nixos/sing-box: use remote dns, cleanup

2025-01-16 21:01:09 +08:00 · 2025-01-16 21:01:09 +08:00 · ddfe7d6d3c
commit ddfe7d6d3c
parent 6418827894
2 changed files with 59 additions and 43 deletions
--- a/hosts/dust/default.nix
+++ b/hosts/dust/default.nix
@ -253,33 +253,12 @@
    };
  };

-  services.sing-box.settings = {
-    outbounds = [
-      {
-        type = "selector";
-        tag = "select";
-        outbounds = [
-          "tyo0"
-          "sin0"
-          "direct"
-        ];
-        default = "tyo0";
-      }
-    ];
-
-    route = {
-      final = "select";
-    };
-
-    experimental = {
-      clash_api = rec {
-        external_controller = "127.0.0.1:9090";
-        external_ui = pkgs.metacubexd;
-        secret = "hunter2";
-        # https://www.v2ex.com/t/1076579
-        access_control_allow_origin = [ "http://${external_controller}" ];
-      };
-    };
+  services.sing-box.settings.experimental.clash_api = rec {
+    external_controller = "127.0.0.1:9090";
+    external_ui = pkgs.metacubexd;
+    secret = "hunter2";
+    # https://www.v2ex.com/t/1076579
+    access_control_allow_origin = [ "http://${external_controller}" ];
  };

  services.restic.backups.persist.exclude = [ "/persist/home/guanranwang/.local/share/Steam" ];
--- a/nixos/profiles/sing-box/default.nix
+++ b/nixos/profiles/sing-box/default.nix
@ -5,6 +5,9 @@
  nodes,
  ...
 }:
+let
+  proxyServers = lib.filterAttrs (_name: value: lib.elem "proxy" value.tags) nodes;
+in
 {
  services.sing-box = {
    enable = true;
@ -13,6 +16,33 @@
        level = "info";
      };

+      dns = {
+        servers = [
+          {
+            tag = "cloudflare";
+            address = "https://[2606:4700:4700::1111]/dns-query";
+            strategy = "prefer_ipv6";
+          }
+          {
+            tag = "local";
+            address = "local";
+            strategy = "prefer_ipv4";
+          }
+        ];
+        rules = lib.singleton {
+          rule_set = [
+            "geoip-cn"
+            "geosite-cn"
+            "geosite-private"
+          ];
+          # avoid querying proxy server's dns from proxy server
+          domain = lib.mapAttrsToList (_name: node: node.fqdn) proxyServers;
+          ip_is_private = true;
+          server = "local";
+        };
+        final = "cloudflare";
+      };
+
      inbounds = lib.singleton {
        type = "http";
        tag = "inbound";
@ -31,28 +61,35 @@
          uuid._secret = config.sops.secrets."sing-box/uuid".path;
          flow = "xtls-rprx-vision";
          tls.enabled = true;
-        }) (lib.filterAttrs (_name: value: lib.elem "proxy" value.tags) nodes)
-        ++ lib.singleton {
-          type = "direct";
-          tag = "direct";
-        };
-
-      route = {
-        rules = [
+        }) proxyServers
+        ++ [
          {
-            rule_set = [
-              "geoip-cn"
-              "geosite-cn"
+            type = "selector";
+            tag = "select";
+            outbounds = [
+              "tyo0"
+              "sin0"
+              "direct"
            ];
-            outbound = "direct";
+            default = "tyo0";
          }
          {
-            rule_set = [ "geosite-private" ];
-            ip_is_private = true;
-            outbound = "direct";
+            type = "direct";
+            tag = "direct";
          }
        ];

+      route = {
+        rules = lib.singleton {
+          rule_set = [
+            "geoip-cn"
+            "geosite-cn"
+            "geosite-private"
+          ];
+          ip_is_private = true;
+          outbound = "direct";
+        };
+
        rule_set = [
          {
            tag = "geoip-cn";
@ -74,7 +111,7 @@
          }
        ];

-        final = lib.mkDefault "tyo0";
+        final = "select";
      };
    };
  };