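{ config, pkgs, lib, ... }:

# NixOS module for the NZBHydra2 Usenet meta-search daemon.
# Declares the `services.nzbhydra2` options, runs the daemon as a dedicated
# unprivileged system user inside a sandboxed systemd unit, and optionally
# opens the web UI port in the firewall.

let
  cfg = config.services.nzbhydra2;
in
{
  options = {
    services.nzbhydra2 = {
      enable = lib.mkEnableOption "NZBHydra2, Usenet meta search";

      dataDir = lib.mkOption {
        # `path` rather than `str`: the value is interpolated into a tmpfiles
        # rule and into ExecStart below, so a relative path would be rejected
        # at evaluation time instead of producing a unit that fails to start.
        type = lib.types.path;
        default = "/var/lib/nzbhydra2";
        description = "The directory where NZBHydra2 stores its data files.";
      };

      openFirewall = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Open ports in the firewall for the NZBHydra2 web interface.";
      };

      package = lib.mkPackageOption pkgs "nzbhydra2" { };
    };
  };

  config = lib.mkIf cfg.enable {
    # The data directory is readable only by the service user; nothing else on
    # the system is expected to touch it.
    systemd.tmpfiles.rules =
      [ "d '${cfg.dataDir}' 0700 nzbhydra2 nzbhydra2 - -" ];

    systemd.services.nzbhydra2 = {
      description = "NZBHydra2";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        User = "nzbhydra2";
        Group = "nzbhydra2";
        ExecStart =
          "${cfg.package}/bin/nzbhydra2 --nobrowser --datafolder '${cfg.dataDir}'";
        Restart = "on-failure";

        # Hardening. As configured here the daemon needs only IP/UNIX/netlink
        # sockets and write access to its own data directory; the remaining
        # directives remove privileges and kernel surface it has no use for.
        NoNewPrivileges = true;
        # Runs as an unprivileged user, so no capabilities are required at all.
        CapabilityBoundingSet = "";
        PrivateTmp = true;
        PrivateDevices = true;
        DevicePolicy = "closed";
        ProtectSystem = "strict";
        ReadWritePaths = cfg.dataDir;
        ProtectHome = "read-only";
        ProtectProc = "invisible";
        ProtectHostname = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        # Disallow non-native syscall ABIs (e.g. 32-bit compat on x86_64).
        SystemCallArchitectures = "native";
      };
    };

    # Only the web interface port is opened, and only on request.
    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedTCPPorts = [ 5076 ];
    };

    users.users.nzbhydra2 = {
      group = "nzbhydra2";
      isSystemUser = true;
    };

    users.groups.nzbhydra2 = { };
  };
}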