nixpkgs/nixos/modules/services/hardware/kmonad.nix

{
  config,
  lib,
  pkgs,
  utils,
  ...
}:

let
  cfg = config.services.kmonad;

  # Per-keyboard options:
  keyboard =
    { name, ... }:
    {
      options = {
        name = lib.mkOption {
          type = lib.types.str;
          default = name;
          example = "laptop-internal";
          description = "Keyboard name.";
        };

        device = lib.mkOption {
          type = lib.types.path;
          example = "/dev/input/by-id/some-dev";
          description = "Path to the keyboard's device file.";
        };

        extraGroups = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          default = [ ];
          description = ''
            Extra permission groups to attach to the KMonad instance for
            this keyboard.

            Since KMonad runs as an unprivileged user, it may sometimes
            need extra permissions in order to read the keyboard device
            file.  If your keyboard's device file isn't in the input
            group, you'll need to list its group in this option.
          '';
        };

        enableHardening = lib.mkOption {
          type = lib.types.bool;
          default = true;
          example = false;
          description = ''
            Whether to enable systemd hardening.

            ::: {.note}
            If KMonad is used to execute shell commands, hardening may make some of them fail.
            :::
          '';
        };

        defcfg = {
          enable = lib.mkEnableOption ''
            automatic generation of the defcfg block.

            When this option is set to true, the config option for
            this keyboard should not include a defcfg block
          '';

          compose = {
            key = lib.mkOption {
              type = lib.types.nullOr lib.types.str;
              default = "ralt";
              description = "The (optional) compose key to use.";
            };

            delay = lib.mkOption {
              type = lib.types.ints.unsigned;
              default = 5;
              description = "The delay (in milliseconds) between compose key sequences.";
            };
          };

          fallthrough = lib.mkEnableOption "re-emitting unhandled key events";

          allowCommands = lib.mkEnableOption "keys to run shell commands";
        };

        config = lib.mkOption {
          type = lib.types.lines;
          description = "Keyboard configuration.";
        };
      };
    };

  mkName = name: "kmonad-" + name;

  # Create a complete KMonad configuration file:
  mkCfg =
    keyboard:
    let
      defcfg = ''
        (defcfg
          input  (device-file "${keyboard.device}")
          output (uinput-sink "${mkName keyboard.name}")
          ${lib.optionalString (keyboard.defcfg.compose.key != null) ''
            cmp-seq ${keyboard.defcfg.compose.key}
            cmp-seq-delay ${toString keyboard.defcfg.compose.delay}
          ''}
          fallthrough ${lib.boolToString keyboard.defcfg.fallthrough}
          allow-cmd ${lib.boolToString keyboard.defcfg.allowCommands}
        )
      '';
    in
    pkgs.writeTextFile {
      name = "${mkName keyboard.name}.kbd";
      text = lib.optionalString keyboard.defcfg.enable (defcfg + "\n") + keyboard.config;
      checkPhase = "${lib.getExe cfg.package} -d $out";
    };

  # Build a systemd path config that starts the service below when a
  # keyboard device appears:
  mkPath =
    keyboard:
    let
      name = mkName keyboard.name;
    in
    lib.nameValuePair name {
      description = "KMonad trigger for ${keyboard.device}";
      wantedBy = [ "paths.target" ];
      pathConfig = {
        Unit = "${name}.service";
        PathExists = keyboard.device;
      };
    };

  # Build a systemd service that starts KMonad:
  mkService =
    keyboard:
    lib.nameValuePair (mkName keyboard.name) {
      description = "KMonad for ${keyboard.device}";
      unitConfig = {
        # Control rate limiting.
        # Stop the restart logic if we restart more than
        # StartLimitBurst times in a period of StartLimitIntervalSec.
        StartLimitIntervalSec = 2;
        StartLimitBurst = 5;
      };
      serviceConfig =
        {
          ExecStart = ''
            ${lib.getExe cfg.package} ${mkCfg keyboard} \
              ${utils.escapeSystemdExecArgs cfg.extraArgs}
          '';
          Restart = "always";
          # Restart at increasing intervals from 2s to 1m
          RestartSec = 2;
          RestartSteps = 30;
          RestartMaxDelaySec = "1min";
          Nice = -20;
          DynamicUser = true;
          User = "kmonad";
          Group = "kmonad";
          SupplementaryGroups = [
            # These ensure that our dynamic user has access to the device node
            config.users.groups.input.name
            config.users.groups.uinput.name
          ] ++ keyboard.extraGroups;
        }
        // lib.optionalAttrs keyboard.enableHardening {
          DeviceAllow = [
            "/dev/uinput w"
            "char-input r"
          ];
          CapabilityBoundingSet = [ "" ];
          DevicePolicy = "closed";
          IPAddressDeny = [ "any" ];
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          PrivateNetwork = true;
          PrivateUsers = true;
          ProcSubset = "pid";
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          RestrictAddressFamilies = [ "none" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          SystemCallArchitectures = [ "native" ];
          SystemCallErrorNumber = "EPERM";
          SystemCallFilter = [
            "@system-service"
            "~@privileged"
            "~@resources"
          ];
          UMask = "0077";
        };
      # make sure the new config is used after nixos-rebuild switch
      # stopIfChanged controls[0] how a service is "restarted" during
      # nixos-rebuild switch.  By default, stopIfChanged is true, which stops
      # the old service and then starts the new service after config updates.
      # Since we use path-based activation[1] here, the service unit will
      # immediately[2] be started by the path unit.  Probably that start is
      # before config updates, whcih causes the service unit to use the old
      # config after nixos-rebuild switch.  Setting stopIfChanged to false works
      # around this issue by restarting the service after config updates.
      # [0]: https://nixos.org/manual/nixos/unstable/#sec-switching-systems
      # [1]: man 7 daemon
      # [2]: man 5 systemd.path
      stopIfChanged = false;
    };
in
{
  options.services.kmonad = {
    enable = lib.mkEnableOption "KMonad: an advanced keyboard manager";

    package = lib.mkPackageOption pkgs "KMonad" { default = "kmonad"; };

    keyboards = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule keyboard);
      default = { };
      description = "Keyboard configuration.";
    };

    extraArgs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [
        "--log-level"
        "debug"
      ];
      description = "Extra arguments to pass to KMonad.";
    };
  };

  config = lib.mkIf cfg.enable {
    hardware.uinput.enable = true;

    services.udev.extraRules =
      let
        mkRule = name: ''
          ACTION=="add", KERNEL=="event*", SUBSYSTEM=="input", ATTRS{name}=="${name}", ATTRS{id/product}=="5679", ATTRS{id/vendor}=="1235", SYMLINK+="input/by-id/${name}"
        '';
      in
      lib.foldlAttrs (
        rules: _: keyboard:
        rules + "\n" + mkRule (mkName keyboard.name)
      ) "" cfg.keyboards;

    systemd = {
      paths = lib.mapAttrs' (_: mkPath) cfg.keyboards;
      services = lib.mapAttrs' (_: mkService) cfg.keyboards;
    };
  };

  meta = {
    maintainers = with lib.maintainers; [
      linj
      rvdp
    ];
  };
}
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`{`
			`config,`
			`lib,`
			`pkgs,`
nixos/kmonad: avoid running an unnecessary bash 2025-01-02 06:42:32 +08:00			`utils,`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`...`
			`}:`

			`let`
			`cfg = config.services.kmonad;`

			`# Per-keyboard options:`
			`keyboard =`
			`{ name, ... }:`
			`{`
			`options = {`
			`name = lib.mkOption {`
			`type = lib.types.str;`
nixos/kmonad: simplify config for default keyboard name 2025-01-01 06:49:07 +08:00			`default = name;`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`example = "laptop-internal";`
			`description = "Keyboard name.";`
			`};`

			`device = lib.mkOption {`
			`type = lib.types.path;`
			`example = "/dev/input/by-id/some-dev";`
			`description = "Path to the keyboard's device file.";`
			`};`

			`extraGroups = lib.mkOption {`
			`type = lib.types.listOf lib.types.str;`
			`default = [ ];`
			`description = ''`
			`Extra permission groups to attach to the KMonad instance for`
			`this keyboard.`

			`Since KMonad runs as an unprivileged user, it may sometimes`
			`need extra permissions in order to read the keyboard device`
			`file. If your keyboard's device file isn't in the input`
nixos/kmonad: improve doc 2025-01-01 06:48:34 +08:00			`group, you'll need to list its group in this option.`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`'';`
			`};`

nixos/kmonad: add new option enableHardening Before ```console $ systemd-analyze security kmonad-foo.service \| tail -n 1 → Overall exposure level for kmonad-foo.service: 8.2 EXPOSED 🙁 ``` After ```console $ systemd-analyze security kmonad-foo.service \| tail -n 1 → Overall exposure level for kmonad-foo.service: 0.4 SAFE 😀 ``` 2025-01-02 10:26:06 +08:00			`enableHardening = lib.mkOption {`
			`type = lib.types.bool;`
			`default = true;`
			`example = false;`
			`description = ''`
			`Whether to enable systemd hardening.`

			`::: {.note}`
			`If KMonad is used to execute shell commands, hardening may make some of them fail.`
			`:::`
			`'';`
			`};`

nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`defcfg = {`
			`enable = lib.mkEnableOption ''`
nixos/kmonad: improve doc 2025-01-01 06:48:34 +08:00			`automatic generation of the defcfg block.`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00
nixos/kmonad: improve doc 2025-01-01 06:48:34 +08:00			`When this option is set to true, the config option for`
			`this keyboard should not include a defcfg block`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`'';`

			`compose = {`
			`key = lib.mkOption {`
			`type = lib.types.nullOr lib.types.str;`
			`default = "ralt";`
			`description = "The (optional) compose key to use.";`
			`};`

			`delay = lib.mkOption {`
nixos/kmonad: make type of delay more strict 2025-01-01 06:49:34 +08:00			`type = lib.types.ints.unsigned;`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`default = 5;`
			`description = "The delay (in milliseconds) between compose key sequences.";`
			`};`
			`};`

nixos/kmonad: improve doc 2025-01-01 06:48:34 +08:00			`fallthrough = lib.mkEnableOption "re-emitting unhandled key events";`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00
nixos/kmonad: improve doc 2025-01-01 06:48:34 +08:00			`allowCommands = lib.mkEnableOption "keys to run shell commands";`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`};`

			`config = lib.mkOption {`
			`type = lib.types.lines;`
			`description = "Keyboard configuration.";`
			`};`
			`};`
			`};`

nixos/kmonad: introduce a new helper function mkName 2025-01-01 07:01:45 +08:00			`mkName = name: "kmonad-" + name;`

nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`# Create a complete KMonad configuration file:`
			`mkCfg =`
			`keyboard:`
			`let`
			`defcfg = ''`
			`(defcfg`
			`input (device-file "${keyboard.device}")`
nixos/kmonad: introduce a new helper function mkName 2025-01-01 07:01:45 +08:00			`output (uinput-sink "${mkName keyboard.name}")`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`${lib.optionalString (keyboard.defcfg.compose.key != null) ''`
			`cmp-seq ${keyboard.defcfg.compose.key}`
			`cmp-seq-delay ${toString keyboard.defcfg.compose.delay}`
			`''}`
			`fallthrough ${lib.boolToString keyboard.defcfg.fallthrough}`
			`allow-cmd ${lib.boolToString keyboard.defcfg.allowCommands}`
			`)`
			`'';`
			`in`
			`pkgs.writeTextFile {`
nixos/kmonad: use the official suffix for config file Both the official Emacs[1] and Vim[2] plugins use kbd as the config file suffix. [1]: https://github.com/kmonad/kbd-mode/blob/b07f3e16043fbb268b3e47fb49abc419e8b7e2d7/kbd-mode.el#L275 [2]: https://github.com/kmonad/kmonad-vim/blob/37978445197ab00edeb5b731e9ca90c2b141723f/ftdetect/kbd.vim#L18 2025-01-01 07:02:22 +08:00			`name = "${mkName keyboard.name}.kbd";`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`text = lib.optionalString keyboard.defcfg.enable (defcfg + "\n") + keyboard.config;`
nixos/kmonad: use lib.getExe 2025-01-01 07:14:25 +08:00			`checkPhase = "${lib.getExe cfg.package} -d $out";`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`};`

			`# Build a systemd path config that starts the service below when a`
			`# keyboard device appears:`
			`mkPath =`
			`keyboard:`
			`let`
nixos/kmonad: introduce a new helper function mkName 2025-01-01 07:01:45 +08:00			`name = mkName keyboard.name;`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`in`
			`lib.nameValuePair name {`
			`description = "KMonad trigger for ${keyboard.device}";`
			`wantedBy = [ "paths.target" ];`
			`pathConfig = {`
			`Unit = "${name}.service";`
			`PathExists = keyboard.device;`
			`};`
			`};`

			`# Build a systemd service that starts KMonad:`
			`mkService =`
			`keyboard:`
nixos/kmonad: introduce a new helper function mkName 2025-01-01 07:01:45 +08:00			`lib.nameValuePair (mkName keyboard.name) {`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`description = "KMonad for ${keyboard.device}";`
			`unitConfig = {`
			`# Control rate limiting.`
			`# Stop the restart logic if we restart more than`
			`# StartLimitBurst times in a period of StartLimitIntervalSec.`
			`StartLimitIntervalSec = 2;`
			`StartLimitBurst = 5;`
			`};`
nixos/kmonad: add new option enableHardening Before ```console $ systemd-analyze security kmonad-foo.service \| tail -n 1 → Overall exposure level for kmonad-foo.service: 8.2 EXPOSED 🙁 ``` After ```console $ systemd-analyze security kmonad-foo.service \| tail -n 1 → Overall exposure level for kmonad-foo.service: 0.4 SAFE 😀 ``` 2025-01-02 10:26:06 +08:00			`serviceConfig =`
			`{`
			`ExecStart = ''`
			`${lib.getExe cfg.package} ${mkCfg keyboard} \`
			`${utils.escapeSystemdExecArgs cfg.extraArgs}`
			`'';`
			`Restart = "always";`
			`# Restart at increasing intervals from 2s to 1m`
			`RestartSec = 2;`
			`RestartSteps = 30;`
			`RestartMaxDelaySec = "1min";`
			`Nice = -20;`
			`DynamicUser = true;`
			`User = "kmonad";`
			`Group = "kmonad";`
			`SupplementaryGroups = [`
			`# These ensure that our dynamic user has access to the device node`
			`config.users.groups.input.name`
			`config.users.groups.uinput.name`
			`] ++ keyboard.extraGroups;`
			`}`
			`// lib.optionalAttrs keyboard.enableHardening {`
			`DeviceAllow = [`
			`"/dev/uinput w"`
			`"char-input r"`
			`];`
			`CapabilityBoundingSet = [ "" ];`
			`DevicePolicy = "closed";`
			`IPAddressDeny = [ "any" ];`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
			`PrivateNetwork = true;`
			`PrivateUsers = true;`
			`ProcSubset = "pid";`
			`ProtectClock = true;`
			`ProtectControlGroups = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`ProtectProc = "invisible";`
			`RestrictAddressFamilies = [ "none" ];`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`SystemCallArchitectures = [ "native" ];`
			`SystemCallErrorNumber = "EPERM";`
			`SystemCallFilter = [`
			`"@system-service"`
			`"~@privileged"`
			`"~@resources"`
			`];`
			`UMask = "0077";`
			`};`
nixos/kmonad: make sure new config is used after nixos-rebuild switch 2025-01-01 12:28:07 +08:00			`# make sure the new config is used after nixos-rebuild switch`
			`# stopIfChanged controls[0] how a service is "restarted" during`
			`# nixos-rebuild switch. By default, stopIfChanged is true, which stops`
			`# the old service and then starts the new service after config updates.`
			`# Since we use path-based activation[1] here, the service unit will`
			`# immediately[2] be started by the path unit. Probably that start is`
			`# before config updates, whcih causes the service unit to use the old`
			`# config after nixos-rebuild switch. Setting stopIfChanged to false works`
			`# around this issue by restarting the service after config updates.`
			`# [0]: https://nixos.org/manual/nixos/unstable/#sec-switching-systems`
			`# [1]: man 7 daemon`
			`# [2]: man 5 systemd.path`
			`stopIfChanged = false;`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`};`
			`in`
			`{`
			`options.services.kmonad = {`
nixos/kmonad: improve doc 2025-01-01 06:48:34 +08:00			`enable = lib.mkEnableOption "KMonad: an advanced keyboard manager";`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00
nixos/kmonad: improve doc 2025-01-01 06:48:34 +08:00			`package = lib.mkPackageOption pkgs "KMonad" { default = "kmonad"; };`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00
			`keyboards = lib.mkOption {`
			`type = lib.types.attrsOf (lib.types.submodule keyboard);`
			`default = { };`
			`description = "Keyboard configuration.";`
			`};`

			`extraArgs = lib.mkOption {`
			`type = lib.types.listOf lib.types.str;`
			`default = [ ];`
			`example = [`
			`"--log-level"`
			`"debug"`
			`];`
			`description = "Extra arguments to pass to KMonad.";`
			`};`
			`};`

			`config = lib.mkIf cfg.enable {`
			`hardware.uinput.enable = true;`

nixos/kmonad: create determinate symlinks 2025-01-01 12:26:06 +08:00			`services.udev.extraRules =`
			`let`
			`mkRule = name: ''`
			`ACTION=="add", KERNEL=="event*", SUBSYSTEM=="input", ATTRS{name}=="${name}", ATTRS{id/product}=="5679", ATTRS{id/vendor}=="1235", SYMLINK+="input/by-id/${name}"`
			`'';`
			`in`
			`lib.foldlAttrs (`
			`rules: _: keyboard:`
			`rules + "\n" + mkRule (mkName keyboard.name)`
			`) "" cfg.keyboards;`

nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`systemd = {`
			`paths = lib.mapAttrs' (_: mkPath) cfg.keyboards;`
			`services = lib.mapAttrs' (_: mkService) cfg.keyboards;`
			`};`
			`};`
nixos/kmonad: add meta.maintainers 2025-01-01 07:11:12 +08:00
			`meta = {`
			`maintainers = with lib.maintainers; [`
			`linj`
			`rvdp`
			`];`
			`};`
nixos/kmonad: init 2024-10-18 11:18:39 +02:00			`}`