blob: 54c4bf1b09ca594b9553068918ee269377aab7cf (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
{ lib, pkgs, config, ... }:
let
inherit (lib) mkEnableOption mkPackageOption mkOption types;
cfg = config.services.c2fmzq-server;
argsFormat = {
type = with lib.types; attrsOf (nullOr (oneOf [ bool int str ]));
generate = lib.cli.toGNUCommandLineShell { };
};
in {
options.services.c2fmzq-server = {
enable = mkEnableOption "c2fmzq-server";
bindIP = mkOption {
type = types.str;
default = "127.0.0.1";
description = "The local address to use.";
};
port = mkOption {
type = types.port;
default = 8080;
description = "The local port to use.";
};
passphraseFile = mkOption {
type = types.str;
example = "/run/secrets/c2fmzq/pwfile";
description = "Path to file containing the database passphrase";
};
package = mkPackageOption pkgs "c2fmzq" { };
settings = mkOption {
type = types.submodule {
freeformType = argsFormat.type;
options = {
address = mkOption {
internal = true;
type = types.str;
default = "${cfg.bindIP}:${toString cfg.port}";
};
database = mkOption {
type = types.str;
default = "%S/c2fmzq-server/data";
description = "Path of the database";
};
verbose = mkOption {
type = types.ints.between 1 3;
default = 2;
description = "The level of logging verbosity: 1:Error 2:Info 3:Debug";
};
};
};
description = ''
Configuration for c2FmZQ-server passed as CLI arguments.
Run {command}`c2FmZQ-server help` for supported values.
'';
example = {
verbose = 3;
allow-new-accounts = true;
auto-approve-new-accounts = true;
encrypt-metadata = true;
enable-webapp = true;
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.c2fmzq-server = {
description = "c2FmZQ-server";
documentation = [ "https://github.com/c2FmZQ/c2FmZQ/blob/main/README.md" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "network-online.target" ];
serviceConfig = {
ExecStart = "${lib.getExe cfg.package} ${argsFormat.generate cfg.settings}";
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DynamicUser = true;
Environment = "C2FMZQ_PASSPHRASE_FILE=%d/passphrase-file";
IPAccounting = true;
IPAddressAllow = cfg.bindIP;
IPAddressDeny = "any";
LoadCredential = "passphrase-file:${cfg.passphraseFile}";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateIPC = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SocketBindAllow = cfg.port;
SocketBindDeny = "any";
StateDirectory = "c2fmzq-server";
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ];
};
};
};
meta = {
doc = ./c2fmzq-server.md;
maintainers = with lib.maintainers; [ hmenke ];
};
}
|
