modules/chisel: Create proper module and lock down service
This commit is contained in:
parent
1d8b007b95
commit
2f91b7cd75
@ -42,7 +42,12 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
clerie.chisel.enable = true;
|
services.chisel-server = {
|
||||||
|
enable = true;
|
||||||
|
host = "[::1]";
|
||||||
|
port = 3765;
|
||||||
|
authfile = "/var/src/secrets/chisel/users.json";
|
||||||
|
};
|
||||||
|
|
||||||
services.snowflake-proxy.enable = true;
|
services.snowflake-proxy.enable = true;
|
||||||
|
|
||||||
|
@ -3,24 +3,94 @@
|
|||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.clerie.chisel;
|
cfg = config.services.chisel-server;
|
||||||
|
|
||||||
in {
|
in {
|
||||||
options = {
|
options = {
|
||||||
clerie.chisel = {
|
services.chisel-server = {
|
||||||
enable = mkEnableOption "Chisel Tunnel Service";
|
enable = mkEnableOption (mdDoc "Chisel Tunnel Server");
|
||||||
|
host = mkOption {
|
||||||
|
description = mdDoc "Address to listen on, falls back to 0.0.0.0";
|
||||||
|
type = with types; nullOr str;
|
||||||
|
default = null;
|
||||||
|
example = "[::1]";
|
||||||
|
};
|
||||||
|
port = mkOption {
|
||||||
|
description = mkDoc "Port to listen on, falls back to 8080";
|
||||||
|
type = with types; nullOr int;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
authfile = mkOption {
|
||||||
|
description = mdDoc "Path to auth.json file.";
|
||||||
|
type = with types; nullOr path;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
keepalive = mkOption {
|
||||||
|
description = mdDoc "Keepalive interval, falls back to 25s";
|
||||||
|
type = with types; nullOr str;
|
||||||
|
default = null;
|
||||||
|
example = "5s";
|
||||||
|
};
|
||||||
|
backend = mkOption {
|
||||||
|
description = mdDoc "HTTP server to proxy normal requests to";
|
||||||
|
type = with types; nullOr str;
|
||||||
|
default = null;
|
||||||
|
example = "http://127.0.0.1:8080";
|
||||||
|
};
|
||||||
|
socks5 = mkOption {
|
||||||
|
description = mdDoc "Allow clients access to internal SOCKS5 proxy";
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
reverse = mkOption {
|
||||||
|
description = "Allow clients reverse port forwarding";
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
systemd.services.chisel = mkIf cfg.enable {
|
systemd.services.chisel-server = mkIf cfg.enable {
|
||||||
description = "Chisel Tunnel";
|
description = "Chisel Tunnel Server";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "network-online.target" ];
|
||||||
after = [ "network.target" ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${pkgs.chisel}/bin/chisel server --host [::1] --port 3765 --authfile /var/src/secrets/chisel/users.json";
|
ExecStart = "${pkgs.chisel}/bin/chisel server " + concatStringsSep " " (
|
||||||
Restart = "always";
|
optional (cfg.host != null) "--host ${cfg.host}"
|
||||||
|
++ optional (cfg.port != null) "--port ${builtins.toString cfg.port}"
|
||||||
|
++ optional (cfg.authfile != null) "--authfile ${cfg.authfile}"
|
||||||
|
++ optional (cfg.keepalive != null) "--keepalive ${cfg.keepalive}"
|
||||||
|
++ optional (cfg.backend != null) "--backend ${cfg.backend}"
|
||||||
|
++ optional cfg.socks5 "--socks5"
|
||||||
|
++ optional cfg.reverse "--reverse"
|
||||||
|
);
|
||||||
|
|
||||||
|
# Security Hardening
|
||||||
|
# Refer to systemd.exec(5) for option descriptions.
|
||||||
|
CapabilityBoundingSet = "";
|
||||||
|
|
||||||
|
# implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
|
||||||
|
# ProtectSystem=strict, ProtectHome=read-only
|
||||||
|
DynamicUser = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProcSubset = "pid";
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources";
|
||||||
|
UMask = "0077";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
Loading…
Reference in New Issue
Block a user