small update

2025-07-13 22:51:22 +02:00 · 2025-07-13 22:51:22 +02:00 · b1490ec9a8
commit b1490ec9a8
parent c4f6785845
100 changed files with 187 additions and 1695 deletions
--- a/modules/services/wayneko/module.nix
+++ b/modules/services/wayneko/module.nix
@ -1,73 +0,0 @@
-{
-  lib,
-  pkgs,
-  ...
-}: let
-  inherit (lib.meta) getExe;
-
-  custom-wayneko = pkgs.wayneko.overrideAttrs {
-    src = pkgs.fetchFromGitea {
-      domain = "copeberg.org";
-      owner = "virt";
-      repo = "wayneko";
-      rev = "3ed4e4e1f847213e712fe22e0278ec62c4fa2cf2";
-      hash = "sha256-NxNrcQkx82SQ5GRqcJbbgM/Qg3GY8Whu5m5wI3zQi18=";
-    };
-
-    hash = "";
-  };
-in {
-  systemd.user.services.wayneko = {
-    description = "Wayneko, as a systemd service";
-
-    # makes the graphical session start this service when it starts
-    wantedBy = ["graphical-session.target"];
-    # when graphical session restarts or gets stopped, this also gets restarted/stopped.
-    partOf = ["graphical-session.target"];
-    # gets started only after graphical session
-    after = ["graphical-session.target"];
-
-    serviceConfig = {
-      ExecStart = ''
-        ${getExe custom-wayneko}\
-        --layer top\
-        --type striped\
-        --background-colour 0xb4befe\
-        --outline-colour 0x1e1e2e
-      '';
-      Restart = "on-failure";
-      RestartSec = 1;
-      TimeoutStopSec = 10;
-
-      CapabilityBoundingSet = [""];
-      DevicePolicy = "closed";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      PrivateNetwork = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProcSubset = "pid";
-
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectControlGroup = true;
-      ProtectHome = "read-only";
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "strict";
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictRealTime = true;
-      RestrictSUIDSGID = true;
-
-      SystemCallArchitectures = ["native"];
-
-      SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap @privileged";
-    };
-  };
-}