shitcoding moment

2025-12-01 13:47:27 +07:00 · 2025-12-01 13:47:27 +07:00 · 58475e433e
commit 58475e433e
parent 8e31bd6c02
28 changed files with 703 additions and 258 deletions
--- a/servers/wise/hardware-configuration.nix
+++ b/servers/wise/hardware-configuration.nix
@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/mapper/hk-root"; fsType = "ext4"; };
+  swapDevices = [ { device = "/dev/dm-0"; } ];
+}
--- a/servers/wise/main.nix
+++ b/servers/wise/main.nix
@ -0,0 +1,156 @@
+{ config, pkgs, secret, ... }:
+
+{
+	imports = [
+		./hardware-configuration.nix
+	];
+	networking.hostName = "wise";
+	system.stateVersion = "25.05";
+
+	services.yggdrasil.persistentKeys = true;
+	
+	marzban = {
+		env = {
+			UVICORN_HOST = "wise.project-a.space";
+			UVICORN_PORT = 1488;
+			SUDO_USERNAME = "wise-admin";
+			SUDO_PASSWORD = "ZgUrEmg3m#U5t+ryhbac";
+			DOCS = true;
+		};
+		cert = true;
+		domain = "wise.project-a.space";
+		xray = {
+			log.loglevel = "warning";
+			dns = {
+				servers = [ "1.1.1.1" ];
+				queryStrategy = "UseIPv4";
+			};
+			routing = {
+				rules = [
+					{
+						ip = [ "geoip:private" ];
+						outboundTag = "BLOCK";
+						type = "field";
+					}
+					{
+					  user = ["sayhex"];
+						outboundTag = "proxy";
+						type = "field";
+					}
+				];
+			};
+			inbounds = [
+				{
+					tag = "VLESS TCP REALITY";
+					listen = "0.0.0.0";
+					port = 443;
+					protocol = "vless";
+					settings = {
+						clients = [];
+						decryption = "none";
+					};
+					streamSettings = {
+						network = "tcp";
+						tcpSettings = {};
+						security = "reality";
+						realitySettings = {
+							show = false;
+							dest = "vk.com:443";
+							xver = 0;
+							serverNames = [
+								"*.vk.com"
+								"*.vk.ru"
+								"*.userapi.com"
+								"*.vk-portal.net"
+								"*.yandex.net"
+								"*.yandex.ru"
+								"*.mail.ru"
+								"*.ozone.ru"
+								"*.ozon.ru"
+								"*.wildberries.ru"
+								"*.tbank.ru"
+								"*.alfabank.ru"
+								"*.sberbank.ru"
+								"*.2gis.ru"
+								"*.kinopoisk.ru"
+								"*.rutube.ru"
+								"*.mts.ru"
+								"*.beeline.ru"
+								"*.t2.ru"
+								"*.megafon.ru"
+								"*.mindbox.ru"
+								"*.yandexcloud.net"
+								"*.max.ru"
+								"dzen.ru"
+								"ok.ru"
+								"servicepipe.ru"
+								"nspk.ru"
+								"statad.ru"
+								"get4click.ru"
+								"tns-counter.ru"
+								"cdn.uxfeedback.ru"
+								"speller.yandex.net"
+								"widgets.cbonds.ru"
+								"www.magnit.com"
+								"vk.com"
+								"vk.ru"
+								"userapi.com"
+								"vk-portal.net"
+								"yandex.net"
+								"yandex.ru"
+								"mail.ru"
+								"ozone.ru"
+								"ozon.ru"
+								"wildberries.ru"
+								"tbank.ru"
+								"alfabank.ru"
+								"sberbank.ru"
+								"2gis.ru"
+								"kinopoisk.ru"
+								"rutube.ru"
+								"mts.ru"
+								"beeline.ru"
+								"t2.ru"
+								"megafon.ru"
+								"mindbox.ru"
+								"yandexcloud.net"
+								"cloudflare.com"
+								"max.ru"
+							];
+							privateKey = "uMLrAwrkba7AZ040JWwgX3lsCJFWAICW9diA5OIyOiI";
+							shortIds = [
+							  "12f1c52fdfb49461"
+							];
+						};
+					};
+					sniffing = {
+						enabled = true;
+						destOverride = [ "http" "tls" "quic" ];
+					};
+				}
+				{
+					port = 8443;
+					tag = "Mr Penis Network";
+					protocol = "shadowsocks";
+					settings = {
+						method = "aes-128-gcm";
+						password = "sosal?";
+						network = "tcp,udp";
+					};
+				}
+			];
+			outbounds = [
+				{
+					protocol = "freedom";
+					tag = "DIRECT";
+				}
+				{
+					protocol = "blackhole";
+					tag = "BLOCK";
+				}
+			];
+		};
+	};
+
+	networking.firewall.allowedTCPPorts = [ 1488 443 8443 ];
+}
--- a/servers/wise/nginx.nix
+++ b/servers/wise/nginx.nix
@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+{
+	security.acme.defaults.email = "project-a@project-a.space";
+	security.acme.acceptTerms = true;
+
+	services.nginx = {
+		enable = true;
+		defaultSSLListenPort = 444;
+
+		streamConfig = ''
+			map $ssl_preread_server_name $name {
+				default                marzban;
+			}
+
+			upstream marzban {
+				server 127.0.0.1:1080;
+			}
+
+			server {
+				listen 0.0.0.0:443;
+				proxy_pass $name;
+				ssl_preread on;
+
+				proxy_connect_timeout 5s;
+				proxy_timeout 60s;
+			}
+		'';
+	};
+}