nix(systemd): more improvements

surtur 2023-12-05 15:38:41 +01:00
parent 12b2ee2901
commit 00dce937d7
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI

@ -4,6 +4,20 @@
... ...
}: let }: let
swayTgt = "sway-session.target"; swayTgt = "sway-session.target";
paths = {
inaccessible = [
"-/lost+found"
"/dev/shm"
"-%h/.ssh"
"-%h/.gnupg"
"-%h/Documents"
# "-%h/Downloads"
"-%h/Pictures"
"-%h/Videos"
"-%h/Sync"
"-%h/sync"
];
};
in { in {
systemd.user.services = { systemd.user.services = {
kanshi = { kanshi = {
@ -125,9 +139,63 @@ in {
Install = {WantedBy = ["default.target"];}; Install = {WantedBy = ["default.target"];};
}; };
ff_nn = { ff_nn = let
flavour = "firefox-nightly";
in {
Unit = { Unit = {
Description = "sh*tbrowser"; Description = "sh*tbrowser (${flavour})";
PartOf = swayTgt;
After = [swayTgt];
};
Service = {
# Type = "simple";
Environment = [
"MOZ_ENABLE_WAYLAND=1"
"MOZ_DBUS_REMOTE=1"
"MOZ_USE_XINPUT2=1"
"QT_QPA_PLATFORM=wayland"
"XDG_SESSION_TYPE=wayland"
"SDL_VIDEODRIVER=wayland"
"NO_AT_BRIDGE=1"
];
ExecStart = "-%h/Downloads/${flavour}/firefox-bin -desktop";
Restart = "on-failure";
RestartSec = "5s";
StartLimitBurst = 3;
StartLimitInterval = "60s";
TimeoutStopFailureMode = "abort";
KeyringMode = "private";
RestrictNamespaces = true;
DevicePolicy = "closed";
ProtectSystem = "strict";
ProtectHome = "tmpfs";
InaccessiblePaths = paths.inaccessible;
BindPaths = [
"-%h/Downloads/${flavour}"
"-%h/Downloads/toClear"
"-%h/.mozilla/firefox"
"-%h/.cache/mozilla/firefox"
"-%h/.local"
"-%h/.fonts"
"-%h/.config"
];
NoNewPrivileges = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = "yes";
LockPersonality = true;
SystemCallFilter = "~@reboot @obsolete";
SystemCallArchitectures = "native";
};
# Install = {WantedBy = [swayTgt];};
};
voidff = let
execPath = "Downloads/lrg/void/firefox";
in {
Unit = {
Description = "voidfox";
PartOf = swayTgt; PartOf = swayTgt;
After = swayTgt; After = swayTgt;
}; };
@ -143,30 +211,37 @@ in {
"SDL_VIDEODRIVER=wayland" "SDL_VIDEODRIVER=wayland"
"NO_AT_BRIDGE=1" "NO_AT_BRIDGE=1"
]; ];
ExecStart = "-%h/Downloads/firefox-nightly/firefox-bin -desktop"; ExecStart = "-%h/${execPath}/firefox-bin -desktop";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "5s"; RestartSec = "5s";
StartLimitBurst = 3; StartLimitBurst = 3;
StartLimitInterval = "60s"; StartLimitInterval = "60s";
TimeoutStopFailureMode = "abort"; TimeoutStopFailureMode = "abort";
# RestrictNamespaces=true; RestrictNamespaces = true;
DevicePolicy = "closed"; DevicePolicy = "closed";
ProtectHome = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
ReadWritePaths = [ # ProtectHome = true;
"-%h/Downloads/firefox-nightly" ProtectHome = "tmpfs";
"-%h/Downloads" InaccessiblePaths = paths.inaccessible;
BindPaths = [
"-%h/${execPath}"
"-%h/Downloads/toClear"
"-%h/.mozilla/firefox"
"-%h/.cache/mozilla/firefox"
"-%h/.local"
"-%h/.fonts"
"-%h/.config"
]; ];
NoNewPrivileges = true; NoNewPrivileges = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
# ProcSubset = "pid"; ProcSubset = "pid";
PrivateTmp = "yes"; PrivateTmp = "yes";
LockPersonality = true; LockPersonality = true;
SystemCallFilter = "~@reboot @obsolete"; SystemCallFilter = "~@reboot @obsolete";
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
}; };
Install = {WantedBy = [swayTgt];}; # Install = {WantedBy = [swayTgt];};
}; };
battery = { battery = {
@ -207,7 +282,7 @@ in {
TimeoutStartSec = 600; TimeoutStartSec = 600;
# TimeoutStopSec=10; # TimeoutStopSec=10;
ExecStartPre = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down"; ExecStartPre = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down";
ExecStart = "/usr/bin/podman-compose -f ${composeF} -p nextcloud up --remove-orphans"; ExecStart = "/usr/bin/podman-compose --podman-run-args=\"--replace\" -f ${composeF} -p nextcloud up --remove-orphans";
ExecStop = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down"; ExecStop = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down";
Type = "simple"; Type = "simple";
Delegate = "no"; Delegate = "no";
@ -221,6 +296,7 @@ in {
"-/lost+found" "-/lost+found"
"/dev/shm" "/dev/shm"
"-%h/.ssh" "-%h/.ssh"
"-%h/.gnupg"
]; ];
KeyringMode = "private"; KeyringMode = "private";
SystemCallFilter = "~memfd_create @reboot"; SystemCallFilter = "~memfd_create @reboot";
@ -238,11 +314,11 @@ in {
After = "network.target"; After = "network.target";
}; };
Service = { Service = {
ExecStart = "${pkgs.himalaya}/bin/himalaya watch -a a_mirre"; ExecStart = "${pkgs.himalaya}/bin/himalaya watch -a w";
Restart = "always"; Restart = "always";
RestartSec = 300; RestartSec = 300;
Environment = "RUST_LOG=debug"; Environment = "RUST_LOG=debug";
ReadWritePaths = "/tmp/himalaya-counter-am"; # ReadWritePaths = "/tmp/himalaya-counter-w";
ProtectHome = "true"; ProtectHome = "true";
ProtectSystem = "true"; ProtectSystem = "true";
DevicePolicy = "closed"; DevicePolicy = "closed";
@ -252,6 +328,7 @@ in {
"-/lost+found" "-/lost+found"
"/dev/shm" "/dev/shm"
"-%h/.ssh" "-%h/.ssh"
"-%h/.gnupg"
]; ];
# KeyringMode = "private"; # KeyringMode = "private";
}; };
@ -279,6 +356,7 @@ in {
"-/lost+found" "-/lost+found"
"/dev/shm" "/dev/shm"
"-%h/.ssh" "-%h/.ssh"
"-%h/.gnupg"
]; ];
# KeyringMode = "private"; # KeyringMode = "private";
}; };
@ -300,6 +378,7 @@ in {
"-/lost+found" "-/lost+found"
"/dev/shm" "/dev/shm"
"-%h/.ssh" "-%h/.ssh"
"-%h/.gnupg"
]; ];
KeyringMode = "private"; KeyringMode = "private";
}; };
@ -318,6 +397,7 @@ in {
"-/lost+found" "-/lost+found"
"/dev/shm" "/dev/shm"
"-%h/.ssh" "-%h/.ssh"
"-%h/.gnupg"
]; ];
KeyringMode = "private"; KeyringMode = "private";
}; };
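Review bot: In the ff_nn hunk (@ -125,9 +139,63) the directory the browser is started from, `%h/Downloads/${flavour}`, is listed in `BindPaths`, which binds it read-write into the otherwise tmpfs home, so a compromised browser process can overwrite the very firefox-bin it was launched from; `.fonts` and `.config` are bound read-write the same way although the browser only needs to read them. Unless you rely on Nightly's in-place self-update writing into that directory, move those three entries into `BindReadOnlyPaths = ["-%h/Downloads/${flavour}" "-%h/.fonts" "-%h/.config"];` and keep only the profile, cache and `toClear` directories in `BindPaths` (the voidff hunk has the same shape with `execPath`). `RestrictNamespaces = true` makes clone/unshare with namespace flags fail with EPERM, and Firefox's own content-process sandbox uses unprivileged user namespaces when it can, so it presumably drops to a weaker sandbox level under this unit — worth checking the Sandbox section of about:support before keeping both. Per systemd.service(5) the `-` prefix on `ExecStart` makes a non-zero exit count as success, so `Restart = "on-failure"` likely never fires for a crashed browser; drop the `-` if the restart is intended. The enclosing `let` and the `systemd.user.services` attribute set begin outside this hunk.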