nixos/evdevremapkeys: init #94100
nixos/evdevremapkeys: init #94100
Conversation
q3k
force-pushed
the
q3k/nixos-evdevremapkeys
branch
from
8cd838b
to
8e8d27a
Compare
| description = "Remap Evdev Input"; | ||
| after = [ "systemd-udev-settle.service" ]; | ||
| wantedBy = [ "multi-user.target" ]; | ||
| serviceConfig = { |
There was a problem hiding this comment.
It would be nice to add some systemd hardening options here.
There was a problem hiding this comment.
I think he means:
Can we run the daemon as a DynamicUser=yes instead of as root
Also we could set things like:
RestrictAddressFamilies=AF_NETLINK
PrivateTmp=yes
Etc.. (See man systemd.exec for more isolation options)
However I expect that this unit probably has to run as root to be able to create new input events
There was a problem hiding this comment.
I'm going to take a look if this is possible to harden by running as a less privileged user. But I'm also not expecting much.
There was a problem hiding this comment.
Even if you still end up running as root there are some settings you can apply to limit the abilities this service can have on a system. Though still hoping for a non root user, maybe with some capabilities or something.
|
|
||
| systemd.services.evdevremapkeys = { | ||
| description = "Remap Evdev Input"; | ||
| after = [ "systemd-udev-settle.service" ]; |
There was a problem hiding this comment.
I was reading the manpage of systemd-udev-settle and it said:
Using this service is not recommended. There can be no guarantee that hardware is fully discovered at any specific
time, because the kernel does hardware detection asynchronously, and certain buses and devices take a very long
time to become ready, and also additional hardware may be plugged in at any time. Instead, services should
subscribe to udev events and react to any new hardware as it is discovered. Services that, based on configuration,
expect certain devices to appear, may warn or report failure after a timeout. This timeout should be tailored to
the hardware type. Waiting for systemd-udev-settle.service usually slows boot significantly, because it means
waiting for all unrelated events too.
I also saw that the example upstream provides doesn't depend on it https://github.com/philipl/evdevremapkeys/blob/master/examples/evdevremapkeys.service
Why do we need it?
There was a problem hiding this comment.
From the source code of evdevremapkeys it seems they subscribe to udev events properly; so I don't think there is any need to wait for systemd-udev-settle
There was a problem hiding this comment.
Whoops, I did indeed copy this mindlessly this from somewhere else in nixpkgs during development and then forgot to actually make this sensible :). I've updated the service definition to reflect upstream's service example.
q3k
force-pushed
the
q3k/nixos-evdevremapkeys
branch
from
8e8d27a
to
ccbe0a5
Compare
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
Superseded by #215247 |
Motivation for this change
Implement a basic evdevremapkeys service. The tool itself already exists as a derivation, this merely adds a module to turn it into a service.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)