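# NixOS module for qotd: a socket-activated service on TCP port 17.
# systemd owns the listening socket and starts one "qotd@" instance per
# accepted connection, so the service never binds the privileged port itself.
{ config, pkgs, lib, ... }:
let
  cfg = config.services.qotd;
in
{
  options.services.qotd = {
    # mkEnableOption prepends "Whether to enable", so pass only the noun phrase.
    enable = lib.mkEnableOption "the qotd service on TCP port 17";

    package = lib.mkPackageOption pkgs "qotd" { };

    quotes = lib.mkOption {
      description = ''
        Quotes handed to the service. The entries are joined with a
        `---` separator line and written to a file in the Nix store;
        the store is world-readable, so do not put secrets here.
      '';
      type = lib.types.listOf lib.types.str;
      default = [ ];
    };
  };

  config = lib.mkIf cfg.enable {
    # Template unit: instantiated per connection because the socket below
    # sets Accept = "yes".
    systemd.services."qotd@" = {
      description = "qotd";

      # Store path of the generated quote database, read by the program
      # through the QOTD_QUOTES_PATH environment variable.
      environment.QOTD_QUOTES_PATH = lib.pipe cfg.quotes [
        (lib.concatStringsSep "\n\n---\n\n")
        (pkgs.writeText "qotd-db.txt")
      ];

      serviceConfig = {
        Type = "simple";
        ExecStart = "${lib.getExe pkgs.uiua} run ${cfg.package}/bin/.main.uasm";

        # Transient unprivileged user. DynamicUser also implies
        # ProtectSystem=strict, ProtectHome=read-only, PrivateTmp,
        # RemoveIPC, NoNewPrivileges and RestrictSUIDSGID.
        User = "qotd";
        DynamicUser = true;
        PrivateUsers = true;

        # The accepted connection is the process's stdout.
        StandardOutput = "socket";

        # Kept as originally configured.
        # NOTE(review): the connection socket is inherited from systemd, so
        # a private network namespace may be usable here. Confirm first.
        PrivateNetwork = false;

        # Sandboxing for a network-reachable interpreter process. These only
        # remove privileges that a program reading a store file and writing
        # to an inherited socket has no use for.
        AmbientCapabilities = [ "" ];
        CapabilityBoundingSet = [ "" ];
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";

        # NOTE(review): left disabled until verified against the uiua
        # interpreter, since each can break a runtime that needs the
        # feature it removes:
        #   MemoryDenyWriteExecute, SystemCallFilter, ProtectProc,
        #   ProcSubset, RestrictAddressFamilies, IPAddressDeny,
        #   SocketBindDeny.
      };
    };

    systemd.sockets."qotd" = {
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        ListenStream = 17;
        # One service instance (one interpreter process) per connection.
        # MaxConnections= and MaxConnectionsPerSource= on this unit are the
        # knobs that bound how many a remote peer can spawn.
        Accept = "yes";
      };
    };
  };
}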