nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos/clash: use systemd DynamicUser

Browse source
This commit is contained in:
Guanran Wang 2024-01-02 17:45:55 +08:00
parent 00aab46112
commit b4a9fa903f
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
2 changed files with 3 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
nixos/modules/services/clash.nix
View file

@ -39,13 +39,6 @@ in {
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
### User running clash
users.groups."clash" = {};
users.users."clash" = {
isSystemUser = true;
group = config.users.groups."clash".name;
};
### systemd service ### systemd service
# https://en.clash.wiki/introduction/service.html#systemd # https://en.clash.wiki/introduction/service.html#systemd
# https://wiki.metacubex.one/startup/service/#systemd # https://wiki.metacubex.one/startup/service/#systemd
@ -54,17 +47,13 @@ in {
after = ["network-online.target"]; after = ["network-online.target"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
serviceConfig = { serviceConfig = {
# TODO: DynamicUser
# DynamicUser = true;
User = config.users.users."clash".name;
Group = config.users.groups."clash".name;
# https://man.archlinux.org/man/systemd.exec.5 # https://man.archlinux.org/man/systemd.exec.5
ConfigurationDirectory = "clash"; DynamicUser = true;
StateDirectory = "clash";
LoadCredential = "configuration:${cfg.configFile}"; LoadCredential = "configuration:${cfg.configFile}";
ExecStart = builtins.replaceStrings ["\n"] [" "] '' ExecStart = builtins.replaceStrings ["\n"] [" "] ''
${lib.getExe cfg.package} ${lib.getExe cfg.package}
-d /etc/clash -d /var/lib/private/clash
${lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/configuration"} ${lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/configuration"}
${lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}"} ${lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}"}
${lib.optionalString (cfg.extraOpts != null) cfg.extraOpts} ${lib.optionalString (cfg.extraOpts != null) cfg.extraOpts}

1
nixos/profiles/common/opt-in/impermanence.nix
View file

@ -9,7 +9,6 @@
"/var/log" "/var/log"
"/var/lib" "/var/lib"
"/etc/clash" # clash
"/etc/secureboot" # sbctl, lanzaboote "/etc/secureboot" # sbctl, lanzaboote
]; ];
files = [ files = [