author | Stanisław Pitucha <git@viraptor.info> | 2022-06-26 01:20:59 +1000 |
committer | Sandro Jäckel <sandro.jaeckel@gmail.com> | 2024-02-17 20:45:49 +0100 |
commit | 2eed715fbfd05a536d9f9756c656ba242fd0800a (patch) | |
tree | 25e2365ce8822d3de16a64b10b1227b9613340b5 /nixos/modules/services/networking | |
parent | fa17e0c563dc934b69e855d42c350af828918245 (diff) | |
nixos/go-camo: init
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/go-camo.nix | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/go-camo.nix b/nixos/modules/services/networking/go-camo.nix
new file mode 100644
index 000000000000..cb3b6eade464
--- /dev/null
+++ b/nixos/modules/services/networking/go-camo.nix
@@ -0,0 +1,73 @@
+{ lib, pkgs, config, ... }:
+
+let
+ cfg = config.services.go-camo;
+ inherit (lib) mkOption mkEnableOption mkIf mkMerge types optionalString;
+in
+{
+ options.services.go-camo = {
+ enable = mkEnableOption "go-camo service";
+ listen = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Address:Port to bind to for HTTP (default: 0.0.0.0:8080).";
+ apply = v: optionalString (v != null) "--listen=${v}";
+ };
+ sslListen = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Address:Port to bind to for HTTPS.";
+ apply = v: optionalString (v != null) "--ssl-listen=${v}";
+ };
+ sslKey = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Path to TLS private key.";
+ apply = v: optionalString (v != null) "--ssl-key=${v}";
+ };
+ sslCert = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Path to TLS certificate.";
+ apply = v: optionalString (v != null) "--ssl-cert=${v}";
+ };
+ keyFile = mkOption {
+ type = types.path;
+ default = null;
+ description = ''
+ A file containing the HMAC key to use for signing URLs.
+ The file can contain any string. Can be generated using "openssl rand -base64 18 > the_file".
+ '';
+ };
+ extraOptions = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "Extra options passed to the go-camo command.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.go-camo = {
+ description = "go-camo service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ environment = {
+ GOCAMO_HMAC_FILE = "%d/hmac";
+ };
+ script = ''
+ export GOCAMO_HMAC=$(cat "$GOCAMO_HMAC_FILE")
+ exec ${lib.escapeShellArgs(lib.lists.remove "" ([ "${pkgs.go-camo}/bin/go-camo" cfg.listen cfg.sslListen cfg.sslKey cfg.sslCert ] ++ cfg.extraOptions))}
+ '';
+ serviceConfig = {
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ DynamicUser = true;
+ User = "gocamo";
+ Group = "gocamo";
+ LoadCredential = [
+ "hmac:${cfg.keyFile}"
+ ];
+ };
+ };
+ };
+}
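Review bot: `keyFile` is declared with `type = types.path;` and `default = null;`, so enabling the service without setting it fails with a type error while evaluating the default instead of the module system's usual "option is used but not defined" message; dropping the `default = null;` line gives the clearer failure, since the option is mandatory for `LoadCredential` anyway. The `types.path` type on `keyFile`, `sslKey` and `sslCert` deserves a caveat in their descriptions, because a Nix path literal is copied into the world-readable store, e.g. `description = "File containing the HMAC key used to sign URLs. Give it as a string path to a file outside the Nix store so the key is not copied into the store.";`. `mkMerge` is pulled in by the `inherit (lib)` line but never used. The file named by `sslKey` is opened directly by the `DynamicUser` process, so it has to be readable by that transient user; loading it through `LoadCredential` the same way the HMAC file is handled would presumably avoid loosening its permissions, though that depends on go-camo accepting a path under the credentials directory.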