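{ pkgs, lib, ... }:

# Expose local development web servers, which listen on unprivileged ports,
# on the privileged loopback ports 80/443.  One hardened systemd unit is
# generated per entry of the attribute set at the bottom of this file:
#
#   <name> = { from = <port the dev server listens on>;
#              to   = <privileged port it is exposed on>; };
#
# `redir` is started as `redir -n 127.0.0.1:<to> 127.0.0.1:<from>`, i.e. it
# listens on 127.0.0.1:<to> and forwards each connection to 127.0.0.1:<from>
# (redir's positional arguments are <listen> then <target>; the `from`/`to`
# names describe the dev server's point of view, not redir's).
#
# Everything stays on loopback: listener and target are both 127.0.0.1 and
# the unit's IPAddressAllow/IPAddressDeny restrict it to localhost traffic.
{
  systemd.services = lib.attrsets.mapAttrs'
    (
      name: mapping:
        let
          # One runtime/root directory per unit.  Previously every instance
          # used the single hard-coded "redir-https" directory, so the http
          # and https units -- each running under its own DynamicUser --
          # shared the same chroot, and systemd's removal of the
          # RuntimeDirectory when one unit stops pulled the root directory
          # out from under the other.  Keying it by ${name} gives each unit
          # its own directory and owner.
          runtimeDir = "redir-${name}";
        in
        lib.attrsets.nameValuePair "redir-${name}" {
          description = "Port redirection for local development web server (${name})";
          after = [ "network.target" ];
          wantedBy = [ "multi-user.target" ];

          serviceConfig = {
            # The only privilege redir needs is binding the privileged port;
            # grant it as an ambient capability and cap the bounding set to
            # it so nothing else can be acquired.
            AmbientCapabilities = "CAP_NET_BIND_SERVICE";
            CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";

            # The chroot below is otherwise empty; the binary and its runtime
            # closure live in /nix/store, so that is the only path mounted in
            # (read-only).
            BindReadOnlyPaths = [ "/nix/store" ];

            # Transient unprivileged user/group, allocated per unit start.
            DynamicUser = true;

            # `-n` keeps redir in the foreground so Type=exec can track the
            # process directly.
            ExecStart = "${pkgs.redir}/bin/redir -n 127.0.0.1:${toString mapping.to} 127.0.0.1:${toString mapping.from}";

            # Network confinement: deny everything, then allow only loopback.
            # (PrivateNetwork is not an option here -- the unit must reach the
            # host's loopback interface to talk to the dev server.)
            IPAddressAllow = "localhost";
            IPAddressDeny = "any";

            LockPersonality = true;
            MemoryDenyWriteExecute = true;
            NoNewPrivileges = true;
            # mkForce is kept: it makes this win over any lower-priority
            # setting of PrivateDevices from another module.
            PrivateDevices = lib.mkForce true;
            PrivateTmp = true;
            ProcSubset = "pid";
            ProtectClock = true;
            ProtectControlGroups = true;
            ProtectHome = true;
            ProtectHostname = true;
            ProtectKernelLogs = true;
            ProtectKernelModules = true;
            ProtectKernelTunables = true;
            ProtectProc = "noaccess";
            ProtectSystem = "strict";
            # redir writes no files; leave the writable path list empty.
            ReadWritePaths = "";
            RemoveIPC = true;

            # Only IPv4 is used on the command line; AF_INET6 is left allowed
            # so an entry can be switched to ::1 without touching the sandbox
            # (IPAddressAllow=localhost already covers ::1).
            RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
            RestrictNamespaces = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;

            # Per-unit chroot under /run (see `runtimeDir` above).  systemd
            # creates RuntimeDirectory before the unit starts and removes it
            # when the unit stops.
            RootDirectory = "/run/${runtimeDir}";
            RuntimeDirectory = runtimeDir;

            SystemCallArchitectures = "native";
            SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
            Type = "exec";
          };
        }
    )
    {
      # Dev server on 8080 is exposed on 80; dev server on 8443 on 443.
      http = { from = 8080; to = 80; };
      https = { from = 8443; to = 443; };
    };
}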