authorPreston Pan <ret2pop@nullring.xyz>2026-02-16 23:13:47 -0800
committerPreston Pan <ret2pop@nullring.xyz>2026-02-16 23:13:47 -0800
commit06198567765055febc8829f9f2ca398dd6817d93 (patch)
tree8553f885ae27fc7f64dc3655802dc3c129416f99 /nix/modules/public_inbox.nix
parentefe21725f8d68a6be6fb3c4697c88666d11b13a8 (diff)
finish up most of the sysadmin work
Diffstat (limited to 'nix/modules/public_inbox.nix')
-rw-r--r--nix/modules/public_inbox.nix82
1 files changed, 82 insertions, 0 deletions
diff --git a/nix/modules/public_inbox.nix b/nix/modules/public_inbox.nix
new file mode 100644
index 0000000..9f1532c
--- /dev/null
+++ b/nix/modules/public_inbox.nix
@@ -0,0 +1,82 @@
+{ lib, config, ... }:
+{
+ systemd.tmpfiles.rules = [
+ "C+ /var/lib/public-inbox/style.css 0644 public-inbox public-inbox - ${../data/public-inbox.css}"
+ ];
+ systemd.services.public-inbox-httpd = if config.monorepo.profiles.server.enable then {
+ preStart = ''
+ # Copy or link the file.
+ # Using 'cp' is often safer for sandboxed services than linking to the store. Lol.
+ cp -f ${../data/public-inbox.css} /var/lib/public-inbox/style.css
+ chmod 644 /var/lib/public-inbox/style.css
+ '';
+
+ serviceConfig = {
+ # Allow the service to see the file it just created
+ BindPaths = [
+ "/var/lib/public-inbox"
+ ];
+ ReadOnlyPaths = [ "/var/lib/public-inbox/style.css" ];
+ # Ensure it can actually write to the directory during preStart
+ ReadWritePaths = [ "/var/lib/public-inbox" ];
+ };
+ } else {};
+
+ systemd.services.public-inbox-watch = if config.monorepo.profiles.server.enable then {
+ after = [ "sops-nix.service" ];
+ confinement.enable = lib.mkForce false;
+ preStart = ''
+ mkdir -p /var/lib/public-inbox/.tmp
+ chmod 0700 /var/lib/public-inbox/.tmp
+ ln -sfn ${config.sops.templates."public-inbox-netrc".path} /var/lib/public-inbox/.netrc
+ '';
+ environment = {
+ PUBLIC_INBOX_FORCE_IPV4 = "1";
+ NETRC = config.sops.templates."public-inbox-netrc".path;
+ HOME = "/var/lib/public-inbox";
+ TMPDIR = "/var/lib/public-inbox/.tmp";
+ };
+
+ serviceConfig = {
+ RestrictSUIDSGID = lib.mkForce false;
+ ReadWritePaths = [ "/var/lib/public-inbox" ];
+ RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ PrivateNetwork = lib.mkForce false;
+ SystemCallFilter = lib.mkForce [];
+ RootDirectory = lib.mkForce "";
+
+ CapabilityBoundingSet = lib.mkForce [ "~" ];
+ UMask = lib.mkForce "0022";
+ ProtectSystem = lib.mkForce false;
+ };
+ } else {};
+
+ services.public-inbox = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ settings = {
+ publicinbox.css = ["/var/lib/public-inbox/style.css"];
+ publicinbox.wwwlisting = "all";
+ };
+ http = {
+ enable = true;
+ port = 9090;
+ };
+ inboxes = {
+ "monorepo" = {
+ description = "discussion of ret2pop's monorepo project and related work.";
+ address = [ "monorepo@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/monorepo";
+ url = "https://list.${config.monorepo.vars.orgHost}/monorepo";
+ watch = [ "imaps://monorepo%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ };
+
+ "discussion" = {
+ description = "Main Nullring Discussion Mailing List";
+ address = [ "discussion@${config.monorepo.vars.orgHost}" ];
+ inboxdir = "/var/lib/public-inbox/discuss";
+ url = "https://list.${config.monorepo.vars.orgHost}/discussion";
+ watch = [ "imaps://discussion%40${config.monorepo.vars.orgHost}@mail.${config.monorepo.vars.orgHost}/INBOX" ];
+ };
+ };
+ };
+}
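Review bot: The `serviceConfig` overrides for `public-inbox-watch` remove more hardening than IMAP fetching needs, and `CapabilityBoundingSet = lib.mkForce [ "~" ]` renders as `CapabilityBoundingSet=~`, which systemd's inverted-list syntax appears to treat as "all but nothing", i.e. the full bounding set rather than an empty one. The watch process is the component that parses mail pulled from an external IMAP server, so it is exactly where a syscall filter and a read-only system view should stay; `ReadWritePaths = [ "/var/lib/public-inbox" ]` is already set, so a strict `ProtectSystem` would not block the `.tmp` and inboxdir writes. If only the chroot and network confinement were breaking IMAP, keep `confinement.enable = lib.mkForce false;` and `PrivateNetwork = lib.mkForce false;` but change the three lines to `CapabilityBoundingSet = lib.mkForce "";`, `SystemCallFilter = lib.mkForce [ "@system-service" ];` and `ProtectSystem = lib.mkForce "strict";`. Separately, the `ln -sfn … /var/lib/public-inbox/.netrc` in preStart duplicates the `NETRC` environment variable and only adds a second path that resolves to the credentials; one of the two can go.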