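# NixOS module: runs xray as a fixed (non-dynamic) user and renders its
# config.json at service start from three secrets (client list, REALITY
# private key, short id) provided by the desu.secrets options.
{ config, lib, pkgs, ... }:

let
  # Single source of truth for values that previously appeared several times.
  xrayUid = 1102;
  configDir = "/etc/xray";
  configFile = "${configDir}/config.json";
in
{
  # The secrets must be readable by the service account that renders the config.
  desu.secrets.arumi-singbox-pk.owner = "xray";
  desu.secrets.arumi-singbox-sid.owner = "xray";
  desu.secrets.arumi-singbox-users.owner = "xray";

  # Fixed uid so the tmpfiles rule below and the secret ownership line up.
  # NOTE(review): isNormalUser also gives the account a home directory and a
  # login shell; a system account (isSystemUser with an explicit group) would be
  # the tighter fit for a daemon, kept as-is to avoid changing the uid/group layout.
  users.users.xray = {
    isNormalUser = true;
    uid = xrayUid;
  };

  services.xray = {
    enable = true;
    settingsFile = configFile;
  };

  # Private config directory: the rendered config contains the REALITY private
  # key and the client ids, so nobody but the service user may read it.
  systemd.tmpfiles.rules = [
    "d ${configDir} 0700 ${toString xrayUid} ${toString xrayUid} -"
  ];

  # The upstream module uses DynamicUser; that is forced off here because the
  # secrets and the config directory are owned by a fixed uid.
  systemd.services.xray.serviceConfig = {
    DynamicUser = lib.mkForce false;
    User = "xray";
  };

  systemd.services.xray.preStart =
    let
      # Static part of the config; the secret-bearing fields are left empty
      # and filled in by the jq invocation below.
      template = pkgs.writeText "config.json" (builtins.toJSON {
        log = {
          level = "info";
          timestamp = true;
        };
        inbounds = [
          {
            port = 443;
            protocol = "vless";
            settings = {
              decryption = "none";
              clients = []; # populated later in the preStart script
            };
            streamSettings = {
              network = "tcp";
              security = "reality";
              realitySettings = {
                alpn = [ "h2" ];
                target = "updates.cdn-apple.com:443";
                serverNames = [ "updates.cdn-apple.com" ];
                privateKey = ""; # populated later in the preStart script
                shortIds = []; # populated later in the preStart script
              };
            };
            sniffing = {
              enabled = true;
              destOverride = [ "tls" "http" "quic" ];
              routeOnly = true;
            };
          }
        ];
        outbounds = [
          {
            protocol = "freedom";
            tag = "direct";
          }
        ];
      });
    in
    ''
      users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
      pk=$(cat ${config.desu.secrets.arumi-singbox-pk.path})
      sid=$(cat ${config.desu.secrets.arumi-singbox-sid.path})

      # Render into a private (0600) temp file in the target directory and
      # rename it into place, so a failed jq run never leaves a truncated or
      # empty config behind for the service to start with.
      tmp=$(mktemp ${configFile}.XXXXXX)

      # Secrets reach jq through its environment ($ENV) instead of --arg:
      # argv is visible to every local user via /proc/PID/cmdline, the
      # environment is not.
      users="$users" pk="$pk" sid="$sid" ${pkgs.jq}/bin/jq \
        '.inbounds[0].settings.clients = ($ENV.users | fromjson | map({ "id": ., "flow": "xtls-rprx-vision" }))
         | .inbounds[0].streamSettings.realitySettings.privateKey = $ENV.pk
         | .inbounds[0].streamSettings.realitySettings.shortIds = [$ENV.sid]' \
        ${template} > "$tmp"
      mv -f "$tmp" ${configFile}
    '';

  networking.firewall.allowedTCPPorts = [ 443 ];
}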