2022-03-22 06:03:48 +03:00
|
|
|
{ config, pkgs, lib, ... }: {
|
2022-11-21 02:53:20 +03:00
|
|
|
disabledModules = [ "services/networking/xray.nix" ];
|
|
|
|
|
|
2022-03-22 06:03:48 +03:00
|
|
|
secrets.xray-config = {};
|
2022-12-07 22:19:51 +03:00
|
|
|
secrets.tor-config = {};
|
2022-03-22 06:03:48 +03:00
|
|
|
|
2022-12-07 22:19:51 +03:00
|
|
|
services.xray = {
|
2022-03-22 06:03:48 +03:00
|
|
|
enable = true;
|
2022-11-21 02:53:20 +03:00
|
|
|
settingsFile = config.secrets.xray-config.decrypted;
|
2022-03-22 06:03:48 +03:00
|
|
|
};
|
|
|
|
|
|
2022-12-07 22:19:51 +03:00
|
|
|
containers.tor = {
|
2023-01-26 00:27:05 +03:00
|
|
|
mullvadExclude = config.deviceSpecific.vpn.mullvad.enable;
|
2023-03-27 15:50:40 +03:00
|
|
|
autoStart = false;
|
2022-12-14 23:51:59 +03:00
|
|
|
ephemeral = true;
|
|
|
|
|
# extraFlags = [ "-U" ]; # unprivileged
|
2022-12-07 22:19:51 +03:00
|
|
|
hostAddress = "192.168.1.10";
|
|
|
|
|
localAddress = "192.168.1.11";
|
2022-12-14 23:51:59 +03:00
|
|
|
privateNetwork = true;
|
|
|
|
|
tmpfs = [ "/" ];
|
2022-12-07 22:19:51 +03:00
|
|
|
bindMounts."/var/secrets" = {
|
|
|
|
|
hostPath = "/var/secrets";
|
|
|
|
|
isReadOnly = true;
|
|
|
|
|
};
|
|
|
|
|
config = { config, pkgs, ... }: {
|
|
|
|
|
services.tor.enable = true;
|
|
|
|
|
systemd.services.tor-config = {
|
|
|
|
|
script = ''
|
|
|
|
|
cp /var/secrets/tor-config /var/lib/tor/tor-config
|
|
|
|
|
chown tor /var/lib/tor/tor-config
|
|
|
|
|
chmod 600 /var/lib/tor/tor-config
|
|
|
|
|
sed -i 's#obfs4proxy-path#${pkgs.obfs4}/bin/obfs4proxy#' /var/lib/tor/tor-config
|
|
|
|
|
'';
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
after = [ "network.target" ];
|
|
|
|
|
};
|
|
|
|
|
systemd.services.tor = {
|
|
|
|
|
after = [ "tor-config.service" ];
|
|
|
|
|
serviceConfig.ExecStart = lib.mkForce "${config.services.tor.package}/bin/tor -f /var/lib/tor/tor-config";
|
|
|
|
|
};
|
2023-01-26 00:27:05 +03:00
|
|
|
networking = {
|
|
|
|
|
enableIPv6 = false;
|
|
|
|
|
nameservers = [ "127.0.0.1" ];
|
|
|
|
|
firewall = {
|
|
|
|
|
enable = true;
|
|
|
|
|
allowedTCPPorts = [ 9050 ];
|
|
|
|
|
rejectPackets = false;
|
|
|
|
|
};
|
2023-03-27 20:57:06 +03:00
|
|
|
useHostResolvConf = false;
|
2023-01-26 00:27:05 +03:00
|
|
|
};
|
|
|
|
|
services.dnscrypt-proxy2 = {
|
2022-12-07 22:19:51 +03:00
|
|
|
enable = true;
|
2023-01-26 00:27:05 +03:00
|
|
|
settings = {
|
|
|
|
|
ipv6_servers = false;
|
|
|
|
|
doh_servers = false;
|
|
|
|
|
require_dnssec = true;
|
|
|
|
|
require_nolog = true;
|
|
|
|
|
require_nofilter = true;
|
|
|
|
|
block_ipv6 = true;
|
|
|
|
|
bootstrap_resolvers = [ "9.9.9.11:53" "9.9.9.9:53" ];
|
|
|
|
|
sources = {
|
|
|
|
|
public-resolvers = {
|
|
|
|
|
urls = [
|
|
|
|
|
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
|
|
|
|
|
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
|
|
|
|
|
];
|
|
|
|
|
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
|
|
|
|
|
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
force_tcp = true;
|
|
|
|
|
proxy = "socks5://127.0.0.1:9050";
|
|
|
|
|
};
|
2022-12-07 22:19:51 +03:00
|
|
|
};
|
|
|
|
|
system.stateVersion = "22.11";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2023-01-26 00:27:05 +03:00
|
|
|
networking.nat.internalInterfaces = [ "ve-tor" ];
|
2023-03-27 15:50:40 +03:00
|
|
|
}
|
