu-arm-ip.path;
port = 9000;
passwordFile = config.age.secrets.ss-desu-arm-password.path;
mode = "tcp_and_udp";
fastOpen = true;
encryptionMethod = "chacha20-ietf-poly1305";
client = true;
localPort = 7890;
})
];
# http -> socks5 proxy
services.privoxy = {
enable = true;
settings = {
listen-address = "0.0.0.0:7891";
forward-socks5 = "/ 127.0.0.1:7890 .";
};
};
networking.firewall.allowedTCPPorts = [ 7890 7891 ];
}

88
services/shadowsocks-rust.nix
View file

@ -1,88 +0,0 @@
# Based on https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/networking/shadowsocks.nix
{ lib, pkgs, ... }:
with lib;
{
# Local addresses to which the server binds.
localAddress ? "0.0.0.0"
, # Port which the server uses.
# If `client = true`, port of the remote server to connect to.
port ? 8388
, # Password for connecting clients
password ? null
, # Password file with a password for connecting clients
passwordFile ? null
, # Relay protocols (one of "tcp_only" "tcp_and_udp" "udp_only")
mode ? "tcp_and_udp"
, # use TCP fast-open
fastOpen ? true
, # Encryption method
encryptionMethod ? "chacha20-ietf-poly1305"
, # SIP003 plugin for shadowsocks
plugin ? null
, # Options to pass to the plugin if one was specified (e.g. "server;host=example.com")
pluginOpts ? ""
, # Whether to set up a Shadowsocks client instead of a server
client ? false
, # Address of the remote Shadowsocks server
server ? null
, # File containing address of the remote Shadowsocks server
serverFile ? null
, # Local port for the client to bind
localPort ? 8388
, # Additional configuration for shadowsocks that is not covered by the
# provided options. The provided attrset will be serialized to JSON config as-is
extraConfig ? { }
, # Name of the systemd service
serviceName ? "shadowsocks-rust"
, # Shadowsocks-rust package
package ? pkgs.shadowsocks-rust
}:
assert assertOneOf "mode" mode [ "tcp_only" "tcp_and_udp" "udp_only" ];
assert assertMsg (password == null || passwordFile == null) "Cannot use both password and passwordFile for shadowsocks-rust";
assert assertMsg (server == null || serverFile == null) "Cannot use both server and serverFile for shadowsocks-rust";
let
opts = {
server = localAddress;
server_port = port;
method = encryptionMethod;
mode = mode;
user = "nobody";
fast_open = fastOpen;
} // optionalAttrs (plugin != null) {
plugin = plugin;
plugin_opts = pluginOpts;
} // optionalAttrs (password != null) {
password = password;
} // optionalAttrs (client == true) {
server = server;
local_address = localAddress;
local_port = localPort;
} // extraConfig;
configFile = pkgs.writeText "shadowsocks.json" (builtins.toJSON opts);
in
{
systemd.services.${serviceName} = {
description = "${serviceName} Daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ package ] ++ optional (plugin != null) plugin ++ optional (passwordFile != null) pkgs.jq;
serviceConfig = {
PrivateTmp = true;
Restart = "on-failure";
};
script = ''
cp ${configFile} /tmp/shadowsocks.json
${optionalString (passwordFile != null) ''
cat /tmp/shadowsocks.json | jq --arg password "$(cat "${passwordFile}")" '. + { password: $password }' > /tmp/shadowsocks.json
''}
${optionalString (serverFile != null) ''
cat /tmp/shadowsocks.json | jq --arg server "$(cat "${serverFile}")" '. + { server: $server }' > /tmp/shadowsocks.json
''}
exec ${if client == true then "sslocal" else "ssserver"} -c /tmp/shadowsocks.json
'';
};
}