Shadowsocks module

hosts/shadowshocks/default.nix

@@ -18,6 +18,13 @@ in
   my = {
 
     networking = {
+
+      shadownsocks = {
+        enable = true;
+        port = shadowshocks-port;
+        passwordFile = config.age.secrets.shadowshocks-password.path;
+      };
+
       tailscale = {
         enable = true;
         magicDNSDomain = p.domains.tsDns;
@@ -34,14 +41,5 @@ in
     virtualisation.proxmox.enable = true;
   };
 
-  services.shadowsocks = {
-    enable = true;
-    passwordFile = config.age.secrets.shadowshocks-password.path;
-    port = shadowshocks-port;
-  };
-
-  # open shadownsocks port
-  networking.firewall.allowedTCPPorts = [ shadowshocks-port ];
-
   system.stateVersion = "24.11";
 }

modules/networking/default.nix

@@ -4,6 +4,7 @@
     ./caddy.nix
     ./ddclient.nix
     ./nas-samba-share.nix
+    ./shadowsocks.nix
     ./tailscale.nix
     ./technitium-dns-server.nix
   ];

modules/networking/shadowsocks.nix

@@ -0,0 +1,37 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my.networking.shadowsocks;
+in
+{
+  options.my.networking.shadowsocks = {
+    enable = lib.mkEnableOption "Enable Shadowsocks relay";
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 8388;
+      description = "Port to listen on";
+    };
+    passwordFile = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/shadowsocks/password";
+      description = "File with the Shadowsocks relay access password";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    services.shadowsocks = lib.mkIf cfg.enable {
+      enable = true;
+      passwordFile = cfg.passwordFile;
+      port = cfg.port;
+    };
+
+    # open shadownsocks port
+    networking.firewall.allowedTCPPorts = [ cfg.port ];
+  };
+
+}