robin/shortcutd
1
0
Fork 0
mirror of https://codeberg.org/icewind/shortcutd.git synced 2026-06-03 17:24:08 +02:00
Code Issues Projects Releases Packages Wiki Activity

nixos module

Browse source
This commit is contained in:
Robin Appelman 2023-06-17 22:59:43 +02:00
commit 1f5b9a129f
3 changed files with 149 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

159
flake.nix
View file

@ -21,7 +21,7 @@
... ...
}: }:
flake-utils.lib.eachDefaultSystem (system: let flake-utils.lib.eachDefaultSystem (system: let
overlays = [ (import rust-overlay) ]; overlays = [(import rust-overlay)];
pkgs = (import nixpkgs) { pkgs = (import nixpkgs) {
inherit system overlays; inherit system overlays;
}; };
@ -38,7 +38,7 @@
releaseTargets = lib.lists.remove hostTarget targets; releaseTargets = lib.lists.remove hostTarget targets;
toolchain = (pkgs.rust-bin.stable.latest.default.override { inherit targets; }); toolchain = pkgs.rust-bin.stable.latest.default.override {inherit targets;};
assetNameForTarget = replaceStrings ["-unknown" "-gnu" "-musl" "eabihf" "-pc"] ["" "" "" "" ""]; assetNameForTarget = replaceStrings ["-unknown" "-gnu" "-musl" "eabihf" "-pc"] ["" "" "" "" ""];
cross-naersk' = pkgs.callPackage cross-naersk {inherit naersk;}; cross-naersk' = pkgs.callPackage cross-naersk {inherit naersk;};
@ -49,42 +49,58 @@
}; };
buildMatrix = targets: { buildMatrix = targets: {
include = (map (target: { include =
inherit target; map (target: {
artifact_name = "shortcutd"; inherit target;
asset_name = "shortcutd-${assetNameForTarget target}"; artifact_name = "shortcutd";
}) targets ++ map (target: { asset_name = "shortcutd-${assetNameForTarget target}";
target = "${target}-example-client"; })
artifact_name = "client"; targets
asset_name = "example-client-${assetNameForTarget target}"; ++ map (target: {
}) targets); target = "${target}-example-client";
artifact_name = "client";
asset_name = "example-client-${assetNameForTarget target}";
})
targets;
}; };
serverPackages = genAttrs targets (target: (cross-naersk' target).buildPackage ({ serverPackages = genAttrs targets (target:
pname = "shortcutd"; (cross-naersk' target).buildPackage {
root = src; pname = "shortcutd";
})); root = src;
clientPackages = listToAttrs (map (target: nameValuePair "${target}-example-client" ((cross-naersk' target).buildPackage ({ postInstall = ''
pname = "shortcutd-example-client"; mkdir -p $out/etc/dbus-1/system.d/
root = src; cp ${./nixos-nl.icewind.shortcutd.conf} $out/etc/dbus-1/system.d/nl.icewind.shortcutd.conf
overrideMain = x: {
preConfigure = ''
cargo_build_options="$cargo_build_options --example client"
''; '';
}; });
}))) targets); clientPackages = listToAttrs (map (target:
nameValuePair "${target}-example-client" ((cross-naersk' target).buildPackage {
pname = "shortcutd-example-client";
root = src;
overrideMain = x: {
preConfigure = ''
cargo_build_options="$cargo_build_options --example client"
'';
};
}))
targets);
in rec { in rec {
packages = serverPackages // clientPackages // rec { packages =
shortcutd = packages.${hostTarget}; serverPackages
example-client = packages."${hostTarget}-example-client"; // clientPackages
check = (cross-naersk' hostTarget).buildPackage (naerskOpt // { // rec {
mode = "check"; shortcutd = packages.${hostTarget};
}); example-client = packages."${hostTarget}-example-client";
clippy = (cross-naersk' hostTarget).buildPackage (naerskOpt // { check = (cross-naersk' hostTarget).buildPackage (naerskOpt
mode = "clippy"; // {
}); mode = "check";
default = shortcutd; });
}; clippy = (cross-naersk' hostTarget).buildPackage (naerskOpt
// {
mode = "clippy";
});
default = shortcutd;
};
inherit targets; inherit targets;
inherit releaseTargets; inherit releaseTargets;
@ -102,5 +118,76 @@
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
nativeBuildInputs = with pkgs; [rust-bin.stable.latest.default bacon cargo-edit cargo-outdated rustfmt clippy cargo-audit hyperfine valgrind]; nativeBuildInputs = with pkgs; [rust-bin.stable.latest.default bacon cargo-edit cargo-outdated rustfmt clippy cargo-audit hyperfine valgrind];
}; };
}); })
// {
nixosModule = {
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.shortcutd;
in {
options.services.shortcutd = {
enable = mkEnableOption "Enables the shortcutd service";
log = mkOption rec {
type = types.str;
default = "WARN";
example = "INFO";
description = "log level";
};
};
config = mkIf cfg.enable {
services.dbus.packages = [self.packages.${pkgs.system}.default];
users.users.shortcutd = {
isSystemUser = true;
group = "shortcutd";
};
users.groups.shortcutd = {};
systemd.services."shortcutd" = {
wantedBy = ["multi-user.target"];
environment = {
RUST_LOG = cfg.log;
};
serviceConfig = let
pkg = self.packages.${pkgs.system}.default;
in {
User = "shortcutd";
Restart = "on-failure";
ExecStart = "${pkg}/bin/shortcutd";
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
NoNewPrivileges = true;
CapabilityBoundingSet = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
SystemCallArchitectures = "native";
ProtectKernelModules = true;
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
RestrictRealtime = true;
SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
RestrictAddressFamilies = ["AF_UNIX"];
IPAddressDeny = "any";
PrivateUsers = true;
RestrictSUIDSGID = true;
PrivateNetwork = true;
UMask = "0077";
SupplementaryGroups = ["input"];
};
};
};
};
};
} }

16
nixos-nl.icewind.shortcutd.conf Normal file
View file

@ -0,0 +1,16 @@
<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="shortcutd">
<allow own="nl.icewind.shortcutd"/>
</policy>
<policy context="default">
<allow send_destination="nl.icewind.shortcutd"/>
<allow receive_sender="nl.icewind.shortcutd"/>
</policy>
</busconfig>

15
server/src/server.rs
View file

@ -3,7 +3,7 @@ use futures::stream::StreamExt;
use glob::GlobError; use glob::GlobError;
use main_error::MainError; use main_error::MainError;
use std::path::PathBuf; use std::path::PathBuf;
use tracing::info; use tracing::{error, info};
use zbus::export::futures_util::pin_mut; use zbus::export::futures_util::pin_mut;
use zbus::{dbus_interface, fdo, ConnectionBuilder, ObjectServer, SignalContext}; use zbus::{dbus_interface, fdo, ConnectionBuilder, ObjectServer, SignalContext};
@ -24,7 +24,6 @@ impl Register {
match shortcut.parse::<Shortcut>() { match shortcut.parse::<Shortcut>() {
Ok(shortcut) => { Ok(shortcut) => {
if shortcut.modifiers.is_empty() && !self.listener.has(&shortcut) { if shortcut.modifiers.is_empty() && !self.listener.has(&shortcut) {
dbg!(&shortcut);
if self.bare_count >= MAX_BARE { if self.bare_count >= MAX_BARE {
return Err(fdo::Error::InvalidArgs(format!( return Err(fdo::Error::InvalidArgs(format!(
"Only {} shortcuts without modifiers are allowed", "Only {} shortcuts without modifiers are allowed",
@ -68,11 +67,19 @@ async fn main() -> Result<(), MainError> {
listener, listener,
bare_count: 0, bare_count: 0,
}; };
let conn = ConnectionBuilder::system()? let conn = ConnectionBuilder::system()
.map_err(|e| {
error!(error = ?e, "error while connecting to dbus system socket");
e
})?
.name("nl.icewind.shortcutd")? .name("nl.icewind.shortcutd")?
.serve_at("/register", bus)? .serve_at("/register", bus)?
.build() .build()
.await?; .await
.map_err(|e| {
error!(error = ?e, "error while binding dbus service");
e
})?;
let server = conn.object_server(); let server = conn.object_server();