From aec8006f606b68a9d2b50da21f3d9e9353d03295 Mon Sep 17 00:00:00 2001
From: Profpatsch
Date: Sat, 2 May 2020 15:28:25 +0200
Subject: modules: add services/drawpile

Headless server for the drawpile shared drawing application.
---
 modules/module-list.nix | 1 +
 modules/services/drawpile.nix | 71 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 modules/services/drawpile.nix

diff --git a/modules/module-list.nix b/modules/module-list.nix
index d5de7026..d30041f9 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -9,6 +9,7 @@
 ./hardware/thinkpad.nix
 ./programs/gnupg
 ./programs/fish/fasd.nix
+ ./services/drawpile.nix
 ./services/postfix
 ./services/starbound.nix
 ./services/guix.nix
diff --git a/modules/services/drawpile.nix b/modules/services/drawpile.nix
new file mode 100644
index 00000000..55a5ba69
--- /dev/null
+++ b/modules/services/drawpile.nix
@@ -0,0 +1,71 @@
+{ pkgs, lib, config, ... }:
+
+let
+ cfg = config.vuizvui.services.drawpile;
+
+ port = 27750;
+ adminPort = 9876;
+ stateDir = "/var/lib/drawpile";
+
+in {
+
+ options = {
+
+ vuizvui.services.drawpile = {
+ enable = lib.mkEnableOption "drawpile dedicated server";
+
+ configFile = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ The ini configuration file of the server.
+ See https://drawpile.net/help/server/
+ '';
+ };
+
+ };
+ };
+
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.drawpile = {
+ description = "drawpile headless server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "1s";
+ KillSignal = "SIGINT";
+ DynamicUser = true;
+ StateDirectory = "drawpile";
+ UMask = "0007";
+ ExecStart = toString [
+ "${pkgs.drawpile-server-headless}/bin/drawpile-srv"
+ "--config" (pkgs.writeText "drawpile-server.ini" cfg.configFile)
+ # implicit from StateDirectory
+ "--sessions" "/var/lib/drawpile"
+ "--port" (toString port)
+ "--web-admin-port" (toString adminPort)
+ ];
+
+ # Sandboxing
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ MemoryDenyWriteExecute = true;
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ port ];
+
+ };
+
+}
-- cgit 1.4.1
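Review bot: `"--config" (pkgs.writeText "drawpile-server.ini" cfg.configFile)` writes the whole ini into the Nix store, which is world-readable, so any secret an operator puts into `configFile` — for example the credentials that the unconditionally enabled `--web-admin-port` API would typically be protected with — becomes readable by every local user and by anything with store access. The `configFile` option description should state this, e.g. `Do not put secrets in here: the file is copied into the world-readable /nix/store.`, or the module should take a `lib.types.path` that the service reads from outside the store at runtime. Separately, `networking.firewall.allowedUDPPorts = [ port ];` opens UDP 27750 while, as far as I know, drawpile-srv accepts clients over TCP on that port, so this rule most likely does not expose the server at all and should be `allowedTCPPorts`; please confirm against the server documentation before changing it. Finally `stateDir` is bound but never used while `"--sessions" "/var/lib/drawpile"` repeats its value, so `"--sessions" stateDir` would keep the two from drifting apart.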