nixos/hysteria: init

NixOS · Apr 29, 2024 · d4e0156 · d4e0156
1 parent 1e1dc66
commit d4e0156
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 0 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -116,6 +116,8 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - [Mihomo](https://github.com/MetaCubeX/mihomo/tree/Alpha), a rule-based proxy in Go. Available as [services.mihomo.enable](#opt-services.mihomo.enable).
 
+- [Hysteria](https://hysteria.network/), a powerful, lightning fast and censorship resistant proxy. Available as [services.hysteria.enable](#opt-services.hysteria.enable).
+
 - [hebbot](https://github.com/haecker-felix/hebbot), a Matrix bot to generate "This Week in X" like blog posts. Available as [services.hebbot](#opt-services.hebbot.enable).
 
 - [Workout-tracker](https://github.com/jovandeginste/workout-tracker), a workout tracking web application for personal use.

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -1007,6 +1007,7 @@
   ./services/networking/htpdate.nix
   ./services/networking/https-dns-proxy.nix
   ./services/networking/hylafax/default.nix
+  ./services/networking/hysteria.nix
   ./services/networking/i2p.nix
   ./services/networking/i2pd.nix
   ./services/networking/icecream/daemon.nix

diff --git a/nixos/modules/services/networking/hysteria.nix b/nixos/modules/services/networking/hysteria.nix
@@ -0,0 +1,109 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.hysteria;
+in
+{
+  options.services.hysteria = {
+    enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
+
+    package = lib.mkPackageOption pkgs "hysteria" { };
+
+    mode = lib.mkOption {
+      type = lib.types.enum [
+        "server"
+        "client"
+      ];
+      default = "server";
+      description = "Whether to use Hysteria as a client or a server.";
+    };
+
+    configFile = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.path;
+      description = "Configuration file to use.";
+    };
+
+    credentials = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      example = lib.literalExpression ''
+        [
+          "cert:/tmp/certificate.crt"
+          "key:/tmp/private-key.key"
+        ];
+      '';
+      description = ''
+        Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
+
+        See `systemd.exec(5)` for more information.
+      '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.configFile != null;
+        message = "A configuration file is required for Hysteria";
+      }
+    ];
+
+    systemd.services."hysteria" = {
+      description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
+      documentation = [ "https://hysteria.network/" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      restartTriggers = [ cfg.configFile ];
+      serviceConfig = {
+        ExecStart = lib.concatStringsSep " " [
+          (lib.getExe cfg.package)
+          cfg.mode
+          "--disable-update-check"
+          "--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
+        ];
+
+        DynamicUser = true;
+        StateDirectory = "hysteria";
+        LoadCredential = [ "config.yaml:${cfg.configFile}" ] ++ cfg.credentials;
+
+        ### Hardening
+        AmbientCapabilities = [
+          "CAP_NET_ADMIN"
+          "CAP_NET_BIND_SERVICE"
+          "CAP_NET_RAW"
+        ];
+        CapabilityBoundingSet = [
+          "CAP_NET_ADMIN"
+          "CAP_NET_BIND_SERVICE"
+          "CAP_NET_RAW"
+        ];
+        NoNewPrivileges = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RestrictNamespaces = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        UMask = "0077";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ Guanran928 ];
+}