# NixOS host module for this machine: Marzban panel plus two xray inbounds.
# `secret` is expected to provide the attrset `secret.marzban` with the fields
# read below (port, vless-port, sudo-username, sudo-password, dest, sni,
# privateKey, shortId); the module does not define them itself.
{ config, pkgs, secret, ... }:

let
  panelHost = "ivan.project-a.space";

  # Both inbounds sniff the destination the same way; defined once here.
  sniffHttpTlsQuic = {
    enabled = true;
    destOverride = [ "http" "tls" "quic" ];
  };

  # VLESS over TCP with REALITY; the port and all key material come from `secret`.
  vlessRealityInbound = {
    tag = "VLESS TCP REALITY";
    listen = "0.0.0.0";
    port = secret.marzban.vless-port;
    protocol = "vless";
    settings = {
      clients = [ ];
      decryption = "none";
    };
    streamSettings = {
      network = "tcp";
      tcpSettings = { };
      security = "reality";
      realitySettings = {
        show = false;
        dest = secret.marzban.dest;
        xver = 0;
        serverNames = secret.marzban.sni;
        privateKey = secret.marzban.privateKey;
        shortIds = [ secret.marzban.shortId ];
      };
    };
    sniffing = sniffHttpTlsQuic;
  };

  # VMess over plain WebSocket on 8080. `security = "none"` means this listener
  # has no TLS of its own. NOTE(review): that is only reasonable if a
  # TLS-terminating proxy or CDN sits in front of it; ./nginx.nix is imported but
  # not visible here, so confirm it fronts 8080 — the port is also opened in the
  # firewall at the bottom of this file.
  vmessWsInbound = {
    tag = "VMESS WS NOTLS";
    listen = "0.0.0.0";
    port = 8080;
    protocol = "vmess";
    settings = {
      clients = [ ];
      decryption = "none";
    };
    streamSettings = {
      network = "ws";
      wsSettings = { path = "/"; };
      security = "none";
    };
    sniffing = sniffHttpTlsQuic;
  };
in
{
  imports = [
    ./hardware-configuration.nix
    ./nginx.nix
  ];

  services.yggdrasil.persistentKeys = true;

  marzban = {
    # Environment handed to the Marzban panel process.
    # NOTE(review): DOCS = true serves the panel's API docs, and the panel port is
    # opened in the firewall below, so the docs are reachable wherever the panel is.
    env = {
      UVICORN_HOST = panelHost;
      UVICORN_PORT = secret.marzban.port;
      SUDO_USERNAME = secret.marzban.sudo-username;
      SUDO_PASSWORD = secret.marzban.sudo-password;
      DOCS = true;
    };
    cert = true;
    domain = panelHost;

    xray = {
      log = { loglevel = "warning"; };
      dns = {
        servers = [ "1.1.1.1" ];
        queryStrategy = "UseIPv4";
      };
      routing.rules = [
        # Drop anything aimed at private address ranges.
        {
          type = "field";
          ip = [ "geoip:private" ];
          outboundTag = "BLOCK";
        }
        # NOTE(review): none of the outbounds below carries the tag "proxy" (only
        # DIRECT and BLOCK are defined), so this rule names an outbound that does
        # not exist in this file; confirm whether it is supplied elsewhere or should
        # reference an existing tag.
        {
          type = "field";
          user = [ "sayhex" ];
          outboundTag = "proxy";
        }
      ];
      inbounds = [ vlessRealityInbound vmessWsInbound ];
      outbounds = [
        { protocol = "freedom"; tag = "DIRECT"; }
        { protocol = "blackhole"; tag = "BLOCK"; }
      ];
    };
  };

  # Ports reachable from outside: the panel itself, the REALITY listener and the
  # plain WebSocket listener.
  networking.firewall.allowedTCPPorts = [
    secret.marzban.port
    secret.marzban.vless-port
    8080
  ];
}