Unverified Commit 3a0fa1e7 authored by Raroh73's avatar Raroh73

nixos/commafeed: init module

parent 60a9a797
+2 −0
@@ -125,6 +125,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

- [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable).

- [CommaFeed](https://github.com/Athou/commafeed), a Google Reader inspired self-hosted RSS reader. Available as [services.commafeed](#opt-services.commafeed.enable).

- [Monado](https://monado.freedesktop.org/), an open source XR runtime. Available as [services.monado](#opt-services.monado.enable).

- [Pretix](https://pretix.eu/about/en/), an open source ticketing software for events. Available as [services.pretix]($opt-services-pretix.enable).
+1 −0
@@ -1312,6 +1312,7 @@
  ./services/web-apps/chatgpt-retrieval-plugin.nix
  ./services/web-apps/cloudlog.nix
  ./services/web-apps/code-server.nix
  ./services/web-apps/commafeed.nix
  ./services/web-apps/convos.nix
  ./services/web-apps/davis.nix
  ./services/web-apps/dex.nix
+114 −0
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.commafeed;
in
{
  options.services.commafeed = {
    enable = lib.mkEnableOption "CommaFeed";

    package = lib.mkPackageOption pkgs "commafeed" { };

    user = lib.mkOption {
      type = lib.types.str;
      description = "User under which CommaFeed runs.";
      default = "commafeed";
    };

    group = lib.mkOption {
      type = lib.types.str;
      description = "Group under which CommaFeed runs.";
      default = "commafeed";
    };

    stateDir = lib.mkOption {
      type = lib.types.path;
      description = "Directory holding all state for CommaFeed to run.";
      default = "/var/lib/commafeed";
    };

    environment = lib.mkOption {
      type = lib.types.attrsOf (
        lib.types.oneOf [
          lib.types.bool
          lib.types.int
          lib.types.str
        ]
      );
      description = ''
        Extra environment variables passed to CommaFeed, refer to
        <https://github.com/Athou/commafeed/blob/master/commafeed-server/config.yml.example>
        for supported values. The default user is `admin` and the default password is `admin`.
        Correct configuration for H2 database is already provided.
      '';
      default = { };
      example = {
        CF_SERVER_APPLICATIONCONNECTORS_0_TYPE = "http";
        CF_SERVER_APPLICATIONCONNECTORS_0_PORT = 9090;
      };
    };

    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      description = ''
        Environment file as defined in {manpage}`systemd.exec(5)`.
      '';
      default = null;
      example = "/var/lib/commafeed/commafeed.env";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.commafeed = {
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      environment = lib.mapAttrs (
        _: v: if lib.isBool v then lib.boolToString v else toString v
      ) cfg.environment;
      serviceConfig = {
        ExecStart = "${lib.getExe cfg.package} server ${cfg.package}/share/config.yml";
        User = cfg.user;
        Group = cfg.group;
        StateDirectory = baseNameOf cfg.stateDir;
        WorkingDirectory = cfg.stateDir;
        # Hardening
        CapabilityBoundingSet = [ "" ];
        DevicePolicy = "closed";
        DynamicUser = true;
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        UMask = "0077";
      } // lib.optionalAttrs (cfg.environmentFile != null) { EnvironmentFile = cfg.environmentFile; };
    };
  };

  meta.maintainers = [ lib.maintainers.raroh73 ];
}
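Review bot: The `environment` description documents the default `admin`/`admin` login but never says that values set through `environment` are rendered into the unit in the world-readable Nix store, so nothing steers a database password or other secret towards `environmentFile`. I would add a sentence to `environment` such as `Do not put secrets here, the values end up in the world-readable Nix store; use services.commafeed.environmentFile for them.`, and have the `environmentFile` description say that it is meant for secret `CF_*` settings and should be a root-readable file outside the store. The description could also tell the operator to change the default password before the port is reachable from other hosts. Separately, `StateDirectory = baseNameOf cfg.stateDir` and `WorkingDirectory = cfg.stateDir` only agree when `stateDir` sits directly under `/var/lib`. With `DynamicUser = true`, any other value would presumably leave the working directory unowned by the service, so an assertion on the prefix, or a fixed `/var/lib/commafeed` in place of the option, would be safer.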
+1 −0
@@ -203,6 +203,7 @@ in {
  code-server = handleTest ./code-server.nix {};
  coder = handleTest ./coder.nix {};
  collectd = handleTest ./collectd.nix {};
  commafeed = handleTest ./commafeed.nix {};
  connman = handleTest ./connman.nix {};
  consul = handleTest ./consul.nix {};
  consul-template = handleTest ./consul-template.nix {};
+21 −0
import ./make-test-python.nix (
  { lib, ... }:
  {
    name = "commafeed";

    nodes.server = {
      services.commafeed = {
        enable = true;
      };
    };

    testScript = ''
      server.start()
      server.wait_for_unit("commafeed.service")
      server.wait_for_open_port(8082)
      server.succeed("curl --fail --silent http://localhost:8082")
    '';

    meta.maintainers = [ lib.maintainers.raroh73 ];
  }
)
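Review bot: Port 8082 in `wait_for_open_port` and the `curl` call is a bare number that comes from the packaged `config.yml`, not from anything the test sets, so an upstream default change would fail the test for a reason unrelated to the module. Pinning it in the node config with the key the module's own example uses, `services.commafeed.environment.CF_SERVER_APPLICATIONCONNECTORS_0_PORT = 8082;`, would make the dependency explicit and also exercise the `environment` passthrough. The test also only proves that something answers with a success status. A short comment saying that login and the sandboxed state directory are deliberately not covered would help the next maintainer judge what a green run means.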