45 lines
1.4 KiB
Nix
45 lines
1.4 KiB
Nix
{ depot, config, lib, ... }:
|
|
let
|
|
cfg = config.services.lightspeed.webrtc;
|
|
inherit (lib) mkOption types mkEnableOption;
|
|
in
|
|
{
|
|
options.services.lightspeed.webrtc = {
|
|
enable = mkEnableOption "Lightspeed WebRTC server (RTP->WebRTC)";
|
|
address = mkOption {
|
|
description = "Address to listen on for incoming RTP traffic and websockets";
|
|
default = "127.0.0.1";
|
|
type = types.str;
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
systemd.services.lightspeed-webrtc = {
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
ExecStart = "${depot.pkgs.lightspeed-webrtc}/bin/lightspeed-webrtc -addr ${cfg.address}";
|
|
DynamicUser = true;
|
|
ProtectSystem = "strict";
|
|
CapabilityBoundingSet = "";
|
|
RestrictAddressFamilies = "AF_INET AF_INET6";
|
|
RestrictNamespaces = true;
|
|
PrivateDevices = true;
|
|
PrivateUsers = true;
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = "tmpfs";
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectProc = "noaccess";
|
|
SystemCallArchitectures = "native";
|
|
RestrictRealtime = true;
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
UMask = "0077";
|
|
ProtectHostname = true;
|
|
};
|
|
};
|
|
};
|
|
}
|