flake: update lock file

2024-07-09 21:03:42 +08:00 · 2024-07-09 21:03:42 +08:00 · 0e41e653a4
commit 0e41e653a4
parent a20a63696f
4 changed files with 84 additions and 94 deletions
--- a/flake.lock
+++ b/flake.lock
@ -50,11 +50,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720056646,
+        "lastModified": 1720402389,
-        "narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
+        "narHash": "sha256-zJv6euDOrJWMHBhxfp/ay+Dvjwpe8YtMuEI5b09bxmo=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
+        "rev": "f1a00e7f55dc266ef286cc6fc8458fa2b5ca2414",
        "type": "github"
      },
      "original": {
@ -145,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720327769,
+        "lastModified": 1720470846,
-        "narHash": "sha256-kAsg3Lg4YKKpGw+f1W2s5hzjP8B0y/juowvjK8utIag=",
+        "narHash": "sha256-7ftA4Bv5KfH4QdTRxqe8/Hz2YTKo+7IQ9n7vbNWgv28=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6b7ce96f34b324e4e104abc30d06955d216bac71",
+        "rev": "2fb5c1e0a17bc6059fa09dc411a43d75f35bb192",
        "type": "github"
      },
      "original": {
@ -227,11 +227,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718491861,
+        "lastModified": 1720421091,
-        "narHash": "sha256-nnKZRkwXoCtGN8Rgv6FcHttX1JOPWQt2y7yY4Bz/hWk=",
+        "narHash": "sha256-BWvb+z+5LgfjIUIDrNr1Yv5R6ouDLKduZUoJKIQ83as=",
        "ref": "refs/heads/master",
-        "rev": "49f55400d06fa113e4b4ae5a6fa97a6d83c59983",
+        "rev": "012748be4f7011416261ec2d60adde19bf17d010",
-        "revCount": 64,
+        "revCount": 67,
        "type": "git",
        "url": "https://git.ny4.dev/nyancat/nvim"
      },
@ -247,11 +247,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720337362,
+        "lastModified": 1720469887,
-        "narHash": "sha256-9TNQtlwu97NPaJYsKkdObOsy0MLN4NAOBz0pqwH3KnA=",
+        "narHash": "sha256-BwPsGQ/EMqCreUc5j9Efj+wx13AjREtuHhbyHZygcE4=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "0f89b73f41eaa1dde67b291452c181d9a75f10dd",
+        "rev": "fabc653517106127e2ed435fb52e7e8854354428",
        "type": "github"
      },
      "original": {
@ -324,11 +324,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1719895800,
+        "lastModified": 1720515935,
-        "narHash": "sha256-xNbjISJTFailxass4LmdWeV4jNhAlmJPwj46a/GxE6M=",
+        "narHash": "sha256-8b+fzR4W2hI5axwB+4nBwoA15awPKkck4ghhCt8v39M=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "6e253f12b1009053eff5344be5e835f604bb64cd",
+        "rev": "a111ce6b537df12a39874aa9672caa87f8677eda",
        "type": "github"
      },
      "original": {
@ -354,11 +354,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1720181791,
+        "lastModified": 1720498663,
-        "narHash": "sha256-i4vJL12/AdyuQuviMMd1Hk2tsGt02hDNhA0Zj1m16N8=",
+        "narHash": "sha256-juqJkkdAt44mOfA43q1qUHn7iWoK++81lR8Mh7N/EF8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4284c2b73c8bce4b46a6adf23e16d9e2ec8da4bb",
+        "rev": "106e145e1d4583d1e2bb20e54947d15ad55e75e1",
        "type": "github"
      },
      "original": {
@ -425,11 +425,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1720352738,
+        "lastModified": 1720521897,
-        "narHash": "sha256-S/FwaFfzUaGv81QxJJFWbrWhAAlR+L3S5i2MIujqmcE=",
+        "narHash": "sha256-k/lSErCNGvHj/vI+TXHLuQI9pmEnQBVcKbV3yB3I8NQ=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "18a4856920ac463d8ed386d9830a7742e2cf2c2c",
+        "rev": "4cb066aae41593df9901910e45f9dfd1af5aa743",
        "type": "github"
      },
      "original": {
@ -454,11 +454,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1719259945,
+        "lastModified": 1720524665,
-        "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
+        "narHash": "sha256-ni/87oHPZm6Gv0ECYxr1f6uxB0UKBWJ6HvS7lwLU6oY=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
+        "rev": "8d6a17d0cdf411c55f12602624df6368ad86fac1",
        "type": "github"
      },
      "original": {
@ -506,11 +506,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720318855,
+        "lastModified": 1720491570,
-        "narHash": "sha256-w3CCVK9LJ5aznXGkO1IyAlbvMNJfyA+dBF7Z1Zwx1LA=",
+        "narHash": "sha256-PHS2BcQ9kxBpu9GKlDg3uAlrX/ahQOoAiVmwGl6BjD4=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "3eed08a074cd2000884a69d448d70da2843f7103",
+        "rev": "b970af40fdc4bd80fd764796c5f97c15e2b564eb",
        "type": "github"
      },
      "original": {
@ -545,11 +545,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720321395,
+        "lastModified": 1720479166,
-        "narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
+        "narHash": "sha256-jqvhLDXzTLTHq9ZviFOpcTmXXmnbLfz7mWhgMNipMN4=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
+        "rev": "67035a355b1d52d2d238501f8cc1a18706979760",
        "type": "github"
      },
      "original": {
@ -565,11 +565,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720190661,
+        "lastModified": 1720400448,
-        "narHash": "sha256-51aPk6VqCSEuQeGvi/j5pdRyx8UxvqBeph+sXsj94EU=",
+        "narHash": "sha256-v7JVJ8H1PyH7/8EU72mz7wzxJ1OLE/h3NCqQyZ6ONjs=",
        "owner": "nix-community",
        "repo": "srvos",
-        "rev": "27dbc690931cc30f2c4bb2ff39e46490c3b6421d",
+        "rev": "21a3259985e3cddc455f64ad66d4a825b39934ad",
        "type": "github"
      },
      "original": {
@ -600,11 +600,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1719887753,
+        "lastModified": 1720507012,
-        "narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
+        "narHash": "sha256-QIeZ43t9IVB4dLsFaWh2f4C7JSRfK7p+Y1U9dULsLXU=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
+        "rev": "8b63fe8cf7892c59b3df27cbcab4d5644035d72f",
        "type": "github"
      },
      "original": {
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@ -40,21 +40,6 @@
        restartUnits = ["searx.service"];
      };
    };
    templates = {
      "hysteria.yaml".content = ''
        tls:
          cert: /run/credentials/hysteria.service/cert
          key: /run/credentials/hysteria.service/key
        masquerade:
          type: proxy
          proxy:
            url: https://ny4.dev/
        ${config.sops.placeholder."hysteria/auth"}
      '';
    };
  };
  ### Services
@ -76,12 +61,12 @@
      "element" = pkgs.element-web.override {
        element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
-          version = "1.11.70-rc.0";
+          version = "1.11.70";
          src = oldAttrs.src.overrideAttrs {
-            outputHash = "sha256-LnPqwXczECH7XnVvGnoUQpZct2jmGEFVpJ1nTewAHC8=";
+            outputHash = "sha256-kx6xQIuYSXkkBTYb+fZLL3cuHFcNj7RkC60o6Fyp8LI=";
          };
          offlineCache = oldAttrs.offlineCache.overrideAttrs {
-            outputHash = "sha256-yAAZXnxrBGuTWUJcL6Su0F5H2D5MNg9PUU7Uj8XT8N8=";
+            outputHash = "sha256-q/KbpU/haBhXZbGBITLYSywCluwN6ZZarVLmzB9tDN8=";
          };
        });
@ -97,14 +82,32 @@
  services.hysteria = {
    enable = true;
-    configFile = config.sops.templates."hysteria.yaml".path;
+    settings = {
-    credentials = [
+      auth = {
-      # FIXME: remove hardcoded path
+        type = "userpass";
-      "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
+        userpass = {
-      "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
+          _secret = "/run/credentials/hysteria.service/auth";
-    ];
+          quote = false;
        };
      };
      masquerade = {
        type = "proxy";
        proxy.url = "https://ny4.dev/";
      };
      tls = {
        cert = "/run/credentials/hysteria.service/cert";
        key = "/run/credentials/hysteria.service/key";
      };
    };
  };
  systemd.services."hysteria".serviceConfig.LoadCredential = [
    # FIXME: remove hardcoded path
    "auth:${config.sops.secrets."hysteria/auth".path}"
    "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
    "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
  ];
  # `journalctl -u murmur.service | grep Password`
  services.murmur = {
    enable = true;
--- a/hosts/lightsail-tokyo/secrets.yaml
+++ b/hosts/lightsail-tokyo/secrets.yaml
@ -1,5 +1,5 @@
 hysteria:
-    auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
+    auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
 searx:
    environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
 pixivfe:
@ -28,8 +28,8 @@ sops:
            R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
            3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-21T07:19:35Z"
+    lastmodified: "2024-07-09T11:50:11Z"
-    mac: ENC[AES256_GCM,data:1zG5at1zfjbnnHcZ1Vy7aJxMjaZpE9aL3QlAaxyQ7GYle05z/4PqIdampd7p1WrMWNWqkxkUFazTCpQF9faR0qbnZ2zyOWk45ZtBGZSEhvHRFke6JjwPv4fi35ozHL4JiuP76kGivegvR2OgQ7NH6HJBoZgEqduu+YISJlrvJVs=,iv:p/v8BnUmOCYsaXtUeaVq5MKLk69as3XkQsG688tYkiE=,tag:if6U/qbzrNdYaqLcQbGe6Q==,type:str]
+    mac: ENC[AES256_GCM,data:kzxia2Bygi0YR24/dJfKZR3jF99IhIGGIZFJnIo5kp7/PZfQE2EbgD5yTFrSX9+Ur5u8a169UVEtveJ+uR59bX3DsjZDPRSWRMmWJodLcZifx+oSSGmhYufC61D3pVa+Jv2mwKf8UTKdb2oQtk/8bNrMuonedX8hPz+wZJQyMD0=,iv:VxBeb5QTaF5snKNtc51XFtwAdydnOyX8CGhxBjyBTQ0=,tag:vQEJJubHv3dRazmr1bAcnQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/nixos/modules/services/hysteria.nix
+++ b/nixos/modules/services/hysteria.nix
@ -1,10 +1,12 @@
 {
  pkgs,
  config,
  lib,
  pkgs,
  utils,
  ...
 }: let
  cfg = config.services.hysteria;
  settingsFormat = pkgs.formats.json {};
 in {
  options.services.hysteria = {
    enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
@ -17,54 +19,39 @@ in {
      description = "Whether to use Hysteria as a client or a server.";
    };
-    configFile = lib.mkOption {
+    settings = lib.mkOption {
-      default = null;
+      type = lib.types.submodule {
-      type = lib.types.nullOr lib.types.path;
+        freeformType = settingsFormat.type;
-      description = "Configuration file to use.";
+      };
-    };
+      default = {};
    credentials = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
      example = lib.literalExpression ''
        [
          "cert:/tmp/certificate.crt"
          "key:/tmp/private-key.key"
        ];
      '';
      description = ''
-        Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
+        The Hysteria configuration, see https://hysteria.network/ for documentation.
-        See `systemd.exec(5)` for more information.
+        Options containing secret data should be set to an attribute set
        containing the attribute `_secret` - a string pointing to a file
        containing the value the option should be set to.
        Ignored when `services.hysteria.configFile` is set.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.configFile != null;
        message = "A configuration file is required for Hysteria";
      }
    ];
    systemd.services."hysteria" = {
      description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
      documentation = ["https://hysteria.network/"];
      wantedBy = ["multi-user.target"];
      after = ["network-online.target"];
      wants = ["network-online.target"];
-      restartTriggers = [cfg.configFile];
+      preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json";
      serviceConfig = {
        ExecStart = lib.concatStringsSep " " [
          (lib.getExe cfg.package)
          cfg.mode
-          "--disable-update-check"
+          "--config /var/lib/private/hysteria/config.json"
          "--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
        ];
        DynamicUser = true;
        StateDirectory = "hysteria";
        LoadCredential = ["config.yaml:${cfg.configFile}"] ++ cfg.credentials;
        ### Hardening
        AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];