flake/nixos/profiles/sing-box-server/default.nix

{ lib, config, ... }:
let
  inherit (config.networking) fqdn;
in
{
  sops.secrets."sing-box/auth" = {
    restartUnits = [ "sing-box.service" ];
    sopsFile = ./secrets.yaml;
  };

  networking.firewall.allowedTCPPorts = [ 27253 ];

  services.sing-box = {
    enable = true;
    settings = {
      log = {
        level = "info";
      };

      inbounds = [
        {
          type = "vless";
          tag = "inbound";
          listen = "0.0.0.0";
          listen_port = 27253;
          users = {
            _secret = config.sops.secrets."sing-box/auth".path;
            quote = false;
          };
          tls = {
            enabled = true;
            server_name = fqdn;
            certificate_path = "/run/credentials/sing-box.service/cert";
            key_path = "/run/credentials/sing-box.service/key";
          };
        }
      ];

      outbounds = lib.singleton {
        type = "direct";
        tag = "direct";
      };

      route = {
        final = "direct";
      };
    };
  };

  systemd.services."sing-box".serviceConfig.LoadCredential =
    let
      # FIXME: remove somewhat hardcoded path
      path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory";
    in
    [
      "cert:${path}/${fqdn}/${fqdn}.crt"
      "key:${path}/${fqdn}/${fqdn}.key"
    ];
}
treewide: use lib.singleton 2024-08-29 18:17:30 +00:00			`{ lib, config, ... }:`
sin0: add sing-box 2024-09-21 20:19:03 +00:00			`let`
			`inherit (config.networking) fqdn;`
			`in`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00			`{`
sin0: add sing-box 2024-09-21 20:19:03 +00:00			`sops.secrets."sing-box/auth" = {`
			`restartUnits = [ "sing-box.service" ];`
			`sopsFile = ./secrets.yaml;`
			`};`

treewide: use nixfmt --strict flag 2024-09-20 17:38:01 +00:00			`networking.firewall.allowedTCPPorts = [ 27253 ];`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00
			`services.sing-box = {`
			`enable = true;`
			`settings = {`
			`log = {`
			`level = "info";`
			`};`

			`inbounds = [`
			`{`
			`type = "vless";`
			`tag = "inbound";`
			`listen = "0.0.0.0";`
			`listen_port = 27253;`
			`users = {`
tyo0/sing-box: use sops path directly 2024-09-06 13:20:24 +00:00			`_secret = config.sops.secrets."sing-box/auth".path;`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00			`quote = false;`
			`};`
			`tls = {`
			`enabled = true;`
sin0: add sing-box 2024-09-21 20:19:03 +00:00			`server_name = fqdn;`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00			`certificate_path = "/run/credentials/sing-box.service/cert";`
			`key_path = "/run/credentials/sing-box.service/key";`
			`};`
			`}`
			`];`

treewide: use lib.singleton 2024-08-29 18:17:30 +00:00			`outbounds = lib.singleton {`
			`type = "direct";`
			`tag = "direct";`
			`};`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00
			`route = {`
			`final = "direct";`
			`};`
			`};`
			`};`

			`systemd.services."sing-box".serviceConfig.LoadCredential =`
			`let`
sin0: add sing-box 2024-09-21 20:19:03 +00:00			`# FIXME: remove somewhat hardcoded path`
			`path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory";`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00			`in`
			`[`
sin0: add sing-box 2024-09-21 20:19:03 +00:00			`"cert:${path}/${fqdn}/${fqdn}.crt"`
			`"key:${path}/${fqdn}/${fqdn}.key"`
nixos: hysteria2 -> vless 2024-08-27 21:02:01 +00:00			`];`
			`}`