···

       
209
       
209
       
 
       


     

       
210
       
210
       
 
       
- [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable).

     

       
211
       
211
       
 
       


     

       
212
       
212
       
+
       
- [ydotool](https://github.com/ReimuNotMoe/ydotool), a generic command-line automation tool now has a module. Available as [programs.ydotool](#opt-programs.ydotool.enable)

     

       
213
       
213
       
+
       


     

       
212
       
214
       
 
       
- [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable).

     

       
213
       
215
       
 
       


     

       
214
       
216
       
 
       
## Backward Incompatibilities {#sec-release-24.05-incompatibilities}

     

···

       
308
       
308
       
 
       
  ./programs/xwayland.nix

     

       
309
       
309
       
 
       
  ./programs/yabar.nix

     

       
310
       
310
       
 
       
  ./programs/yazi.nix

     

       
311
       
311
       
+
       
  ./programs/ydotool.nix

     

       
311
       
312
       
 
       
  ./programs/yubikey-touch-detector.nix

     

       
312
       
313
       
 
       
  ./programs/zmap.nix

     

       
313
       
314
       
 
       
  ./programs/zsh/oh-my-zsh.nix

     

···

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  config,

     

       
3
       
3
       
+
       
  lib,

     

       
4
       
4
       
+
       
  pkgs,

     

       
5
       
5
       
+
       
  ...

     

       
6
       
6
       
+
       
}:

     

       
7
       
7
       
+
       
let

     

       
8
       
8
       
+
       
  cfg = config.programs.ydotool;

     

       
9
       
9
       
+
       
in

     

       
10
       
10
       
+
       
{

     

       
11
       
11
       
+
       
  meta = {

     

       
12
       
12
       
+
       
    maintainers = with lib.maintainers; [ quantenzitrone ];

     

       
13
       
13
       
+
       
  };

     

       
14
       
14
       
+
       


     

       
15
       
15
       
+
       
  options.programs.ydotool = {

     

       
16
       
16
       
+
       
    enable = lib.mkEnableOption ''

     

       
17
       
17
       
+
       
      ydotoold system service and install ydotool.

     

       
18
       
18
       
+
       
      Add yourself to the 'ydotool' group to be able to use it.

     

       
19
       
19
       
+
       
    '';

     

       
20
       
20
       
+
       
  };

     

       
21
       
21
       
+
       


     

       
22
       
22
       
+
       
  config = lib.mkIf cfg.enable {

     

       
23
       
23
       
+
       
    users.groups.ydotool = { };

     

       
24
       
24
       
+
       


     

       
25
       
25
       
+
       
    systemd.services.ydotoold = {

     

       
26
       
26
       
+
       
      description = "ydotoold - backend for ydotool";

     

       
27
       
27
       
+
       
      wantedBy = [ "multi-user.target" ];

     

       
28
       
28
       
+
       
      partOf = [ "multi-user.target" ];

     

       
29
       
29
       
+
       
      serviceConfig = {

     

       
30
       
30
       
+
       
        Group = "ydotool";

     

       
31
       
31
       
+
       
        RuntimeDirectory = "ydotoold";

     

       
32
       
32
       
+
       
        RuntimeDirectoryMode = "0750";

     

       
33
       
33
       
+
       
        ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=/run/ydotoold/socket --socket-perm=0660";

     

       
34
       
34
       
+
       


     

       
35
       
35
       
+
       
        # hardening

     

       
36
       
36
       
+
       


     

       
37
       
37
       
+
       
        ## allow access to uinput

     

       
38
       
38
       
+
       
        DeviceAllow = [ "/dev/uinput" ];

     

       
39
       
39
       
+
       
        DevicePolicy = "closed";

     

       
40
       
40
       
+
       


     

       
41
       
41
       
+
       
        ## allow creation of unix sockets

     

       
42
       
42
       
+
       
        RestrictAddressFamilies = [ "AF_UNIX" ];

     

       
43
       
43
       
+
       


     

       
44
       
44
       
+
       
        CapabilityBoundingSet = "";

     

       
45
       
45
       
+
       
        IPAddressDeny = "any";

     

       
46
       
46
       
+
       
        LockPersonality = true;

     

       
47
       
47
       
+
       
        MemoryDenyWriteExecute = true;

     

       
48
       
48
       
+
       
        NoNewPrivileges = true;

     

       
49
       
49
       
+
       
        PrivateNetwork = true;

     

       
50
       
50
       
+
       
        PrivateTmp = true;

     

       
51
       
51
       
+
       
        PrivateUsers = true;

     

       
52
       
52
       
+
       
        ProcSubset = "pid";

     

       
53
       
53
       
+
       
        ProtectClock = true;

     

       
54
       
54
       
+
       
        ProtectControlGroups = true;

     

       
55
       
55
       
+
       
        ProtectHome = true;

     

       
56
       
56
       
+
       
        ProtectHostname = true;

     

       
57
       
57
       
+
       
        ProtectKernelLogs = true;

     

       
58
       
58
       
+
       
        ProtectKernelModules = true;

     

       
59
       
59
       
+
       
        ProtectKernelTunables = true;

     

       
60
       
60
       
+
       
        ProtectProc = "invisible";

     

       
61
       
61
       
+
       
        ProtectSystem = "strict";

     

       
62
       
62
       
+
       
        ProtectUser = true;

     

       
63
       
63
       
+
       
        RestrictNamespaces = true;

     

       
64
       
64
       
+
       
        RestrictRealtime = true;

     

       
65
       
65
       
+
       
        RestrictSUIDSGID = true;

     

       
66
       
66
       
+
       
        SystemCallArchitectures = "native";

     

       
67
       
67
       
+
       
        SystemCallFilter = [

     

       
68
       
68
       
+
       
          "@system-service"

     

       
69
       
69
       
+
       
          "~@privileged"

     

       
70
       
70
       
+
       
          "~@resources"

     

       
71
       
71
       
+
       
        ];

     

       
72
       
72
       
+
       
        UMask = "0077";

     

       
73
       
73
       
+
       


     

       
74
       
74
       
+
       
        # -> systemd-analyze security score 0.7 SAFE 😀

     

       
75
       
75
       
+
       
      };

     

       
76
       
76
       
+
       
    };

     

       
77
       
77
       
+
       


     

       
78
       
78
       
+
       
    environment.variables = {

     

       
79
       
79
       
+
       
      YDOTOOL_SOCKET = "/run/ydotoold/socket";

     

       
80
       
80
       
+
       
    };

     

       
81
       
81
       
+
       
    environment.systemPackages = with pkgs; [ ydotool ];

     

       
82
       
82
       
+
       
  };

     

       
83
       
83
       
+
       
}