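{
  config,
  pkgs,
  lib,
  ...
}:

let
  inherit (lib)
    mkEnableOption
    mkPackageOption
    mkOption
    mkIf
    types
    ;
  cfg = config.services.readeck;
  settingsFormat = pkgs.formats.toml { };
  # The generated TOML file is a Nix store path and therefore readable by every
  # local user: nothing secret may end up in `cfg.settings`.  Secrets go through
  # `cfg.environmentFile`, which is read by systemd at service start instead.
  configFile = settingsFormat.generate "readeck.toml" cfg.settings;
in
{

  meta.maintainers = [ lib.maintainers.julienmalka ];

  options = {
    services.readeck = {
      enable = mkEnableOption "Readeck";

      package = mkPackageOption pkgs "readeck" { };

      environmentFile = mkOption {
        type = types.nullOr types.path;
        description = ''
          File containing environment variables to be passed to Readeck.
          May be used to provide the Readeck secret key by setting the READECK_SECRET_KEY variable.

          Unlike {option}`services.readeck.settings`, this file is not copied
          into the world-readable Nix store, so it is the place for secrets.
        '';
        default = null;
      };

      settings = mkOption {
        type = settingsFormat.type;
        default = { };
        example = {
          main.log_level = "debug";
          server.port = 9000;
        };
        description = ''
          Additional configuration for Readeck, see
          <https://readeck.org/en/docs/configuration>
          for supported values.

          The resulting configuration file is written to the Nix store and is
          readable by all users of the system; do not put secrets here, use
          {option}`services.readeck.environmentFile` instead.
        '';
      };

    };
  };

  config = mkIf cfg.enable {
    systemd.services.readeck = {
      description = "Readeck";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        StateDirectory = "readeck";
        WorkingDirectory = "/var/lib/readeck";
        # `lib.optional` yields [] when unset, so EnvironmentFile is simply omitted.
        EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
        DynamicUser = true;
        ExecStart = "${lib.getExe cfg.package} serve -config ${configFile}";
        # Files the service creates under its state directory (database,
        # bookmark archives) must not be readable by other local users.
        UMask = "0077";
        Restart = "on-failure";

        # Sandboxing.  The service runs as a dynamic, unprivileged user and
        # only needs its state directory plus outbound network access, so the
        # rest of the system is hidden or made read-only.
        ProtectSystem = "full";
        ProtectHome = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" ];
        CapabilityBoundingSet = "";
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
        PrivateTmp = true;
        PrivateDevices = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
          "AF_NETLINK"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        DevicePolicy = "closed";
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        ProtectControlGroups = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        LockPersonality = true;
      };
    };
  };
}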