nixos/hysteria: cleanup
This commit is contained in:
parent
c9af571fd4
commit
035afa11fe
1 changed files with 23 additions and 4 deletions
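--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -14,6 +14,7 @@ in {
 mode = lib.mkOption {
 type = lib.types.enum ["server" "client"];
 default = "server";
+description = "Whether to use Hysteria as a client or a server.";
 };
 
 configFile = lib.mkOption {
@@ -25,22 +26,40 @@ in {
 credentials = lib.mkOption {
 type = lib.types.listOf lib.types.str;
 default = [];
-description = "Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.";
+example = lib.literalExpression ''
+[
+"cert:/tmp/certificate.crt"
+"key:/tmp/private-key.key"
+];
+'';
+description = ''
+Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
+
+See `systemd.exec(5)` for more information.
+'';
 };
 };
 config = lib.mkIf cfg.enable {
+assertions = [
+{
+assertion = cfg.configFile != null;
+message = "A configuration file is required for Hysteria";
+}
+];
+
 systemd.services."hysteria" = {
 description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
-documentation = ["https://hysteria.network/docs/getting-started/Installation/"];
+documentation = ["https://hysteria.network/"];
 wantedBy = ["multi-user.target"];
 after = ["network-online.target"];
 wants = ["network-online.target"];
+restartTriggers = [cfg.configFile];
 serviceConfig = {
 ExecStart = lib.concatStringsSep " " [
 (lib.getExe cfg.package)
 cfg.mode
 "--disable-update-check"
-"--config $\{CREDENTIALS_DIRECTORY}/config.yaml"
+"--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
 ];
 
 DynamicUser = true;
@@ -67,7 +86,7 @@ in {
 RestrictSUIDSGID = true;
 RestrictNamespaces = true;
 SystemCallArchitectures = "native";
-SystemCallFilter = "@system-service bpf";
+SystemCallFilter = "@system-service";
 UMask = "0077";
 };
 };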
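Review bot: The new `example` for `credentials` points both the certificate and the private key at `/tmp/…`, a world-writable directory that readers of module documentation tend to copy verbatim; an example under a root-owned location such as `"key:/var/lib/hysteria/private-key.key"` (placeholder path) would show the intended practice instead. In the same option, the description hard-codes `/run/credentials/hysteria.service/foobar` while `ExecStart` a few lines below already relies on `$CREDENTIALS_DIRECTORY`; phrasing it as `available under $CREDENTIALS_DIRECTORY/<name>` keeps the docs accurate if the unit is ever renamed. If the list is consumed through `LoadCredential=` outside this hunk, naming that setting in the description would make the `name:path` format of the entries self-explanatory. The `configFile` assertion is a welcome addition; the option's definition and the place where it is loaded as a credential are outside the hunk.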