teidesu/nixfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore(arumi): friendship ended with sing-box, now xray is my new best friend

Browse source
This commit is contained in:
alina 🌸 2025-01-06 02:52:25 +03:00
parent 327f2452c5
commit e3e1964ffa
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
2 changed files with 51 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

86
hosts/arumi/services/sing-box.nix
View file

@ -1,53 +1,69 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
desu.secrets.arumi-singbox-pk = {}; desu.secrets.arumi-singbox-pk.owner = "xray";
desu.secrets.arumi-singbox-sid = {}; desu.secrets.arumi-singbox-sid.owner = "xray";
desu.secrets.arumi-singbox-users = {}; desu.secrets.arumi-singbox-users.owner = "xray";
services.sing-box = { users.users.xray = {
isNormalUser = true;
uid = 1102;
};
services.xray = {
enable = true; enable = true;
settings = { settingsFile = "/etc/xray/config.json";
};
systemd.tmpfiles.rules = [
"d /etc/xray 0700 1102 1102 -"
];
systemd.services.xray.serviceConfig = {
DynamicUser = lib.mkForce false;
User = "xray";
};
systemd.services.xray.preStart = let
file = "/etc/xray/config.json";
template = pkgs.writeText "config.json" (builtins.toJSON {
log = { level = "info"; timestamp = true; }; log = { level = "info"; timestamp = true; };
inbounds = [ inbounds = [
{ {
type = "vless"; port = 443;
tag = "vless-in"; protocol = "vless";
listen = "::"; settings = {
listen_port = 443; decryption = "none";
sniff = true; clients = []; # populated later in the preStart script
sniff_override_destination = true; };
domain_strategy = "ipv4_only"; streamSettings = {
users = []; # populated later in the preStart script network = "tcp";
tls = let server = "updates.cdn-apple.com"; in { security = "reality";
enabled = true; realitySettings = {
server_name = server; alpn = [ "h2" ];
reality = { target = "updates.cdn-apple.com:443";
enabled = true; serverNames = [ "updates.cdn-apple.com" ];
handshake = { inherit server; server_port = 443; }; privateKey = ""; # populated later in the preStart script
private_key._secret = config.desu.secrets.arumi-singbox-pk.path; shortIds = []; # populated later in the preStart script
short_id = [
{ _secret = config.desu.secrets.arumi-singbox-sid.path; }
];
}; };
}; };
sniffing = {
enabled = true;
destOverride = [ "tls" "http" "quic" ];
routeOnly = true;
};
} }
]; ];
outbounds = [ outbounds = [
{ type = "direct"; tag = "direct"; } { protocol = "freedom"; tag = "direct"; }
{ type = "block"; tag = "block"; }
]; ];
}; });
};
systemd.services.sing-box.preStart = let
file = "/etc/sing-box/config.json";
in '' in ''
users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path}) users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
${pkgs.jq}/bin/jq --arg users "$users" \ pk=$(cat ${config.desu.secrets.arumi-singbox-pk.path})
'.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \ sid=$(cat ${config.desu.secrets.arumi-singbox-sid.path})
${file} > ${file}.tmp ${pkgs.jq}/bin/jq --arg users "$users" --arg pk "$pk" --arg sid "$sid" \
mv ${file}.tmp ${file} '.inbounds[0].settings.clients = ($users | fromjson | map({ "id": ., "flow": "xtls-rprx-vision" }))
| .inbounds[0].streamSettings.realitySettings.privateKey = $pk
| .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file}
''; '';
networking.firewall.allowedTCPPorts = [ 443 ]; networking.firewall.allowedTCPPorts = [ 443 ];

BIN
secrets/arumi-singbox-users.age
View file

Binary file not shown.