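{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.g3proxy;

  inherit (lib)
    mkPackageOption
    mkEnableOption
    mkOption
    mkIf
    literalExpression
    ;

  # g3proxy reads a YAML configuration file; `settingsFormat.generate` (used
  # in ExecStart below) renders `cfg.settings` into such a file in the Nix store.
  settingsFormat = pkgs.formats.yaml { };
in
{
  options.services.g3proxy = {
    enable = mkEnableOption "g3proxy, a generic purpose forward proxy";

    package = mkPackageOption pkgs "g3proxy" { };

    settings = mkOption {
      type = settingsFormat.type;
      default = { };
      example = literalExpression ''
        {
          server = [{
            name = "test";
            escaper = "default";
            type = "socks_proxy";
            listen = {
              address = "[::]:10086";
            };
          }];
        }
      '';
      description = ''
        Settings of g3proxy. They are rendered to a YAML configuration file
        that is handed to the daemon via `--config-file`; refer to the
        upstream g3proxy documentation for the available keys.

        The generated file lives in the Nix store and is therefore readable
        by every user on the system. Do not put credentials (proxy
        authentication secrets, TLS private keys, and the like) in this
        option.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.g3proxy = {
      description = "g3proxy server";
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart =
          let
            # Rendered at evaluation time into the (world-readable) Nix store;
            # this is why the option description warns against secrets.
            g3proxy-yaml = settingsFormat.generate "g3proxy.yaml" cfg.settings;
          in
          "${lib.getExe cfg.package} --config-file ${g3proxy-yaml}";

        # Persistent state under /var/lib/g3proxy and runtime data under
        # /run/g3proxy, both created by systemd and owned by the dynamic user.
        WorkingDirectory = "/var/lib/g3proxy";
        StateDirectory = "g3proxy";
        RuntimeDirectory = "g3proxy";
        DynamicUser = true;

        # Sandboxing. The daemon runs as a non-root dynamic user inside its own
        # user namespace (PrivateUsers) with no AmbientCapabilities, so it has
        # no capabilities: listeners must use unprivileged ports (>= 1024) and
        # any feature that would need e.g. CAP_NET_ADMIN is unavailable.
        #
        # NOTE(review): the runtime directory is world-traversable (0755)
        # while UMask keeps files created inside it owner-only — presumably
        # so that other users can reach a socket placed there; confirm against
        # how g3proxy actually uses /run/g3proxy before relaxing or tightening.
        RuntimeDirectoryMode = "0755";
        PrivateTmp = true;
        DevicePolicy = "closed";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateUsers = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectSystem = "strict";
        ProcSubset = "pid";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RemoveIPC = true;
        SystemCallArchitectures = "native";
        UMask = "0077";
        # Only the address families a forward proxy needs to listen and connect.
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ];
        RestrictSUIDSGID = true;
        # NOTE(review): no SystemCallFilter is set. `@system-service` minus
        # `@privileged`/`@resources` is the usual next hardening step, but it
        # should be validated against a running instance before being added.
      };
    };
  };
}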