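{
  pkgs,
  lib,
  config,
  utils,
  ...
}:
# NixOS module for nixseparatedebuginfod2, a debuginfod server that serves
# source and debuginfo for nix packages to debuggers on this host.
let
  cfg = config.services.nixseparatedebuginfod2;
  # The server is only ever bound to loopback; `port` is the sole listen knob.
  # Nothing off-host can reach it, but every local user can.
  listenAddress = "127.0.0.1:${toString cfg.port}";
in
{
  options = {
    services.nixseparatedebuginfod2 = {
      enable = lib.mkEnableOption "nixseparatedebuginfod2, a debuginfod server providing source and debuginfo for nix packages";
      port = lib.mkOption {
        description = "Port to listen on. The server is always bound to 127.0.0.1 and is not reachable from other hosts.";
        default = 1950;
        type = lib.types.port;
      };
      package = lib.mkPackageOption pkgs "nixseparatedebuginfod2" { };
      substituter = lib.mkOption {
        description = "Nix substituter to fetch debuginfo from. Either an http/https substituter, or `local:` to use debuginfo already present in the local store.";
        default = "https://cache.nixos.org";
        example = "local:";
        type = lib.types.str;
      };
      cacheExpirationDelay = lib.mkOption {
        description = "Keep unused cache entries for this long. A number followed by a unit, e.g. `7d`; passed verbatim to the server's `--expiration` flag.";
        default = "1d";
        example = "7d";
        type = lib.types.str;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.nixseparatedebuginfod2 = {
      wantedBy = [ "multi-user.target" ];
      # The server needs the nix CLI on its PATH — presumably to realise
      # debuginfo outputs from the substituter; confirm against the binary.
      path = [ config.nix.package ];
      serviceConfig = {
        # NOTE(review): with an http:// substituter the transport is plaintext,
        # and whether fetched paths are signature-verified is up to the nix
        # client configuration, not this module — confirm before relying on it.
        ExecStart = [
          (utils.escapeSystemdExecArgs [
            (lib.getExe cfg.package)
            "--listen-address"
            listenAddress
            "--substituter"
            cfg.substituter
            "--expiration"
            cfg.cacheExpirationDelay
          ])
        ];
        Restart = "on-failure";
        # The only writable state (/var/cache/nixseparatedebuginfod2);
        # everything else is read-only under ProtectSystem=strict below.
        CacheDirectory = "nixseparatedebuginfod2";
        # Run as a transient, unprivileged user allocated per start.
        DynamicUser = true;

        # hardening
        # Filesystem stuff
        ProtectSystem = "strict"; # Prevent writing to most of /
        ProtectHome = true; # Prevent accessing /home and /root
        PrivateTmp = true; # Give an own directory under /tmp
        PrivateDevices = true; # Deny access to most of /dev
        ProtectKernelTunables = true; # Protect some parts of /sys
        ProtectControlGroups = true; # Remount cgroups read-only
        RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
        PrivateMounts = true; # Give an own mount namespace
        RemoveIPC = true; # Drop SysV IPC objects of the dynamic user when the service stops
        UMask = "0077"; # Files created in the cache dir are private to the service user

        # Capabilities
        CapabilityBoundingSet = ""; # Allow no capabilities at all
        NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.

        # Kernel stuff
        ProtectKernelModules = true; # Prevent loading of kernel modules
        SystemCallArchitectures = "native"; # Usually no need to disable this
        SystemCallFilter = "@system-service"; # systemd's allow-list for ordinary system services
        ProtectKernelLogs = true; # Prevent access to kernel logs
        ProtectClock = true; # Prevent setting the RTC
        ProtectProc = "noaccess"; # Other users' processes are invisible in /proc
        ProcSubset = "pid"; # Expose only /proc/<pid> entries, not the rest of /proc

        # Networking
        # AF_INET/AF_INET6 serve both the loopback listener and the outbound
        # fetch from an http(s) substituter; AF_UNIX is presumably for the
        # nix-daemon socket — confirm if tightening further.
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";

        # Misc
        LockPersonality = true; # Prevent change of the personality
        ProtectHostname = true; # Give an own UTS namespace
        RestrictRealtime = true; # Prevent switching to RT scheduling
        MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
        RestrictNamespaces = true; # Service cannot create user/mount/net/... namespaces
      };
    };

    # Advertise the server to this host's debuggers; the listener speaks plain
    # HTTP, which is fine here only because it never leaves loopback.
    environment.debuginfodServers = [ "http://${listenAddress}" ];
  };
}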