1 { config, lib, pkgs, ... }:
6 cfg = config.services.convos;
9 options.services.convos = {
10 enable = mkEnableOption "Convos";
11 listenPort = mkOption {
15 description = "Port the web interface should listen on";
17 listenAddress = mkOption {
20 example = "127.0.0.1";
21 description = "Address or host the web interface should listen on";
23 reverseProxy = mkOption {
27 Enables reverse proxy support. This will allow Convos to automatically
28 pick up the `X-Forwarded-For` and
29 `X-Request-Base` HTTP headers set in your reverse proxy
30 web server. Note that enabling this option without a trusted reverse proxy in
31 front is a security issue: any client could then forge these headers (e.g. spoof its source address).
35 config = mkIf cfg.enable {
36 systemd.services.convos = {
37 description = "Convos Service";
38 wantedBy = [ "multi-user.target" ];
39 after = [ "networking.target" ];
41 CONVOS_HOME = "%S/convos";
42 CONVOS_REVERSE_PROXY = if cfg.reverseProxy then "1" else "0";
43 MOJO_LISTEN = "http://${toString cfg.listenAddress}:${toString cfg.listenPort}";
46 ExecStart = "${pkgs.convos}/bin/convos daemon";
47 Restart = "on-failure";
48 StateDirectory = "convos";
49 WorkingDirectory = "%S/convos";
51 MemoryDenyWriteExecute = true;
54 ProtectHostname = true;
55 ProtectKernelTunables = true;
56 ProtectKernelModules = true;
57 ProtectKernelLogs = true;
58 ProtectControlGroups = true;
59 PrivateDevices = true;
62 LockPersonality = true;
63 RestrictRealtime = true;
64 RestrictNamespaces = true;
65 RestrictAddressFamilies = [ "AF_INET" "AF_INET6"];
66 SystemCallFilter = "@system-service";
67 SystemCallArchitectures = "native";
68 CapabilityBoundingSet = "";