646b892680
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
61 lines
1.4 KiB
Nix
61 lines
1.4 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.services.realm;
|
|
configFormat = pkgs.formats.json { };
|
|
configFile = configFormat.generate "config.json" cfg.config;
|
|
inherit (lib)
|
|
mkEnableOption
|
|
mkPackageOption
|
|
mkOption
|
|
mkIf
|
|
types
|
|
getExe
|
|
;
|
|
in
|
|
{
|
|
|
|
meta.maintainers = with lib.maintainers; [ ocfox ];
|
|
|
|
options = {
|
|
services.realm = {
|
|
enable = mkEnableOption "A simple, high performance relay server written in rust";
|
|
package = mkPackageOption pkgs "realm" { };
|
|
config = mkOption {
|
|
type = types.submodule {
|
|
freeformType = configFormat.type;
|
|
};
|
|
default = { };
|
|
description = ''
|
|
The realm configuration, see <https://github.com/zhboner/realm#overview> for documentation.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
systemd.services.realm = {
|
|
serviceConfig = {
|
|
DynamicUser = true;
|
|
MemoryDenyWriteExecute = true;
|
|
PrivateDevices = true;
|
|
ProtectClock = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectProc = "invisible";
|
|
ProtectKernelTunables = true;
|
|
ExecStart = "${getExe cfg.package} --config ${configFile}";
|
|
AmbientCapabilities = [
|
|
"CAP_NET_ADMIN"
|
|
"CAP_NET_BIND_SERVICE"
|
|
];
|
|
};
|
|
wantedBy = [ "multi-user.target" ];
|
|
};
|
|
};
|
|
}
|