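# NixOS module for SurrealDB: declares the `services.surrealdb` options and,
# when enabled, a sandboxed systemd unit that runs `surreal start`.
{ config, lib, pkgs, ... }:

with lib;
let

  cfg = config.services.surrealdb;
in {

  options = {
    services.surrealdb = {
      # mkEnableOption wraps this text as "Whether to enable <text>."
      enable = mkEnableOption (lib.mdDoc "SurrealDB, a scalable, distributed, collaborative, document-graph database, for the realtime web");

      package = mkOption {
        default = pkgs.surrealdb;
        defaultText = literalExpression "pkgs.surrealdb";
        type = types.package;
        description = lib.mdDoc ''
          Which surrealdb derivation to use.
        '';
      };

      dbPath = mkOption {
        # The type is a plain string, so null is not accepted; the in-memory
        # backend is selected with the literal value "memory".
        type = types.str;
        description = lib.mdDoc ''
          The path that surrealdb will write data to. Use "memory" for in-memory.
          Can be one of "memory", "file://:path", "tikv://:addr".
        '';
        default = "file:///var/lib/surrealdb/";
        example = "memory";
      };

      host = mkOption {
        type = types.str;
        # This value is handed to `--bind`, i.e. it is the listen address.
        description = lib.mdDoc ''
          The address that surrealdb will bind to. The default only accepts
          connections from the local machine; binding to a non-loopback
          address makes the database reachable from the network.
        '';
        default = "127.0.0.1";
        example = "127.0.0.1";
      };

      port = mkOption {
        type = types.port;
        description = lib.mdDoc ''
          The port that surrealdb will listen on.
        '';
        default = 8000;
        example = 8000;
      };

      userNamePath = mkOption {
        type = types.path;
        # The path is interpolated into LoadCredential below. A Nix path
        # literal (./file) would be copied into the world-readable store at
        # that point, which is why the description asks for a runtime path.
        description = lib.mdDoc ''
          Path to read the username from. Give this as a string pointing at a
          file outside the Nix store; a path literal is copied into the
          world-readable store when the unit is generated.
        '';
      };

      passwordPath = mkOption {
        type = types.path;
        # Same store-copy concern as userNamePath.
        description = lib.mdDoc ''
          Path to read the password from. Give this as a string pointing at a
          file outside the Nix store; a path literal is copied into the
          world-readable store when the unit is generated.
        '';
      };
    };
  };

  config = mkIf cfg.enable {

    # Used to connect to the running service
    environment.systemPackages = [ cfg.package ];

    systemd.services.surrealdb = {
      description = "A scalable, distributed, collaborative, document-graph database, for the realtime web";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # The credentials are read into shell variables first: NixOS runs unit
      # scripts with `-e`, so a failing `systemd-creds cat` aborts the start
      # instead of launching surreal with an empty user or password. The
      # expansions are quoted so that whitespace or glob characters in a
      # secret are not split or expanded, and the option values are
      # shell-escaped before they are spliced into the script.
      #
      # NOTE(review): the username and password are still passed as
      # command-line arguments and therefore show up in the process argument
      # list. If the packaged surreal version can take them from the
      # environment or a file, prefer that -- confirm against the package.
      script = ''
        surreal_user="$(${pkgs.systemd}/bin/systemd-creds cat SURREALDB_USERNAME)"
        surreal_pass="$(${pkgs.systemd}/bin/systemd-creds cat SURREALDB_PASSWORD)"

        ${cfg.package}/bin/surreal start \
          --user "$surreal_user" \
          --pass "$surreal_pass" \
          --bind ${escapeShellArg "${cfg.host}:${toString cfg.port}"} \
          -- ${escapeShellArg cfg.dbPath}
      '';
      serviceConfig = {
        # systemd copies these files into the unit's private credential
        # directory; the service user never needs read access to the
        # original paths.
        LoadCredential = [
          "SURREALDB_USERNAME:${cfg.userNamePath}"
          "SURREALDB_PASSWORD:${cfg.passwordPath}"
        ];

        # Transient, unprivileged user; the state directory matches the
        # default dbPath of file:///var/lib/surrealdb/.
        DynamicUser = true;
        Restart = "on-failure";
        StateDirectory = "surrealdb";
        # Empty bounding set: the service holds no capabilities.
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectClock = true;
        # Restricts what this service sees under /proc; it does not hide the
        # service's own command line from other users on the host.
        ProtectProc = "noaccess";
        ProcSubset = "pid";
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        RemoveIPC = true;
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };
  };
}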