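{
  # Flake for pubcached: builds the package and ships a NixOS module that runs
  # it as a tightly sandboxed systemd service.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };

  outputs = { self, nixpkgs, ... }@inputs: let
    forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
  in {
    # Overlay exposing the package as `pkgs.pubcached`, which is what the
    # module's `package` option resolves by default.
    overlays.default = final: prev: {
      pubcached = final.callPackage ./pkgs/pubcached.nix {};
    };

    nixosModule = { pkgs, config, lib, ... }: let
      cfg = config.papatutuwawa.pubcached;
      # All on-disk state lives under the systemd StateDirectory; derive the
      # config paths from one constant so they cannot drift from it.
      stateDir = "/var/lib/pubcached";
    in {
      options.papatutuwawa.pubcached = {
        # mkEnableOption already prefixes "Whether to enable ", so pass the
        # bare service name (the original produced "Whether to enable Enable pubcached").
        enable = lib.mkEnableOption "pubcached";

        package = lib.mkOption {
          type = lib.types.package;
          default = pkgs.pubcached;
          defaultText = lib.literalExpression "pkgs.pubcached";
          description = ''
            The pubcached package to run. `pkgs.pubcached` only resolves when
            the consumer applies this flake's `overlays.default` (or otherwise
            provides that attribute); set this option explicitly, e.g. to
            `self.packages.''${system}.pubcached`, to avoid depending on an overlay.
          '';
        };

        serverUrl = lib.mkOption {
          type = lib.types.str;
          example = "https://pub.example.org";
          description = ''
            The URL to which archives should be redirected.
            The generated config file (including this value) is written to the
            world-readable Nix store, so do not embed credentials in it.
          '';
        };

        host = lib.mkOption {
          type = lib.types.str;
          default = "127.0.0.1";
          description = ''
            The host to bind to. The default listens on loopback only; binding
            to another address exposes the service directly, and nothing in
            this module adds TLS or authentication in front of it.
          '';
        };

        port = lib.mkOption {
          type = lib.types.port;
          default = 8000;
          description = ''
            The port to bind to. Must be 1024 or higher: the service runs with
            an empty capability bounding set and PrivateUsers, so it cannot
            bind privileged ports.
          '';
        };
      };

      config = lib.mkIf cfg.enable {
        # Fail at evaluation time instead of with an EACCES at runtime.
        assertions = [
          {
            assertion = cfg.port >= 1024;
            message = "papatutuwawa.pubcached.port must be >= 1024: the service drops all capabilities and runs with PrivateUsers, so it cannot bind privileged ports. Put a reverse proxy in front instead.";
          }
        ];

        systemd.services.pubcached = let
          settingsFormat = pkgs.formats.toml {};
          # Rendered into the Nix store: world-readable and immutable, so the
          # config must never carry secrets.
          configFile = settingsFormat.generate "config.toml" {
            db_path = "${stateDir}/db.sqlite";
            package_path = "${stateDir}/packages/";
            server_url = cfg.serverUrl;
            host = cfg.host;
            port = cfg.port;
          };
        in {
          description = "pubcached Service";
          wantedBy = [ "multi-user.target" ];
          after = [ "network-online.target" ];
          wants = [ "network-online.target" ];

          serviceConfig = {
            # Transient user and group allocated per run; implies RemoveIPC
            # and PrivateTmp as well.
            DynamicUser = true;
            WorkingDirectory = "%S/pubcached";
            # Resolves to ${stateDir}; owned by the dynamic user, not
            # readable by anyone else.
            StateDirectory = "pubcached";
            StateDirectoryMode = "0700";
            # Group-writable files inside the state dir. The dynamic group
            # has no other members, but 0077 would be the tighter choice.
            UMask = "0007";
            # Creates /etc/pubcached; the config itself is passed from the
            # store via -c, so this directory is currently unused by the module.
            ConfigurationDirectory = "pubcached";
            ExecStart = "${cfg.package}/bin/pubcached -c ${configFile}";
            Restart = "on-failure";
            RestartSec = 15;

            # Security: no capabilities at all (hence no privileged ports) and
            # no way to regain privileges through setuid/fscaps binaries.
            CapabilityBoundingSet = "";
            NoNewPrivileges = true;

            # Sandboxing
            ProtectSystem = "strict";
            ProtectHome = true;
            PrivateTmp = true;
            PrivateDevices = true;
            PrivateUsers = true;
            ProtectHostname = true;
            ProtectClock = true;
            ProtectKernelTunables = true;
            ProtectKernelModules = true;
            ProtectKernelLogs = true;
            ProtectControlGroups = true;
            # Hide other processes in /proc and forbid creating new namespaces;
            # both were missing from the original hardening set.
            ProtectProc = "invisible";
            RestrictNamespaces = true;
            # One family per element; NixOS joins the list with spaces. The
            # original put all three in a single string, which happened to
            # serialize identically but is not the documented list form.
            RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
            LockPersonality = true;
            # Forbids writable+executable mappings. This would break a runtime
            # that JITs; revisit if pkgs/pubcached.nix changes implementation.
            MemoryDenyWriteExecute = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            PrivateMounts = true;

            # System Call Filtering: a single deny list; the leading "~"
            # applies to every group on the line.
            SystemCallArchitectures = "native";
            SystemCallFilter = [
              "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"
            ];
          };
        };
      };
    };

    # Conventional flake output name; `nixosModule` is kept for consumers
    # that already reference the older attribute.
    nixosModules.default = self.nixosModule;

    packages = forAllSystems (system: let
      pkgs = import nixpkgs { inherit system; };
    in {
      pubcached = pkgs.callPackage ./pkgs/pubcached.nix {};
      default = self.packages.${system}.pubcached;
    });
  };
}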