2024-08-29 18:17:30 +00:00
|
|
|
{ lib, config, ... }:
|
2024-08-27 21:02:01 +00:00
|
|
|
{
|
2024-09-20 17:38:01 +00:00
|
|
|
networking.firewall.allowedTCPPorts = [ 27253 ];
|
2024-08-27 21:02:01 +00:00
|
|
|
|
|
|
|
services.sing-box = {
|
|
|
|
enable = true;
|
|
|
|
settings = {
|
|
|
|
log = {
|
|
|
|
level = "info";
|
|
|
|
};
|
|
|
|
|
|
|
|
inbounds = [
|
|
|
|
{
|
|
|
|
type = "vless";
|
|
|
|
tag = "inbound";
|
|
|
|
listen = "0.0.0.0";
|
|
|
|
listen_port = 27253;
|
|
|
|
users = {
|
2024-09-06 13:20:24 +00:00
|
|
|
_secret = config.sops.secrets."sing-box/auth".path;
|
2024-08-27 21:02:01 +00:00
|
|
|
quote = false;
|
|
|
|
};
|
|
|
|
tls = {
|
|
|
|
enabled = true;
|
|
|
|
server_name = "tyo0.ny4.dev";
|
|
|
|
certificate_path = "/run/credentials/sing-box.service/cert";
|
|
|
|
key_path = "/run/credentials/sing-box.service/key";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
|
2024-08-29 18:17:30 +00:00
|
|
|
outbounds = lib.singleton {
|
|
|
|
type = "direct";
|
|
|
|
tag = "direct";
|
|
|
|
};
|
2024-08-27 21:02:01 +00:00
|
|
|
|
|
|
|
route = {
|
|
|
|
final = "direct";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.services."sing-box".serviceConfig.LoadCredential =
|
|
|
|
let
|
|
|
|
# FIXME: remove hardcoded path
|
|
|
|
path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
|
|
|
|
in
|
|
|
|
[
|
|
|
|
"cert:${path}/tyo0.ny4.dev.crt"
|
|
|
|
"key:${path}/tyo0.ny4.dev.key"
|
|
|
|
];
|
|
|
|
}
|