diff --git a/glicid/services/networking.scm b/glicid/services/networking.scm
index a548206..dc7cf78 100644
--- a/glicid/services/networking.scm
+++ b/glicid/services/networking.scm
@@ -3,6 +3,7 @@
   #:use-module (gnu packages networking)
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
+  #:use-module (gnu system privilege)
   #:use-module (gnu system shadow)
   #:use-module (guix)
   #:use-module (guix records)
@@ -14,6 +15,8 @@
   squid-service-type
   ))
+
+
 (define-record-type* squid-configuration make-squid-configuration
@@ -34,16 +37,17 @@
     (documentation "Run squid.")
     (requirement '(user-processes))
     (respawn? #t)
+    (respawn-delay 10)
     (start #~(make-forkexec-constructor (list
-               #$(file-append pkg "/sbin/squid")
+               "/run/privileged/bin/squid"
               "-f" #$config-file )
               #:pid-file #$pid-file
               #:log-file #$log-file
               #:user (passwd:uid (getpwnam "squid"))
               #:group (passwd:gid (getpwnam "squid"))
-              #:resource-limits '((nofile 16384 16384))))
+              #:resource-limits '((nofile 65535 65535))))
     (stop #~(make-kill-destructor)))))))
@@ -78,11 +82,18 @@
     (home-directory "/var/spool/squid")
     (shell (file-append bash "/bin/bash")))))
+(define %squid-priv
+  (list
+    (privileged-program
+      (program (file-append squid "/sbin/squid"))
+      (capabilities "cap_net_admin,cap_net_bind_service=+ep,cap_net_raw=+ep,cap_syslog,cap_bpf"))))
+
 (define squid-service-type
   (service-type
     (name 'squid)
     (extensions (list
       (service-extension shepherd-root-service-type squid-shepherd-service)
-      (service-extension activation-service-type (const %squid-activation))
-      (service-extension account-service-type (const %squid-accounts))))
+      (service-extension privileged-program-service-type (const %squid-priv))
+      (service-extension account-service-type (const %squid-accounts)
+      (service-extension activation-service-type (const %squid-activation)))))
     (description "Run @uref{http://www.squid-cache.org/, squid} community developped Squid software.")))
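Review bot: The start command now hard-codes `"/run/privileged/bin/squid"` in place of `#$(file-append pkg "/sbin/squid")`, so the binary this shepherd service execs is no longer tied to the `pkg` it was built from but to whatever the privileged-program extension copies into `/run/privileged/bin` — and in the later hunk that extension wraps the `squid` package variable, not `pkg`. If a user configures a different squid package, the service will presumably still run the default package's setcap'd copy, or fail to start if no wrapper exists. I would derive the privileged program from the same `pkg`, or at minimum document the coupling above the path: `;; Exec the setcap'd copy installed by privileged-program-service-type (see %squid-priv); the package wrapped there must match pkg.` The `squid-shepherd-service` definition this hunk edits starts and ends outside the hunk.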
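Review bot: The rewritten `extensions` list is mis-parenthesised: `(service-extension account-service-type (const %squid-accounts)` is never closed, so the following `(service-extension activation-service-type ...)` form becomes a third argument to that call rather than a separate list element, and the activation extension is lost (or the module fails to load with an arity error). The fix is `(service-extension account-service-type (const %squid-accounts))` followed by `(service-extension activation-service-type (const %squid-activation))))`. Separately, the `capabilities` string in `%squid-priv` mixes one comma-separated list with per-item `=+ep` actions and gives `cap_syslog,cap_bpf` no action at all; libcap's text format, as far as I recall, expects whitespace-separated clauses of the form `caplist=flags`, so this is likely rejected by setcap at activation time, and `"cap_net_admin,cap_net_bind_service,cap_net_raw,cap_syslog,cap_bpf=ep"` is the form that expresses the evident intent. From a least-privilege standpoint `cap_net_admin`, `cap_bpf` and `cap_syslog` are broad grants for a caching proxy; if they exist only for TPROXY/interception or a pinger helper, say so in a comment next to the string and drop the ones that are not needed.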