From 159d73f7a3b69841ccd587d439341d78f8c859c6 Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 29 Sep 2022 20:19:33 +0200 Subject: [PATCH] nixos/chisel-server: add module --- nixos/modules/module-list.nix | 1 + .../services/networking/chisel-server.nix | 99 +++++++++++++++++++ 2 files changed, 100 insertions(+) create mode 100644 nixos/modules/services/networking/chisel-server.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 67d9266b49f..ca5bf624f72 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -774,6 +774,7 @@ ./services/networking/blockbook-frontend.nix ./services/networking/blocky.nix ./services/networking/charybdis.nix + ./services/networking/chisel-server.nix ./services/networking/cjdns.nix ./services/networking/cloudflare-dyndns.nix ./services/networking/cntlm.nix diff --git a/nixos/modules/services/networking/chisel-server.nix b/nixos/modules/services/networking/chisel-server.nix new file mode 100644 index 00000000000..d3724743209 --- /dev/null +++ b/nixos/modules/services/networking/chisel-server.nix @@ -0,0 +1,99 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.chisel-server; + +in { + options = { + services.chisel-server = { + enable = mkEnableOption (mdDoc "Chisel Tunnel Server"); + host = mkOption { + description = mdDoc "Address to listen on, falls back to 0.0.0.0"; + type = with types; nullOr str; + default = null; + example = "[::1]"; + }; + port = mkOption { + description = mdDoc "Port to listen on, falls back to 8080"; + type = with types; nullOr int; + default = null; + }; + authfile = mkOption { + description = mdDoc "Path to auth.json file"; + type = with types; nullOr path; + default = null; + }; + keepalive = mkOption { + description = mdDoc "Keepalive interval, falls back to 25s"; + type = with types; nullOr str; + default = null; + example = "5s"; + }; + backend = mkOption { + description = mdDoc "HTTP server to proxy normal requests to"; + type = with types; nullOr str; + default = null; + example = "http://127.0.0.1:8888"; + }; + socks5 = mkOption { + description = mdDoc "Allow clients access to internal SOCKS5 proxy"; + type = types.bool; + default = false; + }; + reverse = mkOption { + description = mdDoc "Allow clients reverse port forwarding"; + type = types.bool; + default = false; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.chisel-server = { + description = "Chisel Tunnel Server"; + wantedBy = [ "network-online.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.chisel}/bin/chisel server " + concatStringsSep " " ( + optional (cfg.host != null) "--host ${cfg.host}" + ++ optional (cfg.port != null) "--port ${builtins.toString cfg.port}" + ++ optional (cfg.authfile != null) "--authfile ${cfg.authfile}" + ++ optional (cfg.keepalive != null) "--keepalive ${cfg.keepalive}" + ++ optional (cfg.backend != null) "--backend ${cfg.backend}" + ++ optional cfg.socks5 "--socks5" + ++ optional cfg.reverse "--reverse" + ); + + # Security Hardening + # Refer to systemd.exec(5) for option descriptions. + CapabilityBoundingSet = ""; + + # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=, + # ProtectSystem=strict, ProtectHome=read-only + DynamicUser = true; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources"; + UMask = "0077"; + }; + }; + }; + + meta.maintainers = with maintainers; [ clerie ]; +}