From 9fa4825864e6b8017d22d5215b02fb05b96bf276 Mon Sep 17 00:00:00 2001
From: Atridad Lahiji
Date: Wed, 1 Apr 2026 09:53:53 -0600
Subject: [PATCH] Update proxy.nix

---
 modules/proxy.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/proxy.nix b/modules/proxy.nix
index 34dcfc2..663bae6 100644
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
@@ -47,6 +47,9 @@ let
   mkSocatService = port: proto:
+    let
+      isPrivileged = port < 1024;
+    in
     lib.nameValuePair "socat-${proto}-${toString port}" {
       description = "Socat ${proto} proxy for port ${toString port}";
       after = [
@@ -63,7 +66,12 @@ let
         "${pkgs.socat}/bin/socat TCP-LISTEN:${toString port},fork,reuseaddr TCP:${upstream}:${toString port}";
         Restart = "on-failure";
         RestartSec = "5s";
+      }
+      // lib.optionalAttrs (!isPrivileged) {
         DynamicUser = true;
+      }
+      // lib.optionalAttrs isPrivileged {
+        User = "nobody";
         AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
       };
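Review bot: In the second hunk the privileged branch (`// lib.optionalAttrs isPrivileged { User = "nobody"; ... }`) gives up the per-service DynamicUser in favour of the shared `nobody` account, so every low-port socat instance and any other unit running as `nobody` now share one UID, while the non-privileged branch keeps its own isolated user. As far as I know systemd applies `AmbientCapabilities=` together with `DynamicUser=`, so the split may not be needed: keeping `DynamicUser = true;` in the common set and moving only `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` and `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` under `lib.optionalAttrs isPrivileged` would bind the port without a shared account. If `nobody` is a deliberate choice (e.g. DynamicUser was observed not to work here), a short comment on the `User = "nobody";` line stating that reason would save the next reader from reverting it. The `serviceConfig` attribute set these lines belong to starts before the hunk.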