# SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

{ depot, pkgs, ... }:

{
  # Grouping target for the barf services: barf-fe and barf-sapid are both
  # wantedBy "barf.target", and this target is in turn pulled in by
  # multi-user.target.
  systemd.targets.barf.wantedBy = [ "multi-user.target" ];
  # Installs barfcli behind a setuid-root wrapper, so the binary runs with
  # root's effective UID for whichever user invokes it.
  # NOTE(review): neither `permissions` nor a restrictive `group` is set here,
  # so who may execute the wrapper is left at the module default. Confirm that
  # is intended and that barfcli treats its arguments and environment as
  # untrusted input.
  # NOTE(review): presumably root is needed to open barf-fe's DynamicUser
  # state directory. Confirm, and prefer a narrower mechanism if one fits.
  security.wrappers.barf-cli = {
    owner = "root";
    group = "root";
    setuid = true;
    source = "${depot.web.barf.frontend}/bin/barfcli";
  };
  # Frontend service. Runs as a systemd DynamicUser with an empty capability
  # bounding set; the options below are grouped by what they restrict.
  systemd.services.barf-fe = {
    wantedBy = [ "barf.target" ];
    serviceConfig = {
      ExecStart = builtins.concatStringsSep " " [
        "${depot.web.barf.frontend}/bin/barffe"
        # No host part, unlike the backend's 127.0.0.1 bind.
        # NOTE(review): presumably this listens on every interface. Confirm the
        # port is meant to be reachable, or is firewalled / behind a proxy.
        "-serve=:12001"
        # Plain HTTP, but addressed to loopback; the port matches barf-sapid's
        # -serve flag.
        "-sam_backend=http://127.0.0.1:11316"
        # Path under the StateDirectory declared below.
        "-db_path=/var/lib/barf-fe/db.db"
      ];
      Restart = "always";

      # Identity and writable state.
      DynamicUser = true;
      User = "barf-fe";
      StateDirectory = "barf-fe";

      # Privilege reduction: no capabilities, private user namespace, no
      # personality changes, no new namespaces, no realtime scheduling.
      CapabilityBoundingSet = "";
      PrivateUsers = true;
      LockPersonality = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;

      # Filesystem, device and /proc visibility.
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHome = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Kernel and host interfaces.
      ProtectKernelLogs = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectClock = true;

      # Socket families the service may create.
      # NOTE(review): AF_NETLINK is allowed alongside the IP families. Confirm
      # the binary actually needs it.
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";

      # NOTE(review): SystemCallFilter and SystemCallArchitectures are not set
      # for this unit; worth evaluating once the service's needs are known.
    };
  };
  # Backend service that barf-fe reaches via -sam_backend. Runs as a systemd
  # DynamicUser with an empty capability bounding set; the options below are
  # grouped by what they restrict.
  systemd.services.barf-sapid = {
    wantedBy = [ "barf.target" ];
    serviceConfig = {
      ExecStart = builtins.concatStringsSep " " [
        "${depot.web.barf.sapi.sapid-wrapper}/bin/sapid-wrapper"
        # Loopback-only listener. That keeps it off the network but is not
        # authentication: other local processes can still connect.
        # NOTE(review): confirm whether sapid-wrapper authenticates callers.
        "-serve=127.0.0.1:11316"
      ];
      Restart = "always";
      # On stop, SIGTERM goes to the main process and SIGKILL to whatever else
      # remains in the unit's control group.
      # NOTE(review): presumably chosen because the wrapper spawns a child.
      KillMode = "mixed";

      # Identity and writable state (cache only, no StateDirectory).
      DynamicUser = true;
      User = "barf-sapid";
      CacheDirectory = "barf-sapid";

      # Privilege reduction: no capabilities, private user namespace, no
      # personality changes, no new namespaces, no realtime scheduling.
      CapabilityBoundingSet = "";
      PrivateUsers = true;
      LockPersonality = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;

      # Filesystem, device and /proc visibility.
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHome = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";

      # Kernel and host interfaces.
      ProtectKernelLogs = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectClock = true;

      # Socket families the service may create.
      # NOTE(review): AF_NETLINK is allowed alongside the IP families. Confirm
      # the binary actually needs it.
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";

      # NOTE(review): SystemCallFilter and SystemCallArchitectures are not set
      # for this unit; worth evaluating once the service's needs are known.
    };
  };
}