nixos/clash: cleanup
This commit is contained in:
parent
b4a9fa903f
commit
e403ee5821
1 changed files with 11 additions and 14 deletions
@ -40,31 +40,29 @@ in {
config = lib.mkIf cfg.enable {
config = lib.mkIf cfg.enable {
### systemd service
### systemd service
# https://en.clash.wiki/introduction/service.html#systemd
# https://wiki.metacubex.one/startup/service/#systemd
systemd.services."clash" = {
systemd.services."clash" = {
description = "Clash daemon, A rule-based proxy in Go.";
description = "Clash daemon, A rule-based proxy in Go.";
documentation = ["https://clash.wiki/" "https://wiki.metacubex.one/"];
after = ["network-online.target"];
after = ["network-online.target"];
wantedBy = ["multi-user.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
serviceConfig = {
# https://man.archlinux.org/man/systemd.exec.5
ExecStart = builtins.concatStringsSep " " [
(lib.getExe cfg.package)
"-d /var/lib/private/clash"
(lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/configuration")
(lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
(lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
];
DynamicUser = true;
DynamicUser = true;
StateDirectory = "clash";
StateDirectory = "clash";
LoadCredential = "configuration:${cfg.configFile}";
LoadCredential = "configuration:${cfg.configFile}";
ExecStart = builtins.replaceStrings ["\n"] [" "] ''
${lib.getExe cfg.package}
-d /var/lib/private/clash
${lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/configuration"}
${lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}"}
${lib.optionalString (cfg.extraOpts != null) cfg.extraOpts}
'';
# Capability, inherited from Clash wiki
### Hardening
# https://man.archlinux.org/man/core/man-pages/capabilities.7.en
# Experimental, since I have no idea what am I doing...
CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
# Hardening, experimental since I have no idea what am I doing
NoNewPrivileges = true;
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
LockPersonality = true;
@ -83,7 +81,6 @@ in {
ProtectKernelTunables = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateDevices = true;
#PrivateNetwork = true;
PrivateTmp = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateUsers = true;
PrivateMounts = true;
PrivateMounts = true;
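Review bot: The new `ExecStart` list joins `cfg.webui` and `cfg.extraOpts` into the unit command line unescaped, so a `webui` path containing whitespace or quotes is re-split by systemd's ExecStart word splitting instead of arriving as a single argument (the removed `replaceStrings` form had the same gap; the list form is the natural place to fix it, e.g. with `utils.escapeSystemdExecArgs` if `utils` is among the module arguments, though a free-form `extraOpts` string cannot be escaped per argument without changing its option type). `LoadCredential = "configuration:${cfg.configFile}"` stays unconditional while the `-f` flag is guarded by `cfg.configFile != null`, so a null `configFile` fails at evaluation rather than simply omitting the credential; `LoadCredential = lib.mkIf (cfg.configFile != null) "configuration:${cfg.configFile}";` keeps the two consistent. If `configFile` is declared with a `path` type, interpolating it copies the file into the world-readable Nix store, which undercuts loading it through `LoadCredential` — presumably it is a string, but worth confirming in the option declaration outside this hunk. The `\${CREDENTIALS_DIRECTORY}` escape is correct: Nix emits the literal `${...}` for systemd to expand at runtime.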