nixos/system-master/home/desktop/walker.nix

{ config, pkgs, lib, inputs ? null, ... }:

let
  walkerPkg =
    if inputs != null && inputs ? walker
    then inputs.walker.packages.${pkgs.system}.default
    else pkgs.walker;

  elephantPkg =
    if inputs != null && inputs ? elephant
    then inputs.elephant.packages.${pkgs.system}.default
    else pkgs.elephant;

  sessionTarget = "graphical-session.target";
in
{
  xdg.enable = true;

  home.packages = [
    walkerPkg
    elephantPkg
  ];

  systemd.user.services.elephant = {
    Unit = {
      Description = "Elephant backend for Walker";
      PartOf = [ sessionTarget ];
      After  = [ sessionTarget ];
    };

    Service = {
      Type = "simple";
      ExecStart = "${elephantPkg}/bin/elephant";

      Restart = "on-failure";
      RestartSec = 1;

      # Ensure Elephant can create its socket under:
      # /run/user/$UID/elephant/...
      RuntimeDirectory = "elephant";
      RuntimeDirectoryMode = "0700";

      # Light hardening (DO NOT use ProtectSystem=strict here)
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
    };

    Install = {
      WantedBy = [ sessionTarget ];
    };
  };

  systemd.user.services.walker = {
    Unit = {
      Description = "Walker GApplication service";
      PartOf = [ sessionTarget ];
      After  = [ sessionTarget "elephant.service" ];
      Wants  = [ "elephant.service" ];
    };

    Service = {
      Type = "simple";
      ExecStart = "${walkerPkg}/bin/walker --gapplication-service";

      Restart = "on-failure";
      RestartSec = 1;

      # Light hardening
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
    };

    Install = {
      WantedBy = [ sessionTarget ];
    };
  };
}