···

       
217
       
217
       
 
       


     

       
218
       
218
       
 
       
- [GoDNS](https://github.com/TimothyYe/godns), a dynamic DNS client written in Go, which supports multiple DNS providers. Available as [services.godns](option.html#opt-services.godns.enable).

     

       
219
       
219
       
 
       


     

       
220
       
220
       
+
       
- [CookCLI](https://cooklang.org/cli/) Server, a web UI for cooklang recipes.

     

       
221
       
221
       
+
       


     

       
220
       
222
       
 
       
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

     

       
221
       
223
       
 
       


     

       
222
       
224
       
 
       
## Backward Incompatibilities {#sec-release-25.05-incompatibilities}

     

···

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  config,

     

       
3
       
3
       
+
       
  pkgs,

     

       
4
       
4
       
+
       
  lib,

     

       
5
       
5
       
+
       
  ...

     

       
6
       
6
       
+
       
}:

     

       
7
       
7
       
+
       


     

       
8
       
8
       
+
       
let

     

       
9
       
9
       
+
       
  cfg = config.services.cook-cli;

     

       
10
       
10
       
+
       
  inherit (lib)

     

       
11
       
11
       
+
       
    mkIf

     

       
12
       
12
       
+
       
    mkEnableOption

     

       
13
       
13
       
+
       
    mkPackageOption

     

       
14
       
14
       
+
       
    mkOption

     

       
15
       
15
       
+
       
    getExe

     

       
16
       
16
       
+
       
    types

     

       
17
       
17
       
+
       
    ;

     

       
18
       
18
       
+
       
in

     

       
19
       
19
       
+
       
{

     

       
20
       
20
       
+
       
  options = {

     

       
21
       
21
       
+
       
    services.cook-cli = {

     

       
22
       
22
       
+
       
      enable = lib.mkEnableOption "cook-cli";

     

       
23
       
23
       
+
       


     

       
24
       
24
       
+
       
      package = lib.mkPackageOption pkgs "cook-cli" { };

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
      autoStart = lib.mkOption {

     

       
27
       
27
       
+
       
        type = lib.types.bool;

     

       
28
       
28
       
+
       
        default = true;

     

       
29
       
29
       
+
       
        description = ''

     

       
30
       
30
       
+
       
          Whether to start cook-cli server automatically.

     

       
31
       
31
       
+
       
        '';

     

       
32
       
32
       
+
       
      };

     

       
33
       
33
       
+
       


     

       
34
       
34
       
+
       
      port = lib.mkOption {

     

       
35
       
35
       
+
       
        type = lib.types.port;

     

       
36
       
36
       
+
       
        default = 9080;

     

       
37
       
37
       
+
       
        description = ''

     

       
38
       
38
       
+
       
          Which port cook-cli server will use.

     

       
39
       
39
       
+
       
        '';

     

       
40
       
40
       
+
       
      };

     

       
41
       
41
       
+
       


     

       
42
       
42
       
+
       
      basePath = lib.mkOption {

     

       
43
       
43
       
+
       
        type = lib.types.str;

     

       
44
       
44
       
+
       
        default = "/var/lib/cook-cli";

     

       
45
       
45
       
+
       
        description = ''

     

       
46
       
46
       
+
       
          Path to the directory cook-cli will look for recipes.

     

       
47
       
47
       
+
       
        '';

     

       
48
       
48
       
+
       
      };

     

       
49
       
49
       
+
       


     

       
50
       
50
       
+
       
      openFirewall = lib.mkOption {

     

       
51
       
51
       
+
       
        type = lib.types.bool;

     

       
52
       
52
       
+
       
        default = false;

     

       
53
       
53
       
+
       
        description = ''

     

       
54
       
54
       
+
       
          Whether to open the cook-cli server port in the firewall.

     

       
55
       
55
       
+
       
        '';

     

       
56
       
56
       
+
       
      };

     

       
57
       
57
       
+
       
    };

     

       
58
       
58
       
+
       
  };

     

       
59
       
59
       
+
       


     

       
60
       
60
       
+
       
  config = lib.mkIf cfg.enable {

     

       
61
       
61
       
+
       
    environment.systemPackages = [ cfg.package ];

     

       
62
       
62
       
+
       


     

       
63
       
63
       
+
       
    systemd.tmpfiles.rules = [

     

       
64
       
64
       
+
       
      "d ${cfg.basePath} 0770 cook-cli users"

     

       
65
       
65
       
+
       
    ];

     

       
66
       
66
       
+
       


     

       
67
       
67
       
+
       
    users.users.cook-cli = {

     

       
68
       
68
       
+
       
      home = "${cfg.basePath}";

     

       
69
       
69
       
+
       
      group = "cook-cli";

     

       
70
       
70
       
+
       
      isSystemUser = true;

     

       
71
       
71
       
+
       
    };

     

       
72
       
72
       
+
       
    users.groups.cook-cli.members = [

     

       
73
       
73
       
+
       
      "cook-cli"

     

       
74
       
74
       
+
       
    ];

     

       
75
       
75
       
+
       


     

       
76
       
76
       
+
       
    systemd.services.cook-cli = {

     

       
77
       
77
       
+
       
      description = "cook-cli server";

     

       
78
       
78
       
+
       
      serviceConfig = {

     

       
79
       
79
       
+
       
        ExecStart = "${getExe cfg.package} server --host --port ${toString cfg.port} ${cfg.basePath}";

     

       
80
       
80
       
+
       
        WorkingDirectory = cfg.basePath;

     

       
81
       
81
       
+
       
        User = "cook-cli";

     

       
82
       
82
       
+
       
        Group = "cook-cli";

     

       
83
       
83
       
+
       
        # Hardening options

     

       
84
       
84
       
+
       
        CapabilityBoundingSet = [ "CAP_SYS_NICE" ];

     

       
85
       
85
       
+
       
        AmbientCapabilities = [ "CAP_SYS_NICE" ];

     

       
86
       
86
       
+
       
        LockPersonality = true;

     

       
87
       
87
       
+
       
        NoNewPrivileges = true;

     

       
88
       
88
       
+
       
        PrivateTmp = true;

     

       
89
       
89
       
+
       
        ProtectControlGroups = true;

     

       
90
       
90
       
+
       
        ProtectKernelLogs = true;

     

       
91
       
91
       
+
       
        ProtectKernelModules = true;

     

       
92
       
92
       
+
       
        ProtectKernelTunables = true;

     

       
93
       
93
       
+
       
        ProtectSystem = "strict";

     

       
94
       
94
       
+
       
        ReadWritePaths = cfg.basePath;

     

       
95
       
95
       
+
       
        RestrictNamespaces = true;

     

       
96
       
96
       
+
       
        RestrictSUIDSGID = true;

     

       
97
       
97
       
+
       
        Restart = "on-failure";

     

       
98
       
98
       
+
       
        RestartSec = 5;

     

       
99
       
99
       
+
       
      };

     

       
100
       
100
       
+
       
      wantedBy = mkIf cfg.autoStart [ "multi-user.target" ];

     

       
101
       
101
       
+
       
      wants = [ "network.target" ];

     

       
102
       
102
       
+
       
    };

     

       
103
       
103
       
+
       


     

       
104
       
104
       
+
       
    networking.firewall = lib.mkIf cfg.openFirewall {

     

       
105
       
105
       
+
       
      allowedTCPPorts = [ cfg.port ];

     

       
106
       
106
       
+
       
    };

     

       
107
       
107
       
+
       
  };

     

       
108
       
108
       
+
       


     

       
109
       
109
       
+
       
  meta.maintainers = [

     

       
110
       
110
       
+
       
    lib.maintainers.luNeder

     

       
111
       
111
       
+
       
    lib.maintainers.emilioziniades

     

       
112
       
112
       
+
       
  ];

     

       
113
       
113
       
+
       
}