Configuring a user home directory also enables several invocations and mechanisms, e.g. SSH authorized_keys or bashrc, which is bad from a security perspective. The service doesn't need a home directory at all, and the environment is now set up in other ways. So drop it. This doesn't change the current behaviour. Signed-off-by: Felix Singer <felixsinger@posteo.net>
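# NixOS module that runs weechat inside a detached `screen` session as the
# dedicated `weechat` system user.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.services.weechat;

  # Location systemd manages through StateDirectory=. Any other value of
  # `cfg.root` is created through systemd-tmpfiles instead.
  defaultRoot = "/var/lib/weechat";
in
{
  options.services.weechat = {
    enable = lib.mkEnableOption "weechat";

    root = lib.mkOption {
      description = "Weechat state directory.";
      type = lib.types.path;
      default = defaultRoot;
    };

    sessionName = lib.mkOption {
      description = "Name of the `screen` session for weechat.";
      default = "weechat-screen";
      type = lib.types.str;
    };

    binary = lib.mkOption {
      type = lib.types.path;
      description = "Binary to execute.";
      default = "${pkgs.weechat}/bin/weechat";
      defaultText = lib.literalExpression ''"''${pkgs.weechat}/bin/weechat"'';
      example = lib.literalExpression ''"''${pkgs.weechat}/bin/weechat-headless"'';
    };
  };

  config = lib.mkIf cfg.enable {
    users = {
      groups.weechat = { };
      # Dedicated system account with no home directory configured: the
      # service receives its state location explicitly via `--dir` below.
      users.weechat = {
        group = "weechat";
        isSystemUser = true;
      };
    };

    # Only a non-default root needs a tmpfiles entry; the default location is
    # created by StateDirectory= in the unit below. Mode 750 keeps the state
    # directory closed to users outside the weechat group.
    systemd.tmpfiles.settings."weechat" = {
      "${cfg.root}" = lib.mkIf (cfg.root != defaultRoot) {
        d = {
          user = "weechat";
          group = "weechat";
          mode = "750";
        };
      };
    };

    systemd.services.weechat = {
      # NOTE(review): no sandboxing options are set on this unit. Any that are
      # added must be tested against the setuid screen wrapper used by
      # `script`; NoNewPrivileges= in particular stops setuid binaries from
      # gaining privileges.
      serviceConfig = {
        User = "weechat";
        Group = "weechat";
        StateDirectory = lib.mkIf (cfg.root == defaultRoot) "weechat";
        # Written as a string so it is not mistaken for a decimal number;
        # systemd reads the value as an octal mode.
        StateDirectoryMode = "750";
        RemainAfterExit = "yes";
      };
      # Every argument is shell-escaped, so a session name or path containing
      # whitespace or shell metacharacters reaches screen as one literal
      # argument instead of being word-split or interpreted by the shell.
      script = "exec ${
        lib.escapeShellArgs [
          "${config.security.wrapperDir}/screen"
          "-Dm"
          "-S"
          cfg.sessionName
          "${cfg.binary}"
          "--dir"
          "${cfg.root}"
        ]
      }";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network.target" ];
    };

    # Installs a setuid-root wrapper for screen in the system-wide wrapper
    # directory. The wrapper is not limited to this service, so enabling
    # weechat adds a root-owned setuid binary to the host's attack surface;
    # keep pkgs.screen patched.
    # NOTE(review): presumably needed so that other users can attach to the
    # session through screen's multiuser mode -- confirm against weechat.md
    # before changing or removing it.
    security.wrappers.screen = {
      setuid = true;
      owner = "root";
      group = "root";
      source = "${pkgs.screen}/bin/screen";
    };
  };

  meta.doc = ./weechat.md;
}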