| blob | 1b72cd03ba9cf833186b42a615f1c40d0d41b048 |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
8 with lib;
10 let
11 cfg = config.services.xandikos;
12 in
13 {
15 options = {
16 services.xandikos = {
17 enable = mkEnableOption "Xandikos CalDAV and CardDAV server";
19 package = mkPackageOption pkgs "xandikos" { };
21 address = mkOption {
22 type = types.str;
23 default = "localhost";
24 description = ''
25 The IP address on which Xandikos will listen.
26 By default listens on localhost.
27 '';
28 };
30 port = mkOption {
31 type = types.port;
32 default = 8080;
33 description = "The port of the Xandikos web application";
34 };
36 routePrefix = mkOption {
37 type = types.str;
38 default = "/";
39 description = ''
40 Path to Xandikos.
41 Useful when Xandikos is behind a reverse proxy.
42 '';
43 };
45 extraOptions = mkOption {
46 default = [ ];
47 type = types.listOf types.str;
48 example = literalExpression ''
49 [ "--autocreate"
50 "--defaults"
51 "--current-user-principal user"
52 "--dump-dav-xml"
53 ]
54 '';
55 description = ''
56 Extra command line arguments to pass to xandikos.
57 '';
58 };
60 nginx = mkOption {
61 default = { };
62 description = ''
63 Configuration for nginx reverse proxy.
64 '';
66 type = types.submodule {
67 options = {
68 enable = mkOption {
69 type = types.bool;
70 default = false;
71 description = ''
72 Configure the nginx reverse proxy settings.
73 '';
74 };
76 hostName = mkOption {
77 type = types.str;
78 description = ''
79 The hostname use to setup the virtualhost configuration
80 '';
81 };
82 };
83 };
84 };
86 };
88 };
90 config = mkIf cfg.enable (mkMerge [
91 {
92 meta.maintainers = with lib.maintainers; [ _0x4A6F ];
94 systemd.services.xandikos = {
95 description = "A Simple Calendar and Contact Server";
96 after = [ "network.target" ];
97 wantedBy = [ "multi-user.target" ];
99 serviceConfig = {
100 User = "xandikos";
101 Group = "xandikos";
102 DynamicUser = "yes";
103 RuntimeDirectory = "xandikos";
104 StateDirectory = "xandikos";
105 StateDirectoryMode = "0700";
106 PrivateDevices = true;
107 # Sandboxing
108 CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
109 ProtectSystem = "strict";
110 ProtectHome = true;
111 PrivateTmp = true;
112 ProtectKernelTunables = true;
113 ProtectKernelModules = true;
114 ProtectControlGroups = true;
115 RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_PACKET AF_NETLINK";
116 RestrictNamespaces = true;
117 LockPersonality = true;
118 MemoryDenyWriteExecute = true;
119 RestrictRealtime = true;
120 RestrictSUIDSGID = true;
121 ExecStart = ''
122 ${cfg.package}/bin/xandikos \
123 --directory /var/lib/xandikos \
124 --listen-address ${cfg.address} \
125 --port ${toString cfg.port} \
126 --route-prefix ${cfg.routePrefix} \
127 ${lib.concatStringsSep " " cfg.extraOptions}
128 '';
129 };
130 };
131 }
133 (mkIf cfg.nginx.enable {
134 services.nginx = {
135 enable = true;
136 virtualHosts."${cfg.nginx.hostName}" = {
137 locations."/" = {
138 proxyPass = "http://${cfg.address}:${toString cfg.port}/";
139 };
140 };
141 };
142 })
143 ]);
144 }