default.nix
{ lib, pkgs, config, ... }:
# NixOS module that enrols this host as a Radicle node.
#  - an activation script creates the Radicle identity of the `enroll` user
#    (`rad auth`), using the machine hostname as alias;
#  - a systemd timer runs /home/enroll/enroll.sh one minute after boot and
#    then hourly (the unit is additionally wanted by multi-user.target).
# NOTE(review): `cat /dev/null | rad auth --stdin` feeds an empty passphrase,
# so the node key is presumably stored without passphrase protection — confirm
# this is the intended trust model for these hosts.
{
  # Runs as root on every activation (boot / nixos-rebuild switch) and drops
  # to `enroll` through su.  `$(cat /etc/hostname)` is expanded by bash, not
  # by Nix: only `${...}` is interpolated inside a '' string.
  system.activationScripts.rad-auth.text = ''
    cd /home/enroll
    ${pkgs.su}/bin/su enroll -c "bash -c 'cat /dev/null | rad auth --alias $(cat /etc/hostname) --stdin'"
  '';

  # jq is presumably consumed by enroll.sh (that script is not part of this file).
  environment.systemPackages = [ pkgs.jq ];

  systemd.timers.radicle-enroll-node = {
    description = "enroll node to radicle";
    wantedBy = [ "timers.target" ];
    # NOTE(review): Requires= does not order the timer after the target; if the
    # first run needs the network up, an `after = [ "network-online.target" ]`
    # would be needed as well — confirm.
    requires = [ "network-online.target" ];
    timerConfig = {
      OnBootSec = "1min";     # first run one minute after boot
      OnCalendar = "hourly";  # then once an hour
      Persistent = true;      # fire immediately if a run was missed while off
    };
  };

  systemd.services.radicle-enroll-node = {
    description = "enroll node to radicle";
    # No User= is set, so the unit starts as root and switches to `enroll`
    # via su.  NOTE(review): `User = "enroll"` would remove the root stage
    # altogether — verify enroll.sh does not rely on running as root first.
    script = "${pkgs.su}/bin/su enroll -c \"bash -x /home/enroll/enroll.sh\"";
    # Started once at boot as well, independently of the timer.
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      # NOTE(review): older systemd releases refuse Restart= other than `no`
      # on Type=oneshot units — confirm the deployed systemd accepts this.
      Restart = "on-failure";
      # TTYPath= only has an effect together with StandardInput/StandardOutput=tty;
      # with StandardInput left commented out it is currently inert.
      #StandardInput = "tty";
      TTYPath = "/dev/tty2";
      WorkingDirectory = "/home/enroll";

      # Sandboxing.  ProtectSystem=full keeps /home writable, which this unit
      # needs (it works in /home/enroll); ProtectHome is therefore not set.
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
      RestrictRealtime = true;
      LockPersonality = true;
      PrivateTmp = true;
      ProcSubset = "pid";
      ProtectSystem = "full";
      ProtectControlGroups = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectHostname = true;
      ProtectClock = true;
    };
  };
}