# NixOS module for the tetrd service.
#
# Enabling `services.tetrd.enable` has one system-wide side effect beyond
# starting the unit: the host's /etc/resolv.conf is pointed at
# /etc/tetrd/resolv.conf, a file this module creates and bind-mounts
# read-write into the service's root directory. Every sandboxing option
# below that is set with `mkDefault` (PrivateNetwork, PrivateUsers,
# ProtectClock) can be overridden by the consuming configuration.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mkEnableOption mkIf mkDefault;

  cfg = config.services.tetrd;

  # Host-side path of the resolver file the daemon writes; the same file is
  # mounted at /etc/resolv.conf inside the service's root directory.
  resolvConf = "/etc/tetrd/resolv.conf";

  # nettools binaries exposed at the conventional /usr/bin locations inside
  # the root directory (only these two are made visible).
  netTools = [
    "${pkgs.nettools}/bin/route:/usr/bin/route"
    "${pkgs.nettools}/bin/ifconfig:/usr/bin/ifconfig"
  ];
in
{
  options.services.tetrd.enable = mkEnableOption "tetrd";

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.tetrd ];

    # The system resolver configuration is replaced by the daemon-managed
    # file whenever the service is enabled.
    environment.etc."resolv.conf".source = resolvConf;

    # `f` creates the file if missing; the three `-` fields leave mode,
    # user and group at tmpfiles' defaults (i.e. the file is root-owned).
    systemd.tmpfiles.rules = [ "f ${resolvConf} - - -" ];

    systemd.services.tetrd = {
      description = pkgs.tetrd.meta.description;
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart = "${pkgs.tetrd}/opt/Tetrd/bin/tetrd";
        Restart = "always";

        # The runtime directory doubles as the root directory, so the
        # process only sees the bind mounts listed further down.
        RuntimeDirectory = "tetrd";
        RootDirectory = "/run/tetrd";
        DynamicUser = true;
        UMask = "006";

        # Access to USB device nodes; presumably the tethered device.
        DeviceAllow = "usb_device";

        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateMounts = true;
        PrivateTmp = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";

        # Overridable defaults: the daemon needs the host network namespace
        # and real capabilities, so these are left off unless the consumer
        # decides otherwise.
        PrivateNetwork = mkDefault false;
        PrivateUsers = mkDefault false;
        ProtectClock = mkDefault false;

        # AF_NETLINK is included alongside the IP families; presumably
        # required for the interface/route manipulation done via
        # CAP_NET_ADMIN — confirm against the daemon.
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
        ];

        # Allow-list of @system-service, with the groups below removed.
        SystemCallFilter = [
          "@system-service"
          "~@aio"
          "~@chown"
          "~@clock"
          "~@cpu-emulation"
          "~@debug"
          "~@keyring"
          "~@memlock"
          "~@module"
          "~@mount"
          "~@obsolete"
          "~@pkey"
          "~@raw-io"
          "~@reboot"
          "~@swap"
          "~@sync"
        ];

        BindReadOnlyPaths = [
          builtins.storeDir
          "/etc/ssl"
          "/etc/static/ssl"
        ] ++ netTools;

        # Writable mounts. /run and /var/log are exposed as a whole, and
        # CAP_DAC_OVERRIDE (below) lets the process bypass permission bits
        # on anything under them — worth narrowing if the daemon's actual
        # write targets are known.
        BindPaths = [
          "${resolvConf}:/etc/resolv.conf"
          "/run"
          "/var/log"
        ];

        # CAP_DAC_OVERRIDE: presumably needed because the dynamic user must
        # write the root-owned resolv.conf created by tmpfiles — confirm.
        # CAP_NET_ADMIN: presumably for configuring the tether interface
        # with the bound-in route/ifconfig — confirm.
        CapabilityBoundingSet = [
          "CAP_DAC_OVERRIDE"
          "CAP_NET_ADMIN"
        ];

        AmbientCapabilities = [
          "CAP_DAC_OVERRIDE"
          "CAP_NET_ADMIN"
        ];
      };
    };
  };
}