{
  pkgs,
  config,
  lib,
  ...
}:
# NixOS module for dump1090-fa (FlightAware's ADS-B decoder).  It exposes a
# small option set and defines one systemd service that runs the decoder
# under a deny-list style sandbox: every entry prefixed with "~" is removed
# from the set systemd would otherwise allow.
let
  inherit (lib) mkOption types;

  cfg = config.services.dump1090-fa;

  # Name of the directory systemd creates below %t (/run for system units).
  # Reused for RuntimeDirectory, WorkingDirectory and --write-json so the
  # three can never drift apart.
  runtimeDirName = "dump1090-fa";
  runtimeDir = "%t/${runtimeDirName}";

  # Fixed part of the command line; cfg.extraArgs is appended after it.
  baseArgs = [
    (lib.getExe cfg.package)
    "--net"
    "--write-json"
    runtimeDir
  ];
in
{
  options.services.dump1090-fa = {
    enable = lib.mkEnableOption "dump1090-fa";

    package = lib.mkPackageOption pkgs "dump1090-fa" { };

    # Extra command-line arguments.  Each element is shell-escaped below, so a
    # value containing spaces or quotes reaches dump1090-fa as one argument.
    extraArgs = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Additional passed arguments";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.dump1090-fa = {
      description = "dump1090 ADS-B receiver (FlightAware customization)";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # escapeShellArgs quotes every element individually, so user-supplied
        # extraArgs cannot split into additional words or be interpreted by a
        # shell.
        ExecStart = lib.escapeShellArgs (baseArgs ++ cfg.extraArgs);

        # Transient UID/GID allocated per start; nothing owned by the service
        # persists outside the runtime directory.
        DynamicUser = true;
        # NOTE(review): presumably grants access to the SDR USB device through
        # udev rules owned by this group (e.g. hardware.rtl-sdr) — confirm the
        # group exists on the host; with an unresolvable group the unit is
        # likely to fail at start.
        SupplementaryGroups = "plugdev";
        RuntimeDirectory = runtimeDirName;
        WorkingDirectory = runtimeDir;
        # 0755 (systemd's default, spelled out) keeps the written JSON readable
        # by other units that serve it.  The integer is rendered as "755",
        # which systemd reads as an octal mode.
        RuntimeDirectoryMode = 755;

        # NOTE(review): PrivateNetwork gives the unit its own network namespace
        # with only a loopback interface, so the listeners that --net enables
        # are not reachable from the host's network — confirm this is intended.
        PrivateNetwork = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        # Read-only OS image; the runtime directory above is the only
        # writable location the unit is given.
        ProtectSystem = "strict";
        ProtectHostname = true;
        RestrictSUIDSGID = true;
        # A single leading "~" applies to the whole space-separated list:
        # every listed namespace type is denied.
        RestrictNamespaces = "~cgroup ipc net mnt pid user uts";
        # Deny-list of capabilities; NixOS renders one CapabilityBoundingSet=
        # line per element and systemd merges them.
        CapabilityBoundingSet = map (c: "~CAP_${c}") [
          "AUDIT_CONTROL"
          "AUDIT_READ"
          "AUDIT_WRITE"
          "KILL"
          "MKNOD"
          "NET_BIND_SERVICE"
          "NET_BROADCAST"
          "NET_ADMIN"
          "NET_RAW"
          "SYS_RAWIO"
          "SYS_MODULE"
          "SYS_PTRACE"
          "SYS_TIME"
          "SYS_NICE"
          "SYS_RESOURCE"
          "CHOWN"
          "FSETID"
          "SETUID"
          "SETGID"
          "SETPCAP"
          "SETFCAP"
          "DAC_OVERRIDE"
          "DAC_READ_SEARCH"
          "FOWNER"
          "IPC_OWNER"
          "IPC_LOCK"
          "SYS_BOOT"
          "SYS_ADMIN"
          "MAC_ADMIN"
          "MAC_OVERRIDE"
          "SYS_CHROOT"
          "BLOCK_SUSPEND"
          "WAKE_ALARM"
          "LEASE"
          "SYS_PACCT"
        ];
        # Deny-list of seccomp syscall groups, same rendering as above.
        SystemCallFilter = map (g: "~@${g}") [
          "clock"
          "debug"
          "module"
          "mount"
          "raw-io"
          "reboot"
          "swap"
          "privileged"
          "resources"
          "cpu-emulation"
          "obsolete"
        ];
        # Blocks raw packet sockets only; AF_INET/AF_INET6 (needed by --net)
        # and AF_UNIX remain allowed.
        RestrictAddressFamilies = [ "~AF_PACKET" ];
        ProtectControlGroups = true;
        UMask = "0022";
        SystemCallArchitectures = "native";
      };
    };
  };

  meta = {
    maintainers = [ lib.maintainers.aciceri ];
    doc = ./dump1090-fa.md;
  };
}