author | Maximilian Bosch <maximilian@mbosch.me> | 2021-10-29 23:09:43 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-29 23:09:43 +0200 |
commit | a1eaddd5c563a85ff2814368f79dea88e1e6ba28 (patch) | |
tree | 2f183243742f0156b1b3bcf7462dc56d5c9a25b8 /nixos | |
parent | 080ef1637dbd19a969a3353ce6fc304a5bcefcb8 (diff) | |
parent | cb5186feead357d556ecdadb05e8ad5bc06b4442 (diff) | |
Merge pull request #139472 from Flakebi/signald
signald: 0.13.1 -> 0.14.1 and add service
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/misc/signald.nix | 105 |
2 files changed, 106 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 9343f2dbc847..5610813d9ad0 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -584,6 +584,7 @@
 ./services/misc/safeeyes.nix
 ./services/misc/sdrplay.nix
 ./services/misc/sickbeard.nix
+ ./services/misc/signald.nix
 ./services/misc/siproxd.nix
 ./services/misc/snapper.nix
 ./services/misc/sonarr.nix
diff --git a/nixos/modules/services/misc/signald.nix b/nixos/modules/services/misc/signald.nix
new file mode 100644
index 000000000000..4cd34e4326d7
--- /dev/null
+++ b/nixos/modules/services/misc/signald.nix
@@ -0,0 +1,105 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.signald;
+ dataDir = "/var/lib/signald";
+ defaultUser = "signald";
+in
+{
+ options.services.signald = {
+ enable = mkEnableOption "the signald service";
+
+ user = mkOption {
+ type = types.str;
+ default = defaultUser;
+ description = "User under which signald runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = defaultUser;
+ description = "Group under which signald runs.";
+ };
+
+ socketPath = mkOption {
+ type = types.str;
+ default = "/run/signald/signald.sock";
+ description = "Path to the signald socket";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users = optionalAttrs (cfg.user == defaultUser) {
+ ${defaultUser} = {
+ group = cfg.group;
+ isSystemUser = true;
+ };
+ };
+
+ users.groups = optionalAttrs (cfg.group == defaultUser) {
+ ${defaultUser} = { };
+ };
+
+ systemd.services.signald = {
+ description = "A daemon for interacting with the Signal Private Messenger";
+ wants = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ ExecStart = "${pkgs.signald}/bin/signald -d ${dataDir} -s ${cfg.socketPath}";
+ Restart = "on-failure";
+ StateDirectory = "signald";
+ RuntimeDirectory = "signald";
+ StateDirectoryMode = "0750";
+ RuntimeDirectoryMode = "0750";
+
+ BindReadOnlyPaths = [
+ "/nix/store"
+ "-/etc/resolv.conf"
+ "-/etc/nsswitch.conf"
+ "-/etc/hosts"
+ "-/etc/localtime"
+ ];
+ CapabilityBoundingSet = "";
+ # ProtectClock= adds DeviceAllow=char-rtc r
+ DeviceAllow = "";
+ # Use a static user so other applications can access the files
+ #DynamicUser = true;
+ LockPersonality = true;
+ # Needed for java
+ #MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ # Needs network access
+ #PrivateNetwork = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ # Would re-mount paths ignored by temporary root
+ #ProtectSystem = "strict";
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
+ TemporaryFileSystem = "/:ro";
+ # Does not work well with the temporary root
+ #UMask = "0066";
+ };
+ };
+ };
+}
|
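Review bot: `ExecStart` interpolates `cfg.socketPath` unquoted into the command line while the option is declared `types.str`, so a value containing whitespace or a `%` systemd specifier would be word-split or expanded instead of passed through; declaring the option as `types.path` and writing `-s ${escapeShellArg cfg.socketPath}` (the file already has `with lib;`) keeps the argument intact. Separately, `StateDirectoryMode = "0750"` makes `/var/lib/signald` — which presumably holds the account's Signal identity and key material — readable by every member of `cfg.group`, whereas the comment on `#DynamicUser` only says other applications need access to "the files"; if clients only need the socket, `StateDirectoryMode = "0700"` with `RuntimeDirectoryMode` left at `0750` would limit the group to the socket, so the module should document which files under the data directory clients are expected to read before settling on the mode. Since `UMask` is commented out, the socket signald creates under `/run/signald` inherits the default umask, and whether group members can actually connect then depends on signald chmod'ing the socket itself, which is worth confirming and noting next to `RuntimeDirectoryMode`.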