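# NixOS module for go-camo. It declares the `services.go-camo` options and,
# when enabled, a systemd unit that runs the go-camo binary with the HMAC
# signing key handed over as a systemd credential.
{
  lib,
  pkgs,
  config,
  ...
}:

let
  cfg = config.services.go-camo;
  inherit (lib)
    mkOption
    mkEnableOption
    mkIf
    mkMerge
    types
    optionalString
    ;
in
{
  options.services.go-camo = {
    enable = mkEnableOption "go-camo service";

    # Each of the four options below uses `apply` to turn the configured value
    # into the finished command-line flag, or into "" when unset. Reading
    # `cfg.listen` therefore yields "--listen=..." and not the bare address.
    listen = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Address:Port to bind to for HTTP (default: 0.0.0.0:8080).";
      apply = v: optionalString (v != null) "--listen=${v}";
    };
    sslListen = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Address:Port to bind to for HTTPS.";
      apply = v: optionalString (v != null) "--ssl-listen=${v}";
    };
    # Secret material: interpolating a Nix path literal (e.g. ./key.pem) copies
    # the file into the world-readable /nix/store. Set this to an absolute path
    # given as a string ("/var/lib/secrets/key.pem") so only the path is stored.
    # NOTE(review): the unit runs with DynamicUser, so a key readable only by
    # root is presumably not readable by the service; loading it through
    # LoadCredential like the HMAC key would address that. Confirm before use.
    sslKey = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to TLS private key.";
      apply = v: optionalString (v != null) "--ssl-key=${v}";
    };
    sslCert = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to TLS certificate.";
      apply = v: optionalString (v != null) "--ssl-cert=${v}";
    };
    # Required option. The previous `default = null` did not satisfy
    # `types.path`, so an unset key failed with a type error and the generated
    # documentation showed a default that could never be used. Without a
    # default the module system reports the option as not set.
    # As with sslKey, pass an absolute path as a string: a path literal would be
    # copied into the world-readable store when it is interpolated into
    # LoadCredential below.
    keyFile = mkOption {
      type = types.path;
      description = ''
        A file containing the HMAC key to use for signing URLs.
        The file can contain any string. Can be generated using "openssl rand -base64 18 > the_file".
      '';
    };
    # These strings end up in the generated start script (in the Nix store) and
    # in the process arguments, so they are not a place for secrets.
    extraOptions = mkOption {
      type = with types; listOf str;
      default = [ ];
      description = "Extra options passed to the go-camo command.";
    };
  };

  config = mkIf cfg.enable {
    systemd.services.go-camo = {
      description = "go-camo service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      environment = {
        # %d is the systemd specifier for the unit's credentials directory;
        # "hmac" is the credential name declared in LoadCredential below.
        GOCAMO_HMAC_FILE = "%d/hmac";
      };
      # The key is read from the credential file at start-up and exported as
      # GOCAMO_HMAC, so it never appears in the store or on the command line.
      # Unset options are "" after `apply`; they are removed before the
      # argument list is shell-escaped.
      script = ''
        GOCAMO_HMAC="$(cat "$GOCAMO_HMAC_FILE")"
        export GOCAMO_HMAC
        exec ${
          lib.escapeShellArgs (
            lib.lists.remove "" (
              [
                "${pkgs.go-camo}/bin/go-camo"
                cfg.listen
                cfg.sslListen
                cfg.sslKey
                cfg.sslCert
              ]
              ++ cfg.extraOptions
            )
          )
        }
      '';
      serviceConfig = {
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        DynamicUser = true;
        User = "gocamo";
        Group = "gocamo";
        # Exposes the key file to the unit as the credential "hmac".
        LoadCredential = [
          "hmac:${cfg.keyFile}"
        ];
      };
    };
  };
}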