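# NixOS module for the SurrealDB service.
#
# Declares `services.surrealdb.{enable,dbPath,host,port}` and, when enabled,
# a hardened `surrealdb.service` unit running under a dynamic user.
{ config, lib, pkgs, ... }:

with lib;
let

  cfg = config.services.surrealdb;
in {

  options = {
    services.surrealdb = {
      enable = mkEnableOption (lib.mdDoc "A scalable, distributed, collaborative, document-graph database, for the realtime web ");

      dbPath = mkOption {
        # `nullOr` so that the documented "null for in-memory" value is actually
        # accepted. With plain `types.str` the module system rejected `null`, and
        # the `cfg.dbPath != null` test in ExecStart below could never be false.
        # Every previously valid string value remains valid.
        type = types.nullOr types.str;
        description = lib.mdDoc ''
          The path that surrealdb will write data to. Use null for in-memory.
          Can be one of "memory", "file://:path", "tikv://:addr".
        '';
        default = "file:///var/lib/surrealdb/";
        example = "memory";
      };

      host = mkOption {
        type = types.str;
        description = lib.mdDoc ''
          The address that surrealdb will listen on.
          Defaults to loopback; the service is only reachable from the local host
          unless this is changed.
        '';
        default = "127.0.0.1";
        example = "127.0.0.1";
      };

      port = mkOption {
        type = types.port;
        description = lib.mdDoc ''
          The port that surrealdb will listen on.
        '';
        default = 8000;
        example = 8000;
      };
    };
  };

  config = mkIf cfg.enable {

    # Used to connect to the running service
    environment.systemPackages = [ pkgs.surrealdb ] ;

    systemd.services.surrealdb = {
      description = "A scalable, distributed, collaborative, document-graph database, for the realtime web ";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        # dbPath is passed positionally after `--`. It is shell-escaped so that a
        # value containing whitespace or quotes is still handed to surreal as a
        # single argument by systemd's ExecStart word splitting.
        #
        # NOTE(review): no `--user`/`--pass` is passed here, so which (if any)
        # credentials protect the instance depends on the surrealdb version's
        # defaults -- confirm before exposing `host` beyond loopback.
        ExecStart = "${pkgs.surrealdb}/bin/surreal start --bind ${cfg.host}:${toString cfg.port} ${optionalString (cfg.dbPath != null) "-- ${escapeShellArg cfg.dbPath}"}";
        # Run as a transient, unprivileged user; no static account is created.
        DynamicUser = true;
        Restart = "on-failure";
        # Creates /var/lib/surrealdb owned by the dynamic user, which is where
        # the default `dbPath` (file:///var/lib/surrealdb/) points.
        StateDirectory = "surrealdb";
        # Empty bounding set: the process holds no capabilities at all.
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectClock = true;
        ProtectProc = "noaccess";
        ProcSubset = "pid";
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        RemoveIPC = true;
        # Allow the common service syscall set but deny the privileged group.
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };
  };
}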