From 058ba839634cf1e045e7183fa75c602451503abc Mon Sep 17 00:00:00 2001
From: Charlie Root
Date: Tue, 4 Mar 2025 19:37:59 +0100
Subject: [PATCH] wayneko/module.nix: init
---
 modules/services/wayneko/module.nix | 44 +++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 modules/services/wayneko/module.nix
diff --git a/modules/services/wayneko/module.nix b/modules/services/wayneko/module.nix
new file mode 100644
index 0000000..462272e
--- /dev/null
+++ b/modules/services/wayneko/module.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib.meta) getExe;
+in {
+ systemd.user.services.wayneko = {
+ description = "Wayneko, as a systemd service";
+
+ wantedBy = ["graphical-session.target"];
+ partOf = ["graphical-session.target"];
+ after = ["graphical-session.target"];
+
+ serviceConfig = {
+ ExecStart = "${getExe pkgs.wayneko} --layer top";
+
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+ DevicePolicy = "closed";
+ PrivateNetwork = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectControlGroup = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictRealTime = true;
+ RestrictSUIDSGID = true;
+
+ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+ };
+ };
+}
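Review bot: `ProtectControlGroup = true;` and `RestrictRealTime = true;` in serviceConfig are misspelled duplicates of the real `ProtectControlGroups` and `RestrictRealtime` keys that sit right next to them; systemd does not recognise the misspelled names and ignores them with an "Unknown key name" warning at unit load, so they add nothing and should be dropped to keep the hardening list honest. `DevicePolicy = "closed";` is likewise redundant, since `PrivateDevices = true` already implies it. Given this is a Wayland client that only needs the compositor's unix socket, the sandbox could be tightened further with `RestrictAddressFamilies = "AF_UNIX";`, `CapabilityBoundingSet = "";` and `SystemCallArchitectures = "native";`, which together deny network socket creation and the non-native syscall ABIs that the current blocklist-style SystemCallFilter leaves open. Whether `PrivateDevices` and `PrivateNetwork` are compatible with the program (GPU rendering via /dev/dri, any network use) cannot be judged from this hunk and is worth confirming on a running session.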