initial commit

2026-04-01 08:50:01 +03:00 · 2026-04-01 08:50:01 +03:00 · 30ce0dafc2
commit 30ce0dafc2
195 changed files with 8902 additions and 0 deletions
--- a/services/xray-3x-ui/default.nix
+++ b/services/xray-3x-ui/default.nix
@ -0,0 +1,8 @@
+{
+  imports = [
+    ./options.nix
+    ./firewall.nix
+    ./nginx.nix
+    ./service.nix
+  ];
+}
--- a/services/xray-3x-ui/firewall.nix
+++ b/services/xray-3x-ui/firewall.nix
@ -0,0 +1,24 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.xray-3x-ui)
+    enable
+    port
+    ;
+in
+with lib; mkIf enable {
+  networking.firewall.allowedTCPPorts = [
+    # Web panel
+    port
+
+    # SSL & HTTP
+    80
+    443
+
+    # Inbounds
+    1082
+  ];
+}
--- a/services/xray-3x-ui/nginx.nix
+++ b/services/xray-3x-ui/nginx.nix
@ -0,0 +1,44 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit
+    (config.machine.xray-3x-ui)
+    enable
+    port
+    domain
+    subscriptions
+    ;
+in {
+  services.nginx.virtualHosts = with lib; mkIf enable {
+    ${domain} = with lib; mkIf (domain != null) {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+        extraConfig = ''
+          proxy_set_header X-Real-IP         $remote_addr;
+          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_redirect off;
+        '';
+      };
+    };
+    ${subscriptions.domain} = with lib; mkIf (subscriptions.domain != null) {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:2096";
+        proxyWebsockets = true;
+        extraConfig = ''
+          proxy_set_header X-Real-IP         $remote_addr;
+          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_redirect off;
+        '';
+      };
+    };
+  };
+}
--- a/services/xray-3x-ui/options.nix
+++ b/services/xray-3x-ui/options.nix
@ -0,0 +1,33 @@
+{ lib, config, ... }:
+with lib;
+{
+  options.machine.xray-3x-ui = {
+    enable = mkEnableOption "3x-ui Xray panel";
+
+    port = mkOption {
+      type = types.port;
+      default = 2053;
+      description = "Port for the web interface.";
+    };
+
+    domain = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "domain for the web interface.";
+    };
+
+    subscriptions = {
+      domain = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "domain for the web interface.";
+      };
+    };
+
+    dataDir = mkOption {
+      type = types.path;
+      default = "/var/lib/3x-ui";
+      description = "Directory to store 3x-ui data.";
+    };
+  };
+}
--- a/services/xray-3x-ui/service.nix
+++ b/services/xray-3x-ui/service.nix
@ -0,0 +1,96 @@
+# See https://github.com/sunmeplz/xray-3x-ui
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.machine.xray-3x-ui;
+
+  # Minimum Go version required for building
+  minGoVersion = "1.26.0";
+
+  xray-3x-ui =
+    assert assertMsg
+      (versionAtLeast pkgs.go.version minGoVersion)
+      "3x-ui requires Go >= ${minGoVersion}, but ${pkgs.go.version} is available";
+
+    pkgs.buildGoModule rec {
+      pname = "3x-ui";
+      version = "2.8.11";
+
+      src = pkgs.fetchFromGitHub {
+        owner = "MHSanaei";
+        repo = "3x-ui";
+        rev = "v${version}";
+        hash = "sha256-2I6t3caf2t7nKSFwxI/dVIobpBzuptrgauuXfFw8ltg=";
+      };
+
+      vendorHash = "sha256-M8YQTMfF/xZut4hxUcAfF2xGK625vwJNp4JS/zoXUCQ=";
+
+      ldflags = [ "-s" "-w" ];
+
+      meta = with lib; {
+        description = "Xray panel supporting multi-protocol multi-user";
+        homepage = "https://github.com/MHSanaei/3x-ui";
+        license = licenses.gpl3Only;
+        platforms = platforms.linux;
+        maintainers = [ ];
+      };
+    };
+
+in {
+  # Service implementation
+  config = mkIf cfg.enable {
+    # User and group configuration
+    users.users.xray-3x-ui = {
+      isSystemUser = true;
+      group = "xray-3x-ui";
+      description = "3x-ui service user";
+    };
+
+    users.groups.xray-3x-ui = { };
+
+    # Directory structure
+    systemd.tmpfiles.rules = [
+      "d ${cfg.dataDir} 0755 xray-3x-ui xray-3x-ui -"
+      "d ${cfg.dataDir}/bin 0755 xray-3x-ui xray-3x-ui -"
+      "d ${cfg.dataDir}/logs 0755 xray-3x-ui xray-3x-ui -"
+    ];
+
+    # Systemd service
+    systemd.services.xray-3x-ui = {
+      description = "3x-ui Xray Panel";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+        XUI_DB_FOLDER = cfg.dataDir;
+        XUI_BIN_FOLDER = "${cfg.dataDir}/bin";
+        XUI_LOG_FOLDER = "${cfg.dataDir}/logs";
+      };
+
+      preStart = ''
+        # Symlink xray-core binary to expected location
+        ln -sf ${pkgs.xray}/bin/xray ${cfg.dataDir}/bin/xray-linux-amd64
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${xray-3x-ui}/bin/3x-ui";
+        WorkingDirectory = cfg.dataDir;
+        Restart = "on-failure";
+        RestartSec = "10s";
+        User = "xray-3x-ui";
+        Group = "xray-3x-ui";
+        StateDirectory = "3x-ui 3x-ui/bin 3x-ui/logs";
+        StateDirectoryMode = "0755";
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ];
+      };
+    };
+
+    # Add to system packages for CLI access
+    environment.systemPackages = [ xray-3x-ui ];
+  };
+}