{ lib, config, ... }:
let
  # Everything in this module is gated on the server profile; inbox
  # addresses, URLs and IMAP watch URIs are all derived from the org host.
  serverEnabled = config.monorepo.profiles.server.enable;
  orgHost = config.monorepo.vars.orgHost;

  # Stylesheet shipped next to this module; it is installed into the state
  # directory so the httpd serves a path that exists inside its sandbox.
  styleSrc = ../data/public-inbox.css;
  styleDst = "/var/lib/public-inbox/style.css";

  # sops-rendered netrc holding the IMAP credentials used by the watcher.
  netrcPath = config.sops.templates."public-inbox-netrc".path;

  # One inbox definition. `inboxdir` is passed explicitly because it does not
  # always match the list name; `extra` carries optional per-inbox settings
  # such as `coderepo`.
  mkInbox = name: description: inboxdir: extra:
    {
      inherit description inboxdir;
      address = [ "${name}@${orgHost}" ];
      url = "https://list.${orgHost}/${name}";
      watch = [ "imaps://${name}%40${orgHost}@mail.${orgHost}/INBOX" ];
    } // extra;
in
{
  # Install the stylesheet unconditionally ("C+" overwrites an existing copy)
  # with the ownership the public-inbox units run under.
  systemd.tmpfiles.rules = [
    "C+ ${styleDst} 0644 public-inbox public-inbox - ${styleSrc}"
  ];

  systemd.services.public-inbox-httpd = lib.optionalAttrs serverEnabled {
    preStart = ''
      # Install the stylesheet from the store into the state directory.
      # A copy, rather than a symlink into /nix/store, stays readable
      # under the unit's mount sandbox.
      cp -f ${styleSrc} ${styleDst}
      chmod 644 ${styleDst}
    '';
    serviceConfig = {
      # Expose the state directory and the git repositories inside the sandbox.
      BindPaths = [ "/var/lib/public-inbox" "/srv/git/" ];
      # NOTE(review): this read-only entry is nested inside the read-write
      # entry below; systemd applies the more specific mount last, so the
      # `cp -f` in preStart may be refused once the file exists — confirm on
      # a fresh boot, or rely on the tmpfiles rule alone and drop this entry.
      ReadOnlyPaths = [ styleDst ];
      # preStart writes the stylesheet into this directory.
      ReadWritePaths = [ "/var/lib/public-inbox" ];
    };
  };

  systemd.services.public-inbox-watch = lib.optionalAttrs serverEnabled {
    # The rendered netrc only exists after sops-nix has run.
    after = [ "sops-nix.service" ];
    # NOTE(review): the overrides in this unit remove the sandboxing the
    # upstream module presumably applies (confinement/chroot, syscall filter,
    # capability bounding set, ProtectSystem, SUID/SGID restriction, network
    # isolation). The watcher holds mail credentials and talks to the network,
    # so each restriction should be re-enabled individually once the real
    # blocker is identified (e.g. a BindReadOnlyPaths entry for the netrc
    # rather than disabling confinement) — TODO confirm which are needed.
    confinement.enable = lib.mkForce false;
    preStart = ''
      mkdir -p /var/lib/public-inbox/.tmp
      chmod 0700 /var/lib/public-inbox/.tmp
      ln -sfn ${netrcPath} /var/lib/public-inbox/.netrc
    '';
    environment = {
      PUBLIC_INBOX_FORCE_IPV4 = "1";
      # NETRC points at the rendered template directly; the ~/.netrc symlink
      # created in preStart presumably covers tools that ignore NETRC.
      NETRC = netrcPath;
      HOME = "/var/lib/public-inbox";
      TMPDIR = "/var/lib/public-inbox/.tmp";
    };
    serviceConfig = {
      RestrictSUIDSGID = lib.mkForce false;
      ReadWritePaths = [ "/var/lib/public-inbox" ];
      RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      PrivateNetwork = lib.mkForce false;
      SystemCallFilter = lib.mkForce [ ];
      RootDirectory = lib.mkForce "";
      # NOTE(review): a bare "~" looks like an inverted empty set (no
      # capability removed) rather than an empty bounding set — confirm
      # this is the intent.
      CapabilityBoundingSet = lib.mkForce [ "~" ];
      UMask = lib.mkForce "0022";
      ProtectSystem = lib.mkForce false;
    };
  };

  services.public-inbox = {
    enable = lib.mkDefault serverEnabled;
    settings = {
      # Code repositories linked from the inboxes below.
      coderepo = {
        nullerbot = {
          dir = "/srv/git/nullerbot.git";
          cgitUrl = "https://git.nullring.xyz/nullerbot.git";
        };
        monorepo = {
          dir = "/srv/git/monorepo.git";
          cgitUrl = "https://git.nullring.xyz/monorepo.git";
        };
      };
      publicinbox = {
        css = [ styleDst ];
        # Every inbox is listed on the landing page.
        wwwlisting = "all";
      };
    };
    http = {
      enable = true;
      port = 9090;
    };
    inboxes = {
      monorepo = mkInbox "monorepo"
        "discussion of ret2pop's monorepo project and related work."
        "/var/lib/public-inbox/monorepo"
        { coderepo = [ "monorepo" ]; };
      discussion = mkInbox "discussion"
        "Main Nullring Discussion Mailing List"
        "/var/lib/public-inbox/discuss"
        { };
      nullerbot = mkInbox "nullerbot"
        "Discussion of Nullerbot Matrix Bot"
        "/var/lib/public-inbox/nullerbot"
        { coderepo = [ "nullerbot" ]; };
    };
  };
}