nixos/mollysocket: init
This commit is contained in:
parent
d39618aa2d
commit
078994248a
6 changed files with 169 additions and 0 deletions
|
@ -87,6 +87,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
|
||||||
|
|
||||||
- [transfer-sh](https://github.com/dutchcoders/transfer.sh), a tool that supports easy and fast file sharing from the command-line. Available as [services.transfer-sh](#opt-services.transfer-sh.enable).
|
- [transfer-sh](https://github.com/dutchcoders/transfer.sh), a tool that supports easy and fast file sharing from the command-line. Available as [services.transfer-sh](#opt-services.transfer-sh.enable).
|
||||||
|
|
||||||
|
- [MollySocket](https://github.com/mollyim/mollysocket) which allows getting Signal notifications via UnifiedPush.
|
||||||
|
|
||||||
- [Suwayomi Server](https://github.com/Suwayomi/Suwayomi-Server), a free and open source manga reader server that runs extensions built for [Tachiyomi](https://tachiyomi.org). Available as [services.suwayomi-server](#opt-services.suwayomi-server.enable).
|
- [Suwayomi Server](https://github.com/Suwayomi/Suwayomi-Server), a free and open source manga reader server that runs extensions built for [Tachiyomi](https://tachiyomi.org). Available as [services.suwayomi-server](#opt-services.suwayomi-server.enable).
|
||||||
|
|
||||||
- [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable).
|
- [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable).
|
||||||
|
|
|
@ -726,6 +726,7 @@
|
||||||
./services/misc/mbpfan.nix
|
./services/misc/mbpfan.nix
|
||||||
./services/misc/mediatomb.nix
|
./services/misc/mediatomb.nix
|
||||||
./services/misc/metabase.nix
|
./services/misc/metabase.nix
|
||||||
|
./services/misc/mollysocket.nix
|
||||||
./services/misc/moonraker.nix
|
./services/misc/moonraker.nix
|
||||||
./services/misc/mqtt2influxdb.nix
|
./services/misc/mqtt2influxdb.nix
|
||||||
./services/misc/n8n.nix
|
./services/misc/n8n.nix
|
||||||
|
|
133
nixos/modules/services/misc/mollysocket.nix
Normal file
133
nixos/modules/services/misc/mollysocket.nix
Normal file
|
@ -0,0 +1,133 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
inherit (lib) getExe mkIf mkOption mkEnableOption optionals types;
|
||||||
|
|
||||||
|
cfg = config.services.mollysocket;
|
||||||
|
configuration = format.generate "mollysocket.conf" cfg.settings;
|
||||||
|
format = pkgs.formats.toml { };
|
||||||
|
package = pkgs.writeShellScriptBin "mollysocket" ''
|
||||||
|
MOLLY_CONF=${configuration} exec ${getExe pkgs.mollysocket} "$@"
|
||||||
|
'';
|
||||||
|
in {
|
||||||
|
options.services.mollysocket = {
|
||||||
|
enable = mkEnableOption ''
|
||||||
|
[MollySocket](https://github.com/mollyim/mollysocket) for getting Signal
|
||||||
|
notifications via UnifiedPush
|
||||||
|
'';
|
||||||
|
|
||||||
|
settings = mkOption {
|
||||||
|
default = { };
|
||||||
|
description = ''
|
||||||
|
Configuration for MollySocket. Available options are listed
|
||||||
|
[here](https://github.com/mollyim/mollysocket#configuration).
|
||||||
|
'';
|
||||||
|
type = types.submodule {
|
||||||
|
freeformType = format.type;
|
||||||
|
options = {
|
||||||
|
host = mkOption {
|
||||||
|
default = "127.0.0.1";
|
||||||
|
description = "Listening address of the web server";
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
|
||||||
|
port = mkOption {
|
||||||
|
default = 8020;
|
||||||
|
description = "Listening port of the web server";
|
||||||
|
type = types.port;
|
||||||
|
};
|
||||||
|
|
||||||
|
allowed_endpoints = mkOption {
|
||||||
|
default = [ "*" ];
|
||||||
|
description = "List of UnifiedPush servers";
|
||||||
|
example = [ "https://ntfy.sh" ];
|
||||||
|
type = with types; listOf str;
|
||||||
|
};
|
||||||
|
|
||||||
|
allowed_uuids = mkOption {
|
||||||
|
default = [ "*" ];
|
||||||
|
description = "UUIDs of Signal accounts that may use this server";
|
||||||
|
example = [ "abcdef-12345-tuxyz-67890" ];
|
||||||
|
type = with types; listOf str;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
environmentFile = mkOption {
|
||||||
|
default = null;
|
||||||
|
description = ''
|
||||||
|
Environment file (see {manpage}`systemd.exec(5)` "EnvironmentFile="
|
||||||
|
section for the syntax) passed to the service. This option can be
|
||||||
|
used to safely include secrets in the configuration.
|
||||||
|
'';
|
||||||
|
example = "/run/secrets/mollysocket";
|
||||||
|
type = with types; nullOr path;
|
||||||
|
};
|
||||||
|
|
||||||
|
logLevel = mkOption {
|
||||||
|
default = "info";
|
||||||
|
description = "Set the {env}`RUST_LOG` environment variable";
|
||||||
|
example = "debug";
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
environment.systemPackages = [
|
||||||
|
package
|
||||||
|
];
|
||||||
|
|
||||||
|
# see https://github.com/mollyim/mollysocket/blob/main/mollysocket.service
|
||||||
|
systemd.services.mollysocket = {
|
||||||
|
description = "MollySocket";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network-online.target" ];
|
||||||
|
wants = [ "network-online.target" ];
|
||||||
|
environment.RUST_LOG = cfg.logLevel;
|
||||||
|
serviceConfig = let
|
||||||
|
capabilities = [ "" ] ++ optionals (cfg.settings.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
|
||||||
|
in {
|
||||||
|
EnvironmentFile = cfg.environmentFile;
|
||||||
|
ExecStart = "${getExe package} server";
|
||||||
|
KillSignal = "SIGINT";
|
||||||
|
Restart = "on-failure";
|
||||||
|
StateDirectory = "mollysocket";
|
||||||
|
TimeoutStopSec = 5;
|
||||||
|
WorkingDirectory = "/var/lib/mollysocket";
|
||||||
|
|
||||||
|
# hardening
|
||||||
|
AmbientCapabilities = capabilities;
|
||||||
|
CapabilityBoundingSet = capabilities;
|
||||||
|
DevicePolicy = "closed";
|
||||||
|
DynamicUser = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProcSubset = "pid";
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
|
||||||
|
UMask = "0077";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
meta.maintainers = with lib.maintainers; [ dotlambda ];
|
||||||
|
}
|
|
@ -540,6 +540,7 @@ in {
|
||||||
mobilizon = handleTest ./mobilizon.nix {};
|
mobilizon = handleTest ./mobilizon.nix {};
|
||||||
mod_perl = handleTest ./mod_perl.nix {};
|
mod_perl = handleTest ./mod_perl.nix {};
|
||||||
molly-brown = handleTest ./molly-brown.nix {};
|
molly-brown = handleTest ./molly-brown.nix {};
|
||||||
|
mollysocket = handleTest ./mollysocket.nix { };
|
||||||
monado = handleTest ./monado.nix {};
|
monado = handleTest ./monado.nix {};
|
||||||
monica = handleTest ./web-apps/monica.nix {};
|
monica = handleTest ./web-apps/monica.nix {};
|
||||||
mongodb = handleTest ./mongodb.nix {};
|
mongodb = handleTest ./mongodb.nix {};
|
||||||
|
|
27
nixos/tests/mollysocket.nix
Normal file
27
nixos/tests/mollysocket.nix
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
import ./make-test-python.nix ({ pkgs, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
port = 1234;
|
||||||
|
in {
|
||||||
|
name = "mollysocket";
|
||||||
|
meta.maintainers = with lib.maintainers; [ dotlambda ];
|
||||||
|
|
||||||
|
nodes.mollysocket = { ... }: {
|
||||||
|
services.mollysocket = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
inherit port;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = ''
|
||||||
|
import json
|
||||||
|
|
||||||
|
mollysocket.wait_for_unit("mollysocket.service")
|
||||||
|
mollysocket.wait_for_open_port(${toString port})
|
||||||
|
|
||||||
|
out = mollysocket.succeed("curl --fail http://127.0.0.1:${toString port}")
|
||||||
|
assert json.loads(out)["mollysocket"]["version"] == "${toString pkgs.mollysocket.version}"
|
||||||
|
'';
|
||||||
|
})
|
|
@ -6,6 +6,7 @@
|
||||||
, sqlite
|
, sqlite
|
||||||
, stdenv
|
, stdenv
|
||||||
, darwin
|
, darwin
|
||||||
|
, nixosTests
|
||||||
}:
|
}:
|
||||||
|
|
||||||
rustPlatform.buildRustPackage rec {
|
rustPlatform.buildRustPackage rec {
|
||||||
|
@ -42,6 +43,10 @@ rustPlatform.buildRustPackage rec {
|
||||||
"--skip=ws::tls::tests::connect_trusted_server"
|
"--skip=ws::tls::tests::connect_trusted_server"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
passthru.tests = {
|
||||||
|
inherit (nixosTests) mollysocket;
|
||||||
|
};
|
||||||
|
|
||||||
meta = {
|
meta = {
|
||||||
changelog = "https://github.com/mollyim/mollysocket/releases/tag/${version}";
|
changelog = "https://github.com/mollyim/mollysocket/releases/tag/${version}";
|
||||||
description = "Get Signal notifications via UnifiedPush";
|
description = "Get Signal notifications via UnifiedPush";
|
||||||
|
|
Loading…
Reference in a new issue