Skip to content

Commit

Permalink
nixos/archivebox: init
Browse files Browse the repository at this point in the history
  • Loading branch information
pyrox0 committed Nov 15, 2024
1 parent 7a62e6b commit c47fbfb
Show file tree
Hide file tree
Showing 2 changed files with 112 additions and 0 deletions.
1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
Original file line number Diff line number Diff line change
Expand Up @@ -1392,6 +1392,7 @@
./services/web-apps/akkoma.nix
./services/web-apps/alps.nix
./services/web-apps/anuko-time-tracker.nix
./services/web-apps/archivebox.nix
./services/web-apps/artalk.nix
./services/web-apps/audiobookshelf.nix
./services/web-apps/bluemap.nix
Expand Down
111 changes: 111 additions & 0 deletions nixos/modules/services/web-apps/archivebox.nix
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.archivebox;

inherit (lib) mkOption types;
in
{
options.services.archivebox = {
enable = lib.mkEnableOption "ArchiveBox, open source self-hosted web archiving";

package = lib.mkPackageOption pkgs "archivebox" { };

settings = mkOption {
type =
with types;
submodule {
freeformType = attrsOf (
nullOr (oneOf [
bool
int
str
])
);
options = { };
};
default = { };
description = ''
Configuration settings for ArchiveBox.
In version 0.8.0+ of ArchiveBox, the configuration was changed. Since ArchiveBox is now a plugin-based system, the configuration is no longer centralized.
Therefore, to find plugin settings, go to `archivebox/pkgs` in the [upstream git repo](https://github.com/ArchiveBox/ArchiveBox) to look for plugin settings,
or `archivebox/config/common.py` in the same repo for serverwide settings.
Settings here are named the same as their environment variables, for simplicity. There are more than the settings documented here, the ones here are needed for other functions in the module.
'';
};

environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
An additional file with environment variables to load into the ArchiveBox service.
This should be used for secret variables, such as the `SECRET_KEY` and `ADMIN_PASSWORD`.
'';
};
};

config = lib.mkIf cfg.enable {
# Needs a persistant user since it stores the archived data
users.users.archivebox = {
isSystemUser = true;
group = "archivebox";
};
users.groups.archivebox = { };

systemd.services.archivebox = {
after = [ "network.target" ];
serviceConfig = {
User = "archivebox";
Group = "archivebox";
StateDirectory = "archivebox";
Environment = lib.mapAttrsToList (k: v: "${k}=${v}") (
lib.filterAttrs (_: v: v != null) cfg.settings
);

ExecStartPre = "${lib.getExe cfg.package} install";
ExecStart = "${lib.getExe cfg.package} server";

# Hardening options
PrivateDevices = true;
PrivateIPC = true;
PrivateUsers = true;

ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";

RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;

LockPersonality = true;
MemoryDenyWriteExecute = true;

SystemCallFilter = [
"@system-service"
"~@privileged"
];
SystemCallArchitectures = "native";
};
};
};

meta.maintainers = with lib.maintainers; [ pyrox0 ];
}

0 comments on commit c47fbfb

Please sign in to comment.