authorEthel Morgan <eth@ethulhu.co.uk>2020-05-24 11:49:03 +0100
committerEthel Morgan <eth@ethulhu.co.uk>2020-05-24 11:49:03 +0100
commit8096ed8c66f08afa02714f3660f8539d48f08da8 (patch)
tree3b97972344b95b529ae1c064a9070c69284160fd
parent276c0a88f5ed89dddfccb7d197559dbc6c95f5b4 (diff)
move services.helix-player to eth.services
also harden the systemd config.
-rw-r--r--module-list.nix2
-rw-r--r--modules/services/helix-player.nix (renamed from modules/helix-player.nix)30
2 files changed, 18 insertions, 14 deletions
diff --git a/module-list.nix b/module-list.nix
index c24ae39..7ec267e 100644
--- a/module-list.nix
+++ b/module-list.nix
@@ -1,8 +1,8 @@
[
- ./modules/helix-player.nix
./modules/keyboard.nix
./modules/linode.nix
./modules/overlays.nix
+ ./modules/services/helix-player.nix
./modules/services/mosquitto.nix
./modules/services/snapclient.nix
./modules/services/upmpdcli.nix
diff --git a/modules/helix-player.nix b/modules/services/helix-player.nix
index d73fc16..977e263 100644
--- a/modules/helix-player.nix
+++ b/modules/services/helix-player.nix
@@ -3,15 +3,15 @@ with lib;
let
- cfg = config.services.helix-player;
- helixPackage = pkgs.eth.helix;
+ cfg = config.eth.services.helix-player;
- runtimeDirectory = "helix-player";
- socket = "/run/${runtimeDirectory}/listen.sock";
+ systemdDirectoryName = "helix-player";
+ runtimeDirectory = "/run/${systemdDirectoryName}";
+ socket = "${runtimeDirectory}/listen.sock";
in {
- options.services.helix-player = {
+ options.eth.services.helix-player = {
enable = mkEnableOption "Whether to enable helix-player";
@@ -26,11 +26,7 @@ in {
config = mkIf cfg.enable {
- services.helix-player.socket = socket;
-
- environment.systemPackages = [
- helixPackage
- ];
+ eth.services.helix-player.socket = socket;
systemd.services.helix-player = {
enable = true;
@@ -39,10 +35,18 @@ in {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
- DynamicUser = "yes";
+ DynamicUser = true;
Group = config.services.nginx.group;
- RuntimeDirectory = "${runtimeDirectory}";
- ExecStart = "${helixPackage}/bin/helix-player -socket ${socket}";
+
+ RuntimeDirectory = systemdDirectoryName;
+
+ ExecStart = "${pkgs.eth.helix}/bin/helix-player -socket ${socket}";
+
+ NoNewPrivileges = true;
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
};
};
};
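Review bot: The hardening set added to `serviceConfig` (`NoNewPrivileges` through `ProtectKernelModules`) leaves out the restrictions that do the most for a daemon that only needs to serve a unix socket under `/run/helix-player`: device access, kernel log access, namespace creation, personality changes, syscall ABI and socket families are all still unrestricted. `DynamicUser = true` already implies `NoNewPrivileges`, `ProtectSystem=strict` and `PrivateTmp` per the systemd documentation, so the explicit `NoNewPrivileges = true` is redundant, whereas `ProtectHome = true` does tighten the implied read-only default and is worth keeping. Whether limiting address families to `AF_UNIX` is safe depends on whether helix-player opens any network connections of its own, which the hunk does not show, so that line needs confirming against the binary; `systemd-analyze security helix-player` on the deployed host reports what remains exposed. The enclosing `config` attribute set and the module's `in { … }` body close beyond the hunk.
```nix
      serviceConfig = {
        # … unchanged: DynamicUser, Group, RuntimeDirectory, ExecStart, existing Protect*/NoNewPrivileges …
        PrivateDevices = true;
        ProtectKernelLogs = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
        # only valid if helix-player never opens TCP/UDP sockets itself — confirm before enabling
        RestrictAddressFamilies = "AF_UNIX";
      };
```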