nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos: clash-meta-client: use sops templates

Browse source
This commit is contained in:
Guanran Wang 2023-12-25 15:23:54 +08:00
parent 738c806307
commit 09d875d9aa
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
6 changed files with 188 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nixos/hosts/Aristotle/default.nix
View file

@ -10,7 +10,7 @@
# User # User
../../../users/guanranwang/nixos/profiles/core ../../../users/guanranwang/nixos/profiles/core
../../../users/guanranwang/nixos/profiles/device-type/laptop ../../../users/guanranwang/nixos/profiles/device-type/laptop
../../../users/guanranwang/nixos/profiles/opt-in/clash-meta-client.nix ../../../users/guanranwang/nixos/profiles/opt-in/clash-meta-client
../../../users/guanranwang/nixos/profiles/opt-in/gaming ../../../users/guanranwang/nixos/profiles/opt-in/gaming
../../../users/guanranwang/nixos/profiles/opt-in/torrenting ../../../users/guanranwang/nixos/profiles/opt-in/torrenting

4
nixos/modules/services/clash.nix
View file

@ -47,8 +47,8 @@ in {
# https://man.archlinux.org/man/systemd.exec.5 # https://man.archlinux.org/man/systemd.exec.5
ConfigurationDirectory = "clash"; ConfigurationDirectory = "clash";
User = [config.users.users."clash".name]; User = config.users.users."clash".name;
Group = [config.users.groups."clash".name]; Group = config.users.groups."clash".name;
ExecStart = builtins.replaceStrings ["\n"] [" "] '' ExecStart = builtins.replaceStrings ["\n"] [" "] ''
${lib.getExe cfg.package} ${lib.getExe cfg.package}
-d /etc/clash -d /etc/clash

34
users/guanranwang/nixos/profiles/opt-in/clash-meta-client.nix
View file

@ -1,34 +0,0 @@
{
pkgs,
config,
inputs,
...
}: {
services.clash = {
enable = true;
package = pkgs.clash-meta;
configFile = config.sops.secrets."clash-config".path;
webui = inputs.self.packages.${pkgs.system}.metacubexd;
};
### sops-nix
sops.secrets."clash-config" = {
owner = config.users.users."clash".name;
group = config.users.groups."clash".name;
restartUnits = ["clash.service"];
};
### System proxy settings
networking.proxy.default = "http://127.0.0.1:7890/";
### Local Clash WebUI
# You can also use the following website, just in case:
# - metacubexd:
# - GH Pages Custom Domain: http://d.metacubex.one
# - GH Pages: https://metacubex.github.io/metacubexd
# - Cloudflare Pages: https://metacubexd.pages.dev
# - yacd (Yet Another Clash Dashboard):
# - https://yacd.haishan.me
# - clash-dashboard (buggy):
# - https://clash.razord.top
}

115
users/guanranwang/nixos/profiles/opt-in/clash-meta-client/config.yaml Normal file
View file

@ -0,0 +1,115 @@
######### 锚点 start #######
# 策略组相关
pr: &pr { type: select, proxies: [ 默认, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点, 自动选择, DIRECT, ], }
# 这里是订阅更新和延迟测试相关的
p: &p { type: http, interval: 3600, health-check: { enable: true, url: https://www.gstatic.com/generate_204, interval: 300, }, }
######### 锚点 end #######
allow-lan: true
port: 7890
unified-delay: false
tcp-concurrent: true
external-controller: 127.0.0.1:9090
log-level: warning
geodata-mode: true
geox-url:
geoip: "https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat"
geosite: "https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat"
mmdb: "https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country-lite.mmdb"
find-process-mode: strict
global-client-fingerprint: chrome
profile:
store-selected: true
store-fake-ip: true
sniffer:
enable: true
sniff:
HTTP:
ports: [80, 8080-8880]
override-destination: true
TLS:
ports: [443, 8443]
#QUIC:
# ports: [443, 8443]
skip-domain:
- "Mijia Cloud"
dns:
enable: true
listen: :1053
ipv6: true
enhanced-mode: fake-ip
fake-ip-filter:
- "*"
- "+.lan"
- "+.local"
nameserver:
- https://doh.pub/dns-query
- https://dns.alidns.com/dns-query
proxy-server-nameserver:
- https://doh.pub/dns-query
nameserver-policy:
"geosite:private":
- https://doh.pub/dns-query
- https://dns.alidns.com/dns-query
"geosite:geolocation-!cn":
- "https://dns.cloudflare.com/dns-query#dns"
- "https://dns.google/dns-query#dns"
proxy-groups:
- { name: 默认, type: select, proxies: [自动选择, DIRECT, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点], }
- { name: dns, type: select, proxies: [自动选择, 默认, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点], }
- { name: Google, <<: *pr }
- { name: Telegram, <<: *pr }
- { name: Twitter, <<: *pr }
- { name: Pixiv, <<: *pr }
- { name: ehentai, <<: *pr }
- { name: 哔哩哔哩, <<: *pr }
- { name: 哔哩东南亚, <<: *pr }
- { name: 巴哈姆特, <<: *pr }
- { name: YouTube, <<: *pr }
- { name: NETFLIX, <<: *pr }
- { name: Spotify, <<: *pr }
- { name: Github, <<: *pr }
- { name: 国内, type: select, proxies: [ DIRECT, 默认, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点, 自动选择, ], }
- { name: 其他, <<: *pr }
# 分隔,下面是地区分组
- { name: 香港, <<: *use, filter: "(?i)港|hk|hongkong|hong kong" }
- { name: 台湾, <<: *use, filter: "(?i)台|tw|taiwan" }
- { name: 日本, <<: *use, filter: "(?i)日本|jp|japan" }
- { name: 美国, <<: *use, filter: "(?i)美|us|unitedstates|united states" }
- { name: 新加坡, <<: *use, filter: "(?i)(新|sg|singapore)" }
- { name: 其它地区, <<: *use, filter: "(?i)^(?!.*(?:🇭🇰|🇯🇵|🇺🇸|🇸🇬|🇨🇳|港|hk|hongkong|台|tw|taiwan|日|jp|japan|新|sg|singapore|美|us|unitedstates)).*", }
- { name: 全部节点, <<: *use }
- { name: 自动选择, <<: *use, tolerance: 2, type: url-test }
rules:
- GEOIP,lan,直连,no-resolve
- GEOSITE,biliintl,哔哩东南亚
- GEOSITE,ehentai,ehentai
- GEOSITE,github,Github
- GEOSITE,twitter,Twitter
- GEOSITE,youtube,YouTube
- GEOSITE,google,Google
- GEOSITE,telegram,Telegram
- GEOSITE,netflix,NETFLIX
- GEOSITE,bilibili,哔哩哔哩
- GEOSITE,bahamut,巴哈姆特
- GEOSITE,spotify,Spotify
- GEOSITE,pixiv,Pixiv
- GEOSITE,geolocation-!cn,其他
- GEOIP,google,Google
- GEOIP,netflix,NETFLIX
- GEOIP,telegram,Telegram
- GEOIP,twitter,Twitter
- GEOSITE,CN,国内
- GEOIP,CN,国内
- MATCH,其他

63
users/guanranwang/nixos/profiles/opt-in/clash-meta-client/default.nix Normal file
View file

@ -0,0 +1,63 @@
{
pkgs,
config,
inputs,
...
}: {
services.clash = {
enable = true;
package = pkgs.clash-meta;
configFile = config.sops.templates."clash.yaml".path;
webui = inputs.self.packages.${pkgs.system}.metacubexd;
};
### sops-nix
sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["clash.service"];}) {
"clash/proxy-providers/efcloud" = {};
"clash/proxy-providers/spcloud" = {};
"clash/proxy-providers/pawdroid" = {};
};
# TODO: Using example config
# https://wiki.metacubex.one/example/conf/
# MetaCubeX/Meta-Docs doesnt look reliable through commit messages, no fetchers was used
sops.templates."clash.yaml" = {
owner = config.systemd.services."clash".serviceConfig.User;
group = config.systemd.services."clash".serviceConfig.Group;
content =
''
use: &use
type: select
use:
- efcloud
- spcloud
#- pawdroid
proxy-providers:
efcloud:
<<: *p
url: "${config.sops.placeholder."clash/proxy-providers/efcloud"}"
spcloud:
<<: *p
url: "${config.sops.placeholder."clash/proxy-providers/spcloud"}"
#pawdroid:
# <<: *p
# url: "${config.sops.placeholder."clash/proxy-providers/pawdroid"}"
''
+ builtins.readFile ./config.yaml;
};
### System proxy settings
networking.proxy.default = "http://127.0.0.1:7890/";
### Local Clash WebUI
# You can also use the following website, just in case:
# - metacubexd:
# - GH Pages Custom Domain: http://d.metacubex.one
# - GH Pages: https://metacubex.github.io/metacubexd
# - Cloudflare Pages: https://metacubexd.pages.dev
# - yacd (Yet Another Clash Dashboard):
# - https://yacd.haishan.me
# - clash-dashboard (buggy):
# - https://clash.razord.top
}

10
users/guanranwang/secrets.yaml
View file

File diff suppressed because one or more lines are too long