sing-box: 1.11.15 -> 1.12.3, nixos/sing-box: add user and group, nixosTests.sing-box: migrate config (#430835)

Author: NickCao

nixos/doc/manual/release-notes/rl-2511.section.md

@@ -109,6 +109,9 @@
 - The non-LTS Forgejo package (`forgejo`) has been updated to 12.0.0. This release contains breaking changes, see the [release blog post](https://forgejo.org/2025-07-release-v12-0/)
   for all the details and how to ensure smooth upgrades.
 
+- `sing-box` has been updated to 1.12.3, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.
+  See the [change log](https://sing-box.sagernet.org/changelog/#1123) for details and [migration](https://sing-box.sagernet.org/migration/#1120) for how to update old configurations.
+
 - The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
 
 - The `zigbee2mqtt` package was updated to version 2.x, which contains breaking changes. See the [discussion](https://github.com/Koenkk/zigbee2mqtt/discussions/24198) for further information.

nixos/modules/services/networking/sing-box.nix

@@ -12,7 +12,10 @@ in
 {
 
   meta = {
-    maintainers = with lib.maintainers; [ nickcao ];
+    maintainers = with lib.maintainers; [
+      nickcao
+      prince213
+    ];
   };
 
   options = {
@@ -59,22 +62,41 @@ in
         }
       ];
 
+    # for polkit rules
+    environment.systemPackages = [ cfg.package ];
+    services.dbus.packages = [ cfg.package ];
     systemd.packages = [ cfg.package ];
 
     systemd.services.sing-box = {
-      preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/run/sing-box/config.json";
       serviceConfig = {
+        User = "sing-box";
+        Group = "sing-box";
         StateDirectory = "sing-box";
         StateDirectoryMode = "0700";
         RuntimeDirectory = "sing-box";
         RuntimeDirectoryMode = "0700";
+        ExecStartPre =
+          let
+            script = pkgs.writeShellScript "sing-box-pre-start" ''
+              ${utils.genJqSecretsReplacementSnippet cfg.settings "/run/sing-box/config.json"}
+              chown --reference=/run/sing-box /run/sing-box/config.json
+            '';
+          in
+          "+${script}";
         ExecStart = [
           ""
           "${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"
         ];
       };
       wantedBy = [ "multi-user.target" ];
     };
-  };
 
+    users = {
+      users.sing-box = {
+        isSystemUser = true;
+        group = "sing-box";
+      };
+      groups.sing-box = { };
+    };
+  };
 }

nixos/tests/sing-box.nix

@@ -111,7 +111,10 @@ in
   name = "sing-box";
 
   meta = {
-    maintainers = with lib.maintainers; [ nickcao ];
+    maintainers = with lib.maintainers; [
+      nickcao
+      prince213
+    ];
   };
 
   nodes = {
@@ -436,26 +439,25 @@ in
             dns = {
               final = "dns:default";
               independent_cache = true;
-              fakeip = {
-                enabled = true;
-                inet4_range = "198.18.0.0/16";
-              };
               servers = [
                 {
-                  detour = "outbound:direct";
+                  type = "udp";
                   tag = "dns:default";
-                  address = hosts."${target_host}";
+                  server = hosts."${target_host}";
                 }
                 {
+                  type = "fakeip";
                   tag = "dns:fakeip";
-                  address = "fakeip";
+                  inet4_range = "198.18.0.0/16";
                 }
-              ];
-              rules = [
                 {
-                  outbound = [ "any" ];
-                  server = "dns:default";
+                  type = "resolved";
+                  tag = "dns:resolved";
+                  service = "service:resolved";
+                  accept_default_resolvers = true;
                 }
+              ];
+              rules = [
                 {
                   query_type = [
                     "A"
@@ -479,6 +481,7 @@ in
               }
             ];
             route = {
+              default_domain_resolver = "dns:default";
               default_interface = "eth1";
               final = "outbound:direct";
               rules = [
@@ -491,6 +494,12 @@ in
                 }
               ];
             };
+            services = [
+              {
+                type = "resolved";
+                tag = "service:resolved";
+              }
+            ];
           };
         };
       };

pkgs/by-name/si/sing-box/package.nix

@@ -10,27 +10,26 @@
 
 buildGoModule (finalAttrs: {
   pname = "sing-box";
-  version = "1.11.15";
+  version = "1.12.3";
 
   src = fetchFromGitHub {
     owner = "SagerNet";
     repo = "sing-box";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-uqPV3PGk3hFpV1B8+htBG9x58RVWew0sBDUItpxyv8Q=";
+    hash = "sha256-OHhCC+tSDZRSDN9i3L6NtwgarBKHv+KGNyPhHttqo4g=";
   };
 
-  vendorHash = "sha256-qZlnY0MxB4/ttgjuAroTfqGWqGRea549EyIjSxPAlOI=";
+  vendorHash = "sha256-Y/UP2rbee4WSctelk9QddMXciucz5dNLOLDDWtEFfLU=";
 
   tags = [
     "with_quic"
     "with_dhcp"
     "with_wireguard"
-    "with_ech"
     "with_utls"
-    "with_reality_server"
     "with_acme"
     "with_clash_api"
     "with_gvisor"
+    "with_tailscale"
   ];
 
   subPackages = [
@@ -50,6 +49,9 @@ buildGoModule (finalAttrs: {
       --replace-fail "/usr/bin/sing-box" "$out/bin/sing-box" \
       --replace-fail "/bin/kill" "${coreutils}/bin/kill"
     install -Dm444 -t "$out/lib/systemd/system/" release/config/sing-box{,@}.service
+
+    install -Dm444 release/config/sing-box.rules $out/share/polkit-1/rules.d/sing-box.rules
+    install -Dm444 release/config/sing-box-split-dns.xml $out/share/dbus-1/system.d/sing-box-split-dns.conf
   '';
 
   passthru = {