Add nnss-sproxy

Makefile

@@ -2,14 +2,16 @@
 PREFIX=/usr
 
 install:
-	install -Dm 644 nnss-ssh@.service -t "$(PREFIX)/lib/systemd/system"
-	install -Dm 644 nnssA@.service    -t "$(PREFIX)/lib/systemd/system"
-	install -Dm 644 nnssB@.service    -t "$(PREFIX)/lib/systemd/system"
-	install -Dm 644 ssh_config        -t "$(PREFIX)/lib/nnss"
-	install -Dm 755 tunsocks.sh       -t "$(PREFIX)/lib/nnss"
-	install -Dm 644 README.md         -t "$(PREFIX)/share/doc/nnss"
-	install -Dm 644 LICENSE           -t "$(PREFIX)/share/doc/nnss"
-	install -Dm 644 tmpfiles.conf     "$(PREFIX)/lib/tmpfiles.d/nnss.conf"
+	install -Dm 644 nnss-ssh@.service    -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 nnssA@.service       -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 nnssB@.service       -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 nnss-sproxy@.service -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 nnss-sproxy@.socket  -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 ssh_config           -t "$(PREFIX)/lib/nnss"
+	install -Dm 755 tunsocks.sh          -t "$(PREFIX)/lib/nnss"
+	install -Dm 644 README.md            -t "$(PREFIX)/share/doc/nnss"
+	install -Dm 644 LICENSE              -t "$(PREFIX)/share/doc/nnss"
+	install -Dm 644 tmpfiles.conf           "$(PREFIX)/lib/tmpfiles.d/nnss.conf"
 
 uninstall:
 	rm -rf "$(PREFIX)/lib/nnss" \
@@ -17,4 +19,6 @@ uninstall:
 		"$(PREFIX)/lib/tmpfiles.d/nnss.conf" \
 		"$(PREFIX)/lib/systemd/system/nnssA@.service" \
 		"$(PREFIX)/lib/systemd/system/nnssB@.service" \
+		"$(PREFIX)/lib/systemd/system/nnss-sproxy@.service" \
+		"$(PREFIX)/lib/systemd/system/nnss-sproxy@.socket" \
 		"$(PREFIX)/lib/systemd/system/nnss-ssh@.service"

nnss-sproxy@.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Connect to a service running inside a network namespace using socket activation
+
+[Service]
+Type=notify
+User=nnss-sproxy-%i
+DynamicUser=yes
+
+# Add CONNECT_ADDR environment variable to below file. E.g.
+# echo CONNECT_ADDR=127.0.0.1:8080 > /etc/nnss/sproxy_myapp/env
+EnvironmentFile=/etc/nnss/sproxy_%i/env
+
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd $CONNECT_ADDR
+
+# This should be a symlink to the actual network namespace file. E.g.
+# ln -snf /run/netns/torns /etc/nnss/sproxy_myapp/ns
+NetworkNamespacePath=/etc/nnss/sproxy_%i/ns

nnss-sproxy@.socket

@@ -0,0 +1,16 @@
+[Unit]
+Description=Socket to connect to a service running inside a network namespace
+
+[Socket]
+ListenStream=/run/nnss-%i.sock
+
+# By default, the above socket is world writable
+# To restrict to just the web server, Run
+# sudo systemctl edit nnss-sproxy@.socket --drop-in=sockperms.conf
+# and add below settings. (change to your web server user)
+# SocketGroup=caddy
+# SocketMode=0660
+
+
+[Install]
+WantedBy=sockets.target