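# NixOS module for alps, a webmail frontend. It declares the `services.alps.*`
# options and, when enabled, a sandboxed systemd unit that runs the alps binary
# against one upstream IMAPS server and one upstream SMTPS server.
{
  lib,
  pkgs,
  config,
  ...
}:

let
  # Explicit inherit instead of a file-wide `with lib;`: every library name the
  # module relies on is listed here, so none can be shadowed unnoticed.
  inherit (lib)
    escapeShellArgs
    literalExpression
    mkEnableOption
    mkIf
    mkOption
    types
    ;

  cfg = config.services.alps;
in
{
  options.services.alps = {
    enable = mkEnableOption "alps";

    # The unit below drops all capabilities and runs as a dynamic user, so a
    # port below 1024 can normally not be bound; keep this at 1024 or above.
    port = mkOption {
      type = types.port;
      default = 1323;
      description = ''
        TCP port the service should listen on.
      '';
    };

    # "[::]" is the wildcard address, i.e. the listener is not limited to
    # loopback. This module does not open the port in the NixOS firewall.
    # NOTE(review): nothing in this module configures TLS for the listener;
    # confirm a TLS-terminating reverse proxy sits in front of it before
    # binding to anything other than a loopback address.
    bindIP = mkOption {
      default = "[::]";
      type = types.str;
      description = ''
        The IP the service should listen on.
      '';
    };

    theme = mkOption {
      type = types.enum [
        "alps"
        "sourcehut"
      ];
      default = "sourcehut";
      description = ''
        The frontend's theme to use.
      '';
    };

    # Upstream mail store. The value ends up in an `imaps://` URL (see `args`),
    # so the connection to this host uses the implicit-TLS scheme.
    imaps = {
      port = mkOption {
        type = types.port;
        default = 993;
        description = ''
          The IMAPS server port.
        '';
      };

      host = mkOption {
        type = types.str;
        default = "[::1]";
        example = "mail.example.org";
        description = ''
          The IMAPS server address.
        '';
      };
    };

    # Upstream submission server, passed as an `smtps://` URL (see `args`).
    smtps = {
      port = mkOption {
        type = types.port;
        default = 465;
        description = ''
          The SMTPS server port.
        '';
      };

      host = mkOption {
        type = types.str;
        default = cfg.imaps.host;
        # Rendered in the manual as an expression and with the full option
        # path, so readers see that the default follows the IMAPS host.
        defaultText = literalExpression "config.services.alps.imaps.host";
        example = "mail.example.org";
        description = ''
          The SMTPS server address.
        '';
      };
    };

    package = mkOption {
      internal = true;
      type = types.package;
      default = pkgs.alps;
    };

    # Command-line arguments for the alps binary, derived from the options
    # above: listen address, theme, then the two upstream URLs.
    args = mkOption {
      internal = true;
      type = types.listOf types.str;
      default = [
        "-addr"
        "${cfg.bindIP}:${toString cfg.port}"
        "-theme"
        cfg.theme
        "imaps://${cfg.imaps.host}:${toString cfg.imaps.port}"
        "smtps://${cfg.smtps.host}:${toString cfg.smtps.port}"
      ];
    };
  };

  config = mkIf cfg.enable {
    systemd.services.alps = {
      description = "alps is a simple and extensible webmail.";
      documentation = [ "https://git.sr.ht/~migadu/alps" ];
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [
        "network.target"
        "network-online.target"
      ];

      serviceConfig = {
        # escapeShellArgs quotes for a POSIX shell. systemd parses ExecStart
        # itself and additionally expands `%` specifiers and `$VAR`, so keep
        # those characters out of the host/bindIP values.
        ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";

        # Privileges: no capabilities at all, a throw-away UID, and no way to
        # gain privileges through setuid/setgid binaries.
        AmbientCapabilities = "";
        CapabilityBoundingSet = "";
        DynamicUser = true;
        NoNewPrivileges = true;
        PrivateUsers = true;
        RestrictSUIDSGID = true;

        # Filesystem and kernel surface: read-only system, hidden home
        # directories, private /tmp and /dev, no kernel tunables/modules/logs.
        PrivateDevices = true;
        PrivateIPC = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;

        # Process behaviour.
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;

        # Network: IP sockets only, and the sole port the unit may bind is the
        # configured listen port. The rule is limited to TCP because the
        # `port` option is documented as a TCP port; a bare port number would
        # also permit a UDP bind on it.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        SocketBindAllow = "tcp:${toString cfg.port}";
        SocketBindDeny = "any";

        # Syscalls: native ABI only, the @system-service allow-list minus the
        # privileged and obsolete groups.
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged @obsolete"
        ];
      };
    };
  };
}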