Split module to different file

pull/2/head
Tudor Roman 2023-09-14 22:22:25 +02:00
parent 942e43395e
commit fe4373583b
Signed by: tudor
SSH Key Fingerprint: SHA256:3CwS9plgXBecpXImPGxDIaSktUXBejbV/zerZMqzzBk
2 changed files with 78 additions and 77 deletions


@ -46,82 +46,6 @@
yarr = pkgs.callPackage yarrPkg {};
});
nixosModules.default = { config, lib, pkgs, ... }: with lib; let
cfg = config.services.yarr;
in {
options = {
services.yarr = {
enable = mkEnableOption "yarr";
package = mkOption {
type = types.package;
default = pkgs.yarr;
defaultText = literalExpression "pkgs.yarr";
description = "Yarr package to use.";
};
environmentFile = mkOption {
type = types.path;
description = ''
File containing config environment variables starting with YARR_
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [
cfg.package
];
users.users.yarr = {
description = "Yarr user";
group = "yarr";
isSystemUser = true;
};
users.groups.yarr = {};
systemd.services.yarr = {
description = "Yarr Feed Reader service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/yarr";
User = "yarr";
DynamicUser = true;
StateDirectory = "yarr";
StateDirectoryMode = "0700";
Environment = [
"XDG_CONFIG_HOME=%S"
];
EnvironmentFile = cfg.environmentFile;
# Hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" ];
UMask = "0077";
};
};
};
};
nixosModules.default = import ./module.nix;
};
}

77
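--- /dev/null
+++ b/module.nix
@@ -0,0 +1,77 @@
+{ config, lib, pkgs, ... }: with lib; let
+cfg = config.services.yarr;
+in {
+options = {
+services.yarr = {
+enable = mkEnableOption "yarr";
+package = mkOption {
+type = types.package;
+default = pkgs.yarr;
+defaultText = literalExpression "pkgs.yarr";
+description = "Yarr package to use.";
+};
+environmentFile = mkOption {
+type = types.path;
+description = ''
+File containing config environment variables starting with YARR_
+'';
+};
+};
+};
+config = mkIf cfg.enable {
+environment.systemPackages = [
+cfg.package
+];
+users.users.yarr = {
+description = "Yarr user";
+group = "yarr";
+isSystemUser = true;
+};
+users.groups.yarr = {};
+systemd.services.yarr = {
+description = "Yarr Feed Reader service";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+ExecStart = "${cfg.package}/bin/yarr";
+User = "yarr";
+DynamicUser = true;
+StateDirectory = "yarr";
+StateDirectoryMode = "0700";
+Environment = [
+"XDG_CONFIG_HOME=%S"
+];
+EnvironmentFile = cfg.environmentFile;
+# Hardening
+CapabilityBoundingSet = [ "" ];
+DeviceAllow = [ "" ];
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+PrivateDevices = true;
+PrivateUsers = true;
+ProcSubset = "pid";
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [ "@system-service" "~@privileged" ];
+UMask = "0077";
+};
+};
+};
+}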
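Review bot: The `environmentFile` option in module.nix is typed `types.path` with no warning that a Nix path literal (e.g. `./yarr.env`) is coerced into a store path and copied into the world-readable Nix store, which matters here because the file is the carrier for `YARR_*` configuration that may include credentials; its description should say so, e.g. `Absolute path (as a string, outside the Nix store) to a file of YARR_* environment variables. Do not pass a path literal such as ./yarr.env: it would be copied into the world-readable store.` Separately, `DynamicUser = true` is combined with a statically declared `users.users.yarr`/`users.groups.yarr` and `User = "yarr"`; systemd then reuses the pre-existing static account and allocates nothing dynamically, so one of the two mechanisms is redundant and the module would be clearer keeping either the static account (and dropping `DynamicUser`) or `DynamicUser` alone (and dropping the `users.*` definitions). The option also has no default, so enabling the service without setting it is an evaluation error; if that is not intended, `type = types.nullOr types.path; default = null;` together with `EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;` makes it optional.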