Commit f0652b5d authored by Raito Bezarius's avatar Raito Bezarius

nixos/services/networking/g3proxy: init



This adds a simple hardened systemd-based module for g3proxy, a general-purpose
forward proxy.

Change-Id: I8c6e5d2cc8a9faa2aea8c5df3af56756ffed542d
Signed-off-by: default avatarRaito Bezarius <masterancpp@gmail.com>
Co-authored-by: default avatarElias Coppens <elias.coppens@ens.fr>
parent b8165b6b
+2 −0
@@ -133,6 +133,8 @@

- [PowerStation](https://github.com/ShadowBlip/PowerStation/), an open source TDP control and performance daemon with DBus interface for Linux. Available as [services.powerstation](#opt-services.powerstation.enable).

- [`g3proxy`](https://github.com/bytedance/g3), an open source enterprise forward proxy from ByteDance, similar to Squid or tinyproxy. Available as [services.g3proxy](#opt-services.g3proxy.enable).

- [echoip](https://github.com/mpolden/echoip), a simple service for looking up your IP address. Available as [services.echoip](#opt-services.echoip.enable).

- [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](option.html#opt-services.buffyboard).
+1 −0
@@ -1266,6 +1266,7 @@
  ./services/networking/spacecookie.nix
  ./services/networking/spiped.nix
  ./services/networking/squid.nix
  ./services/networking/g3proxy.nix
  ./services/networking/ssh/sshd.nix
  ./services/networking/sslh.nix
  ./services/networking/strongswan-swanctl/module.nix
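Review bot: `./services/networking/g3proxy.nix` is inserted after `squid.nix`, which breaks the alphabetical order the surrounding entries (`spacecookie`, `spiped`, `squid`, `ssh`, `sslh`, `strongswan-swanctl`) follow. Move the line up among the `g…` entries of `./services/networking/` so the list stays sorted and later additions do not conflict at this spot.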
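--- /dev/null
+++ b/services/networking/g3proxy.nix
@@ -0,0 +1,92 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.g3proxy;
+
+  inherit (lib)
+    mkPackageOption
+    mkEnableOption
+    mkOption
+    mkIf
+    literalExpression
+    ;
+
+  settingsFormat = pkgs.formats.yaml { };
+in
+{
+  options.services.g3proxy = {
+    enable = mkEnableOption "g3proxy, a generic purpose forward proxy";
+
+    package = mkPackageOption pkgs "g3proxy" { };
+
+    settings = mkOption {
+      type = settingsFormat.type;
+      default = { };
+      example = literalExpression ''
+        {
+          server = [{
+            name = "test";
+            escaper = "default";
+            type = "socks_proxy";
+            listen = {
+              address = "[::]:10086";
+            };
+          }];
+        }
+      '';
+      description = ''
+        Settings of g3proxy.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.g3proxy = {
+      description = "g3proxy server";
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        ExecStart =
+          let
+            g3proxy-yaml = settingsFormat.generate "g3proxy.yaml" cfg.settings;
+          in
+          "${lib.getExe cfg.package} --config-file ${g3proxy-yaml}";
+
+        WorkingDirectory = "/var/lib/g3proxy";
+        StateDirectory = "g3proxy";
+        RuntimeDirectory = "g3proxy";
+        DynamicUser = true;
+
+        RuntimeDirectoryMode = "0755";
+        PrivateTmp = true;
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateUsers = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        ProtectSystem = "strict";
+        ProcSubset = "pid";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RemoveIPC = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+        RestrictAddressFamilies = [
+          "AF_UNIX"
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictSUIDSGID = true;
+      };
+    };
+  };
+}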
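Review bot: `settings` is rendered by `settingsFormat.generate` into the Nix store (the `g3proxy-yaml` binding in `ExecStart`), so any credentials a deployment puts there, such as upstream-proxy or user-auth passwords if the configuration uses them, end up world-readable under `/nix/store`; the option's `description` should state this, e.g. `Settings of g3proxy. They are written to the world-readable Nix store, so do not place secrets in this option.` The commit message calls the unit hardened, yet the `serviceConfig` sets neither `CapabilityBoundingSet = "";` nor a `SystemCallFilter = [ "@system-service" "~@privileged" ];`, which the `Protect*`/`Restrict*` settings present here are normally paired with in NixOS modules. `PrivateUsers = true` together with `DynamicUser = true` also means the proxy effectively cannot bind ports below 1024 (capabilities only apply inside the user namespace), which is fine for the example's `[::]:10086` but deserves a one-line comment next to `PrivateUsers` for users expecting to listen on 80 or 443. Finally, with `default = { }` the unit launches g3proxy on an empty YAML document; if the daemon refuses to start without at least one `server` entry, an assertion on `cfg.settings` would give a clearer error than a failing service.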