nixos/ydotool: init module
Co-authored-by: Cosima Neidahl <opna2608@protonmail.com>
parent
6722b4ade9
commit
73d91cdd70
|
@ -209,6 +209,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
|
||||||
|
|
||||||
- [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable).
|
- [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable).
|
||||||
|
|
||||||
|
- [ydotool](https://github.com/ReimuNotMoe/ydotool), a generic command-line automation tool now has a module. Available as [programs.ydotool](#opt-programs.ydotool.enable)
|
||||||
|
|
||||||
- [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable).
|
- [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable).
|
||||||
|
|
||||||
## Backward Incompatibilities {#sec-release-24.05-incompatibilities}
|
## Backward Incompatibilities {#sec-release-24.05-incompatibilities}
|
||||||
|
|
|
@ -308,6 +308,7 @@
|
||||||
./programs/xwayland.nix
|
./programs/xwayland.nix
|
||||||
./programs/yabar.nix
|
./programs/yabar.nix
|
||||||
./programs/yazi.nix
|
./programs/yazi.nix
|
||||||
|
./programs/ydotool.nix
|
||||||
./programs/yubikey-touch-detector.nix
|
./programs/yubikey-touch-detector.nix
|
||||||
./programs/zmap.nix
|
./programs/zmap.nix
|
||||||
./programs/zsh/oh-my-zsh.nix
|
./programs/zsh/oh-my-zsh.nix
|
||||||
|
|
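--- /dev/null
+++ b/nixos/modules/programs/ydotool.nix
@@ -0,0 +1,83 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+let
+cfg = config.programs.ydotool;
+in
+{
+meta = {
+maintainers = with lib.maintainers; [ quantenzitrone ];
+};
+
+options.programs.ydotool = {
+enable = lib.mkEnableOption ''
+ydotoold system service and install ydotool.
+Add yourself to the 'ydotool' group to be able to use it.
+'';
+};
+
+config = lib.mkIf cfg.enable {
+users.groups.ydotool = { };
+
+systemd.services.ydotoold = {
+description = "ydotoold - backend for ydotool";
+wantedBy = [ "multi-user.target" ];
+partOf = [ "multi-user.target" ];
+serviceConfig = {
+Group = "ydotool";
+RuntimeDirectory = "ydotoold";
+RuntimeDirectoryMode = "0750";
+ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=/run/ydotoold/socket --socket-perm=0660";
+
+# hardening
+
+## allow access to uinput
+DeviceAllow = [ "/dev/uinput" ];
+DevicePolicy = "closed";
+
+## allow creation of unix sockets
+RestrictAddressFamilies = [ "AF_UNIX" ];
+
+CapabilityBoundingSet = "";
+IPAddressDeny = "any";
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateNetwork = true;
+PrivateTmp = true;
+PrivateUsers = true;
+ProcSubset = "pid";
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+ProtectUser = true;
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"@system-service"
+"~@privileged"
+"~@resources"
+];
+UMask = "0077";
+
+# -> systemd-analyze security score 0.7 SAFE 😀
+};
+};
+
+environment.variables = {
+YDOTOOL_SOCKET = "/run/ydotoold/socket";
+};
+environment.systemPackages = with pkgs; [ ydotool ];
+};
+}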
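Review bot: `ProtectUser = true;` in serviceConfig is, as far as I can tell, not a systemd.exec(5) directive (the existing ones are ProtectHome/ProtectSystem/ProtectProc/ProtectClock/ProtectHostname and the ProtectKernel* family), so systemd will log an unknown-key warning for it and the line does nothing; either drop it or replace it with whichever setting was actually intended. Separately, the enable description should say what joining the group means: with the socket created at 0660 and group ydotool, every member can drive /dev/uinput through the root-owned daemon, i.e. inject keyboard and mouse input into any session on the machine, so the group is effectively a privileged one — e.g. `Add yourself to the 'ydotool' group to be able to use it. Members of this group can inject input events into any session on the system, so treat it as a privileged group.`. The systemd-analyze score quoted in the trailing comment rates the daemon's own sandbox, not the privilege conveyed by the socket, so it should not be read as covering that exposure.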