2   config,
3   lib,
4   pkgs,
5   ...
6 }:
8 let
9   cfg = config.services.stirling-pdf;
12   options.services.stirling-pdf = {
13     enable = lib.mkEnableOption "the stirling-pdf service";
15     package = lib.mkPackageOption pkgs "stirling-pdf" { };
17     environment = lib.mkOption {
18       type = lib.types.attrsOf (
19         lib.types.oneOf [
20           lib.types.str
21           lib.types.int
22         ]
23       );
24       default = { };
25       example = {
26         SERVER_PORT = 8080;
27         INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true";
28       };
29       description = ''
30         Environment variables for the stirling-pdf app.
31         See https://github.com/Stirling-Tools/Stirling-PDF#customisation for available options.
32       '';
33     };
35     environmentFiles = lib.mkOption {
36       type = lib.types.listOf lib.types.path;
37       default = [ ];
38       description = ''
39         Files containing additional environment variables to pass to Stirling PDF.
40         Secrets should be added in environmentFiles instead of environment.
41       '';
42     };
43   };
45   config = lib.mkIf cfg.enable {
46     systemd.services.stirling-pdf = {
47       environment = lib.mapAttrs (_: toString) cfg.environment;
49       # following https://github.com/Stirling-Tools/Stirling-PDF#locally
50       path =
51         with pkgs;
52         [
53           unpaper
54           libreoffice
55           ocrmypdf
56           poppler_utils
57           unoconv
58           opencv
59           pngquant
60           tesseract
61           python3Packages.weasyprint
62           ghostscript_headless
63         ]
64         ++ lib.optional (cfg.environment.INSTALL_BOOK_AND_ADVANCED_HTML_OPS or "false" == "true") calibre;
66       wantedBy = [ "multi-user.target" ];
68       serviceConfig = {
69         BindReadOnlyPaths = [ "${pkgs.tesseract}/share/tessdata:/usr/share/tessdata" ];
70         CacheDirectory = "stirling-pdf";
71         Environment = [ "HOME=%S/stirling-pdf" ];
72         EnvironmentFile = cfg.environmentFiles;
73         ExecStart = lib.getExe cfg.package;
74         RuntimeDirectory = "stirling-pdf";
75         StateDirectory = "stirling-pdf";
76         SuccessExitStatus = 143;
77         User = "stirling-pdf";
78         WorkingDirectory = "/var/lib/stirling-pdf";
80         # Hardening
81         CapabilityBoundingSet = "";
82         DynamicUser = true;
83         LockPersonality = true;
84         NoNewPrivileges = true;
85         PrivateDevices = true;
86         PrivateUsers = true;
87         ProcSubset = "pid";
88         ProtectClock = true;
89         ProtectControlGroups = true;
90         ProtectHome = true;
91         ProtectHostname = true;
92         ProtectKernelLogs = true;
93         ProtectKernelModules = true;
94         ProtectKernelTunables = true;
95         ProtectProc = "invisible";
96         RestrictAddressFamilies = [
97           "AF_INET"
98           "AF_INET6"
99           "AF_UNIX"
100         ];
101         RestrictNamespaces = true;
102         RestrictRealtime = true;
103         SystemCallArchitectures = "native";
104         SystemCallFilter = [
105           "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources @clock @setuid @chown"
106         ];
107         UMask = "0077";
108       };
109     };
110   };
112   meta.maintainers = with lib.maintainers; [ DCsunset ];