nixos/firezone: init module and packages (#374647) (47661806) · Commits · nix / nixpkgs

nixos/doc/manual/release-notes/rl-2505.section.md

+2 −0

Original line number	Diff line number	Diff line
		@@ -108,6 +108,8 @@

		- [Schroot](https://codeberg.org/shelter/reschroot), a lightweight virtualisation tool. Securely enter a chroot and run a command or login shell. Available as [programs.schroot](#opt-programs.schroot.enable).

		- [Firezone](https://firezone.dev), an enterprise-ready zero-trust access platform built on WireGuard. This includes the server stack as [services.firezone.server.enable](#opt-services.firezone.server.enable), a TURN/STUN relay service as [services.firezone.relay.enable](#opt-services.firezone.relay.enable), a gateway service as [services.firezone.gateway.enable](#opt-services.firezone.gateway.enable), a headless client as [services.firezone.headless-client.enable](#opt-services.firezone.headless-client.enable) and a GUI client as [services.firezone.gui-client.enable](#opt-services.firezone.gui-client.enable).

		- [crab-hole](https://github.com/LuckyTurtleDev/crab-hole), a cross platform Pi-hole clone written in Rust using hickory-dns/trust-dns. Available as [services.crab-hole](#opt-services.crab-hole.enable).

		- [zwave-js-ui](https://zwave-js.github.io/zwave-js-ui/), a full featured Z-Wave Control Panel and MQTT Gateway. Available as [services.zwave-js-ui](#opt-services.zwave-js-ui.enable).

nixos/modules/module-list.nix

+5 −0

Original line number	Diff line number	Diff line
		@@ -1101,6 +1101,11 @@
		./services/networking/firewall.nix
		./services/networking/firewall-iptables.nix
		./services/networking/firewall-nftables.nix
		./services/networking/firezone/gateway.nix
		./services/networking/firezone/gui-client.nix
		./services/networking/firezone/headless-client.nix
		./services/networking/firezone/relay.nix
		./services/networking/firezone/server.nix
		./services/networking/flannel.nix
		./services/networking/freenet.nix
		./services/networking/freeradius.nix

nixos/modules/services/networking/firezone/gateway.nix

0 → 100644

+159 −0

Original line number	Diff line number	Diff line
		{
		lib,
		pkgs,
		config,
		...
		}:
		let
		inherit (lib)
		boolToString
		getExe
		mkEnableOption
		mkIf
		mkOption
		mkPackageOption
		types
		;

		cfg = config.services.firezone.gateway;
		in
		{
		options = {
		services.firezone.gateway = {
		enable = mkOption {
		default = false;
		example = true;
		description = ''
		Whether to enable the firezone gateway.

		You have to manually masquerade and forward traffic from the
		tun-firezone interface to your resource! Refer to the
		[upstream setup script](https://github.com/firezone/firezone/blob/8c7c0a9e8e33ae790aeb75fdb5a15432c2870b79/scripts/gateway-systemd-install.sh#L154-L168)
		for a list of iptable commands.

		See the firezone nixos test in this repository for an nftables based example.
		'';
		type = lib.types.bool;
		};
		package = mkPackageOption pkgs "firezone-gateway" { };

		name = mkOption {
		type = types.str;
		description = "The name of this gateway as shown in firezone";
		};

		apiUrl = mkOption {
		type = types.strMatching "^wss://.+/$";
		example = "wss://firezone.example.com/api/";
		description = ''
		The URL of your firezone server's API. This should be the same
		as your server's setting for {option}`services.firezone.server.settings.api.externalUrl`,
		but with `wss://` instead of `https://`.
		'';
		};

		tokenFile = mkOption {
		type = types.path;
		example = "/run/secrets/firezone-gateway-token";
		description = ''
		A file containing the firezone gateway token. Do not use a nix-store path here
		as it will make the token publicly readable!

		This file will be passed via systemd credentials, it should only be accessible
		by the root user.
		'';
		};

		logLevel = mkOption {
		type = types.str;
		default = "info";
		description = ''
		The log level for the firezone application. See
		[RUST_LOG](https://docs.rs/env_logger/latest/env_logger/#enabling-logging)
		for the format.
		'';
		};

		enableTelemetry = mkEnableOption "telemetry";
		};
		};

		config = mkIf cfg.enable {
		systemd.services.firezone-gateway = {
		description = "Gateway service for the Firezone zero-trust access platform";
		after = [ "network.target" ];
		wantedBy = [ "multi-user.target" ];

		path = [ pkgs.util-linux ];
		script = ''
		# If FIREZONE_ID is not given by the user, use a persisted (or newly generated) uuid.
		if [[ -z "''${FIREZONE_ID:-}" ]]; then
		if [[ ! -e gateway_id ]]; then
		uuidgen -r > gateway_id
		fi
		export FIREZONE_ID=$(< gateway_id)
		fi

		export FIREZONE_TOKEN=$(< "$CREDENTIALS_DIRECTORY/firezone-token")
		exec ${getExe cfg.package}
		'';

		environment = {
		FIREZONE_API_URL = cfg.apiUrl;
		FIREZONE_NAME = cfg.name;
		FIREZONE_NO_TELEMETRY = boolToString (!cfg.enableTelemetry);
		RUST_LOG = cfg.logLevel;
		};

		serviceConfig = {
		Type = "exec";
		DynamicUser = true;
		User = "firezone-gateway";
		LoadCredential = [ "firezone-token:${cfg.tokenFile}" ];

		DeviceAllow = "/dev/net/tun";
		AmbientCapabilities = [ "CAP_NET_ADMIN" ];
		CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];

		StateDirectory = "firezone-gateway";
		WorkingDirectory = "/var/lib/firezone-gateway";

		Restart = "on-failure";
		RestartSec = 10;

		LockPersonality = true;
		MemoryDenyWriteExecute = true;
		NoNewPrivileges = true;
		PrivateMounts = true;
		PrivateTmp = true;
		PrivateUsers = false;
		ProcSubset = "pid";
		ProtectClock = true;
		ProtectControlGroups = true;
		ProtectHome = true;
		ProtectHostname = true;
		ProtectKernelLogs = true;
		ProtectKernelModules = true;
		ProtectKernelTunables = true;
		ProtectProc = "invisible";
		ProtectSystem = "strict";
		RestrictAddressFamilies = [
		"AF_INET"
		"AF_INET6"
		"AF_NETLINK"
		];
		RestrictNamespaces = true;
		RestrictRealtime = true;
		RestrictSUIDSGID = true;
		SystemCallArchitectures = "native";
		SystemCallFilter = "@system-service";
		UMask = "077";
		};
		};
		};

		meta.maintainers = with lib.maintainers; [
		oddlama
		patrickdag
		];
		}

nixos/modules/services/networking/firezone/gui-client.nix

0 → 100644

+138 −0

Original line number	Diff line number	Diff line
		{
		lib,
		pkgs,
		config,
		...
		}:
		let
		inherit (lib)
		boolToString
		getExe'
		mkEnableOption
		mkIf
		mkOption
		mkPackageOption
		types
		;

		cfg = config.services.firezone.gui-client;
		in
		{
		options = {
		services.firezone.gui-client = {
		enable = mkEnableOption "the firezone gui client";
		package = mkPackageOption pkgs "firezone-gui-client" { };

		allowedUsers = mkOption {
		type = types.listOf types.str;
		default = [ ];
		description = ''
		All listed users will become part of the `firezone-client` group so
		they can control the IPC service. This is a convenience option.
		'';
		};

		name = mkOption {
		type = types.str;
		description = "The name of this client as shown in firezone";
		};

		logLevel = mkOption {
		type = types.str;
		default = "info";
		description = ''
		The log level for the firezone application. See
		[RUST_LOG](https://docs.rs/env_logger/latest/env_logger/#enabling-logging)
		for the format.
		'';
		};
		};
		};

		config = mkIf cfg.enable {
		users.groups.firezone-client.members = cfg.allowedUsers;

		# Required for deep-link mimetype registration
		environment.systemPackages = [ cfg.package ];

		# Required for the token store in the gui application
		services.gnome.gnome-keyring.enable = true;

		systemd.services.firezone-ipc-service = {
		description = "GUI IPC service for the Firezone zero-trust access platform";
		after = [ "network.target" ];
		wantedBy = [ "multi-user.target" ];

		path = [ pkgs.util-linux ];
		script = ''
		# If FIREZONE_ID is not given by the user, use a persisted (or newly generated) uuid.
		if [[ -z "''${FIREZONE_ID:-}" ]]; then
		if [[ ! -e client_id ]]; then
		uuidgen -r > client_id
		fi
		export FIREZONE_ID=$(< client_id)
		fi

		exec ${getExe' cfg.package "firezone-client-ipc"} run
		'';

		environment = {
		FIREZONE_NAME = cfg.name;
		LOG_DIR = "%L/dev.firezone.client";
		RUST_LOG = cfg.logLevel;
		};

		serviceConfig = {
		Type = "notify";

		DeviceAllow = "/dev/net/tun";
		AmbientCapabilities = [ "CAP_NET_ADMIN" ];
		CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];

		# This block contains hardcoded values in the client, we cannot change these :(
		Group = "firezone-client";
		RuntimeDirectory = "dev.firezone.client";
		StateDirectory = "dev.firezone.client";
		WorkingDirectory = "/var/lib/dev.firezone.client";
		LogsDirectory = "dev.firezone.client";

		Restart = "on-failure";
		RestartSec = 10;

		LockPersonality = true;
		MemoryDenyWriteExecute = true;
		NoNewPrivileges = true;
		PrivateMounts = true;
		PrivateTmp = true;
		PrivateUsers = false;
		ProcSubset = "pid";
		ProtectClock = true;
		ProtectControlGroups = true;
		ProtectHome = true;
		ProtectHostname = true;
		ProtectKernelLogs = true;
		ProtectKernelModules = true;
		ProtectKernelTunables = true;
		ProtectProc = "invisible";
		ProtectSystem = "strict";
		RestrictAddressFamilies = [
		"AF_INET"
		"AF_INET6"
		"AF_NETLINK"
		"AF_UNIX"
		];
		RestrictNamespaces = true;
		RestrictRealtime = true;
		RestrictSUIDSGID = true;
		SystemCallArchitectures = "native";
		SystemCallFilter = "@system-service";
		UMask = "077";
		};
		};
		};

		meta.maintainers = with lib.maintainers; [
		oddlama
		patrickdag
		];
		}

nixos/modules/services/networking/firezone/headless-client.nix

0 → 100644

+148 −0

Original line number	Diff line number	Diff line
		{
		lib,
		pkgs,
		config,
		...
		}:
		let
		inherit (lib)
		boolToString
		getExe
		mkEnableOption
		mkIf
		mkOption
		mkPackageOption
		types
		;

		cfg = config.services.firezone.headless-client;
		in
		{
		options = {
		services.firezone.headless-client = {
		enable = mkEnableOption "the firezone headless client";
		package = mkPackageOption pkgs "firezone-headless-client" { };

		name = mkOption {
		type = types.str;
		description = "The name of this client as shown in firezone";
		};

		apiUrl = mkOption {
		type = types.strMatching "^wss://.+/$";
		example = "wss://firezone.example.com/api/";
		description = ''
		The URL of your firezone server's API. This should be the same
		as your server's setting for {option}`services.firezone.server.settings.api.externalUrl`,
		but with `wss://` instead of `https://`.
		'';
		};

		tokenFile = mkOption {
		type = types.path;
		example = "/run/secrets/firezone-client-token";
		description = ''
		A file containing the firezone client token. Do not use a nix-store path here
		as it will make the token publicly readable!

		This file will be passed via systemd credentials, it should only be accessible
		by the root user.
		'';
		};

		logLevel = mkOption {
		type = types.str;
		default = "info";
		description = ''
		The log level for the firezone application. See
		[RUST_LOG](https://docs.rs/env_logger/latest/env_logger/#enabling-logging)
		for the format.
		'';
		};

		enableTelemetry = mkEnableOption "telemetry";
		};
		};

		config = mkIf cfg.enable {
		systemd.services.firezone-headless-client = {
		description = "headless client service for the Firezone zero-trust access platform";
		after = [ "network.target" ];
		wantedBy = [ "multi-user.target" ];

		path = [ pkgs.util-linux ];
		script = ''
		# If FIREZONE_ID is not given by the user, use a persisted (or newly generated) uuid.
		if [[ -z "''${FIREZONE_ID:-}" ]]; then
		if [[ ! -e client_id ]]; then
		uuidgen -r > client_id
		fi
		export FIREZONE_ID=$(< client_id)
		fi

		exec ${getExe cfg.package}
		'';

		environment = {
		FIREZONE_API_URL = cfg.apiUrl;
		FIREZONE_NAME = cfg.name;
		FIREZONE_NO_TELEMETRY = boolToString (!cfg.enableTelemetry);
		FIREZONE_TOKEN_PATH = "%d/firezone-token";
		LOG_DIR = "%L/dev.firezone.client";
		RUST_LOG = cfg.logLevel;
		};

		serviceConfig = {
		Type = "exec";
		LoadCredential = [ "firezone-token:${cfg.tokenFile}" ];

		DeviceAllow = "/dev/net/tun";
		AmbientCapabilities = [ "CAP_NET_ADMIN" ];
		CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];

		# Hardcoded values in the client :(
		RuntimeDirectory = "dev.firezone.client";
		StateDirectory = "dev.firezone.client";
		WorkingDirectory = "/var/lib/dev.firezone.client";
		LogsDirectory = "dev.firezone.client";

		Restart = "on-failure";
		RestartSec = 10;

		LockPersonality = true;
		MemoryDenyWriteExecute = true;
		NoNewPrivileges = true;
		PrivateMounts = true;
		PrivateTmp = true;
		PrivateUsers = false;
		ProcSubset = "pid";
		ProtectClock = true;
		ProtectControlGroups = true;
		ProtectHome = true;
		ProtectHostname = true;
		ProtectKernelLogs = true;
		ProtectKernelModules = true;
		ProtectKernelTunables = true;
		ProtectProc = "invisible";
		ProtectSystem = "strict";
		RestrictAddressFamilies = [
		"AF_INET"
		"AF_INET6"
		"AF_NETLINK"
		"AF_UNIX"
		];
		RestrictNamespaces = true;
		RestrictRealtime = true;
		RestrictSUIDSGID = true;
		SystemCallArchitectures = "native";
		SystemCallFilter = "@system-service";
		UMask = "077";
		};
		};
		};

		meta.maintainers = with lib.maintainers; [
		oddlama
		patrickdag
		];
		}