dotfiles/modules/os/misc/syncyomi.nix
eriedaberrie c2380dad7b Initial commit
Note: not the actual initial commit.

I swear I will stop repeatedly force pushing to this single commit eventually
ok.
2024-09-21 00:45:42 -07:00

110 lines
2.9 KiB
Nix

{ pkgs, config, lib, ... }:
let
cfg = config.services.syncyomi;
defaultUser = "syncyomi";
defaultGroup = defaultUser;
defaultStateDir = "/var/lib/syncyomi";
settingsFormat = pkgs.formats.toml { };
in {
options.services.syncyomi = {
enable = lib.mkEnableOption null;
package = lib.mkPackageOption pkgs "syncyomi" {};
user = lib.mkOption {
type = lib.types.str;
default = defaultUser;
};
group = lib.mkOption {
type = lib.types.str;
default = defaultGroup;
};
stateDir = lib.mkOption {
type = lib.types.str;
default = defaultStateDir;
};
settings = lib.mkOption {
type = settingsFormat.type;
default = { };
};
};
config = lib.mkIf cfg.enable {
services.syncyomi.settings = {
host = lib.mkDefault "127.0.0.1";
port = lib.mkDefault 8282;
checkForUpdates = lib.mkDefault false;
};
users = {
users = lib.mkIf (cfg.user == defaultUser) {
${defaultUser} = {
home = cfg.stateDir;
group = cfg.group;
isSystemUser = true;
description = "Syncyomi daemon user";
};
};
groups = lib.mkIf (cfg.group == defaultGroup) {
${defaultGroup} = { };
};
};
systemd.services.syncyomi = {
description = "Syncyomi service";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "on-failure";
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/syncyomi --config ${cfg.stateDir}";
ReadWritePaths = [ cfg.stateDir ];
ProcSubset = "pid";
ProtectProc = "invisible";
CapabilityBoundingSet = "";
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
PrivateMounts = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@keyring @privileged @resources"
"setrlimit"
];
};
};
systemd.tmpfiles.rules = let
configToml = settingsFormat.generate "config.toml" cfg.settings;
in [
"d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
"z '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
"L+ '${cfg.stateDir}/config.toml' - - - - ${configToml}"
];
};
}