pyrox.dev / nixpkgs
lol
fork atom

nixos/clatd: init

Georg Haas 0c42398c 62f7c1ff

options
unified split
Changed files
+85
nixos
doc
manual
release-notes
rl-2405.section.md
modules
module-list.nix
services
networking
clatd.nix
+2
nixos/doc/manual/release-notes/rl-2405.section.md 
···

       
92

       
92

       
 

       



     

       
93

       
93

       
 

       
- [PhotonVision](https://photonvision.org/), a free, fast, and easy-to-use computer vision solution for the FIRST® Robotics Competition.


     

       
94

       
94

       
 

       



     

       

       
95

       
+

       
- [clatd](https://github.com/toreanderson/clatd), a a CLAT / SIIT-DC Edge Relay implementation for Linux.


     

       

       
96

       
+

       



     

       
95

       
97

       
 

       
- [pyLoad](https://pyload.net/), a FOSS download manager written in Python. Available as [services.pyload](#opt-services.pyload.enable)


     

       
96

       
98

       
 

       



     

       
97

       
99

       
 

       
- [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).
+1
nixos/modules/module-list.nix 
···

       
944

       
944

       
 

       
  ./services/networking/charybdis.nix


     

       
945

       
945

       
 

       
  ./services/networking/chisel-server.nix


     

       
946

       
946

       
 

       
  ./services/networking/cjdns.nix


     

       

       
947

       
+

       
  ./services/networking/clatd.nix


     

       
947

       
948

       
 

       
  ./services/networking/cloudflare-dyndns.nix


     

       
948

       
949

       
 

       
  ./services/networking/cloudflared.nix


     

       
949

       
950

       
 

       
  ./services/networking/cntlm.nix
+82
nixos/modules/services/networking/clatd.nix 
···

       

       
1

       
+

       
{ config, lib, pkgs, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       
let


     

       

       
5

       
+

       
  cfg = config.services.clatd;


     

       

       
6

       
+

       



     

       

       
7

       
+

       
  settingsFormat = pkgs.formats.keyValue {};


     

       

       
8

       
+

       



     

       

       
9

       
+

       
  configFile = settingsFormat.generate "clatd.conf" cfg.settings;


     

       

       
10

       
+

       
in


     

       

       
11

       
+

       
{


     

       

       
12

       
+

       
  options = {


     

       

       
13

       
+

       
    services.clatd = {


     

       

       
14

       
+

       
      enable = mkEnableOption "clatd";


     

       

       
15

       
+

       



     

       

       
16

       
+

       
      package = mkPackageOption pkgs "clatd" { };


     

       

       
17

       
+

       



     

       

       
18

       
+

       
      settings = mkOption {


     

       

       
19

       
+

       
        type = types.submodule ({ name, ... }: {


     

       

       
20

       
+

       
          freeformType = settingsFormat.type;


     

       

       
21

       
+

       
        });


     

       

       
22

       
+

       
        default = { };


     

       

       
23

       
+

       
        example = literalExpression ''


     

       

       
24

       
+

       
          {


     

       

       
25

       
+

       
            plat-prefix = "64:ff9b::/96";


     

       

       
26

       
+

       
          }


     

       

       
27

       
+

       
        '';


     

       

       
28

       
+

       
        description = ''


     

       

       
29

       
+

       
          Configuration of clatd. See [clatd Documentation](https://github.com/toreanderson/clatd/blob/master/README.pod#configuration).


     

       

       
30

       
+

       
        '';


     

       

       
31

       
+

       
      };


     

       

       
32

       
+

       
    };


     

       

       
33

       
+

       
  };


     

       

       
34

       
+

       



     

       

       
35

       
+

       
  config = mkIf cfg.enable {


     

       

       
36

       
+

       
    systemd.services.clatd = {


     

       

       
37

       
+

       
      description = "464XLAT CLAT daemon";


     

       

       
38

       
+

       
      documentation = [ "man:clatd(8)" ];


     

       

       
39

       
+

       
      wantedBy = [ "multi-user.target" ];


     

       

       
40

       
+

       
      after = [ "network-online.target" ];


     

       

       
41

       
+

       
      wants = [ "network-online.target" ];


     

       

       
42

       
+

       
      startLimitIntervalSec = 0;


     

       

       
43

       
+

       



     

       

       
44

       
+

       
      serviceConfig = {


     

       

       
45

       
+

       
        ExecStart = "${cfg.package}/bin/clatd -c ${configFile}";


     

       

       
46

       
+

       
        startLimitIntervalSec = 0;


     

       

       
47

       
+

       



     

       

       
48

       
+

       
        # Hardening


     

       

       
49

       
+

       
        CapabilityBoundingSet = [


     

       

       
50

       
+

       
          "CAP_NET_ADMIN"


     

       

       
51

       
+

       
        ];


     

       

       
52

       
+

       
        LockPersonality = true;


     

       

       
53

       
+

       
        MemoryDenyWriteExecute = true;


     

       

       
54

       
+

       
        NoNewPrivileges = true;


     

       

       
55

       
+

       
        PrivateTmp = true;


     

       

       
56

       
+

       
        ProtectClock = true;


     

       

       
57

       
+

       
        ProtectControlGroups = true;


     

       

       
58

       
+

       
        ProtectHome = true;


     

       

       
59

       
+

       
        ProtectHostname = true;


     

       

       
60

       
+

       
        ProtectKernelLogs = true;


     

       

       
61

       
+

       
        ProtectKernelModules = true;


     

       

       
62

       
+

       
        ProtectProc = "invisible";


     

       

       
63

       
+

       
        ProtectSystem = true;


     

       

       
64

       
+

       
        RestrictAddressFamilies = [


     

       

       
65

       
+

       
          "AF_INET"


     

       

       
66

       
+

       
          "AF_INET6"


     

       

       
67

       
+

       
          "AF_NETLINK"


     

       

       
68

       
+

       
        ];


     

       

       
69

       
+

       
        RestrictNamespaces = true;


     

       

       
70

       
+

       
        RestrictRealtime = true;


     

       

       
71

       
+

       
        RestrictSUIDSGID = true;


     

       

       
72

       
+

       
        SystemCallArchitectures = "native";


     

       

       
73

       
+

       
        SystemCallFilter = [


     

       

       
74

       
+

       
          "@network-io"


     

       

       
75

       
+

       
          "@system-service"


     

       

       
76

       
+

       
          "~@privileged"


     

       

       
77

       
+

       
          "~@resources"


     

       

       
78

       
+

       
        ];


     

       

       
79

       
+

       
      };


     

       

       
80

       
+

       
    };


     

       

       
81

       
+

       
  };


     

       

       
82

       
+

       
}