nixos/codeberg-pages: init

nixos/modules/module-list.nix

@@ -1437,6 +1437,7 @@
   ./services/web-apps/c2fmzq-server.nix
   ./services/web-apps/calibre-web.nix
   ./services/web-apps/castopod.nix
+  ./services/web-apps/codeberg-server.nix
   ./services/web-apps/coder.nix
   ./services/web-apps/changedetection-io.nix
   ./services/web-apps/chatgpt-retrieval-plugin.nix

nixos/modules/services/web-apps/codeberg-pages.nix

@@ -0,0 +1,118 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkOption mkEnableOption mkPackageOption;
+  inherit (lib) types;
+
+  cfg = config.services.codeberg-pages;
+in
+{
+  options = {
+    services.codeberg-pages = {
+      enable = mkEnableOption "Codeberg pages server";
+      package = mkPackageOption pkgs "codeberg-pages" { };
+      stateDir = mkOption {
+        type = types.str;
+        default = "/var/lib/codeberg-pages";
+        description = "Directory in which state will be stored";
+      };
+
+      settings = mkOption {
+        type = with types; submodule { freeformType = attrsOf str; };
+        default = { };
+        example = {
+          ACME_ACCEPT_TERMS = true;
+          ENABLE_HTTP_SERVER = true;
+
+          GITEA_ROOT = "git.exampledomain.tld";
+        };
+
+        description = ''
+          Configuration values to be passed to the codeberg pages server
+          as environment variables.
+          [pages-server documentation]: https://codeberg.org/Codeberg/pages-server#environment-variables
+
+          See [pages-server documentation] for available options.
+
+          For sensitive values, prefer using {option}`services.pages-server.environmentFile`.
+
+        '';
+      };
+
+      environmentFile = mkOption {
+        type = with types; nullOr path;
+        default = null;
+        example = "/run/secret/pages-server.env";
+        description = ''
+          An environment file as defined in {manpage}`systemd.exec(5)`.
+
+          Sensitive information, such as `GITEA_API_TOKEN`, may be passed
+          to the service without adding them to the world-readable Nix store.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.codeberg-pages = {
+      description = "Codeberg pages server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment = cfg.settings;
+      serviceConfig = {
+        Type = "simple";
+        StateDirectory = cfg.stateDir;
+        WorkingDirectory = cfg.stateDir;
+        ReadWritePaths = [ cfg.stateDir ];
+        DynamicUser = true;
+        ExecStart = "${lib.getExe cfg.package}";
+        EnvironmentFile = cfg.environmentFile;
+        Restart = "on-failure";
+        # Security section directly mimics the one of Forgejo module
+        UMask = "0027";
+        # Capabilities
+        CapabilityBoundingSet = "";
+        # Security
+        NoNewPrivileges = true;
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [
+          "AF_UNIX"
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        PrivateMounts = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"
+          "setrlimit"
+        ];
+      };
+    };
+  };
+
+  maintainers = with lib.maintainers; [
+    NotAShelf
+  ];
+}