{ config, lib, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption mkPackageOption literalExpression types;

  cfg = config.services.clatd;

  # clatd is configured through a flat key=value file; the module exposes that
  # file as a freeform attribute set so any upstream key can be set.
  settingsFormat = pkgs.formats.keyValue { };

  # The rendered file is a store path (world-readable); do not place secrets in
  # `services.clatd.settings`.
  configFile = settingsFormat.generate "clatd.conf" cfg.settings;
in
{
  options.services.clatd = {
    enable = mkEnableOption "clatd";

    package = mkPackageOption pkgs "clatd" { };

    settings = mkOption {
      # No fixed option schema: everything is validated only by the keyValue
      # format, so typos in key names are passed through to clatd unchanged.
      type = types.submodule {
        freeformType = settingsFormat.type;
      };
      default = { };
      example = literalExpression ''
        {
          plat-prefix = "64:ff9b::/96";
        }
      '';
      description = ''
        Configuration of clatd. See [clatd Documentation](https://github.com/toreanderson/clatd/blob/master/README.pod#configuration).
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.clatd = {
      description = "464XLAT CLAT daemon";
      documentation = [ "man:clatd(8)" ];
      wantedBy = [ "multi-user.target" ];
      # Ordered after (and pulling in) network-online.target; no Restart= is
      # set, so a failed start is not retried automatically.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      # Disables systemd's start rate limiting for this unit.
      startLimitIntervalSec = 0;

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/clatd -c ${configFile}";

        # Hardening.  No User=/DynamicUser= is set, so the daemon runs as root;
        # the bounding set below is what actually limits what it can do.
        # Only CAP_NET_ADMIN is retained, matching the AF_NETLINK allowance
        # in RestrictAddressFamilies.
        CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectProc = "invisible";
        # `true` leaves /etc writable (unlike "full"/"strict").
        # NOTE(review): ProtectKernelTunables and PrivateDevices are not set;
        # presumably clatd needs sysctl and /dev access — confirm before
        # tightening either.
        ProtectSystem = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # Allowlist the network and generic service groups, then carve the
        # privileged and resource-control groups back out.
        SystemCallFilter = [
          "@network-io"
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
      };
    };
  };
}