Merge pull request #283660 from ocfox/transfer

2024-03-01 13:36:03 +01:00 · 2024-03-01 13:36:03 +01:00 · 51e92056db
commit 51e92056db
parent 8beb4562d9 77013c442e
6 changed files with 162 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -81,6 +81,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).
 The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares.

+- [transfer-sh](https://github.com/dutchcoders/transfer.sh), a tool that supports easy and fast file sharing from the command-line. Available as [services.transfer-sh](#opt-services.transfer-sh.enable).
+
 - [Suwayomi Server](https://github.com/Suwayomi/Suwayomi-Server), a free and open source manga reader server that runs extensions built for [Tachiyomi](https://tachiyomi.org). Available as [services.suwayomi-server](#opt-services.suwayomi-server.enable).

 - [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable).
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -786,6 +786,7 @@
  ./services/misc/tiddlywiki.nix
  ./services/misc/tp-auto-kbbl.nix
  ./services/misc/tuxclocker.nix
+  ./services/misc/transfer-sh.nix
  ./services/misc/tzupdate.nix
  ./services/misc/uhub.nix
  ./services/misc/weechat.nix
--- a/nixos/modules/services/misc/transfer-sh.nix
+++ b/nixos/modules/services/misc/transfer-sh.nix
@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.transfer-sh;
+  inherit (lib)
+    mkDefault mkEnableOption mkPackageOption mkIf mkOption
+    types mapAttrs isBool getExe boolToString mdDoc optionalAttrs;
+in
+{
+  options.services.transfer-sh = {
+    enable = mkEnableOption (mdDoc "Easy and fast file sharing from the command-line");
+
+    package = mkPackageOption pkgs "transfer-sh" { };
+
+    settings = mkOption {
+      type = types.submodule { freeformType = with types; attrsOf (oneOf [ bool int str ]); };
+      default = { };
+      example = {
+        LISTENER = ":8080";
+        BASEDIR = "/var/lib/transfer.sh";
+        TLS_LISTENER_ONLY = false;
+      };
+      description = mdDoc ''
+        Additional configuration for transfer-sh, see
+        <https://github.com/dutchcoders/transfer.sh#usage-1>
+        for supported values.
+
+        For secrets use secretFile option instead.
+      '';
+    };
+
+    provider = mkOption {
+      type = types.enum [ "local" "s3" "storj" "gdrive" ];
+      default = "local";
+      description = mdDoc "Storage providers to use";
+    };
+
+    secretFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "/run/secrets/transfer-sh.env";
+      description = mdDoc ''
+        Path to file containing environment variables.
+        Useful for passing down secrets.
+        Some variables that can be considered secrets are:
+         - AWS_ACCESS_KEY
+         - AWS_ACCESS_KEY
+         - TLS_PRIVATE_KEY
+         - HTTP_AUTH_HTPASSWD
+      '';
+    };
+  };
+
+  config =
+    let
+      localProvider = (cfg.provider == "local");
+      stateDirectory = "/var/lib/transfer.sh";
+    in
+    mkIf cfg.enable
+      {
+        services.transfer-sh.settings = {
+          LISTENER = mkDefault ":8080";
+        } // optionalAttrs localProvider {
+          BASEDIR = mkDefault stateDirectory;
+        };
+
+        systemd.services.transfer-sh = {
+          after = [ "network.target" ];
+          wantedBy = [ "multi-user.target" ];
+          environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
+          serviceConfig = {
+            CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+            DevicePolicy = "closed";
+            DynamicUser = true;
+            ExecStart = "${getExe cfg.package} --provider ${cfg.provider}";
+            LockPersonality = true;
+            MemoryDenyWriteExecute = true;
+            PrivateDevices = true;
+            PrivateUsers = true;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectProc = "invisible";
+            RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            SystemCallArchitectures = [ "native" ];
+            SystemCallFilter = [ "@system-service" ];
+            StateDirectory = baseNameOf stateDirectory;
+          } // optionalAttrs (cfg.secretFile != null) {
+            EnvironmentFile = cfg.secretFile;
+          } // optionalAttrs localProvider {
+            ReadWritePaths = cfg.settings.BASEDIR;
+          };
+        };
+      };
+
+  meta.maintainers = with lib.maintainers; [ ocfox ];
+}
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -916,6 +916,7 @@ in {
  tor = handleTest ./tor.nix {};
  traefik = handleTestOn ["aarch64-linux" "x86_64-linux"] ./traefik.nix {};
  trafficserver = handleTest ./trafficserver.nix {};
+  transfer-sh = handleTest ./transfer-sh.nix {};
  transmission = handleTest ./transmission.nix { transmission = pkgs.transmission; };
  transmission_4 = handleTest ./transmission.nix { transmission = pkgs.transmission_4; };
  # tracee requires bpf
--- a/nixos/tests/transfer-sh.nix
+++ b/nixos/tests/transfer-sh.nix
@ -0,0 +1,20 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+  name = "transfer-sh";
+
+  meta = {
+    maintainers = with lib.maintainers; [ ocfox ];
+  };
+
+  nodes.machine = { pkgs, ... }: {
+    services.transfer-sh = {
+      enable = true;
+      settings.LISTENER = ":1234";
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("transfer-sh.service")
+    machine.wait_for_open_port(1234)
+    machine.succeed("curl --fail http://localhost:1234/")
+  '';
+})
--- a/pkgs/by-name/tr/transfer-sh/package.nix
+++ b/pkgs/by-name/tr/transfer-sh/package.nix
@ -0,0 +1,36 @@
+{ lib
+, fetchFromGitHub
+, buildGoModule
+, nix-update-script
+, nixosTests
+}:
+
+buildGoModule rec {
+  pname = "transfer-sh";
+  version = "1.6.1";
+
+  src = fetchFromGitHub {
+    owner = "dutchcoders";
+    repo = "transfer.sh";
+    rev = "v${version}";
+    hash = "sha256-V8E6RwzxKB6KeGPer5074e7y6XHn3ZD24PQMwTxw5lQ=";
+  };
+
+  vendorHash = "sha256-C8ZfUIGT9HiQQiJ2hk18uwGaQzNCIKp/Jiz6ePZkgDQ=";
+
+  passthru = {
+    tests = {
+      inherit (nixosTests) transfer-sh;
+    };
+    updateScript = nix-update-script { };
+  };
+
+  meta = with lib; {
+    description = "Easy and fast file sharing and pastebin server with access from the command-line";
+    homepage = "https://github.com/dutchcoders/transfer.sh";
+    changelog = "https://github.com/dutchcoders/transfer.sh/releases";
+    mainProgram = "transfer.sh";
+    license = licenses.mit;
+    maintainers = with maintainers; [ ocfox pinpox ];
+  };
+}