10
-
(lib.mkRemovedOptionModule [ "programs" "clash-verge" "tunMode" ] ''
11
-
The tunMode will work with service mode which is enabled by default.
options.programs.clash-verge = {
enable = lib.mkEnableOption "Clash Verge";
default = pkgs.clash-verge-rev;
defaultText = lib.literalExpression "pkgs.clash-verge-rev";
23
+
serviceMode = lib.mkEnableOption "Service Mode";
24
+
tunMode = lib.mkEnableOption "Setcap for TUN Mode. DNS settings won't work on this way";
autoStart = lib.mkEnableOption "Clash Verge auto launch";
45
-
systemd.services.clash-verge = {
44
+
security.wrappers.clash-verge = lib.mkIf cfg.tunMode {
47
+
capabilities = "cap_net_bind_service,cap_net_raw,cap_net_admin=+ep";
48
+
source = "${lib.getExe cfg.package}";
51
+
systemd.services.clash-verge = lib.mkIf cfg.serviceMode {
description = "Clash Verge Service Mode";
ExecStart = "${cfg.package}/bin/clash-verge-service";
57
+
ProtectSystem = "strict";
58
+
NoNewPrivileges = true;
59
+
ProtectHostname = true;
60
+
ProtectProc = "invisible";
62
+
SystemCallArchitectures = "native";
64
+
PrivateMounts = true;
65
+
ProtectKernelTunables = true;
66
+
ProtectKernelModules = true;
67
+
ProtectKernelLogs = true;
68
+
ProtectControlGroups = true;
69
+
LockPersonality = true;
70
+
RestrictRealtime = true;
71
+
ProtectClock = true;
72
+
MemoryDenyWriteExecute = true;
73
+
RestrictSUIDSGID = true;
74
+
RestrictNamespaces = [ "~user cgroup ipc mnt uts" ];
75
+
RestrictAddressFamilies = [
76
+
"AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_RAW"
78
+
CapabilityBoundingSet = [
79
+
"CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD"
81
+
SystemCallFilter = [
82
+
"~@aio @chown @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @pkey @privileged @raw-io @reboot @sandbox @setuid @swap @timer"
84
+
SystemCallErrorNumber = "EPERM";
wantedBy = [ "multi-user.target" ];