{
  config,
  pkgs,
  lib,
  ...
}:

let
  inherit (lib)
    mkEnableOption
    mkPackageOption
    mkOption
    mkIf
    types
    getExe
    maintainers
    ;

  cfg = config.services.overseerr;

  # The systemd-managed state directory (relative to /var/lib) and the
  # absolute path handed to the application through CONFIG_DIRECTORY.
  stateDirName = "overseerr";
  stateDirPath = "/var/lib/${stateDirName}";
in
{
  meta.maintainers = [ maintainers.jf-uu ];

  # NixOS module for Overseerr: one systemd service plus an optional
  # firewall rule for its web UI port.
  options.services.overseerr = {
    enable = mkEnableOption "Overseerr, a request management and media discovery tool for the Plex ecosystem";

    package = mkPackageOption pkgs "overseerr" { };

    port = mkOption {
      type = types.port;
      default = 5055;
      description = "The port which the Overseerr web UI should listen on.";
    };

    # Off by default: enabling this publishes the web UI port through the
    # host firewall, so it should only be set when that exposure is intended.
    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = "Open a port in the firewall for the Overseerr web interface.";
    };
  };

  config = mkIf cfg.enable {
    # Firewall rule is gated separately from the service itself.
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.port ];
    };

    systemd.services.overseerr = {
      description = "Request management and media discovery tool for the Plex ecosystem";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      environment = {
        CONFIG_DIRECTORY = stateDirPath;
        PORT = builtins.toString cfg.port;
      };

      serviceConfig = {
        Type = "exec";
        ExecStart = getExe cfg.package;
        Restart = "on-failure";

        # Identity and state: an ephemeral unprivileged user owning a private
        # state directory that only it can read.
        DynamicUser = true;
        StateDirectory = stateDirName;
        StateDirectoryMode = "0700";

        # Privilege reduction: empty capability set, no privilege escalation
        # via setuid/setgid or file capabilities.
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;

        # Filesystem view: read-only system, no home directories, private
        # /tmp, /dev and mount namespace.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateMounts = true;

        # Kernel surface: hide other processes, block access to kernel
        # tunables, modules, logs, clock, cgroups and the hostname.
        ProtectProc = "invisible";
        ProcSubset = "pid";
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;

        # Isolation: separate user, IPC and namespace scopes; IPC objects are
        # removed when the unit stops.
        PrivateUsers = true;
        PrivateIPC = true;
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;

        # Network: only IPv4, IPv6 and Unix sockets are permitted.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];

        # Syscall filtering: the generic service allow-list minus privileged
        # and resource-control groups, native ABI only; filtered calls return
        # EPERM instead of terminating the process.
        SystemCallArchitectures = "native";
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
      };
    };
  };
}