{ config, lib, pkgs, ... }:

let
  # Shorthand for this module's own option values.
  cfg = config.services.endlessh;

  # Ports below 1024 can only be bound with CAP_NET_BIND_SERVICE.
  bindsPrivilegedPort = cfg.port < 1024;

  # The leading "" clears the set; the capability is appended only when
  # the configured port actually requires it.
  grantedCapabilities =
    [ "" ] ++ lib.optionals bindsPrivilegedPort [ "CAP_NET_BIND_SERVICE" ];

  # Directory the service is chrooted into; created as a RuntimeDirectory.
  chrootDirectory = "/run/endlessh";

  # Command line: binary, listening port, then any user-supplied options.
  # NOTE(review): the parts are joined with single spaces and no quoting, so
  # systemd's own word splitting applies to extraOptions (the "-d 9000"
  # example in the option relies on exactly that).
  endlesshCommand = lib.concatStringsSep " " (
    [
      "${pkgs.endlessh}/bin/endlessh"
      "-p ${toString cfg.port}"
    ]
    ++ cfg.extraOptions
  );
in
{
  options.services.endlessh = {
    enable = lib.mkEnableOption (lib.mdDoc "endlessh service");

    port = lib.mkOption {
      type = lib.types.port;
      default = 2222;
      example = 22;
      description = lib.mdDoc ''
        Specifies on which port the endlessh daemon listens for SSH
        connections.

        Setting this to `22` may conflict with {option}`services.openssh`.
      '';
    };

    extraOptions = lib.mkOption {
      type = with lib.types; listOf str;
      default = [ ];
      example = [ "-6" "-d 9000" "-v" ];
      description = lib.mdDoc ''
        Additional command line options to pass to the endlessh daemon.
      '';
    };

    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to open a firewall port for the SSH listener.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.endlessh = {
      description = "SSH tarpit";
      requires = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Restart = "always";
        ExecStart = endlesshCommand;

        # Transient user plus a chroot in which only the Nix store is
        # visible (read-only); the chroot directory itself is hidden from
        # inside ("+" = relative to the new root, "-" = ignore if missing).
        DynamicUser = true;
        RootDirectory = chrootDirectory;
        BindReadOnlyPaths = [ builtins.storeDir ];
        InaccessiblePaths = [ "-+${chrootDirectory}" ];
        RuntimeDirectory = baseNameOf chrootDirectory;
        RuntimeDirectoryMode = "700";

        # Only CAP_NET_BIND_SERVICE, and only for a privileged port.
        AmbientCapabilities = grantedCapabilities;
        CapabilityBoundingSet = grantedCapabilities;
        UMask = "0077";

        # Sandboxing: kernel/process isolation.
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        # A user namespace is skipped when a privileged port must be bound
        # (presumably so the ambient capability stays effective — confirm).
        PrivateUsers = !bindsPrivilegedPort;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        ProtectProc = "noaccess";
        ProcSubset = "pid";
        RemoveIPC = true;

        # Only IPv4/IPv6 sockets; no namespaces, realtime or setuid/setgid.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
      };
    };

    # Open the listener port only when explicitly requested.
    networking.firewall.allowedTCPPorts =
      lib.optionals cfg.openFirewall [ cfg.port ];
  };

  meta.maintainers = [ lib.maintainers.azahi ];
}