blob: 44b82a931cd8446a15cb6869b4efcd62eebc9623 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.signald;
dataDir = "/var/lib/signald";
defaultUser = "signald";
in
{
options.services.signald = {
enable = mkEnableOption (lib.mdDoc "signald, the unofficial daemon for interacting with Signal");
user = mkOption {
type = types.str;
default = defaultUser;
description = lib.mdDoc "User under which signald runs.";
};
group = mkOption {
type = types.str;
default = defaultUser;
description = lib.mdDoc "Group under which signald runs.";
};
socketPath = mkOption {
type = types.str;
default = "/run/signald/signald.sock";
description = lib.mdDoc "Path to the signald socket";
};
};
config = mkIf cfg.enable {
users.users = optionalAttrs (cfg.user == defaultUser) {
${defaultUser} = {
group = cfg.group;
isSystemUser = true;
};
};
users.groups = optionalAttrs (cfg.group == defaultUser) {
${defaultUser} = { };
};
systemd.services.signald = {
description = "A daemon for interacting with the Signal Private Messenger";
wants = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStart = "${pkgs.signald}/bin/signald -d ${dataDir} -s ${cfg.socketPath}";
Restart = "on-failure";
StateDirectory = "signald";
RuntimeDirectory = "signald";
StateDirectoryMode = "0750";
RuntimeDirectoryMode = "0750";
BindReadOnlyPaths = [
"/nix/store"
"-/etc/resolv.conf"
"-/etc/nsswitch.conf"
"-/etc/hosts"
"-/etc/localtime"
];
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
# Use a static user so other applications can access the files
#DynamicUser = true;
LockPersonality = true;
# Needed for java
#MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
# Needs network access
#PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
# Would re-mount paths ignored by temporary root
#ProtectSystem = "strict";
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
TemporaryFileSystem = "/:ro";
# Does not work well with the temporary root
#UMask = "0066";
};
};
};
}
|