commit 4e6df6f865bf4b1b6fd94bfdcdb3e0b1a828d5a2 · pyrox.dev/nixpkgs

+6 -36

nixos/modules/services/misc/redlib.nix

···

       89
       89
        
         };

     

       90
       90
        
       

     

       91
       91
        
         config = mkIf cfg.enable {

     

       92
       92
       +
           systemd.packages = [ cfg.package ];

     

       92
       93
        
           systemd.services.redlib = {

     

       93
       93
       -
             description = "Private front-end for Reddit";

     

       94
       94
       -
             wantedBy = [ "multi-user.target" ];

     

       95
       95
       -
             after = [ "network.target" ];

     

       94
       94
       +
             wantedBy = [ "default.target" ];

     

       96
       95
        
             environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings;

     

       97
       96
        
             serviceConfig = {

     

       98
       98
       -
               DynamicUser = true;

     

       99
       99
       -
               ExecStart = "${lib.getExe cfg.package} ${args}";

     

       97
       97
       +
               ExecStart = [

     

       98
       98
       +
                 ""

     

       99
       99
       +
                 "${lib.getExe cfg.package} ${args}"

     

       100
       100
       +
               ];

     

       100
       101
        
               AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];

     

       101
       101
       -
               Restart = "on-failure";

     

       102
       102
       -
               RestartSec = "2s";

     

       103
       103
       -
       

     

       104
       104
       -
               # Hardening

     

       105
       102
        
               CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];

     

       106
       106
       -
               DeviceAllow = [ "" ];

     

       107
       107
       -
               LockPersonality = true;

     

       108
       108
       -
               MemoryDenyWriteExecute = true;

     

       109
       109
       -
               PrivateDevices = true;

     

       110
       103
        
               # A private user cannot have process capabilities on the host's user

     

       111
       104
        
               # namespace and thus CAP_NET_BIND_SERVICE has no effect.

     

       112
       105
        
               PrivateUsers = (cfg.port >= 1024);

     

       113
       113
       -
               ProcSubset = "pid";

     

       114
       114
       -
               ProtectClock = true;

     

       115
       115
       -
               ProtectControlGroups = true;

     

       116
       116
       -
               ProtectHome = true;

     

       117
       117
       -
               ProtectHostname = true;

     

       118
       118
       -
               ProtectKernelLogs = true;

     

       119
       119
       -
               ProtectKernelModules = true;

     

       120
       120
       -
               ProtectKernelTunables = true;

     

       121
       121
       -
               ProtectProc = "invisible";

     

       122
       122
       -
               RestrictAddressFamilies = [

     

       123
       123
       -
                 "AF_INET"

     

       124
       124
       -
                 "AF_INET6"

     

       125
       125
       -
               ];

     

       126
       126
       -
               RestrictNamespaces = true;

     

       127
       127
       -
               RestrictRealtime = true;

     

       128
       128
       -
               RestrictSUIDSGID = true;

     

       129
       129
       -
               SystemCallArchitectures = "native";

     

       130
       130
       -
               SystemCallFilter = [

     

       131
       131
       -
                 "@system-service"

     

       132
       132
       -
                 "~@privileged"

     

       133
       133
       -
                 "~@resources"

     

       134
       134
       -
               ];

     

       135
       135
       -
               UMask = "0077";

     

       136
       106
        
             };

     

       137
       107
        
           };

     

       138
       108

pkgs/by-name/re/redlib/package.nix

···

       24
       24
        
           darwin.apple_sdk.frameworks.Security

     

       25
       25
        
         ];

     

       26
       26
        
       

     

       27
       27
       +
         postInstall = ''

     

       28
       28
       +
           install -Dm644 contrib/redlib.service $out/lib/systemd/system/redlib.service

     

       29
       29
       +
           sed -i "s#/usr/bin/redlib#$out/bin/redlib#" $out/lib/systemd/system/redlib.service

     

       30
       30
       +
           sed -i "/EnvironmentFile/d" $out/lib/systemd/system/redlib.service

     

       31
       31
       +
         '';

     

       32
       32
       +
       

     

       27
       33
        
         checkFlags = [

     

       28
       34
        
           # All these test try to connect to Reddit.

     

       29
       35
        
           # utils.rs