GLiCID/guix-glicid
7
0
Fork 0
mirror of https://gitlab.univ-nantes.fr/glicid-public/guix-glicid.git synced 2025-06-17 17:51:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

adding capabilities to squid

Browse source
This commit is contained in:
Jean-François GUILLAUME 2025-05-29 07:40:58 +00:00
commit 13724cced1
1 changed files with 15 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

19
glicid/services/networking.scm
View file

@ -3,6 +3,7 @@
#:use-module (gnu packages networking) #:use-module (gnu packages networking)
#:use-module (gnu services) #:use-module (gnu services)
#:use-module (gnu services shepherd) #:use-module (gnu services shepherd)
#:use-module (gnu system privilege)
#:use-module (gnu system shadow) #:use-module (gnu system shadow)
#:use-module (guix) #:use-module (guix)
#:use-module (guix records) #:use-module (guix records)
@ -14,6 +15,8 @@
squid-service-type squid-service-type
)) ))
(define-record-type* (define-record-type*
<squid-configuration> <squid-configuration>
squid-configuration make-squid-configuration squid-configuration make-squid-configuration
@ -34,16 +37,17 @@
(documentation "Run squid.") (documentation "Run squid.")
(requirement '(user-processes)) (requirement '(user-processes))
(respawn? #t) (respawn? #t)
(respawn-delay 10)
(start #~(make-forkexec-constructor (start #~(make-forkexec-constructor
(list (list
#$(file-append pkg "/sbin/squid") "/run/privileged/bin/squid"
"-f" #$config-file "-f" #$config-file
) )
#:pid-file #$pid-file #:pid-file #$pid-file
#:log-file #$log-file #:log-file #$log-file
#:user (passwd:uid (getpwnam "squid")) #:user (passwd:uid (getpwnam "squid"))
#:group (passwd:gid (getpwnam "squid")) #:group (passwd:gid (getpwnam "squid"))
#:resource-limits '((nofile 16384 16384)))) #:resource-limits '((nofile 65535 65535))))
(stop #~(make-kill-destructor))))))) (stop #~(make-kill-destructor)))))))
@ -78,11 +82,18 @@
(home-directory "/var/spool/squid") (home-directory "/var/spool/squid")
(shell (file-append bash "/bin/bash"))))) (shell (file-append bash "/bin/bash")))))
(define %squid-priv
(list
(privileged-program
(program (file-append squid "/sbin/squid"))
(capabilities "cap_net_admin,cap_net_bind_service=+ep,cap_net_raw=+ep,cap_syslog,cap_bpf"))))
(define squid-service-type (define squid-service-type
(service-type (service-type
(name 'squid) (name 'squid)
(extensions (list (extensions (list
(service-extension shepherd-root-service-type squid-shepherd-service) (service-extension shepherd-root-service-type squid-shepherd-service)
(service-extension activation-service-type (const %squid-activation)) (service-extension privileged-program-service-type (const %squid-priv))
(service-extension account-service-type (const %squid-accounts)))) (service-extension account-service-type (const %squid-accounts)
(service-extension activation-service-type (const %squid-activation)))))
(description "Run @uref{http://www.squid-cache.org/, squid} community developped Squid software."))) (description "Run @uref{http://www.squid-cache.org/, squid} community developped Squid software.")))