# NixOS module for the Envoy reverse proxy.
#
# Exposes `services.envoy.enable` and `services.envoy.settings`; when enabled
# it renders `settings` to a JSON bootstrap file, validates that file with
# Envoy's own validator at build time, and runs Envoy as a hardened systemd
# service under a dynamically allocated user.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkOption mkIf literalExpression mdDoc;

  cfg = config.services.envoy;

  # JSON is Envoy's native bootstrap format; `format.type` doubles as the
  # option type so `settings` is checked as structured data.
  format = pkgs.formats.json { };

  # The rendered bootstrap file. This is a Nix store path, and the store is
  # readable by every local user on a normal system: keep TLS private keys
  # and tokens out of `settings` and reference them by file path instead.
  renderedConfig = format.generate "envoy.json" cfg.settings;

  # Run `envoy --mode validate` over a config file as a build step, so a
  # broken config fails the system build rather than the service start.
  # The validated file is copied unchanged to $out, which ExecStart uses.
  validated = file:
    pkgs.runCommand "validate-envoy-conf" { } ''
      ${pkgs.envoy}/bin/envoy --log-level error --mode validate -c "${file}"
      cp "${file}" "$out"
    '';

  configFile = validated renderedConfig;
in
{
  options.services.envoy = {
    enable = mkEnableOption (mdDoc "Envoy reverse proxy");

    settings = mkOption {
      type = format.type;
      default = { };
      example = literalExpression ''
        {
          admin = {
            access_log_path = "/dev/null";
            address = {
              socket_address = {
                protocol = "TCP";
                address = "127.0.0.1";
                port_value = 9901;
              };
            };
          };
          static_resources = {
            listeners = [];
            clusters = [];
          };
        }
      '';
      description = mdDoc ''
        Specify the configuration for Envoy in Nix.
      '';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.envoy ];

    systemd.services.envoy = {
      description = "Envoy reverse proxy";
      after = [ "network-online.target" ];
      requires = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # Points at the validated copy, so the unit only ever starts with a
        # config that already passed `envoy --mode validate`.
        ExecStart = "${pkgs.envoy}/bin/envoy -c ${configFile}";

        # Transient user/group; nothing persistent is owned by the service
        # beyond the state directories declared below.
        DynamicUser = true;
        # Explicitly the systemd default: a crashed Envoy is not restarted
        # automatically — TODO confirm this is intended for a proxy.
        Restart = "no";
        CacheDirectory = "envoy";
        LogsDirectory = "envoy";

        # Only capability retained: binding listeners on ports below 1024.
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        # AF_NETLINK / AF_XDP are presumably for interface enumeration and
        # XDP sockets — verify they are actually needed by the deployed config.
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_XDP";
        SystemCallArchitectures = "native";

        # Sandboxing. PrivateUsers stays off because a user namespace would
        # strip CAP_NET_BIND_SERVICE.
        LockPersonality = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "ptraceable";
        ProtectHostname = true;
        ProtectSystem = "strict";
        # Drops group/other read+write on files Envoy creates in its cache and
        # log directories; execute bits are left alone (0077 would be the
        # stricter choice — TODO confirm 0066 is deliberate).
        UMask = "0066";
        # Deny-list of syscall groups Envoy should never need.
        SystemCallFilter = "~@clock @module @mount @reboot @swap @obsolete @cpu-emulation";
      };
    };
  };
}