nixfiles/hosts/arumi/services/sing-box.nix

{ config, lib, pkgs, ... }:

{
  desu.secrets.arumi-singbox-pk.owner = "xray";
  desu.secrets.arumi-singbox-sid.owner = "xray";
  desu.secrets.arumi-singbox-users.owner = "xray";

  users.users.xray = {
    isNormalUser = true;
    uid = 1102;
  };

  services.xray = {
    enable = true;
    settingsFile = "/etc/xray/config.json";
  };

  systemd.tmpfiles.rules = [
    "d /etc/xray 0700 1102 1102 -"
  ];
  systemd.services.xray.serviceConfig = {
    DynamicUser = lib.mkForce false;
    User = "xray";
  };
  systemd.services.xray.preStart = let 
    file = "/etc/xray/config.json";
    template = pkgs.writeText "config.json" (builtins.toJSON {
      log = { level = "info"; timestamp = true; };
      inbounds = [
        {
          port = 443;
          protocol = "vless";
          settings = {
            decryption = "none";
            clients = []; # populated later in the preStart script
          };
          streamSettings = {
            network = "tcp";
            security = "reality";
            realitySettings = {
              alpn = [ "h2" ];
              target = "updates.cdn-apple.com:443"; 
              serverNames = [ "updates.cdn-apple.com" ];
              privateKey = ""; # populated later in the preStart script
              shortIds = []; # populated later in the preStart script
            };
          };
          sniffing = {
            enabled = true;
            destOverride = [ "tls" "http" "quic" ];
            routeOnly = true;
          };
        }
      ];
      outbounds = [
        { protocol = "freedom"; tag = "direct"; }
      ];
    });
  in ''
    users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
    pk=$(cat ${config.desu.secrets.arumi-singbox-pk.path})
    sid=$(cat ${config.desu.secrets.arumi-singbox-sid.path})
    ${pkgs.jq}/bin/jq --arg users "$users" --arg pk "$pk" --arg sid "$sid" \
      '.inbounds[0].settings.clients = ($users | fromjson | map({ "id": ., "flow": "xtls-rprx-vision" }))
        | .inbounds[0].streamSettings.realitySettings.privateKey = $pk
        | .inbounds[0].streamSettings.realitySettings.shortIds = [$sid]' ${template} > ${file}
  '';

  networking.firewall.allowedTCPPorts = [ 443 ];
}