decouple vpn and proxies

m/vpn/default.nix

@@ -1,5 +1,6 @@
 {
   imports = [
     ./hft.nix
+    ./shadowsocks.nix
   ];
 }

m/vpn/hft.nix

@@ -2,6 +2,7 @@
 let
   types = lib.types;
   hft = config.maid.vpn.hft;
+  proxies = config.maid.proxies;
 in
 {
   options.maid.vpn.hft = {
@@ -14,6 +15,12 @@ in
   };
 
   config = lib.mkIf hft.enable {
+    assertions = [
+      { assertion = proxies.yor.enable;
+        message = "HFT OpenVPN requires shadowsocks server to bypass DPI";
+      }
+    ];
+
     services.openvpn.servers.hft = {
       autoStart = hft.autoStart;
       updateResolvConf = true;
@@ -24,16 +31,8 @@ in
       '';
     };
 
-    systemd.services.hft-shadowsocks = {
-      wantedBy = [ "openvpn-hft.service" ];
-      partOf = [ "openvpn-hft.service" ];
-      after = [ "network.target" ];
-
-      description = "Shadowsocks to bypass OpenVPN block";
-      serviceConfig = {
-        Type = "simple";
-        ExecStart = ''${pkgs.shadowsocks-rust}/bin/sslocal --config ${config.sops.secrets."work/shadowsocks".path}'';
-      };
-    };
+    systemd.services.openvpn-hft.requires = [
+      "yor-proxy.service"
+    ];
   };
 }

m/vpn/shadowsocks.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.maid.proxies;
+in
+{
+  options.maid.proxies = {
+    yor = {
+      enable = lib.mkEnableOption "Yor shadowsocks proxy";
+    };
+  };
+
+  config = lib.mkIf cfg.yor.enable {
+    systemd.services.yor-proxy = {
+      after = [ "network.target" ];
+      description = "`Yor` proxy server";
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = ''${pkgs.shadowsocks-rust}/bin/sslocal --config ${config.sops.secrets."viendesu/shadowsocks/yor".path}'';
+      };
+    };
+  };
+}