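# NixOS module for the nostr-rs-relay service: declares the
# services.nostr-rs-relay.* options, renders the relay's config.toml from
# `settings` plus the `dataDir`/`port` options, and runs the binary as a
# hardened, DynamicUser systemd service.
{
  config,
  pkgs,
  lib,
  ...
}:
let
  cfg = config.services.nostr-rs-relay;
  settingsFormat = pkgs.formats.toml { };

  # The rendered config.toml is a Nix store path and therefore world-readable
  # on the host; anything placed in `settings` is visible to every local user,
  # so secrets must not go through this option.
  #
  # `lib.recursiveUpdate` is used instead of `//` so that user-supplied keys
  # under `database` and `network` (for example `settings.network.address`)
  # are kept: a shallow `//` replaced those whole attribute sets with only the
  # `data_directory` / `port` entries generated here.  The module-managed
  # values still win over anything set for the same keys in `settings`.
  configFile = settingsFormat.generate "config.toml" (
    lib.recursiveUpdate cfg.settings {
      database = {
        data_directory = cfg.dataDir;
      };
      network = {
        port = cfg.port;
      };
    }
  );
in
{
  options.services.nostr-rs-relay = {
    enable = lib.mkEnableOption "nostr-rs-relay";

    package = lib.mkPackageOption pkgs "nostr-rs-relay" { };

    port = lib.mkOption {
      default = 12849;
      type = lib.types.port;
      description = "Listen on this port.";
    };

    dataDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/nostr-rs-relay";
      description = "Directory for SQLite files.";
    };

    settings = lib.mkOption {
      inherit (settingsFormat) type;
      default = { };
      description = "See <https://git.sr.ht/~gheartsfield/nostr-rs-relay/#configuration> for documentation.";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.nostr-rs-relay = {
      description = "nostr-rs-relay";
      wants = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/nostr-rs-relay --config ${configFile}";
        # Transient UID/GID allocated by systemd; no static service user exists.
        DynamicUser = true;
        Restart = "on-failure";
        Type = "simple";

        # With ProtectSystem=strict (below) the filesystem is read-only except
        # for this list and the systemd-managed directories.  StateDirectory
        # creates and owns only the default /var/lib/nostr-rs-relay; a
        # non-default dataDir becomes writable here but its ownership is not
        # managed by this unit, so it must be prepared out of band.
        ReadWritePaths = [ cfg.dataDir ];

        RuntimeDirectory = "nostr-rs-relay";
        StateDirectory = "nostr-rs-relay";

        # Filesystem / namespace isolation.
        PrivateTmp = true;
        PrivateUsers = true;
        PrivateDevices = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        NoNewPrivileges = true;
        MemoryDenyWriteExecute = true;
        # Kernel-interface restrictions.
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectClock = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        ProtectControlGroups = true;
        LockPersonality = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        RestrictRealtime = true;
        ProtectHostname = true;
        # No capabilities at all: the relay binds an unprivileged port and
        # needs none.  Syscalls are limited to the @system-service group on
        # the native ABI only.
        CapabilityBoundingSet = "";
        SystemCallFilter = [
          "@system-service"
        ];
        SystemCallArchitectures = "native";
      };
    };
  };

  meta.maintainers = with lib.maintainers; [
    felixzieger
    jb55
  ];
}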