author | Nikolay Amiantov <ab@fmap.me> | 2022-01-08 13:36:29 +0300 |
committer | Nikolay Amiantov <ab@fmap.me> | 2022-01-11 20:09:36 +0300 |
commit | 8956803ade4f16319f2685ae9e1b7cfed85e9848 (patch) | |
tree | dbe28d52e71e75d221e350dc46e150ceb27da3ac /nixos/modules/services/web-apps | |
parent | b0dacda1a253400d5ebca40d523413c51a6067f2 (diff) | |
prosody-filer service: init
Add a user and group, since the stored files are persistent and are meant to be accessed by nginx or another web server.
Diffstat (limited to 'nixos/modules/services/web-apps')
-rw-r--r-- | nixos/modules/services/web-apps/prosody-filer.nix | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/prosody-filer.nix b/nixos/modules/services/web-apps/prosody-filer.nix
new file mode 100644
index 00000000000..6a52c36ab2c
--- /dev/null
+++ b/nixos/modules/services/web-apps/prosody-filer.nix
@@ -0,0 +1,88 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+
+ cfg = config.services.prosody-filer;
+
+ settingsFormat = pkgs.formats.toml { };
+ configFile = settingsFormat.generate "prosody-filer.toml" cfg.settings;
+in {
+
+ options = {
+ services.prosody-filer = {
+ enable = mkEnableOption "Prosody Filer XMPP upload file server";
+
+ settings = mkOption {
+ description = ''
+ Configuration for Prosody Filer.
+ Refer to <link xlink:href="https://github.com/ThomasLeister/prosody-filer#configure-prosody-filer"/> for details on supported values.
+ '';
+
+ type = settingsFormat.type;
+
+ example = literalExample ''
+ {
+ secret = "mysecret";
+ storeDir = "/srv/http/nginx/prosody-upload";
+ }
+ '';
+
+ defaultText = literalExpression ''
+ {
+ listenport = mkDefault "127.0.0.1:5050";
+ uploadSubDir = mkDefault "upload/";
+ }
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.prosody-filer.settings = {
+ listenport = mkDefault "127.0.0.1:5050";
+ uploadSubDir = mkDefault "upload/";
+ };
+
+ users.users.prosody-filer = {
+ group = "prosody-filer";
+ isSystemUser = true;
+ };
+
+ users.groups.prosody-filer = { };
+
+ systemd.services.prosody-filer = {
+ description = "Prosody file upload server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ User = "prosody-filer";
+ Group = "prosody-filer";
+ ExecStart = "${pkgs.prosody-filer}/bin/prosody-filer -config ${configFile}";
+ Restart = "on-failure";
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateMounts = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectProc = "noaccess";
+ ProcSubset = "pid";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ RestrictSUIDSGID = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+ };
+ };
+ };
+}
|
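Review bot: The upload `secret` that the `example` places in `settings` is written to the world-readable Nix store, because `configFile` is produced by `settingsFormat.generate` and referenced on the `ExecStart` line, so any local account on the host can read the shared secret that authorises uploads. The `settings` description should state this, e.g. `Note that the generated configuration file lives in the world-readable Nix store, so <literal>secret</literal> should not be set to a production value here.`; a follow-up could add a file-based secret option passed to the unit via systemd `LoadCredential=`. The `serviceConfig` hardening also omits `ProtectSystem`, and nothing in the module creates `storeDir` or grants the `prosody-filer` user write access to it, so a deployment has to provision that directory by hand. Minor: `example` uses `literalExample` while `defaultText` uses `literalExpression`; the newer `literalExpression` fits both.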