
commit 7da43c299c08666b971273433bb68012e5c22b2c
parent c891cb11e12374194a895f05e49175423c3145c2
Author: Leah (ctucx) <leah@ctu.cx>
Date: Thu, 28 Apr 2022 14:29:24 +0200

modules: add gotosocial
1 file changed, 110 insertions(+), 0 deletions(-)
A
modules/gotosocial.nix
|
110
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/modules/gotosocial.nix b/modules/gotosocial.nix
@@ -0,0 +1,110 @@
+{ options, config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.gotosocial;
+
+in {
+
+  options = {
+    services.gotosocial = with lib; {
+      enable = mkEnableOption "gotosocial";
+
+      package = mkOption {
+        type = types.package;
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "gotosocial";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "gotosocial";
+      };
+
+      stateDir = mkOption {
+        type = types.str;
+        default = "/var/lib/gotosocial";
+        readOnly = true;
+      };
+
+      config = mkOption {
+        type = types.lines;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    users = {
+      users."${cfg.user}" = {
+        description = "Pleroma user";
+        home = cfg.stateDir;
+        group = cfg.group;
+        isSystemUser = true;
+      };
+      groups."${cfg.group}" = {};
+    };
+
+    environment.systemPackages = [
+      (pkgs.writeShellScriptBin "gotosocial" ''
+        exec ${cfg.package}/bin/gotosocial --config-path /etc/gotosocial/config.yaml "$@"
+      '')
+    ];
+
+    environment.etc."/gotosocial/config.yaml".text = "${cfg.config}";
+
+    systemd.services.gotosocial = {
+      description = "gotosocial";
+      after = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      restartTriggers = [ config.environment.etc."/gotosocial/config.yaml".source ];
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+
+        Type = "exec";
+        WorkingDirectory = "~";
+        StateDirectory = "gotosocial gotosocial/storage";
+        StateDirectoryMode = "700";
+
+        ExecStart = "${cfg.package}/bin/gotosocial --config-path /etc/gotosocial/config.yaml server start";
+
+#        NoNewPrivileges = true;
+#        PrivateTmp      = true;
+#        PrivateDevices  = false;
+
+#        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+#        RestrictNamespaces      = true;
+#        RestrictRealtime        = true;
+        
+#        ProtectSystem         = "full";
+#        ProtectControlGroups  = true;
+#        ProtectKernelModules  = true;
+#        ProtectKernelTunables = true;
+#
+#        DevicePolicy     = "closed";
+#        LockPersonality  = true;
+#        SystemCallFilter = "~@clock @debug @module @mount @obsolete @reboot @setuid @swap";
+#
+#        CapabilityBoundingSet = [
+#          "~CAP_RAWIO CAP_MKNOD"
+#          "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"
+#          "~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT"
+#          "~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK"
+#          "~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM"
+#          "~CAP_SYS_TTY_CONFIG"
+#          "~CAP_MAC_ADMIN CAP_MAC_OVERRIDE"
+#          "~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW"
+#          "~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG"
+#        ];
+      };
+    };
+
+  };
+
+}
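Review bot: The `services.gotosocial.config` text is installed verbatim as `/etc/gotosocial/config.yaml` through `environment.etc`, which places the rendered file in the world-readable Nix store and links it into /etc with the default world-readable mode, so any database or SMTP password a deployer writes into that YAML is exposed to every local user. Keep credentials out of this option and hand them to the unit with `EnvironmentFile=` or `LoadCredential=` in `serviceConfig`, pointing at a root-owned file outside the store; at minimum add `description = "Contents of config.yaml; must not contain secrets";` to the option. The entire sandboxing block at the end of `serviceConfig` is commented out, so the service currently runs with no hardening at all — `NoNewPrivileges = true; PrivateTmp = true; ProtectSystem = "strict";` are a safe subset to enable immediately (the `StateDirectory` entries stay writable under `strict`), with the remaining directives re-enabled once tested against the binary. The user entry is described as `"Pleroma user"`, a copy-paste leftover; `description = "GoToSocial user";` is what was intended.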