Wstunnel

services.wstunnel.clients

wstunnel clients to set up. Type: attribute set of (submodule)

Default

{ }

Example

{
  wg-tunnel = {
    connectTo = "wss://wstunnel.server.com:8443";
    localToRemote = [
      "tcp://1212:google.com:443"
      "tcp://2:n.lan:4?proxy_protocol"
    ];
    remoteToLocal = [
      "socks5://[::1]:1212"
      "unix://wstunnel.sock:g.com:443"
    ];
  };
}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.addNetBind

Whether to add CAP_NET_BIND_SERVICE to the tunnel service. Enable this if you want to bind to a port below 1024. Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.autoStart

Whether to enable starting this wstunnel instance automatically. Type: boolean

Default

true

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.connectTo

Server address and port to connect to. Type: string

Example

"https://wstunnel.server.com:8443"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.customHeaders

Custom HTTP headers to send during the upgrade request. Type: attribute set of string

Default

{ }

Example

{ X-Some-Header = "some-value"; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.enable

Whether to enable this wstunnel instance. Type: boolean

Default

true

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.environmentFile

Environment file to be passed to the systemd service. Useful for passing secrets to the service to prevent them from being world-readable in the Nix store. Note however that the secrets are passed to wstunnel through the command line, which makes them locally readable for all users of the system at runtime.

Type: null or path

Default

null

Example

"/var/lib/secrets/wstunnelSecrets"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.extraArgs

Extra command line arguments to pass to wstunnel. Attributes of the form argName = true; will be translated to --argName, and argName = "value" to --argName value.

Type: attribute set of (string or boolean)

Default

{ }

Example

{ someNewOption = true; someNewOptionWithValue = "someValue"; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.httpProxy

Proxy to use to connect to the wstunnel server (USER:PASS@HOST:PORT).

Warning: Passwords specified here will be world-readable in the Nix store! To pass a password to the service, point the environmentFile option to a file containing PROXY_PASSWORD=<your-password-here> and set this option to <user>:$PROXY_PASSWORD@<host>:<port>. Note however that this will also locally leak the passwords at runtime via e.g. /proc/<pid>/cmdline.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.localToRemote

Listens on the local side and forwards traffic from the remote. Type: list of string

Default

[ ]

Example

[ "tcp://1212:google.com:443" "unix:///tmp/wstunnel.sock:g.com:443" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.loggingLevel

Passed to --log-lvl

Controls the log verbosity: TRACE, DEBUG, INFO, WARN, ERROR, OFF. For more details, check out EnvFilter.

Type: null or string

Default

null

Example

"INFO"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.package

The wstunnel package to use. Type: package

Default

pkgs.wstunnel

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.remoteToLocal

Listens on the remote side and forwards traffic from the local side. Only tcp is supported. Type: list of string

Default

[ ]

Example

[ "tcp://1212:google.com:443" "unix://wstunnel.sock:g.com:443" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.soMark

Mark network packets with the SO_MARK sockoption with the specified value. Setting this option will also enable the required CAP_NET_ADMIN capability for the systemd service.

Type: null or (unsigned integer, meaning >=0)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.tlsSNI

Use this as the SNI while connecting via TLS. Useful for circumventing hostname-based firewalls. Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.tlsVerifyCertificate

Whether to verify the TLS certificate of the server. It might be useful to set this to false when working with the tlsSNI option. Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.upgradeCredentials

Use these credentials to authenticate during the HTTP upgrade request (Basic authorization type, USER:[PASS]).

Warning: Passwords specified here will be world-readable in the Nix store! To pass a password to the service, point the environmentFile option to a file containing HTTP_PASSWORD=<your-password-here> and set this option to <user>:$HTTP_PASSWORD. Note however that this will also locally leak the passwords at runtime via e.g. /proc/<pid>/cmdline.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix
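
The httpProxy and upgradeCredentials warnings above, put together as one client definition. This is an added example, not taken from the nixpkgs module; the user names, the proxy host and port, and the suggested file permissions are assumptions, and the passwords are placeholders.

```nix
{
  services.wstunnel = {
    enable = true;

    clients.wg-tunnel = {
      connectTo = "wss://wstunnel.server.com:8443";
      localToRemote = [ "tcp://1212:google.com:443" ];

      # Secrets file kept outside the Nix store. Assumed here to be owned by
      # root with mode 0600. Constructed contents (placeholders):
      #   HTTP_PASSWORD=<your-password-here>
      #   PROXY_PASSWORD=<your-password-here>
      # Written as a quoted string, as in the page's example: an unquoted Nix
      # path literal can be copied into the world-readable store when it is
      # interpolated into a string.
      environmentFile = "/var/lib/secrets/wstunnelSecrets";

      # Only the variable references end up in the Nix store; the values are
      # filled in from environmentFile when the service starts.
      # "tunnel-user", "proxy-user" and "proxy.example.com:3128" are
      # hypothetical.
      upgradeCredentials = "tunnel-user:$HTTP_PASSWORD";
      httpProxy = "proxy-user:$PROXY_PASSWORD@proxy.example.com:3128";

      # Weak form, shown for contrast: the literal password would be stored
      # world-readable in the Nix store.
      # upgradeCredentials = "tunnel-user:<your-password-here>";

      # Residual exposure described in the warnings above: the expanded
      # values are passed on the command line, so local users can still read
      # them at runtime via /proc/<pid>/cmdline.
    };
  };
}
```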

services.wstunnel.clients.<name>.upgradePathPrefix

Use a specific HTTP path prefix that will show up in the upgrade request to the wstunnel server. Useful when running wstunnel behind a reverse proxy.

Type: null or string

Default

null

Example

"wstunnel"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.clients.<name>.websocketPingInterval

Frequency at which the client sends websocket pings to the server. Type: null or (unsigned integer, meaning >=0)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.enable

Whether to enable wstunnel. Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers

wstunnel servers to set up. Type: attribute set of (submodule)

Default

{ }

Example

{
  wg-tunnel = {
    enableHTTPS = true;
    listen = {
      host = "0.0.0.0";
      port = 8080;
    };
    restrictTo = [
      {
        host = "127.0.0.1";
        port = 51820;
      }
    ];
    tlsCertificate = "/var/lib/secrets/fullchain.pem";
    tlsKey = "/var/lib/secrets/key.pem";
  };
}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.autoStart

Whether to enable starting this wstunnel instance automatically. Type: boolean

Default

true

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.enable

Whether to enable this wstunnel instance. Type: boolean

Default

true

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.enableHTTPS

Use HTTPS for the tunnel server. Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.environmentFile

Environment file to be passed to the systemd service. Useful for passing secrets to the service to prevent them from being world-readable in the Nix store. Note however that the secrets are passed to wstunnel through the command line, which makes them locally readable for all users of the system at runtime.

Type: null or path

Default

null

Example

"/var/lib/secrets/wstunnelSecrets"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.extraArgs

Extra command line arguments to pass to wstunnel. Attributes of the form argName = true; will be translated to --argName, and argName = "value" to --argName value.

Type: attribute set of (string or boolean)

Default

{ }

Example

{ someNewOption = true; someNewOptionWithValue = "someValue"; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.listen

Address and port to listen on. Setting the port to a value below 1024 will also give the process the required CAP_NET_BIND_SERVICE capability.

Type: submodule

Default

{ host = "0.0.0.0"; port = if enableHTTPS then 443 else 80; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.listen.host

The hostname. Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.listen.port

The port. Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.loggingLevel

Passed to --log-lvl

Controls the log verbosity: TRACE, DEBUG, INFO, WARN, ERROR, OFF. For more details, check out EnvFilter.

Type: null or string

Default

null

Example

"INFO"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.package

The wstunnel package to use. Type: package

Default

pkgs.wstunnel

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.restrictTo

Accepted traffic will be forwarded only to this service.

Type: list of (submodule)

Default

[ ]

Example

[ { host = "127.0.0.1"; port = 51820; } ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.restrictTo.*.host

The hostname. Type: string

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.restrictTo.*.port

The port. Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.tlsCertificate

TLS certificate to use instead of the hardcoded one in case of HTTPS connections. Use together with tlsKey.

Type: null or path

Default

null

Example

"/var/lib/secrets/cert.pem"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.tlsKey

TLS key to use instead of the hardcoded one in case of HTTPS connections. Use together with tlsCertificate.

Type: null or path

Default

null

Example

"/var/lib/secrets/key.pem"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix

services.wstunnel.servers.<name>.useACMEHost

Use a certificate generated by the NixOS ACME module for the given host. Note that this will not generate a new certificate - you will need to do so with security.acme.certs.

Type: null or string

Default

null

Example

"example.com"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/wstunnel.nix