From 2f91b7cd75a5d473672e008835c79faa785672c5 Mon Sep 17 00:00:00 2001
From: clerie
Date: Thu, 29 Sep 2022 19:02:05 +0200
Subject: [PATCH] modules/chisel: Create proper module and lock down service
---
hosts/porter/configuration.nix | 7 ++-
modules/chisel/default.nix | 88 ++++++++++++++++++++++++++++++----
2 files changed, 85 insertions(+), 10 deletions(-)
diff --git a/hosts/porter/configuration.nix b/hosts/porter/configuration.nix
index 0552f74..b54f1aa 100644
--- a/hosts/porter/configuration.nix
+++ b/hosts/porter/configuration.nix
@@ -42,7 +42,12 @@
 };
 };
- clerie.chisel.enable = true;
+ services.chisel-server = {
+ enable = true;
+ host = "[::1]";
+ port = 3765;
+ authfile = "/var/src/secrets/chisel/users.json";
+ };
 services.snowflake-proxy.enable = true;
diff --git a/modules/chisel/default.nix b/modules/chisel/default.nix
index 1fc7ab6..8c0ddf4 100644
--- a/modules/chisel/default.nix
+++ b/modules/chisel/default.nix
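Review bot: `authfile = "/var/src/secrets/chisel/users.json"` is a file outside the Nix store, but the module this now enables runs chisel with `DynamicUser = true` (see the modules/chisel hunk), so that file must be readable by an ephemeral UID/GID that is not known ahead of time; a root-owned 0600 file would make the unit fail at start, and making it world-readable exposes the user list, so confirm the file's ownership and mode, or have the module hand it over through systemd `LoadCredential`, which works with DynamicUser. Passing the path as a quoted string rather than a Nix path literal is the right call here, since a path literal would be copied into the world-readable store — worth pinning with a comment: `# string, not a path literal: keeps the auth file out of /nix/store`.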
@@ -3,24 +3,94 @@ with lib;
 let
- cfg = config.clerie.chisel;
+ cfg = config.services.chisel-server;
 in {
 options = {
- clerie.chisel = {
- enable = mkEnableOption "Chisel Tunnel Service";
+ services.chisel-server = {
+ enable = mkEnableOption (mdDoc "Chisel Tunnel Server");
+ host = mkOption {
+ description = mdDoc "Address to listen on, falls back to 0.0.0.0";
+ type = with types; nullOr str;
+ default = null;
+ example = "[::1]";
+ };
+ port = mkOption {
+ description = mkDoc "Port to listen on, falls back to 8080";
+ type = with types; nullOr int;
+ default = null;
+ };
+ authfile = mkOption {
+ description = mdDoc "Path to auth.json file.";
+ type = with types; nullOr path;
+ default = null;
+ };
+ keepalive = mkOption {
+ description = mdDoc "Keepalive interval, falls back to 25s";
+ type = with types; nullOr str;
+ default = null;
+ example = "5s";
+ };
+ backend = mkOption {
+ description = mdDoc "HTTP server to proxy normal requests to";
+ type = with types; nullOr str;
+ default = null;
+ example = "http://127.0.0.1:8080";
+ };
+ socks5 = mkOption {
+ description = mdDoc "Allow clients access to internal SOCKS5 proxy";
+ type = types.bool;
+ default = false;
+ };
+ reverse = mkOption {
+ description = "Allow clients reverse port forwarding";
+ type = types.bool;
+ default = false;
+ };
 };
 };
 config = {
- systemd.services.chisel = mkIf cfg.enable {
- description = "Chisel Tunnel";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
+ systemd.services.chisel-server = mkIf cfg.enable {
+ description = "Chisel Tunnel Server";
+ wantedBy = [ "network-online.target" ];
 serviceConfig = {
- ExecStart = "${pkgs.chisel}/bin/chisel server --host [::1] --port 3765 --authfile /var/src/secrets/chisel/users.json";
- Restart = "always";
+ ExecStart = "${pkgs.chisel}/bin/chisel server " + concatStringsSep " " (
+ optional (cfg.host != null) "--host ${cfg.host}"
+ ++ optional (cfg.port != null) "--port ${builtins.toString cfg.port}"
+ ++ optional (cfg.authfile != null) "--authfile ${cfg.authfile}"
+ ++ optional (cfg.keepalive != null) "--keepalive ${cfg.keepalive}"
+ ++ optional (cfg.backend != null) "--backend ${cfg.backend}"
+ ++ optional cfg.socks5 "--socks5"
+ ++ optional cfg.reverse "--reverse"
+ );
+
+ # Security Hardening
+ # Refer to systemd.exec(5) for option descriptions.
+ CapabilityBoundingSet = "";
+
+ # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
+ # ProtectSystem=strict, ProtectHome=read-only
+ DynamicUser = true;
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectProc = "invisible";
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources";
+ UMask = "0077";
 };
 };
 };
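Review bot: `description = mkDoc "Port to listen on, falls back to 8080";` on the `port` option is a typo for `mdDoc`; `lib` has no `mkDoc`, so anything that forces option descriptions (the NixOS manual/options build) fails with an undefined-variable error. The unit also lost `Restart = "always";` with nothing replacing it, and `wantedBy = [ "network-online.target" ];` only pulls the tunnel in when something else activates that target (on a host where nothing does, it would never start at boot); the conventional form is `wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ]; after = [ "network-online.target" ];` plus the restored `Restart`. The flag values are interpolated raw into `ExecStart`, which systemd word-splits and `%`-specifier-expands, so a `backend` or `keepalive` value containing whitespace, quotes or `%` alters the command line instead of arriving as one argument — build the argv as separate words and run it through `escapeShellArgs` (doubling any `%`), or assert the values are plain. Finally, `socks5` and `reverse` give every client that can connect a SOCKS proxy or server-side listeners while `authfile` defaults to null; presumably chisel accepts unauthenticated clients without an auth file (verify against upstream), so an assertion, or at least an `mdDoc` caveat, that those two require `authfile` would be appropriate.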