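# NixOS module for isso, a self-hosted commenting server.
#
# Declares `services.isso.enable` and a freeform, INI-shaped
# `services.isso.settings`, renders the settings to `isso.conf`, and runs
# isso from a sandboxed systemd unit under a dynamically allocated user.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    types
    literalExpression
    ;

  cfg = config.services.isso;

  settingsFormat = pkgs.formats.ini { };

  # The rendered file is a Nix store path. Store paths are readable by every
  # local user, so nothing secret should reach `cfg.settings`.
  configFile = settingsFormat.generate "isso.conf" cfg.settings;
in
{

  options = {
    services.isso = {
      enable = mkEnableOption ''
        isso, a commenting server similar to Disqus.

        Note: The application's author assumes that isso runs behind a reverse proxy.
        The embedded solution offered by NixOS is also only suitable for small installations
        below 20 requests per second
      '';

      settings = mkOption {
        description = ''
          Configuration for `isso`.

          See [Isso Server Configuration](https://posativ.org/isso/docs/configuration/server/)
          for supported values.

          Warning: these settings are written to `isso.conf` in the
          world-readable Nix store. Any credential set here (for example a
          mail or admin password) is readable by every local user.
        '';

        # Freeform: any section/key accepted by the INI format is allowed;
        # the module itself validates no isso-specific keys.
        type = types.submodule {
          freeformType = settingsFormat.type;
        };

        example = literalExpression ''
          {
            general = {
              host = "http://localhost";
            };
          }
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    # Default database location sits inside the unit's StateDirectory below.
    services.isso.settings.general.dbpath = lib.mkDefault "/var/lib/isso/comments.db";

    systemd.services.isso = {
      description = "isso, a commenting server similar to Disqus";
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        User = "isso";
        Group = "isso";

        # No static account is declared here; systemd allocates the user for
        # the lifetime of the unit. DynamicUser also switches on further
        # sandboxing defaults of its own (see systemd.exec(5)).
        DynamicUser = true;

        # /var/lib/isso, created and owned by systemd for the service user.
        StateDirectory = "isso";

        ExecStart = ''
          ${pkgs.isso}/bin/isso -c ${configFile}
        '';

        Restart = "on-failure";
        RestartSec = 1;

        # Hardening
        # Empty bounding set: the service can never hold any capability.
        CapabilityBoundingSet = [ "" ];
        # Empty allow-list: no device nodes are accessible.
        DeviceAllow = [ "" ];
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        # Only IPv4/IPv6 sockets may be created.
        # NOTE(review): AF_UNIX is not listed, so a `settings` value that makes
        # isso listen on a Unix socket would presumably fail here; confirm
        # before relying on such a setup.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        # Allow the common service syscall set, minus the privileged and
        # resource-control groups.
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
        # Files the service creates (including the comment database) are
        # accessible to the service user only.
        UMask = "0077";
      };
    };
  };
}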