nixos-configs/modules/services/work-proxy.nix

{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.modules.services.work-proxy;
in
{
  options.modules.services.work-proxy = {
    enable = lib.my.mkBoolOpt false;
  };

  config = lib.mkIf cfg.enable {
    services.dnsmasq = {
      enable = true;
      settings = {
        server = [
          "/lefoyer.lu/127.0.0.1#1053"
          "/foyer.lu/127.0.0.1#1053"
          "/foyer.cloud/127.0.0.1#1053"
          "1.1.1.1"
        ];
        no-resolv = true;
        interface = "lo";
        bind-interfaces = true;
      };
    };

    networking = {
      proxy = {
        httpProxy = "http://127.0.0.1:${toString config.services.tinyproxy.settings.Port}";
        httpsProxy = "http://127.0.0.1:${toString config.services.tinyproxy.settings.Port}";
      };
    };

    services.tinyproxy = {
      enable = true;
      settings = {
        LogLevel = "Info";
        Port = 2345;
        Upstream = [
          ''upstream socks5 127.0.0.1:5080 ".lefoyer.lu"''
          ''upstream socks5 127.0.0.1:5080 ".foyer.lu"''
          ''upstream socks5 127.0.0.1:5080 ".foyer.cloud"''
          ''upstream http   127.0.0.1:3128 ".microsoftonline.com"''
        ];
      };
    };

    services.redsocks = {
      enable = false;
      log_debug = true;
      log_info = true;
      redsocks = [
        {
          port = 12345;
          proxy = "127.0.0.1:5080";
          type = "socks5";
          redirectCondition = "-d 10.134.0.0/16";
          doNotRedirect = [
            "-p tcp -m owner --uid-owner redsocks"
            "-p tcp --dport 80"
            "-p tcp --dport 443"
          ];
        }
        # {
        #   port = 12345;
        #   proxy = "127.0.0.1:${toString config.services.tinyproxy.settings.Port}";
        #   type = "http-relay";
        #   redirectCondition = "--dport 80";
        #   doNotRedirect = [
        #     "-p tcp -m owner --uid-owner tinyproxy"
        #   ];
        # }
        # {
        #   port = 12346;
        #   proxy = "127.0.0.1:${toString config.services.tinyproxy.settings.Port}";
        #   type = "http-connect";
        #   redirectCondition = "--dport 443";
        #   doNotRedirect = [
        #     "-p tcp -m owner --uid-owner tinyproxy"
        #   ];
        # }
      ];
    };

    security.pki.certificateFiles = [
      "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      ./certs/Foyer-Group-Root-CA.crt
      ./certs/Foyer-Sub-CA.crt
    ];

    environment.variables = {
      JAVAX_NET_SSL_TRUSTSTORE = ./certs/cacerts;
      JAVA_OPTS = "-Dhttp.proxyHost=localhost -Dhttp.proxyPort=${toString config.services.tinyproxy.settings.Port} -Dhttps.proxyHost=localhost -Dhttps.proxyPort=${toString config.services.tinyproxy.settings.Port} -Djavax.net.ssl.trustStore=${./certs/cacerts} -Djavax.net.ssl.trustStorePassword=changeit";
    };

    home-manager.users.${config.user.name} = {
      home = {
        file.".sbt/repositories".text = ''
          [repositories]
            local
            maven-local
            nexus-maven: https://nexus.foyer.lu/repository/mvn-all/
            nexus-ivy: https://nexus.foyer.lu/repository/ivy-all/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]
            nexus-ivy-sbt: https://nexus.foyer.lu/repository/ivy-all/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[artifact](-[classifier])-[type].[ext]
        '';
      };
    };

    environment.systemPackages = with pkgs; [ chisel ];
  };
}
Add work-proxy module 2025-08-01 02:06:04 +02:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`

			`let`
			`cfg = config.modules.services.work-proxy;`
			`in`
			`{`
			`options.modules.services.work-proxy = {`
			`enable = lib.my.mkBoolOpt false;`
			`};`

			`config = lib.mkIf cfg.enable {`
Add dnsmasq to support split dns 2025-08-03 04:02:00 +02:00			`services.dnsmasq = {`
			`enable = true;`
			`settings = {`
			`server = [`
Update work-proxy 2025-08-05 14:58:34 +02:00			`"/lefoyer.lu/127.0.0.1#1053"`
			`"/foyer.lu/127.0.0.1#1053"`
			`"/foyer.cloud/127.0.0.1#1053"`
Add dnsmasq to support split dns 2025-08-03 04:02:00 +02:00			`"1.1.1.1"`
			`];`
			`no-resolv = true;`
			`interface = "lo";`
			`bind-interfaces = true;`
			`};`
			`};`
Add work-proxy module 2025-08-01 02:06:04 +02:00
			`networking = {`
			`proxy = {`
			`httpProxy = "http://127.0.0.1:${toString config.services.tinyproxy.settings.Port}";`
			`httpsProxy = "http://127.0.0.1:${toString config.services.tinyproxy.settings.Port}";`
			`};`
			`};`

			`services.tinyproxy = {`
			`enable = true;`
			`settings = {`
Update work-proxy 2025-08-05 14:58:34 +02:00			`LogLevel = "Info";`
Add work-proxy module 2025-08-01 02:06:04 +02:00			`Port = 2345;`
			`Upstream = [`
Update work-proxy 2025-08-05 14:58:34 +02:00			`''upstream socks5 127.0.0.1:5080 ".lefoyer.lu"''`
			`''upstream socks5 127.0.0.1:5080 ".foyer.lu"''`
			`''upstream socks5 127.0.0.1:5080 ".foyer.cloud"''`
			`''upstream http 127.0.0.1:3128 ".microsoftonline.com"''`
Add work-proxy module 2025-08-01 02:06:04 +02:00			`];`
			`};`
			`};`

Update work-proxy 2025-08-05 14:58:34 +02:00			`services.redsocks = {`
			`enable = false;`
			`log_debug = true;`
			`log_info = true;`
			`redsocks = [`
			`{`
			`port = 12345;`
			`proxy = "127.0.0.1:5080";`
			`type = "socks5";`
			`redirectCondition = "-d 10.134.0.0/16";`
			`doNotRedirect = [`
			`"-p tcp -m owner --uid-owner redsocks"`
			`"-p tcp --dport 80"`
			`"-p tcp --dport 443"`
			`];`
			`}`
			`# {`
			`# port = 12345;`
			`# proxy = "127.0.0.1:${toString config.services.tinyproxy.settings.Port}";`
			`# type = "http-relay";`
			`# redirectCondition = "--dport 80";`
			`# doNotRedirect = [`
			`# "-p tcp -m owner --uid-owner tinyproxy"`
			`# ];`
			`# }`
			`# {`
			`# port = 12346;`
			`# proxy = "127.0.0.1:${toString config.services.tinyproxy.settings.Port}";`
			`# type = "http-connect";`
			`# redirectCondition = "--dport 443";`
			`# doNotRedirect = [`
			`# "-p tcp -m owner --uid-owner tinyproxy"`
			`# ];`
			`# }`
			`];`
			`};`

Add work-proxy module 2025-08-01 02:06:04 +02:00			`security.pki.certificateFiles = [`
			`"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`
			`./certs/Foyer-Group-Root-CA.crt`
			`./certs/Foyer-Sub-CA.crt`
			`];`

			`environment.variables = {`
			`JAVAX_NET_SSL_TRUSTSTORE = ./certs/cacerts;`
			`JAVA_OPTS = "-Dhttp.proxyHost=localhost -Dhttp.proxyPort=${toString config.services.tinyproxy.settings.Port} -Dhttps.proxyHost=localhost -Dhttps.proxyPort=${toString config.services.tinyproxy.settings.Port} -Djavax.net.ssl.trustStore=${./certs/cacerts} -Djavax.net.ssl.trustStorePassword=changeit";`
			`};`

			`home-manager.users.${config.user.name} = {`
Update work-proxy 2025-08-05 14:58:34 +02:00			`home = {`
			`file.".sbt/repositories".text = ''`
			`[repositories]`
			`local`
			`maven-local`
			`nexus-maven: https://nexus.foyer.lu/repository/mvn-all/`
			`nexus-ivy: https://nexus.foyer.lu/repository/ivy-all/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]`
			`nexus-ivy-sbt: https://nexus.foyer.lu/repository/ivy-all/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[artifact](-[classifier])-[type].[ext]`
			`'';`
			`};`
Add work-proxy module 2025-08-01 02:06:04 +02:00			`};`

Add dnsmasq to support split dns 2025-08-03 04:02:00 +02:00			`environment.systemPackages = with pkgs; [ chisel ];`
Add work-proxy module 2025-08-01 02:06:04 +02:00			`};`
			`}`