From 01ed2c36768581c991a00e03ddcd66741caed491 Mon Sep 17 00:00:00 2001
From: Yingchi Long
Date: Fri, 29 Dec 2023 18:13:17 +0800
Subject: [PATCH] nixos/modules/clash: add permissions to open /dev/net/tun
---
 nixos/modules/clash/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/clash/default.nix b/nixos/modules/clash/default.nix
index 1d9e5f6..d3ea3d6 100644
--- a/nixos/modules/clash/default.nix
+++ b/nixos/modules/clash/default.nix
@@ -48,9 +48,9 @@ in
 Restart = "on-failure";
 CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
 AmbientCapabilities = CapabilityBoundingSet;
+ DeviceAllowed = [ "/dev/net/tun" ];
 ProtectSystem = "strict";
 ProtectHome = "yes";
- PrivateDevices = "yes";
 PrivateUsers = "yes";
 ProtectHostname = "yes";
 ProtectClock = "yes";
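Review bot: `DeviceAllowed` on the added line is not a systemd directive; the setting is spelled `DeviceAllow=`, and as far as I know systemd only logs a warning for an unknown key in `[Service]` and ignores it, so nothing fails at build or start time to catch the typo. With `PrivateDevices = "yes"` removed in the same hunk, the unit would then run with no device-cgroup restriction at all instead of access limited to the TUN node. I would change the line to `DeviceAllow = [ "/dev/net/tun rw" ];`, optionally adding `DevicePolicy = "closed";` to make the intent explicit, and confirm the result with `systemd-analyze security` on the unit. The serviceConfig attribute set begins and ends outside this hunk, so a `DevicePolicy` already set elsewhere in it cannot be ruled out.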