1 { config, lib, pkgs, ... }:
7 cfg = config.services.parsoid;
9 parsoid = pkgs.nodePackages.parsoid;
12 worker_heartbeat_timeout = 300000;
13 logging = { level = "info"; };
15 module = "lib/index.js";
16 entrypoint = "apiServiceWorker";
18 mwApis = map (x: if isAttrs x then x else { uri = x; }) cfg.wikis;
19 serverInterface = cfg.interface;
20 serverPort = cfg.port;
25 confFile = pkgs.writeText "config.yml" (builtins.toJSON (recursiveUpdate confTree cfg.extraConfig));
30 (mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] "Use services.parsoid.wikis instead")
42 description = lib.mdDoc ''
43 Whether to enable Parsoid -- bidirectional
49 type = types.listOf (types.either types.str types.attrs);
50 example = [ "http://localhost/api.php" ];
51 description = lib.mdDoc ''
52 Used MediaWiki API endpoints.
59 description = lib.mdDoc ''
60 Number of Parsoid workers.
64 interface = mkOption {
66 default = "127.0.0.1";
67 description = lib.mdDoc ''
68 Interface to listen on.
75 description = lib.mdDoc ''
80 extraConfig = mkOption {
83 description = lib.mdDoc ''
84 Extra configuration to add to parsoid configuration.
94 config = mkIf cfg.enable {
96 systemd.services.parsoid = {
97 description = "Bidirectional wikitext parser";
98 wantedBy = [ "multi-user.target" ];
99 after = [ "network.target" ];
101 ExecStart = "${parsoid}/lib/node_modules/parsoid/bin/server.js -c ${confFile} -n ${toString cfg.workers}";
107 CapabilityBoundingSet = "";
108 NoNewPrivileges = true;
109 ProtectSystem = "strict";
112 PrivateDevices = true;
113 ProtectHostname = true;
114 ProtectKernelTunables = true;
115 ProtectKernelModules = true;
116 ProtectControlGroups = true;
117 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
118 RestrictNamespaces = true;
119 LockPersonality = true;
120 #MemoryDenyWriteExecute = true;
121 RestrictRealtime = true;
122 RestrictSUIDSGID = true;