Merge pull request #251996 from surfaceflinger/microbin

microbin: add service

authored by Thiago Kenji Okada and committed by GitHub 24a1589e 383389d0

+96
+2
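--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -97,6 +97,8 @@
 
 - [ferretdb](https://www.ferretdb.io/), an open-source proxy, converting the MongoDB 6.0+ wire protocol queries to PostgreSQL or SQLite. Available as [services.ferretdb](options.html#opt-services.ferretdb.enable).
 
+- [MicroBin](https://microbin.eu/), a feature rich, performant and secure text and file sharing web application, a "paste bin". Available as [services.microbin](#opt-services.microbin.enable).
+
 - [NNCP](http://www.nncpgo.org/). Added nncp-daemon and nncp-caller services. Configuration is set with [programs.nncp.settings](#opt-programs.nncp.settings) and the daemons are enabled at [services.nncp](#opt-services.nncp.caller.enable).
 
 - [tuxedo-rs](https://github.com/AaronErhardt/tuxedo-rs), Rust utilities for interacting with hardware from TUXEDO Computers.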
+1
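--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1267,6 +1267,7 @@
 ./services/web-apps/mattermost.nix
 ./services/web-apps/mediawiki.nix
 ./services/web-apps/meme-bingo-web.nix
+./services/web-apps/microbin.nix
 ./services/web-apps/miniflux.nix
 ./services/web-apps/monica.nix
 ./services/web-apps/moodle.nix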
+93
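--- a/nixos/modules/services/web-apps/microbin.nix
+++ b/nixos/modules/services/web-apps/microbin.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.microbin;
+in
+{
+  options.services.microbin = {
+    enable = lib.mkEnableOption (lib.mdDoc "MicroBin is a super tiny, feature rich, configurable paste bin web application");
+
+    package = lib.mkPackageOption pkgs "microbin" { };
+
+    settings = lib.mkOption {
+      type = lib.types.submodule { freeformType = with lib.types; attrsOf (oneOf [ bool int str ]); };
+      default = { };
+      example = {
+        MICROBIN_PORT = 8080;
+        MICROBIN_HIDE_LOGO = false;
+      };
+      description = lib.mdDoc ''
+        Additional configuration for MicroBin, see
+        <https://microbin.eu/docs/installation-and-configuration/configuration/>
+        for supported values.
+
+        For secrets use passwordFile option instead.
+      '';
+    };
+
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/microbin";
+      description = lib.mdDoc "Default data folder for MicroBin.";
+    };
+
+    passwordFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      example = "/run/secrets/microbin.env";
+      description = lib.mdDoc ''
+        Path to file containing environment variables.
+        Useful for passing down secrets.
+        Variables that can be considered secrets are:
+        - MICROBIN_BASIC_AUTH_USERNAME
+        - MICROBIN_BASIC_AUTH_PASSWORD
+        - MICROBIN_ADMIN_USERNAME
+        - MICROBIN_ADMIN_PASSWORD
+        - MICROBIN_UPLOADER_PASSWORD
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.microbin.settings = with lib; {
+      MICROBIN_BIND = mkDefault "0.0.0.0";
+      MICROBIN_DISABLE_TELEMETRY = mkDefault true;
+      MICROBIN_LIST_SERVER = mkDefault false;
+      MICROBIN_PORT = mkDefault "8080";
+    };
+
+    systemd.services.microbin = {
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment = lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings;
+      serviceConfig = {
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        DevicePolicy = "closed";
+        DynamicUser = true;
+        EnvironmentFile = lib.optional (cfg.passwordFile != null) cfg.passwordFile;
+        ExecStart = "${cfg.package}/bin/microbin";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ReadWritePaths = cfg.dataDir;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        StateDirectory = "microbin";
+        SystemCallArchitectures = [ "native" ];
+        SystemCallFilter = [ "@system-service" ];
+        WorkingDirectory = cfg.dataDir;
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ surfaceflinger ];
+}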
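Review bot: `dataDir` is user-configurable but the directory is only provisioned for its default value: `StateDirectory = "microbin"` always creates and chowns /var/lib/microbin for the dynamic user, while `ReadWritePaths` and `WorkingDirectory` follow `cfg.dataDir`, so a non-default dataDir is neither created nor owned by the service user and the unit will most likely fail to start or to persist pastes. Either pin the option to what the state directory provides (`dataDir = lib.mkOption { type = lib.types.str; default = "/var/lib/microbin"; readOnly = true; ... }`) or add an assertion that `cfg.dataDir` is the path `StateDirectory` provisions. Separately, `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]` only limits the bounding set; with `DynamicUser = true` the process is unprivileged and still cannot bind ports below 1024 unless `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` is also set, so either add that line or drop the entry to keep the sandbox minimal. Finally, `MICROBIN_BIND` defaults to `0.0.0.0` with no authentication configured by default, so a one-line caveat in the `settings` description that the listener is exposed on every interface (subject to the NixOS firewall) and that basic auth can be supplied through `passwordFile` would help operators decide before enabling the service.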