diff options
author | Nikolay Amiantov <ab@fmap.me> | 2022-01-08 13:36:29 +0300 |
---|---|---|
committer | Nikolay Amiantov <ab@fmap.me> | 2022-01-11 20:09:36 +0300 |
commit | 8956803ade4f16319f2685ae9e1b7cfed85e9848 (patch) | |
tree | dbe28d52e71e75d221e350dc46e150ceb27da3ac | |
parent | b0dacda1a253400d5ebca40d523413c51a6067f2 (diff) | |
download | nixpkgs-8956803ade4f16319f2685ae9e1b7cfed85e9848.tar nixpkgs-8956803ade4f16319f2685ae9e1b7cfed85e9848.tar.gz nixpkgs-8956803ade4f16319f2685ae9e1b7cfed85e9848.tar.bz2 nixpkgs-8956803ade4f16319f2685ae9e1b7cfed85e9848.tar.lz nixpkgs-8956803ade4f16319f2685ae9e1b7cfed85e9848.tar.xz nixpkgs-8956803ade4f16319f2685ae9e1b7cfed85e9848.tar.zst nixpkgs-8956803ade4f16319f2685ae9e1b7cfed85e9848.zip |
prosody-filer service: init
Add user and group, as files stored are persistent and to be accessed by nginx or other web server.
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 7 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2205.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/prosody-filer.nix | 88 |
4 files changed, 98 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 4a6ecac6bd0..845a5f09dae 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -135,6 +135,13 @@ <link linkend="opt-services.baget.enable">services.baget</link>. </para> </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/ThomasLeister/prosody-filer">prosody-filer</link>, + a server for handling XMPP HTTP Upload requests. Available at + <link linkend="opt-services.prosody-filer.enable">services.prosody-filer</link>. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-22.05-incompatibilities"> diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 9540681fa4f..ad4743d7cd9 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -41,6 +41,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable). +- [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable). + ## Backward Incompatibilities {#sec-release-22.05-incompatibilities} - `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`. diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b4a0bcb01dc..a8f1ce83c26 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1031,6 +1031,7 @@ ./services/web-apps/plausible.nix ./services/web-apps/pgpkeyserver-lite.nix ./services/web-apps/powerdns-admin.nix + ./services/web-apps/prosody-filer.nix ./services/web-apps/matomo.nix ./services/web-apps/openwebrx.nix ./services/web-apps/restya-board.nix diff --git a/nixos/modules/services/web-apps/prosody-filer.nix b/nixos/modules/services/web-apps/prosody-filer.nix new file mode 100644 index 00000000000..6a52c36ab2c --- /dev/null +++ b/nixos/modules/services/web-apps/prosody-filer.nix @@ -0,0 +1,88 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + + cfg = config.services.prosody-filer; + + settingsFormat = pkgs.formats.toml { }; + configFile = settingsFormat.generate "prosody-filer.toml" cfg.settings; +in { + + options = { + services.prosody-filer = { + enable = mkEnableOption "Prosody Filer XMPP upload file server"; + + settings = mkOption { + description = '' + Configuration for Prosody Filer. + Refer to <link xlink:href="https://github.com/ThomasLeister/prosody-filer#configure-prosody-filer"/> for details on supported values. + ''; + + type = settingsFormat.type; + + example = literalExample '' + { + secret = "mysecret"; + storeDir = "/srv/http/nginx/prosody-upload"; + } + ''; + + defaultText = literalExpression '' + { + listenport = mkDefault "127.0.0.1:5050"; + uploadSubDir = mkDefault "upload/"; + } + ''; + }; + }; + }; + + config = mkIf cfg.enable { + services.prosody-filer.settings = { + listenport = mkDefault "127.0.0.1:5050"; + uploadSubDir = mkDefault "upload/"; + }; + + users.users.prosody-filer = { + group = "prosody-filer"; + isSystemUser = true; + }; + + users.groups.prosody-filer = { }; + + systemd.services.prosody-filer = { + description = "Prosody file upload server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + User = "prosody-filer"; + Group = "prosody-filer"; + ExecStart = "${pkgs.prosody-filer}/bin/prosody-filer -config ${configFile}"; + Restart = "on-failure"; + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateMounts = true; + ProtectHome = true; + ProtectClock = true; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectHostname = true; + RestrictSUIDSGID = true; + RestrictRealtime = true; + RestrictNamespaces = true; + LockPersonality = true; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + }; + }; + }; +} |