{ config, lib, pkgs, ... }:

let
  cfg = config.services.isso;

  # `settings` is rendered to INI through the shared formats helper.  Note that
  # `generate` writes the rendered file into the Nix store, which is readable by
  # every local user, so credentials placed in `settings` (for example anything
  # isso's mail-related sections accept) become world-readable.  Reviewer note:
  # this module offers no credential-file mechanism; keep secrets out of it.
  iniFormat = pkgs.formats.ini { };
  renderedConfig = iniFormat.generate "isso.conf" cfg.settings;
in
{
  options.services.isso = {
    enable = lib.mkEnableOption (lib.mdDoc ''
      A commenting server similar to Disqus.

      Note: The application's author suppose to run isso behind a reverse proxy.
      The embedded solution offered by NixOS is also only suitable for small installations
      below 20 requests per second.
    '');

    settings = lib.mkOption {
      description = lib.mdDoc ''
        Configuration for `isso`.

        See [Isso Server Configuration](https://posativ.org/isso/docs/configuration/server/)
        for supported values.
      '';

      # Free-form: every INI section/key is passed through to isso unchecked,
      # so validation happens in isso at start-up, not at evaluation time.
      type = lib.types.submodule {
        freeformType = iniFormat.type;
      };

      example = lib.literalExpression ''
        {
          general = {
            host = "http://localhost";
          };
        }
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Default database path lives inside the StateDirectory declared for the
    # unit below; a user-supplied dbpath takes precedence over this mkDefault.
    services.isso.settings.general.dbpath = lib.mkDefault "/var/lib/isso/comments.db";

    systemd.services.isso = {
      description = "isso, a commenting server similar to Disqus";
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # Transient user/group; DynamicUser also implies ProtectSystem=strict,
        # PrivateTmp, RemoveIPC and NoNewPrivileges, which is why those are not
        # repeated under "Hardening" below.
        User = "isso";
        Group = "isso";
        DynamicUser = true;

        # /var/lib/isso, owned by the transient user, holds the SQLite database.
        StateDirectory = "isso";

        ExecStart = ''
          ${pkgs.isso}/bin/isso -c ${renderedConfig}
        '';

        Restart = "on-failure";
        RestartSec = 1;

        # Hardening
        # No capabilities, no device nodes, only IPv4/IPv6 sockets (no AF_UNIX),
        # and a syscall allow-list restricted to the generic service profile.
        CapabilityBoundingSet = [ "" ];
        DeviceAllow = [ "" ];
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
        # Files created by the service (including the database) are owner-only.
        UMask = "0077";
      };
    };
  };
}