From e0fe5bcd6fcfbccb8d372a1a391c8105f577b4db Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Wed, 17 Sep 2025 14:32:14 -0700
Subject: [PATCH] fix(cloudflared): explicit user
---
 modules/nixos/cloudflared.nix | 13 +++++++++++++
 nixos/cloudflared.nix | 7 +++++--
 systems/meiling/sysctl.50-net.conf | 4 ++--
 systems/reisen/sysctl.50-net.conf | 4 ++--
 4 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/modules/nixos/cloudflared.nix b/modules/nixos/cloudflared.nix
index 42b11715..b908ab01 100644
--- a/modules/nixos/cloudflared.nix
+++ b/modules/nixos/cloudflared.nix
@@ -2,9 +2,11 @@ let
 tunnelModule = {
 pkgs,
 config,
+ gensokyo-zone,
 lib,
 ...
 }: let
+ inherit (gensokyo-zone.lib) unmerged;
 inherit (lib.options) mkOption mkEnableOption;
 settingsFormat = pkgs.formats.json {};
 in {
@@ -24,6 +26,10 @@ let
 default = {};
 };
 };
+ systemd.extraServiceSettings = mkOption {
+ type = unmerged.types.attrs;
+ default = {};
+ };
 };
 };
 in
@@ -35,6 +41,7 @@ in
 lib,
 ...
 }: let
+ inherit (gensokyo-zone.lib) unmerged;
 inherit (lib.attrsets) mapAttrsToList mapAttrs' nameValuePair filterAttrsRecursive;
 inherit (lib.lists) singleton;
 inherit (lib.modules) mkIf mkMerge mkForce;
@@ -63,6 +70,10 @@ in
 };
 });
 };
+ systemd.extraServiceSettings = mkOption {
+ type = unmerged.types.attrs;
+ default = {};
+ };
 };
 config.services.cloudflared = {
 extraArgs = mkIf (cfg.metricsPort != null) [
@@ -112,6 +123,8 @@ in
 ];
 };
 }
+ (unmerged.mergeAttrs tunnel.systemd.extraServiceSettings)
+ (unmerged.mergeAttrs cfg.systemd.extraServiceSettings)
 (mkIf tunnel.extraTunnel.enable {
 serviceConfig = {
 inherit RuntimeDirectory;
diff --git a/nixos/cloudflared.nix b/nixos/cloudflared.nix
index 19c77824..dc768f35 100644
--- a/nixos/cloudflared.nix
+++ b/nixos/cloudflared.nix
@@ -11,6 +11,9 @@ in {
 enable = mkDefault true;
 metricsPort = mkDefault 3011;
 metricsBind = "[::]";
+ systemd.extraServiceSettings = {
+ serviceConfig.User = mkDefault "cloudflared";
+ };
 };
 users = mkIf cfg.enable {
 users.cloudflared = {
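Review bot: The `systemd.extraServiceSettings` option declared in the `@@ -24,6 +26,10 @@` hunk has no `description`, so module users get no documentation for what it merges into or at what level; the same gap exists for the top-level copy added in the `@@ -63,6 +70,10 @@` hunk. A one-liner such as `description = "Extra systemd service settings merged into this tunnel's unit definition.";` (and "into every tunnel's unit definition" for the top-level one) would close it. The type `unmerged.types.attrs` comes from the project's own `gensokyo-zone.lib`, which is not visible in this patch, so how its values are validated cannot be checked from here. The enclosing option set starts and ends outside the hunk.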
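Review bot: In the `@@ -112,6 +123,8 @@` hunk the two `unmerged.mergeAttrs` entries are placed side by side with the per-tunnel settings first and the global `cfg` settings second, but list position gives neither one precedence; if both define the same scalar key (for example `serviceConfig.User`) at equal priority, I believe the module system reports conflicting definitions rather than letting the tunnel-level value win. If per-tunnel overrides are the intent, say so where the entries are merged, e.g. `# precedence between tunnel and global settings comes only from mkDefault/mkForce, not from order`. The enclosing list (presumably a `mkMerge`) starts and ends outside the hunk.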
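Review bot: In the `@@ -11,6 +11,9 @@` hunk `serviceConfig.User` is pinned to `cloudflared` but no `Group` is set alongside it, so the unit runs under whatever primary group the `users.cloudflared` definition (which continues past the end of this hunk) assigns. If a dedicated group exists, adding `serviceConfig.Group = mkDefault "cloudflared";` next to it makes the service identity explicit in both dimensions and keeps ownership of the `RuntimeDirectory` seen in the module hunk predictable. Using `mkDefault` here looks right, since the value passes through `unmerged.mergeAttrs` and individual hosts may need to override it.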
@@ -26,8 +29,8 @@ in {
 };
 boot.kernel.sysctl = mkIf (!config.boot.isContainer && cfg.enable) {
 # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
- "net.core.rmem_max" = mkDefault 2500000;
- "net.core.wmem_max" = mkDefault 2500000;
+ "net.core.rmem_max" = mkDefault 7500000;
+ "net.core.wmem_max" = mkDefault 7500000;
 };
 };
 }
diff --git a/systems/meiling/sysctl.50-net.conf b/systems/meiling/sysctl.50-net.conf
index 83e0f6bb..1b022995 100644
--- a/systems/meiling/sysctl.50-net.conf
+++ b/systems/meiling/sysctl.50-net.conf
@@ -1,5 +1,5 @@
 net.ipv4.ping_group_range=0 2147483647
 net.ipv4.ip_forward=1
 # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
-net.core.rmem_max=2500000
-net.core.wmem_max=2500000
+net.core.rmem_max=7500000
+net.core.wmem_max=7500000
diff --git a/systems/reisen/sysctl.50-net.conf b/systems/reisen/sysctl.50-net.conf
index aba630be..aae6805f 100644
--- a/systems/reisen/sysctl.50-net.conf
+++ b/systems/reisen/sysctl.50-net.conf
@@ -3,5 +3,5 @@ net.ipv6.conf.vmbr0.use_tempaddr=1
 net.ipv6.conf.vmbr0.accept_ra_rt_info_max_plen=128
 net.ipv4.ping_group_range=0 2147483647
 # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
-net.core.rmem_max=2500000
-net.core.wmem_max=2500000
+net.core.rmem_max=7500000
+net.core.wmem_max=7500000