| blob | 0a0925856e7113816de08a43bac31f5978f348eb |
1 {
2 lib,
3 pkgs,
4 config,
5 ...
6 }:
8 with lib;
10 let
11 cfg = config.services.alps;
12 in
13 {
14 options.services.alps = {
15 enable = mkEnableOption "alps";
17 port = mkOption {
18 type = types.port;
19 default = 1323;
20 description = ''
21 TCP port the service should listen on.
22 '';
23 };
25 bindIP = mkOption {
26 default = "[::]";
27 type = types.str;
28 description = ''
29 The IP the service should listen on.
30 '';
31 };
33 theme = mkOption {
34 type = types.enum [
35 "alps"
36 "sourcehut"
37 ];
38 default = "sourcehut";
39 description = ''
40 The frontend's theme to use.
41 '';
42 };
44 imaps = {
45 port = mkOption {
46 type = types.port;
47 default = 993;
48 description = ''
49 The IMAPS server port.
50 '';
51 };
53 host = mkOption {
54 type = types.str;
55 default = "[::1]";
56 example = "mail.example.org";
57 description = ''
58 The IMAPS server address.
59 '';
60 };
61 };
63 smtps = {
64 port = mkOption {
65 type = types.port;
66 default = 465;
67 description = ''
68 The SMTPS server port.
69 '';
70 };
72 host = mkOption {
73 type = types.str;
74 default = cfg.imaps.host;
75 defaultText = "services.alps.imaps.host";
76 example = "mail.example.org";
77 description = ''
78 The SMTPS server address.
79 '';
80 };
81 };
83 package = mkOption {
84 internal = true;
85 type = types.package;
86 default = pkgs.alps;
87 };
89 args = mkOption {
90 internal = true;
91 type = types.listOf types.str;
92 default = [
93 "-addr"
94 "${cfg.bindIP}:${toString cfg.port}"
95 "-theme"
96 "${cfg.theme}"
97 "imaps://${cfg.imaps.host}:${toString cfg.imaps.port}"
98 "smtps://${cfg.smtps.host}:${toString cfg.smtps.port}"
99 ];
100 };
101 };
103 config = mkIf cfg.enable {
104 systemd.services.alps = {
105 description = "alps is a simple and extensible webmail.";
106 documentation = [ "https://git.sr.ht/~migadu/alps" ];
107 wantedBy = [ "multi-user.target" ];
108 wants = [ "network-online.target" ];
109 after = [
110 "network.target"
111 "network-online.target"
112 ];
114 serviceConfig = {
115 ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";
116 AmbientCapabilities = "";
117 CapabilityBoundingSet = "";
118 DynamicUser = true;
119 LockPersonality = true;
120 MemoryDenyWriteExecute = true;
121 NoNewPrivileges = true;
122 PrivateDevices = true;
123 PrivateIPC = true;
124 PrivateTmp = true;
125 PrivateUsers = true;
126 ProtectClock = true;
127 ProtectControlGroups = true;
128 ProtectHome = true;
129 ProtectHostname = true;
130 ProtectKernelLogs = true;
131 ProtectKernelModules = true;
132 ProtectKernelTunables = true;
133 ProtectProc = "invisible";
134 ProtectSystem = "strict";
135 RemoveIPC = true;
136 RestrictAddressFamilies = [
137 "AF_INET"
138 "AF_INET6"
139 ];
140 RestrictNamespaces = true;
141 RestrictRealtime = true;
142 RestrictSUIDSGID = true;
143 SocketBindAllow = cfg.port;
144 SocketBindDeny = "any";
145 SystemCallArchitectures = "native";
146 SystemCallFilter = [
147 "@system-service"
148 "~@privileged @obsolete"
149 ];
150 };
151 };
152 };
153 }