teidesu/nixfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore(koi): reworked proxy yet again

Browse source 
decided to move routing to router after all. will get back to handling this in nix once i make the server a router
This commit is contained in:
alina 🌸 2024-06-17 13:52:14 +03:00
parent c1bff9ef74
commit 07dad24175
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
2 changed files with 6 additions and 149 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
hosts/koi/services/coredns.nix
View file

@ -81,5 +81,6 @@ in
shell = pkgs.shadow; shell = pkgs.shadow;
}; };
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ];
} }

154
hosts/koi/services/sing-box.nix
View file

@ -20,88 +20,18 @@ in {
enable = true; enable = true;
settings = { settings = {
log.level = "warning"; log.level = "warning";
dns = {
rules = [
{
outbound = [ "any" ];
server = "dns-coredns";
}
{
# suffixes specific to our coredns configuration
# we don't want to expose them in the proxy
domain_suffix = [
".docker"
".containers"
];
server = "dns-block";
}
{
rule_set = "adblock";
server = "dns-block";
}
{
query_type = [ "A" "AAAA" ];
server = "dns-fakeip";
}
];
servers = [
{
# upstream dns
address = "127.0.0.1";
tag = "dns-coredns";
detour = "direct";
}
{ tag = "dns-fakeip"; address = "fakeip"; }
{
tag = "dns-block";
address = "rcode://success";
}
];
fakeip = {
enabled = true;
inet4_range = "10.224.0.0/11";
inet6_range = "fd3e:dead:dead::/48";
};
# important for fakeip to work, otherwise cache from upstream gets mixed up with fakeip cache
independent_cache = true;
};
inbounds = [ inbounds = [
{
tag = "dns-in";
type = "direct";
listen = "0.0.0.0";
listen_port = 5353;
}
{ {
tag = "mixed-in"; tag = "mixed-in";
type = "mixed"; type = "mixed";
listen = "0.0.0.0"; listen = "0.0.0.0";
listen_port = 7890; listen_port = 7890;
} }
{
tag = "personal-in";
type = "mixed";
listen = "127.0.0.1";
listen_port = 7891;
}
{
# sing-box doesn't properly support udp over socks, so we use
# xkeen on router side with a minimal config to connect to this
# sing-box instance via plain ss, and all further routing/proxying is done here.
tag = "router-in";
type = "shadowsocks";
listen = "0.0.0.0";
listen_port = 7899;
method = "none";
password = "";
}
]; ];
outbounds = [ outbounds = [
{ tag = "direct"; type = "direct"; } { tag = "direct"; type = "direct"; }
{ tag = "dns-out"; type = "dns"; }
{ {
tag = "xtls-madoka"; tag = "xtls-madoka";
type = "vless"; type = "vless";
@ -165,93 +95,19 @@ in {
uuid._secret = secrets.file config "vless-sakura-uuid"; uuid._secret = secrets.file config "vless-sakura-uuid";
} }
{ {
tag = "personal-proxy"; tag = "final";
type = "urltest"; type = "urltest";
outbounds = [ outbounds = [
"xtls-madoka"
"xtls-homura"
];
}
{
tag = "final";
type = "selector";
outbounds = [
"xtls-madoka"
"xtls-homura"
"xtls-sakura" "xtls-sakura"
"direct" "xtls-madoka"
"xtls-homura"
]; ];
default = "xtls-sakura";
} }
]; ];
route = { route.final = "final";
final = "final";
rules = [
{
inbound = [ "dns-in" ];
outbound = "dns-out";
}
{
inbound = [ "personal-in" ];
outbound = "personal-proxy";
}
{
# bypass proxy for...
domain = [
# most of these can be removed once we update to 1.9.0 (https://sing-box.sagernet.org/migration/#domain_suffix-behavior-update)
"soundcloud.com"
"youtube.com"
"yandex-team.ru"
"gosuslugi.ru"
"mos.ru"
"antizapret.prostovpn.org"
];
domain_suffix = [
".soundcloud.com" # russian ips don't have ads
".youtube.com" # russian ips don't have ads
".yandex.net"
".yandex-team.ru"
".vk.com"
".gosuslugi.ru"
".mos.ru"
".stupid.fish"
];
domain_keyword = [
".aki-game.net" # wuthering waves
".aki-game.com" # wuthering waves
];
inbound = [ "router-in" ]; # if we are connected via some other inbound, we want to proxy everything.
outbound = "direct";
}
];
rule_set = [
{
tag = "adblock";
format = "binary";
type = "remote";
url = "https://adrules.top/adrules-singbox.srs";
}
];
};
experimental = {
cache_file = {
enabled = true;
store_fakeip = true;
};
clash_api = {
# no secret because it's only available for nat so who cares
external_controller = "0.0.0.0:7900";
external_ui = "dashboard";
};
};
}; };
}; };
networking.firewall.allowedTCPPorts = [ 5353 7890 7899 7900 ]; networking.firewall.allowedTCPPorts = [ 7890 ];
networking.firewall.allowedUDPPorts = [ 5353 7899 ];
} }