
nixos/sshwifty: init module

Signed-off-by: David Wronek <david.wronek@mainlining.org>

+129
+1
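--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1694,6 +1694,7 @@
 ./services/web-apps/snipe-it.nix
 ./services/web-apps/snips-sh.nix
 ./services/web-apps/sogo.nix
+./services/web-apps/sshwifty.nix
 ./services/web-apps/stash.nix
 ./services/web-apps/stirling-pdf.nix
 ./services/web-apps/strfry.nix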
+128
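--- a/nixos/modules/services/web-apps/sshwifty.nix
+++ b/nixos/modules/services/web-apps/sshwifty.nix
@@ -0,0 +1,128 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+let
+cfg = config.services.sshwifty;
+format = pkgs.formats.json { };
+settings = format.generate "sshwifty.json" cfg.settings;
+in
+{
+options.services.sshwifty = {
+enable = lib.mkEnableOption "Sshwifty";
+package = lib.mkPackageOption pkgs "sshwifty" { };
+settings = lib.mkOption {
+type = format.type;
+description = ''
+Configuration for Sshwifty. See
+[the Sshwifty documentation](https://github.com/nirui/sshwifty/tree/master?tab=readme-ov-file#configuration)
+for possible options.
+'';
+};
+sharedKeyFile = lib.mkOption {
+type = lib.types.nullOr lib.types.path;
+default = null;
+description = "Path to a file containing the shared key.";
+};
+socks5PasswordFile = lib.mkOption {
+type = lib.types.nullOr lib.types.path;
+default = null;
+description = "Path to a file containing the SOCKS5 password.";
+};
+};
+config = lib.mkIf cfg.enable {
+systemd.services.sshwifty = {
+description = "Sshwifty";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+script = ''
+${lib.optionalString (cfg.sharedKeyFile != null || cfg.socks5PasswordFile != null) (
+lib.concatStringsSep " " [
+(lib.getExe pkgs.jq)
+"-s"
+"'.[0] * .[1]"
+(lib.optionalString (cfg.sharedKeyFile != null && cfg.socks5PasswordFile != null) "* .[2]")
+"'"
+settings
+(lib.optionalString (
+cfg.sharedKeyFile != null
+) "<(echo \"{\\\"SharedKey\\\":\\\"$(cat $CREDENTIALS_DIRECTORY/sharedkey)\\\"}\")")
+(lib.optionalString (
+cfg.socks5PasswordFile != null
+) "<(echo \"{\\\"Socks5Password\\\":\\\"$(cat $CREDENTIALS_DIRECTORY/socks5pass)\\\"}\")")
+"> /run/sshwifty/sshwifty.json"
+]
+)}
+${lib.optionalString (
+cfg.sharedKeyFile != null || cfg.socks5PasswordFile != null
+) "export SSHWIFTY_CONFIG=/run/sshwifty/sshwifty.json"}
+${lib.optionalString (
+cfg.sharedKeyFile == null && cfg.socks5PasswordFile == null
+) "export SSHWIFTY_CONFIG=${settings}"}
+exec ${lib.getExe cfg.package}
+'';
+serviceConfig = {
+DynamicUser = true;
+RuntimeDirectory = "sshwifty";
+RuntimeDirectoryMode = "0750";
+LoadCredential =
+[ ]
+++ lib.optionals (cfg.sharedKeyFile != null) [ "sharedkey:${cfg.sharedKeyFile}" ]
+++ lib.optionals (cfg.socks5PasswordFile != null) [ "socks5pass:${cfg.socks5PasswordFile}" ];
+# Hardening
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateMounts = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+RemoveIPC = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+PrivateTmp = "disconnected";
+ProcSubset = "pid";
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+];
+RestrictNamespaces = [
+"~cgroup"
+"~ipc"
+"~mnt"
+"~net"
+"~pid"
+"~user"
+"~uts"
+];
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"~@clock"
+"~@cpu-emulation"
+"~@debug"
+"~@module"
+"~@mount"
+"~@obsolete"
+"~@privileged"
+"~@raw-io"
+"~@reboot"
+"~@resources"
+"~@swap"
+];
+UMask = "0077";
+};
+};
+};
+meta.maintainers = [ lib.maintainers.ungeskriptet ];
+}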
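Review bot: The credential contents are spliced into JSON through shell string interpolation on lines 51 and 54 of sshwifty.nix, so a shared key or SOCKS5 password containing a double quote, backslash or newline yields invalid JSON and the unit fails at start-up, and `$CREDENTIALS_DIRECTORY` is unquoted in both `cat` calls. Letting jq read the files itself with `--rawfile` removes the escaping problem together with the `-s`/`.[N]` index bookkeeping; a sketch follows. Separately, when neither file option is set the config is served straight from `${settings}` in the Nix store, so the `settings` description should state that any `SharedKey` or `Socks5Password` placed there is world-readable and point to `sharedKeyFile`/`socks5PasswordFile` for those values. The whole module is within this section.
```nix
script = ''
  ${lib.optionalString (cfg.sharedKeyFile != null || cfg.socks5PasswordFile != null) (
    lib.concatStringsSep " " [
      (lib.getExe pkgs.jq)
      (lib.optionalString (cfg.sharedKeyFile != null) "--rawfile sk \"$CREDENTIALS_DIRECTORY/sharedkey\"")
      (lib.optionalString (cfg.socks5PasswordFile != null) "--rawfile sp \"$CREDENTIALS_DIRECTORY/socks5pass\"")
      # jq serialises the strings itself, so no shell-level quoting of the secret is needed;
      # rtrimstr drops the trailing newline a secret file usually carries.
      "'."
      (lib.optionalString (cfg.sharedKeyFile != null) "+ {SharedKey: ($sk | rtrimstr(\"\\n\"))}")
      (lib.optionalString (cfg.socks5PasswordFile != null) "+ {Socks5Password: ($sp | rtrimstr(\"\\n\"))}")
      "'"
      settings
      "> /run/sshwifty/sshwifty.json"
    ]
  )}
  # … unchanged: SSHWIFTY_CONFIG exports and exec …
'';
```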