Support shadowsocks Cloak plugin

bingzhangdai · Dec 11, 2023 · df1d2da · df1d2da
1 parent 015f602
commit df1d2da
Show file tree

Hide file tree

Showing 8 changed files with 61 additions and 22 deletions.
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
@@ -1,16 +1,10 @@
 ansible_connection: ssh
 ansible_port: 22
 
-ansible_user: david
+ansible_user: atl
 
 # workaround: https://github.com/ansible/ansible/issues/24425#issuecomment-437326526
-ssh_pass: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          31646633376664333363336333643364343566623236356664313866326332363734386666643063
-          3731633061313330393138303665353832643139363864370a343930663430363062373566333835
-          32323463393865343334633965636537326439623861663334316663613139363035373433393834
-          6435393632646235650a643737626136323437383864383838643530656533393239656330346234
-          3161
+ssh_pass: q1w2E#R$
 ansible_ssh_pass: "{{ ssh_pass | string }}"
 
 # Privilege Escalation

diff --git a/group_vars/all/shadowsocks-libev.yml b/group_vars/all/shadowsocks-libev.yml
@@ -1,17 +1,22 @@
 ss_config:
-  server_port: 2333
-  password: !vault |
-            $ANSIBLE_VAULT;1.1;AES256
-            66393234643561383433343464373833316232396535333735376333316638333233343062653638
-            6335333331393337306139663831653463666137643432390a333936383732376437333139316237
-            36393136323033316164633839636138343338656566663831313732613935326130616632396439
-            3262633937653062350a646462383939656432613333616335653263386436333835613936333766
-            3461
+  server_port: 443
+  password: q1w2E#R$
 
   encrypt_method: chacha20-ietf-poly1305
   plugin:
-    v2ray:
-      opts: server
+    # v2ray:
+    #   opts: server
+    cloak:
+      # optional
+      ProxyBook:
+        wireguard:
+        - udp
+        - 127.0.0.1:500
+      BypassUID:
+      - dflsTpipqZsExqvhznVVfg==
+      RedirAddr: www.bing.com
+      PrivateKey: 'aGxPlWl7vH6ywSLe0v5Y54zeIqnevTszSqwX13NGqWY='
+      AdminUID: 'dflsTpipqZsExqvhznVVfg=='
   timeout: 300
   local_port: 1080
-  fast_open: true
+  fast_open: true
diff --git a/hosts b/hosts
@@ -6,3 +6,6 @@ ss-wus2.westus2.cloudapp.azure.com
 
 [centos]
 centos-jpe.japaneast.cloudapp.azure.com
+
+[debian]
+hkass5.southeastasia.cloudapp.azure.com
diff --git a/roles/shadowsocks-libev/defaults/main.yml b/roles/shadowsocks-libev/defaults/main.yml
@@ -2,5 +2,10 @@ ss_github:
   user: shadowsocks
   v2ray_repo: v2ray-plugin
 
+cloak_github:
+  user: cbeuw
+  repo: Cloak
+
 ss_plugin_release:
   v2ray: "https://github.com/{{ ss_github.user }}/{{ ss_github.v2ray_repo }}/releases/download/v{{ release_version }}/v2ray-plugin-linux-amd64-v{{ release_version }}.tar.gz"
+  cloak: "https://github.com/{{ cloak_github.user }}/{{ cloak_github.repo }}/releases/download/v{{ release_version }}/ck-server-linux-amd64-v{{ release_version }}"
diff --git a/roles/shadowsocks-libev/tasks/main.yml b/roles/shadowsocks-libev/tasks/main.yml
@@ -27,6 +27,24 @@
           command: setcap 'CAP_NET_BIND_SERVICE=+eip' /etc/shadowsocks-libev/v2ray-plugin_linux_amd64
           when: ss_config.server_port < 1024
       when: ss_config.plugin.v2ray is defined
+    - name: install cloak
+      block:
+        - name: detect latest v2ray version
+          import_role:
+            name: utils
+            tasks_from: github-release
+          vars:
+            user: "{{ cloak_github.user }}"
+            repo: "{{ cloak_github.repo }}"
+        - name: download cloak-server {{ release_version }}
+          get_url:
+            url: "{{ ss_plugin_release.cloak }}"
+            dest: "/etc/shadowsocks-libev/ck-server"
+            mode: 755
+          notify: restart shadowsocks-libev
+        - name: allow a non-root process to bind to a privileged port
+          command: setcap 'CAP_NET_BIND_SERVICE=+eip' /etc/shadowsocks-libev/ck-server
+          when: ss_config.server_port < 1024
   when: ss_config.plugin is defined
 
 - name: optimize shadowsocks
@@ -90,6 +108,12 @@
         dest: /etc/shadowsocks-libev/config.json
         mode: '644'
       notify: restart shadowsocks-libev
+    - name: edit /etc/shadowsocks-libev/ckserver.json
+      template:
+        src: ckserver.json.j2
+        dest: /etc/shadowsocks-libev/ckserver.json
+        mode: '644'
+      when: ss_config.plugin is defined and ss_config.plugin.cloak is defined
     - name: turn on TCP Fast Open on server side
       sysctl:
         name: net.ipv4.tcp_fastopen

diff --git a/roles/shadowsocks-libev/templates/ckserver.json.j2 b/roles/shadowsocks-libev/templates/ckserver.json.j2
@@ -0,0 +1,4 @@
+{% do
+    ss_config.plugin.cloak['location'] = ansible_env.HOME + '/userinfo.db'
+%}
+{{ ss_config.plugin.cloak | to_nice_json(indent=4) }}
diff --git a/roles/shadowsocks-libev/templates/config.json.j2 b/roles/shadowsocks-libev/templates/config.json.j2
@@ -4,7 +4,7 @@
     "password": "{{ ss_config.password }}",
     "timeout": {{ ss_config.timeout }},
     "method": "{{ ss_config.encrypt_method }}",
-    "nameserver": "8.8.8.8",
+    "nameserver": "{{ nameservers.nameservers[0] }}",
     "mode": "tcp_and_udp",
     "fast_open": {{ ss_config.fast_open | default(false) | lower }}
 }
diff --git a/roles/shadowsocks-libev/templates/shadowsocks-libev.j2 b/roles/shadowsocks-libev/templates/shadowsocks-libev.j2
@@ -8,7 +8,7 @@ CONFFILE="/etc/shadowsocks-libev/config.json"
 DAEMON_ARGS=
 
 # User and group to run the server as
-USER=nobody
+USER={{ ansible_env.USER }}
 GROUP=nogroup
 
 # Number of maximum file descriptors
@@ -20,4 +20,8 @@ MAXFD=32768
 PLUGIN="/etc/shadowsocks-libev/v2ray-plugin_linux_amd64"
 PLUGINOPTS="{{ ss_config.plugin.v2ray.opts }}"
 {% endif %}
-{% endif %}
+{% if ss_config.plugin.cloak is defined %}
+PLUGIN="/etc/shadowsocks-libev/ck-server"
+PLUGINOPTS="/etc/shadowsocks-libev/ckserver.json"
+{% endif %}
+{% endif %}