1
0

modules/chisel: Create proper module and lock down service

This commit is contained in:
clerie 2022-09-29 19:02:05 +02:00
parent 1d8b007b95
commit 2f91b7cd75
2 changed files with 85 additions and 10 deletions

View File

@ -42,7 +42,12 @@
}; };
}; };
clerie.chisel.enable = true; services.chisel-server = {
enable = true;
host = "[::1]";
port = 3765;
authfile = "/var/src/secrets/chisel/users.json";
};
services.snowflake-proxy.enable = true; services.snowflake-proxy.enable = true;

View File

@ -3,24 +3,94 @@
with lib; with lib;
let let
cfg = config.clerie.chisel; cfg = config.services.chisel-server;
in { in {
options = { options = {
clerie.chisel = { services.chisel-server = {
enable = mkEnableOption "Chisel Tunnel Service"; enable = mkEnableOption (mdDoc "Chisel Tunnel Server");
host = mkOption {
description = mdDoc "Address to listen on, falls back to 0.0.0.0";
type = with types; nullOr str;
default = null;
example = "[::1]";
};
port = mkOption {
description = mkDoc "Port to listen on, falls back to 8080";
type = with types; nullOr int;
default = null;
};
authfile = mkOption {
description = mdDoc "Path to auth.json file.";
type = with types; nullOr path;
default = null;
};
keepalive = mkOption {
description = mdDoc "Keepalive interval, falls back to 25s";
type = with types; nullOr str;
default = null;
example = "5s";
};
backend = mkOption {
description = mdDoc "HTTP server to proxy normal requests to";
type = with types; nullOr str;
default = null;
example = "http://127.0.0.1:8080";
};
socks5 = mkOption {
description = mdDoc "Allow clients access to internal SOCKS5 proxy";
type = types.bool;
default = false;
};
reverse = mkOption {
description = "Allow clients reverse port forwarding";
type = types.bool;
default = false;
};
}; };
}; };
config = { config = {
systemd.services.chisel = mkIf cfg.enable { systemd.services.chisel-server = mkIf cfg.enable {
description = "Chisel Tunnel"; description = "Chisel Tunnel Server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "network-online.target" ];
after = [ "network.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.chisel}/bin/chisel server --host [::1] --port 3765 --authfile /var/src/secrets/chisel/users.json"; ExecStart = "${pkgs.chisel}/bin/chisel server " + concatStringsSep " " (
Restart = "always"; optional (cfg.host != null) "--host ${cfg.host}"
++ optional (cfg.port != null) "--port ${builtins.toString cfg.port}"
++ optional (cfg.authfile != null) "--authfile ${cfg.authfile}"
++ optional (cfg.keepalive != null) "--keepalive ${cfg.keepalive}"
++ optional (cfg.backend != null) "--backend ${cfg.backend}"
++ optional cfg.socks5 "--socks5"
++ optional cfg.reverse "--reverse"
);
# Security Hardening
# Refer to systemd.exec(5) for option descriptions.
CapabilityBoundingSet = "";
# implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
# ProtectSystem=strict, ProtectHome=read-only
DynamicUser = true;
LockPersonality = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources";
UMask = "0077";
}; };
}; };
}; };