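{
  config,
  lib,
  pkgs,
  ...
}:
# NixOS module for clatd, a 464XLAT CLAT daemon.
#
# `services.clatd.settings` is rendered to a key=value clatd.conf in the Nix
# store and clatd is run as a hardened systemd service. Optionally a
# NetworkManager dispatcher script restarts the daemon when an interface
# (other than the CLAT device itself) comes up or goes down.
let
  cfg = config.services.clatd;

  # clatd.conf is a flat key=value file, so the generic keyValue format is used.
  settingsFormat = pkgs.formats.keyValue { };

  # Rendered into the Nix store, which is world-readable: `settings` must not
  # carry secrets (it only holds network parameters anyway).
  configFile = settingsFormat.generate "clatd.conf" cfg.settings;

  # Name of the interface clatd manages. "clat" mirrors clatd's own default for
  # an unset `clat-dev` key (see the README linked in the option description).
  clatDev = cfg.settings.clat-dev or "clat";
in
{
  options = {
    services.clatd = {
      enable = lib.mkEnableOption "clatd";

      package = lib.mkPackageOption pkgs "clatd" { };

      # Follows the global NetworkManager switch unless set explicitly.
      enableNetworkManagerIntegration = lib.mkEnableOption "NetworkManager integration" // {
        default = config.networking.networkmanager.enable;
        defaultText = "config.networking.networkmanager.enable";
      };

      settings = lib.mkOption {
        # Freeform: every key clatd understands may be set; no per-key
        # validation happens here, clatd itself rejects unknown keys at runtime.
        type = lib.types.submodule { freeformType = settingsFormat.type; };
        default = { };
        example = lib.literalExpression ''
          {
            plat-prefix = "64:ff9b::/96";
          }
        '';
        description = ''
          Configuration of clatd. See [clatd Documentation](https://github.com/toreanderson/clatd/blob/master/README.pod#configuration).
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.clatd = {
      description = "464XLAT CLAT daemon";
      documentation = [ "man:clatd(8)" ];
      wantedBy = [ "multi-user.target" ];
      # Start only once the network is reported online; clatd configures
      # itself from the uplink's IPv6 state.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      # No start-rate limit: the dispatcher script below may restart the
      # service repeatedly within a short window when interfaces flap.
      startLimitIntervalSec = 0;

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/clatd -c ${configFile}";

        # Hardening.
        # The service has no User=/DynamicUser= and therefore runs as root; the
        # bounding set is what actually confines it. Only CAP_NET_ADMIN is kept,
        # which covers interface/address/route manipulation.
        CapabilityBoundingSet = [
          "CAP_NET_ADMIN"
        ];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        # NOTE(review): PrivateDevices= is intentionally absent — presumably
        # because clatd needs /dev/net/tun for the CLAT device; confirm before
        # adding it.
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        # NOTE(review): ProtectKernelTunables= is also absent — presumably
        # because clatd writes sysctls (e.g. forwarding); confirm before tightening.
        ProtectProc = "invisible";
        # `true` only makes /usr, /boot and /efi read-only; "strict" would be
        # stronger. NOTE(review): left at `true` because this module does not
        # show whether clatd needs to write below /etc or /var — verify first.
        ProtectSystem = true;
        # Netlink is required for the route/address changes clatd performs;
        # AF_UNIX for journald/logging sockets.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # Allow the generic service and network groups, then carve out the
        # privileged and resource-limit syscalls clatd has no business making.
        SystemCallFilter = [
          "@network-io"
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
      };
    };

    networking.networkmanager.dispatcherScripts = lib.optionals cfg.enableNetworkManagerIntegration [
      {
        type = "basic";
        # Adapted from upstream:
        # https://github.com/toreanderson/clatd/blob/master/scripts/clatd.networkmanager
        # NetworkManager exposes the interface as $DEVICE_IFACE and passes the
        # action ("up", "down", ...) as $2.
        #
        # `clatDev` comes from the trusted system configuration, not from an
        # attacker, but it is still passed through escapeShellArg so that an
        # interface name containing quotes or whitespace cannot break the test.
        source = pkgs.writeShellScript "restart-clatd" ''
          # Ignore events on the CLAT device itself: clatd brings that interface
          # up and down, so reacting to it would retrigger restarts.
          [ "$DEVICE_IFACE" = ${lib.escapeShellArg clatDev} ] && exit 0
          # Only react to interfaces coming up or going down.
          [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
          ${pkgs.systemd}/bin/systemctl restart clatd.service
        '';
      }
    ];
  };
}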