Home Explore Help
Sign In
kotoyuuko
/
ansible-proxy-chain
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 1a97d299df
Branches Tags
ansible-proxy-c...
/
openspec
/
specs
/
shadowsocks-relay
/
spec.md

spec.md 3.0 KB
History Raw

ADDED Requirements

Requirement: shadowsocks-rust is installed on the relay server

The shadowsocks role SHALL download and install the shadowsocks-rust ssserver binary from GitHub releases to a configurable path, with a configurable version.

Scenario: Fresh installation

  • WHEN the shadowsocks role runs on a relay server without shadowsocks-rust installed
  • THEN the specified version of ssserver binary is downloaded and installed
  • THEN the binary is executable and owned by a dedicated service user

Scenario: Version upgrade

  • WHEN the shadowsocks version variable is changed and the playbook is re-run
  • THEN the binary is replaced with the new version
  • THEN the service is restarted

Requirement: shadowsocks-rust runs as a systemd service

The shadowsocks role SHALL create a systemd unit file for ssserver and ensure it is enabled and started.

Scenario: Service is running

  • WHEN the shadowsocks role completes
  • THEN the ssserver systemd service is enabled and running
  • THEN the service runs under a dedicated non-root user

Requirement: shadowsocks-rust configuration is templated

The relay server's shadowsocks configuration SHALL be generated from a Jinja2 template with variables for port, password, and cipher method.

Scenario: Configuration is generated from template

  • WHEN the shadowsocks role runs
  • THEN a JSON config file is rendered from template with port, password, and encryption method
  • THEN the config file permissions are restricted (readable only by the service user)

Scenario: Configuration change triggers restart

  • WHEN a variable in group_vars/relay.yml is changed and the playbook is re-run
  • THEN the configuration file is updated
  • THEN the ssserver service is restarted

Requirement: shadowsocks uses AEAD cipher

The shadowsocks configuration SHALL use an AEAD cipher (e.g., aes-256-gcm or chacha20-ietf-poly1305), configurable via Ansible variable. The SS port and password SHALL default to auto-generated values from the credentials/ directory, with manual override supported.

Scenario: AEAD cipher is configured

  • WHEN the shadowsocks configuration is generated
  • THEN the method field uses the configured AEAD cipher
  • THEN the default cipher is aes-256-gcm if not overridden

Scenario: Port and password use auto-generated defaults

  • WHEN the shadowsocks role runs without manual overrides
  • THEN the port and password come from credentials/ lookup values

Requirement: shadowsocks credentials are auto-generated and persisted

The relay server's shadowsocks password and port SHALL be auto-generated on first run via Ansible password lookup and persisted in credentials/. Manual override via --extra-vars is supported.

Scenario: Credentials are auto-generated

  • WHEN the playbook runs for the first time
  • THEN a random password and port are generated and persisted to credentials/
  • THEN no plaintext password exists in version-controlled files