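# NixOS module for the Convos IRC web client.
#
# Exposes `services.convos.*` options and, when enabled, runs the Convos
# daemon as a hardened systemd service under a dynamic user.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  # Pull in only the helpers this module uses instead of `with lib;`, so
  # every name resolves unambiguously.
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.services.convos;
in
{
  options.services.convos = {
    enable = mkEnableOption "Convos";

    listenPort = mkOption {
      type = types.port;
      default = 3000;
      example = 8080;
      description = "Port the web interface should listen on";
    };

    listenAddress = mkOption {
      type = types.str;
      # "*" is the Mojolicious wildcard and binds every interface; with a
      # reverse proxy in front, a loopback address is the safer choice.
      default = "*";
      example = "127.0.0.1";
      description = "Address or host the web interface should listen on";
    };

    reverseProxy = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables reverse proxy support. This will allow Convos to automatically
        pick up the `X-Forwarded-For` and
        `X-Request-Base` HTTP headers set in your reverse proxy
        web server. Note that enabling this option without a reverse proxy in
        front will be a security issue.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.convos = {
      description = "Convos Service";
      wantedBy = [ "multi-user.target" ];
      # "networking.target" is not a systemd unit, so the previous ordering
      # was a no-op; "network.target" is the standard network-up target.
      after = [ "network.target" ];

      environment = {
        # %S expands to the state directory root (/var/lib), so this is the
        # directory created by StateDirectory below.
        CONVOS_HOME = "%S/convos";
        CONVOS_REVERSE_PROXY = if cfg.reverseProxy then "1" else "0";
        # listenAddress is already a string, so no toString is needed.
        # NOTE(review): an IPv6 literal must be written in brackets ("[::1]")
        # for the resulting URL to be well-formed - confirm before relying on it.
        MOJO_LISTEN = "http://${cfg.listenAddress}:${toString cfg.listenPort}";
      };

      serviceConfig = {
        ExecStart = "${pkgs.convos}/bin/convos daemon";
        Restart = "on-failure";
        # Persistent data lives in /var/lib/convos, owned by the dynamic user.
        StateDirectory = "convos";
        WorkingDirectory = "%S/convos";

        # Sandboxing. DynamicUser already implies ProtectSystem=strict,
        # PrivateTmp, NoNewPrivileges and RemoveIPC; the options below tighten
        # the remaining surface.
        DynamicUser = true;
        MemoryDenyWriteExecute = true;
        ProtectHome = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateUsers = true;
        LockPersonality = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        # Only TCP/IP sockets are needed for the web listener and IRC
        # connections; stdout/stderr to journald are inherited fds, not
        # AF_UNIX sockets. Add AF_UNIX here if a local socket is ever required.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        SystemCallFilter = "@system-service";
        SystemCallArchitectures = "native";
        # No capabilities at all: with an unprivileged dynamic user this means
        # a listenPort below 1024 will normally fail to bind (unless the
        # kernel's unprivileged port range has been lowered).
        CapabilityBoundingSet = "";
      };
    };
  };
}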