nixpkgs/nixos/modules/services/misc/mame.nix
rnhmjoj fedd7cd690
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
2021-09-13 13:48:13 +02:00

70 lines
1.9 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.mame;
mame = "mame${lib.optionalString pkgs.stdenv.is64bit "64"}";
in
{
options = {
services.mame = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to setup TUN/TAP Ethernet interface for MAME emulator.
'';
};
user = mkOption {
type = types.str;
description = ''
User from which you run MAME binary.
'';
};
hostAddr = mkOption {
type = types.str;
description = ''
IP address of the host system. Usually an address of the main network
adapter or the adapter through which you get an internet connection.
'';
example = "192.168.31.156";
};
emuAddr = mkOption {
type = types.str;
description = ''
IP address of the guest system. The same you set inside guest OS under
MAME. Should be on the same subnet as <option>services.mame.hostAddr</option>.
'';
example = "192.168.31.155";
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.mame ];
security.wrappers."${mame}" = {
owner = "root";
group = "root";
capabilities = "cap_net_admin,cap_net_raw+eip";
source = "${pkgs.mame}/bin/${mame}";
};
systemd.services.mame = {
description = "MAME TUN/TAP Ethernet interface";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.iproute2 ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.mame}/bin/taputil.sh -c ${cfg.user} ${cfg.emuAddr} ${cfg.hostAddr} -";
ExecStop = "${pkgs.mame}/bin/taputil.sh -d ${cfg.user}";
};
};
};
meta.maintainers = with lib.maintainers; [ ];
}