nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos/clash: use upstream module

Browse source
This commit is contained in:
Guanran Wang 2024-03-22 15:09:07 +08:00
parent 6265bc8374
commit 46c2d1589e
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
4 changed files with 11 additions and 126 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
nixos/modules/default.nix
View file

@ -8,8 +8,5 @@
./myFlake/hardware/components/audio.nix ./myFlake/hardware/components/audio.nix
./myFlake/hardware/components/bluetooth.nix ./myFlake/hardware/components/bluetooth.nix
./myFlake/hardware/components/tpm.nix ./myFlake/hardware/components/tpm.nix
# nixpkgs styled options
./services/clash.nix
]; ];
} }

106
nixos/modules/services/clash.nix
View file

@ -1,106 +0,0 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.services.clash;
in {
options.services.clash = {
enable = lib.mkEnableOption "Whether to enable Clash, A rule-based proxy in Go.";
package = lib.mkPackageOption pkgs "clash" {};
configFile = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.path;
description = "Configuration file to use.";
};
webui = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.path;
description = ''
Local web interface to use.
You can also use the following website, just in case:
- metacubexd:
- https://d.metacubex.one
- https://metacubex.github.io/metacubexd
- https://metacubexd.pages.dev
- yacd:
- https://yacd.haishan.me
- clash-dashboard (buggy):
- https://clash.razord.top
'';
};
extraOpts = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = "Extra command line options to use.";
};
tunMode = lib.mkEnableOption ''
Whether to grant necessary permission for Clash's systemd service for TUN mode to function properly.
Keep in mind, that you still need to enable TUN mode manually in Clash's configuration.
'';
};
config = lib.mkIf cfg.enable {
### systemd service
systemd.services."clash" = {
description = "Clash daemon, A rule-based proxy in Go.";
documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"];
requires = ["network-online.target"];
after = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig =
{
ExecStart = builtins.concatStringsSep " " [
(lib.getExe cfg.package)
"-d /var/lib/private/clash"
(lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml")
(lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
(lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
];
DynamicUser = true;
StateDirectory = "clash";
LoadCredential = "config.yaml:${cfg.configFile}";
### Hardening
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictNamespaces = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service bpf";
UMask = "0077";
}
// lib.optionalAttrs cfg.tunMode {
AmbientCapabilities = "CAP_NET_ADMIN";
CapabilityBoundingSet = "CAP_NET_ADMIN";
PrivateDevices = false;
PrivateUsers = false;
RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
};
};
};
}

20
nixos/profiles/common/opt-in/clash-meta-client/default.nix
View file

@ -3,26 +3,28 @@
config, config,
... ...
}: { }: {
### home-manager services.mihomo = {
home-manager.users.guanranwang.imports = [./home];
services.clash = {
enable = true; enable = true;
package = pkgs.clash-meta;
configFile = config.sops.templates."clash.yaml".path; configFile = config.sops.templates."clash.yaml".path;
webui = config.nur.repos.guanran928.metacubexd; webui = config.nur.repos.guanran928.metacubexd;
}; };
systemd.services.clash.serviceConfig.ExecStartPre = [ systemd.services.mihomo.serviceConfig.ExecStartPre = [
"${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-geoip}/share/v2ray/geoip.dat /var/lib/private/clash/GeoIP.dat" "${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-geoip}/share/v2ray/geoip.dat /var/lib/private/mihomo/GeoIP.dat"
"${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-domain-list-community}/share/v2ray/geosite.dat /var/lib/private/clash/GeoSite.dat" "${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-domain-list-community}/share/v2ray/geosite.dat /var/lib/private/mihomo/GeoSite.dat"
]; ];
### System proxy settings ### System proxy settings
networking.proxy.default = "http://127.0.0.1:7890/"; networking.proxy.default = "http://127.0.0.1:7890/";
environment.shellAliases = let
inherit (config.networking) proxy;
in {
"setproxy" = "export http_proxy=${proxy.httpProxy} https_proxy=${proxy.httpsProxy} all_proxy=${proxy.allProxy} ftp_proxy=${proxy.ftpProxy} rsync_proxy=${proxy.rsyncProxy}";
"unsetproxy" = "set -e http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";
};
### sops-nix ### sops-nix
sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["clash.service"];}) { sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["mihomo.service"];}) {
"clash/secret" = {}; "clash/secret" = {};
"clash/proxy-providers/flyairport" = {}; "clash/proxy-providers/flyairport" = {};
"clash/proxy-providers/efcloud" = {}; "clash/proxy-providers/efcloud" = {};

8
nixos/profiles/common/opt-in/clash-meta-client/home/default.nix
View file

@ -1,8 +0,0 @@
{osConfig, ...}: let
inherit (osConfig.networking) proxy;
in {
home.shellAliases = {
"setproxy" = "export http_proxy=${proxy.httpProxy} https_proxy=${proxy.httpsProxy} all_proxy=${proxy.allProxy} ftp_proxy=${proxy.ftpProxy} rsync_proxy=${proxy.rsyncProxy}";
"unsetproxy" = "set -e http_proxy https_proxy all_proxy ftp_proxy rsync_proxy";
};
}