21
+
cfg = config.services.snips-sh;
24
+
meta.maintainers = with lib.maintainers; [
29
+
options.services.snips-sh = {
30
+
enable = mkEnableOption "snips.sh";
32
+
package = mkPackageOption pkgs "snips-sh" {
33
+
example = "pkgs.snips-sh.override {withTensorflow = true;}";
36
+
stateDir = mkOption {
38
+
default = "/var/lib/snips-sh";
39
+
description = "The state directory of the service.";
42
+
settings = mkOption {
43
+
type = types.submodule {
44
+
freeformType = types.attrsOf (
55
+
SNIPS_HTTP_INTERNAL = mkOption {
57
+
description = "The internal HTTP address of the service";
60
+
SNIPS_SSH_INTERNAL = mkOption {
62
+
description = "The internal SSH address of the service";
69
+
SNIPS_HTTP_INTERNAL = "http://0.0.0.0:8080";
70
+
SNIPS_SSH_INTERNAL = "ssh://0.0.0.0:2222";
74
+
The configuration of snips-sh is done through environment variables,
75
+
therefore you must use upper snake case (e.g. {env}`SNIPS_HTTP_INTERNAL`).
77
+
Based on the attributes passed to this config option an environment file will be generated
78
+
that is passed to snips-sh's systemd service.
80
+
The available configuration options can be found in
81
+
[self-hosting guide](https://github.com/robherley/snips.sh/blob/main/docs/self-hosting.md#configuration) to
82
+
find about the environment variables you can use.
86
+
environmentFile = mkOption {
87
+
type = with types; nullOr path;
89
+
example = "/etc/snips-sh.env";
91
+
Additional environment file as defined in {manpage}`systemd.exec(5)`.
93
+
Sensitive secrets such as {env}`SNIPS_SSH_HOSTKEYPATH` and {env}`SNIPS_METRICS_STATSD`
94
+
may be passed to the service while avoiding potentially making them world-readable in the nix store or
95
+
to convert an existing non-nix installation with minimum hassle.
97
+
Note that this file needs to be available on the host on which
98
+
`snips-sh` is running.
103
+
config = mkIf cfg.enable {
105
+
tmpfiles.settings."10-snips-sh" = {
106
+
"${cfg.stateDir}/data".D = {
111
+
services.snips-sh = {
112
+
wants = [ "network-online.target" ];
113
+
after = [ "network-online.target" ];
114
+
wantedBy = [ "multi-user.target" ];
116
+
environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
119
+
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
120
+
ExecStart = getExe cfg.package;
121
+
LimitNOFILE = "1048576";
122
+
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
123
+
WorkingDirectory = cfg.stateDir;
124
+
RuntimeDirectory = "snips-sh";
125
+
StateDirectory = "snips-sh";
126
+
StateDirectoryMode = "0700";
127
+
Restart = "always";
130
+
DynamicUser = true;
131
+
NoNewPrivileges = true;
132
+
ProtectSystem = "strict";
133
+
ProtectHome = true;
134
+
ProtectHostname = true;
135
+
ProtectClock = true;
136
+
ProtectKernelLogs = true;
137
+
ProtectKernelModules = true;
138
+
ProtectKernelTunables = true;
139
+
ProtectControlGroups = true;
141
+
PrivateDevices = true;
142
+
PrivateUsers = true;
143
+
RestrictAddressFamilies = [
148
+
RestrictNamespaces = true;
149
+
RestrictSUIDSGID = true;
150
+
SystemCallFilter = "@system-service";
151
+
LockPersonality = true;
152
+
MemoryDenyWriteExecute = true;
153
+
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";