lightsail-tokyo: add hysteria

forgot to commit...

.sops.yaml

@@ -8,6 +8,10 @@ keys:
   - &blacksteel age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
   - &lightsail-tokyo age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
 creation_rules:
+  - path_regex: hosts/lightsail-tokyo/secrets.yaml$
+    key_groups:
+      - age:
+          - *lightsail-tokyo
   - path_regex: secrets.yaml$
     key_groups:
       - age:

hosts/lightsail-tokyo/default.nix

@@ -1,6 +1,7 @@
 {
   modulesPath,
   lib,
+  config,
   ...
 }: {
   imports = [
@@ -12,4 +13,42 @@
   time.timeZone = "Asia/Tokyo";
   boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
   system.stateVersion = "23.11";
+
+  ### Services
+  sops.secrets = builtins.mapAttrs (_name: value:
+    value
+    // {
+      sopsFile = ./secrets.yaml;
+      restartUnits = ["hysteria.service"];
+    }) {
+    "hysteria/certificate" = {};
+    "hysteria/private-key" = {};
+    "hysteria/auth" = {};
+  };
+
+  sops.templates."hysteria.yaml".content = ''
+     tls:
+       cert: /run/credentials/hysteria.service/cert
+       key: /run/credentials/hysteria.service/key
+
+     masquerade:
+       type: proxy
+       proxy:
+         url: https://news.ycombinator.com/
+         rewriteHost: true
+
+    ${config.sops.placeholder."hysteria/auth"}
+  '';
+
+  networking.firewall.allowedUDPPorts = [80 443];
+  networking.firewall.allowedTCPPorts = [80 443];
+
+  services.hysteria = {
+    enable = true;
+    configFile = config.sops.templates."hysteria.yaml".path;
+    credentials = [
+      "cert:${config.sops.secrets."hysteria/certificate".path}"
+      "key:${config.sops.secrets."hysteria/private-key".path}"
+    ];
+  };
 }

hosts/lightsail-tokyo/secrets.yaml

@@ -0,0 +1,24 @@
+hysteria:
+    certificate: ENC[AES256_GCM,data:g1/uRZbhH+EJ5s/Zu3QRUT+cEyj5n+SAEUgdsqvoOF0nKGEjTE8NhCnvFy4kpB97VuOEfFrIPlgQ9cAnUC64t3oExmIz8DhVTrDgCS1PGKkbOSix8k2sDMA6/3KeTzG3R70kN2IyeSz5fQSUTnj3TjcufAs5H4JvTB/M/JoAgyUHpPTPWbgINwoSGtTgO845I/sv68sf66KE/nk7m1UcKzwXLNXDJB2lpGf3xd/X0TNJWMtopHN9VbUnFvBM22Lfl4yjb+C58IM7KApkPU8V1tZI6H2tCtZw5V1PqFVgwirQRB53NjKrTxnizaPbg0appVOxjZVQ95cV9STIj4uArudaXGv+E4bA92SNyUL12x22Y5/F8HvsWZ7xObZC0ABYdZd61+RHJ/Iy88ZS7egAq11lvtQnwuDuBUlDR25TF99YLebReon/bWaJZ9CEXJUCLaw0ibk4u0J6Lb/FuDHdlr1y37Py8KJZ3fD/7CMgzm0zbpMGdw2tl73CSONsSfaA3MNTLhIS81ON2/mMjP3XEYsznRKNum3hJIyKfzKOdCgqtcaGzYVeE7ApKSwR4PTO2pTzSe+72GI/ODfDkR+0Df1ex0gEtvVLDcgrRc+VyTsuDPA55mJtu9njwOx0DEAUWH2+dGw23/+p2HWnNbi1pUgzTWVyE9Hz1Dkmplrgj/bPgqBgYkae8u3ZRLucxRlIw7UysLhsp+HlP5HDE5nfnZpQDCbhh2zLgjsS6LRBzibopkpjrEE7IGfnsmAW0XXzBsS2iEV9f1pNGDgBa9vt,iv:933c5DHeoOmFf2mmEquIRLo8pST91qe7OO2RGV8c2Zo=,tag:9LiJrZryyR68wMKPIK5qkg==,type:str]
+    private-key: ENC[AES256_GCM,data:00lUMy2Is//XkYYRCnqvQG8xw3oFWr5ApG6ZGlkiiTgveC4uCETH8+KAsfU+AxLE1DBuN7EhLjd8Zh50vxldjB9yXZ5vU0ARgLC5RtuUVOx7BcltoWU2p+hms/PNiIKf1mgriHLun8UoyvkxAQKzQ8UN9eDvv0SdBTU9S6GhS3nkfdSHHOCzy6ekTZCjaLtMrMpelkZEWbkYW2kOd7spLmpagyEHhsTeggesxQo1zgQM7vmlN3l4bDrskoUcCsSCV9fkvaxYCuNfWYQjyfkQcl/OUMWPTVm2NFrXdhis1g9HyqRQy0vUQ1clJSfohSd5W5RZmeiGXqtWc+ep3KvVbBA/X5ybbPsdFtmgOIteIg2jygCW9blTWr2zLHAizmw58dzZt2eq6xfDetpDf6M=,iv:oZN+aj/cIGnUseIr1T6W+9WsRD54+5ifXQabtX6ZWTw=,tag:SdMEludXw9aMaBnvuev33w==,type:str]
+    auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdzMxRkVvMm1xbXByanUv
+            eXNKb2lLSi83ME1jajVVZ2x4dnV1SjBjeHlRCnVVVnFEK24zcTB1SnZ5WWYwRDlk
+            RHJSWlFqMklVU0hOYU1LeXl4THZRK00KLS0tIDEzTzhHUlhqWXRLSENMajJvM3Iw
+            b1lSK3l0U25BYW4wRmlIYzAweTZEK3cKk8sK1Wky0sRKKMrK5gnp7wWx7qu04Wpg
+            Bc5OPhqAZkNVOG0Mt2C2XynsDVOyzq4RcOZQGeI0xaJGFQ+wlZG37g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-22T19:40:45Z"
+    mac: ENC[AES256_GCM,data:K3SkQQYgdpRBByNVPJVPLbAlwTD8U6knrdFvVm6rrMhWAsVN6zFvalDZTd9kLqC4pmd2eg6czarUK+IfnOvF4qqWeEO9QlBFfD8GDfdgRG28A1wb2aCNYAPMox6X1ZI5uo2QR7oODfS2u1r8tVtY6VSevusH7u16KwjR17IXA8I=,iv:PFtREBhYZJDDQjRBn3kG13hKBsN87jML01kjpdsWsTA=,tag:E1CBiUv0KrrdzZW6/TZk1Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixos/modules/default.nix

@@ -8,5 +8,8 @@
     ./myFlake/hardware/components/audio.nix
     ./myFlake/hardware/components/bluetooth.nix
     ./myFlake/hardware/components/tpm.nix
+
+    # nixpkgs styled options
+    ./services/hysteria.nix
   ];
 }

nixos/modules/services/hysteria.nix

@@ -0,0 +1,75 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.services.hysteria;
+in {
+  options.services.hysteria = {
+    enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
+
+    package = lib.mkPackageOption pkgs "hysteria" {};
+
+    mode = lib.mkOption {
+      type = lib.types.enum ["server" "client"];
+      default = "server";
+    };
+
+    configFile = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.path;
+      description = "Configuration file to use.";
+    };
+
+    credentials = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [];
+      description = "Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    systemd.services."hysteria" = {
+      description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
+      documentation = ["https://hysteria.network/docs/getting-started/Installation/"];
+      wantedBy = ["multi-user.target"];
+      after = ["network-online.target"];
+      wants = ["network-online.target"];
+      serviceConfig = {
+        ExecStart = lib.concatStringsSep " " [
+          (lib.getExe cfg.package)
+          cfg.mode
+          "--disable-update-check"
+          "--config $\{CREDENTIALS_DIRECTORY}/config.yaml"
+        ];
+
+        DynamicUser = true;
+        StateDirectory = "hysteria";
+        LoadCredential = ["config.yaml:${cfg.configFile}"] ++ cfg.credentials;
+
+        ### Hardening
+        AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
+        CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
+        NoNewPrivileges = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RestrictNamespaces = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service bpf";
+        UMask = "0077";
+      };
+    };
+  };
+}