1 { config, lib, pkgs, ... }:
3 with lib;
5 let
7   cfg = config.services.manticore;
8   format = pkgs.formats.json { };
10   toSphinx = {
11     mkKeyValue    ? mkKeyValueDefault {} "=",
12     listsAsDuplicateKeys ? true
13   }: attrsOfAttrs:
14     let
15         # map function to string for each key val
16         mapAttrsToStringsSep = sep: mapFn: attrs:
17           concatStringsSep sep
18             (mapAttrsToList mapFn attrs);
19         mkSection = sectName: sectValues: ''
20           ${sectName} {
21         '' + lib.generators.toKeyValue { inherit mkKeyValue listsAsDuplicateKeys; } sectValues + ''}'';
22     in
23       # map input to ini sections
24       mapAttrsToStringsSep "\n" mkSection attrsOfAttrs;
26   configFile = pkgs.writeText "manticore.conf" (
27     toSphinx {
28         mkKeyValue = k: v: "  ${k} = ${v}";
29     } cfg.settings
30   );
32 in {
34   options = {
35     services.manticore = {
37       enable = mkEnableOption "Manticoresearch";
39       settings = mkOption {
40         default = {
41           searchd = {
42             listen = [
43               "127.0.0.1:9312"
44               "127.0.0.1:9306:mysql"
45               "127.0.0.1:9308:http"
46             ];
47             log = "/var/log/manticore/searchd.log";
48             query_log = "/var/log/manticore/query.log";
49             pid_file = "/run/manticore/searchd.pid";
50             data_dir = "/var/lib/manticore";
51           };
52         };
53         description = ''
54           Configuration for Manticoresearch. See
55           <https://manual.manticoresearch.com/Server%20settings>
56           for more information.
57         '';
58         type = types.submodule {
59           freeformType = format.type;
60         };
61         example = literalExpression ''
62           {
63             searchd = {
64                 listen = [
65                   "127.0.0.1:9312"
66                   "127.0.0.1:9306:mysql"
67                   "127.0.0.1:9308:http"
68                 ];
69                 log = "/var/log/manticore/searchd.log";
70                 query_log = "/var/log/manticore/query.log";
71                 pid_file = "/run/manticore/searchd.pid";
72                 data_dir = "/var/lib/manticore";
73             };
74           }
75         '';
76       };
78     };
79   };
81   config = mkIf cfg.enable {
83     systemd = {
84       packages = [ pkgs.manticoresearch ];
85       services.manticore = {
86         wantedBy = [ "multi-user.target" ];
87         after = [ "network.target" ];
88         serviceConfig = {
89           ExecStart = [
90             ""
91             "${pkgs.manticoresearch}/bin/searchd --config ${configFile}"
92           ];
93           ExecStop = [
94             ""
95             "${pkgs.manticoresearch}/bin/searchd --config ${configFile} --stopwait"
96           ];
97           ExecStartPre = [ "" ];
98           DynamicUser = true;
99           LogsDirectory = "manticore";
100           RuntimeDirectory = "manticore";
101           StateDirectory = "manticore";
102           ReadWritePaths = "";
103           CapabilityBoundingSet = "";
104           RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
105           RestrictNamespaces = true;
106           PrivateDevices = true;
107           PrivateUsers = true;
108           ProtectClock = true;
109           ProtectControlGroups = true;
110           ProtectHome = true;
111           ProtectKernelLogs = true;
112           ProtectKernelModules = true;
113           ProtectKernelTunables = true;
114           SystemCallArchitectures = "native";
115           SystemCallFilter = [ "@system-service" "~@privileged" ];
116           RestrictRealtime = true;
117           LockPersonality = true;
118           MemoryDenyWriteExecute = true;
119           UMask = "0066";
120           ProtectHostname = true;
121         } // lib.optionalAttrs (cfg.settings.searchd.pid_file != null) {
122           PIDFile = cfg.settings.searchd.pid_file;
123         };
124       };
125     };
127   };
129   meta.maintainers = with lib.maintainers; [ onny ];