792b51d22f
GitOrigin-RevId: d5f237872975e6fb6f76eef1368b5634ffcd266f
148 lines
3.9 KiB
Nix
148 lines
3.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services.agate;
|
|
in
|
|
{
|
|
options = {
|
|
services.agate = {
|
|
enable = mkEnableOption "Agate Server";
|
|
|
|
package = mkOption {
|
|
type = types.package;
|
|
default = pkgs.agate;
|
|
defaultText = literalExpression "pkgs.agate";
|
|
description = "The package to use";
|
|
};
|
|
|
|
addresses = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ "0.0.0.0:1965" ];
|
|
description = ''
|
|
Addresses to listen on, IP:PORT, if you haven't disabled forwarding
|
|
only set IPv4.
|
|
'';
|
|
};
|
|
|
|
contentDir = mkOption {
|
|
default = "/var/lib/agate/content";
|
|
type = types.path;
|
|
description = "Root of the content directory.";
|
|
};
|
|
|
|
certificatesDir = mkOption {
|
|
default = "/var/lib/agate/certificates";
|
|
type = types.path;
|
|
description = "Root of the certificate directory.";
|
|
};
|
|
|
|
hostnames = mkOption {
|
|
default = [ ];
|
|
type = types.listOf types.str;
|
|
description = ''
|
|
Domain name of this Gemini server, enables checking hostname and port
|
|
in requests. (multiple occurences means basic vhosts)
|
|
'';
|
|
};
|
|
|
|
language = mkOption {
|
|
default = null;
|
|
type = types.nullOr types.str;
|
|
description = "RFC 4646 Language code for text/gemini documents.";
|
|
};
|
|
|
|
onlyTls_1_3 = mkOption {
|
|
default = false;
|
|
type = types.bool;
|
|
description = "Only use TLSv1.3 (default also allows TLSv1.2).";
|
|
};
|
|
|
|
extraArgs = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ "" ];
|
|
example = [ "--log-ip" ];
|
|
description = "Extra arguments to use running agate.";
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
# available for generating certs by hand
|
|
# it can be a bit arduous with openssl
|
|
environment.systemPackages = [ cfg.package ];
|
|
|
|
systemd.services.agate = {
|
|
description = "Agate";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" "network-online.target" ];
|
|
|
|
script =
|
|
let
|
|
prefixKeyList = key: list: concatMap (v: [ key v ]) list;
|
|
addresses = prefixKeyList "--addr" cfg.addresses;
|
|
hostnames = prefixKeyList "--hostname" cfg.hostnames;
|
|
in
|
|
''
|
|
exec ${cfg.package}/bin/agate ${
|
|
escapeShellArgs (
|
|
[
|
|
"--content" "${cfg.contentDir}"
|
|
"--certs" "${cfg.certificatesDir}"
|
|
] ++
|
|
addresses ++
|
|
(optionals (cfg.hostnames != []) hostnames) ++
|
|
(optionals (cfg.language != null) [ "--lang" cfg.language ]) ++
|
|
(optionals cfg.onlyTls_1_3 [ "--only-tls13" ]) ++
|
|
(optionals (cfg.extraArgs != []) cfg.extraArgs)
|
|
)
|
|
}
|
|
'';
|
|
|
|
serviceConfig = {
|
|
Restart = "always";
|
|
RestartSec = "5s";
|
|
DynamicUser = true;
|
|
StateDirectory = "agate";
|
|
|
|
# Security options:
|
|
AmbientCapabilities = "";
|
|
CapabilityBoundingSet = "";
|
|
|
|
# ProtectClock= adds DeviceAllow=char-rtc r
|
|
DeviceAllow = "";
|
|
|
|
LockPersonality = true;
|
|
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
PrivateUsers = true;
|
|
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
|
|
RestrictNamespaces = true;
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
|
RestrictRealtime = true;
|
|
|
|
SystemCallArchitectures = "native";
|
|
SystemCallErrorNumber = "EPERM";
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~@cpu-emulation"
|
|
"~@debug"
|
|
"~@keyring"
|
|
"~@memlock"
|
|
"~@obsolete"
|
|
"~@privileged"
|
|
"~@setuid"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|