with import <stockholm/lib>; { config, pkgs, ... }: let cfg = config.tv.x0vncserver; in { options.tv.x0vncserver = { display = mkOption { default = ":${toString config.services.xserver.display}"; type = types.str; }; enable = mkEnableOption "tv.x0vncserver"; pwfile = mkOption { default = { name = "x0vncserver-pwfile"; owner = cfg.user; path = "${cfg.user.home}/.vncpasswd"; source-path = toString <secrets> + "/vncpasswd"; }; description = '' Use vncpasswd to edit pwfile. See: nix-shell -p tigervnc --run 'man vncpasswd' ''; type = types.secret-file; }; rfbport = mkOption { default = 5900; type = types.int; }; user = mkOption { default = config.krebs.build.user; type = types.user; }; }; config = mkIf cfg.enable { krebs.secret.files = { x0vncserver-pwfile = cfg.pwfile; }; systemd.services.x0vncserver = { after = [ config.krebs.secret.files.x0vncserver-pwfile.service "graphical.target" ]; partOf = [ config.krebs.secret.files.x0vncserver-pwfile.service ]; requires = [ "graphical.target" ]; serviceConfig = { ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [ "-display ${cfg.display}" "-passwordfile ${cfg.pwfile.path}" "-rfbport ${toString cfg.rfbport}" ]}"; User = cfg.user.name; }; }; tv.iptables.input-retiolum-accept-tcp = singleton (toString cfg.rfbport); }; }