nix(systemd): more improvements

surtur 2023-12-05 15:38:41 +01:00
parent 12b2ee2901
commit 00dce937d7
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI

@ -4,6 +4,20 @@
...
}: let
swayTgt = "sway-session.target";
paths = {
inaccessible = [
"-/lost+found"
"/dev/shm"
"-%h/.ssh"
"-%h/.gnupg"
"-%h/Documents"
# "-%h/Downloads"
"-%h/Pictures"
"-%h/Videos"
"-%h/Sync"
"-%h/sync"
];
};
in {
systemd.user.services = {
kanshi = {
@ -125,9 +139,63 @@ in {
Install = {WantedBy = ["default.target"];};
};
ff_nn = {
ff_nn = let
flavour = "firefox-nightly";
in {
Unit = {
Description = "sh*tbrowser";
Description = "sh*tbrowser (${flavour})";
PartOf = swayTgt;
After = [swayTgt];
};
Service = {
# Type = "simple";
Environment = [
"MOZ_ENABLE_WAYLAND=1"
"MOZ_DBUS_REMOTE=1"
"MOZ_USE_XINPUT2=1"
"QT_QPA_PLATFORM=wayland"
"XDG_SESSION_TYPE=wayland"
"SDL_VIDEODRIVER=wayland"
"NO_AT_BRIDGE=1"
];
ExecStart = "-%h/Downloads/${flavour}/firefox-bin -desktop";
Restart = "on-failure";
RestartSec = "5s";
StartLimitBurst = 3;
StartLimitInterval = "60s";
TimeoutStopFailureMode = "abort";
KeyringMode = "private";
RestrictNamespaces = true;
DevicePolicy = "closed";
ProtectSystem = "strict";
ProtectHome = "tmpfs";
InaccessiblePaths = paths.inaccessible;
BindPaths = [
"-%h/Downloads/${flavour}"
"-%h/Downloads/toClear"
"-%h/.mozilla/firefox"
"-%h/.cache/mozilla/firefox"
"-%h/.local"
"-%h/.fonts"
"-%h/.config"
];
NoNewPrivileges = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = "yes";
LockPersonality = true;
SystemCallFilter = "~@reboot @obsolete";
SystemCallArchitectures = "native";
};
# Install = {WantedBy = [swayTgt];};
};
voidff = let
execPath = "Downloads/lrg/void/firefox";
in {
Unit = {
Description = "voidfox";
PartOf = swayTgt;
After = swayTgt;
};
@ -143,30 +211,37 @@ in {
"SDL_VIDEODRIVER=wayland"
"NO_AT_BRIDGE=1"
];
ExecStart = "-%h/Downloads/firefox-nightly/firefox-bin -desktop";
ExecStart = "-%h/${execPath}/firefox-bin -desktop";
Restart = "on-failure";
RestartSec = "5s";
StartLimitBurst = 3;
StartLimitInterval = "60s";
TimeoutStopFailureMode = "abort";
# RestrictNamespaces=true;
RestrictNamespaces = true;
DevicePolicy = "closed";
ProtectHome = true;
ProtectSystem = "strict";
ReadWritePaths = [
"-%h/Downloads/firefox-nightly"
"-%h/Downloads"
# ProtectHome = true;
ProtectHome = "tmpfs";
InaccessiblePaths = paths.inaccessible;
BindPaths = [
"-%h/${execPath}"
"-%h/Downloads/toClear"
"-%h/.mozilla/firefox"
"-%h/.cache/mozilla/firefox"
"-%h/.local"
"-%h/.fonts"
"-%h/.config"
];
NoNewPrivileges = true;
ProtectProc = "invisible";
# ProcSubset = "pid";
ProcSubset = "pid";
PrivateTmp = "yes";
LockPersonality = true;
SystemCallFilter = "~@reboot @obsolete";
SystemCallArchitectures = "native";
};
Install = {WantedBy = [swayTgt];};
# Install = {WantedBy = [swayTgt];};
};
battery = {
@ -207,7 +282,7 @@ in {
TimeoutStartSec = 600;
# TimeoutStopSec=10;
ExecStartPre = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down";
ExecStart = "/usr/bin/podman-compose -f ${composeF} -p nextcloud up --remove-orphans";
ExecStart = "/usr/bin/podman-compose --podman-run-args=\"--replace\" -f ${composeF} -p nextcloud up --remove-orphans";
ExecStop = "/usr/bin/podman-compose -f ${composeF} -p nextcloud down";
Type = "simple";
Delegate = "no";
@ -221,6 +296,7 @@ in {
"-/lost+found"
"/dev/shm"
"-%h/.ssh"
"-%h/.gnupg"
];
KeyringMode = "private";
SystemCallFilter = "~memfd_create @reboot";
@ -238,11 +314,11 @@ in {
After = "network.target";
};
Service = {
ExecStart = "${pkgs.himalaya}/bin/himalaya watch -a a_mirre";
ExecStart = "${pkgs.himalaya}/bin/himalaya watch -a w";
Restart = "always";
RestartSec = 300;
Environment = "RUST_LOG=debug";
ReadWritePaths = "/tmp/himalaya-counter-am";
# ReadWritePaths = "/tmp/himalaya-counter-w";
ProtectHome = "true";
ProtectSystem = "true";
DevicePolicy = "closed";
@ -252,6 +328,7 @@ in {
"-/lost+found"
"/dev/shm"
"-%h/.ssh"
"-%h/.gnupg"
];
# KeyringMode = "private";
};
@ -279,6 +356,7 @@ in {
"-/lost+found"
"/dev/shm"
"-%h/.ssh"
"-%h/.gnupg"
];
# KeyringMode = "private";
};
@ -300,6 +378,7 @@ in {
"-/lost+found"
"/dev/shm"
"-%h/.ssh"
"-%h/.gnupg"
];
KeyringMode = "private";
};
@ -318,6 +397,7 @@ in {
"-/lost+found"
"/dev/shm"
"-%h/.ssh"
"-%h/.gnupg"
];
KeyringMode = "private";
};
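Review bot: In the ff_nn and voidff hunks (`@ -125,9 +139,63 @@` and `@ -143,30 +211,37 @@`) the browser's own install directory is bound read-write into the tmpfs home (`"-%h/Downloads/${flavour}"` and `"-%h/${execPath}"` under `BindPaths`), so the sandboxed process can modify the very `firefox-bin` that `ExecStart` launches; moving those entries to `BindReadOnlyPaths = ["-%h/Downloads/${flavour}"];` (and the matching `execPath` line for voidff) keeps the binary immutable from inside the unit without changing anything else. Binding the whole of `-%h/.config` and `-%h/.local` read-write also re-exposes much of what `ProtectHome = "tmpfs"` and `paths.inaccessible` were meant to hide, since other applications keep their state and credentials there; narrowing these to the specific subdirectories the browser actually needs, or adding a short comment on why the full directories are required, would make the hardening intent clear. The `-` prefix on both `ExecStart` lines makes a non-zero exit count as success, so `Restart = "on-failure"` will presumably never trigger on a browser crash that exits non-zero — worth confirming that this is intended. Finally, `RestrictNamespaces = true` may interfere with Firefox's own content-process sandbox, which relies on namespaces; checking the Sandbox section of about:support after the change would show whether the inner sandbox still runs at full level.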