diff --git a/nixos/modules/services/hysteria.nix b/nixos/modules/services/hysteria.nix index fc5612d..17e08b8 100644 --- a/nixos/modules/services/hysteria.nix +++ b/nixos/modules/services/hysteria.nix @@ -14,6 +14,7 @@ in { mode = lib.mkOption { type = lib.types.enum ["server" "client"]; default = "server"; + description = "Whether to use Hysteria as a client or a server."; }; configFile = lib.mkOption { @@ -25,22 +26,40 @@ in { credentials = lib.mkOption { type = lib.types.listOf lib.types.str; default = []; - description = "Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`."; + example = lib.literalExpression '' + [ + "cert:/tmp/certificate.crt" + "key:/tmp/private-key.key" + ]; + ''; + description = '' + Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`. + + See `systemd.exec(5)` for more information. + ''; }; }; config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = cfg.configFile != null; + message = "A configuration file is required for Hysteria"; + } + ]; + systemd.services."hysteria" = { description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy."; - documentation = ["https://hysteria.network/docs/getting-started/Installation/"]; + documentation = ["https://hysteria.network/"]; wantedBy = ["multi-user.target"]; after = ["network-online.target"]; wants = ["network-online.target"]; + restartTriggers = [cfg.configFile]; serviceConfig = { ExecStart = lib.concatStringsSep " " [ (lib.getExe cfg.package) cfg.mode "--disable-update-check" - "--config $\{CREDENTIALS_DIRECTORY}/config.yaml" + "--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats ]; DynamicUser = true; @@ -67,7 +86,7 @@ in { RestrictSUIDSGID = true; RestrictNamespaces = true; SystemCallArchitectures = "native"; - SystemCallFilter = "@system-service bpf"; + SystemCallFilter = "@system-service"; UMask = "0077"; }; };