depot/nixos/modules/services/networking/microsocks.nix
Luke Granger-Brown 57725ef3ec Squashed 'third_party/nixpkgs/' content from commit 76612b17c0ce
git-subtree-dir: third_party/nixpkgs
git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
2024-11-10 23:59:47 +00:00

146 lines
4.4 KiB
Nix

{ config,
lib,
pkgs,
...
}:
let
cfg = config.services.microsocks;
cmd =
if cfg.execWrapper != null
then "${cfg.execWrapper} ${cfg.package}/bin/microsocks"
else "${cfg.package}/bin/microsocks";
args =
[ "-i" cfg.ip "-p" (toString cfg.port) ]
++ lib.optionals (cfg.authOnce) [ "-1" ]
++ lib.optionals (cfg.disableLogging) [ "-q" ]
++ lib.optionals (cfg.outgoingBindIp != null) [ "-b" cfg.outgoingBindIp ]
++ lib.optionals (cfg.authUsername != null) [ "-u" cfg.authUsername ];
in {
options.services.microsocks = {
enable = lib.mkEnableOption "Tiny, portable SOCKS5 server with very moderate resource usage";
user = lib.mkOption {
default = "microsocks";
description = "User microsocks runs as.";
type = lib.types.str;
};
group = lib.mkOption {
default = "microsocks";
description = "Group microsocks runs as.";
type = lib.types.str;
};
package = lib.mkPackageOption pkgs "microsocks" {};
ip = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = ''
IP on which microsocks should listen. Defaults to 127.0.0.1 for
security reasons.
'';
};
port = lib.mkOption {
type = lib.types.port;
default = 1080;
description = "Port on which microsocks should listen.";
};
disableLogging = lib.mkOption {
type = lib.types.bool;
default = false;
description = "If true, microsocks will not log any messages to stdout/stderr.";
};
authOnce = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
If true, once a specific ip address authed successfully with user/pass,
it is added to a whitelist and may use the proxy without auth.
'';
};
outgoingBindIp = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Specifies which ip outgoing connections are bound to";
};
authUsername = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "alice";
description = "Optional username to use for authentication.";
};
authPasswordFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
example = "/run/secrets/microsocks-password";
description = "Path to a file containing the password for authentication.";
};
execWrapper = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = ''
''${pkgs.mullvad-vpn}/bin/mullvad-exclude
'';
description = ''
An optional command to prepend to the microsocks command (such as proxychains, or a VPN exclude command).
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = (cfg.authUsername != null) == (cfg.authPasswordFile != null);
message = "Need to set both authUsername and authPasswordFile for microsocks";
}
];
users = {
users = lib.mkIf (cfg.user == "microsocks") {
microsocks = {
group = cfg.group;
isSystemUser = true;
};
};
groups = lib.mkIf (cfg.group == "microsocks") {
microsocks = {};
};
};
systemd.services.microsocks = {
enable = true;
description = "a tiny socks server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Restart = "on-failure";
RestartSec = 10;
LoadCredential = lib.optionalString (cfg.authPasswordFile != null) "MICROSOCKS_PASSWORD_FILE:${cfg.authPasswordFile}";
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
PrivateTmp = true;
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
RestrictSUIDSGID = true;
RestrictNamespaces = [
"cgroup"
"ipc"
"pid"
"user"
"uts"
];
};
script =
if cfg.authPasswordFile != null
then ''
PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/MICROSOCKS_PASSWORD_FILE")
${cmd} ${lib.escapeShellArgs args} -P "$PASSWORD"
''
else ''
${cmd} ${lib.escapeShellArgs args}
'';
};
};
}