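# NixOS module for the `bookwyrm` service.
#
# Runs the `bookwyrm` package (resolved from the `pkgs.kernelmaft` package set
# via the inner `with`) as the unprivileged `bookwyrm` system user, with its
# writable state confined to /var/lib/bookwyrm and the rest of the filesystem
# read-only.
{ pkgs, ... }:

with pkgs;
# The inner `with` shadows the outer one for `bookwyrm` (and anything else the
# kernelmaft set defines); `coreutils-full` still resolves from `pkgs`.
with pkgs.kernelmaft;

{
  # NOTE(review): the unit carries no `wantedBy` / [Install] section, so it is
  # not started at boot unless another module pulls it in — confirm intended.
  systemd.units."bookwyrm.service".text = ''
    [Unit]
    After=network.target

    [Service]
    # Expose the packaged VERSION file inside the state directory, which
    # StateDirectory= below creates and keeps writable under ProtectSystem=strict.
    ExecStartPre=${coreutils-full}/bin/ln -sf ${bookwyrm}/var/lib/bookwyrm/VERSION /var/lib/bookwyrm/
    ExecStart=${bookwyrm}/bin/bookwyrm
    WorkingDirectory=/var/lib/bookwyrm

    # Creates /var/lib/bookwyrm directory (owned by User=/Group= below) and
    # keeps it writable despite ProtectSystem=strict.
    StateDirectory=bookwyrm

    User=bookwyrm
    Group=bookwyrm

    # Sandboxing. These values must be unquoted: the unit parser does not strip
    # quotes from single-value settings such as ProtectSystem=, so a quoted
    # value like ProtectSystem="strict" is rejected with a "Failed to parse ...
    # ignoring" warning and the protection never applies.
    # Verify after edits with: systemd-analyze verify bookwyrm.service
    ProtectSystem=strict
    # The service's home is /var/lib/bookwyrm (outside /home, /root and
    # /run/user), so the tmpfs over those paths does not touch its own files.
    ProtectHome=tmpfs
    # NOTE(review): PrivateTmp=disconnected and ProtectControlGroups=strict are
    # recent values; an older systemd is expected to warn and ignore them
    # rather than fail — confirm the target release supports them.
    PrivateTmp=disconnected
    PrivateDevices=true
    PrivateIPC=true
    ProtectHostname=true
    ProtectClock=true
    ProtectKernelTunables=true
    ProtectKernelModules=true
    ProtectControlGroups=strict
    RestrictNamespaces=true
    LockPersonality=true
    RestrictRealtime=true
    RestrictSUIDSGID=true
    # Already implied by the Protect* settings for a non-root User=; stated
    # explicitly so the intent survives if those lines are changed.
    NoNewPrivileges=true
  '';

  # Dedicated unprivileged identity the service runs under.
  users.groups.bookwyrm = { };

  users.users.bookwyrm = {
    group = "bookwyrm";
    # Matches WorkingDirectory= / StateDirectory= in the unit above.
    home = "/var/lib/bookwyrm";
    isSystemUser = true;
  };
}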