| blob | 6d1ddc74c719ab10d98a90310bbc69cb467a6a4a |
1 { config, lib, pkgs, ... }:
3 with lib;
5 let
6 cfg = config.services.xandikos;
7 in
8 {
10 options = {
11 services.xandikos = {
12 enable = mkEnableOption (lib.mdDoc "Xandikos CalDAV and CardDAV server");
14 package = mkOption {
15 type = types.package;
16 default = pkgs.xandikos;
17 defaultText = literalExpression "pkgs.xandikos";
18 description = lib.mdDoc "The Xandikos package to use.";
19 };
21 address = mkOption {
22 type = types.str;
23 default = "localhost";
24 description = lib.mdDoc ''
25 The IP address on which Xandikos will listen.
26 By default listens on localhost.
27 '';
28 };
30 port = mkOption {
31 type = types.port;
32 default = 8080;
33 description = lib.mdDoc "The port of the Xandikos web application";
34 };
36 routePrefix = mkOption {
37 type = types.str;
38 default = "/";
39 description = lib.mdDoc ''
40 Path to Xandikos.
41 Useful when Xandikos is behind a reverse proxy.
42 '';
43 };
45 extraOptions = mkOption {
46 default = [];
47 type = types.listOf types.str;
48 example = literalExpression ''
49 [ "--autocreate"
50 "--defaults"
51 "--current-user-principal user"
52 "--dump-dav-xml"
53 ]
54 '';
55 description = lib.mdDoc ''
56 Extra command line arguments to pass to xandikos.
57 '';
58 };
60 nginx = mkOption {
61 default = {};
62 description = lib.mdDoc ''
63 Configuration for nginx reverse proxy.
64 '';
66 type = types.submodule {
67 options = {
68 enable = mkOption {
69 type = types.bool;
70 default = false;
71 description = lib.mdDoc ''
72 Configure the nginx reverse proxy settings.
73 '';
74 };
76 hostName = mkOption {
77 type = types.str;
78 description = lib.mdDoc ''
79 The hostname use to setup the virtualhost configuration
80 '';
81 };
82 };
83 };
84 };
86 };
88 };
90 config = mkIf cfg.enable (
91 mkMerge [
92 {
93 meta.maintainers = with lib.maintainers; [ _0x4A6F ];
95 systemd.services.xandikos = {
96 description = "A Simple Calendar and Contact Server";
97 after = [ "network.target" ];
98 wantedBy = [ "multi-user.target" ];
100 serviceConfig = {
101 User = "xandikos";
102 Group = "xandikos";
103 DynamicUser = "yes";
104 RuntimeDirectory = "xandikos";
105 StateDirectory = "xandikos";
106 StateDirectoryMode = "0700";
107 PrivateDevices = true;
108 # Sandboxing
109 CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
110 ProtectSystem = "strict";
111 ProtectHome = true;
112 PrivateTmp = true;
113 ProtectKernelTunables = true;
114 ProtectKernelModules = true;
115 ProtectControlGroups = true;
116 RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_PACKET AF_NETLINK";
117 RestrictNamespaces = true;
118 LockPersonality = true;
119 MemoryDenyWriteExecute = true;
120 RestrictRealtime = true;
121 RestrictSUIDSGID = true;
122 ExecStart = ''
123 ${cfg.package}/bin/xandikos \
124 --directory /var/lib/xandikos \
125 --listen-address ${cfg.address} \
126 --port ${toString cfg.port} \
127 --route-prefix ${cfg.routePrefix} \
128 ${lib.concatStringsSep " " cfg.extraOptions}
129 '';
130 };
131 };
132 }
134 (
135 mkIf cfg.nginx.enable {
136 services.nginx = {
137 enable = true;
138 virtualHosts."${cfg.nginx.hostName}" = {
139 locations."/" = {
140 proxyPass = "http://${cfg.address}:${toString cfg.port}/";
141 };
142 };
143 };
144 }
145 )
146 ]
147 );
148 }