Unverified Commit e8ff5952 authored by Peder Bergebakken Sundt's avatar Peder Bergebakken Sundt Committed by GitHub

Merge pull request #258558 from hmenke/c2FmZQ

c2FmZQ: init at 0.4.8
parents e6726841 6a874bbd
+2 −0
@@ -125,6 +125,8 @@

- [Rosenpass](https://rosenpass.eu/), a service for post-quantum-secure VPNs with WireGuard. Available as [services.rosenpass](#opt-services.rosenpass.enable).

- [c2FmZQ](https://github.com/c2FmZQ/c2FmZQ/), an application that can securely encrypt, store, and share files, including but not limited to pictures and videos. Available as [services.c2fmzq-server](#opt-services.c2fmzq-server.enable).

## Backward Incompatibilities {#sec-release-23.11-incompatibilities}

- `network-online.target` has been fixed to no longer time out for systems with `networking.useDHCP = true` and `networking.useNetworkd = true`.
+1 −0
@@ -1232,6 +1232,7 @@
  ./services/web-apps/atlassian/jira.nix
  ./services/web-apps/audiobookshelf.nix
  ./services/web-apps/bookstack.nix
  ./services/web-apps/c2fmzq-server.nix
  ./services/web-apps/calibre-web.nix
  ./services/web-apps/coder.nix
  ./services/web-apps/changedetection-io.nix
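--- /dev/null
+++ b/nixos/modules/services/web-apps/c2fmzq-server.md
@@ -0,0 +1,42 @@
+# c2FmZQ {#module-services-c2fmzq}
+
+c2FmZQ is an application that can securely encrypt, store, and share files,
+including but not limited to pictures and videos.
+
+The service `c2fmzq-server` can be enabled by setting
+```
+{
+  services.c2fmzq-server.enable = true;
+}
+```
+This will spin up an instance of the server which is API-compatible with
+[Stingle Photos](https://stingle.org) and an experimental Progressive Web App
+(PWA) to interact with the storage via the browser.
+
+In principle the server can be exposed directly on a public interface and there
+are command line options to manage HTTPS certificates directly, but the module
+is designed to be served behind a reverse proxy or only accessed via localhost.
+
+```
+{
+  services.c2fmzq-server = {
+    enable = true;
+    bindIP = "127.0.0.1"; # default
+    port = 8080; # default
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts."example.com" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8080";
+      };
+    };
+  };
+}
+```
+
+For more information, see <https://github.com/c2FmZQ/c2FmZQ/>.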
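--- /dev/null
+++ b/nixos/modules/services/web-apps/c2fmzq-server.nix
@@ -0,0 +1,125 @@
+{ lib, pkgs, config, ... }:
+
+let
+  inherit (lib) mkEnableOption mkPackageOption mkOption types;
+
+  cfg = config.services.c2fmzq-server;
+
+  argsFormat = {
+    type = with lib.types; nullOr (oneOf [ bool int str ]);
+    generate = lib.cli.toGNUCommandLineShell { };
+  };
+in {
+  options.services.c2fmzq-server = {
+    enable = mkEnableOption "c2fmzq-server";
+
+    bindIP = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = "The local address to use.";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+      description = "The local port to use.";
+    };
+
+    passphraseFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/c2fmzq/pwfile";
+      description = "Path to file containing the database passphrase";
+    };
+
+    package = mkPackageOption pkgs "c2fmzq" { };
+
+    settings = mkOption {
+      type = types.submodule {
+        freeformType = argsFormat.type;
+
+        options = {
+          address = mkOption {
+            internal = true;
+            type = types.str;
+            default = "${cfg.bindIP}:${toString cfg.port}";
+          };
+
+          database = mkOption {
+            type = types.str;
+            default = "%S/c2fmzq-server/data";
+            description = "Path of the database";
+          };
+
+          verbose = mkOption {
+            type = types.ints.between 1 3;
+            default = 2;
+            description = "The level of logging verbosity: 1:Error 2:Info 3:Debug";
+          };
+        };
+      };
+      description = ''
+        Configuration for c2FmZQ-server passed as CLI arguments.
+        Run {command}`c2FmZQ-server help` for supported values.
+      '';
+      example = {
+        verbose = 3;
+        allow-new-accounts = true;
+        auto-approve-new-accounts = true;
+        encrypt-metadata = true;
+        enable-webapp = true;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.c2fmzq-server = {
+      description = "c2FmZQ-server";
+      documentation = [ "https://github.com/c2FmZQ/c2FmZQ/blob/main/README.md" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "network-online.target" ];
+
+      serviceConfig = {
+        ExecStart = "${lib.getExe cfg.package} ${argsFormat.generate cfg.settings}";
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+        DynamicUser = true;
+        Environment = "C2FMZQ_PASSPHRASE_FILE=%d/passphrase-file";
+        IPAccounting = true;
+        IPAddressAllow = cfg.bindIP;
+        IPAddressDeny = "any";
+        LoadCredential = "passphrase-file:${cfg.passphraseFile}";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateIPC = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SocketBindAllow = cfg.port;
+        SocketBindDeny = "any";
+        StateDirectory = "c2fmzq-server";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ];
+      };
+    };
+  };
+
+  meta = {
+    doc = ./c2fmzq-server.md;
+    maintainers = with lib.maintainers; [ hmenke ];
+  };
+}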
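Review bot: `IPAddressAllow = cfg.bindIP` together with `IPAddressDeny = "any"` in `serviceConfig` filters on the socket's peer address, not the local bind address, so the hardening only composes with the loopback default: if an operator sets `bindIP = "0.0.0.0"` or `"::"` to expose the server directly, which the module documentation says is possible "in principle", systemd treats that value as a single host address and every real client is rejected, if I read systemd.resource-control(5) correctly. Either gate those two lines on a loopback bind, e.g. `IPAddressAllow = lib.mkIf (lib.elem cfg.bindIP [ "127.0.0.1" "::1" ]) cfg.bindIP;` with the same condition on `IPAddressDeny`, or state in the `bindIP` description that this module only supports loopback addresses. Separately, `after = [ "network.target" "network-online.target" ]` has no ordering effect on `network-online.target` unless the unit also declares `wants = [ "network-online.target" ];`. Finally, the `passphraseFile` description should warn that the path must not point into the Nix store (`types.str` avoids the implicit store copy, but a `pkgs.writeText` value would still make the passphrase world-readable), for example `"Path to a file containing the database passphrase. Must not be in the Nix store."`.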
+1 −0
@@ -153,6 +153,7 @@ in {
  budgie = handleTest ./budgie.nix {};
  buildbot = handleTest ./buildbot.nix {};
  buildkite-agents = handleTest ./buildkite-agents.nix {};
  c2fmzq = handleTest ./c2fmzq.nix {};
  caddy = handleTest ./caddy.nix {};
  cadvisor = handleTestOn ["x86_64-linux"] ./cadvisor.nix {};
  cage = handleTest ./cage.nix {};