diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/web-apps/isso.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/web-apps/isso.nix | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/web-apps/isso.nix b/nixpkgs/nixos/modules/services/web-apps/isso.nix new file mode 100644 index 000000000000..1a852ec352f2 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/isso.nix @@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption types literalExpression; + + cfg = config.services.isso; + + settingsFormat = pkgs.formats.ini { }; + configFile = settingsFormat.generate "isso.conf" cfg.settings; +in { + + options = { + services.isso = { + enable = mkEnableOption (lib.mdDoc '' + A commenting server similar to Disqus. + + Note: The application's author suppose to run isso behind a reverse proxy. + The embedded solution offered by NixOS is also only suitable for small installations + below 20 requests per second. + ''); + + settings = mkOption { + description = lib.mdDoc '' + Configuration for `isso`. + + See [Isso Server Configuration](https://posativ.org/isso/docs/configuration/server/) + for supported values. + ''; + + type = types.submodule { + freeformType = settingsFormat.type; + }; + + example = literalExpression '' + { + general = { + host = "http://localhost"; + }; + } + ''; + }; + }; + }; + + config = mkIf cfg.enable { + services.isso.settings.general.dbpath = lib.mkDefault "/var/lib/isso/comments.db"; + + systemd.services.isso = { + description = "isso, a commenting server similar to Disqus"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "isso"; + Group = "isso"; + + DynamicUser = true; + + StateDirectory = "isso"; + + ExecStart = '' + ${pkgs.isso}/bin/isso -c ${configFile} + ''; + + Restart = "on-failure"; + RestartSec = 1; + + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0077"; + }; + }; + }; +} |