parent
3b58c57aab
commit
18ffb9690c
@ -0,0 +1,106 @@ |
||||
{ config, lib, pkgs, ... }: |
||||
|
||||
with lib; |
||||
|
||||
let |
||||
cfg = config.services.uptermd; |
||||
in |
||||
{ |
||||
options = { |
||||
services.uptermd = { |
||||
enable = mkEnableOption "uptermd"; |
||||
|
||||
openFirewall = mkOption { |
||||
type = types.bool; |
||||
default = false; |
||||
description = '' |
||||
Whether to open the firewall for the port in <option>services.uptermd.port</option>. |
||||
''; |
||||
}; |
||||
|
||||
port = mkOption { |
||||
type = types.port; |
||||
default = 2222; |
||||
description = '' |
||||
Port the server will listen on. |
||||
''; |
||||
}; |
||||
|
||||
listenAddress = mkOption { |
||||
type = types.str; |
||||
default = "[::]"; |
||||
example = "127.0.0.1"; |
||||
description = '' |
||||
Address the server will listen on. |
||||
''; |
||||
}; |
||||
|
||||
hostKey = mkOption { |
||||
type = types.nullOr types.path; |
||||
default = null; |
||||
example = "/run/keys/upterm_host_ed25519_key"; |
||||
description = '' |
||||
Path to SSH host key. If not defined, an ed25519 keypair is generated automatically. |
||||
''; |
||||
}; |
||||
|
||||
extraFlags = mkOption { |
||||
type = types.listOf types.str; |
||||
default = []; |
||||
example = [ "--debug" ]; |
||||
description = '' |
||||
Extra flags passed to the uptermd command. |
||||
''; |
||||
}; |
||||
}; |
||||
}; |
||||
|
||||
config = mkIf cfg.enable { |
||||
networking.firewall = mkIf cfg.openFirewall { |
||||
allowedTCPPorts = [ cfg.port ]; |
||||
}; |
||||
|
||||
systemd.services.uptermd = { |
||||
description = "Upterm Daemon"; |
||||
wantedBy = [ "multi-user.target" ]; |
||||
after = [ "network.target" ]; |
||||
|
||||
path = [ pkgs.openssh ]; |
||||
|
||||
preStart = mkIf (cfg.hostKey == null) '' |
||||
if ! [ -f ssh_host_ed25519_key ]; then |
||||
ssh-keygen \ |
||||
-t ed25519 \ |
||||
-f ssh_host_ed25519_key \ |
||||
-N "" |
||||
fi |
||||
''; |
||||
|
||||
serviceConfig = { |
||||
StateDirectory = "uptermd"; |
||||
WorkingDirectory = "/var/lib/uptermd"; |
||||
ExecStart = "${pkgs.upterm}/bin/uptermd --ssh-addr ${cfg.listenAddress}:${toString cfg.port} --private-key ${if cfg.hostKey == null then "ssh_host_ed25519_key" else cfg.hostKey} ${concatStringsSep " " cfg.extraFlags}"; |
||||
|
||||
# Hardening |
||||
AmbientCapabilities = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; |
||||
CapabilityBoundingSet = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; |
||||
PrivateUsers = cfg.port >= 1024; |
||||
LockPersonality = true; |
||||
MemoryDenyWriteExecute = true; |
||||
PrivateDevices = true; |
||||
ProtectClock = true; |
||||
ProtectControlGroups = true; |
||||
ProtectHome = true; |
||||
ProtectHostname = true; |
||||
ProtectKernelLogs = true; |
||||
ProtectKernelModules = true; |
||||
ProtectKernelTunables = true; |
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; |
||||
RestrictNamespaces = true; |
||||
RestrictRealtime = true; |
||||
SystemCallArchitectures = "native"; |
||||
SystemCallFilter = "@system-service"; |
||||
}; |
||||
}; |
||||
}; |
||||
} |
Loading…
Reference in new issue