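{
  config,
  lib,
  pkgs,
  ...
}:

# NixOS module for the Lauti (formerly Eintopf) community event calendar.
# The application is configured entirely through environment variables:
# non-sensitive values come from `settings`, credentials from files handed
# to systemd's EnvironmentFile=.

let

  cfg = config.services.eintopf;

in
{
  options.services.eintopf = {

    enable = lib.mkEnableOption "Lauti (Eintopf) community event calendar web app";

    settings = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
      description = ''
        Settings to configure the web service, passed to the process as
        environment variables. See
        <https://codeberg.org/Klasse-Methode/lauti/src/branch/main/DEPLOYMENT.md>
        for available options.

        Do not put credentials here: these values are written into the
        generated systemd unit, which lives in the world-readable Nix store.
        Use {option}`services.eintopf.secrets` for those instead.
      '';
      example = lib.literalExpression ''
        {
          EINTOPF_ADDR = ":1234";
          EINTOPF_ADMIN_EMAIL = "admin@example.org";
          EINTOPF_TIMEZONE = "Europe/Berlin";
        }
      '';
    };

    secrets = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      description = ''
        A list of files containing the various secrets. Each file must be in
        the format expected by systemd's `EnvironmentFile` directive
        (`KEY=value` lines). Keep these files outside the Nix store and with
        restrictive permissions (e.g. root-owned, mode 0400), for example as
        provided by a secrets manager.
      '';
      default = [ ];
    };

  };

  config = lib.mkIf cfg.enable {

    systemd.services.eintopf = {
      description = "Community event calendar web app";
      wantedBy = [ "multi-user.target" ];
      # Order after the network is online; the app serves over the network.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      # Non-secret configuration is passed as plain environment variables.
      environment = cfg.settings;
      serviceConfig = {
        ExecStart = lib.getExe pkgs.lauti;
        # StateDirectory= creates /var/lib/eintopf owned by the service user;
        # it is the only writable location left by ProtectSystem=strict below.
        WorkingDirectory = "/var/lib/eintopf";
        StateDirectory = "eintopf";
        # `secrets` is already a list of paths (listOf path), so it is passed
        # through as-is. Wrapping it in another list, as this module used to,
        # hands systemd a nested list instead of one EnvironmentFile= line
        # per file.
        EnvironmentFile = cfg.secrets;

        # hardening: run as a transient user with no capabilities, a read-only
        # view of the system outside the state directory, and a reduced
        # syscall surface.
        AmbientCapabilities = "";
        CapabilityBoundingSet = "";
        DevicePolicy = "closed";
        DynamicUser = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        # Only IPv4/IPv6 sockets are permitted. AF_UNIX is not listed, so the
        # app cannot reach local Unix-domain sockets (e.g. a database socket);
        # add it here if such a backend is configured.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # Allow the usual system-service syscalls but deny the privileged
        # subset.
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        # Files the service creates (e.g. under its state directory) are
        # readable only by its own user.
        UMask = "0077";
      };
    };

  };

  meta.maintainers = [ lib.maintainers.onny ];
}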