nix(systemd): more improvements

2023-12-05 15:38:41 +01:00 · 2023-12-05 15:38:41 +01:00 · 00dce937d7
commit 00dce937d7
parent 12b2ee2901
1 changed files with 93 additions and 13 deletions
--- a/nix/systemd.nix
+++ b/nix/systemd.nix
@ -4,6 +4,20 @@
  ...
 }: let
  swayTgt = "sway-session.target";
+  paths = {
+    inaccessible = [
+      "-/lost+found"
+      "/dev/shm"
+      "-%h/.ssh"
+      "-%h/.gnupg"
+      "-%h/Documents"
+      # "-%h/Downloads"
+      "-%h/Pictures"
+      "-%h/Videos"
+      "-%h/Sync"
+      "-%h/sync"
+    ];
+  };
 in {
  systemd.user.services = {
    kanshi = {
@ -125,9 +139,63 @@ in {
      Install = {WantedBy = ["default.target"];};
    };

-    ff_nn = {
+    ff_nn = let
+      flavour = "firefox-nightly";
+    in {
      Unit = {
-        Description = "sh*tbrowser";
+        Description = "sh*tbrowser (${flavour})";
+        PartOf = swayTgt;
+        After = [swayTgt];
+      };
+
+      Service = {
+        # Type = "simple";
+        Environment = [
+          "MOZ_ENABLE_WAYLAND=1"
+          "MOZ_DBUS_REMOTE=1"
+          "MOZ_USE_XINPUT2=1"
+          "QT_QPA_PLATFORM=wayland"
+          "XDG_SESSION_TYPE=wayland"
+          "SDL_VIDEODRIVER=wayland"
+          "NO_AT_BRIDGE=1"
+        ];
+        ExecStart = "-%h/Downloads/${flavour}/firefox-bin -desktop";
+        Restart = "on-failure";
+        RestartSec = "5s";
+        StartLimitBurst = 3;
+        StartLimitInterval = "60s";
+        TimeoutStopFailureMode = "abort";
+        KeyringMode = "private";
+        RestrictNamespaces = true;
+        DevicePolicy = "closed";
+        ProtectSystem = "strict";
+        ProtectHome = "tmpfs";
+        InaccessiblePaths = paths.inaccessible;
+        BindPaths = [
+          "-%h/Downloads/${flavour}"
+          "-%h/Downloads/toClear"
+          "-%h/.mozilla/firefox"
+          "-%h/.cache/mozilla/firefox"
+          "-%h/.local"
+          "-%h/.fonts"
+          "-%h/.config"
+        ];
+        NoNewPrivileges = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        PrivateTmp = "yes";
+        LockPersonality = true;
+        SystemCallFilter = "~@reboot @obsolete";
+        SystemCallArchitectures = "native";
+      };
+
+      # Install = {WantedBy = [swayTgt];};
+    };
+    voidff = let
+      execPath = "Downloads/lrg/void/firefox";
+    in {
+      Unit = {
+        Description = "voidfox";
        PartOf = swayTgt;
        After = swayTgt;
      };
@ -143,30 +211,37 @@ in {
          "SDL_VIDEODRIVER=wayland"
          "NO_AT_BRIDGE=1"
        ];
-        ExecStart = "-%h/Downloads/firefox-nightly/firefox-bin -desktop";
+        ExecStart = "-%h/${execPath}/firefox-bin -desktop";
        Restart = "on-failure";
        RestartSec = "5s";
        StartLimitBurst = 3;
        StartLimitInterval = "60s";
        TimeoutStopFailureMode = "abort";
-        # RestrictNamespaces=true;
+        RestrictNamespaces = true;
        DevicePolicy = "closed";
-        ProtectHome = true;
        ProtectSystem = "strict";
-        ReadWritePaths = [
-          "-%h/Downloads/firefox-nightly"
-          "-%h/Downloads"
+        # ProtectHome = true;
+        ProtectHome = "tmpfs";
+        InaccessiblePaths = paths.inaccessible;
+        BindPaths = [
+          "-%h/${execPath}"
+          "-%h/Downloads/toClear"
+          "-%h/.mozilla/firefox"
+          "-%h/.cache/mozilla/firefox"
+          "-%h/.local"
+          "-%h/.fonts"
+          "-%h/.config"
        ];
        NoNewPrivileges = true;
        ProtectProc = "invisible";
-        # ProcSubset = "pid";
+        ProcSubset = "pid";
        PrivateTmp = "yes";
        LockPersonality = true;
        SystemCallFilter = "~@reboot @obsolete";
        SystemCallArchitectures = "native";
      };

-      Install = {WantedBy = [swayTgt];};
+      # Install = {WantedBy = [swayTgt];};
    };

    battery = {
@ -207,7 +282,7 @@ in {
        TimeoutStartSec = 600;
        # TimeoutStopSec=10;
        ExecStartPre = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down";
-        ExecStart = "/usr/bin/podman-compose -f ${composeF} -p nextcloud up --remove-orphans";
+        ExecStart = "/usr/bin/podman-compose --podman-run-args=\"--replace\" -f ${composeF} -p nextcloud up --remove-orphans";
        ExecStop = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down";
        Type = "simple";
        Delegate = "no";
@ -221,6 +296,7 @@ in {
          "-/lost+found"
          "/dev/shm"
          "-%h/.ssh"
+          "-%h/.gnupg"
        ];
        KeyringMode = "private";
        SystemCallFilter = "~memfd_create @reboot";
@ -238,11 +314,11 @@ in {
        After = "network.target";
      };
      Service = {
-        ExecStart = "${pkgs.himalaya}/bin/himalaya watch -a a_mirre";
+        ExecStart = "${pkgs.himalaya}/bin/himalaya watch -a w";
        Restart = "always";
        RestartSec = 300;
        Environment = "RUST_LOG=debug";
-        ReadWritePaths = "/tmp/himalaya-counter-am";
+        # ReadWritePaths = "/tmp/himalaya-counter-w";
        ProtectHome = "true";
        ProtectSystem = "true";
        DevicePolicy = "closed";
@ -252,6 +328,7 @@ in {
          "-/lost+found"
          "/dev/shm"
          "-%h/.ssh"
+          "-%h/.gnupg"
        ];
        # KeyringMode = "private";
      };
@ -279,6 +356,7 @@ in {
          "-/lost+found"
          "/dev/shm"
          "-%h/.ssh"
+          "-%h/.gnupg"
        ];
        # KeyringMode = "private";
      };
@ -300,6 +378,7 @@ in {
          "-/lost+found"
          "/dev/shm"
          "-%h/.ssh"
+          "-%h/.gnupg"
        ];
        KeyringMode = "private";
      };
@ -318,6 +397,7 @@ in {
          "-/lost+found"
          "/dev/shm"
          "-%h/.ssh"
+          "-%h/.gnupg"
        ];
        KeyringMode = "private";
      };