From 6cec90bdfa6ca683a043cbcb97daa3ce9b922a30 Mon Sep 17 00:00:00 2001
From: clerie
Date: Fri, 23 Jul 2021 23:32:33 +0200
Subject: [PATCH] Deploy chisel on porter
---
 hosts/porter/configuration.nix | 3 +++
 modules/chisel/default.nix | 27 +++++++++++++++++++++++++++
 modules/default.nix | 1 +
 3 files changed, 31 insertions(+)
 create mode 100644 modules/chisel/default.nix
diff --git a/hosts/porter/configuration.nix b/hosts/porter/configuration.nix
index 2a91973..6c31e3e 100644
--- a/hosts/porter/configuration.nix
+++ b/hosts/porter/configuration.nix
@@ -75,6 +75,9 @@
 };
 };
+ clerie.chisel.enable = true;
+
+ networking.firewall.allowedTCPPorts = [ 443 ];
 networking.firewall.allowedUDPPorts = [ 50101 50138 51337 ];
 services.bird2.enable = true;
diff --git a/modules/chisel/default.nix b/modules/chisel/default.nix
new file mode 100644
index 0000000..3e045a6
--- /dev/null
+++ b/modules/chisel/default.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.clerie.chisel;
+
+in {
+ options = {
+ clerie.chisel = {
+ enable = mkEnableOption "Chisel Tunnel Service";
+ };
+ };
+
+ config = {
+ systemd.services.chisel = mkIf cfg.enable {
+ description = "Chisel Tunnel";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.chisel}/bin/chisel server --port 443 --authfile /var/src/secrets/chisel/users.json";
+ Restart = "always";
+ };
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index c72d097..3d1c635 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./policyrouting
 ./anycast_healthchecker
+ ./chisel
 ./gitea
 ./gre-tunnel
 ./minecraft-server
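Review bot: The added `networking.firewall.allowedTCPPorts = [ 443 ];` opens the port in the host file while the listening port is hard-coded as `--port 443` in `modules/chisel/default.nix`, so the two can drift apart, and another host that sets `clerie.chisel.enable` would get a service the firewall still blocks. Consider giving the module a `port` option and opening it there under the same condition, e.g. `networking.firewall.allowedTCPPorts = mkIf cfg.enable [ cfg.port ];`. As written, 443 is reachable from every source address, which leaves the auth file as the only gate in front of the tunnel; if clients come from known networks, a source restriction would narrow that exposure. The enclosing attribute set starts and ends outside the hunk.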
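Review bot: In `modules/chisel/default.nix` the unit's `serviceConfig` sets only `ExecStart` and `Restart`, so the internet-facing chisel server runs as root with no sandboxing, and a flaw in the tunnel server would have the run of the host. Running it under `DynamicUser` with only `CAP_NET_BIND_SERVICE`, and passing the auth file in through `LoadCredential`, keeps port 443 bindable without root; a sketch follows. Separately, no `--key` is passed, so by chisel's documented behaviour the server generates a new host key on every start and clients cannot pin a `--fingerprint`. A stable key supplied through the `CHISEL_KEY` environment variable from a secrets file would address that, and keeps the key off the command line, where it would end up in the world-readable Nix store. The permissions on `/var/src/secrets/chisel/users.json` are not visible here and should be root-only.

```nix
serviceConfig = {
  # constructed example; confirm LoadCredential and the %d specifier on the deployed systemd
  DynamicUser = true;
  AmbientCapabilities = "CAP_NET_BIND_SERVICE";
  CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
  LoadCredential = "users.json:/var/src/secrets/chisel/users.json";
  ExecStart = "${pkgs.chisel}/bin/chisel server --port 443 --authfile %d/users.json";
  # … unchanged: Restart …
};
```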