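# NixOS module for the Alice Looking Glass (alice-lg) BGP looking-glass service.
#
# The module exposes `services.alice-lg.{enable,package,settings}`, renders
# `settings` to /etc/alice-lg/alice.conf and runs alice-lg as a hardened,
# dynamically-allocated systemd service.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.alice-lg;

  # `settings` is serialised as an INI file.  `settingsFormat.generate` builds
  # the file into the Nix store, which is readable by every local user, so the
  # settings must not contain secrets (see the option description below).
  settingsFormat = pkgs.formats.ini { };
in
{
  options = {
    services.alice-lg = {
      enable = mkEnableOption (lib.mdDoc "Alice Looking Glass");

      package = mkPackageOptionMD pkgs "alice-lg" { };

      settings = mkOption {
        type = settingsFormat.type;
        default = { };
        description = lib.mdDoc ''
          alice-lg configuration, for configuration options see the example on
          [github](https://github.com/alice-lg/alice-lg/blob/main/etc/alice-lg/alice.example.conf).

          The generated configuration file is written to the Nix store and linked
          to `/etc/alice-lg/alice.conf`, so its contents are readable by every
          local user.  Do not place credentials (for example a `postgres.url`
          that embeds a password) in these settings.
        '';
        example = literalExpression ''
          {
            server = {
              # configures the built-in webserver and provides global application settings
              listen_http = "127.0.0.1:7340";
              enable_prefix_lookup = true;
              asn = 9033;
              # the backend name is a string; an unquoted identifier here would be
              # an undefined Nix variable
              store_backend = "postgres";
              routes_store_refresh_parallelism = 5;
              neighbors_store_refresh_parallelism = 10000;
              routes_store_refresh_interval = 5;
              neighbors_store_refresh_interval = 5;
            };
            postgres = {
              url = "postgres://postgres:postgres@localhost:5432/alice";
              min_connections = 2;
              max_connections = 128;
            };
            pagination = {
              routes_filtered_page_size = 250;
              routes_accepted_page_size = 250;
              routes_not_exported_page_size = 250;
            };
          }
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    environment = {
      # The daemon reads its configuration from this fixed path.
      etc."alice-lg/alice.conf".source = settingsFormat.generate "alice-lg.conf" cfg.settings;
    };

    systemd.services = {
      alice-lg = {
        wants = [ "network.target" ];
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        description = "Alice Looking Glass";

        serviceConfig = {
          # Run under a transient, unprivileged user allocated by systemd.
          DynamicUser = true;
          Type = "simple";
          Restart = "on-failure";
          RestartSec = 15;
          ExecStart = "${cfg.package}/bin/alice-lg";

          # NOTE(review): StateDirectoryMode only takes effect together with
          # StateDirectory=, which this unit does not set — confirm whether a
          # state directory is intended.
          StateDirectoryMode = "0700";
          UMask = "0007";

          # Sandboxing: drop all capabilities and isolate the process from the
          # host as far as the daemon allows.
          CapabilityBoundingSet = "";
          NoNewPrivileges = true;
          ProtectSystem = "strict";
          PrivateTmp = true;
          PrivateDevices = true;
          PrivateUsers = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          # One list element per address family; systemd merges repeated
          # RestrictAddressFamilies= assignments into a single allow-list.
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          PrivateMounts = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";

          # Read-only views of the host files the daemon needs for name
          # resolution and TLS; the leading "-" makes a missing path non-fatal.
          BindReadOnlyPaths = [
            "-/etc/resolv.conf"
            "-/etc/nsswitch.conf"
            "-/etc/ssl/certs"
            "-/etc/static/ssl/certs"
            "-/etc/hosts"
            "-/etc/localtime"
          ];
        };
      };
    };
  };
}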