nixos-config/lib/system.nix


{ lib, ... }:
with lib;
let
# See: man capabilities(7)
#
# Every Linux capability name as listed in capabilities(7), up to and
# including CAP_CHECKPOINT_RESTORE (added in Linux 5.9). restrict-capabilities
# below uses this list to build the CapabilityBoundingSet= value for a unit,
# so it must be kept complete and in sync with the kernel: a capability that
# is missing here is simply unknown to the sandboxing helper. Re-check against
# capabilities(7) after a kernel upgrade.
#
# Inline notes mark the entries that are most commonly a full sandbox escape
# on their own.
capabilities = [
  "CAP_AUDIT_CONTROL"
  "CAP_AUDIT_READ"
  "CAP_AUDIT_WRITE"
  "CAP_BLOCK_SUSPEND"
  "CAP_BPF"                # load BPF programs; kernel code execution path
  "CAP_CHECKPOINT_RESTORE"
  "CAP_CHOWN"
  "CAP_DAC_OVERRIDE"       # bypass file permission checks
  "CAP_DAC_READ_SEARCH"
  "CAP_FOWNER"
  "CAP_FSETID"
  "CAP_IPC_LOCK"
  "CAP_IPC_OWNER"
  "CAP_KILL"
  "CAP_LEASE"
  "CAP_LINUX_IMMUTABLE"
  "CAP_MAC_ADMIN"
  "CAP_MAC_OVERRIDE"
  "CAP_MKNOD"
  "CAP_NET_ADMIN"
  "CAP_NET_BIND_SERVICE"   # the one most daemons actually need (ports < 1024)
  "CAP_NET_BROADCAST"
  "CAP_NET_RAW"
  "CAP_PERFMON"
  "CAP_SETGID"             # with SETUID: become any user/group
  "CAP_SETFCAP"
  "CAP_SETPCAP"
  "CAP_SETUID"
  "CAP_SYS_ADMIN"          # catch-all; effectively root
  "CAP_SYS_BOOT"
  "CAP_SYS_CHROOT"
  "CAP_SYS_MODULE"         # load kernel modules
  "CAP_SYS_NICE"
  "CAP_SYS_PACCT"
  "CAP_SYS_PTRACE"         # trace/inject into other processes
  "CAP_SYS_RAWIO"          # raw device and port I/O
  "CAP_SYS_RESOURCE"
  "CAP_SYS_TIME"
  "CAP_SYS_TTY_CONFIG"
  "CAP_SYSLOG"
  "CAP_WAKE_ALARM"
];
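# Build the value for systemd's CapabilityBoundingSet= from the list of
# capabilities a unit actually needs.
#
#   * allowed == [ ]  ->  ""  — systemd resets the bounding set to the empty
#     set. This replaces the previous "~CAP_A CAP_B ..." deny-list encoding:
#     a deny list is only as complete as the `capabilities` list above, so a
#     capability the kernel gains later would have stayed in the bounding
#     set. The empty assignment drops everything regardless of kernel version.
#   * otherwise       ->  the allowed names, space separated (an allow list).
#
# Every requested name is checked against `capabilities` (exact, uppercase
# spelling). A misspelled name is an evaluation error here instead of a
# directive that systemd ignores at unit load time, which would leave the
# service running without the capability it was meant to get.
restrict-capabilities = allowed:
  let
    unknown = subtractLists capabilities allowed;
  in
  if unknown != [ ] then
    throw "restrict-capabilities: unknown capabilities: ${concatStringsSep " " unknown}"
  else if allowed == [ ] then
    ""
  else
    concatStringsSep " " allowed;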
in {
# Looks like a stub: any attribute set is accepted and ignored and the call
# evaluates to `false` rather than to a unit definition.
# NOTE(review): a caller that splices the result into systemd.services or
# systemd.timers will get a boolean — confirm nothing consumes this yet.
timed-service = { ... }: false;
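# Build a hardened systemd service definition — the value for
# `systemd.services.<name>` — with sandboxing switched on by default. Every
# knob is a named argument, so a unit has to opt *out* of a protection rather
# than remember to opt in.
#
# Arguments (all optional except `description`) mirror the systemd/NixOS
# setting they drive:
#   * unit wiring: after, before, requires, requiredBy, wantedBy, partOf,
#     restartIfChanged, path, environment, confine (NixOS confinement);
#   * lifecycle: script / execStart, reloadScript, preStart / postStart,
#     preStop / postStop, type, pidFile, restartWhen (Restart=), restartSec;
#   * identity and I/O: dynamicUser, user, group, workingDirectory,
#     standardOutput;
#   * sandboxing: privateNetwork, privateUsers, privateDevices, privateTmp,
#     privateMounts, protectControlGroups, protectKernelTunables,
#     protectKernelModules, protectSystem, protectHostname, protectHome,
#     keyringMode, lockPersonality, restrictRealtime, restrictSuidSgid,
#     memoryDenyWriteExecute;
#   * capabilities and network: requiredCapabilities (CapabilityBoundingSet=),
#     addressFamilies (RestrictAddressFamilies=), networkWhitelist
#     (IPAddressAllow= plus IPAddressDeny=any).
#
# Arguments that default to null are left out of the unit entirely (mkIf), so
# systemd's own default applies to them.
#
# Security notes:
#   * requiredCapabilities = [ ] (the default) removes every capability from
#     the bounding set via restrict-capabilities.
#   * networkWhitelist only has an effect when privateNetwork = false; with a
#     private network namespace the unit has no external network anyway.
#   * The `...` in the pattern accepts and silently drops unknown arguments,
#     so a misspelled knob keeps its (restrictive) default instead of failing
#     evaluation. Double-check names when deliberately loosening a setting.
#
# Fixes relative to the previous revision: the IP filter keys are now spelled
# `IPAddressAllow`/`IPAddressDeny` (systemd directive names are
# case-sensitive, so `IpAddressAllow`/`IpAddressDeny` were not applied), and
# `restrictSuidSgid` / `restartSec` — accepted but never emitted before — are
# now written to the unit.
default-service = { after ? [ ], script ? null, reloadScript ? null
  , before ? [ ], requires ? [ ], preStart ? null, postStop ? null
  , preStop ? null, postStart ? null, requiredBy ? [ ], environment ? { }
  , description, restartIfChanged ? true, confine ? false, path ? [ ]
  , privateNetwork ? true, dynamicUser ? true, privateUsers ? true
  , privateDevices ? true, privateTmp ? true, protectControlGroups ? true
  , restrictSuidSgid ? true, protectKernelTunables ? true
  , privateMounts ? true, protectKernelModules ? true, protectHome ? true
  , protectHostname ? true, keyringMode ? "private"
  , requiredCapabilities ? [ ], restartWhen ? "on-failure", restartSec ? "10"
  , execStart ? null, protectSystem ? "full", addressFamilies ? null
  , wantedBy ? [ ], workingDirectory ? null, user ? null, group ? null
  , type ? "simple", partOf ? [ ], standardOutput ? "journal", pidFile ? null
  , lockPersonality ? true, restrictRealtime ? true, networkWhitelist ? null
  , memoryDenyWriteExecute ? true, ... }: {
    enable = true;

    # Optional hooks: only present in the unit when the caller supplied them.
    script = mkIf (script != null) script;
    reload = mkIf (reloadScript != null) reloadScript;
    preStart = mkIf (preStart != null) preStart;
    postStart = mkIf (postStart != null) postStart;
    preStop = mkIf (preStop != null) preStop;
    postStop = mkIf (postStop != null) postStop;

    # Unit ordering and activation.
    after = after;
    before = before;
    requires = requires;
    requiredBy = requiredBy;
    wantedBy = wantedBy;
    partOf = partOf;

    description = description;
    environment = environment;
    path = path;
    restartIfChanged = restartIfChanged;
    # NixOS confinement (chroot-style store-only view); opt-in via `confine`.
    confinement = mkIf confine { enable = true; };

    serviceConfig = {
      # Namespace isolation.
      PrivateNetwork = privateNetwork;
      PrivateUsers = privateUsers;
      PrivateDevices = privateDevices;
      PrivateTmp = privateTmp;
      PrivateMounts = privateMounts;

      # Read-only / hidden views of the host.
      ProtectControlGroups = protectControlGroups;
      ProtectKernelTunables = protectKernelTunables;
      ProtectKernelModules = protectKernelModules;
      ProtectSystem = protectSystem;
      ProtectHostname = protectHostname;
      ProtectHome = protectHome;
      KeyringMode = keyringMode;

      # Process-level restrictions.
      LockPersonality = lockPersonality;
      RestrictRealtime = restrictRealtime;
      MemoryDenyWriteExecute = memoryDenyWriteExecute;
      # Declared in the signature but never emitted before. systemd documents
      # DynamicUser=yes as implying RestrictSUIDSGID=yes, so this mainly
      # matters for units that set dynamicUser = false.
      RestrictSUIDSGID = restrictSuidSgid;

      # Capability allow list derived from requiredCapabilities; see
      # restrict-capabilities for how the empty list is encoded.
      CapabilityBoundingSet = restrict-capabilities requiredCapabilities;

      # Network filtering. RestrictAddressFamilies= is only set when the
      # caller names families; the IP filter installs an allow list and
      # denies everything else. Directive names must be spelled exactly
      # `IPAddressAllow`/`IPAddressDeny` — systemd does not recognise the
      # previous `IpAddress*` spelling and ignores it, which left the
      # whitelist ineffective.
      RestrictAddressFamilies =
        mkIf (addressFamilies != null) (concatStringsSep " " addressFamilies);
      IPAddressAllow = mkIf (networkWhitelist != null) networkWhitelist;
      IPAddressDeny = mkIf (networkWhitelist != null) "any";

      # Identity and execution.
      DynamicUser = dynamicUser;
      User = mkIf (user != null) user;
      Group = mkIf (group != null) group;
      WorkingDirectory = mkIf (workingDirectory != null) workingDirectory;
      Type = type;
      ExecStart = mkIf (execStart != null) execStart;
      PIDFile = mkIf (pidFile != null) pidFile;
      StandardOutput = standardOutput;

      # Restart policy. RestartSec was accepted but never applied before.
      Restart = restartWhen;
      RestartSec = restartSec;
    };
  };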
}