infra/modules/cloudflare-warp.nix


# From https://codeberg.org/ollijh/nixos-modules/src/branch/main/modules/cloudflare-warp.nix
{pkgs, ...}: let
  # warp-svc is given an explicit PATH prefix so it can find nft, lsof and ip
  # in the Nix store at runtime. Note that this *replaces* any postInstall the
  # package already defines rather than extending it (the previous value is
  # ignored on purpose, as in the upstream module).
  warpSvc = pkgs.cloudflare-warp.overrideAttrs (_: {
    postInstall = ''
      wrapProgram $out/bin/warp-svc --prefix PATH : ${pkgs.lib.makeBinPath [pkgs.nftables pkgs.lsof pkgs.iproute2]}
    '';
  });
in {
  config = {
    # Client tooling (warp-cli) for interactive use; the unwrapped package is
    # sufficient here, only the daemon needs the PATH wrapper.
    environment.systemPackages = [pkgs.cloudflare-warp];

    # Dedicated system account owning the daemon's state directory.
    # NOTE(review): `User` is commented out in the unit below, so as written
    # warp-svc still runs as root and this account is not used by the service.
    users.groups.warp = {};
    users.users.warp = {
      isSystemUser = true;
      group = "warp";
      description = "Cloudflare Warp user";
      home = "/var/lib/cloudflare-warp";
    };

    # Allow systemd-resolved to forward single-label hostnames to unicast DNS.
    services.resolved.extraConfig = ''
      ResolveUnicastSingleLabel=yes
    '';

    systemd = {
      # Pull the unit files shipped with the (wrapped) package.
      packages = [warpSvc];

      services.warp-svc = {
        wantedBy = ["multi-user.target"];
        wants = ["network-online.target"];
        after = ["network-online.target" "systemd-resolved.service"];

        serviceConfig = {
          # /var/lib/cloudflare-warp, created and owned by systemd.
          StateDirectory = "cloudflare-warp";

          # Left disabled: the daemon presumably needs root for the nftables
          # and routing changes it makes (see the PATH wrapper above).
          # Enabling these would run it as the `warp` account with 0077 umask.
          #User = "warp";
          #Umask = "0077";

          # Hardening. Since the service runs as root, these sandboxing
          # directives are the main containment for the daemon; they limit
          # what a compromised warp-svc can reach on the host.
          LockPersonality = true;
          PrivateMounts = true;
          PrivateTmp = true;
          ProtectControlGroups = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          # Deliberately `true` (read-only /usr, /boot, /efi) rather than
          # `strict`: the upstream note reports that `strict` causes warp to
          # activate on plus.
          ProtectSystem = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
        };
      };
    };
  };
}