···
8
+
cfg = config.services.temporal;
10
+
settingsFormat = pkgs.formats.yaml { };
12
+
usingDefaultDataDir = cfg.dataDir == "/var/lib/temporal";
13
+
usingDefaultUserAndGroup = cfg.user == "temporal" && cfg.group == "temporal";
16
+
meta.maintainers = [ lib.maintainers.jpds ];
18
+
options.services.temporal = {
19
+
enable = lib.mkEnableOption "Temporal";
21
+
package = lib.mkPackageOption pkgs "Temporal" {
22
+
default = [ "temporal" ];
25
+
settings = lib.mkOption {
26
+
type = lib.types.submodule {
27
+
freeformType = settingsFormat.type;
31
+
Temporal configuration.
33
+
See <https://docs.temporal.io/references/configuration> for more
34
+
information about Temporal configuration options
38
+
dataDir = lib.mkOption {
39
+
type = lib.types.path;
40
+
default = "/var/lib/temporal";
41
+
apply = lib.converge (lib.removeSuffix "/");
43
+
Data directory for Temporal. If you change this, you need to
44
+
manually create the directory. You also need to create the
45
+
`temporal` user and group, or change
46
+
[](#opt-services.temporal.user) and
47
+
[](#opt-services.temporal.group) to existing ones with
48
+
access to the directory.
52
+
user = lib.mkOption {
53
+
type = lib.types.str;
54
+
default = "temporal";
56
+
The user Temporal runs as. Should be left at default unless
57
+
you have very specific needs.
61
+
group = lib.mkOption {
62
+
type = lib.types.str;
63
+
default = "temporal";
65
+
The group temporal runs as. Should be left at default unless
66
+
you have very specific needs.
70
+
restartIfChanged = lib.mkOption {
71
+
type = lib.types.bool;
73
+
Automatically restart the service on config change.
74
+
This can be set to false to defer restarts on a server or cluster.
75
+
Please consider the security implications of inadvertently running an older version,
76
+
and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.
82
+
config = lib.mkIf cfg.enable {
83
+
environment.etc."temporal/temporal-server.yaml".source =
84
+
settingsFormat.generate "temporal-server.yaml" cfg.settings;
86
+
systemd.services.temporal = {
87
+
description = "Temporal server";
88
+
wantedBy = [ "multi-user.target" ];
89
+
after = [ "network.target" ];
90
+
inherit (cfg) restartIfChanged;
91
+
restartTriggers = [ config.environment.etc."temporal/temporal-server.yaml".source ];
97
+
${cfg.package}/bin/temporal-server --root / --config /etc/temporal/ -e temporal-server start
101
+
Restart = "on-failure";
102
+
DynamicUser = usingDefaultUserAndGroup && usingDefaultDataDir;
103
+
CapabilityBoundingSet = [ "" ];
104
+
DevicePolicy = "closed";
105
+
LockPersonality = true;
106
+
MemoryDenyWriteExecute = true;
107
+
NoNewPrivileges = true;
108
+
PrivateDevices = true;
109
+
ProcSubset = "pid";
110
+
ProtectClock = true;
111
+
ProtectHome = true;
112
+
ProtectHostname = true;
113
+
ProtectControlGroups = true;
114
+
ProtectKernelLogs = true;
115
+
ProtectKernelModules = true;
116
+
ProtectKernelTunables = true;
117
+
ProtectProc = "invisible";
118
+
ProtectSystem = "strict";
122
+
RestrictAddressFamilies = [
127
+
RestrictNamespaces = true;
128
+
RestrictRealtime = true;
129
+
RestrictSUIDSGID = true;
130
+
SystemCallArchitectures = "native";
131
+
SystemCallFilter = [
132
+
# 1. allow a reasonable set of syscalls
133
+
"@system-service @resources"
134
+
# 2. and deny unreasonable ones
136
+
# 3. then allow the required subset within denied groups
140
+
// (lib.optionalAttrs (usingDefaultDataDir) {
141
+
StateDirectory = "temporal";
142
+
StateDirectoryMode = "0700";
pyrox.dev