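# NixOS module: runs oauth2-proxy as a confined, hardened systemd service.
# The TOML configuration is rendered from `settings`; secrets are meant to
# arrive via `environmentFiles` (systemd EnvironmentFile=), not via `settings`.
{ pkgs, lib, config, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption mkPackageOption getExe;
  inherit (lib.types) pathWith listOf;

  cfg = config.xyno.services.oauth2Proxy;

  settingsFormat = pkgs.formats.toml { };

  # The generated file lives in the Nix store, which is world-readable on the
  # host, so anything placed in `settings` is visible to every local user.
  configFile = settingsFormat.generate "oauth2-proxy.conf" cfg.settings;

  # Absolute paths that are NOT allowed to point into the store: this keeps a
  # secret file from being silently copied into /nix/store at evaluation time.
  absPath = pathWith {
    inStore = false;
    absolute = true;
  };
in
{
  options.xyno.services.oauth2Proxy = {
    enable = mkEnableOption "oauth2-proxy";

    package = mkPackageOption pkgs "oauth2-proxy" { };

    settings = mkOption {
      type = settingsFormat.type;
      description = ''
        what to add to the config toml file

        The file is rendered into the (world-readable) Nix store, so do not put
        secrets such as the OAuth client secret or the cookie secret here; pass
        them through `environmentFiles` instead.
      '';
    };

    environmentFiles = mkOption {
      type = listOf absPath;
      default = [ ];
      example = [ "/run/secrets/oauth2Proxy" ];
      description = ''
        Absolute paths, outside the Nix store, of files handed to systemd's
        EnvironmentFile= for the service. Use these for secret values (for
        example the OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET
        variables), which must not appear in `settings`.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.oauth2-proxy = {
      wantedBy = [ "multi-user.target" ];
      description = "OAuth2 Proxy (66642's less weird version)";
      # NOTE(review): the NixOS confinement module has historically asserted
      # against combining confinement.enable with DynamicUser and with
      # ProtectSystem; confirm this unit evaluates on the targeted nixpkgs.
      confinement.enable = true;
      after = [ "network.target" ];

      serviceConfig = {
        # Inside the confined root only these host paths are visible. A leading
        # "-" marks a path systemd may skip if it does not exist on the host.
        BindReadOnlyPaths = [
          "-/etc/resolv.conf"
          "-/run/systemd"
          "/etc/hosts"
          # System CA bundle at the conventional location so TLS to the
          # upstream identity provider can be verified from within the chroot.
          "${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
        ];
        ExecStart = "${getExe cfg.package} --config=${configFile}";
        EnvironmentFile = cfg.environmentFiles;

        # Ephemeral, unprivileged identity; an empty bounding set drops every
        # capability (DynamicUser also implies NoNewPrivileges).
        DynamicUser = true;
        CapabilityBoundingSet = [ "" ];

        # Network-only service: no AF_UNIX / AF_NETLINK / raw sockets.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        PrivateDevices = true;
        # NOTE(review): 0022 leaves any file the proxy creates world-readable;
        # 0077 would be stricter if it ever writes to disk.
        UMask = "0022";

        # Syscalls outside @system-service fail with EPERM instead of killing
        # the process, which keeps the failure mode observable in the journal.
        SystemCallFilter = [ "@system-service" ];
        SystemCallErrorNumber = "EPERM";
        SystemCallArchitectures = "native";

        # Kernel / host isolation.
        LockPersonality = true;
        PrivateTmp = true;
        ProcSubset = "pid";
        ProtectProc = "invisible";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
      };
    };
  };
}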