author | Anna Aurora <anna@annaaurora.eu> | 2023-09-07 10:33:27 +0200 |
---|---|---|
committer | Anderson Torres <torres.anderson.85@protonmail.com> | 2023-09-12 02:45:58 +0000 |
commit | 8a1734ec9810406427cccff8b2e40eb0d181c2d2 (patch) | |
tree | 0a36b20a94e1582744b24d552de5d4bfed8cac02 /nixos/modules/services/web-apps/meme-bingo-web.nix | |
parent | 82a2a96f98c901480dae61201d3f91fad3956f3d (diff) | |
nixos/meme-bingo-web: init service
Diffstat (limited to 'nixos/modules/services/web-apps/meme-bingo-web.nix')
-rw-r--r-- | nixos/modules/services/web-apps/meme-bingo-web.nix | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/meme-bingo-web.nix b/nixos/modules/services/web-apps/meme-bingo-web.nix
new file mode 100644
index 000000000000..cb864321ef27
--- /dev/null
+++ b/nixos/modules/services/web-apps/meme-bingo-web.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkEnableOption mkIf mkOption mdDoc types literalExpression;
+
+ cfg = config.services.meme-bingo-web;
+in {
+ options = {
+ services.meme-bingo-web = {
+ enable = mkEnableOption (mdDoc ''
+ A web app for the meme bingo, rendered entirely on the web server and made interactive with forms.
+
+ Note: The application's author suppose to run meme-bingo-web behind a reverse proxy for SSL and HTTP/3.
+ '');
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.meme-bingo-web;
+ defaultText = literalExpression "pkgs.meme-bingo-web";
+ description = mdDoc "meme-bingo-web package to use.";
+ };
+
+ baseUrl = mkOption {
+ description = mdDoc ''
+ URL to be used for the HTML <base> element on all HTML routes.
+ '';
+ type = types.str;
+ default = "http://localhost:41678/";
+ example = "https://bingo.example.com/";
+ };
+ port = mkOption {
+ description = mdDoc ''
+ Port to be used for the web server.
+ '';
+ type = types.port;
+ default = 41678;
+ example = 21035;
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.meme-bingo-web = {
+ description = "A web app for playing meme bingos.";
+ wantedBy = [ "multi-user.target" ];
+
+ environment = {
+ MEME_BINGO_BASE = cfg.baseUrl;
+ MEME_BINGO_PORT = toString cfg.port;
+ };
+ path = [ cfg.package ];
+
+ serviceConfig = {
+ User = "meme-bingo-web";
+ Group = "meme-bingo-web";
+
+ DynamicUser = true;
+
+ ExecStart = "${cfg.package}/bin/meme-bingo-web";
+
+ Restart = "always";
+ RestartSec = 1;
+
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "/dev/random" ];
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+ UMask = "0077";
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ NoNewPrivileges = true;
+ MemoryDenyWriteExecute = true;
+ };
+ };
+ };
+}
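Review bot: The module only exposes `port` while its own `enable` description tells operators to front the service with a reverse proxy, so there is no module-level way to bind the plaintext HTTP listener to loopback and it may be reachable on every interface (the daemon receives only MEME_BINGO_PORT here; whether it binds 0.0.0.0 by default is not visible in this hunk). If upstream honours a bind-address variable, add a `listenAddress` option defaulting to `"127.0.0.1"` and pass it in `environment` next to the port; if it does not, say in the `enable` description that the port is open on all interfaces and must be firewalled. Two hardening nits in `serviceConfig`: `DeviceAllow = [ "/dev/random" ];` is redundant because `PrivateDevices = true` already supplies the standard pseudo-devices, and `MemoryDenyWriteExecute = true;` should be checked against the package's runtime, since it breaks JIT-based interpreters. The `enable` description should also read `Note: The application's author recommends running meme-bingo-web behind a reverse proxy for TLS and HTTP/3.`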