{ lib, config, ... }:
{
systemd.tmpfiles.rules =
  let
    # Stylesheet checked into the repo; interpolating the path below yields its
    # Nix store location at evaluation time.
    stylesheet = ../data/public-inbox.css;
  in
  [
    # Copy the stylesheet into the public-inbox state directory, owned by the
    # service user and world-readable (it is served to every HTTP client).
    # The "+" modifier copies even when the destination already exists, so a
    # changed stylesheet is picked up on the next tmpfiles run.
    "C+ /var/lib/public-inbox/style.css 0644 public-inbox public-inbox - ${stylesheet}"
  ];
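# httpd overrides, applied only on hosts with the server profile.
# `lib.mkIf` is used instead of `if ... then ... else {}`: a `{}` definition
# still registers an (empty, ExecStart-less) public-inbox-httpd.service entry
# on hosts where the upstream module never defines the unit, whereas mkIf
# yields no definition at all when the profile is off.
systemd.services.public-inbox-httpd = lib.mkIf config.monorepo.profiles.server.enable {
  # Refreshes the stylesheet right before the daemon starts, duplicating the
  # tmpfiles `C+` rule for the case where tmpfiles has not run yet.
  # NOTE(review): ExecStartPre runs inside the same sandbox as the service and
  # as the unit's User unless upstream sets PermissionsStartOnly; with the
  # chroot confinement upstream enables, the interpolated store path must also
  # be visible inside the namespace — confirm both against the upstream module.
  preStart = ''
    # Copy or link the file.
    # Using 'cp' is often safer for sandboxed services than linking to the store. Lol.
    cp -f ${../data/public-inbox.css} /var/lib/public-inbox/style.css
    chmod 644 /var/lib/public-inbox/style.css
  '';
  serviceConfig = {
    # Make the state directory visible inside the daemon's namespace so the
    # file written above can be served.
    BindPaths = [
      "/var/lib/public-inbox"
    ];
    # Intent: the served asset is read-only while the directory stays writable.
    # NOTE(review): this file is also the target of the `cp -f` in preStart;
    # if systemd applies the nested read-only mount on top of the writable
    # directory (most specific path last), that copy would hit a read-only
    # file once tmpfiles has created it — verify the unit actually starts.
    ReadOnlyPaths = [ "/var/lib/public-inbox/style.css" ];
    # Ensure it can actually write to the directory during preStart
    ReadWritePaths = [ "/var/lib/public-inbox" ];
  };
};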
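# IMAP watcher overrides, applied only on hosts with the server profile.
# `lib.mkIf` rather than `if ... else {}` so that no empty
# public-inbox-watch.service entry is registered on hosts where the upstream
# module does not define the unit.
systemd.services.public-inbox-watch = lib.mkIf config.monorepo.profiles.server.enable {
  # The netrc template is rendered by sops-nix, so order after it.
  # NOTE(review): `after` is ordering only — without `wants`/`requires` the
  # watcher still starts (with a dangling .netrc symlink) if sops-nix.service
  # is missing or failed.
  after = [ "sops-nix.service" ];
  # Upstream's chroot confinement is switched off for this unit, presumably
  # because the watcher needs real network access for the imaps:// sources and
  # the sops-rendered secret path; the serviceConfig block below then undoes
  # most of upstream's remaining sandboxing.
  confinement.enable = lib.mkForce false;
  preStart = ''
    mkdir -p /var/lib/public-inbox/.tmp
    chmod 0700 /var/lib/public-inbox/.tmp
    ln -sfn ${config.sops.templates."public-inbox-netrc".path} /var/lib/public-inbox/.netrc
  '';
  # The ~/.netrc symlink above only points at the secret; its ownership and
  # mode are whatever sops-nix renders — confirm the service user (and nobody
  # else) can read the target.
  environment = {
    PUBLIC_INBOX_FORCE_IPV4 = "1";
    # Same secret as the ~/.netrc symlink created in preStart; presumably one
    # of the two is enough — confirm which lookup public-inbox actually does.
    NETRC = config.sops.templates."public-inbox-netrc".path;
    HOME = "/var/lib/public-inbox";
    # Private 0700 scratch dir (created in preStart) instead of the shared /tmp.
    TMPDIR = "/var/lib/public-inbox/.tmp";
  };
  serviceConfig = {
    # Every mkForce below relaxes a hardening setting inherited from upstream.
    # NOTE(review): PrivateNetwork / RestrictAddressFamilies are clearly needed
    # for IMAP; the others should be re-checked one by one and re-tightened if
    # the watcher turns out not to need them.
    RestrictSUIDSGID = lib.mkForce false;
    ReadWritePaths = [ "/var/lib/public-inbox" ];
    RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    PrivateNetwork = lib.mkForce false;
    # An empty list means no seccomp syscall filter at all.
    SystemCallFilter = lib.mkForce [];
    RootDirectory = lib.mkForce "";
    # A bare "~" resets the bounding set to the FULL capability set
    # (systemd.exec(5)), not to an empty one; this is only harmless while the
    # unit runs as an unprivileged user. An empty list would state "no
    # capabilities" explicitly if that is what was intended.
    CapabilityBoundingSet = lib.mkForce [ "~" ];
    # World-readable new files; acceptable for public archives, and the .tmp
    # dir relies on the explicit chmod in preStart rather than on the umask.
    UMask = lib.mkForce "0022";
    ProtectSystem = lib.mkForce false;
  };
};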
services.public-inbox =
  let
    host = config.monorepo.vars.orgHost;
    stateDir = "/var/lib/public-inbox";
    # All lists follow one scheme: <name>@host, published at
    # https://list.host/<name>, fed from the INBOX of the matching IMAP mailbox
    # (credentials come from the watcher's netrc, not from the URL).
    mkInbox = name: dir: description: {
      inherit description;
      address = [ "${name}@${host}" ];
      inboxdir = "${stateDir}/${dir}";
      url = "https://list.${host}/${name}";
      watch = [ "imaps://${name}%40${host}@mail.${host}/INBOX" ];
    };
  in
  {
    # mkDefault so a host can still override the profile-driven default.
    enable = lib.mkDefault config.monorepo.profiles.server.enable;
    settings.publicinbox = {
      # Stylesheet placed in the state dir by the tmpfiles rule / httpd preStart.
      css = [ "${stateDir}/style.css" ];
      # Every inbox is listed on the landing page; fine for public lists.
      wwwlisting = "all";
    };
    http = {
      enable = true;
      # Plain HTTP; the https:// list URLs imply a TLS-terminating proxy in
      # front. NOTE(review): if upstream turns an integer port into a
      # ListenStream on all interfaces, confirm 9090 is not reachable from
      # outside the proxy.
      port = 9090;
    };
    inboxes = {
      monorepo = mkInbox "monorepo" "monorepo" "discussion of ret2pop's monorepo project and related work.";
      # Note the on-disk directory is "discuss", not "discussion".
      discussion = mkInbox "discussion" "discuss" "Main Nullring Discussion Mailing List";
    };
  };
}