depot/nixos/modules/services/networking/tetrd.nix
Luke Granger-Brown 57725ef3ec Squashed 'third_party/nixpkgs/' content from commit 76612b17c0ce
git-subtree-dir: third_party/nixpkgs
git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
2024-11-10 23:59:47 +00:00

96 lines
2.6 KiB
Nix

{ config, lib, pkgs, ... }:
{
options.services.tetrd.enable = lib.mkEnableOption "tetrd";
config = lib.mkIf config.services.tetrd.enable {
environment = {
systemPackages = [ pkgs.tetrd ];
etc."resolv.conf".source = "/etc/tetrd/resolv.conf";
};
systemd = {
tmpfiles.rules = [ "f /etc/tetrd/resolv.conf - - -" ];
services.tetrd = {
description = pkgs.tetrd.meta.description;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.tetrd}/opt/Tetrd/bin/tetrd";
Restart = "always";
RuntimeDirectory = "tetrd";
RootDirectory = "/run/tetrd";
DynamicUser = true;
UMask = "006";
DeviceAllow = "usb_device";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateMounts = true;
PrivateNetwork = lib.mkDefault false;
PrivateTmp = true;
PrivateUsers = lib.mkDefault false;
ProtectClock = lib.mkDefault false;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@aio"
"~@chown"
"~@clock"
"~@cpu-emulation"
"~@debug"
"~@keyring"
"~@memlock"
"~@module"
"~@mount"
"~@obsolete"
"~@pkey"
"~@raw-io"
"~@reboot"
"~@swap"
"~@sync"
];
BindReadOnlyPaths = [
builtins.storeDir
"/etc/ssl"
"/etc/static/ssl"
"${pkgs.nettools}/bin/route:/usr/bin/route"
"${pkgs.nettools}/bin/ifconfig:/usr/bin/ifconfig"
];
BindPaths = [
"/etc/tetrd/resolv.conf:/etc/resolv.conf"
"/run"
"/var/log"
];
CapabilityBoundingSet = [
"CAP_DAC_OVERRIDE"
"CAP_NET_ADMIN"
];
AmbientCapabilities = [
"CAP_DAC_OVERRIDE"
"CAP_NET_ADMIN"
];
};
};
};
};
}