From 265ca91a58800a41651dc483a29ef1f22230bcd8 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Tue, 23 Apr 2024 05:01:38 +0800
Subject: [PATCH] lightsail-tokyo: add hysteria

forgot to commit...
---
 .sops.yaml | 4 ++
 hosts/lightsail-tokyo/default.nix | 39 +++++++++++++++
 hosts/lightsail-tokyo/secrets.yaml | 24 +++++++++
 nixos/modules/default.nix | 3 ++
 nixos/modules/services/hysteria.nix | 75 +++++++++++++++++++++++++++++
 5 files changed, 145 insertions(+)
 create mode 100644 hosts/lightsail-tokyo/secrets.yaml
 create mode 100644 nixos/modules/services/hysteria.nix

diff --git a/.sops.yaml b/.sops.yaml
index 3bb72d3..696eb67 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -8,6 +8,10 @@ keys:
 - &blacksteel age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
 - &lightsail-tokyo age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
 creation_rules:
+ - path_regex: hosts/lightsail-tokyo/secrets.yaml$
+ key_groups:
+ - age:
+ - *lightsail-tokyo
 - path_regex: secrets.yaml$
 key_groups:
 - age:
diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix
index 03e3535..84d7695 100644
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@@ -1,6 +1,7 @@
 {
 modulesPath,
 lib,
+ config,
 ...
 }: {
 imports = [
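Review bot: The new creation rule for hosts/lightsail-tokyo/secrets.yaml lists a single recipient, `*lightsail-tokyo`, and the committed secrets.yaml in this patch carries only that one age recipient, so editing or rotating these secrets requires the host's own age identity rather than an operator key. If the generic `secrets.yaml$` rule below this one includes a human-held key (its age list is cut off in the hunk), consider adding that same anchor next to `- *lightsail-tokyo` and re-encrypting with `sops updatekeys`. As committed, loss of the host key leaves the file unrecoverable and unmodifiable.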
@@ -12,4 +13,42 @@
 time.timeZone = "Asia/Tokyo";
 boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
 system.stateVersion = "23.11";
+
+ ### Services
+ sops.secrets = builtins.mapAttrs (_name: value:
+ value
+ // {
+ sopsFile = ./secrets.yaml;
+ restartUnits = ["hysteria.service"];
+ }) {
+ "hysteria/certificate" = {};
+ "hysteria/private-key" = {};
+ "hysteria/auth" = {};
+ };
+
+ sops.templates."hysteria.yaml".content = ''
+ tls:
+ cert: /run/credentials/hysteria.service/cert
+ key: /run/credentials/hysteria.service/key
+
+ masquerade:
+ type: proxy
+ proxy:
+ url: https://news.ycombinator.com/
+ rewriteHost: true
+
+ ${config.sops.placeholder."hysteria/auth"}
+ '';
+
+ networking.firewall.allowedUDPPorts = [80 443];
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ services.hysteria = {
+ enable = true;
+ configFile = config.sops.templates."hysteria.yaml".path;
+ credentials = [
+ "cert:${config.sops.secrets."hysteria/certificate".path}"
+ "key:${config.sops.secrets."hysteria/private-key".path}"
+ ];
+ };
 }
diff --git a/hosts/lightsail-tokyo/secrets.yaml b/hosts/lightsail-tokyo/secrets.yaml
new file mode 100644
index 0000000..bfa69b2
--- /dev/null
+++ b/hosts/lightsail-tokyo/secrets.yaml
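Review bot: The two `networking.firewall` lines open TCP 80/443 and UDP 80 as well as UDP 443, but the only listener this file configures is Hysteria's QUIC endpoint on UDP (no `listen:` is set, so the daemon's default port applies), and the `masquerade` block proxies an upstream rather than opening a TCP listener of its own. Unless a TCP masquerade listener or port hopping is configured elsewhere, `networking.firewall.allowedUDPPorts = [443];` with the `allowedTCPPorts` line removed keeps the exposed surface to what is actually served. Separately, the rendered template contains no `auth:` section of its own, so the `hysteria/auth` secret presumably has to hold the complete top-level `auth:` YAML block; a one-line comment above `sops.templates."hysteria.yaml".content` stating that contract would save the next reader from decrypting the secret to find out.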
@@ -0,0 +1,24 @@
+hysteria:
+ certificate: ENC[AES256_GCM,data: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,iv:933c5DHeoOmFf2mmEquIRLo8pST91qe7OO2RGV8c2Zo=,tag:9LiJrZryyR68wMKPIK5qkg==,type:str]
+ private-key: ENC[AES256_GCM,data:00lUMy2Is//XkYYRCnqvQG8xw3oFWr5ApG6ZGlkiiTgveC4uCETH8+KAsfU+AxLE1DBuN7EhLjd8Zh50vxldjB9yXZ5vU0ARgLC5RtuUVOx7BcltoWU2p+hms/PNiIKf1mgriHLun8UoyvkxAQKzQ8UN9eDvv0SdBTU9S6GhS3nkfdSHHOCzy6ekTZCjaLtMrMpelkZEWbkYW2kOd7spLmpagyEHhsTeggesxQo1zgQM7vmlN3l4bDrskoUcCsSCV9fkvaxYCuNfWYQjyfkQcl/OUMWPTVm2NFrXdhis1g9HyqRQy0vUQ1clJSfohSd5W5RZmeiGXqtWc+ep3KvVbBA/X5ybbPsdFtmgOIteIg2jygCW9blTWr2zLHAizmw58dzZt2eq6xfDetpDf6M=,iv:oZN+aj/cIGnUseIr1T6W+9WsRD54+5ifXQabtX6ZWTw=,tag:SdMEludXw9aMaBnvuev33w==,type:str]
+ auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdzMxRkVvMm1xbXByanUv
+ eXNKb2lLSi83ME1jajVVZ2x4dnV1SjBjeHlRCnVVVnFEK24zcTB1SnZ5WWYwRDlk
+ RHJSWlFqMklVU0hOYU1LeXl4THZRK00KLS0tIDEzTzhHUlhqWXRLSENMajJvM3Iw
+ b1lSK3l0U25BYW4wRmlIYzAweTZEK3cKk8sK1Wky0sRKKMrK5gnp7wWx7qu04Wpg
+ Bc5OPhqAZkNVOG0Mt2C2XynsDVOyzq4RcOZQGeI0xaJGFQ+wlZG37g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-22T19:40:45Z"
+ mac: ENC[AES256_GCM,data:K3SkQQYgdpRBByNVPJVPLbAlwTD8U6knrdFvVm6rrMhWAsVN6zFvalDZTd9kLqC4pmd2eg6czarUK+IfnOvF4qqWeEO9QlBFfD8GDfdgRG28A1wb2aCNYAPMox6X1ZI5uo2QR7oODfS2u1r8tVtY6VSevusH7u16KwjR17IXA8I=,iv:PFtREBhYZJDDQjRBn3kG13hKBsN87jML01kjpdsWsTA=,tag:E1CBiUv0KrrdzZW6/TZk1Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index f8fd17d..1ce856b 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -8,5 +8,8 @@
 ./myFlake/hardware/components/audio.nix
 ./myFlake/hardware/components/bluetooth.nix
 ./myFlake/hardware/components/tpm.nix
+
+ # nixpkgs styled options
+ ./services/hysteria.nix
 ];
 }
diff --git a/nixos/modules/services/hysteria.nix b/nixos/modules/services/hysteria.nix
new file mode 100644
index 0000000..fc5612d
--- /dev/null
+++ b/nixos/modules/services/hysteria.nix
@@ -0,0 +1,75 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.services.hysteria;
+in {
+ options.services.hysteria = {
+ enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
+
+ package = lib.mkPackageOption pkgs "hysteria" {};
+
+ mode = lib.mkOption {
+ type = lib.types.enum ["server" "client"];
+ default = "server";
+ };
+
+ configFile = lib.mkOption {
+ default = null;
+ type = lib.types.nullOr lib.types.path;
+ description = "Configuration file to use.";
+ };
+
+ credentials = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [];
+ description = "Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ systemd.services."hysteria" = {
+ description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
+ documentation = ["https://hysteria.network/docs/getting-started/Installation/"];
+ wantedBy = ["multi-user.target"];
+ after = ["network-online.target"];
+ wants = ["network-online.target"];
+ serviceConfig = {
+ ExecStart = lib.concatStringsSep " " [
+ (lib.getExe cfg.package)
+ cfg.mode
+ "--disable-update-check"
+ "--config $\{CREDENTIALS_DIRECTORY}/config.yaml"
+ ];
+
+ DynamicUser = true;
+ StateDirectory = "hysteria";
+ LoadCredential = ["config.yaml:${cfg.configFile}"] ++ cfg.credentials;
+
+ ### Hardening
+ AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
+ CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
+ NoNewPrivileges = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictNamespaces = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service bpf";
+ UMask = "0077";
+ };
+ };
+ };
+}
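Review bot: `LoadCredential = ["config.yaml:${cfg.configFile}"]` interpolates `cfg.configFile` unconditionally while the option defaults to `null`, so enabling the service without setting it fails at evaluation with a string-coercion error instead of a message naming the option. Inside `config = lib.mkIf cfg.enable { ... }` add `assertions = [{ assertion = cfg.configFile != null; message = "services.hysteria.configFile must be set when services.hysteria.enable is true."; }];`, or drop the `null` default and use `lib.types.path` so the module system reports the missing value itself. The `mode` option has no `description`, unlike its siblings. On the hardening block, `AmbientCapabilities` and `CapabilityBoundingSet` grant `CAP_NET_ADMIN` and `CAP_NET_RAW` alongside `CAP_NET_BIND_SERVICE`; for the default `server` mode only the bind capability appears to be needed (the other two look intended for client-side TUN use), so consider granting them only when `cfg.mode == "client"`, and `RestrictAddressFamilies = ["AF_INET" "AF_INET6"];` would fit naturally next to the existing `Restrict*` settings. Minor style: `$\{CREDENTIALS_DIRECTORY}` relies on an incidental backslash escape; the conventional Nix spelling for a literal dollar-brace is `\${CREDENTIALS_DIRECTORY}`.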