| blob | 09f7fdfb6e9e9c2523180f3ed103b754078ad95e |
1 { config, lib, pkgs, ... }:
2 let
3 cfg = config.services.clatd;
5 settingsFormat = pkgs.formats.keyValue {};
7 configFile = settingsFormat.generate "clatd.conf" cfg.settings;
8 in
9 {
10 options = {
11 services.clatd = {
12 enable = lib.mkEnableOption "clatd";
14 package = lib.mkPackageOption pkgs "clatd" { };
16 settings = lib.mkOption {
17 type = lib.types.submodule ({ name, ... }: {
18 freeformType = settingsFormat.type;
19 });
20 default = { };
21 example = lib.literalExpression ''
22 {
23 plat-prefix = "64:ff9b::/96";
24 }
25 '';
26 description = ''
27 Configuration of clatd. See [clatd Documentation](https://github.com/toreanderson/clatd/blob/master/README.pod#configuration).
28 '';
29 };
30 };
31 };
33 config = lib.mkIf cfg.enable {
34 systemd.services.clatd = {
35 description = "464XLAT CLAT daemon";
36 documentation = [ "man:clatd(8)" ];
37 wantedBy = [ "multi-user.target" ];
38 after = [ "network-online.target" ];
39 wants = [ "network-online.target" ];
40 startLimitIntervalSec = 0;
42 serviceConfig = {
43 ExecStart = "${cfg.package}/bin/clatd -c ${configFile}";
45 # Hardening
46 CapabilityBoundingSet = [
47 "CAP_NET_ADMIN"
48 ];
49 LockPersonality = true;
50 MemoryDenyWriteExecute = true;
51 NoNewPrivileges = true;
52 PrivateTmp = true;
53 ProtectClock = true;
54 ProtectControlGroups = true;
55 ProtectHome = true;
56 ProtectHostname = true;
57 ProtectKernelLogs = true;
58 ProtectKernelModules = true;
59 ProtectProc = "invisible";
60 ProtectSystem = true;
61 RestrictAddressFamilies = [
62 "AF_INET"
63 "AF_INET6"
64 "AF_NETLINK"
65 ];
66 RestrictNamespaces = true;
67 RestrictRealtime = true;
68 RestrictSUIDSGID = true;
69 SystemCallArchitectures = "native";
70 SystemCallFilter = [
71 "@network-io"
72 "@system-service"
73 "~@privileged"
74 "~@resources"
75 ];
76 };
77 };
78 };
79 }