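# Home-manager module: run Walker (launcher) and its Elephant backend as
# systemd --user services tied to the graphical session, with a shared,
# deliberately light hardening profile applied to both units.
#
# Arguments: the usual module arguments plus an optional `inputs` attrset
# (flake inputs). When `inputs` is given and carries a `walker` and/or
# `elephant` input, that flake's default package is used; otherwise the
# packages come from `pkgs`.
{ config, pkgs, lib, inputs ? null, ... }:

let
  system = pkgs.stdenv.hostPlatform.system;

  # Resolve `name` to a package: the flake input's default package for this
  # system when available, else the nixpkgs attribute of the same name.
  fromInputOrPkgs = name:
    if inputs != null && builtins.hasAttr name inputs
    then inputs.${name}.packages.${system}.default
    else pkgs.${name};

  walkerPkg = fromInputOrPkgs "walker";
  elephantPkg = fromInputOrPkgs "elephant";

  sessionTarget = "graphical-session.target";

  # Hardening shared by both units (previously duplicated in each Service
  # block). Kept light on purpose: neither unit may use ProtectSystem=strict.
  # NOTE(review): the mount-namespace based options here (PrivateTmp,
  # ProtectKernel*, ProtectControlGroups) in a --user service depend on the
  # host allowing unprivileged user namespaces — confirm with
  # `systemctl --user show <unit>` that they take effect rather than being
  # silently ignored.
  hardening = {
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectControlGroups = true;
    LockPersonality = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    SystemCallArchitectures = "native";
  };
in
{
  xdg.enable = true;
  home.packages = [ walkerPkg elephantPkg ];

  # Elephant: backend daemon Walker talks to over a socket in its runtime dir.
  systemd.user.services.elephant = {
    Unit = {
      Description = "Elephant backend for Walker";
      PartOf = [ sessionTarget ];
      After = [ sessionTarget ];
    };
    Service = {
      Type = "simple";
      ExecStart = "${elephantPkg}/bin/elephant";
      Restart = "on-failure";
      RestartSec = 1;
      # Ensure Elephant can create its socket under:
      # /run/user/$UID/elephant/...
      # Mode 0700 keeps the socket directory private to the session user.
      RuntimeDirectory = "elephant";
      RuntimeDirectoryMode = "0700";
      # Light hardening (DO NOT use ProtectSystem=strict here)
    } // hardening;
    Install = { WantedBy = [ sessionTarget ]; };
  };

  # Walker: GApplication service; ordered after and wanting the backend so
  # the socket exists before the frontend starts.
  systemd.user.services.walker = {
    Unit = {
      Description = "Walker GApplication service";
      PartOf = [ sessionTarget ];
      After = [ sessionTarget "elephant.service" ];
      Wants = [ "elephant.service" ];
    };
    Service = {
      Type = "simple";
      ExecStart = "${walkerPkg}/bin/walker --gapplication-service";
      Restart = "on-failure";
      RestartSec = 1;
      # Light hardening
    } // hardening;
    Install = { WantedBy = [ sessionTarget ]; };
  };
}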