From e3e1964ffa48f129a8f2ffcbbcb87df09e6de687 Mon Sep 17 00:00:00 2001 From: teidesu Date: Mon, 6 Jan 2025 02:52:25 +0300 Subject: [PATCH] chore(arumi): friendship ended with sing-box, now xray is my new best friend
--- hosts/arumi/services/sing-box.nix | 86 ++++++++++++++++++------------ secrets/arumi-singbox-users.age | Bin 405 -> 453 bytes 2 files changed, 51 insertions(+), 35 deletions(-)
diff --git a/hosts/arumi/services/sing-box.nix b/hosts/arumi/services/sing-box.nix
index 38d0744..a965fc1 100644
--- a/hosts/arumi/services/sing-box.nix
+++ b/hosts/arumi/services/sing-box.nix
@@ -1,53 +1,69 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: { - desu.secrets.arumi-singbox-pk = {}; - desu.secrets.arumi-singbox-sid = {}; - desu.secrets.arumi-singbox-users = {}; + desu.secrets.arumi-singbox-pk.owner = "xray"; + desu.secrets.arumi-singbox-sid.owner = "xray"; + desu.secrets.arumi-singbox-users.owner = "xray"; - services.sing-box = { + users.users.xray = { + isNormalUser = true; + uid = 1102; + }; + + services.xray = { enable = true; - settings = { + settingsFile = "/etc/xray/config.json"; + }; + + systemd.tmpfiles.rules = [ + "d /etc/xray 0700 1102 1102 -" + ]; + systemd.services.xray.serviceConfig = { + DynamicUser = lib.mkForce false; + User = "xray"; + }; + systemd.services.xray.preStart = let + file = "/etc/xray/config.json"; + template = pkgs.writeText "config.json" (builtins.toJSON { log = { level = "info"; timestamp = true; }; inbounds = [ { - type = "vless"; - tag = "vless-in"; - listen = "::"; - listen_port = 443; - sniff = true; - sniff_override_destination = true; - domain_strategy = "ipv4_only"; - users = []; # populated later in the preStart script - tls = let server = "updates.cdn-apple.com"; in { - enabled = true; - server_name = server; - reality = { - enabled = true; - handshake = { inherit server; server_port = 443; }; - private_key._secret = config.desu.secrets.arumi-singbox-pk.path; - short_id = [ - { _secret = config.desu.secrets.arumi-singbox-sid.path; } - ]; + port = 443; + protocol = "vless"; + settings = { + decryption = "none"; + clients = []; # populated later in the preStart script + }; + streamSettings = { + network = "tcp"; + security = "reality"; + realitySettings = { + alpn = [ "h2" ]; + target = "updates.cdn-apple.com:443"; + serverNames = [ "updates.cdn-apple.com" ]; + privateKey = ""; # populated later in the preStart script + shortIds = []; # populated later in the preStart script }; }; + sniffing = { + enabled = true; + destOverride = [ "tls" "http" "quic" ]; + routeOnly = true; + }; } ]; outbounds = 
[ - { type = "direct"; tag = "direct"; } - { type = "block"; tag = "block"; } + { protocol = "freedom"; tag = "direct"; } ]; - }; - }; - - systemd.services.sing-box.preStart = let - file = "/etc/sing-box/config.json"; + }); in '' users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path}) - ${pkgs.jq}/bin/jq --arg users "$users" \ - '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \ - ${file} > ${file}.tmp - mv ${file}.tmp ${file} + pk=$(cat ${config.desu.secrets.arumi-singbox-pk.path}) + sid=$(cat ${config.desu.secrets.arumi-singbox-sid.path}) + ${pkgs.jq}/bin/jq --arg users "$users" --arg pk "$pk" --arg sid "$sid" \ + '.inbounds[0].settings.clients = ($users | fromjson | map({ "id": ., "flow": "xtls-rprx-vision" })) + | .inbounds[0].streamSettings.realitySettings.privateKey = $pk + | .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file} ''; networking.firewall.allowedTCPPorts = [ 443 ]; diff --git a/secrets/arumi-singbox-users.age b/secrets/arumi-singbox-users.age index 34fc6ec8e78023700512208291aa2771f8bb12ad..2c0ac0b712cd279bf6e39282dcbf7625acbc8675 100644 GIT binary patch delta 419 zcmV;U0bKr-1H}W7EPqNhN_9ADS8{P#Nn%M%ZbM2|ReEh#S87*zZ#Q;rYDH2|ax`N$ za!E&LI0{dCcQth@cT-0*Ic-Hvb$D=OFEw{DHD@?YOl5gPNm5BTgEz#j}&ha5kqPFJukz) z1Hl1_oMS#RUL>+h$m^4ULf0Ez4#3EA%)l$o_zXD;!M;BB=t8Hk-3Yeyse6LVCDT@EE NlLV8l{<(<>EZ$-)zN7#E delta 370 zcmV-&0ge8}1C;}iEPpRJY-ch?WM@%idM{aHW>#!CP)u`GLSB1QFn1T zK{-`IMG9hgWKU61M{s9OXfIPSbWdY-L3K)5O>a_gS8X+RWjRZ6c5p;FT5W1bSqd#J zEg&*SK{hX8ad2`qGB0OZd2&Q-D@jmnNl!L6H%m}(ayLwCcYkL~V|7(gY%~fCzo_$4 z$xA)5D+S}M3;?wgUv}-BF`@*XNURivB;XFH7iu)~o9ll1E-2wZ_pYKd-l1bfH6{<= zEi4VnF{wqe^bCFWRNbIdQ8dYK^Xb6C=CWgU_+9qeftX_hEe)b>r3U14SK2RqF5&99 zOBF3R}^={Rj8{m7Kses=?EYXTOWOA+XRveZJ8Yhs6Dw09Bc z?LZbimM@obXg5hl;@P0asPM-`i#INnsuGcCtUf69q5NDlBYl3LCP27p3
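Review bot: The reality private key and short id are now handed to jq as command-line arguments (`pk=$(cat …)`, `sid=$(cat …)`, then `--arg pk "$pk" --arg sid "$sid"`) in the new preStart, which exposes both in the process argument list (readable by any local user via `ps` or `/proc/<pid>/cmdline`) for as long as jq runs, whereas the old script only passed the user list that way. jq can read the secret files itself with `--rawfile` (jq ≥ 1.6), so the two `cat` lines can go and the filter can take the values from the files directly; `--rawfile` keeps the trailing newline that `$(cat …)` strips, so the filter should apply `rtrimstr("\n")` before inserting them. The same consideration applies, to a lesser degree, to `--arg users "$users"`, since the client ids are the inbound's credentials. Separately, `users.users.xray` is declared with `isNormalUser = true`, which gives a service account a home directory and login shell and, unless a group with gid 1102 is defined elsewhere, no group matching the `1102` gid in the tmpfiles rule; `isSystemUser = true; group = "xray";` with `users.groups.xray = {}` would match the intent more closely. The enclosing attribute set closes outside the hunk.
```nix
  systemd.services.xray.preStart = let
    # … unchanged: file and template definitions …
  in ''
    users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
    ${pkgs.jq}/bin/jq --arg users "$users" \
      --rawfile pk ${config.desu.secrets.arumi-singbox-pk.path} \
      --rawfile sid ${config.desu.secrets.arumi-singbox-sid.path} \
      '.inbounds[0].settings.clients = ($users | fromjson | map({ "id": ., "flow": "xtls-rprx-vision" }))
      | .inbounds[0].streamSettings.realitySettings.privateKey = ($pk | rtrimstr("\n"))
      | .inbounds[0].streamSettings.realitySettings.shortIds = [($sid | rtrimstr("\n"))]' ${template} > ${file}
  '';
```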