From 837cfbb9ea65d9b0b3b8dcf4b511d528e2874166 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edward=20Tj=C3=B6rnhammar?= Date: Wed, 14 Jan 2015 22:08:19 +0100 Subject: [PATCH] nixos: adding nylon service with uid,gid --- nixos/modules/misc/ids.nix | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/services/networking/nylon.nix | 139 ++++++++++++++++++++ 3 files changed, 142 insertions(+) create mode 100644 nixos/modules/services/networking/nylon.nix diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index b5f9f5ca55a0..7bfbefb348f0 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -175,6 +175,7 @@ gitlab = 165; tox-bootstrapd = 166; cadvisor = 167; + nylon = 168; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -313,6 +314,7 @@ bosun = 161; kubernetes = 162; gitlab = 165; + nylon = 166; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 844fae536e95..bd9551fa1997 100755 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -263,6 +263,7 @@ ./services/networking/nsd.nix ./services/networking/ntopng.nix ./services/networking/ntpd.nix + ./services/networking/nylon.nix ./services/networking/oidentd.nix ./services/networking/openfire.nix ./services/networking/openntpd.nix diff --git a/nixos/modules/services/networking/nylon.nix b/nixos/modules/services/networking/nylon.nix new file mode 100644 index 000000000000..da6487dbd499 --- /dev/null +++ b/nixos/modules/services/networking/nylon.nix @@ -0,0 +1,139 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.nylon; + + homeDir = "/var/lib/nylon"; + + configFile = pkgs.writeText "nylon.conf" '' + [General] + No-Simultaneous-Conn=${toString cfg.nrConnections} + Log=${if cfg.logging then "1" else "0"} + Verbose=${if cfg.verbosity then "1" else "0"} + + [Server] + Binding-Interface=${cfg.acceptInterface} + Connecting-Interface=${cfg.bindInterface} + Port=${toString cfg.port} + Allow-IP=${concatStringsSep " " cfg.allowedIPRanges} + Deny-IP=${concatStringsSep " " cfg.deniedIPRanges} + ''; + +in + +{ + + ###### interface + + options = { + + services.nylon = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enables nylon as a running service upon activation. + ''; + }; + + nrConnections = mkOption { + type = types.int; + default = 10; + description = '' + The number of allowed simultaneous connections to the daemon, default 10. + ''; + }; + + logging = mkOption { + type = types.bool; + default = false; + description = '' + Enable logging, default is no logging. + ''; + }; + + verbosity = mkOption { + type = types.bool; + default = false; + description = '' + Enable verbose output, default is to not be verbose. + ''; + }; + + acceptInterface = mkOption { + type = types.string; + default = "lo"; + description = '' + Tell nylon which interface to listen for client requests on, default is "lo". + ''; + }; + + bindInterface = mkOption { + type = types.string; + default = "enp3s0f0"; + description = '' + Tell nylon which interface to use as an uplink, default is "enp3s0f0". + ''; + }; + + port = mkOption { + type = types.int; + default = 1080; + description = '' + What port to listen for client requests, default is 1080. + ''; + }; + + allowedIPRanges = mkOption { + type = with types; listOf string; + default = [ "192.168.0.0/16" "127.0.0.1/8" "172.16.0.1/12" "10.0.0.0/8" ]; + description = '' + Allowed client IP ranges are evaluated first, defaults to ARIN IPv4 private ranges: + [ "192.168.0.0/16" "127.0.0.0/8" "172.16.0.0/12" "10.0.0.0/8" ] + ''; + }; + + deniedIPRanges = mkOption { + type = with types; listOf string; + default = [ "0.0.0.0/0" ]; + description = '' + Denied client IP ranges, these gets evaluated after the allowed IP ranges, defaults to all IPv4 addresses: + [ "0.0.0.0/0" ] + To block all other access than the allowed. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + users.extraUsers.nylon= { + group = "nylon"; + description = "Nylon SOCKS Proxy"; + home = homeDir; + createHome = true; + uid = config.ids.uids.nylon; + }; + + users.extraGroups.nylon.gid = config.ids.gids.nylon; + + systemd.services.nylon = { + description = "Nylon, a lightweight SOCKS proxy server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = + { + User = "nylon"; + Group = "nylon"; + WorkingDirectory = homeDir; + ExecStart = "${pkgs.nylon}/bin/nylon -f -c ${configFile}"; + }; + }; + }; +}