kittybox: { config, pkgs, lib, ... }: with lib; let cfg = config.services.kittybox; in { options = { services.kittybox = { enable = mkOption { type = types.bool; default = false; description = '' Whether to enable Kittybox, the IndieWeb blogging solution. ''; }; package = mkOption { type = types.package; default = kittybox.packages.${config.nixpkgs.localSystem.system}.kittybox; defaultText = ""; description = "Which Kittybox derivation to use."; }; bind = mkOption { type = types.nullOr types.str; default = "127.0.0.1"; description = "The host for Kittybox to bind to."; example = "192.168.1.100"; }; port = mkOption { type = types.int; default = 8080; description = "The port for Kittybox to listen at."; example = 16420; }; logLevel = mkOption { type = types.str; default = "warn"; example = "info"; description = "Specify the server verbosity level. Uses RUST_LOG environment variable internally."; }; backendUri = mkOption { type = types.str; default = "file:///var/lib/kittybox/data"; example = "redis://192.168.1.200:6379"; description = lib.mdDoc '' Set the backend used for storing data. Available backends are: - `postgres://` - PostgreSQL backend (recommended) - `file://` - static folder backend - `redis://` - Redis backend (currently unavailable) Make sure that if you are using the file backend, the state directory is accessible by Kittybox. By default, the unit config uses DynamicUser=true and heavy sandboxing options which prevent the unit from accessing data outside of its directory. It is recommended to reconfigure the sandboxing or use a bind-mount to `/var/lib/private/kittybox` if you require the state directory to reside elsewhere. ''; }; blobstoreUri = mkOption { type = types.nullOr types.str; default = "file:///var/lib/kittybox/media"; description = lib.mdDoc '' Set the backend used for the media endpoint storage. Available options are: - `file://` - content-addressed storage using flat files (recommended) When using the file backend, check notes in the `backendUri` option too. ''; }; authstoreUri = mkOption { type = types.nullOr types.str; default = "file:///var/lib/kittybox/auth"; description = lib.mdDoc '' Set the backend used for persisting authentication data. Available options are: - `file://` - flat files. Codes are stored globally, tokens and credentials are stored per-site. ''; }; microsubServer = mkOption { type = types.nullOr types.str; default = null; example = "https://aperture.p3k.io/microsub/69420"; description = '' The URL of your Microsub server, which saves feeds for you and allows you to browse Web content from one place. Try https://aperture.p3k.io/ if you don't have one yet! ''; }; webmentionEndpoint = mkOption { type = types.nullOr types.str; default = null; example = "https://webmention.io/example.com/webmention"; description = '' The URL of your webmention endpoint, which allows you to receive notifications about your site's content being featured or interacted with elsewhere on the IndieWeb. By default Kittybox expects the Webmention endpoint to post updates using an internal token. kittybox-webmention is an endpoint capable of that. ''; }; internalTokenFile = mkOption { type = types.nullOr types.str; default = null; example = "/run/secrets/kittybox-shared-secret"; description = "A shared secret that will, when passed, allow unlimited editing access to database. Keep it safe."; }; cookieSecretFile = mkOption { type = types.str; default = "/var/lib/kittybox/cookie_secret_key"; example = "/run/secrets/kittybox-cookie-secret"; description = "A secret file to encrypt cookies with the contents of. Should be at least 32 bytes in length. A random persistent file will be generated if this variable is left untouched."; }; }; }; config = lib.mkIf cfg.enable { assertions = [ { assertion = lib.strings.hasPrefix cfg.backendUri "postgres://" -> cfg.package.hasPostgres; message = "To use the Postgres backend, Kittybox has to be compiled with Postgres support enabled."; } ]; systemd.services.kittybox = { description = "An IndieWeb-enabled blog engine"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; restartTriggers = [ cfg.package cfg.backendUri cfg.blobstoreUri cfg.authstoreUri cfg.internalTokenFile cfg.bind cfg.port cfg.cookieSecretFile ]; environment = { SERVE_AT = "${cfg.bind}:${builtins.toString cfg.port}"; MICROSUB_ENDPOINT = cfg.microsubServer; WEBMENTION_ENDPOINT = cfg.webmentionEndpoint; BACKEND_URI = cfg.backendUri; BLOBSTORE_URI = cfg.blobstoreUri; AUTH_STORE_URI = cfg.authstoreUri; RUST_LOG = "${cfg.logLevel}"; COOKIE_SECRET_FILE = "${cfg.cookieSecretFile}"; }; script = '' ${lib.optionalString (cfg.internalTokenFile != null) '' if [[ -f ${cfg.internalTokenFile} ]]; then export KITTYBOX_INTERNAL_TOKEN=$(${pkgs.coreutils}/bin/cat ${cfg.internalTokenFile}) fi ''} if [[ ${cfg.cookieSecretFile} == /var/lib/kittybox/cookie_secret_key && ! -f /var/lib/kittybox/cookie_secret_key ]]; then cat /dev/urandom | tr -Cd '[:alnum:]' | head -c 128 > /var/lib/kittybox/cookie_secret_key fi exec ${cfg.package}/bin/kittybox ''; serviceConfig = { DynamicUser = true; StateDirectory = "kittybox"; # Hardening NoNewPrivileges = true; CapabilityBoundingSet = ""; ProtectSystem = "strict"; ProtectHome = true; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; RestrictSUIDSGID = true; RemoveIPC = true; ProtectProc = "invisible"; SystemCallArchitectures = "native"; SystemCallFilter = [ "@aio" "@basic-io" "@file-system" "@io-event" "@network-io" "@sync" "@system-service" "~@resources" "~@privileged" ]; PrivateDevices = true; DeviceAllow = [ "" ]; UMask = "0077"; IPAddressDeny = [ "link-local" "multicast" ]; }; }; }; }