nixos: clash-meta-client: use sops templates
parent
738c806307
commit
09d875d9aa
6 changed files with 188 additions and 40 deletions
|
@ -10,7 +10,7 @@
|
||||||
# User
|
# User
|
||||||
../../../users/guanranwang/nixos/profiles/core
|
../../../users/guanranwang/nixos/profiles/core
|
||||||
../../../users/guanranwang/nixos/profiles/device-type/laptop
|
../../../users/guanranwang/nixos/profiles/device-type/laptop
|
||||||
../../../users/guanranwang/nixos/profiles/opt-in/clash-meta-client.nix
|
../../../users/guanranwang/nixos/profiles/opt-in/clash-meta-client
|
||||||
../../../users/guanranwang/nixos/profiles/opt-in/gaming
|
../../../users/guanranwang/nixos/profiles/opt-in/gaming
|
||||||
../../../users/guanranwang/nixos/profiles/opt-in/torrenting
|
../../../users/guanranwang/nixos/profiles/opt-in/torrenting
|
||||||
|
|
||||||
|
|
|
@ -47,8 +47,8 @@ in {
|
||||||
|
|
||||||
# https://man.archlinux.org/man/systemd.exec.5
|
# https://man.archlinux.org/man/systemd.exec.5
|
||||||
ConfigurationDirectory = "clash";
|
ConfigurationDirectory = "clash";
|
||||||
User = [config.users.users."clash".name];
|
User = config.users.users."clash".name;
|
||||||
Group = [config.users.groups."clash".name];
|
Group = config.users.groups."clash".name;
|
||||||
ExecStart = builtins.replaceStrings ["\n"] [" "] ''
|
ExecStart = builtins.replaceStrings ["\n"] [" "] ''
|
||||||
${lib.getExe cfg.package}
|
${lib.getExe cfg.package}
|
||||||
-d /etc/clash
|
-d /etc/clash
|
||||||
|
|
|
@ -1,34 +0,0 @@
|
||||||
{
|
|
||||||
pkgs,
|
|
||||||
config,
|
|
||||||
inputs,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
services.clash = {
|
|
||||||
enable = true;
|
|
||||||
package = pkgs.clash-meta;
|
|
||||||
configFile = config.sops.secrets."clash-config".path;
|
|
||||||
webui = inputs.self.packages.${pkgs.system}.metacubexd;
|
|
||||||
};
|
|
||||||
|
|
||||||
### sops-nix
|
|
||||||
sops.secrets."clash-config" = {
|
|
||||||
owner = config.users.users."clash".name;
|
|
||||||
group = config.users.groups."clash".name;
|
|
||||||
restartUnits = ["clash.service"];
|
|
||||||
};
|
|
||||||
|
|
||||||
### System proxy settings
|
|
||||||
networking.proxy.default = "http://127.0.0.1:7890/";
|
|
||||||
|
|
||||||
### Local Clash WebUI
|
|
||||||
# You can also use the following website, just in case:
|
|
||||||
# - metacubexd:
|
|
||||||
# - GH Pages Custom Domain: http://d.metacubex.one
|
|
||||||
# - GH Pages: https://metacubex.github.io/metacubexd
|
|
||||||
# - Cloudflare Pages: https://metacubexd.pages.dev
|
|
||||||
# - yacd (Yet Another Clash Dashboard):
|
|
||||||
# - https://yacd.haishan.me
|
|
||||||
# - clash-dashboard (buggy):
|
|
||||||
# - https://clash.razord.top
|
|
||||||
}
|
|
|
@ -0,0 +1,115 @@
|
||||||
|
######### 锚点 start #######
|
||||||
|
# 策略组相关
|
||||||
|
pr: &pr { type: select, proxies: [ 默认, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点, 自动选择, DIRECT, ], }
|
||||||
|
|
||||||
|
# 这里是订阅更新和延迟测试相关的
|
||||||
|
p: &p { type: http, interval: 3600, health-check: { enable: true, url: https://www.gstatic.com/generate_204, interval: 300, }, }
|
||||||
|
|
||||||
|
######### 锚点 end #######
|
||||||
|
|
||||||
|
allow-lan: true
|
||||||
|
port: 7890
|
||||||
|
unified-delay: false
|
||||||
|
tcp-concurrent: true
|
||||||
|
external-controller: 127.0.0.1:9090
|
||||||
|
log-level: warning
|
||||||
|
|
||||||
|
geodata-mode: true
|
||||||
|
geox-url:
|
||||||
|
geoip: "https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat"
|
||||||
|
geosite: "https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat"
|
||||||
|
mmdb: "https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country-lite.mmdb"
|
||||||
|
|
||||||
|
find-process-mode: strict
|
||||||
|
global-client-fingerprint: chrome
|
||||||
|
|
||||||
|
profile:
|
||||||
|
store-selected: true
|
||||||
|
store-fake-ip: true
|
||||||
|
|
||||||
|
sniffer:
|
||||||
|
enable: true
|
||||||
|
sniff:
|
||||||
|
HTTP:
|
||||||
|
ports: [80, 8080-8880]
|
||||||
|
override-destination: true
|
||||||
|
TLS:
|
||||||
|
ports: [443, 8443]
|
||||||
|
#QUIC:
|
||||||
|
# ports: [443, 8443]
|
||||||
|
skip-domain:
|
||||||
|
- "Mijia Cloud"
|
||||||
|
|
||||||
|
dns:
|
||||||
|
enable: true
|
||||||
|
listen: :1053
|
||||||
|
ipv6: true
|
||||||
|
enhanced-mode: fake-ip
|
||||||
|
fake-ip-filter:
|
||||||
|
- "*"
|
||||||
|
- "+.lan"
|
||||||
|
- "+.local"
|
||||||
|
nameserver:
|
||||||
|
- https://doh.pub/dns-query
|
||||||
|
- https://dns.alidns.com/dns-query
|
||||||
|
proxy-server-nameserver:
|
||||||
|
- https://doh.pub/dns-query
|
||||||
|
nameserver-policy:
|
||||||
|
"geosite:private":
|
||||||
|
- https://doh.pub/dns-query
|
||||||
|
- https://dns.alidns.com/dns-query
|
||||||
|
"geosite:geolocation-!cn":
|
||||||
|
- "https://dns.cloudflare.com/dns-query#dns"
|
||||||
|
- "https://dns.google/dns-query#dns"
|
||||||
|
|
||||||
|
proxy-groups:
|
||||||
|
- { name: 默认, type: select, proxies: [自动选择, DIRECT, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点], }
|
||||||
|
- { name: dns, type: select, proxies: [自动选择, 默认, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点], }
|
||||||
|
- { name: Google, <<: *pr }
|
||||||
|
- { name: Telegram, <<: *pr }
|
||||||
|
- { name: Twitter, <<: *pr }
|
||||||
|
- { name: Pixiv, <<: *pr }
|
||||||
|
- { name: ehentai, <<: *pr }
|
||||||
|
- { name: 哔哩哔哩, <<: *pr }
|
||||||
|
- { name: 哔哩东南亚, <<: *pr }
|
||||||
|
- { name: 巴哈姆特, <<: *pr }
|
||||||
|
- { name: YouTube, <<: *pr }
|
||||||
|
- { name: NETFLIX, <<: *pr }
|
||||||
|
- { name: Spotify, <<: *pr }
|
||||||
|
- { name: Github, <<: *pr }
|
||||||
|
- { name: 国内, type: select, proxies: [ DIRECT, 默认, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点, 自动选择, ], }
|
||||||
|
- { name: 其他, <<: *pr }
|
||||||
|
|
||||||
|
# 分隔,下面是地区分组
|
||||||
|
- { name: 香港, <<: *use, filter: "(?i)港|hk|hongkong|hong kong" }
|
||||||
|
- { name: 台湾, <<: *use, filter: "(?i)台|tw|taiwan" }
|
||||||
|
- { name: 日本, <<: *use, filter: "(?i)日本|jp|japan" }
|
||||||
|
- { name: 美国, <<: *use, filter: "(?i)美|us|unitedstates|united states" }
|
||||||
|
- { name: 新加坡, <<: *use, filter: "(?i)(新|sg|singapore)" }
|
||||||
|
- { name: 其它地区, <<: *use, filter: "(?i)^(?!.*(?:🇭🇰|🇯🇵|🇺🇸|🇸🇬|🇨🇳|港|hk|hongkong|台|tw|taiwan|日|jp|japan|新|sg|singapore|美|us|unitedstates)).*", }
|
||||||
|
- { name: 全部节点, <<: *use }
|
||||||
|
- { name: 自动选择, <<: *use, tolerance: 2, type: url-test }
|
||||||
|
|
||||||
|
rules:
|
||||||
|
- GEOIP,lan,直连,no-resolve
|
||||||
|
- GEOSITE,biliintl,哔哩东南亚
|
||||||
|
- GEOSITE,ehentai,ehentai
|
||||||
|
- GEOSITE,github,Github
|
||||||
|
- GEOSITE,twitter,Twitter
|
||||||
|
- GEOSITE,youtube,YouTube
|
||||||
|
- GEOSITE,google,Google
|
||||||
|
- GEOSITE,telegram,Telegram
|
||||||
|
- GEOSITE,netflix,NETFLIX
|
||||||
|
- GEOSITE,bilibili,哔哩哔哩
|
||||||
|
- GEOSITE,bahamut,巴哈姆特
|
||||||
|
- GEOSITE,spotify,Spotify
|
||||||
|
- GEOSITE,pixiv,Pixiv
|
||||||
|
- GEOSITE,geolocation-!cn,其他
|
||||||
|
|
||||||
|
- GEOIP,google,Google
|
||||||
|
- GEOIP,netflix,NETFLIX
|
||||||
|
- GEOIP,telegram,Telegram
|
||||||
|
- GEOIP,twitter,Twitter
|
||||||
|
- GEOSITE,CN,国内
|
||||||
|
- GEOIP,CN,国内
|
||||||
|
- MATCH,其他
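Review bot: `allow-lan: true` with `port: 7890` and no `authentication` entry exposes the proxy beyond loopback to the local network unless the host firewall blocks it, and `listen: :1053` under `dns` does the same for the resolver. The only consumer visible in this commit is `networking.proxy.default = "http://127.0.0.1:7890/"`, so `allow-lan: false` and `listen: 127.0.0.1:1053` look sufficient unless other devices are meant to use this host. Separately, the first rule `GEOIP,lan,直连,no-resolve` targets `直连`, but `proxy-groups` in this file defines no group with that name; unless a provider supplies a proxy called `直连`, it should probably read `GEOIP,lan,DIRECT,no-resolve`. `external-controller: 127.0.0.1:9090` also has no `secret`, which leaves the control API usable by any local process.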
|
|
@ -0,0 +1,63 @@
|
||||||
|
{
|
||||||
|
pkgs,
|
||||||
|
config,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
services.clash = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.clash-meta;
|
||||||
|
configFile = config.sops.templates."clash.yaml".path;
|
||||||
|
webui = inputs.self.packages.${pkgs.system}.metacubexd;
|
||||||
|
};
|
||||||
|
|
||||||
|
### sops-nix
|
||||||
|
sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["clash.service"];}) {
|
||||||
|
"clash/proxy-providers/efcloud" = {};
|
||||||
|
"clash/proxy-providers/spcloud" = {};
|
||||||
|
"clash/proxy-providers/pawdroid" = {};
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: Using example config
|
||||||
|
# https://wiki.metacubex.one/example/conf/
|
||||||
|
# MetaCubeX/Meta-Docs doesnt look reliable through commit messages, no fetchers was used
|
||||||
|
sops.templates."clash.yaml" = {
|
||||||
|
owner = config.systemd.services."clash".serviceConfig.User;
|
||||||
|
group = config.systemd.services."clash".serviceConfig.Group;
|
||||||
|
content =
|
||||||
|
''
|
||||||
|
use: &use
|
||||||
|
type: select
|
||||||
|
use:
|
||||||
|
- efcloud
|
||||||
|
- spcloud
|
||||||
|
#- pawdroid
|
||||||
|
|
||||||
|
proxy-providers:
|
||||||
|
efcloud:
|
||||||
|
<<: *p
|
||||||
|
url: "${config.sops.placeholder."clash/proxy-providers/efcloud"}"
|
||||||
|
spcloud:
|
||||||
|
<<: *p
|
||||||
|
url: "${config.sops.placeholder."clash/proxy-providers/spcloud"}"
|
||||||
|
#pawdroid:
|
||||||
|
# <<: *p
|
||||||
|
# url: "${config.sops.placeholder."clash/proxy-providers/pawdroid"}"
|
||||||
|
''
|
||||||
|
+ builtins.readFile ./config.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
|
### System proxy settings
|
||||||
|
networking.proxy.default = "http://127.0.0.1:7890/";
|
||||||
|
|
||||||
|
### Local Clash WebUI
|
||||||
|
# You can also use the following website, just in case:
|
||||||
|
# - metacubexd:
|
||||||
|
# - GH Pages Custom Domain: http://d.metacubex.one
|
||||||
|
# - GH Pages: https://metacubex.github.io/metacubexd
|
||||||
|
# - Cloudflare Pages: https://metacubexd.pages.dev
|
||||||
|
# - yacd (Yet Another Clash Dashboard):
|
||||||
|
# - https://yacd.haishan.me
|
||||||
|
# - clash-dashboard (buggy):
|
||||||
|
# - https://clash.razord.top
|
||||||
|
}
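Review bot: The template text is emitted before `builtins.readFile ./config.yaml`, so `<<: *p` under `proxy-providers` uses the alias `p` before `p: &p { … }` is defined further down in config.yaml. A YAML alias must follow its anchor, so the rendered file is likely to be rejected when Clash parses it. Moving the `p: &p` line out of config.yaml to the top of this string, next to `use: &use`, keeps both anchors ahead of every alias. Note also that `${config.sops.placeholder."clash/proxy-providers/pawdroid"}` is still interpolated by Nix inside the `#`-commented YAML line, so that subscription URL is still written into the rendered file. If pawdroid is really unused, drop the commented line and its `sops.secrets` entry together.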
|
File diff suppressed because one or more lines are too long