adding capabilities to squid

2025-06-17 09:41:48 +02:00 · 2025-05-29 07:40:58 +00:00 · 2025-05-29 07:40:58 +00:00 · 13724cced1
commit 13724cced1
parent bdf1e7fda6 d1b5dead20
1 changed files with 15 additions and 4 deletions
--- a/glicid/services/networking.scm
+++ b/glicid/services/networking.scm
@ -3,6 +3,7 @@
               #:use-module (gnu packages networking)
               #:use-module (gnu services)
               #:use-module (gnu services shepherd)
+               #:use-module (gnu system privilege)
               #:use-module (gnu system shadow)
               #:use-module (guix)
               #:use-module (guix records)
@ -14,6 +15,8 @@
                          squid-service-type
                          ))

+
+
 (define-record-type* 
  <squid-configuration>
  squid-configuration make-squid-configuration
@ -34,16 +37,17 @@
         (documentation "Run squid.")
         (requirement '(user-processes))
         (respawn? #t)
+         (respawn-delay 10)
         (start #~(make-forkexec-constructor
                    (list
-                      #$(file-append pkg "/sbin/squid")
+                      "/run/privileged/bin/squid"
                      "-f" #$config-file
                      )
                    #:pid-file #$pid-file 
                    #:log-file #$log-file
                    #:user (passwd:uid (getpwnam "squid"))
                    #:group (passwd:gid (getpwnam "squid"))
-                    #:resource-limits '((nofile 16384 16384))))
+                    #:resource-limits '((nofile 65535 65535))))
         (stop #~(make-kill-destructor)))))))


@ -78,11 +82,18 @@
      (home-directory "/var/spool/squid")
      (shell (file-append bash "/bin/bash")))))

+(define %squid-priv
+  (list
+    (privileged-program
+      (program (file-append squid "/sbin/squid"))
+      (capabilities "cap_net_admin,cap_net_bind_service=+ep,cap_net_raw=+ep,cap_syslog,cap_bpf"))))
+
 (define squid-service-type
  (service-type 
    (name 'squid)
    (extensions (list
                  (service-extension shepherd-root-service-type squid-shepherd-service)
-                  (service-extension activation-service-type (const %squid-activation))
-                  (service-extension account-service-type (const %squid-accounts))))
+                  (service-extension privileged-program-service-type (const %squid-priv))
+                  (service-extension account-service-type (const %squid-accounts)
+                  (service-extension activation-service-type (const %squid-activation)))))
    (description "Run @uref{http://www.squid-cache.org/, squid} community developped Squid software.")))