diff options
author | Henri Menke <henri@henrimenke.de> | 2023-10-01 22:09:24 +0200 |
---|---|---|
committer | Henri Menke <henri@henrimenke.de> | 2023-10-26 17:27:51 +0200 |
commit | e0cebb254e3bbc040791af7c133dbf50c3fc4f72 (patch) | |
tree | 142ead6cfa358af6de03c4e90a55b3e7ce3c4be6 /nixos/modules/services/web-apps/c2fmzq-server.nix | |
parent | 356a40ad141a2b8aefdac5978701ec4ea6b4bfa9 (diff) | |
download | nixlib-e0cebb254e3bbc040791af7c133dbf50c3fc4f72.tar nixlib-e0cebb254e3bbc040791af7c133dbf50c3fc4f72.tar.gz nixlib-e0cebb254e3bbc040791af7c133dbf50c3fc4f72.tar.bz2 nixlib-e0cebb254e3bbc040791af7c133dbf50c3fc4f72.tar.lz nixlib-e0cebb254e3bbc040791af7c133dbf50c3fc4f72.tar.xz nixlib-e0cebb254e3bbc040791af7c133dbf50c3fc4f72.tar.zst nixlib-e0cebb254e3bbc040791af7c133dbf50c3fc4f72.zip |
nixos/c2fmzq-server: init module
Co-authored-by: Peder Bergebakken Sundt <pbsds@hotmail.com> Co-authored-by: Anselm Schüler <mail@anselmschueler.com> Co-authored-by: h7x4 <h7x4@nani.wtf>
Diffstat (limited to 'nixos/modules/services/web-apps/c2fmzq-server.nix')
-rw-r--r-- | nixos/modules/services/web-apps/c2fmzq-server.nix | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/c2fmzq-server.nix b/nixos/modules/services/web-apps/c2fmzq-server.nix new file mode 100644 index 000000000000..2749c2a5a87a --- /dev/null +++ b/nixos/modules/services/web-apps/c2fmzq-server.nix @@ -0,0 +1,125 @@ +{ lib, pkgs, config, ... }: + +let + inherit (lib) mkEnableOption mkPackageOption mkOption types; + + cfg = config.services.c2fmzq-server; + + argsFormat = { + type = with lib.types; nullOr (oneOf [ bool int str ]); + generate = lib.cli.toGNUCommandLineShell { }; + }; +in { + options.services.c2fmzq-server = { + enable = mkEnableOption "c2fmzq-server"; + + bindIP = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "The local address to use."; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = "The local port to use."; + }; + + passphraseFile = mkOption { + type = types.str; + example = "/run/secrets/c2fmzq/pwfile"; + description = "Path to file containing the database passphrase"; + }; + + package = mkPackageOption pkgs "c2fmzq" { }; + + settings = mkOption { + type = types.submodule { + freeformType = argsFormat.type; + + options = { + address = mkOption { + internal = true; + type = types.str; + default = "${cfg.bindIP}:${toString cfg.port}"; + }; + + database = mkOption { + type = types.str; + default = "%S/c2fmzq-server/data"; + description = "Path of the database"; + }; + + verbose = mkOption { + type = types.ints.between 1 3; + default = 2; + description = "The level of logging verbosity: 1:Error 2:Info 3:Debug"; + }; + }; + }; + description = '' + Configuration for c2FmZQ-server passed as CLI arguments. + Run {command}`c2FmZQ-server help` for supported values. + ''; + example = { + verbose = 3; + allow-new-accounts = true; + auto-approve-new-accounts = true; + encrypt-metadata = true; + enable-webapp = true; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.c2fmzq-server = { + description = "c2FmZQ-server"; + documentation = [ "https://github.com/c2FmZQ/c2FmZQ/blob/main/README.md" ]; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "network-online.target" ]; + + serviceConfig = { + ExecStart = "${lib.getExe cfg.package} ${argsFormat.generate cfg.settings}"; + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + DynamicUser = true; + Environment = "C2FMZQ_PASSPHRASE_FILE=%d/passphrase-file"; + IPAccounting = true; + IPAddressAllow = cfg.bindIP; + IPAddressDeny = "any"; + LoadCredential = "passphrase-file:${cfg.passphraseFile}"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateIPC = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SocketBindAllow = cfg.port; + SocketBindDeny = "any"; + StateDirectory = "c2fmzq-server"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ]; + }; + }; + }; + + meta = { + doc = ./c2fmzq-server.md; + maintainers = with lib.maintainers; [ hmenke ]; + }; +} |