felix/nixos
1
0
Fork 0
mirror of https://github.com/Stunkymonkey/nixos.git synced 2025-10-30 17:32:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

services/photoprism: aplly suggestions

Browse source
This commit is contained in:
Felix Buehler 2023-01-15 12:17:21 +01:00
parent 655eb195cb
commit b4cdac4912
1 changed files with 39 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

80
modules/services/photoprism/default.nix
View file

@ -11,12 +11,12 @@ let
PHOTOPRISM_HTTP_HOST = cfg.address; PHOTOPRISM_HTTP_HOST = cfg.address;
PHOTOPRISM_HTTP_PORT = toString cfg.port; PHOTOPRISM_HTTP_PORT = toString cfg.port;
} // ( } // (
lib.mapAttrs (_: toString) cfg.extraConfig lib.mapAttrs (_: toString) cfg.settings
); );
manage = manage =
let let
setupEnv = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: val: "export ${name}=\"${val}\"") env); setupEnv = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: val: "export ${name}=${lib.escapeShellArg val}") env);
in in
pkgs.writeShellScript "manage" '' pkgs.writeShellScript "manage" ''
${setupEnv} ${setupEnv}
@ -26,56 +26,63 @@ in
{ {
meta.maintainers = with lib.maintainers; [ stunkymonkey ]; meta.maintainers = with lib.maintainers; [ stunkymonkey ];
options.my.services.photoprism = with lib; { options.my.services.photoprism = {
enable = mkEnableOption (lib.mdDoc "Photoprism web server"); enable = lib.mkEnableOption (lib.mdDoc "Photoprism web server");
passwordFile = mkOption { passwordFile = lib.mkOption {
type = types.nullOr types.path; type = lib.types.nullOr lib.types.path;
default = null; default = null;
description = lib.mdDoc "Admin password file."; description = lib.mdDoc ''
Admin password file.
'';
}; };
address = mkOption { address = lib.mkOption {
type = types.str; type = lib.types.str;
default = "localhost"; default = "localhost";
description = lib.mdDoc "Web interface address."; description = lib.mdDoc ''
Web interface address.
'';
}; };
port = mkOption { port = lib.mkOption {
type = types.port; type = lib.types.port;
default = 2342; default = 2342;
description = lib.mdDoc "Web interface port."; description = lib.mdDoc ''
Web interface port.
'';
}; };
originalsPath = mkOption { originalsPath = lib.mkOption {
type = types.path; type = lib.types.path;
default = null; default = null;
example = "/data/photos"; example = "/data/photos";
description = lib.mdDoc "storage path of your original media files (photos and videos)."; description = lib.mdDoc ''
Storage path of your original media files (photos and videos)
'';
}; };
importPath = mkOption { importPath = lib.mkOption {
type = types.str; type = lib.types.str;
default = "import"; default = "import";
description = lib.mdDoc "relative or absolute to the `originalsPath` from where the files should be imported."; description = lib.mdDoc ''
Relative or absolute to the `originalsPath` from where the files should be imported.
'';
}; };
storagePath = mkOption { storagePath = lib.mkOption {
type = types.path; type = lib.types.path;
default = "/var/lib/photoprism"; default = "/var/lib/photoprism";
description = lib.mdDoc "location for sidecar, cache, and database files."; description = lib.mdDoc ''
location for sidecar, cache, and database files.
'';
}; };
package = mkOption { package = lib.mkPackageOption pkgs "photoprism" { };
type = types.package;
default = pkgs.photoprism;
defaultText = literalExpression "pkgs.photoprism";
description = lib.mdDoc "The Photoprism package to use.";
};
extraConfig = mkOption { settings = lib.mkOption {
type = types.attrs; type = lib.types.attrsOf lib.types.str;
default = { }; default = { };
description = lib.mdDoc '' description = lib.mdDoc ''
Extra photoprism config options. See [the getting-stated guide](https://docs.photoprism.app/getting-started/config-options/) for available options. Extra photoprism config options. See [the getting-stated guide](https://docs.photoprism.app/getting-started/config-options/) for available options.
@ -99,18 +106,8 @@ in
StateDirectory = "photoprism"; StateDirectory = "photoprism";
WorkingDirectory = "/var/lib/photoprism"; WorkingDirectory = "/var/lib/photoprism";
RuntimeDirectory = "photoprism"; RuntimeDirectory = "photoprism";
LoadCredential = lib.optionalString (cfg.passwordFile != null) LoadCredential = lib.optionalString (cfg.passwordFile != null)
"PHOTOPRISM_ADMIN_PASSWORD:${cfg.passwordFile}"; "PHOTOPRISM_ADMIN_PASSWORD:${cfg.passwordFile}";
BindReadOnlyPaths = [
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
builtins.storeDir
"-/etc/resolv.conf"
"-/etc/nsswitch.conf"
"-/etc/hosts"
"-/etc/localtime"
];
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
LockPersonality = true; LockPersonality = true;
PrivateDevices = true; PrivateDevices = true;
@ -126,7 +123,8 @@ in
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "@resources" "@setuid" "@keyring" ]; #SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ];
UMask = "0066"; UMask = "0066";
} // lib.optionalAttrs (cfg.port < 1024) { } // lib.optionalAttrs (cfg.port < 1024) {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];