nixos/modules/services/networking/squid.nix at 18.03-beta · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / networking / squid.nix
at 18.03-beta 4.8 kB view raw
  1{ config, lib, pkgs, ... }:
  2
  3with lib;
  4
  5let
  6
  7  cfg = config.services.squid;
  8
  9
 10  squidConfig = pkgs.writeText "squid.conf"
 11    (if cfg.configText != null then cfg.configText else
 12    ''
 13    #
 14    # Recommended minimum configuration (3.5):
 15    #
 16
 17    # Example rule allowing access from your local networks.
 18    # Adapt to list your (internal) IP networks from where browsing
 19    # should be allowed
 20    acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
 21    acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
 22    acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
 23    acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
 24    acl localnet src fc00::/7       # RFC 4193 local private network range
 25    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
 26
 27    acl SSL_ports port 443          # https
 28    acl Safe_ports port 80          # http
 29    acl Safe_ports port 21          # ftp
 30    acl Safe_ports port 443         # https
 31    acl Safe_ports port 70          # gopher
 32    acl Safe_ports port 210         # wais
 33    acl Safe_ports port 1025-65535  # unregistered ports
 34    acl Safe_ports port 280         # http-mgmt
 35    acl Safe_ports port 488         # gss-http
 36    acl Safe_ports port 591         # filemaker
 37    acl Safe_ports port 777         # multiling http
 38    acl CONNECT method CONNECT
 39
 40    #
 41    # Recommended minimum Access Permission configuration:
 42    #
 43    # Deny requests to certain unsafe ports
 44    http_access deny !Safe_ports
 45
 46    # Deny CONNECT to other than secure SSL ports
 47    http_access deny CONNECT !SSL_ports
 48
 49    # Only allow cachemgr access from localhost
 50    http_access allow localhost manager
 51    http_access deny manager
 52
 53    # We strongly recommend the following be uncommented to protect innocent
 54    # web applications running on the proxy server who think the only
 55    # one who can access services on "localhost" is a local user
 56    http_access deny to_localhost
 57
 58    # Application logs to syslog, access and store logs have specific files
 59    cache_log       syslog
 60    access_log      stdio:/var/log/squid/access.log
 61    cache_store_log stdio:/var/log/squid/store.log
 62
 63    # Required by systemd service
 64    pid_filename    /run/squid.pid
 65
 66    # Run as user and group squid
 67    cache_effective_user squid squid
 68
 69    #
 70    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 71    #
 72    ${cfg.extraConfig}
 73
 74    # Example rule allowing access from your local networks.
 75    # Adapt localnet in the ACL section to list your (internal) IP networks
 76    # from where browsing should be allowed
 77    http_access allow localnet
 78    http_access allow localhost
 79
 80    # And finally deny all other access to this proxy
 81    http_access deny all
 82
 83    # Squid normally listens to port 3128
 84    http_port ${toString cfg.proxyPort}
 85
 86    # Leave coredumps in the first cache dir
 87    coredump_dir /var/cache/squid
 88
 89    #
 90    # Add any of your own refresh_pattern entries above these.
 91    #
 92    refresh_pattern ^ftp:           1440    20%     10080
 93    refresh_pattern ^gopher:        1440    0%      1440
 94    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
 95    refresh_pattern .               0       20%     4320
 96  '');
 97
 98in
 99
100{
101
102  options = {
103
104    services.squid = {
105
106      enable = mkOption {
107        type = types.bool;
108        default = false;
109        description = "Whether to run squid web proxy.";
110      };
111
112      proxyPort = mkOption {
113        type = types.int;
114        default = 3128;
115        description = "TCP port on which squid will listen.";
116      };
117
118      extraConfig = mkOption {
119        type = types.lines;
120        default = "";
121        description = ''
122          Squid configuration. Contents will be added
123          verbatim to the configuration file.
124        '';
125      };
126
127      configText = mkOption {
128        type = types.nullOr types.lines;
129        default = null;
130        description = ''
131          Verbatim contents of squid.conf. If null (default), use the
132          autogenerated file from NixOS instead.
133        '';
134      };
135
136    };
137
138  };
139
140  config = mkIf cfg.enable {
141
142    users.users.squid = {
143      isSystemUser = true;
144      group = "squid";
145      home = "/var/cache/squid";
146      createHome = true;
147    };
148
149    users.groups.squid = {};
150
151    systemd.services.squid = {
152      description = "Squid caching web proxy";
153      after = [ "network.target" "nss-lookup.target" ];
154      wantedBy = [ "multi-user.target"];
155      preStart = ''
156        mkdir -p "/var/log/squid"
157        chown squid:squid "/var/log/squid"
158      '';
159      serviceConfig = {
160        Type="forking";
161        PIDFile="/run/squid.pid";
162        PermissionsStartOnly = true;
163        ExecStart  = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}";
164      };
165    };
166
167  };
168
169}