nix-router/services/clash.nix

{ config, pkgs, ... }:
{
    systemd.services.clash = {
        wantedBy = [ "multi-user.target" ];
        after = [ "network-online.target" ];
        description = "Clash Service";
        serviceConfig = {
            Type = "simple";
            User = "clash";
            Group = "clash";
            ExecStartPre = "ip rule add fwmark 0x233 lookup 100 && ip route add local 0.0.0.0/0 dev lo table 100";
            ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash";
            ExecStop = "ip route del local && ip rule del fwmark 0x233 lookup 100";
            Restart = "on-failure";
            CapabilityBoundingSet="CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW";
            AmbientCapabilities="CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW";
        };
    };
    environment.systemPackages = [ pkgs.clash-meta ];
}