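{
  config,
  pkgs,
  ...
}: let
  # Local package providing the idle/event detection tools referenced below
  # (bin/event_detect, bin/idle_detect_wrapper.sh, etc/event_detect.conf).
  idle_detect = pkgs.callPackage ./idle_detect/. {};
in {
  # BOINC client. The packages listed here are exposed to BOINC's environment:
  # gmp, the ocl-icd OpenCL loader and the NVIDIA driver package for GPU
  # tasks, podman for tasks that run in containers.
  services.boinc.enable = true;
  services.boinc.extraEnvPackages = [
    pkgs.gmp
    pkgs.ocl-icd
    pkgs.podman
    config.hardware.nvidia.package
  ];

  # Dedicated unprivileged account for the system-wide detector. Membership in
  # "input" is what lets a non-root process open the /dev/input/* evdev nodes;
  # "tty" covers the /dev/tty* console devices. Both are presumably needed to
  # observe keyboard/mouse/console activity — keep this list minimal, every
  # extra group widens what a compromised detector can read.
  users.users.event_detect = {
    isSystemUser = true;
    group = "event_detect";
    extraGroups = ["input" "tty"];
  };
  users.groups.event_detect = {};

  # System-wide activity detector. Runs as event_detect and publishes its
  # result for the per-user idle service via /run/event_detect and /dev/shm.
  systemd.services.dc_event_detection = {
    description = "DC Event Detection Service";
    # Started late (after the multi-user target is reached) and only once the
    # /dev/shm tmpfs it writes to is mounted; the sleep in ExecStartPre gives
    # device nodes a moment to settle before the detector opens them.
    after = ["multi-user.target" "dev-shm.mount"];
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      Type = "simple";
      ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
      ExecStart = "${idle_detect}/bin/event_detect ${idle_detect}/etc/event_detect.conf";

      Restart = "on-failure";
      RestartSec = "5s";

      # /run/event_detect, owned by event_detect:event_detect. Mode 0755 lets
      # other accounts (the desktop user's idle service) read but not create
      # files here; the directory stays writable for this service even under
      # ProtectSystem=strict.
      RuntimeDirectory = "event_detect";
      RuntimeDirectoryMode = "0755";

      User = "event_detect";
      Group = "event_detect";

      # Filesystem Access Control
      ProtectHome = true;
      ProtectSystem = "strict";
      # NOTE(review): /dev/shm is world-writable, so anything created there is
      # exposed to every local user (pre-creation, tampering, symlink tricks).
      # If the protocol allows, prefer the RuntimeDirectory above with explicit
      # file modes. PrivateDevices is deliberately absent: the input/tty group
      # membership above only makes sense with the real device nodes visible.
      ReadWritePaths = ["/dev/shm"];
      PrivateTmp = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;

      # Process Execution Control
      NoNewPrivileges = true;
      # The unit already runs unprivileged, so an empty bounding set costs
      # nothing and documents that no capability is ever expected.
      CapabilityBoundingSet = "";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      SystemCallArchitectures = "native";
      # NOTE(review): stronger candidates that cannot be verified safe from this
      # file alone (they depend on what event_detect actually does) — enable
      # after testing with the real binary:
      #   SystemCallFilter = ["@system-service"];
      #   DevicePolicy = "closed"; DeviceAllow = ["char-input r"];  # plus tty
      #   ProtectProc = "invisible";
      #   RestrictAddressFamilies = ["AF_UNIX"]; MemoryDenyWriteExecute = true;

      # Network Access Control
      PrivateNetwork = true;
    };
  };

  # Per-user counterpart, tied to the graphical session: presumably checks the
  # desktop idle state and consumes what the system service publishes.
  # Sandboxing options in user units (ProtectSystem below) rely on unprivileged
  # user namespaces being available; otherwise the unit fails to start.
  systemd.user.services.dc_idle_detection = {
    description = "BOINC Idle Detection Service";
    after = ["graphical-session.target"];
    wantedBy = ["graphical-session.target"];
    serviceConfig = {
      Type = "simple";
      ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
      ExecStart = "${idle_detect}/bin/idle_detect_wrapper.sh";
      Restart = "on-failure";
      RestartSec = "5s";
      ProtectSystem = "strict";
      # NOTE(review): /run/event_detect is 0755 and owned by event_detect, so
      # the session user can only write here if the system service pre-creates
      # writable entries (socket/FIFO) inside — confirm against event_detect;
      # otherwise this entry buys nothing beyond the read access already given.
      ReadWritePaths = ["/run/event_detect"];
      NoNewPrivileges = true;
    };
  };
}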