diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md
index e899538851379..8a1d6d65a6610 100644
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -103,6 +103,9 @@
- The non-LTS Forgejo package (`forgejo`) has been updated to 12.0.0. This release contains breaking changes, see the [release blog post](https://forgejo.org/2025-07-release-v12-0/) for all the details and how to ensure smooth upgrades.
+- `sing-box` has been updated to 1.12.3, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.
+ See the [change log](https://sing-box.sagernet.org/changelog/#1123) for details and [migration](https://sing-box.sagernet.org/migration/#1120) for how to update old configurations.
+
- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
- The `zigbee2mqtt` package was updated to version 2.x, which contains breaking changes. See the [discussion](https://github.com/Koenkk/zigbee2mqtt/discussions/24198) for further information.
diff --git a/nixos/modules/services/networking/sing-box.nix b/nixos/modules/services/networking/sing-box.nix
index 104c75c8105cc..5910dadd5878a 100644
--- a/nixos/modules/services/networking/sing-box.nix
+++ b/nixos/modules/services/networking/sing-box.nix
@@ -12,7 +12,10 @@ in
{
meta = {
- maintainers = with lib.maintainers; [ nickcao ];
+ maintainers = with lib.maintainers; [
+ nickcao
+ prince213
+ ];
};
options = {
@@ -59,15 +62,27 @@ in
}
];
+ # for polkit rules
+ environment.systemPackages = [ cfg.package ];
+ services.dbus.packages = [ cfg.package ];
systemd.packages = [ cfg.package ];
systemd.services.sing-box = {
- preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/run/sing-box/config.json";
serviceConfig = {
+ User = "sing-box";
+ Group = "sing-box";
StateDirectory = "sing-box";
StateDirectoryMode = "0700";
RuntimeDirectory = "sing-box";
RuntimeDirectoryMode = "0700";
+ ExecStartPre =
+ let
+ script = pkgs.writeShellScript "sing-box-pre-start" ''
+ ${utils.genJqSecretsReplacementSnippet cfg.settings "/run/sing-box/config.json"}
+ chown --reference=/run/sing-box /run/sing-box/config.json
+ '';
+ in
+ "+${script}";
ExecStart = [
""
"${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"
@@ -75,6 +90,13 @@ in
};
wantedBy = [ "multi-user.target" ];
};
- };
+ users = {
+ users.sing-box = {
+ isSystemUser = true;
+ group = "sing-box";
+ };
+ groups.sing-box = { };
+ };
+ };
}
diff --git a/nixos/tests/sing-box.nix b/nixos/tests/sing-box.nix
index 8e48031d1224b..0825684e0bed6 100644
--- a/nixos/tests/sing-box.nix
+++ b/nixos/tests/sing-box.nix
@@ -111,7 +111,10 @@ in
name = "sing-box";
meta = {
- maintainers = with lib.maintainers; [ nickcao ];
+ maintainers = with lib.maintainers; [
+ nickcao
+ prince213
+ ];
};
nodes = {
@@ -436,26 +439,25 @@ in
dns = {
final = "dns:default";
independent_cache = true;
- fakeip = {
- enabled = true;
- inet4_range = "198.18.0.0/16";
- };
servers = [
{
- detour = "outbound:direct";
+ type = "udp";
tag = "dns:default";
- address = hosts."${target_host}";
+ server = hosts."${target_host}";
}
{
+ type = "fakeip";
tag = "dns:fakeip";
- address = "fakeip";
+ inet4_range = "198.18.0.0/16";
}
- ];
- rules = [
{
- outbound = [ "any" ];
- server = "dns:default";
+ type = "resolved";
+ tag = "dns:resolved";
+ service = "service:resolved";
+ accept_default_resolvers = true;
}
+ ];
+ rules = [
{
query_type = [
"A"
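Review bot: The rendered `/run/sing-box/config.json` produced by the `+`-prefixed pre-start keeps whatever mode root's default umask gives it (likely 0644, unless `genJqSecretsReplacementSnippet` sets a mode itself), so the substituted secrets are shielded only by `RuntimeDirectoryMode = "0700"`; tightening the file too is one line, `chmod 0600 /run/sing-box/config.json` after the `chown`, or `umask 077` at the top of the script. The `# for polkit rules` comment should also say what it depends on: as far as I can tell the rules shipped in `cfg.package` are only consulted when `security.polkit.enable` is set, which this module neither enables nor asserts, so the resolved integration would presumably fail with an authorization error on hosts without polkit — `# polkit reads rules from the system path, and only when security.polkit.enable is true` plus an assertion or `mkDefault` would close that gap. Running as the `sing-box` user further means TUN inbounds and privileged ports now rely on whatever capabilities the upstream unit merged via `systemd.packages` grants; that unit is not in this diff, so confirm it carries the needed `AmbientCapabilities`. The enclosing attribute set starts before this hunk and `serviceConfig` continues into the next one.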
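Review bot: The new `dns:resolved` server carries no comment on what the test exercises with it, and nothing visible in this hunk routes a query to it — the `rules` list and the `dns` attribute set both continue past the hunk. A line such as `# 1.12 resolved DNS server backed by the service:resolved service; routed by the rules below` would tell a reader why the fixture grew. `accept_default_resolvers = true` also lets that server use whatever resolvers systemd-resolved reports as default, so noting whether the test relies on that or merely tolerates it makes the fixture easier to trim later.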
@@ -479,6 +481,7 @@ in
}
];
route = {
+ default_domain_resolver = "dns:default";
default_interface = "eth1";
final = "outbound:direct";
rules = [
@@ -491,6 +494,12 @@ in
}
];
};
+ services = [
+ {
+ type = "resolved";
+ tag = "service:resolved";
+ }
+ ];
};
};
};
diff --git a/pkgs/by-name/si/sing-box/package.nix b/pkgs/by-name/si/sing-box/package.nix
index 6f558689e0d53..465ec13501a44 100644
--- a/pkgs/by-name/si/sing-box/package.nix
+++ b/pkgs/by-name/si/sing-box/package.nix
@@ -10,27 +10,26 @@ buildGoModule (finalAttrs: {
pname = "sing-box";
- version = "1.11.15";
+ version = "1.12.3";
src = fetchFromGitHub {
owner = "SagerNet";
repo = "sing-box";
tag = "v${finalAttrs.version}";
- hash = "sha256-uqPV3PGk3hFpV1B8+htBG9x58RVWew0sBDUItpxyv8Q=";
+ hash = "sha256-OHhCC+tSDZRSDN9i3L6NtwgarBKHv+KGNyPhHttqo4g=";
};
- vendorHash = "sha256-qZlnY0MxB4/ttgjuAroTfqGWqGRea549EyIjSxPAlOI=";
+ vendorHash = "sha256-Y/UP2rbee4WSctelk9QddMXciucz5dNLOLDDWtEFfLU=";
tags = [
"with_quic"
"with_dhcp"
"with_wireguard"
- "with_ech"
"with_utls"
- "with_reality_server"
"with_acme"
"with_clash_api"
"with_gvisor"
+ "with_tailscale"
];
subPackages = [
@@ -50,6 +49,9 @@ buildGoModule (finalAttrs: {
--replace-fail "/usr/bin/sing-box" "$out/bin/sing-box" \
--replace-fail "/bin/kill" "${coreutils}/bin/kill"
install -Dm444 -t "$out/lib/systemd/system/" release/config/sing-box{,@}.service
+
+ install -Dm444 release/config/sing-box.rules $out/share/polkit-1/rules.d/sing-box.rules
+ install -Dm444 release/config/sing-box-split-dns.xml $out/share/dbus-1/system.d/sing-box-split-dns.conf
'';
passthru = {
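Review bot: Dropping `with_ech` and `with_reality_server` from `tags` is explained neither here nor in the release-note entry; presumably 1.12 builds ECH and the Reality server in unconditionally, but if it does not, users of those features lose them silently on this bump. A comment above the list, `# with_ech and with_reality_server are built in since 1.12 — TODO confirm against the upstream changelog`, would stop someone re-adding them and record the check. Adding `with_tailscale` unconditionally also pulls the Tailscale dependency tree into the vendored build and the shipped binary for every user; exposing it as an overridable argument (e.g. `withTailscale ? true`) would let deployments that never use that endpoint keep the closure and attack surface smaller.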
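Review bot: The two new `install` lines ship a polkit rule and a system D-Bus policy that take effect on any host that installs the package (the module adds it to `environment.systemPackages` and `services.dbus.packages`), yet the contents of neither file are visible in this diff. Before merging, check that `release/config/sing-box.rules` limits the granted actions to the service user and to the systemd-resolved actions the split-DNS feature needs, and that `sing-box-split-dns.xml` only grants that user the bus access it requires. A comment naming what each file authorizes, e.g. `# polkit rule + bus policy letting the sing-box service user configure split DNS via systemd-resolved`, would make the intent reviewable; the `.xml`-to-`.conf` rename on install (the extension `/share/dbus-1/system.d/` expects) deserves a word there as well.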