nixos/chisel-server: add module
This commit is contained in:
parent
c42018900a
commit
159d73f7a3
2 changed files with 100 additions and 0 deletions
|
@ -774,6 +774,7 @@
|
|||
./services/networking/blockbook-frontend.nix
|
||||
./services/networking/blocky.nix
|
||||
./services/networking/charybdis.nix
|
||||
./services/networking/chisel-server.nix
|
||||
./services/networking/cjdns.nix
|
||||
./services/networking/cloudflare-dyndns.nix
|
||||
./services/networking/cntlm.nix
|
||||
|
|
99
nixos/modules/services/networking/chisel-server.nix
Normal file
99
nixos/modules/services/networking/chisel-server.nix
Normal file
|
@ -0,0 +1,99 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.chisel-server;
|
||||
|
||||
in {
|
||||
options = {
|
||||
services.chisel-server = {
|
||||
enable = mkEnableOption (mdDoc "Chisel Tunnel Server");
|
||||
host = mkOption {
|
||||
description = mdDoc "Address to listen on, falls back to 0.0.0.0";
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
example = "[::1]";
|
||||
};
|
||||
port = mkOption {
|
||||
description = mdDoc "Port to listen on, falls back to 8080";
|
||||
type = with types; nullOr int;
|
||||
default = null;
|
||||
};
|
||||
authfile = mkOption {
|
||||
description = mdDoc "Path to auth.json file";
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
};
|
||||
keepalive = mkOption {
|
||||
description = mdDoc "Keepalive interval, falls back to 25s";
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
example = "5s";
|
||||
};
|
||||
backend = mkOption {
|
||||
description = mdDoc "HTTP server to proxy normal requests to";
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
example = "http://127.0.0.1:8888";
|
||||
};
|
||||
socks5 = mkOption {
|
||||
description = mdDoc "Allow clients access to internal SOCKS5 proxy";
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
reverse = mkOption {
|
||||
description = mdDoc "Allow clients reverse port forwarding";
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.chisel-server = {
|
||||
description = "Chisel Tunnel Server";
|
||||
wantedBy = [ "network-online.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.chisel}/bin/chisel server " + concatStringsSep " " (
|
||||
optional (cfg.host != null) "--host ${cfg.host}"
|
||||
++ optional (cfg.port != null) "--port ${builtins.toString cfg.port}"
|
||||
++ optional (cfg.authfile != null) "--authfile ${cfg.authfile}"
|
||||
++ optional (cfg.keepalive != null) "--keepalive ${cfg.keepalive}"
|
||||
++ optional (cfg.backend != null) "--backend ${cfg.backend}"
|
||||
++ optional cfg.socks5 "--socks5"
|
||||
++ optional cfg.reverse "--reverse"
|
||||
);
|
||||
|
||||
# Security Hardening
|
||||
# Refer to systemd.exec(5) for option descriptions.
|
||||
CapabilityBoundingSet = "";
|
||||
|
||||
# implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
|
||||
# ProtectSystem=strict, ProtectHome=read-only
|
||||
DynamicUser = true;
|
||||
LockPersonality = true;
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources";
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ clerie ];
|
||||
}
|
Loading…
Reference in a new issue