From 46c2d1589e5982f40a827e5faaed4b54c985cd8d Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Fri, 22 Mar 2024 15:09:07 +0800
Subject: [PATCH] nixos/clash: use upstream module

---
 nixos/modules/default.nix | 3 -
 nixos/modules/services/clash.nix | 106 ------------------
 .../opt-in/clash-meta-client/default.nix | 20 ++--
 .../opt-in/clash-meta-client/home/default.nix | 8 --
 4 files changed, 11 insertions(+), 126 deletions(-)
 delete mode 100644 nixos/modules/services/clash.nix
 delete mode 100644 nixos/profiles/common/opt-in/clash-meta-client/home/default.nix

diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 3729419..f8fd17d 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -8,8 +8,5 @@
 ./myFlake/hardware/components/audio.nix
 ./myFlake/hardware/components/bluetooth.nix
 ./myFlake/hardware/components/tpm.nix
-
- # nixpkgs styled options
- ./services/clash.nix
 ];
 }
diff --git a/nixos/modules/services/clash.nix b/nixos/modules/services/clash.nix
deleted file mode 100644
index 0024157..0000000
--- a/nixos/modules/services/clash.nix
+++ /dev/null
@@ -1,106 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: let - cfg = config.services.clash; -in { - options.services.clash = { - enable = lib.mkEnableOption "Whether to enable Clash, A rule-based proxy in Go."; - package = lib.mkPackageOption pkgs "clash" {}; - configFile = lib.mkOption { - default = null; - type = lib.types.nullOr lib.types.path; - description = "Configuration file to use."; - }; - webui = lib.mkOption { - default = null; - type = lib.types.nullOr lib.types.path; - description = '' - Local web interface to use. - - You can also use the following website, just in case: - - metacubexd: - - https://d.metacubex.one - - https://metacubex.github.io/metacubexd - - https://metacubexd.pages.dev - - yacd: - - https://yacd.haishan.me - - clash-dashboard (buggy): - - https://clash.razord.top - ''; - }; - extraOpts = lib.mkOption { - default = null; - type = lib.types.nullOr lib.types.str; - description = "Extra command line options to use."; - }; - tunMode = lib.mkEnableOption '' - Whether to grant necessary permission for Clash's systemd service for TUN mode to function properly. - - Keep in mind, that you still need to enable TUN mode manually in Clash's configuration. 
- ''; - }; - - config = lib.mkIf cfg.enable { - ### systemd service - systemd.services."clash" = { - description = "Clash daemon, A rule-based proxy in Go."; - documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"]; - requires = ["network-online.target"]; - after = ["network-online.target"]; - wantedBy = ["multi-user.target"]; - serviceConfig = - { - ExecStart = builtins.concatStringsSep " " [ - (lib.getExe cfg.package) - "-d /var/lib/private/clash" - (lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml") - (lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}") - (lib.optionalString (cfg.extraOpts != null) cfg.extraOpts) - ]; - - DynamicUser = true; - StateDirectory = "clash"; - LoadCredential = "config.yaml:${cfg.configFile}"; - - ### Hardening - AmbientCapabilities = ""; - CapabilityBoundingSet = ""; - DeviceAllow = ""; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateTmp = true; - PrivateUsers = true; - ProcSubset = "pid"; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - RestrictRealtime = true; - RestrictSUIDSGID = true; - RestrictNamespaces = true; - RestrictAddressFamilies = "AF_INET AF_INET6"; - SystemCallArchitectures = "native"; - SystemCallFilter = "@system-service bpf"; - UMask = "0077"; - } - // lib.optionalAttrs cfg.tunMode { - AmbientCapabilities = "CAP_NET_ADMIN"; - CapabilityBoundingSet = "CAP_NET_ADMIN"; - PrivateDevices = false; - PrivateUsers = false; - RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK"; - }; - }; - }; -} diff --git a/nixos/profiles/common/opt-in/clash-meta-client/default.nix b/nixos/profiles/common/opt-in/clash-meta-client/default.nix index 55e2004..ff93137 100644 
--- a/nixos/profiles/common/opt-in/clash-meta-client/default.nix
+++ b/nixos/profiles/common/opt-in/clash-meta-client/default.nix
@@ -3,26 +3,28 @@
 config,
 ...
 }: {
- ### home-manager
- home-manager.users.guanranwang.imports = [./home];
-
- services.clash = {
+ services.mihomo = {
 enable = true;
- package = pkgs.clash-meta;
 configFile = config.sops.templates."clash.yaml".path;
 webui = config.nur.repos.guanran928.metacubexd;
 };
 
- systemd.services.clash.serviceConfig.ExecStartPre = [
- "${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-geoip}/share/v2ray/geoip.dat /var/lib/private/clash/GeoIP.dat"
- "${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-domain-list-community}/share/v2ray/geosite.dat /var/lib/private/clash/GeoSite.dat"
+ systemd.services.mihomo.serviceConfig.ExecStartPre = [
+ "${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-geoip}/share/v2ray/geoip.dat /var/lib/private/mihomo/GeoIP.dat"
+ "${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-domain-list-community}/share/v2ray/geosite.dat /var/lib/private/mihomo/GeoSite.dat"
 ];
 
 ### System proxy settings
 networking.proxy.default = "http://127.0.0.1:7890/";
+ environment.shellAliases = let
+ inherit (config.networking) proxy;
+ in {
+ "setproxy" = "export http_proxy=${proxy.httpProxy} https_proxy=${proxy.httpsProxy} all_proxy=${proxy.allProxy} ftp_proxy=${proxy.ftpProxy} rsync_proxy=${proxy.rsyncProxy}";
+ "unsetproxy" = "set -e http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";
+ };
 
 ### sops-nix
- sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["clash.service"];}) {
+ sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["mihomo.service"];}) {
 "clash/secret" = {};
 "clash/proxy-providers/flyairport" = {};
 "clash/proxy-providers/efcloud" = {};
diff --git a/nixos/profiles/common/opt-in/clash-meta-client/home/default.nix b/nixos/profiles/common/opt-in/clash-meta-client/home/default.nix
deleted file mode 100644
index da06bdc..0000000
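Review bot: The `unsetproxy` alias added under `environment.shellAliases` is fish syntax — `set -e NAME ...` erases variables only in fish, whereas in bash or zsh `set -e http_proxy https_proxy ...` switches on `errexit` for the interactive session and overwrites the positional parameters, leaving the proxy variables exported. This was harmless in the deleted per-user home-manager file if that user's shell is fish, but `environment.shellAliases` is propagated to every enabled shell, so if bash or zsh is in use the alias should become `"unsetproxy" = "unset http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";` or be split into `programs.fish.shellAliases` and `programs.bash.shellAliases` with the matching form each. The two `ExecStartPre` symlinks also hard-code `/var/lib/private/mihomo`, which presumes the upstream `services.mihomo` unit runs with `DynamicUser` and `StateDirectory = "mihomo"`; worth confirming against the upstream module, since a mismatch silently leaves GeoIP/GeoSite unresolved. The enclosing module attribute set starts and ends outside this hunk.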
--- a/nixos/profiles/common/opt-in/clash-meta-client/home/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{osConfig, ...}: let
- inherit (osConfig.networking) proxy;
-in {
- home.shellAliases = {
- "setproxy" = "export http_proxy=${proxy.httpProxy} https_proxy=${proxy.httpsProxy} all_proxy=${proxy.allProxy} ftp_proxy=${proxy.ftpProxy} rsync_proxy=${proxy.rsyncProxy}";
- "unsetproxy" = "set -e http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";
- };
-}