151 lines
4 KiB
Nix
151 lines
4 KiB
Nix
|
{ pkgs, abs, config, ... }:
|
|||
|
|
|
|||
|
|
let
|
|||
|
|
secrets = import (abs "lib/secrets.nix");
|
|||
|
|
in {
|
|||
|
|
imports = [
|
|||
|
|
(secrets.declare [ "ss-desu-arm-password" "ss-desu-arm-ip" ])
|
|||
|
|
];
|
|||
|
|
|
|||
|
|
services.sing-box = {
|
|||
|
|
enable = true;
|
|||
|
|
settings = {
|
|||
|
|
dns = {
|
|||
|
|
rules = [
|
|||
|
|
{
|
|||
|
|
outbound = [ "any" ];
|
|||
|
|
server = "dns-coredns";
|
|||
|
|
}
|
|||
|
|
{
|
|||
|
|
# suffixes specific to our coredns configuration
|
|||
|
|
# we don't want to expose them in the proxy
|
|||
|
|
domain_suffix = [
|
|||
|
|
".docker"
|
|||
|
|
".containers"
|
|||
|
|
];
|
|||
|
|
server = "dns-block";
|
|||
|
|
}
|
|||
|
|
{
|
|||
|
|
rule_set = "rkn";
|
|||
|
|
query_type = [ "A" "AAAA" ];
|
|||
|
|
server = "dns-fakeip";
|
|||
|
|
}
|
|||
|
|
];
|
|||
|
|
servers = [
|
|||
|
|
# upstream dns
|
|||
|
|
{
|
|||
|
|
address = "127.0.0.1";
|
|||
|
|
tag = "dns-coredns";
|
|||
|
|
detour = "direct";
|
|||
|
|
}
|
|||
|
|
{ tag = "dns-fakeip"; address = "fakeip"; }
|
|||
|
|
{
|
|||
|
|
tag = "dns-block";
|
|||
|
|
address = "rcode://success";
|
|||
|
|
}
|
|||
|
|
];
|
|||
|
|
|
|||
|
|
# "fake ip" setup.
|
|||
|
|
# setup for keenetic:
|
|||
|
|
# 1. create a proxy outbound (see https://help.keenetic.com/hc/ru/articles/7474374790300)
|
|||
|
|
# 2. create a static route for v4, can be done via web ui: Static Routes > Create, Route type = Route to network,
|
|||
|
|
# Destination network address & Subnet mask – from `inet4_range`, interface = [our proxy]
|
|||
|
|
# 3. create a static route for v6, can be done via telnet: `ipv6 route [inet6_range] Proxy0` (interface name may differ)
|
|||
|
|
# 4. set up keenetic to use our dns server:
|
|||
|
|
# 4.1. setup opkg
|
|||
|
|
# 4.2. install dnsmasq
|
|||
|
|
# 4.3. put something along this in /opt/etc/dnsmasq.conf:
|
|||
|
|
# no-resolv
|
|||
|
|
# bind-dynamic
|
|||
|
|
# listen-address=127.0.0.1
|
|||
|
|
# listen-address=10.42.0.1
|
|||
|
|
# except-interface=lo
|
|||
|
|
# cache-size=2500
|
|||
|
|
# port=53
|
|||
|
|
#
|
|||
|
|
# server=10.42.0.2#5353 # <- ip of the server
|
|||
|
|
# server=8.8.8.8
|
|||
|
|
# strict-order
|
|||
|
|
# 4.4. run `opkg dns-override` via telnet
|
|||
|
|
# 4.5. set up the router as the only dns server in dhcp settings
|
|||
|
|
fakeip = {
|
|||
|
|
enabled = true;
|
|||
|
|
inet4_range = "10.224.0.0/11";
|
|||
|
|
inet6_range = "fd3e:dead:dead::/48";
|
|||
|
|
};
|
|||
|
|
};
|
|||
|
|
|
|||
|
|
inbounds = [
|
|||
|
|
{
|
|||
|
|
tag = "dns-in";
|
|||
|
|
type = "direct";
|
|||
|
|
listen = "0.0.0.0";
|
|||
|
|
listen_port = 5353;
|
|||
|
|
}
|
|||
|
|
{
|
|||
|
|
tag = "mixed-in";
|
|||
|
|
type = "mixed";
|
|||
|
|
listen = "0.0.0.0";
|
|||
|
|
listen_port = 7890;
|
|||
|
|
}
|
|||
|
|
];
|
|||
|
|
|
|||
|
|
outbounds = [
|
|||
|
|
{ tag = "direct"; type = "direct"; }
|
|||
|
|
{ tag = "dns-out"; type = "dns"; }
|
|||
|
|
{
|
|||
|
|
tag = "ss-desu-arm";
|
|||
|
|
type = "shadowsocks";
|
|||
|
|
server._secret = config.age.secrets.ss-desu-arm-ip.path;
|
|||
|
|
server_port = 9000;
|
|||
|
|
method = "chacha20-ietf-poly1305";
|
|||
|
|
password._secret = config.age.secrets.ss-desu-arm-password.path;
|
|||
|
|
udp_over_tcp = {
|
|||
|
|
enabled = true;
|
|||
|
|
version = 1;
|
|||
|
|
};
|
|||
|
|
}
|
|||
|
|
];
|
|||
|
|
|
|||
|
|
route = {
|
|||
|
|
final = "ss-desu-arm";
|
|||
|
|
rules = [
|
|||
|
|
{
|
|||
|
|
inbound = [ "dns-in" ];
|
|||
|
|
outbound = "dns-out";
|
|||
|
|
}
|
|||
|
|
{
|
|||
|
|
outbound = "dns-out";
|
|||
|
|
port = [ 53 ];
|
|||
|
|
}
|
|||
|
|
];
|
|||
|
|
|
|||
|
|
rule_set = [
|
|||
|
|
{
|
|||
|
|
tag = "rkn";
|
|||
|
|
format = "binary";
|
|||
|
|
|
|||
|
|
type = "remote";
|
|||
|
|
url = "https://github.com/teidesu/rkn-singbox/raw/ruleset/rkn-ruleset.srs";
|
|||
|
|
}
|
|||
|
|
];
|
|||
|
|
};
|
|||
|
|
|
|||
|
|
experimental = {
|
|||
|
|
cache_file = {
|
|||
|
|
enabled = true;
|
|||
|
|
store_fakeip = true;
|
|||
|
|
};
|
|||
|
|
|
|||
|
|
# clash_api = {
|
|||
|
|
# external_controller = "127.0.0.1:9090";
|
|||
|
|
# external_ui = "dashboard";
|
|||
|
|
# };
|
|||
|
|
};
|
|||
|
|
};
|
|||
|
|
};
|
|||
|
|
|
|||
|
|
networking.firewall.allowedTCPPorts = [ 7890 ];
|
|||
|
|
networking.firewall.allowedUDPPorts = [ 5353 ];
|
|||
|
|
}
|