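# NixOS module for doh-proxy-rust (https://github.com/jedisct1/doh-server).
# The service runs as a transient DynamicUser with an empty capability
# bounding set and a seccomp filter; user-supplied flags are shell-escaped
# before being interpolated into ExecStart.
{
  config,
  lib,
  pkgs,
  ...
}:
let

  cfg = config.services.doh-proxy-rust;

in
{

  options.services.doh-proxy-rust = {

    enable = lib.mkEnableOption "doh-proxy-rust";

    # Raw argv for doh-proxy. Each list element becomes exactly one argument
    # (see escapeShellArgs in ExecStart below), so a flag and its value must
    # be a single string, e.g. "--server-address=9.9.9.9:53".
    flags = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [ "--server-address=9.9.9.9:53" ];
      description = ''
        A list of command-line flags to pass to doh-proxy. For details on the
        available options, see <https://github.com/jedisct1/doh-server#usage>.
      '';
    };

  };

  config = lib.mkIf cfg.enable {
    systemd.services.doh-proxy-rust = {
      description = "doh-proxy-rust";
      # nss-lookup.target: the proxy presumably talks to an upstream resolver
      # (cf. the --server-address example), so start after name resolution is up.
      after = [
        "network.target"
        "nss-lookup.target"
      ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # escapeShellArgs quotes every flag individually, so a value containing
        # whitespace or quotes cannot split into extra arguments on the
        # systemd command line.
        ExecStart = "${pkgs.doh-proxy-rust}/bin/doh-proxy ${lib.escapeShellArgs cfg.flags}";
        Restart = "always";
        RestartSec = 10;
        # Transient unprivileged user. DynamicUser also implies PrivateTmp,
        # RemoveIPC, ProtectSystem=strict and ProtectHome=read-only.
        DynamicUser = true;

        # Hardening. With an empty bounding set the proxy cannot bind a
        # privileged port (< 1024): keep its default listen port, or put a
        # reverse proxy in front of it, rather than granting
        # CAP_NET_BIND_SERVICE.
        CapabilityBoundingSet = "";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        # IP sockets only: no AF_UNIX, AF_NETLINK or packet sockets.
        RestrictAddressFamilies = "AF_INET AF_INET6";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallErrorNumber = "EPERM";
        # Allow the @system-service group, then deny the privileged and
        # resource-limit subsets within it. Filtered calls fail with EPERM
        # (SystemCallErrorNumber) instead of killing the process.
        SystemCallFilter = [
          "@system-service"
          "~@privileged @resources"
        ];
        # Files the proxy creates (if any) are private to its user.
        UMask = "0077";
      };
    };
  };

  meta.maintainers = with lib.maintainers; [ stephank ];

}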