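# NixOS module for the Convos web chat client.
#
# Declares `services.convos.*` options and, when enabled, a sandboxed systemd
# unit that runs `convos daemon` with its listen URL and reverse-proxy mode
# passed through environment variables.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.convos;
in
{
  options.services.convos = {
    enable = mkEnableOption (lib.mdDoc "Convos");
    listenPort = mkOption {
      type = types.port;
      default = 3000;
      example = 8080;
      description = lib.mdDoc "Port the web interface should listen on";
    };
    # The default "*" is substituted into MOJO_LISTEN as the host part, i.e. a
    # wildcard listen address rather than loopback. Deployments that sit behind
    # a reverse proxy normally want the address the proxy connects to instead
    # (the option's own example is 127.0.0.1).
    listenAddress = mkOption {
      type = types.str;
      default = "*";
      example = "127.0.0.1";
      description = lib.mdDoc "Address or host the web interface should listen on";
    };
    # Turns on trust in proxy-supplied request headers. Those headers are only
    # trustworthy when every request actually arrives through the proxy.
    reverseProxy = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Enables reverse proxy support. This will allow Convos to automatically
        pick up the `X-Forwarded-For` and
        `X-Request-Base` HTTP headers set in your reverse proxy
        web server. Note that enabling this option without a reverse proxy in
        front will be a security issue.
      '';
    };
  };

  config = mkIf cfg.enable {
    # Evaluation-time warning only (never a failure): forwarded headers are
    # trusted while the listener uses the wildcard default, so a client that
    # reaches the port directly bypasses the proxy that is supposed to set
    # them. Only the literal "*" is detected; other wildcard spellings are not.
    warnings = optional (cfg.reverseProxy && cfg.listenAddress == "*")
      "services.convos.reverseProxy is enabled while services.convos.listenAddress is \"*\"; bind Convos to the address your reverse proxy connects to (for example 127.0.0.1) or firewall port ${toString cfg.listenPort}, otherwise forwarded headers can be supplied by clients directly.";

    systemd.services.convos = {
      description = "Convos Service";
      wantedBy = [ "multi-user.target" ];
      # Was "networking.target", which is not a systemd unit name, so the
      # ordering dependency was silently ignored. "network.target" is the
      # standard target for "network stack has been set up".
      after = [ "network.target" ];
      environment = {
        # %S is systemd's state-directory root; this matches StateDirectory and
        # WorkingDirectory below.
        CONVOS_HOME = "%S/convos";
        CONVOS_REVERSE_PROXY = if cfg.reverseProxy then "1" else "0";
        # NOTE(review): the address is interpolated verbatim, so an IPv6
        # literal presumably needs to be given in bracketed form — confirm.
        MOJO_LISTEN = "http://${toString cfg.listenAddress}:${toString cfg.listenPort}";
      };
      serviceConfig = {
        ExecStart = "${pkgs.convos}/bin/convos daemon";
        Restart = "on-failure";
        StateDirectory = "convos";
        WorkingDirectory = "%S/convos";

        # Sandboxing. The service runs as a transient unprivileged user with no
        # capabilities, no device access, a restricted view of kernel
        # interfaces, and IPv4/IPv6 sockets only.
        DynamicUser = true;
        MemoryDenyWriteExecute = true;
        ProtectHome = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateUsers = true;
        LockPersonality = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        SystemCallFilter = "@system-service";
        SystemCallArchitectures = "native";
        # Empty bounding set: the process can never hold any capability.
        CapabilityBoundingSet = "";
      };
    };
  };
}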