Unverified Commit 73d91cdd authored by quantenzitrone's avatar quantenzitrone
Browse files

nixos/ydotool: init module 



Co-authored-by: default avatarCosima Neidahl <opna2608@protonmail.com>
parent 6722b4ad

nixos/doc/manual/release-notes/rl-2405.section.md

+2 −0
Original line number Diff line number Diff line
@@ -209,6 +209,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m 


- [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable).



- [ydotool](https://github.com/ReimuNotMoe/ydotool), a generic command-line automation tool now has a module. Available as [programs.ydotool](#opt-programs.ydotool.enable)



- [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable).



## Backward Incompatibilities {#sec-release-24.05-incompatibilities}

nixos/modules/module-list.nix

+1 −0
Original line number Diff line number Diff line
@@ -308,6 +308,7 @@ 
  ./programs/xwayland.nix

  ./programs/yabar.nix

  ./programs/yazi.nix

  ./programs/ydotool.nix

  ./programs/yubikey-touch-detector.nix

  ./programs/zmap.nix

  ./programs/zsh/oh-my-zsh.nix

nixos/modules/programs/ydotool.nix

0 → 100644
+83 −0
Original line number Diff line number Diff line 
{

  config,

  lib,

  pkgs,

  ...

}:

let

  cfg = config.programs.ydotool;

in

{

  meta = {

    maintainers = with lib.maintainers; [ quantenzitrone ];

  };



  options.programs.ydotool = {

    enable = lib.mkEnableOption ''

      ydotoold system service and install ydotool.

      Add yourself to the 'ydotool' group to be able to use it.

    '';

  };



  config = lib.mkIf cfg.enable {

    users.groups.ydotool = { };



    systemd.services.ydotoold = {

      description = "ydotoold - backend for ydotool";

      wantedBy = [ "multi-user.target" ];

      partOf = [ "multi-user.target" ];

      serviceConfig = {

        Group = "ydotool";

        RuntimeDirectory = "ydotoold";

        RuntimeDirectoryMode = "0750";

        ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=/run/ydotoold/socket --socket-perm=0660";



        # hardening



        ## allow access to uinput

        DeviceAllow = [ "/dev/uinput" ];

        DevicePolicy = "closed";



        ## allow creation of unix sockets

        RestrictAddressFamilies = [ "AF_UNIX" ];



        CapabilityBoundingSet = "";

        IPAddressDeny = "any";

        LockPersonality = true;

        MemoryDenyWriteExecute = true;

        NoNewPrivileges = true;

        PrivateNetwork = true;

        PrivateTmp = true;

        PrivateUsers = true;

        ProcSubset = "pid";

        ProtectClock = true;

        ProtectControlGroups = true;

        ProtectHome = true;

        ProtectHostname = true;

        ProtectKernelLogs = true;

        ProtectKernelModules = true;

        ProtectKernelTunables = true;

        ProtectProc = "invisible";

        ProtectSystem = "strict";

        ProtectUser = true;

        RestrictNamespaces = true;

        RestrictRealtime = true;

        RestrictSUIDSGID = true;

        SystemCallArchitectures = "native";

        SystemCallFilter = [

          "@system-service"

          "~@privileged"

          "~@resources"

        ];

        UMask = "0077";



        # -> systemd-analyze security score 0.7 SAFE 😀

      };

    };



    environment.variables = {

      YDOTOOL_SOCKET = "/run/ydotoold/socket";

    };

    environment.systemPackages = with pkgs; [ ydotool ];

  };

}