nixos/modules/services/web-apps/stirling-pdf.nix

   1 {
   2   config,
   3   lib,
   4   pkgs,
   5   ...
   6 }:
   7
   8 let
   9   cfg = config.services.stirling-pdf;
  10 in
  11 {
  12   options.services.stirling-pdf = {
  13     enable = lib.mkEnableOption "the stirling-pdf service";
  14
  15     package = lib.mkPackageOption pkgs "stirling-pdf" { };
  16
  17     environment = lib.mkOption {
  18       type = lib.types.attrsOf (
  19         lib.types.oneOf [
  20           lib.types.str
  21           lib.types.int
  22         ]
  23       );
  24       default = { };
  25       example = {
  26         SERVER_PORT = 8080;
  27         INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true";
  28       };
  29       description = ''
  30         Environment variables for the stirling-pdf app.
  31         See https://github.com/Stirling-Tools/Stirling-PDF#customisation for available options.
  32       '';
  33     };
  34
  35     environmentFiles = lib.mkOption {
  36       type = lib.types.listOf lib.types.path;
  37       default = [ ];
  38       description = ''
  39         Files containing additional environment variables to pass to Stirling PDF.
  40         Secrets should be added in environmentFiles instead of environment.
  41       '';
  42     };
  43   };
  44
  45   config = lib.mkIf cfg.enable {
  46     systemd.services.stirling-pdf = {
  47       environment = lib.mapAttrs (_: toString) cfg.environment;
  48
  49       # following https://github.com/Stirling-Tools/Stirling-PDF#locally
  50       path =
  51         with pkgs;
  52         [
  53           unpaper
  54           libreoffice
  55           ocrmypdf
  56           poppler_utils
  57           unoconv
  58           opencv
  59           pngquant
  60           tesseract
  61           python3Packages.weasyprint
  62           ghostscript_headless
  63         ]
  64         ++ lib.optional (cfg.environment.INSTALL_BOOK_AND_ADVANCED_HTML_OPS or "false" == "true") calibre;
  65
  66       wantedBy = [ "multi-user.target" ];
  67
  68       serviceConfig = {
  69         BindReadOnlyPaths = [ "${pkgs.tesseract}/share/tessdata:/usr/share/tessdata" ];
  70         CacheDirectory = "stirling-pdf";
  71         Environment = [ "HOME=%S/stirling-pdf" ];
  72         EnvironmentFile = cfg.environmentFiles;
  73         ExecStart = lib.getExe cfg.package;
  74         RuntimeDirectory = "stirling-pdf";
  75         StateDirectory = "stirling-pdf";
  76         SuccessExitStatus = 143;
  77         User = "stirling-pdf";
  78         WorkingDirectory = "/var/lib/stirling-pdf";
  79
  80         # Hardening
  81         CapabilityBoundingSet = "";
  82         DynamicUser = true;
  83         LockPersonality = true;
  84         NoNewPrivileges = true;
  85         PrivateDevices = true;
  86         PrivateUsers = true;
  87         ProcSubset = "pid";
  88         ProtectClock = true;
  89         ProtectControlGroups = true;
  90         ProtectHome = true;
  91         ProtectHostname = true;
  92         ProtectKernelLogs = true;
  93         ProtectKernelModules = true;
  94         ProtectKernelTunables = true;
  95         ProtectProc = "invisible";
  96         RestrictAddressFamilies = [
  97           "AF_INET"
  98           "AF_INET6"
  99           "AF_UNIX"
 100         ];
 101         RestrictNamespaces = true;
 102         RestrictRealtime = true;
 103         SystemCallArchitectures = "native";
 104         SystemCallFilter = [
 105           "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources @clock @setuid @chown"
 106         ];
 107         UMask = "0077";
 108       };
 109     };
 110   };
 111
 112   meta.maintainers = with lib.maintainers; [ DCsunset ];
 113 }