From de27bd212c6d3cb84487fd3d1dfa560a2df0415e Mon Sep 17 00:00:00 2001
From: Yingchi Long
Date: Fri, 29 Dec 2023 18:13:17 +0800
Subject: [PATCH] nixos/modules/clash: add permissions to open /dev/net/tun
---
 nixos/modules/clash/default.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/nixos/modules/clash/default.nix b/nixos/modules/clash/default.nix
index 1d9e5f6..6d99110 100644
--- a/nixos/modules/clash/default.nix
+++ b/nixos/modules/clash/default.nix
@@ -48,10 +48,9 @@ in
 Restart = "on-failure";
 CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
 AmbientCapabilities = CapabilityBoundingSet;
+ DeviceAllowed = [ "/dev/net/tun" ];
 ProtectSystem = "strict";
 ProtectHome = "yes";
- PrivateDevices = "yes";
- PrivateUsers = "yes";
 ProtectHostname = "yes";
 ProtectClock = "yes";
 ProtectKernelTunables = "yes";
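Review bot: `DeviceAllowed` on the added line is not a systemd directive; the setting is spelled `DeviceAllow`, and systemd skips unknown keys with only a log warning, so this line most likely has no effect. If so, the service can open /dev/net/tun only because `PrivateDevices` was removed, which leaves it with the host's full /dev and no device allow-list at all. To keep the device surface narrow, I would write `DeviceAllow = [ "/dev/net/tun rw" ];` together with `DevicePolicy = "closed";`, which permits the TUN node plus the standard pseudo-devices and nothing else. The removal of `PrivateUsers` deserves a short comment, for example `# PrivateUsers confines the capabilities to a user namespace, so CAP_NET_ADMIN cannot configure the host TUN device`, assuming that is the reason it was dropped. The enclosing attribute set starts and ends outside this hunk, so any other hardening options it sets are not visible here.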