clerie/nixfiles
1
0
Fork 0
Code

Update nixpkgs sources

Browse Source
This commit is contained in:
clerie 2023-02-02 23:17:21 +01:00
parent 5bb88492c2
commit ee61ab2b1b
3 changed files with 3 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
flake.lock
View File

@ -22,11 +22,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1667142599, "lastModified": 1675183161,
"narHash": "sha256-OLJxsg9VqfKjFkerOxWtNIkibsCvxsv5A8wNWO1MeWk=", "narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "412b9917cea092f3d39f9cd5dead4effd5bc4053", "rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e",
"type": "github" "type": "github"
}, },
"original": { "original": {

97
modules/chisel/default.nix
View File

@ -1,97 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.chisel-server;
in {
options = {
services.chisel-server = {
enable = mkEnableOption (mdDoc "Chisel Tunnel Server");
host = mkOption {
description = mdDoc "Address to listen on, falls back to 0.0.0.0";
type = with types; nullOr str;
default = null;
example = "[::1]";
};
port = mkOption {
description = mkDoc "Port to listen on, falls back to 8080";
type = with types; nullOr int;
default = null;
};
authfile = mkOption {
description = mdDoc "Path to auth.json file.";
type = with types; nullOr path;
default = null;
};
keepalive = mkOption {
description = mdDoc "Keepalive interval, falls back to 25s";
type = with types; nullOr str;
default = null;
example = "5s";
};
backend = mkOption {
description = mdDoc "HTTP server to proxy normal requests to";
type = with types; nullOr str;
default = null;
example = "http://127.0.0.1:8080";
};
socks5 = mkOption {
description = mdDoc "Allow clients access to internal SOCKS5 proxy";
type = types.bool;
default = false;
};
reverse = mkOption {
description = "Allow clients reverse port forwarding";
type = types.bool;
default = false;
};
};
};
config = {
systemd.services.chisel-server = mkIf cfg.enable {
description = "Chisel Tunnel Server";
wantedBy = [ "network-online.target" ];
serviceConfig = {
ExecStart = "${pkgs.chisel}/bin/chisel server " + concatStringsSep " " (
optional (cfg.host != null) "--host ${cfg.host}"
++ optional (cfg.port != null) "--port ${builtins.toString cfg.port}"
++ optional (cfg.authfile != null) "--authfile ${cfg.authfile}"
++ optional (cfg.keepalive != null) "--keepalive ${cfg.keepalive}"
++ optional (cfg.backend != null) "--backend ${cfg.backend}"
++ optional cfg.socks5 "--socks5"
++ optional cfg.reverse "--reverse"
);
# Security Hardening
# Refer to systemd.exec(5) for option descriptions.
CapabilityBoundingSet = "";
# implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=,
# ProtectSystem=strict, ProtectHome=read-only
DynamicUser = true;
LockPersonality = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources";
UMask = "0077";
};
};
};
}

1
modules/default.nix
View File

@ -5,7 +5,6 @@
./policyrouting ./policyrouting
./akne ./akne
./anycast_healthchecker ./anycast_healthchecker
./chisel
./gre-tunnel ./gre-tunnel
./minecraft-server ./minecraft-server
./monitoring ./monitoring