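{
  config,
  pkgs,
  lib,
  ...
}:
let
  cfg = config.services.plikd;

  # `settings` is rendered to a TOML file in the Nix store and handed to the
  # daemon via `--config`; the file is therefore world-readable, so secrets do
  # not belong in `services.plikd.settings`.
  format = pkgs.formats.toml { };
  plikdCfg = format.generate "plikd.cfg" cfg.settings;
in
{
  options = {
    services.plikd = {
      enable = lib.mkEnableOption "plikd, a temporary file upload system";

      openFirewall = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to open the firewall for the TCP port given by `services.plikd.settings.ListenPort`.";
      };

      settings = lib.mkOption {
        type = format.type;
        default = { };
        description = ''
          Configuration for plikd, see <https://github.com/root-gg/plik/blob/master/server/plikd.cfg>
          for supported values.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Every value below is wrapped in mkDefault, so a plain assignment in
    # `services.plikd.settings` overrides it without mkForce.
    services.plikd.settings = lib.mapAttrs (name: lib.mkDefault) {
      ListenPort = 8080;
      # Loopback only by default: the service is not reachable from the
      # network until ListenAddress is changed, even with openFirewall = true.
      ListenAddress = "localhost";
      DataBackend = "file";
      # Both paths live inside the StateDirectory that systemd creates for the
      # dynamic user below; they are the only writable locations the unit needs.
      DataBackendConfig = {
        Directory = "/var/lib/plikd";
      };
      MetadataBackendConfig = {
        Driver = "sqlite3";
        ConnectionString = "/var/lib/plikd/plik.db";
      };
    };

    systemd.services.plikd = {
      description = "Plikd file sharing server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${pkgs.plikd}/bin/plikd --config ${plikdCfg}";
        Restart = "on-failure";
        # /var/lib/plikd and /var/log/plikd, owned by the transient user.
        StateDirectory = "plikd";
        LogsDirectory = "plikd";
        DynamicUser = true;

        # Basic hardening
        NoNewPrivileges = "yes";
        PrivateTmp = "yes";
        PrivateDevices = "yes";
        DevicePolicy = "closed";
        ProtectSystem = "strict";
        ProtectHome = "read-only";
        ProtectControlGroups = "yes";
        ProtectKernelModules = "yes";
        ProtectKernelTunables = "yes";
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
        RestrictNamespaces = "yes";
        RestrictRealtime = "yes";
        RestrictSUIDSGID = "yes";
        MemoryDenyWriteExecute = "yes";
        LockPersonality = "yes";

        # Additional hardening: an unprivileged upload daemon needs no
        # capabilities, no view of other processes, and no access to the
        # kernel log, clock or hostname. Uploaded files are created 0600
        # under the state directory via UMask.
        CapabilityBoundingSet = "";
        ProtectClock = "yes";
        ProtectHostname = "yes";
        ProtectKernelLogs = "yes";
        ProtectProc = "invisible";
        SystemCallArchitectures = "native";
        UMask = "0077";
      };
    };

    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.settings.ListenPort ];
    };
  };
}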