atridad/haschel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update proxy.nix
Deploy NixOS / deploy (push) Failing after 27s
Details

Browse Source
This commit is contained in:
Atridad Lahiji
2026-04-01 09:53:53 -06:00
parent a8a73c1b91
commit 9fa4825864
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/proxy.nix
+8
View File
@@ -47,6 +47,9 @@ let
mkSocatService = mkSocatService =
port: proto: port: proto:
let
isPrivileged = port < 1024;
in
lib.nameValuePair "socat-${proto}-${toString port}" { lib.nameValuePair "socat-${proto}-${toString port}" {
description = "Socat ${proto} proxy for port ${toString port}"; description = "Socat ${proto} proxy for port ${toString port}";
after = [ after = [
@@ -63,7 +66,12 @@ let
"${pkgs.socat}/bin/socat TCP-LISTEN:${toString port},fork,reuseaddr TCP:${upstream}:${toString port}"; "${pkgs.socat}/bin/socat TCP-LISTEN:${toString port},fork,reuseaddr TCP:${upstream}:${toString port}";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "5s"; RestartSec = "5s";
}
// lib.optionalAttrs (!isPrivileged) {
DynamicUser = true; DynamicUser = true;
}
// lib.optionalAttrs isPrivileged {
User = "nobody";
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
}; };