diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 06979a4df508f9..c253e2d54116f2 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1437,6 +1437,7 @@ ./services/web-apps/c2fmzq-server.nix ./services/web-apps/calibre-web.nix ./services/web-apps/castopod.nix + ./services/web-apps/codeberg-server.nix ./services/web-apps/coder.nix ./services/web-apps/changedetection-io.nix ./services/web-apps/chatgpt-retrieval-plugin.nix diff --git a/nixos/modules/services/web-apps/codeberg-pages.nix b/nixos/modules/services/web-apps/codeberg-pages.nix new file mode 100644 index 00000000000000..b4c405906e6125 --- /dev/null +++ b/nixos/modules/services/web-apps/codeberg-pages.nix @@ -0,0 +1,118 @@ +{ + config, + pkgs, + lib, + ... +}: +let + inherit (lib) mkOption mkEnableOption mkPackageOption; + inherit (lib) types; + + cfg = config.services.codeberg-pages; +in +{ + options = { + services.codeberg-pages = { + enable = mkEnableOption "Codeberg pages server"; + package = mkPackageOption pkgs "codeberg-pages" { }; + stateDir = mkOption { + type = types.str; + default = "/var/lib/codeberg-pages"; + description = "Directory in which state will be stored"; + }; + + settings = mkOption { + type = with types; submodule { freeformType = attrsOf str; }; + default = { }; + example = { + ACME_ACCEPT_TERMS = true; + ENABLE_HTTP_SERVER = true; + + GITEA_ROOT = "git.exampledomain.tld"; + }; + + description = '' + Configuration values to be passed to the codeberg pages server + as environment variables. + [pages-server documentation]: https://codeberg.org/Codeberg/pages-server#environment-variables + + See [pages-server documentation] for available options. + + For sensitive values, prefer using {option}`services.pages-server.environmentFile`. + + ''; + }; + + environmentFile = mkOption { + type = with types; nullOr path; + default = null; + example = "/run/secret/pages-server.env"; + description = '' + An environment file as defined in {manpage}`systemd.exec(5)`. + + Sensitive information, such as `GITEA_API_TOKEN`, may be passed + to the service without adding them to the world-readable Nix store. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.codeberg-pages = { + description = "Codeberg pages server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = cfg.settings; + serviceConfig = { + Type = "simple"; + StateDirectory = cfg.stateDir; + WorkingDirectory = cfg.stateDir; + ReadWritePaths = [ cfg.stateDir ]; + DynamicUser = true; + ExecStart = "${lib.getExe cfg.package}"; + EnvironmentFile = cfg.environmentFile; + Restart = "on-failure"; + # Security section directly mimics the one of Forgejo module + UMask = "0027"; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" + "setrlimit" + ]; + }; + }; + }; + + maintainers = with lib.maintainers; [ + NotAShelf + ]; +}