
Merge pull request #215222 from dotlambda/nixos-imaginary-init

nixos/imaginary: init

authored by

Robert Schütz and committed by
GitHub
7b60fce8 dbbaedf6

+131 -2
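--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -32,6 +32,8 @@
 
 - [stevenblack-blocklist](https://github.com/StevenBlack/hosts), A unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable).
 
+- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable).
+
 - [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in golang with many filters. Available as [services.goeland](#opt-services.goeland.enable).
 
 - [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable).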
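--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -860,6 +860,7 @@
 ./services/networking/i2pd.nix
 ./services/networking/icecream/daemon.nix
 ./services/networking/icecream/scheduler.nix
+./services/networking/imaginary.nix
 ./services/networking/inspircd.nix
 ./services/networking/iodine.nix
 ./services/networking/iperf3.nix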
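--- /dev/null
+++ b/nixos/modules/services/networking/imaginary.nix
@@ -0,0 +1,110 @@
+{ lib, config, pkgs, utils, ... }:
+
+let
+inherit (lib) mdDoc mkEnableOption mkIf mkOption types;
+
+cfg = config.services.imaginary;
+in {
+options.services.imaginary = {
+enable = mkEnableOption (mdDoc "imaginary image processing microservice");
+
+address = mkOption {
+type = types.str;
+default = "";
+description = mdDoc "Bind address. Corresponds to the `-a` flag.";
+example = "localhost";
+};
+
+port = mkOption {
+type = types.port;
+default = 8088;
+description = mdDoc "Bind port. Corresponds to the `-p` flag.";
+};
+
+settings = mkOption {
+description = mdDoc ''
+Command line arguments passed to the imaginary executable, stripped of
+the prefix `-`. See upstream's
+[README](https://github.com/h2non/imaginary#command-line-usage) for all
+options.
+'';
+type = types.submodule {
+freeformType = with types; attrsOf (oneOf [
+bool
+int
+(nonEmptyListOf str)
+str
+]);
+
+options = {
+return-size = mkOption {
+type = types.bool;
+default = false;
+description = mdDoc "Return the image size in the HTTP headers.";
+};
+};
+};
+};
+};
+
+config = mkIf cfg.enable {
+assertions = [ {
+assertion = ! lib.hasAttr "a" cfg.settings;
+message = "Use services.imaginary.address to specify the -a flag.";
+} {
+assertion = ! lib.hasAttr "p" cfg.settings;
+message = "Use services.imaginary.port to specify the -p flag.";
+} ];
+
+systemd.services.imaginary = {
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = rec {
+ExecStart = let
+args = lib.mapAttrsToList (key: val:
+"-" + key + "=" + lib.concatStringsSep "," (map toString (lib.toList val))
+) (cfg.settings // { a = cfg.address; p = cfg.port; });
+in "${pkgs.imaginary}/bin/imaginary ${utils.escapeSystemdExecArgs args}";
+ProtectProc = "invisible";
+BindReadOnlyPaths = lib.optional (cfg.settings ? mount) cfg.settings.mount;
+CapabilityBoundingSet = if cfg.port < 1024 then
+[ "CAP_NET_BIND_SERVICE" ]
+else
+[ "" ];
+AmbientCapabilities = CapabilityBoundingSet;
+NoNewPrivileges = true;
+DynamicUser = true;
+ProtectSystem = "strict";
+ProtectHome = true;
+TemporaryFileSystem = [ "/:ro" ];
+PrivateTmp = true;
+PrivateDevices = true;
+PrivateUsers = cfg.port >= 1024;
+ProtectHostname = true;
+ProtectClock = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+ProtectControlGroups = true;
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+];
+RestrictNamespaces = true;
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+RestrictRealtime = true;
+PrivateMounts = true;
+SystemCallFilter = [
+"@system-service"
+"~@privileged"
+];
+DevicePolicy = "closed";
+};
+};
+};
+
+meta = {
+maintainers = with lib.maintainers; [ dotlambda ];
+};
+}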
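Review bot: The `args` builder inside `ExecStart` renders booleans with `toString`, and in Nix `toString false` is the empty string (`toString true` is `1`), so the `return-size` option at its default of `false` produces `-return-size=`; as far as I can tell Go's flag package rejects an empty value for a boolean flag, which would make a default-configured service fail at start, and the same applies to any boolean a user puts in `settings`. Rendering booleans explicitly avoids this: `map (v: if lib.isBool v then lib.boolToString v else toString v) (lib.toList val)`. Separately, `address` defaults to `""`, which lets imaginary listen on every interface while the unit configures no authentication; either default it to `localhost` (as the example already suggests) or say in the option description that the listener is unauthenticated and should be firewalled or protected with upstream's API-key option.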
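--- a/pkgs/servers/imaginary/default.nix
+++ b/pkgs/servers/imaginary/default.nix
@@ -1,4 +1,10 @@
-{ lib, buildGoModule, fetchFromGitHub, pkg-config, vips }:
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, fetchpatch
+, pkg-config
+, vips
+}:
 
 buildGoModule rec {
 pname = "imaginary";
@@ -11,6 +17,16 @@
 hash = "sha256-oEkFoZMaNNJPMisqpIneeLK/sA23gaTWJ4nqtDHkrwA=";
 };
 
+patches = [
+# add -return-size flag recommend by Nextcloud
+# https://github.com/h2non/imaginary/pull/382
+(fetchpatch {
+name = "return-width-and-height-of-generated-images.patch";
+url = "https://github.com/h2non/imaginary/commit/cfbf8d724cd326e835dfcb01e7224397c46037d3.patch";
+hash = "sha256-TwZ5WU5g9LXrenpfY52jYsc6KsEt2fjDq7cPz6ILlhA=";
+})
+];
+
 vendorHash = "sha256-BluY6Fz4yAKJ/A9aFuPPsgQN9N/5yd8g8rDfIZeYz5U=";
 
 buildInputs = [ vips ];
@@ -28,6 +44,6 @@
 changelog = "https://github.com/h2non/${pname}/releases/tag/v${version}";
 description = "Fast, simple, scalable, Docker-ready HTTP microservice for high-level image processing";
 license = licenses.mit;
-maintainers = with maintainers; [ urandom ];
+maintainers = with maintainers; [ dotlambda urandom ];
 };
 }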
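Review bot: The `patches` entry fetches a commit that, judging by the linked URL, comes from an upstream pull request rather than a release; the sha256 pins the content, but if that branch is ever rewritten the fetch fails and the package stops building, so the comment should record that the patch is pending upstream and be revisited once it lands, e.g. `# pending upstream, drop once https://github.com/h2non/imaginary/pull/382 is in a release`. The comment text also reads `recommend by Nextcloud`; `recommended by Nextcloud`.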