enable nginx transparent proxy for vps6

This commit is contained in:
2023-08-10 17:50:08 +08:00
parent 13d1cd8d2d
commit 72a1c5c489
2 changed files with 116 additions and 1 deletions


@@ -308,6 +308,21 @@
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
sshd.enable = true;
frpServer = { enable = true; serverName = "frp.chn.moe"; };
nginx =
{
transparentProxy =
{
enable = true;
listen = "74.211.99.69:443";
map =
{
default = "443";
"ng01.mirism.one" = "7411";
"beta.mirism.one" = "9114";
};
proxyPorts = [ 443 7411 9114 ];
};
};
};
boot =
{
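Review bot: The `proxyPorts = [ 443 7411 9114 ];` line restates the port values already given in `map` just above it, and the reply-path marking installed by the module (the ipset that the mangle rules match on, in the second file of this commit) covers only the ports listed here, so the two lists have to be kept in sync by hand. A comment on that line, `# must equal the set of backend ports in map (incl. default): only these are marked on the reply path`, would record the invariant where the values are edited. Since the stream server takes 74.211.99.69:443 and the default backend is 127.0.0.1:443, the HTTP vhost serving the default presumably has to bind 127.0.0.1 only; that configuration is outside this hunk, so worth confirming.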


@@ -79,13 +79,23 @@ inputs:
};
nix-serve.enable = mkOption { type = types.bool; default = false; };
smartd.enable = mkOption { type = types.bool; default = false; };
nginx =
{
transparentProxy =
{
enable = mkOption { type = types.bool; default = false; };
listen = mkOption { type = types.nonEmptyStr; };
map = mkOption { type = types.attrsOf types.nonEmptyStr; };
proxyPorts = mkOption { type = types.listOf types.ints.unsigned; };
};
};
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) stripeTabs attrsToList;
inherit (inputs.config.nixos) services;
inherit (builtins) map listToAttrs;
inherit (builtins) map listToAttrs concatStringsSep toString;
in mkMerge
[
(
@@ -560,5 +570,95 @@ inputs:
}
)
(mkIf services.smartd.enable { services.smartd.enable = true; })
(
mkIf services.nginx.transparentProxy.enable
{
services.nginx =
{
enable = true;
streamConfig = stripeTabs
''
stream
{
map $ssl_preread_server_name $backend
{
${concatStringsSep "\n" (map
(x: '' "${x.name}" 127.0.0.1:${x.value};'')
(attrsToList services.nginx.transparentProxy.map))}
}
server
{
listen ${services.nginx.transparentProxy.listen};
ssl_preread on;
proxy_bind $remote_addr transparent;
proxy_pass $backend;
proxy_connect_timeout 1s;
proxy_socket_keepalive on;
proxy_buffer_size 128k;
}
}
'';
};
systemd.services.nginx-proxy =
let
ipset = "${inputs.pkgs.ipset}/bin/ipset";
iptables = "${inputs.pkgs.iptables}/bin/iptables";
ip = "${inputs.pkgs.iproute}/bin/ip";
start = inputs.pkgs.writeShellScript "nginx-proxy.start"
(
(
stripeTabs
''
${ipset} create nginx_proxy_port bitmap:port range 0-65535
${iptables} -t mangle -N nginx_proxy_mark
${iptables} -t mangle -A OUTPUT -j nginx_proxy_mark
${iptables} -t mangle -A nginx_proxy_mark -s 127.0.0.1 -p tcp \
-m set --match-set nginx_proxy_port src -j MARK --set-mark 2/2
${iptables} -t mangle -N nginx_proxy
${iptables} -t mangle -A PREROUTING -j nginx_proxy
${iptables} -t mangle -A nginx_proxy -s 127.0.0.1 -p tcp \
-m set --match-set nginx_proxy_port src -j MARK --set-mark 2/2
${ip} rule add fwmark 2/2 table 200
${ip} route add local 0.0.0.0/0 dev lo table 200
''
)
+ concatStringsSep "\n" (map
(port: ''${ipset} add nginx_proxy_port ${toString port}'')
services.nginx.transparentProxy.proxyPorts)
);
stop = inputs.pkgs.writeShellScript "nginx-proxy.stop" (stripeTabs
''
${iptables} -t mangle -F nginx_proxy_mark
${iptables} -t mangle -D OUTPUT -j nginx_proxy_mark
${iptables} -t mangle -X nginx_proxy_mark
${iptables} -t mangle -F nginx_proxy
${iptables} -t mangle -D PREROUTING -j nginx_proxy
${iptables} -t mangle -X nginx_proxy
${ip} rule del fwmark 2/2 table 200
${ip} route del local 0.0.0.0/0 dev lo table 200
${ipset} destroy nginx_proxy_port
'');
in
{
description = "nginx transparent proxy";
after = [ "network.target" ];
serviceConfig =
{
Type = "simple";
RemainAfterExit = true;
ExecStart = start;
ExecStop = stop;
};
wants = [ "network.target" ];
wantedBy= [ "multi-user.target" ];
};
}
)
];
}
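Review bot: nginx-proxy is declared with `Type = "simple";` and `RemainAfterExit = true;` while its ExecStart is a script that installs the ipset/iptables/ip rules and exits, so systemd reports the unit active as soon as the script is forked, before any rule exists, and nothing in the unit (only `after`/`wants` on network.target) orders nginx.service behind it; `Type = "oneshot";` together with `before = [ "nginx.service" ];` makes the rule installation complete before nginx starts. The start script also runs its commands without `set -e` (writeShellScript only prepends a shebang, as far as I know), so a failing `ipset create` or `ip rule add` leaves the marking half-installed while the unit still reports success; a leading `set -e` in the start text is enough, the stop script is better left best-effort. Because `ip rule add fwmark 2/2 table 200` appends a new entry on every run, a start after a stop that failed part-way would presumably accumulate duplicate rules that the stop script deletes only once — a `ip rule del` before the add, or a check, would make start idempotent. Separately, `proxy_bind $remote_addr transparent` requires the worker processes to be able to set IP_TRANSPARENT, and the NixOS nginx unit runs with a restricted capability bounding set unless overridden elsewhere in this configuration; that is outside the hunk, so please confirm the unit is granted the needed capability.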