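# NixOS module for Alice Looking Glass (alice-lg).
#
# `services.alice-lg.settings` is rendered to an INI file by
# `pkgs.formats.ini` and installed as /etc/alice-lg/alice.conf; the daemon
# runs as a hardened systemd service under DynamicUser.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.alice-lg;
  settingsFormat = pkgs.formats.ini { };
in
{
  options = {
    services.alice-lg = {
      enable = lib.mkEnableOption "Alice Looking Glass";

      package = lib.mkPackageOption pkgs "alice-lg" { };

      # NOTE(review): the generated config is a Nix store path linked into
      # /etc, so anything placed in `settings` is readable by every local
      # user. The example below embeds a database password for illustration
      # only; the module offers no credential-file mechanism, so sensitive
      # values in `postgres.url` should be treated as exposed on the host.
      settings = lib.mkOption {
        type = settingsFormat.type;
        default = { };
        description = ''
          alice-lg configuration, for configuration options see the example on [github](https://github.com/alice-lg/alice-lg/blob/main/etc/alice-lg/alice.example.conf)
        '';
        example = lib.literalExpression ''
          {
            server = {
              # configures the built-in webserver and provides global application settings
              listen_http = "127.0.0.1:7340";
              enable_prefix_lookup = true;
              asn = 9033;
              store_backend = postgres;
              routes_store_refresh_parallelism = 5;
              neighbors_store_refresh_parallelism = 10000;
              routes_store_refresh_interval = 5;
              neighbors_store_refresh_interval = 5;
            };
            postgres = {
              url = "postgres://postgres:postgres@localhost:5432/alice";
              min_connections = 2;
              max_connections = 128;
            };
            pagination = {
              routes_filtered_page_size = 250;
              routes_accepted_page_size = 250;
              routes_not_exported_page_size = 250;
            };
          }
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    environment = {
      # Rendered once at build time from cfg.settings; alice-lg reads it from /etc.
      etc."alice-lg/alice.conf".source = settingsFormat.generate "alice-lg.conf" cfg.settings;
    };

    systemd.services = {
      alice-lg = {
        wants = [ "network.target" ];
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        description = "Alice Looking Glass";

        serviceConfig = {
          # Transient user/group allocated by systemd; no static account is created.
          DynamicUser = true;
          Type = "simple";
          Restart = "on-failure";
          RestartSec = 15;
          ExecStart = "${cfg.package}/bin/alice-lg";

          # NOTE(review): StateDirectoryMode only applies when StateDirectory
          # is set, and no StateDirectory is declared here — confirm whether
          # this line is needed.
          StateDirectoryMode = "0700";
          UMask = "0007";

          # Sandboxing: drop all capabilities and isolate the process from the
          # host namespace as far as a plain network daemon allows.
          CapabilityBoundingSet = "";
          NoNewPrivileges = true;
          ProtectSystem = "strict";
          PrivateTmp = true;
          PrivateDevices = true;
          PrivateUsers = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          # One element per family; systemd merges repeated assignments, so
          # this is equivalent to the single "AF_INET AF_INET6" string form.
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
          ];
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          PrivateMounts = true;
          SystemCallArchitectures = "native";
          # Kept as one string so the leading "~" deny-list marker covers the
          # whole set of groups.
          SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
          # Read-only views needed for DNS, TLS and time; the "-" prefix makes a
          # missing path non-fatal.
          BindReadOnlyPaths = [
            "-/etc/resolv.conf"
            "-/etc/nsswitch.conf"
            "-/etc/ssl/certs"
            "-/etc/static/ssl/certs"
            "-/etc/hosts"
            "-/etc/localtime"
          ];
        };
      };
    };
  };
}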