author | Guanran Wang <guanran928@outlook.com> | 2024-02-10 22:23:36 +0800 |
---|---|---|
committer | Guanran Wang <guanran928@outlook.com> | 2024-03-11 09:51:36 +0800 |
commit | a6857b00fe466d887d615b33dd262584a066faac (patch) | |
tree | f9ced26c1705d5814239f4949d05c149f1097e8a /nixos | |
parent | c41ece2391fdc2351e839a9d9bb9cc561480ddea (diff) | |
nixos/mihomo: init
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/mihomo.nix | 118 |
2 files changed, 119 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 41e369ac1c65..58da622b1b07 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1018,6 +1018,7 @@
 ./services/networking/lxd-image-server.nix
 ./services/networking/magic-wormhole-mailbox-server.nix
 ./services/networking/matterbridge.nix
+ ./services/networking/mihomo.nix
 ./services/networking/minidlna.nix
 ./services/networking/miniupnpd.nix
 ./services/networking/miredo.nix
diff --git a/nixos/modules/services/networking/mihomo.nix b/nixos/modules/services/networking/mihomo.nix
new file mode 100644
index 000000000000..ae700603b529
--- /dev/null
+++ b/nixos/modules/services/networking/mihomo.nix
@@ -0,0 +1,118 @@
+# NOTE:
+# cfg.configFile contains secrets such as proxy servers' credential!
+# we dont want plaintext secrets in world-readable `/nix/store`.
+
+{ lib
+, config
+, pkgs
+, ...
+}:
+let
+ cfg = config.services.mihomo;
+in
+{
+ options.services.mihomo = {
+ enable = lib.mkEnableOption "Mihomo, A rule-based proxy in Go.";
+
+ package = lib.mkPackageOption pkgs "mihomo" { };
+
+ configFile = lib.mkOption {
+ default = null;
+ type = lib.types.nullOr lib.types.path;
+ description = "Configuration file to use.";
+ };
+
+ webui = lib.mkOption {
+ default = null;
+ type = lib.types.nullOr lib.types.path;
+ description = ''
+ Local web interface to use.
+
+ You can also use the following website, just in case:
+ - metacubexd:
+ - https://d.metacubex.one
+ - https://metacubex.github.io/metacubexd
+ - https://metacubexd.pages.dev
+ - yacd:
+ - https://yacd.haishan.me
+ - clash-dashboard (buggy):
+ - https://clash.razord.top
+ '';
+ };
+
+ extraOpts = lib.mkOption {
+ default = null;
+ type = lib.types.nullOr lib.types.str;
+ description = "Extra command line options to use.";
+ };
+
+ tunMode = lib.mkEnableOption ''
+ necessary permission for Mihomo's systemd service for TUN mode to function properly.
+
+ Keep in mind, that you still need to enable TUN mode manually in Mihomo's configuration.
+ '';
+ };
+
+ config = lib.mkIf cfg.enable {
+ ### systemd service
+ systemd.services."mihomo" = {
+ description = "Mihomo daemon, A rule-based proxy in Go.";
+ documentation = [ "https://wiki.metacubex.one/" ];
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig =
+ {
+ ExecStart = lib.concatStringsSep " " [
+ (lib.getExe cfg.package)
+ "-d /var/lib/private/mihomo"
+ (lib.optionalString (cfg.configFile != null) "-f \${CREDENTIALS_DIRECTORY}/config.yaml")
+ (lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
+ (lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
+ ];
+
+ DynamicUser = true;
+ StateDirectory = "mihomo";
+ LoadCredential = "config.yaml:${cfg.configFile}";
+
+ ### Hardening
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+ DeviceAllow = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictNamespaces = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service bpf";
+ UMask = "0077";
+ }
+ // lib.optionalAttrs cfg.tunMode {
+ AmbientCapabilities = "CAP_NET_ADMIN";
+ CapabilityBoundingSet = "CAP_NET_ADMIN";
+ PrivateDevices = false;
+ PrivateUsers = false;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
+ };
+ };
+ };
+
+ meta.maintainers = with lib.maintainers; [ Guanran928 ];
+} |
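Review bot: `LoadCredential = "config.yaml:${cfg.configFile}";` in serviceConfig is set unconditionally, so with the option's default `configFile = null` evaluation fails (Nix cannot coerce null to a string) even though the `-f` flag in ExecStart is already guarded; guard it the same way, `LoadCredential = lib.mkIf (cfg.configFile != null) "config.yaml:${cfg.configFile}";`. The header NOTE says the credential-bearing config must stay out of the world-readable store, yet `configFile` is declared as `types.path`, which copies a Nix path literal such as `./config.yaml` into /nix/store before LoadCredential ever sees it; the option description should carry that caveat, e.g. `Pass an absolute string path (e.g. "/etc/mihomo/config.yaml"), not a path literal, otherwise the file and the proxy credentials in it are copied into the world-readable Nix store.` For tunMode, `DeviceAllow = ""` together with `PrivateDevices = false` appears to leave device access unrestricted; adding `DeviceAllow = "/dev/net/tun rw";` to the tunMode override would presumably keep the service limited to the one device it needs, though I have not confirmed mihomo touches nothing else under /dev.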