2024-09-17 22:27:11 +08:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
|
|
|
|
...
|
|
|
|
|
}:
|
2023-03-27 14:18:13 +08:00
|
|
|
|
|
|
|
|
{
|
2024-11-25 18:01:42 +08:00
|
|
|
imports = [
|
|
|
|
|
];
|
2023-03-27 14:18:13 +08:00
|
|
|
options.programs.clash-verge = {
|
2023-09-11 14:17:54 +08:00
|
|
|
enable = lib.mkEnableOption "Clash Verge";
|
2024-09-17 22:27:11 +08:00
|
|
|
package = lib.mkOption {
|
|
|
|
|
type = lib.types.package;
|
|
|
|
|
description = ''
|
|
|
|
|
The clash-verge package to use. Available options are
|
|
|
|
|
clash-verge-rev and clash-nyanpasu, both are forks of
|
|
|
|
|
the original clash-verge project.
|
|
|
|
|
'';
|
2024-11-25 18:01:42 +08:00
|
|
|
default = pkgs.clash-verge-rev;
|
|
|
|
|
defaultText = lib.literalExpression "pkgs.clash-verge-rev";
|
2024-09-17 22:27:11 +08:00
|
|
|
};
|
2025-04-28 21:35:57 +08:00
|
|
|
serviceMode = lib.mkEnableOption "Service Mode";
|
|
|
|
|
tunMode = lib.mkEnableOption "Setcap for TUN Mode. DNS settings won't work on this way";
|
2023-09-11 14:17:54 +08:00
|
|
|
autoStart = lib.mkEnableOption "Clash Verge auto launch";
|
2023-03-27 14:18:13 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config =
|
|
|
|
|
let
|
|
|
|
|
cfg = config.programs.clash-verge;
|
|
|
|
|
in
|
|
|
|
|
lib.mkIf cfg.enable {
|
|
|
|
|
|
|
|
|
|
environment.systemPackages = [
|
2024-03-10 20:03:25 +01:00
|
|
|
cfg.package
|
2024-09-17 22:27:11 +08:00
|
|
|
(lib.mkIf cfg.autoStart (
|
|
|
|
|
pkgs.makeAutostartItem {
|
|
|
|
|
name = "clash-verge";
|
|
|
|
|
package = cfg.package;
|
|
|
|
|
}
|
|
|
|
|
))
|
2023-03-27 14:18:13 +08:00
|
|
|
];
|
|
|
|
|
|
2025-04-28 21:35:57 +08:00
|
|
|
security.wrappers.clash-verge = lib.mkIf cfg.tunMode {
|
|
|
|
|
owner = "root";
|
|
|
|
|
group = "root";
|
|
|
|
|
capabilities = "cap_net_bind_service,cap_net_raw,cap_net_admin=+ep";
|
|
|
|
|
source = "${lib.getExe cfg.package}";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
systemd.services.clash-verge = lib.mkIf cfg.serviceMode {
|
2024-11-25 18:01:42 +08:00
|
|
|
enable = true;
|
|
|
|
|
description = "Clash Verge Service Mode";
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
ExecStart = "${cfg.package}/bin/clash-verge-service";
|
|
|
|
|
Restart = "on-failure";
|
2025-04-26 18:06:51 +08:00
|
|
|
ProtectSystem = "strict";
|
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
|
ProtectHostname = true;
|
|
|
|
|
ProtectProc = "invisible";
|
|
|
|
|
ProcSubset = "pid";
|
|
|
|
|
SystemCallArchitectures = "native";
|
|
|
|
|
PrivateTmp = true;
|
|
|
|
|
PrivateMounts = true;
|
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
|
LockPersonality = true;
|
|
|
|
|
RestrictRealtime = true;
|
|
|
|
|
ProtectClock = true;
|
|
|
|
|
MemoryDenyWriteExecute = true;
|
|
|
|
|
RestrictSUIDSGID = true;
|
|
|
|
|
RestrictNamespaces = [ "~user cgroup ipc mnt uts" ];
|
|
|
|
|
RestrictAddressFamilies = [
|
|
|
|
|
"AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_RAW"
|
|
|
|
|
];
|
|
|
|
|
CapabilityBoundingSet = [
|
|
|
|
|
"CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD"
|
|
|
|
|
];
|
|
|
|
|
SystemCallFilter = [
|
|
|
|
|
"~@aio @chown @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @pkey @privileged @raw-io @reboot @sandbox @setuid @swap @timer"
|
|
|
|
|
];
|
|
|
|
|
SystemCallErrorNumber = "EPERM";
|
2024-11-25 18:01:42 +08:00
|
|
|
};
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
2023-03-27 14:18:13 +08:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2024-11-25 18:01:42 +08:00
|
|
|
meta.maintainers = with lib.maintainers; [
|
|
|
|
|
bot-wxt1221
|
|
|
|
|
Guanran928
|
|
|
|
|
];
|
2023-03-27 14:18:13 +08:00
|
|
|
}
|
