{ pkgs, config, ... }:
# Per-user tmux server run as a socket-activated, DynamicUser= systemd
# template unit: "tmux@<user>.service" is started on the first connection
# to that user's socket, and the unit itself refuses manual starts.
{
  systemd = {
    # Activation socket, one instance per user name (%i): placed in the
    # user's home, owned by that user and readable/writable by nobody else
    # (mode 600), handing connections to the matching tmux@ service.
    sockets."tmux@" = {
      listenStreams = [ "/home/%i/tmux.sock" ];
      socketConfig = {
        SocketUser = "%i";
        SocketMode = "600";
        Service = "tmux@%i.service";
      };
    };

    /*
    Disabled: a socket proxy joining the network namespace of irssi@%i.
    systemd.services."proxy-to-irssi@" = {
      requires = ["irssi@%i.service"];
      after = ["irssi@%i.service" "proxy-to-irssi-%i.socket"];
      #unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
      unitConfig.JoinsNamespaceOf = ["irssi@%i.service"];
      serviceConfig = {
        ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd /var/lib/irssi/%i/tmux.sock";
        #PrivateNetwork = true;
        PrivateTmp = true;
      };
    };
    */

    # Disabled: a TCP listener for irssi (references a `values` attrset that
    # is not in scope in this file).
    #systemd.sockets."irssi@" = {
    #  enable = values.peersAnnouncing.enable;
    #  listenStreams = [(toString values.peersAnnouncing.listenPort)];
    #  socketConfig.Accept = true;
    #  socketConfig.ReusePort = true;
    #  wantedBy = [ "sockets.target" ];
    #};

    services."tmux@" = {
      description = "tmux for user %i";
      #after = [ "network.target" ];

      environment = {
        HOME = "/var/lib/tmux/%i";
        # A custom LD_LIBRARY_PATH is needed so that `getent passwd` can see
        # the NSS entry systemd provides for the DynamicUser= account.
        LD_LIBRARY_PATH = config.system.nssModules.path;
      };

      # Only the socket may start this unit.
      unitConfig.RefuseManualStart = true;

      serviceConfig = {
        Type = "notify";
        #GuessMainPID = true;
        # The user's own tmux.conf (bind-mounted read-only below) is loaded
        # first; the generated config then forces the shell, opens a detached
        # session and signals readiness to systemd.
        # NOTE(review): `-v` makes tmux write tmux-server-*.log files into
        # WorkingDirectory; confirm verbose logging is wanted outside debugging.
        ExecStart = "${pkgs.tmux}/bin/tmux -v -D -f /var/lib/tmux/%i/.config/tmux/tmux.conf -f ${pkgs.writeText "tmux.conf" ''
          set-option -g default-shell ${pkgs.runtimeShell}
          #set-option -g exit-empty off
          new-session -d
          run-shell -b "systemd-notify --ready"
        ''}";
        # `systemd-notify --ready` runs from a run-shell child, not the main
        # PID, so readiness notifications must be accepted from any process
        # of the unit.
        NotifyAccess = "all";
        #RuntimeDirectory = ["tmux/%i"];
        #RuntimeDirectoryMode = "755";
        StateDirectory = [ "tmux/%i" ];
        #TimeoutSec = 5;

        # Every stop command is commented out, so this is an empty list and
        # the unit is stopped by systemd's default signalling.
        ExecStop = [
          # Send CTRL+u to clear the input line before /quit
          #"-${pkgs.tmux} -L %p send-keys -t irssi:0 C-u"
          #"-${pkgs.tmux} -L %p send-keys -t irssi:0 /quit Enter"
          # Sending /quit to irssi is asynchronous, so wait for irssi to exit
          # before killing the session in tmux
          #(pkgs.writeShellScript "stop-irssi" ''
          #  timeout 3 tail --pid=$(cat %t/irssi.pid || echo 0) -f /dev/null
          #'')
          #"-${pkgs.tmux} -L %p kill-session -t irssi-%i"
        ];

        WorkingDirectory = "/var/lib/tmux/%i";
        DynamicUser = true;
        #User = "%i";
        # Expose only the user's tmux.conf inside the state directory; the
        # leading "-" makes a missing file non-fatal.
        BindReadOnlyPaths = [
          "-/home/%i/.config/tmux/tmux.conf:/var/lib/tmux/%i/.config/tmux/tmux.conf"
        ];

        # NOTE(review): all sandboxing directives below are disabled, so the
        # service relies on DynamicUser= alone.  `RestrictAddressFamilies = ""`
        # in particular would deny socket() for every family, so re-enable
        # these one at a time and test against a live tmux session.
        #IPAddressDeny = "any";
        #AmbientCapabilities = [""];
        #CapabilityBoundingSet = [""];
        #RestrictNamespaces = true;
        #PrivateUsers = true;
        ##NoNewPrivileges = true;
        ##ProtectSystem = true;
        ##PrivateTmp = true;
        #PrivateDevices = true;
        #ProtectClock = true;
        #ProtectControlGroups = true;
        #ProtectHome = true;
        #ProtectKernelLogs = true;
        #ProtectKernelModules = true;
        #ProtectKernelTunables = true;
        #ProtectProc = "invisible";
        #SystemCallArchitectures = "native";
        #SystemCallFilter = [
        #  "@system-service"
        #  "~@keyring" "~@clock" "~@debug" "~@module"
        #  "~@obsolete" "~@privileged" "~@process" "~@resources"
        #];
        #RestrictRealtime = true;
        #LockPersonality = true;
        #MemoryDenyWriteExecute = true;
        #UMask = 0077;
        #ProtectHostname = true;
        #ProcSubset = "pid";
        #StandardInput = "socket";
        #StandardOutput = "socket";
        #RestrictAddressFamilies = "";
      };
    };
  };
}