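# NixOS module for alps, a webmail frontend that connects to an IMAPS and an
# SMTPS backend. It declares the `services.alps.*` options and a sandboxed
# systemd unit that runs the daemon under a dynamic, unprivileged user.
{ lib, pkgs, config, ... }:

with lib;

let
  cfg = config.services.alps;
in {
  options.services.alps = {
    enable = mkEnableOption (lib.mdDoc "alps");

    # The unit below runs with an empty capability bounding set, so a port
    # below 1024 presumably cannot be bound (no CAP_NET_BIND_SERVICE) unless
    # the host lowers the unprivileged-port threshold. TODO confirm.
    port = mkOption {
      type = types.port;
      default = 1323;
      description = lib.mdDoc ''
        TCP port the service should listen on.
      '';
    };

    # The default is the IPv6 wildcard address, so the listener is reachable
    # on every interface. This module passes no TLS settings for the listener
    # itself (see `args`). NOTE(review): when TLS is terminated by a reverse
    # proxy on the same host, a loopback address here and/or a firewall rule
    # keeps the login form from being exposed directly; confirm per deployment.
    bindIP = mkOption {
      default = "[::]";
      type = types.str;
      description = lib.mdDoc ''
        The IP the service should listen on.
      '';
    };

    theme = mkOption {
      type = types.enum [ "alps" "sourcehut" ];
      default = "sourcehut";
      description = lib.mdDoc ''
        The frontend's theme to use.
      '';
    };

    # Upstream mail servers. Both are addressed with implicit-TLS URL schemes
    # (`imaps://`, `smtps://`) when the command line is assembled in `args`.
    imaps = {
      port = mkOption {
        type = types.port;
        default = 993;
        description = lib.mdDoc ''
          The IMAPS server port.
        '';
      };

      host = mkOption {
        type = types.str;
        default = "[::1]";
        example = "mail.example.org";
        description = lib.mdDoc ''
          The IMAPS server address.
        '';
      };
    };

    smtps = {
      port = mkOption {
        type = types.port;
        default = 465;
        description = lib.mdDoc ''
          The SMTPS server port.
        '';
      };

      host = mkOption {
        type = types.str;
        default = cfg.imaps.host;
        # Rendered as an expression in the manual; a bare string here would be
        # shown as a quoted string literal instead of a reference.
        defaultText = literalExpression "config.services.alps.imaps.host";
        example = "mail.example.org";
        description = lib.mdDoc ''
          The SMTPS server address.
        '';
      };
    };

    package = mkOption {
      internal = true;
      type = types.package;
      default = pkgs.alps;
    };

    # Full argument vector handed to the alps binary. Internal: it is derived
    # from the options above and is not meant to be set by users.
    args = mkOption {
      internal = true;
      type = types.listOf types.str;
      default = [
        "-addr" "${cfg.bindIP}:${toString cfg.port}"
        "-theme" "${cfg.theme}"
        "imaps://${cfg.imaps.host}:${toString cfg.imaps.port}"
        "smtps://${cfg.smtps.host}:${toString cfg.smtps.port}"
      ];
    };
  };

  config = mkIf cfg.enable {
    systemd.services.alps = {
      description = "alps is a simple and extensible webmail.";
      documentation = [ "https://git.sr.ht/~migadu/alps" ];
      wantedBy = [ "multi-user.target" ];
      # Ordering after network-online.target has no effect unless some unit
      # also pulls that target into the boot transaction, so want it here.
      wants = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];

      serviceConfig = {
        # NOTE(review): escapeShellArgs applies shell quoting, but systemd
        # parses ExecStart itself and still interprets `%` specifiers and `$`
        # expansion. The option values are admin-controlled, so this matters
        # only if a host or theme value contains those characters.
        ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";

        # No capabilities at all, and no way to gain any.
        AmbientCapabilities = "";
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;

        # Run as a transient user allocated by systemd for this unit.
        DynamicUser = true;
        PrivateUsers = true;

        LockPersonality = true;
        MemoryDenyWriteExecute = true;

        # Private views of devices, IPC and temporary directories.
        PrivateDevices = true;
        PrivateIPC = true;
        PrivateTmp = true;
        RemoveIPC = true;

        # Read-only or hidden view of the host system.
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";

        # IP sockets only; the daemon gets no other address families.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;

        # Only the configured listen port may be bound; every other bind() is
        # denied, which limits what a compromised process can listen on.
        SocketBindAllow = cfg.port;
        SocketBindDeny = "any";

        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ];
      };
    };
  };
}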