2   config,
3   lib,
4   pkgs,
5   ...
6 }:
7 let
8   cfg = config.services.glance;
10   inherit (lib)
11     mkEnableOption
12     mkPackageOption
13     mkOption
14     mkIf
15     getExe
16     types
17     ;
19   settingsFormat = pkgs.formats.yaml { };
22   options.services.glance = {
23     enable = mkEnableOption "glance";
24     package = mkPackageOption pkgs "glance" { };
26     settings = mkOption {
27       type = types.submodule {
28         freeformType = settingsFormat.type;
29         options = {
30           server = {
31             host = mkOption {
32               description = "Glance bind address";
33               default = "127.0.0.1";
34               example = "0.0.0.0";
35               type = types.str;
36             };
37             port = mkOption {
38               description = "Glance port to listen on";
39               default = 8080;
40               example = 5678;
41               type = types.port;
42             };
43           };
44           pages = mkOption {
45             type = settingsFormat.type;
46             description = ''
47               List of pages to be present on the dashboard.
49               See <https://github.com/glanceapp/glance/blob/main/docs/configuration.md#pages--columns>
50             '';
51             default = [
52               {
53                 name = "Calendar";
54                 columns = [
55                   {
56                     size = "full";
57                     widgets = [ { type = "calendar"; } ];
58                   }
59                 ];
60               }
61             ];
62             example = [
63               {
64                 name = "Home";
65                 columns = [
66                   {
67                     size = "full";
68                     widgets = [
69                       { type = "calendar"; }
70                       {
71                         type = "weather";
72                         location = "Nivelles, Belgium";
73                       }
74                     ];
75                   }
76                 ];
77               }
78             ];
79           };
80         };
81       };
82       default = { };
83       description = ''
84         Configuration written to a yaml file that is read by glance. See
85         <https://github.com/glanceapp/glance/blob/main/docs/configuration.md>
86         for more.
87       '';
88     };
90     openFirewall = mkOption {
91       type = types.bool;
92       default = false;
93       description = ''
94         Whether to open the firewall for Glance.
95         This adds `services.glance.settings.server.port` to `networking.firewall.allowedTCPPorts`.
96       '';
97     };
98   };
100   config = mkIf cfg.enable {
101     systemd.services.glance = {
102       description = "Glance feed dashboard server";
103       wantedBy = [ "multi-user.target" ];
104       after = [ "network.target" ];
106       serviceConfig = {
107         ExecStart =
108           let
109             glance-yaml = settingsFormat.generate "glance.yaml" cfg.settings;
110           in
111           "${getExe cfg.package} --config ${glance-yaml}";
112         WorkingDirectory = "/var/lib/glance";
113         StateDirectory = "glance";
114         RuntimeDirectory = "glance";
115         RuntimeDirectoryMode = "0755";
116         PrivateTmp = true;
117         DynamicUser = true;
118         DevicePolicy = "closed";
119         LockPersonality = true;
120         MemoryDenyWriteExecute = true;
121         PrivateUsers = true;
122         ProtectHome = true;
123         ProtectHostname = true;
124         ProtectKernelLogs = true;
125         ProtectKernelModules = true;
126         ProtectKernelTunables = true;
127         ProtectControlGroups = true;
128         ProcSubset = "pid";
129         RestrictNamespaces = true;
130         RestrictRealtime = true;
131         SystemCallArchitectures = "native";
132         UMask = "0077";
133       };
134     };
136     networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.settings.server.port ]; };
137   };
  # Manual chapter rendered for this module and the people to ping on changes.
  meta.doc = ./glance.md;
  meta.maintainers = [ lib.maintainers.drupol ];