From 0e41e653a4d3a5f4e2e4472d960246a544b1d5b7 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Tue, 9 Jul 2024 21:03:42 +0800
Subject: [PATCH] flake: update lock file

---
 flake.lock | 74 ++++++++++++++---------------
 hosts/lightsail-tokyo/default.nix | 51 ++++++++++----------
 hosts/lightsail-tokyo/secrets.yaml | 8 ++--
 nixos/modules/services/hysteria.nix | 45 +++++++-----------
 4 files changed, 84 insertions(+), 94 deletions(-)

diff --git a/flake.lock b/flake.lock
index 11e73fc..894cc5d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -50,11 +50,11 @@
 ]
 },
 "locked": {
- "lastModified": 1720056646,
- "narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
+ "lastModified": 1720402389,
+ "narHash": "sha256-zJv6euDOrJWMHBhxfp/ay+Dvjwpe8YtMuEI5b09bxmo=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
+ "rev": "f1a00e7f55dc266ef286cc6fc8458fa2b5ca2414",
 "type": "github"
 },
 "original": {
@@ -145,11 +145,11 @@
 ]
 },
 "locked": {
- "lastModified": 1720327769,
- "narHash": "sha256-kAsg3Lg4YKKpGw+f1W2s5hzjP8B0y/juowvjK8utIag=",
+ "lastModified": 1720470846,
+ "narHash": "sha256-7ftA4Bv5KfH4QdTRxqe8/Hz2YTKo+7IQ9n7vbNWgv28=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "6b7ce96f34b324e4e104abc30d06955d216bac71",
+ "rev": "2fb5c1e0a17bc6059fa09dc411a43d75f35bb192",
 "type": "github"
 },
 "original": {
@@ -227,11 +227,11 @@
 ]
 },
 "locked": {
- "lastModified": 1718491861,
- "narHash": "sha256-nnKZRkwXoCtGN8Rgv6FcHttX1JOPWQt2y7yY4Bz/hWk=",
+ "lastModified": 1720421091,
+ "narHash": "sha256-BWvb+z+5LgfjIUIDrNr1Yv5R6ouDLKduZUoJKIQ83as=",
 "ref": "refs/heads/master",
- "rev": "49f55400d06fa113e4b4ae5a6fa97a6d83c59983",
- "revCount": 64,
+ "rev": "012748be4f7011416261ec2d60adde19bf17d010",
+ "revCount": 67,
 "type": "git",
 "url": "https://git.ny4.dev/nyancat/nvim"
 },
@@ -247,11 +247,11 @@
 ]
 },
 "locked": {
- "lastModified": 1720337362,
- "narHash": "sha256-9TNQtlwu97NPaJYsKkdObOsy0MLN4NAOBz0pqwH3KnA=",
+ "lastModified": 1720469887,
+ "narHash": "sha256-BwPsGQ/EMqCreUc5j9Efj+wx13AjREtuHhbyHZygcE4=",
 "owner": "LnL7",
 "repo": "nix-darwin",
- "rev": "0f89b73f41eaa1dde67b291452c181d9a75f10dd",
+ "rev": "fabc653517106127e2ed435fb52e7e8854354428",
 "type": "github"
 },
 "original": {
@@ -324,11 +324,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1719895800,
- "narHash": "sha256-xNbjISJTFailxass4LmdWeV4jNhAlmJPwj46a/GxE6M=",
+ "lastModified": 1720515935,
+ "narHash": "sha256-8b+fzR4W2hI5axwB+4nBwoA15awPKkck4ghhCt8v39M=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "6e253f12b1009053eff5344be5e835f604bb64cd",
+ "rev": "a111ce6b537df12a39874aa9672caa87f8677eda",
 "type": "github"
 },
 "original": {
@@ -354,11 +354,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1720181791,
- "narHash": "sha256-i4vJL12/AdyuQuviMMd1Hk2tsGt02hDNhA0Zj1m16N8=",
+ "lastModified": 1720498663,
+ "narHash": "sha256-juqJkkdAt44mOfA43q1qUHn7iWoK++81lR8Mh7N/EF8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "4284c2b73c8bce4b46a6adf23e16d9e2ec8da4bb",
+ "rev": "106e145e1d4583d1e2bb20e54947d15ad55e75e1",
 "type": "github"
 },
 "original": {
@@ -425,11 +425,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1720352738,
- "narHash": "sha256-S/FwaFfzUaGv81QxJJFWbrWhAAlR+L3S5i2MIujqmcE=",
+ "lastModified": 1720521897,
+ "narHash": "sha256-k/lSErCNGvHj/vI+TXHLuQI9pmEnQBVcKbV3yB3I8NQ=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "18a4856920ac463d8ed386d9830a7742e2cf2c2c",
+ "rev": "4cb066aae41593df9901910e45f9dfd1af5aa743",
 "type": "github"
 },
 "original": {
@@ -454,11 +454,11 @@
 ]
 },
 "locked": {
- "lastModified": 1719259945,
- "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
+ "lastModified": 1720524665,
+ "narHash": "sha256-ni/87oHPZm6Gv0ECYxr1f6uxB0UKBWJ6HvS7lwLU6oY=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
+ "rev": "8d6a17d0cdf411c55f12602624df6368ad86fac1",
 "type": "github"
 },
 "original": {
@@ -506,11 +506,11 @@
 ]
 },
 "locked": {
- "lastModified": 1720318855,
- "narHash": "sha256-w3CCVK9LJ5aznXGkO1IyAlbvMNJfyA+dBF7Z1Zwx1LA=",
+ "lastModified": 1720491570,
+ "narHash": "sha256-PHS2BcQ9kxBpu9GKlDg3uAlrX/ahQOoAiVmwGl6BjD4=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "3eed08a074cd2000884a69d448d70da2843f7103",
+ "rev": "b970af40fdc4bd80fd764796c5f97c15e2b564eb",
 "type": "github"
 },
 "original": {
@@ -545,11 +545,11 @@
 ]
 },
 "locked": {
- "lastModified": 1720321395,
- "narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
+ "lastModified": 1720479166,
+ "narHash": "sha256-jqvhLDXzTLTHq9ZviFOpcTmXXmnbLfz7mWhgMNipMN4=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
+ "rev": "67035a355b1d52d2d238501f8cc1a18706979760",
 "type": "github"
 },
 "original": {
@@ -565,11 +565,11 @@
 ]
 },
 "locked": {
- "lastModified": 1720190661,
- "narHash": "sha256-51aPk6VqCSEuQeGvi/j5pdRyx8UxvqBeph+sXsj94EU=",
+ "lastModified": 1720400448,
+ "narHash": "sha256-v7JVJ8H1PyH7/8EU72mz7wzxJ1OLE/h3NCqQyZ6ONjs=",
 "owner": "nix-community",
 "repo": "srvos",
- "rev": "27dbc690931cc30f2c4bb2ff39e46490c3b6421d",
+ "rev": "21a3259985e3cddc455f64ad66d4a825b39934ad",
 "type": "github"
 },
 "original": {
@@ -600,11 +600,11 @@
 ]
 },
 "locked": {
- "lastModified": 1719887753,
- "narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
+ "lastModified": 1720507012,
+ "narHash": "sha256-QIeZ43t9IVB4dLsFaWh2f4C7JSRfK7p+Y1U9dULsLXU=",
 "owner": "numtide",
 "repo": "treefmt-nix",
- "rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
+ "rev": "8b63fe8cf7892c59b3df27cbcab4d5644035d72f",
 "type": "github"
 },
 "original": {
diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix
index 6334ede..f092acd 100644
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@@ -40,21 +40,6 @@
 restartUnits = ["searx.service"];
 };
 };
-
- templates = {
- "hysteria.yaml".content = ''
- tls:
- cert: /run/credentials/hysteria.service/cert
- key: /run/credentials/hysteria.service/key
-
- masquerade:
- type: proxy
- proxy:
- url: https://ny4.dev/
-
- ${config.sops.placeholder."hysteria/auth"}
- '';
- };
 };
 ### Services
@@ -76,12 +61,12 @@
 "element" = pkgs.element-web.override {
 element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
- version = "1.11.70-rc.0";
+ version = "1.11.70";
 src = oldAttrs.src.overrideAttrs {
- outputHash = "sha256-LnPqwXczECH7XnVvGnoUQpZct2jmGEFVpJ1nTewAHC8=";
+ outputHash = "sha256-kx6xQIuYSXkkBTYb+fZLL3cuHFcNj7RkC60o6Fyp8LI=";
 };
 offlineCache = oldAttrs.offlineCache.overrideAttrs {
- outputHash = "sha256-yAAZXnxrBGuTWUJcL6Su0F5H2D5MNg9PUU7Uj8XT8N8=";
+ outputHash = "sha256-q/KbpU/haBhXZbGBITLYSywCluwN6ZZarVLmzB9tDN8=";
 };
 });
@@ -97,14 +82,32 @@
 services.hysteria = {
 enable = true;
- configFile = config.sops.templates."hysteria.yaml".path;
- credentials = [
- # FIXME: remove hardcoded path
- "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
- "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
- ];
+ settings = {
+ auth = {
+ type = "userpass";
+ userpass = {
+ _secret = "/run/credentials/hysteria.service/auth";
+ quote = false;
+ };
+ };
+ masquerade = {
+ type = "proxy";
+ proxy.url = "https://ny4.dev/";
+ };
+ tls = {
+ cert = "/run/credentials/hysteria.service/cert";
+ key = "/run/credentials/hysteria.service/key";
+ };
+ };
 };
+ systemd.services."hysteria".serviceConfig.LoadCredential = [
+ # FIXME: remove hardcoded path
+ "auth:${config.sops.secrets."hysteria/auth".path}"
+ "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
+ "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
+ ];
+
 # `journalctl -u murmur.service | grep Password`
 services.murmur = {
 enable = true;
diff --git a/hosts/lightsail-tokyo/secrets.yaml b/hosts/lightsail-tokyo/secrets.yaml
index 766f03e..a832d48 100644
--- a/hosts/lightsail-tokyo/secrets.yaml
+++ b/hosts/lightsail-tokyo/secrets.yaml
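Review bot: The `auth.userpass` entry is declared with `_secret = "/run/credentials/hysteria.service/auth"` and `quote = false`, which changes the contract of the `hysteria/auth` sops secret without saying so anywhere: the removed template dropped the secret into YAML as a free-form fragment, while an unquoted `_secret` is spliced into config.json as-is, so the file must now hold Hysteria's userpass mapping as a JSON object (presumably `{"<user>": "<password>"}`) and, if I read `genJqSecretsReplacementSnippet` right, anything that is not valid JSON makes the preStart replacement fail and the unit never start. A comment on the `_secret` line would save the next person a debugging session, e.g. `# sops secret must be a JSON object of user -> password; it is inserted into config.json verbatim (quote = false)`. Separately, the `# FIXME: remove hardcoded path` comment moved into the LoadCredential list now sits above the `auth:` entry, which is not hardcoded; it belongs directly above the two Caddy certificate paths it describes.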
@@ -1,5 +1,5 @@
 hysteria:
- auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
+ auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
 searx:
 environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
 pixivfe:
@@ -28,8 +28,8 @@ sops:
 R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
 3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-21T07:19:35Z"
- mac: ENC[AES256_GCM,data:1zG5at1zfjbnnHcZ1Vy7aJxMjaZpE9aL3QlAaxyQ7GYle05z/4PqIdampd7p1WrMWNWqkxkUFazTCpQF9faR0qbnZ2zyOWk45ZtBGZSEhvHRFke6JjwPv4fi35ozHL4JiuP76kGivegvR2OgQ7NH6HJBoZgEqduu+YISJlrvJVs=,iv:p/v8BnUmOCYsaXtUeaVq5MKLk69as3XkQsG688tYkiE=,tag:if6U/qbzrNdYaqLcQbGe6Q==,type:str]
+ lastmodified: "2024-07-09T11:50:11Z"
+ mac: ENC[AES256_GCM,data:kzxia2Bygi0YR24/dJfKZR3jF99IhIGGIZFJnIo5kp7/PZfQE2EbgD5yTFrSX9+Ur5u8a169UVEtveJ+uR59bX3DsjZDPRSWRMmWJodLcZifx+oSSGmhYufC61D3pVa+Jv2mwKf8UTKdb2oQtk/8bNrMuonedX8hPz+wZJQyMD0=,iv:VxBeb5QTaF5snKNtc51XFtwAdydnOyX8CGhxBjyBTQ0=,tag:vQEJJubHv3dRazmr1bAcnQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.0
diff --git a/nixos/modules/services/hysteria.nix b/nixos/modules/services/hysteria.nix
index 17e08b8..140c385 100644
--- a/nixos/modules/services/hysteria.nix
+++ b/nixos/modules/services/hysteria.nix
@@ -1,10 +1,12 @@
 {
- pkgs,
 config,
 lib,
+ pkgs,
+ utils,
 ...
 }: let
 cfg = config.services.hysteria;
+ settingsFormat = pkgs.formats.json {};
 in {
 options.services.hysteria = {
 enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
@@ -17,54 +19,39 @@ in {
 description = "Whether to use Hysteria as a client or a server.";
 };
- configFile = lib.mkOption {
- default = null;
- type = lib.types.nullOr lib.types.path;
- description = "Configuration file to use.";
- };
-
- credentials = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = [];
- example = lib.literalExpression ''
- [
- "cert:/tmp/certificate.crt"
- "key:/tmp/private-key.key"
- ];
- '';
+ settings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType = settingsFormat.type;
+ };
+ default = {};
 description = ''
- Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
+ The Hysteria configuration, see https://hysteria.network/ for documentation.
-
- See `systemd.exec(5)` for more information.
+ Options containing secret data should be set to an attribute set
+ containing the attribute `_secret` - a string pointing to a file
+ containing the value the option should be set to.
+
+ Ignored when `services.hysteria.configFile` is set.
 '';
 };
 };
 config = lib.mkIf cfg.enable {
- assertions = [
- {
- assertion = cfg.configFile != null;
- message = "A configuration file is required for Hysteria";
- }
- ];
-
 systemd.services."hysteria" = {
 description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
 documentation = ["https://hysteria.network/"];
 wantedBy = ["multi-user.target"];
 after = ["network-online.target"];
 wants = ["network-online.target"];
- restartTriggers = [cfg.configFile];
+ preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json";
 serviceConfig = {
 ExecStart = lib.concatStringsSep " " [
 (lib.getExe cfg.package)
 cfg.mode
- "--disable-update-check"
- "--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
+ "--config /var/lib/private/hysteria/config.json"
 ];
 DynamicUser = true;
 StateDirectory = "hysteria";
- LoadCredential = ["config.yaml:${cfg.configFile}"] ++ cfg.credentials;
 ### Hardening
 AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
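Review bot: The new `settings` description ends with `Ignored when `services.hysteria.configFile` is set.`, but this same hunk deletes the `configFile` option, so the sentence refers to something that no longer exists and should be removed. The rewritten ExecStart also drops `--disable-update-check` together with the `--config` line it replaces; if that was not intended, keep the flag, since the daemon will presumably contact its update endpoint on its own otherwise, which is an outbound connection this service did not make before. As a matter of style, `/var/lib/private/hysteria/config.json` is now spelled out twice although `StateDirectory = "hysteria"` already defines that directory; writing `$STATE_DIRECTORY/config.json` in both preStart and ExecStart (the old ExecStart already relied on the same systemd variable expansion for `CREDENTIALS_DIRECTORY`) would keep the two in sync and stop depending on the `private/` layout that DynamicUser happens to use, assuming the jq snippet lets the shell expand the output path.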