From 60d435c2af86cc7076a7f887e949c08d16b5dfe3 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Sat, 19 Oct 2024 12:54:55 +0800
Subject: [PATCH] sin0: add ip-checker

---
 hosts/vultr/sin0/default.nix             |  1 +
 hosts/vultr/sin0/ports.nix               |  1 +
 hosts/vultr/sin0/services/ip-checker.nix | 53 ++++++++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 hosts/vultr/sin0/services/ip-checker.nix

diff --git a/hosts/vultr/sin0/default.nix b/hosts/vultr/sin0/default.nix
index ddc0770..7632191 100644
--- a/hosts/vultr/sin0/default.nix
+++ b/hosts/vultr/sin0/default.nix
@@ -5,6 +5,7 @@
     ./ports.nix
     ./services/telegram-bot/danbooru_img_bot.nix
+    ./services/ip-checker.nix
     ./services/redlib.nix
     ../../../nixos/profiles/sing-box-server
diff --git a/hosts/vultr/sin0/ports.nix b/hosts/vultr/sin0/ports.nix
index 2f8376b..7f5843e 100644
--- a/hosts/vultr/sin0/ports.nix
+++ b/hosts/vultr/sin0/ports.nix
@@ -1,5 +1,6 @@
 {
   lib.ports = {
     redlib = 8010;
+    ip-checker = 8020;
   };
 }
diff --git a/hosts/vultr/sin0/services/ip-checker.nix b/hosts/vultr/sin0/services/ip-checker.nix
new file mode 100644
index 0000000..d813c97
--- /dev/null
+++ b/hosts/vultr/sin0/services/ip-checker.nix
@@ -0,0 +1,53 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  config,
+  ...
+}:
+let
+  port = config.lib.ports.ip-checker;
+in
+{
+  systemd.services."ip-checker" = {
+    wantedBy = [ "multi-user.target" ];
+    environment.IP_CHECKER_LISTEN = "127.0.0.1:${toString port}";
+    serviceConfig = {
+      ExecStart = lib.getExe inputs.ip-checker.packages.${pkgs.stdenv.hostPlatform.system}.default;
+      WorkingDirectory = inputs.ip-checker;
+
+      CapabilityBoundingSet = "";
+      DynamicUser = true;
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallErrorNumber = "EPERM";
+      SystemCallFilter = "@system-service";
+      UMask = "0077";
+    };
+  };
+
+  services.caddy.settings.apps.http.servers.srv0.routes = lib.singleton {
+    match = lib.singleton { host = [ "ip.ny4.dev" ]; };
+    handle = lib.singleton {
+      handler = "reverse_proxy";
+      upstreams = lib.singleton { dial = "127.0.0.1:${toString port}"; };
+    };
+  };
+}
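Review bot: The serviceConfig hardening list has no `RestrictAddressFamilies`, although the unit only needs a loopback TCP listener (`IP_CHECKER_LISTEN = "127.0.0.1:${toString port}"`); adding `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` alongside `RestrictNamespaces` denies every other socket family to the process (include `"AF_UNIX"` only if the binary turns out to need nscd or another local socket). `WorkingDirectory = inputs.ip-checker;` points the service at the flake input's source tree rather than the built package, which is read-only under `ProtectSystem = "strict"`; a comment such as `# cwd is the input's source tree; presumably the binary serves assets relative to it — confirm` would record the intent, and the line should go if nothing depends on it. Since the upstream is reachable only via Caddy on loopback, the dial target is the only place that should be trusted for proxy headers like X-Forwarded-For; how ip-checker derives the client address is not visible here, so that is worth checking in the upstream project rather than assumed.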