nix config
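# NixOS module for microbin, a small self-hosted pastebin.
#
# Provides `services.microbin.*` options and wires a hardened systemd
# service that runs as a dedicated system user with its state under
# /var/lib/microbin.
{ self, config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.microbin;
  # The only location the service is allowed to write to; it is also the
  # working directory, and StateDirectory below creates it with the right
  # ownership.
  dataFolder = "/var/lib/microbin";
in
{
  options = {

    services.microbin = {
      enable = mkEnableOption "A super tiny pasta";

      package = mkOption {
        type = types.package;
        default = pkgs.unstable.microbin;
        defaultText = literalExpression "pkgs.unstable.microbin";
        description = "The microbin package to run.";
      };

      user = mkOption {
        type = types.str;
        default = "microbin";
        description = "User account under which microbin runs.";
      };

      group = mkOption {
        type = types.str;
        default = "microbin";
        description = "Group account under which microbin runs.";
      };

      hostname = mkOption {
        type = types.str;
        description = "Hostname of your microbin service";
      };

      port = mkOption {
        type = types.port;
        default = 8080;
        description = "Port on which to run the service";
      };

    };
  };

  config = mkIf cfg.enable {
    systemd.services.microbin = {
      description = "Microbin A Super Tiny Pasta";
      after = [ "remote-fs.target" "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/microbin --public-path https://${cfg.hostname}/ --qr --enable-burn-after --private";
        Environment = [
          "MICROBIN_EDITABLE=true"
          "MICROBIN_HIDE_FOOTER=true"
          "MICROBIN_HIGHLIGHTSYNTAX=true"
          "MICROBIN_PORT=${builtins.toString cfg.port}"
          "MICROBIN_TITLE=SealightBin"
        ];
        WorkingDirectory = dataFolder;

        # RestartSec= only takes effect together with Restart=, so make the
        # intended auto-restart explicit.
        Restart = "on-failure";
        RestartSec = 10;
        TimeoutStopSec = 20;
        KillMode = "process";
        User = cfg.user;
        Group = cfg.group;

        # Sandboxing. ReadWritePaths= only punches a hole in an otherwise
        # read-only filesystem, so ProtectSystem=strict is what gives the
        # dataFolder restriction its meaning.
        ProtectSystem = "strict";
        ReadWritePaths = dataFolder;
        # Creates ${dataFolder} (i.e. /var/lib/<name>) owned by User/Group.
        StateDirectory = baseNameOf dataFolder;
        DevicePolicy = "closed";
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        # Unix sockets plus IPv4/IPv6 are all a web service needs; written as
        # a single space-separated value so the unit file stays valid.
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallFilter = "~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap";
      };
    };

    # Only create the default user/group when the admin has not pointed the
    # service at an existing account.
    users.users = optionalAttrs (cfg.user == "microbin") ({
      microbin = {
        description = "microbin service user";
        name = cfg.user;
        group = cfg.group;
        isSystemUser = true;
      };
    });

    users.groups = optionalAttrs (cfg.group == "microbin") ({
      microbin = { };
    });
  };
}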