From 48b052c1e485e97d7e77abdef44b69b4967faada Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Fri, 21 May 2021 13:11:46 +0200
Subject: feat(whitby): Add shadowsocks server

This adds a shadowsocks service, running on port 8443, tcp and udp. The password is read from /etc/secrets/shadowsocks-secret.sec, and needs to be populated externally.

Change-Id: I6797150db108ba14459502dee43d8e4ed6cfa910
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3125
Tested-by: BuildkiteCI
Reviewed-by: tazjin
---
 ops/machines/whitby/default.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'ops/machines')

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 5767be5787..46c2868c55 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -129,7 +129,8 @@ in {
 interface = "enp196s0";
 };
 
- firewall.allowedTCPPorts = [ 22 80 443 4238 29418 ];
+ firewall.allowedTCPPorts = [ 22 80 443 4238 8443 29418 ];
+ firewall.allowedUDPPorts = [ 8443 ];
 
 interfaces.enp196s0.useDHCP = true;
 interfaces.enp196s0.ipv6.addresses = [
@@ -339,6 +340,12 @@ in {
 ];
 };
 
+ services.shadowsocks = {
+ enable = true;
+ port = 8443;
+ passwordFile = "/etc/secrets/shadowsocks-secret.sec";
+ };
+
 services.nix-serve = {
 enable = true;
 port = 6443;
-- 
cgit 1.4.1
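Review bot: The literal 8443 in `firewall.allowedTCPPorts` and in the new `firewall.allowedUDPPorts` duplicates `services.shadowsocks.port` from the second hunk, so the firewall and the listener can drift apart, and a later port change or removal of the service would leave a stale opening reachable from the internet. If `config` is among this module's arguments (the function head is outside the hunk), derive the value instead: `firewall.allowedUDPPorts = [ config.services.shadowsocks.port ];`, with the same element in the TCP list. Failing that, a comment such as `# 8443: shadowsocks (tcp+udp), see services.shadowsocks` next to both lists would at least tie the opening to its service. The enclosing attribute set starts and ends outside the hunk.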
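Review bot: Nothing in `services.shadowsocks` limits where the proxy may connect, so any holder of the password gets whitby's network position, including loopback and services the firewall does not expose; `services.nix-serve` on port 6443 just below is not in `allowedTCPPorts`, for example. Consider confining the unit's egress, e.g. `systemd.services.shadowsocks-libev.serviceConfig.IPAddressDeny = [ "localhost" "link-local" ];` (unit name as in the nixpkgs module; first confirm the service does not depend on a loopback DNS resolver), or a shadowsocks ACL. The block also deserves a comment that `passwordFile` is not managed by Nix, along the lines of `# Provisioned out of band; must exist before the unit starts and be readable only by root and the service user.` The `services.nix-serve` set continues outside the hunk.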