From 8130f4a68cf0e065498cc9a829f4765edfcede88 Mon Sep 17 00:00:00 2001
From: Ivan Reshetnikov
Date: Tue, 22 Aug 2023 10:08:59 +0500
Subject: [PATCH] Add microboard service

---
 flake.nix | 5 -----
 nixos/programs/microboard.nix | 36 +++++++++++++++++++++++++++++++++--
 2 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/flake.nix b/flake.nix
index 9ba6272..1b7cdf1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,11 +5,6 @@
 nixpkgs = {
 url = "github:NixOS/nixpkgs/nixos-23.05";
 };
-
- microboard = {
- url = "github:ordinary-dev/microboard";
- inputs.nixpkgs.follows = "nixpkgs";
- };
 };
 
 outputs = inputs @ { self, nixpkgs, ... }:
diff --git a/nixos/programs/microboard.nix b/nixos/programs/microboard.nix
index e3cecdc..a3d1a6f 100644
--- a/nixos/programs/microboard.nix
+++ b/nixos/programs/microboard.nix
@@ -1,4 +1,36 @@
-{ config, microboard, ... }:
+{ config, ... }:
+let
+ dataDir = "/var/lib/microboard";
+in
 {
- microboard.enable = false;
+ systemd.services.microboard = {
+ description = "Microboard engine";
+ wantedBy = ["multi-user.target"];
+
+ environment = {
+ MB_LOGLEVEL = "warning";
+ MB_UPLOADDIR = "${ dataDir }/uploads";
+ MB_PREVIEWDIR = "${ dataDir }/previews";
+ MB_DBHOST = "/run/postgresql";
+ MB_DBUSER = "microboard";
+ MB_DBNAME = "microboard";
+ };
+
+ serviceConfig = {
+ User = "microboard";
+ Group = "microboard";
+ ExecStart = "${ dataDir }/microboard";
+ Restart = "on-failure";
+ Type = "exec";
+ WorkingDirectory = dataDir;
+
+ # Security Hardening
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ReadWritePaths = [ dataDir ];
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ RestrictSUIDSGID = true;
+ };
+ };
 }
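Review bot: In the microboard.nix hunk, `ExecStart = "${ dataDir }/microboard"` runs a binary that lives inside the very directory the same `serviceConfig` makes writable for the service (`ReadWritePaths = [ dataDir ]`, which is also the `WorkingDirectory`), so a compromised process could overwrite its own executable and `ProtectSystem = "strict"` no longer protects the code being run. Keep the executable in a read-only location (a package in the Nix store referenced from ExecStart) and narrow the writable set to the state it actually needs, e.g. `ReadWritePaths = [ "${ dataDir }/uploads" "${ dataDir }/previews" ];`, or replace the hand-made directory with `StateDirectory = "microboard";` so systemd creates and owns `/var/lib/microboard` with the right permissions. The `microboard` user and group named in `User`/`Group`, and the creation of dataDir itself, are not part of this patch; presumably they are defined elsewhere in the configuration, otherwise the unit will fail to start. Options such as `PrivateTmp`, `ProtectHome`, `ProtectKernelTunables`, `ProtectControlGroups` and `SystemCallFilter = "@system-service";` would fit the existing `# Security Hardening` block and close the remaining gaps for a network-facing service.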