From a6de5934d3aa95c3e455d51df2067d8158483305 Mon Sep 17 00:00:00 2001
From: Balakrishnan Balasubramanian
Date: Sun, 27 Jul 2025 22:03:30 -0400
Subject: [PATCH] Add nnss-sproxy
---
 Makefile | 20 ++++++++++++--------
 nnss-sproxy@.service | 17 +++++++++++++++++
 nnss-sproxy@.socket | 16 ++++++++++++++++
 3 files changed, 45 insertions(+), 8 deletions(-)
 create mode 100644 nnss-sproxy@.service
 create mode 100644 nnss-sproxy@.socket
diff --git a/Makefile b/Makefile
index 9037939..eba1593 100644
--- a/Makefile
+++ b/Makefile
@@ -2,14 +2,16 @@ PREFIX=/usr
 install:
- install -Dm 644 nnss-ssh@.service -t "$(PREFIX)/lib/systemd/system"
- install -Dm 644 nnssA@.service -t "$(PREFIX)/lib/systemd/system"
- install -Dm 644 nnssB@.service -t "$(PREFIX)/lib/systemd/system"
- install -Dm 644 ssh_config -t "$(PREFIX)/lib/nnss"
- install -Dm 755 tunsocks.sh -t "$(PREFIX)/lib/nnss"
- install -Dm 644 README.md -t "$(PREFIX)/share/doc/nnss"
- install -Dm 644 LICENSE -t "$(PREFIX)/share/doc/nnss"
- install -Dm 644 tmpfiles.conf "$(PREFIX)/lib/tmpfiles.d/nnss.conf"
+ install -Dm 644 nnss-ssh@.service -t "$(PREFIX)/lib/systemd/system"
+ install -Dm 644 nnssA@.service -t "$(PREFIX)/lib/systemd/system"
+ install -Dm 644 nnssB@.service -t "$(PREFIX)/lib/systemd/system"
+ install -Dm 644 nnss-sproxy@.service -t "$(PREFIX)/lib/systemd/system"
+ install -Dm 644 nnss-sproxy@.socket -t "$(PREFIX)/lib/systemd/system"
+ install -Dm 644 ssh_config -t "$(PREFIX)/lib/nnss"
+ install -Dm 755 tunsocks.sh -t "$(PREFIX)/lib/nnss"
+ install -Dm 644 README.md -t "$(PREFIX)/share/doc/nnss"
+ install -Dm 644 LICENSE -t "$(PREFIX)/share/doc/nnss"
+ install -Dm 644 tmpfiles.conf "$(PREFIX)/lib/tmpfiles.d/nnss.conf"
 uninstall:
  rm -rf "$(PREFIX)/lib/nnss" \
@@ -17,4 +19,6 @@ uninstall:
  "$(PREFIX)/lib/tmpfiles.d/nnss.conf" \
  "$(PREFIX)/lib/systemd/system/nnssA@.service" \
  "$(PREFIX)/lib/systemd/system/nnssB@.service" \
+ "$(PREFIX)/lib/systemd/system/nnss-sproxy@.service" \
+ "$(PREFIX)/lib/systemd/system/nnss-sproxy@.socket" \
  "$(PREFIX)/lib/systemd/system/nnss-ssh@.service"
diff --git a/nnss-sproxy@.service b/nnss-sproxy@.service
new file mode 100644
index 0000000..0aa27f6
--- /dev/null
+++ b/nnss-sproxy@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Connect to a service running inside a network namespace using socket activation
+
+[Service]
+Type=notify
+User=nnss-sproxy-%i
+DynamicUser=yes
+
+# Add CONNECT_ADDR environment variable to below file. E.g.
+# echo CONNECT_ADDR=127.0.0.1:8080 > /etc/nnss/sproxy_myapp/env
+EnvironmentFile=/etc/nnss/sproxy_%i/env
+
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd $CONNECT_ADDR
+
+# This should be a symlink to the actual network namespace file. E.g.
+# ln -snf /run/netns/torns /etc/nnss/sproxy_myapp/ns
+NetworkNamespacePath=/etc/nnss/sproxy_%i/ns
diff --git a/nnss-sproxy@.socket b/nnss-sproxy@.socket
new file mode 100644
index 0000000..1f85bbf
--- /dev/null
+++ b/nnss-sproxy@.socket
@@ -0,0 +1,16 @@
+[Unit]
+Description=Socket to connect to a service running inside a network namespace
+
+[Socket]
+ListenStream=/run/nnss-%i.sock
+
+# By default, the above socket is world writable
+# To restrict to just the web server, Run
+# sudo systemctl edit nnss-sproxy@.socket --drop-in=sockperms.conf
+# and add below settings. (change to your web server user)
+# SocketGroup=caddy
+# SocketMode=0660
+
+
+[Install]
+WantedBy=sockets.target
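Review bot: Both `EnvironmentFile=/etc/nnss/sproxy_%i/env` and `NetworkNamespacePath=/etc/nnss/sproxy_%i/ns` in nnss-sproxy@.service are read from a directory that nothing in this patch creates or constrains, so whoever can write there chooses which namespace the proxy joins and which address it forwards to. The two setup comments only show how to populate the files; they should also state the ownership the directory needs, for example `# /etc/nnss/sproxy_%i/ must be root-owned and not group- or world-writable: env and ns decide where traffic is sent`. The `ln -snf` example makes `ns` a symlink, so the same requirement applies to replacing the link, not only to editing the files.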
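Review bot: `ListenStream=/run/nnss-%i.sock` in nnss-sproxy@.socket ships with the default socket mode, which the comment below it describes as world writable, so until an administrator adds the drop-in every local user can connect to the service that the network namespace was presumably meant to isolate. A closed default would be safer: set `SocketMode=0660` in the unit itself and leave only `SocketGroup=` as the commented, site-specific line, so an unconfigured instance is reachable by root alone. The documented `systemctl edit nnss-sproxy@.socket` edits the template and therefore applies to every instance; the comment could mention `nnss-sproxy@myapp.socket` for cases where instances need different groups.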