From d3c0d9f7860799852f3ef0035fb372aba95c06ac Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Tue, 5 Jan 2021 17:43:37 +0100
Subject: [PATCH] Add NixOS module
---
 module.nix | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 module.nix
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..02c29ce
--- /dev/null
+++ b/module.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.bang-evaluator;
+in
+{
+  options.services.bang-evaluator = {
+    enable = lib.mkEnableOption "bang-evaluator";
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = import ./default.nix { inherit pkgs; };
+      example = "pkgs.bang-exporter-fork";
+      description = "The package to use for bang-exporter";
+    };
+    listenAddress = lib.mkOption {
+      type = lib.types.str;
+      default = ":8081";
+      example = "localhost:8081";
+      description = "The address bang-evaluator should listen on.";
+    };
+  };
+
+  config = {
+    systemd.services.bang-evaluator = lib.mkIf cfg.enable {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      environment = {
+        BANG_EVALUATOR_LISTEN_ADDRESS = cfg.listenAddress;
+      };
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/evaluator";
+        Restart = "always";
+
+        # taken from systemd-analyze --no-pager security bang-evaluator.service
+        # probably overkill
+        CapabilityBoundingSet = null;
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+      };
+    };
+  };
+}
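Review bot: The `listenAddress` default `":8081"` presumably binds every interface (the `localhost:8081` example suggests host:port syntax), so an enabled evaluator is reachable from the network as soon as the port is opened, and nothing in the option text says so; I would either default to `"localhost:8081"` or extend the description, e.g. `description = "The address bang-evaluator should listen on. The default binds all interfaces; use localhost:8081 to restrict it to loopback.";`. The `package` option's description still says "bang-exporter" and its `example` is a plain string rather than `lib.literalExample "pkgs.bang-evaluator"`, so the rendered manual will show it quoted. `CapabilityBoundingSet = null` appears to rely on NixOS rendering `null` as an empty value (`CapabilityBoundingSet=`), which is what drops all capabilities; the explicit `CapabilityBoundingSet = "";` says the same thing without depending on that rendering. The `# probably overkill` comment would serve a reader better if it stated what the sandbox assumes, e.g. `# Hardening from systemd-analyze security; assumes the evaluator only needs IPv4/IPv6 sockets and no writable+executable memory.`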