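# NixOS module for the whoami service (traefik/whoami), exposed as
# `services.whoami`. The service is started as a hardened, transient-user
# systemd unit that is only allowed to bind the configured TCP port.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.services.whoami;
in

{
  meta.maintainers = with lib.maintainers; [ defelo ];

  options.services.whoami = {
    enable = lib.mkEnableOption "whoami";

    package = lib.mkPackageOption pkgs "whoami" { };

    # The value is used both for the `-port` flag and for the socket bind
    # allow-list in the unit's hardening section below, so the two cannot
    # drift apart.
    port = lib.mkOption {
      type = lib.types.port;
      description = "The port whoami should listen on.";
      default = 8000;
    };

    # Appended after the generated `-port` argument. Each element is quoted
    # separately (see ExecStart), so values are passed verbatim to the binary.
    # NOTE(review): a `-port` given here would presumably be blocked by
    # SocketBindAllow/SocketBindDeny below, which are derived from `cfg.port`;
    # use the `port` option instead.
    extraArgs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = "Extra command line arguments to pass to whoami. See <https://github.com/traefik/whoami#flags> for details.";
      default = [ ];
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.whoami = {
      wantedBy = [ "multi-user.target" ];

      # Start only once the network is up so the listener binds reliably.
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        # A transient user/group named "whoami" is allocated by systemd for the
        # lifetime of the service; no persistent account is created.
        User = "whoami";
        Group = "whoami";
        DynamicUser = true;

        # Every argument is quoted individually, so user-supplied extraArgs can
        # never be re-interpreted by the shell. The port is converted
        # explicitly rather than relying on escapeShellArgs to stringify it.
        ExecStart = lib.escapeShellArgs (
          [
            (lib.getExe cfg.package)
            "-port"
            (toString cfg.port)
          ]
          ++ cfg.extraArgs
        );

        # Hardening
        # No capabilities at all, neither ambient nor in the bounding set.
        AmbientCapabilities = "";
        CapabilityBoundingSet = "";
        DevicePolicy = "closed";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        # The service writes nothing to disk, so the whole filesystem can be
        # read-only.
        ProtectSystem = "strict";
        RemoveIPC = true;
        # Only IPv4/IPv6 sockets; one list element per family, matching the
        # form used for SystemCallFilter below.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        # Pin the bindable socket to exactly the configured port; every other
        # bind() is denied.
        SocketBindAllow = "tcp:${toString cfg.port}";
        SocketBindDeny = "any";
        SystemCallArchitectures = "native";
        # Allow the standard service baseline, then subtract the privileged
        # and resource-limit syscall groups.
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
        # Anything the service does create is private to its own user.
        UMask = "0077";
      };
    };
  };
}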