{ pkgs, lib, config, ... }: with lib; let cfg = config.services.photoview; in { options.services.photoview = { enable = mkEnableOption "photoview server"; package = mkOption { type = with types; package; default = pkgs.photoview; description = "photoview package"; }; user = mkOption { type = with types; str; default = "photoview"; description = "user under which photoview runs"; }; group = mkOption { type = with types; str; default = "photoview"; description = "group under which photoview runs"; }; listen = { host = mkOption { type = with types; str; default = "127.0.0.1"; description = "host to listen on"; }; port = mkOption { type = with types; port; default = 8000; description = "port to listen on"; }; }; database = { driver = mkOption { type = with types; enum [ "sqlite" "mysql" "postgres" ]; default = "sqlite"; description = "database driver"; }; string = mkOption { type = with types; str; description = "database connection string"; }; }; stateDir = mkOption { type = with types; str; default = "/var/lib/photoview"; description = "path to photoview state directory"; }; cacheDir = mkOption { type = with types; str; default = "${cfg.stateDir}/media_cache"; description = "path to photoview media cache"; }; secrets = mkOption { type = with types; nullOr str; default = null; description = "path to secrets environment file"; example = '' MAPBOX_TOKEN= ''; }; }; config = mkIf cfg.enable { systemd.services.photoview = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; description = "Photoview - Photo gallery for self-hosted personal servers"; environment = with cfg; { PHOTOVIEW_LISTEN_IP = listen.host; PHOTOVIEW_LISTEN_PORT = toString listen.port; PHOTOVIEW_MEDIA_CACHE = cacheDir; PHOTOVIEW_DATABASE_DRIVER = database.driver; "PHOTOVIEW_${toUpper database.driver}_URL" = database.string; }; serviceConfig = { ExecStartPre = pkgs.writeShellScript "photoview-pre" '' rm -f "${cfg.stateDir}/data" ln -s "${cfg.package}/lib/photoview/data" "${cfg.stateDir}/data" ''; ExecStart = "${cfg.package}/bin/photoview"; WorkingDirectory = cfg.stateDir; User = cfg.user; Group = cfg.group; EnvironmentFile = mkIf (cfg.secrets != null) cfg.secrets; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateTmp = true; PrivateUsers = true; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProcSubset = "all"; ProtectSystem = "strict"; RemoveIPC = true; ReadWritePaths = [ cfg.stateDir ]; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0077"; }; }; users.users = mkIf (cfg.user == "photoview") { photoview = { description = "photoview service account"; group = cfg.group; uid = config.ids.uids.photoview; }; }; users.groups = mkIf (cfg.group == "photoview") { photoview.gid = config.ids.gids.photoview; }; ids.uids.photoview = 287; ids.gids.photoview = 287; }; }