nixpkgs/nixos/modules/services/networking/privoxy.nix
Joachim Fasting 3dcdc2d2b0
privoxy service: remove static uid
The service owns no data, having a static uid serves no purpose.

This frees up uid/gid 32
2016-12-05 13:37:08 +01:00

112 lines
2.8 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
inherit (pkgs) privoxy;
cfg = config.services.privoxy;
confFile = pkgs.writeText "privoxy.conf" ''
user-manual ${privoxy}/share/doc/privoxy/user-manual
confdir ${privoxy}/etc/
listen-address ${cfg.listenAddress}
enable-edit-actions ${if (cfg.enableEditActions == true) then "1" else "0"}
${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles}
${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles}
${cfg.extraConfig}
'';
in
{
###### interface
options = {
services.privoxy = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the Privoxy non-caching filtering proxy.
'';
};
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1:8118";
description = ''
Address the proxy server is listening to.
'';
};
actionsFiles = mkOption {
type = types.listOf types.str;
example = [ "match-all.action" "default.action" "/etc/privoxy/user.action" ];
default = [ "match-all.action" "default.action" ];
description = ''
List of paths to Privoxy action files.
These paths may either be absolute or relative to the privoxy configuration directory.
'';
};
filterFiles = mkOption {
type = types.listOf types.str;
example = [ "default.filter" "/etc/privoxy/user.filter" ];
default = [ "default.filter" ];
description = ''
List of paths to Privoxy filter files.
These paths may either be absolute or relative to the privoxy configuration directory.
'';
};
enableEditActions = mkOption {
type = types.bool;
default = false;
description = ''
Whether or not the web-based actions file editor may be used.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "" ;
description = ''
Extra configuration. Contents will be added verbatim to the configuration file.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
users.users.privoxy = {
isSystemUser = true;
home = "/var/empty";
group = "privoxy";
};
users.groups.privoxy = {};
systemd.services.privoxy = {
description = "Filtering web proxy";
after = [ "network.target" "nss-lookup.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${privoxy}/bin/privoxy --no-daemon --user privoxy ${confFile}";
serviceConfig.PrivateDevices = true;
serviceConfig.PrivateTmp = true;
serviceConfig.ProtectHome = true;
serviceConfig.ProtectSystem = "full";
};
};
}