From e2b93fa6df68d1df4ea302f02b30bd47e4e53809 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas <foodogsquared@foodogsquared.one>
Date: Thu, 22 Aug 2024 19:45:15 +0800
Subject: [PATCH] nixos/services/ctrld: init

---
 modules/nixos/default.nix        |  1 +
 modules/nixos/services/ctrld.nix | 95 ++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 modules/nixos/services/ctrld.nix

diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index ad428325..8974f9bd 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -7,6 +7,7 @@
     ./programs/sessiond
     ./programs/wezterm.nix
     ./services/archivebox.nix
+    ./services/ctrld.nix
     ./services/gallery-dl.nix
     ./services/uxplay.nix
     ./services/wezterm-mux-server.nix
diff --git a/modules/nixos/services/ctrld.nix b/modules/nixos/services/ctrld.nix
new file mode 100644
index 00000000..5df489ab
--- /dev/null
+++ b/modules/nixos/services/ctrld.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.ctrld;
+
+  settingsFormat = pkgs.formats.toml { };
+  settingsFile = settingsFile.generate "ctrld-proxy-settings" cfg.settings;
+in
+{
+  options.services.ctrld = {
+    enable = lib.mkEnableOption "ctrld, a DNS forwarding proxy";
+    package = lib.mkPackageOption pkgs "ctrld" { };
+
+    settings = lib.mkOption {
+      type = settingsFormat.type;
+      description = ''
+        Settings to be used for the ctrld server.
+      '';
+      default = { };
+      example = lib.literalExpression ''
+        {
+          service = {
+            log_level = "info";
+            log_path = "";
+            cache_enable = true;
+            cache_size = 4096;
+            cache_ttl_override = 60;
+            cache_serve_stale = true;
+          };
+
+          "upstream.0" = {
+            bootstrap_ip = "76.76.2.11";
+            endpoint = "https://freedns.controld.com/p1";
+            name = "Control D - Anti-Malware";
+            timeout = 5000;
+            type = "doh";
+            ip_stack = "both";
+          };
+
+          "network.0" = {
+            cidrs = ["0.0.0.0/0"];
+            name = "Everyone";
+          };
+        }
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.ctrld = {
+      description = "Forwarding DNS proxy";
+      script = ''
+        ${lib.getExe' cfg.package "ctrld"} run --config ${settingsFile}
+      '';
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "default.target" ];
+
+      serviceConfig = {
+        User = "ctrld";
+        Group = "ctrld";
+        DynamicUser = true;
+
+        Restart = "on-failure";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+
+        # TODO: ProtectProc=?
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "full";
+        RestrictAddressFamilies = [
+          "AF_LOCAL"
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        SystemCallArchitectures = [ "native" ];
+        SystemCallFilter = [ "@system-service" ];
+      };
+    };
+  };
+}