nixos/meme-bingo-web: init service

authored by

Anna Aurora and committed by
Anderson Torres
8a1734ec 82a2a96f

+94
+1
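--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1250,6 +1250,7 @@
 ./services/web-apps/matomo.nix
 ./services/web-apps/mattermost.nix
 ./services/web-apps/mediawiki.nix
+./services/web-apps/meme-bingo-web.nix
 ./services/web-apps/miniflux.nix
 ./services/web-apps/monica.nix
 ./services/web-apps/moodle.nix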
+93
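--- /dev/null
+++ b/nixos/modules/services/web-apps/meme-bingo-web.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkEnableOption mkIf mkOption mdDoc types literalExpression;
+
+  cfg = config.services.meme-bingo-web;
+in {
+  options = {
+    services.meme-bingo-web = {
+      enable = mkEnableOption (mdDoc ''
+        A web app for the meme bingo, rendered entirely on the web server and made interactive with forms.
+
+        Note: The application's author suppose to run meme-bingo-web behind a reverse proxy for SSL and HTTP/3.
+      '');
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.meme-bingo-web;
+        defaultText = literalExpression "pkgs.meme-bingo-web";
+        description = mdDoc "meme-bingo-web package to use.";
+      };
+
+      baseUrl = mkOption {
+        description = mdDoc ''
+          URL to be used for the HTML <base> element on all HTML routes.
+        '';
+        type = types.str;
+        default = "http://localhost:41678/";
+        example = "https://bingo.example.com/";
+      };
+      port = mkOption {
+        description = mdDoc ''
+          Port to be used for the web server.
+        '';
+        type = types.port;
+        default = 41678;
+        example = 21035;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.meme-bingo-web = {
+      description = "A web app for playing meme bingos.";
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+        MEME_BINGO_BASE = cfg.baseUrl;
+        MEME_BINGO_PORT = toString cfg.port;
+      };
+      path = [ cfg.package ];
+
+      serviceConfig = {
+        User = "meme-bingo-web";
+        Group = "meme-bingo-web";
+
+        DynamicUser = true;
+
+        ExecStart = "${cfg.package}/bin/meme-bingo-web";
+
+        Restart = "always";
+        RestartSec = 1;
+
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "/dev/random" ];
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectSystem = "strict";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+        UMask = "0077";
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        NoNewPrivileges = true;
+        MemoryDenyWriteExecute = true;
+      };
+    };
+  };
+}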
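Review bot: The `baseUrl` default on new line 28 hard-codes port 41678 independently of the `port` option on line 36, so a user who sets only `services.meme-bingo-web.port` ends up with every page's `<base>` pointing at a port the server no longer listens on; derive it instead, `default = "http://localhost:${toString cfg.port}/";` with a matching `defaultText = literalExpression "\"http://localhost:\${toString config.services.meme-bingo-web.port}/\"";`. Because the value is passed verbatim via `MEME_BINGO_BASE` (line 48) and emitted into HTML, an `assertions` entry such as `{ assertion = lib.hasSuffix "/" cfg.baseUrl; message = "services.meme-bingo-web.baseUrl must end with a slash"; }` would reject the relative-URL resolution mistake that the trailing slash in the `example` on line 29 quietly depends on. Separately, `DeviceAllow = [ "/dev/random" ]` on line 66 looks redundant next to `PrivateDevices = true` on line 68, which already implies `DevicePolicy=closed` and with it access to the standard pseudo-devices including /dev/random and /dev/urandom, and I believe an entry without an access mode defaults to `rwm`; dropping it keeps the hardening block to settings that actually narrow something. The `MemoryDenyWriteExecute = true` on line 89 is only safe if the packaged binary does not rely on a JIT, which this module cannot tell us — worth a one-line comment stating that assumption.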