# NixOS host configuration for "artemisia": a Yggdrasil node plus a Marzban
# panel driving an Xray core (VLESS/REALITY and VMess/WebSocket inbounds).
#
# Arguments:
#   config - the evaluated system configuration (not referenced in this file).
#   pkgs   - the package set.
#   secret - attribute set holding credentials and ports; where it comes from
#            is not visible here.
#
# NOTE(review): everything read from `secret` is resolved at evaluation time.
# If the consuming module renders these values into files under /nix/store
# they become readable by every local user -- confirm how the `marzban`
# module materialises `env` and `xray`.
{ config, pkgs, secret, ... }:

let
  # Public name of the host; used for both the panel bind address and the
  # panel domain.
  fqdn = "artemisia.project-a.space";

  # Sniffing settings shared by every inbound below.
  sniffAll = {
    enabled = true;
    destOverride = [ "http" "tls" "quic" ];
  };
in
{
  imports = [
    ./hardware-configuration.nix
    ./nginx.nix
    ./forgejo.nix
  ];

  system.stateVersion = "25.05";

  networking = {
    hostName = "artemisia";

    # The panel port and the plaintext VMess port (8080) are reachable from
    # any address.
    # NOTE(review): nothing in this file listens on 4001 -- presumably one of
    # the imported modules does; confirm it is still needed.
    # NOTE(review): secret.marzban.vless-port is not listed here; verify that
    # it is opened elsewhere (or by the marzban module).
    firewall.allowedTCPPorts = [ secret.marzban.port 4001 8080 ];
  };

  services.yggdrasil = {
    # NOTE(review): a PrivateKey placed in `settings` is written to the
    # world-readable Nix store. The NixOS module offers `configFile` or
    # `persistentKeys = true` to keep the node key out of the store -- worth
    # considering here.
    persistentKeys = false;
    settings.PrivateKey = secret.yggdrasil.PrivateKey;
  };

  marzban = {
    domain = fqdn;
    # presumably requests a TLS certificate for `domain` -- confirm in the
    # marzban module.
    cert = true;

    env = {
      # The panel binds to the public host name and its port is opened in the
      # firewall above, so the admin login is internet-facing.
      UVICORN_HOST = fqdn;
      UVICORN_PORT = secret.marzban.port;
      SUDO_USERNAME = secret.marzban.sudo-username;
      SUDO_PASSWORD = secret.marzban.sudo-password;
      # NOTE(review): presumably enables the panel's API documentation
      # routes; on a public panel this is extra exposed surface -- keep it on
      # only if it is actually used.
      DOCS = true;
    };

    xray = {
      log = { loglevel = "warning"; };

      dns = {
        servers = [ "1.1.1.1" ];
        queryStrategy = "UseIPv4";
      };

      routing.rules = [
        # Listed first, so it also applies to the user matched by the next
        # rule: proxied clients cannot reach private address ranges through
        # this host.
        {
          type = "field";
          ip = [ "geoip:private" ];
          outboundTag = "BLOCK";
        }
        # Traffic from this one user leaves through the "proxy" outbound.
        {
          type = "field";
          user = [ "sayhex" ];
          outboundTag = "proxy";
        }
      ];

      inbounds = [
        # VLESS over TCP with REALITY; the key material, destination, SNI
        # list and short id all come from `secret`.
        {
          tag = "VLESS TCP REALITY";
          protocol = "vless";
          listen = "0.0.0.0";
          port = secret.marzban.vless-port;
          settings = {
            clients = [ ];
            decryption = "none";
          };
          streamSettings = {
            network = "tcp";
            tcpSettings = { };
            security = "reality";
            realitySettings = {
              show = false;
              dest = secret.marzban.dest;
              xver = 0;
              serverNames = secret.marzban.sni;
              privateKey = secret.marzban.privateKey;
              shortIds = [ secret.marzban.shortId ];
            };
          };
          sniffing = sniffAll;
        }

        # NOTE(review): VMess over WebSocket with `security = "none"` on
        # 0.0.0.0:8080, and 8080 is opened in the firewall, so this inbound
        # is reachable without any TLS layer. If it is meant to sit behind
        # the nginx from ./nginx.nix, binding it to loopback and closing 8080
        # would match that intent -- confirm.
        # NOTE(review): `decryption` looks like a VLESS setting; it is
        # probably ignored on a vmess inbound -- verify.
        {
          tag = "VMESS WS NOTLS";
          protocol = "vmess";
          listen = "0.0.0.0";
          port = 8080;
          settings = {
            clients = [ ];
            decryption = "none";
          };
          streamSettings = {
            network = "ws";
            wsSettings = { path = "/"; };
            security = "none";
          };
          sniffing = sniffAll;
        }
      ];

      outbounds = [
        { tag = "DIRECT"; protocol = "freedom"; }
        { tag = "BLOCK"; protocol = "blackhole"; }
        # NOTE(review): this is the only credential in the file written as a
        # literal. It is committed with the configuration and copied into the
        # Nix store; move it into the `secret` set like the others and rotate
        # it on the upstream server.
        {
          tag = "proxy";
          protocol = "shadowsocks";
          settings.servers = [
            {
              address = "62.60.177.69";
              port = 8443;
              method = "aes-256-gcm";
              password = "sosal?";
            }
          ];
        }
      ];
    };
  };

  environment.systemPackages = [ pkgs.temurin-jre-bin-24 ];

  programs.nix-ld.enable = true;
}