nixos/modules/services/security/tang.nix at 25.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / security / tang.nix
at 25.11-pre 2.9 kB view raw
  1{
  2  config,
  3  lib,
  4  pkgs,
  5  ...
  6}:
  7let
  8  cfg = config.services.tang;
  9in
 10{
 11  options.services.tang = {
 12    enable = lib.mkEnableOption "tang";
 13
 14    package = lib.mkOption {
 15      type = lib.types.package;
 16      default = pkgs.tang;
 17      defaultText = lib.literalExpression "pkgs.tang";
 18      description = "The tang package to use.";
 19    };
 20
 21    listenStream = lib.mkOption {
 22      type = with lib.types; listOf str;
 23      default = [ "7654" ];
 24      example = [
 25        "198.168.100.1:7654"
 26        "[2001:db8::1]:7654"
 27        "7654"
 28      ];
 29      description = ''
 30        Addresses and/or ports on which tang should listen.
 31        For detailed syntax see ListenStream in {manpage}`systemd.socket(5)`.
 32      '';
 33    };
 34
 35    ipAddressAllow = lib.mkOption {
 36      example = [ "192.168.1.0/24" ];
 37      type = lib.types.listOf lib.types.str;
 38      description = ''
 39        Whitelist a list of address prefixes.
 40        Preferably, internal addresses should be used.
 41      '';
 42    };
 43
 44  };
 45  config = lib.mkIf cfg.enable {
 46    environment.systemPackages = [ cfg.package ];
 47
 48    systemd.services."tangd@" = {
 49      description = "Tang server";
 50      path = [ cfg.package ];
 51      serviceConfig = {
 52        StandardInput = "socket";
 53        StandardOutput = "socket";
 54        StandardError = "journal";
 55        DynamicUser = true;
 56        StateDirectory = "tang";
 57        RuntimeDirectory = "tang";
 58        StateDirectoryMode = "700";
 59        UMask = "0077";
 60        CapabilityBoundingSet = [ "" ];
 61        ExecStart = "${cfg.package}/libexec/tangd %S/tang";
 62        LockPersonality = true;
 63        MemoryDenyWriteExecute = true;
 64        NoNewPrivileges = true;
 65        DeviceAllow = [ "/dev/stdin" ];
 66        RestrictAddressFamilies = [ "AF_UNIX" ];
 67        DevicePolicy = "strict";
 68        PrivateDevices = true;
 69        PrivateTmp = true;
 70        PrivateUsers = true;
 71        ProcSubset = "pid";
 72        ProtectClock = true;
 73        ProtectControlGroups = true;
 74        ProtectHome = true;
 75        ProtectHostname = true;
 76        ProtectKernelLogs = true;
 77        ProtectKernelModules = true;
 78        ProtectKernelTunables = true;
 79        ProtectProc = "invisible";
 80        ProtectSystem = "strict";
 81        RestrictNamespaces = true;
 82        RestrictRealtime = true;
 83        RestrictSUIDSGID = true;
 84        SystemCallArchitectures = "native";
 85        SystemCallFilter = [
 86          "@system-service"
 87          "~@privileged"
 88          "~@resources"
 89        ];
 90        IPAddressDeny = "any";
 91        IPAddressAllow = cfg.ipAddressAllow;
 92      };
 93    };
 94
 95    systemd.sockets.tangd = {
 96      description = "Tang server";
 97      wantedBy = [ "sockets.target" ];
 98      socketConfig = {
 99        ListenStream = cfg.listenStream;
100        Accept = "yes";
101        IPAddressDeny = "any";
102        IPAddressAllow = cfg.ipAddressAllow;
103      };
104    };
105  };
106  meta.maintainers = with lib.maintainers; [
107    jfroche
108    julienmalka
109  ];
110}