modularize sing-box

cfgs/deck/networking.nix

@@ -1,6 +1,5 @@
-{ config, lib, pkgs, ... }: {
-  # An unused nameserver config.
-  networking.nameservers = [ "127.0.0.1" ];
+{ config, pkgs, ... }: {
+  networking.resolvconf.useLocalResolver = true;
 
   networking.networkmanager = {
     # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
@@ -11,13 +10,7 @@
     wifi.scanRandMacAddress = true;
   };
 
-  # sing-box requires IP forwarding
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  # Required by the sing-box TUN mode
-  networking.firewall.trustedInterfaces = [ "tun0" ];
-  networking.firewall.checkReversePath = "loose";
-
-  services.sing-box = {
+  my.sing-box = {
     enable = true;
     settings = {
       log = {
@@ -73,13 +66,6 @@
     };
   };
 
-  systemd.services.sing-box.serviceConfig = {
-    ProtectSystem = true;
-    ProtectHome = true;
-    PrivateTmp = true;
-    RemoveIPC = true;
-  };
-
   # Setup our local DNS
   my.dcompass = {
     enable = true;

cfgs/img-deck/networking.nix

@@ -15,58 +15,6 @@
   my.dcompass = {
     enable = true;
     package = pkgs.dcompass.dcompass-maxmind;
-    settings = {
-      cache_size = 1024;
-      upstreams = {
-        domestic = { hybrid = [ "feic" "ali" "aliudp" ]; };
-
-        secure = { hybrid = [ "cloudflare" "quad9" ]; };
-
-        feic = { udp = { addr = "[240C::6666]:53"; }; };
-
-        aliudp = { udp = { addr = "223.5.5.6:53"; }; };
-
-        ali = { tls = { domain = "dns.alidns.com"; max_reuse = 100; reuse_timeout = 5000; addr = "223.6.6.6:853"; }; };
-
-        cloudflare = {
-          https = {
-            timeout = 4;
-            # addr = "2606:4700:4700::1111";
-            addr = "104.16.248.249";
-            uri = "https://cloudflare-dns.com/dns-query";
-          };
-        };
-
-        quad9 = {
-          https = {
-            timeout = 4;
-            addr = "9.9.9.9";
-            uri = "https://dns.quad9.net/dns-query";
-          };
-        };
-      };
-      script = ''pub async fn init() {
-                   let domain = Domain::new()
-                                  .add_file("${pkgs.chinalist}/google.china.raw.txt")?
-                                  .add_file("${pkgs.chinalist}/apple.china.raw.txt")?
-                                  .add_file("${pkgs.chinalist}/accelerated-domains.china.raw.txt")?.seal();
-                   Ok(#{"domain": Utils::Domain(domain)})
-                 }
-
-                 pub async fn route(upstreams, inited, ctx, query) {
-                   // if query.first_question?.qtype == "AAAA" { return blackhole(query); }
-
-                   if inited.domain.0.contains(query.first_question?.qname) {
-                     query.push_opt(ClientSubnet::new(u8(15), u8(0), IpAddr::from_str("58.220.0.0")?).to_opt_data())?;
-                     upstreams.send_default("domestic", query).await
-                   } else {
-                     upstreams.send("secure", CacheMode::Persistent, query).await
-                   }
-                 }
-              '';
-
-      address = "127.0.0.1:53";
-      verbosity = "warn";
-    };
+    settings = (import ../../misc/dcompass_settings.nix { inherit pkgs; });
   };
 }

cfgs/img-x1c7/networking.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: {
+{ pkgs, ... }: {
   # Use local DNS server all the time
   networking.resolvconf.useLocalResolver = true;
 
@@ -15,57 +15,6 @@
   my.dcompass = {
     enable = true;
     package = pkgs.dcompass.dcompass-maxmind;
-    settings = {
-      cache_size = 1024;
-      upstreams = {
-        domestic = { hybrid = [ "feic" "ali" "aliudp" ]; };
-
-        secure = { hybrid = [ "cloudflare" "quad9" ]; };
-
-        feic = { udp = { addr = "[240C::6666]:53"; }; };
-
-        aliudp = { udp = { addr = "223.5.5.6:53"; }; };
-
-        ali = { tls = { domain = "dns.alidns.com"; max_reuse = 100; reuse_timeout = 5000; addr = "223.6.6.6:853"; }; };
-
-        cloudflare = {
-          https = {
-            timeout = 4;
-            # addr = "2606:4700:4700::1111";
-            addr = "104.16.248.249";
-            uri = "https://cloudflare-dns.com/dns-query";
-          };
-        };
-
-        quad9 = {
-          https = {
-            timeout = 4;
-            addr = "9.9.9.9";
-            uri = "https://dns.quad9.net/dns-query";
-          };
-        };
-      };
-      script = ''pub async fn init() {
-                   let domain = Domain::new()
-                                  .add_file("${pkgs.chinalist}/google.china.raw.txt")?
-                                  .add_file("${pkgs.chinalist}/apple.china.raw.txt")?
-                                  .add_file("${pkgs.chinalist}/accelerated-domains.china.raw.txt")?.seal();
-                   Ok(#{"domain": Utils::Domain(domain)})
-                 }
-
-                 pub async fn route(upstreams, inited, ctx, query) {
-                   // if query.first_question?.qtype == "AAAA" { return blackhole(query); }
-
-                   if inited.domain.0.contains(query.first_question?.qname) {
-                     query.push_opt(ClientSubnet::new(u8(15), u8(0), IpAddr::from_str("58.220.0.0")?).to_opt_data())?;
-                     upstreams.send_default("domestic", query).await
-                   } else {
-                     upstreams.send("secure", CacheMode::Persistent, query).await
-                   }
-                 }
-              '';
-      address = "127.0.0.1:53";
-      verbosity = "warn";
-    };
+    settings = (import ../../misc/dcompass_settings.nix { inherit pkgs; });
   };
 }

cfgs/x1c7/networking.nix

@@ -1,5 +1,5 @@
-{ config, lib, pkgs, ... }: {
-  networking.nameservers = [ "127.0.0.1" ];
+{ config, pkgs, ... }: {
+  networking.resolvconf.useLocalResolver = true;
 
   networking.networkmanager = {
     # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
@@ -13,13 +13,7 @@
     };
   };
 
-  # sing-box requires IP forwarding
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  # Required by the sing-box TUN mode
-  networking.firewall.trustedInterfaces = [ "tun0" ];
-  networking.firewall.checkReversePath = "loose";
-
-  services.sing-box = {
+  my.sing-box = {
     enable = true;
     settings = {
       log = {
@@ -77,13 +71,6 @@
     };
   };
 
-  systemd.services.sing-box.serviceConfig = {
-    ProtectSystem = true;
-    ProtectHome = true;
-    PrivateTmp = true;
-    RemoveIPC = true;
-  };
-
   # Setup our local DNS
   my.dcompass = {
     enable = true;

flake.nix

@@ -111,6 +111,7 @@
           nixosModules.home
           nixosModules.gnome-desktop
           nixosModules.dcompass
+          nixosModules.sing-box
           nixosModules.timezone
           impermanence.nixosModules.impermanence
           disko.nixosModules.disko
@@ -157,6 +158,7 @@
           nixosModules.home
           nixosModules.gnome-desktop
           nixosModules.dcompass
+          nixosModules.sing-box
           nixosModules.timezone
           disko.nixosModules.disko
           nixosModules.steamdeck

modules/sing-box/default.nix

@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+with lib;
+let cfg = config.my.sing-box; in {
+  options.my.sing-box = {
+    enable = mkEnableOption "sing-box module including related systemd and networking setups";
+    settings = mkOption {
+      type = types.unspecified;
+      description = ''
+        Configuration
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    # sing-box requires IP forwarding
+    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+    # Required by the sing-box TUN mode
+    networking.firewall.trustedInterfaces = [ "tun0" ];
+    networking.firewall.checkReversePath = "loose";
+
+    services.sing-box = {
+      enable = true;
+      settings = cfg.settings;
+    };
+
+    systemd.services.sing-box.serviceConfig = {
+      ProtectSystem = true;
+      ProtectHome = true;
+      PrivateTmp = true;
+      RemoveIPC = true;
+    };
+  };
+}