diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/misc/wastebin.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/misc/wastebin.nix | 158 |
1 files changed, 158 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/misc/wastebin.nix b/nixpkgs/nixos/modules/services/misc/wastebin.nix new file mode 100644 index 000000000000..3d0af2862683 --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/wastebin.nix @@ -0,0 +1,158 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.wastebin; + inherit (lib) + mkEnableOption mkPackageOption mkIf mkOption + types mapAttrs isBool getExe boolToString optionalAttrs; +in +{ + + options.services.wastebin = { + + enable = mkEnableOption "Wastenbin pastebin service"; + + package = mkPackageOption pkgs "wastebin" { }; + + stateDir = mkOption { + type = types.path; + default = "/var/lib/wastebin"; + description = "State directory of the daemon."; + }; + + secretFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/secrets/wastebin.env"; + description = '' + Path to file containing sensitive environment variables. + Some variables that can be considered secrets are: + + - WASTEBIN_PASSWORD_SALT: + salt used to hash user passwords used for encrypting pastes. + + - WASTEBIN_SIGNING_KEY: + sets the key to sign cookies. If not set, a random key will be + generated which means cookies will become invalid after restarts and + paste creators will not be able to delete their pastes anymore. + ''; + }; + + settings = mkOption { + + description = '' + Additional configuration for wastebin, see + <https://github.com/matze/wastebin#usage> for supported values. + For secrets use secretFile option instead. + ''; + + type = types.submodule { + + freeformType = with types; attrsOf (oneOf [ bool int str ]); + + options = { + + WASTEBIN_ADDRESS_PORT = mkOption { + type = types.str; + default = "0.0.0.0:8088"; + description = "Address and port to bind to"; + }; + + WASTEBIN_BASE_URL = mkOption { + default = "http://localhost"; + example = "https://myhost.tld"; + type = types.str; + description = '' + Base URL for the QR code display. If not set, the user agent's Host + header field is used as an approximation. + ''; + }; + + WASTEBIN_CACHE_SIZE = mkOption { + default = 128; + type = types.int; + description = "Number of rendered syntax highlight items to cache. Can be disabled by setting to 0."; + }; + + WASTEBIN_DATABASE_PATH = mkOption { + default = "/var/lib/wastebin/sqlite3.db"; # TODO make this default to stateDir/sqlite3.db + type = types.str; + description = "Path to the sqlite3 database file. If not set, an in-memory database is used."; + }; + + WASTEBIN_HTTP_TIMEOUT = mkOption { + default = 5; + type = types.int; + description = "Maximum number of seconds a request can be processed until wastebin responds with 408"; + }; + + WASTEBIN_MAX_BODY_SIZE = mkOption { + default = 1024; + type = types.int; + description = "Number of bytes to accept for POST requests"; + }; + + WASTEBIN_TITLE = mkOption { + default = "wastebin"; + type = types.str; + description = "Overrides the HTML page title"; + }; + + RUST_LOG = mkOption { + default = "info"; + type = types.str; + description = + '' + Influences logging. Besides the typical trace, debug, info etc. + keys, you can also set the tower_http key to some log level to get + additional information request and response logs. + ''; + }; + }; + }; + + default = { }; + + example = { + WASTEBIN_TITLE = "My awesome pastebin"; + }; + }; + }; + + config = mkIf cfg.enable + { + systemd.services.wastebin = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings; + serviceConfig = { + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + DevicePolicy = "closed"; + DynamicUser = true; + ExecStart = "${getExe cfg.package}"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = [ "native" ]; + SystemCallFilter = [ "@system-service" ]; + StateDirectory = baseNameOf cfg.stateDir; + ReadWritePaths = cfg.stateDir; + } // optionalAttrs (cfg.secretFile != null) { + EnvironmentFile = cfg.secretFile; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ pinpox ]; +} |