washngpmachien.nix edited
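{
  lib,
  pkgs,
  config,
  ...
}:
# NixOS module: a oneshot `washng-machine` service plus a timer that fires it
# every minute. Settings are passed to the program through the environment.
let
  cfg = config.services.washng-machine;
in
{
  options.services.washng-machine = {
    enable = lib.mkEnableOption "washien machien";

    package = lib.mkOption {
      type = lib.types.package;
      # Built from the sibling default.nix unless the caller overrides it.
      default = pkgs.callPackage ./default.nix { };
      description = "The package to use for th washng machine";
    };

    # Every non-null entry below is exported as a KEY=value environment
    # variable via Environment= in the unit. Those values are baked into the
    # generated unit file in the world-readable Nix store, so anything secret
    # should go through environmentFiles instead.
    settings = {
      IDENTIFIER = lib.mkOption {
        type = lib.types.str;
        description = "ur bee sky identifier";
      };
      BACKGROUND = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = "background colour";
      };
      AVATAR = lib.mkOption {
        type = lib.types.str;
        description = "avatar image path";
      };
    };

    # Paths handed to EnvironmentFile=; read by systemd at service start, not
    # copied into the store.
    environmentFiles = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "The environment file to use for WASHING MACHIEn";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services = {
      washng-machine = {
        description = "washng-machine";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];

        serviceConfig = {
          Type = "oneshot";
          EnvironmentFile = cfg.environmentFiles;
          # One entry per non-null setting. toString is the identity on
          # strings and renders ints in decimal, so this covers the same
          # cases as an explicit isInt check would.
          Environment = lib.mapAttrsToList (k: v: "${k}=${toString v}") (
            lib.filterAttrs (_: v: v != null) cfg.settings
          );

          # AVATAR is a caller-supplied path. Quote it so whitespace cannot
          # split it into extra arguments and so systemd's ExecStart= parsing
          # does not treat `$…` sequences in it as environment references.
          # NOTE(review): ProtectHome = true below hides /home from the
          # service, so a path under a home directory will not be readable —
          # confirm where AVATAR is expected to live.
          ExecStart = "${lib.getExe cfg.package} ${lib.escapeShellArg cfg.settings.AVATAR}";
          RemainAfterExit = false;

          # Hardening
          # NOTE(review): no User=/DynamicUser= is set, so the unit runs as
          # root; the directives below narrow what root may touch but do not
          # drop to an unprivileged account — TODO confirm whether
          # DynamicUser = true is workable for this program.
          RemoveIPC = true;
          # TODO(review): confirm the program really binds a privileged port;
          # if not, an empty bounding set ([ "" ]) is the tighter choice.
          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
          NoNewPrivileges = true;
          PrivateDevices = true;
          ProtectClock = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          ProtectKernelModules = true;
          PrivateMounts = true;
          SystemCallArchitectures = [ "native" ];
          MemoryDenyWriteExecute = false; # required by V8 JIT
          RestrictNamespaces = true;
          RestrictSUIDSGID = true;
          ProtectHostname = true;
          LockPersonality = true;
          ProtectKernelTunables = true;
          # Only local sockets and IPv4/IPv6 are reachable.
          RestrictAddressFamilies = [
            "AF_UNIX"
            "AF_INET"
            "AF_INET6"
          ];
          RestrictRealtime = true;
          DeviceAllow = [ "" ];
          ProtectProc = "invisible";
          ProcSubset = "pid";
          ProtectHome = true;
          PrivateUsers = true;
          PrivateTmp = true;
          # Files the service creates are owner-only.
          UMask = "0077";
          # NOTE(review): ProtectSystem= is not set, so the rest of the root
          # filesystem stays writable to the (root) service — TODO consider
          # ProtectSystem = "strict" once the program's write paths are known.
        };
      };
    };

    # Re-runs the oneshot service on a fixed cadence.
    systemd.timers.washng-machine = {
      description = "Run washng-machine every minute";
      wantedBy = [ "timers.target" ];

      timerConfig = {
        OnBootSec = "1min"; # first run 1 minute after boot
        OnUnitActiveSec = "1min"; # run every minute
        AccuracySec = "5s";
        Unit = "washng-machine.service"; # the service to run
      };
    };
  };
}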