wireguard: setup in initrd
1 diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
2 index f361163ca63..24dcf53e635 100644
3 --- a/nixos/modules/module-list.nix
4 +++ b/nixos/modules/module-list.nix
5 @@ -598,6 +598,7 @@
6 ./services/networking/coredns.nix
7 ./services/networking/corerad.nix
8 ./services/networking/coturn.nix
9 + ./services/networking/croc.nix
10 ./services/networking/dante.nix
11 ./services/networking/ddclient.nix
12 ./services/networking/dhcpcd.nix
13 diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix
14 new file mode 100644
15 index 00000000000..adba6f7f565
16 --- /dev/null
17 +++ b/nixos/modules/services/networking/croc.nix
18 @@ -0,0 +1,78 @@
19 +{ config, lib, pkgs, ... }:
20 +let
21 + inherit (lib) types;
22 + cfg = config.services.croc;
23 +in
24 +{
25 + options.services.croc = {
26 + enable = lib.mkEnableOption "croc relay";
27 + ports = lib.mkOption {
28 + type = types.listOf types.port;
29 + default = [9009 9010 9011 9012 9013];
30 + description = "Ports of the relay.";
31 + };
32 + pass = lib.mkOption {
33 + type = types.str;
34 + default = "pass123";
35 + description = "Password for the relay (warning: it will be visible in the Nix store and the list of processes).";
36 + };
37 + };
38 +
39 + config = lib.mkIf cfg.enable {
40 + systemd.services.croc = {
41 + after = [ "network.target" ];
42 + wantedBy = [ "multi-user.target" ];
43 + serviceConfig = {
44 + ExecStart = "${pkgs.croc}/bin/croc --pass '${cfg.pass}' relay --ports ${lib.concatMapStringsSep "," toString cfg.ports}";
45 + # systemd-analyze security croc
46 + # → Overall exposure level for croc.service: 1.1 OK
47 + AmbientCapabilities = "";
48 + CapabilityBoundingSet = "";
49 + DynamicUser = true;
50 + LockPersonality = true;
51 + MemoryDenyWriteExecute = true;
52 + NoNewPrivileges = true;
53 + PrivateDevices = true;
54 + PrivateMounts = true;
55 + PrivateNetwork = false;
56 + PrivateTmp = true;
57 + PrivateUsers = true;
58 + ProtectClock = true;
59 + ProtectControlGroups = true;
60 + ProtectHome = true;
61 + ProtectHostname = true;
62 + ProtectKernelLogs = true;
63 + ProtectKernelModules = true;
64 + ProtectKernelTunables = true;
65 + ProtectSystem = "strict";
66 + RemoveIPC = true;
67 + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
68 + RestrictNamespaces = true;
69 + RestrictRealtime = true;
70 + RestrictSUIDSGID = true;
71 + SystemCallFilter = [
72 + # perf stat -o /dev/stdout -e 'syscalls:sys_enter_*' croc relay |
73 + # awk '$1 && $2 ~ /syscalls:/ { sub("syscalls:sys_enter_", ""); print $2 }' |
74 + # sort >croc.syscalls
75 + # <use croc>
76 + # pkill croc
77 + # systemd-analyze syscall-filter | grep -v -e '#' |
78 + # sed -e ':loop; /^[^ ]/N; s/\n //; t loop' |
79 + # grep --color $(printf ' -e \\<%s\\>' $(cat croc.syscalls))
80 + "@default" "@basic-io" "@file-system" "@io-event" "@ipc" "@network-io" "@process" "@signal"
81 + "brk getrandom ioctl madvise mprotect sched_getaffinity sched_yield uname"
82 + ];
83 + SystemCallArchitectures = "native";
84 + SystemCallErrorNumber = "EPERM";
85 + UMask = "0077";
86 + };
87 + };
88 +
89 + networking.firewall =
90 + { allowedTCPPorts = [ cfg.ports ];
91 + allowedUDPPorts = [ cfg.ports ];
92 + };
93 + };
94 +
95 + meta.maintainers = with lib.maintainers; [ julm ];
96 +}
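Review bot: `allowedTCPPorts = [ cfg.ports ];` and `allowedUDPPorts = [ cfg.ports ];` at the bottom of the module wrap a list in another list, so the firewall options receive `[[9009 …]]` rather than the port numbers; `networking.firewall` wants a flat list of ports, so this should read `allowedTCPPorts = cfg.ports;` (and likewise for UDP), and if the croc relay only listens on TCP the UDP entry can be dropped rather than opening ports the service never binds. The relay password is interpolated into ExecStart with plain single quotes; ExecStart is not run through a shell and systemd does its own quote parsing, so a `pass` value containing `'` breaks the command line, and, as the option description already admits, the secret lands in the world-readable Nix store and in `ps` output. A `passFile` option delivered with `LoadCredential` and read from `$CREDENTIALS_DIRECTORY` in a small wrapper script would keep it out of both; at minimum I would drop the `pass123` default so that enabling the service without setting a password fails at evaluation instead of starting a relay with a guessable password.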