From 877f45c103d050283506f963a0d357683ad54ecf Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 29 Nov 2025 15:20:15 +0900
Subject: [PATCH] nix: vendor systemd units

---
 assets/systemd/muscl.service | 2 +
 assets/systemd/muscl.socket | 4 +-
 flake.nix | 1 +
 nix/default.nix | 7 +++-
 nix/module.nix | 72 ++++------------------------------------
 5 files changed, 20 insertions(+), 66 deletions(-)

diff --git a/assets/systemd/muscl.service b/assets/systemd/muscl.service
index 592a4aa..ce22fe6 100644
--- a/assets/systemd/muscl.service
+++ b/assets/systemd/muscl.service
@@ -8,6 +8,8 @@ ExecStart=/usr/bin/muscl server --systemd socket-activate
 
 WatchdogSec=15
 
+# Although this is a multi-instance unit, the constant `User` field is needed
+# for authentication via mysql's auth_socket plugin to work.
 User=muscl
 Group=muscl
 DynamicUser=yes
diff --git a/assets/systemd/muscl.socket b/assets/systemd/muscl.socket
index c126cc2..3dc3aef 100644
--- a/assets/systemd/muscl.socket
+++ b/assets/systemd/muscl.socket
@@ -1,8 +1,10 @@
 [Unit]
 Description=MySQL administration tool for non-admin users
-WantedBy=sockets.target
 
 [Socket]
 ListenStream=/run/muscl/muscl.sock
 Accept=no
 PassCredentials=true
+
+[Install]
+WantedBy=sockets.target
diff --git a/flake.nix b/flake.nix
index 56c2d19..52e9105 100644
--- a/flake.nix
+++ b/flake.nix
@@ -82,6 +82,7 @@
 root = ./.;
 fileset = lib.fileset.unions [
 (craneLib.fileset.commonCargoSources ./.)
+ ./assets
 ];
 };
 in {
diff --git a/nix/default.nix b/nix/default.nix
index f9ac4d9..4f43563 100644
--- a/nix/default.nix
+++ b/nix/default.nix
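Review bot: The vendored `assets/systemd/muscl.socket` leaves the socket's access mode implicit: with no `SocketMode=` in `[Socket]`, systemd creates `/run/muscl/muscl.sock` with its default mode 0666, so every local account can connect. That looks intended for a tool aimed at non-admin users, and `PassCredentials=true` suggests the server authorises callers from their peer credentials, but this file is now the copy that packagers install, so the intent should be written down. I would add `# Any local user may connect; the server authorises callers by peer credentials.` above an explicit `SocketMode=0666`, so a later edit to the mode is a visible decision rather than a side effect of the default.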
@@ -31,7 +31,12 @@ buildFunction {
 shell = [ "bash" "zsh" "fish" ];
 command = [ "muscl" "mysql-dbadm" "mysql-useradm" ];
 };
- in lib.concatStringsSep "\n" commands;
+ in lib.concatStringsSep "\n" commands + ''
+ install -Dm444 assets/systemd/muscl.socket -t "$out/lib/systemd/system"
+ install -Dm644 assets/systemd/muscl.service -t "$out/lib/systemd/system"
+ substituteInPlace "$out/lib/systemd/system/muscl.service" \
+ --replace-fail '/usr/bin/muscl' "$out/bin/muscl"
+ '';
 
 meta = with lib; {
 license = licenses.mit;
diff --git a/nix/module.nix b/nix/module.nix
index 076369b..ae37411 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -96,31 +96,17 @@ in
 }
 ];
 
+ systemd.packages = [ cfg.package ];
+
+ systemd.sockets."muscl".wantedBy = [ "sockets.target" ];
+
 systemd.services."muscl" = {
- description = "MySQL administration tool for non-admin users";
 restartTriggers = [ config.environment.etc."muscl/config.toml".source ];
- requires = [ "muscl.socket" ];
 serviceConfig = {
- Type = "notify";
- ExecStart = "${lib.getExe cfg.package} ${cfg.logLevel} server --systemd socket-activate";
-
- WatchdogSec = 15;
-
- # Although this is a multi-instance unit, the constant `User` field is needed
- # for authentication via mysql's auth_socket plugin to work.
- User = "muscl";
- Group = "muscl";
- DynamicUser = true;
-
- ConfigurationDirectory = "muscl";
- RuntimeDirectory = "muscl";
-
- # This is required to read unix user/group details.
- PrivateUsers = false;
-
- # Needed to communicate with MySQL.
- PrivateNetwork = false;
- PrivateIPC = false;
+ ExecStart = [
+ ""
+ "${lib.getExe cfg.package} ${cfg.logLevel} server --systemd socket-activate"
+ ];
 
 IPAddressDeny = "any";
 IPAddressAllow = [
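Review bot: The install script appended in `nix/default.nix` is joined to the completion commands without a separator: `lib.concatStringsSep "\n"` adds no trailing newline, and Nix drops the empty first line of a `''` string, so the text after `commands +` begins directly with `install -Dm444`. Unless every element of `commands` already ends in a newline (its definition starts above the hunk), the first `install` becomes trailing arguments of the last completion command and `muscl.socket` is not copied; the build may still succeed, because `--replace-fail` only guards the service file. Writing `in lib.concatStringsSep "\n" commands + "\n" + ''` makes the boundary explicit.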
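Review bot: The socket unit no longer follows `cfg.settings.server.socket_path`: the vendored `muscl.socket` hard-codes `ListenStream=/run/muscl/muscl.sock`, the only socket setting left in `nix/module.nix` is `wantedBy`, and the `ListenStream = cfg.settings.server.socket_path` assignment is dropped in the next hunk. If that option is still exposed (its declaration is outside the hunk), a non-default value would leave systemd listening on one path while the configuration points at another; an override in the same style as the `ExecStart` reset keeps them aligned, `systemd.sockets."muscl".socketConfig.ListenStream = [ "" cfg.settings.server.socket_path ];`. The next hunk also removes the whole sandboxing set (`NoNewPrivileges`, `ProtectSystem`, `SystemCallFilter` and the rest) from the module, so the service's confinement now depends on `assets/systemd/muscl.service` carrying the same directives. Only a few lines of that file are visible in this patch, so parity should be confirmed, for example by comparing `systemd-analyze security muscl.service` before and after. The `serviceConfig` block continues past the end of this hunk.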
@@ -131,48 +117,6 @@ in
 RestrictAddressFamilies = [ "AF_UNIX" ] ++ (lib.optionals (cfg.settings.mysql.host != null) [ "AF_INET" "AF_INET6" ]);
-
- AmbientCapabilities = [ "" ];
- CapabilityBoundingSet = [ "" ];
- DeviceAllow = [ "" ];
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateMounts = true;
- PrivateTmp = "yes";
- ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = "strict";
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RemoveIPC = true;
- UMask = "0777";
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SocketBindDeny = [ "any" ];
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- "~@resources"
- ];
- };
- };
-
- systemd.sockets."muscl" = {
- description = "MySQL administration tool for non-admin users";
- wantedBy = [ "sockets.target" ];
- socketConfig = {
- ListenStream = cfg.settings.server.socket_path;
- Accept = "no";
- PassCredentials = true;
 };
 };
 };