diff --git a/flake.lock b/flake.lock
index c049561..c5184c1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -22,11 +22,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1667142599,
- "narHash": "sha256-OLJxsg9VqfKjFkerOxWtNIkibsCvxsv5A8wNWO1MeWk=",
+ "lastModified": 1675183161,
+ "narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "412b9917cea092f3d39f9cd5dead4effd5bc4053",
+ "rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e",
 "type": "github"
 },
 "original": {
diff --git a/modules/chisel/default.nix b/modules/chisel/default.nix
deleted file mode 100644
index 8c0ddf4..0000000
--- a/modules/chisel/default.nix
+++ /dev/null
@@ -1,97 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.chisel-server;
-
-in {
- options = {
- services.chisel-server = {
- enable = mkEnableOption (mdDoc "Chisel Tunnel Server");
- host = mkOption {
- description = mdDoc "Address to listen on, falls back to 0.0.0.0";
- type = with types; nullOr str;
- default = null;
- example = "[::1]";
- };
- port = mkOption {
- description = mkDoc "Port to listen on, falls back to 8080";
- type = with types; nullOr int;
- default = null;
- };
- authfile = mkOption {
- description = mdDoc "Path to auth.json file.";
- type = with types; nullOr path;
- default = null;
- };
- keepalive = mkOption {
- description = mdDoc "Keepalive interval, falls back to 25s";
- type = with types; nullOr str;
- default = null;
- example = "5s";
- };
- backend = mkOption {
- description = mdDoc "HTTP server to proxy normal requests to";
- type = with types; nullOr str;
- default = null;
- example = "http://127.0.0.1:8080";
- };
- socks5 = mkOption {
- description = mdDoc "Allow clients access to internal SOCKS5 proxy";
- type = types.bool;
- default = false;
- };
- reverse = mkOption {
- description = "Allow clients reverse port forwarding";
- type = types.bool;
- default = false;
- };
- };
- };
-
- config = {
- systemd.services.chisel-server = mkIf cfg.enable {
- description = "Chisel Tunnel Server";
- wantedBy = [ "network-online.target" ];
-
- serviceConfig = {
- ExecStart = "${pkgs.chisel}/bin/chisel server " + concatStringsSep " " (
- optional (cfg.host != null) "--host ${cfg.host}"
- ++ optional (cfg.port != null) "--port ${builtins.toString cfg.port}"
- ++ optional (cfg.authfile != null) "--authfile ${cfg.authfile}"
- ++ optional (cfg.keepalive != null) "--keepalive ${cfg.keepalive}"
- ++ optional (cfg.backend != null) "--backend ${cfg.backend}"
- ++ optional cfg.socks5 "--socks5"
- ++ optional cfg.reverse "--reverse"
- );
-
- # Security Hardening
- # Refer to systemd.exec(5) for option descriptions.
- CapabilityBoundingSet = "";
-
- # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
- # ProtectSystem=strict, ProtectHome=read-only
- DynamicUser = true;
- LockPersonality = true;
- PrivateDevices = true;
- PrivateUsers = true;
- ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectProc = "invisible";
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources";
- UMask = "0077";
- };
- };
- };
-}
diff --git a/modules/default.nix b/modules/default.nix
index 112288f..eea78e0 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,7 +5,6 @@
 ./policyrouting
 ./akne
 ./anycast_healthchecker
- ./chisel
 ./gre-tunnel
 ./minecraft-server
 ./monitoring