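# NixOS module for the endlessh SSH tarpit.
#
# Exposes `services.endlessh.*` options and, when enabled, a hardened
# systemd unit plus an optional firewall rule.
{ config, lib, pkgs, ... }:

with lib;

let
  # Short alias for this module's option values.
  cfg = config.services.endlessh;
in
# Opening brace of the module attribute set; the matching "}" follows the
# meta.maintainers binding at the end of the file.
{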
9   options.services.endlessh = {
10     enable = mkEnableOption "endlessh service";
12     port = mkOption {
13       type = types.port;
14       default = 2222;
15       example = 22;
16       description = ''
17         Specifies on which port the endlessh daemon listens for SSH
18         connections.
20         Setting this to `22` may conflict with {option}`services.openssh`.
21       '';
22     };
24     extraOptions = mkOption {
25       type = with types; listOf str;
26       default = [ ];
27       example = [ "-6" "-d 9000" "-v" ];
28       description = ''
29         Additional command line options to pass to the endlessh daemon.
30       '';
31     };
33     openFirewall = mkOption {
34       type = types.bool;
35       default = false;
36       description = ''
37         Whether to open a firewall port for the SSH listener.
38       '';
39     };
40   };
42   config = mkIf cfg.enable {
43     systemd.services.endlessh = {
44       description = "SSH tarpit";
45       requires = [ "network.target" ];
46       wantedBy = [ "multi-user.target" ];
47       serviceConfig =
48         let
49           needsPrivileges = cfg.port < 1024;
50           capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];
51           rootDirectory = "/run/endlessh";
52         in
53         {
54           Restart = "always";
55           ExecStart = with cfg; concatStringsSep " " ([
56             "${pkgs.endlessh}/bin/endlessh"
57             "-p ${toString port}"
58           ] ++ extraOptions);
59           DynamicUser = true;
60           RootDirectory = rootDirectory;
61           BindReadOnlyPaths = [ builtins.storeDir ];
62           InaccessiblePaths = [ "-+${rootDirectory}" ];
63           RuntimeDirectory = baseNameOf rootDirectory;
64           RuntimeDirectoryMode = "700";
65           AmbientCapabilities = capabilities;
66           CapabilityBoundingSet = capabilities;
67           UMask = "0077";
68           LockPersonality = true;
69           MemoryDenyWriteExecute = true;
70           NoNewPrivileges = true;
71           PrivateDevices = true;
72           PrivateTmp = true;
73           PrivateUsers = !needsPrivileges;
74           ProtectClock = true;
75           ProtectControlGroups = true;
76           ProtectHome = true;
77           ProtectHostname = true;
78           ProtectKernelLogs = true;
79           ProtectKernelModules = true;
80           ProtectKernelTunables = true;
81           ProtectSystem = "strict";
82           ProtectProc = "noaccess";
83           ProcSubset = "pid";
84           RemoveIPC = true;
85           RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
86           RestrictNamespaces = true;
87           RestrictRealtime = true;
88           RestrictSUIDSGID = true;
89           SystemCallArchitectures = "native";
90           SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
91         };
92     };
94     networking.firewall.allowedTCPPorts = with cfg;
95       optionals openFirewall [ port ];
96   };
98   meta.maintainers = with maintainers; [ azahi ];