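# NixOS module for gickup, a git repository mirroring service.
#
# The daemon runs as a dedicated `gickup` system user inside a systemd
# sandbox. Its configuration is taken from `services.gickup.settings`,
# rendered to YAML, and passed to the binary as its config file.
{
  config,
  pkgs,
  lib,
  # `utils` provides escapeSystemdExecArgs, used in ExecStart below; it must
  # be bound here or module evaluation fails with an undefined variable.
  utils,
  ...
}:
let
  cfg = config.services.gickup;
  # gickup is configured with a YAML file; the nixpkgs format helper gives
  # us both the option type and the generator for it.
  format = pkgs.formats.yaml { };
in
{
  options.services.gickup = {
    enable = lib.mkEnableOption "gickup, a git repository mirroring service";
    package = lib.mkPackageOption pkgs "gickup" { };
    gitPackage = lib.mkPackageOption pkgs "git" { };
    gitLfsPackage = lib.mkPackageOption pkgs "git-lfs" { };
    settings = lib.mkOption {
      type = lib.types.submodule {
        freeformType = format.type;
      };
      description = ''
        Configuration for gickup, serialised to YAML and passed to the
        daemon as its configuration file.

        The generated file lives in the Nix store and is therefore
        world-readable: do not put access tokens or other secrets in
        these settings directly.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Dedicated unprivileged account for the service; the unit below runs
    # as this user, and its home matches the StateDirectory.
    users.users.gickup = {
      isSystemUser = true;
      group = "gickup";
      home = "/var/lib/gickup";
    };
    users.groups.gickup = { };

    systemd.services.gickup = {
      description = "Gickup git repository mirroring service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # git and git-lfs must be on PATH for the mirroring to work.
      path = [
        cfg.gitPackage
        cfg.gitLfsPackage
      ];

      serviceConfig = {
        ExecStart = utils.escapeSystemdExecArgs [
          (lib.getExe cfg.package)
          (format.generate "gickup-settings.conf" cfg.settings)
        ];

        # Run as the dedicated account rather than root. Without User= the
        # user created above would be unused and the daemon would run as
        # uid 0 regardless of the sandboxing options below.
        User = "gickup";
        Group = "gickup";

        StateDirectory = "gickup";
        # %S expands to /var/lib for system services, so this resolves to
        # the StateDirectory created above; an absolute path avoids relying
        # on how systemd interprets a bare relative directory name.
        WorkingDirectory = "%S/gickup";
        RuntimeDirectory = "gickup";
        RuntimeDirectoryMode = "0700";

        # Hardening options
        AmbientCapabilities = [ ];
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        # Only IP sockets are needed to reach remote git hosts.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@resources"
          "~@privileged"
        ];
        # Files the service creates (the mirrored repositories) are
        # group-writable with this umask; use "0077" if the state directory
        # should be private to the service user.
        UMask = "0002";
        CapabilityBoundingSet = [ ];
      };
    };
  };
}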