ctucx.git: nixfiles

modules/nixos/conduwuit: some refactor in systemd-service

diff --git a/modules/nixos/conduwuit.nix b/modules/nixos/conduwuit.nix
@@ -100,8 +100,23 @@ in {
 
       serviceConfig = {
         DynamicUser = true;
-        User  = cfg.user;
-        Group = cfg.group;
+        User        = cfg.user;
+        Group       = cfg.group;
+
+        Type         = "notify-reload";
+        ReloadSignal = "SIGUSR1";
+
+        ExecStart  = lib.getExe cfg.package;
+
+        Restart    = "on-failure";
+        RestartSec = 10;
+
+        StateDirectory     = "conduwuit";
+        StateDirectoryMode = "0700";
+
+        RuntimeDirectory     = "conduwuit";
+        RuntimeDirectoryMode = "0750";
+
 
         DevicePolicy           = "closed";
         LockPersonality        = true;

@@ -123,30 +138,20 @@ in {
         PrivateIPC     = true;
         RemoveIPC      = true;
 
+        RestrictNamespaces      = true;
+        RestrictRealtime        = true;
         RestrictAddressFamilies = [
           "AF_INET"
           "AF_INET6"
           "AF_UNIX"
         ];
-        RestrictNamespaces      = true;
-        RestrictRealtime        = true;
+
         SystemCallArchitectures = "native";
+        SystemCallErrorNumber   = "EPERM";
         SystemCallFilter        = [
           "@system-service @resources"
           "~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc"
         ];
-        SystemCallErrorNumber = "EPERM";
-
-        StateDirectory     = "conduwuit";
-        StateDirectoryMode = "0700";
-
-        RuntimeDirectory     = "conduwuit";
-        RuntimeDirectoryMode = "0750";
-
-        Restart    = "on-failure";
-        RestartSec = 10;
-
-        ExecStart  = lib.getExe cfg.package;
       };
     };
   };