From a0c9b62c0edb2dbf1cd84e9a3d03b891eddad3f0 Mon Sep 17 00:00:00 2001
From: chn
Date: Tue, 5 Dec 2023 14:41:05 +0800
Subject: [PATCH] Revert "services.xray: nebula do not bypass"
This reverts commit 5a30ebe7b60f3c8af0216d8e12bd098205e115d6.
---
 modules/services/xray.nix | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/modules/services/xray.nix b/modules/services/xray.nix
index a9ccccf5..21ba9e91 100644
--- a/modules/services/xray.nix
+++ b/modules/services/xray.nix
@@ -258,18 +258,24 @@ inputs:
 "${iptables} -t mangle -A OUTPUT -j v2ray_mark -w"
 ]
 ++ (map (action: "${iptables} -t mangle -A v2ray_mark ${action} -w")
- [
- "-m owner --uid-owner $(id -u v2ray) -j RETURN"
- "-m set --match-set noproxy_src_net src -j RETURN"
- "-m set --match-set xmu_net dst -p tcp -j MARK --set-mark 1/1"
- "-m set --match-set xmu_net dst -p udp -j MARK --set-mark 1/1"
- "-m set --match-set noproxy_net dst -j RETURN"
- "-m set --match-set proxy_net dst -p tcp -j MARK --set-mark 1/1"
- "-m set --match-set proxy_net dst -p udp -j MARK --set-mark 1/1"
- "-m set --match-set lo_net dst -j RETURN"
- "-p tcp -j MARK --set-mark 1/1"
- "-p udp -j MARK --set-mark 1/1"
- ])
+ (
+ (if inputs.config.nixos.system.networking.nebula.enable then
+ let user = inputs.config.systemd.services."nebula@nebula".serviceConfig.User;
+ in [ "-m owner --uid-owner $(id -u ${user}) -j RETURN" ]
+ else [])
+ ++ [
+ "-m owner --uid-owner $(id -u v2ray) -j RETURN"
+ "-m set --match-set noproxy_src_net src -j RETURN"
+ "-m set --match-set xmu_net dst -p tcp -j MARK --set-mark 1/1"
+ "-m set --match-set xmu_net dst -p udp -j MARK --set-mark 1/1"
+ "-m set --match-set noproxy_net dst -j RETURN"
+ "-m set --match-set proxy_net dst -p tcp -j MARK --set-mark 1/1"
+ "-m set --match-set proxy_net dst -p udp -j MARK --set-mark 1/1"
+ "-m set --match-set lo_net dst -j RETURN"
+ "-p tcp -j MARK --set-mark 1/1"
+ "-p udp -j MARK --set-mark 1/1"
+ ]
+ ))
 ++ [
 "${ip} rule add fwmark 1/1 table 100"
 "${ip} route add local 0.0.0.0/0 dev lo table 100"
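Review bot: The re-added first rule, `-m owner --uid-owner $(id -u ${user}) -j RETURN`, exempts every socket owned by the nebula service user from the v2ray_mark chain, and neither the code nor the commit message says why. Because it sits ahead of all the set-based rules, any process running under that uid egresses without being marked for the proxy, so a comment above the `if` should record the intent and the assumption, for example `# nebula's own packets bypass the transparent proxy (matched by service uid; keep this uid dedicated to nebula)`. The user name is read from the hard-coded unit `nebula@nebula`, and `$(id -u ...)` is resolved when the rule is installed, so presumably the rule fails to install if that account does not exist at that point; that ordering is worth confirming. The surrounding list expression starts and ends outside this hunk.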