
This adds a simple hardened systemd-based module for g3proxy, a generic purpose forward proxy. Change-Id: I8c6e5d2cc8a9faa2aea8c5df3af56756ffed542d Signed-off-by: Raito Bezarius <masterancpp@gmail.com> Co-authored-by: Elias Coppens <elias.coppens@ens.fr>
# NixOS module for g3proxy: declares `services.g3proxy.{enable,package,settings}`
# and, when enabled, a sandboxed systemd unit that runs the proxy against a
# YAML file rendered from `settings`.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib)
    literalExpression
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    ;

  cfg = config.services.g3proxy;

  yamlFormat = pkgs.formats.yaml { };

  # Rendered configuration handed to the daemon via --config-file.
  # The generated file is a Nix store path, and the store is world-readable:
  # anything placed in `settings` (credentials, private keys) is visible to
  # every local user and ends up in any closure copied to other hosts.
  configFile = yamlFormat.generate "g3proxy.yaml" cfg.settings;
in
{
  options.services.g3proxy = {
    enable = mkEnableOption "g3proxy, a generic purpose forward proxy";

    package = mkPackageOption pkgs "g3proxy" { };

    settings = mkOption {
      type = yamlFormat.type;
      default = { };
      # NOTE(review): the example listens on every interface ("[::]") and
      # shows no user or ACL settings; a real deployment should bind to the
      # intended address or configure access control in g3proxy, otherwise
      # the host acts as an open proxy for anyone who can reach the port.
      example = literalExpression ''
        {
          server = [{
            name = "test";
            escaper = "default";
            type = "socks_proxy";
            listen = {
              address = "[::]:10086";
            };
          }];
        }
      '';
      description = ''
        Settings of g3proxy.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.g3proxy = {
      description = "g3proxy server";
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart = "${lib.getExe cfg.package} --config-file ${configFile}";

        # Identity and writable state. DynamicUser allocates a transient
        # unprivileged user; the state and runtime directories below are
        # the only writable locations granted under ProtectSystem=strict.
        DynamicUser = true;
        StateDirectory = "g3proxy";
        WorkingDirectory = "/var/lib/g3proxy";
        RuntimeDirectory = "g3proxy";
        # The runtime directory itself is world-traversable (0755), while
        # UMask 0077 makes files the service creates owner-only by default.
        RuntimeDirectoryMode = "0755";
        UMask = "0077";

        # Filesystem and device view.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        DevicePolicy = "closed";
        ProcSubset = "pid";

        # Kernel and host surfaces.
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;

        # Process-level restrictions.
        # NOTE(review): with PrivateUsers the process holds no capabilities
        # on the host, so listeners on ports below 1024 are expected to fail
        # to bind; confirm before configuring such a port in `settings`.
        PrivateUsers = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";

        # Only local sockets and IPv4/IPv6 are permitted; netlink, packet
        # and other address families are denied.
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ];

        # NOTE(review): no SystemCallFilter or CapabilityBoundingSet is set
        # in this unit; `systemd-analyze security g3proxy` reports what
        # exposure remains.
      };
    };
  };
}