nixos: clash-meta-client: use sops templates

nixos/hosts/Aristotle/default.nix

@@ -10,7 +10,7 @@
     # User
     ../../../users/guanranwang/nixos/profiles/core
     ../../../users/guanranwang/nixos/profiles/device-type/laptop
-    ../../../users/guanranwang/nixos/profiles/opt-in/clash-meta-client.nix
+    ../../../users/guanranwang/nixos/profiles/opt-in/clash-meta-client
     ../../../users/guanranwang/nixos/profiles/opt-in/gaming
     ../../../users/guanranwang/nixos/profiles/opt-in/torrenting
 

nixos/modules/services/clash.nix

@@ -47,8 +47,8 @@ in {
 
         # https://man.archlinux.org/man/systemd.exec.5
         ConfigurationDirectory = "clash";
-        User = [config.users.users."clash".name];
-        Group = [config.users.groups."clash".name];
+        User = config.users.users."clash".name;
+        Group = config.users.groups."clash".name;
         ExecStart = builtins.replaceStrings ["\n"] [" "] ''
           ${lib.getExe cfg.package}
           -d /etc/clash

users/guanranwang/nixos/profiles/opt-in/clash-meta-client.nix

@@ -1,34 +0,0 @@
-{
-  pkgs,
-  config,
-  inputs,
-  ...
-}: {
-  services.clash = {
-    enable = true;
-    package = pkgs.clash-meta;
-    configFile = config.sops.secrets."clash-config".path;
-    webui = inputs.self.packages.${pkgs.system}.metacubexd;
-  };
-
-  ### sops-nix
-  sops.secrets."clash-config" = {
-    owner = config.users.users."clash".name;
-    group = config.users.groups."clash".name;
-    restartUnits = ["clash.service"];
-  };
-
-  ### System proxy settings
-  networking.proxy.default = "http://127.0.0.1:7890/";
-
-  ### Local Clash WebUI
-  # You can also use the following website, just in case:
-  # - metacubexd:
-  #   - GH Pages Custom Domain: http://d.metacubex.one
-  #   - GH Pages: https://metacubex.github.io/metacubexd
-  #   - Cloudflare Pages: https://metacubexd.pages.dev
-  # - yacd (Yet Another Clash Dashboard):
-  #   - https://yacd.haishan.me
-  # - clash-dashboard (buggy):
-  #   - https://clash.razord.top
-}

users/guanranwang/nixos/profiles/opt-in/clash-meta-client/config.yaml

@@ -0,0 +1,115 @@
+######### 锚点 start #######
+# 策略组相关
+pr: &pr { type: select, proxies: [ 默认, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点, 自动选择, DIRECT, ], }
+
+# 这里是订阅更新和延迟测试相关的
+p: &p { type: http, interval: 3600, health-check: { enable: true, url: https://www.gstatic.com/generate_204, interval: 300, }, }
+
+######### 锚点 end #######
+
+allow-lan: true
+port: 7890
+unified-delay: false
+tcp-concurrent: true
+external-controller: 127.0.0.1:9090
+log-level: warning
+
+geodata-mode: true
+geox-url:
+  geoip: "https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.dat"
+  geosite: "https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat"
+  mmdb: "https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country-lite.mmdb"
+
+find-process-mode: strict
+global-client-fingerprint: chrome
+
+profile:
+  store-selected: true
+  store-fake-ip: true
+
+sniffer:
+  enable: true
+  sniff:
+    HTTP:
+      ports: [80, 8080-8880]
+      override-destination: true
+    TLS:
+      ports: [443, 8443]
+    #QUIC:
+    #  ports: [443, 8443]
+  skip-domain:
+    - "Mijia Cloud"
+
+dns:
+  enable: true
+  listen: :1053
+  ipv6: true
+  enhanced-mode: fake-ip
+  fake-ip-filter:
+    - "*"
+    - "+.lan"
+    - "+.local"
+  nameserver:
+    - https://doh.pub/dns-query
+    - https://dns.alidns.com/dns-query
+  proxy-server-nameserver:
+    - https://doh.pub/dns-query
+  nameserver-policy:
+    "geosite:private":
+      - https://doh.pub/dns-query
+      - https://dns.alidns.com/dns-query
+    "geosite:geolocation-!cn":
+      - "https://dns.cloudflare.com/dns-query#dns"
+      - "https://dns.google/dns-query#dns"
+
+proxy-groups:
+  - { name: 默认, type: select, proxies: [自动选择, DIRECT, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点], }
+  - { name: dns, type: select, proxies: [自动选择, 默认, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点], }
+  - { name: Google, <<: *pr }
+  - { name: Telegram, <<: *pr }
+  - { name: Twitter, <<: *pr }
+  - { name: Pixiv, <<: *pr }
+  - { name: ehentai, <<: *pr }
+  - { name: 哔哩哔哩, <<: *pr }
+  - { name: 哔哩东南亚, <<: *pr }
+  - { name: 巴哈姆特, <<: *pr }
+  - { name: YouTube, <<: *pr }
+  - { name: NETFLIX, <<: *pr }
+  - { name: Spotify, <<: *pr }
+  - { name: Github, <<: *pr }
+  - { name: 国内, type: select, proxies: [ DIRECT, 默认, 香港, 台湾, 日本, 新加坡, 美国, 其它地区, 全部节点, 自动选择, ], }
+  - { name: 其他, <<: *pr }
+
+  # 分隔,下面是地区分组
+  - { name: 香港, <<: *use, filter: "(?i)港|hk|hongkong|hong kong" }
+  - { name: 台湾, <<: *use, filter: "(?i)台|tw|taiwan" }
+  - { name: 日本, <<: *use, filter: "(?i)日本|jp|japan" }
+  - { name: 美国, <<: *use, filter: "(?i)美|us|unitedstates|united states" }
+  - { name: 新加坡, <<: *use, filter: "(?i)(新|sg|singapore)" }
+  - { name: 其它地区, <<: *use, filter: "(?i)^(?!.*(?:🇭🇰|🇯🇵|🇺🇸|🇸🇬|🇨🇳|港|hk|hongkong|台|tw|taiwan|日|jp|japan|新|sg|singapore|美|us|unitedstates)).*", }
+  - { name: 全部节点, <<: *use }
+  - { name: 自动选择, <<: *use, tolerance: 2, type: url-test }
+
+rules:
+  - GEOIP,lan,直连,no-resolve
+  - GEOSITE,biliintl,哔哩东南亚
+  - GEOSITE,ehentai,ehentai
+  - GEOSITE,github,Github
+  - GEOSITE,twitter,Twitter
+  - GEOSITE,youtube,YouTube
+  - GEOSITE,google,Google
+  - GEOSITE,telegram,Telegram
+  - GEOSITE,netflix,NETFLIX
+  - GEOSITE,bilibili,哔哩哔哩
+  - GEOSITE,bahamut,巴哈姆特
+  - GEOSITE,spotify,Spotify
+  - GEOSITE,pixiv,Pixiv
+  - GEOSITE,geolocation-!cn,其他
+
+  - GEOIP,google,Google
+  - GEOIP,netflix,NETFLIX
+  - GEOIP,telegram,Telegram
+  - GEOIP,twitter,Twitter
+  - GEOSITE,CN,国内
+  - GEOIP,CN,国内
+  - MATCH,其他

users/guanranwang/nixos/profiles/opt-in/clash-meta-client/default.nix

@@ -0,0 +1,63 @@
+{
+  pkgs,
+  config,
+  inputs,
+  ...
+}: {
+  services.clash = {
+    enable = true;
+    package = pkgs.clash-meta;
+    configFile = config.sops.templates."clash.yaml".path;
+    webui = inputs.self.packages.${pkgs.system}.metacubexd;
+  };
+
+  ### sops-nix
+  sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["clash.service"];}) {
+    "clash/proxy-providers/efcloud" = {};
+    "clash/proxy-providers/spcloud" = {};
+    "clash/proxy-providers/pawdroid" = {};
+  };
+
+  # TODO: Using example config
+  # https://wiki.metacubex.one/example/conf/
+  # MetaCubeX/Meta-Docs doesnt look reliable through commit messages, no fetchers was used
+  sops.templates."clash.yaml" = {
+    owner = config.systemd.services."clash".serviceConfig.User;
+    group = config.systemd.services."clash".serviceConfig.Group;
+    content =
+      ''
+        use: &use
+          type: select
+          use:
+          - efcloud
+          - spcloud
+          #- pawdroid
+
+        proxy-providers:
+          efcloud:
+            <<: *p
+            url: "${config.sops.placeholder."clash/proxy-providers/efcloud"}"
+          spcloud:
+            <<: *p
+            url: "${config.sops.placeholder."clash/proxy-providers/spcloud"}"
+          #pawdroid:
+          #  <<: *p
+          #  url: "${config.sops.placeholder."clash/proxy-providers/pawdroid"}"
+      ''
+      + builtins.readFile ./config.yaml;
+  };
+
+  ### System proxy settings
+  networking.proxy.default = "http://127.0.0.1:7890/";
+
+  ### Local Clash WebUI
+  # You can also use the following website, just in case:
+  # - metacubexd:
+  #   - GH Pages Custom Domain: http://d.metacubex.one
+  #   - GH Pages: https://metacubex.github.io/metacubexd
+  #   - Cloudflare Pages: https://metacubexd.pages.dev
+  # - yacd (Yet Another Clash Dashboard):
+  #   - https://yacd.haishan.me
+  # - clash-dashboard (buggy):
+  #   - https://clash.razord.top
+}