nixos/modules/services/networking/tetrd.nix

   1 { config, lib, pkgs, ... }:
   2
   3 {
   4   options.services.tetrd.enable = lib.mkEnableOption (lib.mdDoc "tetrd");
   5
   6   config = lib.mkIf config.services.tetrd.enable {
   7     environment = {
   8       systemPackages = [ pkgs.tetrd ];
   9       etc."resolv.conf".source = "/etc/tetrd/resolv.conf";
  10     };
  11
  12     systemd = {
  13       tmpfiles.rules = [ "f /etc/tetrd/resolv.conf - - -" ];
  14
  15       services.tetrd = {
  16         description = pkgs.tetrd.meta.description;
  17         wantedBy = [ "multi-user.target" ];
  18
  19         serviceConfig = {
  20           ExecStart = "${pkgs.tetrd}/opt/Tetrd/bin/tetrd";
  21           Restart = "always";
  22           RuntimeDirectory = "tetrd";
  23           RootDirectory = "/run/tetrd";
  24           DynamicUser = true;
  25           UMask = "006";
  26           DeviceAllow = "usb_device";
  27           LockPersonality = true;
  28           MemoryDenyWriteExecute = true;
  29           NoNewPrivileges = true;
  30           PrivateMounts = true;
  31           PrivateNetwork = lib.mkDefault false;
  32           PrivateTmp = true;
  33           PrivateUsers = lib.mkDefault false;
  34           ProtectClock = lib.mkDefault false;
  35           ProtectControlGroups = true;
  36           ProtectHome = true;
  37           ProtectHostname = true;
  38           ProtectKernelLogs = true;
  39           ProtectKernelModules = true;
  40           ProtectKernelTunables = true;
  41           ProtectProc = "invisible";
  42           ProtectSystem = "strict";
  43           RemoveIPC = true;
  44           RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
  45           RestrictNamespaces = true;
  46           RestrictRealtime = true;
  47           RestrictSUIDSGID = true;
  48           SystemCallArchitectures = "native";
  49
  50           SystemCallFilter = [
  51             "@system-service"
  52             "~@aio"
  53             "~@chown"
  54             "~@clock"
  55             "~@cpu-emulation"
  56             "~@debug"
  57             "~@keyring"
  58             "~@memlock"
  59             "~@module"
  60             "~@mount"
  61             "~@obsolete"
  62             "~@pkey"
  63             "~@raw-io"
  64             "~@reboot"
  65             "~@swap"
  66             "~@sync"
  67           ];
  68
  69           BindReadOnlyPaths = [
  70             builtins.storeDir
  71             "/etc/ssl"
  72             "/etc/static/ssl"
  73             "${pkgs.nettools}/bin/route:/usr/bin/route"
  74             "${pkgs.nettools}/bin/ifconfig:/usr/bin/ifconfig"
  75           ];
  76
  77           BindPaths = [
  78             "/etc/tetrd/resolv.conf:/etc/resolv.conf"
  79             "/run"
  80             "/var/log"
  81           ];
  82
  83           CapabilityBoundingSet = [
  84             "CAP_DAC_OVERRIDE"
  85             "CAP_NET_ADMIN"
  86           ];
  87
  88           AmbientCapabilities = [
  89             "CAP_DAC_OVERRIDE"
  90             "CAP_NET_ADMIN"
  91           ];
  92         };
  93       };
  94     };
  95   };
  96 }