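{
  config,
  pkgs,
  lib,
  ...
}:

# NixOS module for the Readeck web bookmark/read-later service.
# Exposes `services.readeck.{enable,package,environmentFile,settings}` and
# defines a sandboxed `readeck.service` unit.
let
  inherit (lib)
    mkEnableOption
    mkPackageOption
    mkOption
    mkIf
    types
    ;
  cfg = config.services.readeck;
  settingsFormat = pkgs.formats.toml { };
  # The generated TOML ends up in the world-readable Nix store, so nothing in
  # cfg.settings may be secret; secrets go through environmentFile instead.
  configFile = settingsFormat.generate "readeck.toml" cfg.settings;
in
{

  meta.maintainers = [ lib.maintainers.julienmalka ];

  options = {
    services.readeck = {
      enable = mkEnableOption "Readeck";

      package = mkPackageOption pkgs "readeck" { };

      environmentFile = mkOption {
        type = types.nullOr types.path;
        description = ''
          File containing environment variables to be passed to Readeck.
          May be used to provide the Readeck secret key by setting the
          `READECK_SECRET_KEY` variable.

          The file should be created outside the Nix store (for example by a
          secrets manager), be owned by root and not be readable by other
          users. It is read by the systemd service manager when the unit
          starts, so the service's dynamic user needs no access to it.
        '';
        default = null;
      };

      settings = mkOption {
        type = settingsFormat.type;
        default = { };
        example = {
          main.log_level = "debug";
          server.port = 9000;
        };
        description = ''
          Additional configuration for Readeck, see
          <https://readeck.org/en/docs/configuration>
          for supported values.

          The resulting configuration file is placed in the world-readable
          Nix store. Do not put secrets (such as the secret key) here; use
          {option}`services.readeck.environmentFile` for those.
        '';
      };

    };
  };

  config = mkIf cfg.enable {
    systemd.services.readeck = {
      description = "Readeck";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        # /var/lib/readeck is created and owned by systemd and stays writable
        # under ProtectSystem=strict.
        StateDirectory = "readeck";
        WorkingDirectory = "/var/lib/readeck";
        EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
        # Transient unprivileged user; the state directory is the only
        # persistent location it can write to.
        DynamicUser = true;
        ExecStart = "${lib.getExe cfg.package} serve -config ${configFile}";

        # Sandboxing. The daemon terminates untrusted HTTP traffic and fetches
        # arbitrary remote pages, so keep its reach as small as possible.
        ProtectSystem = "strict";
        ProtectHome = true;
        # The service never runs as root, so no capabilities are needed.
        CapabilityBoundingSet = "";
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
          # Kept from the original module; presumably required by the Go
          # network stack for interface/route lookups — confirm before removing.
          "AF_NETLINK"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        DevicePolicy = "closed";
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectKernelLogs = true;
        LockPersonality = true;
        Restart = "on-failure";
      };
    };
  };
}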