From c6c9929a090aa8022045514e09ecafd57a954c27 Mon Sep 17 00:00:00 2001
From: azahi
Date: Thu, 10 Oct 2024 03:33:47 +0300
Subject: 2024-10-10
---
 modules/sing-box.nix | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 modules/sing-box.nix
(limited to 'modules/sing-box.nix')
diff --git a/modules/sing-box.nix b/modules/sing-box.nix
new file mode 100644
index 0000000..9fc86eb
--- /dev/null
+++ b/modules/sing-box.nix
@@ -0,0 +1,82 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.sing-box;
+in
+{
+ options.nixfiles.modules.sing-box = {
+ enable = mkEnableOption "";
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.enable -> !config.nixfiles.modules.nginx.enable;
+ message = "VLESS requires binding to 443";
+ }
+ ];
+
+ secrets = {
+ sing-box-shadowsocks-password.file = "${inputs.self}/secrets/sing-box-shadowsocks-password";
+ sing-box-shadowsocks-users.file = "${inputs.self}/secrets/sing-box-shadowsocks-users";
+ sing-box-vless-tls.file = "${inputs.self}/secrets/sing-box-vless-tls";
+ sing-box-vless-users.file = "${inputs.self}/secrets/sing-box-vless-users";
+ };
+
+ services.sing-box = {
+ enable = true;
+ settings = {
+ log = {
+ level = "warn";
+ timestamp = false;
+ };
+ inbounds = [
+ {
+ tag = "shadowsocks";
+ type = "shadowsocks";
+ listen = "::";
+ listen_port = 21515;
+ method = "2022-blake3-aes-128-gcm";
+ password = {
+ _secret = config.secrets.sing-box-shadowsocks-password.path;
+ quote = true;
+ };
+ users = {
+ _secret = config.secrets.sing-box-shadowsocks-users.path;
+ quote = false;
+ };
+ multiplex.enabled = true;
+ }
+ {
+ tag = "vless";
+ type = "vless";
+ listen = "::";
+ listen_port = 443;
+ users = {
+ _secret = config.secrets.sing-box-vless-users.path;
+ quote = false;
+ };
+ tls = {
+ _secret = config.secrets.sing-box-vless-tls.path;
+ quote = false;
+ };
+ }
+ ];
+ outbounds = [
+ {
+ type = "direct";
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = map (
+ a: a.listen_port
+ ) config.services.sing-box.settings.inbounds;
+ };
+}
-- cgit 1.4.1
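Review bot: The firewall rule at the end of the module only opens `allowedTCPPorts` for every inbound, while the shadowsocks inbound on 21515 sets no `network` and so, as far as I recall sing-box's defaults, will also bind UDP that the firewall then drops; either make the intent explicit with `network = "tcp";` on that inbound or mirror the rule with `networking.firewall.allowedUDPPorts = map (a: a.listen_port) config.services.sing-box.settings.inbounds;`. Exposing only what is deliberately served keeps the listening surface and the firewall in agreement, and the explicit form documents the decision for the next reader. The assertion's `cfg.enable ->` is redundant inside `mkIf cfg.enable` and can be shortened to `assertion = !config.nixfiles.modules.nginx.enable;`. `mkEnableOption ""` leaves the option undocumented; something like `mkEnableOption "the sing-box proxy server (shadowsocks and VLESS inbounds)"` would surface in generated option docs.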