113 lines
2.7 KiB
Nix
113 lines
2.7 KiB
Nix
|
{ config, lib, pkgs, ... }:
|
||
|
|
||
|
with lib;
|
||
|
|
||
|
let
|
||
|
cfg = config.services.shadowsocks;
|
||
|
|
||
|
opts = {
|
||
|
server = cfg.localAddress;
|
||
|
server_port = cfg.port;
|
||
|
method = cfg.encryptionMethod;
|
||
|
mode = cfg.mode;
|
||
|
user = "nobody";
|
||
|
fast_open = true;
|
||
|
} // optionalAttrs (cfg.password != null) { password = cfg.password; };
|
||
|
|
||
|
configFile = pkgs.writeText "shadowsocks.json" (builtins.toJSON opts);
|
||
|
|
||
|
in
|
||
|
|
||
|
{
|
||
|
|
||
|
###### interface
|
||
|
|
||
|
options = {
|
||
|
|
||
|
services.shadowsocks = {
|
||
|
|
||
|
enable = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Whether to run shadowsocks-libev shadowsocks server.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
localAddress = mkOption {
|
||
|
type = types.str;
|
||
|
default = "0.0.0.0";
|
||
|
description = ''
|
||
|
Local address to which the server binds.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
port = mkOption {
|
||
|
type = types.int;
|
||
|
default = 8388;
|
||
|
description = ''
|
||
|
Port which the server uses.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
password = mkOption {
|
||
|
type = types.nullOr types.str;
|
||
|
default = null;
|
||
|
description = ''
|
||
|
Password for connecting clients.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
passwordFile = mkOption {
|
||
|
type = types.nullOr types.path;
|
||
|
default = null;
|
||
|
description = ''
|
||
|
Password file with a password for connecting clients.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
mode = mkOption {
|
||
|
type = types.enum [ "tcp_only" "tcp_and_udp" "udp_only" ];
|
||
|
default = "tcp_and_udp";
|
||
|
description = ''
|
||
|
Relay protocols.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
encryptionMethod = mkOption {
|
||
|
type = types.str;
|
||
|
default = "chacha20-ietf-poly1305";
|
||
|
description = ''
|
||
|
Encryption method. See <link xlink:href="https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers"/>.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
};
|
||
|
|
||
|
};
|
||
|
|
||
|
|
||
|
###### implementation
|
||
|
|
||
|
config = mkIf cfg.enable {
|
||
|
assertions = singleton
|
||
|
{ assertion = cfg.password == null || cfg.passwordFile == null;
|
||
|
message = "Cannot use both password and passwordFile for shadowsocks-libev";
|
||
|
};
|
||
|
|
||
|
systemd.services.shadowsocks-libev = {
|
||
|
description = "shadowsocks-libev Daemon";
|
||
|
after = [ "network.target" ];
|
||
|
wantedBy = [ "multi-user.target" ];
|
||
|
path = [ pkgs.shadowsocks-libev ] ++ optional (cfg.passwordFile != null) pkgs.jq;
|
||
|
serviceConfig.PrivateTmp = true;
|
||
|
script = ''
|
||
|
${optionalString (cfg.passwordFile != null) ''
|
||
|
cat ${configFile} | jq --arg password "$(cat "${cfg.passwordFile}")" '. + { password: $password }' > /tmp/shadowsocks.json
|
||
|
''}
|
||
|
exec ss-server -c ${if cfg.passwordFile != null then "/tmp/shadowsocks.json" else configFile}
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
}
|