nixos/clash: use systemd DynamicUser

Guanran Wang 2024-01-02 17:45:55 +08:00
parent 00aab46112
commit b4a9fa903f
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
2 changed files with 3 additions and 15 deletions


@ -39,13 +39,6 @@ in {
};
config = lib.mkIf cfg.enable {
### User running clash
users.groups."clash" = {};
users.users."clash" = {
isSystemUser = true;
group = config.users.groups."clash".name;
};
### systemd service
# https://en.clash.wiki/introduction/service.html#systemd
# https://wiki.metacubex.one/startup/service/#systemd
@ -54,17 +47,13 @@ in {
after = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
# TODO: DynamicUser
# DynamicUser = true;
User = config.users.users."clash".name;
Group = config.users.groups."clash".name;
# https://man.archlinux.org/man/systemd.exec.5
ConfigurationDirectory = "clash";
DynamicUser = true;
StateDirectory = "clash";
LoadCredential = "configuration:${cfg.configFile}";
ExecStart = builtins.replaceStrings ["\n"] [" "] ''
${lib.getExe cfg.package}
-d /etc/clash
-d /var/lib/private/clash
${lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/configuration"}
${lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}"}
${lib.optionalString (cfg.extraOpts != null) cfg.extraOpts}
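Review bot: The `-d /var/lib/private/clash` argument in ExecStart hard-codes the location systemd uses for `StateDirectory` under `DynamicUser = true`, so the path goes stale if either setting is changed later. systemd already exposes that directory to the unit, so the line could be `-d %S/clash`, or use the `STATE_DIRECTORY` environment variable the same way `CREDENTIALS_DIRECTORY` is used on the next line. Separately, `LoadCredential = "configuration:${cfg.configFile}";` is interpolated unconditionally while the `-f` flag is guarded by `cfg.configFile != null`. If the option can actually be null (its declaration is outside this hunk), the credential line needs the same guard, for example `lib.mkIf (cfg.configFile != null)`. The `serviceConfig` block starts and ends outside the visible hunk.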


@ -9,7 +9,6 @@
"/var/log"
"/var/lib"
"/etc/clash" # clash
"/etc/secureboot" # sbctl, lanzaboote
];
files = [