flake/nixos/modules/services/clash.nix

{
  lib,
  config,
  pkgs,
  ...
}: let
  cfg = config.services.clash;
in {
  options.services.clash = {
    enable = lib.mkEnableOption "Whether to enable Clash, A rule-based proxy in Go.";
    package = lib.mkPackageOption pkgs "clash" {};
    configFile = lib.mkOption {
      default = null;
      type = lib.types.nullOr lib.types.path;
      description = "Configuration file to use.";
    };
    webui = lib.mkOption {
      default = null;
      type = lib.types.nullOr lib.types.path;
      description = ''
        Local web interface to use.

        You can also use the following website, just in case:
        - metacubexd:
          - http://d.metacubex.one
          - https://metacubex.github.io/metacubexd
          - https://metacubexd.pages.dev
        - yacd:
          - https://yacd.haishan.me
        - clash-dashboard (buggy):
          - https://clash.razord.top
      '';
    };
    extraOpts = lib.mkOption {
      default = null;
      type = lib.types.nullOr lib.types.str;
      description = "Extra command line options to use.";
    };
  };

  config = lib.mkIf cfg.enable {
    ### systemd service
    systemd.services."clash" = {
      description = "Clash daemon, A rule-based proxy in Go.";
      documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"];
      after = ["network-online.target"];
      wantedBy = ["multi-user.target"];
      serviceConfig = {
        ExecStart = builtins.concatStringsSep " " [
          (lib.getExe cfg.package)
          "-d /var/lib/private/clash"
          (lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/configuration")
          (lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
          (lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
        ];

        DynamicUser = true;
        StateDirectory = "clash";
        LoadCredential = "configuration:${cfg.configFile}";

        ### Hardening
        CapabilityBoundingSet = "";
        DeviceAllow = "";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RestrictNamespaces = true;
        RestrictAddressFamilies = "AF_INET AF_INET6";
        SystemCallArchitectures = "native";
        SystemCallFilter = "@system-service bpf";
        UMask = "0077";
      };
    };
  };
}
nixos/clash: init 2023-12-21 03:59:19 +00:00			`{`
			`lib,`
			`config,`
			`pkgs,`
			`...`
			`}: let`
			`cfg = config.services.clash;`
			`in {`
			`options.services.clash = {`
nixos/clash: add option descriptions 2023-12-31 12:22:48 +00:00			`enable = lib.mkEnableOption "Whether to enable Clash, A rule-based proxy in Go.";`
nixos/clash: init 2023-12-21 03:59:19 +00:00			`package = lib.mkPackageOption pkgs "clash" {};`
nixos/clash: add option descriptions 2023-12-31 12:22:48 +00:00			`configFile = lib.mkOption {`
nixos/clash: utilize command line opts 2023-12-25 02:58:41 +00:00			`default = null;`
			`type = lib.types.nullOr lib.types.path;`
nixos/clash: add option descriptions 2023-12-31 12:22:48 +00:00			`description = "Configuration file to use.";`
nixos/clash: utilize command line opts 2023-12-25 02:58:41 +00:00			`};`
nixos/clash: add option descriptions 2023-12-31 12:22:48 +00:00			`webui = lib.mkOption {`
nixos/clash: utilize command line opts 2023-12-25 02:58:41 +00:00			`default = null;`
			`type = lib.types.nullOr lib.types.path;`
nixos/clash: add option descriptions 2023-12-31 12:22:48 +00:00			`description = ''`
			`Local web interface to use.`

			`You can also use the following website, just in case:`
			`- metacubexd:`
			`- http://d.metacubex.one`
			`- https://metacubex.github.io/metacubexd`
			`- https://metacubexd.pages.dev`
			`- yacd:`
			`- https://yacd.haishan.me`
			`- clash-dashboard (buggy):`
			`- https://clash.razord.top`
			`'';`
nixos/clash: utilize command line opts 2023-12-25 02:58:41 +00:00			`};`
			`extraOpts = lib.mkOption {`
			`default = null;`
{darwin,nixos}/clash: replace types.string with types.str 2024-01-03 15:40:08 +00:00			`type = lib.types.nullOr lib.types.str;`
nixos/clash: add option descriptions 2023-12-31 12:22:48 +00:00			`description = "Extra command line options to use.";`
nixos/clash: utilize command line opts 2023-12-25 02:58:41 +00:00			`};`
nixos/clash: init 2023-12-21 03:59:19 +00:00			`};`

			`config = lib.mkIf cfg.enable {`
			`### systemd service`
			`systemd.services."clash" = {`
nixos/clash: minor adjustments 2023-12-23 08:47:14 +00:00			`description = "Clash daemon, A rule-based proxy in Go.";`
nixos/clash: cleanup 2024-01-02 09:46:36 +00:00			`documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"];`
nixos/clash: init 2023-12-21 03:59:19 +00:00			`after = ["network-online.target"];`
			`wantedBy = ["multi-user.target"];`
			`serviceConfig = {`
nixos/clash: cleanup 2024-01-02 09:46:36 +00:00			`ExecStart = builtins.concatStringsSep " " [`
			`(lib.getExe cfg.package)`
			`"-d /var/lib/private/clash"`
			`(lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/configuration")`
			`(lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")`
			`(lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)`
			`];`

nixos/clash: use systemd DynamicUser 2024-01-02 09:45:55 +00:00			`DynamicUser = true;`
			`StateDirectory = "clash";`
nixos/clash: use systemd LoadCredential 2023-12-26 06:42:06 +00:00			`LoadCredential = "configuration:${cfg.configFile}";`
nixos/clash: minor adjustments 2023-12-23 08:47:14 +00:00
nixos/clash: cleanup 2024-01-02 09:46:36 +00:00			`### Hardening`
nixos/clash: apply more hardening options 2024-01-03 11:21:55 +00:00			`CapabilityBoundingSet = "";`
			`DeviceAllow = "";`
nixos/clash: apply hardening 2023-12-25 06:13:46 +00:00			`LockPersonality = true;`
nixos/clash: apply more hardening options 2024-01-03 11:21:55 +00:00			`MemoryDenyWriteExecute = true;`
			`NoNewPrivileges = true;`
			`PrivateDevices = true;`
			`PrivateMounts = true;`
			`PrivateTmp = true;`
			`PrivateUsers = true;`
			`ProcSubset = "pid";`
nixos/clash: apply hardening 2023-12-25 06:13:46 +00:00			`ProtectClock = true;`
			`ProtectControlGroups = true;`
nixos/clash: apply more hardening options 2024-01-03 11:21:55 +00:00			`ProtectHome = true;`
nixos/clash: apply hardening 2023-12-25 06:13:46 +00:00			`ProtectHostname = true;`
nixos/clash: apply more hardening options 2024-01-03 11:21:55 +00:00			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
nixos/clash: apply hardening 2023-12-25 06:13:46 +00:00			`ProtectKernelTunables = true;`
nixos/clash: apply more hardening options 2024-01-03 11:21:55 +00:00			`ProtectProc = "invisible";`
			`ProtectSystem = "strict";`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`RestrictNamespaces = true;`
			`RestrictAddressFamilies = "AF_INET AF_INET6";`
			`SystemCallArchitectures = "native";`
			`SystemCallFilter = "@system-service bpf";`
			`UMask = "0077";`
nixos/clash: init 2023-12-21 03:59:19 +00:00			`};`
			`};`
			`};`
			`}`