nixos/clash: add cfg.tunMode

Guanran Wang 2024-01-15 19:50:57 +08:00
parent 7d47e189f8
commit 563d7c4851
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8


@ -36,6 +36,11 @@ in {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
description = "Extra command line options to use."; description = "Extra command line options to use.";
}; };
tunMode = lib.mkEnableOption ''
Whether to grant necessary permission for Clash's systemd service for TUN mode to function properly.
Keep in mind, that you still need to enable TUN mode manually in Clash's configuration.
'';
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -45,47 +50,56 @@ in {
documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"]; documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"];
after = ["network-online.target"]; after = ["network-online.target"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
serviceConfig = { serviceConfig =
ExecStart = builtins.concatStringsSep " " [ {
(lib.getExe cfg.package) ExecStart = builtins.concatStringsSep " " [
"-d /var/lib/private/clash" (lib.getExe cfg.package)
(lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml") "-d /var/lib/private/clash"
(lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}") (lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml")
(lib.optionalString (cfg.extraOpts != null) cfg.extraOpts) (lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
]; (lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
];
DynamicUser = true; DynamicUser = true;
StateDirectory = "clash"; StateDirectory = "clash";
LoadCredential = "config.yaml:${cfg.configFile}"; LoadCredential = "config.yaml:${cfg.configFile}";
### Hardening ### Hardening
CapabilityBoundingSet = ""; AmbientCapabilities = "";
DeviceAllow = ""; CapabilityBoundingSet = "";
LockPersonality = true; DeviceAllow = "";
MemoryDenyWriteExecute = true; LockPersonality = true;
NoNewPrivileges = true; MemoryDenyWriteExecute = true;
PrivateDevices = true; NoNewPrivileges = true;
PrivateMounts = true; PrivateDevices = true;
PrivateTmp = true; PrivateMounts = true;
PrivateUsers = true; PrivateTmp = true;
ProcSubset = "pid"; PrivateUsers = true;
ProtectClock = true; ProcSubset = "pid";
ProtectControlGroups = true; ProtectClock = true;
ProtectHome = true; ProtectControlGroups = true;
ProtectHostname = true; ProtectHome = true;
ProtectKernelLogs = true; ProtectHostname = true;
ProtectKernelModules = true; ProtectKernelLogs = true;
ProtectKernelTunables = true; ProtectKernelModules = true;
ProtectProc = "invisible"; ProtectKernelTunables = true;
ProtectSystem = "strict"; ProtectProc = "invisible";
RestrictRealtime = true; ProtectSystem = "strict";
RestrictSUIDSGID = true; RestrictRealtime = true;
RestrictNamespaces = true; RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET AF_INET6"; RestrictNamespaces = true;
SystemCallArchitectures = "native"; RestrictAddressFamilies = "AF_INET AF_INET6";
SystemCallFilter = "@system-service bpf"; SystemCallArchitectures = "native";
UMask = "0077"; SystemCallFilter = "@system-service bpf";
}; UMask = "0077";
}
// lib.optionalAttrs cfg.tunMode {
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
PrivateDevices = false;
PrivateUsers = false;
RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
};
}; };
}; };
} }
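Review bot: The tunMode override at the end of the hunk sets `PrivateDevices = false` but leaves the base `DeviceAllow = ""` in force, and since systemd's default `DevicePolicy=auto` only filters devices when the allow list is non-empty, the unit now gets the host's /dev with no cgroup device filter at all — containment rests solely on the DynamicUser uid versus each node's permission bits. TUN mode needs a single device node, so the override should also carry `DeviceAllow = "/dev/net/tun rw";`, which flips the policy to closed and admits just that node plus the standard pseudo-devices (/dev/null, /dev/urandom, …). Whether CAP_NET_RAW is actually required alongside CAP_NET_ADMIN is not evident from this change; if creating the interface and installing routes works with CAP_NET_ADMIN alone, the `AmbientCapabilities`/`CapabilityBoundingSet` lines should be narrowed to match. The option description in the first hunk would serve operators better if it named what is relaxed — the two capabilities granted and that PrivateDevices and PrivateUsers are switched off — rather than only "necessary permission", e.g. `Grants CAP_NET_ADMIN/CAP_NET_RAW and disables PrivateDevices/PrivateUsers so Clash can create a TUN interface; TUN mode itself must still be enabled in Clash's configuration.`. The enclosing `systemd.services.clash` definition starts before this hunk.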