Add Shadowsocks proxy service

2025-03-16 17:53:06 +01:00 · 2025-03-16 17:53:06 +01:00 · 26165af972
commit 26165af972
parent 854b6374d7
7 changed files with 70 additions and 0 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -199,4 +199,16 @@ in
    ];
    # specialArgs = { };
  };
+
+  shadowshocks = nixpkgs.lib.nixosSystem {
+    pkgs = pkgs "x86_64-linux";
+    modules = [
+      myModules
+      proxmoxModule
+      ./shadowshocks
+      agenix.nixosModules.default
+    ];
+    # specialArgs = { };
+  };
+
 }
--- a/hosts/deployments.nix
+++ b/hosts/deployments.nix
@ -116,6 +116,16 @@ in
    ];
  };

+  shadowshocks.deployment = {
+    targetHost = hosts.shadowshocks;
+    tags = [
+      "lxc"
+      "bacco"
+      "shadowshocks"
+    ];
+  };
+
+
  deadbeef.deployment = {
    allowLocalDeployment = true;
    targetHost = null;
--- a/hosts/parameters.nix
+++ b/hosts/parameters.nix
@ -12,6 +12,7 @@
    colmena = "colmena.internal";
    dns01 = "192.168.1.2";
    dns02 = "192.168.1.3";
+    shadowshocks = "shadowshocks.internal";
  };
  domains = {
    public = "pasetto.me";
--- a/hosts/shadowshocks/default.nix
+++ b/hosts/shadowshocks/default.nix
@ -0,0 +1,29 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+
+  age.secrets.shadowshocks-password.file = ../../secrets/shadowshocks-password.age;
+
+  my = {
+
+    utils = {
+      commons.enable = true;
+      commons.gc.enable = true;
+      lxc-standard.enable = true;
+    };
+
+    virtualisation.proxmox.enable = true;
+  };
+
+  services.shadowsocks = {
+    enable = true;
+    passwordFile = config.age.secrets.shadowshocks-password.path;
+    port = 8388;
+  };
+
+  system.stateVersion = "24.11";
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -26,6 +26,7 @@ let
    dns01-admin-password = [ machines.dns01 ];
    dns02-admin-password = [ machines.dns02 ];
    dns02-dhcp-failover = [ machines.dns02 ];
+    shadowshocks-password = [ machines.shadowshocks ];
  };
 in
 builtins.listToAttrs (
--- a/secrets/shadowshocks-password.age
+++ b/secrets/shadowshocks-password.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 HvFEmA Sgw7itnDakJJZVEGnk05/nLyX3iWD11/ecFUajNa5CY
+iyr7PaWsI8f7AuegC8fuzLbEDLtZTrSUtf1wW/r2zcU
+-> ssh-ed25519 Si3UKw ordExftJbU34g6aLRvMeq9MxWCzewdqP9jZ4KDR9vxk
+POyBfD2B0jzEgiC8uD30zFmW/gbPoQvZTSPuBDqUS8c
+-> ssh-ed25519 3UG3uw uNqAwETfOBrLlW94SjOx/rjvvfsjmQKyrrz4hdJLwSU
+0LKAJee5MFnchg9mwnE8mm/3q4g5a0qUn6NgvA0USys
+-> ssh-ed25519 JEhtoQ opRX4YguKxB894OOt/pfEOJ2Ae5JDzo8Kger1vdBST8
+W/TRgFFZKoMV/0P4pmZbzthr7tSv4o2HUlYq8pAETV0
+-> ssh-ed25519 uqg2jw D35Xr71KPyotnlwoRX42cpWAFR/8IT+njHk2YV8immQ
+M/Kmj5tHAhXMHiQyqVUN2cmo6p7MgcPKXg/Bup2+rsU
+--- TKPGfD9QO8HTMcvlIqpXVxr0JOPgAhA/q/BfJHz2rEQ
+nÆU¬FeGxÜ<–ï(¿…ømj—au<X>²Ù·‘3Ûþ»dkížçBßÖ+
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@ -19,6 +19,7 @@ rec {
    auth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsSQbXHRt+MpUh+YQxd5p6YPnbbWR/4ylz/pXjdZ9Bs";
    dns01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7BdiP/dCE6FHoJylcBKQ5AXz06UpLHNyeuvfLVccSi";
    dns02 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+HIq6/ebjiv71xDozdOTn5AdnXgr1fGqIzXnH7Not+";
+    shadowshocks = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ4qYaS5ccciH7BNyrF5+J3d4JtHJNr1R256/ulEtxl";
  };

  # Machines able to provision other machines
@ -31,8 +32,11 @@ rec {

  # Machines in tailscale network
  tailscale-machine = [
+    machines.arr
+    machines.auth
    machines.caddy
    machines.metrics
+    machines.shadowshocks
  ];

  # Machines provisioned with Colmena