nix config
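{ self, config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.gpodder;

  # Placeholder secret shipped as the option default. It is kept only so that
  # existing configurations continue to evaluate; leaving it in place is
  # reported through `warnings` below.
  defaultSecret = "satnheiycglsrcgaecrlufg";
in
{
  # NixOS module for running a gpodder2go instance as a hardened systemd
  # service under a dedicated system user.
  options.services.gpodder = {
    enable = mkEnableOption "A gpodder instance";

    user = mkOption {
      type = types.str;
      default = "gpodder";
      description = "User account under which gpodder runs.";
    };

    group = mkOption {
      type = types.str;
      default = "gpodder";
      description = "Group account under which gpodder runs.";
    };

    hostname = mkOption {
      type = types.str;
      description = "Hostname of your gpodder service";
    };

    dataFolder = mkOption {
      type = types.str;
      default = "/var/lib/gpodder";
      description = ''
        State directory. StateDirectory= is only set when this path is a
        direct child of /var/lib; any other location must already exist and
        be writable by the service user.
      '';
    };

    VERIFIER_SECRET_KEY = mkOption {
      type = types.str;
      default = defaultSecret;
      description = ''
        Verifier secret passed to gpodder2go as VERIFIER_SECRET_KEY.
        A value given here is rendered into the generated unit file in the
        world-readable Nix store; prefer {option}`services.gpodder.environmentFile`
        for the real secret.
      '';
    };

    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to an EnvironmentFile= (kept outside the Nix store) that sets
        VERIFIER_SECRET_KEY. Values from this file override the
        {option}`services.gpodder.VERIFIER_SECRET_KEY` option.
      '';
    };
  };

  config = mkIf cfg.enable {
    # Surface a deployment that still runs on the built-in placeholder secret
    # and has not supplied a secret file either.
    warnings = optional (cfg.VERIFIER_SECRET_KEY == defaultSecret && cfg.environmentFile == null)
      "services.gpodder: VERIFIER_SECRET_KEY is still the module's built-in default; set services.gpodder.environmentFile to a file outside the Nix store.";

    systemd.services.gpodder = {
      description = "gpodder2go A gpodder instance";
      after = [ "remote-fs.target" "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.gpodder2go}/bin/gpodder2go serve";
        # Environment= values are written verbatim into the unit file (see the
        # option description); EnvironmentFile= entries take precedence.
        Environment = [
          "VERIFIER_SECRET_KEY=${cfg.VERIFIER_SECRET_KEY}"
        ];
        WorkingDirectory = cfg.dataFolder;
        TimeoutStopSec = "20";
        KillMode = "process";
        RestartSec = "10";
        User = cfg.user;
        Group = cfg.group;

        # Sandboxing. The data folder stays writable through ReadWritePaths=
        # (and StateDirectory= when it lives under /var/lib).
        DevicePolicy = "closed";
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateUsers = true;
        PrivateDevices = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectKernelLogs = true;
        ProtectHostname = true;
        ProtectClock = true;
        LockPersonality = true;
        RestrictSUIDSGID = true;
        # Unit files take one Key=Value per line, so a multi-line string here
        # would leave the continuation lines unparsed; a list is rendered as
        # repeated RestrictAddressFamilies= lines, which systemd merges.
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap";
        ReadWritePaths = [ cfg.dataFolder ];
      } // optionalAttrs (cfg.environmentFile != null) {
        EnvironmentFile = cfg.environmentFile;
      } // optionalAttrs (dirOf cfg.dataFolder == "/var/lib") {
        # StateDirectory= is always created below /var/lib, so it only
        # matches dataFolder when dataFolder is a direct child of /var/lib.
        StateDirectory = baseNameOf cfg.dataFolder;
      };
    };

    users.users = optionalAttrs (cfg.user == "gpodder") {
      gpodder = {
        description = "gpodder service user";
        name = cfg.user;
        group = cfg.group;
        isSystemUser = true;
      };
    };

    users.groups = optionalAttrs (cfg.group == "gpodder") {
      gpodder = { };
    };

    # Kept from the original module: a one-shot initialisation service that
    # has not been enabled yet.
    # systemd.services.gpodder-install = {
    #   description = "gpodder install service";
    #   wantedBy = [ "multi-user.target" ];
    #   before = [ "gpodder.service" ];
    #   path = with pkgs; [ gpodder2go ];
    #
    #   serviceConfig = {
    #     User = cfg.user;
    #     Type = "oneshot";
    #     CacheDirectory = "gpodder";
    #     # Stores sessions.
    #     CacheDirectoryMode = "700";
    #     ConfigurationDirectory = "gpodder";
    #     LogsDirectory = "gpodder";
    #     StateDirectory = "gpodder";
    #   };
    #
    #   script = ''
    #     if [ ! -f "${cfg.dataFolder}/installed" ]; then
    #       ${pkgs.gpodder2go}/bin/gpodder2go init
    #       touch "${cfg.dataFolder}/installed"
    #     fi
    #   '';
    # };
  };
}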