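{
  lib,
  pkgs,
  config,
  ...
}:
# NixOS module for the Firezone gateway: the component that terminates the
# WireGuard tunnels of a Firezone deployment and forwards traffic to protected
# resources.
#
# Security-relevant design choices, annotated inline below:
#   * the gateway token reaches the process via systemd credentials, never the
#     Nix store (a warning is emitted if the configured path would land there);
#   * the service runs as a dynamic user with CAP_NET_ADMIN as its only
#     capability, and is otherwise sandboxed by the usual systemd hardening;
#   * the unit is ordered after network-online.target because it dials out to
#     the control plane at startup.
let
  inherit (lib)
    boolToString
    getExe
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    types
    ;

  cfg = config.services.firezone.gateway;
in
{
  options = {
    services.firezone.gateway = {
      # Spelled out with mkOption (rather than mkEnableOption) so the
      # description can carry the NAT/forwarding caveat.
      enable = mkOption {
        default = false;
        example = true;
        description = ''
          Whether to enable the firezone gateway.

          You have to manually masquerade and forward traffic from the
          tun-firezone interface to your resource! Refer to the
          [upstream setup script](https://github.com/firezone/firezone/blob/8c7c0a9e8e33ae790aeb75fdb5a15432c2870b79/scripts/gateway-systemd-install.sh#L154-L168)
          for a list of iptables commands.

          See the firezone nixos test in this repository for an nftables based example.
        '';
        type = lib.types.bool;
      };
      package = mkPackageOption pkgs "firezone-gateway" { };

      name = mkOption {
        type = types.str;
        description = "The name of this gateway as shown in firezone";
      };

      # Only secure WebSocket URLs with a trailing slash are accepted; the
      # regex rejects plain ws:// so the token is never sent in cleartext.
      apiUrl = mkOption {
        type = types.strMatching "^wss://.+/$";
        example = "wss://firezone.example.com/api/";
        description = ''
          The URL of your firezone server's API. This should be the same
          as your server's setting for {option}`services.firezone.server.settings.api.externalUrl`,
          but with `wss://` instead of `https://`.
        '';
      };

      tokenFile = mkOption {
        type = types.path;
        example = "/run/secrets/firezone-gateway-token";
        description = ''
          A file containing the firezone gateway token. Do not use a nix-store path
          (or a path literal such as `./token`, which is copied to the store) here,
          as it will make the token world-readable!

          This file is passed to the service via systemd credentials
          (`LoadCredential`), so it only needs to be readable by root; the
          service itself runs as an unprivileged dynamic user.
        '';
      };

      logLevel = mkOption {
        type = types.str;
        default = "info";
        description = ''
          The log level for the firezone application. See
          [RUST_LOG](https://docs.rs/env_logger/latest/env_logger/#enabling-logging)
          for the format.
        '';
      };

      enableTelemetry = mkEnableOption "telemetry";
    };
  };

  config = mkIf cfg.enable {
    # Fail loudly (but not fatally) when the token would end up in /nix/store:
    # a path literal is copied there as soon as it is interpolated into
    # LoadCredential below, and a derivation or store-path string already
    # lives there. Either way the secret would be world-readable.
    warnings = lib.optional (builtins.isPath cfg.tokenFile || lib.isStorePath cfg.tokenFile) ''
      services.firezone.gateway.tokenFile (${toString cfg.tokenFile}) points into the Nix store,
      which makes the gateway token world-readable. Use an out-of-store path such as
      /run/secrets/firezone-gateway-token instead.
    '';

    systemd.services.firezone-gateway = {
      description = "Gateway service for the Firezone zero-trust access platform";
      # The gateway opens an outbound WebSocket to the control plane as soon as
      # it starts, so wait for the network to be online rather than merely
      # configured (network.target). Restart=on-failure below still covers
      # transient connectivity loss.
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      # uuidgen for the persisted gateway id.
      path = [ pkgs.util-linux ];
      script = ''
        # If FIREZONE_ID is not given by the user (e.g. through
        # systemd.services.firezone-gateway.environment), use a uuid persisted
        # in the state directory (generated on first start) so the gateway keeps
        # a stable identity across restarts.
        if [[ -z "''${FIREZONE_ID:-}" ]]; then
          if [[ ! -e gateway_id ]]; then
            uuidgen -r > gateway_id
          fi
          export FIREZONE_ID=$(< gateway_id)
        fi

        # Read the token from the systemd credential and hand it to the binary
        # through its environment. NOTE(review): the token is thereby visible in
        # /proc/<pid>/environ to root and to the service user; the binary is
        # exec'd directly so no other process inherits it.
        export FIREZONE_TOKEN=$(< "$CREDENTIALS_DIRECTORY/firezone-token")
        exec ${getExe cfg.package}
      '';

      environment = {
        FIREZONE_API_URL = cfg.apiUrl;
        FIREZONE_NAME = cfg.name;
        FIREZONE_NO_TELEMETRY = boolToString (!cfg.enableTelemetry);
        RUST_LOG = cfg.logLevel;
      };

      serviceConfig = {
        Type = "exec";
        # Unprivileged, transient user; the token never needs to be readable by it
        # on disk because systemd copies the credential into $CREDENTIALS_DIRECTORY.
        DynamicUser = true;
        User = "firezone-gateway";
        LoadCredential = [ "firezone-token:${cfg.tokenFile}" ];

        # The only device the gateway needs is the TUN control node; the only
        # capability is CAP_NET_ADMIN (interface/route/netlink management).
        DeviceAllow = "/dev/net/tun";
        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
        CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];

        # Persistent home for gateway_id; everything else is read-only.
        StateDirectory = "firezone-gateway";
        WorkingDirectory = "/var/lib/firezone-gateway";

        Restart = "on-failure";
        RestartSec = 10;

        # Standard sandboxing. PrivateUsers must stay off: CAP_NET_ADMIN has to
        # be effective in the host network namespace to configure tun-firezone.
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = false;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        # IPv4/IPv6 for the tunnel and control channel, netlink for interface
        # and route configuration.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "@system-service";
        # Files created in the state directory (gateway_id) are owner-only.
        UMask = "077";
      };
    };
  };

  meta.maintainers = with lib.maintainers; [
    oddlama
    patrickdag
  ];
}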