# NixOS module for the Cato Networks Linux client (cato-client).
# Enabling it installs the package, creates the `cato-client` group, runs the
# daemon as a hardened systemd unit and exposes two setgid wrappers, mirroring
# what the upstream .deb post-install script sets up.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  catoCfg = config.services.cato-client;
in
{
  options.services.cato-client = {
    enable = lib.mkEnableOption "cato-client service";
    package = lib.mkPackageOption pkgs "cato-client" { };
  };

  config = lib.mkIf catoCfg.enable {
    # Group shared by the daemon (Group= below) and the setgid wrappers.
    users.groups.cato-client = { };

    environment.systemPackages = [ catoCfg.package ];

    # Security wrappers, same owner/group/mode as intended by the upstream
    # deb post-install script.
    security.wrappers = {
      cato-clientd = {
        source = "${catoCfg.package}/bin/cato-clientd";
        owner = "root";
        group = "cato-client";
        setgid = true;
        permissions = "u+rwx,g+rwx"; # 770
        # NOTE(review): this setgid wrapper is also group-writable (g+w);
        # confirm that mirrors the upstream .deb rather than being accidental.
      };
      cato-sdp = {
        source = "${catoCfg.package}/bin/cato-sdp";
        owner = "root";
        group = "cato-client";
        setgid = true;
        permissions = "u+rwx,g+rx,a+rx"; # 755
      };
    };

    systemd.services.cato-client = {
      enable = true;
      description = "Cato Networks Linux client - connects tunnel to Cato cloud";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        # The daemon runs as root; the group keeps its tools sticky to cato-client.
        User = "root";
        Group = "cato-client";
        ExecStart = "${catoCfg.package}/bin/cato-clientd systemd";
        WorkingDirectory = "${catoCfg.package}";
        Restart = "always";

        # Observed daemon behaviour, which bounds how far the hardening
        # directives below can go:
        # - Looks in each user's ~/.cato/ for configuration and keys
        # - Writes to /var/log/cato-client.log
        # - Creates and uses sockets /var/run/cato-sdp.i, /var/run/cato-sdp.o
        # - Reads and writes /opt/cato/ for runtime settings
        # - Reads /etc/systemd/resolved.conf (but fine if fails)
        # - Restarts systemd-resolved (also fine if doesn't exist)
        #
        # NOTE(review): ProtectSystem=true (rather than "strict") and the
        # absence of ProtectHome are presumably deliberate so the paths above
        # stay reachable -- verify against the daemon before tightening.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectSystem = true;
      };
    };
  };
}