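{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.chisel-server;

  # Command-line arguments for `chisel server`, built from the options below.
  # A flag is only emitted when its option is set.  Flag and value are kept as
  # separate list elements and shell-escaped at the point of use, so a host,
  # path or backend URL containing whitespace or metacharacters still reaches
  # chisel as a single argument instead of being re-split by the ExecStart
  # parser.
  serverArgs =
    optionals (cfg.host != null) [ "--host" cfg.host ]
    ++ optionals (cfg.port != null) [ "--port" (toString cfg.port) ]
    ++ optionals (cfg.authfile != null) [ "--authfile" (toString cfg.authfile) ]
    ++ optionals (cfg.keepalive != null) [ "--keepalive" cfg.keepalive ]
    ++ optionals (cfg.backend != null) [ "--backend" cfg.backend ]
    ++ optional cfg.socks5 "--socks5"
    ++ optional cfg.reverse "--reverse";

in {
  options = {
    services.chisel-server = {
      enable = mkEnableOption (mdDoc "Chisel Tunnel Server");

      host = mkOption {
        description = mdDoc "Address to listen on, falls back to 0.0.0.0";
        type = with types; nullOr str;
        default = null;
        example = "[::1]";
      };

      port = mkOption {
        description = mdDoc "Port to listen on, falls back to 8080";
        type = with types; nullOr port;
        default = null;
      };

      authfile = mkOption {
        description = mdDoc ''
          Path to auth.json file.

          The service runs with `DynamicUser=`, so the file must be readable by
          that transient user (it is not read as root), and it must not live
          under a home directory, which `ProtectHome=` hides from the service.
        '';
        type = with types; nullOr path;
        default = null;
      };

      keepalive = mkOption {
        description = mdDoc "Keepalive interval, falls back to 25s";
        type = with types; nullOr str;
        default = null;
        example = "5s";
      };

      backend = mkOption {
        description = mdDoc "HTTP server to proxy normal requests to";
        type = with types; nullOr str;
        default = null;
        example = "http://127.0.0.1:8888";
      };

      socks5 = mkOption {
        description = mdDoc "Allow clients access to internal SOCKS5 proxy";
        type = types.bool;
        default = false;
      };

      reverse = mkOption {
        description = mdDoc "Allow clients reverse port forwarding";
        type = types.bool;
        default = false;
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.chisel-server = {
      description = "Chisel Tunnel Server";

      # network-online.target is a passive target: nothing starts it unless a
      # unit pulls it in, so a service that is only wantedBy it may never run
      # at boot.  Install into multi-user.target instead and order after (and
      # pull in) network-online.target so listening starts once the network
      # is up.
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        ExecStart = "${pkgs.chisel}/bin/chisel server ${escapeShellArgs serverArgs}";

        # Security Hardening
        # Refer to systemd.exec(5) for option descriptions.
        CapabilityBoundingSet = "";

        # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
        # ProtectSystem=strict, ProtectHome=read-only
        DynamicUser = true;
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectProc = "invisible";
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        # TCP listener and outbound proxy connections need AF_INET/AF_INET6;
        # AF_UNIX is kept for local sockets such as journal logging.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources";
        UMask = "0077";
      };
    };
  };

  meta.maintainers = with maintainers; [ clerie ];
}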