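{
  config,
  lib,
  pkgs,
  utils,
  ...
}:

# NixOS module for yarr ("Yet another rss reader").
#
# The service runs under a DynamicUser with a locked-down systemd sandbox,
# keeps its database in the private state directory and receives the
# optional `username:password` file through systemd's credential mechanism,
# so the secret never has to be readable by the service user on disk.
let
  inherit (lib)
    types
    mkIf
    mkOption
    mkEnableOption
    mkPackageOption
    optionals
    ;

  cfg = config.services.yarr;

  # Name under which the auth file is handed to the unit via LoadCredential;
  # systemd materialises it at /run/credentials/<unit>/<name>.
  authCredentialName = "authfile";
  authCredentialPath = "/run/credentials/yarr.service/${authCredentialName}";
in
{
  meta.maintainers = with lib.maintainers; [ christoph-heiss ];

  options.services.yarr = {
    enable = mkEnableOption "Yet another rss reader";

    package = mkPackageOption pkgs "yarr" { };

    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Environment file for specifying additional settings such as secrets.

        Give this as a string path to a file outside the Nix store
        (e.g. `"/run/secrets/yarr.env"`). A Nix path literal such as
        `./yarr.env` is copied into the world-readable store and would
        expose any secret it contains.

        See `yarr -help` for all available options.
      '';
    };

    address = mkOption {
      type = types.str;
      default = "localhost";
      description = ''
        Address to run server on.

        The default only listens on the loopback interface. This module
        does not configure TLS or any firewall rule; if you bind to a
        non-loopback address, front the service with a reverse proxy that
        terminates TLS, or restrict who can reach the port.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 7070;
      description = "Port to run server on.";
    };

    baseUrl = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Base path of the service url, passed to `yarr -base`.";
    };

    authFilePath = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to a file containing `username:password`.

        The file is passed to the unit with systemd's `LoadCredential`, so
        it can stay owned by root with restrictive permissions; the service
        only sees a private copy under `/run/credentials/`. As with
        {option}`services.yarr.environmentFile`, use a string path outside
        the Nix store rather than a path literal.

        `null` means no authentication required to use the service.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.yarr = {
      description = "Yet another rss reader";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      environment.XDG_CONFIG_HOME = "/var/lib/yarr/.config";

      serviceConfig = {
        Type = "simple";
        Restart = "on-failure";

        # All persistent state (the sqlite database) lives here, readable
        # only by the dynamic service user.
        StateDirectory = "yarr";
        StateDirectoryMode = "0700";
        WorkingDirectory = "/var/lib/yarr";
        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;

        LoadCredential = mkIf (cfg.authFilePath != null) "${authCredentialName}:${cfg.authFilePath}";

        # Sandboxing. The service needs nothing beyond an unprivileged
        # network client/listener and its state directory.
        DynamicUser = true;
        CapabilityBoundingSet = "";
        DevicePolicy = "closed";
        LockPersonality = "yes";
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictAddressFamilies = "AF_INET AF_INET6";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        UMask = "0077";

        # Arguments are escaped for systemd's own ExecStart quoting rules so
        # that an address or base URL containing spaces or quotes cannot
        # split or inject extra arguments.
        ExecStart = utils.escapeSystemdExecArgs (
          [
            (lib.getExe cfg.package)
            "-db"
            "storage.db"
            "-addr"
            "${cfg.address}:${toString cfg.port}"
          ]
          ++ optionals (cfg.baseUrl != null) [
            "-base"
            cfg.baseUrl
          ]
          ++ optionals (cfg.authFilePath != null) [
            "-auth-file"
            authCredentialPath
          ]
        );
      };
    };
  };
}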