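# NixOS module for FerretDB (nixos/modules/services/databases/ferretdb.nix).
#
# Declares `services.ferretdb.{enable,package,settings}` and, when enabled,
# runs the daemon as a sandboxed systemd unit under a dynamic user with its
# state in /var/lib/ferretdb.
{ config, pkgs, lib, ... }:
let
  cfg = config.services.ferretdb;
in
{

  meta.maintainers = with lib.maintainers; [ julienmalka camillemndn ];

  options = {
    services.ferretdb = {
      enable = lib.mkEnableOption "FerretDB, an Open Source MongoDB alternative";

      package = lib.mkOption {
        type = lib.types.package;
        example = lib.literalExpression "pkgs.ferretdb";
        default = pkgs.ferretdb;
        # literalExpression makes the manual render the default as Nix code,
        # matching how `example` is declared above.
        defaultText = lib.literalExpression "pkgs.ferretdb";
        description = "FerretDB package to use.";
      };

      # Free-form string attributes; each one is exported verbatim as an
      # environment variable of the unit (see `environment = cfg.settings`).
      # The values are therefore written into the generated unit file in the
      # world-readable Nix store: do not place credentials here (for example
      # a backend URL with an embedded password). Supply those at runtime,
      # e.g. through `systemd.services.ferretdb.serviceConfig.EnvironmentFile`.
      settings = lib.mkOption {
        type =
          lib.types.submodule { freeformType = with lib.types; attrsOf str; };
        example = {
          FERRETDB_LOG_LEVEL = "warn";
          FERRETDB_MODE = "normal";
        };
        description = ''
          Additional configuration for FerretDB, see
          <https://docs.ferretdb.io/configuration/flags/>
          for supported values.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable
    {

      # mkDefault keeps both values overridable from user configuration.
      # The SQLite path points into the unit's StateDirectory below.
      services.ferretdb.settings = {
        FERRETDB_HANDLER = lib.mkDefault "sqlite";
        FERRETDB_SQLITE_URL = lib.mkDefault "file:/var/lib/ferretdb/";
      };

      systemd.services.ferretdb = {
        description = "FerretDB";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        environment = cfg.settings;
        serviceConfig = {
          Type = "simple";
          # With ProtectSystem = "strict" the file system is read-only for the
          # service; StateDirectory is what makes /var/lib/ferretdb writable.
          StateDirectory = "ferretdb";
          WorkingDirectory = "/var/lib/ferretdb";
          ExecStart = "${cfg.package}/bin/ferretdb";
          Restart = "on-failure";

          # Sandboxing.
          ProtectHome = true;
          ProtectSystem = "strict";
          PrivateTmp = true;
          PrivateDevices = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          NoNewPrivileges = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          RemoveIPC = true;
          PrivateMounts = true;
          # No static account: systemd allocates a transient UID/GID per run.
          DynamicUser = true;

          # Low-risk additions for a plain network daemon: forbid changing the
          # execution domain, creating namespaces, and non-native syscall ABIs.
          LockPersonality = true;
          RestrictNamespaces = true;
          SystemCallArchitectures = "native";

          # NOTE(review): RestrictAddressFamilies, SystemCallFilter,
          # CapabilityBoundingSet and MemoryDenyWriteExecute are not set.
          # They would narrow the sandbox further but must first be checked
          # against the listeners and backend actually configured.
        };
      };
    };
}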