+1

hosts/helix/default.nix

reviewed

··· 10 10 ../profiles/rss-bridge 11 11 ../profiles/mount-mossnet 12 12 ../profiles/freshrss 13 13 + ../profiles/microbin 13 14 ]; 14 15 15 16 # Capsul specific

+18

hosts/profiles/microbin/default.nix

reviewed

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + { 3 3 + services.microbin.enable = true; 4 4 + services.microbin.hostname = "bin.sealight.xyz"; 5 5 + services.microbin.port = 4949; 6 6 + networking.firewall.allowedTCPPorts = [ 4949 ]; 7 7 + services.nginx.virtualHosts."bin.sealight.xyz" = { 8 8 + enableACME = true; 9 9 + forceSSL = true; 10 10 + 11 11 + locations."/" = { 12 12 + extraConfig = '' 13 13 + proxy_pass http://localhost:4949/; 14 14 + proxy_set_header X-Forwarded-Host $host; 15 15 + ''; 16 16 + }; 17 17 + }; 18 18 + }

+85

modules/nixos/microbin.nix

reviewed

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + 3 3 + with lib; 4 4 + 5 5 + let 6 6 + cfg = config.services.microbin; 7 7 + configFile = "/etc/microbin/config"; 8 8 + dataFolder = "/var/lib/microbin"; 9 9 + in 10 10 + { 11 11 + options = { 12 12 + 13 13 + services.microbin = { 14 14 + enable = mkEnableOption "A super tiny pasta"; 15 15 + 16 16 + user = mkOption { 17 17 + type = types.str; 18 18 + default = "microbin"; 19 19 + description = "User account under which microbin runs."; 20 20 + }; 21 21 + 22 22 + group = mkOption { 23 23 + type = types.str; 24 24 + default = "microbin"; 25 25 + description = "Group account under which microbin runs."; 26 26 + }; 27 27 + 28 28 + }; 29 29 + }; 30 30 + 31 31 + config = mkIf cfg.enable { 32 32 + systemd.services.microbin = { 33 33 + description = "Microbin A Super Tiny Pasta"; 34 34 + after = [ "remote-fs.target" "network.target" ]; 35 35 + wantedBy = [ "multi-user.target" ]; 36 36 + serviceConfig = { 37 37 + ExecStart = "${pkgs.microbin}/bin/microbin --port ${cfg.port} \\ 38 38 + --public-path ${cfg.hostname} \\ 39 39 + --editable \\ 40 40 + --enable-burn-after \\ 41 41 + --private \\ 42 42 + --qr \\ 43 43 + --title=sealight \\ 44 44 + --highlightsyntax"; 45 45 + WorkingDirectory = dataFolder; 46 46 + TimeoutStopSec = " 20 "; 47 47 + KillMode = " process "; 48 48 + Restart = " on-failure "; 49 49 + RestartSec = " 10 "; 50 50 + User = cfg.user; 51 51 + Group = cfg.group; 52 52 + DevicePolicy = " closed "; 53 53 + NoNewPrivileges = " yes "; 54 54 + PrivateTmp = " yes "; 55 55 + PrivateUsers = " yes "; 56 56 + ProtectControlGroups = " yes "; 57 57 + ProtectKernelModules = " yes "; 58 58 + ProtectKernelTunables = " yes "; 59 59 + RestrictAddressFamilies = " 60 60 + AF_UNIX 61 61 + AF_INET 62 62 + AF_INET6 "; 63 63 + RestrictNamespaces = " yes "; 64 64 + RestrictRealtime = " yes "; 65 65 + SystemCallFilter = "~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap"; 66 66 + ReadWritePaths = dataFolder; 67 67 + StateDirectory = baseNameOf dataFolder; 68 68 + }; 69 69 + }; 70 70 + 71 71 + users.users = optionalAttrs (cfg.user == "microbin") ({ 72 72 + microbin = { 73 73 + description = "microbin service user"; 74 74 + name = cfg.user; 75 75 + group = cfg.group; 76 76 + isSystemUser = true; 77 77 + }; 78 78 + }); 79 79 + 80 80 + users.groups = optionalAttrs (cfg.group == "microbin") ({ 81 81 + microbin = { }; 82 82 + }); 83 83 + }; 84 84 + } 85 85 +