nixos/clash: use upstream module
This commit is contained in:
parent
6265bc8374
commit
46c2d1589e
4 changed files with 11 additions and 126 deletions
|
@ -8,8 +8,5 @@
|
||||||
./myFlake/hardware/components/audio.nix
|
./myFlake/hardware/components/audio.nix
|
||||||
./myFlake/hardware/components/bluetooth.nix
|
./myFlake/hardware/components/bluetooth.nix
|
||||||
./myFlake/hardware/components/tpm.nix
|
./myFlake/hardware/components/tpm.nix
|
||||||
|
|
||||||
# nixpkgs styled options
|
|
||||||
./services/clash.nix
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,106 +0,0 @@
|
||||||
{
|
|
||||||
lib,
|
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: let
|
|
||||||
cfg = config.services.clash;
|
|
||||||
in {
|
|
||||||
options.services.clash = {
|
|
||||||
enable = lib.mkEnableOption "Whether to enable Clash, A rule-based proxy in Go.";
|
|
||||||
package = lib.mkPackageOption pkgs "clash" {};
|
|
||||||
configFile = lib.mkOption {
|
|
||||||
default = null;
|
|
||||||
type = lib.types.nullOr lib.types.path;
|
|
||||||
description = "Configuration file to use.";
|
|
||||||
};
|
|
||||||
webui = lib.mkOption {
|
|
||||||
default = null;
|
|
||||||
type = lib.types.nullOr lib.types.path;
|
|
||||||
description = ''
|
|
||||||
Local web interface to use.
|
|
||||||
|
|
||||||
You can also use the following website, just in case:
|
|
||||||
- metacubexd:
|
|
||||||
- https://d.metacubex.one
|
|
||||||
- https://metacubex.github.io/metacubexd
|
|
||||||
- https://metacubexd.pages.dev
|
|
||||||
- yacd:
|
|
||||||
- https://yacd.haishan.me
|
|
||||||
- clash-dashboard (buggy):
|
|
||||||
- https://clash.razord.top
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
extraOpts = lib.mkOption {
|
|
||||||
default = null;
|
|
||||||
type = lib.types.nullOr lib.types.str;
|
|
||||||
description = "Extra command line options to use.";
|
|
||||||
};
|
|
||||||
tunMode = lib.mkEnableOption ''
|
|
||||||
Whether to grant necessary permission for Clash's systemd service for TUN mode to function properly.
|
|
||||||
|
|
||||||
Keep in mind, that you still need to enable TUN mode manually in Clash's configuration.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
### systemd service
|
|
||||||
systemd.services."clash" = {
|
|
||||||
description = "Clash daemon, A rule-based proxy in Go.";
|
|
||||||
documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"];
|
|
||||||
requires = ["network-online.target"];
|
|
||||||
after = ["network-online.target"];
|
|
||||||
wantedBy = ["multi-user.target"];
|
|
||||||
serviceConfig =
|
|
||||||
{
|
|
||||||
ExecStart = builtins.concatStringsSep " " [
|
|
||||||
(lib.getExe cfg.package)
|
|
||||||
"-d /var/lib/private/clash"
|
|
||||||
(lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml")
|
|
||||||
(lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
|
|
||||||
(lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
|
|
||||||
];
|
|
||||||
|
|
||||||
DynamicUser = true;
|
|
||||||
StateDirectory = "clash";
|
|
||||||
LoadCredential = "config.yaml:${cfg.configFile}";
|
|
||||||
|
|
||||||
### Hardening
|
|
||||||
AmbientCapabilities = "";
|
|
||||||
CapabilityBoundingSet = "";
|
|
||||||
DeviceAllow = "";
|
|
||||||
LockPersonality = true;
|
|
||||||
MemoryDenyWriteExecute = true;
|
|
||||||
NoNewPrivileges = true;
|
|
||||||
PrivateDevices = true;
|
|
||||||
PrivateMounts = true;
|
|
||||||
PrivateTmp = true;
|
|
||||||
PrivateUsers = true;
|
|
||||||
ProcSubset = "pid";
|
|
||||||
ProtectClock = true;
|
|
||||||
ProtectControlGroups = true;
|
|
||||||
ProtectHome = true;
|
|
||||||
ProtectHostname = true;
|
|
||||||
ProtectKernelLogs = true;
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
ProtectProc = "invisible";
|
|
||||||
ProtectSystem = "strict";
|
|
||||||
RestrictRealtime = true;
|
|
||||||
RestrictSUIDSGID = true;
|
|
||||||
RestrictNamespaces = true;
|
|
||||||
RestrictAddressFamilies = "AF_INET AF_INET6";
|
|
||||||
SystemCallArchitectures = "native";
|
|
||||||
SystemCallFilter = "@system-service bpf";
|
|
||||||
UMask = "0077";
|
|
||||||
}
|
|
||||||
// lib.optionalAttrs cfg.tunMode {
|
|
||||||
AmbientCapabilities = "CAP_NET_ADMIN";
|
|
||||||
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
|
||||||
PrivateDevices = false;
|
|
||||||
PrivateUsers = false;
|
|
||||||
RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -3,26 +3,28 @@
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
### home-manager
|
services.mihomo = {
|
||||||
home-manager.users.guanranwang.imports = [./home];
|
|
||||||
|
|
||||||
services.clash = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.clash-meta;
|
|
||||||
configFile = config.sops.templates."clash.yaml".path;
|
configFile = config.sops.templates."clash.yaml".path;
|
||||||
webui = config.nur.repos.guanran928.metacubexd;
|
webui = config.nur.repos.guanran928.metacubexd;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.clash.serviceConfig.ExecStartPre = [
|
systemd.services.mihomo.serviceConfig.ExecStartPre = [
|
||||||
"${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-geoip}/share/v2ray/geoip.dat /var/lib/private/clash/GeoIP.dat"
|
"${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-geoip}/share/v2ray/geoip.dat /var/lib/private/mihomo/GeoIP.dat"
|
||||||
"${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-domain-list-community}/share/v2ray/geosite.dat /var/lib/private/clash/GeoSite.dat"
|
"${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-domain-list-community}/share/v2ray/geosite.dat /var/lib/private/mihomo/GeoSite.dat"
|
||||||
];
|
];
|
||||||
|
|
||||||
### System proxy settings
|
### System proxy settings
|
||||||
networking.proxy.default = "http://127.0.0.1:7890/";
|
networking.proxy.default = "http://127.0.0.1:7890/";
|
||||||
|
environment.shellAliases = let
|
||||||
|
inherit (config.networking) proxy;
|
||||||
|
in {
|
||||||
|
"setproxy" = "export http_proxy=${proxy.httpProxy} https_proxy=${proxy.httpsProxy} all_proxy=${proxy.allProxy} ftp_proxy=${proxy.ftpProxy} rsync_proxy=${proxy.rsyncProxy}";
|
||||||
|
"unsetproxy" = "set -e http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";
|
||||||
|
};
|
||||||
|
|
||||||
### sops-nix
|
### sops-nix
|
||||||
sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["clash.service"];}) {
|
sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["mihomo.service"];}) {
|
||||||
"clash/secret" = {};
|
"clash/secret" = {};
|
||||||
"clash/proxy-providers/flyairport" = {};
|
"clash/proxy-providers/flyairport" = {};
|
||||||
"clash/proxy-providers/efcloud" = {};
|
"clash/proxy-providers/efcloud" = {};
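Review bot: The `unsetproxy` alias added on the new side (`set -e http_proxy https_proxy all_proxy ...`) only erases variables in fish; in bash or zsh, which NixOS also feeds from `environment.shellAliases`, `set -e` switches on errexit for the interactive shell and reassigns the positional parameters while the proxy variables stay exported, so for those shells it should read `"unsetproxy" = "unset http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";` (fish would need its own alias). The two `ExecStartPre` symlinks hard-code `/var/lib/private/mihomo`; if the upstream unit runs with `StateDirectory`, writing them as `\${STATE_DIRECTORY}/GeoIP.dat` (escaped from Nix, as the deleted module did for `CREDENTIALS_DIRECTORY`) would follow the real state directory instead of silently creating links at a dead path should it move. Because this commit deletes the locally maintained `services.clash` module together with its explicit sandbox (empty capability set, `ProtectSystem = "strict"`, `RestrictAddressFamilies`, opt-in `tunMode`), it is worth confirming that the upstream `services.mihomo` unit applies an equivalent hardening set before relying on it. The enclosing module's argument list starts above the hunk.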
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
{osConfig, ...}: let
|
|
||||||
inherit (osConfig.networking) proxy;
|
|
||||||
in {
|
|
||||||
home.shellAliases = {
|
|
||||||
"setproxy" = "export http_proxy=${proxy.httpProxy} https_proxy=${proxy.httpsProxy} all_proxy=${proxy.allProxy} ftp_proxy=${proxy.ftpProxy} rsync_proxy=${proxy.rsyncProxy}";
|
|
||||||
"unsetproxy" = "set -e http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";
|
|
||||||
};
|
|
||||||
}
|
|