pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / networking / squid.nix
at 25.11-pre 6.1 kB view raw
1{ 2 config, 3 lib, 4 pkgs, 5 ... 6}: 7 8with lib; 9 10let 11 12 cfg = config.services.squid; 13 14 configWriter = 15 if cfg.validateConfig then 16 ( 17 content: 18 pkgs.writers.makeScriptWriter { 19 check = "${cfg.package}/bin/squid -k parse -f"; 20 interpreter = "${cfg.package}/bin/squid"; 21 } "squid.conf" content 22 ) 23 else 24 (content: pkgs.writeText "squid.conf" content); 25 26 squidConfig = configWriter ( 27 if cfg.configText != null then 28 cfg.configText 29 else 30 '' 31 # 32 # Recommended minimum configuration (3.5): 33 # 34 35 # Example rule allowing access from your local networks. 36 # Adapt to list your (internal) IP networks from where browsing 37 # should be allowed 38 acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network 39 acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network 40 acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network 41 acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines 42 acl localnet src fc00::/7 # RFC 4193 local private network range 43 acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines 44 45 acl SSL_ports port 443 # https 46 acl Safe_ports port 80 # http 47 acl Safe_ports port 21 # ftp 48 acl Safe_ports port 443 # https 49 acl Safe_ports port 70 # gopher 50 acl Safe_ports port 210 # wais 51 acl Safe_ports port 1025-65535 # unregistered ports 52 acl Safe_ports port 280 # http-mgmt 53 acl Safe_ports port 488 # gss-http 54 acl Safe_ports port 591 # filemaker 55 acl Safe_ports port 777 # multiling http 56 acl CONNECT method CONNECT 57 58 # 59 # Recommended minimum Access Permission configuration: 60 # 61 # Deny requests to certain unsafe ports 62 http_access deny !Safe_ports 63 64 # Deny CONNECT to other than secure SSL ports 65 http_access deny CONNECT !SSL_ports 66 67 # Only allow cachemgr access from localhost 68 http_access allow localhost manager 69 http_access deny manager 70 71 # We strongly recommend the following be uncommented to protect innocent 72 # web applications running on the proxy server who think the only 73 # one who can access services on "localhost" is a local user 74 http_access deny to_localhost 75 76 # Application logs to syslog, access and store logs have specific files 77 cache_log stdio:/var/log/squid/cache.log 78 access_log stdio:/var/log/squid/access.log 79 cache_store_log stdio:/var/log/squid/store.log 80 81 # Required by systemd service 82 pid_filename /run/squid.pid 83 84 # Run as user and group squid 85 cache_effective_user squid squid 86 87 # 88 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS 89 # 90 ${cfg.extraConfig} 91 92 # Example rule allowing access from your local networks. 93 # Adapt localnet in the ACL section to list your (internal) IP networks 94 # from where browsing should be allowed 95 http_access allow localnet 96 http_access allow localhost 97 98 # And finally deny all other access to this proxy 99 http_access deny all 100 101 # Squid normally listens to port 3128 102 http_port ${ 103 optionalString (cfg.proxyAddress != null) "${cfg.proxyAddress}:" 104 }${toString cfg.proxyPort} 105 106 # Leave coredumps in the first cache dir 107 coredump_dir /var/cache/squid 108 109 # 110 # Add any of your own refresh_pattern entries above these. 111 # 112 refresh_pattern ^ftp: 1440 20% 10080 113 refresh_pattern ^gopher: 1440 0% 1440 114 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 115 refresh_pattern . 0 20% 4320 116 '' 117 ); 118 119in 120 121{ 122 123 options = { 124 125 services.squid = { 126 127 enable = mkOption { 128 type = types.bool; 129 default = false; 130 description = "Whether to run squid web proxy."; 131 }; 132 133 validateConfig = mkOption { 134 type = types.bool; 135 default = true; 136 description = "Validate config syntax."; 137 }; 138 139 package = mkPackageOption pkgs "squid" { }; 140 141 proxyAddress = mkOption { 142 type = types.nullOr types.str; 143 default = null; 144 description = "IP address on which squid will listen."; 145 }; 146 147 proxyPort = mkOption { 148 type = types.int; 149 default = 3128; 150 description = "TCP port on which squid will listen."; 151 }; 152 153 extraConfig = mkOption { 154 type = types.lines; 155 default = ""; 156 description = '' 157 Squid configuration. Contents will be added 158 verbatim to the configuration file. 159 ''; 160 }; 161 162 configText = mkOption { 163 type = types.nullOr types.lines; 164 default = null; 165 description = '' 166 Verbatim contents of squid.conf. If null (default), use the 167 autogenerated file from NixOS instead. 168 ''; 169 }; 170 171 }; 172 173 }; 174 175 config = mkIf cfg.enable { 176 177 users.users.squid = { 178 isSystemUser = true; 179 group = "squid"; 180 home = "/var/cache/squid"; 181 createHome = true; 182 }; 183 184 users.groups.squid = { }; 185 186 systemd.services.squid = { 187 description = "Squid caching proxy"; 188 documentation = [ "man:squid(8)" ]; 189 after = [ 190 "network.target" 191 "nss-lookup.target" 192 ]; 193 wantedBy = [ "multi-user.target" ]; 194 preStart = '' 195 mkdir -p "/var/log/squid" 196 chown squid:squid "/var/log/squid" 197 ${cfg.package}/bin/squid --foreground -z -f ${squidConfig} 198 ''; 199 serviceConfig = { 200 PIDFile = "/run/squid.pid"; 201 ExecStart = "${cfg.package}/bin/squid --foreground -YCs -f ${squidConfig}"; 202 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; 203 KillMode = "mixed"; 204 NotifyAccess = "all"; 205 }; 206 }; 207 208 }; 209 210}