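# NixOS module for Prosody Filer, an XMPP upload file server.
#
# Declares `services.prosody-filer.{enable,settings}`, renders `settings` to a
# TOML file, creates a dedicated system user and group, and runs the daemon as
# a sandboxed systemd unit.
{ config, lib, pkgs, ... }:

let

  cfg = config.services.prosody-filer;

  settingsFormat = pkgs.formats.toml { };
  # The rendered file is a Nix store path. Everything in `cfg.settings`,
  # including `secret`, is therefore readable by every local user.
  configFile = settingsFormat.generate "prosody-filer.toml" cfg.settings;
in {

  options = {
    services.prosody-filer = {
      enable = lib.mkEnableOption (lib.mdDoc "Prosody Filer XMPP upload file server");

      settings = lib.mkOption {
        description = lib.mdDoc ''
          Configuration for Prosody Filer.
          Refer to <https://github.com/ThomasLeister/prosody-filer#configure-prosody-filer> for details on supported values.

          Note that these settings, including `secret`, are written to a
          configuration file in the world-readable Nix store.
        '';

        type = settingsFormat.type;

        example = {
          secret = "mysecret";
          storeDir = "/srv/http/nginx/prosody-upload";
        };

        # No `default` is declared on the option; the values shown here are
        # the mkDefault definitions applied in `config` below.
        defaultText = lib.literalExpression ''
          {
            listenport = mkDefault "127.0.0.1:5050";
            uploadSubDir = mkDefault "upload/";
          }
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Loopback-only listener by default; users can override either value.
    services.prosody-filer.settings = {
      listenport = lib.mkDefault "127.0.0.1:5050";
      uploadSubDir = lib.mkDefault "upload/";
    };

    # Dedicated unprivileged account for the daemon.
    users.users.prosody-filer = {
      group = "prosody-filer";
      isSystemUser = true;
    };

    users.groups.prosody-filer = { };

    systemd.services.prosody-filer = {
      description = "Prosody file upload server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        User = "prosody-filer";
        Group = "prosody-filer";
        ExecStart = "${pkgs.prosody-filer}/bin/prosody-filer -config ${configFile}";
        Restart = "on-failure";

        # Sandboxing. The unit sets no ProtectSystem or ReadWritePaths, so
        # write access to `storeDir` is governed by ordinary file permissions
        # for the prosody-filer user. ProtectHome = true means a `storeDir`
        # under /home, /root or /run/user is not reachable.
        CapabilityBoundingSet = ""; # empty bounding set: no capabilities
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateMounts = true;
        ProtectHome = true;
        ProtectClock = true;
        ProtectProc = "noaccess";
        ProcSubset = "pid";
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        RemoveIPC = true;
        # Only IPv4/IPv6 sockets may be created (AF_UNIX is not listed).
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        # Allow the @system-service set, then deny the @privileged group.
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };
  };
}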