
commit f659210989cfeb40ea3111b053156625f5fd0160
parent 87df0fd2b4798a1a7c78d60abd64be2fe995112a
Author: Katja (ctucx) <git@ctu.cx>
Date: Thu, 20 Mar 2025 15:16:18 +0100

modules/nixos: add `gomuks-web`
2 files changed, 97 insertions(+), 0 deletions(-)
M
modules/nixos/default.nix
|
1
+
A
modules/nixos/gomuks-web.nix
|
96
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
@@ -24,6 +24,7 @@
     ./mautrix-whatsapp.nix
     ./mautrix-signal.nix
     ./mautrix-telegram.nix
+    ./gomuks-web.nix
   ];
 
 }
diff --git a/modules/nixos/gomuks-web.nix b/modules/nixos/gomuks-web.nix
@@ -0,0 +1,96 @@
+{ lib, config, pkgs, ... }:
+
+let
+  cfg = config.services.gomuks-web;
+  dataDir = "/var/lib/private/gomuks-web";
+  settingsFile = "${dataDir}/config/config.yaml";
+  settingsFileUnsubstituted = settingsFormat.generate "gomuks-web-config-unsubstituted.json" cfg.settings;
+  settingsFormat = pkgs.formats.json { };
+
+in {
+
+  options.services.gomuks-web = {
+    enable = lib.mkEnableOption "gomuks-web";
+
+    settings = lib.mkOption {
+      type    = settingsFormat.type;
+      default = {};
+    };
+
+    environmentFile = lib.mkOption {
+      type    = lib.types.nullOr lib.types.path;
+      default = null;
+    };
+
+    serviceDependencies = lib.mkOption {
+      type    = lib.types.listOf lib.types.str;
+      default = [];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.gomuks-web = {
+      description = "gomuks-web";
+      restartTriggers = [ settingsFileUnsubstituted ];
+
+      environment.GOMUKS_ROOT = "/var/lib/gomuks-web";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
+      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
+
+      path = [ pkgs.ffmpeg-headless ];
+
+      preStart = ''
+        # substitute the settings file by environment variables
+        # in this case read from EnvironmentFile
+        test -f '${settingsFile}' && rm -f '${settingsFile}'
+        old_umask=$(umask)
+        umask 0177
+        ${pkgs.envsubst}/bin/envsubst \
+          -o '${settingsFile}' \
+          -i '${settingsFileUnsubstituted}'
+        umask $old_umask
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = lib.getExe pkgs.gomuks-web;
+
+        DynamicUser = true;
+        User  = "gomuks-web";
+        Group = "gomuks-web";
+
+        EnvironmentFile  = cfg.environmentFile;
+        StateDirectory   = "gomuks-web";
+
+        Restart = "on-failure";
+        RestartSec = "30s";
+
+        LockPersonality = true;
+        NoNewPrivileges = true;
+
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = [ "@system-service" ];
+      };
+    };
+  };
+
+}
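Review bot: `preStart` writes the substituted config to `${dataDir}/config/config.yaml` via `envsubst -o`, but nothing in the unit creates that `config` directory, so the first start on a fresh StateDirectory will fail unless gomuks-web itself creates it beforehand, which I cannot tell from here; add `mkdir -p '${dataDir}/config'` before the `umask 0177` line. The `settings`, `environmentFile` and `serviceDependencies` options carry no `description`; since `cfg.settings` is rendered into a world-readable Nix store file (`settingsFileUnsubstituted`), the `settings` description should state that secrets belong in `environmentFile` and are referenced in `settings` as `$VAR` placeholders that envsubst fills in at start. The sandbox could be tightened in the same style as the existing hardening keys with `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`, `RestrictNamespaces = true;` and `CapabilityBoundingSet = "";`, the last being appropriate because the unit runs unprivileged under DynamicUser. `environment.GOMUKS_ROOT` points at `/var/lib/gomuks-web` while `dataDir` uses the `/var/lib/private/` path; under DynamicUser these resolve to the same directory, but deriving both from one binding would make that relationship explicit.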