2019-05-24 21:17:51 +02:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.services.spacecookie;
|
|
|
|
configFile = pkgs.writeText "spacecookie.json" (lib.generators.toJSON {} {
|
|
|
|
inherit (cfg) hostname port root;
|
|
|
|
});
|
|
|
|
in {
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
|
|
services.spacecookie = {
|
|
|
|
|
|
|
|
enable = mkEnableOption "spacecookie";
|
|
|
|
|
|
|
|
hostname = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "localhost";
|
2020-12-28 00:08:45 +01:00
|
|
|
description = ''
|
|
|
|
The hostname the service is reachable via. Clients
|
|
|
|
will use this hostname for further requests after
|
|
|
|
loading the initial gopher menu.
|
|
|
|
'';
|
2019-05-24 21:17:51 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
port = mkOption {
|
|
|
|
type = types.port;
|
|
|
|
default = 70;
|
2020-12-28 00:08:45 +01:00
|
|
|
description = ''
|
|
|
|
Port the gopher service should be exposed on. The
|
|
|
|
firewall is not opened automatically.
|
|
|
|
'';
|
2019-05-24 21:17:51 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
root = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "/srv/gopher";
|
2020-12-28 00:08:45 +01:00
|
|
|
description = ''
|
|
|
|
The root directory spacecookie serves via gopher.
|
|
|
|
'';
|
2019-05-24 21:17:51 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
|
|
|
systemd.sockets.spacecookie = {
|
|
|
|
description = "Socket for the Spacecookie Gopher Server";
|
|
|
|
wantedBy = [ "sockets.target" ];
|
|
|
|
listenStreams = [ "[::]:${toString cfg.port}" ];
|
|
|
|
socketConfig = {
|
|
|
|
BindIPv6Only = "both";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.services.spacecookie = {
|
|
|
|
description = "Spacecookie Gopher Server";
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
requires = [ "spacecookie.socket" ];
|
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "notify";
|
|
|
|
ExecStart = "${pkgs.haskellPackages.spacecookie}/bin/spacecookie ${configFile}";
|
|
|
|
FileDescriptorStoreMax = 1;
|
|
|
|
|
|
|
|
DynamicUser = true;
|
|
|
|
|
|
|
|
ProtectSystem = "strict";
|
|
|
|
ProtectHome = true;
|
|
|
|
PrivateTmp = true;
|
|
|
|
PrivateDevices = true;
|
|
|
|
PrivateMounts = true;
|
|
|
|
PrivateUsers = true;
|
|
|
|
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
|
|
|
|
CapabilityBoundingSet = "";
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
LockPersonality = true;
|
|
|
|
RestrictRealtime = true;
|
|
|
|
|
|
|
|
# AF_UNIX for communication with systemd
|
|
|
|
# AF_INET replaced by BindIPv6Only=both
|
|
|
|
RestrictAddressFamilies = "AF_UNIX AF_INET6";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|