nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos/hysteria: cleanup

Browse source
This commit is contained in:
Guanran Wang 2024-05-01 08:20:34 +08:00
parent c9af571fd4
commit 035afa11fe
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
1 changed files with 23 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
nixos/modules/services/hysteria.nix
View file

@ -14,6 +14,7 @@ in {
mode = lib.mkOption {
type = lib.types.enum ["server" "client"];
default = "server";
description = "Whether to use Hysteria as a client or a server.";
};
configFile = lib.mkOption {
@ -25,22 +26,40 @@ in {
credentials = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.";
example = lib.literalExpression ''
[
"cert:/tmp/certificate.crt"
"key:/tmp/private-key.key"
];
'';
description = ''
Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
See `systemd.exec(5)` for more information.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.configFile != null;
message = "A configuration file is required for Hysteria";
}
];
systemd.services."hysteria" = {
description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
documentation = ["https://hysteria.network/docs/getting-started/Installation/"];
documentation = ["https://hysteria.network/"];
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = ["network-online.target"];
restartTriggers = [cfg.configFile];
serviceConfig = {
ExecStart = lib.concatStringsSep " " [
(lib.getExe cfg.package)
cfg.mode
"--disable-update-check"
"--config $\{CREDENTIALS_DIRECTORY}/config.yaml"
"--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
];
DynamicUser = true;
@ -67,7 +86,7 @@ in {
RestrictSUIDSGID = true;
RestrictNamespaces = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service bpf";
SystemCallFilter = "@system-service";
UMask = "0077";
};
};