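{ pkgs, config, ... }:
{
  # Runs the Enschede afvalcalendar -> ical converter once a day as a
  # sandboxed transient user and serves the resulting file read-only
  # over HTTPS through nginx.
  systemd.services.afvalcalendar = {
    description = "Enschede afvalcalendar -> ical converter";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    # coreutils provides mktemp/cat/rm used by the script below.
    path = [ pkgs.coreutils ];
    script = ''
      target=/srv/afvalcalendar/afvalcalendar.ical

      # Render into a private temp file first: `cmd > target` truncates the
      # served file before the converter runs, so a failed fetch previously
      # left an empty calendar behind for nginx to serve. The script runs
      # under `set -e`, so a converter failure aborts before the copy.
      tmp="$(mktemp)"
      ${pkgs.local.afvalcalendar}/bin/afvalcalendar > "$tmp"

      # Copy the contents into the pre-created file instead of mv'ing a new
      # inode over it, so the ownership set by tmpfiles
      # (nginx:afvalcalendar-hosting) is kept rather than replaced by the
      # transient DynamicUser uid.
      cat "$tmp" > "$target"
      rm -f "$tmp"
    '';
    startAt = "daily";
    serviceConfig = {
      DynamicUser = true;
      # DynamicUser= already implies ProtectHome=read-only; `true` hides the
      # home directories entirely.
      ProtectHome = true;
      PrivateDevices = true;
      PrivateIPC = true;
      # NOTE(review): PrivateUsers= maps only the service's own uid/gid into
      # the user namespace; confirm that the SupplementaryGroups grant below
      # still gives group write on /srv/afvalcalendar under this setting.
      PrivateUsers = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      # The converter fetches over the network; nothing else is needed.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      # An unprivileged converter needs no capabilities at all.
      CapabilityBoundingSet = "";
      SystemCallArchitectures = "native";
      # Second entry starts with `~`, so all four groups on that line are denied.
      SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
      # systemd's directive is spelled UMask= (keys are case-sensitive); the
      # previous `Umask` key was silently ignored. Quoted so the value stays
      # an octal literal instead of the Nix integer 2.
      UMask = "0002";
      # Group write on /srv/afvalcalendar is how the transient user may update
      # the served file; everything else is read-only via the implied
      # ProtectSystem=strict.
      SupplementaryGroups = "afvalcalendar-hosting";
      ReadWritePaths = "/srv/afvalcalendar";
    };
  };

  services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {
    forceSSL = true;
    enableACME = true;
    enableHSTS = true;
    root = "/srv/afvalcalendar";
  };

  users.groups.afvalcalendar-hosting = { };

  systemd.tmpfiles.settings."10-afvalcalendar" = {
    # Directory must be group-writable so the service can create its temp
    # file and rewrite the calendar.
    "/srv/afvalcalendar".d = {
      user = "nginx";
      group = "afvalcalendar-hosting";
      mode = "0775";
    };
    # A served .ical file needs no execute bit: 0664 keeps group write for the
    # service and world read for nginx.
    "/srv/afvalcalendar/afvalcalendar.ical".f = {
      user = "nginx";
      group = "afvalcalendar-hosting";
      mode = "0664";
    };
  };
}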