movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-20 09:00:41 +03:00
Code Activity
nixpkgs/nixos/modules/services/web-apps/shiori.nix
Wolfgang Walther 41c5662cbe
nixos/postgresql: move postStart into separate unit 
This avoids restarting the postgresql server, when only ensureDatabases
or ensureUsers have been changed. It will also allow to properly wait
for recovery to finish later.

To wait for "postgresql is ready" in other services, we now provide a
postgresql.target.

Resolves #400018

Co-authored-by: Marcel <me@m4rc3l.de>
2025-06-24 15:26:47 +02:00

154 lines
3.9 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.shiori;
in
{
options = {
services.shiori = {
enable = lib.mkEnableOption "Shiori simple bookmarks manager";
package = lib.mkPackageOption pkgs "shiori" { };
address = lib.mkOption {
type = lib.types.str;
default = "";
description = ''
The IP address on which Shiori will listen.
If empty, listens on all interfaces.
'';
};
port = lib.mkOption {
type = lib.types.port;
default = 8080;
description = "The port of the Shiori web application";
};
webRoot = lib.mkOption {
type = lib.types.str;
default = "/";
example = "/shiori";
description = "The root of the Shiori web application";
};
environmentFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
example = "/path/to/environmentFile";
description = ''
Path to file containing environment variables.
Useful for passing down secrets.
<https://github.com/go-shiori/shiori/blob/master/docs/Configuration.md#overall-configuration>
'';
};
databaseUrl = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "postgres:///shiori?host=/run/postgresql";
description = "The connection URL to connect to MySQL or PostgreSQL";
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.shiori = {
description = "Shiori simple bookmarks manager";
wantedBy = [ "multi-user.target" ];
after = [
"postgresql.target"
"mysql.service"
];
environment =
{
SHIORI_DIR = "/var/lib/shiori";
}
// lib.optionalAttrs (cfg.databaseUrl != null) {
SHIORI_DATABASE_URL = cfg.databaseUrl;
};
serviceConfig = {
ExecStart = "${cfg.package}/bin/shiori server --address '${cfg.address}' --port '${toString cfg.port}' --webroot '${cfg.webRoot}'";
DynamicUser = true;
StateDirectory = "shiori";
# As the RootDirectory
RuntimeDirectory = "shiori";
# Security options
EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
BindReadOnlyPaths =
[
"/nix/store"
# For SSL certificates, and the resolv.conf
"/etc"
]
++ lib.optional (
config.services.postgresql.enable
&& cfg.databaseUrl != null
&& lib.strings.hasPrefix "postgres://" cfg.databaseUrl
) "/run/postgresql"
++ lib.optional (
config.services.mysql.enable
&& cfg.databaseUrl != null
&& lib.strings.hasPrefix "mysql://" cfg.databaseUrl
) "/var/run/mysqld";
CapabilityBoundingSet = "";
DeviceAllow = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictRealtime = true;
RestrictSUIDSGID = true;
RootDirectory = "/run/shiori";
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@cpu-emulation"
"~@debug"
"~@keyring"
"~@memlock"
"~@obsolete"
"~@privileged"
"~@setuid"
];
};
};
};
meta.maintainers = with lib.maintainers; [
minijackson
CaptainJawZ
];
}
View git blame Copy permalink