flake/hosts/tyo0/services/sing-box.nix

{ lib, config, ... }:
{
  networking.firewall.allowedTCPPorts = [
    27253
  ];

  services.sing-box = {
    enable = true;
    settings = {
      log = {
        level = "info";
      };

      inbounds = [
        {
          type = "vless";
          tag = "inbound";
          listen = "0.0.0.0";
          listen_port = 27253;
          users = {
            _secret = config.sops.secrets."sing-box/auth".path;
            quote = false;
          };
          tls = {
            enabled = true;
            server_name = "tyo0.ny4.dev";
            certificate_path = "/run/credentials/sing-box.service/cert";
            key_path = "/run/credentials/sing-box.service/key";
          };
        }
      ];

      outbounds = lib.singleton {
        type = "direct";
        tag = "direct";
      };

      route = {
        final = "direct";
      };
    };
  };

  systemd.services."sing-box".serviceConfig.LoadCredential =
    let
      # FIXME: remove hardcoded path
      path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
    in
    [
      "cert:${path}/tyo0.ny4.dev.crt"
      "key:${path}/tyo0.ny4.dev.key"
    ];
}
treewide: use lib.singleton 2024-08-29 18:17:30 +00:00			`{ lib, config, ... }:`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00			`{`
			`networking.firewall.allowedTCPPorts = [`
			`27253`
			`];`

			`services.sing-box = {`
			`enable = true;`
			`settings = {`
			`log = {`
			`level = "info";`
			`};`

			`inbounds = [`
			`{`
			`type = "vless";`
			`tag = "inbound";`
			`listen = "0.0.0.0";`
			`listen_port = 27253;`
			`users = {`
tyo0/sing-box: use sops path directly 2024-09-06 13:20:24 +00:00			`_secret = config.sops.secrets."sing-box/auth".path;`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00			`quote = false;`
			`};`
			`tls = {`
			`enabled = true;`
			`server_name = "tyo0.ny4.dev";`
			`certificate_path = "/run/credentials/sing-box.service/cert";`
			`key_path = "/run/credentials/sing-box.service/key";`
			`};`
			`}`
			`];`

treewide: use lib.singleton 2024-08-29 18:17:30 +00:00			`outbounds = lib.singleton {`
			`type = "direct";`
			`tag = "direct";`
			`};`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00
			`route = {`
			`final = "direct";`
			`};`
			`};`
			`};`

			`systemd.services."sing-box".serviceConfig.LoadCredential =`
			`let`
			`# FIXME: remove hardcoded path`
			`path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";`
			`in`
			`[`
			`"cert:${path}/tyo0.ny4.dev.crt"`
			`"key:${path}/tyo0.ny4.dev.key"`
			`];`
			`}`