diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 5b8be7a969ba..338507d61e41 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1150,6 +1150,7 @@
 ./services/networking/radicale.nix
 ./services/networking/radvd.nix
 ./services/networking/rdnssd.nix
+ ./services/networking/realm.nix
 ./services/networking/redsocks.nix
 ./services/networking/resilio.nix
 ./services/networking/robustirc-bridge.nix
diff --git a/nixos/modules/services/networking/realm.nix b/nixos/modules/services/networking/realm.nix
new file mode 100644
index 000000000000..5b0c34ac825f
--- /dev/null
+++ b/nixos/modules/services/networking/realm.nix
@@ -0,0 +1,50 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+ cfg = config.services.realm;
+ configFormat = pkgs.formats.json { };
+ configFile = configFormat.generate "config.json" cfg.config;
+ inherit (lib)
+ mkEnableOption mkPackageOption mkOption mkIf types getExe;
+in
+{
+
+ meta.maintainers = with lib.maintainers; [ ocfox ];
+
+ options = {
+ services.realm = {
+ enable = mkEnableOption "A simple, high performance relay server written in rust";
+ package = mkPackageOption pkgs "realm" { };
+ config = mkOption {
+ type = types.submodule {
+ freeformType = configFormat.type;
+ };
+ default = { };
+ description = ''
+ The realm configuration, see for documentation.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.realm = {
+ serviceConfig = {
+ DynamicUser = true;
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectProc = "invisible";
+ ProtectKernelTunables = true;
+ ExecStart = "${getExe cfg.package} --config ${configFile}";
+ AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+}
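Review bot: The serviceConfig in realm.nix grants CAP_NET_ADMIN and CAP_NET_BIND_SERVICE through AmbientCapabilities but leaves CapabilityBoundingSet, RestrictAddressFamilies and SystemCallFilter unset, so a compromised relay keeps the full default bounding set and can open any socket family; the bounding set should be pinned to the same two capabilities and the address families limited to what an IP relay uses. CAP_NET_ADMIN is a broad capability (routing, interfaces, firewall) and the hunk does not show which realm feature requires it, so a comment naming that feature, or an option that adds it only when that mode is enabled, would let a plain port-forward deployment run without it. Separately, `configFormat.generate "config.json" cfg.config` places the rendered config in the world-readable Nix store, so the option description should state that no secret (TLS key material or credentials, if realm accepts them inline) belongs in `services.realm.config`. The syscall filter below follows the usual NixOS `@system-service` pattern and should be confirmed against the binary before merging.

```nix
      serviceConfig = {
        # … unchanged: DynamicUser … ProtectKernelTunables, ExecStart …
        AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];
        # Pin the bounding set to the ambient set so nothing beyond it is obtainable.
        CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];
        # An IP relay should only need IP sockets; add AF_UNIX / AF_NETLINK only if
        # the binary is shown to require them (confirm with strace before widening).
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
```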