# From https://codeberg.org/ollijh/nixos-modules/src/branch/main/modules/cloudflare-warp.nix
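{pkgs, ...}: let
  # Build the package once and use the same derivation for both the installed
  # CLI and the systemd unit.  The original referenced pkgs.cloudflare-warp in
  # environment.systemPackages and an overridden copy in systemd.packages, so
  # two derivations were built and the wrapped warp-svc was not the one on PATH.
  warp = pkgs.cloudflare-warp.overrideAttrs (old: {
    # warp-svc shells out to nft/lsof/ip; make them reachable from the unit's
    # minimal PATH.
    postInstall = ''
      wrapProgram $out/bin/warp-svc --prefix PATH : ${pkgs.lib.makeBinPath [pkgs.nftables pkgs.lsof pkgs.iproute2]}
    '';
  });
in {
  config = {
    environment.systemPackages = [warp];

    # Dedicated account for WARP state.  NOTE(review): the unit below leaves
    # User= commented out, so warp-svc itself runs as root; this account only
    # owns the home/state path unless the daemon drops privileges on its own —
    # verify against the upstream service before relying on it.
    users.users.warp = {
      isSystemUser = true;
      group = "warp";
      description = "Cloudflare Warp user";
      home = "/var/lib/cloudflare-warp";
    };
    users.groups.warp = {};

    # Let systemd-resolved forward single-label names (e.g. "intranet") to the
    # configured DNS servers instead of refusing them.  Security caveat: such
    # lookups can leak internal hostnames to upstream resolvers and are easier
    # to spoof than FQDN lookups; keep this only if WARP's DNS setup needs it.
    services.resolved.extraConfig = ''
      ResolveUnicastSingleLabel=yes
    '';

    systemd = {
      packages = [warp];

      services.warp-svc = {
        after = ["network-online.target" "systemd-resolved.service"];
        wants = ["network-online.target"];
        wantedBy = ["multi-user.target"];

        serviceConfig = {
          # /var/lib/cloudflare-warp, created and owned by systemd for the unit.
          StateDirectory = "cloudflare-warp";
          # Running unprivileged is disabled: warp-svc presumably needs root to
          # program nftables and routes (see the PATH wrapper above).  If this
          # is ever re-enabled, note the systemd directive is UMask, not Umask.
          #User = "warp";
          #UMask = "0077";

          # Hardening.  Each directive removes a kernel interface the daemon
          # should not need; none of them restricts what it can do on the
          # network.
          LockPersonality = true;
          PrivateMounts = true;
          PrivateTmp = true;
          ProtectControlGroups = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          # Deliberately `true` rather than "strict": the original author noted
          # that "strict" interferes with WARP (the note was garbled — retest
          # before tightening).
          ProtectSystem = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          # Not set: NoNewPrivileges, CapabilityBoundingSet,
          # RestrictAddressFamilies, SystemCallFilter.  As the unit runs as
          # root and drives nftables, these likely need CAP_NET_ADMIN and
          # AF_NETLINK carve-outs; test before adding them.
        };
      };
    };
  };
}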