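# NixOS module: runs the ydotoold daemon as a hardened system service and
# exposes it to members of the `ydotool` group through a unix socket.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.programs.ydotool;

  # Single source of truth for the daemon socket.  The same path is handed to
  # ydotoold on its command line and exported to clients via YDOTOOL_SOCKET,
  # so keeping one binding prevents the two from drifting apart.
  socketPath = "/run/ydotoold/socket";
in
{
  meta = {
    maintainers = with lib.maintainers; [ quantenzitrone ];
  };

  options.programs.ydotool = {
    enable = lib.mkEnableOption ''
      ydotoold system service and install ydotool.
      Add yourself to the 'ydotool' group to be able to use it.
    '';
  };

  config = lib.mkIf cfg.enable {
    # Trust boundary: the daemon runs as root (no User= is set) and every member
    # of this group can reach its socket, i.e. inject keyboard/mouse events into
    # whatever local session is active.  Treat membership as a privileged grant,
    # comparable to direct access to /dev/uinput.
    users.groups.ydotool = { };

    systemd.services.ydotoold = {
      description = "ydotoold - backend for ydotool";
      wantedBy = [ "multi-user.target" ];
      partOf = [ "multi-user.target" ];
      serviceConfig = {
        # Primary group of the root daemon; files it creates (the socket
        # included) inherit this gid, which is what makes --socket-perm=0660
        # usable by group members only.
        Group = "ydotool";
        # /run/ydotoold is created by systemd as root:ydotool and is the only
        # writable location the service needs under ProtectSystem=strict.
        RuntimeDirectory = "ydotoold";
        RuntimeDirectoryMode = "0750";
        # NOTE(review): UMask=0077 below would strip the group bits from a
        # freshly bound socket; this relies on ydotoold applying --socket-perm
        # itself after bind — confirm against the daemon before changing UMask.
        ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=${socketPath} --socket-perm=0660";

        # hardening

        ## allow access to uinput (the only device the daemon needs)
        DeviceAllow = [ "/dev/uinput" ];
        DevicePolicy = "closed";

        ## allow creation of unix sockets; every other family is denied
        RestrictAddressFamilies = [ "AF_UNIX" ];

        # Root without capabilities: DAC access to /dev/uinput is enough.
        CapabilityBoundingSet = "";
        IPAddressDeny = "any";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateNetwork = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        # `ProtectUser = true` was dropped here: it is not a systemd.exec(5)
        # setting, so systemd logged an "Unknown key name" warning and ignored
        # it; it added nothing to the sandbox.  Home/user isolation is provided
        # by ProtectHome and PrivateUsers above.
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
        UMask = "0077";

        # -> systemd-analyze security score 0.7 SAFE 😀
      };
    };

    # Clients pick the socket up from the environment; must match ExecStart.
    environment.variables = {
      YDOTOOL_SOCKET = socketPath;
    };
    environment.systemPackages = with pkgs; [ ydotool ];
  };
}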