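{ lib, ... }:
let
  inherit (lib) mkIf concatStringsSep subtractLists;

  # Every Linux capability name known to capabilities(7).
  #
  # Used only to validate what a service requests before the names reach
  # systemd: systemd logs a warning and ignores a name it does not recognise,
  # so a typo would otherwise silently grant nothing and surface only as a
  # runtime failure of the service.
  # See: man capabilities(7)
  capabilities = [
    "CAP_AUDIT_CONTROL"
    "CAP_AUDIT_READ"
    "CAP_AUDIT_WRITE"
    "CAP_BLOCK_SUSPEND"
    "CAP_BPF"
    "CAP_CHECKPOINT_RESTORE"
    "CAP_CHOWN"
    "CAP_DAC_OVERRIDE"
    "CAP_DAC_READ_SEARCH"
    "CAP_FOWNER"
    "CAP_FSETID"
    "CAP_IPC_LOCK"
    "CAP_IPC_OWNER"
    "CAP_KILL"
    "CAP_LEASE"
    "CAP_LINUX_IMMUTABLE"
    "CAP_MAC_ADMIN"
    "CAP_MAC_OVERRIDE"
    "CAP_MKNOD"
    "CAP_NET_ADMIN"
    "CAP_NET_BIND_SERVICE"
    "CAP_NET_BROADCAST"
    "CAP_NET_RAW"
    "CAP_PERFMON"
    "CAP_SETGID"
    "CAP_SETFCAP"
    "CAP_SETPCAP"
    "CAP_SETUID"
    "CAP_SYS_ADMIN"
    "CAP_SYS_BOOT"
    "CAP_SYS_CHROOT"
    "CAP_SYS_MODULE"
    "CAP_SYS_NICE"
    "CAP_SYS_PACCT"
    "CAP_SYS_PTRACE"
    "CAP_SYS_RAWIO"
    "CAP_SYS_RESOURCE"
    "CAP_SYS_TIME"
    "CAP_SYS_TTY_CONFIG"
    "CAP_SYSLOG"
    "CAP_WAKE_ALARM"
  ];

  # Build the CapabilityBoundingSet= value for a service.
  #
  # `allowed` is the list of capability names the service needs.
  #
  # An empty request yields the empty string, which systemd.exec(5) documents
  # as "reset the bounding set to the empty capability set".  This is more
  # robust than negating the full list above ("~CAP_A CAP_B ..."): the
  # negated form leaves any capability missing from the list (for example one
  # introduced by a newer kernel) in the bounding set.
  #
  # A request naming a capability that is not in `capabilities` aborts
  # evaluation instead of becoming a warning in the journal at runtime.
  restrict-capabilities = allowed:
    let
      unknown = subtractLists capabilities allowed;
    in
    if unknown != [ ] then
      throw "restrict-capabilities: unknown capability name(s): ${concatStringsSep " " unknown}"
    else if allowed == [ ] then
      ""
    else
      concatStringsSep " " allowed;

  # Only set an attribute when a value was actually supplied.
  whenSet = value: mkIf (value != null) value;
in
{
  # Placeholder for timer-driven services; not implemented yet, always false.
  timed-service = { ... }: false;

  # Build a hardened `systemd.services.<name>` definition.
  #
  # Every hardening knob defaults to its restrictive setting; callers opt out
  # of individual protections explicitly.  Unit-level attributes (after,
  # before, requires, ...) are passed through unchanged; `null` means "do not
  # set the corresponding key".
  #
  # Notable mappings:
  #   requiredCapabilities -> CapabilityBoundingSet= (empty set when [ ])
  #   networkWhitelist     -> IPAddressAllow= plus IPAddressDeny=any, i.e. an
  #                           allow-list; when null no IP filtering is set
  #   addressFamilies      -> RestrictAddressFamilies= (space separated)
  #   restrictSuidSgid     -> RestrictSUIDSGID=
  #   restartSec           -> RestartSec=
  default-service =
    { after ? [ ]
    , script ? null
    , reloadScript ? null
    , before ? [ ]
    , requires ? [ ]
    , preStart ? null
    , postStop ? null
    , preStop ? null
    , postStart ? null
    , requiredBy ? [ ]
    , environment ? { }
    , description
    , restartIfChanged ? true
    , confine ? false
    , path ? [ ]
      # Sandboxing / hardening; see systemd.exec(5).
    , privateNetwork ? true
    , dynamicUser ? true
    , privateUsers ? true
    , privateDevices ? true
    , privateTmp ? true
    , protectControlGroups ? true
    , restrictSuidSgid ? true
    , protectKernelTunables ? true
    , privateMounts ? true
    , protectKernelModules ? true
    , protectHome ? true
    , protectHostname ? true
    , keyringMode ? "private"
    , requiredCapabilities ? [ ]
    , restartWhen ? "on-failure"
    , restartSec ? "10"
    , execStart ? null
    , protectSystem ? "full"
    , addressFamilies ? null
    , wantedBy ? [ ]
    , workingDirectory ? null
    , user ? null
    , group ? null
    , type ? "simple"
    , partOf ? [ ]
    , standardOutput ? "journal"
    , pidFile ? null
    , lockPersonality ? true
    , restrictRealtime ? true
    , networkWhitelist ? null
    , memoryDenyWriteExecute ? true
    , ...
    }:
    {
      enable = true;

      script = whenSet script;
      reload = whenSet reloadScript;
      preStart = whenSet preStart;
      postStart = whenSet postStart;
      postStop = whenSet postStop;
      preStop = whenSet preStop;

      inherit after before requires wantedBy partOf requiredBy
        environment description restartIfChanged path;

      # NixOS confinement (chroot-style sandbox of the closure).
      confinement = mkIf confine { enable = true; };

      serviceConfig = {
        PrivateNetwork = privateNetwork;
        PrivateUsers = privateUsers;
        PrivateDevices = privateDevices;
        PrivateTmp = privateTmp;
        PrivateMounts = privateMounts;
        ProtectControlGroups = protectControlGroups;
        ProtectKernelTunables = protectKernelTunables;
        ProtectKernelModules = protectKernelModules;
        ProtectSystem = protectSystem;
        ProtectHostname = protectHostname;
        ProtectHome = protectHome;
        KeyringMode = keyringMode;
        # Empty request => empty bounding set; unknown names fail at eval time.
        CapabilityBoundingSet = restrict-capabilities requiredCapabilities;
        # Previously accepted but never emitted: the parameter was silently
        # dropped and the service ran without the restriction.
        RestrictSUIDSGID = restrictSuidSgid;
        DynamicUser = dynamicUser;
        Restart = restartWhen;
        RestartSec = restartSec;
        WorkingDirectory = whenSet workingDirectory;
        RestrictAddressFamilies =
          mkIf (addressFamilies != null) (concatStringsSep " " addressFamilies);
        User = whenSet user;
        Group = whenSet group;
        Type = type;
        StandardOutput = standardOutput;
        PIDFile = whenSet pidFile;
        LockPersonality = lockPersonality;
        RestrictRealtime = restrictRealtime;
        # systemd keys are case-sensitive: these are IPAddressAllow= /
        # IPAddressDeny= (systemd.resource-control(5)).  The earlier spelling
        # "IpAddressAllow" was an unknown key that systemd ignored, so the
        # allow-list was never enforced.
        IPAddressAllow = whenSet networkWhitelist;
        IPAddressDeny = mkIf (networkWhitelist != null) "any";
        ExecStart = whenSet execStart;
        MemoryDenyWriteExecute = memoryDenyWriteExecute;
      };
    };
}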