lol

squid service: intial service based on default config

+170
+1
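--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -508,6 +508,7 @@
   ./services/networking/smokeping.nix
   ./services/networking/softether.nix
   ./services/networking/spiped.nix
+  ./services/networking/squid.nix
   ./services/networking/sslh.nix
   ./services/networking/ssh/lshd.nix
   ./services/networking/ssh/sshd.nix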
+169
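--- /dev/null
+++ b/nixos/modules/services/networking/squid.nix
@@ -0,0 +1,169 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.squid;
+
+
+  squidConfig = pkgs.writeText "squid.conf"
+    (if cfg.configText != null then cfg.configText else
+    ''
+    #
+    # Recommended minimum configuration (3.5):
+    #
+
+    # Example rule allowing access from your local networks.
+    # Adapt to list your (internal) IP networks from where browsing
+    # should be allowed
+    acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
+    acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
+    acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
+    acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
+    acl localnet src fc00::/7       # RFC 4193 local private network range
+    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+
+    acl SSL_ports port 443          # https
+    acl Safe_ports port 80          # http
+    acl Safe_ports port 21          # ftp
+    acl Safe_ports port 443         # https
+    acl Safe_ports port 70          # gopher
+    acl Safe_ports port 210         # wais
+    acl Safe_ports port 1025-65535  # unregistered ports
+    acl Safe_ports port 280         # http-mgmt
+    acl Safe_ports port 488         # gss-http
+    acl Safe_ports port 591         # filemaker
+    acl Safe_ports port 777         # multiling http
+    acl CONNECT method CONNECT
+
+    #
+    # Recommended minimum Access Permission configuration:
+    #
+    # Deny requests to certain unsafe ports
+    http_access deny !Safe_ports
+
+    # Deny CONNECT to other than secure SSL ports
+    http_access deny CONNECT !SSL_ports
+
+    # Only allow cachemgr access from localhost
+    http_access allow localhost manager
+    http_access deny manager
+
+    # We strongly recommend the following be uncommented to protect innocent
+    # web applications running on the proxy server who think the only
+    # one who can access services on "localhost" is a local user
+    http_access deny to_localhost
+
+    # Application logs to syslog, access and store logs have specific files
+    cache_log syslog
+    access_log stdio:/var/log/squid/access.log
+    cache_store_log stdio:/var/log/squid/store.log
+
+    # Required by systemd service
+    pid_filename /run/squid.pid
+
+    # Run as user and group squid
+    cache_effective_user squid squid
+
+    #
+    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+    #
+    ${cfg.extraConfig}
+
+    # Example rule allowing access from your local networks.
+    # Adapt localnet in the ACL section to list your (internal) IP networks
+    # from where browsing should be allowed
+    http_access allow localnet
+    http_access allow localhost
+
+    # And finally deny all other access to this proxy
+    http_access deny all
+
+    # Squid normally listens to port 3128
+    http_port ${toString cfg.proxyPort}
+
+    # Leave coredumps in the first cache dir
+    coredump_dir /var/cache/squid
+
+    #
+    # Add any of your own refresh_pattern entries above these.
+    #
+    refresh_pattern ^ftp:           1440    20%     10080
+    refresh_pattern ^gopher:        1440    0%      1440
+    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
+    refresh_pattern .               0       20%     4320
+    '');
+
+in
+
+{
+
+  options = {
+
+    services.squid = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to run squid web proxy.";
+      };
+
+      proxyPort = mkOption {
+        type = types.int;
+        default = 3128;
+        description = "TCP port on which squid will listen.";
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Squid configuration. Contents will be added
+          verbatim to the configuration file.
+        '';
+      };
+
+      configText = mkOption {
+        type = types.nullOr types.lines;
+        default = null;
+        description = ''
+          Verbatim contents of squid.conf. If null (default), use the
+          autogenerated file from NixOS instead.
+        '';
+      };
+
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    users.users.squid = {
+      isSystemUser = true;
+      group = "squid";
+      home = "/var/cache/squid";
+      createHome = true;
+    };
+
+    users.groups.squid = {};
+
+    systemd.services.squid = {
+      description = "Squid caching web proxy";
+      after = [ "network.target" "nss-lookup.target" ];
+      wantedBy = [ "multi-user.target"];
+      preStart = ''
+        mkdir -p "/var/log/squid"
+        chown squid:squid "/var/log/squid"
+      '';
+      serviceConfig = {
+        Type="forking";
+        PIDFile="/run/squid.pid";
+        PermissionsStartOnly = true;
+        ExecStart = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}";
+      };
+    };
+
+  };
+
+}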
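Review bot: With the defaults, `http_port ${toString cfg.proxyPort}` is given no bind address and `http_access allow localnet` admits every RFC 1918 and link-local source, so enabling the module on a host with a LAN-facing interface yields a proxy usable by any machine on that LAN as soon as the port is reachable, and none of the option descriptions mention it. I would say so on `enable`: `description = "Whether to run squid web proxy. The generated default configuration accepts clients from RFC 1918 and link-local ranges on all interfaces; restrict this via extraConfig or configText.";`. Likewise, when `configText` is set the `proxyPort` and `extraConfig` values are silently ignored, which deserves a sentence on both options, e.g. `Ignored when configText is set.`. Separately, `serviceConfig` sets no `User=`, so squid starts as root and relies on `cache_effective_user squid squid` in the generated file to drop privileges; if that is intended, a comment next to `ExecStart` stating it would keep a later maintainer from adding `User=` and breaking the pid file and log directory handling.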