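{
  config,
  lib,
  pkgs,
  ...
}:

# NixOS module for MicroBin (paste bin). The service is run under a systemd
# DynamicUser with a hardened sandbox; everything in `settings` becomes an
# environment variable of the process, secrets come from `passwordFile`.
let
  cfg = config.services.microbin;

  # systemd only creates and chowns directories requested through
  # StateDirectory=, which are always relative to /var/lib. Derive the
  # StateDirectory name from dataDir so that a relocated data directory
  # (still below /var/lib) is created for the dynamic user, instead of the
  # previously hard-coded "microbin" that the service would never use.
  stateRoot = "/var/lib/";
  stateDirName = lib.removePrefix stateRoot (lib.removeSuffix "/" cfg.dataDir);
  dataDirInStateRoot = lib.hasPrefix stateRoot cfg.dataDir && stateDirName != "";

  # Environment values must be strings: booleans render as "true"/"false",
  # integers and strings via toString.
  toEnvValue = v: if lib.isBool v then lib.boolToString v else toString v;
in
{
  options.services.microbin = {
    enable = lib.mkEnableOption "MicroBin is a super tiny, feature rich, configurable paste bin web application";

    package = lib.mkPackageOption pkgs "microbin" { };

    settings = lib.mkOption {
      type = lib.types.submodule {
        freeformType =
          with lib.types;
          attrsOf (oneOf [
            bool
            int
            str
          ]);
      };
      default = { };
      example = {
        MICROBIN_PORT = 8080;
        MICROBIN_HIDE_LOGO = false;
      };
      description = ''
        Additional configuration for MicroBin, see
        <https://microbin.eu/docs/installation-and-configuration/configuration/>
        for supported values.

        Every value ends up as an environment variable of the systemd unit and
        is therefore readable from the unit file in the world-readable Nix
        store. For secrets use the passwordFile option instead.

        Note that this module defaults `MICROBIN_BIND` to `0.0.0.0` (all
        interfaces) and enables no authentication on its own. Bind to a
        loopback address behind a reverse proxy, firewall the port, or
        configure the `MICROBIN_BASIC_AUTH_*` variables through passwordFile
        before exposing the service.
      '';
    };

    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/microbin";
      description = ''
        Data folder for MicroBin.

        The service runs as a systemd DynamicUser, so the directory is only
        created and owned for it when it lies below `/var/lib` (it is then
        managed through `StateDirectory=`). Other locations must be created
        and made writable for the service by other means.
      '';
    };

    passwordFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      example = "/run/secrets/microbin.env";
      description = ''
        Path to a file in systemd `EnvironmentFile=` format (`KEY=value`
        per line) containing environment variables.
        Useful for passing down secrets.

        Pass the path as a string (as in the example), not as a Nix path
        literal: a path literal is copied into the world-readable Nix store.
        The file is read by systemd when the unit starts, so it can be
        owned by root with mode 0400.

        Variables that can be considered secrets are:
        - MICROBIN_BASIC_AUTH_USERNAME
        - MICROBIN_BASIC_AUTH_PASSWORD
        - MICROBIN_ADMIN_USERNAME
        - MICROBIN_ADMIN_PASSWORD
        - MICROBIN_UPLOADER_PASSWORD
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services.microbin.settings = {
      # All interfaces; see the settings option description for how to
      # restrict exposure. Kept as mkDefault so users can override it.
      MICROBIN_BIND = lib.mkDefault "0.0.0.0";
      MICROBIN_DISABLE_TELEMETRY = lib.mkDefault true;
      MICROBIN_LIST_SERVER = lib.mkDefault false;
      MICROBIN_PORT = lib.mkDefault "8080";
    };

    # A dataDir outside /var/lib cannot be provisioned for the DynamicUser
    # by this module; warn rather than fail so an externally prepared
    # directory remains usable.
    warnings = lib.optional (!dataDirInStateRoot) ''
      services.microbin.dataDir is "${cfg.dataDir}", which is not below /var/lib.
      The service runs as a DynamicUser and this module only creates and owns
      data directories managed through StateDirectory= (below /var/lib); make
      sure the directory exists and is writable by the service.
    '';

    systemd.services.microbin = {
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      environment = lib.mapAttrs (_: toEnvValue) cfg.settings;
      serviceConfig =
        {
          ExecStart = "${cfg.package}/bin/microbin";
          WorkingDirectory = cfg.dataDir;
          ReadWritePaths = cfg.dataDir;
          # Secrets are loaded from this file by systemd at start-up, so they
          # never appear in the unit file or the Nix store.
          EnvironmentFile = lib.optional (cfg.passwordFile != null) cfg.passwordFile;

          # --- Sandboxing -------------------------------------------------
          # Unprivileged, transient user; implies NoNewPrivileges, PrivateTmp,
          # ProtectSystem=strict and RemoveIPC.
          DynamicUser = true;
          # Pastes are untrusted uploads; keep files the service creates from
          # being readable by other local users.
          UMask = "0077";
          # The process needs no capabilities (it binds an unprivileged port
          # as a non-root user).
          CapabilityBoundingSet = "";
          RestrictSUIDSGID = true;
          DevicePolicy = "closed";
          PrivateDevices = true;
          PrivateUsers = true;
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          # Only IPv4/IPv6 sockets; no unix/netlink/packet sockets needed.
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          SystemCallArchitectures = [ "native" ];
          SystemCallFilter = [
            "@system-service"
            "~@privileged"
          ];
        }
        # Let systemd create and own the data directory for the dynamic user
        # whenever dataDir lives below /var/lib.
        // lib.optionalAttrs dataDirInStateRoot {
          StateDirectory = stateDirName;
        };
    };
  };

  meta.maintainers = with lib.maintainers; [ surfaceflinger ];
}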