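{ config, lib, pkgs, ... }:

# NixOS module for PlantUML Server: a Jetty instance (run under a JDK) that
# serves the PlantUML web application as a hardened systemd service.

let
  inherit (lib)
    literalExpression
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    mkRemovedOptionModule
    types
    ;

  cfg = config.services.plantuml-server;

  # The unit only asks systemd to create and own the state directory when
  # `home` is left at this default; a custom location has to be provisioned
  # (and made writable inside the sandbox) by the operator.
  defaultHome = "/var/lib/plantuml";
  usesDefaultHome = cfg.home == defaultHome;
in

{
  imports = [
    (mkRemovedOptionModule [ "services" "plantuml-server" "allowPlantumlInclude" ] "This option has been removed from PlantUML.")
  ];

  options = {
    services.plantuml-server = {
      enable = mkEnableOption "PlantUML server";

      # The web application itself; used as `jetty.base` below.
      package = mkPackageOption pkgs "plantuml-server" { };

      packages = {
        jdk = mkPackageOption pkgs "jdk" { };
        jetty = mkPackageOption pkgs "jetty" {
          default = [ "jetty_11" ];
          extraDescription = ''
            At the time of writing (v1.2023.12), PlantUML Server does not support
            Jetty versions higher than 11.x.

            Jetty 12.x has introduced major breaking changes, see
            <https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.0> and
            <https://eclipse.dev/jetty/documentation/jetty-12/programming-guide/index.html#pg-migration-11-to-12>
          '';
        };
      };

      user = mkOption {
        type = types.str;
        default = "plantuml";
        description = "User which runs PlantUML server.";
      };

      group = mkOption {
        type = types.str;
        default = "plantuml";
        description = "Group which runs PlantUML server.";
      };

      home = mkOption {
        type = types.path;
        default = defaultHome;
        description = ''
          Home directory of the PlantUML server instance.

          The directory is created and owned by the service only when this
          option keeps its default value.
        '';
      };

      listenHost = mkOption {
        type = types.str;
        default = "127.0.0.1";
        description = "Host to listen on.";
      };

      listenPort = mkOption {
        # `types.port` rejects values outside 0-65535 at evaluation time
        # instead of letting Jetty fail at startup.
        type = types.port;
        default = 8080;
        description = "Port to listen on.";
      };

      plantumlLimitSize = mkOption {
        type = types.ints.positive;
        default = 4096;
        description = "Limits image width and height.";
      };

      graphvizPackage = mkPackageOption pkgs "graphviz" { };

      plantumlStats = mkOption {
        type = types.bool;
        default = false;
        description = "Set it to on to enable statistics report (https://plantuml.com/statistics-report).";
      };

      httpAuthorization = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          When calling the proxy endpoint, the value of HTTP_AUTHORIZATION will be used to set the HTTP Authorization header.

          The value is written into the generated systemd unit and therefore
          ends up in the world-readable Nix store. Do not put confidential
          tokens here; leave this `null` and provide `HTTP_AUTHORIZATION`
          through `systemd.services.plantuml-server.serviceConfig.EnvironmentFile`
          (or a credential) instead.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.plantuml-server = {
      description = "PlantUML server";
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): this puts `${cfg.home}/bin` on the service's PATH; the
      # purpose is not evident from this module — confirm it is still needed.
      path = [ cfg.home ];

      environment = {
        PLANTUML_LIMIT_SIZE = builtins.toString cfg.plantumlLimitSize;
        GRAPHVIZ_DOT = "${cfg.graphvizPackage}/bin/dot";
        PLANTUML_STATS = if cfg.plantumlStats then "on" else "off";
        # A null value is dropped from the unit's Environment= lines, so the
        # header is only configured when the option is explicitly set.
        HTTP_AUTHORIZATION = cfg.httpAuthorization;
      };

      # Jetty is started from its own distribution (`jetty.home`) with the
      # PlantUML package acting as the deployment base (`jetty.base`).
      script = ''
        ${cfg.packages.jdk}/bin/java \
          -jar ${cfg.packages.jetty}/start.jar \
          --module=deploy,http,jsp \
          jetty.home=${cfg.packages.jetty} \
          jetty.base=${cfg.package} \
          jetty.http.host=${cfg.listenHost} \
          jetty.http.port=${builtins.toString cfg.listenPort}
      '';

      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        StateDirectory = mkIf usesDefaultHome "plantuml";
        StateDirectoryMode = mkIf usesDefaultHome "0750";

        # Hardening
        AmbientCapabilities = [ "" ];
        CapabilityBoundingSet = [ "" ];
        DynamicUser = true;
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        # The server must stay reachable on `listenHost`:`listenPort`.
        PrivateNetwork = false;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        # NOTE(review): with "strict" the file system is read-only apart from
        # the state directory, so a non-default `home` is not writable unless
        # the operator adds it to ReadWritePaths — confirm whether the server
        # needs to write there.
        ProtectSystem = "strict";
        # AF_INET/AF_INET6 for the HTTP listener, AF_UNIX for local IPC.
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" ];
      };
    };
  };

  meta.maintainers = with lib.maintainers; [ truh anthonyroussel ];
}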