orthanc: init at 1.12.6, nixos/orthanc: init (#385329)

- [Limine](https://github.com/limine-bootloader/limine) a modern, advanced, portable, multiprotocol bootloader and boot manager. Available as [boot.loader.limine](#opt-boot.loader.limine.enable)

- [Orthanc](https://orthanc.uclouvain.be/) a lightweight, RESTful DICOM server for healthcare and medical research. Available as [services.orthanc](#opt-services.orthanc.enable).

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

## Backward Incompatibilities {#sec-release-25.05-incompatibilities}

  ./services/misc/ombi.nix

  ./services/misc/omnom.nix

  ./services/misc/open-webui.nix

  ./services/misc/orthanc.nix

  ./services/misc/osrm.nix

  ./services/misc/owncast.nix

  ./services/misc/packagekit.nix

{

  config,

  options,

  lib,

  pkgs,

  ...

}:

let

  inherit (lib) types;

  cfg = config.services.orthanc;

  opt = options.services.orthanc;

  settingsFormat = pkgs.formats.json { };

in

{

  options = {

    services.orthanc = {

      enable = lib.mkEnableOption "Orthanc server";

      package = lib.mkPackageOption pkgs "orthanc" { };

      stateDir = lib.mkOption {

        type = types.path;

        default = "/var/lib/orthanc";

        example = "/home/foo";

        description = "State directory of Orthanc.";

      };

      environment = lib.mkOption {

        type = types.attrsOf types.str;

        default = {

        };

        example = ''

          {

            ORTHANC_NAME = "Orthanc server";

          }

        '';

        description = ''

          Extra environment variables

          For more details see <https://orthanc.uclouvain.be/book/users/configuration.html>

        '';

      };

      environmentFile = lib.mkOption {

        description = ''

          Environment file to be passed to the systemd service.

          Useful for passing secrets to the service to prevent them from being

          world-readable in the Nix store.

        '';

        type = lib.types.nullOr lib.types.path;

        default = null;

        example = "/var/lib/secrets/orthancSecrets";

      };

      settings = lib.mkOption {

        type = lib.types.submodule {

          freeformType = settingsFormat.type;

        };

        default = {

          HttpPort = lib.mkDefault 8042;

          IndexDirectory = lib.mkDefault "/var/lib/orthanc/";

          StorageDirectory = lib.mkDefault "/var/lib/orthanc/";

        };

        example = {

          Name = "My Orthanc Server";

          HttpPort = 12345;

        };

        description = ''

          Configuration written to a json file that is read by orthanc.

          See <https://orthanc.uclouvain.be/book/index.html> for more.

        '';

      };

      openFirewall = lib.mkOption {

        type = types.bool;

        default = false;

        description = ''

          Whether to open the firewall for Orthanc.

          This adds `services.orthanc.settings.HttpPort` to `networking.firewall.allowedTCPPorts`.

        '';

      };

    };

  };

  config = lib.mkIf cfg.enable {

    services.orthanc.settings = options.services.orthanc.settings.default;

    systemd.services.orthanc = {

      description = "Orthanc is a lightweight, RESTful DICOM server for healthcare and medical research";

      wantedBy = [ "multi-user.target" ];

      after = [ "network.target" ];

      environment = cfg.environment;

      serviceConfig =

        let

          config-json = settingsFormat.generate "orthanc-config.json" (cfg.settings);

        in

        {

          ExecStart = "${lib.getExe cfg.package} ${config-json}";

          EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;

          WorkingDirectory = cfg.stateDir;

          BindReadOnlyPaths = [

            "-/etc/localtime"

          ];

          StateDirectory = "orthanc";

          RuntimeDirectory = "orthanc";

          RuntimeDirectoryMode = "0755";

          PrivateTmp = true;

          DynamicUser = true;

          DevicePolicy = "closed";

          LockPersonality = true;

          PrivateUsers = true;

          ProtectHome = true;

          ProtectHostname = true;

          ProtectKernelLogs = true;

          ProtectKernelModules = true;

          ProtectKernelTunables = true;

          ProtectControlGroups = true;

          RestrictNamespaces = true;

          RestrictRealtime = true;

          SystemCallArchitectures = "native";

          UMask = "0077";

        };

    };

    networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.settings.HttpPort ]; };

    # Orthanc requires /etc/localtime to be present

    time.timeZone = lib.mkDefault "UTC";

  };

  meta.maintainers = with lib.maintainers; [ drupol ];

}

  opentelemetry-collector = handleTest ./opentelemetry-collector.nix {};

  open-web-calendar = handleTest ./web-apps/open-web-calendar.nix {};

  ocsinventory-agent = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./ocsinventory-agent.nix {};

  orthanc = runTest ./orthanc.nix;

  owncast = handleTest ./owncast.nix {};

  outline = handleTest ./outline.nix {};

  image-contents = handleTest ./image-contents.nix {};

{ lib, ... }:

{

  name = "orthanc";

  nodes = {

    machine =

      { pkgs, ... }:

      {

        services.orthanc = {

          enable = true;

          settings = {

            HttpPort = 12345;

          };

        };

      };

  };

  testScript = ''

    machine.start()

    machine.wait_for_unit("orthanc.service")

    machine.wait_for_open_port(12345)

    machine.wait_for_open_port(4242)

  '';

  meta.maintainers = [ lib.maintainers.drupol ];

}