author | sternenseemann <git@lukasepple.de> | 2019-05-24 21:17:51 +0200 |
---|---|---|
committer | sternenseemann <git@lukasepple.de> | 2019-12-17 14:17:03 +0100 |
commit | 25503db8e845ccfa3db20ed1049837868d53775a (patch) | |
tree | 7d89c7ca665daa10d3a5d063a74d21d0f081e952 /nixos/modules/services/networking | |
parent | 6eff44f9fb5dff0ae0dffa982c3549b7091f2b67 (diff) | |
nixos/spacecookie: add service module and test
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/spacecookie.nix | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/spacecookie.nix b/nixos/modules/services/networking/spacecookie.nix
new file mode 100644
index 000000000000..c4d06df6ad4a
--- /dev/null
+++ b/nixos/modules/services/networking/spacecookie.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.spacecookie;
+ configFile = pkgs.writeText "spacecookie.json" (lib.generators.toJSON {} {
+ inherit (cfg) hostname port root;
+ });
+in {
+
+ options = {
+
+ services.spacecookie = {
+
+ enable = mkEnableOption "spacecookie";
+
+ hostname = mkOption {
+ type = types.str;
+ default = "localhost";
+ description = "The hostname the service is reachable via. Clients will use this hostname for further requests after loading the initial gopher menu.";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 70;
+ description = "Port the gopher service should be exposed on.";
+ };
+
+ root = mkOption {
+ type = types.path;
+ default = "/srv/gopher";
+ description = "The root directory spacecookie serves via gopher.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ systemd.sockets.spacecookie = {
+ description = "Socket for the Spacecookie Gopher Server";
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [ "[::]:${toString cfg.port}" ];
+ socketConfig = {
+ BindIPv6Only = "both";
+ };
+ };
+
+ systemd.services.spacecookie = {
+ description = "Spacecookie Gopher Server";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "spacecookie.socket" ];
+
+ serviceConfig = {
+ Type = "notify";
+ ExecStart = "${pkgs.haskellPackages.spacecookie}/bin/spacecookie ${configFile}";
+ FileDescriptorStoreMax = 1;
+
+ DynamicUser = true;
+
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+
+ # AF_UNIX for communication with systemd
+ # AF_INET replaced by BindIPv6Only=both
+ RestrictAddressFamilies = "AF_UNIX AF_INET6";
+ };
+ };
+ };
+}
|
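Review bot: The serviceConfig sandbox in this hunk stops short of the syscall and namespace restrictions that usually accompany DynamicUser in nixpkgs modules; next to `LockPersonality = true;` I would add `RestrictNamespaces = true;`, `SystemCallArchitectures = "native";` and `SystemCallFilter = "@system-service";`, which a read-only file-serving daemon should tolerate (worth confirming against the module test the commit title mentions, which lies outside this diffstat). The `root` option description should also state that the directory must be readable by the unprivileged dynamic user the unit runs as, since DynamicUser plus ProtectSystem=strict give spacecookie no other way to reach it. The socket listens on `[::]` for every interface; if that is intended, an `openFirewall` option defaulting to false would make the exposure explicit instead of leaving port 70 blocked with no module-level way to open it.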