project-flake/servers/wise/main.nix

{ config, pkgs, secret, ... }:

{
	imports = [
		./hardware-configuration.nix
	];
	networking.hostName = "wise";
	system.stateVersion = "25.05";

	services.yggdrasil.persistentKeys = true;
	
	marzban = {
		env = {
			UVICORN_HOST = "wise.project-a.space";
			UVICORN_PORT = 1488;
			SUDO_USERNAME = "wise-admin";
			SUDO_PASSWORD = "ZgUrEmg3m#U5t+ryhbac";
			DOCS = true;
		};
		cert = true;
		domain = "wise.project-a.space";
		xray = {
			log.loglevel = "warning";
			dns = {
				servers = [ "1.1.1.1" ];
				queryStrategy = "UseIPv4";
			};
			routing = {
				rules = [
					{
						ip = [ "geoip:private" ];
						outboundTag = "BLOCK";
						type = "field";
					}
					{
					  user = ["sayhex"];
						outboundTag = "proxy";
						type = "field";
					}
				];
			};
			inbounds = [
				{
					tag = "VLESS TCP REALITY";
					listen = "0.0.0.0";
					port = 443;
					protocol = "vless";
					settings = {
						clients = [];
						decryption = "none";
					};
					streamSettings = {
						network = "tcp";
						tcpSettings = {};
						security = "reality";
						realitySettings = {
							show = false;
							dest = "vk.com:443";
							xver = 0;
							serverNames = [
								"*.vk.com"
								"*.vk.ru"
								"*.userapi.com"
								"*.vk-portal.net"
								"*.yandex.net"
								"*.yandex.ru"
								"*.mail.ru"
								"*.ozone.ru"
								"*.ozon.ru"
								"*.wildberries.ru"
								"*.tbank.ru"
								"*.alfabank.ru"
								"*.sberbank.ru"
								"*.2gis.ru"
								"*.kinopoisk.ru"
								"*.rutube.ru"
								"*.mts.ru"
								"*.beeline.ru"
								"*.t2.ru"
								"*.megafon.ru"
								"*.mindbox.ru"
								"*.yandexcloud.net"
								"*.max.ru"
								"dzen.ru"
								"ok.ru"
								"servicepipe.ru"
								"nspk.ru"
								"statad.ru"
								"get4click.ru"
								"tns-counter.ru"
								"cdn.uxfeedback.ru"
								"speller.yandex.net"
								"widgets.cbonds.ru"
								"www.magnit.com"
								"vk.com"
								"vk.ru"
								"userapi.com"
								"vk-portal.net"
								"yandex.net"
								"yandex.ru"
								"mail.ru"
								"ozone.ru"
								"ozon.ru"
								"wildberries.ru"
								"tbank.ru"
								"alfabank.ru"
								"sberbank.ru"
								"2gis.ru"
								"kinopoisk.ru"
								"rutube.ru"
								"mts.ru"
								"beeline.ru"
								"t2.ru"
								"megafon.ru"
								"mindbox.ru"
								"yandexcloud.net"
								"cloudflare.com"
								"max.ru"
							];
							privateKey = "uMLrAwrkba7AZ040JWwgX3lsCJFWAICW9diA5OIyOiI";
							shortIds = [
							  "12f1c52fdfb49461"
							];
						};
					};
					sniffing = {
						enabled = true;
						destOverride = [ "http" "tls" "quic" ];
					};
				}
				{
					port = 8443;
					tag = "Mr Penis Network";
					protocol = "shadowsocks";
					settings = {
						method = "aes-128-gcm";
						password = "sosal?";
						network = "tcp,udp";
					};
				}
			];
			outbounds = [
				{
					protocol = "freedom";
					tag = "DIRECT";
				}
				{
					protocol = "blackhole";
					tag = "BLOCK";
				}
			];
		};
	};

	networking.firewall.allowedTCPPorts = [ 1488 443 8443 ];
}