nixos/clash: use systemd LoadCredential

2023-12-26 14:42:06 +08:00 · 2023-12-26 14:42:06 +08:00 · b5b59e3729
commit b5b59e3729
parent 0de1ec8d89
2 changed files with 18 additions and 22 deletions
--- a/nixos/modules/services/clash.nix
+++ b/nixos/modules/services/clash.nix
@ -43,17 +43,17 @@ in {
      serviceConfig = {
        # TODO: DynamicUser
        # DynamicUser = true;
-        # LoadCredential = "credentials:${config.sops.secrets."clash-config".path}";
+        User = config.users.users."clash".name;
+        Group = config.users.groups."clash".name;

        # https://man.archlinux.org/man/systemd.exec.5
        ConfigurationDirectory = "clash";
-        User = config.users.users."clash".name;
-        Group = config.users.groups."clash".name;
+        LoadCredential = "configuration:${cfg.configFile}";
        ExecStart = builtins.replaceStrings ["\n"] [" "] ''
          ${lib.getExe cfg.package}
          -d /etc/clash
          ${lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}"}
-          ${lib.optionalString (cfg.configFile != null) "-f ${cfg.configFile}"}
+          ${lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/configuration"}
          ${lib.optionalString (cfg.extraOpts != null) cfg.extraOpts}
        '';

--- a/users/guanranwang/nixos/profiles/opt-in/clash-meta-client/default.nix
+++ b/users/guanranwang/nixos/profiles/opt-in/clash-meta-client/default.nix
@ -21,24 +21,20 @@
  # TODO: Using example config
  # https://wiki.metacubex.one/example/conf/
  # MetaCubeX/Meta-Docs doesnt look reliable through commit messages, no fetchers was used
-  sops.templates."clash.yaml" = {
-    owner = config.systemd.services."clash".serviceConfig.User;
-    group = config.systemd.services."clash".serviceConfig.Group;
-    content =
-      builtins.readFile ./config.yaml
-      + ''
-        proxy-providers:
-          efcloud:
-            <<: *p
-            url: "${config.sops.placeholder."clash/proxy-providers/efcloud"}"
-          spcloud:
-            <<: *p
-            url: "${config.sops.placeholder."clash/proxy-providers/spcloud"}"
-          #pawdroid:
-          #  <<: *p
-          #  url: "${config.sops.placeholder."clash/proxy-providers/pawdroid"}"
-      '';
-  };
+  sops.templates."clash.yaml".content =
+    builtins.readFile ./config.yaml
+    + ''
+      proxy-providers:
+        efcloud:
+          <<: *p
+          url: "${config.sops.placeholder."clash/proxy-providers/efcloud"}"
+        spcloud:
+          <<: *p
+          url: "${config.sops.placeholder."clash/proxy-providers/spcloud"}"
+        #pawdroid:
+        #  <<: *p
+        #  url: "${config.sops.placeholder."clash/proxy-providers/pawdroid"}"
+    '';

  ### System proxy settings
  networking.proxy.default = "http://127.0.0.1:7890/";