pyrox.dev
1{ config, pkgs, lib, ... }:
2
3with lib;
4
5let
6 cfg = config.services.plikd;
7
8 format = pkgs.formats.toml {};
9 plikdCfg = format.generate "plikd.cfg" cfg.settings;
10in
11{
12 options = {
13 services.plikd = {
14 enable = mkEnableOption (lib.mdDoc "the plikd server");
15
16 openFirewall = mkOption {
17 type = types.bool;
18 default = false;
19 description = lib.mdDoc "Open ports in the firewall for the plikd.";
20 };
21
22 settings = mkOption {
23 type = format.type;
24 default = {};
25 description = lib.mdDoc ''
26 Configuration for plikd, see <https://github.com/root-gg/plik/blob/master/server/plikd.cfg>
27 for supported values.
28 '';
29 };
30 };
31 };
32
33 config = mkIf cfg.enable {
34 services.plikd.settings = mapAttrs (name: mkDefault) {
35 ListenPort = 8080;
36 ListenAddress = "localhost";
37 DataBackend = "file";
38 DataBackendConfig = {
39 Directory = "/var/lib/plikd";
40 };
41 MetadataBackendConfig = {
42 Driver = "sqlite3";
43 ConnectionString = "/var/lib/plikd/plik.db";
44 };
45 };
46
47 systemd.services.plikd = {
48 description = "Plikd file sharing server";
49 after = [ "network.target" ];
50 wantedBy = [ "multi-user.target" ];
51 serviceConfig = {
52 Type = "simple";
53 ExecStart = "${pkgs.plikd}/bin/plikd --config ${plikdCfg}";
54 Restart = "on-failure";
55 StateDirectory = "plikd";
56 LogsDirectory = "plikd";
57 DynamicUser = true;
58
59 # Basic hardening
60 NoNewPrivileges = "yes";
61 PrivateTmp = "yes";
62 PrivateDevices = "yes";
63 DevicePolicy = "closed";
64 ProtectSystem = "strict";
65 ProtectHome = "read-only";
66 ProtectControlGroups = "yes";
67 ProtectKernelModules = "yes";
68 ProtectKernelTunables = "yes";
69 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
70 RestrictNamespaces = "yes";
71 RestrictRealtime = "yes";
72 RestrictSUIDSGID = "yes";
73 MemoryDenyWriteExecute = "yes";
74 LockPersonality = "yes";
75 };
76 };
77
78 networking.firewall = mkIf cfg.openFirewall {
79 allowedTCPPorts = [ cfg.settings.ListenPort ];
80 };
81 };
82}