parent
74bec37293
commit
fc2ae7d79e
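--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,82 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+cfg = config.services.plikd;
+
+format = pkgs.formats.toml {};
+plikdCfg = format.generate "plikd.cfg" cfg.settings;
+in
+{
+options = {
+services.plikd = {
+enable = mkEnableOption "the plikd server";
+
+openFirewall = mkOption {
+type = types.bool;
+default = false;
+description = "Open ports in the firewall for the plikd.";
+};
+
+settings = mkOption {
+type = format.type;
+default = {};
+description = ''
+Configuration for plikd, see <link xlink:href="https://github.com/root-gg/plik/blob/master/server/plikd.cfg"/>
+for supported values.
+'';
+};
+};
+};
+
+config = mkIf cfg.enable {
+services.plikd.settings = mapAttrs (name: mkDefault) {
+ListenPort = 8080;
+ListenAddress = "localhost";
+DataBackend = "file";
+DataBackendConfig = {
+Directory = "/var/lib/plikd";
+};
+MetadataBackendConfig = {
+Driver = "sqlite3";
+ConnectionString = "/var/lib/plikd/plik.db";
+};
+};
+
+systemd.services.plikd = {
+description = "Plikd file sharing server";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+Type = "simple";
+ExecStart = "${pkgs.plikd}/bin/plikd --config ${plikdCfg}";
+Restart = "on-failure";
+StateDirectory = "plikd";
+LogsDirectory = "plikd";
+DynamicUser = true;
+
+# Basic hardening
+NoNewPrivileges = "yes";
+PrivateTmp = "yes";
+PrivateDevices = "yes";
+DevicePolicy = "closed";
+ProtectSystem = "strict";
+ProtectHome = "read-only";
+ProtectControlGroups = "yes";
+ProtectKernelModules = "yes";
+ProtectKernelTunables = "yes";
+RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+RestrictNamespaces = "yes";
+RestrictRealtime = "yes";
+RestrictSUIDSGID = "yes";
+MemoryDenyWriteExecute = "yes";
+LockPersonality = "yes";
+};
+};
+
+networking.firewall = mkIf cfg.openFirewall {
+allowedTCPPorts = [ cfg.settings.ListenPort ];
+};
+};
+}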
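Review bot: The hardening block under `# Basic hardening` in the plikd serviceConfig stops short of the syscall restrictions that normally accompany this set of directives — there is no `SystemCallArchitectures = "native";` and no `SystemCallFilter = [ "@system-service" ];`, so a compromised plikd process keeps the full syscall surface even though filesystem, device and namespace access are already confined. Because the unit runs with DynamicUser and the default ListenPort is 8080, `CapabilityBoundingSet = "";` would also be safe here, with the caveat that a user lowering ListenPort below 1024 would then need CAP_NET_BIND_SERVICE back. Whether plikd actually needs AF_NETLINK in RestrictAddressFamilies cannot be determined from this page. Separately, the `openFirewall` description should say that the rule alone does not expose the service, since ListenAddress defaults to `localhost` and must be changed as well, e.g. `description = "Open ports in the firewall for plikd. ListenAddress defaults to localhost and must also be changed for remote access.";`.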