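# NixOS module for Shiori, a self-hosted bookmarks manager.
#
# It defines the `services.shiori` options and a hardened systemd unit that
# runs `shiori serve` as a dynamic user inside a private root directory.
#
# `utils` is the NixOS module-system argument providing
# `escapeSystemdExecArgs`, which is used to quote ExecStart safely.
{ config, lib, pkgs, utils, ... }:

with lib;
let
  cfg = config.services.shiori;
in {
  options = {
    services.shiori = {
      enable = mkEnableOption (lib.mdDoc "Shiori simple bookmarks manager");

      package = mkOption {
        type = types.package;
        default = pkgs.shiori;
        defaultText = literalExpression "pkgs.shiori";
        description = lib.mdDoc "The Shiori package to use.";
      };

      address = mkOption {
        type = types.str;
        default = "";
        description = lib.mdDoc ''
          The IP address on which Shiori will listen.
          If empty, listens on all interfaces.

          This module does not open any firewall port, so with the default
          NixOS firewall the web interface is only reachable from the host
          unless `services.shiori.port` is added to
          `networking.firewall.allowedTCPPorts`. To expose it to a network,
          prefer binding to `127.0.0.1` and placing a TLS-terminating reverse
          proxy in front of it rather than listening on all interfaces.
        '';
      };

      port = mkOption {
        type = types.port;
        default = 8080;
        description = lib.mdDoc ''
          The port of the Shiori web application.

          The service runs with an empty capability bounding set, so a
          privileged port (below 1024) cannot be bound without relaxing the
          hardening settings of the unit.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.shiori = with cfg; {
      description = "Shiori simple bookmarks manager";
      wantedBy = [ "multi-user.target" ];

      # Same path as StateDirectory below; systemd makes the state
      # directory available at that path inside the RootDirectory.
      environment.SHIORI_DIR = "/var/lib/shiori";

      serviceConfig = {
        # Each argument is quoted and has systemd specifiers (`%`) and `$`
        # escaped, so an admin-supplied address can neither be split into
        # extra arguments nor be expanded by systemd. An empty address is
        # still passed as an empty argument, i.e. "all interfaces".
        ExecStart = utils.escapeSystemdExecArgs [
          "${package}/bin/shiori"
          "serve"
          "--address" address
          "--port" (toString port)
        ];

        DynamicUser = true;
        StateDirectory = "shiori";
        # /run/shiori is created (and owned) by the unit and doubles as its
        # root file system, see RootDirectory below.
        RuntimeDirectory = "shiori";

        # Security options

        BindReadOnlyPaths = [
          "/nix/store"

          # For SSL certificates, and the resolv.conf.
          # NOTE(review): the whole of /etc is exposed read-only. Narrowing
          # this to /etc/ssl and /etc/resolv.conf would be tighter, but on
          # NixOS both are symlinks (e.g. into /etc/static or /run), so
          # confirm the targets are reachable inside the root before doing so.
          "/etc"
        ];

        # No capabilities at all; binding a port below 1024 will fail.
        CapabilityBoundingSet = "";

        DeviceAllow = "";

        LockPersonality = true;

        # Assumes shiori needs no writable+executable mappings (no JIT);
        # relax this if the binary ever fails with EPERM on mmap/mprotect.
        MemoryDenyWriteExecute = true;

        PrivateDevices = true;
        # Private user namespace: uid 0 as seen by the service is not the
        # host's root, so even a leaked capability does not reach the host.
        PrivateUsers = true;

        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;

        RestrictNamespaces = true;
        # Only TCP/IP sockets. AF_UNIX is deliberately absent: presumably the
        # binary resolves names from resolv.conf itself rather than via the
        # nscd socket, which is not bound into the root anyway.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictRealtime = true;
        RestrictSUIDSGID = true;

        # The RuntimeDirectory above; only /nix/store, /etc and the state
        # directory are visible inside it.
        RootDirectory = "/run/shiori";

        SystemCallArchitectures = "native";
        # Disallowed system calls return EPERM instead of killing the process.
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [
          "@system-service"
          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
        ];
      };
    };
  };

  meta.maintainers = with maintainers; [ minijackson ];
}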