path: root/modules/vpn/egress.nix
Diffstat (limited to 'modules/vpn/egress.nix')
-rw-r--r--modules/vpn/egress.nix92
1 files changed, 55 insertions, 37 deletions
diff --git a/modules/vpn/egress.nix b/modules/vpn/egress.nix
index fe39880..7858751 100644
--- a/modules/vpn/egress.nix
+++ b/modules/vpn/egress.nix
@@ -20,6 +20,9 @@ let
   # other protocols, if roskomnadzor learns to sniff out vless fully.
   protocol = "vless";
 
+  inboundTag = "vless-in";
+  outboundTag = "direct-out";
+
   definition = import ./definition.nix;
   inherit (definition) paths mask;
 
@@ -27,48 +30,63 @@ let
     p: p.egress == me.name
   ) (throw "no egress information found for this server!") paths;
 
-  xrayConfig = pkgs.writeText "xray.json" (
-    builtins.toJSON {
-      inbounds = [
-        {
-          inherit port protocol;
-
-          settings = {
-            clients = [
-              {
-                id = path.info.uuid;
-                flow = "xtls-rprx-vision";
-              }
+  xrayConfig = {
+    inbounds = [
+      {
+        inherit port protocol;
+        tag = inboundTag;
+
+        settings = {
+          clients = [
+            {
+              id = path.info.uuid;
+              flow = "xtls-rprx-vision";
+            }
+          ];
+          decryption = "none";
+        };
+
+        streamSettings = {
+          network = "tcp";
+          security = "reality";
+          realitySettings = {
+            show = false;
+            dest = "www.${mask}:443";
+            serverNames = [
+              "www.${mask}"
+              mask
             ];
-            decryption = "none";
+            privateKey = "@PRIVATE_KEY@";
+            shortIds = [ path.info.short ];
           };
+        };
+      }
+    ];
 
-          streamSettings = {
-            network = "tcp";
-            security = "reality";
-            realitySettings = {
-              show = false;
-              dest = "www.${mask}:443";
-              serverNames = [
-                "www.${mask}"
-                mask
-              ];
-              privateKey = "@PRIVATE_KEY@";
-              shortIds = [ path.info.short ];
-            };
-          };
-        }
-      ];
+    # and we're out!
+    outbounds = [
+      {
+        protocol = "freedom";
+        tag = outboundTag;
+      }
+    ];
 
-      # and we're out!
-      outbounds = [
+    routing = {
+      rules = [
         {
-          protocol = "freedom";
-          tag = "direct";
+          type = "field";
+          inboundTag = [ inboundTag ];
+          inherit outboundTag;
         }
       ];
-    }
-  );
+    };
+
+    log = {
+      loglevel = "debug";
+    };
+  };
+
+  config-file = pkgs.writeText "xray.json" (builtins.toJSON xrayConfig);
 in
 {
   networking.firewall.allowedTCPPorts = [ port ];
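Review bot: `loglevel = "debug"` in the new `log` block is a data-retention problem on an egress node: no `error` or `access` path is configured, so Xray's verbose diagnostic output — which, as far as I recall, includes the destinations each client session opens — lands in the journal of the server whose whole purpose is to not keep such a record; use `loglevel = "warning";` (Xray's default) or `"none"` and raise it ad hoc when troubleshooting. The new catch-all routing rule also sends every `vless-in` connection to the `freedom` outbound, so any holder of the UUID can reach loopback and RFC1918 addresses behind the egress host; unless that is intended, add a `blackhole` outbound and a `geoip:private` rule ahead of the catch-all, with `domainStrategy` set so domain targets that resolve to private ranges are caught as well. The rename of the outbound tag from `direct` to `direct-out` is safe here since the old config had no routing section referencing it.
```nix
    outbounds = [
      {
        protocol = "freedom";
        tag = outboundTag;
      }
      {
        protocol = "blackhole";
        tag = "block-out";
      }
    ];

    routing = {
      # resolve domain targets so the ip rule below also catches names pointing at private space
      domainStrategy = "IPIfNonMatch";
      rules = [
        {
          type = "field";
          inboundTag = [ inboundTag ];
          ip = [ "geoip:private" ];
          outboundTag = "block-out";
        }
        # … unchanged: catch-all rule from inboundTag to outboundTag …
      ];
    };

    log = {
      loglevel = "warning";
    };
```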
@@ -92,7 +110,7 @@ in
       };
       script = ''
         mkdir -p /run/xray-configuration
-        cp ${xrayConfig} /run/xray-configuration/xray.json
+        cp ${config-file} /run/xray-configuration/xray.json
 
         egress_key=$(cat ${config.age.secrets.egress-key.path})
 
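Review bot: `cp ${config-file} /run/xray-configuration/xray.json` copies a Nix store file, whose mode is 0444, into a directory that `mkdir -p` creates with the default umask, so the generated config is world-readable — and the REALITY private key read into `egress_key` on the next line is presumably substituted into that same file (the rest of the script, and the substitution itself, is outside the hunk). Restrict the directory and file before the key lands there: `mkdir -p -m 0700 /run/xray-configuration` and `install -m 0600 ${config-file} /run/xray-configuration/xray.json`, or set `RuntimeDirectory=`/`RuntimeDirectoryMode=0700` on the unit instead of the manual `mkdir`. This predates the rename the hunk makes, but the hunk touches exactly the line to fix.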
@@ -104,7 +122,7 @@ in
     xray = {
       requires = [ "generate-xray-config.service" ];
       after = [ "generate-xray-config.service" ];
-      restartTriggers = [ xrayConfig ];
+      restartTriggers = [ config-file ];
     };
   };