# NixOS module for the ParetoSecurity agent: installs the package, enables the
# socket for its helper service, and optionally enables the per-user tray icon
# and timer units.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.paretosecurity;

  # PATH handed to the units that probe the system for installed software.
  # It contains only the system profile's bin/ and sbin/ (config.system.path),
  # so every package in environment.systemPackages is resolvable by name from
  # these units; no other directory is added here.
  fullSystemPath = [
    "PATH=${config.system.path}/bin:${config.system.path}/sbin"
  ];
in
{

  options.services.paretosecurity = {
    enable = lib.mkEnableOption "[ParetoSecurity](https://paretosecurity.com) [agent](https://github.com/ParetoSecurity/agent) and its root helper";

    package = lib.mkPackageOption pkgs "paretosecurity" { };

    trayIcon = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Set to false to disable the tray icon and run as a CLI tool only.";
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];

    systemd = {
      # Pick up the unit files shipped inside the package.
      packages = [ cfg.package ];

      # On a conventional distribution systemd reads a unit's [Install] section
      # and creates the enabling symlinks itself. NixOS does not process
      # [Install] during activation, so the target each unit hangs off has to
      # be declared here explicitly; that declaration is what produces the
      # symlinks.
      sockets.paretosecurity.wantedBy = [ "sockets.target" ];

      # NixOS gives systemd services a minimal PATH. The paretosecurity helper
      # does its checks by looking for installed software (it runs `iptables`
      # to see whether a firewall is configured, and looks for password
      # managers), so it is given the full system PATH instead.
      # NOTE(review): per the enable description this helper runs as root;
      # presumably it is started through the socket above - confirm against
      # the packaged unit files.
      services.paretosecurity.serviceConfig.Environment = fullSystemPath;

      # Tray icon and the per-user service/timer are enabled together, and only
      # when trayIcon is true. With trayIcon = false none of the three user
      # units below is enabled by this module, including the timer.
      user = lib.mkIf cfg.trayIcon {
        services.paretosecurity-trayicon.wantedBy = [ "graphical-session.target" ];

        # Same PATH requirement as the helper service above.
        services.paretosecurity-user = {
          wantedBy = [ "graphical-session.target" ];
          serviceConfig.Environment = fullSystemPath;
        };

        timers.paretosecurity-user.wantedBy = [ "timers.target" ];
      };
    };
  };
}