nixos/modules/services/networking/clatd.nix

   1 {
   2   config,
   3   lib,
   4   pkgs,
   5   ...
   6 }:
   7 let
   8   cfg = config.services.clatd;
   9
  10   settingsFormat = pkgs.formats.keyValue { };
  11
  12   configFile = settingsFormat.generate "clatd.conf" cfg.settings;
  13 in
  14 {
  15   options = {
  16     services.clatd = {
  17       enable = lib.mkEnableOption "clatd";
  18
  19       package = lib.mkPackageOption pkgs "clatd" { };
  20
  21       enableNetworkManagerIntegration = lib.mkEnableOption "NetworkManager integration" // {
  22         default = config.networking.networkmanager.enable;
  23         defaultText = "config.networking.networkmanager.enable";
  24       };
  25
  26       settings = lib.mkOption {
  27         type = lib.types.submodule (
  28           { name, ... }:
  29           {
  30             freeformType = settingsFormat.type;
  31           }
  32         );
  33         default = { };
  34         example = lib.literalExpression ''
  35           {
  36             plat-prefix = "64:ff9b::/96";
  37           }
  38         '';
  39         description = ''
  40           Configuration of clatd. See [clatd Documentation](https://github.com/toreanderson/clatd/blob/master/README.pod#configuration).
  41         '';
  42       };
  43     };
  44   };
  45
  46   config = lib.mkIf cfg.enable {
  47     systemd.services.clatd = {
  48       description = "464XLAT CLAT daemon";
  49       documentation = [ "man:clatd(8)" ];
  50       wantedBy = [ "multi-user.target" ];
  51       after = [ "network-online.target" ];
  52       wants = [ "network-online.target" ];
  53       startLimitIntervalSec = 0;
  54
  55       serviceConfig = {
  56         ExecStart = "${cfg.package}/bin/clatd -c ${configFile}";
  57
  58         # Hardening
  59         CapabilityBoundingSet = [
  60           "CAP_NET_ADMIN"
  61         ];
  62         LockPersonality = true;
  63         MemoryDenyWriteExecute = true;
  64         NoNewPrivileges = true;
  65         PrivateTmp = true;
  66         ProtectClock = true;
  67         ProtectControlGroups = true;
  68         ProtectHome = true;
  69         ProtectHostname = true;
  70         ProtectKernelLogs = true;
  71         ProtectKernelModules = true;
  72         ProtectProc = "invisible";
  73         ProtectSystem = true;
  74         RestrictAddressFamilies = [
  75           "AF_INET"
  76           "AF_INET6"
  77           "AF_NETLINK"
  78         ];
  79         RestrictNamespaces = true;
  80         RestrictRealtime = true;
  81         RestrictSUIDSGID = true;
  82         SystemCallArchitectures = "native";
  83         SystemCallFilter = [
  84           "@network-io"
  85           "@system-service"
  86           "~@privileged"
  87           "~@resources"
  88         ];
  89       };
  90     };
  91
  92     networking.networkmanager.dispatcherScripts = lib.optionals cfg.enableNetworkManagerIntegration [
  93       {
  94         type = "basic";
  95         # https://github.com/toreanderson/clatd/blob/master/scripts/clatd.networkmanager
  96         source = pkgs.writeShellScript "restart-clatd" ''
  97           [ "$DEVICE_IFACE" = "${cfg.settings.clat-dev or "clat"}" ] && exit 0
  98           [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
  99           ${pkgs.systemd}/bin/systemctl restart clatd.service
 100         '';
 101       }
 102     ];
 103   };
 104 }