| 1 | +{ |
| 2 | + pkgs, |
| 3 | + lib, |
| 4 | + ... |
| 5 | +}: let |
| 6 | + serviceHardening = { |
| 7 | + PrivateUsers = true; |
| 8 | + LockPersonality = true; |
| 9 | + ProtectHostname = true; |
| 10 | + ProtectKernelTunables = true; |
| 11 | + ProtectClock = true; |
| 12 | + ProtectSystem = true; |
| 13 | + ProtectProc = true; |
| 14 | + ProtectHome = true; |
| 15 | + PrivateTmp = true; |
| 16 | + PrivateDevices = false; # cage's drmGetDevices need devices despite being headless. |
| 17 | + SystemCallArchitectures = "native"; |
| 18 | + CapabilityBoundingSet = null; |
| 19 | + NoNewPrivileges = true; |
| 20 | + RestrictAddressFamilies = [ |
| 21 | + "AF_INET" |
| 22 | + "AF_INET6" |
| 23 | + "AF_UNIX" |
| 24 | + ]; |
| 25 | + SystemCallFilter = [ |
| 26 | + "@system-service" |
| 27 | + # "~@privileged" # cage/wlroots needs setgid for some reason? |
| 28 | + ]; |
| 29 | + }; |
| 30 | +in { |
| 31 | + users.users.funny = { |
| 32 | + isSystemUser = true; |
| 33 | + group = "funny"; |
| 34 | + }; |
| 35 | + users.groups.funny = {}; |
| 36 | + |
| 37 | + systemd.services = { |
| 38 | + cage-feh = { |
| 39 | + wantedBy = ["multi-user.target"]; |
| 40 | + serviceConfig = |
| 41 | + { |
| 42 | + User = "funny"; |
| 43 | + RuntimeDirectory = "funny"; |
| 44 | + Restart = "on-failure"; |
| 45 | + RestartSec = "1"; |
| 46 | + } |
| 47 | + // serviceHardening; |
| 48 | + path = with pkgs; [cage feh]; |
| 49 | + script = '' |
| 50 | + set -e |
| 51 | + cage -d feh -- -.dz -D10 --draw-tinted /srv/funny |
| 52 | + ''; |
| 53 | + environment = { |
| 54 | + WLR_BACKENDS = "headless"; |
| 55 | + WLR_LIBINPUT_NO_DEVICES = "1"; |
| 56 | + XDG_RUNTIME_DIR = "%t/funny"; # if this is set to %t only, it fails with a cryptic "invalid argument" error but in fact it's probably just a permission denied error. |
| 57 | + }; |
| 58 | + }; |
| 59 | + |
| 60 | + wayvnc-feh = { |
| 61 | + wantedBy = ["multi-user.target"]; |
| 62 | + requires = ["cage-feh.service"]; |
| 63 | + after = ["cage-feh.service"]; |
| 64 | + serviceConfig = |
| 65 | + { |
| 66 | + User = "funny"; |
| 67 | + RuntimeDirectory = "funny"; |
| 68 | + ExecStart = "${lib.getExe pkgs.wayvnc} -d 0.0.0.0"; |
| 69 | + Restart = "on-failure"; |
| 70 | + RestartSec = "1"; |
| 71 | + } |
| 72 | + // serviceHardening; |
| 73 | + environment = { |
| 74 | + WAYLAND_DISPLAY = "wayland-0"; |
| 75 | + XDG_RUNTIME_DIR = "%t/funny"; |
| 76 | + }; |
| 77 | + }; |
| 78 | + }; |
| 79 | + |
| 80 | + networking.firewall.allowedTCPPorts = [ |
| 81 | + 5900 # vnc; yes this is intended. |
| 82 | + ]; |
| 83 | +} |
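Review bot: `ProtectProc = true;` in `serviceHardening` (new-file line 13) is not a value systemd accepts for ProtectProc= — it takes `noaccess`, `invisible`, `ptraceable` or `default`, not a boolean — so the generated unit will most likely log a parse warning and apply no /proc hiding at all, which means the hardening block silently promises less than it reads as; `ProtectProc = "invisible";` is the usual choice for a service that only needs its own process tree. In the same block, `ProtectSystem = true;` is the weakest tier (only /usr and the boot loader read-only); both services only read `/srv/funny` and write their RuntimeDirectory, which systemd keeps writable, so `ProtectSystem = "strict";` should be a free upgrade — worth confirming on a test boot. `CapabilityBoundingSet = null;` presumably serialises to an empty `CapabilityBoundingSet=`, which is the documented way to drop every capability, but `[]` would make that intent explicit rather than relying on how null is rendered. Since 5900 is deliberately opened to the world, the `-d` on the wayvnc ExecStart deserves a comment so the next reader knows why an unauthenticated listener is acceptable here, e.g. `# -d (--disable-input): view-only, no remote input reaches the feh session`.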