nixos/modules/services/web-apps/rimgo.nix at 25.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / web-apps / rimgo.nix
at 25.11-pre 2.7 kB view raw
  1{
  2  config,
  3  lib,
  4  pkgs,
  5  ...
  6}:
  7let
  8  cfg = config.services.rimgo;
  9  inherit (lib)
 10    mkOption
 11    mkEnableOption
 12    mkPackageOption
 13    mkDefault
 14    mkIf
 15    types
 16    literalExpression
 17    optionalString
 18    getExe
 19    mapAttrs
 20    ;
 21in
 22{
 23  options.services.rimgo = {
 24    enable = mkEnableOption "rimgo";
 25    package = mkPackageOption pkgs "rimgo" { };
 26    settings = mkOption {
 27      type = types.submodule {
 28        freeformType = with types; attrsOf str;
 29        options = {
 30          PORT = mkOption {
 31            type = types.port;
 32            default = 3000;
 33            example = 69420;
 34            description = "The port to use.";
 35          };
 36          ADDRESS = mkOption {
 37            type = types.str;
 38            default = "127.0.0.1";
 39            example = "1.1.1.1";
 40            description = "The address to listen on.";
 41          };
 42        };
 43      };
 44      example = literalExpression ''
 45        {
 46          PORT = 69420;
 47          FORCE_WEBP = "1";
 48        }
 49      '';
 50      description = ''
 51        Settings for rimgo, see [the official documentation](https://rimgo.codeberg.page/docs/usage/configuration/) for supported options.
 52      '';
 53    };
 54  };
 55
 56  config = mkIf cfg.enable {
 57    systemd.services.rimgo = {
 58      description = "Rimgo";
 59      wantedBy = [ "multi-user.target" ];
 60      after = [ "network.target" ];
 61      environment = mapAttrs (_: toString) cfg.settings;
 62      serviceConfig = {
 63        ExecStart = getExe cfg.package;
 64        AmbientCapabilities = mkIf (cfg.settings.PORT < 1024) [
 65          "CAP_NET_BIND_SERVICE"
 66        ];
 67        DynamicUser = true;
 68        Restart = "on-failure";
 69        RestartSec = "5s";
 70        CapabilityBoundingSet = [
 71          (optionalString (cfg.settings.PORT < 1024) "CAP_NET_BIND_SERVICE")
 72        ];
 73        DeviceAllow = [ "" ];
 74        LockPersonality = true;
 75        MemoryDenyWriteExecute = true;
 76        PrivateDevices = true;
 77        PrivateUsers = cfg.settings.PORT >= 1024;
 78        ProcSubset = "pid";
 79        ProtectClock = true;
 80        ProtectControlGroups = true;
 81        ProtectHome = true;
 82        ProtectHostname = true;
 83        ProtectKernelLogs = true;
 84        ProtectKernelModules = true;
 85        ProtectKernelTunables = true;
 86        ProtectProc = "invisible";
 87        RestrictAddressFamilies = [
 88          "AF_INET"
 89          "AF_INET6"
 90        ];
 91        RestrictNamespaces = true;
 92        RestrictRealtime = true;
 93        RestrictSUIDSGID = true;
 94        SystemCallArchitectures = "native";
 95        SystemCallFilter = [
 96          "@system-service"
 97          "~@privileged"
 98        ];
 99        UMask = "0077";
100      };
101    };
102  };
103
104  meta = {
105    maintainers = with lib.maintainers; [ quantenzitrone ];
106  };
107}