| blob | 3642a4b15a661eafcde5e062489d486cd4e2b2fb |
1 { config, lib, pkgs, ... }:
3 with lib;
5 let
6 cfg = config.services.pppd;
7 in
8 {
9 meta = {
10 maintainers = [ ];
11 };
13 options = {
14 services.pppd = {
15 enable = mkEnableOption "pppd";
17 package = mkPackageOption pkgs "ppp" { };
19 peers = mkOption {
20 default = {};
21 description = "pppd peers.";
22 type = types.attrsOf (types.submodule (
23 { name, ... }:
24 {
25 options = {
26 name = mkOption {
27 type = types.str;
28 default = name;
29 example = "dialup";
30 description = "Name of the PPP peer.";
31 };
33 enable = mkOption {
34 type = types.bool;
35 default = true;
36 example = false;
37 description = "Whether to enable this PPP peer.";
38 };
40 autostart = mkOption {
41 type = types.bool;
42 default = true;
43 example = false;
44 description = "Whether the PPP session is automatically started at boot time.";
45 };
47 config = mkOption {
48 type = types.lines;
49 default = "";
50 description = "pppd configuration for this peer, see the pppd(8) man page.";
51 };
52 };
53 }));
54 };
55 };
56 };
58 config = let
59 enabledConfigs = filter (f: f.enable) (attrValues cfg.peers);
61 mkEtc = peerCfg: {
62 name = "ppp/peers/${peerCfg.name}";
63 value.text = peerCfg.config;
64 };
66 mkSystemd = peerCfg: {
67 name = "pppd-${peerCfg.name}";
68 value = {
69 restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ];
70 before = [ "network.target" ];
71 wants = [ "network.target" ];
72 after = [ "network-pre.target" ];
73 environment = {
74 # pppd likes to write directly into /var/run. This is rude
75 # on a modern system, so we use libredirect to transparently
76 # move those files into /run/pppd.
77 LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
78 NIX_REDIRECTS = "/var/run=/run/pppd";
79 };
80 serviceConfig = let
81 capabilities = [
82 "CAP_BPF"
83 "CAP_SYS_TTY_CONFIG"
84 "CAP_NET_ADMIN"
85 "CAP_NET_RAW"
86 ];
87 in
88 {
89 ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
90 Restart = "always";
91 RestartSec = 5;
93 AmbientCapabilities = capabilities;
94 CapabilityBoundingSet = capabilities;
95 KeyringMode = "private";
96 LockPersonality = true;
97 MemoryDenyWriteExecute = true;
98 NoNewPrivileges = true;
99 PrivateMounts = true;
100 PrivateTmp = true;
101 ProtectControlGroups = true;
102 ProtectHome = true;
103 ProtectHostname = true;
104 ProtectKernelModules = true;
105 # pppd can be configured to tweak kernel settings.
106 ProtectKernelTunables = false;
107 ProtectSystem = "strict";
108 RemoveIPC = true;
109 RestrictAddressFamilies = [
110 "AF_ATMPVC"
111 "AF_ATMSVC"
112 "AF_INET"
113 "AF_INET6"
114 "AF_IPX"
115 "AF_NETLINK"
116 "AF_PACKET"
117 "AF_PPPOX"
118 "AF_UNIX"
119 ];
120 RestrictNamespaces = true;
121 RestrictRealtime = true;
122 RestrictSUIDSGID = true;
123 SecureBits = "no-setuid-fixup-locked noroot-locked";
124 SystemCallFilter = "@system-service";
125 SystemCallArchitectures = "native";
127 # All pppd instances on a system must share a runtime
128 # directory in order for PPP multilink to work correctly. So
129 # we give all instances the same /run/pppd directory to store
130 # things in.
131 #
132 # For the same reason, we can't set PrivateUsers=true, because
133 # all instances need to run as the same user to access the
134 # multilink database.
135 RuntimeDirectory = "pppd";
136 RuntimeDirectoryPreserve = true;
137 };
138 wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ];
139 };
140 };
142 etcFiles = listToAttrs (map mkEtc enabledConfigs);
143 systemdConfigs = listToAttrs (map mkSystemd enabledConfigs);
145 in mkIf cfg.enable {
146 environment.etc = etcFiles;
147 systemd.services = systemdConfigs;
148 };
149 }