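# NixOS module for running SurrealDB as a hardened systemd service.
#
# Declares the `services.surrealdb.*` options and, when enabled, installs the
# package system-wide and defines a `surrealdb.service` unit that runs
# `surreal start` under a dynamic, unprivileged user.
{
  config,
  lib,
  pkgs,
  ...
}:
let

  cfg = config.services.surrealdb;
in
{

  options = {
    services.surrealdb = {
      enable = lib.mkEnableOption "SurrealDB, a scalable, distributed, collaborative, document-graph database, for the realtime web";

      package = lib.mkPackageOption pkgs "surrealdb" { };

      # Passed verbatim as the final positional argument of `surreal start`.
      # The type is `str`, so `null` is rejected; in-memory storage is
      # selected with the literal string "memory".
      dbPath = lib.mkOption {
        type = lib.types.str;
        description = ''
          The path that surrealdb will write data to. Use "memory" for in-memory.
          Can be one of "memory", "rocksdb://:path", "surrealkv://:path", "tikv://:addr", "fdb://:addr".
        '';
        default = "rocksdb:///var/lib/surrealdb/";
        example = "memory";
      };

      # Combined with `port` into the `--bind host:port` argument.
      host = lib.mkOption {
        type = lib.types.str;
        description = ''
          The address that surrealdb will bind to (listen on).
          The default only accepts connections from the local machine.
        '';
        default = "127.0.0.1";
        example = "127.0.0.1";
      };

      port = lib.mkOption {
        type = lib.types.port;
        description = ''
          The port that surrealdb will bind to (listen on).
        '';
        default = 8000;
        example = 8000;
      };

      extraFlags = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = [ ];
        example = [
          "--allow-all"
          "--user"
          "root"
          "--pass"
          "root"
        ];
        description = ''
          Specify a list of additional command line flags.

          The flags are joined with spaces and placed unquoted in the unit's
          `ExecStart=` line, so an element containing whitespace is split into
          several arguments. The generated unit is stored in the world-readable
          Nix store and the command line is visible in process listings, so
          credentials such as the ones in the example should not be passed
          this way on a shared or production host.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {

    # Used to connect to the running service
    environment.systemPackages = [ cfg.package ];

    systemd.services.surrealdb = {
      description = "A scalable, distributed, collaborative, document-graph database, for the realtime web";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        # All option values are interpolated into this line as-is: nothing is
        # quoted or escaped, and systemd applies its own word splitting and
        # `%`/`$` expansion to the result.
        # NOTE(review): secrets are better supplied out of band (for example
        # through `systemd.services.surrealdb.serviceConfig.EnvironmentFile`)
        # than through `extraFlags`; confirm which variables the packaged
        # `surreal` binary reads before relying on that.
        ExecStart = "${cfg.package}/bin/surreal start --bind ${cfg.host}:${toString cfg.port} ${lib.strings.concatStringsSep " " cfg.extraFlags} -- ${cfg.dbPath}";

        # Run under a transient unprivileged user allocated by systemd.
        DynamicUser = true;
        Restart = "on-failure";
        # Creates /var/lib/surrealdb, which is where the default `dbPath`
        # points. NOTE(review): a file-backed `dbPath` outside this directory
        # is presumably not writable by the dynamic user; verify.
        StateDirectory = "surrealdb";

        # Empty bounding set: the service holds no Linux capabilities, so it
        # cannot, for instance, bind a port below 1024 on a default kernel.
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;

        # Filesystem and kernel-interface isolation.
        PrivateTmp = true;
        ProtectHome = true;
        ProtectClock = true;
        ProtectProc = "noaccess";
        ProcSubset = "pid";
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectHostname = true;

        # Restrictions on what the process may do at runtime.
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        RemoveIPC = true;

        # Allow the common service syscall set, minus the privileged group.
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
      };
    };
  };
}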