labmon/nix/module.nix


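{
  lib,
  pkgs,
  config,
  ...
}:
# NixOS module that runs labmon as a hardened, unprivileged systemd service.
# The `settings` attribute set is rendered to TOML and handed to the binary as
# its single positional argument.
let
  cfg = config.labmon;
  settingsFormat = pkgs.formats.toml { };
  # The rendered file is a Nix store path and therefore world-readable: every
  # value in cfg.settings is visible to all local users, so credentials must not
  # be passed through it.
  settingsFile = settingsFormat.generate "labmon.toml" cfg.settings;
in
{
  # `enable` and `settings` are declared in one place instead of two separate
  # `options.labmon` assignments; the resulting option tree is identical.
  options.labmon = {
    # mkEnableOption prepends "Whether to enable", so only the service name is
    # passed (the previous "Enable labmon" rendered as
    # "Whether to enable Enable labmon.").
    enable = lib.mkEnableOption "labmon";

    # Allows deployments to substitute the binary; defaults to pkgs.labmon, which
    # is what ExecStart referenced directly before.
    package = lib.mkPackageOption pkgs "labmon" { };

    settings = lib.mkOption {
      # settingsFormat.type checks at evaluation time that the value is
      # TOML-serializable and merges definitions from several modules, which
      # lib.types.attrs does not do.
      type = settingsFormat.type;
      description = ''
        Settings for labmon, serialized to TOML and passed to the daemon at startup.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.labmon = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/labmon ${settingsFile}";
        # Unprivileged, transient user; RuntimeDirectory is the only writable
        # location the unit provides for the service.
        DynamicUser = true;
        Restart = "always";
        RuntimeDirectory = "labmon";
        RuntimeDirectoryMode = "0700";

        # Hardening
        # Empty bounding set: with DynamicUser + NoNewPrivileges the process
        # already cannot gain capabilities, this makes that explicit.
        CapabilityBoundingSet = "";
        DeviceAllow = [ "/dev/null rw" ];
        DevicePolicy = "strict";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        # "strict" would additionally make /var read-only; kept at "full"
        # because the daemon's write paths outside RuntimeDirectory are not
        # known from this module — TODO confirm and tighten if possible.
        ProtectSystem = "full";
        RemoveIPC = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
      };
    };
  };
}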