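{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.realm;
  configFormat = pkgs.formats.json { };
  # The rendered config lands in the Nix store, which is world-readable on the
  # host: anything placed in `services.realm.config` is visible to every local
  # user, so it must never contain secrets.
  configFile = configFormat.generate "config.json" cfg.config;
  inherit (lib)
    mkEnableOption
    mkPackageOption
    mkOption
    mkIf
    types
    getExe
    ;
  # The relay only needs to bind privileged ports and (per the original unit)
  # CAP_NET_ADMIN. The same list is used for both the ambient set and the
  # bounding set so the service cannot regain any other capability.
  # NOTE(review): CAP_NET_ADMIN is a powerful capability; confirm it is really
  # required by the configured realm features and drop it otherwise.
  requiredCapabilities = [
    "CAP_NET_ADMIN"
    "CAP_NET_BIND_SERVICE"
  ];
in
{

  meta.maintainers = with lib.maintainers; [ ocfox ];

  options = {
    services.realm = {
      enable = mkEnableOption "A simple, high performance relay server written in rust";
      package = mkPackageOption pkgs "realm" { };
      config = mkOption {
        type = types.submodule {
          freeformType = configFormat.type;
        };
        default = { };
        description = ''
          The realm configuration, see <https://github.com/zhboner/realm#overview> for documentation.

          The resulting `config.json` is written to the Nix store and is therefore readable
          by every user on the system. Do not put secrets (keys, passwords, tokens) in here.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.realm = {
      # A relay has nothing to do before the network stack is up.
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart = "${getExe cfg.package} --config ${configFile}";

        # Run as a transient, unprivileged user. systemd applies further
        # sandboxing defaults to DynamicUser= units; see systemd.exec(5).
        DynamicUser = true;

        # Grant exactly the needed capabilities and pin the bounding set to the
        # same list; without CapabilityBoundingSet= the bounding set would stay
        # at the full default even though only these two are made ambient.
        AmbientCapabilities = requiredCapabilities;
        CapabilityBoundingSet = requiredCapabilities;

        # Kernel / host isolation (kept from the original unit, plus a few
        # low-risk additions that do not affect a plain network relay).
        MemoryDenyWriteExecute = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        LockPersonality = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
      };
    };
  };
}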