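{
  config,
  lib,
  pkgs,
  utils,
  ...
}:

# NixOS module for the Tor Project's Snowflake proxy.
#
# Each option below maps to one flag of `${pkgs.snowflake}/bin/proxy`; an
# option left at `null` is simply not passed, so the proxy's own built-in
# default (quoted in the option description) applies.

let
  cfg = config.services.snowflake-proxy;

  # Full ExecStart= command line.
  #
  # Every argument goes through utils.escapeSystemdExecArgs: systemd's
  # ExecStart= parser performs word splitting, `$VAR` environment expansion
  # and `%x` specifier expansion before the binary ever sees its argv, so an
  # unescaped URL containing a space, a quote, `$` or a percent-encoded
  # sequence such as `%20` would be split, mangled, or rejected with
  # "Failed to resolve unit specifiers".  Escaping makes each value arrive
  # byte-for-byte as written in the NixOS configuration.
  proxyCommand = utils.escapeSystemdExecArgs (
    [ "${pkgs.snowflake}/bin/proxy" ]
    ++ lib.optionals (cfg.broker != null) [ "-broker" cfg.broker ]
    ++ lib.optionals (cfg.capacity != null) [ "-capacity" (toString cfg.capacity) ]
    ++ lib.optionals (cfg.relay != null) [ "-relay" cfg.relay ]
    ++ lib.optionals (cfg.stun != null) [ "-stun" cfg.stun ]
  );
in
{
  options = {
    services.snowflake-proxy = {
      enable = lib.mkEnableOption "snowflake-proxy, a system to defeat internet censorship";

      broker = lib.mkOption {
        description = "Broker URL (default \"https://snowflake-broker.torproject.net/\")";
        type = lib.types.nullOr lib.types.str;
        default = null;
      };

      capacity = lib.mkOption {
        description = "Maximum number of concurrent clients the proxy accepts.";
        type = lib.types.nullOr lib.types.int;
        default = null;
      };

      relay = lib.mkOption {
        description = "websocket relay URL (default \"wss://snowflake.bamsoftware.com/\")";
        type = lib.types.nullOr lib.types.str;
        default = null;
      };

      stun = lib.mkOption {
        description = "STUN broker URL (default \"stun:stun.stunprotocol.org:3478\")";
        type = lib.types.nullOr lib.types.str;
        default = null;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.snowflake-proxy = {
      # NOTE(review): being wanted *by* network-online.target makes the proxy
      # start alongside the network coming up rather than after it; nothing
      # here orders it `after = [ "network-online.target" ]`.  This relies on
      # the proxy retrying its broker connection on its own -- confirm, or
      # add the `after`/`wants` pair and move wantedBy to multi-user.target.
      wantedBy = [ "network-online.target" ];

      serviceConfig = {
        ExecStart = proxyCommand;

        # Security Hardening
        # Refer to systemd.exec(5) for option descriptions.

        # Empty bounding set: the service retains no capabilities at all.
        CapabilityBoundingSet = "";

        # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
        # ProtectSystem=strict, ProtectHome=read-only
        DynamicUser = true;
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        # Stricter than the read-only ProtectHome implied by DynamicUser.
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectProc = "invisible";
        ProtectKernelModules = true;
        ProtectKernelTunables = true;

        # IPv4/IPv6 for the broker, STUN and WebRTC traffic; AF_UNIX for
        # journald logging.
        # NOTE(review): Go's net.Interfaces() on Linux opens an AF_NETLINK
        # socket; if WebRTC candidate gathering fails under this allow-list,
        # a missing "AF_NETLINK" entry is the first thing to check.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";

        # Allow the generic service syscall set, then subtract the privileged
        # group (e.g. mount, reboot, module loading).
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        # Files the proxy creates are private to its dynamic user.
        UMask = "0077";
      };
    };
  };

  meta.maintainers = [ lib.maintainers.yayayayaka ];
}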