# NixOS module: runs doh-proxy (from pkgs.doh-proxy-rust) as a sandboxed
# systemd service. The only knobs are `enable` and a free-form `flags` list
# that is appended to the daemon's command line.
{ config, lib, pkgs, ... }:

let
  inherit (lib) escapeShellArgs mkEnableOption mkIf mkOption types;

  cfg = config.services.doh-proxy-rust;

  daemon = "${pkgs.doh-proxy-rust}/bin/doh-proxy";

  # systemd sandboxing applied to the unit.
  #
  # NOTE(review): PrivateDevices, ProtectKernelModules, ProtectKernelTunables
  # and ProtectControlGroups are not set here; `systemd-analyze security
  # doh-proxy-rust` lists what exposure remains.
  hardening = {
    # Empty set drops every capability, CAP_NET_BIND_SERVICE included, so the
    # daemon cannot bind ports below 1024 under default kernel settings.
    CapabilityBoundingSet = "";
    LockPersonality = true;
    # Refuses memory mappings that are writable and executable at once.
    MemoryDenyWriteExecute = true;
    NoNewPrivileges = true;
    ProtectClock = true;
    ProtectHome = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    RemoveIPC = true;
    # Only IPv4/IPv6 sockets may be created; AF_UNIX, AF_NETLINK and the rest
    # are refused.
    RestrictAddressFamilies = "AF_INET AF_INET6";
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    SystemCallArchitectures = "native";
    # Filtered syscalls fail with EPERM rather than killing the process.
    SystemCallErrorNumber = "EPERM";
    # Allow the @system-service baseline, then subtract the @privileged and
    # @resources groups from it.
    SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
  };
in
{
  options.services.doh-proxy-rust = {
    enable = mkEnableOption (lib.mdDoc "doh-proxy-rust");

    # These values are rendered into the unit file, which lives in the
    # world-readable Nix store: keep secrets out of the flag list.
    flags = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [ "--server-address=9.9.9.9:53" ];
      description = lib.mdDoc ''
        A list of command-line flags to pass to doh-proxy. For details on the
        available options, see <https://github.com/jedisct1/doh-server#usage>.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.doh-proxy-rust = {
      description = "doh-proxy-rust";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "nss-lookup.target" ];

      serviceConfig = {
        # Each flag is shell-quoted so it reaches the daemon as one argument.
        # NOTE(review): systemd, not a shell, parses this line, so `%`
        # specifiers in a flag value are still expanded (a literal percent
        # sign is written `%%`); utils.escapeSystemdExecArgs is the
        # systemd-aware alternative.
        ExecStart = "${daemon} ${escapeShellArgs cfg.flags}";
        Restart = "always";
        RestartSec = 10;
        # Runs under a transient unprivileged user allocated at start-up.
        DynamicUser = true;
      } // hardening;
    };
  };

  meta.maintainers = [ lib.maintainers.stephank ];
}