nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos/clash: add cfg.tunMode

Browse source
This commit is contained in:
Guanran Wang 2024-01-15 19:50:57 +08:00
parent 7d47e189f8
commit 563d7c4851
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
1 changed files with 53 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

92
nixos/modules/services/clash.nix
View file

@ -36,6 +36,11 @@ in {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
description = "Extra command line options to use."; description = "Extra command line options to use.";
}; };
tunMode = lib.mkEnableOption ''
Whether to grant necessary permission for Clash's systemd service for TUN mode to function properly.
Keep in mind, that you still need to enable TUN mode manually in Clash's configuration.
'';
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -45,47 +50,56 @@ in {
documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"]; documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"];
after = ["network-online.target"]; after = ["network-online.target"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
serviceConfig = { serviceConfig =
ExecStart = builtins.concatStringsSep " " [ {
(lib.getExe cfg.package) ExecStart = builtins.concatStringsSep " " [
"-d /var/lib/private/clash" (lib.getExe cfg.package)
(lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml") "-d /var/lib/private/clash"
(lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}") (lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml")
(lib.optionalString (cfg.extraOpts != null) cfg.extraOpts) (lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
]; (lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
];
DynamicUser = true; DynamicUser = true;
StateDirectory = "clash"; StateDirectory = "clash";
LoadCredential = "config.yaml:${cfg.configFile}"; LoadCredential = "config.yaml:${cfg.configFile}";
### Hardening ### Hardening
CapabilityBoundingSet = ""; AmbientCapabilities = "";
DeviceAllow = ""; CapabilityBoundingSet = "";
LockPersonality = true; DeviceAllow = "";
MemoryDenyWriteExecute = true; LockPersonality = true;
NoNewPrivileges = true; MemoryDenyWriteExecute = true;
PrivateDevices = true; NoNewPrivileges = true;
PrivateMounts = true; PrivateDevices = true;
PrivateTmp = true; PrivateMounts = true;
PrivateUsers = true; PrivateTmp = true;
ProcSubset = "pid"; PrivateUsers = true;
ProtectClock = true; ProcSubset = "pid";
ProtectControlGroups = true; ProtectClock = true;
ProtectHome = true; ProtectControlGroups = true;
ProtectHostname = true; ProtectHome = true;
ProtectKernelLogs = true; ProtectHostname = true;
ProtectKernelModules = true; ProtectKernelLogs = true;
ProtectKernelTunables = true; ProtectKernelModules = true;
ProtectProc = "invisible"; ProtectKernelTunables = true;
ProtectSystem = "strict"; ProtectProc = "invisible";
RestrictRealtime = true; ProtectSystem = "strict";
RestrictSUIDSGID = true; RestrictRealtime = true;
RestrictNamespaces = true; RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET AF_INET6"; RestrictNamespaces = true;
SystemCallArchitectures = "native"; RestrictAddressFamilies = "AF_INET AF_INET6";
SystemCallFilter = "@system-service bpf"; SystemCallArchitectures = "native";
UMask = "0077"; SystemCallFilter = "@system-service bpf";
}; UMask = "0077";
}
// lib.optionalAttrs cfg.tunMode {
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
PrivateDevices = false;
PrivateUsers = false;
RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
};
}; };
}; };
} }