Merge pull request #38896 from abbradar/shadowsocks

Update shadowsocks-libuv and add shadowsocks service

nixos/modules/module-list.nix

@@ -547,6 +547,7 @@
   ./services/networking/searx.nix
   ./services/networking/seeks.nix
   ./services/networking/skydns.nix
+  ./services/networking/shadowsocks.nix
   ./services/networking/shairport-sync.nix
   ./services/networking/shout.nix
   ./services/networking/sniproxy.nix

nixos/modules/services/networking/shadowsocks.nix

@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.shadowsocks;
+
+  opts = {
+    server = cfg.localAddress;
+    server_port = cfg.port;
+    method = cfg.encryptionMethod;
+    mode = cfg.mode;
+    user = "nobody";
+    fast_open = true;
+  } // optionalAttrs (cfg.password != null) { password = cfg.password; };
+
+  configFile = pkgs.writeText "shadowsocks.json" (builtins.toJSON opts);
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.shadowsocks = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to run shadowsocks-libev shadowsocks server.
+        '';
+      };
+
+      localAddress = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = ''
+          Local address to which the server binds.
+        '';
+      };
+
+      port = mkOption {
+        type = types.int;
+        default = 8388;
+        description = ''
+          Port which the server uses.
+        '';
+      };
+
+      password = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          Password for connecting clients.
+        '';
+      };
+
+      passwordFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = ''
+          Password file with a password for connecting clients.
+        '';
+      };
+
+      mode = mkOption {
+        type = types.enum [ "tcp_only" "tcp_and_udp" "udp_only" ];
+        default = "tcp_and_udp";
+        description = ''
+          Relay protocols.
+        '';
+      };
+
+      encryptionMethod = mkOption {
+        type = types.str;
+        default = "chacha20-ietf-poly1305";
+        description = ''
+          Encryption method. See <link xlink:href="https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers"/>.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+    assertions = singleton
+      { assertion = cfg.password == null || cfg.passwordFile == null;
+        message = "Cannot use both password and passwordFile for shadowsocks-libev";
+      };
+
+    systemd.services.shadowsocks-libev = {
+      description = "shadowsocks-libev Daemon";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.shadowsocks-libev ] ++ optional (cfg.passwordFile != null) pkgs.jq;
+      serviceConfig.PrivateTmp = true;
+      script = ''
+        ${optionalString (cfg.passwordFile != null) ''
+          cat ${configFile} | jq --arg password "$(cat "${cfg.passwordFile}")" '. + { password: $password }' > /tmp/shadowsocks.json
+        ''}
+        exec ss-server -c ${if cfg.passwordFile != null then "/tmp/shadowsocks.json" else configFile}
+      '';
+    };
+  };
+}

pkgs/tools/networking/shadowsocks-libev/default.nix

@@ -1,47 +1,32 @@
-{ withMbedTLS ? true
-, enableSystemSharedLib ? true
-, stdenv, fetchurl, zlib
-, openssl ? null
-, mbedtls ? null
-, libev ? null
-, libsodium ? null
-, udns ? null
-, asciidoc
-, xmlto
-, docbook_xml_dtd_45
-, docbook_xsl
-, libxslt
-, pcre
+{ stdenv, fetchurl, fetchgit, cmake
+, libsodium, mbedtls, libev, c-ares, pcre
+, asciidoc, xmlto, docbook_xml_dtd_45, docbook_xsl, libxslt
 }:
 
-let
-
-  version = "2.5.5";
-  sha256 = "46a72367b7301145906185f1e4136e39d6792d27643826e409ab708351b6d0dd";
-
-in
-
-with stdenv.lib;
-
 stdenv.mkDerivation rec {
   name = "shadowsocks-libev-${version}";
-  src = fetchurl {
-    url = "https://github.com/shadowsocks/shadowsocks-libev/archive/v${version}.tar.gz";
-    inherit sha256;
+  version = "3.1.3";
+
+  # Git tag includes CMake build files which are much more convenient.
+  # fetchgit because submodules.
+  src = fetchgit {
+    url = "https://github.com/shadowsocks/shadowsocks-libev";
+    rev = "refs/tags/v${version}";
+    sha256 = "16q91xh6ixfv7b5rl31an11101irv08119klfx5qgj4i6h7c41s7";
   };
 
-  buildInputs = [ zlib asciidoc xmlto docbook_xml_dtd_45 docbook_xsl libxslt pcre ]
-                ++ optional (!withMbedTLS) openssl
-                ++ optional withMbedTLS mbedtls
-                ++ optionals enableSystemSharedLib [libev libsodium udns];
+  buildInputs = [ libsodium mbedtls libev c-ares pcre ];
+  nativeBuildInputs = [ cmake asciidoc xmlto docbook_xml_dtd_45 docbook_xsl libxslt ];
 
-  configureFlags = optional withMbedTLS
-                     [ "--with-crypto-library=mbedtls"
-                       "--with-mbedtls=${mbedtls}"
-                     ]
-                   ++ optional enableSystemSharedLib "--enable-system-shared-lib";
+  cmakeFlags = [ "-DWITH_STATIC=OFF" ];
 
-  meta = {
+  postInstall = ''
+    cp lib/* $out/lib
+    chmod +x $out/bin/*
+    mv $out/pkgconfig $out/lib
+  '';
+
+  meta = with stdenv.lib; {
     description = "A lightweight secured SOCKS5 proxy";
     longDescription = ''
       Shadowsocks-libev is a lightweight secured SOCKS5 proxy for embedded devices and low-end boxes.
@@ -50,6 +35,6 @@ stdenv.mkDerivation rec {
     homepage = https://github.com/shadowsocks/shadowsocks-libev;
     license = licenses.gpl3Plus;
     maintainers = [ maintainers.nfjinjing ];
-    platforms = platforms.all;
+    platforms = platforms.linux;
   };
 }