diff --git a/hosts/koi/services/coredns.nix b/hosts/koi/services/coredns.nix
index b25f39e..dbc75cf 100644
--- a/hosts/koi/services/coredns.nix
+++ b/hosts/koi/services/coredns.nix
@@ -81,5 +81,6 @@ in
 shell = pkgs.shadow;
 };
+ networking.firewall.allowedTCPPorts = [ 53 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
 }
diff --git a/hosts/koi/services/sing-box.nix b/hosts/koi/services/sing-box.nix
index e42a605..d0e852f 100644
--- a/hosts/koi/services/sing-box.nix
+++ b/hosts/koi/services/sing-box.nix
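Review bot: The added `networking.firewall.allowedTCPPorts = [ 53 ];` opens DNS on every interface, not only the LAN this resolver is meant to serve; the sing-box DNS block removed in this same diff only ever reached CoreDNS at 127.0.0.1, so the wider exposure looks new rather than pre-existing. If the host has an externally reachable interface, consider scoping both rules, e.g. `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 53 ];` with `<lan-iface>` standing for the LAN interface name (same for the UDP rule), so CoreDNS cannot be reached as an open resolver from outside. Keeping TCP/53 next to UDP/53 is otherwise right, since truncated and large answers fall back to TCP. The enclosing module attribute set starts outside the hunk.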
@@ -20,88 +20,18 @@ in {
 enable = true;
 settings = {
 log.level = "warning";
- dns = {
- rules = [
- {
- outbound = [ "any" ];
- server = "dns-coredns";
- }
- {
- # suffixes specific to our coredns configuration
- # we don't want to expose them in the proxy
- domain_suffix = [
- ".docker"
- ".containers"
- ];
- server = "dns-block";
- }
- {
- rule_set = "adblock";
- server = "dns-block";
- }
- {
- query_type = [ "A" "AAAA" ];
- server = "dns-fakeip";
- }
- ];
- servers = [
- {
- # upstream dns
- address = "127.0.0.1";
- tag = "dns-coredns";
- detour = "direct";
- }
- { tag = "dns-fakeip"; address = "fakeip"; }
- {
- tag = "dns-block";
- address = "rcode://success";
- }
- ];
-
- fakeip = {
- enabled = true;
- inet4_range = "10.224.0.0/11";
- inet6_range = "fd3e:dead:dead::/48";
- };
- # important for fakeip to work, otherwise cache from upstream gets mixed up with fakeip cache
- independent_cache = true;
- };
 inbounds = [
- {
- tag = "dns-in";
- type = "direct";
- listen = "0.0.0.0";
- listen_port = 5353;
- }
 {
 tag = "mixed-in";
 type = "mixed";
 listen = "0.0.0.0";
 listen_port = 7890;
 }
- {
- tag = "personal-in";
- type = "mixed";
- listen = "127.0.0.1";
- listen_port = 7891;
- }
- {
- # sing-box doesn't properly support udp over socks, so we use
- # xkeen on router side with a minimal config to connect to this
- # sing-box instance via plain ss, and all further routing/proxying is done here.
- tag = "router-in";
- type = "shadowsocks";
- listen = "0.0.0.0";
- listen_port = 7899;
- method = "none";
- password = "";
- }
 ];
 outbounds = [
 { tag = "direct"; type = "direct"; }
- { tag = "dns-out"; type = "dns"; }
 {
 tag = "xtls-madoka";
 type = "vless";
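Review bot: The only inbound left after this hunk, `mixed-in`, still binds `0.0.0.0` on port 7890 with no `users` list, so any host that can reach that port (it stays open in the firewall in the next hunk) gets an unauthenticated SOCKS/HTTP proxy that, given `route.final = "final"` in the next hunk, presumably exits through the VLESS outbounds. Either bind it to the LAN address instead of `0.0.0.0` or add `users = [ { username = "<user>"; password = "<password>"; } ];` (placeholders), both of which sing-box's mixed inbound supports, and ideally scope the 7890 firewall rule to the LAN interface as well. Dropping the `dns` block also removes `independent_cache` and fakeip, so sing-box now falls back to its default DNS handling for proxied connections; if that is intended, a one-line comment next to `settings = {` saying DNS is now left entirely to CoreDNS would help the next reader. The `settings` attribute set begins before this hunk and continues into the following one.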
@@ -165,93 +95,19 @@ in {
 uuid._secret = secrets.file config "vless-sakura-uuid";
 }
 {
- tag = "personal-proxy";
+ tag = "final";
 type = "urltest";
 outbounds = [
- "xtls-madoka"
- "xtls-homura"
- ];
- }
- {
- tag = "final";
- type = "selector";
- outbounds = [
- "xtls-madoka"
- "xtls-homura"
 "xtls-sakura"
- "direct"
+ "xtls-madoka"
+ "xtls-homura"
 ];
- default = "xtls-sakura";
 }
 ];
- route = {
- final = "final";
- rules = [
- {
- inbound = [ "dns-in" ];
- outbound = "dns-out";
- }
- {
- inbound = [ "personal-in" ];
- outbound = "personal-proxy";
- }
- {
- # bypass proxy for...
- domain = [
- # most of these can be removed once we update to 1.9.0 (https://sing-box.sagernet.org/migration/#domain_suffix-behavior-update)
- "soundcloud.com"
- "youtube.com"
- "yandex-team.ru"
- "gosuslugi.ru"
- "mos.ru"
- "antizapret.prostovpn.org"
- ];
- domain_suffix = [
- ".soundcloud.com" # russian ips don't have ads
- ".youtube.com" # russian ips don't have ads
- ".yandex.net"
- ".yandex-team.ru"
- ".vk.com"
- ".gosuslugi.ru"
- ".mos.ru"
- ".stupid.fish"
- ];
- domain_keyword = [
- ".aki-game.net" # wuthering waves
- ".aki-game.com" # wuthering waves
- ];
- inbound = [ "router-in" ]; # if we are connected via some other inbound, we want to proxy everything.
- outbound = "direct";
- }
- ];
-
- rule_set = [
- {
- tag = "adblock";
- format = "binary";
-
- type = "remote";
- url = "https://adrules.top/adrules-singbox.srs";
- }
- ];
- };
-
- experimental = {
- cache_file = {
- enabled = true;
- store_fakeip = true;
- };
-
- clash_api = {
- # no secret because it's only available for nat so who cares
- external_controller = "0.0.0.0:7900";
- external_ui = "dashboard";
- };
- };
+ route.final = "final";
 };
 };
- networking.firewall.allowedTCPPorts = [ 5353 7890 7899 7900 ];
- networking.firewall.allowedUDPPorts = [ 5353 7899 ];
+ networking.firewall.allowedTCPPorts = [ 7890 ];
 }
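Review bot: The rebuilt `final` urltest outbound no longer lists `direct`, while the removed selector did and defaulted to `xtls-sakura`; with `route.final = "final"` and every route rule gone, nothing can bypass the VLESS outbounds any more, and what happens when all three probes fail is left to urltest's own behaviour (presumably the last healthy one is kept, but that is not stated here). A short comment on the `final` outbound recording that the missing direct fallback is deliberate would stop the next reader from re-adding it, e.g. `# every connection goes through the lowest-latency VLESS outbound on purpose: no direct fallback`. The urltest outbound also sets no `url`, `interval` or `tolerance`, so sing-box's defaults apply; if the probe target or check interval matters for this host, set them explicitly rather than relying on the defaults. The `outbounds` list this hunk edits starts before the hunk.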