From 563d7c4851641ad2a686f4c22d1e83b474fe500c Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Mon, 15 Jan 2024 19:50:57 +0800
Subject: [PATCH] nixos/clash: add cfg.tunMode
---
 nixos/modules/services/clash.nix | 92 ++++++++++++++++++--------------
 1 file changed, 53 insertions(+), 39 deletions(-)
diff --git a/nixos/modules/services/clash.nix b/nixos/modules/services/clash.nix
index 95ebfc6..422a354 100644
--- a/nixos/modules/services/clash.nix
+++ b/nixos/modules/services/clash.nix
@@ -36,6 +36,11 @@ in {
 type = lib.types.nullOr lib.types.str;
 description = "Extra command line options to use.";
 };
+ tunMode = lib.mkEnableOption ''
+ Whether to grant necessary permission for Clash's systemd service for TUN mode to function properly.
+
+ Keep in mind, that you still need to enable TUN mode manually in Clash's configuration.
+ '';
 };
 
 config = lib.mkIf cfg.enable {
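Review bot: `lib.mkEnableOption` builds its description as "Whether to enable <argument>.", so the text passed in the tunMode hunk renders as "Whether to enable Whether to grant necessary permission …", and the doubled opening reads badly on the option page. Pass a noun phrase that completes the generated sentence, e.g. `tunMode = lib.mkEnableOption "the capabilities and relaxed sandboxing Clash's systemd service needs for TUN mode";`, or switch to `lib.mkOption` with `type = lib.types.bool; default = false;` and an explicit `description` if the reminder about enabling TUN mode in Clash's own configuration should stay. Whichever form is used, the description should say what the option loosens (ambient CAP_NET_ADMIN/CAP_NET_RAW, PrivateDevices and PrivateUsers off, AF_NETLINK allowed), because a reader of the option page cannot otherwise tell how much of the unit's hardening it relaxes. The options attrset this hunk edits opens before the hunk.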
@@ -45,47 +50,56 @@ in {
 documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"];
 after = ["network-online.target"];
 wantedBy = ["multi-user.target"];
- serviceConfig = {
- ExecStart = builtins.concatStringsSep " " [
- (lib.getExe cfg.package)
- "-d /var/lib/private/clash"
- (lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml")
- (lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
- (lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
- ];
+ serviceConfig =
+ {
+ ExecStart = builtins.concatStringsSep " " [
+ (lib.getExe cfg.package)
+ "-d /var/lib/private/clash"
+ (lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml")
+ (lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
+ (lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
+ ];
 
- DynamicUser = true;
- StateDirectory = "clash";
- LoadCredential = "config.yaml:${cfg.configFile}";
+ DynamicUser = true;
+ StateDirectory = "clash";
+ LoadCredential = "config.yaml:${cfg.configFile}";
 
- ### Hardening
- CapabilityBoundingSet = "";
- DeviceAllow = "";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateMounts = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- RestrictNamespaces = true;
- RestrictAddressFamilies = "AF_INET AF_INET6";
- SystemCallArchitectures = "native";
- SystemCallFilter = "@system-service bpf";
- UMask = "0077";
- };
+ ### Hardening
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+ DeviceAllow = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictNamespaces = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service bpf";
+ UMask = "0077";
+ }
+ // lib.optionalAttrs cfg.tunMode {
+ AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
+ CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
+ PrivateDevices = false;
+ PrivateUsers = false;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
+ };
 };
 };
 }
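Review bot: The `lib.optionalAttrs cfg.tunMode` attrset turns `PrivateDevices` off but leaves the base `DeviceAllow = ""` in force, and an empty DeviceAllow list under systemd's default `DevicePolicy=auto` imposes no device restriction at all, so in TUN mode the service sees the whole of the host's /dev rather than only the TUN device. Add `DeviceAllow = "/dev/net/tun rw";` to the tunMode attrset; once an explicit entry exists the default policy denies every other node, which keeps the relaxation to the one device TUN mode needs. The other overrides look proportionate: ambient CAP_NET_ADMIN/CAP_NET_RAW plus AF_NETLINK are what creating the interface and installing routes require, and `PrivateUsers = false` appears necessary because capabilities held inside a private user namespace do not act on the host network stack. The `systemd.services` definition this hunk edits opens before the hunk.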