mirror of
https://github.com/CHN-beta/nixos.git
synced 2024-10-24 02:29:03 +08:00
# Local DNS + proxy plumbing: dnsmasq answers on loopback and forwards to a
# resolver on 127.0.0.1#10853, xray runs as the static "v2ray" account with its
# configuration taken from a sops-managed secret, and the kernel is tuned so
# that loopback and non-local addresses can take part in routing.
inputs:
let
  # Static account shared by the xray unit and the secret's ownership.
  proxyAccount = "v2ray";

  # Capabilities granted to xray. CAP_NET_ADMIN is broad (interfaces, routing
  # and firewall state); the bounding set below keeps the unit from holding
  # anything beyond these two.
  # NOTE(review): presumably CAP_NET_ADMIN is needed for transparent-proxy
  # socket options -- confirm against xray.json, and drop it if unused.
  netCaps = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
in {
  config = {
    # --- DNS -----------------------------------------------------------------
    services.dnsmasq.enable = true;
    services.dnsmasq.settings = {
      # Do not poll resolv.conf for changes.
      no-poll = true;
      # Single upstream on loopback, port 10853. What listens there is not
      # defined in this file -- TODO confirm it is provided by xray.json.
      server = [ "127.0.0.1#10853" ];
      # Bind to loopback only, so the resolver is not offered on other
      # interfaces by dnsmasq itself.
      listen-address = "127.0.0.1";
      bind-interfaces = true;
      # Addresses resolved for these domains are added to the "noproxy_net"
      # ipset. The set's creation and the rules consuming it are not visible
      # here; presumably they exempt this traffic from the proxy -- verify.
      ipset = [
        "/developer.download.nvidia.com/noproxy_net"
        "/yuanshen.com/noproxy_net"
        "/zoom.us/noproxy_net"
      ];
    };

    # --- Proxy services ------------------------------------------------------
    services.xray.enable = true;
    # Configuration is read from the path sops exposes for the secret declared
    # below, not from a literal in this file.
    services.xray.settingsFile = inputs.config.sops.secrets."xray.json".path;

    # Module is defined elsewhere in the repository; only its options are set.
    services.v2ray-forwarder = {
      enable = true;
      proxyPort = 10880;
      xmuPort = 10881;
    };

    # Secret is readable by the proxy account and its group only; xray is
    # restarted when the secret changes.
    sops.secrets."xray.json" = {
      mode = "0440";
      owner = proxyAccount;
      group = proxyAccount;
      restartUnits = [ "xray.service" ];
    };

    # Run xray as the static account instead of a systemd DynamicUser, matching
    # the owner of the secret above.
    systemd.services.xray.serviceConfig = {
      DynamicUser = inputs.lib.mkForce false;
      User = proxyAccount;
      Group = proxyAccount;
      CapabilityBoundingSet = netCaps;
      AmbientCapabilities = netCaps;
    };

    users.users.v2ray = {
      isSystemUser = true;
      group = proxyAccount;
    };
    users.groups.v2ray = {};

    # --- Kernel networking ---------------------------------------------------
    # route_localnet stops the kernel treating 127.0.0.0/8 as unroutable and
    # accept_local accepts packets carrying a local source address. Combined
    # with ip_forward, services bound only to loopback can become reachable
    # from adjacent hosts unless packet filtering drops loopback-destined
    # traffic arriving on non-loopback interfaces.
    # NOTE(review): no such filter is defined in this file -- confirm one
    # exists elsewhere in the configuration.
    boot.kernel.sysctl = {
      "net.ipv4.conf.all.route_localnet" = true;
      "net.ipv4.conf.default.route_localnet" = true;
      "net.ipv4.conf.all.accept_local" = true;
      "net.ipv4.conf.default.accept_local" = true;
      "net.ipv4.ip_forward" = true;
      # Allows sockets to bind to addresses not configured on this host.
      "net.ipv4.ip_nonlocal_bind" = true;
    };

    # Static resolver file: all name resolution goes through the local dnsmasq
    # instance, so lookups fail if dnsmasq or its upstream is down.
    environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
  };
}