rimgo: add module · pyrox.dev/nixpkgs@f857cfd

pyrox.dev / nixpkgs

fork atom

lol

fork atom

rimgo: add module

authored by

Quantenzitrone and committed by

Weijia Wang 2 years ago f857cfd5 264cd9eb

+108

2 changed files

expand all

nixos

modules

module-list.nix

services

web-apps

rimgo.nix

nixos/modules/module-list.nix

··· 1284 1284 ./services/web-apps/powerdns-admin.nix 1285 1285 ./services/web-apps/prosody-filer.nix 1286 1286 ./services/web-apps/restya-board.nix 1287 + ./services/web-apps/rimgo.nix 1287 1288 ./services/web-apps/sftpgo.nix 1288 1289 ./services/web-apps/rss-bridge.nix 1289 1290 ./services/web-apps/selfoss.nix

+107

nixos/modules/services/web-apps/rimgo.nix

··· 1 + { 2 + config, 3 + lib, 4 + pkgs, 5 + ... 6 + }: 7 + let 8 + cfg = config.services.rimgo; 9 + inherit (lib) 10 + mkOption 11 + mkEnableOption 12 + mkPackageOption 13 + mkDefault 14 + mkIf 15 + types 16 + literalExpression 17 + optionalString 18 + getExe 19 + mapAttrs 20 + ; 21 + in 22 + { 23 + options.services.rimgo = { 24 + enable = mkEnableOption "rimgo"; 25 + package = mkPackageOption pkgs "rimgo" { }; 26 + settings = mkOption { 27 + type = types.submodule { 28 + freeformType = with types; attrsOf str; 29 + options = { 30 + PORT = mkOption { 31 + type = types.port; 32 + default = 3000; 33 + example = 69420; 34 + description = "The port to use."; 35 + }; 36 + ADDRESS = mkOption { 37 + type = types.str; 38 + default = "127.0.0.1"; 39 + example = "1.1.1.1"; 40 + description = "The address to listen on."; 41 + }; 42 + }; 43 + }; 44 + example = literalExpression '' 45 + { 46 + PORT = 69420; 47 + FORCE_WEBP = "1"; 48 + } 49 + ''; 50 + description = '' 51 + Settings for rimgo, see [the official documentation](https://rimgo.codeberg.page/docs/usage/configuration/) for supported options. 52 + ''; 53 + }; 54 + }; 55 + 56 + config = mkIf cfg.enable { 57 + systemd.services.rimgo = { 58 + description = "Rimgo"; 59 + wantedBy = [ "multi-user.target" ]; 60 + after = [ "network.target" ]; 61 + environment = mapAttrs (_: toString) cfg.settings; 62 + serviceConfig = { 63 + ExecStart = getExe cfg.package; 64 + AmbientCapabilities = mkIf (cfg.settings.PORT < 1024) [ 65 + "CAP_NET_BIND_SERVICE" 66 + ]; 67 + DynamicUser = true; 68 + Restart = "on-failure"; 69 + RestartSec = "5s"; 70 + CapabilityBoundingSet = [ 71 + (optionalString (cfg.settings.PORT < 1024) "CAP_NET_BIND_SERVICE") 72 + ]; 73 + DeviceAllow = [ "" ]; 74 + LockPersonality = true; 75 + MemoryDenyWriteExecute = true; 76 + PrivateDevices = true; 77 + PrivateUsers = cfg.settings.PORT >= 1024; 78 + ProcSubset = "pid"; 79 + ProtectClock = true; 80 + ProtectControlGroups = true; 81 + ProtectHome = true; 82 + ProtectHostname = true; 83 + ProtectKernelLogs = true; 84 + ProtectKernelModules = true; 85 + ProtectKernelTunables = true; 86 + ProtectProc = "invisible"; 87 + RestrictAddressFamilies = [ 88 + "AF_INET" 89 + "AF_INET6" 90 + ]; 91 + RestrictNamespaces = true; 92 + RestrictRealtime = true; 93 + RestrictSUIDSGID = true; 94 + SystemCallArchitectures = "native"; 95 + SystemCallFilter = [ 96 + "@system-service" 97 + "~@privileged" 98 + ]; 99 + UMask = "0077"; 100 + }; 101 + }; 102 + }; 103 + 104 + meta = { 105 + maintainers = with lib.maintainers; [ quantenzitrone ]; 106 + }; 107 + }