From ddfe7d6d3c6c02434be333b6b10fea8356f0d1bf Mon Sep 17 00:00:00 2001 From: Guanran Wang Date: Thu, 16 Jan 2025 21:01:09 +0800 Subject: [PATCH] nixos/sing-box: use remote dns, cleanup --- hosts/dust/default.nix | 33 +++----------- nixos/profiles/sing-box/default.nix | 69 ++++++++++++++++++++++------- 2 files changed, 59 insertions(+), 43 deletions(-) diff --git a/hosts/dust/default.nix b/hosts/dust/default.nix index e0ee034..879d119 100644 --- a/hosts/dust/default.nix +++ b/hosts/dust/default.nix @@ -253,33 +253,12 @@ }; }; - services.sing-box.settings = { - outbounds = [ - { - type = "selector"; - tag = "select"; - outbounds = [ - "tyo0" - "sin0" - "direct" - ]; - default = "tyo0"; - } - ]; - - route = { - final = "select"; - }; - - experimental = { - clash_api = rec { - external_controller = "127.0.0.1:9090"; - external_ui = pkgs.metacubexd; - secret = "hunter2"; - # https://www.v2ex.com/t/1076579 - access_control_allow_origin = [ "http://${external_controller}" ]; - }; - }; + services.sing-box.settings.experimental.clash_api = rec { + external_controller = "127.0.0.1:9090"; + external_ui = pkgs.metacubexd; + secret = "hunter2"; + # https://www.v2ex.com/t/1076579 + access_control_allow_origin = [ "http://${external_controller}" ]; }; services.restic.backups.persist.exclude = [ "/persist/home/guanranwang/.local/share/Steam" ]; diff --git a/nixos/profiles/sing-box/default.nix b/nixos/profiles/sing-box/default.nix index f2c1e41..1c3bafd 100644 --- a/nixos/profiles/sing-box/default.nix +++ b/nixos/profiles/sing-box/default.nix @@ -5,6 +5,9 @@ nodes, ... }: +let + proxyServers = lib.filterAttrs (_name: value: lib.elem "proxy" value.tags) nodes; +in { services.sing-box = { enable = true; 
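Review bot: The `secret = "hunter2";` literal kept in the rewritten `services.sing-box.settings.experimental.clash_api` block is rendered into the sing-box config file in the Nix store, which is world-readable, so the token that authenticates requests to the Clash API is visible to every local user of `dust`. The profile in `nixos/profiles/sing-box/default.nix` already uses `uuid._secret = config.sops.secrets."sing-box/uuid".path;`, and the same `_secret` indirection the module resolves for `uuid` should work for this field too: `secret._secret = config.sops.secrets."<sops-secret-name>".path;` (the sops secret name is a placeholder to be chosen). The controller is bound to `127.0.0.1:9090`, so exposure is limited to local users, but that is the threat the token exists to address.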
@@ -13,6 +16,33 @@ level = "info"; }; + dns = { + servers = [ + { + tag = "cloudflare"; + address = "https://[2606:4700:4700::1111]/dns-query"; + strategy = "prefer_ipv6"; + } + { + tag = "local"; + address = "local"; + strategy = "prefer_ipv4"; + } + ]; + rules = lib.singleton { + rule_set = [ + "geoip-cn" + "geosite-cn" + "geosite-private" + ]; + # avoid querying proxy server's dns from proxy server + domain = lib.mapAttrsToList (_name: node: node.fqdn) proxyServers; + ip_is_private = true; + server = "local"; + }; + final = "cloudflare"; + }; + inbounds = lib.singleton { type = "http"; tag = "inbound"; @@ -31,28 +61,35 @@ uuid._secret = config.sops.secrets."sing-box/uuid".path; flow = "xtls-rprx-vision"; tls.enabled = true; - }) (lib.filterAttrs (_name: value: lib.elem "proxy" value.tags) nodes) - ++ lib.singleton { - type = "direct"; - tag = "direct"; - }; - - route = { - rules = [ + }) proxyServers + ++ [ { - rule_set = [ - "geoip-cn" - "geosite-cn" + type = "selector"; + tag = "select"; + outbounds = [ + "tyo0" + "sin0" + "direct" ]; - outbound = "direct"; + default = "tyo0"; } { - rule_set = [ "geosite-private" ]; - ip_is_private = true; - outbound = "direct"; + type = "direct"; + tag = "direct"; } ]; + route = { + rules = lib.singleton { + rule_set = [ + "geoip-cn" + "geosite-cn" + "geosite-private" + ]; + ip_is_private = true; + outbound = "direct"; + }; + rule_set = [ { tag = "geoip-cn"; @@ -74,7 +111,7 @@ } ]; - final = lib.mkDefault "tyo0"; + final = "select"; }; }; };
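Review bot: The new `dns.rules` entry (and the merged `route.rules` entry in the `@@ -31,28 +61,35 @@` hunk) folds `rule_set`, `domain` and `ip_is_private` into one rule, whereas the removed route rules kept `ip_is_private` as its own rule; if sing-box ANDs fields of different kinds within a single rule instead of OR-ing them, CN and private-address traffic would silently fall through to `cloudflare` / `select`, so this should be confirmed against the rule-matching semantics of the sing-box version in use, and if it ANDs, `ip_is_private = true;` belongs back in a separate rule. Separately, the only remote resolver is `https://[2606:4700:4700::1111]/dns-query` and `final = "cloudflare"`, so a host whose default outbound has no working IPv6 is left with no DNS at all; listing the same provider's IPv4 endpoint as well, e.g. a second server with `address = "https://1.1.1.1/dns-query";`, would give a fallback. The `cloudflare` server carries no `detour`, so its queries presumably follow the route's `final`; a one-line comment stating that this is intended would save the next reader from guessing.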
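Review bot: The `selector` outbound added in this hunk hard-codes `"tyo0"`, `"sin0"` and `default = "tyo0"` while the proxy outbounds themselves are generated from `proxyServers`, so renaming or removing a node tagged `proxy` leaves the selector referencing a tag that no longer exists and sing-box will reject the config at startup. If the generated outbound tags are the node attribute names (the `mapAttrsToList` lambda starts above this hunk, so that is an assumption to confirm), the member list can be derived instead: `outbounds = lib.attrNames proxyServers ++ [ "direct" ];`, keeping `default` as the explicit preference. The enclosing `services.sing-box.settings` attribute set starts and ends outside this hunk.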