fix(cloudflared): explicit user

2026-02-09 04:19:19 -08:00 · 2025-09-17 14:32:14 -07:00 · 2025-09-17 14:32:14 -07:00 · e0fe5bcd6f
commit e0fe5bcd6f
parent d80fd6fd5f
4 changed files with 22 additions and 6 deletions
--- a/modules/nixos/cloudflared.nix
+++ b/modules/nixos/cloudflared.nix
@ -2,9 +2,11 @@ let
  tunnelModule = {
    pkgs,
    config,
+    gensokyo-zone,
    lib,
    ...
  }: let
+    inherit (gensokyo-zone.lib) unmerged;
    inherit (lib.options) mkOption mkEnableOption;
    settingsFormat = pkgs.formats.json {};
  in {
@ -24,6 +26,10 @@ let
          default = {};
        };
      };
+      systemd.extraServiceSettings = mkOption {
+        type = unmerged.types.attrs;
+        default = {};
+      };
    };
  };
 in
@ -35,6 +41,7 @@ in
    lib,
    ...
  }: let
+    inherit (gensokyo-zone.lib) unmerged;
    inherit (lib.attrsets) mapAttrsToList mapAttrs' nameValuePair filterAttrsRecursive;
    inherit (lib.lists) singleton;
    inherit (lib.modules) mkIf mkMerge mkForce;
@ -63,6 +70,10 @@ in
          };
        });
      };
+      systemd.extraServiceSettings = mkOption {
+        type = unmerged.types.attrs;
+        default = {};
+      };
    };
    config.services.cloudflared = {
      extraArgs = mkIf (cfg.metricsPort != null) [
@ -112,6 +123,8 @@ in
              ];
            };
          }
+          (unmerged.mergeAttrs tunnel.systemd.extraServiceSettings)
+          (unmerged.mergeAttrs cfg.systemd.extraServiceSettings)
          (mkIf tunnel.extraTunnel.enable {
            serviceConfig = {
              inherit RuntimeDirectory;
--- a/nixos/cloudflared.nix
+++ b/nixos/cloudflared.nix
@ -11,6 +11,9 @@ in {
      enable = mkDefault true;
      metricsPort = mkDefault 3011;
      metricsBind = "[::]";
+      systemd.extraServiceSettings = {
+        serviceConfig.User = mkDefault "cloudflared";
+      };
    };
    users = mkIf cfg.enable {
      users.cloudflared = {
@ -26,8 +29,8 @@ in {
    };
    boot.kernel.sysctl = mkIf (!config.boot.isContainer && cfg.enable) {
      # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
-      "net.core.rmem_max" = mkDefault 2500000;
-      "net.core.wmem_max" = mkDefault 2500000;
+      "net.core.rmem_max" = mkDefault 7500000;
+      "net.core.wmem_max" = mkDefault 7500000;
    };
  };
 }
--- a/systems/meiling/sysctl.50-net.conf
+++ b/systems/meiling/sysctl.50-net.conf
@ -1,5 +1,5 @@
 net.ipv4.ping_group_range=0 2147483647
 net.ipv4.ip_forward=1
 # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
-net.core.rmem_max=2500000
-net.core.wmem_max=2500000
+net.core.rmem_max=7500000
+net.core.wmem_max=7500000
--- a/systems/reisen/sysctl.50-net.conf
+++ b/systems/reisen/sysctl.50-net.conf
@ -3,5 +3,5 @@ net.ipv6.conf.vmbr0.use_tempaddr=1
 net.ipv6.conf.vmbr0.accept_ra_rt_info_max_plen=128
 net.ipv4.ping_group_range=0 2147483647
 # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
-net.core.rmem_max=2500000
-net.core.wmem_max=2500000
+net.core.rmem_max=7500000
+net.core.wmem_max=7500000