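# NixOS module for the Chisel tunnel server (services.chisel-server).
#
# Every optional flag is left unset by default so that the chisel binary's
# own fallbacks apply (documented in each option description).
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.chisel-server;

  # Argument vector for `chisel server`.  null / false options are omitted
  # entirely.  The list is passed through lib.escapeShellArgs so that a value
  # containing whitespace or quotes cannot break the ExecStart= line.
  #
  # NOTE: `"${cfg.authfile}"` keeps the original interpolation semantics: a
  # Nix *path literal* (e.g. `./auth.json`) is copied into the world-readable
  # Nix store.  Pass an out-of-store string path (or use LoadCredential=) for a
  # file that holds credentials.
  serverArgs =
    lib.optionals (cfg.host != null) [ "--host" cfg.host ]
    ++ lib.optionals (cfg.port != null) [ "--port" (builtins.toString cfg.port) ]
    ++ lib.optionals (cfg.authfile != null) [ "--authfile" "${cfg.authfile}" ]
    ++ lib.optionals (cfg.keepalive != null) [ "--keepalive" cfg.keepalive ]
    ++ lib.optionals (cfg.backend != null) [ "--backend" cfg.backend ]
    ++ lib.optional cfg.socks5 "--socks5"
    ++ lib.optional cfg.reverse "--reverse";
in
{
  options = {
    services.chisel-server = {
      enable = lib.mkEnableOption "Chisel Tunnel Server";
      host = lib.mkOption {
        description = "Address to listen on, falls back to 0.0.0.0";
        type = with lib.types; nullOr str;
        default = null;
        example = "[::1]";
      };
      port = lib.mkOption {
        description = "Port to listen on, falls back to 8080";
        type = with lib.types; nullOr port;
        default = null;
      };
      authfile = lib.mkOption {
        description = "Path to auth.json file";
        type = with lib.types; nullOr path;
        default = null;
      };
      keepalive = lib.mkOption {
        description = "Keepalive interval, falls back to 25s";
        type = with lib.types; nullOr str;
        default = null;
        example = "5s";
      };
      backend = lib.mkOption {
        description = "HTTP server to proxy normal requests to";
        type = with lib.types; nullOr str;
        default = null;
        example = "http://127.0.0.1:8888";
      };
      socks5 = lib.mkOption {
        description = "Allow clients access to internal SOCKS5 proxy";
        type = lib.types.bool;
        default = false;
      };
      reverse = lib.mkOption {
        description = "Allow clients reverse port forwarding";
        type = lib.types.bool;
        default = false;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.chisel-server = {
      description = "Chisel Tunnel Server";

      # Start at boot, but only once the network is up: the original
      # `wantedBy = [ "network-online.target" ]` pulled the unit in without
      # any ordering, so a bind to a specific `host` address could race the
      # network configuration on a cold start.
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        ExecStart = lib.escapeShellArgs (
          [
            "${pkgs.chisel}/bin/chisel"
            "server"
          ]
          ++ serverArgs
        );

        # Security Hardening
        # Refer to systemd.exec(5) for option descriptions.

        # No capabilities at all: with an empty bounding set the service
        # cannot bind privileged ports (< 1024) unless the kernel's
        # unprivileged-port range has been lowered; the default 8080 is fine.
        CapabilityBoundingSet = "";

        # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
        # ProtectSystem=strict, ProtectHome=read-only
        # The transient user must be able to read `authfile`; a root-only
        # secret will not be readable here without LoadCredential=.
        DynamicUser = true;
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectProc = "invisible";
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        # AF_UNIX stays allowed for the journal socket; only IP sockets
        # are needed for the tunnel itself.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources";
        UMask = "0077";
      };
    };
  };

  meta.maintainers = with lib.maintainers; [ clerie ];
}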