author | Guillaume Girol <symphorien@users.noreply.github.com> | 2024-03-16 17:34:45 +0100 |
committer | GitHub <noreply@github.com> | 2024-03-16 17:34:45 +0100 |
commit | 119099506c8e6eeaf21db47651a6ef3d7f3b5850 (patch) | |
tree | be373d47c92a2c0024a5766c82aec538c141f5e4 /nixos | |
parent | 07d0a01e9c07fbb01f5889e5dae4f4e914e40cec (diff) | |
parent | 636584b3ff55e7d2e6e80fef43e5e4644c1d09ef (diff) |
Merge pull request #292477 from nu-nu-ko/nixos-komga-hardening
nixos/komga: add service hardening and misc format changes.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-apps/komga.nix | 145 |
1 files changed, 84 insertions, 61 deletions
diff --git a/nixos/modules/services/web-apps/komga.nix b/nixos/modules/services/web-apps/komga.nix index 31f475fc7b048..d7ab2a9e612ef 100644 --- a/nixos/modules/services/web-apps/komga.nix +++ b/nixos/modules/services/web-apps/komga.nix 
@@ -1,99 +1,122 @@ -{ config, pkgs, lib, ... }: - -with lib; +{ + config, + pkgs, + lib, + ... +}: let cfg = config.services.komga; - -in { + inherit (lib) mkOption mkEnableOption maintainers; + inherit (lib.types) port str bool; +in +{ options = { services.komga = { - enable = mkEnableOption (lib.mdDoc "Komga, a free and open source comics/mangas media server"); + enable = mkEnableOption "Komga, a free and open source comics/mangas media server"; port = mkOption { - type = types.port; + type = port; default = 8080; - description = lib.mdDoc '' - The port that Komga will listen on. - ''; + description = "The port that Komga will listen on."; }; user = mkOption { - type = types.str; + type = str; default = "komga"; - description = lib.mdDoc '' - User account under which Komga runs. - ''; + description = "User account under which Komga runs."; }; group = mkOption { - type = types.str; + type = str; default = "komga"; - description = lib.mdDoc '' - Group under which Komga runs. - ''; + description = "Group under which Komga runs."; }; stateDir = mkOption { - type = types.str; + type = str; default = "/var/lib/komga"; - description = lib.mdDoc '' - State and configuration directory Komga will use. - ''; + description = "State and configuration directory Komga will use."; }; openFirewall = mkOption { - type = types.bool; + type = bool; default = false; - description = lib.mdDoc '' - Whether to open the firewall for the port in {option}`services.komga.port`. 
- ''; + description = "Whether to open the firewall for the port in {option}`services.komga.port`."; }; }; }; - config = mkIf cfg.enable { - - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + config = + let + inherit (lib) mkIf getExe; + in + mkIf cfg.enable { - users.groups = mkIf (cfg.group == "komga") { - komga = {}; - }; + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; - users.users = mkIf (cfg.user == "komga") { - komga = { - group = cfg.group; - home = cfg.stateDir; - description = "Komga Daemon user"; - isSystemUser = true; - }; - }; + users.groups = mkIf (cfg.group == "komga") { komga = { }; }; - systemd.services.komga = { - environment = { - SERVER_PORT = builtins.toString cfg.port; - KOMGA_CONFIGDIR = cfg.stateDir; + users.users = mkIf (cfg.user == "komga") { + komga = { + group = cfg.group; + home = cfg.stateDir; + description = "Komga Daemon user"; + isSystemUser = true; + }; }; - description = "Komga is a free and open source comics/mangas media server"; - - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - - serviceConfig = { - User = cfg.user; - Group = cfg.group; - - Type = "simple"; - Restart = "on-failure"; - ExecStart = "${pkgs.komga}/bin/komga"; - - StateDirectory = mkIf (cfg.stateDir == "/var/lib/komga") "komga"; + systemd.services.komga = { + environment = { + SERVER_PORT = builtins.toString cfg.port; + KOMGA_CONFIGDIR = cfg.stateDir; + }; + + description = "Komga is a free and open source comics/mangas media server"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + + Type = "simple"; + Restart = "on-failure"; + ExecStart = getExe pkgs.komga; + + StateDirectory = mkIf (cfg.stateDir == "/var/lib/komga") "komga"; + + RemoveIPC = true; + NoNewPrivileges = true; + CapabilityBoundingSet = ""; + 
SystemCallFilter = [ "@system-service" ]; + ProtectSystem = "full"; + PrivateTmp = true; + ProtectProc = "invisible"; + ProtectClock = true; + ProcSubset = "pid"; + PrivateUsers = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + LockPersonality = true; + RestrictNamespaces = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + SystemCallArchitectures = "native"; + RestrictSUIDSGID = true; + RestrictRealtime = true; + }; }; - }; - }; meta.maintainers = with maintainers; [ govanify ]; } |
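Review bot: The new hardening block in `serviceConfig` sets `ProtectSystem = "full"` and a long list of Protect*/Restrict* directives but omits `ProtectHome`, so `/home`, `/root` and `/run/user` remain reachable by the service even though nothing in the module indicates Komga needs them; adding `ProtectHome = true;` next to `ProtectSystem` closes that gap at no cost. `"full"` also leaves `/var` and most of the rest of the filesystem writable; since the module already sets `StateDirectory` for the default `stateDir` (and systemd makes that path writable automatically), `ProtectSystem = "strict"; ReadWritePaths = [ cfg.stateDir ];` would likely be the stronger choice, though this should be confirmed against where the application actually writes. The `AF_NETLINK` entry in `RestrictAddressFamilies` and the bare `@system-service` filter are presumably there for the JVM's interface enumeration; a short comment on those lines explaining why they are needed would help future maintainers avoid tightening them blindly. Note that when `cfg.stateDir` is customised, none of the new directives create or chown the directory, so the existing requirement that it be pre-provisioned is unchanged by this commit.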