58 lines
1.6 KiB
Nix
58 lines
1.6 KiB
Nix
# Portions of this file are sourced from
|
|
# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/nixos/mainframe/gravity.nix
|
|
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
with lib;
|
|
let
|
|
cfg = config.services.enthalpy;
|
|
in
|
|
{
|
|
options.services.enthalpy.gost = {
|
|
enable = mkEnableOption "simple tunnel for accessing the underlay network";
|
|
};
|
|
|
|
config = mkIf (cfg.enable && cfg.gost.enable) {
|
|
systemd.network.networks."50-enthalpy" = {
|
|
address = singleton "fc00::";
|
|
routes = singleton { Destination = cfg.address; };
|
|
};
|
|
|
|
systemd.services.enthalpy-gost = {
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
Restart = "on-failure";
|
|
RestartSec = 5;
|
|
DynamicUser = true;
|
|
RuntimeDirectory = "enthalpy";
|
|
ExecStart = "${pkgs.gost}/bin/gost -L=socks5://[fc00::]:${toString config.networking.ports.enthalpy-gost}";
|
|
ProtectSystem = "full";
|
|
ProtectHome = "yes";
|
|
ProtectKernelTunables = true;
|
|
ProtectControlGroups = true;
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
|
|
MemoryDenyWriteExecute = "yes";
|
|
};
|
|
wants = [ "network-online.target" ];
|
|
after = [
|
|
"enthalpy.service"
|
|
"network-online.target"
|
|
];
|
|
requires = [ "enthalpy.service" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
};
|
|
|
|
services.enthalpy.exit.enable = true;
|
|
services.enthalpy.exit.prefix = singleton {
|
|
type = "static";
|
|
destination = "fc00::/128";
|
|
source = "${cfg.address}/128";
|
|
};
|
|
};
|
|
}
|