From 756d943e6901a28594c4e6dee4e6b70edda1ab82 Mon Sep 17 00:00:00 2001 From: Harry Ying Date: Tue, 17 Sep 2024 18:49:31 +0800 Subject: [PATCH] modularize sing-box --- cfgs/deck/networking.nix | 20 ++----------- cfgs/img-deck/networking.nix | 54 +---------------------------------- cfgs/img-x1c7/networking.nix | 55 ++---------------------------------- cfgs/x1c7/networking.nix | 19 ++----------- flake.nix | 2 ++ modules/sing-box/default.nix | 32 +++++++++++++++++++++ 6 files changed, 43 insertions(+), 139 deletions(-) create mode 100644 modules/sing-box/default.nix diff --git a/cfgs/deck/networking.nix b/cfgs/deck/networking.nix index aa77736..a973ac4 100644 --- a/cfgs/deck/networking.nix +++ b/cfgs/deck/networking.nix @@ -1,6 +1,5 @@ -{ config, lib, pkgs, ... }: { - # An unused nameserver config. - networking.nameservers = [ "127.0.0.1" ]; +{ config, pkgs, ... }: { + networking.resolvconf.useLocalResolver = true; networking.networkmanager = { # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff. @@ -11,13 +10,7 @@ wifi.scanRandMacAddress = true; }; - # sing-box requires IP forwarding - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - # Required by the sing-box TUN mode - networking.firewall.trustedInterfaces = [ "tun0" ]; - networking.firewall.checkReversePath = "loose"; - - services.sing-box = { + my.sing-box = { enable = true; settings = { log = { @@ -73,13 +66,6 @@ }; }; - systemd.services.sing-box.serviceConfig = { - ProtectSystem = true; - ProtectHome = true; - PrivateTmp = true; - RemoveIPC = true; - }; - # Setup our local DNS my.dcompass = { enable = true; diff --git a/cfgs/img-deck/networking.nix b/cfgs/img-deck/networking.nix index 0ef3f20..3aa2cc2 100644 --- a/cfgs/img-deck/networking.nix +++ b/cfgs/img-deck/networking.nix 
@@ -15,58 +15,6 @@ my.dcompass = { enable = true; package = pkgs.dcompass.dcompass-maxmind; - settings = { - cache_size = 1024; - upstreams = { - domestic = { hybrid = [ "feic" "ali" "aliudp" ]; }; - - secure = { hybrid = [ "cloudflare" "quad9" ]; }; - - feic = { udp = { addr = "[240C::6666]:53"; }; }; - - aliudp = { udp = { addr = "223.5.5.6:53"; }; }; - - ali = { tls = { domain = "dns.alidns.com"; max_reuse = 100; reuse_timeout = 5000; addr = "223.6.6.6:853"; }; }; - - cloudflare = { - https = { - timeout = 4; - # addr = "2606:4700:4700::1111"; - addr = "104.16.248.249"; - uri = "https://cloudflare-dns.com/dns-query"; - }; - }; - - quad9 = { - https = { - timeout = 4; - addr = "9.9.9.9"; - uri = "https://dns.quad9.net/dns-query"; - }; - }; - }; - script = ''pub async fn init() { - let domain = Domain::new() - .add_file("${pkgs.chinalist}/google.china.raw.txt")? - .add_file("${pkgs.chinalist}/apple.china.raw.txt")? - .add_file("${pkgs.chinalist}/accelerated-domains.china.raw.txt")?.seal(); - Ok(#{"domain": Utils::Domain(domain)}) - } - - pub async fn route(upstreams, inited, ctx, query) { - // if query.first_question?.qtype == "AAAA" { return blackhole(query); } - - if inited.domain.0.contains(query.first_question?.qname) { - query.push_opt(ClientSubnet::new(u8(15), u8(0), IpAddr::from_str("58.220.0.0")?).to_opt_data())?; - upstreams.send_default("domestic", query).await - } else { - upstreams.send("secure", CacheMode::Persistent, query).await - } - } - ''; - - address = "127.0.0.1:53"; - verbosity = "warn"; - }; + settings = (import ../../misc/dcompass_settings.nix { inherit pkgs; }); }; } diff --git a/cfgs/img-x1c7/networking.nix b/cfgs/img-x1c7/networking.nix index b395fb0..e717acd 100644 --- a/cfgs/img-x1c7/networking.nix +++ b/cfgs/img-x1c7/networking.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: { +{ pkgs, ... }: { # Use local DNS server all the time networking.resolvconf.useLocalResolver = true; 
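Review bot: The replacement line imports `../../misc/dcompass_settings.nix`, but that file is not among the six files this patch touches (nothing is added under misc/), so unless it already exists in the tree from an earlier commit the host configuration stops evaluating; please confirm it is present. The same applies to the identical hunk in cfgs/img-x1c7/networking.nix (@@ -15,57 +15,6). Given the subject is "modularize sing-box", the dcompass deduplication would be clearer as its own commit. The parentheses are redundant in Nix here: `settings = import ../../misc/dcompass_settings.nix { inherit pkgs; };`.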
@@ -15,57 +15,6 @@ my.dcompass = { enable = true; package = pkgs.dcompass.dcompass-maxmind; - settings = { - cache_size = 1024; - upstreams = { - domestic = { hybrid = [ "feic" "ali" "aliudp" ]; }; - - secure = { hybrid = [ "cloudflare" "quad9" ]; }; - - feic = { udp = { addr = "[240C::6666]:53"; }; }; - - aliudp = { udp = { addr = "223.5.5.6:53"; }; }; - - ali = { tls = { domain = "dns.alidns.com"; max_reuse = 100; reuse_timeout = 5000; addr = "223.6.6.6:853"; }; }; - - cloudflare = { - https = { - timeout = 4; - # addr = "2606:4700:4700::1111"; - addr = "104.16.248.249"; - uri = "https://cloudflare-dns.com/dns-query"; - }; - }; - - quad9 = { - https = { - timeout = 4; - addr = "9.9.9.9"; - uri = "https://dns.quad9.net/dns-query"; - }; - }; - }; - script = ''pub async fn init() { - let domain = Domain::new() - .add_file("${pkgs.chinalist}/google.china.raw.txt")? - .add_file("${pkgs.chinalist}/apple.china.raw.txt")? - .add_file("${pkgs.chinalist}/accelerated-domains.china.raw.txt")?.seal(); - Ok(#{"domain": Utils::Domain(domain)}) - } - - pub async fn route(upstreams, inited, ctx, query) { - // if query.first_question?.qtype == "AAAA" { return blackhole(query); } - - if inited.domain.0.contains(query.first_question?.qname) { - query.push_opt(ClientSubnet::new(u8(15), u8(0), IpAddr::from_str("58.220.0.0")?).to_opt_data())?; - upstreams.send_default("domestic", query).await - } else { - upstreams.send("secure", CacheMode::Persistent, query).await - } - } - ''; - address = "127.0.0.1:53"; - verbosity = "warn"; - }; + settings = (import ../../misc/dcompass_settings.nix { inherit pkgs; }); }; } diff --git a/cfgs/x1c7/networking.nix b/cfgs/x1c7/networking.nix index 6e4be1b..1bc3ad8 100644 --- a/cfgs/x1c7/networking.nix +++ b/cfgs/x1c7/networking.nix 
@@ -1,5 +1,5 @@ -{ config, lib, pkgs, ... }: { - networking.nameservers = [ "127.0.0.1" ]; +{ config, pkgs, ... }: { + networking.resolvconf.useLocalResolver = true; networking.networkmanager = { # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff. @@ -13,13 +13,7 @@ }; }; - # sing-box requires IP forwarding - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - # Required by the sing-box TUN mode - networking.firewall.trustedInterfaces = [ "tun0" ]; - networking.firewall.checkReversePath = "loose"; - - services.sing-box = { + my.sing-box = { enable = true; settings = { log = { @@ -77,13 +71,6 @@ }; }; - systemd.services.sing-box.serviceConfig = { - ProtectSystem = true; - ProtectHome = true; - PrivateTmp = true; - RemoveIPC = true; - }; - # Setup our local DNS my.dcompass = { enable = true; diff --git a/flake.nix b/flake.nix index 5d54eaf..e97b4db 100644 --- a/flake.nix +++ b/flake.nix @@ -111,6 +111,7 @@ nixosModules.home nixosModules.gnome-desktop nixosModules.dcompass + nixosModules.sing-box nixosModules.timezone impermanence.nixosModules.impermanence disko.nixosModules.disko @@ -157,6 +158,7 @@ nixosModules.home nixosModules.gnome-desktop nixosModules.dcompass + nixosModules.sing-box nixosModules.timezone disko.nixosModules.disko nixosModules.steamdeck diff --git a/modules/sing-box/default.nix b/modules/sing-box/default.nix new file mode 100644 index 0000000..bad86d5 --- /dev/null +++ b/modules/sing-box/default.nix 
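Review bot: `nixosModules.sing-box` is added to both module lists (@@ -111 and @@ -157), but nothing in this patch defines that attribute; unless `nixosModules` is populated automatically from the modules directory (its definition is outside these hunks), the flake fails to evaluate with an undefined attribute. Worth confirming with `nix flake check` before merging.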
@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+with lib;
+let cfg = config.my.sing-box; in {
+ options.my.sing-box = {
+ enable = mkEnableOption "sing-box module including related systemd and networking setups";
+ settings = mkOption {
+ type = types.unspecified;
+ description = ''
+ Configuration
+ '';
+ };
+ };
+ config = mkIf cfg.enable {
+ # sing-box requires IP forwarding
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ # Required by the sing-box TUN mode
+ networking.firewall.trustedInterfaces = [ "tun0" ];
+ networking.firewall.checkReversePath = "loose";
+
+ services.sing-box = {
+ enable = true;
+ settings = cfg.settings;
+ };
+
+ systemd.services.sing-box.serviceConfig = {
+ ProtectSystem = true;
+ ProtectHome = true;
+ PrivateTmp = true;
+ RemoveIPC = true;
+ };
+ };
+}
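Review bot: `ProtectSystem = true;` in the serviceConfig block is the weakest of the three ProtectSystem levels (it only makes /usr and /boot read-only), and now that this module owns the hardening for every host, `ProtectSystem = "strict";` is the better default, provided the service's writable paths are covered by StateDirectory/RuntimeDirectory — that is set in the nixpkgs sing-box module, outside this patch, so confirm before tightening. `networking.firewall.trustedInterfaces = [ "tun0" ]` hard-codes the interface name, so a TUN inbound whose interface name in `settings` is anything else silently loses the firewall exemption while rp_filter stays loosened; an option defaulting to "tun0" keeps the two in step. The `settings` option is declared as `types.unspecified` with the description `Configuration`, which tells a reader nothing; a description such as `Passed verbatim to services.sing-box.settings; see the sing-box configuration reference for the schema.` would help, and it is worth checking whether the upstream option's type can be reused for evaluation-time validation.
```nix
  options.my.sing-box = {
    # … unchanged: enable, settings …
    tunInterface = mkOption {
      type = types.str;
      default = "tun0";
      description = "Name of the TUN interface sing-box creates; it is exempted from the firewall via trustedInterfaces.";
    };
  };
  config = mkIf cfg.enable {
    # … unchanged: ip_forward sysctl …
    networking.firewall.trustedInterfaces = [ cfg.tunInterface ];
    # … unchanged: checkReversePath, services.sing-box …
    systemd.services.sing-box.serviceConfig = {
      ProtectSystem = "strict";
      # … unchanged: ProtectHome, PrivateTmp, RemoveIPC …
    };
  };
```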