NixOS
Note: This documentation is written assuming you are using Nix flakes. Using Nix with channels is not currently supported, though it should be possible.
Add flake input
Add the Hydrui flake to the Nix flake that contains your system configuration.
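```nix
{
  inputs = {
    # ... your other inputs ...
    hydrui = {
      url = "github:hydrui/hydrui";
      # Build Hydrui against the same nixpkgs revision as the rest of the system.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  # ...
}
```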
Add NixOS module
Where your NixOS system configuration is defined, add the NixOS module.
```nix
{
  outputs =
    {
      nixpkgs,
      hydrui,
      ... # your other inputs
    }:
    {
      nixosConfigurations = {
        default = nixpkgs.lib.nixosSystem {
          # ...
          modules = [
            # ... your other modules ...
            hydrui.nixosModules.hydrui
          ];
        };
      };
    };
}
```
Configure the NixOS module
Within your system configuration, you can now use the Hydrui options.
```nix
{ config, ... }: {
  services.hydrui = {
    enable = true;

    # Enables "server mode". Check the documentation for more information.
    # https://hydrui.dev/en/docs/server-mode/
    serverMode = true;

    # The rest of the options are only allowed when using server mode.

    # Hydrus URL to connect to.
    hydrusUrl = "http://localhost:45869";

    # You can also insecurely pass API credentials using builtins.toFile,
    # but this will be *world-readable* in your Nix store. Tread carefully.
    hydrusApiKeyFile = config.sops.secrets.hydrus-api-key.path;

    # Provide an htpasswd file with login credentials.
    # Compatible with Apache .htpasswd, but only bcrypt is supported.
    # A simple HTML utility for editing htpasswd files is available here:
    # https://hydrui.dev/tools/htpasswd/
    # A path literal like this one is also copied into the Nix store, so the
    # bcrypt hashes in it are world-readable there.
    htpasswdFile = ./htpasswd.txt;

    # Disable sending issue reports.
    allowReport = false;
  };
}
```
Secret files will be passed in via systemd credentials, so you do not need to make them accessible to any user except for root.
NixOS module options
services.hydrui.enable
| Description | Whether to enable Hydrui Server. |
|---|---|
| Type | boolean |
| Example | true |
services.hydrui.package
| Description | The hydrui-server package to use. |
|---|---|
| Type | package |
| Default | pkgs.hydrui-server |
services.hydrui.openFirewall
| Description | Whether to automatically open the necessary ports in the firewall. |
|---|---|
| Type | boolean |
| Default | true |
| Example | true |
services.hydrui.serverMode
| Description | Enable Hydrui's server mode, as opposed to the default client-only mode. When enabled, Hydrui Server will act as a proxy to the upstream hydrus client. The API credentials will need to be specified directly to Hydrui Server. When this value is set, hydrusUrl and hydrusApiKeyFile must be set. |
|---|---|
| Type | boolean |
| Example | true |
services.hydrui.acme
| Description | Whether to enable automatic TLS with ACME. |
|---|---|
| Type | boolean |
| Example | true |
services.hydrui.bindAddress
| Description | Address to listen on; empty string for all interfaces. |
|---|---|
| Type | string |
| Default | "" |
| Example | 127.0.0.1 |
services.hydrui.user
| Description | User the service runs as, or null for systemd DynamicUser. |
|---|---|
| Type | null or string |
| Example | hydrus |
services.hydrui.group
| Description | Group the service runs as. |
|---|---|
| Type | null or string |
| Example | hydrus |
services.hydrui.port
| Description | Port to listen on, or null to disable listening on TCP. |
|---|---|
| Type | null or 16 bit unsigned integer; between 0 and 65535 (both inclusive) |
| Default | 8080 |
services.hydrui.socket
| Description | UNIX domain socket path to bind, or null to disable listening on a UNIX domain socket. |
|---|---|
| Type | null or absolute path |
| Example | /var/run/hydrui.sock |
services.hydrui.portTLS
| Description | Port to listen on for HTTPS (TLS), or null to disable listening on TCP TLS. |
|---|---|
| Type | null or 16 bit unsigned integer; between 0 and 65535 (both inclusive) |
| Example | 8443 |
services.hydrui.socketTLS
| Description | UNIX domain socket path to bind for HTTPS (TLS), or null to disable listening on a UNIX domain socket TLS. |
|---|---|
| Type | null or absolute path |
| Example | /var/run/hydrui-tls.sock |
services.hydrui.tlsCertFile
| Description | Path to the TLS certificate file (full chain, PEM-formatted). |
|---|---|
| Type | null or absolute path |
| Example | /var/lib/hydrui/cert.pem |
services.hydrui.tlsKeyFile
| Description | Path to the TLS private key file (PEM-formatted). |
|---|---|
| Type | null or absolute path |
| Example | /var/lib/hydrui/key.pem |
services.hydrui.socketPerms
| Description | Permissions to set on the UNIX domain socket, or null to use Hydrui's default. |
|---|---|
| Type | null or string |
| Example | 0660 |
services.hydrui.hydrusUrl
| Description | Hydrus client API server to connect to. (server mode only) |
|---|---|
| Type | null or string |
| Example | http://localhost:45869 |
services.hydrui.hydrusApiKeyFile
| Description | Path to a file that contains the hydrus client API access key. (server mode only) |
|---|---|
| Type | null or absolute path |
services.hydrui.htpasswdFile
| Description | Path to a file that contains an htpasswd file for authentication. (server mode only) |
|---|---|
| Type | null or absolute path |
services.hydrui.allowReport
| Description | Allow users to submit issue reports to the Hydrui Mothership. You can disable this to improve privacy if you don't think you will ever use the issue reporting functionality within Hydrui. (server mode only) |
|---|---|
| Type | null or boolean |
services.hydrui.noAuth
| Description | Disables authentication in server mode. Make sure you have appropriate security in front of the Hydrui server! (server mode only) |
|---|---|
| Type | boolean |
services.hydrui.secretFile
| Description | Secret key material used for session validation. If not specified, it will be generated and stored locally in /var/lib. |
|---|---|
| Type | null or absolute path |
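
With the defaults listed above (`bindAddress = ""`, `port = 8080`, `openFirewall = true`), server mode listens for plain HTTP on every interface with the firewall port open. The configuration below is an added example, not part of the Hydrui documentation: it keeps Hydrui on loopback for a reverse proxy on the same host and adds evaluation-time guards around `noAuth` and `openFirewall`. The `hydrui-htpasswd` sops secret name is an assumption, and the `assertions` entries are this example's own policy, not checks the module is known to perform.

```nix
{ config, ... }:
let
  cfg = config.services.hydrui;
  # Loopback address used by this example's policy.
  loopback = "127.0.0.1";
in
{
  services.hydrui = {
    enable = true;
    serverMode = true;
    hydrusUrl = "http://localhost:45869";
    hydrusApiKeyFile = config.sops.secrets.hydrus-api-key.path;
    # Assumption: a sops-nix secret named "hydrui-htpasswd" holds the bcrypt
    # htpasswd entries, so they never land in the world-readable Nix store.
    htpasswdFile = config.sops.secrets.hydrui-htpasswd.path;

    # Plain HTTP is reachable only from this host; the reverse proxy
    # terminates TLS for remote clients.
    bindAddress = loopback;
    port = 8080;
    openFirewall = false; # the module default is true

    # Set explicitly so the guards below always have a value to read.
    noAuth = false;
    allowReport = false;
  };

  # Standard NixOS assertions: evaluation fails with the message when false.
  assertions = [
    {
      # noAuth is only acceptable when nothing off-host can reach the listener.
      assertion = cfg.noAuth -> (cfg.bindAddress == loopback && !cfg.openFirewall);
      message = "services.hydrui.noAuth requires bindAddress = \"127.0.0.1\" and openFirewall = false.";
    }
    {
      # Refuse to publish the plain-HTTP port beyond loopback through the firewall.
      assertion = !(cfg.openFirewall && cfg.port != null && cfg.bindAddress != loopback);
      message = "services.hydrui: the plain-HTTP port would be exposed off-host; bind to 127.0.0.1 or serve via portTLS.";
    }
  ];
}
```

If another module later overrides `noAuth`, `bindAddress` or `openFirewall` into an exposed combination, `nixos-rebuild` stops at evaluation instead of deploying it.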