1 { config, pkgs, lib, ... }:
# Shorthand for the option values declared under services.plikd.
6 cfg = config.services.plikd;
# TOML generator from nixpkgs, used to serialize the settings attribute set.
8 format = pkgs.formats.toml {};
# Renders cfg.settings to a file named "plikd.cfg"; the resulting path is
# passed to the daemon through --config in ExecStart.
# NOTE(review): format.generate produces a Nix store path, and the store is
# readable by every local user. Any secret placed in services.plikd.settings
# (for example a ConnectionString that carries database credentials) is
# therefore exposed on the host. This excerpt shows no mechanism for loading
# secrets from a file outside the store.
9 plikdCfg = format.generate "plikd.cfg" cfg.settings;
# Master switch: the whole `config` section is gated on it via mkIf cfg.enable.
14 enable = mkEnableOption (lib.mdDoc "the plikd server");
# Opt-in firewall opening, consumed by the networking.firewall definition.
# The option's type and default are on lines not shown in this excerpt.
16 openFirewall = mkOption {
19 description = lib.mdDoc "Open ports in the firewall for the plikd.";
# Description of the free-form settings that are rendered into plikd.cfg.
# (The option header is not visible here; presumably `settings` - confirm.)
25 description = lib.mdDoc ''
26 Configuration for plikd, see <https://github.com/root-gg/plik/blob/master/server/plikd.cfg>
# Everything below applies only when services.plikd.enable is set.
33 config = mkIf cfg.enable {
# Each top-level value is passed through mkDefault, so a value set elsewhere
# at normal priority overrides the default given here.
34 services.plikd.settings = mapAttrs (name: mkDefault) {
# Loopback-only by default: the upload service is not reachable from other
# hosts unless ListenAddress is overridden.
36 ListenAddress = "localhost";
# Uploaded data is kept under /var/lib/plikd, which matches the unit's
# StateDirectory = "plikd".
39 Directory = "/var/lib/plikd";
41 MetadataBackendConfig = {
# Default is a local database file inside the state directory.
# NOTE(review): if this is replaced by a DSN with credentials, the value is
# written to the generated plikd.cfg in the world-readable Nix store.
43 ConnectionString = "/var/lib/plikd/plik.db";
# systemd unit that runs plikd against the generated configuration file.
47 systemd.services.plikd = {
48 description = "Plikd file sharing server";
49 after = [ "network.target" ];
50 wantedBy = [ "multi-user.target" ];
# plikdCfg is the store path of the TOML file rendered from cfg.settings.
53 ExecStart = "${pkgs.plikd}/bin/plikd --config ${plikdCfg}";
54 Restart = "on-failure";
# systemd creates /var/lib/plikd and /var/log/plikd for the unit; these stay
# writable even though ProtectSystem=strict makes the rest read-only.
55 StateDirectory = "plikd";
56 LogsDirectory = "plikd";
# NOTE(review): the lines between LogsDirectory and NoNewPrivileges are not
# shown in this excerpt. Confirm they set User= or DynamicUser= so the
# network-facing daemon does not run as root.
# Blocks privilege gain through setuid/setgid binaries or file capabilities.
60 NoNewPrivileges = "yes";
# Private /dev with only pseudo-devices; DevicePolicy=closed applies the
# matching device cgroup restriction.
62 PrivateDevices = "yes";
63 DevicePolicy = "closed";
# The file system hierarchy is mounted read-only for the service, apart from
# the state and log directories declared above.
64 ProtectSystem = "strict";
# Home directories are read-only but still readable by the service.
# NOTE(review): all data paths visible here are under /var/lib/plikd, so the
# stricter "yes" (homes inaccessible) looks sufficient - confirm and tighten.
65 ProtectHome = "read-only";
66 ProtectControlGroups = "yes";
67 ProtectKernelModules = "yes";
68 ProtectKernelTunables = "yes";
# Socket creation is limited to UNIX, IPv4, IPv6 and netlink.
# NOTE(review): confirm plikd needs AF_NETLINK; drop it from the list if not.
69 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
70 RestrictNamespaces = "yes";
71 RestrictRealtime = "yes";
72 RestrictSUIDSGID = "yes";
# Refuses memory mappings that are writable and executable at the same time.
73 MemoryDenyWriteExecute = "yes";
74 LockPersonality = "yes";
# Firewall rules are only touched when services.plikd.openFirewall is set.
# NOTE(review): the default ListenAddress is "localhost", so opening the port
# has no effect until ListenAddress is also changed. Once both are set, the
# upload service is reachable from every network the firewall covers; review
# the authentication and upload limits in settings before enabling this.
78 networking.firewall = mkIf cfg.openFirewall {
# Uses the configured ListenPort; its default is on a line not shown in this
# excerpt.
79 allowedTCPPorts = [ cfg.settings.ListenPort ];