nix-config/modules/fedi/iceshrimp/default.nix


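{
  lib,
  pkgs,
  config,
  ...
}: let
  inherit (lib) mkIf mkOption;
  inherit (lib.generators) toINI;
  inherit (config) versions;
  inherit (lib.types) attrs package;

  # Site-level switch and domain for this instance; `enable` and `domain.full`
  # are declared in another module (not visible in this file).
  cfg = config.conf.fedi.iceshrimp;

  # Derivation built from the sibling file, pinned to the version tracked in
  # `config.versions`. It is only the *default* of `services.iceshrimp.package`.
  iceshrimp = pkgs.callPackage ./iceshrimp.nix {version = versions.iceshrimp;};

  # The package that is actually run. Previously every reference used the
  # local `iceshrimp` binding directly, so overriding the `package` option had
  # no effect; route everything through the option instead.
  pkg = config.services.iceshrimp.package;

  # INI overrides handed to the daemon through ICESHRIMP_CONFIG_OVERRIDES.
  # writeTextFile puts this in the world-readable Nix store, so `settings`
  # must not carry credentials.
  settings = pkgs.writeTextFile {
    name = "configuration.overrides.ini";
    text = toINI {} config.services.iceshrimp.settings;
  };
in {
  options = {
    services.iceshrimp = {
      package = mkOption {
        type = package;
        default = iceshrimp;
        description = "Iceshrimp.NET package to run.";
      };
      settings = mkOption {
        type = attrs;
        default = {};
        description = ''
          Configuration overrides as an attribute set of INI sections
          (section -> key -> value), rendered with lib.generators.toINI.
          The rendered file lives in the Nix store, so keep secrets out of it.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [pkg];

    services.iceshrimp.settings = {
      Instance = {
        # Bound to the loopback interface only; presumably something else
        # (a reverse proxy) exposes it under `WebDomain`.
        ListenPort = 3000;
        ListenHost = "localhost";
        WebDomain = cfg.domain.full;
        AccountDomain = cfg.domain.full;
      };
      # Empty section; renders as a bare "[Security]" header. Kept as is,
      # presumably a placeholder for future overrides.
      Security = {};
    };

    systemd.services.iceshrimp = {
      enable = true;
      description = "Iceshrimp.NET daemon";
      environment = {
        ICESHRIMP_CONFIG_OVERRIDES = settings;
        # glibc allocator tunable; the name ends in an underscore. The former
        # spelling `MALLOC_TRIM_TRESHOLD` matched no glibc variable and was
        # silently ignored.
        MALLOC_TRIM_THRESHOLD_ = "131072";
      };
      after = ["postgresql.service"];
      requires = ["postgresql.service"];
      wantedBy = ["multi-user.target"];
      serviceConfig = {
        Type = "simple";
        Restart = "on-failure";
        User = "iceshrimp";
        Group = "iceshrimp";
        WorkingDirectory = "${pkg}/usr/share";
        # systemd directive is `SyslogIdentifier`; the former `SysLogIdentifier`
        # is an unknown key and was dropped with a warning.
        SyslogIdentifier = "iceshrimp.net";
        ExecStart = "${pkg}/usr/share/Iceshrimp.Backend --migrate-and-start";

        # Store paths are already immutable; listing them is belt and braces.
        ReadOnlyPaths = [
          "${pkg}/usr/share"
          "${pkg}/etc/configuration.ini"
          "${settings}"
        ];
        # With ProtectSystem=strict these are the only writable locations.
        # NOTE(review): two different roots (/var/lib/iceshrimp.net and
        # /var/lib/iceshrimp) — confirm both exist and are owned by the
        # service user, otherwise the unit fails to start.
        ReadWritePaths = [
          "/var/lib/iceshrimp.net/files"
          "/var/lib/iceshrimp/iceshrimp.net.sock"
        ];
        # User uploads must never be executable.
        NoExecPaths = [
          "/var/lib/iceshrimp.net/files"
        ];

        # Sandboxing. MemoryDenyWriteExecute is deliberately absent: the .NET
        # runtime JIT-compiles and needs writable+executable mappings.
        RestrictSUIDSGID = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        # Only the socket families the daemon needs (HTTP over TCP, the unix
        # socket in ReadWritePaths).
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
        # Runs unprivileged on an unprivileged port; no capabilities needed.
        CapabilityBoundingSet = "";
        RemoveIPC = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectProc = "invisible";
        SystemCallArchitectures = "native";
        SystemCallFilter = "@system-service";
        SystemCallErrorNumber = "EPERM";
        LockPersonality = true;
        NoNewPrivileges = true;
      };
    };

    # Local database; the role owns its database so no password is involved
    # (peer/ident auth on the local socket).
    services.postgresql = {
      enable = true;
      ensureDatabases = ["iceshrimp"];
      ensureUsers = [
        {
          name = "iceshrimp";
          ensureDBOwnership = true;
        }
      ];
    };
  };
}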