+2

nixos/doc/manual/release-notes/rl-2311.section.md

··· 125 125 126 126 - [Rosenpass](https://rosenpass.eu/), a service for post-quantum-secure VPNs with WireGuard. Available as [services.rosenpass](#opt-services.rosenpass.enable). 127 127 128 128 + - [c2FmZQ](https://github.com/c2FmZQ/c2FmZQ/), an application that can securely encrypt, store, and share files, including but not limited to pictures and videos. Available as [services.c2fmzq-server](#opt-services.c2fmzq-server.enable). 129 129 + 128 130 ## Backward Incompatibilities {#sec-release-23.11-incompatibilities} 129 131 130 132 - `network-online.target` has been fixed to no longer time out for systems with `networking.useDHCP = true` and `networking.useNetworkd = true`.

+1

nixos/modules/module-list.nix

··· 1232 1232 ./services/web-apps/atlassian/jira.nix 1233 1233 ./services/web-apps/audiobookshelf.nix 1234 1234 ./services/web-apps/bookstack.nix 1235 1235 + ./services/web-apps/c2fmzq-server.nix 1235 1236 ./services/web-apps/calibre-web.nix 1236 1237 ./services/web-apps/coder.nix 1237 1238 ./services/web-apps/changedetection-io.nix

+42

nixos/modules/services/web-apps/c2fmzq-server.md

··· 1 1 + # c2FmZQ {#module-services-c2fmzq} 2 2 + 3 3 + c2FmZQ is an application that can securely encrypt, store, and share files, 4 4 + including but not limited to pictures and videos. 5 5 + 6 6 + The service `c2fmzq-server` can be enabled by setting 7 7 + ``` 8 8 + { 9 9 + services.c2fmzq-server.enable = true; 10 10 + } 11 11 + ``` 12 12 + This will spin up an instance of the server which is API-compatible with 13 13 + [Stingle Photos](https://stingle.org) and an experimental Progressive Web App 14 14 + (PWA) to interact with the storage via the browser. 15 15 + 16 16 + In principle the server can be exposed directly on a public interface and there 17 17 + are command line options to manage HTTPS certificates directly, but the module 18 18 + is designed to be served behind a reverse proxy or only accessed via localhost. 19 19 + 20 20 + ``` 21 21 + { 22 22 + services.c2fmzq-server = { 23 23 + enable = true; 24 24 + bindIP = "127.0.0.1"; # default 25 25 + port = 8080; # default 26 26 + }; 27 27 + 28 28 + services.nginx = { 29 29 + enable = true; 30 30 + recommendedProxySettings = true; 31 31 + virtualHosts."example.com" = { 32 32 + enableACME = true; 33 33 + forceSSL = true; 34 34 + locations."/" = { 35 35 + proxyPass = "http://127.0.0.1:8080"; 36 36 + }; 37 37 + }; 38 38 + }; 39 39 + } 40 40 + ``` 41 41 + 42 42 + For more information, see <https://github.com/c2FmZQ/c2FmZQ/>.

+125

nixos/modules/services/web-apps/c2fmzq-server.nix

··· 1 1 + { lib, pkgs, config, ... }: 2 2 + 3 3 + let 4 4 + inherit (lib) mkEnableOption mkPackageOption mkOption types; 5 5 + 6 6 + cfg = config.services.c2fmzq-server; 7 7 + 8 8 + argsFormat = { 9 9 + type = with lib.types; nullOr (oneOf [ bool int str ]); 10 10 + generate = lib.cli.toGNUCommandLineShell { }; 11 11 + }; 12 12 + in { 13 13 + options.services.c2fmzq-server = { 14 14 + enable = mkEnableOption "c2fmzq-server"; 15 15 + 16 16 + bindIP = mkOption { 17 17 + type = types.str; 18 18 + default = "127.0.0.1"; 19 19 + description = "The local address to use."; 20 20 + }; 21 21 + 22 22 + port = mkOption { 23 23 + type = types.port; 24 24 + default = 8080; 25 25 + description = "The local port to use."; 26 26 + }; 27 27 + 28 28 + passphraseFile = mkOption { 29 29 + type = types.str; 30 30 + example = "/run/secrets/c2fmzq/pwfile"; 31 31 + description = "Path to file containing the database passphrase"; 32 32 + }; 33 33 + 34 34 + package = mkPackageOption pkgs "c2fmzq" { }; 35 35 + 36 36 + settings = mkOption { 37 37 + type = types.submodule { 38 38 + freeformType = argsFormat.type; 39 39 + 40 40 + options = { 41 41 + address = mkOption { 42 42 + internal = true; 43 43 + type = types.str; 44 44 + default = "${cfg.bindIP}:${toString cfg.port}"; 45 45 + }; 46 46 + 47 47 + database = mkOption { 48 48 + type = types.str; 49 49 + default = "%S/c2fmzq-server/data"; 50 50 + description = "Path of the database"; 51 51 + }; 52 52 + 53 53 + verbose = mkOption { 54 54 + type = types.ints.between 1 3; 55 55 + default = 2; 56 56 + description = "The level of logging verbosity: 1:Error 2:Info 3:Debug"; 57 57 + }; 58 58 + }; 59 59 + }; 60 60 + description = '' 61 61 + Configuration for c2FmZQ-server passed as CLI arguments. 62 62 + Run {command}`c2FmZQ-server help` for supported values. 63 63 + ''; 64 64 + example = { 65 65 + verbose = 3; 66 66 + allow-new-accounts = true; 67 67 + auto-approve-new-accounts = true; 68 68 + encrypt-metadata = true; 69 69 + enable-webapp = true; 70 70 + }; 71 71 + }; 72 72 + }; 73 73 + 74 74 + config = lib.mkIf cfg.enable { 75 75 + systemd.services.c2fmzq-server = { 76 76 + description = "c2FmZQ-server"; 77 77 + documentation = [ "https://github.com/c2FmZQ/c2FmZQ/blob/main/README.md" ]; 78 78 + wantedBy = [ "multi-user.target" ]; 79 79 + after = [ "network.target" "network-online.target" ]; 80 80 + 81 81 + serviceConfig = { 82 82 + ExecStart = "${lib.getExe cfg.package} ${argsFormat.generate cfg.settings}"; 83 83 + AmbientCapabilities = ""; 84 84 + CapabilityBoundingSet = ""; 85 85 + DynamicUser = true; 86 86 + Environment = "C2FMZQ_PASSPHRASE_FILE=%d/passphrase-file"; 87 87 + IPAccounting = true; 88 88 + IPAddressAllow = cfg.bindIP; 89 89 + IPAddressDeny = "any"; 90 90 + LoadCredential = "passphrase-file:${cfg.passphraseFile}"; 91 91 + LockPersonality = true; 92 92 + MemoryDenyWriteExecute = true; 93 93 + NoNewPrivileges = true; 94 94 + PrivateDevices = true; 95 95 + PrivateIPC = true; 96 96 + PrivateTmp = true; 97 97 + PrivateUsers = true; 98 98 + ProtectClock = true; 99 99 + ProtectControlGroups = true; 100 100 + ProtectHome = true; 101 101 + ProtectHostname = true; 102 102 + ProtectKernelLogs = true; 103 103 + ProtectKernelModules = true; 104 104 + ProtectKernelTunables = true; 105 105 + ProtectProc = "invisible"; 106 106 + ProtectSystem = "strict"; 107 107 + RemoveIPC = true; 108 108 + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; 109 109 + RestrictNamespaces = true; 110 110 + RestrictRealtime = true; 111 111 + RestrictSUIDSGID = true; 112 112 + SocketBindAllow = cfg.port; 113 113 + SocketBindDeny = "any"; 114 114 + StateDirectory = "c2fmzq-server"; 115 115 + SystemCallArchitectures = "native"; 116 116 + SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ]; 117 117 + }; 118 118 + }; 119 119 + }; 120 120 + 121 121 + meta = { 122 122 + doc = ./c2fmzq-server.md; 123 123 + maintainers = with lib.maintainers; [ hmenke ]; 124 124 + }; 125 125 + }