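# NixOS module for the matrixoidc server.
#
# `self` is the flake that provides `self.packages`; the remaining arguments
# are the usual NixOS module arguments.
self: { config, lib, pkgs, utils, ... }:
let
  cfg = config.services.matrixoidc;

  # Where systemd exposes the `LoadCredential=` entry declared below.
  # Spelled out literally rather than via the `%d` specifier because
  # `utils.escapeSystemdExecArgs` escapes `%` in its arguments.
  credentialName = "matrixoidc-secrets";
  credentialPath = "/run/credentials/matrixoidc.service/${credentialName}";
in
{
  meta.maintainers = with lib.maintainers; [ quadradical ];

  options.services.matrixoidc = {
    enable = lib.mkEnableOption "the matrixoidc server";

    package = lib.mkPackageOption self.packages.${pkgs.system} "default" { };

    jwtSecretFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        File containing the JWT secret. It is handed to the service through
        systemd's `LoadCredential=` and passed as `--jwtSecretFile`.

        Give this as a string path (e.g. `"/run/secrets/matrixoidc-jwt"`),
        not a path literal: a path literal would be copied into the
        world-readable Nix store.
      '';
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "matrixoidc";
      description = ''
        Group the service runs as; it also owns the runtime directory.
        The module does not create this group itself.
      '';
    };

    args = lib.mkOption {
      type = with lib.types; listOf str;
      default = [ ];
      description = "Extra command-line arguments appended to the server invocation.";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.matrixoidc = {
      description = "matrixoidc server";
      documentation = [ "https://git.federated.nexus/Henry-Hiles/matrixoidc" ];
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        # The secret is read by systemd (as root) and exposed to the
        # unprivileged service under /run/credentials/.
        LoadCredential = [ "${credentialName}:${cfg.jwtSecretFile}" ];
        ExecStart = utils.escapeSystemdExecArgs ([
          (lib.getExe cfg.package)
          "--jwtSecretFile=${credentialPath}"
        ] ++ cfg.args);

        # Sandboxing.
        DynamicUser = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        PrivateDevices = true;
        PrivateMounts = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        ProtectHome = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];

        # "aslways" was a typo that systemd would reject as an invalid
        # Restart= value, leaving the service without automatic restarts.
        Restart = "always";
        RestartSec = 5;

        # Modes are given as strings: Nix has no octal literals, so `007`
        # and `0770` were decimal integers that only worked because systemd
        # happened to re-parse the rendered digits as octal.
        UMask = "0007";
        RuntimeDirectory = "matrixoidc";
        RuntimeDirectoryMode = "0770";
        Group = cfg.group;
      };
    };
  };
}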