parent
ee7351d889
commit
f7651b35b8
@ -0,0 +1,112 @@ |
||||
{ config, lib, pkgs, ... }: |
||||
|
||||
with lib; |
||||
|
||||
let |
||||
cfg = config.services.shadowsocks; |
||||
|
||||
opts = { |
||||
server = cfg.localAddress; |
||||
server_port = cfg.port; |
||||
method = cfg.encryptionMethod; |
||||
mode = cfg.mode; |
||||
user = "nobody"; |
||||
fast_open = true; |
||||
} // optionalAttrs (cfg.password != null) { password = cfg.password; }; |
||||
|
||||
configFile = pkgs.writeText "shadowsocks.json" (builtins.toJSON opts); |
||||
|
||||
in |
||||
|
||||
{ |
||||
|
||||
###### interface |
||||
|
||||
options = { |
||||
|
||||
services.shadowsocks = { |
||||
|
||||
enable = mkOption { |
||||
type = types.bool; |
||||
default = false; |
||||
description = '' |
||||
Whether to run shadowsocks-libev shadowsocks server. |
||||
''; |
||||
}; |
||||
|
||||
localAddress = mkOption { |
||||
type = types.str; |
||||
default = "0.0.0.0"; |
||||
description = '' |
||||
Local address to which the server binds. |
||||
''; |
||||
}; |
||||
|
||||
port = mkOption { |
||||
type = types.int; |
||||
default = 8388; |
||||
description = '' |
||||
Port which the server uses. |
||||
''; |
||||
}; |
||||
|
||||
password = mkOption { |
||||
type = types.nullOr types.str; |
||||
default = null; |
||||
description = '' |
||||
Password for connecting clients. |
||||
''; |
||||
}; |
||||
|
||||
passwordFile = mkOption { |
||||
type = types.nullOr types.path; |
||||
default = null; |
||||
description = '' |
||||
Password file with a password for connecting clients. |
||||
''; |
||||
}; |
||||
|
||||
mode = mkOption { |
||||
type = types.enum [ "tcp_only" "tcp_and_udp" "udp_only" ]; |
||||
default = "tcp_and_udp"; |
||||
description = '' |
||||
Relay protocols. |
||||
''; |
||||
}; |
||||
|
||||
encryptionMethod = mkOption { |
||||
type = types.str; |
||||
default = "chacha20-ietf-poly1305"; |
||||
description = '' |
||||
Encryption method. See <link xlink:href="https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers"/>. |
||||
''; |
||||
}; |
||||
|
||||
}; |
||||
|
||||
}; |
||||
|
||||
|
||||
###### implementation |
||||
|
||||
config = mkIf cfg.enable { |
||||
assertions = singleton |
||||
{ assertion = cfg.password == null || cfg.passwordFile == null; |
||||
message = "Cannot use both password and passwordFile for shadowsocks-libev"; |
||||
}; |
||||
|
||||
systemd.services.shadowsocks-libev = { |
||||
description = "shadowsocks-libev Daemon"; |
||||
after = [ "network.target" ]; |
||||
wantedBy = [ "multi-user.target" ]; |
||||
path = [ pkgs.shadowsocks-libev ] ++ optional (cfg.passwordFile != null) pkgs.jq; |
||||
serviceConfig.PrivateTmp = true; |
||||
script = '' |
||||
${optionalString (cfg.passwordFile != null) '' |
||||
cat ${configFile} | jq --arg password "$(cat "${cfg.passwordFile}")" '. + { password: $password }' > /tmp/shadowsocks.json |
||||
''} |
||||
exec ss-server -c ${if cfg.passwordFile != null then "/tmp/shadowsocks.json" else configFile} |
||||
''; |
||||
}; |
||||
}; |
||||
} |
Loading…
Reference in new issue