feat: add sing-box nixos module

2025-06-07 17:29:25 +03:00 · 2025-06-07 17:29:25 +03:00 · 0442bf82ad
commit 0442bf82ad
parent 4ce388747c
2 changed files with 85 additions and 0 deletions
--- a/hosts/andromedae/default.nix
+++ b/hosts/andromedae/default.nix
@ -71,6 +71,12 @@ in
    wal_init_zero = "off";
    wal_recycle = "off";
  };
+  ataraxia.vpn.sing-box.enable = true;
+  ataraxia.vpn.sing-box.config = "ataraxia-singbox";
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+  };

  # Mesa from unstable channel
  hardware.graphics.package = pkgs.mesaUnstable;
--- a/modules/nixos/networking/sing-box.nix
+++ b/modules/nixos/networking/sing-box.nix
@ -0,0 +1,79 @@
+{
+  config,
+  lib,
+  pkgs,
+  secretsDir,
+  ...
+}:
+let
+  inherit (lib)
+    mkEnableOption
+    mkPackageOption
+    mkIf
+    mkOption
+    ;
+  inherit (lib.types) str;
+  cfg = config.ataraxia.vpn.sing-box;
+  isNetworkd = config.networking.useNetworkd;
+in
+{
+  options.ataraxia.vpn.sing-box = {
+    enable = mkEnableOption "Enable sing-box proxy service";
+    package = mkPackageOption pkgs "sing-box" { };
+    config = mkOption {
+      type = str;
+      description = "Name of sing-box config in sops secret";
+    };
+    interfaceName = mkOption {
+      type = str;
+      default = "singtun0";
+      description = "Name of sing-box tunnel network interface";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets.${cfg.config} = {
+      sopsFile = secretsDir + /proxy.yaml;
+      restartUnits = [ "sing-box.service" ];
+      mode = "0600";
+    };
+
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.packages = [ cfg.package ];
+
+    systemd.services.sing-box = {
+      preStart = ''
+        umask 0007
+        mkdir -p ''${RUNTIME_DIRECTORY}
+        cp ${config.sops.secrets.${cfg.config}.path} ''${RUNTIME_DIRECTORY}/config.json
+      '';
+      serviceConfig = {
+        StateDirectory = "sing-box";
+        StateDirectoryMode = "0700";
+        RuntimeDirectory = "sing-box";
+        RuntimeDirectoryMode = "0700";
+        ExecStart = [
+          ""
+          "${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"
+        ];
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ];
+
+    systemd.network = {
+      wait-online.ignoredInterfaces = [ cfg.interfaceName ];
+      networks."50-singbox" = mkIf isNetworkd {
+        matchConfig = {
+          Name = cfg.interfaceName;
+        };
+        linkConfig = {
+          Unmanaged = true;
+          ActivationPolicy = "manual";
+        };
+      };
+    };
+  };
+}