Add nnss-sproxy

Makefile

@@ -2,14 +2,16 @@
 PREFIX=/usr
 
 install:
-	install -Dm 644 nnss-ssh@.service -t "$(PREFIX)/lib/systemd/system"
-	install -Dm 644 nnssA@.service    -t "$(PREFIX)/lib/systemd/system"
-	install -Dm 644 nnssB@.service    -t "$(PREFIX)/lib/systemd/system"
-	install -Dm 644 ssh_config        -t "$(PREFIX)/lib/nnss"
-	install -Dm 755 tunsocks.sh       -t "$(PREFIX)/lib/nnss"
-	install -Dm 644 README.md         -t "$(PREFIX)/share/doc/nnss"
-	install -Dm 644 LICENSE           -t "$(PREFIX)/share/doc/nnss"
-	install -Dm 644 tmpfiles.conf     "$(PREFIX)/lib/tmpfiles.d/nnss.conf"
+	install -Dm 644 nnss-ssh@.service    -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 nnssA@.service       -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 nnssB@.service       -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 nnss-sproxy@.service -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 nnss-sproxy@.socket  -t "$(PREFIX)/lib/systemd/system"
+	install -Dm 644 ssh_config           -t "$(PREFIX)/lib/nnss"
+	install -Dm 755 tunsocks.sh          -t "$(PREFIX)/lib/nnss"
+	install -Dm 644 README.md            -t "$(PREFIX)/share/doc/nnss"
+	install -Dm 644 LICENSE              -t "$(PREFIX)/share/doc/nnss"
+	install -Dm 644 tmpfiles.conf           "$(PREFIX)/lib/tmpfiles.d/nnss.conf"
 
 uninstall:
 	rm -rf "$(PREFIX)/lib/nnss" \
@@ -17,4 +19,6 @@ uninstall:
 		"$(PREFIX)/lib/tmpfiles.d/nnss.conf" \
 		"$(PREFIX)/lib/systemd/system/nnssA@.service" \
 		"$(PREFIX)/lib/systemd/system/nnssB@.service" \
+		"$(PREFIX)/lib/systemd/system/nnss-sproxy@.service" \
+		"$(PREFIX)/lib/systemd/system/nnss-sproxy@.socket" \
 		"$(PREFIX)/lib/systemd/system/nnss-ssh@.service"

nnss-sproxy@.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Connect to a service running inside a network namespace using socket activation
+
+[Service]
+Type=notify
+User=nnss-sproxy-%i
+DynamicUser=yes
+
+# Add CONNECT_ADDR environment variable to below file. E.g.
+# echo CONNECT_ADDR=127.0.0.1:8080 > /etc/nnss/sproxy_myapp/env
+EnvironmentFile=/etc/nnss/sproxy_%i/env
+
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd $CONNECT_ADDR
+
+# This should be a symlink to the actual network namespace file. E.g.
+# ln -snf /run/netns/torns /etc/nnss/sproxy_myapp/ns
+NetworkNamespacePath=/etc/nnss/sproxy_%i/ns

nnss-sproxy@.socket

@@ -0,0 +1,16 @@
+[Unit]
+Description=Socket to connect to a service running inside a network namespace
+
+[Socket]
+ListenStream=/run/nnss-%i.sock
+
+# By default, the above socket is world writable
+# To restrict to just the web server, Run
+# sudo systemctl edit nnss-sproxy@.socket --drop-in=sockperms.conf
+# and add below settings. (change to your web server user)
+# SocketGroup=caddy
+# SocketMode=0660
+
+
+[Install]
+WantedBy=sockets.target

nnss-ssh@.service

@@ -8,9 +8,13 @@ StopWhenUnneeded=yes
 Type=notify
 NotifyAccess=all
 DynamicUser=yes
+User=nnss-ssh-%i
 
 LoadCredential=ssh:/etc/nnss/%i
 
+# Note: App service running in the namespace should have Restart=always,
+# otherwise, both the ssh connection and the app will be stopped as this unit
+# has StopWhenUnneeded set
 # https://enotty.pipebreaker.pl/posts/2024/01/how-systemd-exponential-restart-delay-works/
 Restart=on-failure
 RestartSec=5min
@@ -18,6 +22,7 @@ RestartSteps=6
 RestartMaxDelaySec=24h
 
 RuntimeDirectory=nnss-%i
+RuntimeDirectoryMode=0750
 StateDirectory=nnss-%i
 ExecStart=ssh -F /usr/lib/nnss/ssh_config default
 

nnssB@.service

@@ -10,7 +10,7 @@ NotifyAccess=all
 RuntimeDirectory=nnssB%i
 
 # Add SOCKS_PROXY environment variable to below file. E.g.
-# SOCKS_PROXY=socks5://127.0.0.1:9050
+# echo SOCKS_PROXY=socks5://127.0.0.1:9050 > /etc/nnss/env_tor
 EnvironmentFile=/etc/nnss/env_%i
 
 ExecStart=/usr/lib/nnss/tunsocks.sh "%i" use_env setup