| blob | df3eeaef161833fb931c328581be541ab00648e6 |
1 { config, lib, pkgs, ... }:
3 let cfg = config.services.shiori;
4 in {
5 options = {
6 services.shiori = {
7 enable = lib.mkEnableOption "Shiori simple bookmarks manager";
9 package = lib.mkPackageOption pkgs "shiori" { };
11 address = lib.mkOption {
12 type = lib.types.str;
13 default = "";
14 description = ''
15 The IP address on which Shiori will listen.
16 If empty, listens on all interfaces.
17 '';
18 };
20 port = lib.mkOption {
21 type = lib.types.port;
22 default = 8080;
23 description = "The port of the Shiori web application";
24 };
26 webRoot = lib.mkOption {
27 type = lib.types.str;
28 default = "/";
29 example = "/shiori";
30 description = "The root of the Shiori web application";
31 };
33 environmentFile = lib.mkOption {
34 type = lib.types.nullOr lib.types.path;
35 default = null;
36 example = "/path/to/environmentFile";
37 description = ''
38 Path to file containing environment variables.
39 Useful for passing down secrets.
40 <https://github.com/go-shiori/shiori/blob/master/docs/Configuration.md#overall-configuration>
41 '';
42 };
44 databaseUrl = lib.mkOption {
45 type = lib.types.nullOr lib.types.str;
46 default = null;
47 example = "postgres:///shiori?host=/run/postgresql";
48 description = "The connection URL to connect to MySQL or PostgreSQL";
49 };
50 };
51 };
53 config = lib.mkIf cfg.enable {
54 systemd.services.shiori = {
55 description = "Shiori simple bookmarks manager";
56 wantedBy = [ "multi-user.target" ];
57 after = [ "postgresql.service" "mysql.service" ];
58 environment = {
59 SHIORI_DIR = "/var/lib/shiori";
60 } // lib.optionalAttrs (cfg.databaseUrl != null) {
61 SHIORI_DATABASE_URL = cfg.databaseUrl;
62 };
64 serviceConfig = {
65 ExecStart =
66 "${cfg.package}/bin/shiori server --address '${cfg.address}' --port '${
67 toString cfg.port
68 }' --webroot '${cfg.webRoot}'";
70 DynamicUser = true;
71 StateDirectory = "shiori";
72 # As the RootDirectory
73 RuntimeDirectory = "shiori";
75 # Security options
76 EnvironmentFile =
77 lib.optional (cfg.environmentFile != null) cfg.environmentFile;
78 BindReadOnlyPaths = [
79 "/nix/store"
81 # For SSL certificates, and the resolv.conf
82 "/etc"
83 ] ++ lib.optional (config.services.postgresql.enable &&
84 cfg.databaseUrl != null &&
85 lib.strings.hasPrefix "postgres://" cfg.databaseUrl)
86 "/run/postgresql"
87 ++ lib.optional (config.services.mysql.enable &&
88 cfg.databaseUrl != null &&
89 lib.strings.hasPrefix "mysql://" cfg.databaseUrl)
90 "/var/run/mysqld";
92 CapabilityBoundingSet = "";
93 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
95 DeviceAllow = "";
97 LockPersonality = true;
99 MemoryDenyWriteExecute = true;
101 PrivateDevices = true;
102 PrivateUsers = true;
104 ProtectClock = true;
105 ProtectControlGroups = true;
106 ProtectHome = true;
107 ProtectHostname = true;
108 ProtectKernelLogs = true;
109 ProtectKernelModules = true;
110 ProtectKernelTunables = true;
112 RestrictNamespaces = true;
113 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
114 RestrictRealtime = true;
115 RestrictSUIDSGID = true;
117 RootDirectory = "/run/shiori";
119 SystemCallArchitectures = "native";
120 SystemCallErrorNumber = "EPERM";
121 SystemCallFilter = [
122 "@system-service"
123 "~@cpu-emulation"
124 "~@debug"
125 "~@keyring"
126 "~@memlock"
127 "~@obsolete"
128 "~@privileged"
129 "~@setuid"
130 ];
131 };
132 };
133 };
135 meta.maintainers = with lib.maintainers; [ minijackson CaptainJawZ ];
136 }