nixos/modules/services/networking/alice-lg.nix

   1 { config, lib, pkgs, ... }:
   2 let
   3   cfg = config.services.alice-lg;
   4   settingsFormat = pkgs.formats.ini { };
   5 in
   6 {
   7   options = {
   8     services.alice-lg = {
   9       enable = lib.mkEnableOption "Alice Looking Glass";
  10
  11       package = lib.mkPackageOption pkgs "alice-lg" { };
  12
  13       settings = lib.mkOption {
  14         type = settingsFormat.type;
  15         default = { };
  16         description = ''
  17           alice-lg configuration, for configuration options see the example on [github](https://github.com/alice-lg/alice-lg/blob/main/etc/alice-lg/alice.example.conf)
  18         '';
  19         example = lib.literalExpression ''
  20           {
  21             server = {
  22               # configures the built-in webserver and provides global application settings
  23               listen_http = "127.0.0.1:7340";
  24               enable_prefix_lookup = true;
  25               asn = 9033;
  26               store_backend = postgres;
  27               routes_store_refresh_parallelism = 5;
  28               neighbors_store_refresh_parallelism = 10000;
  29               routes_store_refresh_interval = 5;
  30               neighbors_store_refresh_interval = 5;
  31             };
  32             postgres = {
  33               url = "postgres://postgres:postgres@localhost:5432/alice";
  34               min_connections = 2;
  35               max_connections = 128;
  36             };
  37             pagination = {
  38               routes_filtered_page_size = 250;
  39               routes_accepted_page_size = 250;
  40               routes_not_exported_page_size = 250;
  41             };
  42           }
  43         '';
  44       };
  45     };
  46   };
  47
  48   config = lib.mkIf cfg.enable {
  49     environment = {
  50       etc."alice-lg/alice.conf".source = settingsFormat.generate "alice-lg.conf" cfg.settings;
  51     };
  52     systemd.services = {
  53       alice-lg = {
  54         wants = [ "network.target" ];
  55         after = [ "network.target" ];
  56         wantedBy = [ "multi-user.target" ];
  57         description = "Alice Looking Glass";
  58         serviceConfig = {
  59           DynamicUser = true;
  60           Type = "simple";
  61           Restart = "on-failure";
  62           RestartSec = 15;
  63           ExecStart = "${cfg.package}/bin/alice-lg";
  64           StateDirectoryMode = "0700";
  65           UMask = "0007";
  66           CapabilityBoundingSet = "";
  67           NoNewPrivileges = true;
  68           ProtectSystem = "strict";
  69           PrivateTmp = true;
  70           PrivateDevices = true;
  71           PrivateUsers = true;
  72           ProtectHostname = true;
  73           ProtectClock = true;
  74           ProtectKernelTunables = true;
  75           ProtectKernelModules = true;
  76           ProtectKernelLogs = true;
  77           ProtectControlGroups = true;
  78           RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
  79           LockPersonality = true;
  80           MemoryDenyWriteExecute = true;
  81           RestrictRealtime = true;
  82           RestrictSUIDSGID = true;
  83           PrivateMounts = true;
  84           SystemCallArchitectures = "native";
  85           SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
  86           BindReadOnlyPaths = [
  87             "-/etc/resolv.conf"
  88             "-/etc/nsswitch.conf"
  89             "-/etc/ssl/certs"
  90             "-/etc/static/ssl/certs"
  91             "-/etc/hosts"
  92             "-/etc/localtime"
  93           ];
  94         };
  95       };
  96     };
  97   };
  98 }