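# NixOS module for NZBHydra2 (Usenet meta search).
#
# Declares the `services.nzbhydra2.*` options and, when enabled, wires up a
# dedicated system user and group, the data directory, a sandboxed systemd
# service and (optionally) a firewall rule for the web interface.
{
  config,
  pkgs,
  lib,
  ...
}:
let
  # Shorthand for this module's option values.
  cfg = config.services.nzbhydra2;
in
{
  options = {
    services.nzbhydra2 = {
      enable = lib.mkEnableOption "NZBHydra2, Usenet meta search";

      dataDir = lib.mkOption {
        type = lib.types.str;
        default = "/var/lib/nzbhydra2";
        description = "The directory where NZBHydra2 stores its data files.";
      };

      openFirewall = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Open ports in the firewall for the NZBHydra2 web interface.";
      };

      package = lib.mkPackageOption pkgs "nzbhydra2" { };
    };
  };

  config = lib.mkIf cfg.enable {
    # Create the data directory owned by the service user and readable by
    # nobody else. tmpfiles quoting follows shell rules, so the single quotes
    # cover paths with spaces but not paths containing a single quote.
    systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0700 nzbhydra2 nzbhydra2 - -" ];

    systemd.services.nzbhydra2 = {
      description = "NZBHydra2";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        User = "nzbhydra2";
        Group = "nzbhydra2";
        # escapeShellArg keeps the command line valid (and the argument
        # boundary intact) for data directories containing spaces or quotes.
        ExecStart = "${cfg.package}/bin/nzbhydra2 --nobrowser --datafolder ${lib.escapeShellArg cfg.dataDir}";
        Restart = "on-failure";
        # Files the service creates (settings, database, downloaded NZBs)
        # are private to its own user; the directory itself is already 0700.
        UMask = "0077";

        # Hardening
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        DevicePolicy = "closed";
        ProtectSystem = "strict";
        # The only writable location under ProtectSystem=strict.
        ReadWritePaths = cfg.dataDir;
        ProtectHome = "read-only";
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectKernelLogs = true;
        ProtectClock = true;
        ProtectHostname = true;
        # Hide other users' processes from the service's view of /proc.
        ProtectProc = "invisible";
        # The service runs unprivileged and needs no capabilities at all.
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        # Block non-native syscall ABIs (e.g. 32-bit on x86_64).
        SystemCallArchitectures = "native";
        # NOTE(review): MemoryDenyWriteExecute is intentionally not set here;
        # the nzbhydra2 binary is expected to need a JIT-capable runtime.
        # Confirm against the package before tightening further.
      };
    };

    # 5076 is NZBHydra2's default web interface port. The port can be changed
    # in NZBHydra2's own settings, in which case this rule does not follow it.
    networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ 5076 ]; };

    # Dedicated unprivileged account the service runs as.
    users.users.nzbhydra2 = {
      group = "nzbhydra2";
      isSystemUser = true;
    };

    users.groups.nzbhydra2 = { };
  };
}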