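# NixOS module for go-camo.
#
# Declares `services.go-camo.*` options and, when enabled, a systemd unit that
# runs the go-camo binary from `pkgs.go-camo` with the HMAC signing key handed
# over through a systemd credential.
{ lib, pkgs, config, ... }:

let
  cfg = config.services.go-camo;
  inherit (lib) mkOption mkEnableOption mkIf types optionalString;
in
{
  options.services.go-camo = {
    enable = mkEnableOption "go-camo service";

    # Each of the four options below is turned into its command-line flag by
    # `apply`; an unset option becomes "" and is filtered out of the command
    # line in the unit script.
    listen = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Address:Port to bind to for HTTP (default: 0.0.0.0:8080).";
      apply = v: optionalString (v != null) "--listen=${v}";
    };

    sslListen = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Address:Port to bind to for HTTPS.";
      apply = v: optionalString (v != null) "--ssl-listen=${v}";
    };

    # NOTE(security): give this as a string path ("/var/lib/..."), not a Nix
    # path literal. Interpolating a path literal copies the file into
    # /nix/store, which is world-readable.
    # NOTE(review): unlike keyFile, this file is not passed via LoadCredential,
    # so the DynamicUser account must be able to read it itself; confirm.
    sslKey = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to TLS private key.";
      apply = v: optionalString (v != null) "--ssl-key=${v}";
    };

    sslCert = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to TLS certificate.";
      apply = v: optionalString (v != null) "--ssl-cert=${v}";
    };

    # Required option: no default is declared, because `null` is not a value
    # of `types.path` and would only surface as a type error on evaluation.
    # NOTE(security): same store caveat as sslKey; a path literal here puts
    # the HMAC key into the world-readable /nix/store.
    keyFile = mkOption {
      type = types.path;
      description = ''
        A file containing the HMAC key to use for signing URLs.
        The file can contain any string. Can be generated using "openssl rand -base64 18 > the_file".
      '';
    };

    extraOptions = mkOption {
      type = with types; listOf str;
      default = [];
      description = "Extra options passed to the go-camo command.";
    };
  };

  config = mkIf cfg.enable {
    systemd.services.go-camo = {
      description = "go-camo service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      environment = {
        # %d is systemd's specifier for the unit's credentials directory;
        # "hmac" is the credential name given in LoadCredential below.
        GOCAMO_HMAC_FILE = "%d/hmac";
      };
      # The key is read from the credential file and passed to go-camo through
      # the GOCAMO_HMAC environment variable, so it never appears in argv.
      # Assignment and export are separate statements: `export VAR=$(cmd)`
      # returns export's status and would hide a failing `cat` from the
      # `-e` shell NixOS uses for unit scripts. An empty key is refused
      # before the proxy starts.
      script = ''
        GOCAMO_HMAC=$(cat "$GOCAMO_HMAC_FILE")
        if [ -z "$GOCAMO_HMAC" ]; then
          echo "go-camo: HMAC key file is empty" >&2
          exit 1
        fi
        export GOCAMO_HMAC
        exec ${lib.escapeShellArgs (lib.lists.remove "" ([ "${pkgs.go-camo}/bin/go-camo" cfg.listen cfg.sslListen cfg.sslKey cfg.sslCert ] ++ cfg.extraOptions))}
      '';
      serviceConfig = {
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        DynamicUser = true;
        User = "gocamo";
        Group = "gocamo";
        # systemd copies keyFile into the unit's private credentials
        # directory, so the dynamic user needs no access to the original path.
        LoadCredential = [
          "hmac:${cfg.keyFile}"
        ];
      };
    };
  };
}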