{ config, lib, pkgs, ... }: with lib; let cfg = config.services.ptouch-remote; in { options.services.ptouch-remote = { enable = mkEnableOption "Enables the ptouch-remote service"; socket = mkOption rec { type = types.str; default = "/run/ptouch-remote/ptouch-remote.sock"; description = "The socket to listen on"; }; package = mkOption { type = types.package; description = "package to use"; }; logLevel = mkOption { type = types.str; default = "info"; description = "Log level"; }; }; config = mkIf cfg.enable { users.users.ptouch-remote = { isSystemUser = true; group = "ptouch-remote"; }; users.groups.ptouch-remote = {}; services.udev.packages = [cfg.package]; systemd.services.ptouch-remote = { wants = ["ptouch-remote.socket"]; after = ["ptouch-remote.socket"]; environment = { RUST_LOG = cfg.logLevel; }; serviceConfig = { Restart = "on-failure"; ExecStart = getExe cfg.package; User = "ptouch-remote"; PrivateUsers = true; PrivateTmp = true; ProtectSystem = "strict"; ProtectHome = true; NoNewPrivileges = true; ProtectClock = true; CapabilityBoundingSet = true; ProtectControlGroups = true; SystemCallArchitectures = "native"; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectKernelTunables = true; ProtectHostname = true; LockPersonality = true; ProtectProc = "invisible"; RestrictAddressFamilies = ["AF_LOCAL"]; RestrictRealtime = true; SystemCallFilter = ["~@reboot" "~@cpu-emulation" "~@obsolete" "~@debug" "~@swap" "~@clock" "~@module"]; RestrictNamespaces = ["~cgroup"]; RuntimeDirectory = "ptouch-remote"; UMask = "0007"; }; }; systemd.sockets.ptouch-remote = { enable = true; wantedBy = ["sockets.target"]; socketConfig = { ListenStream = cfg.socket; SocketMode = "0666"; }; }; }; }