From 9cc2ff512c143c4591a270950063f95159d80f81 Mon Sep 17 00:00:00 2001
From: Charlie Root
Date: Sat, 8 Mar 2025 14:36:33 +0100
Subject: [PATCH] nextcloud/module.nix: init

Introduce a hardened systemd service for nextcloud
---
 modules/services/nextcloud/module.nix | 48 +++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 modules/services/nextcloud/module.nix

diff --git a/modules/services/nextcloud/module.nix b/modules/services/nextcloud/module.nix
new file mode 100644
index 0000000..53456e5
--- /dev/null
+++ b/modules/services/nextcloud/module.nix
@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib.meta) getExe';
+  inherit (lib.modules) mkIf;
+  cfg = config.modules.system.services.nextcloud;
+in {
+  options.modules.system.services.nextcloud.enable = lib.mkEnableOption "nextcloud";
+
+  config = {
+    systemd.user.services.nextcloud = mkIf cfg.enable {
+      description = "Nextcloud client service";
+
+      # makes the graphical session start this service when it starts
+      wantedBy = ["graphical-session.target"];
+      # when graphical session restarts or gets stopped, this also gets restarted/stopped.
+      partOf = ["graphical-session.target"];
+      # gets started only after graphical session
+      after = ["graphical-session.target"];
+
+      serviceConfig = {
+        ExecStart = "${getExe' pkgs.nextcloud-client "nextcloud"} --background";
+        Restart = "always";
+        RestartSec = 30;
+
+        # User = "cr";
+        # Group = "cr";
+
+        Keyringmode = "shared";
+        DevicePolicy = "closed";
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectControlGroup = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+
+        ProtectSystem = "strict";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap @privileged";
+      };
+    };
+  };
+}
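Review bot: `ProtectSystem = "strict"` mounts the entire hierarchy read-only, including the user's home, and nothing in the hunk re-opens a writable path, so the sync client cannot write its sync folder or its configuration once the unit starts; scope the exception instead of dropping the protection, e.g. `ReadWritePaths = ["%h"];` beside `ProtectSystem`, narrowed further to the actual sync and config directories once they are known. Two directive names in the same `serviceConfig` block are misspelled and will be ignored by systemd rather than applied: `Keyringmode` should be `KeyringMode = "shared";`, and `ProtectControlGroup = true;` is not a directive and merely duplicates the correct `ProtectControlGroups` line above it, so it should be removed. Nix renders `serviceConfig` keys into the `[Service]` section as given, so these typos surface only as unit-load warnings in the journal; `systemd-analyze security` with `--user` on the unit after the change would confirm the intended settings are actually in effect. Because this is a user unit, the namespace-based options (`ProtectSystem`, `PrivateTmp`, `PrivateDevices`) presumably depend on unprivileged user namespaces being available on the host; if they are not, the unit would likely fail to start rather than run unsandboxed, which is the safer failure mode but worth stating in a comment on the block, e.g. `# sandboxing below needs unprivileged user namespaces; the unit fails closed without them`.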