shitcoding moment

2025-12-01 13:47:27 +07:00 · 2025-12-01 13:47:27 +07:00 · 58475e433e
commit 58475e433e
parent 8e31bd6c02
28 changed files with 703 additions and 258 deletions
--- a/servers/ivan/main.nix
+++ b/servers/ivan/main.nix
@ -5,7 +5,7 @@
 		./hardware-configuration.nix
 		./nginx.nix
 	];
-	
+
 	services.yggdrasil.persistentKeys = true;
 	marzban = {
 		env = {
@ -17,16 +17,94 @@
 		};
 		cert = true;
 		domain = "ivan.project-a.space";
-		xray = import ../common/xray.nix {
-			server-domain = "ivan.project-a.space";
-			port = secret.marzban.vless-port;
-			dest = secret.marzban.dest;
-			privateKey = secret.marzban.privateKey;
-			shortId = secret.marzban.shortId;
-			spiderX = secret.marzban.spiderX;
-			sni = secret.marzban.sni;
+		xray = {
+			log.loglevel = "warning";
+			dns = {
+				servers = [ "1.1.1.1" ];
+				queryStrategy = "UseIPv4";
+			};
+			routing = {
+				rules = [
+					{
+						ip = [ "geoip:private" ];
+						outboundTag = "BLOCK";
+						type = "field";
+					}
+					{
+					  user = ["sayhex"];
+						outboundTag = "proxy";
+						type = "field";
+					}
+				];
+			};
+			inbounds = [
+				{
+					tag = "VLESS TCP REALITY";
+					listen = "0.0.0.0";
+					port = secret.marzban.vless-port;
+					protocol = "vless";
+					settings = {
+						clients = [];
+						decryption = "none";
+					};
+					streamSettings = {
+						network = "tcp";
+						tcpSettings = {};
+						security = "reality";
+						realitySettings = {
+							show = false;
+							dest = secret.marzban.dest;
+							xver = 0;
+							serverNames = secret.marzban.sni;
+							privateKey = secret.marzban.privateKey;
+							shortIds = [
+							  secret.marzban.shortId
+							];
+						};
+					};
+					sniffing = {
+						enabled = true;
+						destOverride = [ "http" "tls" "quic" ];
+					};
+				}
+				{
+					tag = "VMESS WS NOTLS";
+					listen = "0.0.0.0";
+					port = 8080;
+					protocol = "vmess";
+					settings = {
+						clients = [];
+						decryption = "none";
+					};
+					streamSettings = {
+						network = "ws";
+						wsSettings = {
+							path = "/";
+						};
+						security = "none";
+					};
+					sniffing = {
+						enabled = true;
+						destOverride = [
+							"http"
+							"tls"
+							"quic"
+						];
+					};
+				}
+			];
+			outbounds = [
+				{
+					protocol = "freedom";
+					tag = "DIRECT";
+				}
+				{
+					protocol = "blackhole";
+					tag = "BLOCK";
+				}
+			];
 		};
 	};

-	networking.firewall.allowedTCPPorts = [ secret.marzban.port secret.marzban.vless-port ];
-}
+	networking.firewall.allowedTCPPorts = [ secret.marzban.port secret.marzban.vless-port 8080 ];
+}