From 22e10a3567ffbf8ea0d4e7f012710607b1129716 Mon Sep 17 00:00:00 2001
From: Jeidnx
Date: Mon, 17 Jun 2024 22:28:19 +0200
Subject: [PATCH] feat(proxy): add socket support
---
 piped-proxy/module.nix | 94 ++++++++++++++++++++++++++----------------
 1 file changed, 59 insertions(+), 35 deletions(-)
diff --git a/piped-proxy/module.nix b/piped-proxy/module.nix
index f92fb00..5c00de5 100644
--- a/piped-proxy/module.nix
+++ b/piped-proxy/module.nix
@@ -23,6 +23,13 @@ in
 type = types.str;
 };
+ listenPath = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ example = "/run/piped-proxy/piped-proxy.sock";
+ description = "Path for listening on a unix socket. Enabling this ignores `listenAddress`";
+ };
+
 package = mkOption {
 default = self.packages."${pkgs.stdenv.system}".piped-proxy;
 type = types.package;
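Review bot: The `example` value `/run/piped-proxy/piped-proxy.sock` lies inside the directory that the service unit in the next hunk declares as `RuntimeDirectory = [ "%N" ]`, which systemd creates on service start and removes on service stop (no `RuntimeDirectoryPreserve` is set), so restarting the service can unlink the socket file while `piped-proxy.socket` still holds the listening fd, leaving the path unreachable until the socket unit is restarted; with `DynamicUser` the runtime directory is additionally managed as a private directory, which may conflict with the socket unit having already created a plain one. Point the example at a path outside the runtime directory, or state in the description that the two must not overlap. Separately, `ListenStream` treats only an absolute path as an AF_UNIX socket and a bare number as a TCP port, so `type = with types; nullOr path;` would reject a relative string at evaluation time instead of silently producing a TCP listener. The option description should also mention that the socket's permissions are controlled by `systemd.sockets.piped-proxy.socketConfig`, since the path alone says nothing about who may connect.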
@@ -30,41 +37,58 @@ in
 };
- config = mkIf cfg.enable {
- systemd.services.piped-proxy = {
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = "${cfg.package}/bin/piped-proxy";
- Environment = [ "BIND=${cfg.listenAddress}" ];
- RuntimeDirectory = [ "%N" ];
- WorkingDirectory = [ "%t/%N" ];
- DynamicUser = true;
- ProtectSystem = "strict";
- ProtectHome = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectControlGroups = true;
- ProtectKernelLogs = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectProc = "invisible";
- ProcSubset = "pid";
- PrivateTmp = true;
- PrivateUsers = true;
- PrivateDevices = true;
- PrivateIPC = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- CapabilityBoundingSet = "";
- LockPersonality = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
- RestrictNamespaces = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [ "@system-service" ];
- SystemCallErrorNumber = "EPERM";
+ config =
+ let
+ useSocket = cfg.listenPath != null;
+ in
+ mkIf cfg.enable {
+
+ systemd.sockets.piped-proxy = mkIf useSocket {
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = cfg.listenPath;
+ };
+ };
+
+ systemd.services.piped-proxy = {
+ wantedBy = [ "multi-user.target" ];
+ wants = mkIf useSocket [ "piped-proxy.socket" ];
+ after = mkIf useSocket [ "piped-proxy.socket" ];
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/piped-proxy";
+ Environment = (if useSocket then [ "FD_UNIX=0" ] else [ "BIND=${cfg.listenAddress}" ]);
+ RuntimeDirectory = [ "%N" ];
+ WorkingDirectory = [ "%t/%N" ];
+ DynamicUser = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" ];
+ SystemCallErrorNumber = "EPERM";
+ };
 };
 };
- };
 }
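Review bot: The new socket unit sets only `ListenStream`, so in socket mode the file is created with systemd's default `SocketMode=0666` and, subject to the parent directory's permissions, any local user can connect to the proxy; nothing in the module narrows that, so add `SocketMode = "0660";` together with `SocketUser`/`SocketGroup` (or a module option naming the group of the fronting web server) to `socketConfig`. `wants = mkIf useSocket [ "piped-proxy.socket" ]` is too weak for a service that in this mode has no `BIND` and depends entirely on the inherited fd — if the socket unit fails, `multi-user.target` still starts the service, so `requires = mkIf useSocket [ "piped-proxy.socket" ];` states the real dependency. `RestrictAddressFamilies` still lists only AF_INET/AF_INET6; accepting on the inherited AF_UNIX socket is unaffected because the restriction applies to socket(2), but if the binary creates any AF_UNIX socket of its own in this mode it will get EPERM, so confirm against the binary and add `"AF_UNIX"` under `useSocket` if needed. The meaning of `FD_UNIX=0` (a listenfd-style index versus a raw descriptor number) is not visible here and deserves a comment, since systemd passes activated sockets starting at fd 3.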