From 26165af9724a9848669db0a1e0cbba6f6db6d7ac Mon Sep 17 00:00:00 2001
From: pazpi
Date: Sun, 16 Mar 2025 17:53:06 +0100
Subject: [PATCH] Add Shadowsocks proxy service

---
 hosts/default.nix | 12 ++++++++++++
 hosts/deployments.nix | 10 ++++++++++
 hosts/parameters.nix | 1 +
 hosts/shadowshocks/default.nix | 29 +++++++++++++++++++++++++++++
 secrets.nix | 1 +
 secrets/shadowshocks-password.age | 13 +++++++++++++
 ssh-keys.nix | 4 ++++
 7 files changed, 70 insertions(+)
 create mode 100644 hosts/shadowshocks/default.nix
 create mode 100644 secrets/shadowshocks-password.age

diff --git a/hosts/default.nix b/hosts/default.nix
index ced99cd..82fd793 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -199,4 +199,16 @@ in
 ];
 # specialArgs = { };
 };
+
+ shadowshocks = nixpkgs.lib.nixosSystem {
+ pkgs = pkgs "x86_64-linux";
+ modules = [
+ myModules
+ proxmoxModule
+ ./shadowshocks
+ agenix.nixosModules.default
+ ];
+ # specialArgs = { };
+ };
+
 }
diff --git a/hosts/deployments.nix b/hosts/deployments.nix
index 780eb21..15db5c8 100644
--- a/hosts/deployments.nix
+++ b/hosts/deployments.nix
@@ -116,6 +116,16 @@ in ]; }; + shadowshocks.deployment = { + targetHost = hosts.shadowshocks; + tags = [ + "lxc" + "bacco" + "shadowshocks" + ]; + }; + + deadbeef.deployment = { allowLocalDeployment = true; targetHost = null;
diff --git a/hosts/parameters.nix b/hosts/parameters.nix
index 928b200..b3a09f1 100644
--- a/hosts/parameters.nix
+++ b/hosts/parameters.nix
@@ -12,6 +12,7 @@
 colmena = "colmena.internal";
 dns01 = "192.168.1.2";
 dns02 = "192.168.1.3";
+ shadowshocks = "shadowshocks.internal";
 };
 domains = {
 public = "pasetto.me";
diff --git a/hosts/shadowshocks/default.nix b/hosts/shadowshocks/default.nix
new file mode 100644
index 0000000..1dc078a
--- /dev/null
+++ b/hosts/shadowshocks/default.nix
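Review bot: The new host is spelled `shadowshocks` throughout this hunk (the attribute name and the `./shadowshocks` module path) while the service it configures and the commit subject say "Shadowsocks"; the same misspelling is then baked into the deployment name and tag in deployments.nix, the `shadowshocks.internal` hostname in parameters.nix, the agenix secret name and `.age` file, and the ssh-keys.nix entry, which makes it expensive to correct later. Renaming before merge is a one-commit change: `shadowshocks = nixpkgs.lib.nixosSystem {` → `shadowsocks = nixpkgs.lib.nixosSystem {` and `./shadowshocks` → `./shadowsocks`, with the matching edits in the other five files. The copied `# specialArgs = { };` comment carries no information for this entry and could be dropped. The attribute set these entries live in starts outside the hunk.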
@@ -0,0 +1,29 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+
+ age.secrets.shadowshocks-password.file = ../../secrets/shadowshocks-password.age;
+
+ my = {
+
+ utils = {
+ commons.enable = true;
+ commons.gc.enable = true;
+ lxc-standard.enable = true;
+ };
+
+ virtualisation.proxmox.enable = true;
+ };
+
+ services.shadowsocks = {
+ enable = true;
+ passwordFile = config.age.secrets.shadowshocks-password.path;
+ port = 8388;
+ };
+
+ system.stateVersion = "24.11";
+}
diff --git a/secrets.nix b/secrets.nix
index fc20ab2..7764776 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -26,6 +26,7 @@ let
 dns01-admin-password = [ machines.dns01 ];
 dns02-admin-password = [ machines.dns02 ];
 dns02-dhcp-failover = [ machines.dns02 ];
+ shadowshocks-password = [ machines.shadowshocks ];
 };
 in
 builtins.listToAttrs (
diff --git a/secrets/shadowshocks-password.age b/secrets/shadowshocks-password.age
new file mode 100644
index 0000000..0c83aa2
--- /dev/null
+++ b/secrets/shadowshocks-password.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 HvFEmA Sgw7itnDakJJZVEGnk05/nLyX3iWD11/ecFUajNa5CY
+iyr7PaWsI8f7AuegC8fuzLbEDLtZTrSUtf1wW/r2zcU
+-> ssh-ed25519 Si3UKw ordExftJbU34g6aLRvMeq9MxWCzewdqP9jZ4KDR9vxk
+POyBfD2B0jzEgiC8uD30zFmW/gbPoQvZTSPuBDqUS8c
+-> ssh-ed25519 3UG3uw uNqAwETfOBrLlW94SjOx/rjvvfsjmQKyrrz4hdJLwSU
+0LKAJee5MFnchg9mwnE8mm/3q4g5a0qUn6NgvA0USys
+-> ssh-ed25519 JEhtoQ opRX4YguKxB894OOt/pfEOJ2Ae5JDzo8Kger1vdBST8
+W/TRgFFZKoMV/0P4pmZbzthr7tSv4o2HUlYq8pAETV0
+-> ssh-ed25519 uqg2jw D35Xr71KPyotnlwoRX42cpWAFR/8IT+njHk2YV8immQ
+M/Kmj5tHAhXMHiQyqVUN2cmo6p7MgcPKXg/Bup2+rsU
+--- TKPGfD9QO8HTMcvlIqpXVxr0JOPgAhA/q/BfJHz2rEQ
+nÆU¬FeGxÜ<­–ï(¿…ømj—au²Ù·‘3Ûþ»dkížçBßÖ+
\ No newline at end of file
diff --git a/ssh-keys.nix b/ssh-keys.nix
index 884fd44..852f16c 100644
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
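Review bot: `services.shadowsocks` sets only `passwordFile` and `port`, so the listen address and cipher are inherited from the NixOS module defaults; as far as I recall the default `localAddress` binds every interface, so if `lxc-standard` or the Proxmox side opens 8388 the proxy is reachable from every network the container is attached to rather than only over Tailscale, which the `tailscale-machine` entry in ssh-keys.nix suggests is the intent. Binding to the host's Tailscale address, `localAddress = [ "<tailscale-ip-of-this-host>" ];` (placeholder), or scoping the firewall to that interface, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 8388 ];` (plus `allowedUDPPorts` if UDP relay is wanted, and assuming the default interface name), would make the exposure explicit. Setting `encryptionMethod` explicitly rather than relying on the default also lets the cipher be reviewed in this file. It is worth confirming on first deploy that the shadowsocks unit can read the agenix secret at its default root-owned 0400 permissions, since nothing here sets `owner`/`mode` on the secret.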
@@ -19,6 +19,7 @@ rec { auth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsSQbXHRt+MpUh+YQxd5p6YPnbbWR/4ylz/pXjdZ9Bs"; dns01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7BdiP/dCE6FHoJylcBKQ5AXz06UpLHNyeuvfLVccSi"; dns02 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+HIq6/ebjiv71xDozdOTn5AdnXgr1fGqIzXnH7Not+"; + shadowshocks = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ4qYaS5ccciH7BNyrF5+J3d4JtHJNr1R256/ulEtxl"; }; # Machines able to provision other machines
@@ -31,8 +32,11 @@ rec { # Machines in tailscale network tailscale-machine = [ + machines.arr + machines.auth machines.caddy machines.metrics + machines.shadowshocks ]; # Machines provisioned with Colmena
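Review bot: The second hunk adds `machines.arr` and `machines.auth` to `tailscale-machine` next to `machines.shadowshocks`, which is outside the scope of a commit titled "Add Shadowsocks proxy service" and is not mentioned in its description; if membership in this list drives which hosts receive Tailscale configuration or which keys secrets are encrypted to, that is a change that deserves its own commit or at least a sentence in the message. `machines.auth` is visible in the first hunk's context, but `machines.arr` is not defined anywhere in view, so it is worth confirming it exists in the `machines` set before this evaluates. The `rec { … }` set enclosing both hunks starts and ends outside them.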