diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 9343f2dbc847..5610813d9ad0 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -584,6 +584,7 @@
 ./services/misc/safeeyes.nix
 ./services/misc/sdrplay.nix
 ./services/misc/sickbeard.nix
+ ./services/misc/signald.nix
 ./services/misc/siproxd.nix
 ./services/misc/snapper.nix
 ./services/misc/sonarr.nix
diff --git a/nixos/modules/services/misc/signald.nix b/nixos/modules/services/misc/signald.nix
new file mode 100644
index 000000000000..4cd34e4326d7
--- /dev/null
+++ b/nixos/modules/services/misc/signald.nix
@@ -0,0 +1,105 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.signald;
+ dataDir = "/var/lib/signald";
+ defaultUser = "signald";
+in
+{
+ options.services.signald = {
+ enable = mkEnableOption "the signald service";
+
+ user = mkOption {
+ type = types.str;
+ default = defaultUser;
+ description = "User under which signald runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = defaultUser;
+ description = "Group under which signald runs.";
+ };
+
+ socketPath = mkOption {
+ type = types.str;
+ default = "/run/signald/signald.sock";
+ description = "Path to the signald socket";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users = optionalAttrs (cfg.user == defaultUser) {
+ ${defaultUser} = {
+ group = cfg.group;
+ isSystemUser = true;
+ };
+ };
+
+ users.groups = optionalAttrs (cfg.group == defaultUser) {
+ ${defaultUser} = { };
+ };
+
+ systemd.services.signald = {
+ description = "A daemon for interacting with the Signal Private Messenger";
+ wants = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ ExecStart = "${pkgs.signald}/bin/signald -d ${dataDir} -s ${cfg.socketPath}";
+ Restart = "on-failure";
+ StateDirectory = "signald";
+ RuntimeDirectory = "signald";
+ StateDirectoryMode = "0750";
+ RuntimeDirectoryMode = "0750";
+
+ BindReadOnlyPaths = [
+ "/nix/store"
+ "-/etc/resolv.conf"
+ "-/etc/nsswitch.conf"
+ "-/etc/hosts"
+ "-/etc/localtime"
+ ];
+ CapabilityBoundingSet = "";
+ # ProtectClock= adds DeviceAllow=char-rtc r
+ DeviceAllow = "";
+ # Use a static user so other applications can access the files
+ #DynamicUser = true;
+ LockPersonality = true;
+ # Needed for java
+ #MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ # Needs network access
+ #PrivateNetwork = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ # Would re-mount paths ignored by temporary root
+ #ProtectSystem = "strict";
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
+ TemporaryFileSystem = "/:ro";
+ # Does not work well with the temporary root
+ #UMask = "0066";
+ };
+ };
+ };
+}
diff --git a/pkgs/applications/networking/instant-messengers/signald/default.nix b/pkgs/applications/networking/instant-messengers/signald/default.nix
index 9dfd26bd2815..649cc8843d2e 100644
--- a/pkgs/applications/networking/instant-messengers/signald/default.nix
+++ b/pkgs/applications/networking/instant-messengers/signald/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, fetchgit, fetchFromGitLab, jre_headless, coreutils, gradle_6, git, perl
+{ lib, stdenv, fetchurl, fetchFromGitLab, jre_headless, coreutils, gradle_6, git, perl
 , makeWrapper }:
 let
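Review bot: `socketPath` is a free-form `types.str` spliced unescaped into `ExecStart` (`-s ${cfg.socketPath}`), so a value containing whitespace or quoting characters is split into several arguments by systemd instead of being passed as one path; quote both path arguments, `ExecStart = "${pkgs.signald}/bin/signald -d ${lib.escapeShellArg dataDir} -s ${lib.escapeShellArg cfg.socketPath}";`. A non-default `socketPath` outside `/run/signald` also appears unreachable from inside the unit, since with `TemporaryFileSystem = "/:ro"` only the runtime/state directories and the listed `BindReadOnlyPaths` are mounted over the read-only root, so the option description should state that the socket must live under `/run/signald` (or the module should assert it). The description should further say that, because `RuntimeDirectoryMode = "0750"`, clients must run as `services.signald.user` or be members of `services.signald.group` to reach the socket; that is the access model the `#DynamicUser = true;` comment alludes to, and it is the only place a user would look for it.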