flake: update lock file
parent
a20a63696f
commit
0e41e653a4
4 changed files with 84 additions and 94 deletions
74
flake.lock
74
flake.lock
|
@ -50,11 +50,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720056646,
|
||||
"narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
|
||||
"lastModified": 1720402389,
|
||||
"narHash": "sha256-zJv6euDOrJWMHBhxfp/ay+Dvjwpe8YtMuEI5b09bxmo=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
|
||||
"rev": "f1a00e7f55dc266ef286cc6fc8458fa2b5ca2414",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -145,11 +145,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720327769,
|
||||
"narHash": "sha256-kAsg3Lg4YKKpGw+f1W2s5hzjP8B0y/juowvjK8utIag=",
|
||||
"lastModified": 1720470846,
|
||||
"narHash": "sha256-7ftA4Bv5KfH4QdTRxqe8/Hz2YTKo+7IQ9n7vbNWgv28=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "6b7ce96f34b324e4e104abc30d06955d216bac71",
|
||||
"rev": "2fb5c1e0a17bc6059fa09dc411a43d75f35bb192",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -227,11 +227,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718491861,
|
||||
"narHash": "sha256-nnKZRkwXoCtGN8Rgv6FcHttX1JOPWQt2y7yY4Bz/hWk=",
|
||||
"lastModified": 1720421091,
|
||||
"narHash": "sha256-BWvb+z+5LgfjIUIDrNr1Yv5R6ouDLKduZUoJKIQ83as=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "49f55400d06fa113e4b4ae5a6fa97a6d83c59983",
|
||||
"revCount": 64,
|
||||
"rev": "012748be4f7011416261ec2d60adde19bf17d010",
|
||||
"revCount": 67,
|
||||
"type": "git",
|
||||
"url": "https://git.ny4.dev/nyancat/nvim"
|
||||
},
|
||||
|
@ -247,11 +247,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720337362,
|
||||
"narHash": "sha256-9TNQtlwu97NPaJYsKkdObOsy0MLN4NAOBz0pqwH3KnA=",
|
||||
"lastModified": 1720469887,
|
||||
"narHash": "sha256-BwPsGQ/EMqCreUc5j9Efj+wx13AjREtuHhbyHZygcE4=",
|
||||
"owner": "LnL7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "0f89b73f41eaa1dde67b291452c181d9a75f10dd",
|
||||
"rev": "fabc653517106127e2ed435fb52e7e8854354428",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -324,11 +324,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1719895800,
|
||||
"narHash": "sha256-xNbjISJTFailxass4LmdWeV4jNhAlmJPwj46a/GxE6M=",
|
||||
"lastModified": 1720515935,
|
||||
"narHash": "sha256-8b+fzR4W2hI5axwB+4nBwoA15awPKkck4ghhCt8v39M=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "6e253f12b1009053eff5344be5e835f604bb64cd",
|
||||
"rev": "a111ce6b537df12a39874aa9672caa87f8677eda",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -354,11 +354,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1720181791,
|
||||
"narHash": "sha256-i4vJL12/AdyuQuviMMd1Hk2tsGt02hDNhA0Zj1m16N8=",
|
||||
"lastModified": 1720498663,
|
||||
"narHash": "sha256-juqJkkdAt44mOfA43q1qUHn7iWoK++81lR8Mh7N/EF8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "4284c2b73c8bce4b46a6adf23e16d9e2ec8da4bb",
|
||||
"rev": "106e145e1d4583d1e2bb20e54947d15ad55e75e1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -425,11 +425,11 @@
|
|||
},
|
||||
"nur": {
|
||||
"locked": {
|
||||
"lastModified": 1720352738,
|
||||
"narHash": "sha256-S/FwaFfzUaGv81QxJJFWbrWhAAlR+L3S5i2MIujqmcE=",
|
||||
"lastModified": 1720521897,
|
||||
"narHash": "sha256-k/lSErCNGvHj/vI+TXHLuQI9pmEnQBVcKbV3yB3I8NQ=",
|
||||
"owner": "nix-community",
|
||||
"repo": "NUR",
|
||||
"rev": "18a4856920ac463d8ed386d9830a7742e2cf2c2c",
|
||||
"rev": "4cb066aae41593df9901910e45f9dfd1af5aa743",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -454,11 +454,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719259945,
|
||||
"narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
|
||||
"lastModified": 1720524665,
|
||||
"narHash": "sha256-ni/87oHPZm6Gv0ECYxr1f6uxB0UKBWJ6HvS7lwLU6oY=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
|
||||
"rev": "8d6a17d0cdf411c55f12602624df6368ad86fac1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -506,11 +506,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720318855,
|
||||
"narHash": "sha256-w3CCVK9LJ5aznXGkO1IyAlbvMNJfyA+dBF7Z1Zwx1LA=",
|
||||
"lastModified": 1720491570,
|
||||
"narHash": "sha256-PHS2BcQ9kxBpu9GKlDg3uAlrX/ahQOoAiVmwGl6BjD4=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "3eed08a074cd2000884a69d448d70da2843f7103",
|
||||
"rev": "b970af40fdc4bd80fd764796c5f97c15e2b564eb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -545,11 +545,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720321395,
|
||||
"narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
|
||||
"lastModified": 1720479166,
|
||||
"narHash": "sha256-jqvhLDXzTLTHq9ZviFOpcTmXXmnbLfz7mWhgMNipMN4=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
|
||||
"rev": "67035a355b1d52d2d238501f8cc1a18706979760",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -565,11 +565,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720190661,
|
||||
"narHash": "sha256-51aPk6VqCSEuQeGvi/j5pdRyx8UxvqBeph+sXsj94EU=",
|
||||
"lastModified": 1720400448,
|
||||
"narHash": "sha256-v7JVJ8H1PyH7/8EU72mz7wzxJ1OLE/h3NCqQyZ6ONjs=",
|
||||
"owner": "nix-community",
|
||||
"repo": "srvos",
|
||||
"rev": "27dbc690931cc30f2c4bb2ff39e46490c3b6421d",
|
||||
"rev": "21a3259985e3cddc455f64ad66d4a825b39934ad",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -600,11 +600,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1719887753,
|
||||
"narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
|
||||
"lastModified": 1720507012,
|
||||
"narHash": "sha256-QIeZ43t9IVB4dLsFaWh2f4C7JSRfK7p+Y1U9dULsLXU=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
|
||||
"rev": "8b63fe8cf7892c59b3df27cbcab4d5644035d72f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -40,21 +40,6 @@
|
|||
restartUnits = ["searx.service"];
|
||||
};
|
||||
};
|
||||
|
||||
templates = {
|
||||
"hysteria.yaml".content = ''
|
||||
tls:
|
||||
cert: /run/credentials/hysteria.service/cert
|
||||
key: /run/credentials/hysteria.service/key
|
||||
|
||||
masquerade:
|
||||
type: proxy
|
||||
proxy:
|
||||
url: https://ny4.dev/
|
||||
|
||||
${config.sops.placeholder."hysteria/auth"}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
### Services
|
||||
|
@ -76,12 +61,12 @@
|
|||
|
||||
"element" = pkgs.element-web.override {
|
||||
element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
|
||||
version = "1.11.70-rc.0";
|
||||
version = "1.11.70";
|
||||
src = oldAttrs.src.overrideAttrs {
|
||||
outputHash = "sha256-LnPqwXczECH7XnVvGnoUQpZct2jmGEFVpJ1nTewAHC8=";
|
||||
outputHash = "sha256-kx6xQIuYSXkkBTYb+fZLL3cuHFcNj7RkC60o6Fyp8LI=";
|
||||
};
|
||||
offlineCache = oldAttrs.offlineCache.overrideAttrs {
|
||||
outputHash = "sha256-yAAZXnxrBGuTWUJcL6Su0F5H2D5MNg9PUU7Uj8XT8N8=";
|
||||
outputHash = "sha256-q/KbpU/haBhXZbGBITLYSywCluwN6ZZarVLmzB9tDN8=";
|
||||
};
|
||||
});
|
||||
|
||||
|
@ -97,13 +82,31 @@
|
|||
|
||||
services.hysteria = {
|
||||
enable = true;
|
||||
configFile = config.sops.templates."hysteria.yaml".path;
|
||||
credentials = [
|
||||
settings = {
|
||||
auth = {
|
||||
type = "userpass";
|
||||
userpass = {
|
||||
_secret = "/run/credentials/hysteria.service/auth";
|
||||
quote = false;
|
||||
};
|
||||
};
|
||||
masquerade = {
|
||||
type = "proxy";
|
||||
proxy.url = "https://ny4.dev/";
|
||||
};
|
||||
tls = {
|
||||
cert = "/run/credentials/hysteria.service/cert";
|
||||
key = "/run/credentials/hysteria.service/key";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services."hysteria".serviceConfig.LoadCredential = [
|
||||
# FIXME: remove hardcoded path
|
||||
"auth:${config.sops.secrets."hysteria/auth".path}"
|
||||
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
|
||||
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
|
||||
];
|
||||
};
|
||||
|
||||
# `journalctl -u murmur.service | grep Password`
|
||||
services.murmur = {
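Review bot: The `cert:` and `key:` entries in `LoadCredential` point into Caddy's certificate store, and systemd copies credentials only when the unit starts, so after Caddy renews the certificate hysteria would keep serving the old copy until something restarts it. Nothing visible in this section restarts `hysteria.service` on renewal or when the sops `hysteria/auth` secret is rotated; if the secret's declaration (not shown here) lacks it, `restartUnits = ["hysteria.service"];` would match what the searx entry at the top of the section does, and the certificate needs a comparable restart or reload path. Separately, `quote = false` appears to splice the file content in as raw JSON rather than as a string, so a comment such as `# auth file must hold a JSON object of user -> password` next to `_secret` would document that contract.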
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
hysteria:
|
||||
auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
|
||||
auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
|
||||
searx:
|
||||
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
|
||||
pixivfe:
|
||||
|
@ -28,8 +28,8 @@ sops:
|
|||
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
|
||||
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-21T07:19:35Z"
|
||||
mac: ENC[AES256_GCM,data:1zG5at1zfjbnnHcZ1Vy7aJxMjaZpE9aL3QlAaxyQ7GYle05z/4PqIdampd7p1WrMWNWqkxkUFazTCpQF9faR0qbnZ2zyOWk45ZtBGZSEhvHRFke6JjwPv4fi35ozHL4JiuP76kGivegvR2OgQ7NH6HJBoZgEqduu+YISJlrvJVs=,iv:p/v8BnUmOCYsaXtUeaVq5MKLk69as3XkQsG688tYkiE=,tag:if6U/qbzrNdYaqLcQbGe6Q==,type:str]
|
||||
lastmodified: "2024-07-09T11:50:11Z"
|
||||
mac: ENC[AES256_GCM,data:kzxia2Bygi0YR24/dJfKZR3jF99IhIGGIZFJnIo5kp7/PZfQE2EbgD5yTFrSX9+Ur5u8a169UVEtveJ+uR59bX3DsjZDPRSWRMmWJodLcZifx+oSSGmhYufC61D3pVa+Jv2mwKf8UTKdb2oQtk/8bNrMuonedX8hPz+wZJQyMD0=,iv:VxBeb5QTaF5snKNtc51XFtwAdydnOyX8CGhxBjyBTQ0=,tag:vQEJJubHv3dRazmr1bAcnQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
version: 3.9.0
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
utils,
|
||||
...
|
||||
}: let
|
||||
cfg = config.services.hysteria;
|
||||
settingsFormat = pkgs.formats.json {};
|
||||
in {
|
||||
options.services.hysteria = {
|
||||
enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
|
||||
|
@ -17,54 +19,39 @@ in {
|
|||
description = "Whether to use Hysteria as a client or a server.";
|
||||
};
|
||||
|
||||
configFile = lib.mkOption {
|
||||
default = null;
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
description = "Configuration file to use.";
|
||||
settings = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
freeformType = settingsFormat.type;
|
||||
};
|
||||
|
||||
credentials = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [];
|
||||
example = lib.literalExpression ''
|
||||
[
|
||||
"cert:/tmp/certificate.crt"
|
||||
"key:/tmp/private-key.key"
|
||||
];
|
||||
'';
|
||||
default = {};
|
||||
description = ''
|
||||
Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
|
||||
The Hysteria configuration, see https://hysteria.network/ for documentation.
|
||||
|
||||
See `systemd.exec(5)` for more information.
|
||||
Options containing secret data should be set to an attribute set
|
||||
containing the attribute `_secret` - a string pointing to a file
|
||||
containing the value the option should be set to.
|
||||
|
||||
Ignored when `services.hysteria.configFile` is set.
|
||||
'';
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.configFile != null;
|
||||
message = "A configuration file is required for Hysteria";
|
||||
}
|
||||
];
|
||||
|
||||
systemd.services."hysteria" = {
|
||||
description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
|
||||
documentation = ["https://hysteria.network/"];
|
||||
wantedBy = ["multi-user.target"];
|
||||
after = ["network-online.target"];
|
||||
wants = ["network-online.target"];
|
||||
restartTriggers = [cfg.configFile];
|
||||
preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json";
|
||||
serviceConfig = {
|
||||
ExecStart = lib.concatStringsSep " " [
|
||||
(lib.getExe cfg.package)
|
||||
cfg.mode
|
||||
"--disable-update-check"
|
||||
"--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
|
||||
"--config /var/lib/private/hysteria/config.json"
|
||||
];
|
||||
|
||||
DynamicUser = true;
|
||||
StateDirectory = "hysteria";
|
||||
LoadCredential = ["config.yaml:${cfg.configFile}"] ++ cfg.credentials;
|
||||
|
||||
### Hardening
|
||||
AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
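Review bot: The rendered config, with the `_secret` values substituted in, is written to the hard-coded `/var/lib/private/hysteria/config.json`, which sits in the persistent state directory and so leaves the plaintext credentials on disk after the service stops. Adding `RuntimeDirectory = "hysteria";` and using `/run/hysteria/config.json` in both `preStart` and `--config` would let systemd remove the file on stop. Whichever directory is used, prefixing the generated snippet with `umask 0077` makes the file mode explicit instead of depending on what the helper does. The option description still ends with "Ignored when `services.hysteria.configFile` is set", but this section appears to remove that option, so the sentence looks stale. The `config` block continues past the end of the section shown.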
|
||||
|
|