{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mkOption mkIf types;

  cfg = config.services.go-httpbin;

  # Render one settings value as the string go-httpbin reads from the
  # environment. Booleans must go through boolToString: plain `toString`
  # renders `true` as "1" and `false` as the empty string.
  toEnvValue = value: if lib.isBool value then lib.boolToString value else toString value;
in

{
  meta.maintainers = [ lib.maintainers.defelo ];

  options.services.go-httpbin = {
    enable = lib.mkEnableOption "go-httpbin";

    package = lib.mkPackageOption pkgs "go-httpbin" { };

    settings = mkOption {
      description = ''
        Configuration of go-httpbin.
        See <https://github.com/mccutchen/go-httpbin#configuration> for a list of options.
      '';
      example = {
        HOST = "0.0.0.0";
        PORT = 8080;
      };

      # Every key ends up verbatim as an environment variable of the service,
      # which is why the freeform type admits only scalar values.
      type = types.submodule {
        freeformType = types.attrsOf (
          types.oneOf [
            types.str
            types.int
            types.bool
          ]
        );

        options = {
          HOST = mkOption {
            type = types.str;
            description = "The host to listen on.";
            # Loopback only unless the user opts into a wider bind address.
            default = "127.0.0.1";
            example = "0.0.0.0";
          };

          # No default: the systemd bind filter in `config` reads this value,
          # so enabling the service without setting PORT fails at evaluation.
          PORT = mkOption {
            type = types.port;
            description = "The port to listen on.";
            example = 8080;
          };
        };
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.go-httpbin = {
      wantedBy = [ "multi-user.target" ];

      # go-httpbin is configured entirely through environment variables.
      environment = lib.mapAttrs (_: toEnvValue) cfg.settings;

      serviceConfig = {
        # DynamicUser allocates a transient account at start; User/Group only
        # fix the name it is given.
        User = "go-httpbin";
        Group = "go-httpbin";
        DynamicUser = true;

        ExecStart = lib.getExe cfg.package;

        # hardening
        AmbientCapabilities = "";
        CapabilityBoundingSet = [ "" ];
        DevicePolicy = "closed";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        # Only IPv4/IPv6 sockets are permitted ...
        RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        # ... and the only bind the service may perform is the configured TCP
        # port; any other bind attempt is rejected.
        SocketBindAllow = "tcp:${toString cfg.settings.PORT}";
        SocketBindDeny = "any";
        SystemCallArchitectures = "native";
        # The generic service set, minus privileged and resource-control calls.
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
        # Files the service creates are readable by its own user only.
        UMask = "0077";
      };
    };
  };
}