
wip
kimat committed Mar 12, 2024
1 parent 0b206ad commit 8243047
Showing 1 changed file with 104 additions and 9 deletions.
113 changes: 104 additions & 9 deletions nixos/modules/services/desktops/espanso.nix
Expand Up @@ -5,30 +5,125 @@ let cfg = config.services.espanso;
in {
meta = { maintainers = with lib.maintainers; [ numkem ]; };

options = {
services.espanso = {
enable = options.mkEnableOption (lib.mdDoc "Espanso");
options.services.espanso = {
enable = options.mkEnableOption (lib.mdDoc "Espanso");
package = mkOption {
type = types.package;
default = pkgs.espanso;
defaultText = literalExpression "pkgs.espanso";
description = mdDoc "The espanso package to use.";
};
};

config = mkIf cfg.enable {
systemd.user.services.espanso = {
description = "Espanso daemon";
serviceConfig = {
ExecStart = "${pkgs.espanso}/bin/espanso daemon";
ExecStart = "${cfg.package}/bin/espanso daemon";
Restart = "on-failure";
# CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_SETPCAP" ];
PrivateNetwork = true;
MemoryDenyWriteExecute = true;
CapabilityBoundingSet = [
"~CAP_SETUID"
"~CAP_SETGID"
"~CAP_SETPCAP"
"~CAP_SYS_ADMIN"
"~CAP_SYS_PTRACE"
"~CAP_NET_ADMIN"
"~CAP_FOWNER"
"~CAP_IPC_OWNER"
"~CAP_SYS_TIME"
"~CAP_KILL"
"~CAP_SYS_BOOT"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_SYS_CHROOT"
"~CAP_BLOCK_SUSPEND"
"~CAP_SYS_PACCT"
"~CAP_WAKE_ALARM"
"~CAP_AUDIT_WRITE"
"~CAP_AUDIT_CONTROL"
"~CAP_AUDIT_READ"
"CAP_DAC_READ_SEARCH"
"CAP_DAC_OVERRIDE"
];
SystemCallArchitectures = [ "native" ];
RestrictRealtime = true;
# SystemCallFilter = map (x: "~@${x}") [
# "clock"
# "debug"
# "module"
# "reboot"
# "swap"
# "cpu-emulation"
# "obsolete"
# "privileged"
# "resources"
# ];
LockPersonality = true;
UMask = "077";
IPAddressDeny = [ "0.0.0.0/0" "::/0" ];
# ProtectClock = true;
# DeviceAllow = [ "/dev/input/event24" ];
ProtectHostname = true;
# Does not work, the service cannot locate sway socket
# PrivateUsers = true;
RestrictAddressFamilies = "AF_UNIX";
RestrictNamespaces = true;
# RestrictNamespaces = ["~CLONE_NEWUSER" "~CLONE_NEWIPC" "~CLONE_NEWNET" "~CLONE_NEWNS" "~CLONE_NEWPID"];
# ProtectClock = true;
# Need 'tmpfs' here so that the socket may be actually bind-mounted through Bind*Paths
ProtectHome = "tmpfs";
# BindReadOnlyPaths = lib.mkIf (cfg.withSway) [ userPath ];
# Sway socket gets generated as $XDG_RUNTIME_DIR/sway-ipc.$UID.$SWAY_PID
# Hacky way to allow sway socket
# Systemd does not support wildcards :(
# InaccessiblePaths = lib.mkIf (cfg.withSway)
# (map (x: "-${userPath}/${x}") [
# "app"
# "bus"
# "dbus-1"
# ".dbus-proxy"
# "dconf"
# "env-vars"
# ".flatpak"
# ".flatpak-helper"
# "gnupg"
# "pipewire-0"
# "pipewire-0.lock"
# "pulse"
# "systemd"
# "tmux-${toString cfg.userId}"
# "wayland-1"
# "wayland-1.lock"
# ]);
# Looks like Hyprland socket is hardcoded to be in tmp
# PrivateTmp = cfg.withHypr;
ProtectKernelLogs = true;
# Does not work, running as root
# ProtectProc = true;
# SystemCallFilter = "~@clock";
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictSUIDSGID = true;
# End of hardening
Nice = -20;
};
wantedBy = [ "default.target" ];
};

environment.systemPackages = [ pkgs.espanso ];
environment.systemPackages = [ cfg.package ];

security.wrappers.dumpcap = {
source = "${pkgs.espanso}/bin/espanso";
security.wrappers.espanso = {
source = "${pkgs.espanso-wayland}/bin/espanso";
capabilities = "cap_dac_override+p";
owner = "root";
group = "espanso";
permissions = "u+rw";
group = "users";
permissions = "u+rw,g+rw";
};
};
}
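Review bot: The `security.wrappers.espanso` block hard-codes `source = "${pkgs.espanso-wayland}/bin/espanso"` while the same hunk introduces `cfg.package` and uses it for `ExecStart` and `environment.systemPackages`, so the binary carrying `cap_dac_override+p` can be a different build from the one the service actually runs; `source = "${cfg.package}/bin/espanso";` keeps the three in step. The same block moves the wrapper from group `espanso` to `users` with `permissions = "u+rw,g+rw"`, which hands a capability that bypasses file-permission checks to every member of a general-purpose group and, as written, sets no execute bit at all — a dedicated group and the default execute permissions are the safer starting point, and it is worth noting that `ExecStart` invokes the package binary directly rather than the wrapper, so the two paths presumably need reconciling. In `serviceConfig`, `CapabilityBoundingSet` mixes `~`-prefixed drops with bare `CAP_DAC_READ_SEARCH` and `CAP_DAC_OVERRIDE` entries; since NixOS emits a list as repeated `CapabilityBoundingSet=` lines and systemd merges `~` lines by AND but plain lines by OR, the two bare entries add nothing and the result stays a deny-list, whereas the allow-list `CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_DAC_OVERRIDE" ];` would express what the surrounding hardening appears to intend. The commented-out experiments (`SystemCallFilter`, `InaccessiblePaths`, `PrivateUsers`) reference options such as `cfg.withSway` and `cfg.userId` that the module does not declare, so they should either be removed or gated behind real options before this leaves "wip". The file's function header and `let` binding precede the hunk, so the enclosing expression starts outside it.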
