diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/databases/surrealdb.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/databases/surrealdb.nix | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/databases/surrealdb.nix b/nixpkgs/nixos/modules/services/databases/surrealdb.nix new file mode 100644 index 000000000000..050a5336cb4c --- /dev/null +++ b/nixpkgs/nixos/modules/services/databases/surrealdb.nix @@ -0,0 +1,113 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + + cfg = config.services.surrealdb; +in { + + options = { + services.surrealdb = { + enable = mkEnableOption (lib.mdDoc "A scalable, distributed, collaborative, document-graph database, for the realtime web "); + + package = mkOption { + default = pkgs.surrealdb; + defaultText = literalExpression "pkgs.surrealdb"; + type = types.package; + description = lib.mdDoc '' + Which surrealdb derivation to use. + ''; + }; + + dbPath = mkOption { + type = types.str; + description = lib.mdDoc '' + The path that surrealdb will write data to. Use null for in-memory. + Can be one of "memory", "file://:path", "tikv://:addr". + ''; + default = "file:///var/lib/surrealdb/"; + example = "memory"; + }; + + host = mkOption { + type = types.str; + description = lib.mdDoc '' + The host that surrealdb will connect to. + ''; + default = "127.0.0.1"; + example = "127.0.0.1"; + }; + + port = mkOption { + type = types.port; + description = lib.mdDoc '' + The port that surrealdb will connect to. + ''; + default = 8000; + example = 8000; + }; + + userNamePath = mkOption { + type = types.path; + description = lib.mdDoc '' + Path to read the username from. + ''; + }; + + passwordPath = mkOption { + type = types.path; + description = lib.mdDoc '' + Path to read the password from. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + # Used to connect to the running service + environment.systemPackages = [ cfg.package ] ; + + systemd.services.surrealdb = { + description = "A scalable, distributed, collaborative, document-graph database, for the realtime web "; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + script = '' + ${cfg.package}/bin/surreal start \ + --user $(${pkgs.systemd}/bin/systemd-creds cat SURREALDB_USERNAME) \ + --pass $(${pkgs.systemd}/bin/systemd-creds cat SURREALDB_PASSWORD) \ + --bind ${cfg.host}:${toString cfg.port} \ + -- ${cfg.dbPath} + ''; + serviceConfig = { + LoadCredential = [ + "SURREALDB_USERNAME:${cfg.userNamePath}" + "SURREALDB_PASSWORD:${cfg.passwordPath}" + ]; + + DynamicUser = true; + Restart = "on-failure"; + StateDirectory = "surrealdb"; + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + PrivateTmp = true; + ProtectHome = true; + ProtectClock = true; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectHostname = true; + RestrictSUIDSGID = true; + RestrictRealtime = true; + RestrictNamespaces = true; + LockPersonality = true; + RemoveIPC = true; + SystemCallFilter = [ "@system-service" "~@privileged" ]; + }; + }; + }; +} |