nixos/clash: init

This commit is contained in:
Guanran Wang 2023-12-21 11:59:19 +08:00
parent 2cf6f52c8b
commit dfd022660c
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
5 changed files with 66 additions and 41 deletions

View file

@ -2,5 +2,8 @@
imports = [
# utils that is used internally
./myFlake
# nixpkgs styled options
./services
];
}

View file

@ -0,0 +1,47 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.services.clash;
in {
options.services.clash = {
enable = lib.mkEnableOption "Whether to enable Clash.";
package = lib.mkPackageOption pkgs "clash" {};
};
config = lib.mkIf cfg.enable {
### User running clash
users.groups."clash" = {};
users.users."clash" = {
isSystemUser = true;
group = config.users.groups."clash".name;
};
### systemd service
systemd.services."clash" = {
description = "Clash Daemon";
after = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
WorkingDirectory = "/etc/clash";
User = [config.users.users."clash".name];
Group = [config.users.groups."clash".name];
ExecStart = "${lib.getExe cfg.package} -d /etc/clash";
Restart = "on-failure";
CapabilityBoundingSet = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
};
};
};
}

View file

@ -0,0 +1,5 @@
{...}: {
imports = [
./clash.nix
];
}

View file

@ -9,7 +9,7 @@
"/var/log"
"/var/lib"
"/etc/clash-meta" # clash-meta
"/etc/clash" # clash
"/etc/secureboot" # sbctl, lanzaboote
];
files = [

View file

@ -2,54 +2,24 @@
pkgs,
config,
inputs,
lib,
...
}: {
services.clash = {
enable = true;
package = pkgs.clash-meta;
};
### sops-nix
sops.secrets."clash-config" = {
owner = config.users.users."clash-meta".name;
group = config.users.groups."clash-meta".name;
restartUnits = ["clash-meta.service"];
path = "/etc/clash-meta/config.yaml";
owner = config.users.users."clash".name;
group = config.users.groups."clash".name;
restartUnits = ["clash.service"];
path = "/etc/clash/config.yaml";
};
### System proxy settings
networking.proxy.default = "http://127.0.0.1:7890/";
### User running proxy service
users.groups."clash-meta" = {};
users.users."clash-meta" = {
isSystemUser = true;
group = config.users.groups."clash-meta".name;
};
### Proxy service
systemd.services."clash-meta" = {
description = "Clash.Meta Client";
after = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
WorkingDirectory = "/etc/clash-meta";
User = [config.users.users."clash-meta".name];
Group = [config.users.groups."clash-meta".name];
ExecStart = "${lib.getExe pkgs.clash-meta} -d /etc/clash-meta";
Restart = "on-failure";
CapabilityBoundingSet = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
};
};
### Local Clash WebUI
# You can also use the following website, just in case:
# - metacubexd:
@ -60,5 +30,5 @@
# - https://yacd.haishan.me
# - clash-dashboard (buggy):
# - https://clash.razord.top
environment.etc."clash-meta/metacubexd".source = inputs.self.packages.${pkgs.system}.metacubexd;
environment.etc."clash/metacubexd".source = inputs.self.packages.${pkgs.system}.metacubexd;
}