blob: f639e9283de422948b589f1514c424ba4d2ab57c (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.ydotool;
in
{
meta = {
maintainers = with lib.maintainers; [ quantenzitrone ];
};
options.programs.ydotool = {
enable = lib.mkEnableOption ''
ydotoold system service and install ydotool.
Add yourself to the 'ydotool' group to be able to use it.
'';
};
config = lib.mkIf cfg.enable {
users.groups.ydotool = { };
systemd.services.ydotoold = {
description = "ydotoold - backend for ydotool";
wantedBy = [ "multi-user.target" ];
partOf = [ "multi-user.target" ];
serviceConfig = {
Group = "ydotool";
RuntimeDirectory = "ydotoold";
RuntimeDirectoryMode = "0750";
ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=/run/ydotoold/socket --socket-perm=0660";
# hardening
## allow access to uinput
DeviceAllow = [ "/dev/uinput" ];
DevicePolicy = "closed";
## allow creation of unix sockets
RestrictAddressFamilies = [ "AF_UNIX" ];
CapabilityBoundingSet = "";
IPAddressDeny = "any";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectUser = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
# -> systemd-analyze security score 0.7 SAFE 😀
};
};
environment.variables = {
YDOTOOL_SOCKET = "/run/ydotoold/socket";
};
environment.systemPackages = with pkgs; [ ydotool ];
};
}
|