pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / web-servers / agate.nix
at 25.11-pre 4.1 kB view raw
1{ 2 config, 3 lib, 4 pkgs, 5 ... 6}: 7 8with lib; 9 10let 11 cfg = config.services.agate; 12in 13{ 14 options = { 15 services.agate = { 16 enable = mkEnableOption "Agate Server"; 17 18 package = mkPackageOption pkgs "agate" { }; 19 20 addresses = mkOption { 21 type = types.listOf types.str; 22 default = [ "0.0.0.0:1965" ]; 23 description = '' 24 Addresses to listen on, IP:PORT, if you haven't disabled forwarding 25 only set IPv4. 26 ''; 27 }; 28 29 contentDir = mkOption { 30 default = "/var/lib/agate/content"; 31 type = types.path; 32 description = "Root of the content directory."; 33 }; 34 35 certificatesDir = mkOption { 36 default = "/var/lib/agate/certificates"; 37 type = types.path; 38 description = "Root of the certificate directory."; 39 }; 40 41 hostnames = mkOption { 42 default = [ ]; 43 type = types.listOf types.str; 44 description = '' 45 Domain name of this Gemini server, enables checking hostname and port 46 in requests. (multiple occurrences means basic vhosts) 47 ''; 48 }; 49 50 language = mkOption { 51 default = null; 52 type = types.nullOr types.str; 53 description = "RFC 4646 Language code for text/gemini documents."; 54 }; 55 56 onlyTls_1_3 = mkOption { 57 default = false; 58 type = types.bool; 59 description = "Only use TLSv1.3 (default also allows TLSv1.2)."; 60 }; 61 62 extraArgs = mkOption { 63 type = types.listOf types.str; 64 default = [ "" ]; 65 example = [ "--log-ip" ]; 66 description = "Extra arguments to use running agate."; 67 }; 68 }; 69 }; 70 71 config = mkIf cfg.enable { 72 # available for generating certs by hand 73 # it can be a bit arduous with openssl 74 environment.systemPackages = [ cfg.package ]; 75 76 systemd.services.agate = { 77 description = "Agate"; 78 wantedBy = [ "multi-user.target" ]; 79 wants = [ "network-online.target" ]; 80 after = [ 81 "network.target" 82 "network-online.target" 83 ]; 84 85 script = 86 let 87 prefixKeyList = 88 key: list: 89 concatMap (v: [ 90 key 91 v 92 ]) list; 93 addresses = prefixKeyList "--addr" cfg.addresses; 94 hostnames = prefixKeyList "--hostname" cfg.hostnames; 95 in 96 '' 97 exec ${cfg.package}/bin/agate ${ 98 escapeShellArgs ( 99 [ 100 "--content" 101 "${cfg.contentDir}" 102 "--certs" 103 "${cfg.certificatesDir}" 104 ] 105 ++ addresses 106 ++ (optionals (cfg.hostnames != [ ]) hostnames) 107 ++ (optionals (cfg.language != null) [ 108 "--lang" 109 cfg.language 110 ]) 111 ++ (optionals cfg.onlyTls_1_3 [ "--only-tls13" ]) 112 ++ (optionals (cfg.extraArgs != [ ]) cfg.extraArgs) 113 ) 114 } 115 ''; 116 117 serviceConfig = { 118 Restart = "always"; 119 RestartSec = "5s"; 120 DynamicUser = true; 121 StateDirectory = "agate"; 122 123 # Security options: 124 AmbientCapabilities = ""; 125 CapabilityBoundingSet = ""; 126 127 # ProtectClock= adds DeviceAllow=char-rtc r 128 DeviceAllow = ""; 129 130 LockPersonality = true; 131 132 PrivateTmp = true; 133 PrivateDevices = true; 134 PrivateUsers = true; 135 136 ProtectClock = true; 137 ProtectControlGroups = true; 138 ProtectHostname = true; 139 ProtectKernelLogs = true; 140 ProtectKernelModules = true; 141 ProtectKernelTunables = true; 142 143 RestrictNamespaces = true; 144 RestrictAddressFamilies = [ 145 "AF_INET" 146 "AF_INET6" 147 ]; 148 RestrictRealtime = true; 149 150 SystemCallArchitectures = "native"; 151 SystemCallErrorNumber = "EPERM"; 152 SystemCallFilter = [ 153 "@system-service" 154 "~@cpu-emulation" 155 "~@debug" 156 "~@keyring" 157 "~@memlock" 158 "~@obsolete" 159 "~@privileged" 160 "~@setuid" 161 ]; 162 }; 163 }; 164 }; 165}