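{ config, lib, pkgs, utils, ... }:

with lib;

let
  cfg = config.services.snowflake-proxy;

  # Command-line flags for the proxy.  A flag is only emitted when the
  # corresponding option is set, so the binary's own defaults (quoted in the
  # option descriptions below) apply otherwise.  Flag and value are kept as
  # separate list elements so that each one is escaped individually for
  # systemd's ExecStart= word splitting; a URL containing whitespace or quote
  # characters therefore cannot turn into extra arguments.
  proxyArgs =
    optionals (cfg.broker != null) [ "-broker" cfg.broker ]
    ++ optionals (cfg.capacity != null) [ "-capacity" (toString cfg.capacity) ]
    ++ optionals (cfg.relay != null) [ "-relay" cfg.relay ]
    ++ optionals (cfg.stun != null) [ "-stun" cfg.stun ];
in
{
  options = {
    services.snowflake-proxy = {
      enable = mkEnableOption (lib.mdDoc "System to defeat internet censorship");

      # All URL/limit options are `null` by default, meaning "do not pass the
      # flag" rather than "pass an empty value".
      broker = mkOption {
        description = lib.mdDoc "Broker URL (default \"https://snowflake-broker.torproject.net/\")";
        type = with types; nullOr str;
        default = null;
      };

      capacity = mkOption {
        description = lib.mdDoc "Limits the amount of maximum concurrent clients allowed.";
        type = with types; nullOr int;
        default = null;
      };

      relay = mkOption {
        description = lib.mdDoc "websocket relay URL (default \"wss://snowflake.bamsoftware.com/\")";
        type = with types; nullOr str;
        default = null;
      };

      stun = mkOption {
        description = lib.mdDoc "STUN broker URL (default \"stun:stun.stunprotocol.org:3478\")";
        type = with types; nullOr str;
        default = null;
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.snowflake-proxy = {
      # The proxy is a network *client*, so it is started with the system and
      # ordered after the network is online.  Installing it via
      # `wantedBy = [ "network-online.target" ]` would do the opposite: a target
      # implicitly orders itself After= the units it Wants=, so the target
      # would wait for this service and the proxy would start before the
      # network is up.
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      serviceConfig = {
        # escapeSystemdExecArgs quotes every argument for systemd's ExecStart=
        # parser (it is not a shell, so escapeShellArg would be the wrong tool).
        ExecStart = utils.escapeSystemdExecArgs
          ([ "${pkgs.snowflake}/bin/proxy" ] ++ proxyArgs);

        # Security Hardening
        # Refer to systemd.exec(5) for option descriptions.
        CapabilityBoundingSet = "";

        # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
        # ProtectSystem=strict, ProtectHome=read-only
        DynamicUser = true;
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        # Stricter than the read-only ProtectHome implied by DynamicUser=.
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectProc = "invisible";
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        # IPv4/IPv6 for the broker, relay, STUN and WebRTC peers; AF_UNIX for
        # the journal/stdio plumbing systemd sets up for the unit.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
        UMask = "0077";
      };
    };
  };

  meta.maintainers = with maintainers; [ yayayayaka ];
}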