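{ config, lib, pkgs, ... }:

with lib;

let

  # Short alias for this module's option tree.
  cfg = config.services.doh-proxy-rust;

in {

  options.services.doh-proxy-rust = {

    enable = mkEnableOption "doh-proxy-rust";

    flags = mkOption {
      type = types.listOf types.str;
      default = [];
      example = literalExample [ "--server-address=9.9.9.9:53" ];
      description = ''
        A list of command-line flags to pass to doh-proxy. For details on the
        available options, see <link xlink:href="https://github.com/jedisct1/doh-server#usage"/>.

        Each element is passed to the binary as a single, shell-escaped
        argument; no shell interpretation or word splitting takes place.

        The service runs with an empty capability bounding set, so a listen
        address on a privileged port (below 1024) will fail to bind unless
        the unit's <literal>CapabilityBoundingSet</literal> and
        <literal>AmbientCapabilities</literal> are extended with
        <literal>CAP_NET_BIND_SERVICE</literal> via
        <literal>systemd.services.doh-proxy-rust.serviceConfig</literal>.
      '';
    };

  };

  config = mkIf cfg.enable {
    systemd.services.doh-proxy-rust = {
      description = "doh-proxy-rust";
      after = [ "network.target" "nss-lookup.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # escapeShellArgs quotes every flag individually, so user-supplied
        # values cannot inject extra arguments or shell syntax.
        ExecStart = "${pkgs.doh-proxy-rust}/bin/doh-proxy ${escapeShellArgs cfg.flags}";
        Restart = "always";
        RestartSec = 10;
        # Run as a transient, unprivileged user allocated by systemd; the
        # process owns no persistent state on disk.
        DynamicUser = true;

        # Sandboxing. The daemon only needs to open IPv4/IPv6 sockets, so
        # every capability and most of the kernel surface can be dropped.
        CapabilityBoundingSet = "";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        # Explicit even though DynamicUser already implies it: the binary
        # and its config are read-only to the service.
        ProtectSystem = "strict";
        RemoveIPC = true;
        # Only network sockets; no AF_UNIX, AF_NETLINK or AF_PACKET.
        RestrictAddressFamilies = "AF_INET AF_INET6";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # Filtered syscalls fail with EPERM rather than killing the process,
        # so an unexpected call surfaces as an error instead of a crash loop.
        SystemCallErrorNumber = "EPERM";
        # Allow the generic service set, then carve out privileged and
        # resource-control syscalls (one assignment, both groups denied).
        SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
      };
    };
  };

  meta.maintainers = with maintainers; [ stephank ];

}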