nixos module

2026-06-03 09:14:07 +02:00 · 2023-06-17 22:59:43 +02:00 · 2023-06-17 22:59:43 +02:00 · 1f5b9a129f
commit 1f5b9a129f
parent 42237bc965
3 changed files with 149 additions and 39 deletions
--- a/flake.nix
+++ b/flake.nix
@ -21,7 +21,7 @@
    ...
  }:
    flake-utils.lib.eachDefaultSystem (system: let
-      overlays = [ (import rust-overlay) ];
+      overlays = [(import rust-overlay)];
      pkgs = (import nixpkgs) {
        inherit system overlays;
      };
@ -38,7 +38,7 @@

      releaseTargets = lib.lists.remove hostTarget targets;

-      toolchain = (pkgs.rust-bin.stable.latest.default.override { inherit targets; });
+      toolchain = pkgs.rust-bin.stable.latest.default.override {inherit targets;};
      assetNameForTarget = replaceStrings ["-unknown" "-gnu" "-musl" "eabihf" "-pc"] ["" "" "" "" ""];

      cross-naersk' = pkgs.callPackage cross-naersk {inherit naersk;};
@ -49,42 +49,58 @@
      };

      buildMatrix = targets: {
-        include = (map (target: {
-          inherit target;
-          artifact_name = "shortcutd";
-          asset_name = "shortcutd-${assetNameForTarget target}";
-        }) targets ++ map (target: {
-          target = "${target}-example-client";
-          artifact_name = "client";
-          asset_name = "example-client-${assetNameForTarget target}";
-        }) targets);
+        include =
+          map (target: {
+            inherit target;
+            artifact_name = "shortcutd";
+            asset_name = "shortcutd-${assetNameForTarget target}";
+          })
+          targets
+          ++ map (target: {
+            target = "${target}-example-client";
+            artifact_name = "client";
+            asset_name = "example-client-${assetNameForTarget target}";
+          })
+          targets;
      };
-      serverPackages = genAttrs targets (target: (cross-naersk' target).buildPackage ({
-        pname = "shortcutd";
-        root = src;
-      }));
-      clientPackages = listToAttrs (map (target: nameValuePair "${target}-example-client" ((cross-naersk' target).buildPackage ({
-        pname = "shortcutd-example-client";
-        root = src;
-
-        overrideMain = x: {
-            preConfigure = ''
-            cargo_build_options="$cargo_build_options --example client"
+      serverPackages = genAttrs targets (target:
+        (cross-naersk' target).buildPackage {
+          pname = "shortcutd";
+          root = src;
+          postInstall = ''
+            mkdir -p $out/etc/dbus-1/system.d/
+            cp ${./nixos-nl.icewind.shortcutd.conf} $out/etc/dbus-1/system.d/nl.icewind.shortcutd.conf
          '';
-        };
-      }))) targets);
+        });
+      clientPackages = listToAttrs (map (target:
+        nameValuePair "${target}-example-client" ((cross-naersk' target).buildPackage {
+          pname = "shortcutd-example-client";
+          root = src;
+
+          overrideMain = x: {
+            preConfigure = ''
+              cargo_build_options="$cargo_build_options --example client"
+            '';
+          };
+        }))
+      targets);
    in rec {
-      packages = serverPackages // clientPackages // rec {
-        shortcutd = packages.${hostTarget};
-        example-client = packages."${hostTarget}-example-client";
-        check = (cross-naersk' hostTarget).buildPackage (naerskOpt // {
-          mode = "check";
-        });
-        clippy = (cross-naersk' hostTarget).buildPackage (naerskOpt // {
-          mode = "clippy";
-        });
-        default = shortcutd;
-      };
+      packages =
+        serverPackages
+        // clientPackages
+        // rec {
+          shortcutd = packages.${hostTarget};
+          example-client = packages."${hostTarget}-example-client";
+          check = (cross-naersk' hostTarget).buildPackage (naerskOpt
+            // {
+              mode = "check";
+            });
+          clippy = (cross-naersk' hostTarget).buildPackage (naerskOpt
+            // {
+              mode = "clippy";
+            });
+          default = shortcutd;
+        };

      inherit targets;
      inherit releaseTargets;
@ -102,5 +118,76 @@
      devShells.default = pkgs.mkShell {
        nativeBuildInputs = with pkgs; [rust-bin.stable.latest.default bacon cargo-edit cargo-outdated rustfmt clippy cargo-audit hyperfine valgrind];
      };
-    });
+    })
+    // {
+      nixosModule = {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+        with lib; let
+          cfg = config.services.shortcutd;
+        in {
+          options.services.shortcutd = {
+            enable = mkEnableOption "Enables the shortcutd service";
+
+            log = mkOption rec {
+              type = types.str;
+              default = "WARN";
+              example = "INFO";
+              description = "log level";
+            };
+          };
+
+          config = mkIf cfg.enable {
+            services.dbus.packages = [self.packages.${pkgs.system}.default];
+
+            users.users.shortcutd = {
+              isSystemUser = true;
+              group = "shortcutd";
+            };
+            users.groups.shortcutd = {};
+
+            systemd.services."shortcutd" = {
+              wantedBy = ["multi-user.target"];
+
+              environment = {
+                RUST_LOG = cfg.log;
+              };
+
+              serviceConfig = let
+                pkg = self.packages.${pkgs.system}.default;
+              in {
+                User = "shortcutd";
+                Restart = "on-failure";
+                ExecStart = "${pkg}/bin/shortcutd";
+                PrivateTmp = true;
+                ProtectSystem = "strict";
+                ProtectHome = true;
+                NoNewPrivileges = true;
+                CapabilityBoundingSet = true;
+                ProtectKernelLogs = true;
+                ProtectControlGroups = true;
+                SystemCallArchitectures = "native";
+                ProtectKernelModules = true;
+                RestrictNamespaces = true;
+                MemoryDenyWriteExecute = true;
+                ProtectHostname = true;
+                LockPersonality = true;
+                ProtectKernelTunables = true;
+                RestrictRealtime = true;
+                SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
+                RestrictAddressFamilies = ["AF_UNIX"];
+                IPAddressDeny = "any";
+                PrivateUsers = true;
+                RestrictSUIDSGID = true;
+                PrivateNetwork = true;
+                UMask = "0077";
+                SupplementaryGroups = ["input"];
+              };
+            };
+          };
+        };
+    };
 }
--- a/nixos-nl.icewind.shortcutd.conf
+++ b/nixos-nl.icewind.shortcutd.conf
@ -0,0 +1,16 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+        "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+        <policy user="shortcutd">
+                <allow own="nl.icewind.shortcutd"/>
+        </policy>
+
+        <policy context="default">
+                <allow send_destination="nl.icewind.shortcutd"/>
+                <allow receive_sender="nl.icewind.shortcutd"/>
+        </policy>
+
+</busconfig>
--- a/server/src/server.rs
+++ b/server/src/server.rs
@ -3,7 +3,7 @@ use futures::stream::StreamExt;
 use glob::GlobError;
 use main_error::MainError;
 use std::path::PathBuf;
-use tracing::info;
+use tracing::{error, info};
 use zbus::export::futures_util::pin_mut;
 use zbus::{dbus_interface, fdo, ConnectionBuilder, ObjectServer, SignalContext};

@ -24,7 +24,6 @@ impl Register {
        match shortcut.parse::<Shortcut>() {
            Ok(shortcut) => {
                if shortcut.modifiers.is_empty() && !self.listener.has(&shortcut) {
-                    dbg!(&shortcut);
                    if self.bare_count >= MAX_BARE {
                        return Err(fdo::Error::InvalidArgs(format!(
                            "Only {} shortcuts without modifiers are allowed",
@ -68,11 +67,19 @@ async fn main() -> Result<(), MainError> {
        listener,
        bare_count: 0,
    };
-    let conn = ConnectionBuilder::system()?
+    let conn = ConnectionBuilder::system()
+        .map_err(|e| {
+            error!(error = ?e, "error while connecting to dbus system socket");
+            e
+        })?
        .name("nl.icewind.shortcutd")?
        .serve_at("/register", bus)?
        .build()
-        .await?;
+        .await
+        .map_err(|e| {
+            error!(error = ?e, "error while binding dbus service");
+            e
+        })?;

    let server = conn.object_server();