services/wezterm-mux-server: init module

2025-04-18 06:19:11 +00:00 · 2023-07-20 10:40:04 +08:00 · 2023-07-20 10:40:04 +08:00 · 44ccbea7e1
commit 44ccbea7e1
parent 5212de691d
2 changed files with 82 additions and 0 deletions
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -12,6 +12,7 @@ let
    ./programs/wezterm.nix
    ./services/archivebox.nix
    ./services/gallery-dl.nix
+    ./services/wezterm-mux-server.nix
    ./services/yt-dlp.nix
    ./workflows
  ];
--- a/modules/nixos/services/wezterm-mux-server.nix
+++ b/modules/nixos/services/wezterm-mux-server.nix
@ -0,0 +1,81 @@
+{ config, options, lib, pkgs, ... }:
+
+let
+  cfg = config.services.wezterm-mux-server;
+in
+{
+  options.services.wezterm-mux-server = {
+    enable = lib.mkEnableOption "Wezterm mux server";
+    package = lib.mkOption {
+      type = lib.types.package;
+      description = lib.mdDoc ''
+        The package containing the {command}`wezterm-mux-server` binary.
+      '';
+      default = pkgs.wezterm;
+      defaultText = "pkgs.wezterm";
+    };
+    configFile = lib.mkOption {
+      type = with lib.types; nullOr path;
+      description = lib.mdDoc ''
+        The path to the configuration file. For more information, you can see
+        [its section for setting up multiplexing](https://wezfurlong.org/wezterm/multiplexing.html).
+      '';
+      default = null;
+      defaultText = "null";
+      example = lib.literalExpression "./wezterm-mux-server.lua";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.wezterm-mux-server = {
+      description = "Wezterm mux server";
+      after = [ "network.target" ];
+      script = "${lib.getBin cfg.package}/bin/wezterm-mux-server ${lib.optionalString (cfg.configFile != null) "--config-file ${cfg.configFile}"}";
+
+      # Give it some tough love.
+      serviceConfig = {
+        # Use a dynamic user.
+        User = "wezterm";
+        Group = "wezterm";
+        DynamicUser = true;
+
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        RestrictSUIDSGID = true;
+        RestrictRealtime = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        ProtectHostname = true;
+        ProtectControlGroups = true;
+        ProtectProc = "invisible";
+
+        # Filtering system calls.
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+        SystemCallErrorNumber = "EPERM";
+        SystemCallArchitectures = "native";
+
+        # Restricting what capabilities this service has.
+        CapabilityBoundingSet = [ "" ];
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+
+        # Restrict what address families this service can interact with.
+        # Wezterm mux server mostly expects it to interact with the internet
+        # families and makes use of Unix sockets.
+        RestrictAddressFamilies = [
+          # Practically required as it uses Unix sockets.
+          "AF_LOCAL"
+
+          # The internet class families.
+          "AF_INET"
+          "AF_INET6"
+        ];
+
+        # Restrict what namespaces it can create which is none.
+        RestrictNamespaces = true;
+      };
+    };
+  };
+}