···

       
109
       
109
       
 
       
- The non-LTS Forgejo package (`forgejo`) has been updated to 12.0.0. This release contains breaking changes, see the [release blog post](https://forgejo.org/2025-07-release-v12-0/)

     

       
110
       
110
       
 
       
  for all the details and how to ensure smooth upgrades.

     

       
111
       
111
       
 
       


     

       
112
       
112
       
+
       
- `sing-box` has been updated to 1.12.3, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.

     

       
113
       
113
       
+
       
  See the [change log](https://sing-box.sagernet.org/changelog/#1123) for details and [migration](https://sing-box.sagernet.org/migration/#1120) for how to update old configurations.

     

       
114
       
114
       
+
       


     

       
112
       
115
       
 
       
- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).

     

       
113
       
116
       
 
       


     

       
114
       
117
       
 
       
- The `zigbee2mqtt` package was updated to version 2.x, which contains breaking changes. See the [discussion](https://github.com/Koenkk/zigbee2mqtt/discussions/24198) for further information.

     

···

       
12
       
12
       
 
       
{

     

       
13
       
13
       
 
       


     

       
14
       
14
       
 
       
  meta = {

     

       
15
       
15
       
-
       
    maintainers = with lib.maintainers; [ nickcao ];

     

       
15
       
15
       
+
       
    maintainers = with lib.maintainers; [

     

       
16
       
16
       
+
       
      nickcao

     

       
17
       
17
       
+
       
      prince213

     

       
18
       
18
       
+
       
    ];

     

       
16
       
19
       
 
       
  };

     

       
17
       
20
       
 
       


     

       
18
       
21
       
 
       
  options = {

     
···

       
59
       
62
       
 
       
        }

     

       
60
       
63
       
 
       
      ];

     

       
61
       
64
       
 
       


     

       
65
       
65
       
+
       
    # for polkit rules

     

       
66
       
66
       
+
       
    environment.systemPackages = [ cfg.package ];

     

       
67
       
67
       
+
       
    services.dbus.packages = [ cfg.package ];

     

       
62
       
68
       
 
       
    systemd.packages = [ cfg.package ];

     

       
63
       
69
       
 
       


     

       
64
       
70
       
 
       
    systemd.services.sing-box = {

     

       
65
       
65
       
-
       
      preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/run/sing-box/config.json";

     

       
66
       
71
       
 
       
      serviceConfig = {

     

       
72
       
72
       
+
       
        User = "sing-box";

     

       
73
       
73
       
+
       
        Group = "sing-box";

     

       
67
       
74
       
 
       
        StateDirectory = "sing-box";

     

       
68
       
75
       
 
       
        StateDirectoryMode = "0700";

     

       
69
       
76
       
 
       
        RuntimeDirectory = "sing-box";

     

       
70
       
77
       
 
       
        RuntimeDirectoryMode = "0700";

     

       
78
       
78
       
+
       
        ExecStartPre =

     

       
79
       
79
       
+
       
          let

     

       
80
       
80
       
+
       
            script = pkgs.writeShellScript "sing-box-pre-start" ''

     

       
81
       
81
       
+
       
              ${utils.genJqSecretsReplacementSnippet cfg.settings "/run/sing-box/config.json"}

     

       
82
       
82
       
+
       
              chown --reference=/run/sing-box /run/sing-box/config.json

     

       
83
       
83
       
+
       
            '';

     

       
84
       
84
       
+
       
          in

     

       
85
       
85
       
+
       
          "+${script}";

     

       
71
       
86
       
 
       
        ExecStart = [

     

       
72
       
87
       
 
       
          ""

     

       
73
       
88
       
 
       
          "${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"

     
···

       
75
       
90
       
 
       
      };

     

       
76
       
91
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
77
       
92
       
 
       
    };

     

       
93
       
93
       
+
       


     

       
94
       
94
       
+
       
    users = {

     

       
95
       
95
       
+
       
      users.sing-box = {

     

       
96
       
96
       
+
       
        isSystemUser = true;

     

       
97
       
97
       
+
       
        group = "sing-box";

     

       
98
       
98
       
+
       
      };

     

       
99
       
99
       
+
       
      groups.sing-box = { };

     

       
100
       
100
       
+
       
    };

     

       
78
       
101
       
 
       
  };

     

       
79
       
79
       
-
       


     

       
80
       
102
       
 
       
}

     

···

       
111
       
111
       
 
       
  name = "sing-box";

     

       
112
       
112
       
 
       


     

       
113
       
113
       
 
       
  meta = {

     

       
114
       
114
       
-
       
    maintainers = with lib.maintainers; [ nickcao ];

     

       
114
       
114
       
+
       
    maintainers = with lib.maintainers; [

     

       
115
       
115
       
+
       
      nickcao

     

       
116
       
116
       
+
       
      prince213

     

       
117
       
117
       
+
       
    ];

     

       
115
       
118
       
 
       
  };

     

       
116
       
119
       
 
       


     

       
117
       
120
       
 
       
  nodes = {

     
···

       
436
       
439
       
 
       
            dns = {

     

       
437
       
440
       
 
       
              final = "dns:default";

     

       
438
       
441
       
 
       
              independent_cache = true;

     

       
439
       
439
       
-
       
              fakeip = {

     

       
440
       
440
       
-
       
                enabled = true;

     

       
441
       
441
       
-
       
                inet4_range = "198.18.0.0/16";

     

       
442
       
442
       
-
       
              };

     

       
443
       
442
       
 
       
              servers = [

     

       
444
       
443
       
 
       
                {

     

       
445
       
445
       
-
       
                  detour = "outbound:direct";

     

       
444
       
444
       
+
       
                  type = "udp";

     

       
446
       
445
       
 
       
                  tag = "dns:default";

     

       
447
       
447
       
-
       
                  address = hosts."${target_host}";

     

       
446
       
446
       
+
       
                  server = hosts."${target_host}";

     

       
448
       
447
       
 
       
                }

     

       
449
       
448
       
 
       
                {

     

       
449
       
449
       
+
       
                  type = "fakeip";

     

       
450
       
450
       
 
       
                  tag = "dns:fakeip";

     

       
451
       
451
       
-
       
                  address = "fakeip";

     

       
451
       
451
       
+
       
                  inet4_range = "198.18.0.0/16";

     

       
452
       
452
       
 
       
                }

     

       
453
       
453
       
-
       
              ];

     

       
454
       
454
       
-
       
              rules = [

     

       
455
       
453
       
 
       
                {

     

       
456
       
456
       
-
       
                  outbound = [ "any" ];

     

       
457
       
457
       
-
       
                  server = "dns:default";

     

       
454
       
454
       
+
       
                  type = "resolved";

     

       
455
       
455
       
+
       
                  tag = "dns:resolved";

     

       
456
       
456
       
+
       
                  service = "service:resolved";

     

       
457
       
457
       
+
       
                  accept_default_resolvers = true;

     

       
458
       
458
       
 
       
                }

     

       
459
       
459
       
+
       
              ];

     

       
460
       
460
       
+
       
              rules = [

     

       
459
       
461
       
 
       
                {

     

       
460
       
462
       
 
       
                  query_type = [

     

       
461
       
463
       
 
       
                    "A"

     
···

       
479
       
481
       
 
       
              }

     

       
480
       
482
       
 
       
            ];

     

       
481
       
483
       
 
       
            route = {

     

       
484
       
484
       
+
       
              default_domain_resolver = "dns:default";

     

       
482
       
485
       
 
       
              default_interface = "eth1";

     

       
483
       
486
       
 
       
              final = "outbound:direct";

     

       
484
       
487
       
 
       
              rules = [

     
···

       
491
       
494
       
 
       
                }

     

       
492
       
495
       
 
       
              ];

     

       
493
       
496
       
 
       
            };

     

       
497
       
497
       
+
       
            services = [

     

       
498
       
498
       
+
       
              {

     

       
499
       
499
       
+
       
                type = "resolved";

     

       
500
       
500
       
+
       
                tag = "service:resolved";

     

       
501
       
501
       
+
       
              }

     

       
502
       
502
       
+
       
            ];

     

       
494
       
503
       
 
       
          };

     

       
495
       
504
       
 
       
        };

     

       
496
       
505
       
 
       
      };

     

···

       
10
       
10
       
 
       


     

       
11
       
11
       
 
       
buildGoModule (finalAttrs: {

     

       
12
       
12
       
 
       
  pname = "sing-box";

     

       
13
       
13
       
-
       
  version = "1.11.15";

     

       
13
       
13
       
+
       
  version = "1.12.3";

     

       
14
       
14
       
 
       


     

       
15
       
15
       
 
       
  src = fetchFromGitHub {

     

       
16
       
16
       
 
       
    owner = "SagerNet";

     

       
17
       
17
       
 
       
    repo = "sing-box";

     

       
18
       
18
       
 
       
    tag = "v${finalAttrs.version}";

     

       
19
       
19
       
-
       
    hash = "sha256-uqPV3PGk3hFpV1B8+htBG9x58RVWew0sBDUItpxyv8Q=";

     

       
19
       
19
       
+
       
    hash = "sha256-OHhCC+tSDZRSDN9i3L6NtwgarBKHv+KGNyPhHttqo4g=";

     

       
20
       
20
       
 
       
  };

     

       
21
       
21
       
 
       


     

       
22
       
22
       
-
       
  vendorHash = "sha256-qZlnY0MxB4/ttgjuAroTfqGWqGRea549EyIjSxPAlOI=";

     

       
22
       
22
       
+
       
  vendorHash = "sha256-Y/UP2rbee4WSctelk9QddMXciucz5dNLOLDDWtEFfLU=";

     

       
23
       
23
       
 
       


     

       
24
       
24
       
 
       
  tags = [

     

       
25
       
25
       
 
       
    "with_quic"

     

       
26
       
26
       
 
       
    "with_dhcp"

     

       
27
       
27
       
 
       
    "with_wireguard"

     

       
28
       
28
       
-
       
    "with_ech"

     

       
29
       
28
       
 
       
    "with_utls"

     

       
30
       
30
       
-
       
    "with_reality_server"

     

       
31
       
29
       
 
       
    "with_acme"

     

       
32
       
30
       
 
       
    "with_clash_api"

     

       
33
       
31
       
 
       
    "with_gvisor"

     

       
32
       
32
       
+
       
    "with_tailscale"

     

       
34
       
33
       
 
       
  ];

     

       
35
       
34
       
 
       


     

       
36
       
35
       
 
       
  subPackages = [

     
···

       
50
       
49
       
 
       
      --replace-fail "/usr/bin/sing-box" "$out/bin/sing-box" \

     

       
51
       
50
       
 
       
      --replace-fail "/bin/kill" "${coreutils}/bin/kill"

     

       
52
       
51
       
 
       
    install -Dm444 -t "$out/lib/systemd/system/" release/config/sing-box{,@}.service

     

       
52
       
52
       
+
       


     

       
53
       
53
       
+
       
    install -Dm444 release/config/sing-box.rules $out/share/polkit-1/rules.d/sing-box.rules

     

       
54
       
54
       
+
       
    install -Dm444 release/config/sing-box-split-dns.xml $out/share/dbus-1/system.d/sing-box-split-dns.conf

     

       
53
       
55
       
 
       
  '';

     

       
54
       
56
       
 
       


     

       
55
       
57
       
 
       
  passthru = {