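{ lib, config, pkgs, ... }:

# NixOS module for the gomuks-web Matrix client.
#
# `settings` is rendered to JSON in the Nix store (world-readable, so it must
# not hold secrets) and passed through envsubst at service start, which fills
# `${VAR}` placeholders from the EnvironmentFile.  JSON is valid YAML, which is
# why the rendered file can be written as config.yaml.
let
  cfg = config.services.gomuks-web;

  settingsFormat = pkgs.formats.json { };

  # With DynamicUser, StateDirectory lives under /var/lib/private and systemd
  # exposes it as /var/lib/gomuks-web through a symlink.
  dataDir = "/var/lib/private/gomuks-web";
  configDir = "${dataDir}/config";
  settingsFile = "${configDir}/config.yaml";

  # Unsubstituted template in the store: placeholders only, no secrets.
  settingsFileUnsubstituted =
    settingsFormat.generate "gomuks-web-config-unsubstituted.json" cfg.settings;

in {

  options.services.gomuks-web = {
    enable = lib.mkEnableOption "gomuks-web";

    settings = lib.mkOption {
      type    = settingsFormat.type;
      default = {};
      description = ''
        Configuration for gomuks-web, rendered to `${settingsFile}` at
        service start. Values of the form `''${VAR}` are substituted from
        {option}`services.gomuks-web.environmentFile`; keep secrets there,
        since this option ends up in the world-readable Nix store.
      '';
    };

    environmentFile = lib.mkOption {
      type    = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        Optional file in systemd `EnvironmentFile` format whose variables are
        substituted into the settings file. Intended for secrets.
      '';
    };

    serviceDependencies = lib.mkOption {
      type    = lib.types.listOf lib.types.str;
      default = [];
      description = ''
        Additional systemd units that gomuks-web wants and is ordered after.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.gomuks-web = {
      description = "gomuks-web";
      # Re-render the settings file and restart when the declared settings
      # change; changes to environmentFile alone do not trigger a restart.
      restartTriggers = [ settingsFileUnsubstituted ];

      environment.GOMUKS_ROOT = "/var/lib/gomuks-web";

      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
      after = [ "network-online.target" ] ++ cfg.serviceDependencies;

      path = [ pkgs.ffmpeg-headless ];

      # Runs as the service user (ExecStartPre without "+"), so the rendered
      # file is owned by it.
      preStart = ''
        # Render the settings file with variables read from EnvironmentFile.
        # StateDirectory only creates ${dataDir} itself, so the config
        # directory is missing on first start and envsubst would fail to
        # open its output.
        mkdir -p '${configDir}'
        rm -f '${settingsFile}'
        # umask 0177 -> the rendered file is 0600, as it may contain secrets.
        old_umask=$(umask)
        umask 0177
        ${pkgs.envsubst}/bin/envsubst \
          -o '${settingsFile}' \
          -i '${settingsFileUnsubstituted}'
        umask "$old_umask"
      '';

      serviceConfig = {
        Type = "simple";
        ExecStart = lib.getExe pkgs.gomuks-web;

        DynamicUser = true;
        User  = "gomuks-web";
        Group = "gomuks-web";

        # null renders as an empty EnvironmentFile= line, which systemd
        # treats as "none".
        EnvironmentFile  = cfg.environmentFile;
        StateDirectory   = "gomuks-web";

        Restart = "on-failure";
        RestartSec = "30s";

        # Sandboxing: the service only needs network access and its
        # StateDirectory, which ProtectSystem=strict leaves writable.
        LockPersonality = true;
        NoNewPrivileges = true;

        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;

        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";

        RestrictRealtime = true;
        RestrictSUIDSGID = true;

        SystemCallArchitectures = "native";
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [ "@system-service" ];
      };
    };
  };

}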