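{ config, lib, pkgs, ... }:

# NixOS module for tetrd: runs the daemon as a heavily sandboxed systemd
# service (chroot + DynamicUser + seccomp) and makes the system's
# /etc/resolv.conf a symlink to the file the service controls.
{
  options.services.tetrd.enable = lib.mkEnableOption (lib.mdDoc "tetrd");

  config = lib.mkIf config.services.tetrd.enable {
    environment = {
      systemPackages = [ pkgs.tetrd ];
      # The system resolver configuration becomes a symlink to the file that is
      # bound read-write into the service's chroot below, so tetrd decides DNS.
      # NOTE(review): any other module that also sets environment.etc."resolv.conf"
      # (a resolvconf/resolved setup, for instance) will conflict with this — confirm.
      etc."resolv.conf".source = "/etc/tetrd/resolv.conf";
    };

    systemd = {
      # Create the file at boot with tmpfiles' defaults (root-owned, default mode).
      # The dynamic service user can still write it because of CAP_DAC_OVERRIDE
      # granted below, not because of ownership.
      tmpfiles.rules = [ "f /etc/tetrd/resolv.conf - - -" ];

      services.tetrd = {
        description = pkgs.tetrd.meta.description;
        wantedBy = [ "multi-user.target" ];

        serviceConfig = {
          ExecStart = "${pkgs.tetrd}/opt/Tetrd/bin/tetrd";
          Restart = "always";

          # Chroot into the per-service runtime directory under a transient user.
          RuntimeDirectory = "tetrd";
          RootDirectory = "/run/tetrd";
          DynamicUser = true;
          UMask = "006";

          # Device allow-list. systemd's DeviceAllow= accepts either a /dev/...
          # node path or a /proc/devices group name prefixed with "char-" or
          # "block-". The previous bare value "usb_device" matches neither form,
          # so systemd drops it at parse time ("Invalid device node path ...,
          # ignoring") and, with the default DevicePolicy=auto and an empty
          # allow-list, the unit ends up with no device restriction at all.
          # "char-usb_device" selects /dev/bus/usb/* (character major 189) and
          # makes DevicePolicy=auto behave as "closed".
          DeviceAllow = "char-usb_device";

          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateMounts = true;
          # These three are left open on purpose and only defaulted, so a user
          # can tighten them; presumably tetrd needs the host network namespace
          # and real UIDs for CAP_NET_ADMIN to be useful — verify against the
          # daemon before flipping them.
          PrivateNetwork = lib.mkDefault false;
          PrivateTmp = true;
          PrivateUsers = lib.mkDefault false;
          ProtectClock = lib.mkDefault false;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          # Whole filesystem read-only except what BindPaths= re-opens below.
          ProtectSystem = "strict";
          RemoveIPC = true;
          # AF_NETLINK is required for the route/ifconfig helpers bound below to
          # talk to the kernel's networking stack.
          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";

          # Start from the generic service profile and subtract groups the daemon
          # has no business calling.
          SystemCallFilter = [
            "@system-service"
            "~@aio"
            "~@chown"
            "~@clock"
            "~@cpu-emulation"
            "~@debug"
            "~@keyring"
            "~@memlock"
            "~@module"
            "~@mount"
            "~@obsolete"
            "~@pkey"
            "~@raw-io"
            "~@reboot"
            "~@swap"
            "~@sync"
          ];

          # Read-only view of the Nix store and TLS trust roots inside the chroot;
          # the net-tools binaries are exposed at the FHS paths the vendored
          # daemon presumably expects.
          BindReadOnlyPaths = [
            builtins.storeDir
            "/etc/ssl"
            "/etc/static/ssl"
            "${pkgs.nettools}/bin/route:/usr/bin/route"
            "${pkgs.nettools}/bin/ifconfig:/usr/bin/ifconfig"
          ];

          # Read-write binds into the chroot. NOTE(review): /run and /var/log are
          # bound wholesale, and CAP_DAC_OVERRIDE lets the service bypass file
          # permissions inside them, so every file under both trees is writable
          # by the daemon; narrow these to the specific paths tetrd needs once
          # they are known — TODO confirm.
          BindPaths = [
            "/etc/tetrd/resolv.conf:/etc/resolv.conf"
            "/run"
            "/var/log"
          ];

          # Both the bounding set and the ambient set are needed: with
          # NoNewPrivileges and a non-root DynamicUser the process only holds
          # these capabilities because they are ambient at exec time.
          # CAP_DAC_OVERRIDE is what lets it write the root-owned resolv.conf;
          # CAP_NET_ADMIN is presumably for route/ifconfig — verify.
          CapabilityBoundingSet = [
            "CAP_DAC_OVERRIDE"
            "CAP_NET_ADMIN"
          ];

          AmbientCapabilities = [
            "CAP_DAC_OVERRIDE"
            "CAP_NET_ADMIN"
          ];
        };
      };
    };
  };
}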