nixos/hysteria: cleanup

This commit is contained in:
Guanran Wang 2024-05-01 08:20:34 +08:00
parent c9af571fd4
commit 035afa11fe
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF

View file

@ -14,6 +14,7 @@ in {
mode = lib.mkOption { mode = lib.mkOption {
type = lib.types.enum ["server" "client"]; type = lib.types.enum ["server" "client"];
default = "server"; default = "server";
description = "Whether to use Hysteria as a client or a server.";
}; };
configFile = lib.mkOption { configFile = lib.mkOption {
@ -25,22 +26,40 @@ in {
credentials = lib.mkOption { credentials = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
description = "Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`."; example = lib.literalExpression ''
[
"cert:/tmp/certificate.crt"
"key:/tmp/private-key.key"
];
'';
description = ''
Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
See `systemd.exec(5)` for more information.
'';
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.configFile != null;
message = "A configuration file is required for Hysteria";
}
];
systemd.services."hysteria" = { systemd.services."hysteria" = {
description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy."; description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
documentation = ["https://hysteria.network/docs/getting-started/Installation/"]; documentation = ["https://hysteria.network/"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
after = ["network-online.target"]; after = ["network-online.target"];
wants = ["network-online.target"]; wants = ["network-online.target"];
restartTriggers = [cfg.configFile];
serviceConfig = { serviceConfig = {
ExecStart = lib.concatStringsSep " " [ ExecStart = lib.concatStringsSep " " [
(lib.getExe cfg.package) (lib.getExe cfg.package)
cfg.mode cfg.mode
"--disable-update-check" "--disable-update-check"
"--config $\{CREDENTIALS_DIRECTORY}/config.yaml" "--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
]; ];
DynamicUser = true; DynamicUser = true;
@ -67,7 +86,7 @@ in {
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
RestrictNamespaces = true; RestrictNamespaces = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = "@system-service bpf"; SystemCallFilter = "@system-service";
UMask = "0077"; UMask = "0077";
}; };
}; };