flake: update lock file

Guanran Wang 2024-07-09 21:03:42 +08:00
parent a20a63696f
commit 0e41e653a4
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
4 changed files with 84 additions and 94 deletions


@ -50,11 +50,11 @@
]
},
"locked": {
"lastModified": 1720056646,
"narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
"lastModified": 1720402389,
"narHash": "sha256-zJv6euDOrJWMHBhxfp/ay+Dvjwpe8YtMuEI5b09bxmo=",
"owner": "nix-community",
"repo": "disko",
"rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
"rev": "f1a00e7f55dc266ef286cc6fc8458fa2b5ca2414",
"type": "github"
},
"original": {
@ -145,11 +145,11 @@
]
},
"locked": {
"lastModified": 1720327769,
"narHash": "sha256-kAsg3Lg4YKKpGw+f1W2s5hzjP8B0y/juowvjK8utIag=",
"lastModified": 1720470846,
"narHash": "sha256-7ftA4Bv5KfH4QdTRxqe8/Hz2YTKo+7IQ9n7vbNWgv28=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6b7ce96f34b324e4e104abc30d06955d216bac71",
"rev": "2fb5c1e0a17bc6059fa09dc411a43d75f35bb192",
"type": "github"
},
"original": {
@ -227,11 +227,11 @@
]
},
"locked": {
"lastModified": 1718491861,
"narHash": "sha256-nnKZRkwXoCtGN8Rgv6FcHttX1JOPWQt2y7yY4Bz/hWk=",
"lastModified": 1720421091,
"narHash": "sha256-BWvb+z+5LgfjIUIDrNr1Yv5R6ouDLKduZUoJKIQ83as=",
"ref": "refs/heads/master",
"rev": "49f55400d06fa113e4b4ae5a6fa97a6d83c59983",
"revCount": 64,
"rev": "012748be4f7011416261ec2d60adde19bf17d010",
"revCount": 67,
"type": "git",
"url": "https://git.ny4.dev/nyancat/nvim"
},
@ -247,11 +247,11 @@
]
},
"locked": {
"lastModified": 1720337362,
"narHash": "sha256-9TNQtlwu97NPaJYsKkdObOsy0MLN4NAOBz0pqwH3KnA=",
"lastModified": 1720469887,
"narHash": "sha256-BwPsGQ/EMqCreUc5j9Efj+wx13AjREtuHhbyHZygcE4=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "0f89b73f41eaa1dde67b291452c181d9a75f10dd",
"rev": "fabc653517106127e2ed435fb52e7e8854354428",
"type": "github"
},
"original": {
@ -324,11 +324,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1719895800,
"narHash": "sha256-xNbjISJTFailxass4LmdWeV4jNhAlmJPwj46a/GxE6M=",
"lastModified": 1720515935,
"narHash": "sha256-8b+fzR4W2hI5axwB+4nBwoA15awPKkck4ghhCt8v39M=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "6e253f12b1009053eff5344be5e835f604bb64cd",
"rev": "a111ce6b537df12a39874aa9672caa87f8677eda",
"type": "github"
},
"original": {
@ -354,11 +354,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1720181791,
"narHash": "sha256-i4vJL12/AdyuQuviMMd1Hk2tsGt02hDNhA0Zj1m16N8=",
"lastModified": 1720498663,
"narHash": "sha256-juqJkkdAt44mOfA43q1qUHn7iWoK++81lR8Mh7N/EF8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4284c2b73c8bce4b46a6adf23e16d9e2ec8da4bb",
"rev": "106e145e1d4583d1e2bb20e54947d15ad55e75e1",
"type": "github"
},
"original": {
@ -425,11 +425,11 @@
},
"nur": {
"locked": {
"lastModified": 1720352738,
"narHash": "sha256-S/FwaFfzUaGv81QxJJFWbrWhAAlR+L3S5i2MIujqmcE=",
"lastModified": 1720521897,
"narHash": "sha256-k/lSErCNGvHj/vI+TXHLuQI9pmEnQBVcKbV3yB3I8NQ=",
"owner": "nix-community",
"repo": "NUR",
"rev": "18a4856920ac463d8ed386d9830a7742e2cf2c2c",
"rev": "4cb066aae41593df9901910e45f9dfd1af5aa743",
"type": "github"
},
"original": {
@ -454,11 +454,11 @@
]
},
"locked": {
"lastModified": 1719259945,
"narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
"lastModified": 1720524665,
"narHash": "sha256-ni/87oHPZm6Gv0ECYxr1f6uxB0UKBWJ6HvS7lwLU6oY=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
"rev": "8d6a17d0cdf411c55f12602624df6368ad86fac1",
"type": "github"
},
"original": {
@ -506,11 +506,11 @@
]
},
"locked": {
"lastModified": 1720318855,
"narHash": "sha256-w3CCVK9LJ5aznXGkO1IyAlbvMNJfyA+dBF7Z1Zwx1LA=",
"lastModified": 1720491570,
"narHash": "sha256-PHS2BcQ9kxBpu9GKlDg3uAlrX/ahQOoAiVmwGl6BjD4=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "3eed08a074cd2000884a69d448d70da2843f7103",
"rev": "b970af40fdc4bd80fd764796c5f97c15e2b564eb",
"type": "github"
},
"original": {
@ -545,11 +545,11 @@
]
},
"locked": {
"lastModified": 1720321395,
"narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
"lastModified": 1720479166,
"narHash": "sha256-jqvhLDXzTLTHq9ZviFOpcTmXXmnbLfz7mWhgMNipMN4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
"rev": "67035a355b1d52d2d238501f8cc1a18706979760",
"type": "github"
},
"original": {
@ -565,11 +565,11 @@
]
},
"locked": {
"lastModified": 1720190661,
"narHash": "sha256-51aPk6VqCSEuQeGvi/j5pdRyx8UxvqBeph+sXsj94EU=",
"lastModified": 1720400448,
"narHash": "sha256-v7JVJ8H1PyH7/8EU72mz7wzxJ1OLE/h3NCqQyZ6ONjs=",
"owner": "nix-community",
"repo": "srvos",
"rev": "27dbc690931cc30f2c4bb2ff39e46490c3b6421d",
"rev": "21a3259985e3cddc455f64ad66d4a825b39934ad",
"type": "github"
},
"original": {
@ -600,11 +600,11 @@
]
},
"locked": {
"lastModified": 1719887753,
"narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=",
"lastModified": 1720507012,
"narHash": "sha256-QIeZ43t9IVB4dLsFaWh2f4C7JSRfK7p+Y1U9dULsLXU=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c",
"rev": "8b63fe8cf7892c59b3df27cbcab4d5644035d72f",
"type": "github"
},
"original": {


@ -40,21 +40,6 @@
restartUnits = ["searx.service"];
};
};
templates = {
"hysteria.yaml".content = ''
tls:
cert: /run/credentials/hysteria.service/cert
key: /run/credentials/hysteria.service/key
masquerade:
type: proxy
proxy:
url: https://ny4.dev/
${config.sops.placeholder."hysteria/auth"}
'';
};
};
### Services
@ -76,12 +61,12 @@
"element" = pkgs.element-web.override {
element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
version = "1.11.70-rc.0";
version = "1.11.70";
src = oldAttrs.src.overrideAttrs {
outputHash = "sha256-LnPqwXczECH7XnVvGnoUQpZct2jmGEFVpJ1nTewAHC8=";
outputHash = "sha256-kx6xQIuYSXkkBTYb+fZLL3cuHFcNj7RkC60o6Fyp8LI=";
};
offlineCache = oldAttrs.offlineCache.overrideAttrs {
outputHash = "sha256-yAAZXnxrBGuTWUJcL6Su0F5H2D5MNg9PUU7Uj8XT8N8=";
outputHash = "sha256-q/KbpU/haBhXZbGBITLYSywCluwN6ZZarVLmzB9tDN8=";
};
});
@ -97,14 +82,32 @@
services.hysteria = {
enable = true;
configFile = config.sops.templates."hysteria.yaml".path;
credentials = [
# FIXME: remove hardcoded path
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
];
settings = {
auth = {
type = "userpass";
userpass = {
_secret = "/run/credentials/hysteria.service/auth";
quote = false;
};
};
masquerade = {
type = "proxy";
proxy.url = "https://ny4.dev/";
};
tls = {
cert = "/run/credentials/hysteria.service/cert";
key = "/run/credentials/hysteria.service/key";
};
};
};
systemd.services."hysteria".serviceConfig.LoadCredential = [
# FIXME: remove hardcoded path
"auth:${config.sops.secrets."hysteria/auth".path}"
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
];
# `journalctl -u murmur.service | grep Password`
services.murmur = {
enable = true;
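Review bot: `quote = false` on `settings.auth.userpass` means, as far as I know the `_secret` helper, that the content of `/run/credentials/hysteria.service/auth` is spliced into the generated config as raw JSON rather than as a string. The `hysteria/auth` sops secret therefore has to hold a valid JSON object, and a malformed value only surfaces as a failed `preStart`. A comment on that attribute would document the contract, e.g. `# hysteria/auth must be a JSON object of user -> password; quote = false inserts it unquoted`. Separately, the `cert:` and `key:` entries in `LoadCredential` are copied once when the unit starts, so a certificate that Caddy renews later is not served until hysteria is restarted; a restart on renewal is presumably wanted when the FIXME is resolved.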


@ -1,5 +1,5 @@
hysteria:
auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
searx:
environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
pixivfe:
@ -28,8 +28,8 @@ sops:
R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-21T07:19:35Z"
mac: ENC[AES256_GCM,data:1zG5at1zfjbnnHcZ1Vy7aJxMjaZpE9aL3QlAaxyQ7GYle05z/4PqIdampd7p1WrMWNWqkxkUFazTCpQF9faR0qbnZ2zyOWk45ZtBGZSEhvHRFke6JjwPv4fi35ozHL4JiuP76kGivegvR2OgQ7NH6HJBoZgEqduu+YISJlrvJVs=,iv:p/v8BnUmOCYsaXtUeaVq5MKLk69as3XkQsG688tYkiE=,tag:if6U/qbzrNdYaqLcQbGe6Q==,type:str]
lastmodified: "2024-07-09T11:50:11Z"
mac: ENC[AES256_GCM,data:kzxia2Bygi0YR24/dJfKZR3jF99IhIGGIZFJnIo5kp7/PZfQE2EbgD5yTFrSX9+Ur5u8a169UVEtveJ+uR59bX3DsjZDPRSWRMmWJodLcZifx+oSSGmhYufC61D3pVa+Jv2mwKf8UTKdb2oQtk/8bNrMuonedX8hPz+wZJQyMD0=,iv:VxBeb5QTaF5snKNtc51XFtwAdydnOyX8CGhxBjyBTQ0=,tag:vQEJJubHv3dRazmr1bAcnQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.9.0


@ -1,10 +1,12 @@
{
pkgs,
config,
lib,
pkgs,
utils,
...
}: let
cfg = config.services.hysteria;
settingsFormat = pkgs.formats.json {};
in {
options.services.hysteria = {
enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
@ -17,54 +19,39 @@ in {
description = "Whether to use Hysteria as a client or a server.";
};
configFile = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.path;
description = "Configuration file to use.";
};
credentials = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
example = lib.literalExpression ''
[
"cert:/tmp/certificate.crt"
"key:/tmp/private-key.key"
];
'';
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = settingsFormat.type;
};
default = {};
description = ''
Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
The Hysteria configuration, see https://hysteria.network/ for documentation.
See `systemd.exec(5)` for more information.
Options containing secret data should be set to an attribute set
containing the attribute `_secret` - a string pointing to a file
containing the value the option should be set to.
Ignored when `services.hysteria.configFile` is set.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.configFile != null;
message = "A configuration file is required for Hysteria";
}
];
systemd.services."hysteria" = {
description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
documentation = ["https://hysteria.network/"];
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = ["network-online.target"];
restartTriggers = [cfg.configFile];
preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json";
serviceConfig = {
ExecStart = lib.concatStringsSep " " [
(lib.getExe cfg.package)
cfg.mode
"--disable-update-check"
"--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
"--config /var/lib/private/hysteria/config.json"
];
DynamicUser = true;
StateDirectory = "hysteria";
LoadCredential = ["config.yaml:${cfg.configFile}"] ++ cfg.credentials;
### Hardening
AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
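Review bot: The rendered config now contains the resolved `auth` secret in plaintext, and `preStart` writes it to the persistent state directory at a hard-coded `/var/lib/private/hysteria/config.json`, which also ties the module to the `DynamicUser` directory layout. A runtime directory would keep the file on tmpfs and remove it when the unit stops: add `RuntimeDirectory = "hysteria";` and point both `preStart` and `--config` at `/run/hysteria/config.json`. No umask is set in the visible lines, so unless the helper sets one itself the file mode follows the unit default; `UMask = "0077";` in `serviceConfig` would make it owner-only regardless of directory permissions. `serviceConfig` continues past the end of the hunk, so a `UMask` may already be set in the hardening block below.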