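{ config, lib, pkgs, ... }:

let
  cfg = config.services.microbin;

  # systemd only creates (and chowns for the DynamicUser) a directory that is
  # handed to it as a path relative to /var/lib via StateDirectory.  Derive that
  # relative path from dataDir instead of hard-coding "microbin", so that a
  # non-default dataDir below /var/lib is still provisioned for the dynamic
  # user; for the default dataDir this yields the same "microbin" as before.
  # A dataDir outside /var/lib is not created here and must be provisioned
  # (and made writable for the service) by the administrator.
  stateDirectory = lib.optionalAttrs (lib.hasPrefix "/var/lib/" cfg.dataDir) {
    StateDirectory = lib.removePrefix "/var/lib/" cfg.dataDir;
  };
in
{
  options.services.microbin = {
    enable = lib.mkEnableOption "MicroBin is a super tiny, feature rich, configurable paste bin web application";

    package = lib.mkPackageOption pkgs "microbin" { };

    settings = lib.mkOption {
      type = lib.types.submodule { freeformType = with lib.types; attrsOf (oneOf [ bool int str ]); };
      default = { };
      example = {
        MICROBIN_PORT = 8080;
        MICROBIN_HIDE_LOGO = false;
      };
      description = ''
        Additional configuration for MicroBin, see
        <https://microbin.eu/docs/installation-and-configuration/configuration/>
        for supported values.

        Values set here become environment variables in the generated systemd
        unit, which lives in the world-readable Nix store.
        For secrets use passwordFile option instead.
      '';
    };

    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/microbin";
      description = "Default data folder for MicroBin.";
    };

    passwordFile = lib.mkOption {
      # NOTE(review): `types.path` also accepts an unquoted path literal
      # (./microbin.env), which Nix copies into the world-readable store.
      # Always pass an absolute string path to a file deployed outside the
      # store, as in the example.
      type = lib.types.nullOr lib.types.path;
      default = null;
      example = "/run/secrets/microbin.env";
      description = ''
        Path to file containing environment variables.
        Useful for passing down secrets. The file must be kept outside the
        Nix store (e.g. provisioned by a secrets manager).

        Variables that can be considered secrets are:
        - MICROBIN_BASIC_AUTH_USERNAME
        - MICROBIN_BASIC_AUTH_PASSWORD
        - MICROBIN_ADMIN_USERNAME
        - MICROBIN_ADMIN_PASSWORD
        - MICROBIN_UPLOADER_PASSWORD
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Defaults only; every value here can be overridden from `settings`.
    services.microbin.settings = with lib; {
      # Listens on all interfaces.  Nothing in this module enables any of the
      # auth variables listed under passwordFile, so out of the box the paste
      # bin is reachable (read and write) by anyone who can reach the host.
      # Prefer "127.0.0.1" behind a reverse proxy, or set basic/uploader auth
      # through passwordFile, unless a public instance is intended.
      MICROBIN_BIND = mkDefault "0.0.0.0";
      MICROBIN_DISABLE_TELEMETRY = mkDefault true;
      # Do not advertise this instance on the public server list.
      MICROBIN_LIST_SERVER = mkDefault false;
      # Kept as a string; ints from `settings` are stringified identically below.
      MICROBIN_PORT = mkDefault "8080";
    };

    systemd.services.microbin = {
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      # Booleans become "true"/"false", everything else goes through toString,
      # so 8080 and "8080" produce the same environment entry.
      environment = lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings;
      serviceConfig = {
        # Bounding set only; no AmbientCapabilities are granted, and with
        # PrivateUsers = true the service runs in its own user namespace, so a
        # port below 1024 is not expected to be bindable from here.  Keep
        # MICROBIN_PORT above 1024 (the default is 8080) or front the service
        # with a reverse proxy.
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        DevicePolicy = "closed";
        # DynamicUser also implies ProtectSystem=strict, ProtectHome=read-only,
        # PrivateTmp, NoNewPrivileges, RemoveIPC and RestrictSUIDSGID, which is
        # why those are not listed explicitly.
        DynamicUser = true;
        # Secrets are read by systemd at start, not baked into the unit file.
        EnvironmentFile = lib.optional (cfg.passwordFile != null) cfg.passwordFile;
        ExecStart = "${cfg.package}/bin/microbin";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        # The only writable location; pastes and the database live here.
        # NOTE(review): the directory is created with systemd's default mode
        # (0755), so other local users can read stored pastes; consider
        # StateDirectoryMode = "0750" / UMask = "0077" if that matters.
        ReadWritePaths = cfg.dataDir;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = [ "native" ];
        SystemCallFilter = [ "@system-service" ];
        WorkingDirectory = cfg.dataDir;
      } // stateDirectory;
    };
  };

  meta.maintainers = with lib.maintainers; [ surfaceflinger ];
}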