nixfiles/hosts/arumi/services/sing-box.nix

{ config, pkgs, ... }:

{
  desu.secrets.arumi-singbox-pk = {};
  desu.secrets.arumi-singbox-sid = {};
  desu.secrets.arumi-singbox-users = {};

  services.sing-box = {
    enable = true;
    settings = {
      log = { level = "info"; timestamp = true; };
      inbounds = [
        {
          type = "vless";
          tag = "vless-in";
          listen = "::";
          listen_port = 443;
          sniff = true;
          sniff_override_destination = true;
          domain_strategy = "ipv4_only";
          users = []; # populated later in the preStart script
          tls = let server = "updates.cdn-apple.com"; in {
            enabled = true;
            server_name = server;
            reality = {
              enabled = true;
              handshake = { inherit server; server_port = 443; };
              private_key._secret = config.desu.secrets.arumi-singbox-pk.path;
              short_id = [ 
                { _secret = config.desu.secrets.arumi-singbox-sid.path; }
              ];
            };
          };
        }
      ];
      outbounds = [
        { type = "direct"; tag = "direct"; }
        { type = "block"; tag = "block"; }
      ];
    };
  };

  systemd.services.sing-box.preStart = let 
    file = "/etc/sing-box/config.json";
  in ''
    users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
    ${pkgs.jq}/bin/jq --arg users "$users" \
      '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
      ${file} > ${file}.tmp
    mv ${file}.tmp ${file}
  '';

  networking.firewall.allowedTCPPorts = [ 443 ];
}
refactor: avoid importing libs 2024-11-23 16:37:34 +03:00			`{ config, pkgs, ... }:`
chore: madohomu initial 2024-06-07 11:34:06 +03:00
refactor: avoid importing libs 2024-11-23 16:37:34 +03:00			`{`
			`desu.secrets.arumi-singbox-pk = {};`
			`desu.secrets.arumi-singbox-sid = {};`
			`desu.secrets.arumi-singbox-users = {};`
chore: madohomu initial 2024-06-07 11:34:06 +03:00
			`services.sing-box = {`
			`enable = true;`
			`settings = {`
			`log = { level = "info"; timestamp = true; };`
			`inbounds = [`
			`{`
			`type = "vless";`
			`tag = "vless-in";`
			`listen = "::";`
			`listen_port = 443;`
			`sniff = true;`
			`sniff_override_destination = true;`
			`domain_strategy = "ipv4_only";`
			`users = []; # populated later in the preStart script`
			`tls = let server = "updates.cdn-apple.com"; in {`
			`enabled = true;`
			`server_name = server;`
			`reality = {`
			`enabled = true;`
			`handshake = { inherit server; server_port = 443; };`
refactor: avoid importing libs 2024-11-23 16:37:34 +03:00			`private_key._secret = config.desu.secrets.arumi-singbox-pk.path;`
chore: madohomu initial 2024-06-07 11:34:06 +03:00			`short_id = [`
refactor: avoid importing libs 2024-11-23 16:37:34 +03:00			`{ _secret = config.desu.secrets.arumi-singbox-sid.path; }`
chore: madohomu initial 2024-06-07 11:34:06 +03:00			`];`
			`};`
			`};`
			`}`
			`];`
			`outbounds = [`
			`{ type = "direct"; tag = "direct"; }`
			`{ type = "block"; tag = "block"; }`
			`];`
			`};`
			`};`

			`systemd.services.sing-box.preStart = let`
			`file = "/etc/sing-box/config.json";`
			`in ''`
refactor: avoid importing libs 2024-11-23 16:37:34 +03:00			`users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})`
chore: madohomu initial 2024-06-07 11:34:06 +03:00			`${pkgs.jq}/bin/jq --arg users "$users" \`
			`'.inbounds[0].users = ($users \| fromjson \| map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \`
			`${file} > ${file}.tmp`
			`mv ${file}.tmp ${file}`
			`'';`

			`networking.firewall.allowedTCPPorts = [ 443 ];`
			`}`