Personal-use NixOS configuration
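{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.services.network-optimizer;

  # Out-of-tree package set for this configuration; supplies the default
  # `network-optimizer` derivation used by the `package` option below.
  pkgs-internal = import ../packages { inherit pkgs; };

  inherit (lib)
    types
    mkIf
    mkOption
    mkEnableOption
    ;
in
{
  options.services.network-optimizer = {
    enable = mkEnableOption "network-optimizer";

    package = mkOption {
      type = types.package;
      default = pkgs-internal.network-optimizer;

      description = "The NetworkOptimizer package to use.";
    };

    environment = mkOption {
      type = types.attrsOf types.str;
      default = { };
      # Every value must be a string: the option type is `attrsOf str`, so a
      # bare boolean (as the example previously showed) fails evaluation.
      # Values here are written into the unit file in the world-readable Nix
      # store, which is why secrets belong in `environmentFile` instead.
      example = lib.literalExpression ''
        {
          HOST_IP = "192.168.1.100";

          TZ = "America/New_York";
          BIND_LOCALHOST_ONLY = "true";
        }
      '';
      description = ''
        Environment variables to set for the service. Secrets should be
        specified using {option}`environmentFile`.

        Refer to the [NetworkOptimization documentation] for the list of available
        configuration options.

        [NetworkOptimization documentation]: https://github.com/Ozark-Connect/NetworkOptimizer/blob/f0e6a0b48eb07ea73797e1970a8f3dbc88b97d8c/docker/.env.example
      '';
    };

    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        File to load environment variables from. Loaded variables override
        values set in {option}`environment`.
      '';
    };

    iperf3 = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the iperf3 server for network speed tests.
        '';
      };
    };

    port = mkOption {
      # `types.port` rejects values outside 0-65535 at evaluation time, where
      # `types.int` would only surface the mistake once systemd tries to bind.
      type = types.port;
      default = 8042;

      description = "Port to bind webserver.";

      example = 8042;
    };

    openFirewall = mkEnableOption "" // {
      description = "Whether to open the firewall for the port in {option}`services.network-optimizer.port`.";
    };
  };

  config = mkIf cfg.enable {
    # Only the web port is opened, and only on explicit request.
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
      cfg.port
    ];

    # iperf3 runs as its own NixOS service; this module merely switches it on.
    services.iperf3 = mkIf cfg.iperf3.enable {
      enable = lib.mkDefault true;
    };

    systemd.services.network-optimizer = {
      description = "NetworkOptimizer self-hosted performance optimization and security audit tool for UniFi Networks";

      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # sshpass on PATH: presumably the application drives password-based SSH
      # sessions with it. Any password it consumes must come from
      # `environmentFile`, never from `environment` (Nix store is world-readable).
      path = with pkgs; [
        sshpass
      ];

      # User-supplied variables first; the ASP.NET Core settings below pin the
      # listening port and content root to what this module configured.
      environment = lib.mkMerge [
        cfg.environment
        {
          ASPNETCORE_HTTP_PORTS = toString cfg.port;
          ASPNETCORE_CONTENTROOT = "${cfg.package}/lib/network-optimizer/";
        }
      ];

      serviceConfig = {
        # Transient unprivileged user; persistent state is confined to the
        # StateDirectory, which is created 0700 and written with a 0077 umask.
        DynamicUser = true;

        StateDirectory = "network-optimizer";
        StateDirectoryMode = "0700";
        UMask = "0077";

        WorkingDirectory = "/var/lib/network-optimizer";

        ExecStart = lib.getExe cfg.package;

        # Emit EnvironmentFile= only when a file was actually configured rather
        # than rendering the null default into the unit.
        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;

        # Sandboxing: no capabilities, no device access, read-only system,
        # private /tmp, devices and user namespace, hidden /proc.
        # MemoryDenyWriteExecute is not set; presumably the .NET JIT needs
        # writable+executable mappings — confirm before adding it.
        # NOTE(review): SystemCallArchitectures/SystemCallFilter are also
        # unset; verify the runtime tolerates them before enabling.
        AmbientCapabilities = "";
        CapabilityBoundingSet = [ "" ];
        DevicePolicy = "closed";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        # One family per entry; systemd merges repeated RestrictAddressFamilies=
        # lines, so this is equivalent to the former "AF_INET AF_INET6" string.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        # The service may bind only its configured TCP port; all other binds
        # are denied, so a misconfigured HOST/port in `environment` cannot
        # silently expose another listener.
        SocketBindAllow = "tcp:${toString cfg.port}";
        SocketBindDeny = "any";
      };
    };
  };
}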