nixos/realm: init

Co-authored-by: Nick Cao <nickcao@nichi.co>
Co-authored-by: oluceps <i@oluceps.uk>
ocfox 2024-01-28 12:55:05 +08:00 committed by Sandro Jäckel
parent a595aba420
commit 86ce0733d2
2 changed files with 51 additions and 0 deletions


@ -1150,6 +1150,7 @@
./services/networking/radicale.nix
./services/networking/radvd.nix
./services/networking/rdnssd.nix
./services/networking/realm.nix
./services/networking/redsocks.nix
./services/networking/resilio.nix
./services/networking/robustirc-bridge.nix


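--- /dev/null
+++ b/services/networking/realm.nix
@@ -0,0 +1,50 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+cfg = config.services.realm;
+configFormat = pkgs.formats.json { };
+configFile = configFormat.generate "config.json" cfg.config;
+inherit (lib)
+mkEnableOption mkPackageOption mkOption mkIf types getExe;
+in
+{
+meta.maintainers = with lib.maintainers; [ ocfox ];
+options = {
+services.realm = {
+enable = mkEnableOption "A simple, high performance relay server written in rust";
+package = mkPackageOption pkgs "realm" { };
+config = mkOption {
+type = types.submodule {
+freeformType = configFormat.type;
+};
+default = { };
+description = ''
+The realm configuration, see <https://github.com/zhboner/realm#overview> for documentation.
+'';
+};
+};
+};
+config = mkIf cfg.enable {
+systemd.services.realm = {
+serviceConfig = {
+DynamicUser = true;
+MemoryDenyWriteExecute = true;
+PrivateDevices = true;
+ProtectClock = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectProc = "invisible";
+ProtectKernelTunables = true;
+ExecStart = "${getExe cfg.package} --config ${configFile}";
+AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];
+};
+wantedBy = [ "multi-user.target" ];
+};
+};
+}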
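Review bot: The unit grants `AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];` in serviceConfig but sets no `CapabilityBoundingSet`, so the bounding set stays at systemd's default and the process is not limited to the two capabilities it is actually handed; adding `CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];` beside it pins the set, and `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` would fit the rest of the hardening block if the relay needs no other socket families (worth confirming against realm's features). The unit also declares only `wantedBy = [ "multi-user.target" ];` with no `after`/`wants` on `network.target` or `network-online.target`, so a relay that binds to or dials out to configured addresses may be started before the network is up; `after = [ "network.target" ];` is the usual pairing. Whether CAP_NET_ADMIN is required at all is not evident from the module — if realm only needs to bind privileged ports, CAP_NET_BIND_SERVICE alone would do, so the need should be documented in a comment next to the line, e.g. `# CAP_NET_ADMIN: required for <feature> — TODO confirm`.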