{
  config,
  lib,
  pkgs,
  utils,
  ...
}:

# NixOS module for the Flood torrent web UI.
#
# The service is run as a transient, unprivileged DynamicUser with a single
# writable location (/var/lib/flood) and a fairly tight systemd sandbox; the
# hardening directives below are grouped by what they restrict.

let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    types
    ;

  floodCfg = config.services.flood;

  # Argument vector handed to the daemon. The option-derived arguments come
  # first; whatever the user puts in `extraArgs` is appended after them.
  # `escapeSystemdExecArgs` quotes each element, so option values containing
  # whitespace are passed as single arguments.
  floodArgs = [
    (lib.getExe floodCfg.package)
    "--host"
    floodCfg.host
    "--port"
    (toString floodCfg.port)
    "--rundir=/var/lib/flood"
  ] ++ floodCfg.extraArgs;
in
{
  meta.maintainers = [ lib.maintainers.thiagokokada ];

  options.services.flood.enable = mkEnableOption "flood";

  options.services.flood.package = mkPackageOption pkgs "flood" { };

  # Opens `port` in the host firewall. Note that with the default
  # `host = "localhost"` the listener is bound to loopback only, so opening
  # the firewall alone does not expose the UI; `host` must also be changed.
  # No TLS-related arguments are passed to flood here, so whatever it serves
  # is plain HTTP from this module's point of view — prefer fronting it with
  # a TLS-terminating reverse proxy over opening the port directly (confirm
  # against the upstream docs before exposing it).
  options.services.flood.openFirewall = (mkEnableOption "") // {
    description = "Whether to open the firewall for the port in {option}`services.flood.port`.";
  };

  options.services.flood.port = mkOption {
    type = types.port;
    description = "Port to bind webserver.";
    default = 3000;
    example = 3001;
  };

  # Bind address for the web server. Loopback by default; "::" (example)
  # binds every interface.
  options.services.flood.host = mkOption {
    type = types.str;
    description = "Host to bind webserver.";
    default = "localhost";
    example = "::";
  };

  options.services.flood.extraArgs = mkOption {
    type = types.listOf types.str;
    description = "Extra arguments passed to `flood`.";
    default = [ ];
    example = [ "--baseuri=/" ];
  };

  config = mkIf floodCfg.enable {
    systemd.services.flood = {
      description = "A modern web UI for various torrent clients.";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      unitConfig.Documentation = "https://github.com/jesec/flood/wiki";

      serviceConfig = {
        ExecStart = utils.escapeSystemdExecArgs floodArgs;
        Restart = "on-failure";
        RestartSec = "3s";

        # --- identity and privilege ---------------------------------------
        # Transient unprivileged user; StateDirectory gives it a persistent,
        # writable /var/lib/flood (the `--rundir` passed above).
        # NOTE(review): StateDirectory uses systemd's default mode, so the
        # directory is world-readable. If flood keeps credentials or session
        # secrets under its rundir, `StateDirectoryMode = "0700"` plus
        # `UMask = "0077"` would be worth adding — confirm what it writes.
        DynamicUser = true;
        StateDirectory = "flood";
        # Empty bounding set: no capabilities at all, and none can be gained.
        CapabilityBoundingSet = [ "" ];
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;

        # --- filesystem view -----------------------------------------------
        # "strict" mounts the whole tree read-only except the directories
        # systemd manages for the unit (StateDirectory above).
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        # Other processes' /proc entries are hidden from the service.
        ProtectProc = "invisible";

        # --- kernel interfaces ----------------------------------------------
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;

        # --- networking -----------------------------------------------------
        # Only local (UNIX) and IPv4/IPv6 sockets; netlink, packet sockets
        # and the like are unavailable.
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ];

        # --- syscalls -------------------------------------------------------
        # Native ABI only, the usual system-service set plus memory protection
        # keys (@pkey — presumably needed by the JS runtime; confirm), with the
        # privileged group explicitly removed. MemoryDenyWriteExecute is not
        # set; a JIT-based runtime generally cannot run under it, so confirm
        # before adding it.
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "@pkey"
          "~@privileged"
        ];
      };
    };

    networking.firewall.allowedTCPPorts = mkIf floodCfg.openFirewall [ floodCfg.port ];
  };
}