nixos/hysteria: init #307601

Open
wants to merge 2 commits into
2 changes: 2 additions & 0 deletions nixos/doc/manual/release-notes/rl-2411.section.md
Expand Up @@ -110,6 +110,8 @@

- [Collabora Online](https://www.collaboraonline.com/), a collaborative online office suite based on LibreOffice technology. Available as [services.collabora-online](options.html#opt-services.collabora-online.enable).

- [Hysteria](https://hysteria.network/), a powerful, lightning fast and censorship resistant proxy. Available as [services.hysteria.enable](#opt-services.hysteria.enable).

- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).

- [Pingvin Share](https://github.com/stonith404/pingvin-share), a self-hosted file sharing platform and an alternative for WeTransfer. Available as [services.pingvin-share](#opt-services.pingvin-share.enable).
1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
Expand Up @@ -1061,6 +1061,7 @@
./services/networking/htpdate.nix
./services/networking/https-dns-proxy.nix
./services/networking/hylafax/default.nix
./services/networking/hysteria.nix
./services/networking/i2p.nix
./services/networking/i2pd.nix
./services/networking/icecream/daemon.nix
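--- /dev/null
+++ b/nixos/modules/services/networking/hysteria.nix
@@ -0,0 +1,92 @@
+{
+config,
+lib,
+pkgs,
+utils,
+...
+}:
+let
+cfg = config.services.hysteria;
+settingsFormat = pkgs.formats.json { };
+in
+{
+options.services.hysteria = {
+enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
+
+package = lib.mkPackageOption pkgs "hysteria" { };
+
+mode = lib.mkOption {
+type = lib.types.enum [
+"server"
+"client"
+];
+default = "server";
+description = "Whether to use Hysteria as a client or a server.";
+};
+
+settings = lib.mkOption {
+type = lib.types.submodule { freeformType = settingsFormat.type; };
+default = { };
+description = ''
+The Hysteria configuration, see https://hysteria.network/ for documentation.
+
+Options containing secret data should be set to an attribute set
+containing the attribute `_secret` - a string pointing to a file
+containing the value the option should be set to.
+'';
+};
+};
+config = lib.mkIf cfg.enable {
+systemd.services.hysteria = {
+description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
+documentation = [ "https://hysteria.network/" ];
+wantedBy = [ "multi-user.target" ];
+after = [ "network-online.target" ];
+wants = [ "network-online.target" ];
+preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/run/hysteria/config.json";
+serviceConfig = {
+ExecStart = lib.concatStringsSep " " [
+(lib.getExe cfg.package)
+cfg.mode
+"--config /run/hysteria/config.json"
+];
+
+DynamicUser = true;
+RuntimeDirectory = "hysteria";
+
+### Hardening
+AmbientCapabilities = [
+"CAP_NET_ADMIN"
+"CAP_NET_BIND_SERVICE"
+"CAP_NET_RAW"
+];
+CapabilityBoundingSet = [
+"CAP_NET_ADMIN"
+"CAP_NET_BIND_SERVICE"
+"CAP_NET_RAW"
+];
+NoNewPrivileges = true;
+PrivateMounts = true;
+PrivateTmp = true;
+ProcSubset = "pid";
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+RestrictNamespaces = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = "@system-service";
+UMask = "0077";
+};
+};
+};
+
+meta.maintainers = with lib.maintainers; [ Guanran928 ];
+}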
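Review bot: The `_secret` substitution in `preStart` runs as the unit's ephemeral `DynamicUser` (NixOS `preStart` becomes an `ExecStartPre` without the `+` prefix), so every file referenced through `_secret` in `settings` has to be readable by a UID that only exists once the unit starts; in practice that tends to push administrators towards making the secret file world-readable, which undoes the point of keeping it out of the store. Consider handing such files to the service through `LoadCredential` and pointing the jq snippet at `$CREDENTIALS_DIRECTORY`, so that the only file the unprivileged process must read is `/run/hysteria/config.json` written under `UMask = "0077"` inside its own `RuntimeDirectory`; at minimum the `settings` description should state that the referenced files must be readable by the service user. Separately, both `mode` values receive the identical `AmbientCapabilities`/`CapabilityBoundingSet` (`CAP_NET_ADMIN`, `CAP_NET_BIND_SERVICE`, `CAP_NET_RAW`); a comment under `### Hardening` recording which mode needs which capability, e.g. `# CAP_NET_ADMIN/CAP_NET_RAW: client TUN mode; CAP_NET_BIND_SERVICE: server on privileged ports (verify)`, would let a later change narrow the set per mode.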
19 changes: 14 additions & 5 deletions pkgs/tools/networking/hysteria/default.nix
@@ -1,6 +1,8 @@
{ lib
, fetchFromGitHub
, buildGoModule
{
lib,
fetchFromGitHub,
buildGoModule,
makeBinaryWrapper,
}:
buildGoModule rec {
pname = "hysteria";
Expand All @@ -17,16 +19,23 @@ buildGoModule rec {
proxyVendor = true;

ldflags =
let cmd = "github.com/apernet/hysteria/app/cmd";
in [
let
cmd = "github.com/apernet/hysteria/app/cmd";
in
[
"-s"
"-w"
"-X ${cmd}.appVersion=${version}"
"-X ${cmd}.appType=release"
];

nativeBuildInputs = [ makeBinaryWrapper ];

postInstall = ''
mv $out/bin/app $out/bin/hysteria

wrapProgram $out/bin/hysteria \
--add-flags "--disable-update-check"
'';

# Network required
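Review bot: The new `wrapProgram $out/bin/hysteria --add-flags "--disable-update-check"` lines in `postInstall` carry no comment, so a reader of the derivation cannot tell why the flag is baked into the wrapper rather than left to the caller. A one-line comment above `wrapProgram`, e.g. `# Do not contact the upstream update endpoint on every start; updates come through nixpkgs`, would record that the intent is to keep the packaged binary from reaching out on its own, which matters for a proxy deployed in environments where unsolicited outbound connections are a concern. Since the wrapper prepends the flag unconditionally, it presumably also applies to the `server`/`client` subcommands the NixOS module launches via `lib.getExe`; worth confirming against the upstream CLI that the flag is accepted as a global option.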