| blob | c71e8a92b727446b88164604aa6b7dbc3fb50fd0 |
1 { config, pkgs, lib, ... }:
2 let cfg = config.services.nzbhydra2;
4 in {
5 options = {
6 services.nzbhydra2 = {
7 enable = lib.mkEnableOption "NZBHydra2, Usenet meta search";
9 dataDir = lib.mkOption {
10 type = lib.types.str;
11 default = "/var/lib/nzbhydra2";
12 description = "The directory where NZBHydra2 stores its data files.";
13 };
15 openFirewall = lib.mkOption {
16 type = lib.types.bool;
17 default = false;
18 description = "Open ports in the firewall for the NZBHydra2 web interface.";
19 };
21 package = lib.mkPackageOption pkgs "nzbhydra2" { };
22 };
23 };
25 config = lib.mkIf cfg.enable {
26 systemd.tmpfiles.rules =
27 [ "d '${cfg.dataDir}' 0700 nzbhydra2 nzbhydra2 - -" ];
29 systemd.services.nzbhydra2 = {
30 description = "NZBHydra2";
31 after = [ "network.target" ];
32 wantedBy = [ "multi-user.target" ];
34 serviceConfig = {
35 Type = "simple";
36 User = "nzbhydra2";
37 Group = "nzbhydra2";
38 ExecStart =
39 "${cfg.package}/bin/nzbhydra2 --nobrowser --datafolder '${cfg.dataDir}'";
40 Restart = "on-failure";
41 # Hardening
42 NoNewPrivileges = true;
43 PrivateTmp = true;
44 PrivateDevices = true;
45 DevicePolicy = "closed";
46 ProtectSystem = "strict";
47 ReadWritePaths = cfg.dataDir;
48 ProtectHome = "read-only";
49 ProtectControlGroups = true;
50 ProtectKernelModules = true;
51 ProtectKernelTunables = true;
52 RestrictAddressFamilies ="AF_UNIX AF_INET AF_INET6 AF_NETLINK";
53 RestrictNamespaces = true;
54 RestrictRealtime = true;
55 RestrictSUIDSGID = true;
56 LockPersonality = true;
57 };
58 };
60 networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ 5076 ]; };
62 users.users.nzbhydra2 = {
63 group = "nzbhydra2";
64 isSystemUser = true;
65 };
67 users.groups.nzbhydra2 = {};
68 };
69 }