depot/third_party/nixpkgs/nixos/modules/services/web-apps/alps.nix

131 lines
3.3 KiB
Nix
Raw Normal View History

{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.services.alps;
in {
options.services.alps = {
enable = mkEnableOption (lib.mdDoc "alps");
port = mkOption {
type = types.port;
default = 1323;
description = lib.mdDoc ''
TCP port the service should listen on.
'';
};
bindIP = mkOption {
default = "[::]";
type = types.str;
description = lib.mdDoc ''
The IP the service should listen on.
'';
};
theme = mkOption {
type = types.enum [ "alps" "sourcehut" ];
default = "sourcehut";
description = lib.mdDoc ''
The frontend's theme to use.
'';
};
imaps = {
port = mkOption {
type = types.port;
default = 993;
description = lib.mdDoc ''
The IMAPS server port.
'';
};
host = mkOption {
type = types.str;
default = "[::1]";
example = "mail.example.org";
description = lib.mdDoc ''
The IMAPS server address.
'';
};
};
smtps = {
port = mkOption {
type = types.port;
default = 465;
description = lib.mdDoc ''
The SMTPS server port.
'';
};
host = mkOption {
type = types.str;
default = cfg.imaps.host;
defaultText = "services.alps.imaps.host";
example = "mail.example.org";
description = lib.mdDoc ''
The SMTPS server address.
'';
};
};
package = mkOption {
internal = true;
type = types.package;
default = pkgs.alps;
};
args = mkOption {
internal = true;
type = types.listOf types.str;
default = [
"-addr" "${cfg.bindIP}:${toString cfg.port}"
"-theme" "${cfg.theme}"
"imaps://${cfg.imaps.host}:${toString cfg.imaps.port}"
"smpts://${cfg.smtps.host}:${toString cfg.smtps.port}"
];
};
};
config = mkIf cfg.enable {
systemd.services.alps = {
description = "alps is a simple and extensible webmail.";
documentation = [ "https://git.sr.ht/~migadu/alps" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "network-online.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";
DynamicUser = true;
## This is desirable but would restrict bindIP to 127.0.0.1
#IPAddressAllow = "localhost";
#IPAddressDeny = "any";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateIPC = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ];
};
};
};
}