
nixos/plikd: Add new service module

+83
+1
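--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -509,6 +509,7 @@
   ./services/misc/paperless.nix
   ./services/misc/parsoid.nix
   ./services/misc/plex.nix
+  ./services/misc/plikd.nix
   ./services/misc/tautulli.nix
   ./services/misc/pinnwand.nix
   ./services/misc/pykms.nix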
+82
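--- a/nixos/modules/services/misc/plikd.nix
+++ b/nixos/modules/services/misc/plikd.nix
@@ -0,0 +1,82 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.plikd;
+
+  format = pkgs.formats.toml {};
+  plikdCfg = format.generate "plikd.cfg" cfg.settings;
+in
+{
+  options = {
+    services.plikd = {
+      enable = mkEnableOption "the plikd server";
+
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Open ports in the firewall for the plikd.";
+      };
+
+      settings = mkOption {
+        type = format.type;
+        default = {};
+        description = ''
+          Configuration for plikd, see <link xlink:href="https://github.com/root-gg/plik/blob/master/server/plikd.cfg"/>
+          for supported values.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.plikd.settings = mapAttrs (name: mkDefault) {
+      ListenPort = 8080;
+      ListenAddress = "localhost";
+      DataBackend = "file";
+      DataBackendConfig = {
+        Directory = "/var/lib/plikd";
+      };
+      MetadataBackendConfig = {
+        Driver = "sqlite3";
+        ConnectionString = "/var/lib/plikd/plik.db";
+      };
+    };
+
+    systemd.services.plikd = {
+      description = "Plikd file sharing server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.plikd}/bin/plikd --config ${plikdCfg}";
+        Restart = "on-failure";
+        StateDirectory = "plikd";
+        LogsDirectory = "plikd";
+        DynamicUser = true;
+
+        # Basic hardening
+        NoNewPrivileges = "yes";
+        PrivateTmp = "yes";
+        PrivateDevices = "yes";
+        DevicePolicy = "closed";
+        ProtectSystem = "strict";
+        ProtectHome = "read-only";
+        ProtectControlGroups = "yes";
+        ProtectKernelModules = "yes";
+        ProtectKernelTunables = "yes";
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+        RestrictNamespaces = "yes";
+        RestrictRealtime = "yes";
+        RestrictSUIDSGID = "yes";
+        MemoryDenyWriteExecute = "yes";
+        LockPersonality = "yes";
+      };
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.settings.ListenPort ];
+    };
+  };
+}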
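Review bot: Everything in `services.plikd.settings` is rendered by `format.generate` into a world-readable Nix store path and passed via `--config ${plikdCfg}`, so any credential placed there (a `ConnectionString` carrying a database password, or credentials for a non-file `DataBackend`) becomes readable by every local user; the `settings` description should state this, e.g. `Do not put secrets here: the generated plikd.cfg is stored world-readable in the Nix store.`, and a later change could accept an environment or credentials file for such values. A second mismatch: `openFirewall` opens `cfg.settings.ListenPort` while the default `ListenAddress` is `"localhost"`, so the option has no visible effect unless `ListenAddress` is also changed, which its description should say (and `for the plikd` should read `for plikd`). The hardening set stops short of capabilities and syscalls; `CapabilityBoundingSet = "";`, `SystemCallArchitectures = "native";` and `SystemCallFilter = [ "@system-service" "~@privileged" ];` would presumably suit a Go web server that binds an unprivileged port, but that needs a runtime check against the actual binary. `AF_NETLINK` in `RestrictAddressFamilies` also looks unneeded for an HTTP server and could be dropped if a test run confirms it.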