# Copied from https://github.com/NixOS/nixpkgs/pull/307601
#
# NixOS module for the Hysteria proxy. It declares the `services.hysteria.*`
# options and, when enabled, renders the settings to a JSON file in the
# unit's state directory and runs the selected mode as a systemd service.
{
  config,
  lib,
  pkgs,
  utils,
  ...
}:
let
  cfg = config.services.hysteria;
  settingsFormat = pkgs.formats.json { };

  # Location of the rendered configuration. It sits inside the directory
  # named by StateDirectory below, so systemd provisions it for the unit.
  stateDir = "/var/lib/hysteria";
  configFile = "${stateDir}/config.json";

  # The same capability list is used for both the bounding set and the
  # ambient set.
  # NOTE(review): no User= / DynamicUser= is set, so the unit runs as root;
  # CapabilityBoundingSet then trims root's capabilities while
  # AmbientCapabilities adds little on top — confirm whether a dedicated
  # service user was intended.
  netCapabilities = [
    "CAP_NET_ADMIN"
    "CAP_NET_BIND_SERVICE"
    "CAP_NET_RAW"
  ];

  # Full command line: <binary> <mode> --disable-update-check --config <file>
  hysteriaCommand = "${lib.getExe cfg.package} ${cfg.mode} --disable-update-check --config ${configFile}";
in
{
  options.services.hysteria = {
    enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";

    package = lib.mkPackageOption pkgs "hysteria" { };

    # Chooses which sub-command of the binary is launched.
    mode = lib.mkOption {
      type = lib.types.enum [
        "server"
        "client"
      ];
      default = "server";
      description = "Whether to use Hysteria as a client or a server.";
    };

    # Free-form settings; the type only checks that they are representable
    # as JSON, not that they match the upstream schema.
    settings = lib.mkOption {
      type = lib.types.submodule { freeformType = settingsFormat.type; };
      default = { };
      description = ''
        The Hysteria configuration, see https://hysteria.network/ for documentation.

        Options containing secret data should be set to an attribute set
        containing the attribute `_secret` - a string pointing to a file
        containing the value the option should be set to.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.hysteria = {
      description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
      documentation = [ "https://hysteria.network/" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];

      # Before each start, substitute the `_secret` file references in the
      # settings and write the resulting JSON to the state directory.
      preStart = utils.genJqSecretsReplacementSnippet cfg.settings configFile;

      serviceConfig = {
        ExecStart = hysteriaCommand;

        StateDirectory = "hysteria";
        WorkingDirectory = stateDir;

        ### Hardening
        AmbientCapabilities = netCapabilities;
        CapabilityBoundingSet = netCapabilities;
        NoNewPrivileges = true;
        PrivateMounts = true;
        PrivateTmp = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "@system-service";
        # Files the unit creates (presumably including the rendered config
        # holding substituted secrets) are owner-only.
        UMask = "0077";

        # More perf
        # NOTE(review): SCHED_RR at priority 99 is the highest realtime
        # priority; a busy proxy at that level can starve other tasks on the
        # host — confirm this is intended rather than a milder tweak.
        CPUSchedulingPolicy = "rr";
        CPUSchedulingPriority = 99;
      };
    };
  };
}